windows

97 Datasets
| Created | Dataset | Description | Tags | Contributors |
|---|---|---|---|---|
| 2022/08/03 | | After getting an elevated meterpreter session, we added the MiniNt registry key in the following hives: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control and HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control. After rebooting the system and trying to access event logs through the Event Viewer application, we got the following message: "Event Viewer cannot open the event log or custom view. Verify that Event Log service is running or query is too long. The request is not supported (50)." We have simulated this attack using 3 different procedures: the REG command via cmd.exe, the REG meterpreter command (Metasploit), and the PowerShell module (Metasploit). These datasets describe the before-rebooting phase of the simulation, and they were generated using a Windows 10 Pro Evaluation edition (Version:1903,OS Build:18362.30). | reg, powershell, eventlog, minint | |
| 2022/07/08 | Stopping Event Log Service via Modification of Start Up Type | After getting a shell with elevated privileges on the target, we modified the start up type for the EventLog service to | powershell, reg, cmd, eventlog | |
| 2022/07/08 | Stopping Event Log Service after Stopping Depending Services | The simulation of this technique considers 2 steps: disabling the netprofm service (before reboot) and stopping the Event Log service (after reboot). Therefore, 2 datasets were generated: before-reboot and after-reboot data. We have used PowerShell to execute this simulation: execution using PowerShell (spawned from cmd.exe) and execution using the PowerShell module from Metasploit. This dataset was generated using a Windows 10 Pro Evaluation edition (Version:1903,OS Build:18362.30). | powershell, eventlog, netprofm | |
| 2022/07/05 | Modifying Security Event Log File Path via Modification of Log Configuration | After getting a shell with elevated privileges on the target, we used wevtutil.exe to modify the configuration of the Security event log. Event logs for Microsoft Windows Security Auditing are stored in a different file (Not-Important-Log.evtx) by changing the standard log path C:\Windows\System32\Winevt\Logs\Security.evtx. This dataset was generated using a Windows 10 Enterprise Evaluation edition (Version:21H1,OS Build:19043.1766) and Kali Linux (Version:2021.3). | wevtutil, cmd, microsoft windows security auditing | |
| 2022/07/03 | Disabling Process Command Line Logging via Registry Modification | After getting a shell with elevated privileges on the target, we used reg.exe to modify the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit registry key. Logging of the command line in process creation events for Microsoft Windows Security Auditing was disabled by changing the registry value data from 1 to 0 in the ProcessCreationIncludeCmdLine_Enabled registry value. This dataset was generated using a Windows 10 Pro edition (Version:1903,OS Build:18362.30) and Kali Linux (Version:2022.2). | reg, cmd, microsoft windows security auditing | |
| 2022/06/30 | Disabling Windows Event Logging via Audit Policy Modification | After getting a shell with elevated privileges on the target, we used auditpol.exe to modify the current system and user audit policies. Success and failure events were disabled using the /set, /remove and /clear commands with the /success and /failure parameters. This dataset was generated using a Windows 10 Pro edition (Version:1903,OS Build:18362.30) and Kali Linux (Version:2022.2). | auditpol, cmd, microsoft windows security auditing | |
| 2021/06/11 | | This dataset was created after running the Cobalt Strike module from the APT Simulator tool (https://github.com/NextronSystems/APTSimulator). | None | |
| 2021/04/27 | | This dataset represents a threat actor exporting the AD FS database configuration remotely over HTTP. | None | |
| 2021/03/14 | | This dataset represents the execution of a public POC to abuse Exchange vulnerabilities (CVE-2021-26855, a server-side request forgery (SSRF) vulnerability). | None | |
| 2020/12/19 | | This dataset represents a threat actor creating a scheduled task remotely using schtasks. | None | |
| 2020/12/19 | | This dataset represents a threat actor modifying a scheduled task remotely. | None | |
| 2020/11/02 | | This dataset represents a threat actor using PowerShell to start an HTTP listener on a compromised endpoint. | None | |
