whickey-r7
b381d04faf
Create AppInstaller.yml
...
New lolbin for downloading files in Windows 10.
2020-12-02 11:35:49 -05:00
unload
bfe248b07e
Create DataSvcUtil.yml
...
Another data exfil way with lolbins
2020-12-01 22:57:09 -03:00
Nasreddine Bencherchali
15d5ff302d
Create Dllhost.yml
2020-11-07 14:22:24 +01:00
jesgal
483482e3a3
Create Upload.yml
...
File describing the execution of LolBin Update.exe deployed with the installation of Whatsapp on Windows operating systems.
2020-11-01 20:09:41 +01:00
jesgal
4c67be51c1
Delete Update.yml
2020-11-01 20:05:25 +01:00
jesgal
748cfb4223
Merge pull request #2 from jesgal/jesgal-persistence-update
...
Update Update.yml
2020-11-01 19:53:13 +01:00
jesgal
31c7d34a00
Create Update.yml
...
This file describes LoLbin Update.exe deployed in the Whatsapp installation for Windows Operating Systems.
2020-11-01 19:50:59 +01:00
jesgal
9642f81be7
Update Update.yml
...
I update this LolBin to create persistence of payload.exe in the directory "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup" by running payload.exe with the argument "--createShortcut" and "--removeShortcut".
2020-10-29 09:12:28 +01:00
Conor Richard
d15172284a
Merge pull request #101 from leo1-1/master
...
added command to certutil
2020-10-26 19:44:53 -04:00
Conor Richard
5806d33e70
Update Certutil.yml
2020-10-26 19:43:55 -04:00
leo1-1
64d5dffc4b
Delete certutil.yml
2020-10-26 08:59:00 +02:00
leo1-1
76d79ea479
Update Certutil
2020-10-26 08:57:42 +02:00
leo1-1
2166960d4e
changed path
2020-10-26 08:22:58 +02:00
Conor Richard
9a83179ddd
Merge pull request #99 from dtmsecurity/master
...
Create Wuauclt.yml
2020-10-24 22:29:34 -04:00
Conor Richard
edbd01860c
Merge pull request #97 from MartinSohn/master
...
Create Coregen.yml - Thank you for the contribution!
2020-10-24 21:49:09 -04:00
Conor Richard
04c0e7ee38
Update Explorer.yml
...
Fixing alignment in Acknowledgement section
2020-10-22 22:00:05 -04:00
xenoscr
de169664d6
Finxing missing quotes
2020-10-22 21:51:57 -04:00
Conor Richard
b61cd18072
Merge pull request #94 from checkymander/master
...
Create DefaultPack.yml
2020-10-22 21:19:50 -04:00
Conor Richard
4f19dbba19
Merge pull request #93 from C3dr1cMFE/add_MpCmdRun_Bypass
...
Update MpCmdRun.yml
2020-10-22 21:05:37 -04:00
Conor Richard
d281faccd3
Merge pull request #92 from whickey-r7/patch-1
...
Update Xwizard.yml
2020-10-22 20:57:55 -04:00
Conor Richard
9a6309d8de
Update ConfigSecurityPolicy.yml
...
Added link to Tweet from author containing an example usage.
2020-10-22 20:38:50 -04:00
@dtmsecurity
651e156583
Create Wuauclt.yml
2020-10-12 19:24:45 +01:00
Martin
47c03c97b8
Typo
2020-10-10 19:54:50 +00:00
Martin
22d9bbe92a
Initial commit of Coregen.yml
2020-10-09 17:10:49 +02:00
checkymander
a45d4ca25c
Create DefaultPack.yml
...
Added DefaultPack.EXE LOLBin
2020-10-01 22:37:00 -04:00
Cochin, Cedric
13026a481b
Update MpCmdRun.yml
...
DownloadFile option has been removed from current MpCmdRun.exe, but old binary remains on disk. Defender cmd line mitigation can be bypassed by simply renaming the binary in a folder controlled by the attacker
2020-09-24 14:09:58 -07:00
whickey-r7
11aa1e503b
Update Xwizard.yml
...
This lolbin has functionality which allows downloading of files from the internet as well as previously outlined execution functionality.
2020-09-16 16:34:47 +00:00
unload
6a5af9a71c
Create ConfigSecurityPolicy.yml
2020-09-04 07:54:44 -03:00
Rich Rumble
1b00b374b3
Updated per suggestion
...
