public-mirrors/LOLBAS
1
0
Fork 0
mirror of https://github.com/LOLBAS-Project/LOLBAS synced 2025-11-04 02:29:34 +01:00
Code Issues Projects Releases Wiki Activity

Fixed a few categories

Browse Source
This commit is contained in:
bohops
2018-09-26 10:33:52 -04:00
committed by GitHub
parent bac3b9e56c
commit f8e9ac5a0a
11 changed files with 20 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
yml/OSLibraries/Advpack.yml
View File

@@ -23,7 +23,7 @@ Commands:
- Command: rundll32.exe advpack.dll,RegisterOCX test.dll
Description: Launch a DLL payload by calling the RegisterOCX function.
UseCase: Load a DLL payload.
Category: Execution
Category: Execute
Privileges: User
MitreID: T1085
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
@@ -31,14 +31,14 @@ Commands:
- Command: rundll32.exe advpack.dll,RegisterOCX calc.exe
Description: Launch an executable by calling the RegisterOCX function.
UseCase: Run an executable payload.
Category: Execution
Category: Execute
Privileges: User
MitreID: T1085
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
- Command: rundll32 advpack.dll, RegisterOCX "cmd.exe /c calc.exe"
Description: Launch command line by calling the RegisterOCX function.
UseCase: Run an executable payload.
Category: Execution
Category: Execute
Privileges: User
MitreID: T1085
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
@@ -55,7 +55,7 @@ Resources:
- Link: https://twitter.com/ItsReallyNick/status/967859147977850880
- Link: https://twitter.com/bohops/status/974497123101179904
- Link: https://twitter.com/moriarty_meng/status/977848311603380224
Acknowledgment:
Acknowledegment:
- Person: Jimmy (LaunchINFSection)
Handle: '@bohops'
- Person: Fabrizio (RegisterOCX - DLL)

8
yml/OSLibraries/Ieadvpack.yml
View File

@@ -23,7 +23,7 @@ Commands:
- Command: rundll32.exe ieadvpack.dll,RegisterOCX test.dll
Description: Launch a DLL payload by calling the RegisterOCX function.
UseCase: Load a DLL payload.
Category: Execution
Category: Execute
Privileges: User
MitreID: T1085
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
@@ -31,14 +31,14 @@ Commands:
- Command: rundll32.exe ieadvpack.dll,RegisterOCX calc.exe
Description: Launch an executable by calling the RegisterOCX function.
UseCase: Run an executable payload.
Category: Execution
Category: Execute
Privileges: User
MitreID: T1085
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
- Command: rundll32 ieadvpack.dll, RegisterOCX "cmd.exe /c calc.exe"
Description: Launch command line by calling the RegisterOCX function.
UseCase: Run an executable payload.
Category: Execution
Category: Execute
Privileges: User
MitreID: T1085
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
@@ -54,7 +54,7 @@ Resources:
- Link: https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/
- Link: https://twitter.com/pabraeken/status/991695411902599168
- Link: https://twitter.com/0rbz_/status/974472392012689408
Acknowledgment:
Acknowledgement:
- Person: Jimmy (LaunchINFSection)
Handle: '@bohops'
- Person: Fabrizio (RegisterOCX - DLL)

3
yml/OSLibraries/Ieframe.yml
View File

@@ -24,9 +24,10 @@ Resources:
- Link: https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/
- Link: https://twitter.com/bohops/status/997690405092290561
- Link: https://windows10dll.nirsoft.net/ieframe_dll.html
Acknowledgment:
Acknowledgement:
- Person: Jimmy
Handle: '@bohops'
- Person: Adam
Handle: '@hexacorn'
---

2
yml/OSLibraries/Mshtml.yml
View File

@@ -22,7 +22,7 @@ Detection:
Resources:
- Link: https://twitter.com/pabraeken/status/998567549670477824
- Link: https://windows10dll.nirsoft.net/mshtml_dll.html
Acknowledgment:
Acknowledgement:
- Person: Pierre-Alexandre Braeken
Handle: '@pabraeken'
---

