| sigma |
gcp_bucket_modified_or_deleted.yml |
- storage.buckets.patch |
DRL 1.0 |
| sigma |
gcp_dns_zone_modified_or_deleted.yml |
- Dns.ManagedZones.Patch |
DRL 1.0 |
| sigma |
gcp_firewall_rule_modified_or_deleted.yml |
- v*.Compute.Firewalls.Patch |
DRL 1.0 |
| sigma |
gcp_full_network_traffic_packet_capture.yml |
- v*.Compute.PacketMirrorings.Patch |
DRL 1.0 |
| sigma |
gcp_kubernetes_admission_controller.yml |
- patch |
DRL 1.0 |
| sigma |
gcp_kubernetes_rolebinding.yml |
- io.k8s.authorization.rbac.v*.clusterrolebindings.patch |
DRL 1.0 |
| sigma |
gcp_kubernetes_rolebinding.yml |
- io.k8s.authorization.rbac.v*.rolebindings.patch |
DRL 1.0 |
| sigma |
gcp_kubernetes_secrets_modified_or_deleted.yml |
- io.k8s.core.v*.secrets.patch |
DRL 1.0 |
| sigma |
gcp_service_account_modified.yml |
- .serviceAccounts.patch |
DRL 1.0 |
| sigma |
proc_creation_win_termserv_proc_spawn.yml |
- https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/rdp-stands-for-really-do-patch-understanding-the-wormable-rdp-vulnerability-cve-2019-0708/ |
DRL 1.0 |
| LOLBAS |
Bginfo.yml |
Description: This style of execution may not longer work due to patch. |
|
| malware-ioc |
misp-dukes-operation-ghost-event.json |
"description": "Windows systems have hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions. Example network shares include <code>C$</code>, <code>ADMIN$</code>, and <code>IPC$</code>. \n\nAdversaries may use this technique in conjunction with administrator-level [Valid Accounts](https://attack.mitre.org/techniques/T1078) to remotely access a networked system over server message block (SMB) (Citation: Wikipedia SMB) to interact with systems using remote procedure calls (RPCs), (Citation: TechNet RPC) transfer files, and run transferred binaries through remote Execution. Example execution techniques that rely on authenticated sessions over SMB/RPC are [Scheduled Task](https://attack.mitre.org/techniques/T1053), [Service Execution](https://attack.mitre.org/techniques/T1035), and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047). Adversaries can also use NTLM hashes to access administrator shares on systems with [Pass the Hash](https://attack.mitre.org/techniques/T1075) and certain configuration and patch levels. (Citation: Microsoft Admin Shares)\n\nThe [Net](https://attack.mitre.org/software/S0039) utility can be used to connect to Windows admin shares on remote systems using <code>net use</code> commands with valid credentials. (Citation: Technet Net Use)", |
© ESET 2014-2018 |
| malware-ioc |
keydnap |
A patch for UPX to unpack the samples is provided here: |
© ESET 2014-2018 |
| malware-ioc |
keydnap |
https://github.com/eset/malware-research/blob/master/keydnap/keydnap_upx.patch |
© ESET 2014-2018 |
| malware-ioc |
misp-kryptocibule.json |
"value": "magnet:?xt=urn:btih:ty3nlty4wdouzzatdmnjd3p64odxlkus&dn=Photo Supreme 4.3.2.1920 + x64 + patch - Crackingpatching.zip&xl=70934596&fc=1", |
© ESET 2014-2018 |
| malware-ioc |
misp-kryptocibule.json |
"value": "magnet:?xt=urn:btih:ozb6szbtms5hsqi2vdijs4hc7dgy3ss2&dn=Aiseesoft Video Converter Ultimate 9.2.60 + Portable + patch - Crackingpatching.zip&xl=128497026&fc=1", |
© ESET 2014-2018 |
| malware-ioc |
misp-kryptocibule.json |
"value": "magnet:?xt=urn:btih:cf2h5zsx26ff3j5dhrildejodhedukar&dn=Aiseesoft FoneLab 9.1.82 + patch - Crackingpatching.zip&xl=70973015&fc=1", |
© ESET 2014-2018 |
| malware-ioc |
misp-kryptocibule.json |
"value": "magnet:?xt=urn:btih:eutba6opydl3zj4gmzt2asurlvtwzdlo&dn=Awesome Miner Ultimate Plus 6.1.6 + Activation (licence-key-patch).zip&xl=109403625&fc=1", |
© ESET 2014-2018 |
| malware-ioc |
misp-kryptocibule.json |
"value": "magnet:?xt=urn:btih:w6m7jlh757iecyl6efsccku2oyradqnb&dn=4K YouTube to MP3 3.4.0.1964 + x64 + patch - Crackingpatching.zip&xl=40491417&fc=1", |
© ESET 2014-2018 |
| malware-ioc |
nouns.txt |
patch |
© ESET 2014-2018 |
| malware-ioc |
kryptocibule |
\|magnet[:]?xt=urn[:]btih[:]ty3nlty4wdouzzatdmnjd3p64odxlkus&dn=Photo Supreme 4.3.2.1920 + x64 + patch - Crackingpatching.zip&xl=70934596&fc=1\| - |
© ESET 2014-2018 |
| malware-ioc |
kryptocibule |
\|magnet[:]?xt=urn[:]btih[:]ozb6szbtms5hsqi2vdijs4hc7dgy3ss2&dn=Aiseesoft Video Converter Ultimate 9.2.60 + Portable + patch - Crackingpatching.zip&xl=128497026&fc=1\| - |
© ESET 2014-2018 |
| malware-ioc |
kryptocibule |
\|magnet[:]?xt=urn[:]btih[:]cf2h5zsx26ff3j5dhrildejodhedukar&dn=Aiseesoft FoneLab 9.1.82 + patch - Crackingpatching.zip&xl=70973015&fc=1\| - |
© ESET 2014-2018 |
| malware-ioc |
kryptocibule |