| 2020/11/02 | | This dataset represents a threat actor using Seatbelt to profile an endpoint. This specifically uses the -group=user command. | None | |
| 2020/10/29 | | This dataset represents threat actors adding a firewall inbound rule and starting a Python HTTP server. | None | |
| 2020/10/29 | | This dataset represents a threat actor leveraging SharpView and specific functions such as Get-ObjectAcl, creating files and loading DLLs related to PCRE.NET use. | None | |
| 2020/10/28 | | This dataset represents threat actors accessing the Windows Vault and reading saved web credentials. | None | |
| 2020/10/26 | | This dataset represents the execution of Process Herpaderping to obscure the intentions of a process by modifying the content on disk after the image has been mapped. | None | |
| 2020/10/23 | | This dataset represents threat actors leveraging Register-Cimprovider to execute a malicious DLL. | None | |
| 2020/10/23 | | This dataset represents threat actors leveraging bitsadmin.exe to download a file. | art.3c73d728-75fb-4180-a12f-6712864d7421 | |
| 2020/10/23 | | This dataset represents threat actors injecting portable executables (PE) into processes via APIs such as VirtualAllocEx and WriteProcessMemory and running them in the virtual address space of another process via the CreateRemoteThread API. | None | |
| 2020/10/22 | | This dataset represents threat actors executing local compiled HTML Help payloads via hh.exe. | art.5cb87818-0d7c-4469-b7ef-9224107aebe8 | |
| 2020/10/22 | | This dataset represents threat actors leveraging control.exe to execute a .cpl file to proxy execute another payload (i.e. calc). | art.037e9d8a-9e46-4255-8b33-2ae3b545ca6f | |
| 2020/10/22 | | This dataset represents threat actors leveraging CMSTP to execute an INF file to proxy execute other malicious commands (i.e. cmd.exe), embedding commands in the RunPreSetupCommandsSection of the INF file. | art.748cb4f6-2fb3-4e97-b7ad-b22635a09ab0 | |
| 2020/10/22 | | This dataset represents threat actors leveraging mshta.exe to proxy execute malicious .sct files via JavaScript. | art.1483fab9-4f52-4217-a9ce-daa9d7747cae | |
| 2020/10/22 | | This dataset represents threat actors leveraging mshta.exe to proxy execute malicious PowerShell commands via VBScript. | art.906865c3-e05f-4acc-85c4-fbc185455095 | |
| 2020/10/22 | | This dataset represents threat actors leveraging mshta.exe to proxy execute malicious commands via an .hta file. | art.c4b97eeb-5249-4455-a607-59f95485cb45 | |
| 2020/10/22 | | This dataset represents threat actors performing a few techniques in Active Directory to brute force passwords, request Kerberos ticket-granting service (TGS) service tickets from all SPNs, test access to remote network shares, and move laterally over Windows Remote Management (WinRM). | None | |
| 2020/10/21 | | This dataset represents adversaries modifying the local firewall by opening a port for a proxy. | art.15e57006-79dd-46df-9bf9-31bc24fb5a80 | |
| 2020/10/21 | | This dataset represents adversaries modifying a local service to execute PowerShell. | art.ed366cde-7d12-49df-a833-671904770b9f | |
| 2020/10/21 | | This dataset represents threat actors querying HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer to get the version of Internet Explorer installed on the system. | art.68981660-6670-47ee-a5fa-7e74806420a4 | |
| 2020/10/20 | | This dataset represents adversaries leveraging functions such as CredUIPromptForCredentials to create and display a configurable dialog box that accepts credential information from a user. | art.2b162bfd-0928-4d4c-9ec3-4d9f88374b52 | |
| 2020/10/19 | | This dataset represents adversaries copying the SAM hive using the esentutl.exe utility and volume shadow copy services. | art.a90c2f4d-6726-444e-99d2-a00cd7c20480 | |
| 2020/10/19 | | This dataset represents adversaries using psexec to run reg.exe as SYSTEM and dump LSA secrets. Location: HKLM\security\policy\secrets. | art.55295ab0-a703-433b-9ca4-ae13807de12f | |
| 2020/10/19 | | This dataset represents adversaries leveraging logon initialization scripts to achieve persistence via the UserInitMprLogonScript user environment variable. | art.d6042746-07d4-4c92-9ad8-e644c114a231 | |
| 2020/10/19 | | This dataset represents adversaries leveraging | art.74496461-11a1-4982-b439-4d87a550d254 | |
| 2020/10/18 | | This dataset represents adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump of lsass. | art.2536dee2-12fb-459a-8c37-971844fa73be | |
