diff --git a/YML-Template.yml b/YML-Template.yml
index 7520901..ae2618f 100644
--- a/YML-Template.yml
+++ b/YML-Template.yml
@@ -7,7 +7,7 @@ Commands:
 - Command: The command
 Description: Description of the command
 Usecase: A description of the usecase
- Category: Execution
+ Category: Execute
 Privileges: Required privs
 MitreID: T1055
 MitreLink: https://attack.mitre.org/wiki/Technique/T1055
@@ -15,15 +15,15 @@ Commands:
 - Command: The second command
 Description: Description of the second command
 Usecase: A description of the usecase
- Category: AWL-Bypass
+ Category: AWL Bypass
 Privileges: Required privs
 MitreID: T1033
 MitreLink: https://attack.mitre.org/wiki/Technique/T1033
 OperatingSystem: Windows 10 All
-Full Path:
+Full_Path:
 - Path: c:\windows\system32\bin.exe
 - Path: c:\windows\syswow64\bin.exe
-Code Sample:
+Code_Sample:
 - Code: http://url.com/git.txt
 Detection:
 - IOC: Event ID 10
diff --git a/yml/LOLUtilz/OSBinaries/Explorer.yml b/yml/LOLUtilz/OSBinaries/Explorer.yml
index ac7879b..99a6348 100644
--- a/yml/LOLUtilz/OSBinaries/Explorer.yml
+++ b/yml/LOLUtilz/OSBinaries/Explorer.yml
@@ -7,10 +7,10 @@ Categories: []
 Commands:
 - Command: explorer.exe calc.exe
 Description: 'Executes calc.exe as a subprocess of explorer.exe.'
-Full Path:
+Full_Path:
 - c:\windows\explorer.exe
 - c:\windows\sysWOW64\explorer.exe
-Code Sample: []
+Code_Sample: []
 Detection: []
 Resources:
 - https://twitter.com/bohops/status/986984122563391488
diff --git a/yml/LOLUtilz/OSBinaries/Netsh.yml b/yml/LOLUtilz/OSBinaries/Netsh.yml
index 8866ef8..d7dd77f 100644
--- a/yml/LOLUtilz/OSBinaries/Netsh.yml
+++ b/yml/LOLUtilz/OSBinaries/Netsh.yml
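Review bot: The renamed `Full_Path` / `Code_Sample` keys keep two incompatible value shapes: YML-Template.yml carries lists of `- Path:` / `- Code:` mappings, while Explorer.yml (and the LOLUtilz hunks on the following lines, Netsh through VBoxDrvInst) carry bare strings and `[]`. A consumer that reads `Full_Path[i].Path` as the template prescribes will fail or silently get nothing for those files, which matters when the paths feed allow-lists or detection content. Since the commit already touches the key in every file, it is the natural point to move the LOLUtilz entries to the template shape, e.g. `Full_Path:` followed by `- Path: c:\windows\explorer.exe`; at minimum the template should state which shape is authoritative. The template's `Category: AWL Bypass` also replaces `AWL-Bypass` with a spaced form; if any untouched file still uses the hyphenated spelling, grouping by category would split, which cannot be verified from this diff.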
@@ -13,10 +13,10 @@ Commands:
 Description: Load (execute) NetSh.exe helper DLL file.
 - Command: netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=8000 connectaddress=192.168.1.1
 Description: Forward traffic from the listening address and proxy to a remote system.
-Full Path:
+Full_Path:
 - C:\Windows\System32
 - C:\Windows\SysWOW64
-Code Sample: []
+Code_Sample: []
 Detection: []
 Resources:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Persistence/Netsh_Helper_DLL.md
diff --git a/yml/LOLUtilz/OSBinaries/Nltest.yml b/yml/LOLUtilz/OSBinaries/Nltest.yml
index 16aeb81..e0db5ff 100644
--- a/yml/LOLUtilz/OSBinaries/Nltest.yml
+++ b/yml/LOLUtilz/OSBinaries/Nltest.yml
@@ -7,9 +7,9 @@ Categories: []
 Commands:
 - Command: nltest.exe /SERVER:192.168.1.10 /QUERY
 Description: ''
-Full Path:
+Full_Path:
 - c:\windows\system32\nltest.exe
-Code Sample: []
+Code_Sample: []
 Detection: []
 Resources:
 - https://twitter.com/sysopfb/status/986799053668139009
diff --git a/yml/LOLUtilz/OSBinaries/Openwith.yml b/yml/LOLUtilz/OSBinaries/Openwith.yml
index 9f91ba1..ae20a00 100644
--- a/yml/LOLUtilz/OSBinaries/Openwith.yml
+++ b/yml/LOLUtilz/OSBinaries/Openwith.yml
@@ -9,10 +9,10 @@ Commands:
 Description: Opens the target file with the default application.
 - Command: OpenWith.exe /c C:\testing.msi
 Description: Opens the target file with the default application.
-Full Path:
+Full_Path:
 - c:\windows\system32\Openwith.exe
 - c:\windows\sysWOW64\Openwith.exe
-Code Sample: []
+Code_Sample: []
 Detection: []
 Resources:
 - https://twitter.com/harr0ey/status/991670870384021504
diff --git a/yml/LOLUtilz/OSBinaries/Powershell.yml b/yml/LOLUtilz/OSBinaries/Powershell.yml
index c62bf48..f8d44e6 100644
--- a/yml/LOLUtilz/OSBinaries/Powershell.yml
+++ b/yml/LOLUtilz/OSBinaries/Powershell.yml
@@ -7,10 +7,10 @@ Categories: []
 Commands:
 - Command: powershell -ep bypass - < c:\temp:ttt
 Description: Execute the encoded PowerShell command stored in an Alternate Data Stream (ADS).
-Full Path:
+Full_Path:
 - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
 - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
-Code Sample: []
+Code_Sample: []
 Detection: []
 Resources:
 - https://twitter.com/Moriarty_Meng/status/984380793383370752
diff --git a/yml/LOLUtilz/OSBinaries/Psr.yml b/yml/LOLUtilz/OSBinaries/Psr.yml
index 32a4b1e..b9b9e45 100644
--- a/yml/LOLUtilz/OSBinaries/Psr.yml
+++ b/yml/LOLUtilz/OSBinaries/Psr.yml
@@ -11,10 +11,10 @@ Commands:
 Description: Capture a maximum of 100 screenshots of the desktop and save them in the target .ZIP file.
 - Command: psr.exe /stop
 Description: Stop the Problem Step Recorder.
-Full Path:
+Full_Path:
 - C:\Windows\System32\Psr.exe
 - C:\Windows\SysWOW64\Psr.exe
-Code Sample: []
+Code_Sample: []
 Detection: []
 Resources:
 - https://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf
diff --git a/yml/LOLUtilz/OSBinaries/Robocopy.yml b/yml/LOLUtilz/OSBinaries/Robocopy.yml
index 7f7d425..8ebb462 100644
--- a/yml/LOLUtilz/OSBinaries/Robocopy.yml
+++ b/yml/LOLUtilz/OSBinaries/Robocopy.yml
@@ -9,10 +9,10 @@ Commands:
 Description: Copy the entire contents of the SourceFolder to the DestFolder.
 - Command: Robocopy.exe \\SERVER\SourceFolder C:\DestFolder
 Description: Copy the entire contents of the SourceFolder to the DestFolder.
-Full Path:
+Full_Path:
 - c:\windows\system32\binary.exe
 - c:\windows\sysWOW64\binary.exe
-Code Sample: []
+Code_Sample: []
 Detection: []
 Resources:
 - https://social.technet.microsoft.com/wiki/contents/articles/1073.robocopy-and-a-few-examples.aspx
diff --git a/yml/LOLUtilz/OtherBinaries/AcroRd32.yml b/yml/LOLUtilz/OtherBinaries/AcroRd32.yml
index b1b15bf..941436c 100644
--- a/yml/LOLUtilz/OtherBinaries/AcroRd32.yml
+++ b/yml/LOLUtilz/OtherBinaries/AcroRd32.yml
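Review bot: The Robocopy.yml `Full_Path` entries still read `c:\windows\system32\binary.exe` and `c:\windows\sysWOW64\binary.exe`, which look like the template placeholder rather than the binary the entry documents; a path-based rule built from this entry would match nothing. Unless the placeholder is deliberate, they should be `- c:\windows\system32\Robocopy.exe` and `- c:\windows\sysWOW64\Robocopy.exe`.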
@@ -7,9 +7,9 @@ Categories: []
 Commands:
 - Command: Replace C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe by your binary
 Description: Hijack RdrCEF.exe with a payload executable to launch when opening Adobe
-Full Path:
+Full_Path:
 - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\
-Code Sample: []
+Code_Sample: []
 Detection: []
 Resources:
 - https://twitter.com/pabraeken/status/997997818362155008
diff --git a/yml/LOLUtilz/OtherBinaries/Gpup.yml b/yml/LOLUtilz/OtherBinaries/Gpup.yml
index a327972..f5824be 100644
--- a/yml/LOLUtilz/OtherBinaries/Gpup.yml
+++ b/yml/LOLUtilz/OtherBinaries/Gpup.yml
@@ -7,9 +7,9 @@ Categories: []
 Commands:
 - Command: Gpup.exe -w whatever -e c:\Windows\System32\calc.exe
 Description: Execute another command through gpup.exe (Notepad++ binary).
-Full Path:
+Full_Path:
 - 'C:\Program Files (x86)\Notepad++\updater\gpup.exe '
-Code Sample: []
+Code_Sample: []
 Detection: []
 Resources:
 - https://twitter.com/pabraeken/status/997892519827558400
diff --git a/yml/LOLUtilz/OtherBinaries/Nlnotes.yml b/yml/LOLUtilz/OtherBinaries/Nlnotes.yml
index b90b9ce..da4d4cd 100644
--- a/yml/LOLUtilz/OtherBinaries/Nlnotes.yml
+++ b/yml/LOLUtilz/OtherBinaries/Nlnotes.yml
@@ -7,9 +7,9 @@ Categories: []
 Commands:
 - Command: NLNOTES.EXE /authenticate "=N:\Lotus\Notes\Data\notes.ini" -Command if((Get-ExecutionPolicy ) -ne AllSigned) { Set-ExecutionPolicy -Scope Process Bypass }
 Description: Run PowerShell via LotusNotes.
-Full Path:
+Full_Path:
 - C:\Program Files (x86)\IBM\Lotus\Notes\Notes.exe
-Code Sample: []
+Code_Sample: []
 Detection: []
 Resources:
 - https://gist.github.com/danielbohannon/50ec800e92a888b7d45486e5733c359f
diff --git a/yml/LOLUtilz/OtherBinaries/Notes.yml b/yml/LOLUtilz/OtherBinaries/Notes.yml
index eaa8577..8ddb03a 100644
--- a/yml/LOLUtilz/OtherBinaries/Notes.yml
+++ b/yml/LOLUtilz/OtherBinaries/Notes.yml
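Review bot: The Gpup.yml `Full_Path` value `'C:\Program Files (x86)\Notepad++\updater\gpup.exe '` keeps a trailing space inside the single quotes, so the parsed string will never equal the real path and any exact comparison (allow-list, detection rule, de-duplication) will miss it; drop the space: `- 'C:\Program Files (x86)\Notepad++\updater\gpup.exe'`. Separately, in the Nlnotes.yml hunk on the same line the command invokes `NLNOTES.EXE` while `Full_Path` points at `Notes.exe`; that may be intended, but it is worth confirming against the referenced gist before the path is reused.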
@@ -7,9 +7,9 @@ Categories: []
 Commands:
 - Command: Notes.exe "=N:\Lotus\Notes\Data\notes.ini" -Command if((Get-ExecutionPolicy) -ne AllSigned) { Set-ExecutionPolicy -Scope Process Bypass }
 Description: Run PowerShell via LotusNotes.
-Full Path:
+Full_Path:
 - C:\Program Files (x86)\IBM\Lotus\Notes\notes.exe
-Code Sample: []
+Code_Sample: []
 Detection: []
 Resources:
 - https://gist.github.com/danielbohannon/50ec800e92a888b7d45486e5733c359f
diff --git a/yml/LOLUtilz/OtherBinaries/Nvudisp.yml b/yml/LOLUtilz/OtherBinaries/Nvudisp.yml
index 15337c7..a7fd86e 100644
--- a/yml/LOLUtilz/OtherBinaries/Nvudisp.yml
+++ b/yml/LOLUtilz/OtherBinaries/Nvudisp.yml
@@ -17,9 +17,9 @@ Commands:
 Description: Kill a process.
 - Command: Nvudisp.exe Run foo
 Description: Run process
-Full Path:
+Full_Path:
 - C:\windows\system32\nvuDisp.exe
-Code Sample: []
+Code_Sample: []
 Detection: []
 Resources:
 - http://sysadminconcombre.blogspot.ca/2018/04/run-system-commands-through-nvidia.html
diff --git a/yml/LOLUtilz/OtherBinaries/Nvuhda6.yml b/yml/LOLUtilz/OtherBinaries/Nvuhda6.yml
index a53efec..9e13364 100644
--- a/yml/LOLUtilz/OtherBinaries/Nvuhda6.yml
+++ b/yml/LOLUtilz/OtherBinaries/Nvuhda6.yml
@@ -17,9 +17,9 @@ Commands:
 Description: Kill a process.
 - Command: nvuhda6.exe Run foo
 Description: Run process
-Full Path:
+Full_Path:
 - Missing
-Code Sample: []
+Code_Sample: []
 Detection: []
 Resources:
 - http://www.hexacorn.com/blog/2017/11/10/reusigned-binaries-living-off-the-signed-land/
diff --git a/yml/LOLUtilz/OtherBinaries/ROCCAT_Swarm.yml b/yml/LOLUtilz/OtherBinaries/ROCCAT_Swarm.yml
index 7cf7d0b..853d33e 100644
--- a/yml/LOLUtilz/OtherBinaries/ROCCAT_Swarm.yml
+++ b/yml/LOLUtilz/OtherBinaries/ROCCAT_Swarm.yml
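Review bot: Nvuhda6.yml records `Full_Path:` as the literal string `Missing`, which a consumer will treat as a path like any other entry. If the location is genuinely unknown, an explicit empty list, `Full_Path: []` (the form these LOLUtilz files already use for `Code_Sample`), keeps that machine-readable, with the gap noted in `Description` or in a `# TODO: path not yet confirmed` comment instead.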
@@ -7,9 +7,9 @@ Categories: []
 Commands:
 - Command: Replace ROCCAT_Swarm_Monitor.exe with your binary.exe
 Description: Hijack ROCCAT_Swarm_Monitor.exe and launch payload when executing ROCCAT_Swarm.exe
-Full Path:
+Full_Path:
 - C:\Program Files (x86)\ROCCAT\ROCCAT Swarm\
-Code Sample: []
+Code_Sample: []
 Detection: []
 Resources:
 - https://twitter.com/pabraeken/status/994213164484001793
diff --git a/yml/LOLUtilz/OtherBinaries/Setup.yml b/yml/LOLUtilz/OtherBinaries/Setup.yml
index 6788570..06494de 100644
--- a/yml/LOLUtilz/OtherBinaries/Setup.yml
+++ b/yml/LOLUtilz/OtherBinaries/Setup.yml
@@ -7,9 +7,9 @@ Categories: []
 Commands:
 - Command: Run Setup.exe
 Description: Hijack hpbcsiServiceMarshaller.exe and run Setup.exe to launch a payload.
-Full Path:
+Full_Path:
 - C:\LJ-Ent-700-color-MFP-M775-Full-Solution-15315
-Code Sample: []
+Code_Sample: []
 Detection: []
 Resources:
 - https://twitter.com/pabraeken/status/994381620588236800
diff --git a/yml/LOLUtilz/OtherBinaries/Usbinst.yml b/yml/LOLUtilz/OtherBinaries/Usbinst.yml
index 55e3956..6b2b33c 100644
--- a/yml/LOLUtilz/OtherBinaries/Usbinst.yml
+++ b/yml/LOLUtilz/OtherBinaries/Usbinst.yml
@@ -7,9 +7,9 @@ Categories: []
 Commands:
 - Command: Usbinst.exe InstallHinfSection "DefaultInstall 128 c:\temp\calc.inf"
 Description: Execute calc.exe through DefaultInstall Section Directive in INF file.
-Full Path:
+Full_Path:
 - C:\Program Files (x86)\Citrix\ICA Client\Drivers64\Usbinst.exe
-Code Sample: []
+Code_Sample: []
 Detection: []
 Resources:
 - https://twitter.com/pabraeken/status/993514357807108096
diff --git a/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml b/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml
index fba2f2c..77de123 100644
--- a/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml
+++ b/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml
@@ -7,9 +7,9 @@ Categories: []
 Commands:
 - Command: VBoxDrvInst.exe driver executeinf c:\temp\calc.inf
 Description: Set registry key-value for persistance via INF file call through VBoxDrvInst.exe
-Full Path:
+Full_Path:
 - C:\Program Files\Oracle\VirtualBox Guest Additions
-Code Sample: []
+Code_Sample: []
 Detection: []
 Resources:
 - https://twitter.com/pabraeken/status/993497996179492864
diff --git a/yml/LOLUtilz/OtherMSBinaries/Winword.yml b/yml/LOLUtilz/OtherMSBinaries/Winword.yml
index 0e60895..43cddf7 100644
--- a/yml/LOLUtilz/OtherMSBinaries/Winword.yml
+++ b/yml/LOLUtilz/OtherMSBinaries/Winword.yml
@@ -12,9 +12,9 @@ Commands:
 MitreID: T1218
 MItreLink: https://attack.mitre.org/wiki/Technique/T1218
 OperatingSystem: Windows
-Full Path:
+Full_Path:
 - Path: c:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
-Code Sample:
+Code_Sample:
 - Code:
 Detection:
 - IOC:
diff --git a/yml/LOLUtilz/OtherScripts/Testxlst.yml b/yml/LOLUtilz/OtherScripts/Testxlst.yml
index 0baf199..3cf7399 100644
--- a/yml/LOLUtilz/OtherScripts/Testxlst.yml
+++ b/yml/LOLUtilz/OtherScripts/Testxlst.yml
@@ -18,9 +18,9 @@ Commands:
 MitreID: T1064
 MitreLink: https://attack.mitre.org/wiki/Technique/T1064
 OperatingSystem: Windows
-Full Path:
+Full_Path:
 - c:\python27amd64\Lib\site-packages\win32com\test\testxslt.js (Visual Studio Installation)
-Code Sample: []
+Code_Sample: []
 Detection: []
 Resources:
 - https://twitter.com/bohops/status/993314069116485632
diff --git a/yml/OSBinaries/Atbroker.yml b/yml/OSBinaries/Atbroker.yml
index 8909a81..0d58b23 100644
--- a/yml/OSBinaries/Atbroker.yml
+++ b/yml/OSBinaries/Atbroker.yml
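Review bot: Winword.yml still carries the key `MItreLink` (capital I) on the new side, while every other file in this diff uses `MitreLink`; a loader keyed on the canonical name will silently drop the link for this entry. Since the commit is already normalising key names, that context line should become `MitreLink: https://attack.mitre.org/wiki/Technique/T1218`. In the Testxlst.yml hunk on the same line, the `Full_Path` entry embeds a free-text annotation, `testxslt.js (Visual Studio Installation)`, so the value is no longer a usable path; the note belongs in `Description` or a comment above the entry.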
@@ -12,10 +12,10 @@ Commands:
 MitreID: T1218
 MitreLink: https://attack.mitre.org/wiki/Technique/T1218
 OperatingSystem: Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
 - Path: C:\Windows\System32\Atbroker.exe
 - Path: C:\Windows\SysWOW64\Atbroker.exe
-Code Sample:
+Code_Sample:
 - Code:
 Detection:
 - IOC: Changes to HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration
diff --git a/yml/OSBinaries/Bash.yml b/yml/OSBinaries/Bash.yml
index c59f793..64d96bf 100644
--- a/yml/OSBinaries/Bash.yml
+++ b/yml/OSBinaries/Bash.yml
@@ -20,10 +20,10 @@ Commands:
 MitreID: T1218
 MitreLink: https://attack.mitre.org/wiki/Technique/T1218
 OperatingSystem: Windows 10
-Full Path:
+Full_Path:
 - Path: C:\Windows\System32\bash.exe
 - Path: C:\Windows\SysWOW64\bash.exe
-Code Sample:
+Code_Sample:
 - Code:
 Detection:
 - IOC: Child process from bash.exe
diff --git a/yml/OSBinaries/Bitsadmin.yml b/yml/OSBinaries/Bitsadmin.yml
index 3e58b92..9b0b5e6 100644
--- a/yml/OSBinaries/Bitsadmin.yml
+++ b/yml/OSBinaries/Bitsadmin.yml
@@ -36,10 +36,10 @@ Commands:
 MitreID: T1218
 MitreLink: https://attack.mitre.org/wiki/Technique/T1218
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
 - Path: C:\Windows\System32\bitsadmin.exe
 - Path: C:\Windows\SysWOW64\bitsadmin.exe
-Code Sample:
+Code_Sample:
 - Code:
 Detection:
 - IOC: Child process from bitsadmin.exe
diff --git a/yml/OSBinaries/Certutil.yml b/yml/OSBinaries/Certutil.yml
index 276fe0a..b1102b2 100644
--- a/yml/OSBinaries/Certutil.yml
+++ b/yml/OSBinaries/Certutil.yml
@@ -36,10 +36,10 @@ Commands:
 MitreID: T1140
 MitreLink: https://attack.mitre.org/wiki/Technique/T1140
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
 - Path: C:\Windows\System32\certutil.exe
 - Path: C:\Windows\SysWOW64\certutil.exe
-Code Sample:
+Code_Sample:
 - Code:
 Detection:
 - IOC: Certutil.exe creating new files on disk
diff --git a/yml/OSBinaries/Cmdkey.yml b/yml/OSBinaries/Cmdkey.yml
index 1df1920..a3b4136 100644
--- a/yml/OSBinaries/Cmdkey.yml
+++ b/yml/OSBinaries/Cmdkey.yml
@@ -12,10 +12,10 @@ Commands:
 MitreID: T1078
 MitreLink: https://attack.mitre.org/wiki/Technique/T1078
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
 - Path: C:\Windows\System32\cmdkey.exe
 - Path: C:\Windows\SysWOW64\cmdkey.exe
-Code Sample:
+Code_Sample:
 - Code:
 Detection:
 - IOC: Usage of this command could be an IOC
diff --git a/yml/OSBinaries/Cmstp.yml b/yml/OSBinaries/Cmstp.yml
index 97d216c..cf8204a 100644
--- a/yml/OSBinaries/Cmstp.yml
+++ b/yml/OSBinaries/Cmstp.yml
@@ -20,10 +20,10 @@ Commands:
 MitreID: T1191
 MitreLink: https://attack.mitre.org/wiki/Technique/T1191
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
 - Path: C:\Windows\System32\cmstp.exe
 - Path: C:\Windows\SysWOW64\cmstp.exe
-Code Sample:
+Code_Sample:
 - Code:
 Detection:
 - IOC: Execution of cmstp.exe should not be normal unless VPN is in use
diff --git a/yml/OSBinaries/Control.yml b/yml/OSBinaries/Control.yml
index 155fc98..4abeb42 100644
--- a/yml/OSBinaries/Control.yml
+++ b/yml/OSBinaries/Control.yml
@@ -12,10 +12,10 @@ Commands:
 MitreID: T1196
 MitreLink: https://attack.mitre.org/wiki/Technique/T1196
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
 - Path: C:\Windows\System32\control.exe
 - Path: C:\Windows\SysWOW64\control.exe
-Code Sample:
+Code_Sample:
 - Code:
 Detection:
 - IOC: Control.exe executing files from alternate data streams.
diff --git a/yml/OSBinaries/Csc.yml b/yml/OSBinaries/Csc.yml
index 00b3973..3b19bdf 100644
--- a/yml/OSBinaries/Csc.yml
+++ b/yml/OSBinaries/Csc.yml
@@ -20,10 +20,10 @@ Commands:
 MitreID: T1127
 MitreLink: https://attack.mitre.org/wiki/Technique/T1127
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
 - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe
 - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Csc.exe
-Code Sample:
+Code_Sample:
 - Code:
 Detection:
 - IOC: Csc.exe should normally not run a system unless it is used for development.
diff --git a/yml/OSBinaries/Cscript.yml b/yml/OSBinaries/Cscript.yml
index 5ee0143..0027aba 100644
--- a/yml/OSBinaries/Cscript.yml
+++ b/yml/OSBinaries/Cscript.yml
@@ -12,10 +12,10 @@ Commands:
 MitreID: T1096
 MitreLink: https://attack.mitre.org/wiki/Technique/T1096
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
 - Path: C:\Windows\System32\cscript.exe
 - Path: C:\Windows\SysWOW64\cscript.exe
-Code Sample:
+Code_Sample:
 - Code:
 Detection:
 - IOC: Cscript.exe executing files from alternate data streams
diff --git a/yml/OSBinaries/Dfsvc.yml b/yml/OSBinaries/Dfsvc.yml
index 4364f31..4943e81 100644
--- a/yml/OSBinaries/Dfsvc.yml
+++ b/yml/OSBinaries/Dfsvc.yml
@@ -12,12 +12,12 @@ Commands:
 MitreID: T1127
 MitreLink: https://attack.mitre.org/wiki/Technique/T1127
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
 - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Dfsvc.exe
 - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe
 - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe
 - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe
-Code Sample:
+Code_Sample:
 - Code:
 Detection:
 - IOC:
diff --git a/yml/OSBinaries/Diskshadow.yml b/yml/OSBinaries/Diskshadow.yml
index 1cfdcb1..b0164e5 100644
--- a/yml/OSBinaries/Diskshadow.yml
+++ b/yml/OSBinaries/Diskshadow.yml
@@ -20,10 +20,10 @@ Commands:
 MitreID: T1003
 MitreLink: https://attack.mitre.org/wiki/Technique/T1003
 OperatingSystem: Windows server
-Full Path:
+Full_Path:
 - Path: C:\Windows\System32\diskshadow.exe
 - Path: C:\Windows\SysWOW64\diskshadow.exe
-Code Sample:
+Code_Sample:
 - Code:
 Detection:
 - IOC: Child process from diskshadow.exe
diff --git a/yml/OSBinaries/Dnscmd.yml b/yml/OSBinaries/Dnscmd.yml
index 835c371..18cf73c 100644
--- a/yml/OSBinaries/Dnscmd.yml
+++ b/yml/OSBinaries/Dnscmd.yml
@@ -12,10 +12,10 @@ Commands:
 MitreID: T1035
 MitreLink: https://attack.mitre.org/wiki/Technique/T1035
 OperatingSystem: Windows server
-Full Path:
+Full_Path:
 - Path: C:\Windows\System32\Dnscmd.exe
 - Path: C:\Windows\SysWOW64\Dnscmd.exe
-Code Sample:
+Code_Sample:
 - Code:
 Detection:
 - IOC: Dnscmd.exe loading dll from UNC path
diff --git a/yml/OSBinaries/Esentutl.yml b/yml/OSBinaries/Esentutl.yml
index e61c99c..384b259 100644
--- a/yml/OSBinaries/Esentutl.yml
+++ b/yml/OSBinaries/Esentutl.yml
@@ -44,10 +44,10 @@ Commands:
 MitreID: T1096
 MitreLink: https://attack.mitre.org/wiki/Technique/T1096
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
 - Path: C:\Windows\System32\esentutl.exe
 - Path: C:\Windows\SysWOW64\esentutl.exe
-Code Sample:
+Code_Sample:
 - Code:
 Detection:
 - IOC:
diff --git a/yml/OSBinaries/Expand.yml b/yml/OSBinaries/Expand.yml
index 42fcf2a..a4835a2 100644
--- a/yml/OSBinaries/Expand.yml
+++ b/yml/OSBinaries/Expand.yml
@@ -28,10 +28,10 @@ Commands:
 MitreID: T1096
 MitreLink: https://attack.mitre.org/wiki/Technique/T1096
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
 - Path: C:\Windows\System32\Expand.exe
 - Path: C:\Windows\SysWOW64\Expand.exe
-Code Sample:
+Code_Sample:
 - Code:
 Detection:
 - IOC:
diff --git a/yml/OSBinaries/Extexport.yml b/yml/OSBinaries/Extexport.yml
index a35aabc..0d4cc0c 100644
--- a/yml/OSBinaries/Extexport.yml
+++ b/yml/OSBinaries/Extexport.yml
@@ -12,10 +12,10 @@ Commands:
 MitreID: T1218
 MitreLink: https://attack.mitre.org/wiki/Technique/T1218
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
 - Path: C:\Program Files\Internet Explorer\Extexport.exe
 - Path: C:\Program Files\Internet Explorer(x86)\Extexport.exe
-Code Sample:
+Code_Sample:
 - Code:
 Detection:
 - IOC: Extexport.exe loads dll and is execute from other folder the original path
diff --git a/yml/OSBinaries/Extrac32.yml b/yml/OSBinaries/Extrac32.yml
index 9f2552c..e243ed2 100644
--- a/yml/OSBinaries/Extrac32.yml
+++ b/yml/OSBinaries/Extrac32.yml
@@ -28,10 +28,10 @@ Commands:
 MitreID: T1105
 MitreLink: https://attack.mitre.org/wiki/Technique/T1105
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
 - Path: C:\Windows\System32\extrac32.exe
 - Path: C:\Windows\SysWOW64\extrac32.exe
-Code Sample:
+Code_Sample:
 - Code:
 Detection:
 - IOC:
diff --git a/yml/OSBinaries/Findstr.yml b/yml/OSBinaries/Findstr.yml
index f44b00a..95668b9 100644
--- a/yml/OSBinaries/Findstr.yml
+++ b/yml/OSBinaries/Findstr.yml
@@ -36,10 +36,10 @@ Commands:
 MitreID: T1185
 MitreLink: https://attack.mitre.org/wiki/Technique/T1185
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
 - Path: C:\Windows\System32\findstr.exe
 - Path: C:\Windows\SysWOW64\findstr.exe
-Code Sample:
+Code_Sample:
 - Code:
 Detection:
 - IOC: finstr.exe should normally not be invoked on a client system
diff --git a/yml/OSBinaries/Forfiles.yml b/yml/OSBinaries/Forfiles.yml
index 2e3abb8..38d3189 100644
--- a/yml/OSBinaries/Forfiles.yml
+++ b/yml/OSBinaries/Forfiles.yml
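Review bot: Extexport.yml's second `Full_Path` entry is `C:\Program Files\Internet Explorer(x86)\Extexport.exe`, which does not correspond to a standard Windows layout; the 32-bit tree is normally `C:\Program Files (x86)\Internet Explorer\Extexport.exe`. This is worth confirming before the path is reused in detection content, since the IOC two lines below is specifically about the binary being executed from a folder other than its original path, so a wrong "original" path would produce false positives.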
@@ -20,10 +20,10 @@ Commands:
 MitreID: T1096
 MitreLink: https://attack.mitre.org/wiki/Technique/T1096
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
 - Path: C:\Windows\System32\forfiles.exe
 - Path: C:\Windows\SysWOW64\forfiles.exe
-Code Sample:
+Code_Sample:
 - Code:
 Detection:
 - IOC:
diff --git a/yml/OSBinaries/Gpscript.yml b/yml/OSBinaries/Gpscript.yml
index 656a194..81fae7a 100644
--- a/yml/OSBinaries/Gpscript.yml
+++ b/yml/OSBinaries/Gpscript.yml
@@ -20,10 +20,10 @@ Commands:
 MitreID: T1216
 MitreLink: https://attack.mitre.org/wiki/Technique/T1216
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
 - Path: C:\Windows\System32\gpscript.exe
 - Path: C:\Windows\SysWOW64\gpscript.exe
-Code Sample:
+Code_Sample:
 - Code:
 Detection:
 - IOC: Scripts added in local group policy
diff --git a/yml/OSBinaries/Hh.yml b/yml/OSBinaries/Hh.yml
index c107bae..55f5471 100644
--- a/yml/OSBinaries/Hh.yml
+++ b/yml/OSBinaries/Hh.yml
@@ -20,10 +20,10 @@ Commands:
 MitreID: T1216
 MitreLink: https://attack.mitre.org/wiki/Technique/T1216
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
 - Path: C:\Windows\System32\hh.exe
 - Path: C:\Windows\SysWOW64\hh.exe
-Code Sample:
+Code_Sample:
 - Code:
 Detection:
 - IOC: hh.exe should normally not be in use on a normal workstation
diff --git a/yml/OSBinaries/Ie4unit.yml b/yml/OSBinaries/Ie4unit.yml
index 925013d..e994403 100644
--- a/yml/OSBinaries/Ie4unit.yml
+++ b/yml/OSBinaries/Ie4unit.yml
@@ -12,12 +12,12 @@ Commands:
 MitreID: T1218
 MitreLink: https://attack.mitre.org/wiki/Technique/T1218
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
 - Path: c:\windows\system32\ie4unit.exe
 - Path: c:\windows\sysWOW64\ie4unit.exe
 - Path: c:\windows\system32\ieuinit.inf
 - Path: c:\windows\sysWOW64\ieuinit.inf
-Code Sample:
+Code_Sample:
 - Code:
 Detection:
 - IOC: ie4unit.exe loading a inf file from outside %windir%
diff --git a/yml/OSBinaries/Ieexec.yml b/yml/OSBinaries/Ieexec.yml
index 20e9c20..922efda 100644
--- a/yml/OSBinaries/Ieexec.yml
+++ b/yml/OSBinaries/Ieexec.yml
@@ -20,10 +20,10 @@ Commands:
 MitreID: T1218
 MitreLink: https://attack.mitre.org/wiki/Technique/T1218
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
 - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ieexec.exe
 - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ieexec.exe
-Code Sample:
+Code_Sample:
 - Code:
 Detection:
 - IOC:
diff --git a/yml/OSBinaries/Infdefaultinstall.yml b/yml/OSBinaries/Infdefaultinstall.yml
index 86afd15..a99c341 100644
--- a/yml/OSBinaries/Infdefaultinstall.yml
+++ b/yml/OSBinaries/Infdefaultinstall.yml
@@ -12,10 +12,10 @@ Commands:
 MitreID: T1218
 MitreLink: https://attack.mitre.org/wiki/Technique/T1218
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
 - Path: C:\Windows\System32\Infdefaultinstall.exe
 - Path: C:\Windows\SysWOW64\Infdefaultinstall.exe
-Code Sample:
+Code_Sample:
 - Code: https://gist.github.com/KyleHanslovan/5e0f00d331984c1fb5be32c40f3b265a
 Detection:
 - IOC:
diff --git a/yml/OSBinaries/Installutil.yml b/yml/OSBinaries/Installutil.yml
index 9a02884..53283d6 100644
--- a/yml/OSBinaries/Installutil.yml
+++ b/yml/OSBinaries/Installutil.yml
@@ -20,12 +20,12 @@ Commands:
 MitreID: T1118
 MitreLink: https://attack.mitre.org/wiki/Technique/T1118
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
 - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
 - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe
 - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
 - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
-Code Sample:
+Code_Sample:
 - Code:
 Detection:
 - IOC:
diff --git a/yml/OSBinaries/Makecab.yml b/yml/OSBinaries/Makecab.yml
index 9fb67b5..89e332e 100644
--- a/yml/OSBinaries/Makecab.yml
+++ b/yml/OSBinaries/Makecab.yml
@@ -15,7 +15,7 @@ Commands:
 - Command: makecab \\webdavserver\webdav\file.exe C:\Folder\file.txt:file.cab
 Description: Compresses the target file into a CAB file stored in the Alternate Data Stream (ADS) of the target file.
 Usecase: Hide data compressed into an alternate data stream
- Category: Alternate data streams
+ Category: ADS
 Privileges: User
 MitreID: T1096
 MitreLink: https://attack.mitre.org/wiki/Technique/T1096
@@ -28,10 +28,10 @@ Commands:
 MitreID: T1105
 MitreLink: https://attack.mitre.org/wiki/Technique/T1105
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
 - Path: C:\Windows\System32\makecab.exe
 - Path: C:\Windows\SysWOW64\makecab.exe
-Code Sample:
+Code_Sample:
 - Code:
 Detection:
 - IOC: Makecab getting files from Internet
diff --git a/yml/OSBinaries/Mavinject.yml b/yml/OSBinaries/Mavinject.yml
index 09bc4e8..d1d1530 100644
--- a/yml/OSBinaries/Mavinject.yml
+++ b/yml/OSBinaries/Mavinject.yml
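Review bot: The `Category` vocabulary is being fixed by rewriting values in place (`Alternate data streams` → `ADS` here, `Execution` → `Execute` in Microsoft.Workflow.Compiler.yml and the template, `AWL-Bypass` → `AWL Bypass` in the template), but nothing in the diff enumerates the accepted set. A short comment in YML-Template.yml above `Category:` listing the allowed values, or a validation pass over `yml/` that rejects anything else, would stop the next contribution from reintroducing a variant spelling that silently forms its own bucket in anything grouping by category. Whether any file not touched by this commit still carries an old spelling is not visible from the diff.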
@@ -20,10 +20,10 @@ Commands:
 MitreID: T1096
 MitreLink: https://attack.mitre.org/wiki/Technique/T1096
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
 - Path: C:\Windows\System32\mavinject.exe
 - Path: C:\Windows\SysWOW64\mavinject.exe
-Code Sample:
+Code_Sample:
 - Code:
 Detection:
 - IOC: mavinject.exe should not run unless APP-v is in use on the workstation
diff --git a/yml/OSBinaries/Microsoft.Workflow.Compiler.yml b/yml/OSBinaries/Microsoft.Workflow.Compiler.yml
index eec5b16..44ec67c 100644
--- a/yml/OSBinaries/Microsoft.Workflow.Compiler.yml
+++ b/yml/OSBinaries/Microsoft.Workflow.Compiler.yml
@@ -7,7 +7,7 @@ Commands:
 - Command: Microsoft.Worflow.Compiler.exe tests.xml results.xml
 Description: Compile and execute C# or VB.net code in a XOML file referenced in the test.xml file.
 Usecase: Compile and run code
- Category: Execution
+ Category: Execute
 Privileges: User
 MitreID: T1127
 MitreLink: https://attack.mitre.org/wiki/Technique/T1127
@@ -28,9 +28,9 @@ Commands:
 MitreID: T1127
 MitreLink: https://attack.mitre.org/wiki/Technique/T1127
 OperatingSystem: Windows 10S
-Full Path:
+Full_Path:
 - Path: C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
-Code Sample:
+Code_Sample:
 - Code:
 Detection:
 - IOC: Microsoft.Workflow.Compiler.exe would not normally be run on workstations.
diff --git a/yml/OSBinaries/Mmc.yml b/yml/OSBinaries/Mmc.yml
index 725529a..ab0fb79 100644
--- a/yml/OSBinaries/Mmc.yml
+++ b/yml/OSBinaries/Mmc.yml
@@ -12,10 +12,10 @@ Commands:
 MitreID: T1218
 MitreLink: https://attack.mitre.org/wiki/Technique/T1218
 OperatingSystem: Windows 10 (and possibly earlier versions)
-Full Path:
+Full_Path:
 - Path: C:\Windows\System32\mmc.exe
 - Path: C:\Windows\SysWOW64\mmc.exe
-Code Sample:
+Code_Sample:
 - Code:
 Detection:
 - IOC:
diff --git a/yml/OSBinaries/Msbuild.yml b/yml/OSBinaries/Msbuild.yml
index 8b5bb46..b5bfbe5 100644
--- a/yml/OSBinaries/Msbuild.yml
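Review bot: The Microsoft.Workflow.Compiler.yml command line reads `Microsoft.Worflow.Compiler.exe tests.xml results.xml`, missing the `k` in Workflow, while the `Full_Path` entry in the next hunk names `Microsoft.Workflow.Compiler.exe`; a detection rule or test case built by copying the `Command` string would never match the real binary. Change the context line to `- Command: Microsoft.Workflow.Compiler.exe tests.xml results.xml`.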
+++ b/yml/OSBinaries/Msbuild.yml
@@ -20,14 +20,14 @@ Commands:
 MitreID: T1127
 MitreLink: https://attack.mitre.org/wiki/Technique/T1127
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
 - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Msbuild.exe
 - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Msbuild.exe
 - Path: C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe
 - Path: C:\Windows\Microsoft.NET\Framework64\v3.5\Msbuild.exe
 - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe
 - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Msbuild.exe
-Code Sample:
+Code_Sample:
 - Code:
 Detection:
 - IOC: Msbuild.exe should not normally be executed on workstations
diff --git a/yml/OSBinaries/Msconfig.yml b/yml/OSBinaries/Msconfig.yml
index 8e6e402..6f9dbfc 100644
--- a/yml/OSBinaries/Msconfig.yml
+++ b/yml/OSBinaries/Msconfig.yml
@@ -12,9 +12,9 @@ Commands:
 MitreID: T1218
 MitreLink: https://attack.mitre.org/wiki/Technique/T1218
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
 - Path: C:\Windows\System32\msconfig.exe
-Code Sample:
+Code_Sample:
 - Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/mscfgtlc.xml
 Detection:
 - IOC: mscfgtlc.xml changes in system32 folder
diff --git a/yml/OSBinaries/Msdt.yml b/yml/OSBinaries/Msdt.yml
index f83d507..b460d25 100644
--- a/yml/OSBinaries/Msdt.yml
+++ b/yml/OSBinaries/Msdt.yml
@@ -20,10 +20,10 @@ Commands:
 MitreID: T1218
 MitreLink: https://attack.mitre.org/wiki/Technique/T1218
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
 - Path: C:\Windows\System32\Msdt.exe
 - Path: C:\Windows\SysWOW64\Msdt.exe
-Code Sample:
+Code_Sample:
 - Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/PCW8E57.xml
 Detection:
 - IOC:
diff --git a/yml/OSBinaries/Mshta.yml b/yml/OSBinaries/Mshta.yml
index 9790a47..13acc84 100644
--- a/yml/OSBinaries/Mshta.yml
+++ b/yml/OSBinaries/Mshta.yml
@@ -36,10 +36,10 @@ Commands:
 MitreID: T1170
 MitreLink: https://attack.mitre.org/wiki/Technique/T1170
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
 - Path: C:\Windows\System32\mshta.exe
 - Path: C:\Windows\SysWOW64\mshta.exe
-Code Sample:
+Code_Sample:
 - Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/Mshta_calc.sct
 Detection:
 - IOC: mshta.exe executing raw or obfuscated script within the command-line
diff --git a/yml/OSBinaries/Msiexec.yml b/yml/OSBinaries/Msiexec.yml
index 16b1ad2..8d52eb1 100644
--- a/yml/OSBinaries/Msiexec.yml
+++ b/yml/OSBinaries/Msiexec.yml
@@ -36,10 +36,10 @@ Commands:
 MitreID: T1218
 MitreLink: https://attack.mitre.org/wiki/Technique/T1218
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
 - Path: C:\Windows\System32\msiexec.exe
 - Path: C:\Windows\SysWOW64\msiexec.exe
-Code Sample:
+Code_Sample:
 - Code:
 Detection:
 - IOC: msiexec.exe getting files from Internet
diff --git a/yml/OSBinaries/Odbcconf.yml b/yml/OSBinaries/Odbcconf.yml
index 9cd761e..b654bac 100644
--- a/yml/OSBinaries/Odbcconf.yml
+++ b/yml/OSBinaries/Odbcconf.yml
@@ -12,10 +12,10 @@ Commands:
 MitreID: T1218
 MitreLink: https://attack.mitre.org/wiki/Technique/T1218
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
 - Path: C:\Windows\System32\odbcconf.exe
 - Path: C:\Windows\SysWOW64\odbcconf.exe
-Code Sample:
+Code_Sample:
 - Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/file.rsp
 Detection:
 - IOC:
diff --git a/yml/OSBinaries/Pcalua.yml b/yml/OSBinaries/Pcalua.yml
index 678b6b4..c568598 100644
--- a/yml/OSBinaries/Pcalua.yml
+++ b/yml/OSBinaries/Pcalua.yml
@@ -28,9 +28,9 @@ Commands:
 MitreID: T1218
 MitreLink: https://attack.mitre.org/wiki/Technique/T1218
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
 - Path: C:\Windows\System32\pcalua.exe
-Code Sample:
+Code_Sample:
 - Code:
 Detection:
 - IOC:
diff --git a/yml/OSBinaries/Pcwrun.yml b/yml/OSBinaries/Pcwrun.yml
index 65ebb0e..2e3c31c 100644
--- a/yml/OSBinaries/Pcwrun.yml
+++ b/yml/OSBinaries/Pcwrun.yml
@@ -12,9 +12,9 @@ Commands:
 MitreID: T1218
 MitreLink: https://attack.mitre.org/wiki/Technique/T1218
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
 - Path: C:\Windows\System32\pcwrun.exe
-Code Sample:
+Code_Sample:
 - Code:
 Detection:
 - IOC:
diff --git a/yml/OSBinaries/Presentationhost.yml b/yml/OSBinaries/Presentationhost.yml
index d7f528d..0733048 100644
--- a/yml/OSBinaries/Presentationhost.yml
+++ b/yml/OSBinaries/Presentationhost.yml
@@ -12,10 +12,10 @@ Commands:
 MitreID: T1218
 MitreLink: https://attack.mitre.org/wiki/Technique/T1218
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
 - Path: C:\Windows\System32\Presentationhost.exe
 - Path: C:\Windows\SysWOW64\Presentationhost.exe
-Code Sample:
+Code_Sample:
 - Code:
 Detection:
 - IOC:
diff --git a/yml/OSBinaries/Print.yml b/yml/OSBinaries/Print.yml
index 6535861..a91dd92 100644
--- a/yml/OSBinaries/Print.yml
+++ b/yml/OSBinaries/Print.yml
@@ -28,10 +28,10 @@ Commands:
 MitreID: T1105
 MitreLink: https://attack.mitre.org/wiki/Technique/T1105
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
 - Path: C:\Windows\System32\print.exe
 - Path: C:\Windows\SysWOW64\print.exe
-Code Sample:
+Code_Sample:
 - Code:
 Detection:
 - IOC: Print.exe getting files from internet
diff --git a/yml/OSBinaries/Reg.yml b/yml/OSBinaries/Reg.yml
index 57c46f2..7d5f928 100644
--- a/yml/OSBinaries/Reg.yml
+++ b/yml/OSBinaries/Reg.yml
@@ -12,10 +12,10 @@ Commands:
 MitreID: T1096
 MitreLink: https://attack.mitre.org/wiki/Technique/T1096
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
 - Path: C:\Windows\System32\reg.exe
 - Path: C:\Windows\SysWOW64\reg.exe
-Code Sample:
+Code_Sample:
 - Code:
 Detection:
 - IOC: reg.exe writing to an ADS
diff --git a/yml/OSBinaries/Regasm.yml b/yml/OSBinaries/Regasm.yml
index 62d4a91..1569be0 100644
--- a/yml/OSBinaries/Regasm.yml
+++ b/yml/OSBinaries/Regasm.yml
@@ -20,12 +20,12 @@ Commands:
 MitreID: T1121
 MitreLink: https://attack.mitre.org/wiki/Technique/T1121
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
 - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe
 - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe
 - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
 - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe
-Code Sample:
+Code_Sample:
 - Code:
 Detection:
 - IOC: regasm.exe executing dll file
diff --git a/yml/OSBinaries/Regedit.yml b/yml/OSBinaries/Regedit.yml
index a410cda..ffccf75 100644
--- a/yml/OSBinaries/Regedit.yml
+++ b/yml/OSBinaries/Regedit.yml
@@ -20,10 +20,10 @@ Commands:
 MitreID: T1096
 MitreLink: https://attack.mitre.org/wiki/Technique/T1096
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
 - Path: C:\Windows\System32\regedit.exe
 - Path: C:\Windows\SysWOW64\regedit.exe
-Code Sample:
+Code_Sample:
 - Code:
 Detection:
 - IOC: regedit.exe reading and writing to alternate data stream
diff --git a/yml/OSBinaries/Register-cimprovider.yml b/yml/OSBinaries/Register-cimprovider.yml
index 5b2b37d..a19a039 100644
--- a/yml/OSBinaries/Register-cimprovider.yml
+++ b/yml/OSBinaries/Register-cimprovider.yml
@@ -12,10 +12,10 @@ Commands:
 MitreID: T1218
 MitreLink: https://attack.mitre.org/wiki/Technique/T1218
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
 - Path: C:\Windows\System32\Register-cimprovider.exe
 - Path: C:\Windows\SysWOW64\Register-cimprovider.exe
-Code Sample:
+Code_Sample:
 - Code:
 Detection:
 - IOC:
diff --git a/yml/OSBinaries/Regsvcs.yml b/yml/OSBinaries/Regsvcs.yml
index 8a9335b..a89ca2e 100644
--- a/yml/OSBinaries/Regsvcs.yml
+++ b/yml/OSBinaries/Regsvcs.yml
@@ -20,10 +20,10 @@ Commands:
 MitreID: T1121
 MitreLink: https://attack.mitre.org/wiki/Technique/T1121
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
 - Path: C:\Windows\System32\regsvcs.exe
 - Path: C:\Windows\SysWOW64\regsvcs.exe
-Code Sample:
+Code_Sample:
 - Code:
 Detection:
 - IOC:
diff --git a/yml/OSBinaries/Regsvr32.yml b/yml/OSBinaries/Regsvr32.yml
index e750927..02e262b 100644
--- a/yml/OSBinaries/Regsvr32.yml
+++ b/yml/OSBinaries/Regsvr32.yml
@@ -36,10 +36,10 @@ Commands:
 MitreID: T1117
 MitreLink: https://attack.mitre.org/wiki/Technique/T1117
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
 - Path: C:\Windows\System32\regsvr32.exe
 - Path: C:\Windows\SysWOW64\regsvr32.exe
-Code Sample:
+Code_Sample:
 - Code:
 Detection:
 - IOC: regsvr32.exe getting files from Internet
diff --git a/yml/OSBinaries/Replace.yml b/yml/OSBinaries/Replace.yml
index 6294b2d..85bbdbc 100644
--- a/yml/OSBinaries/Replace.yml
+++ b/yml/OSBinaries/Replace.yml
@@ -20,10 +20,10 @@ Commands:
 MitreID: T1105
 MitreLink: https://attack.mitre.org/wiki/Technique/T1105
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
 - Path: C:\Windows\System32\replace.exe
 - Path: C:\Windows\SysWOW64\replace.exe
-Code Sample:
+Code_Sample:
 - Code:
 Detection:
 - IOC: Replace.exe getting files from remote server
diff --git a/yml/OSBinaries/Rpcping.yml b/yml/OSBinaries/Rpcping.yml
index f5871a3..3c2d344 100644
--- a/yml/OSBinaries/Rpcping.yml
+++ b/yml/OSBinaries/Rpcping.yml
@@ -12,10 +12,10 @@ Commands:
 MitreID: T1003
 MitreLink: https://attack.mitre.org/wiki/Technique/T1003
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
 - Path: C:\Windows\System32\rpcping.exe
 - Path: C:\Windows\SysWOW64\rpcping.exe
-Code Sample:
+Code_Sample:
 - Code:
 Detection:
 - IOC:
diff --git a/yml/OSBinaries/Rundll32.yml b/yml/OSBinaries/Rundll32.yml
index 31c6e07..d452cb6 100644
--- a/yml/OSBinaries/Rundll32.yml
+++ b/yml/OSBinaries/Rundll32.yml
@@ -47,7 +47,7 @@ Commands:
 - Command: rundll32 "C:\ads\file.txt:ADSDLL.dll",DllMain
 Description: Use Rundll32.exe to execute a .DLL file stored in an Alternate Data Stream (ADS).
 Usecase: Execute code from alternate data stream
- Category: Alternate data streams
+ Category: ADS
 Privileges: User
 MitreID: T1096
 MitreLink: https://attack.mitre.org/wiki/Technique/T1096
@@ -60,10 +60,10 @@ Commands:
 MitreID:
 MitreLink:
 OperatingSystem: Windows 10 (and likely previous versions)
-Full Path:
+Full_Path:
 - Path: C:\Windows\System32\rundll32.exe
 - Path: C:\Windows\SysWOW64\rundll32.exe
-Code Sample:
+Code_Sample:
 - Code:
 Detection:
 - IOC:
diff --git a/yml/OSBinaries/Runonce.yml b/yml/OSBinaries/Runonce.yml
index 30c39ec..f317e7d 100644
--- a/yml/OSBinaries/Runonce.yml
+++ b/yml/OSBinaries/Runonce.yml
@@ -12,10 +12,10 @@ Commands:
 MitreID: T1218
 MitreLink: https://attack.mitre.org/wiki/Technique/T1218
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
 - Path: C:\Windows\System32\runonce.exe
 - Path: C:\Windows\SysWOW64\runonce.exe
-Code Sample:
+Code_Sample:
 - Code:
 Detection:
 - IOC: HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\YOURKEY
diff --git a/yml/OSBinaries/Runscripthelper.yml b/yml/OSBinaries/Runscripthelper.yml
index 8d7f4dd..931e45a 100644
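Review bot: The last command entry in Rundll32.yml (the `@@ -60,10 +60,10 @@` hunk) still carries bare `MitreID:` and `MitreLink:` context lines, which parse as null rather than as the technique id/link every other entry on this page supplies. Since this commit is normalising the schema across the collection, it is a good moment to fill those in or, if no technique applies, make the empty value explicit with `MitreID: ""` and `MitreLink: ""` so consumers that expect a string do not hit a null. The command entry itself starts above the hunk.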
--- a/yml/OSBinaries/Runscripthelper.yml
+++ b/yml/OSBinaries/Runscripthelper.yml
@@ -12,10 +12,10 @@ Commands:
 MitreID: T1218
 MitreLink: https://attack.mitre.org/wiki/Technique/T1218
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
 - Path: C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.15_none_c2df1bba78111118\Runscripthelper.exe
 - Path: CC:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.192_none_ad4699b571e00c4a\Runscripthelper.exe
-Code Sample:
+Code_Sample:
 - Code:
 Detection:
 - IOC: Event 4014 - Powershell logging
diff --git a/yml/OSBinaries/Sc.yml b/yml/OSBinaries/Sc.yml
index b924953..5eabd4d 100644
--- a/yml/OSBinaries/Sc.yml
+++ b/yml/OSBinaries/Sc.yml
@@ -12,10 +12,10 @@ Commands:
 MitreID: T1096
 MitreLink: https://attack.mitre.org/wiki/Technique/T1096
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
 - Path: C:\Windows\System32\sc.exe
 - Path: C:\Windows\SysWOW64\sc.exe
-Code Sample:
+Code_Sample:
 - Code:
 Detection:
 - IOC: Services that gets created
diff --git a/yml/OSBinaries/Schtasks.yml b/yml/OSBinaries/Schtasks.yml
index b75535f..f9d99df 100644
--- a/yml/OSBinaries/Schtasks.yml
+++ b/yml/OSBinaries/Schtasks.yml
@@ -12,10 +12,10 @@ Commands:
 MitreID: T1053
 MitreLink: https://attack.mitre.org/wiki/Technique/T1053
 OperatingSystem: Windows
-Full Path:
+Full_Path:
 - Path: c:\windows\system32\schtasks.exe
 - Path: c:\windows\syswow64\schtasks.exe
-Code Sample:
+Code_Sample:
 - Code:
 Detection:
 - IOC: Services that gets created
diff --git a/yml/OSBinaries/Scriptrunner.yml b/yml/OSBinaries/Scriptrunner.yml
index 98f9a95..3aaf782 100644
--- a/yml/OSBinaries/Scriptrunner.yml
+++ b/yml/OSBinaries/Scriptrunner.yml
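Review bot: The second `Full_Path` entry in Runscripthelper.yml has a doubled drive letter, `- Path: CC:\Windows\WinSxS\...`, which the rename leaves in place; it should read `- Path: C:\Windows\WinSxS\...` so anyone matching on the path list does not miss the 10.0.16299.192 binary. Both WinSxS entries also carry a specific build-number component in the directory name, so a short comment noting that the path varies per Windows build would help readers who do not find an exact match. Separately, the Schtasks.yml hunk on this line repeats the Sc.yml indicator `- IOC: Services that gets created` verbatim, which looks like a copy-paste; an indicator that refers to scheduled-task creation would fit that entry better, if that is what was intended.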
@@ -20,10 +20,10 @@ Commands:
 MitreID: T1218
 MitreLink: https://attack.mitre.org/wiki/Technique/T1218
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
 - Path: C:\Windows\System32\scriptrunner.exe
 - Path: C:\Windows\SysWOW64\scriptrunner.exe
-Code Sample:
+Code_Sample:
 - Code:
 Detection:
 - IOC: Scriptrunner.exe should not be in use unless App-v is deployed
diff --git a/yml/OSBinaries/Syncappvpublishingserver.yml b/yml/OSBinaries/Syncappvpublishingserver.yml
index 7450aef..2822c69 100644
--- a/yml/OSBinaries/Syncappvpublishingserver.yml
+++ b/yml/OSBinaries/Syncappvpublishingserver.yml
@@ -12,10 +12,10 @@ Commands:
 MitreID: T1218
 MitreLink: https://attack.mitre.org/wiki/Technique/T1218
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
 - Path: C:\Windows\System32\SyncAppvPublishingServer.exe
 - Path: C:\Windows\SysWOW64\SyncAppvPublishingServer.exe
-Code Sample:
+Code_Sample:
 - Code:
 Detection:
 - IOC: SyncAppvPublishingServer.exe should never be in use unless App-V is deployed
diff --git a/yml/OSBinaries/Verclsid.yml b/yml/OSBinaries/Verclsid.yml
index 99552d5..87be396 100644
--- a/yml/OSBinaries/Verclsid.yml
+++ b/yml/OSBinaries/Verclsid.yml
@@ -12,10 +12,10 @@ Commands:
 MitreID: T1218
 MitreLink: https://attack.mitre.org/wiki/Technique/T1218
 OperatingSystem: Windows 10
-Full Path:
+Full_Path:
 - Path: C:\Windows\System32\verclsid.exe
 - Path: C:\Windows\SysWOW64\verclsid.exe
-Code Sample:
+Code_Sample:
 - Code:
 Detection:
 - IOC:
diff --git a/yml/OSBinaries/Wab.yml b/yml/OSBinaries/Wab.yml
index fb281c0..c45c6e0 100644
--- a/yml/OSBinaries/Wab.yml
+++ b/yml/OSBinaries/Wab.yml
@@ -12,10 +12,10 @@ Commands:
 MitreID: T1218
 MitreLink: https://attack.mitre.org/wiki/Technique/T1218
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
 - Path: C:\Program Files\Windows Mail\wab.exe
 - Path: C:\Program Files (x86)\Windows Mail\wab.exe
-Code Sample:
+Code_Sample:
 - Code:
 Detection:
 - IOC: WAB.exe should normally never be used
diff --git a/yml/OSBinaries/Wmic.yml b/yml/OSBinaries/Wmic.yml
index 133e753..8a50604 100644
--- a/yml/OSBinaries/Wmic.yml
+++ b/yml/OSBinaries/Wmic.yml
@@ -68,10 +68,10 @@ Commands:
 MitreID: T1218
 MitreLink: https://attack.mitre.org/wiki/Technique/T1218
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
 - Path: C:\Windows\System32\wmic.exe
 - Path: C:\Windows\SysWOW64\wmic.exe
-Code Sample:
+Code_Sample:
 - Code:
 Detection:
 - IOC: Wmic getting scripts from remote system
diff --git a/yml/OSBinaries/Wscript.yml b/yml/OSBinaries/Wscript.yml
index 8fcb842..0504107 100644
--- a/yml/OSBinaries/Wscript.yml
+++ b/yml/OSBinaries/Wscript.yml
@@ -12,10 +12,10 @@ Commands:
 MitreID: T1096
 MitreLink: https://attack.mitre.org/wiki/Technique/T1096
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
 - Path: C:\Windows\System32\wscript.exe
 - Path: C:\Windows\SysWOW64\wscript.exe
-Code Sample:
+Code_Sample:
 - Code:
 Detection:
 - IOC: Wscript.exe executing code from alternate data streams
diff --git a/yml/OSBinaries/Xwizard.yml b/yml/OSBinaries/Xwizard.yml
index c8ad78d..f5afcee 100644
--- a/yml/OSBinaries/Xwizard.yml
+++ b/yml/OSBinaries/Xwizard.yml
@@ -20,10 +20,10 @@ Commands:
 MitreID: T1218
 MitreLink: https://attack.mitre.org/wiki/Technique/T1218
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
 - Path: C:\Windows\System32\xwizard.exe
 - Path: C:\Windows\SysWOW64\xwizard.exe
-Code Sample:
+Code_Sample:
 - Code:
 Detection:
 - IOC:
@@ -38,5 +38,5 @@ Acknowledgement:
 - Person: Nick Tyrer
 Handle: '@NickTyrer'
 - Person: harr0ey
- Handle: @harr0ey
+ Handle: '@harr0ey'
 ---
diff --git a/yml/OSLibraries/Advpack.yml b/yml/OSLibraries/Advpack.yml
index 3f1ad49..b661e63 100644
--- a/yml/OSLibraries/Advpack.yml
+++ b/yml/OSLibraries/Advpack.yml
@@ -42,10 +42,10 @@ Commands:
 Privileges: User
 MitreID: T1085
 MItreLink: https://attack.mitre.org/wiki/Technique/T1085
-Full Path:
+Full_Path:
 - Path: c:\windows\system32\advpack.dll
 - Path: c:\windows\syswow64\advpack.dll
-Code Sample:
+Code_Sample:
 - Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Advpack.inf
 - Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Advpack_calc.sct
 Detection:
diff --git a/yml/OSLibraries/Ieadvpack.yml b/yml/OSLibraries/Ieadvpack.yml
index b9c6770..8e071a1 100644
--- a/yml/OSLibraries/Ieadvpack.yml
+++ b/yml/OSLibraries/Ieadvpack.yml
@@ -42,10 +42,10 @@ Commands:
 Privileges: User
 MitreID: T1085
 MItreLink: https://attack.mitre.org/wiki/Technique/T1085
-Full Path:
+Full_Path:
 - Path: c:\windows\system32\ieadvpack.dll
 - Path: c:\windows\syswow64\ieadvpack.dll
-Code Sample:
+Code_Sample:
 - Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Ieadvpack.inf
 - Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Ieadvpack_calc.sct
 Detection:
diff --git a/yml/OSLibraries/Ieframe.yml b/yml/OSLibraries/Ieframe.yml
index 3ecd88a..3d9fea5 100644
--- a/yml/OSLibraries/Ieframe.yml
+++ b/yml/OSLibraries/Ieframe.yml
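Review bot: The Advpack.yml hunk keeps the context key `MItreLink:` (capital I) while every OSBinaries file on this page uses `MitreLink:`, so a loader that reads `MitreLink` will find no link for this entry even though the value is present; since this commit exists to normalise key names, the line should become `MitreLink: https://attack.mitre.org/wiki/Technique/T1085`. The same misspelt key appears in the Ieadvpack.yml hunk on this line and in the Ieframe, Mshtml, Pcwutl, Shdocvw, Shell32, Url and Zipfldr hunks that follow, so the fix belongs in all of them. A quick `grep -rn "MItreLink" yml/` after the rename would confirm nothing is left behind. The Advpack and Ieadvpack command entries begin above their hunks.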
@@ -12,10 +12,10 @@ Commands:
 MitreID: T1085
 MItreLink: https://attack.mitre.org/wiki/Technique/T1085
 OperatingSystem: Windows
-Full Path:
+Full_Path:
 - Path: c:\windows\system32\ieframe.dll
 - Path: c:\windows\syswow64\ieframe.dll
-Code Sample:
+Code_Sample:
 - Code: https://gist.githubusercontent.com/bohops/89d7b11fa32062cfe31be9fdb18f050e/raw/1206a613a6621da21e7fd164b80a7ff01c5b64ab/calc.url
 Detection:
 - IOC:
diff --git a/yml/OSLibraries/Mshtml.yml b/yml/OSLibraries/Mshtml.yml
index 705a934..94f8df8 100644
--- a/yml/OSLibraries/Mshtml.yml
+++ b/yml/OSLibraries/Mshtml.yml
@@ -12,10 +12,10 @@ Commands:
 MitreID: T1085
 MItreLink: https://attack.mitre.org/wiki/Technique/T1085
 OperatingSystem: Windows
-Full Path:
+Full_Path:
 - Path: c:\windows\system32\mshtml.dll
 - Path: c:\windows\syswow64\mshtml.dll
-Code Sample:
+Code_Sample:
 - Code:
 Detection:
 - IOC:
diff --git a/yml/OSLibraries/Pcwutl.yml b/yml/OSLibraries/Pcwutl.yml
index 2cf63bd..7b4286b 100644
--- a/yml/OSLibraries/Pcwutl.yml
+++ b/yml/OSLibraries/Pcwutl.yml
@@ -12,10 +12,10 @@ Commands:
 MitreID: T1085
 MItreLink: https://attack.mitre.org/wiki/Technique/T1085
 OperatingSystem: Windows
-Full Path:
+Full_Path:
 - Path: c:\windows\system32\pcwutl.dll
 - Path: c:\windows\syswow64\pcwutl.dll
-Code Sample:
+Code_Sample:
 - Code:
 Detection:
 - IOC:
@@ -25,3 +25,4 @@ Resources:
 Acknowledgement:
 - Person: Matt harr0ey
 Handle: '@harr0ey'
+---
\ No newline at end of file
diff --git a/yml/OSLibraries/Setupapi.yml b/yml/OSLibraries/Setupapi.yml
index 558f779..85241a5 100644
--- a/yml/OSLibraries/Setupapi.yml
+++ b/yml/OSLibraries/Setupapi.yml
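Review bot: The `+---` appended at the end of Pcwutl.yml (the `@@ -25,3 +25,4 @@` hunk) lands without a trailing newline, as the `\ No newline at end of file` marker shows, so the next edit to that file will produce a noisy diff and some tools will flag it; add the newline. A closing `---` also opens a second, empty YAML document, which single-document loaders such as `yaml.safe_load` reject and multi-document loaders return as a trailing `null`; other files on this page (Xwizard.yml) end the same way, so this appears to be the repository's convention, but it is worth confirming the consumer is loading with a multi-document API. The `Acknowledgement` entry on the line above is unaffected by the change.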
@@ -20,10 +20,10 @@ Commands:
 MitreID: T1085
 MitreLink: https://attack.mitre.org/wiki/Technique/T1085
 OperatingSystem: Windows
-Full Path:
+Full_Path:
 - Path: c:\windows\system32\setupapi.dll
 - Path: c:\windows\syswow64\setupapi.dll
-Code Sample:
+Code_Sample:
 - Code: https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf
 - Code: https://gist.github.com/enigma0x3/469d82d1b7ecaf84f4fb9e6c392d25ba#file-backdoor-minimalist-sct
 - Code: https://gist.githubusercontent.com/enigma0x3/469d82d1b7ecaf84f4fb9e6c392d25ba/raw/6cb52b88bcc929f5555cd302d9ed848b7e407052/Backdoor-Minimalist.sct
diff --git a/yml/OSLibraries/Shdocvw.yml b/yml/OSLibraries/Shdocvw.yml
index d375231..b02158f 100644
--- a/yml/OSLibraries/Shdocvw.yml
+++ b/yml/OSLibraries/Shdocvw.yml
@@ -12,10 +12,10 @@ Commands:
 MitreID: T1085
 MItreLink: https://attack.mitre.org/wiki/Technique/T1085
 OperatingSystem: Windows
-Full Path:
+Full_Path:
 - Path: c:\windows\system32\shdocvw.dll
 - Path: c:\windows\syswow64\shdocvw.dll
-Code Sample:
+Code_Sample:
 - Code: https://gist.githubusercontent.com/bohops/89d7b11fa32062cfe31be9fdb18f050e/raw/1206a613a6621da21e7fd164b80a7ff01c5b64ab/calc.url
 Detection:
 - IOC:
diff --git a/yml/OSLibraries/Shell32.yml b/yml/OSLibraries/Shell32.yml
index ead3084..d41c301 100644
--- a/yml/OSLibraries/Shell32.yml
+++ b/yml/OSLibraries/Shell32.yml
@@ -26,10 +26,10 @@ Commands:
 Privileges: User
 MitreID: T1085
 MItreLink: https://attack.mitre.org/wiki/Technique/T1085
-Full Path:
+Full_Path:
 - Path: c:\windows\system32\shell32.dll
 - Path: c:\windows\syswow64\shell32.dll
-Code Sample:
+Code_Sample:
 - Code:
 Detection:
 - IOC:
diff --git a/yml/OSLibraries/Syssetup.yml b/yml/OSLibraries/Syssetup.yml
index 862b33e..802cbd5 100644
--- a/yml/OSLibraries/Syssetup.yml
+++ b/yml/OSLibraries/Syssetup.yml
@@ -20,10 +20,10 @@ Commands:
 MitreID: T1085
 MitreLink: https://attack.mitre.org/wiki/Technique/T1085
 OperatingSystem: Windows
-Full Path:
+Full_Path:
 - Path: c:\windows\system32\syssetup.dll
 - Path: c:\windows\syswow64\syssetup.dll
-Code Sample:
+Code_Sample:
 - Code: https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf
 - Code: https://gist.github.com/enigma0x3/469d82d1b7ecaf84f4fb9e6c392d25ba#file-backdoor-minimalist-sct
 - Code: https://gist.github.com/homjxi0e/87b29da0d4f504cb675bb1140a931415
diff --git a/yml/OSLibraries/Url.yml b/yml/OSLibraries/Url.yml
index 39309e7..15be3a5 100644
--- a/yml/OSLibraries/Url.yml
+++ b/yml/OSLibraries/Url.yml
@@ -52,10 +52,10 @@ Commands:
 MitreID: T1085
 MItreLink: https://attack.mitre.org/wiki/Technique/T1085
 OperatingSystem: Windows
-Full Path:
+Full_Path:
 - Path: c:\windows\system32\url.dll
 - Path: c:\windows\syswow64\url.dll
-Code Sample:
+Code_Sample:
 - Code:
 Detection:
 - IOC:
diff --git a/yml/OSLibraries/Zipfldr.yml b/yml/OSLibraries/Zipfldr.yml
index b080f4c..963e7b4 100644
--- a/yml/OSLibraries/Zipfldr.yml
+++ b/yml/OSLibraries/Zipfldr.yml
@@ -20,10 +20,10 @@ Commands:
 MitreID: T1085
 MItreLink: https://attack.mitre.org/wiki/Technique/T1085
 OperatingSystem: Windows
-Full Path:
+Full_Path:
 - Path: c:\windows\system32\zipfldr.dll
 - Path: c:\windows\syswow64\zipfldr.dll
-Code Sample:
+Code_Sample:
 - Code:
 Detection:
 - IOC:
diff --git a/yml/OSScripts/CL_mutexverifiers.yml b/yml/OSScripts/CL_mutexverifiers.yml
index 9b0faea..06bdf24 100644
--- a/yml/OSScripts/CL_mutexverifiers.yml
+++ b/yml/OSScripts/CL_mutexverifiers.yml
@@ -12,11 +12,11 @@ Commands:
 MitreID: T1216
 MitreLink: https://attack.mitre.org/wiki/Technique/T1216
 OperatingSystem: Windows 10
-Full Path:
+Full_Path:
 - Path: C:\Windows\diagnostics\system\WindowsUpdate\CL_Mutexverifiers.ps1
 - Path: C:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1
 - Path: C:\Windows\diagnostics\system\WindowsUpdate\CL_Mutexverifiers.ps1
-Code Sample:
+Code_Sample:
 - Code:
 Detection:
 - IOC:
diff --git a/yml/OSScripts/Cl_invocation.yml b/yml/OSScripts/Cl_invocation.yml
index 4266e6d..07cf235 100644
--- a/yml/OSScripts/Cl_invocation.yml
+++ b/yml/OSScripts/Cl_invocation.yml
@@ -12,11 +12,11 @@ Commands:
 MitreID: T1216
 MitreLink: https://attack.mitre.org/wiki/Technique/T1216
 OperatingSystem: Windows 10
-Full Path:
+Full_Path:
 - Path: C:\Windows\diagnostics\system\AERO\CL_Invocation.ps1
 - Path: C:\Windows\diagnostics\system\Audio\CL_Invocation.ps1
 - Path: C:\Windows\diagnostics\system\WindowsUpdate\CL_Invocation.ps1
-Code Sample:
+Code_Sample:
 - Code:
 Detection:
 - IOC:
diff --git a/yml/OSScripts/Manage-bde.yml b/yml/OSScripts/Manage-bde.yml
index fcfd182..8d98bef 100644
--- a/yml/OSScripts/Manage-bde.yml
+++ b/yml/OSScripts/Manage-bde.yml
@@ -20,9 +20,9 @@ Commands:
 MitreID: T1216
 MitreLink: https://attack.mitre.org/wiki/Technique/T1216
 OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full Path:
+Full_Path:
 - Path: C:\Windows\System32\manage-bde.wsf
-Code Sample:
+Code_Sample:
 - Code:
 Detection:
 - IOC: Manage-bde.wsf should normally not be invoked by a user
diff --git a/yml/OSScripts/Pubprn.yml b/yml/OSScripts/Pubprn.yml
index 3452ae4..84215d7 100644
--- a/yml/OSScripts/Pubprn.yml
+++ b/yml/OSScripts/Pubprn.yml
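Review bot: The `Full_Path` list in CL_mutexverifiers.yml lists `C:\Windows\diagnostics\system\WindowsUpdate\CL_Mutexverifiers.ps1` twice (first and third entries), so one of the three locations is missing from the record. The sibling Cl_invocation.yml hunk on this line enumerates the AERO, Audio and WindowsUpdate diagnostics folders in that order, which suggests the first entry was meant to be `- Path: C:\Windows\diagnostics\system\AERO\CL_Mutexverifiers.ps1`; that should be verified against a Windows 10 install rather than assumed. Dropping the duplicate is the minimum fix if the AERO copy cannot be confirmed.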
@@ -12,10 +12,10 @@ Commands:
 MitreID: T1216
 MitreLink: https://attack.mitre.org/wiki/Technique/T1216
 OperatingSystem: Windows 10
-Full Path:
+Full_Path:
 - Path: C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs
 - Path: C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\pubprn.vbs
-Code Sample:
+Code_Sample:
 - Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSScripts/Payload/Pubprn_calc.sct
 Detection:
 - IOC:
diff --git a/yml/OSScripts/Slmgr.yml b/yml/OSScripts/Slmgr.yml
index b1ca4bc..8f04c38 100644
--- a/yml/OSScripts/Slmgr.yml
+++ b/yml/OSScripts/Slmgr.yml
@@ -12,10 +12,10 @@ Commands:
 MitreID: T1216
 MitreLink: https://attack.mitre.org/wiki/Technique/T1216
 OperatingSystem: Windows 10
-Full Path:
+Full_Path:
 - Path: C:\Windows\System32\slmgr.vbs
 - Path: C:\Windows\SysWOW64\slmgr.vbs
-Code Sample:
+Code_Sample:
 - Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSScripts/Payload/Slmgr_calc.sct
 - Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSScripts/Payload/Slmgr.reg
 Detection:
diff --git a/yml/OSScripts/Syncappvpublishingserver.yml b/yml/OSScripts/Syncappvpublishingserver.yml
index 8f19521..f8f6dd0 100644
--- a/yml/OSScripts/Syncappvpublishingserver.yml
+++ b/yml/OSScripts/Syncappvpublishingserver.yml
@@ -12,9 +12,9 @@ Commands:
 MitreID: T1216
 MitreLink: https://attack.mitre.org/wiki/Technique/T1216
 OperatingSystem: Windows 10
-Full Path:
+Full_Path:
 - Path: C:\Windows\System32\SyncAppvPublishingServer.vbs
-Code Sample:
+Code_Sample:
 - Code:
 Detection:
 - IOC:
diff --git a/yml/OSScripts/Winrm.yml b/yml/OSScripts/Winrm.yml
index 1e19cd2..76bc036 100644
--- a/yml/OSScripts/Winrm.yml
+++ b/yml/OSScripts/Winrm.yml
@@ -36,10 +36,10 @@ Commands:
 MitreID: T1216
 MitreLink: https://attack.mitre.org/wiki/Technique/T1216
 OperatingSystem: Windows 10
-Full Path:
+Full_Path:
 - Path: C:\Windows\System32\winrm.vbs
 - Path: C:\Windows\SysWOW64\winrm.vbs
-Code Sample:
+Code_Sample:
 - Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSScripts/Payload/Slmgr.reg
 - Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSScripts/Payload/Slmgr_calc.sct
 Detection:
diff --git a/yml/OSScripts/pester.yml b/yml/OSScripts/pester.yml
index 9dbc7cd..56d8193 100644
--- a/yml/OSScripts/pester.yml
+++ b/yml/OSScripts/pester.yml
@@ -12,10 +12,10 @@ Commands:
 MitreID: T1216
 MitreLink: https://attack.mitre.org/wiki/Technique/T1216
 OperatingSystem: Windows 10
-Full Path:
+Full_Path:
 - Path: c:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\bin\Pester.bat
 - Path: c:\Program Files\WindowsPowerShell\Modules\Pester\*\bin\Pester.bat
-Code Sample:
+Code_Sample:
 - Code:
 Detection:
 - IOC:
diff --git a/yml/OtherMSBinaries/Appvlp.yml b/yml/OtherMSBinaries/Appvlp.yml
index a6746b2..c9ea79d 100644
--- a/yml/OtherMSBinaries/Appvlp.yml
+++ b/yml/OtherMSBinaries/Appvlp.yml
@@ -28,10 +28,10 @@ Commands:
 MitreID: T1218
 MitreLink: https://attack.mitre.org/wiki/Technique/T1218
 OperatingSystem: Windows 10 w/Office 2016
-Full Path:
+Full_Path:
 - Path: C:\Program Files\Microsoft Office\root\client\appvlp.exe
 - Path: C:\Program Files (x86)\Microsoft Office\root\client\appvlp.exe
-Code Sample:
+Code_Sample:
 - Code:
 Detection:
 - IOC:
diff --git a/yml/OtherMSBinaries/Bginfo.yml b/yml/OtherMSBinaries/Bginfo.yml
index a16f627..b7e2819 100644
--- a/yml/OtherMSBinaries/Bginfo.yml
+++ b/yml/OtherMSBinaries/Bginfo.yml
@@ -52,9 +52,9 @@ Commands:
 MitreID: T1218
 MitreLink: https://attack.mitre.org/wiki/Technique/T1218
 OperatingSystem: Windows
-Full Path:
+Full_Path:
 - Path: No fixed path
-Code Sample:
+Code_Sample:
 - Code:
 Detection:
 - IOC:
diff --git a/yml/OtherMSBinaries/Cdb.yml b/yml/OtherMSBinaries/Cdb.yml
index e0f7fcc..2411a0d 100644
--- a/yml/OtherMSBinaries/Cdb.yml
+++ b/yml/OtherMSBinaries/Cdb.yml
@@ -12,10 +12,10 @@ Commands:
 MitreID: T1218
 MitreLink: https://attack.mitre.org/wiki/Technique/T1218
 OperatingSystem: Windows
-Full Path:
+Full_Path:
 - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe
 - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\cdb.exe
-Code Sample:
+Code_Sample:
 - Code:
 Detection:
 - IOC:
diff --git a/yml/OtherMSBinaries/Csi.yml b/yml/OtherMSBinaries/Csi.yml
index 0e90270..46a5ea7 100644
--- a/yml/OtherMSBinaries/Csi.yml
+++ b/yml/OtherMSBinaries/Csi.yml
@@ -12,10 +12,10 @@ Commands:
 MitreID: T1218
 MitreLink: https://attack.mitre.org/wiki/Technique/T1218
 OperatingSystem: Windows
-Full Path:
+Full_Path:
 - Path: c:\Program Files (x86)\Microsoft Visual Studio\2017\Community\MSBuild\15.0\Bin\Roslyn\csi.exe
 - Path: c:\Program Files (x86)\Microsoft Web Tools\Packages\Microsoft.Net.Compilers.X.Y.Z\tools\csi.exe
-Code Sample:
+Code_Sample:
 - Code:
 Detection:
 - IOC:
diff --git a/yml/OtherMSBinaries/Dnx.yml b/yml/OtherMSBinaries/Dnx.yml
index 68ab14d..b133a8a 100644
--- a/yml/OtherMSBinaries/Dnx.yml
+++ b/yml/OtherMSBinaries/Dnx.yml
@@ -12,9 +12,9 @@ Commands:
 MitreID: T1218
 MitreLink: https://attack.mitre.org/wiki/Technique/T1218
 OperatingSystem: Windows
-Full Path:
+Full_Path:
 - Path: N/A
-Code Sample:
+Code_Sample:
 - Code:
 Detection:
 - IOC:
diff --git a/yml/OtherMSBinaries/Dxcap.yml b/yml/OtherMSBinaries/Dxcap.yml
index 0fbbb24..ef13851 100644
--- a/yml/OtherMSBinaries/Dxcap.yml
+++ b/yml/OtherMSBinaries/Dxcap.yml
@@ -12,10 +12,10 @@ Commands:
 MitreID: T1218
 MitreLink: https://attack.mitre.org/wiki/Technique/T1218
 OperatingSystem: Windows
-Full Path:
+Full_Path:
 - Path: C:\Windows\System32\dxcap.exe
 - Path: C:\Windows\SysWOW64\dxcap.exe
-Code Sample:
+Code_Sample:
 - Code:
 Detection:
 - IOC:
diff --git a/yml/OtherMSBinaries/Mftrace.yml b/yml/OtherMSBinaries/Mftrace.yml
index 81bdb98..6cda996 100644
--- a/yml/OtherMSBinaries/Mftrace.yml
+++ b/yml/OtherMSBinaries/Mftrace.yml
@@ -20,12 +20,12 @@ Commands:
 MitreID: T1218
 MitreLink: https://attack.mitre.org/wiki/Technique/T1218
 OperatingSystem: Windows
-Full Path:
+Full_Path:
 - Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x86
 - Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x64
 - Path: C:\Program Files (x86)\Windows Kits\10\bin\x86
 - Path: C:\Program Files (x86)\Windows Kits\10\bin\x64
-Code Sample:
+Code_Sample:
 - Code:
 Detection:
 - IOC:
diff --git a/yml/OtherMSBinaries/Msdeploy.yml b/yml/OtherMSBinaries/Msdeploy.yml
index b180e03..dd8e2ac 100644
--- a/yml/OtherMSBinaries/Msdeploy.yml
+++ b/yml/OtherMSBinaries/Msdeploy.yml
@@ -12,9 +12,9 @@ Commands:
 MitreID: T1218
 MitreLink: https://attack.mitre.org/wiki/Technique/T1218
 OperatingSystem: Windows
-Full Path:
+Full_Path:
 - Path: C:\Program Files (x86)\IIS\Microsoft Web Deploy V3\msdeploy.exe
-Code Sample:
+Code_Sample:
 - Code:
 Detection:
 - IOC:
diff --git a/yml/OtherMSBinaries/Msxsl.yml b/yml/OtherMSBinaries/Msxsl.yml
index 4cfec8c..c11ad9f 100644
--- a/yml/OtherMSBinaries/Msxsl.yml
+++ b/yml/OtherMSBinaries/Msxsl.yml
@@ -36,9 +36,9 @@ Commands:
 MitreID: T1218
 MitreLink: https://attack.mitre.org/wiki/Technique/T1218
 OperatingSystem: Windows
-Full Path:
+Full_Path:
 - Path:
-Code Sample:
+Code_Sample:
 - Code:
 Detection:
 - IOC:
diff --git a/yml/OtherMSBinaries/Rcsi.yml b/yml/OtherMSBinaries/Rcsi.yml
index b4586b6..cb2b30c 100644
--- a/yml/OtherMSBinaries/Rcsi.yml
+++ b/yml/OtherMSBinaries/Rcsi.yml
@@ -20,9 +20,9 @@ Commands:
 MitreID: T1218
 MitreLink: https://attack.mitre.org/wiki/Technique/T1218
 OperatingSystem: Windows
-Full Path:
+Full_Path:
 - Path:
-Code Sample:
+Code_Sample:
 - Code:
 Detection:
 - IOC:
diff --git a/yml/OtherMSBinaries/Sqldumper.yml b/yml/OtherMSBinaries/Sqldumper.yml
index ebc26a0..2a0ccd6 100644
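Review bot: The Msxsl.yml and Rcsi.yml hunks on this line (and Te.yml and Tracker.yml on the following lines) keep a bare `- Path:` under the renamed `Full_Path` key, which YAML loads as a list containing a single `null`, while the Bginfo.yml and Dnx.yml hunks express the same "no fixed location" case as the strings `No fixed path` and `N/A`. Three spellings of one condition will trip any consumer that filters or renders the path list, so a schema-normalising commit is the right place to pick one; an empty list `Full_Path: []` is the cleanest, with `- Path: No fixed path` as the alternative if the project prefers a human-readable value. The Mftrace.yml entries on this line list directories rather than an executable, which may be intentional but is worth a comment.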
--- a/yml/OtherMSBinaries/Sqldumper.yml
+++ b/yml/OtherMSBinaries/Sqldumper.yml
@@ -20,10 +20,10 @@ Commands:
 MitreID: T1003
 MitreLink: https://attack.mitre.org/wiki/Technique/T1003
 OperatingSystem: Windows
-Full Path:
+Full_Path:
 - Path: C:\Program Files\Microsoft SQL Server\90\Shared\SQLDumper.exe
 - Path: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis\AS OLEDB\140\SQLDumper.exe
-Code Sample:
+Code_Sample:
 - Code:
 Detection:
 - IOC:
diff --git a/yml/OtherMSBinaries/Sqlps.yml b/yml/OtherMSBinaries/Sqlps.yml
index 1586ce8..422ebc3 100644
--- a/yml/OtherMSBinaries/Sqlps.yml
+++ b/yml/OtherMSBinaries/Sqlps.yml
@@ -12,9 +12,9 @@ Commands:
 MitreID: T1218
 MitreLink: https://attack.mitre.org/wiki/Technique/T1218
 OperatingSystem: Windows
-Full Path:
+Full_Path:
 - Path: C:\Program files (x86\Microsoft SQL Server\100\Tools\Binn\sqlps.exe
-Code Sample:
+Code_Sample:
 - Code:
 Detection:
 - IOC:
diff --git a/yml/OtherMSBinaries/Sqltoolsps.yml b/yml/OtherMSBinaries/Sqltoolsps.yml
index 97e379f..50d3dbe 100644
--- a/yml/OtherMSBinaries/Sqltoolsps.yml
+++ b/yml/OtherMSBinaries/Sqltoolsps.yml
@@ -12,9 +12,9 @@ Commands:
 MitreID: T1218
 MitreLink: https://attack.mitre.org/wiki/Technique/T1218
 OperatingSystem: Windows
-Full Path:
+Full_Path:
 - Path: C:\Program files (x86)\Microsoft SQL Server\130\Tools\Binn\sqlps.exe
-Code Sample:
+Code_Sample:
 - Code:
 Detection:
 - IOC:
diff --git a/yml/OtherMSBinaries/Te.yml b/yml/OtherMSBinaries/Te.yml
index 7a71d43..a6745e7 100644
--- a/yml/OtherMSBinaries/Te.yml
+++ b/yml/OtherMSBinaries/Te.yml
@@ -12,9 +12,9 @@ Commands:
 MitreID: T1218
 MitreLink: https://attack.mitre.org/wiki/Technique/T1218
 OperatingSystem: Windows
-Full Path:
+Full_Path:
 - Path:
-Code Sample:
+Code_Sample:
 - Code:
 Detection:
 - IOC:
diff --git a/yml/OtherMSBinaries/Tracker.yml b/yml/OtherMSBinaries/Tracker.yml
index fe0a5b5..f7902a4 100644
--- a/yml/OtherMSBinaries/Tracker.yml
+++ b/yml/OtherMSBinaries/Tracker.yml
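Review bot: The Sqlps.yml path `- Path: C:\Program files (x86\Microsoft SQL Server\100\Tools\Binn\sqlps.exe` is missing the closing parenthesis after `x86`, so it will never match the real on-disk location; it should read `- Path: C:\Program files (x86)\Microsoft SQL Server\100\Tools\Binn\sqlps.exe`. The Sqltoolsps.yml hunk on the same line points its only path at `sqlps.exe` under the `130` tools folder, which reads like a copy of the Sqlps entry rather than the binary the file is named for; that is an inference from the filename only and should be checked against an install before editing. Both entries' command blocks begin above their hunks.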
@@ -20,9 +20,9 @@ Commands:
 MitreID: T1218
 MitreLink: https://attack.mitre.org/wiki/Technique/T1218
 OperatingSystem: Windows
-Full Path:
+Full_Path:
 - Path:
-Code Sample:
+Code_Sample:
 - Code:
 Detection:
 - IOC:
diff --git a/yml/OtherMSBinaries/Vsjitdebugger.yml b/yml/OtherMSBinaries/Vsjitdebugger.yml
index 2f8b912..e0be905 100644
--- a/yml/OtherMSBinaries/Vsjitdebugger.yml
+++ b/yml/OtherMSBinaries/Vsjitdebugger.yml
@@ -12,9 +12,9 @@ Commands:
 MitreID: T1218
 MitreLink: https://attack.mitre.org/wiki/Technique/T1218
 OperatingSystem: Windows
-Full Path:
+Full_Path:
 - Path: c:\windows\system32\vsjitdebugger.exe
-Code Sample:
+Code_Sample:
 - Code:
 Detection:
 - IOC: