mirror of
https://github.com/LOLBAS-Project/LOLBAS
synced 2025-08-02 15:43:57 +02:00
Merge branch 'master' into feat/yamllinting
This commit is contained in:
Oddvar Moe
GitHub
@@ -2,8 +2,7 @@
|
||||
Name: AcroRd32.exe
|
||||
Description: Execute
|
||||
Author: ''
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: Replace C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe by your binary
|
||||
Description: Hijack RdrCEF.exe with a payload executable to launch when opening Adobe
|
||||
@@ -13,4 +12,6 @@ Code_Sample: []
|
||||
Detection: []
|
||||
Resources:
|
||||
- https://twitter.com/pabraeken/status/997997818362155008
|
||||
Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
|
||||
Acknowledgement:
|
||||
- Person: Pierre-Alexandre Braeken
|
||||
Handle: '@pabraeken'
|
||||
|
||||
@@ -2,8 +2,7 @@
|
||||
Name: Gpup.exe
|
||||
Description: Execute
|
||||
Author: ''
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: Gpup.exe -w whatever -e c:\Windows\System32\calc.exe
|
||||
Description: Execute another command through gpup.exe (Notepad++ binary).
|
||||
@@ -13,4 +12,6 @@ Code_Sample: []
|
||||
Detection: []
|
||||
Resources:
|
||||
- https://twitter.com/pabraeken/status/997892519827558400
|
||||
Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
|
||||
Acknowledgement:
|
||||
- Person: Pierre-Alexandre Braeken
|
||||
Handle: '@pabraeken'
|
||||
|
||||
@@ -2,8 +2,7 @@
|
||||
Name: Nlnotes.exe
|
||||
Description: Execute
|
||||
Author: ''
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: NLNOTES.EXE /authenticate "=N:\Lotus\Notes\Data\notes.ini" -Command if((Get-ExecutionPolicy ) -ne AllSigned) { Set-ExecutionPolicy -Scope Process Bypass }
|
||||
Description: Run PowerShell via LotusNotes.
|
||||
@@ -14,4 +13,6 @@ Detection: []
|
||||
Resources:
|
||||
- https://gist.github.com/danielbohannon/50ec800e92a888b7d45486e5733c359f
|
||||
- https://twitter.com/HanseSecure/status/995578436059127808
|
||||
Notes: Thanks to Daniel Bohannon - @danielhbohannon
|
||||
Acknowledgement:
|
||||
- Person: Daniel Bohannon
|
||||
Handle: '@danielhbohannon'
|
||||
|
||||
@@ -2,8 +2,7 @@
|
||||
Name: Notes.exe
|
||||
Description: Execute
|
||||
Author: ''
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: Notes.exe "=N:\Lotus\Notes\Data\notes.ini" -Command if((Get-ExecutionPolicy) -ne AllSigned) { Set-ExecutionPolicy -Scope Process Bypass }
|
||||
Description: Run PowerShell via LotusNotes.
|
||||
@@ -14,4 +13,6 @@ Detection: []
|
||||
Resources:
|
||||
- https://gist.github.com/danielbohannon/50ec800e92a888b7d45486e5733c359f
|
||||
- https://twitter.com/HanseSecure/status/995578436059127808
|
||||
Notes: Thanks to Daniel Bohannon - @danielhbohannon
|
||||
Acknowledgement:
|
||||
- Person: Daniel Bohannon
|
||||
Handle: '@danielhbohannon'
|
||||
|
||||
@@ -2,8 +2,7 @@
|
||||
Name: Nvudisp.exe
|
||||
Description: Execute, Copy, Add registry, Create shortcut, kill process
|
||||
Author: ''
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: Nvudisp.exe System calc.exe
|
||||
Description: Execute calc.exe as a subprocess.
|
||||
@@ -23,4 +22,7 @@ Code_Sample: []
|
||||
Detection: []
|
||||
Resources:
|
||||
- http://sysadminconcombre.blogspot.ca/2018/04/run-system-commands-through-nvidia.html
|
||||
Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
|
||||
Acknowledgement:
|
||||
- Person: Pierre-Alexandre Braeken
|
||||
Handle: '@pabraeken'
|
||||
|
||||
|
||||
@@ -2,8 +2,7 @@
|
||||
Name: Nvuhda6.exe
|
||||
Description: Execute, Copy, Add registry, Create shortcut, kill process
|
||||
Author: ''
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: nvuhda6.exe System calc.exe
|
||||
Description: Execute calc.exe as a subprocess.