| 2020/10/18 | | This dataset represents adversaries using system calls (syscalls) and API unhooking to dump the memory contents of lsass. | art.7ae7102c-a099-45c8-b985-4c7a2d05790d | |
| 2020/10/17 | | This dataset represents adversaries proxy executing code and bypassing application controls by leveraging wmic and the | None | |
| 2020/10/12 | | This dataset represents adversaries proxy executing code via the Windows Update client utility. In order to bypass rules looking for the binary reaching out directly to the Internet, this dataset shows the binary creating and running a thread in the virtual address space of another process via the CreateRemoteThread API. | CreateRemoteThread | |
| 2020/10/09 | | This dataset represents adversaries abusing a DLL hijack vulnerability found in the execution of the WMI provider host (wmiprvse.exe) for lateral movement. | SMB CreateRequest | |
| 2020/10/09 | | This dataset represents adversaries abusing a DLL hijack vulnerability found in the execution of the DCOM InternetExplorer.Application class for lateral movement. | SMB CreateRequest | |
| 2020/09/22 | | This dataset represents adversaries calculating the SysKey to decrypt Security Account Manager (SAM) database entries (from registry or hive) and get NTLM, and sometimes LM, hashes of local account passwords. | Calculating SysKey, SAM Read | |
| 2020/09/21 | | This dataset represents an adversary remotely executing code via WMI. This dataset focuses on the use of the WMI Win32_Process class and method Create to execute code remotely. | WMI IWbemServices ExecMethod | |
| 2020/09/21 | | This dataset represents adversaries creating and/or executing local scheduled tasks to maintain persistence in an environment. | Local Scheduled Tasks | |
| 2020/09/18 | | This dataset represents adversaries leveraging the COM method ExecuteExcel4Macro over DCOM to execute Excel4 macros remotely. | DCOM | |
| 2020/09/18 | | This dataset represents adversaries leveraging the COM method RegisterXLL over DCOM to execute an XLL file remotely. The XLL file can exist on the target or externally in a UNC path such as \\SERVER\FILES. | DCOM | |
| 2020/09/16 | | This dataset represents adversaries leveraging a vulnerability (CVE-2020-1472) in a cryptographic authentication scheme used by the Netlogon Remote Protocol, which among other things can be used to update computer passwords. This vulnerability was discovered by @SecuraBV. | CVE-2020-1472, Password Update, Netlogon Insecure AES-CFB8 | |
| 2020/09/14 | | This dataset represents an adversary remotely executing code via WMI to add a backdoor user on the target system. This dataset focuses on the use of the WMI Win32_Process class and method Create to execute code remotely. | WMI IWbemServices ExecMethod, User Backdoor | |
| 2020/09/04 | | This dataset represents adversaries elevating privileges (bypassing UAC) by performing a registry modification for FodHelper. | BypassUAC, Registry Modification, Windows Registry FodHelper | |
| 2020/08/06 | | This dataset represents a threat actor leveraging the RPC method EnumServiceStatusW over SMB svcctl to query the status of a service on a remote endpoint… | RPC EnumServiceStatusW, SMB Svcctl | |
| 2020/08/06 | | This dataset represents a threat actor remotely copying a file over SMB (CreateRequest). | SMB CreateRequest | |
| 2020/08/06 | | This dataset represents adversaries remotely creating a service via RPC methods such as CreateService over SMB named pipes such as svcctl. | RPC CreateService, SMB Svcctl | |
| 2020/08/06 | | This dataset represents adversaries remotely starting a service via RPC methods such as StartService over SMB named pipes such as svcctl. | RPC StartService, SMB Svcctl | |
| 2020/08/06 | | This dataset represents a threat actor using the RPC ControlService method over SMB to stop a service. | RPC ControlService, Stop Service, SMB Svcctl | |
| 2020/08/06 | | This dataset represents adversaries executing malicious code on remote hosts using PowerShell Remoting (WinRM). | PowerShell Remoting | |
| 2020/08/06 | | This dataset represents a threat actor enumerating the domain groups via LDAP (i.e. the SearchRequest method) in an environment. | Domain Groups Enumeration, LDAP SearchRequest | |
| 2020/08/05 | | This dataset represents adversaries abusing Active Directory Replication services to retrieve secret domain data (i.e. NTLM hashes) from domain accounts. | AD Replication Services, RPC DRSUAPI DsGetNCChanges | |
