Major changes to Web portal - Small fixes to source files to adjust

2025-07-27 12:42:19 +02:00 · 2018-12-10 14:28:12 +01:00
parent 2b77add5b4
commit 94368c1e69
113 changed files with 233 additions and 232 deletions
--- a/yml/LOLUtilz/OSBinaries/Explorer.yml
+++ b/yml/LOLUtilz/OSBinaries/Explorer.yml
@@ -7,10 +7,10 @@ Categories: []
 Commands:
  - Command: explorer.exe calc.exe
    Description: 'Executes calc.exe as a subprocess of explorer.exe.'
-Full Path:
+Full_Path:
  - c:\windows\explorer.exe
  - c:\windows\sysWOW64\explorer.exe
-Code Sample: []
+Code_Sample: []
 Detection: []
 Resources:
  - https://twitter.com/bohops/status/986984122563391488
--- a/yml/LOLUtilz/OSBinaries/Netsh.yml
+++ b/yml/LOLUtilz/OSBinaries/Netsh.yml
@@ -13,10 +13,10 @@ Commands:
    Description: Load (execute) NetSh.exe helper DLL file.
  - Command: netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=8000 connectaddress=192.168.1.1
    Description: Forward traffic from the listening address and proxy to a remote system.
-Full Path:
+Full_Path:
  - C:\Windows\System32
  - C:\Windows\SysWOW64
-Code Sample: []
+Code_Sample: []
 Detection: []
 Resources:
  - https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Persistence/Netsh_Helper_DLL.md
--- a/yml/LOLUtilz/OSBinaries/Nltest.yml
+++ b/yml/LOLUtilz/OSBinaries/Nltest.yml
@@ -7,9 +7,9 @@ Categories: []
 Commands:
  - Command: nltest.exe /SERVER:192.168.1.10 /QUERY
    Description: ''
-Full Path:
+Full_Path:
  - c:\windows\system32\nltest.exe
-Code Sample: []
+Code_Sample: []
 Detection: []
 Resources:
  - https://twitter.com/sysopfb/status/986799053668139009
--- a/yml/LOLUtilz/OSBinaries/Openwith.yml
+++ b/yml/LOLUtilz/OSBinaries/Openwith.yml
@@ -9,10 +9,10 @@ Commands:
    Description: Opens the target file with the default application.
  - Command: OpenWith.exe /c C:\testing.msi
    Description: Opens the target file with the default application.
-Full Path:
+Full_Path:
  - c:\windows\system32\Openwith.exe
  - c:\windows\sysWOW64\Openwith.exe
-Code Sample: []
+Code_Sample: []
 Detection: []
 Resources:
  - https://twitter.com/harr0ey/status/991670870384021504
--- a/yml/LOLUtilz/OSBinaries/Powershell.yml
+++ b/yml/LOLUtilz/OSBinaries/Powershell.yml
@@ -7,10 +7,10 @@ Categories: []
 Commands:
  - Command: powershell -ep bypass - < c:\temp:ttt
    Description: Execute the encoded PowerShell command stored in an Alternate Data Stream (ADS).
-Full Path:
+Full_Path:
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
-Code Sample: []
+Code_Sample: []
 Detection: []
 Resources:
  - https://twitter.com/Moriarty_Meng/status/984380793383370752
--- a/yml/LOLUtilz/OSBinaries/Psr.yml
+++ b/yml/LOLUtilz/OSBinaries/Psr.yml
@@ -11,10 +11,10 @@ Commands:
    Description: Capture a maximum of 100 screenshots of the desktop and save them in the target .ZIP file.
  - Command: psr.exe /stop
    Description: Stop the Problem Step Recorder.
-Full Path:
+Full_Path:
  - C:\Windows\System32\Psr.exe
  - C:\Windows\SysWOW64\Psr.exe
-Code Sample: []
+Code_Sample: []
 Detection: []
 Resources:
  - https://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf
--- a/yml/LOLUtilz/OSBinaries/Robocopy.yml
+++ b/yml/LOLUtilz/OSBinaries/Robocopy.yml
@@ -9,10 +9,10 @@ Commands:
    Description: Copy the entire contents of the SourceFolder to the DestFolder.