Thanks!
2020-09-03 11:46:25 -04:00
Rich Rumble
3078cc3755
Update MpCmdRun.yml
...
Added note that slashes (/) can also be used as command separators, and that the UA is MpCommunication
Thanks!
2020-09-03 10:39:24 -04:00
Oddvar Moe
63c9bc97c3
Added detection details on mpcmdrun
2020-09-03 15:29:32 +02:00
Oddvar Moe
5c5a218faf
Updated links on mpcmdrun
2020-09-03 11:00:56 +02:00
Oddvar Moe
bfccb51085
Added MpCmdRun.exe
2020-09-03 10:55:37 +02:00
Oddvar Moe
9a5e2b114f
Fixed the OS versions on Diantz
2020-09-03 10:28:49 +02:00
Oddvar Moe
38a3d406b0
Update and rename pktmon.yml to Pktmon.yml
2020-08-24 09:51:48 +02:00
Oddvar Moe
2bb6404160
Merge pull request #82 from binar-x79/patch-1
...
Create pktmon.yml
2020-08-24 09:49:44 +02:00
Oddvar Moe
525fc0c1eb
Added missing ticks in Diantz
2020-08-24 09:48:07 +02:00
Oddvar Moe
9b290ba808
Update and rename diantz.yml to Diantz.yml
2020-08-24 09:46:09 +02:00
Oddvar Moe
48219b177f
Merge pull request #80 from Tamirye/master
...
Create diantz.yml
2020-08-24 09:45:12 +02:00
Oddvar Moe
c5c6820c56
Rename agentexecutor.yml to Agentexecutor.yml
2020-08-24 09:42:07 +02:00
Oddvar Moe
a7da0deddd
Merge pull request #77 from leftp/master
...
Added method for AgentExecutor
2020-08-24 09:41:22 +02:00
Oddvar Moe
57346d17f4
Changed capitalization inside file
2020-08-24 09:34:56 +02:00
Oddvar Moe
4792d22ddd
Rename vbc.yml to Vbc.yml
2020-08-24 09:33:37 +02:00
Oddvar Moe
380b8cfecd
Rename ilasm.yml to Ilasm.yml
2020-08-24 09:33:22 +02:00
Oddvar Moe
fa3710ede5
Rename certreq.yml to Certreq.yml
2020-08-24 09:32:54 +02:00
Oddvar Moe
a104fbd075
Merge pull request #75 from dtmsecurity/master
...
Create certreq.yml
2020-08-24 09:30:16 +02:00
Oddvar Moe
2cf7d8cdeb
Adjusted missing ticks in Acknowledgement
2020-08-24 09:28:38 +02:00
Oddvar Moe
84a6cd8e85
Merge pull request #66 from GoSecure/gosecure/ttdinject
...
Added proxy execution for ttdinject.exe
2020-08-24 09:25:29 +02:00
Oddvar Moe
8cf6ef53fb
Rename squirrel.yml to Squirrel.yml
2020-08-15 00:27:11 +02:00
Oddvar Moe
39f55359ef
Rename update.yml to Update.yml
2020-08-15 00:26:53 +02:00
Oddvar Moe
020416d098
Delete Update.yml
2020-08-15 00:26:35 +02:00
Oddvar Moe
4c44d039a1
Merge pull request #81 from jreegun/patch-6
...
Update update.yml
2020-08-15 00:24:45 +02:00
Oddvar Moe
b592be6027
Update Manage-bde.yml
...
Remove extra -
2020-08-15 00:17:27 +02:00
Oddvar Moe
2dabdb0840
adjusted extrac32 yml error
2020-08-15 00:13:16 +02:00
Oddvar Moe
a24bc5b946
Merge pull request #79 from LuxNoBulIshit/master
...
add new usecase for Extrace32.exe
2020-08-15 00:05:37 +02:00
Oddvar Moe
631996950a
Update Extrac32.yml
2020-08-15 00:05:16 +02:00
binar-x79
eb0279838b
Create pktmon.yml
2020-08-12 22:04:03 -07:00
Reegun J
ed1e113460
Update update.yml
...
Hi, I have updated with new findings - Reegun
2020-08-10 11:31:48 +08:00
Tamirye
4db780e0f0
Create diantz.yml
...
use daintz.exe to download and compress a binary file from a remote server\internet or use it to store file in Alternate data stream.
