Merge PR #4482 From @nasbench - Add New Automation Workflows

chore: update workflows and add quality-of-life updates and automation to the repository

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Nasreddine Bencherchali
2023-10-18 11:53:44 +02:00
committed by GitHub
parent cc4d2115b1
commit 95793d73bd
501 changed files with 7250 additions and 3382 deletions
@@ -22,7 +22,7 @@ detection:
- 'Function Get-ADRExcelComOb'
- 'Get-ADRGPO'
- 'Get-ADRDomainController'
- 'ADRecon-Report.xlsx' #Default
- 'ADRecon-Report.xlsx' # Default
condition: selection
falsepositives:
- Unknown
@@ -16,7 +16,7 @@ logsource:
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
#4194304 DONT_REQ_PREAUTH
# 4194304 DONT_REQ_PREAUTH
ScriptBlockText|contains|all:
- 'Get-ADUser'
- '-Filter'
@@ -29,7 +29,7 @@ detection:
- 'Windows-Defender-Features'
- 'Windows-Defender'
- 'Windows-Defender-ApplicationGuard'
#- 'Containers-DisposableClientVM' # Windows Sandbox
# - 'Containers-DisposableClientVM' # Windows Sandbox
condition: all of selection*
falsepositives:
- Unknown
@@ -21,7 +21,7 @@ detection:
selection_1:
ScriptBlockText|contains: '[Type]::GetTypeFromCLSID('
selection_2:
ScriptBlockText|contains:
ScriptBlockText|contains:
- '0002DF01-0000-0000-C000-000000000046'
- 'F6D90F16-9C73-11D3-B32E-00C04F990BB4'
- 'F5078F35-C551-11D3-89B9-0000F81FE221'
@@ -20,9 +20,9 @@ logsource:
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_pwsh_remove: #Autologger provider removal
selection_pwsh_remove: # Autologger provider removal
ScriptBlockText|contains: 'Remove-EtwTraceProvider '
selection_pwsh_set: #Provider “Enable” property modification
selection_pwsh_set: # Provider “Enable” property modification
ScriptBlockText|contains|all:
- 'Set-EtwTraceProvider '
- '0x11'
@@ -18,11 +18,11 @@ detection:
selection_cmdlet:
- ScriptBlockText|contains: 'Invoke-DNSExfiltrator'
- ScriptBlockText|contains|all:
- ' -i '
- ' -d '
- ' -p '
- ' -doh '
- ' -t '
- ' -i '
- ' -d '
- ' -p '
- ' -doh '
- ' -t '
condition: selection_cmdlet
falsepositives:
- Legitimate script
@@ -3,7 +3,7 @@ id: 73e67340-0d25-11eb-adc1-0242ac120002
status: test
description: Detects Obfuscated use of Clip.exe to execute PowerShell
references:
- https://github.com/SigmaHQ/sigma/issues/1009 #(Task 26)
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task 26)
author: Jonathan Cheong, oscd.community
date: 2020/10/13
modified: 2022/12/02
@@ -3,7 +3,7 @@ id: 779c8c12-0eb1-11eb-adc1-0242ac120002
status: test
description: Detects Obfuscated use of stdin to execute PowerShell
references:
- https://github.com/SigmaHQ/sigma/issues/1009 #(Task 25)
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task 25)
author: Jonathan Cheong, oscd.community
date: 2020/10/15
modified: 2022/12/03
@@ -3,7 +3,7 @@ id: 0adfbc14-0ed1-11eb-adc1-0242ac120002
status: test
description: Detects Obfuscated use of Environment Variables to execute PowerShell
references:
- https://github.com/SigmaHQ/sigma/issues/1009 #(Task 24)
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task 24)
author: Jonathan Cheong, oscd.community
date: 2020/10/15
modified: 2022/12/02
@@ -3,7 +3,7 @@ id: 20e5497e-331c-4cd5-8d36-935f6e2a9a07
status: test
description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
references:
- https://github.com/SigmaHQ/sigma/issues/1009 #(Task 19)
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task 19)
