deploy: 8bfd957

frack113 · May 20, 2024 · 0021de0 · 0021de0
1 parent ff84123
commit 0021de0
Show file tree

Hide file tree

Showing 7 changed files with 48 additions and 10 deletions.
diff --git a/index.md b/index.md
@@ -2065,7 +2065,7 @@ Caution: a test can generate a lot of noise...
 
 [Use PsExec to execute a command on a remote host](tests/873106b7-cfed-454b-8680-fa9f6400431c.md) ['windows'] (sigma rule :heavy_check_mark:)
 
-[Modifying ACL of Service Control Manager via SDET](tests/bf07f520-3909-4ef5-aa22-877a50f2f77b.md) ['windows'] (sigma rule :x:)
+[Modifying ACL of Service Control Manager via SDET](tests/bf07f520-3909-4ef5-aa22-877a50f2f77b.md) ['windows'] (sigma rule :heavy_check_mark:)
 
 [Execute a Command as a Service](tests/2382dee2-a75f-49aa-9378-f52df6ed3fb1.md) ['windows'] (sigma rule :heavy_check_mark:)
 
@@ -2461,7 +2461,7 @@ Caution: a test can generate a lot of noise...
 ### T1546.008
 [Create Symbolic Link From osk.exe to cmd.exe](tests/51ef369c-5e87-4f33-88cd-6d61be63edf2.md) ['windows'] (sigma rule :heavy_check_mark:)
 
-[Atbroker.exe (AT) Executes Arbitrary Command via Registry Key](tests/444ff124-4c83-4e28-8df6-6efd3ece6bd4.md) ['windows'] (sigma rule :x:)
+[Atbroker.exe (AT) Executes Arbitrary Command via Registry Key](tests/444ff124-4c83-4e28-8df6-6efd3ece6bd4.md) ['windows'] (sigma rule :heavy_check_mark:)
 
 [Replace binary of sticky keys](tests/934e90cf-29ca-48b3-863c-411737ad44e3.md) ['windows'] (sigma rule :heavy_check_mark:)
 
@@ -3183,9 +3183,9 @@ Caution: a test can generate a lot of noise...
 
 
 ### T1505.005
-[Modify Terminal Services DLL Path](tests/18136e38-0530-49b2-b309-eed173787471.md) ['windows'] (sigma rule :x:)
+[Modify Terminal Services DLL Path](tests/18136e38-0530-49b2-b309-eed173787471.md) ['windows'] (sigma rule :heavy_check_mark:)
 
-[Simulate Patching termsrv.dll](tests/0b2eadeb-4a64-4449-9d43-3d999f4a317b.md) ['windows'] (sigma rule :x:)
+[Simulate Patching termsrv.dll](tests/0b2eadeb-4a64-4449-9d43-3d999f4a317b.md) ['windows'] (sigma rule :heavy_check_mark:)
 
 
 ### T1571
@@ -3705,7 +3705,7 @@ Caution: a test can generate a lot of noise...
 
 
 ### T1547.012
-[Print Processors](tests/f7d38f47-c61b-47cc-a59d-fc0368f47ed0.md) ['windows'] (sigma rule :x:)
+[Print Processors](tests/f7d38f47-c61b-47cc-a59d-fc0368f47ed0.md) ['windows'] (sigma rule :heavy_check_mark:)
 
 
 ### T1552

diff --git a/index2.md b/index2.md
@@ -157,6 +157,7 @@
   * T1055.012 [RunPE via VBA](tests/3ad4a037-1598-4136-837c-4027e4fa319b.md)
 * file_event_win_powershell_drop_binary_or_script.yml
   * T1176 [Google Chrome Load Unpacked Extension With Command Line](tests/7a714703-9f6b-461c-b06d-e6aeac650f27.md)
+  * T1505.005 [Simulate Patching termsrv.dll](tests/0b2eadeb-4a64-4449-9d43-3d999f4a317b.md)
 * file_event_win_powershell_exploit_scripts.yml
   * T1558.003 [WinPwn - Kerberoasting](tests/78d10e20-c874-45f2-a9df-6fea0120ec27.md)
   * T1552.001 [WinPwn - SessionGopher](tests/c9dc9de3-f961-4284-bd2d-f959c9f9fda5.md)
@@ -2274,6 +2275,8 @@
   * T1036.004 [Creating W32Time similar named service using schtasks](tests/f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9.md)
 * proc_creation_win_at_interactive_execution.yml
   * T1053.002 [At.exe Scheduled task](tests/4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8.md)
+* proc_creation_win_atbroker_uncommon_ats_execution.yml
+  * T1546.008 [Atbroker.exe (AT) Executes Arbitrary Command via Registry Key](tests/444ff124-4c83-4e28-8df6-6efd3ece6bd4.md)
 * proc_creation_win_attrib_hiding_files.yml
   * T1222.001 [attrib - hide file](tests/32b979da-7b68-42c9-9a99-0e39900fc36c.md)
   * T1564.001 [Create Windows Hidden File with Attrib](tests/dadb792e-4358-4d8d-9207-b771faa0daa5.md)
@@ -3080,6 +3083,9 @@
   * T1003.002 [dump volume shadow copy hives with System.IO.File](tests/9d77fed7-05f8-476e-a81b-8ff0472c64d0.md)
 * proc_creation_win_powershell_script_engine_parent.yml
   * T1216 [SyncAppvPublishingServer Signed Script PowerShell Command Execution](tests/275d963d-3f36-476c-8bef-a2a3960ee6eb.md)
+* proc_creation_win_powershell_set_acl.yml
+  * T1505.005 [Modify Terminal Services DLL Path](tests/18136e38-0530-49b2-b309-eed173787471.md)
+  * T1505.005 [Simulate Patching termsrv.dll](tests/0b2eadeb-4a64-4449-9d43-3d999f4a317b.md)
 * proc_creation_win_powershell_set_policies_to_unsecure_level.yml
   * T1216 [SyncAppvPublishingServer Signed Script PowerShell Command Execution](tests/275d963d-3f36-476c-8bef-a2a3960ee6eb.md)
   * T1112 [Change Powershell Execution Policy to Bypass](tests/f3a6cceb-06c9-48e5-8df8-8867a6814245.md)
@@ -3395,10 +3401,14 @@
   * T1562.001 [Tamper with Windows Defender Command Prompt](tests/aa875ed4-8935-47e2-b2c5-6ec00ab220d2.md)
   * T1119 [Recon information for export with Command Prompt](tests/aa1180e2-f329-4e1e-8625-2472ec0bfaf3.md)
   * T1007 [System Service Discovery](tests/89676ba1-b1f8-47ee-b940-2e1a113ebc71.md)
+* proc_creation_win_sc_sdset_allow_service_changes.yml
+  * T1569.002 [Modifying ACL of Service Control Manager via SDET](tests/bf07f520-3909-4ef5-aa22-877a50f2f77b.md)
 * proc_creation_win_sc_sdset_deny_service_access.yml
   * T1564 [Create and Hide a Service with sc.exe](tests/333c7de0-6fbe-42aa-ac2b-c7e40b18246a.md)
 * proc_creation_win_sc_sdset_hide_sevices.yml
   * T1564 [Create and Hide a Service with sc.exe](tests/333c7de0-6fbe-42aa-ac2b-c7e40b18246a.md)
+* proc_creation_win_sc_sdset_modification.yml
+  * T1569.002 [Modifying ACL of Service Control Manager via SDET](tests/bf07f520-3909-4ef5-aa22-877a50f2f77b.md)
 * proc_creation_win_sc_service_path_modification.yml
   * T1543.003 [Modify Fax service to run PowerShell](tests/ed366cde-7d12-49df-a833-671904770b9f.md)