\|magnet[:]?xt=urn[:]btih[:]eutba6opydl3zj4gmzt2asurlvtwzdlo&dn=Awesome Miner Ultimate Plus 6.1.6 + Activation (licence-key-patch).zip&xl=109403625&fc=1\| - |
© ESET 2014-2018 |
| malware-ioc |
kryptocibule |
\|magnet[:]?xt=urn[:]btih[:]w6m7jlh757iecyl6efsccku2oyradqnb&dn=4K YouTube to MP3 3.4.0.1964 + x64 + patch - Crackingpatching.zip&xl=40491417&fc=1\| - |
© ESET 2014-2018 |
| malware-ioc |
oceanlotus-rtf_ocx_campaigns.misp.event.json |
"description": "Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in Persistence and Execution.\n\nAccess to specific areas of the Registry depends on account permissions, some requiring administrator-level access. The built-in Windows command-line utility Reg may be used for local or remote Registry modification. (Citation: Microsoft Reg) Other tools may also be used, such as a remote access tool, which may contain functionality to interact with the Registry through the Windows API (see examples).\n\nThe Registry of a remote system may be modified to aid in execution of files as part of Lateral Movement. It requires the remote Registry service to be running on the target system. (Citation: Microsoft Remote) Often Valid Accounts are required, along with access to the remote system's Windows Admin Shares for RPC communication.\n\nDetection: Modifications to the Registry are normal and occur throughout typical use of the Windows operating system. Changes to Registry entries that load software on Windows startup that do not correlate with known software, patch cycles, etc., are suspicious, as are additions or changes to files within the startup folder. Changes could also include new services and modification of existing binary paths to point to malicious files. If a change to a service-related entry occurs, then it will likely be followed by a local or remote service start or restart to execute the file.\n\nMonitor processes and command-line arguments for actions that could be taken to change or delete information in the Registry. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell, which may require additional logging features to be configured in the operating system to collect necessary information for analysis.\n\nPlatforms: Windows\n\nData Sources: Windows Registry, File monitoring, Process monitoring, Process command-line parameters\n\nDefense Bypassed: Host forensic analysis\n\nPermissions Required: User, Administrator, SYSTEM\n\nContributors: Bartosz Jerzman, Travis Smith, Tripwire", |
© ESET 2014-2018 |
| malware-ioc |
oceanlotus-rtf_ocx_campaigns.misp.event.json |
"description": "When operating systems boot up, they can start programs or applications called services that perform background system functions. (Citation: TechNet Services) A service's configuration information, including the file path to the service's executable, is stored in the Windows Registry. \n\nAdversaries may install a new service that can be configured to execute at startup by using utilities to interact with services or by directly modifying the Registry. The service name may be disguised by using a name from a related operating system or benign software with Masquerading. Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM. Adversaries may also directly start services through Service Execution.\n\nDetection: Monitor service creation through changes in the Registry and common utilities using command-line invocation. New, benign services may be created during installation of new software. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.\n\nTools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence. (Citation: TechNet Autoruns) Look for changes to services that do not correlate with known software, patch cycles, etc. Suspicious program execution through services may show up as outlier processes that have not been seen before when compared against historical data.\n\nMonitor processes and command-line arguments for actions that could create services. Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. Services may also be created through Windows system management tools such as Windows Management Instrumentation and PowerShell, so additional logging may need to be configured to gather the appropriate data.\n\nPlatforms: Windows\n\nData Sources: Windows Registry, Process monitoring, Process command-line parameters\n\nEffective Permissions: SYSTEM\n\nPermissions Required: Administrator, SYSTEM", |
© ESET 2014-2018 |
| malware-ioc |
oceanlotus-rtf_ocx_campaigns.misp.event.json |
