public-mirrors/LOLBAS
1
0
Fork 0
mirror of https://github.com/LOLBAS-Project/LOLBAS synced 2025-07-25 19:53:08 +02:00
Code Issues Projects Releases Wiki Activity

Addressing @bohops's feedback

Browse Source
This commit is contained in:
Wietze
2022-05-05 11:12:22 +01:00
parent 085aaa37b1
commit b92ee99627
11 changed files with 25 additions and 45 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
yml/OSScripts/Syncappvpublishingserver.yml
View File

@@ -10,7 +10,7 @@ Commands:
Category: Execute
Privileges: User
MitreID: T1216
OperatingSystem: Windows 10
OperatingSystem: Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\System32\SyncAppvPublishingServer.vbs
Code_Sample:

6
yml/OSScripts/Winrm.yml
View File

@@ -19,11 +19,11 @@ Commands:
MitreID: T1216
OperatingSystem: Windows 10, Windows 11
- Command: '%SystemDrive%\BypassDir\cscript //nologo %windir%\System32\winrm.vbs get wmicimv2/Win32_Process?Handle=4 -format:pretty'
Description: Bypass AWL solutions by copying and executing cscript.exe and malicious XSL documents from attacker controlled location
Usecase: Execute aribtrary, unsigned code via XSL script
Description: Bypass AWL solutions by copying cscript.exe to an attacker-controlled location; creating a malicious WsmPty.xsl in the same location, and executing winrm.vbs via the relocated cscript.exe.
Usecase: Execute arbitrary, unsigned code via XSL script
Category: AWL Bypass
Privileges: User
MitreID: T1216
MitreID: T1220
OperatingSystem: Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\System32\winrm.vbs