From 04df2e483a5e269995c49079e36e2927c656ea74 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Fri, 1 Nov 2024 10:49:49 +0100
Subject: [PATCH] Merge PR #5051 from @nasbench - Archive new rule references and update cache file

chore: archive new rule references and update cache file

Co-authored-by: nasbench
---
 .github/latest_archiver_output.md | 1054 ++++++++++++++---------------
 tests/rule-references.txt | 18 +
 2 files changed, 545 insertions(+), 527 deletions(-)

diff --git a/.github/latest_archiver_output.md b/.github/latest_archiver_output.md
index dd075557ff0..d699adc0d56 100644
--- a/.github/latest_archiver_output.md
+++ b/.github/latest_archiver_output.md
@@ -1,6 +1,6 @@
 # Reference Archiver Results
-Last Execution: 2024-10-01 02:09:15
+Last Execution: 2024-11-01 02:08:46
 ### Archiver Script Results
@@ -11,570 +11,570 @@ N/A #### Already Archived References -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4649 -- https://learn.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture -- https://www.sentinelone.com/labs/wip26-espionage-threat-actors-abuse-cloud-infrastructure-in-targeted-telco-attacks/ -- https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature -- https://gist.github.com/nasbench/ca6ef95db04ae04ffd1e0b1ce709cadd -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7 -- https://x.com/yarden_shafir/status/1822667605175324787 -- https://github.com/Hackplayers/evil-winrm/blob/7514b055d67ec19836e95c05bd63e7cc47c4c2aa/evil-winrm.rb -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#possible-attempt-to-access-primary-refresh-token-prt -- https://www.cadosecurity.com/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence/ -- https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/Microsoft-Windows-MsiServer.xml -- https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/config-mgmt/configuration/15-sy/config-mgmt-15-sy-book/cm-config-diff.html -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4699 -- https://anydesk.com/en/changelog/windows -- https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-0-16-1-scheduled-task-execution-at-scale-via-gpo.html -- https://www.virustotal.com/gui/file/b4b1fc65f87b3dcfa35e2dbe8e0a34ad9d8a400bec332025c0a2e200671038aa/behavior +- https://cybersecuritynews.com/rhysida-ransomware-attacking-windows/ +- https://pentestlab.blog/tag/svchost/ +- 
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6281 +- https://github.com/FalconForceTeam/FalconFriday/blob/master/Discovery/ADWS_Connection_from_Unexpected_Binary-Win.md +- https://github.com/MichaelGrafnetter/DSInternals/blob/39ee8a69bbdc1cfd12c9afdd7513b4788c4895d4/Src/DSInternals.PowerShell/DSInternals.psd1 +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-delete +- https://ss64.com/nt/shell.html +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8 +- https://learn.microsoft.com/en-us/iis/get-started/introduction-to-iis/iis-modules-overview +- https://www.logpoint.com/en/blog/shenanigans-of-scheduled-tasks/ +- https://decoded.avast.io/threatintel/apt-treasure-trove-avast-suspects-chinese-apt-group-mustang-panda-is-collecting-data-from-burmese-government-agencies-and-opposition-groups/ +- https://twitter.com/0gtweet/status/1720419490519752955 +- https://asec.ahnlab.com/en/78944/ +- https://research.splunk.com/endpoint/10399c1e-f51e-11eb-b920-acde48001122/ +- https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf +- https://www.sentinelone.com/blog/detecting-dsrm-account-misconfigurations/ +- https://github.com/forgottentq/powershell/blob/9e616363d497143dc955c4fdce68e5c18d28a6cb/captureWindows-Endpoint.ps1#L13 +- https://learn.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa #### Error While Archiving References -- https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/ -- http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/ -- https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf -- https://www.group-ib.com/blog/apt41-world-tour-2021/ -- https://www.huntress.com/blog/attacking-mssql-servers-pt-ii -- 
https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#non-compliant-device-sign-in -- https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/ -- http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ -- https://redcanary.com/blog/msix-installers/ -- https://github.com/yardenshafir/conference_talks/blob/3de1f5d7c02656c35117f067fbff0a219c304b09/OffensiveCon_2023_Your_Mitigations_are_My_Opportunities.pdf -- https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/ -- https://web.archive.org/web/20210512154016/https://github.com/AlsidOfficial/WSUSpendu/blob/master/WSUSpendu.ps1 -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#short-lived-accounts -- https://ss64.com/nt/shell.html -- https://github.com/search?q=repo%3AHackplayers%2Fevil-winrm++shell.run%28&type=code -- https://github.com/ossec/ossec-hids/blob/master/etc/rules/syslog_rules.xml -- https://symantec-enterprise-blogs.security.com/threat-intelligence/harvester-new-apt-attacks-asia -- https://redcanary.com/blog/threat-detection/process-masquerading/ -- https://www.logpoint.com/en/blog/shenanigans-of-scheduled-tasks/ -- https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/ -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic -- https://objective-see.org/blog/blog_0x1E.html -- https://gtfobins.github.io/gtfobins/env/#shell -- https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/ -- https://learn.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump -- https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_22.12.2023.txt -- https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers -- https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ -- https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/ -- 
https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931 -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd299871(v=ws.10) -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#atypical-travel -- https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations -- https://medium.com/@NullByteWht/hacking-macos-how-to-dump-1password-keepassx-lastpass-passwords-in-plaintext-723c5b1c311b -- https://web.archive.org/web/20230409194125/https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html -- https://learn.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support -- https://docs.microsoft.com/en-us/powershell/module/powershellwebaccess/install-pswawebapplication -- https://cloud.google.com/blog/topics/threat-intelligence/evolution-of-fin7/ -- https://www.elastic.co/guide/en/security/current/group-policy-abuse-for-privilege-addition.html#_setup_275 -- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a -- https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/ -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#password-spray -- https://defr0ggy.github.io/research/Utilizing-BTunnel-For-Data-Exfiltration/ -- https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4732 -- 
https://web.archive.org/web/20231015205935/https://githubmemory.com/repo/FunctFan/JNDIExploit -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1 -- https://bazaar.abuse.ch/browse/tag/one/ -- https://twitter.com/Kostastsale/status/1480716528421011458 -- https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966 -- https://web.archive.org/web/20231210115125/http://www.xuetr.com/ -- https://learn.microsoft.com/en-us/windows/win32/adschema/attributes-all -- https://www.loobins.io/binaries/pbpaste/ -- https://www.gradenegger.eu/en/details-of-the-event-with-id-53-of-the-source-microsoft-windows-certificationauthority/ -- https://twitter.com/standa_t/status/1808868985678803222 -- http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/ -- https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/ -- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#administrators-arent-using-their-privileged-roles -- https://www.zerodayinitiative.com/blog/2023/4/21/tp-link-wan-side-vulnerability-cve-2023-1389-added-to-the-mirai-botnet-arsenal -- https://gtfobins.github.io/gtfobins/nawk/#shell -- https://x.com/Max_Mal_/status/1826179497084739829 -- https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html -- https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf -- https://www.hexacorn.com/blog/2017/01/14/beyond-good-ol-run-key-part-53/ -- https://github.com/0xthirteen/SharpMove/ +- https://paper.seebug.org/1495/ +- https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100 +- https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps +- https://www.datadoghq.com/blog/monitor-kubernetes-audit-logs/#monitor-api-authentication-issues +- 
https://learn.microsoft.com/en-us/windows/client-management/manage-recall - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anonymous-ip-address -- https://web.archive.org/web/20210511204621/https://github.com/AlsidOfficial/WSUSpendu -- https://megatools.megous.com/ -- https://gtfobins.github.io/gtfobins/capsh/#shell -- https://web.archive.org/web/20220519091349/https://fatrodzianko.com/2020/02/15/dll-side-loading-appverif-exe/ -- https://docs.github.com/en/repositories/creating-and-managing-repositories/transferring-a-repository -- https://web.archive.org/web/20230329153811/https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html -- https://news.sophos.com/en-us/2024/08/07/sophos-mdr-hunt-tracks-mimic-ransomware-campaign-against-organizations-in-india/ -- https://www.action1.com/documentation/ -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4776 -- https://www.loobins.io/binaries/nscurl/ -- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise -- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::SecurityPage_AutoDetect -- https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts -- https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4661 -- https://linux.die.net/man/1/arecord +- https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/ +- https://web.archive.org/web/20160727113019/https://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/microsoft-antimalware-has-removed-history-of/f15af6c9-01a9-4065-8c6c-3f2bdc7de45e +- 
