Commit Graph

338 Commits

Author SHA1 Message Date
whickey-r7
b381d04faf
Create AppInstaller.yml
New lolbin for downloading files in Windows 10.
2020-12-02 11:35:49 -05:00
unload
bfe248b07e
Create DataSvcUtil.yml
Another data exfil way with lolbins
2020-12-01 22:57:09 -03:00
Nasreddine Bencherchali
15d5ff302d
Create Dllhost.yml 2020-11-07 14:22:24 +01:00
jesgal
483482e3a3
Create Upload.yml
File describing the execution of LolBin Update.exe deployed with the installation of Whatsapp on Windows operating systems.
2020-11-01 20:09:41 +01:00
jesgal
4c67be51c1
Delete Update.yml 2020-11-01 20:05:25 +01:00
jesgal
748cfb4223
Merge pull request #2 from jesgal/jesgal-persistence-update
Update Update.yml
2020-11-01 19:53:13 +01:00
jesgal
31c7d34a00
Create Update.yml
This file describes LoLbin Update.exe deployed in the Whatsapp installation for Windows Operating Systems.
2020-11-01 19:50:59 +01:00
jesgal
9642f81be7
Update Update.yml
I update this LolBin to create persistence of payload.exe in the directory "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup" by running payload.exe with the arguments "--createShortcut" and "--removeShortcut".
2020-10-29 09:12:28 +01:00
Conor Richard
d15172284a
Merge pull request #101 from leo1-1/master
added command to certutil
2020-10-26 19:44:53 -04:00
Conor Richard
5806d33e70
Update Certutil.yml 2020-10-26 19:43:55 -04:00
leo1-1
64d5dffc4b
Delete certutil.yml 2020-10-26 08:59:00 +02:00
leo1-1
76d79ea479
Update Certutil 2020-10-26 08:57:42 +02:00
leo1-1
2166960d4e
changed path 2020-10-26 08:22:58 +02:00
Conor Richard
9a83179ddd
Merge pull request #99 from dtmsecurity/master
Create Wuauclt.yml
2020-10-24 22:29:34 -04:00
Conor Richard
edbd01860c
Merge pull request #97 from MartinSohn/master
Create Coregen.yml - Thank you for the contribution!
2020-10-24 21:49:09 -04:00
Conor Richard
04c0e7ee38
Update Explorer.yml
Fixing alignment in Acknowledgement section
2020-10-22 22:00:05 -04:00
xenoscr
de169664d6 Fixing missing quotes 2020-10-22 21:51:57 -04:00
Conor Richard
b61cd18072
Merge pull request #94 from checkymander/master
Create DefaultPack.yml
2020-10-22 21:19:50 -04:00
Conor Richard
4f19dbba19
Merge pull request #93 from C3dr1cMFE/add_MpCmdRun_Bypass
Update MpCmdRun.yml
2020-10-22 21:05:37 -04:00
Conor Richard
d281faccd3
Merge pull request #92 from whickey-r7/patch-1
Update Xwizard.yml
2020-10-22 20:57:55 -04:00
Conor Richard
9a6309d8de
Update ConfigSecurityPolicy.yml
Added link to Tweet from author containing an example usage.
2020-10-22 20:38:50 -04:00
@dtmsecurity
651e156583
Create Wuauclt.yml 2020-10-12 19:24:45 +01:00
Martin
47c03c97b8
Typo 2020-10-10 19:54:50 +00:00
Martin
22d9bbe92a
Initial commit of Coregen.yml 2020-10-09 17:10:49 +02:00
checkymander
a45d4ca25c
Create DefaultPack.yml
Added DefaultPack.EXE LOLBin
2020-10-01 22:37:00 -04:00
Cochin, Cedric
13026a481b Update MpCmdRun.yml
DownloadFile option has been removed from current MpCmdRun.exe, but old binary remains on disk. Defender cmd line mitigation can be bypassed by simply renaming the binary in a folder controlled by the attacker
2020-09-24 14:09:58 -07:00
whickey-r7
11aa1e503b
Update Xwizard.yml
This lolbin has functionality which allows downloading of files from the internet as well as previously outlined execution functionality.
2020-09-16 16:34:47 +00:00
unload
6a5af9a71c
Create ConfigSecurityPolicy.yml 2020-09-04 07:54:44 -03:00
Rich Rumble
1b00b374b3
Updated per suggestion
Thanks!
