mirror of
https://github.com/LOLBAS-Project/LOLBAS
synced 2025-01-13 23:39:23 +01:00
Merge pull request #160 from bohops/master
WDAC Bypass additions, LOLScript additions, and a few updates
This commit is contained in:
commit
3b848e6121
28
yml/OSBinaries/Aspnet_Compiler.yml
Normal file
@ -0,0 +1,28 @@
|
|||||||
|
---
|
||||||
|
Name: Aspnet_Compiler.exe
|
||||||
|
Description: ASP.NET Compilation Tool
|
||||||
|
Author: Jimmy (@bohops)
|
||||||
|
Created: 2021-09-26
|
||||||
|
Commands:
|
||||||
|
- Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe -v none -p C:\users\cpl.internal\desktop\asptest\ -f C:\users\cpl.internal\desktop\asptest\none -u
|
||||||
|
Description: Execute C# code with the Build Provider and proper folder structure in place.
|
||||||
|
Usecase: Execute proxied payload with Microsoft signed binary to bypass application control solutions
|
||||||
|
Category: AWL Bypass
|
||||||
|
Privileges: User
|
||||||
|
MitreID: T1218
|
||||||
|
MitreLink: https://attack.mitre.org/techniques/T1218/
|
||||||
|
OperatingSystem: Windows 10
|
||||||
|
Full_Path:
|
||||||
|
- Path: c:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
|
||||||
|
- Path: c:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
|
||||||
|
Code_Sample:
|
||||||
|
- Code: https://github.com/ThunderGunExpress/BringYourOwnBuilder
|
||||||
|
Detection:
|
||||||
|
- IOC: Sysmon Event ID 1 - Process Creation
|
||||||
|
Resources:
|
||||||
|
- Link: https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/
|
||||||
|
- Link: https://docs.microsoft.com/en-us/dotnet/api/system.web.compilation.buildprovider.generatecode?view=netframework-4.8
|
||||||
|
Acknowledgement:
|
||||||
|
- Person: cpl
|
||||||
|
Handle: '@cpl3h'
|
||||||
|
---
|
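Review bot: the Command line hard-codes a contributor-specific workspace (`C:\users\cpl.internal\desktop\asptest\`) where the other new entries in this PR use placeholders such as `c:\path\to\test.fsscript`; replace it with a generic path so readers do not copy a lab layout into their notes. The Description's "proper folder structure in place" is also left undefined, so either spell out the expected layout or point to the `Code_Sample` repository that demonstrates it. Minor: `Full_Path` uses a lowercase `c:\Windows` while the command uses `C:\Windows`.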
@ -20,6 +20,14 @@ Commands:
|
|||||||
MitreID: T1127
|
MitreID: T1127
|
||||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1127
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1127
|
||||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||||
|
- Command: msbuild.exe project.proj
|
||||||
|
Description: Execute jscript/vbscript code through XML/XSL Transformation. Requires Visual Studio MSBuild v14.0+.
|
||||||
|
Usecase: Execute project file that contains XslTransformation tag parameters
|
||||||
|
Category: Execute
|
||||||
|
Privileges: User
|
||||||
|
MitreID: T1127
|
||||||
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1127
|
||||||
|
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Msbuild.exe
|
- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Msbuild.exe
|
||||||
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Msbuild.exe
|
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Msbuild.exe
|
||||||
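Review bot: the added `MitreLink` (`https://attack.mitre.org/wiki/Technique/T1127`) copies the legacy wiki URL form from the surrounding context lines, whereas every other file in this PR uses the current `https://attack.mitre.org/techniques/<ID>/` form; use the current form on the new line (and ideally update the older ones). The added command `msbuild.exe project.proj` is textually identical to the existing MSBuild commands in this file, so the only thing distinguishing it is the Description's mention of XslTransformation; consider making the Usecase or command line reflect that so the entry is self-explanatory. Also "Windows vista" should read "Windows Vista" on the new OperatingSystem line.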
@ -27,6 +35,7 @@ Full_Path:
|
|||||||
- Path: C:\Windows\Microsoft.NET\Framework64\v3.5\Msbuild.exe
|
- Path: C:\Windows\Microsoft.NET\Framework64\v3.5\Msbuild.exe
|
||||||
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe
|
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe
|
||||||
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Msbuild.exe
|
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Msbuild.exe
|
||||||
|
- Path: C:\Program Files (x86)\MSBuild\14.0\bin\MSBuild.exe
|
||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
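Review bot: the added path `C:\Program Files (x86)\MSBuild\14.0\bin\MSBuild.exe` is the only one in the list that satisfies the "Requires Visual Studio MSBuild v14.0+" condition stated for the new command, so the command's Description should point to it explicitly; every other entry in this list comes as a Framework/Framework64 pair, so if a 64-bit 14.0 build exists under the same install it should be listed alongside. Minor: the file name is spelled `MSBuild.exe` here and `Msbuild.exe` on the lines above.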
@ -36,9 +45,12 @@ Resources:
|
|||||||
- Link: https://github.com/Cn33liz/MSBuildShell
|
- Link: https://github.com/Cn33liz/MSBuildShell
|
||||||
- Link: https://pentestlab.blog/2017/05/29/applocker-bypass-msbuild/
|
- Link: https://pentestlab.blog/2017/05/29/applocker-bypass-msbuild/
|
||||||
- Link: https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
|
- Link: https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
|
||||||
|
- Link: https://gist.github.com/bohops/4ffc43a281e87d108875f07614324191
|
||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Casey Smith
|
- Person: Casey Smith
|
||||||
Handle: '@subtee'
|
Handle: '@subtee'
|
||||||
- Person: Cn33liz
|
- Person: Cn33liz
|
||||||
Handle: '@Cneelis'
|
Handle: '@Cneelis'
|
||||||
|
- Person: Jimmy
|
||||||
|
Handle: '@bohops'
|
||||||
---
|
---
|
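Review bot: the gist added under Resources (`https://gist.github.com/bohops/4ffc43a281e87d108875f07614324191`) appears to be the sample project for the new XslTransformation command, while the file's `Code_Sample:` entry is still the empty `- Code:` shown in the previous hunk; if the gist is the sample, move it (or duplicate it) into `Code_Sample` so the schema field is populated. The added acknowledgement for Jimmy/@bohops matches the other new files.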
26
yml/OSScripts/CL_LoadAssembly.yml
Normal file
@ -0,0 +1,26 @@
|
|||||||
|
---
|
||||||
|
Name: CL_LoadAssembly.ps1
|
||||||
|
Description: PowerShell Diagnostic Script
|
||||||
|
Author: Jimmy (@bohops)
|
||||||
|
Created: 2021-09-26
|
||||||
|
Commands:
|
||||||
|
- Command: '”powershell.exe -command "set-location -path C:\Windows\diagnostics\system\Audio; import-module .\CL_LoadAssembly.ps1; LoadAssemblyFromPath ..\..\..\..\testing\fun.dll;[Program]::Fun()'
|
||||||
|
Description: Proxy execute Managed DLL with PowerShell
|
||||||
|
Usecase: Execute proxied payload with Microsoft signed binary
|
||||||
|
Category: Execute
|
||||||
|
Privileges: User
|
||||||
|
MitreID: T1059.001
|
||||||
|
MitreLink: https://attack.mitre.org/techniques/T1059/001/
|
||||||
|
OperatingSystem: Windows 10 21H1 (likely other versions as well)
|
||||||
|
Full_Path:
|
||||||
|
- Path: C:\Windows\diagnostics\system\Audio\CL_LoadAssembly.ps1
|
||||||
|
Code_Sample:
|
||||||
|
- Code:
|
||||||
|
Detection:
|
||||||
|
- IOC:
|
||||||
|
Resources:
|
||||||
|
- Link: https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/
|
||||||
|
Acknowledgement:
|
||||||
|
- Person: Jimmy
|
||||||
|
Handle: '@bohops'
|
||||||
|
---
|
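Review bot: the Command string is malformed: it begins with a stray Unicode right double quote (`'”powershell.exe ...`) and the ASCII `"` opened after `-command` is never closed, so the value will not paste into a shell as written; UtilityFunctions.yml in this same PR has the mirror-image problem (a curly quote at the end), which suggests both were pasted from an editor that auto-replaces quotes. `Code_Sample` (`- Code:`) and `Detection` (`- IOC:`) are also left empty, while the other entries in this PR at least record `Sysmon Event ID 1 - Process Creation`; the command line itself (`import-module` of a script under `C:\Windows\diagnostics\system\Audio` followed by a `..\..\..\..` relative DLL path) is the observable a defender would want listed.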
26
yml/OSScripts/UtilityFunctions.yml
Normal file
@ -0,0 +1,26 @@
|
|||||||
|
---
|
||||||
|
Name: UtilityFunctions.ps1
|
||||||
|
Description: PowerShell Diagnostic Script
|
||||||
|
Author: Jimmy (@bohops)
|
||||||
|
Created: 2021-09-26
|
||||||
|
Commands:
|
||||||
|
- Command: 'powershell.exe -command "set-location -path c:\windows\diagnostics\system\networking; import-module .\UtilityFunctions.ps1; RegSnapin ..\..\..\..\temp\unsigned.dll;[Program.Class]::Main()”'
|
||||||
|
Description: Proxy execute Managed DLL with PowerShell
|
||||||
|
Usecase: Execute proxied payload with Microsoft signed binary
|
||||||
|
Category: Execute
|
||||||
|
Privileges: User
|
||||||
|
MitreID: T1059.001
|
||||||
|
MitreLink: https://attack.mitre.org/techniques/T1059/001/
|
||||||
|
OperatingSystem: Windows 10 21H1 (likely other versions as well)
|
||||||
|
Full_Path:
|
||||||
|
- Path: C:\Windows\diagnostics\system\Networking\UtilityFunctions.ps1
|
||||||
|
Code_Sample:
|
||||||
|
- Code:
|
||||||
|
Detection:
|
||||||
|
- IOC:
|
||||||
|
Resources:
|
||||||
|
- Link: https://twitter.com/nickvangilder/status/1441003666274668546
|
||||||
|
Acknowledgement:
|
||||||
|
- Person: Nick VanGilder
|
||||||
|
Handle: '@nickvangilder'
|
||||||
|
---
|
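Review bot: the Command string ends with a Unicode right double quote (`[Program.Class]::Main()”'`) instead of the ASCII `"` that opened the `-command` argument, so the quoting is unbalanced; replace it with `"`. `Code_Sample` and `Detection` are left empty (`- Code:`, `- IOC:`); at minimum record the process-creation IOC used by the other entries, since the command line (`import-module .\UtilityFunctions.ps1` followed by `RegSnapin` on a DLL outside the diagnostics directory) is what a detection would key on. Minor: the command uses lowercase `c:\windows\...\networking` while `Full_Path` has `C:\Windows\...\Networking`.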
38
yml/OtherMSBinaries/Fsi.yml
Normal file
@ -0,0 +1,38 @@
|
|||||||
|
---
|
||||||
|
Name: Fsi.exe
|
||||||
|
Description: 64-bit FSharp (F#) Interpreter included with Visual Studio and DotNet Core SDK.
|
||||||
|
Author: Jimmy (@bohops)
|
||||||
|
Created: 2021-09-26
|
||||||
|
Commands:
|
||||||
|
- Command: fsi.exe c:\path\to\test.fsscript
|
||||||
|
Description: Execute F# code via script file
|
||||||
|
Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies
|
||||||
|
Category: AWL Bypass
|
||||||
|
Privileges: User
|
||||||
|
MitreID: T1059
|
||||||
|
MitreLink: https://attack.mitre.org/techniques/T1059/
|
||||||
|
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
|
||||||
|
- Command: fsi.exe
|
||||||
|
Description: Execute F# code via interactive command line
|
||||||
|
Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies
|
||||||
|
Category: AWL Bypass
|
||||||
|
Privileges: User
|
||||||
|
MitreID: T1059
|
||||||
|
MitreLink: https://attack.mitre.org/techniques/T1059/
|
||||||
|
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
|
||||||
|
Full_Path:
|
||||||
|
- Path: C:\Program Files\dotnet\sdk\[sdk version]\FSharp\fsi.exe
|
||||||
|
- Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsi.exe
|
||||||
|
Code_Sample:
|
||||||
|
- Code: https://gist.github.com/NickTyrer/51eb8c774a909634fa69b4d06fc79ae1
|
||||||
|
Detection:
|
||||||
|
- IOC: Sysmon Event ID 1 - Process Creation
|
||||||
|
Resources:
|
||||||
|
- Link: https://twitter.com/NickTyrer/status/904273264385589248
|
||||||
|
- Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
|
||||||
|
Acknowledgement:
|
||||||
|
- Person: Nick Tyrer
|
||||||
|
Handle: '@NickTyrer'
|
||||||
|
- Person: Jimmy
|
||||||
|
Handle: '@bohops'
|
||||||
|
---
|
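Review bot: the Visual Studio `Full_Path` is edition-specific (`...\Microsoft Visual Studio\2019\Professional\...`), whereas the SDK path uses an `[sdk version]` placeholder; use a placeholder for the year/edition component as well, or note that it varies, since readers on other editions will not find the binary at that path. The two commands differ only in whether a `.fsscript` argument is supplied, so the single `Sysmon Event ID 1` IOC could state that the script path appears on the command line for the first form and not for the interactive second form. Minor: `[sdk version]` here versus `[SDK version]` in VisualUiaVerifyNative.yml.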
36
yml/OtherMSBinaries/FsiAnyCpu.yml
Normal file
@ -0,0 +1,36 @@
|
|||||||
|
---
|
||||||
|
Name: FsiAnyCpu.exe
|
||||||
|
Description: 32/64-bit FSharp (F#) Interpreter included with Visual Studio.
|
||||||
|
Author: Jimmy (@bohops)
|
||||||
|
Created: 2021-09-26
|
||||||
|
Commands:
|
||||||
|
- Command: fsianycpu.exe c:\path\to\test.fsscript
|
||||||
|
Description: Execute F# code via script file
|
||||||
|
Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies
|
||||||
|
Category: AWL Bypass
|
||||||
|
Privileges: User
|
||||||
|
MitreID: T1059
|
||||||
|
MitreLink: https://attack.mitre.org/techniques/T1059/
|
||||||
|
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
|
||||||
|
- Command: fsianycpu.exe
|
||||||
|
Description: Execute F# code via interactive command line
|
||||||
|
Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies
|
||||||
|
Category: AWL Bypass
|
||||||
|
Privileges: User
|
||||||
|
MitreID: T1059
|
||||||
|
MitreLink: https://attack.mitre.org/techniques/T1059/
|
||||||
|
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
|
||||||
|
Full_Path:
|
||||||
|
- Path: c:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsianycpu.exe
|
||||||
|
Code_Sample:
|
||||||
|
- Code: https://gist.github.com/NickTyrer/51eb8c774a909634fa69b4d06fc79ae1
|
||||||
|
Detection:
|
||||||
|
- IOC: Sysmon Event ID 1 - Process Creation
|
||||||
|
Resources:
|
||||||
|
- Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
|
||||||
|
Acknowledgement:
|
||||||
|
- Person: Nick Tyrer
|
||||||
|
Handle: '@NickTyrer'
|
||||||
|
- Person: Jimmy
|
||||||
|
Handle: '@bohops'
|
||||||
|
---
|
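Review bot: `Code_Sample` points to the same NickTyrer gist as Fsi.yml and Nick Tyrer is acknowledged, but the tweet that Fsi.yml lists under Resources (`https://twitter.com/NickTyrer/status/904273264385589248`) is omitted here; add it for consistency, or drop the acknowledgement if it does not apply to the AnyCPU binary. `Full_Path` carries the same edition-specific `2019\Professional` component as Fsi.yml and starts with a lowercase `c:\` where Fsi.yml uses `C:\`.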
31
yml/OtherMSBinaries/VisualUiaVerifyNative.yml
Normal file
@ -0,0 +1,31 @@
|
|||||||
|
---
|
||||||
|
Name: VisualUiaVerifyNative.exe
|
||||||
|
Description: A Windows SDK binary for manual and automated testing of Microsoft UI Automation implementation and controls.
|
||||||
|
Author: Jimmy (@bohops)
|
||||||
|
Created: 2021-09-26
|
||||||
|
Commands:
|
||||||
|
- Command: VisualUiaVerifyNative.exe
|
||||||
|
Description: Generate Serialized gadget and save to - C:\Users\[current user]\AppData\Roaminguiverify.config before executing.
|
||||||
|
Usecase: Execute proxied payload with Microsoft signed binary to bypass WDAC policies
|
||||||
|
Category: AWL Bypass
|
||||||
|
Privileges: User
|
||||||
|
MitreID: T1218
|
||||||
|
MitreLink: https://attack.mitre.org/techniques/T1218/
|
||||||
|
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
|
||||||
|
Full_Path:
|
||||||
|
- Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\arm64\UIAVerify\VisualUiaVerifyNative.exe
|
||||||
|
- Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\x64\UIAVerify\VisualUiaVerifyNative.exe
|
||||||
|
- Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\UIAVerify\VisualUiaVerifyNative.exe
|
||||||
|
Code_Sample:
|
||||||
|
- Code:
|
||||||
|
Detection:
|
||||||
|
- IOC: Sysmon Event ID 1 - Process Creation
|
||||||
|
Resources:
|
||||||
|
- Link: https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/
|
||||||
|
- Link: https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad
|
||||||
|
Acknowledgement:
|
||||||
|
- Person: Lee Christensen
|
||||||
|
Handle: '@tifkin'
|
||||||
|
- Person: Jimmy
|
||||||
|
Handle: '@bohops'
|
||||||
|
---
|
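Review bot: the Description's file path reads `C:\Users\[current user]\AppData\Roaminguiverify.config`, which looks like a lost path separator between `Roaming` and the config file name; confirm the intended location and quote the scalar, since a backslash at the end of a path component in an unquoted YAML string is easy to lose. Because the entry itself states that the serialized gadget is written to that file before execution, the Detection section should list the creation of that config file (e.g. `Sysmon Event ID 11 - FileCreate`) alongside `Sysmon Event ID 1`; the bare `VisualUiaVerifyNative.exe` command line carries no other indicator. `Code_Sample` is empty (`- Code:`) even though the Description refers to generating the file.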
28
yml/OtherMSBinaries/Wfc.yml
Normal file
@ -0,0 +1,28 @@
|
|||||||
|
---
|
||||||
|
Name: Wfc.exe
|
||||||
|
Description: The Workflow Command-line Compiler tool is included with the Windows Software Development Kit (SDK).
|
||||||
|
Author: Jimmy (@bohops)
|
||||||
|
Created: 2021-09-26
|
||||||
|
Commands:
|
||||||
|
- Command: wfc.exe c:\path\to\test.xoml
|
||||||
|
Description: Execute arbitrary C# code embedded in a XOML file.
|
||||||
|
Usecase: Execute proxied payload with Microsoft signed binary to bypass WDAC policies
|
||||||
|
Category: AWL Bypass
|
||||||
|
Privileges: User
|
||||||
|
MitreID: T1218
|
||||||
|
MitreLink: https://attack.mitre.org/techniques/T1218/
|
||||||
|
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
|
||||||
|
Full_Path:
|
||||||
|
- Path: C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\wfc.exe
|
||||||
|
Code_Sample:
|
||||||
|
- Code: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
|
||||||
|
Detection:
|
||||||
|
- IOC: Sysmon Event ID 1 - Process Creation
|
||||||
|
Resources:
|
||||||
|
- Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
|
||||||
|
Acknowledgement:
|
||||||
|
- Person: Matt Graeber
|
||||||
|
Handle: '@mattifestation'
|
||||||
|
- Person: Jimmy
|
||||||
|
Handle: '@bohops'
|
||||||
|
---
|
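Review bot: `Full_Path` pins one toolset (`...\v10.0A\bin\NETFX 4.8 Tools\wfc.exe`) while the other SDK entries in this PR use an `[SDK version]` placeholder; apply the same convention to the `NETFX x.y Tools` component or note that it tracks the installed .NET Framework SDK. `Code_Sample` and `Resources` both point at the same blog post; `Code_Sample` is meant for the sample itself, so either link the XOML sample directly or leave the field for a code link. Minor: "embedded in a XOML file" should read "embedded in an XOML file".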