diff --git a/yml/LOLUtilz/OSBinaries/Explorer.yml b/yml/LOLUtilz/OSBinaries/Explorer.yml
index bcd987d..362816d 100644
--- a/yml/LOLUtilz/OSBinaries/Explorer.yml
+++ b/yml/LOLUtilz/OSBinaries/Explorer.yml
@@ -3,7 +3,6 @@ Name: Explorer.exe
 Description: Execute
 Author: ''
 Created: 2018-05-25
-Categories: []
 Commands:
 - Command: explorer.exe calc.exe
 Description: 'Executes calc.exe as a subprocess of explorer.exe.'
diff --git a/yml/LOLUtilz/OSBinaries/Netsh.yml b/yml/LOLUtilz/OSBinaries/Netsh.yml
index 7e4ce80..bb00211 100644
--- a/yml/LOLUtilz/OSBinaries/Netsh.yml
+++ b/yml/LOLUtilz/OSBinaries/Netsh.yml
@@ -3,7 +3,6 @@ Name: Netsh.exe
 Description: Execute, Surveillance
 Author: ''
 Created: 2018-05-25
-Categories: []
 Commands:
 - Command: |
 netsh.exe trace start capture=yes filemode=append persistent=yes tracefile=\\server\share\file.etl IPv4.Address=!()
diff --git a/yml/LOLUtilz/OSBinaries/Nltest.yml b/yml/LOLUtilz/OSBinaries/Nltest.yml
index 4288719..38b00df 100644
--- a/yml/LOLUtilz/OSBinaries/Nltest.yml
+++ b/yml/LOLUtilz/OSBinaries/Nltest.yml
@@ -3,7 +3,6 @@ Name: Nltest.exe
 Description: Credentials
 Author: ''
 Created: 2018-05-25
-Categories: []
 Commands:
 - Command: nltest.exe /SERVER:192.168.1.10 /QUERY
 Description: ''
diff --git a/yml/LOLUtilz/OSBinaries/Openwith.yml b/yml/LOLUtilz/OSBinaries/Openwith.yml
index 656dc31..97600aa 100644
--- a/yml/LOLUtilz/OSBinaries/Openwith.yml
+++ b/yml/LOLUtilz/OSBinaries/Openwith.yml
@@ -3,7 +3,6 @@ Name: Openwith.exe
 Description: Execute
 Author: ''
 Created: 2018-05-25
-Categories: []
 Commands:
 - Command: OpenWith.exe /c C:\test.hta
 Description: Opens the target file with the default application.
diff --git a/yml/LOLUtilz/OSBinaries/Powershell.yml b/yml/LOLUtilz/OSBinaries/Powershell.yml
index dfcc47b..da89149 100644
--- a/yml/LOLUtilz/OSBinaries/Powershell.yml
+++ b/yml/LOLUtilz/OSBinaries/Powershell.yml
@@ -3,7 +3,6 @@ Name: Powershell.exe
 Description: Execute, Read ADS
 Author: ''
 Created: 2018-05-25
-Categories: []
 Commands:
 - Command: powershell -ep bypass - < c:\temp:ttt
 Description: Execute the encoded PowerShell command stored in an Alternate Data Stream (ADS).
diff --git a/yml/LOLUtilz/OSBinaries/Psr.yml b/yml/LOLUtilz/OSBinaries/Psr.yml
index eeafb02..7d529ed 100644
--- a/yml/LOLUtilz/OSBinaries/Psr.yml
+++ b/yml/LOLUtilz/OSBinaries/Psr.yml
@@ -3,7 +3,6 @@ Name: Psr.exe
 Description: Surveillance
 Author: ''
 Created: 2018-05-25
-Categories: []
 Commands:
 - Command: psr.exe /start /gui 0 /output c:\users\user\out.zip
 Description: Capture screenshots of the desktop and save them in the target .ZIP file.
diff --git a/yml/LOLUtilz/OSBinaries/Robocopy.yml b/yml/LOLUtilz/OSBinaries/Robocopy.yml
index a14102d..ceecc8b 100644
--- a/yml/LOLUtilz/OSBinaries/Robocopy.yml
+++ b/yml/LOLUtilz/OSBinaries/Robocopy.yml
@@ -3,7 +3,6 @@ Name: Robocopy.exe
 Description: Copy
 Author: ''
 Created: 2018-05-25
-Categories: []
 Commands:
 - Command: Robocopy.exe C:\SourceFolder C:\DestFolder
 Description: Copy the entire contents of the SourceFolder to the DestFolder.
diff --git a/yml/LOLUtilz/OtherBinaries/AcroRd32.yml b/yml/LOLUtilz/OtherBinaries/AcroRd32.yml
index 81af1bd..0e0b27f 100644
--- a/yml/LOLUtilz/OtherBinaries/AcroRd32.yml
+++ b/yml/LOLUtilz/OtherBinaries/AcroRd32.yml
@@ -3,7 +3,6 @@ Name: AcroRd32.exe
 Description: Execute
 Author: ''
 Created: 2018-05-25
-Categories: []
 Commands:
 - Command: Replace C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe by your binary
 Description: Hijack RdrCEF.exe with a payload executable to launch when opening Adobe
diff --git a/yml/LOLUtilz/OtherBinaries/Gpup.yml b/yml/LOLUtilz/OtherBinaries/Gpup.yml
index a704097..43332a2 100644
--- a/yml/LOLUtilz/OtherBinaries/Gpup.yml
+++ b/yml/LOLUtilz/OtherBinaries/Gpup.yml
@@ -3,7 +3,6 @@ Name: Gpup.exe
 Description: Execute
 Author: ''
 Created: 2018-05-25
-Categories: []
 Commands:
 - Command: Gpup.exe -w whatever -e c:\Windows\System32\calc.exe
 Description: Execute another command through gpup.exe (Notepad++ binary).
diff --git a/yml/LOLUtilz/OtherBinaries/Nlnotes.yml b/yml/LOLUtilz/OtherBinaries/Nlnotes.yml
index 0e9615e..c33ccf4 100644
--- a/yml/LOLUtilz/OtherBinaries/Nlnotes.yml
+++ b/yml/LOLUtilz/OtherBinaries/Nlnotes.yml
@@ -3,7 +3,6 @@ Name: Nlnotes.exe
 Description: Execute
 Author: ''
 Created: 2018-05-25
-Categories: []
 Commands:
 - Command: NLNOTES.EXE /authenticate "=N:\Lotus\Notes\Data\notes.ini" -Command if((Get-ExecutionPolicy ) -ne AllSigned) { Set-ExecutionPolicy -Scope Process Bypass }
 Description: Run PowerShell via LotusNotes.
diff --git a/yml/LOLUtilz/OtherBinaries/Notes.yml b/yml/LOLUtilz/OtherBinaries/Notes.yml
index 479ae55..1b0bbab 100644
--- a/yml/LOLUtilz/OtherBinaries/Notes.yml
+++ b/yml/LOLUtilz/OtherBinaries/Notes.yml
@@ -3,7 +3,6 @@ Name: Notes.exe
 Description: Execute
 Author: ''
 Created: 2018-05-25
-Categories: []
 Commands:
 - Command: Notes.exe "=N:\Lotus\Notes\Data\notes.ini" -Command if((Get-ExecutionPolicy) -ne AllSigned) { Set-ExecutionPolicy -Scope Process Bypass }
 Description: Run PowerShell via LotusNotes.
diff --git a/yml/LOLUtilz/OtherBinaries/Nvudisp.yml b/yml/LOLUtilz/OtherBinaries/Nvudisp.yml
index d0d439d..c3fdbcf 100644
--- a/yml/LOLUtilz/OtherBinaries/Nvudisp.yml
+++ b/yml/LOLUtilz/OtherBinaries/Nvudisp.yml
@@ -3,7 +3,6 @@ Name: Nvudisp.exe
 Description: Execute, Copy, Add registry, Create shortcut, kill process
 Author: ''
 Created: 2018-05-25
-Categories: []
 Commands:
 - Command: Nvudisp.exe System calc.exe
 Description: Execute calc.exe as a subprocess.
diff --git a/yml/LOLUtilz/OtherBinaries/Nvuhda6.yml b/yml/LOLUtilz/OtherBinaries/Nvuhda6.yml
index f7961f8..0d696a6 100644
--- a/yml/LOLUtilz/OtherBinaries/Nvuhda6.yml
+++ b/yml/LOLUtilz/OtherBinaries/Nvuhda6.yml
@@ -3,7 +3,6 @@ Name: Nvuhda6.exe
 Description: Execute, Copy, Add registry, Create shortcut, kill process
 Author: ''
 Created: 2018-05-25
-Categories: []
 Commands:
 - Command: nvuhda6.exe System calc.exe
 Description: Execute calc.exe as a subprocess.
diff --git a/yml/LOLUtilz/OtherBinaries/ROCCAT_Swarm.yml b/yml/LOLUtilz/OtherBinaries/ROCCAT_Swarm.yml
index f5cf18d..8c97780 100644
--- a/yml/LOLUtilz/OtherBinaries/ROCCAT_Swarm.yml
+++ b/yml/LOLUtilz/OtherBinaries/ROCCAT_Swarm.yml
@@ -3,7 +3,6 @@ Name: ROCCAT_Swarm.exe
 Description: Execute
 Author: ''
 Created: 2018-05-25
-Categories: []
 Commands:
 - Command: Replace ROCCAT_Swarm_Monitor.exe with your binary.exe
 Description: Hijack ROCCAT_Swarm_Monitor.exe and launch payload when executing ROCCAT_Swarm.exe
diff --git a/yml/LOLUtilz/OtherBinaries/Setup.yml b/yml/LOLUtilz/OtherBinaries/Setup.yml
index 0dac609..8c775f1 100644
--- a/yml/LOLUtilz/OtherBinaries/Setup.yml
+++ b/yml/LOLUtilz/OtherBinaries/Setup.yml
@@ -3,7 +3,6 @@ Name: Setup.exe
 Description: Execute
 Author: ''
 Created: 2018-05-25
-Categories: []
 Commands:
 - Command: Run Setup.exe
 Description: Hijack hpbcsiServiceMarshaller.exe and run Setup.exe to launch a payload.
diff --git a/yml/LOLUtilz/OtherBinaries/Usbinst.yml b/yml/LOLUtilz/OtherBinaries/Usbinst.yml
index 4c31160..3cfaf97 100644
--- a/yml/LOLUtilz/OtherBinaries/Usbinst.yml
+++ b/yml/LOLUtilz/OtherBinaries/Usbinst.yml
@@ -3,7 +3,6 @@ Name: Usbinst.exe
 Description: Execute
 Author: ''
 Created: 2018-05-25
-Categories: []
 Commands:
 - Command: Usbinst.exe InstallHinfSection "DefaultInstall 128 c:\temp\calc.inf"
 Description: Execute calc.exe through DefaultInstall Section Directive in INF file.
diff --git a/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml b/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml
index 593dea1..f264cb8 100644
--- a/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml
+++ b/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml
@@ -3,7 +3,6 @@ Name: VBoxDrvInst.exe
 Description: Persistence
 Author: ''
 Created: 2018-05-25
-Categories: []
 Commands:
 - Command: VBoxDrvInst.exe driver executeinf c:\temp\calc.inf
 Description: Set registry key-value for persistance via INF file call through VBoxDrvInst.exe
diff --git a/yml/LOLUtilz/OtherScripts/Testxlst.yml b/yml/LOLUtilz/OtherScripts/Testxlst.yml
index 029eee3..2fa25ed 100644
--- a/yml/LOLUtilz/OtherScripts/Testxlst.yml
+++ b/yml/LOLUtilz/OtherScripts/Testxlst.yml
@@ -6,14 +6,14 @@ Created: 2018-05-25
 Commands:
 - Command: cscript testxlst.js C:\test\test.xml c:\test\test.xls c:\test\test.out
 Description: Test Jscript included in Python tool to perform XSL transform (for payload execution).
- Categories: Execution
+ Category: Execution
 Privileges: User
 MitreID: T1064
 MitreLink: https://attack.mitre.org/wiki/Technique/T1064
 OperatingSystem: Windows
- Command: wscript testxlst.js C:\test\test.xml c:\test\test.xls c:\test\test.out
 Description: Test Jscript included in Python tool to perform XSL transform (for payload execution).
- Categories: Execution
+ Category: Execution
 Privileges: User
 MitreID: T1064
 MitreLink: https://attack.mitre.org/wiki/Technique/T1064
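Review bot: Renaming the per-command key from `Categories` to `Category` in both entries of Testxlst.yml is the only hunk in this diff where the key carries a value, so it changes the schema for any consumer keyed on `Categories`, while the other seventeen hunks only drop an empty top-level `Categories: []`; presumably the two are meant as one schema change from a list to a single string, but nothing in the diff updates a loader, template or schema description to match. If the per-command entries in the other OSBinaries/OtherBinaries files still carry `Categories`, they are now inconsistent with this file; those lines are outside the hunks shown, so this cannot be confirmed here. A short note wherever the yml schema is documented, e.g. `# Category: one category string per command entry (formerly Categories)`, would make the intended shape explicit for contributors.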