Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions yml/OSBinaries/At.yml
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,9 @@ Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_at_interactive_execution.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/builtin/security/win_security_atsvc_task.yml
- Splunk: https://research.splunk.com/endpoint/7bc20606-5f40-11ec-a586-acde48001122/
- Splunk: https://research.splunk.com/endpoint/4be54858-432f-11ec-8209-3e22fbd008af/
- Splunk: https://research.splunk.com/endpoint/bf0a378e-5f3c-11ec-a6de-acde48001122/
- IOC: C:\Windows\System32\Tasks\At1 (substitute 1 with subsequent number of at job)
- IOC: C:\Windows\Tasks\At1.job
- IOC: Registry Key - Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\At1.
Expand Down
1 change: 1 addition & 0 deletions yml/OSBinaries/Bitsadmin.yml
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,7 @@ Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/web/proxy_generic/proxy_ua_bitsadmin_susp_tld.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_bitsadmin_potential_persistence.yml
- Splunk: https://github.com/splunk/security_content/blob/3f77e24974239fcb7a339080a1a483e6bad84a82/detections/endpoint/bitsadmin_download_file.yml
- Splunk: https://research.splunk.com/endpoint/80630ff4-8e4c-11eb-aab5-acde48001122/
- IOC: Child process from bitsadmin.exe
- IOC: bitsadmin creates new files
- IOC: bitsadmin adds data to alternate data stream
Expand Down
3 changes: 3 additions & 0 deletions yml/OSBinaries/Certutil.yml
Original file line number Diff line number Diff line change
Expand Up @@ -67,6 +67,9 @@ Detection:
- Splunk: https://github.com/splunk/security_content/blob/3f77e24974239fcb7a339080a1a483e6bad84a82/detections/endpoint/certutil_download_with_urlcache_and_split_arguments.yml
- Splunk: https://github.com/splunk/security_content/blob/3f77e24974239fcb7a339080a1a483e6bad84a82/detections/endpoint/certutil_download_with_verifyctl_and_split_arguments.yml
- Splunk: https://github.com/splunk/security_content/blob/3f77e24974239fcb7a339080a1a483e6bad84a82/detections/endpoint/certutil_with_decode_argument.yml
- Splunk: https://research.splunk.com/endpoint/801ad9e4-8bfb-11eb-8b31-acde48001122/
- Splunk: https://research.splunk.com/endpoint/415b4306-8bfb-11eb-85c4-acde48001122/
- Splunk: https://research.splunk.com/endpoint/bfe94226-8c10-11eb-a4b3-acde48001122/
- IOC: Certutil.exe creating new files on disk
- IOC: Useragent Microsoft-CryptoAPI/10.0
- IOC: Useragent CertUtil URL Agent
Expand Down
4 changes: 4 additions & 0 deletions yml/OSBinaries/Cmd.yml
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,10 @@ Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_susp_alternate_data_streams.yml
- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_ads_file_creation.toml
- Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_unusual_dir_ads.toml
- Splunk: https://research.splunk.com/endpoint/dcfd6b40-42f9-469d-a433-2e53f7486664/
- Splunk: https://research.splunk.com/endpoint/54a6ed00-3256-11ec-b031-acde48001122/
- Splunk: https://research.splunk.com/endpoint/eb277ba0-b96b-11eb-b00e-acde48001122/
- Splunk: https://research.splunk.com/endpoint/b89919ed-fe5f-492c-b139-95dbb162039e/
- IOC: cmd.exe executing files from alternate data streams.
- IOC: cmd.exe creating/modifying file contents in an alternate data stream.