https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html +- https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/ +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4771 +- https://bazaar.abuse.ch/sample/8c75f8e94486f5bbf461505823f5779f328c5b37f1387c18791e0c21f3fdd576/ +- https://github.com/safedv/RustiveDump/blob/1a9b026b477587becfb62df9677cede619d42030/src/main.rs#L35 +- https://blog.sekoia.io/scattered-spider-laying-new-eggs/ +- https://labs.withsecure.com/publications/kapeka +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd +- http://www.hexacorn.com/blog/2020/02/05/stay-positive-lolbins-not/ +- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-assigned-outside-of-privileged-identity-management +- https://twitter.com/th3_protoCOL/status/1480621526764322817 +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-configuration-changes +- https://github.com/embedi/CVE-2017-11882 +- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Sidecar%20Injection/ +- https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/ - https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-configure-mfa-policy -- https://confluence.atlassian.com/bitbucketserver/enable-ssh-access-to-git-repositories-776640358.html -- https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/ -- https://www.aon.com/cyber-solutions/aon_cyber_labs/linux-based-inter-process-code-injection-without-ptrace2/ -- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations -- 
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4743 -- https://www.intrinsec.com/alphv-ransomware-gang-analysis/?cn-reloaded=1 -- https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-monitor-federation-changes -- https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors -- https://web.archive.org/web/20231230220738/https://www.lunasec.io/docs/blog/log4j-zero-day/ -- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide -- https://www.virustotal.com/gui/file/364275326bbfc4a3b89233dabdaf3230a3d149ab774678342a40644ad9f8d614/details -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#service-principal-assigned-to-a-role -- https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand -- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/replace -- https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer -- http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/ -- https://tria.ge/240521-ynezpagf56/behavioral1 -- https://github.com/FalconForceTeam/SOAPHound -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11) -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/hostname -- https://learn.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior +- https://linux.die.net/man/1/arecord +- https://github.com/Ylianst/MeshAgent/blob/52cf129ca43d64743181fbaf940e0b4ddb542a37/modules/win-dispatcher.js#L173 +- 
https://learn.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump +- https://www.hexacorn.com/blog/2024/01/06/1-little-known-secret-of-fondue-exe/ +- https://github.com/nettitude/SharpWSUS - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations -- https://web.archive.org/web/20230329155141/https://blog.menasec.net/2019/03/threat-hunting-26-remote-windows.html -- https://www.cobaltstrike.com/blog/why-is-notepad-exe-connecting-to-the-internet -- https://gtfobins.github.io/gtfobins/git/#shell -- https://web.archive.org/web/20220422215221/https://twitter.com/malware_traffic/status/1517622327000846338 -- https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications -- https://github.com/xephora/Threat-Remediation-Scripts/tree/main/Threat-Track/CS_INSTALLER -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-configuration-changes -- https://www.loobins.io/binaries/launchctl/ -- https://twitter.com/MsftSecIntel/status/1737895710169628824 -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup -- https://decoded.avast.io/threatintel/apt-treasure-trove-avast-suspects-chinese-apt-group-mustang-panda-is-collecting-data-from-burmese-government-agencies-and-opposition-groups/ -- https://www.hexacorn.com/blog/2023/12/31/1-little-known-secret-of-forfiles-exe/ -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-24---set-a-firewall-rule-using-new-netfirewallrule -- https://gtfobins.github.io/gtfobins/flock/#shell -- https://github.com/GhostPack/SharpDPAPI -- https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities -- https://trustedsec.com/blog/oops-i-udld-it-again -- https://www.loobins.io/binaries/tmutil/ -- 
https://web.archive.org/web/20211001064856/https://github.com/snovvcrash/DInjector -- https://tria.ge/240307-1hlldsfe7t/behavioral2/analog?main_event=Registry&op=SetValueKeyInt -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-process?view=powershell-7.4 -- https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1 -- https://community.fortinet.com/t5/FortiGate/Technical-Tip-Critical-vulnerability-Protect-against-heap-based/ta-p/239420 -- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#there-are-too-many-global-administrators -- https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-kubernetes.html#privilegeescalation-kubernetes-privilegedcontainer -- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/container%20service%20account/ +- https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966 - https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-process-creations-originating-from-psexec-and-wmi-commands -- https://github.com/nasbench/Misc-Research/blob/8ee690e43a379cbce8c9d61107442c36bd9be3d3/Other/Undocumented-Flags-Sdbinst.md -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file?view=powershell-7.2 -- https://github.com/DrorDvash/CVE-2022-22954_VMware_PoC -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/set_1 -- https://research.nccgroup.com/2022/07/13/climbing-mount-everest-black-byte-bytes-back/ -- https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension -- 
https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist#disable-quick-assist-within-your-organization -- https://github.com/MichaelGrafnetter/DSInternals/blob/39ee8a69bbdc1cfd12c9afdd7513b4788c4895d4/Src/DSInternals.PowerShell/DSInternals.psd1 -- https://blackpointcyber.com/resources/blog/breaking-through-the-screen/ -- https://web.archive.org/web/20230329170326/https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html -- https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#core-directory -- https://gtfobins.github.io/gtfobins/rsync/#shell -- https://www.sans.org/blog/defending-against-scattered-spider-and-the-com-with-cybercrime-intelligence/ -- https://www.tarasco.org/security/pwdump_7/ -- https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029 -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4625 -- https://web.archive.org/web/20230331181619/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/ -- https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216 -- https://web.archive.org/web/20210701042336/https://github.com/afwu/PrintNightmare -- https://learn.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps -- https://bazaar.abuse.ch/sample/5cb9876681f78d3ee8a01a5aaa5d38b05ec81edc48b09e3865b75c49a2187831/ -- https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html -- https://web.archive.org/web/20220830134315/https://content.fireeye.com/apt-41/rpt-apt41/ -- https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/ -- https://learn.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps +- https://www.loobins.io/binaries/launchctl/ +- https://www.softperfect.com/products/networkscanner/ +- 
https://www.intrinsec.com/alphv-ransomware-gang-analysis/?cn-reloaded=1 +- https://www.virustotal.com/gui/search/behaviour_network%253A*.miningocean.org/files +- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::SecurityPage_AutoDetect +- https://github.com/xephora/Threat-Remediation-Scripts/tree/main/Threat-Track/CS_INSTALLER +- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/what-is-applocker +- https://www.elastic.co/guide/en/security/current/startup-logon-script-added-to-group-policy-object.html +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malware-linked-ip-address-deprecated +- https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch +- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5010 +- https://twitter.com/Kostastsale/status/1646256901506605063?s=20 +- https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/ - https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/ -- https://github.com/nettitude/SharpWSUS -- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a -- https://www.hexacorn.com/blog/2024/01/06/1-little-known-secret-of-fondue-exe/ -- https://learn.microsoft.com/pt-br/windows/win32/secauthz/sid-strings -- https://labs.nettitude.com/blog/introducing-sharpwsus/ -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) -- https://learn.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=windowsserver2022-ps -- https://twitter.com/Max_Mal_/status/1775222576639291859 -- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Sidecar%20Injection/ -- 
https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#appid-uri-added-modified-or-removed -- https://www.cloudcoffee.ch/microsoft-365/configure-windows-laps-in-microsoft-intune/ -- https://tria.ge/220422-1pw1pscfdl/ -- https://web.archive.org/web/20190710034152/https://github.com/zerosum0x0/CVE-2019-0708 -- https://learn.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15 -- https://ss64.com/mac/chflags.html -- https://gtfobins.github.io/gtfobins/gawk/#shell -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-delete -- https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/ -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6281 -- https://www.microsoft.com/en-us/security/blog/2020/03/23/latest-astaroth-living-off-the-land-attacks-are-even-more-invisible-but-not-less-observable/ -- http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/ -- https://learn.microsoft.com/en-us/troubleshoot/windows-client/installing-updates-features-roles/system-registry-no-backed-up-regback-folder -- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf -- https://github.com/antonioCoco/RoguePotato +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/hostname +- https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf +- https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/ +- https://thedfirreport.com/2024/06/10/icedid-brings-screenconnect-and-csharp-streamer-to-alphv-ransomware-deployment/#detections - https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195 -- 
