Archiving off legacy LOLUtilz

2025-07-26 04:04:09 +02:00 · 2021-10-25 21:32:59 +01:00
parent 6df5ef310a
commit ca11578655
22 changed files with 0 additions and 0 deletions
--- a/Archive-Old-Version/LOLUtilz/OSBinaries/Explorer.yml
+++ b/Archive-Old-Version/LOLUtilz/OSBinaries/Explorer.yml
@@ -0,0 +1,19 @@
+---
+Name: Explorer.exe
+Description: Execute
+Author: ''
+Created: '2018-05-25'
+Categories: []
+Commands:
+  - Command: explorer.exe calc.exe
+    Description: 'Executes calc.exe as a subprocess of explorer.exe.'
+Full_Path:
+  - c:\windows\explorer.exe
+  - c:\windows\sysWOW64\explorer.exe
+Code_Sample: []
+Detection: []
+Resources:
+  - https://twitter.com/bohops/status/986984122563391488
+Acknowledgement:
+  - Person: Jimmy
+    Handle: '@bohops'
--- a/Archive-Old-Version/LOLUtilz/OSBinaries/Netsh.yml
+++ b/Archive-Old-Version/LOLUtilz/OSBinaries/Netsh.yml
@@ -0,0 +1,27 @@
+---
+Name: Netsh.exe
+Description: Execute, Surveillance
+Author: ''
+Created: '2018-05-25'
+Categories: []
+Commands:
+  - Command: |
+          netsh.exe trace start capture=yes filemode=append persistent=yes tracefile=\\server\share\file.etl IPv4.Address=!(<IPofRemoteFileShare>)
+          netsh.exe trace show status
+    Description: Capture network traffic on remote file share.
+  - Command: netsh.exe add helper C:\Path\file.dll
+    Description: Load (execute) NetSh.exe helper DLL file.
+  - Command: netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=8000 connectaddress=192.168.1.1
+    Description: Forward traffic from the listening address and proxy to a remote system.
+Full_Path:
+  - C:\Windows\System32
+  - C:\Windows\SysWOW64
+Code_Sample: []
+Detection: []
+Resources:
+  - https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Persistence/Netsh_Helper_DLL.md
+  - https://attack.mitre.org/wiki/Technique/T1128
+  - https://twitter.com/teemuluotio/status/990532938952527873
+Acknowledgement:
+  - Person: ''
+  - Handle: ''
--- a/Archive-Old-Version/LOLUtilz/OSBinaries/Nltest.yml
+++ b/Archive-Old-Version/LOLUtilz/OSBinaries/Nltest.yml
@@ -0,0 +1,18 @@
+---
+Name: Nltest.exe
+Description: Credentials
+Author: ''
+Created: 2018-05-25
+Commands:
+  - Command: nltest.exe /SERVER:192.168.1.10 /QUERY
+    Description: ''
+Full_Path:
+  - c:\windows\system32\nltest.exe
+Code_Sample: []
+Detection: []
+Resources:
+  - https://twitter.com/sysopfb/status/986799053668139009
+  - https://ss64.com/nt/nltest.html
+Acknowledgement:
+  - Person: Sysopfb
+    Handle: '@sysopfb'
--- a/Archive-Old-Version/LOLUtilz/OSBinaries/Openwith.yml
+++ b/Archive-Old-Version/LOLUtilz/OSBinaries/Openwith.yml
@@ -0,0 +1,20 @@
+---
+Name: Openwith.exe
+Description: Execute
+Author: ''
+Created: '2018-05-25'
+Commands:
+  - Command: OpenWith.exe /c C:\test.hta
+    Description: Opens the target file with the default application.
+  - Command: OpenWith.exe /c C:\testing.msi
+    Description: Opens the target file with the default application.
+Full_Path:
+  - c:\windows\system32\Openwith.exe
+  - c:\windows\sysWOW64\Openwith.exe
+Code_Sample: []
+Detection: []
+Resources:
+  - https://twitter.com/harr0ey/status/991670870384021504
+Acknowledgement:
+  - Person: Matt harr0ey
+    Handle: '@harr0ey'
--- a/Archive-Old-Version/LOLUtilz/OSBinaries/Powershell.yml
+++ b/Archive-Old-Version/LOLUtilz/OSBinaries/Powershell.yml
@@ -0,0 +1,18 @@
+---
+Name: Powershell.exe
+Description: Execute, Read ADS
+Author: ''
+Created: '2018-05-25'
+Commands:
+  - Command: powershell -ep bypass - < c:\temp:ttt
+    Description: Execute the encoded PowerShell command stored in an Alternate Data Stream (ADS).
+Full_Path:
+  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
+  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+Code_Sample: []
+Detection: []
+Resources:
+  - https://twitter.com/Moriarty_Meng/status/984380793383370752
+Acknowledgement:
+  - Person: Moriarty
+    Handle: '@Moriarty_Meng'
--- a/Archive-Old-Version/LOLUtilz/OSBinaries/Psr.yml
+++ b/Archive-Old-Version/LOLUtilz/OSBinaries/Psr.yml
@@ -0,0 +1,23 @@
+---
+Name: Psr.exe
+Description: Surveillance
+Author: ''
+Created: '2018-05-25'
+Categories: []
+Commands:
+  - Command: psr.exe /start /gui 0 /output c:\users\user\out.zip
+    Description: Capture screenshots of the desktop and save them in the target .ZIP file.
+  - Command: psr.exe /start /maxsc 100 /gui 0 /output c:\users\user\out.zip
+    Description: Capture a maximum of 100 screenshots of the desktop and save them in the target .ZIP file.
+  - Command: psr.exe /stop
+    Description: Stop the Problem Step Recorder.
+Full_Path:
+  - C:\Windows\System32\Psr.exe
+  - C:\Windows\SysWOW64\Psr.exe
+Code_Sample: []
+Detection: []
+Resources:
+  - https://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf
+Acknowledgement:
+  - Person: ''
+  - Handle: ''
--- a/Archive-Old-Version/LOLUtilz/OSBinaries/Robocopy.yml
+++ b/Archive-Old-Version/LOLUtilz/OSBinaries/Robocopy.yml
@@ -0,0 +1,21 @@
+---
+Name: Robocopy.exe
+Description: Copy
+Author: ''
+Created: 2018-05-25
+Categories: []
+Commands:
+  - Command: Robocopy.exe C:\SourceFolder C:\DestFolder
+    Description: Copy the entire contents of the SourceFolder to the DestFolder.
+  - Command: Robocopy.exe \\SERVER\SourceFolder C:\DestFolder
+    Description: Copy the entire contents of the SourceFolder to the DestFolder.
+Full_Path:
+  - c:\windows\system32\binary.exe
+  - c:\windows\sysWOW64\binary.exe
+Code_Sample: []
+Detection: []
+Resources:
+  - https://social.technet.microsoft.com/wiki/contents/articles/1073.robocopy-and-a-few-examples.aspx
+Acknowledgement:
+  - Person: ''
+  - Handle: ''