Merge PR #4540 from @nasbench - Update Archived Rule References

chore: archive new rule references and update cache file

---------

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>

.github/latest_archiver_output.md

@@ -0,0 +1,130 @@
+# Reference Archiver Results
+
+Last Execution: 2023-11-03 14:11:09
+
+### Archiver Script Results
+
+
+#### Newly Archived References
+
+N/A
+
+#### Already Archived References
+
+- https://twitter.com/_JohnHammond/status/1708910264261980634
+- https://github.com/Pennyw0rth/NetExec/
+- https://thehackernews.com/2023/10/experts-warn-of-severe-flaws-affecting.html
+- https://linux.die.net/man/1/wget
+- https://github.com/1N3/Sn1per
+- https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security
+- https://github.com/Tib3rius/AutoRecon
+- https://github.com/pr0xylife/DarkGate/tree/main
+- https://github.com/HavocFramework/Havoc
+- https://github.com/redcanaryco/atomic-red-team/blob/987e3ca988ae3cff4b9f6e388c139c05bf44bbb8/atomics/T1003.001/T1003.001.md#L1
+- https://medium.com/@win3zz/inside-the-router-how-i-accessed-industrial-routers-and-reported-the-flaws-29c34213dfdf
+- https://ipfyx.fr/post/visual-studio-code-tunnel/
+- https://github.com/t3l3machus/hoaxshell
+- https://www.bleepingcomputer.com/news/security/lazarus-hackers-breach-aerospace-firm-with-new-lightlesscan-malware/
+- https://github.com/swisskyrepo/PayloadsAllTheThings/blob/c95a0a1a2855dc0cd7f7327614545fe30482a636/Upload%20Insecure%20Files/README.md
+- https://twitter.com/fr0s7_/status/1712780207105404948
+- https://code.visualstudio.com/docs/remote/tunnels
+- https://www.welivesecurity.com/en/eset-research/lazarus-luring-employees-trojanized-coding-challenges-case-spanish-aerospace-company/
+- https://www.virustotal.com/gui/file/288fc4f954f98d724e6fab32a89477943df5c0e9662cb199a19b90ae0c63aebe/detection
+- https://badoption.eu/blog/2023/01/31/code_c2.html
+- https://github.com/t3l3machus/Villain
+- https://www.thestack.technology/security-experts-call-for-incident-response-exercises-after-mass-cisco-device-exploitation/
+- https://www.virustotal.com/gui/file/94816439312563db982cd038cf77cbc5ef4c7003e3edee86e2b0f99e675ed4ed/behavior
+- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.PowerShell::EnableScripts
+- https://blog.cloudflare.com/how-cloudflare-mitigated-yet-another-okta-compromise/
+- https://www.trendmicro.com/en_us/research/22/d/spring4shell-exploited-to-deploy-cryptocurrency-miners.html
+- https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf
+- https://ss64.com/nt/regsvr32.html
+- https://github.com/redcanaryco/atomic-red-team/blob/987e3ca988ae3cff4b9f6e388c139c05bf44bbb8/atomics/T1518.001/T1518.001.md#atomic-test-1---security-software-discovery
+- https://github.com/Ne0nd0g/merlin
+- https://github.com/projectdiscovery/naabu
+- https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2
+- https://dataconomy.com/2023/10/23/okta-data-breach/
+- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md#atomic-test-2---security-software-discovery---powershell
+- https://learn.microsoft.com/en-us/windows/win32/api/olectl/nf-olectl-dllregisterserver
+- https://github.com/win3zz/CVE-2023-43261
+- https://www.beyondtrust.com/blog/entry/okta-support-unit-breach
+- https://invictus-ir.medium.com/ransomware-in-the-cloud-7f14805bbe82
+- https://www.kroll.com/en/insights/publications/cyber/microsoft-teams-used-as-initial-access-for-darkgate-malware
+- https://github.security.telekom.com/2023/08/darkgate-loader.html
+- https://vulncheck.com/blog/real-world-cve-2023-43261
+- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z
+- https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
+- https://github.com/pr0xylife/IcedID/blob/8dd1e218460db4f750d955b4c65b2f918a1db906/icedID_09.28.2023.txt
+
+#### Error While Archiving References
+
+- https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/
+- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
+- https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/
+- https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992
+- https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/
+- https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404
+- https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html
+- https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/
+- https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/
+- https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/
+- https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/
+- http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/
+- https://linux.die.net/man/8/useradd
+- https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
+- https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/
+- https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/
+- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a
+- https://paper.seebug.org/1495/
+- https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/
+- https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/
+- https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd
+- http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/
+- https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39
+- https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195
+- https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/
+- https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e
+- https://www.cyberciti.biz/faq/how-force-kill-process-linux/
+- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
+- http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/
+- https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/
+- http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/
+- https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2
+- https://linux.die.net/man/1/arecord
+- https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html
+- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftauthorization
+- https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/
+- http://www.hexacorn.com/blog/2020/02/05/stay-positive-lolbins-not/
+- https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html
+- https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/
+- https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/
+- https://petrusviet.medium.com/dancing-on-the-architecture-of-vmware-workspace-one-access-eng-ad592ae1b6dd
+- https://www.cyberciti.biz/faq/linux-remove-user-command/
+- https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/
+- https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/
+- https://www.hexacorn.com/blog/2017/01/14/beyond-good-ol-run-key-part-53/
+- https://www.sans.org/cyber-security-summit/archives
+- https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf
+- https://www.group-ib.com/resources/threat-research/red-curl-2.html
+- https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html
+- https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf
+- https://us-cert.cisa.gov/ncas/alerts/aa21-259a
+- http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/
+- https://news.ycombinator.com/item?id=29504755
+- https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin
+- https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/
+- https://us-cert.cisa.gov/ncas/alerts/aa21-008a
+- https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1
+- http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/
+- https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/
+- https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
+- http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/
+- https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode
+- https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
+- https://megatools.megous.com/
+- https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/
+- https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/
+- https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b
+- http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/
+- http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/
+- https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/