https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations -- https://localtonet.com/documents/supported-tunnels -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4698 -- https://tria.ge/220422-1nnmyagdf2/ -- https://web.archive.org/web/20180203014709/https://blog.alsid.eu/dcshadow-explained-4510f52fc19d?gi=c426ac876c48 +- https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software +- https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/ +- https://ss64.com/mac/hdiutil.html +- https://gtfobins.github.io/gtfobins/git/#shell +- https://web.archive.org/web/20231015205935/https://githubmemory.com/repo/FunctFan/JNDIExploit +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-credentials +- https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029 +- https://learn.microsoft.com/en-us/iis/configuration/system.applicationhost/sites/sitedefaults/logfile/ +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malicious-ip-address +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#activity-from-anonymous-ip-address +- https://www.binarydefense.com/resources/blog/icedid-gziploader-analysis/ +- https://tria.ge/240307-1hlldsfe7t/behavioral2/analog?main_event=Registry&op=SetValueKeyInt +- https://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/ +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4634 +- https://www.action1.com/documentation/ +- https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode - 
https://twitter.com/TheDFIRReport/status/1482078434327244805 -- https://research.splunk.com/endpoint/10399c1e-f51e-11eb-b920-acde48001122/ -- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-assigned-outside-of-privileged-identity-management -- https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/ +- https://web.archive.org/web/20211001064856/https://github.com/snovvcrash/DInjector +- https://bazaar.abuse.ch/browse/tag/one/ +- https://web.archive.org/web/20230329153811/https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html +- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#potential-stale-accounts-in-a-privileged-role - https://www.cyberciti.biz/faq/how-force-kill-process-linux/ -- https://twitter.com/NathanMcNulty/status/1785051227568632263 -- https://learn.microsoft.com/en-us/windows/win32/wmisdk/mofcomp -- https://www.nextron-systems.com/2024/03/22/unveiling-kamikakabot-malware-analysis/ -- https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/ -- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/what-is-applocker -- https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100 -- https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin -- https://blog.sekoia.io/scattered-spider-laying-new-eggs/ -- https://media.defense.gov/2021/Jul/19/2002805003/-1/-1/1/CSA_CHINESE_STATE-SPONSORED_CYBER_TTPS.PDF -- https://strontic.github.io/xcyclopedia/library/aclui.dll-F883E9CA757B622B032FDCA5BF33D0DF.html -- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#private_repository_forking -- 
https://learn.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool -- https://github.com/joaoviictorti/RustRedOps/tree/ce04369a246006d399e8c61d9fe0e6b34f988a49/Self_Deletion -- https://twitter.com/0gtweet/status/1720419490519752955 -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown -- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5010 -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.4 +- https://web.archive.org/web/20220422215221/https://twitter.com/malware_traffic/status/1517622327000846338 +- https://cyber.wtf/2023/12/06/the-csharp-streamer-rat/ +- https://any.run/report/6eea2773c1b4b5c6fb7c142933e220c96f9a4ec89055bf0cf54accdcde7df535/a407f006-ee45-420d-b576-f259094df091 +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4698 +- https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers +- https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6423 +- https://docs.microsoft.com/en-us/powershell/module/powershellwebaccess/install-pswawebapplication +- https://globetech.biz/index.php/2023/05/19/evading-edr-by-dll-sideloading-in-csharp/ +- https://docs.github.com/en/organizations/managing-organization-settings/transferring-organization-ownership +- https://www.aon.com/cyber-solutions/aon_cyber_labs/linux-based-inter-process-code-injection-without-ptrace2/ +- http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ +- https://www.hexacorn.com/blog/2017/01/14/beyond-good-ol-run-key-part-53/ +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4661 
+- https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216 +- https://www.hexacorn.com/blog/2024/01/01/1-little-known-secret-of-hdwwiz-exe/ +- https://unit42.paloaltonetworks.com/chromeloader-malware/ - https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/ -- https://www.binarydefense.com/resources/blog/icedid-gziploader-analysis/ -- https://gist.github.com/MHaggis/7e67b659af9148fa593cf2402edebb41 -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4634 -- https://www.virustotal.com/gui/search/behaviour_network%253A*.miningocean.org/files -- https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html +- https://www.attackiq.com/2023/09/20/emulating-rhysida/ +- https://www.loobins.io/binaries/tmutil/ +- https://web.archive.org/web/20230331181619/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/ +- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe +- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue - https://app.any.run/tasks/9a8fd563-4c54-4d0a-9ad8-1fe08339cbc3/ -- https://asec.ahnlab.com/en/78944/ -- https://www.elastic.co/guide/en/security/current/startup-logon-script-added-to-group-policy-object.html -- https://web.archive.org/web/20210725081645/https://github.com/cube0x0/CVE-2021-36934 -- https://news.sophos.com/en-us/2024/06/05/operation-crimson-palace-a-technical-deep-dive -- https://strontic.github.io/xcyclopedia/library/dialer.exe-0B69655F912619756C704A0BF716B61F.html -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-credentials -- https://tria.ge/240731-jh4crsycnb/behavioral2 -- 
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/takeown - https://gtfobins.github.io/gtfobins/awk/#shell -- https://www.group-ib.com/resources/threat-research/red-curl-2.html -- https://learn.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps -- https://cloud.google.com/logging/docs/audit/understanding-audit-logs -- https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/ -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4647 -- https://www.trustedsec.com/blog/art_of_kerberoast/ -- https://cybersecuritynews.com/rhysida-ransomware-attacking-windows/ -- https://learn.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa -- https://twitter.com/Kostastsale/status/1646256901506605063?s=20 -- https://www.sans.org/cyber-security-summit/archives -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11) -- https://www.bleepingcomputer.com/news/security/hackers-exploit-windows-smartscreen-flaw-to-drop-darkgate-malware/ -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-browser -- https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace -- https://app.any.run/tasks/25970bb5-f864-4e9e-9e1b-cc8ff9e6386a -- https://mp.weixin.qq.com/s/wUoBy7ZiqJL2CUOMC-8Wdg -- https://web.archive.org/web/20160727113019/https://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/microsoft-antimalware-has-removed-history-of/f15af6c9-01a9-4065-8c6c-3f2bdc7de45e -- https://web.archive.org/web/20230420013146/http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf -- 
https://www.sentinelone.com/blog/detecting-dsrm-account-misconfigurations/ -- https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/ -- https://www.sentinelone.com/blog/from-the-front-linesunsigned-macos-orat-malware-gambles-for-the-win/ -- https://bazaar.abuse.ch/browse/signature/RaspberryRobin/ -- https://github.com/Ylianst/MeshAgent -- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_IncludeUnspecifiedLocalSites -- https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/ -- https://app.any.run/tasks/69c5abaa-92ad-45ba-8c53-c11e23e05d04/ -- https://gtfobins.github.io/gtfobins/python/#shell +- https://learn.microsoft.com/en-us/windows/win32/shell/launch +- https://gtfobins.github.io/gtfobins/capsh/#shell +- https://web.archive.org/web/20221019044836/https://nsudo.m2team.org/en-us/ +- https://gtfobins.github.io/gtfobins/c89/#shell +- https://twitter.com/NathanMcNulty/status/1785051227568632263 +- https://www.virustotal.com/gui/file/ded20df574b843aaa3c8e977c2040e1498ae17c12924a19868df5b12dee6dfdd +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.4 +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup +- https://learn.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29 +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4616 +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-granted-highly-privileged-permissions +- https://github.com/redcanaryco/atomic-red-team/blob/5f866ca4517e837c4ea576e7309d0891e78080a8/atomics/T1040/T1040.md#atomic-test-16---powershell-network-sniffing +- 
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4673 +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-sign-in - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1 -- https://www.trendmicro.com/en_no/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html -- https://evasions.checkpoint.com/techniques/macos.html -- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#ssh_certificate_authority -- https://x.com/_st0pp3r_/status/1742203752361128162?s=20 +- https://www.hexacorn.com/blog/2018/04/24/extexport-yet-another-lolbin/ +- https://gtfobins.github.io/gtfobins/nawk/#shell +- https://www.virustotal.com/gui/file/5e75ef02517afd6e8ba6462b19217dc4a5a574abb33d10eb0f2bab49d8d48c22/behavior +- https://github.com/Ylianst/MeshAgent +- https://objective-see.org/blog/blog_0x1E.html +- https://learn.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019 +- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5012 +- https://www.elastic.co/guide/en/security/current/potential-non-standard-port-ssh-connection.html +- https://twitter.com/1ZRR4H/status/1537501582727778304 +- https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/ +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#impossible-travel +- https://intezer.com/blog/research/how-we-escaped-docker-in-azure-functions/ +- https://tria.ge/220422-1nnmyagdf2/ +- https://tria.ge/220422-1pw1pscfdl/ +- https://www.cloudcoffee.ch/microsoft-365/configure-windows-laps-in-microsoft-intune/ +- 