"description": "Adding an entry to the \"run keys\" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. (Citation: Microsoft Run Key) The program will be executed under the context of the user and will have the account's associated permissions level.\n\nAdversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use Masquerading to make the Registry entries look as if they are associated with legitimate programs.\n\nDetection: Monitor Registry for changes to run keys that do not correlate with known software, patch cycles, etc. Monitor the start folder for additions or changes. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing the run keys' Registry locations and startup folders. (Citation: TechNet Autoruns) Suspicious program execution as startup programs may show up as outlier processes that have not been seen before when compared against historical data.\n\nChanges to these locations typically happen under normal conditions when legitimate software is installed. To increase confidence of malicious activity, data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.\n\nPlatforms: Windows\n\nData Sources: Windows Registry, File monitoring\n\nPermissions Required: User, Administrator", |
© ESET 2014-2018 |
| malware-ioc |
oceanlotus-rtf_ocx_campaigns.misp.event.json |
"description": "Utilities such as at and schtasks, along with the Windows Task Scheduler, can be used to schedule programs or scripts to be executed at a date and time. A task can also be scheduled on a remote system, provided the proper authentication is met to use RPC and file and printer sharing is turned on. Scheduling a task on a remote system typically required being a member of the Administrators group on the the remote system. (Citation: TechNet Task Scheduler Security)\n\nAn adversary may use task scheduling to execute programs at system startup or on a scheduled basis for persistence, to conduct remote Execution as part of Lateral Movement, to gain SYSTEM privileges, or to run a process under the context of a specified account.\n\nDetection: Monitor scheduled task creation from common utilities using command-line invocation. Legitimate scheduled tasks may be created during installation of new software or through system administration functions. Monitor process execution from the <code>svchost.exe<\/code> in Windows 10 and the Windows Task Scheduler <code>taskeng.exe<\/code> for older versions of Windows. (Citation: Twitter Leoloobeek Scheduled Task) If scheduled tasks are not used for persistence, then the adversary is likely to remove the task when the action is complete. Monitor Windows Task Scheduler stores in <code>%systemroot%\\System32\\Tasks<\/code> for change entries related to scheduled tasks that do not correlate with known software, patch cycles, etc. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.\n\nConfigure event logging for scheduled task creation and changes by enabling the \"Microsoft-Windows-TaskScheduler\/Operational\" setting within the event logging service. (Citation: TechNet Forum Scheduled Task Operational Setting) Several events will then be logged on scheduled task activity, including: (Citation: TechNet Scheduled Task Events)\n\n*Event ID 106 - Scheduled task registered\n*Event ID 140 - Scheduled task updated\n*Event ID 141 - Scheduled task removed\n\nTools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current scheduled tasks. (Citation: TechNet Autoruns) Look for changes to tasks that do not correlate with known software, patch cycles, etc. Suspicious program execution through scheduled tasks may show up as outlier processes that have not been seen before when compared against historical data.\n\nMonitor processes and command-line arguments for actions that could be taken to create tasks. Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. Tasks may also be created through Windows system management tools such as Windows Management Instrumentation and PowerShell, so additional logging may need to be configured to gather the appropriate data.\n\nPlatforms: Windows\n\nData Sources: File monitoring, Process command-line parameters, Process monitoring, Windows event logs\n\nEffective Permissions: Administrator, SYSTEM, User\n\nPermissions Required: Administrator, SYSTEM, User\n\nRemote Support: Yes\n\nContributors: Travis Smith, Tripwire, Leo Loobeek, @leoloobeek, Alain Homewood, Insomnia Security", |
© ESET 2014-2018 |
| malware-ioc |
oceanlotus-rtf_ocx_campaigns.misp.event.json |
