Archiving off legacy LOLUtilz

Archive-Old-Version/LOLUtilz/OtherBinaries/AcroRd32.yml

@@ -0,0 +1,17 @@
+---
+Name: AcroRd32.exe
+Description: Execute
+Author: ''
+Created: 2018-05-25
+Commands:
+  - Command: Replace C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe by your binary
+    Description: Hijack RdrCEF.exe with a payload executable to launch when opening Adobe
+Full_Path:
+  - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\
+Code_Sample: []
+Detection: []
+Resources:
+  - https://twitter.com/pabraeken/status/997997818362155008
+Acknowledgement:
+  - Person: Pierre-Alexandre Braeken
+    Handle: '@pabraeken'

Archive-Old-Version/LOLUtilz/OtherBinaries/Gpup.yml

@@ -0,0 +1,17 @@
+---
+Name: Gpup.exe
+Description: Execute
+Author: ''
+Created: 2018-05-25
+Commands:
+  - Command: Gpup.exe -w whatever -e c:\Windows\System32\calc.exe
+    Description: Execute another command through gpup.exe (Notepad++ binary).
+Full_Path:
+  - 'C:\Program Files (x86)\Notepad++\updater\gpup.exe    '
+Code_Sample: []
+Detection: []
+Resources:
+  - https://twitter.com/pabraeken/status/997892519827558400
+Acknowledgement:
+  - Person: Pierre-Alexandre Braeken
+    Handle: '@pabraeken'

Archive-Old-Version/LOLUtilz/OtherBinaries/Nlnotes.yml

@@ -0,0 +1,18 @@
+---
+Name: Nlnotes.exe
+Description: Execute
+Author: ''
+Created: 2018-05-25
+Commands:
+  - Command: NLNOTES.EXE /authenticate "=N:\Lotus\Notes\Data\notes.ini" -Command if((Get-ExecutionPolicy ) -ne AllSigned) { Set-ExecutionPolicy -Scope Process Bypass }
+    Description: Run PowerShell via LotusNotes.
+Full_Path:
+  - C:\Program Files (x86)\IBM\Lotus\Notes\Notes.exe
+Code_Sample: []
+Detection: []
+Resources:
+  - https://gist.github.com/danielbohannon/50ec800e92a888b7d45486e5733c359f
+  - https://twitter.com/HanseSecure/status/995578436059127808
+Acknowledgement:
+  - Person: Daniel Bohannon
+    Handle: '@danielhbohannon'

Archive-Old-Version/LOLUtilz/OtherBinaries/Notes.yml

@@ -0,0 +1,18 @@
+---
+Name: Notes.exe
+Description: Execute
+Author: ''
+Created: 2018-05-25
+Commands:
+  - Command: Notes.exe "=N:\Lotus\Notes\Data\notes.ini" -Command if((Get-ExecutionPolicy) -ne AllSigned) { Set-ExecutionPolicy -Scope Process Bypass }
+    Description: Run PowerShell via LotusNotes.
+Full_Path:
+  - C:\Program Files (x86)\IBM\Lotus\Notes\notes.exe
+Code_Sample: []
+Detection: []
+Resources:
+  - https://gist.github.com/danielbohannon/50ec800e92a888b7d45486e5733c359f
+  - https://twitter.com/HanseSecure/status/995578436059127808
+Acknowledgement:
+  - Person: Daniel Bohannon
+    Handle: '@danielhbohannon'

Archive-Old-Version/LOLUtilz/OtherBinaries/Nvudisp.yml

@@ -0,0 +1,28 @@
+---
+Name: Nvudisp.exe
+Description: Execute, Copy, Add registry, Create shortcut, kill process
+Author: ''
+Created: 2018-05-25
+Commands:
+  - Command: Nvudisp.exe System calc.exe
+    Description: Execute calc.exe as a subprocess.
+  - Command: Nvudisp.exe Copy test.txt,test-2.txt
+    Description: Copy fila A to file B.
+  - Command: Nvudisp.exe SetReg HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\malware=malware.exe
+    Description: Add/Edit a Registry key value.
+  - Command: Nvudisp.exe CreateShortcut test.lnk,"Test","c:\windows\system32\calc.exe\","","c:\windows\system32\"
+    Description: Create shortcut file.
+  - Command: Nvudisp.exe KillApp calculator.exe
+    Description: Kill a process.
+  - Command: Nvudisp.exe Run foo
+    Description: Run process
+Full_Path:
+  - C:\windows\system32\nvuDisp.exe
+Code_Sample: []
+Detection: []
+Resources:
+  - http://sysadminconcombre.blogspot.ca/2018/04/run-system-commands-through-nvidia.html
+Acknowledgement:
+  - Person: Pierre-Alexandre Braeken
+    Handle: '@pabraeken'
+---

Archive-Old-Version/LOLUtilz/OtherBinaries/Nvuhda6.yml

@@ -0,0 +1,27 @@
+---
+Name: Nvuhda6.exe
+Description: Execute, Copy, Add registry, Create shortcut, kill process
+Author: ''
+Created: 2018-05-25
+Commands:
+  - Command: nvuhda6.exe System calc.exe
+    Description: Execute calc.exe as a subprocess.
+  - Command: nvuhda6.exe Copy test.txt,test-2.txt
+    Description: Copy fila A to file B.
+  - Command: nvuhda6.exe SetReg HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\malware=malware.exe
+    Description: Add/Edit a Registry key value
+  - Command: nvuhda6.exe CreateShortcut test.lnk,"Test","C:\Windows\System32\calc.exe","","C:\Windows\System32\"
+    Description: Create shortcut file.
+  - Command: nvuhda6.exe KillApp calc.exe
+    Description: Kill a process.
+  - Command: nvuhda6.exe Run foo
+    Description: Run process
+Full_Path:
+  - Missing
+Code_Sample: []
+Detection: []
+Resources:
+  - http://www.hexacorn.com/blog/2017/11/10/reusigned-binaries-living-off-the-signed-land/
+Acknowledgement:
+  - Person: Adam
+    Handle: '@hexacorn'

Archive-Old-Version/LOLUtilz/OtherBinaries/ROCCAT_Swarm.yml

@@ -0,0 +1,17 @@
+---
+Name: ROCCAT_Swarm.exe
+Description: Execute
+Author: ''
+Created: 2018-05-25
+Commands:
+  - Command: Replace ROCCAT_Swarm_Monitor.exe with your binary.exe
+    Description: Hijack ROCCAT_Swarm_Monitor.exe and launch payload when executing ROCCAT_Swarm.exe
+Full_Path:
+  - C:\Program Files (x86)\ROCCAT\ROCCAT Swarm\
+Code_Sample: []
+Detection: []
+Resources:
+  - https://twitter.com/pabraeken/status/994213164484001793
+Acknowledgement:
+  - Person: Pierre-Alexandre Braeken
+    Handle: '@pabraeken'

Archive-Old-Version/LOLUtilz/OtherBinaries/RunCmd_X64.yml

@@ -0,0 +1,27 @@
+---
+Name: RunCmd_X64.exe
+Description: A tool to execute a command file
+Author: Bart
+Created: 2019-03-17
+Commands:
+  - Command: RunCmd_X64 file.cmd /F
+    Description: Launch command file and hide the console window
+    Usecase: Run applications and scripts using Acer's RunCmd
+    Category: Execute
+    Privileges: User
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
+    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
+Full_Path:
+- Path: C:\OEM\Preload\utility
+Code_Sample: 
+- Code: 
+Detection: 
+- IOC: RunCmd_X64.exe spawned
+Resources:
+ - Link: https://bartblaze.blogspot.com/2019/03/run-applications-and-scripts-using.html
+ - Link: https://twitter.com/bartblaze/status/1107390776147881984
+Acknowledgement:
+  - Person: Bart
+    Handle: '@bartblaze'
+---

Archive-Old-Version/LOLUtilz/OtherBinaries/Setup.yml

@@ -0,0 +1,17 @@
+---
+Name: Setup.exe
+Description: Execute
+Author: ''
+Created: 2018-05-25
+Commands:
+  - Command: Run Setup.exe
+    Description: Hijack hpbcsiServiceMarshaller.exe and run Setup.exe to launch a payload.
+Full_Path:
+  - C:\LJ-Ent-700-color-MFP-M775-Full-Solution-15315
+Code_Sample: []
+Detection: []
+Resources:
+  - https://twitter.com/pabraeken/status/994381620588236800
+Acknowledgement:
+  - Person: Pierre-Alexandre Braeken
+    Handle: '@pabraeken'

Archive-Old-Version/LOLUtilz/OtherBinaries/Upload.yml

@@ -0,0 +1,19 @@
+---
+Name: Update.exe
+Description: Binary to update the existing installed Nuget/squirrel package. Part of Whatsapp installation.
+Author: 'Jesus Galvez'
+Created: '2020-11-01'
+Commands:
+  - Command: Update.exe --processStart payload.exe --process-start-args "whatever args"
+    Description: Copy your payload into "%localappdata%\Whatsapp\app-[version]\". Then run the command. Update.exe will execute the file you copied.
+    Usecase: Execute binary
+    Category: Execute
+    Privileges: User
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/techniques/T1218/
+    OperatingSystem: Windows 7 and up with Whatsapp installed
+Full_Path:
+  - Path: '%localappdata%\Whatsapp\Update.exe'
+Detection: 
+  - IOC: '"%localappdata%\Whatsapp\Update.exe" spawned an unknown process'
+---

Archive-Old-Version/LOLUtilz/OtherBinaries/Usbinst.yml

@@ -0,0 +1,17 @@
+---
+Name: Usbinst.exe
+Description: Execute
+Author: ''
+Created: 2018-05-25
+Commands:
+  - Command: Usbinst.exe InstallHinfSection "DefaultInstall 128 c:\temp\calc.inf"
+    Description: Execute calc.exe through DefaultInstall Section Directive in INF file.
+Full_Path:
+  - C:\Program Files (x86)\Citrix\ICA Client\Drivers64\Usbinst.exe
+Code_Sample: []
+Detection: []
+Resources:
+  - https://twitter.com/pabraeken/status/993514357807108096
+Acknowledgement:
+  - Person: Pierre-Alexandre Braeken
+    Handle: '@pabraeken'

Archive-Old-Version/LOLUtilz/OtherBinaries/VBoxDrvInst.yml

@@ -0,0 +1,17 @@
+---
+Name: VBoxDrvInst.exe
+Description: Persistence
+Author: ''
+Created: 2018-05-25
+Commands:
+  - Command: VBoxDrvInst.exe driver executeinf c:\temp\calc.inf
+    Description: Set registry key-value for persistance via INF file call through VBoxDrvInst.exe
+Full_Path:
+  - C:\Program Files\Oracle\VirtualBox Guest Additions
+Code_Sample: []
+Detection: []
+Resources:
+  - https://twitter.com/pabraeken/status/993497996179492864
+Acknowledgement:
+  - Person: Pierre-Alexandre Braeken
+    Handle: '@pabraeken'

Archive-Old-Version/LOLUtilz/OtherBinaries/aswrundll.yml

@@ -0,0 +1,20 @@
+Name: aswrundll.exe
+Description: This process is used by AVAST antivirus to run and execute any modules
+Author: Eli Salem
+Created: '2019-03-19'
+Commands:
+  - Command: '"C:\Program Files\Avast Software\Avast\aswrundll" "C:\Users\Public\Libraries\tempsys\module.dll"'
+    Description: Load and execute modules using aswrundll
+    Usecase: Execute malicious modules using aswrundll.exe
+    Category: Execute
+    Privileges: Any
+    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
+Full_Path:
+- Path: 'C:\Program Files\Avast Software\Avast\aswrundll'
+Code_Sample: 
+- Code: '["C:\Program Files\Avast Software\Avast\aswrundll" "C:\Users\Public\Libraries\tempsys\module.dll" "C:\Users\module.dll"]'
+Resources:
+ - Link: https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil-full-research
+Acknowledgement:
+  - Person: Eli Salem 
+    handle: 'https://www.linkedin.com/in/eli-salem-954728150'