https://www.gradenegger.eu/en/details-of-the-event-with-id-53-of-the-source-microsoft-windows-certificationauthority/ +- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a +- https://www.microsoft.com/en-us/security/blog/2020/03/23/latest-astaroth-living-off-the-land-attacks-are-even-more-invisible-but-not-less-observable/ +- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Privileged%20container/ +- https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/cyberabwehr/2024-02-19-joint-cyber-security-advisory-englisch.pdf?__blob=publicationFile&v=2 +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-authentication-flows +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-process?view=powershell-7.4 +- https://web.archive.org/web/20220205033028/https://twitter.com/PythonResponder/status/1385064506049630211 +- https://web.archive.org/web/20230420013146/http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf +- https://github.com/joaoviictorti/RustRedOps/tree/ce04369a246006d399e8c61d9fe0e6b34f988a49/Self_Deletion +- https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/ +- https://gtfobins.github.io/gtfobins/c99/#shell +- https://web.archive.org/web/20230329163438/https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#password-spray +- https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-7.2 +- https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns-exe.html +- 
https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#appid-uri-added-modified-or-removed +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4776 +- https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/ +- https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/dsrm-credentials +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create +- https://github.com/nasbench/Misc-Research/blob/8ee690e43a379cbce8c9d61107442c36bd9be3d3/Other/Undocumented-Flags-Sdbinst.md +- https://twitter.com/standa_t/status/1808868985678803222 - https://twitter.com/DTCERT/status/1712785421845790799 -- https://ss64.com/nt/set.html -- https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/ -- https://us-cert.cisa.gov/ncas/alerts/aa21-008a -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4673 -- https://portswigger.net/daily-swig/vmware-horizon-under-attack-as-china-based-ransomware-group-targets-log4j-vulnerability -- https://web.archive.org/web/20180718061628/https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2 -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-user -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult -- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes -- https://www.dsinternals.com/en/dpapi-backup-key-theft-auditing/ -- https://web.archive.org/web/20170909091934/https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis -- https://learn.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-procoption-transact-sql?view=sql-server-ver16 -- 
https://commandk.dev/blog/guide-to-audit-k8s-secrets-for-compliance/ -- https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/ -- https://twitter.com/th3_protoCOL/status/1480621526764322817 -- https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch -- https://github.com/embedi/CVE-2017-11882 -- https://objective-see.org/blog/blog_0x6D.html - https://research.splunk.com/endpoint/07921114-6db4-4e2e-ae58-3ea8a52ae93f/ -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.4 -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4706 -- https://intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf -- https://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/ -- http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/ -- https://bazaar.abuse.ch/sample/8c75f8e94486f5bbf461505823f5779f328c5b37f1387c18791e0c21f3fdd576/ -- https://globetech.biz/index.php/2023/05/19/evading-edr-by-dll-sideloading-in-csharp/ -- https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=net-8.0 -- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html -- https://ipurple.team/2024/07/15/sharphound-detection/ -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4616 -- https://learn.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16 -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine -- https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/dsrm-credentials -- 
https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software -- https://paper.seebug.org/1495/ -- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services -- https://tria.ge/240123-rapteaahhr/behavioral1 -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-7.2 -- https://web.archive.org/web/20200530031906/https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/ -- https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32 +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd299871(v=ws.10) +- https://commandk.dev/blog/guide-to-audit-k8s-secrets-for-compliance/ +- https://labs.nettitude.com/blog/introducing-sharpwsus/ +- http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/ +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4794 +- https://gtfobins.github.io/gtfobins/gcc/#shell +- https://www.cyberciti.biz/faq/linux-remove-user-command/ +- https://news.sophos.com/en-us/2024/08/07/sophos-mdr-hunt-tracks-mimic-ransomware-campaign-against-organizations-in-india/ +- https://www.trendmicro.com/en_us/research/18/d/new-macos-backdoor-linked-to-oceanlotus-found.html +- https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#non-compliant-device-sign-in +- https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1 +- 
https://learn.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging +- https://web.archive.org/web/20210725081645/https://github.com/cube0x0/CVE-2021-36934 +- https://gist.github.com/mgeeky/3b11169ab77a7de354f4111aa2f0df38 +- https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/ +- https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/ +- https://learn.microsoft.com/en-us/azure/defender-for-cloud/file-integrity-monitoring-overview#which-files-should-i-monitor +- https://localtonet.com/documents/supported-tunnels +- https://github.com/rapid7/metasploit-framework/issues/11337 - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN -- https://research.checkpoint.com/2024/raspberry-robin-keeps-riding-the-wave-of-endless-1-days/ +- https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/ +- https://cloud.google.com/logging/docs/audit/understanding-audit-logs +- https://x.com/Max_Mal_/status/1826179497084739829 +- https://github.com/ricardojoserf/NativeDump/blob/01d8cd17f31f51f5955a38e85cd3c83a17596175/NativeDump/Program.cs#L258 +- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-24---set-a-firewall-rule-using-new-netfirewallrule +- https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist#disable-quick-assist-within-your-organization - https://learn.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool -- https://docs.github.com/en/organizations/managing-organization-settings/transferring-organization-ownership -- https://github.com/CICADA8-Research/RemoteKrbRelay -- https://www.trustedsec.com/blog/critical-vulnerability-in-progress-moveit-transfer-technical-analysis-and-recommendations/ -- https://gtfobins.github.io/gtfobins/mawk/#shell -- 
https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#things-to-monitor -- https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/ -- https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/ -- https://research.nccgroup.com/2018/11/22/turla-png-dropper-is-back/ -- https://www.myantispyware.com/2020/12/14/how-to-uninstall-onelaunch-browser-removal-guide/ -- https://cyber.wtf/2023/12/06/the-csharp-streamer-rat/ -- https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/ -- https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708 -- https://www.tenable.com/security/research/tra-2023-11 -- https://boinc.berkeley.edu/ -- https://www.datadoghq.com/blog/monitor-kubernetes-audit-logs/#monitor-api-authentication-issues -- https://asec.ahnlab.com/en/40263/ -- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Privileged%20container/ -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9 -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4771 -- https://github.com/CICADA8-Research/RemoteKrbRelay/blob/19ec76ba7aa50c2722b23359bc4541c0a9b2611c/Exploit/RemoteKrbRelay/Relay/Attacks/RemoteRegistry.cs#L31-L40 -- https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf -- https://learn.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd -- https://hijacklibs.net/entries/microsoft/built-in/mpsvc.html -- https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns-exe.html -- 
https://learn.microsoft.com/en-us/azure/defender-for-cloud/file-integrity-monitoring-overview#which-files-should-i-monitor -- https://twitter.com/1ZRR4H/status/1537501582727778304 -- https://learn.microsoft.com/en-us/windows/package-manager/winget/install#local-install -- https://www.malwarebytes.com/blog/detections/pum-optional-nodispbackgroundpage -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/systeminfo -- https://ss64.com/mac/hdiutil.html -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2 +- https://strontic.github.io/xcyclopedia/library/aclui.dll-F883E9CA757B622B032FDCA5BF33D0DF.html +- https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/ +- https://tria.ge/231212-r1bpgaefar/behavioral2 +- https://tria.ge/240123-rapteaahhr/behavioral1 +- https://www.loobins.io/binaries/pbpaste/ +- https://www.elastic.co/guide/en/security/current/group-policy-abuse-for-privilege-addition.html#_setup_275 +- https://web.archive.org/web/20210701042336/https://github.com/afwu/PrintNightmare +- https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=net-8.0 +- https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/ +- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a +- https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/ +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4741 +- https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html +- https://www.sentinelone.com/blog/from-the-front-linesunsigned-macos-orat-malware-gambles-for-the-win/ +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic +- 
