From 02207882f637e7017fd3e0c200cde19ad664b826 Mon Sep 17 00:00:00 2001 From: Elliot Killick Date: Sat, 28 Aug 2021 00:55:50 -0400 Subject: [PATCH 1/2] Create cmdl32.yml --- yml/OSBinaries/cmdl32.yml | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 yml/OSBinaries/cmdl32.yml diff --git a/yml/OSBinaries/cmdl32.yml b/yml/OSBinaries/cmdl32.yml new file mode 100644 index 0000000..84933f9 --- /dev/null +++ b/yml/OSBinaries/cmdl32.yml @@ -0,0 +1,24 @@ +--- +Name: cmdl32.exe +Description: Microsoft Connection Manager Auto-Download +Author: 'Elliot Killick' +Created: '2021-08-26' +Commands: + - Command: cmdl32 /vpn /lan %cd%\config + Description: Download a file from the web address specified in the configuration file. The downloaded file will be in %TMP% under the name VPNXXXX.tmp where "X" denotes a random number or letter. + Usecase: Download file from Internet + Category: Download + Privileges: User + MitreID: T1105 + MitreLink: https://attack.mitre.org/techniques/T1105/ + OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10 +Full_Path: + - Path: C:\Windows\System32\cmdl32.exe + - Path: C:\Windows\SysWOW64\cmdl32.exe +Detection: + - IOC: Reports of downloading from suspicious URLs in %TMP%\config.log + - IOC: Useragent Microsoft(R) Connection Manager Vpn File Update +Acknowledgement: + - Person: Elliot Killick + Handle: '@elliotkillick' +--- From fb9b6d65d5e4fd2a91e3f4ac31ebcb0a3f9d4d1a Mon Sep 17 00:00:00 2001 From: Oddvar Moe Date: Fri, 22 Oct 2021 16:31:54 +0200 Subject: [PATCH 2/2] Update cmdl32.yml --- yml/OSBinaries/cmdl32.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/yml/OSBinaries/cmdl32.yml b/yml/OSBinaries/cmdl32.yml index 84933f9..de4d492 100644 --- a/yml/OSBinaries/cmdl32.yml +++ b/yml/OSBinaries/cmdl32.yml 
@@ -18,6 +18,8 @@ Full_Path: Detection: - IOC: Reports of downloading from suspicious URLs in %TMP%\config.log - IOC: Useragent Microsoft(R) Connection Manager Vpn File Update +Resource: + - Link: https://github.com/LOLBAS-Project/LOLBAS/pull/151 Acknowledgement: - Person: Elliot Killick Handle: '@elliotkillick'
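Review bot: The Detection block in the first hunk (PATCH 1/2) is hard to operationalize as written: "Reports of downloading from suspicious URLs in %TMP%\config.log" names a log artefact without saying which line or field a responder should look for, and the second IOC would be safer quoted as a YAML string (`- IOC: 'Useragent Microsoft(R) Connection Manager Vpn File Update'`) so the exact spacing and casing of the User-Agent survive any later reformatting. Since the Command itself (`cmdl32 /vpn /lan %cd%\config`) is the most direct telemetry for this usecase, consider adding a process-creation IOC on the `/vpn /lan` switches alongside the file and network indicators; also note that the Created value '2021-08-26' predates the commit date in the header, which is fine but worth confirming is intended.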
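Review bot: The Resource entry added in the second hunk (PATCH 2/2) points back at this pull request itself (https://github.com/LOLBAS-Project/LOLBAS/pull/151) rather than at an independent reference, so it records submission history but gives the reader no technical detail beyond what the YAML already states; if a write-up or vendor documentation for cmdl32.exe exists, that would be the stronger link, with the PR kept as a secondary entry. The two inserted lines are otherwise consistent in indentation and key style with the surrounding Detection and Acknowledgement sections.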