From cd16f0aff3c14d982b26a7e49b1f132c2cc8f750 Mon Sep 17 00:00:00 2001 From: bohops Date: Sat, 25 Feb 2023 13:47:44 -0500 Subject: [PATCH] Add vsls-agent lolbin and committing a few other changes (#263) Co-authored-by: Wietze --- NOTICE.md | 2 +- README.md | 1 + .../GfxDownloadWrapper.yml | 0 yml/OSBinaries/Conhost.yml | 9 ++++++++ yml/OSBinaries/Eventvwr.yml | 4 ++-- yml/OtherMSBinaries/vsls-agent.yml | 22 +++++++++++++++++++ 6 files changed, 35 insertions(+), 3 deletions(-) rename yml/{OSBinaries => HonorableMentions}/GfxDownloadWrapper.yml (100%) create mode 100644 yml/OtherMSBinaries/vsls-agent.yml diff --git a/NOTICE.md b/NOTICE.md index 146540e..d9e446d 100644 --- a/NOTICE.md +++ b/NOTICE.md @@ -14,7 +14,7 @@ * Submitter: An individual, group, organization, or entity that contributes to the LOLBAS project through project maintenance, issue submission, Pull Request (PR) submission, etc. * Consumer: An individual, group, organization, or entity that uses ("consumes") the LOLBAS project resources through the web portal or repository interfaces and capabilities. -* OLBAS: Living Off The Land Binaries and Scripts +* LOLBAS: Living Off The Land Binaries and Scripts * LOLBIN: Living Off The Land Binary * LOL/"lol": Living Off The Land diff --git a/README.md b/README.md index 457eda3..a938664 100644 --- a/README.md +++ b/README.md @@ -72,6 +72,7 @@ The following folks help maintain the LOLBAS Project on their personal time: * Chris 'Lopi' Spehn ([@ConsciousHacker](https://twitter.com/ConsciousHacker)) * Liam ([@liamsomerville](https://twitter.com/liamsomerville)) * Wietze ([@Wietze](https://twitter.com/@Wietze)) +* Jose Hernandez ([@_josehelps](https://twitter.com/_josehelps)) ## Thanks diff --git a/yml/OSBinaries/GfxDownloadWrapper.yml b/yml/HonorableMentions/GfxDownloadWrapper.yml similarity index 100% rename from yml/OSBinaries/GfxDownloadWrapper.yml rename to yml/HonorableMentions/GfxDownloadWrapper.yml 
diff --git a/yml/OSBinaries/Conhost.yml b/yml/OSBinaries/Conhost.yml index cc27bc7..5e095b2 100644 --- a/yml/OSBinaries/Conhost.yml +++ b/yml/OSBinaries/Conhost.yml @@ -11,6 +11,13 @@ Commands: Privileges: User MitreID: T1202 OperatingSystem: Windows 10, Windows 11 + - Command: "conhost.exe --headless calc.exe" + Description: Execute calc.exe with conhost.exe as parent process + Usecase: Specify --headless parameter to hide child process window (if applicable) + Category: Execute + Privileges: User + MitreID: T1202 + OperatingSystem: Windows 10, Windows 11 Full_Path: - Path: c:\windows\system32\conhost.exe Detection: @@ -19,6 +26,8 @@ Detection: Resources: - Link: https://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/ - Link: https://twitter.com/Wietze/status/1511397781159751680 + - Link: https://twitter.com/embee_research/status/1559410767564181504 + - Link: https://twitter.com/ankit_anubhav/status/1561683123816972288 Acknowledgement: - Person: Adam Handle: '@hexacorn' diff --git a/yml/OSBinaries/Eventvwr.yml b/yml/OSBinaries/Eventvwr.yml index 5442927..94e7e7a 100644 --- a/yml/OSBinaries/Eventvwr.yml +++ b/yml/OSBinaries/Eventvwr.yml @@ -14,9 +14,9 @@ Commands: - Command: ysoserial.exe -o raw -f BinaryFormatter - g DataSet -c calc > RecentViews & copy RecentViews %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews & eventvwr.exe Description: During startup, eventvwr.exe uses .NET deserialization with %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews file. This file can be created using https://github.com/pwntester/ysoserial.net Usecase: Execute a command to bypass security restrictions that limit the use of command-line interpreters. - Category: Execute + Category: UAC Bypass Privileges: Administrator - MitreID: T1202 + MitreID: T1548.002 OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10 Full_Path: - Path: C:\Windows\System32\eventvwr.exe 
diff --git a/yml/OtherMSBinaries/vsls-agent.yml b/yml/OtherMSBinaries/vsls-agent.yml new file mode 100644 index 0000000..cb4ea0f --- /dev/null +++ b/yml/OtherMSBinaries/vsls-agent.yml @@ -0,0 +1,22 @@ +--- +Name: vsls-agent.exe +Description: Agent for Visual Studio Live Share (Code Collaboration) +Author: Jimmy (@bohops) +Created: 2022-11-01 +Commands: + - Command: vsls-agent.exe --agentExtensionPath c:\path\to\payload.dll + Description: Load a library payload using the --agentExtensionPath parameter (32-bit) + Usecase: Execute proxied payload with Microsoft signed binary + Category: Execute + Privileges: User + MitreID: T1218 + OperatingSystem: Windows 10 21H2 (likely previous and newer versions with modern versions of Visual Studio installed) +Full_Path: + - Path: c:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\Extensions\Microsoft\LiveShare\Agent\vsls-agent.exe +Detection: + - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_vslsagent_agentextensionpath_load.yml +Resources: + - Link: https://twitter.com/bohops/status/1583916360404729857 +Acknowledgement: + - Person: Jimmy + Handle: '@bohops'
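Review bot: In the README.md hunk, the unchanged Wietze entry just above the new line links to `https://twitter.com/@Wietze` with a stray `@` inside the URL, while the new Jose Hernandez entry and the other maintainers use the bare handle (`https://twitter.com/_josehelps`); since this hunk touches the list anyway, drop the `@` from that URL so all entries resolve consistently.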
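Review bot: The GfxDownloadWrapper.yml rename from yml/OSBinaries to yml/HonorableMentions is a 100% similarity move with no explanation anywhere in the commit message, which only mentions "committing a few other changes"; moving an entry out of OSBinaries changes how consumers of the project categorise that binary, so the message (or the PR description) should state why it no longer qualifies as an OS binary.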
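Review bot: In the first Conhost.yml hunk, the new `--headless` command entry adds nothing under `Detection:` even though the distinguishing artefact for defenders is the `--headless` argument itself; either add a detection reference keyed on that argument or note in the Usecase that the existing conhost detections already cover it. Two smaller points in the same hunk: the new `Command:` value is wrapped in double quotes while the existing conhost command and the vsls-agent entry in this same patch are unquoted, and the phrase "(if applicable)" in the Usecase is vague about when the window is actually hidden.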
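Review bot: In the Eventvwr.yml hunk, the Category and MitreID change to `UAC Bypass` / `T1548.002`, but the unchanged `Usecase:` line still reads "Execute a command to bypass security restrictions that limit the use of command-line interpreters", which describes the old `Execute` / T1202 classification; update the Usecase so it describes the UAC bypass the entry is now filed under. While here, the command in the unchanged context contains `- g DataSet` with a space after the dash, which looks like a broken `-g` flag.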
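Review bot: In the new yml/OtherMSBinaries/vsls-agent.yml, the single `Full_Path` entry is hard-coded to the 2019 `Professional` edition under `Program Files (x86)`, yet the `OperatingSystem` field claims the technique likely applies to other Visual Studio versions; either list the other edition paths you have confirmed or add a note that the path varies by Visual Studio version and edition, otherwise consumers matching on `Full_Path` will miss installs. The `OperatingSystem` value ("likely previous and newer versions with modern versions of Visual Studio installed") is also speculative for a field that other entries keep to concrete OS names; consider stating only the tested "Windows 10 21H2" and moving the speculation to the Description.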