mirror of
https://github.com/LOLBAS-Project/LOLBAS
synced 2024-05-08 00:26:19 +02:00
Compare commits
5 Commits
178f895a7b
...
1522badfea
Author | SHA1 | Date | |
---|---|---|---|
bohops | 1522badfea | ||
Wietze | 2cc0ee99e6 | ||
frack113 | 2cc01b0113 | ||
root | 3a7f13130a | ||
root | 462b5a8c61 |
|
@ -0,0 +1,38 @@
|
|||
---
|
||||
Name: Powershell.exe
|
||||
Description: Powershell.exe is a a task-based command-line shell built on .NET.
|
||||
Author: 'Everyone'
|
||||
Created: 2024-04-03
|
||||
Commands:
|
||||
- Command: powershell.exe -ep bypass -file c:\path\to\a\script.ps1
|
||||
Description: Set the execution policy to bypass and execute a PowerShell script without warning
|
||||
Usecase: Execute PowerShell cmdlets, .NET code, and just about anything else your heart desires
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1059.001
|
||||
OperatingSystem: Windows 7 and up
|
||||
- Command: powershell.exe -ep bypass -command "Invoke-AllTheThings..."
|
||||
Description: Set the execution policy to bypass and execute a PowerShell command
|
||||
Usecase: Execute PowerShell cmdlets, .NET code, and just about anything else your heart desires
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1059.001
|
||||
OperatingSystem: Windows 7 and up
|
||||
- Command: powershell.exe -ep bypass -ec IgBXAGUAIAA8ADMAIABMAE8ATABCAEEAUwAiAA==
|
||||
Description: Set the execution policy to bypass and execute a very malicious PowerShell encoded command
|
||||
Usecase: Execute PowerShell cmdlets, .NET code, and just about anything else your heart desires
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1059.001
|
||||
OperatingSystem: Windows 7 and up
|
||||
Full_Path:
|
||||
- Path: '%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe'
|
||||
- Path: '%SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
|
||||
Detection:
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/tree/71ae004b32bb3c7fb04714f8a051fc8e5edda68c/rules/windows/powershell
|
||||
Resources:
|
||||
- Link: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_powershell_exe?view=powershell-5.1
|
||||
- Link: https://attack.mitre.org/techniques/T1059/001/
|
||||
Acknowledgement:
|
||||
- Person: Everyone
|
||||
Handle: '@alltheoffensivecyberers'
|
|
@ -30,7 +30,7 @@ Commands:
|
|||
Usecase: Encode files to evade defensive measures
|
||||
Category: Encode
|
||||
Privileges: User
|
||||
MitreID: T1027
|
||||
MitreID: T1027.013
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: certutil -decode encodedInputFileName decodedOutputFileName
|
||||
Description: Command to decode a Base64 encoded file.
|
||||
|
|
|
@ -23,7 +23,7 @@ Commands:
|
|||
Usecase: Executes a process under a trusted Microsoft signed binary
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreID: T1218.015
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: c:\Program Files\Microsoft\Edge\Application\msedge.exe
|
||||
|
|
|
@ -35,6 +35,8 @@ Full_Path:
|
|||
- Path: C:\Windows\System32\tar.exe
|
||||
- Path: C:\Windows\SysWOW64\tar.exe
|
||||
Detection:
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/e1a713d264ac072bb76b5c4e5f41315a015d3f41/rules/windows/process_creation/proc_creation_win_tar_compression.yml
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/e1a713d264ac072bb76b5c4e5f41315a015d3f41/rules/windows/process_creation/proc_creation_win_tar_extraction.yml
|
||||
- IOC: tar.exe extracting files from a remote host within the environment
|
||||
- IOC: Abnormal processes spawning tar.exe
|
||||
- IOC: tar.exe interacting with alternate data streams (ADS)
|
||||
|
|
|
@ -25,8 +25,10 @@ Commands:
|
|||
Usecase: Executes a process under a trusted Microsoft signed binary
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreID: T1218.015
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
Detection:
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/e1a713d264ac072bb76b5c4e5f41315a015d3f41/rules/windows/process_creation/proc_creation_win_susp_electron_execution_proxy.yml
|
||||
Acknowledgement:
|
||||
- Person: Mert DaĹź
|
||||
Handle: '@merterpreter'
|
||||
|
|
|
@ -9,32 +9,33 @@ Commands:
|
|||
Usecase: Proxy execution of binary
|
||||
Category: Execute
|
||||
Privileges: Low privileges
|
||||
MitreID: T1202
|
||||
MitreID: T1218.015
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
- Command: msedgewebview2.exe --utility-cmd-prefix="calc.exe"
|
||||
Description: This command launches the Microsoft Edge WebView2 browser control without sandboxing and will spawn calc.exe as its subprocess.
