Adjusted Readme
parent
c5617669aa
commit
1790682bcd
|
@ -5,7 +5,7 @@ Dbghost.exe
|
|||
Robocopy.exe Needs examples
|
||||
Bitsadmin.exe bitsadmin.exe /transfer /Download /priority Foreground https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Execution/Bitsadmin.md $env:TEMP\AtomicRedTeam\bitsadmin_flag.ps1
|
||||
Vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet
|
||||
notepad.exe Gui - Download files using Open (A lot of other programs as well)
|
||||
notepad.exe Gui - Download files using Open (A lot of other programs as well) LOLGuiBins?
|
||||
wbadmin.exe wbadmin delete catalog -quiet
|
||||
psexec.exe Remote execution of code
|
||||
java.exe -agentpath:<dllname_with_dll_extension> or -agentlib:<dllname>
|
||||
|
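Review bot: the "LOLGuiBins?" appended to the notepad.exe entry is an open classification question, not a property of the binary, so the data row now carries a TODO; since the README hunk in this same commit adds "LOLGuiBins" to the Future work list, drop the suffix here and keep the question there. While this region is being edited, the Robocopy.exe row still reads only "Needs examples" with no command line, and the Bitsadmin.exe example fetches from raw.githubusercontent.com, so it only works with network access; a variant with a local source path would let it run offline.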
@ -14,5 +14,4 @@ odbcad32.exe GUI DLL Loading
|
|||
WseClientSvc.exe - https://blog.huntresslabs.com/abusing-trusted-applications-a719219220f
|
||||
dvdplay.exe http://www.hexacorn.com/blog/2018/03/15/beyond-good-ol-run-key-part-73/
|
||||
http://www.hexacorn.com/blog/category/living-off-the-land/pass-thru-command-execution/
|
||||
|
||||
|
||||
https://twitter.com/Hexacorn/status/993498264497541120
|
||||
|
|
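Review bot: the WseClientSvc.exe and dvdplay.exe rows give only a reference URL with no description of the behaviour, and two further lines (the hexacorn pass-thru category link and the twitter status) carry a URL with no binary name at all; the hunk header goes from 5 to 4 lines but the surviving lines do not show what was dropped. Unlike the rows above (Vssadmin.exe, wbadmin.exe, java.exe), a reader cannot tell from this list alone which technique applies. Suggest a short description beside each link in the same style as the other rows, and moving bare reference links into a references note rather than the binaries list.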
55
README.md
|
@ -1,30 +1,69 @@
|
|||
# Living Off The Land Binaries and Scripts (and now also Libraries)
|
||||
|
||||
There are three different lists.
|
||||
There are currently three different lists.
|
||||
|
||||
* [LOLBins](LOLBins.md)
|
||||
* [LOLLibs](LOLLibs.md)
|
||||
* [LOLScripts](LOLScripts.md)
|
||||
|
||||
|
||||
The goal of these lists are to document every binary, script and library that can be used for other purposes than they are designed to.
|
||||
The goal of these lists are to document every binary, script and library that can be used for Living Off The Land techniques.
|
||||
|
||||
Definition of LOLBAS candidates (Binaries,scripts and libraries):
|
||||
* LOLBAS candidates must be present on the system by default or introduced by application/software "installation" from a "reputable" vendor or open-source entity. Otherwise, LOLBAS determination is subject to scrutiny by the (security) community and agreed upon standards.
|
||||
* Can be used as an attacker tool directly or can perform other actions than what it was intended to do (Ex: regsvr32 - execute code from SCT online)
|
||||
* executing code
|
||||
* downloading/upload files
|
||||
* bypass UAC
|
||||
* compile code
|
||||
* getting creds/dumping process
|
||||
* surveillance (keylogger, network trace)
|
||||
* evade logging/remove log entry
|
||||
* side-loading/hijacking of DLL
|
||||
* pass-through execution of other programs, script (via a LOLBin)
|
||||
* pass-through persistence utilizing existing LOLBin
|
||||
* persistence (Hide data in ADS, execute at logon etc)
|
||||
|
||||
Right now it is me that decides if the files are a valid contribution or not.
|
||||
I try my best to conclude with help from others in the InfoSec community and I do not wish to exclude anything.
|
||||
Also, please be patient if it takes some time for your contribution to be added to the list. I am just one guy.
|
||||
|
||||
Every binary, script and library has it's own .md file in the subfolders. That way I should be easier to maintain and reuse.
|
||||
I have borrowed examples from the community (And a lot from Red Canary - Atomic Red Team - Thanks @subtee)
|
||||
Would really love if the community could contribute as much as possible. That would make it better for everyone.
|
||||
If you think it is hard to make a pull request using github, don't hasitate to send me a tweet and I will add the contribution for you.
|
||||
|
||||
|
||||
## STORY
|
||||
The term LOLBins came from a twitter discussion on what to call these binaries. It was first proposed by Philip Goh - @MathCasualty here:
|
||||
https://twitter.com/MathCasualty/status/969174982579273728
|
||||
|
||||
The term LOLScripts came from Jimmy - @bohops:
|
||||
https://twitter.com/bohops/status/984828803120881665
|
||||
|
||||
Common hashtags for these files are:
|
||||
|
||||
#LOLBin
|
||||
#LOLBins
|
||||
#LOLScript
|
||||
#LOLScripts
|
||||
#LOLLib
|
||||
#LOLLibs
|
||||
#LOLBin
|
||||
#LOLBins
|
||||
#LOLScript
|
||||
#LOLScripts
|
||||
#LOLLib
|
||||
#LOLLibs
|
||||
|
||||
A "highly scientific poll" was also conducted to agree (69% yes) on the name LOLBins.
|
||||
https://twitter.com/Oddvarmoe/status/985432848961343488
|
||||
|
||||
The domain http;//lolbins.com has been registered by an unknown individual and redirected it to this project. (Thank you)
|
||||
|
||||
|
||||
## Future work / Todo list
|
||||
* Better classification system
|
||||
* Load DLL
|
||||
* Arbitrary unsigned code execution
|
||||
* Launch other process
|
||||
* Better contribution template
|
||||
* Provide the project in DB format (sqlite)
|
||||
* Re-factor project (version 2.0) and move it to a dedicated project site (https://github.com/LOLBAS-Project)
|
||||
* Map it to the Mitre Att&ck <3
|
||||
* LOLGuiBins
|
||||
* More list based on classifications
|
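Review bot: the new README text carries several typos and grammar slips that should be fixed before merge: "The goal of these lists are" should read "is"; "Every binary, script and library has it's own .md file" should be "its", and "That way I should be easier to maintain" should be "That way it should be easier"; "hasitate" should be "hesitate"; and "http;//lolbins.com" has a semicolon in place of the colon in the scheme. Also, the reworded goal "can be used for Living Off The Land techniques" defines the lists in terms of the term itself, whereas the removed wording ("other purposes than they are designed to") stated the actual criterion; consider keeping both sentences. Minor: "downloading/upload files" mixes forms ("downloading/uploading files").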