Added Projectnotes

2024-12-25 22:39:27 +01:00 · 2018-06-12 08:26:24 +02:00 · 2018-06-12 08:26:24 +02:00 · eef9e78be8
commit eef9e78be8
parent db324ad08f
1 changed files with 104 additions and 0 deletions
--- a/Projectnotes.md
+++ b/Projectnotes.md
@ -0,0 +1,104 @@
+# LOLBAS-Project
+
+## What is a LOLBIN?
+
+Living off the land is using the tools on the systems to perform your intended actions. A LOLBIN is a binary used by an attacker to achieve their goals.
+
+## Categories
+
+Initial Access
+Persistence
+Privilege Escalation
+Defense Evasion
+Credential Access
+Discovery
+Lateral Movement
+Execution
+Collection
+Exfiltration
+Command and Control
+
+## Sub-cats
+"Application Whitelisting Bypass"
+"squiblydoo"
+"Component Object Model Hijacking"
+"Signed Script Proxy Execution"
+"Path Interception"
+"Search Order Hijacking"
+"Launch process"
+"UAC Bypass"
+"AutoRun Persistence"
+"Credential Dumping"
+
+## Roadmap
+
+### 2.0
+
+[x] Determine field mappings between existing Markdown and future structured format
+[x] Define any additional fields required during launch (Date, Categories)
+[x] Migrate
+[ ] Sanity checking & populate blank fields (e.g. Categories, Code Sample, Detection).
+[ ] Define CONTRIBUTING.md to guide contributions. What is the technical criteria for a LOLBIN/LOLSCRIPT/LOLLIB? Suggested ambiguous files: regedit.exe, notepad.exe, powershell.exe, cmd.exe.
+    [ ] https://stackoverflow.com/questions/19109912/do-i-need-quotes-for-strings-in-yaml
+    [ ] https://stackoverflow.com/questions/3790454/in-yaml-how-do-i-break-a-string-over-multiple-lines
+    [ ] https://til.hashrocket.com/posts/d7c96e2ee7-multiline-strings-in-yaml
+
+### 2.1
+
+[ ] ATT&CK links
+[ ] LOLBIN GUID?
+[ ] Jekyll front end a la GTFOBINS?
+[ ] Sub-Categories
+[ ] Tests for PRs to ensure fields are valid
+[ ] Create management scripts (find blank fields, ensure all fields are present, update fields)
+[ ] Privileges required
+[ ] Signed executing signed? Signed executing unsigned? @mattifestation's tweet has some good stuff.
+[ ] Specific tags/labeling for specific capability caveats, for example a App Whitelist bypass that works on AppLocker & Solidcore could cary tags for each product
+[ ] split commands into command, argument structure, and example. i.e. Command: cmstp.exe; ArgStructure: /ini /s <inf_file>; Example: cmstp.exe /ini /s c:\cmstp\CorpVPN.inf
+
+## 2.0 Schema
+
+The goal for this version is feature parity with the current Markdown format along with any other fields required to support 2.0 objectives.
+
+<> - Denotes existing values
+"" - Value does not exist. Key will be created but not immediately populated.
+
+### YAML
+- Name: <Markdown Heading>
+- Description: <Function Text>
+- Author: ''
+- Created: 2018-05-25
+- Categories: []
+- Commands:
+  - <Code Block 1>
+    - Description: ''
+  - <Code Block 2>
+    - Description: ''
+- Full Path:
+  - <Full Path 1>
+  - <Full Path 2>
+- Code Sample:
+  - <Code Sample 1>
+  - <Code Sample 2>
+- Detection:
+  - <Detection 1>
+  - <Detection 2>
+- Resources:
+  - <Resource 1>
+  - <Resource 2>
+- Notes: <Notes>, <Acknowledgements>
+
+### JSON (more like no, son, you're not getting used, gtfo)
+{
+    "Name": "<Markdown Heading>",
+    "Description": "<Function Text>",
+    "Created": "",
+    "Categories": [""],
+    "Commands": ["<Code Block>"],
+    "Full path": ["<Full Path>],
+    "Code sample": ["<Code Sample>"],
+    "Resources": ["<Resources>"],
+    "Acknowledgments": ["<Acknowledgements>"],
+    "Detection": ["<Detection>",]
+    "Notes": "<Notes>",
+}