2
yml/OSLibraries/Pcwutl.yml
View File

@@ -22,6 +22,6 @@ Detection:
Resources:
- Link: https://twitter.com/harr0ey/status/989617817849876488
- Link: https://windows10dll.nirsoft.net/pcwutl_dll.html
Acknowledgment:
Acknowledgement:
- Person: Matt harr0ey
Handle: '@harr0ey'

4
yml/OSLibraries/Setupapi.yml
View File

@@ -15,7 +15,7 @@ Commands:
- Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\\Tools\\calc_exe.inf
Description: Launch an executable file via the InstallHinfSection function and .inf file section directive.
UseCase: Load an executable payload.
Category: Execution
Category: Execute
Privileges: User
MitreID: T1085
MitreLink: https://attack.mitre.org/wiki/Technique/T1085
@@ -34,7 +34,7 @@ Resources:
- Link: https://github.com/huntresslabs/evading-autoruns
- Link: https://twitter.com/pabraeken/status/994742106852941825
- Link: https://windows10dll.nirsoft.net/setupapi_dll.html
Acknowledgment:
Acknowledgement:
- Person: Kyle Hanslovan (COM Scriptlet)
Handle: '@KyleHanslovan'
- Person: Huntress Labs (COM Scriptlet)

2
yml/OSLibraries/Shdocvw.yml
View File

@@ -24,7 +24,7 @@ Resources:
- Link: https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/
- Link: https://twitter.com/bohops/status/997690405092290561
- Link: https://windows10dll.nirsoft.net/shdocvw_dll.html
Acknowledgment:
Acknowledgement:
- Person: Adam
Handle: '@hexacorn'
- Person: Jimmy

2
yml/OSLibraries/Shell32.yml
View File

@@ -39,7 +39,7 @@ Resources:
- Link: https://twitter.com/mattifestation/status/776574940128485376
- Link: https://twitter.com/KyleHanslovan/status/905189665120149506
- Link: https://windows10dll.nirsoft.net/shell32_dll.html
Acknowledgment:
Acknowledgement:
- Person: Adam (Control_RunDLL)
Handle: '@hexacorn'
- Person: Pierre-Alexandre Braeken (ShellExec_RunDLL)

4
yml/OSLibraries/Syssetup.yml
View File

@@ -15,7 +15,7 @@ Commands:
- Command: rundll32 syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\temp\something.inf
Description: Launch an executable file via the SetupInfObjectInstallAction function and .inf file section directive.
UseCase: Load an executable payload.
Category: Execution
Category: Execute
Privileges: User
MitreID: T1085
MitreLink: https://attack.mitre.org/wiki/Technique/T1085
@@ -34,7 +34,7 @@ Resources:
- Link: https://twitter.com/harr0ey/status/975350238184697857
- Link: https://twitter.com/bohops/status/975549525938135040
- Link: https://windows10dll.nirsoft.net/syssetup_dll.html
Acknowledgment:
Acknowledgement:
- Person: Pierre-Alexandre Braeken (Execute)
Handle: '@pabraeken'
- Person: Matt harr0ey (Execute)

2
yml/OSLibraries/Url.yml
View File

@@ -66,7 +66,7 @@ Resources:
- Link: https://twitter.com/yeyint_mth/status/997355558070927360
- Link: https://twitter.com/Hexacorn/status/974063407321223168
- Link: https://windows10dll.nirsoft.net/url_dll.html
Acknowledgment:
Acknowledgement:
- Person: Adam (OpenURL)
Handle: '@hexacorn'
- Person: Jimmy (OpenURL)

2
yml/OSLibraries/Zipfldr.yml
View File

@@ -31,7 +31,7 @@ Resources:
- Link: https://twitter.com/moriarty_meng/status/977848311603380224
- Link: https://twitter.com/bohops/status/997896811904929792
- Link: https://windows10dll.nirsoft.net/zipfldr_dll.html
Acknowledgment:
Acknowledgement:
- Person: Moriarty (Execution)
Handle: '@moriarty_meng'
- Person: r0lan (Obfuscation)