Merge branch 'master' into windows_11_sprint

Wietze 2022-05-24 08:38:50 +01:00 committed by GitHub
commit 7797a1967c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
21 changed files with 229 additions and 4 deletions

@ -0,0 +1,27 @@
---
Name: Conhost.exe
Description: Console Window host
Author: Wietze Beukema
Created: 2022-04-05
Commands:
- Command: "conhost.exe calc.exe"
Description: Execute calc.exe with conhost.exe as parent process
Usecase: Use conhost.exe as a proxy binary to evade defensive counter-measures
Category: Execute
Privileges: User
MitreID: T1202
OperatingSystem: Windows 10, Windows 11
Full_Path:
- Path: c:\windows\system32\conhost.exe
Detection:
- IOC: conhost.exe spawning unexpected processes
- Sigma: https://github.com/SigmaHQ/sigma/blob/bea6f18d350d9c9fdc067f93dde0e9b11cc22dc2/rules/windows/process_creation/proc_creation_win_susp_conhost.yml
Resources:
- Link: https://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/
- Link: https://twitter.com/Wietze/status/1511397781159751680
Acknowledgement:
- Person: Adam
Handle: '@hexacorn'
- Person: Wietze
Handle: '@wietze'
---
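Review bot: the new Conhost.exe entry omits the `Code_Sample:` / `- Code:` block that the other new entries in this merge (rdrleakdiag.exe, Wlrmdr.exe) carry even when empty; add it so the file matches the rest of the collection. The Sigma link is pinned to commit bea6f18d, which is the form the rest of this merge should follow. Minor: `counter-measures` here vs `countermeasures` in Wlrmdr.yml; pick one spelling.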

@ -24,6 +24,7 @@ Full_Path:
Code_Sample: Code_Sample:
- Code: - Code:
Detection: Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/35a7244c62820fbc5a832e50b1e224ac3a1935da/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml
- IOC: Scripts added in local group policy - IOC: Scripts added in local group policy
- IOC: Execution of Gpscript.exe after logon - IOC: Execution of Gpscript.exe after logon
Resources: Resources:
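Review bot: the Sigma line is inserted ahead of the existing IOC lines here (and in the Jsc, OfflineScannerShell, Pktmon and PrintBrm hunks), while the Ie4uinit, Ilasm and Replace hunks append it after the IOCs. The rendered site does not care, but one ordering across files keeps future diffs readable.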

@ -14,6 +14,7 @@ Commands:
Full_Path: Full_Path:
- Path: C:\Windows\System32\IME\SHARED\IMEWDBLD.exe - Path: C:\Windows\System32\IME\SHARED\IMEWDBLD.exe
Detection: Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/bea6f18d350d9c9fdc067f93dde0e9b11cc22dc2/rules/windows/network_connection/net_connection_win_imewdbld.yml
Resources: Resources:
- Link: https://twitter.com/notwhickey/status/1367493406835040265 - Link: https://twitter.com/notwhickey/status/1367493406835040265
Acknowledgement: Acknowledgement:
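Review bot: the referenced rule lives under `rules/windows/network_connection/`, so unlike the process_creation rules added elsewhere in this merge it depends on network-connection telemetry (for example Sysmon Event ID 3) being collected; consider an IOC line stating that, so readers without that log source know the Sigma rule alone will not cover them.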

@ -21,6 +21,7 @@ Code_Sample:
Detection: Detection:
- IOC: ie4uinit.exe copied outside of %windir% - IOC: ie4uinit.exe copied outside of %windir%
- IOC: ie4uinit.exe loading an inf file (ieuinit.inf) from outside %windir% - IOC: ie4uinit.exe loading an inf file (ieuinit.inf) from outside %windir%
- Sigma: https://github.com/SigmaHQ/sigma/blob/bea6f18d350d9c9fdc067f93dde0e9b11cc22dc2/rules/windows/process_creation/proc_creation_win_lolbin_ie4uinit.yml
Resources: Resources:
- Link: https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/ - Link: https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/
Acknowledgement: Acknowledgement:

@ -25,6 +25,7 @@ Code_Sample:
- Code: - Code:
Detection: Detection:
- IOC: Ilasm may not be used often in production environments (such as on endpoints) - IOC: Ilasm may not be used often in production environments (such as on endpoints)
- Sigma: https://github.com/SigmaHQ/sigma/blob/bea6f18d350d9c9fdc067f93dde0e9b11cc22dc2/rules/windows/process_creation/proc_creation_win_lolbin_ilasm.yml
Resources: Resources:
- Link: https://github.com/LuxNoBulIshit/BeforeCompileBy-ilasm/blob/master/hello_world.txt - Link: https://github.com/LuxNoBulIshit/BeforeCompileBy-ilasm/blob/master/hello_world.txt
Acknowledgement: Acknowledgement:

@ -26,6 +26,7 @@ Full_Path:
Code_Sample: Code_Sample:
- Code: - Code:
Detection: Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/35a7244c62820fbc5a832e50b1e224ac3a1935da/rules/windows/process_creation/proc_creation_win_lolbin_jsc.yml
- IOC: Jsc.exe should normally not run a system unless it is used for development. - IOC: Jsc.exe should normally not run a system unless it is used for development.
Resources: Resources:
- Link: https://twitter.com/DissectMalware/status/998797808907046913 - Link: https://twitter.com/DissectMalware/status/998797808907046913
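Review bot: the adjacent unchanged IOC line reads "should normally not run a system"; since Detection is being touched anyway, fix it to "should normally not run on a system".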

@ -14,6 +14,7 @@ Commands:
Full_Path: Full_Path:
- Path: C:\Program Files\Windows Defender\Offline\OfflineScannerShell.exe - Path: C:\Program Files\Windows Defender\Offline\OfflineScannerShell.exe
Detection: Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/bea6f18d350d9c9fdc067f93dde0e9b11cc22dc2/rules/windows/process_creation/proc_creation_win_lolbas_offlinescannershell.yml
- IOC: OfflineScannerShell.exe should not be run on a normal workstation - IOC: OfflineScannerShell.exe should not be run on a normal workstation
Acknowledgement: Acknowledgement:
- Person: Elliot Killick - Person: Elliot Killick

@ -24,6 +24,7 @@ Full_Path:
Code_Sample: Code_Sample:
- Code: - Code:
Detection: Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/35a7244c62820fbc5a832e50b1e224ac3a1935da/rules/windows/process_creation/proc_creation_win_lolbin_pktmon.yml
- IOC: .etl files found on system - IOC: .etl files found on system
Resources: Resources:
- Link: https://binar-x79.com/windows-10-secret-sniffer/ - Link: https://binar-x79.com/windows-10-secret-sniffer/

@ -21,6 +21,7 @@ Commands:
Full_Path: Full_Path:
- Path: C:\Windows\System32\spool\tools\PrintBrm.exe - Path: C:\Windows\System32\spool\tools\PrintBrm.exe
Detection: Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/35a7244c62820fbc5a832e50b1e224ac3a1935da/rules/windows/process_creation/proc_creation_win_lolbin_printbrm.yml
- IOC: PrintBrm.exe should not be run on a normal workstation - IOC: PrintBrm.exe should not be run on a normal workstation
Resources: Resources:
- Link: https://twitter.com/elliotkillick/status/1404117015447670800 - Link: https://twitter.com/elliotkillick/status/1404117015447670800

@ -0,0 +1,44 @@
---
Name: rdrleakdiag.exe
Description: Microsoft Windows resource leak diagnostic tool
Author: 'John Dwyer'
Created: 2022-05-18
Commands:
- Command: rdrleakdiag.exe /p 940 /o c:\evil /fullmemdmp /wait 1
Description: Dump process by PID and create a dump file (Creates files called minidump_<PID>.dmp and results_<PID>.hlk).
Usecase: Dump process by PID.
Category: Dump
Privileges: User
MitreID: T1003
OperatingSystem: Windows
- Command: rdrleakdiag.exe /p 832 /o c:\evil /fullmemdmp /wait 1
Description: Dump LSASS process by PID and create a dump file (Creates files called minidump_<PID>.dmp and results_<PID>.hlk).
Usecase: Dump LSASS process.
Category: Dump
Privileges: Administrator
MitreID: T1003.001
OperatingSystem: Windows
- Command: rdrleakdiag.exe /p 832 /o c:\evil /fullmemdmp /snap
Description: After dumping a process using /wait 1, subsequent dumps must use /snap (Creates files called minidump_<PID>.dmp and results_<PID>.hlk).
Usecase: Dump LSASS process mutliple times.
Category: Dump
Privileges: Administrator
MitreID: T1003.001
OperatingSystem: Windows
Full_Path:
- Path: c:\windows\system32\rdrleakdiag.exe
- Path: c:\Windows\SysWOW64\rdrleakdiag.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_process_dump_rdrleakdiag.yml
- Elastic: https://www.elastic.co/guide/en/security/current/potential-credential-access-via-windows-utilities.html
- Elastic: https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/credential_access_cmdline_dump_tool.toml
Resources:
- Link: https://twitter.com/0gtweet/status/1299071304805560321?s=21
- Link: https://www.pureid.io/dumping-abusing-windows-credentials-part-1/
- Link: https://github.com/LOLBAS-Project/LOLBAS/issues/84
Acknowledgement:
- Person: Grzegorz Tworek
Handle: '@0gtweet'
---
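Review bot: the Sigma link points at `blob/master` and the first Elastic link at the `current` docs, so both will drift as the upstream repositories change; every other Sigma link in this merge is pinned to a commit, and the second Elastic link already is (5bdf70e7). Pin these two as well. Also: `mutliple` in the third Usecase should be `multiple`, and the hard-coded PIDs 940 and 832 are example values while the Description says "by PID"; a clearly marked placeholder would avoid readers treating 832 as a fixed LSASS PID.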

@ -17,6 +17,7 @@ Full_Path:
Code_Sample: Code_Sample:
- Code: - Code:
Detection: Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/35a7244c62820fbc5a832e50b1e224ac3a1935da/rules/windows/process_creation/proc_creation_win_susp_register_cimprovider.yml
- IOC: Register-cimprovider.exe execution and cmdline DLL load may be supsicious - IOC: Register-cimprovider.exe execution and cmdline DLL load may be supsicious
Resources: Resources:
- Link: https://twitter.com/PhilipTsukerman/status/992021361106268161 - Link: https://twitter.com/PhilipTsukerman/status/992021361106268161
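Review bot: the unchanged IOC line next to the added Sigma entry has `supsicious` for `suspicious`; worth fixing in the same hunk.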

@ -25,6 +25,7 @@ Code_Sample:
- Code: - Code:
Detection: Detection:
- IOC: Replace.exe retrieving files from remote server - IOC: Replace.exe retrieving files from remote server
- Sigma: https://github.com/SigmaHQ/sigma/blob/bea6f18d350d9c9fdc067f93dde0e9b11cc22dc2/rules/windows/process_creation/proc_creation_win_lolbas_replace.yml
Resources: Resources:
- Link: https://twitter.com/elceef/status/986334113941655553 - Link: https://twitter.com/elceef/status/986334113941655553
- Link: https://twitter.com/elceef/status/986842299861782529 - Link: https://twitter.com/elceef/status/986842299861782529

@ -24,6 +24,8 @@ Full_Path:
Code_Sample: Code_Sample:
- Code: - Code:
Detection: Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/7ea6ed3db65e0bd812b051d9bb4fffd27c4c4d0a/rules/windows/create_remote_thread/create_remote_thread_win_ttdinjec.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/7ea6ed3db65e0bd812b051d9bb4fffd27c4c4d0a/rules/windows/process_creation/proc_creation_win_lolbin_ttdinject.yml
- IOC: Parent child relationship. Ttdinject.exe parent for executed command - IOC: Parent child relationship. Ttdinject.exe parent for executed command
- IOC: Multiple queries made to the IFEO registry key of an untrusted executable (Ex. "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\payload.exe") from the ttdinject.exe process - IOC: Multiple queries made to the IFEO registry key of an untrusted executable (Ex. "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\payload.exe") from the ttdinject.exe process
Resources: Resources:
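Review bot: the first Sigma filename ends in `ttdinjec.yml` while the second ends in `ttdinject.yml`; confirm the first URL resolves at commit 7ea6ed3d before merging rather than assuming it is a typo here, since it may reflect the upstream filename.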

yml/OSBinaries/Wlrmdr.yml (new file, 33 additions)

@ -0,0 +1,33 @@
---
Name: Wlrmdr.exe
Description: Windows Logon Reminder executable
Author: Moshe Kaplan
Created: 2022-02-16
Commands:
- Command: "wlrmdr.exe -s 3600 -f 0 -t _ -m _ -a 11 -u calc.exe"
Description: Execute calc.exe with wlrmdr.exe as parent process
Usecase: Use wlrmdr as a proxy binary to evade defensive countermeasures
Category: Execute
Privileges: User
MitreID: T1202
OperatingSystem: Windows 10, Windows 11
Full_Path:
- Path: c:\windows\system32\wlrmdr.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/35a7244c62820fbc5a832e50b1e224ac3a1935da/rules/windows/process_creation/proc_creation_win_lolbin_wlrmdr.yml
- IOC: wlrmdr.exe spawning any new processes
Resources:
- Link: https://twitter.com/0gtweet/status/1493963591745220608
- Link: https://twitter.com/Oddvarmoe/status/927437787242090496
- Link: https://twitter.com/falsneg/status/1461625526640992260
- Link: https://docs.microsoft.com/en-us/windows/win32/api/shellapi/ns-shellapi-notifyicondataw
Acknowledgement:
- Person: Grzegorz Tworek
Handle: '@0gtweet'
- Person: Oddvar Moe
Handle: '@Oddvarmoe'
- Person: Freddy
Handle: '@falsneg'
---

@ -4,12 +4,12 @@ Description: Windows Update Client
Author: 'David Middlehurst' Author: 'David Middlehurst'
Created: 2020-09-23 Created: 2020-09-23
Commands: Commands:
- Command: wuauclt.exe /UpdateDeploymentProvider <Full_Path_To_DLL> /RunHandlerComServer - Command: wuauclt.exe /UpdateDeploymentProvider Full_Path_To_DLL /RunHandlerComServer
Description: Full_Path_To_DLL would be the abosolute path to .DLL file and would execute code on attach. Description: Full_Path_To_DLL would be the abosolute path to .DLL file and would execute code on attach.
Usecase: Execute dll via attach/detach methods Usecase: Execute dll via attach/detach methods
Category: Execute Category: Execute
Privileges: User Privileges: User
MitreID: T1218.011 MitreID: T1218
OperatingSystem: Windows 10 OperatingSystem: Windows 10
Full_Path: Full_Path:
- Path: C:\Windows\System32\wuauclt.exe - Path: C:\Windows\System32\wuauclt.exe
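Review bot: the MitreID change from T1218.011 to T1218 is right, since .011 is the Rundll32 sub-technique and wuauclt.exe is not rundll32. Dropping the angle brackets from `<Full_Path_To_DLL>` is presumably a rendering fix, but Dump64.yml added in this same merge still uses `<pid>`, so the placeholder convention is now inconsistent across the commit. The unchanged Description line also has `abosolute` for `absolute`.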

yml/OSLibraries/Desk.yml (new file, 44 additions)

@ -0,0 +1,44 @@
---
Name: Desk.cpl
Description: Desktop Settings Control Panel
Author: Hai Vaknin
Created: 2022-04-21
Commands:
- Command: rundll32.exe desk.cpl,InstallScreenSaver C:\temp\file.scr
Description: Launch an executable with a .scr extension by calling the InstallScreenSaver function.
Usecase: Launch any executable payload, as long as it uses the .scr extension.
Category: Execute
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows 10, Windows 11
- Command: rundll32.exe desk.cpl,InstallScreenSaver \\127.0.0.1\c$\temp\file.scr
Description: Launch a remote executable with a .scr extension, located on an SMB share, by calling the InstallScreenSaver function.
Usecase: Launch any executable payload, as long as it uses the .scr extension.
Category: Execute
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\System32\desk.cpl
- Path: C:\Windows\SysWOW64\desk.cpl
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file_event/file_event_win_new_src_file.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_installscreensaver.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml
Resources:
- Link: https://vxug.fakedoma.in/zines/29a/29a7/Articles/29A-7.030.txt
- Link: https://twitter.com/pabraeken/status/998627081360695297
- Link: https://twitter.com/VakninHai/status/1517027824984547329
- Link: https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files
Acknowledgement:
- Person: Rafael S Marques
Handle: '@pegabizu'
- Person: Pierre-Alexandre Braeken
Handle: '@pabraeken'
- Person: hai
Handle: '@VakninHai'
- Person: Christopher Peacock
Handle: '@SecurePeacock'
- Person: Jose Luis Sanchez
Handle: '@Joseliyo_Jstnk'
---
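Review bot: all three Sigma links use `blob/master`; pin them to a commit hash as the other hunks in this merge do, so the detection references keep resolving after upstream renames. The entry also lacks the `Code_Sample:` / `- Code:` block present in the other new files.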

@ -1,5 +1,5 @@
--- ---
Name: Ieaframe.dll Name: Ieframe.dll
Description: Internet Browser DLL for translating HTML code. Description: Internet Browser DLL for translating HTML code.
Author: Author:
Created: 2018-05-25 Created: 2018-05-25
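Review bot: the file path is not shown in this view; confirm the yml filename and any index or cross-reference entries were also updated to the corrected `Ieframe.dll` spelling, otherwise the Name field and the file will disagree.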

@ -0,0 +1,37 @@
---
Name: AccCheckConsole.exe
Description: Verifies UI accessibility requirements
Author: 'bohops'
Created: 2022-01-02
Commands:
- Command: AccCheckConsole.exe -window "Untitled - Notepad" C:\path\to\your\lolbas.dll
Description: Load a managed DLL in the context of AccCheckConsole.exe. The -window switch value can be set to an arbitrary active window name.
Usecase: Local execution of managed code from assembly DLL.
Category: Execute
Privileges: User
MitreID: T1218
OperatingSystem: Windows
- Command: AccCheckConsole.exe -window "Untitled - Notepad" C:\path\to\your\lolbas.dll
Description: Load a managed DLL in the context of AccCheckConsole.exe. The -window switch value can be set to an arbitrary active window name.
Usecase: Local execution of managed code to bypass AppLocker.
Category: AWL Bypass
Privileges: User
MitreID: T1218
OperatingSystem: Windows
Full_Path:
- Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x86\AccChecker\AccCheckConsole.exe
- Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x64\AccChecker\AccCheckConsole.exe
- Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\arm\AccChecker\AccCheckConsole.exe
- Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\arm64\AccChecker\AccCheckConsole.exe
Code_Sample:
- Code: https://docs.microsoft.com/en-us/windows/win32/winauto/custom-verification-routines
Detection:
- IOC: Sysmon Event ID 1 - Process Creation
- Analysis: https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340
Resources:
- Link: https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340
- Link: https://twitter.com/bohops/status/1477717351017680899
Acknowledgement:
- Person: Jimmy
Handle: '@bohops'
---
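Review bot: the IOC line `Sysmon Event ID 1 - Process Creation` names a log source, not an indicator; state what a defender should look for in that event, such as AccCheckConsole.exe running from somewhere other than the listed Windows Kits paths or with a command line that references a DLL outside a development directory. Confirm the schema accepts an `Analysis:` key under Detection, as the other entries in this merge use only Sigma, Elastic, Splunk and IOC. The Full_Path entries are tied to SDK build 10.0.22000.0; that segment changes with the installed SDK version, which is worth a note.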

@ -4,7 +4,7 @@ Description: Binary coregen.exe (Microsoft CoreCLR Native Image Generator) loads
Author: Martin Sohn Christensen Author: Martin Sohn Christensen
Created: 2020-10-09 Created: 2020-10-09
Commands: Commands:
- Command: coregon.exe.exe /L C:\folder\evil.dll dummy_assembly_name - Command: coregen.exe /L C:\folder\evil.dll dummy_assembly_name
Description: Loads the target .DLL in arbitrary path specified with /L. Description: Loads the target .DLL in arbitrary path specified with /L.
Usecase: Execute DLL code Usecase: Execute DLL code
Category: Execute Category: Execute

@ -0,0 +1,24 @@
---
Name: Dump64.exe
Description: Memory dump tool that comes with Microsoft Visual Studio
Author: mr.d0x
Created: 2021-11-16
Commands:
- Command: dump64.exe <pid> out.dmp
Description: Creates a memory dump of the LSASS process.
Usecase: Create memory dump and parse it offline to retrieve credentials.
Category: Dump
Privileges: Administrator
MitreID: T1003.001
OperatingSystem: Windows 10, Windows 11
Full_Path:
- Path: C:\Program Files (x86)\Microsoft Visual Studio\Installer\Feedback\dump64.exe
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/138b06628380468fb8a41fc27770e1630cb64326/rules/windows/process_creation/process_creation_win_lolbas_dump64.yml
- IOC: As a Windows SDK binary, execution on a system may be suspicious
Resources:
- Link: https://twitter.com/mrd0x/status/1460597833917251595
Acknowledgement:
- Person: mr.d0x
Handle: '@mrd0x'
---
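Review bot: the IOC line says "As a Windows SDK binary" while the Description and Full_Path place dump64.exe under the Visual Studio Installer; align the wording so the indicator matches the stated origin. As noted on the Wuauclt hunk, `<pid>` here uses the angle-bracket placeholder style that the same merge removes elsewhere.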

@ -16,6 +16,7 @@ Full_Path:
- Path: C:\Program files (x86)\Microsoft SQL Server\110\Tools\Binn\sqlps.exe - Path: C:\Program files (x86)\Microsoft SQL Server\110\Tools\Binn\sqlps.exe
- Path: C:\Program files (x86)\Microsoft SQL Server\120\Tools\Binn\sqlps.exe - Path: C:\Program files (x86)\Microsoft SQL Server\120\Tools\Binn\sqlps.exe
- Path: C:\Program files (x86)\Microsoft SQL Server\130\Tools\Binn\sqlps.exe - Path: C:\Program files (x86)\Microsoft SQL Server\130\Tools\Binn\sqlps.exe
- Path: C:\Program Files (x86)\Microsoft SQL Server\150\Tools\Binn\SQLPS.exe
Code_Sample: Code_Sample:
- Code: - Code:
Detection: Detection:
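Review bot: the added path uses `Program Files` and `SQLPS.exe` while the three existing lines use `Program files` and `sqlps.exe`; NTFS is case-insensitive so nothing breaks, but keep the casing uniform within the list.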
@ -24,9 +25,12 @@ Detection:
- Elastic: https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/execution_suspicious_powershell_imgload.toml - Elastic: https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/execution_suspicious_powershell_imgload.toml
- Splunk: https://github.com/splunk/security_content/blob/aa9f7e0d13a61626c69367290ed1b7b71d1281fd/docs/_posts/2021-10-05-suspicious_copy_on_system32.md - Splunk: https://github.com/splunk/security_content/blob/aa9f7e0d13a61626c69367290ed1b7b71d1281fd/docs/_posts/2021-10-05-suspicious_copy_on_system32.md
Resources: Resources:
- Link: https://twitter.com/ManuelBerrueta/status/1527289261350760455
- Link: https://twitter.com/bryon_/status/975835709587075072 - Link: https://twitter.com/bryon_/status/975835709587075072
- Link: https://docs.microsoft.com/en-us/sql/powershell/sql-server-powershell?view=sql-server-2017 - Link: https://docs.microsoft.com/en-us/sql/powershell/sql-server-powershell?view=sql-server-2017
Acknowledgement: Acknowledgement:
- Person: Bryon - Person: Bryon
Handle: '@bryon_' Handle: '@bryon_'
- Person: Manny
Handle: '@ManuelBerrueta'
--- ---