|
||||
Usecase: Proxy execution of binary
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1202
|
||||
MitreID: T1218.015
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
- Command: msedgewebview2.exe --disable-gpu-sandbox --gpu-launcher="calc.exe"
|
||||
Description: This command launches the Microsoft Edge WebView2 browser control without sandboxing and will spawn calc.exe as its subprocess.
|
||||
Usecase: Proxy execution of binary
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1202
|
||||
MitreID: T1218.015
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
- Command: msedgewebview2.exe --no-sandbox --renderer-cmd-prefix="calc.exe"
|
||||
Description: This command launches the Microsoft Edge WebView2 browser control without sandboxing and will spawn calc.exe as its subprocess.
|
||||
Usecase: Proxy execution of binary
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1202
|
||||
MitreID: T1218.015
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: C:\Program Files (x86)\Microsoft\Edge\Application\114.0.1823.43\msedgewebview2.exe
|
||||
Detection:
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/e1a713d264ac072bb76b5c4e5f41315a015d3f41/rules/windows/process_creation/proc_creation_win_susp_electron_execution_proxy.yml
|
||||
- IOC: 'msedgewebview2.exe spawned with any of the following: --gpu-launcher, --utility-cmd-prefix, --renderer-cmd-prefix, --browser-subprocess-path'
|
||||
Resources:
|
||||
- Link: https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf
|
||||
|
|
|
@ -17,6 +17,7 @@ Full_Path:
|
|||
- Path: c:\windows\system32\scrobj.dll
|
||||
- Path: c:\windows\syswow64\scrobj.dll
|
||||
Detection:
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/e1a713d264ac072bb76b5c4e5f41315a015d3f41/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml
|
||||
- IOC: Execution of rundll32.exe with 'GenerateTypeLib' and a protocol handler ('://') on the command line
|
||||
Resources:
|
||||
- Link: https://twitter.com/eral4m/status/1479106975967240209
|
||||
|
|
|
@ -17,6 +17,7 @@ Full_Path:
|
|||
- Path: c:\windows\system32\shimgvw.dll
|
||||
- Path: c:\windows\syswow64\shimgvw.dll
|
||||
Detection:
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/e1a713d264ac072bb76b5c4e5f41315a015d3f41/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml
|
||||
- IOC: Execution of rundll32.exe with 'ImageView_Fullscreen' and a protocol handler ('://') on the command line
|
||||
Resources:
|
||||
- Link: https://twitter.com/eral4m/status/1479080793003671557
|
||||
|
|
|
@ -9,12 +9,10 @@ Commands:
|
|||
Usecase: Use Powershell host invoked from vbs script
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1216
|
||||
MitreID: T1216.002
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\SyncAppvPublishingServer.vbs
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml
|
||||
Resources:
|
||||
|
|
|
@ -9,21 +9,21 @@ Commands:
|
|||
Usecase: Execute JavaScript code
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreID: T1218.015
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
- Command: teams.exe
|
||||
Description: Generate JavaScript payload and package.json, archive in ASAR file and save to "%LOCALAPPDATA%\\Microsoft\\Teams\\current\\app.asar" before executing.
|
||||
Usecase: Execute JavaScript code
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreID: T1218.015
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
- Command: teams.exe --disable-gpu-sandbox --gpu-launcher="C:\Windows\system32\cmd.exe /c ping google.com &&"
|
||||
Description: Teams spawns cmd.exe as a child process of teams.exe and executes the ping command
|
||||
Usecase: Executes a process under a trusted Microsoft signed binary
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218
|
||||
MitreID: T1218.015
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: "%LOCALAPPDATA%\\Microsoft\\Teams\\current\\Teams.exe"
|
||||
|
|
Loading…
Reference in New Issue