Resources:
Expand Down
1 change: 1 addition & 0 deletions yml/OSBinaries/Cmstp.yml
Original file line number Diff line number Diff line change
Expand Up @@ -42,6 +42,7 @@ Detection:
- Splunk: https://github.com/splunk/security_content/blob/bee2a4cefa533f286c546cbe6798a0b5dec3e5ef/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml
- Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml
- Splunk: https://research.splunk.com/endpoint/f87b5062-b405-11eb-a889-acde48001122/
- IOC: Execution of cmstp.exe without a VPN use case is suspicious
- IOC: DotNet CLR libraries loaded into cmstp.exe
- IOC: DotNet CLR Usage Log - cmstp.exe.log
Expand Down
1 change: 1 addition & 0 deletions yml/OSBinaries/Control.yml
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,7 @@ Detection:
- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
- Elastic: https://github.com/elastic/detection-rules/blob/0875c1e4c4370ab9fbf453c8160bb5abc8ad95e7/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
- Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_unusual_dir_ads.toml
- Splunk: https://research.splunk.com/endpoint/10423ac4-10c9-11ec-8dc4-acde48001122/
- IOC: Control.exe executing files from alternate data streams
- IOC: Control.exe executing library file without cpl extension
- IOC: Suspicious network connections from control.exe
Expand Down
1 change: 1 addition & 0 deletions yml/OSBinaries/Eventvwr.yml
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,7 @@ Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/197615345b927682ab7ad7fa3c5f5bb2ed911eed/rules/windows/file/file_event/file_event_win_uac_bypass_eventvwr.yml
- Elastic: https://github.com/elastic/detection-rules/blob/d31ea6253ea40789b1fc49ade79b7ec92154d12a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
- Splunk: https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/eventvwr_uac_bypass.yml
- Splunk: https://research.splunk.com/endpoint/9cf8fe08-7ad8-11eb-9819-acde48001122/
- IOC: eventvwr.exe launching child process other than mmc.exe
- IOC: Creation or modification of the registry value HKCU\Software\Classes\mscfile\shell\open\command
Resources:
Expand Down
2 changes: 2 additions & 0 deletions yml/OSBinaries/Forfiles.yml
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,8 @@ Full_Path:
- Path: C:\Windows\SysWOW64\forfiles.exe
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_forfiles.yml
- Splunk: https://research.splunk.com/endpoint/bfdaabe7-3db8-48c5-80c1-220f9b8f22be/
- Splunk: https://research.splunk.com/endpoint/1fdf31c9-ff4d-4c48-b799-0e8666e08787/
Resources:
- Link: https://twitter.com/vector_sec/status/896049052642533376
- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
Expand Down
6 changes: 6 additions & 0 deletions yml/OSBinaries/Installutil.yml
Original file line number Diff line number Diff line change
Expand Up @@ -43,6 +43,12 @@ Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_installutil_download.yml
- Elastic: https://github.com/elastic/detection-rules/blob/cc241c0b5ec590d76cb88ec638d3cc37f68b5d50/rules/windows/defense_evasion_installutil_beacon.toml
- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
- Splunk: https://research.splunk.com/endpoint/4fbf9270-43da-11ec-9486-acde48001122/
- Splunk: https://research.splunk.com/endpoint/dcf74b22-7933-11ec-857c-acde48001122/
- Splunk: https://research.splunk.com/endpoint/cfa7b9ac-43f0-11ec-9b48-acde48001122/
- Splunk: https://research.splunk.com/endpoint/ccfeddec-43ec-11ec-b494-acde48001122/
- Splunk: https://research.splunk.com/endpoint/1a52c836-43ef-11ec-a36c-acde48001122/
- Splunk: https://research.splunk.com/endpoint/28e06670-43df-11ec-a569-acde48001122/
Resources:
- Link: https://pentestlab.blog/2017/05/08/applocker-bypass-installutil/
- Link: https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_12
Expand Down
1 change: 1 addition & 0 deletions yml/OSBinaries/Mavinject.yml
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,7 @@ Full_Path:
- Path: C:\Windows\SysWOW64\mavinject.exe
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml
- Splunk: https://research.splunk.com/endpoint/ccf4b61b-1b26-4f2e-a089-f2009c569c57/
- IOC: mavinject.exe should not run unless APP-v is in use on the workstation
Resources:
- Link: https://twitter.com/gN3mes1s/status/941315826107510784
Expand Down
2 changes: 2 additions & 0 deletions yml/OSBinaries/Microsoft.Workflow.Compiler.yml
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,8 @@ Detection:
- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml
- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
- Splunk: https://research.splunk.com/endpoint/9bbc62e8-55d8-11eb-ae93-0242ac130002/
- Splunk: https://research.splunk.com/endpoint/f0db4464-55d9-11eb-ae93-0242ac130002/
- IOC: Microsoft.Workflow.Compiler.exe would not normally be run on workstations.
- IOC: The presence of csc.exe or vbc.exe as child processes of Microsoft.Workflow.Compiler.exe
- IOC: Presence of "<CompilerInput" in a text file.