2020-09-03 11:46:25 -04:00
Rich Rumble
3078cc3755
Update MpCmdRun.yml
Added note that slashes (/) can also be used as command separators, and that the UA is MpCommunication
Thanks!
2020-09-03 10:39:24 -04:00
Oddvar Moe
63c9bc97c3 Added detection details on mpcmdrun 2020-09-03 15:29:32 +02:00
Oddvar Moe
5c5a218faf Updated links on mpcmdrun 2020-09-03 11:00:56 +02:00
Oddvar Moe
bfccb51085 Added MpCmdRun.exe 2020-09-03 10:55:37 +02:00
Oddvar Moe
9a5e2b114f Fixed the OS versions on Diantz 2020-09-03 10:28:49 +02:00
Oddvar Moe
38a3d406b0
Update and rename pktmon.yml to Pktmon.yml 2020-08-24 09:51:48 +02:00
Oddvar Moe
2bb6404160
Merge pull request #82 from binar-x79/patch-1
Create pktmon.yml
2020-08-24 09:49:44 +02:00
Oddvar Moe
525fc0c1eb Added missing ticks in Diantz 2020-08-24 09:48:07 +02:00
Oddvar Moe
9b290ba808
Update and rename diantz.yml to Diantz.yml 2020-08-24 09:46:09 +02:00
Oddvar Moe
48219b177f
Merge pull request #80 from Tamirye/master
Create diantz.yml
2020-08-24 09:45:12 +02:00
Oddvar Moe
c5c6820c56
Rename agentexecutor.yml to Agentexecutor.yml 2020-08-24 09:42:07 +02:00
Oddvar Moe
a7da0deddd
Merge pull request #77 from leftp/master
Added method for AgentExecutor
2020-08-24 09:41:22 +02:00
Oddvar Moe
57346d17f4 Changed capitalization inside file 2020-08-24 09:34:56 +02:00
Oddvar Moe
4792d22ddd
Rename vbc.yml to Vbc.yml 2020-08-24 09:33:37 +02:00
Oddvar Moe
380b8cfecd
Rename ilasm.yml to Ilasm.yml 2020-08-24 09:33:22 +02:00
Oddvar Moe
fa3710ede5
Rename certreq.yml to Certreq.yml 2020-08-24 09:32:54 +02:00
Oddvar Moe
a104fbd075
Merge pull request #75 from dtmsecurity/master
Create certreq.yml
2020-08-24 09:30:16 +02:00
Oddvar Moe
2cf7d8cdeb Adjusted missing ticks in Acknowledgement 2020-08-24 09:28:38 +02:00
Oddvar Moe
84a6cd8e85
Merge pull request #66 from GoSecure/gosecure/ttdinject
Added proxy execution for ttdinject.exe
2020-08-24 09:25:29 +02:00
Oddvar Moe
8cf6ef53fb
Rename squirrel.yml to Squirrel.yml 2020-08-15 00:27:11 +02:00
Oddvar Moe
39f55359ef
Rename update.yml to Update.yml 2020-08-15 00:26:53 +02:00
Oddvar Moe
020416d098
Delete Update.yml 2020-08-15 00:26:35 +02:00
Oddvar Moe
4c44d039a1
Merge pull request #81 from jreegun/patch-6
Update update.yml
2020-08-15 00:24:45 +02:00
Oddvar Moe
b592be6027
Update Manage-bde.yml
Remove extra -
2020-08-15 00:17:27 +02:00
Oddvar Moe
2dabdb0840 adjusted extrac32 yml error 2020-08-15 00:13:16 +02:00
Oddvar Moe
a24bc5b946
Merge pull request #79 from LuxNoBulIshit/master
add new usecase for Extrac32.exe
2020-08-15 00:05:37 +02:00
Oddvar Moe
631996950a
Update Extrac32.yml 2020-08-15 00:05:16 +02:00
binar-x79
eb0279838b
Create pktmon.yml 2020-08-12 22:04:03 -07:00
Reegun J
ed1e113460
Update update.yml
Hi, I have updated with new findings - Reegun
2020-08-10 11:31:48 +08:00
Tamirye
4db780e0f0
Create diantz.yml
Use diantz.exe to download and compress a binary file from a remote server/internet, or use it to store a file in an Alternate Data Stream.
