Closed frack113 closed 2 years ago
Hi, I have run `grep -ri "contains all" | grep -v ';'`

```
12_13_14_registry_event/include_autoruns_and_startup_keys.xml: <TargetObject name="technique_id=T1547.001,technique_name=Registry Run Keys / Start Folder" condition="contains all">hkcu\software\microsoft\windows nt\currentversion\accessibility\ATs\\*(1)\StartExe</TargetObject><!--MDE-->
12_13_14_registry_event/include_office.xml: <TargetObject condition="contains all">software\microsoft\office\16.0\common\internet\server cache\</TargetObject> <!--MDE-->
1_process_creation/include_living_off_the_land.xml: <CommandLine name="technique_id=T1490,technique_name=Inhibit System Recovery" condition="contains all">vssadmin.exe delete</CommandLine> <!-- Possible Ransomeware detection or any kind of backup prevention https://attack.mitre.org/techniques/T1490/-->
1_process_creation/include_living_off_the_land.xml: <CommandLine name="technique_id=T1490,technique_name=Inhibit System Recovery" condition="contains all">wbadmin.exe delete</CommandLine> <!-- Deletion of Backup Catalog https://attack.mitre.org/techniques/T1490/-->
1_process_creation/include_living_off_the_land.xml: <CommandLine name="technique_id=T1490,technique_name=Inhibit System Recovery" condition="contains all">bcedit.exe /set</CommandLine> <!-- Modify Windows Recovery features by modifying boot config data https://attack.mitre.org/techniques/T1490/-->
1_process_creation/include_living_off_the_land.xml: <CommandLine name="technique_id=T1218,technique_name=Signed Binary Proxy Execution" condition="contains all">diskshadow.exe /s</CommandLine> <!--This only applies to versions of Windows Server-->
1_process_creation/include_living_off_the_land.xml: <CommandLine name="technique_id=T1218,technique_name=Proxy Execution of unsigned C# Code" condition="contains all">dnx.exe consoleapp</CommandLine>
1_process_creation/include_living_off_the_land.xml: <CommandLine name="technique_id=T1105,technique_name=Remote File Copy" condition="contains all">update --download</CommandLine>
1_process_creation/include_living_off_the_land.xml: <CommandLine name="technique_id=T1218,technique_name=Trusted Binary Proxy Execution" condition="contains all">update.exe --update</CommandLine>
1_process_creation/include_living_off_the_land.xml: <CommandLine name="technique_id=T1218,technique_name=Trusted Binary Proxy Execution" condition="contains all">update.exe --ProcessStart</CommandLine>
1_process_creation/include_living_off_the_land.xml: <CommandLine name="technique_id=T1105,technique_name=Remote File Copy" condition="contains all">squirrel --download</CommandLine>
1_process_creation/include_living_off_the_land.xml: <CommandLine name="technique_id=T1218,technique_name=Trusted Binary Proxy Execution" condition="contains all">squirrel.exe --update</CommandLine>
1_process_creation/include_living_off_the_land.xml: <CommandLine name="technique_id=T1218,technique_name=Trusted Binary Proxy Execution" condition="contains all">dxcap.exe -c</CommandLine>
1_process_creation/include_wsl.xml: <ParentCommandLine name="technique_id=T1218,technique_name=Trusted Binary Proxy Execution" condition="contains all">wsl.exe -e</ParentCommandLine>
1_process_creation/include_wsl.xml: <CommandLine name="technique_id=T1218,technique_name=Trusted Binary Proxy Execution" condition="contains all">wsl.exe -e</CommandLine> <!--This will execute local PEs on the windows host-->
1_process_creation/include_wsl.xml: <CommandLine name="technique_id=T1218,technique_name=Trusted Binary Proxy Execution" condition="contains all">wsl.exe -u root</CommandLine> <!--Run a bash command as root-->
1_process_creation/include_wsl.xml: <CommandLine name="technique_id=T1218,technique_name=Trusted Binary Proxy Execution" condition="contains all">wsl.exe --exec bash</CommandLine> <!--This will execute a command within the distro -->
1_process_creation/include_wsl.xml: <CommandLine name="technique_id=T1202,technique_name=Remote File Copy" condition="contains all">wsl.exe --exec bash</CommandLine>
1_process_creation/include_wsl.xml: <CommandLine name="technique_id=T1202,technique_name=Remote File Copy" condition="contains all">/dev/tcp</CommandLine>
sysmonconfig.xml: <CommandLine name="technique_id=T1490,technique_name=Inhibit System Recovery" condition="contains all">vssadmin.exe delete</CommandLine>
sysmonconfig.xml: <CommandLine name="technique_id=T1490,technique_name=Inhibit System Recovery" condition="contains all">wbadmin.exe delete</CommandLine>
sysmonconfig.xml: <CommandLine name="technique_id=T1490,technique_name=Inhibit System Recovery" condition="contains all">bcedit.exe /set</CommandLine>
sysmonconfig.xml: <CommandLine name="technique_id=T1218,technique_name=Signed Binary Proxy Execution" condition="contains all">diskshadow.exe /s</CommandLine>
sysmonconfig.xml: <CommandLine name="technique_id=T1218,technique_name=Proxy Execution of unsigned C# Code" condition="contains all">dnx.exe consoleapp</CommandLine>
sysmonconfig.xml: <CommandLine name="technique_id=T1105,technique_name=Remote File Copy" condition="contains all">update --download</CommandLine>
sysmonconfig.xml: <CommandLine name="technique_id=T1218,technique_name=Trusted Binary Proxy Execution" condition="contains all">update.exe --update</CommandLine>
sysmonconfig.xml: <CommandLine name="technique_id=T1218,technique_name=Trusted Binary Proxy Execution" condition="contains all">update.exe --ProcessStart</CommandLine>
sysmonconfig.xml: <CommandLine name="technique_id=T1105,technique_name=Remote File Copy" condition="contains all">squirrel --download</CommandLine>
sysmonconfig.xml: <CommandLine name="technique_id=T1218,technique_name=Trusted Binary Proxy Execution" condition="contains all">squirrel.exe --update</CommandLine>
sysmonconfig.xml: <CommandLine name="technique_id=T1218,technique_name=Trusted Binary Proxy Execution" condition="contains all">dxcap.exe -c</CommandLine>
sysmonconfig.xml: <ParentCommandLine name="technique_id=T1218,technique_name=Trusted Binary Proxy Execution" condition="contains all">wsl.exe -e</ParentCommandLine>
sysmonconfig.xml: <CommandLine name="technique_id=T1218,technique_name=Trusted Binary Proxy Execution" condition="contains all">wsl.exe -e</CommandLine>
sysmonconfig.xml: <CommandLine name="technique_id=T1218,technique_name=Trusted Binary Proxy Execution" condition="contains all">wsl.exe -u root</CommandLine>
sysmonconfig.xml: <CommandLine name="technique_id=T1218,technique_name=Trusted Binary Proxy Execution" condition="contains all">wsl.exe --exec bash</CommandLine>
sysmonconfig.xml: <CommandLine name="technique_id=T1202,technique_name=Remote File Copy" condition="contains all">wsl.exe --exec bash</CommandLine>
sysmonconfig.xml: <CommandLine name="technique_id=T1202,technique_name=Remote File Copy" condition="contains all">/dev/tcp</CommandLine>
sysmonconfig.xml: <TargetObject name="technique_id=T1547.001,technique_name=Registry Run Keys / Start Folder" condition="contains all">hkcu\software\microsoft\windows nt\currentversion\accessibility\ATs\\*(1)\StartExe</TargetObject>
sysmonconfig.xml: <TargetObject condition="contains all">software\microsoft\office\16.0\common\internet\server cache\</TargetObject>
```

Example: for `wsl.exe -e`, is it `wsl.exe;-e` or a simple `contains`?
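As an added example (not part of this issue or of the sysmon-modular repository), here is an XML-aware version of the grep check above: it walks a Sysmon config, flags every `contains all` / `contains any` rule whose value has no `;` (so it currently matches as a single substring, like plain `contains`), and prints the two readings the question contrasts. The sample config is constructed for the demonstration.

```python
"""Lint a Sysmon config for 'contains all/any' rules that carry no ';' list."""
import xml.etree.ElementTree as ET

# Sysmon reads the value of these conditions as a ';'-separated list of substrings.
# Without a ';' the rule degrades to a single-substring match, i.e. plain 'contains'.
LIST_CONDITIONS = ("contains all", "contains any")

# Constructed sample config (not the repository's own) with two suspect rules.
SAMPLE_CONFIG = r"""<Sysmon schemaversion="4.50">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="include">
        <CommandLine condition="contains all">wsl.exe -e</CommandLine>
        <CommandLine condition="contains all">vssadmin.exe;delete</CommandLine>
        <CommandLine condition="contains">wbadmin.exe delete</CommandLine>
      </ProcessCreate>
      <RegistryEvent onmatch="include">
        <TargetObject condition="contains all">software\microsoft\office\16.0\common\internet\server cache\</TargetObject>
      </RegistryEvent>
    </RuleGroup>
  </EventFiltering>
</Sysmon>"""


def find_degraded_list_rules(xml_text):
    """Return (event_type, field, condition, value) for each 'contains all/any'
    rule whose value holds no ';' and therefore behaves like plain 'contains'."""
    root = ET.fromstring(xml_text)
    findings = []
    for event in root.iter():
        if event.get("onmatch") is None:   # only event-type elements hold rules
            continue
        for rule in event.iter():
            value = (rule.text or "").strip()
            if rule is event or not value:  # skip the event itself and <Rule> wrappers
                continue
            cond = (rule.get("condition") or "is").lower()
            if cond in LIST_CONDITIONS and ";" not in value:
                findings.append((event.tag, rule.tag, cond, value))
    return findings


def suggest(value):
    """The two readings the issue asks about: a ';' list of the whitespace-separated
    tokens, or the literal string under plain 'contains'. A path with a space in it
    (e.g. 'server cache\\') usually wants the literal reading; a human decides."""
    tokens = value.split()
    if len(tokens) < 2:
        return {"contains": value}
    return {"contains all": ";".join(tokens), "contains": value}


if __name__ == "__main__":
    for event_type, field, cond, value in find_degraded_list_rules(SAMPLE_CONFIG):
        print(f"{event_type}/{field} [{cond}] {value!r} -> {suggest(value)}")
```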
great point, thanks! I'll improve these