public-mirrors/LOLBAS
1
0
Fork 0
mirror of https://github.com/LOLBAS-Project/LOLBAS synced 2024-12-26 14:59:03 +01:00
Code Issues Projects Releases Wiki Activity
58e88b98f9
LOLBAS/Projectnotes.md
Oddvar Moe eef9e78be8 Added Projectnotes
2018-06-12 08:26:24 +02:00

3.1 KiB
Raw Blame History

LOLBAS-Project

What is a LOLBIN?

Living off the land is using the tools on the systems to perform your intended actions. A LOLBIN is a binary used by an attacker to achieve their goals.

Categories

Initial Access Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Execution Collection Exfiltration Command and Control

Sub-cats

"Application Whitelisting Bypass" "squiblydoo" "Component Object Model Hijacking" "Signed Script Proxy Execution" "Path Interception" "Search Order Hijacking" "Launch process" "UAC Bypass" "AutoRun Persistence" "Credential Dumping"

Roadmap

2.0

[x] Determine field mappings between existing Markdown and future structured format [x] Define any additional fields required during launch (Date, Categories) [x] Migrate [ ] Sanity checking & populate blank fields (e.g. Categories, Code Sample, Detection). [ ] Define CONTRIBUTING.md to guide contributions. What is the technical criteria for a LOLBIN/LOLSCRIPT/LOLLIB? Suggested ambiguous files: regedit.exe, notepad.exe, powershell.exe, cmd.exe. [ ] https://stackoverflow.com/questions/19109912/do-i-need-quotes-for-strings-in-yaml [ ] https://stackoverflow.com/questions/3790454/in-yaml-how-do-i-break-a-string-over-multiple-lines [ ] https://til.hashrocket.com/posts/d7c96e2ee7-multiline-strings-in-yaml

2.1

[ ] ATT&CK links [ ] LOLBIN GUID? [ ] Jekyll front end a la GTFOBINS? [ ] Sub-Categories [ ] Tests for PRs to ensure fields are valid [ ] Create management scripts (find blank fields, ensure all fields are present, update fields) [ ] Privileges required [ ] Signed executing signed? Signed executing unsigned? @mattifestation's tweet has some good stuff. [ ] Specific tags/labeling for specific capability caveats, for example a App Whitelist bypass that works on AppLocker & Solidcore could cary tags for each product [ ] split commands into command, argument structure, and example. i.e. Command: cmstp.exe; ArgStructure: /ini /s <inf_file>; Example: cmstp.exe /ini /s c:\cmstp\CorpVPN.inf

2.0 Schema

The goal for this version is feature parity with the current Markdown format along with any other fields required to support 2.0 objectives.

<> - Denotes existing values "" - Value does not exist. Key will be created but not immediately populated.

YAML

  • Name:
  • Description:
  • Author: ''
  • Created: 2018-05-25
  • Categories: []
  • Commands:
    • <Code Block 1>
      • Description: ''
    • <Code Block 2>
      • Description: ''
  • Full Path:
    • <Full Path 1>
    • <Full Path 2>
  • Code Sample:
    • <Code Sample 1>
    • <Code Sample 2>
  • Detection:
    • <Detection 1>
    • <Detection 2>
  • Resources:
    • <Resource 1>
    • <Resource 2>
  • Notes: ,

JSON (more like no, son, you're not getting used, gtfo)

{ "Name": "", "Description": "", "Created": "", "Categories": [""], "Commands": [""], "Full path": ["], "Code sample": [""], "Resources": [""], "Acknowledgments": [""], "Detection": ["",] "Notes": "", }