Adding Execute tags to most LOLBas (#405)

This commit is contained in:
hegusung
2024-12-29 18:31:01 +01:00
committed by GitHub
parent baaa5bbc73
commit b9a6cd6a87
129 changed files with 520 additions and 59 deletions

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: INF
- Command: rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,,1,
Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (DefaultInstall section implied).
Usecase: Run local or remote script(let) code through INF file specification.
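Review bot: the new "- Execute: INF" item added under "Tags:" in this hunk (and the EXE, CMD, HTA, URL, ClickOnce and Remote values in the hunks that follow) arrives without any hunk on this page touching a schema, validator or README that enumerates the allowed Execute values. If the repository validates entries against a schema, add the Execute key and its value set there in the same change and document what each value means (for example whether it names the file handed to the binary, as INF does here, or the payload that ultimately runs); otherwise later contributors have no reference for which value to pick.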
@@ -19,7 +21,7 @@ Commands:
MitreID: T1218.011
OperatingSystem: Windows 10, Windows 11
Tags:
- Input: INF
- Execute: INF
- Command: rundll32.exe advpack.dll,RegisterOCX test.dll
Description: Launch a DLL payload by calling the RegisterOCX function.
Usecase: Load a DLL payload.
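Review bot: this hunk replaces "- Input: INF" with "- Execute: INF" instead of adding the Execute tag next to it, so the entry loses its input-type annotation even though the commit message describes adding tags; the matching ieadvpack.dll hunk further down adds "- Execute: INF" without removing anything. Unless Input tags are being retired repository-wide (in which case say so in the commit message), keep both "- Input: INF" and "- Execute: INF" under "Tags:" for this entry.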
@@ -36,6 +38,8 @@ Commands:
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: EXE
- Command: rundll32 advpack.dll, RegisterOCX "cmd.exe /c calc.exe"
Description: Launch command line by calling the RegisterOCX function.
Usecase: Run an executable payload.
@@ -43,6 +47,8 @@ Commands:
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: CMD
Full_Path:
- Path: c:\windows\system32\advpack.dll
- Path: c:\windows\syswow64\advpack.dll

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: EXE
- Command: rundll32.exe desk.cpl,InstallScreenSaver \\127.0.0.1\c$\temp\file.scr
Description: Launch a remote executable with a .scr extension, located on an SMB share, by calling the InstallScreenSaver function.
Usecase: Launch any executable payload, as long as it uses the .scr extension.
@@ -18,6 +20,9 @@ Commands:
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: EXE
- Execute: Remote
Full_Path:
- Path: C:\Windows\System32\desk.cpl
- Path: C:\Windows\SysWOW64\desk.cpl
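Review bot: the second item in this hunk, "- Execute: Remote", uses the Execute key to record where the payload lives (the \\127.0.0.1\c$ SMB path in the InstallScreenSaver command this Tags block belongs to), while every other Execute value in this commit (EXE, INF, CMD, HTA, URL, ClickOnce) names the kind of payload that runs; the Dfsvc.exe hunk below does the same with ClickOnce plus Remote. Consider a separate key for the location attribute so that anything filtering on Execute does not have to special-case Remote.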

View File

@@ -11,6 +11,9 @@ Commands:
Privileges: User
MitreID: T1127
OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: ClickOnce
- Execute: Remote
Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Dfsvc.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: INF
- Command: rundll32.exe ieadvpack.dll,LaunchINFSection c:\test.inf,,1,
Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (DefaultInstall section implied).
Usecase: Run local or remote script(let) code through INF file specification.
@@ -18,6 +20,8 @@ Commands:
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: INF
- Command: rundll32.exe ieadvpack.dll,RegisterOCX test.dll
Description: Launch a DLL payload by calling the RegisterOCX function.
Usecase: Load a DLL payload.
@@ -34,6 +38,8 @@ Commands:
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: EXE
- Command: rundll32 ieadvpack.dll, RegisterOCX "cmd.exe /c calc.exe"
Description: Launch command line by calling the RegisterOCX function.
Usecase: Run an executable payload.
@@ -41,6 +47,8 @@ Commands:
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: CMD
Full_Path:
- Path: c:\windows\system32\ieadvpack.dll
- Path: c:\windows\syswow64\ieadvpack.dll

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: URL
Full_Path:
- Path: c:\windows\system32\ieframe.dll
- Path: c:\windows\syswow64\ieframe.dll

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: HTA
Full_Path:
- Path: c:\windows\system32\mshtml.dll
- Path: c:\windows\syswow64\mshtml.dll

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: EXE
Full_Path:
- Path: c:\windows\system32\pcwutl.dll
- Path: c:\windows\syswow64\pcwutl.dll

View File

@@ -12,7 +12,7 @@ Commands:
MitreID: T1218.011
OperatingSystem: Windows 10, Windows 11
Tags:
- Input: INF
- Execute: INF
- Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Tools\calc_exe.inf
Description: Launch an executable file via the InstallHinfSection function and .inf file section directive.
Usecase: Load an executable payload.
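Review bot: as in advpack.dll, both hunks in this file (and both in syssetup.dll below) swap "- Input: INF" for "- Execute: INF" rather than adding the Execute tag alongside it, so the Input annotation is dropped while the rest of the commit only adds lines. Either keep both tags on these entries or state explicitly in the commit message that Input: INF is being replaced by Execute: INF, so the two behaviours in one change are intentional rather than an inconsistency.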
@@ -21,7 +21,7 @@ Commands:
MitreID: T1218.011
OperatingSystem: Windows
Tags:
- Input: INF
- Execute: INF
Full_Path:
- Path: c:\windows\system32\setupapi.dll
- Path: c:\windows\syswow64\setupapi.dll

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: URL
Full_Path:
- Path: c:\windows\system32\shdocvw.dll
- Path: c:\windows\syswow64\shdocvw.dll

View File

@@ -20,6 +20,8 @@ Commands:
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: EXE
- Command: rundll32 SHELL32.DLL,ShellExec_RunDLL "cmd.exe" "/c echo hi"
Description: Launch command line by calling the ShellExec_RunDLL function.
Usecase: Run an executable payload.
@@ -27,6 +29,8 @@ Commands:
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: CMD
Full_Path:
- Path: c:\windows\system32\shell32.dll
- Path: c:\windows\syswow64\shell32.dll

View File

@@ -12,7 +12,7 @@ Commands:
MitreID: T1218.011
OperatingSystem: Windows 10, Windows 11
Tags:
- Input: INF
- Execute: INF
- Command: rundll32 syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\temp\something.inf
Description: Launch an executable file via the SetupInfObjectInstallAction function and .inf file section directive.
Usecase: Load an executable payload.
@@ -21,7 +21,7 @@ Commands:
MitreID: T1218.011
OperatingSystem: Windows 10, Windows 11
Tags:
- Input: INF
- Execute: INF
Full_Path:
- Path: c:\windows\system32\syssetup.dll
- Path: c:\windows\syswow64\syssetup.dll

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: HTA
- Command: rundll32.exe url.dll,OpenURL "C:\test\calc.url"
Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL.
Usecase: Load an executable payload by calling a .url file with or without quotes.
@@ -18,6 +20,8 @@ Commands:
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: URL
- Command: rundll32.exe url.dll,OpenURL file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e
Description: Launch an executable by calling OpenURL.
Usecase: Load an executable payload by specifying the file protocol handler (obfuscated).
@@ -25,6 +29,8 @@ Commands:
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: EXE
- Command: rundll32.exe url.dll,FileProtocolHandler calc.exe
Description: Launch an executable by calling FileProtocolHandler.
Usecase: Launch an executable.
@@ -32,6 +38,8 @@ Commands:
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: EXE
- Command: rundll32.exe url.dll,FileProtocolHandler file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e
Description: Launch an executable by calling FileProtocolHandler.
Usecase: Load an executable payload by specifying the file protocol handler (obfuscated).
@@ -39,6 +47,8 @@ Commands:
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: EXE
- Command: rundll32.exe url.dll,FileProtocolHandler file:///C:/test/test.hta
Description: Launch a HTML application payload by calling FileProtocolHandler.
Usecase: Invoke an HTML Application via mshta.exe (Default Handler).
@@ -46,6 +56,8 @@ Commands:
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: HTA
Full_Path:
- Path: c:\windows\system32\url.dll
- Path: c:\windows\syswow64\url.dll

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: EXE
- Command: rundll32.exe zipfldr.dll,RouteTheCall file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e
Description: Launch an executable payload by calling RouteTheCall (obfuscated).
Usecase: Launch an executable.
@@ -18,6 +20,8 @@ Commands:
Privileges: User
MitreID: T1218.011
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: EXE
Full_Path:
- Path: c:\windows\system32\zipfldr.dll
- Path: c:\windows\syswow64\zipfldr.dll