mirror of
https://github.com/LOLBAS-Project/LOLBAS
synced 2025-01-27 22:10:20 +01:00
Merge branch 'master' into windows_11_sprint
This commit is contained in:
commit
7797a1967c
27
yml/OSBinaries/Conhost.yml
Normal file
@ -0,0 +1,27 @@
---
Name: Conhost.exe
Description: Console Window host
Author: Wietze Beukema
Created: 2022-04-05
Commands:
- Command: "conhost.exe calc.exe"
Description: Execute calc.exe with conhost.exe as parent process
Usecase: Use conhost.exe as a proxy binary to evade defensive counter-measures
Category: Execute
Privileges: User
MitreID: T1202
OperatingSystem: Windows 10, Windows 11
Full_Path:
- Path: c:\windows\system32\conhost.exe
Detection:
- IOC: conhost.exe spawning unexpected processes
- Sigma: https://github.com/SigmaHQ/sigma/blob/bea6f18d350d9c9fdc067f93dde0e9b11cc22dc2/rules/windows/process_creation/proc_creation_win_susp_conhost.yml
Resources:
- Link: https://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/
- Link: https://twitter.com/Wietze/status/1511397781159751680
Acknowledgement:
- Person: Adam
Handle: '@hexacorn'
- Person: Wietze
Handle: '@wietze'
---
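Review bot: Full_Path is written as `c:\windows\system32\conhost.exe`, all lower-case, whereas the other files touched in this commit use `C:\Windows\System32\...`; normalise it so string comparisons across the corpus match. The IOC `conhost.exe spawning unexpected processes` should name the direction explicitly (conhost.exe as the parent, as the command's Description line already does), since that parent/child relationship is what the pinned process-creation Sigma rule keys on. Unlike Rdrleakdiag.yml and Wlrmdr.yml added in the same commit there is no `Code_Sample:` stanza; add it if schema validation expects the key.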
@ -24,6 +24,7 @@ Full_Path:
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/35a7244c62820fbc5a832e50b1e224ac3a1935da/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml
- IOC: Scripts added in local group policy
- IOC: Execution of Gpscript.exe after logon
Resources:
@ -14,6 +14,7 @@ Commands:
Full_Path:
- Path: C:\Windows\System32\IME\SHARED\IMEWDBLD.exe
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/bea6f18d350d9c9fdc067f93dde0e9b11cc22dc2/rules/windows/network_connection/net_connection_win_imewdbld.yml
Resources:
- Link: https://twitter.com/notwhickey/status/1367493406835040265
Acknowledgement:
@ -21,6 +21,7 @@ Code_Sample:
Detection:
- IOC: ie4uinit.exe copied outside of %windir%
- IOC: ie4uinit.exe loading an inf file (ieuinit.inf) from outside %windir%
- Sigma: https://github.com/SigmaHQ/sigma/blob/bea6f18d350d9c9fdc067f93dde0e9b11cc22dc2/rules/windows/process_creation/proc_creation_win_lolbin_ie4uinit.yml
Resources:
- Link: https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/
Acknowledgement:
@ -25,6 +25,7 @@ Code_Sample:
- Code:
Detection:
- IOC: Ilasm may not be used often in production environments (such as on endpoints)
- Sigma: https://github.com/SigmaHQ/sigma/blob/bea6f18d350d9c9fdc067f93dde0e9b11cc22dc2/rules/windows/process_creation/proc_creation_win_lolbin_ilasm.yml
Resources:
- Link: https://github.com/LuxNoBulIshit/BeforeCompileBy-ilasm/blob/master/hello_world.txt
Acknowledgement:
@ -26,6 +26,7 @@ Full_Path:
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/35a7244c62820fbc5a832e50b1e224ac3a1935da/rules/windows/process_creation/proc_creation_win_lolbin_jsc.yml
- IOC: Jsc.exe should normally not run a system unless it is used for development.
Resources:
- Link: https://twitter.com/DissectMalware/status/998797808907046913
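Review bot: the IOC context line right after the added Sigma reference reads `should normally not run a system`; it is missing "on" (`run on a system`). It is unchanged by this hunk, but since the Detection block is being edited anyway, fix the wording in the same change.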
@ -14,6 +14,7 @@ Commands:
Full_Path:
- Path: C:\Program Files\Windows Defender\Offline\OfflineScannerShell.exe
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/bea6f18d350d9c9fdc067f93dde0e9b11cc22dc2/rules/windows/process_creation/proc_creation_win_lolbas_offlinescannershell.yml
- IOC: OfflineScannerShell.exe should not be run on a normal workstation
Acknowledgement:
- Person: Elliot Killick
@ -24,6 +24,7 @@ Full_Path:
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/35a7244c62820fbc5a832e50b1e224ac3a1935da/rules/windows/process_creation/proc_creation_win_lolbin_pktmon.yml
- IOC: .etl files found on system
Resources:
- Link: https://binar-x79.com/windows-10-secret-sniffer/
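Review bot: the IOC `.etl files found on system` next to the newly added Sigma rule is too coarse to act on as written; tie it to pktmon.exe as the writing process, or to an unexpected output location, so that it complements the process-creation rule rather than flagging every trace file on the host.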
@ -21,6 +21,7 @@ Commands:
Full_Path:
- Path: C:\Windows\System32\spool\tools\PrintBrm.exe
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/35a7244c62820fbc5a832e50b1e224ac3a1935da/rules/windows/process_creation/proc_creation_win_lolbin_printbrm.yml
- IOC: PrintBrm.exe should not be run on a normal workstation
Resources:
- Link: https://twitter.com/elliotkillick/status/1404117015447670800
44
yml/OSBinaries/Rdrleakdiag.yml
Normal file
@ -0,0 +1,44 @@
---
Name: rdrleakdiag.exe
Description: Microsoft Windows resource leak diagnostic tool
Author: 'John Dwyer'
Created: 2022-05-18
Commands:
- Command: rdrleakdiag.exe /p 940 /o c:\evil /fullmemdmp /wait 1
Description: Dump process by PID and create a dump file (Creates files called minidump_<PID>.dmp and results_<PID>.hlk).
Usecase: Dump process by PID.
Category: Dump
Privileges: User
MitreID: T1003
OperatingSystem: Windows
- Command: rdrleakdiag.exe /p 832 /o c:\evil /fullmemdmp /wait 1
Description: Dump LSASS process by PID and create a dump file (Creates files called minidump_<PID>.dmp and results_<PID>.hlk).
Usecase: Dump LSASS process.
Category: Dump
Privileges: Administrator
MitreID: T1003.001
OperatingSystem: Windows
- Command: rdrleakdiag.exe /p 832 /o c:\evil /fullmemdmp /snap
Description: After dumping a process using /wait 1, subsequent dumps must use /snap (Creates files called minidump_<PID>.dmp and results_<PID>.hlk).
Usecase: Dump LSASS process mutliple times.
Category: Dump
Privileges: Administrator
MitreID: T1003.001
OperatingSystem: Windows
Full_Path:
- Path: c:\windows\system32\rdrleakdiag.exe
- Path: c:\Windows\SysWOW64\rdrleakdiag.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_process_dump_rdrleakdiag.yml
- Elastic: https://www.elastic.co/guide/en/security/current/potential-credential-access-via-windows-utilities.html
- Elastic: https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/credential_access_cmdline_dump_tool.toml
Resources:
- Link: https://twitter.com/0gtweet/status/1299071304805560321?s=21
- Link: https://www.pureid.io/dumping-abusing-windows-credentials-part-1/
- Link: https://github.com/LOLBAS-Project/LOLBAS/issues/84
Acknowledgement:
- Person: Grzegorz Tworek
Handle: '@0gtweet'
---
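Review bot: typo in the third command's Usecase, `mutliple` should be `multiple`. The Sigma link points at `blob/master/` while the second Elastic link and every other Sigma link in this commit are pinned to a commit hash; pin it so the reference survives a rule rename. The literal PIDs `940` and `832` are sample values that differ on every host; Dump64.yml in this same commit uses a `<pid>` placeholder, so follow that convention here. Minor consistency points: `Author: 'John Dwyer'` is quoted while the other new files leave Author unquoted, and Full_Path mixes `c:\windows\system32` with `c:\Windows\SysWOW64` casing.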
@ -17,6 +17,7 @@ Full_Path:
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/35a7244c62820fbc5a832e50b1e224ac3a1935da/rules/windows/process_creation/proc_creation_win_susp_register_cimprovider.yml
- IOC: Register-cimprovider.exe execution and cmdline DLL load may be supsicious
Resources:
- Link: https://twitter.com/PhilipTsukerman/status/992021361106268161
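Review bot: the IOC context line directly below the added Sigma reference has a typo, `supsicious` for `suspicious`; correct it while this Detection block is open.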
@ -25,6 +25,7 @@ Code_Sample:
- Code:
Detection:
- IOC: Replace.exe retrieving files from remote server
- Sigma: https://github.com/SigmaHQ/sigma/blob/bea6f18d350d9c9fdc067f93dde0e9b11cc22dc2/rules/windows/process_creation/proc_creation_win_lolbas_replace.yml
Resources:
- Link: https://twitter.com/elceef/status/986334113941655553
- Link: https://twitter.com/elceef/status/986842299861782529
@ -24,6 +24,8 @@ Full_Path:
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/7ea6ed3db65e0bd812b051d9bb4fffd27c4c4d0a/rules/windows/create_remote_thread/create_remote_thread_win_ttdinjec.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/7ea6ed3db65e0bd812b051d9bb4fffd27c4c4d0a/rules/windows/process_creation/proc_creation_win_lolbin_ttdinject.yml
- IOC: Parent child relationship. Ttdinject.exe parent for executed command
- IOC: Multiple queries made to the IFEO registry key of an untrusted executable (Ex. "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\payload.exe") from the ttdinject.exe process
Resources:
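Review bot: the first added Sigma path ends in `create_remote_thread_win_ttdinjec.yml` (no trailing `t`) while the second ends in `proc_creation_win_lolbin_ttdinject.yml`; please confirm the first link resolves at the pinned commit rather than being a truncated filename. The two rules also rely on different telemetry (a CreateRemoteThread event versus process creation), which is worth stating in the IOC lines so readers know which log source each rule needs.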
33
yml/OSBinaries/Wlrmdr.yml
Normal file
@ -0,0 +1,33 @@
---
Name: Wlrmdr.exe
Description: Windows Logon Reminder executable
Author: Moshe Kaplan
Created: 2022-02-16
Commands:
- Command: "wlrmdr.exe -s 3600 -f 0 -t _ -m _ -a 11 -u calc.exe"
Description: Execute calc.exe with wlrmdr.exe as parent process
Usecase: Use wlrmdr as a proxy binary to evade defensive countermeasures
Category: Execute
Privileges: User
MitreID: T1202
OperatingSystem: Windows 10, Windows 11
Full_Path:
- Path: c:\windows\system32\wlrmdr.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/35a7244c62820fbc5a832e50b1e224ac3a1935da/rules/windows/process_creation/proc_creation_win_lolbin_wlrmdr.yml
- IOC: wlrmdr.exe spawning any new processes
Resources:
- Link: https://twitter.com/0gtweet/status/1493963591745220608
- Link: https://twitter.com/Oddvarmoe/status/927437787242090496
- Link: https://twitter.com/falsneg/status/1461625526640992260
- Link: https://docs.microsoft.com/en-us/windows/win32/api/shellapi/ns-shellapi-notifyicondataw
Acknowledgement:
- Person: Grzegorz Tworek
Handle: '@0gtweet'
- Person: Oddvar Moe
Handle: '@Oddvarmoe'
- Person: Freddy
Handle: '@falsneg'
---
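Review bot: Full_Path `c:\windows\system32\wlrmdr.exe` is lower-case whereas the existing entries in this commit use `C:\Windows\System32\...`; match that casing. The IOC `wlrmdr.exe spawning any new processes` is a good, unambiguous condition and pairs well with the pinned process-creation rule; the Conhost.yml entry in the same commit would benefit from the same phrasing.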
@ -4,12 +4,12 @@ Description: Windows Update Client
Author: 'David Middlehurst'
Created: 2020-09-23
Commands:
- Command: wuauclt.exe /UpdateDeploymentProvider <Full_Path_To_DLL> /RunHandlerComServer
- Command: wuauclt.exe /UpdateDeploymentProvider Full_Path_To_DLL /RunHandlerComServer
Description: Full_Path_To_DLL would be the abosolute path to .DLL file and would execute code on attach.
Usecase: Execute dll via attach/detach methods
Category: Execute
Privileges: User
MitreID: T1218.011
MitreID: T1218
OperatingSystem: Windows 10
Full_Path:
- Path: C:\Windows\System32\wuauclt.exe
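Review bot: dropping the angle brackets turns `<Full_Path_To_DLL>` from a recognisable placeholder into a bare token that reads like a literal argument, and the Dump64.yml entry added in this same commit keeps `<pid>` in angle brackets, so the two conventions now conflict. If the brackets were removed because of YAML or rendering problems, quote the Command value instead, as Conhost.yml and Wlrmdr.yml in this commit do. The MitreID change from T1218.011 to T1218 is reasonable: the Desk.yml entry in this commit shows T1218.011 used for rundll32-based execution, and wuauclt.exe is not rundll32. The Description line still carries the typo `abosolute`; fix it while this stanza is being edited.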
44
yml/OSLibraries/Desk.yml
Normal file
@ -0,0 +1,44 @@
---
Name: Desk.cpl
Description: Desktop Settings Control Panel
Author: Hai Vaknin
Created: 2022-04-21
Commands:
- Command: rundll32.exe desk.cpl,InstallScreenSaver C:\temp\file.scr
Description: Launch an executable with a .scr extension by calling the InstallScreenSaver function.
Usecase: Launch any executable payload, as long as it uses the .scr extension.
Category: Execute
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows 10, Windows 11
- Command: rundll32.exe desk.cpl,InstallScreenSaver \\127.0.0.1\c$\temp\file.scr
Description: Launch a remote executable with a .scr extension, located on an SMB share, by calling the InstallScreenSaver function.
Usecase: Launch any executable payload, as long as it uses the .scr extension.
Category: Execute
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\System32\desk.cpl
- Path: C:\Windows\SysWOW64\desk.cpl
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file_event/file_event_win_new_src_file.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_installscreensaver.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml
Resources:
- Link: https://vxug.fakedoma.in/zines/29a/29a7/Articles/29A-7.030.txt
- Link: https://twitter.com/pabraeken/status/998627081360695297
- Link: https://twitter.com/VakninHai/status/1517027824984547329
- Link: https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files
Acknowledgement:
- Person: Rafael S Marques
Handle: '@pegabizu'
- Person: Pierre-Alexandre Braeken
Handle: '@pabraeken'
- Person: hai
Handle: '@VakninHai'
- Person: Christopher Peacock
Handle: '@SecurePeacock'
- Person: Jose Luis Sanchez
Handle: '@Joseliyo_Jstnk'
---
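Review bot: all three Sigma links use `blob/master/...` while the other entries in this commit pin a commit hash; pin them so the detection references do not break when the rules are moved or renamed. The second command's Usecase is a verbatim copy of the first, although its Description says the distinguishing point is that the .scr file is loaded from an SMB share; say that in the Usecase too, since the UNC-path variant is what the file_event and registry rules are there to catch. Minor: `Author: Hai Vaknin` versus `- Person: hai` in Acknowledgement, use the same capitalisation.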
@ -1,5 +1,5 @@
---
Name: Ieaframe.dll
Name: Ieframe.dll
Description: Internet Browser DLL for translating HTML code.
Author:
Created: 2018-05-25
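Review bot: the Name correction from `Ieaframe.dll` to `Ieframe.dll` is right. The `Author:` context line in the same stanza is empty; fill it in or set it to whatever value the schema accepts for unknown authors while this file is being touched.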
37
yml/OtherMSBinaries/AccCheckConsole.yml
Normal file
@ -0,0 +1,37 @@
---
Name: AccCheckConsole.exe
Description: Verifies UI accessibility requirements
Author: 'bohops'
Created: 2022-01-02
Commands:
- Command: AccCheckConsole.exe -window "Untitled - Notepad" C:\path\to\your\lolbas.dll
Description: Load a managed DLL in the context of AccCheckConsole.exe. The -window switch value can be set to an arbitrary active window name.
Usecase: Local execution of managed code from assembly DLL.
Category: Execute
Privileges: User
MitreID: T1218
OperatingSystem: Windows
- Command: AccCheckConsole.exe -window "Untitled - Notepad" C:\path\to\your\lolbas.dll
Description: Load a managed DLL in the context of AccCheckConsole.exe. The -window switch value can be set to an arbitrary active window name.
Usecase: Local execution of managed code to bypass AppLocker.
Category: AWL Bypass
Privileges: User
MitreID: T1218
OperatingSystem: Windows
Full_Path:
- Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x86\AccChecker\AccCheckConsole.exe
- Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x64\AccChecker\AccCheckConsole.exe
- Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\arm\AccChecker\AccCheckConsole.exe
- Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\arm64\AccChecker\AccCheckConsole.exe
Code_Sample:
- Code: https://docs.microsoft.com/en-us/windows/win32/winauto/custom-verification-routines
Detection:
- IOC: Sysmon Event ID 1 - Process Creation
- Analysis: https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340
Resources:
- Link: https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340
- Link: https://twitter.com/bohops/status/1477717351017680899
Acknowledgement:
- Person: Jimmy
Handle: '@bohops'
---
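Review bot: the IOC `Sysmon Event ID 1 - Process Creation` names a log source rather than a condition; state what to look for in that event (AccCheckConsole.exe launched with a DLL path as its last argument, per the Command line above), matching the style of the other entries' IOC lines. The four Full_Path values hard-code SDK build `10.0.22000.0`; other installed SDK versions sit under a different build directory, so say that the build number varies or use a placeholder for it. `- Analysis:` under Detection and the first `- Link:` under Resources point at the same gist; keep one. The two Command and Description lines are byte-identical and differ only in Usecase/Category; that follows the corpus convention for a second category, but the second Description could simply refer to the first.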
@ -4,7 +4,7 @@ Description: Binary coregen.exe (Microsoft CoreCLR Native Image Generator) loads
Author: Martin Sohn Christensen
Created: 2020-10-09
Commands:
- Command: coregon.exe.exe /L C:\folder\evil.dll dummy_assembly_name
- Command: coregen.exe /L C:\folder\evil.dll dummy_assembly_name
Description: Loads the target .DLL in arbitrary path specified with /L.
Usecase: Execute DLL code
Category: Execute
24
yml/OtherMSBinaries/Dump64.yml
Normal file
@ -0,0 +1,24 @@
---
Name: Dump64.exe
Description: Memory dump tool that comes with Microsoft Visual Studio
Author: mr.d0x
Created: 2021-11-16
Commands:
- Command: dump64.exe <pid> out.dmp
Description: Creates a memory dump of the LSASS process.
Usecase: Create memory dump and parse it offline to retrieve credentials.
Category: Dump
Privileges: Administrator
MitreID: T1003.001
OperatingSystem: Windows 10, Windows 11
Full_Path:
- Path: C:\Program Files (x86)\Microsoft Visual Studio\Installer\Feedback\dump64.exe
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/138b06628380468fb8a41fc27770e1630cb64326/rules/windows/process_creation/process_creation_win_lolbas_dump64.yml
- IOC: As a Windows SDK binary, execution on a system may be suspicious
Resources:
- Link: https://twitter.com/mrd0x/status/1460597833917251595
Acknowledgement:
- Person: mr.d0x
Handle: '@mrd0x'
---
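Review bot: the Command `dump64.exe <pid> out.dmp` takes any PID, but the Description says it `Creates a memory dump of the LSASS process`, and `Privileges: Administrator` plus `MitreID: T1003.001` are only right for that case; either say in the placeholder or the Description that the PID is LSASS's, or broaden the Description and split the generic and LSASS cases the way Rdrleakdiag.yml in this commit does. The Description says the tool `comes with Microsoft Visual Studio` and Full_Path is under `Microsoft Visual Studio\Installer\Feedback`, yet the IOC calls it `a Windows SDK binary`; make these agree so the IOC points analysts at the right install footprint.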
@ -16,6 +16,7 @@ Full_Path:
|
||||
- Path: C:\Program files (x86)\Microsoft SQL Server\110\Tools\Binn\sqlps.exe
|
||||
- Path: C:\Program files (x86)\Microsoft SQL Server\120\Tools\Binn\sqlps.exe
|
||||
- Path: C:\Program files (x86)\Microsoft SQL Server\130\Tools\Binn\sqlps.exe
|
||||
- Path: C:\Program Files (x86)\Microsoft SQL Server\150\Tools\Binn\SQLPS.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
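Review bot: the added path uses `C:\Program Files (x86)` and `SQLPS.exe` whereas the three existing paths use `C:\Program files (x86)` and `sqlps.exe`; Windows paths are case-insensitive but tooling that compares these strings usually is not, so match the existing casing here (or normalise all four in one go).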
@ -24,9 +25,12 @@ Detection:
- Elastic: https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/execution_suspicious_powershell_imgload.toml
- Splunk: https://github.com/splunk/security_content/blob/aa9f7e0d13a61626c69367290ed1b7b71d1281fd/docs/_posts/2021-10-05-suspicious_copy_on_system32.md
Resources:
- Link: https://twitter.com/ManuelBerrueta/status/1527289261350760455
- Link: https://twitter.com/bryon_/status/975835709587075072
- Link: https://docs.microsoft.com/en-us/sql/powershell/sql-server-powershell?view=sql-server-2017
Acknowledgement:
- Person: Bryon
Handle: '@bryon_'
- Person: Manny
Handle: '@ManuelBerrueta'
---