https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39 +- https://github.com/yardenshafir/conference_talks/blob/3de1f5d7c02656c35117f067fbff0a219c304b09/OffensiveCon_2023_Your_Mitigations_are_My_Opportunities.pdf - https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/ -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5038 -- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Delete%20K8S%20events/ -- https://learn.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2022-ps -- https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/ -- https://dear-territory-023.notion.site/WebDav-Share-Testing-e4950fa0c00149c3aa430d779b9b1d0f?pvs=4 -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#assignment-and-elevation -- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_UNCAsIntranet -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-authentication-flows -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malware-linked-ip-address-deprecated -- https://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/ -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#bitlocker-key-retrieval -- https://blog.morphisec.com/vmware-identity-manager-attack-backdoor +- https://blackpointcyber.com/resources/blog/breaking-through-the-screen/ +- https://cloud.google.com/access-context-manager/docs/audit-logging +- https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/ +- 
https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.4 +- https://web.archive.org/web/20230329155141/https://blog.menasec.net/2019/03/threat-hunting-26-remote-windows.html +- https://github.com/grayhatkiller/SharpExShell +- http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/ +- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-activated-too-frequently +- https://gtfobins.github.io/gtfobins/rsync/#shell +- https://research.checkpoint.com/2024/raspberry-robin-keeps-riding-the-wave-of-endless-1-days/ +- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/xml/xslt/xslt-stylesheet-scripting-using-msxsl-script +- https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set +- https://learn.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16 +- https://github.com/FalconForceTeam/SOAPHound +- https://research.nccgroup.com/2022/07/13/climbing-mount-everest-black-byte-bytes-back/ +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-user +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11) +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2 +- https://twitter.com/Kostastsale/status/1480716528421011458 - https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates -- https://web.archive.org/web/20230329163438/https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/chcp -- https://learn.microsoft.com/en-us/windows/win32/shell/launch -- https://github.com/rapid7/metasploit-framework/issues/11337 -- 
https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response -- https://www.attackiq.com/2023/09/20/emulating-rhysida/ -- https://learn.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging -- https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain +- https://www.cobaltstrike.com/blog/why-is-notepad-exe-connecting-to-the-internet +- https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html +- http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/ +- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/List%20K8S%20secrets/ +- https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-monitor-federation-changes - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11) -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183 -- https://securelist.com/network-tunneling-with-qemu/111803/ -- https://securityintelligence.com/x-force/x-force-hive0129-targeting-financial-institutions-latam-banking-trojan/ -- https://github.com/redcanaryco/atomic-red-team/blob/5f866ca4517e837c4ea576e7309d0891e78080a8/atomics/T1040/T1040.md#atomic-test-16---powershell-network-sniffing -- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/xml/xslt/xslt-stylesheet-scripting-using-msxsl-script -- https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/ -- https://goodworkaround.com/2022/02/15/digging-into-azure-ad-certificate-based-authentication/ -- https://learn.microsoft.com/en-us/windows/win32/amsi/how-amsi-helps -- https://www.cve.org/CVERecord?id=CVE-2024-1709 -- https://learn.microsoft.com/en-us/windows/win32/shell/app-registration -- https://www.loobins.io/binaries/hdiutil/ -- 
https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-granted-highly-privileged-permissions -- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac +- https://www.dsinternals.com/en/dpapi-backup-key-theft-auditing/ +- https://tria.ge/240226-fhbe7sdc39/behavioral1 +- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#ssh_certificate_authority +- https://redcanary.com/blog/msix-installers/ +- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine +- https://www.cisco.com/c/en/us/td/docs/ios/12_2sr/12_2sra/feature/guide/srmgtint.html#wp1127609 +- https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/ +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#bitlocker-key-retrieval +- https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/ +- https://learn.microsoft.com/pt-br/windows/win32/secauthz/sid-strings +- https://web.archive.org/web/20230329170326/https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anomalous-token +- https://learn.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool +- https://strontic.github.io/xcyclopedia/library/dialer.exe-0B69655F912619756C704A0BF716B61F.html +- https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/ +- https://www.bleepingcomputer.com/news/security/hackers-exploit-windows-smartscreen-flaw-to-drop-darkgate-malware/ +- 
https://web.archive.org/web/20220319032520/https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown +- https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b +- https://learn.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15 +- https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html +- https://learn.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3 +- https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors +- https://strontic.github.io/xcyclopedia/library/mode.com-59D1ED51ACB8C3D50F1306FD75F20E99.html +- https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/ - https://www.packetmischief.ca/2023/07/31/amazon-ec2-credential-exfiltration-how-it-happens-and-how-to-mitigate-it/#lifting-credentials-from-imds-this-is-why-we-cant-have-nice-things -- https://malware.guide/browser-hijacker/remove-onelaunch-virus/ -- https://www.elastic.co/guide/en/security/current/kubernetes-container-created-with-excessive-linux-capabilities.html -- https://tria.ge/240225-jlylpafb24/behavioral1/analog?main_event=Registry&op=SetValueKeyInt -- https://support.google.com/a/answer/9261439 -- https://web.archive.org/web/20230217071802/https://blooteem.com/march-2022 -- https://www.vectra.ai/blog/undermining-microsoft-teams-security-by-mining-tokens +- https://web.archive.org/web/20220830134315/https://content.fireeye.com/apt-41/rpt-apt41/ +- https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension +- https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction +- https://www.sans.org/cyber-security-summit/archives +- 
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/systeminfo - https://www.virustotal.com/gui/file/91e405e8a527023fb8696624e70498ae83660fe6757cef4871ce9bcc659264d3/details -- https://strontic.github.io/xcyclopedia/library/mode.com-59D1ED51ACB8C3D50F1306FD75F20E99.html -- https://any.run/report/6eea2773c1b4b5c6fb7c142933e220c96f9a4ec89055bf0cf54accdcde7df535/a407f006-ee45-420d-b576-f259094df091 -- https://support.microsoft.com/en-us/office/data-security-and-python-in-excel-33cc88a4-4a87-485e-9ff9-f35958278327 -- https://web.archive.org/web/20190508165435/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf +- https://github.com/DrorDvash/CVE-2022-22954_VMware_PoC +- https://support.google.com/a/answer/9261439 +- https://boinc.berkeley.edu/ +- https://www.loobins.io/binaries/xattr/ - https://app.any.run/tasks/fa99cedc-9d2f-4115-a08e-291429ce3692 -- https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction -- https://web.archive.org/web/20221204161143/https://www.glitch-cat.com/p/green-lambert-and-attack -- https://www.cyberciti.biz/faq/linux-remove-user-command/ -- https://learn.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16 -- https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-inbox-forwarding -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#new-owner -- https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/1903/W10_1903_Pro_20200714_18362.959/WEPExplorer/Microsoft-Windows-WindowsUpdateClient.xml +- 
https://web.archive.org/web/20231221193106/https://www.swascan.com/cactus-ransomware-malware-analysis/ +- https://tria.ge/240521-ynezpagf56/behavioral1 +- https://web.archive.org/web/20190508165435/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf +- https://learn.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code +- https://gtfobins.github.io/gtfobins/mawk/#shell +- https://www.loobins.io/binaries/hdiutil/ +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7 +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#new-country +- https://ipurple.team/2024/09/10/browser-stored-credentials/ +- https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html +- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_ProxyByPass +- https://thehackernews.com/2024/03/github-rolls-out-default-secret.html +- https://learn.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=windowsserver2022-ps +- https://learn.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support +- https://www.hexacorn.com/blog/2023/12/31/1-little-known-secret-of-forfiles-exe/ +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183 +- https://www.pwndefend.com/2022/01/07/log4shell-exploitation-and-hunting-on-vmware-horizon-cve-2021-44228/ +- https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/ +- https://hijacklibs.net/entries/microsoft/built-in/mpsvc.html - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-identity-roles.html -- 