2020-08-08 15:09:53 +03:00
LuxNoBu!!shit
be19ca53ed
Update Extrac32.yml
2020-08-08 15:02:05 +03:00
LuxNoBu!!shit
2450b9fc0a
Update Extrac32.yml
2020-08-08 15:01:46 +03:00
LuxNoBu!!shit
3a3d28e496
Update Extrac32.yml
...
another use case for extrace32.
2020-08-08 14:59:15 +03:00
Chris "Lopi" Spehn
689c3b1fea
Update Regsvcs.yml
...
Fixed inaccurate permissions
2020-08-04 07:40:48 -06:00
Eleftherios Panos
3710c1c972
Added method for AgentExecutor
2020-07-23 13:58:30 +03:00
@dtmsecurity
aa88bf8144
Create certreq.yml
2020-07-07 21:09:06 +01:00
Maxime Nadeau
640e7f2d65
Added a Windows 10 2004 version
2020-07-03 16:59:53 -04:00
bohops
343a0e2478
Added plain explorer execution
2020-07-03 15:03:07 -04:00
bohops
92f020b885
Added dotnet msbuild awl bypass technique
2020-07-03 14:56:06 -04:00
bohops
a976eaefe1
Updated Mitre Reference - T1096
2020-07-03 10:35:01 -04:00
bohops
f1a7ad92dd
Changed privilege level for registration
2020-07-03 10:24:34 -04:00
bohops
e316cb4842
Delete Slmgr - COM Hijacks are too broad
2020-07-03 10:15:06 -04:00
bohops
12cdb47285
Removed COM Hijack
2020-07-03 10:07:18 -04:00
bohops
17a34e27f6
Added Twitter reference for use "in-the-wild"
2020-07-03 10:03:42 -04:00
Oddvar Moe
cb3a45008e
Added regini.exe writing to registry using ADS
2020-07-03 15:40:58 +02:00
Oddvar Moe
420860e5f7
Adjusted some missing quotes and stuff on Dekstopimgdownldr
2020-07-03 15:05:33 +02:00
Oddvar Moe
7dfbc7af67
Update and rename desktopimgdownldr.yml to Desktopimgdownldr.yml
...
Changed capitalization
2020-07-03 15:04:09 +02:00
Oddvar Moe
c5866efc41
Merge pull request #74 from Kristal-g/master
...
Added desktopimgdownldr.exe
2020-07-03 15:03:10 +02:00
Oddvar Moe
dac58c312f
Fixed some missing quotes and stuff on psr.exe
2020-07-03 14:59:50 +02:00
Oddvar Moe
17db28c643
Merge pull request #73 from Lemonada/master
...
Add psr.exe
2020-07-03 14:58:26 +02:00
Oddvar Moe
416680941d
Rename explorer.yml to Explorer.yml
...
Changed capitalization
2020-07-03 14:52:29 +02:00
Oddvar Moe
8bb57e1ac5
Merge pull request #72 from JPMinty/master
...
Create explorer.yml
2020-07-03 14:50:07 +02:00
Oddvar Moe
c31053e6bd
Merge pull request #70 from cnotin/patch-1
...
sqldumper: minor fix mis-typed words
2020-07-03 14:34:02 +02:00
Oddvar Moe
8ce4c1497d
Merge pull request #64 from noraj/patch-1
...
Download for ftp.exe
2020-07-03 14:08:32 +02:00
Oddvar Moe
794d3c04cc
Added Acknowledgement to rundll32
2020-07-03 14:03:51 +02:00
Oddvar Moe
604eb45fb4
Merge pull request #61 from MartinIngesen/master
...
