LOLBAS/YML-Template.yml
bohops 23dd0236ae
Detection Resources and Other Updates (#179)
* Add detection links for scripts

* Add detection links for OtherMSBins. Fixed and updated as needed.

* Add detection links for MSBins. Fixed and updated as needed.

* Add detection links for oslibraries

* Updating template for Detections

* Removing empty Detection:Sigma entries

* Remove redundant blank line

* Replacing commit URL with file URL

Co-authored-by: root <root@DESKTOP-5CR935D.localdomain>
Co-authored-by: Wietze <wietze@users.noreply.github.com>
2021-11-15 08:19:03 -05:00

43 lines
1.3 KiB
YAML

---
Name: Binary.exe
Description: Something general about the binary
Author: The name of the person that created this file
Created: YYYY-MM-DD (date the person created this file)
Commands:
- Command: The command
Description: Description of the command
Usecase: A description of the usecase
Category: Execute
Privileges: Required privs
MitreID: T1055
OperatingSystem: Windows 10 1803, Windows 10 1703
- Command: The second command
Description: Description of the second command
Usecase: A description of the usecase
Category: AWL Bypass
Privileges: Required privs
MitreID: T1033
OperatingSystem: Windows 10 All
Full_Path:
- Path: c:\windows\system32\bin.exe
- Path: c:\windows\syswow64\bin.exe
Code_Sample:
- Code: http://url.com/git.txt
Detection:
- IOC: Event ID 10
- IOC: binary.exe spawned
- Analysis: https://link/to/blog/gist/writeup/if/applicable
- Sigma: https://link/to/sigma/rule/if/applicable
- Elastic: https://link/to/elastic/rule/if/applicable
- Splunk: https://link/to/splunk/rule/if/applicable
- BlockRule: https://link/to/microsoft/block/rules/if/applicable
Resources:
- Link: http://blogpost.com
- Link: http://twitter.com/something
- Link: Threatintelreport...
Acknowledgement:
- Person: John Doe
Handle: '@johndoe'
- Person: Ola Norman
Handle: '@olaNor'