mirror/ LOLBAS
1
0
Fork 0
mirror of https://github.com/LOLBAS-Project/LOLBAS synced 2024-05-18 05:26:15 +02:00
Code Issues

Compare commits

base: mirror:2ad45f7d805160abd68c9d5c314ff34d1ecabf2b
Branches Tags
mirror:master
mirror:add_too_check_detection_urls
mirror:revert-170-fixes/mitre_attack_realignment
mirror:feat/add_missing_WDAC_bypasses
...
compare: mirror:7e61707e5fcdf05a047059284048ddbdb459dc73
Branches Tags
mirror:master
mirror:add_too_check_detection_urls
mirror:revert-170-fixes/mitre_attack_realignment
mirror:feat/add_missing_WDAC_bypasses

3 Commits
2ad45f7d80 ... 7e61707e5f

Author SHA1 Message Date
Jan Miller 7e61707e5f
Merge 790bbed18d into 2cc0ee99e6 2024-05-02 22:13:19 +08:00
Wietze 2cc0ee99e6
Applying MITRE ATT&CK v15 changes (#370) 
https://attack.mitre.org/resources/updates/updates-april-2024/
 2024-04-24 15:10:59 +01:00
Jan Miller 790bbed18d New cleanmgr indirect execution trick 2022-03-18 11:21:14 +01:00
7 changed files with 39 additions and 13 deletions
Show Stats Expand all files Collapse all files

2
yml/OSBinaries/Certutil.yml
View File

@ -30,7 +30,7 @@ Commands:
Usecase: Encode files to evade defensive measures
Category: Encode
Privileges: User
MitreID: T1027
MitreID: T1027.013
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: certutil -decode encodedInputFileName decodedOutputFileName
Description: Command to decode a Base64 encoded file.

28
yml/OSBinaries/Cleanmgr.yml Normal file
View File

@ -0,0 +1,28 @@
---
Name: Cleanmgr.exe
Description: Used for disk cleanup as part of Windows update
Author: 'Jan Miller'
Created: 2022-18-03
Commands:
- Command: %WINDIR%\system32\cleanmgr.exe /autoclean /d %systemdrive%
Description: Automatically reclaim unused disc space at the specified drive (/d switch)
Usecase: Exploiting HKEY_CURRENT_USER\Environment\windir registry, a malicious script (e.g. dropper) may be executed by cleanmgr
Category: Execute
Privileges: User
MitreID: T1202
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full_Path:
- Path: C:\Windows\System32\cleanmgr.exe
- Path: C:\Windows\SysWOW64\cleanmgr.exe
Code_Sample:
- Code:
Detection:
- IOC: Child process from cleanmgr.exe
Resources:
- Link: https://twitter.com/filescan_itsec/status/1504615170387161089
Acknowledgement:
- Person: Jan Miller
Handle: '@miller_itsec'
- Person: FileScan GmbH
Handle: '@filescan_itsec'
---

2
yml/OSBinaries/Msedge.yml
View File

@ -23,7 +23,7 @@ Commands:
Usecase: Executes a process under a trusted Microsoft signed binary
Category: Execute
Privileges: User
MitreID: T1218
MitreID: T1218.015
OperatingSystem: Windows 10, Windows 11
Full_Path:
- Path: c:\Program Files\Microsoft\Edge\Application\msedge.exe

2
yml/OSBinaries/msedge_proxy.yml
View File

@ -25,7 +25,7 @@ Commands:
Usecase: Executes a process under a trusted Microsoft signed binary
Category: Execute
Privileges: User
MitreID: T1218
MitreID: T1218.015
OperatingSystem: Windows 10, Windows 11
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/e1a713d264ac072bb76b5c4e5f41315a015d3f41/rules/windows/process_creation/proc_creation_win_susp_electron_execution_proxy.yml

8
yml/OSBinaries/msedgewebview2.yml
View File

@ -9,28 +9,28 @@ Commands:
Usecase: Proxy execution of binary
Category: Execute
Privileges: Low privileges
MitreID: T1202
MitreID: T1218.015
OperatingSystem: Windows 10, Windows 11
- Command: msedgewebview2.exe --utility-cmd-prefix="calc.exe"
Description: This command launches the Microsoft Edge WebView2 browser control without sandboxing and will spawn calc.exe as its subprocess.
Usecase: Proxy execution of binary
Category: Execute
Privileges: User
MitreID: T1202
MitreID: T1218.015
OperatingSystem: Windows 10, Windows 11
- Command: msedgewebview2.exe --disable-gpu-sandbox --gpu-launcher="calc.exe"
Description: This command launches the Microsoft Edge WebView2 browser control without sandboxing and will spawn calc.exe as its subprocess.
Usecase: Proxy execution of binary
Category: Execute
Privileges: User
MitreID: T1202
MitreID: T1218.015
OperatingSystem: Windows 10, Windows 11
- Command: msedgewebview2.exe --no-sandbox --renderer-cmd-prefix="calc.exe"
Description: This command launches the Microsoft Edge WebView2 browser control without sandboxing and will spawn calc.exe as its subprocess.
Usecase: Proxy execution of binary
Category: Execute
Privileges: User
MitreID: T1202
MitreID: T1218.015
OperatingSystem: Windows 10, Windows 11
Full_Path:
- Path: C:\Program Files (x86)\Microsoft\Edge\Application\114.0.1823.43\msedgewebview2.exe

4
yml/OSScripts/Syncappvpublishingserver.yml
View File

@ -9,12 +9,10 @@ Commands:
Usecase: Use Powershell host invoked from vbs script
Category: Execute
Privileges: User
MitreID: T1216
MitreID: T1216.002
OperatingSystem: Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\System32\SyncAppvPublishingServer.vbs
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml
Resources:

6
yml/OtherMSBinaries/Teams.yml
View File

@ -9,21 +9,21 @@ Commands:
Usecase: Execute JavaScript code
Category: Execute
Privileges: User
MitreID: T1218
MitreID: T1218.015
OperatingSystem: Windows 10, Windows 11
- Command: teams.exe
Description: Generate JavaScript payload and package.json, archive in ASAR file and save to "%LOCALAPPDATA%\\Microsoft\\Teams\\current\\app.asar" before executing.
Usecase: Execute JavaScript code
Category: Execute
Privileges: User
MitreID: T1218
MitreID: T1218.015
OperatingSystem: Windows 10, Windows 11
- Command: teams.exe --disable-gpu-sandbox --gpu-launcher="C:\Windows\system32\cmd.exe /c ping google.com &&"
Description: Teams spawns cmd.exe as a child process of teams.exe and executes the ping command
Usecase: Executes a process under a trusted Microsoft signed binary
Category: Execute
Privileges: User
MitreID: T1218
MitreID: T1218.015
OperatingSystem: Windows 10, Windows 11
Full_Path:
- Path: "%LOCALAPPDATA%\\Microsoft\\Teams\\current\\Teams.exe"