Commit Graph

315 Commits

Author  SHA1  Message  Date
Rich Rumble  1b00b374b3  Updated per suggestion  2020-09-03 11:46:25 -04:00
    Thanks!
Rich Rumble  3078cc3755  Update MpCmdRun.yml  2020-09-03 10:39:24 -04:00
    Added note that slashes (/) can also be used as command separators, and that the UA is MpCommunication
    Thanks!
Oddvar Moe  63c9bc97c3  Added detection details on mpcmdrun  2020-09-03 15:29:32 +02:00
Oddvar Moe  5c5a218faf  Updated links on mpcmdrun  2020-09-03 11:00:56 +02:00
Oddvar Moe  bfccb51085  Added MpCmdRun.exe  2020-09-03 10:55:37 +02:00
Oddvar Moe  9a5e2b114f  Fixed the OS versions on Diantz  2020-09-03 10:28:49 +02:00
Oddvar Moe  38a3d406b0  Update and rename pktmon.yml to Pktmon.yml  2020-08-24 09:51:48 +02:00
Oddvar Moe  2bb6404160  Merge pull request #82 from binar-x79/patch-1  2020-08-24 09:49:44 +02:00
    Create pktmon.yml
Oddvar Moe  525fc0c1eb  Added missing ticks in Diantz  2020-08-24 09:48:07 +02:00
Oddvar Moe  9b290ba808  Update and rename diantz.yml to Diantz.yml  2020-08-24 09:46:09 +02:00
Oddvar Moe  48219b177f  Merge pull request #80 from Tamirye/master  2020-08-24 09:45:12 +02:00
    Create diantz.yml
Oddvar Moe  57346d17f4  Changed capitalization inside file  2020-08-24 09:34:56 +02:00
Oddvar Moe  4792d22ddd  Rename vbc.yml to Vbc.yml  2020-08-24 09:33:37 +02:00
Oddvar Moe  380b8cfecd  Rename ilasm.yml to Ilasm.yml  2020-08-24 09:33:22 +02:00
Oddvar Moe  fa3710ede5  Rename certreq.yml to Certreq.yml  2020-08-24 09:32:54 +02:00
Oddvar Moe  a104fbd075  Merge pull request #75 from dtmsecurity/master  2020-08-24 09:30:16 +02:00
    Create certreq.yml
Oddvar Moe  2cf7d8cdeb  Adjusted missing ticks in Acknowledgement  2020-08-24 09:28:38 +02:00
Oddvar Moe  84a6cd8e85  Merge pull request #66 from GoSecure/gosecure/ttdinject  2020-08-24 09:25:29 +02:00
    Added proxy execution for ttdinject.exe
Oddvar Moe  2dabdb0840  Adjusted extrac32 yml error  2020-08-15 00:13:16 +02:00
Oddvar Moe  a24bc5b946  Merge pull request #79 from LuxNoBulIshit/master  2020-08-15 00:05:37 +02:00
    Add new use case for Extrac32.exe
Oddvar Moe  631996950a  Update Extrac32.yml  2020-08-15 00:05:16 +02:00
binar-x79  eb0279838b  Create pktmon.yml  2020-08-12 22:04:03 -07:00
Tamirye  4db780e0f0  Create diantz.yml  2020-08-08 15:09:53 +03:00
    Use diantz.exe to download and compress a binary file from a remote server/internet, or use it to store a file in an alternate data stream.
LuxNoBu!!shit  be19ca53ed  Update Extrac32.yml  2020-08-08 15:02:05 +03:00
LuxNoBu!!shit  2450b9fc0a  Update Extrac32.yml  2020-08-08 15:01:46 +03:00
LuxNoBu!!shit  3a3d28e496  Update Extrac32.yml  2020-08-08 14:59:15 +03:00
    Another use case for Extrac32.