| 2020/08/05 | | This dataset represents an adversary leveraging the sc.exe utility to query (RPC QueryServiceStatus method) the status of a service on a remote endpoint. | RPC QueryServiceStatus, SMB Svcctl | |
| 2020/07/24 | | This dataset represents adversaries using WMI event subscriptions (ActiveScriptEventConsumers) remotely to move laterally. | Remote WMI Eventing | |
| 2020/07/22 | | This dataset represents a threat actor injecting a DLL (on disk) into an arbitrary process via LoadLibrary and executing it via the CreateRemoteThread API. | DLL Injection, LoadLibrary, CreateRemoteThread Execution | |
| 2020/07/22 | | This dataset represents adversaries modifying local Run registry keys (i.e. HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Run) for persistence. It also captures the execution of the persistence mechanism. | Local Registry Modification, Registry Run Keys | |
| 2020/07/21 | | This dataset represents threat actors leveraging regsvr32 to proxy the execution of an Empire payload (.sct file) to create a reverse connection to the C2. | Regsvr32 Execution | |
| 2020/06/09 | | This dataset represents adversaries accessing the microphone of an endpoint. | Microphone Access | |
| 2019/12/25 | | This dataset represents adversaries downgrading the challenge/response authentication protocol used for network logons, the minimum security negotiated for applications using NTLMSSP, and security settings that restrict outgoing NTLM traffic to remote servers in an environment. | Registry Modification, Windows Registry NetNTLM settings, Downgrade | |
| 2019/10/27 | | This dataset represents adversaries using RDP and Task Manager interactively to dump the memory space of lsass. | RDP Interactive | |
| 2019/10/27 | | This dataset represents adversaries proxy executing code through InstallUtil, a trusted Windows utility. | InstallUtil, LOLBin | |
| 2019/06/25 | | This dataset represents adversaries calculating the SysKey to decrypt Security Account Manager (SAM) database entries (from registry or hive) and get NTLM, and sometimes LM, hashes of local account passwords. | Calculating SysKey, SAM Read, SAM Handle Request | |
| 2019/06/25 | | This dataset represents adversaries with administrator privileges using the Windows reg utility to dump the SAM registry hive. | SAM Request Handle | |
| 2019/05/19 | | This dataset represents adversaries leveraging RPC SRVSVC and the method NetSessEnum over SMB to query remote hosts for active sessions. | RPC NetSessEnum, SMB Srvsvc | |
| 2019/05/18 | | This dataset represents adversaries executing a VBS script as a launcher for initial access. | VBS Script Execution | |
| 2019/05/18 | | This dataset represents adversaries leveraging WMI subscriptions locally for persistence. | Local WMI Eventing, WMI Event Subscriptions | |
| 2019/05/18 | | This dataset represents adversaries reflectively loading/injecting a portable executable (PE) (not on disk) into a process via WriteProcessMemory and executing it via the CreateRemoteThread API. | PE Injection, WriteProcessMemory, CreateRemoteThread Execution | |
| 2019/05/18 | | This dataset represents adversaries enumerating members of domain groups (i.e. Domain Admins) via the RPC SAMR interface over SMB. Some of the main RPC methods captured over the network are SamrLookupNamesInDomain (Opnum 17) and SamrQueryInformationGroup (Opnum 20), where there are indicators about the specific group name enumerated. | Domain Groups Enumeration, RPC SAMR SamrQueryInformationGroup | |
| 2019/05/18 | | This dataset represents adversaries setting the UseLogonCredential property value from the HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest key to 1 to enable plain text passwords. | Registry Modification, Windows Registry WDigest | |
| 2019/05/18 | | This dataset represents adversaries reading credentials from the memory contents of lsass.exe. One popular tool performing this behavior is Mimikatz. | LSASS Memory Credentials Read | |
| 2019/05/18 | | This dataset represents adversaries enabling RDP and adding a firewall exception on a compromised system. | Registry Modification, Windows Registry RDP Settings | |
| 2019/05/18 | | This dataset represents adversaries remotely creating and starting a service via RPC methods over SMB named pipes such as svcctl. | RPC CreateService, RPC StartService, SMB Svcctl | |
| 2019/05/18 | | This dataset represents adversaries remotely creating and starting a service via RPC methods over TCP. | RPC CreateService, RPC StartService, TCP Svcctl | |
