From 21f414c47915e4ce177ecf371150145cf70670d3 Mon Sep 17 00:00:00 2001 From: LuxNoBu!!shit <51244609+LuxNoBulIshit@users.noreply.github.com> Date: Fri, 25 Dec 2020 12:05:16 -0800 Subject: [PATCH 1/3] Create pnputil.exe --- pnputil.exe | 39 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 pnputil.exe diff --git a/pnputil.exe b/pnputil.exe new file mode 100644 index 0000000..7611392 --- /dev/null +++ b/pnputil.exe @@ -0,0 +1,39 @@ +--- +Name: pnputil.exe +Description: used for Install drivers. +Author: Hai vaknin (lux) +Created: 25/12/2020 +Commands: + - Command: + pnputil.exe -i -a C:\Users\hai\Desktop\mo.inf + Description: Binary file used by .NET to compile c# code to .exe + Usecase: Compile attacker code on system. Bypass defensive counter measures. + Category: Execution + Privileges required:Administrator + MitreID: T1127 + MitreLink: https://attack.mitre.org/techniques/T1127/ + OperatingSystem: Windows 10,7 + - Command: ilasm.exe C:\Users\חי\Desktop\test.txt /dll + Description: Binary file used by .NET to compile c# code to dll + Usecase: A description of the usecase + Category: Compile + Privileges required:User + MitreID: T1127 + MitreLink: https://attack.mitre.org/techniques/T1127/ + +Full_Path: + - Path: + C:\Windows\System32\PnPUtil.exe +Code_Sample: +https://github.com/LuxNoBulIshit/test.inf/blob/main/inf + +Code: +1.pnputil.exe -i -a C:\Users\hai\Desktop\mo.inf +Acknowledgement: + - Person: +Hai Vaknin(Lux) https://github.com/LuxNoBulIshit +Avihay Eldad +AlonEliassaf http://github.com/aloneliassaf + + +--- From 0d819439c5e027fdcbb9de77857a513416c4b675 Mon Sep 17 00:00:00 2001 From: LuxNoBu!!shit <51244609+LuxNoBulIshit@users.noreply.github.com> Date: Fri, 25 Dec 2020 12:14:15 -0800 Subject: [PATCH 2/3] Create pnputil.exe --- yml/OSBinaries/pnputil.exe | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 yml/OSBinaries/pnputil.exe 
diff --git a/yml/OSBinaries/pnputil.exe b/yml/OSBinaries/pnputil.exe new file mode 100644 index 0000000..3ce817e --- /dev/null +++ b/yml/OSBinaries/pnputil.exe @@ -0,0 +1,29 @@ +--- +Name: Pnputil.exe +Description: used for Install drivers. +Author: Hai vaknin (lux) +Created: 25/12/2020 +Commands: + - Command: + pnputil.exe -i -a C:\Users\hai\Desktop\mo.inf + Description: used for Install drivers + Usecase: add malicious driver. + Category: Execution + Privileges required:Administrator. + MitreID: + MitreLink: + OperatingSystem: Windows 10,7 + +Full_Path: + - Path: + C:\Windows\system32\pnputil.exe + +Code_Sample: +https://github.com/LuxNoBulIshit/test.inf/blob/main/inf +Acknowledgement: + - Person: +Hai Vaknin(Lux) https://github.com/LuxNoBulIshit +Avihay eldad +AlonEliassaf http://github.com/aloneliassaf + +--- From f59da6598c63afe641af6685c2decd427998babf Mon Sep 17 00:00:00 2001 From: LuxNoBu!!shit <51244609+LuxNoBulIshit@users.noreply.github.com> Date: Fri, 25 Dec 2020 12:22:28 -0800 Subject: [PATCH 3/3] Delete pnputil.exe --- pnputil.exe | 39 --------------------------------------- 1 file changed, 39 deletions(-) delete mode 100644 pnputil.exe diff --git a/pnputil.exe b/pnputil.exe deleted file mode 100644 index 7611392..0000000 --- a/pnputil.exe +++ /dev/null 
@@ -1,39 +0,0 @@ ---- -Name: pnputil.exe -Description: used for Install drivers. -Author: Hai vaknin (lux) -Created: 25/12/2020 -Commands: - - Command: - pnputil.exe -i -a C:\Users\hai\Desktop\mo.inf - Description: Binary file used by .NET to compile c# code to .exe - Usecase: Compile attacker code on system. Bypass defensive counter measures. - Category: Execution - Privileges required:Administrator - MitreID: T1127 - MitreLink: https://attack.mitre.org/techniques/T1127/ - OperatingSystem: Windows 10,7 - - Command: ilasm.exe C:\Users\חי\Desktop\test.txt /dll - Description: Binary file used by .NET to compile c# code to dll - Usecase: A description of the usecase - Category: Compile - Privileges required:User - MitreID: T1127 - MitreLink: https://attack.mitre.org/techniques/T1127/ - -Full_Path: - - Path: - C:\Windows\System32\PnPUtil.exe -Code_Sample: -https://github.com/LuxNoBulIshit/test.inf/blob/main/inf - -Code: -1.pnputil.exe -i -a C:\Users\hai\Desktop\mo.inf -Acknowledgement: - - Person: -Hai Vaknin(Lux) https://github.com/LuxNoBulIshit -Avihay Eldad -AlonEliassaf http://github.com/aloneliassaf - - ----
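Review bot: In [PATCH 1/3] (new root-level `pnputil.exe`), the first `Commands` entry pairs the `pnputil.exe -i -a C:\Users\hai\Desktop\mo.inf` command with a Description ("Binary file used by .NET to compile c# code to .exe"), a Usecase ("Compile attacker code on system") and MitreID T1127 that describe a compiler, not a driver installer. The second entry is for `ilasm.exe`, still carries the placeholder "A description of the usecase", and uses a path with a personal, non-ASCII user name. Please drop the `ilasm.exe` entry, rewrite the first entry's fields so they describe driver-package installation, and remove the trailing `Code:` section with its numbered `1.pnputil.exe ...` line, which repeats the command above it.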
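Review bot: In [PATCH 2/3] (`yml/OSBinaries/pnputil.exe`), `MitreID:` and `MitreLink:` are left empty, so the entry cannot be mapped to a technique by anyone building detections from it; please fill both in or explain in the PR why no mapping applies. In the same entry, `Privileges required:Administrator.` has no space after the colon and ends with a stray period, so it will not be read as a key/value pair; write it as `Privileges required: Administrator`. The file also sits under `yml/` but is named with an `.exe` extension, which should match the extension of the other definition files in that directory. The Description "used for Install drivers." would read better as a full sentence stating that `-i -a` adds and installs the driver package named by the .inf file.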
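Review bot: In [PATCH 3/3], the deleted root-level `pnputil.exe` (index 7611392) is the same file that [PATCH 1/3] created, so the series adds and then removes 39 lines with no net effect. Please squash the series so only the `yml/OSBinaries/` addition from [PATCH 2/3] remains; that keeps the mis-copied compiler entries and the personal user path out of the repository history. The three commits also share near-identical subjects ("Create pnputil.exe" twice, then "Delete pnputil.exe"), and a single commit with a subject naming the new entry and its path would be easier to review.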