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3 -- https://thedfirreport.com/2024/06/10/icedid-brings-screenconnect-and-csharp-streamer-to-alphv-ransomware-deployment/#detections -- https://news.ycombinator.com/item?id=29504755 -- https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/ -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.4 -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8 +- https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/ +- https://adsecurity.org/?p=1785 - https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml -- https://www.qemu.org/docs/master/system/invocation.html#hxtool-5 -- https://www.hexacorn.com/blog/2024/01/01/1-little-known-secret-of-hdwwiz-exe/ -- https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b -- https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/ -- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-activated-too-frequently -- https://www.huntress.com/blog/attacking-mssql-servers +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins +- https://learn.microsoft.com/en-us/windows/win32/msi/event-logging +- https://news.ycombinator.com/item?id=29504755 +- https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash +- https://github.com/ossec/ossec-hids/blob/master/etc/rules/syslog_rules.xml +- https://learn.microsoft.com/en-us/windows/win32/wmisdk/mofcomp +- https://gtfobins.github.io/gtfobins/find/#shell +- 
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage +- https://web.archive.org/web/20220614030603/http://www.powertheshell.com/ntfsstreams/ +- https://isc.sans.edu/diary/Microsoft+BITS+Used+to+Download+Payloads/21027 +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup +- https://web.archive.org/web/20220519091349/https://fatrodzianko.com/2020/02/15/dll-side-loading-appverif-exe/ +- https://www.trustedsec.com/blog/art_of_kerberoast/ +- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#administrators-arent-using-their-privileged-roles +- https://www.vectra.ai/blog/undermining-microsoft-teams-security-by-mining-tokens +- https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys +- https://ipurple.team/2024/07/15/sharphound-detection/ +- https://tria.ge/240731-jh4crsycnb/behavioral2 +- https://medium.com/falconforce/soaphound-tool-to-collect-active-directory-data-via-adws-165aca78288c +- https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_22.12.2023.txt +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#assignment-and-elevation - https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy?view=windowsserver2022-ps -- https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/ -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#impossible-travel +- https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html +- https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis +- https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/ +- 
https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#migration +- https://web.archive.org/web/20221204161143/https://www.glitch-cat.com/p/green-lambert-and-attack +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-inbox-forwarding +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4732 +- https://malware.guide/browser-hijacker/remove-onelaunch-virus/ +- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#there-are-too-many-global-administrators +- https://objective-see.org/blog/blog_0x6D.html +- https://cloud.google.com/blog/topics/threat-intelligence/evolution-of-fin7/ +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult +- https://github.com/antonioCoco/RoguePotato +- https://bazaar.abuse.ch/browse/signature/RaspberryRobin/ +- https://defr0ggy.github.io/research/Utilizing-BTunnel-For-Data-Exfiltration/ +- https://www.tenable.com/security/research/tra-2023-11 +- https://blogs.vmware.com/security/2023/11/jupyter-rising-an-update-on-jupyter-infostealer.html +- https://community.fortinet.com/t5/FortiGate/Technical-Tip-Critical-vulnerability-Protect-against-heap-based/ta-p/239420 +- https://twitter.com/MsftSecIntel/status/1737895710169628824 +- https://confluence.atlassian.com/bitbucketserver/view-and-configure-the-audit-log-776640417.html +- https://learn.microsoft.com/en-us/iis/configuration/system.webserver/httplogging +- https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities +- https://learn.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior +- 
https://portswigger.net/daily-swig/vmware-horizon-under-attack-as-china-based-ransomware-group-targets-log4j-vulnerability +- https://news.sophos.com/en-us/2024/06/05/operation-crimson-palace-a-technical-deep-dive +- https://learn.microsoft.com/en-us/troubleshoot/windows-client/installing-updates-features-roles/system-registry-no-backed-up-regback-folder +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1 +- https://web.archive.org/web/20231230220738/https://www.lunasec.io/docs/blog/log4j-zero-day/ +- https://www.huntress.com/blog/attacking-mssql-servers +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts +- https://gtfobins.github.io/gtfobins/gawk/#shell +- https://web.archive.org/web/20170909091934/https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis +- https://github.com/0xthirteen/SharpMove/ +- https://sensepost.com/blog/2024/dumping-lsa-secrets-a-story-about-task-decorrelation/ +- https://web.archive.org/web/20200601000524/https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/ +- https://www.nextron-systems.com/2024/03/22/unveiling-kamikakabot-malware-analysis/ +- https://learn.microsoft.com/en-us/windows/win32/amsi/how-amsi-helps +- https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708 +- https://www.group-ib.com/resources/threat-research/red-curl-2.html - https://darkatlas.io/blog/medusa-ransomware-group-opsec-failure -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29 -- https://www.deepwatch.com/labs/customer-advisory-fortios-ssl-vpn-vulnerability-cve-2022-42475-exploited-in-the-wild/ -- https://ngrok.com/blog-post/new-ngrok-domains -- 
https://www.cisco.com/c/en/us/td/docs/ios/12_2sr/12_2sra/feature/guide/srmgtint.html#wp1127609 +- https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/ +- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise +- https://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/ +- https://learn.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps +- https://learn.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-procoption-transact-sql?view=sql-server-ver16 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure -- https://learn.microsoft.com/en-us/powershell/high-performance-computing/mpiexec?view=hpc19-ps -- https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/ -- https://docs.microsoft.com/en-us/sql/tools/bcp-utility -- https://gtfobins.github.io/gtfobins/find/#shell -- https://www.welivesecurity.com/2020/03/05/guildma-devil-drives-electric/ -- https://nvd.nist.gov/vuln/detail/CVE-2024-3400 -- https://blogs.vmware.com/security/2023/11/jupyter-rising-an-update-on-jupyter-infostealer.html -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#activity-from-anonymous-ip-address -- https://github.com/forgottentq/powershell/blob/9e616363d497143dc955c4fdce68e5c18d28a6cb/captureWindows-Endpoint.ps1#L13 -- http://www.hexacorn.com/blog/2020/02/05/stay-positive-lolbins-not/ -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anomalous-token -- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#migration -- https://learn.microsoft.com/en-us/windows/win32/msi/event-logging -- 
https://www.anyviewer.com/help/remote-technical-support.html -- https://tria.ge/240226-fhbe7sdc39/behavioral1 -- https://learn.microsoft.com/en-us/azure/dns/dns-zones-records -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913 -- https://github.com/grayhatkiller/SharpExShell -- https://gtfobins.github.io/gtfobins/gcc/#shell -- https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/ -- https://twitter.com/Cryptolaemus1/status/1517634855940632576 -- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted -- https://www.virustotal.com/gui/file/ded20df574b843aaa3c8e977c2040e1498ae17c12924a19868df5b12dee6dfdd -- https://trustedsec.com/blog/specula-turning-outlook-into-a-c2-with-one-registry-change -- https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967 +- https://evasions.checkpoint.com/techniques/macos.html +- https://twitter.com/th3_protoCOL/status/1536788652889497600 +- https://github.com/Ylianst/MeshAgent/blob/52cf129ca43d64743181fbaf940e0b4ddb542a37/modules/win-info.js#L55 +- https://www.elastic.co/guide/en/security/current/kubernetes-container-created-with-excessive-linux-capabilities.html +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#short-lived-accounts +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#new-owner +- https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks +- https://www.agnosticdev.com/content/how-diagnose-app-transport-security-issues-using-nscurl-and-openssl +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#service-principal-assigned-to-a-role - https://learn.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate?view=windowsserver2022-ps -- 
