public-mirrors/LOLBAS
1
0
Fork 0
mirror of https://github.com/LOLBAS-Project/LOLBAS synced 2025-07-26 04:04:09 +02:00
Code Issues Projects Releases Wiki Activity

Minor adjustments to be yaml compliant

Browse Source
This commit is contained in:
Oddvar Moe
2018-09-24 23:18:00 +02:00
parent 37cc1ee83e
commit f8fec9849b
12 changed files with 60 additions and 55 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
yml/OSLibraries/Advpack.yml
View File

@@ -49,7 +49,7 @@ Code Sample:
- Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Advpack.inf
- Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Advpack_calc.sct
Detection:
- IOC: ''
- IOC:
Resources:
- Link: https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/
- Link: https://twitter.com/ItsReallyNick/status/967859147977850880
@@ -63,5 +63,5 @@ Acknowledgment:
- Person: Moriarty (RegisterOCX - CMD)
Handle: '@moriarty_meng'
- Person: Nick Carr (Threat Intel)
Handle: @ItsReallyNick
---
Handle: '@ItsReallyNick'
---

10
yml/OSLibraries/Setupapi.yml
View File

@@ -10,7 +10,7 @@ Commands:
Category: AWL Bypass
Privileges: User
MitreID: T1085
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
MitreLink: https://attack.mitre.org/wiki/Technique/T1085
OperatingSystem: Windows
- Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\\Tools\\calc_exe.inf
Description: Launch an executable file via the InstallHinfSection function and .inf file section directive.
@@ -18,7 +18,7 @@ Commands:
Category: Execution
Privileges: User
MitreID: T1085
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
MitreLink: https://attack.mitre.org/wiki/Technique/T1085
OperatingSystem: Windows
Full Path:
- Path: c:\windows\system32\setupapi.dll
@@ -29,7 +29,7 @@ Code Sample:
- Code: https://gist.githubusercontent.com/enigma0x3/469d82d1b7ecaf84f4fb9e6c392d25ba/raw/6cb52b88bcc929f5555cd302d9ed848b7e407052/Backdoor-Minimalist.sct
- Code: https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf
Detection:
- IOC: ''
- IOC:
Resources:
- Link: https://github.com/huntresslabs/evading-autoruns
- Link: https://twitter.com/pabraeken/status/994742106852941825
@@ -42,5 +42,5 @@ Acknowledgment:
- Person: Casey Smith (COM Scriptlet)
Handle: '@subTee'
- Person: Nick Carr (Threat Intel)
Handle: @ItsReallyNick
---
Handle: '@ItsReallyNick'
---

10
yml/OSLibraries/Syssetup.yml
View File

@@ -6,11 +6,11 @@ Created: '2018-05-25'
Commands:
- Command: rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\test\shady.inf
Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified).
UseCase: Run local or remote script(let) code through INF file specification (Note: May pop an error window).
UseCase: Run local or remote script(let) code through INF file specification (Note May pop an error window).
Category: AWL Bypass
Privileges: User
MitreID: T1085
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
MitreLink: https://attack.mitre.org/wiki/Technique/T1085
OperatingSystem: Windows
- Command: rundll32 syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\temp\something.inf
Description: Launch an executable file via the SetupInfObjectInstallAction function and .inf file section directive.
@@ -18,7 +18,7 @@ Commands:
Category: Execution
Privileges: User
MitreID: T1085
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
MitreLink: https://attack.mitre.org/wiki/Technique/T1085
OperatingSystem: Windows
Full Path:
- Path: c:\windows\system32\syssetup.dll
@@ -28,7 +28,7 @@ Code Sample:
- Code: https://gist.github.com/enigma0x3/469d82d1b7ecaf84f4fb9e6c392d25ba#file-backdoor-minimalist-sct
- Code: https://gist.github.com/homjxi0e/87b29da0d4f504cb675bb1140a931415
Detection:
- IOC: ''
- IOC:
Resources:
- Link: https://twitter.com/pabraeken/status/994392481927258113
- Link: https://twitter.com/harr0ey/status/975350238184697857
@@ -41,4 +41,4 @@ Acknowledgment:
Handle: '@harr0ey'
- Person: Jimmy (Scriptlet)
Handle: '@bohops'
---
---