mirror of
https://github.com/LOLBAS-Project/LOLBAS
synced 2024-12-27 07:18:05 +01:00
Fixed a few categories
This commit is contained in:
parent
bac3b9e56c
commit
f8e9ac5a0a
@ -23,7 +23,7 @@ Commands:
|
|||||||
- Command: rundll32.exe advpack.dll,RegisterOCX test.dll
|
- Command: rundll32.exe advpack.dll,RegisterOCX test.dll
|
||||||
Description: Launch a DLL payload by calling the RegisterOCX function.
|
Description: Launch a DLL payload by calling the RegisterOCX function.
|
||||||
UseCase: Load a DLL payload.
|
UseCase: Load a DLL payload.
|
||||||
Category: Execution
|
Category: Execute
|
||||||
Privileges: User
|
Privileges: User
|
||||||
MitreID: T1085
|
MitreID: T1085
|
||||||
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
|
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||||
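Review bot: the changed line `Category: Execution` → `Category: Execute` is fine on its own, but the context line `MItreLink: https://attack.mitre.org/wiki/Technique/T1085` two entries below it carries a capitalised `I` that the setupapi.dll and syssetup.dll hunks further down spell `MitreLink:`. A commit that normalises field values is the right place to normalise this key as well; otherwise anything that reads entries by key name will miss the ATT&CK link on the advpack.dll entry.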
@ -31,14 +31,14 @@ Commands:
|
|||||||
- Command: rundll32.exe advpack.dll,RegisterOCX calc.exe
|
- Command: rundll32.exe advpack.dll,RegisterOCX calc.exe
|
||||||
Description: Launch an executable by calling the RegisterOCX function.
|
Description: Launch an executable by calling the RegisterOCX function.
|
||||||
UseCase: Run an executable payload.
|
UseCase: Run an executable payload.
|
||||||
Category: Execution
|
Category: Execute
|
||||||
Privileges: User
|
Privileges: User
|
||||||
MitreID: T1085
|
MitreID: T1085
|
||||||
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
|
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||||
- Command: rundll32 advpack.dll, RegisterOCX "cmd.exe /c calc.exe"
|
- Command: rundll32 advpack.dll, RegisterOCX "cmd.exe /c calc.exe"
|
||||||
Description: Launch command line by calling the RegisterOCX function.
|
Description: Launch command line by calling the RegisterOCX function.
|
||||||
UseCase: Run an executable payload.
|
UseCase: Run an executable payload.
|
||||||
Category: Execution
|
Category: Execute
|
||||||
Privileges: User
|
Privileges: User
|
||||||
MitreID: T1085
|
MitreID: T1085
|
||||||
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
|
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||||
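Review bot: the third command in this hunk writes `advpack.dll, RegisterOCX` with a space after the comma while the first two write `advpack.dll,RegisterOCX`; since the category value is being made consistent here, the command spelling should be too, so that anyone building matching rules from the catalogue gets one canonical form per entry rather than two.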
@ -55,7 +55,7 @@ Resources:
|
|||||||
- Link: https://twitter.com/ItsReallyNick/status/967859147977850880
|
- Link: https://twitter.com/ItsReallyNick/status/967859147977850880
|
||||||
- Link: https://twitter.com/bohops/status/974497123101179904
|
- Link: https://twitter.com/bohops/status/974497123101179904
|
||||||
- Link: https://twitter.com/moriarty_meng/status/977848311603380224
|
- Link: https://twitter.com/moriarty_meng/status/977848311603380224
|
||||||
Acknowledgment:
|
Acknowledegment:
|
||||||
- Person: Jimmy (LaunchINFSection)
|
- Person: Jimmy (LaunchINFSection)
|
||||||
Handle: '@bohops'
|
Handle: '@bohops'
|
||||||
- Person: Fabrizio (RegisterOCX - DLL)
|
- Person: Fabrizio (RegisterOCX - DLL)
|
||||||
|
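Review bot: the new key on the right-hand side is misspelled: `Acknowledgment:` becomes `Acknowledegment:` here, whereas every other file touched by this commit renames it to `Acknowledgement:`. After this change the advpack.dll entry carries a key that matches neither the old nor the new spelling, so any tooling that reads the `Acknowledgement` field will silently drop its credits; change the line to `Acknowledgement:`.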
@ -23,7 +23,7 @@ Commands:
|
|||||||
- Command: rundll32.exe ieadvpack.dll,RegisterOCX test.dll
|
- Command: rundll32.exe ieadvpack.dll,RegisterOCX test.dll
|
||||||
Description: Launch a DLL payload by calling the RegisterOCX function.
|
Description: Launch a DLL payload by calling the RegisterOCX function.
|
||||||
UseCase: Load a DLL payload.
|
UseCase: Load a DLL payload.
|
||||||
Category: Execution
|
Category: Execute
|
||||||
Privileges: User
|
Privileges: User
|
||||||
MitreID: T1085
|
MitreID: T1085
|
||||||
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
|
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||||
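Review bot: same key-name point as in advpack.dll: the context line `MItreLink:` should become `MitreLink:` to match the setupapi.dll and syssetup.dll files below. The key appears in both hunks of this ieadvpack.dll file, so all occurrences need the fix, not just this one.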
@ -31,14 +31,14 @@ Commands:
|
|||||||
- Command: rundll32.exe ieadvpack.dll,RegisterOCX calc.exe
|
- Command: rundll32.exe ieadvpack.dll,RegisterOCX calc.exe
|
||||||
Description: Launch an executable by calling the RegisterOCX function.
|
Description: Launch an executable by calling the RegisterOCX function.
|
||||||
UseCase: Run an executable payload.
|
UseCase: Run an executable payload.
|
||||||
Category: Execution
|
Category: Execute
|
||||||
Privileges: User
|
Privileges: User
|
||||||
MitreID: T1085
|
MitreID: T1085
|
||||||
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
|
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||||
- Command: rundll32 ieadvpack.dll, RegisterOCX "cmd.exe /c calc.exe"
|
- Command: rundll32 ieadvpack.dll, RegisterOCX "cmd.exe /c calc.exe"
|
||||||
Description: Launch command line by calling the RegisterOCX function.
|
Description: Launch command line by calling the RegisterOCX function.
|
||||||
UseCase: Run an executable payload.
|
UseCase: Run an executable payload.
|
||||||
Category: Execution
|
Category: Execute
|
||||||
Privileges: User
|
Privileges: User
|
||||||
MitreID: T1085
|
MitreID: T1085
|
||||||
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
|
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||||
@ -54,7 +54,7 @@ Resources:
|
|||||||
- Link: https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/
|
- Link: https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/
|
||||||
- Link: https://twitter.com/pabraeken/status/991695411902599168
|
- Link: https://twitter.com/pabraeken/status/991695411902599168
|
||||||
- Link: https://twitter.com/0rbz_/status/974472392012689408
|
- Link: https://twitter.com/0rbz_/status/974472392012689408
|
||||||
Acknowledgment:
|
Acknowledgement:
|
||||||
- Person: Jimmy (LaunchINFSection)
|
- Person: Jimmy (LaunchINFSection)
|
||||||
Handle: '@bohops'
|
Handle: '@bohops'
|
||||||
- Person: Fabrizio (RegisterOCX - DLL)
|
- Person: Fabrizio (RegisterOCX - DLL)
|
||||||
|
@ -24,9 +24,10 @@ Resources:
|
|||||||
- Link: https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/
|
- Link: https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/
|
||||||
- Link: https://twitter.com/bohops/status/997690405092290561
|
- Link: https://twitter.com/bohops/status/997690405092290561
|
||||||
- Link: https://windows10dll.nirsoft.net/ieframe_dll.html
|
- Link: https://windows10dll.nirsoft.net/ieframe_dll.html
|
||||||
Acknowledgment:
|
Acknowledgement:
|
||||||
- Person: Jimmy
|
- Person: Jimmy
|
||||||
Handle: '@bohops'
|
Handle: '@bohops'
|
||||||
- Person: Adam
|
- Person: Adam
|
||||||
Handle: '@hexacorn'
|
Handle: '@hexacorn'
|
||||||
---
|
---
|
||||||
|
|
||||||
|
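Review bot: the header `@ -24,9 +24,10 @@` says this hunk grows the file by one line, but the only visible difference besides the `Acknowledgement:` spelling is blank space after the `---` document terminator. If that trailing newline is not intentional, drop it so the ieframe.dll file ends the same way as the other files in this commit; if it is intentional, say so in the commit message, since "Fixed a few categories" does not cover it.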
@ -22,7 +22,7 @@ Detection:
|
|||||||
Resources:
|
Resources:
|
||||||
- Link: https://twitter.com/pabraeken/status/998567549670477824
|
- Link: https://twitter.com/pabraeken/status/998567549670477824
|
||||||
- Link: https://windows10dll.nirsoft.net/mshtml_dll.html
|
- Link: https://windows10dll.nirsoft.net/mshtml_dll.html
|
||||||
Acknowledgment:
|
Acknowledgement:
|
||||||
- Person: Pierre-Alexandre Braeken
|
- Person: Pierre-Alexandre Braeken
|
||||||
Handle: '@pabraeken'
|
Handle: '@pabraeken'
|
||||||
---
|
---
|
||||||
|
@ -22,6 +22,6 @@ Detection:
|
|||||||
Resources:
|
Resources:
|
||||||
- Link: https://twitter.com/harr0ey/status/989617817849876488
|
- Link: https://twitter.com/harr0ey/status/989617817849876488
|
||||||
- Link: https://windows10dll.nirsoft.net/pcwutl_dll.html
|
- Link: https://windows10dll.nirsoft.net/pcwutl_dll.html
|
||||||
Acknowledgment:
|
Acknowledgement:
|
||||||
- Person: Matt harr0ey
|
- Person: Matt harr0ey
|
||||||
Handle: '@harr0ey'
|
Handle: '@harr0ey'
|
||||||
|
@ -15,7 +15,7 @@ Commands:
|
|||||||
- Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\\Tools\\calc_exe.inf
|
- Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\\Tools\\calc_exe.inf
|
||||||
Description: Launch an executable file via the InstallHinfSection function and .inf file section directive.
|
Description: Launch an executable file via the InstallHinfSection function and .inf file section directive.
|
||||||
UseCase: Load an executable payload.
|
UseCase: Load an executable payload.
|
||||||
Category: Execution
|
Category: Execute
|
||||||
Privileges: User
|
Privileges: User
|
||||||
MitreID: T1085
|
MitreID: T1085
|
||||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1085
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||||
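Review bot: in the context line `- Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\\Tools\\calc_exe.inf` the path is written with doubled backslashes, while the syssetup.dll hunk below writes `c:\temp\something.inf` with single ones. Both are unquoted YAML scalars, in which backslashes are literal, so this entry renders as `C:\\Tools\\calc_exe.inf`; since the commit is already cleaning up these files, single backslashes here would keep the two .inf examples consistent.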
@ -34,7 +34,7 @@ Resources:
|
|||||||
- Link: https://github.com/huntresslabs/evading-autoruns
|
- Link: https://github.com/huntresslabs/evading-autoruns
|
||||||
- Link: https://twitter.com/pabraeken/status/994742106852941825
|
- Link: https://twitter.com/pabraeken/status/994742106852941825
|
||||||
- Link: https://windows10dll.nirsoft.net/setupapi_dll.html
|
- Link: https://windows10dll.nirsoft.net/setupapi_dll.html
|
||||||
Acknowledgment:
|
Acknowledgement:
|
||||||
- Person: Kyle Hanslovan (COM Scriptlet)
|
- Person: Kyle Hanslovan (COM Scriptlet)
|
||||||
Handle: '@KyleHanslovan'
|
Handle: '@KyleHanslovan'
|
||||||
- Person: Huntress Labs (COM Scriptlet)
|
- Person: Huntress Labs (COM Scriptlet)
|
||||||
|
@ -24,7 +24,7 @@ Resources:
|
|||||||
- Link: https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/
|
- Link: https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/
|
||||||
- Link: https://twitter.com/bohops/status/997690405092290561
|
- Link: https://twitter.com/bohops/status/997690405092290561
|
||||||
- Link: https://windows10dll.nirsoft.net/shdocvw_dll.html
|
- Link: https://windows10dll.nirsoft.net/shdocvw_dll.html
|
||||||
Acknowledgment:
|
Acknowledgement:
|
||||||
- Person: Adam
|
- Person: Adam
|
||||||
Handle: '@hexacorn'
|
Handle: '@hexacorn'
|
||||||
- Person: Jimmy
|
- Person: Jimmy
|
||||||
|
@ -39,7 +39,7 @@ Resources:
|
|||||||
- Link: https://twitter.com/mattifestation/status/776574940128485376
|
- Link: https://twitter.com/mattifestation/status/776574940128485376
|
||||||
- Link: https://twitter.com/KyleHanslovan/status/905189665120149506
|
- Link: https://twitter.com/KyleHanslovan/status/905189665120149506
|
||||||
- Link: https://windows10dll.nirsoft.net/shell32_dll.html
|
- Link: https://windows10dll.nirsoft.net/shell32_dll.html
|
||||||
Acknowledgment:
|
Acknowledgement:
|
||||||
- Person: Adam (Control_RunDLL)
|
- Person: Adam (Control_RunDLL)
|
||||||
Handle: '@hexacorn'
|
Handle: '@hexacorn'
|
||||||
- Person: Pierre-Alexandre Braeken (ShellExec_RunDLL)
|
- Person: Pierre-Alexandre Braeken (ShellExec_RunDLL)
|
||||||
|
@ -15,7 +15,7 @@ Commands:
|
|||||||
- Command: rundll32 syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\temp\something.inf
|
- Command: rundll32 syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\temp\something.inf
|
||||||
Description: Launch an executable file via the SetupInfObjectInstallAction function and .inf file section directive.
|
Description: Launch an executable file via the SetupInfObjectInstallAction function and .inf file section directive.
|
||||||
UseCase: Load an executable payload.
|
UseCase: Load an executable payload.
|
||||||
Category: Execution
|
Category: Execute
|
||||||
Privileges: User
|
Privileges: User
|
||||||
MitreID: T1085
|
MitreID: T1085
|
||||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1085
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||||
@ -34,7 +34,7 @@ Resources:
|
|||||||
- Link: https://twitter.com/harr0ey/status/975350238184697857
|
- Link: https://twitter.com/harr0ey/status/975350238184697857
|
||||||
- Link: https://twitter.com/bohops/status/975549525938135040
|
- Link: https://twitter.com/bohops/status/975549525938135040
|
||||||
- Link: https://windows10dll.nirsoft.net/syssetup_dll.html
|
- Link: https://windows10dll.nirsoft.net/syssetup_dll.html
|
||||||
Acknowledgment:
|
Acknowledgement:
|
||||||
- Person: Pierre-Alexandre Braeken (Execute)
|
- Person: Pierre-Alexandre Braeken (Execute)
|
||||||
Handle: '@pabraeken'
|
Handle: '@pabraeken'
|
||||||
- Person: Matt harr0ey (Execute)
|
- Person: Matt harr0ey (Execute)
|
||||||
|
@ -66,7 +66,7 @@ Resources:
|
|||||||
- Link: https://twitter.com/yeyint_mth/status/997355558070927360
|
- Link: https://twitter.com/yeyint_mth/status/997355558070927360
|
||||||
- Link: https://twitter.com/Hexacorn/status/974063407321223168
|
- Link: https://twitter.com/Hexacorn/status/974063407321223168
|
||||||
- Link: https://windows10dll.nirsoft.net/url_dll.html
|
- Link: https://windows10dll.nirsoft.net/url_dll.html
|
||||||
Acknowledgment:
|
Acknowledgement:
|
||||||
- Person: Adam (OpenURL)
|
- Person: Adam (OpenURL)
|
||||||
Handle: '@hexacorn'
|
Handle: '@hexacorn'
|
||||||
- Person: Jimmy (OpenURL)
|
- Person: Jimmy (OpenURL)
|
||||||
|
@ -31,7 +31,7 @@ Resources:
|
|||||||
- Link: https://twitter.com/moriarty_meng/status/977848311603380224
|
- Link: https://twitter.com/moriarty_meng/status/977848311603380224
|
||||||
- Link: https://twitter.com/bohops/status/997896811904929792
|
- Link: https://twitter.com/bohops/status/997896811904929792
|
||||||
- Link: https://windows10dll.nirsoft.net/zipfldr_dll.html
|
- Link: https://windows10dll.nirsoft.net/zipfldr_dll.html
|
||||||
Acknowledgment:
|
Acknowledgement:
|
||||||
- Person: Moriarty (Execution)
|
- Person: Moriarty (Execution)
|
||||||
Handle: '@moriarty_meng'
|
Handle: '@moriarty_meng'
|
||||||
- Person: r0lan (Obfuscation)
|
- Person: r0lan (Obfuscation)
|
||||||
|