Skip to content

Commit

Permalink
chore: archive new rule references and update cache file
Browse files Browse the repository at this point in the history
  • Loading branch information
@marvi
marvi authored Dec 15, 2023
1 parent f07e2b3 commit abbb52f
Show file tree
Hide file tree
Showing 2 changed files with 111 additions and 102 deletions.
206 changes: 104 additions & 102 deletions .github/latest_archiver_output.md
View file
Original file line number Diff line number Diff line change
@@ -1,133 +1,135 @@
# Reference Archiver Results

Last Execution: 2023-12-01 01:53:38
Last Execution: 2023-12-15 01:48:46

### Archiver Script Results


#### Newly Archived References

- https://taiwan.postsen.com/business/88601/Hamas-hackers-use-data-destruction-software-BiBi-which-consumes-a-lot-of-processor-resources-to-wipe-Windows-computer-data--iThome.html
- https://www.swascan.com/cactus-ransomware-malware-analysis/
N/A

#### Already Archived References

- https://confluence.atlassian.com/security/cve-2023-22518-improper-authorization-vulnerability-in-confluence-data-center-and-server-1311473907.html
- https://www.praetorian.com/blog/refresh-compromising-f5-big-ip-with-request-smuggling-cve-2023-46747/
- https://www.huntress.com/blog/confluence-to-cerber-exploitation-of-cve-2023-22518-for-ransomware-deployment
- https://labs.withsecure.com/content/dam/labs/docs/f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf
- https://www.crowdstrike.com/blog/windows-restart-manager-part-2/
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msxsl/
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftauthorization
- https://learn.microsoft.com/en-us/windows/win32/wmisdk/connecting-to-wmi-remotely-starting-with-vista
- https://github.com/grayhatkiller/SharpExShell
- https://www.virustotal.com/gui/file/d72af640b71b8e3eca3eba660dd7c7f029ff8852bcacaa379e7b6c57cf4d9b44
- https://github.com/AonCyberLabs/Cexigua/blob/34d338620afae4c6335ba8d8d499e1d7d3d5d7b5/overwrite.sh
- https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/
- https://attackerkb.com/topics/2faW2CxJgQ/cve-2023-4966
- https://github.com/fortra/impacket/blob/33058eb2fde6976ea62e04bc7d6b629d64d44712/examples/smbexec.py#L286-L296
- https://unit42.paloaltonetworks.com/cloaked-ursa-phishing/

