mirror of
https://github.com/LOLBAS-Project/LOLBAS
synced 2024-12-27 07:18:05 +01:00
Merge pull request #131 from fslds/feat/yamllinting
Adding yamllinting github action and some minor syntax corrections in yml-files.
This commit is contained in:
commit
e480be182e
12
.github/workflows/yamllinting.yml
vendored
Normal file
12
.github/workflows/yamllinting.yml
vendored
Normal file
@ -0,0 +1,12 @@
|
|||||||
|
---
|
||||||
|
name: Yaml Lint
|
||||||
|
on: [push, pull_request]
|
||||||
|
jobs:
|
||||||
|
lintFiles:
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v1
|
||||||
|
- name: yaml-lint
|
||||||
|
uses: ibiqlik/action-yamllint@v3
|
||||||
|
with:
|
||||||
|
config_file: .yamllint
|
15
.yamllint
Normal file
15
.yamllint
Normal file
@ -0,0 +1,15 @@
|
|||||||
|
---
|
||||||
|
extends: default
|
||||||
|
yaml-files:
|
||||||
|
- '*.yml'
|
||||||
|
rules:
|
||||||
|
new-line-at-end-of-file:
|
||||||
|
level: warning
|
||||||
|
trailing-spaces:
|
||||||
|
level: warning
|
||||||
|
line-length:
|
||||||
|
level: warning
|
||||||
|
new-lines:
|
||||||
|
level: warning
|
||||||
|
indentation:
|
||||||
|
level: warning
|
@ -2,7 +2,7 @@
|
|||||||
Name: Binary.exe
|
Name: Binary.exe
|
||||||
Description: Something general about the binary
|
Description: Something general about the binary
|
||||||
Author: The person that created this file
|
Author: The person that created this file
|
||||||
Created: Date the person created this file (use YYYY-MM-DD without quotes)
|
Created: Date the person created this file
|
||||||
Commands:
|
Commands:
|
||||||
- Command: The command
|
- Command: The command
|
||||||
Description: Description of the command
|
Description: Description of the command
|
||||||
@ -37,4 +37,3 @@ Acknowledgement:
|
|||||||
Handle: '@johndoe'
|
Handle: '@johndoe'
|
||||||
- Person: Ola Norman
|
- Person: Ola Norman
|
||||||
Handle: '@olaNor'
|
Handle: '@olaNor'
|
||||||
---
|
|
||||||
|
@ -2,7 +2,8 @@
|
|||||||
Name: Explorer.exe
|
Name: Explorer.exe
|
||||||
Description: Execute
|
Description: Execute
|
||||||
Author: ''
|
Author: ''
|
||||||
Created: 2018-05-25
|
Created: '2018-05-25'
|
||||||
|
Categories: []
|
||||||
Commands:
|
Commands:
|
||||||
- Command: explorer.exe calc.exe
|
- Command: explorer.exe calc.exe
|
||||||
Description: 'Executes calc.exe as a subprocess of explorer.exe.'
|
Description: 'Executes calc.exe as a subprocess of explorer.exe.'
|
||||||
@ -16,4 +17,3 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Jimmy
|
- Person: Jimmy
|
||||||
Handle: '@bohops'
|
Handle: '@bohops'
|
||||||
|
|
||||||
|
@ -2,7 +2,8 @@
|
|||||||
Name: Netsh.exe
|
Name: Netsh.exe
|
||||||
Description: Execute, Surveillance
|
Description: Execute, Surveillance
|
||||||
Author: ''
|
Author: ''
|
||||||
Created: 2018-05-25
|
Created: '2018-05-25'
|
||||||
|
Categories: []
|
||||||
Commands:
|
Commands:
|
||||||
- Command: |
|
- Command: |
|
||||||
netsh.exe trace start capture=yes filemode=append persistent=yes tracefile=\\server\share\file.etl IPv4.Address=!(<IPofRemoteFileShare>)
|
netsh.exe trace start capture=yes filemode=append persistent=yes tracefile=\\server\share\file.etl IPv4.Address=!(<IPofRemoteFileShare>)
|
||||||
@ -21,3 +22,6 @@ Resources:
|
|||||||
- https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Persistence/Netsh_Helper_DLL.md
|
- https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Persistence/Netsh_Helper_DLL.md
|
||||||
- https://attack.mitre.org/wiki/Technique/T1128
|
- https://attack.mitre.org/wiki/Technique/T1128
|
||||||
- https://twitter.com/teemuluotio/status/990532938952527873
|
- https://twitter.com/teemuluotio/status/990532938952527873
|
||||||
|
Acknowledgement:
|
||||||
|
- Person: ''
|
||||||
|
- Handle: ''
|
@ -2,7 +2,7 @@
|
|||||||
Name: Openwith.exe
|
Name: Openwith.exe
|
||||||
Description: Execute
|
Description: Execute
|
||||||
Author: ''
|
Author: ''
|
||||||
Created: 2018-05-25
|
Created: '2018-05-25'
|
||||||
Commands:
|
Commands:
|
||||||
- Command: OpenWith.exe /c C:\test.hta
|
- Command: OpenWith.exe /c C:\test.hta
|
||||||
Description: Opens the target file with the default application.
|
Description: Opens the target file with the default application.
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
Name: Powershell.exe
|
Name: Powershell.exe
|
||||||
Description: Execute, Read ADS
|
Description: Execute, Read ADS
|
||||||
Author: ''
|
Author: ''
|
||||||
Created: 2018-05-25
|
Created: '2018-05-25'
|
||||||
Commands:
|
Commands:
|
||||||
- Command: powershell -ep bypass - < c:\temp:ttt
|
- Command: powershell -ep bypass - < c:\temp:ttt
|
||||||
Description: Execute the encoded PowerShell command stored in an Alternate Data Stream (ADS).
|
Description: Execute the encoded PowerShell command stored in an Alternate Data Stream (ADS).
|
||||||
@ -16,4 +16,3 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Moriarty
|
- Person: Moriarty
|
||||||
Handle: '@Moriarty_Meng'
|
Handle: '@Moriarty_Meng'
|
||||||
|
|
||||||
|
@ -2,7 +2,8 @@
|
|||||||
Name: Psr.exe
|
Name: Psr.exe
|
||||||
Description: Surveillance
|
Description: Surveillance
|
||||||
Author: ''
|
Author: ''
|
||||||
Created: 2018-05-25
|
Created: '2018-05-25'
|
||||||
|
Categories: []
|
||||||
Commands:
|
Commands:
|
||||||
- Command: psr.exe /start /gui 0 /output c:\users\user\out.zip
|
- Command: psr.exe /start /gui 0 /output c:\users\user\out.zip
|
||||||
Description: Capture screenshots of the desktop and save them in the target .ZIP file.
|
Description: Capture screenshots of the desktop and save them in the target .ZIP file.
|
||||||
@ -17,4 +18,6 @@ Code_Sample: []
|
|||||||
Detection: []
|
Detection: []
|
||||||
Resources:
|
Resources:
|
||||||
- https://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf
|
- https://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf
|
||||||
|
Acknowledgement:
|
||||||
|
- Person: ''
|
||||||
|
- Handle: ''
|
||||||
|
@ -3,6 +3,7 @@ Name: Robocopy.exe
|
|||||||
Description: Copy
|
Description: Copy
|
||||||
Author: ''
|
Author: ''
|
||||||
Created: 2018-05-25
|
Created: 2018-05-25
|
||||||
|
Categories: []
|
||||||
Commands:
|
Commands:
|
||||||
- Command: Robocopy.exe C:\SourceFolder C:\DestFolder
|
- Command: Robocopy.exe C:\SourceFolder C:\DestFolder
|
||||||
Description: Copy the entire contents of the SourceFolder to the DestFolder.
|
Description: Copy the entire contents of the SourceFolder to the DestFolder.