https://www.hexacorn.com/blog/2018/04/24/extexport-yet-another-lolbin/ -- https://www.loobins.io/binaries/xattr/ -- https://github.com/Ylianst/MeshAgent/blob/52cf129ca43d64743181fbaf940e0b4ddb542a37/modules/win-dispatcher.js#L173 -- https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx -- https://gist.github.com/mgeeky/3b11169ab77a7de354f4111aa2f0df38 -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.4 -- https://cloud.google.com/access-context-manager/docs/audit-logging -- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_ProxyByPass -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malicious-ip-address -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create -- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5012 -- https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39 -- https://web.archive.org/web/20230329172447/https://blog.menasec.net/2019/02/threat-hunting-24-microsoft-windows-dns.html +- https://support.microsoft.com/en-us/office/data-security-and-python-in-excel-33cc88a4-4a87-485e-9ff9-f35958278327 +- https://www.group-ib.com/blog/apt41-world-tour-2021/ +- https://www.loobins.io/binaries/nscurl/ +- https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns +- https://www.tarasco.org/security/pwdump_7/ +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5038 - https://learn.microsoft.com/en-us/windows/win32/taskschd/daily-trigger-example--xml- -- http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/ -- https://gtfobins.github.io/gtfobins/c89/#shell +- 
https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/ +- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) +- https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#atypical-travel +- https://learn.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool +- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf +- https://ss64.com/nt/set.html +- https://us-cert.cisa.gov/ncas/alerts/aa21-259a +- https://www.qemu.org/docs/master/system/invocation.html#hxtool-5 +- https://web.archive.org/web/20230409194125/https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html +- https://learn.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v +- https://nored0x.github.io/red-teaming/office-persistence/#what-is-a-wll-file +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4743 +- https://github.com/GhostPack/SharpDPAPI +- https://medium.com/@NullByteWht/hacking-macos-how-to-dump-1password-keepassx-lastpass-passwords-in-plaintext-723c5b1c311b +- https://www.myantispyware.com/2020/12/14/how-to-uninstall-onelaunch-browser-removal-guide/ +- https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/ +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/set_1 +- 
https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967 +- https://thedfirreport.com/2024/01/29/buzzing-on-christmas-eve-trigona-ransomware-in-3-hours/ +- https://www.fortiguard.com/psirt/FG-IR-22-398 +- https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/1903/W10_1903_Pro_20200714_18362.959/WEPExplorer/Microsoft-Windows-WindowsUpdateClient.xml +- https://ngrok.com/blog-post/new-ngrok-domains +- https://app.any.run/tasks/69c5abaa-92ad-45ba-8c53-c11e23e05d04/ +- https://twitter.com/Cryptolaemus1/status/1517634855940632576 +- https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/ +- https://github.com/gentilkiwi/mimikatz +- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/container%20service%20account/ +- https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts - http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/ -- https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/network-provider-settings-removed-in-place-upgrade +- https://www.virustotal.com/gui/file/364275326bbfc4a3b89233dabdaf3230a3d149ab774678342a40644ad9f8d614/details +- https://redcanary.com/blog/threat-detection/process-masquerading/ +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.4 +- https://x.com/_st0pp3r_/status/1742203752361128162?s=20 +- https://learn.microsoft.com/en-us/azure/dns/dns-zones-records +- https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand +- https://securelist.com/key-group-ransomware-samples-and-telegram-schemes/114025/ +- https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/ +- 
https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.4 +- https://adsecurity.org/?p=3513 - http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/ -- https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/ -- https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992 -- https://learn.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps -- https://web.archive.org/web/20220319032520/https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4794 -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#new-country -- https://learn.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6423 -- https://thehackernews.com/2024/03/github-rolls-out-default-secret.html -- https://web.archive.org/web/20200601000524/https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/ +- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted +- https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc +- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings +- https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#core-directory +- 
https://www.welivesecurity.com/2020/03/05/guildma-devil-drives-electric/ +- https://cloud.google.com/blog/topics/threat-intelligence/alphv-ransomware-backup/ +- https://confluence.atlassian.com/bitbucketserver/enable-ssh-access-to-git-repositories-776640358.html +- https://megatools.megous.com/ +- https://blog.morphisec.com/vmware-identity-manager-attack-backdoor +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/chcp +- https://nvd.nist.gov/vuln/detail/CVE-2024-3400 +- https://web.archive.org/web/20210511204621/https://github.com/AlsidOfficial/WSUSpendu - https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/ -- https://github.com/gentilkiwi/mimikatz -- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/List%20K8S%20secrets/ +- https://intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf +- https://www.sans.org/blog/defending-against-scattered-spider-and-the-com-with-cybercrime-intelligence/ +- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide +- https://ss64.com/mac/chflags.html +- https://github.com/search?q=repo%3AHackplayers%2Fevil-winrm++shell.run%28&type=code +- https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/ +- https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins +- https://www.zerodayinitiative.com/blog/2023/4/21/tp-link-wan-side-vulnerability-cve-2023-1389-added-to-the-mirai-botnet-arsenal +- https://www.trendmicro.com/en_no/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html +- https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf +- 
https://www.virustotal.com/gui/file/6bb4cdbaef03b732a93559a58173e7f16b29bfb159a1065fae9185000ff23b4b +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931 +- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#private_repository_forking +- https://goodworkaround.com/2022/02/15/digging-into-azure-ad-certificate-based-authentication/ +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913 +- https://media.defense.gov/2021/Jul/19/2002805003/-1/-1/1/CSA_CHINESE_STATE-SPONSORED_CYBER_TTPS.PDF +- https://web.archive.org/web/20180203014709/https://blog.alsid.eu/dcshadow-explained-4510f52fc19d?gi=c426ac876c48 +- https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/ +- https://www.huntress.com/blog/attacking-mssql-servers-pt-ii +- https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-kubernetes.html#privilegeescalation-kubernetes-privilegedcontainer +- https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/ +- https://asec.ahnlab.com/en/61000/ +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.4 - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-dont-require-multi-factor-authentication-for-activation -- https://web.archive.org/web/20221019044836/https://nsudo.m2team.org/en-us/ +- https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/ +- https://gtfobins.github.io/gtfobins/python/#shell +- https://learn.microsoft.com/en-us/powershell/high-performance-computing/mpiexec?view=hpc19-ps +- 
https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file?view=powershell-7.2 +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/takeown +- https://bazaar.abuse.ch/sample/5cb9876681f78d3ee8a01a5aaa5d38b05ec81edc48b09e3865b75c49a2187831/ +- https://mp.weixin.qq.com/s/wUoBy7ZiqJL2CUOMC-8Wdg +- https://research.ifcr.dk/certipy-4-0-esc9-esc10-bloodhound-gui-new-authentication-and-request-methods-and-more-7237d88061f7 +- https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/ +- https://web.archive.org/web/20190710034152/https://github.com/zerosum0x0/CVE-2019-0708 +- https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ +- https://web.archive.org/web/20231210115125/http://www.xuetr.com/ +- https://tria.ge/240225-jlylpafb24/behavioral1/analog?main_event=Registry&op=SetValueKeyInt +- https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/network-provider-settings-removed-in-place-upgrade +- https://learn.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2022-ps +- https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace +- https://blog.talosintelligence.com/gophish-powerrat-dcrat/ +- https://symantec-enterprise-blogs.security.com/threat-intelligence/harvester-new-apt-attacks-asia - https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/ -- https://ss64.com/osx/sw_vers.html -- https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/ -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc -- https://adsecurity.org/?p=3513 -- https://defr0ggy.github.io/research/Abusing-Cloudflared-A-Proxy-Service-To-Host-Share-Applications/ -- https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/ -- 
https://www.softperfect.com/products/networkscanner/ -- https://web.archive.org/web/20220205033028/https://twitter.com/PythonResponder/status/1385064506049630211 -- https://thedfirreport.com/2024/01/29/buzzing-on-christmas-eve-trigona-ransomware-in-3-hours/ -- https://www.virustotal.com/gui/file/6bb4cdbaef03b732a93559a58173e7f16b29bfb159a1065fae9185000ff23b4b +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-browser - https://tria.ge/231023-lpw85she57/behavioral2 -- https://learn.microsoft.com/en-us/windows/client-management/manage-recall -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78 -- https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks -- https://github.com/FalconForceTeam/FalconFriday/blob/master/Discovery/ADWS_Connection_from_Unexpected_Binary-Win.md -- https://www.pwndefend.com/2022/01/07/log4shell-exploitation-and-hunting-on-vmware-horizon-cve-2021-44228/ -- https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys -- https://adsecurity.org/?p=1785 -- https://confluence.atlassian.com/bitbucketserver/view-and-configure-the-audit-log-776640417.html -- https://tria.ge/231212-r1bpgaefar/behavioral2 -- https://nored0x.github.io/red-teaming/office-persistence/#what-is-a-wll-file -- https://isc.sans.edu/diary/Microsoft+BITS+Used+to+Download+Payloads/21027 -- https://intezer.com/blog/research/how-we-escaped-docker-in-azure-functions/ -- https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/cyberabwehr/2024-02-19-joint-cyber-security-advisory-englisch.pdf?__blob=publicationFile&v=2 -- https://asec.ahnlab.com/en/61000/ -- https://web.archive.org/web/20220614030603/http://www.powertheshell.com/ntfsstreams/ -- https://github.com/Ylianst/MeshAgent/blob/52cf129ca43d64743181fbaf940e0b4ddb542a37/modules/win-info.js#L55 -- 