#### Error While Archiving References

- https://www.sans.org/cyber-security-summit/archives
- https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992
- https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
- https://www.group-ib.com/blog/apt41-world-tour-2021/
- http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/
- http://www.hexacorn.com/blog/2020/02/05/stay-positive-lolbins-not/
- http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/
- https://www.rnbo.gov.ua/files/2023_YEAR/CYBERCENTER/november/APT29%20attacks%20Embassies%20using%20CVE-2023-38831%20-%20report%20en.pdf
- https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/
- https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/
- https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39
- https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf
- https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/
- https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
- https://unit42.paloaltonetworks.com/cloaked-ursa-phishing/
- https://linux.die.net/man/1/arecord
- https://github.com/fortra/impacket/blob/edef71f17bc1240f9f8c957bbda98662951ac3ec/examples/smbexec.py#L60
- https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html
- http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/
- https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/
- https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/
- http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/
- http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/
- https://www.cyberciti.biz/faq/linux-remove-user-command/
- https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/
- https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967
- https://web.archive.org/web/20160928212230/https://www.adaptforward.com/2016/09/using-netshell-to-execute-evil-dlls-and-persist-on-a-host/
- https://github.com/outflanknl/NetshHelperBeacon
- https://www.group-ib.com/resources/threat-research/red-curl-2.html
- https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/
- https://github.com/fortra/impacket/blob/33058eb2fde6976ea62e04bc7d6b629d64d44712/examples/smbexec.py#L286-L296
- https://linux.die.net/man/8/useradd
- https://learn.microsoft.com/en-us/dotnet/core/runtime-config/debugging-profiling
- https://attackerkb.com/topics/2faW2CxJgQ/cve-2023-4966
- https://www.virustotal.com/gui/file/d72af640b71b8e3eca3eba660dd7c7f029ff8852bcacaa379e7b6c57cf4d9b44
- https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
- https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/
- https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195
- https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/
- https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/
- https://pentestlab.blog/2019/10/29/persistence-netsh-helper-dll/
- https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash
- https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2
- https://mp.weixin.qq.com/s/wUoBy7ZiqJL2CUOMC-8Wdg
- https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd
- https://www.group-ib.com/resources/threat-research/red-curl-2.html
- https://github.com/outflanknl/NetshHelperBeacon
- https://us-cert.cisa.gov/ncas/alerts/aa21-259a
- https://www.hexacorn.com/blog/2017/01/14/beyond-good-ol-run-key-part-53/
- https://www.cyberciti.biz/faq/linux-remove-user-command/
- https://www.rnbo.gov.ua/files/2023_YEAR/CYBERCENTER/november/APT29%20attacks%20Embassies%20using%20CVE-2023-38831%20-%20report%20en.pdf
- https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/
- https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html
- http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/
- https://blog.hrncirik.net/cve-2023-46214-analysis
- https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-eventlog?view=powershell-5.1
- https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/
- http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/
- https://pentestlab.blog/2019/10/29/persistence-netsh-helper-dll/
- https://linux.die.net/man/1/arecord
- https://www.aon.com/cyber-solutions/aon_cyber_labs/linux-based-inter-process-code-injection-without-ptrace2/
- https://github.com/assetnote/exploits/tree/main/citrix/CVE-2023-4966
- https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966
- https://www.rapid7.com/blog/post/2023/10/25/etr-cve-2023-4966-exploitation-of-citrix-netscaler-information-disclosure-vulnerability/
- https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/
- https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/
- http://www.hexacorn.com/blog/2020/02/05/stay-positive-lolbins-not/
- https://www.sans.org/cyber-security-summit/archives
- https://www.group-ib.com/blog/apt41-world-tour-2021/
- https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/
- https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html
- https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/
- http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/
- https://paper.seebug.org/1495/
- https://mp.weixin.qq.com/s/wUoBy7ZiqJL2CUOMC-8Wdg
- https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html
- https://us-cert.cisa.gov/ncas/alerts/aa21-008a
- https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
- https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/
- https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/
- https://www.crowdstrike.com/blog/windows-restart-manager-part-1/
- https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/
- http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/
- https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/
- https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195
- https://www.virustotal.com/gui/file/39102fb7bb6a74a9c8cb6d46419f9015b381199ea8524c1376672b30fffd69d2
- https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992
- https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2
- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a
- http://www.solomonson.com/posts/2010-07-09-reading-eventviewer-command-line/
- https://cydefops.com/vscode-data-exfiltration
- https://cydefops.com/devtunnels-unleashed
- http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/
- https://news.ycombinator.com/item?id=29504755
- https://www.crowdstrike.com/blog/windows-restart-manager-part-1/
- http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/
- https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662
- https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/
- https://www.fortinet.com/blog/threat-research/konni-campaign-distributed-via-malicious-document
- https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
- https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/
- https://www.hexacorn.com/blog/2017/01/14/beyond-good-ol-run-key-part-53/
- https://www.linkedin.com/pulse/guntior-story-advanced-bootkit-doesnt-rely-windows-disk-baranov-wue8e/
- https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b
- https://paper.seebug.org/1495/
- https://github.com/nathan31337/Splunk-RCE-poc/
- https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/