 * proc_creation_win_sc_service_tamper_for_persistence.yml
@@ -3483,6 +3493,7 @@
   * T1036.003 [Malicious process Masquerading as LSM.exe](tests/83810c46-f45e-4485-9ab6-8ed0e9e6ed7f.md)
   * T1003.003 [Copy NTDS.dit from Volume Shadow Copy](tests/c6237146-9ea6-4711-85c9-c56d263a6b03.md)
   * T1036.003 [Masquerading as Windows LSASS process](tests/5ba5a3d1-cf3c-4499-968a-a93155d1f717.md)
+  * T1505.005 [Simulate Patching termsrv.dll](tests/0b2eadeb-4a64-4449-9d43-3d999f4a317b.md)
   * T1140 [Certutil Rename and Decode](tests/71abc534-3c05-4d0c-80f7-cbe93cb2aa94.md)
   * T1105 [MAZE Propagation Script](tests/70f4d07c-5c3e-4d53-bb0a-cdf3ada14baf.md)
   * T1546.008 [Replace binary of sticky keys](tests/934e90cf-29ca-48b3-863c-411737ad44e3.md)
@@ -3950,6 +3961,8 @@
   * T1547.005 [Modify HKLM:\System\CurrentControlSet\Control\Lsa Security Support Provider configuration in registry](tests/afdfd7e3-8a0b-409f-85f7-886fdf249c9e.md)
 * registry_event_stickykey_like_backdoor.yml
   * T1546.008 [Attaches Command Prompt as a Debugger to a List of Target Processes](tests/3309f53e-b22b-4eb6-8fd2-a6cf58b355a9.md)
+* registry_event_susp_atbroker_change.yml
+  * T1546.008 [Atbroker.exe (AT) Executes Arbitrary Command via Registry Key](tests/444ff124-4c83-4e28-8df6-6efd3ece6bd4.md)
 * registry_event_susp_lsass_dll_load.yml
   * T1547.008 [Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt](tests/8ecef16d-d289-46b4-917b-0dba6dc81cf1.md)
 * registry_event_susp_mic_cam_access.yml
@@ -3961,6 +3974,7 @@
   * T1112 [Windows Add Registry Value to Load Service in Safe Mode without Network](tests/1dd59fb3-1cb3-4828-805d-cf80b4c3bbb5.md)
 * registry_set_add_port_monitor.yml
   * T1547.010 [Add Port Monitor persistence in Registry](tests/d34ef297-f178-4462-871e-9ce618d44e50.md)
+  * T1547.012 [Print Processors](tests/f7d38f47-c61b-47cc-a59d-fc0368f47ed0.md)
 * registry_set_allow_rdp_remote_assistance_feature.yml
   * T1112 [Allow RDP Remote Assistance Feature](tests/86677d0e-0b5e-4a2b-b302-454175f9aa9e.md)
 * registry_set_amsi_com_hijack.yml
@@ -4132,6 +4146,7 @@
   * T1562.001 [Kill antimalware protected processes using Backstab](tests/24a12b91-05a7-4deb-8d7f-035fa98591bc.md)
 * registry_set_servicedll_hijack.yml
   * T1543.003 [TinyTurla backdoor service w64time](tests/ef0581fd-528e-4662-87bc-4c2affb86940.md)
+  * T1505.005 [Modify Terminal Services DLL Path](tests/18136e38-0530-49b2-b309-eed173787471.md)
 * registry_set_set_nopolicies_user.yml
   * T1112 [Activate Windows NoSetTaskbar Group Policy Feature](tests/d29b7faf-7355-4036-9ed3-719bd17951ed.md)
   * T1112 [Activate Windows NoClose Group Policy Feature](tests/12f50e15-dbc6-478b-a801-a746e8ba1723.md)
@@ -4159,6 +4174,7 @@
   * T1112 [Mimic Ransomware - Allow Multiple RDP Sessions per User](tests/35727d9e-7a7f-4d0c-a259-dc3906d6e8b9.md)
 * registry_set_terminal_server_tampering.yml
   * T1078.001 [Enable Guest account with RDP capability and admin privileges](tests/99747561-ed8d-47f2-9c91-1e5fde1ed6e0.md)
+  * T1505.005 [Modify Terminal Services DLL Path](tests/18136e38-0530-49b2-b309-eed173787471.md)
 * registry_set_timeproviders_dllname.yml
   * T1547.003 [Edit an existing time provider](tests/29e0afca-8d1d-471a-8d34-25512fc48315.md)
   * T1547.003 [Create a new time provider](tests/df1efab7-bc6d-4b88-8be9-91f55ae017aa.md)