Using rundll32 to execute dll from a SMB share
2020-07-03 14:01:12 +02:00
Kristal-g
fd01a9151a
Added desktopimgdownldr.exe
2020-07-02 20:46:05 +03:00
Lemonada
2a5a4e391d
Create Psr.yml
...
take screenshots of user sessions
2020-06-27 14:51:07 +03:00
JPMinty
663724523f
Update explorer.yml
2020-06-24 21:15:40 +09:30
JPMinty
dec26ada21
Create explorer.yml
2020-06-24 21:09:59 +09:30
Clément Notin
ae3d9b9b6b
sqldumper: minor fix mis-typed words
2020-06-15 23:33:34 +02:00
Maxime Nadeau
b95fb7ed27
Added the IOCs
2020-05-12 16:40:49 -04:00
Maxime Nadeau
b8b265b397
Added ttdinject
2020-05-12 16:31:47 -04:00
Maxime Nadeau
5de8d357b6
Added ttdinject.exe
2020-05-12 16:24:49 -04:00
Alexandre ZANNI
aef4b06952
Download for ftp.exe
...
add a non-interactive one-line command to download arbitrary binary with ftp.exe
excessively useful on Windows XP, & Windows Server 2003 where all other LOLBAS that allow download (certutils, bitsutils, etc.) don't exist and where powershell was not install by default.
2020-04-21 23:52:22 +02:00
Oddvar Moe
9722cceb9e
Added download example to wsl.exe
2020-03-25 11:33:02 +01:00
Oddvar Moe
9f110bce07
Fixed missing octet in command
2020-03-25 11:24:54 +01:00
Oddvar Moe
6ac04d73d7
Added examples to bash.exe
2020-03-25 11:08:13 +01:00
Oddvar Moe
f2fa2ef989
Added additional example to wsl.exe
2020-03-25 10:26:59 +01:00
Chris "Lopi" Spehn
d67c8f5c11
Update RegAsm to the correct permissions
2020-03-20 11:51:21 -06:00
Martin Ingesen
e4face79af
Using rundll32 to execute dll via SMB
2020-03-18 15:20:50 +01:00
Oddvar Moe
cce7c5ce3a
Adjusted error in atbroker as per issue #47
2020-03-17 11:08:47 +01:00
Oddvar Moe
94d10799d3
Adjusted ilasm
2020-03-17 11:05:14 +01:00
Oddvar Moe
187786469c
Merge pull request #60 from LuxNoBulIshit/master
...
Create ilasm.yml
2020-03-17 10:57:53 +01:00
Oddvar Moe
dc3a211c89
Re-added ntdsutil
2020-03-17 10:55:59 +01:00
LuxNoBu!!shit
7a2ff4c250
Create ilasm.yml
2020-03-17 03:04:20 +02:00
Oddvar Moe
4bef10b147
adjusted rasautou and removed ntdsutil
2020-03-16 20:10:17 +01:00
Oddvar Moe
80295ef865
Merge pull request #54 from ForensicITGuy/ntdsutil
...
Ntdsutil & Rasautou addition
2020-03-16 20:06:54 +01:00
Oddvar Moe
81c363ac8a
Adjustment to vbc.yml contribution
2020-03-16 19:55:27 +01:00
leo1-1
c7c93e9f95
Create vbc.yml
2020-02-27 17:13:07 +02:00
Oddvar Moe
acecdcf3df
Netsh contribution from Freddie Bar-Smith - Thank you
2020-01-23 09:07:40 +01:00
Oddvar Moe
94708ac5d6
Added links to obfuscation technique from Sailay(valen) on rundll32
2020-01-23 08:57:43 +01:00
Tony M Lambert
e2f217c777
ntdsutil addition
2020-01-10 22:53:34 -06:00
Tony M Lambert
99b87fdc13
Rasautou addition
2020-01-10 22:52:15 -06:00
Oddvar Moe
ecc94c2d09
Adjusted GfxDownloadWrapper
2020-01-07 09:08:13 +01:00
Oddvar Moe
71aec7465b
Minor adjustments to GfxDownloadWrapper.yml
2020-01-07 09:03:42 +01:00
Oddvar Moe
aada926e6f
Merge pull request #52 from jesgal/patch-1
...
Create GfxDownloadWrapper.yml
2020-01-07 09:00:58 +01:00
Oddvar Moe
22ef6bfc63
Added additional paths to CL_MutexVerifiers.ps1 - input from @shilpeshTrivedi
2020-01-07 08:45:25 +01:00
Oddvar Moe
7030e00929
Capitalized dotnet name
2020-01-07 08:40:24 +01:00
Oddvar Moe
e1b36a25bd
Rename dotnet.yml to Dotnet.yml
2020-01-07 08:37:36 +01:00
Oddvar Moe
acd38cec9e
Merge pull request #49 from felamos/master
...