author: Timur Zinniatullin, oscd.community
date: 2020/10/18
modified: 2022/11/29
@@ -3,7 +3,7 @@ id: e6cb92b4-b470-4eb8-8a9d-d63e8583aae0
status: test
description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
references:
- https://github.com/SigmaHQ/sigma/issues/1009 #(Task 23)
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task 23)
author: Timur Zinniatullin, oscd.community
date: 2020/10/18
modified: 2022/11/29
@@ -3,7 +3,7 @@ id: 86b896ba-ffa1-4fea-83e3-ee28a4c915c7
status: test
description: Detects Obfuscated Powershell via Stdin in Scripts
references:
- https://github.com/SigmaHQ/sigma/issues/1009 #(Task28)
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task28)
author: Nikita Nazarov, oscd.community
date: 2020/10/12
modified: 2022/11/29
@@ -3,7 +3,7 @@ id: db92dd33-a3ad-49cf-8c2c-608c3e30ace0
status: test
description: Detects Obfuscated Powershell via use Clip.exe in Scripts
references:
- https://github.com/SigmaHQ/sigma/issues/1009 #(Task29)
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task29)
author: Nikita Nazarov, oscd.community
date: 2020/10/09
modified: 2022/11/29
@@ -3,7 +3,7 @@ id: e55a5195-4724-480e-a77e-3ebe64bd3759
status: test
description: Detects Obfuscated Powershell via use MSHTA in Scripts
references:
- https://github.com/SigmaHQ/sigma/issues/1009 #(Task31)
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task31)
author: Nikita Nazarov, oscd.community
date: 2020/10/08
modified: 2022/11/29
@@ -3,7 +3,7 @@ id: e54f5149-6ba3-49cf-b153-070d24679126
status: test
description: Detects Obfuscated Powershell via VAR++ LAUNCHER
references:
- https://github.com/SigmaHQ/sigma/issues/1009 #(Task27)
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task27)
author: Timur Zinniatullin, oscd.community
date: 2020/10/13
modified: 2022/12/02
@@ -19,7 +19,7 @@ detection:
ScriptBlockText|contains:
- 'AdjustTokenPrivileges'
- 'IMAGE_NT_OPTIONAL_HDR64_MAGIC'
#- 'LSA_UNICODE_STRING'
# - 'LSA_UNICODE_STRING'
- 'Metasploit'
- 'Microsoft.Win32.UnsafeNativeMethods'
- 'Mimikatz'
@@ -18,9 +18,9 @@ detection:
selection:
ScriptBlockText|contains:
- 'Add-ConstrainedDelegationBackdoor'
#- 'Add-Persistence' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
#- 'Add-RegBackdoor' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
#- 'Add-ScrnSaveBackdoor' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
# - 'Add-Persistence' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
# - 'Add-RegBackdoor' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
# - 'Add-ScrnSaveBackdoor' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
- 'Copy-VSS'
- 'Create-MultipleSessions'
- 'DataToEncode'
@@ -44,14 +44,14 @@ detection:
- 'FireBuster'
- 'FireListener'
- 'Get-Information ' # Space at the end is required. Otherwise, we get FP with Get-InformationBarrierReportDetails or Get-InformationBarrierReportSummary
#- 'Get-PassHashes' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
# - 'Get-PassHashes' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
- 'Get-PassHints'
- 'Get-Web-Credentials'
- 'Get-WebCredentials'
- 'Get-WLAN-Keys'
#- 'Gupt-Backdoor' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
# - 'Gupt-Backdoor' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
- 'HTTP-Backdoor'
#- 'Invoke-ADSBackdoor' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