https://learn.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v
-- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins
-- https://www.elastic.co/guide/en/security/current/potential-non-standard-port-ssh-connection.html
-- https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure#conditional-access
-- https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis
+- https://learn.microsoft.com/en-us/windows/win32/shell/app-registration
+- https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/
 - https://web.archive.org/web/20230929023836/http://powershellhelp.space/commands/set-netfirewallrule-psv5.php
-- https://pentestlab.blog/tag/svchost/
-- https://www.agnosticdev.com/content/how-diagnose-app-transport-security-issues-using-nscurl-and-openssl
-- https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
-- https://gtfobins.github.io/gtfobins/c99/#shell
-- https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/
-- https://sensepost.com/blog/2024/dumping-lsa-secrets-a-story-about-task-decorrelation/
-- https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/
-- https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior
-- https://us-cert.cisa.gov/ncas/alerts/aa21-259a
-- https://unit42.paloaltonetworks.com/chromeloader-malware/
-- https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode
-- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.4
-- https://www.virustotal.com/gui/file/5e75ef02517afd6e8ba6462b19217dc4a5a574abb33d10eb0f2bab49d8d48c22/behavior
-- https://web.archive.org/web/20231221193106/https://www.swascan.com/cactus-ransomware-malware-analysis/
-- https://twitter.com/th3_protoCOL/status/1536788652889497600
-- https://medium.com/falconforce/soaphound-tool-to-collect-active-directory-data-via-adws-165aca78288c
-- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#potential-stale-accounts-in-a-privileged-role
+- http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/
+- https://asec.ahnlab.com/en/40263/
+- http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/
+- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/replace
+- https://securelist.com/network-tunneling-with-qemu/111803/
+- https://learn.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps
 - https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/
-- https://www.fortiguard.com/psirt/FG-IR-22-398
-- https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash
-- https://cloud.google.com/blog/topics/threat-intelligence/alphv-ransomware-backup/
-- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-sign-in
-- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage
-- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue
-- https://labs.withsecure.com/publications/kapeka
-- https://learn.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019
-- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4741
-- https://www.trendmicro.com/en_us/research/18/d/new-macos-backdoor-linked-to-oceanlotus-found.html
-- https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html
-- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7
-- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/assoc
+- https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure#conditional-access
+- https://github.com/CICADA8-Research/RemoteKrbRelay/blob/19ec76ba7aa50c2722b23359bc4541c0a9b2611c/Exploit/RemoteKrbRelay/Relay/Attacks/RemoteRegistry.cs#L31-L40
+- https://learn.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16
+- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4625
 - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
+- https://web.archive.org/web/20210512154016/https://github.com/AlsidOfficial/WSUSpendu/blob/master/WSUSpendu.ps1
+- https://www.securonix.com/blog/seolurker-attack-campaign-uses-seo-poisoning-fake-google-ads-to-install-malware/
+- https://twitter.com/Max_Mal_/status/1775222576639291859
+- https://www.malwarebytes.com/blog/detections/pum-optional-nodispbackgroundpage
+- https://docs.microsoft.com/en-us/sql/tools/bcp-utility
+- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac
+- https://github.com/wietze/HijackLibs/tree/dc9c9f2f94e6872051dab58fbafb043fdd8b4176/yml/3rd_party/python
+- https://www.cve.org/CVERecord?id=CVE-2024-1709
+- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery
+- https://app.any.run/tasks/25970bb5-f864-4e9e-9e1b-cc8ff9e6386a
+- https://web.archive.org/web/20230329172447/https://blog.menasec.net/2019/02/threat-hunting-24-microsoft-windows-dns.html
+- https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/
+- https://research.nccgroup.com/2018/11/22/turla-png-dropper-is-back/
+- https://web.archive.org/web/20200530031906/https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/
+- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78
+- https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer
+- https://web.archive.org/web/20180718061628/https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2
+- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4706
+- https://gtfobins.github.io/gtfobins/flock/#shell
+- https://ss64.com/osx/sw_vers.html
+- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11)
+- https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/
+- https://learn.microsoft.com/en-us/windows/package-manager/winget/install#local-install
+- https://github.com/CICADA8-Research/RemoteKrbRelay
+- https://learn.microsoft.com/en-us/windows/win32/adschema/attributes-all
+- https://www.trustedsec.com/blog/critical-vulnerability-in-progress-moveit-transfer-technical-analysis-and-recommendations/
+- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#things-to-monitor
+- https://www.deepwatch.com/labs/customer-advisory-fortios-ssl-vpn-vulnerability-cve-2022-42475-exploited-in-the-wild/
+- https://securityintelligence.com/x-force/x-force-hive0129-targeting-financial-institutions-latam-banking-trojan/
+- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Delete%20K8S%20events/
+- https://www.anyviewer.com/help/remote-technical-support.html
+- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4647
+- http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/
+- https://gist.github.com/MHaggis/7e67b659af9148fa593cf2402edebb41
+- https://us-cert.cisa.gov/ncas/alerts/aa21-008a
+- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32
+- https://docs.github.com/en/repositories/creating-and-managing-repositories/transferring-a-repository
+- https://dear-territory-023.notion.site/WebDav-Share-Testing-e4950fa0c00149c3aa430d779b9b1d0f?pvs=4
+- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/assoc
+- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_UNCAsIntranet
+- https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response
+- https://gtfobins.github.io/gtfobins/env/#shell
+- https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html
+- https://blog.talosintelligence.com/uat-5647-romcom/
+- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
+- https://trustedsec.com/blog/specula-turning-outlook-into-a-c2-with-one-registry-change
+- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9
+- https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992
+- https://trustedsec.com/blog/oops-i-udld-it-again
+- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_IncludeUnspecifiedLocalSites
+- https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior
+- https://defr0ggy.github.io/research/Abusing-Cloudflared-A-Proxy-Service-To-Host-Share-Applications/
+- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services
+- https://web.archive.org/web/20230217071802/https://blooteem.com/march-2022
diff --git a/tests/rule-references.txt b/tests/rule-references.txt
index 65c2fa05e8c..c0d417d3a2b 100644
--- a/tests/rule-references.txt
+++ b/tests/rule-references.txt
@@ -3824,3 +3824,21 @@ https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/se
 https://anydesk.com/en/changelog/windows
 https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-0-16-1-scheduled-task-execution-at-scale-via-gpo.html
 https://www.virustotal.com/gui/file/b4b1fc65f87b3dcfa35e2dbe8e0a34ad9d8a400bec332025c0a2e200671038aa/behavior
+https://cybersecuritynews.com/rhysida-ransomware-attacking-windows/
+https://pentestlab.blog/tag/svchost/
+https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6281
+https://github.com/FalconForceTeam/FalconFriday/blob/master/Discovery/ADWS_Connection_from_Unexpected_Binary-Win.md
+https://github.com/MichaelGrafnetter/DSInternals/blob/39ee8a69bbdc1cfd12c9afdd7513b4788c4895d4/Src/DSInternals.PowerShell/DSInternals.psd1
+https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-delete
+https://ss64.com/nt/shell.html
+https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8
+https://learn.microsoft.com/en-us/iis/get-started/introduction-to-iis/iis-modules-overview
+https://www.logpoint.com/en/blog/shenanigans-of-scheduled-tasks/
+https://decoded.avast.io/threatintel/apt-treasure-trove-avast-suspects-chinese-apt-group-mustang-panda-is-collecting-data-from-burmese-government-agencies-and-opposition-groups/
+https://twitter.com/0gtweet/status/1720419490519752955
+https://asec.ahnlab.com/en/78944/
+https://research.splunk.com/endpoint/10399c1e-f51e-11eb-b920-acde48001122/
+https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf
+https://www.sentinelone.com/blog/detecting-dsrm-account-misconfigurations/
+https://github.com/forgottentq/powershell/blob/9e616363d497143dc955c4fdce68e5c18d28a6cb/captureWindows-Endpoint.ps1#L13
+https://learn.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa