mirror of
https://github.com/LOLBAS-Project/LOLBAS
synced 2024-12-25 14:29:24 +01:00
Merge pull request #54 from ForensicITGuy/ntdsutil
Ntdsutil & Rasautou addition
This commit is contained in:
commit
80295ef865
27
yml/OSBinaries/Rasautou.yml
Normal file
27
yml/OSBinaries/Rasautou.yml
Normal file
@ -0,0 +1,27 @@
|
||||
---
|
||||
Name: Rasautou.exe
|
||||
Description: Windows Remote Access Dialer
|
||||
Author: 'Tony Lambert'
|
||||
Created: '2020-01-10'
|
||||
Commands:
|
||||
- Command: rasautou -d powershell.dll -p powershell -a a -e e
|
||||
Description: Loads the target .DLL specified in -d and executes the export specified in -p. Options removed in Windows 10.
|
||||
Usecase: Execute DLL code
|
||||
Category: Execute
|
||||
Privileges: User, Administrator in Windows 8
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\rasautou.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: rasautou.exe command line containing -d and -p
|
||||
Resources:
|
||||
- Link: https://github.com/fireeye/DueDLLigence
|
||||
- Link: https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html
|
||||
Acknowledgement:
|
||||
- Person: FireEye
|
||||
Handle: '@FireEye'
|
||||
---
|
26
yml/OtherMSBinaries/Ntdsutil.yml
Normal file
26
yml/OtherMSBinaries/Ntdsutil.yml
Normal file
@ -0,0 +1,26 @@
|
||||
---
|
||||
Name: ntdsutil.exe
|
||||
Description: Command line utility used to export Actove Directory.
|
||||
Author: 'Tony Lambert'
|
||||
Created: '2020-01-10'
|
||||
Commands:
|
||||
- Command: ntdsutil.exe “ac i ntds” “ifm” “create full c:\” q q
|
||||
Description: Dump NTDS.dit into folder
|
||||
Usecase: Dumping of Active Directory NTDS.dit database
|
||||
Category: Dump
|
||||
Privileges: Administrator
|
||||
MitreID: T1003
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1003
|
||||
OperatingSystem: Windows
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\ntdsutil.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: ntdsutil.exe with command line including "ifm"
|
||||
Resources:
|
||||
- Link: https://adsecurity.org/?p=2398#CreateIFM
|
||||
Acknowledgement:
|
||||
- Person: Sean Metcalf
|
||||
Handle: '@PyroTek3'
|
||||
---
|
Loading…
Reference in New Issue
Block a user