Chris "Lopi" Spehn  689c3b1fea  Update Regsvcs.yml  2020-08-04 07:40:48 -06:00
    Fixed inaccurate permissions
@dtmsecurity  aa88bf8144  Create certreq.yml  2020-07-07 21:09:06 +01:00
Maxime Nadeau  640e7f2d65  Added a Windows 10 2004 version  2020-07-03 16:59:53 -04:00
bohops  343a0e2478  Added plain explorer execution  2020-07-03 15:03:07 -04:00
bohops  a976eaefe1  Updated MITRE reference - T1096  2020-07-03 10:35:01 -04:00
bohops  f1a7ad92dd  Changed privilege level for registration  2020-07-03 10:24:34 -04:00
Oddvar Moe  cb3a45008e  Added regini.exe writing to registry using ADS  2020-07-03 15:40:58 +02:00
Oddvar Moe  420860e5f7  Adjusted some missing quotes and stuff on Desktopimgdownldr  2020-07-03 15:05:33 +02:00
Oddvar Moe  7dfbc7af67  Update and rename desktopimgdownldr.yml to Desktopimgdownldr.yml  2020-07-03 15:04:09 +02:00
    Changed capitalization
Oddvar Moe  c5866efc41  Merge pull request #74 from Kristal-g/master  2020-07-03 15:03:10 +02:00
    Added desktopimgdownldr.exe
Oddvar Moe  dac58c312f  Fixed some missing quotes and stuff on psr.exe  2020-07-03 14:59:50 +02:00
Oddvar Moe  17db28c643  Merge pull request #73 from Lemonada/master  2020-07-03 14:58:26 +02:00
    Add psr.exe
Oddvar Moe  416680941d  Rename explorer.yml to Explorer.yml  2020-07-03 14:52:29 +02:00
    Changed capitalization
Oddvar Moe  8bb57e1ac5  Merge pull request #72 from JPMinty/master  2020-07-03 14:50:07 +02:00
    Create explorer.yml
Oddvar Moe  8ce4c1497d  Merge pull request #64 from noraj/patch-1  2020-07-03 14:08:32 +02:00
    Download for ftp.exe
Oddvar Moe  794d3c04cc  Added Acknowledgement to rundll32  2020-07-03 14:03:51 +02:00
Oddvar Moe  604eb45fb4  Merge pull request #61 from MartinIngesen/master  2020-07-03 14:01:12 +02:00
    Using rundll32 to execute a DLL from an SMB share
Kristal-g  fd01a9151a  Added desktopimgdownldr.exe  2020-07-02 20:46:05 +03:00
Lemonada  2a5a4e391d  Create Psr.yml  2020-06-27 14:51:07 +03:00
    Take screenshots of user sessions
JPMinty  663724523f  Update explorer.yml  2020-06-24 21:15:40 +09:30
JPMinty  dec26ada21  Create explorer.yml  2020-06-24 21:09:59 +09:30
Maxime Nadeau  b95fb7ed27  Added the IOCs  2020-05-12 16:40:49 -04:00
Maxime Nadeau  b8b265b397  Added ttdinject  2020-05-12 16:31:47 -04:00
Maxime Nadeau  5de8d357b6  Added ttdinject.exe  2020-05-12 16:24:49 -04:00
Alexandre ZANNI  aef4b06952  Download for ftp.exe  2020-04-21 23:52:22 +02:00
    Add a non-interactive one-line command to download an arbitrary binary with ftp.exe.
    Excessively useful on Windows XP and Windows Server 2003, where all other LOLBAS that allow download (certutils, bitsutils, etc.) don't exist and where PowerShell was not installed by default.
