diff --git a/YML-Schema.yml b/YML-Schema.yml
index 2159230a3..0ce084a2d 100644
--- a/YML-Schema.yml
+++ b/YML-Schema.yml
@@ -74,6 +74,7 @@ mapping:
 "Path":
 type: str
 required: true
+ pattern: '^(([cC]:)\\([a-zA-Z0-9\-\_\. \(\)\<\>]+\\)*([a-zA-Z0-9_\-\.]+\.[a-z0-9]{3})|no default)$'
 "Code_Sample":
 type: seq
 required: false
diff --git a/yml/HonorableMentions/Code.yml b/yml/HonorableMentions/Code.yml
index 574b13bfd..6ea998280 100644
--- a/yml/HonorableMentions/Code.yml
+++ b/yml/HonorableMentions/Code.yml
@@ -12,7 +12,7 @@ Commands:
 MitreID: T1219
 OperatingSystem: Windows 10, Windows 11
 Full_Path:
- - Path: '%LOCALAPPDATA%\Programs\Microsoft VS Code\Code.exe'
+ - Path: 'C:\Users\\AppData\Local\Programs\Microsoft VS Code\Code.exe'
 - Path: C:\Program Files\Microsoft VS Code\Code.exe
 - Path: C:\Program Files (x86)\Microsoft VS Code\Code.exe
 Detection:
diff --git a/yml/HonorableMentions/PowerShell.yml b/yml/HonorableMentions/PowerShell.yml
index dfc304857..cfcfc319a 100644
--- a/yml/HonorableMentions/PowerShell.yml
+++ b/yml/HonorableMentions/PowerShell.yml
@@ -26,8 +26,8 @@ Commands:
 MitreID: T1059.001
 OperatingSystem: Windows 7 and up
 Full_Path:
- - Path: '%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe'
- - Path: '%SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
+ - Path: 'C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe'
+ - Path: 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
 Detection:
 - Sigma: https://github.com/SigmaHQ/sigma/tree/71ae004b32bb3c7fb04714f8a051fc8e5edda68c/rules/windows/powershell
 Resources:
diff --git a/yml/OSBinaries/OneDriveStandaloneUpdater.yml b/yml/OSBinaries/OneDriveStandaloneUpdater.yml
index 5ff829e1f..5bce0a0f1 100644
--- a/yml/OSBinaries/OneDriveStandaloneUpdater.yml
+++ b/yml/OSBinaries/OneDriveStandaloneUpdater.yml
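Review bot: The new `pattern` on `Path` has no alternative for an environment-variable root (`%LOCALAPPDATA%`, `%SystemRoot%`) or for a wildcard/placeholder segment, and that gap is what pushes every data hunk in this commit to flatten those into literal `C:\Users\\AppData\Local\...` and `...\\...` values. As I read the regex (single-quoted YAML, so `\\` reaches the engine as one literal backslash, and each directory segment is a `[...]+` class needing at least one character), an empty segment does not match, so the rewritten entries would fail the very pattern being added; worth confirming by running the validator over the whole tree before merging. A pattern that admits the existing conventions, e.g. `pattern: '^((([cC]:|%[A-Za-z_]+%)\\([a-zA-Z0-9\-_\. \(\)<>*]+\\)*[a-zA-Z0-9_\-\.]+\.[a-z0-9]{3})|no default)$'`, would let the original paths stand once `{version}` / `[SDK version]` placeholders are normalised to `*`. Note also that `{3}` hard-codes a three-character extension, so any entry in the tree with a two- or four-character one would need the pattern widened too. The enclosing `mapping:` block starts before this hunk.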
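Review bot: The replacement value `'C:\Users\\AppData\Local\Programs\Microsoft VS Code\Code.exe'` is single-quoted, so `\\` is a literal doubled backslash and the path now carries an empty user-name segment; that is not a location that exists on any host, and as I read the pattern added to YML-Schema.yml in this same commit it is rejected by it as well. The same empty-segment rewrite is made in OneDriveStandaloneUpdater.yml, Squirrel.yml, Teams.yml and Update.yml (environment-variable root dropped) and in Createdump.yml, Devinit.yml, Fsi.yml, Microsoft.NodejsTools.PressAnyKey.yml, VisualUiaVerifyNative.yml, VsLaunchBrowser.yml and pester.yml (wildcard or version placeholder dropped), while devtunnels.yml keeps the pre-existing form of the same problem. Anything that keys on these paths for hunting or detection gets a value that matches nothing on disk, and a reader can no longer tell whether a per-user or a versioned directory was meant. Keep the original `'%LOCALAPPDATA%\Programs\Microsoft VS Code\Code.exe'` and widen the schema pattern to accept `%VAR%` roots and a `*` segment instead. The `Commands:` entry this belongs to starts before the hunk.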
@@ -12,7 +12,7 @@ Commands:
 MitreID: T1105
 OperatingSystem: Windows 10
 Full_Path:
- - Path: '%localappdata%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe'
+ - Path: 'C:\Users\\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe'
 Detection:
 - IOC: HKCU\Software\Microsoft\OneDrive\UpdateOfficeConfig\UpdateRingSettingURLFromOC being set to a suspicious non-Microsoft controlled URL
 - IOC: Reports of downloading from suspicious URLs in %localappdata%\OneDrive\setup\logs\StandaloneUpdate_*.log files
diff --git a/yml/OSBinaries/msedge_proxy.yml b/yml/OSBinaries/msedge_proxy.yml
index 950e86279..7bfe43d66 100644
--- a/yml/OSBinaries/msedge_proxy.yml
+++ b/yml/OSBinaries/msedge_proxy.yml
@@ -1,7 +1,7 @@
 ---
 Name: msedge_proxy.exe
 Full_Path:
- - Path: C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge_proxy.exe
+ - Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe
 Description: Microsoft Edge Browser
 Author: 'Mert Daş'
 Created: 2023-08-18
diff --git a/yml/OSScripts/pester.yml b/yml/OSScripts/pester.yml
index bb4fd22c6..237afa951 100644
--- a/yml/OSScripts/pester.yml
+++ b/yml/OSScripts/pester.yml
@@ -26,8 +26,7 @@ Commands:
 MitreID: T1216
 OperatingSystem: Windows 10, Windows 11
 Full_Path:
- - Path: c:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\bin\Pester.bat
- - Path: c:\Program Files\WindowsPowerShell\Modules\Pester\*\bin\Pester.bat
+ - Path: c:\Program Files\WindowsPowerShell\Modules\Pester\\bin\Pester.bat
 Code_Sample:
 - Code:
 Detection:
diff --git a/yml/OtherMSBinaries/Bginfo.yml b/yml/OtherMSBinaries/Bginfo.yml
index 9f4e6e65a..386361e1f 100644
--- a/yml/OtherMSBinaries/Bginfo.yml
+++ b/yml/OtherMSBinaries/Bginfo.yml
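Review bot: The single new line `- Path: c:\Program Files\WindowsPowerShell\Modules\Pester\\bin\Pester.bat` also drops the concrete `3.4.0` entry, which was a real, pattern-conformant path (the new segment class accepts digits and dots), not a placeholder. Keep `- Path: c:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\bin\Pester.bat` and treat the `*` entry like the other placeholder paths in this commit rather than folding both into one value with an empty segment. The enclosing `Commands:` entry starts before the hunk.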
@@ -59,7 +59,7 @@ Commands:
 Tags:
 - Execute: WSH
 Full_Path:
- - Path: No fixed path
+ - Path: no default
 Detection:
 - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_bginfo.yml
 - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml
diff --git a/yml/OtherMSBinaries/Createdump.yml b/yml/OtherMSBinaries/Createdump.yml
index 60b678b9c..8498c5bee 100644
--- a/yml/OtherMSBinaries/Createdump.yml
+++ b/yml/OtherMSBinaries/Createdump.yml
@@ -12,10 +12,10 @@ Commands:
 MitreID: T1003
 OperatingSystem: Windows 10, Windows 11
 Full_Path:
- - Path: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\*\createdump.exe
- - Path: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\*\createdump.exe
- - Path: C:\Program Files\Microsoft Visual Studio\*\Community\dotnet\runtime\shared\Microsoft.NETCore.App\6.0.0\createdump.exe
- - Path: C:\Program Files (x86)\Microsoft Visual Studio\*\Community\dotnet\runtime\shared\Microsoft.NETCore.App\6.0.0\createdump.exe
+ - Path: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\\createdump.exe
+ - Path: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\\createdump.exe
+ - Path: C:\Program Files\Microsoft Visual Studio\\Community\dotnet\runtime\shared\Microsoft.NETCore.App\6.0.0\createdump.exe
+ - Path: C:\Program Files (x86)\Microsoft Visual Studio\\Community\dotnet\runtime\shared\Microsoft.NETCore.App\6.0.0\createdump.exe
 Detection:
 - Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_proc_dump_createdump.yml
 - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_renamed_createdump.yml
diff --git a/yml/OtherMSBinaries/DefaultPack.yml b/yml/OtherMSBinaries/DefaultPack.yml
index f919cbaa8..a63da1507 100644
--- a/yml/OtherMSBinaries/DefaultPack.yml
+++ b/yml/OtherMSBinaries/DefaultPack.yml
@@ -12,7 +12,7 @@ Commands:
 MitreID: T1218
 OperatingSystem: Windows
 Full_Path:
- - Path: C:\Program Files (x86)\Microsoft\DefaultPack\
+ - Path: C:\Program Files (x86)\Microsoft\DefaultPack\DefaultPack.exe
 Code_Sample:
 - Code:
 Detection:
diff --git a/yml/OtherMSBinaries/Devinit.yml b/yml/OtherMSBinaries/Devinit.yml
index 9bc0fe0f2..2ed83b489 100644
--- a/yml/OtherMSBinaries/Devinit.yml
+++ b/yml/OtherMSBinaries/Devinit.yml
@@ -12,8 +12,8 @@ Commands:
 MitreID: T1218.007
 OperatingSystem: Windows 10, Windows 11
 Full_Path:
- - Path: C:\Program Files\Microsoft Visual Studio\*\Community\Common7\Tools\devinit\devinit.exe
- - Path: C:\Program Files (x86)\Microsoft Visual Studio\*\Community\Common7\Tools\devinit\devinit.exe
+ - Path: C:\Program Files\Microsoft Visual Studio\\Community\Common7\Tools\devinit\devinit.exe
+ - Path: C:\Program Files (x86)\Microsoft Visual Studio\\Community\Common7\Tools\devinit\devinit.exe
 Detection:
 - Sigma: https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_devinit_lolbin_usage.yml
 Resources:
diff --git a/yml/OtherMSBinaries/Dnx.yml b/yml/OtherMSBinaries/Dnx.yml
index c887a20cc..44a00cd24 100644
--- a/yml/OtherMSBinaries/Dnx.yml
+++ b/yml/OtherMSBinaries/Dnx.yml
@@ -12,7 +12,7 @@ Commands:
 MitreID: T1127
 OperatingSystem: Windows
 Full_Path:
- - Path: N/A
+ - Path: no default
 Code_Sample:
 - Code:
 Detection:
diff --git a/yml/OtherMSBinaries/DumpMinitool.yml b/yml/OtherMSBinaries/DumpMinitool.yml
index 8cd9a97ea..086913997 100644
--- a/yml/OtherMSBinaries/DumpMinitool.yml
+++ b/yml/OtherMSBinaries/DumpMinitool.yml
@@ -12,7 +12,7 @@ Commands:
 MitreID: T1003.001
 OperatingSystem: Windows 10, Windows 11
 Full_Path:
- - Path: C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\Extensions\TestPlatform\Extensions
+ - Path: C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\Extensions\TestPlatform\Extensions\DumpMinitool.exe
 Detection:
 - Sigma: https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_dumpminitool_execution.yml
 - Sigma: https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_dumpminitool_susp_execution.yml
diff --git a/yml/OtherMSBinaries/Fsi.yml b/yml/OtherMSBinaries/Fsi.yml
index 29afc34e2..fb183235c 100644
--- a/yml/OtherMSBinaries/Fsi.yml
+++ b/yml/OtherMSBinaries/Fsi.yml
@@ -19,7 +19,7 @@ Commands:
 MitreID: T1059
 OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
 Full_Path:
- - Path: C:\Program Files\dotnet\sdk\[sdk version]\FSharp\fsi.exe
+ - Path: C:\Program Files\dotnet\sdk\\FSharp\fsi.exe
 - Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsi.exe
 Code_Sample:
 - Code: https://gist.github.com/NickTyrer/51eb8c774a909634fa69b4d06fc79ae1
diff --git a/yml/OtherMSBinaries/Mftrace.yml b/yml/OtherMSBinaries/Mftrace.yml
index ecc196774..09c960a8c 100644
--- a/yml/OtherMSBinaries/Mftrace.yml
+++ b/yml/OtherMSBinaries/Mftrace.yml
@@ -19,10 +19,10 @@ Commands:
 MitreID: T1127
 OperatingSystem: Windows
 Full_Path:
- - Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x86
- - Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x64
- - Path: C:\Program Files (x86)\Windows Kits\10\bin\x86
- - Path: C:\Program Files (x86)\Windows Kits\10\bin\x64
+ - Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x86\mftrace.exe
+ - Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x64\mftrace.exe
+ - Path: C:\Program Files (x86)\Windows Kits\10\bin\x86\mftrace.exe
+ - Path: C:\Program Files (x86)\Windows Kits\10\bin\x64\mftrace.exe
 Code_Sample:
 - Code:
 Detection:
diff --git a/yml/OtherMSBinaries/Microsoft.NodejsTools.PressAnyKey.yml b/yml/OtherMSBinaries/Microsoft.NodejsTools.PressAnyKey.yml
index db7324693..9ac12c29a 100644
--- a/yml/OtherMSBinaries/Microsoft.NodejsTools.PressAnyKey.yml
+++ b/yml/OtherMSBinaries/Microsoft.NodejsTools.PressAnyKey.yml
@@ -12,8 +12,8 @@ Commands:
 MitreID: T1127
 OperatingSystem: Windows
 Full_Path:
- - Path: C:\Program Files\Microsoft Visual Studio\*\Community\Common7\IDE\Extensions\Microsoft\NodeJsTools\NodeJsTools\Microsoft.NodejsTools.PressAnyKey.exe
- - Path: C:\Program Files (x86)\Microsoft Visual Studio\*\Community\Common7\IDE\Extensions\Microsoft\NodeJsTools\NodeJsTools\Microsoft.NodejsTools.PressAnyKey.exe
+ - Path: C:\Program Files\Microsoft Visual Studio\\Community\Common7\IDE\Extensions\Microsoft\NodeJsTools\NodeJsTools\Microsoft.NodejsTools.PressAnyKey.exe
+ - Path: C:\Program Files (x86)\Microsoft Visual Studio\\Community\Common7\IDE\Extensions\Microsoft\NodeJsTools\NodeJsTools\Microsoft.NodejsTools.PressAnyKey.exe
 Detection:
 - Sigma: https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_renamed_pressanykey.yml
 - Sigma: https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_pressanykey_lolbin_execution.yml
diff --git a/yml/OtherMSBinaries/Squirrel.yml b/yml/OtherMSBinaries/Squirrel.yml
index 73d68c66b..0055ff320 100644
--- a/yml/OtherMSBinaries/Squirrel.yml
+++ b/yml/OtherMSBinaries/Squirrel.yml
@@ -40,7 +40,7 @@ Commands:
 MitreID: T1218
 OperatingSystem: Windows 7 and up with Microsoft Teams installed
 Full_Path:
- - Path: '%localappdata%\Microsoft\Teams\current\Squirrel.exe'
+ - Path: 'C:\Users\\AppData\Local\Microsoft\Teams\current\Squirrel.exe'
 Code_Sample:
 - Code: https://github.com/jreegun/POC-s/tree/master/nuget-squirrel
 Detection:
diff --git a/yml/OtherMSBinaries/Teams.yml b/yml/OtherMSBinaries/Teams.yml
index 8d830e9a8..fffb4b1ff 100644
--- a/yml/OtherMSBinaries/Teams.yml
+++ b/yml/OtherMSBinaries/Teams.yml
@@ -26,7 +26,7 @@ Commands:
 MitreID: T1218.015
 OperatingSystem: Windows 10, Windows 11
 Full_Path:
- - Path: "%LOCALAPPDATA%\\Microsoft\\Teams\\current\\Teams.exe"
+ - Path: 'C:\Users\\AppData\Local\Microsoft\Teams\current\Teams.exe'
 Code_Sample:
 - Code: https://github.com/lltltk/LOLBAS-research/tree/master/Teams
 Detection:
diff --git a/yml/OtherMSBinaries/Update.yml b/yml/OtherMSBinaries/Update.yml
index b97549ab3..f4049a496 100644
--- a/yml/OtherMSBinaries/Update.yml
+++ b/yml/OtherMSBinaries/Update.yml
@@ -96,7 +96,7 @@ Commands:
 MitreID: T1070
 OperatingSystem: Windows 7 and up with Microsoft Teams installed
 Full_Path:
- - Path: '%localappdata%\Microsoft\Teams\update.exe'
+ - Path: 'C:\Users\\AppData\Local\Microsoft\Teams\update.exe'
 Code_Sample:
 - Code: https://github.com/jreegun/POC-s/tree/master/nuget-squirrel
 Detection:
diff --git a/yml/OtherMSBinaries/VisualUiaVerifyNative.yml b/yml/OtherMSBinaries/VisualUiaVerifyNative.yml
index bcb804bd5..d3c0b05be 100644
--- a/yml/OtherMSBinaries/VisualUiaVerifyNative.yml
+++ b/yml/OtherMSBinaries/VisualUiaVerifyNative.yml
@@ -12,9 +12,9 @@ Commands:
 MitreID: T1218
 OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
 Full_Path:
- - Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\arm64\UIAVerify\VisualUiaVerifyNative.exe
- - Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\x64\UIAVerify\VisualUiaVerifyNative.exe
- - Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\UIAVerify\VisualUiaVerifyNative.exe
+ - Path: c:\Program Files (x86)\Windows Kits\10\bin\\arm64\UIAVerify\VisualUiaVerifyNative.exe
+ - Path: c:\Program Files (x86)\Windows Kits\10\bin\\x64\UIAVerify\VisualUiaVerifyNative.exe
+ - Path: c:\Program Files (x86)\Windows Kits\10\bin\\UIAVerify\VisualUiaVerifyNative.exe
 Code_Sample:
 - Code:
 Detection:
diff --git a/yml/OtherMSBinaries/VsLaunchBrowser.yml b/yml/OtherMSBinaries/VsLaunchBrowser.yml
index 7e5c476d4..723ed3481 100644
--- a/yml/OtherMSBinaries/VsLaunchBrowser.yml
+++ b/yml/OtherMSBinaries/VsLaunchBrowser.yml
@@ -28,8 +28,8 @@ Commands:
 MitreID: T1127
 OperatingSystem: Windows
 Full_Path:
- - Path: C:\Program Files\Microsoft Visual Studio\{version}\Community\Common7\IDE\VSLaunchBrowser.exe
- - Path: C:\Program Files (x86)\Microsoft Visual Studio\{version}\Community\Common7\IDE\VSLaunchBrowser.exe
+ - Path: C:\Program Files\Microsoft Visual Studio\\Community\Common7\IDE\VSLaunchBrowser.exe
+ - Path: C:\Program Files (x86)\Microsoft Visual Studio\\Community\Common7\IDE\VSLaunchBrowser.exe
 Detection:
 - IOC: cmd.exe as sub-process of VSLaunchBrowser
 - IOC: URL on a VSLaunchBrowser command line
diff --git a/yml/OtherMSBinaries/devtunnels.yml b/yml/OtherMSBinaries/devtunnels.yml
index 630fcd730..141ce2c35 100644
--- a/yml/OtherMSBinaries/devtunnels.yml
+++ b/yml/OtherMSBinaries/devtunnels.yml
@@ -12,8 +12,8 @@ Commands:
 MitreID: T1105
 OperatingSystem: Windows 10, Windows 11, MacOS
 Full_Path:
- - Path: C:\Users\\AppData\Local\Temp\.net\devtunnel\
- - Path: C:\Users\\AppData\Local\Temp\DevTunnels
+ - Path: C:\Users\\AppData\Local\Temp\.net\devtunnel\devtunnel.exe
+ - Path: C:\Users\\AppData\Local\Temp\DevTunnels\devtunnel.exe
 Detection:
 - IOC: devtunnel.exe binary spawned
 - IOC: '*.devtunnels.ms'
diff --git a/yml/OtherMSBinaries/xsd.yml b/yml/OtherMSBinaries/xsd.yml
index a30e73a60..435807efd 100644
--- a/yml/OtherMSBinaries/xsd.yml
+++ b/yml/OtherMSBinaries/xsd.yml
@@ -14,7 +14,7 @@ Commands:
 Tags:
 - Download: INetCache
 Full_Path:
- - Path: C:\Program Files (x86)\Microsoft SDKs\Windows\{version}\bin\NETFX {version} Tools\xsd.exe
+ - Path: C:\Program Files (x86)\Microsoft SDKs\Windows\\bin\NETFX Tools\xsd.exe
 Detection:
 - IOC: URL on a xsd.exe command line
 - IOC: xsd.exe making unexpected network connections or DNS requests
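Review bot: `NETFX Tools` in the new xsd.yml `Path` is not a removed placeholder but a changed directory name: the old value read `NETFX {version} Tools`, with the version inside the segment, so the new segment names a directory that does not exist in that form, on top of the empty `Windows\\bin` segment. If the schema pattern is widened to accept `*` as a segment character, `- Path: C:\Program Files (x86)\Microsoft SDKs\Windows\*\bin\NETFX * Tools\xsd.exe` preserves the meaning; otherwise keep the original line. The enclosing `Commands:` entry starts before the hunk.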