public-mirrors/LOLBAS
1
0
Fork 0
mirror of https://github.com/LOLBAS-Project/LOLBAS synced 2025-02-05 10:02:00 +01:00
Code Issues Projects Releases Wiki Activity

New yml template

Browse Source
This commit is contained in:
Oddvar Moe 2018-09-18 16:31:27 +02:00
parent 08036a8147
commit 0895790a4e
2 changed files with 100 additions and 46 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

96
README.md
View File

@ -10,33 +10,42 @@ There are currently three different lists.
* [LOLScripts](LOLScripts.md) * [LOLScripts](LOLScripts.md)
The goal of these lists are to document every binary, script and library that can be used for Living Off The Land techniques. ## Goal
The goal of the LOLBAS project are to document every binary, script and library that can be used for Living Off The Land techniques.
Primarily files that offer "extra" functionality.
Definition of LOLBAS candidates (Binaries,scripts and libraries):
* LOLBAS candidates must be present on the system by default or introduced by application/software "installation" from a "reputable" vendor or open-source entity. Otherwise, LOLBAS determination is subject to scrutiny by the (security) community and agreed upon standards. ## Definition
* Can be used as an attacker tool directly or can perform other actions than what it was intended to do (Ex: regsvr32 - execute code from SCT online)
* executing code * Must be a Microsoft signed file. (OS or downloaded from Microsoft site)
* downloading/upload files * Only extra "unexpected" functionality is interesting (Not interesting to document what it was intended for)
* bypass UAC * Exceptions are Application Whitelisting bypasses
* compile code
* getting creds/dumping process * Functionality can include:
* surveillance (keylogger, network trace) * Executing code
* evade logging/remove log entry * Arbitrary code execution
* side-loading/hijacking of DLL * Pass-through execution of other programs (unsigned), script (via a LOLBin)
* pass-through execution of other programs, script (via a LOLBin) * Compile code
* File operations
* downloading
* upload
* copy
* Persistence
* pass-through persistence utilizing existing LOLBin * pass-through persistence utilizing existing LOLBin
* persistence (Hide data in ADS, execute at logon etc) * persistence (Hide data in ADS, execute at logon etc)
* UAC bypass
* Credentials
* Dumping process
* Surveillance (keylogger, network trace)
* Evade logging/remove log entry
* DLL Side-Loading/Hijacking (Binary must maintain path integrity - e.g. Without copying a binary to another folder that the user controls)
Every binary, script and library has it's own .md file in the subfolders. That way I should be easier to maintain and reuse.
## YML
A yml version of every file is located under the yml folder. A yml version of every file is located under the yml folder.
This is the master for all things LOLBAS. This is the master for all things LOLBAS.
We generate the MD files from this and later it will also be the base for an upcoming webportal. We generate the MD files from this and later it will also be the base for an upcoming webportal.
I have borrowed examples from the community (And a lot from Red Canary - Atomic Red Team - Thanks @subtee)
Would really love if the community could contribute as much as possible. That would make it better for everyone.
If you think it is hard to make a pull request using github, don't hesitate to send me a tweet and I will add the contribution for you.
## STORY ## STORY
"Living off the land" was coined by Matt Graeber - @mattifestation <3 "Living off the land" was coined by Matt Graeber - @mattifestation <3
@ -68,31 +77,38 @@ The awesome logos in the logo folder was provided by Adam Nadrowski (@_sup_mane)
Love this logo: Love this logo:
<img src="https://github.com/api0cradle/LOLBAS/raw/master/Logo/LOL1.png" height="250"> <img src="https://github.com/api0cradle/LOLBAS/raw/master/Logo/LOL1.png" height="250">
## Future work / Todo list
### 2.0 ## Versions - Roadmap
All features are added to the issues in this repo.
[x] Determine field mappings between existing Markdown and future structured format ### 1.0
[x] Define any additional fields required during launch (Date, Categories) * Hosted https://github.com/api0cradle/LOLBAS/
[x] Migrate * Only MD files
[x] Sanity checking & populate blank fields (e.g. Categories, Code Sample, Detection).
[ ] Define CONTRIBUTING.md to guide contributions. Suggested ambiguous files: regedit.exe, notepad.exe, powershell.exe, cmd.exe.
[ ] https://stackoverflow.com/questions/19109912/do-i-need-quotes-for-strings-in-yaml ### 2.0 -- Current
[ ] https://stackoverflow.com/questions/3790454/in-yaml-how-do-i-break-a-string-over-multiple-lines * Hosted here on this repo
[ ] https://til.hashrocket.com/posts/d7c96e2ee7-multiline-strings-in-yaml * Everything converted to YML files
[x] Re-factor project (version 2.0) and move it to a dedicated project site (https://github.com/LOLBAS-Project) * MD files generated from YML files
* Clearer definition
* Management scripts
### 2.1 ### 2.1
* More categories
* Jekyll frontend
* Privileges required
[ ] ATT&CK links
[ ] LOLBIN GUID? ### 2.2
[ ] Jekyll front end a la GTFOBINS? * ATT&CK Mitre mapping
[ ] Sub-Categories * LOLBIN GUID - Unique ID for each bin
[ ] Tests for PRs to ensure fields are valid * Sub-Categories
[ ] Create management scripts (find blank fields, ensure all fields are present, update fields) * Signed executing unsigned
[ ] Privileges required * Signed executing signed
[ ] Signed executing signed? Signed executing unsigned? @mattifestation's tweet has some good stuff. * Split commands into command, argument structure, and example. i.e. Command: cmstp.exe; ArgStructure: /ini /s <inf_file>; Example: cmstp.exe /ini /s c:\cmstp\CorpVPN.inf
[ ] Specific tags/labeling for specific capability caveats, for example a App Whitelist bypass that works on AppLocker & Solidcore could cary tags for each product
[ ] split commands into command, argument structure, and example. i.e. Command: cmstp.exe; ArgStructure: /ini /s <inf_file>; Example: cmstp.exe /ini /s c:\cmstp\CorpVPN.inf
[ ] Provide the project in DB format (sqlite) ### 2.3
* Tests for PRs to ensure fields are valid
* Provide the project in DB format (sqlite)

38
YML-Template.yml Normal file
View File

@ -0,0 +1,38 @@
Name: Binary.exe
Description: Something general about the binary
Author: The person that created this file
Created: Date the person created this file
Commands:
- Command: The command
Description: Description of the command
Usecase: A description of the usecase
Category: Execution
Privileges: Required privs
MitreID: T1055
MitreLink: https://attack.mitre.org/wiki/Technique/T1055
OperatingSystem: Windows 10 1803, Windows 10 1703
- Command: The second command
Description: Description of the second command
Usecase: A description of the usecase
Category: AWL-Bypass
Privileges: Required privs
MitreID: T1033
MitreLink: https://attack.mitre.org/wiki/Technique/T1033
OperatingSystem: Windows 10 All
Full Path:
- Path: c:\windows\system32\bin.exe
- Path: c:\windows\syswow64\bin.exe
Code Sample:
- Code: http://url.com/git.txt
Detection:
- IOC: Event ID 10
- IOC: binary.exe spawned
Resources:
- Link: http://blogpost.com
- Link: http://twitter.com/something
- Link: Threatintelreport...
Acknowledgement:
- Person: John Doe
Handle: @johndoe
- Person: Ola Norman
Handle: @olaNor