From 2cc0ee99e6e82581043ad9db4f003a1709552398 Mon Sep 17 00:00:00 2001 From: Wietze Date: Wed, 24 Apr 2024 15:10:59 +0100 Subject: [PATCH] Applying MITRE ATT&CK v15 changes (#370) https://attack.mitre.org/resources/updates/updates-april-2024/ --- yml/OSBinaries/Certutil.yml | 2 +- yml/OSBinaries/Msedge.yml | 2 +- yml/OSBinaries/msedge_proxy.yml | 2 +- yml/OSBinaries/msedgewebview2.yml | 8 ++++---- yml/OSScripts/Syncappvpublishingserver.yml | 4 +--- yml/OtherMSBinaries/Teams.yml | 6 +++--- 6 files changed, 11 insertions(+), 13 deletions(-) diff --git a/yml/OSBinaries/Certutil.yml b/yml/OSBinaries/Certutil.yml index d38c052..75445ed 100644 --- a/yml/OSBinaries/Certutil.yml +++ b/yml/OSBinaries/Certutil.yml @@ -30,7 +30,7 @@ Commands: Usecase: Encode files to evade defensive measures Category: Encode Privileges: User - MitreID: T1027 + MitreID: T1027.013 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: certutil -decode encodedInputFileName decodedOutputFileName Description: Command to decode a Base64 encoded file. diff --git a/yml/OSBinaries/Msedge.yml b/yml/OSBinaries/Msedge.yml index 3acac68..2844303 100644 --- a/yml/OSBinaries/Msedge.yml +++ b/yml/OSBinaries/Msedge.yml @@ -23,7 +23,7 @@ Commands: Usecase: Executes a process under a trusted Microsoft signed binary Category: Execute Privileges: User - MitreID: T1218 + MitreID: T1218.015 OperatingSystem: Windows 10, Windows 11 Full_Path: - Path: c:\Program Files\Microsoft\Edge\Application\msedge.exe diff --git a/yml/OSBinaries/msedge_proxy.yml b/yml/OSBinaries/msedge_proxy.yml index a8c118e..950e862 100644 --- a/yml/OSBinaries/msedge_proxy.yml +++ b/yml/OSBinaries/msedge_proxy.yml @@ -25,7 +25,7 @@ Commands: Usecase: Executes a process under a trusted Microsoft signed binary Category: Execute Privileges: User - MitreID: T1218 + MitreID: T1218.015 OperatingSystem: Windows 10, Windows 11 Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/e1a713d264ac072bb76b5c4e5f41315a015d3f41/rules/windows/process_creation/proc_creation_win_susp_electron_execution_proxy.yml diff --git a/yml/OSBinaries/msedgewebview2.yml b/yml/OSBinaries/msedgewebview2.yml index e693858..83f76cd 100644 --- a/yml/OSBinaries/msedgewebview2.yml +++ b/yml/OSBinaries/msedgewebview2.yml @@ -9,28 +9,28 @@ Commands: Usecase: Proxy execution of binary Category: Execute Privileges: Low privileges - MitreID: T1202 + MitreID: T1218.015 OperatingSystem: Windows 10, Windows 11 - Command: msedgewebview2.exe --utility-cmd-prefix="calc.exe" Description: This command launches the Microsoft Edge WebView2 browser control without sandboxing and will spawn calc.exe as its subprocess. Usecase: Proxy execution of binary Category: Execute Privileges: User - MitreID: T1202 + MitreID: T1218.015 OperatingSystem: Windows 10, Windows 11 - Command: msedgewebview2.exe --disable-gpu-sandbox --gpu-launcher="calc.exe" Description: This command launches the Microsoft Edge WebView2 browser control without sandboxing and will spawn calc.exe as its subprocess. Usecase: Proxy execution of binary Category: Execute Privileges: User - MitreID: T1202 + MitreID: T1218.015 OperatingSystem: Windows 10, Windows 11 - Command: msedgewebview2.exe --no-sandbox --renderer-cmd-prefix="calc.exe" Description: This command launches the Microsoft Edge WebView2 browser control without sandboxing and will spawn calc.exe as its subprocess. Usecase: Proxy execution of binary Category: Execute Privileges: User - MitreID: T1202 + MitreID: T1218.015 OperatingSystem: Windows 10, Windows 11 Full_Path: - Path: C:\Program Files (x86)\Microsoft\Edge\Application\114.0.1823.43\msedgewebview2.exe diff --git a/yml/OSScripts/Syncappvpublishingserver.yml b/yml/OSScripts/Syncappvpublishingserver.yml index d25e08d..64ef7b9 100644 --- a/yml/OSScripts/Syncappvpublishingserver.yml +++ b/yml/OSScripts/Syncappvpublishingserver.yml @@ -9,12 +9,10 @@ Commands: Usecase: Use Powershell host invoked from vbs script Category: Execute Privileges: User - MitreID: T1216 + MitreID: T1216.002 OperatingSystem: Windows 10, Windows 11 Full_Path: - Path: C:\Windows\System32\SyncAppvPublishingServer.vbs -Code_Sample: - - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml Resources: diff --git a/yml/OtherMSBinaries/Teams.yml b/yml/OtherMSBinaries/Teams.yml index 79ae4b2..8d830e9 100644 --- a/yml/OtherMSBinaries/Teams.yml +++ b/yml/OtherMSBinaries/Teams.yml @@ -9,21 +9,21 @@ Commands: Usecase: Execute JavaScript code Category: Execute Privileges: User - MitreID: T1218 + MitreID: T1218.015 OperatingSystem: Windows 10, Windows 11 - Command: teams.exe Description: Generate JavaScript payload and package.json, archive in ASAR file and save to "%LOCALAPPDATA%\\Microsoft\\Teams\\current\\app.asar" before executing. Usecase: Execute JavaScript code Category: Execute Privileges: User - MitreID: T1218 + MitreID: T1218.015 OperatingSystem: Windows 10, Windows 11 - Command: teams.exe --disable-gpu-sandbox --gpu-launcher="C:\Windows\system32\cmd.exe /c ping google.com &&" Description: Teams spawns cmd.exe as a child process of teams.exe and executes the ping command Usecase: Executes a process under a trusted Microsoft signed binary Category: Execute Privileges: User - MitreID: T1218 + MitreID: T1218.015 OperatingSystem: Windows 10, Windows 11 Full_Path: - Path: "%LOCALAPPDATA%\\Microsoft\\Teams\\current\\Teams.exe"