| 2019/05/18 | | This dataset represents adversaries executing commands remotely via the DCOM ShellWindows COM method. | DCOM ShellWindows | |
| 2019/05/18 | | This dataset represents adversaries executing malicious code on remote hosts using PowerShell Remoting (WinRM). | PowerShell Remoting | |
| 2019/05/18 | | This dataset represents an adversary remotely creating a file (.xml) via SMB and executing it remotely via WMI and msbuild. This dataset focuses on the use of the WMI Win32_Process class and method Create to execute code remotely. | WMI IWbemServices ExecMethod, SMB CreateRequest | |
| 2019/05/18 | | This dataset represents adversaries using the OpenSCManagerW Win32 API call to establish a handle to the remote host and verify whether the current user context has local administrator access to the target. | RPC OpenSCManager, SMB Svcctl | |
| 2019/05/18 | | This dataset represents adversaries extracting Kerberos tickets from memory. | Kerberos Tickets | |
| 2019/05/18 | | This dataset represents adversaries retrieving the DPAPI Domain Backup Key from the DC via RPC LSARPC methods over SMB. | DPAPI, DPAPI Domain Backup key, RPC LSARPC | |
| 2019/05/18 | | This dataset represents an adversary remotely executing code via WMI. This dataset focuses on the use of the WMI Win32_Process class and method Create to execute code remotely. | WMI IWbemServices ExecMethod | |
| 2019/05/18 | | This dataset represents adversaries reading credentials from the memory contents of lsass.exe. One popular tool performing this behavior is Mimikatz. | LSASS Memory Credentials Read | |
| 2019/04/03 | | This dataset represents adversaries copying a file remotely to replace a file which is executed by a service that is vulnerable to DLL hijack. This dataset includes | Remote Service DLL Hijacking, RPC over SMB Svcctl | |
| 2019/03/19 | | This dataset represents adversaries enumerating members of the local Administrators group via the net.exe utility. | Local Administrators Group Enumeration | |
| 2019/03/19 | | This dataset represents adversaries enumerating all local users on an endpoint. | Local Users Enumeration | |
| 2019/03/19 | | This dataset represents adversaries enumerating all users that belong to a domain via RPC SAMR EnumDomainUsers. | Domain Users Enumeration, RPC SAMR EnumDomainUsers | |
| 2019/03/19 | | This dataset represents adversaries modifying local Run registry keys (i.e. HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Run) for persistence. It also captures the execution of the persistence mechanism. | Local Registry Modification, Registry Run Keys | |
| 2019/03/19 | | This dataset represents adversaries creating and/or executing local scheduled tasks to maintain persistence in an environment. | Local Scheduled Tasks | |
| 2019/03/19 | | This dataset represents adversaries turning a hash/key (rc4_hmac, aes256_cts_hmac_sha1, etc.) for a domain-joined user into a fully-fledged Kerberos TGT. In this case, an adversary can write the hash/key into an existing logon session (i.e. a sacrificial logon session) section in the memory content of LSASS and kick off the regular Kerberos authentication process. | Over-Pass-The-Hash, Patching LSASS | |
| 2019/03/19 | | This dataset represents adversaries crafting raw AS-REQ (TGT request) traffic for a specific user and encryption key (/rc4, /aes128, /aes256, or /des) to request TGTs without touching lsass. | Over-Pass-The-Hash, Not Touching LSASS | |
| 2019/03/19 | | This dataset represents adversaries crafting raw AS-REQ (TGT request) traffic for a specific user and encryption key (/rc4, /aes128, /aes256, or /des) to request TGTs without touching lsass. | Over-Pass-The-Hash, Not Touching LSASS | |
| 2019/03/01 | | These datasets represent adversaries with enough permissions (i.e. domain admin) adding an access control entry (ACE) to the discretionary access control list (DACL) of an Active Directory object (i.e. the root domain). One example could be adversaries modifying the root domain DACL to allow a specific domain user, despite being in no privileged groups and not having local admin rights on the domain controller itself, to use Active Directory replication services and obtain secret domain data (i.e. other users' NTLM hashes). | AD Object Modification, AD Object nTSecurityDescriptor, LDAP ModifyRequest | |
| 2019/03/01 | | This dataset represents adversaries abusing Active Directory Replication services to retrieve secret domain data (i.e. NTLM hashes) from domain accounts. | AD Replication services, RPC DRSUAPI DsGetNCChanges | |