diff --git a/tests/0b2eadeb-4a64-4449-9d43-3d999f4a317b.md b/tests/0b2eadeb-4a64-4449-9d43-3d999f4a317b.md
@@ -1,7 +1,7 @@
 
 [back](../index.md)
 
-Find sigma rule :x: 
+Find sigma rule :heavy_check_mark: 
 
 # Attack: Server Software Component: Terminal Services DLL 
 
@@ -34,6 +34,12 @@ Before we can make the modifications we need to take ownership of the file and g
 powershell
 
 # Sigma Rule
+ - proc_creation_win_susp_copy_system_dir.yml (id: fff9d2b7-e11c-4a69-93d3-40ef66189767)
+
+ - proc_creation_win_powershell_set_acl.yml (id: bdeb2cff-af74-4094-8426-724dc937f20a)
+
+ - file_event_win_powershell_drop_binary_or_script.yml (id: 7047d730-036f-4f40-b9d8-1c63e36d5e62)
+
 
 
 [back](../index.md)
diff --git a/tests/18136e38-0530-49b2-b309-eed173787471.md b/tests/18136e38-0530-49b2-b309-eed173787471.md
@@ -1,7 +1,7 @@
 
 [back](../index.md)
 
-Find sigma rule :x: 
+Find sigma rule :heavy_check_mark: 
 
 # Attack: Server Software Component: Terminal Services DLL 
 
@@ -32,6 +32,12 @@ This atomic test simulates the modification of the ServiceDll value in HKLM\Syst
 powershell
 
 # Sigma Rule
+ - proc_creation_win_powershell_set_acl.yml (id: bdeb2cff-af74-4094-8426-724dc937f20a)
+
+ - registry_set_terminal_server_tampering.yml (id: 3f6b7b62-61aa-45db-96bd-9c31b36b653c)
+
+ - registry_set_servicedll_hijack.yml (id: 612e47e9-8a59-43a6-b404-f48683f45bd6)
+
 
 
 [back](../index.md)
diff --git a/tests/444ff124-4c83-4e28-8df6-6efd3ece6bd4.md b/tests/444ff124-4c83-4e28-8df6-6efd3ece6bd4.md
@@ -1,7 +1,7 @@
 
 [back](../index.md)
 
-Find sigma rule :x: 
+Find sigma rule :heavy_check_mark: 
 
 # Attack: Event Triggered Execution: Accessibility Features 
 
@@ -44,6 +44,10 @@ Executes code specified in the registry for a new AT (Assistive Technologies).
 command_prompt
 
 # Sigma Rule
+ - registry_event_susp_atbroker_change.yml (id: 9577edbb-851f-4243-8c91-1d5b50c1a39b)
+
+ - proc_creation_win_atbroker_uncommon_ats_execution.yml (id: f24bcaea-0cd1-11eb-adc1-0242ac120002)
+
 
 
 [back](../index.md)
diff --git a/tests/bf07f520-3909-4ef5-aa22-877a50f2f77b.md b/tests/bf07f520-3909-4ef5-aa22-877a50f2f77b.md
@@ -1,7 +1,7 @@
 
 [back](../index.md)
 
-Find sigma rule :x: 
+Find sigma rule :heavy_check_mark: 
 
 # Attack: System Services: Service Execution 
 
@@ -34,6 +34,10 @@ Modify permissions of Service Control Manager via SDSET. This allows any adminis
 command_prompt
 
 # Sigma Rule
+ - proc_creation_win_sc_sdset_allow_service_changes.yml (id: 6c8fbee5-dee8-49bc-851d-c3142d02aa47)
+
+ - proc_creation_win_sc_sdset_modification.yml (id: 98c5aeef-32d5-492f-b174-64a691896d25)
+
 
 
 [back](../index.md)
diff --git a/tests/f7d38f47-c61b-47cc-a59d-fc0368f47ed0.md b/tests/f7d38f47-c61b-47cc-a59d-fc0368f47ed0.md
@@ -1,7 +1,7 @@
 
 [back](../index.md)
 
-Find sigma rule :x: 
+Find sigma rule :heavy_check_mark: 
 
 # Attack: Boot or Logon Autostart Execution: Print Processors 
 
@@ -41,6 +41,8 @@ The payload source code is based on a blog post by stmxcsr: [https://stmxcsr.com
 powershell
 
 # Sigma Rule
+ - registry_set_add_port_monitor.yml (id: 944e8941-f6f6-4ee8-ac05-1c224e923c0e)
+
 
 
 [back](../index.md)