Merge pull request #15 from leesoh/master

Update README, add CONTRIBUTING
Oddvar Moe 2018-10-04 21:09:55 +02:00 committed by GitHub
commit 92a20a2d6f
3 changed files with 51 additions and 132 deletions

CONTRIBUTING.md (new file, 7 changed lines)

@ -0,0 +1,7 @@
# Contributing
First, thank you for contributing!
When submitting new LOLs, please submit a `yml` sourcefile (`yml/`) as these are used to generate everything else. Next, review `README.md` and ensure that your LOL meets the criteria--interesting or unexpected functionality that would be useful to an attacker.
There's nothing special about the format. Just base your entry off an existing one and modify as required. Please ensure that you do not add or remove any of the fields; all are required.
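Review bot: The requirement that contributors "do not add or remove any of the fields; all are required" cannot be checked from this file, because the required keys are never listed and the only guidance is to copy an existing `yml` entry. Either enumerate the required keys here or point at one canonical template, and state how the Markdown lists are regenerated from `yml/` so a contributor can validate an entry locally; the README roadmap in this same PR still shows "Management scripts" and "Tests for PRs to ensure fields are valid" unticked, so nothing automated enforces this rule yet.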


@ -1,36 +0,0 @@
Use this a Template for new binaries and scripts.
If you think it is hard to make a pull request using github, don't hasitate
to send me a tweet and I will add the contribution for you.
## Binary.exe
* Functions: Execute, Download, Copy, Read ADS, Write ADS, UACBypass, Search, Compile, Credentials, Surveillance
```
Example
```
Acknowledgements:
* Name of guy - @twitterhandle
Code sample:
* [NameOfLink](Payload/NameOfPayload)
Resources:
* https://linktosomethingusefull.com
Full path:
```
c:\windows\system32\binary.exe
c:\windows\sysWOW64\binary.exe
```
Notes:
Some specific details about the binary file.
Detection:
Details about detection.
IOC, Behaviour , User Agents etc
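Review bot: Deleting this template removes the only place in the repo that spelled out the `Detection:` block (IOC, behaviour, user agents) and the `Full path:` block listing both the `system32` and `sysWOW64` locations, and the new CONTRIBUTING.md only says to base a new entry on an existing `yml` file. CONTRIBUTING.md should confirm that those defender-facing fields exist in the `yml` schema and are among the required ones, otherwise new entries will arrive without detection guidance. The dropped "send me a tweet" fallback was also the only stated channel for people who cannot open a pull request; name a replacement (an issue, a maintainer handle) in CONTRIBUTING.md.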

README.md (128 changed lines)

@ -2,118 +2,66 @@
<img src="https://github.com/api0cradle/LOLBAS/raw/master/Logo/LOLBAS.png" height="250"> <img src="https://github.com/api0cradle/LOLBAS/raw/master/Logo/LOLBAS.png" height="250">
There are currently three different lists:
There are currently three different lists.
* [LOLBins](LOLBins.md) * [LOLBins](LOLBins.md)
* [LOLLibs](LOLLibs.md) * [LOLLibs](LOLLibs.md)
* [LOLScripts](LOLScripts.md) * [LOLScripts](LOLScripts.md)
The above files can be found behind a fancy frontend here: https://lolbas-project.github.io (thanks @ConsciousHacker for this bit of eyecandy and the team over at https://gtfobins.github.io/).
## Goal ## Goal
The goal of the LOLBAS project are to document every binary, script and library that can be used for Living Off The Land techniques.
Primarily files that offer "extra" functionality.
The goal of the LOLBAS project is to document every binary, script, and library that can be used for Living Off The Land techniques.
## Definition ## Criteria
* Must be a Microsoft signed file. (Native to the OS or downloaded from Microsoft site) A LOLBin/Lib/Script must:
* Only extra "unexpected" functionality is interesting (Not interesting to document what it was intended for)
* Exceptions are Application Whitelisting bypasses * Be a Microsoft-signed file, either native to the OS or downloaded from Microsoft.
* Primary focus is stuff that can be leveraged by APT or in Red Teaming * Have extra "unexpected" functionality. It is not interesting to document intended use cases.
* Exceptions are application whitelisting bypasses
* Have functionality that would be useful to an APT or red team
Interesting functionality can include:
* Functionality can include:
* Executing code * Executing code
* Arbitrary code execution * Arbitrary code execution
* Pass-through execution of other programs (unsigned), script (via a LOLBin) * Pass-through execution of other programs (unsigned) or scripts (via a LOLBin)
* Compile code * Compiling code
* File operations * File operations
* downloading * Downloading
* upload * Upload
* copy * Copy
* Persistence * Persistence
* pass-through persistence utilizing existing LOLBin * Pass-through persistence utilizing existing LOLBin
* persistence (Hide data in ADS, execute at logon etc) * Persistence (e.g. hide data in ADS, execute at logon)
* UAC bypass * UAC bypass
* Credentials * Credential theft
* Dumping process * Dumping process memory
* Surveillance (keylogger, network trace) * Surveillance (e.g. keylogger, network trace)
* Evade logging/remove log entry * Log evasion/modification
* DLL Side-Loading/Hijacking (Binary must maintain path integrity - e.g. Without copying a binary to another folder that the user controls) * DLL side-loading/hijacking without being relocated elsewhere in the filesystem.
## The History of the LOLBin
## YML The phrase "Living off the land" was coined by Christopher Campbell (@obscuresec) & Matt Graeber (@mattifestation) at [DerbyCon 3](https://www.youtube.com/watch?v=j-r6UonEkUw).
A yml version of every file is located under the yml folder.
This is the master for all things LOLBAS.
We generate the MD files from this and later it will also be the base for an upcoming webportal.
The term LOLBins came from a Twitter discussion on what to call binaries that can be used by an attacker to perform actions beyond their original purpose. Philip Goh (@MathCasualty) [proposed LOLBins](https://twitter.com/MathCasualty/status/969174982579273728). A highly scientific internet poll ensued, and after a general consensus (69%) was reached, the name was [made official](https://twitter.com/Oddvarmoe/status/985432848961343488). Jimmy (@bohops) [followed up with LOLScripts](https://twitter.com/bohops/status/984828803120881665). No poll was taken.
## STORY
"Living off the land" was coined by Christopher Campbell (@obscuresec) & Matt Graeber (@mattifestation)
One of the first "Living Off The Land" talks is this one:
https://www.youtube.com/watch?v=j-r6UonEkUw
The term LOLBins came from a twitter discussion on what to call these binaries that can be used by an attacker to perform other actions than what the binary was designed to do.
LOLBins was first proposed by Philip Goh (@MathCasualty) here:
https://twitter.com/MathCasualty/status/969174982579273728
The term LOLScripts came from Jimmy (@bohops):
https://twitter.com/bohops/status/984828803120881665
Common hashtags for these files are: Common hashtags for these files are:
#LOLBin * #LOLBin
#LOLBins * #LOLBins
#LOLScript * #LOLScript
#LOLScripts * #LOLScripts
#LOLLib * #LOLLib
#LOLLibs * #LOLLibs
A "highly scientific poll" was also conducted to agree (69% yes) on the name LOLBins. ## Thanks
https://twitter.com/Oddvarmoe/status/985432848961343488
The domain http://lolbins.com has been registered by an unknown individual and redirected it to this project. (Thank you) As with many open-source projects, this one is the product of a community and we would like to thank ours:
The domain http://lolbas-project.com has been registered by Jimmy (@bohops). (Thanks!)
The awesome logos in the logo folder was provided by Adam Nadrowski (@_sup_mane) - Thank you so much man!
Love this logo: * The domain http://lolbins.com has been registered by an unknown individual and redirected it to this project.
<img src="https://github.com/api0cradle/LOLBAS/raw/master/Logo/LOL1.png" height="250"> * The domain http://lolbas-project.com has been registered by Jimmy (@bohops).
* The logos for the project were created by Adam Nadrowski (@_sup_mane). We #@&!!@#! love them.
## Versions - Roadmap
All features are added to the issues in this repo.
### 1.0
- [x] Hosted https://github.com/api0cradle/LOLBAS/
- [x] Only MD files
### 2.0 -- Current
- [x] Moved from api0cradle and hosted here on this repo (https://github.com/LOLBAS-Project/LOLBAS)
- [x] Everything converted to YML files
- [x] MD files generated from YML files
- [x] Clearer definition of a LOLBin
- [ ] Management scripts
- [x] New template
### 2.1
- [ ] Migration to new template
- [ ] More categories - Part of the new template
- [ ] ATT&CK Mitre mapping
- [ ] Privileges required by binary
- [ ] Jekyll frontend
### 2.2
- [ ] LOLBIN GUID - Unique ID for each bin
- [ ]Sub-Categories
- [ ] Signed executing unsigned
- [ ] Signed executing signed
- [ ] Split commands into command, argument structure, and example. i.e. Command: cmstp.exe; ArgStructure: /ini /s <inf_file>; Example: cmstp.exe /ini /s c:\cmstp\CorpVPN.inf
### 2.3
- [ ] Tests for PRs to ensure fields are valid
- [ ]Provide the project in DB format (sqlite)
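Review bot: The roadmap items `- [ ]Sub-Categories` (2.2) and `- [ ]Provide the project in DB format (sqlite)` (2.3) lack the space after the checkbox, so GitHub will not render them as task-list items; change them to `- [ ] Sub-Categories` and `- [ ] Provide the project in DB format (sqlite)`. Also, the new intro line says the lists are already served from a frontend at https://lolbas-project.github.io, while the 2.1 roadmap still shows `- [ ] Jekyll frontend` unticked; tick it or reword the intro so the README does not contradict itself.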