mirror of
https://github.com/LOLBAS-Project/LOLBAS
synced 2024-12-27 07:18:05 +01:00
23dd0236ae
* Add detection links for scripts * Add detection links for OtherMSBins. Fixed and updated as needed. * Add detection links for MSBins. Fixed and updated as needed. * Add detection links for oslibraries * Updating template for Detections * Removing empty Detection:Sigma entries * Remove redundant blank line * Replacing commit URL with file URL Co-authored-by: root <root@DESKTOP-5CR935D.localdomain> Co-authored-by: Wietze <wietze@users.noreply.github.com>
43 lines
1.3 KiB
YAML
43 lines
1.3 KiB
YAML
---
|
|
Name: Binary.exe
|
|
Description: Something general about the binary
|
|
Author: The name of the person that created this file
|
|
Created: YYYY-MM-DD (date the person created this file)
|
|
Commands:
|
|
- Command: The command
|
|
Description: Description of the command
|
|
Usecase: A description of the usecase
|
|
Category: Execute
|
|
Privileges: Required privs
|
|
MitreID: T1055
|
|
OperatingSystem: Windows 10 1803, Windows 10 1703
|
|
- Command: The second command
|
|
Description: Description of the second command
|
|
Usecase: A description of the usecase
|
|
Category: AWL Bypass
|
|
Privileges: Required privs
|
|
MitreID: T1033
|
|
OperatingSystem: Windows 10 All
|
|
Full_Path:
|
|
- Path: c:\windows\system32\bin.exe
|
|
- Path: c:\windows\syswow64\bin.exe
|
|
Code_Sample:
|
|
- Code: http://url.com/git.txt
|
|
Detection:
|
|
- IOC: Event ID 10
|
|
- IOC: binary.exe spawned
|
|
- Analysis: https://link/to/blog/gist/writeup/if/applicable
|
|
- Sigma: https://link/to/sigma/rule/if/applicable
|
|
- Elastic: https://link/to/elastic/rule/if/applicable
|
|
- Splunk: https://link/to/splunk/rule/if/applicable
|
|
- BlockRule: https://link/to/microsoft/block/rules/if/applicable
|
|
Resources:
|
|
- Link: http://blogpost.com
|
|
- Link: http://twitter.com/something
|
|
- Link: Threatintelreport...
|
|
Acknowledgement:
|
|
- Person: John Doe
|
|
Handle: '@johndoe'
|
|
- Person: Ola Norman
|
|
Handle: '@olaNor'
|