tests/rule-references.txt

@@ -3408,3 +3408,47 @@ https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-0003
 https://web.archive.org/web/20190209154607/https://subt0x11.blogspot.com/2018/04/wmicexe-whitelisting-bypass-hacking.html
 https://twitter.com/vysecurity/status/974806438316072960
 https://web.archive.org/web/20220815065318/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html
+https://twitter.com/_JohnHammond/status/1708910264261980634
+https://github.com/Pennyw0rth/NetExec/
+https://thehackernews.com/2023/10/experts-warn-of-severe-flaws-affecting.html
+https://linux.die.net/man/1/wget
+https://github.com/1N3/Sn1per
+https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security
+https://github.com/Tib3rius/AutoRecon
+https://github.com/pr0xylife/DarkGate/tree/main
+https://github.com/HavocFramework/Havoc
+https://github.com/redcanaryco/atomic-red-team/blob/987e3ca988ae3cff4b9f6e388c139c05bf44bbb8/atomics/T1003.001/T1003.001.md#L1
+https://medium.com/@win3zz/inside-the-router-how-i-accessed-industrial-routers-and-reported-the-flaws-29c34213dfdf
+https://ipfyx.fr/post/visual-studio-code-tunnel/
+https://github.com/t3l3machus/hoaxshell
+https://www.bleepingcomputer.com/news/security/lazarus-hackers-breach-aerospace-firm-with-new-lightlesscan-malware/
+https://github.com/swisskyrepo/PayloadsAllTheThings/blob/c95a0a1a2855dc0cd7f7327614545fe30482a636/Upload%20Insecure%20Files/README.md
+https://twitter.com/fr0s7_/status/1712780207105404948
+https://code.visualstudio.com/docs/remote/tunnels
+https://www.welivesecurity.com/en/eset-research/lazarus-luring-employees-trojanized-coding-challenges-case-spanish-aerospace-company/
+https://www.virustotal.com/gui/file/288fc4f954f98d724e6fab32a89477943df5c0e9662cb199a19b90ae0c63aebe/detection
+https://badoption.eu/blog/2023/01/31/code_c2.html
+https://github.com/t3l3machus/Villain
+https://www.thestack.technology/security-experts-call-for-incident-response-exercises-after-mass-cisco-device-exploitation/
+https://www.virustotal.com/gui/file/94816439312563db982cd038cf77cbc5ef4c7003e3edee86e2b0f99e675ed4ed/behavior
+https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.PowerShell::EnableScripts
+https://blog.cloudflare.com/how-cloudflare-mitigated-yet-another-okta-compromise/
+https://www.trendmicro.com/en_us/research/22/d/spring4shell-exploited-to-deploy-cryptocurrency-miners.html
+https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf
+https://ss64.com/nt/regsvr32.html
+https://github.com/redcanaryco/atomic-red-team/blob/987e3ca988ae3cff4b9f6e388c139c05bf44bbb8/atomics/T1518.001/T1518.001.md#atomic-test-1---security-software-discovery
+https://github.com/Ne0nd0g/merlin
+https://github.com/projectdiscovery/naabu
+https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2
+https://dataconomy.com/2023/10/23/okta-data-breach/
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md#atomic-test-2---security-software-discovery---powershell
+https://learn.microsoft.com/en-us/windows/win32/api/olectl/nf-olectl-dllregisterserver
+https://github.com/win3zz/CVE-2023-43261
+https://www.beyondtrust.com/blog/entry/okta-support-unit-breach
+https://invictus-ir.medium.com/ransomware-in-the-cloud-7f14805bbe82
+https://www.kroll.com/en/insights/publications/cyber/microsoft-teams-used-as-initial-access-for-darkgate-malware
+https://github.security.telekom.com/2023/08/darkgate-loader.html
+https://vulncheck.com/blog/real-world-cve-2023-43261
+https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z
+https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
+https://github.com/pr0xylife/IcedID/blob/8dd1e218460db4f750d955b4c65b2f918a1db906/icedID_09.28.2023.txt