|
||||||
@ -15,3 +16,6 @@ Code_Sample: []
|
|||||||
Detection: []
|
Detection: []
|
||||||
Resources:
|
Resources:
|
||||||
- https://social.technet.microsoft.com/wiki/contents/articles/1073.robocopy-and-a-few-examples.aspx
|
- https://social.technet.microsoft.com/wiki/contents/articles/1073.robocopy-and-a-few-examples.aspx
|
||||||
|
Acknowledgement:
|
||||||
|
- Person: ''
|
||||||
|
- Handle: ''
|
@ -3,6 +3,7 @@ Name: Update.exe
|
|||||||
Description: Binary to update the existing installed Nuget/squirrel package. Part of Whatsapp installation.
|
Description: Binary to update the existing installed Nuget/squirrel package. Part of Whatsapp installation.
|
||||||
Author: 'Jesus Galvez'
|
Author: 'Jesus Galvez'
|
||||||
Created: '2020-11-01'
|
Created: '2020-11-01'
|
||||||
|
Commands:
|
||||||
- Command: Update.exe --processStart payload.exe --process-start-args "whatever args"
|
- Command: Update.exe --processStart payload.exe --process-start-args "whatever args"
|
||||||
Description: Copy your payload into "%localappdata%\Whatsapp\app-[version]\". Then run the command. Update.exe will execute the file you copied.
|
Description: Copy your payload into "%localappdata%\Whatsapp\app-[version]\". Then run the command. Update.exe will execute the file you copied.
|
||||||
Usecase: Execute binary
|
Usecase: Execute binary
|
||||||
@ -14,5 +15,5 @@ Created: '2020-11-01'
|
|||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: '%localappdata%\Whatsapp\Update.exe'
|
- Path: '%localappdata%\Whatsapp\Update.exe'
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: "%localappdata%\Whatsapp\Update.exe" spawned an unknown process
|
- IOC: '"%localappdata%\Whatsapp\Update.exe" spawned an unknown process'
|
||||||
---
|
---
|
||||||
|
@ -1,18 +1,20 @@
|
|||||||
Name: aswrundll.exe
|
Name: aswrundll.exe
|
||||||
Description: This process is used by AVAST antivirus to run and execute any modules
|
Description: This process is used by AVAST antivirus to run and execute any modules
|
||||||
Author: Eli Salem
|
Author: Eli Salem
|
||||||
Created: 2019-03-19
|
Created: '2019-03-19'
|
||||||
Commands:
|
Commands:
|
||||||
- Command: "\"C:\\Program Files\\Avast Software\\Avast\\aswrundll\" \"C:\\Users\\Public\\Libraries\\tempsys\\module.dll\""
|
- Command: '"C:\Program Files\Avast Software\Avast\aswrundll" "C:\Users\Public\Libraries\tempsys\module.dll"'
|
||||||
Description: Load and execute modules using aswrundll
|
Description: Load and execute modules using aswrundll
|
||||||
Usecase: Execute malicious modules using aswrundll.exe
|
Usecase: Execute malicious modules using aswrundll.exe
|
||||||
Category: Execute
|
Category: Execute
|
||||||
Privileges: Any
|
Privileges: Any
|
||||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Program Files\Avast Software\Avast\aswrundll
|
- Path: 'C:\Program Files\Avast Software\Avast\aswrundll'
|
||||||
|
Code_Sample:
|
||||||
|
- Code: '["C:\Program Files\Avast Software\Avast\aswrundll" "C:\Users\Public\Libraries\tempsys\module.dll" "C:\Users\module.dll"]'
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil-full-research
|
- Link: https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil-full-research
|
||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Eli Salem
|
- Person: Eli Salem
|
||||||
Handle: https://www.linkedin.com/in/eli-salem-954728150
|
handle: 'https://www.linkedin.com/in/eli-salem-954728150'
|
@ -2,15 +2,15 @@
|
|||||||
Name: Ieaframe.dll
|
Name: Ieaframe.dll
|
||||||
Description: Internet Browser DLL for translating HTML code.
|
Description: Internet Browser DLL for translating HTML code.
|
||||||
Author:
|
Author:
|
||||||
Created: 2018-05-25
|
Created: '2018-05-25'
|
||||||
Commands:
|
Commands:
|
||||||
- Command: rundll32.exe ieframe.dll,OpenURL "C:\test\calc.url"
|
- Command: rundll32.exe ieframe.dll,OpenURL "C:\test\calc.url"
|
||||||
Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL.