Oddvar Moe  9f110bce07  Fixed missing octet in command  2020-03-25 11:24:54 +01:00
Oddvar Moe  6ac04d73d7  Added examples to bash.exe  2020-03-25 11:08:13 +01:00
Chris "Lopi" Spehn  d67c8f5c11  Update RegAsm to the correct permissions  2020-03-20 11:51:21 -06:00
Martin Ingesen  e4face79af  Using rundll32 to execute a DLL via SMB  2020-03-18 15:20:50 +01:00
Oddvar Moe  cce7c5ce3a  Adjusted error in atbroker as per issue #47  2020-03-17 11:08:47 +01:00
Oddvar Moe  94d10799d3  Adjusted ilasm  2020-03-17 11:05:14 +01:00
LuxNoBu!!shit  7a2ff4c250  Create ilasm.yml  2020-03-17 03:04:20 +02:00
Oddvar Moe  80295ef865  Merge pull request #54 from ForensicITGuy/ntdsutil  2020-03-16 20:06:54 +01:00
    Ntdsutil & Rasautou addition
Oddvar Moe  81c363ac8a  Adjustment to vbc.yml contribution  2020-03-16 19:55:27 +01:00
leo1-1  c7c93e9f95  Create vbc.yml  2020-02-27 17:13:07 +02:00
Oddvar Moe  acecdcf3df  Netsh contribution from Freddie Bar-Smith - Thank you  2020-01-23 09:07:40 +01:00
Oddvar Moe  94708ac5d6  Added links to obfuscation technique from Sailay(valen) on rundll32  2020-01-23 08:57:43 +01:00
Tony M Lambert  99b87fdc13  Rasautou addition  2020-01-10 22:52:15 -06:00
Oddvar Moe  ecc94c2d09  Adjusted GfxDownloadWrapper  2020-01-07 09:08:13 +01:00
Oddvar Moe  71aec7465b  Minor adjustments to GfxDownloadWrapper.yml  2020-01-07 09:03:42 +01:00
jesgal  c9e608ce0f  Update GfxDownloadWrapper.yml  2019-12-27 17:11:30 +01:00
jesgal  a057cf2420  Create GfxDownloadWrapper.yml  2019-12-27 17:02:34 +01:00
    GfxDownloadWrapper.exe downloads the content returned by <URL> and writes it to the file <DESTINATION FILE PATH>. The binary is signed by "Microsoft Windows Hardware", "Compatibility Publisher", "Microsoft Windows Third Party Component CA 2012", "Microsoft Time-Stamp PCA 2010", "Microsoft Time-Stamp Service".
Oddvar Moe  94a295213e  Added Dump example to TTTracer.exe  2019-11-18 12:50:49 +01:00
Oddvar Moe  e0db5721ff  Added Dump Example to TTTracer.exe  2019-11-18 12:47:51 +01:00
Oddvar Moe  4663c13324  Adjustment  2019-11-05 15:47:20 +01:00
Oddvar Moe  8d74b3062f  Adjustment  2019-11-05 14:36:53 +01:00
Oddvar Moe  f9a7c42a85  Added TTTracer.exe - Thanks Onur Ulusoy  2019-11-05 12:12:46 +01:00
Oddvar Moe  13093c879e  Updated odbcconf.exe with discovery from @Hexacorn <3  2019-10-24 10:01:44 +02:00
Oddvar Moe  8eb582de42  Update At.yml  2019-10-07 23:51:26 +02:00
freddie  9f47e26f16  Adding At.exe, for submission to the LOLBAS list, with proof of malware using it in the wild :O  2019-09-21 03:19:25 +01:00
Oddvar Moe  b284e46763  Added example to wscript  2019-06-27 17:27:31 +02:00
Oddvar Moe  da3b619651  Adjusted new contributions  2019-06-27 13:42:06 +02:00
Oddvar Moe  285e4d78d8  Adjusted new contributions  2019-06-27 13:40:03 +02:00
r0lan  fb5f164827  Cmd.exe ADS  2019-06-26 18:33:11 +08:00
Oddvar Moe  f7748a08cc  Added Jsc.exe - Thanks @DissectMalware  2019-05-31 13:56:55 +02:00
Oddvar Moe  106c359687  Added Jsc.exe - Thanks @DissectMalware  2019-05-31 13:53:43 +02:00
Oddvar Moe  17e541f8c0  Added wsreset.exe - UAC bypass  2019-03-18 08:44:53 +01:00
