mirror of
https://github.com/LOLBAS-Project/LOLBAS
synced 2024-09-20 02:33:03 +02:00
Adding Windows 11 reference to missed-out executables
This commit is contained in:
Wietze
parent
6793a7d238
commit
e51caad3dd
@ -10,14 +10,14 @@ Commands:
|
||||
Category: Reconnaissance
|
||||
Privileges: Administrator
|
||||
MitreID: T1040
|
||||
OperatingSystem: Windows 10 1809 and later
|
||||
OperatingSystem: Windows 10 1809 and later, Windows 11
|
||||
- Command: pktmon.exe filter add -p 445
|
||||
Description: Select Desired ports for packet capture
|
||||
Usecase: Look for interesting traffic such as telent or FTP
|
||||
Category: Reconnaissance
|
||||
Privileges: Administrator
|
||||
MitreID: T1040
|
||||
OperatingSystem: Windows 10 1809 and later
|
||||
OperatingSystem: Windows 10 1809 and later, Windows 11
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\pktmon.exe
|
||||
- Path: c:\windows\syswow64\pktmon.exe
|
||||
|
||||
@ -10,10 +10,10 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: Administrator
|
||||
MitreID: T1547
|
||||
OperatingSystem: Windows 10,7
|
||||
OperatingSystem: Windows 7, Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: C:\Windows\system32\pnputil.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code: https://github.com/LuxNoBulIshit/test.inf/blob/main/inf
|
||||
Detection:
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/a8a0d546f347febb0423aa920dbc10713cc1f92f/rules/windows/process_creation/process_creation_lolbins_suspicious_driver_installed_by_pnputil.yml
|
||||
|
||||
@ -10,14 +10,14 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: Administrator
|
||||
MitreID: T1127
|
||||
OperatingSystem: Windows 10 2004
|
||||
OperatingSystem: Windows 10 2004 and above, Windows 11
|
||||
- Command: ttdinject.exe /ClientScenario TTDRecorder /ddload 0 /ClientParams "7 tmp.run 0 0 0 0 0 0 0 0 0 0" /launch "C:/Windows/System32/calc.exe"
|
||||
Description: Execute calc using ttdinject.exe. Requires administrator privileges. A log file will be created in tmp.run. The log file can be changed, but the length (7) has to be updated.
|
||||
Usecase: Spawn process using other binary
|
||||
Category: Execute
|
||||
Privileges: Administrator
|
||||
MitreID: T1127
|
||||
OperatingSystem: Windows 10 1909
|
||||
OperatingSystem: Windows 10 1909 and below
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\ttdinject.exe
|
||||
- Path: C:\Windows\Syswow64\ttdinject.exe
|
||||
|
||||
@ -10,14 +10,14 @@ Commands:
|
||||
Category: Execute
|
||||
Privileges: Administrator
|
||||
MitreID: T1127
|
||||
OperatingSystem: Windows 10 1809 and newer
|
||||
OperatingSystem: Windows 10 1809 and newer, Windows 11
|
||||
- Command: TTTracer.exe -dumpFull -attach pid
|
||||
Description: Dumps process using tttracer.exe. Requires administrator privileges
|
||||
Usecase: Dump process by PID
|
||||
Category: Dump
|
||||
Privileges: Administrator
|
||||
MitreID: T1003
|
||||
OperatingSystem: Windows 10 1809 and newer
|
||||
OperatingSystem: Windows 10 1809 and newer, Windows 11
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\tttracer.exe
|
||||
- Path: C:\Windows\SysWOW64\tttracer.exe
|
||||
|
||||
Loading…
Reference in New Issue
Block a user