Improve GitHub Actions workflows (#467)

This commit is contained in:
Wietze
2025-10-02 18:14:34 +01:00
committed by GitHub
parent 2d7441bb9a
commit dcca4db04a
16 changed files with 150 additions and 188 deletions


@@ -15,7 +15,7 @@ Commands:
OperatingSystem: Windows Server 2012, Windows Server 2016, Windows Server 2019
- Command: dsdbutil.exe "activate instance ntds" "snapshot" "mount {GUID}" "quit" "quit"
Description: Mounting the snapshot with its GUID
Usecase: Mounting the snapshot to access the ntds.dit with copy c:\[Snap Volume]\windows\ntds\ntds.dit c:\users\administrator\desktop\ntds.dit.bak
Usecase: Mounting the snapshot to access the ntds.dit with `copy c:\<Snap Volume>\windows\ntds\ntds.dit c:\users\administrator\desktop\ntds.dit.bak`
Category: Dump
Privileges: Administrator
MitreID: T1003.003
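Review bot: placeholder notation is now inconsistent within this entry. The `+` Usecase line switches the mount-point placeholder from `[Snap Volume]` to `<Snap Volume>` and wraps the command in backticks, but the Command line two lines above still uses curly braces for `mount {GUID}`. Pick one placeholder convention for the file (angle brackets, since that is what this commit introduces) and apply it to the Command line as well, so readers do not wonder whether `{GUID}` and `<Snap Volume>` mean different things.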
@@ -29,7 +29,7 @@ Commands:
OperatingSystem: Windows Server 2012, Windows Server 2016, Windows Server 2019
- Command: dsdbutil.exe "activate instance ntds" "snapshot" "create" "list all" "mount 1" "quit" "quit"
Description: Mounting with snapshot identifier
Usecase: Mounting the snapshot identifier 1 and accessing it with with copy c:\[Snap Volume]\windows\ntds\ntds.dit c:\users\administrator\desktop\ntds.dit.bak
Usecase: Mounting the snapshot identifier 1 and accessing it with `copy c:\<Snap Volume>\windows\ntds\ntds.dit c:\users\administrator\desktop\ntds.dit.bak`
Category: Dump
Privileges: Administrator
MitreID: T1003.003
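Review bot: the `+` Usecase line fixes the doubled "with" and the placeholder, but it still presents identifier 1 as a fixed value. Since the Command line runs `"create" "list all" "mount 1"`, the identifier is whatever `list all` prints for the freshly created snapshot, which is only 1 when no earlier snapshot exists. A short clause such as "identifier 1 as reported by `list all`" would make the Usecase text accurate for hosts that already have snapshots.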
@@ -51,11 +51,6 @@ Detection:
- IOC: Regular and Volume Shadow Copy attempts to read or modify ntds.dit
- IOC: Event ID 4656
- IOC: Regular and Volume Shadow Copy attempts to read or modify ntds.dit
- Analysis:
- Sigma:
- Elastic:
- Splunk:
- BlockRule:
Resources:
- Link: https://gist.github.com/bohops/88561ca40998e83deb3d1da90289e358
- Link: https://www.netwrix.com/ntds_dit_security_active_directory.html
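Review bot: while the empty `Analysis`, `Sigma`, `Elastic`, `Splunk` and `BlockRule` keys are being dropped, the surviving IOC list should be cleaned up too. The context shows `- IOC: Regular and Volume Shadow Copy attempts to read or modify ntds.dit` twice, once before and once after `- IOC: Event ID 4656`; remove the duplicate. The 4656 entry (a handle to an object was requested) would also be more useful if it named the object it is meant to be matched against, e.g. `- IOC: Event ID 4656 (handle requested) on ntds.dit`.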


@@ -5,7 +5,7 @@ Author: Jimmy (@bohops)
Created: 2021-09-26
Commands:
- Command: VisualUiaVerifyNative.exe
Description: Generate Serialized gadget and save to - C:\Users\[current user]\AppData\Roaminguiverify.config before executing.
Description: Generate Serialized gadget and save to - `C:\Users\%USERNAME%\AppData\Roaminguiverify.config` before executing.
Usecase: Execute proxied payload with Microsoft signed binary to bypass WDAC policies
Category: AWL Bypass
Privileges: User
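Review bot: the path in the `+` Description line reads `C:\Users\%USERNAME%\AppData\Roaminguiverify.config`, with no separator between `Roaming` and `uiverify.config`. The same defect is present in the `-` line, so this change carries it over rather than introducing it, but since the line is being edited anyway it should be corrected to `...\AppData\Roaming\uiverify.config` (verify against the YAML source in case the backslash was lost in rendering). The stray ` - ` after "save to" should also go; "save to `C:\...` before executing" reads cleanly without it.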