- https://github.com/assetnote/exploits/tree/main/citrix/CVE-2023-4966
- https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/
- https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography?view=net-8.0
- https://advisory.splunk.com/advisories/SVD-2023-1104
- https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/
- https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md
- https://github.com/ForceFledgling/CVE-2023-22518
- https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
- https://posts.specterops.io/lateral-movement-abuse-the-power-of-dcom-excel-application-3c016d0d9922
- https://www.ired.team/offensive-security/persistence/t1128-netsh-helper-dll
- https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team
- https://squiblydoo.blog/2023/11/07/october-2023-solarmarker/
- https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841
- https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/
- https://www.malwarebytes.com/blog/detections/pum-optional-nodispbackgroundpage
- https://megatools.megous.com/
- https://github.com/fortra/impacket/blob/edef71f17bc1240f9f8c957bbda98662951ac3ec/examples/smbexec.py#L60
- https://ngrok.com/blog-post/new-ngrok-domains
- http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/
- https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html
- https://www.cyberciti.biz/faq/how-force-kill-process-linux/
- https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf
- https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/
- https://www.malwarebytes.com/blog/detections/pum-optional-nodispcpl
- https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/
- https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/
- https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662
- http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/
- https://cydefops.com/devtunnels-unleashed
- https://cydefops.com/vscode-data-exfiltration
- https://linux.die.net/man/8/useradd
- https://jsecurity101.medium.com/bypassing-access-mask-auditing-strategies-480fb641c158
- http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/
- https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e
- https://github.com/nathan31337/Splunk-RCE-poc/
- https://www.linkedin.com/pulse/guntior-story-advanced-bootkit-doesnt-rely-windows-disk-baranov-wue8e/
- https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/
- https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
- https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash
- https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/
- https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/
- https://blog.hrncirik.net/cve-2023-46214-analysis
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-7.3
- https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html
- https://github.com/api0cradle/LOLBAS/blob/d148d278f5f205ce67cfaf49afdfb68071c7252a/OSScripts/pester.md
- https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/
- https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1
- https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029
- https://us-cert.cisa.gov/ncas/alerts/aa21-259a
- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a
- https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966
- https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html
- https://www.malwarebytes.com/blog/detections/pum-optional-nodispcpl
- https://learn.microsoft.com/en-us/dotnet/core/runtime-config/debugging-profiling
- https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/
- https://posts.specterops.io/lateral-movement-abuse-the-power-of-dcom-excel-application-3c016d0d9922
- http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/
- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html
- https://petrusviet.medium.com/dancing-on-the-architecture-of-vmware-workspace-one-access-eng-ad592ae1b6dd
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-eventlog?view=powershell-5.1
- https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html
- https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967
- https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029
- https://web.archive.org/web/20160928212230/https://www.adaptforward.com/2016/09/using-netshell-to-execute-evil-dlls-and-persist-on-a-host/
- https://www.cyberciti.biz/faq/how-force-kill-process-linux/
- https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf
- https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode
- https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html
- https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/
- http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/
- https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd
- https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e
- https://www.ired.team/offensive-security/persistence/t1128-netsh-helper-dll
- https://www.malwarebytes.com/blog/detections/pum-optional-nodispbackgroundpage
- https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a
- https://us-cert.cisa.gov/ncas/alerts/aa21-008a
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-7.3
- https://megatools.megous.com/
- https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/
- https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39
- https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf
- https://advisory.splunk.com/advisories/SVD-2023-1104
- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html
- https://github.com/grayhatkiller/SharpExShell
- https://github.com/ForceFledgling/CVE-2023-22518
- https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1
- https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin
- https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/
- https://blogs.vmware.com/security/2023/11/jupyter-rising-an-update-on-jupyter-infostealer.html
- https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b
- https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/
7 changes: 7 additions & 0 deletions tests/rule-references.txt
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3473,3 +3473,10 @@ https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provid
https://learn.microsoft.com/en-us/windows/win32/wmisdk/connecting-to-wmi-remotely-starting-with-vista
https://taiwan.postsen.com/business/88601/Hamas-hackers-use-data-destruction-software-BiBi-which-consumes-a-lot-of-processor-resources-to-wipe-Windows-computer-data--iThome.html
https://www.swascan.com/cactus-ransomware-malware-analysis/
https://github.com/grayhatkiller/SharpExShell
https://www.virustotal.com/gui/file/d72af640b71b8e3eca3eba660dd7c7f029ff8852bcacaa379e7b6c57cf4d9b44
https://github.com/AonCyberLabs/Cexigua/blob/34d338620afae4c6335ba8d8d499e1d7d3d5d7b5/overwrite.sh
https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/
https://attackerkb.com/topics/2faW2CxJgQ/cve-2023-4966
https://github.com/fortra/impacket/blob/33058eb2fde6976ea62e04bc7d6b629d64d44712/examples/smbexec.py#L286-L296
https://unit42.paloaltonetworks.com/cloaked-ursa-phishing/

0 comments on commit abbb52f

Please sign in to comment.