Expand Down
2 changes: 2 additions & 0 deletions yml/OSBinaries/Mmc.yml
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,8 @@ Full_Path:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_mmc_susp_child_process.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/file/file_event/file_event_win_uac_bypass_dotnet_profiler.yml
- Splunk: https://research.splunk.com/endpoint/7f04349c-e30d-11eb-bc7f-acde48001122/
- Splunk: https://research.splunk.com/endpoint/f6601940-4c74-11ec-b9b7-3e22fbd008af/
Resources:
- Link: https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
- Link: https://offsec.almond.consulting/UAC-bypass-dotnet.html
Expand Down
4 changes: 4 additions & 0 deletions yml/OSBinaries/Msbuild.yml
Original file line number Diff line number Diff line change
Expand Up @@ -70,6 +70,10 @@ Detection:
- Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
- Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
- Splunk: https://research.splunk.com/endpoint/f5198224-551c-11eb-ae93-0242ac130002/
- Splunk: https://research.splunk.com/endpoint/213b3148-24ea-11ec-93a2-acde48001122/
- Splunk: https://research.splunk.com/endpoint/4006adac-5937-11eb-ae93-0242ac130002/
- Splunk: https://research.splunk.com/endpoint/a115fba6-5514-11eb-ae93-0242ac130002/
- IOC: Msbuild.exe should not normally be executed on workstations
Resources:
- Link: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127/T1127.md
Expand Down
1 change: 1 addition & 0 deletions yml/OSBinaries/Msdt.yml
Original file line number Diff line number Diff line change
Expand Up @@ -43,6 +43,7 @@ Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/6199a703221a98ae6ad343c79c558da375203e4e/rules/windows/process_creation/proc_creation_win_lolbin_msdt_answer_file.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_msdt_arbitrary_command_execution.yml
- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
- Splunk: https://research.splunk.com/endpoint/e1d5145f-38fe-42b9-a5d5-457796715f97/
Resources:
- Link: https://web.archive.org/web/20160322142537/https://cybersyndicates.com/2015/10/a-no-bull-guide-to-malicious-windows-trouble-shooting-packs-and-application-whitelist-bypass/
- Link: https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/
Expand Down
7 changes: 7 additions & 0 deletions yml/OSBinaries/Mshta.yml
Original file line number Diff line number Diff line change
Expand Up @@ -71,6 +71,13 @@ Detection:
- Splunk: https://github.com/splunk/security_content/blob/18f63553a9dc1a34122fa123deae2b2f9b9ea391/detections/endpoint/suspicious_mshta_child_process.yml
- Splunk: https://github.com/splunk/security_content/blob/bee2a4cefa533f286c546cbe6798a0b5dec3e5ef/detections/endpoint/detect_mshta_url_in_command_line.yml
- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
- Splunk: https://research.splunk.com/endpoint/a0873b32-5b68-11eb-ae93-0242ac130002/
- Splunk: https://research.splunk.com/endpoint/8f45fcf0-5b68-11eb-ae93-0242ac130002/
- Splunk: https://research.splunk.com/endpoint/9b3af1e6-5b68-11eb-ae93-0242ac130002/
- Splunk: https://research.splunk.com/endpoint/60023bb6-5500-11eb-ae93-0242ac130002/
- Splunk: https://research.splunk.com/endpoint/4d33a488-5b5f-11eb-ae93-0242ac130002/
- Splunk: https://research.splunk.com/endpoint/4aa5d062-e893-11eb-9eb2-acde48001122/
- Splunk: https://research.splunk.com/endpoint/e13ceade-b673-4d34-adc4-4d9c01729753/
- IOC: mshta.exe executing raw or obfuscated script within the command-line
- IOC: General usage of HTA file
- IOC: msthta.exe network connection to Internet/WWW resource
Expand Down
6 changes: 6 additions & 0 deletions yml/OSBinaries/Msiexec.yml
Original file line number Diff line number Diff line change
Expand Up @@ -62,6 +62,12 @@ Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_msiexec_masquerading.yml
- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
- Splunk: https://github.com/splunk/security_content/blob/18f63553a9dc1a34122fa123deae2b2f9b9ea391/detections/endpoint/uninstall_app_using_msiexec.yml
- Splunk: https://research.splunk.com/endpoint/e9d05aa2-32f0-411b-930c-5b8ca5c4fcee/
- Splunk: https://research.splunk.com/endpoint/1fca2b28-f922-11eb-b2dd-acde48001122/
- Splunk: https://research.splunk.com/endpoint/827409a1-5393-4d8d-8da4-bbb297c262a7/
- Splunk: https://research.splunk.com/endpoint/fdb59aef-d88f-4909-8369-ec2afbd2c398/
- Splunk: https://research.splunk.com/endpoint/6aa49ff2-3c92-4586-83e0-d83eb693dfda/
- Splunk: https://research.splunk.com/endpoint/a27db3c5-1a9a-46df-a577-765d3f1a3c24/
- IOC: msiexec.exe retrieving files from Internet
Resources:
- Link: https://pentestlab.blog/2017/06/16/applocker-bypass-msiexec/
Expand Down
3 changes: 3 additions & 0 deletions yml/OSBinaries/Netsh.yml