  - Command: Robocopy.exe \\SERVER\SourceFolder C:\DestFolder
    Description: Copy the entire contents of the SourceFolder to the DestFolder.
-Full Path:
+Full_Path:
  - c:\windows\system32\binary.exe
  - c:\windows\sysWOW64\binary.exe
-Code Sample: []
+Code_Sample: []
 Detection: []
 Resources:
  - https://social.technet.microsoft.com/wiki/contents/articles/1073.robocopy-and-a-few-examples.aspx
--- a/yml/LOLUtilz/OtherBinaries/AcroRd32.yml
+++ b/yml/LOLUtilz/OtherBinaries/AcroRd32.yml
@@ -7,9 +7,9 @@ Categories: []
 Commands:
  - Command: Replace C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe by your binary
    Description: Hijack RdrCEF.exe with a payload executable to launch when opening Adobe
-Full Path:
+Full_Path:
  - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\
-Code Sample: []
+Code_Sample: []
 Detection: []
 Resources:
  - https://twitter.com/pabraeken/status/997997818362155008
--- a/yml/LOLUtilz/OtherBinaries/Gpup.yml
+++ b/yml/LOLUtilz/OtherBinaries/Gpup.yml
@@ -7,9 +7,9 @@ Categories: []
 Commands:
  - Command: Gpup.exe -w whatever -e c:\Windows\System32\calc.exe
    Description: Execute another command through gpup.exe (Notepad++ binary).
-Full Path:
+Full_Path:
  - 'C:\Program Files (x86)\Notepad++\updater\gpup.exe    '
-Code Sample: []
+Code_Sample: []
 Detection: []
 Resources:
  - https://twitter.com/pabraeken/status/997892519827558400
--- a/yml/LOLUtilz/OtherBinaries/Nlnotes.yml
+++ b/yml/LOLUtilz/OtherBinaries/Nlnotes.yml
@@ -7,9 +7,9 @@ Categories: []
 Commands:
  - Command: NLNOTES.EXE /authenticate "=N:\Lotus\Notes\Data\notes.ini" -Command if((Get-ExecutionPolicy ) -ne AllSigned) { Set-ExecutionPolicy -Scope Process Bypass }
    Description: Run PowerShell via LotusNotes.
-Full Path:
+Full_Path:
  - C:\Program Files (x86)\IBM\Lotus\Notes\Notes.exe
-Code Sample: []
+Code_Sample: []
 Detection: []
 Resources:
  - https://gist.github.com/danielbohannon/50ec800e92a888b7d45486e5733c359f
--- a/yml/LOLUtilz/OtherBinaries/Notes.yml
+++ b/yml/LOLUtilz/OtherBinaries/Notes.yml
@@ -7,9 +7,9 @@ Categories: []
 Commands:
  - Command: Notes.exe "=N:\Lotus\Notes\Data\notes.ini" -Command if((Get-ExecutionPolicy) -ne AllSigned) { Set-ExecutionPolicy -Scope Process Bypass }
    Description: Run PowerShell via LotusNotes.
-Full Path:
+Full_Path:
  - C:\Program Files (x86)\IBM\Lotus\Notes\notes.exe
-Code Sample: []
+Code_Sample: []
 Detection: []
 Resources:
  - https://gist.github.com/danielbohannon/50ec800e92a888b7d45486e5733c359f
--- a/yml/LOLUtilz/OtherBinaries/Nvudisp.yml
+++ b/yml/LOLUtilz/OtherBinaries/Nvudisp.yml
@@ -17,9 +17,9 @@ Commands:
    Description: Kill a process.
  - Command: Nvudisp.exe Run foo
    Description: Run process
-Full Path:
+Full_Path:
  - C:\windows\system32\nvuDisp.exe
-Code Sample: []
+Code_Sample: []
 Detection: []
 Resources:
  - http://sysadminconcombre.blogspot.ca/2018/04/run-system-commands-through-nvidia.html
--- a/yml/LOLUtilz/OtherBinaries/Nvuhda6.yml
+++ b/yml/LOLUtilz/OtherBinaries/Nvuhda6.yml
@@ -17,9 +17,9 @@ Commands:
    Description: Kill a process.