bohops  8806a9e0ee  Added VSS use case  2019-02-12 08:15:55 -05:00
Oddvar Moe  69795dca7e  Added fixes from https://github.com/sagishahar, typos in wmic and extexport  2019-02-01 18:38:35 +01:00
Santiago Bruno  cc8288c7d5  Fixing some typos  2019-01-28 13:39:23 -03:00
Oddvar Moe  a0136a78cd  Typo in command - fixed  2019-01-24 11:52:25 +01:00
Oddvar Moe  92bcd8cfd8  Added new example to certutil from egre55  2019-01-24 10:40:45 +01:00
Santiago Bruno  64623edd6e  Renaming Ie4unit.yml as Ie4uinit.yml since this is the correct binary name  2019-01-23 20:06:16 -03:00
Santiago Bruno  7252652920  Replacing ie4unit occurrences with ie4uinit  2019-01-23 20:04:12 -03:00
Oddvar Moe  aba9538581  Minor changes to Eventvwr  2018-12-12 12:50:27 +01:00
Oddvar Moe  d827dfba1f  Merge pull request #22 from eSentire/master  2018-12-12 12:45:35 +01:00
    Eventvwr.exe UAC bypass
Oddvar Moe  7addc14d7f  Update Eventvwr.yml  2018-12-12 12:45:05 +01:00
    Category change
Maverick  99d1eed476  Correct wrongly attributed Twitter handle  2018-12-10 21:26:33 +01:00
    - it should be *Moriarty_Meng* instead of *moriarty2016*
Oddvar Moe  1af009d707  Added example to DFSVC - Thanks to PolarBearGod  2018-12-10 18:45:41 +01:00
Oddvar Moe  c9b4b244fa  Added ftp.exe  2018-12-10 15:03:30 +01:00
Oddvar Moe  04d193ccfa  Minor typo in Runscripthelper.exe  2018-12-10 14:38:48 +01:00
Oddvar Moe  94368c1e69  Major changes to Web portal - Small fixes to source files to adjust  2018-12-10 14:28:12 +01:00
bohops  2b77add5b4  Update Mmc.yml  2018-12-04 19:38:17 -05:00
bohops  931ea67ce4  Update Mmc.yml  2018-12-04 19:35:52 -05:00
bohops  838f2c9a49  Create Mmc.yml  2018-12-04 19:35:26 -05:00
bohops  cb1db201b8  Create Verclsid.yml  2018-12-04 19:26:34 -05:00
bohops  ef2b253227  Update Xwizard.yml  2018-12-04 19:09:42 -05:00
bohops  34b1287f10  Added rundll32 -sta COM server execution  2018-12-04 18:59:08 -05:00
Jacob Gajek  fd44373927  Eventvwr.exe UAC bypass  2018-11-01 15:20:09 -04:00
Oddvar Moe  60874f9754  Changed from non-existing category persistence to execute  2018-10-25 21:35:37 +02:00
Oddvar Moe  a61d2586cf  Errors in YAML files corrected  2018-10-25 21:24:55 +02:00
xenoscr  d6fe95fe98  Adding Microsoft.Workflow.Compiler.exe and payload examples.  2018-10-24 22:48:45 -04:00
Ossi Väänänen  31d7b4aa77  Failed to RTFM -- removed .md, added .yml  2018-10-24 11:55:52 +03:00
Oddvar Moe  bac3b9e56c  Update scripts with new template. Fixed mgmt script for webportal. Adjustments to existing yml files  2018-09-26 11:41:58 +02:00
Oddvar Moe  d48273583e  Changed alternate data stream to ADS as category  2018-09-26 09:34:01 +02:00
Oddvar Moe  f8fec9849b  Minor adjustments to be YAML compliant  2018-09-24 23:18:00 +02:00
Oddvar Moe  37cc1ee83e  Changed all OSBinaries according to the new template  2018-09-24 21:59:43 +02:00
Oddvar Moe  adafa6de3f  Update readme, began updating OSBins with new template  2018-09-24 01:50:14 +02:00
Oddvar Moe  c949e100bd  MD files generated from script, and adjustments to readme  2018-09-14 15:48:52 +02:00