|
||||
@@ -23,4 +22,6 @@ Code_Sample: []
|
||||
Detection: []
|
||||
Resources:
|
||||
- http://www.hexacorn.com/blog/2017/11/10/reusigned-binaries-living-off-the-signed-land/
|
||||
Notes: Thanks to Adam - @hexacorn
|
||||
Acknowledgement:
|
||||
- Person: Adam
|
||||
Handle: '@hexacorn'
|
||||
|
||||
@@ -2,8 +2,7 @@
|
||||
Name: ROCCAT_Swarm.exe
|
||||
Description: Execute
|
||||
Author: ''
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: Replace ROCCAT_Swarm_Monitor.exe with your binary.exe
|
||||
Description: Hijack ROCCAT_Swarm_Monitor.exe and launch payload when executing ROCCAT_Swarm.exe
|
||||
@@ -13,4 +12,6 @@ Code_Sample: []
|
||||
Detection: []
|
||||
Resources:
|
||||
- https://twitter.com/pabraeken/status/994213164484001793
|
||||
Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
|
||||
Acknowledgement:
|
||||
- Person: Pierre-Alexandre Braeken
|
||||
Handle: '@pabraeken'
|
||||
|
||||
@@ -2,8 +2,7 @@
|
||||
Name: Setup.exe
|
||||
Description: Execute
|
||||
Author: ''
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: Run Setup.exe
|
||||
Description: Hijack hpbcsiServiceMarshaller.exe and run Setup.exe to launch a payload.
|
||||
@@ -13,4 +12,6 @@ Code_Sample: []
|
||||
Detection: []
|
||||
Resources:
|
||||
- https://twitter.com/pabraeken/status/994381620588236800
|
||||
Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
|
||||
Acknowledgement:
|
||||
- Person: Pierre-Alexandre Braeken
|
||||
Handle: '@pabraeken'
|
||||
|
||||
@@ -2,8 +2,7 @@
|
||||
Name: Usbinst.exe
|
||||
Description: Execute
|
||||
Author: ''
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: Usbinst.exe InstallHinfSection "DefaultInstall 128 c:\temp\calc.inf"
|
||||
Description: Execute calc.exe through DefaultInstall Section Directive in INF file.
|
||||
@@ -13,4 +12,6 @@ Code_Sample: []
|
||||
Detection: []
|
||||
Resources:
|
||||
- https://twitter.com/pabraeken/status/993514357807108096
|
||||
Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
|
||||
Acknowledgement:
|
||||
- Person: Pierre-Alexandre Braeken
|
||||
Handle: '@pabraeken'
|
||||
|
||||
@@ -2,8 +2,7 @@
|
||||
Name: VBoxDrvInst.exe
|
||||
Description: Persistence
|
||||
Author: ''
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: VBoxDrvInst.exe driver executeinf c:\temp\calc.inf
|
||||
Description: Set registry key-value for persistance via INF file call through VBoxDrvInst.exe
|
||||
@@ -13,4 +12,6 @@ Code_Sample: []
|
||||
Detection: []
|
||||
Resources:
|
||||
- https://twitter.com/pabraeken/status/993497996179492864
|
||||
Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
|
||||
Acknowledgement:
|
||||
- Person: Pierre-Alexandre Braeken
|
||||
Handle: '@pabraeken'
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
Name: aswrundll.exe
|
||||
Description: This process is used by AVAST antivirus to run and execute any modules
|
||||
Author: Eli Salem
|
||||
Created: 19\03\2019
|
||||
Created: '2019-03-19'
|
||||
Commands:
|
||||
- Command: '"C:\Program Files\Avast Software\Avast\aswrundll" "C:\Users\Public\Libraries\tempsys\module.dll"'
|
||||
Description: Load and execute modules using aswrundll
|
||||
@@ -17,4 +17,4 @@ Resources:
|
||||
- Link: https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil-full-research
|
||||
Acknowledgement:
|
||||
- Person: Eli Salem
|
||||
handle: https://www.linkedin.com/in/eli-salem-954728150
|
||||
handle: 'https://www.linkedin.com/in/eli-salem-954728150'
|
||||
Reference in New Issue
Block a user