Adding app-ctrl bypass bins and a few lolscripts

2025-07-26 20:22:24 +02:00 · 2021-09-26 23:31:30 -04:00
parent c48a5ea1ea
commit b5357cdec0
8 changed files with 229 additions and 0 deletions
--- a/yml/OSBinaries/Aspnet_Compiler.yml
+++ b/yml/OSBinaries/Aspnet_Compiler.yml
@@ -0,0 +1,28 @@
+---
+Name: Aspnet_Compiler.exe
+Description: ASP.NET Compilation Tool 
+Author: Jimmy (@bohops)
+Created: 2021-09-26
+Commands:
+  - Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe -v none -p C:\users\cpl.internal\desktop\asptest\ -f C:\users\cpl.internal\desktop\asptest\none -u
+    Description: Execute C# code with the Build Provider and proper folder structure in place.
+    Usecase: Execute proxied payload with Microsoft signed binary to bypass application control solutions
+    Category: AWL Bypass
+    Privileges: User
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/techniques/T1218/
+    OperatingSystem: Windows 10
+Full_Path:
+  - Path: c:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
+  - Path: c:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
+Code_Sample: 
+  - Code: https://github.com/ThunderGunExpress/BringYourOwnBuilder
+Detection: 
+  - IOC: Sysmon Event ID 1 - Process Creation
+Resources:
+  - Link: https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/
+  - Link: https://docs.microsoft.com/en-us/dotnet/api/system.web.compilation.buildprovider.generatecode?view=netframework-4.8
+Acknowledgement:
+  - Person: cpl
+    Handle: '@cpl3h'
+---
--- a/yml/OSBinaries/Msbuild.yml
+++ b/yml/OSBinaries/Msbuild.yml
@@ -20,6 +20,14 @@ Commands:
    MitreID: T1127
    MitreLink: https://attack.mitre.org/wiki/Technique/T1127
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
+  - Command: msbuild.exe project.proj
+    Description: Execute jscript/vbscript code through XML/XSL Transformation. Requires Visual Studio MSBuild v14.0+.
+    Usecase: Execute project file that contains XslTransformation tag parameters
+    Category: Execute
+    Privileges: User
+    MitreID: T1127
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1127
+    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10    
 Full_Path:
  - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Msbuild.exe
  - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Msbuild.exe
@@ -27,6 +35,7 @@ Full_Path:
  - Path: C:\Windows\Microsoft.NET\Framework64\v3.5\Msbuild.exe
  - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe
  - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Msbuild.exe
+  - Path: C:\Program Files (x86)\MSBuild\14.0\bin\MSBuild.exe
 Code_Sample: 
 - Code:
 Detection:
@@ -36,9 +45,12 @@ Resources:
  - Link: https://github.com/Cn33liz/MSBuildShell
  - Link: https://pentestlab.blog/2017/05/29/applocker-bypass-msbuild/
  - Link: https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
+  - Link: https://gist.github.com/bohops/4ffc43a281e87d108875f07614324191
 Acknowledgement:
  - Person: Casey Smith
    Handle: '@subtee'
  - Person: Cn33liz
    Handle: '@Cneelis'
+  - Person: Jimmy
+    Handle: '@bohops'
 ---