"description": "Adversaries may execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager. This can be done by either creating a new service or modifying an existing service. This technique is the execution used in conjunction with New Service and Modify Existing Service during service persistence or privilege escalation.\n\nDetection: Changes to service Registry entries and command-line invocation of tools capable of modifying services that do not correlate with known software, patch cycles, etc., may be suspicious. If a service is used only to execute a binary or script and not to persist, then it will likely be changed back to its original form shortly after the service is restarted so the service is not left broken, as is the case with the common administrator tool PsExec.\n\nPlatforms: Windows\n\nData Sources: Windows Registry, Process command-line parameters, Process monitoring\n\nPermissions Required: Administrator, SYSTEM\n\nRemote Support: Yes", |
© ESET 2014-2018 |
| atomic-red-team |
index.md |
- T1601.001 Patch System Image CONTRIBUTE A TEST |
MIT License. © 2018 Red Canary |
| atomic-red-team |
linux-index.md |
- T1601.001 Patch System Image CONTRIBUTE A TEST |
MIT License. © 2018 Red Canary |
| atomic-red-team |
linux-matrix.md |
| | | Unix Shell Configuration Modification | | Patch System Image CONTRIBUTE A TEST | | | | | | | | |
MIT License. © 2018 Red Canary |
| atomic-red-team |
matrix.md |
| | | TFTP Boot CONTRIBUTE A TEST | | Patch System Image CONTRIBUTE A TEST | | | | | | | | |
MIT License. © 2018 Red Canary |
| atomic-red-team |
T1021.002.md |
Windows systems have hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions. Example network shares include C$, ADMIN$, and IPC$. Adversaries may use this technique in conjunction with administrator-level Valid Accounts to remotely access a networked system over SMB,(Citation: Wikipedia Server Message Block) to interact with systems using remote procedure calls (RPCs),(Citation: TechNet RPC) transfer files, and run transferred binaries through remote Execution. Example execution techniques that rely on authenticated sessions over SMB/RPC are Scheduled Task/Job, Service Execution, and Windows Management Instrumentation. Adversaries can also use NTLM hashes to access administrator shares on systems with Pass the Hash and certain configuration and patch levels.(Citation: Microsoft Admin Shares)</blockquote> |
MIT License. © 2018 Red Canary |
| atomic-red-team |
T1055.md |
The effect of /inject is explained in https://blog.3or.de/mimikatz-deep-dive-on-lsadumplsa-patch-and-inject.html |
MIT License. © 2018 Red Canary |
| atomic-red-team |
T1090.003.md |
In the case of network infrastructure, particularly routers, it is possible for an adversary to leverage multiple compromised devices to create a multi-hop proxy chain within the Wide-Area Network (WAN) of the enterprise. By leveraging Patch System Image, adversaries can add custom code to the affected network devices that will implement onion routing between those nodes. This custom onion routing network will transport the encrypted C2 traffic through the compromised population, allowing adversaries to communicate with any device within the onion routing network. This method is dependent upon the Network Boundary Bridging method in order to allow the adversaries to cross the protected network boundary of the Internet perimeter and into the organization’s WAN. Protocols such as ICMP may be used as a transport.</blockquote> |
MIT License. © 2018 Red Canary |
| atomic-red-team |
T1562.001.md |
Any easy way to bypass AMSI inspection is it patch the dll in memory setting the “amsiInitFailed” function to true. |
MIT License. © 2018 Red Canary |
| signature-base |
apt_hafnium.yar |
description = “Detects a Windows Error Report (WER) that indicates and exploitation attempt of the Exchange server as described in CVE-2021-26857 after the corresponding patches have been applied. WER files won’t be written upon successful exploitation before applying the patch. Therefore, this indicates an unsuccessful attempt.” |
CC BY-NC 4.0 |
| signature-base |
apt_hkdoor.yar |
$s2 = “Patch Success.” fullword ascii |
CC BY-NC 4.0 |
| signature-base |
cn_pentestset_tools.yar |
$s0 = “Patch” fullword ascii /* PEStudio Blacklist: strings */ |
CC BY-NC 4.0 |
| signature-base |
crime_bad_patch.yar |
$x8 = “ :Old - update patch and check anti-virus.. “ fullword wide |
CC BY-NC 4.0 |
| signature-base |
crime_bad_patch.yar |
$x11 = “PatchNotExit– Version Patch” fullword wide |
CC BY-NC 4.0 |
| signature-base |
thor-hacktools.yar |
$s7 = “- Windows NT,2000 Patch Method - “ fullword |
CC BY-NC 4.0 |