2020-08-08 15:09:53 +03:00
LuxNoBu!!shit
be19ca53ed
Update Extrac32.yml 2020-08-08 15:02:05 +03:00
LuxNoBu!!shit
2450b9fc0a
Update Extrac32.yml 2020-08-08 15:01:46 +03:00
LuxNoBu!!shit
3a3d28e496
Update Extrac32.yml
Another use case for extrac32.
2020-08-08 14:59:15 +03:00
Chris "Lopi" Spehn
689c3b1fea
Update Regsvcs.yml
Fixed inaccurate permissions
2020-08-04 07:40:48 -06:00
Eleftherios Panos
3710c1c972 Added method for AgentExecutor 2020-07-23 13:58:30 +03:00
@dtmsecurity
aa88bf8144 Create certreq.yml 2020-07-07 21:09:06 +01:00
Maxime Nadeau
640e7f2d65 Added a Windows 10 2004 version 2020-07-03 16:59:53 -04:00
bohops
343a0e2478
Added plain explorer execution 2020-07-03 15:03:07 -04:00
bohops
92f020b885
Added dotnet msbuild awl bypass technique 2020-07-03 14:56:06 -04:00
bohops
a976eaefe1
Updated Mitre Reference - T1096 2020-07-03 10:35:01 -04:00
bohops
f1a7ad92dd
Changed privilege level for registration 2020-07-03 10:24:34 -04:00
bohops
e316cb4842
Delete Slmgr - COM Hijacks are too broad 2020-07-03 10:15:06 -04:00
bohops
12cdb47285
Removed COM Hijack 2020-07-03 10:07:18 -04:00
bohops
17a34e27f6
Added Twitter reference for use "in-the-wild" 2020-07-03 10:03:42 -04:00
Oddvar Moe
cb3a45008e Added regini.exe writing to registry using ADS 2020-07-03 15:40:58 +02:00
Oddvar Moe
420860e5f7 Adjusted some missing quotes and stuff on Desktopimgdownldr 2020-07-03 15:05:33 +02:00
Oddvar Moe
7dfbc7af67
Update and rename desktopimgdownldr.yml to Desktopimgdownldr.yml
Changed capitalization
2020-07-03 15:04:09 +02:00
Oddvar Moe
c5866efc41
Merge pull request #74 from Kristal-g/master
Added desktopimgdownldr.exe
2020-07-03 15:03:10 +02:00
Oddvar Moe
dac58c312f Fixed some missing quotes and stuff on psr.exe 2020-07-03 14:59:50 +02:00
Oddvar Moe
17db28c643
Merge pull request #73 from Lemonada/master
Add psr.exe
2020-07-03 14:58:26 +02:00
Oddvar Moe
416680941d
Rename explorer.yml to Explorer.yml
Changed capitalization
2020-07-03 14:52:29 +02:00
Oddvar Moe
8bb57e1ac5
Merge pull request #72 from JPMinty/master
Create explorer.yml
2020-07-03 14:50:07 +02:00
Oddvar Moe
c31053e6bd
Merge pull request #70 from cnotin/patch-1
sqldumper: minor fix mis-typed words
2020-07-03 14:34:02 +02:00
Oddvar Moe
8ce4c1497d
Merge pull request #64 from noraj/patch-1
Download for ftp.exe
2020-07-03 14:08:32 +02:00
Oddvar Moe
794d3c04cc Added Acknowledgement to rundll32 2020-07-03 14:03:51 +02:00
Oddvar Moe
604eb45fb4
Merge pull request #61 from MartinIngesen/master
Using rundll32 to execute dll from a SMB share
2020-07-03 14:01:12 +02:00
Kristal-g
fd01a9151a Added desktopimgdownldr.exe 2020-07-02 20:46:05 +03:00
Lemonada
2a5a4e391d
Create Psr.yml
take screenshots of user sessions
2020-06-27 14:51:07 +03:00
JPMinty
663724523f Update explorer.yml 2020-06-24 21:15:40 +09:30
JPMinty
dec26ada21 Create explorer.yml 2020-06-24 21:09:59 +09:30
Clément Notin
ae3d9b9b6b
sqldumper: minor fix mis-typed words 2020-06-15 23:33:34 +02:00
Maxime Nadeau
b95fb7ed27 Added the IOCs 2020-05-12 16:40:49 -04:00
Maxime Nadeau
b8b265b397 Added ttdinject 2020-05-12 16:31:47 -04:00
Maxime Nadeau
5de8d357b6 Added ttdinject.exe 2020-05-12 16:24:49 -04:00
Alexandre ZANNI
aef4b06952
Download for ftp.exe
add a non-interactive one-line command to download an arbitrary binary with ftp.exe
excessively useful on Windows XP & Windows Server 2003, where all other LOLBAS that allow download (certutils, bitsutils, etc.) don't exist and where powershell was not installed by default.
