diff --git a/yml/OSBinaries/Robocopy.yml b/yml/OSBinaries/Robocopy.yml new file mode 100644 index 00000000..98f6fd3a --- /dev/null +++ b/yml/OSBinaries/Robocopy.yml 
@@ -0,0 +1,80 @@ +--- +Name: Robocopy.exe +Description: built-in Windows utility used for directory replication, metadata-preserving file operations, and backup automation + +Aliases: [] + +Author: Raja Singh +Created: 2025-12-10 + +Commands: + - Command: robocopy "C:\source" "D:\dest" file.txt /COPYALL /R:0 /W:0 + Description: file and directory copying while preserving timestamps, ACLs, and attributes. + Usecase: Detect unusual timestomp-like or stealth file movement behavior. + Category: Copy + Privileges: User or Administrator (depending on source/destination) + MitreID: T1005 + OperatingSystem: Windows 7–11; Windows Server 2012–2022 + Tags: + - Tag: MetadataPreservation + + - Command: robocopy "C:\Source" "D:\Destination" /MIR /R:0 /W:0 + Description: replicating entire folder structures and deletes mismatches in the destination. + Usecase: Identify large-scale replication or suspicious mirroring of sensitive directories. + Category: Copy + Privileges: User or Administrator + MitreID: T1074 + OperatingSystem: Windows 7–11; Windows Server 2012–2022 + Tags: + - Tag: Mirroring + + - Command: robocopy "C:\Source" "D:\Destination" file.txt /COPY:DATS /R:0 /W:0 + Description: copying NTFS Alternate Data Streams when present in source files. + Usecase: Surface rare ADS movements that may indicate concealment or staging. + Category: ADS + Privileges: User + MitreID: T1564 + OperatingSystem: Windows 7–11; Windows Server 2012–2022 + Tags: + - Tag: ADS + + - Command: robocopy "C:\Source" "$env:TEMP" file.txt /R:0 /W:0 + Description: copies files into temporary or user-writable directories. + Usecase: Identify data staging behaviors that may precede exfiltration. 
+ Category: Copy + Privileges: User + MitreID: T1074 + OperatingSystem: Windows 7–11; Windows Server 2012–2022 + Tags: + - Tag: Staging + +Full_Path: + - Path: C:\Windows\System32\robocopy.exe + - Path: C:\Windows\SysWOW64\robocopy.exe + +Code_Sample: [] + +Detection: + - IOC: robocopy.exe process execution + - IOC: Metadata, mirroring, or ADS-related switches observed in command line + - IOC: High-volume or unusual directory replication operations + - IOC: Execution from uncommon parent processes such as office applications or browsers + - IOC: Copy operations targeting temporary or user-writable staging directories + - IOC: Replication of files from sensitive or user-profile locations + - IOC: Use of robocopy.exe with deletion or mirroring flags (/MIR, /PURGE) in unexpected paths + - IOC: robocopy.exe executed by non-administrative users in abnormal contexts + - Sigma: https://github.com/SigmaHQ/sigma/blob/13aae8c1eacb68172fd79f343b23d39aa1773d79/rules/windows/process_creation/proc_creation_win_susp_copy_browser_data.yml#L37 + - Sigma: https://github.com/SigmaHQ/sigma/blob/13aae8c1eacb68172fd79f343b23d39aa1773d79/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml#L30 + - Sigma: https://github.com/SigmaHQ/sigma/blob/13aae8c1eacb68172fd79f343b23d39aa1773d79/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml#L38 + - Sigma: https://github.com/SigmaHQ/sigma/blob/13aae8c1eacb68172fd79f343b23d39aa1773d79/rules/windows/create_remote_thread/create_remote_thread_win_susp_relevant_source_image.yml#L51 + - Sigma: https://github.com/SigmaHQ/sigma/blob/13aae8c1eacb68172fd79f343b23d39aa1773d79/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml#L38 + - Sigma: https://github.com/SigmaHQ/sigma/blob/13aae8c1eacb68172fd79f343b23d39aa1773d79/unsupported/windows/proc_creation_win_correlation_multiple_susp_cli.yml#L48 + +Resources: + - Link: 
https://learn.microsoft.com/windows-server/administration/windows-commands/robocopy + - Link: https://attack.mitre.org/groups/G0045/ + - Link: https://www.cisa.gov/news-events/alerts/2018/10/03/advanced-persistent-threat-activity-exploiting-managed-service-providers + +Acknowledgement: + - Person: Raja Singh + Handle: '@fluxwarden' diff --git a/yml/OSBinaries/setx.yml b/yml/OSBinaries/setx.yml new file mode 100644 index 00000000..a86c4734 --- /dev/null +++ b/yml/OSBinaries/setx.yml 
@@ -0,0 +1,205 @@ +--- +Name: SetX.exe +Description: Microsoft-signed utility used to create or modify user and system environment variables, including registry extraction, remote variable creation, and file parsing. +Aliases: + - Alias: setx64.exe +Author: Raja Singh +Created: 2025-12-10 + +Commands: + + # Basic Variable Assignment + - Command: setx MACHINE COMPAQ + Description: Creates or updates a user environment variable. + Usecase: Persistent variable modification. + Category: Tamper + Privileges: User + MitreID: T1547 + OperatingSystem: Windows 7–11; Windows Server 2012–2022 + Tags: + - Purpose: EnvModification + - Risk: Persistence + + - Command: setx MACHINE "COMPAQ COMPUTER" /M + Description: Creates or updates a system environment variable. + Usecase: System-wide persistence. + Category: Tamper + Privileges: Administrator + MitreID: T1547 + OperatingSystem: Windows 7–11; Windows Server 2012–2022 + Tags: + - Purpose: SystemPersistence + - Risk: ExecutionHijack + + # PATH Hijacking + - Command: setx MYPATH %PATH% + Description: Copies PATH to a new variable. + Usecase: Prepare for PATH hijacking. + Category: Tamper + Privileges: User + MitreID: T1574.009 + OperatingSystem: Windows 7–11; Windows Server 2012–2022 + Tags: + - Purpose: PathCopy + - Risk: HijackPrep + + - Command: setx MYPATH ~PATH~ + Description: Copies PATH with tilde expansion. + Usecase: Modify PATH to insert malicious directories. + Category: Tamper + Privileges: User + MitreID: T1574.009 + OperatingSystem: Windows 7–11; Windows Server 2012–2022 + Tags: + - Purpose: PathManipulation + - Risk: ExecutionHijack + + # Remote Execution Context + - Command: setx /S system /U user /P password MACHINE COMPAQ + Description: Creates a variable on a remote host. + Usecase: Remote persistence. 
+ Category: Upload + Privileges: DomainUser + MitreID: T1021 + OperatingSystem: Windows 7–11; Windows Server 2012–2022 + Tags: + - Purpose: RemoteWrite + - Risk: LateralMovement + + - Command: setx /S system /U user /P password MYPATH ^%PATH^% + Description: Writes variables remotely using escaped syntax. + Usecase: Remote environment poisoning. + Category: Upload + Privileges: DomainUser + MitreID: T1021 + OperatingSystem: Windows 7–11; Windows Server 2012–2022 + Tags: + - Purpose: RemotePoisoning + - Risk: LMPreAttack + + # Registry Extraction (/K) + - Command: setx TZONE /K HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TimeZoneInformation\StandardName + Description: Extracts registry value into an environment variable. + Usecase: Collect system configuration without reg.exe. + Category: Reconnaissance + Privileges: User + MitreID: T1005 + OperatingSystem: Windows 7–11; Windows Server 2012–2022 + Tags: + - Purpose: RegistryRead + - Risk: DataGathering + + - Command: setx BUILD /K "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\CurrentBuildNumber" /M + Description: Extracts build number into a system variable. + Usecase: Persist configuration state. + Category: Reconnaissance + Privileges: Administrator + MitreID: T1547 + OperatingSystem: Windows 7–11; Windows Server 2012–2022 + Tags: + - Purpose: BuildInfo + - Risk: ReconPersistence + + - Command: setx /S system /U user /P password TZONE /K HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TimeZoneInformation\StandardName + Description: Remote registry extraction. + Usecase: Discovery across hosts. + Category: Upload + Privileges: DomainUser + MitreID: T1021 + OperatingSystem: Windows 7–11; Windows Server 2012–2022 + Tags: + - Purpose: RemoteRecon + - Risk: LateralMovement + + - Command: setx /S system /U user /P password BUILD /K "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\CurrentBuildNumber" /M + Description: Writes system registry values remotely. 
+ Usecase: Cross-host persistence. + Category: Upload + Privileges: DomainAdmin + MitreID: T1021 + OperatingSystem: Windows 7–11; Windows Server 2012–2022 + Tags: + - Purpose: RemoteBuildWrite + - Risk: CrossHostPersistence + + # File Parsing (Syntax 3) + - Command: setx /F ipconfig.out /X + Description: Displays file content via coordinate rendering. + Usecase: Covert file reading. + Category: Reconnaissance + Privileges: User + MitreID: T1083 + OperatingSystem: Windows 7–11; Windows Server 2012–2022 + Tags: + - Purpose: FileRead + - Risk: DataLeak + + - Command: setx IPADDR /F ipconfig.out /A 5,11 + Description: Extracts text at file coordinates. + Usecase: Extract sensitive values. + Category: Reconnaissance + Privileges: User + MitreID: T1083 + OperatingSystem: Windows 7–11; Windows Server 2012–2022 + Tags: + - Purpose: CoordinateExtract + - Risk: SensitiveInfoGrab + + - Command: setx OCTET1 /F ipconfig.out /A 5,3 /D "#$*." + Description: Parses file content using custom delimiters. + Usecase: Extract structured data. + Category: Reconnaissance + Privileges: User + MitreID: T1083 + OperatingSystem: Windows 7–11; Windows Server 2012–2022 + Tags: + - Purpose: DelimiterParsing + - Risk: StructuredLeak + + - Command: setx IPGATEWAY /F ipconfig.out /R 0,7 Gateway + Description: Extracts text relative to keyword. + Usecase: Pattern-based extraction. + Category: Reconnaissance + Privileges: User + MitreID: T1083 + OperatingSystem: Windows 7–11; Windows Server 2012–2022 + Tags: + - Purpose: PatternExtract + - Risk: InfraRecon + + - Command: setx /S system /U user /P password /F c:\ipconfig.out /X + Description: Reads file contents remotely. + Usecase: Remote file reconnaissance. 
+ Category: Upload + Privileges: DomainUser + MitreID: T1021 + OperatingSystem: Windows 7–11; Windows Server 2012–2022 + Tags: + - Purpose: RemoteFileRead + - Risk: LMRecon + +Full_Path: + - Path: C:\Windows\System32\setx.exe + - Path: C:\Windows\SysWOW64\setx.exe + +Code_Sample: + - Code: setx payload C:\Users\Public\evil.exe + - Code: setx /M COMSPEC C:\Users\Public\cmd.exe + - Code: setx PATH "%PATH%;C:\Temp\bin" + - Code: setx SECRET /K HKCU\Software\MyApp\Config\Password + - Code: setx KEYVAL /F output.txt /A 2,5 + - Code: setx /S 10.0.0.8 /U corp\admin /P Pass123 backdoor C:\backdoor.exe + +Detection: + - IOC: Modification of PATH, COMSPEC, WINDIR, PATHEXT, TEMP, TMP + - IOC: System variable modification via /M + - IOC: Remote SetX usage via /S /U /P + - IOC: Registry extraction using /K + - IOC: Coordinate-based parsing (/A, /R, /X) + +Resources: + - Link: https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/setx + +Acknowledgement: + - Person: Raja Singh + Handle: '@fluxwarden'
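Review bot: the third Robocopy entry misdescribes its own switch: in `/COPY:DATS` the S flag selects NTFS security (ACLs), not alternate data streams, which robocopy carries along with the D (data) flag by default, so the description "copying NTFS Alternate Data Streams when present in source files" should be reworded (or the entry dropped if there is no switch-specific ADS angle), and the T1564 mapping would be more precise as T1564.004 (NTFS File Attributes). The fourth command, `robocopy "C:\Source" "$env:TEMP" file.txt /R:0 /W:0`, mixes PowerShell variable syntax into an otherwise cmd-style list; use `%TEMP%` or state the shell the command is meant for. In the Detection list, `IOC: robocopy.exe process execution` on its own will be very noisy where robocopy runs scheduled backups, so the entry should make clear that the switch- and path-based IOCs below it are the intended discriminators, and two of the Sigma links (the `create_remote_thread_win_susp_relevant_source_image.yml` rule and the one under `unsupported/`) are not obviously tied to robocopy command-line activity and should be checked for relevance or removed. Minor style: the Description fields start lowercase and one is ungrammatical ("replicating entire folder structures and deletes mismatches"); align them with the capitalized, parallel phrasing used in the setx file.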
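Review bot: the MITRE mapping on the two PATH entries is wrong: `MitreID: T1574.009` is Path Interception by Unquoted Path, whereas manipulating the PATH variable is T1574.007 (Path Interception by PATH Environment Variable). Related to that, the actual hijack primitive `setx PATH "%PATH%;C:\Temp\bin"` appears only under Code_Sample and not as a Command with its own Usecase, MitreID and IOC, while `setx MYPATH %PATH%` (which copies PATH into a new, unused variable) is labelled "Prepare for PATH hijacking" although it changes no lookup order by itself; promote the former and soften the latter. Worth stating in the entry or Detection section: setx truncates stored values to 1024 characters, so appending to a long PATH can silently clobber it, which is both a reason the technique fails and a detection-relevant side effect. The Code_Sample line `setx /S 10.0.0.8 /U corp\admin /P Pass123 backdoor C:\backdoor.exe` hard-codes a credential and address; use obvious placeholders. Finally, the Tags keys (`- Purpose:` / `- Risk:`) and Privileges values (`DomainUser`, `DomainAdmin`) differ from the Robocopy file in this same patch, which uses `- Tag:` and `User` / `Administrator`; pick one vocabulary for both files.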