fix: apply suggestions from code review

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Nasreddine Bencherchali
2023-08-18 15:15:26 +02:00
committed by GitHub
parent be9abb9364
commit 360475d6ff
11 changed files with 11 additions and 11 deletions
@@ -9,7 +9,7 @@ related:
type: similar
status: experimental
description: |
Detects the creation of new DLL assembly files by "aspnet_compiler.exe". Which could be a sign of "aspnet_compiler" abuse to proxy execution through a build provider.
Detects the creation of new DLL assembly files by "aspnet_compiler.exe", which could be a sign of "aspnet_compiler" abuse to proxy execution through a build provider.
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
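Review bot: The rewritten description reads well, but the only reference for this rule is "Internal Research" even though the behaviour it describes (aspnet_compiler build-provider abuse) is the same technique documented by the LOLBAS entry cited two hunks below (https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/); consider adding that link here so analysts triaging a hit on the DLL-creation rule land on the same background as for the child-process rule.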
@@ -4,7 +4,7 @@ related:
- id: d2605a99-2218-4894-8fd3-2afb7946514d
type: similar
status: experimental
description: Detects DLL sideloading of unsigned "mfdetours.dll". While using "mftrace.exe" it can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution.
description: Detects DLL sideloading of unsigned "mfdetours.dll". Executing "mftrace.exe" can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution.
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
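Review bot: The new second sentence still has an agreement problem: "Executing "mftrace.exe" can be abused to attach to an arbitrary process" makes the act of executing the thing that is abused, while the subject that attaches is the tool itself. Suggest: `description: Detects DLL sideloading of unsigned "mfdetours.dll". "mftrace.exe" can be abused to attach to an arbitrary process and force-load any DLL named "mfdetours.dll" from the current working directory.`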
@@ -8,7 +8,7 @@ related:
- id: a01b8329-5953-4f73-ae2d-aa01e1f35f00 # Exec
type: similar
status: experimental
description: Detects potential suspicious child process of "aspnet_compiler.exe".
description: Detects potentially suspicious child processes of "aspnet_compiler.exe".
references:
- https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/
- https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/
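Review bot: "Detects potentially suspicious child processes" is fine; for consistency with the title rename in the next hunk ("Potentially Suspicious ASP.NET Compilation Via AspNetCompiler"), check that the title of this rule uses the same "Potentially Suspicious" form, since the two rules are linked as `type: similar` and will be read side by side.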
@@ -1,4 +1,4 @@
title: Potential Suspicious ASP.NET Compilation Via AspNetCompiler
title: Potentially Suspicious ASP.NET Compilation Via AspNetCompiler
id: 9f50fe98-fe5c-4a2d-86c7-fad7f63ed622 # Susp Paths
related:
- id: 9ccba514-7cb6-4c5c-b377-700758f2f120 # SuspChild
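Review bot: Renaming the title is safe because the related entries (`9ccba514-…  # SuspChild`) link by `id`, not by title, but the rename should be applied uniformly: any sibling rule in this family that still reads "Potential Suspicious …" will now look inconsistent next to "Potentially Suspicious …" in rule listings and alert titles.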
@@ -1,7 +1,7 @@
title: Indirect Inline Command Execution Via Bash.EXE
id: 5edc2273-c26f-406c-83f3-f4d948e740dd
status: experimental
description: Detects execution of Microsoft bash launcher with the "-c" flag. This can be used to potentially bypass defenses and execute linux or windows based binaries directly via bash
description: Detects execution of Microsoft bash launcher with the "-c" flag. This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash
references:
- https://lolbas-project.github.io/lolbas/Binaries/Bash/
author: frack113
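Review bot: The description is missing a terminating period and an article in both the old and new text ("Detects execution of Microsoft bash launcher"). Suggest: `description: Detects execution of the Microsoft bash launcher (bash.exe) with the "-c" flag. This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.`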
@@ -4,7 +4,7 @@ related:
- id: 5edc2273-c26f-406c-83f3-f4d948e740dd
type: similar
status: experimental
description: Detects execution of Microsoft bash launcher without any flags to execute the content of a bash script directly. This can be used to potentially bypass defenses and execute linux or windows based binaries directly via bash
description: Detects execution of Microsoft bash launcher without any flags to execute the content of a bash script directly. This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash
references:
- https://lolbas-project.github.io/lolbas/Binaries/Bash/
- https://linux.die.net/man/1/bash
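Review bot: Same wording issue as the sibling rule above: no trailing period and "Microsoft bash launcher" lacks an article. Suggest: `description: Detects execution of the Microsoft bash launcher (bash.exe) without any flags, which executes the content of a bash script directly. This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.`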
@@ -1,7 +1,7 @@
title: Assembly Loading Via CL_LoadAssembly.ps1
id: c57872c7-614f-4d7f-a40d-b78c8df2d30d
status: experimental
description: Detects calls to "LoadAssemblyFromPath" or "LoadAssemblyFromNS" that are part of the "CL_LoadAssembly.ps1" script. Which can be abused to load different assemblies and bypass App locker controls.
description: Detects calls to "LoadAssemblyFromPath" or "LoadAssemblyFromNS" that are part of the "CL_LoadAssembly.ps1" script. This can be abused to load different assemblies and bypass App locker controls.
references:
- https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/
- https://lolbas-project.github.io/lolbas/Scripts/CL_LoadAssembly/
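Review bot: "App locker" should be the product name "AppLocker" (the cited bohops reference even spells it that way in its URL). Suggest: `description: Detects calls to "LoadAssemblyFromPath" or "LoadAssemblyFromNS" that are part of the "CL_LoadAssembly.ps1" script. This can be abused to load arbitrary assemblies and bypass AppLocker controls.`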
@@ -1,7 +1,7 @@
title: Potential Script Proxy Execution Via CL_Mutexverifiers.ps1
id: 1e0e1a81-e79b-44bc-935b-ddb9c8006b3d
status: experimental
description: Detects the use of the Microsoft signed script "CL_mutexverifiers" to proxy the execution of additional powershell script commands
description: Detects the use of the Microsoft signed script "CL_mutexverifiers" to proxy the execution of additional PowerShell script commands
references:
- https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/
author: Nasreddine Bencherchali (Nextron Systems), oscd.community, Natalia Shornikova, frack113
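Review bot: Besides the PowerShell capitalisation fix, this description still has no terminating period, "Microsoft signed" should be hyphenated, and the script name is cased "CL_mutexverifiers" here but "CL_Mutexverifiers.ps1" in the title. Suggest: `description: Detects the use of the Microsoft-signed script "CL_Mutexverifiers.ps1" to proxy the execution of additional PowerShell script commands.`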
@@ -1,7 +1,7 @@
title: New BgInfo.EXE Custom DB Path Registry Configuration
id: 53330955-dc52-487f-a3a2-da24dcff99b5
status: experimental
description: Detects setting of a new registry database value related to BgInfo configuration. Attackers can set this value to save the results of the commands executed by BgInfo in order to exfiltrate information for example.
description: Detects setting of a new registry database value related to BgInfo configuration. Attackers can for example set this value to save the results of the commands executed by BgInfo in order to exfiltrate information.
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
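Review bot: Moving "for example" earlier is the right idea, but it needs commas to read cleanly: `Attackers can, for example, set this value to save the output of the commands executed by BgInfo in order to exfiltrate information.` Also "registry database value" is ambiguous; given the title ("Custom DB Path"), "a new database path value in the BgInfo registry configuration" states what is actually being set.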
@@ -4,7 +4,7 @@ related:
- id: cd277474-5c52-4423-a52b-ac2d7969902f
type: similar
status: experimental
description: Detects setting of a new registry value related to BgInfo configuration. Which can be abused to execute custom VBScript via "BgInfo.exe"
description: Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom VBScript via "BgInfo.exe"
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
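Review bot: The joined sentence now reads correctly but is missing its terminating period. Suggest: `description: Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom VBScript via "BgInfo.exe".`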
@@ -4,7 +4,7 @@ related:
- id: 992dd79f-dde8-4bb0-9085-6350ba97cfb3
type: similar
status: experimental
description: Detects setting of a new registry value related to BgInfo configuration. Which can be abused to execute custom WMI query via "BgInfo.exe"
description: Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom WMI query via "BgInfo.exe"
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
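Review bot: Same as the VBScript sibling: "execute custom WMI query" needs an article and the sentence needs a terminating period. Suggest: `description: Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute a custom WMI query via "BgInfo.exe".`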