2020-04-21 23:52:22 +02:00
Oddvar Moe
9722cceb9e Added download example to wsl.exe 2020-03-25 11:33:02 +01:00
Oddvar Moe
9f110bce07 Fixed missing octet in command 2020-03-25 11:24:54 +01:00
Oddvar Moe
6ac04d73d7 Added examples to bash.exe 2020-03-25 11:08:13 +01:00
Oddvar Moe
f2fa2ef989 Added additional example to wsl.exe 2020-03-25 10:26:59 +01:00
Chris "Lopi" Spehn
d67c8f5c11
Update RegAsm to the correct permissions 2020-03-20 11:51:21 -06:00
Martin Ingesen
e4face79af Using rundll32 to execute dll via SMB 2020-03-18 15:20:50 +01:00
Oddvar Moe
cce7c5ce3a Adjusted error in atbroker as per issue #47 2020-03-17 11:08:47 +01:00
Oddvar Moe
94d10799d3 Adjusted ilasm 2020-03-17 11:05:14 +01:00
Oddvar Moe
187786469c
Merge pull request #60 from LuxNoBulIshit/master
Create ilasm.yml
2020-03-17 10:57:53 +01:00
Oddvar Moe
dc3a211c89 Re-added ntdsutil 2020-03-17 10:55:59 +01:00
LuxNoBu!!shit
7a2ff4c250
Create ilasm.yml 2020-03-17 03:04:20 +02:00
Oddvar Moe
4bef10b147 adjusted rasautou and removed ntdsutil 2020-03-16 20:10:17 +01:00
Oddvar Moe
80295ef865
Merge pull request #54 from ForensicITGuy/ntdsutil
Ntdsutil & Rasautou addition
2020-03-16 20:06:54 +01:00
Oddvar Moe
81c363ac8a Adjustment to vbc.yml contribution 2020-03-16 19:55:27 +01:00
leo1-1
c7c93e9f95
Create vbc.yml 2020-02-27 17:13:07 +02:00
Oddvar Moe
acecdcf3df Netsh contribution from Freddie Bar-Smith - Thank you 2020-01-23 09:07:40 +01:00
Oddvar Moe
94708ac5d6 Added links to obfuscation technique from Sailay(valen) on rundll32 2020-01-23 08:57:43 +01:00
Tony M Lambert
e2f217c777 ntdsutil addition 2020-01-10 22:53:34 -06:00
Tony M Lambert
99b87fdc13 Rasautou addition 2020-01-10 22:52:15 -06:00
Oddvar Moe
ecc94c2d09 Adjusted GfxDownloadWrapper 2020-01-07 09:08:13 +01:00
Oddvar Moe
71aec7465b Minor adjustments to GfxDownloadWrapper.yml 2020-01-07 09:03:42 +01:00
Oddvar Moe
aada926e6f
Merge pull request #52 from jesgal/patch-1
Create GfxDownloadWrapper.yml
2020-01-07 09:00:58 +01:00
Oddvar Moe
22ef6bfc63 Added additional paths to CL_MutexVerifiers.ps1 - input from @shilpeshTrivedi 2020-01-07 08:45:25 +01:00
Oddvar Moe
7030e00929 Capitalized dotnet name 2020-01-07 08:40:24 +01:00
Oddvar Moe
e1b36a25bd
Rename dotnet.yml to Dotnet.yml 2020-01-07 08:37:36 +01:00
Oddvar Moe
acd38cec9e
Merge pull request #49 from felamos/master
Create dotnet.yml
2020-01-07 08:32:35 +01:00
jesgal
c9e608ce0f
Update GfxDownloadWrapper.yml 2019-12-27 17:11:30 +01:00
jesgal
a057cf2420
Create GfxDownloadWrapper.yml
GfxDownloadWrapper.exe downloads the content that returns <URL> and writes it to the file <DESTINATION FILE PATH>. The binary is signed by "Microsoft Windows Hardware", "Compatibility Publisher", "Microsoft Windows Third Party Component CA 2012", "Microsoft Time-Stamp PCA 2010", "Microsoft Time-Stamp Service".
