public-mirrors/LOLBAS
1
0
Fork 0
mirror of https://github.com/LOLBAS-Project/LOLBAS synced 2025-08-03 16:12:50 +02:00
Code Issues Projects Releases Wiki Activity

Revert "MITRE ATT&CK realignment sprint"

Browse Source
This commit is contained in:
bohops
2021-11-05 20:22:14 -04:00
committed by GitHub
parent 03362b8640
commit 61a3d97fad
159 changed files with 571 additions and 253 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
yml/OSScripts/CL_LoadAssembly.yml
View File

@@ -9,13 +9,14 @@ Commands:
Usecase: Execute proxied payload with Microsoft signed binary
Category: Execute
Privileges: User
MitreID: T1216
MitreID: T1059.001
MitreLink: https://attack.mitre.org/techniques/T1059/001/
OperatingSystem: Windows 10 21H1 (likely other versions as well)
Full_Path:
- Path: C:\Windows\diagnostics\system\Audio\CL_LoadAssembly.ps1
Code_Sample:
Code_Sample:
- Code:
Detection:
Detection:
- IOC:
Resources:
- Link: https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/

1
yml/OSScripts/CL_mutexverifiers.yml
View File

@@ -10,6 +10,7 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1216
MitreLink: https://attack.mitre.org/wiki/Technique/T1216
OperatingSystem: Windows 10
Full_Path:
- Path: C:\Windows\diagnostics\system\WindowsUpdate\CL_Mutexverifiers.ps1

1
yml/OSScripts/Cl_invocation.yml
View File

@@ -10,6 +10,7 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1216
MitreLink: https://attack.mitre.org/wiki/Technique/T1216
OperatingSystem: Windows 10
Full_Path:
- Path: C:\Windows\diagnostics\system\AERO\CL_Invocation.ps1

2
yml/OSScripts/Manage-bde.yml
View File

@@ -10,6 +10,7 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1216
MitreLink: https://attack.mitre.org/wiki/Technique/T1216
OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: copy c:\users\person\evil.exe c:\users\public\manage-bde.exe & cd c:\users\public\ & cscript.exe c:\windows\system32\manage-bde.wsf
Description: Run the manage-bde.wsf script with a payload named manage-bde.exe in the same directory to run the payload file.
@@ -17,6 +18,7 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1216
MitreLink: https://attack.mitre.org/wiki/Technique/T1216
OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full_Path:
- Path: C:\Windows\System32\manage-bde.wsf

3
yml/OSScripts/Pubprn.yml
View File

@@ -9,7 +9,8 @@ Commands:
Usecase: Proxy execution
Category: Execute
Privileges: User
MitreID: T1216.001
MitreID: T1216
MitreLink: https://attack.mitre.org/wiki/Technique/T1216
OperatingSystem: Windows 10
Full_Path:
- Path: C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs

1
yml/OSScripts/Syncappvpublishingserver.yml
View File

@@ -10,6 +10,7 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1216
MitreLink: https://attack.mitre.org/wiki/Technique/T1216
OperatingSystem: Windows 10
Full_Path:
- Path: C:\Windows\System32\SyncAppvPublishingServer.vbs

9
yml/OSScripts/UtilityFunctions.yml
View File

@@ -9,17 +9,18 @@ Commands:
Usecase: Execute proxied payload with Microsoft signed binary
Category: Execute
Privileges: User
MitreID: T1216
MitreID: T1059.001
MitreLink: https://attack.mitre.org/techniques/T1059/001/
OperatingSystem: Windows 10 21H1 (likely other versions as well)
Full_Path:
- Path: C:\Windows\diagnostics\system\Networking\UtilityFunctions.ps1
Code_Sample:
Code_Sample:
- Code:
Detection:
Detection:
- IOC:
Resources:
- Link: https://twitter.com/nickvangilder/status/1441003666274668546
Acknowledgement:
- Person: Nick VanGilder
Handle: '@nickvangilder'
---
---

3
yml/OSScripts/Winrm.yml
View File

@@ -10,6 +10,7 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1216
MitreLink: https://attack.mitre.org/wiki/Technique/T1216
OperatingSystem: Windows 10
- Command: 'winrm invoke Create wmicimv2/Win32_Service @{Name="Evil";DisplayName="Evil";PathName="cmd.exe /k c:\windows\system32\notepad.exe"} -r:http://acmedc:5985 \nwinrm invoke StartService wmicimv2/Win32_Service?Name=Evil -r:http://acmedc:5985'
Description: Lateral movement/Remote Command Execution via WMI Win32_Service class over the WinRM protocol
@@ -17,6 +18,7 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1216
MitreLink: https://attack.mitre.org/wiki/Technique/T1216
OperatingSystem: Windows 10
- Command: '%SystemDrive%\BypassDir\cscript //nologo %windir%\System32\winrm.vbs get wmicimv2/Win32_Process?Handle=4 -format:pretty'
Description: Bypass AWL solutions by copying and executing cscript.exe and malicious XSL documents from attacker controlled location
@@ -24,6 +26,7 @@ Commands:
Category: AWL Bypass
Privileges: User
MitreID: T1216
MitreLink: https://attack.mitre.org/wiki/Technique/T1216
OperatingSystem: Windows 10
Full_Path:
- Path: C:\Windows\System32\winrm.vbs

1
yml/OSScripts/pester.yml
View File

@@ -10,6 +10,7 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1216
MitreLink: https://attack.mitre.org/wiki/Technique/T1216
OperatingSystem: Windows 10
Full_Path:
- Path: c:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\bin\Pester.bat