# - 'Invoke-ADSBackdoor' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
- 'Invoke-AmsiBypass'
- 'Invoke-BruteForce'
- 'Invoke-CredentialsPhish'
@@ -62,18 +62,18 @@ detection:
- 'Invoke-JSRatRundll'
- 'Invoke-MimikatzWDigestDowngrade'
- 'Invoke-NetworkRelay'
#- 'Invoke-PortScan' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
#- 'Invoke-PoshRatHttp' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
# - 'Invoke-PortScan' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
# - 'Invoke-PoshRatHttp' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
- 'Invoke-PowerShellIcmp'
- 'Invoke-PowerShellUdp'
- 'Invoke-Prasadhak'
- 'Invoke-PSGcat'
- 'Invoke-PsGcatAgent'
#- 'Invoke-PsUACme' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
# - 'Invoke-PsUACme' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
- 'Invoke-SessionGopher'
- 'Invoke-SSIDExfil'
#- Jitter # Prone to FPs
#- 'Keylogger' # Too generic to be linked to Nishang
# - Jitter # Prone to FPs
# - 'Keylogger' # Too generic to be linked to Nishang
- 'LoggedKeys'
- 'Nishang'
- 'NotAllNameSpaces' # This is param to "Set-RemoteWMI"
@@ -19,7 +19,7 @@ detection:
ScriptBlockText|contains:
- 'Invoke-SMBAutoBrute'
- 'Invoke-GPOLinks'
#- 'Out-Minidump' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
# - 'Out-Minidump' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
- 'Invoke-Potato'
condition: selection
falsepositives:
@@ -4,7 +4,7 @@ status: test
description: Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md
- https://github.com/harleyQu1nn/AggressorScripts #AVQuery.cna
- https://github.com/harleyQu1nn/AggressorScripts # AVQuery.cna
author: Nikita Nazarov, oscd.community
date: 2020/10/16
modified: 2022/12/02
@@ -31,8 +31,8 @@ detection:
- 'SuspendThread'
- 'rundll32'
# - 'FromBase64'
#- 'Invoke-WMIMethod' # Prone to FP
#- 'http://127.0.0.1' # Prone to FP
# - 'Invoke-WMIMethod' # Prone to FP
# - 'http://127.0.0.1' # Prone to FP
condition: selection
falsepositives:
- Unknown
@@ -25,7 +25,7 @@ detection:
# &("{2}{3}{0}{4}{1}"-f 'e','Expression','I','nvok','-') (&("{0}{1}{2}"-f'N','ew-O','bject') Net.WebClient).DownloadString
# ${e`Nv:pATh}
- ScriptBlockText|re: '\w+`(\w+|-|.)`[\w+|\s]'
#- ScriptBlockText|re: '\((\'(\w|-|\.)+\'\+)+\'(\w|-|\.)+\'\)' TODO: fixme
# - ScriptBlockText|re: '\((\'(\w|-|\.)+\'\+)+\'(\w|-|\.)+\'\)' TODO: fixme
- ScriptBlockText|re: '"(\{\d\}){2,}"\s*-f' # trigger on at least two placeholders. One might be used for legitimate string formatting
- ScriptBlockText|re: '\$\{((e|n|v)*`(e|n|v)*)+:path\}|\$\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\}|\$\{env:((p|a|t|h)*`(p|a|t|h)*)+\}'
filter_chocolatey:
@@ -18,15 +18,15 @@ logsource:
detection:
selection_ioc:
- ScriptBlockText|contains|all:
- 'New-CimInstance '
- '-Namespace root/subscription '
- '-ClassName __EventFilter '
- '-Property ' #is a variable name
- 'New-CimInstance '
- '-Namespace root/subscription '
- '-ClassName __EventFilter '
- '-Property ' # is a variable name
- ScriptBlockText|contains|all:
- 'New-CimInstance '
- '-Namespace root/subscription '
- '-ClassName CommandLineEventConsumer '
- '-Property ' #is a variable name
- 'New-CimInstance '
- '-Namespace root/subscription '
- '-ClassName CommandLineEventConsumer '
- '-Property ' # is a variable name
condition: selection_ioc
falsepositives:
- Unknown