Create dotnet.yml
2020-01-07 08:32:35 +01:00
jesgal
c9e608ce0f
Update GfxDownloadWrapper.yml
2019-12-27 17:11:30 +01:00
jesgal
a057cf2420
Create GfxDownloadWrapper.yml
...
GfxDownloadWrapper.exe downloads the content that returns <URL> and writes it to the file <DESTINATION FILE PATH>. The binary is signed by "Microsoft Windows Hardware", "Compatibility Publisher", "Microsoft Windows Third Party Component CA 2012", "Microsoft Time-Stamp PCA 2010", "Microsoft Time-Stamp Service".
2019-12-27 17:02:34 +01:00
Ayush Sahay
5cb17cfb26
Create dotnet.yml
2019-12-11 15:53:12 +05:30
Oddvar Moe
94a295213e
Added Dump example to TTTracer.exe
2019-11-18 12:50:49 +01:00
Oddvar Moe
e0db5721ff
Added Dump Example to TTTracer.exe
2019-11-18 12:47:51 +01:00
Oddvar Moe
4663c13324
Adjustment
2019-11-05 15:47:20 +01:00
Oddvar Moe
8d74b3062f
Adjustment
2019-11-05 14:36:53 +01:00
Oddvar Moe
f9a7c42a85
Added TTTracer.exe - Thanks Onur Ulusoy
2019-11-05 12:12:46 +01:00
Oddvar Moe
13093c879e
Updated odbcconf.exe with discovery from @Hexacorn <3
2019-10-24 10:01:44 +02:00
Oddvar Moe
cb9fa974dd
Merge pull request #46 from felamos/patch-1
...
Create devtoolslauncher.yml
2019-10-07 23:56:01 +02:00
Oddvar Moe
7469812286
Update and rename devtoolslauncher.yml to Devtoolslauncher.yml
2019-10-07 23:55:44 +02:00
Oddvar Moe
8eb582de42
Update At.yml
2019-10-07 23:51:26 +02:00
Ayush Sahay
134b272567
Update devtoolslauncher.yml
2019-10-07 12:15:47 +05:30
Ayush Sahay
0fe0504622
Update devtoolslauncher.yml
2019-10-04 10:20:38 +05:30
Ayush Sahay
48ed8f7914
Create devtoolslauncher.yml
2019-10-04 09:29:59 +05:30
freddie
9f47e26f16
Adding At.exe, for submission to LOLbas list, with proof of malware using it in wild :O
2019-09-21 03:19:25 +01:00
Oddvar Moe
32757cd0c3
Added Office binaries from jreegun to the project. Pull request 42
2019-09-17 22:58:03 +02:00
Oddvar Moe
0644ac30d7
Added Office binaries from jreegun to the project. Pull request 42
2019-09-17 22:44:27 +02:00
Oddvar Moe
ed266c0983
Fixed some typos
2019-09-17 20:45:49 +02:00
Oddvar Moe
8762fc5735
Acknowledgement fix for comsvcs
2019-09-16 09:50:01 +02:00
Oddvar Moe
4ebf1ac4f7
Adjusted case sensitive type in yml file for Comsvcs
2019-09-16 09:44:14 +02:00
Oddvar Moe
11c6c7c48d
Adjusted
2019-09-16 09:38:05 +02:00
plowsec
dd5df7cf3e
Add Comsvcs.yml: dump lsass via signed DLL.
2019-08-30 14:12:46 +02:00
Oddvar Moe
5b63815c0a
Updated update and squirrel with updaterollback parameter
2019-07-02 09:06:19 +02:00
Oddvar Moe
8fcc9a105a
Fixed spacing error
2019-06-28 18:07:24 +02:00
Oddvar Moe
8528caf21d
Added Acknowledgement to wsl.exe
2019-06-28 18:05:34 +02:00
Oddvar Moe
f77b3b4019
Fixed spacing issue
2019-06-28 17:53:45 +02:00
Oddvar Moe
dd545693da
Merge pull request #40 from NotoriousRebel/master
...
Create Wsl.yml
2019-06-28 17:50:13 +02:00
NotoriousRebel
ff0155f599
Moved Wsl.yml location to OtherMSBinaries and added another example for possible usecases.
2019-06-28 09:20:56 -04:00
Oddvar Moe
e05ae6c051
Adjusted Update and Squirrel
2019-06-28 09:05:27 +02:00