diff --git a/.github/latest_archiver_output.md b/.github/latest_archiver_output.md index 61bb3c1b997..96cb0b08d5c 100644 --- a/.github/latest_archiver_output.md +++ b/.github/latest_archiver_output.md 
@@ -1,561 +1,559 @@ # Reference Archiver Results -Last Execution: 2024-12-01 02:17:42 +Last Execution: 2025-01-01 02:08:04 ### Archiver Script Results #### Newly Archived References -- https://defr0ggy.github.io/research/Abusing-Cloudflared-A-Proxy-Service-To-Host-Share-Applications/ -- https://web.archive.org/web/20210511204621/https://github.com/AlsidOfficial/WSUSpendu -- https://web.archive.org/web/20230409194125/https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html +- https://web.archive.org/web/20221019044836/https://nsudo.m2team.org/en-us/ #### Already Archived References -- https://securityintelligence.com/x-force/x-force-hive0129-targeting-financial-institutions-latam-banking-trojan/ -- https://www.cobaltstrike.com/blog/why-is-notepad-exe-connecting-to-the-internet -- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac -- https://blog.talosintelligence.com/gophish-powerrat-dcrat/ -- https://github.com/search?q=repo%3AHackplayers%2Fevil-winrm++shell.run%28&type=code -- https://learn.microsoft.com/en-us/windows/win32/wmisdk/mofcomp -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-process?view=powershell-7.4 -- https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-kubernetes.html#privilegeescalation-kubernetes-privilegedcontainer -- https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_network.html -- https://www.virustotal.com/gui/file/364275326bbfc4a3b89233dabdaf3230a3d149ab774678342a40644ad9f8d614/details -- https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace -- https://www.sans.org/cyber-security-summit/archives +- https://docs.github.com/en/organizations/managing-organization-settings/transferring-organization-ownership +- 
https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services +- https://github.com/antonioCoco/RoguePotato +- https://gtfobins.github.io/gtfobins/env/#shell +- https://strontic.github.io/xcyclopedia/library/more.com-EDB3046610020EE614B5B81B0439895E.html +- https://twitter.com/MsftSecIntel/status/1737895710169628824 +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file?view=powershell-7.2 +- https://github.com/safedv/RustiveDump/blob/1a9b026b477587becfb62df9677cede619d42030/src/main.rs#L35 +- https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029 +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc +- https://learn.microsoft.com/en-us/azure/defender-for-cloud/file-integrity-monitoring-overview#which-files-should-i-monitor +- https://learn.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate?view=windowsserver2022-ps +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult +- https://www.zerodayinitiative.com/blog/2023/4/21/tp-link-wan-side-vulnerability-cve-2023-1389-added-to-the-mirai-botnet-arsenal +- https://nvd.nist.gov/vuln/detail/CVE-2024-3400 +- https://www.microsoft.com/en-us/security/blog/2020/03/23/latest-astaroth-living-off-the-land-attacks-are-even-more-invisible-but-not-less-observable/ #### Error While Archiving References -- https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b -- https://www.cyberciti.biz/faq/how-force-kill-process-linux/ -- https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand -- https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch -- http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/ -- 
https://learn.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump -- https://learn.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=windowsserver2022-ps -- https://nvd.nist.gov/vuln/detail/CVE-2024-3400 -- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-activated-too-frequently -- https://web.archive.org/web/20220422215221/https://twitter.com/malware_traffic/status/1517622327000846338 -- https://www.virustotal.com/gui/file/ded20df574b843aaa3c8e977c2040e1498ae17c12924a19868df5b12dee6dfdd -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5038 +- https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ +- http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ +- https://www.huntress.com/blog/attacking-mssql-servers +- https://learn.microsoft.com/en-us/windows/win32/adschema/attributes-all +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#short-lived-accounts +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/chcp - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4661 -- https://www.hexacorn.com/blog/2023/12/31/1-little-known-secret-of-forfiles-exe/ -- https://intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf -- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations -- https://www.trustedsec.com/blog/art_of_kerberoast/ -- https://dear-territory-023.notion.site/WebDav-Share-Testing-e4950fa0c00149c3aa430d779b9b1d0f?pvs=4 -- 
https://github.com/redcanaryco/atomic-red-team/blob/5f866ca4517e837c4ea576e7309d0891e78080a8/atomics/T1040/T1040.md#atomic-test-16---powershell-network-sniffing -- https://confluence.atlassian.com/bitbucketserver/enable-ssh-access-to-git-repositories-776640358.html -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4771 -- https://www.binarydefense.com/resources/blog/icedid-gziploader-analysis/ -- https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations -- https://tria.ge/220422-1nnmyagdf2/ -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd -- https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis -- https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors -- https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/ -- https://twitter.com/Kostastsale/status/1646256901506605063?s=20 -- https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/ -- https://www.fortiguard.com/psirt/FG-IR-22-398 -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913 -- https://www.dsinternals.com/en/dpapi-backup-key-theft-auditing/ -- https://cloud.google.com/blog/topics/threat-intelligence/evolution-of-fin7/ -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4706 -- https://www.sentinelone.com/blog/from-the-front-linesunsigned-macos-orat-malware-gambles-for-the-win/ -- https://www.vectra.ai/blog/undermining-microsoft-teams-security-by-mining-tokens -- https://web.archive.org/web/20230217071802/https://blooteem.com/march-2022 -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup -- 
https://web.archive.org/web/20230329163438/https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-user +- https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_storage.html +- https://strontic.github.io/xcyclopedia/library/mode.com-59D1ED51ACB8C3D50F1306FD75F20E99.html +- https://github.com/PwC-IR/Business-Email-Compromise-Guide/blob/fe29ce06aef842efe4eb448c26bbe822bf5b895d/PwC-Business_Email_Compromise-Guide.pdf +- http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/ +- https://learn.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16 +- https://github.com/ossec/ossec-hids/blob/master/etc/rules/syslog_rules.xml - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic -- https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/ -- https://web.archive.org/web/20170909091934/https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis -- https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension -- https://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/ -- https://objective-see.org/blog/blog_0x1E.html -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#password-spray -- https://twitter.com/MsftSecIntel/status/1737895710169628824 -- https://web.archive.org/web/20231210115125/http://www.xuetr.com/ +- https://media.defense.gov/2021/Jul/19/2002805003/-1/-1/1/CSA_CHINESE_STATE-SPONSORED_CYBER_TTPS.PDF +- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-identity-roles.html +- https://www.bleepingcomputer.com/news/security/hackers-exploit-windows-smartscreen-flaw-to-drop-darkgate-malware/ +- 
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3 +- https://twitter.com/th3_protoCOL/status/1480621526764322817 +- https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch +- https://blog.morphisec.com/vmware-identity-manager-attack-backdoor +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery +- https://github.com/Ylianst/MeshAgent - https://securelist.com/key-group-ransomware-samples-and-telegram-schemes/114025/ -- https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/ -- https://learn.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool -- https://x.com/_st0pp3r_/status/1742203752361128162?s=20 +- https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/ +- https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/ +- https://gtfobins.github.io/gtfobins/c99/#shell +- https://www.loobins.io/binaries/launchctl/ - https://www.loobins.io/binaries/nscurl/ -- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/xml/xslt/xslt-stylesheet-scripting-using-msxsl-script -- https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/ -- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_IncludeUnspecifiedLocalSites -- https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode -- https://objective-see.org/blog/blog_0x6D.html -- https://www.huntress.com/blog/attacking-mssql-servers +- https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/ +- https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/ +- 
https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-lambda-privesc +- https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/ +- https://gtfobins.github.io/gtfobins/c89/#shell +- https://twitter.com/Kostastsale/status/1480716528421011458 +- https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-process-creations-originating-from-psexec-and-wmi-commands +- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Privileged%20container/ - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#potential-stale-accounts-in-a-privileged-role -- https://lots-project.com/site/2a2e617a75726566642e6e6574 -- https://learn.microsoft.com/en-us/windows/win32/adschema/attributes-all -- https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195 - https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide -- https://www.virustotal.com/gui/file/6bb4cdbaef03b732a93559a58173e7f16b29bfb159a1065fae9185000ff23b4b -- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/what-is-applocker -- https://www.virustotal.com/gui/search/behaviour_network%253A*.miningocean.org/files -- https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/ -- https://goodworkaround.com/2022/02/15/digging-into-azure-ad-certificate-based-authentication/ -- https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216 -- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Privileged%20container/ -- https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html -- 
https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-user -- https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/ -- https://github.com/FalconForceTeam/SOAPHound -- https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain -- https://learn.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior -- https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf -- https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-monitor-federation-changes -- https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/network-provider-settings-removed-in-place-upgrade -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anonymous-ip-address -- https://twitter.com/standa_t/status/1808868985678803222 -- https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/ -- https://github.com/PwC-IR/Business-Email-Compromise-Guide/blob/fe29ce06aef842efe4eb448c26bbe822bf5b895d/PwC-Business_Email_Compromise-Guide.pdf -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32 -- https://us-cert.cisa.gov/ncas/alerts/aa21-259a -- https://github.com/rapid7/metasploit-framework/issues/11337 -- https://twitter.com/TheDFIRReport/status/1482078434327244805 -- https://twitter.com/Kostastsale/status/1480716528421011458 -- https://app.any.run/tasks/69c5abaa-92ad-45ba-8c53-c11e23e05d04/ -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4673 -- https://www.malwarebytes.com/blog/detections/pum-optional-nodispbackgroundpage -- 
https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-configure-mfa-policy -- https://app.any.run/tasks/9a8fd563-4c54-4d0a-9ad8-1fe08339cbc3/ -- https://web.archive.org/web/20230329155141/https://blog.menasec.net/2019/03/threat-hunting-26-remote-windows.html -- https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/ -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/assoc -- https://www.linkedin.com/feed/update/urn:li:ugcPost:7257437202706493443?commentUrn=urn%3Ali%3Acomment%3A%28ugcPost%3A7257437202706493443%2C7257522819985543168%29&dashCommentUrn=urn%3Ali%3Afsd_comment%3A%287257522819985543168%2Curn%3Ali%3AugcPost%3A7257437202706493443%29 -- https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash -- https://www.softperfect.com/products/networkscanner/ -- https://www.aon.com/cyber-solutions/aon_cyber_labs/linux-based-inter-process-code-injection-without-ptrace2/ -- https://trustedsec.com/blog/specula-turning-outlook-into-a-c2-with-one-registry-change -- https://strontic.github.io/xcyclopedia/library/dialer.exe-0B69655F912619756C704A0BF716B61F.html -- https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-credentials -- https://github.com/yardenshafir/conference_talks/blob/3de1f5d7c02656c35117f067fbff0a219c304b09/OffensiveCon_2023_Your_Mitigations_are_My_Opportunities.pdf -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anomalous-token -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins -- https://docs.microsoft.com/en-us/powershell/module/powershellwebaccess/install-pswawebapplication -- https://github.com/DrorDvash/CVE-2022-22954_VMware_PoC -- 
https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_ProxyByPass +- https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/ +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183 - https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior -- https://ngrok.com/blog-post/new-ngrok-domains -- https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/ -- https://gtfobins.github.io/gtfobins/rsync/#shell -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4741 -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure#conditional-access -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3 -- https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/ -- https://defr0ggy.github.io/research/Utilizing-BTunnel-For-Data-Exfiltration/ -- https://ipurple.team/2024/09/10/browser-stored-credentials/ -- https://web.archive.org/web/20210725081645/https://github.com/cube0x0/CVE-2021-36934 -- https://github.com/0xthirteen/SharpMove/ -- https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_system.html - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a -- https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/ -- https://boinc.berkeley.edu/ -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.4 -- https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/ -- https://learn.microsoft.com/en-us/windows/package-manager/winget/install#local-install -- https://adsecurity.org/?p=1785 -- 
https://github.com/ricardojoserf/NativeDump/blob/01d8cd17f31f51f5955a38e85cd3c83a17596175/NativeDump/Program.cs#L258 -- https://www.cyberciti.biz/faq/linux-remove-user-command/ -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#impossible-travel -- https://web.archive.org/web/20190710034152/https://github.com/zerosum0x0/CVE-2019-0708 -- https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4616 -- https://twitter.com/NathanMcNulty/status/1785051227568632263 -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/hostname -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4647 -- https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_vsan.html -- https://www.trustedsec.com/blog/critical-vulnerability-in-progress-moveit-transfer-technical-analysis-and-recommendations/ -- https://www.loobins.io/binaries/hdiutil/ -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd299871(v=ws.10) -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78 -- https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/cyberabwehr/2024-02-19-joint-cyber-security-advisory-englisch.pdf?__blob=publicationFile&v=2 -- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_UNCAsIntranet -- https://cyber.wtf/2023/12/06/the-csharp-streamer-rat/ -- https://web.archive.org/web/20221019044836/https://nsudo.m2team.org/en-us/ -- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-dont-require-multi-factor-authentication-for-activation 
-- https://labs.nettitude.com/blog/introducing-sharpwsus/ -- https://www.tarasco.org/security/pwdump_7/ -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/takeown -- https://www.fortalicesolutions.com/posts/hiding-behind-the-front-door-with-azure-domain-fronting -- https://www.elastic.co/guide/en/security/current/potential-non-standard-port-ssh-connection.html -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-inbox-forwarding -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-configuration-changes -- https://tria.ge/231023-lpw85she57/behavioral2 -- https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html -- https://www.bleepingcomputer.com/news/security/hackers-exploit-windows-smartscreen-flaw-to-drop-darkgate-malware/ -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malware-linked-ip-address-deprecated -- https://www.cloudcoffee.ch/microsoft-365/configure-windows-laps-in-microsoft-intune/ -- https://redcanary.com/blog/threat-detection/process-masquerading/ -- https://www.trendmicro.com/en_us/research/18/d/new-macos-backdoor-linked-to-oceanlotus-found.html -- https://twitter.com/Cryptolaemus1/status/1517634855940632576 -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup +- https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode +- https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/ +- https://www.elastic.co/guide/en/security/current/kubernetes-container-created-with-excessive-linux-capabilities.html +- https://news.sophos.com/en-us/2024/08/07/sophos-mdr-hunt-tracks-mimic-ransomware-campaign-against-organizations-in-india/ - https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/ -- 
https://learn.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps -- https://learn.microsoft.com/en-us/windows/win32/shell/app-registration -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/chcp -- https://research.ifcr.dk/certipy-4-0-esc9-esc10-bloodhound-gui-new-authentication-and-request-methods-and-more-7237d88061f7 -- https://www.attackiq.com/2023/09/20/emulating-rhysida/ -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11) -- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-assigned-outside-of-privileged-identity-management -- https://tria.ge/220422-1pw1pscfdl/ -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4698 -- https://web.archive.org/web/20160727113019/https://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/microsoft-antimalware-has-removed-history-of/f15af6c9-01a9-4065-8c6c-3f2bdc7de45e -- https://asec.ahnlab.com/en/61000/ -- https://learn.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code -- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#private_repository_forking -- https://docs.github.com/en/organizations/managing-organization-settings/transferring-organization-ownership -- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe -- https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks -- https://cloud.google.com/blog/topics/threat-intelligence/alphv-ransomware-backup/ -- https://web.archive.org/web/20230329170326/https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html -- 
https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_vm.html -- https://www.loobins.io/binaries/xattr/ -- https://cloud.google.com/access-context-manager/docs/audit-logging -- https://medium.com/@NullByteWht/hacking-macos-how-to-dump-1password-keepassx-lastpass-passwords-in-plaintext-723c5b1c311b -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-24---set-a-firewall-rule-using-new-netfirewallrule +- https://docs.github.com/en/repositories/creating-and-managing-repositories/transferring-a-repository +- https://ngrok.com/blog-post/new-ngrok-domains +- https://hijacklibs.net/entries/microsoft/built-in/mpsvc.html +- https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/ +- https://app.any.run/tasks/fa99cedc-9d2f-4115-a08e-291429ce3692 +- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations +- https://www.group-ib.com/resources/threat-research/red-curl-2.html +- https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns +- https://www.fortiguard.com/psirt/FG-IR-22-398 +- https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/ +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#things-to-monitor - https://www.hexacorn.com/blog/2017/01/14/beyond-good-ol-run-key-part-53/ - https://www.hexacorn.com/blog/2024/01/06/1-little-known-secret-of-fondue-exe/ -- https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys -- https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html -- https://bazaar.abuse.ch/browse/signature/RaspberryRobin/ -- https://www.elastic.co/guide/en/security/current/group-policy-abuse-for-privilege-addition.html#_setup_275 -- 
https://learn.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps -- https://web.archive.org/web/20180718061628/https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2 -- https://mp.weixin.qq.com/s/wUoBy7ZiqJL2CUOMC-8Wdg -- https://web.archive.org/web/20230929023836/http://powershellhelp.space/commands/set-netfirewallrule-psv5.php -- https://learn.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps -- https://learn.microsoft.com/en-us/powershell/high-performance-computing/mpiexec?view=hpc19-ps -- https://tria.ge/240225-jlylpafb24/behavioral1/analog?main_event=Registry&op=SetValueKeyInt -- https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns -- https://learn.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1 -- https://github.com/joaoviictorti/RustRedOps/tree/ce04369a246006d399e8c61d9fe0e6b34f988a49/Self_Deletion -- https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/ -- https://www.datadoghq.com/blog/monitor-kubernetes-audit-logs/#monitor-api-authentication-issues -- https://medium.com/@shaherzakaria8/downloading-trojan-lumma-infostealer-through-capatcha-1f25255a0e71 -- https://github.com/Ylianst/MeshAgent/blob/52cf129ca43d64743181fbaf940e0b4ddb542a37/modules/win-info.js#L55 -- https://blackpointcyber.com/resources/blog/breaking-through-the-screen/ -- https://learn.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool -- https://learn.microsoft.com/en-us/windows/win32/shell/launch -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#non-compliant-device-sign-in -- https://learn.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019 -- 
https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#bitlocker-key-retrieval -- https://learn.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v -- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4743 -- http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/ -- https://github.com/embedi/CVE-2017-11882 -- https://linux.die.net/man/1/arecord -- https://news.ycombinator.com/item?id=29504755 -- https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ -- https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/ -- https://any.run/report/6eea2773c1b4b5c6fb7c142933e220c96f9a4ec89055bf0cf54accdcde7df535/a407f006-ee45-420d-b576-f259094df091 -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/set_1 -- https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/1903/W10_1903_Pro_20200714_18362.959/WEPExplorer/Microsoft-Windows-WindowsUpdateClient.xml -- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-identity-roles.html -- https://learn.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-procoption-transact-sql?view=sql-server-ver16 -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4776 -- https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications -- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage -- https://ss64.com/osx/sw_vers.html -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#things-to-monitor -- 
https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response -- https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1 -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9 -- https://redcanary.com/blog/msix-installers/ -- https://gtfobins.github.io/gtfobins/capsh/#shell -- https://web.archive.org/web/20231015205935/https://githubmemory.com/repo/FunctFan/JNDIExploit -- https://www.intrinsec.com/alphv-ransomware-gang-analysis/?cn-reloaded=1 -- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings -- https://github.com/nasbench/Misc-Research/blob/8ee690e43a379cbce8c9d61107442c36bd9be3d3/Other/Undocumented-Flags-Sdbinst.md -- https://media.defense.gov/2021/Jul/19/2002805003/-1/-1/1/CSA_CHINESE_STATE-SPONSORED_CYBER_TTPS.PDF -- https://web.archive.org/web/20180203014709/https://blog.alsid.eu/dcshadow-explained-4510f52fc19d?gi=c426ac876c48 -- https://tria.ge/240226-fhbe7sdc39/behavioral1 -- https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx -- https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/ -- https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/ -- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::SecurityPage_AutoDetect -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#appid-uri-added-modified-or-removed -- https://tria.ge/240521-ynezpagf56/behavioral1 -- https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps -- https://github.com/GhostPack/SharpDPAPI -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2 -- 
http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/ -- https://gtfobins.github.io/gtfobins/env/#shell -- https://www.huntress.com/blog/attacking-mssql-servers-pt-ii -- http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/ -- https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/dsrm-credentials -- https://www.qemu.org/docs/master/system/invocation.html#hxtool-5 -- https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/ -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-sign-in -- https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/ -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult -- https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml -- https://web.archive.org/web/20220614030603/http://www.powertheshell.com/ntfsstreams/ -- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations -- https://www.trendmicro.com/en_no/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html -- https://www.hexacorn.com/blog/2024/01/01/1-little-known-secret-of-hdwwiz-exe/ -- https://thehackernews.com/2024/03/github-rolls-out-default-secret.html -- https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/ -- https://thecyberexpress.com/rogue-rdp-files-used-in-ukraine-cyberattacks/ -- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf +- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_IncludeUnspecifiedLocalSites +- 
https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe +- https://www.welivesecurity.com/2020/03/05/guildma-devil-drives-electric/ +- https://www.geeksforgeeks.org/how-to-kill-processes-on-the-linux-desktop-with-xkill/ +- https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#core-directory +- https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-monitor-federation-changes +- https://gtfobins.github.io/gtfobins/git/#shell +- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-assigned-outside-of-privileged-identity-management +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#impossible-travel +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11) +- https://www.anyviewer.com/help/remote-technical-support.html - https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities +- https://cloud.google.com/blog/topics/threat-intelligence/evolution-of-fin7/ +- https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/dsrm-credentials +- https://x.com/Max_Mal_/status/1826179497084739829 +- https://research.nccgroup.com/2022/07/13/climbing-mount-everest-black-byte-bytes-back/ +- https://ss64.com/mac/hdiutil.html +- https://learn.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019 +- https://strontic.github.io/xcyclopedia/library/vbc.exe-A731372E6F6978CE25617AE01B143351.html +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6423 +- https://www.trustedsec.com/blog/art_of_kerberoast/ +- https://evasions.checkpoint.com/techniques/macos.html +- 
https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes +- https://learn.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior +- https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/ +- https://paper.seebug.org/1495/ +- https://tria.ge/240225-jlylpafb24/behavioral1/analog?main_event=Registry&op=SetValueKeyInt - https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11) -- https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_storage.html -- https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf -- https://web.archive.org/web/20220319032520/https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection -- https://www.group-ib.com/resources/threat-research/red-curl-2.html -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11) -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#short-lived-accounts -- https://github.com/antonioCoco/RoguePotato -- https://www.virustotal.com/gui/file/6f0f20da34396166df352bf301b3c59ef42b0bc67f52af3d541b0161c47ede05 -- https://www.welivesecurity.com/2020/03/05/guildma-devil-drives-electric/ -- https://strontic.github.io/xcyclopedia/library/mode.com-59D1ED51ACB8C3D50F1306FD75F20E99.html -- https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference -- https://www.gradenegger.eu/en/details-of-the-event-with-id-53-of-the-source-microsoft-windows-certificationauthority/ -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4732 -- 
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29 +- https://adsecurity.org/?p=3513 +- https://portswigger.net/daily-swig/vmware-horizon-under-attack-as-china-based-ransomware-group-targets-log4j-vulnerability +- https://www.virustotal.com/gui/file/6bb4cdbaef03b732a93559a58173e7f16b29bfb159a1065fae9185000ff23b4b +- https://www.hexacorn.com/blog/2023/12/31/1-little-known-secret-of-forfiles-exe/ +- https://web.archive.org/web/20210512154016/https://github.com/AlsidOfficial/WSUSpendu/blob/master/WSUSpendu.ps1 +- https://man.freebsd.org/cgi/man.cgi?pwd_mkdb +- https://web.archive.org/web/20231230220738/https://www.lunasec.io/docs/blog/log4j-zero-day/ +- https://www.hexacorn.com/blog/2024/01/01/1-little-known-secret-of-hdwwiz-exe/ +- https://www.sentinelone.com/blog/from-the-front-linesunsigned-macos-orat-malware-gambles-for-the-win/ +- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5012 +- https://www.loobins.io/binaries/tmutil/ +- https://www.virustotal.com/gui/file/14d886517fff2cc8955844b252c985ab59f2f95b2849002778f03a8f07eb8aef - https://gtfobins.github.io/gtfobins/gcc/#shell -- https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/ -- https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1 -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts -- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#ssh_certificate_authority -- https://gtfobins.github.io/gtfobins/c89/#shell -- https://www.anyviewer.com/help/remote-technical-support.html -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.4 -- 
https://web.archive.org/web/20220519091349/https://fatrodzianko.com/2020/02/15/dll-side-loading-appverif-exe/ +- https://trustedsec.com/blog/oops-i-udld-it-again +- https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers +- https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_system.html +- https://ipurple.team/2024/07/15/sharphound-detection/ +- https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/ +- https://thedfirreport.com/2024/01/29/buzzing-on-christmas-eve-trigona-ransomware-in-3-hours/ +- https://www.cloudcoffee.ch/microsoft-365/configure-windows-laps-in-microsoft-intune/ +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure +- http://www.hexacorn.com/blog/2020/02/05/stay-positive-lolbins-not/ +- https://objective-see.org/blog/blog_0x6D.html +- https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966 +- https://news.sophos.com/en-us/2024/06/05/operation-crimson-palace-a-technical-deep-dive +- https://www.intrinsec.com/alphv-ransomware-gang-analysis/?cn-reloaded=1 +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_arithmetic_operators?view=powershell-5.1 +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/set_1 +- https://www.trendmicro.com/en_us/research/18/d/new-macos-backdoor-linked-to-oceanlotus-found.html +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-7.2 +- https://bazaar.abuse.ch/sample/5cb9876681f78d3ee8a01a5aaa5d38b05ec81edc48b09e3865b75c49a2187831/ +- https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software +- https://web.archive.org/web/20231210115125/http://www.xuetr.com/ +- https://github.com/rapid7/metasploit-framework/issues/11337 +- 
https://github.com/wietze/HijackLibs/tree/dc9c9f2f94e6872051dab58fbafb043fdd8b4176/yml/3rd_party/python +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/replace +- https://www.cyberciti.biz/faq/how-force-kill-process-linux/ +- https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b +- https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/cyberabwehr/2024-02-19-joint-cyber-security-advisory-englisch.pdf?__blob=publicationFile&v=2 +- https://any.run/report/6eea2773c1b4b5c6fb7c142933e220c96f9a4ec89055bf0cf54accdcde7df535/a407f006-ee45-420d-b576-f259094df091 +- https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand +- https://redcanary.com/blog/threat-intelligence/intelligence-insights-october-2024/ - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Sidecar%20Injection/ -- https://research.nccgroup.com/2018/11/22/turla-png-dropper-is-back/ +- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-dont-require-multi-factor-authentication-for-activation +- https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708 +- https://news.ycombinator.com/item?id=29504755 +- https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-rds-privesc#rds-modifydbinstance +- https://www.datadoghq.com/blog/monitor-kubernetes-audit-logs/#monitor-api-authentication-issues +- https://threatbook.io/blog/Analysis-of-APT-C-60-Attack-on-South-Korea +- https://strontic.github.io/xcyclopedia/library/aclui.dll-F883E9CA757B622B032FDCA5BF33D0DF.html +- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/List%20K8S%20secrets/ +- https://tria.ge/240226-fhbe7sdc39/behavioral1 +- https://app.any.run/tasks/9a8fd563-4c54-4d0a-9ad8-1fe08339cbc3/ +- 
https://web.archive.org/web/20170909091934/https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis +- https://learn.microsoft.com/en-us/powershell/high-performance-computing/mpiexec?view=hpc19-ps +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#atypical-travel +- https://github.com/Ylianst/MeshAgent/blob/52cf129ca43d64743181fbaf940e0b4ddb542a37/modules/win-info.js#L55 - https://gtfobins.github.io/gtfobins/gawk/#shell -- https://github.com/grayhatkiller/SharpExShell -- https://blog.sekoia.io/scattered-spider-laying-new-eggs/ -- https://hijacklibs.net/entries/microsoft/built-in/mpsvc.html -- https://trustedsec.com/blog/oops-i-udld-it-again -- https://github.com/safedv/RustiveDump/blob/1a9b026b477587becfb62df9677cede619d42030/src/main.rs#L35 -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown -- https://gtfobins.github.io/gtfobins/find/#shell +- https://learn.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15 +- https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/ +- https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4776 +- https://www.linkedin.com/posts/kevin-beaumont-security_ive-been-assisting-a-few-orgs-hit-with-successful-activity-7268055739116445701-xxjZ/ +- https://www.virustotal.com/gui/file/91e405e8a527023fb8696624e70498ae83660fe6757cef4871ce9bcc659264d3/details +- https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference +- https://web.archive.org/web/20200530031906/https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/ +- https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/ +- 
https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/ +- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_ProxyByPass +- https://medium.com/@ahmed.moh.farou2/fake-captcha-campaign-on-arabic-pirated-movie-sites-delivers-lumma-stealer-4f203f7adabf +- https://tria.ge/240521-ynezpagf56/behavioral1 +- https://us-cert.cisa.gov/ncas/alerts/aa21-259a +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1 +- https://symantec-enterprise-blogs.security.com/threat-intelligence/harvester-new-apt-attacks-asia +- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings +- https://asec.ahnlab.com/en/40263/ +- https://learn.microsoft.com/en-us/iis/configuration/system.webserver/httplogging +- https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195 +- https://github.com/gentilkiwi/mimikatz +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32 +- https://goodworkaround.com/2022/02/15/digging-into-azure-ad-certificate-based-authentication/ +- https://learn.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16 +- https://www.elastic.co/guide/en/security/current/potential-non-standard-port-ssh-connection.html +- https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html +- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_UNCAsIntranet +- https://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/ +- https://darkatlas.io/blog/medusa-ransomware-group-opsec-failure +- https://www.virustotal.com/gui/file/5e75ef02517afd6e8ba6462b19217dc4a5a574abb33d10eb0f2bab49d8d48c22/behavior +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.4 +- 
https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malware-linked-ip-address-deprecated +- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted +- https://www.cve.org/CVERecord?id=CVE-2024-1709 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#service-principal-assigned-to-a-role -- https://research.checkpoint.com/2024/raspberry-robin-keeps-riding-the-wave-of-endless-1-days/ +- https://linux.die.net/man/1/arecord +- https://learn.microsoft.com/en-us/windows/win32/msi/event-logging +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#assignment-and-elevation +- https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/ +- https://www.cyberciti.biz/faq/show-all-running-processes-in-linux/ +- https://github.com/embedi/CVE-2017-11882 +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11) +- https://www.aon.com/cyber-solutions/aon_cyber_labs/linux-based-inter-process-code-injection-without-ptrace2/ +- https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/ +- https://redcanary.com/blog/threat-detection/process-masquerading/ +- https://research.ifcr.dk/certipy-4-0-esc9-esc10-bloodhound-gui-new-authentication-and-request-methods-and-more-7237d88061f7 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#new-owner -- https://www.myantispyware.com/2020/12/14/how-to-uninstall-onelaunch-browser-removal-guide/ -- https://twitter.com/th3_protoCOL/status/1536788652889497600 -- https://learn.microsoft.com/en-us/azure/defender-for-cloud/file-integrity-monitoring-overview#which-files-should-i-monitor -- 
https://www.zerodayinitiative.com/blog/2023/4/21/tp-link-wan-side-vulnerability-cve-2023-1389-added-to-the-mirai-botnet-arsenal -- https://blog.morphisec.com/vmware-identity-manager-attack-backdoor -- https://learn.microsoft.com/en-us/windows/win32/amsi/how-amsi-helps -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4634 -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malicious-ip-address -- https://web.archive.org/web/20231230220738/https://www.lunasec.io/docs/blog/log4j-zero-day/ -- https://symantec-enterprise-blogs.security.com/threat-intelligence/harvester-new-apt-attacks-asia -- https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/ +- https://web.archive.org/web/20230929023836/http://powershellhelp.space/commands/set-netfirewallrule-psv5.php +- https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash +- https://research.checkpoint.com/2024/raspberry-robin-keeps-riding-the-wave-of-endless-1-days/ +- https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/ +- https://github.com/DrorDvash/CVE-2022-22954_VMware_PoC +- https://web.archive.org/web/20220830134315/https://content.fireeye.com/apt-41/rpt-apt41/ +- https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html +- https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/ +- http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/ +- https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin - https://learn.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging -- https://gtfobins.github.io/gtfobins/awk/#shell -- https://github.com/ossec/ossec-hids/blob/master/etc/rules/syslog_rules.xml -- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/List%20K8S%20secrets/ -- 
https://malware.guide/browser-hijacker/remove-onelaunch-virus/ +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.4 +- https://www.hexacorn.com/blog/2024/10/12/the-sweet16-the-oldbin-lolbin-called-setup16-exe/ +- https://www.virustotal.com/gui/file/6f0f20da34396166df352bf301b3c59ef42b0bc67f52af3d541b0161c47ede05 +- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf +- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/container%20service%20account/ +- https://twitter.com/1ZRR4H/status/1537501582727778304 - https://gtfobins.github.io/gtfobins/flock/#shell -- https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/ +- https://blackpointcyber.com/resources/blog/breaking-through-the-screen/ +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) +- https://support.microsoft.com/en-us/office/data-security-and-python-in-excel-33cc88a4-4a87-485e-9ff9-f35958278327 +- https://globetech.biz/index.php/2023/05/19/evading-edr-by-dll-sideloading-in-csharp/ +- https://web.archive.org/web/20220422215221/https://twitter.com/malware_traffic/status/1517622327000846338 +- https://learn.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support +- https://www.nextron-systems.com/2024/03/22/unveiling-kamikakabot-malware-analysis/ +- https://gtfobins.github.io/gtfobins/capsh/#shell - https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=net-8.0 -- https://www.action1.com/documentation/ -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/systeminfo -- 
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4625 -- https://twitter.com/Max_Mal_/status/1775222576639291859 - https://github.com/CICADA8-Research/RemoteKrbRelay -- https://support.microsoft.com/en-us/office/data-security-and-python-in-excel-33cc88a4-4a87-485e-9ff9-f35958278327 +- https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain +- https://learn.microsoft.com/en-us/windows/package-manager/winget/install#local-install +- https://gtfobins.github.io/gtfobins/mawk/#shell +- https://app.any.run/tasks/25970bb5-f864-4e9e-9e1b-cc8ff9e6386a +- https://dear-territory-023.notion.site/WebDav-Share-Testing-e4950fa0c00149c3aa430d779b9b1d0f?pvs=4 +- https://bazaar.abuse.ch/browse/tag/one/ +- https://web.archive.org/web/20230329163438/https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html +- https://gtfobins.github.io/gtfobins/nawk/#shell +- https://www.virustotal.com/gui/search/behaviour_network%253A*.miningocean.org/files +- https://web.archive.org/web/20210725081645/https://github.com/cube0x0/CVE-2021-36934 +- https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-configure-mfa-policy +- https://learn.microsoft.com/pt-br/windows/win32/secauthz/sid-strings +- https://learn.microsoft.com/en-us/windows/win32/amsi/how-amsi-helps +- https://www.wiz.io/blog/how-to-set-secure-defaults-on-aws +- https://web.archive.org/web/20230420013146/http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf +- https://docs.microsoft.com/en-us/sql/tools/bcp-utility +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/assoc +- https://web.archive.org/web/20230331181619/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/ - 
https://medium.com/falconforce/soaphound-tool-to-collect-active-directory-data-via-adws-165aca78288c -- https://www.virustotal.com/gui/file/5e75ef02517afd6e8ba6462b19217dc4a5a574abb33d10eb0f2bab49d8d48c22/behavior -- https://github.com/Ylianst/MeshAgent/blob/52cf129ca43d64743181fbaf940e0b4ddb542a37/modules/win-dispatcher.js#L173 -- https://globetech.biz/index.php/2023/05/19/evading-edr-by-dll-sideloading-in-csharp/ -- https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100 -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins -- https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers -- https://community.fortinet.com/t5/FortiGate/Technical-Tip-Critical-vulnerability-Protect-against-heap-based/ta-p/239420 -- https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#core-directory -- https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/ -- http://www.hexacorn.com/blog/2020/02/05/stay-positive-lolbins-not/ -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183 +- https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/1903/W10_1903_Pro_20200714_18362.959/WEPExplorer/Microsoft-Windows-WindowsUpdateClient.xml +- https://web.archive.org/web/20231015205935/https://githubmemory.com/repo/FunctFan/JNDIExploit +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2 +- https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml +- https://www.loobins.io/binaries/xattr/ +- https://lots-project.com/site/2a2e617a75726566642e6e6574 +- 
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9 +- https://learn.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=windowsserver2022-ps +- https://www.elastic.co/guide/en/security/current/group-policy-abuse-for-privilege-addition.html#_setup_275 +- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#private_repository_forking +- https://medium.com/@NullByteWht/hacking-macos-how-to-dump-1password-keepassx-lastpass-passwords-in-plaintext-723c5b1c311b +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11) +- https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/ +- https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/ +- https://github.com/joaoviictorti/RustRedOps/tree/ce04369a246006d399e8c61d9fe0e6b34f988a49/Self_Deletion +- https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/ +- https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response +- https://www.dsinternals.com/en/dpapi-backup-key-theft-auditing/ +- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations +- https://www.trendmicro.com/en_no/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html +- https://web.archive.org/web/20220519091349/https://fatrodzianko.com/2020/02/15/dll-side-loading-appverif-exe/ +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78 +- https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteSAMLProvider.html +- 
https://www.gradenegger.eu/en/details-of-the-event-with-id-53-of-the-source-microsoft-windows-certificationauthority/ +- https://tria.ge/220422-1pw1pscfdl/ +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malicious-ip-address +- https://cloud.google.com/access-context-manager/docs/audit-logging +- https://objective-see.org/blog/blog_0x1E.html - https://learn.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2022-ps -- https://thedfirreport.com/2024/01/29/buzzing-on-christmas-eve-trigona-ransomware-in-3-hours/ -- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/container%20service%20account/ -- https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966 -- https://learn.microsoft.com/pt-br/windows/win32/secauthz/sid-strings -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create -- https://web.archive.org/web/20200530031906/https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/ -- https://web.archive.org/web/20220205033028/https://twitter.com/PythonResponder/status/1385064506049630211 -- https://www.group-ib.com/blog/apt41-world-tour-2021/ -- https://paper.seebug.org/1495/ -- https://bazaar.abuse.ch/sample/5cb9876681f78d3ee8a01a5aaa5d38b05ec81edc48b09e3865b75c49a2187831/ -- https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/ +- http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/ +- https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist#disable-quick-assist-within-your-organization +- https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/ +- https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBCluster.html +- 
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4673 +- https://ss64.com/nt/set.html +- https://docs.aws.amazon.com/lambda/latest/dg/API_CreateFunctionUrlConfig.html +- https://docs.microsoft.com/en-us/powershell/module/powershellwebaccess/install-pswawebapplication +- https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/ +- https://bazaar.abuse.ch/browse/signature/RaspberryRobin/ +- https://www.fortalicesolutions.com/posts/hiding-behind-the-front-door-with-azure-domain-fronting +- https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/ +- https://cloud.google.com/blog/topics/threat-intelligence/alphv-ransomware-backup/ +- https://www.loobins.io/binaries/hdiutil/ +- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +- https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/ +- https://labs.withsecure.com/publications/kapeka +- https://securelist.com/network-tunneling-with-qemu/111803/ +- https://www.vectra.ai/blog/undermining-microsoft-teams-security-by-mining-tokens +- https://gtfobins.github.io/gtfobins/rsync/#shell +- https://bazaar.abuse.ch/sample/8c75f8e94486f5bbf461505823f5779f328c5b37f1387c18791e0c21f3fdd576/ +- https://intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf +- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#administrators-arent-using-their-privileged-roles +- https://medium.com/@shaherzakaria8/downloading-trojan-lumma-infostealer-through-capatcha-1f25255a0e71 +- https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_22.12.2023.txt +- https://twitter.com/standa_t/status/1808868985678803222 +- 
https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/what-is-applocker +- https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/ +- https://learn.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps +- https://www.binarydefense.com/resources/blog/icedid-gziploader-analysis/ +- https://defr0ggy.github.io/research/Utilizing-BTunnel-For-Data-Exfiltration/ +- https://localtonet.com/documents/supported-tunnels +- https://us-cert.cisa.gov/ncas/alerts/aa21-008a +- https://www.forensafe.com/blogs/runmrukey.html +- https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/ +- https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/network-provider-settings-removed-in-place-upgrade +- https://www.attackiq.com/2023/09/20/emulating-rhysida/ - https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967 -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4794 -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file?view=powershell-7.2 -- https://www.pwndefend.com/2022/01/07/log4shell-exploitation-and-hunting-on-vmware-horizon-cve-2021-44228/ -- https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis -- https://docs.github.com/en/repositories/creating-and-managing-repositories/transferring-a-repository -- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services -- https://web.archive.org/web/20230329153811/https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html +- 
https://web.archive.org/web/20180718061628/https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2 +- https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/ +- https://github.com/ricardojoserf/NativeDump/blob/01d8cd17f31f51f5955a38e85cd3c83a17596175/NativeDump/Program.cs#L258 +- https://web.archive.org/web/20220319032520/https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection +- http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/ +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4616 +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7 +- https://github.com/yardenshafir/conference_talks/blob/3de1f5d7c02656c35117f067fbff0a219c304b09/OffensiveCon_2023_Your_Mitigations_are_My_Opportunities.pdf +- https://web.archive.org/web/20220205033028/https://twitter.com/PythonResponder/status/1385064506049630211 +- https://www.virustotal.com/gui/file/e96a0c1bc5f720d7f0a53f72e5bb424163c943c24a437b1065957a79f5872675 +- https://web.archive.org/web/20221204161143/https://www.glitch-cat.com/p/green-lambert-and-attack +- https://www.qemu.org/docs/master/system/invocation.html#hxtool-5 - https://tria.ge/231212-r1bpgaefar/behavioral2 -- https://ss64.com/nt/set.html -- https://www.loobins.io/binaries/tmutil/ -- https://github.com/CICADA8-Research/RemoteKrbRelay/blob/19ec76ba7aa50c2722b23359bc4541c0a9b2611c/Exploit/RemoteKrbRelay/Relay/Attacks/RemoteRegistry.cs#L31-L40 -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6423 -- https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/ +- https://megatools.megous.com/ +- https://my.f5.com/manage/s/article/K589 
+- https://github.com/nasbench/Misc-Research/blob/8ee690e43a379cbce8c9d61107442c36bd9be3d3/Other/Undocumented-Flags-Sdbinst.md +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd299871(v=ws.10) +- https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html +- https://web.archive.org/web/20230329170326/https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html +- https://www.deepwatch.com/labs/customer-advisory-fortios-ssl-vpn-vulnerability-cve-2022-42475-exploited-in-the-wild/ +- https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist +- https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins +- https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/ +- https://intezer.com/blog/research/how-we-escaped-docker-in-azure-functions/ +- https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/ +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931 +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4743 +- https://www.tenable.com/security/research/tra-2023-11 +- https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/ +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN +- https://www.loobins.io/binaries/pbpaste/ +- https://learn.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#appid-uri-added-modified-or-removed +- 
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4732 +- https://learn.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps +- https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf - https://thedfirreport.com/2024/06/10/icedid-brings-screenconnect-and-csharp-streamer-to-alphv-ransomware-deployment/#detections -- https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/ -- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5010 -- https://web.archive.org/web/20220830134315/https://content.fireeye.com/apt-41/rpt-apt41/ -- https://www.agnosticdev.com/content/how-diagnose-app-transport-security-issues-using-nscurl-and-openssl -- https://www.cve.org/CVERecord?id=CVE-2024-1709 +- https://ss64.com/osx/sw_vers.html +- http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/ - https://www.cisco.com/c/en/us/td/docs/ios/12_2sr/12_2sra/feature/guide/srmgtint.html#wp1127609 -- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#there-are-too-many-global-administrators +- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html +- https://learn.microsoft.com/en-us/windows/win32/shell/app-registration +- https://blog.sekoia.io/scattered-spider-laying-new-eggs/ +- https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf +- https://thecyberexpress.com/rogue-rdp-files-used-in-ukraine-cyberattacks/ +- https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/ +- https://www.pwndefend.com/2022/01/07/log4shell-exploitation-and-hunting-on-vmware-horizon-cve-2021-44228/ +- https://gtfobins.github.io/gtfobins/awk/#shell +- 
https://www.sans.org/blog/defending-against-scattered-spider-and-the-com-with-cybercrime-intelligence/ +- https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors +- https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx +- https://www.malwarebytes.com/blog/detections/pum-optional-nodispbackgroundpage +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4698 +- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Delete%20K8S%20events/ +- https://learn.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-authentication-flows +- https://redcanary.com/blog/msix-installers/ +- https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/ +- https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/ +- https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer +- https://asec.ahnlab.com/en/61000/ +- https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBCluster.html +- https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys +- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#migration +- https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216 +- https://medium.com/r3d-buck3t/red-teaming-in-cloud-leverage-azure-frontdoor-cdn-for-c2-redirectors-79dd9ca98178 +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#password-spray +- 
https://learn.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump +- https://github.com/GhostPack/SharpDPAPI +- https://www.huntress.com/blog/attacking-mssql-servers-pt-ii +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup - https://support.google.com/a/answer/9261439 -- https://gtfobins.github.io/gtfobins/python/#shell -- https://github.com/wietze/HijackLibs/tree/dc9c9f2f94e6872051dab58fbafb043fdd8b4176/yml/3rd_party/python -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#assignment-and-elevation +- https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100 +- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#ssh_certificate_authority +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#non-compliant-device-sign-in +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4625 +- https://web.archive.org/web/20160727113019/https://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/microsoft-antimalware-has-removed-history-of/f15af6c9-01a9-4065-8c6c-3f2bdc7de45e +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4741 +- https://gtfobins.github.io/gtfobins/find/#shell +- https://twitter.com/NathanMcNulty/status/1785051227568632263 +- https://confluence.atlassian.com/bitbucketserver/enable-ssh-access-to-git-repositories-776640358.html +- https://www.agnosticdev.com/content/how-diagnose-app-transport-security-issues-using-nscurl-and-openssl +- https://learn.microsoft.com/en-us/iis/configuration/system.applicationhost/sites/sitedefaults/logfile/ +- 
https://github.com/Ylianst/MeshAgent/blob/52cf129ca43d64743181fbaf940e0b4ddb542a37/modules/win-dispatcher.js#L173 +- https://twitter.com/TheDFIRReport/status/1482078434327244805 +- https://gist.github.com/mgeeky/3b11169ab77a7de354f4111aa2f0df38 - https://learn.microsoft.com/en-us/troubleshoot/windows-client/installing-updates-features-roles/system-registry-no-backed-up-regback-folder -- https://us-cert.cisa.gov/ncas/alerts/aa21-008a -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine -- https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/ -- http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/ -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-7.2 -- https://web.archive.org/web/20200601000524/https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/ -- https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/ -- https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/ -- https://strontic.github.io/xcyclopedia/library/aclui.dll-F883E9CA757B622B032FDCA5BF33D0DF.html -- https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_22.12.2023.txt -- https://www.nextron-systems.com/2024/03/22/unveiling-kamikakabot-malware-analysis/ -- https://tria.ge/240123-rapteaahhr/behavioral1 -- https://blogs.vmware.com/security/2023/11/jupyter-rising-an-update-on-jupyter-infostealer.html -- https://learn.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/replace +- https://www.virustotal.com/gui/file/ded20df574b843aaa3c8e977c2040e1498ae17c12924a19868df5b12dee6dfdd +- 
https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/ +- https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/ +- https://learn.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v +- https://boinc.berkeley.edu/ +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.4 +- https://github.com/0xthirteen/SharpMove/ +- https://web.archive.org/web/20210701042336/https://github.com/afwu/PrintNightmare +- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#there-are-too-many-global-administrators +- https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/ +- https://www.virustotal.com/gui/file/c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761 +- https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations +- https://www.trustedsec.com/blog/critical-vulnerability-in-progress-moveit-transfer-technical-analysis-and-recommendations/ +- https://web.archive.org/web/20230329155141/https://blog.menasec.net/2019/03/threat-hunting-26-remote-windows.html +- https://web.archive.org/web/20190710034152/https://github.com/zerosum0x0/CVE-2019-0708 +- https://adsecurity.org/?p=1785 +- http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/ +- https://research.nccgroup.com/2018/11/22/turla-png-dropper-is-back/ +- https://web.archive.org/web/20190508165435/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf +- https://web.archive.org/web/20231221193106/https://www.swascan.com/cactus-ransomware-malware-analysis/ +- https://thehackernews.com/2024/03/github-rolls-out-default-secret.html - 
https://web.archive.org/web/20230329172447/https://blog.menasec.net/2019/02/threat-hunting-24-microsoft-windows-dns.html -- https://gtfobins.github.io/gtfobins/c99/#shell -- https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-process-creations-originating-from-psexec-and-wmi-commands -- https://x.com/Max_Mal_/status/1826179497084739829 -- https://learn.microsoft.com/en-us/windows/win32/msi/event-logging -- https://app.any.run/tasks/fa99cedc-9d2f-4115-a08e-291429ce3692 -- https://gtfobins.github.io/gtfobins/git/#shell +- https://twitter.com/Max_Mal_/status/1775222576639291859 +- https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1 +- https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications +- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise +- https://web.archive.org/web/20200601000524/https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/ +- https://learn.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool +- https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ImportKeyPair.html - https://research.splunk.com/endpoint/07921114-6db4-4e2e-ae58-3ea8a52ae93f/ -- https://labs.withsecure.com/publications/kapeka -- https://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/ -- https://web.archive.org/web/20230331181619/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/ -- https://learn.microsoft.com/en-us/iis/configuration/system.applicationhost/sites/sitedefaults/logfile/ -- https://securelist.com/network-tunneling-with-qemu/111803/ -- 
https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#migration -- https://evasions.checkpoint.com/techniques/macos.html -- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5012 -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-granted-highly-privileged-permissions -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#atypical-travel -- https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/ -- https://megatools.megous.com/ -- https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set -- http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ -- https://cloud.google.com/logging/docs/audit/understanding-audit-logs -- https://web.archive.org/web/20221204161143/https://www.glitch-cat.com/p/green-lambert-and-attack -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins -- https://learn.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate?view=windowsserver2022-ps -- https://learn.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-authentication-flows -- http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/ -- https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/ -- https://learn.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16 -- http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/ -- 
https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes -- https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html -- https://gtfobins.github.io/gtfobins/nawk/#shell -- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations -- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted -- https://darkatlas.io/blog/medusa-ransomware-group-opsec-failure -- https://learn.microsoft.com/en-us/azure/dns/dns-zones-records -- https://research.nccgroup.com/2022/07/13/climbing-mount-everest-black-byte-bytes-back/ -- https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39 -- https://github.com/gentilkiwi/mimikatz - https://learn.microsoft.com/en-us/windows/client-management/manage-recall -- https://news.sophos.com/en-us/2024/08/07/sophos-mdr-hunt-tracks-mimic-ransomware-campaign-against-organizations-in-india/ -- https://redcanary.com/blog/threat-intelligence/intelligence-insights-october-2024/ -- https://web.archive.org/web/20190508165435/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf -- https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/ -- https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/ -- https://web.archive.org/web/20210701042336/https://github.com/afwu/PrintNightmare -- https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/ -- https://sensepost.com/blog/2024/dumping-lsa-secrets-a-story-about-task-decorrelation/ -- https://learn.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16 -- https://twitter.com/1ZRR4H/status/1537501582727778304 +- 
https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5010 +- https://twitter.com/Cryptolaemus1/status/1517634855940632576 +- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-activated-too-frequently +- https://learn.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool +- https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/ +- https://trustedsec.com/blog/specula-turning-outlook-into-a-c2-with-one-registry-change - https://blog.talosintelligence.com/uat-5647-romcom/ -- https://www.sans.org/blog/defending-against-scattered-spider-and-the-com-with-cybercrime-intelligence/ -- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#administrators-arent-using-their-privileged-roles -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7 -- https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/ -- https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/ -- https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/ -- https://unit42.paloaltonetworks.com/chromeloader-malware/ -- https://medium.com/r3d-buck3t/red-teaming-in-cloud-leverage-azure-frontdoor-cdn-for-c2-redirectors-79dd9ca98178 -- https://www.forensafe.com/blogs/runmrukey.html -- https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/ -- https://www.loobins.io/binaries/launchctl/ -- https://github.com/Ylianst/MeshAgent -- http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/ -- https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029 -- 
https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/ -- https://gist.github.com/mgeeky/3b11169ab77a7de354f4111aa2f0df38 -- https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist#disable-quick-assist-within-your-organization -- https://github.com/xephora/Threat-Remediation-Scripts/tree/main/Threat-Track/CS_INSTALLER -- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise -- https://www.microsoft.com/en-us/security/blog/2020/03/23/latest-astaroth-living-off-the-land-attacks-are-even-more-invisible-but-not-less-observable/ +- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage - https://gist.github.com/MHaggis/7e67b659af9148fa593cf2402edebb41 -- https://www.tenable.com/security/research/tra-2023-11 -- https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns-exe.html +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create - https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc -- https://localtonet.com/documents/supported-tunnels -- https://twitter.com/DTCERT/status/1712785421845790799 -- https://www.loobins.io/binaries/pbpaste/ -- https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708 -- https://web.archive.org/web/20231221193106/https://www.swascan.com/cactus-ransomware-malware-analysis/ -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.4 -- https://bazaar.abuse.ch/sample/8c75f8e94486f5bbf461505823f5779f328c5b37f1387c18791e0c21f3fdd576/ -- 
https://www.deepwatch.com/labs/customer-advisory-fortios-ssl-vpn-vulnerability-cve-2022-42475-exploited-in-the-wild/ -- https://twitter.com/th3_protoCOL/status/1480621526764322817 -- https://www.elastic.co/guide/en/security/current/kubernetes-container-created-with-excessive-linux-capabilities.html -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#new-country -- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Delete%20K8S%20events/ -- https://learn.microsoft.com/en-us/iis/configuration/system.webserver/httplogging -- https://web.archive.org/web/20210512154016/https://github.com/AlsidOfficial/WSUSpendu/blob/master/WSUSpendu.ps1 -- https://bazaar.abuse.ch/browse/tag/one/ -- https://ipurple.team/2024/07/15/sharphound-detection/ -- https://ss64.com/mac/hdiutil.html -- https://tria.ge/240307-1hlldsfe7t/behavioral2/analog?main_event=Registry&op=SetValueKeyInt +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-sign-in +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/systeminfo - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.4 -- https://www.virustotal.com/gui/file/91e405e8a527023fb8696624e70498ae83660fe6757cef4871ce9bcc659264d3/details -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#activity-from-anonymous-ip-address +- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-24---set-a-firewall-rule-using-new-netfirewallrule +- https://x.com/_st0pp3r_/status/1742203752361128162?s=20 +- https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html +- https://blogs.vmware.com/security/2023/11/jupyter-rising-an-update-on-jupyter-infostealer.html +- 
https://www.linkedin.com/feed/update/urn:li:ugcPost:7257437202706493443?commentUrn=urn%3Ali%3Acomment%3A%28ugcPost%3A7257437202706493443%2C7257522819985543168%29&dashCommentUrn=urn%3Ali%3Afsd_comment%3A%287257522819985543168%2Curn%3Ali%3AugcPost%3A7257437202706493443%29 +- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/xml/xslt/xslt-stylesheet-scripting-using-msxsl-script +- https://web.archive.org/web/20211001064856/https://github.com/snovvcrash/DInjector +- https://github.com/xephora/Threat-Remediation-Scripts/tree/main/Threat-Track/CS_INSTALLER +- https://tria.ge/240123-rapteaahhr/behavioral1 +- https://web.archive.org/web/20180203014709/https://blog.alsid.eu/dcshadow-explained-4510f52fc19d?gi=c426ac876c48 +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913 +- https://mp.weixin.qq.com/s/wUoBy7ZiqJL2CUOMC-8Wdg +- https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/ +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#new-country +- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::SecurityPage_AutoDetect +- https://learn.microsoft.com/en-us/windows/win32/shell/launch +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4771 +- https://web.archive.org/web/20230217071802/https://blooteem.com/march-2022 +- https://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/ +- https://twitter.com/DTCERT/status/1712785421845790799 +- https://cyber.wtf/2023/12/06/the-csharp-streamer-rat/ +- https://learn.microsoft.com/en-us/azure/dns/dns-zones-records +- https://unit42.paloaltonetworks.com/chromeloader-malware/ +- https://www.group-ib.com/blog/apt41-world-tour-2021/ +- 
https://strontic.github.io/xcyclopedia/library/dialer.exe-0B69655F912619756C704A0BF716B61F.html +- https://labs.nettitude.com/blog/introducing-sharpwsus/ +- https://sensepost.com/blog/2024/dumping-lsa-secrets-a-story-about-task-decorrelation/ +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-configuration-changes +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-inbox-forwarding +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4634 +- https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps +- https://web.archive.org/web/20230329153811/https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anonymous-ip-address - https://ss64.com/mac/chflags.html -- https://portswigger.net/daily-swig/vmware-horizon-under-attack-as-china-based-ransomware-group-targets-log4j-vulnerability -- https://news.sophos.com/en-us/2024/06/05/operation-crimson-palace-a-technical-deep-dive -- https://gtfobins.github.io/gtfobins/mawk/#shell -- https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/ -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-granted-highly-privileged-permissions +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5038 - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.4 -- https://app.any.run/tasks/25970bb5-f864-4e9e-9e1b-cc8ff9e6386a -- 
https://asec.ahnlab.com/en/40263/ -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931 -- https://docs.microsoft.com/en-us/sql/tools/bcp-utility -- https://web.archive.org/web/20230420013146/http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf -- https://learn.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15 -- https://medium.com/@ahmed.moh.farou2/fake-captcha-campaign-on-arabic-pirated-movie-sites-delivers-lumma-stealer-4f203f7adabf -- https://tria.ge/240731-jh4crsycnb/behavioral2 +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/takeown +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-credentials +- https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_vm.html +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4794 +- http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/ +- https://www.tarasco.org/security/pwdump_7/ +- https://learn.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps +- https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_vsan.html +- https://www.myantispyware.com/2020/12/14/how-to-uninstall-onelaunch-browser-removal-guide/ +- https://tria.ge/220422-1nnmyagdf2/ +- https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1 +- 
https://www.virustotal.com/gui/search/behaviour_processes%253A%2522C%253A%255C%255CWindows%255C%255CSysWOW64%255C%255Cmore.com%2522%2520behaviour_processes%253A%2522C%253A%255C%255CWindows%255C%255CMicrosoft.NET%255C%255CFramework%255C%255Cv4.0.30319%255C%255Cvbc.exe%2522/files +- https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild +- https://app.any.run/tasks/69c5abaa-92ad-45ba-8c53-c11e23e05d04/ +- https://github.com/CICADA8-Research/RemoteKrbRelay/blob/19ec76ba7aa50c2722b23359bc4541c0a9b2611c/Exploit/RemoteKrbRelay/Relay/Attacks/RemoteRegistry.cs#L31-L40 +- https://www.cyberciti.biz/faq/linux-remove-user-command/ +- https://github.com/grayhatkiller/SharpExShell +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure#conditional-access +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4706 +- https://twitter.com/th3_protoCOL/status/1536788652889497600 +- https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns-exe.html +- https://cloud.google.com/logging/docs/audit/understanding-audit-logs +- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine +- https://twitter.com/Kostastsale/status/1646256901506605063?s=20 +- https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/ +- https://www.softperfect.com/products/networkscanner/ +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anomalous-token +- https://tria.ge/231023-lpw85she57/behavioral2 +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#bitlocker-key-retrieval - https://www.hexacorn.com/blog/2018/04/24/extexport-yet-another-lolbin/ -- https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/ -- 
https://intezer.com/blog/research/how-we-escaped-docker-in-azure-functions/ -- https://web.archive.org/web/20211001064856/https://github.com/snovvcrash/DInjector -- https://adsecurity.org/?p=3513 +- https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd +- https://x.com/cyb3rops/status/1862406110365245506 +- http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/ +- https://www.ultimatewindowssecurity.com/wiki/page.aspx?spid=NSrpcservers +- https://malware.guide/browser-hijacker/remove-onelaunch-virus/ +- https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/ +- https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39 +- https://tria.ge/240307-1hlldsfe7t/behavioral2/analog?main_event=Registry&op=SetValueKeyInt +- https://github.com/redcanaryco/atomic-red-team/blob/5f866ca4517e837c4ea576e7309d0891e78080a8/atomics/T1040/T1040.md#atomic-test-16---powershell-network-sniffing +- https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/ +- https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis +- https://gtfobins.github.io/gtfobins/python/#shell +- https://tria.ge/240731-jh4crsycnb/behavioral2 diff --git a/README.md b/README.md index 84debf6d01e..0c66a83ace1 100644 --- a/README.md +++ b/README.md 
@@ -93,6 +93,7 @@ If you find a false positive or would like to propose a new detection rule idea * [alterix](https://github.com/mtnmunuklu/alterix) - Converts Sigma rules to the query language of CRYPTTECH's SIEM * [AttackIQ](https://www.attackiq.com/2024/01/10/sigmaiq-attackiqs-latest-innovation-for-actionable-detections/) - Sigma Rules integrated in AttackIQ's platform, and [SigmAIQ](https://github.com/AttackIQ/SigmAIQ) for Sigma rule conversion and LLM apps * [Atomic Threat Coverage](https://github.com/atc-project/atomic-threat-coverage) (Since December 2018) +* [AttackRuleMap - Mapping of Atomic Red Team tests and Sigma Rules](https://attackrulemap.com/) * [Confluent Sigma](https://github.com/confluentinc/confluent-sigma) - Kafka Streams supported Sigma rules * [IBM QRadar](https://community.ibm.com/community/user/security/blogs/gladys-koskas1/2023/08/02/qradar-natively-supports-sigma-for-rules-creation) * [Impede Detection Platform](https://impede.ai/) diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-42475/fortios_sslvpnd_exploit_cve_2022_42475_exploitation_indicators.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-42475/fortios_sslvpnd_exploit_cve_2022_42475_exploitation_indicators.yml index f483b6e47d1..1bb15c5abf4 100644 --- a/rules-emerging-threats/2022/Exploits/CVE-2022-42475/fortios_sslvpnd_exploit_cve_2022_42475_exploitation_indicators.yml +++ b/rules-emerging-threats/2022/Exploits/CVE-2022-42475/fortios_sslvpnd_exploit_cve_2022_42475_exploitation_indicators.yml @@ -1,6 +1,6 @@ title: Exploitation Indicator Of CVE-2022-42475 id: 293ccb8c-bed8-4868-8296-bef30e303b7e -status: experimental +status: test description: Detects exploitation indicators of CVE-2022-42475 a heap-based buffer overflow in sslvpnd. references: - https://www.fortiguard.com/psirt/FG-IR-22-398 
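Review bot: the new AttackRuleMap entry in the README hunk folds its description into the link text, while every neighbouring entry follows `* [Name](url) - description`; suggest `* [AttackRuleMap](https://attackrulemap.com/) - Mapping of Atomic Red Team tests and Sigma Rules` so the list stays consistent.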
diff --git a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml index 76bc58c80e4..9b8e5582e64 100644 --- a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml +++ b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml @@ -1,6 +1,6 @@ title: Qakbot Regsvr32 Calc Pattern id: 0033cf83-fb87-446d-9cac-43d63ad4d5a9 -status: experimental +status: test description: Detects a specific command line of "regsvr32" where the "calc" keyword is used in conjunction with the "/s" flag. This behavior is often seen used by Qakbot references: - https://github.com/pr0xylife/Qakbot/ diff --git a/rules-emerging-threats/2024/Exploits/CVE-2024-1708/file_event_win_exploit_cve_2024_1708_screenconnect.yml b/rules-emerging-threats/2024/Exploits/CVE-2024-1708/file_event_win_exploit_cve_2024_1708_screenconnect.yml index 51d4f2d343f..0f2db55b544 100644 --- a/rules-emerging-threats/2024/Exploits/CVE-2024-1708/file_event_win_exploit_cve_2024_1708_screenconnect.yml +++ b/rules-emerging-threats/2024/Exploits/CVE-2024-1708/file_event_win_exploit_cve_2024_1708_screenconnect.yml @@ -3,7 +3,7 @@ id: 44d7af7e-88e6-4490-be11-55f7ff4d9fc1 related: - id: 4c198a60-7d05-4daf-8bf7-4136fb6f5c62 type: similar -status: experimental +status: test description: | This detects file modifications to ASPX and ASHX files within the root of the App_Extensions directory, which is allowed by a ZipSlip vulnerability in versions prior to 23.9.8. This occurs during exploitation of CVE-2024-1708. references: diff --git a/rules-emerging-threats/2024/Exploits/CVE-2024-1708/win_security_exploit_cve_2024_1708_screenconnect.yml b/rules-emerging-threats/2024/Exploits/CVE-2024-1708/win_security_exploit_cve_2024_1708_screenconnect.yml index a5b7c079d12..1f5177a1f6d 100644 
--- a/rules-emerging-threats/2024/Exploits/CVE-2024-1708/win_security_exploit_cve_2024_1708_screenconnect.yml +++ b/rules-emerging-threats/2024/Exploits/CVE-2024-1708/win_security_exploit_cve_2024_1708_screenconnect.yml @@ -3,7 +3,7 @@ id: 4c198a60-7d05-4daf-8bf7-4136fb6f5c62 related: - id: 44d7af7e-88e6-4490-be11-55f7ff4d9fc1 type: similar -status: experimental +status: test description: | This detects file modifications to ASPX and ASHX files within the root of the App_Extensions directory, which is allowed by a ZipSlip vulnerability in versions prior to 23.9.8. This occurs during exploitation of CVE-2024-1708. This requires an Advanced Auditing policy to log a successful Windows Event ID 4663 events and with a SACL set on the directory. diff --git a/rules-emerging-threats/2024/Exploits/CVE-2024-1709/file_event_win_exploit_cve_2024_1709_user_database_modification_screenconnect.yml b/rules-emerging-threats/2024/Exploits/CVE-2024-1709/file_event_win_exploit_cve_2024_1709_user_database_modification_screenconnect.yml index 651a9363f40..1520735459d 100644 --- a/rules-emerging-threats/2024/Exploits/CVE-2024-1709/file_event_win_exploit_cve_2024_1709_user_database_modification_screenconnect.yml +++ b/rules-emerging-threats/2024/Exploits/CVE-2024-1709/file_event_win_exploit_cve_2024_1709_user_database_modification_screenconnect.yml @@ -3,7 +3,7 @@ id: 1a821580-588b-4323-9422-660f7e131020 related: - id: 4109cb6a-a4af-438a-9f0c-056abba41c6f type: similar -status: experimental +status: test description: | Detects file modifications to the temporary xml user database file indicating local user modification in the ScreenConnect server. This will occur during exploitation of the ScreenConnect Authentication Bypass vulnerability (CVE-2024-1709) in versions <23.9.8, but may also be observed when making legitimate modifications to local users or permissions. 
diff --git a/rules-emerging-threats/2024/Exploits/CVE-2024-1709/web_exploit_cve_2024_1709_screenconnect.yml b/rules-emerging-threats/2024/Exploits/CVE-2024-1709/web_exploit_cve_2024_1709_screenconnect.yml index 4914ee493d8..54c5f4a936c 100644 --- a/rules-emerging-threats/2024/Exploits/CVE-2024-1709/web_exploit_cve_2024_1709_screenconnect.yml +++ b/rules-emerging-threats/2024/Exploits/CVE-2024-1709/web_exploit_cve_2024_1709_screenconnect.yml @@ -1,6 +1,6 @@ title: CVE-2024-1709 - ScreenConnect Authentication Bypass Exploitation id: d27eabad-9068-401a-b0d6-9eac744d6e67 -status: experimental +status: test description: | Detects GET requests to '/SetupWizard.aspx/[anythinghere]' that indicate exploitation of the ScreenConnect vulnerability CVE-2024-1709. references: diff --git a/rules-emerging-threats/2024/Exploits/CVE-2024-1709/win_security_exploit_cve_2024_1709_user_database_modification_screenconnect.yml b/rules-emerging-threats/2024/Exploits/CVE-2024-1709/win_security_exploit_cve_2024_1709_user_database_modification_screenconnect.yml index f63b2547f00..ed6c82ce731 100644 --- a/rules-emerging-threats/2024/Exploits/CVE-2024-1709/win_security_exploit_cve_2024_1709_user_database_modification_screenconnect.yml +++ b/rules-emerging-threats/2024/Exploits/CVE-2024-1709/win_security_exploit_cve_2024_1709_user_database_modification_screenconnect.yml @@ -3,7 +3,7 @@ id: 4109cb6a-a4af-438a-9f0c-056abba41c6f related: - id: 1a821580-588b-4323-9422-660f7e131020 type: similar -status: experimental +status: test description: | This detects file modifications to the temporary xml user database file indicating local user modification in the ScreenConnect server. This will occur during exploitation of the ScreenConnect Authentication Bypass vulnerability (CVE-2024-1709) in versions <23.9.8, but may also be observed when making legitimate modifications to local users or permissions. 
diff --git a/rules-emerging-threats/2024/Exploits/CVE-2024-50623/proc_creation_win_exploit_cve_2024_50623_cleo.yml b/rules-emerging-threats/2024/Exploits/CVE-2024-50623/proc_creation_win_exploit_cve_2024_50623_cleo.yml new file mode 100644 index 00000000000..d6b0692c907 --- /dev/null +++ b/rules-emerging-threats/2024/Exploits/CVE-2024-50623/proc_creation_win_exploit_cve_2024_50623_cleo.yml @@ -0,0 +1,33 @@ +title: CVE-2024-50623 Exploitation Attempt - Cleo +id: f007b877-02e3-45b7-8501-1b78c2864029 +status: experimental +description: | + Detects exploitation attempt of Cleo's CVE-2024-50623 by looking for a "cmd.exe" process spawning from the Celo software suite with suspicious Powershell commandline. +references: + - https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild +author: Tanner Filip, Austin Worline, Chad Hudson, Matt Anderson +date: 2024-12-09 +tags: + - attack.execution + - attack.t1190 +logsource: + category: process_creation + product: windows +detection: + selection: + ParentImage|endswith: '\javaw.exe' + ParentCommandLine|contains: + - 'Harmony' + - 'lexicom' + - 'VersaLex' + - 'VLTrader' + Image|endswith: '\cmd.exe' + CommandLine|contains: + - 'powershell' + - ' -enc ' + - ' -EncodedCommand' + - '.Download' + condition: selection +falsepositives: + - Unlikely +level: high diff --git a/rules-emerging-threats/2024/Malware/Generic/file_event_win_malware_generic_creation_configuration_rats.yml b/rules-emerging-threats/2024/Malware/Generic/file_event_win_malware_generic_creation_configuration_rats.yml new file mode 100644 index 00000000000..fbbd0e98a74 --- /dev/null +++ b/rules-emerging-threats/2024/Malware/Generic/file_event_win_malware_generic_creation_configuration_rats.yml 
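Review bot: the `description` of the new Cleo rule misspells the product ("Celo software suite") and "Powershell"; suggest "Detects exploitation attempts of Cleo's CVE-2024-50623 by looking for a "cmd.exe" process spawned from the Cleo software suite (Harmony, LexiCom, VLTrader) with a suspicious PowerShell command line." Since `attack.t1190` is an Initial Access technique, `tags` should also carry `attack.initial-access` next to `attack.execution`.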
@@ -0,0 +1,34 @@ +title: File Creation Related To RAT Clients +id: 2f3039c8-e8fe-43a9-b5cf-dcd424a2522d +status: experimental +description: | + File .conf created related to VenomRAT, AsyncRAT and Lummac samples observed in the wild. +references: + - https://www.virustotal.com/gui/file/c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761 + - https://www.virustotal.com/gui/file/e96a0c1bc5f720d7f0a53f72e5bb424163c943c24a437b1065957a79f5872675 +author: Joseliyo Sanchez, @Joseliyo_Jstnk +date: 2024-12-19 +tags: + - attack.execution +logsource: + category: file_event + product: windows +detection: + # VT Query: behaviour_files:"\\AppData\\Roaming\\DataLogs\\DataLogs.conf" + # VT Query: behaviour_files:"DataLogs.conf" or behaviour_files:"hvnc.conf" or behaviour_files:"dcrat.conf" + selection_required: + TargetFilename|contains: '\AppData\Roaming\' + selection_variants: + TargetFilename|contains: + - '\mydata\' + - '\datalogs\' + - '\hvnc\' + - '\dcrat\' + TargetFilename|endswith: + - '\datalogs.conf' + - '\hvnc.conf' + - '\dcrat.conf' + condition: all of selection_* +falsepositives: + - Legitimate software creating a file with the same name +level: high diff --git a/rules-emerging-threats/2024/Malware/Lummac-Stealer/proc_creation_win_malware_lummac_more_vbc.yml b/rules-emerging-threats/2024/Malware/Lummac-Stealer/proc_creation_win_malware_lummac_more_vbc.yml new file mode 100644 index 00000000000..527eb6e4590 --- /dev/null +++ b/rules-emerging-threats/2024/Malware/Lummac-Stealer/proc_creation_win_malware_lummac_more_vbc.yml 
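Review bot: in `selection_variants` the `\mydata\` directory has no obviously matching name in the `TargetFilename|endswith` list (only datalogs/hvnc/dcrat.conf), so please confirm against the referenced samples which `.conf` name it pairs with, or drop the entry if it cannot match. The `description` also reads awkwardly; suggest "Detects the creation of ".conf" files associated with VenomRAT, AsyncRAT and Lummac samples observed in the wild."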
@@ -0,0 +1,31 @@ +title: Lummac Stealer Activity - Execution Of More.com And Vbc.exe +id: 19b3806e-46f2-4b4c-9337-e3d8653245ea +status: experimental +description: | + Detects the execution of more.com and vbc.exe in the process tree. + This behavior was observed by a set of samples related to Lummac Stealer. + The Lummac payload is injected into the vbc.exe process. +references: + - https://www.virustotal.com/gui/search/behaviour_processes%253A%2522C%253A%255C%255CWindows%255C%255CSysWOW64%255C%255Cmore.com%2522%2520behaviour_processes%253A%2522C%253A%255C%255CWindows%255C%255CMicrosoft.NET%255C%255CFramework%255C%255Cv4.0.30319%255C%255Cvbc.exe%2522/files + - https://www.virustotal.com/gui/file/14d886517fff2cc8955844b252c985ab59f2f95b2849002778f03a8f07eb8aef + - https://strontic.github.io/xcyclopedia/library/more.com-EDB3046610020EE614B5B81B0439895E.html + - https://strontic.github.io/xcyclopedia/library/vbc.exe-A731372E6F6978CE25617AE01B143351.html +author: Joseliyo Sanchez, @Joseliyo_Jstnk +date: 2024-12-19 +tags: + - attack.defense-evasion + - attack.t1055 +logsource: + category: process_creation + product: windows +detection: + # VT Query: behaviour_processes:"C:\\Windows\\SysWOW64\\more.com" behaviour_processes:"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe" + selection_parent: + ParentImage|endswith: '\more.com' + selection_child: + - Image|endswith: '\vbc.exe' + - OriginalFileName: 'vbc.exe' + condition: all of selection_* +falsepositives: + - Unknown +level: high diff --git a/rules-emerging-threats/2024/Malware/Raspberry-Robin/proc_creation_win_malware_raspberry_robin_rundll32_shell32_cpl_exection.yml b/rules-emerging-threats/2024/Malware/Raspberry-Robin/proc_creation_win_malware_raspberry_robin_rundll32_shell32_cpl_exection.yml index 24eb3cbda42..e0e6cb1ee5b 100644 --- a/rules-emerging-threats/2024/Malware/Raspberry-Robin/proc_creation_win_malware_raspberry_robin_rundll32_shell32_cpl_exection.yml 
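Review bot: the `description` of the Lummac rule says the behavior "was observed by a set of samples"; it should read "was observed in a set of samples". The `# VT Query` comment under `detection` duplicates the first URL in `references` in decoded form, which is helpful, but consider stating in the description that `more.com` is a legitimate pager so analysts know why the parent/child pairing, not either binary alone, is the signal.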
+++ b/rules-emerging-threats/2024/Malware/Raspberry-Robin/proc_creation_win_malware_raspberry_robin_rundll32_shell32_cpl_exection.yml @@ -1,6 +1,6 @@ title: Potential Raspberry Robin CPL Execution Activity id: 92020b88-9caf-464f-bad8-cd0fb0aa2a81 -status: experimental +status: test description: | Detects the execution of a ".CPL" file located in the user temp directory via the Shell32 DLL "Control_RunDLL" export function. This behavior was observed in multiple Raspberry-Robin variants. diff --git a/rules-emerging-threats/2024/TA/DPRK/dns_query_win_apt_dprk_malicious_domains.yml b/rules-emerging-threats/2024/TA/DPRK/dns_query_win_apt_dprk_malicious_domains.yml index e40426947ff..9a3133c6bda 100644 --- a/rules-emerging-threats/2024/TA/DPRK/dns_query_win_apt_dprk_malicious_domains.yml +++ b/rules-emerging-threats/2024/TA/DPRK/dns_query_win_apt_dprk_malicious_domains.yml @@ -1,6 +1,6 @@ title: DPRK Threat Actor - C2 Communication DNS Indicators id: 4d16c9a6-4362-4863-9940-1dee35f1d70f -status: experimental +status: test description: Detects DNS queries for C2 domains used by DPRK Threat actors. references: - https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/cyberabwehr/2024-02-19-joint-cyber-security-advisory-englisch.pdf?__blob=publicationFile&v=2 diff --git a/rules-emerging-threats/2024/TA/SlashAndGrab-Exploitation-In-Wild/file_event_win_apt_unknown_exploitation_indicators.yml b/rules-emerging-threats/2024/TA/SlashAndGrab-Exploitation-In-Wild/file_event_win_apt_unknown_exploitation_indicators.yml index f4d21e4595a..e3db0e2b46f 100644 --- a/rules-emerging-threats/2024/TA/SlashAndGrab-Exploitation-In-Wild/file_event_win_apt_unknown_exploitation_indicators.yml +++ b/rules-emerging-threats/2024/TA/SlashAndGrab-Exploitation-In-Wild/file_event_win_apt_unknown_exploitation_indicators.yml 
@@ -1,6 +1,6 @@ title: ScreenConnect - SlashAndGrab Exploitation Indicators id: 05164d17-8e11-4d7d-973e-9e4962436b87 -status: experimental +status: test description: | Detects indicators of exploitation by threat actors during exploitation of the "SlashAndGrab" vulnerability related to ScreenConnect as reported Team Huntress references: diff --git a/rules/linux/process_creation/proc_creation_lnx_kill_process.yml b/rules-threat-hunting/linux/process_creation/proc_creation_lnx_susp_process_termination_via_kill.yml similarity index 78% rename from rules/linux/process_creation/proc_creation_lnx_kill_process.yml rename to rules-threat-hunting/linux/process_creation/proc_creation_lnx_susp_process_termination_via_kill.yml index 0dd9466797b..78192617d31 100644 --- a/rules/linux/process_creation/proc_creation_lnx_kill_process.yml +++ b/rules-threat-hunting/linux/process_creation/proc_creation_lnx_susp_process_termination_via_kill.yml @@ -5,11 +5,14 @@ description: Detects usage of command line tools such as "kill", "pkill" or "kil references: - https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html - https://www.cyberciti.biz/faq/how-force-kill-process-linux/ + - https://www.geeksforgeeks.org/how-to-kill-processes-on-the-linux-desktop-with-xkill/ author: Tuan Le (NCSGroup) date: 2023-03-16 +modified: 2024-12-12 tags: - attack.defense-evasion - attack.t1562 + - detection.threat-hunting logsource: product: linux category: process_creation @@ -17,9 +20,10 @@ detection: selection: Image|endswith: - '/kill' - - '/pkill' - '/killall' + - '/pkill' + - '/xkill' condition: selection falsepositives: - - Likely -level: low + - Unknown +level: medium 
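Review bot: in the second hunk of the kill rule, changing `falsepositives` from "Likely" to "Unknown" while raising `level` to medium understates the noise of a rule whose own description is plain usage of "kill", "pkill" or "killall", now with "xkill" added; since the file is moving to `rules-threat-hunting` with the `detection.threat-hunting` tag, suggest keeping "Likely" or listing "Legitimate administration activities" as the sibling process discovery rule in this patch does, and reconsidering whether medium is justified.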
diff --git a/rules/linux/process_creation/proc_creation_lnx_process_discovery.yml b/rules-threat-hunting/linux/process_creation/proc_creation_lnx_susp_running_process_discovery.yml similarity index 75% rename from rules/linux/process_creation/proc_creation_lnx_process_discovery.yml rename to rules-threat-hunting/linux/process_creation/proc_creation_lnx_susp_running_process_discovery.yml index ccb7e71601b..4af8025ffa5 100644 --- a/rules/linux/process_creation/proc_creation_lnx_process_discovery.yml +++ b/rules-threat-hunting/linux/process_creation/proc_creation_lnx_susp_running_process_discovery.yml @@ -6,21 +6,27 @@ description: | Information obtained could be used to gain an understanding of common software/applications running on systems within the network references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md -author: Ömer Günal, oscd.community + - https://www.cyberciti.biz/faq/show-all-running-processes-in-linux/ +author: Ömer Günal, oscd.community, CheraaghiMilad date: 2020-10-06 modified: 2022-07-07 tags: - attack.discovery - attack.t1057 + - detection.threat-hunting logsource: product: linux category: process_creation detection: selection: Image|endswith: + - '/atop' + - '/htop' + - '/pgrep' - '/ps' + - '/pstree' - '/top' condition: selection falsepositives: - Legitimate administration activities -level: informational +level: low diff --git a/rules-threat-hunting/windows/powershell/powershell_classic/posh_pc_bxor_operator_usage.yml b/rules-threat-hunting/windows/powershell/powershell_classic/posh_pc_bxor_operator_usage.yml new file mode 100644 index 00000000000..fabaf99bf5f --- /dev/null +++ b/rules-threat-hunting/windows/powershell/powershell_classic/posh_pc_bxor_operator_usage.yml 
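Review bot: `modified: 2022-07-07` is left untouched although this hunk adds a reference, an author, the `detection.threat-hunting` tag and four new images (atop, htop, pgrep, pstree) and changes `level`; bump it to the change date, as the kill rule in the same patch does with `modified: 2024-12-12`.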
@@ -0,0 +1,29 @@ +title: bXOR Operator Usage In PowerShell Command Line - PowerShell Classic +id: 812837bb-b17f-45e9-8bd0-0ec35d2e3bd6 +status: test +description: | + Detects powershell execution with that make use of to the bxor (Bitwise XOR). + Attackers might use as an alternative obfuscation method to Base64 encoded commands. + Investigate the CommandLine and process tree to determine if the activity is malicious. +references: + - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=46 + - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_arithmetic_operators?view=powershell-5.1 +author: Teymur Kheirkhabarov, Harish Segar +date: 2020-06-29 +modified: 2024-12-11 +tags: + - attack.execution + - attack.t1059.001 + - detection.threat-hunting +logsource: + product: windows + category: ps_classic_start +detection: + selection: + Data|contains|all: + - 'HostName=ConsoleHost' + - ' -bxor ' + condition: selection +falsepositives: + - Unknown +level: low diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_child_proc.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_child_proc.yml index 432593f2bdd..e8dfcfac80d 100644 --- a/rules-threat-hunting/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_child_proc.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_child_proc.yml @@ -5,7 +5,7 @@ related: type: derived - id: 7b582f1a-b318-4c6a-bf4e-66fe49bf55a5 type: derived -status: experimental +status: test description: | Detects remote binary or command execution via the ScreenConnect Service. Use this rule in order to hunt for potentially anomalous executions originating from ScreenConnect 
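Review bot: the `description` of the bXOR rule is ungrammatical ("Detects powershell execution with that make use of to the bxor", "Attackers might use as an alternative"); suggest "Detects PowerShell execution that makes use of the -bxor (bitwise XOR) operator. Attackers might use it as an alternative obfuscation method to Base64-encoded commands." Also, the file is added as new yet carries `date: 2020-06-29`, `modified: 2024-12-11` and `status: test`; if it supersedes an existing rule, use a rename or add a `related` entry so the rule's history is preserved.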
diff --git a/rules-threat-hunting/windows/registry/registry_set/registry_set_shell_context_menu_tampering.yml b/rules-threat-hunting/windows/registry/registry_set/registry_set_shell_context_menu_tampering.yml index 138f44b31d7..8c4d88f2547 100644 --- a/rules-threat-hunting/windows/registry/registry_set/registry_set_shell_context_menu_tampering.yml +++ b/rules-threat-hunting/windows/registry/registry_set/registry_set_shell_context_menu_tampering.yml @@ -1,6 +1,6 @@ title: Shell Context Menu Command Tampering id: 868df2d1-0939-4562-83a7-27408c4a1ada -status: experimental +status: test description: Detects changes to shell context menu commands. Use this rule to hunt for potential anomalies and suspicious shell commands. references: - https://mrd0x.com/sentinelone-persistence-via-menu-context/ diff --git a/rules/cloud/aws/cloudtrail/aws_console_getsignintoken.yml b/rules/cloud/aws/cloudtrail/aws_console_getsignintoken.yml index 0cd347efae5..4c9e9d3de9b 100644 --- a/rules/cloud/aws/cloudtrail/aws_console_getsignintoken.yml +++ b/rules/cloud/aws/cloudtrail/aws_console_getsignintoken.yml @@ -1,6 +1,6 @@ title: AWS Console GetSigninToken Potential Abuse id: f8103686-e3e8-46f3-be72-65f7fcb4aa53 -status: experimental +status: test description: | Detects potentially suspicious events involving "GetSigninToken". An adversary using the "aws_consoler" tool can leverage this console API to create temporary federated credential that help obfuscate which AWS credential is compromised (the original access key) and enables the adversary to pivot from the AWS CLI to console sessions without the need for MFA using the new access key issued in this request. diff --git a/rules/cloud/aws/cloudtrail/aws_delete_saml_provider.yml b/rules/cloud/aws/cloudtrail/aws_delete_saml_provider.yml new file mode 100644 index 00000000000..39d0764567b --- /dev/null +++ b/rules/cloud/aws/cloudtrail/aws_delete_saml_provider.yml 
@@ -0,0 +1,28 @@ +title: AWS SAML Provider Deletion Activity +id: ccd6a6c8-bb4e-4a91-9d2a-07e632819374 +status: experimental +description: | + Detects the deletion of an AWS SAML provider, potentially indicating malicious intent to disrupt administrative or security team access. + An attacker can remove the SAML provider for the information security team or a team of system administrators, to make it difficult for them to work and investigate at the time of the attack and after it. +references: + - https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteSAMLProvider.html +author: Ivan Saakov +date: 2024-12-19 +tags: + - attack.t1078.004 + - attack.privilege-escalation + - attack.t1531 +logsource: + product: aws + service: cloudtrail +detection: + selection: + eventSource: 'iam.amazonaws.com' + eventName: 'DeleteSAMLProvider' + status: 'success' + condition: selection +falsepositives: + - Automated processes using tools like Terraform may trigger this alert. + - Legitimate administrative actions by authorized system administrators could cause this alert. Verify the user identity, user agent, and hostname to ensure they are expected. + - Deletions by unfamiliar users should be investigated. If the behavior is known and expected, it can be exempted from the rule. +level: medium diff --git a/rules/cloud/aws/cloudtrail/aws_ec2_import_key_pair_activity.yml b/rules/cloud/aws/cloudtrail/aws_ec2_import_key_pair_activity.yml new file mode 100644 index 00000000000..0130118809f --- /dev/null +++ b/rules/cloud/aws/cloudtrail/aws_ec2_import_key_pair_activity.yml 
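Review bot: `status: 'success'` in `selection` does not appear to be a native CloudTrail record field (CloudTrail marks failed calls with `errorCode`); confirm which backend field this maps to for the `cloudtrail` logsource or drop the condition. On `tags`, `attack.t1531` (Account Access Removal) is an Impact technique and matches the description's disruption-of-access rationale, so add `attack.impact`; `attack.privilege-escalation` is not supported by the described behavior.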
@@ -0,0 +1,27 @@ +title: AWS Key Pair Import Activity +id: 92f84194-8d9a-4ee0-8699-c30bfac59780 +status: experimental +description: | + Detects the import of SSH key pairs into AWS EC2, which may indicate an attacker attempting to gain unauthorized access to instances. This activity could lead to initial access, persistence, or privilege escalation, potentially compromising sensitive data and operations. +references: + - https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ImportKeyPair.html +author: Ivan Saakov +date: 2024-12-19 +tags: + - attack.initial-access + - attack.t1078 + - attack.persistence + - attack.privilege-escalation +logsource: + product: aws + service: cloudtrail +detection: + selection: + eventSource: 'ec2.amazonaws.com' + eventName: 'ImportKeyPair' + condition: selection +falsepositives: + - Legitimate administrative actions by authorized users importing keys for valid purposes. + - Automated processes for infrastructure setup may trigger this alert. + - Verify the user identity, user agent, and source IP address to ensure they are expected. +level: medium diff --git a/rules/cloud/aws/cloudtrail/aws_lambda_function_url.yml b/rules/cloud/aws/cloudtrail/aws_lambda_function_url.yml new file mode 100644 index 00000000000..5d611b64ade --- /dev/null +++ b/rules/cloud/aws/cloudtrail/aws_lambda_function_url.yml 
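Review bot: the third `falsepositives` entry ("Verify the user identity, user agent, and source IP address...") is investigation guidance rather than a source of false positives and belongs in the `description`; the same applies to the closing sentence of the first `falsepositives` entry in the SAML provider rule above. The `tags` also list three tactics (initial-access, persistence, privilege-escalation) against the single technique `attack.t1078`; trim them to the tactics the description actually substantiates.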
@@ -0,0 +1,27 @@ +title: New AWS Lambda Function URL Configuration Created +id: ec541962-c05a-4420-b9ea-84de072d18f4 +status: experimental +description: | + Detects when a user creates a Lambda function URL configuration, which could be used to expose the function to the internet and potentially allow unauthorized access to the function's IAM role for AWS API calls. + This could give an adversary access to the privileges associated with the Lambda service role that is attached to that function. +references: + - https://docs.aws.amazon.com/lambda/latest/dg/API_CreateFunctionUrlConfig.html + - https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-lambda-privesc + - https://www.wiz.io/blog/how-to-set-secure-defaults-on-aws +author: Ivan Saakov +date: 2024-12-19 +tags: + - attack.initial-access + - attack.privilege-escalation +logsource: + product: aws + service: cloudtrail +detection: + selection: + eventSource: lambda.amazonaws.com + eventName: 'CreateFunctionUrlConfig' + condition: selection +falsepositives: + - Creating a Lambda function URL configuration may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Creating a Lambda function URL configuration from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. +level: medium diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_full_data_export_triggered.yml b/rules/cloud/bitbucket/audit/bitbucket_audit_full_data_export_triggered.yml index ab30043f2fa..6c6dad09725 100644 --- a/rules/cloud/bitbucket/audit/bitbucket_audit_full_data_export_triggered.yml +++ b/rules/cloud/bitbucket/audit/bitbucket_audit_full_data_export_triggered.yml 
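Review bot: `tags` on the Lambda URL rule carry only tactic names (`attack.initial-access`, `attack.privilege-escalation`) and no technique id, unlike the two other new AWS rules in this patch; add the technique the tactics refer to or drop the tactic that is not substantiated. Minor: `eventSource: lambda.amazonaws.com` is unquoted while `eventName: 'CreateFunctionUrlConfig'` and the sibling rules quote both values; quote it for consistency.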
@@ -1,6 +1,6 @@ title: Bitbucket Full Data Export Triggered id: 195e1b9d-bfc2-4ffa-ab4e-35aef69815f8 -status: experimental +status: test description: Detects when full data export is attempted. references: - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_global_permissions_change_detected.yml b/rules/cloud/bitbucket/audit/bitbucket_audit_global_permissions_change_detected.yml index 2e920a4e307..c47aabd523d 100644 --- a/rules/cloud/bitbucket/audit/bitbucket_audit_global_permissions_change_detected.yml +++ b/rules/cloud/bitbucket/audit/bitbucket_audit_global_permissions_change_detected.yml @@ -1,6 +1,6 @@ title: Bitbucket Global Permission Changed id: aac6c4f4-87c7-4961-96ac-c3fd3a42c310 -status: experimental +status: test description: Detects global permissions change activity. references: - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_global_secret_scanning_rule_deleted.yml b/rules/cloud/bitbucket/audit/bitbucket_audit_global_secret_scanning_rule_deleted.yml index 6e8bda2c16c..d85ad0009c4 100644 --- a/rules/cloud/bitbucket/audit/bitbucket_audit_global_secret_scanning_rule_deleted.yml +++ b/rules/cloud/bitbucket/audit/bitbucket_audit_global_secret_scanning_rule_deleted.yml @@ -1,6 +1,6 @@ title: Bitbucket Global Secret Scanning Rule Deleted id: e16cf0f0-ee88-4901-bd0b-4c8d13d9ee05 -status: experimental +status: test description: Detects Bitbucket global secret scanning rule deletion activity. references: - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_global_ssh_settings_change_detected.yml b/rules/cloud/bitbucket/audit/bitbucket_audit_global_ssh_settings_change_detected.yml index 39179f0e763..88bb6f2772e 100644 
--- a/rules/cloud/bitbucket/audit/bitbucket_audit_global_ssh_settings_change_detected.yml +++ b/rules/cloud/bitbucket/audit/bitbucket_audit_global_ssh_settings_change_detected.yml @@ -1,6 +1,6 @@ title: Bitbucket Global SSH Settings Changed id: 16ab6143-510a-44e2-a615-bdb80b8317fc -status: experimental +status: test description: Detects Bitbucket global SSH access configuration changes. references: - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_log_configuration_update_detected.yml b/rules/cloud/bitbucket/audit/bitbucket_audit_log_configuration_update_detected.yml index ce0a8b0aa98..cb09d1cda9d 100644 --- a/rules/cloud/bitbucket/audit/bitbucket_audit_log_configuration_update_detected.yml +++ b/rules/cloud/bitbucket/audit/bitbucket_audit_log_configuration_update_detected.yml @@ -1,6 +1,6 @@ title: Bitbucket Audit Log Configuration Updated id: 6aa12161-235a-4dfb-9c74-fe08df8d8da1 -status: experimental +status: test description: Detects changes to the bitbucket audit log configuration. references: - https://confluence.atlassian.com/bitbucketserver/view-and-configure-the-audit-log-776640417.html diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_project_secret_scanning_allowlist_added.yml b/rules/cloud/bitbucket/audit/bitbucket_audit_project_secret_scanning_allowlist_added.yml index b1baeb37115..1b5a7a1fb4b 100644 --- a/rules/cloud/bitbucket/audit/bitbucket_audit_project_secret_scanning_allowlist_added.yml +++ b/rules/cloud/bitbucket/audit/bitbucket_audit_project_secret_scanning_allowlist_added.yml @@ -1,6 +1,6 @@ title: Bitbucket Project Secret Scanning Allowlist Added id: 42ccce6d-7bd3-4930-95cd-e4d83fa94a30 -status: experimental +status: test description: Detects when a secret scanning allowlist rule is added for projects. references: - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html 
diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_secret_scanning_exempt_repository_detected.yml b/rules/cloud/bitbucket/audit/bitbucket_audit_secret_scanning_exempt_repository_detected.yml index 6019e448233..2b4c012ae51 100644 --- a/rules/cloud/bitbucket/audit/bitbucket_audit_secret_scanning_exempt_repository_detected.yml +++ b/rules/cloud/bitbucket/audit/bitbucket_audit_secret_scanning_exempt_repository_detected.yml @@ -1,6 +1,6 @@ title: Bitbucket Secret Scanning Exempt Repository Added id: b91e8d5e-0033-44fe-973f-b730316f23a1 -status: experimental +status: test description: Detects when a repository is exempted from secret scanning feature. references: - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_secret_scanning_rule_deleted.yml b/rules/cloud/bitbucket/audit/bitbucket_audit_secret_scanning_rule_deleted.yml index 5ef1c1901ed..dce9a90f6c3 100644 --- a/rules/cloud/bitbucket/audit/bitbucket_audit_secret_scanning_rule_deleted.yml +++ b/rules/cloud/bitbucket/audit/bitbucket_audit_secret_scanning_rule_deleted.yml @@ -1,6 +1,6 @@ title: Bitbucket Secret Scanning Rule Deleted id: ff91e3f0-ad15-459f-9a85-1556390c138d -status: experimental +status: test description: Detects when secret scanning rule is deleted for the project or repository. references: - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_unauthorized_access_detected.yml b/rules/cloud/bitbucket/audit/bitbucket_audit_unauthorized_access_detected.yml index 08ebde49a7c..d07b69e3309 100644 --- a/rules/cloud/bitbucket/audit/bitbucket_audit_unauthorized_access_detected.yml +++ b/rules/cloud/bitbucket/audit/bitbucket_audit_unauthorized_access_detected.yml 
@@ -1,6 +1,6 @@ title: Bitbucket Unauthorized Access To A Resource id: 7215374a-de4f-4b33-8ba5-70804c9251d3 -status: experimental +status: test description: Detects unauthorized access attempts to a resource. references: - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_unauthorized_full_data_export_triggered.yml b/rules/cloud/bitbucket/audit/bitbucket_audit_unauthorized_full_data_export_triggered.yml index ebb2f462150..a678f07dc31 100644 --- a/rules/cloud/bitbucket/audit/bitbucket_audit_unauthorized_full_data_export_triggered.yml +++ b/rules/cloud/bitbucket/audit/bitbucket_audit_unauthorized_full_data_export_triggered.yml @@ -1,6 +1,6 @@ title: Bitbucket Unauthorized Full Data Export Triggered id: 34d81081-03c9-4a7f-91c9-5e46af625cde -status: experimental +status: test description: Detects when full data export is attempted an unauthorized user. references: - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_user_details_export_attempt_detected.yml b/rules/cloud/bitbucket/audit/bitbucket_audit_user_details_export_attempt_detected.yml index a0e96ebd384..ba8d21c409a 100644 --- a/rules/cloud/bitbucket/audit/bitbucket_audit_user_details_export_attempt_detected.yml +++ b/rules/cloud/bitbucket/audit/bitbucket_audit_user_details_export_attempt_detected.yml @@ -1,6 +1,6 @@ title: Bitbucket User Details Export Attempt Detected id: 5259cbf2-0a75-48bf-b57a-c54d6fabaef3 -status: experimental +status: test description: Detects user data export activity. references: - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_user_login_failure_detected.yml b/rules/cloud/bitbucket/audit/bitbucket_audit_user_login_failure_detected.yml index 7eed1a8403e..4fad0d31bae 100644 
--- a/rules/cloud/bitbucket/audit/bitbucket_audit_user_login_failure_detected.yml +++ b/rules/cloud/bitbucket/audit/bitbucket_audit_user_login_failure_detected.yml @@ -1,6 +1,6 @@ title: Bitbucket User Login Failure id: 70ed1d26-0050-4b38-a599-92c53d57d45a -status: experimental +status: test description: | Detects user authentication failure events. Please note that this rule can be noisy and it is recommended to use with correlation based on "author.name" field. diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_user_login_failure_via_ssh_detected.yml b/rules/cloud/bitbucket/audit/bitbucket_audit_user_login_failure_via_ssh_detected.yml index 9e9a0cebde4..d1fa3fdbdb5 100644 --- a/rules/cloud/bitbucket/audit/bitbucket_audit_user_login_failure_via_ssh_detected.yml +++ b/rules/cloud/bitbucket/audit/bitbucket_audit_user_login_failure_via_ssh_detected.yml @@ -1,6 +1,6 @@ title: Bitbucket User Login Failure Via SSH id: d3f90469-fb05-42ce-b67d-0fded91bbef3 -status: experimental +status: test description: | Detects SSH user login access failures. Please note that this rule can be noisy and is recommended to use with correlation based on "author.name" field. diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_user_permissions_export_attempt_detected.yml b/rules/cloud/bitbucket/audit/bitbucket_audit_user_permissions_export_attempt_detected.yml index 221d4a24fc9..aff1211d40f 100644 --- a/rules/cloud/bitbucket/audit/bitbucket_audit_user_permissions_export_attempt_detected.yml +++ b/rules/cloud/bitbucket/audit/bitbucket_audit_user_permissions_export_attempt_detected.yml @@ -1,6 +1,6 @@ title: Bitbucket User Permissions Export Attempt id: 87cc6698-3e07-4ba2-9b43-a85a73e151e2 -status: experimental +status: test description: Detects user permission data export attempt. references: - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html 
diff --git a/rules/cloud/github/github_push_protection_bypass_detected.yml b/rules/cloud/github/github_push_protection_bypass_detected.yml index 7e537f304b3..a619e57d300 100644 --- a/rules/cloud/github/github_push_protection_bypass_detected.yml +++ b/rules/cloud/github/github_push_protection_bypass_detected.yml @@ -1,6 +1,6 @@ title: Github Push Protection Bypass Detected id: 02cf536a-cf21-4876-8842-4159c8aee3cc -status: experimental +status: test description: Detects when a user bypasses the push protection on a secret detected by secret scanning. references: - https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations diff --git a/rules/cloud/github/github_push_protection_disabled.yml b/rules/cloud/github/github_push_protection_disabled.yml index dff55ef9118..296b8125eb0 100644 --- a/rules/cloud/github/github_push_protection_disabled.yml +++ b/rules/cloud/github/github_push_protection_disabled.yml @@ -1,6 +1,6 @@ title: Github Push Protection Disabled id: ccd55945-badd-4bae-936b-823a735d37dd -status: experimental +status: test description: Detects if the push protection feature is disabled for an organization, enterprise, repositories or custom pattern rules. references: - https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations diff --git a/rules/linux/process_creation/proc_creation_lnx_local_account.yml b/rules/linux/process_creation/proc_creation_lnx_local_account.yml index 40bccc49ac2..403ed87c47e 100644 --- a/rules/linux/process_creation/proc_creation_lnx_local_account.yml +++ b/rules/linux/process_creation/proc_creation_lnx_local_account.yml 
@@ -4,9 +4,11 @@ status: test description: Detects enumeration of local systeam accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.001/T1087.001.md -author: Alejandro Ortuno, oscd.community + - https://my.f5.com/manage/s/article/K589 + - https://man.freebsd.org/cgi/man.cgi?pwd_mkdb +author: Alejandro Ortuno, oscd.community, CheraghiMilad date: 2020-10-08 -modified: 2024-08-10 +modified: 2024-12-10 tags: - attack.discovery - attack.t1087.001 @@ -28,10 +30,17 @@ detection: - '/tail' - '/vi' - '/vim' + - '/less' + - '/emacs' + - '/sqlite3' + - '/makemap' CommandLine|contains: - '/etc/passwd' - '/etc/shadow' - '/etc/sudoers' + - '/etc/spwd.db' + - '/etc/pwd.db' + - '/etc/master.passwd' selection_4: Image|endswith: '/id' selection_5: diff --git a/rules/windows/builtin/application/Other/win_av_relevant_match.yml b/rules/windows/builtin/application/Other/win_av_relevant_match.yml index 6fe2530d1b1..62bbccddefa 100644 --- a/rules/windows/builtin/application/Other/win_av_relevant_match.yml +++ b/rules/windows/builtin/application/Other/win_av_relevant_match.yml @@ -10,7 +10,7 @@ references: - https://www.nextron-systems.com/?s=antivirus author: Florian Roth (Nextron Systems), Arnim Rupp date: 2017-02-19 -modified: 2024-08-29 +modified: 2024-12-25 tags: - attack.resource-development - attack.t1588 @@ -43,7 +43,9 @@ detection: - 'GrandCrab ' - 'HackTool' - 'HKTL' - - 'HTool' + - 'HTool-' + - '/HTool' + - '.HTool' - 'IISExchgSpawnCMD' - 'Impacket' - 'JSP/BackDoor ' diff --git a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml index 4932cd36fa6..f99cf13f302 100644 
--- a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml +++ b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml @@ -9,7 +9,7 @@ references: - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/ author: Nasreddine Bencherchali (Nextron Systems) date: 2023-01-11 -modified: 2024-08-29 +modified: 2024-12-25 tags: - attack.defense-evasion logsource: @@ -33,6 +33,7 @@ detection: - 'https://statics.teams.cdn.live.net/' - 'https://statics.teams.cdn.office.net/' - 'microsoft.com' # Example: https://go.microsoft.com/fwlink/?linkid=2160968 + - 'https://installer.teams.static.microsoft/' condition: selection and not 1 of filter_main_* falsepositives: - Unknown diff --git a/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_uncommon_tld.yml b/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_uncommon_tld.yml index 5f5fc4dce4f..1bed4b7f0de 100644 --- a/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_uncommon_tld.yml +++ b/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_uncommon_tld.yml @@ -7,7 +7,7 @@ references: - https://twitter.com/malmoeb/status/1535142803075960832 author: Florian Roth (Nextron Systems) date: 2022-06-10 -modified: 2023-03-27 +modified: 2024-12-25 tags: - attack.defense-evasion - attack.persistence @@ -24,6 +24,8 @@ detection: - '.com/' - '.sfx.ms/' - 'download.mozilla.org/' # https://download.mozilla.org/?product=firefox-101.0.1-partial-101.0&os=win64&lang=en-US + - 'cdn.onenote.net/' + - 'cdn.office.net/' condition: selection and not 1 of filter_main_* falsepositives: - This rule doesn't exclude other known TLDs such as ".org" or ".net". It's recommended to apply additional filters for software and scripts that leverage the BITS service 
diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml index f9fac468880..f3c8172ecc8 100644 --- a/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml +++ b/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml @@ -11,7 +11,7 @@ references: - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) date: 2022-01-20 -modified: 2024-10-08 +modified: 2024-12-25 tags: - attack.execution logsource: @@ -104,6 +104,17 @@ detection: - FileNameBuffer|contains: '\Program Files\SentinelOne\Sentinel Agent' # Example: Program Files\SentinelOne\Sentinel Agent 23.4.4.223\SentinelAgent.exe - ProcessNameBuffer|contains: '\Program Files\SentinelOne\Sentinel Agent' + filter_optional_national_instruments: + # Example: \device\harddiskvolume3\program files\national instruments\shared\mdns responder\nimdnsnsp.dll + FileNameBuffer|contains: '\National Instruments\Shared\mDNS Responder\' + filter_optional_kaspersky: + # Example: \Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\x64\antimalware_provider.dll + - ProcessNameBuffer|contains|all: + - '\Kaspersky Lab\' + - '\avp.exe' + - FileNameBuffer|contains|all: + - '\Kaspersky Lab\' + - '\antimalware_provider.dll' condition: selection and not 1 of filter_main_* and not 1 of filter_optional_* falsepositives: - Antivirus and other third party products are known to trigger this rule quite a lot. Initial filters and tuning is required before using this rule. 
diff --git a/rules/windows/builtin/security/win_security_register_new_logon_process_by_rubeus.yml b/rules/windows/builtin/security/win_security_register_new_logon_process_by_rubeus.yml index 12b6abebf09..3ec1b616e18 100644 --- a/rules/windows/builtin/security/win_security_register_new_logon_process_by_rubeus.yml +++ b/rules/windows/builtin/security/win_security_register_new_logon_process_by_rubeus.yml @@ -10,6 +10,7 @@ modified: 2022-10-09 tags: - attack.lateral-movement - attack.privilege-escalation + - attack.credential-access - attack.t1558.003 logsource: product: windows diff --git a/rules/windows/builtin/security/win_security_susp_sdelete.yml b/rules/windows/builtin/security/win_security_sdelete_potential_secure_deletion.yml similarity index 76% rename from rules/windows/builtin/security/win_security_susp_sdelete.yml rename to rules/windows/builtin/security/win_security_sdelete_potential_secure_deletion.yml index 4700f531631..23923fcb34d 100644 --- a/rules/windows/builtin/security/win_security_susp_sdelete.yml +++ b/rules/windows/builtin/security/win_security_sdelete_potential_secure_deletion.yml @@ -1,14 +1,14 @@ -title: Secure Deletion with SDelete +title: Potential Secure Deletion with SDelete id: 39a80702-d7ca-4a83-b776-525b1f86a36d status: test -description: Detects renaming of file while deletion with SDelete tool. +description: Detects files that have extensions commonly seen while SDelete is used to wipe files. references: - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/sdelete.htm - https://www.jpcert.or.jp/english/pub/sr/ir_research.html - https://learn.microsoft.com/en-gb/sysinternals/downloads/sdelete author: Thomas Patzke date: 2017-06-14 -modified: 2021-11-27 +modified: 2024-12-13 tags: - attack.impact - attack.defense-evasion @@ -32,4 +32,5 @@ detection: condition: selection falsepositives: - Legitimate usage of SDelete + - Files that are interacted with that have these extensions legitimately level: medium 
diff --git a/rules/windows/builtin/security/win_security_service_install_remote_access_software.yml b/rules/windows/builtin/security/win_security_service_install_remote_access_software.yml index e21a9959cba..3bf361f213e 100644 --- a/rules/windows/builtin/security/win_security_service_install_remote_access_software.yml +++ b/rules/windows/builtin/security/win_security_service_install_remote_access_software.yml @@ -9,7 +9,7 @@ references: - https://redcanary.com/blog/misbehaving-rats/ author: Connor Martin, Nasreddine Bencherchali (Nextron Systems) date: 2022-12-23 -modified: 2023-11-15 +modified: 2024-12-07 tags: - attack.persistence - attack.t1543.003 @@ -24,6 +24,7 @@ detection: ServiceName|contains: # Based on https://github.com/SigmaHQ/sigma/pull/2841 - 'AmmyyAdmin' # https://www.ammyy.com/en/ + - 'AnyDesk' # https://usersince99.medium.com/windows-privilege-escalation-8214ceaf4db8 - 'Atera' - 'BASupportExpressSrvcUpdater' # https://www.systemlookup.com/O23/6837-BASupSrvcUpdater_exe.html - 'BASupportExpressStandaloneService' # https://www.systemlookup.com/O23/6839-BASupSrvc_exe.html diff --git a/rules/windows/builtin/system/microsoft_windows_certification_authority/win_system_adcs_enrollment_request_denied.yml b/rules/windows/builtin/system/microsoft_windows_certification_authority/win_system_adcs_enrollment_request_denied.yml index eebe651bf39..ca0de698b91 100644 --- a/rules/windows/builtin/system/microsoft_windows_certification_authority/win_system_adcs_enrollment_request_denied.yml +++ b/rules/windows/builtin/system/microsoft_windows_certification_authority/win_system_adcs_enrollment_request_denied.yml 
@@ -1,6 +1,6 @@ title: Active Directory Certificate Services Denied Certificate Enrollment Request id: 994bfd6d-0a2e-481e-a861-934069fcf5f5 -status: experimental +status: test description: | Detects denied requests by Active Directory Certificate Services. Example of these requests denial include issues with permissions on the certificate template or invalid signatures. diff --git a/rules/windows/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_tgs_no_suitable_encryption_key_found.yml b/rules/windows/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_tgs_no_suitable_encryption_key_found.yml index e87cd0f4fed..2f097f59400 100644 --- a/rules/windows/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_tgs_no_suitable_encryption_key_found.yml +++ b/rules/windows/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_tgs_no_suitable_encryption_key_found.yml @@ -1,6 +1,6 @@ title: No Suitable Encryption Key Found For Generating Kerberos Ticket id: b1e0b3f5-b62e-41be-886a-daffde446ad4 -status: experimental +status: test description: | Detects errors when a target server doesn't have suitable keys for generating kerberos tickets. This issue can occur for example when a service uses a user account or a computer account that is configured for only DES encryption on a computer that is running Windows 7 which has DES encryption for Kerberos authentication disabled. diff --git a/rules/windows/dns_query/dns_query_win_onelaunch_update_service.yml b/rules/windows/dns_query/dns_query_win_onelaunch_update_service.yml index ee5288b09c8..bb67b6b82d0 100644 --- a/rules/windows/dns_query/dns_query_win_onelaunch_update_service.yml +++ b/rules/windows/dns_query/dns_query_win_onelaunch_update_service.yml 
@@ -1,6 +1,6 @@ title: DNS Query Request To OneLaunch Update Service id: df68f791-ad95-447f-a271-640a0dab9cf8 -status: experimental +status: test description: | Detects DNS query requests to "update.onelaunch.com". This domain is associated with the OneLaunch adware application. When the OneLaunch application is installed it will attempt to get updates from this domain. diff --git a/rules/windows/dns_query/dns_query_win_quickassist.yml b/rules/windows/dns_query/dns_query_win_quickassist.yml new file mode 100644 index 00000000000..4ec687d3caf --- /dev/null +++ b/rules/windows/dns_query/dns_query_win_quickassist.yml @@ -0,0 +1,27 @@ +title: DNS Query Request By QuickAssist.EXE +id: 882e858a-3233-4ba8-855e-2f3d3575803d +status: experimental +description: | + Detects DNS queries initiated by "QuickAssist.exe" to Microsoft Quick Assist primary endpoint that is used to establish a session. +references: + - https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/ + - https://www.linkedin.com/posts/kevin-beaumont-security_ive-been-assisting-a-few-orgs-hit-with-successful-activity-7268055739116445701-xxjZ/ + - https://x.com/cyb3rops/status/1862406110365245506 + - https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist +author: Muhammad Faisal (@faisalusuf) +date: 2024-12-19 +tags: + - attack.initial-access + - attack.t1071.001 + - attack.t1210 +logsource: + category: dns_query + product: windows +detection: + selection: + Image|endswith: '\QuickAssist.exe' + QueryName|endswith: 'remoteassistance.support.services.microsoft.com' + condition: selection +falsepositives: + - Legitimate use of Quick Assist in the environment. +level: low diff --git a/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml b/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml index 0d00207add1..78e12bf5c59 100644 
--- a/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml +++ b/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml @@ -23,7 +23,7 @@ references: - https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist#disable-quick-assist-within-your-organization author: frack113, Connor Martin date: 2022-07-11 -modified: 2024-09-13 +modified: 2024-12-17 tags: - attack.command-and-control - attack.t1219 @@ -51,6 +51,7 @@ detection: - 'dwservice.net' - 'express.gotoassist.com' - 'getgo.com' + - 'getscreen.me' # https://x.com/malmoeb/status/1868757130624614860?s=12&t=C0_T_re0wRP_NfKa27Xw9w - 'integratedchat.teamviewer.com' - 'join.zoho.com' - 'kickstart.jumpcloud.com' diff --git a/rules/windows/image_load/image_load_susp_unsigned_dll.yml b/rules/windows/image_load/image_load_susp_unsigned_dll.yml index cce9bc1f3ba..c651259e622 100644 --- a/rules/windows/image_load/image_load_susp_unsigned_dll.yml +++ b/rules/windows/image_load/image_load_susp_unsigned_dll.yml @@ -1,6 +1,6 @@ title: Unsigned DLL Loaded by Windows Utility id: b5de0c9a-6f19-43e0-af4e-55ad01f550af -status: experimental +status: test description: | Detects windows utilities loading an unsigned or untrusted DLL. Adversaries often abuse those programs to proxy execution of malicious code. diff --git a/rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml b/rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml index 329717393b6..4bd9c7c9805 100644 --- a/rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml +++ b/rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml @@ -7,7 +7,7 @@ references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse author: Harish Segar, frack113 date: 2020-06-29 -modified: 2024-10-08 +modified: 2024-12-27 tags: - attack.execution - attack.t1059.001 
@@ -30,7 +30,7 @@ detection: filter_main_host_application_null: # Note: Since we're using the raw data field to match. There is no easy way to filter out cases where the "HostApplication" field is null (i.e doesn't exist). We're practically forced to use a regex. # If you're already mapping and extracting the field, then obviously use that directly. - Data|re: 'HostId=[a-zA-Z0-9-]{36} EngineVersion=' + Data|re: 'HostId=[a-zA-Z0-9-]{36}\s+EngineVersion=' condition: selection and not 1 of filter_main_* falsepositives: - Unknown diff --git a/rules/windows/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml b/rules/windows/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml index 41f34de7858..bb0aa14b1a6 100644 --- a/rules/windows/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml +++ b/rules/windows/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml @@ -8,7 +8,7 @@ references: - https://github.com/bohops/WSMan-WinRM author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) date: 2020-06-24 -modified: 2024-10-08 +modified: 2024-12-27 tags: - attack.execution - attack.t1059.001 @@ -31,7 +31,7 @@ detection: filter_main_host_application_null: # Note: Since we're using the raw data field to match. There is no easy way to filter out cases where the "HostApplication" field is null (i.e doesn't exist). We're practically forced to use a regex. # If you're already mapping and extracting the field, then obviously use that directly. - Data|re: 'HostId=[a-zA-Z0-9-]{36} EngineVersion=' + Data|re: 'HostId=[a-zA-Z0-9-]{36}\s+EngineVersion=' condition: selection and not 1 of filter_main_* falsepositives: - Unknown diff --git a/rules/windows/powershell/powershell_classic/posh_pc_xor_commandline.yml b/rules/windows/powershell/powershell_classic/posh_pc_xor_commandline.yml deleted file mode 100644 index c54a451470b..00000000000 
--- a/rules/windows/powershell/powershell_classic/posh_pc_xor_commandline.yml +++ /dev/null @@ -1,27 +0,0 @@ -title: Suspicious XOR Encoded PowerShell Command Line - PowerShell -id: 812837bb-b17f-45e9-8bd0-0ec35d2e3bd6 -status: test -description: Detects suspicious powershell process which includes bxor command, alternative obfuscation method to b64 encoded commands. -references: - - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=46 -author: Teymur Kheirkhabarov, Harish Segar (rule) -date: 2020-06-29 -modified: 2023-10-27 -tags: - - attack.execution - - attack.t1059.001 -logsource: - product: windows - category: ps_classic_start -detection: - selection: - Data|contains: 'HostName=ConsoleHost' - filter: - Data|contains: - - 'bxor' - - 'char' - - 'join' - condition: selection and filter -falsepositives: - - Unknown -level: medium diff --git a/rules/windows/powershell/powershell_module/posh_pm_hktl_evil_winrm_execution.yml b/rules/windows/powershell/powershell_module/posh_pm_hktl_evil_winrm_execution.yml index 2a5248dfb6d..14edd6ab649 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_hktl_evil_winrm_execution.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_hktl_evil_winrm_execution.yml @@ -1,6 +1,6 @@ title: HackTool - Evil-WinRm Execution - PowerShell Module id: 9fe55ea2-4cd6-4491-8a54-dd6871651b51 -status: experimental +status: test description: | Detects the execution of Evil-WinRM via PowerShell Module logs by leveraging the hardcoded strings inside the utility. references: diff --git a/rules/windows/process_access/proc_access_win_lsass_memdump.yml b/rules/windows/process_access/proc_access_win_lsass_memdump.yml index bf8053d1212..f666d4895c4 100755 --- a/rules/windows/process_access/proc_access_win_lsass_memdump.yml +++ b/rules/windows/process_access/proc_access_win_lsass_memdump.yml 
@@ -1,6 +1,6 @@ title: Potential Credential Dumping Activity Via LSASS id: 5ef9853e-4d0e-4a70-846f-a9ca37d876da -status: experimental +status: test description: | Detects process access requests to the LSASS process with specific call trace calls and access masks. This behaviour is expressed by many credential dumping tools such as Mimikatz, NanoDump, Invoke-Mimikatz, Procdump and even the Taskmgr dumping feature. diff --git a/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions.yml b/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions.yml index 98edaf1a986..0f50997da81 100644 --- a/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions.yml +++ b/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions.yml @@ -3,7 +3,7 @@ id: ea0cdc3e-2239-4f26-a947-4e8f8224e464 related: - id: e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a type: derived -status: experimental +status: test description: Detects the execution of certutil with the "encode" flag to encode a file to base64 where the extensions of the file is suspicious references: - https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior diff --git a/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location.yml b/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location.yml index 6f1fae87e99..b4a8cf6cffc 100644 --- a/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location.yml +++ b/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location.yml 
@@ -3,7 +3,7 @@ id: 82a6714f-4899-4f16-9c1e-9a333544d4c3 related: - id: e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a type: derived -status: experimental +status: test description: Detects the execution of certutil with the "encode" flag to encode a file to base64 where the files are located in potentially suspicious locations references: - https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior diff --git a/rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup.yml b/rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup.yml index d86cf13668d..ea4a95808c5 100644 --- a/rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup.yml +++ b/rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup.yml @@ -1,6 +1,6 @@ title: Console CodePage Lookup Via CHCP id: 7090adee-82e2-4269-bd59-80691e7c6338 -status: experimental +status: test description: Detects use of chcp to look up the system locale value as part of host discovery references: - https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/ diff --git a/rules/windows/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml b/rules/windows/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml index abbed65b2dd..d96cbf5ad45 100644 --- a/rules/windows/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml @@ -1,6 +1,6 @@ title: Potentially Suspicious Ping/Copy Command Combination id: ded2b07a-d12f-4284-9b76-653e37b6c8b0 -status: experimental +status: test description: | Detects uncommon and potentially suspicious one-liner command containing both "ping" and "copy" at the same time, which is usually used by malware. references: 
diff --git a/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_ext.yml b/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_ext.yml index 68c22c51fae..b82b4a93ee3 100644 --- a/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_ext.yml +++ b/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_ext.yml @@ -9,7 +9,7 @@ related: type: similar - id: 0c2f8629-7129-4a8a-9897-7e0768f13ff2 # Diskshadow Script Mode Execution type: similar -status: experimental +status: test description: | Detects execution of "Diskshadow.exe" in script mode to execute an script with a potentially uncommon extension. Initial baselining of the allowed extension list is required. diff --git a/rules/windows/process_creation/proc_creation_win_findstr_download.yml b/rules/windows/process_creation/proc_creation_win_findstr_download.yml index 6b74583968f..95994b838a6 100644 --- a/rules/windows/process_creation/proc_creation_win_findstr_download.yml +++ b/rules/windows/process_creation/proc_creation_win_findstr_download.yml @@ -3,7 +3,7 @@ id: 587254ee-a24b-4335-b3cd-065c0f1f4baa related: - id: bf6c39fc-e203-45b9-9538-05397c1b4f3f type: obsolete -status: experimental +status: test description: | Detects execution of "findstr" with specific flags and a remote share path. This specific set of CLI flags would allow "findstr" to download the content of the file located on the remote share as described in the LOLBAS entry. references: diff --git a/rules/windows/process_creation/proc_creation_win_findstr_subfolder_search.yml b/rules/windows/process_creation/proc_creation_win_findstr_subfolder_search.yml index f584edbd743..1734125a56f 100644 --- a/rules/windows/process_creation/proc_creation_win_findstr_subfolder_search.yml +++ b/rules/windows/process_creation/proc_creation_win_findstr_subfolder_search.yml 
@@ -3,7 +3,7 @@ id: 04936b66-3915-43ad-a8e5-809eadfd1141 related: - id: bf6c39fc-e203-45b9-9538-05397c1b4f3f type: obsolete -status: experimental +status: test description: | Detects execution of findstr with the "s" and "i" flags for a "subfolder" and "insensitive" search respectively. Attackers sometimes leverage this built-in utility to search the system for interesting files or filter through results of commands. references: diff --git a/rules/windows/process_creation/proc_creation_win_lodctr_performance_counter_tampering.yml b/rules/windows/process_creation/proc_creation_win_lodctr_performance_counter_tampering.yml index cf707302bd3..7e745360300 100644 --- a/rules/windows/process_creation/proc_creation_win_lodctr_performance_counter_tampering.yml +++ b/rules/windows/process_creation/proc_creation_win_lodctr_performance_counter_tampering.yml @@ -1,6 +1,6 @@ title: Rebuild Performance Counter Values Via Lodctr.EXE id: cc9d3712-6310-4320-b2df-7cb408274d53 -status: experimental +status: test description: Detects the execution of "lodctr.exe" to rebuild the performance counter registry values. This can be abused by attackers by providing a malicious config file to overwrite performance counter configuration to confuse and evade monitoring and security solutions. references: - https://learn.microsoft.com/en-us/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr diff --git a/rules/windows/process_creation/proc_creation_win_odbcconf_response_file.yml b/rules/windows/process_creation/proc_creation_win_odbcconf_response_file.yml index fc62df134c1..1b20ada9acd 100644 --- a/rules/windows/process_creation/proc_creation_win_odbcconf_response_file.yml +++ b/rules/windows/process_creation/proc_creation_win_odbcconf_response_file.yml 
@@ -5,7 +5,7 @@ related: type: similar - id: 65d2be45-8600-4042-b4c0-577a1ff8a60e type: obsolete -status: experimental +status: test description: Detects execution of "odbcconf" with the "-f" flag in order to load a response file which might contain a malicious action. references: - https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16 diff --git a/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml b/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml index 5e81fdb2abd..892f6d19f9f 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml @@ -3,7 +3,7 @@ id: 5e3cc4d8-3e68-43db-8656-eaaeefdec9cc related: - id: e218595b-bbe7-4ee5-8a96-f32a24ad3468 type: derived -status: experimental +status: test description: Detects a suspicious call to Invoke-WebRequest cmdlet where the and output is located in a suspicious location references: - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/ diff --git a/rules/windows/process_creation/proc_creation_win_quickassist_execution.yml b/rules/windows/process_creation/proc_creation_win_quickassist_execution.yml new file mode 100644 index 00000000000..78987739d6f --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_quickassist_execution.yml 
@@ -0,0 +1,25 @@ +title: QuickAssist Execution +id: e20b5b14-ce93-4230-88af-981983ef6e74 +status: experimental +description: | + Detects the execution of Microsoft Quick Assist tool "QuickAssist.exe". This utility can be used by attackers to gain remote access. +references: + - https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/ + - https://www.linkedin.com/posts/kevin-beaumont-security_ive-been-assisting-a-few-orgs-hit-with-successful-activity-7268055739116445701-xxjZ/ + - https://x.com/cyb3rops/status/1862406110365245506 + - https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist +author: Muhammad Faisal (@faisalusuf) +date: 2024-12-19 +tags: + - attack.command-and-control + - attack.t1219 +logsource: + category: process_creation + product: windows +detection: + selection: + Image|endswith: '\QuickAssist.exe' + condition: selection +falsepositives: + - Legitimate use of Quick Assist in the environment. +level: low diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_revoked_cert.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_revoked_cert.yml index 0234458bf40..05010f5d315 100644 --- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_revoked_cert.yml +++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_revoked_cert.yml @@ -1,6 +1,6 @@ title: Remote Access Tool - AnyDesk Execution With Known Revoked Signing Certificate id: 41f407b5-3096-44ea-a74f-96d04fbc41be -status: experimental +status: test description: | Detects the execution of an AnyDesk binary with a version prior to 8.0.8. Prior to version 8.0.8, the Anydesk application used a signing certificate that got compromised by threat actors. 
diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_remote_execution.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_remote_execution.yml index ebe5cec977c..7848faadace 100644 --- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_remote_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_remote_execution.yml @@ -1,6 +1,6 @@ title: Remote Access Tool - ScreenConnect Remote Command Execution id: b1f73849-6329-4069-bc8f-78a604bb8b23 -status: experimental +status: test description: Detects the execution of a system command via the ScreenConnect RMM service. references: - https://github.com/SigmaHQ/sigma/pull/4467 diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_webshell.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_webshell.yml index 4c96eab5ac8..964b93cc835 100644 --- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_webshell.yml +++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_webshell.yml @@ -1,6 +1,6 @@ title: Remote Access Tool - ScreenConnect Server Web Shell Execution id: b19146a3-25d4-41b4-928b-1e2a92641b1b -status: experimental +status: test description: Detects potential web shell execution from the ScreenConnect server process. references: - https://blackpointcyber.com/resources/blog/breaking-through-the-screen/ diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_simple_help.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_simple_help.yml index f5ae7a5751b..36cbe7befdd 100644 --- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_simple_help.yml +++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_simple_help.yml 
@@ -1,6 +1,6 @@ title: Remote Access Tool - Simple Help Execution id: 95e60a2b-4705-444b-b7da-ba0ea81a3ee2 -status: experimental +status: test description: | An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. diff --git a/rules/windows/process_creation/proc_creation_win_sc_query_interesting_services.yml b/rules/windows/process_creation/proc_creation_win_sc_query_interesting_services.yml index 7ecfdb1441c..135bbaf94fe 100644 --- a/rules/windows/process_creation/proc_creation_win_sc_query_interesting_services.yml +++ b/rules/windows/process_creation/proc_creation_win_sc_query_interesting_services.yml @@ -1,6 +1,6 @@ title: Interesting Service Enumeration Via Sc.EXE id: e83e8899-c9b2-483b-b355-5decc942b959 -status: experimental +status: test description: | Detects the enumeration and query of interesting and in some cases sensitive services on the system via "sc.exe". Attackers often try to enumerate the services currently running on a system in order to find different attack vectors. diff --git a/rules/windows/process_creation/proc_creation_win_ssh_port_forward.yml b/rules/windows/process_creation/proc_creation_win_ssh_port_forward.yml index 0e5e79ac389..456e35274ec 100644 --- a/rules/windows/process_creation/proc_creation_win_ssh_port_forward.yml +++ b/rules/windows/process_creation/proc_creation_win_ssh_port_forward.yml @@ -1,6 +1,6 @@ title: Port Forwarding Activity Via SSH.EXE id: 327f48c1-a6db-4eb8-875a-f6981f1b0183 -status: experimental +status: test description: Detects port forwarding activity via SSH.exe references: - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/ 
diff --git a/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml b/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml index d363c1c4fb9..8d153142bb5 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml @@ -18,10 +18,11 @@ references: - https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955 author: Nasreddine Bencherchali (Nextron Systems), frack113 , X__Junior date: 2022-09-01 -modified: 2024-10-21 +modified: 2024-12-23 tags: - attack.defense-evasion - attack.t1489 + - attack.t1562.001 logsource: category: process_creation product: windows @@ -148,6 +149,7 @@ detection: - 'mfewc' - 'MMS' - 'mozyprobackup' + - 'mpssvc' - 'MSComplianceAudit' - 'MSDTC' - 'MsDtsServer' @@ -235,6 +237,7 @@ detection: - 'swi_service' - 'swi_update' - 'Symantec' + - 'sysmon' - 'TeamViewer' - 'Telemetryserver' - 'ThreatLockerService' @@ -277,6 +280,7 @@ detection: - 'WRSVC' - 'wsbexchange' - 'WSearch' + - 'wscsvc' - 'Zoolz 2 Service' condition: all of selection_* falsepositives: diff --git a/rules/windows/process_creation/proc_creation_win_webshell_recon_commands_and_processes.yml b/rules/windows/process_creation/proc_creation_win_webshell_recon_commands_and_processes.yml index 96feead4ecc..b2ee15af63b 100644 --- a/rules/windows/process_creation/proc_creation_win_webshell_recon_commands_and_processes.yml +++ b/rules/windows/process_creation/proc_creation_win_webshell_recon_commands_and_processes.yml 
@@ -5,9 +5,10 @@ description: Detects certain command line parameters often used during reconnais references: - https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html - https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/ -author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, Anton Kutepov, oscd.community + - https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild +author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, Anton Kutepov, oscd.community, Chad Hudson, Matt Anderson date: 2017-01-01 -modified: 2022-05-13 +modified: 2024-12-14 tags: - attack.persistence - attack.t1505.003 @@ -58,6 +59,17 @@ detection: selection_susp_wmic_utility: OriginalFileName: 'wmic.exe' CommandLine|contains: ' /node:' + selection_susp_powershell_cli: + Image|endswith: + - '\cmd.exe' + - '\powershell.exe' + - '\pwsh.exe' + CommandLine|contains: + - ' -enc ' + - ' -EncodedCommand ' + - ' -w hidden ' + - ' -windowstyle hidden' + - '.WebClient).Download' selection_susp_misc_discovery_binaries: - Image|endswith: - '\dsquery.exe' diff --git a/rules/windows/process_creation/proc_creation_win_wget_download_susp_locations.yml b/rules/windows/process_creation/proc_creation_win_wget_download_susp_locations.yml index 01636c4e67d..2f37af92a8b 100644 --- a/rules/windows/process_creation/proc_creation_win_wget_download_susp_locations.yml +++ b/rules/windows/process_creation/proc_creation_win_wget_download_susp_locations.yml @@ -1,6 +1,6 @@ title: Suspicious File Download From IP Via Wget.EXE - Paths id: 40aa399c-7b02-4715-8e5f-73572b493f33 -status: experimental +status: test description: Detects potentially suspicious file downloads directly from IP addresses and stored in suspicious locations using Wget.exe references: - https://www.gnu.org/software/wget/manual/wget.html 
diff --git a/rules/windows/process_creation/proc_creation_win_whoami_all_execution.yml b/rules/windows/process_creation/proc_creation_win_whoami_all_execution.yml index 22817da9b36..ad25c8fd8d2 100644 --- a/rules/windows/process_creation/proc_creation_win_whoami_all_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_whoami_all_execution.yml @@ -1,6 +1,6 @@ title: Enumerate All Information With Whoami.EXE id: c248c896-e412-4279-8c15-1c558067b6fa -status: experimental +status: test description: Detects the execution of "whoami.exe" with the "/all" flag references: - https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/ diff --git a/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml b/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml index 82a4e741382..ef1f2a33296 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml @@ -12,9 +12,10 @@ references: - https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/ - https://blog.talosintelligence.com/uat-5647-romcom/ - https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/darkhotel-a-cluster-of-groups-united-by-common-techniques + - https://threatbook.io/blog/Analysis-of-APT-C-60-Attack-on-South-Korea author: Nasreddine Bencherchali (Nextron Systems) date: 2024-07-16 -modified: 2024-11-19 +modified: 2024-12-14 tags: - attack.persistence - attack.t1546.015 @@ -39,6 +40,7 @@ detection: - '\{F82B4EF1-93A9-4DDE-8015-F7950A1A6E31}\' - '\{7849596a-48ea-486e-8937-a2a3009f31a9}\' - '\{0b91a74b-ad7c-4a9d-b563-29eef9167172}\' + - '\{603D3801-BD81-11d0-A3A5-00C04FD706EC}\' selection_susp_location_1: Details|contains: # Note: Add more suspicious paths and locations 
diff --git a/rules/windows/registry/registry_set/registry_set_sentinelone_shell_context_tampering.yml b/rules/windows/registry/registry_set/registry_set_sentinelone_shell_context_tampering.yml index 6ab23312f4a..777a1fdcd09 100644 --- a/rules/windows/registry/registry_set/registry_set_sentinelone_shell_context_tampering.yml +++ b/rules/windows/registry/registry_set/registry_set_sentinelone_shell_context_tampering.yml @@ -1,6 +1,6 @@ title: Potential SentinelOne Shell Context Menu Scan Command Tampering id: 6c304b02-06e6-402d-8be4-d5833cdf8198 -status: experimental +status: test description: Detects potentially suspicious changes to the SentinelOne context menu scan command by a process other than SentinelOne. references: - https://mrd0x.com/sentinelone-persistence-via-menu-context/ diff --git a/tests/rule-references.txt b/tests/rule-references.txt index 88df0e48bb1..7192856a49d 100644 --- a/tests/rule-references.txt +++ b/tests/rule-references.txt 
@@ -3874,3 +3874,36 @@ https://www.sans.org/cyber-security-summit/archives https://defr0ggy.github.io/research/Abusing-Cloudflared-A-Proxy-Service-To-Host-Share-Applications/ https://web.archive.org/web/20210511204621/https://github.com/AlsidOfficial/WSUSpendu https://web.archive.org/web/20230409194125/https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html +https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29 +https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/darkhotel-a-cluster-of-groups-united-by-common-techniques +https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#activity-from-anonymous-ip-address +https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/ +https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/hostname +https://community.fortinet.com/t5/FortiGate/Technical-Tip-Critical-vulnerability-Protect-against-heap-based/ta-p/239420 +https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4647 +https://ipurple.team/2024/09/10/browser-stored-credentials/ +https://www.action1.com/documentation/ +https://learn.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool +https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown +https://strontic.github.io/xcyclopedia/library/shell32.dll-65DA072F25DE83D9F83653E3FEA3644D.html +https://learn.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-procoption-transact-sql?view=sql-server-ver16 +https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts +https://github.com/FalconForceTeam/SOAPHound +https://web.archive.org/web/20220614030603/http://www.powertheshell.com/ntfsstreams/ 
+https://docs.github.com/en/organizations/managing-organization-settings/transferring-organization-ownership +https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services +https://github.com/antonioCoco/RoguePotato +https://gtfobins.github.io/gtfobins/env/#shell +https://strontic.github.io/xcyclopedia/library/more.com-EDB3046610020EE614B5B81B0439895E.html +https://twitter.com/MsftSecIntel/status/1737895710169628824 +https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file?view=powershell-7.2 +https://github.com/safedv/RustiveDump/blob/1a9b026b477587becfb62df9677cede619d42030/src/main.rs#L35 +https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029 +https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc +https://learn.microsoft.com/en-us/azure/defender-for-cloud/file-integrity-monitoring-overview#which-files-should-i-monitor +https://learn.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate?view=windowsserver2022-ps +https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult +https://www.zerodayinitiative.com/blog/2023/4/21/tp-link-wan-side-vulnerability-cve-2023-1389-added-to-the-mirai-botnet-arsenal +https://nvd.nist.gov/vuln/detail/CVE-2024-3400 +https://www.microsoft.com/en-us/security/blog/2020/03/23/latest-astaroth-living-off-the-land-attacks-are-even-more-invisible-but-not-less-observable/ +https://web.archive.org/web/20221019044836/https://nsudo.m2team.org/en-us/
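Review bot: the description context line in rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_ext.yml still reads "to execute an script with a potentially uncommon extension"; since the file is already being touched for the status promotion, correct it to "a script" in the same change.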
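Review bot: the only reference in rules/windows/process_creation/proc_creation_win_lodctr_performance_counter_tampering.yml points at the virtual smart card tpmvscmgr page (learn.microsoft.com/.../virtual-smart-cards/virtual-smart-card-tpmvscmgr), which documents a different tool than the lodctr.exe the rule detects; before promoting the rule from experimental to test, replace or supplement it with the lodctr entry of the Windows commands reference so the reference actually supports the detection and the "malicious config file" claim in the description.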
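Review bot: the description in rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml has a grammatical slip in the context line "where the and output is located in a suspicious location"; suggest "where the output file is written to a suspicious location" while the file is being edited for the status change.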
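Review bot: the selection in the new rules/windows/process_creation/proc_creation_win_quickassist_execution.yml (`Image|endswith: '\QuickAssist.exe'`) fires on every launch of Quick Assist, so the single falsepositives entry "Legitimate use of Quick Assist in the environment" understates the noise anywhere a help desk uses the tool; either state in the description that this is a baselining/hunting rule (consistent with `level: low`) or document a recommended environment-specific filter, for example on ParentImage or on the launching user group, that deployers are expected to add. The cited Microsoft write-up describes victims being talked into launching Quick Assist themselves, which is exactly the event this selection captures, so saying so in the description would make the intended use clearer.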
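Review bot: the 'sysmon' entry added to the service list in rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml only covers the default service name; the Sysmon service is named after the installer executable, so a renamed install (a common hardening step) will not match, which is worth noting in the rule's falsepositives or a comment. Also check the modifier used for this list, which is not visible in the hunk: with `contains`, 'sysmon' also covers Sysmon64, but with an exact match it does not, in which case add 'sysmon64' alongside it. The new 'mpssvc' and 'wscsvc' entries will additionally match administrative scripts that stop the firewall or Security Center service, so the falsepositives section should mention that.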
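Review bot: the patterns in the new selection_susp_powershell_cli of rules/windows/process_creation/proc_creation_win_webshell_recon_commands_and_processes.yml, ' -enc ' and ' -EncodedCommand ', miss the documented short form `-ec` and the other prefix forms PowerShell accepts for this parameter (e.g. `-enco`, `-encoded`), and ' -w hidden ' / ' -windowstyle hidden' miss `-win hidden` and `-window hidden`; consider adding ' -ec ' and ' -win' style entries, or matching on the shorter common prefixes ' -e' and ' -w' with a trailing-space constraint where the false-positive rate allows. Since this selection is reached through the rule's existing webserver-parent condition, the added noise should be limited, but the abbreviations are exactly what an operator dropping a web shell would use to dodge substring matches.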
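Review bot: the 33 URLs added to tests/rule-references.txt do not include the references introduced elsewhere in this patch: the four references of the new proc_creation_win_quickassist_execution.yml (the Microsoft security blog post, the LinkedIn post, the x.com status and the learn.microsoft.com quick-assist page), the Huntress Cleo advisory added to proc_creation_win_webshell_recon_commands_and_processes.yml, and the threatbook APT-C-60 analysis added to registry_set_persistence_com_hijacking_builtin.yml; confirm they are already present in the unchanged part of the file or regenerate the list so the reference test and the archiver pick them up. The LinkedIn and x.com links in particular are the kind that disappear, so getting them archived early matters.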