Merge PR #4868 from @nasbench - Archive new rule references and update cache file
chore: archive new rule references and update cache file Co-authored-by: nasbench <nasbench@users.noreply.github.com>
Commit 3be29eb79e (parent 48f2d09699), committed by GitHub. +277 -274
@@ -1,298 +1,301 @@
|
||||
# Reference Archiver Results
|
||||
|
||||
Last Execution: 2024-05-15 01:51:41
|
||||
Last Execution: 2024-06-01 01:53:02
|
||||
|
||||
### Archiver Script Results
|
||||
|
||||
|
||||
#### Newly Archived References
|
||||
|
||||
N/A
|
||||
- https://web.archive.org/web/20200929062532/https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html
|
||||
|
||||
#### Already Archived References
|
||||
|
||||
- https://mrd0x.com/sentinelone-persistence-via-menu-context/
|
||||
- https://lab52.io/blog/winter-vivern-all-summer/
|
||||
- https://www.sentinelone.com/labs/black-basta-ransomware-attacks-deploy-custom-edr-evasion-tools-tied-to-fin7-threat-actor/
|
||||
- https://rhinosecuritylabs.com/research/cve-2024-1212unauthenticated-command-injection-in-progress-kemp-loadmaster/
|
||||
- https://unit42.paloaltonetworks.com/unsigned-dlls/?web_view=true
|
||||
- https://www.trendmicro.com/en_za/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html
|
||||
- https://security.paloaltonetworks.com/CVE-2024-3400
|
||||
- https://posts.specterops.io/passwordless-persistence-and-privilege-escalation-in-azure-98a01310be3f
|
||||
- https://gist.github.com/nasbench/9a1ba4bc7094ea1b47bc42bf172961af
|
||||
- https://regex101.com/r/RugQYK/1
|
||||
- https://twitter.com/ReneFreingruber/status/1172244989335810049
|
||||
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd348773(v=ws.10)
|
||||
- https://www.elastic.co/guide/en/security/current/kubernetes-pod-created-with-hostnetwork.html
|
||||
- https://twitter.com/cyb3rops/status/1096842275437625346
|
||||
- https://github.com/iagox86/dnscat2
|
||||
- https://github.com/redcanaryco/atomic-red-team/blob/58496ee3306e6e42a7054d36a94e6eb561ee3081/atomics/T1070.008/T1070.008.md#atomic-test-4---copy-and-modify-mailbox-data-on-windows
|
||||
- https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
|
||||
- https://www.malwarebytes.com/blog/detections/pum-optional-nodispcpl
|
||||
- https://github.com/xuanxuan0/DripLoader
|
||||
- https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-21-wmievent-wmieventconsumertofilter-activity-detected
|
||||
- https://www.cve.org/CVERecord?id=CVE-2024-1708
|
||||
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-mysql-malware-infection-via-user-defined-functions-udf/
|
||||
- https://lolbas-project.github.io/lolbas/Binaries/Wlrmdr/
|
||||
- https://github.com/EmpireProject/PSInject
|
||||
- https://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign
|
||||
- https://csirt-cti.net/2024/02/01/stately-taurus-continued-new-information-on-cyberespionage-attacks-against-myanmar-military-junta/
|
||||
- https://www.linkedin.com/pulse/exploit-available-dangerous-ms-office-rce-vuln-called-thebenygreen-
|
||||
- https://learn.microsoft.com/en-us/windows/win32/intl/code-page-identifiers
|
||||
|
||||
#### Error While Archiving References
|
||||
|
||||
- http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/
|
||||
- http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/
|
||||
- https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/
|
||||
- https://www.attackiq.com/2023/09/20/emulating-rhysida/
|
||||
- https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b
|
||||
- https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/
|
||||
- https://research.nccgroup.com/2022/07/13/climbing-mount-everest-black-byte-bytes-back/
|
||||
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5140
|
||||
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4771
|
||||
- https://confluence.atlassian.com/bitbucketserver/enable-ssh-access-to-git-repositories-776640358.html
|
||||
- https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/
|
||||
- https://www.mandiant.com/resources/blog/ukraine-and-sandworm-team
|
||||
- https://github.com/gentilkiwi/mimikatz
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2024-3400
|
||||
- https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/
|
||||
- https://www.virustotal.com/gui/file/beddf70a7bab805f0c0b69ac0989db6755949f9f68525c08cb874988353f78a9/content
|
||||
- https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/
|
||||
- https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5101
|
||||
- https://www.cisco.com/c/en/us/td/docs/ios/12_2sr/12_2sra/feature/guide/srmgtint.html#wp1127609
|
||||
- https://cloud.google.com/logging/docs/audit/understanding-audit-logs
|
||||
- https://www.tarasco.org/security/pwdump_7/
|
||||
- https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Esentutl.yml
|
||||
- https://www.virustotal.com/gui/file/6bb4cdbaef03b732a93559a58173e7f16b29bfb159a1065fae9185000ff23b4b
|
||||
- https://strontic.github.io/xcyclopedia/library/mode.com-59D1ED51ACB8C3D50F1306FD75F20E99.html
|
||||
- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings
|
||||
- https://learn.microsoft.com/en-us/windows/win32/msi/event-logging
|
||||
- https://web.archive.org/web/20200929062532/https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html
|
||||
- https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/
|
||||
- https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/
|
||||
- https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/
|
||||
- https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/
|
||||
- https://www.aon.com/cyber-solutions/aon_cyber_labs/linux-based-inter-process-code-injection-without-ptrace2/
|
||||
- https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-63---disable-remote-desktop-anti-alias-setting-through-registry
|
||||
- https://www.group-ib.com/blog/apt41-world-tour-2021/
|
||||
- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Writable%20hostPath%20mount/
|
||||
- https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
|
||||
- https://github.com/antonioCoco/RoguePotato
|
||||
- https://www.intrinsec.com/alphv-ransomware-gang-analysis/?cn-reloaded=1
|
||||
- https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html
|
||||
- https://blogs.vmware.com/security/2023/11/jupyter-rising-an-update-on-jupyter-infostealer.html
|
||||
- https://www.malwarebytes.com/blog/detections/pum-optional-nodispbackgroundpage
|
||||
- https://cybersecuritynews.com/rhysida-ransomware-attacking-windows/
|
||||
- https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html
|
||||
- https://www.virustotal.com/gui/file/1c547a064494a35d6b5e6b459de183ab2720a22725e082bed6f6629211f7abc1/behavior
|
||||
- https://securityscorecard.com/research/deep-dive-into-alphv-blackcat-ransomware
|
||||
- https://github.com/LOLBAS-Project/LOLBAS/pull/151
|
||||
- https://www.tarasco.org/security/pwdump_7/
|
||||
- https://intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf
|
||||
- https://www.sentinelone.com/labs/20-common-tools-techniques-used-by-macos-threat-actors-malware/
|
||||
- http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/
|
||||
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage
|
||||
- https://redcanary.com/blog/msix-installers/
|
||||
- https://securityintelligence.com/x-force/x-force-hive0129-targeting-financial-institutions-latam-banking-trojan/
|
||||
- https://www.mandiant.com/resources/blog/ukraine-and-sandworm-team
|
||||
- https://ngrok.com/blog-post/new-ngrok-domains
|
||||
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6416
|
||||
- https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/kdc-event-16-27-des-encryption-disabled
|
||||
- https://github.com/redcanaryco/atomic-red-team/blob/1fed40dc7e48f16ed44dcdd9c73b9222a70cca85/atomics/T1553.001/T1553.001.md
|
||||
- https://www.bleepingcomputer.com/news/security/hackers-exploit-windows-smartscreen-flaw-to-drop-darkgate-malware/
|
||||
- https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
|
||||
- https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/
|
||||
- https://www.virustotal.com/gui/file/b4b1fc65f87b3dcfa35e2dbe8e0a34ad9d8a400bec332025c0a2e200671038aa/behavior
|
||||
- https://strontic.github.io/xcyclopedia/library/mode.com-59D1ED51ACB8C3D50F1306FD75F20E99.html
|
||||
- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a
|
||||
- http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/
|
||||
- https://www.loobins.io/binaries/tmutil/
|
||||
- https://www.nextron-systems.com/2024/03/22/unveiling-kamikakabot-malware-analysis/
|
||||
- https://www.mandiant.com/resources/blog/triton-actor-ttp-profile-custom-attack-tools-detections
|
||||
- https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/
|
||||
- https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/
|
||||
- https://bazaar.abuse.ch/browse/signature/RaspberryRobin/
|
||||
- https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html
|
||||
- https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/
|
||||
- https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/
|
||||
- https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps
|
||||
- https://www.malwarebytes.com/blog/detections/pum-optional-nodispbackgroundpage
|
||||
- https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5101
|
||||
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine
|
||||
- https://thehackernews.com/2024/03/github-rolls-out-default-secret.html
|
||||
- https://www.virustotal.com/gui/search/behaviour_network%253A*.miningocean.org/files
|
||||
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/stop-service?view=powershell-7.4
|
||||
- https://www.cisco.com/c/en/us/td/docs/ios/12_2sr/12_2sra/feature/guide/srmgtint.html#wp1127609
|
||||
- https://blackpointcyber.com/resources/blog/breaking-through-the-screen/
|
||||
- https://tria.ge/240226-fhbe7sdc39/behavioral1
|
||||
- https://www.cadosecurity.com/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence/
|
||||
- https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/
|
||||
- https://support.google.com/a/answer/9261439
|
||||
- https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/
|
||||
- https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/
|
||||
- https://megatools.megous.com/
|
||||
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery
|
||||
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6281
|
||||
- https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/
|
||||
- https://malware.guide/browser-hijacker/remove-onelaunch-virus/
|
||||
- https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-cr-book/sec-a1-cr-book_chapter_0111.html
|
||||
- https://portmap.io/
|
||||
- https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
|
||||
- https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029
|
||||
- https://mp.weixin.qq.com/s/wUoBy7ZiqJL2CUOMC-8Wdg
|
||||
- https://twitter.com/Max_Mal_/status/1775222576639291859
|
||||
- https://confluence.atlassian.com/bitbucketserver/view-and-configure-the-audit-log-776640417.html
|
||||
- https://www.softperfect.com/products/networkscanner/
|
||||
- https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/config-mgmt/configuration/15-sy/config-mgmt-15-sy-book/cm-config-diff.html
|
||||
- https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
|
||||
- https://www.gradenegger.eu/en/details-of-the-event-with-id-53-of-the-source-microsoft-windows-certificationauthority/
|
||||
- http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/
|
||||
- https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/
|
||||
- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Sidecar%20Injection/
|
||||
- https://twitter.com/MsftSecIntel/status/1737895710169628824
|
||||
- https://blogs.vmware.com/security/2023/11/jupyter-rising-an-update-on-jupyter-infostealer.html
|
||||
- https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/
|
||||
- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Pod%20or%20container%20name%20similarily/
|
||||
- https://www.aon.com/cyber-solutions/aon_cyber_labs/linux-based-inter-process-code-injection-without-ptrace2/
|
||||
- https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers
|
||||
- https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/
|
||||
- https://thehackernews.com/2024/01/systembc-malwares-c2-server-analysis.html
|
||||
- https://www.hexacorn.com/blog/2023/12/31/1-little-known-secret-of-forfiles-exe/
|
||||
- http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/
|
||||
- https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/
|
||||
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd299871(v=ws.10)
|
||||
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4771
|
||||
- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings
|
||||
- https://forensicitguy.github.io/xloader-formbook-velvetsweatshop-spreadsheet/
|
||||
- https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html
|
||||
- http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/
|
||||
- https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/
|
||||
- https://blog.sekoia.io/darkgate-internals/
|
||||
- https://www.group-ib.com/resources/threat-research/red-curl-2.html
|
||||
- https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/
|
||||
- https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
|
||||
- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/List%20K8S%20secrets/
|
||||
- https://github.com/redcanaryco/atomic-red-team/blob/1fed40dc7e48f16ed44dcdd9c73b9222a70cca85/atomics/T1553.001/T1553.001.md
|
||||
- https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
|
||||
- https://unit42.paloaltonetworks.com/chromeloader-malware/
|
||||
- https://blackpointcyber.com/resources/blog/breaking-through-the-screen/
|
||||
- https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/
|
||||
- https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/
|
||||
- https://pentestlab.blog/tag/svchost/
|
||||
- https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966
|
||||
- https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-21-wmievent-wmieventconsumertofilter-activity-detected
|
||||
- https://www.elastic.co/guide/en/security/current/kubernetes-container-created-with-excessive-linux-capabilities.html
|
||||
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6416
|
||||
- https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/
|
||||
- https://blog.router-switch.com/2013/11/show-running-config/
|
||||
- https://akhere.hashnode.dev/hunting-unsigned-dlls-using-kql
|
||||
- https://thehackernews.com/2024/03/github-rolls-out-default-secret.html
|
||||
- https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations
|
||||
- https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior
|
||||
- https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/
|
||||
- https://github.com/deepinstinct/NoFilter/blob/121d215ab130c5e8e3ad45a7e7fcd56f4de97b4d/NoFilter/Consts.cpp
|
||||
- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Delete%20K8S%20events/
|
||||
- https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/
|
||||
- https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/
|
||||
- https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/
|
||||
- http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/
|
||||
- http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/
|
||||
- https://www.hexacorn.com/blog/2024/01/01/1-little-known-secret-of-hdwwiz-exe/
|
||||
- https://github.com/RhinoSecurityLabs/CVEs/blob/15cf4d86c83daa57b59eaa2542a0ed47ad3dc32d/CVE-2024-1212/CVE-2024-1212.py
|
||||
- https://tria.ge/240123-rapteaahhr/behavioral1
|
||||
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6281
|
||||
- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Exec%20into%20container/
|
||||
- https://github.com/redcanaryco/atomic-red-team/blob/5f866ca4517e837c4ea576e7309d0891e78080a8/atomics/T1040/T1040.md#atomic-test-16---powershell-network-sniffing
|
||||
- https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/
|
||||
- https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/
|
||||
- https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39
|
||||
- https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
|
||||
- https://paper.seebug.org/1495/
|
||||
- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html
|
||||
- https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/
|
||||
- https://bazaar.abuse.ch/sample/5cb9876681f78d3ee8a01a5aaa5d38b05ec81edc48b09e3865b75c49a2187831/
|
||||
- https://isc.sans.edu/diary/Microsoft+BITS+Used+to+Download+Payloads/21027
|
||||
- https://www.hexacorn.com/blog/2023/12/31/1-little-known-secret-of-forfiles-exe/
|
||||
- https://app.any.run/tasks/6720b85b-9c53-4a12-b1dc-73052a78477d
|
||||
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create
|
||||
- https://www.linkedin.com/pulse/exploit-available-dangerous-ms-office-rce-vuln-called-thebenygreen-
|
||||
- https://github.com/nasbench/Misc-Research/blob/8ee690e43a379cbce8c9d61107442c36bd9be3d3/Other/Undocumented-Flags-Sdbinst.md
|
||||
- https://malware.news/t/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/72170
|
||||
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf
|
||||
- https://github.com/redcanaryco/atomic-red-team/blob/7e11e9b79583545f208a6dc3fa062f2ed443d999/atomics/T1548.002/T1548.002.md
|
||||
- https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/
|
||||
- https://us-cert.cisa.gov/ncas/alerts/aa21-259a
|
||||
- https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html
|
||||
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup
|
||||
- https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/
|
||||
- http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/
|
||||
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1569.001/T1569.001.md
|
||||
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
|
||||
- https://github.com/ossec/ossec-hids/blob/master/etc/rules/syslog_rules.xml
|
||||
- https://www.cisco.com/en/US/docs/ios/security/command/reference/sec_a2.pdf
|
||||
- https://www.sentinelone.com/labs/20-common-tools-techniques-used-by-macos-threat-actors-malware/
|
||||
- https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029
|
||||
- https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps
|
||||
- https://www.hexacorn.com/blog/2024/01/06/1-little-known-secret-of-fondue-exe/
|
||||
- https://github.com/LOLBAS-Project/LOLBAS/pull/151
|
||||
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662
|
||||
- https://www.trendmicro.com/en_no/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html
|
||||
- https://intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf
|
||||
- https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin
|
||||
- https://www.cve.org/CVERecord?id=CVE-2024-1709
|
||||
- https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/
|
||||
- https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/cyberabwehr/2024-02-19-joint-cyber-security-advisory-englisch.pdf?__blob=publicationFile&v=2
|
||||
- https://www.cadosecurity.com/blog/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence
|
||||
- https://ss64.com/osx/sw_vers.html
|
||||
- https://tria.ge/231023-lpw85she57/behavioral2
|
||||
- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/container%20service%20account/
|
||||
- https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/
|
||||
- https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_22.12.2023.txt
|
||||
- https://www.softperfect.com/products/networkscanner/
|
||||
- https://www.deepwatch.com/labs/customer-advisory-fortios-ssl-vpn-vulnerability-cve-2022-42475-exploited-in-the-wild/
|
||||
- https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/kdc-event-16-27-des-encryption-disabled
|
||||
- https://objective-see.org/blog/blog_0x6D.html
|
||||
- https://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign
|
||||
- https://github.com/forgottentq/powershell/blob/9e616363d497143dc955c4fdce68e5c18d28a6cb/captureWindows-Endpoint.ps1#L13
|
||||
- https://confluence.atlassian.com/bitbucketserver/view-and-configure-the-audit-log-776640417.html
|
||||
- http://www.hexacorn.com/blog/2020/02/05/stay-positive-lolbins-not/
|
||||
- https://goodworkaround.com/2022/02/15/digging-into-azure-ad-certificate-based-authentication/
|
||||
- https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/
|
||||
- https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors
|
||||
- https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/
|
||||
- https://github.com/EmpireProject/PSInject
|
||||
- https://secjoes-reports.s3.eu-central-1.amazonaws.com/Sockbot%2Bin%2BGoLand.pdf
|
||||
- https://github.com/amlweems/xzbot?tab=readme-ov-file#backdoor-demo
|
||||
- https://tria.ge/240226-fhbe7sdc39/behavioral1
|
||||
- https://www.bleepingcomputer.com/news/security/anydesk-says-hackers-breached-its-production-servers-reset-passwords/
|
||||
- https://www.sans.org/cyber-security-summit/archives
|
||||
- https://github.com/lkys37en/Start-ADEnum/blob/5b42c54215fe5f57fc59abc52c20487d15764005/Functions/Start-ADEnum.ps1#L680
|
||||
- https://www.socinvestigation.com/most-common-windows-event-ids-to-hunt-mind-map/
|
||||
- https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns-exe.html
|
||||
- https://support.google.com/a/answer/9261439
|
||||
- https://github.com/amjcyber/EDRNoiseMaker
|
||||
- https://github.com/nasbench/Misc-Research/blob/b20da2336de0f342d31ef4794959d28c8d3ba5ba/ETW/Microsoft-Windows-Kernel-General.md
|
||||
- https://help.duo.com/s/article/6327?language=en_US
|
||||
- https://github.com/embedi/CVE-2017-11882
|
||||
- https://www.virustotal.com/gui/search/behaviour_network%253A*.miningocean.org/files
|
||||
- https://www.phpied.com/make-your-javascript-a-windows-exe/
|
||||
- https://securityscorecard.com/research/deep-dive-into-alphv-blackcat-ransomware
|
||||
- https://twitter.com/Max_Mal_/status/1775222576639291859
|
||||
- https://darkdefender.medium.com/windows-10-mail-app-forensics-39025f5418d2
|
||||
- https://twitter.com/DTCERT/status/1712785421845790799
|
||||
- https://ngrok.com/blog-post/new-ngrok-domains
|
||||
- https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash
|
||||
- https://www.gradenegger.eu/en/details-of-the-event-with-id-53-of-the-source-microsoft-windows-certificationauthority/
|
||||
- https://www.cve.org/CVERecord?id=CVE-2024-1708
|
||||
- http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/
|
||||
- https://github.com/xuanxuan0/DripLoader
|
||||
- https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195
|
||||
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage
|
||||
- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Sidecar%20Injection/
|
||||
- https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e
|
||||
- https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216
|
||||
- https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/config-mgmt/configuration/15-sy/config-mgmt-15-sy-book/cm-config-diff.html
|
||||
- https://www.virustotal.com/gui/file/5e75ef02517afd6e8ba6462b19217dc4a5a574abb33d10eb0f2bab49d8d48c22/behavior
|
||||
- https://megatools.megous.com/
|
||||
- https://learn.microsoft.com/en-us/windows/win32/intl/code-page-identifiers
|
||||
- https://www.cobaltstrike.com/blog/why-is-notepad-exe-connecting-to-the-internet
|
||||
- https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/Microsoft-Windows-MsiServer.xml
|
||||
- https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/
|
||||
- https://www.cadosecurity.com/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence/
|
||||
- https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf
|
||||
- https://www.virustotal.com/gui/file/364275326bbfc4a3b89233dabdaf3230a3d149ab774678342a40644ad9f8d614/details
|
||||
- https://mp.weixin.qq.com/s/wUoBy7ZiqJL2CUOMC-8Wdg
|
||||
- https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/
|
||||
- https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html
|
||||
- https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/
|
||||
- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Pod%20or%20container%20name%20similarily/
|
||||
- https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/
|
||||
- https://us-cert.cisa.gov/ncas/alerts/aa21-008a
|
||||
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery
|
||||
- https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841
|
||||
- https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/
|
||||
- https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/
|
||||
- https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers
|
||||
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-24---set-a-firewall-rule-using-new-netfirewallrule
|
||||
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625
|
||||
- https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf
|
||||
- https://x.com/_st0pp3r_/status/1742203752361128162?s=20
|
||||
- https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/
|
||||
- https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-cr-book/sec-a1-cr-book_chapter_0111.html
|
||||
- https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/
|
||||
- https://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/
|
||||
- https://github.com/grayhatkiller/SharpExShell
|
||||
- https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/
|
||||
- https://www.loobins.io/binaries/xattr/
|
||||
- https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/7b8935fe4c82cb64d61343de1a8b2e38dd968534/handbooks/10_post_exploitation.md
|
||||
- https://www.hexacorn.com/blog/2017/01/14/beyond-good-ol-run-key-part-53/
|
||||
- https://linux.die.net/man/1/arecord
|
||||
- https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967
|
||||
- https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html
|
||||
- https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992
|
||||
- https://github.com/wavestone-cdt/EDRSandblast
|
||||
- https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
|
||||
- https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/
|
||||
- https://ghoulsec.medium.com/misc-series-4-forensics-on-edrsilencer-events-428b20b3f983
|
||||
- https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass
|
||||
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/stop-service?view=powershell-7.4
|
||||
- https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/
|
||||
- https://web.archive.org/web/20160727113019/https://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/microsoft-antimalware-has-removed-history-of/f15af6c9-01a9-4065-8c6c-3f2bdc7de45e
|
||||
- https://dear-territory-023.notion.site/WebDav-Share-Testing-e4950fa0c00149c3aa430d779b9b1d0f?pvs=4
|
||||
- https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/
|
||||
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup
|
||||
- https://www.cyberciti.biz/faq/linux-remove-user-command/
|
||||
- https://www.elastic.co/guide/en/security/current/execution-of-com-object-via-xwizard.html
|
||||
- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a
|
||||
- https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml
|
||||
- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted
|
||||
- https://malware.news/t/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/72170
|
||||
- https://www.elastic.co/guide/en/security/current/potential-non-standard-port-ssh-connection.html
|
||||
- https://twitter.com/DTCERT/status/1712785426895839339
|
||||
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue
|
||||
- https://github.com/0xthirteen/SharpMove/
|
||||
- https://www.malwarebytes.com/blog/detections/pum-optional-nodispcpl
|
||||
- https://twitter.com/MsftSecIntel/status/1737895710169628824
|
||||
- https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch
|
||||
- https://anydesk.com/en/changelog/windows
|
||||
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd299871(v=ws.10)
|
||||
- https://redcanary.com/blog/msix-installers/
|
||||
- https://tria.ge/231212-r1bpgaefar/behavioral2
|
||||
- https://malware.guide/browser-hijacker/remove-onelaunch-virus/
|
||||
- http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/
|
||||
- https://www.myantispyware.com/2020/12/14/how-to-uninstall-onelaunch-browser-removal-guide/
|
||||
- http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/
|
||||
- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Privileged%20container/
|
||||
- https://thehackernews.com/2024/01/systembc-malwares-c2-server-analysis.html
|
||||
- https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode
|
||||
- https://news.ycombinator.com/item?id=29504755
|
||||
- https://web.archive.org/web/20160928212230/https://www.adaptforward.com/2016/09/using-netshell-to-execute-evil-dlls-and-persist-on-a-host/
|
||||
- https://lolbas-project.github.io/lolbas/Binaries/Wlrmdr/
|
||||
- https://strontic.github.io/xcyclopedia/library/dialer.exe-0B69655F912619756C704A0BF716B61F.html
|
||||
- https://github.com/redcanaryco/atomic-red-team/blob/58496ee3306e6e42a7054d36a94e6eb561ee3081/atomics/T1070.008/T1070.008.md#atomic-test-4---copy-and-modify-mailbox-data-on-windows
|
||||
- https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5010
|
||||
- https://bazaar.abuse.ch/browse/signature/RaspberryRobin/
|
||||
- https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
|
||||
- https://www.cyberciti.biz/faq/how-force-kill-process-linux/
|
||||
- https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1
|
||||
- https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html
|
||||
- https://www.fortiguard.com/psirt/FG-IR-22-398
|
||||
- https://cloud.google.com/access-context-manager/docs/audit-logging
|
||||
- https://lolbas-project.github.io/lolbas/Binaries/Tar/
|
||||
- https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-kubernetes.html#privilegeescalation-kubernetes-privilegedcontainer
|
||||
- https://www.trendmicro.com/en_us/research/18/d/new-macos-backdoor-linked-to-oceanlotus-found.html
|
||||
- https://community.fortinet.com/t5/FortiGate/Technical-Tip-Critical-vulnerability-Protect-against-heap-based/ta-p/239420
|
||||
- https://app.any.run/tasks/ec207948-4916-47eb-a0f4-4c6abb2e7668/
|
||||
- https://www.loobins.io/binaries/launchctl/
|
||||
- https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html
|
||||
- https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8
|
||||
- https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/
|
||||
- https://csirt-cti.net/2024/02/01/stately-taurus-continued-new-information-on-cyberespionage-attacks-against-myanmar-military-junta/
|
||||
- https://securityintelligence.com/x-force/x-force-hive0129-targeting-financial-institutions-latam-banking-trojan/
|
||||
- https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf
|
||||
- https://research.splunk.com/endpoint/07921114-6db4-4e2e-ae58-3ea8a52ae93f/
|
||||
- https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/1903/W10_1903_Pro_20200714_18362.959/WEPExplorer/Microsoft-Windows-WindowsUpdateClient.xml
|
||||
- https://www.trendmicro.com/en_us/research/18/d/new-macos-backdoor-linked-to-oceanlotus-found.html
|
||||
- https://github.com/rapid7/metasploit-framework/issues/11337
|
||||
- https://isc.sans.edu/diary/Microsoft+BITS+Used+to+Download+Payloads/21027
|
||||
- https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf
|
||||
- https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39
|
||||
- https://github.com/nasbench/Misc-Research/blob/8ee690e43a379cbce8c9d61107442c36bd9be3d3/Other/Undocumented-Flags-Sdbinst.md
|
||||
- https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch
|
||||
- https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html
|
||||
- https://tria.ge/231023-lpw85she57/behavioral2
|
||||
- https://bazaar.abuse.ch/sample/5cb9876681f78d3ee8a01a5aaa5d38b05ec81edc48b09e3865b75c49a2187831/
|
||||
- https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/
|
||||
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf
|
||||
- https://lolbas-project.github.io/lolbas/Binaries/Tar/
|
||||
- http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/
|
||||
- https://www.socinvestigation.com/most-common-windows-event-ids-to-hunt-mind-map/
|
||||
- https://asec.ahnlab.com/en/58878/
|
||||
- https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/
|
||||
- https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e
|
||||
- https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841
|
||||
- https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior
|
||||
- https://www.trendmicro.com/en_no/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html
|
||||
- https://github.com/redcanaryco/atomic-red-team/blob/5f866ca4517e837c4ea576e7309d0891e78080a8/atomics/T1040/T1040.md#atomic-test-16---powershell-network-sniffing
|
||||
- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Writable%20hostPath%20mount/
|
||||
- https://github.com/amlweems/xzbot?tab=readme-ov-file#backdoor-demo
|
||||
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-24---set-a-firewall-rule-using-new-netfirewallrule
|
||||
- https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5010
|
||||
- https://app.any.run/tasks/69c5abaa-92ad-45ba-8c53-c11e23e05d04/
|
||||
- https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195
|
||||
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create
|
||||
- https://community.fortinet.com/t5/FortiGate/Technical-Tip-Critical-vulnerability-Protect-against-heap-based/ta-p/239420
|
||||
- https://help.duo.com/s/article/6327?language=en_US
|
||||
- https://ghoulsec.medium.com/misc-series-4-forensics-on-edrsilencer-events-428b20b3f983
|
||||
- https://goodworkaround.com/2022/02/15/digging-into-azure-ad-certificate-based-authentication/
|
||||
- https://github.com/amjcyber/EDRNoiseMaker
|
||||
- https://www.bleepingcomputer.com/news/security/anydesk-says-hackers-breached-its-production-servers-reset-passwords/
|
||||
- https://github.com/wavestone-cdt/EDRSandblast
|
||||
- https://www.cve.org/CVERecord?id=CVE-2024-1709
|
||||
- https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/Microsoft-Windows-MsiServer.xml
|
||||
- https://dear-territory-023.notion.site/WebDav-Share-Testing-e4950fa0c00149c3aa430d779b9b1d0f?pvs=4
|
||||
- https://www.cyberciti.biz/faq/linux-remove-user-command/
|
||||
- https://www.myantispyware.com/2020/12/14/how-to-uninstall-onelaunch-browser-removal-guide/
|
||||
- https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1
|
||||
- https://www.mandiant.com/resources/blog/triton-actor-ttp-profile-custom-attack-tools-detections
|
||||
- https://www.cyberciti.biz/faq/how-force-kill-process-linux/
|
||||
- https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/
|
||||
- https://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/
|
||||
- https://tria.ge/231212-r1bpgaefar/behavioral2
|
||||
- https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations
|
||||
- https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966
|
||||
- https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/
|
||||
- https://www.hexacorn.com/blog/2017/01/14/beyond-good-ol-run-key-part-53/
|
||||
- https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/
|
||||
- https://www.hexacorn.com/blog/2024/01/01/1-little-known-secret-of-hdwwiz-exe/
|
||||
- https://paper.seebug.org/1495/
|
||||
- https://linux.die.net/man/1/arecord
|
||||
- https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-63---disable-remote-desktop-anti-alias-setting-through-registry
|
||||
- https://unit42.paloaltonetworks.com/chromeloader-malware/
|
||||
- https://cloud.google.com/logging/docs/audit/understanding-audit-logs
|
||||
- https://x.com/_st0pp3r_/status/1742203752361128162?s=20
|
||||
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662
|
||||
- https://objective-see.org/blog/blog_0x1E.html
|
||||
- https://www.virustotal.com/gui/file/364275326bbfc4a3b89233dabdaf3230a3d149ab774678342a40644ad9f8d614/details
|
||||
- https://tria.ge/240123-rapteaahhr/behavioral1
|
||||
- https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/
|
||||
- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Delete%20K8S%20events/
|
||||
- https://web.archive.org/web/20160928212230/https://www.adaptforward.com/2016/09/using-netshell-to-execute-evil-dlls-and-persist-on-a-host/
|
||||
- https://github.com/antonioCoco/RoguePotato
|
||||
- https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors
|
||||
- https://www.intrinsec.com/alphv-ransomware-gang-analysis/?cn-reloaded=1
|
||||
- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/container%20service%20account/
|
||||
- https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/
|
||||
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup
|
||||
- https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass
|
||||
- https://darkdefender.medium.com/windows-10-mail-app-forensics-39025f5418d2
|
||||
- https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992
|
||||
- https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Esentutl.yml
|
||||
- https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/
|
||||
- https://www.elastic.co/guide/en/security/current/kubernetes-container-created-with-excessive-linux-capabilities.html
|
||||
- https://github.com/grayhatkiller/SharpExShell
|
||||
- https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216
|
||||
- https://blog.router-switch.com/2013/11/show-running-config/
|
||||
- https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8
|
||||
- https://www.cadosecurity.com/blog/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence
|
||||
- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html
|
||||
- https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
|
||||
- https://github.com/deepinstinct/NoFilter/blob/121d215ab130c5e8e3ad45a7e7fcd56f4de97b4d/NoFilter/Consts.cpp
|
||||
- https://app.any.run/tasks/64043a79-165f-4052-bcba-e6e49f847ec1/
|
||||
- https://github.com/ossec/ossec-hids/blob/master/etc/rules/syslog_rules.xml
|
||||
- https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-kubernetes.html#privilegeescalation-kubernetes-privilegedcontainer
|
||||
- https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/
|
||||
- https://anydesk.com/en/changelog/windows
|
||||
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup
|
||||
- https://www.loobins.io/binaries/launchctl/
|
||||
- https://github.com/gentilkiwi/mimikatz
|
||||
- http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/
|
||||
- https://github.com/0xthirteen/SharpMove/
|
||||
- https://www.loobins.io/binaries/sysctl/#
|
||||
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1569.001/T1569.001.md
|
||||
- https://learn.microsoft.com/en-us/windows/win32/msi/event-logging
|
||||
- http://www.hexacorn.com/blog/2020/02/05/stay-positive-lolbins-not/
|
||||
- https://github.com/embedi/CVE-2017-11882
|
||||
- https://confluence.atlassian.com/bitbucketserver/enable-ssh-access-to-git-repositories-776640358.html
|
||||
- https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/
|
||||
- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Privileged%20container/
|
||||
- https://www.elastic.co/guide/en/security/current/execution-of-com-object-via-xwizard.html
|
||||
- https://pentestlab.blog/tag/svchost/
|
||||
- https://github.com/RhinoSecurityLabs/CVEs/blob/15cf4d86c83daa57b59eaa2542a0ed47ad3dc32d/CVE-2024-1212/CVE-2024-1212.py
|
||||
- https://news.ycombinator.com/item?id=29504755
|
||||
- https://www.hexacorn.com/blog/2024/01/06/1-little-known-secret-of-fondue-exe/
|
||||
- https://www.fortiguard.com/psirt/FG-IR-22-398
|
||||
- https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_22.12.2023.txt
|
||||
- https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b
|
||||
- https://github.com/redcanaryco/atomic-red-team/blob/7e11e9b79583545f208a6dc3fa062f2ed443d999/atomics/T1548.002/T1548.002.md
|
||||
- https://www.cisco.com/en/US/docs/ios/security/command/reference/sec_a2.pdf
|
||||
- https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode
|
||||
- https://cybersecuritynews.com/rhysida-ransomware-attacking-windows/
|
||||
- https://www.phpied.com/make-your-javascript-a-windows-exe/
|
||||
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625
|
||||
- https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html
|
||||
- https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html
|
||||
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5140
|
||||
- https://github.com/forgottentq/powershell/blob/9e616363d497143dc955c4fdce68e5c18d28a6cb/captureWindows-Endpoint.ps1#L13
|
||||
- https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/
|
||||
- https://github.com/nasbench/Misc-Research/blob/b20da2336de0f342d31ef4794959d28c8d3ba5ba/ETW/Microsoft-Windows-Kernel-General.md
|
||||
- https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns-exe.html
|
||||
- https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/
|
||||
- https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/1903/W10_1903_Pro_20200714_18362.959/WEPExplorer/Microsoft-Windows-WindowsUpdateClient.xml
|
||||
- https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/
|
||||
- https://defr0ggy.github.io/research/Abusing-Cloudflared-A-Proxy-Service-To-Host-Share-Applications/
|
||||
- https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml
|
||||
- https://evasions.checkpoint.com/techniques/macos.html
|
||||
- https://secjoes-reports.s3.eu-central-1.amazonaws.com/Sockbot%2Bin%2BGoLand.pdf
|
||||
- https://www.attackiq.com/2023/09/20/emulating-rhysida/
|
||||
- https://akhere.hashnode.dev/hunting-unsigned-dlls-using-kql
|
||||
- http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/
|
||||
- https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
|
||||
- https://www.virustotal.com/gui/file/6bb4cdbaef03b732a93559a58173e7f16b29bfb159a1065fae9185000ff23b4b
|
||||
- https://pro.twitter.com/JaromirHorejsi/status/1795001037746761892/photo/2
|
||||
- https://twitter.com/DTCERT/status/1712785421845790799
|
||||
- https://us-cert.cisa.gov/ncas/alerts/aa21-259a
|
||||
- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/List%20K8S%20secrets/
|
||||
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue
|
||||
- https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/7b8935fe4c82cb64d61343de1a8b2e38dd968534/handbooks/10_post_exploitation.md
|
||||
- https://www.cobaltstrike.com/blog/why-is-notepad-exe-connecting-to-the-internet
|
||||
- https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/
|
||||
- https://app.any.run/tasks/ec207948-4916-47eb-a0f4-4c6abb2e7668/
|
||||
- https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/
|
||||
- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted
|
||||
- https://www.loobins.io/binaries/xattr/
|
||||
- https://us-cert.cisa.gov/ncas/alerts/aa21-008a
|
||||
- https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967
|
||||
- https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/
|
||||
- https://www.sans.org/cyber-security-summit/archives
|
||||
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
|
||||
- https://objective-see.org/blog/blog_0x6D.html
|
||||
- https://docs.python.org/3/library/site.html
|
||||
- https://www.virustotal.com/gui/file/beddf70a7bab805f0c0b69ac0989db6755949f9f68525c08cb874988353f78a9/content
|
||||
- https://web.archive.org/web/20160727113019/https://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/microsoft-antimalware-has-removed-history-of/f15af6c9-01a9-4065-8c6c-3f2bdc7de45e
|
||||
- https://strontic.github.io/xcyclopedia/library/dialer.exe-0B69655F912619756C704A0BF716B61F.html
|
||||
- https://cloud.google.com/access-context-manager/docs/audit-logging
|
||||
- https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash
|
||||
- https://www.group-ib.com/blog/apt41-world-tour-2021/
|
||||
- https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2024-3400
|
||||
- https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/
|
||||
- https://www.deepwatch.com/labs/customer-advisory-fortios-ssl-vpn-vulnerability-cve-2022-42475-exploited-in-the-wild/
|
||||
- https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/
|
||||
- https://learn.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
|
||||
- https://twitter.com/DTCERT/status/1712785426895839339
|
||||
- https://ss64.com/osx/sw_vers.html
|
||||
- https://www.trendmicro.com/en_us/research/24/c/cve-2024-21412--darkgate-operators-exploit-microsoft-windows-sma.html
|
||||
- https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/cyberabwehr/2024-02-19-joint-cyber-security-advisory-englisch.pdf?__blob=publicationFile&v=2
|
||||
- https://app.any.run/tasks/6720b85b-9c53-4a12-b1dc-73052a78477d
|
||||
- https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/
|
||||
- https://research.nccgroup.com/2022/07/13/climbing-mount-everest-black-byte-bytes-back/
|
||||
- https://www.virustotal.com/gui/file/5e75ef02517afd6e8ba6462b19217dc4a5a574abb33d10eb0f2bab49d8d48c22/behavior
|
||||
- http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/
|
||||
- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Exec%20into%20container/
|
||||
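Review bot: most of this hunk is churn from reordering rather than a content change, so the "Already Archived References" block should be emitted in a stable sorted order before it is written to the cache file. The same URL appears once early in the hunk and again later at a different position, for example `- https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html` and `- https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch`, which is what a removed-then-re-added line looks like when the list order is not deterministic between runs. Sorting and de-duplicating the list in the archiver script (something like `sorted(set(refs))`, as a suggestion) before rendering the markdown would shrink future diffs to the entries that actually changed and make it obvious in review which references are genuinely new.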