diff --git a/yml/OSBinaries/Conhost.yml b/yml/OSBinaries/Conhost.yml new file mode 100644 index 0000000..0ed5c87 --- /dev/null +++ b/yml/OSBinaries/Conhost.yml @@ -0,0 +1,27 @@ +--- +Name: Conhost.exe +Description: Console Window host +Author: Wietze Beukema +Created: 2022-04-05 +Commands: + - Command: "conhost.exe calc.exe" + Description: Execute calc.exe with conhost.exe as parent process + Usecase: Use conhost.exe as a proxy binary to evade defensive counter-measures + Category: Execute + Privileges: User + MitreID: T1202 + OperatingSystem: Windows 10, Windows 11 +Full_Path: + - Path: c:\windows\system32\conhost.exe +Detection: + - IOC: conhost.exe spawning unexpected processes + - Sigma: https://github.com/SigmaHQ/sigma/blob/bea6f18d350d9c9fdc067f93dde0e9b11cc22dc2/rules/windows/process_creation/proc_creation_win_susp_conhost.yml +Resources: + - Link: https://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/ + - Link: https://twitter.com/Wietze/status/1511397781159751680 +Acknowledgement: + - Person: Adam + Handle: '@hexacorn' + - Person: Wietze + Handle: '@wietze' +--- diff --git a/yml/OSBinaries/Gpscript.yml b/yml/OSBinaries/Gpscript.yml index b04e7c4..cc11b3a 100644 --- a/yml/OSBinaries/Gpscript.yml +++ b/yml/OSBinaries/Gpscript.yml @@ -24,6 +24,7 @@ Full_Path: Code_Sample: - Code: Detection: + - Sigma: https://github.com/SigmaHQ/sigma/blob/35a7244c62820fbc5a832e50b1e224ac3a1935da/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml - IOC: Scripts added in local group policy - IOC: Execution of Gpscript.exe after logon Resources: diff --git a/yml/OSBinaries/IMEWDBLD.yml b/yml/OSBinaries/IMEWDBLD.yml index ab11f79..3e133ca 100644 --- a/yml/OSBinaries/IMEWDBLD.yml +++ b/yml/OSBinaries/IMEWDBLD.yml 
@@ -14,6 +14,7 @@ Commands: Full_Path: - Path: C:\Windows\System32\IME\SHARED\IMEWDBLD.exe Detection: + - Sigma: https://github.com/SigmaHQ/sigma/blob/bea6f18d350d9c9fdc067f93dde0e9b11cc22dc2/rules/windows/network_connection/net_connection_win_imewdbld.yml Resources: - Link: https://twitter.com/notwhickey/status/1367493406835040265 Acknowledgement: diff --git a/yml/OSBinaries/Ie4uinit.yml b/yml/OSBinaries/Ie4uinit.yml index f5efdd3..4c3b8a6 100644 --- a/yml/OSBinaries/Ie4uinit.yml +++ b/yml/OSBinaries/Ie4uinit.yml @@ -21,6 +21,7 @@ Code_Sample: Detection: - IOC: ie4uinit.exe copied outside of %windir% - IOC: ie4uinit.exe loading an inf file (ieuinit.inf) from outside %windir% + - Sigma: https://github.com/SigmaHQ/sigma/blob/bea6f18d350d9c9fdc067f93dde0e9b11cc22dc2/rules/windows/process_creation/proc_creation_win_lolbin_ie4uinit.yml Resources: - Link: https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/ Acknowledgement: diff --git a/yml/OSBinaries/Ilasm.yml b/yml/OSBinaries/Ilasm.yml index de74137..bda21ee 100644 --- a/yml/OSBinaries/Ilasm.yml +++ b/yml/OSBinaries/Ilasm.yml @@ -25,6 +25,7 @@ Code_Sample: - Code: Detection: - IOC: Ilasm may not be used often in production environments (such as on endpoints) + - Sigma: https://github.com/SigmaHQ/sigma/blob/bea6f18d350d9c9fdc067f93dde0e9b11cc22dc2/rules/windows/process_creation/proc_creation_win_lolbin_ilasm.yml Resources: - Link: https://github.com/LuxNoBulIshit/BeforeCompileBy-ilasm/blob/master/hello_world.txt Acknowledgement: diff --git a/yml/OSBinaries/Jsc.yml b/yml/OSBinaries/Jsc.yml index 5356363..91b7545 100644 --- a/yml/OSBinaries/Jsc.yml +++ b/yml/OSBinaries/Jsc.yml 
@@ -26,6 +26,7 @@ Full_Path: Code_Sample: - Code: Detection: + - Sigma: https://github.com/SigmaHQ/sigma/blob/35a7244c62820fbc5a832e50b1e224ac3a1935da/rules/windows/process_creation/proc_creation_win_lolbin_jsc.yml - IOC: Jsc.exe should normally not run a system unless it is used for development. Resources: - Link: https://twitter.com/DissectMalware/status/998797808907046913 diff --git a/yml/OSBinaries/OfflineScannerShell.yml b/yml/OSBinaries/OfflineScannerShell.yml index a400cc1..89765d4 100644 --- a/yml/OSBinaries/OfflineScannerShell.yml +++ b/yml/OSBinaries/OfflineScannerShell.yml @@ -14,6 +14,7 @@ Commands: Full_Path: - Path: C:\Program Files\Windows Defender\Offline\OfflineScannerShell.exe Detection: + - Sigma: https://github.com/SigmaHQ/sigma/blob/bea6f18d350d9c9fdc067f93dde0e9b11cc22dc2/rules/windows/process_creation/proc_creation_win_lolbas_offlinescannershell.yml - IOC: OfflineScannerShell.exe should not be run on a normal workstation Acknowledgement: - Person: Elliot Killick diff --git a/yml/OSBinaries/Pktmon.yml b/yml/OSBinaries/Pktmon.yml index 50030de..b64462a 100644 --- a/yml/OSBinaries/Pktmon.yml +++ b/yml/OSBinaries/Pktmon.yml @@ -24,6 +24,7 @@ Full_Path: Code_Sample: - Code: Detection: + - Sigma: https://github.com/SigmaHQ/sigma/blob/35a7244c62820fbc5a832e50b1e224ac3a1935da/rules/windows/process_creation/proc_creation_win_lolbin_pktmon.yml - IOC: .etl files found on system Resources: - Link: https://binar-x79.com/windows-10-secret-sniffer/ diff --git a/yml/OSBinaries/PrintBrm.yml b/yml/OSBinaries/PrintBrm.yml index c39d6ce..39857e5 100644 --- a/yml/OSBinaries/PrintBrm.yml +++ b/yml/OSBinaries/PrintBrm.yml 
@@ -21,6 +21,7 @@ Commands: Full_Path: - Path: C:\Windows\System32\spool\tools\PrintBrm.exe Detection: + - Sigma: https://github.com/SigmaHQ/sigma/blob/35a7244c62820fbc5a832e50b1e224ac3a1935da/rules/windows/process_creation/proc_creation_win_lolbin_printbrm.yml - IOC: PrintBrm.exe should not be run on a normal workstation Resources: - Link: https://twitter.com/elliotkillick/status/1404117015447670800 diff --git a/yml/OSBinaries/Rdrleakdiag.yml b/yml/OSBinaries/Rdrleakdiag.yml new file mode 100644 index 0000000..dedb202 --- /dev/null +++ b/yml/OSBinaries/Rdrleakdiag.yml 
@@ -0,0 +1,44 @@ +--- +Name: rdrleakdiag.exe +Description: Microsoft Windows resource leak diagnostic tool +Author: 'John Dwyer' +Created: 2022-05-18 +Commands: + - Command: rdrleakdiag.exe /p 940 /o c:\evil /fullmemdmp /wait 1 + Description: Dump process by PID and create a dump file (Creates files called minidump_.dmp and results_.hlk). + Usecase: Dump process by PID. + Category: Dump + Privileges: User + MitreID: T1003 + OperatingSystem: Windows + - Command: rdrleakdiag.exe /p 832 /o c:\evil /fullmemdmp /wait 1 + Description: Dump LSASS process by PID and create a dump file (Creates files called minidump_.dmp and results_.hlk). + Usecase: Dump LSASS process. + Category: Dump + Privileges: Administrator + MitreID: T1003.001 + OperatingSystem: Windows + - Command: rdrleakdiag.exe /p 832 /o c:\evil /fullmemdmp /snap + Description: After dumping a process using /wait 1, subsequent dumps must use /snap (Creates files called minidump_.dmp and results_.hlk). + Usecase: Dump LSASS process mutliple times. + Category: Dump + Privileges: Administrator + MitreID: T1003.001 + OperatingSystem: Windows +Full_Path: + - Path: c:\windows\system32\rdrleakdiag.exe + - Path: c:\Windows\SysWOW64\rdrleakdiag.exe +Code_Sample: + - Code: +Detection: + - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_process_dump_rdrleakdiag.yml + - Elastic: https://www.elastic.co/guide/en/security/current/potential-credential-access-via-windows-utilities.html + - Elastic: https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/credential_access_cmdline_dump_tool.toml +Resources: + - Link: https://twitter.com/0gtweet/status/1299071304805560321?s=21 + - Link: https://www.pureid.io/dumping-abusing-windows-credentials-part-1/ + - Link: https://github.com/LOLBAS-Project/LOLBAS/issues/84 +Acknowledgement: + - Person: Grzegorz Tworek + Handle: '@0gtweet' +--- \ No newline at end of file 
diff --git a/yml/OSBinaries/Register-cimprovider.yml b/yml/OSBinaries/Register-cimprovider.yml index 9971e61..4c06ee3 100644 --- a/yml/OSBinaries/Register-cimprovider.yml +++ b/yml/OSBinaries/Register-cimprovider.yml @@ -17,6 +17,7 @@ Full_Path: Code_Sample: - Code: Detection: + - Sigma: https://github.com/SigmaHQ/sigma/blob/35a7244c62820fbc5a832e50b1e224ac3a1935da/rules/windows/process_creation/proc_creation_win_susp_register_cimprovider.yml - IOC: Register-cimprovider.exe execution and cmdline DLL load may be supsicious Resources: - Link: https://twitter.com/PhilipTsukerman/status/992021361106268161 diff --git a/yml/OSBinaries/Replace.yml b/yml/OSBinaries/Replace.yml index 7b1b57d..bceb8d7 100644 --- a/yml/OSBinaries/Replace.yml +++ b/yml/OSBinaries/Replace.yml @@ -25,6 +25,7 @@ Code_Sample: - Code: Detection: - IOC: Replace.exe retrieving files from remote server + - Sigma: https://github.com/SigmaHQ/sigma/blob/bea6f18d350d9c9fdc067f93dde0e9b11cc22dc2/rules/windows/process_creation/proc_creation_win_lolbas_replace.yml Resources: - Link: https://twitter.com/elceef/status/986334113941655553 - Link: https://twitter.com/elceef/status/986842299861782529 diff --git a/yml/OSBinaries/Ttdinject.yml b/yml/OSBinaries/Ttdinject.yml index 19fb508..8a08def 100644 --- a/yml/OSBinaries/Ttdinject.yml +++ b/yml/OSBinaries/Ttdinject.yml 
@@ -24,6 +24,8 @@ Full_Path: Code_Sample: - Code: Detection: + - Sigma: https://github.com/SigmaHQ/sigma/blob/7ea6ed3db65e0bd812b051d9bb4fffd27c4c4d0a/rules/windows/create_remote_thread/create_remote_thread_win_ttdinjec.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/7ea6ed3db65e0bd812b051d9bb4fffd27c4c4d0a/rules/windows/process_creation/proc_creation_win_lolbin_ttdinject.yml - IOC: Parent child relationship. Ttdinject.exe parent for executed command - IOC: Multiple queries made to the IFEO registry key of an untrusted executable (Ex. "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\payload.exe") from the ttdinject.exe process Resources: diff --git a/yml/OSBinaries/Wlrmdr.yml b/yml/OSBinaries/Wlrmdr.yml new file mode 100644 index 0000000..303a5fc --- /dev/null +++ b/yml/OSBinaries/Wlrmdr.yml 
@@ -0,0 +1,33 @@ +--- +Name: Wlrmdr.exe +Description: Windows Logon Reminder executable +Author: Moshe Kaplan +Created: 2022-02-16 +Commands: + - Command: "wlrmdr.exe -s 3600 -f 0 -t _ -m _ -a 11 -u calc.exe" + Description: Execute calc.exe with wlrmdr.exe as parent process + Usecase: Use wlrmdr as a proxy binary to evade defensive countermeasures + Category: Execute + Privileges: User + MitreID: T1202 + OperatingSystem: Windows 10, Windows 11 +Full_Path: + - Path: c:\windows\system32\wlrmdr.exe +Code_Sample: + - Code: +Detection: + - Sigma: https://github.com/SigmaHQ/sigma/blob/35a7244c62820fbc5a832e50b1e224ac3a1935da/rules/windows/process_creation/proc_creation_win_lolbin_wlrmdr.yml + - IOC: wlrmdr.exe spawning any new processes +Resources: + - Link: https://twitter.com/0gtweet/status/1493963591745220608 + - Link: https://twitter.com/Oddvarmoe/status/927437787242090496 + - Link: https://twitter.com/falsneg/status/1461625526640992260 + - Link: https://docs.microsoft.com/en-us/windows/win32/api/shellapi/ns-shellapi-notifyicondataw +Acknowledgement: + - Person: Grzegorz Tworek + Handle: '@0gtweet' + - Person: Oddvar Moe + Handle: '@Oddvarmoe' + - Person: Freddy + Handle: '@falsneg' +--- diff --git a/yml/OSBinaries/Wuauclt.yml b/yml/OSBinaries/Wuauclt.yml index 3e5df11..c5608aa 100644 --- a/yml/OSBinaries/Wuauclt.yml +++ b/yml/OSBinaries/Wuauclt.yml @@ -4,12 +4,12 @@ Description: Windows Update Client Author: 'David Middlehurst' Created: 2020-09-23 Commands: - - Command: wuauclt.exe /UpdateDeploymentProvider /RunHandlerComServer + - Command: wuauclt.exe /UpdateDeploymentProvider Full_Path_To_DLL /RunHandlerComServer Description: Full_Path_To_DLL would be the abosolute path to .DLL file and would execute code on attach. Usecase: Execute dll via attach/detach methods Category: Execute Privileges: User - MitreID: T1218.011 + MitreID: T1218 OperatingSystem: Windows 10 Full_Path: - Path: C:\Windows\System32\wuauclt.exe 
diff --git a/yml/OSLibraries/Desk.yml b/yml/OSLibraries/Desk.yml new file mode 100644 index 0000000..532c0e7 --- /dev/null +++ b/yml/OSLibraries/Desk.yml 
@@ -0,0 +1,44 @@ +--- +Name: Desk.cpl +Description: Desktop Settings Control Panel +Author: Hai Vaknin +Created: 2022-04-21 +Commands: + - Command: rundll32.exe desk.cpl,InstallScreenSaver C:\temp\file.scr + Description: Launch an executable with a .scr extension by calling the InstallScreenSaver function. + Usecase: Launch any executable payload, as long as it uses the .scr extension. + Category: Execute + Privileges: User + MitreID: T1218.011 + OperatingSystem: Windows 10, Windows 11 + - Command: rundll32.exe desk.cpl,InstallScreenSaver \\127.0.0.1\c$\temp\file.scr + Description: Launch a remote executable with a .scr extension, located on an SMB share, by calling the InstallScreenSaver function. + Usecase: Launch any executable payload, as long as it uses the .scr extension. + Category: Execute + Privileges: User + MitreID: T1218.011 + OperatingSystem: Windows 10, Windows 11 +Full_Path: + - Path: C:\Windows\System32\desk.cpl + - Path: C:\Windows\SysWOW64\desk.cpl +Detection: + - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file_event/file_event_win_new_src_file.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_installscreensaver.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml +Resources: + - Link: https://vxug.fakedoma.in/zines/29a/29a7/Articles/29A-7.030.txt + - Link: https://twitter.com/pabraeken/status/998627081360695297 + - Link: https://twitter.com/VakninHai/status/1517027824984547329 + - Link: https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files +Acknowledgement: + - Person: Rafael S Marques + Handle: '@pegabizu' + - Person: Pierre-Alexandre Braeken + Handle: '@pabraeken' + - Person: hai + Handle: '@VakninHai' + - Person: Christopher Peacock + Handle: '@SecurePeacock' + - Person: Jose Luis Sanchez + Handle: '@Joseliyo_Jstnk' +--- 
diff --git a/yml/OSLibraries/Ieframe.yml b/yml/OSLibraries/Ieframe.yml index c299470..78e91c2 100644 --- a/yml/OSLibraries/Ieframe.yml +++ b/yml/OSLibraries/Ieframe.yml @@ -1,5 +1,5 @@ --- -Name: Ieaframe.dll +Name: Ieframe.dll Description: Internet Browser DLL for translating HTML code. Author: Created: 2018-05-25 diff --git a/yml/OtherMSBinaries/AccCheckConsole.yml b/yml/OtherMSBinaries/AccCheckConsole.yml new file mode 100644 index 0000000..6c21705 --- /dev/null +++ b/yml/OtherMSBinaries/AccCheckConsole.yml 
@@ -0,0 +1,37 @@ +--- +Name: AccCheckConsole.exe +Description: Verifies UI accessibility requirements +Author: 'bohops' +Created: 2022-01-02 +Commands: + - Command: AccCheckConsole.exe -window "Untitled - Notepad" C:\path\to\your\lolbas.dll + Description: Load a managed DLL in the context of AccCheckConsole.exe. The -window switch value can be set to an arbitrary active window name. + Usecase: Local execution of managed code from assembly DLL. + Category: Execute + Privileges: User + MitreID: T1218 + OperatingSystem: Windows + - Command: AccCheckConsole.exe -window "Untitled - Notepad" C:\path\to\your\lolbas.dll + Description: Load a managed DLL in the context of AccCheckConsole.exe. The -window switch value can be set to an arbitrary active window name. + Usecase: Local execution of managed code to bypass AppLocker. + Category: AWL Bypass + Privileges: User + MitreID: T1218 + OperatingSystem: Windows +Full_Path: + - Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x86\AccChecker\AccCheckConsole.exe + - Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x64\AccChecker\AccCheckConsole.exe + - Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\arm\AccChecker\AccCheckConsole.exe + - Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\arm64\AccChecker\AccCheckConsole.exe +Code_Sample: + - Code: https://docs.microsoft.com/en-us/windows/win32/winauto/custom-verification-routines +Detection: + - IOC: Sysmon Event ID 1 - Process Creation + - Analysis: https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340 +Resources: + - Link: https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340 + - Link: https://twitter.com/bohops/status/1477717351017680899 +Acknowledgement: + - Person: Jimmy + Handle: '@bohops' +--- diff --git a/yml/OtherMSBinaries/Coregen.yml b/yml/OtherMSBinaries/Coregen.yml index 641b1da..7026e44 100644 --- a/yml/OtherMSBinaries/Coregen.yml +++ b/yml/OtherMSBinaries/Coregen.yml 
@@ -4,7 +4,7 @@ Description: Binary coregen.exe (Microsoft CoreCLR Native Image Generator) loads Author: Martin Sohn Christensen Created: 2020-10-09 Commands: - - Command: coregon.exe.exe /L C:\folder\evil.dll dummy_assembly_name + - Command: coregen.exe /L C:\folder\evil.dll dummy_assembly_name Description: Loads the target .DLL in arbitrary path specified with /L. Usecase: Execute DLL code Category: Execute diff --git a/yml/OtherMSBinaries/Dump64.yml b/yml/OtherMSBinaries/Dump64.yml new file mode 100644 index 0000000..4adb7c9 --- /dev/null +++ b/yml/OtherMSBinaries/Dump64.yml @@ -0,0 +1,24 @@ +--- +Name: Dump64.exe +Description: Memory dump tool that comes with Microsoft Visual Studio +Author: mr.d0x +Created: 2021-11-16 +Commands: + - Command: dump64.exe out.dmp + Description: Creates a memory dump of the LSASS process. + Usecase: Create memory dump and parse it offline to retrieve credentials. + Category: Dump + Privileges: Administrator + MitreID: T1003.001 + OperatingSystem: Windows 10, Windows 11 +Full_Path: + - Path: C:\Program Files (x86)\Microsoft Visual Studio\Installer\Feedback\dump64.exe +Detection: + - Sigma: https://github.com/SigmaHQ/sigma/blob/138b06628380468fb8a41fc27770e1630cb64326/rules/windows/process_creation/process_creation_win_lolbas_dump64.yml + - IOC: As a Windows SDK binary, execution on a system may be suspicious +Resources: + - Link: https://twitter.com/mrd0x/status/1460597833917251595 +Acknowledgement: + - Person: mr.d0x + Handle: '@mrd0x' +--- diff --git a/yml/OtherMSBinaries/Sqlps.yml b/yml/OtherMSBinaries/Sqlps.yml index 89d4fbe..235cbf4 100644 --- a/yml/OtherMSBinaries/Sqlps.yml +++ b/yml/OtherMSBinaries/Sqlps.yml 
@@ -16,6 +16,7 @@ Full_Path: - Path: C:\Program files (x86)\Microsoft SQL Server\110\Tools\Binn\sqlps.exe - Path: C:\Program files (x86)\Microsoft SQL Server\120\Tools\Binn\sqlps.exe - Path: C:\Program files (x86)\Microsoft SQL Server\130\Tools\Binn\sqlps.exe + - Path: C:\Program Files (x86)\Microsoft SQL Server\150\Tools\Binn\SQLPS.exe Code_Sample: - Code: Detection: @@ -24,9 +25,12 @@ Detection: - Elastic: https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/execution_suspicious_powershell_imgload.toml - Splunk: https://github.com/splunk/security_content/blob/aa9f7e0d13a61626c69367290ed1b7b71d1281fd/docs/_posts/2021-10-05-suspicious_copy_on_system32.md Resources: + - Link: https://twitter.com/ManuelBerrueta/status/1527289261350760455 - Link: https://twitter.com/bryon_/status/975835709587075072 - Link: https://docs.microsoft.com/en-us/sql/powershell/sql-server-powershell?view=sql-server-2017 Acknowledgement: - Person: Bryon Handle: '@bryon_' + - Person: Manny + Handle: '@ManuelBerrueta' ---
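Review bot: Conhost.yml, Desk.yml and Dump64.yml omit the Code_Sample block, while the other new files in this patch (Rdrleakdiag.yml, Wlrmdr.yml) and the existing entries carry an empty `Code_Sample: - Code:`; pick one convention for new entries so the template stays uniform across yml/OSBinaries, yml/OSLibraries and yml/OtherMSBinaries.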
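Review bot: the Rdrleakdiag.yml hunk has a typo in the third command's Usecase ("Dump LSASS process mutliple times" should read "multiple"), and its Sigma link points at `blob/master` rather than a pinned commit like every other Sigma link in this patch, so the reference will silently change or break when the rule is renamed. The file also ends without a trailing newline (`\ No newline at end of file`); the other new files end with `---` followed by a newline, so add one for consistency.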
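Review bot: the Wuauclt.yml hunk changes MitreID from T1218.011 (the Rundll32 sub-technique) to T1218, which fits since wuauclt.exe is not rundll32, but the unchanged Description line directly below the edited Command still reads "abosolute path"; since that block is being touched anyway, fix the spelling to "absolute" in the same change.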
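Review bot: all three Sigma links in Desk.yml reference `blob/master` instead of a commit hash, unlike the Sigma links added for Gpscript, Jsc, Pktmon and the rest of this patch; pin them to a commit so the Detection references stay stable across rule renames.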
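Review bot: Dump64.yml describes the binary as a "Memory dump tool that comes with Microsoft Visual Studio" and lists it under `C:\Program Files (x86)\Microsoft Visual Studio\Installer\Feedback\dump64.exe`, but the IOC line says "As a Windows SDK binary, execution on a system may be suspicious"; reconcile the two, for example "As a Visual Studio Installer binary, execution on a system without Visual Studio may be suspicious".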
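Review bot: in AccCheckConsole.yml the Detection entry "IOC: Sysmon Event ID 1 - Process Creation" names a log source rather than an indicator; given the Command line, a usable IOC would be AccCheckConsole.exe launched with a `-window` argument and a DLL path outside the Windows Kits directory. The four Full_Path entries are also bound to SDK build `10.0.22000.0`, so note that the version directory varies with the installed Windows Kit, and the Analysis link under Detection duplicates the first Resources link.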
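Review bot: the Sigma lines added to existing Detection blocks are placed inconsistently, before the IOC lines in Gpscript, Jsc, OfflineScannerShell, Pktmon, PrintBrm and Register-cimprovider but after them in Ie4uinit, Ilasm and Replace; settle on one order. Two adjacent context lines carry typos worth fixing while these blocks are touched: "supsicious" in Register-cimprovider.yml and "should normally not run a system" (missing "on") in Jsc.yml.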
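Review bot: the first Sigma link in Ttdinject.yml ends in `create_remote_thread_win_ttdinjec.yml`, which looks truncated next to the binary name ttdinject; confirm the pinned URL resolves before merge, since a typo here leaves the Detection block pointing at a 404.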
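Review bot: the new Full_Path entry in Sqlps.yml uses `Program Files (x86)` and `SQLPS.exe` where the three existing entries use `Program files (x86)` and `sqlps.exe`; the path is case-insensitive on Windows, but matching the existing casing keeps the list uniform and avoids spurious differences for tooling that compares these entries.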