  - Command: nvuhda6.exe Run foo
    Description: Run process
-Full Path:
+Full_Path:
  - Missing
-Code Sample: []
+Code_Sample: []
 Detection: []
 Resources:
  - http://www.hexacorn.com/blog/2017/11/10/reusigned-binaries-living-off-the-signed-land/
--- a/yml/LOLUtilz/OtherBinaries/ROCCAT_Swarm.yml
+++ b/yml/LOLUtilz/OtherBinaries/ROCCAT_Swarm.yml
@@ -7,9 +7,9 @@ Categories: []
 Commands:
  - Command: Replace ROCCAT_Swarm_Monitor.exe with your binary.exe
    Description: Hijack ROCCAT_Swarm_Monitor.exe and launch payload when executing ROCCAT_Swarm.exe
-Full Path:
+Full_Path:
  - C:\Program Files (x86)\ROCCAT\ROCCAT Swarm\
-Code Sample: []
+Code_Sample: []
 Detection: []
 Resources:
  - https://twitter.com/pabraeken/status/994213164484001793
--- a/yml/LOLUtilz/OtherBinaries/Setup.yml
+++ b/yml/LOLUtilz/OtherBinaries/Setup.yml
@@ -7,9 +7,9 @@ Categories: []
 Commands:
  - Command: Run Setup.exe
    Description: Hijack hpbcsiServiceMarshaller.exe and run Setup.exe to launch a payload.
-Full Path:
+Full_Path:
  - C:\LJ-Ent-700-color-MFP-M775-Full-Solution-15315
-Code Sample: []
+Code_Sample: []
 Detection: []
 Resources:
  - https://twitter.com/pabraeken/status/994381620588236800
--- a/yml/LOLUtilz/OtherBinaries/Usbinst.yml
+++ b/yml/LOLUtilz/OtherBinaries/Usbinst.yml
@@ -7,9 +7,9 @@ Categories: []
 Commands:
  - Command: Usbinst.exe InstallHinfSection "DefaultInstall 128 c:\temp\calc.inf"
    Description: Execute calc.exe through DefaultInstall Section Directive in INF file.
-Full Path:
+Full_Path:
  - C:\Program Files (x86)\Citrix\ICA Client\Drivers64\Usbinst.exe
-Code Sample: []
+Code_Sample: []
 Detection: []
 Resources:
  - https://twitter.com/pabraeken/status/993514357807108096
--- a/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml
+++ b/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml
@@ -7,9 +7,9 @@ Categories: []
 Commands:
  - Command: VBoxDrvInst.exe driver executeinf c:\temp\calc.inf
    Description: Set registry key-value for persistance via INF file call through VBoxDrvInst.exe
-Full Path:
+Full_Path:
  - C:\Program Files\Oracle\VirtualBox Guest Additions
-Code Sample: []
+Code_Sample: []
 Detection: []
 Resources:
  - https://twitter.com/pabraeken/status/993497996179492864
--- a/yml/LOLUtilz/OtherMSBinaries/Winword.yml
+++ b/yml/LOLUtilz/OtherMSBinaries/Winword.yml
@@ -12,9 +12,9 @@ Commands:
    MitreID: T1218
    MItreLink: https://attack.mitre.org/wiki/Technique/T1218
    OperatingSystem: Windows
-Full Path:
+Full_Path:
  - Path: c:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
-Code Sample:
+Code_Sample:
  - Code:
 Detection:
  - IOC:
--- a/yml/LOLUtilz/OtherScripts/Testxlst.yml
+++ b/yml/LOLUtilz/OtherScripts/Testxlst.yml
@@ -18,9 +18,9 @@ Commands:
    MitreID: T1064
    MitreLink: https://attack.mitre.org/wiki/Technique/T1064
    OperatingSystem: Windows
-Full Path:
+Full_Path:
  - c:\python27amd64\Lib\site-packages\win32com\test\testxslt.js (Visual Studio Installation)
-Code Sample: []
+Code_Sample: []
 Detection: []
 Resources:
  - https://twitter.com/bohops/status/993314069116485632