security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #1222 from feedb/oscd

Browse Source 
[OSCD] zer0w
This commit is contained in:
yugoslavskiy
2021-01-06 00:23:25 +03:00
committed by GitHub
parent 93718975fb 3d47d17769
commit 23519e47cd
2 changed files with 67 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/process_creation/process_creation_dotnet.yml
+33
View File
@@ -0,0 +1,33 @@
title: Dotnet.exe Exec Dll and Execute Unsigned Code LOLBIN
status: experimental
id: d80d5c81-04ba-45b4-84e4-92eba40e0ad3
author: Beyu Denis, oscd.community
date: 2020/10/18
description: dotnet.exe will execute any DLL and execute unsigned code
references:
- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Dotnet.yml
- https://twitter.com/_felamos/status/1204705548668555264
- https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/
tags:
- attack.execution
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
Commandline|endswith:
- '.dll'
- '.csproj'
Image|endswith:
- '\dotnet.exe'
condition: selection
fields:
- ComputerName
- User
- CommandLine
- ParentCommandLine
falsepositives:
- System administrator Usage
- Penetration test
level: medium
rules/windows/process_creation/process_creation_msdeploy.yml
+34
View File
@@ -0,0 +1,34 @@
title: Execute Files with Msdeploy.exe
status: experimental
id: d80d5c81-04ba-45b4-84e4-92eba40e0ad3
author: Beyu Denis, oscd.community
date: 2020/10/18
description: Detects file execution using the msdeploy.exe lolbin
references:
- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Msdeploy.yml
- https://twitter.com/pabraeken/status/995837734379032576
- https://twitter.com/pabraeken/status/999090532839313408
tags:
- attack.execution
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
Commandline|contains|all:
- 'verb:sync'
- '-source:RunCommand'
- '-dest:runCommand'
Image|endswith:
- '\msdeploy.exe'
condition: selection
fields:
- ComputerName
- User
- CommandLine
- ParentCommandLine
falsepositives:
- System administrator Usage
- Penetration test
level: medium