chore: archive new rule references and update cache file

marvi · web-flow · commit 85a34903765f · 2023-12-01T01:52:33.000Z
diff --git a/.github/latest_archiver_output.md b/.github/latest_archiver_output.md
@@ -1,108 +1,102 @@
 # Reference Archiver Results
 
-Last Execution: 2023-11-15 01:55:35
+Last Execution: 2023-12-01 01:52:33
 
 ### Archiver Script Results
 
 
 #### Newly Archived References
 
-- https://github.com/AliBrTab/CVE-2023-46747-POC/tree/main
+N/A
 
 #### Already Archived References
 
-- https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404
-- https://www.virustotal.com/gui/file/b6e8910fb9b3bb1fcddefd35ff0ed8624930d30d6977e11808c8330415685a62
-- https://www.virustotal.com/gui/file/72f1a5476a845ea02344c9b7edecfe399f64b52409229edaf856fcb9535e3242
-- https://lolbas-project.github.io/lolbas/Binaries/msedge_proxy/
-- https://github.com/0xorOne/nuclei-templates/blob/2fef4270ec6e5573d0a1732cb18bcfc4b1580a88/http/cves/2023/CVE-2023-46747.yaml
-- https://learn.microsoft.com/en-us/office/vba/api/excel.xlmsapplication
-- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
-- https://community.f5.com/t5/technical-forum/running-bash-commands-via-rest-api/td-p/272516
-- https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
+- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662
+- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msxsl/
+- https://www.huntress.com/blog/confluence-to-cerber-exploitation-of-cve-2023-22518-for-ransomware-deployment
 