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,9 @@ Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_netsh_helper_dll_persistence.yml
- Splunk: https://github.com/splunk/security_content/blob/2b87b26bdc2a84b65b1355ffbd5174bdbdb1879c/detections/endpoint/processes_launching_netsh.yml
- Splunk: https://github.com/splunk/security_content/blob/08ed88bd88259c03c771c30170d2934ed0a8f878/detections/deprecated/processes_created_by_netsh.yml
- Splunk: https://research.splunk.com/endpoint/7bc20606-5f40-11ec-a586-acde48001122/
- Splunk: https://research.splunk.com/endpoint/4be54858-432f-11ec-8209-3e22fbd008af/
- Splunk: https://research.splunk.com/endpoint/bf0a378e-5f3c-11ec-a6de-acde48001122/
- IOC: Netsh initiating a network connection
Resources:
- Link: https://freddiebarrsmith.com/trix/trix.html
Expand Down
3 changes: 3 additions & 0 deletions yml/OSBinaries/Odbcconf.yml
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,9 @@ Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_odbcconf_response_file_susp.yml
- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml
- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
- Splunk: https://research.splunk.com/endpoint/141e7fca-a9f0-40fd-a539-9aac8be41f1b/
- Splunk: https://research.splunk.com/endpoint/0562ad4b-fdaa-4882-b12f-7b8e0034cd72/
- Splunk: https://research.splunk.com/endpoint/1acafff9-1347-4b40-abae-f35aa4ba85c1/
Resources:
- Link: https://gist.github.com/NickTyrer/6ef02ce3fd623483137b45f65017352b
- Link: https://github.com/woanware/application-restriction-bypasses
Expand Down
1 change: 1 addition & 0 deletions yml/OSBinaries/Pcalua.yml
Original file line number Diff line number Diff line change
Expand Up @@ -36,6 +36,7 @@ Full_Path:
- Path: C:\Windows\System32\pcalua.exe
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_pcalua.yml
- Splunk: https://research.splunk.com/endpoint/3428ac18-a410-4823-816c-ce697d26f7a8/
Resources:
- Link: https://twitter.com/KyleHanslovan/status/912659279806640128
Acknowledgement:
Expand Down
1 change: 1 addition & 0 deletions yml/OSBinaries/Rasautou.yml
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@ Full_Path:
- Path: C:\Windows\System32\rasautou.exe
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_rasautou_dll_execution.yml
- Splunk: https://research.splunk.com/endpoint/6f42b8be-8e96-11ec-ad5a-acde48001122/
- IOC: rasautou.exe command line containing -d and -p
Resources:
- Link: https://github.com/fireeye/DueDLLigence
Expand Down
2 changes: 2 additions & 0 deletions yml/OSBinaries/Reg.yml
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,8 @@ Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_reg_dumping_sensitive_hives.yml
- Splunk: https://github.com/splunk/security_content/blob/bee2a4cefa533f286c546cbe6798a0b5dec3e5ef/detections/endpoint/attempted_credential_dump_from_registry_via_reg_exe.yml
- Elastic: https://github.com/elastic/detection-rules/blob/f6421d8c534f295518a2c945f530e8afc4c8ad1b/rules/windows/credential_access_dump_registry_hives.toml
- Splunk: https://research.splunk.com/endpoint/e9fb4a59-c5fb-440a-9f24-191fbc6b2911/
- Splunk: https://research.splunk.com/endpoint/8bbb7d58-b360-11eb-ba21-acde48001122/
- IOC: reg.exe writing to an ADS
Resources:
- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
Expand Down
3 changes: 3 additions & 0 deletions yml/OSBinaries/Regasm.yml
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,9 @@ Detection:
- Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
- Splunk: https://github.com/splunk/security_content/blob/bc93e670f5dcb24e96fbe3664d6bcad92df5acad/docs/_stories/suspicious_regsvcs_regasm_activity.md
- Splunk: https://github.com/splunk/security_content/blob/bee2a4cefa533f286c546cbe6798a0b5dec3e5ef/detections/endpoint/detect_regasm_with_network_connection.yml
- Splunk: https://research.splunk.com/endpoint/07921114-6db4-4e2e-ae58-3ea8a52ae93f/
- Splunk: https://research.splunk.com/endpoint/c3bc1430-04e7-4178-835f-047d8e6e97df/
- Splunk: https://research.splunk.com/endpoint/72170ec5-f7d2-42f5-aefb-2b8be6aad15f/
- IOC: regasm.exe executing dll file
Resources:
- Link: https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/
Expand Down
1 change: 1 addition & 0 deletions yml/OSBinaries/Regedit.yml
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@ Full_Path:
- Path: C:\Windows\regedit.exe
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_regedit_import_keys_ads.yml
- Splunk: https://research.splunk.com/endpoint/6f42b8be-8e96-11ec-ad5a-acde48001122/
- IOC: regedit.exe reading and writing to alternate data stream
- IOC: regedit.exe should normally not be executed by end-users
Resources:
Expand Down
Loading
Loading