|
Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL.
|
||||||
Usecase: Load an executable payload by calling a .url file with or without quotes. The .url file extension can be renamed.
|
UseCase: Load an executable payload by calling a .url file with or without quotes. The .url file extension can be renamed.
|
||||||
Category: Execute
|
Category: Execute
|
||||||
Privileges: User
|
Privileges: User
|
||||||
MitreID: T1085
|
MitreID: T1085
|
||||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1085
|
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||||
OperatingSystem: Windows
|
OperatingSystem: Windows
|
||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: c:\windows\system32\ieframe.dll
|
- Path: c:\windows\system32\ieframe.dll
|
||||||
@ -30,4 +30,3 @@ Acknowledgement:
|
|||||||
- Person: Adam
|
- Person: Adam
|
||||||
Handle: '@hexacorn'
|
Handle: '@hexacorn'
|
||||||
---
|
---
|
||||||
|
|
||||||
|
@ -2,11 +2,11 @@
|
|||||||
Name: Setupapi.dll
|
Name: Setupapi.dll
|
||||||
Description: Windows Setup Application Programming Interface
|
Description: Windows Setup Application Programming Interface
|
||||||
Author:
|
Author:
|
||||||
Created: 2018-05-25
|
Created: '2018-05-25'
|
||||||
Commands:
|
Commands:
|
||||||
- Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Tools\shady.inf
|
- Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Tools\shady.inf
|
||||||
Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified).
|
Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified).
|
||||||
Usecase: Run local or remote script(let) code through INF file specification.
|
UseCase: Run local or remote script(let) code through INF file specification.
|
||||||
Category: AWL Bypass
|
Category: AWL Bypass
|
||||||
Privileges: User
|
Privileges: User
|
||||||
MitreID: T1085
|
MitreID: T1085
|
||||||
@ -14,7 +14,7 @@ Commands:
|
|||||||
OperatingSystem: Windows
|
OperatingSystem: Windows
|
||||||
- Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\\Tools\\calc_exe.inf
|
- Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\\Tools\\calc_exe.inf
|
||||||
Description: Launch an executable file via the InstallHinfSection function and .inf file section directive.
|
Description: Launch an executable file via the InstallHinfSection function and .inf file section directive.
|
||||||
Usecase: Load an executable payload.
|
UseCase: Load an executable payload.
|
||||||
Category: Execute
|
Category: Execute
|
||||||
Privileges: User
|
Privileges: User
|
||||||
MitreID: T1085
|
MitreID: T1085
|
||||||
@ -37,7 +37,7 @@ Resources:
|
|||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Kyle Hanslovan (COM Scriptlet)
|
- Person: Kyle Hanslovan (COM Scriptlet)
|
||||||
Handle: '@KyleHanslovan'
|
Handle: '@KyleHanslovan'
|
||||||
- Person: Huntress Labs (COM Scriptlet)
|
- Person: Huntress Labs (COM Scriptlet)
|
||||||
Handle: '@HuntressLabs'
|
Handle: '@HuntressLabs'
|
||||||
- Person: Casey Smith (COM Scriptlet)
|
- Person: Casey Smith (COM Scriptlet)
|
||||||
Handle: '@subTee'
|
Handle: '@subTee'
|
||||||
|
@ -4,7 +4,7 @@ Description: Used as part of the Powershell pester
|
|||||||
Author: 'Oddvar Moe'
|
Author: 'Oddvar Moe'
|
||||||
Created: 2018-05-25
|
Created: 2018-05-25
|
||||||
Commands:
|
Commands:
|
||||||
- Command: Pester.bat [/help|?|-?|/?] "$null; notepad"
|
- Command: Pester.bat [/help|?|-?|/?] "$null; notepad"
|
||||||
Description: Execute code using Pester. The third parameter can be anything. The fourth is the payload. Example here executes notepad
|
Description: Execute code using Pester. The third parameter can be anything. The fourth is the payload. Example here executes notepad
|
||||||
Usecase: Proxy execution
|
Usecase: Proxy execution
|
||||||
Category: Execute
|
Category: Execute
|
||||||
|
Loading…
Reference in New Issue
Block a user