 #### Error While Archiving References
 
-- https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html
-- https://news.ycombinator.com/item?id=29504755
-- https://us-cert.cisa.gov/ncas/alerts/aa21-008a
-- https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/
-- https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/
+- https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/
 - https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin
-- https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195
-- https://us-cert.cisa.gov/ncas/alerts/aa21-259a
-- http://www.hexacorn.com/blog/2020/02/05/stay-positive-lolbins-not/
-- http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/
-- https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/
-- https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/
-- https://posts.specterops.io/lateral-movement-abuse-the-power-of-dcom-excel-application-3c016d0d9922
-- https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/
-- https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/
-- https://www.cyberciti.biz/faq/linux-remove-user-command/
-- https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/
-- http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/
-- https://paper.seebug.org/1495/
-- http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/
+- https://news.ycombinator.com/item?id=29504755
+- https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/
 - https://megatools.megous.com/
-- https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/
+- https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/
+- https://www.sans.org/cyber-security-summit/archives
+- https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/
 - https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
-- http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/
-- https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992
-- https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html
+- https://www.cyberciti.biz/faq/linux-remove-user-command/
+- https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
+- https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/
+- http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/
+- http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/
 - https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a
+- https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode
+- https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
+- https://github.com/grayhatkiller/SharpExShell
+- https://petrusviet.medium.com/dancing-on-the-architecture-of-vmware-workspace-one-access-eng-ad592ae1b6dd
+- https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39
+- http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/
+- https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html
+- https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e
 - https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html
-- https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html
+- https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/
+- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftauthorization
+- https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1
 - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
-- https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/
+- https://learn.microsoft.com/en-us/windows/win32/wmisdk/connecting-to-wmi-remotely-starting-with-vista
+- http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/
+- https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/
+- https://www.praetorian.com/blog/refresh-compromising-f5-big-ip-with-request-smuggling-cve-2023-46747/
+- http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/
+- https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/
+- https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/
+- https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/
+- https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2
 - https://github.com/fortra/impacket/blob/33058eb2fde6976ea62e04bc7d6b629d64d44712/examples/smbexec.py#L286-L296
+- https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd
 - https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029
-- https://www.sans.org/cyber-security-summit/archives
-- http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/
+- https://github.com/fortra/impacket/blob/edef71f17bc1240f9f8c957bbda98662951ac3ec/examples/smbexec.py#L60
+- https://linux.die.net/man/8/useradd
+- https://unit42.paloaltonetworks.com/cloaked-ursa-phishing/
+- https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf
+- https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/
+- https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b
+- https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195
+- https://github.com/ForceFledgling/CVE-2023-22518
+- https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html
+- https://confluence.atlassian.com/security/cve-2023-22518-improper-authorization-vulnerability-in-confluence-data-center-and-server-1311473907.html
+- https://linux.die.net/man/1/arecord
 - https://www.hexacorn.com/blog/2017/01/14/beyond-good-ol-run-key-part-53/
-- https://www.virustotal.com/gui/file/d72af640b71b8e3eca3eba660dd7c7f029ff8852bcacaa379e7b6c57cf4d9b44
-- https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
-- https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/
+- https://posts.specterops.io/lateral-movement-abuse-the-power-of-dcom-excel-application-3c016d0d9922
 - https://www.cyberciti.biz/faq/how-force-kill-process-linux/
-- https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd
-- http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/
+- https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/
+- https://paper.seebug.org/1495/
+- https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/
+- https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf
 - https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash
-- https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b
-- http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/
+- https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992
+- https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/
+- https://www.group-ib.com/resources/threat-research/red-curl-2.html
+- https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/
+- https://us-cert.cisa.gov/ncas/alerts/aa21-008a
+- http://www.hexacorn.com/blog/2020/02/05/stay-positive-lolbins-not/
+- https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html
+- https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html
+- https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/
+- http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/
+- https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/
+- https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/
+- http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/
 - http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/
-- https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf
-- https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2
-- https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
-- https://github.com/grayhatkiller/SharpExShell
-- https://github.com/api0cradle/LOLBAS/blob/d148d278f5f205ce67cfaf49afdfb68071c7252a/OSScripts/pester.md
-- https://petrusviet.medium.com/dancing-on-the-architecture-of-vmware-workspace-one-access-eng-ad592ae1b6dd
+- https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/
+- https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
+- http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/
 - https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/
-- https://linux.die.net/man/1/arecord
-- http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/
-- https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/
-- https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/
+- https://www.virustotal.com/gui/file/d72af640b71b8e3eca3eba660dd7c7f029ff8852bcacaa379e7b6c57cf4d9b44
+- https://github.com/api0cradle/LOLBAS/blob/d148d278f5f205ce67cfaf49afdfb68071c7252a/OSScripts/pester.md
 - https://mp.weixin.qq.com/s/wUoBy7ZiqJL2CUOMC-8Wdg
-- https://github.com/fortra/impacket/blob/edef71f17bc1240f9f8c957bbda98662951ac3ec/examples/smbexec.py#L60
-- https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/
-- https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39
-- https://learn.microsoft.com/en-us/windows/win32/wmisdk/connecting-to-wmi-remotely-starting-with-vista
-- https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html
-- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msxsl/
-- https://linux.die.net/man/8/useradd
-- https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1
-- https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/
-- https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/
-- https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf
-- https://www.praetorian.com/blog/refresh-compromising-f5-big-ip-with-request-smuggling-cve-2023-46747/
-- https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e
-- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftauthorization
-- https://unit42.paloaltonetworks.com/cloaked-ursa-phishing/
-- https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/
-- https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode
-- https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/
+- https://us-cert.cisa.gov/ncas/alerts/aa21-259a
+- https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/
 - https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/
-- https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
-- https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/
-- https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/
-- https://www.group-ib.com/resources/threat-research/red-curl-2.html
-- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662
-- https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/
diff --git a/tests/rule-references.txt b/tests/rule-references.txt
@@ -3462,3 +3462,6 @@ https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provid
 https://community.f5.com/t5/technical-forum/running-bash-commands-via-rest-api/td-p/272516
 https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
 https://github.com/AliBrTab/CVE-2023-46747-POC/tree/main
+https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662
+https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msxsl/
+https://www.huntress.com/blog/confluence-to-cerber-exploitation-of-cve-2023-22518-for-ransomware-deployment