2019-12-27 17:02:34 +01:00
Ayush Sahay
5cb17cfb26
Create dotnet.yml 2019-12-11 15:53:12 +05:30
Oddvar Moe
94a295213e Added Dump example to TTTracer.exe 2019-11-18 12:50:49 +01:00
Oddvar Moe
e0db5721ff Added Dump Example to TTTracer.exe 2019-11-18 12:47:51 +01:00
Oddvar Moe
4663c13324 Adjustment 2019-11-05 15:47:20 +01:00
Oddvar Moe
8d74b3062f Adjustment 2019-11-05 14:36:53 +01:00
Oddvar Moe
f9a7c42a85 Added TTTracer.exe - Thanks Onur Ulusoy 2019-11-05 12:12:46 +01:00
Oddvar Moe
13093c879e Updated odbcconf.exe with discovery from @Hexacorn <3 2019-10-24 10:01:44 +02:00
Oddvar Moe
cb9fa974dd
Merge pull request #46 from felamos/patch-1
Create devtoolslauncher.yml
2019-10-07 23:56:01 +02:00
Oddvar Moe
7469812286
Update and rename devtoolslauncher.yml to Devtoolslauncher.yml 2019-10-07 23:55:44 +02:00
Oddvar Moe
8eb582de42
Update At.yml 2019-10-07 23:51:26 +02:00
Ayush Sahay
134b272567
Update devtoolslauncher.yml 2019-10-07 12:15:47 +05:30
Ayush Sahay
0fe0504622
Update devtoolslauncher.yml 2019-10-04 10:20:38 +05:30
Ayush Sahay
48ed8f7914
Create devtoolslauncher.yml 2019-10-04 09:29:59 +05:30
freddie
9f47e26f16 Adding At.exe, for submission to LOLbas list, with proof of malware using it in the wild :O 2019-09-21 03:19:25 +01:00
Oddvar Moe
32757cd0c3 Added Office binaries from jreegun to the project. Pull request 42 2019-09-17 22:58:03 +02:00
Oddvar Moe
0644ac30d7 Added Office binaries from jreegun to the project. Pull request 42 2019-09-17 22:44:27 +02:00
Oddvar Moe
ed266c0983 Fixed some typos 2019-09-17 20:45:49 +02:00
Oddvar Moe
8762fc5735 Acknowledgement fix for comsvcs 2019-09-16 09:50:01 +02:00
Oddvar Moe
4ebf1ac4f7 Adjusted case sensitive type in yml file for Comsvcs 2019-09-16 09:44:14 +02:00
Oddvar Moe
11c6c7c48d Adjusted 2019-09-16 09:38:05 +02:00
plowsec
dd5df7cf3e
Add Comsvcs.yml: dump lsass via signed DLL. 2019-08-30 14:12:46 +02:00
Oddvar Moe
5b63815c0a Updated update and squirrel with updaterollback parameter 2019-07-02 09:06:19 +02:00
Oddvar Moe
8fcc9a105a Fixed spacing error 2019-06-28 18:07:24 +02:00
Oddvar Moe
8528caf21d Added Acknowledgement to wsl.exe 2019-06-28 18:05:34 +02:00
Oddvar Moe
f77b3b4019 Fixed spacing issue 2019-06-28 17:53:45 +02:00
Oddvar Moe
dd545693da
Merge pull request #40 from NotoriousRebel/master
Create Wsl.yml
2019-06-28 17:50:13 +02:00
NotoriousRebel
ff0155f599 Moved Wsl.yml location to OtherMSBinaries and added another example for possible usecases. 2019-06-28 09:20:56 -04:00
Oddvar Moe
e05ae6c051 Adjusted Update and Squirrel 2019-06-28 09:05:27 +02:00