From 73a1c28dd7476949084ddd7ba4e66f73d7ef0411 Mon Sep 17 00:00:00 2001 From: Raja Singh Date: Thu, 11 Dec 2025 10:00:19 +0530 Subject: [PATCH 1/7] Create Robocopy.yml --- yml/OSBinaries/Robocopy.yml | 80 +++++++++++++++++++++++++++++++++++++ 1 file changed, 80 insertions(+) create mode 100644 yml/OSBinaries/Robocopy.yml diff --git a/yml/OSBinaries/Robocopy.yml b/yml/OSBinaries/Robocopy.yml new file mode 100644 index 00000000..e8406c3b --- /dev/null +++ b/yml/OSBinaries/Robocopy.yml 
@@ -0,0 +1,80 @@ +--- +Name: Robocopy.exe +Description: built-in Windows utility used for directory replication, metadata-preserving file operations, and backup automation + +Aliases: [] + +Author: Raja Singh +Created: 2025-12-10 + +Commands: + - Command: robocopy "C:\source" "D:\dest" file.txt /COPYALL /R:0 /W:0 + Description: file and directory copying while preserving timestamps, ACLs, and attributes. + Usecase: Detect unusual timestomp-like or stealth file movement behavior. + Category: Copy + Privileges: User or Administrator (depending on source/destination) + MitreID: T1005 + OperatingSystem: Windows 7–11; Windows Server 2012–2022 + Tags: + - Tag: MetadataPreservation + + - Command: robocopy "C:\Source" "D:\Destination" /MIR /R:0 /W:0 + Description: replicating entire folder structures and deletes mismatches in the destination. + Usecase: Identify large-scale replication or suspicious mirroring of sensitive directories. + Category: Copy + Privileges: User or Administrator + MitreID: T1074 + OperatingSystem: Windows 7–11; Windows Server 2012–2022 + Tags: + - Tag: Mirroring + + - Command: robocopy "C:\Source" "D:\Destination" file.txt /COPY:DATS /R:0 /W:0 + Description: copying NTFS Alternate Data Streams when present in source files. + Usecase: Surface rare ADS movements that may indicate concealment or staging. + Category: ADS + Privileges: User + MitreID: T1564 + OperatingSystem: Windows 7–11; Windows Server 2012–2022 + Tags: + - Tag: ADS + + - Command: robocopy "C:\Source" "$env:TEMP" file.txt /R:0 /W:0 + Description: copies files into temporary or user-writable directories. + Usecase: Identify data staging behaviors that may precede exfiltration. 
+ Category: Copy + Privileges: User + MitreID: T1074 + OperatingSystem: Windows 7–11; Windows Server 2012–2022 + Tags: + - Tag: Staging + +Full_Path: + - Path: C:\Windows\System32\robocopy.exe + - Path: C:\Windows\SysWOW64\robocopy.exe + +Code_Sample: [] + +Detection: + - IOC: robocopy.exe process execution + - IOC: Metadata, mirroring, or ADS-related switches observed in command line + - IOC: High-volume or unusual directory replication operations + - IOC: Execution from uncommon parent processes such as office applications or browsers + - IOC: Copy operations targeting temporary or user-writable staging directories + - IOC: Replication of files from sensitive or user-profile locations + - IOC: Use of robocopy.exe with deletion or mirroring flags (/MIR, /PURGE) in unexpected paths + - IOC: robocopy.exe executed by non-administrative users in abnormal contexts + - Sigma: https://github.com/SigmaHQ/sigma/blob/13aae8c1eacb68172fd79f343b23d39aa1773d79/rules/windows/process_creation/proc_creation_win_susp_copy_browser_data.yml#L37 + - Sigma: https://github.com/SigmaHQ/sigma/blob/13aae8c1eacb68172fd79f343b23d39aa1773d79/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml#L30 + - Sigma: https://github.com/SigmaHQ/sigma/blob/13aae8c1eacb68172fd79f343b23d39aa1773d79/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml#L38 + - Sigma: https://github.com/SigmaHQ/sigma/blob/13aae8c1eacb68172fd79f343b23d39aa1773d79/rules/windows/create_remote_thread/create_remote_thread_win_susp_relevant_source_image.yml#L51 + - Sigma: https://github.com/SigmaHQ/sigma/blob/13aae8c1eacb68172fd79f343b23d39aa1773d79/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml#L38 + - Sigma: https://github.com/SigmaHQ/sigma/blob/13aae8c1eacb68172fd79f343b23d39aa1773d79/unsupported/windows/proc_creation_win_correlation_multiple_susp_cli.yml#L48 + +Resources: + - Link: 
https://learn.microsoft.com/windows-server/administration/windows-commands/robocopy + - Link: https://attack.mitre.org/groups/G0045/ + - Link: https://www.cisa.gov/news-events/alerts/2018/10/03/advanced-persistent-threat-activity-exploiting-managed-service-providers + +Acknowledgement: + - Person: Raja Singh + Handle: '@flux-warden' From 43c16b8c60890aae574653ef377eb8cca60c9d32 Mon Sep 17 00:00:00 2001 From: Raja Singh Date: Thu, 11 Dec 2025 10:06:38 +0530 Subject: [PATCH 2/7] Update Robocopy.yml @flux-warde -> @fluxwarden --- yml/OSBinaries/Robocopy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yml/OSBinaries/Robocopy.yml b/yml/OSBinaries/Robocopy.yml index e8406c3b..98f6fd3a 100644 --- a/yml/OSBinaries/Robocopy.yml +++ b/yml/OSBinaries/Robocopy.yml @@ -77,4 +77,4 @@ Resources: Acknowledgement: - Person: Raja Singh - Handle: '@flux-warden' + Handle: '@fluxwarden' From 529a22ac0be11f2b2ad9075a967396a764229a01 Mon Sep 17 00:00:00 2001 From: Raja Singh Date: Thu, 11 Dec 2025 23:44:08 +0530 Subject: [PATCH 3/7] Create Setx.yml --- Setx.yml | 155 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 155 insertions(+) create mode 100644 Setx.yml diff --git a/Setx.yml b/Setx.yml new file mode 100644 index 00000000..2be89fad --- /dev/null +++ b/Setx.yml 
@@ -0,0 +1,155 @@ +--- +Name: SetX.exe +Description: Microsoft-signed utility used to create or modify user and system environment variables. Supports registry extraction, remote execution context, and coordinate-based file parsing. Useful for persistence, execution flow hijacking, discovery, and lateral movement. +Aliases: + - Alias: setx64.exe +Author: Raja Singh +Created: 2025-12-10 + +Commands: + - Command: setx MACHINE COMPAQ + Description: Creates or updates a user environment variable. + Usecase: Persistent environment modification. + Category: Hijack Execution Flow + Privileges: User + MitreID: T1547 + OperatingSystem: Windows + + - Command: setx MACHINE "COMPAQ COMPUTER" /M + Description: Creates or updates a system-wide environment variable. + Usecase: System-level persistence. + Category: Hijack Execution Flow + Privileges: Administrator + MitreID: T1547 + OperatingSystem: Windows + + - Command: setx MYPATH %PATH% + Description: Copies current PATH into a new variable. + Usecase: Allows PATH manipulation before hijack. + Category: Hijack Execution Flow + Privileges: User + MitreID: T1574.009 + OperatingSystem: Windows + + - Command: setx MYPATH ~PATH~ + Description: Uses tilde syntax to copy PATH. + Usecase: Introduce malicious directories for execution hijacking. + Category: Hijack Execution Flow + Privileges: User + MitreID: T1574.009 + OperatingSystem: Windows + + - Command: setx /S system /U user /P password MACHINE COMPAQ + Description: Creates a variable on a remote host. + Usecase: Remote persistence without shell access. + Category: Lateral Movement + Privileges: DomainUser + MitreID: T1021 + OperatingSystem: Windows + + - Command: setx /S system /U user /P password MYPATH ^%PATH^% + Description: Writes variables to remote host using escaped syntax. + Usecase: Environment poisoning on remote machines. 
+ Category: Lateral Movement + Privileges: DomainUser + MitreID: T1021 + OperatingSystem: Windows + + - Command: setx TZONE /K HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TimeZoneInformation\StandardName + Description: Extracts registry value into an environment variable. + Usecase: Harvest registry data without reg.exe or PowerShell. + Category: Collection + Privileges: User + MitreID: T1005 + OperatingSystem: Windows + + - Command: setx BUILD /K "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\CurrentBuildNumber" /M + Description: Extracts build number and writes it as system variable. + Usecase: Persistence with registry-derived data. + Category: Persistence + Privileges: Administrator + MitreID: T1547 + OperatingSystem: Windows + + - Command: setx /S system /U user /P password TZONE /K HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TimeZoneInformation\StandardName + Description: Extracts registry data remotely into variables. + Usecase: Remote discovery and persistence. + Category: Lateral Movement + Privileges: DomainUser + MitreID: T1021 + OperatingSystem: Windows + + - Command: setx /S system /U user /P password BUILD /K "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\CurrentBuildNumber" /M + Description: Writes system variables on remote host using registry data. + Usecase: Cross-host persistent config poisoning. + Category: Lateral Movement + Privileges: DomainAdmin + MitreID: T1021 + OperatingSystem: Windows + + - Command: setx /F ipconfig.out /X + Description: Displays a file with coordinate references. + Usecase: Covert file reading without type/more. + Category: Discovery + Privileges: User + MitreID: T1083 + OperatingSystem: Windows + + - Command: setx IPADDR /F ipconfig.out /A 5,11 + Description: Extracts text at absolute coordinates. + Usecase: Extract sensitive info from dumped output. 
+ Category: Discovery + Privileges: User + MitreID: T1083 + OperatingSystem: Windows + + - Command: setx OCTET1 /F ipconfig.out /A 5,3 /D "#$*." + Description: Parses file content using delimiter tokens. + Usecase: Structured data extraction. + Category: Discovery + Privileges: User + MitreID: T1083 + OperatingSystem: Windows + + - Command: setx IPGATEWAY /F ipconfig.out /R 0,7 Gateway + Description: Extracts text relative to a matched pattern. + Usecase: Pattern-based file parsing like grep/awk. + Category: Discovery + Privileges: User + MitreID: T1083 + OperatingSystem: Windows + + - Command: setx /S system /U user /P password /F c:\ipconfig.out /X + Description: Remote file read using SetX. + Usecase: File discovery without remote shell. + Category: Lateral Movement + Privileges: DomainUser + MitreID: T1021 + OperatingSystem: Windows + +Full_Path: + - Path: C:\Windows\System32\setx.exe + - Path: C:\Windows\SysWOW64\setx.exe + +Code_Sample: + - Code: setx payload C:\Users\Public\evil.exe + - Code: setx /M COMSPEC C:\Users\Public\cmd.exe + - Code: setx PATH "%PATH%;C:\Temp\bin" + - Code: setx SECRET /K HKCU\Software\MyApp\Config\Password + - Code: setx KEYVAL /F output.txt /A 2,5 + - Code: setx /S 10.0.0.8 /U corp\admin /P Pass123 backdoor C:\backdoor.exe + +Detection: + - IOC: Modification of PATH, COMSPEC, WINDIR, PATHEXT, TEMP, TMP + - IOC: SetX usage with /M from untrusted process + - IOC: Remote variable creation via /S /U /P + - IOC: Registry extraction via /K from sensitive paths + - IOC: Coordinate-based parsing (/A, /R, /X) + - Analysis: Environment manipulation followed by suspicious execution + +Resources: + - Link: https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/setx + +Acknowledgement: + - Person: Raja Singh + Handle: '@fluxwarden' From 9d531af6292bcfa83cfb5a4596bb7fea4b8affab Mon Sep 17 00:00:00 2001 
From: Raja Singh Date: Thu, 11 Dec 2025 23:46:01 +0530 Subject: [PATCH 4/7] Delete Setx.yml --- Setx.yml | 155 ------------------------------------------------------- 1 file changed, 155 deletions(-) delete mode 100644 Setx.yml diff --git a/Setx.yml b/Setx.yml deleted file mode 100644 index 2be89fad..00000000 --- a/Setx.yml +++ /dev/null 
@@ -1,155 +0,0 @@ ---- -Name: SetX.exe -Description: Microsoft-signed utility used to create or modify user and system environment variables. Supports registry extraction, remote execution context, and coordinate-based file parsing. Useful for persistence, execution flow hijacking, discovery, and lateral movement. -Aliases: - - Alias: setx64.exe -Author: Raja Singh -Created: 2025-12-10 - -Commands: - - Command: setx MACHINE COMPAQ - Description: Creates or updates a user environment variable. - Usecase: Persistent environment modification. - Category: Hijack Execution Flow - Privileges: User - MitreID: T1547 - OperatingSystem: Windows - - - Command: setx MACHINE "COMPAQ COMPUTER" /M - Description: Creates or updates a system-wide environment variable. - Usecase: System-level persistence. - Category: Hijack Execution Flow - Privileges: Administrator - MitreID: T1547 - OperatingSystem: Windows - - - Command: setx MYPATH %PATH% - Description: Copies current PATH into a new variable. - Usecase: Allows PATH manipulation before hijack. - Category: Hijack Execution Flow - Privileges: User - MitreID: T1574.009 - OperatingSystem: Windows - - - Command: setx MYPATH ~PATH~ - Description: Uses tilde syntax to copy PATH. - Usecase: Introduce malicious directories for execution hijacking. - Category: Hijack Execution Flow - Privileges: User - MitreID: T1574.009 - OperatingSystem: Windows - - - Command: setx /S system /U user /P password MACHINE COMPAQ - Description: Creates a variable on a remote host. - Usecase: Remote persistence without shell access. - Category: Lateral Movement - Privileges: DomainUser - MitreID: T1021 - OperatingSystem: Windows - - - Command: setx /S system /U user /P password MYPATH ^%PATH^% - Description: Writes variables to remote host using escaped syntax. - Usecase: Environment poisoning on remote machines. 
- Category: Lateral Movement - Privileges: DomainUser - MitreID: T1021 - OperatingSystem: Windows - - - Command: setx TZONE /K HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TimeZoneInformation\StandardName - Description: Extracts registry value into an environment variable. - Usecase: Harvest registry data without reg.exe or PowerShell. - Category: Collection - Privileges: User - MitreID: T1005 - OperatingSystem: Windows - - - Command: setx BUILD /K "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\CurrentBuildNumber" /M - Description: Extracts build number and writes it as system variable. - Usecase: Persistence with registry-derived data. - Category: Persistence - Privileges: Administrator - MitreID: T1547 - OperatingSystem: Windows - - - Command: setx /S system /U user /P password TZONE /K HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TimeZoneInformation\StandardName - Description: Extracts registry data remotely into variables. - Usecase: Remote discovery and persistence. - Category: Lateral Movement - Privileges: DomainUser - MitreID: T1021 - OperatingSystem: Windows - - - Command: setx /S system /U user /P password BUILD /K "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\CurrentBuildNumber" /M - Description: Writes system variables on remote host using registry data. - Usecase: Cross-host persistent config poisoning. - Category: Lateral Movement - Privileges: DomainAdmin - MitreID: T1021 - OperatingSystem: Windows - - - Command: setx /F ipconfig.out /X - Description: Displays a file with coordinate references. - Usecase: Covert file reading without type/more. - Category: Discovery - Privileges: User - MitreID: T1083 - OperatingSystem: Windows - - - Command: setx IPADDR /F ipconfig.out /A 5,11 - Description: Extracts text at absolute coordinates. - Usecase: Extract sensitive info from dumped output. 
- Category: Discovery - Privileges: User - MitreID: T1083 - OperatingSystem: Windows - - - Command: setx OCTET1 /F ipconfig.out /A 5,3 /D "#$*." - Description: Parses file content using delimiter tokens. - Usecase: Structured data extraction. - Category: Discovery - Privileges: User - MitreID: T1083 - OperatingSystem: Windows - - - Command: setx IPGATEWAY /F ipconfig.out /R 0,7 Gateway - Description: Extracts text relative to a matched pattern. - Usecase: Pattern-based file parsing like grep/awk. - Category: Discovery - Privileges: User - MitreID: T1083 - OperatingSystem: Windows - - - Command: setx /S system /U user /P password /F c:\ipconfig.out /X - Description: Remote file read using SetX. - Usecase: File discovery without remote shell. - Category: Lateral Movement - Privileges: DomainUser - MitreID: T1021 - OperatingSystem: Windows - -Full_Path: - - Path: C:\Windows\System32\setx.exe - - Path: C:\Windows\SysWOW64\setx.exe - -Code_Sample: - - Code: setx payload C:\Users\Public\evil.exe - - Code: setx /M COMSPEC C:\Users\Public\cmd.exe - - Code: setx PATH "%PATH%;C:\Temp\bin" - - Code: setx SECRET /K HKCU\Software\MyApp\Config\Password - - Code: setx KEYVAL /F output.txt /A 2,5 - - Code: setx /S 10.0.0.8 /U corp\admin /P Pass123 backdoor C:\backdoor.exe - -Detection: - - IOC: Modification of PATH, COMSPEC, WINDIR, PATHEXT, TEMP, TMP - - IOC: SetX usage with /M from untrusted process - - IOC: Remote variable creation via /S /U /P - - IOC: Registry extraction via /K from sensitive paths - - IOC: Coordinate-based parsing (/A, /R, /X) - - Analysis: Environment manipulation followed by suspicious execution - -Resources: - - Link: https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/setx - -Acknowledgement: - - Person: Raja Singh - Handle: '@fluxwarden' From 9a7b1e6804c637532c805124d8d7e787c472476d Mon Sep 17 00:00:00 2001 
From: Raja Singh Date: Thu, 11 Dec 2025 23:46:26 +0530 Subject: [PATCH 5/7] Create setx.yml --- yml/OSBinaries/setx.yml | 155 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 155 insertions(+) create mode 100644 yml/OSBinaries/setx.yml diff --git a/yml/OSBinaries/setx.yml b/yml/OSBinaries/setx.yml new file mode 100644 index 00000000..2be89fad --- /dev/null +++ b/yml/OSBinaries/setx.yml 
@@ -0,0 +1,155 @@ +--- +Name: SetX.exe +Description: Microsoft-signed utility used to create or modify user and system environment variables. Supports registry extraction, remote execution context, and coordinate-based file parsing. Useful for persistence, execution flow hijacking, discovery, and lateral movement. +Aliases: + - Alias: setx64.exe +Author: Raja Singh +Created: 2025-12-10 + +Commands: + - Command: setx MACHINE COMPAQ + Description: Creates or updates a user environment variable. + Usecase: Persistent environment modification. + Category: Hijack Execution Flow + Privileges: User + MitreID: T1547 + OperatingSystem: Windows + + - Command: setx MACHINE "COMPAQ COMPUTER" /M + Description: Creates or updates a system-wide environment variable. + Usecase: System-level persistence. + Category: Hijack Execution Flow + Privileges: Administrator + MitreID: T1547 + OperatingSystem: Windows + + - Command: setx MYPATH %PATH% + Description: Copies current PATH into a new variable. + Usecase: Allows PATH manipulation before hijack. + Category: Hijack Execution Flow + Privileges: User + MitreID: T1574.009 + OperatingSystem: Windows + + - Command: setx MYPATH ~PATH~ + Description: Uses tilde syntax to copy PATH. + Usecase: Introduce malicious directories for execution hijacking. + Category: Hijack Execution Flow + Privileges: User + MitreID: T1574.009 + OperatingSystem: Windows + + - Command: setx /S system /U user /P password MACHINE COMPAQ + Description: Creates a variable on a remote host. + Usecase: Remote persistence without shell access. + Category: Lateral Movement + Privileges: DomainUser + MitreID: T1021 + OperatingSystem: Windows + + - Command: setx /S system /U user /P password MYPATH ^%PATH^% + Description: Writes variables to remote host using escaped syntax. + Usecase: Environment poisoning on remote machines. 
+ Category: Lateral Movement + Privileges: DomainUser + MitreID: T1021 + OperatingSystem: Windows + + - Command: setx TZONE /K HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TimeZoneInformation\StandardName + Description: Extracts registry value into an environment variable. + Usecase: Harvest registry data without reg.exe or PowerShell. + Category: Collection + Privileges: User + MitreID: T1005 + OperatingSystem: Windows + + - Command: setx BUILD /K "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\CurrentBuildNumber" /M + Description: Extracts build number and writes it as system variable. + Usecase: Persistence with registry-derived data. + Category: Persistence + Privileges: Administrator + MitreID: T1547 + OperatingSystem: Windows + + - Command: setx /S system /U user /P password TZONE /K HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TimeZoneInformation\StandardName + Description: Extracts registry data remotely into variables. + Usecase: Remote discovery and persistence. + Category: Lateral Movement + Privileges: DomainUser + MitreID: T1021 + OperatingSystem: Windows + + - Command: setx /S system /U user /P password BUILD /K "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\CurrentBuildNumber" /M + Description: Writes system variables on remote host using registry data. + Usecase: Cross-host persistent config poisoning. + Category: Lateral Movement + Privileges: DomainAdmin + MitreID: T1021 + OperatingSystem: Windows + + - Command: setx /F ipconfig.out /X + Description: Displays a file with coordinate references. + Usecase: Covert file reading without type/more. + Category: Discovery + Privileges: User + MitreID: T1083 + OperatingSystem: Windows + + - Command: setx IPADDR /F ipconfig.out /A 5,11 + Description: Extracts text at absolute coordinates. + Usecase: Extract sensitive info from dumped output. 
+ Category: Discovery + Privileges: User + MitreID: T1083 + OperatingSystem: Windows + + - Command: setx OCTET1 /F ipconfig.out /A 5,3 /D "#$*." + Description: Parses file content using delimiter tokens. + Usecase: Structured data extraction. + Category: Discovery + Privileges: User + MitreID: T1083 + OperatingSystem: Windows + + - Command: setx IPGATEWAY /F ipconfig.out /R 0,7 Gateway + Description: Extracts text relative to a matched pattern. + Usecase: Pattern-based file parsing like grep/awk. + Category: Discovery + Privileges: User + MitreID: T1083 + OperatingSystem: Windows + + - Command: setx /S system /U user /P password /F c:\ipconfig.out /X + Description: Remote file read using SetX. + Usecase: File discovery without remote shell. + Category: Lateral Movement + Privileges: DomainUser + MitreID: T1021 + OperatingSystem: Windows + +Full_Path: + - Path: C:\Windows\System32\setx.exe + - Path: C:\Windows\SysWOW64\setx.exe + +Code_Sample: + - Code: setx payload C:\Users\Public\evil.exe + - Code: setx /M COMSPEC C:\Users\Public\cmd.exe + - Code: setx PATH "%PATH%;C:\Temp\bin" + - Code: setx SECRET /K HKCU\Software\MyApp\Config\Password + - Code: setx KEYVAL /F output.txt /A 2,5 + - Code: setx /S 10.0.0.8 /U corp\admin /P Pass123 backdoor C:\backdoor.exe + +Detection: + - IOC: Modification of PATH, COMSPEC, WINDIR, PATHEXT, TEMP, TMP + - IOC: SetX usage with /M from untrusted process + - IOC: Remote variable creation via /S /U /P + - IOC: Registry extraction via /K from sensitive paths + - IOC: Coordinate-based parsing (/A, /R, /X) + - Analysis: Environment manipulation followed by suspicious execution + +Resources: + - Link: https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/setx + +Acknowledgement: + - Person: Raja Singh + Handle: '@fluxwarden' From 9da9c1472c61e8f64085ac2612053285385c40c0 Mon Sep 17 00:00:00 2001 
From: Raja Singh Date: Thu, 11 Dec 2025 23:51:10 +0530 Subject: [PATCH 6/7] Update setx.yml --- yml/OSBinaries/setx.yml | 175 +++++++++++++++++++++++++--------------- 1 file changed, 112 insertions(+), 63 deletions(-) diff --git a/yml/OSBinaries/setx.yml b/yml/OSBinaries/setx.yml index 2be89fad..e21e9580 100644 --- a/yml/OSBinaries/setx.yml +++ b/yml/OSBinaries/setx.yml 
@@ -1,131 +1,181 @@ ---- Name: SetX.exe -Description: Microsoft-signed utility used to create or modify user and system environment variables. Supports registry extraction, remote execution context, and coordinate-based file parsing. Useful for persistence, execution flow hijacking, discovery, and lateral movement. +Description: Microsoft-signed utility used to create or modify user and system environment variables, including registry extraction, remote variable creation, and file parsing. Aliases: - Alias: setx64.exe Author: Raja Singh Created: 2025-12-10 Commands: + + # Basic Variable Assignment - Command: setx MACHINE COMPAQ Description: Creates or updates a user environment variable. - Usecase: Persistent environment modification. - Category: Hijack Execution Flow + Usecase: Persistent variable modification. + Category: Tamper Privileges: User MitreID: T1547 - OperatingSystem: Windows + OperatingSystem: Windows 7–11; Windows Server 2012–2022 + Tags: + - Purpose: EnvModification + - Risk: Persistence - Command: setx MACHINE "COMPAQ COMPUTER" /M - Description: Creates or updates a system-wide environment variable. - Usecase: System-level persistence. - Category: Hijack Execution Flow + Description: Creates or updates a system environment variable. + Usecase: System-wide persistence. + Category: Tamper Privileges: Administrator MitreID: T1547 - OperatingSystem: Windows + OperatingSystem: Windows 7–11; Windows Server 2012–2022 + Tags: + - Purpose: SystemPersistence + - Risk: ExecutionHijack + # PATH Hijacking - Command: setx MYPATH %PATH% - Description: Copies current PATH into a new variable. - Usecase: Allows PATH manipulation before hijack. - Category: Hijack Execution Flow + Description: Copies PATH to a new variable. + Usecase: Prepare for PATH hijacking. 
+ Category: Tamper Privileges: User MitreID: T1574.009 - OperatingSystem: Windows + OperatingSystem: Windows 7–11; Windows Server 2012–2022 + Tags: + - Purpose: PathCopy + - Risk: HijackPrep - Command: setx MYPATH ~PATH~ - Description: Uses tilde syntax to copy PATH. - Usecase: Introduce malicious directories for execution hijacking. - Category: Hijack Execution Flow + Description: Copies PATH with tilde expansion. + Usecase: Modify PATH to insert malicious directories. + Category: Tamper Privileges: User MitreID: T1574.009 - OperatingSystem: Windows + OperatingSystem: Windows 7–11; Windows Server 2012–2022 + Tags: + - Purpose: PathManipulation + - Risk: ExecutionHijack + # Remote Execution Context - Command: setx /S system /U user /P password MACHINE COMPAQ Description: Creates a variable on a remote host. - Usecase: Remote persistence without shell access. - Category: Lateral Movement + Usecase: Remote persistence. + Category: Upload Privileges: DomainUser MitreID: T1021 - OperatingSystem: Windows + OperatingSystem: Windows 7–11; Windows Server 2012–2022 + Tags: + - Purpose: RemoteWrite + - Risk: LateralMovement - Command: setx /S system /U user /P password MYPATH ^%PATH^% - Description: Writes variables to remote host using escaped syntax. - Usecase: Environment poisoning on remote machines. - Category: Lateral Movement + Description: Writes variables remotely using escaped syntax. + Usecase: Remote environment poisoning. + Category: Upload Privileges: DomainUser MitreID: T1021 - OperatingSystem: Windows + OperatingSystem: Windows 7–11; Windows Server 2012–2022 + Tags: + - Purpose: RemotePoisoning + - Risk: LMPreAttack + # Registry Extraction (/K) - Command: setx TZONE /K HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TimeZoneInformation\StandardName Description: Extracts registry value into an environment variable. - Usecase: Harvest registry data without reg.exe or PowerShell. - Category: Collection + Usecase: Collect system configuration without reg.exe. 
+ Category: Reconnaissance Privileges: User MitreID: T1005 - OperatingSystem: Windows + OperatingSystem: Windows 7–11; Windows Server 2012–2022 + Tags: + - Purpose: RegistryRead + - Risk: DataGathering - Command: setx BUILD /K "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\CurrentBuildNumber" /M - Description: Extracts build number and writes it as system variable. - Usecase: Persistence with registry-derived data. - Category: Persistence + Description: Extracts build number into a system variable. + Usecase: Persist configuration state. + Category: Reconnaissance Privileges: Administrator MitreID: T1547 - OperatingSystem: Windows + OperatingSystem: Windows 7–11; Windows Server 2012–2022 + Tags: + - Purpose: BuildInfo + - Risk: ReconPersistence - Command: setx /S system /U user /P password TZONE /K HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TimeZoneInformation\StandardName - Description: Extracts registry data remotely into variables. - Usecase: Remote discovery and persistence. - Category: Lateral Movement + Description: Remote registry extraction. + Usecase: Discovery across hosts. + Category: Upload Privileges: DomainUser MitreID: T1021 - OperatingSystem: Windows + OperatingSystem: Windows 7–11; Windows Server 2012–2022 + Tags: + - Purpose: RemoteRecon + - Risk: LateralMovement - Command: setx /S system /U user /P password BUILD /K "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\CurrentBuildNumber" /M - Description: Writes system variables on remote host using registry data. - Usecase: Cross-host persistent config poisoning. - Category: Lateral Movement + Description: Writes system registry values remotely. + Usecase: Cross-host persistence. 
+ Category: Upload Privileges: DomainAdmin MitreID: T1021 - OperatingSystem: Windows + OperatingSystem: Windows 7–11; Windows Server 2012–2022 + Tags: + - Purpose: RemoteBuildWrite + - Risk: CrossHostPersistence + # File Parsing (Syntax 3) - Command: setx /F ipconfig.out /X - Description: Displays a file with coordinate references. - Usecase: Covert file reading without type/more. - Category: Discovery + Description: Displays file content via coordinate rendering. + Usecase: Covert file reading. + Category: Reconnaissance Privileges: User MitreID: T1083 - OperatingSystem: Windows + OperatingSystem: Windows 7–11; Windows Server 2012–2022 + Tags: + - Purpose: FileRead + - Risk: DataLeak - Command: setx IPADDR /F ipconfig.out /A 5,11 - Description: Extracts text at absolute coordinates. - Usecase: Extract sensitive info from dumped output. - Category: Discovery + Description: Extracts text at file coordinates. + Usecase: Extract sensitive values. + Category: Reconnaissance Privileges: User MitreID: T1083 - OperatingSystem: Windows + OperatingSystem: Windows 7–11; Windows Server 2012–2022 + Tags: + - Purpose: CoordinateExtract + - Risk: SensitiveInfoGrab - Command: setx OCTET1 /F ipconfig.out /A 5,3 /D "#$*." - Description: Parses file content using delimiter tokens. - Usecase: Structured data extraction. - Category: Discovery + Description: Parses file content using custom delimiters. + Usecase: Extract structured data. + Category: Reconnaissance Privileges: User MitreID: T1083 - OperatingSystem: Windows + OperatingSystem: Windows 7–11; Windows Server 2012–2022 + Tags: + - Purpose: DelimiterParsing + - Risk: StructuredLeak - Command: setx IPGATEWAY /F ipconfig.out /R 0,7 Gateway - Description: Extracts text relative to a matched pattern. - Usecase: Pattern-based file parsing like grep/awk. - Category: Discovery + Description: Extracts text relative to keyword. + Usecase: Pattern-based extraction. 
+ Category: Reconnaissance Privileges: User MitreID: T1083 - OperatingSystem: Windows + OperatingSystem: Windows 7–11; Windows Server 2012–2022 + Tags: + - Purpose: PatternExtract + - Risk: InfraRecon - Command: setx /S system /U user /P password /F c:\ipconfig.out /X - Description: Remote file read using SetX. - Usecase: File discovery without remote shell. - Category: Lateral Movement + Description: Reads file contents remotely. + Usecase: Remote file reconnaissance. + Category: Upload Privileges: DomainUser MitreID: T1021 - OperatingSystem: Windows + OperatingSystem: Windows 7–11; Windows Server 2012–2022 + Tags: + - Purpose: RemoteFileRead + - Risk: LMRecon Full_Path: - Path: C:\Windows\System32\setx.exe @@ -141,11 +191,10 @@ Code_Sample: Detection: - IOC: Modification of PATH, COMSPEC, WINDIR, PATHEXT, TEMP, TMP - - IOC: SetX usage with /M from untrusted process - - IOC: Remote variable creation via /S /U /P - - IOC: Registry extraction via /K from sensitive paths + - IOC: System variable modification via /M + - IOC: Remote SetX usage via /S /U /P + - IOC: Registry extraction using /K - IOC: Coordinate-based parsing (/A, /R, /X) - - Analysis: Environment manipulation followed by suspicious execution Resources: - Link: https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/setx From 005c197d62f8cb61a9da412dfb53e7a5d52dedc6 Mon Sep 17 00:00:00 2001 From: Raja Singh Date: Thu, 11 Dec 2025 23:52:25 +0530 Subject: [PATCH 7/7] Update setx.yml --- yml/OSBinaries/setx.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/yml/OSBinaries/setx.yml b/yml/OSBinaries/setx.yml index e21e9580..a86c4734 100644 --- a/yml/OSBinaries/setx.yml +++ b/yml/OSBinaries/setx.yml @@ -1,3 +1,4 @@ +--- Name: SetX.exe Description: Microsoft-signed utility used to create or modify user and system environment variables, including registry extraction, remote variable creation, and file parsing. Aliases:
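Review bot: In the Robocopy.yml hunk (patch 1/7), the fourth Command uses `"$env:TEMP"` as the destination, which only expands under PowerShell; the other three commands are cmd-style, and from cmd.exe that string is passed literally as a directory name, so use `%TEMP%` or state the shell the command is meant for. The third Command's Description says `/COPY:DATS` copies Alternate Data Streams, but in robocopy's copy flags S selects NTFS security (ACLs), D/A/T are the defaults, and stream data travels with the file data in an ordinary copy, so the flag set as written does not single out ADS movement; reword the Description to say what the flags select, or explain what makes this an ADS entry. The first Command's Usecase ("Detect unusual timestomp-like...") is written as a detection goal while the Usecase field elsewhere in the file describes what the command achieves; that wording belongs under Detection, and since timestamps are already preserved by the default `/COPY:DAT`, what `/COPYALL` (`/COPY:DATSOU`) adds is the owner and auditing parts, which a standard user cannot normally copy, so the Privileges value "User or Administrator (depending on source/destination)" should say which part works unprivileged. The Sigma entry pointing at `create_remote_thread_win_susp_relevant_source_image.yml#L51` and the one under `unsupported/` need a check that the anchored line actually names robocopy.exe, since neither file name suggests a process-creation rule for a copy utility.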
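Review bot: Patches 3/7, 4/7 and 5/7 create `Setx.yml` at the repository root, delete it, and recreate the same content under `yml/OSBinaries/setx.yml` (the blob index `2be89fad` is identical in all three); squash them into one commit that adds the file in its final location, and settle the file name casing, since this series adds `Robocopy.yml` and `setx.yml` side by side.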
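Review bot: In the setx.yml hunk (patch 5/7), several MitreID values do not match the described behaviour: the two PATH-copy commands (`setx MYPATH %PATH%` and `setx MYPATH ~PATH~`) cite T1574.009, which is Path Interception by Unquoted Path, while PATH-variable manipulation is T1574.007 (Path Interception by PATH Environment Variable); the `/K` entries that read a registry value cite T1005 (Data from Local System), where T1012 (Query Registry) is the direct fit. The alias `setx64.exe` has no corresponding entry under Full_Path, which lists only `System32\setx.exe` and `SysWOW64\setx.exe`; add the path or drop the alias. Code_Sample here holds six inline command lines (one with an inline password) that duplicate Commands, whereas Robocopy.yml in the same series uses `Code_Sample: []`; give the field the same meaning in both files and move anything worth keeping into Commands, where it gets a Description, Usecase and MitreID.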
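Review bot: The first hunk of patch 6/7 (`@@ -1,131 +1,181 @@`) drops the leading `---` document marker that patch 7/7 puts back a minute later; squash 7/7 into 6/7 so the file never lacks it. Within the hunk, the remote `/S /U /P` commands move from "Lateral Movement" to "Upload", but their Descriptions ("Creates a variable on a remote host", "Remote registry extraction") describe writing an environment variable on another machine, not moving a file to it, so "Tamper", already used for the local variants, is the closer category. The `setx BUILD /K ... /M` entry now reads Category "Reconnaissance" with Usecase "Persist configuration state" and MitreID T1547; the three fields disagree, so pick one framing. The new Tags use `Purpose:`/`Risk:` keys while Robocopy.yml in the same series uses `Tag:`; one convention across the series. The Usecase "Covert file reading" for `setx /F ipconfig.out /X` overstates it: the file path and `/X` sit in the process command line exactly as they would for `type`, so this is an alternative reader, not a covert one.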
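Review bot: In the Detection hunk of patch 6/7 (`@@ -141,11 +191,10 @@`), the rewritten IOCs lose the qualifiers that made them actionable: "SetX usage with /M from untrusted process" becomes "System variable modification via /M", and "Registry extraction via /K from sensitive paths" becomes "Registry extraction using /K". Both `/M` and `/K` appear in routine administrative scripts, so without the parent-process or path condition these are bare flag matches that will fire on normal use; keep the qualifiers, or name the values that narrow them (the PATH/COMSPEC/PATHEXT list in the first IOC is a good model). The removed "Analysis: Environment manipulation followed by suspicious execution" was the only entry that tied the variable write to a later process start, which is the sequence a defender needs to correlate, so consider restoring it. For the `/S /U /P` entry, it is worth stating that the credentials are passed on the process command line, so process-creation logging with command-line capture is where this form is observable.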